Fuzed Forums Adds Google Search

Fuzed Forums continues to evolve and prepare for its official launch.  I’ve now integrated Google Search into the system.  It was a little more interesting than I expected and there are some more things to figure out, but it’s now working as expected.

Fuzed Forums is, as you may know, a GWT site.  There are some special things that must be done in order for the Googlebot to understand a site rendered with AJAX.

Then the search itself must be integrated into the site.  I didn’t want to compromise the integrity of the GWT interface by using a separate traditional HTML page, so there were some tricks I had to figure out to make that happen (maybe I’ll blog about that soon, but some Googling of your own would probably reveal a path).

In any case, it’s good to have it working.

Introducing Fuzed Forums

Today I’d like to announce Fuzed Forums. Fuzed Forums is my take on the next generation of forums.  It’s a place to create communities, to share and to communicate. Fuzed Forums uses GWT and Google App Engine for more of a moden web dynamic, and the forum layouts you’re probably familiar with, to create what I hope to be a fast and pleasing forum experience for you and your members.

Fuzed Forums is now in “demo” mode.  This means it’s up and working and you can try it out.  But I want your feedback to incorporate it before it is released for your production use.  It also means that the data you create won’t survive after demo mode.  So take that as an invitation and a warning.

An easy way to try out Fuzed Forums is to visit the support forum.  Like the rest of this “demo”, this version of the support forum will not survive when Fuzed Forums moves out of demo, but you can get the feel of Fuzed Forums and provide feedback to make Fuzed Forums more of what you want for your community.  Also within the support forum is an area to provide feedback, proposing features or changes, whatever would like to see become part of Fuzed Forums.

If you want to try it out with a bit more content, visit The One Forum, which is filled with generated content.

If you want to find out where it’s going, more about the current limitations and more, see the “path” here.  You’ll notice that some things aren’t quite “done”, but I wanted to get this demo in front of people sooner rather than later.

Try it out and let me know what you think!

About Forums

Search, email, social media, forums. These are some of the core uses of the Internet today. And some of the most advanced technology has gone into each one. Google Search is amazing. Gmail is a revolution. Facebook is the #1 destination on the web today. And forums … well, they’ve not kept up.

Products like vBulletin get the job done, but are hardly modern with their clunky web 1.0 interfaces. It’s also relatively expensive and complicated to get going with vBulletin, with the cost of the software, getting it hosted, installed and setup the way you want. That can easily run you over $200 a year, even for a small forum with a few users. However, you can customize vBulletin as much as you like, as long as you are willing to maintain those customizations, which is not for the casual forum administrator.

Other online solutions have made the setup easy. But their forum software is terrible. You can’t create a community there. You’re just one forum among the many. No since of membership or differentiation. And you’re usually stuck with their colors and layout.

It’s time forums moved into the modern era.

GWT Bean Validation How-To

There doesn’t appear to be a recent “how-to” on setting up GWT Bean Validation for a GWT 2.4 project.  In this post, I’ll let you know what I’m doing and then ask you for your feedback on how I might do it better.

The idea is to follow the Validation sample that comes with the GWT 2.4 distribution.  The key items follow.

Inherit the Hibernate Validator

You need this in your gwt.xml file:

  <entry-point class='com.google.gwt.sample.validation.client.Validation' />

Setup the Validation Factory

Also in your gwt.xml, you need:

  <replace-with
    class="com.google.gwt.sample.validation.client.SampleValidatorFactory">
    <when-type-is class="javax.validation.ValidatorFactory" />
  </replace-with>

This is the factory that’s used when you build the validator.

Something else in that file is the code for setting up your messages. That’s optional: you can also specify your messages in your validation annotations. Refer to the Bean Validation documentation on what you should do in your case.

Setup for Deployment

You need the two validation-related libraries in your WEB-INF/lib directory:

• validation-api-1.0.0.GA.jar
• hibernate-validator-4.1.0.Final.jar

Then in your compile path, you need the two sources libraries:

• validation-api-1.0.0.GA-sources.jar
• hibernate-validator-4.1.0.Final-sources.jar

You can also put these in your WEB-INF/lib directory, but they’re not needed at runtime, only during the GWT compile phase.  This could be important if you’re using Google App Engine, where every added JAR lengthens your startup time.

