David Brossard

Cosmin Nicolae Vacaroiu wrote:Hello,
XACML

Try out the following:
1. OASIS XACML website: oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
2. Axiomatics website: https://www.axiomatics.com/xacml-for-developers.html
3. XACML on wikipedia
4. XACML on my blog: http://www.webfarmr.eu/2010/09/xacml-101-a-quick-intro-to-attribute-based-access-control-with-xacml/

Hi,

The question is wrong. First of all, it asks for

Himai Minh wrote:Which container managed web service security mechanism must the development team use to allow web service clients to use the current security model?"

And it suggests the following answers:

Himai Minh wrote:
Choice:
A XKMS
B. XACML
C. XML digital signature
D. HTTP basic authentication
E annotations mapped to the JAX-WS-runtime.

None of these are web service security mechanisms. At best, annotations (which?) mapped to the JAX-WS runtime could considered as a potential answer.
HTTP Basic authentication is a mechanism through which a user can be authenticated. It largely pre-dates web services. It is not specific to web services and in a way, it's not even a recommended way to authenticate for web services, though it does work fine.

XKMS and XACML are not about authentication but rather key management and attribute-based access control respectively.
XML digital signature is about signing XML content. It is not specific to web services and it is not about authenticating but rather proving the authenticity of content and that it has not been tampered with.

Going back to your original question: Can we use both XACML and basic authentication in a container managed WS for authorization?

The anwer is yes. You can use HTTP basic authentication (or any other means of authN e.g. SAML) to authenticate the users and services trying to access your web service. You definitely want to have the authentication container-managed. What that means is that the application / web service / web app / API you are developing and installing in the container does not need to worry about authentication. It's handled by the container.

You can then use XACML (eXtensible Access Control Markup Language) to define XACML policies (access control policies) and then protect your web services. You would typically do that using either of a Servlet filter or a JAX-WS handler. They then act as a Policy Enforcement Point (PEP) which creates a XACML authorization request which is then sent to the Policy Decision Point (PDP).

I hope this clarifies things.

Cheers,
David.

Hi,

I want to count the occurrences of an Element based on the value of one its attributes. I have written the XSLT displayed below and tested it in an online XSLT tester and it works so far.

When I write my own Java code, though, I keep getting an error that Cannot convert #NUMBER to a NodeList. I cannot find a good answer though.

Here is my XSLT:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xsl:template match="/"> <svg xmlns="http://www.w3.org/2000/svg" width='300px' height='300px'> <title>XACMListics</title> <text x='60' y='250' fill='blue'> <xsl:value-of select="count(/**/xacml3:Rule[@Effect='Deny'])" /> </text> </svg> </xsl:template> </xsl:stylesheet>

And here is how I invoke the transformation
private void countDenyOccurrences() throws Exception { try { logger.info("1. Instantiate a TransformerFactory"); TransformerFactory tFactory = TransformerFactory.newInstance(); logger.info("2. Process the stylesheet Source and generate a Transformer"); Transformer transformer = tFactory.newTransformer(xacmlSvgXslt); for (int i = 0; i < xacmlFiles.size(); i++) { logger.info("Processing file "+i+" / "+xacmlFiles.size()+"."); logger.info("3. Transform XML Source and send the output to a Result object"); ByteArrayOutputStream bos = new ByteArrayOutputStream(); Result output = new StreamResult(bos); transformer.transform(new StreamSource(xacmlFiles.get(i)), output); bos.flush(); String outputValue = bos.toString(); logger.debug(outputValue); } } catch (Exception e) { logger.error(e); e.printStackTrace(); throw e; } }

In the above code I iterate over a list of files and apply the XSLT to get the count of it and save it inside an XML SVG File as per the XSLT transformation which goes to a string (via a ByteArrayOutputStream). However even before I reach that point, I get the exception I mentioned at the top.

So what's the issue?

Thanks,
D.

Is there any possible way to avoid using an annotation to insert SOAP handlers in JAX-WS? It seems the XSD schema file that defines the format for sun-jaxws.xml does allow for <handler-chain> inside an <endpoint> element but when I try that I get an exception that there is invalid content in the jaxws file.
Today I have to write the following code:


package eu.webfarmr.demos; import javax.jws.HandlerChain; import javax.jws.WebMethod; import javax.jws.WebService; @WebService @HandlerChain(file="/handlers.xml") public class Calculator { @WebMethod public double add (double a, double b){ return a+b; } }

but I would really love to get rid of the annotation.

