Blogging Roller

I wrote this article for O'Reilly's OnJava.com over twenty years ago and it was published on April 17, 2002. Roller would not become Apache Roller until about five years later. Publishing this article changed my life and set my career on a new trajectory. I can't find it online anymore so to celebrate this anniversay, i'm going to publish it here on Roller. As a Java developer, you should be aware of the tremendous wealth of open source development software that is available for your use -- even if you have no desire to release any of your own software as open source. In this article, I will introduce you to some of the most useful open source Java development tools by showing you how I used these tools to develop a complete database-driven Web application called Roller.[Read More]

This is the third of my 2014 side projects that I'm sharing and one that involves the Apache Roller blog server and the Apache Shiro security framework. You might find this interesting if you're considering using Shiro for authentication and authorization, or if your interested in how security works in Apache Roller.

Inspired by my work with Ember.js in Fall 2014, I started thinking about what it would take to build an Ember.js-based editor/admin interface for Apache Roller. To do that, I'd need to add a comprehensive REST API to Roller, and I'd need a way to implement secrity for the new API. I've enjoyed working with Apache Shiro, so I decided that a good first step would be to figure out how to use Apache Shiro in Roller for Roller's existing web interface.

Working over the winter break I was able to replace Roller's existing Spring security implementation with Shiro and remove all Spring dependencies from my Rollarcus fork of Roller. Below I'll describe what I had to do get Shiro working for Form-base Authentication in Roller.

Creating a Shiro Authorizing Realm

The first step in hooking Shiro into Roller is to implement a Shiro interface called ShiroAuthorizingRealm. This interface enables Shiro to do username and password checks for users when they attempt to login, and to get the user's roles.

Below is the first part of the class, which includes the doGetAuthenticationInfo() method, which returns the AuthenticationInfo for a user specified by an AuthenticationToken that includes the user's username. In other words, this method allows Shiro to look-up a user by providing a username and get back the user's (hashed) password, so that Shiro can validate a user's username and password.

ShiroAuthorizingRealm.java (link)

public class ShiroAuthorizingRealm extends AuthorizingRealm {

    public ShiroAuthorizingRealm(){
        setName("ShiroAuthorizingRealm");
        setCredentialsMatcher(
            new HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME));
    }

    @Override
    public AuthenticationInfo doGetAuthenticationInfo(
        AuthenticationToken authToken) throws AuthenticationException {

        UsernamePasswordToken token = (UsernamePasswordToken) authToken;

        User user;
        try {
            user = loadUserByUsername( token.getUsername() );

        } catch (WebloggerException ex) {
            throw new AuthenticationException(
                "Error looking up user " + token.getUsername(), ex);
        }

        if (user != null) {
            return new SimpleAuthenticationInfo( 
                user.getUserName(), user.getPassword(), getName());

        } else {
            throw new AuthenticationException(
                "Username not found: " + token.getUsername());
        }
    }

In the code above you can see how we pull the username out of the authToken provided by Shiro and we call a method, loadUserByUserName(), which uses Roller's Java API to load a Roller user object specified by name.

The next method of interest is doGetAuthorizationInfo(), which allows Shiro to look-up a user's Role. This allows Shiro to detmerine if the user is a Roller admin user or a blog editor.

ShiroAuthorizingRealm.java (continued)

    public AuthorizationInfo doGetAuthorizationInfo(
        PrincipalCollection principals) {

        String userName = (String)
            (principals.fromRealm(getName()).iterator().next());

        User user;
        try {
            user = loadUserByUsername( userName );
        } catch (WebloggerException ex) {
            throw new RuntimeException("Error looking up user " + userName, ex);
        }

        Weblogger roller = WebloggerFactory.getWeblogger();
        UserManager umgr = roller.getUserManager();

        if (user != null) {
            List roles;
            try {
                roles = umgr.getRoles(user);
            } catch (WebloggerException ex) {
                throw new RuntimeException(
                    "Error looking up roles for user " + userName, ex);
            }
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            for ( String role : roles ) {
                info.addRole( role );
            }
            log.debug("Returning " + roles.size() 
                + " roles for user " + userName + " roles= " + roles);
            return info;

        } else {
            throw new RuntimeException("Username not found: " + userName);
        }
    }

In the code above you can see that we use the loadUserByUsername() too look-up a user by username, then we use Roller's Java API to get the user's roles. We add those roles to an instance of the Shiro class SimpleAuthorizationInfo and return it to Shir.

