Web Services with Apache CXF

CXF framework is widely used to create web services. It supports a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.

CXF has some tools like wsdl2java witch generate web service code from WSDL. This tool is very useful but it integrates some code that usually we don’t control all its details.

Photo credit: Brian A Jackson

I wrote this article to presents a concise way to create a web service with CXF and Spring. This solution has the advantage to avoid generating extra code to integrate in your project.

1 – CXF dependency

If you are using Maven you can add dependency by adding the XML code below.

<dependency>
	<groupId>org.apache.cxf</groupId>
	<artifactId>cxf-rt-frontend-jaxws</artifactId>
	<version>2.1.3</version>
</dependency>
<dependency>
	<groupId>org.apache.cxf</groupId>
	<artifactId>cxf-rt-transports-http</artifactId>
	<version>2.1.3</version>
</dependency>

2 – Web service implementation

First, add a web service interface. The code source bellow is a simple of web service that allows adding a customer to an existent JSF web application.

import javax.jws.WebService;
import com.mycompany.entity.Customer;

@WebService
public interface CustomerService {

	String SaveCustomer(Customer customer);

}


Next, write your web service implementation.

import javax.jws.WebService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.mycompany.dao.ICustomerDao;
import com.mycompany.entity.Customer;

@Component("customerService")
@WebService(endpointInterface = "com.mycompany.service.CustomerService")
public class CustomerServiceImpl implements CustomerService {
	
@Autowired
private ICustomerDao customerDao;

	public String SaveCustomer(Customer customer) {
		customer.setCustomerId(null);
		customer.setCustomerOrders(null);
		customerDao.save(customer);
		return "saved";
	}	
}


Finally, add spring configuration to configure the web service end point and client.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws"
	xsi:schemaLocation="
	http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
	http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

	<import resource="classpath:META-INF/cxf/cxf.xml" />
	<import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
	<import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

	<jaxws:endpoint id="customerServiceEndPoint" implementor="#customerService"
		address="/CustomerService" />

	<jaxws:client id="customerServiceClient" serviceClass="com.mycompany.service.CustomerService"
		address="http://localhost:8080/myApp_JSF_CXF/ws/CustomerService" />
</beans>

3 – Web service test

Test with SoapUi
You can use SoapUi to test your web service. In this case you don’t need to implemente a service client.

SoapUi needs a wsdl file. You can provide this URL http://localhost:8080/myApp_JSF_CXF/ws/CustomerService?wsdl.

Test with JUnit

Testing a web service with junit it’s more likely to be an integration test than a unit test because it depends on other resources. You will need to start your application server and deploy your web service before running your test.

The code source bellow uses the web service client to test the web service developed in this article.

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations={"/application-context-test.xml"})
public class CustomerServiceTest {
	
	@Autowired
	@Qualifier("customerServiceClient")
	private CustomerService customerServiceClient;

	@Test
	public void SaveCustomerClientTest() {
		Customer customer = new Customer(25, "nameTest","adresse", "city", "state", "123", "0606060606", null);
		assertEquals("saved", customerServiceClient.SaveCustomer(customer));	
	}
}

Advertisements

Secure your web application with Spring Security

Spring Security is great framework to secure web application. It’s easy to configure and it doesn’t need to make special changes or deploy libraries to your Servlet or EJB container.

Spring security keeps your application objects free of security code, unless you specifically choose to interact with the security context.

   

Photo credit: V.Áron

This article explains how to secure a JEE application with Spring Security by a sample project. This project is implemented with JSF, Spring (version 3.0) and Hibernate.

The source code of the project is available on github here.

Basic configuration

In this part we will add dependencies and basic configuration to integrate Spring security to the web application.

  • Add Spring Security dependencies to the maven pom.xml file.
     <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>org.springframework.security.web</artifactId>
            <version>3.0.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>org.springframework.security.config</artifactId>
            <version>3.0.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>org.springframework.security.taglibs</artifactId>
            <version>3.0.5.RELEASE</version>
        </dependency>
    

– Update web.xml file.
Inside web.xml, insert the following block of code. It should be inserted right after the /context-param end-tag.

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

– Add applicationContext-security.xml file
This file contains the basic Spring Security config. There is no user access control for any path. Users are defined in the Spring application context file.

