Custom JSR 303 Bean Validation constraints for the JSR 310 New Date/Time API

With JSR 310, Java 8 finally brought us a decent date and time API. For those of you that are still using Java 7 – like I am at my current project – there is an excellent backport available, see www.threeten.org for more details. However, I’m not going to go into any details about using the new API since there are already a ton of blog posts out there about the topic. What I am going to show you in this post is how you can use the Date/Time API in conjunction with the JSR 303 Bean Validation API by writing your own custom annotations.

Eclipse code templates

Eclipse comes bundled with a nice feature in the form of editor templates. These templates allow you to quickly generate commonly used code. To use a template, simply type in the name of the template and hit Ctrl + space.

There are already a ton of templates available in vanilla Eclipse like test, which will generate a JUnit 4 test method stub, or sysout that will expand into a System.out.println();. But it is also very easy to create your own. Here I will demonstrate how by creating a code template for a SLF4J logger field.

My First Real AngularJS Project (with Spring REST and Data JPA)

I’ve been playing around with AngularJS since March this year but only in my spare time. So I was thrilled to be able to use AngularJS on an actual real-world project at my day job at the Academic Medical Center in Amsterdam.

So for the last three weeks I’ve been working at a small but nice web site. The web site is a training course catalogue for the nursing education program, which is ordered according to the CanMEDS Framework. Last week I released version 1.0 and next Wednesday it will be formally presented to the public during an important conference.

The application is split into a backend with a REST interface and a Single Page frontend that’s basically a master-detail page with some filtering options, and added to it some necessary administration pages. I’ve built the backend of the application with Spring Data JPA, Spring REST, and Spring Security. For the frontend I’d chosen AngularJS and Bootstrap 3. Below I will describe some of my experiences from the last couple of weeks.

Gotcha: preserving the ordering in collections when using JPA

This week I was faced with the requirement to store the ordering of a collection from a Java web application to a database. In plain Java, retaining the ordering within a collection is a no-brainer: you just use one of the java.util.List implementations. And saving the order into a database table should be as easy as a couple of INSERT statements in the correct order, right? Well, if you’re using JPA for ORM then it really isn’t that straightforward. As it turns out JPA does not take the ordering of a List into consideration, which imho is a serious design flaw. Fortunately, as of version 2.0 a workaround was added to the spec: you can annotate relationships with @OrderColumn.

Encrypting passwords in Tomcat

Apache Tomcat is by far the most popular (open source) web server and Java servlet container. It has been around for a long time and – at the time of writing this post – has reached version 7.0.29. As Apache rightfully claims on its web site, Tomcat powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Therefore, one might imagine that such a widely used server would out-of-the-box already prove to be very secure.

However, a lot of weaknesses in Apache Tomcat stem from incorrect or inappropriate configuration – as is the case not only for Tomcat but for the majority of software products, I would imagine. The OWASP organization has written up a nice document with a lot of best practices and recommendations on how to make Tomcat more secure than the default out-of-the-box installation.

The OWASP document rightfully states that best practices advise us never to store clear text passwords, but that in the case of the server.xml it is very difficult to avoid. In this post, I will try to look into ways to avoid storing clear text passwords in Tomcat’s files that hopefully will make it less difficult to avoid.

Integrating Wicket with Wicket Auth/Roles and Spring Security

In this tutorial I describe how you can set up Wicket 1.5 to use Spring Security 3.1 for authentication and Wicket Auth/Roles for authorization.

Spring Security is a very complete and flexible solution for all kinds of security needs. It offers a lot of functionality out-of-the-box and it is quite easy to extend to fit your own custom needs. Visit the Spring Security website (http://static.springsource.org/spring-security/site/index.html) for more information.

Wicket Auth/Roles makes it easy to annotate components with authorization information. E.g., the @AuthorizeInstantiation annotation configures what roles are allowed to instantiate the annotated component or package, and the @AuthorizeAction annotation controls whether the component is rendered or not based on the roles.

At the end of this tutorial you will have a sample Wicket project that uses Spring Security to look up the user – including roles, full name, etc. –, validate the password, and manage the current user session. Wicket Auth/Roles validates whether the current user has access to a particular page, or even a particular component.