摘要: 加入PGP行列,享受免費身份服務
閱讀全文
近日, 朋友告訴我<<
深入Java 2平臺安全--體系架構、API設計和實現(第二版)>>這本書已經出版:
http://www.china-pub.com/computers/common/info.asp?id=14712英文原版的書名是
| Inside Sun? 2 Platform Security: Architecture, API Design, and Implementation, Second Edition |
我粗看了一下,發現書評中很多對本書翻譯質量的懷疑,下載了Sample章節,粗看了一下,發現未
盡人意,確實會給讀者的理解帶來很大的困難。
我覺得Security的興趣者無需太關注中文譯作,也不需質疑譯者和出版商,因為翻譯Security Topic的書籍
本身是一件非常困難的事情,除非譯者對Java Security的概念非常清晰,否則即使哪怕是一個概念上的誤譯,
到可能會導致讀者產生很離譜的誤解。
Sun Security的內容不象一些實踐性的topic,如Spring,Hibernate,Ajax那樣,可以通過大量的Sample來解釋,
它需要讀者具備一定的Security概念基礎后,才能解釋清楚(即概念的理解門檻比較高)。
所以,我還是建議,對于宮力大牛的大作,還是主張看英文版和JDK Specification,其實Sun的Java Security的
Spesification很多都是出自宮力之手,看著些Spesification當然沒有看故事書那么舒服,但認真咀嚼幾次,效果
總比看那些容易導致誤解的譯作要好得多。
目前,Java Security的書基本上有兩本:
IBM專家組們編寫的:
Sun專家組編寫的:
| Inside Sun? 2 Platform Security: Architecture, API Design, and Implementation, Second Edition |
| By Li?Gong, Gary?Ellison, Mary?Dageforde |
| ? | |
| Publisher | : Addison Wesley |
| Pub Date | : June 06, 2003 |
| ISBN | : 0-201-78791-1 |
| Pages | : 384 |
| Slots | : 1 |
這兩本書,前者更關注于J2EE實踐的角度出發,后者更偏重于從基礎概念與Java Platform的角度出發,都是很好的書,
很容易就能Emule到這兩本書。
我個人更偏向建議讀者先細讀后一本,然后再粗看前一本書的一些topic。
兩本書都基本上都沒有花很大力去解析Java沙箱(SandBox),Java權限控制模型等這些比較難搞得概念,有點遺憾,希望
自己也能盡快抽時間提供一篇深入淺出于Java Security的文章:)
摘要: 本文介紹了如何(用BouncyCastle提供的SecurityProvider)從pfx/p12證書文件中提取信息(如算法類型,算法長度,Subject信息,Issuer信息等)
閱讀全文
摘要: 本文簡要介紹如何CAS Proxy的原理及配置
閱讀全文
在GZFB群聽Rayman說,要搞Confluence跟AD的集成認證,由于沒聽清楚,還以為是SSO,立馬打開Confluence跟LDAP集成的文檔,細看了一把,發現并沒有實現域用戶到Confluence的SSO,只是Confluence做了一個LdapProvider,能夠讓用戶的認證實現轉移到LDAP上。
http://confluence.atlassian.com/display/DOC/Enable+LDAP+authentication該文檔是完整并且正確的,配置也非常簡單,Rayman很快就配置好了。我后來發現他的配置方法跟上述方法不一樣,他是根據以下的文檔配置的:
http://confluence.atlassian.com/display/DEV/Confluence+LDAP+Integration這兩種配置方式由比較大的區別:如果你的Confluence跟JIRA捆綁,請使用前者,否則,建議用后者。
最后,隆重推薦Rayman的Blog:
http://raymanzhang.cnblogs.com/一個曾經編寫了MDict的好同志
近日,我跟很多朋友討論如何提高自己的Blog在Google的排名我列舉一些比較重要的因素,其中,
1,內容的專業性,這一點可能Google會對你網頁做定性分析。
2,被Rank值很高的網站指向你,如果你的Blog的Link出現在IBM.com(9)/AOL.com(9)的首頁,那我估計你的Rank不會少于5.
3,寫Blog的同時要提供Blog的關鍵字,同時也是職業操守。
4,加入Google廣告,這個比較簡單,以我自己的Blog為例(http://openss.blogjava.net),
我在Blogjava的(cnblog.com也是一樣的)
管理->選項->Configure->公告
管理->選項->Configure->子標題
插入以下的Google廣告的JS代碼:
<script type="text/javascript">
<!--
google_ad_client = "pub-6825418521341757";
google_ad_width = 120;
google_ad_height = 240;
google_ad_format = "120x240_as";
google_ad_type = "text_image";
google_ad_channel ="6369214374";
google_color_border = "336699";
google_color_bg = "FFFFFF";
google_color_link = "0000FF";
google_color_url = "008000";
google_color_text = "000000";
//--></script>
<script type="text/javascript"
? src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
過1-2個月,你就會發現Rank值提高了。歡迎各位同胞加入討論。
摘要: SOA——號稱解凍2000億美金IT凍結資產的主要手段
閱讀全文
1,構造一個干凈的域,域名為domain002
2,構造該域里面的用戶
weblogic The default administration user DefaultAuthenticator
user0001 weblogic DefaultAuthenticator
user0002 user0002 DefaultAuthenticator
3,建立一個組,weblogicAdmin,同時在AD中也建立一個這樣的組
注意,在AD中的users而不是Builtin里面建組,因為兩者的DN是不一樣的。
4,將所有Weblogic中的user0001用戶都加入到改組。
5,測試AD的可連接性,下載一個LDAP Browser。
6,在Weblogic Console中的Security->Realm的Authentication配置一個新的LDAP Provider,類型為:Configure a new Active Directory Authenticator...
7,配置參數:
i) 轉到Active Directory那一Tab,看到HOST了吧?
