The domain model and hibernate mapping were really basic – Descriptor object has reference to List of Note objects:

public class Descriptor{
    private Long id;
    private List<Note> notes = new ArrayList<Note>;

    public void addNote(Note note){
       note.setDescriptor(note);
       this.notes.add(note);
   }
   //getters and setters omitted for clarity
}
public class Note{
    private Long id;
    private String text;
    private Descriptor descriptor;
    //getters and setters omitted for clarity
}
<class name="Descriptor" table="t_descriptor">
        <id name="id" type="long" unsaved-value="null">
            <generator class="sequence">
                <param name="sequence">s_descriptor_id</param>
            </generator>
        </id>

        <list name="notes" cascade="all"
            <key column="descriptor"/>
            <index column="id"/>
            <one-to-many class="Note"/>
        </list>
</class>
<class name="Note" table="t_note">
        <id name="id" type="long" unsaved-value="null">
            <generator class="sequence">
                <param name="sequence">s_note</param>
            </generator>
        </id>
        <property name="text" column="text" not-null="true"/>
        <many-to-one name="descriptor" column="descriptor" not-null="true"
                     class="Descriptor"/>
    </class>

Looks simple, but when i run the test for the code above, i got dreaded primary key unique constraint exception.
After a bit of though, i was able to kick myself for not noticing the problem:
The notes property of Descriptor class is mapped with cascade=”all” meaning all save, updates, deletes with apply for the child objects as well. However, the inverse is set to false (inverse property is missing, defaults to inverse=”false”) – making both sides of the bi-directional relationship responsible of taking care of the relationship. SO Hibernate generates two insert statements, one because of cascade=”all”, and one as part of inverse=”false” rule.
The solutions is to set inverse=”true” on notes property mapping – this will make just one side of bi-directional relationship responsible for relationship, and the Hibernate will issue just one insert statement for the Note object.
Here is the correct piece of mapping:

        <list name="notes" cascade="all" inverse="true">
            <key column="descriptor"/>
            <index column="id"/>
            <one-to-many class="Note"/>
        </list>

Huh! Cascade and inverse properties when mapping collections in hibernate simplify the development, and improve performance if used correctly, but beware of the pitfalls of unsuspected exception.
To read more go to the Hibernate website or read this blog: http://www.codeweblog.com/hibernate-in-the-inverse-and-cascade/

I was working on a pretty much straight-forward web application. As usual, i used Spring’s org.springframework.context.MessageSourcesupport, to be more precise, i used standard implementation – ResourceBundleMessageSource. Simple configuration, as following:

<bean id="messageSource"
                 class="org.springframework.context.support.ResourceBundleMessageSource">
          <property name="basename" value="messages"/>
</bean>

My messages properties file was standard as well, country names, so i had something like this:

country.name.unitedkindom=UK
country.name.ireland=Ireland
country.name.belgium=België
country.name.iceland=Ísland
country.name.israel=Israel...

As you can guess, the problems developed with specific characters in country names(ë, Í…). When i run the application, i got ‘???’ characters instead of specific UTF-8 characters for countries (so ‘België’ become ‘Belgi???’).

After some research, and digging in Spring source code, i located the problem, and the solution!

The problem was that ResourceBundleMessageSource uses the standard java.util.ResourceBundle and
java.util.Properties, which only support ISO-8859-1 encoding – so no UTF-8 encoding, no support for any special French, Spanish or Asian characters.

The solutions is very simple, and it comes with Spring as well. Use ReloadableResourceBundleMessageSource instead! Here is the correct configuration:

<bean id="messageSource";
                     class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
         <property name="basename" value="classpath:messages"/>
         <property name="defaultEncoding" value="UTF-8"/>
</bean>

As you can see, we are now able ot set default encoding explicitelly, so the countries names in my example worked like charm. The only other change was that the basename is now specified as Resource, so i was able to use convenient classpath: identifier to specify my messages.properties wherever i need it in the source code

There were 3 very useful talks (and a very good lunch after:) – as expected of Oracle I guess.

