摘要: 加入PGP行列,享受免费身份服务
阅读全文
近日, 朋友告诉我<<
深入Java 2平台安全--体系架构、API设计和实现(第二版)>>这本书已经出版:
http://www.china-pub.com/computers/common/info.asp?id=14712英文原版的书名是
| Inside Sun™ 2 Platform Security: Architecture, API Design, and Implementation, Second Edition |
我粗看了一下,发现书评中很多对本书翻译质量的怀疑,下载了Sample章节,粗看了一下,发现未
尽人意,确实会给读者的理解带来很大的困难。
我觉得Security的兴趣者无需太关注中文译作,也不需质疑译者和出版商,因为翻译Security Topic的书籍
本身是一件非常困难的事情,除非译者对Java Security的概念非常清晰,否则即使哪怕是一个概念上的误译,
到可能会导致读者产生很离谱的误解。
Sun Security的内容不象一些实践性的topic,如Spring,Hibernate,Ajax那样,可以通过大量的Sample来解释,
它需要读者具备一定的Security概念基础后,才能解释清楚(即概念的理解门槛比较高)。
所以,我还是建议,对于宫力大牛的大作,还是主张看英文版和JDK Specification,其实Sun的Java Security的
Spesification很多都是出自宫力之手,看着些Spesification当然没有看故事书那么舒服,但认真咀嚼几次,效果
总比看那些容易导致误解的译作要好得多。
目前,Java Security的书基本上有两本:
IBM专家组们编写的:
Sun专家组编写的:
| Inside Sun™ 2 Platform Security: Architecture, API Design, and Implementation, Second Edition |
| By Li Gong, Gary Ellison, Mary Dageforde |
| | |
| Publisher | : Addison Wesley |
| Pub Date | : June 06, 2003 |
| ISBN | : 0-201-78791-1 |
| Pages | : 384 |
| Slots | : 1 |
这两本书,前者更关注于J2EE实践的角度出发,后者更偏重于从基础概念与Java Platform的角度出发,都是很好的书,
很容易就能Emule到这两本书。
我个人更偏向建议读者先细读后一本,然后再粗看前一本书的一些topic。
两本书都基本上都没有花很大力去解析Java沙箱(SandBox),Java权限控制模型等这些比较难搞得概念,有点遗憾,希望
自己也能尽快抽时间提供一篇深入浅出于Java Security的文章:)
摘要: 本文介绍了如何(用BouncyCastle提供的SecurityProvider)从pfx/p12证书文件中提取信息(如算法类型,算法长度,Subject信息,Issuer信息等)
阅读全文
摘要: 本文简要介绍如何CAS Proxy的原理及配置
阅读全文
在GZFB群听Rayman说,要搞Confluence跟AD的集成认证,由于没听清楚,还以为是SSO,立马打开Confluence跟LDAP集成的文档,细看了一把,发现并没有实现域用户到Confluence的SSO,只是Confluence做了一个LdapProvider,能够让用户的认证实现转移到LDAP上。
http://confluence.atlassian.com/display/DOC/Enable+LDAP+authentication该文档是完整并且正确的,配置也非常简单,Rayman很快就配置好了。我后来发现他的配置方法跟上述方法不一样,他是根据以下的文档配置的:
http://confluence.atlassian.com/display/DEV/Confluence+LDAP+Integration这两种配置方式由比较大的区别:如果你的Confluence跟JIRA捆绑,请使用前者,否则,建议用后者。
最后,隆重推荐Rayman的Blog:
http://raymanzhang.cnblogs.com/一个曾经编写了MDict的好同志
近日,我跟很多朋友讨论如何提高自己的Blog在Google的排名我列举一些比较重要的因素,其中,
1,内容的专业性,这一点可能Google会对你网页做定性分析。
2,被Rank值很高的网站指向你,如果你的Blog的Link出现在IBM.com(9)/AOL.com(9)的首页,那我估计你的Rank不会少于5.