HOST為你的AD的IP或者主機名,AD默認端口是389
ii) Principal為CN=user0001,CN=Users,DC=dlsvr,DC=com
其中,DC=dlsvr,DC=com為我的服務器的RootDN(例如DC=ibm,DC=com)
很討厭AD的一個地方是它采用與其他LDAP不一樣的命名方法,他用CN=User而不是OU=....,所以我前面的步驟才需要建立一個welogicAdmin的組。
iii)Credential為AD中user0001的密碼。
注意:ii)和iii)是用于連接AD用的,構造一個LDAPConnection需要用戶名密碼的,懂不懂:)
轉到user tab
iv) User Name Attribute:user0001
v) User Base DN:CN=Users,DC=dlsvr,DC=com
轉到group tab
vi) Group Base DN:CN=weblogicAdmin,CN=Users,DC=dlsvr,DC=com
vii) weblogicAdmin
保存
關鍵的步驟到了:
Security->Realms->myrealm->Providers->Authentication
有沒有看到Re-order the Configured Authentication Providers
對,就是這里需要調整一下順序。
把ActiveDirectoryAuthenticator調整到最上面(優先級最高)
然后設置ActiveDirectoryAuthenticator的General頁里面的Control Flag為Required。
接著DefaultAuthenticator里面的設成是OPTIONAL。
于是,AD取代了以前的DefaultAuthenticator了,如果兩個都Requried,那么也你要接受雙重認證,汗......一般不需要這樣。
注意:boot.properties里面的默認的Weblogic啟動賬號同樣受AD影響,你如果在AD里面禁止了Weblogic這個賬號,我保證你WLS啟動不了
本來,使用j_security_check是最簡單的Build-in認證方式,但CAS有自己的登錄入口,即login servlet,如果用該servlet,必須自己動手完成JAAS的登錄。于是,開始擴展CAS的edu.yale.its.tp.cas.auth.provider,在該包中的provider都擴展自authHandler接口,而CAS是在web.xml中定義了最終使用哪一個authHandler。
edu.yale.its.tp.cas.authHandler
edu.yale.its.tp.cas.auth.provider.WeblogicHandler
我自己寫了一個WeblogicHandler(edu.yale.its.tp.cas.auth.provider包中),專門讓CAS登錄到Weblogic Server,事實上,將來如果不用WLS,還可能使用Websphere,Jboss,AD之類。
后來發現,雖然能loginContext拿到Subject,但該Subject的Principal不能被頁面的request.getPrincipal()所取得,醒悟自己在做JAAS Login,查看weblogic文檔,原來Weblogic提供了
weblogic.servlet.security.ServletAuthentication
用于在Servlet端調用JAAS接口進行登錄,通過該接口登錄后,就如同User使用了標準的登錄機制登入了Weblogic。
于是,立即修改了login servlet測試一下,加入
try {
CallbackHandler handler = new SimpleCallbackHandler(
request.getParameter("username"),
request.getParameter("password"));
Subject mySubject = weblogic.security.services.Authentication
.login(handler);
weblogic.servlet.security.ServletAuthentication.runAs(
mySubject, request);
System.out.println("mySubject[" +mySubject.toString()+"]"+
"寫入Session");
} catch (LoginException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
然后,頁面果然就能拿到Pincipal了。
今天,有朋友在配置Tomcat SSL的時候,出現如下的異常:
java.security.UnrecoverableKeyException: Cannot recover key
而且他已經正確配置了keystoreFile和keystorePass。
后來我發現,他對Keystore中的Key使用了Password保護,而且
保護這個KeyEntry的KeyPass!=KeyStore的Keypass,導致出錯,
Tomcat SSL要求這兩個密碼必須相等。
解決辦法:
keytool -keypasswd -v -alias mykeyalias -keypass noequalpass -new equalpass -keystore mykeystore.jks -storepass equalpass
其中, mykeyalias是key在keystore中的別名,-keypass后面跟key的舊密碼"noequalpass", -new 是新密碼"equalpass",注意新密碼跟storepass一致。
附:Weblogic是支持不一致的KeystorePass和KeyPass的。
摘要: 如果不是從PirvilegedAction中擴展的類,那麼調用其中的方法JVM還會不會執行權限檢查?
閱讀全文
摘要: 2005年中國軟件產業最大規模前100家企業名單
閱讀全文
如果通過Windows的網絡屬性修改Ip/網關,真是太麻煩了。
最近一個項目經常要切換ip,所以我寫了兩個腳本:
c:\116.bat
netsh interface ip set address "本地連接" static 10.45.128.116 255.255.255.0 10.45.128.254 1
c:\172.bat
netsh interface ip set address "本地連接" static 172.17.9.222 255.255.255.0 172.17.9.51 1
這樣就可以設置IP/Mask/GateWay了,netsh命令真方便!
摘要: BEA Workshop Studio 3.0 依靠易用性和強大功能贏得EclipseCon2006的基于EC的開發工具第一首先
閱讀全文
摘要: Geronimo是IBM為第三世界準備的嗎?Beehive是BEA內部的次品代碼?
閱讀全文
摘要: BEA和IBM聯合發布了SDO規范,JCP似乎被忽略了,Java標準究竟由誰制定?