The conference was aimed at large organizations, with considerable amounts of sensitive data stored in Oracle databases and the way in which they store and transport the data.

i) Oracle provides pretty useful tool for encrypting all data in a database transparently, so applications and users still see data as normal, but the data is encrypted internally. It is the question of just turning it on and selecting the encryption algorithm for it to be used (from Enterprise Manager Web Interface) and the actual data stored in data files on hard disk drive will be encrypted on the actual medium.
With encryption turned on, if anyone gets hands on the hard drive from database server, or if someone nicks the entire server from the data centre (not unheard-of ) for example, actual data will be scribbled and so of no use to the intruder.

ii) Another utility shown provides a way to encrypt the database backups and exports as well, which can then be transported without fear of losing it (even if someone leave the DVD on the train or it gets lost in the post), the data will actually be encrypted, therefore unreadable, before it reaches the destination. The Oracle 10g+ Data Pump utility for data import/export support this out of the box.

iii) Finally, a couple of very useful tools for data masking. Imagine a complex application that deals with large amounts of data. In order for it to be developed as scalable, and to perform good, without bugs, the development and testing teams would require the real world data for the development process. However, since the data contains sensitive information, it cannot be given to them in its raw form. What development teams then resort to is the local database, with imaginary data. However, development or testing databases populated in this way usually don’t have the required amount of data (which may be in millions on the production system). What would be better is to use the actual production data, but with the sensitive columns masked, so they are unreadable, and therefore unavailable for any misuse while held at development and testing machines.
The demo shown used just a couple of mouse clicks to mask all sensitive data columns (names, email addresses, NI numbers…) – so ‘John Smith’ becomes ‘jhkjh laskjlkjlk’ for example. There are advance features as well, so you can mask sensitive columns but keep them human-readable, by using a set of rules or even an another set of data – so you can mask ‘John Smith’ to ‘Peter Taylor’ in the masked database. The masking process can be deterministic or not, depending on the security constraints. The deterministic approach is a bit less secure, but the data will always be masked in the same way, no matter how many times the masking process is run (therefore ‘John Smith’ from production database will always be masked as ‘Peter Taylor’ – so the testing teams can pick the ‘peter Taylor’ record every time, and each time be sure they are using the same database row as before). The non-deterministic approach will mask the data differently every time the masking is applied.

Each of these looks very useful and easy to use (on the demo at least:)). The demos shown used an Oracle Enterprise Manager web application to do the tasks, from the browser, but it is possible to run each of the from the command line or sqlplus as well.

Further resources:
http://www.oracle.com/technology/deploy/security/database-security/index.html
http://www.oracle.com/technology/products/oem/pdf/ds_datamasking.pdf
http://www.oracle.com/technology/deploy/security/database-security/transparent-data-encryption/index.html

If you want to pass object from subflow to its parent flow, you should declare it as output parameter in the end state of the subflow:

    <end-state id="endUpload" view="endupload" >
        <output-mapper>
            <mapping source="${flowScope.subflowResult}" target="subflowResult"/>
        </output-mapper>
    </end-state>

Note that the source argument is the parameter value as it is referenced in current flow (subflow), including the scope qualifier. Target is the text value, which will be the key in the generic parameters map that is transfered between subflow and its parent.

In the parent flow, you must declare output-mapper in the subflow-state section:

   <subflow-state id="uploadFile" flow="upload-flow">
        <attribute-mapper>
            <output-mapper>
                <mapping source="${subflowResult}" target="flowScope.result"/>
            </output-mapper>
        </attribute-mapper>
        <transition on="endUpload" to="startPublication"/>
    </subflow-state>

Now there is one very important difference in the output mapper: the source parameter is now the text, defining the key in the generic parameter map transfered from subflow, and the source is the the parameter name in the current flow (now parent flow) – including the scope qualifier.

And thats it!

If you want to do the oposite, pass the object as a parameter from the parent flow to the subflow, you will do similiar thing, only this time you will be dealing with input-mappers:
In parent flow definition, you will add input-mapper to the subflow-state definition:

<subflow-state id="transition" flow="workflow-flow">
        <attribute-mapper>
            <input-mapper/>
                <mapping source="flowScope.parentFlowParameter" target="parentFlowParameter"/>
            </input-mapper>
        </attribute-mapper>
        <transition on="done" to="done"/>
    </subflow-state>

And it the subflow, input mapper is needed at the beginning of the flow definition file:

<input-mapper/>
        <mapping source="parentFlowParameter" target="flowScope.myparameter"/>
</input-mapper>

I hope this will help some of you dealing with the same problem.

Let’s see how to enable this functionality with Acegi Security.

Firstly, add org.acegisecurity.concurrent.SessionRegistry implementation bean to your security context:

<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" />

We are using default Acegi implementation org.acegisecurity.concurrent.SessionRegistryImpl.

