Google Site Search


Monday, December 31, 2007

Stolen BUSINESS Identity: An alarming trend

An eye-opening article by Scott Campbell in the latest issue (December 2007) of VARBusiness maganize, available online at Stolen Business Identity: Could It Happen To You?, talks about stealing the identities of business leaders for monetary gains. I do not think this is a fresh phenomenon, but an article raising this issue is certainly welcome to increase awareness.

Doug Green, executive vice president of CCT Technologies, doing business as ComputerLand of Silicon Valley, said he first heard of the alleged scam when a San Diego-based solution provider, Ricoh Business Solutions, called him to inquire about a RFP for 860 Hewlett-Packard (NYSE:HPQ) inkjet cartridges and 300 Intel (NSDQ:INTC) processors supposedly sent from ComputerLand of Silicon Valley. But Green said he only buys from authorized distributors and had never placed the order.

Upon further investigation, Green discovered that someone had built a Web site ( that closely resembled his company's own real Web site ( It lists the correct street address, but the phone number and e-mail address are not associated with the real ComputerLand of Silicon Valley, he said. "It looks sophisticated for a three-day turnaround from the time we found out about it," Green said.

A call to the phone number listed on the fake Web site was automatically forwarded to a voice mailbox for "Doug Green."

The fake Web site was registered on Sept. 4 and lists a Doug Green in Kentwood, Mich., as the administrator. A man who answered the Michigan phone number listed said he had never heard of Doug Green or ComputerLand of Silicon Valley. He said the phone number was his personal cell number and that the only Web site he had ever registered was for a youth soccer program in Grand Rapids, Mich.

This is really dangerous not only from a business perspective but also from an individual perspective (referring to the Michigan individual whose mobile number was compromised in a scam). I do not think it was difficult for the fraudsters to obtain the mobile number of the MI individual.

Scott McNealy, of Sun Microsystems fame had publicly opined:
The chief executive officer of Sun Microsystems said Monday that consumer privacy issues are a "red herring."

"You have zero privacy anyway," Scott McNealy told a group of reporters and analysts Monday night at an event to launch his company's new Jini technology.

"Get over it."

If a technological business leader makes such an open alarming statement about individual privacy, it certainly is a DANGEROUS road ahead for mankind. :(

While consumers are protected when their identities are stolen for the wrong reasons, a business owner/operator does not have the same privileges as highlighted in "What happens if your business identity is stolen?"
Business identity-theft complaints have been growing steadily since November, says Jay Foley, executive director of the not-for-profit Identity Theft Resource Center in San Diego. Often, they are from mom-and-pop businesses starting to conduct business on the Internet.
"They get ugly," Foley said. "The business has to fight off people who want to collect for these accounts."
Little reliable data on business identity theft exist, experts say, due to the different ways it is reported. Banks find it difficult to tell whether a small business problem is fraud, or related to the company going out of business. Police categorize it as "fraud" rather than "identity theft." The federal identity theft criminal definition does not cover businesses.
Fraudsters, though, easily can get business information through secretary of state offices and the D&B Business Directory.

Sen.Patrick Leahy has introduced a bill in the Senate called as the "The Identity Theft Enforcement and Restitution Act of 2007". A discussion of this bill is provided here : "Identity stolen? Senators want thieves to pay for your troubles". The latest I have heard about this bill is that it has passed the US Senate and is awaiting a decision in the US Congress. A great thing about this bill is that citizens who spend time correcting their post-identity-theft lives to return to the pre-identity-theft scenarios, can be entitled to monetary restitution from the offenders.

While we are on the topic, it certainly is a very welcome sign to hear Greg Garcia, US Cyber-Security Czar welcoming US citizens, residents and visitors to work with DHS to counter cyber-crime.
it's critical for everyone to take cyberrisks seriously, in hopes of meeting his department's ultimate goal: making the United States "the most dangerous place in the real world for cybercriminals to do business."

Thank you Mr.Garcia for this.

Friday, December 28, 2007

Tip 14: Disable Tomcat/JBossWeb Connectors

The location of the configuration file would be server.xml which would be under the conf directory for tomcat and under deploy/jboss-web.deployer for JBossWeb in JBoss 4.2.0

You will see multiple connector definitions based on protocol. 8080 for HTTP, 8009 for AJP and 8443 for HTTPS. If you want to disable any of these, all you have to do is uncomment the connector element for the relevant port.

When should you disable connectors?
- If Tomcat/JBoss is not fronted with Apache or any Native Web Servers (with mod_jk), then there is no need for the AJP connector. So disable the 8009 port connector by uncommenting it.
- If you do not care for HTTPS, but just want to cater to HTTP, then keep the 8443 connector commented out.

Tip 13: Ensure Just Https works on Tomcat

There may be cases where you want to disable the HTTP 8080 port and enable just the HTTPS or 8443 port in tomcat.

For that to happen, just ensure that you *uncomment* the 8443 port connector on Tomcat 6/JBoss 4.2 in server.xml

Tuesday, December 18, 2007

Orkut Scrap Virus

Orkut Scrapbook is another easy target for viruses and phishing scams. I did see some Portuguese/Spanish content scraps from my friends in my scrapbook and likewise they received the scraps from me.

But the comforting factor is that Google has disabled the scrapbook until they clean up all the scraps from the Orkut system. Google good job.

Doing a google search on Orkut Viruses, I did see a bunch of posts from 2006 pointing to a virus spreading scraps with a YouTube link. When users clicked on the link, it asked folks to download stuff which was a backdoor to trojans.

While you are reading this blog post, I STRONGLY suggest you to read the following cyber security tip from US-CERT:
Avoiding Social Engineering and Phishing Attacks

Existing Identity Systems

Just another view of the disjointed identity world. Convergence is still a long way off.

Existing Identity Systems

With the enterprise landscape getting complex, we neither need specifications/standards solving one thing ONLY nor the lack of interest in converging.

Now, I clearly understand what Kim Cameron means by an "Identity Meta System".

Jeff Hodges: New Technical White Paper (SAML vs OpenID)

Although in the draft stage, the following white paper is certainly a good step in understanding the key differences between OpenID and SAML.

Technical Comparison: OpenID and SAML

Sunday, December 16, 2007

SAML and JBoss

UPDATE (Dec 09):

The following content is outdated:

I know that there are many JBoss users hoping to see SAML v2.0 support in JBossAS. We will get there once OpenSAML v2.0 development by Internet2 middleware reaches some stable milestone. What I like about OpenSAML is that it provides a library to build components that are saml aware. A nice thing is that v2 will contain bindings like http redirect, http post etc that we can reuse.

Well, I am just thinking that there is broad expectation of saml2 support in JBoss. Why don't you tell me by leaving a comment?

UPDATE (Feb 09): Use the Identity Community Platform

UPDATE (Oct 08): We are working on a common identity project at JBoss. As part of this project, we will provide you Identity Management as well as Federated Identity stack (SAML etc).

Keep Kids Safe On the Internet

With the growing usage of the internet around the world, it is a fact that the population of young kids getting online is on the rise. With cheaper computers and wider broadband footprint, the days are gone when a parent could ignore kids getting computer savvy. There are hoards of toys imitating regular computers available for kids around age 2 and above. Hence it is natural for kids to progress to a regular computer as they grow. Now, the first thing that they will learn would be to use the browser. Then comes registration for chat rooms (where the dangers abound).

As they learn to search for stuff, they may use Google to search on their favorite shows, characters etc. This is where the search engines need to take leadership in providing a safe searching environment for Kids. There is mention of Google Safe Search, but I could not locate it.

Some resources:
1. Internet Safety Education
3. Keeping Internet Kids Safe (KIKS)
4. NetSafeKids
5. FBI:Parent's Guide to Internet Safety
5. CyberSmart! School Program
7. Ready Kids

Most important of all, kids need to be guarded from online predators.To Catch a Predator

Online Social Networking Sites such as MySpace are increasingly becoming dangerous traps for growing kids. Here is an instance of cyber-bullying that went FATALLY wrong. Frontier justice in an online world?

