Authentication on Rails

You may have heard me whine that Rails isn’t going to replace Java anytime soon. You probably heard from me as well that it is a fad. Well, it’s been almost 6 years since its launch and it has already proven it’s here to stay. Like a lot of technologies, it has also made its way into my own likings as well. I just can’t say I like Ruby yet, but Rails is a nicely written framework.

I’ve been developing a rails app for a RPG community project, and one of the features I had to add in was authentication. Coming from the CakePHP camp, I was expecting to find something similar to Cake’s Auth component in the Rails core, but they did not have it. Instead the community has a wide variety of plugins, although the restful_authentication plugin is the most popular.

I tried using it and had a couple of newbie issues. First off, when I ran script/plugin install using the git URL, it didn’t do anything, but also didn’t give me an error, so I thought it was installed. So when I tried running script/generate authenticated … it told me that the generator was not installed. It took me a while to figure out that plugins are installed under the vendor folder, and when I went there, the directory was blank. It also took me a while to figure out that this was due to not having git installed, so I went ahead and downloaded git.

Plugin installation went fine, and the generator also ran fine after that, but when I tried the /signup URL, it gave me:

NameError in AccountsController#new

uninitialized constant Account::Authentication

So after some googling, I found nothing. Looking at that error, I checked the model the generator created, and it turns out that Account::Authentication was supposed to be populated by include Authentication, but the module wasn’t being found to include.

What I had to do in order to solve it was copy the contents of the lib folder in vendor/restful-authentication/lib to the main application /lib folder.

I thought I’d share so one may find this post when having that error and hopefully not lose 3 hours over it like I did.

The Prototype life, Ajax universe and JavaScript everything

From the very beginning of the Ajax days I was an anti-framework guy. The XMLHttpRequest object has a pretty straightforward API, easy enough not to need any abstraction layer on top of it. I also took the X in Ajax for real, and used Ajax async calls to call RESTful services on the server side (I didn’t know they were called RESTful services back then) and process the XML returned from them in JavaScript, in order to update elements of the page using the DOM.

As I was exposed to more fellow Ajax developers, and also some server-side frameworks such as Rails and CakePHP, I realized everyone was using it in order to pull partial page renders from the server itself, instead of handling XML on the client side. Although it all started with that Apple Developer Connection article for me, and that already pointed me to the “right way”, I must admit that I fell in love instantly with all of a sudden being able to treat my server as a “business service server” and have the user interface on the client side.

I started looking for a way around the browser quirks and repeated JS code, and by then the most used framework was Prototype. But Prototype was all too simple and didn’t have any UI components, so it made things only a bit easier. I looked into Dojo, and found something new to love.

So I grew older, and as I got older I also got lazier, and I ended up finally allowing myself to get interested in Rails and CakePHP and other agile frameworks, all of which used Prototype as their underlying JS library of choice. I started using the built-in Ajax capabilities of those frameworks, and tried my best not to cringe at the idea of pulling partial HTML from the server side. It turns out it makes things quite simple for people used to server-side development, but still I wouldn’t use it if it weren’t a part of the frameworks.

The Prototype experience came to me a little late, since seemingly everybody was using it while I was still hacking Dojo to get my share of client-side code up and running, and now the hype has been growing constantly over jQuery. I recall looking at it once and thinking “yeah nice, CSS selectors in JavaScript, but where are the widgets?”. Well, it seems I found another JS-head, Simon Willison, who thought the same thing at first look, but decided to dive deeper than I ever did, and seems to have made the case for one to use it.

His blog article got me interested again in jQuery and I will definitely look into it for the next rich-interface webapp I build. Great work there Simon, I’m just sorry to have found it a couple of years later than when you posted it.

Windows and open source

I’ve been known among my friends for pushing people to use quality open source software instead of illegal copies of copyrighted software, or unregistered versions of shareware programs. I’ve also been putting off the day to blog about this for a while, for some reason.

