Category: Allgemein

Posted on

Wildfly 29 – OIDC – Bearer Token Authentication

In this blog post I explain the setup of a application running on Wildfly 29 using the OIDC authentication mechanism. It took me a long time to figure out the correct and necessary configuration steps. My requirement was not only to authenticate a user with Keycloak via OpenID Connect (OIDC), but also enable my backend services to authenticate programmatically to access the Rest API.

So we have two requirements: User login via Keycloak/OIDC and a programmatically login for backend service. The later is called Bearer Authentication mechanism.

Bearer Token Authentication

The Bearer Token Authorization is the process of authorizing HTTP requests through a valid Bearer Token. Such a token can be obtained from a Identity Authority like Keycloak using a simple curl command. For example to get a valid token from a Keycloak server you can run:

curl -X POST \
  -d "grant_type=password" \
  -d "client_id=imixs" \
  -d "client_secret=xxxxxxxxxxxxxxxxxxx" \
  -d "username=anna" \
  -d "password=123" \
  "https://my-keycloak.server/realms/my-keycloak-realm/protocol/openid-connect/token"

This will result in a JSON Web Token (JWT) containing differnet sections. 

{"access_token":"eyxxxxx.eyxxxxxxxxx",
  "expires_in":300,
  "refresh_expires_in":1800,
  "refresh_token":"eyyyyyyyyyy.eyyyyyyy",
  "token_type":"Bearer",
  "not-before-policy":0,
  "session_state":"fc2f7e36-e4ba-145a-b493-efb287ec0c7a",
  "scope":"profile email"
}

The interesting one is the ‘access_token’. You can copy this part and now you can request a secured resource from your applications Rest API:

curl -X GET \
  -H "Authorization: Bearer eyyyyyyyyyyyyyyyyyy" \
  "https://my-app/api/documents/ABC"

OK, this all sounds very easy and straight forward. But due to the fact that this security mechanisms evolving fast also in wildfly there were differnet concepts used in the past. So the following will work for Wildfly 29 (and hopefully later) version.

The Wildfly Descriptor ‘oidc.json’

An easy and very fast setup is to use the Wildfly specific deployment descriptor file ‘oidc.json‘. This file is placed in /WEB-INF/ directory:

{
    "client-id" : "my-client-id",
    "provider-url" : "https://my-keycloak.server/realms/my-keycloak-realm",    
    "principal-attribute" : "preferred_username",  
    "credentials" : {
        "secret" : "xxxxxxxxxxxxxxx"
    }
}

In addition change the login-config in your web.xml file to ‘OIDC’

...
  <login-config>
    <auth-method>OIDC</auth-method>
  </login-config>
...

No further configuration is needed. No realms need to be configured at all in the standalone.xml or in your application.

The Jakarta OpenIdAuthenticationMechanismDefinition

Jakarta EE 10 includes a new authentication mechanism: OpenID Connect! This can be added to a Jakarta EE servlet using the new @OpenIdAuthenticationMechanismDefinition annotation.

This annotation is the standarized way to use OIDC authentication mechanism. You need to implement a CDI security bean in your application like shown in the following example:

import jakarta.enterprise.context.RequestScoped;
import jakarta.enterprise.event.Observes;
import jakarta.inject.Inject;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.identitystore.openid.AccessToken;
import jakarta.security.enterprise.identitystore.openid.OpenIdContext;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

@RequestScoped
@Path("/oidc")
@Produces({ MediaType.TEXT_PLAIN })
@OpenIdAuthenticationMechanismDefinition( //
        clientId = "${oidcConfig.clientId}", //
        clientSecret = "${oidcConfig.clientSecret}", //
        redirectURI = "${baseURL}/callback", //
        providerURI = "${oidcConfig.issuerUri}" //
)
public class Securitybean implements Serializable {
    private static final long serialVersionUID = 1L;
   
    @Inject
    Principal principal;

    @Inject
    private OpenIdContext context;

    @GET
    @Produces("text/plain")
    public String sessionInfoAuth() {
        String message = "";
        try {
            System.out.println("=========================================");
            if (principal != null) {
                System.out.println("  Principal name: " + principal.getName());
            } else {
                System.out.println("  Principal resolved to null!");
            }
            // Here's the unique subject identifier within the issuer
            if (context == null) {
                message = "Failed to resolve OpenIdContext!";
            } else {
                System.out.println("  Subject = " + context.getSubject());
                System.out.println("  Access token = " + context.getAccessToken());
                System.out.println("  ID token = " + context.getIdentityToken());
                System.out.println("  Claims json = " + context.getClaimsJson());
                System.out.println("=========================================");
                message = "Imixs-Security-OIDC ==> OK \n" + //
                        "User Principal      ==> " + principal.getName()
                        + "\n\nSession details are available on server log";
            }
        } catch (Exception e) {
            message = "Failed to resolve OpenIdContext!";
        }
        return message;
    }
}

The important part is only the annotation. I added the method sessionInfoAuth only for convenience to provide a rest API to check the auth information.