閱讀全文
摘要: 回答困撓人的javax.security.auth.login.LoginException:沒有為 XXX 配置LoginModules問題
閱讀全文
摘要: 關注最新的EclipseCon上,將有哪些精彩的Topic
閱讀全文
摘要: 發布Eclipse的Keytool Eclipse Plugin——代號SecureX
版本1.0.0
閱讀全文
摘要: 一個很簡單Emditor/Editplus的正則表達式用法,替換一個日期
閱讀全文
Stylus Studio 2006,世界上領先的XML Schema工具,stylus studio網站發布了幾個充分展示stylusstudio工具的視頻:
http://www.stylusstudio.com/videos/xmlschema1/xmlschema1.html包括下面的功能展示,非常值得一看。
How to generate an XML schema from an XML document
Generating XML schema from EDIFACT or X12
Creating an XML Schema from an existing DTD
How to associate an XML schema with an XML document
Troubleshooting and validating XML documents against their associated XML Schema
Visualizing an XML data model using Stylus Studio XML Schema's synchronized diagram view
Generating XML Schema Documentation using either the XS3P or XSD-doc formats
Navigating XML Schema types in Stylus Studio, including externally defined schema components
Modifying an XML Schema data model including: inserting a sequence, choice, or all compositor, and adding XML attributes
Drag and Drop, Copy-Paste operations in the XML Schema Editor
Refactoring of an XML Schema fragment
Generating XML instances corresponding to XML Schema components
Configuring the XML Schema diagram display options
Viewing and modifying XML Schema properties
(2006-03-14 20:03:53) 婷婷(16556907)
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
這個是因為你沒有裝好TrustCerts,如果你是用Tomcat,請務必檢查Tomcat使用的JDK下的JRE(jre/lib/security/cacerts)中,是否已經安裝了包含你所需的信任證書,如果沒有,請Import,Keytool -import的命令,很簡單的,如果你用的是Weblogic,你看看Weblogic Console的Keystore配置,有兩項,你關注的應該是TrustKeystore的屬性,里面默認的信任證書都是老外的那些,往里面Import你的證書就ok了。
禁止back space鍵:<body onkeydown="if(event.keyCode==8) return false;">
禁止ctrl+n:onkeydown="if(event.keyCode==78 && event.ctrlKey) return false;"
當我們不想讓用戶后退到a頁面
可以在a頁面跳轉后將a頁面的window.location=b頁面url,
這樣后來用戶想后退到a頁面時,進入的就是b頁面
使用java提供的方法,在jsp或者servlet中都可以
<%
response.setHeader("Pragma","No-cache");
response.setHeader("Cache-Control","no-cache");
response.setDateHeader("Expires",0);
%>
2,使用HTML標記,如下面:
<HEAD>
<METAHTTP-EQUIV="Pragma"CONTENT="no-cache">
<METAHTTP-EQUIV="Cache-Control"CONTENT="no-cache">
<METAHTTP-EQUIV="Expires"CONTENT="0">
</HEAD>
HKEY_CURRENT_USERSoftware\Policies\Microsoft\Internet Explorer\Restrictions
適用范圍:Windows NT/2000
通過修改注冊表,可以禁止用戶使用IE瀏覽器的“前進”/“后退”按鈕。
步驟1:運行注冊表編輯器,找到HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions子鍵。
步驟2:找到或新建“NoNavButtons”鍵值項,其數據類型是“字符串值”,設置其鍵值為“1”,表示禁用IE瀏覽器的“前進”/“后退”按鈕;設置其值為“0”,則表示啟用IE瀏覽器的“前進”/“后退”按鈕。
注意
如果希望修改計算機所有用戶的設置,其相應操作子鍵為: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\lnternet Explorer\Restions。同樣子鍵lnternet Explorer和Restrictions的鍵值項都必須新建。
<script language="JavaScript">
<!--
javascript:window.history.forward(1);
//-->
</script>
靈感寫回憶錄(118978) 10:48:44
要跳轉頁面的時候,this.location.replace("FooURL.html");便可,這樣連回退圖標都沒有
靈感寫回憶錄(118978) 10:49:07
喔,好像是location.href.replace,反正就是這樣,好久沒有寫了
摘要: 介紹如何使用PGP對BLog文章簽名
閱讀全文
據官方最新Security Advisories and Notifications報告(BEA06-118.00)顯示:
WeblogicServer的SSL身份信息會被惡意Application盜用。
威脅程度:低
嚴重程度:中等
WeblogicServer的SSL配置分兩部分,第一部分是Identtiy Keystore,第二部分是Trust Keystore,
BEA06-118.00揭示,當WeblogicServer被部署不信任的應用的時候,要額外小心,因為部署
在Weblogic Server上的應用可以使用你的Identity KeyStore來向其他Client偽冒身份。
后果是,Weblogic Server的身份被盜用。
Weblogic Server Sp4以前的版本都存在這個問題,必須通過SP5打包來解決這個問題。
下面是Solution:
- 將WebLogic Server 和WebLogic Express 8.1升級到 Service Pack 5.
- 安裝下面的補丁:
ftp://ftpna.beasys.com/pub/releases/security/CR243498_810sp5.zip
- 解壓并按照里面的Readme提示進行安裝
近日,在Matrix Security版上(
http://www.matrix.org.cn/thread.shtml?topicId=39543&forumId=55)提出一個問題,即他的程序不能正確運行,拋出異常Exception in thread "main" java.security.InvalidKeyException: Illegal key size。
我運行一下它的程序,Work Fine。
我發現很多人都遇到這樣的問題,而我自己的習慣是,每當我安裝JDK的時候,我總是非常討厭它已有的Policy File,我會立即到SUN的網站下載最"強"的PolicyFile(
http://java.sun.com/j2se/1.5.0/download.jsp#docs),安裝它可以解決讓你算法中的Key長度增加很多(更加安全),從而解決上面的Illegal key size的問題。
你可能問,為何SUN不把它集成到JDK中去而單獨弄一個鏈接出來給人下載?那是因為每個國家,尤其是美國,對涉及密碼的軟件產品控制非常嚴格,在美國國內,很多密碼算法長度都作了限制,而且某些算法在某些國家沒有申請專利,可以"濫"用,而在某些國家卻做了明確限制,不準使用,如此前提下,Sun必須按照慣例行事:)
Blended的意思是混合,意指開發的時候,用戶可以同時采用商業框架和開源框架。
BEA的現在的CEO,技術總裁(胖胖的那個),曾經說過,BEA是第一個開始從“究竟是否在商業產品中采用開源框架的問題”上脫離出來,而著手于如何讓用戶在開源框架和BEA先進的開發工具和平臺結合的基礎上受惠的公司。因此,Blended的含義我個人認為是,BEA已經開始憑借開源框架和IBM,Oracle等傳統封閉式體系的中間件提供商進行下一輪競爭,Blended讓BEA比IBM和Oracle更具有優勢,理由很簡單:第一,BEA的AquaLogic體系基本上是開放式,它不假定依賴于任何的產品如OS,DB。IBM,Oracle對開放式的態度不能夠跟BEA等同,因為他們有自己的DB2, Oracle9i。
第二,IBM和Oracle在捆綁式銷售方面曾經壓住了BEA,的確,捆綁式很有效,比如,買DB2+AIX,WebSphere就給你50%discount。但如今,BEA說,我的Weblogic支持Spring,Hibernate,甚至AppFuse.....對開發人員來說,這一切都太吸引了,你似乎選擇更小了。
Blended肯定會讓BEA走出困境,打破IBM和Oracle傳統的封閉式產品捆綁策略,讓開發人員迅速向AquaLogic Platform靠攏,憑借這一點,BEA足以在Apache,Eclipse社區建立威信,從而可以在未來的SOA標準制定上有更大的發言權。
3月份,在全球有三個BEA UserGroup講座值得關注,
第一個在3月8日(即明天),Eric Pascarello(Ajax in Action作者)在馬里蘭UG介紹Ajax的體系。
http://dev2dev.bea.com/pub/e/873第2個是NQ Suite的作者JackBe,他將于3月9日在華盛頓UG介紹如何構建安全,高性能和可擴展的Ajax應用,JackBe被公認為是Ajax領域的先鋒。
http://dev2dev.bea.com/pub/e/875第3個在莊表偉和曹曉剛將在3月12日在廣州UG聯手為我們講述RIA技術的體系和設計,前者將著重從體系架構的角度講述AJAX技術的設計模式,后者將著重以開發角度為我們講述設計一個RIA的應用的過程。
http://dev2dev.bea.com.cn/bbs/thread.jspa?forumID=29304&threadID=32776&tstart=0
摘要: 關于第2次BEA UserGroup的演講內容
閱讀全文
近日,BEA建議我提交廣州UG組織人員名單,并嘗試讓廣州UG在全國作為試點舉行俱樂部
制形式,這樣UG的活動范圍和形式更加多樣化,同時,BEA也會增加對UG的投入。
UG的目的非常明確,它希望增加程序員的影響力,當許多優秀程序員能夠組織起來,我們
或許能夠在某天實施程序員價值觀的反攻。
程序員的勞動并不卑微,因為程序員有能力改造信息世界,假如信息是你生活的一部分,請
尊重程序員。因為,Program is undercontrol by Programmer....
