Thursday Oct 01, 2009

Fuji simple service API and springDM

 What is Fuji simple service api?

The simple service provides the capability to invoke/interact with JAVA code outside of  JBI, Simple Service API provides a bridge between code that is hosted outside of a JBI component and service endpoints available on the NMR. The interface below shows what a user need to do in-order to use simple service api while provisioning an osgi service. for details see Fuji Simple Service API

 \* This interface represents a simple service provisioning contract with the
 \* JBI runtime environment.  The invoke method is called when a message
 \* exchange is addressed to this service instance.  Classes implementing this
 \* interface must be registered in the OSGi service registry in order to be
 \* available to consumers in the JBI runtime environment.  Further, the
 \* service registration must contain a property called "org.glassfish.openesb.serviceName" which
 \* contains the name of the service being offered.  Optionally, a property
 \* called "org.glassfish.openesb.endpointName" can also be specified.
public interface ServiceProvider { 
    ServiceMessage invoke(ServiceMessage message) throws Exception;

This blog shows how to integrate Fuji simple service api with spring/springDM  application, We will create a springDM application which instantiates the above provider Implementation , based on spring-config and spring-osgi-config files . In the diagram below the service provider is part of the spring application and the application context is created by the springDM module

Create a new springDM module, The Spring-OSGi project supplies a maven archetype that will create a SpringDM bundle project , example

 mvn archetype:create   -DarchetypeGroupId=org.springframework.osgi  

The structure of the project will look as below

 spring DM project

Change the pom , add dependency of the Fuji api

 go the src root of the application and add the following dependency to the springDM module pom


Write the POJO which implements ServiceProvider , note this POJO is part of the spring application, and can access any bean or the spring applicationContext, In the above diagram , represents the POJO which implements the ServiceProvider Interface. here is a sample code


import org.glassfish.openesb.api.service.ServiceMessage;
import org.glassfish.openesb.api.service.ServiceMessageFactory;
import org.glassfish.openesb.api.service.ServiceProvider;

public class MyProvider implements  ServiceProvider {
    ServiceMessageFactory msgFactory_;
    public ServiceMessage invoke(ServiceMessage message) throws Exception {
        // Print out the content of the message
        String payload = (String)message.getPayload();
        // One way exchange, so there's no need to return anything
        return null;

    public void setMessageFactory(ServiceMessageFactory factory) {
        msgFactory_ = factory;
    public void setAnotherBean (AnotherBeanI bean){
     //make use the bean


Define the spring beans in the spring config file bundle-context.xml 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns=""
       <bean name="anotherBean" class="" />
       <bean name="fujiService" class="">
         <property name="anotherBean" ref="anotherBean"/>

Let us define the beans to be exported as OSGI service, Once the bean MyProvider is exported as osgi service,  any JBI component will be able to access this bean by sending a normalized Message see simple service api for more details 

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans=""

 <service id="fujiServiceOsgi" ref="fujiService"

   <beans:entry key="org.glassfish.openesb.serviceName" value="abcService" />
   <beans:entry key="org.glassfish.openesb.endpointName" value="endpoint1" />


Based on the osgi service with the ServiceProvider Interface, an jbi  internal interpoint is activated, The activation of the endpoint is based on the osgi service properties as specified in the bean service definition shown above

  • org.glassfish.openesb.serviceName is used for the service name of the activated endpoint

  • org.glassfish.openesb.endpointName is used for the endpoint name of the activated endpoint

Install the springDM bundles into Fuji-Felix

In order to use springDM application one has to install all the required spring DM osgi bundles, see the set of osgi bundles which needs to installed and started, more details

Build and deploy the application

Go to the project folder and execute
  mvn clean build
In the felix console type install and start the springDM bundle just created
  install file:/ 

Invoking JBI-Endpoint from a spring application 

This would require a springDM application to import an osgi service registered by the Fuji/jbi runtime. Note the current Fuji implementation while activating an jbi endpoint , register an osgi service based on the endpoint properties, The endpoint properties are once again based on service name and the endpoint name, Assuming and endpoint had been activated by a JBI component with service-name = xyzService and endpoint-name=xyzEndpoint , how such a endpoint can be accessed from an spring application. In the diagram below the service consumer is part of the spring application .