Using this mechanism it is important to disable the integrated-jaspi module in your standalone.xml file:

...
        <subsystem xmlns="urn:jboss:domain:undertow:14.0" default-virtual-host="default-host"
            default-servlet-container="default" default-server="default-server"
            statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}"
            default-security-domain="other">
            ......
            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"
                    integrated-jaspi="false" />
            </application-security-domains>
            .......
        </subsystem>            
.....

The problem is, that with this setup you can login as a user like before with the oidc.yaml file, but a programmatic login with the access token is no longer possible.

If you find an solution for this problem, please let me know 😉

Posted on

PostgreSQL: Major Upgrade in Kubernetes

In the following I show an example how you can upgrade an old PostgreSQL server to a new Major version running in a Kubernetes cluster. In this example I upgrade directly from 9.6.1 to 17.4. My deployment runs on Kubernetes and I have external data volumes bound to my servers based on a ceph system. The migration concept in short is the following:

  1. Mount a new /backup/ volume to backup the data on the old databasesever
  2. Backup the existing database with pg_dump
  3. Undeploy your old PostgreSQL Server
  4. Create a new deployment for the new empty Server and mount the /backup/ volume
  5. Restore the backup with pg_restore
Continue reading “PostgreSQL: Major Upgrade in Kubernetes”
Posted on

EJB => CDI Migration

In this blog post I will try to explain how to replace Jakrata EE EJBs with CDI beans. In onw of the future releases of Jakarta EE (possible version 12) the EJB concepts will be fully replaced by CDI technology. The reason simply is that EJBs become more and more outdated as the technology is based on older concepts that today are no longer recommended. Another goal for the replacement is to make developers life easier and not providing two very similar technologies in parallel. The Imixs-Workflow project is fully based on Jakarta EE and we are using also EJBs in some of its core components. So this will also be a kind of travel guide of my own journey from EJB to CDI.

The Basics

So first question: Why will EJBs be removed? The first and most obvious answer is: it does not make sens for the Jakarta EE project to support tow similar technologies in parallel. CDI is the newer technology and already today provides a lot of concepts from EJBs. So often in a Jakrata EE project you can either choose to implement a Service in a EJB or CDI bean without any difference in its result.

One of the more hidden reasons is that EJBs were invented at a time when the Java VM did not yet offer the performance and functionality that it does today. At that time, it was simply not efficiently possible to use a bean instance in a multi-threaded situation without running into a problem with the VMs garbage collector that it could no longer keep up cleaning old objects. The was the reason for the EJB Container and its pooling mechanism. That means in EJB a client always gets an EJB instance exclusive and can use it in a thread save way. If all EJBs from the pool are in use a new client request have to wait until one of the pools EJB instances is free again. This was and is a very robust and thread save mechanism and makes the developers life very easy. In a CDI Container we don’t have this kind of pooling and so the first result is the different code layout of CID implementations.

An EJB implementation typical looks like this:

package com.example;

import jakarta.ejb.EJB;
import jakarta.ejb.Stateless;
import jakarta.ejb.TransactionAttribute;
import jakarta.ejb.TransactionAttributeType;
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;

@Stateless
public class StatelessBeanInEJB {

  @PersistenceContext
  private EntityManager entityManager;

  // The @TransactionAttribute(TransactionAttributeType.REQUIRED) // annotation is optional; this is the default already.
  public void transactionalMethod() {
   // ...
  }


  @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
  public void independentTransactionalMethod() {
   // ...
  }


}

Now this is how the same looks in CDI with help of the in Jakarta Transactions 2.0:

package com.example;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import jakarta.transaction.Transactional;
import jakarta.transaction.Transactional.TxType;

@ApplicationScoped
public class StatelessBeanInCDI {

  @PersistenceContext
  private EntityManager entityManager;

  @Transactional // The annotation value TxType.REQUIRED is optional; this is the default already.
  public void transactionalMethod() {
   // ...
  }

  @Transactional(TxType.REQUIRES_NEW)
  public void independentTransactionalMethod() {
   // ...
  }


}

The CDI bean has been marked @ApplicationScoped and is no longer pooled. And the CDI instances are unsynchronized while EJB instances are synchronized.

