Venu Gopal's Weblog: Venu Gopal's Weblog

Incase you get below mentioned error and you need to use a proxy to access your source repository using svn

svn: PROPFIND request failed on '/svn/glassfish-svn/trunk/v3/web/appserv-webtier'

svn: PROPFIND of '/svn/glassfish-svn/trunk/v3/web/appserv-webtier': Could not resolve hostname `svn.dev.java.net': No address associated with hostname (https://svn.dev.java.net)

then edit "servers" file and set http proxy host and port with appropriate values. This file will be present in your home
directory

~/.subversion/servers
http-proxy-host = xxx.xxx.xxx.com
http-proxy-port = 8080

If you get the below mentioned error when setting up Sailfin development workspace, then the problem can be that your

maven checkout and maven bootstrap-all commands have failed. Check the logs and update your sources or execute checkout and bootstrap-all commands again freshly.

build-pe:
[echo] ------------------------------
[echo] - Building GlassFish modules -
[echo] ------------------------------
[echo] Resolving appserv-docs binary dependency
Starting the reactor...

BUILD FAILED
File...... /home/venu/work/workspace/sailfin/bootstrap/maven.xml
Element... maven:reactor
Line...... 52
Column.... 40
Unable to obtain goal [build] -- /home/venu/work/workspace/sailfin/bootstrap/../../glassfish/bootstrap/maven.xml:264:40: Reactor subproject failure occurred

It is time to write in detail on how to use security features available in Sailfin, so here we go.

Before you begin follow these two common steps.

1. Download latest stable sailfin build from here.
2. Install Netbeans 6.0 with SIP plugin. You will find this installation document useful.

In this entry I will share on how to enable SIP Digest Authentication for SIP Servlet Application and authenticate using a SIP Client(We have tried Twinkle available with Ubuntu and X-Lite)


Step 1:

Create a new SIP Project in Netbeans as shown in Fig1.






Step 3 :  Netbeans generates the SIP servlet with empty methods, I changed it to look like what is seen in figure 3.







Step 4 :  Now that we have created the servlet, we will now proceed to configure the application server.
            To do this Start the application server and database using following commands

Powered by ScribeFire.

Sailfin milestone 3 is out and here is the list of features we added as per JSR 289. I will talk in detail on how to use each of these security features in my next blog.

We have provided support for

• run-as
  

             - can be configured using standard descriptors (sip.xml), example:
                  <servlet>
                        <servlet-name>SipSample</servlet-name>
                        <display-name>SipSample</display-name>
                        <servlet-class>com.sun.test.SipSample</servlet-class>
                        <load-on-startup>0</load-on-startup>
                        <run-as>
                            <role-name>externalUser</role-name>
                        </run-as>
                 </servlet>

• P-Asserted Identity authentication
        P-Asserted Identity form of authentication requires us to define trust rules. Sailfin allows users to achieve this using configuration elements defined in domain.xml. GUI and command line options enable users to configure trust rules. A SIP entity on the network can be part of the trust domain by adding its IP address or hostname under the element trusted-entity as shown below.  To enable users define custom trust rules sailfin provides a TrustHandler interface which the user can implement.
  

           example:

                  <identity-assertion-trust id="default_id_assertion" is-default="true">
                         <!--
                              <trust-handler class-name="org.jvnet.glassfish.comms.security.auth.impl.TrustHandlerImpl">
                                  <property name="certstore" value="/home/venu/certstore.jks"/>
                             </trust-handler>
                         -->
                          <trusted-entity id="tr" trusted-as="intermediate">
                                <ip-address>129.158.229.124</ip-address>
                         </trusted-entity>
                  </identity-assertion-trust>

more soon......

Powered by ScribeFire.

Recently I had opportunity to attend IMSAA conference held at IITB . It was a nice learning experience for a person like me who is new to the IMS world.
The conference was well organized [1] .  We (Sun Microsystems) showcased our opensource Communication Application server  named Sailfin,
you can find all that you will need on Prasad's blog.

I did not attend Prasad's tutorial as I knew most of it :), so instead opted to attend other tutorials. Dr.Simon gave an excellent tutorial on IMS Service Architecture and was always around answering questions , Dr.Archan in his tutorial talked a lot about Presence and shared his experience. I found both T1 and T6 tutorials very informative.

What caught my attention was a demo [2] given my IIIB students, they have done a good job of using and integrating Opensource products available and demonstrating their use. It was good to see
IIIB encouraging and preparing students to be more Industry ready!.

Finally here are some photos[3] of the event , courtesy "Prof Debabrata Das".



[1]http://www.iiitb.ac.in/imsaa2007/schedule.html
[2]http://www.iiitb.ac.in/imsaa2007/demo.html
[3]http://picasaweb.google.com/IMSAA2007

Powered by ScribeFire.

Recently we refactored and enabled Digest authentication support for both HTTP and SIP Container in Sun Java System Communication Application Server(SJSCAS/Sailfin).Supporting digest authentication with different backends can be done by writing custom Login modules and a custom realm.

1.Custom Login Module
2.Custom Realm

1.Custom Login module:
can be provided either by extendingcom.sun.enterprise.security.auth.login.DigestLogin abstract class or by implementing javax.security.auth.spi.LoginModule standard interface. If one chooses to extend from DigestLogin module class then below mentioned abstract method has to be implemented. The getGroups method returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in login.conf file under $AS_INSTALL_HOME/domains/domain1/config/login.conf directory.
Eg: of JDBC Digest Login module in login.conf file is shown below

++++++

/* Copyright 2004 Sun Microsystems, Inc. All rights reserved. */
/* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */

fileRealm {
com.sun.enterprise.security.auth.login.FileLoginModule required;
};
ldapRealm {
com.sun.enterprise.security.auth.login.LDAPLoginModule required;
};
solarisRealm {
com.sun.enterprise.security.auth.login.SolarisLoginModule required;
};
jdbcRealm {
com.sun.enterprise.security.auth.login.JDBCLoginModule required;
};
jdbcDigestRealm {
com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};

++++++

Sample implementation of DigestLogin Module is shown below.

public class JDBCDigestLoginModule extends DigestLoginModule {

public JDBCDigestLoginModule() {
}

protected Enumeration getGroups(String username) {

   try {

    return this.getRealm().getGroupNames(username);

   } catch (InvalidOperationException ex) {

   Logger.getLogger("global").log(Level.SEVERE, null, ex);

   } catch (NoSuchUserException ex) {

   Logger.getLogger("global").log(Level.SEVERE, null, ex);

  }

   return null;

  }

}

2.Custom Realm :

Inorder to provide a custom realm one has to write a new custom realm[1] or modfiy existing realms by extending from com.sun.enterprise.security.auth.realm.DigestRealmBase abstract class. The method validate is an abstract method in DigestRealmBase.

public boolean validate(String username, DigestAlgorithmParameter[] params);

the implementors validate function will have to retrieve the password from the backend and invoke the validate method of the super class. The validate method syntax of the super class DigestRealmBase is shown below. The validate method will return true if digest validation has succeeded or false if digest does not match. The DigestAlgorithmParameter parameter shown below represents the digest algorithm parameters retrieved from incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException ;

com.sun.enterprise.security.auth.digest.api.Password is used to pass the password either a prehashed (username+realmname+password) password or plain text password to validate the digest.

public interface Password {

public static final int PLAIN_TEXT= 0;
public static final int HASHED = 1;

/**
* returns PLAIN_TEXT or HASHED.
* @returns int
*/
    public int getType();

/**
* returns password.
* @returns byte[]
*/
  public byte[] getValue();

}

This custom realm can be configured for use in SIP/HTTP applications as described in docs [2].

You can download sailfin/SJSCAS builds from https://sailfin.dev.java.net/.

[1]http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view
[2]http://docs.sun.com/app/docs/doc/819-3658/6n5s5nkmq?l=en&a=view#ablpi

Note : Interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS

Powered by ScribeFire.

From past couple of months I have been working on implementing Security features for Sailfin. Sailfin is based on JSR 289 and all the functional specifications that are under development are posted here. You can post your comments on features,requirements using the template posted here.

JSR 289 requires Sailfin to support Digest Authentication and P-Asserted Identity. We have enabled Digest authentication for both SIP and HTTP containers and one should be able to try it out using latest builds. I will soon write on how to configure Digest authentication for HTTP, SIP Containers in SJSCAS/Sailfin.

Like Harold said in his blog this milestone has lots of fixes and it is not too late to provide feedback on any issues that you think needs to be fixed. So go ahead and file them....

Powered by ScribeFire.

We have a BOF(4108) at JavaOne  this year. Jiandong,Ashutosh and Shyam will be available to discuss how to build Secure Web Services in an interoperable manner using WSIT. To learn more please visit Hall E 134 Moscone Center on Thursday(May 10) at 7.55 PM.

Powered by ScribeFire.

Kumar recently wrote a nice article which covers some important details about WSIT Security Configuration. If you want to learn all about WSIT Security Token Validators then this is the article you need to read.

WSIT 1.0 allows different message parts(eg: Addressing Headers,SOAP Body etc..) to be either signed or encrypted. Netbeans  provides a easy way to configure message has to be secured. One can configure their application such that only responses from the server can be secured and request from the client to the server can be plain SOAP Message.



                                                          Snapshot 1: Input and Ouput Message parts

Snapshot 1 shows Message Parts tabs for Input and Output Message under the operation getAccountBalance. These tabs allow user to configure message parts to be Signed/Encrpted for getAccountBalance request from the client and getAccountBalance response from the server.




 
Snapshot 2 shows the message parts that are Signed, Encrypted by default. As seen the snapshot 2 user has the option to change the default configuration by adding/removing message parts.

For eg: If user wants to secure only the response message from the server and not the request then the user needs to unselect all the Message Parts under Input Message as shown in snapshot 3.




Snapshot 3: All Message Parts unselected (Message will be secured).

Note : Even though none of the message parts shown above may be secured but the SOAP Message may have
Security Header with Signature and Timestamp based on the Binding level policy.

WSIT is available as part of Glassfish v2.

Technorati Tags: WSIT, XWSS, Security, Webservices security, WCF, .Net, Glassfish, Security Policy, Netbeans , WS Security

XWSS 3.0 in WSIT by default generates InclusivePrefixList for Exclusive canonicalization algorithm under Signatures and not many implementations of WS Security support this element. So incase you face such a issue where WS Security implementation reject messages generated from WSIT for this reason. You can now disable use of InclusivePrefixList in outgoing messages generated by WSIT by adding “DisableInclusivePrefixList” policy assertion.

Server side policy assertion :
<sunsp:DisableInclusivePrefixListxmlns:sunsp="http://schemas.sun.com/2006/03/wss/server"></sunsp:DisableInclusivePrefixList>

Client side policy assertion :
<sunsp:DisableInclusivePrefixListxmlns:sunsp="http://schemas.sun.com/2006/03/wss/client"></sunsp:DisableInclusivePrefixList>

Sample Signature when DisableInclusivePrefixList is used.

<ds:Signature xmlns:ns10="http://schemas.xmlsoap.org/soap/envelope/" Id="1">
    <ds:SignedInfo> 
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />        
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />        
        <ds:Reference URI="#5002">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>            
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />            
            <ds:DigestValue>...........</ds:DigestValue>
        </ds:Reference>        
        <ds:Reference URI="#3">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>            
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />            
            <ds:DigestValue>...........</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>    
    <ds:SignatureValue>................</ds:SignatureValue>    
    <ds:KeyInfo>
        <wsse:SecurityTokenReference>
            <wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                            URI="#adf15bbb-2a98-4dd0-81f4-34072d05521a" />
        </wsse:SecurityTokenReference>
    </ds:KeyInfo>
</ds:Signature>

Technorati Tags: WSIT, XWSS, WS Security, WS SecurityPolicy, Policy, WCF, .Net, Signatures

powered by performancing firefox

Kumar and myself had  the opportunity to present on WSIT at Sun Tech Days 2007 Hyderabad. The title of the presentation was "JAX-WS and WSIT : Tangoing with .NET". The talk was well attended and we had to face some interesting questions :). Developers were excited about WSIT and .Net interoperability. The goal of the presentation was to introduce developers to JAXWS , Netbeans and various components of WSIT(Transactions, Optimization, Security,Reliable Messaging , WSIT programming model). Kumar did a demo on JAXWS and RM using Netbeans, this demonstrated how simple it was to write a Web service application and enable WSIT components. 

For those who are still wondering on what WSIT is all about and how it will benefit you or if you have more specific questions or issues, I recommend you to visit us at http://wsit.dev.java.net or post questions on WSIT forum or email us at users@wsit.dev.java.net / dev@wsit.dev.java.net .

WSIT is part of Glassfish v2 builds and can also be downloaded from WSIT .

powered by performancing firefox

In order to take advantage of new Message design provided in JAXWS 2.1 we revamped XWSS in WSIT milestone 3. XWSS 3.0 now has two implementations of WS Security one is based on DOM/SAAJ api's and other is based on JAXB and StAX api's . We have by default enabled JAXB and StAX based implementation. The performance benefits we get from the default implementation is really exciting. The burden of DOM and SAAJ is no longer needed to support most commonly used security scenarios. I will soon publish the performance improvement we have got over XWSS 2.0. Though the default implementation is efficient it has some limitations in this release of WSIT. We do not support XPATH , i,e we do not support SignedElements and EncryptedElements. We do support this under DOM based implementation.

Ability to switch between these two implementation automatically based on the SecurityPolicy will be supported in future releases of WSIT. In this release we can switch to DOM based WS Security implementation by adding DisableStreamingSecurity policy assertion in wsit-client.xml on client side and wsit.xml/ wsdl on the server side.

Client side assertion :

<sunsp:DisableStreamingSecurity xmlns:sunsp="http://schemas.sun.com/2006/03/wss/client"></sunsp:DisableStreamingSecurity>

Server side assertion :

<sunsp:DisableStreamingSecurity xmlns:sunsp="http://schemas.sun.com/2006/03/wss/server"></sunsp:DisableStreamingSecurity>

powered by performancing firefox

More and more emphasis on better Developer support has resulted in Webservices Security getting some focus on tools support. Jiandong,VB Kumar and myself did a technical session at JavaOne 2006 [ TS-3473 Building Secure and Trusted Web Services Using "Project Tango"] where we demonstrated Netbeans[TM] support, to configure webservices security. As the tools support was just out of the furnace, except to see more ease of use features and configuration support. Go here to get more information on Netbeans support for WSIT.

Netbeans helps developers to embed complex policy assertions into the wsdl just by few clicks of your mouse button , I am excited to see tools get better... more later.