Creating a Shiro Authorizing Filter

Now that we've implementated a realm, we've provided Shiro with everything needed to authenticate Roller users and get access to Roller user role information. Next, we need to configure Shiro to enforce roles for the URL apths found in Roller. Shiro includes a RolesAuthorizationFilter, which is close to what we need but not exactly right for Roller. I had to extend Shiro's roles filter so that we can allow a user who has any (not all) of the required roles for a resource.

RollerRolesAuthorizationFilter.java (link)

public class RollerRolesAuthorizationFilter 
    extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed( 
        ServletRequest request, 
        ServletResponse response, 
        Object mappedValue) throws IOException {

        final Subject subject = getSubject(request, response);
        final String[] roles = (String[]) mappedValue;

        if (roles == null || roles.length == 0) {
            return true;
        }

        // user is authorized if they have ANY of the roles
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }
}

Configuring Shiro for Roller

Now that we've seen the Java code needed to hook Shiro into Roller, lets look at how we configure Shiro to use that code. We do that using the Shiro configuration file: shiro.ini, as shown below.

shiro.ini (link)

[main]

defaultRealm = org.apache.roller.weblogger.auth.ShiroAuthorizingRealm
securityManager.realms = $defaultRealm

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager

authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /roller-ui/login.rol
authc.successUrl = /roller-ui/menu.rol

rollerroles = org.apache.roller.weblogger.rest.auth.RollerRolesAuthorizationFilter

[urls]

/roller-ui/login.rol          = authc
/roller-ui/login-redirect.rol = authc, rollerroles[admin,editor]
/roller-ui/profile**          = authc, rollerroles[admin,editor]
/roller-ui/createWeblog**     = authc, rollerroles[admin,editor]
/roller-ui/menu**             = authc, rollerroles[admin,editor]
/roller-ui/authoring/**       = authc, rollerroles[admin,editor]
/roller-ui/admin/**           = authc, rollerroles[admin]
/rewrite-status/**            = authc, rollerroles[admin]
/roller-services/rest/**      = authcBasic, rollerroles[admin,editor]

In the configuration file above, you see how we hook in the new ShiroAuthorizingRealm on line 3. The next couple lines are boiler-plate code to hook in Shiro's caching mechanism and then, on line 9, we configure an authentication method called authc, which is configured to use Shiro's Form Authentication feature. And, on line 13, we hook in our new RollerRolesAuthorizationFilter.

Next, we tell Shiro that the login page for Roller is /roller-ui/login.rol and which page to direct a user to on a successful login, /roller-ui/menu.rol, if the user did not specify which page they wanted to access. And finally, on lines 17-25, you see the list of Roller URL patterns that need protection, which authentication method to use (authc or authcBasic) and the authorization filter and roles required for access to the URL pattern.

Wrapping up...

That's all there is to the story of Roller and Shiro so far. I was able to get Roller's form-based authentication working with Shiro, but I did not try to test with OpenID or LDAP, so I assume more work will be necessary to get them working. I did the work in my experimental Rollarcus fork of Roller. You can get the code from the shiro_not_spring branch. Pull requests are quite welcome as are suggestions for improvement. Please let me know if you see anything wrong in the above code.

This work may not find its way into Roller proper, but it plays a part in my the next side-project that I will share: A REST API for Roller with JAX-RS.

I've been working at Apigee since September 2013 and one of the things I love most about my new job is the fact that I'm actively contributing to open source again.

