Latest Entries »

In this article i’m going to talk about how to secure your REST APIs, adding role based authentication to your REST API.

1.Creating REST API using Spring boot

Go to Spring Initializr portal and create spring boot application with web & AOP

Screenshot 2018-12-31 at 5.58.47 PM.png

2. Import the pom.xml in your IDE

Generate the project as a zip file. Extract it to a some place in your computer. Import the project in to your IDE

3. Check maven dependencies

Check the maven file should have spring-boot-starter-web,spring-boot-starter-aop dependency in it and add the additional dependecies as below(spring-boot-starter-json, commons-codec) your pom.xml will looks like below

<dependencies>
    <!-- Add typical dependencies for a web application -->
    <!-- Adds Tomcat and Spring MVC, along others -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-json</artifactId>
    </dependency>
    <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.11</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-aop</artifactId>
    </dependency>
</dependencies>

4. Create REST APIs

  1. Create REST API for login as below

LoginController.java

package com.bokks.micro.springbootrestapi.controller;

import com.bokks.micro.springbootrestapi.model.APIToken;
import com.bokks.micro.springbootrestapi.model.Credentials;
import com.bokks.micro.springbootrestapi.model.User;
import com.bokks.micro.springbootrestapi.service.TokenService;
import com.bokks.micro.springbootrestapi.service.UserService;
import com.bokks.micro.springbootrestapi.util.CustomErrorType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/authenticate")
public class LoginController {

    public static final Logger logger = LoggerFactory.getLogger(LoginController.class);

    @Autowired
    UserService userService; //Service which will do all data retrieval/manipulation work

    @Autowired
    TokenService tokenService;

    /**
     * This is the login api it requires input as json
     * {
     *   "username": "admin",
     *   "password": "admin123"
     * }
     * @param credentials
     * @return
     */

    @RequestMapping(value = "/login", method = RequestMethod.POST, produces = "application/json", consumes = "application/json")
    @ResponseBody
    public ResponseEntity<?> loginUser(@RequestBody Credentials credentials) {

        try {

            String username = credentials.getUsername();
            String password = credentials.getPassword();

            // Authenticate the user using the credentials provided
            authenticate(username, password);

            // Issue a token for the user
            String token = issueToken(username);

            // Return the token on the response
            return  new ResponseEntity<APIToken>(new APIToken(token), HttpStatus.OK);

        } catch (Exception e) {
            return new ResponseEntity<String>(e.getMessage(), HttpStatus.FORBIDDEN);
        }
    }

    private void authenticate(String username, String password) throws Exception {
        // Authenticate against a database, LDAP, file or whatever
        // Throw an Exception if the credentials are invalid
        // In this case authentiating using hardcoded values

        logger.info("Fetching User with username {}", username);
        User user = userService.findByUsername(username);
        if (user == null) {
            logger.error("User with username {} not found.", username);
            throw new Exception("No user found for the user name : " + username);
        }

        if(user.getPassword().equals(password)){
            logger.info("User with username {}  found. Going to issue the token", username);
        }else{
            throw new Exception("User credentials are invalid for user name: " + username);
        }


    }

    private String issueToken(String username) {
        // Issue a token (can be a random String persisted to a database or a JWT token)
        // The issued token must be associated to a user
        // Return the issued token
        logger.info("Creating Token for username {}", username);
        return  tokenService.createToken(username);

    }
}

This API requires additional classes to create Users and the token

User.java

package com.bokks.micro.springbootrestapi.model;

public class User {

   private String username;
   
   private String name;
   
   private int age;
   
   private double salary;

   private String password;

   private UserRoles userRole;

   public User(){
      username ="";
   }
   
   public User(String username, String name, int age, double salary, String password, UserRoles role ){
      this.username = username;
      this.name = name;
      this.age = age;
      this.salary = salary;
      this.password = password;
      this.userRole = role;
   }
   
   public String getUsername() {
      return username;
   }

   public void setUsername(String username) {
      this.username = username;
   }

   public String getName() {
      return name;
   }

   public void setName(String name) {
      this.name = name;
   }

   public int getAge() {
      return age;
   }

   public void setAge(int age) {
      this.age = age;
   }

   public double getSalary() {
      return salary;
   }

   public void setSalary(double salary) {
      this.salary = salary;
   }

   public String getPassword() {
      return password;
   }

   public void setPassword(String password) {
      this.password = password;
   }

   public UserRoles getUserRole() {
      return userRole;
   }

   public void setUserRole(UserRoles userRole) {
      this.userRole = userRole;
   }

