Apache OpenOffice for OpenIndiana (Hipster)

It’s been a long while since I’ve blogged anything on the OpenIndiana front – just a quick update regarding the recent announcement of an Apache OpenOffice package for the OpenIndiana rapid development branch, a.k.a. Hipster.

Installation from the current Hipster repository is straightforward, and aside from a rather long launch time (in the order of tens of seconds, something which definitely needs to be looked at), it opens an existing LibreOffice Writer document with absolutely no problems, retaining the customised footers, background images, and the proprietary PostScript fonts (once installed):

OpenOffice running on OpenIndiana

Great work from the various contributing developers to make this happen, and an important component of building a Nuxeo DM server based on illumos.

(EDIT: It appears there are issues with being able to save newly-created ODT-format files, whereas editing and saving existing files appears to be okay. Stay tuned.)

Configuring a public JSPWiki instance for private use

Been a tad quiet on this blog for a while I realise – time to freshen things up a bit.

In this blog post we’re going to quickly cover how to configure a JSPWiki instance such that wiki content cannot be viewed without being authenticated with a login account. For example, you may wish to deploy JSPWiki in the cloud for convenient access anywhere, but also use it to host company-sensitive documentation. In this case you probably don’t want the general public even having read-only access to the wiki content.

It turns out this is very straightforward to achieve and merely consists of making the desired changes in the jspwiki.policy file. The function of each policy block within jspwiki.policy is also clearly documented in the same file, so everything is pretty self-explanatory.

JSPWiki setup and configuration is outside the scope of this post, so I’m assuming you’ve set up JSPWiki to use container-managed authentication similar to some of my previous articles here. Also note that in recent releases of JSPWiki (certainly v2.10.x) the location of various configuration files has changed – again, outside the scope of this post. All this considered, the full excerpt of my jspwiki.policy file below achieves the following:

  • All public users are prevented from being able to view the wiki.
  • Anonymous users have no permissions.
  • Users authenticated via a browser cookie have no permissions.
  • Users authenticated with a JSPWiki login account (configured in our application server, e.g. GlassFish) have a set of standard permissions for viewing, editing, and modifying content.
  • Admin users have full permissions.

Note that I’ve left the original policy blocks in place commented out so you can see the exact settings I’ve made.


//  Licensed to the Apache Software Foundation (ASF) under one
//  or more contributor license agreements.  See the NOTICE file
//  distributed with this work for additional information
//  regarding copyright ownership.  The ASF licenses this file
//  to you under the Apache License, Version 2.0 (the
//  "License"); you may not use this file except in compliance
//  with the License.  You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
//  Unless required by applicable law or agreed to in writing,
//  software distributed under the License is distributed on an
//  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
//  KIND, either express or implied.  See the License for the
//  specific language governing permissions and limitations
//  under the License.

// $Id: jspwiki.policy,v 1.23 2007-07-06 10:36:36 jalkanen Exp $
//
// This file contains the local security policy for JSPWiki.
// It provides the permissions rules for the JSPWiki
// environment, and should be suitable for most purposes.
// JSPWiki will load this policy when the wiki webapp starts.
//
// As noted, this is the 'local' policy for this instance of JSPWiki.
// You can also use the standard Java 2 security policy mechanisms
// to create a consolidated 'global policy' (JVM-wide) that will be checked first,
// before this local policy. This is ideal for situations in which you are
// running multiple instances of JSPWiki in your web container.
// To set a global security policy for all running instances of JSPWiki,
// you will need to specify the location of the global policy by setting the
// JVM system property 'java.security.policy' in the command line script
// you use to start your web container. See the documentation
// pages at http://doc.jspwiki.org/2.4/wiki/InstallingJSPWiki. If you
// don't know what this means, don't worry about it.
//
// Also, if you are running JSPWiki with a security policy, you will probably
// want to copy the contents of the file jspwiki-container.policy into your
// container's policy. See that file for more details.
//
// ------ EVERYTHING THAT FOLLOWS IS THE 'LOCAL' POLICY FOR YOUR WIKI ------

// The first policy block grants privileges that all users need, regardless of
// the roles or groups they belong to. Everyone can register with the wiki and
// log in. Everyone can edit their profile after they authenticate.
// Everyone can also view all wiki pages unless otherwise protected by an ACL.
// If that seems too loose for your needs, you can restrict page-viewing
// privileges by moving the PagePermission 'view' grant to one of the other blocks.

//grant principal org.apache.wiki.auth.authorize.Role "All" {
//    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
//    permission org.apache.wiki.auth.permissions.WikiPermission "*", "editPreferences";
//    permission org.apache.wiki.auth.permissions.WikiPermission "*", "editProfile";
//    permission org.apache.wiki.auth.permissions.WikiPermission "*", "login";
//};

grant principal org.apache.wiki.auth.authorize.Role "All" {
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "editProfile";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "login";
};


// The second policy block is extremely loose, and unsuited for public-facing wikis.
// Anonymous users are allowed to create, edit and comment on all pages.
//
// Note: For Internet-facing wikis, you are strongly advised to remove the
// lines containing the "modify" and "createPages" permissions; this will make
// the wiki read-only for anonymous users.

// Note that "modify" implies *both* "edit" and "upload", so if you wish to
// allow editing only, then replace "modify" with "edit".

//grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
//    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify";
//    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages";
//};

grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
};


// This next policy block is also pretty loose. It allows users who claim to
// be someone (via their cookie) to create, edit and comment on all pages,
// as well as upload files.
// They can also view the membership list of groups.

//grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
//    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify";
//    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages";
//    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
//};

grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
};


// Authenticated users can do most things: view, create, edit and
// comment on all pages; upload files to existing ones; create and edit
// wiki groups; and rename existing pages. Authenticated users can also
// edit groups they are members of.

grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};


// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administrative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).

grant principal org.apache.wiki.auth.GroupPrincipal "Admin" {
    permission org.apache.wiki.auth.permissions.AllPermission "*";
};
grant principal org.apache.wiki.auth.authorize.Role "Admin" {
    permission org.apache.wiki.auth.permissions.AllPermission "*";
};

After applying this and restarting the application server domain, one can now see that we need to authenticate even to view any of the wiki content.

JSPWiki now requires authentication to view.
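
One way to check that the lockdown described above is actually in effect, as an added example (not from the original post or the JSPWiki project): a small Python audit that parses jspwiki.policy text, ignores the commented-out original blocks, and reports any page or all-permission grant held by a role that requires no login. The function names and the trimmed sample policy are constructed for illustration; treating every PagePermission as exposing content is a conservative assumption.

```python
import re

# Roles the policy file comments describe as needing no real login.
UNAUTHENTICATED_ROLES = {"All", "Anonymous", "Asserted"}
GRANT_RE = re.compile(r'grant\s+principal\s+(\S+)\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def strip_comments(text):
    """Drop // comments so commented-out grants are never parsed (assumes no '//' in targets)."""
    return "\n".join(line.split("//", 1)[0] for line in text.splitlines())

def parse_grants(text):
    """Return [(principal_class, principal_name, [(perm_class, target, actions)])]."""
    grants = []
    for cls, name, body in GRANT_RE.findall(strip_comments(text)):
        perms = [(p, t, [a.strip() for a in acts.split(",") if a.strip()])
                 for p, t, acts in PERM_RE.findall(body)]
        grants.append((cls, name, perms))
    return grants

def audit(text):
    """List page-content or AllPermission grants held by no-login roles."""
    findings = []
    for cls, name, perms in parse_grants(text):
        if not cls.endswith(".Role") or name not in UNAUTHENTICATED_ROLES:
            continue
        for perm_cls, target, actions in perms:
            short = perm_cls.rsplit(".", 1)[-1]
            if short in ("PagePermission", "AllPermission"):
                findings.append((name, short, target, ",".join(actions)))
    return findings

# Constructed sample: trimmed locked-down policy; STOCK uncomments the original block.
LOCKED = '''
//grant principal org.apache.wiki.auth.authorize.Role "All" {
//    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
//};
grant principal org.apache.wiki.auth.authorize.Role "All" {
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "login";
};
grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
};
grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify,rename";
};
'''
STOCK = LOCKED.replace("//", "")
if __name__ == "__main__":
    print("locked:", audit(LOCKED), "| stock:", audit(STOCK))
```

An empty result for the deployed file means no role below "Authenticated" holds page permissions; running it again after upgrades catches a policy file that was silently replaced with the stock one.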

Enjoy, and if you have any problems please leave a comment.

2013 in review

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 24,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 9 sold-out performances for that many people to see it.

Click here to see the complete report.

Microsoft Outlook: UI designers on drugs

Outlook 2010: you want to export a PST of your account contents, you say? Sure – once you’ve flailed around looking for the “Export” button, you in fact achieve this by navigating to “File -> Open”. Then, you click on the “Import” button. Yup, “File -> Open -> Import”. Once you’ve done that, then you’ll see a handy option for performing a file export. Nice.

Outlook Export PST 1

Outlook Export PST 2

Outlook 2010: You’ve got an inbox or whatever containing several thousand items. You make a selection with the mouse of a certain number, and you want Outlook to tell you just how many you’ve got selected. No, you’re not crazy: Microsoft’s flagship email application, the one you hopefully paid a tonne of cash for a license, is incapable of doing this.

Outlook Web App: We’ve been here before, but let’s also highlight another drug-induced design decision. I’m viewing the contents of my inbox, or whatever. I want to perform a search for something in the current folder, but the default search option is to search the entire fucking mail account every time. Just, why?

Outlook Web App default search

Configure Apple Mail 4.6 with Gmail

This is a brief guide describing how to quickly configure Apple Mail with Gmail over IMAP. This is pertaining to an old release of Mac OS, specifically OS 10.6.8, which is running Apple Mail 4.6. I am documenting this for the benefit of readers stuck on Mac OS 10.6 and who have been saddled with Apple Mail in lieu of a vastly superior, free, openly-developed mail client such as Thunderbird. Note that the procedure documented here may differ in later releases of Mac OS.

Note that IMAP must be first enabled in the Gmail account in question. Be sure to disable the labels you do not wish to access as folders in Apple Mail (especially the “All Mail” folder) as documented here.

The Gmail account can be created in Apple Mail using the add account wizard (or first-run setup procedure), which will attempt to obtain the correct server settings (incoming and outgoing servers, username) automatically. Note that if using an “@gmail.com” address the server settings will be retrieved correctly. However, if using a Google Apps Gmail account with a custom domain name (e.g. “@mycompany.co.nz”), the server and username settings will need to be configured manually (according to the Google documentation for IMAP client connections).

Once the account is added we need to perform some additional steps.

By default, Apple will use separate local folders (called “mailboxes” in Apple Mail-speak for some bizarre reason) for the account Sent and Trash folders. We need to map the Gmail “Sent Mail” and “Bin” IMAP folders to these local folders, so that when email is sent or deleted in Apple Mail it will be updated in the server-side Gmail “Sent Mail” and “Bin” folders, respectively.

To do this, first select the relevant Gmail folder, and then go to “Mailbox -> Use This Mailbox For”. In this example we are mapping the Gmail “Sent Mail” folder to be used for Apple Mail sent items. The “Sent” folder visible at the top-left of the folder listing in Apple Mail will then contain and be synchronised with our Gmail “Sent Mail” folder:

Apple Mail IMAP folder mapping

Perform the same for mapping the Apple Mail “Trash” folder to the Gmail “Bin” folder. Once done, test that sent mail and deleted items are synchronised both ways between Apple Mail and Gmail (use the Gmail web interface to verify this). If these steps are missed or misconfigured, you will end up with local mail stores in Apple Mail for sent and deleted items (this is totally undesirable for reasons of backup, amongst other things).

Note that counter to the official Google documentation (and what we would configure in Thunderbird for example), with the above folder mapping configuration in place we have to configure Apple Mail to store sent items on the server. Mail sent out through Google’s SMTP servers is normally copied into the “Sent Items” folder anyway regardless of the client settings, but in Apple Mail this has to be enabled explicitly (as disabling it also disables the folder mapping performed above):

Settings in Apple Mail for sent items.

Finally, in Apple Mail we disable the built-in Junk email filter (as spam filtering is performed automatically in Gmail):

Settings in Apple Mail for junk email.

Apple Mail should now be configured successfully for basic interoperability with Gmail.

The bane of my life (and probably everybody else’s)

I think folks have every reasonable cause to question the general competence of IT persons who design authentication systems that mandate an exact password length, or a maximum password length (say, 10 characters max), or passwords which must not contain certain characters, or lock your account out after three (why three?) attempts.

Also cute – government online service providers that ask you to fill out a “forgotten password phrase” when you set up your account initially. How are mere mortals supposed to remember the phrase two years down the track without writing it down or reusing it? And how is this supposed to be more secure than your basic security questions?

Hello DuckDuckGo (and goodbye google.com)

DuckDuckGo logo

Yeah, I can now really do with less targeted advertising, a search homepage which isn’t like a giant ad itself, and Google mining my search queries to “enhance” their floundering me-too social network. Plus that other nasty business. So I’ve switched to DuckDuckGo. It’s like google.com of old, searches are anonymized, and it’s got a cooler name to boot.

The standard DuckDuckGo search provider add-on for Firefox (the best darn browser around) can be found here.

Natural pest control, Nepenthes-style

It’s a marvellous thing seeing the efficiency with which my pitcher plant can trap and kill food when simply left to its own devices. Bugs are attracted to the nectar, clamber into the traps and become nom noms for the plant. What’s more, it really loves the New Zealand climate combined with being parked next to an open bathroom window. Pitcher plants make a terrific addition to the household for natural pest control. Quite pretty to boot.

Pitcher plant

Oracle nukes Sun Ray and VDI

I shouldn’t be surprised, but still: Oracle to halt development of Sun virtualization technologies

What’s really, really rich was one of Oracle’s own folks only a couple of months ago stating the following on the Sun Ray Users mailing list:

“Oracle does not keep acquired products that they do not believe have a future. I’d challenge you to compare release timelines from both Sun and Oracle and see under which flag the product has had more major releases and more features. If Oracle was not committed to Sun Ray and VDI, it would have been gone very soon after the acquisition.

I can tell you Oracle is committed to Sun Ray and VDI. I get that people are unhappy with some of the changes (Firmware requiring a support contract, Public road maps, social media changes), but those things have very little bearing on whether or not Oracle is committed.”

Whoopsies.

At the day job we migrated from Sun Ray onto Onelan for our digital signage needs, and after that my contact with either Sun Ray or Solaris dropped to zero. Still, sad to see what was a fantastic platform kicked to the curb, joining the myriad other Sun products and projects which Oracle has bungled, mismanaged, or ejected – presumably to support the unbelievably crass lifestyle of the guy ostensibly running the joint. Sad times.

Sun Ray installation