 1. Import the osgi services, using the spring-osgi-config file, note the filter

<reference id="jbiService"
  filter="(org.glassfish.openesb.serviceName=xyzService)"  />

2. Use dependency injection to set the service reference into a bean

<bean id="someBean" class="" lazy-init="false">
  <property name="serviceReference" ref="jbiService" />
  <property name="service" ref="jbiService" />

3. Define the bean and Invoke

import org.glassfish.openesb.api.service.ServiceConsumer;
import org.glassfish.openesb.api.service.ServiceMessage;
import org.osgi.framework.ServiceReference;

public class BeanWithJbiServiceReference {
  private ServiceReference serviceReference;
  private ServiceConsumer service
  public void setServiceReference(ServiceReference serviceReference) {
   this.serviceReference = serviceReference;
  public void setService(ServiceConsumer service) {
   this.service = service;
  public void invokeJBIService(Object payload) throws Exception{
   ServiceMessage message = service.getServiceMessageFactory().createMessage();

Future Direction Idea is to provide capabilty which will let any spring bean or osgi service to be accessed seamlessly, based on service properties or configuration, Also Fuji going forward will provide native support for spring beans . Read On   

Wednesday Aug 19, 2009

Soap over jms

W3C has recently released W3C Candidate Recommendation for soap over jms,

The above document specifies how SOAP should bind to a messaging system that supports the Java Message Service. Binding is specified for both SOAP 1.1 and SOAP 1.2.

What does this bring to the table?

  • The primary objective is to ensure interoperability between the implementations of different Web services vendors

  • Also some providers of Web services use intermediary services such as routing gateways; or SOAP/HTTP to SOAP/JMS gateways, they will be interested in the standards

  • Reliable way of delivering soap message

Can interoperabilty be an issue here?

Binding soap to JMS leave the other platforms which are not based on java

Note some of the existing capabilty which some of the vendors offer

Wednesday Apr 29, 2009

Jms Messaging Bridge

What is a jms Bridge?

A messaging bridge consists of two destinations that are being bridged: a Source destination that the bridge reads messages from and a Target destination where the bridge sends the messages that it receives from the source destination. Many of the jms provider provide the jms bridge capabilty. However it is also easy to build a custom JMSbridge using JMSJCA

Building jms bridge using java or Composite Application

1. Using standalone java application

JMSJCA support connecting to various JMS Providers like Sun Java Message Queue, JBossMQ, Websphere Message Queue or MQSeries, Weblogic JMS Server, JMS Grid, STCMS. So if one want to build bridge which does not require support for XA transaction. One can easily use the JMSJCA as library  for the purpose as it provide a unified interface for accessing the JMS Providers. The diagram below shows the flow of message.


2. Using javaee container

However one may like to make the bridge more reliable. and like to treat the receiving of messages from the source and delivering the same to the target as atomic, i.e want the bridge to support XA transaction, then it will ideal to use javaee container for that purpose, We will show a sample piece of pseudo code which use MDB to build a bridge.

More Info on How to create a MDB and jms Message Producer using JMSJCA in glassfish is available here

Lets say that the requirement is to build a bridge for Sun-Java-Message-Queue to Websphere-Message-Queue , One can use the following logic in the MDB

public void onMessage(Message sunJavaMessage){

     //sunJavaMessage is the received message from Sun Java MQ ,

  1.  Create a producer, for say Websphere Message Queue(WMQ)

  2.  Transform message Header, Properties, Body from  SunJava-MQ to WMQ message

  3.  Send the message


Note that the step 2 , is the crucial step which one need to implement. While implementing the Message Conventer one has to take care of the following

  • iterate over jms Message Properties, copy from source to destination

  • handle vender specific properties, i.e properties starting with JMS_

  • copy message Body, note Text, Map, Byte,Object, Stream Message needs to handled seperately

  • copy relevant jms headers (like jms type, correlationId, timestamp, priority, expiration etc)

Some of the advantages of using a javaee container along with JMSJCA are

  • The ejb(mdb) container takes care of the reliable delivery

  • One can have a scalable messaging bridge

  • Resource Management, Connection pooling , MDB Instance pooling is done by the container

  • In case of a crash, the appServer/ejb container takes care of recovery

  • leverage the JMSJCA monitoring capabilty

  • redelivery handling

  • JMSJCA message wrapping

3. Building jms bridge using Composite Application

Idea is, Can we build a jms messaging bridge without any java-code , One can create a composite application which uses jmsbc-->bpel-->jmsbc . Note One limitation of building a bridge using jmsbc is that not all the jms message type is supported by jmsbc, Only supported Message are TextMessage, BytesMessage and MapMessage. Also if one require to convert all the message Header , Properties from source to destination , then one has to create a more involved wsdl. More info on creating composite applications using  JMSBC and BPEL. The diagram below shows the flow of message.

step a) Create a CompositeApp using jmsbc-->bpel-->jmsbc 


step b) Use the bpel mapper to map message properties , header and body

Use the bpel mapper to copy the message headers, properties and body, Note this takes care of only part of the message conversation, However one can always specify the message parts which maps to other message properties, see the link for more info

More info on Messaging Bridge and their JMS provider

  1. Weblogic Messaging Bridge

  2. Sun Java Message Queue

  3. Jboss Messaging Bridge

  4. ActiveMQ bridge

  5. SoniqMQ Bridge

Tuesday Feb 24, 2009

WS-SecureConversation, Improve performance of your Webservice

Public key cryptography

WS-Security make extensive use of the public key cryptography. Public key cryptography(asymmetric key) is computationally more expensive than symmetric key cryptographic, see the following link for more  info, so the solution is to make use of combination of asymmetric and symmetric key cryptography.  