Technologists and regulators have to make adequate efforts at making the Internet safe for kids. But the responsibility of the parents is critical. In the end, it is the kids of the parents that are vulnerable.

Tuesday, December 11, 2007

Disable Tomcat Caching Principal

Tomcat caches the Principal (GenericPrincipal) in the catalina request object. If you want to disable this, such that every request goes through authentication and authorization, thereby providing you ability to refresh roles in a session, you can do the following:

cache="false" />

Place this in a context.xml in META-INF of your war file in stand alone tomcat or in WEB-INF of JBoss.

The above works for FORM authentication.

Remember, performance will be slow.

JACC EJBMethodPermission rant

The EJBMethodPermission has a constructor that takes the method signature as an array.

I am referring to:

public EJBMethodPermission(String EJBName,
String methodName,
String methodInterface,
String[] methodParams)

Creates a new EJBMethodPermission with name corresponding to the EJBName and actions composed from methodName, methodInterface, and methodParams.

EJBName - The string representation of the name of the EJB as it appears in the corresponding ejb-name element in the deployment descriptor.

methodName - A string that may be used to indicate the method of the EJB to which the permission pertains. A value of null or "" indicates that the permission pertains to all methods that match the other parameters of the permission specification without consideration of method name.

methodInterface - A string that may be used to specify the EJB interface to which the permission pertains. A value of null or "", indicates that the permission pertains to all methods that match the other parameters of the permission specification without consideration of the interface they occur on.

methodParams - An array of strings that may be used to specify (by typeNames) the parameter signature of the target methods. The order of the typeNames in methodParams array must match the order of occurence of the corresponding parameters in the method signature of the target method(s). Each typeName in the methodParams array must contain the canonical form of the corresponding parameter's typeName as defined by the getActions method. An empty methodParams array is used to represent a method signature with no arguments. A value of null indicates that the permission pertains to all methods that match the other parameters of the permission specification without consideration of method signature.


Now if methodParams is an empty array, it indicates a method with zero arguments where as if it is NULL, then it indicates all overloaded method signatures. This is a subtle aspect that can go horribly wrong for container vendors (if not given due attention :) )

Monday, December 10, 2007

Open Source Directory Servers

Reading the e-Week Article "It's the Directory, Stupid", I got thinking.

From a commercial scale perspective, Active Directory has done quite well. The author mentions that RedHat/Fedora has not really pushed the Directory Server into the enterprise. I am not going to comment on that but would like to say that the FreeIPA ( initiative is certainly an excellent platform for enterprise customers to handle Identity, Policy and Audit requirements in an heterogeneous infrastructure. The proponents of the FreeIPA program told me that there are customers who have deployed Active Directory based infrastructure would like Linux to inter operate with it.

Coming over to efforts on Java based Open Source Directory Servers, the prominent DS at the moment with rich feature set is the Apache Directory Server. On the other hand, the Sun Open Source Java Directory Server, OpenDS, has had some bumps along the road recently.

Multiple SMB infrastructure may be running on OpenLDAP, but I have to agree that when it comes to scalability at the enterprise level, it has fallen short (as mentioned in the eWeek article).

Friday, November 30, 2007

Why does Facebook want my Date of Birth?

This is a common problem with all internet websites. They want to know my date of birth. Because they want to ensure that either I am above 18 years old or that I need to be wished by other folks on my birthday.

How can I be sure that their database is not compromised? Just because I get a lengthy privacy safeguard letter or url from facebook, orkut and other websites, it does not mean that I can feel SAFE.

Look at a detailed look at psychological, social and privacy related issues with Online Social Networking sites at my blog entry.

Basically, what Facebook is trying to do is comply with COPPA (Children's Online Privacy Protection Act) to try and find if you are above the age of 13 years of age and in addition tell your friends about your birthday. By default, the birthday is public in your profile (which is another screwed up default).

I think the following would have sufficed and been better:
a) "Is your age 13 years or above?"
b) Please give us your date and month of birth.


Dangers of Facebook in a corporate environment:

Wednesday, November 28, 2007

The story of OpenDS and the departing Neil Wilson

Some of you may know about Sun's Open Source Java Based Directory Server called as "OpenDS"

To quote from their web page:
OpenDS is an open source community project building a free and comprehensive next generation directory service. OpenDS is designed to address large deployments, to provide high performance, to be highly extensible, and to be easy to deploy, manage and monitor.

Why was I interested in OpenDS?
The reason I was interested in OpenDS was that at JBoss, we needed an all java based LDAP server for automated testing. The alternative to OpenDS was and is ApacheDS. At the time of evaluation, ApacheDS had larger footprint with reference to number of third party dependencies. Hence we had chosen Sun's OpenDS for some basic ldap based automated testing. No, our test infrastructure is not build on ldap, if that is what you were thinking. We were using OpenDS as a small footprint ldap server to test our ldap integration for JBoss Application Server.

Why is this Blog Entry talking about OpenDS?
The reason I had to write this was the shocker sent by OpenDS founder, chief architect and everything - Neil Wilson. Here is his blog entry.
An Open Letter to the OpenDS Community and to Sun Microsystems

The letter is basically a bridge burning rant from the departing Neil. This signifies the future death of the OpenDS project. Even though Sun may have resources allocated to this project, the brain/the soul of this project was in the initial founders and they are let go. I do not know what exactly transpired between Neil's superiors and Neil&co, but it is certainly a loss for open source Java software world.

I have the utmost respect for Neil and I can say OpenDS was a good DS in the making. It still had a long way to go to match the other well trenched native LDAP servers.
Neil had single handedly created SLAMD. Slamd is a distributed load testing engine/framework sitting on top of a LDAPv3 compliant server. It was slick when I played with it 4-5 years ago.

Neil seems to be a gentleman. I came to this conclusion after emails shared over years on slamd and openDS on mailing lists, as well as the congratulatory blog post at the news of ApacheDS attaining LDAPv3 certification. Here is the blog entry.

Are we totally screwed with the potential demise of OpenDS?
Not really. We still have OpenLDAP and Red Hat Directory Server (not Java based though). Frankly, we can live without an all Java based Directory server. When such a need arises, we can choose Apache DS. In fact Apache DS is feature rich in comparison to OpenDS. :)


Competition between ApacheDS and OpenDS was essential to a healthy Java based Directory Server area. But in the end, ApacheDS prevails.

Both Alex Karusulu (Apache DS) and Neil Wilson (formerly OpenDS) are smart, energetic and passionate-about-ldap folks. So competition between these two projects was good for the ecosystem.

What will Neil do going forward?
I cannot speculate here or do some wishful thinking. I do not know him PERSONALLY.

It takes a long long long time to really build a directory server that is usable in production. Plus the ldap servers are a commodity now. So I would not predict that Neil would build another DS. I certainly hope that he remains active in the open source world so that folks can use the good practical skills that he has. Additionally, his Directory Server skills will be an asset in the consulting world (probably he will do that). :)

I am sure Neil will make it big in the Identity Management/Ldap market.
Good Luck to Neil in his future endeavors.

The new community leader of OpenDS has provided the perspective behind.
Sun is committed to a transparent, participatory Open Source OpenDS
community. We will continue our investement in OpenDS.

We very much appreciate the contributions from all current and former
Sun employees to the OpenDS Community. The OpenDS community remains
open to anybody that wants to contribute to it.

Some clarifications, in light of recent comments:

* The origin of OpenDS was a proprietary project at Sun.
Sun founded the OpenDS community in 2006 to host the evolution
of the project under an Open Source license.

* We recently discovered that the Governance document for OpenDS had
changed ([1]).


* Since the change had not been discussed with the broader community nor
with Sun, we wanted to have the change reverted. We asked the Sun
employees involved in the original change to back it out. They
refused and then resigned from the community, requiring the new
project owners to make the change.

* We did not ask anyone to resign from the OpenDS community and we
welcome and encourage community participation.

The OpenDS project team is fully committed to the Open Source
principles as our actions will show.

