machine501

While running the Los Angeles Flex Users Group I got a lot of questions from people about how BlazeDS could fit into their existing infrastructure.

Typically, they will have an application container, such as JBoss, or maybe just a servlet container, like Tomcat, and a SQL backend. Usually MySQL or PostgresSQL. JSPs are used for the presentation layer and, sometimes, they may use Struts or SpringMVC as a web application framework. If you’re using ColdFusion this post is likely of little use to you.

Many programmers are understandably weary of introducing yet another component into their system and BlazeDS sounds like such a complex component that it’s often mistaken for a standalone application container that doesn’t readily integrate with standard Java application containers. This couldn’t be further from the truth. Those programmers who follow the bundled BlazeDS examples get stuck trying to figure out how to expand the example to fit their application or how to even start from scratch.

Let’s tackle the first misconception, that is, that BlazeDS doesn’t play well with Java application containers. To put it simply, BlazeDS is configured as a standard servlet. When a Flex client wants to make a request to a BlazeDS server it will issue a POST request to a defined servlet path. That path is whatever you configured the BlazeDS MessageBrokerServlet to. Flex sends the request as an AMF binary payload or an XML version of AMF. I’m glossing over some details but just knowing that you can access BlazeDS as a servlet is a good starting point for figuring out how you can start integrating BlazeDS into your existing application.

What this means to you is that BlazeDS can use container authentication or even work with Spring.

Let me make it even more clear by putting some sample configuration and code.

Here’s the part of the web.xml in which you declare and configure the MessageBrokerServlet:

<servlet>
<servlet-name>MessageBrokerServlet</servlet-name>
<display-name>MessageBrokerServlet</display-name>
<servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
<init-param>
<param-name>services.configuration.file</param-name>
<param-value>/WEB-INF/flex/services-config.xml</param-value>
</init-param>
</servlet>

Here’s the part where you map the MessageBrokerServlet to a path:

<servlet-mapping>
<servlet-name>MessageBrokerServlet</servlet-name>
<url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>

The file “services-config.xml” is the primary configuration file for BlazeDS. Here is where you define a “channel”:

<channel-definition id="amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="http://localhost:8080/sample_bds/messagebroker/amf"  .... />
</channel-definition>

This tells the Flex client where to make an HTTP POST request when using the “amf” channel on a RemoteObject, for example.

In fact, try it out on a browser, startup BlazeDS and point to htp://localhost:8080/blazeds/messagebroker/amf/

You’ll get a blank page. That’s a good thing!

The next question I usually get is, “do I have to dump my JSP/WebServices/Struts in order to use BlazeDS?” The answer is definitely no! In fact, if you have a JSP AND a WebServices front end to your application you’re a good bit along the way towards integrating BlazeDS. The reason for this is that if you have two front-ends to your application, and these two front-ends share some functionality, then you have probably structured your application in such a way (using a Service Layer, for example) that makes it easy to add a third front-end.

So what architectural patterns are useful for BlazeDS? To cut to the chase, I use Service Layer, Data Transfer Objects, and Mapper (or Assembler) on the server side. I’ll have a post on what I use on the client side later.

If you have played around with BlazeDS or used it to create a production application you’ve probably followed the examples bundled with the turnkey solution. And you probably have a hunch and instinct about how to create your app. I’m guilty of jumping right in and starting to code from my gut, but after a few days of learning a technology I like to step back and formalize my approach. My first place to consult is Martin Fowler’s Patterns of Enterprise Application Architecture (PEAA), and Design Patterns: Elements of Reusable Object-Oriented Software (Typically referred to as The Gang of Four Book, or GoF).

Service Layer

A Service Layer can have many methods, each using a variety of domain objects and models. Service Layer have application logic, like telling an emailing component to notify administrators that a payment has been processed, while delegating the business logic to the domain models. It’s pretty easy to figure out what types of methods a Service Layer should support; you can use the user interface as a guide to what sorts of things a client can do or you could base this off your use cases, if you’ve taken the time to do this.

The defining characteristics of Service Layers are the following:

• Defines application boundaries
• Defines available services from the perspective of interfacing clients
• Encapsulates business logics
• Provides convenient place for handling transactions, logging, etc.
• Prepares the response appropriately for the client

That last one brings me to the next pattern I use.

