Implementing JASPIC in the application

One of the nice things about JASPIC is it does not have to be limited to just a container installation, but can be put as part of the application.  One of the key advantages of this over web tier solutions such as Shiro is the authentication subject can be passed all the way down to the EJB tier via @Inject Principal .

However to do this is a bit tricky, JASPIC isn’t really as straight forward and one key information is buried deep inside the specs and not immediately visible in the Javadocs.

This blog post assumes the reader to have gone through the motions of creating a ServerAuthModule.  The purpose of this is to somehow call the initialize() method with the settings .

When to use this

Normally I would advocate authentication be done in the container and not be part of the application.  However, there’s a specific scenario I had which forced me to do this:  I had a to use a different Server Auth Module on a server that already has the Server Auth Module defined.  So I had to do it on a per application basis.

The approach

We’re going to do a bottom up approach from the ServerAuthModule.  To start we add the ServerAuthContext  to the implements list  of the ServerAuthModule.  Since ServerAuthContext has a subset of methods as ServerAuthModule, it is not related as such it needs to be explicitly added.


The next bit is to create a class that implements ServerAuthConfig that will create an instance of the ServerAuthModule, intialize it and return it.

In that module is a method that determines whether the module is needed by the security constraints.  This is the one that took a while to find and it was actually in the spec.  There’s a property called which is set to the string “true” if the requested resource requires authentication.  It should return null if the resource does not require any authentication.

if (isMandatory != null && isMandatory instanceof String && Boolean.valueOf((String) isMandatory)) {
return messageInfo.toString();
return null;

The getAuthContext method is needed to provide the ServerAuthContext which would the initialized ServerAuthModule.  It takes in a properties map which contains additional properties that the container may send and should augment any configuration options that were passed in.  Also depending on the authContextID parameter being null or not will determine whether we initialize with a MessagePolicy indicating mandatory or not.


The next JASPIC component that needs to get built is used to provide the ServerAuthConfig.

  • It needs a two argument constructor though the AuthConfigFactory parameter is generally ignored.
  • The getClientAuthConfig method returns null unless a client authentication module is being provided
  • Lastly the getServerAuthConfig simply creates  a new instance of the ServerAuthConfig passing in some contextual information

Tying it to the application

To tie this to the application, the AuthConfigProvider needs to be registered in the factory as part of application startup.    To do this, a ServletContextListener is used and the contextInitialize method would set the options and register the provider using

The sources

The source code to this is available in along with my OpenID Connect, Google and HTTP Header auth modules.


When I worked with Java EE, I see the elegance of having the application not deal with user authentication and let the container manage it.  It is very rare that I see it in practice though because FORM authentication is quite limited and I have been in a lot of projects where I had to deal with the login use case in non-standard ways which only keep the authentication details on the web tier only.

With the advent of JASPIC, I am able to use standardized mechanisms that allow me to retrieve authentication and authorization contexts all the way through to the EJB tier.

And although this is part of the application, it can be modularized away to a different web application context if needed.

Share Button

Quickly set up an HTTP Server with NodeJS

Here is some quick instructions on how to set up an HTTP Server to host your local files in Windows or other platforms.
Continue reading

Share Button

Things I don’t like about iOS8

Each iOS iteration introduces new features, iOS8 is no execption and some of them I like even at the expense of privacy such as Medical ID which I hopefully won’t need anytime soon. However, it had added a few other features that I am not too fond of. Some of them are likely due to peer pressure to give more of what Android provides, but it is implemented no better than Android itself.

Here’s the list of the three things that I had turned off:

  • Predictive Text
  • Third party keyboard support
  • Transparency effects

Predictive Test

Android keyboards including the stock Google keyboard adds a bar for predictive text. I turned this feature off because of two things:

  • Reduces screen space. Since it adds a bar on top of the keyboard.
  • Introduces lag much.

Which are the reasons I have trouble with Android’s keyboards to begin with.

Third party keyboards

Android has had a long history of third party keyboards, I even bought one myself. For Android, it compensates for the abysmal default keyboard experiences that came with older versions of Android. It also adds a nifty feature of doing swipe input. I personally prefer the Swype keyboard for my android devices though I have recently dropped it for Google Keyboard as it has the least latency between Swype, Google and Samsung keyboards.