Ludovic Poitou, OpenDS Community Leader

Andy Oliver responds as:
This response is woefully insufficient. It also doesn't contradict what
Neil said exactly. You're not running this as an open source project.
So you welcome free labor but aren't ponying up the open source
development part.

Show some actions that indicates said commitment. Your (Sun) actions
have shown a lack of it and this email is nothing but "spin" and damage

You didn't asked them to just gave them no other choice.
Who cares about the semantic differences?

OpenDS is presently open source in license only. At present only a
community fork could correct this as you're only showing a commitment
to talking about how open sourcey you are without actually being so.


legolas wood says
Hello Neil,
I am sorry to hear that the project is going to such a way like this. An
open source project should be open in nature and somehow closed for
destructive changes. It should not be controlled by a company because
the company is providing the main artifacts.

You are leaving the project and this is not a good news for community
including me. I have solved dozen of my problems by using your reply in
the mailing list and it is not something that I forget. I should thank
you again both for all replys you have provided in the forum whether for
my questions or other people's questions.
I think community members should asks current board members to post an
official reply to this letter.

Thank you for posting the truth. I wish you a good future and a good job.
have good time.

Eduardo Pelegri-Llopartsays:
I do agree that Neil was extremely responsive and that he will be missed. But I think it is fair to give a chance to the current team to prove themselves.


Trey Drake, the former OpenDS Community leader has given his take here:


I agree with legolas. Neil was the face of OpenDS. He would answer user
queries and many times he would personally implement some of the feature
requests that we put in. This type of commitment will lack in the future. Eduardo says we need to give a chance to the current team (and we will. :) )

Additional Links from the media:
1) Sun bullied, used threats to gain control of open source project, former owner says
2) Does OpenDS need a fork
3) OpenDS Users Mailing List (All the drama is here for the month of November 2007)

Give me something to see before I go?

Sun CEO Jonathan Schwartz raving about the growing OpenDS community (In a picture of course). See Here. The picture is from Ludo's blog.

I am getting the feeling something fell through the cracks here, in this project. Company lay-offs is a business decision.

Disclaimer: The replies and additional updates including media links are provided to give overall
perspective to the story and the responses from folks. I am not passing any judgement on anybody here. I am just disappointed that there was so much drama in a potential successful project in the Open Source World.
"No More Updates to this blog entry. Please check the OpenDS users mailing list for November 2007 linked above for information"

UPDATE: The dust has settled on this matter. OpenDS development has continued. So back to business now. Neil Wilson has another blog post in continuation, Clarifications on the Open Letter.

Saturday, November 24, 2007

Online Social Networks : Tubing , Phishing Targets - What next?

The Online Social Network(OSN)s have been immensely popular in recent ages. They have ridden high on the basic nature of human beings - to socialize. Examples include, as of June 2007, MySpace had 114 million visitors [1].

With the proliferation of social networks on the internet and the need to get as many users as possible, in the shortest period of time, security has taken the back seat. The result - phising, identity theft, Cyber Stalking and attacks such as Tubing. This is what happens when security is not taken into consideration during the conception/design phase.

Just as the windows world is facing constant threats with Viruses, Trojans etc, any popular idea that does not try to be secure by design will find harmful glances from the cyber trash.

It is highly encouraging to see a position paper from ENISA on ensuring security in Online Social Networks.

Some of the notable points from the paper [1] are:
- Discourage banning of OSN from Schools.
- Cyber Stalking is increasing due to OSN.
- The OSN are encouraging users to divulge as much private information as possible (which in turn can be mined and misused for marketing/financial gains). This has been validated by a survey in the UK [3]

Out of the 10.8 million in the UK signed up for social sites, one in four have posted confidential or personal information, according to "Get Safe Online."

This issue has manifested further in developing economies such as India [4] [5] where people's lives has started revolving their daily interactions with Online Social Networks such as Orkut.

Ragini got on last year and already boasts of over 3,200 'friends' — a blend of a few real buddies, many passing acquaintances, strangers, and even people she hates in the real world.

Having the largest number of friends has become crucial for Ragini. On days that she gets less than 10 new be-my-friend requests or no messages (scraps) on her page, she gets depressed, claim her parents.

Competition for friends can be so fierce that some have even resorted to faking friend lists. Sixteen-year-old Mohit Kapoor, for example, has put up 20 benami (fake) profiles and keeps scrapping himself daily. "This not only pads the number of scraps I receive, but I can also brag about things indirectly," grins Mohit.

BBC [6] has an article on why an Internet watchdog is warning the youth to be careful with OSN.

The ICO also said young people could be putting themselves at risk of identity fraud because of the material they post on social networks such as Facebook and MySpace.

Many enterprises have jumped into Web 2.0 without even giving any special thoughts to Security. An article on it in InformationWeek [2] sheds light on this scary aspect.

The problem is that malicious hackers are increasingly focusing their attention on using Web 2.0 technologies as entries into unsecured companies. Hackers and spammers, for instance, can create their own pages on social networking sites and riddle them with malicious code to infect their social networking peers. One worm planted in a MySpace page infected more than 1 million users. And malware writers are beginning to target vulnerabilities in Ajax-based applications, which help make the Web 2.0 sites so dynamic.

Privacy Concerns
Many social networking sites like Facebook want your date of birth during registration. This piece of information is mandatory for you to use their service. I am unsure as to why this sensitive and risky information is needed rather than a check box that asks whether you are older than 18 years. Additionally, what is the guarantee that the company will keep this information safe from prying employees and potential sale to marketing companies. A good indicator of this is employees of social networking companies able to peek at your usage history on their sites, for example, what profiles you have been viewing lately [7].

[1] ENISA Position Paper No.1 Security Issues and Recommendations for Online Social Networks

[2] Study: Companies Dive Into Web 2.0 Without Securing Risks

[3] UK Survey Finds Social Networking Sites Raise Security Risks

[4] Social networking can be real pain

[5] Adults also prone to faking having online friends

[6] Young warned over social websites

[7] Facebook employees know what profiles you look at.

Be safe when you use and/or adopt Web 2.0 Applications.

Scott Wright is a 20 year veteran in the computer world and is currently a Security Management Consultant in Ottawa. He has pointed me to a poll that he has created. Please check it out and vote anonymously.

Does your organization allow you to access social networking sites (eg. Facebook) from its network?

Additionally, you should be aware that the more personally identifiable information is available on these social networking sites, the more spam you are going to receive, as per a new report: Spam gets dirty in 2008


Tuesday, November 20, 2007

Tip 12: Encrypt Datastore Passwords in JBoss JCA

JBoss JCA Encrypt DataStore Password

This wiki gives you the instruction to encrypt the data store password. Please also have a look at
for subtle details on PBE (Password Based Encryption) mainly the details on password, salt and IterationCount.

1. Note the Password Based Encryption deals with a tuple (password, salt, iterationcount). So ensure that you use the same salt and iteration count that you used during the opaque password generation in your MBean with JaasSecurityDomain.

Here is an example:
java -cp jbosssx.jar welcometopbe 15 somepassword server.password
Encoded password: E5rtGMKcXPP

Note the encoded password is my own cooked up (so it may not be the result of your command execution).

Now, this is how you configure your MBeans.

<mbean code=""
<arg type="java.lang.String" value="ServerMasterPassword"/>
<attribute name="KeyStorePass">
<attribute name="Salt">welcometopbe</attribute>
<attribute name="IterationCount">15</attribute>

As you see the salt and interation count in the MBean definition
is exactly the same used in the Password generation.

If you see this error in your log, it means that you are using a
different salt/iterationcount than the one you used during
password generation. Also verify that your DS depends on the MBean defining the JaasSecurityDomain.
Parameters missing

2. If JBoss cannot find the password file, then you will see an error such as:
ERROR [] Failed to decode password file

Here is an example of a postgres-ds.xml that encrypts the DS password.