另外,各位參加Speaker的演講資料已經送審至BEA,由BEA統一安排。
鑒于BEA Speaker的演講主題可能由BEA統一規劃,所以,不一定在安排這次BEA UG活動中,
有可能安排在下次活動中。
人類生活在一個非常不安全的環境中,程序員也是。
以P2P信息為例,我們向網絡發布信息M1,M1能夠被你的支持者瀏覽到,同時也能被你的反對者看到,你有朋友,也有敵人。沒錯,我想講的話題是如何構建堅固的信任網絡,這種信任網絡能夠抵抗任何密碼分析。
比如,發布者A在網絡上發布<<XXXXXX的血案>>,很快,它會被掃描到并迅速被清理掉,究其原因,2點:
1,你發布信息的平臺不安全
2,你發布信息的方法不安全
針對1,平臺的不安全性是不能通過信息化制度來解決的,比如,你希望在163.com上發布信息M2,M3,但163.com不是一個開放式的自由平臺,你的信息M2,M3隨時可能被刪除,P2P很好,但它容易被封鎖,eDonkey的服務器在瑞士被封殺,負責人被拘留,這不能不引起我們的警示。如果,P2P的未來始終讓我感到堪憂。
針對2,那真的很直觀,有一個好消息,我們國家最近聲明沒有人因為發表不適宜的網絡言論被捕,這很好很好,但我還是希望有能力保障這一點,香港不是有人因為做P2P種子被判入獄,感到惋惜之際,它讓看到另一個賣點,匿名發布信息。
請讓我把話題帶入到——假定網絡不會被徹底隔離,但不信任的網絡環境下,我們如何最大限度地自由的工作?
I Guess it would be 信任擴張。
信任擴張的特點是:
1,我只發送信息給我信任的人
2,只有我信任的人才能看到我發送的信息
這通過PKI很容易解決,但我們如何能做到匿名性呢?
比如A同志需要發送M3給C同志,這個過程可能會被反對者U知道,于是,反對者擁有你發布的消息的證據,這一點可以通過間接發送來減少風險,即A指定B來發送M3給C,隨著間接發送者的個數的增加,反對者U要做的工作會越來越困難。
但問題是你A信任的B,C可能互相不信任,這違反了1,頭痛....
思路阻塞,今天只想到這里,明天繼續寫:)
今年,BEA力推Weblogic 9和SQA,產品線方面,我感覺BEA戰略開始向開源團體又邁進了一步,從BEAWorld2005以來,從Dev2dev.com網站可以看到不少關于如何在Weblogic上整合開源框架的文章,其中,我看到很多BEA資深工程師編寫關于Spring,Hibernate等技術的文章,不僅如此,我已經可以感受到Weblogic在改善用戶在WLS/WLP平臺上使用Spring,Hibernate所作出的努力,這種努力體現為,Weblogic改善了對AOP的支持,增加了Weblogic Platform體系的透明度,優化對Hibernate的性能等,并且,我在Dev2dev.com看到不少開源代碼框架,利用它們可以簡化我們在Weblogic Platform上部署開源框架的難度。
開源(OpenSource)是今年J2EE生態圈的主題,我認為它是未來2-3年的游戲規則,至少它是J2EE供應商(包括BEA、IBM、Oracle)和J2EE集成商都必須正視的一個問題,從Apache/Eclipse組織的發展態勢,我覺得它已經取得巨大的成功,現在,即使是任何一家J2EE公司都不敢無視Apache/Eclipse的一舉一動,輕視它們的后果可以見諸于Borland,一家曾經是領先的J2EE工具提供商,現在游戲規則已經幾乎將他驅出生態圈。
從去年,我已經感受到一種內在的驅動力在BEA.COM網站映射出來,今年開始,我從官方網站至少得到2個非常直觀但是非常有意義的信息:
1, 在開發工具上,BEA將Workshop Studio整合得非常強大,目的很明確,搶占國內開發者市場,目前,有兩種非常優秀的技術在Weblogic框架下,一種叫做Spring MVC,一種叫做PageFlow,一直以來,包括在早期的Workshop版本中,PageFlow都是BEA提倡的標準,其實它是Strut的衍生物,后來,自從Spring MVC面世后,這兩種技術開始正面碰撞,很難說從技術角度來判斷哪一種更優秀,但Spring MVC已經有足夠足夠大的開發者團體,BEA開始提供支持。通常,按照一家巨頭公司,比如IBM或者Oracle,他們的開發工具總是有一種很強烈的偏向,即以某一種技術框架來培養開發者的開發習慣,從而讓開發者限制與某一種技術框架中去 (這樣說其實我是想提及Microsoft)。BEA現在的策略其實很明確——SOA,從產品策略轉向服務策略,因此,在產品線上,它比然要以Customer和Developer為中心,因此,最終的結果是BEA的開發工具走向開源。
這對于所有客戶和開發者是一件絕對令人振奮的消息,最近,Rod.Johnson在提及BEA Workshop的時候:“Developers are using open source frameworks such as Spring to simplify writing enterprise Java applications, The latest release of BEA Workshop Studio is designed to make it easier to use Eclipse and develop in Spring. BEA’s continued support of the open source community can help to foster future innovation in the J2EE community.”
