Tuesday Sep 21, 2010

Security annotations support in Sailfin CAFE

Recently we added security annotations support to CAFE on Sailfin. Though there is lot of work to be
done in this area, please give it a try.

@org.glassfish.cafe.api.security.LoginConfig
@org.glassfish.cafe.api.security.TransportProtected
@javax.annotation.security.RolesAllowed
@javax.annotation.security.DeclareRoles

JavaDocs can be found here

Here is musicstore sample bean annotated with security annotations. Though this eliminates the need for sip.xml for
security configuration, you still need to declare role to group or principal mapping in sun-sip.xml

Cafe Security Annotations

Sample security role mappings in sun-sip.xml

Security Role to Group mapping

Permanent link to this entry | Comments [0]

Friday Dec 18, 2009

Diameter documentation

Diameter documentation and release notes can be found here

Thursday Oct 29, 2009

Diameter Administration on SailFIn 2.0

Yamini has blogged about diameter configuration elements and Admin Cli commands here.

Installing diameter on Sailfin 2.0

Diameter will be soon available as a pay for Addon module on Sailfin 2.0. Naman has written how to install and configure diameter on sailfin 2.0 here.

Wednesday Oct 28, 2009

Subscribing to user state using Sun Diameter Sh API.

Here is a code snippet that shows how to subscribe to a user state using Sun Diameter Sh API . The Notifications from the Home subscriber server(HSS) can be received by a Message Driver Bean(MDB). The code snippet of the MDB is also shown below.

The below Admin console snaps of Sailfin 2.0 show Home Subscriber server (pone) configured with Connector Pool(openims_pool) and Connector resource (openims)

PeerConfiguration
Connector Pool and Resource configuration

Here are simple steps :
1.Using Sailfin 2.0 Admin console(Sailfin 2.0 also supports cli commands)
a)Create a Diameter application
b)Create a Diameter Peer ---- Diameter Peer screen also allows you to configure connector pool and resource.
2.Write a SIP Servlet with code snippet shown above
3.Write a MDB as shown above
4.Deploy the sar and jar and you should be done.

Friday Oct 16, 2009

Reading AVP value not directly exposed by Response API's in Sun Diameter stack


Here is a code snippet that shows how to read AVP’s that any of the response API’s does not directly expose.
In this case we see how to read Experimental Result Code AVP value.


Tuesday Jul 28, 2009

Diameter Online Charging(Ro) Javadocs available

Javadocs for Sun Diameter Online charging API's are now available here.

Thursday Jul 16, 2009

Updating user profile information in HSS using Sailfin diameter Sh API.

In the below code snippet we see how to read the user repository data from HSS,modify the data and update the HSS. Sh API makes this operation a breeze. OpenIMS HSS is one of the HSS server being used to test SH API's.

In simple steps :

1.Look up HSS server
2.Create ReadProfileKey with required information and validate it to ensure required information to construct a valid message is there.
3.convert the retrieved profile data into JAXB objects
4.Update the profile data using setter methods provided by JAXB
5.Create a UpdateKey
6.send out the modified information.


Use ViewImage option to look @ the code snippet...

Update userprofile information.

Wednesday Jul 15, 2009

Quick look @ Online Charging in Sailfin Communication server



Wrapping up development on Online and Offline charging API in Sailfin communication server. Here is a sample that shows a charging client accessing Ericsson Charging Server.

PartOne: Initial Request in Session based online charging.

View image to look at the source.
Session Charging

PartTwo: Update and Terminate Request in Session based online charging.
The below code snippet shows how to update a charging session and terminate one. The code snippet has comments to help you understand the code.

Updating and terminating charging session

Highlights of Diameter support in Sailfin
1.Easy to use API , interfaces provided for AVP's defined in 3GPP specs and RFC's
2.Easy to query additional AVP's in a Grouped AVP.
3.Easy to add new AVP support using dictionary or annotations.
4.Ability to send messages in a synchronous or asynchronous manner(Listener support to receive asynchronous responses)
5.Interfaces defined to build messages as per 3GPP specifications.
6.Easy to build custom messages as shown in the code snippet.
7.Diameter Resource adapter.
8.Sailfin Admin console and Admin GUI support for local/remote configuration
9.TLS support.

more later....

If you have questions write to dev-AT-sailfin.dev.java-DOT-net.

Friday May 29, 2009

Annotations and AVP code generation tool

As we progressed through adding features to diameter module in sailfin, we felt the need to speed up the process of adding new application support into Diameter base protocol. Inorder to enable this we added few annotations and came up with a tool that uses metadata from the dictionary to generate the huge number of AVP's the 3GPP specs define.
Hoping to improve the tool as we progress.... Will publish the updated API's and Annotations soon...