<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!-- -->
<!-- JBoss Server Configuration -->
<!-- -->
<!-- ===================================================================== -->

<!-- ==================================================================== -->
<!-- Datasource config for Postgres -->
<!-- ==================================================================== -->


<type-mapping>PostgreSQL 8.0</type-mapping>

<mbean code=""
<arg type="java.lang.String" value="ServerMasterPassword"/>
<attribute name="KeyStorePass">{CLASS}${jboss.server.home.dir}/conf/server.password</attribute>
<attribute name="Salt">12345678</attribute>
<attribute name="IterationCount">17</attribute>

Sunday, November 18, 2007

HTTPOnly Cookies

To mitigate cross site scripting dangers, Microsoft pioneered the usage of HTTPOnly cookies.

One of the more common security problems plaguing Web servers is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML. Cross-site scripting attacks can expose sensitive information about the users of the Web site. In order to help mitigate the risk of cross-site scripting, a new feature has been introduced in Microsoft Internet Explorer 6. This feature is a new attribute for cookies which prevents them from being accessed through client-side script. A cookie with this attribute is called an HTTP-only cookie. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The following example is a header that sets an HTTP-only cookie.

The cookie looks like:
Set-Cookie: USER=123; expires=Wednesday, 09-Nov-09 13:12:10 GMT; HttpOnly

This is certainly a positive step. Now Firefox (V3) has agreed to support HTTPOnly cookies. Opera (v9.5 onwards) also is going to have support for HTTPOnly cookies.

According to Johnathan Nightingale of Mozilla (over email), "This allows site authors to specify that certain cookies, e.g. session tracking cookies or those with otherwise sensitive information, be available only as part of the http request, and not accessible to script. This is opt-in, but it has the advantage that the user is protected without a need to involve them in the decision process. It also preserves the innocent cases of script-based cookie manipulation where no sensitive information is involved."

As far as I know, there is no support for configuration of cookies to be HttpOnly in Apache Tomcat. What you can probably do is create a tomcat valve, which on the return path pumps in the HttpOnly cookies via the header.

response.setHeader("Set-Cookie", something=" + value + "; HttpOnly");

UPDATE (25 SEPT 2008): There is HttpOnly support being included in the Servlet 3.0 specification, which will probably approved soon. This will make Tomcat/JBossWeb to support it asap. Check Rajiv Mordani's post.

Tubing - another phishing mechanism using YouTube

Apparently, there is a dangerous phishing scheme utilized to endanger YouTube fans as well as those who trust YouTube. The scheme is called TUBING.

What happens is that you get an email or other mechanism to watch a YouTube video. You have to note that the URL of the video will not be pointing to a YouTube server but rather a malicious server. As part of the video, you will be asked to install some code. If the code is accepted, then you have exposed yourself to attacks.

WebSense has a nice article on the topic of TUBING.

Because email addresses can be spoofed, IP addresses can be spoofed, https can be spoofed, it is advisable to scan the url before you try to open a YouTube video.

Saturday, November 17, 2007

I authenticated you but are you WHO you say you are?

Ok, you may say that the whole goal of the authentication process is to identify and ascertain that you ARE who you say are. But how has the authentication process progressed over years and how safe has it been?

Some thoughts:
a) Overwhelmingly majority of the world's authentication systems have been based on passwords. Dictionary attacks and weak passwords aside, this phenomenon has just led to disasters and nothing else. Your systems may have incorporated a Password Policy but over time your users get tired of coming up with new passwords because your system will not accept any of your old passwords. Remember that many of your users are smart and will create strong passwords, but they cannot generate them often, BECAUSE your system is not the only system that they interact with. They interact with a large number of systems. So they are more prone to create 2 or 3 strong passwords and try to use them around. Now, if you have a password policy, then they will not be able to use these small set of passwords they have generated, to keep themselves safe. What are they going to do? They will generate one - write it someplace or store it in a text file on their laptop. There you go. Your password policy brought you probably compliance with some regulation, but screwed your users.

b) There are many banks and financial institutions still using social security number as the primary means of identifying you, in place of regular user chosen "username". Of course, I understand that customer support costs money. Hence you chose the simplest means of uniquely identifying a US based customer. If you have read my earlier blog post about "The Underground Digital Economy", you will have jitters like I have about such approaches. The main point is that a PHISING email sent to any person will get an user entering his SSN as the username and password. The password is not very significant here because apart from the particular bank/financial institution being in danger, the SSN captured has basically exposed the victim to multiple frauds.

c) Multi Factor Authentication: This comes in multiple flavors, typically two factor authentication. You have another piece of credential apart from your password to identify you. This additional piece can be a token card, hardware device or some kind of a mutually agreed answer to a question. Well, Bruce Schneier is not very excited about the Two Factor Authentication.

d) Knowledge Based Authentication:I will not go into details about KBA. But you can read the harm caused by it. Also Bruce is not pretty convinced about Secret Questions.

There are other authentication mechanisms that I am NOT going to dive into.

Wish I could give you an answer to safely authenticate someone, without endangering your infrastructure as well as the legitimate user you were trying to authenticate. Once I know the answer, I will tell you.

Friday, November 16, 2007

Short Interview: Oasis XACML Interoperability Event at Burton Catalyst Conference

Hal Lockhart, OASIS XACML Chair had interviewed all the participants of the Oasis XACML Interoperability Event at the Burton Catalyst Analyst Conference in San Francisco. You can hear me rave about our efforts here in this podcast:

OASIS XACML Interop Event

Tuesday, November 13, 2007

W3C Security Context - First Working Draft

If you have not checked out the First Working Draft of "Web Security Context: Experience, Indicators, and Trust", then you may be missing out on what will probably be driving your safe internet browsing behavior in the next 3-10 years and beyond.

Some brownie points if you repeat the names of the editors.

Are you concerned about your privacy?

I am sure the answer is YES.

If you live in the US and inform the US Postal Service that you are moving to a new location, it invariably happens that you will receive a Welcome packet from USPS at your new address. Guess what the packet contains? Apart from the regular USPS stuff, you will see coupons from Home Depot and other neighborhood stores. How did they come to know that you were moving? Of course the USPS told them. Or they already provide coupons to USPS to place in the welcome packet. I prefer the latter to be the case.

Now, let me give you another instance. You go to ToysRUs or any other store, you will be asked, "Can I have your phone number?". You either will meekly tell them or ask them as to why they need it. The response will be that it is to send marketing material (coupons etc). I am sure that they are quite concerned that we do not receive enough junk mail and the USPS needs to justify a post man for your street. :)

The November 12th issue of Information Week has an excellent article on Privacy Vs. Personalization: Can Advertisers Ward Off Looming Threat Of Do Not Track List.
The summary is:
It's time to give consumers a say over all that data being collecting on them. Otherwise, a Do Not Track list--or worse--could be in the future.

I have been an Amazon customer for the last 10 years. They keep track of everything I do. What books I search on; What products I view, search and buy. Based on a book I bought 4 years ago, they will make new recommendations. I do not care so much about the data mining or whatever fancy term that they are doing, with my association with Amazon. But I will be very very worried if my online behavior is shared with non-amazon parties. Of course, Amazon's privacy policy will assure me that it will never happen.

Mathew Ingram
writes a nice article on "Facebook’s No-Pseudonym Policy Is Short-Sighted", in which he quotes a NewYorker cartoon
In the early days of the Web, about 15 years ago, The New Yorker ran a now legendary cartoon in which two dogs are sitting in front of a computer, and one is saying to the other, “On the Internet, no one knows you’re a dog.”

Google's social networking site, Orkut has an interesting feature that tells you who viewed your profiles recently. Well, this is clearly a violation of trust that an user has, when he registers with Orkut. Now how do I ensure that people do not know that I checked their profiles.

Look at this Business Week article on "Looming Online Security Threats in 2008"
Web-based services, including social networks MySpace and Facebook, are becoming prime targets for hackers seeking your personal information

The Underground Digital Economy

The October 2007 issue of the ISSA journal has a very alarming article called as "The Underground Digital Economy" by Dean Turner.

The summary of the article is : Driven by the promise of big profits, cybercriminals have built the foundation of an underground digital economy.

Figures have been taken from the "Internet Security Threat Report" from Symantec.