// @Override
// public int hashCode() {
//    final int prime = 31;
//    int result = 1;
//    result = prime * result + (int) (username ^ (username >>> 32));
//    return result;
// }

   @Override
   public boolean equals(Object obj) {
      if (this == obj)
         return true;
      if (obj == null)
         return false;
      if (getClass() != obj.getClass())
         return false;
      User other = (User) obj;
      if (username != other.username)
         return false;
      return true;
   }

   @Override
   public String toString() {
      return "User [username=" + username + ", name=" + name + ", age=" + age
            + ", salary=" + salary + "]";
   }


}

Token.java

package com.bokks.micro.springbootrestapi.model;

import org.apache.commons.codec.binary.Base64;

public class Token {

    private long timestamp;

    private String token;

    private String username;

    public Token(long timestamp,String token,String username){
        this.token = token;
        this.timestamp = timestamp;
        this.username = username;
    }

    public long getTimestamp() {
        return timestamp;
    }

    public void setTimestamp(long timestamp) {
        this.timestamp = timestamp;
    }

    public String getToken() {
        return token;
    }

    public void setToken(String token) {
        this.token = token;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @Override
    public String toString() {
        String encodedToken = timestamp + "##" + token+ "##" + username;
        byte[] encodedBytes = Base64.encodeBase64(encodedToken.getBytes());

        return new String(encodedBytes);
    }


}

Create the API that you need to secure

RestApiController.java

package com.bokks.micro.springbootrestapi.controller;

import java.util.List;

import com.bokks.micro.springbootrestapi.filters.AuthenticationFilter;
import com.bokks.micro.springbootrestapi.filters.Secured;
import com.bokks.micro.springbootrestapi.model.User;
import com.bokks.micro.springbootrestapi.model.UserRoles;
import com.bokks.micro.springbootrestapi.service.UserService;
import com.bokks.micro.springbootrestapi.util.CustomErrorType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.util.UriComponentsBuilder;

@RestController
@RequestMapping("/expose")
public class RestApiController {

    public static final Logger logger = LoggerFactory.getLogger(RestApiController.class);

    @Autowired
    UserService userService; //Service which will do all data retrieval/manipulation work

    // -------------------Retrieve All Users---------------------------------------------

    @Secured(authorizedBy = {UserRoles.ADMIN,UserRoles.ROLE1}) // Annotation will allow Role based authorization fot the APIs
    @RequestMapping(value = "/version", method = RequestMethod.GET)
    public ResponseEntity<String> getVersion() {
        logger.info("API version details : SpringBootRestAPI Verion 1.0");
        return new ResponseEntity<String>("SpringBootRestAPI Verion 1.0", HttpStatus.OK);
    }

    @Secured(authorizedBy = UserRoles.ADMIN)
    @RequestMapping(value = "/user/", method = RequestMethod.GET)
    public ResponseEntity<List<User>> listAllUsers() {
        List<User> users = userService.findAllUsers();
        if (users.isEmpty()) {
            logger.info("No Users found");
            return new ResponseEntity(HttpStatus.NO_CONTENT);
            // You many decide to return HttpStatus.NOT_FOUND
        }
        return new ResponseEntity<List<User>>(users, HttpStatus.OK);
    }


    // -------------------Retrieve Single User------------------------------------------

    @RequestMapping(value = "/user/{username}", method = RequestMethod.GET)
    public ResponseEntity<?> getUser(@PathVariable("username") String username) {
        logger.info("Fetching User with username {}", username);
        User user = userService.findByUsername(username);
        if (user == null) {
            logger.error("User with username {} not found.", username);
            return new ResponseEntity(new CustomErrorType("User with username " + username
                    + " not found"), HttpStatus.NOT_FOUND);
        }
        return new ResponseEntity<User>(user, HttpStatus.OK);
    }

