STRATEGIES:
Though Spring Security provides tools to integrate LDAP, a seamless integration of ActiveDirectory in a web application using spring security is still a pain. I recently came across this problem and after some research found Waffle Security the best tool for this job. I had to modify the source code to customize the solution based on my requirements. Here’s a writeup of my findings:

Spring Security LDAP
* Spring LDAP Security Reference
* Spring uses ActiveDirectoryLdapAuthenticationProvider, which delegates the work to LdapAuthenticator and LdapAuthoritiesPopulator which are responsible for authenticating the user and retrieving the user’s set of GrantedAuthoritys respectively.UserDetails can be populated using DefaultLdapAuthoritiesPopulator.
* A local LDAP instance can be easily setup (and tested) in a web app.
* You must update ldap properties in users.ldif (sample ldap user info) for authentication/authorization to work. However this doesn’t work as a single-sign on environment, since additional filters need to be written.

Hence this approach was not suited for a single-sign-on requirement.

Tomcat 7 integration
* Not sure how Tomcat integration is useful since configuring Realms and other server settings is an additional step outside of the App. Each environment has to ensure these settings exist, which means local development and test, stage, prod configuration grow exponentially. Also, the authentication object should to be populated in Spring’s context (ie., the application’s context). This leads to Spring being aware of Tomcat’s Realms and settings + the web app supporting Tomcat’s authentication (SPNEGO) etc.,
* Tomcat integration is geared towards plain servlet apps.

Due to the above reasons I didn’t find this solution extensible.

Spring Security Kerberos/SPNEGO Extension
* For Kerberos (unix or windows) based, client based (browser) authentication, this extension from Spring is apt
* You need some knowledge on the server side (setup kerberos etc.,) so this may not be an “out of the box” solution
* Reference example is here

Ideally this solution would’ve been great but at the point of this writing (to my findings), this solution doesn’t integrate with Active Directory on NTLM.

Kerberos + NTLM with Waffle Filter support with Spring Security
* More flexible than the above example since it supports both Kerberos and Windows NTLM. Waffle will allow you to get rid of IIS (as a pass through) as well. Unlike many other implementations WAFFLE on Windows does not usually require any server-side Kerberos keytab setup, it’s a drop-in solution.
* Integrates well with Spring Security
* Project Site is here.
* Reference example is here.
* Was able to get this working with custom classes that extend Waffle’s filter and custom Authentication object. WORKS as a single-sign within a corporate network and roles are correctly mapped into granted authorities.

Implementation Summary
* The above reference example provided by Waffle is a good start, however that code also assumes authorization loaded from ActiveDirectory. In order to customize authorization, you must extend waffle.spring.NegotiateSecurityFilter. Since Waffle doesn’t open up api to override (Duh#TemplatePatternWouldBeSoNice), I had to copy its implementation and make changes myself.

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.context.SecurityContextHolder;
import waffle.servlet.WindowsPrincipal;
import waffle.spring.NegotiateSecurityFilter;
import waffle.util.AuthorizationHeader;
import waffle.windows.auth.IWindowsIdentity;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Custom Authentication Filter extending Waffle's built-in Filter.
 * Loads User Roles from Db and uses custom AuthenticationToken.
 * For the most part its same as NegotiateSecurityFilter. See #Note below for the key difference
 */
public class CustomAuthenticationFilter extends NegotiateSecurityFilter {

    Logger logger = LoggerFactory.getLogger(CustomAuthenticationFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        logger.info(request.getMethod() + " " + request.getRequestURI() + ", contentlength: " + request.getContentLength());
        AuthorizationHeader authorizationHeader = new AuthorizationHeader(request);

        // authenticate user
        if (!authorizationHeader.isNull()
                && getProvider().isSecurityPackageSupported(authorizationHeader.getSecurityPackage())) {

            // log the user in using the token
            IWindowsIdentity windowsIdentity = null;

            try {
                windowsIdentity = getProvider().doFilter(request, response);
                if (windowsIdentity == null) {
                    return;
                }
            } catch (Exception e) {
                logger.warn("error logging in user: " + e.getMessage());
                sendUnauthorized(response, true);
                return;
            }

            if (!getAllowGuestLogin() && windowsIdentity.isGuest()) {
                logger.warn("guest login disabled: " + windowsIdentity.getFqn());
                sendUnauthorized(response, true);
                return;
            }

            try {
                logger.debug("logged in user: " + windowsIdentity.getFqn() +
                        " (" + windowsIdentity.getSidString() + ")");
                WindowsPrincipal principal = new WindowsPrincipal(
                        windowsIdentity, getPrincipalFormat(), getRoleFormat());
                logger.debug("roles: " + principal.getRolesString());