Synchronized vs Unsynchronized – Was does this mean?

I’ll explain the important difference between synchronized EJB instances and non-synchronized CDI instances:

EJB (@Stateless) – synchronized:

  • With EJBs, each bean instance from the pool is only used by one thread at a time
  • The container automatically ensures this thread safety
  • If several threads want to access the bean at the same time, they have to fetch a free instance from the pool or wait

This makes implementation easier because you don’t have to worry about thread safety.
However, it can lead to performance degradation under high load because threads have to wait.

CDI (@ApplicationScoped) – unsynchronized:

  • A CDI Bean instance can be used by multiple threads in parallel
  • There is no automatic synchronization by the container
  • The developer is responsible for thread safety

This allows for better performance under high load, as no threads have to wait.
However this requires a more careful implementation to avoid race conditions.

Here is an example: 

@ApplicationScoped
public class UnsynchronizedCounter {
    private int count = 0; // shared state

  // NOT thread-save!
  public void increment() {
  count++;  // can lead into a Race Condition
  }

  // Thread-save Version
  public synchronized void incrementThreadSafe() {
   count++;
  }
}

So with CDI, we have to pay attention to thread safety ourselves if the bean has shared state. Possible solutions are:

  • Using Synchronized Methods/Blocks
  • Use thread-safe data structures (e.g. AtomicInteger)
  • Working stateless
  • Use a narrower scope like @RequestScoped

The EJB version would automatically be thread-safe, but less performant under high load.

Using instance variables in stateless EJBs was always a very bad practice but is was possible. So if you have clean implementations of EJBs without using instance variables, on the first glance it should be easy to transfere your EJB into a CID bean by just replacing the annotation @Stateless with @ApplicationScoped.

But now let’s take a deeper look into the details….

… will be continued ….

Posted on

How to Change the Color of Your BASH Prompt

On Linux servers you sometimes have to switch to the superuser (su). The user has privileged rights and thing can got mad if you are not aware if you are currently working as a ‘normal’ user or a superuser. To make this situations more obvious in a Linux shell, you can add colors to your BASH Prompt.

You simply have to edit the file ~/.bashrc on Debian systems. For a normal user add this code block:

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u\[\033[01;34m\]@\[\033[01;36m\]\h\[\033[01;33m\]\w\[\033[01;35m\]\$ \[\033[00m\]'
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

And for the root user (/root/.bashrc) change the color settings like this:

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;36m\]\h\[\033[01;33m\]\w\[\033[01;35m\]\$ \[\033[00m\]'

else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

That’s it. Now you have a red marker if you are logged in as a superuser and a green marker if you are working as a normal user:

Normal User:

Root:

Posted on

How to Run LLMs in a Docker Container

LLM stands for Large Language Model and is a large-scale AI model that has been trained with an extensive amount of text and code. Beside the well known and widespread Chat GPT, today there are many powerful Open Source alternatives available. The advantage of an Open Source LLM is that you can use such a model in your own application within your own environment. There is no dependency on an external service provider that can raise prices, shut down services, or remove models.

But the question that inevitably arises is: Where to start? At least that’s the question I asked myself. After some research I found out that it isn’t such difficulty as it sounds to run a local LLM.

First of all there is a place called Hugging Face providing a kind of market place for all kinds of AI models. After you have registers yourself on the page you can search and download all kinds of different Models. Of course each model is different and addresses different needs and requirements. But the good news is that there is a kind of common open standard to run a LLM called LLaMA CCP. Lamma CCP allows you to run a LLM with minimal setup and state-of-the-art performance on a wide variety of hardware – locally and in the cloud. And of course there is also a Python binding available. And this makes is easy to test a LLM in a Docker container.

Continue reading “How to Run LLMs in a Docker Container”
Posted on

My Git – Cheat Sheet

This is just a short collection of Git commands and tricks which I personally did not always remember.

Create a new Tag

To create and push a new tag:

1.) List current tags

$ git tag

2.) Create a new Tag

$ git tag -a <TAG-VERSION> -m "next release"

3.) Push tag

By default, the git push command doesn’t transfer tags to remote servers. You will have to explicitly push tags to a shared server after you have created them.

$ git push origin <TAG-VERSION>

Create a Branch

To list all existing branches:

$ git branch

to create a new local branch

$ git branch <branch>

and checkout it with

$ git checkout <branch>

to push the branch to the remote repo

$ git push origin <branch>

Merge a Branch

Merge another branch into the current (e.g. into the master branch)

List all the branches in your local Git repository using the git branch command:

$ git branch

The output shows all branches and marks the current branch with an *.

