Wednesday Jan 02, 2008

Using Digest Authentication with SIP Servlets

It is time to write in detail on how to use security features available in Sailfin, so here we go.

Before you begin follow these two common steps.
  1. Download latest stable sailfin build from here.
  2. Install Netbeans 6.0 with SIP plugin. You will find this installation document useful.

In this entry I will share on how to enable SIP Digest Authentication for SIP Servlet Application and authenticate using a SIP Client(We have tried Twinkle available with Ubuntu and X-Lite)


Step 1:

Create a new SIP Project in Netbeans as shown in Fig1.




Figure: 1


Step 2 :  Create a new Sip Servlet as shown in Figure 2






Figure 2

Step 3 :  Netbeans generates the SIP servlet with empty methods, I changed it to look like what is seen in figure 3.





Figure 3


Step 4 :  Now that we have created the servlet, we will now proceed to configure the application server.
            To do this Start the application server and database using following commands

            To start Sailfin Application server
                        asadmin start-domain domain1

            To start database   
                       asadmin start-database



Figure : 4

Step 5  Login into Admin console( http://localhost:4848 ) and create JDBC resource as shown in Figure 5



 Figure : 5






Step 6 : Now that we have created the JDBC resource we can now go ahead and create JDBC Digest Realm using the Admin console (shown in Figure 6)




Figure:  6


Step 7 :  Next step is to setup the backend . Connect to the database using Netbeans as shown in Figure 7 and run the following sql script.



Figure 7


Step 8 : Now that we have configured both the backend and the application server it is time to enable security in the SIP Servlet application.Create sip.xml and sun.xml as shown in Figure 8 and Figure 9.  The security constraint in sip.xml shows that REGISTER methods should be authenticated and only users with manager role should be allowed to register.





Figure 8





Figure : 9





Step 9 : Now build and deploy the application on to the Sip Application server. You can either do this using Netbeans or command line option (asadmin deploy <filename>).



Step 10 : Once the application is deployed run the SIP Client(In this case I used twinkle) . When the client tries to register user will be requested to enter authentication information as shown in Figure 10 and Figure 11 shows logs in Application server once the user is authenticated and authorized.




Figure: 10




Figure : 11


Powered by ScribeFire.

Monday Dec 31, 2007

Security in Sailfin Milestone3

Sailfin milestone 3 is out and here is the list of features we added as per JSR 289. I will talk in detail on how to use each of these security features in my next blog.

We have provided support for

  • run-as
             - can be configured using standard descriptors (sip.xml), example:
                  <servlet>
                        <servlet-name>SipSample</servlet-name>
                        <display-name>SipSample</display-name>
                        <servlet-class>com.sun.test.SipSample</servlet-class>
                        <load-on-startup>0</load-on-startup>
                        <run-as>
                            <role-name>externalUser</role-name>
                        </run-as>
                 </servlet>

  • P-Asserted Identity authentication
          P-Asserted Identity form of authentication requires us to define trust rules. Sailfin allows users to achieve this using configuration elements defined in domain.xml. GUI and command line options enable users to configure trust rules. A SIP entity on the network can be part of the trust domain by adding its IP address or hostname under the element trusted-entity as shown below.  To enable users define custom trust rules sailfin provides a TrustHandler interface which the user can implement.
           example:

                  <identity-assertion-trust id="default_id_assertion" is-default="true">
                         <!--
                              <trust-handler class-name="org.jvnet.glassfish.comms.security.auth.impl.TrustHandlerImpl">
                                  <property name="certstore" value="/home/venu/certstore.jks"/>
                             </trust-handler>
                         -->
                          <trusted-entity id="tr" trusted-as="intermediate">
                                <ip-address>129.158.229.124</ip-address>
                         </trusted-entity>
                  </identity-assertion-trust>

more soon......


Powered by ScribeFire.

International Conference on IP Multimedia Subsytems Architecture and Applications 2007 ( IMSAA 2007 )

Recently I had opportunity to attend IMSAA conference held at IITB . It was a nice learning experience for a person like me who is new to the IMS world.
The conference was well organized [1] .  We (Sun Microsystems) showcased our opensource Communication Application server  named Sailfin,
you can find all that you will need on Prasad's blog.

I did not attend Prasad's tutorial as I knew most of it :), so instead opted to attend other tutorials. Dr.Simon gave an excellent tutorial on IMS Service Architecture and was always around answering questions , Dr.Archan in his tutorial talked a lot about Presence and shared his experience. I found both T1 and T6 tutorials very informative.

What caught my attention was a demo [2] given my IIIB students, they have done a good job of using and integrating Opensource products available and demonstrating their use. It was good to see
IIIB encouraging and preparing students to be more Industry ready!.

Finally here are some photos[3] of the event , courtesy "Prof Debabrata Das".



