Follow up on A Simple Comet Example: Long Polling vs Http Streaming

Wednesday Apr 23, 2008

In my previous comet blog, A Simple Comet Example: Hidden Frame and Long Polling", I illustrate comet by using a simple example of two frames. While it is good for illustration, there is a limitation. If you try to use two different browsers to access the counter and click really fast, then you may notice that one of the counter may be updated and then immediately changes to blank. This is because the comet response may come before the response of the http post. This is more significant in the case of Http Streaming. In this blog, we will explain how to resolve "blank problem" and change the example to use Http Streaming instead of Long Polling.

One More Frame

The "counter blank" problem can be solved easily by extracting the post action and put it in a different frame (button.html). In other words, we only keep the display related stuff in count.html.

In this case, post request is sent from button.html, not from count.html. And hence, count.html will only be updated by JavaScript only. (In contrast with my previous blog, the count.html can also be updated by Http Response.) Now, in index.html, there will three frames as follows:

    <iframe name="hidden" src="hidden_comet" frameborder="0" height="0" width="100%"><iframe>
    <iframe name="counter" src="count.html" frameborder="0" height="70%" width="100%"><iframe>
    <iframe name="button" src="button.html" frameborder="0" height="30%" width="100%"><iframe>

The next thing we need to do is to update one line of Java code in the doPost of the servlet to redirect back to button.html rather than count.html.

    req.getRequestDispatcher("button.html").forward(req, res);

You can download the updated sample here.

Http Streaming

Http Streaming is different from Long Polling by keeping the connection (until expiration) between client and server even after it delivers the data. In general, this will perform better. With the fix in the previous section, we can modify our example easily to Http Streaming by commenting out the following

• event.getCometContext().resumeCometHandler(this); in HiddenCometHandle.java
  In this case, the server will not resume the connection.
• parent.hidden.location.href = "hidden_comet" in updateCount JavaScript
  In this case, the browser will not reload the hidden frame again.

Like this post? | | | |

Posted at 06:08PM Apr 23, 2008 by swchan in Sun
Tags: comet frame hidden http long polling streaming

A Simple Comet Example: Hidden Frame and Long Polling

Thursday Apr 03, 2008

Recently, there is a great interest in Comet technology. One can find many interesting articles in Comet Daily. Comet allows server and client to keep a live connection for communication. This provides a mechanism for server to update clients, instead of having classical polling. In this blog, I am going to share my experience about using Comet with hidden frame and long polling in GlassFish v3 Technology Preview 2 builds. I try to make example as simple as possible to illustrate the basic interactions there. If you want to learn more about Comet, then I recommend Jean-Francois' blogs.

Set up GlassFish v3

Download GlassFish v3 Technology Preview 2, unzip the file and start the server with jvm option v3.grizzlySupport=true to enable comet.

    java -Dv3.grizzlySupport=true -jar glassfish-10.0-SNAPSHOT.jar

We need the above jvm-option in today's build. This will not be needed when comet is enabled by default.

Comet Servlet Code

The comet servlet code is adapted from grizzly sample comet-counter, which uses Ajax client. The details of our serlvet is as follows:

1. In init(ServletConfig), one registers a context path to CometEngine,

       ServletContext context = config.getServletContext();
    contextPath = context.getContextPath() + "/hidden_comet";
    CometEngine engine = CometEngine.getEngine();
    CometContext cometContext = engine.register(contextPath);
    cometContext.setExpirationDelay(30 * 1000);

   where "/hidden_comet" is url-pattern of the comet servlet in web.xml. For testing purpose, one keeps the connection for 30 sec.

2. In doGet(HttpServletRequest, HttpServletResponse), one looks up the CometContext and adds our CometHandler.

       CounterHandler handler = new CounterHandler();
    handler.attach(res);
    CometEngine engine = CometEngine.getEngine();
    CometContext context = engine.getCometContext(contextPath);
    context.addCometHandler(handler);

3. In doPost(HttpServletRequest, HttpServletResponse), one increments the counter and then invokes the CometContext.notify, which will trigger the CometHandler.onEvent above.

       counter.incrementAndGet();
    CometEngine engine = CometEngine.getEngine();
    CometContext<?> context = engine.getCometContext(contextPath);
    notify(null);