    // -------------------Create a User-------------------------------------------

    @RequestMapping(value = "/user/", method = RequestMethod.POST)
    public ResponseEntity<?> createUser(@RequestBody User user, UriComponentsBuilder ucBuilder) {
        logger.info("Creating User : {}", user);

        if (userService.isUserExist(user)) {
            logger.error("Unable to create. A User with name {} already exist", user.getName());
            return new ResponseEntity(new CustomErrorType("Unable to create. A User with name " +
                    user.getName() + " already exist."), HttpStatus.CONFLICT);
        }
        userService.saveUser(user);

        HttpHeaders headers = new HttpHeaders();
        headers.setLocation(ucBuilder.path("/api/user/{id}").buildAndExpand(user.getUsername()).toUri());
        return new ResponseEntity<String>(headers, HttpStatus.CREATED);
    }

    // ------------------- Update a User ------------------------------------------------

    @RequestMapping(value = "/user/{username}", method = RequestMethod.PUT)
    public ResponseEntity<?> updateUser(@PathVariable("username") String username, @RequestBody User user) {
        logger.info("Updating User with username {}", username);

        User currentUser = userService.findByUsername(username);

        if (currentUser == null) {
            logger.error("Unable to update. User with username {} not found.", username);
            return new ResponseEntity(new CustomErrorType("Unable to upate. User with username " + username + " not found."),
                    HttpStatus.NOT_FOUND);
        }

        currentUser.setName(user.getName());
        currentUser.setAge(user.getAge());
        currentUser.setSalary(user.getSalary());

        userService.updateUser(currentUser);
        return new ResponseEntity<User>(currentUser, HttpStatus.OK);
    }

    // ------------------- Delete a User-----------------------------------------

    @RequestMapping(value = "/user/{username}", method = RequestMethod.DELETE)
    public ResponseEntity<?> deleteUser(@PathVariable("username") String username) {
        logger.info("Fetching & Deleting User with username {}", username);

        User user = userService.findByUsername(username);
        if (user == null) {
            logger.error("Unable to delete. User with username {} not found.", username);
            return new ResponseEntity(new CustomErrorType("Unable to delete. User with username " + username + " not found."),
                    HttpStatus.NOT_FOUND);
        }
        userService.deleteUserByUsername(username);
        return new ResponseEntity<User>(HttpStatus.NO_CONTENT);
    }

    // ------------------- Delete All Users-----------------------------

    @RequestMapping(value = "/user/", method = RequestMethod.DELETE)
    public ResponseEntity<User> deleteAllUsers() {
        logger.info("Deleting All Users");

        userService.deleteAllUsers();
        return new ResponseEntity<User>(HttpStatus.NO_CONTENT);
    }

}

You can see in this API i have created annotation to secure the API “@Secured(authorizedBy = UserRoles.ADMIN)” . This is where i’m going to filter the roles and validate the user based on the token send in the HTTP request header.

5. Create the custom annotation

Creating custom annotation is similar to writing an interface, except that it interface keyword is prefixed with @ symbol. We can declare methods in annotation. Let’s see annotation example and then we will discuss it’s features.

My custom annotation class will looks like below.

Secured.java

package com.bokks.micro.springbootrestapi.filters;

import com.bokks.micro.springbootrestapi.model.UserRoles;

import java.lang.annotation.*;

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface Secured {
    UserRoles[] authorizedBy() default {};
}

Now i will explain what is a custom annotation class

  • Annotation methods can’t have parameters.
  • Annotation methods return types are limited to primitives, String, Enums, Annotation or array of these.
  • Annotation methods can have default values.
  • Annotations can have meta annotations attached to them. Meta annotations are used to provide information about the annotation. There are four types of meta annotations:
    1. @Documented – indicates that elements using this annotation should be documented by javadoc and similar tools. This type should be used to annotate the declarations of types whose annotations affect the use of annotated elements by their clients. If a type declaration is annotated with Documented, its annotations become part of the public API of the annotated elements.
    2. @Target – indicates the kinds of program element to which an annotation type is applicable. Some possible values are TYPE, METHOD, CONSTRUCTOR, FIELD etc. If Target meta-annotation is not present, then annotation can be used on any program element.
    3. @Inherited – indicates that an annotation type is automatically inherited. If user queries the annotation type on a class declaration, and the class declaration has no annotation for this type, then the class’s superclass will automatically be queried for the annotation type. This process will be repeated until an annotation for this type is found, or the top of the class hierarchy (Object) is reached.
    4. @Retention – indicates how long annotations with the annotated type are to be retained. It takes RetentionPolicy argument whose Possible values are SOURCE, CLASS and RUNTIME

You can see in this annotation class i’m expecting the UserRoles, thats where i’m defining which APIs can use which roles.

