Tuesday May 05, 2009

Open Source Identity Connector for Google Apps

google apps

Identity Manager 8.1 (or later) contains support for a very cool open source connector framework. The project name isn't too exciting (Identity Connectors ?  definitely needs some marketing love ) but the end result is fantastic.

 I had the experience of porting my IdM legacy adapter for Google Apps to this new framework. The API is much simpler (no depedencies on IdM or any other product), and the concepts are clean and well thought out. Just what one would expect from a team that a has a few decades of experience building connectors. 

 You can download the google apps connector, along with many other bundles here.

 Feedback is most welcome

Thursday Feb 26, 2009

Spring comes early - an updated OpenSSO Spring Security provider

Following on the pioneering work of Robert Dale  and Miguel Alonso I have updated the OpenSSO Spring provider with additional support for authorization. You can now use Spring security JSP tags, method security annotations and Spring method security point cuts.

Where to get it!

You can download the provider and a sample Spring application from the OpenSSO Extensions project page.

The package-info header is reproduced below:

Package com.sun.identity.provider.springsecurity Description

A Spring 2 Security provider for OpenSSO.

Provides authentication and authorization plugins for the Spring 2 Security framework. For an example of how to configure this module refer to the OpenSSO / Spring example


The provider delegates authentication to the OpenSSO instance configured in the applications AMConfig.properties. When a user tries to access an application web page, the spring provider will check for a valid SSOToken. If the user is not authenticated they will be redirected to OpenSSO. Once authentication is complete, OpenSSO will redirect the user back to the application.

Upon authentication, a Spring UserDetails object is created for the user and placed in the session. This can be used by the application to query for the user principal and other information. The spring security authentication tags can be used within a JSP, as shown in the following example:

  The Logged on Principal is <security:authentication property="principal.username"/>

Authorization - Web URL Policy

The provider delegates URL policy decisions to OpenSSO. This is different than most Spring 2 providers where the URL policy is configured in the application using annotations or spring XML configuration.

OpenSSO is queried for URL policy decisions, and will return ALLOW, DENY or null. A null return means that OpenSSO does not have a policy for the requested URL. The provider will return an ABSTAIN vote if the OpenSSO policy decision is null. If you wish to implement a policy of "Deny that which is not explicity permitted" you will want to use Springs AffirmativeBased voter in your security configuration. This ensures that at least one voter must "ALLOW" the request.

Authorization - Roles

Spring Security uses the concept of GrantedAuthorities which are analagous to roles in OpenSSO. This provider converts OpenSSO group (role) membership into Spring GrantedAuthorities. The current implementation converts an OpenSSO group membership (for example "staff") into a GrantedAuthority by concatenating the prefix "ROLE_" with the upper cased group name. For example, if a user belongs to the OpenSSO groups "staff" and "admins", they will be granted "ROLE_STAFF" and "ROLE_ADMINS" authorizations.

Authorizations can be used in JSPs using the Spring security tags. For example, the following JSP snippet will output different results depending on whether the user belongs to the staff group or not:

<security:authorize ifAllGranted="ROLE_STAFF">
    <div align="left"><h2>Congrats!! You have the Staff role</h2></div>

<security:authorize ifNotGranted="ROLE_STAFF">
    <div align="left"><h2>TOO BAD SO SAD - You do NOT have the Staff role</h2></div>

Authorizations can also be used to protect methods using Spring pointcuts or annotations. The example below demonstrates using JSR security annotations:

@RolesAllowed("ROLE_ADMIN") public String sayHello() { return "Hello" }

The above method will throw a Spring Security AccessException if the user is not in the admin group.

Tuesday Oct 14, 2008

Clojure and Lisp Revival

I have always been fascinated by Lisp, but it just seemed like one of those languages that while theoretically nice was completely impractical.  Lisp environments have either been powerful but proprietary, or have been free but limited in capability.  Although Lisp is one of the oldest language around (circa 1950s!)it has remained a niche language, never quite attracting enough critical mass to make it a serious alternative to mainstream languages such as Java, ruby, or C#.

Clojure might just change that.

It's a Lisp dialect built on top of the JVM, and it solves many problems which have impaired Lisp adoption:
  • Courtesy of the JVM, Clojure has access to the world's largest collection of software libraries. 
  • It's a two way street. Clojure is able to create classes that can be called from Java.
  • Clojure has a cross platform GUI. Love it or hate it, Swing does a reasonable job at solving this problem. My money is on someone leveraging JavaFX libraries to build a DSL with Clojure. Might be a nice alternative to JavaFX script!
  • It's got a free IDE. Enclojure is a Netbeans plugin that provides a namespace browser, editor, code completion, and interaction with REPL. For a Java guy used to the Edit-Compile-Jar-Deploy-Run cycle it's pretty neat to be able to incrementally send expressions to the REPL.
  • It's fast (or at least fast enough). Expressions entered in the REPL (the Read Evaluate, and Print Loop) are compiled directly to Java byte code. As Java gets better at dynamic languages (think invokedynamic!), Clojure gets faster.
  • It's practical. Rich Hickey, the mastermind behind Clojure, has made a few design choices that improve the performance and interoperability with the JVM. For example, Clojure supports vectors, maps, and sequences, all of which map nicely to Java constructs.  

Most importantly, Clojure's functional style is perfectly suited to a future when massively parallel multi-core machines are the norm:

Functional programs eschew the external 'effects' of imperative
programs, and thus become easier to understand, reason about, and test,
since the activity of functions is completely local. To the extent a
portion of a program is purely functional, concurrency is a non-issue,
as there is simply no change to coordinate.

Check it out  here


Things that amuse me


« July 2016

No bookmarks in folder