Data Transfer Objects

These are objects that have a bunch of properties, contain no domain logic, and may be structured in a simple hierarchy. When I first started with BlazeDS I was using an Hibernate as my object-relational mapping (ORM) solution and so I was happily transporting the objects I got from a database straight through BlazeDS and over to Flex. Some of my objects had few methods for domain logic, some had more. Few had a complex hierarchies.

Once I started adding parent child relationships and collections then I suddenly encountered a problem where retrieving one of these objects would cause Hibernate to recreate a pretty huge hierarchy. Just as bad was a problem with transactions; when you’re about to send an object down the wire, BlazeDS will call each of its getter methods and each of those Object’s getter methods in turn. This is why it recreates entire hierarchies, but if you close the Hibernate session before BlazeDS has a chance to get to these methods then you’ll get an exception because the Hibernate proxy object can’t get a hold of a session with which to get the rest of the objects out of the database.

There are ways to go around this, such as using the Open Session in View approach, and that works well, though I found it felt awkward because of the name, since the “view” part of this is that hibernate objects are being used by the view and so the session should not be closed, but I also didn’t need to load all the objects that were connected to the one measly object I wanted to read.

I could have used the custom serialization method specified here: Using custom serialization between ActionScript and Java.

So, the simples solution I finally adopted was to use Data Transfer Objects. Characteristics of DTOs are the following:

• May contain aggregated data
• Fields are simple, such as primitives, or other DTOs

The pain of adding DTOs is that you now have to transform some of your domain models, in my case, for example, some of the objects gathered with Hibernate into DTOs. So you have to use the Assembler (or Mapper) pattern. An Assembler can take care of:

• Knowing how to transform an object into a DTO
• How to reconstruct hierarchies for DTOs
• Keeps the domain model independent of external interfaces
• May make use of more than one assembler per dto based on the semantics of the request.

Now I have no problem with building deep hierarchies when I only need one object. If I do need the complete hierarchy I can use a different assembler that knows how to reconstruct that. That’s what the last bullet point on that list is talking about; if it makes sense in one request to bring in all children and grandchildren objects then an assembler can know how to do that, if, instead, all you need, is the one object, then that’s all the other assembler needs to do. In my case, I now had better control over when I could close the session without having to worry about Session closed exceptions.

An additional benefit with respect to BlazeDS and Flex is that the RemoteClass mapping from Flex to Java can always map to DTO and you won’t have to worry about changing your actual Domain Objects and having those changes reflected in the mapped actionscript class; if you remove a property from your domain object then the Java compiler will complain because the assembler will be unable to access that property. You’ve caught the error earlier on.

I didn’t talk about the client side much. I’m working on another post that will address that side.

Update: The “start”-method-not-getting-called bug is now a filed in the adobe bug tracker: http://bugs.adobe.com/jira/browse/BLZ-190

This post is another baby step in getting acegi/spring security and blazeds to work together. The whole purpose of these exercises is to for acegi to handle authentication/authorization and destination security. Even bypassing container security.

In the last part I talked about how I was stumped by the LoginCommand and how the “start” method is never called. The reason I want the start method to be called is so that I am passed a ServletConfig and from there I can get access to the ServletContext, and thereby access to the Spring WebApplicationContext but unfortunately this method never seems to get called. I traced the BlazeDS source in SVN, not very thoroughly I should admit, and never found a spot where the start method gets called.

That’s not such a big deal because I can get access to the ServletContext by using the FlexContext singleton. I’m not generally a fan of singletons but what the hell; if it gets it to work =p

Anyway, here’s a brief outline of my AcegiLoginCommand, which extends AppServerLoginCommand:

.. class AcegiLoginCommand extends AppServerLoginCommand …

public AcegiLoginCommand() {
    initAuthenticationManager();
}

private void initAuthenticationManager()
{
    ServletContext servletContext = FlexContext.getServletContext();
    String beanId = servletContext.getInitParameter("loginCommandBean");

    if (beanId == null) {
        beanId = "authenticationManager";
    }

    WebApplicationContext context =
        WebApplicationContextUtils.getWebApplicationContext(servletContext);

    authenticationManager = (AuthenticationManager)context.getBean(beanId);

    if (authenticationManager == null) {
      throw new RuntimeException("AuthenticationManager could not be found.  Tried beanId='"+ beanId+"'");
    }
}

The LoginCommand needs access t othe authenticationManager so that it can pass it call the manager’s “authenticate” method. To make it more configurable, I added a little bit of code that will get the bean name from a web.xml init-parameter.