                /// NOTE: This is where you customize auth. You'd need your own token and initialization mechanism different from
                /// Waffle's built in token implementation
                // Populate Authentication Token along with GrantedAuthorities
                CustomAuthenticationToken authentication = new CustomAuthenticationToken(principal);
                SecurityContextHolder.getContext().setAuthentication(authentication);
                logger.info("successfully logged in user: " + windowsIdentity.getFqn());
            } finally {
                windowsIdentity.dispose();
            }
        }

        chain.doFilter(request, response);
    }

    /**
     * Send a 401 Unauthorized along with protocol authentication headers.
     *
     * @param response HTTP Response
     * @param close    Close connection.
     */
    private void sendUnauthorized(HttpServletResponse response, boolean close) {
        try {
            getProvider().sendUnauthorized(response);
            if (close) {
                response.setHeader("Connection", "close");
            } else {
                response.setHeader("Connection", "keep-alive");
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            response.flushBuffer();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

Here’s the custom Authentication Token:

import xxx.domain.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import waffle.servlet.WindowsPrincipal;

import java.util.Collection;
import java.util.List;

/**
 * Custom Authentication Token to comply with custom Waffle Authentication mechanism.
 * Variation of Waffle's WindowsAuthenticationToken. See #Note below
 */
public class CustomAuthenticationToken implements Authentication {

    Logger logger = LoggerFactory.getLogger(CustomAuthenticationToken.class);

    private static final long serialVersionUID = 1L;
    private WindowsPrincipal windowsPrincipal = null;
    private org.springframework.security.core.userdetails.User principal = null;
    private Collection<GrantedAuthority> authorities = null;

    // Move this to a config
    public static final String MY_DOMAIN = "<your corporate domain>";

    /**
     * Constructor that fully initializes the principal
     *
     * @param windowsPrincipal windows principal
     */
    public CustomAuthenticationToken(WindowsPrincipal windowsPrincipal) {
        this.windowsPrincipal = windowsPrincipal;
        // Strip domainName in <domainName>\\username to get mapped username in App
        String username = windowsPrincipal.getName().substring(MY_DOMAIN.length()+1);
        logger.debug("App Login Info derived from ActiveDirectory: " + username);

        // Load roles
        Collection<GrantedAuthority> authorities = loadAuthorities(username);

        // Create UserDetails object
        this.principal = new org.springframework.security.core.userdetails.User(username, "", true, true,
                true, true, authorities);
    }

    /**
     * Loads granted authorities by looking up User=>Roles.
     * Throws UsernameNotFoundException if principal isn't mapped mapped to Db
     * @return
     */
    private Collection<GrantedAuthority> loadAuthorities(String username) {

        // Match User Account from Db
        User account = null;
        try {
            // NOTE: I Use Spring Roo's inbuilt finder but you can easily replace the below code by JDBC/JPA/Hibernate Dao or Service
            account = User.findUserByName(username);
        }
        catch (Exception e) {
            logger.info("A unique account " + username + " could not be found: " + e.getMessage());
            throw new UsernameNotFoundException("A unique account " + username + " could not be found");
        }

        // Load User Roles
        List<String> roles = account.getRoleNames();
        logger.debug("Loaded Roles from Database: " + roles.toString());
        Collection<GrantedAuthority> grantedAuthorities = toGrantedAuthorities(roles);
        this.authorities = grantedAuthorities;
        return authorities;
    }

    @Override
    public Collection<GrantedAuthority> getAuthorities() {
        return authorities;
    }

    public Object getCredentials() {
        return null;
    }

    public Object getDetails() {
        return windowsPrincipal;
    }

    public Object getPrincipal() {
        return principal;
    }

    public boolean isAuthenticated() {
        return (principal != null);
    }

    public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
        throw new IllegalArgumentException();
    }

    public String getName() {
        return principal.getUsername();
    }

    private static Collection<GrantedAuthority> toGrantedAuthorities(List<String> roles) {
        List<GrantedAuthority> result = new ArrayList<GrantedAuthority>();

        for (String role : roles) {
            result.add(new GrantedAuthorityImpl(role));
        }

        return result;
    }
}

And here’s the Spring Config (very similar to the Waffle’s reference example):

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />

    <!-- Windows authentication provider -->
    <bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl"/>

    <!-- Collection of security filters -->
    <bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider"/>
    </bean>
    <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider"/>
    </bean>

    <bean id="waffleSecurityFilterProviderCollection" class="waffle.servlet.spi.SecurityFilterProviderCollection">
        <constructor-arg>
            <list>
                <ref bean="negotiateSecurityFilterProvider"/>
                <ref bean="basicSecurityFilterProvider"/>
            </list>
        </constructor-arg>
    </bean>

    <bean id="negotiateSecurityFilterEntryPoint" class="waffle.spring.NegotiateSecurityFilterEntryPoint">
        <property name="provider" ref="waffleSecurityFilterProviderCollection"/>
    </bean>