Give it a Go

The rest is just applying the proper annotations and running the validator on your objects.  See the ValidationView.java file in the sample application for an example of this.  There are classes annotated with the validations from the framework in the shared sub-directory of the sample application.

GIN

I use Google GIN in my GWT application.  I currently don’t know the best “GIN way” to setup the validations.  I just have GIN create my validator instead of doing it in my code:

    @Provides
    @Singleton
    Validator createValidator() {
        return Validation.buildDefaultValidatorFactory().getValidator();
    }

I imagine there’s a better way, one that would replace the replace-with facility in the gwt.xml, but I don’t know what that is yet.

Feedback

I haven’t found good documentation on setting this up.  This post shows what works for me.  But it certainly may not be the best way to set things up.  If you have better information, please let me know.  I appreciate your feedback.

Apache Shiro on Google App Engine

I had previously used a Spring-centered stack in Google App Engine.  These days I’m on more of a Google Guice kick.  There are some nice advantages to Guice, but some drawbacks as well.  One of the latter is the lack of an out-of-the-box integrated security solution. I am currently using Apache Shiro wired in with Guice as my security solution.  In this post, I’ll tell you how to do the same.

Getting Started

If you want to setup Shiro with Guice, you’ll need Shiro (I’m using 1.1.0) and Guice (I’m using 3.0).  Also, this post just tells you how to get started.  You should read all of the Shiro Reference Manual so you can apply Shiro appropriately to your situation.  Only then can you have confidence your app is secure.

As always, your feedback is appreciated.  If I’m doing something wrong, please let me know!

Shiro Realm

To adapt Shiro to your application, the first thing you need is to implement a “realm”.  The realm is the core adaptation mechanism between Shiro and your particular datasource (where  you store your authentication and authorization information).  This is a straightforward process: just follow the documentation, perhaps extending AuthorizingRealm, which is the logical extension point if you’re providing authentication and authorization context.  You might consider using SimpleAuthorizationInfo and SimpleAccount if you just need basic authentication and authorization in your realm.

The following is a simple realm example. The reference manual has information on writing a better realm than what you see here.  For example, you may want to use a HashedCredentialsMatcher instead of just matching clear character arrays.

public class MyRealm extends AuthorizingRealm {

    private static Logger logger = Logger.getLogger(MyRealm.class.getName());

    private MySecurityManagerService mySecurityManagerService;

    @Inject
    public MyRealm(MySecurityManagerService mySecurityManagerService) {
        // This is the thing that knows how to find user creds and roles
        this.mySecurityManagerService = mySecurityManagerService;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {

        String username = (String) principalCollection.getPrimaryPrincipal();

        // Find the thing that stores your user's roles.
        MyPrincipal principal = mySecurityManagerService.findMyPrincipalByUsername(username);
        if (principal == null) {
            if (logger.isLoggable(Level.FINE)) {
                logger.fine("Principal not found for authorizing user with username: " + username);
            }
            return null;
        } else {
            if (logger.isLoggable(Level.FINE)) {
                logger.fine(String.format("Authoriziong user %s with roles: %s", username, principal.getRoles()));
            }
            SimpleAuthorizationInfo result = new SimpleAuthorizationInfo(principal.getRoles());
            return result;
        }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {

        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        if (usernamePasswordToken.getUsername() == null || usernamePasswordToken.getUsername().isEmpty()) {
            throw new AuthenticationException("Authentication failed");
        }

        // Find the thing that stores your user's credentials.  This may be the same or different than
        // the thing that stores the roles.
        MyPrincipal principal = mySecurityManagerService.findMyPrincipalByUsername(usernamePasswordToken.getUsername());
        if (principal == null) {
            if (logger.isLoggable(Level.FINE)) {
                logger.fine("Principal not found for user with username: " + usernamePasswordToken.getUsername());
            }
            return null;
        }

        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Principal found for authenticating user with username: " + usernamePasswordToken.getUsername());
        }

        return new SimpleAccount(principal.getUsername(), principal.getPassword(), getName(),
                principal.getRoles(), new HashSet());
    }
}

That should get you started anyway.

Shiro Filter

Shiro has something of it’s own mini dependency injection facility with the IniShiroFilter.  There is good documentation on that, and I think it might be the default configuration facility for most people using Shiro.  However, if you’re using Guice, that’s not the way you want to go.  You want to leverage Guice to wire everything together, and just do in Shiro what Shiro is meant for: security.