After using a Mac for only a few hours (I bought my wife a MacBook that I tend to take the “look, don’t touch” approach with, in order to let her feel like its true owner and customize it her way), I clearly understood why Apple becomes a religion to most people. There’s so much aggregated value in Mac OS itself and iLife, which ships with all new Apple computers since 2008 at least, that you might as well do without installing a single piece of software on it.

Now if you look at Windows, there may be some of that too: where Apple has iTunes, they have Windows Media Player. Where the Mac has Mail, Windows has Microsoft Exchange… So why is Mac OS more pleasant to people? Simple answer: Apple’s products don’t feel half-assed. Why is Windows Media Player such a resource hog, and why does it take me anywhere but my own music when I open it? I could go on about this all day, but my point is, Windows is NOT pleasant to use out of the box.

Does that make it a bad OS? Well, if you compare it to, say, Kubuntu, it’s definitely far superior in the usability aspect. Sure, Amarok beats WMP’s sorry behind, and Konqueror is sexier than IE, but it’s still broken. I tried using Kubuntu with KDE4 almost exclusively for the last year, but felt relieved when I finally took the decision to ditch it and go with Windows instead.

What makes Windows usable is the endless number of add-ons, packages and applications you can use to make it better. It’s more of a platform for creating your own OS, in a way. I chose to create mine using lightweight, quality open source software.

So without further ado, here’s a list of the open source software I use, endorse, and can’t live without on Windows:

  • Browser – Mozilla Firefox – If you’re reading this blog you know all I can tell you about it. I have to admit I’ve been using Google Chrome more than it, but Firefox still has the best add-on support and I find myself resorting to it for the great Firebug, FireFTP, DownThemAll and ChatZilla add-ons.
  • Music Player – Songbird – Songbird is the closest thing you’ll get to an open source iTunes. I love iTunes’ interface, but I hate being locked in to a store I can’t shop in (the Apple Store won’t sell anything but iPhone apps to Brazil), so Songbird unlocks the potential of the iTunes library to a broader set of (you guessed it) add-ons.
  • CD Recorder – InfraRecorder – Now here’s something I’m proud to have found. I was sick of having to install the monolithic Nero every time I wanted to record a CD on Windows. The built-in CD recording capabilities are seriously lacking, and InfraRecorder handles anything from MP3 CDs to audio, to DVD video and DVD data discs. It also burns images in both the bin/cue and ISO formats. All that in a 5 MB install footprint, all open source.
  • Code Editor – Notepad++ – I must admit I was a die-hard vi fan. I used gvim on Windows for quite a while, and it served me well, but I grew tired of the whole <esc>:something thing. I was looking into TextPad, which is what most of the people in the coding business use for quick file opens with syntax highlighting, and as usual looked for an open source alternative. I stumbled into Notepad++, which is a godsend. The syntax highlighting works awesomely, it has an explorer plugin that allows me to open files as I go while developing with Rails or CakePHP, and it also has some nice plugins for syncing with remote FTP servers and for pretty-printing HTML and XML.
  • Archiver – 7-Zip – I can’t say enough about this open source archive handler. It handles all formats, and does so with style. The VB interface (as much as I hate VB) is flawless, and it also integrates nicely into the shell right-click menus. Their own .7z format allows for better compression than any other algorithm I’ve seen as well, and I’ve been converting people using WinRAR and WinZip to 7-Zip with 100% success so far. Get rid of those silly “UNREGISTERED” messages and go with the best, open source solution.
  • Launcher – Launchy – If you ever heard of Quicksilver for the Mac, Launchy would be the closest thing on Windows. Basically you press alt-space and it brings up a “command line” where you can type in anything from a PuTTY session name to a command prompt command or a bookmark title, and it fires up the right program for you, already positioned where you want to be. Anything on your computer is just an alt-space away.

As a side note, I’ve been doing some Rails development, and this blog post has a nice Notepad++ setup with syntax highlighting and shortcuts for .erb files.

I wish it had an integrated command prompt window like Kate does in Linux/KDE4.

The rotten and broken music industry and the press

The music industry is a declining business, as we all know by now. The internet has shifted control from record labels and publishers to the artists, breaking their monopoly on the most valuable thing in the business: the listeners.