    <!-- Waffle authentication provider -->
    <sec:authentication-manager alias="authenticationProvider"/>

    <!-- Custom Authentication Filter -->
    <bean id="waffleNegotiateSecurityFilter" class="xxx.CustomAuthenticationFilter">
        <property name="provider" ref="waffleSecurityFilterProviderCollection"/>
        <property name="allowGuestLogin" value="false"/>
        <property name="principalFormat" value="fqn"/>
        <property name="roleFormat" value="both"/>
    </bean>

    <!-- Core config-->
    <sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
        <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER"/>

        <sec:logout logout-url="/app/logout" logout-success-url="/app/home"/>
        <sec:access-denied-handler error-page="/app/accessdenied"/>

        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <sec:intercept-url pattern="/app/resource/*" filters="none"/>
        <sec:intercept-url pattern="/app/javax.*/**" filters="none"/>
    </sec:http>

</beans>

That’s it.

The above spring config is loaded via web.xml, along with other spring contexts.

Now when user tries to access the application url, CustomAuthenticationFilter correctly recognizes the authenticated Windows user and redirects to app home page. Yes it’s a single-sign-on!

To simplify testing, I’d recommended having a “Spring-LDAP-security” for dev and switch to Waffle Filter for prod environments.

Source Structure
- src/main/resources/sample.xsd
- src/main/resources/binding/binding.xjb

<bindings xmlns="http://java.sun.com/xml/ns/jaxb" version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <globalBindings>
    <javaType name="java.util.Calendar" xmlType="xs:date"
      parseMethod="javax.xml.bind.DatatypeConverter.parseDate"
      printMethod="javax.xml.bind.DatatypeConverter.printDate"
    />
  </globalBindings>
</bindings>

- Finally, integrate jaxb compile and generate step via pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <artifactId>common-xml-schema</artifactId>
    <packaging>jar</packaging>
    <name>Common Schema and JaxB Module</name>

    <description>Common Module to hold all XML Schemas and JaxB objects</description>
    <dependencies>
         <dependency>
            <groupId>javax.xml.bind</groupId>
            <artifactId>jaxb-api</artifactId>
            <version>2.2.2</version>
        </dependency>
        <dependency>
            <groupId>com.sun.xml.bind</groupId>
            <artifactId>jaxb-impl</artifactId>
            <version>2.2.4</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <!-- It's advised not to checkin the generated classes. By default they are generated in target/generated-sources with xmlns namespace provided
            in xsd. If you need the sources to be generated uncomment the below.
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>jaxb2-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>xjc</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <packagename>xxx.schema</packagename>
                    <schemaDirectory>${basedir}/src/main/resources</schemaDirectory>
                    <outputdirectory>${basedir}/src/main/java/xxx/generated</outputdirectory>
                </configuration>
            </plugin>
            -->

            <plugin>
                <groupId>org.jvnet.jaxb2.maven2</groupId>
                <artifactId>maven-jaxb2-plugin</artifactId>

                <configuration>
                    <extension>true</extension>
                    <args>
                        <arg>-Xfluent-api</arg>
                    </args>
                    <plugins>
                        <plugin>
                            <groupId>net.java.dev.jaxb2-commons</groupId>
                            <artifactId>jaxb-fluent-api</artifactId>
                            <version>2.1.8</version>
                        </plugin>
                    </plugins>
                    <bindingDirectory>src/main/resources/binding</bindingDirectory>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>generate</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

</project>

I like to see logged in user, along with session-id info in logging messages in applications, where analyzing secure operations becomes critical (healthcare, financial apps).

Here’s a sample filter log4j’s MDC to add diagnostic context in log messages.

package com.cramer.srf.web.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.MDC;

import com.cramer.srf.util.SRFUtils;

/**
 * Filter that adds user session info in log4j MDC (Mapped Diagnoistic Context)
 *
 */
public class Log4jSessionFilter implements Filter {

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain filterChain) throws IOException, ServletException {
		if (request instanceof HttpServletRequest) {
			if (SRFUtils.getLoggedUser() != null) {
			    MDC.put("user", SRFUtils.getLoggedUser());
			}
		}
		filterChain.doFilter(request, response);
	}

	@Override
	public void destroy() {
		// NO OP
	}

	@Override
	public void init(FilterConfig arg0) throws ServletException {
		// NO OP
	}
}

The corresponding log4j file. Note ‘[%X{user}]‘ in the ConversionPattern below.

