Kathir's Blog

Custom Policy Issue in Fusion 11g

kathir — Mon, 21 Jun 2010 12:55:43 +0000

In my SOA services 10g to 11g migration study I’ve struck in the custom policy part.
I’ve followed all the steps what oracle explained in the below url

Creating Custom Assertions

but whenever I’m trying to import the polcy file(step 6) in enterprise manager, I’m getting error.

Finally I found where the issue is. In their document (step 4) they simply mentioned to create jar file, but the structure of the jar should like below

sampleassertion/IpAssertionExecutor.class
META-INF/MANIFEST.MF
META-INF/policies/
META-INF/policies/oracle/
META-INF/policies/oracle/ip_assertion_policy
META-INF/policy-config.xml

Sweet Intro about WS-*

kathir — Tue, 12 Jan 2010 06:12:36 +0000

WS-Security

WS-Security defines how to attach XML Signature and XML Encryption headers to SOAP messages

WS-Security provides profiles for 5 security tokens

         1) Username (with opt. pwd digest)
         2) X.509 cert
         3) Kerberos ticket
         4) SAML assertion
         5) REL (Rights Expression Language) document

WS-Trust

Defines a framework for

        > Issuing, renewing, and validating security tokens
                   >STS (Security Token Service)
                   >Tokens are used by WS-Security
        > Brokering trust relationships within different trust domains

An application may span multiple security domains where each domain has its own Security Token Service (STS)

These multiple STSs can be chained with each other to broker trust among multiple security domains

This pattern is called “brokered trust”

WS-SecureConversation

WS-SecureConversation plays the same role in messagelevel security that SSL plays at the transport level

WS-SecureConversation defines the creation and sharing of security contexts between communicating parties

> The (SCT) element supports the requirements of security contexts

An SCT involves a shared secret used to sign and/or encrypt messages

> Derived keys are used for signing and encrypting messages associated with the security context
> WS-SecureConversation defines how derived keys are computed and passed

WS-Policy

WS-Policy enables one to specify policy information that can be used to access web services applications

A policy is expressed as one or more policy assertions

A policy assertion represents a capability or a requirement

For example, a policy assertion may stipulate that a request to a web service be encrypted, or a policy assertion can define the maximum message size that a web service can accept

The meaning of each assertion is specific to a particular domain, for example, security, reliability, or privacy

WS-PolicyAttachment

WS-PolicyAttachment defines how (WS-Policy) policies are attached to web services

Policies can be bound to WSDL or UDDI

WS-MetadataExchange

Defines how a client can request the metadata it needs to access and communicate with a web service endpoint

Metadata can be WSDL, WS-Policy, schema

Uses WS-Addressing to identify endpoints

WS-MetadaExchange works as follows:

> A requester sends a GetMetadata request message to an endpoint
> The endpoint replies with a GetMetadata response message including a reference to the metadata section requested

Enterprise Integeration Pattern related Frameworks

kathir — Wed, 30 Dec 2009 11:25:47 +0000

Apache Camel is a powerful open source integration framework based on known Enterprise Integration Patterns with powerful Bean Integration.

Apache camel home page:http://camel.apache.org/

EIS Notations

Apache Camel can be used as a routing and mediation engine for the following projects:

Apache ServiceMix which is the most popular and powerful distributed open source ESB and JBI container
Apache ActiveMQ which is the most popular and powerful open source message broker
Apache CXF which is a smart web services suite (JAX-WS)
Apache MINA a networking framework

Introduction to OpenSSO

kathir — Tue, 22 Dec 2009 11:29:49 +0000

I’ve been searching for a good introduction or article for OpenSSO latest one month.
Finally I got a good article which explains OpenSSO step by step in both technically also theoretically.

Introduction

Different between OAUth and OpenID

kathir — Tue, 15 Dec 2009 15:08:01 +0000

Initially I had confusion between OAuth and OpenID, so start using our search giant Google to find the solution.

Now I’m clear what is what.

OpenID:
It is only for Identification / Authentication. Here we need to prove oneself to the OpenID providers like who am I.

OAuth:
It is only Authorization; we are authorizing a third party service to access our personal information without providing our password.

Some interesting links:
Link1

Link2

Getting Started with JPA

kathir — Tue, 15 Dec 2009 12:44:10 +0000

I got a newsletter from DZone regarding JPA.
I feel it’s good for reference purpose also for learners.

Getting Started with JPA

How to accelerate user registration and login operation of our Web Application through OpenID Solution

kathir — Thu, 10 Dec 2009 12:00:44 +0000

JanRain releases a free version of its industry-leading OpenID solution.

RPX Basic enables websites to accelerate user registration and login success by allowing visitors to easily sign in with one of their existing third party accounts from AOL, Facebook, Google, MySpace, or Yahoo!.

Home:

http://rpxnow.com/

Steps:

* First we need to be a member of rpxbasic, for that we need to login using any one of our OpenIDs.

* Once we’ve logged in we can create a new application, it acts like a web application.

* Once we’ve created a application go it’s dashboard.

* Click “Quick Start Guide”, there you can get the details related to how to embed the scripts to enable login/signin operation in our web application.

The scripts are like:

Add the following javascript code to the bottom of each page where you’d like users to sign in:

Copy the following signin/signup link to your pages:


  Sign In

* Embed the above scripts in our index page; this will create a sign In link in the index page. This link will open a small window which asks the user to select a OpenID provider from a list.

* After successful login the total no of user are listed in rpxnow’s application dashboard.