My UserRoles class will looks like below

UserRoles.java

package com.bokks.micro.springbootrestapi.model;

public enum UserRoles{
    ADMIN,ROLE1,ROLE2,ROLE3,ROLE4;
}

How to use this annotation in your APIs. you can see in the RestApiController.java i have used it

@Secured(authorizedBy = {UserRoles.ADMIN,UserRoles.ROLE1}) // Annotation will allow Role based authorization fot the APIs
@RequestMapping(value = "/version", method = RequestMethod.GET)
public ResponseEntity<String> getVersion() {
    logger.info("API version details : SpringBootRestAPI Verion 1.0");
    return new ResponseEntity<String>("SpringBootRestAPI Verion 1.0", HttpStatus.OK);
}

Creating this annotation will not be enough to trigger your logic. So you need to implement your logic to check the authentication header.

6. Creating Filter to check the API token.

To do this i have to use Spring Around aspect. Before dive into it, I will explain what is Spring AOP.

Aspect Oriented Programming Core Concepts

  1. Aspect: An aspect is a class that implements enterprise application concerns that cut across multiple classes, such as transaction management. Aspects can be a normal class configured through Spring XML configuration or we can use Spring AspectJ integration to define a class as Aspect using @Aspect annotation.
  2. Join Point: A join point is the specific point in the application such as method execution, exception handling, changing object variable values etc. In Spring AOP a join points is always the execution of a method.
  3. Advice: Advices are actions taken for a particular join point. In terms of programming, they are methods that gets executed when a certain join point with matching pointcut is reached in the application. You can think of Advices as Struts2 interceptors or Servlet Filters.
  4. Pointcut: Pointcut are expressions that is matched with join points to determine whether advice needs to be executed or not. Pointcut uses different kinds of expressions that are matched with the join points and Spring framework uses the AspectJ pointcut expression language.
  5. Target Object: They are the object on which advices are applied. Spring AOP is implemented using runtime proxies so this object is always a proxied object. What is means is that a subclass is created at runtime where the target method is overridden and advices are included based on their configuration.
  6. AOP proxy: Spring AOP implementation uses JDK dynamic proxy to create the Proxy classes with target classes and advice invocations, these are called AOP proxy classes. We can also use CGLIB proxy by adding it as the dependency in the Spring AOP project.
  7. Weaving: It is the process of linking aspects with other objects to create the advised proxy objects. This can be done at compile time, load time or at runtime. Spring AOP performs weaving at the runtime.

AOP Advice Types

Base on the execution strategy of advices, they are as per following types.

  1. Before Advice: These advices runs before the execution of join point methods. We can use @Beforeannotation to mark an advice type as Before advice.
  2. After (finally) Advice: An advice that gets executed after the join point method finishes executing, whether normally or by throwing an exception. We can create after advice using @After annotation.
  3. After Returning Advice: Sometimes we want advice methods to execute only if the join point method executes normally. We can use @AfterReturning annotation to mark a method as after returning advice.
  4. After Throwing Advice: This advice gets executed only when join point method throws exception, we can use it to rollback the transaction declaratively. We use @AfterThrowing annotation for this type of advice.
  5. Around Advice: This is the most important and powerful advice. This advice surrounds the join point method and we can also choose whether to execute the join point method or not. We can write advice code that gets executed before and after the execution of the join point method. It is the responsibility of around advice to invoke the join point method and return values if the method is returning something. We use @Around annotation to create around advice methods.

The points mentioned above may sound confusing but when we will look at the implementation of Spring AOP, things will be more clear. Let’s start looking in to our scenario.