2, 在Weblogic應用框架上,BEA至少從兩方面增強了其對Spring的支持,第一,BEA提供了經過嚴格測試的適合在Weblogic Server上運行Spring版本(目前的版本是1.2.6),如果Spring開發團體能在3月底推出Spring 2.0,那么,國內用戶可能有望在4月份看到Weblogic的Spring 2.0版本了:)第二,Weblogic Portal也從很多地方增強了Spring的支持,官方網站提到可以從Portal上的porlet直接Call Spring的Bean。BEA的對Spring/Hibernate等開源框架的支持,其實理由很簡單,因為它的Customer都在悄悄地使用這些技術了,無論在美國還是在中國,Spring已經被大量應用于政府,銀行,電信,電力等企業部門,是鐵板的事實,無論從開發者的角度還是客戶的角度,Spring都能大大簡化應用程序的開發和部署,BEA所做的一切純粹是順應客戶的要求。
對于BEA UG,我想也是很多人在關注Spring,看看BEA社團的消息,可以得知不少BEA在美國的馬里蘭州的UserGroup已經成功舉行了一次關于Spring在Weblogic9.2的實踐研討(http://dev2dev.bea.com/pub/e/854),這正是我想安排在下次廣州BEA的議題,因為廣州這邊,電信,電力,地稅等政府部門已經在研究Weblogic 9.2的可行性了。3月份將有很多精彩的BEA演講,大頭當然包含Rod Johnson和Patrick Linskey(大家跟他的在BEAWorld2005合照還在吧)在倫敦UG上的Spring框架在Weblogic上應用實踐探討,我把這些跟Spring相關的BEA UG研討會羅列一下:
1 BEA UK User Group: Building Enterprise Java Applications with WebLogic and the Spring Framework
In this talk Rod Johnson and Rob Harrop of Interface21 will explain how the Spring Framework can be used with BEA WebLogic to efficiently create powerful and flexible enterprise applications.
2 Advanced Kodo Topics – Blending Kodo with Spring (Webinar)
In this webinar, Rod Johnson and Patrick Linskey will introduce the audience to how to use the popular Spring Framework with the standards-based Kodo persistence framework.
3 Silicon Valley BEA dev2dev User Group: Use of the Spring Framework to Simplify Development of Applications Deployed on WebLogic Server
The use of the Spring Framework to simplify development of applications deployed on BEA's WebLogic Server.
今年,SpringSide(www.springside.org.cn)社團成立, 作為一個開源社團,所有成員做出的努力常常是無私的,SpringSide采用Apache的License,大家可以上上SpringSide網站,目前的版本是RC 0.1,我們希望在廣州BEA UG活動3月12日舉辦之前,完成0.8的版本。
Apache License更適合中國人,正式迎接Wayer Grant的挑戰
很久以前,我開始著手寫一些基于Security的插件,由于我使用Eclipse,Eclipse插件似乎本身對我很有幫助,我在從事插件開發的同時,只是寫一些很簡單的基于BouncyCastle的工具類。有一天,我看到了Portecle, 它是KeytoolGUI的一個分支,我覺得它的功能跟KeyStore 2.4大同小異,版權信息表明,2004年以后Wayne Grant并沒有再參與此軟件的任何開發。
Copyright ? 2004 Wayne Grant
2004 Mark Majczyk
2004-2005 Ville Skytt?
我著手在Protecle和KeytoolGUI的基礎上編寫一個安全插件,名為SecureX。Protecle和KeytoolGUI是基于Swing,我編寫了一個跟他們幾乎很相像的SWT使用界面(當然不少地方作了增強),我希望使用上述的copyright來發布該Eclipse插件,我這樣想的理由有兩個:
第一,SecureX不只是集成KeytoolGUI這個證書管理模塊,而且還會集成簽名,加密等模塊,這樣,我們將來開發界面應用的時候,我們開源隊伍可以同步開發,只要我們按照Eclipse RCP規范,我們不存在任何的集成問題。
第二,SecureX不希望使用GPL,而想使用Apache License。但由于Wayne Grant多次警告,如果我relicense(使用了他的代碼于SecureX,并將SecureX重新定位于Apache License),他將對我采取法律行動。其實,GPL跟Apache License的最大區別是,GPL要求修改代碼必須也遵守GPL,也就是說,如果我屈服于wayne, 將SecureX應用了GPL,其他人將無法將SecureX應用于商業用途,除非他們承諾他們的商業軟件遵循GPL,你說可能嗎:) 相比之下,Apache License更自由,它強調使用源代碼的人不需要公開自己的源代碼(修改后的源代碼),也就是說,如果SecureX使用Apache License,SecureX的用戶可以任意修改它,并且可以選擇以源代碼的方式或者二進制代碼的方式發布他們自己的成果(他們唯一需要做的是——在他們的成果中聲明使用了SecureX的代碼).
我第一次向Wayne發郵件,邀請他他的回信如下:
Hello David,
Some guidance for you.
I have copyright over KeyTool GUI. You therefore cannot call your
application "KeyTool GUI" or anything similar. Lazgo Software has copyright
and trademark over "KeyStore Explorer" so you cannot call it that either.
KeyTool GUI is GPL software. If your application contains code from KeyTool
GUI then your application as a whole must obey the GPL license. This means
that you must release your own code as GPL and not under any other license
terms. The headers in the existing code must be left how you found them -
that is with the GPL license and my copyright intact.
I have no wish to be listed as author of your application. Simply state on
your web site and in the application that your application is based on a
fork of KeyTool GUI of which I am the copyright owner. For an example see
the Portecle web site (http://portecle.sourceforge.net/) - Portecle is
similar to your app in that it is a fork of KeyTool GUI.
