
Monthly Archives: January 2013

Legacy systems as Services


Let's look at a simple example.

The following organization uses several separate systems for its day-to-day operations (for example inventory control, HR management and sales monitoring). Over time the organization grows into a large company serving a big market.

System

Inventory control, HR management and sales monitoring all operate independently. When the company needs to share data between two of these systems, the existing setup cannot do it, because each system is tightly coupled to its own data model and interfaces.

Now look at the following system:

SOA-system

Once the same systems expose well-defined interfaces for communicating with each other, the three components act as services. A service can also be a wrapper around an existing legacy system, so the organization gets the integration it needs without rewriting that system.

If the services inside the organization follow a global standard interface, the same services can also be exposed to the outside world, which improves interoperability between organizations.

SOA-system-Intraoperability

 

Posted by on January 19, 2013 in Other

 


OAuth 2.0 Authorization Protocol


OAuth 2.0 (RFC 6749) defines four authorization grant types:

1. Authorization code – The resource owner authenticates directly with the authorization server, which passes an "authorization code" to the client app through a redirect. The client then exchanges the code for an access token at the token endpoint, authenticating itself with its client credentials in the process, so the access token never travels through the browser.

Oauth-2.0-Authorization-code

2. Implicit – For client apps implemented in a browser using a scripting language (such as JavaScript). The access token is returned directly in the redirect, and the client is not authenticated, because a browser-based app cannot keep a client secret.

Oauth-2.0-Implicit

3. Resource owner password credentials – For cases where there is a high degree of trust between the resource owner and the client app (e.g. a trusted client app on the resource owner's mobile device). The client collects the username and password itself and exchanges them for a token, which is why it has been popular in mobile apps that do not want to drive a browser redirect. The trade-off is that the client sees the user's credentials, so a redirect-based grant should be preferred whenever one is viable.

Oauth-2.0-Resource owner credentials

4. Client credentials – For access to protected resources that are under the control of the client app itself, not of any individual resource owner. The client authenticates with its own credentials and no user is involved; this is the two-legged OAuth scenario.

Oauth-2.0-Client credentials
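To make the authorization code grant concrete, here is a self-contained simulation of the exchange, added here as an example; it is not code from the original post and not WSO2's or any provider's implementation. It plays both sides in one process with constructed data (a client registered as myapp with secret s3cret and redirect URI https://myapp.example/cb, and a resource owner called dinuka, all made up for the demo). It shows what the diagram leaves implicit: the client binds the callback to its session with state, the authorization server only redirects to the registered redirect_uri, and the token endpoint authenticates the client and accepts each code exactly once.

```python
# Toy OAuth 2.0 authorization code grant (RFC 6749 section 4.1), both sides in one process.
# Added example with constructed data; no network, no real WSO2 or Facebook endpoints.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Authorization endpoint, token endpoint and one protected resource, all in memory."""

    def __init__(self):
        # Constructed registration of a single confidential client (made up for the demo).
        self.clients = {"myapp": {"secret": "s3cret", "redirect_uri": "https://myapp.example/cb"}}
        self.codes = {}   # code -> (client_id, redirect_uri, resource_owner, expiry)
        self.tokens = {}  # access_token -> (client_id, resource_owner)

    def authorize(self, params, resource_owner, approved):
        """Front channel: the resource owner has logged in here; return the redirect location."""
        client = self.clients.get(params.get("client_id"))
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")  # never redirect blindly
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        query = {"state": params["state"]}  # echo state so the client can match the callback
        if approved:
            code = secrets.token_urlsafe(32)
            self.codes[code] = (params["client_id"], params["redirect_uri"], resource_owner, time.time() + 60)
            query["code"] = code
        else:
            query["error"] = "access_denied"
        return params["redirect_uri"] + "?" + urlencode(query)

    def token(self, client_id, client_secret, form):
        """Back channel: authenticate the client, then redeem the code exactly once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)  # pop: a replayed code is already gone
        if entry is None:
            return {"error": "invalid_grant"}
        code_client, code_redirect, owner, expiry = entry
        if code_client != client_id or code_redirect != form.get("redirect_uri") or time.time() > expiry:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, owner)
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}

    def resource(self, access_token):
        """Protected resource: the owner's data for a valid bearer token, else None."""
        entry = self.tokens.get(access_token)
        return None if entry is None else {"owner": entry[1], "photos": ["holiday.jpg"]}


class Client:
    """The confidential client application (MyApp in the page's terminology)."""
    client_id, client_secret, redirect_uri = "myapp", "s3cret", "https://myapp.example/cb"
    pending_state = None

    def start(self):
        """Build the authorization request; state binds the later callback to this session."""
        self.pending_state = secrets.token_urlsafe(16)
        return {"response_type": "code", "client_id": self.client_id, "scope": "photos",
                "redirect_uri": self.redirect_uri, "state": self.pending_state}

    def callback(self, location, server):
        """Handle the redirect back; reject callbacks whose state we did not issue."""
        query = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
        if query.get("state") != self.pending_state:
            raise ValueError("state mismatch: possible CSRF or injected code")
        self.pending_state = None
        if "error" in query:
            return {"error": query["error"]}
        return server.token(self.client_id, self.client_secret,
                            {"grant_type": "authorization_code", "code": query["code"],
                             "redirect_uri": self.redirect_uri})


def run_flow(approved=True):
    """Drive one complete exchange; return (token response, protected data or None)."""
    server, client = AuthorizationServer(), Client()
    location = server.authorize(client.start(), resource_owner="dinuka", approved=approved)
    token_response = client.callback(location, server)
    return token_response, server.resource(token_response.get("access_token", ""))


def replay_is_rejected():
    """Redeeming the same code twice must fail the second time with invalid_grant."""
    server, client = AuthorizationServer(), Client()
    location = server.authorize(client.start(), resource_owner="dinuka", approved=True)
    form = {"grant_type": "authorization_code", "redirect_uri": client.redirect_uri,
            "code": parse_qs(urlparse(location).query)["code"][0]}
    first = server.token(client.client_id, client.client_secret, form)
    second = server.token(client.client_id, client.client_secret, form)
    return "access_token" in first and second == {"error": "invalid_grant"}
```

Calling run_flow() walks the happy path and returns the owner's photos; run_flow(approved=False) returns the access_denied error and no data. The single-use code, the redirect_uri check and the client authentication at the token endpoint are the three properties that separate this grant from the implicit grant, where the token is handed straight to the browser.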

 

Posted by on January 17, 2013 in java, wso2

 


Multiple User Stores configuration in WSO2 Identity Server


WSO2 products are highly customizable. Here I'm going to explain another of those features, taking WSO2 Identity Server (IS) as the example product.

Let's look at a simple business scenario.

1. I need to connect multiple user stores to one product,
e.g. the users of different domains, held in different databases.
2. All of those users must be able to log in to the same WSO2 product (IS).

Multiple User Stores

First we need some configuration in Identity Server. Refer to this post for additional information about database configuration with WSO2 products.

You have to create two MySQL databases, FOO and BAR, with the Carbon table structure. Go to the mysql command line and create the two databases:

mysql > create database FOO;
mysql > create database BAR;

Then, from the shell, run the following commands to load the table structure into each database:

 > mysql -u username -p FOO < $IS_HOME/dbscripts/mysql.sql
 > mysql -u username -p BAR < $IS_HOME/dbscripts/mysql.sql

Now the databases are ready. (The examples below connect as root/root for brevity; in a real deployment create a dedicated MySQL user with privileges limited to FOO and BAR, and keep the datasource passwords out of version control.)

1. master-datasources.xml – configure three data sources, for the H2, FOO and BAR databases.

<datasources>      
        <datasource>
            <name>WSO2_CARBON_DB</name>
            <description>The datasource used for registry and user manager</description>
            <jndiConfig>
                <name>jdbc/WSO2CarbonDB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
                    <username>wso2carbon</username>
                    <password>wso2carbon</password>
                    <driverClassName>org.h2.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>

       <datasource>
            <name>WSO2_MySQL_FOO_DB</name>
            <description>The datasource used for user manager foo.com</description>
            <jndiConfig>
                <name>jdbc/WSO2MySqlFooDB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/FOO</url>
                    <username>root</username>
                    <password>root</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>

       <datasource>
            <name>WSO2_MySQL_BAR_DB</name>
            <description>The datasource used for user manager bar.com</description>
            <jndiConfig>
                <name>jdbc/WSO2MySqlBarDB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/BAR</url>
                    <username>root</username>
                    <password>root</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>
</datasources>

2. user-mgt.xml – each user store refers to the data source created for its domain.
The first UserStoreManager in the file is the primary user store; the others are secondary.
The primary user store does not specify a domain name, while each secondary store carries a DomainName property.

        <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
            <Property name="defaultRealmName">WSO2.ORG</Property>
            <Property name="kdcEnabled">false</Property>
            <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
            <Property name="ConnectionName">uid=admin,ou=system</Property>
            <Property name="ConnectionPassword">admin</Property>
            <Property name="passwordHashMethod">SHA</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserEntryObjectClass">scimPerson</Property>
            <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
            <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
            <Property name="UserNameAttribute">uid</Property>
            <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
	    <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
	    <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
            <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
            <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
            <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
            <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
	    <Property name="ReadLDAPGroups">true</Property>
	    <Property name="WriteLDAPGroups">true</Property>
	    <Property name="EmptyRolesAllowed">true</Property>
            <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
	    <Property name="GroupEntryObjectClass">groupOfNames</Property>
            <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
	    <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
	    <Property name="SCIMEnabled">true</Property>
	    <Property name="maxFailedLoginAttempt">0</Property>
        </UserStoreManager>

        <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
	    <Property name="ReadOnly">false</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="IsEmailUserName">false</Property>
            <Property name="DomainCalculation">default</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="UserNameUniqueAcrossTenants">false</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
	    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
	    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
	    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
	    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
	    <Property name="maxFailedLoginAttempt">0</Property>
            <Property name="dataSource">jdbc/WSO2MySqlFooDB</Property>
            <Property name="DomainName">foo.com</Property>	
        </UserStoreManager>
        
        <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
	    <Property name="ReadOnly">false</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="IsEmailUserName">false</Property>
            <Property name="DomainCalculation">default</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="UserNameUniqueAcrossTenants">false</Property>
            <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
            <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
	    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
	    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
	    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
	    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
	    <Property name="maxFailedLoginAttempt">0</Property>
            <Property name="dataSource">jdbc/WSO2MySqlBarDB</Property>
            <Property name="DomainName">bar.com</Property>	
        </UserStoreManager>

Once the above configuration is done you can start the Identity Server.

3. Log in to the IS management console (username: admin, password: admin) and go to Configuration -> Users and Roles.

Select Users -> Add New User.

Now you can create users in the different domains.

[username: test, password: test123] – stored in the primary user store.
You can also create a user with the domain prefix; it is then stored in that domain's user store.
[username: foo.com/dinuka, password: dinuka]
[username: bar.com/malinda, password: malinda]

Once that is done, go to Roles and give the Login permission to the everyone role, so users from every store can reach the console. Grant only what those users actually need: the everyone role applies to every user in every configured store.

Now you can log in to the IS with any user from the primary or a secondary user store, with or without the domain prefix:

[username: foo.com/dinuka, password: dinuka] or
[username: dinuka, password: dinuka]

When the domain is specified, IS authenticates against that domain's user store only. Otherwise it tries the configured user stores in order, starting from the primary store, until one of them accepts the credentials. Note the consequence: if the same username exists in more than one store, an unqualified login can resolve to a different account depending on which store accepts the password, so use the domain-qualified form wherever usernames may overlap.
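The resolution rules just described are easy to get wrong, so here is a small model of them in Python, added as an example; it is not WSO2 code (WSO2 itself is Java) and only mirrors the behaviour the post describes. It models one primary store and two secondary stores with domains foo.com and bar.com, keeps salted SHA-256 digests in the spirit of PasswordDigest=SHA-256 with StoreSaltedPassword=true, and resolves a login name the way the post says: a domain prefix goes to that store only, an unqualified name is tried against the primary and then each secondary in configuration order. The accounts are the constructed ones from this post plus one deliberate duplicate (dinuka in bar.com with a different password) to show the ambiguity. The case-insensitive domain match and the exact digest layout are assumptions of the model, not statements about WSO2 internals.

```python
# Model of login-name resolution across a primary and several secondary user stores.
# Added example; it is not WSO2 code and only mirrors the behaviour described in the post.
import base64
import hashlib
import hmac
import os


class SaltedDigestUserStore:
    """One user store (think of one <UserStoreManager> in user-mgt.xml).

    Passwords are kept as base64(SHA-256(password + salt)) with a random salt per user,
    in the spirit of PasswordDigest=SHA-256 plus StoreSaltedPassword=true. The exact
    byte layout is an assumption of this model.
    """

    def __init__(self, domain=None):
        self.domain = domain      # None for the primary store, which has no DomainName
        self._users = {}          # username -> (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return base64.b64encode(hashlib.sha256((password + salt).encode()).digest()).decode()

    def add_user(self, username, password):
        salt = base64.b64encode(os.urandom(16)).decode()
        self._users[username] = (salt, self._digest(password, salt))

    def authenticate(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._digest(password, salt), stored)  # constant-time compare


class Realm:
    """Primary store first, then secondaries in the order they appear in user-mgt.xml."""
    SEPARATOR = "/"

    def __init__(self, primary, *secondaries):
        self.stores = [primary, *secondaries]
        # Assumption of the model: domain names are matched case-insensitively.
        self.by_domain = {s.domain.lower(): s for s in secondaries}

    def split(self, login):
        """'foo.com/dinuka' -> ('foo.com', 'dinuka'); 'dinuka' -> (None, 'dinuka')."""
        if self.SEPARATOR in login:
            domain, name = login.split(self.SEPARATOR, 1)
            return domain.lower(), name
        return None, login

    def authenticate(self, login, password):
        """Return the qualified name of the account that accepted the password, or None."""
        domain, name = self.split(login)
        if domain is not None:                       # qualified: that store and no other
            store = self.by_domain.get(domain)
            if store is None or not store.authenticate(name, password):
                return None
            return f"{store.domain}/{name}"
        for store in self.stores:                    # unqualified: primary, then secondaries
            if store.authenticate(name, password):
                return name if store.domain is None else f"{store.domain}/{name}"
        return None


def build_demo_realm():
    """Constructed data: the accounts from this post plus a deliberate duplicate username."""
    primary, foo, bar = SaltedDigestUserStore(), SaltedDigestUserStore("foo.com"), SaltedDigestUserStore("bar.com")
    primary.add_user("test", "test123")
    foo.add_user("dinuka", "dinuka")
    bar.add_user("malinda", "malinda")
    bar.add_user("dinuka", "other-secret")   # same username as foo.com, different password
    return Realm(primary, foo, bar)
```

With build_demo_realm(), authenticate("dinuka", "dinuka") resolves to foo.com/dinuka, while the same unqualified username with bar.com's password resolves to bar.com/dinuka: two different accounts reachable through one login name. That is the ambiguity the domain prefix removes, and it is why overlapping usernames across stores should be avoided or always written in qualified form.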

 

Posted by on January 11, 2013 in Identity Server, java, mysql, Other, wso2

 


3-legged OAuth flow


I'm going to explain the behavior of 3-legged OAuth (the OAuth 1.0 flow, with its temporary and access tokens) in a simple way.

Look at the following diagram.

3-legged OAuth

Let's say a web application called MyApp needs to access my Facebook photos.
In this example: Resource Owner – me, Consumer – MyApp, Service Provider – Facebook.

Now let's map this example onto the steps in the diagram.

1. MyApp requests a temporary token from Facebook.
2. Facebook gives the temporary token to MyApp.
3. MyApp redirects me to the Facebook login page to authorize the token.
4. I log in to Facebook and grant access to MyApp.
5. Facebook confirms the authorization to me and sends me back to MyApp.
6. MyApp requests an access token from Facebook, presenting the authorized temporary token.
7. Facebook issues the access token.
8. MyApp uses the access token to request the photos in my Facebook account.
9. Facebook returns the protected photos.

Here is another simple illustration of the same flow, found on Google:

oauth_graph

 

Posted by on January 9, 2013 in java, wso2

 


Database Configuration in WSO2 Carbon Products


WSO2 Carbon is an open source enterprise SOA middleware platform. It can work with different databases such as H2, Apache Derby, MS SQL Server, MySQL, Oracle, OpenEdge, PostgreSQL and IBM DB2 to hold the user management data, the registry, and so on.

The following diagram shows the different ways the databases can be configured.
Here I'm using WSO2 Identity Server as the Carbon product and explaining two simple samples.
DB Configuration

Before discussing the samples, we have to understand which configuration files are involved.

First go to $IS_HOME/repository/conf
user-mgt.xml – all user store and user permission configuration.
registry.xml – all registry configuration.

Then go to $IS_HOME/repository/conf/datasources
master-datasources.xml – the common file in which data source configurations are defined.

In Sample 1 there is a single MySQL database for the user permission data and the registry data, and the embedded LDAP serves as the user store (usernames, passwords, etc.).

1. master-datasources.xml – first define the MySQL datasource.
Go to mysql and create a database called WSO2_MYSQL_CARBON_DB, then load the Carbon schema into it (the same script the multiple user stores post uses):

create database WSO2_MYSQL_CARBON_DB;

mysql -u root -p WSO2_MYSQL_CARBON_DB < $IS_HOME/dbscripts/mysql.sql

Then edit the datasource entry:
1. Put the database name in the name tag.
2. Change the JNDI config name to jdbc/WSO2MysqlCarbonDB.
3. Update the URL to jdbc:mysql://localhost:3306/WSO2_MYSQL_CARBON_DB.
4. Set the username (root) and password (root123). These are demo values; in a real deployment use a dedicated MySQL account with privileges only on this database, never root.
5. Define the driver class name as com.mysql.jdbc.Driver.
6. Copy the MySQL JDBC driver jar into $IS_HOME/repository/components/lib.

<datasource>
   <name>WSO2_MYSQL_CARBON_DB</name>
   <description>The MySQL datasource used for registry and user manager</description>
   <jndiConfig>
      <name>jdbc/WSO2MysqlCarbonDB</name>
   </jndiConfig>
   <definition type="RDBMS">
    <configuration>
      <url>jdbc:mysql://localhost:3306/WSO2_MYSQL_CARBON_DB</url>
      <username>root</username>
      <password>root123</password>
      <driverClassName>com.mysql.jdbc.Driver</driverClassName>
      <maxActive>50</maxActive>
      <maxWait>60000</maxWait>
      <testOnBorrow>true</testOnBorrow>
      <validationQuery>SELECT 1</validationQuery>
      <validationInterval>30000</validationInterval>
    </configuration>
   </definition>
</datasource>

2. registry.xml
Now refer to the created datasource in registry.xml by changing the dataSource element to jdbc/WSO2MysqlCarbonDB:

      <dataSource>jdbc/WSO2MysqlCarbonDB</dataSource>  

3. user-mgt.xml
Refer to the created data source here as well; this is for the user permission data.

<Configuration>
     <AdminRole>admin</AdminRole>
     <AdminUser>
         <UserName>admin</UserName>
         <Password>admin</Password>
     </AdminUser>
     <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
     <Property name="dataSource">jdbc/WSO2MysqlCarbonDB</Property>
     <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
</Configuration>

The user store itself does not need a JDBC data source, because in this sample it is the embedded LDAP, reached over the LDAP protocol rather than JDBC. The relevant user-mgt.xml section looks like this:

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="defaultRealmName">WSO2.ORG</Property>
    <Property name="kdcEnabled">false</Property>
    <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">admin</Property>
    <Property name="passwordHashMethod">SHA</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserEntryObjectClass">scimPerson</Property>
    <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
    <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">true</Property>
    <Property name="EmptyRolesAllowed">true</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
    <Property name="SCIMEnabled">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
    <Property name="DomainName">domain.com</Property>
</UserStoreManager>

Sample 2 has two databases connected to IS: one for user management (permission data) and another for the registry.
1. Create two data sources in master-datasources.xml as follows:

       <datasource>
            <name>WSO2_CARBON_DB</name>
            <description>The datasource used for user permission data</description>
            <jndiConfig>
                <name>jdbc/WSO2CarbonDB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/WSO2_MYSQL_CARBON_DB</url>
                    <username>root</username>
                    <password>root123</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>

        <datasource>
            <name>WSO2_REGISTRY_DB</name>
            <description>The datasource used for registry</description>
            <jndiConfig>
                <name>jdbc/WSO2RegistryDB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
                    <username>wso2carbon</username>
                    <password>wso2carbon</password>
                    <driverClassName>org.h2.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>      

2. registry.xml – refer to the H2 datasource:

    <dataSource>jdbc/WSO2RegistryDB</dataSource>     

3. user-mgt.xml – refer to the MySQL datasource:

<Configuration>
    <AdminRole>admin</AdminRole>
    <AdminUser>
      <UserName>admin</UserName>
      <Password>admin</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
    <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
    <Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.CommonLDAPRealmConfigBuilder</Property>
</Configuration>  

That is how different databases can be configured with Carbon products. One more practical note: both samples keep the default admin/admin credentials in the AdminUser section of user-mgt.xml; change them before the server is reachable by anyone else.

 

Posted by on January 8, 2013 in Identity Server, java, mysql, wso2

 


XACML Authorization


XACML – eXtensible Access Control Markup Language

Here I'm going to explain how WSO2 IS can be used as a XACML engine.

Let's look at the following example to understand the difference between authentication and authorization.

1. A simple billing system with three services:
Create Account, View Account Details, Delete Account
Admin role – can access all three services
User role – can access View Account Details only
Sample

Now user Dinuka logs in to this system, and the system checks whether the username and password are correct. This operation is called authentication.

Now think about this scenario: a user called Malinda logs in to the system and tries to access the Delete Account service. First the user must be authenticated; then the system has to check whether the logged-in user has permission to access Delete Account. This operation is called authorization.

The system above uses role-based authorization.

2. Now let's see how to use the XACML engine for authorization.
The system uses the ESB (Enterprise Service Bus), AS (Application Server) and IS (Identity Server).

XACML

1. Request to access Resource A – First the ESB authenticates the user, then it calls the PEP (Policy Enforcement Point; in the ESB this is the Entitlement mediator). The Identity Server connection details are configured in the Entitlement mediator.

2. Is authorized? – The PEP calls the PDP (Policy Decision Point) in IS and asks whether this user is authorized to access Resource A.

3. Yes/No – The PDP evaluates the policies in the policy store and returns the decision to the PEP.

If the decision is Permit, the user is allowed to access the resource; for any other result (Deny, NotApplicable or Indeterminate) the PEP must block the request, so the enforcement point fails closed.

The benefit of this design is that we can change the permissions of users without changing any other component such as the ESB or AS. The only thing to do is change the policies in the policy store.

Finally, the PAP (Policy Administration Point) handles the administration side of the XACML engine (uploading policies, editing policies, etc.).
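The PEP/PDP/PAP split is easier to see in code than in boxes, so here is a minimal working version of the billing example, added here as an example; it is not WSO2's XACML engine and uses plain Python structures in place of XACML policy XML. The PEP authenticates first and then enforces whatever the PDP answers, failing closed on anything that is not Permit; the PDP evaluates the rules in the policy store with a hand-written deny-overrides combining rule; the PAP is simply whatever writes to that store. The accounts (dinuka as admin, malinda as user) and their passwords are constructed for the demo.

```python
# Minimal PEP / PDP / PAP split for the billing example. Added example written for this
# page; it is not WSO2's XACML engine and uses plain Python in place of XACML policy XML.
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    """One rule: which subject roles may (or may not) perform which actions on which services."""
    effect: str             # PERMIT or DENY
    roles: frozenset
    services: frozenset
    actions: frozenset

    def matches(self, roles, service, action):
        return bool(self.roles & roles) and service in self.services and action in self.actions


@dataclass
class PolicyStore:
    """The policy store; the PAP is whatever writes to it (here: the replace() method)."""
    rules: list = field(default_factory=list)

    def replace(self, rules):          # PAP operation: upload / edit policies
        self.rules = list(rules)


class PDP:
    """Policy Decision Point: deny-overrides across the applicable rules."""

    def __init__(self, store):
        self.store = store

    def evaluate(self, roles, service, action):
        applicable = [r for r in self.store.rules if r.matches(frozenset(roles), service, action)]
        if not applicable:
            return NOT_APPLICABLE
        return DENY if any(r.effect == DENY for r in applicable) else PERMIT


class PEP:
    """Policy Enforcement Point (the Entitlement mediator's job): authenticate, ask, enforce."""

    def __init__(self, accounts, pdp):
        self.accounts = accounts  # username -> {"password": ..., "roles": [...]}  (toy store)
        self.pdp = pdp

    def handle(self, username, password, service, action="invoke"):
        account = self.accounts.get(username)
        if account is None or account["password"] != password:   # authentication comes first
            return 401, "authentication failed"
        decision = self.pdp.evaluate(account["roles"], service, action)
        if decision != PERMIT:          # fail closed: Deny, NotApplicable and anything else
            return 403, decision
        return 200, f"{service} invoked for {username}"


SERVICES = frozenset({"Create Account", "View Account Details", "Delete Account"})


def build_demo():
    """Constructed accounts and the role-based policy described in this post."""
    accounts = {"dinuka": {"password": "dinuka-pw", "roles": ["admin"]},
                "malinda": {"password": "malinda-pw", "roles": ["user"]}}
    store = PolicyStore([
        Rule(PERMIT, frozenset({"admin"}), SERVICES, frozenset({"invoke"})),
        Rule(PERMIT, frozenset({"user"}), frozenset({"View Account Details"}), frozenset({"invoke"})),
    ])
    return store, PEP(accounts, PDP(store))


def demo_policy_change():
    """Permissions change through the PAP alone; the PEP and its callers are untouched."""
    store, pep = build_demo()
    before = pep.handle("malinda", "malinda-pw", "Create Account")
    store.replace(store.rules + [
        Rule(PERMIT, frozenset({"user"}), frozenset({"Create Account"}), frozenset({"invoke"}))])
    after = pep.handle("malinda", "malinda-pw", "Create Account")
    return before, after
```

demo_policy_change() returns a 403 for malinda's Create Account call before the policy edit and a 200 after it, with no change to the PEP or to the service, which is exactly the benefit claimed above. Because the PEP treats NotApplicable the same as Deny, a request for a service that no policy mentions is refused rather than silently allowed.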

 

Posted by on January 7, 2013 in Identity Server, java, wso2

 


BulkEndpoit in Action with WSO2 Charon (SCIM Implementation)


Charon is an open source SCIM implementation offered under the Apache 2.0 license.
For more details refer to this presentation by Hasini Gunasinghe.

A bulk endpoint is an essential requirement for provisioning, because it lets us process a large amount of data in one request rather than one record at a time.
For example, we can provision 100 users in a single request.

The bulk endpoint is designed according to the following specification: http://www.simplecloud.info/specs/draft-scim-api-01.html

1. Sequence Diagram

sequence-bulkendpoint

2. Class Diagram 

Class_diagram
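The diagrams show the structure but not the behaviour a bulk endpoint has to get right, so here is a small server-side processor for a SCIM bulk request, added as an example; it is not Charon's code (Charon is Java) and does not claim to match its classes. The request and response shape follows the SCIM 1.x bulk operation as it appeared in the simplecloud drafts and SCIM 1.1 (schemas, an Operations array with method/path/bulkId/data, failOnErrors, and "bulkId:" references to resources created earlier in the same request); the status codes, the two supported paths and the operation cap are assumptions of this toy server. The sample request is constructed, not a captured one.

```python
# Server-side processing of a SCIM bulk request. Added example for this page; it is not
# Charon's code. The request/response shape follows the SCIM 1.x bulk operation (schemas,
# Operations[], method/path/bulkId/data, failOnErrors, "bulkId:" references); status codes,
# supported paths and the operation cap are assumptions of this toy server.
import itertools
import json

CORE_SCHEMA = "urn:scim:schemas:core:1.0"


class UserRepository:
    """In-memory stand-in for the provisioning target."""

    def __init__(self):
        self.users = {}
        self._ids = itertools.count(1)

    def create(self, attributes):
        if "userName" not in attributes:
            raise ValueError("userName is required")
        if any(u["userName"] == attributes["userName"] for u in self.users.values()):
            raise ValueError("userName already exists")
        uid = str(next(self._ids))
        self.users[uid] = {**attributes, "id": uid}
        return uid

    def delete(self, uid):
        if uid not in self.users:
            raise KeyError(uid)
        del self.users[uid]


def _resolve_bulk_ids(value, created):
    """Replace 'bulkId:<id>' strings with the id of the resource created earlier in this request."""
    if isinstance(value, str) and value.startswith("bulkId:"):
        ref = value[len("bulkId:"):]
        if ref not in created:
            raise ValueError(f"unresolved bulkId reference {ref}")
        return created[ref]
    if isinstance(value, dict):
        return {k: _resolve_bulk_ids(v, created) for k, v in value.items()}
    if isinstance(value, list):
        return [_resolve_bulk_ids(v, created) for v in value]
    return value


def process_bulk(request_json, repo, max_operations=1000):
    """Run every operation in order, stopping early once failOnErrors errors have occurred."""
    request = json.loads(request_json)
    if CORE_SCHEMA not in request.get("schemas", []):
        raise ValueError("not a SCIM 1.x bulk request")
    operations = request.get("Operations", [])
    if len(operations) > max_operations:        # bound the work a single request can demand
        raise ValueError("too many operations")
    fail_on_errors = request.get("failOnErrors")   # absent or 0 = never stop early
    created, results, errors = {}, [], 0
    for op in operations:
        method, path, bulk_id = op.get("method", "").upper(), op.get("path", ""), op.get("bulkId")
        result = {"method": method, "bulkId": bulk_id} if bulk_id else {"method": method}
        try:
            if method == "POST" and path == "/Users":
                uid = repo.create(_resolve_bulk_ids(op.get("data", {}), created))
                if bulk_id:
                    created[bulk_id] = uid
                result.update(location=f"/Users/{uid}", status={"code": "201"})
            elif method == "DELETE" and path.startswith("/Users/"):
                repo.delete(path[len("/Users/"):])
                result.update(location=path, status={"code": "200"})
            else:
                raise ValueError(f"unsupported operation {method} {path}")
        except KeyError as exc:
            errors += 1
            result["status"] = {"code": "404", "description": f"no such resource {exc}"}
        except ValueError as exc:
            errors += 1
            result["status"] = {"code": "400", "description": str(exc)}
        results.append(result)
        if fail_on_errors and errors >= fail_on_errors:
            break
    return {"schemas": [CORE_SCHEMA], "Operations": results}


SAMPLE_REQUEST = json.dumps({            # constructed input, not a captured request
    "schemas": [CORE_SCHEMA],
    "failOnErrors": 1,
    "Operations": [
        {"method": "POST", "path": "/Users", "bulkId": "mgr",
         "data": {"userName": "dinuka", "displayName": "Dinuka"}},
        {"method": "POST", "path": "/Users", "bulkId": "emp",
         "data": {"userName": "malinda", "manager": {"managerId": "bulkId:mgr"}}},
        {"method": "DELETE", "path": "/Users/999"},
        {"method": "POST", "path": "/Users", "bulkId": "never",
         "data": {"userName": "skipped"}},
    ],
})


def run_sample():
    """Process the constructed request; return (bulk response, repository state)."""
    repo = UserRepository()
    return process_bulk(SAMPLE_REQUEST, repo), repo
```

run_sample() shows the two things worth checking in any bulk implementation: the second user's manager reference is rewritten from bulkId:mgr to the id the first operation produced, and once the failing DELETE pushes the error count to failOnErrors the fourth operation is never executed, so the response lists three results, not four. The operation cap exists because a bulk endpoint is otherwise an easy way for one authenticated caller to tie up the server.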

 

Posted by on January 7, 2013 in Identity Server, java, wso2

 


 