While message authentication is useful for simple or one-way messages, parties that wish to exchange multiple messages typically establish a secure security context in which to exchange multiple messages. A security context is shared among the communicating parties for the lifetime of a communications session. Once the context and secret have been established (authenticated), Derived Keys can be used for signing and encryption of the messages. Some of features of ws-secureconversation are

  • similar to SSL

  • create a security context

  • message processing is  much faster at both client and webservice endpoint

  • transparent to the user 


 Esstablishing Security Context

A security context needs to be created and shared by the communicating parties before being used. This is done by creatring a Security Context Token(SCT). The specification defines three different ways of establishing a security context among the parties of a secure communication.

  • SCT created by a  STS(security token service)

  • SCT created by one of the communicating parties and propagated with a message

  • SCT created through negotiation/exchanges

WS-Secure Conversation is built on top of two other web services specifications, they are WS-Security and WS-Trust. In metro/wsit each web service enabled for WS-SecureConversation has an associated STS that is used to issue and manage security contexts

To request a Security Context Token(SCT) , an RequestSecurityToken(RST) is sent to the webservice endpoint which is setup using secure conversation , the request is transparently routed to the trust service which responds with a RequestSecurityTokenResponse , the response is send back to the client, Note the sample below also show DerivedKeyToken, we will talk about derived keys in a moment.

 Sample SecurityContextToken and DerivedKeyToken



                xmlns:ns16="" wsu:Id="_3">
    <wsse:SecurityTokenReference wsu:Id="_5002">
        <wsse:Reference ValueType="" URI="#uuid-4063ae9b-fe66-4e09-a5fb-8fda903f34d8" />


note the element /wsc:SecurityContextToken/wsc:Identifier This required element identifies the security context using an absolute URI. Each security context URI MUST be unique to both the sender and recipient. It is RECOMMENDED that the value be globally unique in time and space 

Derived Keys  

A security context token implies or contains a shared secret. This secret MAY be used for signing and/or encrypting messages, but it is RECOMMENDED that derived keys be used for signing and encrypting messages associated only with the security context

Using a common secret, parties may define different key derivations to use. For example, four keys may be derived so that two parties can sign and encrypt using separate keys. In order to keep the keys fresh (prevent providing too much data for analysis), subsequent derivations may be used 

 how the derived keys are used


How Keys are derived? 

A subset of the mechanism defined for TLS in RFC 2246. Specifically, P_SHA-1 function is used to generate a sequence of bytes that can be used to generate security keys. the algorithm is refered to as:

This function is used with three values – secret, label, and seed. The secret is the shared secret that is exchanged (note that if two secrets were securely exchanged, possible as part of an initial exchange, they are concatenated in the order they were sent/received).Secrets are processed as octets representing their binary value (value prior to encoding). The label is the concatenation of the client's label and the service's label. These labels can be discovered in each party's policy (or specifically within a <wsc:DerivedKeyToken> token). Labels are processed as UTF-8 encoded octets. If either isn't specified in the policy, then a default value of "WS-SecureConversation" (represented as UTF-8 octets) is used. The seed is the concatenation of nonce values (if multiple were exchanged) that were exchanged (initiator + receiver). The nonce is processed as a binary octet sequence (the value prior to base64 encoding). The nonce seed is required, and MUST be generated by one or more of the communicating parties.The P_SHA-1 function has two parameters – secret and value. The label and the seed is concatenated to create the value. That is:

P_SHA1 (secret, label + seed)

Syntax For Derived Keys

<DerivedKeyToken wsu:Id="..." Algorithm="...">


for more details for each of the element see the specification

How To Configure in Composite Application/WSIT editor

GlasfishESB , metro support the following security profiles, chose one of the security profile in the CASA editor and then configure for secure-conversation

  • Username Authentication with Symmetric Keys

  • Mutual Certificates Security

  • Transport Security (SSL)

  • Message Authentication over SSL

  • SAML Authorization over SSL

  • Endorsing Certificate

  • SAML Sender Vouches with Certificates

  • SAML Holder of Key

  • STS Issued Token

  • STS Issued Token with Service Certificate

  • STS Issued Endorsing Token

how to configure

Thursday Feb 12, 2009

Mtom, Soap with Attachment in Composite Applications

Mtom is used to optimize the transmission of soap message over the wire. MTOM uses a  wire format of a SOAP message by selectively encoding portions of the message, whilst still presenting an XML Infoset to the SOAP application. Optimization is available only for element content that is in a canonical lexical representation of the xs:base64Binary data type  

This article talks how to use mtom in glassfish esb, what are the limitation current implementation has , how to overcome the same

[Read More]

Thursday Feb 05, 2009

Soap1.2 in GlassfishESB

This article show how to use soap1.2 in glassfishesb or javacaps or openesb, also talks about some of the point to note in terms of changes or the differences with soap1.1 

[Read More]



« March 2015