Let me know if you have any questions.
- Wayne.
----------------------------------
Dear Waner Grant:
I've written a Keytool Eclipse Plugin which support most features of KeyStore
2.4.
As you know, KeyStore 2.4 is written in Swing, I rewirte your
application by SWT.
So that it has a native look and more, I integrate my XML signature module
in this
application.
For more info, see
http://dev2dev.bea.com.cn/bbs/thread.jspa?forumID=29304&threadID=31955&tstart=0
And i will publish this Eclipse Plugin in next two weeks. Becasue wanner
Grant
is the first author of this software, So I plan to use his name as first
author and mine
as the second author. Will this be reasonable?
Any Advice would be great appreciately.
Wayne的目的很簡單,他要求我不能使用Keytool GUI或者KeyStore Explorer類似的名稱, 并且他要求我
必須使用GPL的許可證,這一點我非常不滿,我于是回信給他,強調我要求relicense GPL。我知道我這樣
說有點對牛彈琴,因為他應該不會授權我relicense。
The shell is all written by me. And I will add signature and
Watermark feature to this software, I only use some
Util Class of your KeyTool GUI such as KeyPairUtil, DigestUtil
and X509CertUtil etc and of Course,I will not change the code
and the header of them!
Feel ease if I don't plan to abidance by GPL :) I like Apache
License only.
The new release of SecureX Eclipse Plugin will all be free but
i will opensource in the next release becasue the code is too
bad:(
Beta SecureX plugin will be publish next week, so if you have more
advice, please let me know.
regards
david
Wayne的回復同樣讓我感到很大的壓力,除非我必須遵循GPL,否則我似乎無所作為:
David,
>I only use some
>Util Class of your KeyTool GUI such as KeyPairUtil, DigestUtil
>and X509CertUtil etc and of Course,I will not change the code
>and the header of them!
>
>Feel ease if I don't plan to abidance by GPL :) I like Apache
>License only.
If an application contains GPL code then the whole application must be GPL.
Your choices are:
1) to not use any of KeyTool GUI code in your application
2) or to license your application through the GPL.
To do anything else will break the terms of the GPL license that protect
KeyTool GUI - you will be breaking the law. You can check this for yourself
in the GPL license - http://www.gnu.org/licenses/gpl.html. Section 2 b is
the relevant part:
"You must cause any work that you distribute or publish, that in whole or in
part contains or is derived from the Program or any part thereof, to be
licensed as a whole at no charge to all third parties under the terms of
this License."
Basically you are deriving something from KeyTool GUI code that is GPL -
even if you are only using a couple of files they are covered by the GPL
license and anything they are used for must also be GPL as a whole.
If you go ahead and any KeyTool GUI code within your application and do not
license it as GPL then I will be forced to take action. The reason I chose
GPL as the license was to protect it from being re-licensed.
>The new release of SecureX Eclipse Plugin will all be free but
>i will opensource in the next release becasue the code is too
>bad:(
Again you cannot do this under the terms of the GPL - if you release a GPL
project then the source code must be available. I believe the same applies
with Apache.
Get in touch if you have any questions.
Cheers,
既然我必須遵循GPL,我只能學微軟的骯臟招數——模仿,并且聲明我會重寫他的所有類,
同時,我明確,China跟USA的國情有所不同,我完全有能力選擇Apache License而繞過
源代碼創建者的授權(授權我Relicense)。
我的回信如下:
Wayne:
>If you go ahead and any KeyTool GUI code within your application and do not
>license it as GPL then I will be forced to take action.
I do think there must be some difference between countries, And when worked in
USA, GPL should be respected but what about in Other Countries that have no
law about GPL :)
>The new release of SecureX Eclipse Plugin will all be free but
>i will opensource in the next release becasue the code is too
>bad:(
What I mean is that i won't released source code that related your Keytool GUI
until I entirely rewrite your util class(KeyPairUtil, DigestUtil and X509CertUtil).
Btw, I don't think KeyStore 2.X or 3.X can continued well when my free released of
SecureX upgrade to 2.0(now it is 0.9, 1.0 next two week) in which I plan to integrated
more features.
Another question: Should GPL prevent you from released KeyStore 2.4 from KeyTool GUI?
Wayne, take it easy, just Debate promote Understanding and Collaboration......
Can you tell me which ACTION will you take to?
Wayne的回信讓我感到振奮,他提到我的plan work只限制用于于Eclipse,意義不大,并且他說Portcele
和JKeyManager都沒有超越過他的工作——KeyStore Explorer。他承認我的工作將會損害他的商業利益,
但他將會迎接這種挑戰。最后,他他的觀點同樣尖銳——不能修改GPL,除非不要使用他的代碼。
David,
>I do think there must be some difference between countries, And when worked
>in
>USA, GPL should be respected but what about in Other Countries that have no
>law about GPL :)
I don't want to get into a debate about software licenses and law. Nobody
is going to sue you no matter what happens - it would serve no purpose. All
I am asking is that you obey the existing software licenses for my code. It
is GPL and therefore cannot be relicensed to anything else except by the
copyright holder - that is, me. Others have created forks of the KeyTool
GUI soure and respected this (for example see, Portecle). I appreciate that
you have gotten in contact with me about what you are doing. However, you
did ask for my advice and I have advised you not to break the existing
license. GPL is still open source so why not use it?
> >The new release of SecureX Eclipse Plugin will all be free but
> >i will opensource in the next release becasue the code is too
> >bad:(
>
>Btw, I don't think KeyStore 2.X or 3.X can continued well when my
>free released of
>SecureX upgrade to 2.0(now it is 0.9, 1.0 next two week) in which I plan to
>integrated
>more features.
David, others have tired (Portcele, JKeyManger) and none have succeeded in
surpassing my latter work. I wish you every success with your work but your
prediction of 90% coverage of features is an exaggeration even with your
planned work. In addition you are limiting your audience by writing a
plug-in for Eclipse. The bulk of my current users do not even know what
Java is far less Eclipse. You will get many users I am sure but as for it
hurting my work - more mature efforts have failed. I do honestly welcome
the challenge - it always inspires me to create new features :)
>Another question: Should GPL prevent you from released KeyStore 2.4 from
>KeyTool GUI?