<!-- File appender -->
<appender name="FILE" class="org.apache.log4j.DailyRollingFileAppender">
    <param name="File" value="logs/rx.log" />
    <param name="Append" value="true"
    <param name="DatePattern" value="'.'yyyy-ww" />
    <layout class="org.apache.log4j.PatternLayout">
        <param name="ConversionPattern" value="%d{ISO8601}  %-5p [%X{user}] [%t:%X{SESSION}] %c - %m%n" />
    </layout>
</appender>

sudo apt-get install wordnet

Then simply type:

wn hello -over

You should see output similar to this:

Overview of noun hello

The noun hello has 1 sense (first 1 from tagged texts)

1. (1) hello, hullo, hi, howdy, how-do-you-do — (an expression of greeting; “every morning they exchanged polite hellos”)

That’s all well and good, until I typed this:

wn smote -over

And came up empty. Indeed WordNet is useful but it is limited. There are 2 solutions that immediately came to mind.

1. Figure out how to get more definitions loaded into my instance of WordNet
2. Find a dictionary service that is much more comprehensive than WordNet, and write a client for it

After a couple of quick Google searches I decided on the latter. And, since I’ve been doing a fair amount of Grails work lately, I thought, why not try this in Groovy?

One of those Google searches brought me to http://services.aonaware.com/DictService/. After a few trials with the simple front-end on the page, I was satisfied. Then it was time to find a Groovy example, which I found quickly enough with Groovy WS.

If you look at the code snippet on that page, it is incredibly simple.

@Grab(group='org.codehaus.groovy.modules', module='groovyws', version='0.5.2')
import groovyx.net.ws.WSClient

proxy = new WSClient("http://www.w3schools.com/webservices/tempconvert.asmx?WSDL", this.class.classLoader)
proxy.initialize()

result = proxy.CelsiusToFahrenheit(0)
println "You are probably freezing at ${result} degrees Farhenheit"

I tried this example as is, but seemed to have problems with the annotation at the top. Being rather impatient, I found a Groovy WS Standalone jar here at:
http://snapshots.dist.codehaus.org/groovy/distributions/groovyws/groovyws-standalone-0.5-SNAPSHOT.jar

I dropped it into my $GROOVY_HOME/lib directory, and then removed the annotation from the code. The example worked perfectly.

So, using the WSDL from the service I mentioned earlier, I made a few modifications and named it Pablo.groovy. Why Pablo? Why not? When speed counts, who cares?!

import groovyx.net.ws.WSClient

proxy = new WSClient("http://services.aonaware.com/DictService/DictService.asmx?WSDL", this.class.classLoader)
proxy.initialize()

//Define is a name of the service method, see the service WSDL
result = proxy.Define(args[0])

if(result != null) {
	for(defin in result.definitions.definition) {
		println "${defin.wordDefinition}"
	}
}

I needed to analyze the WSDL to figure out how to interpret the results, but other than that, it was a pleasantly pain-free experience.

Now I type:

groovy Pablo.groovy smote

And I get a much more satisfying result, save the logging garbage at the top!

Jul 18, 2011 5:11:29 PM org.apache.cxf.endpoint.dynamic.DynamicClientFactory outputDebug
INFO: Created classes: com.aonaware.services.webservices.ArrayOfDefinition, com.aonaware.services.webservices.ArrayOfDictionary, com.aonaware.services.webservices.ArrayOfDictionaryWord, com.aonaware.services.webservices.ArrayOfStrategy, com.aonaware.services.webservices.Define, com.aonaware.services.webservices.DefineInDict, com.aonaware.services.webservices.DefineInDictResponse, com.aonaware.services.webservices.DefineResponse, com.aonaware.services.webservices.Definition, com.aonaware.services.webservices.Dictionary, com.aonaware.services.webservices.DictionaryInfo, com.aonaware.services.webservices.DictionaryInfoResponse, com.aonaware.services.webservices.DictionaryList, com.aonaware.services.webservices.DictionaryListExtended, com.aonaware.services.webservices.DictionaryListExtendedResponse, com.aonaware.services.webservices.DictionaryListResponse, com.aonaware.services.webservices.DictionaryWord, com.aonaware.services.webservices.Match, com.aonaware.services.webservices.MatchInDict, com.aonaware.services.webservices.MatchInDictResponse, com.aonaware.services.webservices.MatchResponse, com.aonaware.services.webservices.ObjectFactory, com.aonaware.services.webservices.ServerInfo, com.aonaware.services.webservices.ServerInfoResponse, com.aonaware.services.webservices.Strategy, com.aonaware.services.webservices.StrategyList, com.aonaware.services.webservices.StrategyListResponse, com.aonaware.services.webservices.WordDefinition
Jul 18, 2011 5:11:30 PM groovyx.net.ws.AbstractCXFWSClient getBindingOperationInfo
WARNING: Using SOAP version: 1.1
Smite \Smite\ (sm[imac]t), v. t. [imp. {Smote} (sm[=o]t), rarely
{Smit} (sm[i^]t); p. p. {Smitten} (sm[i^]t”t’n), rarely
{Smit}, or {Smote}; p. pr. & vb. n. {Smiting}
(sm[imac]t”[i^]ng).] [AS. sm[=i]tan to smite, to soil,
pollute; akin to OFries. sm[=i]ta to smite, LG. smiten, D.
smijten, G. schmeissen, OHG. sm[=i]zan to smear, stroke, OSw.
& dial. Sw. smita to smite, Dan. smide to throw, Goth.
bismeitan, to anoint, besmear; cf. Skr. m[=e]d to be fat. The
original sense seems to have been, to daub on, to smear. Cf.
{Smut}.]
1. To strike; to inflict a blow upon with the hand, or with
any instrument held in the hand, or with a missile thrown
by the hand; as, to smite with the fist, with a rod,
sword, spear, or stone.
[1913 Webster]

