JavaScript and ASP.NET

Uncategorized — Titus Barik on February 28, 2005 at 9:57 pm

Recent work with Blooming Cookies has given me an opportunity to enhance pages with ASP.NET and JavaScript. Script blocks are easy to insert programmatically with the RegisterStartupScript and RegisterClientScriptBlock methods, and they integrate nearly seamlessly with the client-side scripting generated by the ASP.NET framework itself.

Resin JDBC Authenticator with JTDS

Uncategorized — Titus Barik on February 22, 2005 at 4:13 pm

A naive method for web-based authentication is the use of a session variable check on every security-restricted page. If the user is not authenticated, he or she is then redirected to a login page. This works, but it’s quite inelegant.

A better solution is the use of the J2EE form-based authentication mechanism, which moves authentication logic from the web application to the application server itself. A common scenario involves a password restricted folder, authenticated via a database store which contains usernames, passwords, and role information.

In this example, we illustrate the use of the JDBCAuthenticator provided by Resin in conjunction with the jTDS Microsoft SQL Server driver to pull data from the backend. The first step is to add a database pool to resin.conf:

<database>
  <jndi-name>jdbc/db-pool</jndi-name>
  <driver>
    <type>net.sourceforge.jtds.jdbc.Driver</type>
    <url>jdbc:jtds:sqlserver://serveraddr:1433;DatabaseName=dbName</url>
    <user>username</user>
    <password>password</password>
  </driver>
</database>

The database pool manages and provides all connections to a database. The jndi-name is relative to java:comp/env, and I’ve chosen the name that I have because it’s the default pool-name used by the JDBCAuthenticator later on. Next, we specify a security constraint:

<security-constraint url-pattern='/users-only/*'
   role-name='user'/>

This and all future changes are made to the web.xml file for your project. Basically, all this says is that only users who successfully authenticate under the user role can access pages in the users-only directory. If a user tries to access a page in this directory and is not authenticated, then he or she is taken to the login page:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.html</form-error-page>
  </form-login-config>
</login-config>

The login.jsp form is not much more difficult:

<form action="j_security_check" method="POST">
  <input type="text" name="j_username" />
  <input type="password" name="j_password" />
  <input type="submit" />
</form>

The form action must be named j_security_check, and the fields must be named j_username and j_password.

Simple enough. The final step is to tell login-config how exactly it should validate a user. You can use any authentication mechanism you like, and you can even write your own. We, of course, are using the Resin built-in JDBCAuthenticator:

<authenticator
  type='com.caucho.server.security.JdbcAuthenticator'>

<init>
  <password-query>
  SELECT password FROM TBL_USERS WHERE username=?
  </password-query>
  <cookie-auth-query>
  SELECT username FROM TBL_USERS WHERE cookie=?
  </cookie-auth-query>
  <cookie-auth-update>
  UPDATE TBL_USERS SET cookie=? WHERE username=?
  </cookie-auth-update>
  <password-digest>none</password-digest>
</init>

</authenticator>

Since our authenticator is backed by a database, we specify the query that returns the password we’re checking against. The username is automatically filled in through the ? substitution operator. Cookies are used to maintain the user session throughout the application context, and these are stored in the database as well. The default password digest is md5-base64. If password-digest is set to none, as it is here, the password is stored in the database in plain text.
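An added example, not from the original post or from Resin's source: a small Python model of what the authenticator does with password-query and password-digest, using an in-memory SQLite table as a stand-in for TBL_USERS. The user:realm:password digest input and the realm name resin are assumptions about Resin's md5-base64 format, so check them against your Resin version's documentation before populating a real table; the sample users are constructed.

```python
import base64
import hashlib
import hmac
import sqlite3

REALM = "resin"  # assumption: Resin's default realm name


def md5_base64(username, password, realm=REALM):
    """MD5 of "user:realm:password", base64-encoded (assumed Resin format)."""
    raw = f"{username}:{realm}:{password}".encode("utf-8")
    return base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")


def make_db(digest):
    """Constructed TBL_USERS; digest is "none" or "md5-base64"."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TBL_USERS "
               "(username TEXT PRIMARY KEY, password TEXT, cookie TEXT)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        stored = pw if digest == "none" else md5_base64(user, pw)
        db.execute("INSERT INTO TBL_USERS (username, password) VALUES (?, ?)",
                   (user, stored))
    return db


def authenticate(db, digest, username, password):
    """Model of the check: password-query with the username bound to ?."""
    row = db.execute("SELECT password FROM TBL_USERS WHERE username=?",
                     (username,)).fetchone()
    if row is None:
        return False
    candidate = password if digest == "none" else md5_base64(username, password)
    # Constant-time comparison of the submitted value against the stored one.
    return hmac.compare_digest(candidate.encode(), row[0].encode())


def stored_passwords(db):
    """What anyone with read access to TBL_USERS (or a backup of it) sees."""
    return dict(db.execute("SELECT username, password FROM TBL_USERS"))
```

With none, a database dump hands over every password as typed; with md5-base64 the column holds a 24-character digest, though unsalted MD5 is still cheap to brute-force offline.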

You can now authenticate users for your web application easily and without any messy session checking. I wrote this article because I had a lot of trouble finding coherent documentation on how to complete this single task end to end.

Week in Review

Uncategorized — Titus Barik on February 21, 2005 at 9:23 pm

In between writing articles and work, it’s become quite difficult to write in my weblog as frequently as I would like. I’ll try to give you the highlights. Yesterday, Laurel and I went out to the movies to see Finding Neverland, the story of J.M. Barrie’s friendship with a family who inspired him to create Peter Pan. The day before, I worked with Cobb Habitat once again to help paint the house on Pat Mell. On Friday, I joined Audrey and her friends for a farewell dinner at the Melting Pot. She’s moving to Savannah to be a counselor at one of the camps located there. And on Wednesday, the Georgia Lottery dropped the ball on their Fantasy 5 drawing due to human error, and we’re currently in the process of modifying the web site to account for this rare glitch.

Resin and Struts

Uncategorized — Titus Barik on February 16, 2005 at 10:02 pm

These past few days I’ve been having issues with getting one of our Web Archive files to deploy on anything other than Red Hat Enterprise Linux or Debian. Resin would mysteriously throw an AbstractMethodError exception on certain Linux systems, even while the same web archive loaded perfectly on others. I’m not sure exactly why this happens, but one solution is to move all of the Apache Struts jars and log4j jar files into the global Resin classpath. It also seems that I’m not the only one having difficulties with Struts and Resin.

Flashback

Uncategorized — Titus Barik on February 11, 2005 at 12:00 am

This past week has been a busy, social bonanza, intermingled with work. On Superbowl Sunday, Ben and I had dinner at Graham’s place and watched Ingmar Bergman’s Skammen. Simply put, Bergman’s work is a lot like that of Woody Allen, except depressing. On Monday, Mark and I had steak and a pint at Highlander, and on Wednesday and Friday I met with long lost Audrey and her friends at the Taco Mac and an Irish Pub all the way up in Cartersville. Last night, of course, was the Atlanta meetup. And on Tuesday, I actually managed to get something done for an upcoming article.

Aloha Bloggers

Uncategorized — Titus Barik on February 10, 2005 at 12:00 am

It’s Mai Tai Thursday! Our first get-together was so much fun that we decided to do it again this month at Trader Vics, deep in the abyss of the Hilton Hotel. The regular cast of Atlanta bloggers were all present, including some new folks who don’t have weblogs themselves, namely, Oliver and his buddy. Strange. As usual, Lori has the blogarama pictures, while Mary and Scott get honorable mentions for having posts about the event. Hollis MB, on the other hand, gets nothing, and Mark should be ashamed at his lack of attendance.

RPM Hangs and Cannot be Killed

Uncategorized — Titus Barik on February 9, 2005 at 11:39 am

Occasionally, the Red Hat 8.0 RPM process locks up and cannot be killed except through the use of SIGKILL. When this happens, the database has become corrupt and must be purged:

rm /var/lib/rpm/__db*
rpm --rebuilddb

There’s actually a bug report on this over at the Red Hat Bugzilla, but it still took a while to figure out. The Linux Documentation Project has some additional information on using RPM packages.

Habitat for Humanity

Uncategorized — Titus Barik on February 5, 2005 at 12:00 am

There are a few houses on Pat Mell Road right here in Smyrna currently being built by Cobb County Habitat for Humanity, so I thought it would be a great idea to come out and give them a hand since the weather was so nice today. The day was spent landscaping, laying down sod for the front yard, seeding the back yard, and painting the house. I also met quite a few students from Kennesaw State, and we got a lot done. It’s a lot of hard work, but it’s a very worthwhile thing to do.

ASP.NET with Web Matrix

Uncategorized — Titus Barik on February 3, 2005 at 8:46 pm

Getting started with the ASP.NET platform need not be an expensive investment. When I’m away from work, I use the lightweight Web Matrix development tool for ASP.NET. In conjunction with the Microsoft SQL Server Desktop Engine, and the command-line Microsoft .NET Framework, Web Matrix offers a suitable platform for experimenting with ASP. While the environment does not offer some of the more advanced features found in Visual Studio, such as IntelliSense and debugging, it’s still a great way to hack up some quick and dirty ASP code. My only complaint with ASP.NET is that its controls are not XHTML valid; fortunately, it appears that Whidbey will soon come to the rescue.

titus@barik.net | The Weblog of Titus Barik