All entries for June 2006
June 19, 2006
Writing about web page http://www.springone.com/
I spent last Wednesday, Thursday and Friday in Antwerp attending the SpringOne conference.
Chris blogged every session he went to so I won't go over those again.
For me the most interesting parts that came out of it were:
- New features of Spring 2.0 explained a lot better than the documentation (which is improving but still doesn't cover Spring 2.0 well enough I don't think)
- Discussion of rich domain models was interesting (which we've tried to do for a while), but everyone was talking like it was all new. There are a couple of new methods for achieving this with AOP or Spring 2.0's new @Configurable annotation
- Productivity improvements with Spring MVC, primarily the move towards convention over configuration (a big nod to Ruby)
- New namespace support in Spring 2.0 that will hopefully greatly reduce the reams and reams of XML that you always have to create and maintain
- AOP/AspectJ support: it was there in Spring before 2.0, but it is much more powerful and documented now. It was great to see real world examples, even if they did sometimes take it too far
- Voca's presentation about how they had up to 500 people working on their new Spring based application that basically runs the UK's bank transfer systems, 100,000,000 transactions in 4 hours!!!
June 07, 2006
I've always run any SSL I need on Tomcat on Windows as it was just really easy and less complicated and messy than getting Apache to work with SSL on Windows. Unfortunately I eventually needed to do it because of the extra power of Apache in that you can set different SSL options under different directories.
If you need to do client certificate authentication in Tomcat it is easy, but that is it: everything under that port is now protected with client auth.
In Apache you can do this:
    ...
    <Location /clientauth>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    ...
Kindly a few people have written up some instructions on this:
Apache and SSL on Windows
Someone has also pre-built a Windows version of Apache with SSL built in (Hunter Apache SSL builds), as Apache doesn't provide it because they believe Windows is just not secure enough and allowing SSL on Windows lulls people into a false sense of security.
Anyway, most of it worked, but I just couldn't get Apache to trust my client certificates. The problem was this:
    SSLEngine On
    SSLCertificateFile conf/ssl/my.crt
    SSLCertificateKeyFile conf/ssl/my.key
    SSLCACertificatePath conf/ssl.crt
    SSLCACertificateFile conf/ssl.crt/cabundle.crt
If you put certificates in the conf/ssl.crt path, when Apache starts up, it lists them all nicely saying that it has found them all, but will it trust them, will it hell. Only if you specifically put the certificate in the cabundle.crt (or whatever you've set SSLCACertificateFile to) will it work! Gah!
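An added example (not from the original post): a small Python script that automates the fix described above by concatenating every PEM certificate found in a directory into the single file named by SSLCACertificateFile, skipping duplicates and the bundle itself. The function names, the `*.crt` glob and the sample certificates (constructed placeholder bytes, not real CAs) are assumptions.

```python
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

# mod_ssl looks up SSLCACertificatePath entries by OpenSSL subject-hash file
# names (hash.N), so plain *.crt files dropped there are not matched.
# The SSLCACertificateFile bundle needs no hashing, only concatenated PEM blocks.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def build_ca_bundle(cert_dir, bundle_path):
    """Write all unique PEM certificates under cert_dir to bundle_path.

    Returns a list of (source file name, SHA-256 fingerprint) in bundle order.
    """
    cert_dir, bundle_path = Path(cert_dir), Path(bundle_path)
    seen, written, blocks = set(), [], []
    for path in sorted(cert_dir.glob("*.crt")):
        if path.resolve() == bundle_path.resolve():
            continue  # the post keeps the bundle inside the same directory
        text = path.read_text(encoding="ascii", errors="replace")
        for pem in PEM_RE.findall(text):
            der = ssl.PEM_cert_to_DER_cert(pem)  # ValueError on a damaged block
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint in seen:
                continue  # same certificate shipped in two files
            seen.add(fingerprint)
            blocks.append(ssl.DER_cert_to_PEM_cert(der))  # normalised PEM
            written.append((path.name, fingerprint))
    bundle_path.write_text("".join(blocks), encoding="ascii")
    return written

def demo():
    """Run the builder twice over constructed placeholder certificates."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_dir = Path(tmp) / "ssl.crt"
        cert_dir.mkdir()
        ca_a = ssl.DER_cert_to_PEM_cert(b"constructed-placeholder-ca-A")
        ca_b = ssl.DER_cert_to_PEM_cert(b"constructed-placeholder-ca-B")
        (cert_dir / "a.crt").write_text(ca_a)
        (cert_dir / "chain.crt").write_text(ca_a + ca_b)  # A again, then B
        bundle = cert_dir / "cabundle.crt"
        first = [name for name, _ in build_ca_bundle(cert_dir, bundle)]
        second = [name for name, _ in build_ca_bundle(cert_dir, bundle)]
        return first, second, bundle.read_text().count("BEGIN CERTIFICATE")

if __name__ == "__main__":
    print(demo())
```

Apache reads the bundle at startup, so restart it after regenerating the file.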
Anyway, working now so soon we should have a test membership of the SDSS federation so that we can do further tests on our Shibboleth SSO system.
June 01, 2006
I've recently been working on improving our Web Groups system. This is a central system that allows users to create their own arbitrary groups of Single Sign On users. These groups are then exposed through some web services which allow our other web apps to use them as the basis of permissions or grouping in whatever way they see fit.
Along with SSO, Web Groups is one of the systems that really helps us build very powerful systems with very easy and fine grained permissions…without having to actually do much work in each of those applications.
Web Groups now includes all sorts of groupings, such as:
- Students in a department
- Teaching staff in a department
- Students doing a particular course
- Full or part time students in a department
- Students in a particular year of a course
- Tutor groups
All of this data is automatically pulled in from our Academic Data Store (ADS) project. This means that the data is always up to date. Previously if someone wanted to protect say a SiteBuilder page so that only people doing that module can see it, they had to find and keep up to date a list of the ITS usercodes of all students on that module. Now they just need to enter a group name and it'll be kept up to date for them.
If our groups are not good enough, people can make their own groups. So for instance you could create a group that is all the students on a module plus the 3 staff involved with that module. Again, this will all stay up to date as the students on that course change, even at the start of a new year.
We currently have a similar system in BlogBuilder, but we'll be moving over to this new system soon as it is more reliable, powerful and just plain faster.
By using these shared services such as SSO and Web Groups, we can build much more integrated and powerful solutions that we just probably couldn't get from an external vendor.