Dear all,

Does anyone know what are the most used app / web servers out there? If one focused on Websphere, Weblogic, Oracle App Server, Tomcat, and JBoss (am I forgetting a big one?), which would be the market share for each one?

Old stats from 2006 show that IBM WAS and Weblogic had a fairly equal share 25% each.

Cheers,
David.

Here is a solution, but is it the way to go? It almost feels like I am breaking some REST principle here...


In the implementation, write:

Message currentMessage = org.apache.cxf.phase.PhaseInterceptorChain.getCurrentMessage(); HttpServletRequest req = (HttpServletRequest) currentMessage.get("HTTP.REQUEST");

In my case, the type of the object is in fact org.eclipse.jetty.server.Request since I use Jetty. A bit of googling shows that (of course) org.eclipse.jetty.server.Request implements javax.servlet.http.HttpServletRequest (http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/Request.html)

Hi,

I am using the example provided in Apache CXF 2.3.3 whereby a service interface and implementation are defined to have the following method:

@Get @HttpResource(location = "/customers/{id}") Customer getCustomer(@WebParam(name = "GetCustomer") GetCustomer getCustomer);

I was wondering how I could access the get parameters that might be sent in the implementation of the method? Is there a standardized, clean way, of doing it?

Example GET request URL could be: http://localhost:8080/customers/123?color=blue&size=M

where 123 is the customer id and color as well as size are the get parameters.

In addition, I do not understand how the GetCustomer object gets constructed...

Any help would be welcome.

Cheers,
David.

I couldn't agree more with your first statement. What I am doing now is a dummy demo where I have to use cookies. The problem you describe is exactly what I'm getting: cookie replay (if there is such a term) whereby I invalidate my session (i.e. I logout) but I can still go to sensitive parts of the website because the cookie is still there (as long as it has not expired).

Invalidating the session should take care of removing the cookie and that's exactly what I try doing - to no avail.

Again I entirely agree with your comment.

Hi all,

I have a simple Icefaces app where I use cookies. One of the cookies is an authentication token. I have a commandlink which I use to invalidate the session. Unfortunately (and I suppose quite expectedly), session invalidation doesn't remove any client cookies.

<ice:commandLink styleClass="topLink" action="#{sessionBean.actionSignOut}" id="commandSignOut" value="Sign out" />

I have found 2 ways to clear cookies. The first one is as follows:

HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest(); HttpServletResponse response = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse(); Cookie[] cookies = request.getCookies(); Cookie opentoken = null; for(Cookie c : cookies){ if (c.getName().equals("opentoken")){ logger.debug("found the cookie: "+c.getName()+" domain:"+c.getDomain()+" exp:"+c.getMaxAge()); // log4j debug statement opentoken = c; opentoken.setMaxAge(0); opentoken.setValue(""); // it is more elegant to clear the value but not necessary response.addCookie(opentoken); logger.debug("redirecting to "+request.getContextPath()); response.sendRedirect(request.getContextPath()); break; } }

The second is - I believe - merely a facade / shortcut to the former one:

Map<String,Object> props = new HashMap<String, Object>(); props.put("maxAge", 0); FacesContext.getCurrentInstance().getExternalContext().addResponseCookie("opentoken", "", props); // the cookie I want to overwrite (expire) FacesContext.getCurrentInstance().getExternalContext().addResponseCookie("tagada", "", props); // random dummy cookie to see whether any is inserted

References:
http://javaserverfaces.java.net/nonav/docs/2.0/javadocs/javax/faces/context/ExternalContext.html#addResponseCookie%28java.lang.String,%20java.lang.String,%20java.util.Map%29
http://download.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html

I think that my issue might be in my filters. I have 2 custom filters I wrote, one which deals with AuthN (and which gets the cookie), and one which deals with AuthZ. The cookie was set by an HTTP call from my webapp to a 3rd party authentication server which then redirects to my webapp. The cookie has therefore not been set by my webapp per se. Would that matter?

Does the code seem right to you? How can I possibly debug what I am doing incorrectly?

Thanks, and I hope this code helps others.

