Thursday, October 25, 2007

WSO2 IS : Identity Provider updated to trust all valid RPs

During the Barcelona Catalyst OSIS Interop we figured out that we were too strict in validating relying parties: we expected the admin of the identity provider or users of the identity provider to specifically register relying parties. Now we have removed this restriction and the identity provider can now issue tokens to any relying party with a certificate issued by a known CA.

In the case where a relying party doesn't meet the above requirement, users can add it as a trusted relying party after logging in with their user name/password or self issued information card.




The WSO2 Identity Solution identity provider instance for interop work is available at : https://identity.lk.wso2.com:12443/

Monday, October 22, 2007

Axis2 and Rampart Training

Deepal and I will be in San Francisco on the 1st of November and will be conducting these training sessions on Apache Axis2 and Apache Rampart.

The Apache Rampart session will be an introductory level training on how to deploy and configure the Rampart and Rahas modules with a set of practical exercises.

Interested? Register here

Sunday, October 21, 2007

Integrity and non-repudiation of resources

Trying to answer Dims' question here, I created a small application.

http://ww2.wso2.org:8081/restsig/index.html

Here I used a servlet filter to add HTTP headers to the response indicating where to find the signature and digest files when a resource is requested.

Sample response headers when /index.html is requested :

resource-sig: /restsig/index.html.sig
resource-xmlsig: /restsig/index.html.xmlsig
resource-md5: /restsig/index.html.md5
resource-sig-cert: MIIDCjCCAfKgAwIBAg...=


http://ww2.wso2.org:8081/restsig/index.html.sig
http://ww2.wso2.org:8081/restsig/index.html.md5

Furthermore in the case of HTML (assuming well formed) and XML files this app generates the XML signature as well.
http://localhost:8081/restsig/index.html.xmlsig

Now one can develop a simple browser plugin to verify the signature and digest (certificate information can be made available as a header or a separate resource).

The source of this can be found here :
https://wso2.org/repos/wso2/people/ruchith/rest-stuff/sig
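The client-side check such a plugin would perform, as an added example (not code from the repository above): it verifies the digest and the detached signature named by the response headers, then checks the signing key against a set obtained out of band. Assumptions: the .sig file is a base64 RSA/SHA-256 signature over the raw resource bytes, the .md5 file is a hex digest, the sample's resource-sig-cert header carries a bare base64 public key (SPKI) in place of an X.509 certificate, and makeSample, verifyResource and the pin set are hypothetical names.

```javascript
const crypto = require('crypto');

// Constructed sample: a throwaway RSA key stands in for the publisher's key,
// and the header carries its base64 SPKI encoding instead of a certificate.
function makeSample(body) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return {
    body,
    headers: {
      'resource-sig': '/restsig/index.html.sig',
      'resource-md5': '/restsig/index.html.md5',
      'resource-sig-cert': spki.toString('base64'),
    },
    files: { // assumed file formats: base64 signature, hex digest
      '/restsig/index.html.sig':
        crypto.sign('sha256', body, privateKey).toString('base64'),
      '/restsig/index.html.md5':
        crypto.createHash('md5').update(body).digest('hex'),
    },
    pin: crypto.createHash('sha256').update(spki).digest('hex'),
  };
}

// fetchFile(path) returns the text of a companion file, or undefined.
// trustedPins is a Set of SHA-256 key fingerprints obtained out of band.
function verifyResource(body, headers, fetchFile, trustedPins) {
  const result = { digestOk: false, signatureOk: false, keyTrusted: false };
  const md5Text = fetchFile(headers['resource-md5']);
  const sigText = fetchFile(headers['resource-sig']);
  const keyB64 = headers['resource-sig-cert'];
  if (!md5Text || !sigText || !keyB64) return result; // fail closed

  const actual = crypto.createHash('md5').update(body).digest('hex');
  result.digestOk = md5Text.trim().toLowerCase() === actual;

  try {
    const der = Buffer.from(keyB64, 'base64');
    const key = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
    result.signatureOk =
      crypto.verify('sha256', body, key, Buffer.from(sigText.trim(), 'base64'));
    // A key delivered with the response proves nothing by itself: whoever can
    // replace the resource can also replace the signature and the key.
    const pin = crypto.createHash('sha256').update(der).digest('hex');
    result.keyTrusted = trustedPins.has(pin);
  } catch (e) {
    result.signatureOk = false; // malformed key or signature
  }
  return result;
}
```

A response in which the resource, the signature file and the key header have all been replaced together still yields digestOk and signatureOk as true; only keyTrusted distinguishes it, which is why the key (or certificate chain) has to be validated against something the client already holds.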

Friday, October 12, 2007

Mahela, Sanga, Malinga and Me !!!

Mahela Jayawardena - Captain of the Sri Lanka cricket team


Kumar Sangakkara - Vice-captain of the Sri Lanka cricket team


Lasith Malinga

Thursday, October 04, 2007

WSO2 Identity Solution 1.0-beta Released !

WSO2 Identity Solution team is pleased to announce the release of WSO2 Identity Solution 1.0-beta.

Release artifacts can be downloaded from :
http://dist.wso2.org/products/solutions/identity/1.0-beta/

The online documentation is available here :
http://wso2.org/project/solutions/identity/1.0-beta/docs/index.html

WSO2 Identity Solution provides the following components to enable
CardSpace authentication for web applications.

* An Identity Provider
The identity provider includes an application to issue information cards and a security token service. The security token service can be deployed to issue tokens to trusted users. An identity selector will obtain tokens from the Identity Provider and authenticate the users to
Web applications with those tokens.

* A set of Relying Party components
Relying party components include an Apache HTTPD module and a Servlet filter. The HTTPD module can be used with any Web application that is hosted with Apache HTTPD irrespective of the implementation language. The Servlet filter component is intended for Java based Web containers.

Key Features in this Release

* Identity provider
- Supports connecting to a JDBC or an LDAP user store
- Issues information cards based on username-token credential and self issued credential
- Allows adding custom claims and mapping them to user attributes in the user store
- Revocation of issued information cards
- Manage trusted relying parties
* Apache HTTPD relying party module - mod_cspace
* Java Servlet Filter relying party component

Reporting Problems
------------------------------------------------------------------------
Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/IDENTITY

Contact us

WSO2 Identity Solution developers can be contacted via mailing lists:
* For Users: identity-user@wso2.org
* For Developers: identity-dev@wso2.org
For details on subscriptions see
http://www.wso2.org/projects/solutions/identity#mail

Thank you for your interest in WSO2 Identity Solution

WSO2 Identity Solution Team

Friday, September 21, 2007

WSO2 User Manager 0.1 Released

This release can be downloaded from
"http://dist.wso2.org/products/commons/usermanager/0.1/"

Features of User Manager 0.1
============================

* User Management using "org.wso2.usermanager.readwrite.DefaultRealm".
1) Add/edit/delete users
2) Add/edit/delete roles
3) Manage users and roles
4) Manage user and role authorizations

* Plugin to Existing user stores

1) org.wso2.usermanager.custom.jdbc.JDBCRealm - This can connect to existing RDBMS user stores via a JDBC driver and authenticate users. It can retrieve user properties from the users table. This is tested using MySQL and Derby database drivers.

2) org.wso2.usermanager.custom.ldap.LDAPRealm - This can connect to an existing LDAP server, authenticate users and retrieve user attributes. This is tested using OpenLDAP.

3) org.wso2.usermanager.custom.acegi.AcegiRealm - Can perform authentication provided the bean mapping for AuthenticationProvider.

* A web app to perform user verification using Emails
This consists of 3 jsp files and a single class. Extract the webapp and integrate register.jsp, signon.jsp and validate.jsp into your application. Add the WEB-INF/lib files and classes directory to your war file or classpath.


For more information please refer
"http://wso2.org/repos/wso2/trunk/commons/usermanager/distribution/README"

Wednesday, September 19, 2007

Yuvraj Singh 6 6 6 6 6 6

Managing users in your applications

At www.wso2.org we are working on a bunch of projects and all of them require user management at various levels. With WSO2 usermanager we are trying to come up with a library that will let developers handle user authentication and authorization in applications in a homogeneous manner. This code is available under the Apache licence.

The usermanager's main point of entry into a user store (Database/LDAP directory) is an org.wso2.usermanager.Realm implementation. The next release of the usermanager will provide two such implementations for LDAP and JDBC. With an org.wso2.usermanager.Realm the application developer will be able to query the user store for tasks such as authentication and authorization, and to obtain properties with respect to a certain user.

Sunday, September 16, 2007

Thursday, September 06, 2007

Apache Rampart 1.3 Released

This is the 1.3 release of Apache Rampart.

Apache Rampart 1.3 is a toolkit that provides implementations of the WS-Sec* specifications for Apache Axis2 1.3, based on Apache WSS4J 1.5.3 and the Apache AXIOM-DOOM 1.2.5 implementations.

You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/rampart/1_3

There are two main Apache Axis2 modules provided with this release.

* rampart-1.3.mar
This provides support for WS-Security and WS-SecureConversation
features.
* rahas-1.3.mar
This module provides the necessary components to enable SecurityTokenService functionality on a service.

Apache Rampart 1.3 uses a configuration model based on WS-Policy and WS-Security Policy. It is important to note that the Apache Rampart 1.0 style configuration is also available, although it is marked as deprecated.

Apache Rampart 1.3 can be successfully used with the next Apache Sandesha2 release targeted towards Apache Axis2 1.3 to configure WS-SecureConversation + WS-ReliableMessaging scenarios.

The rampart module was successfully tested for interoperability with other WS-Security implementations.

WS - Sec* specifications supported by Apache Rampart are as follows:

* WS - Security 1.0
* WS - Secure Conversation - February 2005
* WS - Security Policy - 1.1 - July 2005
* WS - Trust - February 2005
* WS - Trust - WS-SX spec - EXPERIMENTAL

Thank you for using Apache Rampart.

Apache Rampart team

Apache WSS4J 1.5.3 Released

Apache WSS4J Team is happy to announce the WSS4J-1.5.3 release.

Apache WSS4J is an implementation of the OASIS Web Services Security (WS-Security) from OASIS Web Services Security TC. WSS4J is a Java library that can be used to sign and verify SOAP Messages with WS-Security information.

You can download the releases from:
http://www.apache.org/dyn/closer.cgi/ws/wss4j/1_5_3

Apart from the binary and source distributions, we have an additional ZIP file that contains other required JAR files to install and run WSS4J.

Please refer to the *readme.* files in the distribution for further information regarding implemented features, additional information, links to the Wiki pages, etc.

Enjoy !

The WSS4J team

Tuesday, August 28, 2007

Struts2 tutorial

This is a nice tutorial that one can use to learn struts2 fast !

Friday, August 10, 2007

Apache Rampart-1.3-RC1 is available

Apache Rampart 1.3 - RC1 is available now ...
http://people.apache.org/~ruchithf/rampart/1_3_RC1/

Do give it a go and report any issues you have :

https://issues.apache.org/jira/browse/RAMPART

Saturday, August 04, 2007

You Raise Me Up

This is one of my all time favourites. I originally heard Josh Groban's version



However there's a bit of a history to this wonderful song.

According to Wikipedia this song has been recorded more than 473 times ... I stumbled upon a number of performances of this song by various artists :

- Westlife (featuring Secret Garden)


- Celtic Woman


And oh ... some figure skaters have used this song as well :



For me this song is all about two of the greatest people in my life ... my parents.

Thursday, August 02, 2007

Podcast on Rahas

Rahas is the WS-Trust implementation of Apache Rampart. I recently did a podcast with WSO2 Oxygen Tank about Rahas and it's available here.

Wednesday, July 25, 2007

WSO2 WSAS 2.0 released

The WSO2 WSAS team is pleased to announce the release of the WSO2 WSAS 2.0

This release can be downloaded from http://wso2.org/projects/wsas/java


WSO2 WSAS 2.0 - Release Note - 23rd July 2007
=========================================
WSO2 WSAS is an integrated Web services Platform which offers a complete
middleware solution. It is a lightweight, high performing platform for
Service Oriented Architectures, enabling business logic and
applications. Bringing together a number of Apache Web services
projects, WSO2 WSAS provides a secure, transactional and reliable
runtime for deploying and managing Web services.

What is new in WSAS 2.0
----------------------------

* Data services support
Allows data in relational databases to be exposed as Web services, and to be included in Web mashups with ease.

* Eclipse IDE integration
Wizard based flows to automate most steps and make easy the process of developing, deploying and debugging Web services.

* Clustering support
Clustering support with state replication for high availability, along with load balancing, failover and cluster-wide management functions.

* Full support for WS-Security, WS-Trust, WS-Policy and WS-SecureConversation and XKMS. Extended security with support for WS-Security, WS-Trust, WS-Policy and WS-SecureConversation with
additional means for secure Web-based communications using public key infrastructure (PKI) with XKMS. This release of WSO2 WSAS also includes an inbuilt SecurityTokenService as defined in WS-Trust specification.

* EJB service provider support
Expose EJBs deployed on a remote J2EE application server (AS) as Web services.

* Axis1 backward compatibility
Easily deploy any Apache Axis1-based Web service and engage advanced WS-* services, such as WS-RM and WS-Policy in front of legacy Axis1 services.

Plus various bug fixes.

-------------------------
Known Issues
------------

1. POJO to Web service feature is still at an experimental stage. One can upload a jar/zip file and create an AAR out of it. If you upload a jar/zip file which has a services.xml file in its
META-INF directory, when it is transformed into an AAR its services.xml will be replaced by the generated services.xml. In addition to this, the user cannot associate any library dependencies or web content with the generated AAR file.

Due to limitations in Axis2, method overloading is not supported, and hence the WSDL for services where methods are overloaded cannot be generated. Hence all WSDL based functionality related to services will not work for such services.

2. WS-Policy support is still in experimental stage and limited to single port scenarios.

3. You cannot have two different versions of the Apache Sandesha2 module in the system.

4. A true entry has been added to the HTTP & HTTPS transportSenders in order to overcome some issues with some browsers. In case of interoperability failures, please change the value of this parameter to false and retry.

------------------------
Reporting Problems
========================

Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/WSAS


------------------------
Contact us
========================

WSO2 WSAS developers can be contacted via mailing lists:
For Users : wsas-java-user@wso2.org
For Developers : wsas-java-dev@wso2.org
For details on subscriptions see http://www.wso2.org/projects/wsas/java#mail

Alternatively, questions can also be raised in the forums:
For Users : http://www.wso2.org/forum/181
For Developers : http://www.wso2.org/forum/184


Thanks for your interest in WSO2 WSAS
--- WSO2 WSAS Team

Thursday, July 19, 2007

WSO2 WSAS 2.0-beta Released

The WSO2 WSAS team is pleased to announce the release of the WSO2 WSAS
2.0-beta

This release can be downloaded from http://wso2.org/projects/wsas/java

WSO2 WSAS is an integrated Web services Platform which offers a complete
middleware solution. It is a lightweight, high performing platform for
Service Oriented Architectures, enabling business logic and
applications. Bringing together a number of Apache Web services
projects, WSO2 WSAS provides a secure, transactional and reliable
runtime for deploying and managing Web services.

What is new in WSAS 2.0-beta
----------------------------

* Data services support
Allows data in relational databases to be exposed as Web services,
and to be included in Web mashups with ease.

* Eclipse IDE integration
Wizard based flows to automate most steps and make easy the process
of developing, deploying and debugging Web services.

* Clustering support
Clustering support with state replication for high availability,
along with load balancing, failover and cluster-wide management functions.

* Full support for WS-Security, WS-Trust, WS-Policy and
WS-SecureConversation and XKMS. Extended security with support for
WS-Security, WS-Trust, WS-Policy and WS-SecureConversation with
additional means for secure Web-based communications using public key
infrastructure (PKI) with XKMS. This release of WSO2 WSAS also includes
an inbuilt SecurityTokenService as defined in WS-Trust specification.

* EJB service provider support
Expose EJBs deployed on a remote J2EE application server (AS) as Web
services.

* Axis1 backward compatibility
Easily deploy any Apache Axis1-based Web service and engage advanced
WS-* services, such as WS-RM and WS-Policy in front of legacy Axis1
services.

---------------------------
Known Issues
---------------------------

1. POJO to Web service feature is still at an experimental stage.
One can upload jar/zip file and can create an AAR out of it.
If you uploaded a jar/zip file which has a services.xml file in its
META-INF directory, when it is transformed into AAR its services.xml
will be replaced by the generated services.xml. In addition to this,
the user cannot associate any library dependencies or web content with
the generated AAR file.

Due to limitations in Axis2, method overloading is not supported, and
hence the WSDL for services where methods are overloaded cannot be
generated.
Hence all WSDL based functionality related to services will not work for
such services.

2. WS-Policy support is still in experimental stage and limited to single
port scenarios.

3. You cannot have two different versions of the Apache Sandesha2 module
in the system.

4. A true entry has been
added to the HTTP & HTTPS transportSenders in order to overcome some
issues with some browsers. In case of interoperability failures, please
change the value of this parameter to false and retry.

------------------------
Reporting Problems
========================

Issues can be reported using the public JIRA available at
https://wso2.org/jira/browse/WSAS


------------------------
Contact us
========================

WSO2 WSAS developers can be contacted via mailing lists:
For Users : wsas-java-user@wso2.org
For Developers : wsas-java-dev@wso2.org
For details on subscriptions see http://www.wso2.org/projects/wsas/java#mail

Alternatively, questions can also be raised in the forums:
For Users : http://www.wso2.org/forum/181
For Developers : http://www.wso2.org/forum/184


Thanks for your interest in WSO2 WSAS,
-- WSO2 WSAS Team