JBoss/Tomcat Single Sign-On: glory and goofs

Dabbling in the unknown can be an interesting excursion into highs and lows, and my experiments with JBoss/Tomcat’s Single Sign-On facility have been no exception. Hopefully, these quick tips can help.

Configuration of SSO under JBoss 3.2.2 (Tomcat 4.1.27) was fairly simple – just add the following line to your server/<instance>/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml inside the <Host> element:

<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

Then, I made sure each webapp I wanted under SSO had a jboss-web.xml configured for the same security realm (defined in login-config.xml). The jboss-web entry looks something like this:


I also have the realm-name of the login-config in the web.xml set to be the same for all apps. Not sure if it’s all necessary, but it works, so I won’t question it.

The interesting glitch in this version is that while it supports single sign-ON, it does not support single sign-OFF. So you can use SSO to log into one app, link happily to another webapp running on the same JBoss instance, and when you invalidate your session for one app, the other sessions are still alive. Since this isn’t really acceptable behavior, I thought that perhaps a newer version of JBoss/Tomcat might do the trick, so I grabbed JBoss 3.2.3 (Tomcat 4.1.29). And all SSO capabilities completely disappeared, even after modifying the jboss-service.xml.

I found the answer to this problem buried in the JBoss 3.2.3 release notes. Those notes say “The tomcat4.1.x single sign-on behavior has been updated to allow for propagation of the web app security context to the ejb container and other secured resources.
* Configuration: In the jbossweb-tomcat41.sar/META-INF/jboss-service.xml file, inside the element of any virtual hosts for which you want single sign-on support, add a element: <blank space>”

Viewing the source of this page tells me that I’m actually supposed to add:

<Valve className="org.jboss.web.tomcat.tc4.authenticator.SingleSignOn" debug="0"/>

A Google search on “org.jboss.web.tomcat.tc4.authenticator.SingleSignOn” yields exactly one result – that page of release notes. Well, I’m letting the cat out of the bag (no pun intended) – here’s result #2. Restarting JBoss/Tomcat with this configuration yielded the desired results – Single Sign-On across multiple webapps using only J2EE Container Managed Security and JBoss/Tomcat, with single sign-off as well – one session.invalidate() now kills the session for all apps.

Since I see this as a REALLY cool feature – minimal intrusion on applications and high standards compliance (CMS), I hope this little ditty can help you get it running as well.


MySQL server taking a beating

There are countless things that I dislike about MySQL. One thing that’s impressing me is that in 4 hours, our MySQL server for one of our major customers has performed 700 million row reads. The interesting bit is that a full half-billion of those hits can be eliminated. Using the MySQL slow query log with a 1 second threshold and an enhanced version of the MySQL slow query log parser, combined with ‘mysqladmin extended-status’, I was able to track our database performance issues to an isolated set of 3 queries that are executed regularly and require full table scans. Adding 3 single column integer indexes on 150k-200k row tables should solve that and cut our reads at least in half.


Needed – Adobe FDF Toolkit

Adobe used to offer a free FDF Toolkit – a multi-language API for processing PDF forms submitted over the web. It is no longer available on their site. It seems they’re trying to rope everyone into buying some wonky LiveCycle Server that manages everything for you, but quite frankly, I have no desire to deal with all of that overhead when a simple API will do the trick. Anyone have this toolkit that they can share with me? Drop me an email – rkischuk at-symbol gmail dot com. Thanks!


The "Sex & Cash" Theory for geeks

“The creative person basically has two kinds of jobs: One is the sexy, creative kind. Second is the kind that pays the bills. Sometimes the task in hand covers both bases, but not often. This tense duality will always play center stage. It will never be transcended…

geeks. You spend your weekdays writing code for a faceless corporation (“Cash”), then you spend your evenings and weekends writing anarchic, weird computer games to amuse your techie friends with (“Sex”).”

Hugh uses this analogy to explain his suggestion for being creative, “Don’t quit your day job”. It’s interesting when we see key open source developers get hired by Google or JBoss to take their sexy side project and get paid for it. There’s a certain allure to getting paid for something you previously did purely out of passion. In my own life, I realize that I do side work in both arenas – I have a nicely paying contract doing some vanilla, cut-and-dry development, and some side projects that pay little more than potential for the future. Up to this point, each project is clearly for-hire or for-creativity.

As he mentions, there is a tension between the two that can be balanced, but it’s challenging. Pattern the employment relationship after a marriage, and the convergence of “sex” and “cash” is incidental. Of course, if you let the two become cause and effect, it’s prostitution. Sound familiar?


Contracting to Improve Productivity

Nothing like some contract work to force priorities around a bit. When I mentioned a few days ago that interesting opportunities were cropping up rapidly, I had no idea that this dilemma was about to grow. A former employer of mine contacted me out of the blue today, and asked if I’d be interested in putting in some work-from-home time as supplemental development help on a project they’re working on. By the end of the day, we’d agreed on a fair rate, and the info I needed started to roll in. After work, I met with someone who wants me to be their main technical resource on a company they want to launch. The app is fairly simple, and the market is ripe for the picking – if they can get the app out the door in time. And have I mentioned that all of this is outside of the day job, which is interesting work in database optimization (details/tips forthcoming), with co-workers I actually enjoy seeing away from the office.

