Spring Security (previously Acegi) gives you an awesome AOP way of locking down methods in your Java application. And well-placed lock down is a special power indeed. However, Spring disappoints a bit on this score because it turns out its default behavior is to ‘or’ the roles listed in @Secured annotation. You’d think the default would be the stricter ‘and’, but alas. But never fear, there is hope.
In Java Land, everything is tied up in multiple layers of multi-colored wrapping paper. The abstraction often provides niceties and protections and convenience, etc. But, sometimes it practically makes you forget where you are. For instance, why would anyone write a little howto on requesting something over the web from the context of the web. That should be easy, right? Well, yes, I think so. And it turns out it is in Java, as it is in many other languages. It’s just that there you’re super close to the HTTP protocol all the time, and in many Java uber-frameworks, if you want to know how to break into the low-level operations, you have to know where the fire exit is.
Around the office, when someone security-minded finds out that I instant message (IM) over Pidgin (using Google Talk’s service), there tends to be wailing and gnashing of teeth, because I am chatting in clear text over the wire. I am encouraged to use a clunky, Windows-only, proprietary, corporate, different tool that is for internal talk with internal people. “It’s secure.” “It’s encrypted,” they say. I never thought I said too much of worth over chat, and what was occasionally awesome was well-encoded in l33t. But, now my friend Dean teaches me the goodness of encrypting your IMs in Pidgin.
How do you log into a MarkLogic application to run as a user besides the default app server user? Use xdmp:login(), baby! User/role management can be awesome – when it’s done and coded. For now, let’s sing out a few important things to remember about xdmp:login() and all its hidden secrets.
Sometimes you need to install a security certificate for authentication to work for certain services – services that are accessed by your Java application and that require a secure connection. For instance, needing to authenticate against an LDAP server from one of our apps, we had to run a little InstallCert.java on all JDKs used to run the app.