I spent the whole summer in Sri Lanka and now I'm back in Purdue.
The summer was quite eventful! ... Met up with a few old friends, went on a few trips ... But there was one thing that makes me really happy about the summer:
I lost 25 lbs!!! For the first time in my life I bought clothes that are smaller than the current size!
Two of my best friends (Malinda and Devaka), got me signed up at a local gym (Which I have to note, was the most expensive gym I've been to in Sri Lanka :P) ... And this time I somehow resisted the traditional rice and curry that I used to have for all three meals ... It was tough but it is a great feeling when you see a lower reading on the scale.
I feel good, but I have a new target weight to get to, it is not easy! :-)
I moved into a new apartment. Happy that I have way more space compared to the little dorm room I was in the last two semesters.
So I'm back to studies ... I'm taking CS 580 (Algorithms) and CS 541 (Databases) this semester in addition to my research work and the 20 hours of software development work that I do for my assistantship.
Sunday, August 30, 2009
Thursday, February 12, 2009
Thursday, February 05, 2009
Sunday, December 07, 2008
Friday, November 21, 2008
Information Cards for Active Directory Users

This tutorial shows how simple it is to set up WSO2 Identity Solution with an existing LDAP directory.
Wednesday, November 19, 2008
A Dangerous Trend !
Prabath points out an important issue that has been bothering me for a long time.
There are such a lot of web applications nowadays that request the users for their passwords for other applications. Of course they promise that those passwords will not be misused ... and oh yeah ... people do keep promises :P
What sort of a guarantee do those web applications give that the user's passwords are never leaked? Programmers make mistakes! And how can one be certain that there are no covert channels that may leak those passwords?
The answer is no one can ever be sure!
Another issue with this paradigm (or anti-pattern) is that it may become socially acceptable for one system to ask for the user's authentication details of another system. This is extremely dangerous!!!... Why? ... Just think of how easy it will make it for one to phish now ... The attacker may obtain credentials of one system and now can easily trick the user to give up passwords of his/her other accounts.
As Prabath points out it is really disappointing to see that this approach is promoted by a lot of popular web applications.
Tuesday, November 18, 2008
Wednesday, October 22, 2008
Thursday, September 25, 2008
twitbin and your twitter password
I just tried to install the twitbin firefox plugin. Well ... very nice interface!!!
BUT it seems like twitbin first sends my username and password to http://www.twitbin.com. Firefox will prompt you asking whether to remember the password for this site :P
I believe this should NOT be done :(
A user should NEVER have to give his/her credentials of a certain web application to a 3rd party web application. How can I be 100% sure that those who developed the 3rd party web application wrote perfect code that never leaks my user name/password of my other web application?
Interestingly the twitbin.com privacy policy is very simple and short :
Our privacy policy is simple: we don’t store any personal data about you. We
do track the total minutes spent with twitbin open, and the number of users
who use it. We don’t have any way of seeing what you say, or who you say it
to. User sessions are authenticated through twitter, so your data passes to
them, not us.
You use twitbin at your own risk, we’ve tested it, it hasn’t crashed our
computers, but we just built this in a week. If you see a bug, let us know.
SOURCE: http://twitbin.com/blog/privacy/
Well ... why does firefox ask my permission whether it is OK to REMEMBER the password (and when done so there is an entry against http://twitbin.com) when I try to log in to twitter with my plugin? So is the statement "User sessions are authenticated through twitter..." still true? I haven't really gone through the messages that are exchanged between twitbin.com and the browser... but the fact that the browser remembers the twitter user name/password against http://www.twitbin.com is more than enough evidence for me! (Or is this a firefox bug? :-) )
This sucks! ... so people ... please be careful when you use these sort of applications!!!
Thursday, September 18, 2008
Monday, September 15, 2008
WSF PHP : The ONLY SOAP stack for PHP with WS-Sec* support
Friday, September 12, 2008
Adding a Calendar Control in Joomla Content
It is quite easy ... Thanks Sudheera for help in figuring this out!
Include the following CSS and JS from the root of Joomla installation.
<link rel="stylesheet" type="text/css" media="all" href="/includes/js/calendar/calendar-mos.css" title="green" />
<script type="text/javascript" src="/includes/js/calendar/calendar.js"></script>
<script type="text/javascript" src="/includes/js/jscalendar-1.0/lang/calendar-en.js"></script>
Now you can use a text box to hold the date value and show the calendar control on the "onclick" event:
<input id="date1" name="date1" onclick="return showCalendar('date1','y-mm-dd');" value="2008-06-23">
The calendar control will use the initial value if any, and if the value of the text box is null then it will use the current date!
Sunday, August 24, 2008
Update from Purdue
Well it has been about one and a half weeks since I came to Purdue ... I've been updating my twitter quite regularly about the things that happened so far.
I miss my family and friends back home, a lot ... I miss the great food my mother used to make and now I think by the end of this semester I will be able to lose a few pounds with my very primitive cooking ... :P ... Ah .. I have some pics of my new room ... will post them as soon as I get my new laptop :D
Yesterday we (Sahan, Nabeel et al.) drove down to Indianapolis and met most of our old friends from the WSO2 days :-) ... It was really nice to meet up and talk about the old times.

Well my classes are starting tomorrow ... and it will be the start of a whole new set of challenges... Am certainly looking forward to it! :-)
Sunday, August 10, 2008
The Breaking Of The Fellowship - LOTR
This is one of my favorites :-) :
When the cold of winter comes
Starless night will cover day
In the veiling of the sun
We will walk in bitter rain
But in dreams
I can hear your name
And in dreams
We will meet again
When the seas and mountains fall
And we come, to end of days
In the dark I hear a call
Calling me there,
I will go there
And back again
Source
5:15 to 7:21
Tuesday, June 24, 2008
Web Services Security with Apache Rampart – Part 2 (Message-Level Security)
Some time back I blogged about Nandana's article on using transport level security with Apache Rampart policy based configuration. Here's part two of the article, which talks about using WS-SecurityPolicy to apply and enforce message level security on SOAP messages using Apache Axis2 and Apache Rampart.
Thursday, June 19, 2008
Back after a while ...
Hmm ... I've been away from blogging for more than a month ... so here's a recap of what I couldn't blog about :
- Had my first trip to London...
  Interesting city ... I like it when it is sunny over there :-) ... Met some of my friends from my school days ...
  See more pics here and here.
- A lot of projects made releases:
  - Apache Axis2 - 1.4
  - Apache Rampart - 1.4 [We are working on getting the logo finalized :-) ]
  - Apache Synapse - 1.2
  - WSO2 WSAS - 2.3
  - WSO2 ESB - 1.7
  - WSO2 WSF C - 1.3.0
  - WSO2 WSF PHP - 1.3.2
- Nadal beat Federer to claim his 4th French open title ... Looking forward to Wimbledon !!!
- WSO2 CTO, Paul became one of the top 25 CTOs of 2008
- We interop'ed at the MSFT TechED
  Jonathan was there to demonstrate how the WSO2 SOA platform can be used with MSFT .NET to interoperate successfully. Read more here at Dr. Sanjiva's blog.
- Prabath did a webinar on OpenID
  You can view the slides here.
- I went on a trip to Kukuleganga holiday resort last weekend.
  I recommend this place to anyone who likes to get away from the city ... Food is not great ... but the barbecue was very nice! Some pics here.
- Am enjoying the war on ultra mobile laptops. This is a very good site to keep track of the latest developments (Other than engadget of course)
Well ... that's it for now ... :-) ...
Sunday, April 27, 2008
Friday, April 18, 2008
Monday, April 14, 2008
WSO2 Identity Solution 1.5 Released

WSO2 Identity Solution team is pleased to announce the release of WSO2 Identity Solution 1.5, feature-rich with OpenID.
The WSO2 Identity Solution, which enables LAMP and Java websites to provide strong authentication based on the new interoperable Microsoft CardSpace technology, released version 1.5 today.
This new release includes OpenID and OpenID Information Cards, further enhancing the WSO2 Identity Solution to cater to a wider audience for web based authentication. OpenID is a key feature in decentralizing single sign-on, much favored by many users.
The WSO2 Identity Solution also works with current enterprise identity directories, such as those based on the Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory, allowing them to leverage their existing infrastructure. In addition to the Identity Provider, the WSO2 Identity Solution provides a Relying Party Component Set which plugs into the most common Web servers to add support for CardSpace authentication and now OpenID.
WSO2 Identity Solution 1.5 can be downloaded from
http://wso2.org/downloads/solutions/identity.
Greatly appreciate your feedback and please report any issues found, using the public JIRA available at https://wso2.org/jira/browse/IDENTITY.
New features in version 1.5
---------------------------
* OpenID Provider and relying party component support
* OpenID information cards based on user name-token credential and self issued credential
* SAML 2.0 support
Other Key Features
------------------
* Identity provider
  - Simple management console
  - Ability to connect to custom user stores (LDAP/Microsoft ActiveDirectory, JDBC)
  - Built in user store
  - Support for the CardSpace default claim set
  - Support for custom claim dialects and claims types
  - Statistics/reporting/audit trail
  - Ability to revoke information cards
  - Issues information cards based on username-token credential and self issued credential
* Apache HTTPD relying party module - mod_cspace
  - CardSpace authentication support for static web content
  - Support for any server side scripting language supported by Apache2
  - Easy integration interface for developers
  - Support for content management frameworks such as Drupal, MediaWiki
* Java Servlet Filter relying party component
  - Provides an intuitive plug-in for J2EE web application developers to enable CardSpace authentication
  - Supports multi-valued claims
  - Supports a set of simple operation modes
Training
--------
WSO2 Inc. offers a variety of professional Training Programs, including training on Identity Management with WSO2 Identity Solution and a number of other products.
For additional support information please refer to
http://wso2.com/training/course-catalog/
Support
-------
WSO2 Inc. offers a variety of development and production support programs, ranging from Web-based support up through normal business hours, to premium 24x7 phone support.
For additional support information please refer to
http://wso2.com/support/
- WSO2 Identity Solution Team
Thursday, March 13, 2008
Monday, February 11, 2008
Access a Restricted EJB Method as a Web Service with UsernameToken Authentication
What if we need to expose an EJB as a web service? No problem ... we can simply use the org.apache.axis2.rpc.receivers.ejb.EJBMessageReceiver provided by Axis2. But what if the EJB's methods are access restricted?
I figured out that it is very easy to write a custom wrapper web service to expose such a protected EJB and use standard UsernameToken authentication on it.
Following are the steps I followed to try this out:
Step 1 : Basic EJB sample with OpenEJB
First I followed this "hello world" sample using OpenEJB, set up the OpenEJB container and deployed the EJB.
Step 2 : Modified "HelloBean" to restrict access to "sayHello" method
    @RolesAllowed({"committer"})
    public String sayHello() {
        return "Hello World!!!";
    }
Now only users with committer role can access this method.
The users used by the default login module implementation are listed in "conf/users.properties" of the OpenEJB distribution.
Step 3 : Develop and deploy a service to wrap the EJB
We basically have to write a service that is a client to this EJB. I engaged Rampart on this service and configured it with WS-SecurityPolicy to expect a UsernameToken. And then obtained the user name and password from security processing results and used those credentials in invoking the EJB.
Have a look at the following service class :
    package org.acme;

    import java.io.IOException;
    import java.util.Properties;
    import java.util.Vector;

    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.rmi.PortableRemoteObject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;

    import org.apache.axis2.context.MessageContext;
    import org.apache.ws.security.WSConstants;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.WSUsernameTokenPrincipal;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    public class SimpleEJBService implements CallbackHandler {

        public String sayHello() throws Exception {
            Properties props = new Properties();
            props.put(Context.INITIAL_CONTEXT_FACTORY,
                    "org.apache.openejb.client.RemoteInitialContextFactory");
            props.put(Context.PROVIDER_URL, "ejbd://127.0.0.1:4201");

            // Obtain the principal carried in the incoming UsernameToken
            WSUsernameTokenPrincipal principal = getPrincipal();

            // Pass the user name and password on to the EJB container,
            // whose login module performs the actual authentication
            props.put(Context.SECURITY_PRINCIPAL, principal.getName());
            props.put(Context.SECURITY_CREDENTIALS, principal.getPassword());

            Context ctx = new InitialContext(props);
            Object ref = ctx.lookup("HelloBeanRemote");

            // Invoke the access restricted method
            Hello h = (Hello) PortableRemoteObject.narrow(ref, Hello.class);
            return h.sayHello();
        }

        /*
         * Traverse the security processing results of rampart and pick the
         * UsernameToken information. Fails if the request carried none, so
         * that the caller never sees a null principal.
         */
        private WSUsernameTokenPrincipal getPrincipal() {
            MessageContext msgCtx = MessageContext.getCurrentMessageContext();
            Vector results = (Vector) msgCtx
                    .getProperty(WSHandlerConstants.RECV_RESULTS);
            if (results == null) {
                throw new RuntimeException("No security results!!");
            }
            for (int i = 0; i < results.size(); i++) {
                // Get hold of the WSHandlerResult instance
                WSHandlerResult rResult = (WSHandlerResult) results.get(i);
                Vector wsSecEngineResults = rResult.getResults();
                for (int j = 0; j < wsSecEngineResults.size(); j++) {
                    // Get hold of the WSSecurityEngineResult instance
                    WSSecurityEngineResult wser =
                            (WSSecurityEngineResult) wsSecEngineResults.get(j);
                    int action = ((Integer) wser
                            .get(WSSecurityEngineResult.TAG_ACTION)).intValue();
                    if (action == WSConstants.UT) {
                        return (WSUsernameTokenPrincipal) wser
                                .get(WSSecurityEngineResult.TAG_PRINCIPAL);
                    }
                }
            }
            throw new RuntimeException("No UsernameToken in security results!!");
        }

        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException {
            // Do nothing since we simply want to move forward
            // user name and password to the EJB container
        }
    }
The services.xml is as follows :
    <service>
        <parameter name="ServiceClass" locked="false">org.acme.SimpleEJBService</parameter>
        <operation name="sayHello">
            <messageReceiver
                class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
        </operation>
        <module ref="rampart"/>
        <wsp:Policy wsu:Id="UTOverTransport" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <wsp:ExactlyOne>
                <wsp:All>
                    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy>
                            <sp:TransportToken>
                                <wsp:Policy>
                                    <sp:HttpsToken RequireClientCertificate="false"/>
                                </wsp:Policy>
                            </sp:TransportToken>
                            <sp:AlgorithmSuite>
                                <wsp:Policy>
                                    <sp:Basic256/>
                                </wsp:Policy>
                            </sp:AlgorithmSuite>
                            <sp:Layout>
                                <wsp:Policy>
                                    <sp:Lax/>
                                </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp/>
                        </wsp:Policy>
                    </sp:TransportBinding>
                    <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                        <wsp:Policy>
                            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
                        </wsp:Policy>
                    </sp:SignedSupportingTokens>
                    <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                        <ramp:passwordCallbackClass>org.acme.SimpleEJBService</ramp:passwordCallbackClass>
                    </ramp:RampartConfig>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
    </service>
Note that I didn't bother with authentication of the incoming UsernameToken because this will be handled by the login module of the EJB container.
I first copied all (probably we don't need all of them ...) openejb-* jars from the OpenEJB distro and the jar'ed org.acme.Hello interface to the "lib" directory of WSO2WSAS-2.2 standalone and deployed the service.
Step 4 : Web service client
Finally I generated a client stub using the WSDL2Java tool and developed my client code:
    package org.acme;

    import org.acme.HelloEJBStub.SayHelloResponse;
    import org.apache.axiom.om.impl.builder.StAXOMBuilder;
    import org.apache.axis2.client.Options;
    import org.apache.axis2.client.ServiceClient;
    import org.apache.axis2.context.ConfigurationContext;
    import org.apache.axis2.context.ConfigurationContextFactory;
    import org.apache.neethi.Policy;
    import org.apache.neethi.PolicyEngine;
    import org.apache.rampart.RampartMessageData;

    public class Client {

        public static void main(String[] args) throws Exception {
            // This is because we use a self signed SSL cert in WSO2WSAS
            System.setProperty("javax.net.ssl.trustStore", "/path/to/wso2wsas.jks");
            System.setProperty("javax.net.ssl.trustStorePassword", "wso2wsas");

            ConfigurationContext ctx = ConfigurationContextFactory
                    .createConfigurationContextFromFileSystem("/path/to/my/client/repo");
            HelloEJBStub stub = new HelloEJBStub(ctx);
            ServiceClient client = stub._getServiceClient();

            // Engage Rampart
            client.engageModule("rampart");
            Options options = client.getOptions();

            // Set user name and password
            options.setUserName("jonathan");
            options.setPassword("secret");

            // Load and set UsernameToken/HTTPS policy
            options.setProperty(
                    RampartMessageData.KEY_RAMPART_POLICY,
                    loadPolicy("/path/to/simpl/usernametoken/over/https/policy.xml"));

            // Invoke service operation
            SayHelloResponse resp = stub.sayHello();
            System.out.println(resp.get_return());
        }

        // Build a Neethi policy object from the policy file at the given path
        private static Policy loadPolicy(String xmlPath) throws Exception {
            StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
            return PolicyEngine.getPolicy(builder.getDocumentElement());
        }
    }
Note that I have used "jonathan" as the user name and "secret" as the password. This user is there by default in the OpenEJB distro.
That's it !!! ... When I ran the client I got the following response:
Hello World!!!
And when I tried changing the username I get :
Exception in thread "main" org.apache.axis2.AxisFault: This principle is not authorized.
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:479)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:351)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:397)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:214)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at org.acme.HelloEJBStub.sayHello(HelloEJBStub.java:433)
at org.acme.Client.main(Client.java:32)
Now it is clear that the login module was not able to authenticate the user.
Saturday, January 12, 2008
Wednesday, January 09, 2008
CardSpace Authentication and Web Services Security Training
WSO2 now offers training sessions on CardSpace Authentication and Web Services Security. The first two sessions will be held on the 30th and 31st January respectively.
Interested? Register now !!!
Sunday, January 06, 2008
How to Secure REST Style Web Services Invocations with WSO2 WSAS
Friday, January 04, 2008
A talented pianist : David Sides
A guy with some amazing talent with the piano...
Akon - Don't Matter
One Republic/Timbaland - Apologize
Nickelback - Far Away
According to this he plays all his songs by ear!!!
UsernameToken authentication with the *nix account credentials
Ever wondered how we can enable users of a Linux box to authenticate against a web service?
Apache Rampart can be used with JPam to easily set this up. You can simply set up UsernameToken authentication (policy/sample01 in the Apache Rampart distro) and use this callback handler implementation to authenticate against PAM. Make sure you follow the instructions in INSTALL.txt in the JPam distribution to set up JPam before using the callback handler.
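A callback handler of the kind described above, as an added example: it is not the handler the post links to, and not Rampart's or JPam's own code. It assumes the WSS4J 1.5.x `WSPasswordCallback` API that ships with Rampart and JPam's `net.sf.jpam.Pam` class; the package and the class name `PamPasswordCallbackHandler` are hypothetical. PAM needs the clear-text password, so the handler accepts only plain-text UsernameTokens and rejects everything else.

```java
package org.acme; // hypothetical package for this added example

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import net.sf.jpam.Pam;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Added example (hypothetical class): Rampart password callback that checks
 * the credentials of an incoming UsernameToken against the local PAM stack.
 */
public class PamPasswordCallbackHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Unrecognized callback");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];

            // For a plain-text UsernameToken, WSS4J 1.5.x passes the received
            // password to the handler with usage USERNAME_TOKEN_UNKNOWN and
            // expects the handler to validate it. A digest token arrives with
            // a different usage and asks the handler to supply the stored
            // password, which PAM cannot provide, so it is refused here.
            if (pwcb.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Only plain-text UsernameToken passwords are supported");
            }

            String user = pwcb.getIdentifer(); // method name as spelled in WSS4J 1.5.x
            String password = pwcb.getPassword();

            // Refuse empty credentials before they reach PAM
            if (user == null || user.length() == 0 || password == null) {
                throw new UnsupportedCallbackException(callbacks[i],
                        "Authentication failed");
            }

            // Default constructor: JPam's default PAM service configuration,
            // installed as described in JPam's INSTALL.txt
            Pam pam = new Pam();
            if (!pam.authenticateSuccessful(user, password)) {
                // Same message for an unknown user and a wrong password,
                // so the fault does not reveal which accounts exist
                throw new UnsupportedCallbackException(callbacks[i],
                        "Authentication failed");
            }
        }
    }
}
```

The class is registered through the `passwordCallbackClass` element of the Rampart configuration, and because the token carries the password in clear text it should only be accepted over a protected transport such as HTTPS.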
Saturday, December 22, 2007
Adding InfoCard login to a J2EE Web Application
This article by Dimuthu explains how one can set up information card logins with J2EE web applications using the WSO2 Identity Solution 1.0 Java relying party servlet filter component.
WSO2 Registry 0.1 Released
WSO2 Registry enables you to store, catalog, index and manage your enterprise meta data in a simple, scalable and easy-to-use model. It is designed around community concepts such as tags, comments, ratings, users and roles. Think of the registry as a structured wiki designed to help you manage your meta-data in a simple business-friendly system.
In addition, the registry allows you to store more unstructured data such as Word documents, Excel spreadsheets and text formats. Using these approaches, you can build a catalog of enterprise information ranging from services, service descriptions to employee data and on going projects.
WSO2 Registry can be deployed in Application Servers and accessed using the Web UI or the APP interface. It can also be used as a Java library inside other Java programs as a resource store with all community features and versioning.
WSO2 Registry is released under the Apache License v2.0
Features List
- Storing and managing resources and collections
- Tagging, commenting and rating resources
- Managing users and roles
- Authentication and authorization
- Resource / collection versioning
- Tag based search
- Advanced search
- Activity log and filtering support for the activity logs
- APP based Remote Registry
- Media type handling support (experimental)
- Web based user interface with Web 2.0 look and feel
The release can be downloaded from http://wso2.org/downloads/registry
Tuesday, December 18, 2007
OpenId Information Cards: CardSpace with a different token type?
Prabath, who is working on integrating OpenID with WSO2 Identity Solution, has made some interesting notes about OpenID and CardSpace.
I certainly do agree with his points and I also fail to see the real value addition that OpenID information cards bring in when compared to CardSpace. Isn't it the same old CardSpace with a different token type?
By the way ... we hope to have OpenID support integrated into our Identity Provider in the next release of the Identity Solution. So... stay tuned! :-)
Monday, December 17, 2007
WSO2 Identity Solution 1.0 is now available
We released the WSO2 Identity Solution last week with an Identity Provider and a set of relying party components.
The identity provider component supports issuance of information cards and tokens defined by Microsoft CardSpace specifications. Some of the main features are :
- Simple management console
- Ability to connect to custom user stores (LDAP/Microsoft ActiveDirectory, JDBC)
- Built in user store
- Support for the CardSpace default claim set
- Support for custom claim dialects and claims types
- Statistics/reporting/audit trail
- Ability to revoke information cards
- Issues information cards based on username-token credential and self issued credential
The relying party components include an Apache2 HTTPD module (mod_cspace) and a Java servlet filter component. mod_cspace has useful features such as the ability to enforce CardSpace authentication on static web content. Extensions for Drupal and MediaWiki are also available and can be easily configured with mod_cspace.
Documentation on setting up and using the identity provider and other relying party components is available at http://wso2.org/project/solutions/identity/1.0/docs/index.html
Thursday, November 15, 2007
Sunday, November 11, 2007
Wednesday, November 07, 2007
Thursday, November 01, 2007
Thursday, October 25, 2007
WSO2 IS : Identity Provider updated to trust all valid RPs
During the Barcelona Catalyst OSIS Interop we figured out that we were too strict in validating relying parties: we expected the admin of the identity provider or the users of the identity provider to specifically register relying parties. We have now removed this restriction, and the identity provider can issue tokens to any relying party with a certificate issued by a known CA.
In the case where a relying party doesn't meet the above requirement, users can add that as a trusted relying party after logging in with their user name/password or self issued information card.

The WSO2 Identity Solution identity provider instance for interop work is available at : https://identity.lk.wso2.com:12443/
Monday, October 22, 2007
Axis2 and Rampart Training
Deepal and I will be in San Francisco on the 1st of November and will be conducting these training sessions on Apache Axis2 and Apache Rampart.
The Apache Rampart session will be an introductory level training on how to deploy and configure the Rampart and Rahas modules with a set practical exercises.
Interested? Register here
The Apache Rampart session will be an introductory level training on how to deploy and configure the Rampart and Rahas modules with a set practical exercises.
Interested? Register here
Sunday, October 21, 2007
Integrity and non-repudiation of resources
Trying to answer Dims' question here, I created a small application.
http://ww2.wso2.org:8081/restsig/index.html
Here I used a servlet filter to add HTTP headers to the response indicating where to find the signature and digest files when a resource is requested.
Sample response headers when /index.html is requested :
resource-sig: /restsig/index.html.sig
resource-xmlsig: /restsig/index.html.xmlsig
resource-md5: /restsig/index.html.md5
resource-sig-cert: MIIDCjCCAfKgAwIBAg...=
http://ww2.wso2.org:8081/restsig/index.html.sig
http://ww2.wso2.org:8081/restsig/index.html.md5
Furthermore in the case of HTML (assuming well formed) and XML files this app generates the XML signature as well.
http://localhost:8081/restsig/index.html.xmlsig
Now one can develop a simple browser plugin to verify the signature and digest (certificate information can be made available as a header or a separate resource).
The source of this can be found here :
https://wso2.org/repos/wso2/people/ruchith/rest-stuff/sig
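A client-side check of the kind the browser plugin above would perform, as an added example that is not code from the restsig application. It assumes an RSA/SHA-256 signature over the raw resource bytes and a hex-encoded .md5 file (the post gives neither format), uses an in-memory object in place of the server, and pins a public key instead of parsing the resource-sig-cert certificate; all function names are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for the key behind the site's certificate.
function newSigner() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

function md5Hex(buf) {
  return crypto.createHash('md5').update(buf).digest('hex');
}

// Constructed stand-in for the server: a resource plus its .sig and .md5
// companions. Signature and digest formats are assumptions (see lead-in).
function publish(path, body, privateKey) {
  const content = Buffer.from(body, 'utf8');
  return {
    [path]: content,
    [path + '.sig']: crypto.sign('sha256', content, privateKey),
    [path + '.md5']: Buffer.from(md5Hex(content), 'ascii'),
  };
}

// Response headers in the shape of the post's sample.
function responseHeaders(path) {
  return { 'resource-sig': path + '.sig', 'resource-md5': path + '.md5' };
}

// Verify a fetched resource. `site` maps paths to Buffers; `trustedKey` is a
// public key the verifier already trusts. A key or certificate delivered in
// the same response cannot be the trust anchor, because whoever can alter the
// resource can alter that header too.
function verifyResource(site, path, headers, trustedKey) {
  const body = site[path];
  if (!body) return { ok: false, reason: 'resource missing' };

  const sigPath = headers['resource-sig'];
  const md5Path = headers['resource-md5'];
  // Fail closed: absent headers must not be read as "nothing to verify".
  if (!sigPath || !md5Path) return { ok: false, reason: 'headers missing' };

  const sig = site[sigPath];
  const md5File = site[md5Path];
  if (!sig || !md5File) return { ok: false, reason: 'companion missing' };

  // The digest file is unsigned and served from the same place as the
  // resource, so it only catches accidental corruption.
  const advertised = md5File.toString('ascii').trim().toLowerCase();
  if (advertised !== md5Hex(body)) return { ok: false, reason: 'digest mismatch' };

  // The signature is the check that carries the integrity guarantee.
  if (!crypto.verify('sha256', body, trustedKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, reason: 'verified' };
}
```

A body swapped together with a recomputed .md5 file passes the digest step and is rejected only by the signature check against the pinned key.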
Friday, October 12, 2007
Mahela, Sanga, Malinga and Me !!!
Mahela Jayawardena - Captain of the Sri Lanka cricket team

Kumar Sangakkara - Vice-captain of the Sri Lanka cricket team

Lasith Malinga

Thursday, October 04, 2007
WSO2 Identity Solution 1.0-beta Released !
WSO2 Identity Solution team is pleased to announce the release of WSO2 Identity Solution 1.0-beta.
Release artifacts can be downloaded from :
http://dist.wso2.org/products/solutions/identity/1.0-beta/
The online documentation is available here :
http://wso2.org/project/solutions/identity/1.0-beta/docs/index.html
WSO2 Identity Solution provides the following components to enable
CardSpace authentication for web applications.
* An Identity Provider
The identity provider includes an application to issue information cards and a security token service. The security token service can be deployed to issue tokens to trusted users. An identity selector will obtain tokens from the Identity Provider and authenticate the users to Web applications with those tokens.
* A set of Relying Party components
Relying party components include an Apache HTTPD module and a Servlet filter. The HTTPD module can be used with any Web application that is hosted with Apache HTTPD irrespective of the implementation language. The Servlet filter component is intended for Java based Web containers.
Key Features in this Release
* Identity provider
- Supports connecting to a JDBC or an LDAP user store
- Issues information cards based on username-token credential and self issued credential
- Allows adding custom claims and mapping them to user attributes in the user store
- Revocation of issued information cards
- Manage trusted relying parties
* Apache HTTPD relying party module - mod_cspace
* Java Servlet Filter relying party component
Reporting Problems
------------------------------------------------------------------------
Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/IDENTITY
Contact us
WSO2 Identity Solution developers can be contacted via mailing lists:
* For Users: identity-user@wso2.org
* For Developers: identity-dev@wso2.org
For details on subscriptions see
http://www.wso2.org/projects/solutions/identity#mail
Thank you for your interest in WSO2 Identity Solution
WSO2 Identity Solution Team
Friday, September 21, 2007
WSO2 User Manager 0.1 Released
This release can be downloaded from
"http://dist.wso2.org/products/commons/usermanager/0.1/"
Features of User Manager 0.1
============================
* User Management using "org.wso2.usermanager.readwrite.DefaultRealm".
1) Add/edit/delete users
2) Add/edit/delete roles
3) Manage users and roles
4) Manage user and role authorizations
* Plugin to Existing user stores
1) org.wso2.usermanager.custom.jdbc.JDBCRealm - This can connect to existing RDBMS user stores via a JDBC driver and authenticate users. It can retrieve user properties from the users table. This is tested using MySQL and Derby database drivers.
2) org.wso2.usermanager.custom.ldap.LDAPRealm - This can connect to an existing LDAP server, authenticate users and retrieve user attributes. This is tested using OpenLDAP.
3) org.wso2.usermanager.custom.acegi.AcegiRealm - Can perform authentication provided the bean mapping for AuthenticationProvider.
* A web app to perform user verification using Emails
This consists of 3 jsp files and a single class. Extract the webapp and integrate register.jsp, signon.jsp and validate.jsp into your application. Add the WEB-INF/lib files and classes directory to your war file or classpath.
For more information please refer to
"http://wso2.org/repos/wso2/trunk/commons/usermanager/distribution/README"
Wednesday, September 19, 2007
Managing users in your applications
At www.wso2.org we are working on a bunch of projects and all of them require user management at various levels. With WSO2 usermanager we are trying to come up with a library that will let developers handle user authentication and authorization in applications in a homogeneous manner. This code is available under the Apache licence.
The usermanager's main point of entry into a user store (Database/LDAP directory) is an org.wso2.usermanager.Realm implementation. The next release of the usermanager will provide two such implementations, for LDAP and JDBC. With an org.wso2.usermanager.Realm the application developer will be able to query the user store for tasks such as authentication and authorization, and to obtain properties of a certain user.
Monday, September 17, 2007
Sunday, September 16, 2007
Keystore Explorer
Here's a simple tool to explore contents of a keystore.
Source code is available here :
https://wso2.org/repos/wso2/people/ruchith/kse
Thursday, September 06, 2007
Apache Rampart 1.3 Released
This is the 1.3 release of Apache Rampart.
Apache Rampart 1.3 is a toolkit that provides implementations of the WS-Sec* specifications for Apache Axis2 1.3, based on Apache WSS4J 1.5.3 and the Apache AXIOM-DOOM 1.2.5 implementations.
You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/rampart/1_3
There are two main Apache Axis2 modules provided with this release.
* rampart-1.3.mar
This provides support for WS-Security and WS-SecureConversation
features.
* rahas-1.3.mar
This module provides the necessary components to enable SecurityTokenService functionality on a service.
Apache Rampart 1.3 uses a configuration model based on WS-Policy and WS-Security Policy. It is important to note that the Apache Rampart 1.0 style configuration is also available even though being marked as deprecated.
Apache Rampart 1.3 can be successfully used with the next Apache Sandesha2 release targeted towards Apache Axis2 1.3 to configure WS-SecureConversation + WS-ReliableMessaging scenarios.
The rampart module was successfully tested for interoperability with other WS-Security implementations.
WS - Sec* specifications supported by Apache Rampart are as follows:
* WS - Security 1.0
* WS - Secure Conversation - February 2005
* WS - Security Policy - 1.1 - July 2005
* WS - Trust - February 2005
* WS - Trust - WS-SX spec - EXPERIMENTAL
Thank you for using Apache Rampart.
Apache Rampart team
Apache WSS4J 1.5.3 Released
Apache WSS4J Team is happy to announce the WSS4J-1.5.3 release.
Apache WSS4J is an implementation of the OASIS Web Services Security (WS-Security) from OASIS Web Services Security TC. WSS4J is a Java library that can be used to sign and verify SOAP Messages with WS-Security information.
You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/wss4j/1_5_3
Apart from the binary and source distributions, we have an additional ZIP file that contains other required JAR files to install and run WSS4J.
Please refer to the *readme.* files in the distribution for further information regarding implemented features, additional information, links to the Wiki pages, etc.
Enjoy !
The WSS4J team
Tuesday, August 28, 2007
Struts2 tutorial
This is a nice tutorial that one can use to learn struts2 fast !
Labels:
Struts2
Friday, August 10, 2007
Apache Rampart-1.3-RC1 is available
Apache Rampart 1.3 - RC1 is available now ...
http://people.apache.org/~ruchithf/rampart/1_3_RC1/
Do give it a go and report any issues you have :
https://issues.apache.org/jira/browse/RAMPART
Saturday, August 04, 2007
You Raise Me Up
This is one of my all time favourites. I originally heard Josh Groban's version.
However there's a bit of a history to this wonderful song.
According to Wikipedia this song has been recorded more than 473 times ... I stumbled upon a number of performances of this song by various artists :
- Westlife (featuring Secret Garden)
- Celtic Woman
And oh ... some figure skaters have used this song as well :
For me this song is all about two of the greatest people in my life ... my parents.
Labels:
music
Thursday, August 02, 2007
Podcast on Rahas
Rahas is the WS-Trust implementation of Apache Rampart. I recently did a podcast with WSO2 Oxygen Tank about Rahas and it's available here.
Monday, July 30, 2007
Wednesday, July 25, 2007
WSO2 WSAS 2.0 released
The WSO2 WSAS team is pleased to announce the release of the WSO2 WSAS 2.0
This release can be downloaded from http://wso2.org/projects/wsas/java
WSO2 WSAS 2.0 - Release Note - 23rd July 2007
=========================================
WSO2 WSAS is an integrated Web services Platform which offers a complete
middleware solution. It is a lightweight, high performing platform for
Service Oriented Architectures, enabling business logic and
applications. Bringing together a number of Apache Web services
projects, WSO2 WSAS provides a secure, transactional and reliable
runtime for deploying and managing Web services.
What is new in WSAS 2.0
----------------------------
* Data services support
Allows data in relational databases to be exposed as Web services, and to be included in Web mashups with ease.
* Eclipse IDE integration
Wizard based flows to automate most steps and make easy the process of developing, deploying and debugging Web services.
* Clustering support
Clustering support with state replication for high availability, along with load balancing, failover and cluster-wide management functions.
* Full support for WS-Security, WS-Trust, WS-Policy and WS-SecureConversation and XKMS. Extended security with support for WS-Security, WS-Trust, WS-Policy and WS-SecureConversation with
additional means for secure Web-based communications using public key infrastructure (PKI) with XKMS. This release of WSO2 WSAS also includes an inbuilt SecurityTokenService as defined in WS-Trust specification.
* EJB service provider support
Expose EJBs deployed on a remote J2EE application server (AS) as Web services.
* Axis1 backward compatibility
Easily deploy any Apache Axis1-based Web service and engage advanced WS-* services, such as WS-RM and WS-Policy in front of legacy Axis1 services.
Plus various bug fixes.
-------------------------
Known Issues
------------
1. POJO to Web service feature is still at an experimental stage. One can upload jar/zip file and can create an AAR out of it. If you uploaded a jar/zip file which has a services.xml file in its
META-INF directory, when its transformed into AAR its services.xml will be replaced by the generated services.xml. In addition to this, the user cannot associate any library dependencies or web content with the generated AAR file.
Due to limitations in Axis2, method overloading is not supported, and hence the WSDL for services where methods are overloaded cannot be generated. Hence all WSDL based functionality related to services will not work for such services.
2. WS-Policy support is still in experimental stage and limited to single port scenarios.
3. You cannot have two different versions of the Apache Sandesha2 module in the system.
4. Atrue entry has been added to the HTTP & HTTPS transportSenders in order to overcome some issues with some browsers. In case of interoperability failures, please change the value of this parameter to false and retry.
------------------------
Reporting Problems
========================
Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/WSAS
------------------------
Contact us
========================
WSO2 WSAS developers can be contacted via mailing lists:
For Users : wsas-java-user@wso2.org
For Developers : wsas-java-dev@wso2.org
For details on subscriptions see http://www.wso2.org/projects/wsas/java#mail
Alternatively, questions can also be raised in the forums:
For Users : http://www.wso2.org/forum/181
For Developers : http://www.wso2.org/forum/184
Thanks for your interest in WSO2 WSAS
--- WSO2 WSAS Team
Thursday, July 19, 2007
WSO2 WSAS 2.0-beta Released
The WSO2 WSAS team is pleased to announce the release of the WSO2 WSAS
2.0-beta
This release can be downloaded from http://wso2.org/projects/wsas/java
WSO2 WSAS is an integrated Web services Platform which offers a complete
middleware solution. It is a lightweight, high performing platform for
Service Oriented Architectures, enabling business logic and
applications. Bringing together a number of Apache Web services
projects, WSO2 WSAS provides a secure, transactional and reliable
runtime for deploying and managing Web services.
What is new in WSAS 2.0-beta
----------------------------
* Data services support
Allows data in relational databases to be exposed as Web services,
and to be included in Web mashups with ease.
* Eclipse IDE integration
Wizard based flows to automate most steps and make easy the process
of developing, deploying and debugging Web services.
* Clustering support
Clustering support with state replication for high availability,
along with load balancing, failover and cluster-wide management functions.
* Full support for WS-Security, WS-Trust, WS-Policy and
WS-SecureConversation and XKMS. Extended security with support for
WS-Security, WS-Trust, WS-Policy and WS-SecureConversation with
additional means for secure Web-based communications using public key
infrastructure (PKI) with XKMS. This release of WSO2 WSAS also includes
an inbuilt SecurityTokenService as defined in WS-Trust specification.
* EJB service provider support
Expose EJBs deployed on a remote J2EE application server (AS) as Web
services.
* Axis1 backward compatibility
Easily deploy any Apache Axis1-based Web service and engage advanced
WS-* services, such as WS-RM and WS-Policy in front of legacy Axis1
services.
---------------------------
Known Issues
---------------------------
1. POJO to Web service feature is still at an experimental stage.
One can upload jar/zip file and can create an AAR out of it.
If you uploaded a jar/zip file which has a services.xml file in its
META-INF directory, when its transformed into AAR its services.xml
will be replaced by the generated services.xml. In addition to this,
the user cannot associate any library dependencies or web content with
the generated AAR file.
Due to limitations in Axis2, method overloading is not supported, and
hence the WSDL for services where methods are overloaded cannot be
generated.
Hence all WSDL based functionality related to services will not work for
such services.
2. WS-Policy support is still in experimental stage and limited to single
port scenarios.
3. You cannot have two different versions of the Apache Sandesha2 module
in the system.
4. Atrue entry has been
added to the HTTP & HTTPS transportSenders in order to overcome some
issues with some browsers. In case of interoperability failures, please
change the value of this parameter to false and retry.
------------------------
Reporting Problems
========================
Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/WSAS
------------------------
Contact us
========================
WSO2 WSAS developers can be contacted via mailing lists:
For Users : wsas-java-user@wso2.org
For Developers : wsas-java-dev@wso2.org
For details on subscriptions see http://www.wso2.org/projects/wsas/java#mail
Alternatively, questions can also be raised in the forums:
For Users : http://www.wso2.org/forum/181
For Developers : http://www.wso2.org/forum/184
Thanks for your interest in WSO2 WSAS,
-- WSO2 WSAS Team
2.0-beta
This release can be downloaded from http://wso2.org/projects/wsas/java
WSO2 WSAS is an integrated Web services Platform which offers a complete
middleware solution. It is a lightweight, high performing platform for
Service Oriented Architectures, enabling business logic and
applications. Bringing together a number of Apache Web services
projects, WSO2 WSAS provides a secure, transactional and reliable
runtime for deploying and managing Web services.
What is new in WSAS 2.0-beta
----------------------------
* Data services support
Allows data in relational databases to be exposed as Web services,
and to be included in Web mashups with ease.
* Eclipse IDE integration
Wizard based flows to automate most steps and make easy the process
of developing, deploying and debugging Web services.
* Clustering support
Clustering support with state replication for high availability,
along with load balancing, failover and cluster-wide management functions.
* Full support for WS-Security, WS-Trust, WS-Policy and
WS-SecureConversation and XKMS. Extended security with support for
WS-Security, WS-Trust, WS-Policy and WS-SecureConversation with
additional means for secure Web-based communications using public key
infrastructure (PKI) with XKMS. This release of WSO2 WSAS also includes
an inbuilt SecurityTokenService as defined in WS-Trust specification.
* EJB service provider support
Expose EJBs deployed on a remote J2EE application server (AS) as Web
services.
* Axis1 backward compatibility
Easily deploy any Apache Axis1-based Web service and engage advanced
WS-* services, such as WS-RM and WS-Policy in front of legacy Axis1
services.
---------------------------
Known Issues
---------------------------
1. POJO to Web service feature is still at an experimental stage.
One can upload jar/zip file and can create an AAR out of it.
If you uploaded a jar/zip file which has a services.xml file in its
META-INF directory, when its transformed into AAR its services.xml
will be replaced by the generated services.xml. In addition to this,
the user cannot associate any library dependencies or web content with
the generated AAR file.
Due to limitations in Axis2, method overloading is not supported, and
hence the WSDL for services where methods are overloaded cannot be
generated.
Hence all WSDL based functionality related to services will not work for
such services.
2. WS-Policy support is still in experimental stage and limited to single
port scenarios.
3. You cannot have two different versions of the Apache Sandesha2 module
in the system.
4. A
added to the HTTP & HTTPS transportSenders in order to overcome some
issues with some browsers. In case of interoperability failures, please
change the value of this parameter to false and retry.
- ------------------------
Reporting Problems
========================
Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/WSAS
------------------------
Contact us
========================
WSO2 WSAS developers can be contacted via mailing lists:
For Users : wsas-java-user@wso2.org
For Developers : wsas-java-dev@wso2.org
For details on subscriptions see http://www.wso2.org/projects/wsas/java#mail
Alternatively, questions can also be raised in the forums:
For Users : http://www.wso2.org/forum/181
For Developers : http://www.wso2.org/forum/184
Thanks for your interest in WSO2 WSAS,
-- WSO2 WSAS Team
Sunday, June 10, 2007
Apache Sandesha2 1.2 released
We are proud to announce the 1.2 release of Apache Sandesha2. This release is compatible with recently released Axis2 1.2.
Major features of this release include.
Support for the replay model for WSRM 1.0
Improvements to the Rampart integration.
Improvements to the Client API
We also made a number of bug fixes and improvements to the code based on comments from users and developers.
You can download the source and binaries from,
http://ws.apache.org/sandesha/sandesha2/download.cgi
Saturday, June 02, 2007
Apache Rampart 1.2 Released
This is the 1.2 release of Apache Rampart.
Apache Rampart 1.2 is a toolkit that provides implementations of the
WS-Sec* specifications for Apache Axis2 1.2, based on Apache WSS4J 1.5.2
and the Apache AXIOM-DOOM 1.2.4 implementations.
There are two main Apache Axis2 modules provided with this release.
* rampart-1.2.mar
This provides support for WS-Security and WS-SecureConversation
features.
* rahas-1.2.mar
This module provides the necessary components to enable
SecurityTokenService functionality on a service.
Apache Rampart 1.2 uses a configuration model based on WS-Policy and
WS-Security Policy and it is important to note that Apache Rampart 1.0
style configuration is also available even though being marked as
deprecated.
Apache Rampart 1.2 can be successfully used with the next Apache
Sandesha2 release targeted towards Apache Axis2 1.2 to configure
WS-SecureConversation + WS-ReliableMessaging scenarios.
The rampart module was successfully tested for interoperability with
other WS-Security implementations.
WS - Sec* specifications supported by Apache Rampart are as follows:
* WS - Security 1.0
* WS - Secure Conversation - February 2005
* WS - Security Policy - 1.1 - July 2005
* WS - Trust - February 2005
* WS - Trust - WS-SX spec - EXPERIMENTAL
Rampart-1.2 artifacts can be downloaded from :
http://www.apache.org/dyn/closer.cgi/ws/rampart/1_2
Thank you for using Apache Rampart.
Apache Rampart team
Thursday, May 31, 2007
Apache WSS4J 1.5.2 Released
Apache WSS4J Team is happy to announce the WSS4J-1.5.2 release.
You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/wss4j/1_5_2
Apart from the binary and source distributions, we have an additional
ZIP file that contains other required JAR files to install and run WSS4J.
This release of wss4j uses Apache XML Security 1.4.0.
Please refer to the *readme.* files in the distribution for
further information regarding implemented features, additional
information, links to the Wiki pages, etc.
Enjoy !
The WSS4J team
JNI wrapper for GPG
Monday, May 07, 2007
Apache Axis2/C 1.0.0 Released
Apache Axis2/C Team is pleased to announce the release of Apache Axis2/C
version 1.0.0
You can download this release from
http://ws.apache.org/axis2/c/download.cgi
Key Features
1. Support for one-way messaging (In-Only) and request response
messaging (In-Out)
2. Client APIs: Easy to use service client API and more advanced
operation client API
3. Transports supported: HTTP
a. Inbuilt HTTP server called simple axis server
b. Apache2 httpd module called mod_axis2 for server side
c. IIS module for server side
d. Client transport with ability to enable SSL support
e. libcurl based client transport
4. Module architecture, mechanism to extend the SOAP processing model
5. WS-Addressing support, both the submission (2004/08) and final
(2005/08) versions, implemented as a module
6. MTOM/XOP support
7. AXIOM, an XML object model optimized for SOAP 1.1/1.2 messages;
This has complete XML infoset support
8. XML parser abstraction
a. Libxml2 wrapper
b. Guththila pull parser support
9. Both directory based and archive based deployment models for
deploying services and modules
10. Description hierarchy providing access to static data of Axis2/C
runtime (configuration, service groups, services, operations and messages)
11. Context hierarchy providing access to dynamic Axis2/C runtime
information(corresponding contexts to map to each level of description
hierarchy)
12. Message receiver abstraction
a. Inbuilt raw XML message receiver
13. Code generation tool for stub and skeleton generation for a given
WSDL (based on Java tool)
a. Axis Data Binding (ADB) support
14. Transport proxy support
15. REST support (more POX like) using both HTTP POST and GET
16. Comprehensive documentation
a. Axis2/C Manual
Major Changes Since Last Release
1. Many Bug Fixes
2. IIS module for server side
3. libcurl based client transport
4. Improvements to overall API to make it more user friendly, stable
and binary compatible
5. Transport proxy support
6. Memory leak fixes
We welcome your early feedback on this implementation.
Thank you for your interest in Axis2/C.
-- Apache Axis2/C Team --
Congratulations Apache Axis2/C Team !!!
New house, no car and in Maryland without luggage
I just moved into a new house in Battaramulla and moving furniture and other preparations with unusual rainy weather conditions was quite a physical challenge :-). Especially my parents were really tired after the whole process. To make matters worse AMW (local Nissan agents) are still not done with fixing the front bumper and lights of my car (it's been more than a month now) - they are quick to blame the delay on the number of holidays that we had during April (Sinhala and Tamil New Year) and May (Vesak).
Well ... amidst all these I am to present the WSO2 Identity Solution at WSSC 2007! After getting my travel arrangements sorted out at the very last moment, I boarded a Srilankan airways flight to London. Transit in Heathrow was fine and I was happy to find a power adapter for my HP laptop which I was going to use as the demo machine. The Virgin Atlantic flight to Washington DC was nice (They had a cartoon - flight security video which was funny ... hehe). At this point I'm half way through the extra large m&m's I bought in Colombo/Katunayake airport :D. I got through immigration without much of a delay and found myself among a bunch of angry people who can't seem to find their baggage :-( ... I was hoping mine won't end up in somewhere like Hiti. Then it was quite a long shuttle ride to Baltimore, Maryland to the hotel.
Just called the Virgin Atlantic baggage services and they said the bags are in London and that they will be able to get them over to my hotel sometime today! yipii :D ... So now I'm in my hotel room listening to some "baila" songs and trying to get some work done.
Friday, April 27, 2007
Axis2 1.2 Released
Just over 4 months since the original 1.1.1 release, we are very proud
to announce the release of Apache Axis2 version 1.2
Downloads are available at:
http://ws.apache.org/axis2/download.cgi
Apache Axis2 is a complete re-design and re-write of the widely used
Apache Axis engine and is a more efficient, more scalable, more modular
and more XML-oriented Web services framework. It is carefully designed to
support the easy addition of plug-in "modules" that extend its
functionality for features such as security and reliability.
Modules supporting WS-Security/Secure-Conversation (Apache Rampart),
WS-Trust (Apache Rahas), WS-Reliable Messaging (Apache Sandesha) and
WS-Eventing (Apache Savan) will be available after the Apache Axis2
1.2 release. Please see these projects' own sites for further information.
Major Changes Since 1.1:
- Full WSDL 2.0 support (reading, writing, and codegen)
- POJO annotation (JSR 181)
- JAX-WS integration
- JAX-WS -annotation
- Un-wrapping (Response)
- ADB - support for union and list
- Maven2 support
- JSON support
- Binary serialization (Fast infoset)
- Codegen support for WSDL with Multiple services
- HTTP code generation (both WSDL 1.1 and 2.0)
- Custom deployer support
- Message formatters
- Message Builders
- EJB Provider support
Known Issues and Limitations in 1.2 Release:
- XMLBeans databinding does not support response unwrapping
- ADB databinding does not support minOccurs and maxOccurs attributes in sequence and choice elements
Apache Axis2 1.2 is a major new release compared to Axis2 1.1. We are
striving for a simple and happy first time user experience as well as a
satisfying experienced user experience with this release. We welcome any
and all feedback at:
axis-user@ws.apache.org (please include "[axis2]" in the subject)
axis-dev@ws.apache.org (please include "[axis2]" in the subject)
http://issues.apache.org/jira/browse/AXIS2
Thank you for your interest in Apache Axis2!
The Axis2 Development Team
http://ws.apache.org/axis2/
Training courses on Apache Axis2 and Apache Rampart
I will be in Maryland, US in the second week of May. Is anybody
interested in attending tutorials on Apache Axis2 and Apache Rampart?
Both are 1/2 day programs.
This would be on Thursday the 10th of May.
Please drop me a note at training@wso2.com and let me know.
Tuesday, April 24, 2007
WSO2 WSAS and WS-SX:WS-SecurityPolicy-1.2
WSO2 WSAS successfully completed Round3 of the WS-Policy interop. The WS-SecurityPolicy implementation of WSAS is from Apache Neethi2 and Apache Rampart.
This interop used the WS-SecurityPolicy-1.2 specification from the OASIS WS-SX TC.
The WSO2 interop endpoints can be found here
Monday, April 23, 2007
xmlsec-1.4.0.jar in maven2 repo
Thanks to dims, xmlsec-1.4.0.jar is now available in http://people.apache.org/repo/m2-ibiblio-rsync-repository maven2 repository.
All those who are planning to use xmlsec-1.4.0 or who have rampart/wss4j SNAPSHOT dependencies can upgrade to 1.4.0 now! Note that the group id is org.apache.santuario, Santuario being the new TLP name of Apache XML-Security.
Next releases of Apache WSS4J and Apache Rampart will be using XML-Security-1.4.0
Trouble Importing my own card into Windows Cardspace
These days we are developing the identity provider component of the WSO2-Identity Solution and to get IE-7 identity selector to acquire tokens from our STS we need to be able to import a card generated and signed by our identity provider.
We generate cards with the help of the Apache XML-Security library. However Windows CardSpace is not able to accept the card and claims there's a problem with signature verification. But I can verify my cards using Apache XML-Security library.
I posted a question here in the "Windows CardSpace" MSDN forum. If anyone can shed some light on this issue please comment here or reply in the forum.
Monday, April 16, 2007
Beauty of Mathematics
This is from an email I received from one of my friends :
1 x 8 + 1 = 9
12 x 8 + 2 = 98
123 x 8 + 3 = 987
1234 x 8 + 4 = 9876
12345 x 8 + 5 = 98765
123456 x 8 + 6 = 987654
1234567 x 8 + 7 = 9876543
12345678 x 8 + 8 = 98765432
123456789 x 8 + 9 = 987654321
1 x 9 + 2 = 11
12 x 9 + 3 = 111
123 x 9 + 4 = 1111
1234 x 9 + 5 = 11111
12345 x 9 + 6 = 111111
123456 x 9 + 7 = 1111111
1234567 x 9 + 8 = 11111111
12345678 x 9 + 9 = 111111111
123456789 x 9 + 10 = 1111111111
9 x 9 + 7 = 88
98 x 9 + 6 = 888
987 x 9 + 5 = 8888
9876 x 9 + 4 = 88888
98765 x 9 + 3 = 888888
987654 x 9 + 2 = 8888888
9876543 x 9 + 1 = 88888888
98765432 x 9 + 0 = 888888888
1 x 1 = 1
11 x 11 = 121
111 x 111 = 12321
1111 x 1111 = 1234321
11111 x 11111 = 123454321
111111 x 111111 = 12345654321
1111111 x 1111111 = 1234567654321
11111111 x 11111111 = 123456787654321
111111111 x 111111111 = 12345678987654321
Friday, March 30, 2007
WSO2 Identity Solution Alpha Released !

We are happy to announce the alpha release of WSO2 Identity Solution.
This release can be downloaded from the following location :
http://dist.wso2.org/products/solutions/identity/alpha/
Key features of this release include
- An Apache2 module to enable CardSpace authentication on a web application.
- A ServletFilter component to enable CardSpace authentication on a Java servlet based web application.
- Two samples explaining the use of the above components. (Please follow instructions given in the README files)
Release artifacts :
-------------------------------------------------------------------------------
Binary distribution - identity-solution-alpha-bin.zip
Source distribution - identity-solution-alpha-src.zip
Project Information
-------------------------------------------------------------------------------
Web site - http://www.wso2.org/projects/identity
Issue tracker - https://wso2.org/jira/browse/IDENTITY
Mailing list - identity-dev@wso2.org
Thanks,
WSO2 Identity Solution Team
Saturday, March 24, 2007
Sunday, December 31, 2006
Monday, December 11, 2006
Sunday, December 10, 2006
Apache Rampart 1.1 Released
Apache Rampart team is happy to announce the 1.1 release of Apache Rampart
You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/rampart/1_1
Apache Rampart 1.1 is a toolkit that provides implementations of the
WS-Sec* specifications for Apache Axis 1.1, based on Apache WSS4J 1.5.1
and the Apache AXIOM-DOOM 1.2.1 implementation.
What is in this release
There are two main Apache Axis2 modules provided with this release.
* rampart-1.1.mar
This provides support for WS-Security and WS-SecureConversation
features.
* rahas-1.1.mar
This module provides the necessary components to enable
SecurityTokenService functionality on a service.
Apache Rampart 1.1 introduces a new configuration model based on
WS-Policy and WS-Security Policy and it is important to note that Apache
Rampart 1.0 style configuration is now deprecated and will not be
available in next major version.
Apache Rampart 1.1 can be successfully used with the next Apache
Sandesha2 release targeted towards Apache Axis2 1.1 to configure
WS-SecureConversation + WS-ReliableMessaging scenarios.
The rampart module was successfully tested for interoperability with
other WS-Security implementations.
WS - Sec* specifications supported by Apache Rampart are as follows:
* WS - Security 1.0
* WS - Secure Conversation - February 2005
* WS - Security Policy - 1.1 - July 2005
* WS - Trust - February 2005
* WS - Trust - WS-SX spec - EXPERIMENTAL
Thank you for using Apache Rampart.
The Apache Rampart team
Apache WSS4J 1.5.1 Released
Apache WSS4J Team is happy to announce the WSS4J-1.5.1 release.
You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/wss4j/1_5_1
Apart from the binary and source distributions, we have an additional
ZIP file that contains other required JAR files to install and run WSS4J.
Please refer to the *readme.* files in the distribution for
further information regarding implemented features, additional
information, links to the Wiki pages, etc.
The WSS4J core classes were improved to allow more flexibility and
control, and the following issues were fixed after the 1.5.0 release:
WSS-35, WSS-44, WSS-48, WSS-50, WSS-53, WSS-58, WSS-61
Enjoy !
The WSS4J team
Wednesday, October 25, 2006
Apache Rampart nightly builds are up !!!
Apache Rampart nightly build distros are available here
Now rampart has 11 different samples (samples/basic) explaining the basic parameter based configuration. You can try the samples in the distro with axis2-1.1 nightly builds.
Any comments, issues or bugs : please fire a mail to the axis-dev@ws.apache.org list with the [Rampart] prefix in the subject.
Monday, October 23, 2006
Easywords
Ok ... I finally started studying for my GRE ... :-) and I spent a couple of hours creating this !!!
The plan is to recognize as many words that we are most familiar with and prompt meanings and synonyms of words that are probably new.
I also started a new Google project called "Easywords" and hosted the simple Javascript code.
Out of all the words available in a given paragraph I remove any known words (the known words are a simple list that I compiled within the code itself). In doing this I remembered a nice feature in Ruby that used to pop up among the code snippets shown on the main page of the Ruby web site.
The code snippet from the Ruby site is shown below:
cities = %w[ London
Oslo
Paris
Amsterdam
Berlin
Colombo]
visited = %w[Berlin Oslo]
puts "I still need " +
"to visit the " +
"following cities:",
cities - visited
The output of the above snippet is :
I still need to visit the following cities:
London
Paris
Amsterdam
Colombo
I'm not an expert in Javascript and I had to implement this manually, using the known list of words to search the given paragraph for occurrences of those words and remove them. But I'd love to find a better way to do this in Javascript (like what we can do in Ruby). If any of you out there has a better way... do send a patch :-) !!!
Tuesday, September 12, 2006
New Rampart Configuration
Apache Rampart is going through some changes these days. It is being modified to work on WS-SecurityPolicy. But we had a slight problem - the WS-SecurityPolicy spec does not provide all information required for rampart to be configured properly to produce and consume secured messages.
The proposed solution was to come up with a Rampart specific policy assertion that will hold all configuration information. This will be a top level policy assertion and will not be exposed through MEX interfaces such as ?wsdl.
An example Rampart configuration assertion we are using is as follows:
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <ramp:user>alice</ramp:user>
  <ramp:encryptionUser>bob</ramp:encryptionUser>
  <ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
  <ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">interop/interop2.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>
</ramp:RampartConfig>
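The assertion above carries host-local settings (keystore file, keystore password, callback class), which is why it must stay out of anything published through ?wsdl. The following check is an added example, not Rampart's code and not part of the original post: it lists those settings, flags the risky ones and produces a copy of the policy without the assertion. The wsp:Policy wrapper, the ex:PublicAssertion element, the function names and the "Test" class-name heuristic are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

RAMP_NS = "http://ws.apache.org/rampart/policy"  # namespace used in the post
RAMPART_CONFIG = "{%s}RampartConfig" % RAMP_NS
PASSWORD_SUFFIX = ".keystore.password"

# Constructed sample input: the post's assertion inside a wsp:Policy, next to
# a made-up ex:PublicAssertion that stands in for the publishable part.
SAMPLE_POLICY = """\
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:ex="urn:example:constructed">
  <ex:PublicAssertion/>
  <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
    <ramp:user>alice</ramp:user>
    <ramp:encryptionUser>bob</ramp:encryptionUser>
    <ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
    <ramp:signatureCrypto>
      <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">interop/interop2.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
      </ramp:crypto>
    </ramp:signatureCrypto>
  </ramp:RampartConfig>
</wsp:Policy>
"""


def local_settings(policy_xml):
    """Return (name, value) pairs for every setting inside RampartConfig."""
    root = ET.fromstring(policy_xml)
    settings = []
    for cfg in root.iter(RAMPART_CONFIG):
        for el in cfg.iter():
            # <ramp:property name="..."> is keyed by its name attribute,
            # every other element by its local tag name.
            name = el.get("name") or el.tag.rpartition("}")[2]
            value = (el.text or "").strip()
            if value:
                settings.append((name, value))
    return settings


def audit(policy_xml):
    """Flag settings a reviewer would question; never echoes the password."""
    findings = []
    for name, value in local_settings(policy_xml):
        if name.endswith(PASSWORD_SUFFIX):
            findings.append("clear-text keystore password in policy file (%s)" % name)
        elif name == "passwordCallbackClass" and "Test" in value.rpartition(".")[2]:
            # Heuristic (assumption): a class named Test* is a sample handler.
            findings.append("test callback handler configured: %s" % value)
    return findings


def publishable(policy_xml):
    """Return the policy serialized without any RampartConfig assertion."""
    root = ET.fromstring(policy_xml)
    if root.tag == RAMPART_CONFIG:
        raise ValueError("bare RampartConfig: nothing in it is publishable")
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == RAMPART_CONFIG:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("FINDING:", finding)
    print(publishable(SAMPLE_POLICY))
```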
Thursday, September 07, 2006
Secure Message Exchanges with Multiple Users
This is a tutorial on Apache Rampart configurations in setting up a service to be able to receive and respond with encrypted and signed messages with multiple clients.
Tuesday, August 22, 2006
Bad day !!!
Yesterday 21st August 2006 was probably the worst day in my life... How about some crazy driver hitting your car on your way back home after work and then getting your home robbed in the same night...Well ... it happened :-(.
The thief stole my 2 wrist watches and mobile phone without which I feel crippled. The feeling that an unknown person was in my home going through my stuff is a very bad feeling. Sigh ... :-(
Apparently the same guy has robbed three more houses last night.
Thursday, August 17, 2006
UsernameToken Authentication with Rampart
This article explains how Apache Rampart can be used in UsernameToken authentication with Axis2.
Saturday, August 12, 2006
Travelin' Soldier - Dixie Chicks
I was browsing through my youngest brother's song collection and stumbled upon this very nice song (Travelin' Soldier) by Dixie Chicks. I guess this is going to be one of my all time favourites :-). Check it out !!
Saturday, July 22, 2006
Setting Up Keystores for a Client and a Service
There were a lot of queries on setting up keystores when using Apache WSS4J/Rampart with Axis1.x and Axis2. This is a step-by-step how-to guide that will help one set up the keystores properly.
Got my flickr pro account !!!
I upgraded my flickr account to a pro account today ... it seems like a pretty good deal ...
The pro account allows unlimited photo sets, unlimited storage and a whopping 20 GB monthly upload limit.
Now I can use this as my pic backup :-)
Thursday, July 20, 2006
ApacheCon Asia in Colombo, Sri Lanka in August!
ApacheCon Asia is the first ever Asian offering of the popular ApacheCon Conference of the Apache Software Foundation (ASF). ApacheCon Asia provides an excellent opportunity to experience first-hand what ASF technologies and development communities can do for you and your enterprise.
The program consists of two technical tracks in the main conference and a large number of tutorials. In addition a "hackathon" will be held the day before the conference where attendees can interact with various Apache project developers and learn and contribute!
Priced at a very affordable level, the conference will be held in Colombo, Sri Lanka from August 14th to 17th at the Trans Asia Hotel.
See http://www.asia.apachecon.com/ for further details. On-line registration will open shortly.
Register by Friday, August 4th and receive a 10% early bird discount!
Interested in sponsoring? See:
http://asia.apachecon.com/conference/sponsor/
The ApacheCon Asia Organizing Team.
Tuesday, July 18, 2006
Thursday, July 06, 2006
Hello World with Apache Axis2
Here's a simple tutorial of 6 steps to create an Axis2 service and a client to interact with it.
Friday, June 02, 2006
ApacheCon EU 2006 - Secure Web Services with Apache Axis2 and Apache WSS4J
Want to find out how to secure Apache Axis2? Apache Rampart is the
ideal module for the job !!!
If you are anywhere near Ireland on the 26th of June or really want
to know how it all works, come on over to ApacheCon EU 2006 where I
will be presenting a tutorial on "Secure Web Services with Apache
Axis2 and Apache WSS4J". See here for details.
Early bird registration is now open till the 6th of June. So hurry and
register now!
Friday, May 05, 2006
Apache Rampart 1.0 Released
We are happy to announce the 1.0 release of Apache Rampart.
Apache Rampart is the Apache Axis2 module that implements the WS-Security
specification based on Apache WSS4J 1.5.0 and the Apache AXIOM-DOOM
implementation.
In addition to the WS-Security features listed in the WSS4J web site
rampart provides:
* Ability to MTOM optimize parts of the message
* Convenient and intuitive configurations
* Mechanism to dynamically configure the module
* Experimental WS-SecurityPolicy support
This module was successfully tested for interoperability with other
WS-Security implementations.
You can download the rampart-1.0.mar from:
http://www.apache.org/dyn/mirrors/mirrors.cgi/ws/axis2/modules/rampart/1_0/
For documentation on configuration please refer to
http://ws.apache.org/axis2/modules/rampart/1_0/security-module.html
Let "rampart" secure your messages !!!
Apache Rampart Team
Wednesday, May 03, 2006
Apache WSS4J 1.5.0 Released
We released WSS4J 1.5.0 today. Release note:
The WSS4J team is happy to announce the 1.5.0 release of
Apache WSS4J, the Web service security implementation.
You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/wss4j/1_5_0
The distributions to the mirror(s) sites will be available in the next
few days.
Apart from the binary and source distributions, we have an additional
ZIP file that contains other required JAR files to install and run WSS4J.
Please refer to the *readme.* files in the distribution for
further information regarding implemented features, additional
information, links to the Wiki pages, etc.
Note that major refactoring from the 1.1.0 to 1.5.0 is mentioned in
the wiki :
http://wiki.apache.org/ws/FrontPage/WsFx/refactor
More information about WSS4J and related projects is available
on the WSS4J homepage:
http://ws.apache.org/wss4j
We hope you have fun with this new WSS4J :-)
The WSS4J team
01:02:03 04/05/06
I just got this from one of my friends :
Just in case you wanted to know this - that tomorrow it will be, at two
minutes and three seconds after 1:00 in the morning, the time and date will
show
01:02:03 04/05/06.
That won't ever happen again in our lifetime.
In fact it will be approx. 400 generations before it happens again.
:-)
Wednesday, February 01, 2006
UsernameToken with JavaScript