Finally, my “doAuthentication” method looks like this:

public Principal doAuthentication(String username, Object password) {
  Authentication authentication =
        new UsernamePasswordAuthenticationToken(username, password);
  authentication = authenticationManager.authenticate(authentication);
  SecurityContextHolder.getContext().setAuthentication(authentication);

  return (Principal)authentication;
}

I don’t need to override doAuthorization because when I’m doing MethodSecurityInterceptor, that class takes care of looking at the Authentication token’s “GrantedAuthority”es to see if they can execute the method.

That’s pretty much it. I need to figure out the extent of the security integration. I know that at the moment the authentication will not work on RTMP channels.

A good explanation and example for Spring and BlazeDS is important for driving adoption of BlazeDS into environments that run on Java. I know a potential client of mine is looking into using BlazeDS as a transport layer for a product they have running on a Tomcat container. They want to try following established practices in Java and want to use off-the-shelf, tried-and-true technologies like Spring and Hibernate, and having information on using these with BlazeDS would make them more confident when adopting BlazeDS.

Hope this helps. Also, I just found out someone else had documented a similar approach at this blog post:

http://blog.f4k3.net/fake/entry/acegi_logincommand_for_fds

In an earlier post I talked about BlazeDS and Spring Security and gave a high level overview of how to get a BlazeDS destination to be secured with Acegi security instead of BlazeDS’ security. However, I overlooked a simple thing that would make the whole system play nicer with Flex. That is, I didn’t translate the authentication exception into a flex.messaging.SecurityException and did not set its code to Client.Authentication. It’s not really necessary to do so as you will get an error message anyway because BlazeDS catches Acegi’s exception and wraps it in a MessageException, but it’s nicer if it’s wrapped in a semantically appropriate exception.

I first thought I’d add an exceptionTranslationFilter to my filterChainProxy but this doesn’t work because BlazeDS wraps the exception after the proxied bean invocation and doesn’t let it percolate to the container filter. Duh! That took me about an hour to figure out.

The next step would have been to pass an afterInvocationManager to the method SecurityInterceptor but this guy never gets called when an exception occurs.

So, the next step, which I think is kinda hacky, is to extend the MethodSecurityInvocation class and override invoke. Catch any AuthenticationExceptions and translate them into SecurityExceptions so that BlazeDS can transfer that exception to Flex as appropriate. Here’s the code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

<pre lang="Java" line="1">
@Override
public Object invoke(MethodInvocation mi) throws Throwable {
    try {
        return super.invoke(mi);
    } catch (AuthenticationException ae) {
        SecurityException se = new SecurityException();
        se.setMessage(ae.getLocalizedMessage());
        se.setRootCause(ae);
        se.setDetails(ae.getLocalizedMessage());
        // This is an authorization error instead of an auth error 
        if (ae instanceof InsufficientAuthenticationException) {
            se.setCode(SecurityException.CLIENT_AUTHORIZATION_CODE);
        }
        else {
            se.setCode(SecurityException.CLIENT_AUTHENTICATION_CODE);
        }
        throw se;
    }
}

My next step is to bypass BlazeDS’s authentication mechanism and just do it through Acegi. I’ll keep you posted.

This is a component that mimics the text finding functionality in Safari. When you do a search it dims out the text field and highlights the currently found fragment of text. Other fragments in the text are currently set apart by a black rectangle, but I plan to change that.  This is kind of like the Highlighter component on FlexLib http://code.google.com/p/flexlib/wiki/ComponentList

The currently selected text indicator can be a IDataRenderer component that you can specify in code.

I couldn’t wait to show it to people before cleaning the code … so here it is. Without code. But I’ll release the source to the public once I clean it up and fix a few bugs.