Now to smote the logging and be rid of it; simply adding these few lines will do:

import java.util.logging.Level
import java.util.logging.LogManager

LogManager.getLogManager().getLogger("").setLevel(Level.SEVERE)

Now the output is as tidy as I want it to be for now.

$ groovy Pablo.groovy smote
Smite \Smite\ (sm[imac]t), v. t. [imp. {Smote} (sm[=o]t), rarely
{Smit} (sm[i^]t); p. p. {Smitten} (sm[i^]t”t’n), rarely
{Smit}, or {Smote}; p. pr. & vb. n. {Smiting}
(sm[imac]t”[i^]ng).] [AS. sm[=i]tan to smite, to soil,
pollute; akin to OFries. sm[=i]ta to smite, LG. smiten, D.
smijten, G. schmeissen, OHG. sm[=i]zan to smear, stroke, OSw.
& dial. Sw. smita to smite, Dan. smide to throw, Goth.
bismeitan, to anoint, besmear; cf. Skr. m[=e]d to be fat. The
original sense seems to have been, to daub on, to smear. Cf.
{Smut}.]
1. To strike; to inflict a blow upon with the hand, or with
any instrument held in the hand, or with a missile thrown
by the hand; as, to smite with the fist, with a rod,
sword, spear, or stone.
[1913 Webster]

Whosoever shall smite thee on thy right cheek, turn
to him the other also. –Matt. v. 39.
[1913 Webster]

And David . . . took thence a stone, and slang it,
and smote the Philistine in his forehead. –1 Sam.
xvii. 49.
[1913 Webster]

2. To cause to strike; to use as an instrument in striking or
hurling.
[1913 Webster]

Prophesy, and smite thine hands together. –Ezek.
xxi. 14.
[1913 Webster]

Saul . . . smote the javelin into the wall. –1 Sam.
xix. 10.
[1913 Webster]

3. To destroy the life of by beating, or by weapons of any
kind; to slay by a blow; to kill; as, to smite one with
the sword, or with an arrow or other instrument.
[1913 Webster]

4. To put to rout in battle; to overthrow by war.
[1913 Webster]

5. To blast; to destroy the life or vigor of, as by a stroke
or by some visitation.
[1913 Webster]

The flax and the barly was smitten. –Ex. ix. 31.
[1913 Webster]

6. To afflict; to chasten; to punish.
[1913 Webster]

Let us not mistake God’s goodness, nor imagine,
because he smites us, that we are forsaken by him.
–Wake.
[1913 Webster]

7. To strike or affect with passion, as love or fear.
[1913 Webster]

The charms that smite the simple heart. –Pope.
[1913 Webster]

Smit with the love of sister arts we came. –Pope.
[1913 Webster]

{To smite off}, to cut off.

{To smite out}, to knock out, as a tooth. –Exod. xxi. 27.

{To smite with the tongue}, to reproach or upbraid; to
revile. [Obs.] –Jer. xviii. 18.
[1913 Webster]

Smite \Smite\ (sm[imac]t), v. t. [imp. {Smote} (sm[=o]t), rarely
{Smit} (sm[i^]t); p. p. {Smitten} (sm[i^]t”t’n), rarely
{Smit}, or {Smote}; p. pr. & vb. n. {Smiting}
(sm[imac]t”[i^]ng).] [AS. sm[=i]tan to smite, to soil,
pollute; akin to OFries. sm[=i]ta to smite, LG. smiten, D.
smijten, G. schmeissen, OHG. sm[=i]zan to smear, stroke, OSw.
& dial. Sw. smita to smite, Dan. smide to throw, Goth.
bismeitan, to anoint, besmear; cf. Skr. m[=e]d to be fat. The
original sense seems to have been, to daub on, to smear. Cf.
{Smut}.]
1. To strike; to inflict a blow upon with the hand, or with
any instrument held in the hand, or with a missile thrown
by the hand; as, to smite with the fist, with a rod,
sword, spear, or stone.
[1913 Webster]

Whosoever shall smite thee on thy right cheek, turn
to him the other also. –Matt. v. 39.
[1913 Webster]