Interesting revelation is:
A credit card from a US based bank will sell for USD 1 to USD6 while a full identity (US bank account information, CC data, date of birth, mother's maiden name and SSN, sell for USD 14-18

A question I have is - which phase of the WWW are we entering into? My thought resonates with the question I had put to Sir Tim Berners-Lee in person - "Does the current growing Internet Fraud menace keep him awake at night?". He basically had said "No".

IBM JDK Kerberos Login Module has a funny bug

Please refer to the discussion here to get some context:

As far as I know, login modules get a map of options. They are free to pick and choose the ones they want; not choke on the ones they do not like.

I have requested Marcus to pursue filing of a bug for the IBM JDK.

As far as I know, no such issues have been reported against the Kerberos module in the Sun JDK.

Friday, November 9, 2007

User Centric Identity

Should users control their online identity? It is a known fact that users like to use a pseudonym in the online social world (rather than identity themselves).

With the advent of Web 2.0, the paradigm has shifted towards the user. It is a push rather than a pull model as far as the web is concerned.

It is appropriate to say that the user has full rights over his identity. The 7 laws of Identity by Kim Cameron may be the first place to look for justification.

Here is a short write up on User Centric Identity that I found online:
Primer on User-centric Identity Access Management

Additionally, "Internet Scale Identity, Collaboration, and Higher Education"

Thursday, November 8, 2007

Second meeting with Kim Cameron

I was fortunate to hear a keynote speech by Kim Cameron, Identity Guru from Microsoft at the Computer Security Institute (CSI) 2007. I sat in the first row.

Why Cyberspace Needs Cardspace

He gave an excellent introduction to how the concept of CardSpace evolved, the utopian Passport initiative and the need for an Identity Metasystem.

At the end of the session, I went over to Kim. He did not recognize me right away but when I mentioned "JBoss", he remembered our first meeting at the Burton Catalyst Conference in June.

What do I like about Kim Cameron:
a) He is honest about what his intentions about an Identity Metasystem are.
b) He has a blog ( that runs on a Linux stack and WordPress (It was his way of reaching out to the OSS community).
c) He generated the 7 Laws of Identity which summarize the space of IDM and its needs accurately.

I do agree with Kim that we really really need an Identity Metasystem rather than the myriad of specifications/standards around it.

JBoss XACML v2.0.1-GA news

NOTE: JBossXACML v2.0.3.CR1 is here. <========

The release was done a few days ago. Not much changed from the Beta that was released earlier. We are still working on a Policy Management Console that makes it easier to perform Policy Construction and Management. I do not have any concrete dates for any console at the moment. So stay tuned.

I know that many of you are eager to try out XACML with JBoss and have all types of questions about whether we will implement a PEP, PDP and PAP at JBoss. PEP and PDP are important for JBoss AS v5.x. I have added support for XACML at the web and EJB layers in JBAS 5.0.x coming out in the future. PAP will happen at leisure.

I did give a presentation on OASIS SAML2 and XACML2 at the Computer Security Institute (CSI) Annual Conference in Washington, DC this week.
Robust Web-Based Security Using OASIS SAML and XACML

Wednesday, November 7, 2007

Tip 11: Refresh Security Roles within a Tomcat Session

This long outstanding JIRA issue has been on my mind for a long long time now. The blocking thing for this was always the performance aspect associated with the security roles refresh in the middle of the http session.

The JIRA issue is this:
Need a way to support refreshing security roles within a session

Well, no solution yet for the JBoss 4.2.x series (and for 3.2.x and 4.0.x series also).

But the simplest workaround is to do a full security check (authentication and authorization with each call). This was done anyway by default, except that the Jaas Security Cache in JBoss was pulling the subject out of the cache rather than go through the Jaas authentication process with each call.

Given this, there are 2 steps to perform for the workaround:
1) Disable Jaas Security Cache
- Go to conf/jboss-service.xml and set the "DefaultCacheTimeout" to zero.

<attribute name="DefaultCacheTimeout">0</attribute>

2) Disable Tomcat caching the principal as part of the session.
NOTE: This is a very important step. If you do not follow it correctly, you will see bad behavior and may lose hair.

Now you will need to figure out, what kind of auth method is used in your web application. How will you know? Look in the web.xml of your web application.

If it is BASIC as in,

<realm-name>JBoss JMX Console</realm-name>

then do the following, in your WEB-INF of your web application, create a context.xml with the following information(remember

cache="false" />

If it is FORM based login, as in

<realm-name>Tomcat Application</realm-name>

then do the following, in your WEB-INF of your web application, create a context.xml with the following information(remember,

cache="false" />

Similarly, if it is Client-cert, just replace FormAuthenticator with SSLAuthenticator.

Inform me if this does not work. I have done some basic testing with BASIC type of auth.

Motivation for the workaround:
For the web layer, the container security checks happen at the time of the user login. Once his auth and authorization checks are done, they are valid for the entire session. Now for custom requirements such as the roles being refreshed at arbitrary times during the session, there is no decent way of solving it other than
the aforementioned work around. The complexity does arise due to the way tomcat caches principal during the session.

Sunday, November 4, 2007

Congrats to Securent

Securent has been the leader in Enterprise Entitlements Management. They have tried to solve the access control/authorization maze to a large extent. Even though I am not familiar with their patented technology, I have met Sekhar and Anil T at the Burton XACML Interoperability in June 07.

I want to congratulate Rajiv, Sekhar and Anil on the acquisition by Cisco as publicized in Cisco News.

Gerry Gabel from Burton has written a nice piece about this here.


Death of PKI?

I hear stories about how PKI has not really taken off in the public domain even though it promised to solve a lot of issues with Internet Security.

Ever since Baltimore Technologies demise, PKI has really taken the backseat in terms of mindshare etc.
Baltimore's death spells gloom for PKI

I also read this humorous post by Gerry Gebel at the Burton Group.
When PKI meets the real world

I know that PKI has affected you or your enterprise in some form over your lifetime. What are your experiences with it?

Do you agree with the claim made that the "Death of PKI" has occurred?

Maybe I will ask Dr.Philip Hallam-Baker from Verisign next time I meet him .....

Interesting comment during the 3rd Annual PKI R&D Workshop.
As in other sessions, prominent themes of the discussion were that technology is a much smaller part of the problem than understanding the business needs of PKI implementers and selecting tools accordingly, and that when this is done, PKI can thrive. Bill Burr observed that the math in PKI is so cool that we try to bring everything up to its standard; instead we need to figure out how people can use PKI without understanding any of the esoteric details. Rich Guida noted that he sometimes feels like he and all the people who talk about the death of PKI dwell on "different planets;" in the pharmaceutical sector in particular, the use of PKI is "blossoming." Pawluk encouraged the group to get involved in the work of implementing the PKI Action Plan, and noted that the OASIS PKI Technical Committee that's driving it ( usually meets via telephone.

If you read the statement from Internet2 for the 5th Annual PKI R&D Workshop, it makes me wonder further:
The mathematics of public key cryptography is delightful, and critical to online security, but we still have much to learn about applying it in the real world in ways that are easy for humans to understand and use. Come join with experts from NIST, NIH, private industry and universities around the world for our fifth workshop on overcoming the challenges.

In my view, PKI is not dead. It is just that the original intent of the public having their own public key has not been realized.

Thursday, November 1, 2007

JBoss EAP will undergo CCE

Not sure if you have already seen the press release that went out. If not, take a look at my official blog entry:

Red Hat Expands Security Leadership by Seeking Common Criteria Certification for JBoss and MetaMatrix Solutions

Your excellency will be leading this effort.

Wednesday, October 31, 2007

Why is WS-Federation necessary when we have SAML v2.0?

This is a commonly asked question in the industry whenever there is any mention of "Federated Identity and related standards".

I have always been an avid supporter of the SAML specifications and was greatly thrilled to see Liberty, Shibboleth and SAML v1.1 find some common ground to beget SAML v2.0.

Now to the original question, who else to answer this than Don Schmidt, an highly respected expert in Federated Identity (Don is a key figure in Microsoft's Federated Identity story).

