open source code

Pac4J Integration with Embedded Tomcat 10 using Generic OAuth via Keycloak

(I will ramble for a bit, if you just want the guide jump below) I want to start a series more around programing than the other articles I have put up here. I know everyone here knows me as the good-looking hardware hacking guy, but most of my time at work is spent on programming and systems automation. I haven’t used the programming tag on this blog in a while, and I want to start this new series beginning with discussing upgrading to Tomcat 10.

I have for years been using an embedded Tomcat + Servlet backend, with a jQuery frontend for different small webapps I have made. I know for anyone who learned webdev in the recent past that sounds very old. I am using more and more Dropwizard and React these days, but that does leave my legacy projects on this old framework. While not the newest or flashiest thing, it does perform well with some systems handling hundreds to thousands of calls a second. (My hope is to get approval and open source some of them soon.) With the changes in the Java universe, (after Oracle bought Sun and decided to ruin everyone’s fun and causing splintering) I had to start moving from the traditional JavaX servlet namespace that Tomcat 9 and before used to Tomcat 10s Jakarta namespace. Migrating the servlets themselves was not so bad. The first big issue arose around Google’s OAuth library. I have used this library for a long time. It provides the easy-ish ability to connect to any OAuth server you want (I have specific ones at work I use) for authentication. Recently Google, doing what they do, marked this library as Maintenance Mode Only, stating they would only do emergency security fixes, but overall, its abandoned. Not what you want to hear from your authentication library. They also are not planning to move it over the Jakarta namespace making me stuck on Tomcat 9 for as long as it has support. This should be a long-time sine many big companies and projects are right where I was, and the plan is for 9 and 10 to develop together for a long time. This does mean that I cannot use the newer features of Java though. From this I knew I had to start looking at other options.

Every time I have to work on auth systems, it is maze, and once I get it working, I want it to stay working for a while, where I hopefully don’t have to touch it. There are not a ton of OAuth libraries for Java backend systems, and I wanted one that I knew had community support and would last for a while. That brought me to the popular PAC4J project. A lot of the guides I found for using this were around using JavaX and/or using PAC4J to integrate with Google Auth, or Facebook Auth, or other auth systems. I want to be able to use the systems at work, or a more generic provider such as Keycloak. I spent a good amount of time bringing different bits of information together to get a fully working PAC4J 5.7 + Tomcat 10 + Servlets setup working. I posted it on Github, and below has a guide on how to configure Keycloak in Docker to demonstrate this. This took a fair amount of time to put together, I hope it helps you out there, if it does, please give the post a like or star the repo, it pushes me to keep doing these tutorials.

Keycloak Setup

To start at the beginning, Keycloak is a webserver that works as an Identity Provider (IDP). It has its own database for users and groups, or can link into many other systems such as Google, Facebook, and many more. When hooking up to it, you can decide to use SAML or OpenID. I tend to use OAuth which is a subset of the OpenID standard (I think thats the order). This guide will use Keycloak as our IDP, then connect to that with RAC4J. I do believe PAC4J has a more native and easier to use Keycloak integration, but where is the fun in that.

Keycloak out of the box has a Docker image for development. You optionally can attach persistent storage to make users and groups stay after you delete and rebuild the container. Using this container with local storage is not a good setup this way for production, you should use a database like Postgres to back the container instead. But for our home testing this setup is fine and will work well. I use persistent storage so I can have a local Keycloak that can be updated without recreating everything. More information about the Keycloak docker container can be found here.

Setting up Keycloak with persistent storage

docker volume create keycloak
# We need to set the keycloak user to be the owner of that folder
docker run --rm --entrypoint chown -v keycloak:/keycloak alpine -R 1000:0 /keycloak
docker run -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -v keycloak:/opt/keycloak/data/h2 quay.io/keycloak/keycloak:20.0.2 start-dev --http-relative-path /auth

Setting up Keycloak WITHOUT persistent storage

docker run -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.2 start-dev --http-relative-path /auth

After a minute you should be able to browse to “http://127.0.0.1:8081/auth” and get:

Keycloak can use OpenID as its connector which is more of a superset of OAuth itself. For this guide I want to go over using OAuth; so we will tweak some of the Keycloak configs to work how we want, as a generic OAuth provider.

