The latest Enterprise Tech Tip is written by Ron Monzillo and covers JSR 196, the Java Authentication Service Provider Interface for Containers. The document walks through the detailed steps for writing, installing, and configuring a simple SAM (server authentication module), and also shows how to bind your application to it.
GlassFish v2 already supports the Servlet Container Profile for this JSR, and community member Greg Luck has written (with the help of others) the Spnego project, a SPNEGO and Kerberos implementation for use in GlassFish.

A new Tech Tip written by Jiandong Guo of the Application Server Web Services Security team was just posted. Read the tip and learn the basics of WS-SecureConversation. It also includes an example that demonstrates how to enable secure conversations for a web service through the WS-SecureConversation support in Metro. You can find the tip here. Setting up the infrastructure can be tricky, so if you're getting started with WS-SecureConversation, this is a good document to read. You can get to all the Tech Tips from this site or this blog.

Does GlassFish support REST or SOAP Web Services? Both! REST through Jersey and SOAP through Metro (Jersey will be included in a future Metro release, see Roadmap).
Security is very important for SOAP Web Services, and Jiandong has a set of notes describing how Metro supports WS-SX (OASIS Web Services Security Exchange). Check out the Overview.

Java EE has a sophisticated security mechanism based on Roles, Principals and Realms, but we need more examples for simple use-case scenarios. I think we will see more of these as a consequence of our general Open Source push, and this will also help us improve implementations and specifications. Ron has been the Java EE security lead for many years and he has started writing some good entries in this area. Check Principal to Role Mapping and his latest, How to Define ANYONE Access.
Please give us feedback on what we can do to make security easier for you to use.

Two new posts explain advanced uses of Web Services security in Metro. First, Ashutosh explains how to Run a Kerberos Token Profile based WS-Security scenario as it was used at the latest Plugfest in Redmond. This builds on an earlier entry on the same topic.
Then Kumar shows how to programmatically Access the SAML Assertion in a WSIT Secure Scenario.

SSL (Overview, SSL@TA) is the workhorse of secure browser-client communication, at least until the more efficient ECC (ECC@TA) gains adoption over it. SSL has been supported in GlassFish since v1, but GFv2 includes additional keystore features that are profile-specific; these are covered in detail in Kumar's tip on Using SSL with GFv2. Kumar's tip is based on an even more detailed entry where he covers SSL and CRL with GFv2. Check both out!

A tip from Jiandong: Information on Web Services Security at Metro.

The Spnego Project provides a Kerberos-over-SPNEGO plugin for JSR 196-compliant application servers. These are security technologies that can support complex integration scenarios such as single sign-on all the way from your operating system login to a remote web application.
Greg Luck recently announced that the project team has completed a 1.0 release. They're doing development and testing on GlassFish V2, but their code shouldn't contain anything GlassFish-specific (since they align to JSR 196). Once other app servers support this standard, they too will be able to use the Spnego plugin. For more info, see the project's User Guide and FAQ.

One of the goals of GlassFish v2 is to incorporate all the features in SJS AS 8.2 EE (Enterprise Edition). For the most part this means adding features that everybody would want, but some features are mostly for backwards compatibility, or because of specialized needs. The tradeoffs are achieved via the notion of Profiles. Shing Wai has posted a good Overview of how the different Security features map to GF v1, GF v2 and its profiles, and SJS AS 8.2 EE. His summary table is very useful, check it out!

Greg's latest blog talks about how to protect your web app against JavaScript that is used to execute scripts from an unwanted domain. The blog gives specific examples of cross-site scripting (XSS) attacks and the code to guard against them. Although most of the solutions are client-side, it also touches on how to improve server-side code. Greg's previous blog on restricting access to AJAX services is quite popular and useful.

Jean-Francois writes another informative article, this time on adding SSL to Grizzly, which uses NIO. This means that he is adding SSL on top of a framework that uses the NIO SocketChannel (non-blocking) implementation. As he comments, SSL support has been in GlassFish since its inception, but that uses the blocking socket method. He goes over the obstacles that he faced and the solutions he came up with. He did say it was a bit like riding your bike in the snow. Doable but hard...

GlassFish V2 is incorporating support for Comet through Grizzly and, as we gain more experience, we are improving this support. In his latest blog, Jean-Francois describes how to easily Secure the Comet Communication using SSL (not through a Cone of Silence). I'd expect continued improvements in Comet support through GF V2.

ECC (Elliptic Curve Cryptography) is a newer public-key cryptography technique that is very appealing when security needs are high or computational power is limited (as on mobile devices), and it is gaining backing in the industry. The latest Sun WebServer (7.0 Technology Preview) has Support for ECC, and so do GlassFish (experimental so far) and Java. In his latest blog, Jyri reports on actual measurements of the connection cost for different security protocols on Sun's WebServer and shows Big Improvements for ECC. Check it out!
The team behind Sun's WebServer is a close relative of Project GlassFish, and I feel a bit guilty that I've not been able to keep up with all their interesting blogs in the last couple of months. Maybe I'll be able to do something about it next week during Sun's USA shutdown...

Do you want security for the purchase you just made through your mobile? If so, learn about Elliptic Curve Cryptography (Wikipedia, Overview@Sun, ECC and IETF, SunLabs), as it significantly reduces the computational requirements needed to encrypt content. The latest news on ECC is Shing Wai's detailed instructions on How to Enable ECC in GlassFish / SJS AS 9.0. Do not miss this brief comment at the end: A preliminary benchmark of HTTPS with ECC in GlassFish on the Windows XP platform shows that the performance of ECC is double that of RSA... Also see ECC support in Sun's Web Server and ECC support in Java.
PS. I had missed an interesting entry by Shing Wai: Using SSL for EJB; you may want to check that one out as well.