Metro's Monthly Movie Review

Posted by Unknown on Wednesday, December 14, 2011

Each month a team member of Metro will be writing a movie review to share with you. And this month team member Erin Cheasley has reviewed 'Immortals'. Director – Tarsem Singh, Starring: Henry Cavill, Mickey Rourke, John Hurt & Stephen Dorff.

The first thing that comes to mind when you see the trailer for the movie is that it is another '300' take-off. Apart from both being in the sword-and-sandals genre, with shirts optional, the director of 'Immortals' had a lot more visual tricks up his sleeve and took another approach to the Greek myth concept, quite a comparison to 300.

Immortals definitely portrays a storyline of a battle between good and evil. Evil King Hyperion is leading his army of murderous, mask-wearing villains across Greece, searching for the magical bow that will free the imprisoned Titans so they can attack the gods. Meanwhile the hero Theseus, who is displeased by King Hyperion's attack, goes on the quest to obtain the magical bow himself, in the end finding the courage and leadership abilities within him to lead his forces of good against evil, which eventually wraps up into one big battle. A highlight of the movie is the action sequences: the director really captured a level of gore and violence that will have anyone's jaw drop, using slow-motion action. It will not only give you chills but have you on the edge of your seat.

This is an age of myth, a world where the gods are real, people have visions of the future and magic exists, so this movie is allowed to look weird, mystical and over the top. If Greek mythology tickles your fancy then this is a movie I would recommend. Having a keen interest in Greek mythology and the way this movie used every aspect of what Greek mythology is, I found the movie Immortals to be worth a look (and so too the shirtless men), and it may even be better than the movie 300.


Metro's Monthly Movie Review

Posted by Unknown on Sunday, November 20, 2011

Each month a team member of Metro will be writing a movie review to share with you. And this month team member Merryn Schmidt has reviewed 'The Cup'. Director – Simon Wincer, Starring - Stephen Curry, Brendan Gleeson, Shaun Micallef & Daniel MacPherson.

'The Cup' is based on the true story of champion jockey Damien Oliver and his inspirational ride to win the 2002 Melbourne Cup. Damien (Stephen Curry) crosses the finish line onboard horse 'Media Puzzle', and salutes the heavens as a gesture to his older brother, Jason, who died tragically less than a week prior, in a track accident.

Unfortunately, ‘The Cup’ is not going to stop the nation as the actual race does, but it is certainly an entertaining and enjoyable flick. As the film is set in Melbourne, I appreciated the familiarity of locations such as the Yarra River and Flemington Race Course and the infusion of original photographs and film footage of the Melbourne Cup history over decades.

'The Cup' is a little slow 'out of the gates' and moves slowly to give an insight into the danger, the early starts, the half-starving themselves, and the dedication jockeys, trainers, strappers and the like give to their careers, all so we can be enchanted by these majestic animals as they thunder down the track for our entertainment.


Released with perfect timing, during the Melbourne Spring Racing Carnival, ‘The Cup’ may attract good odds, but I have to say it is not a must see on the big screen. When you do see this film be warned you will require a tissue or two.
- by Merryn Schmidt

Advanced SSL configuration on IBM Http Server – Restrict unused HTTP methods and Verbose HTTP headers

Posted by Unknown on Tuesday, November 1, 2011

Restricting unused HTTP methods

The HTTP method is supplied in the request line and specifies the operation the client has requested. Browsers generally use just two methods to access and interact with web sites: GET for queries that can be safely repeated, and POST for operations that may have side effects. This means we should disable the HTTP methods that are not used. Some of them are: PUT, DELETE, TRACE, TRACK, COPY, MOVE, LOCK, UNLOCK, PROPFIND, PROPPATCH, SEARCH and MKCOL. Check with the application teams whether they need any of these methods for the application to work before disabling them.

Testing before limiting http methods:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Connection closed by foreign host.

Your IBM HTTP Server configuration file (httpd.conf) has two relevant sections: the main section and the VirtualHost sections. You need to add the following directives in both places. I am doing this with the mod_rewrite module, so first make sure that mod_rewrite is enabled; then add the following lines to the main and VirtualHost sections of httpd.conf.

RewriteEngine On
# Match any request whose method is in this list...
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL)
# ...and answer it with 403 Forbidden ([F]); "-" means the URL is left unchanged
RewriteRule .* - [F]

Restart the web server after adding the above lines.


Now, when someone tries to use one of these HTTP methods, they will get a 403 Forbidden response, since we specified [F] in the rewrite rule.

Testing after adding the lines and restarting the web server:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:15:44 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, POST
Connection closed by foreign host.

Testing the TRACE method:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected josephamrithraj.mp
Escape character is '^]'.
TRACE / HTTP/1.0
Host: josephamrithraj.mp
testing...        <- press ENTER twice

HTTP/1.1 403 Forbidden
Date: Thu, 14 Sep 2010 00:18:31 GMT
Server: Apache Web Server
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

403 Forbidden

Forbidden

You don't have permission to access / on this server.


Connection closed by foreign host.

Disabling verbose HTTP headers:

You may have noticed that when the web server (Apache or IBM HTTP Server) returns an error page, it sometimes includes details about its version, build, loaded modules and so on. This is a security issue, because it gives away details about your web server. For example, take a look at this:

Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80
This line exposes version and variant information about the Linux distribution, the Apache software and the PHP build in use on the machine. That indirectly points attackers at vulnerabilities known to exist in those versions, or at least makes it easier for them to fingerprint the system for available attack points.
To ensure that the Apache HTTP server does not broadcast this to the whole world, and to fix the possible security issue, modify the two directives ServerTokens and ServerSignature in the httpd.conf configuration file.

ServerTokens

This directive configures what the server returns in the Server HTTP response header. The built-in default is Full, which sends information about the OS type and compiled-in modules. The recommended value is Prod, which sends the least information.

Options: Full | OS | Minor | Minimal | Major | Prod

ServerTokens Prod

This configures Apache to return only "Apache" as the product in the Server response header on every request, suppressing OS, major and minor version information.

ServerSignature

This directive lets you add a line containing the server version and virtual host name to server-generated pages. It is recommended to set it to Off. (Setting it to EMail additionally includes a mailto: link to the ServerAdmin address.)

Options: On | Off | EMail

ServerSignature Off

This instructs Apache not to display the trailing footer line under server-generated documents, which shows the server version number, the ServerName of the serving virtual host, the email setting, and so on.
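As an added example (not code from the original post), here is a small Python audit that parses raw HTTP response text such as the telnet transcripts above and reports methods advertised in the Allow header outside a GET/HEAD/POST/OPTIONS allow-list, as well as a Server header more verbose than ServerTokens Prod would produce. The sample responses are constructed inline.

```python
"""Audit raw HTTP responses for exposed methods and verbose Server headers.

Added example, not part of the original post. Input is the raw response text
you would see in a telnet session or a packet capture (status line + headers).
"""
import re

# Methods a browser-facing application normally needs; anything else in Allow is reported.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

# Server header values that leak more than a bare product name (what ServerTokens Prod sends):
# a version ("Apache/2.0.53"), a parenthesised OS ("(Ubuntu)"), or a module/language tag.
VERBOSE_SERVER = re.compile(r"/\d|\(|\bPHP\b|\bOpenSSL\b|mod_", re.IGNORECASE)


def parse_response(raw):
    """Return (status_code, headers) from raw response text; header names are lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.strip().split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def exposed_methods(raw):
    """Methods advertised in the Allow header that are outside ALLOWED_METHODS, sorted."""
    _, headers = parse_response(raw)
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return sorted(advertised - ALLOWED_METHODS)


def server_header_is_verbose(raw):
    """True when the Server header reveals version, OS or module details."""
    _, headers = parse_response(raw)
    return bool(VERBOSE_SERVER.search(headers.get("server", "")))


def audit(raw):
    """Combined report for one OPTIONS response."""
    return {"exposed_methods": exposed_methods(raw),
            "verbose_server_header": server_header_is_verbose(raw)}


# Constructed samples modelled on the transcripts in the post (before and after the
# rewrite rule), plus one with the kind of verbose Server header the post warns about.
BEFORE_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Date: Thu, 14 Sep 2010 00:11:57 GMT\n"
    "Server: Apache Web Server\n"
    "Content-Length: 0\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, "
    "MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\n\n"
)
AFTER_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Date: Thu, 14 Sep 2010 00:15:44 GMT\n"
    "Server: Apache Web Server\n"
    "Content-Length: 0\n"
    "Allow: GET, POST\n\n"
)
VERBOSE_RESPONSE = (
    "HTTP/1.1 404 Not Found\n"
    "Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4\n"
    "Content-Type: text/html; charset=iso-8859-1\n\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_RESPONSE), ("after", AFTER_RESPONSE),
                       ("verbose", VERBOSE_RESPONSE)):
        print(label, audit(raw))
```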


Courtesy: http://josephamrithraj.wordpress.com/2010/09/16/advanced-ssl-configuration-on-ibm-http-server-restrict-unused-http-methods-and-verbose-http-headers/

Advanced SSL configuration on IBM Http Server – Client Authentication and Ciphers

Posted by Unknown

The advanced SSL configuration settings covered here are:

1. Client authentication
2. Setting ciphers
3. SSL for multiple IP virtual hosts

Client Authentication:

If you enable client authentication, the server validates clients by checking their certificates against the trusted certificate authority certificates (known as CA root certificates) in the local key database. To enable client authentication, use the SSLClientAuth directive. The options for this directive are:

None – The server requests no client certificate from the client.
Optional – The server requests, but does not require, a client certificate. If presented, the client certificate must prove valid.
Required – The server requires a valid certificate from all clients and returns a 403 status code if no certificate is present.
Required_reset – The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This lets the client understand that the SSL failure is client-certificate related, and causes browsers to re-prompt for client certificate information on subsequent access. Make sure you have GSKit version 7.0.4.19 or later if you choose this option.
For example, if I want all clients to be authenticated, I need to add the following stanza:
SSLClientAuth required

Ciphers

We set the cipher specifications to use during secure transactions. The specified cipher specifications are validated against the level of the Global Security Kit (GSK) toolkit installed on your system; invalid cipher specifications cause an error to be logged in the error log. If the client issuing the request does not support any of the ciphers specified, the request fails and the connection to the client is closed. IBM HTTP Server has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL). The actual cipher specification used for a particular client connection is selected from those supported by both IBM HTTP Server and the client.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

IBM HTTP Server supports cipher specifications for SSLv3, TLS and SSLv2.

IBM recommends the following setting, keeping in mind both strong security and performance:

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2. Excluding it in the presence of
## the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

Viewing the ciphers which the server uses for secure transactions

Set LogLevel to info in the configuration file. Then look in the error log for messages in this format: TimeStamp info_message mod_ibm_ssl: Using Version 2/3 Cipher: longname|shortname. The order in which the cipher specifications appear in the error log, from top to bottom, is the order in which they are attempted.

Viewing the ciphers used to negotiate a connection

You can use the following LogFormat directive to view and log the SSL cipher negotiated for each connection:

LogFormat "%h %l %u %t \"%r\" %>s %b \"SSL=%{HTTPS}e\" \"%{HTTPS_CIPHER}e\" \"%{HTTPS_KEYSIZE}e\" \"%{HTTPS_SECRETKEYSIZE}e\"" ssl_common

CustomLog logs/ssl_cipher.log ssl_common

This LogFormat will produce output in ssl_cipher.log that looks something like this:

127.0.0.1 - - [01/Sep/2010:00:02:05 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_WITH_RC4_128_MD5" "128" "128"
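As an added example (not code from the original post), the following Python script parses lines in the ssl_cipher.log layout produced by the LogFormat above and reports which negotiated connections used RC4, 3DES, export, NULL or SSLv2-style cipher specs or a secret key shorter than 128 bits. The log lines are constructed for the example.

```python
"""Flag weak cipher negotiations in the ssl_cipher.log written by the LogFormat above.

Added example, not part of the original post. Sample log lines are constructed in the
layout that LogFormat writes: the four trailing quoted fields are the SSL flag, the
cipher spec, the key size and the secret key size.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "SSL=(?P<ssl>[^"]*)" "(?P<cipher>[^"]*)" '
    r'"(?P<keysize>[^"]*)" "(?P<secretkeysize>[^"]*)"$'
)

# Cipher-spec name fragments that should not be negotiated on a hardened server.
WEAK_PATTERNS = (
    ("RC4", re.compile(r"RC4")),
    ("3DES", re.compile(r"3DES|DES_192_EDE3")),
    ("EXPORT", re.compile(r"EXPORT|_40_")),
    ("NULL", re.compile(r"NULL")),
)
# SSLv2 specs are named SSL_<cipher>_WITH_<mac> (e.g. SSL_RC4_128_WITH_MD5), unlike the
# SSL_RSA_WITH_... / TLS_RSA_WITH_... names used for SSLv3 and TLS.
SSLV2_RE = re.compile(r"^SSL_(RC4|RC2|DES|IDEA)_.*_WITH_")


def parse_line(line):
    """One log line -> dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("keysize", "secretkeysize"):
        rec[key] = int(rec[key]) if rec[key].isdigit() else None  # "-" when not SSL
    return rec


def weaknesses(rec, min_secret_bits=128):
    """Reasons a logged connection is weak; an empty list means it is acceptable."""
    if rec["ssl"] != "ON":
        return ["plaintext"]
    reasons = [label for label, pat in WEAK_PATTERNS if pat.search(rec["cipher"])]
    if SSLV2_RE.match(rec["cipher"]):
        reasons.append("SSLv2")
    if rec["secretkeysize"] is not None and rec["secretkeysize"] < min_secret_bits:
        reasons.append("secret key < %d bits" % min_secret_bits)
    return reasons


def audit_log(lines):
    """Return (Counter cipher -> connections, list of (host, cipher, reasons) for weak ones)."""
    counts, weak = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["cipher"]] += 1
        reasons = weaknesses(rec)
        if reasons:
            weak.append((rec["host"], rec["cipher"], reasons))
    return counts, weak


# Constructed ssl_cipher.log excerpt: the post's own line, an AES connection, a 3DES fallback,
# an SSLv2-style negotiation and a request on a non-SSL virtual host (variables logged as "-").
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Sep/2010:00:02:05 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_WITH_RC4_128_MD5" "128" "128"',
    '10.0.0.7 - - [01/Sep/2010:00:02:09 -0800] "GET /app/ HTTP/1.1" 200 4410 "SSL=ON" "TLS_RSA_WITH_AES_128_CBC_SHA" "128" "128"',
    '10.0.0.8 - - [01/Sep/2010:00:02:12 -0800] "POST /app/login HTTP/1.1" 302 0 "SSL=ON" "SSL_RSA_WITH_3DES_EDE_CBC_SHA" "168" "168"',
    '10.0.0.9 - - [01/Sep/2010:00:02:15 -0800] "GET / HTTP/1.0" 200 1582 "SSL=ON" "SSL_RC4_128_WITH_MD5" "128" "128"',
    '10.0.0.10 - - [01/Sep/2010:00:02:20 -0800] "GET /health HTTP/1.1" 200 2 "SSL=-" "-" "-" "-"',
]

if __name__ == "__main__":
    counts, weak = audit_log(SAMPLE_LOG)
    print("connections per cipher:", dict(counts))
    for host, cipher, reasons in weak:
        print("WEAK %-10s %-32s %s" % (host, cipher, ", ".join(reasons)))
```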

SSL for multiple IP virtual hosts

When you do not define an SSL directive on a virtual host, the server uses the directive's default. You can define different SSL options for different virtual hosts. To enable SSL for a virtual host:

1. Specify the SSLEnable directive in the virtual host stanza of the configuration file.
2. Specify a Keyfile directive.
3. Add any other SSL directives you want enabled for that particular virtual host.
4. Restart the server.

With all the above security options enabled, your virtual host may look like this:



SSLEnable
Keyfile keyfile.kdb
SSLClientAuth required

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2.
## Excluding it in the presence of the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5



Courtesy: http://josephamrithraj.wordpress.com/2010/09/04/advanced-ssl-configuration-on-ibm-http-server-client-authentication-and-ciphers/

Virtual Users with SAML in WebLogic

Posted by Unknown on Monday, October 24, 2011

A small blog post on how you can use virtual users on your SAML Service Provider WebLogic Server. A virtual user is a user who is authenticated on the SAML Identity Provider and transferred (with all their attributes and roles) in a SAML token to the Service Provider; this user does not need to exist on the Service Provider's WebLogic server.
Before you can use this feature you need to set up SAML 2.0 SSO on your WebLogic domain. You can follow this blog post for all the instructions. You can also do this with web services, but then you need to follow this guide.

First we need to enable Generate Attributes on the Identity Provider Side.
Go to the myrealm security realm ->  Providers -> Credentials Mapping -> your SAML 2.0 Credential Mapping Provider -> Provider Specific.
Also do this on the imported Service Provider Partner located at the Management tab of your SAML 2.0 Credential Mapping Provider. Open the Service Provider Partner and also enable here Generate Attributes.

Next step is to configure the SAML Service Provider.
Go to the myrealm security realm ->  Providers ->  Authentication -> your SAML 2.0 Identity Assertion Provider -> Management Tab.
Open your imported Identity Provider Partner configuration.
Enable Virtual User and also enable Process Attributes.

Now we need to add an extra WebLogic SAML Authentication Provider. This provider will process the virtual user SAML token with all its attributes and roles.
Set the Control Flag to Sufficient, and also change the other authentication provider from Required to Sufficient.

Courtesy: http://biemond.blogspot.com/2011/09/virtual-users-with-saml-in-weblogic.html

How to collect performance data on Linux

Posted by Unknown

Collect the following information when an IBM Java process shows high CPU consumption:
If possible, enable garbage collection trace to see whether Java garbage collection is thrashing. To enable Java garbage collection trace on IBM WebSphere Application Server, refer to the following document: Enabling verbose garbage collection (verbosegc) in WebSphere Application Server.


Run the following command:

top -d delaytime -c -b > top.log

Where delaytime is the number of seconds to delay. This must be 60 seconds or greater, depending on how soon the failure is expected.


Create a script file, vmstat.sh with the following content:

#!/bin/sh
# vmstat.sh - append timestamped vmstat samples to the log file given as $1
# output file name
VMSTAT_LOG=$1
[ -n "$VMSTAT_LOG" ] || { echo "usage: $0 <logfile>" >&2; exit 1; }
# number of samples before the log is truncated and started again
LIMIT=288
# sleep for 5 minutes between samples
SLEEP_TIME=300
while true
do
  i=0
  echo > "$VMSTAT_LOG"
  while [ "$i" -le "$LIMIT" ]
  do
    date >> "$VMSTAT_LOG"
    # 12 samples at 5-second intervals (about one minute of data)
    vmstat 5 12 >> "$VMSTAT_LOG"
    i=`expr $i + 1`
    sleep "$SLEEP_TIME"
  done
done

Create a script, ps.sh with the following content:

#!/bin/sh
# ps.sh - append timestamped per-thread process listings to the log file given as $1
# output file name
PS_LOG=$1
[ -n "$PS_LOG" ] || { echo "usage: $0 <logfile>" >&2; exit 1; }
# number of samples before the log is truncated and started again
LIMIT=288
# sleep for 5 minutes between samples
SLEEP_TIME=300
while true
do
  i=0
  echo > "$PS_LOG"
  while [ "$i" -le "$LIMIT" ]
  do
    date >> "$PS_LOG"
    # -L lists every thread (LWP) with its own CPU column
    ps -eLf >> "$PS_LOG"
    i=`expr $i + 1`
    sleep "$SLEEP_TIME"
  done
done

Run the scripts:

./ps.sh ps_eLf.log
./vmstat.sh vmstat.log

Notes:
  • The scripts ps.sh and vmstat.sh, as provided, roll over every 24 hours.
  • You might need to modify the scripts to meet your needs.
  • The preceding scripts will run forever. After the error condition is reached, you will have to terminate them.


When high CPU consumption occurs, collect the following logs:

netstat -an > netstat1.out


If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver1.out


Run the following:

kill -3 [PID_of_problem_JVM]


Each kill -3 command creates a javacore*.txt file.

Note: If you are not able to determine which JVM process is experiencing the high CPU usage then you should issue the kill -3 PID for each of the JVM processes.



Wait two minutes.


Run the following:

kill -3 [PID_of_problem_JVM]


Wait two minutes.


Run the following:

kill -3 [PID_of_problem_JVM]


Wait two minutes.


Run the following:

netstat -an > netstat2.out



If the Web server is remote, run the following on the Web server system:

netstat -an > netstatwebserver2.out



If you are unable to generate javacore files, then perform the following:

kill -11 [PID_of_problem_JVM]

WARNING: kill -11 will terminate the JVM process, produce a core file, and possibly a javacore.


Review all output files and collect the following files for the IBM Performance Analysis Tool for Java for Linux:


ps_eLf.log
javacore*.txt files
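The analysis step the post leaves to the reader is matching the hottest threads in ps_eLf.log to the Java threads in the javacore files. As an added example (not code from the original post), the script below does that: it ranks the LWPs of the JVM by the C column of ps -eLf, converts each to hex and looks it up as the native thread ID in a javacore. Both inputs are constructed excerpts; the javacore lines follow the IBM J9 3XMTHREADINFO/3XMTHREADINFO1 layout, which is an assumption about the dump format rather than something the post shows.

```python
"""Correlate the hottest threads in a 'ps -eLf' capture with thread names in a javacore.

Added example, not part of the original post. The ps_eLf.log excerpt and the javacore
excerpt are constructed; the javacore lines follow the IBM J9 3XMTHREADINFO /
3XMTHREADINFO1 layout (an assumption). The link between the two files is that the
LWP column of ps equals the 'native thread ID' in the javacore, written there in hex.
"""
import re


def parse_ps_elf(text):
    """Parse 'ps -eLf' output; the C column is the per-thread CPU utilisation."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    idx = {name: i for i, name in enumerate(header)}
    rows = []
    for line in lines[1:]:
        parts = line.split(None, len(header) - 1)  # last field (CMD) keeps its spaces
        if len(parts) < len(header):
            continue
        rows.append({"pid": int(parts[idx["PID"]]), "lwp": int(parts[idx["LWP"]]),
                     "cpu": int(parts[idx["C"]]), "cmd": parts[idx["CMD"]]})
    return rows


def hottest_threads(rows, pid, top_n=3):
    """Top_n threads of process pid by CPU: (lwp, lwp as hex, cpu)."""
    mine = sorted((r for r in rows if r["pid"] == pid), key=lambda r: r["cpu"], reverse=True)
    return [(r["lwp"], "0x%X" % r["lwp"], r["cpu"]) for r in mine[:top_n]]


THREAD_RE = re.compile(r'^3XMTHREADINFO\s+"(?P<name>[^"]+)"')
NATIVE_RE = re.compile(r"^3XMTHREADINFO1\s+\(native thread ID:(?P<tid>0x[0-9A-Fa-f]+)")


def javacore_threads_by_native_id(text):
    """Map native thread id (int) -> Java thread name from javacore text."""
    result, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = NATIVE_RE.match(line)
        if m and current is not None:
            result[int(m.group("tid"), 16)] = current
            current = None
    return result


def correlate(ps_text, javacore_text, pid, top_n=3):
    """(lwp hex, cpu, java thread name or None) for the hottest threads of pid."""
    names = javacore_threads_by_native_id(javacore_text)
    return [(hexid, cpu, names.get(lwp))
            for lwp, hexid, cpu in hottest_threads(parse_ps_elf(ps_text), pid, top_n)]


# Constructed excerpt of ps_eLf.log: one JVM (pid 4242) with four threads, plus sshd.
SAMPLE_PS = """\
UID        PID  PPID   LWP  C NLWP STIME TTY          TIME CMD
was       4242     1  4242  0    4 09:00 ?        00:00:01 java -Xmx1024m server1
was       4242     1  4301  2    4 09:00 ?        00:00:40 java -Xmx1024m server1
was       4242     1  4355 97    4 09:00 ?        00:31:12 java -Xmx1024m server1
was       4242     1  4360 11    4 09:00 ?        00:02:03 java -Xmx1024m server1
root       998     1   998  1    1 08:59 ?        00:00:05 /usr/sbin/sshd
"""

# Constructed javacore excerpt; 0x1092 == 4242 and 0x1103 == 4355. LWP 4360 is deliberately
# absent, as a JIT or GC helper thread without a Java thread entry would be.
SAMPLE_JAVACORE = """\
3XMTHREADINFO      "main" J9VMThread:0x0000000001234500, j9thread_t:0x00007F0000ABC000, java/lang/Thread:0x00000000E0000000, state:CW, prio=5
3XMTHREADINFO1            (native thread ID:0x1092, native priority:0x5, native policy:UNKNOWN)
3XMTHREADINFO      "WebContainer : 3" J9VMThread:0x0000000001234800, j9thread_t:0x00007F0000ABC300, java/lang/Thread:0x00000000E0000100, state:R, prio=5
3XMTHREADINFO1            (native thread ID:0x1103, native priority:0x5, native policy:UNKNOWN)
"""

if __name__ == "__main__":
    for hexid, cpu, name in correlate(SAMPLE_PS, SAMPLE_JAVACORE, 4242):
        print(hexid, cpu, name or "(not in javacore)")
```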

Courtesy: http://wasissues.blogspot.com/

Configuring OpenLDAP as a SiteMinder Policy Store

Posted by Unknown

SiteMinder supports OpenLDAP for use as a Policy Store. OpenLDAP provides a freely available, replicated directory that can be used as a redundant store for SiteMinder’s configuration information. Unfortunately, the SiteMinder documentation covering how to configure OpenLDAP is at best incomplete and at worst incorrect. This article breaks down the steps required to enable OpenLDAP to be a Policy Store and configure the Policy Server to leverage the directory. Keep in mind that SiteMinder currently only supports OpenLDAP 2.3.x. This means that only Master/Slave replication is supported. While this is sufficient to ensure the availability of the Policy Store, if the Master directory is down, no policy or key updates can be performed. This article also assumes that the Key Store is set to the default setting of using the Policy Store as the location to store key information. Switch the directory paths outlined below to use backslashes if these steps are being performed on Windows.

1. Download and Install OpenLDAP
This article does not cover the specific details on how to build and install OpenLDAP. The details for this can be found on the OpenLDAP site. A quick start guide is located there as well.

2. Download the OpenLDAP Schema Files for SiteMinder
OpenLDAP is considered a "Tier 2" directory for SiteMinder. As such, the ability to configure the directory as a Policy Store is not automated. In order to obtain the needed schema files for the Policy Store, the "CA SiteMinder Tier 2 Directories- ESD Only" package must be downloaded. To download this file (current as of 10/12/2011):

1. Log in to the Technical Support Site
2. Click “Download Center” in the lefthand navigation
3. Type siteminder into the “Select a Product” field
4. Select the listed SiteMinder product
5. Select 12.0 in the “Select a Release” drop-down
6. Select SP3 in the “Select a Gen level” drop-down
7. Click the [GO] button
8. Scroll down to the bottom of the list of returned downloads
9. Download and unzip the “CA SiteMinder Tier 2 Directories- ESD Only” download to the Policy Server

3. Configure OpenLDAP To Support the SiteMinder Policy Store
The OpenLDAP server requires manual configuration to support its use as a SiteMinder Policy Store. The following steps are required:

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
3b. Include the SiteMinder Policy Store schema files in the OpenLDAP configuration
3c. Ensure that SiteMinder can detect it is an OpenLDAP Policy Store
3d. Create the base Policy Store structure
3e. Restart OpenLDAP

Note that these instructions assume that the install location for OpenLDAP is under the /usr/local path and the default directories are used. For this example, the root of the directory is "dc=company,dc=com" for the location of the Policy Store. These steps will need to be modified if a different path or directory structure is used.

3a. Copy the Policy Store schema files into the OpenLDAP schema directory
The OpenLDAP schema needs to be extended to support the SiteMinder Policy Store objects. This is done by copying the schema files to the server and adding them into the slapd.conf configuration file. To copy the schema files:
.........
More Here

Courtesy: http://www.coreblox.com/blog/2011/10/configuring-openldap-as-a-siteminder-policy-store/

Twilight Opens begin, the Excitement of the Home Buyer Show & the release of our iPhone App is Close!!

Posted by Unknown on Wednesday, October 12, 2011

From the desk of Leah Calnan, Director of Metro Property Management...

So October has rolled around and with it has come Daylight Savings which we love. More time in the afternoon to do outdoor activities and enjoy the warm weather (when the warm weather decides to pop up) and for Metro it means the beginning of our Twilight Opens for Spring/Summer. During certain weeknight evenings we are now able to show potential tenants more properties during the week which is great news for both our Tenants and Owners. These times, we have been told, are often more convenient for 9-5 workers as it means their weekends are left free to enjoy the sunshine rather than searching for their new homes, if that is what they would prefer.

 
In other news we recently attended the Home Buyer and Property Investor Show where we had a fantastic stall dressed in our eye catching Metro colours and enjoyed interacting with all of the people that came to the show be they current owners, tenants or brand new contacts that were simply interested in how we could manage their properties better and how we differ from other agencies. We handed out 250 Metro show bags (which was up from last year) and had much fun engaging with new people with a keen interest in what we do. We felt it was a busier year this year than last but we have yet to receive the attendance numbers from the event co-ordinators, either way there are plenty of people out there seeking investment properties.

Speaking of the purchase of investment properties... we held our final Self Managed Super Fund seminar for 2011. Many attended and really enjoyed it and felt they learnt something new, which was great. If you missed out feel free to contact my assistant Melissa Venn on 03 9831 3006 or via email at melissav@metropm.com.au , she can pass your details on to Nicholas Don of Metro Wealth who hosted the evening. Nic can offer you an obligation free Personal Review in which he will run through the benefits of SMSF with you on an individual basis and assess other financial matters that perhaps could be improved.


Also this month we will see our MetroPM iPhone application be released onto the Apple iTunes store for our clients and friends to download. We are in the final stages of approval and we will advise you as soon as it is released via our website, Facebook and Twitter so that you can be the first to use it and rate it! We think you will really enjoy the features that will assist you whether you are a current tenant, owner, investor looking to lease their property or a tenant looking for a new home. We will keep you posted as always.

Until next time...

SiteMinder federation to SharePoint 2010

Posted by Unknown on Tuesday, October 4, 2011

This paper shows how to configure identity federation between CA SiteMinder and Microsoft SharePoint 2010, using the CA Federation Manager Add-on for SiteMinder. Two scenarios are presented. The first is an intra-organizational scenario that is useful where SiteMinder, the user accounts, and SharePoint are all maintained within the enterprise. The second is a traditional identity federation scenario where the user accounts are maintained outside of the enterprise hosting SharePoint. A federated identity environment features the following advantages:

· Helps control Information Technology (IT) costs and gain efficiencies. Federation targets areas that require lots of manual processes such as user account management, and access management. These manual processes are the focus of cost control.

· Enables compliance with expanding regulatory requirements. A standards-based identity federation can increase security of websites and portals and enable an organization to identify and authenticate a user only once. The organization can then use that identity information to access multiple systems which can include websites of external partners and various portals.

While both scenarios create a federated identity environment, the techniques or methodology used in the two lab scenarios is different. The two lab scenarios are:

1. Lab scenario 1 - Intra-organization scenario. In this lab scenario, SiteMinder is the Trusted Identity Provider for SharePoint and authenticates users to one or more user directories maintained within the organization. Once authenticated, these users (which may be employees, partners or customers) can access SharePoint as well as other applications protected by SiteMinder. This lab scenario uses the CA Federation Manager Add-on to SiteMinder (a.k.a., SiteMinder Federation Security Services) to generate a WS-Federation 1.0 token that is in turn read by SharePoint 2010.

2. Lab scenario 2 - Cross-organization, traditional Federation scenario. In this lab scenario, SiteMinder is deployed at the external partner organization, along with the CA Federation Manager Add-on, and Microsoft AD FS 2.0 is deployed within the enterprise where SharePoint is hosted. SiteMinder authenticates the partners to the partner organization's user directory and generates a SAML 2.0 token. AD FS 2.0, which acts as a security token service, translates the SAML 2.0 token into a WS-Federation token for use with SharePoint. In this lab scenario, we also configure SharePoint's native claims-based Windows provider to illustrate how employees within the enterprise could access SharePoint alongside partners who use the federated approach (the claims-based Windows provider is listed along with the other Identity Providers configured in AD FS 2.0; in the lab it is identified as ADFSMachine.CompanyA.com).

Courtesy: http://interopvendoralliance.org/labs/siteminder-federation-to-sharepoint-2010.aspx

SiteMinder Overview

Posted by Unknown

CA SiteMinder is enterprise level web access management software which allows organizations to manage their web users and help control their access to applications, portals and web services.

SiteMinder consists of two core components:

Policy Server:

The Policy Server provides policy management, authentication, authorization, and accounting.

SiteMinder Agents:

Integrated with a standard Web server or application server, SiteMinder Agents enable SiteMinder to manage access to Web applications and content according to predefined security policies.

How CA SiteMinder Works:

The process for securely accessing web applications:

1. User attempts to access a protected resource.

2. User is challenged for credentials and presents them to the CA SiteMinder web agent or to the Secure Proxy Server.

3. The user’s credentials are passed to the Policy Server.

4. The user is authenticated against the appropriate user store.

5. The Policy Server evaluates the user’s entitlements and grants access.

6. User profile and entitlement information is passed to the application.

7. The user gets access to the secured application, which delivers customized content.

Courtesy: http://webspheresolution.wordpress.com/2011/09/29/siteminder-overview/

Earn Money With iPhone Apps

Posted by Unknown

Earn Money With iPhone Apps

The most comprehensive guide to creating lucrative iPhone applications (apps for short). Our guide explains how to create new iPhone apps and get them listed on the Apple iPhone App Store. Profit from iPhones now!



Click Here to find more about it

How To Create iPhone Apps With No Programming Experience

Posted by Unknown on Monday, October 3, 2011

How To Create iPhone Apps With No Programming Experience


Discover how to create iPhone apps easily with no programming experienced required. Learn from some of the top iPhone app developers to get your app created now.

Click Here to find more

No 'Fence-Sitting' when it comes to Feedback

Posted by Unknown on Wednesday, September 21, 2011

From the desk of Leah Calnan, Director of Metro Property Management...
Recently I came across an interesting blog from a marketing guru I follow named Seth Godin, a really interesting guy with some interesting ideas on all things marketing. Seth believes in advertising with a conscience and that businesses need to earn buzz by being remarkable, which is a principle I agree with entirely.

Below is his latest blog:

"Please complain"

Acquiring and processing user feedback is a choice. There are good reasons to hide from it:
  • You might believe that inviting disgruntled customers to call or write to someone who will actually take action will encourage them to become more disgruntled. If no one is listening, the thinking goes, then perhaps the annoyed will quietly go away.
  • You might believe that it's expensive to listen to squeaky wheels, particularly if you have someone in authority (as opposed to a low-paid clerk) actually listening and responding.
  • You might believe that the noisy minority don't share the objectives of the rest of your audience, particularly the higher-paying and silent majority.
On the other hand, you might believe:
  • That direct feedback in real time is a competitive advantage which will help you grow.
  • That assuaging an unhappy customer now is worth way more than negative word of mouth later.
Whichever strategy you choose, you should choose. It's the middle way that vexes... the pretending, the grudging acceptance, the insertion of many levels of filters - when you do this, you get none of the benefits of either plan.

If you want people to speak up, be clear and mean it. If you don't, don't pretend.

(If you'd like to follow Seth's blog visit http://sethgodin.typepad.com/)

And out of the cold we come...

Posted by Unknown on Sunday, September 11, 2011

From the desk of Leah Calnan, Director of Metro Property Management...

So here we are in September & SPRING! and goodness hasn’t the year flown already! Lots happening at the office this month, to begin with I decided to surprise the team with a Team Appreciation Day which we were all very excited about (myself included). At the recent REIV Property Management Conference we heard from many innovative and inspirational speakers one of which had the idea to surprise your dedicated team, not just at Christmas or the End of Financial Year but unexpectedly throughout the year. So we had a lovely lunch and a movie as a way of saying thank you for all of the hard work they put in, day in and day out. It has been a big couple of months which is great and this was a lovely treat, we had lots of laughs.


The end of August saw my assistant Melissa and I attend a very interesting conference on Social Media. We had heard a few speakers talk on Social Media over the past few years, however this seminar was a little different. The speakers were from America and seemed to have a broader insight into what was working and what was not, and how people use social media today not only to talk to friends and family but to investigate property, review their experiences and interact daily with their favourite companies.


We will be implementing a few new programs to assist our clients and tenants with regards to Social Media (although as most of you know we have a Facebook & Twitter account along with a Blog, the links are on the home page of the website), we see this as a way of the future, not just a fad and we love to embrace new technology here at Metro. In fact, we are very close to the release of our iPhone application which you will find has great functionality for both tenants and owners alike...exciting stuff.


In other news we are beginning to get organised for our Home Buyers & Investors Show stand on the 7th, 8th & 9th of October. Last year was a great experience and we met many new and current owners there at the show so why not come and say ‘Hi’ again this year. We have a limited number of free tickets this year so please contact Melissa at melissav@metropm.com.au if you would like a couple posted out to you in the coming month so that you may attend.

Until next time...

Finding a broadband comparison service online

Posted by Unknown on Wednesday, August 10, 2011

If you are thinking of finding a new broadband connection, then by far the best and easiest way to do it is to search for one online. First of all, it is cheaper to buy a broadband deal online. Because it is cheaper for companies to set up on the net, their overheads are lower, so you can expect a better deal. You will also find that there is far more choice online, which makes things easier for you.

Of course, all of this choice brings a problem of its own: you will find it difficult to narrow things down so that you can choose the right deal. The best way around this is to use a broadband comparison service on the internet. These sites make searching for broadband deals much easier, because you can look at a range of different deals side by side and see which offers the best value.

Another good idea is to bundle your broadband contract with your home phone contract and your satellite television contract. Doing this normally leads to some sort of discount on all three, and you can still use comparison sites to look at these bundled deals alongside one another. To find out about broadband, phone and digital TV deals you should also search for review sites online so that you can read reviews of the best ones. For instance, if you are thinking of signing up to a deal with Sky, you should look for a Sky broadband review site so you can find out how they perform in terms of customer service. Take your time making your decision, and make sure you know exactly what you are signing up for before you sign.

Finding a quality server cabinet for less online

Posted by Unknown

If you run a business that relies on computers, you will be well aware of how important it is to have a good contact who can deal with any computer issues you have. If any part of your computer system fails, it is imperative that you can get the replacement parts you need quickly and easily, with plenty of choice too. This is not always easy, so to help yourself in the future you should find a website that can service all your needs. Once you find a decent site you can return to it again and again, knowing that you will be able to solve your problems quickly and easily.

Finding the right site depends largely on what your system requires, but if you have equipment such as a server cabinet that might need changing from time to time, it is important to find a site that gives you plenty of options. A server cabinet can be expensive, but some sites offer new, used and refurbished parts, so you can save a bit of money on occasion.

Some sites are good both at sourcing the more unusual parts and at keeping the parts you need more frequently in stock. Look out for companies that keep a ready stock of items such as Netgear routers, because this is the sort of thing you will need sent out the very next day, so stock matters here.

To find the right sort of site, it is best to search for something like 'computer parts UK' to make sure you end up with a company that is based nearby; otherwise you could find yourself subject to very expensive delivery fees. Look for companies that will source parts for you even if they don't stock them themselves, and try to make sure that the site you choose can deliver quickly and cheaply and offers plenty of options when it comes to buying computer parts.

Spring is Nearly Upon Us!

Posted by Unknown on Thursday, August 4, 2011

From the desk of Leah Calnan, Director of Metro Property Management...
Before & After Pics of Reception Area
Wow so it is August and isn’t it a little warmer? And with the sun setting a little later in the day it feels like Spring is just around the corner. Spring cleaning is already happening at our office, to be exact a freshening up/renovation of our reception is starting to come together. Gone is the pink and purple carpet and we are loving our beautiful new tiles and the repositioning of the reception desk means more room for our new client couch and chairs which we will have very shortly. We have had some lovely comments so far and we will continue with carpet replacement throughout the office in the coming months.

In other news at Metro, as mentioned last month, Samantha Taylor of our office and I will be attending the ARPM Conference in Sydney this month. Speakers include professionals like Fiona Blayney, Director of her own real estate business development and recruitment firms and a highly sought after speaker whose energy and passion never cease to amaze me; Paul Tonich, who will speak on Social Media and its impact; Jonathon Handford, Managing Director of Newman Estate Agents, who will speak on the UK’s approach to property management; and then there’s James Castrission & Justin Jones, who became famous for crossing the Tasman Sea in a kayak and will speak on their challenges and how to overcome adversity. These are just a few of the speakers and their topics, so as you can see it will be a real mix of ideas, which is really very exciting, and we hope to get a lot out of our time there.

A couple of months ago now I gave an interview, for which the team and I were filmed, for Business Victoria. They approached me as they had discovered that our team had embarked on some tailored Customer Service based training last year and were interested in our team culture for a short video for their website (known as a Vodcast). My assistant Melissa and I attended the launch of this Vodcast and it was great to see and meet the other businesses that were involved in the other Vodcasts being launched. There were so many different ideas and so much great advice given that other small to medium businesses can access via these Vodcasts, which will be put online shortly; we will of course keep you posted with the link once they are up. Some of my team were quite shocked to learn they could soon be ‘stars’, as around 800 people per month had viewed the previous series of Vodcasts on the www.business.vic.gov.au website.

And finally a big thank you to all that came along to our recent Self Managed Super Fund Seminar and for all of your fabulous feedback. I was so thrilled that so many of you attended and got so much out of listening to Nicholas Don from Metro Wealth and his colleague Paul Kusli on the night. I wish you all the best in continuing to grow your wealth and am happy to have introduced you all to some new ideas. Again, we will keep you posted on our next Seminar evening in the near future.

Until next time...(enjoy the warmth, albeit temporary)

The Question: “I’m Bored, What Can We Do Today?”

Posted by Unknown on Wednesday, July 13, 2011

From the desk of Leah Calnan, Director of Metro Property Management
With the school holidays coming to a close this weekend you may be asking yourself “What else can I do to entertain the kids?” (or maybe they are asking you?). Well we have found a few relatively inexpensive things to do to keep them active and occupied.


Firstly there is ‘The Enchanted Maze’ garden located at Arthurs Seat. Four mazes for you and the kids to get lost in (and hopefully find your way out of by dinner time!) It is something many children may not have experienced and so much fun will be had. Not only do the different mazes have different points of interest for the kids, ie: finding the 5 Buddhas in the Hampton Court Maze or stopping off to play on the beach hut and pier, complete with sandpit in the Turf Maze Labyrinth, but there are also plenty of other activities including an area with brain teaser challenges, a small animal farm, sculpture park which has large sculptures carved out of tree stumps and plenty of interesting little gardens for you to enjoy. There’s even a cafe if you don’t wish to bring along your own picnic. For more information visit their website at http://ow.ly/5E5Dk  

Our second idea is to take the kids to the ‘St Kilda Adventure Playground’. A great playground full of different things for the children to jump, climb, run and swing from. There’s a big aeroplane, wooden horse with saddle, big metal slide, trampolines, go-kart path, a small basketball court, they can ride on a dinosaur, have a zip on the flying fox, play on the pirate ship, big tepee and a big wooden castle. Open 10am - 5.30pm on weekends it is staffed & tea and coffee is provided. Again, for more info visit http://ow.ly/5E5dJ

Lastly, have the kids ever ridden a pony? Well now’s your chance to take them. ‘Ace-Hi Ranch’ is a large property just south of Rosebud on the Mornington Peninsula. The experience is that of the Wild West and the kids will just love it. They cater for all age groups and levels of horse-riding experience (or lack thereof!). Take a pony ride, a scenic horse ride or even a bush ‘n’ beach ride. The ranch also includes a free range style of wildlife park set on 10 acres and gives all visitors the chance to view native animals in their typical surroundings. They have over 14 varieties of birds including Emus, Parrots, Cockatoos, Peacocks & Fowl. Visitors are welcome to feed & pat their furry friends: Koalas, Wombats, Kangaroos, Wallabies, Deer & Dingoes.... a very cool experience for the kids to go back to school and tell their friends about. Visit http://ow.ly/5E5CL


So there’s our Top 3 ideas, we hope you enjoy them and if you don’t get a chance to do them these holidays maybe keep them in mind for the next lot of holidays when you are asked the age old question “What can we do today?”.

Until next time.....

Busy Bees this July!

Posted by Unknown on Sunday, July 3, 2011

From the desk of Leah Calnan, Director of Metro Property Management...
And here we are at July. As usual much has been happening and will be happening this month here at Metro PM. The first weekend of July saw the team head out to the Red Emperor for a beautiful Chinese banquet as a reward for all of their hard work this year. Many laughs and stories were told and a great time was had by all.

Leah & Matt

Rebecca, Eleanor & Melissa

Josh, Hayley, Tracey & Dave

June, Chen, Rod & Merryn

Peter & Jan

This month we continue with the office renovations – out go the carpets in the foyer and meeting rooms and in goes the crisp white tiling and funky new seating for our guests. Later in the month we will also be carpeting throughout the office entirely, which will be lovely as we have lived with the pink, grey and mauve carpet for quite some time now and you know what they say, ‘a change is as good as a holiday’.

Our team have been busy little bees as it’s all hands on deck putting together our End of Financial Year Packs from the 1st July onwards and we aim to have them all out by the 14th of this month, so keep an eye out in your mail box. In your specialised EOFY folder you will find the Annual Statement for your property/s 2010/2011, as well as some information on Metro Wealth and a handy checklist to help you prepare for your tax return.

In other news Samantha Taylor from our office and myself will be off to Sydney early August to attend a fantastic event called ARPM or the Australasian Residential Property Management Conference. The event runs over 2 days and I am looking forward to hearing from some world class property management and real estate gurus. I am also excited about discovering what fantastic new ideas myself and the team can implement into Metro Property Management in order to keep us at the top of our game in providing the best possible service to our clients. So we’ll keep you posted of what comes about from our little trip interstate.

Until next time...

Don’t Rest on Your Laurels, Be Proactive with Your Finances!

Posted by Unknown on Wednesday, June 8, 2011

From the desk of Leah Calnan, Director of Metro Property Management...

In this blog I thought I’d take the time to let you know about a fantastic service we have started to offer this year called Metro Wealth, some of you may already have read about this service but for many of you this may be the first time you will have heard about it and boy we have seen some fantastic results for our clients.

Metro Wealth is a joint initiative between Metro Property Management and Nicholas Don of Odyssey Financial. This new business has been established to assist Metro owners (and those interested in allowing Metro to become their Property Manager/s) in achieving the best possible results from their current property investments and improving their current position.

Instead of having to visit a number of separate and different businesses and service providers, then having to try to co-ordinate each piece of advice and assistance themselves, Metro Wealth is able to provide a holistic solution with one main point of contact for its members. Metro Wealth has assembled a team of professionals to assist with everything financial, from initial advice through to implementation of a financial plan, to ongoing management and then to annual or more regular reviews.

As a member you are entitled to a complimentary membership package which will provide all of the necessary products and services, from financial planning, mortgages, superannuation and tax advice. Metro Wealth also has exclusive access to many amazing brand new properties that you may be interested in purchasing.

I am so pleased to let you know that already this year over 80 people have joined Metro Wealth. Those clients have had a review of their current situation and financial position, with many purchasing another property. These clients were never aware they could afford to make a purchase until they sought the assistance of Nicholas Don and the Metro Wealth Team.

If you yourself would like to become a Metro Wealth member, visit http://www.metrowealth.com.au/ or simply contact me on (03) 9831 3000 to chat about it further or email me at leah@metropm.com.au

Until next time...

Leah Calnan

The Launch Day of 'AMIA' Apartments - Brunswick

Posted by Unknown on Tuesday, May 31, 2011

From the desk of Leah Calnan, Director of Metro Property Management...

Well the time has finally come for us to launch the fabulous AMIA Apartments to the public this coming Saturday the 4th June from 11.00am - 12.30pm.

Come and enjoy a morning coffee, tea or hot chocolate on us from the coffee cart whilst you decide which apartment you’d love to make your new home! Brand new apartments in a designer complex in the central hub of everything that Brunswick has to offer! These luxurious 1 & 2 bedroom apartments grant a superior level of peace, privacy and exclusivity. Open plan living, quality galley-style kitchen with dishwasher, modern bathroom, separate laundry and private balconies. There is a selection of different styles, floor plans & levels available.

Many of the Metro team will be there on the day to greet you with an AMIA/Metro Promo Bag containing all you will need to apply for these fantastic properties - applications, floor plans as well as some goodies such as a Metro shopping bag, jelly beans and various info and vouchers from local businesses surrounding AMIA are all included.


We hope to see you there and should you have any further queries on the apartments please do not hesitate to call our Leasing Specialist Samantha Taylor on 0434 313 588 or 9831 3000 or visit http://www.metropm.com.au/ for more information.

Until next time...

CA Identity Manager High Availability & JBoss Clustering

Posted by Unknown on Thursday, May 26, 2011

CA Identity Manager 12.x uses caching for transactions. This feature can cause synchronization issues if the application is set up in high-availability mode without application-server clustering.

An example I can give is a project I was involved with using JBoss as the CA IdM application server. As such I will be addressing JBoss clustering in this entry.

JBoss uses a Hypersonic database to manage internal JMS data (JMS queues). JBoss uses the JMS queues for tracking tasks and processes within the application. It is recommended to use a shared MS SQL database for the JMS database. There are documents available online which explain how to migrate from Hypersonic to MS SQL. In my example we opted to use the same MS SQL infrastructure used by Identity Manager to house the JMS database. In simplified terms, the steps to accomplish clustering of IdM on JBoss are as follows:

1. Create a new SQL database (JBOSS_JMS)
2. Create a user/owner for this DB (jbossjms)
3. Migrate JBoss to SQL from the Hypersonic DB
4. Bring all services back up and test to ensure the migration was successful
5. Follow the procedures in the IdM documentation to configure JBoss clustering

Courtesy: http://www.idmworks.com/blog/ca-identity-manager-high-availability-jboss-clustering

Oracle Fusion Stack 11g Install Videos

Posted by Unknown

  • Oracle Identity Manager 11g
  • Oracle Access Manager 11g
  • Oracle Adaptive Access Manager 11g
  • Oracle Identity Federation 11g
  • Oracle Internet Directory 11g
  • Oracle Virtual Directory 11g
  • Oracle HTTP Server
  • Oracle Directory Integration Platform 11g
  • Oracle WebLogic Server 11g
  • Oracle Database 11gR2
  • Oracle Identity Navigator 11g
  • Oracle Authorization Policy Manager
  • Oracle Platform Security Services

  1. Installing Oracle Enterprise Linux 5 Update 3 on VMWare
  2. Installing and Configuring Oracle Database 11g Revision 2 (11gR2)
  3. Installing WebLogic Server 11gR1 (10.3.3)

Courtesy: http://idmrockstar.com/blog/2011/04/oracle-fusion-stack-11g-install-videos/

Configuring Design Console for OIM 11g

Posted by Unknown on Thursday, May 5, 2011

In OIM 11g, Design Console is still a required tool for system configuration, custom development and customization. But unlike OIM 9.x, Design Console 11g no longer has its own installer. It is installed and configured along with the OIM server installation.

One of the common questions around Design Console 11g is: if there is no installer anymore, how do I get it working on my desktop/laptop without installing the whole Identity and Access Management pack?

This is an easy task and this post describes the steps for getting it done:

1. If you don't have a JDK 1.6 on your laptop, you will have to install it.

2. Run the configuration script for OIM once again. The script is available at $IAM_HOME/bin (where IAM_HOME is the folder where the ‘Identity and Access Management Pack’ was installed). You have to run the ‘config.sh’ available in the $IAM_HOME/bin folder and NOT the one at ‘$IAM_HOME/common/bin/config.sh’.

3. In the configuration wizard, select the ‘Design Console’ checkbox ONLY.


4. In the next screen, enter the OIM server host name and port. The wizard will configure the Design Console files for you.

Courtesy: http://fusionsecurity.blogspot.com/

New Additions to the Team & an Exciting New Development in Brunswick!

Posted by Unknown on Monday, May 2, 2011

From the desk of Leah Calnan, Director of Metro Property Management...

Well April passed as quickly as it had come and now here we are in May.

This past month we have added a couple of new members to the Metro team, Karli Wise and Danielle Burian; they each join us in an ‘Assistant Property Management’ role and we are thrilled to have them both on board.

Karli has a strong background in real estate having previously worked for many years in customer service/admin across different roles & fields including a stint in commercial real estate. Karli enjoys a busy and fast paced environment, which she feels Property Management offers and boy is she right, you are never twiddling your thumbs in Property Management!

Danielle also comes to us with experience in both reception and customer service within the Real Estate industry, she holds a Bachelor of Business as well as recently completing her Agents Representative certificate. Danielle has a passion for property and she has attended a few investment & property seminars in the past, these have opened her eyes to many potential investment opportunities. Danielle says that her Business degree has given her an “in-depth knowledge of economic and social aspects of business that I feel will assist me in my role here”.

In other news, Metro is excited to be launching the completion and subsequent leasing of ‘AMIA’ in Brunswick, another fantastic development by Caydon, the team that brought us ‘The Marque’ apartments in Collingwood late last year (of which we lease and manage just under 50 apartments). Metro will be holding an official launch day on Saturday the 4th of June, so if you are keen to be one of the first to register to see these apartments on their very first open day then please just email Samantha Taylor, our Leasing Specialist for this building, at samanthat@metropm.com.au or call us on 03 9831 3000. To see some of the fantastic floor plans that will be on offer for lease with Metro please take a look at http://www.amialiving.com.au/ – you won’t be disappointed.

And finally just a tip from us to start organising yourself for the End of Financial Year, yes it’s fast approaching. As usual if you are an owner of ours you will be receiving your ‘End of Financial Year 2010-11 packs’ with the help of good old ‘Australia Post’ by the 14th of July this year.

All in all another busy month here at Metro.

Until next time...

GralicWrap Anti-Phishing Software

Posted by Unknown on Thursday, April 28, 2011

GralicWrap

Phishing scam artists send official-looking emails with authentic-looking logos from valid organizations and companies, and other identifying email information taken directly from genuine web pages.

These authentic-looking emails are an attempt to get you to sign in so that the sender can capture your password and login information. Electronic mail is one of the top methods of identity theft.

To make these phishing emails look even more genuine, the phisher will position a link so that it appears to lead to the genuine web page, but in reality it takes you to a counterfeit scam website, or a popup box may appear that looks identical to the official site.

You can stop phishing scams with good and effective anti-phishing software such as Gralicwrap.

Anti-phishing: delete spam, viruses and other unwanted emails right at the server. Gralicwrap learns from examples of good and bad mail and uses that filter to effectively block and stop spam.

Gralicwrap anti-phishing software is made up of computer programs which attempt to identify phishing content that may be contained in a website or in an email sent to you. Such software is normally found as an integrated tool within web browsers and email servers, and it will display the real domain name of the website you are visiting. In doing this it is hoped to prevent fraudulent sites from masquerading as legitimate ones. Today such a function may well be a built-in feature of many web browsers.
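The check the paragraph above describes (showing the real domain behind a link and catching link text that points somewhere else) can be illustrated with a small mail-side scanner. This is an added example, not GralicWrap code; the HTML e-mail it scans is constructed sample input, and the .example/.test host names and the 203.0.113.9 address are placeholders.

```python
"""Spot links in an HTML e-mail whose visible text points somewhere other than
the real target, and report the real domain of every link.

Added example; it is not GralicWrap code. The e-mail below is constructed
sample input and the .example/.test host names are placeholders."""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: one honest link, one look-alike domain, one bare IP address.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.bank.example/login">sign in</a>.</p>
<p>Or use <a href="http://bank.example.login-verify.test/session">https://www.bank.example/secure</a></p>
<p>Statement: <a href="http://203.0.113.9/stmt">www.bank.example/statements</a></p>
"""


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Fine for a demo; production code should consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> Optional[str]:
    """Return the host name the visible link text claims, or None if the text is not a URL."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    # Require a dot so ordinary link text such as "sign in" is not treated as a host.
    return host if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyse_links(html: str) -> List[dict]:
    """One report per link: the real host, what the text claims, and why it is suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    reports = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        claimed_host = host_of(text)
        suspicious, reason = False, "ok"
        if claimed_host and registered_domain(claimed_host) != registered_domain(real_host):
            suspicious = True
            reason = "text claims %s but the link goes to %s" % (claimed_host, real_host)
        elif real_host.replace(".", "").isdigit():
            suspicious = True
            reason = "link target is a bare IP address"
        reports.append({"href": href, "real_host": real_host, "claimed_host": claimed_host,
                        "suspicious": suspicious, "reason": reason})
    return reports


if __name__ == "__main__":
    for report in analyse_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print("%-10s real domain: %-32s %s" % (flag, report["real_host"], report["reason"]))
```

The verdict is driven by the real `href`, never by the text the reader sees, which is exactly the inversion a spoofed link relies on. The registrable-domain comparison is deliberately crude (last two labels); a production filter would use the public-suffix list so that country-code domains are handled correctly.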

SAML EJB Integration with PicketLink STS

Posted by Unknown on Monday, April 25, 2011

In this document we show how to use PicketLink STS to validate SAML assertions and authenticate EJB clients.
Required software: JDK 6, PicketLink version 1.0.3 or later (the feature is available starting with 1.0.3.CR2).

Process Overview

The following picture illustrates the process of using SAML assertions to authenticate clients of EJB applications:

[Image: saml-sts-module.png]

The client must first obtain the SAML assertion from PicketLink STS by sending a WS-Trust request to the token service. This process usually involves authentication of the client. After obtaining the SAML assertion from the STS, the client includes the assertion in the security context of the EJB request before invoking an operation on the bean. Upon receiving the invocation, the EJB container extracts the assertion and validates it by sending a WS-Trust validate message to the STS. If the assertion is considered valid by the STS (and the proof of possession token has been verified if needed), the client is authenticated.



On JBoss, the SAML assertion validation process is handled by the SAML2STSLoginModule. It reads properties from a configurable file (specified by the configFile option) and establishes communication with the STS based on these properties. We will see what a configuration file looks like later on. If the assertion is valid, a Principal is created using the assertion subject name, and if the assertion contains roles, these roles are also extracted and associated with the caller's Subject.
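What the login module does after the STS has answered the validate request (building the Principal from the subject name and the caller's roles from the assertion's attributes) is shown below as an added example; it is not PicketLink code and it does not reproduce the WS-Trust exchange or signature checking, which are assumed to have succeeded already. The sample assertion, the audience URI `urn:ejb3-sample-app` and the role attribute name `Role` are constructed assumptions, and the example goes one step further than the paragraph by applying the `@RolesAllowed`, `@PermitAll` and `@DenyAll` rules of the sample bean to the extracted roles.

```python
"""Turn a SAML 2.0 assertion into a caller identity the way an EJB login
module does once the STS has declared the assertion valid: the subject NameID
becomes the Principal name and role attributes become the caller's roles,
which are then checked against the role rules of the sample bean.

Added example, not PicketLink code. Signature checking and the WS-Trust
validate exchange are assumed to have happened already. The role attribute
name "Role", the audience URI and the sample assertion are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import FrozenSet, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "Role"  # assumption: the attribute name under which the STS places roles

# Constructed sample assertion (unsigned; the STS is assumed to have validated it).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_sample" Version="2.0" IssueInstant="2011-04-25T10:00:00Z">
  <saml:Issuer>PicketLinkSTS</saml:Issuer>
  <saml:Subject><saml:NameID>jduke</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-04-25T10:00:00Z" NotOnOrAfter="2011-04-25T12:00:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:ejb3-sample-app</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>RegularUser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_AUDIENCE = "urn:ejb3-sample-app"
SAMPLE_NOW = datetime(2011, 4, 25, 11, 0, tzinfo=timezone.utc)       # inside the window
SAMPLE_EXPIRED = datetime(2011, 4, 25, 12, 30, tzinfo=timezone.utc)  # after NotOnOrAfter


def _instant(value: str) -> datetime:
    """Parse the UTC timestamps used in the sample (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_identity(assertion_xml: str, expected_audience: str,
                     now: datetime) -> Tuple[str, FrozenSet[str]]:
    """Return (principal_name, roles); raise ValueError if the assertion's
    conditions (validity window, audience) do not hold for this application."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no subject NameID")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _instant(not_before):
            raise ValueError("assertion is not yet valid")
        if not_on_or_after and now >= _instant(not_on_or_after):
            raise ValueError("assertion has expired")
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if audiences and expected_audience not in audiences:
            raise ValueError("assertion was not issued for this application")

    roles = set()
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attribute.get("Name") == ROLE_ATTRIBUTE:
            roles.update(v.text.strip() for v in attribute.findall("saml:AttributeValue", SAML_NS)
                         if v.text and v.text.strip())
    return name_id.text.strip(), frozenset(roles)


def accepts(assertion_xml: str, expected_audience: str, now: datetime) -> bool:
    """True when extract_identity would accept the assertion, False when it rejects it."""
    try:
        extract_identity(assertion_xml, expected_audience, now)
        return True
    except ValueError:
        return False


# Role requirements mirroring the annotations on SimpleStatelessSessionBean.
METHOD_ROLES = {
    "invokeRegularMethod": {"RegularUser", "Administrator"},  # class-level @RolesAllowed
    "invokeAdministrativeMethod": {"Administrator"},          # method-level @RolesAllowed
    "invokeUnprotectedMethod": None,                          # @PermitAll: any authenticated caller
    "invokeUnavailableMethod": set(),                         # @DenyAll: nobody
}


def is_authorized(method: str, roles: FrozenSet[str]) -> bool:
    """Apply the bean's role rules to the roles extracted from the assertion."""
    required = METHOD_ROLES[method]
    if required is None:
        return True
    return bool(required & roles)


if __name__ == "__main__":
    name, roles = extract_identity(SAMPLE_ASSERTION, SAMPLE_AUDIENCE, SAMPLE_NOW)
    for method in METHOD_ROLES:
        verdict = "allowed" if is_authorized(method, roles) else "denied"
        print("%s as %s (%s): %s" % (method, name, ",".join(sorted(roles)), verdict))
```

Two points carry over to a real deployment: the relying application must still check the assertion's own conditions (validity window and audience) even though the STS has confirmed the signature, otherwise a valid assertion issued for another service or long since expired would be accepted; and the role attribute name is a contract between the STS and the login module, so a mismatch silently yields an authenticated caller with no roles, which `@DenyAll` and `@RolesAllowed` will then reject.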

EJB3 Integration Example

In this section we present a sample EJB3 application that authenticates clients by validating their SAML assertions with PicketLink STS. The deployments for both the EJB3 application and the STS can be found attached to this document.

EJB3 Sample App

Our EJB3 application consists of a simple stateless session bean. The session interface can be seen below:

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2010, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.test.security.ejb3;

import java.security.Principal;

/**
 * This is the remote interface of session beans used in the EJB3 security tests.
 *
 * @author Stefan Guilhen
 */
public interface SimpleSession
{
   /**
    * This is a method available for regular users and administrators. Implementations must annotate either the class or
    * this method with {@code @RolesAllowed({"RegularUser", "Administrator"})} to enforce that only these roles should
    * be granted access to this method.
    *
    * @return the caller's {@code Principal}.
    */
   public Principal invokeRegularMethod();

   /**
    * This is a method available for administrators only. Implementations must annotate either the class or this method
    * with {@code @RolesAllowed({"Administrator"})} to enforce that only administrators should be granted access to
    * this method.
    *
    * @return the caller's {@code Principal}.
    */
   public Principal invokeAdministrativeMethod();

   /**
    * This is a method available for all authenticated users, regardless of role. Implementations must annotate this
    * method with {@code @PermitAll} to specify that all security roles should be granted access.
    *
    * @return the caller's {@code Principal}.
    */
   public Principal invokeUnprotectedMethod();

   /**
    * This is a method that is unavailable for everybody. Implementations must annotate this method with
    * {@code @DenyAll} to specify that access should be restricted for everybody.
    *
    * @return the caller's {@code Principal}.
    */
   public Principal invokeUnavailableMethod();
}

And this is the implementation class:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb3;
 
 
import java.security.Principal;
 
 
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
 
 
/**
*
* Stateless session bean implementation used in the EJB3 security tests.
*
*
* @author Stefan Guilhen
*/

@Stateless
@Remote(SimpleSession.class)
@RolesAllowed({"RegularUser", "Administrator"})
public class SimpleStatelessSessionBean implements SimpleSession
{
 
 
   @Resource
   private SessionContext context;
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeRegularMethod()
    */

   public Principal invokeRegularMethod()
   {
      // this method allows the same roles as the class.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeAdministrativeMethod()
    */

   @RolesAllowed({"Administrator"})
   public Principal invokeAdministrativeMethod()
   {
      // this method overrides the roles defined by the class to grant access to administrators only.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnprotectedMethod()
    */

   @PermitAll
   public Principal invokeUnprotectedMethod()
   {
      // this method overrides the roles defined by the class to grant access to all roles.
      return this.context.getCallerPrincipal();
   }
 
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb3.SimpleSession#invokeUnavailableMethod()
    */

   @DenyAll
   public Principal invokeUnavailableMethod()
   {
      // this method should never be called - it overrides the class roles to deny access to all roles.
      return this.context.getCallerPrincipal();
   }
}

The bean exposes four methods: invokeRegularMethod (available to both Administrators and RegularUsers), invokeAdministrativeMethod (available to Administrators only), invokeUnprotectedMethod (available to all authenticated clients), and invokeUnavailableMethod (annotated with @DenyAll and thus unavailable to all roles). Note how the class-level @RolesAllowed({"RegularUser", "Administrator"}) acts as the default: invokeRegularMethod carries no annotation of its own and simply inherits it, while the other three methods override it with a method-level annotation. Any method added to this bean later without an annotation inherits the class default too.

Besides the sample session classes, our ejb3-sampleapp.jar contains the application policy definition for the EJBs:

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb3-sampleapp">
      <authentication>
         <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="configFile">sts-config.properties</module-option>
         </login-module>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">ejb3-sampleapp-users.properties</module-option>
            <module-option name="rolesProperties">ejb3-sampleapp-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>

The policy stacks two login modules: SAML2STSLoginModule and UsersRolesLoginModule. The first authenticates the client by sending the supplied assertion to the STS for validation (a WS-Trust Validate request); the second only maps the already-authenticated client to roles read from a properties file. Both modules carry password-stacking=useFirstPass, so the second module reuses the identity established by the first instead of trying to verify the SAML assertion as if it were a password. In order to validate the SAML assertions, SAML2STSLoginModule needs information about the STS, like its endpoint URL, service name, port name, etc. This information is supplied by the sts-config.properties file:

serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS
username=JBoss
password=JBoss

The last two properties specify the username and password that will be used to authenticate the JBoss server to the STS when the WS-Trust validate message is dispatched. In other words, SAML2STSLoginModule itself must authenticate to the STS when validating the SAML assertions, and these properties hold the credentials it uses for that. Because the file stores a clear-text service password, it must be protected on the server's file system like any other secret.
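To make the password-stacking contract concrete, here is an added example (it is not part of the original article, nor code from PicketLink or JBoss) that wires two stand-in JAAS login modules into a JDK LoginContext. TokenLoginModule plays the part of SAML2STSLoginModule, except that instead of calling the STS it compares the credential with a constructed in-memory table of accepted tokens; RolesLoginModule plays the part of UsersRolesLoginModule with in-memory maps standing in for the users and roles properties files. ObjectCallback is a hypothetical callback modelled on the one JBoss uses to hand a non-text credential to a login module, and the shared-state keys javax.security.auth.login.name and javax.security.auth.login.password are the standard password-stacking keys. Running it shows why both modules in the policy above carry password-stacking=useFirstPass: with the option, the second module accepts the identity the first one established and only contributes roles; without it, the second module treats the SAML assertion as a password, the comparison fails, and the whole login is rejected.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PasswordStackingDemo {

    /** Hypothetical callback for a non-text credential, modelled on the ObjectCallback JBoss uses. */
    public static final class ObjectCallback implements Callback { public Object credential; }

    /** Role principal that the second module adds to the Subject on commit. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed data standing in for the STS and for the users/roles properties files.
    static final Map<String, Object> ACCEPTED_TOKENS = Map.of("UserA", "<saml:Assertion ID=\"demo\"/>");
    static final Map<String, String> USER_PASSWORDS = Map.of("UserA", "PassA");
    static final Map<String, String> USER_ROLES = Map.of("UserA", "RegularUser,Administrator");

    static void ask(CallbackHandler h, NameCallback nc, ObjectCallback oc) throws LoginException {
        try { h.handle(new Callback[] { nc, oc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
    }

    /** Stand-in for SAML2STSLoginModule: authenticates the token, then stacks name and credential. */
    public static class TokenLoginModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, Object> shared;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            handler = h;
            shared = (Map<String, Object>) sharedState;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            ObjectCallback oc = new ObjectCallback();
            ask(handler, nc, oc);
            // The real module sends a WS-Trust Validate request to the STS at this point.
            if (!Objects.equals(oc.credential, ACCEPTED_TOKENS.get(nc.getName())))
                throw new LoginException("STS rejected the assertion for " + nc.getName());
            // Password-stacking contract: publish the authenticated identity for the modules that follow.
            shared.put("javax.security.auth.login.name", nc.getName());
            shared.put("javax.security.auth.login.password", oc.credential);
            return true;
        }
        @Override public boolean commit() { return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    /** Stand-in for UsersRolesLoginModule: checks a password unless an earlier module already authenticated. */
    public static class RolesLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> shared, options;
        private String user;

        @Override
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            subject = s; handler = h; shared = sharedState; options = opts;
        }
        @Override public boolean login() throws LoginException {
            if ("useFirstPass".equals(options.get("password-stacking")) && shared.containsKey("javax.security.auth.login.name")) {
                user = (String) shared.get("javax.security.auth.login.name");
                return true; // trust the stacked identity; this module only supplies roles
            }
            NameCallback nc = new NameCallback("user: ");
            ObjectCallback oc = new ObjectCallback();
            ask(handler, nc, oc);
            user = nc.getName();
            // Without stacking, the SAML assertion is compared with the users file as if it were a password.
            if (!Objects.equals(oc.credential, USER_PASSWORDS.get(user)))
                throw new LoginException("credential presented for " + user + " is not the user's password");
            return true;
        }
        @Override public boolean commit() {
            for (String r : USER_ROLES.getOrDefault(user, "").split(","))
                if (!r.isEmpty()) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    /** Runs the two-module stack through a LoginContext and returns the role names granted. */
    public static Set<String> authenticate(String user, Object credential, boolean useFirstPass) throws LoginException {
        Map<String, String> opts = useFirstPass ? Map.of("password-stacking", "useFirstPass") : Map.of();
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(TokenLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts),
                    new AppConfigurationEntry(RolesLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof ObjectCallback) ((ObjectCallback) c).credential = credential;
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("ejb3-sampleapp", new Subject(), handler, config);
        lc.login();
        Set<String> roles = new LinkedHashSet<>();
        for (RolePrincipal p : lc.getSubject().getPrincipals(RolePrincipal.class)) roles.add(p.getName());
        return roles;
    }

    public static void main(String[] args) throws Exception {
        Object assertion = ACCEPTED_TOKENS.get("UserA");
        System.out.println("with useFirstPass:    " + authenticate("UserA", assertion, true));
        try { authenticate("UserA", assertion, false); }
        catch (LoginException e) { System.out.println("without useFirstPass: " + e.getMessage()); }
    }
}
```

Both entries are flagged required, so a failure in either one fails the login as a whole; the stacking option is what lets the second module succeed without a password of its own. Note that with useFirstPass the roles module trusts whatever name the first module stacked, so the module that validates the assertion must always run first and must be required.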

In our sample applications we will have three users (UserA, UserB, UserC), each with different roles. The ejb3-sampleapp-roles.properties file specifies the roles that have been assigned to each user:

UserA=RegularUser,Administrator
UserB=RegularUser
UserC=Guest

As we can see, UserA is both a RegularUser and an Administrator, so UserA should be able to call all methods except invokeUnavailableMethod. UserB is a RegularUser and should be able to call invokeRegularMethod and invokeUnprotectedMethod. UserC is a Guest, a role that no method grants, and so should be able to invoke only the unprotected method of our sample EJB.

For the sake of completeness, here we can see the jboss.xml file of our ejb3-sampleapp.jar, which binds the bean to the security domain defined by the policy above:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
      "-//JBoss//DTD JBOSS 5.0//EN"
      "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
   <security-domain>java:/jaas/ejb3-sampleapp</security-domain>
</jboss>
All the configuration files can be found in the ejb3-sampleapp.jar that has been attached to this document.

PicketLink STS

Our PicketLink STS application is a tweaked version of the picketlink-sts.war file that is available on the PicketLink project downloads page. More specifically, we created a new security domain for the STS in jboss-web.xml, included an application policy for the new domain that uses the UsersRolesLoginModule to authenticate STS clients, included the users and roles properties files, and changed the required role in web.xml to STSClient.

This is the content of the STS web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
   "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
   <servlet>
      <servlet-name>PicketLinkSTS</servlet-name>
      <servlet-class>org.picketlink.identity.federation.core.wstrust.PicketLinkSTS</servlet-class>
   </servlet>
   <servlet-mapping>
      <servlet-name>PicketLinkSTS</servlet-name>
      <url-pattern>/*</url-pattern>
   </servlet-mapping>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>TokenService</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>STSClient</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>PicketLinkSTSRealm</realm-name>
   </login-config>

   <security-role>
      <role-name>STSClient</role-name>
   </security-role>
</web-app>

STS callers must all have the STSClient role in order to send a WS-Trust request to the STS. Two details of this descriptor deserve attention: because the web-resource-collection lists only GET and POST, requests made with any other HTTP method fall outside the constraint (leaving the http-method elements out makes the constraint apply to every method), and BASIC authentication transmits the caller's password with each request in a merely base64-encoded form, so outside a localhost test the STS endpoint must be served over HTTPS.

The STS security domain is specified by the jboss-web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
   <security-domain>java:/jaas/sts-domain</security-domain>
</jboss-web>
The application policy for the sts-domain is defined in the sts-jboss-beans.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <application-policy xmlns="urn:jboss:security-beans:1.0" name="sts-domain">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">sts-users.properties</module-option>
            <module-option name="rolesProperties">sts-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>

The sts-users.properties specify the username/passwords of the STS callers:

JBoss=JBoss
UserA=PassA
UserB=PassB
UserC=PassC

The sts-roles.properties specify the roles of the STS callers:

JBoss=STSClient
UserA=STSClient
UserB=STSClient
UserC=STSClient

Notice that the JBoss user represents the JBoss server during the SAML validation process. All other users are the clients of the EJB3 sample application - they send a message to the STS to acquire a SAML assertion before calling the methods on the EJB3 application.

Client Application

The SAMLEJB3IntegrationTest shows what happens when each of the users (UserA, UserB, and UserC) acquires a SAML assertion from PicketLinkSTS and then invokes all four methods on the sample EJB3. Let's take a look at the code:

/*
* JBoss, Home of Professional Open Source Copyright 2009, Red Hat Middleware
* LLC, and individual contributors by the @authors tag. See the copyright.txt
* in the distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This software is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this software; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
* site: http://www.fsf.org.
*/

package test;
 
import java.security.Principal;
import java.util.Hashtable;
 
import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
 
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.jboss.test.security.ejb3.SimpleSession;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
 
/**
*
* This class tests the usage of SAML assertions to authenticate clients of EJB3 applications on JBoss. This is
* accomplished by having the client first obtain a SAML assertion from the PicketLink STS service and then use
* the assertion as the credential when calling the protected EJB3.
*
*
* The protected EJB3 application used in this test has configured the {@code SAML2STSLoginModule}. This login
* module sends the SAML assertion to the STS for validation in order to authenticate the caller. A second login
* module, {@code UsersRolesLoginModule}, has been used to provide the client's roles.
*
*
* @author Stefan Guilhen
*/

public class SAMLEJB3IntegrationTest
{
 
   private Hashtable<String, Object> env;
  
   public static void main(String[] args) throws Exception
   {
      SAMLEJB3IntegrationTest test = new SAMLEJB3IntegrationTest();
      test.testSAMLEJB3Integration("UserA", "PassA");
      test.testSAMLEJB3Integration("UserB", "PassB");
      test.testSAMLEJB3Integration("UserC", "PassC");
   }
  
   public SAMLEJB3IntegrationTest()
   {
      // initialize the JNDI env that will be used to lookup the test EJB.
      this.env = new Hashtable<String, Object>();
      this.env.put("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory");
      this.env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      this.env.put("java.naming.provider.url", "localhost:1099");
   }
  
   public void testSAMLEJB3Integration(String username, String password) throws Exception
   {
      // create a WSTrustClient instance.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS",
            new SecurityInfo(username, password));
     
      // issue a SAML assertion using the client API.
      Element assertion = null;
      try
      {
         System.out.println("\nInvoking token service to get SAML assertion for " + username);
         assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
         System.out.println("SAML assertion for " + username + " successfully obtained!");
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }
 
      // use the SecurityClient API to set the assertion in the client security context.
      SecurityClient securityClient = SecurityClientFactory.getSecurityClient();
      securityClient.setSimple(username, new SamlCredential(assertion));
      securityClient.login();
     
      // invoke the EJB3 bean - the assertion will be propagated with the security context.
      System.out.println(username + " invoking secure EJB3 session bean");
      Context context = new InitialContext(env);
      Object object = context.lookup("SimpleStatelessSessionBean/remote");
      SimpleSession session = (SimpleSession) PortableRemoteObject.narrow(object, SimpleSession.class);
     
      // invoke method that requires the Administrator role.
      try
      {
         Principal principal = session.invokeAdministrativeMethod();
         System.out.println(principal.getName() + " successfully called administrative method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call administrative method!");
      }
     
      // invoke method that requires the RegularUser role.
      try
      {
         Principal principal = session.invokeRegularMethod();
         System.out.println(principal.getName() + " successfully called regular method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call regular method!");
      }
 
      // invoke method that allows all roles.
      try
      {
         Principal principal = session.invokeUnprotectedMethod();
         System.out.println(principal.getName() + " successfully called unprotected method!");
      }
      catch (EJBAccessException eae)
      {
         // this should never happen as long as the user has successfully authenticated.
         System.out.println(username + " is not authorized to call unprotected method!");
      }
 
      // invoke method that denies access to all roles.
      try
      {
         Principal principal = session.invokeUnavailableMethod();
         // this should never happen because the method should deny access to all roles.
         System.out.println(principal.getName() + " successfully called unavailable method!");
      }
      catch (EJBAccessException eae)
      {
         System.out.println(username + " is not authorized to call unavailable method!");
      }
   }
}

As we can see, the assertion is first obtained using the WSTrustClient API. Once the assertion has been acquired, we use the SecurityClient API to  push it to the client-side security context. Then we attempt to call all methods on the sample EJB3 session and print the results of these calls.

Deploying and Running the EJB3 Sample Application on JBoss AS5

In order to get the sample application running you must first install the PicketLink jar files on JBoss. This is accomplished by copying picketlink-fed-1.0.3.jar and picketlink-bindings-jboss-1.0.3.jar (both attached to this document) to the lib folder of the server configuration you are going to run, JBOSS_HOME/server/<configuration>/lib (server/default/lib for the default configuration). After installing the required PicketLink libs you must copy ejb3-sampleapp.jar and picketlink-sts-1.0.0.war to JBOSS_HOME/server/<configuration>/deploy.

After copying the required PicketLink jars and deploying the sample application and the STS war, start that JBoss server configuration. If everything is ok, you should see something like the following in the log:

21:02:10,099 INFO  [SessionSpecContainer] Starting jboss.j2ee:jar=ejb3-sampleapp.jar,name=SimpleStatelessSessionBean,service=EJB3
21:02:10,108 INFO  [EJBContainer] STARTED EJB: org.jboss.test.security.ejb3.SimpleStatelessSessionBean ejbName: SimpleStatelessSessionBean
21:02:10,152 INFO  [JndiSessionRegistrarBase] Binding the following Entries in Global JNDI:

    SimpleStatelessSessionBean/remote - EJB3.x Default Remote Business Interface
    SimpleStatelessSessionBean/remote-org.jboss.test.security.ejb3.SimpleSession - EJB3.x Remote Business Interface

21:02:10,306 INFO  [TomcatDeployment] deploy, ctxPath=/
21:02:11,375 INFO  [WSDLFilePublisher] WSDL published to: file:/opt/workspace-jboss/jbossas-trunk/build/target/jboss-6.0.0-SNAPSHOT/server/default/data/wsdl/picketlink-sts-1.0.0.war/PicketLinkSTS.wsdl
21:02:11,482 INFO  [DefaultEndpointRegistry] register: jboss.ws:context=picketlink-sts-1.0.0,endpoint=PicketLinkSTS
21:02:11,543 INFO  [TomcatDeployment] deploy, ctxPath=/picketlink-sts-1.0.0

In order to compile the sample client application, you need to have ejb3-sampleapp.jar, picketlink-fed-1.0.3.jar (both attached in this document), and jbossall-client.jar (found in JBOSS_HOME/client) in your classpath. If using an IDE like Eclipse, all jars referenced by jbossall-client.jar will be automatically included in the classpath. If not, you may need to add these jars manually.

In order to run the client, all you have to do is specify the aforementioned classpath:

java -cp CLASSPATH test.SAMLEJB3IntegrationTest


If everything has been configured and deployed properly, you should see the following output:

Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
UserA invoking secure EJB3 session bean
UserA successfully called administrative method!
UserA successfully called regular method!
UserA successfully called unprotected method!
UserA is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
UserB invoking secure EJB3 session bean
UserB is not authorized to call administrative method!
UserB successfully called regular method!
UserB successfully called unprotected method!
UserB is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
UserC invoking secure EJB3 session bean
UserC is not authorized to call administrative method!
UserC is not authorized to call regular method!
UserC successfully called unprotected method!
UserC is not authorized to call unavailable method!

As we can see, each user had access to the expected methods. Authentication was performed by the SAML2STSLoginModule, which validated the supplied assertion with PicketLink STS, and the roles were provided by the UsersRolesLoginModule.

EJB2 Integration Example

In this section we present the EJB2 version of the sample application (ejb2-sampleapp.jar, which can be found attached to this document). The sample session bean performs the same operations as in the EJB3 example, but since EJB2 has no security annotations the authorization rules move from the code into the deployment descriptor. Let's take a look at the classes anyway.

The remote and home interfaces look as follows:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
import java.security.Principal;
 
import javax.ejb.EJBObject;
 
/**
*
* This is the remote interface of the session bean used in the EJB2 SAML security test.
*
*
* @author Stefan Guilhen
*/

public interface SimpleEJB2Session extends EJBObject
{
   /**
    *
    * This is a method available for regular users and administrators. The deployment descriptor must enforce that
    * only users in RegularUser or Administrator roles are granted access to this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeRegularMethod() throws RemoteException;
 
   /**
    *
    * This is a method available for administrators only. The deployment descriptor must enforce that only users in the
    * Administrator role are granted access to this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeAdministrativeMethod() throws RemoteException;
 
   /**
    *
    * This is a method available for all authenticated users, regardless of role. The deployment descriptor must
    * contain an {@code unchecked} element for this method.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeUnprotectedMethod() throws RemoteException;
 
   /**
    *
    * This is a method that is unavailable for all roles. The deployment descriptor must add this method to the
    * {@code exclude-list} element.
    *
    *
    * @return the caller's {@code Principal}.
    */

   public Principal invokeUnavailableMethod() throws RemoteException;
 
}

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
 
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
 
/**
*
* This is the home interface of the session bean used in the EJB2 SAML security test.
*
*
* @author Stefan Guilhen
*/

public interface SimpleEJB2SessionHome extends EJBHome
{
   /**
    *
    * Creates and returns a reference to the {@code SimpleEJB2Session} interface.
    *
    *
    * @return a reference to the {@code SimpleEJB2Session} remote interface.
    */

   public SimpleEJB2Session create() throws CreateException, RemoteException;
 
}

And here we can see the implementation class:

/*
* JBoss, Home of Professional Open Source.
* Copyright 2010, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.test.security.ejb2;
 
import java.rmi.RemoteException;
import java.security.Principal;
 
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
 
public class SimpleEJB2SessionBean implements SessionBean
{
    private SessionContext context;
 
    /**
     *
     * {@code ejbCreate} method required by the EJB2 specification.
     *
     *
     * @throws CreateException if an error occurs while creating the session bean.
     */

    public void ejbCreate() throws CreateException
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#ejbActivate()
     */

    public void ejbActivate()
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#ejbPassivate()
     */

    public void ejbPassivate()
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#ejbRemove()
     */

    public void ejbRemove()
    {
    }
 
    /*
     * (non-Javadoc)
     *
     * @see javax.ejb.SessionBean#setSessionContext(javax.ejb.SessionContext context)
     */

    public void setSessionContext(SessionContext context)
    {
        this.context = context;
    }
 
    /*
     * (non-Javadoc)
     *
     * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeRegularMethod()
     */

    public Principal invokeRegularMethod()
    {
       // this method can be invoked by RegularUser and Administrator roles.
       return this.context.getCallerPrincipal();
    }
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeAdministrativeMethod()
    */

   public Principal invokeAdministrativeMethod()
   {
      // this method can be invoked by the Administrator role only.
      return this.context.getCallerPrincipal();
   }
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeUnprotectedMethod()
    */

   public Principal invokeUnprotectedMethod()
   {
      // this method can be invoked by any role.
      return this.context.getCallerPrincipal();
   }
 
   /*
    * (non-Javadoc)
    *
    * @see org.jboss.test.security.ejb2.SimpleEJB2Session#invokeUnavailableMethod()
    */

   public Principal invokeUnavailableMethod()
   {
      // this method cannot be invoked by any role.
      throw new EJBException("Excluded method - no access should be allowed");
   }
}

The application policy definition (ejb2-sampleapp-jboss-beans.xml), the properties files used by the UsersRolesLoginModule, the STS configuration file, and the META-INF/jboss.xml file are all very similar to the ones found in the EJB3 example. For this reason we are not going to show them here.

Now, the authorization rules must be defined in the META-INF/ejb-jar.xml deployment descriptor:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC
      "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
      "http://java.sun.com/dtd/ejb-jar_2_0.dtd">

<ejb-jar>
   <description>EJB2 SAML Tests</description>
   <enterprise-beans>
      <session>
         <description>A secured stateless session bean</description>
         <ejb-name>SimpleEJB2Session</ejb-name>
         <home>org.jboss.test.security.ejb2.SimpleEJB2SessionHome</home>
         <remote>org.jboss.test.security.ejb2.SimpleEJB2Session</remote>
         <ejb-class>org.jboss.test.security.ejb2.SimpleEJB2SessionBean</ejb-class>
         <session-type>Stateless</session-type>
         <transaction-type>Container</transaction-type>
      </session>
   </enterprise-beans>

   <assembly-descriptor>
      <security-role>
         <description>The role required to invoke administrative methods</description>
         <role-name>Administrator</role-name>
      </security-role>
      <security-role>
         <description>The role required to invoke regular methods</description>
         <role-name>RegularUser</role-name>
      </security-role>

      <!-- methods that any authenticated caller may invoke -->
      <method-permission>
         <unchecked/>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-name>invokeUnprotectedMethod</method-name>
         </method>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-intf>Home</method-intf>
            <method-name>create</method-name>
         </method>
      </method-permission>

      <!-- Administrator may invoke every remote method -->
      <method-permission>
         <role-name>Administrator</role-name>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-intf>Remote</method-intf>
            <method-name>*</method-name>
         </method>
      </method-permission>

      <!-- RegularUser may invoke invokeRegularMethod only -->
      <method-permission>
         <role-name>RegularUser</role-name>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-intf>Remote</method-intf>
            <method-name>invokeRegularMethod</method-name>
         </method>
      </method-permission>

      <!-- methods that no role may invoke -->
      <exclude-list>
         <description>A method that no one can access in this deployment</description>
         <method>
            <ejb-name>SimpleEJB2Session</ejb-name>
            <method-name>invokeUnavailableMethod</method-name>
         </method>
      </exclude-list>
   </assembly-descriptor>
</ejb-jar>

As we can see, invokeUnprotectedMethod (and the home interface's create method) is unchecked and therefore available to every authenticated caller. The Administrator role can call all methods on the bean except invokeUnavailableMethod: the exclude-list takes precedence over any method-permission, including the wildcard "*" granted to Administrator. The RegularUser role is allowed to call only invokeRegularMethod besides the unprotected method, and a role that appears in no method-permission at all, such as Guest, gets only the unchecked methods.
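The precedence rules just described are easy to get wrong when reviewing a descriptor by eye, so here is an added example (not part of the original article, nor JBoss's own authorization code) that evaluates them over the assembly-descriptor above. The descriptor is embedded as a constant without its DOCTYPE so that parsing fetches no DTD, and the parser is configured to refuse DOCTYPEs and entity expansion. The evaluator applies exclude-list first, then unchecked, then role-name matches, and treats a method that no permission mentions as denied; that last default is an assumption made for the example, since containers differ in how they handle unlisted methods. method-params are not modelled, so overloaded methods are treated as one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EjbJarPermissionCheck {

    /** The assembly-descriptor shown above, embedded without the DOCTYPE so no DTD is fetched. */
    static final String EJB_JAR_XML =
        "<ejb-jar><assembly-descriptor>"
      + "<method-permission><unchecked/>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-name>invokeUnprotectedMethod</method-name></method>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-intf>Home</method-intf><method-name>create</method-name></method>"
      + "</method-permission>"
      + "<method-permission><role-name>Administrator</role-name>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-intf>Remote</method-intf><method-name>*</method-name></method>"
      + "</method-permission>"
      + "<method-permission><role-name>RegularUser</role-name>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-intf>Remote</method-intf><method-name>invokeRegularMethod</method-name></method>"
      + "</method-permission>"
      + "<exclude-list>"
      + "<method><ejb-name>SimpleEJB2Session</ejb-name><method-name>invokeUnavailableMethod</method-name></method>"
      + "</exclude-list>"
      + "</assembly-descriptor></ejb-jar>";

    /** Parses the descriptor with DOCTYPE and entity expansion disabled, so untrusted input cannot trigger XXE. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String text(Element e, String tag) {
        NodeList nl = e.getElementsByTagName(tag);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent().trim();
    }

    /** Does one <method> element cover this bean/interface/method? A missing method-intf matches any interface. */
    static boolean covers(Element m, String ejb, String intf, String method) {
        if (!ejb.equals(text(m, "ejb-name"))) return false;
        String wantIntf = text(m, "method-intf");
        if (wantIntf != null && !wantIntf.equals(intf)) return false;
        String name = text(m, "method-name");
        return "*".equals(name) || method.equals(name);
    }

    static boolean anyCovers(Element parent, String ejb, String intf, String method) {
        NodeList ms = parent.getElementsByTagName("method");
        for (int i = 0; i < ms.getLength(); i++)
            if (covers((Element) ms.item(i), ejb, intf, method)) return true;
        return false;
    }

    /** Precedence: exclude-list, then unchecked, then a listed role; anything unlisted is denied (assumption). */
    static boolean isAllowed(Document d, String ejb, String intf, String method, Set<String> roles) {
        NodeList ex = d.getElementsByTagName("exclude-list");
        for (int i = 0; i < ex.getLength(); i++)
            if (anyCovers((Element) ex.item(i), ejb, intf, method)) return false; // beats Administrator's "*"
        NodeList perms = d.getElementsByTagName("method-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            Element p = (Element) perms.item(i);
            if (!anyCovers(p, ejb, intf, method)) continue;
            if (p.getElementsByTagName("unchecked").getLength() > 0) return true; // any authenticated caller
            NodeList rs = p.getElementsByTagName("role-name");
            for (int j = 0; j < rs.getLength(); j++)
                if (roles.contains(rs.item(j).getTextContent().trim())) return true;
        }
        return false;
    }

    /** Prints the access matrix for the three roles used by the sample users. */
    public static void main(String[] args) throws Exception {
        Document d = parse(EJB_JAR_XML);
        List<String> methods = List.of("invokeAdministrativeMethod", "invokeRegularMethod",
                                       "invokeUnprotectedMethod", "invokeUnavailableMethod");
        for (String role : List.of("Administrator", "RegularUser", "Guest")) {
            StringBuilder row = new StringBuilder(role).append(':');
            for (String m : methods)
                row.append(' ').append(m).append('=').append(isAllowed(d, "SimpleEJB2Session", "Remote", m, Set.of(role)));
            row.append(" Home.create=").append(isAllowed(d, "SimpleEJB2Session", "Home", "create", Set.of(role)));
            System.out.println(row);
        }
    }
}
```

The rows it prints match the results the EJB3 client obtained above: Administrator is denied only invokeUnavailableMethod, RegularUser gets invokeRegularMethod and the unchecked methods, and Guest gets the unchecked methods alone. Feeding a descriptor with a new `*` wildcard or a misplaced method-intf into the same evaluator is a quick way to see which methods a change silently opens up.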

Client Application

The client application for the EJB2 example is also very similar to the one used to test the EJB3 SAML integration. The main differences are the lookup code (a home interface is looked up and create() is called) and the way the client-side security context is established: instead of the SecurityClient API, the assertion is passed as the JNDI security credential through JndiLoginInitialContextFactory.

/*
* JBoss, Home of Professional Open Source Copyright 2010, Red Hat Middleware
* LLC, and individual contributors by the @authors tag. See the copyright.txt
* in the distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This software is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this software; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
* site: http://www.fsf.org.
*/

package test;
 
import java.rmi.AccessException;
import java.security.Principal;
import java.util.Hashtable;
 
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
 
import org.jboss.test.security.ejb2.SimpleEJB2Session;
import org.jboss.test.security.ejb2.SimpleEJB2SessionHome;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;
 
/**
*
* This class tests the usage of SAML assertions to authenticate clients of EJB2 applications on JBoss. This is
* accomplished by having the client first obtain a SAML assertion from the PicketLink STS service and then use
* the assertion as the credential when calling the protected EJB2.
*
*
* The protected EJB2 application used in this test has configured the {@code SAML2STSLoginModule}. This login
* module sends the SAML assertion to the STS for validation in order to authenticate the caller. A second login
* module, {@code UsersRolesLoginModule}, has been used to provide the client's roles.
*
*
* @author Stefan Guilhen
*/

public class SAMLEJB2IntegrationTest
{
 
   private Hashtable<String, Object> env;
  
   public static void main(String[] args) throws Exception
   {
      SAMLEJB2IntegrationTest test = new SAMLEJB2IntegrationTest();
      test.testSAMLEJB2Integration("UserA", "PassA");
      test.testSAMLEJB2Integration("UserB", "PassB");
      test.testSAMLEJB2Integration("UserC", "PassC");
   }
  
   public SAMLEJB2IntegrationTest()
   {
      // initialize the JNDI env that will be used to lookup the test EJB.
      this.env = new Hashtable<String, Object>();
      this.env.put("java.naming.factory.initial", "org.jboss.security.jndi.JndiLoginInitialContextFactory");
      this.env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
      this.env.put("java.naming.provider.url", "localhost:1099");
   }
  
   public void testSAMLEJB2Integration(String username, String password) throws Exception
   {
      // create a WSTrustClient instance.
      WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
            "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS",
            new SecurityInfo(username, password));
     
      // issue a SAML assertion using the client API.
      Element assertion = null;
      try
      {
         System.out.println("\nInvoking token service to get SAML assertion for " + username);
         assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
         System.out.println("SAML assertion for " + username + " successfully obtained!");
      }
      catch (WSTrustException wse)
      {
         System.out.println("Unable to issue assertion: " + wse.getMessage());
         wse.printStackTrace();
         System.exit(1);
      }
 
      // invoke the remote EJB using the assertion as the credential.
      this.env.put("java.naming.security.principal", username);
      this.env.put("java.naming.security.credentials", new SamlCredential(assertion));
 
      System.out.println("Invoking secure EJB2 session bean with " + username + " SAML assertion");
      Context context = new InitialContext(env);
      Object object = context.lookup("SimpleEJB2Session/home");
      SimpleEJB2SessionHome home = (SimpleEJB2SessionHome) PortableRemoteObject.narrow(object, SimpleEJB2SessionHome.class);
      SimpleEJB2Session session = home.create();
     
      // invoke method that requires the Administrator role.
      try
      {
         Principal principal = session.invokeAdministrativeMethod();
         System.out.println("User " + principal.getName() + " successfully called administrative method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call administrative method!");
      }
     
      // invoke method that requires the RegularUser role.
      try
      {
         Principal principal = session.invokeRegularMethod();
         System.out.println("User " + principal.getName() + " successfully called regular method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call regular method!");
      }
 
      // invoke method that allows all roles.
      try
      {
         Principal principal = session.invokeUnprotectedMethod();
         System.out.println("User " + principal.getName() + " successfully called unprotected method!");
      }
      catch (AccessException ae)
      {
         // this should never happen as long as the user has successfully authenticated.
         System.out.println("User " + username + " is not authorized to call unprotected method!");
      }
 
      // invoke method that denies access to all roles.
      try
      {
         Principal principal = session.invokeUnavailableMethod();
         // this should never happen because the method should deny access to all roles.
         System.out.println("User " + principal.getName() + " successfully called unavailable method!");
      }
      catch (AccessException ae)
      {
         System.out.println("User " + username + " is not authorized to call unavailable method!");
      }
 
   }
}

In this case we are using the JndiLoginInitialContextFactory to set the SAML assertion in the security context just to show an alternative to the SecurityClient API. The JndiLoginInitialContextFactory gets the principal and credentials from the InitialContext properties and pushes them to the security context.

NOTE: The JndiLoginInitialContextFactory approach doesn't work for EJB3 beans on JBoss AS 5.1.0.GA. An issue (JBAS-7010) has been flagged and a fix is available for JBoss 5 EAP and JBoss AS 6. So if you are using JBoss AS 5.1.0.GA make sure to use the SecurityClient API to invoke EJB3 beans using SAML.

Deploying and Running the EJB2 Sample Application on JBoss AS5

If the PicketLink libs haven't been installed yet, you need to do this before deploying the sample application and the STS. This is accomplished by copying the picketlink-fed-1.0.3.jar and picketlink-bindings-jboss-1.0.3.jar files (both attached to this document) to the JBOSS_HOME/server/partition/lib folder. After installing the required PicketLink libs you must copy ejb2-sampleapp.jar and picketlink-sts-1.0.0.war to JBOSS_HOME/server/partition/deploy.

In order to compile the EJB 2 sample client application, you need to have ejb2-sampleapp.jar, picketlink-fed-1.0.3.jar (both found in this document), and jbossall-client.jar (found in JBOSS_HOME/client) in your classpath. If using an IDE like Eclipse, all jars referenced by jbossall-client.jar will be automatically included in the classpath. If not, you may need to add these jars manually.

In order to run the client, just specify the aforementioned classpath:

java -cp CLASSPATH test.SAMLEJB2IntegrationTest
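
The install, compile and run steps above, gathered into a preflight script as an added example (not part of the original article or the PicketLink project): it checks that the libs and artifacts the article names are in place before building the classpath and running the client. The JBOSS_HOME default, the PARTITION name, the CLIENT_LIB directory holding the downloaded jars and the test/SAMLEJB2IntegrationTest.java source path are assumptions.

```shell
#!/bin/sh
# Added example: preflight and run script for the EJB2 sample client.
# Assumed defaults; override them in the environment.
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-5.1.0.GA}"
PARTITION="${PARTITION:-default}"

# Print the files from "$@" that are absent from directory $1; return 1 if any are missing.
missing_files() {
    dir="$1"; shift
    missing=""
    for f in "$@"; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# Verify the PicketLink libs are in server/<partition>/lib and the sample app
# plus the STS war are in server/<partition>/deploy, as the article requires.
check_server_install() {
    home="$1"; part="$2"; ok=0
    m=$(missing_files "$home/server/$part/lib" picketlink-fed-1.0.3.jar picketlink-bindings-jboss-1.0.3.jar) \
        || { echo "missing from server/$part/lib: $m" >&2; ok=1; }
    m=$(missing_files "$home/server/$part/deploy" ejb2-sampleapp.jar picketlink-sts-1.0.0.war) \
        || { echo "missing from server/$part/deploy: $m" >&2; ok=1; }
    return $ok
}

# Client classpath: the sample jar and picketlink-fed from the download
# directory $2, plus jbossall-client.jar from JBOSS_HOME/client ($1).
client_classpath() {
    home="$1"; libdir="$2"
    printf '%s:%s:%s' "$libdir/ejb2-sampleapp.jar" "$libdir/picketlink-fed-1.0.3.jar" \
        "$home/client/jbossall-client.jar"
}

# Compile and run the client only when invoked with RUN_CLIENT=1, so the
# functions above can be sourced and checked without a running server.
if [ "${RUN_CLIENT:-0}" = 1 ]; then
    check_server_install "$JBOSS_HOME" "$PARTITION" || exit 1
    CP="$(client_classpath "$JBOSS_HOME" "${CLIENT_LIB:-.}")"
    javac -cp "$CP" -d . test/SAMLEJB2IntegrationTest.java \
        && java -cp "$CP:." test.SAMLEJB2IntegrationTest
fi
```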

If everything has been configured and deployed properly, you should see the following output (similar to the output produced by the EJB3 client application we've shown before):

Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
Invoking secure EJB2 session bean with UserA SAML assertion
User UserA successfully called administrative method!
User UserA successfully called regular method!
User UserA successfully called unprotected method!
User UserA is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
Invoking secure EJB2 session bean with UserB SAML assertion
User UserB is not authorized to call administrative method!
User UserB successfully called regular method!
User UserB successfully called unprotected method!
User UserB is not authorized to call unavailable method!

Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
Invoking secure EJB2 session bean with UserC SAML assertion
User UserC is not authorized to call administrative method!
User UserC is not authorized to call regular method!
User UserC successfully called unprotected method!
User UserC is not authorized to call unavailable method!
