Tuesday, November 5, 2013

Understanding SSL





For understanding SSL , first thing to understand is Digital Certificate.

 Digitally signed CA certificate

 Below is the key point which define a digitally signed certificate-
It is standard for verifying a client ,server or any third party.

 It has following 4 key elements -
1. Organizational information
This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility.
2. Public key
The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.
3. Certificate authority's distinguished name
The issuer of the certificate identifies itself with this information.
4. Digital signature
The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding CA certificate to verify that the certificate originated from a trusted certificate authority.

 SSL
SSL is a process used for authenticating a caller using digitally signed certificate .The cert can be signed by third party CA authority or self signed using utility tools.
One-Way SSL
One way SSL is used by clients to authenticate the server
The service provider i.e. the server shares its digital certificate with the client and client store it in its truststore.
Truststore keystore is the certificate repository where the server/client stores all the thirdparty certificates. 
Identity keystore is the certificate repository where server/client store its own certificate
Before the actual message is transmitted the handshake needs to be done and establish the connection successfully.
Client has the servers public key ( contained in the certificate that server shared).
One important point to remember is that there is unique private-public key pair which the server has.Public key is present in the certificate and shared with the client .Private key is kept secret.Any message encrypted using a private key can be decrypted only with its unique public key .

 Below are the steps to establish connection in case of One way SSL -

 1. Client requests for a protected resource from the server.
2. Server sends it's certificate to the client
3. Client validates the digital signature in the received certificate against the digital signature present in the certificate which the client already has in its trust store. If the digital signature match that means the digital certificate is generated from valid CA authority and has not been tampered in between.
4.Client request the server to prove server's identity (ownership).
5. So the server sends back message encrypted using servers private key .  
6. Client validates the servers identity using servers public key which was sent as part of digital certificate.
7.On successful validation a handshake is done and connection is established between client and the server.
8. Server sends the requested resource to the client.

 This is one way SSL and in case of 2 way SSL ,the server also validates the client similarly.




Posted by at No comments:
Labels: , , , ,

Sunday, September 8, 2013

SOAP handler with SAML Authentication


SOAP Handler
A SOAP message handler provides a mechanism for intercepting the SOAP message in both the request and response of the Web Service. You can create handlers in both the Web Service itself and the client applications that invoke the Web Service.
A simple example of using handlers is to access information in the header part of the SOAP message. You can use the SOAP header to store Web Service specific information and then use handlers to manipulate it.
You can also use SOAP message handlers to improve the performance of your Web Service. After your Web Service has been deployed for a while, you might discover that many consumers invoke it with the same parameters. You could improve the performance of your Web Service by caching the results of popular invokes of the Web Service (assuming the results are static) and immediately returning these results when appropriate, without ever invoking the back-end components that implement the Web Service. You implement this performance improvement by using handlers to check the request SOAP message to see if it contains the popular parameters.

Sample implementation of client handler with SAMP authentication - 

 public class SampleClientHandler implements Handler {

private final String CLASSNAME = "SampleClientHandler ";
public void destroy() {
// TODO Auto-generated method stub

}

public QName[] getHeaders() {
// TODO Auto-generated method stub
return null;
}

public boolean handleFault(MessageContext arg0) {
// TODO Auto-generated method stub
return false;
}

/**
 * Method to add the security part for saml in the soap header 
 */
public boolean handleRequest(MessageContext messageContext) {
try {
SOAPFactory soapFactory =SOAPFactory.newInstance();
SOAPElement security=soapFactory.createElement("Security", "wsse", ns);

String authNS = "urn:oasis:names:tc:SAML:1.0:assertion";
SOAPElement usernameToken = security.addChildElement("UsernameToken",                                            "wsse",authNS);
Name wsuId  = soapFactory.createName("wsu:Id");
Name xmlnsWsu  = soapFactory.createName("xmlns:wsu");
if(usernameToken==null){
System.out.println( "usernameToken ==null ");
}
usernameToken.addAttribute(wsuId, "UsernameToken-72");
usernameToken.addAttribute(xmlnsWsu, "xsd location");