Here is the link to Don's blog entry:
WS-Federation 1.1 and SAML 2.0 have different goals

WS-Trust is an extremely important specification in the WS world. WS-Federation being the natural extension of trust semantics is an important necessity.

I do hope that all these federated Identity and trust related specifications can converge, in the near future. It is encouraging to see Kim Cameron preaching the concept of an "Identity MetaSystem" that will try to provide an unified view irrespective of the underlying protocols/mechanisms.

Friday, October 26, 2007

Tip10: Generate GUID or UUID

Stefan and I have been discussing the usage of java.util.UUID to generate a sso identifier similar to that done by tomcat's AuthenticatorBase. Since we wanted to avoid overlap with the random id generated by AuthBase, I suggested the usage of UUID.

So we decided to explore the level1 or time based UUID.

After sometime, Stefan gave up figuring out the way to instantiate level 1 UUID.

We found this mini-FAQ on UUID.

Java UUI Mini FAQ

Level 4 UUID should be sufficient.

An example of UUID usage is here >>>

Tip 9: Change SSL Implementation in JBoss/Tomcat

Sometime you may get some errors such as

java.lang.ClassNotFoundException: Error
loading SSL Implementation

:java.lang.ClassNotFoundException: No
ClassLoaders found for:

If you want to change the SSL implementation to the JBoss
SSL implementation (which is not really such a big difference),

then take a look at the
Tip 5

More specifically at:

<!-- SSL/TLS Connector with encrypted keystore password
configuration -->
<Connector port="9943"
scheme="https" secure="true"
sslProtocol = "TLS"

Friday, October 19, 2007

Tip 8: Securing JMX in JBossAS

Sometime ago, I wrote a technical white paper on "Securing JMX" basically to secure the JMX-Console, Web-Console and the invokers.

The JIRA issue for this is: White Paper on JMX Security

Now for the attachments:
Single HTML Page- Technical White Paper on Securing JMX

Monday, October 15, 2007

Instance Based Security

I am getting some requests to produce code to handle Instance Based Security for Non Application Server related code aka Business Code. The projects that are directly affected are JBoss Rules or Drools, jBPM, JBoss Portal and JBoss Seam.

The idea is to be able to CRUD level access for data driven applications.

In the past, OSAccess from Open Symphony has tried to address this space. Acegi Security for Spring has some support for Instance Based ACL.

Authorization concepts and solutions for J2EE applications is a nice technical article that talks about Role Based Access Control and Instance Based Access Control.

An ACL implementation will be simple and performant in comparison to an XACML based implementation which does have a learning curve attached.

Wednesday, October 10, 2007

Tip 7: SSO between Web Applications

If you need SSO between web applications deployed to the same HOST, then you can use the Apache Tomcat SingleSignOnValve. If you need to do SSO across a JBoss Cluster, then you will need the ClusteredSingleSignOnValve. Take a look at the following clustered single sign on white paper here.

More details are here: Single Sign On in JBoss

Additional reference:

Tip 6: Want Custom Principal Implementation

Occasionally, JBoss users would like to use their custom principal implementation in the web/ejb containers. To do this, follow:

Custom Principals in JBoss

You can verify by checking ejbContext.getCallerPrincipal().

Tuesday, October 9, 2007

eCrime: How do we deal with it?

I mentioned in my earlier blog post that APWG recently conducted a eCrime summit in Pittsburgh. So eCrime is a menace that affects all facets of our democratic societies.

Have a look at Dr.Philip Hallam-Baker's presentation from Google Tech Talks, January 2006. I know Dr.Hallam-Baker from various working groups at W3C and other standards groups. He is a Principal Scientist/Evangelist at Verisign.

Crime: The Real Internet Security Problem

Dr Hallam-Baker is a leading designer or Internet security protocols and has ... all » made substantial contributions to the HTTP Digest Authentication mechanism, XKMS, SAML and WS-Security. He is currently working on the DKIM email signing protocol, federated identity systems and completing his first book, The dotCrime Manifesto which sets out a comprehensive strategy for defeating Internet crime.

Dr Hallam-Baker has a degree in Electronic Engineering from Southampton University and a doctorate in Computer Science from the Nuclear Physics Laboratory at Oxford University.

ABSTRACT Internet Crime is a serious and growing problem. Phishing, Advance Fee and Consumer fraud continue to grow at alarming rates. Internet crime is a business that makes huge profits for some. But despite the fact that security has regularly polled as almost every type of Internet user's top priority over the past ten years, almost none of the security mechanisms developed in response are effectively controlling Internet crime.

How To Break Web Software - A look at security vulnerabilities in web software

From Google Tech Talk

Mike Andrews, Senior Consultant is the presenter.

Long presentation that mentions various statistics.

Browser Help Me. I want you to be Secure....

Wikipedia defines Phishing as:
In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging

Get the entire scoop here:

Some of the blame for the widespread proliferation of online scams and phishing rests with the victims. They fall prey easily and do not pay attention to security indicators in their user agents (aka browsers).

It is nice to know that organizations such as CABForum are actively working on making browsing secure, via the new concept of Extended Validation Certificates.
CAB Forum -

This is how it looks in Opera, as shown by Yngve Pettersen, Opera Security Czar.
EV in Opera

Recently, on the personal insistence of Yngve, I downloaded Opera. I was quite impressed by the security indicators displayed for sites with SSL enabled. It even read my Firefox bookmarks.

Yngve also has totally disabled SSLv2.0 from Opera 9.0 onwards
SSL v2 Disabled

The Anti-Phishing Working Group (APWG) recently held an eCrime summit in Pittsburg.

Why am I talking about all this? This is because I am one of the editors on an W3C Security Recommendation (in progress).
W3C Security Context

As the citizens of the online world, it is our responsibility to take precautions as well as force companies to be more secure in their offerings.

I have learned my lessons. I hope that you do not have to. :)

Take care when you get those emails or see lousy pop up windows on web sites.

If you are looking for free browser that is high on security, there is no other place than to look at Mozilla Firefox.

1) R. Dhamija et. al
2) Do Security Toolbars Actually Prevent Phishing Attacks?
3) Evaluation of EV and PIP attacks

Sunday, July 22, 2007

JBoss XACML v2.0.1-BETA released

NOTE: JBossXACML v2.0.3.CR1 <==========

Official Blog Entry is here:
JBoss Blog Notice

It gives me pleasure to inform the community about the release of JBoss XACML v2.0.1-BETA. The license is LGPL.

You can download it from

The Javadoc link is here:

The User Guide is here:
JBoss XACML User Guide

Why is XACML Important?
- Unlike Authentication, AccessControl/Authorization is a complex area where Role Based Access Control (RBAC) is inadequate in many enterprise situations. XACML is a specification that tries to mitigate this with complex policies that can be woven around a combination of subjects (users/user-agents etc), resources (on which the access control is desired) and Environment (IPAddress, Date, Time etc). You should be able to declaratively (via XML or construct policies) to say things like "Allow this portion of the web site to 18 year olds when the time is between 9am and 5pm", "You should update your own payroll information and can do it when you are employed and on Fridays only" etc.
- Enterprises have been doing this via ACLs and other proprietary mechanisms. Now they can use a standard way.

JDK 5 and later (Need JAXBv2)

Sun JAXB v2.0 and later ( I used v2.1.4).
You can use the one from here:

Sun XACML v2.0
Use the one from here:

JBoss v5.0 JavaEE Jar ( support. You can get this from JDK6 or any EE distibution).
JBoss JavaEE

Hal Lockhart, Bill Parducci, Anne Anderson (of the Oasis XACML TC for the specification), Rich Levinson, Dennis Pilipchuck (Oasis XACML Interoperability) and Seth Proctor (SunXACML Implementation)

We use the SunXACML implementation for the business logic, policy evaluation etc. It is an implementation detail. The users of JBossXACML will have to concern themselves with its interfaces and object model.

Please also refer to JBossXACML v2.0.1.GA release.