[1]http://www.iiitb.ac.in/imsaa2007/schedule.html
[2]http://www.iiitb.ac.in/imsaa2007/demo.html
[3]http://picasaweb.google.com/IMSAA2007


Powered by ScribeFire.

Monday Sep 24, 2007

Implementing Custom Realms for Digest Authentication in Sun Java System Communication Application Server

Recently we refactored and enabled Digest authentication support for both HTTP and SIP Container in Sun Java System Communication Application Server(SJSCAS/Sailfin).Supporting digest authentication with different backends can be done by writing custom Login modules and a custom realm.

1.Custom Login Module
2.Custom Realm

1.Custom Login module:
can be provided either by extendingcom.sun.enterprise.security.auth.login.DigestLogin abstract class or by implementing javax.security.auth.spi.LoginModule standard interface. If one chooses to extend from DigestLogin module class then below mentioned abstract method has to be implemented. The getGroups method returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in login.conf file under $AS_INSTALL_HOME/domains/domain1/config/login.conf directory.
Eg: of JDBC Digest Login module in login.conf file is shown below

++++++

/\* Copyright 2004 Sun Microsystems, Inc. All rights reserved. \*/
/\* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. \*/

fileRealm {
com.sun.enterprise.security.auth.login.FileLoginModule required;
};
ldapRealm {
com.sun.enterprise.security.auth.login.LDAPLoginModule required;
};
solarisRealm {
com.sun.enterprise.security.auth.login.SolarisLoginModule required;
};
jdbcRealm {
com.sun.enterprise.security.auth.login.JDBCLoginModule required;
};
jdbcDigestRealm {
com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};

++++++

Sample implementation of DigestLogin Module is shown below.

public class JDBCDigestLoginModule extends DigestLoginModule {

public JDBCDigestLoginModule() {
}

protected Enumeration getGroups(String username) {

   try {

    return this.getRealm().getGroupNames(username);

   } catch (InvalidOperationException ex) {

   Logger.getLogger("global").log(Level.SEVERE, null, ex);

   } catch (NoSuchUserException ex) {

   Logger.getLogger("global").log(Level.SEVERE, null, ex);

  }

   return null;

  }

}


2.Custom Realm :

Inorder to provide a custom realm one has to write a new custom realm[1] or modfiy existing realms by extending from com.sun.enterprise.security.auth.realm.DigestRealmBase abstract class. The method validate is an abstract method in DigestRealmBase.

public boolean validate(String username, DigestAlgorithmParameter[] params);

the implementors validate function will have to retrieve the password from the backend and invoke the validate method of the super class. The validate method syntax of the super class DigestRealmBase is shown below. The validate method will return true if digest validation has succeeded or false if digest does not match. The DigestAlgorithmParameter parameter shown below represents the digest algorithm parameters retrieved from incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException ;

com.sun.enterprise.security.auth.digest.api.Password is used to pass the password either a prehashed (username+realmname+password) password or plain text password to validate the digest.

public interface Password {

public static final int PLAIN_TEXT= 0;
public static final int HASHED = 1;

/\*\*
\* returns PLAIN_TEXT or HASHED.
\* @returns int
\*/
    public int getType();

/\*\*
\* returns password.
\* @returns byte[]
\*/
  public byte[] getValue();

}

This custom realm can be configured for use in SIP/HTTP applications as described in docs [2].

You can download sailfin/SJSCAS builds from https://sailfin.dev.java.net/.

[1]http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view
[2]http://docs.sun.com/app/docs/doc/819-3658/6n5s5nkmq?l=en&a=view#ablpi



Note : Interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS

Powered by ScribeFire.

Wednesday Aug 29, 2007

Sailfin/Sun Java System Communication Application Server/SJSCAS

From past couple of months I have been working on implementing Security features for Sailfin. Sailfin is based on JSR 289 and all the functional specifications that are under development are posted here. You can post your comments on features,requirements using the template posted here.

JSR 289 requires Sailfin to support Digest Authentication and P-Asserted Identity. We have enabled Digest authentication for both SIP and HTTP containers and one should be able to try it out using latest builds. I will soon write on how to configure Digest authentication for HTTP, SIP Containers in SJSCAS/Sailfin.




Tuesday Jun 12, 2007

Project Tango releases WSIT Milestone 5

Like Harold said in his blog this milestone has lots of fixes and it is not too late to provide feedback on any issues that you think needs to be fixed. So go ahead and file them....


Powered by ScribeFire.

Wednesday May 09, 2007

WS Security @ Java One 2007

We have a BOF(4108) at JavaOne  this year. Jiandong,Ashutosh and Shyam will be available to discuss how to build Secure Web Services in an interoperable manner using WSIT. To learn more please visit Hall E 134 Moscone Center on Thursday(May 10) at 7.55 PM.


Powered by ScribeFire.

Tuesday Apr 17, 2007

WSIT Security Configuration

Kumar recently wrote a nice article which covers some important details about WSIT Security Configuration. If you want to learn all about WSIT Security Token Validators then this is the article you need to read.