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:jdbc="http://www.springframework.org/schema/jdbc"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.0.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 
 <http use-expressions="true">
        <intercept-url pattern="/**" filters="none" />
        <form-login />
        <logout />
    </http>

	<authentication-manager>
	    <authentication-provider>
	      <user-service>
	        <user name="user1" password="password1" authorities="ROLE_USER, ROLE_ADMIN" />
	        <user name="user2" password="password2" authorities="ROLE_USER" />
	      </user-service>
	    </authentication-provider>
  </authentication-manager>
</beans>

After the basic configuration is done, you should have your web application running and you should access all pages.

Security Configuration

1 – Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. [2]

Spring security supports LDAP, database, XML and Properties file to authenticate users. In this article, we use database authentication. The database schema is created by hibernate and it is populated by DbUnit framework.

We create two persistent classes to save users and their authorities.


– Create a login.xhtml page as shown in the code bellow

<html xmlns:jsp="http://java.sun.com/JSP/Page"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:c="http://java.sun.com/jstl/core" 
>
<head></head>
<body>

<c:if test="${param.state=='failure'}">
		<c:set var="username" value="#{sessionScope.SPRING_SECURITY_LAST_USERNAME}"/>
		<div class="ERROR">
			Your login attempt was not successful, try again.<br />
			Reason: #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
		</div>
</c:if>
	<form  action="#{request.contextPath}/j_spring_security_check" method="post">
		<h:panelGrid columns="2" title="Customer">
			<f:facet name="header"> 
				<h:outputText value="Login form" />
			</f:facet>
			<h:outputText value="User:" />
			<h:inputText id="j_username" value="#{username}"  />
			<h:outputText value="Password:" />
			<h:inputSecret id="j_password" />
			<f:facet name="footer"> 
				<h:commandButton  value="Login" type="submit"  />
			</f:facet>
		</h:panelGrid>
	</form>
</body>
</html>

To add JDBC Spring security some changes nead to be done to the applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

	<http use-expressions="true" access-denied-page="/pages/static/accessDenied.jsf">
		<intercept-url pattern="/login.jsf" filters="none"/>
		<intercept-url pattern="/pages/**" access="isAuthenticated()" />
		<form-login login-page="/login.jsf" default-target-url="/pages/static/welcome.jsf" authentication-failure-url="/login.jsf?state=failure"/>
		<logout logout-success-url="/login.jsf?state=logout"  />
	</http>

	<authentication-manager alias="authenticationManager">
		<authentication-provider>
			<password-encoder hash="md5" />
			<jdbc-user-service data-source-ref="dataSource"
				users-by-username-query="SELECT U.login AS username, U.password as password, U.enabled as enabled FROM user U where U.login=?"
				authorities-by-username-query="SELECT U.login as username, A.authority_name as authority FROM user U, authority A WHERE U.user_id=A.user_id and U.login=?"
				role-prefix="ROLE_" />
		</authentication-provider>
	</authentication-manager>

</beans:beans>

To maximize password security we made a choice to use md5 password encoding.

2 – Authorization

Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, “to authorize” is to define access policy. [1]

With spring security we can manage pages, screen components and methods execution rights policies.

– Path access control

Then implement access rules for URLs by adding <intercept-url> children directly under the <http> element.

	
	<http use-expressions="true" access-denied-page="/pages/static/accessDenied.jsf">
		<intercept-url pattern="/login.jsf" filters="none" />
		<intercept-url pattern="/pages/static/**" access="isAuthenticated()" />
		<intercept-url pattern="/pages/customer/**" access="hasAnyRole('ROLE_ADMIN','ROLE_CUSTOMER')" />
		<intercept-url pattern="/pages/order/**" access="hasAnyRole('ROLE_ADMIN','ROLE_ORDER')" />
		<intercept-url pattern="/pages/admin/**" access="hasRole('ROLE_ADMIN')" />
		<form-login login-page="/login.jsf" default-target-url="/pages/static/welcome.jsf"
			authentication-failure-url="/login.jsf?state=failure" />
		<logout logout-success-url="/login.jsf?state=logout" />
	</http>

-Taglib Spring Security

Sometimes, it is better to hide some unauthorized links rather than letting them available and showing the access denied page when they are requested.