I'm working on Apache Usergrid (incubating), an open source Backend-As-A-Service (BaaS) that's built on the Apache Cassandra database system. Apigee uses Usergrid as part of Apigee Edge (see the Build Apps part of the docs).

Apigee contributed code for Usergrid to the Apache Software Foundation back in October 2013 and Usergrid is now part of the Apache Incubator. The project is working towards graduating from the Incubator. That means learning the Apache way, following the processes to get a release out and most importantly, building a diverse community of contributors to build and maintain Usergrid.

One on the most important parts of building an open source community is making it easy for people to contribute and and that's why I submitted a talk to the ApacheCon US 2014 conference (April 7-9 in Denver, CO) titled How to Contribute to Usergrid.

The talk is intended to be a briefing for contributors, one that will lead you through building and running Usergrid locally, understanding the code-base and test infrastructure and how to get your code accepted into the Usergrid project.

Here's the outline I have so far:

How to Contribute to Apache Usergrid

• Motivation
  • Why would anybody want to contribute to Usergrid?
• First steps
  • The basics
  • Getting signed up
• Contributing to the Stack
  • Understanding the architecture & code base
  • Building the code. Making and testing changes
  • Running Usergrid locally via launcher & via Tomcat
• Contributing to the Portal
  • Understanding the architecture & code base
  • Building the code. Making and testing changes
  • Running the portal locally via node.js
• Contributing to the SDKs
  • Understanding the architecture & code base
  • Building the code. Making and testing changes
• Contributor workflow: how to get your code into Usergrid
  • For quickie drive-by code contributions
  • For more substantial code contributions
  • For documentation & website changes
• Contributing Docs and Website changes
  • Website, wiki and GitHub pages
  • How to build the website and docs
• Roadmap
  • First release
  • New Core Persistence system
  • The two-dot-o branch
  • Other ideas

I'm in the process of writing this talk now so suggestions and other feedback are most welcome.

I'm going to break blog silence now to tell you about Apache Roller and Google Summer of Code 2011, which just wrapped up about a week ago.

This year we were very fortunate to get a another highly motivated and smart student, Shelan Perera, and an good proposal as well: Mobile-enabled Templates. Over the summer Shelan designed and implemented a new feature for the Roller blog server, one that enables theme authors to provide an alternative "mobile" template for each page template in a Roller blog theme. You can see a screenshot of the new Edit Template page in Shelan's blog How to change template codes in Roller.

Now, when a page request comes into Roller, Shelan's code determines if it's from a mobile device and, if it is, switches to a mobile template, if one is available. There's also an easy way for template authors to create a button to allow users to switch to the "Standard" site instead of the mobile version. The screenshot on the right, of Roller with a mobile theme comes from Shelan's most recent blog.

It was an honor to act as mentor for this project, and fun talking to Shelan via Skype most Fridays. I'm looking forward to getting this on my blog, and getting this cool new feature into an Apache Roller 5.1 release sometime soon. Thanks, Shelan! And, thanks to Google for running the most excellent Summer of Code program.

(cross-posted from the Roller project blog)

Here's some more happy Roller news. Apache Roller 5.0 has been released!

http://rollerweblogger.org/project/mediaresource/3cdaff7b-2745-4dac-89c9-151a3a1ccf26' align='right' style='padding:1em' />

The major new feature in Roller 5.0 is Media Blogging, a set of enhancements to Roller's file upload and management capabilities. Also included in 5.0 are simple multi-site support, OpenID and ~OAuth support for Roller's AtomPub interface. All major dependencies have been updated and Roller now uses Maven for build and dependency management. You can find a summary of Roller 5.0's new features on the Roller wiki.

The road to Roller 5.0 has been a long one and if you are interested the history, you might want to check Dave Johnson's What's New in Roller 5.0 presentation from ApacheCon US 2009. Roller 5.0 includes contributions from contributors from Google Summer of Code, San Jose State Univ. and the usual case of Roller committers. Thanks to all who contributed to Roller 5.0 over the years.

To download Apache Roller 5.0 and documentation, visit the Apache Roller download page at the Apache Software Foundation's website.