Tuesday Apr 14, 2009

Support for Diameter Sh API in sailfin

Sailfin project will soon support Diameter protocol and will have API's to enable applications to use Sh,Ro,Rf functionality. As we progress towards providing Diameter support in Sailfin, we have released Sh API's to solicit your valuable feedback. In course of time we will publish API's for Ro and Rf applications too.

Javadocs for Sh API is published here. I will keep writing here on Sh API', to start with let us quickly look at a simple sample on how to use Sh API in a SIP Servlet.








public class RegisterServlet extends SipServlet {
     protected void doInvite(SipServletRequest req) throws ServletException, IOException {

      
       ProfileData data = readUserState(req.getSubscriberURI().toString());
       SipServletResponse resp = req.createResponse(180);
       req.setExpires(2000000);
       resp.send();
     }

     private ProfileData readUserState(String user) {
      try {
        InitialContext context = new InitialContext();
        //configuration of HSS server is configured using Sailfin Admin UI.
        UserProfileServer connectionFactory = (UserProfileServer) context.lookup("eis/SH");
        UserProfileConnection connection = connectionFactory.createConnection();
        // Configure Key specifying information to read.
        ReadProfileKey rpk = new ReadProfileKey();
        rpk.addDataReference(DataReference.IMS_USER_STATE);
        eg:"sip:bob-AT-open-ims-DOT-test"
        UserIdentity uID = new UserIdentity(user, UserIdentityType.PUBLIC_USER_ID);
        rpk.setUserIdentity(uID);
        //validate if the constructed key is correct and all information needed is provided.
        rpk.validate();
        //perform a read operation from HSS server in synchronous mode.
        UserProfileReadResponse urr = connection.read(rpk, false);
        ProfileData data = urr.getProfileData();
        //read the information as bytes,XMLStream or JAXBObject
        System.out.println("User Profile data is" + new String(data.toBytes()));
        return data;
      } catch (KeyValidationException ex) {
       Logger.getLogger(RegisterServlet.class.getName()).log(Level.SEVERE, null, ex);
      } catch (ConnectException ex) {
       Logger.getLogger(RegisterServlet.class.getName()).log(Level.SEVERE, null, ex);
      } catch (NamingException ex) {
       Logger.getLogger(RegisterServlet.class.getName()).log(Level.SEVERE, null, ex);
      }
      return null;
}
}

We encourage users to look at Javadocs and provide us feedback. Please write to us at dev-AT-sailfin.dev.java.net

Wednesday Jan 07, 2009

P-Asserted-Identity authentication in Sailfin Communication Server

P-Asserted-Identity authentication in Sailfin is based on RFC 3325 and requirements from JSR 289,

Steps to configure P-Asserted-Identity authentication

We will break the steps to configure P-Asserted-Identity authentication module into following steps,

       1.Configuring security realm
       2.Configuring Trust
       3.Configuring security for SIP Applications

1.Configuring security realm

Refer to section Configuring security realm in my previous blog entry.

2.Configuring Trust

  • Open sailfin administration console, default url will be http://localhost:4848
  • Click on Configuration tab
  • Click on Trust configurations

You can now either create new trust configuration elements or edit if you have already have one.
When you create a new trust configuration you have the option to either choose static configuration or you can write your own custom trust handler(to determine if a host from which message is being received or sent to is trusted).

Here are some snapshots 1 & 2.

Default trust handler provided by Sailfin trusts all hosts and maps the value in P-Asserted-Identity to a format suitable to the container for use in authentication,authorization tasks.For eg: "Cullen Jennings" value will be mapped/formatted to "CullenJ".

3.Configuring security for SIP Applications.

  • Configuration as per JSR 289
           1.Login configuration
           2.Securing methods

  • Implementation specific configuration
           1.Configuring sun-sip.xml

Configuration as per JSR 289.

1.Login configuration

              JSR 289 specific configuration elements (standard configuration) are defined in sip.xml, sip.xml has   following additional elements under login-config.

As per JSR 289 sailfin supports P-Asserted-Identity authentication in two modes (SUPPORTED , REQUIRED). When SUPPORTED value is used then incoming SIP messages are processed as follows

a) if P-Asserted-Identity header is present then process it.

b) if P-Asserted-Identity header is not present then apply the authentication method configured in auth-method element.


<identity-assertion>

          <identity-assertion-scheme>>P-Asserted-Identity</identity-assertion-scheme>

          <identity-assertion-support></identity-assertion-support>

          <!-- SUPPORTED/REQUIRED are supported values for identity-assertion-support -->

</identity-assertion>

As per JSR 289 Sailfin supports P-Asserted-Identity authentication in two modes (SUPPORTED , REQUIRED). When SUPPORTED value is used then incoming SIP messages are processed as follows

  a) if P-Asserted-Identity header is present then process it.

  b) if P-Asserted-Identity header is not present then apply the authentication method configured in auth-method element.        