Spring Security has its own taglib which provides basic support for accessing security information and applying security constraints in JSPs. [3]

To use Spring security taglib in JSP pages, you need to add the taglib declaration to your project as shown in the source code bellow:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:authorize ifAllGranted="ROLE_USER">
  Utilisateur : <sec:authentication property="principal.username"/>
</sec:authorize>

To use Spring security Taglib in a facelets pages is a little bit more complicated.

  • We need to add XML namespaces declaration for Spring security taglib into facelet page as highlighted in this source code.
<html xmlns="http://www.w3.org/1999/xhtml"
	xmlns:h="http://java.sun.com/jsf/html"
	xmlns:f="http://java.sun.com/jsf/core"
	xmlns:ui="http://java.sun.com/jsf/facelets"
    xmlns:rich="http://richfaces.org/rich"
    xmlns:sec="http://www.springframework.org/security/tags">
  • Create springsecurity.taglib.xml file into the WEB-INF file and a param declaration to reference this file in the web.xml file.
	<context-param>
		<param-name>facelets.LIBRARIES</param-name>
		<param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
	</context-param>

This is the source code of springsecurity.taglib.xml I used in this prototype project. But this file has to be changed if you are using JSF 2.0. For more detail, read the spring documentation in this link.

<?xml version="1.0"?>
<!DOCTYPE facelet-taglib PUBLIC
  "-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN"
  "http://java.sun.com/dtd/facelet-taglib_1_0.dtd">
<facelet-taglib>
	<namespace>http://www.springframework.org/security/tags</namespace>
	<tag>
		<tag-name>authorize</tag-name>
		<handler-class>org.springframework.faces.security.Jsf12FaceletsAuthorizeTagHandler</handler-class>
	</tag>
	<function>
		<function-name>areAllGranted</function-name>
		<function-class>org.springframework.faces.security.Jsf12FaceletsAuthorizeTagUtils</function-class>
		<function-signature>boolean areAllGranted(java.lang.String)</function-signature>
	</function>
	<function>
		<function-name>areAnyGranted</function-name>
		<function-class>org.springframework.faces.security.Jsf12FaceletsAuthorizeTagUtils</function-class>
		<function-signature>boolean areAnyGranted(java.lang.String)</function-signature>
	</function>
	<function>
		<function-name>areNotGranted</function-name>
		<function-class>org.springframework.faces.security.Jsf12FaceletsAuthorizeTagUtils</function-class>
		<function-signature>boolean areNotGranted(java.lang.String)</function-signature>
	</function>
	<function>
		<function-name>isAllowed</function-name>
		<function-class>org.springframework.faces.security.Jsf12FaceletsAuthorizeTagUtils</function-class>
		<function-signature>boolean isAllowed(java.lang.String, java.lang.String)</function-signature>
	</function>
</facelet-taglib>

  • Add this dependency to the pom.xml file
		<dependency>
			<groupId>org.springframework.webflow</groupId>
			<artifactId>spring-faces</artifactId>
			<version>2.2.1.RELEASE</version>
		</dependency>

Usually, the admin menu panel is visible only for users having the admin role. To implement this behavior, the panel source code is nested into the spring security authorize tag.

<sec:authorize access="hasAnyRole('ROLE_ADMIN')" >
	<rich:panelMenuGroup label="Admin">
		<rich:panelMenuItem >
				 <h:outputLink value="../admin/admin.jsf" >Users</h:outputLink>
		</rich:panelMenuItem> 
	</rich:panelMenuGroup>
</sec:authorize>

-Method authorization

Spring security allows method execution authorization management. It provides annotations which can contain expression attributes which are applied before and after the method invocation. To enable support for them, the attribute global-method-security has to be assigned the value enabled:

<global-method-security pre-post-annotations="enabled"/>

The source code above is added to application-context-security.xml file.

In this example we made a choice to allow only users having ROLE_CUSTOMER role to add customers.

import com.mycompany.dao.ICustomerDao;
import com.mycompany.entity.Customer;
import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
import org.springframework.security.access.prepost.PreAuthorize;

public class CustomerDao extends HibernateDaoSupport implements ICustomerDao{

    @PreAuthorize("hasRole('ROLE_CUSTOMER')")
    public void save(Customer customer) {
        getHibernateTemplate().save(customer);
    }

// Other methods ....

