Category Archives: Other

Website hacking XSS attack


Posted on March 21, 2013 in Other



JConsole with Cassandra DB

Many people cannot find a way to connect to the Cassandra DB process through JConsole. Let me explain how to do it in a simple way.

1. First you have to download Cassandra DB and make the following changes in $Cassandra_Home/conf/



2. Now start the Cassandra DB; you can then connect to the Cassandra process through JConsole.

URL – service:jmx:rmi:///jndi/rmi://:7199/jmxrmi
ex/ service:jmx:rmi:///jndi/rmi://


You don’t need to supply a username and password to connect.



Posted on March 7, 2013 in java, Other



How to attach JProfiler with WSO2 Products

JProfiler is a very useful tool for developers to monitor the memory usage, CPU usage, etc. of a Java program. In this post I’ll explain how to attach JProfiler to Carbon products. I’ll take the latest Identity Server 4.1.0 version as the Carbon product.

1. First you need to download JProfiler and install it on your machine. I have downloaded JProfiler and installed it in the following location.


2. Then you have to put the following line into the file located at $IS_HOME/repository/bin/

-agentpath:/home/dinuka/jprofiler7/bin/linux-x64/ \


3. Now go to $IS_HOME/repository/bin and start the


You can see it is waiting for a connection from JProfiler.

4. Go to the JProfiler location “/home/dinuka/jprofiler7/bin” and run the “jprofiler” file to start JProfiler.



Now go to Session -> Start Center, select the “New Session” tab, then click New Session.


Select “Attach to Profiled JVM (local or remote)”, fill in the details of the Identity Server, then click OK.


5. You can select one of the following profiling modes (Instrumentation or Sampling).



Then you can see the Identity Server starting up.


Now JProfiler is connected successfully.



Posted on March 5, 2013 in Identity Server, java, Other, wso2



Cassandra DB as Secondary user store in IS

The Apache Cassandra database is the right choice when you need scalability and high availability without compromising performance. So the Cassandra User Store Manager is available in IS from the 4.1.0 release, and we support multiple credentials with Cassandra DB.

What is multiple credential support? See the following picture to get some idea about it.
multiple credentials

Let’s look at the configuration of the Cassandra user store as a secondary user store.

1. Extract Cassandra DB and edit the file $Cassandra_Home/conf/cassandra.yaml.
Replace the following values with existing directories (data_file_directories is a list in cassandra.yaml, so it takes the “- ” item form):

data_file_directories:
    - /home/dinuka/cassandra/data
commitlog_directory: /home/dinuka/cassandra/commitlog
saved_caches_directory: /var/lib/cassandra/saved_caches

2. Go to $Cassandra_Home/bin and run the cassandra script to start the Cassandra DB.

3. Go to $IS_HOME/repository/conf/carbon.xml and make the following changes.
Enable HTTP transport for all admin services:
i. Uncomment the following element


Enable email usernames support:
i. Uncomment the following element


4. Now go to $IS_HOME/repository/conf/user-mgt.xml and configure it as follows. I’m running IS and Cassandra on the same machine, so the secondary Cassandra store is nested inside the primary LDAP user store manager.

    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
        <Property name="defaultRealmName">WSO2.ORG</Property>
        <Property name="kdcEnabled">false</Property>
        <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
        <Property name="ConnectionName">uid=admin,ou=system</Property>
        <Property name="ConnectionPassword">admin</Property>
        <Property name="passwordHashMethod">SHA</Property>
        <Property name="UserNameListFilter">(objectClass=person)</Property>
        <Property name="UserEntryObjectClass">identityPerson</Property>
        <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
        <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
        <Property name="UserNameAttribute">uid</Property>
        <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
        <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
        <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
        <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
        <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
        <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
        <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
        <Property name="ReadLDAPGroups">true</Property>
        <Property name="WriteLDAPGroups">true</Property>
        <Property name="EmptyRolesAllowed">true</Property>
        <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
        <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
        <Property name="GroupEntryObjectClass">groupOfNames</Property>
        <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
        <Property name="GroupNameAttribute">cn</Property>
        <Property name="MembershipAttribute">member</Property>
        <Property name="UserRolesCacheEnabled">true</Property>
        <Property name="UserDNPattern">uid={0},ou=Users,dc=wso2,dc=org</Property>
        <Property name="SCIMEnabled">true</Property>
        <Property name="maxFailedLoginAttempt">0</Property>

        <!-- secondary user store, chained under the primary LDAP store -->
        <UserStoreManager class="org.wso2.carbon.user.cassandra.CassandraUserStoreManager">
            <Property name="Keyspace">User_KS</Property>
            <Property name="Host">localhost</Property>
            <Property name="Port">9160</Property>
            <Property name="PasswordDigest">SHA-256</Property>
            <Property name="StoreSaltedPassword">true</Property>
            <Property name="AuthenticateWithAnyCredential">true</Property>
            <Property name="DomainName">multipleCredentialUserStoreDomain</Property>
                <Credential type="Default">org.wso2.carbon.user.cassandra.credentialtypes.EmailCredential</Credential>
                <Credential type="Email">org.wso2.carbon.user.cassandra.credentialtypes.EmailCredential</Credential>
                <Credential type="PhoneNumber">org.wso2.carbon.user.cassandra.credentialtypes.PhoneNumberCredential</Credential>
                <Credential type="Device">org.wso2.carbon.user.cassandra.credentialtypes.DeviceCredential</Credential>
                <Credential type="External">org.wso2.carbon.user.cassandra.credentialtypes.ExternalProviderCredential</Credential>
        </UserStoreManager>
    </UserStoreManager>

5. Now you have successfully completed the configuration of the secondary user store. For more details follow this configuration doc.

6. You can use the MultipleCredentialsUserAdmin service and write your own Java client to talk to IS and authenticate users. IS 4.1.0 doesn’t support this in the UI, but it will be available in future releases.

7. I have created some JMeter clients that talk to IS to authenticate users with multiple credentials; you can download them here.
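To make the PasswordDigest, StoreSaltedPassword and AuthenticateWithAnyCredential properties above concrete, here is an added Python model of a multiple-credential user store. It is example code written for this post, not WSO2 code: one account owns several credentials (Email, PhoneNumber, Device, each keyed the way the Credential elements above suggest), the password is stored as a salted SHA-256 digest, and the AuthenticateWithAnyCredential switch decides whether a login may use any credential type or only the default one. The class and function names, the user ids and the sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import os

# Toy in-memory model (constructed for this example, not WSO2 code) of a user
# store that keeps a salted SHA-256 digest per user and lets one account log in
# with any of several credential types, mirroring the PasswordDigest,
# StoreSaltedPassword and AuthenticateWithAnyCredential properties above.

DIGEST_ALGORITHM = "sha256"   # PasswordDigest = SHA-256
DEFAULT_CREDENTIAL = "Email"  # the config maps type "Default" to EmailCredential


def salted_digest(password: str, salt: bytes) -> str:
    """Hex digest of salt || password; the per-user salt is stored beside it."""
    return hashlib.new(DIGEST_ALGORITHM, salt + password.encode("utf-8")).hexdigest()


def normalize(cred_type: str, identifier: str) -> str:
    """E-mail addresses are matched case-insensitively; other identifiers verbatim."""
    identifier = identifier.strip()
    return identifier.lower() if cred_type == "Email" else identifier


class MultiCredentialStore:
    def __init__(self, authenticate_with_any: bool = True):
        self.authenticate_with_any = authenticate_with_any
        self.users = {}        # user_id -> {"salt": bytes, "digest": str}
        self.credentials = {}  # (cred_type, identifier) -> user_id

    def add_user(self, user_id, password, credentials):
        """credentials: iterable of (cred_type, identifier) pairs for this user."""
        salt = os.urandom(16)  # fresh random salt: equal passwords get different digests
        self.users[user_id] = {"salt": salt, "digest": salted_digest(password, salt)}
        for cred_type, identifier in credentials:
            key = (cred_type, normalize(cred_type, identifier))
            if key in self.credentials:
                raise ValueError(f"{cred_type} credential {identifier!r} is already in use")
            self.credentials[key] = user_id

    def authenticate(self, cred_type, identifier, password):
        """Return the user id on success, None otherwise."""
        if not self.authenticate_with_any and cred_type != DEFAULT_CREDENTIAL:
            return None  # AuthenticateWithAnyCredential=false: only the default type logs in
        user_id = self.credentials.get((cred_type, normalize(cred_type, identifier)))
        if user_id is None:
            return None
        record = self.users[user_id]
        candidate = salted_digest(password, record["salt"])
        # constant-time comparison of the two digests
        return user_id if hmac.compare_digest(candidate, record["digest"]) else None


def demo(authenticate_with_any: bool = True):
    """Register one user with three constructed credentials and try a few logins."""
    store = MultiCredentialStore(authenticate_with_any)
    store.add_user("user-1", "s3cret-pass", [
        ("Email", "Alice@Example.com"),
        ("PhoneNumber", "+10000000000"),
        ("Device", "device-abc123"),
    ])
    return {
        "email": store.authenticate("Email", "alice@example.com", "s3cret-pass"),
        "phone": store.authenticate("PhoneNumber", "+10000000000", "s3cret-pass"),
        "device_wrong_password": store.authenticate("Device", "device-abc123", "wrong"),
        "unknown_email": store.authenticate("Email", "bob@example.com", "s3cret-pass"),
    }


if __name__ == "__main__":
    print(demo())
    print(demo(authenticate_with_any=False))
```

Each credential is an index entry pointing at one account, so adding a second user with an e-mail that is already registered is rejected rather than silently overwriting the mapping, and the salt makes two users with the same password store different digests.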



Posted on March 4, 2013 in Identity Server, java, Other, wso2



WSO2 Identity Server Clustering with WSO2 Elastic Load Balancer

WSO2 IS is the most useful product in the world, so many people are using it to achieve their day-to-day security operations. Once we move to a highly available and highly scalable system we need to have multiple IS instances. So I’m going to explain how to make an IS cluster with two nodes.

First of all we need to know about the high-level scenario, so let’s look at the following diagram.


According to the above diagram there are two proxy ports in the LB, one per transport, so we need to do this mapping in the IS nodes.
Here we are using one of the clustering mechanisms, called “Well-Known Address based multicasting”.

Let’s look at the LB configuration.

1. By default it has two proxy ports exposed for HTTP (8290) and HTTPS (8243) in $WSO2_ELB/repository/conf/axis2/axis2.xml

    <!-- ================================================= -->
    <!--             Transport Ins (Listeners)             -->
    <!-- ================================================= -->
    <!--Default transport will be passthrough if you need to change please add it here -->
    <transportReceiver name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpListener">
        <parameter name="port">8290</parameter>
        <parameter name="non-blocking"> true</parameter>
        <parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
    </transportReceiver>
    <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
        <parameter name="port" locked="false">8243</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
        <!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
        <!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
        <parameter name="keystore" locked="false">
            <!-- keystore contents not shown here -->
        </parameter>
        <parameter name="truststore" locked="false">
            <!-- truststore contents not shown here -->
        </parameter>
        <!--<parameter name="SSLVerifyClient">require</parameter>
            supports optional|require or defaults to none -->
    </transportReceiver>

2. Go to $WSO2_ELB/repository/conf/loadbalancer.conf and define the cluster details as follows.

    identity {
        hosts         ;
        domains   {
                tenant_range    *;
        }
    }

3. Now add an entry to the hosts file on Linux to map the “” to your IP.

4. Start the load balancer.

5. Now go to IS node 1 and do the following configuration in $WSO2_IS_node/repository/conf/axis2/axis2.xml
* First you have to enable clustering in node 1.

    <clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">

* Set the membership scheme to “wka”

   <parameter name="membershipScheme">wka</parameter>

* Domain specification

   <parameter name="domain"></parameter>

* Local member port – this should be unique for each node. The local member port of the ELB is 4000 by default.

   <parameter name="localMemberPort">4100</parameter>

* You have to define the well-known member as well.


* You have to map the http and https to the ELB proxy ports.

    <!-- ================================================= -->
    <!-- In Transports -->
    <!-- ================================================= -->
    <transportReceiver name="http">  <!-- class attribute not shown here -->
        <!--
           Uncomment the following if you are deploying this within an application server. You
           need to specify the HTTP port of the application server
        -->
        <parameter name="port">9763</parameter>

        <!--
           Uncomment the following to enable Apache2 mod_proxy. The port on the Apache server is 80
           in this case.
        -->
        <parameter name="proxyPort">8290</parameter>
    </transportReceiver>
    <transportReceiver name="https">  <!-- class attribute not shown here -->
        <!--
           Uncomment the following if you are deploying this within an application server. You
           need to specify the HTTPS port of the application server
        -->
        <parameter name="port">9443</parameter>

        <!--
           Uncomment the following to enable Apache2 mod_proxy. The port on the Apache server is 443
           in this case.
        -->
        <parameter name="proxyPort">8243</parameter>
    </transportReceiver>

* Set the port offset to 5 in $WSO2_IS_node/repository/conf/carbon.xml and start IS node 1.



On the ELB side you can see this:

Do the same configuration in IS node 2; you can download the axis2.xml for node 2 here.

6. Now you can start the identity server node 2

7. Then you can access the Identity server through the “
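The ELB and node settings above have to agree with each other: each node's proxyPort must equal the ELB port for the same transport, the membership scheme must be wka, every localMemberPort must be unique across the ELB (4000) and the nodes, and all nodes must join the same domain. The following added Python check reads those values out of axis2.xml fragments and reports mismatches. It is example code for this post, not part of WSO2 ELB or IS; the XML fragments are constructed with only the elements the check reads, the domain name example.identity.domain and node 2's port 4200 are placeholders chosen here, and the other ports (8290, 8243, 9763, 9443, 4000, 4100) are the ones used in the post.

```python
import xml.etree.ElementTree as ET

# Constructed axis2.xml fragments holding only the elements this check reads.
# Ports are the ones from the post (ELB proxy ports 8290/8243, ELB
# localMemberPort 4000, IS node 1 on 4100); the domain name and node 2's port
# are placeholders chosen for this example. Not the real WSO2 files.
ELB_AXIS2 = """<axisconfig>
  <transportReceiver name="http"><parameter name="port">8290</parameter></transportReceiver>
  <transportReceiver name="https"><parameter name="port">8243</parameter></transportReceiver>
  <clustering enable="true"><parameter name="localMemberPort">4000</parameter></clustering>
</axisconfig>"""


def node_axis2(local_member_port, http_proxy="8290", https_proxy="8243", scheme="wka"):
    """Build a constructed IS-node axis2.xml fragment for the given settings."""
    return f"""<axisconfig>
  <transportReceiver name="http">
    <parameter name="port">9763</parameter><parameter name="proxyPort">{http_proxy}</parameter>
  </transportReceiver>
  <transportReceiver name="https">
    <parameter name="port">9443</parameter><parameter name="proxyPort">{https_proxy}</parameter>
  </transportReceiver>
  <clustering enable="true">
    <parameter name="membershipScheme">{scheme}</parameter>
    <parameter name="domain">example.identity.domain</parameter>
    <parameter name="localMemberPort">{local_member_port}</parameter>
  </clustering>
</axisconfig>"""


def _param(elem, name):
    """Text of <parameter name="..."> under elem, or None when absent."""
    p = elem.find(f"parameter[@name='{name}']")
    return p.text.strip() if p is not None and p.text else None


def _transport_params(root, name):
    """Map transport name (http/https) -> value of the named parameter."""
    return {t.get("name"): _param(t, name) for t in root.findall("transportReceiver")}


def check_cluster(elb_xml, node_xmls):
    """Return a list of misconfigurations found across the ELB and the IS nodes."""
    problems = []
    elb = ET.fromstring(elb_xml)
    elb_ports = _transport_params(elb, "port")
    member_ports = {_param(elb.find("clustering"), "localMemberPort"): "ELB"}
    domains = set()
    for node_name, xml_text in node_xmls.items():
        node = ET.fromstring(xml_text)
        cl = node.find("clustering")
        if cl is None or cl.get("enable") != "true":
            problems.append(f"{node_name}: clustering is not enabled")
            continue
        if _param(cl, "membershipScheme") != "wka":
            problems.append(f"{node_name}: membershipScheme must be wka for this setup")
        domains.add(_param(cl, "domain"))
        port = _param(cl, "localMemberPort")
        if port in member_ports:
            problems.append(f"{node_name}: localMemberPort {port} already used by {member_ports[port]}")
        member_ports[port] = node_name
        # every transport the node proxies must point at the ELB port of the same transport
        for transport, proxy in _transport_params(node, "proxyPort").items():
            if proxy != elb_ports.get(transport):
                problems.append(f"{node_name}: {transport} proxyPort {proxy} does not match "
                                f"ELB {transport} port {elb_ports.get(transport)}")
    if len(domains) > 1:
        problems.append(f"nodes disagree on the clustering domain: {sorted(str(d) for d in domains)}")
    return problems


if __name__ == "__main__":
    print(check_cluster(ELB_AXIS2, {"node1": node_axis2("4100"), "node2": node_axis2("4200")}))
    print(check_cluster(ELB_AXIS2, {"node1": node_axis2("4100"), "node2": node_axis2("4000")}))
```

The second call shows the mistake the post warns about: giving node 2 the ELB's own local member port (4000) is reported as a clash, while the first call, with 4100 and 4200, passes cleanly.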


Posted on February 13, 2013 in Identity Server, Other, wso2



Authentication and Authorization with WSO2ESB and WSO2IS

This is a very important post because I’m going to discuss how to secure a proxy service with Username Token authentication as well as authorization with XACML policies.

For authorization we are using WSO2 Identity Server and the built-in Entitlement mediator in WSO2 ESB.

Authentication and Authorization

You can see the high level view of the ESB and IS communication. Let me explain the scenario.

1. The user accesses the proxy service with their user credentials.
2. The ESB authenticates the user first.
3. If authentication passes, the ESB goes to the Identity Server through the Entitlement mediator and calls the get-decision method with the above credentials.
4. The Identity Server evaluates the XACML policies and returns the decision.
5. If the decision is “Permit”, the proxy service allows access to the echo service.
6. If the decision is “Deny” or “Not applicable”, the proxy service does not allow access to the echo service.
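The six steps above, as an added Python model written for this post (not WSO2 code): a shared user store with the testuser/testRole entries the post creates later, a policy list standing in for the EchoServicePolicy (role testRole may "read" the echo service), a PDP that returns Permit or NotApplicable, and a proxy that authenticates first and forwards to the echo service only on Permit. The function names, the resource name "EchoProxy" and the status codes are constructed for the example, and the toy store compares plaintext passwords, which a real store would never keep.

```python
import hmac

# Constructed stand-ins for the shared user store and the XACML policy described
# in the post (role testRole may "read" the echo service), modelling the six-step
# flow above. Not WSO2 code; a real store keeps password digests, not plaintext.

POLICIES = [
    {"name": "EchoServicePolicy", "resource": "EchoProxy", "action": "read",
     "role": "testRole", "effect": "Permit"},
]


def new_user_store():
    """The shared store both ESB and IS read; testuser/testRole as in the post."""
    return {"testuser": {"password": "testuser", "roles": {"testRole"}}}


def authenticate(users, username, password):
    """Step 2: the ESB checks the Username Token against the shared user store."""
    user = users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password"].encode(), password.encode())


def pdp_decision(users, username, resource, action):
    """Steps 3-4: the PDP matches the request against the policies and returns a decision."""
    roles = users.get(username, {}).get("roles", set())
    applicable = [p for p in POLICIES if p["resource"] == resource and p["action"] == action]
    if not applicable:
        return "NotApplicable"       # no policy targets this resource/action
    for policy in applicable:
        if policy["role"] in roles:
            return policy["effect"]  # a rule matched the subject's role
    # the policy applies but no rule matched; a policy with a fallback deny rule
    # would return "Deny" here, and the proxy treats both the same way
    return "NotApplicable"


def proxy_request(users, username, password, resource="EchoProxy", action="read"):
    """Steps 1-6: authenticate, ask the PDP, and forward to echo only on Permit."""
    if not authenticate(users, username, password):
        return {"status": 401, "decision": None}
    decision = pdp_decision(users, username, resource, action)
    if decision == "Permit":
        return {"status": 200, "decision": decision, "forwarded_to": "echo"}
    return {"status": 403, "decision": decision}


def demo():
    """Access with testRole, then again after the role is removed (the post's last step)."""
    users = new_user_store()
    with_role = proxy_request(users, "testuser", "testuser")
    users["testuser"]["roles"].discard("testRole")
    without_role = proxy_request(users, "testuser", "testuser")
    return with_role, without_role


if __name__ == "__main__":
    print(demo())
```

The order matters: a bad password is rejected before the PDP is ever consulted, and the proxy never distinguishes Deny from NotApplicable, which is exactly what step 6 prescribes.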

Let’s look at the configuration of this setup. We are using ESB 4.6.0 and IS 4.1.0.

1. You have to share the same user store between WSO2 ESB and WSO2 IS.
Refer to the ESB user-mgt.xml and IS user-mgt.xml – this is done for the embedded LDAP shipped with WSO2 IS, but you can configure any DB as your user store and share it between ESB and IS.

2. Start IS first and then ESB with port offset 1.
3. Create an “In sequence” in ESB.
Here you need to add the Entitlement mediator as the first child of the In sequence.

Select the Entitlement mediator and set the entitlement server URL, username and password.
entitlement server url = https://localhost:9443/services/
username = admin
password = admin

Set a Fault mediator under OnReject and a Send mediator under OnAccept.

Set the Header mediator as follows to remove the security headers.

Click on Namespaces and add the following entry.
Prefix – wsse

3. Create an “Out sequence” in ESB.
Just add Send and Log mediators as follows.

4. Now we need to create a proxy service for the echo service that already exists in WSO2 ESB.
Add new proxy -> custom proxy; then you can see the following window, where you have to specify the following details.
Name – EchoProxy
Publishing WSDL – Specify source URI
Then put the WSDL of the echo service as “http://localhost:8281/services/echo?wsdl”

Move to the next step and select the “InSequence” that we created before.

Move to the next step again and select the “OutSequence” as well.

Finally click Finish.
Now create a new role “testRole” with admin permission and a new user “testuser” with password “testuser”, and assign “testRole” to the user, because we are using this role to control access. Then secure the created proxy with Username Token as follows.




Now the proxy service creation is complete; let’s move to the Identity Server configuration.

5. In the Identity Server we need to add the XACML policy.
Here I’m going to create a simple role-based XACML policy.

Name – EchoServicePolicy
Specify the role name as “testRole”, and specify the action as “read”, because our Entitlement mediator sends the action string as “read”.

Finish the policy and enable the policy to test.

Now you can evaluate the policy through the Tryit.


But if you click on “Evaluate with PDP” you will not get Permit, because you have not yet promoted the XACML policy to the PDP.

To promote the XACML policy to the PDP, click the “sync with PDP” button in front of the policy. Now try “Evaluate with PDP” again.

Now the configuration on the Identity Server is done.

6. Go to ESB and select the EchoProxy service and go to TryIt.

Here we are using “testuser”, which has the role “testRole”, so the XACML engine permits access to the resource.

Now remove “testRole” from user “testuser” and try to access the service again. You can see the XACML engine does not permit the user to access the resource.



Legacy systems as Services

Let’s look at a simple example.

The following organization uses different systems to achieve its day-to-day operations (e.g. inventory control, HR management, sales monitoring, etc.). Over time this organization reaches a huge market and operates as a large company.


Inventory control, HR management and sales monitoring all operate as independent systems. When the company needs to use some data across two different systems, this is not possible with the existing setup, because those systems are tightly coupled.

Let’s look at the following system.


Once the same systems are exposed through defined interfaces to communicate with each other, the above three components act as services. Services may also be wrappers around existing legacy systems to meet the organization’s expectations.

If the systems within the organization follow a global standard interface to communicate with each other, then the systems can be exposed to the outside world as well, which improves interoperability among organizations.



Posted on January 19, 2013 in Other


