Tuesday, August 30, 2011

Deploy Java Applications In The Cloud

A couple of years ago I played with Google App Engine. I liked the ease of deployment via Eclipse and the fact that I could code in Java and deploy a web app. Then it hit me: all the restrictions and the JVM API blacklist were tiring. You had to modify your libraries or applications to fit the GAE restrictions.

Another potential solution is Heroku. It is popular, but Adam's latest post announcing Java support is filled with hatred for Java EE. I am unsure how they are going to provide support for transactions, security etc. (without custom coding), as that is provided by Java EE. Rich Sharples does a good job of dissecting the post.

Coming back to my topic of deploying Java applications in the cloud, I have been quite excited to try out Red Hat's PaaS offering, OpenShift. A user can now deploy Java EE 6 applications in the cloud, and OpenShift will only get better over time. The dream of running your Java EE applications in the cloud is a reality. Hopefully Java developers will embrace OpenShift: they get access to a JBoss AS7 instance to host their apps. Now that's progress in the cloud.

Thank you OpenShift.

Reference:

How to videos for OpenShift.

Monday, August 29, 2011

JBoss AS 7 is Lightning and is now SAML enabled

If you have been impressed with JBoss Application Server v7.0, aka "Lightning", then I have good news for you: you can now enable SAML-based SSO for your web applications using PicketLink.

A cheatsheet: JBoss Application Server v7.0 and SAML SSO.

The one stop cheatsheet page for various versions of JBoss AS is here.

Please do not hesitate to ask questions at the PicketLink user forum.

When SSL Certificate is the culprit

You may have heard practitioners preach SSL as a mitigation for man-in-the-middle (MITM) attacks. For more information on MITM, read here.

SSL Certificates are issued by a Certificate Authority (CA). There are a large number of CAs around the world and most of the prominent browsers trust a set of CAs by default.

The latest news, that a hacker got SSL certificates issued in Google's name by a Dutch CA, is very alarming.

If the browser trusts a particular CA and that CA has issued a fraudulent certificate, then it is very difficult for the browser to detect the fraud unless it checks revocation via OCSP or that CA is removed from its trust store.

Update from Mozilla Firefox:
http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

Mitigation in Mozilla Firefox:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Mozilla will be releasing an update to Firefox to further protect you
from this. Until the update is released you can manually delete this
certificate with these steps:

At the top of the Firefox window, click on the Edit menu and select Preferences.

Click on the Advanced panel
Select the Encryption tab
Click View Certificates
In the Certificate Manager window, select the Authorities tab
Scroll down to DigiNotar and select the DigiNotar Root CA
Click Delete or Distrust...
Click OK to confirm the deletion


Apparently the DigiNotar certificate shows up in Internet Explorer too.
Here is the Microsoft Advisory.

Google Chrome is covered by its security features.

A Google spokesman provided CNET with this statement: "A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker's site. We're pleased that the security measures in Chrome protected the user and brought this attack to the public's attention. While we investigate, we plan to block any sites whose certificates were signed by DigiNotar."

(Thanks to CNET)

If your favorite bank's website has a URL starting with https, demand Extended Validation (EV) certificates. CAs go through extended audits before issuing EV certs, and the browser's address bar displays a green bar for them.


References:

Diginotar and Hackers

Thursday, August 25, 2011

HTML5 Security Vulnerabilities by ENISA

ENISA (European Network and Information Security Agency) has released an analysis report on the vulnerabilities that exist in the draft of HTML5. The full report is available at http://www.enisa.europa.eu/act/application-security/web-security/a-security-analysis-of-next-generation-web-standards/at_download/fullReport

You can read the press release at Web security: EU cyber-security Agency ENISA flags security fixes for new web standards/HTML5

If you just want the summary of the report, then look at pages 2 and 3.

Dr. Giles Hogben has been very impressive over the years with his research on social media, cloud computing and now web standards.

Monday, August 15, 2011

JavaEE enabled PAAS and Security

I am sure you have seen all the news reports on the Java EE 6 enabled cloud platform called OpenShift. I am also pleased to share that Scott Stark and I are presenting a session at JavaOne 2011 with the following details:

Session ID: 26120
Session Title: Experiences with Java EE-Enabled PaaS
Venue / Room: Hilton San Francisco - Imperial Ballroom B
Date and Time: 10/5/11, 16:30 - 17:30
Track Enterprise Service Architectures and the Cloud
Optional Track: Java EE Web Profile and Platform Technologies

The session will delve into our experiences with Java EE 6 in the cloud: what we learned and what we missed in providing EE 6 support on the OpenShift platform. At the end, we will talk about the various strategies we are employing to provide identity management support to OpenShift users.

I am quite surprised that I did not see any other session at J1 that brought EE and PaaS together with real-world experiences, given the growing significance of cloud computing.

Thursday, August 11, 2011

PicketLink v2.0.0.final Released

It gives us immense pleasure to announce the release of PicketLink v2.0.0.final from the JBoss Community. This is an important step forward for the JBoss ecosystem.

Details can be found here.

As always, a cheat sheet for JBoss Application Server is at.