Anil's Security & Identity Management Blog. This blog is a personal book on Security/IDM related thoughts/opinions.
The blog posts are a personal opinion only and neither reflect the views of current/past employers nor any OTHER person living/dead on this planet.
Post (2015-10-30): Can Big Data solve our Security Challenges?<div dir="ltr" style="text-align: left;" trbidi="on">
On a daily basis, you hear about some company getting hacked or losing customer records.<br />
<br />
This pattern has become so routine that the shock factor has gone away.<br />
<br />
The world has come to the acceptance that we cannot be secure. There will be hacks and customer records will be compromised.<br />
<br />
Is that the right thing?<br />
<br />
Should we have a callous attitude toward these recurring news stories?<br />
<br />
<ul style="text-align: left;">
<li>Do companies have a moral responsibility to keep their customer records safe?</li>
<li>Do governments have an obligation to keep personal details of its employees and citizens safe?</li>
</ul>
<div>
There can be many such questions, and the answers depend on the perspective and the person answering.</div>
<div>
<br /></div>
<div>
You have probably heard about the Ashley Madison saga by now.<br />
If you need a refresher or the latest, Google is the best source.</div>
<div>
<a href="http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/">http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/</a></div>
<div>
<br /></div>
<div>
In recent times there has been a lot of focus on using data to make networks and systems safer. You may have seen presentations on these topics.<br />
<br />
There can be Context Driven Authentication, Context Driven Authorization and Context Driven Audit in play. All these are critical for a secure system in operation.</div>
<div>
<br /></div>
<div>
But without the proper infrastructure and processing in place, it will be hard to deal with the plethora of data.</div>
<div>
<ul style="text-align: left;">
<li>Will Hadoop help? Isn't that more batch oriented?</li>
<li>If the MapReduce framework is suited to batch processing, will the newer Apache Spark help with real-time processing of security data?</li>
<li>Do we need Lambda Architecture to tie in Near Real Time and Batch processing?</li>
<li>How about machine learning? (<a href="http://www.technologyreview.com/news/542971/antivirus-that-mimics-the-brain-could-catch-more-malware/">http://www.technologyreview.com/news/542971/antivirus-that-mimics-the-brain-could-catch-more-malware/</a>)</li>
</ul>
<div>
These questions may pop into mind when you think of using Big Data to solve security problems.<br />
<br />
If contextual data is collected for security decision making, you will need petabyte-scale storage and processing, and the processing has to be near real time (NRT).</div>
<div>
<br /></div>
<div>
It is encouraging to know that Apache Spark is petabyte-tested at Netflix. </div>
<div>
<a href="http://blog.hampisoftware.com/index.php/2015/10/03/is-apache-spark-ready-for-petabyte-scale/">http://blog.hampisoftware.com/index.php/2015/10/03/is-apache-spark-ready-for-petabyte-scale/</a></div>
<div>
<br /></div>
</div>
<div>
Maybe Spark processing with HDFS elastic storage is the way forward.<br />
<br />
What are your thoughts? </div>
<div>
<br /></div>
<div>
Can Big Data and Security Intelligence solve our challenges with customer data compromise?</div>
</div>
Post (2014-04-09): JBoss Community Projects (including WildFly AS): OpenSSL HeartBleed Vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
I want to take this post to summarize that "<i>JBoss community projects including WildFly Application Server are <b>not</b> directly affected by the OpenSSL HeartBleed Vulnerability</i>".<br />
<br />
<br />
<h2 style="text-align: left;">
JBossWeb APR</h2>
JBossWeb APR functionality requires OpenSSL 0.9.7 or 0.9.8, neither of which is affected by this vulnerability.<br />
<a href="https://docs.jboss.org/jbossweb/2.1.x/apr.html">https://docs.jboss.org/jbossweb/2.1.x/apr.html</a><br />
<br />
<br />
I have consulted the Red Hat Security Response Team before posting this note. We continue to monitor the situation.<br />
Feel free to report any anomalies using <a href="http://www.jboss.org/security">http://www.jboss.org/security</a><br />
<br />
We do recommend taking the appropriate precautions.<br />
<br />
Please use the links in the <i>references section</i> for gauging <b><i>indirect</i></b> exposure to the HeartBleed vulnerability.<br />
<br />
Indirect exposure may be possible:<br />
<ul style="text-align: left;">
<li>Maybe you have a web server in front of JBoss/WildFly Application Server that may be affected.</li>
<li>Maybe your operating system on which the JBoss community projects are running may be affected.</li>
<li>Maybe you have OpenSSL v1.0.1 used by your application infrastructure. </li>
</ul>
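To help with the third bullet (which OpenSSL build your infrastructure runs), here is an added Python triage helper; it is not from the original post or from the JBoss project. It parses the output of <code>openssl version</code> and flags the range the advisory names as vulnerable (1.0.1 through 1.0.1f and the 1.0.2-beta1 prerelease), with the caveat, reflected in its return values, that distributions backport the fix without changing the upstream version string, so a match only means the package changelog or vendor errata must be checked.

```python
"""Triage an `openssl version` string for HeartBleed (CVE-2014-0160) exposure.

Added example, not part of the original post. Affected upstream builds are
1.0.1 through 1.0.1f (fixed in 1.0.1g) and the 1.0.2-beta1 prerelease;
0.9.7, 0.9.8 and 1.0.0 never shipped the TLS heartbeat code. Distributions
such as Red Hat backport the fix while keeping the upstream version string,
so the best this check can say is "possibly-affected": confirm against the
package changelog or the vendor errata before concluding anything.
"""
import re
from typing import Optional, Tuple

# "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", ...
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Return (major, minor, fix, letter, prerelease) from `openssl version` output."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, fix, letter, pre = match.groups()
    return int(major), int(minor), int(fix), letter, pre or ""


def heartbleed_status(version_text: str) -> str:
    """Classify as 'possibly-affected', 'not-affected' or 'unknown'."""
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        return "unknown"  # not OpenSSL, or unparseable output
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f carry the bug; 1.0.1g is the fix.
        # A backported distro fix (e.g. 1.0.1e-16.el6_5.7) still reads 1.0.1e,
        # which is why this is only "possibly".
        if letter == "" or letter <= "f":
            return "possibly-affected"
        return "not-affected"
    if (major, minor, fix) == (1, 0, 2) and pre == "beta1":
        return "possibly-affected"
    # 0.9.x, 1.0.0, 1.0.2-beta2 and later do not contain the vulnerable code.
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample strings, in the shape `openssl version` prints them.
    for sample in (
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ):
        print(f"{sample!r}: {heartbleed_status(sample)}")
```

Run it against the real output of <code>openssl version</code> on each host that fronts or runs the JBoss projects; a "possibly-affected" result is the cue to check the errata linked below.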
<br />
<br />
<h2 style="text-align: left;">
References</h2>
Please refer to the following articles for more information:<br />
<br />
Official OpenSSL Advisory: <a href="https://www.openssl.org/news/secadv_20140407.txt">https://www.openssl.org/news/secadv_20140407.txt</a><br />
HeartBleed Information: <a href="http://www.heartbleed.com/">http://www.heartbleed.com</a><br />
<br />
Red Hat Official Announcement: <a href="https://access.redhat.com/site/announcements/781953" target="_blank">https://access.redhat.com/site/announcements/781953</a><br />
<br />
CVE: <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160</a><br />
<br />
Amazon Web Services Advisory: <a href="https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/">https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/</a><br />
<br />
<br />
<br />
<h2 style="text-align: left;">
Official Linux Distribution Pages</h2>
<a href="https://rhn.redhat.com/errata/RHSA-2014-0376.html">https://rhn.redhat.com/errata/RHSA-2014-0376.html</a><br />
<a href="http://www.ubuntu.com/usn/usn-2165-1/" target="_blank">http://www.ubuntu.com/usn/usn-2165-1/</a><br />
<br /></div>
Post (2013-11-21): SAML vs OAuth: Which one to use?<div dir="ltr" style="text-align: left;" trbidi="on">
Please follow my DZone article on this important topic: http://architects.dzone.com/articles/saml-versus-oauth-which-one</div>
Post (2013-06-17): PicketBox XACML v2.0.9.Final Released<br />
PicketBox XACML v2.0.9.Final has been released.<br />
<br />
You can download it from <a href="http://www.jboss.org/picketbox/downloads">http://www.jboss.org/picketbox/downloads</a><br />
<br />
Information available at <a href="https://community.jboss.org/wiki/PicketBoxXACMLJBossXACML">https://community.jboss.org/wiki/PicketBoxXACMLJBossXACML</a><br />
<br />
This is mostly a bug fix release, except that the locking used during PDP evaluation has been made configurable.<br />
<br />
Release Notes - PicketBox - Version picketbox_xacml_2.0.9.Final
<br />
<h2>
Bug
</h2>
<ul>
<li>[<a href="https://issues.jboss.org/browse/SECURITY-738">SECURITY-738</a>] - XACML DatabaseResourceAttributeLocator fails when used with Oracle 11g Driver
</li>
<li>[<a href="https://issues.jboss.org/browse/SECURITY-742">SECURITY-742</a>] - JBossPDP.evaluate() lock should be flexible
</li>
</ul>
<h2>
Enhancement
</h2>
<ul>
<li>[<a href="https://issues.jboss.org/browse/SECURITY-734">SECURITY-734</a>] - Slow policy evaluation with a large number of policy sets
</li>
</ul>
<h2>
Release
</h2>
<ul>
<li>[<a href="https://issues.jboss.org/browse/SECURITY-743">SECURITY-743</a>] - Release PicketBox XACML 2.0.9.Final
</li>
</ul>
Post (2013-05-17): Authorization (Access Control) Best Practices<div dir="ltr" style="text-align: left;" trbidi="on">
After the recent wrestling match in the blogosphere that included vendors and analysts on XACML, I want to provide some best practices for access control/authorization.<br />
<br />
The wrestling match is covered in my earlier <a href="http://anil-identity.blogspot.com/2013/05/is-xacml-really-dead-should-we-all-go.html" target="_blank">post</a>.<br />
<br />
Let me insert my favorite punch line before I mention the best practices.<br />
<br />
<span style="background-color: white;"><span style="color: #e06666; font-size: large;"><i>Authentication is finite while Authorization is infinite.</i></span></span><br />
<br />
<br />
Best practices for access control:<br />
<br />
<h2>
1. Know that you will need access control/authorization.</h2>
<div>
Too often, architects spend the majority of their system security design time on authentication and federated identity, leaving little time for authorization. Compared to authentication, authorization can get very complex over time. </div>
<div>
<br /></div>
<h2 style="text-align: left;">
2. Externalize the access control policy processing</h2>
<div>
You are headed toward disaster if your access control processing is embedded in your application, because access control requirements are never complete during the first phase of application development. Authorization rules or requirements change over the application lifecycle as business needs or the environment change. If the access control processing is not decoupled from the application, you will face hardship: band-aid after band-aid will be applied to the application code to meet the changing, ever-growing authorization requirements.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
3. Understand the difference between coarse grained and fine grained authorization</h2>
<div>
<br /></div>
<div>
Google/Bing will help you understand the difference; Wikipedia will definitely help you here. Application designers tend to create a model of authorization (for simplicity) during initial design. Almost always, this is a simple coarse grained authorization model. The challenge is that the real world authorization needs of your application are not set in stone. They are an ever changing phenomenon that will pull your model in all directions.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
4. Design for coarse grained authorization but keep the design flexible for fine grained authorization</h2>
<div>
<br /></div>
<div>
This goes in line with item 2, where the access control policy has to be separated or decoupled from your application. If your initial access control system or library is designed for coarse grained authorization, the low coupling makes it easier to incorporate fine grained authorization logic over time.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
5. Know the difference between Access Control Lists and Access Control standards</h2>
<div>
<br /></div>
<div>
Access Control Lists (ACLs) are pretty popular among system designers. The challenge is that they are proprietary and not usable across applications or domains. You may earn your bonus or accolades using ACLs in your application, but over time they tend to become restrictive due to changing requirements.</div>
<div>
<br /></div>
<div>
There are two prominent access control standards, which I list here:</div>
<div>
a) IETF OAuth2: this is a REST style Internet Scale lightweight resource authorization framework.</div>
<div>
b) OASIS XACML: standard for fine grained authorization. Has an access control architecture namely PEP (Policy Enforcement Point), PDP (Policy Decision Point), PIP (Policy Information Point) and PAP (Policy Administration Point).</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://community.jboss.org/servlet/JiveServlet/downloadImage/102-10840-35-2514/310-183/XACML.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="236" src="https://community.jboss.org/servlet/JiveServlet/downloadImage/102-10840-35-2514/310-183/XACML.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig: Typical XACML Fine Grained Access Control Architecture</td></tr>
</tbody></table>
<div>
<br /></div>
<h2 style="text-align: left;">
6. Adopt Rule Based Access Control: view Access Control as Rules and Attributes</h2>
<div>
<br /></div>
<div>
Access Control should be viewed as rules on various entities (and their attributes) involved in the authorization check.</div>
<div>
<br /></div>
<div>
I am not forcing you to use XACML. But I would certainly encourage you to design your access control system in terms of rules and attributes. Have a look at my article on <a href="https://community.jboss.org/wiki/FineGrainedAccessControlStrategies" target="_blank">Access Control Strategies</a>. It is critical that you design your access control system as rules and attributes.</div>
<div>
<br /></div>
<div>
<i>Hey, a Drools-based access control system is certainly not bad as long as you decouple the access control system. It is a trade-off between proprietary rigid ACLs and flexible fine grained XACML. You can manage your Drools rules via Guvnor.</i></div>
<div>
<br />
<h2 style="text-align: left;">
7. Adopt REST Style Architecture when your situation demands scale and thus REST authorization standards </h2>
<br />
With the growing demand for web based services and APIs and the proliferation of mobile devices in the world, it has become essential to incorporate REST style architecture into your system design.<br />
<br />
It is essential for you to use the OAuth2 standard for REST authorization. While OAuth2 takes care of defining the tokens and some rules for authorization (scope of authorization and actor/resource), it may still be essential for system architects to incorporate fine grained authorization. Certainly have a look at the REST Profile of XACML v3. There is also a JSON binding available.<br />
<br />
<h2 style="text-align: left;">
8. Understand the difference between Enforcement versus Entitlement model</h2>
<br />
Prominent access control strategies and standards involve the Enforcement model: the access control system is trying to enforce access to a resource, which leads to a Yes/No type question. The enforcement model does not scale in a cloud or a resource constrained environment.<br />
<br />
In the Entitlement model, the access control system does not perform enforcement or access checks. Rather, it answers questions such as "What permissions does this user have?". The requester then uses the returned answer to perform local enforcement.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-qZ2-TrRXVhQ/UZXGd81fk8I/AAAAAAAAFw8/3okM-vMyAMI/s1600/EnforcementEntitlement.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="392" src="http://2.bp.blogspot.com/-qZ2-TrRXVhQ/UZXGd81fk8I/AAAAAAAAFw8/3okM-vMyAMI/s400/EnforcementEntitlement.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Cloud Enforcement vs Entitlement Model</td></tr>
</tbody></table>
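As an added illustration of items 6 and 8 (my own example here, not PicketBox code and not XACML syntax), the Python below is a small policy decision point whose rules are data over subject, resource, action and environment attributes, kept outside the application as item 2 recommends. The same rule set is evaluated two ways: <code>decide</code> answers the enforcement-model Yes/No question, and <code>entitlements</code> answers "what may this subject do?" so that the caller can enforce locally; the attribute names, rules and sample users are constructed for the example.

```python
"""Rule-and-attribute access control, evaluated as enforcement and as entitlement.

Added example, not PicketBox code and not XACML syntax. Policies are plain data
(rules over subject, resource, action and environment attributes) that live
outside the application. `decide` is the enforcement model (a Yes/No answer
per request); `entitlements` is the entitlement model (the set of things a
subject may do, for local enforcement by a cloud edge or a constrained client).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
# A rule predicate sees (subject, resource, action, environment).
Predicate = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    matches: Predicate


@dataclass
class PolicyDecisionPoint:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, subject: Attrs, resource: Attrs, action: str, env: Attrs) -> str:
        """Enforcement model: deny-overrides combining (any matching Deny wins)."""
        applicable = [r for r in self.rules if r.matches(subject, resource, action, env)]
        if not applicable:
            return "NotApplicable"  # no rule spoke; the PEP should treat this as not permitted
        if any(r.effect == "Deny" for r in applicable):
            return "Deny"
        return "Permit"

    def entitlements(self, subject: Attrs, resources: List[Attrs],
                     actions: List[str], env: Attrs) -> List[Tuple[str, str]]:
        """Entitlement model: every (resource id, action) the subject is permitted."""
        return [
            (res["id"], act)
            for res in resources
            for act in actions
            if self.decide(subject, res, act, env) == "Permit"
        ]


# Constructed policy set. Changing authorization requirements means editing this
# list, not the application code that calls the PDP.
RULES = [
    Rule("owner-full-access", "Permit",
         lambda s, r, a, e: r.get("owner") == s.get("user")),
    Rule("department-read", "Permit",
         lambda s, r, a, e: a == "read" and r.get("department") == s.get("department")),
    Rule("managers-approve", "Permit",
         lambda s, r, a, e: a == "approve" and "manager" in s.get("roles", [])),
    Rule("no-export-offsite", "Deny",
         lambda s, r, a, e: a == "export" and not e.get("on_corporate_network", False)),
    Rule("confidential-needs-clearance", "Deny",
         lambda s, r, a, e: r.get("classification") == "confidential"
         and s.get("clearance") != "confidential"),
]

PDP = PolicyDecisionPoint(RULES)

# Constructed sample subjects, resources and environments.
ALICE = {"user": "alice", "department": "finance", "roles": ["manager"], "clearance": "confidential"}
BOB = {"user": "bob", "department": "finance", "roles": [], "clearance": "internal"}
DOCS = [
    {"id": "budget-2013", "owner": "alice", "department": "finance", "classification": "internal"},
    {"id": "merger-memo", "owner": "carol", "department": "finance", "classification": "confidential"},
]
ACTIONS = ["read", "approve", "export"]
OFFSITE = {"on_corporate_network": False}
ONSITE = {"on_corporate_network": True}


def demo() -> Dict[str, object]:
    """Evaluate the sample data both ways and return the results."""
    return {
        "bob_reads_budget": PDP.decide(BOB, DOCS[0], "read", ONSITE),
        "bob_reads_memo": PDP.decide(BOB, DOCS[1], "read", ONSITE),
        "alice_exports_offsite": PDP.decide(ALICE, DOCS[0], "export", OFFSITE),
        "alice_entitlements_onsite": PDP.entitlements(ALICE, DOCS, ACTIONS, ONSITE),
        "bob_entitlements_onsite": PDP.entitlements(BOB, DOCS, ACTIONS, ONSITE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```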
<br />
<br /></div>
<h2 style="text-align: left;">
References</h2>
<div>
<a href="https://community.jboss.org/wiki/PicketBoxXACMLJBossXACML" target="_blank">PicketBox XACML</a>: Open Source free implementation of OASIS XACML v2.<br />
<br />
<a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cloudauthz" target="_blank">OASIS Cloud Authorization TC</a><br />
<br />
<br />
<iframe frameborder="0" height="400" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/21561115" width="476"></iframe><br />
<br />
Please do not forget to view the presentation above. :)<br />
<br />
<br /></div>
</div>
Post (2013-05-08): Is XACML really dead? Should we all go OAUTH?<div dir="ltr" style="text-align: left;" trbidi="on">
Andras Cser from Forrester has a blog entry titled "<a href="http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead" target="_blank">XACML is dead</a>". That is a catchy title for the blog post. :)<br />
<br />
As a participant in the creation of OASIS XACML v3 specification (<a href="http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html">http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html</a>) and having dabbled with an open source XACML implementation (<a href="https://community.jboss.org/wiki/PicketBoxXACMLJBossXACML" target="_blank">PicketBox XACML</a>), I would like to put forward some of my thoughts on this topic.<br />
<br />
Let me move forward with some general questions and my answers. One of those questions will be about XACML. After that, I am going to provide some feedback on Andras's blog entry.<br />
<br />
<b>Question</b> : Is XML dead? <br />
<b>Answer</b>: Probably not. Enterprise Integration still relies heavily on XML.<br />
<br />
<br />
<b>Question</b>: Is REST architecture the vogue?<br />
<b>Answer</b>: For new applications and new workflows, REST architecture is heavily favored. To some extent, this is due to the growing importance of Cloud Technologies and APIs.<br />
<br />
<br />
<br />
<b>Question</b>: Is JSON the best format for applications?<br />
<b>Answer</b>: It depends on where the applications are.<br />
<br />
For web applications and REST applications, JSON is certainly the better format compared to XML. But the challenge lies in securing JSON. JSON Token Format, Signature and Encryption are still work in progress at the IETF. <a href="http://bill.burkecentral.com/" target="_blank">Bill Burke </a>has done some excellent work with REST security at the RESTEasy project.<br />
<br />
For enterprise applications, XML is still the norm in backend integration and configuration.<br />
<br />
<br />
<br />
<b>Question</b>: Is there one security standard that I can use?<br />
<b>Answer</b>: Wishful thinking.<br />
<br />
You can pick the best one from the following: SAML, OAuth, XACML, PKI, SSL/TLS, XML Signature/Encryption, RSA, AES and a million others. <br />
<br />
The answer is it depends on the problem you are solving and which standard applies to the problem domain.<br />
<br />
<br />
<br />
<b>Question</b>: Are there standards for access control?<br />
<b>Answer</b>: There are two standards as far as I know.<br />
<br />
a) OASIS XACML: Language for defining access control policies. It also defines architectural elements such as PDP, PEP, PAP etc. for the access control infrastructure.<br />
<br />
b) IETF OAuth2: Authorization of resources at Internet Scale.<br />
<br />
<br />
<b>Question</b>: Are SAML and XACML dead?<br />
<b>Answer</b>: It depends on who you ask.<br />
<br />
Customers and large enterprises who have built their identity management infrastructure on SAML and XACML will say that they are not dead.<br />
<br />
Going by the latest buzz around cloud/mobile services, you will think OAuth is the panacea to all security problems.<br />
<br />
<blockquote class="tr_bq">
<i>SAML and XACML are standards that are pretty mainstream in enterprises and large infrastructure. They are doing their work. </i></blockquote>
<br />
<br />
<b>Question</b>: Am I excited about OAuth?<br />
<b>Answer</b>: Definitely.<br />
<br />
<blockquote class="tr_bq">
<i>Given that the world is going mobile heavy, OAuth is an important step in the direction of secure mobility. The future is in Cloud and APIs. Securing the APIs is what OAuth is aiming toward.</i></blockquote>
<br />
<br />
Now, for the best part, let me talk about what I think about Andras's specific points.<br />
<br />
<i>Andras: Lack of broad adoption.</i><br />
This is a security standard. Security standards do not get a lot of press like standards from other verticals. XACML vendors are plenty and many customers are using XACML for their infrastructure. I certainly would like to see some additional adoption. But it is a work in progress.<br />
<br />
<i>Andras: Inability to serve the federated, extended enterprise</i><br />
There is nothing in the XACML standard to prohibit this. It depends on the practitioners and architects.<br />
<br />
<i>Andras: PDP does a lot of complex things that it does not inform the PEP about.</i><br />
The PDP is supposed to perform the access control policy number crunching to give an answer back to the PEP's enforcement question. The answer certainly can carry obligations/advice.<br />
<br />
I would like to bring your attention to the new TC at OASIS called the <a href="https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cloudauthz" target="_blank">OASIS Cloud Authorization TC</a>, which I am co-chairing, where we want to do a better job of defining the entitlement model compared to the classic enforcement model (in which XACML/OAuth operate). Please refer to my use case submission called <a href="https://lists.oasis-open.org/archives/cloudauthz/201303/msg00000.html" target="_blank">Context Driven Entitlements</a>.<br />
<br />
I do agree that the PEP needs more information than what it gets via the classic enforcement model.<br />
<br />
<i>Andras: Not suitable for cloud and distributed deployment.</i><br />
I do not think this is true at all.<br />
<br />
<i>Andras: Commercial support is non-existent.</i><br />
It depends on who you are talking to. There are pure XACML vendors such as Axiomatics. JBoss Middleware does have support for XACML. At the XACML interoperability events in the past, I have seen vendors such as Oracle, IBM and CA.<br />
<br />
<i>Andras: Refactoring and rebuilding existing in-house applications is not an option</i><br />
Then those applications are doomed to fail when the requirements for access control change. I presume those applications are like a "house of cards".<br />
<br />
<i>Andras: OAuth supports the mobile application endpoint in a lightweight manner.</i><br />
There is nothing in the XACML standard that says it cannot support lightweight workflows. Even though OAuth is more suited for mobile workflows, it should not be an issue to have an XACML policy engine integrated for finer access control. OAuth is geared toward lightweight authorization of resources under particular scopes. At internet scale, it works well. But it falls short when greater granularity of access control is needed.<br />
<blockquote class="tr_bq">
<i>Remember OAuth does not have the granularity of XACML in terms of rules (Subject, Action, Environment, Attributes). XACML is an extremely fine grained policy language framework.</i></blockquote>
<br />
<h2>
References</h2>
Gerry Gebel on XACML: <a href="http://analyzingidentity.com/2013/05/08/xacml-alive-and-well/" target="_blank">http://analyzingidentity.com/2013/05/08/xacml-alive-and-well/ </a><br />
<br />
Ray Sinnema on XACML: <a href="http://securesoftwaredev.com/2013/05/08/is-xacml-dead/">http://securesoftwaredev.com/2013/05/08/is-xacml-dead/</a><br />
<br />
Danny Thorpe on XACML: <a href="http://dannythorpe.com/2013/05/08/xacml-is-dead-long-live-xacml/">http://dannythorpe.com/2013/05/08/xacml-is-dead-long-live-xacml/</a><br />
<br />
<br />
<br />
<br /></div>
Post (2013-02-01): JAX-RS and HTTPOnly flag in Cookies<h3>
JAX-RS in Java</h3>
<br />
<a href="http://en.wikipedia.org/wiki/Java_API_for_RESTful_Web_Services" target="_blank">JAX-RS</a> is an important technology/standard/specification in the JavaEE family. Version 1.1 is included in Java EE 6. JAX-RS enables Java applications to become REST enabled.<br />
<br />
Currently JAX-RS v2.0 specification work is under development in the JCP.<br />
<br />
<h3>
HttpOnly Flag</h3>
<br />
The <a href="https://www.owasp.org/index.php/HttpOnly" target="_blank">HttpOnly</a> flag on cookies sent from the server has an important effect on the client side (browser based applications): JavaScript in the page cannot access cookies marked with the HttpOnly flag.<br />
<br />
This is a non-standard flag with respect to the cookie standard, but all the major browser implementations support it. So it is important for all Java server runtimes and frameworks that deal with cookies to support HttpOnly.<br />
<br />
Java EE 6 supports HttpOnly via the Servlet 3 specification, as well as via the cookie-config element in web.xml.<br />
<br />
JAX-RS 2.0 has been updated to incorporate the HttpOnly flag in the NewCookie class (<a href="http://lists.jboss.org/pipermail/security-dev/2013-February/000783.html">http://lists.jboss.org/pipermail/security-dev/2013-February/000783.html</a>). Thanks to Bill Burke, who created a JIRA issue against the spec: <a href="http://java.net/projects/jax-rs-spec/lists/issues/archive/2013-02/message/0">http://java.net/projects/jax-rs-spec/lists/issues/archive/2013-02/message/0</a><br />
<br />
<h3>
HttpOnly in JAX-RS</h3>
<br />
For JAX-RS 1.1 (included in Java EE 6), you will need to do something like the following:<br />
<br />
<pre>// JAX-RS 1.1's NewCookie has no HttpOnly setting, so the flag is appended to the serialized cookie by hand
NewCookie cookie = new NewCookie(...);
Response response = Response.ok().header("Set-Cookie", cookie.toString() + ";HttpOnly").build();</pre>
<br />
Example: <a href="https://github.com/picketlink/picketlink-extensions/blob/master/core/src/main/java/org/picketlink/extensions/core/rest/interceptors/PostSignInCookieInterceptor.java">https://github.com/picketlink/picketlink-extensions/blob/master/core/src/main/java/org/picketlink/extensions/core/rest/interceptors/PostSignInCookieInterceptor.java</a><br />
<br />
The RESTEasy project provides <i>ServerResponse</i>, which extends the JAX-RS Response class and is very important for pre- and post-processing interceptors.<br />
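As an added check (mine, not from the original post or the PicketLink/RESTEasy projects), the Python script below audits the Set-Cookie headers of a captured HTTP response and reports which cookies lack HttpOnly and so remain readable by page JavaScript. The sample response is constructed; its first cookie is shaped like the output of the JAX-RS 1.1 workaround above, and attribute names are matched case-insensitively because browsers treat them that way.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example, not part of the original post. Given the raw header block of
an HTTP response, it reports per cookie whether HttpOnly and Secure are set,
and lists the cookies that page JavaScript could read because HttpOnly is
missing. Attribute names are compared case-insensitively, as browsers do.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name/value pair and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a stray trailing ';'
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_response_headers(raw_headers: str) -> List[Dict[str, object]]:
    """Return one finding per Set-Cookie header found in a raw HTTP header block."""
    findings = []
    for line in raw_headers.splitlines():
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        attrs = cookie["attrs"]
        findings.append({
            "name": cookie["name"],
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        })
    return findings


def cookies_readable_by_script(raw_headers: str) -> List[str]:
    """Names of cookies that page JavaScript could read (HttpOnly missing)."""
    return [f["name"] for f in audit_response_headers(raw_headers) if not f["httponly"]]


# Constructed sample response. The first cookie is shaped like what the JAX-RS 1.1
# workaround in the post emits (NewCookie.toString() + ";HttpOnly"); the second
# cookie was set without the flag.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: JSESSIONID=abc123;Version=1;Path=/app;Secure;HttpOnly\r\n"
    "Set-Cookie: prefs=dark;Version=1;Path=/app\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(finding)
    print("readable by script:", cookies_readable_by_script(SAMPLE_HEADERS))
```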
<br />
<h3>
References</h3>
<ol>
<li><a href="http://www.jboss.org/resteasy" target="_blank">RESTEasy </a></li>
<li><a href="http://java.net/projects/jsr311/lists/users/archive/2008-07/message/130" target="_blank">JAX-RS discussion on HttpOnly</a></li>
<li><a href="http://lists.jboss.org/pipermail/security-dev/2013-January/000776.html" target="_blank">PicketLink discussion on RESTEasy/HttpOnly</a></li>
</ol>
<br />
Post (2012-08-08): GMail can be key to your digital life<div dir="ltr" style="text-align: left;" trbidi="on">
Matt Honan (Wired) has this heart-wrenching story of his digital life being erased. The door to this tragedy was his Gmail account.<br />
<a href="http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/">http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/</a><br />
<br />
You have heard this story from many channels (twitter, facebook, email forwards etc). So I won't repeat it.<br />
<br />
But I do recommend enabling two factor authentication on your gmail account. It is an additional inconvenience that is necessary to safeguard your gmail account and potentially your intertwined digital life.<br />
<br />
If you have a smartphone such as iphone or android, do not forget to review the section on Google Authenticator.<br />
<br />
<br />
Perform the following steps:<br />
1) Log into your gmail account.<br />
2) Go to settings via<br />
<a href="https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744&topic=1056283&rd=1" target="_blank">https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744&topic=1056283&rd=1 </a><br />
3) Now start the two step process by giving a phone number (such as mobile).<br />
4) Get the code via sms or voice. Activate your account.<br />
5) Two step authentication is enabled for your gmail account. You may want to set "trust the computer" you are using.<br />
<br />
Now for each additional device such as iphone or android or ipad you use to get email, you can generate application specific passwords.<br />
<a href="https://accounts.google.com/IssuedAuthSubTokens#accesscodes">https://accounts.google.com/IssuedAuthSubTokens#accesscodes</a><br />
<br />
This is a one-time setup for each device. Ideally, you should change these passwords quarterly.<br />
<br />
<h3>
Google Authenticator (Smartphone Users)</h3>
Instead of using a call from Google each time you log in from an unknown location or device, you can use the "Google Authenticator" mobile app available in the iphone app store and Android Market.<br />
<br />
1) Download "Google Authenticator" from your app store.<br />
2) Log into gmail account.<br />
3) <a href="https://accounts.google.com/b/0/SmsAuthConfig">https://accounts.google.com/b/0/SmsAuthConfig</a><br />
4) Start the Authenticator App.<br />
5) Press the + button. Then press the "Scan the barcode" button.<br />
6) Scan the barcode on the computer using your phone.<br />
7) Once the barcode is scanned, you will get a code displayed on the app.<br />
8) Enter the code into the computer screen in the text box.<br />
9) Click Verify. </div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-6940728126479075612.post-22681358927460638242012-07-23T22:27:00.002-05:002012-07-23T22:27:31.748-05:00PicketLink and Salesforce/Google Apps Integration<div dir="ltr" style="text-align: left;" trbidi="on">
Marek Posolda from the GateIn team has created an excellent article on integrating salesforce or google apps with JBoss. It is done via project <a href="http://jboss.org/picketlink" target="_blank">PicketLink</a>.<br />
<br />
The article is at <a href="https://docs.jboss.org/author/display/PLINK/3rd+party+integration">https://docs.jboss.org/author/display/PLINK/3rd+party+integration</a><br />
<br />
Marek also talks about GateIn integration with Salesforce and Google Apps using PicketLink at <a href="https://community.jboss.org/wiki/GateInSSOIntegrationWithSalesforceAndGoogleApps%20" target="_blank">https://community.jboss.org/wiki/GateInSSOIntegrationWithSalesforceAndGoogleApps </a><br />
<br />
<h4 style="text-align: left;">
References</h4>
<a href="https://community.jboss.org/wiki/GateInAndSAML2IntegrationForSSOAuthentication" target="_blank">GateIn SAML Integration Wiki</a></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-65823063065258377112012-06-11T01:49:00.000-05:002012-06-11T01:52:56.610-05:00LinkedIn has a wake up call<div dir="ltr" style="text-align: left;" trbidi="on">
All the IPO fun news - soaring personal assets - increasing cash pile must have gone a bit sour at LinkedIn now. They have probably started living on earth now, like the rest of us. I am referring to <a href="http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/">http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/</a> and <a href="http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html">http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html</a><br />
<br />
I have been a LinkedIn member since inception. It feels like close to a decade or more. I respect and utilize their services on a daily basis. Their advances in technology, primarily big data analytics, impress me.<br />
<br />
But when customers/users provide you their information, then it is of utmost importance to safeguard it. <i><b>LinkedIn failed to do that</b></i>. But they are not alone. Every day, we hear about some data breach. The fundamental problem is that there is no easy way to secure anything. Passwords are useful to achieve the minimum level of security, with minimum set up. But they are not the best form of security. Working toward preventing data breaches should be part of a daily routine.<br />
<br />
The blog post from <a href="http://www.linkedin.com/in/vicentesilveira" target="_blank">Vicente</a> is very assuring. In the next few years, LinkedIn will probably have fewer news reports about data breaches. Hopefully, <a href="http://www.linkedin.com/in/ganeshkrishnanlinkedin" target="_blank">Ganesh Krishnan</a> (from my alma mater, BMSCE) can shine.<br />
<br />
What LinkedIn needs to do is take their advances in big data analytics into security intelligence. <i>Salting/Hashing passwords is just the first step. You should incorporate device registration as well as use security analytics to thwart future breaches. Please be the first to show us the way with big data security analytics.</i><br />
<br />
Good Luck to LinkedIn!<br />
<br />
(<i>Now can we please do something about the "Who viewed your profile?" leaks on LinkedIn on mobile apps?</i>).</div>
<h2>
When Access Control Systems Fail or are Absent,</h2>
Published 2012-05-27T01:13:00.000-05:00, updated 2012-05-27T01:15:26.359-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
you can have squatters at your company. And they are not in camp sites in your parking lots or dressed differently - they mingle and coexist with your legitimate employees. How cool is that? :)<br />
<br />
<h3 style="text-align: left;">
Examples: </h3>
1. <a href="http://www.businessinsider.com/eric-simons-built-his-startup-squatting-at-aols-campus-2012-5" target="_blank">19 Year Old Kid builds a startup squatting at AOL</a>.<br />
2. <a href="http://www.virginmedia.com/movies/features/movie-myths-3.php?page=10" target="_blank">Young Steven Spielberg squatting at Universal Studios for 2 months</a>.<br />
<br />
The story of Steven Spielberg claiming that he squatted for 2 months/years is rebutted in the media. It is still a possibility. :) (<a href="http://www.anecdotage.com/index.php?aid=14372">http://www.anecdotage.com/index.php?aid=14372</a>)<br />
<br />
Another example of studio squatting <a href="http://en.wikipedia.org/wiki/Daedalus_Howell#Controversy">http://en.wikipedia.org/wiki/Daedalus_Howell#Controversy</a> <br />
<br />
<br />
So, give some love to access control systems. :)</div>
<h2>
Growing need for Social Intelligence</h2>
Published 2012-05-23T13:24:00.001-05:00, updated 2012-05-23T19:14:01.863-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
In the past, there were firewalls, employee agreements and corporate training to inculcate proper corporate etiquette in employees. As an employee, you were told that<br />
<ul style="text-align: left;">
<li>when you are in public, then sensitive corporate information was not to be uttered.</li>
<li>when you were sending an email outside the organization, your language/tone had to be watched.</li>
</ul>
Companies needed to maintain vigil and diligence to safeguard their secrets, brand and Intellectual Property. Ok, that was the 90s.<br />
<br />
Then came the world of blogging. Wikipedia became the de-facto encyclopaedia of the world. Then came LinkedIn, Twitter, Facebook, Foursquare and your-favorite-social-network-or-location-or-web2.0-application came into existence and started getting popular. Of course, I did not forget Pinterest and Instagram. The iPhone revolutionized mobility. Who has not clicked a picture of a place or product or something and published on twitter/facebook? Instagram makes that easy.<br />
<br />
This is the 21st century I am referring to. Companies started to get involved in social media to maintain brand recognition, marketing and customer outreach. Nothing wrong with that. Many companies encouraged their employees to embrace openness and use social media.<br />
<br />
Things seem to be going well for everybody. I am sure we will see some employee crossing the line and mistakenly sharing private confidential information on the internet. <i>Remember congressman <a href="http://en.wikipedia.org/wiki/Anthony_Weiner">Anthony Weiner</a>'s episode of forgetting to use "D" at the beginning of his tweet. Rather than the tweet going as a direct message to one of the twitterers, it got shared with the world. The rest is history.</i><br />
<br />
Reading Network World's latest bit on <a href="http://www.networkworld.com/news/2012/051712-social-media-security-259387.html">security and social media</a>, I strongly feel that there is a need for <u><b>Social Intelligence</b></u>. Rather than people monitoring social media to see if private information is getting divulged, we need intelligent software that can monitor the social world to flag rumours and threats to the corporate brand. I believe that many a time, employees step over the thin line not because they want to harm their employer, but because they do not know where the line starts and where it ends.<br />
<br />
Let there be Social Intelligence, not to monger fear, but as a valuable tool in safeguarding corporate brands and IP. Companies should not take the knee-jerk policy of banning social media from the enterprise. What you end up doing is lowering your employee morale, in this brave new world. Just manage your brand better via social intelligence.</div>
<h2>
Obfuscate your maven settings passwords</h2>
Published 2012-05-07T14:48:00.001-05:00, updated 2012-05-07T14:48:15.750-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
If you still have cleartext passwords in your settings.xml, then it is time for you to mask/obfuscate them. It will not be foolproof, but it is definitely better than having your passwords in the open.<br />
<a href="https://community.jboss.org/wiki/MavenSettingsxmlMaskingPassword">https://community.jboss.org/wiki/MavenSettingsxmlMaskingPassword</a></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-38783059938665603092012-04-24T16:43:00.001-05:002012-04-24T16:43:26.478-05:00GSOC 12 at JBoss is ready to roll<div dir="ltr" style="text-align: left;" trbidi="on">
Google has announced the 1200+ students that will be participating via 180 organizations this year (2012). As announced a month ago, JBoss Community is one of the organizations participating in GSOC.<br />
<br />
We generated a large number of Ideas and identified many mentors for those ideas. It was an exciting phase. The Ideas page is at <a href="https://community.jboss.org/wiki/GSOC12Ideas">https://community.jboss.org/wiki/GSOC12Ideas</a><br />
<br />
Since the number of official gsoc slots has to be finite (you do the math - 1200 students from 180 organizations - so maybe anywhere from 2-20 slots per organization), we were lucky to finally get 8 slots allotted for JBoss Community.<br />
<br />
So after negotiations with gsoc office and our mentors, 8 students were identified. The list for JBoss community is announced at <a href="https://community.jboss.org/wiki/GSOC12JBossCommunityStudents">https://community.jboss.org/wiki/GSOC12JBossCommunityStudents</a><br />
<br />
Congratulations to the students accepted into the gsoc program via JBoss community. As true open source ambassadors, JBoss Community is not forgetting the students whose proposals have been rejected. We are working to include them in open source projects nevertheless. :)<br />
<br />
In the end, open source is the winner!</div>
<h2>
PicketLink STS on JBoss AS 7.1.x</h2>
Published 2012-04-09T21:48:00.002-05:00, updated 2012-04-09T21:48:30.287-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Thanks to community member Alex Jacinto, we now have a cheatsheet for PicketLink STS running on JBoss Application Server v7.1.x.<br />
<br />
<a href="https://community.jboss.org/wiki/CheatsheetPicketLinkSecurityTokenServiceWithJBossAS71x">https://community.jboss.org/wiki/CheatsheetPicketLinkSecurityTokenServiceWithJBossAS71x</a><br />
<br />
Thanks Alex.</div>
<h2>
Student interaction via GSOC has been awesome</h2>
Published 2012-04-04T14:32:00.002-05:00, updated 2012-04-04T14:32:52.381-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
For the last few years, JBoss Community projects participated in GSOC via the Fedora Program. This is the first year we are participating as an independent entity in the GSOC program. So naturally we are excited as well as learning.<br />
<br />
So far the interaction with the student community has been very awesome. They have come to JBoss Community with questions, interests and passions that we would not normally have. Since the deadline for student proposals is April 6, they have been scampering with their proposals, hopping on to our email lists, IRC channels and forums.<br />
<br />
Currently, the students are primarily interacting via the email list (<b>gsoc@lists.jboss.org</b>) Signup: <a href="https://lists.jboss.org/mailman/listinfo/gsoc">https://lists.jboss.org/mailman/listinfo/gsoc</a> and IRC channel <i><b>#gsoc-jboss</b></i> on freenode (the log is at <a href="http://echelog.com/logs/browse/gsoc-jboss/1333490400">http://echelog.com/logs/browse/gsoc-jboss/1333490400</a> )<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.jboss.org/dms/GSoC/GSoC_commonbanner_1180px.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="http://www.jboss.org/dms/GSoC/GSoC_commonbanner_1180px.png" width="640" /></a></div>
<br />
The mentors that have signed up on the Ideas Page for JBoss Community (<a href="https://community.jboss.org/wiki/GSOC12Ideas">https://community.jboss.org/wiki/GSOC12Ideas</a>) are excited, not only to have received multiple proposals for their projects but also to have great questions on their respective projects.</div>
<h2>
JBoss AS 7:: Social Login (Facebook Connect/ Google Authentication)</h2>
Published 2012-03-19T19:37:00.001-05:00, updated 2012-03-19T22:24:50.139-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2>
Background</h2>
There is no denying that Social Media is growing leaps and bounds. The concept of social login has prevailed. Facebook and Google have turned out to be the holders of user information that can be used as the secure gateway into your web applications. Facebook / Google users are part of what is called "<b>Consumer Identity</b>". <br />
In this article, we will look at a simple web application, part of the PicketLink Social Project, that can help you visualize adding Facebook Connect / Google Authentication to your web applications. We will use the fast, free and awesome JBoss Application Server v7 as the runtime.<br />
<br />
<h2>
What is needed? </h2>
You will need to get hold of <br />
<ul>
<li>JBoss Application Server v7.1 (at the time of writing, v7.1.1.Final was the latest). </li>
<li>Use the self contained picketlink-reg.war.</li>
</ul>
<br />
<h2>
Steps to follow</h2>
<ol>
<li>Follow the JBoss AS7 user guide to extract the server. It is mainly just unzipping a zip archive.</li>
<li>Now copy the attached picketlink-reg.war to standalone/deployments directory of JBoss AS7.</li>
<li>You need to make some configuration changes to the standalone/configuration/standalone.xml file to add a security domain as well as a bunch of system properties.</li>
<li>Start JBossAS7 in the standalone mode. </li>
<li>Test the Web Application.</li>
</ol>
<br />
<h3>
Configuration Changes to be made in standalone.xml </h3>
TIP: I do attach my "standalone.xml" to this <a href="http://server.dzone.com/sites/all/files/standalone.xml">LINK</a>. <br />
<h3>
Define a security domain called "external_auth"</h3>
<div class="syntaxhighlighter " id="highlighter_637799">
<div class="bar">
<div class="toolbar">
<a class="item viewSource" href="http://server.dzone.com/articles/jbossas7-making-your-web#viewSource" style="height: 16px; width: 16px;" title="view source"> </a></div>
</div>
<div class="lines">
<div class="line alt1">
<code class="number"></code><span class="content"><span class="block" style="margin-left: 0px;"><code class="plain"><</code><code class="keyword">subsystem</code> <code class="color1">xmlns</code><code class="plain">=</code><code class="string">"urn:jboss:domain:security:1.1"</code><code class="plain">></code></span></span></div>
<div class="line alt2">
<code class="number"></code><span class="content"><span class="block" style="margin-left: 84px;"><code class="plain"><</code><code class="keyword">security-domains</code><code class="plain">></code></span></span></div>
<div class="line alt1">
<code class="number"></code><span class="content"><span class="block" style="margin-left: 112px;"><code class="plain"><</code><code class="keyword">security-domain</code> <code class="color1">name</code><code class="plain">=</code><code class="string">"external_auth"</code> <code class="color1">cache-type</code><code class="plain">=</code><code class="string">"default"</code><code class="plain">></code></span></span></div>
<div class="line alt2">
<code class="number"></code><span class="content"><span class="block" style="margin-left: 140px;"><code class="plain"><</code><code class="keyword">authentication</code><code class="plain">></code></span></span></div>
<div class="line alt1">
<code class="number"></code><span class="content"><span class="block" style="margin-left: 168px;"><code class="plain"><</code><code class="keyword">login-module</code> <code class="color1">code</code><code class="plain">=</code><code class="string">"org.picketlink.social.auth.ExternalAuthLoginModule"</code> <code class="color1">flag</code><code class="plain">=</code><code class="string">"required"</code><code class="plain">/></code></span></span></div>
<div class="line alt2">
<code class="number"></code><span class="content"><span class="block" style="margin-left: 140px;"><code class="plain"><code class="keyword">authentication</code><code class="plain">></code></code></span></span></div>
<div class="line alt1">
<code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 112px;"><code class="plain"><code class="keyword">security-domain</code><code class="plain">></code></code></span></span></code></div>
<div class="line alt2">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 112px;"><code class="plain"><</code><code class="keyword">security-domain</code> <code class="color1">name</code><code class="plain">=</code><code class="string">"other"</code> <code class="color1">cache-type</code><code class="plain">=</code><code class="string">"default"</code><code class="plain">></code></span></span></code></code></div>
</div>
</div>
<code class="plain"><code class="plain"> What
Ihave done is inserted a block of security domain configuration inside
the security configuration and before the security domain "other".</code></code><br />
<br />
<h3>
<code class="plain"><code class="plain">Define a bunch of system properties.</code></code></h3>
<div class="syntaxhighlighter " id="highlighter_439491">
<div class="bar">
<div class="toolbar">
<code class="plain"><code class="plain"><a class="item viewSource" href="http://server.dzone.com/articles/jbossas7-making-your-web#viewSource" style="height: 16px; width: 16px;" title="view source"></a></code></code></div>
</div>
<div class="lines">
<div class="line alt1">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 0px;"><code class="plain"><code class="keyword">extensions</code><code class="plain">></code></code></span></span></code></code></div>
<div class="line alt2">
</div>
<div class="line alt1">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 0px;"><code class="plain"><</code><code class="keyword">system-properties</code><code class="plain">></code></span></span></code></code></div>
<div class="line alt2">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 56px;"><code class="plain"><</code><code class="keyword">property</code> <code class="color1">name</code><code class="plain">=</code><code class="string">"CLIENT_ID"</code> <code class="color1">value</code><code class="plain">=</code><code class="string">"Insert_your_client_id"</code><code class="plain">/></code></span></span></code></code></div>
<div class="line alt1">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 56px;"><code class="plain"><</code><code class="keyword">property</code> <code class="color1">name</code><code class="plain">=</code><code class="string">"CLIENT_SECRET"</code> <code class="color1">value</code><code class="plain">=</code><code class="string">"Insert_your_client_secret"</code><code class="plain">/></code></span></span></code></code></div>
<div class="line alt2">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 0px;"><code class="plain"><code class="keyword">system-properties</code><code class="plain">></code></code></span></span></code></code></div>
<div class="line alt1">
</div>
<div class="line alt2">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 14px;"><code class="plain"><</code><code class="keyword">management</code><code class="plain">></code></span></span></code></code></div>
<div class="line alt1">
<code class="plain"><code class="plain"><code class="number"></code><span class="content"><span class="block" style="margin-left: 56px;"><code class="plain"><</code><code class="keyword">security-realms</code><code class="plain">></code></span></span></code></code></div>
</div>
</div>
<code class="plain"><code class="plain">We
have defined a block for system properties at the end of the block for
extensions and the beginning of management. Please have a look at the
wiki article on <a href="http://community.jboss.org/wiki/JBossAS7SystemProperties" target="_blank">JBoss AS7 System Properties</a>, for more information.</code></code><br />
<br />
<code class="plain"><code class="plain">Note that I am assuming that your app is deployed on localhost. If the domain is different, then you have to define an additional system property called "RETURN_URL" that gives a value such as "http://thedomain/picketlink-reg/auth" (replace thedomain with whatever value you want).</code></code><br />
<br />
<h2>
How to test the web application?</h2>
You can go to <a href="http://localhost:8080/picketlink-reg/" target="_blank">http://localhost:8080/picketlink-reg/</a><br />
Now you can log in either using Facebook Connect or Google Authentication.<br />
Note that the attached web application just outputs the name of the authenticated user and the email address. You can get more information if desired by changing the configuration settings.<br />
<br />
<h2>
What changes do we need to make a web application use Facebook Connect or Google Authentication as its Authentication Mechanism?</h2>
You will need to configure the ExternalAuthenticator in WEB-INF/jboss-web.xml. Look at how the attached picketlink-reg.war application does it.<br />
<br />
<b>Reference</b><br />
<a href="https://issues.jboss.org/browse/PLFED-272">https://issues.jboss.org/browse/PLFED-272</a><br />
<h2>
Attachments</h2>
picketlink-reg.war is available at <a href="http://dl.dropbox.com/u/20060733/picketlink-reg.war">http://dl.dropbox.com/u/20060733/picketlink-reg.war</a><br />
My standalone.xml is at <a href="http://server.dzone.com/sites/all/files/standalone.xml">Link</a>. You will need to change the client id and client secret.<br />
<br />
This article is also available at DZone. Link is <a href="http://server.dzone.com/articles/jbossas7-making-your-web">http://server.dzone.com/articles/jbossas7-making-your-web</a><br />
<br />
<span style="font-size: large;"><b>Troubleshooting</b></span><br />
<ul>
<li>In the Facebook Developer console where your app settings exist, Edit Settings ->WebSite >
<ul>
<li>Site URL: Specify the url of your web application.</li>
<li>Site Domain: domain of your web application. (If testing locally, you can specify localhost)</li>
</ul>
</li>
</ul>
<br />
</div>
<h2>
JBoss Community accepted into GSOC 12</h2>
Published 2012-03-16T14:53:00.003-05:00, updated 2012-03-16T15:22:36.333-05:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
With great privilege and honor, I want to share this exciting piece of information that JBoss Community (<a href="http://www.jboss.org/">http://www.jboss.org</a>) has been officially accepted as a participating organization at the Google Summer of Code 2012.<br />
<br />
Please take a look at all the participating organizations. List is at <a href="http://www.google-melange.com/gsoc/accepted_orgs/google/gsoc2012">http://www.google-melange.com/gsoc/accepted_orgs/google/gsoc2012</a><br />
<br />
In my view, the GSOC Ideas Page (<a href="https://community.jboss.org/wiki/GSOC12Ideas">https://community.jboss.org/wiki/GSOC12Ideas</a>) is a <i><b>clear indication</b></i> of the amazing variety of Open Source Projects hosted at JBoss Community as well as the enthusiasm and team work displayed by all potential administrators and mentors.<br />
<br />
Here is to a successful summer for our mentors and students as part of GSOC 12.<br />
<br />
Special thanks to Dan Allen, James Cobb and all the participating mentors to have made this JBoss initiative for GSOC 12 possible.<br />
<br />
Real <b><i>Team Work</i></b> at JBoss Community to clear the first step in the GSOC 12 Program. </div>
<h2>
Book Review: Java Performance: Charlie Hunt, Binu John</h2>
Published 2012-03-14T10:28:00.005-05:00, updated 2012-11-19T15:37:54.229-06:00.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span id="internal-source-marker_0.45007519942535057" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"><b>My Rating</b>: 5 out of 5 stars. (<u><i><b>Strong Buy</b></i></u>)</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<b><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Why you need to buy this book?</span></b><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">1) There is no other strong book on Java Performance in the market.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">2) Written by experts who deal with improving the performance of the Hotspot Java VM, on a daily basis.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">3)
Extensive description on the internals of the Hotspot JVM. Previously
the JVM was a blackbox that would run your Java applications. This book
will lay out the JVM as an open book. So you have an opportunity to
master the JVM.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">4) It is from Addison Wesley who publish GREAT books.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"><b>My Favorite Chapters</b>:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chapter 3: JVM Overview.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chapter 4: JVM Performance Monitoring</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chapter 5: Tuning the JVM, Step by Step</span><br />
<br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"><b>Review</b>:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">I
have had this book for a month now, but I have not read it completely.
The reason is that this is an advanced topic. The book goes to great
lengths to describe the HotSpot JVM concepts, so you have to tread very
slowly. I mean very, very slowly.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">My
approach has been to go to the chapters which I am interested in. Then
go back to the chapters that give background information. I strongly
recommend that you keep this book close to your work area, because you
will require it often, to not only brush up on your reading but also to
use it as a reference, when you tune your Java applications. <i><b><u>BUT THIS
BOOK IS A DEFINITE MUST FOR YOUR COLLECTION</u></b></i>.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Let us go chapter by chapter on the ones I have read.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chapter 2: Operating System Performance Monitoring</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">I particularly liked the treatment of “monitoring CPU utilization” on various operating systems (Windows, Linux, etc.).</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">There is a lot of information on memory usage monitoring and disk I/O monitoring that a performance engineer will definitely need.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chapter 3: JVM Overview</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">This is a brilliantly written chapter.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Right
at the start, the authors state that the users of Java technology see
the JVM as a black box. My opinion: well, this is the irony or fact or
destiny or whatever. Java performance has been voodoo over the years.
Extensive documentation (that is not confusing), along with reasonable
JVM defaults, is the way to go.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">The
chapter does very well to talk about ordinary object pointers
(OOPs) and the new JDK6+ feature called “compressed oops” to get 32-bit-like
performance on 64-bit JVMs. The gist is that the compressed oops feature
will improve CPU cache utilization.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">The
chapter goes to great lengths to talk about class loading, internal VM
architecture, etc. A very, very good chapter. Read the section on
garbage collection. There is a great discussion of the generations as well
as of the collectors.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chapter 7: Tuning the JVM step by step</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">This
chapter is just a <i><b>beauty</b></i>. There are around 70 pages devoted to this
chapter. So much content just for JVM tuning. Probably, this topic
requires 1000 pages. But the authors have done JVM tuning as part
of their jobs, so they have condensed the topic into 70 pages based on
their years of experience. </span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">I
will update this review as I finish reading the other chapters. I can
grumble that the book is very intense but it is a happy grumbling.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"><b>Final Commentary</b>:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">I
have attended talks by Charlie Hunt over the years. Charlie is
extremely knowledgeable and is very passionate about the JVM. No wonder
he has turned out <i>a gem of a book</i>.</span><br />
<br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Anil Saldhana</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">JBoss Community</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;">Chicago Java Users Group </span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"></span></div>
Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-6940728126479075612.post-11358922674518015292012-03-09T12:30:00.000-06:002012-03-09T18:00:57.900-06:00Open Source and Security Response<div dir="ltr" style="text-align: left;" trbidi="on">
We live in a very interesting world. I term it interesting and not dangerous because I see a lot more good in this world than the bad. So unlike the media who love to portray the bad primarily, I would like to talk about the good in the world. A <i><b>good</b></i> in the world for the last few years has been <i style="color: #3d85c6;"><b>Open Source</b></i>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-XwecEmKI7g4/SIirdmVcLyI/AAAAAAAADNw/GfwyGivilCk/s1600/OpenSource.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://1.bp.blogspot.com/-XwecEmKI7g4/SIirdmVcLyI/AAAAAAAADNw/GfwyGivilCk/s320/OpenSource.jpg" width="320" /></a></div>
<br />
<br />
Open Source has given many benefits to this world including:<br />
<ul style="text-align: left;">
<li>Free alternatives to paid Operating Systems.</li>
<li>Free open alternatives to the Apple iPhone/iOS ecosystem.</li>
<li>Apache Software Foundation, JBoss community, Linux Foundation and other communities that have shipped and are shipping <b><i>great</i></b> free open source projects including Apache Httpd Web Server, JBoss Application Server, Linux Distributions etc.</li>
<li>Free alternatives to Microsoft Office Ecosystem.</li>
</ul>
<br />
Now let us look at web browsers. They have been our gateways to Internet content. Of course, you need an ISP or a Wi-Fi connection to get to the Internet, but the browsers have been the main avenue to access the rich content that is on the Internet. Browsers such as Mozilla Firefox, Google Chrome and Opera have been very beneficial to the world. All three of them take the security of their users very seriously.<br />
<br />
I was reading about Google Chrome getting hacked in less than 5 minutes (<a href="http://it.slashdot.org/story/12/03/07/2352220/chrome-hacked-in-5-minutes-at-pwn2own">http://it.slashdot.org/story/12/03/07/2352220/chrome-hacked-in-5-minutes-at-pwn2own</a>). Ok, it was not <i>magic</i>. Those guys definitely had knowledge of some <i><b>zero-day</b></i> vulnerabilities that they had not disclosed before, and used them to get to 60K. (Please read up on zero-days at <a href="http://en.wikipedia.org/wiki/Zero-day_attack">http://en.wikipedia.org/wiki/Zero-day_attack</a>).<br />
<br />
Now let us talk about the value of security response to open source projects. Almost all major OSS foundations (Apache, JBoss, Linux, etc.) are backed by a proactive security response team that stays on top of vulnerabilities in their projects.<br />
<br />
As the number of open source projects is on the rise, it is <b>critical</b> that you adopt an open source project that <i>has an excellent security response team</i> and that provides <i>newer versions of the project</i> with the fixes. Also, the ball is in your court to stay on top of newer releases. If you are unable to manage the patches or get on newer versions of projects, then I strongly suggest that you adopt commercial versions of open source software such as the JBoss Platforms (EAP, SOA-P, EPP, etc.) or Hadoop (Cloudera/MapR/HortonWorks), because these are backed by a security response team that will provide the necessary patches. Trust me, all software at all times will have at least one vulnerability. Software does not get created by magic but by humans, who are prone to mistakes.<br />
<br />
<i>For this reason, I feel that security response is a critical aspect of open source choice and adoption.</i> Please visit Red Hat's Security Response for additional information, as well as for an understanding of the role of open source in security: <a href="http://www.redhat.com/security">http://www.redhat.com/security</a><br />
<br />
We are currently at <a href="http://anil-identity.blogspot.com/2012/03/open-source-and-security-response.html">http://anil-identity.blogspot.com/2012/03/open-source-and-security-response.html </a><br />
<br />
<br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-33057003695649403972012-03-01T14:04:00.000-06:002012-03-01T14:05:04.160-06:00Open Source PicketLink v2.0.2.Final Released<div dir="ltr" style="text-align: left;" trbidi="on">
JBoss community project PicketLink has released the latest version to the community. The version is v2.0.2.Final. You can get a lot of details about this release at <a href="https://community.jboss.org/wiki/PicketLink202Final">https://community.jboss.org/wiki/PicketLink202Final</a><br />
<br />
The release will also be included as part of the forthcoming JBoss Application Server v7.1.1 release.<br />
<br />
Please use the community forum to ask questions or provide feedback. The forums are located at <a href="https://community.jboss.org/en/picketlink?view=discussions">https://community.jboss.org/en/picketlink?view=discussions</a><br />
<br />
The dashboard is at <a href="https://community.jboss.org/wiki/PicketLinkDashboard">https://community.jboss.org/wiki/PicketLinkDashboard</a> <br />
<br />
Enjoy!</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-26195632451510648612012-02-16T08:49:00.002-06:002012-02-16T08:52:58.438-06:00JBoss EAP is Common Criteria Certified - EAL4+ (Highest Level Security Certification)<div dir="ltr" style="text-align: left;" trbidi="on">
This morning, the press release has gone out to announce the certification of JBoss Enterprise Application Platform 5.1.0 and 5.1.1 at the highest level of evaluation in its category - EAL4+.<br />
<br />
The press release is available at <a href="http://finance.yahoo.com/news/JBoss-Enterprise-Application-bw-1345517824.html?x=0">http://finance.yahoo.com/news/JBoss-Enterprise-Application-bw-1345517824.html?x=0</a><br />
<br />
The CC Guide should be available soon at <a href="http://docs.redhat.com/docs/en-US/index.html">http://docs.redhat.com/docs/en-US/index.html</a><br />
<br />
I am confident that security conscious customers will find this news refreshing. </div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-59664477178673182182012-02-10T20:15:00.001-06:002012-02-10T20:15:14.073-06:00OpenShift Express Paas always comes to my rescue<div dir="ltr" style="text-align: left;" trbidi="on">
Most of us have been through this. You have to put up a demo for a customer, a conference or just to show something to a person living far away. Now, assuming the other person is not on the corporate network, you have to look for a server that is hosted publicly. <i>Forget getting a computer outside your corporate DMZ</i>. You have to go through many hurdles. All the corporate security stuff comes into play. We cannot blame anybody for being so paranoid, given the state of the world. <i>Everybody is getting hacked these days</i>. Now, the irony is that the demo may be a representation of some tech that is not critical from a security perspective but has value when displayed to a viewer. That is why it is called a <b>DEMO</b>.<br />
<br />
You may say, there is Amazon EC2. Well, that's cool. I have used EC2 for some quick demos. But I have always had to stay on my toes, because I would need to shut down the instances once the job was done. The reason was that the credit card meter would be running (just like a long-distance taxi meter).<br />
<br />
A couple of years ago, I did write some simple web apps on Google App Engine. They are probably still running. Wow, <b>Platform-as-a-Service</b>. You write apps and don't have to worry about dev-ops, capex, opex, etc. Certainly for simple apps, your credit card meter is not running.<br />
<br />
The challenge with GAE was the restrictive API that you had to program against. It was a pain to code to a whitelisted API.<br />
<br />
Enter OpenShift, a PaaS from Red Hat. I have been running many demos on it for months. A cheatsheet I have is <a href="https://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift">https://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift</a><br />
<br />
Why do I like <a href="https://openshift.redhat.com/app/">OpenShift Express PaaS</a>?<br />
<ul style="text-align: left;">
<li>It's free.</li>
<li>It allows me to deploy standard Java EE web apps in minutes.</li>
<li>I do not have to worry about server administration.</li>
<li>I do not have to worry about checking if the web app is running.</li>
</ul>
I did put up another demo today for a key management app. Check it out here: <a href="http://symkey-anilsaldhana.rhcloud.com/keymg.jsp">http://symkey-anilsaldhana.rhcloud.com/keymg.jsp</a><br />
<br />
What are you waiting for? Give OpenShift PaaS a spin. </div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-2409822995834424722011-12-12T03:31:00.001-06:002011-12-12T03:34:31.953-06:00Java Identity JSR: A positive step
The latest JSR on Java Identity is a very positive step in fostering security in Java applications. Since the JSR targets Java SE (as well as Java EE), it will have a very beneficial impact on Java applications running within the VM. You do not require a Java EE application server to avail yourself of the identity services.
A presentation on the JSR, given by the spec lead, Ron Monzillo is available at <a href="https://oracleus.wingateweb.com/published/oracleus2011/sessions/25171/S25171_139221.pdf">https://oracleus.wingateweb.com/published/oracleus2011/sessions/25171/S25171_139221.pdf</a>
A complaint I often hear from Java developers is the lack of consistent, standard APIs/annotations that they can use for securing their applications. JSR 351 aims to provide the necessary APIs as well as annotations. This should have happened long ago, but at least now there is a positive attempt in that direction. I fervently hope that all the framework developers pay attention to this JSR (and not fall prey to the NIH syndrome).
With the proliferation of Identity standards and the lack of coherence among them, it has become very hard for application writers to grasp the concepts of security. They usually take the easy way out (a simple password based system).
I wish the JSR committee all the success. I am planning to be on the committee. You are welcome to participate.
The proposed reference implementation is going to be under the Apache 2.0 license, and the TCK will be free of charge. [Slide 10]Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6940728126479075612.post-91816498101548699412011-10-14T09:25:00.004-05:002011-10-19T14:16:11.747-05:00JavaOne11 Experiences :: JBoss AS7/PicketLink/SAML/OpenShift
I had the privilege of attending Java One in San Francisco this month. I had two talks this year.<br />
<br />
Talks:<br />
1) Venue: JBoss Booth. Title: Trusted Security with PicketBox and PicketLink<br />
2) Venue: Regular Session. Title: Experiences with Java EE Paas<br />
<br />
In my view, this was a great conference for me. I had the opportunity to showcase SAML-based SSO on web applications running on top of JBoss AS7 in Red Hat's OpenShift PaaS environment.<br />
<br />
I also showcased Facebook/Google login to web apps running on JBoss AS7 deployed in the OpenShift environment.<br />
<br />
As part of my sessions, I created the following cheatsheet.<br />
<a href="http://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift/">http://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift/</a><br />
<br />
You should definitely give OpenShift a try. :)<br />
<br />
<b>Tribute to Steve Jobs:</b><br />
Scott Stark and I had just finished making our presentation at Java One. I got an alert from Associated Press on my iPhone: "According to Apple, Steve Jobs has died". It was a shock to me. I showed the alert to Scott who was in the middle of answering offline questions from attendees and he was shocked too. Around 5:40pm. :(Unknownnoreply@blogger.com0