SOAPElement userName = usernameToken.addChildElement("Username",                                                  "wsse",authNS);
userName.addTextNode(username);
SOAPElement password = usernameToken.addChildElement("Password", "wsse",authNS);
Name type  = soapFactory.createName("Type");
password.addAttribute(type,"PWD");

SOAPElement assertion = security.addChildElement("Assertion",                                                                 "ns1","urn:oasis:names:tc:SAML:1.0:assertion");
Name assertionID = soapFactory.createName("AssertionID");
Name issueInstant = soapFactory.createName("IssueInstant");
Name issuer = soapFactory.createName("Issuer");
Name majorVersion = soapFactory.createName("MajorVersion");
Name minorVersion = soapFactory.createName("MinorVersion");

assertion.addAttribute(assertionID, "disputes");
assertion.addAttribute(issueInstant, strSysdate);
assertion.addAttribute(issuer, "xyz.com");
assertion.addAttribute(majorVersion, "1");
assertion.addAttribute(minorVersion, "1");


SOAPElement authenticationStatement =                                                                                                      assertion.addChildElement("AuthenticationStatement", "ns1",authNS);
Name authenticationInstant = soapFactory.createName("AuthenticationInstant");
Name authenticationMethod = soapFactory.createName("AuthenticationMethod");
authenticationStatement.addAttribute(authenticationInstant, strSysdate);
authenticationStatement.addAttribute(authenticationMethod,                                                                          "urn:oasis:names:tc:SAML:1.0:am:password");

SOAPElement subject = authenticationStatement.addChildElement("Subject",                                                "ns1",authNS);
SOAPElement nameIdentifier = subject.addChildElement("NameIdentifier", "ns1",authNS);

nameIdentifier.addTextNode(strNameIdentifier);

SOAPElement subjectConfirmation = subject.addChildElement("SubjectConfirmation",                                  "ns1",authNS);
SOAPElement confirmationMethod =                                                                                                           subjectConfirmation.addChildElement("ConfirmationMethod","ns1",authNS);
confirmationMethod.addTextNode("urn:oasis:names:tc:SAML:1.0:cm:sender-vouches");

SOAPMessageContext soapMessageContext = (SOAPMessageContext)messageContext;
SOAPEnvelope soapEnvelop                                                                                                                       soapMessageContext.getMessage().getSOAPPart().getEnvelope();
soapEnvelop.getHeader().addChildElement(security);

return true;

} catch (SOAPException e) {
e.printstacktrace();
}
               return false;
}

public boolean handleResponse(MessageContext messageContext) {
//Log the respone received
SOAPMessageContext soapMessageContext = (SOAPMessageContext)messageContext;
logToSystem(soapMessageContext);

return false;
}

public void init(HandlerInfo arg0) {
// TODO Auto-generated method stub
}

/**
 * Method to log the resquest or response to the system.out printstream
 * @param soapMessageContext
 * @throws SOAPException
 * @throws IOException
 */
public void logToSystem(SOAPMessageContext soapMessageContext){

try {
SOAPMessage soapMessage  =soapMessageContext.getMessage();

soapMessage.writeTo(System.out);
//Log to logger file
/*ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
soapMessage.writeTo(byteArrayOutputStream);
String strXml = byteArrayOutputStream.toString();

logger.info(strXml);*/


} catch (Exception e) {
e.printstacktrace();
}

}

Posted by at No comments:
Labels: , , ,

Creating unmodifiable static map



Unmodifiable static map


public static final Map unmodifiableMap = Collections.unmodifiableMap(
new HashMap(){{
    put("key1","value1");
    put("key2","value2");
}}
);


Posted by at No comments:
Labels: , , , ,
Subscribe to: Posts (Atom)