}

To test Spring method execution authorization, we created a user “orderManager” which doesn’t have the role ROLE_CUSTOMER. When this user tries to save a customer, the application display the caught error message “Access is denied”.

Application example (Access is denied message)


Spring Security is a powerful framework to secure JEE applications. It has many other features to manage authentication and access-control services for java/JEE applications. I had used Spring Security since the project had a name Acegi. I think that the framewok has made a lot of progress and I recommend it for Securing web applications.

Reference:
[1] en.wikipedia.org
[2] searchsecurity.techtarget.com
[3] www.springsource.org

Enhance your pictures with Gimp

Gimp is an open-source alternative for Photoshop. It has all basic picture editing tools and many advanced features. It is a freely distributed program for such tasks as photo retouching, image composition and image authoring. It is compatible with most operating systems (Windows, Linux, MacOS X …).

Gimp has many tools to manage color saturation, brightness, contrast … The picture bellow presents the GIMP user interface and how to adjust a picture color curve.

In this portrait image I made some other changes in the background of the picture like hiding some part and applying a blur filter. There is a lot of free tutorials about Gimp. To make those changes I used this link : http://gimpguru.org/tutorials

Original picture

Modified picture

I think GIMP is very good tool to edit and enhance pictures. I find it better than pictures editing software provided with my camera which are a little bit basic and which change from one constructor to another.

Cloud computing

We read a lot of articles about Cloud computing in IT magazines and blogs. It reminds me the SOA phenomenon four years ago. Until now I don’t see a big impact of this technology in enterprise information systems. But, it seems attracting the interest of information systems managers.

   

Photo credit: photocillin

Today I’m curious to know what will be the real impact of cloud computing in enterprises information systems and in applications development?

What is Cloud Computing?
Wikipedia defines cloud computing as an Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.

Cloud computing is delivered as a service accessible through the Internet. These services are broadly divided into three categories.

Infrastructure as a service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. [1]

Platform as a service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.[1]

Software as a service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. [1]

The table bellow present the services provided by each type of cloud service.

Application Runtimes Database Virtualization Server Storage Network
IaaS
PaaS
SaaS

Cloud computing comes in three forms: public clouds, private clouds, and hybrids clouds.

Private cloud is one in which the services and infrastructure are maintained on a private network. These clouds offer the greatest level of security and control, but they require the company to still purchase and maintain all the software and infrastructure, which reduces the cost savings. [2]

Public cloud A public cloud is one in which the services and infrastructure are provided off-site over the Internet. These clouds offer the greatest level of efficiency in shared resources; however, they are also more vulnerable than private clouds.

Hybrid cloud is a cloud computing environment in which an organization provides and manages some resources in-house and has others provided externally. Ideally, the hybrid approach allows a business to take advantage of the scalability and cost-effectiveness that a public cloud computing environment offers without exposing mission-critical applications and data to third-party vulnerabilities. [1]

Cloud Computing impact in enterprise application development
Developing application for the cloud needs some new skills from developers. Because Cloud developing has some specific constraints that they need to deal with:

  • Using new kind of databases non-relational ones (Cassandra, MongoDB …), map-reduce frameworks.
  • Building for the cloud requires designing stateless applications.
  • There’s no concept of a local disk and there’s no registry.
  • Different parts of an application might be in many places in the cloud.

All of these issues means that building for the cloud requires new thinking about the system architecture and an emphasis on leveraging massive scale. [3]


I think that cloud computing will change the way we purchase, use and develop applications. Users have a good experience with some web applications like Mail, CMS, CRM (salesforce)… Some of the larger IT firms (like Google, Amazon, Microsoft, VMware, IBM …) are investing in this technology. I think software and ERP editors are more attracted by migrating their products to the cloud. They give access to their product on a SaaS model. But specific functional application development will resist more to change.

Refrence:
[1] http://searchcloudcomputing.techtarget.com
[2] http://www.dummies.com
[3] http://www.infoworld.com