Congrats to Simon Phipps on what sounds like a great new job at ForgeRock and on his new column in ComputerWorld.UK.

One of the key benefits to customers of the source code becoming open source is that, in the event a product is discontinued by its owner, a group of people from the community can simply pick up the source code and keep on maintaining and improving it. That's a radical change from proprietary products, which can be killed stone dead with no appeal. With open source, the company may fold but the community carries on.

That's all fine in theory, but does it actually work? I intend to find out. Starting this week, I'm joining ForgeRock as chief strategy officer.

Read More

One year ago on this day I wrote that Sun Microsystems is willing to contribute Project SocialSite" to the Apache Software Foundation. My contacts at Sun told me it was OK to make that announcement because a VP approved. One year later, we have established Apache SocialSite (incubating) project, setup user accounts, put up a status page and setup source code control but we still have no code from Sun.

Since March 2009 I've been exchanging emails with my helpful contacts at Sun and trying to help them move forward with the contribution, but because of the ongoing Oracle/Sun merger things have moved incredibly slowly. Finally in late December 2009, my Sun contacts had permission to actually release the code to Apache, but there was a problem.

When Sun said that they were willing to contribute the SocialSite code to Apache, I figured that they would do so using the standard Software Grant agreement that was used for Roller and all other projects entering Apache via the Incubator. Unfortunately, the Sun lawyers did not want to use the standard Software Grant agreement and Apache did and does not want to devise a new legal agreement just to accommodate Sun. That's where we stand today. Sun committed to contributing SocialSite to Apache and now we're waiting for Oracle/Sun to follow through on that commitment.

Meanwhile, others have been making some progress with SocialSite. A major sports brand has launched a SocialSite based network with a million-plus users. A couple of developers have rewritten the build script to use Maven, others have "ported" to JBoss and there is still interest in and a need for what was Sun's Project SocialSite. Neither effort has contributed code back to SocialSite-proper and because of legal concerns are waiting for the main code to appear at Apache.

SocialSite is a small project and it will not survive for much longer with resources spread across multiple sites and a community working separately. So, I'm asking again and publicly: Oracle, please follow through on your commitment and grant the Project SocialSite codebase to Apache.

I blogged about Alfonso Romero's Apache Roller 4.0 Beginner's Guide book before. It's a great resource for folks who want to get the most out of their Apache Roller-based blogs, and not just beginners. As you can see in the photo on the right, I've got my copy. You can get yours directly from Pakt publishing:

Buy a copy of Beginner's Guide to Apache Roller 4.0

To publicize the book, Pakt publishing has been publishing some useful excerpts and even a complete sample chapter online. Here's summary of the excerpts so far:

• Chapter 9 - Advanced topics (PDF)
• Working with Templates in Apache Roller 4.0
• Using video and sound files in Roller
• Including Google Maps in Roller blog posts
• Spicing up your Roller blog with uploaded images

If you've been following Roller development you know that Roller 5.0 is on the way. Most of the changes in Roller 5.0 are "under the hood" so 5.0 won't make Alfonso's book obsolete. Except for a couple of pages in Chapter 5 "Spicing Up Your Blog" that need updated screenshots, I believe everything in the book applies to Roller 5.0 as well.

Crammed into one post...

After a month of blog neglect, my automatic Latest Links from my Delicious.com account started to pile up. Back in the glory days of this blog, I blogged about things instead just saving links or tweeting about them. I realized that, by adding some commentary/opinion for each, I could turn a month's worth of links into a month's worth of blog posts and thus gain total absolution for my sin of going a full month without a post. So that's what I did.  [Read More]

For the past five months I've had the pleasure of mentoring two San Jose State Univ. graduate students, Ganesh Mathrubootham and Tanuja Varkanthe, who are working on a project for classes CMP 295A and B. They picked one of the projects that I first proposed for Google Summer of Code and then for Glassfish's student outreach program, Media Blogging for Apache Roller. It's turned out to be a major project and the central new feature in the upcoming Roller 5.0 release. [Read More]

Good news for ROME fans. Nick Lothian picked up the puck and is galloping towards the finish line (sorry, I'm terrible at sports analogies).

