Tuesday, January 30, 2007

DWR integration with Spring

DWR is a Java open source library which allows you to write Ajax web sites.

DWR consists of two main parts:

  • A Java Servlet running on the server that processes requests and sends responses back to the browser.
  • JavaScript running in the browser that sends requests and can dynamically update the webpage.

Why DWR:
  • the most-used Ajax framework
  • integrates best with Spring
  • RPC-style Ajax
  • Java <--> JavaScript marshalling (using JavaScript objects)
  • supports most browsers

Saturday, January 06, 2007

Yahoo YUI Calendar

Recently I started to look at Yahoo YUI for rich UI. One feature is the Calendar. In general, YUI works pretty well with my application. However, one bug related to IE took me 2 days to figure out.

When I click any date in the Calendar, it subscribes to the YUI render:
YAHOO.example.calendar.cal1.selectEvent.subscribe(mySelectDate, YAHOO.example.calendar.cal1, true);
YAHOO.example.calendar.cal1.addRenderer(txtDate1.value, YAHOO.example.calendar.cal1.renderCellStyleHighlight2);
YAHOO.example.calendar.cal1.render();
In my application, I need to send a new request to the server and get the result for this specific date. It works well in Firefox; however, it does not always work in IE6. After digging for a while, I found this code in YUI calendar.js:
YAHOO.widget.Calendar.prototype.renderCellDefault = function(workingDate, cell)
It contains javascript:void(null) in the href.
IE does not pass javascript:void(null) in an href.

href="javascript: ", onclick="javascript:": There is no such thing as a JavaScript protocol on the web. Links use protocols to connect documents.

Tuesday, January 02, 2007

Authentication and authorization - Acegi and More

Most of our web applications are based on form-based authorization and authentication with role-based access control. Form-based authentication is the most popular web authentication mechanism in use. It provides us with the greatest control over the look and feel of the “login screen”.

Acegi provides a quick, simple and good solution for this. However, Acegi also has some limitations:

1: Authentication

Acegi uses AuthenticationProcessingFilter. The AuthenticationProcessingFilter handles the Authentication Request Check (“logging into the application”). It uses the AuthenticationManager to do its work. One disadvantage is that we need to create our login table according to Acegi's wishes. We also need to access the DB directly using SQL code.

2: Authorization

Acegi is based on URL authorization: URLs are secured by role with regular expressions or Ant-style patterns. First, roles cannot be added dynamically. Second, some actions (view and edit) use the same URLs, which causes problems for authorization.

To fix the above problems, we can build our own simple security system.

The following shows the table relationships:



Each customer can create its own roles and assign accounts to these roles. Each service includes many features, and each feature can have different privileges (verb: CRUD, List, etc.). We can assign roles to different privileges.

On each button/link, we need to add a parameter "privilegeCode", for example: privilegeCode=editAccount. We just need to write a filter that checks the privilegeCode against the login user's privileges. If the login user has this privilege, continue; otherwise, permission is denied.

Simple, easy and quick to fix the authorization issue in Acegi.
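
A sketch of the privilegeCode filter described above, as an added example that is not code from the original post or from Acegi. The class name and the "privileges" and "checkedPrivilege" attribute names are assumptions; the login user's privilege codes are assumed to be loaded from the role/privilege tables at login and kept in the session.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Class name and the "privileges"/"checkedPrivilege" attribute
// names are assumptions, not Acegi API.
public class PrivilegeFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Privilege codes of the login user, assumed to be loaded from the
        // role/privilege tables at login and stored in the session.
        HttpSession session = request.getSession(false);
        Object attr = session == null ? null : session.getAttribute("privileges");
        Set<?> granted = attr instanceof Set ? (Set<?>) attr : null;

        String code = request.getParameter("privilegeCode");

        if (!isAllowed(code, granted)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Permission denied");
            return;
        }
        // privilegeCode comes from the browser, so the action must act on the
        // value that was checked here, not on anything else in the request.
        request.setAttribute("checkedPrivilege", code);
        chain.doFilter(req, res);
    }

    // Deny by default: no session, no privilegeCode, or a code the user lacks all fail.
    static boolean isAllowed(String code, Set<?> granted) {
        return code != null && !code.isEmpty()
                && granted != null && granted.contains(code);
    }
}
```

Because view and edit share a URL in this design, the action behind the filter has to select its behaviour from the checked privilegeCode; otherwise a code the user holds could be sent alongside a request for an action they do not hold.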