Alongside that, we’re also seeing the printed press die. Newspapers were among the first to take the hit, both from a generation uninterested in and unwilling to go to a news stand and buy a paper, and from the lack of advertising caused by the shift of the classifieds business to the internet, through eBay and craigslist, and the targeted ads offered by new technologies such as Google AdWords and even ad networks such as DoubleClick.

Despite the really bad scenario for both media, boy was I surprised to read this announcement by my former guitar teacher and good friend Breno Teixeira, stating that a new music magazine in Brazil asked him for R$ 1k to publish an interview alongside a track on the CD that comes bundled with it.

How stupid is that? I mean, artists are the ones who generate content for those magazines. Content is what draws what’s left of their audience to them. It seems the magazine thinks it is the middle man, the record label, the only means to reach the audience, and wants to charge artists for access to its precious audience.

I call you all to join this cause and link to Breno’s post to spread the word on the internet and hopefully hit the said magazine with a major punch in the stomach, because that’s what they deserve. Am I trying to start a mob? Hell yeah, I am.

Breno’s Original Post

Interface Mockups

During agile project planning meetings, we usually find ourselves having to sketch a mockup of the user interface in order to make sure that both we and the client understood what will be done, and to improve that discussion as well.

If you’re on-site with your client, it’s a no-brainer: just pick up a piece of paper and a pencil and draw it up. But what if you’re on opposite corners of the world? One way would be to use a video camera to capture it, but live video over the web is usually low resolution, which would make it impossible to fully see what you’re trying to picture. You would have to take pictures, and pictures are not that easy to modify anyway.

I find myself in that very position, having been doing projects for people around the globe through GetAFreelancer.com and other freelance websites. One of the guys I worked with, Ken Naza, pointed me to a great piece of software he uses for creating interface mockups. Balsamiq is a simple Flash tool in which you draw using pre-built components, pretty much like crafting a mockup in Visio, and then export to XML. You and your client can send that XML back and forth and refine the mockup till you’re both happy with it.

Here are some sample J2ME and web mockups I’ve crafted with it, for your viewing pleasure. I’m totally pleased with them, and they look remarkably similar to the ones in “Agile Web Development with Rails”.

(image) Website mockup

(image) J2ME app mockup

MD5 and SHA1 hashes on PHP and JBoss AS

So, a hash is a hash, and all you need to do to compare two of them is compare strings, right?

Well, while that is true for the PHP versions of the hashes, the MessageDigest class in the java.security package hashes bytes into other bytes, not strings into strings or bytes into strings. To get a string out of it you have to encode the digest bytes yourself, either as hex (base16, i.e. ff for 255, two characters per byte, so 40 characters for SHA-1 and 32 for MD5) or through another encoding such as Base64, which yields a shorter string (28 characters for a SHA-1 digest, 24 for MD5). Two representations of the same digest bytes will never compare equal as strings.

PHP’s sha1() and md5() take a string and, by default, return the digest already encoded as a lowercase hex (base16) string; only if you pass true as the second (raw output) argument do you get the raw bytes back.

I had a problem trying to get PHP and Java to agree on the same hashes using the DatabaseServerLoginModule in JBoss AS, because by default it encodes hashes with base64 when comparing them to the strings in the database, while PHP was using base16 (hex). To fix that, I had to add this:

    <policy>
        <application-policy name="...">
            <authentication>
                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                    ...
                    <module-option name="hashEncoding">HEX</module-option>
                </login-module>
            </authentication>
        </application-policy>
        ...
    </policy>
Thought I’d share that.

Database backed declarative security in JBoss

This had me looking through the docs for a while, so I thought I would share.

If you need to secure a Java EE app, be it a web or EJB module, and want to use container-managed security instead of coding it yourself, JBoss provides a convenient login module for pulling Principals (users) and Roles out of tables in your database.