   In addition, it forwards to count.html page for displaying the count.

       req.getRequestDispatcher("count.html").forward(req, res);

4. Next, one need to have a class implementing CometHandler interface. Among methods in CometHandler, the most interesting one is onEvent(CometEvent).

       public void onEvent(CometEvent event) throws IOException {
        if (CometEvent.NOTIFY == event.getType()) {
            int count = counter.get();
            PrintWriter writer = response.getWriter();
            writer.write("<script type='text/javascript'>parent.counter.updateCount('" + count + "')</script>\n");
            writer.flush();
            event.getCometContext().resumeCometHandler(this);
        }
    }

   In our case, it writes a Javascript back to client side. This will invoke the Javascript function updateCount in count.html. The onEvent also invokes resumeCometHandler. This is necessary as the polling connection will be dropped once it is used.

5. To compile the above Java code, one needs to include javax.javaee*.jar and grizzly-comet*.jar in classpath.

Client Code

On client side, I will illustrate the technique of hidden frame. Basically, the main page will have at least two frames. One of them does the long polling and is hidden from user. In our case, the index.html consists two frames as follows:

    <iframe name="hidden" src="hidden_comet" frameborder="0" height="0" width="100%"><iframe>
    <iframe name="counter" src="count.html" frameborder="0" height="100%" width="100%"><iframe>

The first frame, which is hidden, is pointed to our Comet Servlet above through GET method. The second frame is to display the counter and submit button for incrementing the counter. The Javascript in count.html is very simple as follows:

    <script type='text/javascript'>
        function updateCount(c) {
            document.getElementById('count').innerHTML = c;
            parent.hidden.location.href = "hidden_comet";
         };
    </script>

How does it work?

One can download the sources and war file from here, and deploy the war file. Using two browsers to access http://localhost:8080/grizzly-comet-hidden/index.html and click on "Click" button on each browser separately. Then one sees that counts in both browsers will be updated whenever one clicks on one of them. The mechanism is outlined as follows:

1. When the user accesses index.html, a browser will load two frames:
   • The "hidden" frame accesses our Comet Servlet through GET method. This allows the client to start long polling with server.
   • The "counter" frame loads a static count.html.
2. When the user clicks on the button in count.html, it submits a POST request to our Comet Servlet. This triggers the CometHandler onEvent method and redirects back to count.html to display the count. The onEvent triggers the updateCount() JavaScript in "counter" frame, which will
   • update the count and
   • invoke the Comet Servlet doGet for long polling in "hidden" frame,

Like this post? | | | |

Posted at 09:20PM Apr 03, 2008 by swchan in Sun
Tags: comet frame hidden long polling

Comparison of Security features in GlassFish and SJSAS 8.x EE

Friday May 25, 2007

Security is very essential, especially in the enterprise environment. In this blog, we will compare security of Profiles in GlassFish (GF) v2 and also note those feature availability in Sun Java System Application Server (SJSAS) 8.x Enterprise Edition. Note that Enterprise Profile is not available in public yet and will be in beta around July 2007. More information on Profiles in GlassFish v2 can be found here.

Comparison of Security with GF and SJSAS 8.x EE

Feature	GlassFish				SJSAS 8.x EE
	v1	v2 Development Profile	v2 Cluster Profile	v2 Enterprise Profile
Support JSR 196	no	yes			no
KeyStore for SSL	JKS			NSS
Key/Certificate management tools	keytool			certutil, pk12util, modutil
Java Security Manager	off (default)			on (default)	on
Support JDBCRealm	yes				no
SingleSignOn (SSO)	disable (default)			enable (default)
Virtual Server Realms	no	yes			no

With JDK 1.5 and NSS 3.11.4, Enterprise Profile in GlassFish v2 and SJSAS 8.x EE (but not available in GF v2 Cluster Profile) support the following:

• management of the PKCS#11 modules using modutil
• explicit reference of keys in PKCS#11 providers for https or iiop/SSL listeners. (Note that with JDK 1.5 or later, one can add PKCS#11 providers to a given JDK. But those keys cannot be references by current server.)
• Elliptic Curve algorithm for SSL and other crypto operations (need Enterprise Profile GlassFish v2 and JDK 1.6)

In SJSAS 8.2 EE and the coming GlassFish v2 Enterprise Profile, there is support for the use of private key in Solaris 10 Softtoken. As an example, let us take a look at how to set up Solaris 10 Softtoken.