Ensure you are on the branch you want to merge into. To switch to the master branch:

$ git checkout master

Now you can start merging. Since merging is a type of commit, it also requires a commit message. 

$ git merge -m "Your merge commit message" [source_branch]

Check the result in your current file tree.

Finally push your changes:

$ git push origin

How to resolve Merge Conflicts

Sometime you may forget to pull before you start working on something. Later you can not push your commit directly if a colleague has worked on some other artifacts. In this case you need to ‘stage’ your local changes first, pull the changes from your colleague and than you can push your own changes back into the remote repo:

# Stage all local changes 
git add .
git commit -am "commit message"
# Pull all changes from colleague and rebase your last commit on top of the upstream 
git pull origin --rebase
# Push all together back into the remote repo
git push


Posted on

Install Open JDK 11 on Debian 12 (Bookworm)

In Debian 12 the default JDK is Java 17. In case you need Java 11 instead you can follow this blog from Linux Shout .

Here is the short version:

1) Edit your sources.list

Edit the file /etc/apt/sources.list and add the unstable packages at the end of the file

deb http://deb.debian.org/debian unstable main non-free contrib

2) Next Update your apt preferences

Edit the file /etc/apt/preferences and add the following entry:

Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release a=unstable
Pin-Priority: 50

This will make our Debian 12 system only choose the stable packages while updating instead of unstable ones.

3) Install JDK 11

Now you can install JDK 11 and switch the java version using the

$ sudo apt update
$ sudo apt install openjdk-11-jdk
$ sudo update-alternatives --config java

The last command allows you to switch between JDK 17 and JDK 11.

Posted on

How to Use Flameshot in Debian 12 (bookworm)

Flameshot is a nice screen capture tool allowing you to mark a screenshot with lines and text and save the screenshot or copy it into the clipboard.

I uses this tool since years. But on Debian 12 it seems not to work. At least it does not open on my installation.

The trick is to start the program form a terminal window with the option gui

$ flameshot gui
Posted on

How to Handle JSF Exceptions in Jakarta EE 10

Exception handling is a tedious but necessary job during development of modern web applications. And it’s teh same for Jakarta EE 10. But if you migrate an existing application to the new Jakarta EE 10 things have change a little bit and so it can happen that you old errorHandler does no no longer work. At least this was the case when I migrated Imixs-Office-Workflow to Jakrata EE 10. So in this short tutorial I will briefly explain how to handle JSF Exceptions.

First of all you need an exeptionHandler extending the Jakarta EE10 ExceptionHandlerWrapper class. The implementation can look like this:


import java.util.Iterator;
import java.util.Objects;

import jakarta.faces.FacesException;
import jakarta.faces.application.NavigationHandler;
import jakarta.faces.context.ExceptionHandler;
import jakarta.faces.context.ExceptionHandlerWrapper;
import jakarta.faces.context.FacesContext;
import jakarta.faces.context.Flash;
import jakarta.faces.event.ExceptionQueuedEvent;
import jakarta.faces.event.ExceptionQueuedEventContext;

public class MyExceptionHandler extends ExceptionHandlerWrapper {

  public MyExceptionHandler(ExceptionHandler wrapped) {
    super(wrapped);
  }

  @Override
  public void handle() throws FacesException {
    Iterator iterator = getUnhandledExceptionQueuedEvents().iterator();

    while (iterator.hasNext()) {
      ExceptionQueuedEvent event = (ExceptionQueuedEvent) iterator.next();
      ExceptionQueuedEventContext context = (ExceptionQueuedEventContext) event.getSource();

      Throwable throwable = context.getException();

      throwable = findCauseUsingPlainJava(throwable);

      FacesContext fc = FacesContext.getCurrentInstance();

      try {
        Flash flash = fc.getExternalContext().getFlash();
        flash.put("message", throwable.getMessage());
        flash.put("type", throwable.getClass().getSimpleName());
        flash.put("exception", throwable.getClass().getName());

        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();

        navigationHandler.handleNavigation(fc, null, "/errorhandler.xhtml?faces-redirect=true");

        fc.renderResponse();
      } finally {
        iterator.remove();
      }
    }

    // Let the parent handle the rest
    getWrapped().handle();
  }

  /**
   * Helper method to find the exception root cause.
   * 
   * See: https://www.baeldung.com/java-exception-root-cause
   */
  public static Throwable findCauseUsingPlainJava(Throwable throwable) {
    Objects.requireNonNull(throwable);
    Throwable rootCause = throwable;
    while (rootCause.getCause() != null && rootCause.getCause() != rootCause) {
      System.out.println("cause: " + rootCause.getCause().getMessage());
      rootCause = rootCause.getCause();
    }
    return rootCause;
  }