So you need another, more basic, filter.  Shiro could have just provided such a basic, essential module.  But they don’t.  I don’t know why.  Nevertheless, it’s easy to make your own.  Really easy.  Prepare yourself.  Here it is:

@Singleton
public class ShiroFilter extends AbstractShiroFilter {

	@Inject
	public ShiroFilter(WebSecurityManager webSecurityManager) {
		setSecurityManager(webSecurityManager);
	}
}

Once you have your mind around that, you’ll need to do yourself some AOP.

Guice Interceptor

Shiro uses AOP to intercept method invocations for access control. Generally, that’s what you want: it’s non-intrusive and extensible. But it doesn’t use standard APIs to do that. I don’t know why. Guice, on the other hand, uses the AOP Alliance API for interception. So you need to make the one fit into the other.

The APIs are very similar, though (again, why not just use the AOP Alliance APIs? …), so it’s easy to adapt them:

public class ShiroMethodInterceptor implements MethodInterceptor {

	private RoleAnnotationMethodInterceptor roleAnnotationMethodInterceptor = new RoleAnnotationMethodInterceptor();

	@Override
	public Object invoke(MethodInvocation methodInvocation) throws Throwable {
		return roleAnnotationMethodInterceptor.invoke(new ShiroMethodInvocation(methodInvocation));
	}

	private static class ShiroMethodInvocation implements org.apache.shiro.aop.MethodInvocation {

		private MethodInvocation methodInvocation;

		public ShiroMethodInvocation(MethodInvocation methodInvocation) {
			this.methodInvocation = methodInvocation;
		}
...

Easy stuff, right?

Wiring it All Together

Shiro is very modular.  And if you’re using the default configuration, they really take care of things for you.  But who does that?  Not me.  So that means you need to assemble the parts you need for your particular environment.  This includes:

• Creating a Realm for your particular environment
• Selecting a session manager
• Selecting a remember-me manager
• Selecting a SecurityManager and telling it about your realm, session manager and remember-me manager

You should know what all of those things are because you should have read the Shiro documentation, which is not bad at all.  I created a custom realm and then did the following inside one of my Guice modules:

public class MyModule extends AbstractModule {

	@Override
	protected void configure() {
		...
		bind(Realm.class).to(MyRealm.class);
		bindInterceptor(Matchers.any(), Matchers.annotatedWith(RequiresRoles.class),
		        new ShiroMethodInterceptor());
	}

	@Provides
	@Singleton
	WebSecurityManager provideSecurityManager(Realm realm, SessionManager sessionManager, RememberMeManager rememberMeManager) {
		DefaultWebSecurityManager result = new DefaultWebSecurityManager(realm);
		result.setSessionManager(sessionManager);
		result.setRememberMeManager(rememberMeManager);
		return result;
	}

	@Provides
	@Singleton
	SessionManager provideSessionManager() {
	    return new ServletContainerSessionManager();
	}

	@Provides
	@Singleton
	RememberMeManager provideRememberMeManager() {
	    return new CookieRememberMeManager();
	}
}

I love how easy it is to do AOP in Guice.  So nice.

In Google App Engine, it’s important to use the ServletContainerSessionManager instead of something like DefaultWebSessionManager because the latter tries to start threads, which GAE doesn’t care for at all.

The last thing you need to wire in is that filter, so Shiro will actually get involved in your web requests.  I again do that with Guice:

public class MyServletModule extends ServletModule {

	@Override
	protected void configureServlets() {
		filter("/*").through(ShiroFilter.class);
	}
}

To make that work, you need to have configured Guice in your web.xml.

Securing Services

Authentication with Shiro is nice and simple.  The 10 Minute Tutorial will get you started. In the simplest case might do something like this:

        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(true);
        try {
            subject.login(token);
        } catch (AuthenticationException ae) {
            // handle failed logins here ... see the docs for more exceptions
        }

Authorization is even easier.  If you’re doing something basic, you will probably want some role-based security on your services. Shiro provides nice APIs for checking roles and permissions. I currently only care about roles. And that’s why we setup that aspect. To add role access control to your service method (on the server side of course!), just do something like this:

    @RequiresRoles("importantRole")
    public void doSomethingImportant(...) {
    ...