Login with the username and password of “admin” that we set in creating the container
Click in the top left dropdown where it says “master” and create a new realm, we will call it “example“
Now that we are in your new realm, go to “Users” on the left
- Create a new user, lets name this new user “Jon” (or whatever your heart desires)
- Once created, click the “Credentials” tab, and set a password, I disable “temporary password” because this is not a production auth system
Click “Client Scopes” in the top left
- “Create client scope“
- Name “openid”
- Type “Default“
- Save
- “Mappers” tab
- “Add predefined mapper“
- I did “full name”, “email”, “username”, “groups”
- Note: I found the add screen here buggy, if you page to the next list of mappers, saving doesn’t work, so do one page at a time
Click “Clients” in the top left
- “Create client“
- Client-id “example-client”, I like to enable “Always display in console”, “Next”
- Enable “Client Authentication”, then save.
  - “Client Authentication” enables “confidential access type”, this is the classic OAuth where you need a client secret to access the server
- For this demo we need to enter “http://127.0.0.1:8080/oauth/redirect*” to the “Valid redirect URIs“, and save
- Go up to “Client scopes” and add the “openid” scope as a “Default” type
- Note: I have found with PAC4J + Keycloak specifically, if you do not add the openid type, then you will get through auth but when PAC4J goes to get user information you will get an error of WARN org.keycloak.events type=USER_INFO_REQUEST_ERROR, realmId=59d04435-daf4-4ca7-8623-195769911c0e, clientId=null, userId=null, ipAddress=172.17.0.1, error=access_denied, auth_method=validate_access_token. You may also see WARN org.keycloak.services KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request. If your client is not requesting the openid scope.
  - This can present itself to your client as a 401 or 403 error. As here and here, this helped me.
- Go to the “Credentials” tab, view the “Client secret” and save that for later

At this point going to http://127.0.0.1:8081/auth/realms/example/.well-known/openid-configuration will give you the OAuth endpoints we need.

Using The Example Code

Clone down the repository over at my Github. The README.md should contain what you need to get going! After adding your client secret from above, if you followed this guide, that demo should work for you with http://127.0.0.1:8080/ being the web app, and http://127.0.0.1:8081/auth being the auth server.

In the end you get a simple screen like this one that lets you play around with the functionality and experiment with the code.

Building a Tiny Classic Mac Part 3 – OS and Software

In building the project I wanted the computer to have the closest to the original feel as I could get. There were a few difficulties in the project, from the TFT screen, to the OS configuration. Yet in the end, I got a cute little replica running on top of a Raspberry Pi. I am not trying to break copyright, or profit from this. I simply do it as a fan of good hardware and past operating systems.

To start I want to mention that there are areas of this “guide” where I have been short, if you are unfamiliar with Linux, some of the parts in this config may give you problems. This project includes compiling code, adding scripts to boot, and configuring systems like VNC.

I loaded the standard Debian install onto a SD card to start (which at the time was Debian 6 or 7), then I started investigating the different original Motorola Mac emulators. The two main ones I found were Basilisk II and Mini vMac. Basilisk offers features such as Color, networking, and advanced features over Mini vMac. A very useful feature that Basilisk has is supporting a shared drive. You can tell the emulator that a folder on your Pi or any PC should show up as a hard drive in Mac OS 7. That way you can easily download games/software from archive.org or other locations, then load it onto the virtual system!

Mini vMac did offer greater compatibility for apps, while only being black and white, it seems to do a much deeper level of emulation; this makes it slower, but some apps that wont work on Basilisk will work on it. My solution in the end was to put both of the emulators on the box, pointing to the same virtual hard drive.

A script wraps the system, by default it auto boots into Basilisk, but if you “shutdown” the Mac in the emulator, you get a options screen that will allow you to switch modes the emulator is running in, the emulator itself, or some other settings. Some of the other settings including pairing Bluetooth, shutting down, or dropping to the console.

These files are available under https://github.com/daberkow/minimacparts. There is a SYSINIT script that starts the script, aka the wrapper, and gets the session started under the “pi” user, this goes in the /etc/init.d folder. Then there are folders for the different emulators in the /opt/mac folder.

Note: I used the current Raspberry Pi Debian build when I did this project, which at the time was using SYSINIT over the newer SystemD. If you want to use a newer build (which you probably should) you will have to translate my crummy SYSINIT script into a SystemD script. Feel free to pull request the repo! 🙂

One of the larger issues that had to be overcome was screen scaling. The screen I used is 480×320, but the original Macintosh resolution was 512 × 342. This had some of the emulators either cut off, or scrolling around the screen when the mouse got to a corner, which was not great. I could run the emulators at a smaller resolution, but some software was designed with that screen in mind and applications were cut off!