1. Initialize Solaris 10 Softtoken password if you have not.

   /bin/pktool setpin

2. Register the Solaris 10 Softtoken to NSS.

   modutil -dbdir $SJSAS_HOME/domains/domain1/config -force -add "Solaris 10 Softtoken" -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA

3. Verify that the token is added properly and find out the corresponding token name.

   modutil -dbdir $SJSAS_HOME/domains/domain1/config -list

   A sample output is as follows:

   Using database directory ....
   
   Listing of PKCS #11 Modules
   -----------------------------------------------------------
     1. NSS Internal PKCS #11 Module
            slots: 2 slots attached
           status: loaded
   
            slot: NSS Internal Cryptographic Services                            
           token: NSS Generic Crypto Services
   
            slot: NSS User Private Key and Certificate Services                  
           token: NSS Certificate DB
   
     2. Solaris 10 Softtoken
           library name: /usr/lib/libpkcs11.so
            slots: 1 slot attached
           status: loaded
   
            slot: Sun Crypto Softtoken
           token: Sun Software PKCS#11 softtoken
   -----------------------------------------------------------
     

   In this case, the token name is "Sun Software PKCS#11 softtoken". And this will be used in subsequent commands.

4. Create a private key and certificate in Solaris 10 Softtoken.

   certutil -S -x -n mytestcert -t "u,u,u" -v 120 -s "cn=j2ee,ou=J2EE,o=Sun,L=Santa Clara,ST=California,C=US" -d $SJSAS_HOME/domains/domain1/config -h "Sun Software PKCS#11 softtoken"

   A sample output is as follows:

   Enter Password or Pin for "Sun Software PKCS#11 softtoken":
   
   A random seed must be generated that will be used in the
   creation of your key.  One of the easiest ways to create a
   random seed is to use the timing of keystrokes on a keyboard.
   
   To begin, type keys on the keyboard until this progress meter
   is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
   
   
   Continue typing until the progress meter is full:
   
   |************************************************************|
   
   Finished.  Press enter to continue: 
   
   
   Generating key.  This may take a few moments...
     

5. Change the cert-nickname to "Sun Software PKCS#11 softtoken:mytestcert" in your listeners.

6. Restart the server, then it will prompt the password for Solaris 10 Softtoken as follows:

   Please enter password for NSS slot Sun Software PKCS#11 softtoken>

Like this post? | | | |

Posted at 03:17PM May 25, 2007 by swchan in Sun
Tags: algorithm curve elliptic glassfish security softtoken solaris

JDBCRealm in GlassFish with MySQL

Monday Apr 23, 2007

In these few months, there were several discussions of using GlassFish JDBCRealm with MySQL. In this blog, I will share my experience about using GlassFish JDBCRealm with MySQL.

1. Download the MySQL Community Server. I have downloaded the Solaris 10 (x86, 32 bit TAR package), version 5.0.37, of the "MySQL Community Server".

2. Expand the download file.

   gunzip mysql-5.0.37-solaris10-i386.tar.gz
tar xf mysql-5.0.37-solaris10-i386.tar

3. cd mysql-5.0.37-solaris10-i386

   and read INSTALL-BINARY.

4. Set up the grant table.

   scripts/mysql_install_db

5. Start the MySQL server.

   bin/mysqld_safe

6. Set a password for the MySQL "root" user

   bin/mysqladmin -u root password YOUR_PASSWORD

7. Create database and table. The following is a sample command.

   bin/mysql -u root --password=YOUR_PASSWORD
   
   create database database01;
   use database01;
   create table usertable(userid varchar(10) primary key, password varchar(32) not null);
   create table grouptable(userid varchar(10), groupid varchar(20) not null, primary key (userid, groupid));
   alter table grouptable add constraint FK_USERID foreign key(userid) references usertable(userid);
   commit;
   grant all privileges on *.* to 'root'@'YOUR_HOST' identified by 'YOUR_PASSWORD' with grant option;
   

   Note that you may like to replace YOUR_PASSWORD and YOUR_HOST in above.