I’m confident most everyone reading this knows that checking permissions on the client in a web app is not enough. So you need to do your security on the server side. Once something is on the client computer all bets are off!

In my app, I return some data useful for predicating particular permissions so I can toggle buttons, show panels, etc, on the client. But I do all of that an more on the server.

Conclusion

I think Apache Shiro is a good choice for adding security to a Guice-based app.  In particular it’s working well for me in Google App Engine with a GWT front-end.  I hope this guide helps some if you’re working a similar environment.  As always, if you see something I’m doing wrong, let me know!

Gin Injector Methods

I must be slow, but I had a hard time understanding some of the Gin Tutorial.

The tutorial states:

Experienced GWT users will notice the similarity to the way GWT image bundles and messages are done: You simply create a method for each object type you want to create, and the an implementation of the interface gets generated for you at compile time.

Note that you only need to create injector methods for classes that you would directly access in your top-level initialization code, such as the UI classes to install in your RootPanel. You don’t need to create injector methods for lower-level classes that will be automatically injected. So for example, if Class A uses class B which uses class C, you only need to create an injector method for A, as the other classes B and C will automatically be injected into A.

In other words, injector methods provide a bridge between the Guice and non-Guice world.

I still find that explanation confusing.  But I finally realized they’re trying to say that you only create methods for getting an object from the injector:

MyClass myObject = injector.getMyClass();

That’s it.  So where in Guice you would do this:

MyClass myObject = injector.getInstance(MyClass.class);

In Gin you do this:

MyClass myObject = injector.getMyClass();

So if you need to call a method on the injector, create it. I ended up with one method.

Testing GWT Events

I’m working on my first GWT application.  In the process of trying to test some event-driven code, I was seeing that my events were being picked up by objects registered from previous tests.

This was due to the way I was instantiating my EventBus instance:

public static final EventBus eventBus = new SimpleEventBus();

This meant that, between tests, instances of previous texts fixtures were still being held by the eventBus.

I shouldn’t have been surprised.  I try to avoid statics for the most part.  They tend to get me into trouble.  If it’s a primitive value, that’s one thing.  But a core item like the event bus?  I should have known it was a bad idea.

I’m using Google Gin in GWT and Google Guice in the server-side code.  So I looked for a way to inject the code.  My problem was with more static code.  I followed the idiom I had seen, I think, in a Google presentation.  The code looked something like this:

MyEvent.register(new MyHandler() { ... });
...
MyEvent.fire(new MyEvent(...));

That code is quite convenient to use.  Statics are convenient in a lot of cases. But the problem comes in when you want anything to vary. Want polymorphism? No chance. Want to swap instances? Not going to happen.  Statics are convenient, but that convenience comes at a price, and I tend to be cheap.

My first thought was to create instances of my event classes and inject them in where I needed them. The obvious problem with that is that some classes register for several events. Injecting in all of those events starts to smell. Further, what would I inject? Instances of the events themselves? That is also odorous. In the code with the statics, the classes is playing two roles: managing the events and then being the event itself. So I could create a sort of “event manager” for each of my events, but I’m still left with a lot of things to inject.

Instead, I came up with a compromise. I created a class for registering and firing events that held my EventBus instance, but kept the events separate. I called this the EventBroker and it looks like this:

class EventBroker {
  private EventBus eventBus;
  @Inject
  public EventBroker(EventBus eventBus) {
    this.eventBus = eventBus;
  }
  public HandlerRegistration registerMyHandler(MyHandler handler) {
    return eventBus.addHandler(MyEvent.TYPE, handler);
  }
  public void fireMyEvent(MyEvent event) {
    eventBus.fireEvent(event);
  }
  // more register and fire methods ...
}

This allows me to register a single instance of my EventBus in Gin or Guice (Guice for unit tests). I may either register a single instance of EventBroker or let Gin create one each time I ask: it doesn’t matter because I always have one EventBus instance.

As you might imagine, the interface to EventBroker may become quite large. However, I can create an EventBroker for any subset of events I choose, and so have some reasonable number of EventBroker classes, all using the same EventBus instance. This seems not much worse than the static code idiom in terms of convenience, but much more powerful for unit testing.

One additional note: these methods seem to cry for the use of generics.  But I can’t seem to make it work.  If you have any ideas, I would appreciate it!