My solution was to use VNC, the system starts the emulator in a VNC session running at the native resolution, then the Pi screen connects to that session and enables scaling mode, shrinking it to the proper size. This way VNC worries about all the scaling, at a minor speed loss. I looked at different X configs to try to do the scaling that way, but the way this screen works, it gets upset and has problems very easily. The screen does not have a scaler of any sort, so you HAVE to send that resolution of 480×320 to it. The VNC solution works well. The different emulators have VNC config files that are copied to the running config right before its run depending on the emulators properties.

At this point we should discuss dependencies; TightVNC server was used for VNC. A quick minor note about VNC, you need to config the VNC users password, and then setup the script to auto-login with that password for the above script to work. Bluez Bluetooth stack and utils were used to be able so use Bluetooth peripherals. Basilisk and Mini vMac were compiled from source on the Pi 2 so that I could squeeze the most performance out of the little PC. Also its hard to find the latest versions ARM compiled online.

Basilisk II:

Basilisk has a good make file that you can use on the Pi as long as you have standard development environment setup, https://github.com/cebix/macemu/tree/master/BasiliskII.

Mini vMac:

The authors website offers a nice little service to have the website compile to code for you, or you can compile it yourself. Depending on your screen and how you want the app to start (a lot of those settings are hard coded in at compile time) http://www.gryphel.com/c/var/index.html.

I made one virtual hard drive, that both emulators used. Luckily they use a compatible hard drive image format. I set the first image up on my desktop just because it was easier. Then copied it over once I got the image in a good state. For years Apple gave out for free on their website Mac OS 7.5.3, then after a website update it seem to break a lot of the links. A few still worked but most over the years have stopped working. A lot of different sites have mirrors of those disks available though, if you search “System_7.5.3_01of19.smi.bin”, that should bring you to one of the mirrors. The one other thing you need is a ROM for a original Macintosh. I have some classic Macs at home, and you can dump the ROM from those. Or there are sites out there that have them hosted, I would guess that would not be to hard to find.

I put the virtual hard drive, and the ROM in a folder called “Shared” in the /opt/mac directory. You may have to tweak some of the configs/scripts to get everything working your way.

Once you get it working, there are a ton of games and pieces of software on archive.org for the old Macintosh, just make sure you get the 680*0 versions not the PowerPC versions. There are also a ton of abandonware sites, since half the companies that made this software are out of business, I doubt they will mind you taking a look, though legally its a grey area.

Those are the basics for how I got the system setup. One item that gave me a bunch of problems was the TFT screen. At the time you needed to load separate kernel modules and configure boot parameters for it. I think newer kernel images have added this, so that should be a simpler task for everyone.

Updated Windows Sudo

Recently I updated my Windows sudo program and added a command for Super Conduit, this is what I call some tweaks that you can make to a Windows Vista+ system. This allows someone to copy sudo.exe to a systems, system32 folder; then after running “sudo cmd” you can run “sudo /write” so add ls, ifconfig, and superc as a option in the command line.

Superc has options of enable, disable, and show. Making it easy to run. 🙂

Newest build is always here https://github.com/daberkow/win_sudo/raw/master/sudo/sudo/bin/Release/sudo.exe

QuickLogs v3.3.0 (and quickly v3.3.1) (and then v3.3.2)

Recently there was a big update the to QuickLogs product, on the face of it, it looks like the buttons have been changed a little bit. That is the small part of the upgrade, the main change is how the stats page works. Now the stats page is run by the HighCharts JavaScript engine instead of the PHP libchart that was used in the past. This takes the load of creating charts off of the server, and moves it to JavaScript Also this increases the flexibility to add more charts in the future.

I started the new stats page (v3.3.0) with a drop down to select different types of graphs, the Activities, User, and Overall graphs were used with the drop down. A quick comment made by people at the Helpdesk was “why not use all the space available, I dont like having to navigate again after refreshing.” v3.3.1 brought back the single page, but more importantly sorted the data in the charts. By default Highcharts plots by order the data is put into it; but it was not largest category to smallest. A quick sort was put in, and then we were back to where v3.2 ws with charts but a new engine. The new engine also allows for the charts to be looked at under different time periods instead of only 30 days.

The morning the program moved to version 3.3.2, this was a pure bug fix with CAS having a certificate issue under the login page. At this time, I decided to centralize the CAS information for all pages under the ‘core.php’ page. That way if the certificate moves there is one place to do it.

QuickLogs represents a early version of my app design; these days I tend to make core.php and ajax.php heavy with most of the application functions, and subsequent pages call them with ajax. This is a older app where a lot of the functions are hard coded in the page. I have started migrating to using a wrapper on MySQL like I have with the time cards app. But I only changed it on functions I was modifying so most of QuickLogs remains doing manual queries.