AuthenticationFilter.java

package com.bokks.micro.springbootrestapi.filters;

import com.bokks.micro.springbootrestapi.model.UserRoles;
import com.bokks.micro.springbootrestapi.service.TokenService;
import com.bokks.micro.springbootrestapi.service.UserService;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Method;

@Aspect
@Component
public final class AuthenticationFilter {

    public static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);

    private static final String REALM = "example";
    private static final String AUTHENTICATION_SCHEME = "Bearer";
    @Autowired
    HttpServletRequest request;
    @Autowired
    TokenService tokenService;
    @Autowired
    UserService userService;

    private boolean isTokenBasedAuthentication(String authorizationHeader) {

        // Check if the Authorization header is valid
        // It must not be null and must be prefixed with "Bearer" plus a whitespace
        // The authentication scheme comparison must be case-insensitive
        logger.info("Check the token is in valid format it should followed with 'Bearer' plus a whitespace");
        return authorizationHeader != null && authorizationHeader.toLowerCase()
                .startsWith(AUTHENTICATION_SCHEME.toLowerCase() + " ");
    }

    private boolean isValidToken(String token) {

        // Check if the Authorization header is valid
        // It must not be null and must be prefixed with "Bearer" plus a whitespace
        // The authentication scheme comparison must be case-insensitive
        return tokenService.isTokenValid(token);
    }

    /**
     * This method will be invoke when the APIs having enable the @Secured annotation
     * Where this api will extract the roles assign for the specific apis and authetication
     * header send in the HTTP request.
     * Based on the authorization header method will revoke accessing to the API.
     * @param pjp
     * @return
     * @throws Throwable
     */
    @Around(" @annotation(com.bokks.micro.springbootrestapi.filters.Secured)")
    public Object validateAspect(ProceedingJoinPoint pjp) throws Throwable {

        try {
            MethodSignature signature = (MethodSignature) pjp.getSignature();
            Method method = signature.getMethod();
            boolean authorizedrequest = false;

            Secured authorizedByType = method.getAnnotation(Secured.class);
            UserRoles[] rolesOfTheAPI = authorizedByType.authorizedBy();


            String authorizationHeaderString = request.getHeader(HttpHeaders.AUTHORIZATION);
            logger.info("Header received for Authorization {}",authorizationHeaderString);
            String authorizationTokenWithoutAuthScehma = authorizationHeaderString.substring(AUTHENTICATION_SCHEME.length()).trim();
            logger.info("Token received for Authorization {}",authorizationTokenWithoutAuthScehma);

            if (!isTokenBasedAuthentication(authorizationHeaderString)||!isValidToken(authorizationTokenWithoutAuthScehma)) {
                logger.info("Unauthorized token found");
                return new ResponseEntity(HttpStatus.UNAUTHORIZED);
            }

            Enum userRole = getUserRolerFromToken(authorizationTokenWithoutAuthScehma);

            for (Enum rolesAllowed : rolesOfTheAPI) {
                logger.info("Roles allowed by the API {}",rolesAllowed);
                if (rolesAllowed.equals(userRole)) {
                    logger.info("Valid authorization found in the token provided for the {}",userRole);
                    authorizedrequest = true;
                }
            }

            if (authorizedrequest) {
                logger.info("Valid Authorization provided for method{}",method.getName());
                return pjp.proceed();
            }
            logger.info("Request UnAuthorized");
            return new ResponseEntity(HttpStatus.UNAUTHORIZED);
        }catch (Exception e){
            logger.error("Exception thwon while processing  : {}",e.getCause());
            return new ResponseEntity(e.getMessage(),HttpStatus.UNAUTHORIZED);
        }

    }

    private UserRoles getUserRolerFromToken(String token) {

        String userName = tokenService.findByToken(token).getUsername();
        UserRoles userRoles = userService.findByUsername(userName).getUserRole();

        return userRoles;
    }
}


If you check my code you can see my point cut as ” @annotation(com.bokks.micro.springbootrestapi.filters.Secured)” which means whenever this annotation triggers it will goes through my filter method. There you can implement your logic to check the authorization.

You can see on the top of the class i have autowired “HttpServletRequest” which provides me to get the header details of the request.

Ok we are now done with coding.

7. Build Application

since this is a maven application you can use spring boot maven plugin to bundle it as a spring boot application.

Add below on your pom.xml

<build>
    <plugins>
        <plugin><!-- Include if you want to make an executable jar[FAT JAR which
   includes all dependencies along with sprinboot loader] that you can run on 
   commandline using java -jar NAME -->
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

then build application using;

mvn clean install

8. Running the application

Since this is a SpringBoot application it carries embedded tomcat and you can bundle it as jar;

go to the build jar location

java -jar youapplication.jar

Screenshot 2018-12-31 at 6.43.52 PM.png

9. Testing

Get The API token from my service. invoke the login API.

