Things to do


Dave Briccetti

Oct 18, 2012, 3:31:17 PM
to dbsc...@googlegroups.com
Here, in rough form, is what I’d like to start with (copied from Lift group):

I want to start by porting the administrative side of the Swing application to Scala/Lift/Squeryl. Create/import/edit students, and assign them to music groups on instruments in school years. Display students by school year, group and instrument. Sort/search by the same. Edit lists of instruments, pieces (and their tempos, default and per-instrument), groups.

The Swing app works pretty well, but we’ve had a lot of problems with unsophisticated users and Java Web Start.

Something else that should be done soon is a login feature, with salted hashed passwords (or whatever the current recommended way is). 

Diego Medina

Oct 18, 2012, 4:10:41 PM
to Dave Briccetti, dbsc...@googlegroups.com
Hi,

On a side project I recently integrated lift-shiro [1] for
authentication / authorization. It has some neat features, and while
getting it (well, Apache Shiro [2]) to work nicely with a database-based
login was quite the challenge, I now have it working, so I
could contribute it to the project.

At work we are also using apache shiro, because it allows us to easily
have LDAP and Database based login, all using the same interface. And
it has been working really well.

When it comes to how to use it, to protect a page, on your sitemap you
would add a loc like

>> RequireAuthentication >> HasRole("admin")
You can also surround some HTML / snippet invocation with one of the
helper snippets from lift-shiro, and it will be displayed or not based on
the current roles.

On the down side, Lift's record proto user uses bcrypt, which I
believe is the latest in security, but Shiro uses salted
passwords with SHA-256, and you can set the number of hash iterations to
run. On my application, I'm using credentialsMatcher.hashIterations =
200000 (the higher the better/safer).
But I think that we should be ok with SHA-256 for at least a couple of
years (if not more).

[1] https://github.com/timperrett/lift-shiro
[2] http://shiro.apache.org/

Regards,

Diego

--
Diego Medina
Lift/Scala Developer
di...@fmpwizard.com
http://www.fmpwizard.com

Dave Briccetti

Oct 18, 2012, 5:05:06 PM
to dbsc...@googlegroups.com
Carlos, that may be the way to go, but why don’t we cover the broad strokes with David and Diego, since they are here. Experts, what is a good way to do CRUD in this application?

Dave Briccetti

Oct 18, 2012, 5:08:36 PM
to dbsc...@googlegroups.com, Dave Briccetti
Diego, I’d be pleased to have you add whatever solution you think is best. Thanks!

carlos.montemuino

Oct 18, 2012, 6:16:36 PM
to dbsc...@googlegroups.com
I don't see it so hard. Besides Lift/Scala, setting up the ORM is something we all did for years.

I think we should (at least) have in place a mechanism to set up the DB connection from a properties file instead of hardcoding it. I already created a couple of those kinds of files: one for development (using H2) and another for production (using Postgres).

Then we need something to add CRUD support. Using Lift Record seems to be a good approach. But that's not enough, as we need pooled connections. I was thinking of using BoneCP.

I'm in the middle of setting up all the above, using a helper object. I'll need a couple of hours to test.

Best,
Carlos.

Dave Briccetti

Oct 22, 2012, 1:09:45 AM
to dbsc...@googlegroups.com
The highest priority task now is a login page, and authentication against the com.dbschools.music.orm.User table (not yet in Squeryl). Anybody want to work on that? Diego, I think you said you have something suitable?

After that’s in, I want to deploy what we have both in production, and against the demo database, dbsmusic-demo.

Diego Medina

Oct 23, 2012, 12:21:43 AM
to Dave Briccetti, dbsc...@googlegroups.com
Hi,

I don't know exactly what I have, but today I felt pretty sick, and
there is some stuff going on at work that may prevent me from working
on this, at least until mid next week.
@Carlos: Would you like to try and integrate lift-shiro [1]?

I should be able to answer questions if you run into any issues.

[1] https://github.com/timperrett/lift-shiro

Thanks

Diego

Diego Medina

Oct 23, 2012, 12:27:39 AM
to Dave Briccetti, dbsc...@googlegroups.com
Here are some notes / raw code for the Shiro integration:


You will need a shiro.ini file in src/main/resources:

#=================================================================================
# Shiro Configuration
#=================================================================================
[main]

# Realms
# We define the DBRealm class a bit later (Shiro INI comments must be on their own line, so the note is moved here)
authenticationRealm=com.......DBRealm

# Strong password hashing: salted SHA-256, iterated, stored base64-encoded (not hex)
credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName = SHA-256
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 200000
authenticationRealm.credentialsMatcher = $credentialsMatcher

# Security Manager
firstSuccessfulStrategy=org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy=$firstSuccessfulStrategy
securityManager.realms=$authenticationRealm


===================

The DBRealm class is:

https://gist.github.com/5862c2a031970c766764

The User in my app is written using mapper, but I'm sure you can guess
the fields you need.

I hope this gets you in the right direction

Diego
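
Putting Diego's two messages above together, here is an added example (written for this thread; it is not code from the thread, from the linked gist, or from the lift-shiro project) of a Scala DBRealm that fits the shiro.ini above: a password-setting routine that produces the same salted, 200000-iteration SHA-256 base64 hash the configured HashedCredentialsMatcher expects, the realm that hands Shiro the stored hash and salt, and a small offline round-trip that wires realm and matcher together without a web container. `UserStore`, its `User` fields (username, passwordHash, salt, roles) and the sample account are constructed stand-ins for the com.dbschools.music.orm.User table, whose columns are not shown in the thread.

```scala
// Added example for this thread; not code from the thread, the gist, or lift-shiro.
import org.apache.shiro.SecurityUtils
import org.apache.shiro.authc.credential.HashedCredentialsMatcher
import org.apache.shiro.authc.{AuthenticationException, AuthenticationInfo, AuthenticationToken,
  SimpleAuthenticationInfo, UnknownAccountException, UsernamePasswordToken}
import org.apache.shiro.authz.{AuthorizationInfo, SimpleAuthorizationInfo}
import org.apache.shiro.crypto.SecureRandomNumberGenerator
import org.apache.shiro.crypto.hash.Sha256Hash
import org.apache.shiro.mgt.DefaultSecurityManager
import org.apache.shiro.realm.AuthorizingRealm
import org.apache.shiro.subject.PrincipalCollection
import org.apache.shiro.util.ByteSource
import scala.collection.JavaConverters._

object PasswordHashing {
  // Must equal credentialsMatcher.hashIterations in shiro.ini, or no login will ever match.
  val HashIterations = 200000
  private val rng = new SecureRandomNumberGenerator

  // A fresh random salt per user, stored next to the hash and never shared between users.
  def newSalt(): Array[Byte] = rng.nextBytes(16).getBytes

  // Same construction HashedCredentialsMatcher applies to the submitted password:
  // SHA-256 over salt + password, re-hashed (HashIterations - 1) more times,
  // base64-encoded because storedCredentialsHexEncoded = false.
  def hash(password: String, salt: Array[Byte]): String =
    new Sha256Hash(password, salt, HashIterations).toBase64
}

// Constructed stand-in for the com.dbschools.music.orm.User table (assumed columns).
case class User(username: String, passwordHash: String, salt: Array[Byte], roles: Set[String])

object UserStore {
  private var users = Map.empty[String, User]

  // Creating or changing a password is the only place the plaintext is touched.
  def create(username: String, password: String, roles: Set[String]): User = {
    val salt = PasswordHashing.newSalt()
    val u = User(username, PasswordHashing.hash(password, salt), salt, roles)
    users += username -> u
    u
  }

  def find(username: String): Option[User] = users.get(username)
}

class DBRealm extends AuthorizingRealm {
  override def doGetAuthenticationInfo(token: AuthenticationToken): AuthenticationInfo = {
    val username = token.asInstanceOf[UsernamePasswordToken].getUsername
    UserStore.find(username) match {
      case Some(u) =>
        // Return the stored hash plus its salt; the matcher hashes the submitted
        // password identically and compares. The realm never compares plaintext.
        new SimpleAuthenticationInfo(u.username, u.passwordHash, ByteSource.Util.bytes(u.salt), getName)
      case None =>
        throw new UnknownAccountException("No account for " + username)
    }
  }

  override def doGetAuthorizationInfo(principals: PrincipalCollection): AuthorizationInfo = {
    val username = principals.getPrimaryPrincipal.asInstanceOf[String]
    val info = new SimpleAuthorizationInfo()
    UserStore.find(username).foreach(u => info.setRoles(u.roles.asJava))
    info
  }
}

// Offline round-trip: the same matcher settings as shiro.ini, wired in code.
object LoginDemo extends App {
  val matcher = new HashedCredentialsMatcher("SHA-256")
  matcher.setHashIterations(PasswordHashing.HashIterations)
  matcher.setStoredCredentialsHexEncoded(false)

  val realm = new DBRealm
  realm.setCredentialsMatcher(matcher)
  SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm))

  // Constructed sample account, not a real credential.
  UserStore.create("dave", "correct horse battery staple", Set("admin"))

  def attempt(user: String, pw: String): Boolean = {
    val subject = SecurityUtils.getSubject
    try { subject.login(new UsernamePasswordToken(user, pw)); true }
    catch { case _: AuthenticationException => false }
    finally subject.logout()
  }

  println("right password: " + attempt("dave", "correct horse battery staple"))
  println("wrong password: " + attempt("dave", "nope"))
  println("unknown user:   " + attempt("nobody", "nope"))
}
```

Two points worth carrying into the Lift login page: Shiro raises different exceptions for an unknown account and for a wrong password, so the page should show one generic failure message for both rather than echoing which one occurred; and because each login attempt costs 200000 SHA-256 rounds by design, failed attempts should be logged and rate-limited so the cost is not turned against the server.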

Dave Briccetti

Oct 23, 2012, 1:06:35 AM
to dbsc...@googlegroups.com, Dave Briccetti
Hey there, Diego. Sorry you have been feeling bad. Thanks for the Shiro info.

I’ll just throw in that the security needs are very simple, and we need something quickly. Carlos, if you should be able to do something today, that’s great; otherwise I will create something very simple (which we can expand or replace later if needed).

Carlos Montemuiño

Oct 23, 2012, 1:54:39 AM
to Dave Briccetti, dbsc...@googlegroups.com

Guys, I'll try to add the integration.
Carlos

On 23/10/2012 07:06, "Dave Briccetti" <dcbri...@gmail.com> wrote:
> Hey there, Diego. Sorry you have been feeling bad. Thanks for the Shiro info.
>
> I’ll just throw in that the security needs are very simple, and we need something quickly. Carlos, if you should be able to do something today, that’s great; otherwise I will create something very simple (which we can expand or replace later if needed).
