Some news from the Neptune Project.

May 8th, 2008

Hi,

My name is Ibrahim Dawid LO and I am a member of the “Super” Cake team; I joined in January.
At the moment I work on the Neptune project, a new version of the Mercury software that Cake has developed for NUSSL.
We are doing lots of interesting stuff. Of course, when you work with Jan, things can’t be boring because he always has plenty of good ideas: “How to make things more intelligent” hahaha ;)
One of the things I am quite proud of is our “intelligent conversion service”, which converts from one unit of measure to another. That on its own is not remarkable; what sets it apart is that the service handles transitive conversions.
For example, using these 3 conversions:

  1. from A to B with rate = x,
  2. from C to A with rate = y,
  3. from A to D with rate = z

Neptune can convert between any pair of the four units of measure (A, B, C, D), for example:

  1. from B to D,
  2. from A to C,
  3. from C to B

In real-world terms: given a conversion from ml to l and one from l to pints, the service can convert from ml to pints without anyone having to define that rule.

Internally, we hold the conversion rules in a directed graph with cycles. If you remember the dark days of discrete mathematics, a graph is a structure usually denoted G(V, E), where V is a set of vertices and E is a set of edges. Here the units of measure are the vertices and each conversion rule is an edge carrying its rate. A rule has to be usable in both directions (the example above converts from B to D although only A to B was given), so the rule from A to B with rate x also yields an edge from B to A with rate 1/x; that is where the cycles come from. A conversion from v1 ∈ V to v2 ∈ V is then a path: an ordered sequence (C) of edges e ∈ E in which each edge starts at the vertex the previous one ended at, v1 is the start of the first edge and v2 the end of the last, and the overall rate is the product of the rates along C.
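As an added worked example (this is not Neptune's code; the class name, the rates and the unit names are made up for illustration, and it needs Java 8 or later), here is a minimal version of such a graph: the post's three rules A→B, C→A and A→D, the ml/l/pints case, and one check the post does not mention. Because the graph has cycles, two rules can contradict each other, and the rates around any cycle should multiply to 1; inconsistentRules() finds the edges that disagree with the rest of the graph.

```java
import java.util.*;

/** Directed conversion graph: an edge u -> v with rate r means 1 u = r v. */
public final class ConversionGraph {

    // unit -> (neighbouring unit -> rate); every rule is stored both ways,
    // which is why the graph has cycles as soon as two rules share a unit
    private final Map<String, Map<String, Double>> edges = new HashMap<>();

    /** Registers "from -> to with rate" and its inverse "to -> from with 1/rate". */
    public void add(String from, String to, double rate) {
        if (rate <= 0) throw new IllegalArgumentException("rate must be positive: " + from + " -> " + to);
        edges.computeIfAbsent(from, k -> new LinkedHashMap<>()).put(to, rate);
        edges.computeIfAbsent(to, k -> new LinkedHashMap<>()).put(from, 1.0 / rate);
    }

    // Breadth-first search: product of the rates along the first path found to each
    // reachable unit. Visited units are skipped, so cycles cannot loop forever.
    private Map<String, Double> ratesFrom(String from) {
        Map<String, Double> rate = new LinkedHashMap<>();
        Deque<String> queue = new ArrayDeque<>();
        rate.put(from, 1.0);
        queue.add(from);
        while (!queue.isEmpty()) {
            String u = queue.poll();
            for (Map.Entry<String, Double> e : edges.get(u).entrySet()) {
                if (!rate.containsKey(e.getKey())) {
                    rate.put(e.getKey(), rate.get(u) * e.getValue());
                    queue.add(e.getKey());
                }
            }
        }
        return rate;
    }

    /** Combined rate from one unit to another, transitive over any number of rules. */
    public double rate(String from, String to) {
        if (!edges.containsKey(from) || !edges.containsKey(to))
            throw new IllegalArgumentException("unknown unit: " + from + " or " + to);
        Double r = ratesFrom(from).get(to);
        if (r == null) throw new IllegalArgumentException("no conversion path from " + from + " to " + to);
        return r;
    }

    public double convert(double amount, String from, String to) {
        return amount * rate(from, to);
    }

    // Integrity check that goes beyond the post: with cycles, two rules can contradict
    // each other (a cycle whose rates multiply to something other than 1). Every edge is
    // compared with the BFS rates of its two ends; the ones that disagree are returned.
    public List<String> inconsistentRules(double tolerance) {
        List<String> problems = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        for (String root : edges.keySet()) {
            if (!seen.add(root)) continue;
            Map<String, Double> fromRoot = ratesFrom(root);
            seen.addAll(fromRoot.keySet());
            for (String u : fromRoot.keySet()) {
                for (Map.Entry<String, Double> e : edges.get(u).entrySet()) {
                    double viaEdge = fromRoot.get(u) * e.getValue();
                    double direct = fromRoot.get(e.getKey());
                    if (Math.abs(viaEdge - direct) > tolerance * Math.abs(direct)) {
                        problems.add(u + " -> " + e.getKey() + ": rule says " + e.getValue()
                                + ", the rest of the graph says " + direct / fromRoot.get(u));
                    }
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        ConversionGraph g = new ConversionGraph();
        g.add("A", "B", 2.0);   // x: 1 A = 2 B
        g.add("C", "A", 5.0);   // y: 1 C = 5 A
        g.add("A", "D", 0.25);  // z: 1 A = 0.25 D
        System.out.println("B -> D: " + g.rate("B", "D"));   // z / x = 0.125
        System.out.println("A -> C: " + g.rate("A", "C"));   // 1 / y = 0.2
        System.out.println("C -> B: " + g.rate("C", "B"));   // y * x = 10.0

        // the post's real-world case; the pint figure is the UK pint, not a NUSSL value
        g.add("ml", "l", 0.001);
        g.add("l", "pint", 1.75975);
        System.out.println("568 ml = " + g.convert(568, "ml", "pint") + " pints");

        // a rule that contradicts the existing path D -> A -> C (which gives 4 * 0.2 = 0.8)
        g.add("D", "C", 3.0);
        System.out.println("conflicts: " + g.inconsistentRules(1e-9));
    }
}
```

Breadth-first search returns the path with the fewest rules, which matters once rates disagree: two different paths between the same units can give two different answers, so a consistency check like the one above is worth running whenever a rule is added or changed, before the service hands out numbers.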

The Cake team is also about to publish the new “ProSpring 2” book, which is great!

Brand New Site Around the Corner

May 8th, 2008

When I’ve had a spare hour or two between projects I have been working on the brand-spanking new cake site.

It will have some smooth UI tweaks thanks to jQuery and pretty interesting features on the contact page with integrated Google Maps.

The site is almost ready. Just a few odds and ends to tie up.

Once the site is launched I’ll blog a quick feature tour with some insights into the technologies used.

Acegi Concurrent Login

May 8th, 2008

Many web sites have a security requirement to prevent concurrent logins, so that the same account cannot be logged in from two machines at once using the same credentials.

Let’s see how to enable this functionality with Acegi Security.

Firstly, add a bean implementing org.acegisecurity.concurrent.SessionRegistry to your security context:

<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" />

We are using the default Acegi implementation, org.acegisecurity.concurrent.SessionRegistryImpl. It holds the registry in memory, so across several server instances the limit is only enforced per instance.

Next, define the org.acegisecurity.concurrent.ConcurrentSessionController bean (the default implementation is ConcurrentSessionControllerImpl):

<bean id="sessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
    <property name="exceptionIfMaximumExceeded" value="true"/>
    <property name="maximumSessions" value="1" />
    <property name="sessionRegistry" ref="sessionRegistry"/>
</bean>

As you can see, it takes the sessionRegistry property, as well as two further properties, maximumSessions and exceptionIfMaximumExceeded.
maximumSessions says how many concurrent sessions one principal may have (in our case just one).
If exceptionIfMaximumExceeded is true, a ConcurrentLoginException is thrown every time a user who is already at the limit tries to log in again. It is an AuthenticationException, so Acegi's AuthenticationProcessingFilter treats it like any other failed login; in a login controller of your own you can catch it and show the user a message.
If exceptionIfMaximumExceeded is false, no exception is thrown: the new login is allowed, and the user's least recently used existing session is marked as expired in the registry instead. The mark by itself does not end that session; the ConcurrentSessionFilter does, on the next request it sees from it.

The last step is to set the sessionController property on your ProviderManager bean:

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider"/>
        </list>
    </property>
    <property name="sessionController" ref="sessionController"/>
</bean>

And you’re ready to run.
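One piece the steps above do not show, added here and not taken from the original post: with exceptionIfMaximumExceeded set to false, ConcurrentSessionControllerImpl only marks the older session as expired in the registry. It is org.acegisecurity.concurrent.ConcurrentSessionFilter that acts on that mark: on the next request from the expired session it invalidates the HttpSession and redirects to expiredUrl, so that filter must be part of your Acegi filter chain, ahead of the other Acegi filters. The bean looks like this; /login.jsp?expired=true is a placeholder URL:

```xml
<bean id="concurrentSessionFilter" class="org.acegisecurity.concurrent.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="expiredUrl" value="/login.jsp?expired=true"/>
</bean>
```

Without this filter the limit is still enforced at login time, but the older session carries on working until the container times it out.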

Some users have encountered a problem with this setup: if a user logs out and then tries to log in again straight away, ConcurrentLoginException is thrown and the user cannot log in. The cause is that the old session is still in the SessionRegistry. The registry only drops a session when it is told that the HttpSession was destroyed (it listens for the event that HttpSessionEventPublisher publishes), so if your logout does not invalidate the HttpSession, or that listener is not registered, the stale entry keeps counting towards maximumSessions until the container times the old session out.
To fix this, remove the registry entry yourself when the user logs out:

import org.acegisecurity.Authentication;
import org.acegisecurity.concurrent.SessionRegistry;
import org.acegisecurity.concurrent.SessionRegistryUtils;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
// the same sessionRegistry bean the ConcurrentSessionControllerImpl uses, injected by Spring
private SessionRegistry sessionRegistry;

public void logout() {
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null) return;
        Authentication authentication = context.getAuthentication();
        if (authentication == null) return;
        // the session id Acegi recorded in the WebAuthenticationDetails at login time
        String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(authentication);
        this.sessionRegistry.removeSessionInformation(sessionId);
}


You will also need the registry entry removed when the HTTP session is destroyed without an explicit logout (a timeout, or the container invalidating it).
For this, extend org.acegisecurity.ui.session.HttpSessionEventPublisher and register your subclass as a listener in web.xml. The superclass is what publishes the session-destroyed event that SessionRegistryImpl reacts to, so your override must call super.sessionDestroyed():

import javax.servlet.http.HttpSessionEvent;
import org.acegisecurity.ui.session.HttpSessionEventPublisher;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class MyHttpSessionEventPublisher extends HttpSessionEventPublisher {
    private static final Log logger = LogFactory.getLog(MyHttpSessionEventPublisher.class);
    // UserContext is this application's own bean, not an Acegi class; it is looked up once, on first use
    private UserContext userContext;

    public void sessionDestroyed(HttpSessionEvent event) {
        logger.info("unpublishing session");
        if (userContext == null) {
            this.userContext = lookupBean(
                        WebApplicationContextUtils.getWebApplicationContext(
                               event.getSession().getServletContext()),
                        "userContext",
                        UserContext.class);
        }

        this.userContext.invalidate();
        // lets Acegi publish HttpSessionDestroyedEvent, which SessionRegistryImpl handles
        super.sessionDestroyed(event);
    }

    private <T> T lookupBean(final ApplicationContext applicationContext, final String beanName, final Class<T> c) {
        //noinspection unchecked
        return (T) applicationContext.getBean(beanName, c);
    }
}

In web.xml register the subclass by its fully qualified name (com.example.security is a placeholder package):

<listener>
        <listener-class>com.example.security.MyHttpSessionEventPublisher</listener-class>
</listener>


And you’re ready to go.

I hope this article helps anyone configuring concurrent logins with Acegi Security.

Email Header Injection security

May 8th, 2008

If your web application sends emails built from information entered in a form, you should pay attention to email header injection.
The attack does not rely on a flaw in SMTP; it relies on how a message is laid out. Headers are separated from one another by line breaks (the standard says CRLF, and most SMTP servers also accept a bare LF), and the first blank line separates the headers from the body. So a typical email message looks like this:

To: recipient@domain.com[CRLF]
Subject: Hello[CRLF]
Content-Type: text/plain[CRLF]
[CRLF]
Message body

Now, if a user can type the recipient address into the form, he or she can enter something like this:

recipient email: johndoe@serbiancafe.com%0ASubject: this is a new subject

%0A is the URL-encoded line feed (%0D is the carriage return). Once that value is pasted into the To header, the message has two Subject headers. Which one the recipient sees depends on the SMTP server and the mail client: some use the first, some the last, and some show both.

A malicious user can inject any header this way: To, Cc and Bcc (extra recipients), Content-Type, and so on.

The body can be changed the same way. Everything after the first blank line is the body, so an injected blank line (%0A%0A) ends the headers and whatever follows it becomes body text. Note that this text is PREPENDED to the real message: the remaining headers your application adds after the injected field, and the real body, all end up inside the body after the attacker's text. So someone who wants to send their own message through your form can enter the following in the available field (in our case the recipient address):

recipient email: johndoe@serbiancafe.com%0ASubject: this is a new subject%0A%0AThe spam message body: you did not want this, but it will arrive in your inbox

And without your knowing it, your ‘email this page to a friend’ form becomes a source of spam (add a Bcc header with a list of addresses and it is a bulk mailer).

Now, how do you resolve this?
Check every field that is copied into an email header for carriage return and line feed characters ('\r' and '\n' in your Java code). The servlet container URL-decodes form parameters before your code sees them, so %0A and %0D arrive as the raw characters.

You have two approaches available. You can either:
  1. refuse to send any email whose header fields contain either character (recommended), or
  2. strip the characters and send the email anyway.

The java code that does this is very simple:


/** True if a header value contains a line break, raw or still URL-encoded. */
public static boolean isHeaderInjection(String value) {
    if (value == null) return false;
    // raw CR/LF: what the servlet container hands you after URL-decoding %0D / %0A
    if (value.indexOf('\n') != -1 || value.indexOf('\r') != -1) return true;
    // still-encoded forms, in case the value is used before decoding (or was double-encoded)
    String lower = value.toLowerCase();
    return lower.indexOf("%0a") != -1 || lower.indexOf("%0d") != -1;
}

Apply the check to every form field that ends up in a header (To, Cc, Bcc, Subject, From or Reply-To), and this attack is closed off. The body may legitimately contain line breaks, so the rule there is different: write it only after the blank line that ends the headers, never into a header.
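The two versions side by side, as an added Java example that is not from the original post: unsafeBuild() pastes form values straight into headers, build() applies approach 1 (refuse to send) to every header and also insists the recipient looks like a single plain address. The class and method names and the address pattern are mine, and the attack strings are constructed from the post's example as they would look after the container has URL-decoded them.

```java
import java.util.regex.Pattern;

/** Builds the raw message (headers, blank line, body) from form input. */
public final class MailHeaders {

    // A deliberately narrow address shape: one local@domain, no spaces, comments or angle brackets.
    // matches() anchors to the whole input, so anything after a line break fails the pattern.
    private static final Pattern SIMPLE_ADDRESS =
            Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+");

    /** True if the value contains a raw CR or LF (what the container hands you after URL-decoding). */
    public static boolean containsLineBreak(String value) {
        return value != null && (value.indexOf('\r') != -1 || value.indexOf('\n') != -1);
    }

    /** The vulnerable version: header values are pasted in verbatim. */
    public static String unsafeBuild(String to, String subject, String body) {
        return "To: " + to + "\r\n"
             + "Subject: " + subject + "\r\n"
             + "Content-Type: text/plain; charset=UTF-8\r\n"
             + "\r\n"
             + body;
    }

    /** One header line; refuses any value that would start a second line. */
    static String header(String name, String value) {
        if (value == null || containsLineBreak(value)) {
            throw new IllegalArgumentException("line break in header " + name);
        }
        return name + ": " + value + "\r\n";
    }

    static String address(String value) {
        if (value == null || !SIMPLE_ADDRESS.matcher(value).matches()) {
            throw new IllegalArgumentException("not a plain email address: " + value);
        }
        return value;
    }

    /** The hardened version: every header goes through header(), the recipient also through address(). */
    public static String build(String to, String subject, String body) {
        StringBuilder msg = new StringBuilder();
        msg.append(header("To", address(to)));
        msg.append(header("Subject", subject));
        msg.append(header("Content-Type", "text/plain; charset=UTF-8"));
        msg.append("\r\n");                     // blank line: everything after it is body
        msg.append(body == null ? "" : body);   // the body may legitimately contain line breaks
        return msg.toString();
    }

    public static void main(String[] args) {
        // Constructed attack input: the post's recipient example after the servlet container
        // has URL-decoded %0A to LF; the blank line ends the headers and starts a body.
        String attack = "johndoe@example.com\nBcc: one@example.com, two@example.com\n\nThe spam body";
        String subject = "A page for you";
        String body = "Thought you would like this.";

        System.out.println("--- unsafeBuild: a Bcc header appears, the real Subject and body sink into the body ---");
        System.out.println(unsafeBuild(attack, subject, body));

        System.out.println("--- build ---");
        try {
            build(attack, subject, body);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());   // the address check fires first
        }
        try {
            build("johndoe@example.com", "Hi\r\nBcc: one@example.com", body);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());   // line break in header Subject
        }
        System.out.print(build("johndoe@example.com", subject, body));
    }
}
```

If you send through JavaMail, parsing the recipient with new InternetAddress(value, true) gives a stricter RFC 822 check than the pattern above, but the line-break check on Subject and every other free-text header is still yours to do.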

RDBMS

May 8th, 2008

Here’s another in the series of our internal talks, this time on our old friends, the relational database management systems — also known under their misleading alias — databases.
In the talk, I’ve explained some of the concepts of relational algebra and shown that if all our tables were indeed relations, the RDBMSs could do a lot of optimisations. For further reading, I recommend an excellent book by C. J. Date Database in Depth — Relational Theory for Practitioners.
To cut a potentially long entry short, download the presentation as PDF.

Service Orchestration

March 26th, 2008

We have the first version of the SO module. We can define flows, states and transitions. If this were all we did, it would make it a vanilla (Cake-vanilla, if you’ll pardon the pun) workflow engine.
We have taken an innovative approach to the configuration of the flows. Just like any other workflow engine, we use the concept of FlowDefinitions with many StateDefinitions with many TransitionDefinitions. Using this structure, we can create a directed graph with cycles (flow) with states as its vertices and transitions as its edges. Simple, eh?
You can of course create the definition beans by hand, but you can also use annotation-based configuration. Take this code, for example:


@Flow
public class MainFlow {
}

@State(start = true)
public class StartState {

    @Transition
    @Transactional
    public void one() {
    }

    @Transition(to = "end")
    public void end() {
    }
}

@State(end = true)
public class EndState {

    @Transition
    public void one() {
    }

    @Transition(to = "start")
    public void restart(@TransitionArgument int i) {
    }
}

Without giving a detailed explanation, you can follow the annotation and infer that we have a flow with two states (start and end); each state has two transitions. To use this flow, we can use the FlowSession like so:


// instantiate flow with id "main"
FlowInstance instance = flowSession.instantiate("main");

// calls StartState.one() and stays in the start state
instance.performTransition("one");

// calls StartState.end() and transitions to end state
instance.performTransition("end");

// calls EndState.restart(5) and transitions to start state
instance.performTransition("restart", 5);
…

Now, you can ask where we got the names “main”, “one”, “end” and others; I’m sure you can see that the MainFlow class would be the flow with id “main”, but we never said so explicitly in the code. The BeanPostProcessor uses naming strategies that take the ids explicitly set in the annotations or, if the annotation does not have the id set, it takes the class name or the bean name as the identity of the flow, state or transition.
Also, you may notice that the states somehow get attached to the main flow, even though we never said so. Again, there is a bit of “intelligence” in the module: if a state sets no flow id and there is only one flow, the state is registered with that flow automatically. In more complex applications (ones that use more than one flow), you must set the flowId value in the @State annotation explicitly.
We are going to put much more work into this module, but we can confidently state that the module is an exciting piece of code. The design of the module will allow us to use service orchestration language in the transitions (take a look at the TransitionAction interface and its implementations for a hint of possible solution).

Spring Modules

March 19th, 2008

We have begun implementation of two new exciting Spring Modules! The first one will be the Service Orchestration module and the second one will be Spring AJAX.

Service Orchestration

The SO module will allow the developers to create a workflow-style structure, where the transitions carry business logic. In the transitions — I’m sure you’ll forgive me for the slightly non-technical description — you will be able to call any number of services; naturally, the transition will be able to participate in a JTA transaction.

Spring AJAX

This is a buzz-word like no other, but it is still very clumsy to create rich applications using the Spring Framework. We propose to create a module that will allow declarative AJAX handling code. The handling code will work with AjaxSessions and JsonViews by default, but there will be nothing stopping you from creating much more complex AJAX handling structures. Along with the Java-side support, we will give you JSP tag libraries to handle all mundane AJAX code.

Learn@Cake: Introduction to AJAX

March 10th, 2008

Every Wednesday at Cake we have sessions where one of us has the opportunity to present an emerging technology. Today was my turn. With my experience in AJAX and all things Web 2.0 it was the natural choice to give the Cake team a rundown on AJAX.

AJAX stands for Asynchronous JavaScript and XML. It is asynchronous in the sense that the JavaScript does all the requesting, loading and parsing of the XML in the background, or “behind the scenes”, without disturbing the display of the existing page.

By its very nature it offers advantages over non-AJAX web applications.

  1. A richer user experience: desktop-like applications
  2. Reuse of the existing server-side functionality and business logic (DRY): no need to write the same functionality again in JavaScript
  3. Lower bandwidth usage, as only the data is sent rather than the accompanying style and layout

So how does it work?

First you need an instance of the XMLHttpRequest object. This in turn sends a request for the XML (or HTML, JSON or plain text) resource. The XML could be served by a data service, e.g. output by a server-side script, read from the file system, or fetched through a proxy or pooling service.

An instance where you would need a proxy or pooling service is where the XML data, say an RSS feed, is hosted on another domain. The browser's same-origin policy stops JavaScript from reading a response fetched from another domain; the point is to stop a page reading data (possibly the user's private data) from a site it has no business reading, which is a different problem from XSS. If you trust the domain you are getting the XML from, you create a proxy on your own domain that fetches it server-side. In PHP a simple proxy could be made using the following code:


<?php
header('Content-Type: text/xml');
$xml_url = "http://www.cakesolutions.net/teamblogs/feed/"; // fixed URL, never taken from the request
$lines = @file($xml_url);            // false if the remote fetch fails
if ($lines === false) {
    header('HTTP/1.1 502 Bad Gateway');
    exit;
}
echo implode('', $lines);
?>

Two cautions about the proxy. Keep the target URL fixed in the script, as above: if it came from a request parameter, anyone could use your server to fetch arbitrary URLs, including hosts inside your own network. And the feed is re-served under your origin, so treat its content as untrusted when you put it into the page. Note also that when you serve an XML file from a server-side script you must send the correct MIME type (text/xml in the case of XML) in the Content-Type response header. Some browsers are more forgiving than others, but for your AJAX application to work in all of them you should include the correct Content-Type; it is best practice anyhow.

So how do you create an XMLHttpRequest object?

In an ideal world the JavaScript would be as follows:

var xmlHttp = new XMLHttpRequest();

Unfortunately, when it comes to standards, the browser world is far from ideal. We have to do this:


var xmlHttp;
try {
    // Firefox, Safari, Opera (IE 7+ also has the native object)
    xmlHttp = new XMLHttpRequest();
}
catch (e) {
    // Internet Explorer 6 and earlier
    try {
        xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
    }
    catch (e) {
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
}

// Handle xmlHttp state changes
// Syntax: .onreadystatechange = function;
xmlHttp.onreadystatechange = function () {
    // readyState 4 means the response is complete; check the HTTP status too
    if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
        var doc = xmlHttp.responseXML;   // parsed document, provided the server sent text/xml
        // work with doc here
    }
};

// asynchronous GET of the gallery data used in the example below
xmlHttp.open("GET", "images.xml", true);
xmlHttp.send(null);

In the first example we see an image gallery. Note that the HTML elements and content surrounding the gallery stay the same as you click through to images 2 and 3. It is pointless to send all of those elements again, using up precious bandwidth and reloading them in the browser, so let's use our new AJAX skills to load an XML file with the image sources and descriptions and change them dynamically. This is what Facebook does in its albums. Check out the following example. The image sources and descriptions are in images.xml and the JavaScript is in ajax.js. Note that this implementation does not create a new HTML page or even change the link targets, so if JavaScript is switched off it still works. The initializeClick function returns false, telling the browser not to load the linked page; hence no unnecessary page loads, as the XML was already loaded when the HTML document loaded.

Once again, implementing functionality in JavaScript can be problematic due to the various incarnations of the implementation of JavaScript in browsers and the lengths one needs to go to to get the information one wants. You’ll find yourself after having spent time debugging your script in Firefox, you try it in Internet Explorer and it’s broken. One way to avoid the headache of cross-browser compatibility is to use a framework.

jQuery has been my framework of choice for some time. It lets you write your JavaScript code only once and be confident that it will work in most browsers. jQuery has a test suite of 1157 tests to check browser compatibility, and all modern browsers pass it. This is also a good way to benchmark the performance of each browser’s JavaScript implementation.

Looking at the example again but this time using jQuery, we see that the implementation takes fewer lines of code hence jQuery’s mantra Write less, Do more.

You can also use CSS like selectors:

$("div") // returns all div elements
$(".class") // returns all elements with the class .class i.e. class="class"
$("#id") // returns the element with the id #id i.e. id="id"

Selecting elements by class is very handy. If you like to do things properly, with valid markup, you will know that you can have multiple elements with the same class, whereas you cannot have more than one element with the same id. At the moment there is no native implementation of document.getElementsByClassName(). Using a framework’s implementation not only lets you use the functionality now; later versions of the framework will use the native function where it exists, so your code is backward compatible and future-proof.

On to our next example, using jQuery. We have a sign-up form that on certain events (see signup_check.js) triggers an AJAX call to a service which has some logic in it. This in turn outputs XML, and a message is displayed.

In the case of the Username field, once the user has tabbed or clicked out of the input box (blur), it posts the parameter user to user.php, where the checks are done. The responses are as follows.


<!-- If the user exists already -->
<message>
<type>error</type>
<text>Username already taken</text>
</message>

<!-- If the user does not exist -->
<message>
<type>notice</type>
<text>Username available</text>
</message>

In the case of the Password field, once the user has entered more than four characters, it posts the parameter password to strength.php to see whether the password is strong or not. The responses are as follows.


<!-- If the password consists entirely of lowercase letters, entirely of uppercase letters, or entirely of digits -->
<password_strength>
<strength>weak</strength>
</password_strength>

<!-- otherwise -->
<password_strength>
<strength>strong</strength>
</password_strength>

Then jQuery’s DOM manipulation functions are used to process the XML data and write the result into the existing HTML document’s DOM. Two things to keep in mind with checks like these: the username check is an oracle that tells anyone which usernames exist, so rate-limit it and give it the same answer the form submission itself would give; and the password check sends the password to the server before the form is submitted, so it must travel over HTTPS like the submission itself, or better, be done in JavaScript on the client.

Remember that a good AJAX application is a good non-AJAX application. When JavaScript is switched off your application should still work: it may not have the fancy DOM transitions or the rich desktop-like experience, but the functionality should remain. The links should work, and the server-side part of the application should deal with the data, handle errors and do everything you would expect from the AJAX version; in particular, it must validate the username and password itself rather than trust the checks the JavaScript made. First build your application without AJAX, then add the AJAX functionality on top, and your web application will be truly accessible to all.

Download the source zip tar.gz
Download the Quicktime presentation (Preview: YouTube)

Platform 4 Widget Contest Runner Up

March 10th, 2008

Back in December I read a post on TechCrunch UK about Channel 4 launching a competition at the Widgety Goodness conference in Brighton. The contest was to create a widget using at least one Film 4 feed and a feed from somewhere else; a mash-up.

I decided to have a go. I used two Film 4 RSS feeds, three Apple Trailer feeds and tens of dynamically generated Technorati blog search feeds to show the reaction to the films in the blogosphere. These feeds were accessed using jQuery’s AJAX API via a lightweight PHP proxy. My entry can be found at film4.chalkley.org.

On Friday I found out that I was one of the two joint runners up. It was not only good to win a cash prize but also the kudos given by a large innovative brand such as Channel 4 made it all the more awesome.

Mockery

March 6th, 2008

As a follow-up to my previous JMock post, I give you the internal presentation we held at Cake. Download it here.