Screenshot 2018-12-31 at 6.49.48 PM

Use the token received from the API to invoke the version API.

Screenshot 2018-12-31 at 6.54.58 PM.png

Now let’s see a user who is having ROLE3 as the user role, is able to access this version API.

Screenshot 2018-12-31 at 6.58.09 PM.png

Our API is not allowing user3 to access this API, because in the annotation i have only given permission to ADMIN and ROLE1.

Thats the end of it…

Happy Coding 🙂

You can find complete implementation in my github repo.

More over similar kind of annotation based implementation you can use in jersey as well. but its using ContainerRequestFilter to filter your request. You can see this on how to implement it in jersey based REST applications. This way it impressed me to implement in REST based spring application.

 

 

Advertisements

Security is fundamentally about protecting assets. Hence software systems should control the access from unwanted threats. Today there are different types of users in many corporate software systems. These different users has different levels of access to the system and these systems should need to control the access according to the user.

In this post i’m going to explain how to secure your unsecured web service using WSO2 ESB and how to invoke a secured service

  • Prerequisite

How to create a simple web service

How to create a proxy service

Above created web service doesn’t included any security features, as the first step you need to enable the security features to your proxy service using WSO2 ESB.

Enabling Security features in your proxy service 

1. Open the ESB management console

2.Click List under Services in the Main tab to view all available proxy services.

3.Click on the desired proxy service you need to enable security features(in my case OrderProcessingService).

4.Click Security under Quality of Service Configuration in the service dashboard to open the Security for the service page

Screen Shot 2014-09-15 at 2.27.32 PM

5. Select Yes for the Enable Security? field to view the pre-defined security scenarios.

6. Select the required security scenario ( UsernameToken in my case) and click  Next  to open the Activate Security

 PreDefined_Security_Scenarios

7. Select the domain and the role name which you need to enable security and select the admin in the User Groups to apply basic authentication to the admin user group

Screen Shot 2014-09-15 at 2.52.39 PM

8. Click Finish. An information message would appear to indicate that security was applied successfully.

Now you have enabled security to your web service by using WSO2 ESB.

And now its time to do something with your secured web service

Invoking the secure service(Creating secure client)

In the above steps when applying the security feature i have used UserName Token to authenticate users. In another word now our web service expects username and password as a soap header and the service can authenticate user using that information.

Username token is sent over HTTPS transport to secure the message. Therefore users need to specify a trust store which contains the server certificate (public key) with its password. Since this article uses same keystore as in the server by default it contains the server certificate. User name is given as an axis2 client option which is picked by the rampart. The password is picked from a call back handler which is given in the security policy. Following client program can be used to invoke the service with basic authentication.

System.setProperty("javax.net.ssl.trustStore", "/resources/wso2carbon.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

CustomerOrderServiceStub stub = new CustomerOrderServiceStub("https://localhost:8243/services/OrderProcessingService");
HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();
authenticator.setUsername("admin");
authenticator.setPassword("admin");

stub._getServiceClient().getOptions().setProperty(HTTPConstants.AUTHENTICATE, authenticator);
stub._getServiceClient().getOptions().setProperty(Constants.Configuration.ENABLE_REST, Constants.VALUE_TRUE);

Now i will explain what these code snippet actually do…

javax.net.ssl.trustStore – Location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store).

If a trust store location is not specified using this property, the SunJSSE implementation searches for and uses a keystore file in the following locations (in order):

$JAVA_HOME/lib/security/jssecacerts

$JAVA_HOME/lib/security/cacerts

javax.net.ssl.trustStorePassword – Password to unlock the keystore file (store password) specified by javax.net.ssl.trustStore.

First it creates an Authenticator object and set the user name and password to that. Axis2 commons HTTP transport uses this value to create the HTTP headers. Basic authentication based authentication for User name token only works with the messages with content type application/xml. Therefore it is required to enable to REST to message.

Conclusion

Today Security is one of the major concern of any software system. Web service integration is commonly used to form integrated functionality. Depending on the service integrated such systems can have complex authorization logics. This article demonstrate on how to secure your back-end server using WSO2 ESB by following easy steps. Further that this article demonstrate how to invoke service and how users can be authenticated at the integrated service layer.It uses the Username Token in oder to authenticate the user and mutual authentication to secure the back end services.