Tuesday Apr 03, 2007

Configuring Message Parts to be secured in WSIT 1.0

WSIT 1.0 allows different message parts(eg: Addressing Headers,SOAP Body etc..) to be either signed or encrypted. Netbeans  provides a easy way to configure message has to be secured. One can configure their application such that only responses from the server can be secured and request from the client to the server can be plain SOAP Message.



                                                          Snapshot 1: Input and Ouput Message parts

Snapshot 1 shows Message Parts tabs for Input and Output Message under the operation getAccountBalance. These tabs allow user to configure message parts to be Signed/Encrpted for getAccountBalance request from the client and getAccountBalance response from the server.




Snapshot 2 : Message Parts that are Signed and Encrypted by default
 
Snapshot 2 shows the message parts that are Signed, Encrypted by default. As seen the snapshot 2 user has the option to change the default configuration by adding/removing message parts.

For eg: If user wants to secure only the response message from the server and not the request then the user needs to unselect all the Message Parts under Input Message as shown in snapshot 3.




Snapshot 3: All Message Parts unselected (Message will be secured).

Note : Even though none of the message parts shown above may be secured but the SOAP Message may have
Security Header with Signature and Timestamp based on the Binding level policy.

WSIT is available as part of Glassfish v2.



Technorati Tags: , , , , , , , , ,

Wednesday Feb 28, 2007

WSIT at Sun Tech Days 2007 Hyderabad

Kumar and myself had  the opportunity to present on WSIT at Sun Tech Days 2007 Hyderabad. The title of the presentation was "JAX-WS and WSIT : Tangoing with .NET". The talk was well attended and we had to face some interesting questions :). Developers were excited about WSIT and .Net interoperability. The goal of the presentation was to introduce developers to JAXWS , Netbeans and various components of WSIT(Transactions, Optimization, Security,Reliable Messaging , WSIT programming model). Kumar did a demo on JAXWS and RM using Netbeans, this demonstrated how simple it was to write a Web service application and enable WSIT components. 

For those who are still wondering on what WSIT is all about and how it will benefit you or if you have more specific questions or issues, I recommend you to visit us at http://wsit.dev.java.net or post questions on WSIT forum or email us at users@wsit.dev.java.net / dev@wsit.dev.java.net .

WSIT is part of Glassfish v2 builds and can also be downloaded from WSIT .






powered by performancing firefox

Improved XWSS implementation in WSIT Milestone 3

In order to take advantage of new Message design provided in JAXWS 2.1 we revamped XWSS in WSIT milestone 3. XWSS 3.0 now has two implementations of WS Security one is based on DOM/SAAJ api's and other is based on JAXB and StAX api's . We have by default enabled JAXB and StAX based implementation. The performance benefits we get from the default implementation is really exciting. The burden of DOM and SAAJ is no longer needed to support most commonly used security scenarios. I will soon publish the performance improvement we have got over XWSS 2.0. Though the default implementation is efficient it has some limitations in this release of WSIT. We do not support XPATH , i,e we do not support SignedElements and EncryptedElements. We do support this under DOM based implementation.

Ability to switch between these two implementation automatically based on the SecurityPolicy will be supported in future releases of WSIT. In this release we can switch to DOM based WS Security implementation by adding DisableStreamingSecurity policy assertion in wsit-client.xml on client side and wsit.xml/ wsdl on the server side.


Client side assertion :

<sunsp:DisableStreamingSecurity xmlns:sunsp="http://schemas.sun.com/2006/03/wss/client"></sunsp:DisableStreamingSecurity>


Server side assertion :

<sunsp:DisableStreamingSecurity xmlns:sunsp="http://schemas.sun.com/2006/03/wss/server"></sunsp:DisableStreamingSecurity>



powered by performancing firefox

Tuesday Jan 31, 2006

Xml Webservices Security 2.0 EA2

Xml Web Services Security 2.0 EA2(XWSS 2.0 EA2) was released towards the end of 2005 bundled along with Java Web Services Developer Pack 2.0 (JWSDP2.0). I have tried to list down some of the key features that XWSS 2.0 provides when compared 1.x versions.


  • Support for JAXWS 2.0

  • Enhanced configuration to support users wanting finer level of control.

  • Programmatic API's to allow standalone users to secure SOAP messages in a WSS compliant manner.

  • Adoption of JSR 105 API's to perform digital signatures.

  • Confidentiality and Integrity protection of SOAP attachments.

  • SOAP 1.2 support.

  • Partial support for BSP 1.0 .


Apart from the above features XWSS 2.0 EA2 has lot of performance improvements and bug fixes. We continue to maintain backward compatibility in XWSS 2.0 making migration from XWSS 1.x seamless. We have been participating in various interop events to ensure we provide a interoperable solution to our customers. .



About

venu

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today