Looking to the future there are many ideas for QuickLogs, yet little time to compete them. One person suggested a achievement system for different things you can do at work. Another suggestion was a Nemesis a person who is right ahead of you for tickets, and having competition. The final suggestion was for some different types of charts. I wanted to do charts, I just have to find time.

At this point, QuickLogs is going on the shelf. (Unless I get a itch to add more charts) I am shifting to more time on Time Tracker and getting this product finished, before I leave RPI. Documentation for both products should be updated soon as well.

OpenAFS @RPI Client

Recently I was told “I can’t remember anyone getting OpenAFS to work on their own”, by a staffer at my school. I took it on myself then to figure out how to get this working for students. And in the end I wrote an app that will automatically download and install the AFS client, then configure drives for you. This was an experiment in threading and using WPF instead of Windows Forms.

First the app goes and downloads the OpenAFS client, if it is a 64 bit machine it grabs the 32 bit tools first then the client. While downloading and installing these things it connects via SSH to a school server to get the location of the user’s home folder as well as verify the credentials given.

Once installation is complete the program runs ‘klog’, this goes to the AFS server and requests tokens in the cluster using the credentials given earlier. Once we are past the installing point all these actions need to be run on the campus network. When the program starts it tries to ping a couple internal servers, if it can hit more than half of them in under 75 milliseconds then it considers itself on campus; if it thinks it’s off campus, then it notifies the user. One small problem with the first release is sometimes this system gets confused by vpn taking slightly longer.

Now that we have working token the system recommends drive letters that are not in use as well as AFS spaces to mount including the users folder and ‘dept’ to start. The configure button will activate these drives, they are not set to persistent at this time.

Below is the github link, as well as the direct exe link:

Github: https://github.com/daberkow/RPI_OpenAFS

EXE: https://github.com/daberkow/RPI_OpenAFS/blob/master/OpenAFS%20Installer%20WPF/bin/Release/OpenAFS%20Installer%20WPF.exe

Enstall Project

I am working on a project called Enstall with a partner for RCOS @ RPI, it’s available at enstall.wordpress.com, the goal is to make a package management system. One may say “but Dan there are like 10 available and one or two are already open source…” That is true but most of them are aimed at IT personel, and controlling all the computers in a corporation, this is just for a student to install and get software from their school on their PERSONAL computer. That’s the dream.

6to4 Card Cleaner Github!

Here it is! The source code (all be it not great) for 6to4 card cleaner up on github. This program has become less useful recently because my school recently implemented IPv6 across the network, and that has seemed to fixed the problem, along with new images. Anyway have fun with it, build it out, add to it…

https://github.com/daberkow/6to4-Card-Cleaner

PHP/JS and C# Encryption

Here is some code from a project I have been working on and then shelved. A C# (mono) project creates a RSA public/private key pair, then gives the public side to a MySQL database. The private side is saved to the hard drive for later. Then PHP dynamically adds the currently active key public portion into javascript, which encrypts the users input, and saves it to MySQL. Then the C# application can get the keys it has saved in a good place, and decrypt the data in the database. Benefits of this include the web data is secured from the client to the server, and even if somehow someone steals your database off your webserver, they dont have the encryption keys to take it away. This system also has a way to deactivate a old key and move to a new one, if more code was put into it someone could revoke a old key and migrate all the data using it to a new key, but that wasn’t implemented. I thought this would be a cool project and I learned a lot about RSA public private keys, a lot of languages handle the keys differently; some take it in hex, some do it differently, some call the parts one thing, some call them other names. The javascript portion is based mostly off this library (link). JQuery is used for ease.

Feel free to give feed back or use this, open source fun.

https://github.com/daberkow/PHP_PublicKeyDemo

Update

Hello Internet, I am back at school; along with working on some new and exciting things. https://github.com/daberkow is going to be my new GitHub place where I put up fun and exciting code, as well as add older things I have worked on and not released code for. Below I will list a couple projects and their state:

Javascript/C# SSL: I am slowly working on putting up open source code of the Javascript/C# SSL code

6to4 Card Cleaner: There was a error in the server side version library, that was fixed and clients should be able to update to newest version of 1.63

Duplicate Image Thing: I havent done much with this, I will be adding it to github for anyway to play with

New Project! Jukebox: I am working on a Jukebox from scratch, it will be based on raspberrypi.org computer. Designed as follows using EL lighting.

BuildingTents

Giving the campers something to read while they guard the flag