8. Populate user, group and passwor data. For the purpose of testing the database, you may try to use clear text password first as follows:

   insert into usertable values ('webuser', 'webuser');
   insert into grouptable values ('webuser', 'employee');
   

   For MD5, please take a look at another blog on JDBCRealm.

9. Download the JDBC driver from Connectors > Connector/J . I have downloaded mysql-connector-java-5.0.5-bin.zip

10. Unpack the package and copy the JDBC driver to $GLASS_HOME/lib.

    unzip mysql-connector-java-5.0.5-bin.jar
cd mysql-connector-java-5.0.5
cp mysql-connector-java-5.0.5-bin.jar $GLASSFISH_HOME/lib

11. Restart the GlassFish server in order to pick up the JBDC driver.

12. Create a Connector pool in Admin Console as follows:

    Name	MySQLPool
    Resource Type	javax.sql.DataSource
    Database Vendor	MySQL

    then click "Next" and add the following properties:

    serverName	YOUR_HOST
    port	3306
    databaseName	database01
    user	root
    password	YOUR_PASSWORD

    Note that different versions of the JDBC driver may have different properties. You may need to check the readme file there. Furthermore, you may need to remove extra default properties from Admin Console.

13. Create a DataSource jdbc/mysql associated with the above pool.

14. Create a JDBCRealm, named jdbcrealm with the following properties:

    datasource-jndi	jdbc/mysql
    user-table	usertable
    user-name-column	userid
    password-name-column	password
    group-table	grouptable
    group-name-column	groupid
    jaas-context	jdbcRealm
    digest-algorithm	none

    Note that if you are using MD5 for password data, then you need to set value of digest-algorithm to MD5.

15. Now a JDBCRealm is ready and it can be used by specifying it in deployment descriptors. If there is anything wrong and cannot authenticate, then one can turn on security log to FINE level and check if there is any exception in server.log.

Like this post? | | | |

Posted at 10:33AM Apr 23, 2007 by swchan in Sun
Tags: glassfish jdbcrealm mysql

Multiple Private Keys in a GlassFish domain

Friday Apr 06, 2007

GlassFish uses Java JKS for storing keys and certificates. Out of the box, the keyStore (keystore.jks) and the trustStore (cacerts.jks) reside in $GLASSFISH_HOME/domains/domain1. Even though there are several CA root certificates in cacerts.jks, there is only one private key in keystore.jks.

GlassFish supports the use of multiple private keys in a given domains. For instance, you may have two https listeners having different server private keys. This is a very useful scenario especially when one have EC key. So, in a given domain, we can have one https listener using RSA key for normal browser and one https listener using EC key for PDA.

In this blog, we will discuss the configuration when there are multiple private keys in a given domain of GlassFish. In this case, one needs to specify the private key / certificate to be used for SSL communication. If the information is not specified, then the server will pick up one which may not be desirable. Since one wants to be more precise in security environment, one would like to specify the corresponding certificate nickname in order to pick up the correct key.

There are two kinds of certificate nicknames: inbound, https outbound.

Inbound Certificate Nickname

One needs to specify the inbound cert-nickname for a given listener in domain.xml. For instance, in http listener, it is as follows:

    <http-listener ... security-enabled="true" ... />
      <ssl cert-nickname="s1as" ... />
      ...

Instead of hand-crafting the domain.xml, it would be a good idea to use Admin Console as follows: Configuration > HTTP Services > Http listeners > http-listener-2, and choose SSL tab and enter the valid alias value you want in "Certificate Nickname" textbox. Then one needs to restart the given domain (if there is a change of certificate nickname) in order to activate the change.

Similarly for iiop listeners.

Https Outbound Certificate Nickname

GlassFish also supports the https outbound from server. A private key / certificate is used for https outbound mutual SSL authentication. In this case, we can specify the https outbound certificate nickname as jvm-options in domain.xml:

    -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=YOUR_ALIAS

One can achieve this through Admin Console as follows: Application Server > JVM Settings > JVM Options > Add JVM option, and enter the above jvm option in the new textbox. Then one needs to restart the server in order to activate this change.

Like this post? | | | |

Posted at 02:36PM Apr 06, 2007 by swchan in Sun
Tags: glassfish keys multiple private