Nick Lothian on ROME dev:

I've gone and built some preview jars for the upcoming ROME 1.0RC2, ROME Fetcher 1.0RC2 and Modules 0.3 release.

Those jars can be found here: https://rome.dev.java.net/servlets/ProjectDoc...

I've created source and javadoc jars as well as the normal jars - the idea being that I'll get them uploaded to some maven repository.

If you have some spare time, please take a look at these and test them and let me know of any problems. Assuming there are no big issues found I'd like to do a proper release in a couple of days.

Guess that means I should test Propono with RC2.

Congratulations to the Apache Abdera team, who've just graduated to full Apache top level project status. The don't have the new site at abdera.apache.org up yet and they're still not quite at 1.0 yet, but this is a major milestone. They've got the best Atom format and protocol toolkit around, in my opinion.

via Garett and James.

My talk went pretty well yesterday and I'm definitely enjoying both the conference, which is still in progress, and my stay in Copenhagen. I'll post more photos later, but for now here is a shot of the conference setup at ITU Copenhagen.

I'm happy to report that I'll be traveling to Copenhagen, Denmark to talk about Roller and Project SocialSite at the Open Source Days 2008 conference on Oct. 3-4 this year. I'm going to tell the story of Roller and lessons learned along the way and then talk about blogging in the age of social networks and how to social-enable Roller with the SocialSite widgets. The session is called titled The once and future Roller.

If you want the lowdown on what's going on with Roller community health, ongoing work and upcoming releases then check out the Apache Roller August 2008 Board Report.

• Placating people with options [dive into mark]
  "Google Project Hosting is and has always been a tool to fight license proliferation. It is only incidentally useful"
• tecosystems - Google Code vs License Proliferation
  "There is room in my philosophy for file based reciprocal licenses such as the CDDL, EPL, and MPL. While they may create islands of code, some of those islands are very large indeed"
• Launchpad, by Canonical
  Speaking of FOSS project hosting, LaunchPad looks very cool. Take the tour.
• JavaFX, are we there yet? [kirk.blog-city.com]
  "With this in mind, I'm pretty optimistic that JavaFX, being free and open, will become the preferred choice for building rich clients if..."
• OpenJFX: Open Source sidebar
  "Sun is committed to delivering enhancements to the JavaFX platform and to this end will continue internal development -- hmm... I don't understand the logic here
• Open Source and Cloud Computing - O'Reilly Radar
  "almost all of the software stacks running on cloud computing platforms are open source, for the simple reason that proprietary software licenses have no provisions for cloud deployment"
• Patent Law Blog (Patently-O): The Death of Google's Patents?
  "The Patent and Trademark Office has now made clear that its newly developed position on patentable subject matter will invalidate many and perhaps most software patents"

My teammates and I have started a new blog over at blogs.sun.com to cover Project SocialSite and to break the big news: we're open!

We are very pleased to announce that source code is now available for Project SocialSite (under a CDDL/GPL license) and the project is now operating as an open source project following the Glassfish governance policy. We're working in the open and welcome contributors of all stripes. Read more...

via <a href= "http://blogs.sun.com/jimgris/entry/jspwiki_and_xwiki_evaluations">Jim Grisanzio: Chris Phelan has done evaluations of <a href= "http://opensolaris.org/jive/thread.jspa?threadID=64619&tstart=0">JSPWiki and XWiki for use on the OpenSolaris.org site. Based on his 32 requirements, XWiki came out on top.

On balance, XWiki wins by virtue of having better support for management, searching, page taxonomies, virtual servers, content export and language translation/localization support.

JSPWiki has slightly better support for identifying orphaned pages and accesskey support (XWiki 1.4 will have support for access keys).

Confluence was not considered because requirement #0 is "the software must be free and open source," which seems like a reasonable request when selecting software for an open source community site.