Things I still need to do:

• Allow custom renderer for non-selected item
• Fix scrolling issues
• Looks like I’m missing the ability to highlight items towards the very end of the text
• Simplify so it can be used as a component. Currently needs a few lines of AS code to get working

Some notable features:

• You are passed the text formats of the text fragment match so that you can render the text in the selected indicator exactly as it looks on the original text.
• You can pass a custom selected text renderer. Notice it has animations as you click for the next find

There is another version that works on an HTML control in AIR. There’s a problem with that, however, when the text match wraps; I can’t figure out a way to find the coordinates of the start of text that’s been wrapped to the next line.

I was recently invited to the Microsoft Technology Summit, a two days worth of sessions on MS technologies. My guess for why I was invited is because I run the Los Angeles Flex Users Group. I looked around for criteria for invitees and found a blog post here:

“The event is specifically for people other than Microsoft fanboys… they want to have a dialogue with influential members of the developer community outside of their comfort zone to see what we can learn from each other..”

The sessions cover specific technologies like ASP.NET MVC, to Silverlight, to IIS, to robotics and the projects under Microsoft Research.  There also will be a few presentations by attendees. The summit begins on Wednesday, March 26, and I’ll be blogging about it here and chatting it live at the Flex chat room at chatopica: http://www.chatopica.com/topics/flex/

This is a quick utility class I came up with that will keep track of a set of Validators and change a bindable property to true if all of the validators it tracks are valid and false if any of the validators is invalid.

I wanted this so I could quickly say something like:

<mx:Button label=”OK” enabled=”{compositeValidator.valid}” />

Here’s how to use it:

<validators:CompositeValidator id=”compositeValidator”>
<validators:validators>
<mx:StringValidator … />
<mx:EmailValidator … />
</validators:validators>
</validators:CompositeValidator>

<mx:Button …. enabled=”{compositeValidator.valid}” />

To get the source just right click on it and select “View Source …”

I’ve been trying to figure out how to use Acegi security with BlazeDS, hopefully working it in with Spring MVC and this is what I ended up with. If anyone has other suggestions please let me know. This is a topic that really needs discussing.

The way you secure a destination in BlazeDS is you configure a <security-constraint> on the destination, and you specify the roles that are allowed to access the destination and, optionally, a list of methods on the destination that the authenticated user can invoke.

You then specify a LoginCommand which is specific to your servlet container. The job is this guy is to check the user’s credentials and log the user into the Servlet Container if the user is not logged in.

If you introduce Acegi into the mix, you suddenly have to deal with Spring specific authentication and authorization. At first I thought that I would have to write my own LoginCommand and maybe other stuff.

I decided to go with the lowest impact change possible.

First, I created a SpringFactory for my destinations, as described in Cristophe Coenraets blogs post Using Flex with Spring.

Next, instead of securing my destinations in the BlazeDS configuration files I created a BeanNameAutoProxyCreator and added my destinations, and passed it a securityInterceptor which lists the methods and roles that are allowed to access them. I also configured the web security interceptor filter chain and made sure that /messagebroker/** matched the chain. This should be the case if your filterInvocationDefinitionSource has /** as the path. What this means is that calls to /messagebroker/**, which is the url that a Flex app uses when talking to BlazeDS, pass through Spring’s security filter chain and have a chance to have the Authentication principal added to the context.

I setup simple Basic Authentication to avoid dealing with forms and login, for the moment.

I created a SampleService bean with two methods:

public class SampleService {
  private String name;  public String getName() {
     return name;
  }

  public void setName(String name) {
     this.name = name;
  }  

  public String getSecureName()
  {
      return "secure: " + name;
  }
}

As I mentioned above, I added my destination bean to the autoProxyCreator:

<bean id="autoProxyCreator" ... >
  <property name="interceptorNames">
   ...

    <value>securityInterceptor</value>...
  <property name="beanNames">
  ...

    <value>sampleService</value>
  ...
</bean>

Configured the SecurityInterceptor to intercept calls to the getSecureName method.