<login-config>

          <identity-assertion>

                  <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>

                  <identity-assertion-support>SUPPORTED</identity-assertion-support>

          </identity-assertion>

</login-config>

                                or

<login-config>

          <auth-method>DIGEST</auth-method>

          <realm-name>realmperapp</realm-name>

          <identity-assertion>

                  <identity-assertion-scheme>Identity</identity-assertion-scheme>

                  <identity-assertion-support>REQUIRED</identity-assertion-support>

         </identity-assertion>

</login-config>


When P-Asserted-Identity scheme is REQUIRED by the application, the P-Asserted-Identity header MUST be present in the request. If the P-Asserted-Identity header is not present, Sailfin will reject the request with a 403 response. If authorization of the Identity specified by P-Asserted-Identity header fails, Sailfin will return a 403 response.

2.Securing methods

   JSR 289 defines security-constraint( auth-constraints and resource-collection) elements which enables users to configure SIP methods that need to be secured i,e accessed by authorized users.

please refer to sample sip.xml file for more details.

Implementation specific configuration

1.Configuring sun-sip.xml

Following elements and properties need to configured in sun-sip.xml

security-role-mapping  element to enable principal to role mapping

properties trust-id-ref  and trust-auth-realm-ref, please refer to my previous blog entry to know learn about these properties.


Thursday Dec 18, 2008

Configuring NonceManager for Digest and Identity authentication modules

Identity authentication and Digest authentication modules need NonceManager to cache call-id and nonce values respectively.
One can configure the max nonce age for these modules using NonceManager property under Security-Service element in domain.xml. maxNonceAge value is in milliseconds.
eg:
"property name="NonceManager" value="id=identity-nonce-config,maxNonceAge=350000;id=sip-nonce-config,maxNonceAge=3000"

NonceManager for Digest authentication module is sip-nonce-config whose default value is 600000 milliseconds.
NonceManager for identity authentication module is identity-nonce-config whose default value is 3600000 milliseconds.

Snapshot of configuring NonceManager using Admin UI is here

Thursday Nov 27, 2008

Configuration elements for Identity authentication(RFC 4474)

IdentityValidatorConfiguration :

property enables users to configure Identity (RFC 4474) authentication module in Sailfin, the property has name value pairs seperated by a comma as configuration parameters.This property can be configured under security element in domain.xml, use the Administration UI as shown here.


eg: maxClockSkew=30000, timestampFreshnessLimit=360000

  • maxClockSkew

This sets the maximum difference allowed between the system clocks of the sender and recipient. The value is specified in milliseconds.

  • timestampFreshnessLimit

Sets the maximum duration of time after which the timestamp becomes stale, the value MUST be specified in milliseconds and the default value is 600 seconds.

  • enableRevocationCheck

if this flag is set to true, the default revocation checking mechanism of the underlying PKIX service provider will be used, by default value is false.


  • certificateValidator

specifies the class name of custom certificate validator implemented by the user, this class must implement org.glassfish.comms.api.security.auth.CertificateValidator interface.

PrincipalMapper

is used by Identity and P-Asserted authentication modules of sailfin. PrincipalMapper is used convert user names to format understood by the Sailfin container, This property is optional and a default implementation is provided by Sailfin. This property points to a class name which implements com.sun.enterprise.security.auth.PrincipalMapper interface. This property can be configured under security element in domain.xml, use the Administration UI as shown here. Each application using P-Asserted / Identity authentication creates its own instance of PrincipalMapper implementation class.

Properties in sun-sip.xml

  • trust-auth-realm-ref

property is used by Identity and P-Asserted authentication modules and should point to any security realm with “assertedRealm” as jaas-context value.

  • trust-id-ref

property is used only by P-Asserted authentication module and should point to identity-assertion-trust configuration element in domain.xml. Trust-id-ref will have id value of “ identity-assertion-trust” element.



Wednesday Jan 09, 2008

Reactor subproject failure occurred

If you get the below mentioned error when setting up Sailfin development workspace, then the problem can be that your

maven checkout and maven bootstrap-all commands have failed. Check the logs and update your sources or execute checkout and bootstrap-all commands again freshly.

build-pe:
[echo] ------------------------------
[echo] - Building GlassFish modules -
[echo] ------------------------------
[echo] Resolving appserv-docs binary dependency
Starting the reactor...

BUILD FAILED
File...... /home/venu/work/workspace/sailfin/bootstrap/maven.xml
Element... maven:reactor
Line...... 52
Column.... 40
Unable to obtain goal [build] -- /home/venu/work/workspace/sailfin/bootstrap/../../glassfish/bootstrap/maven.xml:264:40: Reactor subproject failure occurred

About

venu

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today