Monday, December 12, 2011

Java Identity JSR: A positive step

The latest JSR on Java Identity is a very positive step in fostering security in Java applications. Since the JSR targets Java SE (as well as Java EE), it will have a very beneficial impact on Java applications running within the VM. You do not require a Java EE application server to avail yourself of the Identity services. A presentation on the JSR, given by the spec lead, Ron Monzillo, is available at

A complaint I often hear from Java developers is the lack of consistent, standard APIs/annotations that they can use for securing their applications. JSR 351 aims to provide the necessary API as well as annotations. This should have happened long ago, but at least now there is a positive attempt in that direction. I fervently hope that all the framework developers pay attention to this JSR (and do not fall prey to the NIH syndrome). With the proliferation of Identity standards and the lack of coherence among them, it has become very hard for application writers to grasp the concepts of security. They usually take the easy way out (a simple password-based system). I wish the JSR committee all the success. I am planning to be on the committee. You are welcome to participate. The proposed reference implementation is going to be under the Apache 2.0 license, and the TCK will be free of charge. [Slide 10]

Friday, October 14, 2011

JavaOne11 Experiences :: JBoss AS7/PicketLink/SAML/OpenShift

I had the privilege of attending Java One in San Francisco this month. I had two talks this year.

1) Venue: JBoss Booth. Title: Trusted Security with PicketBox and PicketLink
2) Venue: Regular Session. Title: Experiences with Java EE PaaS

In my view, this was a great conference for me. I had the opportunity to showcase SAML-based SSO on web applications running on top of JBoss AS7 in Red Hat's OpenShift PaaS environment.

I also showcased Facebook/Google login to web apps running on JBoss AS7 deployed in the OpenShift environment.

As part of my sessions, I created the following cheatsheet.

You should definitely give OpenShift a try. :)

Tribute to Steve Jobs:

Scott Stark and I had just finished making our presentation at Java One. I got an alert from Associated Press on my iPhone: "According to Apple, Steve Jobs has died". It was a shock to me. I showed the alert to Scott who was in the middle of answering offline questions from attendees and he was shocked too. Around 5:40pm. :(

Tuesday, August 30, 2011

Deploy Java Applications In The Cloud

A couple of years ago, I had played with Google App Engine. I liked the ease of deployment via Eclipse and the fact that I could code in Java and deploy a web app. Then it hit me. All the restrictions and the JVM API blacklist were tiring. You had to modify your libraries or applications to tailor them to GAE restrictions.

Another potential solution is Heroku. It is popular. But the latest post from Adam announcing Java support is filled with hatred for Java EE. I am unsure how they are going to provide support for Transactions, Security etc (without custom coding) as that is provided by Java EE. Rich Sharples does a good job at dissecting the post.

Coming back to my topic of deploying Java applications in the cloud, I have been quite excited to try out Red Hat's PaaS offering, OpenShift. A user can now deploy Java EE 6 applications in the cloud. OpenShift will only get better over time. The dream of running your Java EE applications in the cloud is a reality. Hopefully Java developers will embrace OpenShift. They get access to a JBoss AS7 instance to host their apps. Now that's progress in the cloud.

Thank you OpenShift.


How to videos for OpenShift.

Monday, August 29, 2011

JBoss AS 7 is Lightning and is now SAML enabled

If you have been impressed with JBoss Application Server v7.0 aka "Lightning", then I have good news for you. You can now enable SAML-based SSO for your web applications using PicketLink.

A cheatsheet: JBoss Application Server v7.0 and SAML SSO.

The one stop cheatsheet page for various versions of JBoss AS is here.

Please do not hesitate to ask questions at the PicketLink user forum.

When SSL Certificate is the culprit

You may have heard of practitioners preaching SSL to mitigate man-in-the-middle attacks. For more information on MITM, read here.

SSL Certificates are issued by a Certificate Authority (CA). There are a large number of CAs around the world and most of the prominent browsers trust a set of CAs by default.

The latest news about a hacker getting SSL certificates issued under the Google name from a Dutch CA is very alarming.

If the browser trusts a particular CA and that CA has issued a fraudulent certificate, then it is very difficult for the browser to detect the fraud unless it checks revocation status via OCSP or removes that CA from its trust store.
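The same two remedies apply to any TLS client, not only browsers. The following Java program is an added example (not code from the original post): it copies the JRE's default trust store while dropping any root whose subject matches a given name, and then builds an SSLContext that performs revocation checking (OCSP first, CRL fallback) on every chain. The cacerts location and its default password "changeit", and the use of "DigiNotar" as the name to filter on, are assumptions for the example.

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose trust store excludes a named root CA and whose
 * chain validation requires a revocation check (OCSP, falling back to CRLs).
 */
public class DistrustingTrustStore {

    /** Loads the JRE default trust store (assumed path and password). */
    public static KeyStore loadDefaultTrustStore() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Copies every trusted certificate except those whose subject DN contains distrustedName. */
    public static KeyStore withoutRoot(KeyStore source, String distrustedName) throws Exception {
        KeyStore filtered = KeyStore.getInstance(KeyStore.getDefaultType());
        filtered.load(null, null); // fresh, empty in-memory store
        for (String alias : Collections.list(source.aliases())) {
            if (!source.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = source.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                String subject = ((X509Certificate) cert).getSubjectX500Principal().getName();
                if (subject.contains(distrustedName)) {
                    continue; // drop the distrusted root; chains anchored at it will no longer validate
                }
            }
            filtered.setCertificateEntry(alias, cert);
        }
        return filtered;
    }

    /** Wires the filtered store into a PKIX trust manager with a mandatory revocation checker. */
    public static SSLContext buildContext(KeyStore trustStore) throws Exception {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpb.getRevocationChecker();
        // No options: OCSP is tried first with CRL fallback, and SOFT_FAIL is not set,
        // so an unreachable responder fails validation instead of silently passing.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertPathChecker(checker);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore defaults = loadDefaultTrustStore();
        KeyStore filtered = withoutRoot(defaults, "DigiNotar"); // name to distrust is an assumption
        System.out.println("trusted entries before: " + defaults.size() + ", after: " + filtered.size());
        SSLContext ctx = buildContext(filtered);
        // ctx.getSocketFactory() can now be passed to HttpsURLConnection.setSSLSocketFactory(...)
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Filtering by subject name is deliberately coarse; a production build would pin the exact root by its fingerprint. The revocation checker is the important part for the OCSP point above: the default PKIX trust manager does not check revocation at all unless it is asked to.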

Update from Mozilla Firefox:

Mitigation in Mozilla Firefox:

Mozilla will be releasing an update to Firefox to further protect you
from this. Until the update is released you can manually delete this
certificate with these steps:

1. At the top of the Firefox window, click on the Edit menu and select Preferences.
2. Click on the Advanced panel
3. Select the Encryption tab
4. Click View Certificates
5. In the Certificate Manager window, select the Authorities tab
6. Scroll down to DigiNotar and select the DigiNotar Root CA
7. Click Delete or Distrust...
8. Click OK to confirm the deletion

Apparently the DigiNotar certificate shows up in Internet Explorer too.
Here is the Microsoft advisory.

Google Chrome is covered by its security features.

A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

(Thanks to CNET)

If your favorite bank has a website with the URL starting with https, try to demand Extended Validation Certificates. CAs go through extended audits before issuing EV Certs and the address bar displays a green bar in the browser.


Diginotar and Hackers

Thursday, August 25, 2011

HTML5 Security Vulnerabilities by ENISA

ENISA (European Network and Information Security Agency) has released an analysis report on the vulnerabilities that exist in the draft of HTML5. The full report is available at

You can read the press release at Web security: EU cyber-security Agency ENISA flags security fixes for new web standards/HTML5

If you just want the summary of the report, then look at pages 2 and 3.

Dr. Giles Hogben has been very impressive over the years with his research on Social Media, Cloud Computing and now Web Standards.

Monday, August 15, 2011

JavaEE enabled PAAS and Security

I am sure you have seen all the news reports on the JavaEE6 Enabled Cloud Platform called OpenShift. I am also pleased to share that Scott Stark and I are presenting a session at Java One 2011 with the following details:

Session ID: 26120
Session Title: Experiences with Java EE-Enabled PaaS
Venue / Room: Hilton San Francisco - Imperial Ballroom B
Date and Time: 10/5/11, 16:30 - 17:30
Track Enterprise Service Architectures and the Cloud
Optional Track: Java EE Web Profile and Platform Technologies

The session will delve into our experiences with Java EE6 in the Cloud: what we learned and what we missed in providing EE6 support in the OpenShift platform. At the end, we will talk about the various strategies we are employing to provide Identity Management support to OpenShift users.

I am quite surprised that I did not see any other session at J1 that broached EE and PaaS together with experiences, given the growing significance of Cloud Computing.

Thursday, August 11, 2011

PicketLink Released

It gives us immense pleasure in announcing the release of PicketLink from JBoss Community. This is an important step forward for the JBoss ecosystem.

Details can be found here.

As always, a cheat sheet for JBoss Application Server is at.

Friday, July 15, 2011

Java Keystore Tips

1. What are the two common types of Keystore?
The common ones are JKS (the default) and JCEKS (when you want to store symmetric keys).

2. Common error: "Given final block not properly padded"

Cause: The Keystore password and the KeyPair password are not the same.
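The following program is an added example (not from the original post) that makes both tips concrete: it creates a JCEKS keystore (the type that can hold a symmetric key) in memory, protects the key entry with a password that differs from the store password, and then shows that recovering the entry with the store password fails with an UnrecoverableKeyException, the exception under which the padding error above surfaces. The alias "app-aes" and both passwords are constructed values for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Demonstrates the store-password versus key-password distinction in a JCEKS keystore. */
public class KeystorePasswordDemo {

    /** Creates a JCEKS store holding one AES key; store and key get different passwords. */
    public static byte[] buildStore(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS"); // JKS cannot hold symmetric keys
        ks.load(null, null);                         // initialise an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();
        ks.setEntry("app-aes", new KeyStore.SecretKeyEntry(aesKey),
                    new KeyStore.PasswordProtection(keyPass)); // key entry protected by keyPass
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);                    // whole store protected by storePass
        return out.toByteArray();
    }

    /** Returns "ok" when the key can be recovered, otherwise the exception that was raised. */
    public static String tryRecover(byte[] stored, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(stored), storePass); // store password opens the file
        try {
            Key k = ks.getKey("app-aes", keyPass);             // key password unseals the entry
            return k != null ? "ok" : "missing";
        } catch (UnrecoverableKeyException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "store-secret".toCharArray(); // constructed sample password
        char[] keyPass = "key-secret".toCharArray();     // constructed sample password
        byte[] stored = buildStore(storePass, keyPass);
        System.out.println("with key password:   " + tryRecover(stored, storePass, keyPass));
        // The common mistake: assuming the key entry uses the store password.
        System.out.println("with store password: " + tryRecover(stored, storePass, storePass));
    }
}
```

The exact message text varies between JDK versions and keystore types, so application code should catch UnrecoverableKeyException rather than match on the padding wording.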

Tuesday, July 12, 2011

JBoss Application Server v7 is a lightning strike

An excellent blog post by Rich Sharples on a new lightning strike called JBoss AS7 in the Java EE space. Please read it at Lightning Strikes !

Get JBoss AS7 from

Friday, July 8, 2011

PicketLink and SAML v1.1 Support

Even though SAML v1.1 has been deprecated in favor of SAML v2.0, there may be installations at users' ends that require support for SAML v1.1.

For this reason, PicketLink v2 now has SAMLv1.1 support.
It is documented here:

This article should form the dashboard for PicketLink-SAMLv1.1 support.

Note that both the PicketLink Identity Provider and the Security Token Server (STS) support both SAML v2 and v1.1.

As always, pick the latest PicketLink v2 build from

Facebook over SSL only

If you use Facebook for your social networking needs, then do not forget to perform the following steps to ensure FB is accessed over https/ssl only.

1. Go to: Account -> Account Settings -> Account Security
2. Click "Change"
3. Check the "Browse Facebook on a secure connection (https) whenever possible" box under the "Secure Browsing (https)" section.
4. Click "Save"

Friday, April 1, 2011

PicketBox XACML v2.0.6.Final Released

I am pleased to announce the community release of PicketBox XACML v2.0.6.Final.

More details are available at:

What is new?
1. Core RBAC Profile of XACML v2.0
2. Reading policies by just specifying the directory location in the config file.
3. Bug fixes.


Monday, March 21, 2011

Does OAuth need more legs?

OAuth is currently being worked out at the IETF. One of the concepts that is prevalent right now in OAuth is the concept of "legs". I am glad that I am not the only one who thinks that "legs" is a bad choice for describing the number of parties involved in an exchange.

Refer to

Basically, a "leg" involves one party.

So, "two legged oauth" involves two parties. As an example, if two endpoints (without user intervention) agree on an exchange, then it is two legged. If the endpoints are trusted, from the same entity or within a corporate firewall, then 2-legged oauth makes sense.

Now, if we bring the "user" into the mix, then we add a "leg". That is, we have a 3-legged oauth. A user approves another service such as a twitter client (leg) to get/set/operate his account in a 3rd service such as twitter (leg).

In my view, "party" is the right choice as it is very intuitive to have "2 party oauth", "3 party oauth".

I definitely want to hear your opinion or any corrections in my understanding of OAuth.

Friday, March 18, 2011

Book Review: OpenAM by Indira Thangaswamy

Title: OpenAM
Author: Indira Thangaswamy
Publisher: Packt Publishing (January 25, 2011)
ISBN-10: 1849510229
ISBN-13: 978-1849510226

Link on Amazon:

My Rating: Buy

General Comments
Books on security projects are quite rare. It is also quite difficult to fully document the breadth of possibilities with Open Source Software. Toward this, I commend Indira’s efforts at writing a book on an open source product, OpenAM. Over the years, I have seen Indira answer user questions on the openam/opensso user forums. So he does know a lot about it. Writing books is not a joke. In the preface, Indira just hints at the pain he took in writing the book. Books take away quality family time. Kudos to Indira.

Detailed Review
Indira has done a fine job with the book. He has clearly divided the content into 3 areas. The first area, which occupies the first few chapters, is completely devoted to what OpenAM is, what problems it solves and where to get it. Then the next few chapters, which occupy the bulk of the book, are devoted to HOW YOU do things with OpenAM. Finally, he closes the book with Troubleshooting and Diagnostics.

The first chapter begins quite well with a description of why Identity and Access Management (IAM) is required in the industry. The short example of the FBI breach in early 2001 highlights the need for proper entitlement management. After an introduction to the benefits of IAM, Indira moves on to the history of OpenAM, starting from its roots at Sun Microsystems in 2000. This is good for obtaining a historical perspective on OpenAM. The OpenSSO architecture diagram is valuable to users who want to grasp the elements of the software packaged in OpenAM.
The section on “what kind of problems does OpenSSO solve?” describes at a high level the features OpenSSO provides: Access Management, Federation, Securing Web Services and Entitlements. I particularly liked the table at the end of this section that gives a graphical description.

In the second chapter, Indira talks about configuring opensso on Tomcat. He also shows how to configure OpenSSO using the console.

The third chapter is all about administration. We see snapshots of the console as well as some CLI interactions to configure. I think the section on customizing the console with user schema needs some additional work (with examples of course).

I liked the fourth chapter that describes the various types of authentication as well as session services. The authentication types (Module, Level, Service etc) have been sufficiently described. If the reader is interested further, hopefully he can get additional information from the project guides.

Chapter 7 was decent, with integration with salesforce and google apps. This chapter basically empowers the user to use SAAS-based apps with OpenAM as the IDP. The console snapshots should be sufficient for the reader to get it to work. Since I did not try it out, I am not 100% sure whether this chapter needs additional work.

Suggestions for improvement
* Indira shows how to configure things with the console as well as the command line interface. You should try to add warning boxes in the book stating which settings need the CLI.
* I am not sure if the reader is able to obtain the ldap schema for various ldap servers. Or the openam console does it for you automatically. Please clarify in the book.
* In the administration of OpenAM, things can go wrong. There is very little information on what things need to be watched out for while administering the product. Showing console snapshots or CLI is not sufficient to administer. Please describe what the CLI parameters are.

Disclaimer: I am not endorsing the product OpenAM. All I am doing is reviewing a book on an open source project. I need to play around with OpenAM/OpenSSO such that Project PicketLink is interoperable with it.

Monday, February 21, 2011

JBoss users upgrade to Oracle/Sun JVM JDK 1.6 Update 24

This is a general alert for all Java applications. Hence it affects the JBoss ecosystem users also.

Oracle has released update 24 of the JDK 1.6 to resolve the Security vulnerability as outlined in

So, please upgrade to Oracle JVM 1.6u24 asap.

As always, please refer to the community notification page at JBoss.

Wednesday, February 9, 2011

JBoss users upgrade to Oracle/Sun JVM JDK 1.6 Update 23 and apply FP Updater Tool

A serious vulnerability in the JVM was identified via a CVE and has been handled by Oracle/Sun. Please see the following article for more details:

This is an issue that affects all Java applications that may be performing Double-String operations.

In summary, JBoss AS users should try to upgrade to JDK 1.6 Update 23 and use the Floating Point Updater Tool from here.

JDK/JRE6 Update 24 (forthcoming) will fix the issue. Until then please run the updater tool.

Reference Page for JBoss AS Security Vulnerabilities:

Additional information is available from Oracle Blog Post.


Tuesday, February 1, 2011

Usage:JBoss XACML

Project PicketBox from JBoss has an XACML engine that can be used in a Java environment.

Assuming that your configuration file is available, something like the following should work for you (the import package names are taken from the PicketBox XACML project; MY_CONFIG_FILE and MY_XACML_REQUEST_FILE are placeholders for your own resource names):

import java.io.InputStream;
import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

//Get hold of an InputStream to the config file and build the PDP from it
ClassLoader tcl = Thread.currentThread().getContextClassLoader();
InputStream is = tcl.getResourceAsStream( MY_CONFIG_FILE );
PolicyDecisionPoint pdp = new JBossPDP(is);

//Form your RequestContext by some means, e.g. by reading a XACML request document
RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
//Read the xacml request from its own input stream (not the config stream used above)
InputStream requestStream = tcl.getResourceAsStream( MY_XACML_REQUEST_FILE );
requestContext.readRequest( requestStream );
//Alternatively, parse a xacml request already available as a DOM node:
//requestContext.readRequest( node );

//Evaluate the request against the loaded policies
ResponseContext response = pdp.evaluate(requestContext);
int decision = response.getDecision();
//Decision is one of the XACMLConstants.DECISION_* values, e.g. XACMLConstants.DECISION_DENY

If you need to look at code examples:

Thursday, January 6, 2011

Get JBoss AS6 right away

If you are a user of JBoss AS 5.1, then you should upgrade to the latest JBoss AS6, which was released recently. Apart from the regular bug fixes, you also get the Java EE 6 certified Web Profile...

More information is in Rich Sharples's blog post. JBoss AS 6 Released !

Happy EE coding!

If you need more info on EE6 development, do sign up for Pete Muir's Jan 19th webinar.

Also additional info is given by Dimitris.


Response: JBoss AS6 vs Glassfish 3.x

Arun Gupta now works for Red Hat Inc. He is now an advocate for WildFly Application Server and JBoss Developer. This discussion is now of little significance. We converted Arun into a follower. ;)

* Sorry, this post is not anywhere related to security and identity mgmt. :)
* Arun Gupta (Oracle) is a great guy.  I am just giving a personal view as response to his blog post.
* Please use the latest version of JBoss AS ie. AS 7

Response To: Which Java EE 6 App Server ? - JBoss 6.0 or GlassFish 3.x

My Credentials:

There are Java source files written by me in JBoss Application Server since JBoss 3.x which means I have a right to give my personal opinion. In a nutshell, there are features that are part and parcel of JBoss AS users, that have been created by me.

General Response:

While Arun gives a fair assessment of Glassfish 3.x against the newly released JBoss AS 6.0, he makes some incorrect or subjective statements/assumptions.  Let us get to them right away.

I would like to state that I appreciate all that Arun has done for the evangelization of Java, EE, WS, Open Source etc over the years. He is the zone leader on Java DZone. He has been good to the technical community in general and I request him to continue doing that.

Problem Statement 1 from Arun:

The articles like "New JBoss puts Java EE 6 to Work" by PC World and others with similar heading are misleading when they say "one of the first enterprise-grade application servers to fully support Java EE 6". How can an App Server be enterprise-grade and yet not offer commercial support and minimal documentation ? And also Java EE 6 is already put to work in multiple GlassFish deployments so not sure what it means "puts to work".

Apache HTTP server (from the Apache Software Foundation) has over 60% usage among web servers in the world. Does that mean it is not enterprise grade because there is no commercial support from ASF?

Many commercial companies provide support for httpd via their products or direct support. But overall, the community just relies on the trust they place in the apache httpd developers and do not buy any commercial support.

JBoss AS including v6.0 has basically relied on technology that has been developed over the years, starting, let's say, with JBoss AS 3.2.x. Most of the older features remain the same. Hence there is no real need to create new documentation for these features in JBoss AS 6.0. With each new major release of JBoss AS, we add some simplification or new features that get documented, but overall we try (I am saying, we try) to maintain backward compatibility with the features that the JBoss AS community has loved, adopted and used over the years.

There are many companies that offer commercial support for the community version of JBoss AS (just google them). I am bringing this up with direct reference to the Apache httpd analogy above.  If you are a serious user (who wants commercial support), just adopt the JBoss EAP just like you adopt RHEL.

Problem Statement 2 from Arun:

Clustering support in Glassfish coming in 3.1


Arun, I am not sure how long you have actually looked at the enterprise market (ok, Java EE enterprise market).  We at JBoss have been dealing with the enterprise market almost since the beginning of the new millennium.

From a Java EE Application Server perspective, no enterprise adoption will happen unless there is robust clustering support provided. JBoss AS has built-in, robust/kick-ass clustering capabilities that are simple enough for beginners. Just look for the awesome videos of Bela Ban presenting the latest and greatest in JBoss clustering.

So, my statement is "Glassfish 3.x is not enterprise ready until they have clustering".  He He!!!

(Update:  From comments, I have learned that GF has had clustering but not in 3.x)

Does GF have JTS (Transaction Services)? Just checking.

General Discussion:

The key parameter for adoption of any large product/project such as JBoss AS, Apache httpd etc is the long term sustainability of the project. JBoss AS has been the flagship work of JBoss Inc and since the acquisition in 2006, has been an integral part of Red Hat Inc. Given Red Hat's commitment to Linux community via Fedora, I am confident that the JBoss AS community will continue to be strong.

The startup time of JBoss AS has been quoted as a deterrent in adoption in the media. We are working on that with each iteration. Look for JBoss AS7 in 2011 with great new features and startup.(Arun, you should definitely run the benchmark on non-mac VM.  I think the mac vm is a shade slower than the win/linux vm).

Important Note:  JBoss AS6 is certified for Java EE 6 Web Profile only.  But the AS contains the full feature set.  We have not certified the features outside the web profile. Most of these non-certified features have existed in JBoss AS for years and baked by the JBoss community to give them robust status. Also these features may have had certification under EE4 or 5. 


Given that Oracle has won the 2010 Open Source Enemies Prize, I would be extremely apprehensive of adopting Glassfish if I were a user. (The other reference is to the current Hudson Project mess.)

I wish Arun and all the readers of this blog post (including Oracle employees) a very Happy New Year 2011.

Java EE 6 has been a great step forward and I think the availability of multiple OSS AS such as JBoss AS6 and Glassfish is a good thing for the community. Kudos to the JCP (and EE members) for the continued support of this paradigm.