Monday, August 08, 2011

Security Flaw with IU CAS-Enabled Web Sites

There is a security flaw in many of IU's online services (such as the time off system and the document workflow approval system--see http://kb.iu.edu/data/akui.html): they use CAS for single sign-on but don't provide a CAS "log off". If you log into one of these services, you are logged into every CAS-enabled service until your session expires, perhaps without realizing it.  The only way I know to log off after CAS login is to go through IU's OneStart portal, which does have a CAS log-off.

For example, if you log in to the EPTO service to record your time off, you are also logged into OneStart and everything else.  If you leave your laptop or workstation unattended while the CAS session is still valid, I can sneak over and access all of your private employee information by pointing your browser to OneStart.

Wednesday, July 27, 2011

GCE11 Workshop Scheduled

The Gateway Computing Environments 2011 workshop will be at Supercomputing 2011.  Submissions are open and welcome.  See http://www.collab-ogce.org/gce11/index.php/Main_Page  for more information.

Changing Apache Rave's backing database

Apache Rave provides software for running a social networking portal. The default download uses the H2 in-memory relational database on the backend. To change this to MySQL, PostgreSQL or another external database, you need to do the following:
  • Edit the file rave-portal/src/main/webapp/WEB-INF/dataContext.xml to use the desired JDBC driver; and
  • Download the appropriate database driver jar file and place it in the WEB-INF/lib directory of your portal's tomcat server.
    • If you are starting the server with "mvn cargo:start", this is rave-portal/target/tomcat6x/webapps/portal/WEB-INF/lib/
    • You probably will want to install the JDBC driver jar in your local Maven repository and put the dependency in rave-portal/pom.xml.
It is also worth reviewing the dataContext.xml file.  The H2 database's default user name and password are set here (you will probably want to change them), and H2 runs a console on port 11111.  You can point your browser to http://localhost:1111/ and log in.  You can also change the default behavior of H2 to use files for persistence.

Thursday, June 23, 2011

Implementing account creation in Apache Rave

Apache Rave (http://incubator.apache.org/rave/) is an Apache Incubator project to build a Web portal and services on top of Google's OpenSocial and W3C's Widget specifications.  We're writing Rave from scratch using the Spring (version 3) framework.  These are notes on adding a basic user registration feature. The code described below is open source and will soon be in Rave's SVN.  I'll assume general familiarity with Spring.  If not, check out Rave's source code and walk through it.  The notes below will tell you where to look, but I won't include all the code.

Rave's user management is built around the following classes:

  1. User:  this is a data model class that represents a user (name, password, etc).  Spring (and JPA) manage the object-relational mappings between User objects and the relational database storage.
  2. UserService:  this is an interface that allows you to interact with the User data model.
  3. UserRepository: this is an interface that allows you to interact with the backend database. We use JPA for object-relational mapping.
  4. DefaultUserService: this implements the UserService interface and interacts with the UserRepository (and thus the JpaUserRepository).
  5. JpaUserRepository:  this implements the UserRepository interface and provides access to the javax.persistence.EntityManager, which handles the database persistence.
There are similar classes and interfaces for Rave's widget, page, and region data models.  Spring of course handles all the dependency injection (it makes sure DefaultUserService gets an instance of the UserRepository implementation, for example).  JPA takes care of the CRUD operations.

We'll now need to implement two pieces of code: an account registration form (newaccount.jsp) and a Spring controller class to intercept our form actions (NewAccountController.java).  The registration form and associated action URL both need to be accessed by unauthenticated users, so we modify Rave's applicationContext-security.xml file accordingly (see Rave code for full example).

NewAccountController needs to do three things: get access to the UserService implementation (Spring injects this), create a new User object, and use the UserService to insert the new User object into the repository.  Once a user is registered, NewAccountController redirects to the login page.
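One way NewAccountController could be written, as an added example here rather than the code going into Rave's SVN. The Spring MVC and Spring Security 3 annotations and the PasswordEncoder interface are real; the Rave-side details (import paths, the getUserByUsername and registerNewUser service methods, the User setters, and using the username as the hash salt) are assumptions.

```java
import java.util.regex.Pattern;
import org.apache.rave.portal.model.User;                // Rave's User data model (import path assumed)
import org.apache.rave.portal.service.UserService;       // Rave's UserService interface (import path assumed)
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class NewAccountController {
    // Letters, digits, '.', '_' and '-' only, 3 to 32 characters.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{3,32}");
    private final UserService userService;         // Spring injects the DefaultUserService bean
    private final PasswordEncoder passwordEncoder; // the encoder configured for Spring Security

    @Autowired
    public NewAccountController(UserService userService, PasswordEncoder passwordEncoder) {
        this.userService = userService;
        this.passwordEncoder = passwordEncoder;
    }

    // Bind individual fields rather than the User entity, so a crafted POST cannot set columns
    // the form never exposes (enabled flags, roles, ids). GET for the form itself is omitted.
    @RequestMapping(value = "/newaccount", method = RequestMethod.POST)
    public String createAccount(@RequestParam("username") String username,
                                @RequestParam("password") String password,
                                @RequestParam("confirmPassword") String confirmPassword,
                                Model model) {
        // Server-side validation; checks in newaccount.jsp alone are not enough.
        if (!USERNAME.matcher(username).matches()) return reject(model, "Invalid username.");
        if (password.length() < 8) return reject(model, "Password must be at least 8 characters.");
        if (!password.equals(confirmPassword)) return reject(model, "Passwords do not match.");
        if (userService.getUserByUsername(username) != null) return reject(model, "Username taken."); // assumed method
        User user = new User();                    // setter names below are assumed
        user.setUsername(username);
        // Store a hash, never the raw password; the salt must match the SaltSource the
        // authentication provider uses (the username is assumed here).
        user.setPassword(passwordEncoder.encodePassword(password, username));
        userService.registerNewUser(user);         // assumed: inserts through UserRepository/JPA
        return "redirect:/login";                  // once registered, redirect to the login page
    }

    private String reject(Model model, String message) {
        model.addAttribute("error", message);      // re-render the form with the problem, no redirect
        return "newaccount";
    }
}
```

The /newaccount URL must be listed as accessible to unauthenticated users in applicationContext-security.xml, as described above.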

This is pretty basic functionality, and there's a lot left to do. As an Apache Software Foundation incubator project, Rave is not only open source but community driven.  If you want to participate, check out the code from SVN, create an account on Rave's Jira system (https://issues.apache.org/jira/browse/rave), create issues and submit patches.  Frequent contributors can become full project members.

Wednesday, May 11, 2011

Chembiogrid and Chembiocloud

We had some adventures in domain hosting.  If you are looking for the correct version of the ChemBioGrid website, please see http://www.chembiogrid.info or http://www.chembiocloud.org.  These sites contain links to Web services, databases, and other useful stuff from the NIH funded CICC project.  The chembiogrid.org site is currently outside our control.