Ales Novak's old blog

     
 

XML, SAX and DOM too


Read as: XML sucks... The subject was once the title of a talk that two of my colleagues nominated for a JavaOne session. Fortunately, it was not accepted. That was before the web services buzz was all around. Maybe they were right. Here is a sample of client/server communication using Web Services Security. One would think that we only need to send the words SUNW and Hello to the other side. Do not forget to multiply that by 2 for the server reply. Here we go:


run-sample:
     [echo] Running the simple.TestClient program....
     [java] Service URL=http://localhost:8080/securesimple/Ping
     [java] Jun 28, 2005 2:00:07 PM com.sun.xml.wss.filter.DumpFilter process
     [java] INFO: ==== Sending Message Start ====
     [java] <?xml version="1.0" encoding="UTF-8"?>
     [java] <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://xmlsoap.org/Ping" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     [java] <env:Header>
     [java] <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
     [java] <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="Id-7200843894568839789">MIIDWTCCAsKgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJOQTELMAkGA1UECBMC
     [java] TkExCzAJBgNVBAcTAk5BMQswCQYDVQQKEwJOQTELMAkGA1UECxMCTkExHjAcBgNVBAMTFWNlcnRp
     [java] ZmljYXRlLWF1dGhvcml0eTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMDQwNDA5MjAyMDA0WhcNMDUw
     [java] NDA5MjAyMDA0WjByMQswCQYDVQQGEwJOQTELMAkGA1UECBMCTkExCzAJBgNVBAcTAk5BMQswCQYD
     [java] VQQKEwJOQTELMAkGA1UECxMCTkExHDAaBgNVBAMTE3h3cy1zZWN1cml0eS1jbGllbnQxETAPBgkq
     [java] hkiG9w0BCQEWAk5BMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChxbTlPz21PNp5YSh3Wr0Q
     [java] 97HhHOenXMI4G/mAkknS3gEFV8CJJR8sE2+WeweOk2M2UIpQLYHPE2mFKoe9SV82IW5o0dJwrh5J
     [java] ELSq9fR3x6wdE5/O8leY0dFL5zPtm4gWHU7b/pV1kfijrGiIBTO7M59oACxhHJE7RB0WYy1zUQID
     [java] AQABo4H8MIH5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
     [java] cnRpZmljYXRlMB0GA1UdDgQWBBSdEF+wTGtncGGY/Pd6MpAKaIRhtDCBngYDVR0jBIGWMIGTgBS1
     [java] BYo8LSYEn16yMWhvreilyanXfqF4pHYwdDELMAkGA1UEBhMCTkExCzAJBgNVBAgTAk5BMQswCQYD
     [java] VQQHEwJOQTELMAkGA1UEChMCTkExCzAJBgNVBAsTAk5BMR4wHAYDVQQDExVjZXJ0aWZpY2F0ZS1h
     [java] dXRob3JpdHkxETAPBgkqhkiG9w0BCQEWAk5BggEAMA0GCSqGSIb3DQEBBAUAA4GBAMxAGol7R7BT
     [java] BWW/Jv+51R0JAtWfZyI54qmU0cfYkgiIk5wp7LrVge4NlJwmlnq0exp5LKPB2gLqHVP9oK6PIEbS
     [java] P6yMzV0G2/qXbsi1UPQvQlKeAdkcsbYeq1WpQUzdNLCVg4eTIsoZQoosSdAiL672kRBEW2fDtRuK
     [java] qV+oNKQk</wsse:BinarySecurityToken>
     [java] <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     [java] <ds:SignedInfo>
     [java] <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     [java] <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     [java] <ds:Reference URI="#Id-4825289659218818612">
     [java] <ds:Transforms>
     [java] <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     [java] </ds:Transforms>
     [java] <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     [java] <ds:DigestValue>letnI/+7kxBE7cq0wFwd4Rxr/xc=</ds:DigestValue>
     [java] </ds:Reference>
     [java] <ds:Reference URI="#Id-442752300277299994">
     [java] <ds:Transforms>
     [java] <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     [java] </ds:Transforms>
     [java] <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     [java] <ds:DigestValue>2AHArZHXUEG2g5os+Hfc/+IUySE=</ds:DigestValue>
     [java] </ds:Reference>
     [java] </ds:SignedInfo>
     [java] <ds:SignatureValue>
     [java] cHhgyrI+/Jq3qCoJ8XD2UMl+N4Mpma9fTdKNXhFwL72vTuZDOWYiim77ATLn4XQ+rxR8viM324V3
     [java] h9VRHziR+pmH+UoyjjI4rvRJSo/+U4H/lE95F/Nz3u2hCE0J+n0qbhj4PZPUXmJ+iPIOJK7Qh67K
     [java] ZutcDzA375eIg3kQfFU=
     [java] </ds:SignatureValue>
     [java] <ds:KeyInfo>
     [java] <wsse:SecurityTokenReference>
     [java] <wsse:Reference URI="#Id-7200843894568839789" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
     [java] </wsse:SecurityTokenReference>
     [java] </ds:KeyInfo>
     [java] </ds:Signature>
     [java] <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-442752300277299994">
     [java] <wsu:Created>2005-06-28T12:00:06Z</wsu:Created>
     [java] <wsu:Expires>2005-06-28T12:05:06Z</wsu:Expires>
     [java] </wsu:Timestamp>
     [java] </wsse:Security>
     [java] </env:Header>
     [java] <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-4825289659218818612">
     [java] <ns0:Ping>
     [java] <ns0:ticket>SUNW</ns0:ticket>
     [java] <ns0:text>Hello !</ns0:text>
     [java] </ns0:Ping>
     [java] </env:Body>
     [java] </env:Envelope>
     [java] ==== Sending Message End ====




Do you love it? I do. Several colleagues of mine were laughing a lot - poor old C and assembler guys!

Which Java class writes this? A simple debug facility.


Something like:

[07/Apr/2005:17:32:53] WARNING (27486): CORE3283: stderr: Warning: validation was turned on but an org.xml.sax.ErrorHandler was not
[07/Apr/2005:17:32:53] WARNING (27486): CORE3283: stderr: set, which is probably not what is desired.  Parser will use a default
[07/Apr/2005:17:32:53] WARNING (27486): CORE3283: stderr: ErrorHandler to print the first 10 errors.  Please call
...
was written in the appserver logs. Go and find it out, my manager told me. Our customer is not happy :-) I remember this task from my previous NetBeans career. It is quite simple. Use this:

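import java.io.PrintStream;
import java.io.UnsupportedEncodingException;

public class DebugPrintStream extends PrintStream {

    private PrintStream orig;
    private String match;

    /** Creates a new instance of DebugPrintStream */
    public DebugPrintStream(PrintStream out, String match) throws UnsupportedEncodingException {
        super(out, true, "UTF-8");

        // Check the constructor arguments; the orig field is not assigned yet at this point.
        assert out != null;
        assert match != null;

        this.orig = out;
        this.match = match.toLowerCase();
    }

    /** Returns the wrapped stream that actually receives the output. */
    protected PrintStream getOrig() {
        return orig;
    }

    /** Writes a stack trace to the original stream when the message contains the match string. */
    protected void filter(String s) {
        if (s == null) {
            return;
        }

        // Case-insensitive substring match; match was lower-cased in the constructor.
        if (s.toLowerCase().indexOf(match) >= 0) {
            Exception e = new Exception();
            getOrig().println("DEBUG PRINT STREAM MATCH");
            e.printStackTrace(getOrig());
        }
    }

    public void print(String s) {
        filter(s);
        getOrig().print(s);
    }

    public void println(String s) {
        filter(s);
        getOrig().println(s);
    }

    // more overridden methods from PrintStream follow the same pattern
}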

Not complete source code, but it should give you a sense of what it does: if somebody calls this new PrintStream, the message is examined by filter(), and if it matches, a stack trace is written. The second part of the puzzle is this sequence:

            DebugPrintStream dpserr = new DebugPrintStream(System.err, "Warning: validation was turned on but an org.xml.sax.ErrorHandler");
            DebugPrintStream dpsout = new DebugPrintStream(System.out, "Warning: validation was turned on but an org.xml.sax.ErrorHandler");

            System.setErr(dpserr);
            System.setOut(dpsout);


Add the previous code to a Main class, a JSP or a Servlet. The result in this case was:

[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at test.DebugPrintStream.filter(DebugPrintStream.java:43)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at test.DebugPrintStream.println(DebugPrintStream.java:69)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.jaxp.DefaultValidationErrorHandler.error(DefaultValidationErrorHandler.java:74)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.framework.XMLParser.reportError(XMLParser.java:1232)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.validators.common.XMLValidator.reportRecoverableXMLError(XMLValidator.java:1737)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.validators.common.XMLValidator.validateElementAndAttributes(XMLValidator.java:3552)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.validators.common.XMLValidator.callStartElement(XMLValidator.java:1159)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.framework.XMLDocumentScanner.scanElement(XMLDocumentScanner.java:1806)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.framework.XMLDocumentScanner$ContentDispatcher.dispatch(XMLDocumentScanner.java:949)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentScanner.java:381)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:1081)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:195)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:76)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at com.iplanet.am.util.XMLUtils.toDOMDocument(XMLUtils.java:98)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at com.iplanet.services.comm.share.ResponseSetParser.<init>(ResponseSetParser.java:36)
[01/Jun/2005:13:26:14] WARNING (10980): CORE3283: stderr:       at com.iplanet.services.comm.share.ResponseSet.parseXML(ResponseSet.java:93)
... many more frames here ...

As it turned out, by looking into the iplanet classes, the message appears because those classes are using a validating parser on XML messages which do not define their DTD. However, the validation is on only if some debug flags for those classes are on. Who turned them on in the config files? We will never know - maybe the customer, maybe the system integrator, ...

 
 
 
 

Open source Java?


It seems that there is an Apache project - an open source implementation of Java. I do not care if Java is open source or not. By the way, how many people realize that having something open-sourced does not mean that I have the privilege to commit/check in sources? Anyway - what I have heard from people since Java started is: I need performance.

Now Sun, IBM, BEA have JVMs with pretty advanced JITs, GC schemes etc. I do not think that it will be easy to match the performance of those highly tuned JVMs. Obviously performance is not all, think of stability, monitoring.

I do not know - even implementing all Java libraries, AWT, Swing is a huge job. Writing JVM internals is even more challenging - people here at Sun have been doing GC algorithms research for maybe 15 years. The people writing the HotSpot compiler are also compiler veterans.

 
 
 
 

NetBeans team 7 years ago


... looked like this (view image should reveal more details).

Not many people indeed. I guess the photo was taken at least 3 months after NetBeans happened. I think even the name was not NetBeans but something like Lime Tree or maybe something completely different. I just do not remember.

The guy on the right side is Hanz. In about half a year he will start work on the debugger (since that photo). Oh wait, he has been working on the debugger and related modules since then. The next one, with that brown jumper, is Zdenek. Zdenek was working for SilverStream (swallowed by Novell). He is now at Systinet.

The girl in the red shirt - I really do not remember her name. Sad. She left for university, if I remember right. The man behind the computer is Jack, our website maintainer, developer, and designer. He has also been doing his job ever since. The next one, not very visible, is Petr. Petr was working on Java language processing - parser, tokens for syntax coloring, etc. Petr left Sun some two years ago.

Then comes the girl in the blue shirt, Helena. She was something between COO, admin, contact for investors, etc. She left NetBeans at around acquisition time. Next to her is Ian. Ian was a people manager. He was working on the form editor. That was in times when Swing was the distant future, so AWT components were his playground (and Swing later of course).

On Ian's right-hand side, I am standing. I was working as a part-time programmer. My area was initial javac integration, execution, output window and other sweet stuff completely rewritten many years ago. I am not with NetBeans anymore, though I am at Sun. The standalone guy hiding on the other side of the pole is Yarda. Yarda was the main architect. He was working on filesystems, datasystems, but he talked to every aspect of the IDE.

Notice that office. We looked like a garage company, didn't we?

 
 
 
 

Weizenbier


Finally! I have found it in a local store. Before that, to my knowledge, the nearest possible place to buy it was down in Bavaria. I bought one bottle as a starter and it was a great experience. I am going to buy some more. This type of beer is made of wheat instead of barley. It is less bitter and a bit sweeter. It contains unfiltered yeast.
My way to alcoholism is paved ;-).

 
 
 
 

Gray on database future


Jim Gray of Microsoft wrote this nice article on future database development (as I learned on Slashdot).

I read his book on transaction processing. It is a good one, no wonder he got the Turing Award. Anyway, he sees that the artificial division of data and data processing programs blurs in modern databases - you can write triggers or stored procedures in Java or C#. He also suggests that the time for main memory databases is coming. Who am I to disagree?

The idea of a single address space for application and DB data is really tempting. Pros are left as an exercise to readers. However, given current price tags for enterprise database engines, this would create the most expensive application servers on the planet.

 
 
 
 

Why do I like Identity Manager


My previous entry touched on the area of people who want to make things abstract, general, complex, almighty. Natural born architects. I like things simple, stupid (KISS, eh?).

On an unrelated note - Jako parrots are able to speak to each other in English. Those are not random words but they do contain information. They can even count up to 9 or so. Which qualifies them for five star IT architects in my opinion :-).

Our Identity Manager is an amazing balance of simplicity and well calculated abstraction. The creators of this package (unknown to me) had to be really smart. For instance, there is a really powerful workflow engine, which helped me to fulfill customers' requirements repeatedly. It is a must have, I mean. Then there are the Forms. Forms look like simple XML, but they are in fact a general framework for displaying data as well as simple data transformations. Since each customer wants forms to be slightly different and built-in rules to be totally different, they are used all the time.

Which takes us to XPRESS. It is an XML based language mainly for string and list processing with logical and arithmetic operators. It has no ambition to be the Java language at all. As a result it is so simple that people used to writing shell scripts, but not Java, are able to learn it and use it really quickly.

At the same time, the founding fathers did not suffer from NIH (not invented here) syndrome; IDM uses loads of free software for rendering graphics or connecting to resources (SSH, JDBC drivers, OS/400).

Best of all, it uses an agentless approach. In other words, you do not need to install custom packages on managed systems. We were repeatedly able to connect to different UNIX systems, IBM systems, ERP systems, etc. without actually knowing the internals of those managed systems.

If there were a voting process for acquisitions inside Sun, I would vote for more acquisitions like this :-).

Managing a customer


Over the last week or so I have had several unpleasant interactions with a customer. The customer should solve a business problem, but since he was originally a developer, he tries to solve the problem from a technician's point of view.

We speak different languages. I have no idea how his manager came to the conclusion that if somebody is able to develop a piece of software then he is the best person for defining requirements.

On the other hand, I know people who suffer from the idea that if someone was able to graduate from a top university in computer science then he/she is perfectly equipped to manage people.

To be a little bit more specific, as a starter he wants to use specific programming constructs. Should the architecture scale, what is the planned transaction throughput, should it be HA, what about security? Those are second level questions...

What to do?

 
 
 
 

Debugging


Yesterday, I suffered from incremental debugger syndrome. One of my workflows just disappeared in the middle of the execution. No exceptions, errors, messages... Switching logging on helped to localize the suspect workflow step. Then I started to throw in more debug messages, reconfigurations, etc., until my wife called, reminding me that I had promised to pick her up.

Well, I did so, but I was still thinking about the problem. I came to the conclusion that I was missing some classes, though no NoClassDefFoundError or ClassNotFoundException was found.

It helped. It is interesting that one can find a solution after three hours of thinking without actually touching the product or playing with a computer at all.
 
 
 
 

Sad week


One week ago we had another RIF (Reduction in Force). This happened to the Client Solutions organization, namely in countries which were underperformers, we were told. While I understand the business reasons, I also feel sorry for our colleagues.

Jana, Marketa, Milan, Pavel, Petr: fare well, whatever you are going to do.
 
 
 
 

Extending EU


Bulgaria and Romania will start talks about joining the EU. I wish them the best. The EU did a lot for our country. When I say a lot, people will start to think in financial terms. Yes, that is also the case.

What I have in mind is, however, the gentle pressure to make compliant laws, to make the financial sector transparent, to make decision making transparent, to suppress corruption, to keep the financial discipline of our budget. All those things that make life harder for our stupid incompetent government! A government led by a prime minister who lied, a government supported by a party leader notoriously suspected of corruption.

What happened to Germany?


I was growing up in a communist country where Germany, our neighbour, was perceived as a really rich country. My cousin married a fine German guy, Hans, a few years ago, and my brother will probably marry a German girl soon - after all, they are expecting a baby ;-). From their perspective, however, Germany is not what it used to be. Hans, for instance, was working for a textile industry equipment maker. The textile industry in Europe is basically dead; what was not outsourced to China is dying. They do not need engines anymore. As a result, Hans, an experienced engineer, lost his job. Though he lives near Munich, he has a really tough time finding a new job.

That is not all - when he was employed, my cousin worked for a while too, but for quite a low salary. However, their combined salary reached a new tax level, so they had to pay back some money to the state. As a result, she quit her job immediately. Now he is unemployed and she has a baby.

My brother and his girlfriend are a completely different story. Since she still studies and he works as an unskilled worker in building construction, they really do not have money. However, their families are ready to support them. To our surprise, our help is not welcome. If they miss something, German social care will help them. Ridiculous, isn't it?

Our newspaper says that Germans in general think that extending the EU was a big mistake. I do not know the numbers for last year, but in the years before we imported 1 billion euro more goods than we exported. That means that we supported some jobs in Germany, didn't we?

Finally - my old friend was hired as an aircraft engineer by a German company. I think that he is good - he studied in the UK too. He got way more money than here; however, after taxation he loses nearly half of his money, then he pays rent for a flat, and that is a lot of money down in Munich as well. Food is 3 - 4 times more expensive than here. His net income is still bigger than it used to be but less than he originally hoped.

 
 
 
 

NetBeans bug status improving?


A few days ago, I talked to friends from my previous life, i.e. NetBeans engineering. I remember that when I was part of that organization it was quite common to have a dozen P1 bugs, a handful of P2 and many P3 bugs. My bug tail was about 70 - 80 bugs, I think. Now they looked quite happy - in general they do not have P1s, saying that it is not a problem anymore. I could not resist and ran some issuezilla searches. I was looking for changes in bug resolution with any status, priority P1 - P3, where the resolution changed between 01/01 and 03/01 (MM/DD notation) for years 2002, 2003, 2004, and 2005 for the openide module.

Numbers are 155, 238, 274, and 153.

What does it mean? The module gets bigger over time, so I guess the number of bugs should be growing. There are more engineers (but not that many more), so the number of bugs should be decreasing. I do not think that they are dropping features and focusing only on bugs. Anyway, it is a positive trend, isn't it?

See: 2002, 2003, 2004, 2005
 
 
 
 

Awaiting twins


We have finished the 21st week of pregnancy. So far it has been a never-ending story of complications. We could not have babies for over a year because the ovaries did not produce eggs. We did not know that until we underwent some initial testing. The problem is named polycystic ovarian and it is fairly easy to cure by hormonal therapy taking about two weeks.

What happened then was that suddenly four eggs were released. They were successfully nested and suddenly we were awaiting four babies. However, according to doctors that was a big risk for all babies. The risk included early birth, which itself could lead to underdeveloped brain, eyes, etc. The doctor strongly recommended undergoing what he called reduction, but what was essentially abortion, of at least two embryos.

Before that, my opinion was that abortion was not murder. However, when you see those embryos in an ultrasound scanner, they really look like a man. You can see hands and legs and fingers and teeth. It is difficult to say yes, two of them will never be born. It is difficult to say no either and risk some disabilities or even death.

During investigation, doctors found that the skinfold of one of the babies was about 1mm (or 50%) thicker than it should be. This could suggest Down syndrome. They could not abort this embryo because it was hidden under another embryo. So we were condemned to wait one more week. During the week, we went through a few more investigations which showed that the anomaly had disappeared. Well, move on.

Four weeks later, now with only two embryos, we had a blood test showing that we have a very high level of AFP. This could suggest problems with the brain, skull and spinal cord, but it could also be an effect of the reduction. So the next step was genetic testing.

Just two days ago we found out that everything is OK and that we are awaiting two boys. I cannot fully describe our relief.

Earlier today my wife started to bleed a bit. We went immediately to a hospital only to be told that it happens sometimes, and that it will stop soon. More importantly she is OK and the babies are doing well too. Nevertheless, she will stay there for two, three days.

Will this uncertainty ever stop? I do not think so. A colleague of mine said that after birth it is even worse.
 
 
 
 

Identity Manager x Access Manager integration, a bit of DTrace too


I had the $subject demo working on my old notebook with JDS/Linux, so I thought it would be nice to have it on my new notebook with JDS/Solaris 10. Since I already had a working IDM instance in /opt/idmsp4, I deployed that to Sun Web Server 6.1. I am not exactly sure what the entries should look like in server.xml, and wdeploy does not let you deploy a directory (unlike the app server), so I deployed a sample app first and then just changed the directory path in server.xml. After a web server restart, IDM was up and running.

I had Access Manager already installed as a part of my Java ES installation, so the next step was to install and configure the policy agent for the web server. Once the agent is in place it does not let you in if Access Manager is not running, so that is why I did not use my already working IDM app server instance. The Policy Agent is, however, only for Solaris 9 x86. I thought that it should not be a problem, but it was. The installation panel said that I needed the Solaris operating system. The problem is that my uname looks like this:

/home/anovak$ uname -a
SunOS alman 5.10 janus-10 i86pc i386 i86pc

Notice that janus-10 string. First I thought that hacking /bin/uname would be enough, but it was not. I remember that somebody somewhere mentioned that DTrace can help with such a situation. Since my DTrace expertise is quite limited, I thought I could learn something new - and yes, it took me 2 hours 30 minutes of a beautiful Sunday afternoon to assemble the following script:

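/* copyoutstr() writes into the traced process, so destructive actions must be enabled (same as dtrace -w) */
#pragma D option destructive

typedef struct utsname {

/* ... see struct definition and copyright in /usr/include/sys/utsname.h ... */
        /* every field is a char[257] array, as discussed below */
        char sysname[257];
        char nodename[257];
        char release[257];
        char version[257];
        char machine[257];
} utsname_t;


syscall::uname:entry
{
        printf("%s(0x%x)", probefunc, arg0);
        self->addr_in = arg0;   /* user-space address of the caller's struct utsname */
        self->interest = 1;
}

syscall::uname:return
/self->interest/
{
        /* overwrite the release field, which starts two char[257] fields into the structure */
        copyoutstr("5.9", self->addr_in + 2 * 257, 20);
        /* read the structure back from user space and print it to verify the change */
        this->name = (utsname_t *) copyin(self->addr_in, sizeof (utsname_t));
        printf("%s(0x%x) %s %s %s %s %s", probefunc, arg0, this->name->sysname, this->name->nodename, this->name->release, this->name->version, this->name->machine);

        /* copyoutstr("5.9", self->addr_in + 2 * 257, 20); */
        self->interest = 0;
}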


The script was assembled in several steps - first I learned how to intercept the uname syscall, that was the easy part. My impression was that the uname syscall would then read a file with the information, so I was looking for open and open64 syscalls, but nothing unusual was revealed.

Including the struct and copyin came in later, after reading docs about structs, unions and DTrace. However, after this I got stuck. I had a solution where I could put "5.9" instead of "5.10" by writing 4 chars, i.e. release[0] = '5', etc. But I thought that an easier way should exist - that led me to copyoutstr. However, I was not able to place "5.9" correctly. I thought that the C type char[257] was equal to char*, so when I used pointer arithmetic I should add 2 and get a pointer to the 'release' string. No way. I broke sysname instead.

What now? Well, I wrote a simple C program with the uname syscall and printed out the difference between the pointers to 'sysname' and 'nodename'. Guess what. It is 257. So the C layout of that structure is completely different than I thought... (but logical). That brought me to this final version.
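
The layout check described above, as an added example (not the original program from this post): it models the structure with the char[257] fields mentioned in the text, measures the field distance, and shows why a write at address + 2 damages sysname while address + 2 * 257 reaches release. The names utsname_model, patch_at, patched and the other helpers are hypothetical; the sample values are the ones from the uname -a output quoted earlier.

```c
/* Added example: why addr + 2 corrupts sysname and addr + 2 * 257 reaches release. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Assumption taken from the post: each field is a char[257] array. */
#define FIELD_LEN 257

struct utsname_model {              /* hypothetical mirror of the layout */
    char sysname[FIELD_LEN];
    char nodename[FIELD_LEN];
    char release[FIELD_LEN];
    char version[FIELD_LEN];
    char machine[FIELD_LEN];
};

/* Distance in bytes between sysname and nodename in the model. */
size_t field_stride(void)
{
    return offsetof(struct utsname_model, nodename)
         - offsetof(struct utsname_model, sysname);
}

/* Byte offset of release: two whole arrays precede it. */
size_t release_offset(void)
{
    return offsetof(struct utsname_model, release);
}

/* The same measurement on the real struct utsname of the host this runs on. */
size_t host_stride(void)
{
    return offsetof(struct utsname, nodename) - offsetof(struct utsname, sysname);
}

/* Bounded string write at a byte offset inside the structure.
 * Returns 0 on success, -1 if the string would not fit. */
int patch_at(struct utsname_model *u, size_t off, const char *str, size_t maxlen)
{
    size_t n = strlen(str) + 1;     /* include the terminating NUL */
    if (n > maxlen || off >= sizeof *u || n > sizeof *u - off)
        return -1;
    memcpy((char *)u + off, str, n);
    return 0;
}

/* Sample values from the uname -a output quoted in the post. */
void fill_sample(struct utsname_model *u)
{
    memset(u, 0, sizeof *u);
    strcpy(u->sysname, "SunOS");
    strcpy(u->nodename, "alman");
    strcpy(u->release, "5.10");
    strcpy(u->version, "janus-10");
    strcpy(u->machine, "i86pc");
}

/* Returns the sample structure after writing "5.9" at byte offset off. */
struct utsname_model patched(size_t off)
{
    struct utsname_model u;
    fill_sample(&u);
    patch_at(&u, off, "5.9", 20);
    return u;
}

int main(void)
{
    struct utsname_model bad = patched(2);                  /* the char* assumption */
    struct utsname_model good = patched(release_offset());  /* 2 * 257 bytes in */

    printf("model stride=%zu release offset=%zu host stride=%zu\n",
           field_stride(), release_offset(), host_stride());
    printf("offset 2:   sysname=%s release=%s\n", bad.sysname, bad.release);
    printf("offset %zu: sysname=%s release=%s\n",
           release_offset(), good.sysname, good.release);
    return 0;
}
```

The host stride printed by the program depends on the operating system's own header, so it will differ from 257 on systems that use a shorter field length.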

What is the moral? On an internal mailing list as well as on this blog site, I found a solution in three minutes :-).

Back to the installation of the policy agent - with the script above, it was easy and it worked. You need a few more things to have a working demo - a) Define a URL Policy in Access Manager with some subjects, b) Create a new agent UrlAccessAgent and set the same password for it as you did during the installation. c) Change the login modules in IDM so that they contain Access Manager first. d) Modify AMAgent.properties, set com.sun.am.policy.am.headerAttributes=entrydn|sois_user as well as set com.sun.am.policy.am.fetchHeaders=true.

The last thing was to create an Access Manager user from within Identity Manager; I just edited configurator. When both systems are up and running, you are presented with the Access Manager login page, and after logging in, you are immediately let into Identity Manager.


 
 
 
 
 

© anovak