What you have to do is edit <jboss_home>/server/<profile>/conf/login-config.xml (for example the default profile) and add an application-policy entry that uses org.jboss.security.auth.spi.DatabaseServerLoginModule. Here’s the one I’m using:

    <application-policy name="CaptchaUserDB">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName">java:/AdminPanelDS</module-option>
                <module-option name="principalsQuery">
                    select password from entry_user where username=?
                </module-option>
                <module-option name="rolesQuery">
                    select role, 'Roles' from entry_user_roles where username=?
                </module-option>
                <module-option name="hashAlgorithm">SHA-1</module-option>
            </login-module>
        </authentication>
    </application-policy>

After that, add the name of your policy to your application’s WEB-INF/jboss-web.xml if it’s a webapp, or META-INF/jboss.xml if it’s an EJB jar:

jboss-web.xml:

    <jboss-web>
        <security-domain>java:/jaas/CaptchaUserDB</security-domain>
    </jboss-web>

jboss.xml:

    <jboss>
        <security-domain>java:/jaas/CaptchaUserDB</security-domain>
    </jboss>

After that, configure security as usual: the @RolesAllowed annotation on the methods or class of your EJBs, or the security-constraint, login-config and security-role elements in the web.xml of your webapp. The role names you use there have to match the values returned by the first column of the rolesQuery.

Further detail can be found in the JBoss documentation.

SOA Security

For all those who ignored security as a major concern of SOA (me included), here’s an excerpt from the soapUI welcome screen today:

Important Notice

Warning! Do not use soapUI to withdraw money! 

Eviware software has been alerted to users using soapUI to withdraw large sums of money from the European National Bank.

So far millions of Euros have left the European National Bank, further enhancing the credit crisis in Europe. The perpetrators have been downloading a WSDL from the European National Bank’s Web Service, using a security flaw to retrieve large sums of money from the European National Bank, “The Fort Knox of Europe”.

“At eviware we take this issue seriously and are working with the people at the ENB to solve the problem,” says Dain Nilsson, Security Expert from eviware Switzerland. “The solution is not many days away, but due to the complexity of the Web Services and the powerful features of soapUI, the WSDL allows for untraceable withdrawals from the ENB.” At eviware we urge all users not to download the WSDL found here and take advantage of a critical situation. Europe has a tough time as it is.

Scary, isn’t it? It might happen to YOUR SOA if you don’t do your security homework.

The time for entrepreneurs and startups

Yes, we all know by now that the world is undergoing one of the worst financial crises in the history of capitalism. Jobs are being cut, work hours and salaries have been reduced, and most importantly, companies are being pushed into making cost cuts and seeking new business partners in order to become more efficient and agile while spending less money.

I could write about how SOA would make your enterprise more agile, and how you could leverage open source SOA tools to make it happen even on tight budgets, but SOA has been getting a lot of bad-mouthing these days, since so many projects have failed to meet the pie-in-the-sky expectations set by all the vendor babble.

Today’s post is about the opportunity that rises from rough financial times: starting your own company. In the Brazilian IT industry most of us have done it already. 90% of the IT workforce are contractors, and 70% of those have their own one-man companies in order to avoid the legal issues of being hired, and to pay lower taxes on their income. So what does it take to push your one-man company into a full-fledged profitable business?

Well, first of all, you obviously need customers. Since you’re probably a contractor like me, you have worked for at least a couple of companies, and probably have a good contact with a project manager or CIO at at least one of them. If you can get them to lend their name as one of your customers, you have a customer portfolio before you know it.

Since companies are looking for new partners, it is your chance to present to both your previous employers and potential clients how you can do what they need cheaper, which leads us to one of the big questions on this subject: why would I be cheaper?

Well, some could defend not charging less than your current employer charges their customers in order to keep everyone’s gains high, but it’s exactly companies such as the one you probably work for right now that customers are trying to get rid of.

If you can manage to be more agile and charge less, the odds are you’re going to catch the attention and praise of your customers, and before you know it you’ll have more work demand than everyone else is getting right now. Also, the companies already established are probably undergoing the same financial issues as everyone else, so if you have less mass, you’ll be less affected by the crisis.

It is a unique time for everyone with the entrepreneurial spirit ready for action; it’s up to us whether we’re ready to get some real money, or to be yet another guy looking for a new, lower-paying job after getting cut from the current one.