My code actually fails... It parses 2011-04-10T14:23:24Z into

java.util.GregorianCalendar[time=1302438204000
areFieldsSet=true
areAllFieldsSet=true
lenient=true
zone=sun.util.calendar.ZoneInfo[id="GMT"
offset=0
dstSavings=0
useDaylight=false
transitions=0
lastRule=null]
firstDayOfWeek=2
minimalDaysInFirstWeek=4
ERA=1
YEAR=2011
MONTH=3
WEEK_OF_YEAR=14
WEEK_OF_MONTH=1
DAY_OF_MONTH=10
DAY_OF_YEAR=100
DAY_OF_WEEK=1
DAY_OF_WEEK_IN_MONTH=2
AM_PM=1
HOUR=0
HOUR_OF_DAY=12
MINUTE=23
SECOND=24
MILLISECOND=0
ZONE_OFFSET=0
DST_OFFSET=0]

Why is it giving me a 4 hour offset?

Yes you are quite right, thanks for pointing it out:

Code amendment:

Calendar expiryDate = Calendar.getInstance(); expiryDate.setTimeZone(TimeZone.getTimeZone("GMT")); DateFormat formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); Date parsedExpDate = formatter.parse(expiryDateValue); expiryDate.setTime(parsedExpDate); Calendar now = Calendar.getInstance();

Today I needed to parse a String of the following format into a date I could then compare. I chose to use java.util.Calendar since I was familiar with it. A bit of googling got me started.

String example: 2011-04-05T11:29:14Z
(this means 5th of April 2011 at 11:29AM Zulu time which is UTC which is the equivalent of 1:29PM CEST)

I started with the following format

DateFormat formatter = new SimpleDateFormat("yyyy-MM-ddTHH:mm:ssZ");
That failed. The reason is simple and explained in the javadocs (http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html). You need to escape characters with single quotes. I updated my code to

DateFormat formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ");
That still failed for an altogether different reason. The fact I put Z at the end means the formatter expects to see a time zone indicator e.g. PST / GMT...

Being smart and fresh from the previous 'T' and single quote escaping, I decided to escape the 'Z'. Logical reasoning.

However, this had a negative consequence.

My code was now
Calendar expiryDate = Calendar.getInstance(); DateFormat formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); Date parsedExpDate = formatter.parse(expiryDateValue); expiryDate.setTime(parsedExpDate);

This now meant that my date was in the default time zone as set by Calendar.getInstance() which happens to be Berlin/Germany for me (though I am miles and miles away from Berlin and not even in Germany). This actually changed my date by two hours.

This is very normal behavior by the Java lib but very confusing. Does it also mean there is no way to parse 2011-04-05T11:29:14Z directly? Do I really have to strip the Z and add GMT? My fixed code does the following:
Calendar expiryDate = Calendar.getInstance(); DateFormat formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ"); Date parsedExpDate = formatter.parse(expiryDateValue.substring(0, expiryDateValue.length()-2)+"GMT"); expiryDate.setTime(parsedExpDate);

Thanks so much, that explains why there was so little on the topic on the net.

Hi all,

I am trying to get the value of a GET variable directly inside my webpage. Something similar to what can be done in JSP or PHP where you can say:

$_GET["some_variable"] (PHP)

The idea is that for some very simple cases you do not want to use a backing bean. Imagine I have a JSF webpage where the background color can be set via the GET variable

mypage.jsf?color=XXX

Or is this a breach of good design / pattern use? If so how would you handle the problem?

I had this error this morning and although googling did help me understand the cause, it didn't help me figure out the solution.

I have finally resolved it and figured I would share it for future reference.

This is an error due to JAXB. More specifically, this is due to the fact that 2 versions of JAXB are being used. In my case I took a WSDL and generated a client stub using Metro 2.0.1. It so happens that Metro 2.0.1 includes JAXB 2.2.1. My client was therefore generated using JAXB 2.2.1.

That said, the JDK 1.6 now comes with JAXB too, but a slightly older version (2.1.1 I believe) which leads to the following error message in your favorite IDE:

The attribute required is undefined for the annotation type XmlElementRef

The only way to solve it was to change the order of my build class path in Eclipse and to put the Metro libs before the JDK libs.

Did anyone find any other way?

Cheers,
David.