How to use OpenID Technology in our Web Application

kathir — Thu, 10 Dec 2009 08:54:54 +0000

What is OpenID?

OpenID is an open, decentralized standard for authenticating users which can be used for access control, allowing users to log on to different services with the same digital identity where these services trust the authentication body.

Site:
http://openid.net/

Getting Started:
http://openid.net/add-openid/add-getting-started/

Java Library:
I’ve tried out the “JOpenID” library.

JOpenID Project Home:
http://code.google.com/p/jopenid/

Requirements:
JDK 1.6 , Tomcat6

Sample Servlet code:
I’ve changed the sample servlet which present in the JOpenID site

package openidtest;

import java.io.IOException;
import java.io.PrintWriter;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.expressme.openid.Association;
import org.expressme.openid.Authentication;
import org.expressme.openid.Endpoint;
import org.expressme.openid.OpenIdException;
import org.expressme.openid.OpenIdManager;
 

public class MainServlet extends HttpServlet {
 

    static final long ONE_HOUR = 3600000L;
    static final long TWO_HOUR = ONE_HOUR * 2L;
    static final String ATTR_MAC = "openid_mac";
    static final String ATTR_ALIAS = "openid_alias";
 

    OpenIdManager manager;
 

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
 

        //IF proxy
        java.util.Properties props = System.getProperties();
        props.put("proxySet", "true");
        props.put("proxyHost", "PROXY_IPADDRESS");
        props.put("proxyPort", "PROXY_PORT");
 

        manager = new OpenIdManager();
    }
 

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {   
     String op = request.getParameter("op");   
     if (op==null) {       
      // check nonce:
      System.out.println(">>>>>>>> openid.response_nonce==>"+request.getParameter("openid.response_nonce"));
      checkNonce(request.getParameter("openid.response_nonce"));       
      // get authentication:       
      HttpSession session = request.getSession();       
      byte[] mac_key = (byte[]) session.getAttribute(ATTR_MAC);       
      String alias = (String) session.getAttribute(ATTR_ALIAS);       
      Authentication authentication = manager.getAuthentication(request, mac_key, alias);       
      String identity = authentication.getIdentity();       
      String email = authentication.getEmail();       
      // TODO: create user if not exist in database:       
       showAuthentication(response.getWriter(), authentication);   
     }   
     else if ("Google".equals(op) || "Yahoo".equals(op)) {
      manager.setReturnTo("http://"+request.getServerName()+":"+request.getServerPort()+"/OpenIDTest/openidtester");
      
      // redirect to Google/Yahoo sign on page:       
      String alias = manager.lookupExtNsAlias(op);      
      Endpoint endpoint = manager.lookupEndpoint(op);
      System.out.println(">>>>>>>> endpoint.getUrl()==>"+endpoint.getUrl());
      Association association = manager.lookupAssociation(endpoint);       
      HttpSession session = request.getSession();       
      session.setAttribute(ATTR_MAC, association.getRawMacKey());       
      session.setAttribute(ATTR_ALIAS, alias);       
      String url = manager.getAuthenticationUrl(endpoint, association);       
      response.sendRedirect(url);   
     }   
     else {       
      throw new ServletException("Bad parameter op=" + op);   
     }
    }
 

    void showAuthentication(PrintWriter pw, Authentication user) {   
     pw.print("");   
     pw.print(" Hi "+user.getFullname()+"!
Congratulations, you have successfully logged-in!");   
     pw.print("Indentity: "+user.getIdentity()+"
");   
     pw.print("Email: "+user.getEmail()+"
");   
     pw.print("Gender: "+user.getGender()+"
");   
     pw.print("Firstname: "+user.getFirstname()+"
");   
     pw.print("Lastname: "+user.getLastname()+"
");   
     pw.print("Language: "+user.getLanguage()+"");   
     pw.print("");   
     pw.flush();
    }
 

    void checkNonce(String nonce) {
        // check response_nonce to prevent replay-attack:
        if (nonce==null || nonce.length()<20)
            throw new OpenIdException("Verify failed.");
        long nonceTime = getNonceTime(nonce);
        long diff = System.currentTimeMillis() - nonceTime;
        if (diff < 0)
            diff = (-diff);
        if (diff > ONE_HOUR)
            throw new OpenIdException("Bad nonce time.");
        if (isNonceExist(nonce))
            throw new OpenIdException("Verify nonce failed.");
        storeNonce(nonce, nonceTime + TWO_HOUR);
    }
 

    boolean isNonceExist(String nonce) {
        // TODO: check if nonce is exist in database:
        return false;
    }
 

    void storeNonce(String nonce, long expires) {
        // TODO: store nonce in database:
    }
 

    long getNonceTime(String nonce) {
        try {
            return new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ")
                    .parse(nonce.substring(0, 19) + "+0000")
                    .getTime();
        }
        catch(ParseException e) {
            throw new OpenIdException("Bad nonce time.");
        }
    }
}

Web.xml





	
		MainServlet
		openidtest.MainServlet
	

	
		MainServlet
		/openidtester

How to call:-

http://:/OpenIDTest/openidtester?op=Yahoo

http://:/OpenIDTest/openidtester?op=Google

For Additional OpenID Provider:
As of now the sample servlet allows Google and yahoo as a OpenID Provider (OP), if we need more extract the “openid-providers.properties” from “jopenid-1.05.jar” file and add additional OP and its url. The file looks like

 
Google = https://www.google.com/accounts/o8/id
Yahoo = http://open.login.yahooapis.com/openid20/www.yahoo.com/xrds