As I own the copyright to KeyTool GUI I can decide what license to release
it under. It is my own work after all :)
>Wayne, take it easy, just Debate promote Understanding and
>Collaboration......
No problem - I will discuss this with you as long as you require. I wish
you no ill will - I am simply attempting to protect my open source work.
>Can you tell me which ACTION will you take to?
I hope to take no action. I am happy for you to build on as much of my open
source work as you like. I have had no problem with others building on the
old GUI and utility classes - but they did obey the license. As you say you
only require the use of a couple of crypto utility classes. All I require
is your agreement that you will license as GPL or not use my code.
I truely hope we can resolve this matter.
Talk to you soon.
Cheers,
- Wayne.
面對Wayne的軟硬兼施,我的言辭可能過于刻薄,并且我本人可能對收費軟件過于介意,于是
開始回擊:
Wanye,
I do really have two worries:
1. I hope sofeware is free, GPL's finally object is make more software free and
opensource is just a measure. After you make KeyStore Explorer a branch from
original KeyTool GUI, it is you that firstly not follow the GPL, right? Of course, because
you are the author, you are the owner, and you'll the authorize yourself to not
follow.
2. I checkout the protecle project( http://portecle.sourceforge.net/) which you recommend,
and i started to agree what you said:
->David, others have tired (Portcele, JKeyManger) and none have succeeded in
_>surpassing my latter work.
Protecle is just KeyTool GUI 1.7 and add only jar sign, little features are added. And
most important, it doesn't provide a native look. What's that mean? It means that when my OS is
using GBK, Protecle and KeyTool GUI 1.7 can not display correctly.
3. You say that:
-> In addition you are limiting your audience by writing a plug-in for Eclipse.
I forgot to tell you, that you make are wrong, I am writing SecureX follow the RCP standard
so that it can work as Eclipse Plugin or work stand alone. That means I can let my audience to use
SecureX even they don't have Eclipse installed.
Please Check : http://wiki.eclipse.org/index.php/Rich_Client_Platform
4. You suggested that
-> I hope to take no action. I am happy for you to build on as much of my open
-> source work as you like. I have had no problem with others building on the
-> old GUI and utility classes - but they did obey the license. As you say you
-> only require the use of a couple of crypto utility classes. All I require
-> is your agreement that you will license as GPL or not use my code.
I must let anyone knows that my purpose is to make software free, and open
is only a sort of means. I always hope that software should not PAY BEFORE USE.
I am worried that follow GPL will let most of my future work serve your KeyStore
Explorer(which is not open or free).
And when i and my teammates added more features on SecureX, it means that
this RCP framework standarded has enought features, I will open the framework (2.0 version)
so that others can plugin their secure feature into SecureX framework(thty only needed
to follow the RCP Plugin standarded) and they can choose open their source or not(Like
what Eclipse look now) and they can choose free manner or charge manner.
5, You are worried that my work will hurt you work:
-> You will get many users I am sure but as for it
-> hurting my work - more mature efforts have failed. I do honestly welcome
-> the challenge - it always inspires me to create new features :)
I guess you are worried that KeyStore Explorer will turn to use SecureX and your
earning will reduce?
If that's true, I must get off you worry:
You can add features to my SecureX framework and not evened to disclose you code(see
RCP Standard above) and make it charge :) My License won't prevent you from charge and won't
require to opensource.
My MSN is : scut_hzq@hotmail.com but i use it rarely.
Wait for you reply.
Wayne的回信讓我感到我在表述GPL的時候有誤,我感到有些慚愧,他提到他的KeyStore Explorer不可能
使用我的SecureX(如果我的SecureX被License為GPL),我檢查我上面的回信,確實是我寫錯了,我應該
擔心的是GPL讓SecureX很難應用于商業用途。
David,
>I do really have two worries:
>1. I hope sofeware is free, GPL's finally object is make more
>software free and
>opensource is just a measure.
If you use the GPL then nobody, including me, can use your work in a
non-open source project - I would have to make my own work GPL - which I
have no intentions of doing. My current work is closed source and will
remain so. If you use another open source license such as Apache or MIT
then the opposite is true - such licenses are more liberal when it comes to
commercial uses for software.
>After you make KeyStore Explorer a branch from
>original KeyTool GUI, it is you that firstly not follow the GPL, right? Of
>course, because you are the author, you are the owner, and you'll the
>authorize yourself to
>not follow.
That's correct - only the copyright owner can relicense GPL software. Note
that that meqans that I cannot relicense any of your work for my purposes.
>I must let anyone knows that my purpose is to make software free, and
>open is only a sort of means. I always hope that software should not PAY
>BEFORE
>USE.
That was my purpose for KeyTool GUI and why I chose the GPL - nobody but me
can relicense it.
>I am worried that follow GPL will let most of my future work serve your
>KeyStore Explorer(which is not open or free).
As I said above I cannot use any GPL code in my work. By using the GPL your
work will be protected. In addition I can assure you that I will not even
be looking at your code.
>5, You are worried that my work will hurt you work:
I am not worried. I welcome the competition.
> My MSN is : scut_hzq@hotmail.com but i use it rarely.
I have added you to my contacts list and should be online for much of today.
It sounds like we are getting closer to an understanding. You want to
protect your work and make sure it will always be free for others to use,
right? The solution appears to be to use the GPL. Which would be the best
thing to do anyway from a legal standpoint as no licenses would be broken.
Cheers,
- Wayne.
在中國,GPL跟Apache這兩種許可證,其實根本沒有人去關心,因為大部分人都是用盜版,
誰又會去關心許可證?
我承認我使用了wayne的代碼,他寫了不少工具類,并且我使用了它們,如果因為GPL阻止
了我選擇其他的License,我寧愿違反它。
Wayne后續的郵件我不方便公開,因為我們就license這個問題上翻臉了,Wayne甚至這樣說:
I will not be rejoining any open source projects for KeyTool GUI or any
other projects. Why on earth would I want to give my work away for nothing?
I think that I have done enough already by writing KeyTool GUI in the
first place.