However, on Android devices it introduces a short latency which is practically non-existent on the default iOS keyboards even down to the iPhone 3GS. iOS 8 added the predictive text which adds latency now which I have summarily disabled.

Trying Swype for iOS 8 just brought back the memories of lag on the iPhone 5S. After giving it a try for a couple of days I decided to drop it. Starting up the keyboard introduces a sub second lag that distracts my train of thought.

Transparency effects

Though this was introduced in iOS 7 to make it appeal to the artsy crowd, it was still usable. iOS 8 added quite a bit more transparency effects to the point of annoyance when I see the image processing artifacts. I have since then turned it off as well.

Don’t bother copying Android

Generally I just find in the last two iOS iterations when Apple tried to copy more things from Android, their implementations are just as mediocre as Android’s. Seems like their product focus groups are not doing a good job and try to rapidly expand their markets rather than retaining and strategically expanding their existing market. This reminds me of Blackberry which is doing the right thing and dropping their focus on the mass market and focus on their strategic market. Let Samsung/Google deal with the masses, the percentage of the masses who buy cheaper devices are usually the ones that don’t buy the high value add items such as iTunes and app purchases, so why target them?

I think I spent a total of $0.99 + taxes on SwiftKey (which I eventually disabled) and that’s about it on Android. I spent significantly less than that on myself on Apple Store, but I acknowledge that I am really should not be in Apple’s target market. They should target the experience for those who are willing to pay for those high revenue items.

Share Button

Predictiability and versioning JAX-RS REST API

Over the course of time, your REST APIs will change to accommodate new client requirements. Using and, you can enable multiple active client API versions in your WAR file.
Continue reading

Share Button

Enable Personal Hotspot on iOS 8

When I upgraded to iOS 8, I noticed that tethering on my Mac stopped working on Wind Mobile. After looking around for it, I found out how to enable it again, simply copy the values from the Cellular Data APN to the Personal Hotspot APN.
Continue reading

Share Button

Explaining Dependency Injection and Inversion of Control

In a normal programming sense, your code generally tells the system what to do and what resources such as databases or authentication system to use. In Inversion of Control reverses that idea and the system instead tells which of your code to run. Hence, inversion of control, IoC for short.

Normally when we code we tend to have dependencies on resources. When coding in an IoC fashion, these dependencies are “injected” into your codde when needed. Hence the name Dependency Injection.
Continue reading

Share Button

Screen time vs Paper Time

Screen time vs Paper Time

I think the above comic sums up my view when I hear parents limiting their kids use of screens.  Personally, setting arbitrary limits to kids creativity isn’t my cup of tea.  Most things on the iPad [that PM-1 will get when he is big enough] have a lot of  apps that promote creative expression so why hamper? Continue reading

Share Button


When I was doing my JPA Anntation Processor, I used JET to do my code generation because it was the only templating engine that I have seen that creates Java code that can return a String. The problem with using JET was the Maven plugin that was is available on central doesn’t have any of its sources and is no longer actively developed (as shown by the lack of source pointed by their POM). Using JET that comes from Eclipse apparently requires the entire Eclipse runtime and their direction with JET2 seems to force more Eclipse dependencies. However, JET in itself is a pretty neat standard so I decided to reduce the chance of having trouble with lack of support I decided to make my own with an associated Maven plugin. This blog post defines the requirements I had for my implementation
Continue reading

Share Button

Microbenchmarking repeated characters in Java

When doing a code generator, I found that I had to do indents which usually involve repeating characters. So I wrote some short code to do it using arrays. Of course this should be tested and Google created a microbenchmarking tool called Caliper to do this. Unfortunately, this tool has practically ended up in the ever big pile known as the Google Graveyard in that it has abandoned supporting people who may use this in Windows that are affected by this bug #215. I have decided to fork and do the deployment myself on my own namespace in central rather than waiting for a release which is who knows when.

Once I got it done I then implemented the benchmark.
Continue reading

Share Button

No iPad for my kid

At least not until he can carry it on their own.  One of the things I notice about kids and their iPads is who carries them around when they are not using them.  Sorry PM-1, I am not your pack mule. Continue reading

Share Button