April 15, 2011

How to test Spring session scoped beans

I wanted to use the http session just as a repository (database/files), to keep facebook access token for currently logged user. While I can manipulate session directly, another option is to declare the class as a session scoped bean in Spring. Something like this:

public class RepositoryOnHttpSession {
    private String facebookAccessToken;

    public FacebookTemplate getFacebookTemplate() {
        return new FacebookTemplate(facebookAccessToken);

    public void setFacebookAccessToken(String facebookAccessToken) {
        this.facebookAccessToken = facebookAccessToken;
<bean id="repositoryOnHttpSession" class="pl.touk.storytelling.infrastructure.repositories.RepositoryOnHttpSession" scope="session">
<aop:scoped-proxy/> makes Spring IoC container create a cglib proxy, and inject that to other singleton type beans instead. All nice and cool, except integration tests (which get Spring IoC container to inject all the dependencies) are blowing up with:

java.lang.IllegalStateException: No Scope registered for scope 'session'

While there's a lot of solutions to be googled (including redeclaring the object as a prototype/sinlgeton for test context, injecting mock http session and request), the easiest way to have a simple thread-bound session scope is just to declare it in the TEST IoC configuration, like below. Just keep in mind that junit fires all tests in a single thread by default, so the state is persisted between tests. You may need to clean it up in @After.
<bean class="org.springframework.beans.factory.config.CustomScopeConfigurer">
    <property name="scopes">
            <entry key="session">
                <bean class="org.springframework.context.support.SimpleThreadScope"/>

April 1, 2011

Spring Security by example: OpenID (login via gmail)

This is a part of a simple Spring Security tutorial:

1. Set up and form authentication
2. User in the backend (getting logged user, authentication, testing)
3. Securing web resources
4. Securing methods
5. OpenID (login via gmail)
6. OAuth2 (login via Facebook)
7. Writing on Facebook wall with Spring Social

OpenID is to form authentication, what DVCS is to centralized version control system.

Ok, but without the technical mumbo-jumbo: OpenID allows the user to use one account (like Gmail) to login to other services (websites) without having to remember anything and without worries about password security.

Easy enough?

And the best part is: chances are, you already have an account which is a provider to OpenID. Are you registered on Gmail, Yahoo, or even Blogger? You can already use it to login to other sites.

But why would you? Isn't login/password good enough?

Have you ever wondered whether the service you are logging to, uses one-way password hashing or keeps the password as open text? Most users do not create password per site because they cannot remember more than, let's say, three passwords. If one site keeps their password as open text, they are practically screwed. And more often than not, it's the site that has the worst (or non-existing) security. Welcome to hell: all your bases are belong to us.

By the way, I know of only one site, which does SHA hashing on the client side (in javascript), so that the server has no way of knowing what the real password is: sprezentuj.pl

Kudos for that, though it smells like overengineering a bit :)

OpenID is pretty simple, and the process description at Wikipedia is practically everything you need, but as they say, one picture is worth 1000 words, so let's look at a  picture. There is a loot you can find with google, but most of them are in big-arrows-pointing-some-boxes-notation, and I find easier to read a sequence diagram, so here is my take on it:

Read emails from imap with Spring Intergration

What's the easiest way to read emails from IMAP account in Java? Depends what your background is. If you have any experience in Apache Camel, ServiceMix, Mule, you already know the answer. If you don't, and your application is using Spring already, Spring-Integration may be the solution for you.

It's not a one-liner like what you could do with Camel, but it's still quite easy to understand.

Spring Integration has great docs and there are nice tutorials around, but if you just want to get it running first and dig into the docs later, here is a quick example for you.

To make it work, you need three steps: