YarcRamble

Some Oasis WS standards

yarc — Mon, 06 Sep 2010 12:41:56 +0000

A small check-list and reminder on some of the central ws security standards;

WS-Security: signing, encrypting and attaching tokens
WS-Trust: deals with security tokens (STS)
WS-SecureConversation: less overhead with frequent secure exchanges
WS-Policy: how to add constraints including reliability, transactions, security.
WS-SecurityPolicy: set constraints on various security attributes like transport level security, required parts to be signed or encrypted, algorithms
WS-Federation: how to broker identity between various realms

Web service security mechanisms (Metro, WSIT)

yarc — Mon, 06 Sep 2010 12:25:17 +0000

In project Metro – a java/glassfish web services stack – we have the Web Services Interoperability Technologies (WSIT) project. It caters for a number of novel, often security related, web service specifications, like WS-Trust, WS-SecureConversation, WS-SecurityPolicy, WS-ReliableMessaging, WS-AtomicTransactions/Coordination, WS-MetadataExchange and SOAP over TCP.

These are essential ingredients for an enterprise approach to web service solutions. Usefully, the WSIT team has provided a longish list with explanations on the different security mechanism options you might employ with WSIT. This is an educational list w.r.t. what one’s security options in general are for secure messaging. So, let’s have a brief summary;

“Username Authentication with Symmetric Keys”: Client logs in with username, password. Client generates secret key with servers certificate and shares this with server.
“Mutual Certificates Security”: As with option 1, but this time bidirectionally. The server needs to know the client’s public certificate to provide a server generated key. Provides additional confidence in the client I guess.
“Transport Security”: Simply using certificates over SSL. Provides transport layer security such that application layer negotiation – ploicy, tokens, usernames as well as business content – can be done in privacy.
“Message Authentication over SSL”: Option 3 in addition to that the same certificates are used to send an authentication token with the message. I’m a bit unclear on what advantages this provides? It is also a bit unclear to me whether this, as is with SAML, one may use a separate identity provider for the generation of the authentication token.
“SAML Authorization over SSL”: Client requests a service. The service issues an authentication request back to the client. The client asks a SAML identity provider for an authentication token. The client forwards the token and requests the service again. Note that you don’t need to use a separate token service; the client may form the SAML assertion itself.
“Endorsing certificate”: A third party is used to countersign the message. The client asks a third party to countersign the message and the server verifies.
“SAML Sender Vouches with certificates”: A variant of the normal SAML, but where there is an intermediary acting on behalf of the end-user. The underlying problem here is to make sure that the SAML assertion corresponds to the SOAP request, i.e. that the request actually originates from the subject of the SAML assertion (Thanks to Glen Mazza for putting this in simple terms). In this case, an intermediary takes care of signing and packaging the SAML assertion and the SOAP request on behalf of a client. The client has typically been authenticated with the intermediary using some other means.
“SAML Holder-of-Key (HOK)”: In difference to option 7, here the client itself signs the SAML assertion and SOAP request package, making it possible to verify that the request originates from the subject of the SAML assertion.
“Secure Token Service (STS) issued token”: The client asks an STS identity provider for an authentication token. The client forwards the token and requests the service.

It seems a bit confusing to mix message level security (ws-security) and transport level security in the same list of mechanisms. I reason one might have message level security with or without transport level security. And vice versa. Generally it seems that you have

basic authentication,
certificates/pki
a third party serving as an identity provider (Brokered Authentication) and an
endorsing mechanism.

In addition you may have transport layer security.

Another issue regards the difference between SAML and STS. My understanding is that the SAML protocol specifies

32% civilian death rate in drone attacks on pakistani soil?

yarc — Fri, 02 Jul 2010 06:50:31 +0000

Boingboing writes:

“Our study shows that the 114 reported drone strikes in northwest Pakistan, including 18 in 2010, from 2004 to the present have killed approximately between 834 and 1,216 individuals, of whom around 549 to 849 were described as militants in reliable press accounts, about 2/3 of total on average. Thus, the true civilian fatality rate since 2004 according to our analysis is approximately 32%.”.

They themselves quote http://counterterrorism.newamerica.net/drones.

It’s clearly hard to separate facts from fiction here. But 1/3 civilian casualty rate, if roughly right, is hard to justify I’d say.

soap 1.1 vs soap 1.2 content types

yarc — Thu, 01 Jul 2010 11:10:27 +0000

Playing around with Metro, I get this error in my tomcat log;

SEVERE: Unsupported Content-Type: application/soap+xml Supported ones are: [text
/xml]

I scratch my head, and find that

“These errors are related to SOAP 1.1 or 1.2 versions:
SOAP 1.1 uses text/xml
SOAP 1.2 uses application/soap+xml”

thanks to Adrian.

Get subdirs from wget and getting past robot disallows

yarc — Sat, 19 Jun 2010 05:46:18 +0000

I’m going to a place where there is no net, and was thinking of reading the metro manual. A naive approach

$ wget -r https://metro.dev.java.net/guide/

gets me nowhere however, as wget stops pretty fast and leaves a file that states

User-agent: CEE

Disallow:
User-agent: *

Disallow: /

I can do ‘-e robots=off’ mixed with some stuff from Voelkers excellent wget examples:

wget -P guide -e robots=off -r -p -k --no-parent -nH --cut-dirs=1 -e robots=off https://metro.dev.java.net/guide/

That does the trick.

Mda for integration

yarc — Tue, 15 Jun 2010 19:36:51 +0000

On a project I work on, we’re doing something I’ve only done as student exercises and never in a large scale commercial project. All interfaces that are exposed and used by external agents are development-wise managed by a model driven architecture (MDA). All web services exposed and file transfers that are shared with some external partner is governed this way. Let’s for brevity name all these exposed services. Architecturally, there is a separate integration server that handles all exposed services and there is an application server that relates to this integration server.

Now, we maintain a UML model of the exposed services, it’s dependent objetcs, as well as the service interfaces between the integration server and the application server.
We then use Andromda to transform the model to java source code, produce wsdl and xsds and the like.
- We use a custom cartridge dependent on Freemarker as a template engine for producing these source files.

So what do we gain by this?

I’m not entirely sure. We’ve sort of inherited this unusual and fancy setup. A common problem with integration work is that definitions and terms are maintained separately in on each agent being part of the relation and as such needs to be kept in synch. E.g. if an object definition changes then all its serializations, be it xsd or java, needs to be updated and on all hosts that partake in some exchange based on this object.

With an MDA approach which spans multiple hosts, one needs only one update however, and then the andromda wizardry will take care of that all serializations of this definition are generated and are identical.

One may counter however, that with a traditional dependent project (a jar or a maven2 pom) which contains the shared definitions, then all that synchronization work will do itself. And that’s probably true. But without some custom script, code or other magic, you won’t get synchronized xsd’s (and possibly wsdl’s if you embed your xsd’s).

Still, the advantage is debatable given the cost of maintaining and configuring the andromda and custom cartridges though.

Finally, you get very nice documentation and overviews. It is easier for a newbie to see the totality and understand the scope of the system.

hiding fullscreen citrix in linux

yarc — Fri, 11 Jun 2010 09:01:40 +0000

I remote to various workplaces over citrix. I’d prefer other technologies, but that’s another story. I work in fullscreen. But, I often need to switch out of my citrix environment and back to the linux host to do other things. This does the trick;

ctrl-f2, tells citrix that the next keystroke is to be passed through
alt-f9, this makes gnome pack away the window.

Thanks to Scott McDonald for this handy tip.

Mule debug and config files

yarc — Sat, 05 Jun 2010 19:03:38 +0000

1. You may attach a debugger by editing the wrapper.conf file;

wrapper.java.additional.3=-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005

Additionally, I added to the invocation of mule a -debug flag, e.g. in the hello example;

 exec "$MULE_BASE/bin/mule" -debug -config hello-http-config.xml

2. Let’s look at the hello example; The config.xml file consists of a set of definitional items, e.g.

and then continues with a model which consists of a set of services;

Each service seems to feature an , a and an section;

You may, it seems define multiple inbound-endpoints. It seems there is a vm:inbound-endpoint for every service and which precedes the component part.

2.1. outbound and inbound endpoints seem to match on path, e.g.

matches

2.2. Which method on components are called? Seems there is a fair amount of reflection going on. With the

mule will pick a unique public method from ChitChatter that doesn’t match

“ignoredMethods=[getClass, clone, equals, hashCode, getInvocationHandler, get*, wait, is*, notify, toString, notifyAll]”

If there are more than one match, you add a method parameter, url style;

2.3. How does Mule know which types to use when calling and filtering?

a. In

HttpRequestToNameString is an AbstractTranformer and returns a NameString.

b. Greeter.greet(NameString) receives this data.

c. In the filtering-router, the router selects according to type;

d. in the component class is called after the transformer NameStringToChatString is called. Input is then ok.

Unagile TOGAF

yarc — Sat, 22 May 2010 07:10:21 +0000

I’m TOGAF certifying myself. Going through an 800 page book. Authorless by the way. A set of contributors are listed, but there are no editors and authors per se. That’s quite unusual.

Anyway, one cannot help but think of how software engineering was before agile came along, when one works with this framework. A majority of the methodological steps are about defining things (architectures and all that follows). As opposed to implementing and realizing. And the number of documents and textual deliverables is staggering. It seems so cumbersome and bureaucratic. It reminds me of the definitions, plans and specifications that were prescribed by pre-agile software development methods.

Now, the proponents of TOGAF will surely put forward that the framework must be tailored to the needs and constraints of the business and case at hand. And that one may, given the right circumstance, skip and trim to make the process lighter. Hmm.

That echoes arguments we heard from pre-agile s/w development method proponents when agile came with it’s fairly revolutionary approach as well. And then there were the chorus from pre-agile s/w development method proponents saying that the agile way would go off the rails and it would be chaos without clear definitions and full specifications before the actual development could start.

I realize that enterprise architectural work is quite different from software development. And it might be that in fact you need to be as stringent and document centric as TOGAF prescribes.

But still..

reuse of visual content in java projects

yarc — Fri, 05 Mar 2010 13:19:55 +0000

Hm.. what are my options when you want to reuse some visual content rendered by some other runtime component?

Let’s say you have war A that renders some pages. Let’s say you’re writing another war (B) and you suddenly want to reuse some ot the content from A. Let’s say you want to inherit, but also tweak. Parameterize I guess. I could..

do: jstl ”/>in a jsp page. This includes rendered content however, so you don’t get to influence the content before rendering.

do: response.sendRedirect(); on the server side. Ditto disadvantage as above.


make a jsp taglib. I principle I guess you may put anything in the start and end tag methods, but in practice it is at best an unelegant method for reusing visual content with some size and layout
use maven2’s war plugin’s overlay functionality. This works, but is somewhat crude, and requires good control over naming and directories.
make a (jsf 2.0+) facelet taglib. No disadvantages, but a huge added bonus that you may include all kinds of fancy layout and composition as you would normally do with facelets. And paramterization works just fine.


So this last option is the only good option in my opinion. Let’s have a look;
Component A
In web.xml you define the taglib;

 javax.faces.FACELETS_LIBRARIES
 
 /META-INF/mfoTags.taglib.xml
 
 
In META-INF (nowhere else, or the inter-module/war dependency will not work) you define mfoTags.taglib.xml (and it needs to have both taglib and xml as postfixes) :

 
 http://yarc.name/mfoFaceletTags
 
 siteNav
 ../WEB-INF/tags/siteNav.xhtml
 
 

..and you need (at least) an empty faces-config.xml:





Finally, you need to package this as a jar (not a war). My solution here was to make a symbolic link since I wanted component A to remain a war since it is used as a war component on it’s own.
That’s it. Now for the user of this component;
Component B
You need to include a classpath ref to the above mentioned jar.
In the .xhtml file you’re going to refer to the facelet tag

 
 
 
 ...
 
 
 ...
 
 
 

–
If that isn’t simple and beautiful, then I don’t know what. Almost poetry.  
Week-end time!
Thanks to Laliluna for small tricks and hints and the excellent facelet documentation.