<bean id="securityInterceptor">
  ...
  <property name="objectDefinitionSource">
     <value>com.machine501.bdss.SampleService.getSecureName=ROLE_ADMIN</value>
  ...
</bean>

Then, I created a Flex client with a remote object pointing to my secure destination:

  sampleServiceRO = new RemoteObject("sampleService");

and created two buttons, one to execute sampleServiceRO.getName() and the other to execute sampleServiceRO.getSecureName(). Please note that I configured the RemoteObject manually instead of relying on specifying services-config.xml in the Flex compiler. Doing this is relatively easy:

  var channel:AMFChannel = new AMFChannel();
  channel.url = "http://localhost:8080/blazeds-spring/messagebroker/amf";
  cs = new ChannelSet();
  cs.addChannel(channel);
  sampleServiceRO = new RemoteObject("sampleService");
  sampleServiceRO.channelSet = cs;

Once all that’s setup and the servlet container is running, hit the non-secure method and you’ll get a reply. Hit the secure method and you’ll get a service fault, as you should, because you’re not logged in. Next hit an url that requires the ROLE_ADMIN and log in when the BasicAuth box pops up. Now hit the secure method again and you should get a response.

There’s are some issues that I see here:

1) If you’re using BasicAuth and you hit a secured destination you won’t get the BasicAuth dialog box automatically, you have to go to a URL, get the box, then hit the original method again.

2) You’re bypassing LoginCommand and the BlazeDS security model. I’m not completely sure if this is wise. For example, what happens when I use DataService destinations with RTMP? When does authentication happen?

3) You can’t pass credentials with setCredentials or setRemoteCredentials. You have to log in some other way.

I’d like to hear how others have handled this.

Just a quick note on SQLite in AIR and slow writes: using transactions will speed up multiple inserts/updates.

haven’t had a chance to do any performance tuning or testing when using SQLite in AIR.  But just today I finished writing some tests for writing some stuff into a SQL db and noticed that the writes were slow.  I created a little benchmark test project that wrote 55 records total over two tables with a  total of 4 columns of NUMERIC type for each table … nothing fancy.   This is obviously not a thorough analysis and just something quick and dirty, but just writing those 55 records took almost 30 seconds on average.  That’s way too slow.  Specially since I am not using any of the async methods, such a slow write speed will lock up your Flex interface.

Once I wrapped the saves in one transaction the speed went down to an average .4 seconds because the data is committed in one big chunk when you call commit.

There may be other ways to increase the speed. I’ll have to investigate this later. .4 seconds will probably still be too noticeable a hiccup on the interface so I’ll be changing my data store to use async methods.

Just thought I’d put it out there.

Also, if you have an table with an INTEGER PRIMARY KEY AUTOINCREMENT and you keep getting an error that says “Unable to convert Text value to Numeric value” or something to that effect make sure you’ve upgraded to the engineering drop of FB3 from January 14th, 2008.  Apparently that’s a bug in the version before that, but I didn’t find it on the Adobe bug db.

With the recent news about Google possibly using Adobe’s Search SDK to index text in swfs I thought I’d post a quick howto for downloading the sdk and testing out your swfs to see what they look like to the link extractor.

First, download the SDK:

http://www.adobe.com/licensing/developer/

Scroll down to where it says “SEARCH ENGINE SDK”

Click on “Begin the licensing process for the Search Engine SDK” (or click here http://www.adobe.com/cfusion/entitlement/index.cfm?e=search_sdk)

Follow the instructions for signing up and wait for an email.  Once you receive an email it will tell you where to download the sdk.   Download the zip file.  If you’re on windows, extract it to your hard drive.

Use your command line to navigate to this location. I put mine on c:\work\search_sdk\

go into the “windows” directory in that folder: c:\work\search_sdk\windows

Type:

swf2html [name of swf you want to index]

you’ll see an a bunch of HTML showing you links and text in the swf.  Read the README.html file in the archive to find out what exactly the SDK indexes.

I haven’t tried this on linux and I don’t know if it compiles on OSX.

A new site dedicated to everything RIA by O’Reilly, with posts from people like Rich Tretola of EverythingFlex.com,  Andre Charland from Nitobi, Andre Trice from Cynergy Systems, and many others.

http://www.insideria.com/

There’s already some good leads there like a post about Google possibly using Adobe’s Search SDK to index swfs.

http://weblogs.macromedia.com/jd/archives/2008/01/google_swf_sdk.cfm