既然他已經對開源不敢任何興趣,我又何必再跟他糾纏呢,他繼續寫他的商業軟件,我繼續
為我的SecureX添加新的功能,我的目標并不是KeyStore Explorer, 我只是想讓更多人能使用
我的SecureX插件更方便地使用Java證書庫。
CAS的作用是負責單點登錄,登錄細節當然要自己寫,CAS3有一個這樣的AuthenticationHandler 接口,繼承關系如下
1,AbstractAuthenticationHandler implements AuthenticationHandler
2,AbstractUsernamePasswordAuthenticationHandler extends AbstractAuthenticationHandler
AbstractUsernamePasswordAuthenticationHandler 正是你認證管理的著手點,你寫一個類,如WeblogicAuthenticanHandler去擴展它。
你先看看下面的接口:
public interface AuthenticationHandler {
/**
* Method to determine if the credentials supplied can be authenticated.
*
* @param credentials The credentials to authenticate
* @return true if authenticated and false they are not
* @throws AuthenticationException An AuthenticationException can contain details about why a particular authentication request failed.
* AuthenticationExceptions contain code/desc.
*/
boolean authenticate(Credentials credentials) throws AuthenticationException;
}
authenticate這個接口是每個Hander都必須實現,當然,AbstractHandler將它轉交給 authenticateInternal 方法去實現。
認證有兩種情況,成功或者失敗,true or false。
我使用Weblogic的LoginModule
loginContext = new LoginContext("WeblogicUsernamePasswordModule", new WeblogicCallbackHandler(username, password, url));
它拋出個各種不同的認證異常讓我輕松判斷認證過程中發生了什么事情,
/**
* Attempt authentication
*/
try
{
// If we return without an exception, authentication succeeded
loginContext.login();
}
catch(FailedLoginException fle)
{
System.out.println("Authentication Failed, " + fle.getMessage());
loginsccess=false;
}
catch(AccountExpiredException aee)
{
System.out.println("Authentication Failed: Account Expired");
loginsccess=false;
}
catch(CredentialExpiredException cee)
{
System.out.println("Authentication Failed: Credentials Expired");
loginsccess=false;
}
catch(Exception e)
{
System.out.println("Authentication Failed: Unexpected Exception, " + e.getMessage());
loginsccess=false;
}
如果一切正常,授權開始了。
if(loginsccess==true)
{
/**
* Retrieve authenticated subject, perform SampleAction as Subject
*/
subject = loginContext.getSubject();
System.out.println("User["+ username+"]["+ password+"] Login Success, Subject is"+subject.toString());
return true;
}
else
{
System.out.println("User["+ username+"]["+ password+"] Login Fail, Check!!!!!");
return false;
}
OK,獲得了Subject,那你就可以獲得principal,編程式授權便有了依據。
同時,你還可以用Weblogic的聲明式授權,直接在web.xml中定義資源的授權規則。
更多關于認證授權,請看[Weblogic Security In Action]
http://dev2dev.bea.com.cn/bbs/servlet/D2DServlet/download/81-26770-158358-1697/WeblogicSecurityInAction(1).swf
曾幾何時,wayne_grant編寫了一個KeyTool GUI,但后來,他轉而投誠到收費軟件行列,KeyTool GUI變成了過去,連下載的URL也被remove掉了,free evaluation copy的KeyStore Explorer 2.4是現在收費的最新版本。咋看了一眼,發現它的客戶居然還不少:
http://www.lazgosoftware.com/kse/customers.html。
我一直想提供一個KeyTool GUI的Eclipse插件,過年的時候,我把KeyTool GUI(用Swing編寫)和我自己寫的Eclipse簽名管理插件一起集成到一個新的Eclipse Plugin上,我發現KeyTool GUI并不適合作為Eclipse插件進行集成,我決定重寫它,取名為SecureX。
我現在已經完成的工作包括:
1,新建,保存,打開查看證書庫,設置KeyStore密碼,類型.
支持證書類型包括:
JKS
JCEKS
PKCS #12
BKS
UBER
同時可以在證書庫類型間進行轉換。
2,生成密鑰對(RSA,DSA)
3,導入信任證書
4,查看數字證書內容(包括證書鏈)
5,導入密鑰對
我正在進行的工作包括:
6,導出數字證書 (X.509 or PKCS #7, DER or PEM) ,密鑰對
7,查看Security Provider
8,檢查CRL
9,XML方式輸出KeyStore
10,產生CSR請求
11,導入CA對CSR簽名后的Reply
12,克隆KeyPair
13, 對CSR,Jar簽名
上面描述的功能涵蓋了KeyStore Explorer 2.4 90%的功能,和Swing編寫的KeyStore Explorer很大的不同點是:
1, SecureX插件將支持XML數字簽名(使用Axis)以及數字簽章功能,它是用SWT編寫,以Eclipse RCP發布的Eclipse插件,而KeyStore Explorer僅僅是一個Keystore工具。
2, KeyStore 2.4對中文支持太差,很多地方都是亂碼,新版本SecureX插件將提供全中文界面,方便中國同胞使用。
3,SecureX插件是Key Tool Eclipse Plugin,它支持在線更新,完全免費,而KeyStore Explorer是一個商業產品,價格較為昂貴。
4,SecureX插件還提供符合標準Eclipse RCP規范的發行包,用戶在任何平臺下都能運行SecureX。
下面是SecureX的截圖:
其他功能仍然在編寫中,第一個Beta版本將于2月中下旬發布。
我用Hibnernate(JDBC太麻煩了)寫圖片到Blob字段,產生轉型異常,
Configuration config = new Configuration().configure();
// config.addClass(TSealTemplate.class);
SessionFactory sf= config.buildSessionFactory();
//SessionFactory sf = HibernateSessionFactory.getSessionFactory();
s = sf.openSession();
Transaction tx = s.beginTransaction();
TSealTemplate c = new TSealTemplate();
c.setUserid("USER0001");
c.setSealTemplBlob(Hibernate.createBlob(buffer));
s.save(c);
s.flush();
s.refresh(c, LockMode.UPGRADE);
BLOB blob = (BLOB) c.getSealTemplBlob();
關于此問題在JavaEye上有一篇文章討論,原因是
java.sql.Blob不能強制傳喚成oracle.sql.BLOB
解決方法如下:
SerializableBlob blob=(SerializableBlob)c.getSealTemplBlob();
BLOB blob2 = (BLOB)blob.getWrappedBlob();
OutputStream out = blob2.getBinaryOutputStream();