It’s one thing to talk about how precious a resource time is; it’s still easy to waste it. It’s quite another thing when any time you waste is time you could be billing. Suddenly, just vegetating and watching some show I don’t care about seems a lot more wasteful. Time spent on the other side tasks I’m working on is more intentional – if I’m going to spend time on a project that will pay off later rather than now, I want to make sure that time is focused, not interrupted by surfing Slashdot, reading game reviews, etc. It’s not about chasing money – rather, the ability to switch tasks and bill time whenever I want in the evenings means that whatever I do, I’m more intentional about it. If I’m going to spend time relaxing, I’m going to really relax instead of just vegetating. Quality time with the wife means focusing on her instead of just being near her. It’s an unexpected extra load on my time, but it’s amazing how it is actually helping me use my leisure and extracurricular-work time more efficiently. Good work if you can find it.


Wealth of Opportunity, Dearth of Time

It’s more blessing than curse, but lately the chances I have to do interesting work are through the roof. The day job is very engaging, and the research I’m doing on the weaknesses of our current persistence approach and their remedies is particularly interesting. I’ll soon be gaining an equity stake in a company I’ve invested a lot of time in, building a framework for quickly deploying new web sites with reusable functionality, beyond simple search/message boards/shopping carts. One project for them is wrapping up (I’ll announce that site launch when it comes), and we’re preparing a quote for another group which will all but certainly be accepted.

There’s another opportunity on the table as well that came from my gym. I try to work out 3-5 times a week, and try to get my workout in as efficiently as possible. It’s not a social outlet, and I try to avoid wasting time in conversation there as much as possible. It’s not that I don’t like people, it’s that I don’t enjoy socializing in a gym. In spite of this, I was approached by a guy there because I was wearing a shirt from a former employer that made me seem technical. It seems that he has investment money and a product mostly built, but he’s a sales guy, and his programmer decided he wanted to backpack Europe or something. Good idea and a good guy, so I’m looking at an equity stake and possibly cash for finishing some software for the medical field and expanding that product. I think the product is well-positioned, and could really catch fire.

Then there are the side projects I’d love to get my hands on. There’s a product for music distribution that I think is unique with a huge potential market. There’s an interest in helping groups, particularly Christian groups, raise funds online. I had an idea like Zopa – an online debt exchange. If anything, their existence encourages me more than frightens me. The existence of other players in a market doesn’t mean that creating a competitor is bad.

It’s exciting, but I sure wish I had more time to spend making each of these things succeed. As things stand, though, it’s not bad – I have time to work on several of these things without any of it distracting from my day job. Not too shabby. More details to come as each opportunity takes shape.


My "Apprentice" Audition

I tried out for Donald Trump’s “The Apprentice” TV show this weekend. In preparing for this, I found a dearth of information on their tryout process on the net, so I’m fixing that. The preface is that leading up to my audition, I waited for several hours – arrived at 8 AM, received a wristband at 9 AM, interviews began at 10 AM, and I finally got to the front of the line around 12:30 PM. If you’re curious, I didn’t make the cut, but I have a nifty “Apprentice” wristband to show for it.

Now about the audition. I’m putting this out here because honestly, I don’t think it will actually help anyone game the system, but it is interesting. We were ushered into a room 20 at a time and seated at a set of tables configured in a rectangle – candidates on 3 sides, and the casting director on the 4th. He was a reasonably young-looking, [proud] Irish Catholic from Philly named Paul, and was already nursing a glass of bourbon. He seemed to enjoy his job as he positioned himself as provocateur and incredible multi-tasker. He told us that we had 10 minutes, and if he had to talk much during that time, then we weren’t doing well. He was going to give us topics, and we were supposed to pick a position and support it with a decent argument.

The first topic was “Did the right guy win the election?” and I can only describe what ensued as chaos. Yelling, lots of yelling. Everyone trying to make their position heard, trying to stand out. It wasn’t a subdued roundtable discussion, it was 20 people all clawing to get noticed above the rest. Some people clammed up, intimidated by it all. Some yelled into space, not talking to anyone in particular. More topics flowed, with each one ramping from silence to uproar in about 5 seconds.

I can’t tell you what they were looking for, especially since I didn’t have the stuff. I can speculate a bit. I think they were looking for quick responders, people who would articulate a strong position with good supporting points right off the bat. If you haven’t finished making a solid point on each topic in 5 seconds, I think you’re losing. This is why so many lawyers make the show. I think there are some intangibles in the mix – he probably looks at body language, style of speaking, ability to grab the attention of others. Some of it probably depends on what they’re trying to cast. The current season is “Book smarts” vs. “Street smarts” – I would expect they were looking for people to fill certain roles on each of those teams from the time they had their first audition.

I responded a bit slowly on some topics, did make some points loudly, did back up some of my points well, did hold some smaller, more direct conversations with people around me. I did yell to nobody in particular a couple of times (many people were doing this), but I don’t think that’s productive unless you’re the first one. So can I give you interview tips to get on the show? No way – I don’t even know what they want, but this is what you could expect in the audition process.

So why’d I do it? I don’t idolize Donald Trump, but I do respect some of his accomplishments. Given the knowledge and connections that a winner (or even runner-up) on that show develops, especially working with Trump, it IS a golden opportunity. If nothing else, I knew it would be an interesting experience, an amusing story to share, and a good time to reflect on things I can do better.