New features in Metro 1.3 and NetBeans

Recently, there've been couple of blogs about new features in Metro 1.2 release, and about some additional things that will be released with Metro 1.3.

I've been working on updating the NetBeans Metro plugin to make sure these features are easily configurable from our tools as well.

Today, I'd like to announce availability of NetBeans 6.5 builds that contain support for both Metro 1.2 and Metro 1.3 features. Click here to download your NetBeans 6.5 copy from Hudson continuous builds, or grab a daily builds. You shall get either JavaEE or Full bundle.
Note that in order to leverage the new features, you need to have Metro 1.2 or Metro 1.3 installed on top of your GlassFish installation.

The biggest changes you find in the UI are shown in the following screens:

  • Namespace Version Chooser - Metro 1.3 supports .NET 3.5 release, which has policy assertions in a different (standard based) namespaces than .NET3.0. Thus, you need to have a choice which version your service shall be developed with.

  • Kerberos - additional security profile available for 1.3 version with Kerberos support. Read more about Metro Kerberos support on Ashutosh's blog, and if you are not familiar with Kerberos itself, read more on Wikipedia

  • STS Issued Supporting Token Profile - new security profile based on Issued tokens.

  • Hash passwords - support for Hash Passwords in the Username Authentication with Symmetric Keys security profile. Read more about Hash Password support on Ashutosh's blog, and if you are not familiar with Digest Authentication itself, read more on Wikipedia

  • Encrypted Supporting Tokens - ability to encrypt supporting tokens.

There are some other things which I might forgot about, so let me know if you miss anything. Also, let me know if you find any errors, meet any exceptions, anything like that. Currently these are development builds, and release quality shall be met with NetBeans 6.5 release. However, I think the metro modules shall be stable enough already. Let me know ;O)


This is cool, especially Kerberos. I should discuss the doc impact with you, particularly on the WSIT tutorial.


Posted by Jeff Rubinoff on June 04, 2008 at 03:50 PM CEST #

Hi Jeff, thanks. The impact on tutorial shall not be high IMO. I glanced over it, and I don't even think we need to replace the screenshots at all. We might need to add a section on describing how to enable these new features. Currently they are enabled by default, but that will change moving forward to the release - I'll try to add a code soon that will detect the metro runtime version on the server and disable/enable these settings based on that information.

Posted by Martin on June 05, 2008 at 04:22 AM CEST #


Does anybody know if there is an article or similar where the authorization of webservices with wsit is explained?


Posted by Ranob on July 11, 2008 at 02:06 AM CEST #

Hi Martin,

The implementation of UsernameToken with digests is great but unfortunately Sun constrains its use with additional security mechanisms, such as transport level encryption, signatures, etc.

All this to ask: any idea of when we could expect to have plain SOAP username and digest support without being coerced in using the additonal security adornments ?

After all shouldn't one be able to decide which level of security to apply starting from the bottom up: are the WS-SEC specs really meant to be that restrictive ?

Posted by Andrew on July 11, 2008 at 03:05 AM CEST #

Regarding authorization of WebServices with WSIT, if you are using latest SailFin Distribution of GlassFish :

And install Metro 1.3 on top of it then you can call the methods

isUserInRole and getUserPrincipal on WebServiceContext and you can use the Java EE mechanisms of roles and principal/group to role mappings.

I can send a sample by email to you. An article on this will also be created soon.

Posted by kumar on July 15, 2008 at 08:13 PM CEST #

Regarding Support for Disgest Authentication without any other security mechanisms/signatures : Our understanding of the ws-policy spec and interop requirements with WCF do not allow the option of a plain username token.

But we realize that a lot of people want this option. If you can file a Bug on Metro we will fix this ASAP.

Posted by kumar on July 15, 2008 at 08:25 PM CEST #

Just to add on Authorization of WebServices in GlassFish :

If you are using EJB WebServices then you can use @RolesAllowed annotations on WebService methods.

The same support for Servlet WebServices is not yet there but would be fixed in near future.

Posted by kumar on July 17, 2008 at 02:15 AM CEST #

Great post and draw. Thank you for sharing.

Posted by Wow gold on October 29, 2009 at 10:48 PM CET #

I like this article

Posted by A&F Bags on November 04, 2009 at 10:51 PM CET #

this is cool, this is what we want dude......

Posted by link of london on November 06, 2009 at 12:17 AM CET #

Post a Comment:
Comments are closed for this entry.

The views expressed on this [blog; Web site] are my own and do not necessarily reflect the views of Oracle.


« July 2016