Source

https://docs.wso2.com/display/ESB481/Securing+Proxy+Services

http://wso2.com/library/articles/2011/06/securing-web-service-integration/

 

The newer version of the GNOME desktop was released back in September 2013 and comes with a raft of improved features, apps and usability tweaks. From hi-res screen support to new client-side decoration of app windows, GNOME 3.10 is a compelling upgrade.

Screenshot from 2014-02-04 13:42:21

 

header-bars

The good news is that – providing you’re running Ubuntu 13.10, have a decent internet connection, and some command line aptitude (pun fully intended) – you do n’t have to stick with a stale version of GNOME.

Software requirments

  • Ubuntu 13.10

note : 

  • GNOME 3.10 has NOT been tested with Ubuntu 13.10; you upgrade at your own risk

Steps

First, let’s add the GNOME 3 PPA to Ubuntu’s Software Sources. This can be done using a GUI but it is far easier to achieve using the command line.

  • Open a new Terminal window and enter the following command, entering your user password when asked:
    sudo add-apt-repository ppa:gnome3-team/gnome3-next && sudo apt-get update
  • With the PPA added and our package list updated we can move on to installing GNOME 3.10 itself. To do this run the following command, again entering your user password when prompted:
    sudo apt-get update && sudo apt-get install gnome-shell ubuntu-gnome-desktop 
    
    Attention : It can take a while for all the necessary packages and components to be fetched and installed, so try to be patient.
  • Midway through the installation a prompt will appear in the Terminal asking you to choose what display manager – aka “login screen” – should be used by default.
  • This decision is entirely up to you; both Ubuntu’s Unity Greeter and the GNOME Display Manager let you easily switch between desktop sessions (handy if you want to keep Unity or another desktop around) but only GDM offers GNOME-specific features such as lock-screen notifications.When you’re ready to decide make your selection using the up/down arrow keys and hit ‘Enter/Return’ to confirm. The installation will then proceed. select gdm if you like GNOME Display Manager.

Screenshot from 2014-02-04 13:20:27

  • GNOME 3.10 comes with some great new features, applications – including Gnome weather, Music,Maps, etc, if you willing add those links add them using
    sudo add-apt-repository ppa:gnome3-team/gnome3-staging
    
    sudo add-apt-repository ppa:gnome3-team/gnome3
    sudo apt-get update && sudo apt-get dist-upgrade
  • To add some of the cool apps we mentioned earlier run:
    sudo apt-get install gnome-weather gnome-music gnome-maps cheese gnome-documents

    With that we’re done!

  • To see the effects you need to restart your computer, after appearing the login screen select the desktop manager you need to use.(Gnome or Gnome classic)

In blackberry if you want to create a buttonfiled first you have to create a ButtonField varaible. so from this buttonfield object you only can create predefined fuunctions in that you cannot have colors for the buttons and text. so to customize the button you have to create customize button object.

Here is how to create a it……..

//importing necessary blackberry packages

import net.rim.device.api.system.Display;
import net.rim.device.api.ui.Color;
import net.rim.device.api.ui.Field;
import net.rim.device.api.ui.Font;
import net.rim.device.api.ui.Graphics;
import net.rim.device.api.ui.Keypad;

//Custom buttonfiled will create by extending field class

public class CustomButtonField extends Field
{

private int backgroundColour;
private int highlightColour;
private int colour;
private int fieldWidth;
private int fieldHeight;
private String text;
private int padding = 15;
private double fontWidth;
private Font font;

public CustomButtonField(String text, int highlightColour, int backgroundColour)
{
super();
this.text = text;
this.highlightColour = highlightColour;
this.backgroundColour = backgroundColour;
colour = backgroundColour;

font = Font.getDefault();
fieldHeight = font.getHeight() + padding;
fontWidth = font.getHeight() / 4;
fieldWidth = (Display.getWidth() – 12) / 6;
this.setPadding(2, 2, 2, 2);
}
public CustomButtonField(String text, int highlightColour, int backgroundColour, int width, int height, int padding)
{
super();
this.text = text;
this.highlightColour = highlightColour;
this.backgroundColour = backgroundColour;
colour = backgroundColour;
font = Font.getDefault();
fieldHeight = height;
fieldWidth = width;
this.setPadding(2, padding, 2, padding);
}
public void setFont(Font font){
this.font = font;
}
public void setFocus(){
super.setFocus();
}
public boolean isFocusable(){
return true;
}