And David . . . took thence a stone, and slang it,
and smote the Philistine in his forehead. –1 Sam.
xvii. 49.
[1913 Webster]

2. To cause to strike; to use as an instrument in striking or
hurling.
[1913 Webster]

Prophesy, and smite thine hands together. –Ezek.
xxi. 14.
[1913 Webster]

Saul . . . smote the javelin into the wall. –1 Sam.
xix. 10.
[1913 Webster]

3. To destroy the life of by beating, or by weapons of any
kind; to slay by a blow; to kill; as, to smite one with
the sword, or with an arrow or other instrument.
[1913 Webster]

4. To put to rout in battle; to overthrow by war.
[1913 Webster]

5. To blast; to destroy the life or vigor of, as by a stroke
or by some visitation.
[1913 Webster]

The flax and the barly was smitten. –Ex. ix. 31.
[1913 Webster]

6. To afflict; to chasten; to punish.
[1913 Webster]

Let us not mistake God’s goodness, nor imagine,
because he smites us, that we are forsaken by him.
–Wake.
[1913 Webster]

7. To strike or affect with passion, as love or fear.
[1913 Webster]

The charms that smite the simple heart. –Pope.
[1913 Webster]

Smit with the love of sister arts we came. –Pope.
[1913 Webster]

{To smite off}, to cut off.

{To smite out}, to knock out, as a tooth. –Exod. xxi. 27.

{To smite with the tongue}, to reproach or upbraid; to
revile. [Obs.] –Jer. xviii. 18.
[1913 Webster]

Smote \Smote\,
imp. (& rare p. p.) of {Smite}.
[1913 Webster]

smite
v 1: inflict a heavy blow on, with the hand, a tool, or a weapon
2: affect suddenly with deep feeling; “He was smitten with love
for this young girl”
3: cause pain or suffering in; “afflict with the plague”; “That
debasement of the verbal currency that afflicts terms used
in advertisement” [syn: {afflict}]
[also: {smote}, {smitten}, {smit}]

smote
See {smite}

The results are lengthy, but for right now, it’s all that I want. And nay, I shan’t complain!

It was quick and easy, and as long as I use it less than several thousand times per day, I am operating well within the terms of service.

Till next time!

<openjpa-1.2.2-r422266:898935 fatal user error> org.apache.openjpa.persistence.InvalidStateException: Detected reentrant flush.  Make sure your flush-time instance callback methods or event listeners do not invoke any operations that require the in-progress flush to complete.
	at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:1923)
	at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:1698)
	at org.apache.openjpa.kernel.QueryImpl.isInMemory(QueryImpl.java:956)
	at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:838)
	at org.apache.openjpa.kernel.QueryImpl.execute(QueryImpl.java:779)
	at org.apache.openjpa.kernel.DelegatingQuery.execute(DelegatingQuery.java:525)

This is a tricky exception since the verbose description does not clarify the intent.

The problem:
I had to write my own Auditing since we weren’t using Hibernate (and so no Envers) but openjpa 1.2.2. Don’t ask me why. It’s a big financial company and they like Websphere 7 (which “ships” openjpa 1.2).

A sample “Profile” entity

@Entity
@EntityListeners({ProfileAuditListener.class})
public class Profile implements Serializable {
 ...
}

The standard JPA Entity Listener:

@Named
public class ProfileAuditListener implements ApplicationContextAware {
        private ProfileAuditDao auditDao;

	@PostUpdate
	@Transactional
	public void postUpdate(Profile newProfile) {
	    ProfileAudit audit = new ProfileAudit();
	    ...
    	    ...
   	    Profile oldProfile = profileDao.read(newProfile.getEmail());
            // InvalidStateException thrown above
            ...
            // Compare field by field for editable fields
	    ...	

	    auditDao.audit(audit);
	}
}

A simple Dao

@Repository("profileDao")
public class JPAProfileDao implements ProfileDao {

	@Transactional(readOnly = true)
	public Profile read(String email) {
		List<Profile> profiles = em.createNamedQuery("findByEmail").setParameter("email", email);
		if (profiles.size() != 0) {
			return profiles.get(0);
		}
		return null;
	}
}

As you can see, nothing fancy here. An Audit interceptor trying to see the difference in ‘Profile’ properties just after updated the entity in db. However an exception is thrown where I execute a read-only Transactional query.

Explanation:
The exception indicates that the event listener might be executing a flush accidentally from another operation and OpenJPA doesnt allow a flush to occur during a flush. Wait, a flush? But I’m not flushing anywhere, in fact — I think it’s all default flushing.

That’s the catch. The default querying in openjpa is FlushModeType.AUTO and that causes a flush to occur even if it’s a @Transactional(readOnly=true)

Solution:
set the flush mode to FlushModeType.COMMIT on that particular query.