Next, define the org.acegisecurity.concurrent.SessionController bean:

    <bean id="sessionController" class="org.acegisecurity.
           concurrent.ConcurrentSessionControllerImpl">
        <property name="exceptionIfMaximumExceeded" value="true"/>
        <property name="maximumSessions" value="1" />
        <property name="sessionRegistry" ref="sessionRegistry"/>
    </bean>

As you can see, it takes sessionRegistry property, as well as two additional properties maximumSessions and exceptionIfMAximumExceeded.
maximumSessions says how meny concurrent login sessions are allowed (in our case just one)
if exceptionIfMAximumExceeded property is set to true, exception will be thrown every time the user tries to login concurrently. You can check this exception in your login controller and display user with a message.
Otherwise, if exceptionIfMAximumExceeded property is set to false, exception will NOT be thrown. If user tries to login concurrently, he will be allowed, but his last login session (before the concurrent one) will be invalidated.

Last step is to add sessionController property to your ProviderManager bean:

     <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider"/>
			</list>
		</property>
        <property name="sessionController" ref="sessionController"/>
    </bean>

And you’re ready to run.

Some users have encountered problems with concurrent logins: If a user logs out, and then tries to log in again, the ConcurrentLoginException is thrown, so user cannot log in again. This happens when Acegi logout does not remove the session data for the user that has been logout out (before his login session has expired)
In order to fix this, you can manually clear the authentication session for the user that’s logged out:

public void logout() {
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null) return;
        Authentication authentication = context.getAuthentication();
        if (authentication == null) return;
        String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(authentication);
        this.sessionRegistry.removeSessionInformation(sessionId);
}

You will also need this code to be run when Acegi session gets unpublished.
For this implement org.acegisecurity.ui.session.HttpSessionEventPublisher, and configure listener for it in your web.xml:

public class MyHttpSessionEventPublisher extends HttpSessionEventPublisher {
    private static final Log logger = LogFactory.getLog(MyHttpSessionEventPublisher.class);
    private UserContext userContext;

    public void sessionDestroyed(HttpSessionEvent event) {
        logger.info("unpublishing session");
        if (userContext == null) {
            this.userContext = lookupBean(
                        WebApplicationContextUtils.
                             getWebApplicationContext(
                              event.getSession().getServletContext()),
                       "userContext",
                       UserContext.class);
        }

        this.userContext.invalidate();
        super.sessionDestroyed(event);
    }

    private  T lookupBean(final ApplicationContext applicationContext, final String beanName, final Class c) {
        //noinspection unchecked
        return (T) applicationContext.getBean(beanName, c);
    }
}

In web.xml you will have:

<listener>
        <listener-class>net.cakesolutions.service.security.acegi.BimHttpSessionEventPublisher</listener-class>
</listener>

And you’re ready to go.

Hope this article has helped anyone in configuring concurrent logins with Acegi Security.

Malicious user can change any header of your message this way, to, cc, bcc fields, content-type, even the actual message.

Message body can be changed in the same way, only without the header name. But note that body added like this will be PREPENDED to the email message. So if someone uses your email form to send an email message with new body he/she can enter the follwing in the available form filed (in our case recipient address):

recipient email: johndoe@serbiancafe.com%0Asubject:this is new even subject.%0AThe Spam message body, you didnt want this, but it will come to your inbox

And without knowing it, your ‘email this page to a friend’ form will become the source of spam!

Now how to resolve this issue?
You shpuld check all the fields that are available for user input in your email form for and characters (‘\n’ and ‘\r’ in your java code).

You have two approaches available. You can either:
1. reject to send any email that contains any of these characters (recommended)
2. remove the characters and send the email as it is

The java code that does this is very simple:


public static boolean isHeaderInjection(String value) {
if (value == null) return false;
if ((value.indexOf("\n") != -1 || value.indexOf("\r") != -1) || value.indexOf("%0A") != -1) {
return true;
}
return false;
}


Make sure to check all your email form fields, and you should be safe from this kind of attack.

It comes after sleepless night watching Australian Open (Djokovic and Ivanovic joined Jankovic in the semis, and in style, was worth it:)).

Some interesting times ahead, with Pro Spring 2.5 book work nearing the end, and few new projects coming.

I am currently working on some JMX management on Weblogic 9.2, will keep you posted how it goes.

Hopefully this is just a start of regular blog posting for me.

See you soon!