protected boolean keyChar(char character, int status, int time) {
if (character == Keypad.KEY_ENTER) {
fieldChangeNotify(0);
return true;
}
return super.keyChar(character, status, time);
}
protected boolean navigationClick(int status, int time)
{
fieldChangeNotify(0);
return true;
}

protected void onFocus(int direction)
{
colour = highlightColour;
invalidate();
}

Now let see how to use it in the application first import this class in to your project

then after that create  varibale called

private CustomButtonField cmdNext;

To invoke the field we created

cmdNext = new CustomButtonField(“Next”,0x0099FF ,0xDDDDDD);
cmdNext.setFont(Font.getDefault().derive(Font.BOLD));

we need to use it like this in here i’m using my custom color for the button, and i have change the font to bold

Here how it look likes…

in this simple code snippet you can change the size of the button, position of the text etc..

First of all need to clarify what is Push down automation in programming language it is Basically Check the validity of the Syntax

  • Finite Automata cannot recognize all Context Free languages.
  • Why Finite automata cannot recognize all Context Free Languages?
    –Finite automata can keep a record of the history of events (finite).
    –CFLs may generate strings carrying unbounded amount of information.

so in this case we need to check the validity of the context free language for that kind of situation we can have push down automation.

PDA recognizes all and only the context-free languages.
There are two versions of PDA
  • PDA that accepts a string by entering an accepting state.
  • PDA that accepts a string by emptying its stack, regardless of the state it is in.
What PDA actually Do….
First of all PDA will put the Starting symbol in to the stack. and after that in consume a character, then it will go and check with the stack top and pop the element from the stack and check through language’s grammar with the stack top and input symbol. if there is matching production in grammar it will put that matching production’s Non-terminals in to the stack.
as example
S->aA
A->aBC
B->b
C->c
in here if input string is “aabc” first it will put start symbol ‘S’ in to the stack. and after that it will put ‘A’ to the stack because input symbol is ‘a’.
then it goes to the second input in here it is also the ‘a’. now stack top is ‘A’. pop ‘A’ and get the production of ‘A’. it will be A-aBC so now it will put these non terminals of production ‘A’. it will put where as left most Non-terminal becoming stack top.like wise this will do until end of the string.
how to implement…..   
this PDA is developed for S-grammar
S-grammar rules are of the form A => aX where X belongs zero or more none terminals
in this implementation it take a-z characters as  terminals and A-Z characters as Non-terminals

Algorithm used

  • First of all when loading the form system will check the grammar line by line in production.txt file and while going through the text file it will create a parser table

As a example

If grammar is

S->aA

A->aBC|bB|cC

B->b

C->c  parser table for this grammar is

a b c d . . y z
A aBC bB cC
B b
C c
.
.
S aA
.
Z
  • First of all first Non- terminal character will be taken as the start symbol of this grammar. And to indicate the bottom of the stack system will put “$” character to the bottom of the stack at the beginning. After that system will put the start of the symbol grammar to the stack
  • When user input a character it will get input character at a time and get the stack top if it is Non-terminal.
  • By getting the input character and stack top using parser table can check which production should need to apply next.
  • After looking at the parser table it will put it in to the stack
  • Input string will be check with the stack top if it matches (if stack top is terminal) it will pop stack top otherwise it will look parser table according to the input and None-terminal.
  • This process carries out until input string gets end.
  • Or if that string doesn’t match operation will be terminate.

Example usage:

According above mention grammar If  input string is aabc

Data Structures Used

In this system it uses array data structure

  • For maintain parser table it uses a multi-dimensional array.
  • For maintain input string

Stack data structure

  • For maintain automation and for get the next parsing value

Assumptions made

  • All characters from a-z are taken as terminal all characters from A-Z are taken as the Non-terminal
  • Assuming the first character of the production as start symbol
  • Grammar should need to be written correctly

For example there must not be white space characters in production

what is a Netkit

Netkit is a set of tools and commands that can be used easily setup a virtual computer network