You can also set a system wide property like setting false flushBeforeQueries = true in persistence.xml but I wouldn’t recommend that unless you want this behavior explicitly. For instance, my unit tests needed the auto flush to work since I persist and read in the same transaction (Spring Transactional tests).

In general, your use case might be different from mine but the underlying concept is same. Look for the accidental flushes from openjpa. If in doubt, always tune up the DEBUG logging.

Traditional examples provide a List mocking example or foo/bar example which I find it mostly annoying since it doesn’t teach you how to solve real problems. And the documentation is verbose and crams with unnecessary features confusing us further. In this tutorial, I’ll dive straight into a relevant example of mock testing Daos in Service layer. I’m not a big fan of Daos anymore (after the advent of JPA), however for the purposes of this tutorial, it’ll be easier to explain.

Consider a Profile entity (like facebook user profile) with daos/services: ProfileDao/JPAProfileDao, ProfileService/ProfileServiceImpl. To complicate things further, say you are using DTOs since it’s a client server app with a GWT front end. You might need a simple mapper class. Let’s call it ProfileMapper/ProfileMapperImpl.

@Service("profileService")
public class ProfileServiceImpl implements ProfileService {
	private final ProfileDao profileDao;
	private final ProfileMapper profileMapper;

	@Inject
	public ProfileServiceImpl(final ProfileDao profileDao, final ProfileMapper profileMapper) {
		this.profileDao = profileDao;
		this.profileMapper = profileMapper;
	}

	@Transactional
	public void create(ProfileDto profile) throws DuplicateProfileException {
		if (profile == null) {
			throw new IllegalArgumentException("profile cannot be null.");
		}

		Profile profile = profileMapper.toEntity(profile);
		// set default state as active
		profile .setIsActive(true);

		try {
			profileDao.save(profile);
		}
		catch (DuplicateKeyException e) {
			logger.warn("Unable to save profile with userId: " + profile.getUserId() + " already exists.");
			throw new DuplicateProfileException();
		}
		logger.debug("Profile saved successfully.");
	}

	@Transactional(readOnly = true)
	public ProfileDto read(String userId) throws InvalidProfileException {
		validateProfileInfo(userId);

		ProfileDto profileDto = null;
		Profile profile = profileDao.read(userId);
		if (profile != null) {
			profileDto = profileMapper.fromEntity(profile);
			logger.debug("Profile retrieved successfully.");
		}
		else {
			logger.debug("...");
		}
		return profileDto;
	}

	...
}

Now, in order to test ProfileService, you need to mock out ProfileMapper and ProfileDao, right? Let’s see how we do this in a simple JUnit 4.4+ test.

import static org.mockito.Mockito.*;

@RunWith(MockitoJUnitRunner.class)
public class ProfileServiceTest {

	@Mock
	ProfileDao profileDao;

	@Mock
	ProfileMapper profileMapper;

	// Can't use @InjectMocks because Mockito doesn't support constructor injection
	// As a workaround use @Before below to initialize service with stubs
	ProfileService profileService;

	@Before
	public void init() {
		profileService = new ProfileServiceImpl(profileDao, profileMapper);
	}

	@Test
	public void testRead() throws InvalidProfileException {
		// Simulate InvalidProfileException
		try {
			profileService.read("");
			fail(); // should never execute
		}
		catch (InvalidProfileException e) {
			e.getMessage(); // expected
		}

		// Given
		Profile profile = TestData.createTestProfile("userid"); // test utility to create a test Profile
		when(profileDao.read("userid")).thenReturn(profile);
		when(profileMapper.fromEntity(profile )).thenReturn(TestData.createTestProfileDto("userid"));

		// When
		ProfileDto dto = profileService.read("userid");

		// Then
		assertEquals(dto.getUserId(), "userid");
	}
}

Explanation:
1) Wrapping your test with @RunWith(MockitoJUnitRunner.class) helps create the mock initialization through annotation scanning (@Mock, @InjectMocks)
2) Add @Mock annotations for the components to mock. In this case profileDao, profileMapper
3) As of 1.8.5, Mockito doesn’t provide @InjectMock with construction injection. @Before test initializer is a workaround to inject ProfileService with mocks. Note that this will not be required if ProfileService has setter/getter injection of dependencies. However, I prefer JSR330 construction injection which is a best practice .
4) The actual @Test class with mockito stubs. Let’s dig deep into this.

As a template, it’s a good practice to view tests like a BDD style test.

// Given 

// When

// Then

The above template forces you to think on the explicit conditions during which we run our unit test.

Next, we need to figure out a way to stub our mock component’s methods,

when(operation).thenReturn(object)

In our example we want to mock profileDao.read(userId). So that translates to

when(profileDao.read("userid")).thenReturn(profile);

Note that we’re letting the mocked dao return a profile object that we just created in the previous step. This will be 50% of most of your mocking use cases.

