While the GlassFish Forum is a great place to ask all sorts of questions, it's nice to see users taking the time to document their findings on their blogs. Some recent examples include:

• "JAVA Security Provider Error" from Marc on getting the proper security provider when porting an application from JBoss to GlassFish.

Now I need to make sure this is all integrated into the GlassFish Wiki if not already covered. A centralized place for how-to's, in addition to the GlassFish Documentation, sounds like a reasonable way to avoid relying on the accuracy of search engines.
This week Harold gave the Metro Webinar, which is a good opportunity to catch up with Metro news. There are two release families: GlassFish v2 and GlassFish v3 Prelude use the Metro 1.x releases, while GlassFish v3 (post-Prelude) will use Metro 2.0.

The latest 1.x release is Metro 1.4, out last Fall (see Jitu's Summary and the GFv3 Prelude note). Jiandong recently published several notes explaining how to use it in STS (Security Token Service) scenarios: [1], [2], [3]; note that Jiandong reports a new 1.5 is being tested. The Metro 2.x family is still evolving; its first delivery will be in GFv3 and will implement JAX-WS 2.2 (see Rama's post), which includes support for WS-Addressing Metadata via the Policy project. Metro 2.0 can also be used on Java SE; see Fabian's note. Full details on Metro 2.0 are in its OnePagers; also see the Roadmap, with the usual warning about dates!

Venu has blogged about RFC 4474 support in SailFin. This feature introduces a mechanism for securely identifying the originators of SIP messages. A lot more information about this feature is available here and here.
It is also worthwhile to look at the following blogs to learn more about security in SailFin.

Next week, I will post an entry on how SailFin handles some of the spec-related issues in RFC 3261 and JSR 289.
A compilation of today's news of interest:

• At MindBucket, Paul provides a comparison of the (single-client) performance of Rails vs Merb. Rails is the incumbent among Ruby frameworks; Merb is a very interesting newcomer. Merb is thread-safe, and so will be Rails 2.0, but the comparison does not consider concurrency, which should be a key issue. The comparison includes numbers on GlassFish Server (and stay tuned for more fine-tuning of that case).
• From the NetBeans team, a tutorial on Securing WebApps using Role-Based authentication, with detailed step-by-step instructions using NetBeans 6.5 and GlassFish Server.
• Ludo addresses Rapid Deployment of Apps on GlassFish in a thread at the GlassFish Users Forum, and also hints at future improvements (teaser!).
• Shay reports that Compass 2.1 M3 is now available with improved GlassFish support.
• From Mahipalsinh, an explanation of how to Localize WebSynergy, so you can do it for your favorite language.
• In the Industry News section: Cisco buys Jabber, which should provide integrated IM in their offerings, and Amazon launches a CDN service, à la Akamai, LimeLight and others.

One of the nice things about working in this industry: it is never boring!
The latest Enterprise Tech Tip is written by Ron Monzillo and covers JSR 196, the Java Authentication Service Provider Interface for Containers. The document goes through detailed steps on how to write, install, and configure a simple SAM (server authentication module), and also how to have your application bind to it.
GlassFish v2 already supports the Servlet Container Profile of this JSR, and community member Greg Luck has written (with the help of others) the Spnego project, a SPNEGO/Kerberos implementation that can be used with GlassFish.

A new Tech Tip written by Jiandong Guo of the Application Server Web Services Security team was just posted. Read the tip and learn the basics of WS-SecureConversation. Also see an example that demonstrates how to enable secure conversations for a web service through the WS-SecureConversation support in Metro. You can find the tip here. Setting up the infrastructure can be tricky, so if you're getting started with WS-SecureConv, this is a good document to read. You can get to all the Tech Tips from this site or this blog.

Does GlassFish support REST or SOAP Web Services? Both! REST through Jersey and SOAP through Metro (Jersey will be included in a future Metro release; see the Roadmap).
Security is very important for SOAP Web Services, and Jiandong has a set of notes describing how Metro supports WS-SX (OASIS Web Services Secure Exchange). Check out the Overview.

Java EE has a sophisticated security mechanism based on Roles, Principals and Realms, but we need more examples for simple use-case scenarios. I think we will see more of these as a consequence of our general Open Source push, and this will also help us improve implementations and specifications. Ron has been the Java EE security lead for many years and he has started writing some good entries in this area. Check Principal to Role Mapping and his latest, How to Define ANYONE access.
Please give us feedback on what we can do to make security easier for you to use.

Two new posts explaining advanced uses of Web Services security in Metro. First, Ashutosh explains how to Run a Kerberos Token Profile based WS-Security scenario as it was used at the latest Plugfest in Redmond. This builds on an earlier entry on the same topic.
Then Kumar shows how to programmatically Access the SAML Assertion in a WSIT Secure Scenario.

SSL (Overview, SSL@TA) is the workhorse of secure browser-client communication, at least until the more efficient ECC (ECC@TA) gains adoption over it. SSL has been supported in GlassFish since v1, but GFv2 includes additional keystore features that are profile-specific, which are covered in detail in Kumar's tip on Using SSL with GFv2. Kumar's tip is based on an even more detailed entry where he covers SSL and CRL with GFv2. Check both out!

A tip from Jiandong: Information on Web Services Security at Metro.

The Spnego Project provides a Kerberos-over-SPNEGO plugin for JSR 196-compliant application servers. These are security technologies which can support complex integration scenarios such as single sign-on all the way from your operating system login to a remote web application.
Greg Luck recently announced that the project team has completed a 1.0 release. They're doing development and testing on GlassFish V2, but their code shouldn't contain anything GlassFish-specific (since they align to JSR 196). Once other app servers support this standard, they too will be able to use the Spnego plugin. For more info, see the project's User Guide and FAQ.

One of the goals of GlassFish v2 is to incorporate all the features in SJS AS 8.2 EE (Enterprise Edition). For the most part this means adding features that everybody would want, but some features are mostly for backwards compatibility, or because of specialized needs. The tradeoffs are achieved via the notion of Profiles. Shing Wai has posted a good Overview of how the different Security features map to GF v1, GF v2 and its profiles, and SJS AS 8.2 EE. His summary table is very useful; check it out!

Greg's latest blog talks about how to protect your web app against injected JavaScript that executes script from an unwanted domain. The blog gives specific examples of cross-site scripting (XSS) attacks and the code to guard against them. Although most of the solutions are client-side, it also touches on how to improve server-side code. Greg's previous blog on restricting access to AJAX services is quite popular and useful.

Jean-Francois writes another informative article, this time on adding SSL to Grizzly, which uses NIO. This means that he is adding SSL on top of a framework built on the non-blocking NIO SocketChannel implementation. As he notes, SSL support has been in GlassFish since its inception, but that implementation uses blocking sockets. He goes over the obstacles he faced and the solutions he came up with. He did say it was a bit like riding your bike in the snow: doable, but hard...