Saturday, June 30, 2007

Oasis XACML Interoperability Event at Burton Catalyst Conference

I am back after a trip to San Francisco to lead JBoss/Red Hat at the Oasis XACML Interoperability Event at the Burton Catalyst Conference. It was a tremendous successful culmination of almost 2 months of effort by 8 vendors (BEA, IBM, JBoss/Red Hat, Oracle, CA, Jericho Systems, SymLabs and Securent) to interoperate. The whole exercise was a great way to detect bugs/issues in the various products. The collaboration between the vendors was done with courtesy and zero-finger-pointing. There was never a feeling between us that we are competitors in many domains.

During the interop demo, users from various companies were pleasantly surprised that something like XACML standard existed to help solve their access control nightmares.

I got to meet Tony Nadalin from IBM again. Same goes with Hal Lockhart of BEA Systems. I wanted to meet Prateek Mishra from Oracle and I did. I also got to chat with Rich Levinson from Oracle, Sempo from Symlabs and Shekhar Sarrukkai from Securent. At the end of the event, I was fortunate to meet Gerry Gebel, VP, Identity and Privacy Strategies, Burton Group who was the individual who had sent me an invitation in March to check for participation.

Here is the official press release from Oasis.
Oasis XACML Interoperability Press Release

There will also be a Podcast beamed soon from Oasis which contains an interview of me (among others'). :)

UPDATE: Link for the podcast is: OASIS XACML Interop Event

If you need additional information, you can always contact me at ( anil DOT saldhana AT redhat DOT com).

I can vouch that this event raised a lot of eye brows in the industry because my blog post on xacml interop was perused consistently ever since it was published and it was a top hit on any google search, given that it was the only blog posting any details about the event. This basically demonstrates the interest in the community about xacml.

On my part, I will be releasing a beta version of JBoss XACML v2.0 (first beta and then the GA version) in the next 30 days. You will be able to use the lgpl licensed library in any Java Application. If you need a fancy GUI tool to go with it, I would invite you to contribute one. :) Why am I planning on a v2.0 straight away? The answer lies in the version of Oasis XACML Spec that it will support.

When Oasis XACML v3.0 comes out, then we can release JBoss XACML 3.0. ;)

Monday, June 25, 2007

Report on the W3C Workshop on E-Government and the Web

I was fortunate to make a presentation at the W3C Workshop on E-Government and the Web (June 18-19, 2007) to an audience that included Sir Tim Berners-Lee, technical representatives from Library of Congress, Other US Governmental Agencies, some UK Policy Makers (and technical representatives).

You can get hold of my paper as well as the slides there.

Three key points I stressed were:
a) Make E-Government Services secure for the Average Joe to use. It should be a collective effort from technologies, policies, processes and the people.
b) Let all the E-Government services be reachable from single point of contact (Portals) that may be favorite to various cross-sections of people. If I live in Chicago, the IL State Portal can be the window of entry to all E-Government services.
c) Use of Federated Identity standards that are being developed including OpenID (in the blogosphere), SAML and WS-Federation. This will enable identity to be transmitted across the various e-gov services.

José Manuel Alonso, W3C eGovernment Lead was telling me that at the previous eGovernment Workshop that was held in Spain, many of the government representatives had shared a concern that many of the European nations had issued National ID cards and brought out a lot of eServices, that were used sparingly. Hence he liked my paper which stressed on the need for a single point of entry via a portal. This will actually build some trust context.

The report for the Spain Workshop is available at:

Here is somebody talking about my presentation:

Initially prior to the Workshop, it was my desire to shake Sir.Tim's hands. But I got to sit beside him for 2-3 hours during the workshop (I hope some of the brilliance got transmitted to me - I can feel it). At the end of the first day of the workshop, I did discuss with Tim (he insisted on not calling him SIR. Tim), as to whether the current world of Phishing, online scams etc were not something he had envisioned when he invented WWW. I also asked him if security issues keep him awake at night. He said security is necessary (PGP, SSL etc) but he does not have sleepless nights. :)

Wednesday, June 13, 2007

Oasis XACML Interoperability at Burton getting close

It is probably 2 weeks left for the Oasis Interoperability Event at the Burton Catalyst Conference. I have already met Tony and Hal. I am hoping to meet Bill, Anne, Seth, Rich, Prateek, Anil (Securent), Dennis and others on the XACML TC.

Here is a summary I pulled for the interop exercise.
Abbreviations: PEP stands for Policy Enforcement Point and PDP stands for Policy Decision Point.

Here is a description of the interop: Two Use Cases each with potential multiple scenarios

Use Case: Authorization Decision

The Authorization Decision Interop will demonstrate that XACML 2.0 authorization decision requests generated by the */PEP/* of */Vendor A/* (*/PEP-A/*) are properly evaluated by the */PDP/* of */Vendor B /*(*/PDP-B/*), where Vendor A and Vendor B may be any of the vendors participating in the Interop.

Scenario 1: Authorization Decision: Customer Access
Customer from a web browser provides user name and password. After authentication, the PEP packages the customer username, customerId and an operation of "ViewAccount" in the context of the CustomerAccount web application in a xacml request and passes to a PDP for evaluation. The PDP can be from different vendors in the event.

Scenario 2: Authorization Decision: Customer Transaction
Customer tries to purchase 500 shates of XYZ stock. The PEP gathers information on the transaction (namely, operation of "Buy" and the number of shares "500") and creates a xacml request with other contextual information and passes it to a PDP for evaluation. The PDP can be from different vendors in the event.

Scenario 3: Authorization Decision: Account Manager Access
An account manager needs to approve a request. The PEP gathers information about the account manager and passes to a PDP to evaluate access to the account manager.

Scenario 4: Authorization Decision: Account Manager Approval
Account Manager needs to approve the stock purchase. The PEP gathers information about the Account Managers approval and then asks the PDP to evaluate whether the approval should go through.

Use Case: Policy Exchange
XACML Policies generated by one vendor are accessible and usable by the PDP of other vendors.

Friday, June 8, 2007

W3C Workshop on e-government and the Web

As a regular user of government services over the internet, I thought it was my duty to submit my thoughts to the workshop on e-government and the web hosted under the auspices of the W3C. The paper has been accepted and will be part of a discussion as highlighted here:

On 18th, there is a key note by Tim Berners-Lee. I am sure I will shake his hands. By inventing WWW, he has indirectly placed bread on my table as well as made this blog entry possible. :)

Fun will be when Tim attends my presentation. It will be on the next day, the 19th.

Wednesday, June 6, 2007

WS-Federation TC Kick-Off at Redmond,WA

I am at the Oasis WS-Federation TC kick-off meeting hosted by Microsoft at Redmond,WA, as the JBoss/RedHat representative.

Here is the link to introduction for WS-Federation

Understanding WS-Federation

Here is the link to the latest WS-Fed spec.
WS-Federation Specification

I was able to meet Federated Identity/Security experts and visionaries like Don Schmidt from Microsoft, Tony Nadalin from IBM, Dr.Arun Nanda from MS etc.

Actually it was a fun outing amidst serious business. Tony from IBM is really a fun person. ;)

Friday, June 1, 2007

Beauty of standards

As part of the XACML Interoperability preparations, I wrote client code that uses SAAJ 1.3 to build a soap message and send it across to any endpoint that supports scenario 1 of the interoperability process. I basically pass an endpoint url to this set of program code and I get a soap response from the end point, which when processed yield a xacml decision.

Basically, I was able to call the end-points of BEA,IBM, JBoss/RedHat,Oracle, Securent and Jericho Systems with the same piece of client code and the same SOAP request (which internally contains the XACMLAuthDecisionQuery Node) and get a PERMIT decision, irrespective of the implementation details of the XACML implementation at each of these endpoints.

I would like to salute standards that make interoperability a reality. The same salute goes to the faucet makers, who follow standards and who came to my rescue when the hand sprayer from the kitchen tap at my house snapped. All I had to do was, go to Home Depot and buy a generic one.

Friday, May 25, 2007

First roundtrip interoperability tested for XACML Interoperability

I am a voting member on the Oasis XACML Technical Committee representing JBoss/Red Hat. I am also leading Red Hat's participation at the XACML Interoperability event scheduled at the Burton Catalyst Conference at the end of June in San Francisco.