The next common used use case is to simulate exceptions from the mocked classes. Consider a test for create(…) that simulates the DuplicateProfileException.

@Test
	public void testCreateDuplicate() {
		// Given
		ProfileDto dto = TestData.createTestProfileDto("userid");
		Profile profile = TestData.createTestProfile("userid");
		when(profileMapper.toEntity(dto)).thenReturn(profile);
		doThrow(new DuplicateKeyException("duplicate profile")).when(profileDao).save(profile);

		// When
		try {
			profileService.create(dto);
			assertEquals(1, 2); // should never execute
		}
		// Then
		catch (DuplicateProfileException e) {
			e.getMessage();
		}
	}

Notice the line

doThrow(new DuplicateKeyException("duplicate profile")).when(profileDao).save(profile);

Quite simple, isn’t it?

If you’ve read so far, you can succuessfully write mock unit tests for 80% of your use cases. There are other advanced features like finding redundant invocations, spying on objects to simulate partial mocking, most of which I don’t see implementing for majority of my use cases.

To get started, you don’t need to add much more to your .emacs than this:

(add-to-list 'load-path "~/.emacs.d/vendor/org-7.5/lisp")

(add-to-list 'auto-mode-alist '("\\.org$" . org-mode))

I recently discovered org2blog, a means of publishing blog posts to wordpress from within org mode. I guess it’s now technically org2blog/wp, so as not to be confused with another org2blog for blogger, but whatever.

I added this for org2blog:

(require 'org2blog-autoloads)

(setq org2blog/wp-blog-alist
      '(("wordpress"
         :url "http://myblog.com/xmlrpc.php"
         :username "username"
         :default-categories ("emacs"))))
(setq org2blog/wp-use-tags-as-categories t)

wordpress above is the name of the entry, you’ll use it later.

And lastly, because I work behind a strict firewall, my proxy info:

 (setq url-proxy-services '(("http" . "my.awesome.proxy:8081"))) 

To get started, I’d recommended reading the instructions on the github page, but quickly:

1. Login- M-x org2blog/wp-login. It will prompt you for the entry, and then your password.
2. M-x org2blog/wp-new-entry. Give your post a title, write something.
3. C-c d to post buffer as draft. It will prompt you to preview in a browser. Do that.
4. C-c p publish away!

To extend this example, I wanted to use git and my github account. I can do this because github was nice enough to have port 443 available for ssh.

Like in my example before, I created a config entry for github:

host gh
     user git
     hostname ssh.github.com
     port 443
     proxycommand corkscrew my.http.proxy 8081 %h %p ~/.ssh/proxyauth

From there it’s really easy:

> git clone gh:jeffhemminger/dot-emacs.git

In such situations it’s common that you’ll be provided with an http-proxy, and this can be used if necessary to tunnel SSH.

I’ve recently had to do this, and this is how I did it, after installing corkscrew:

Create a config file in ~/.ssh

host myremoteserver
    user username
    hostname my.remote.domain
    port 443
    proxycommand corkscrew my.http.proxy 8081 %h %p ~/.ssh/proxyauth

Create an auth file containing your proxy username and password (I added mine to ~/.ssh/proxyauth in the above example)

username:password

Now, to ssh to the remote server:

ssh myremoteserver

Natural key
- business requirements changes, then you have to change the natural key
- not easy to index an alphanumeric or String value
- can’t expose the natural key to end users who can then guess the business key and use for querying undesireable data
- you can’t rename the type without changing everything
- If using strings, joins are a bit slower as compared to the int data-type joins, storage is more as well. Since storage is more, less data-values get stored per index page. Also, reading strings is a two step process in some RDBMS: one to get the actual length of the string and second to actually perform the read operation to get the value.
- Locking contentions can arise if using application driven generation mechanism for the key.
- Can’t enter a record until value is known since the value has some meaning.

Surrogate key
- A surrogate key is immune to changes in business. In addition, the key depends on only one field, so it’s compact. The auto-incrementing field provides a unique, stable, and compact primary key.
- Business Logic is not in the keys.
- Small 4-byte key (the surrogate key will most likely be an integer and SQL Server for example requires only 4 bytes to store it, if a bigint, then 8 bytes).
- Joins are very fast.
- No locking contentions because of unique constraint (this refers to the waits that get developed when two sessions are trying to insert the same unique business key) as the surrogates get generated by the DB and are cached. Very scalable.

Not to mention, for surrogate keys, a Java developer could assume and code several reusable strategies:
- Have a common BaseIdEntity with an @Id attribute with a common generation strategy or named sequence generators
- Have Base generic services or daos (FooServiceImpl extends BaseServiceImpl)
- Generic finder methods with named queries
- And many other referential lookups that can be streamlined once a common id is used

References:
The great primary key debate