}

This wrapper overwrites the default ExceptionHandlerWrapper. In the method handle() (which is the imprtant one) we search the root cause of the exception and put some meta information into the JSF flash scope. The flash is a memory that can be used by the JSF page we redirect to – ‘errorhandler.xhtml’

Next you need to create a custom ExceptionHanlderFactor. This class simple registers our new ExceptionHandler:


import jakarta.faces.context.ExceptionHandler;
import jakarta.faces.context.ExceptionHandlerFactory;

public class MyExceptionHandlerFactory extends ExceptionHandlerFactory {
    public MyExceptionHandlerFactory(ExceptionHandlerFactory wrapped) {
        super(wrapped);
    }

    @Override
    public ExceptionHandler getExceptionHandler() {
        ExceptionHandler parentHandler = getWrapped().getExceptionHandler();
        return new MyExceptionHandler(parentHandler);
    }

}

The new Factory method need to be registered in the faces-config.xml file: 

 .... 
    <factory>
      <exception-handler-factory>
        org.foo.MyExceptionHandlerFactory
      </exception-handler-factory>
    </factory>
 ....

And finally we can create a errorhandler.xhtml page that displays a user friendly error message. We can access the flash memory here to display the meta data collected in our ErrorHandler. 

<ui:composition xmlns="http://www.w3.org/1999/xhtml"
	xmlns:c="http://xmlns.jcp.org/jsp/jstl/core"
	xmlns:f="http://xmlns.jcp.org/jsf/core"
	xmlns:h="http://xmlns.jcp.org/jsf/html"
	xmlns:ui="http://xmlns.jcp.org/jsf/facelets"
	template="/layout/template.xhtml">
	<!-- 
		Display a error message depending on the cause of a exception
	 -->
	<ui:define name="content">
	  <h:panelGroup styleClass="" layout="block">
				<p><h4>#{flash.keep.type}: #{flash.keep.message}</h4>
		<br />
		<strong>Exception:</strong>#{flash.keep.exception}
		<br />
		<strong>Error Code:</strong>
		<br />
		<strong>URI:</strong>#{flash.keep.uri}
		</p>
		<h:outputText value="#{session.lastAccessedTime}">
			<f:convertDateTime pattern="#{message.dateTimePatternLong}" timeZone="#{message.timeZone}"
							type="date" />
		</h:outputText>
	<h:form>
	  <h:commandButton action="home" value="Close"
		immediate="true" />			
	</h:form>
  </h:panelGroup>
  </ui:define>

</ui:composition>

That’s it. You can extend and customize this to you own needs.

Posted on

Why You Shouldn’t Trust IT Consulting Companies

Very large companies often tend to hire very large IT consulting firms to solve their IT problems. Often with moderate success. You can observe this all over the world when you read about failed big IT projects.

So why is this happening? Large IT consulting firms are perfect at telling you that they are the only ones able to solve your problem quickly and reliably. Typically, they also have a real expert who recognizes the problem very well and has an idea of a working solution. You should memorize this person’s face well, because you may never see this expert again. And he probably won’t be the one to solve your problem.

But what exactly is happening here? Why should an international big IT consulting company not be the right expert for your IT problem? To understand this, you simply think about the business model of such companies. It consists of selling you IT services at a fixed daily or hourly rate. This means that the more hours you buy, the better it is for the consulting firm. In order to further maximize profits, these companies are often looking for teams consisting of young enthusiastic university graduates. Typically in a completely different place in the world, where much lower wages are paid. It may be that you are lucky and you find an expert able to solve your problem. But it can also happen that he is confronted with this problem for the first time in his life.

So, now you have an international IT team managed by a large consulting firm and you may continue to have your original IT problem for a very long time. How can you solve this situation in a better way? It’s basically quite simple. Just take a look at the open source community. For every problem in IT, there is someone who deals with it. And if he or she makes the problem public and also publishes his proposed solution, then that’s your IT expert! If the problem is big enough, it may happen that the open source project grows a little. This means that there are now more than one experts able to solve your problem. You will save yourself a lot of money and time if you try to solve your IT problems in this way in the future.

So the biggest problem for you is actually only to find these IT experts in the open source community. However, you should not hire a large IT consulting company to search for such experts. If you’re wondering why – just read this article again from the beginning.

Proudly powered by WordPress