Category Archives: Apache Roller

Apache Roller 5 problems on GlassFish 3.0.1

I recently installed Apache Roller 5 on GlassFish 3.0.1 (on an OpenIndiana host with JDK 6u26, connecting to a PostgreSQL 8.4 database) and had the rather unusual behaviour of the Roller web app seemingly failing after an arbitrary period of time, followed by the GlassFish domain itself stopping.

I have two GlassFish domains set up on the host in question, one serving up JSPWiki, the other serving Roller. The JSPWiki domain remained stable, so I figured this was possibly either a problem with Roller 5.0 or a port conflict issue between the two domains. Even after recreating the second domain with the --portbase option and ensuring there were no conflicting ports, Roller would still eventually crap out followed by the domain itself, with seemingly nothing of relevance logged.

I upgraded to GlassFish 3.1.1 and so far things are perfectly stable – so I guess this was due to some issue with GlassFish 3.0.1 in the end.

Apache Roller 5 running the Lightword theme


blogs.oracle.com now runs on Apache Roller

I was quite surprised to see this:

“Blogs.oracle.com, previously on the Movable Type platform, has packed its bags and moved over to the Apache Roller platform.”:

http://blogs.oracle.com/otn/entry/the_blogs_rolling_on_with

Nice to see one part of blogs.sun.com survive the transition, and a huge endorsement of Roller surely! 🙂

Cool new Apache Roller theme…

Spied on the Apache Roller users list: Ralf Eichinger has adapted this beautiful theme:

http://blog.datazuul.com/roller/entry/new_apache_roller_theme_lightword

Well done Ralf! 🙂

Use OpenDS for Thunderbird LDAP Address Book data

Trey Drake at Sun Microsystems has a quick little post for trying this with Apple Address Book:

http://blogs.sun.com/treydrake/entry/mac_address_book_and_opends

“Works like a charm” indeed, and doing the same with Thunderbird proves to be just as easy 🙂 Using the OpenDS setup instructions outlined in my Apache Roller post, and using Thunderbird 3.0 on OpenSolaris snv_134 x64, one simply configures an LDAP address book like so:

OpenDS LDAP Address Book in Thunderbird

By default OpenDS allows anonymous read and search access to the directory, so the address book does not need to bind with credentials. Keep in mind what that means: anyone who can reach the LDAP port can read the same entries. That is fine for a lab host, but restrict anonymous access (or bind as a low-privilege account) before the directory is reachable from anywhere else.

Additionally, I’ve set up my OpenDS server to run automatically as a service using SMF – the guide which I followed to achieve this is here:

https://docs.opends.org/2.2/page/ManagingTheDirectoryServerAsAnSMFServiceOpenSolarisOnly

The only problem I encountered after configuring the above was getting the ldap user to access the OpenDS control panel GUI without X server security errors. One has to use the xhost command to grant access to the X server for the ldap user. Granting access by SI:localuser:ldap limits it to that one local user, which is preferable to the blanket xhost + that is often suggested, since that disables X access control entirely:

$ xhost  
access control enabled, only authorized clients can connect
SI:localuser:gdm
SI:localuser:root

$ pfexec xhost +SI:localuser:ldap
localuser:ldap being added to access control list

$ xhost                          
access control enabled, only authorized clients can connect
SI:localuser:ldap
SI:localuser:gdm
SI:localuser:root

After which I could launch the OpenDS control-panel application as the ldap user fine – although I haven’t determined yet how to make this persistent across reboots or desktop logins.

Using Apache Roller with OpenDS for LDAP authentication

This is a basic guide and is more a set of self-help notes while I learn about LDAP. Even so, at the end of this you’ll have an idea about how to securely authenticate to Roller with user account information held in an OpenDS LDAP directory.

We are using OpenDS v2.2, and an OpenSolaris system running Apache Roller as described in detail in my post here. This how-to assumes you have a freshly installed instance of Roller as described in that link, and have created the initial Roller administrator account with a username of “admin”.


Install OpenDS v2.2

The OpenDS installer is a thing of beauty, and a model for how easy software download and installation could be. Matter of fact, with its built-in Java monitoring and administration control panels, the whole package is pretty darn cool.

Go to http://www.opends.org/ and click the “Get 2.2 now!” link. (Make sure you have a recent JRE installed and a decent internet connection.)

You’ll be presented with the OpenDS QuickSetup Welcome screen. We want to install a new server instance:

OpenDS QuickSetup Welcome screen

Enter your installation path, and under “LDAP Secure Access”, click the “Configure…” button; in the following screen enable SSL access, and generate a self-signed certificate. All other settings are fine at their defaults:

OpenDS Server Settings

OpenDS configure SSL

We want a standalone server:

OpenDS standalone server

For our Directory Data, the default Directory Base DN of dc=example,dc=com is fine. We also only want to create the base entry for now:

OpenDS Directory Data

Review the settings, and click “Finish” to complete. Once OpenDS has worked its magic, launch the OpenDS control panel, and select the local server instance to manage:

OpenDS installation finished

OpenDS control panel login


Create LDAP account information in OpenDS

We’ll now quickly populate our OpenDS directory with some very basic user information.

In the OpenDS Control Panel main view, click the “Directory Data” disclosure arrow on the left-hand of the window, and select “Manage Entries”. In the “Manage Entries” window that appears, select “Entries” on the menu bar, then select “New Organizational Unit”. Name the new OU “People”:

OpenDS - create People OU

Select the newly created “People” OU, and from the “Entries” menu, select “New User…”. Enter the information as follows, noting that the value for “User ID” (UID) will be the same as the Roller account username (in this case, the initial Roller administrator account):

OpenDS - create an admin user

Create additional entries in the same way if you like:

OpenDS - create additional users


Import the OpenDS SSL certificate into the system and Glassfish domain keystores

We are setting this up with secure connections all round, so Roller (that is, the JVM running the GlassFish domain) needs to trust the OpenDS server certificate. When installing OpenDS we generated a self-signed certificate, so there is no CA to chain to; we simply locate that certificate and import it into the relevant truststores, using the keytool command.

I’ve installed OpenDS to /opt/OpenDS, so the OpenDS keystore is located at /opt/OpenDS/config/keystore.

The truststores for the system JRE, and for the GlassFish domain containing the instance of Roller, are located respectively at:

/usr/java/jre/lib/security/cacerts
/var/appserver/domains/domain1/config/cacerts.jks


Let’s view the contents of the OpenDS keystore. Note that this keystore holds the server’s private key (the entry type is PrivateKeyEntry), which is why it is password-protected and readable only with elevated privileges; nothing in the steps below copies the private key anywhere:

$ pfexec keytool -list -v -keystore /opt/OpenDS/config/keystore
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server-cert
Creation date: 3/05/2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=afterburner, O=OpenDS Self-Signed Certificate
Issuer: CN=afterburner, O=OpenDS Self-Signed Certificate
Serial number: 
Valid from: Mon May 03 16:38:02 NZST 2010 until: Wed May 02 16:38:02 NZST 2012
Certificate fingerprints:
	 MD5:  
	 SHA1: 
	 Signature algorithm name: SHA1withRSA
	 Version: 3


Now, export the OpenDS certificate to a file. keytool -export writes only the public certificate (DER-encoded), never the private key, so the resulting file is safe to copy around:

$ pfexec keytool -export -alias "server-cert" \
-keystore /opt/OpenDS/config/keystore -file /tmp/server-cert.cer
Enter keystore password:  
Certificate stored in file /tmp/server-cert.cer


Then import the exported certificate into the Java system truststore (the default password for the JRE’s cacerts file is changeit). Before answering yes to the trust prompt, check that the fingerprints printed match those from the keystore listing above; that is the one point at which a swapped file would be caught:

$ pfexec keytool -import -v -trustcacerts -alias "server-cert" \
-keystore /usr/java/jre/lib/security/cacerts -file /tmp/server-cert.cer
Enter keystore password:  
Owner: CN=afterburner, O=OpenDS Self-Signed Certificate
Issuer: CN=afterburner, O=OpenDS Self-Signed Certificate
Serial number: 
Valid from: Mon May 03 16:38:02 NZST 2010 until: Wed May 02 16:38:02 NZST 2012
Certificate fingerprints:
	 MD5:  
	 SHA1: 
	 Signature algorithm name: SHA1withRSA
	 Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing /usr/java/jre/lib/security/cacerts]


And do the same for the Glassfish Roller domain keystore:

$ pfexec keytool -import -v -trustcacerts -alias "server-cert" \
-keystore /var/appserver/domains/domain1/config/cacerts.jks \
-file /tmp/server-cert.cer
Enter keystore password:  
Certificate already exists in system-wide CA keystore under alias server-cert
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore
[Storing /var/appserver/domains/domain1/config/cacerts.jks]


Configure Roller for LDAP authentication

This involves modifications to the Roller security.xml file to enable LDAP logins, as well as a small change to the roller-custom.properties file. The security.xml file is located (on my system) at /opt/Roller/webapp/roller/WEB-INF. Let’s modify this file first.


Under the AUTHENTICATION section of security.xml I’ve added /roller-ui/user.do*=register to the value list for the filterInvocationInterceptor bean. Then under the authenticationManager bean I’ve commented out daoAuthenticationProvider and uncommented ldapAuthProvider.

A copy of this section of my security.xml file follows:


    <!-- ======================== AUTHENTICATION ======================= -->
    
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
         <property name="objectDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                /roller-ui/login-redirect**=admin,editor
                /roller-ui/profile**=admin,editor
                /roller-ui/createWeblog**=admin,editor
                /roller-ui/menu**=admin,editor
                /roller-ui/authoring/**=admin,editor
                /roller-ui/admin/**=admin
                /roller-ui/user.do*=register
                /rewrite-status*=admin
            </value>
                <!-- Add this to above list for LDAP/SSO configuration -->
                <!-- /roller-ui/user.do*=register -->
        </property>
    </bean>

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <!-- <ref local="daoAuthenticationProvider"/> -->
                <ref local="ldapAuthProvider"/>
                <!-- Uncomment this for CAS/SSO configuration <ref local="casAuthenticationProvider"/> -->
                <ref local="anonymousAuthenticationProvider"/>                
                <!-- rememberMeAuthenticationProvider added programmatically -->
            </list>
        </property>
    </bean>


Next, proceed to the LDAP AUTHENTICATION section of security.xml and uncomment the sample block visible there. Most of it is fine as-is, but we set the constructor-arg value for the initialDirContextFactory bean to the LDAPS URL and base DN of our server, and the values for managerDn and managerPassword to the account Roller will use to look up users. I’ve used the OpenDS root account (cn=Directory Manager) here for simplicity; since this account only needs to search for entries under ou=People, a dedicated read-only bind account would be the least-privilege choice, particularly as the password sits in cleartext in security.xml. Note also that the self-signed certificate was issued for CN=afterburner while the URL names localhost: the Java 6 LDAP provider does not check the certificate against the hostname, but newer JDKs (8u181 and later) do, and there the URL would need to use the hostname in the certificate.

A copy of this section of my security.xml file follows:


    <!-- ===================== LDAP AUTHENTICATION ==================== -->

    <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldaps://localhost:1636/dc=example,dc=com"/>
        <property name="managerDn" value="cn=Directory Manager"/>
        <property name="managerPassword" value="somepassword"/>
    </bean>
   
    <bean id="ldapUserSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value=""/>
        <constructor-arg index="1" value="uid={0}"/>
        <constructor-arg index="2" ref="initialDirContextFactory"/>         
        <property name="searchSubtree" value="true"/>           
    </bean>     
    
    <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg ref="initialDirContextFactory"/>
                <property name="userSearch" ref="ldapUserSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg ref="jdbcAuthoritiesPopulator"/>
        <property name="userCache" ref="userCache"/>
    </bean>    
    
    <bean id="jdbcAuthoritiesPopulator" class="org.apache.roller.weblogger.ui.core.security.AuthoritiesPopulator">
        <property name="defaultRole" value="register"/>       
    </bean>


Now, add the following entry to roller-custom.properties (which resides on my system at /var/appserver/domains/domain1/lib/classes):

users.sso.enabled=true

A shout out to Trey Drake from Sun Microsystems who originally blogged about this at http://blogs.sun.com/treydrake/entry/opends_roller_integration.


Log in to Roller using LDAP authentication

The caveat here is that Roller user accounts must already exist for successful LDAP authentication; LDAP+Roller will not provision them automatically, at least not with this simple setup.

Restart the Glassfish Roller domain (and possibly the Roller MySQL database as well for completeness) and you should now be able to log in to Roller with the username admin, using the LDAP password specified when you created the corresponding admin account in OpenDS.

Additional Roller user accounts you create as the Roller admin user (using the Roller admin BUI) can use LDAP for authentication, provided the username you specify for the Roller user account is the same as the UID (User ID) for the corresponding OpenDS entry.
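To check the whole chain outside of Roller, here is an added example (my own code for this post, not part of Roller, Acegi or OpenDS) that does what the security.xml above configures: it confirms that the GlassFish domain truststore actually contains the OpenDS certificate, points JSSE at that truststore, binds as the manager account to resolve a uid to a DN with the uid={0} filter, and then binds as that DN with the user’s password. It assumes the values used above (ldaps://localhost:1636, dc=example,dc=com, cn=Directory Manager, the alias server-cert, and /var/appserver/domains/domain1/config/cacerts.jks with GlassFish’s default truststore password changeit); the OPENDS_MANAGER_PW environment variable and the class name LdapBindCheck are names chosen for this example. Running it with a known-good user is a quick way to tell an LDAP problem (certificate, bind DN, search base) from the missing-Roller-account caveat above.

```java
// Added example, not code from the original post or from Roller/Acegi/OpenDS.
// Reproduces Roller's search-then-bind LDAP authentication as a stand-alone check.
// Assumed values (change to match your setup): URL, MANAGER_DN, TRUSTSTORE, ALIAS below;
// OPENDS_MANAGER_PW is an environment variable name chosen for this example so the
// manager password stays out of the command line and shell history.
//
// Build and run (JDK 6 or later):
//   javac LdapBindCheck.java
//   OPENDS_MANAGER_PW=... java LdapBindCheck admin 'user-password'

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindCheck {
    static final String URL = "ldaps://localhost:1636/dc=example,dc=com";   // as in security.xml
    static final String MANAGER_DN = "cn=Directory Manager";
    static final String TRUSTSTORE = "/var/appserver/domains/domain1/config/cacerts.jks";
    static final String TRUSTSTORE_PW = "changeit";   // GlassFish default master password
    static final String ALIAS = "server-cert";

    // SHA1 fingerprint in keytool's AA:BB:... form, to compare with "keytool -list -v" output.
    static String sha1Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Confirm the truststore holds the OpenDS certificate, then point JSSE at it.
    // Must run before the first LDAPS connection is opened.
    static void checkTruststore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(TRUSTSTORE);
        try { ks.load(in, TRUSTSTORE_PW.toCharArray()); } finally { in.close(); }
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        if (cert == null) throw new IllegalStateException("alias " + ALIAS + " not found in " + TRUSTSTORE);
        cert.checkValidity();   // throws if the self-signed cert has expired (they were issued for two years)
        System.out.println("Trusting " + cert.getSubjectX500Principal() + " SHA1 " + sha1Fingerprint(cert));
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PW);
    }

    // Simple bind over LDAPS; the ldaps:// scheme in the URL selects SSL.
    static DirContext bind(String dn, String password) throws Exception {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Step 1 (FilterBasedLdapUserSearch): bind as the manager and resolve uid -> DN, subtree scope.
    // The uid is passed as a filter argument so JNDI escapes it instead of splicing it into the filter.
    static String findUserDn(String managerPw, String uid) throws Exception {
        DirContext ctx = bind(MANAGER_DN, managerPw);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // searchSubtree=true
            sc.setReturningAttributes(new String[0]);           // we only need the DN
            NamingEnumeration<SearchResult> hits = ctx.search("", "(uid={0})", new Object[] { uid }, sc);
            if (!hits.hasMore()) throw new IllegalStateException("no entry with uid=" + uid);
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) throw new IllegalStateException("uid=" + uid + " is not unique");
            return dn;
        } finally {
            ctx.close();
        }
    }

    // Step 2 (BindAuthenticator): bind as the resolved DN with the user's password.
    static boolean authenticate(String managerPw, String uid, String password) throws Exception {
        // An LDAP simple bind with a DN and an empty password is an unauthenticated bind,
        // which a server may accept as anonymous; never let that count as a login.
        if (password == null || password.length() == 0) return false;
        String dn = findUserDn(managerPw, uid);
        try {
            bind(dn, password).close();
            System.out.println("bind OK as " + dn);
            return true;
        } catch (AuthenticationException e) {
            System.out.println("bind REJECTED for " + dn + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("usage: LdapBindCheck <uid> <password>"); System.exit(2); }
        String managerPw = System.getenv("OPENDS_MANAGER_PW");
        if (managerPw == null) { System.err.println("set OPENDS_MANAGER_PW"); System.exit(2); }
        checkTruststore();
        System.exit(authenticate(managerPw, args[0], args[1]) ? 0 : 1);
    }
}
```

The empty-password check is there deliberately: RFC 4513 defines a simple bind with a name and empty password as an unauthenticated bind, which some servers accept rather than reject, so it must be treated as a failure before it ever reaches the server. If the truststore check passes but the manager bind fails with an SSL handshake error, the certificate the JVM is actually using is not the one imported above; if the user bind is rejected while the manager bind succeeds, the uid or password is wrong in OpenDS, not in Roller.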

What’s new in Apache Roller 5.0

Dave Johnson, the primary developer behind the Apache Roller blogging platform, has posted a “what’s new” list for the upcoming Apache Roller 5.0 release:

https://cwiki.apache.org/confluence/display/ROLLER/What%27s+new+in+Roller+5.0

Lots of incremental improvements to an already solid application – good stuff.

Install and run Apache Roller 4.01 on OpenSolaris

Although I use WordPress for this blog, I’m also familiar with Apache Roller, a Java-based enterprise blogging system that is famously used to power the IBM developerWorks blogs and blogs.sun.com sites.

http://roller.apache.org/
http://en.wikipedia.org/wiki/Apache_Roller

Although WordPress undoubtedly has more bells and whistles, with themes and plug-ins galore, I find Roller quicker and less fussy in operation, with far more comprehensive documentation – and its scalability cannot be denied. This guide will enable you to install and run Apache Roller for the purposes of evaluation and tinkering.

We will be using OpenSolaris snv_134 x64, with Apache Roller 4.01, Glassfish v2.1, and MySQL 5.1.


1) Install MySQL 5.1

We need both the database, and the JDBC connector. Both are available using the IPS Package Manager GUI. On my snv_134 system, MySQL 5.1 was already installed, but if it isn’t simply point and click.

The package names are:

database/mysql-51
database/mysql-50/connector/jdbc

Install MySQL from IPS


2) Create a system-wide properties file for MySQL

This is achieved by creating the file /etc/my.cnf.

Roller requires UTF-8 support, and I also wanted to set the default MySQL storage engine to InnoDB. The contents of my configuration file are therefore:

[mysqld]
# UTF-8 for Roller; on MySQL 5.5 and later this option no longer exists in
# the [mysqld] section and character-set-server=utf8 should be used instead
default-character-set=utf8
default-storage-engine=innodb



3) Run the initial MySQL setup script

Execute the following:

$ pfexec /usr/mysql/5.1/bin/mysql_install_db --user=mysql

You should observe the following output:

Installing MySQL system tables...
100426 20:07:30 [Warning] Forcing shutdown of 2 plugins
OK
Filling help tables...
100426 20:07:30 [Warning] Forcing shutdown of 2 plugins
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/mysql/5.1/bin/mysqladmin -u root password 'somepassword'
/usr/mysql/5.1/bin/mysqladmin -u root -h afterburner password 'somepassword'

Alternatively you can run:
/usr/mysql/5.1/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr/mysql/5.1 ; /usr/mysql/5.1/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql/5.1/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/mysql/5.1/bin/mysqlbug script!

The latest information about MySQL is available at http://www.mysql.com/
Support MySQL by buying support/licenses from http://shop.mysql.com/


4) Start the MySQL server

On OpenSolaris, this is controlled by SMF. Enter the following command:

$ pfexec svcadm enable mysql:version_51

Verify the server is running:

$ svcs -a | grep mysql                    
disabled       19:43:08 svc:/application/database/mysql:version_50
online         23:08:12 svc:/application/database/mysql:version_51


5) Secure the default MySQL root account

I followed the two steps detailed in the CLI output in step 3); in summary (afterburner is the name of my host; change this to your own hostname). Passing the password on the command line like this leaves it in your shell history and briefly visible in the process list; running mysql_secure_installation instead prompts for it interactively and also takes care of the anonymous accounts and test database:

$ pfexec /usr/mysql/5.1/bin/mysqladmin -u root password 'somepassword'
$ pfexec /usr/mysql/5.1/bin/mysqladmin -u root -h afterburner password 'somepassword'

I also followed the procedure at http://dev.mysql.com/doc/refman/5.1/en/default-privileges.html to remove the MySQL anonymous accounts.


6) Create a database for Roller

Now that we have set up and configured MySQL, we can proceed with setting up Roller. First, we need to create the database that Roller will populate with its tables on first run. This is covered on page 7 of the Roller Install Guide (available from here), under step 5.1 (“Create a database for Roller”).

The example given in the guide is reproduced similarly here; rollerdb is the name of the database we are creating, and the MySQL user rolleradm is created dynamically by the grant command, along with the password specified (‘somepassword’ in the example). Change these values as needed. Note that the rolleradm@'%' grant allows that account to connect from any host; since Roller in this setup connects to localhost:3306, only the rolleradm@localhost grant is actually needed, and the '%' grant can be omitted unless the database lives on another machine:

$ pfexec /usr/mysql/5.1/bin/mysql -u root -p

mysql> create database rollerdb;
mysql> grant all on rollerdb.* to rolleradm@'%' identified by 'somepassword';
mysql> grant all on rollerdb.* to rolleradm@localhost identified by 'somepassword';
mysql> exit


7) Install and configure Glassfish

The Glassfish application server will contain the Roller web app. Fortunately, it’s also available from IPS as a one-click install.

The package name is:

web/glassfish-2

Install Glassfish using IPS

Once installed, create the directories for the Glassfish domains:

$ pfexec mkdir /var/appserver
$ pfexec mkdir /var/appserver/domains

Then run the asadmin command, and create the domain domain1:

$ pfexec asadmin
asadmin> create-domain --adminport 8081 --domaindir /var/appserver/domains/ domain1
Please enter the admin user name>admin
Please enter the admin password>
Please enter the admin password again>
Please enter the master password [Enter to accept the default]:>
Please enter the master password again [Enter to accept the default]:>
Using port 8081 for Admin.
Using default port 8080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using default port 8181 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file.
------ Using Profile [developer] to create the domain ------
XML processing for profile: Base document [/usr/appserver/lib/install/templates/default-domain.xml.template]. Profile name [developer]. Processing property [domain.xml.style-sheets].

Security Store uses: JKS
Domain domain1 created.
asadmin> exit


Start the domain:

$ pfexec asadmin start-domain domain1
Starting Domain domain1, please wait.
Default Log location is /var/appserver/domains/domain1/logs/server.log.
Redirecting output to /var/appserver/domains/domain1/logs/server.log
Domain domain1 is ready to receive client requests. Additional services are being started in background. 
Domain [domain1] is running [Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)] with its configuration and logs at: [/var/appserver/domains].
Admin Console is available at [http://localhost:8081].
Use the same port [8081] for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1  /__wstx-services ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://afterburner:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 8081 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.


Once the domain is running, point your web browser to http://127.0.0.1:8081 to access the Glassfish admin BUI. I prefer secure connections to everything myself, even when running development setups – so the first thing I do is enable a secure connection to the Glassfish admin BUI. This is as simple as ticking the “Enabled” tickbox for the “Security” parameter, under “Configuration -> HTTP Service -> HTTP Listeners -> admin-listener”:

Enable a secure Glassfish admin interface


8) Download and install Roller

The Roller 4.01 download page may be found at: http://roller.apache.org/download.cgi#roller40

I decompressed the .zip file to /opt and created a symbolic link so I could access it at /opt/Roller


9) Install the JDBC connector

In step 1) we downloaded the JDBC connector using IPS. To install it for use with Roller:

$ cd /var/appserver/domains/domain1/lib/
$ pfexec cp /usr/mysql/connectors/jdbc/5.1/mysql-connector-java-5.1.5-bin.jar .


10) Create a custom Roller startup properties override file

I created a roller-custom.properties file that contains startup override settings for Roller. This is placed at /var/appserver/domains/domain1/lib/classes

My roller-custom.properties file contains:

installation.type=auto
database.configurationType=jdbc
database.jdbc.driverClass=com.mysql.jdbc.Driver
database.jdbc.connectionURL=jdbc:mysql://localhost:3306/rollerdb
database.jdbc.username=rolleradm
database.jdbc.password=somepassword
mail.configurationType=properties
mail.hostname=mymailserver.company.com
securelogin.enabled=true

The JDBC credentials visible above are those of the MySQL user with permissions on the Roller database, as covered in step 6). Because the password is stored here in cleartext, make sure the file is readable only by the account the GlassFish domain runs as.


11) Deploy Roller to Glassfish

Refer to page 11 of the Roller Install Guide. I’m using the Glassfish BUI to upload /opt/Roller/webapp/roller

Deploy Roller to Glassfish

In our roller-custom.properties file we have specified secure logins to Roller. We therefore need to enable an HTTP listener in Glassfish that listens on port 8443 (which Roller uses for HTTPS logins). I’ve used the existing http-listener-2 listener, enabled the “Security” setting, and changed the “Listener Port” to 8443:

Enable an HTTPS listener in Glassfish for Roller


12) Launch Roller and complete setup

Finally, we now navigate to http://localhost:8080/roller and let Roller work its magic:

Roller - create database tables?

Roller welcome screen

If you have trouble with the above steps, be sure to inspect any error messages closely, as Roller is actually helpfully descriptive about why it cannot launch. Undeploying/redeploying Roller in Glassfish, and restarting the Glassfish domain containing Roller may also help.

As a final step, I looked over the “Configuration tips and tricks” section in the Install Guide, and decided to perform the security step detailed on page 15 in step 9.2 – “Changing keys in security.xml”.


You should now be ready to explore Roller:

Dave's Blog in Roller