The last few days, the various vendors participating at the interop event have been discussing scenarios to test such that we maintain interest among the attendees as well as not make them so complex that the first ever interoperability event for XACML fails.

Given this, Jericho systems put their endpoint out for others to test. So the honor of being the first vendor ever to publicly place an endpoint for interoperability goes to Jericho systems.

I was able to test the public endpoint. So this makes me a participator in the first ever round trip interoperability exercise for XACML.

The SAML based XACML response received from Jericho endpoint has been framed for eternity here (an idea by Rich Levinson from Oracle Corp).
First SOAP Response

The honor of framing was mine and there goes my 2 minutes of fame. The rest of the fame will come when I put our endpoints out and other vendors are able to access.

Saturday, May 19, 2007

Sun OpenDS CheatSheet

Neil Wilson's cheat sheet to integrate OpenDS as a testing ldap engine in your java apps.

- Make sure that all of the OpenDS JAR files are in your application's

- When you're ready to start the server, you can do so as follows:

String configClass = "org.opends.server.extensions.ConfigFileHandler";
String configFile = "config/config.ldif";

DirectoryServer directoryServer = DirectoryServer.getInstance();
directoryServer.initializeConfiguration(configClass, configFile);

This will start the server inside the same JVM, and you should be able
to communicate with it using LDAP or using the internal operations API
that we have defined for plugins (via the classes in the
org.opends.server.protocols.internal package).

Saturday, May 12, 2007

New directions in JBoss Security

Well, JBoss Security is not just security specified by the Java EE specifications. With my active participation as the Red Hat representative on JSR-196 at the JCP and Oasis Technical Committees on SAML, XACML, PKI, EKMI and WS-Federation, I am always exploring new things that will make the users of JBoss security feel more secure and have confidence in adopting JBoss as the platform for secure computing.

Given this, I am always happy to interact with my users. You can always send me an email at anil (AT) saldhana (AT) redhat (dot) com. I may not answer immediately but will certainly get back to you, provided you are talking about some meaningful stuff. New features, new directions, new requirements will all be met with glee while RTFM type questions will be ignored.

I also represent on the Security Context Working Group at the W3C.

Have you noticed JBoss4.2.0.GA?

If you have not noticed Rajesh's email on the development mailing list, then you should look at the new JBoss 4.2.0.GA release to the community.

You can download it from:

The release notes:

For security, the following may be interesting:
[ JBAS-1824 ] JACC: * in web.xml should allow configurable authorization bypass
[ JBAS-2895 ] Extend SecureIdentityLoginModule to externalize the secret
[ JBAS-3400 ] JaasSecurityManagerService can show security provider/JCA algorithm information
[ JBAS-1537 ] When Tomcat error handler is invoked, JBossGenericPrincipal is returned instead of custom principal
[ JBAS-4158 ] JACC:WebUserDataPermission creation for unchecked policy should consider excluded constraints
[ JBAS-4149 ] Update Jacc Authorization to consider deployment level roles

There are other security related stuff in the release.

If you have an opportunity, just use it.

Friday, May 4, 2007

ApacheCon Europe 2007 Presentation

Today I finished a very successful presentation at the ApacheCon Europe 2007 in Amsterdam. The presentation is titled 'Understanding Apache Tomcat Security'. It basically is a presentation on writing custom valves/authenticators and realms.

The presentation is available at:
Understanding Apache Tomcat Security

Saturday, April 28, 2007

SSO using Kerberos/AD

I guess way too many apps rely on SSO using Kerberos on Windows with AD.

Here is a link for my future reference:
How to single sign-on with windowsXP,JNDI and AD just like and ADSI

Thursday, April 26, 2007

Tip 5: Encrypt the Keystore password in Tomcat server.xml

If you are using JBoss, then you can encrypt the keystore password as described here:

Wednesday, April 25, 2007

Internet Security

How secure is the Internet now?

The following quote by Charlie Kaufman sums it all:
Until a few years ago, you could connect to the Internet and be in contact with hundreds of millions of other nodes, without giving even a thought to security. The Internet in the ’90’s was like sex in the ’60’s. It was great while it lasted, but it was inherently unhealthy and was destined to end badly. I’m just really glad I didn’t miss out again this time. —Charlie Kaufman

I have picked up the quote from the presentation by Radia Perlman of Sun located at:

Another important aspect of Internet Security is where does the responsibility of security lie for web usage.
* Should the users be blamed for falling prey to Phishing attempts?
* Should the browsers be blamed for not being smart enough to detect suspicious web sites?

Here is a workshop at the W3C where there are some position papers that talk about these aspects:
W3C Workshop on Transparency and Usability of Web Authentication

Tuesday, April 24, 2007

TIP4: Ciphers for SSLv2 and SSLv3

If you want a list of ciphers that pertain to either sslv2 or sslv3, you can use openssl as follows:

$>openssl ciphers -v -ssl3

AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

$>openssl ciphers -v -ssl2
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Thursday, April 19, 2007

Tip 3: Token based Perimeter Authentication

If you are faced with the challenge of integrating a third party security system with JBoss, then the following wiki may be useful to you:
Generic HeaderAuthenticator

In theory, an external system will do the authentication and then pass the authorization request back to JBoss/Tomcat. A token will be usually passed through the request headers.

Tip 2: Configure security domain for web/ejb

If you have a need to configure security domains for web applications (in jboss-web.xml) and ejb applications (jboss.xml), it may be easier for you to package them together into a single EAR and provide a jboss-app.xml at the application.xml level and specify the security domain there. This way, you do not need to configure the security domain in jboss-web.xml or jboss.xml

Tip 1: If security does not work in JBoss Application Server

Do not panic. Most probably you have made a mistake in configuration. Read the FAQ here:
JBoss Security FAQ

Note Q.4 which shows you how to debug the security layer.

Monday, April 9, 2007

SAML and XACML are ITU-T Recommendations

This may be old news. SAML (X.1141) and XACML (X.1142) are recommendations of the ITU-T.

Friday, April 6, 2007

XACML Obligations

I have been mulling over the concept of Obligations in the XACML specification. Basically the PDP can send authorization results back to the PEP with a list of obligations that the PEP has to fulfill as part of the authorization request. If the PEP is unable to fulfill an obligation, then it should throw an error.

I thought that when a legitimate authorization request comes to a PEP, which asks the PDP and gets a "PERMIT" with some obligations. If the PEP is unable to perform any obligation, then it flags an error and denies the access. I was WRONG. Anne Anderson from Sun corrected me on this. She basically told me that there is a semantic relationship between the PEP and PAP who decide on the semantics of obligations. So the PEP does a best-effort at an obligation. If it is not able to perform an obligation, it does not mean the access is denied.

Let us think about situations where a PEP may refuse to perform any of the obligations. Let us take the example of logging. Security and Peformance always do not go together well. In a high performant system, fine-grained authorization checks may be an overkill. The administrators may have turned off logging at the PEP level. In this case, the PEP cannot meet an obligation that asks for logging.

Thursday, March 29, 2007

WS-* Specs and Project Higgins

ws-* specifications have generated a lot of buzz in the industry. So has the SAML community. There is lots of convergence between the camps. Then there is CardSpace from Microsoft that relies heavily on a number of ws-* specifications.

A notable project that I am keeping my eyes on is the Project Higgins project that provides some mechanism to do things in a pluggable and a generic way.
Project Higgins
Another link for higgins is:What's the scoop?

By the way, a nice post from Jason Greene about signing/encryption stuff with ws-security implementation in JBoss Web Services here:
ws-security keystores and trust stores

Here is an interesting group of people working on the Identity Meta System called as "Identity Gang".
Identity Gang

Monday, March 19, 2007

Demos Links Please

There are multiple players in the Identity Space - CardSpace, SAML, Liberty, OpenID etc.

It will be good to list all the demos/presentations here for the uninitiated.

Open ID Presentation by Simon Willison