3,写Blog的同时要提供Blog的关键字,同时也是职业操守。
4,加入Google广告,这个比较简单,以我自己的Blog为例(http://openss.blogjava.net),
我在Blogjava的(cnblog.com也是一样的)
管理->选项->Configure->公告
管理->选项->Configure->子标题
插入以下的Google广告的JS代码:
<script type="text/javascript">
<!--
google_ad_client = "pub-6825418521341757";
google_ad_width = 120;
google_ad_height = 240;
google_ad_format = "120x240_as";
google_ad_type = "text_image";
google_ad_channel ="6369214374";
google_color_border = "336699";
google_color_bg = "FFFFFF";
google_color_link = "0000FF";
google_color_url = "008000";
google_color_text = "000000";
//--></script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
过1-2个月,你就会发现Rank值提高了。欢迎各位同胞加入讨论。
摘要: SOA——号称解冻2000亿美金IT冻结资产的主要手段
阅读全文
1,构造一个干净的域,域名为domain002
2,构造该域里面的用户
weblogic The default administration user DefaultAuthenticator
user0001 weblogic DefaultAuthenticator
user0002 user0002 DefaultAuthenticator
3,建立一个组,weblogicAdmin,同时在AD中也建立一个这样的组
注意,在AD中的users而不是Builtin里面建组,因为两者的DN是不一样的。
4,将所有Weblogic中的user0001用户都加入到改组。
5,测试AD的可连接性,下载一个LDAP Browser。
6,在Weblogic Console中的Security->Realm的Authentication配置一个新的LDAP Provider,类型为:Configure a new Active Directory Authenticator...
7,配置参数:
i) 转到Active Directory那一Tab,看到HOST了吧?
HOST为你的AD的IP或者主机名,AD默认端口是389
ii) Principal为CN=user0001,CN=Users,DC=dlsvr,DC=com
其中,DC=dlsvr,DC=com为我的服务器的RootDN(例如DC=ibm,DC=com)
很讨厌AD的一个地方是它采用与其他LDAP不一样的命名方法,他用CN=User而不是OU=....,所以我前面的步骤才需要建立一个welogicAdmin的组。
iii)Credential为AD中user0001的密码。
注意:ii)和iii)是用于连接AD用的,构造一个LDAPConnection需要用户名密码的,懂不懂:)
转到user tab
iv) User Name Attribute:user0001
v) User Base DN:CN=Users,DC=dlsvr,DC=com
转到group tab
vi) Group Base DN:CN=weblogicAdmin,CN=Users,DC=dlsvr,DC=com
vii) weblogicAdmin
保存
关键的步骤到了:
Security->Realms->myrealm->Providers->Authentication
有没有看到Re-order the Configured Authentication Providers
对,就是这里需要调整一下顺序。
把ActiveDirectoryAuthenticator调整到最上面(优先级最高)
然后设置ActiveDirectoryAuthenticator的General页里面的Control Flag为Required。
接着DefaultAuthenticator里面的设成是OPTIONAL。
于是,AD取代了以前的DefaultAuthenticator了,如果两个都Requried,那么也你要接受双重认证,汗......一般不需要这样。
注意:boot.properties里面的默认的Weblogic启动账号同样受AD影响,你如果在AD里面禁止了Weblogic这个账号,我保证你WLS启动不了
本来,使用j_security_check是最简单的Build-in认证方式,但CAS有自己的登录入口,即login servlet,如果用该servlet,必须自己动手完成JAAS的登录。于是,开始扩展CAS的edu.yale.its.tp.cas.auth.provider,在该包中的provider都扩展自authHandler接口,而CAS是在web.xml中定义了最终使用哪一个authHandler。
edu.yale.its.tp.cas.authHandler
edu.yale.its.tp.cas.auth.provider.WeblogicHandler
我自己写了一个WeblogicHandler(edu.yale.its.tp.cas.auth.provider包中),专门让CAS登录到Weblogic Server,事实上,将来如果不用WLS,还可能使用Websphere,Jboss,AD之类。
后来发现,虽然能loginContext拿到Subject,但该Subject的Principal不能被页面的request.getPrincipal()所取得,醒悟自己在做JAAS Login,查看weblogic文档,原来Weblogic提供了
weblogic.servlet.security.ServletAuthentication
用于在Servlet端调用JAAS接口进行登录,通过该接口登录后,就如同User使用了标准的登录机制登入了Weblogic。
于是,立即修改了login servlet测试一下,加入
try {
CallbackHandler handler = new SimpleCallbackHandler(
request.getParameter("username"),
request.getParameter("password"));
Subject mySubject = weblogic.security.services.Authentication
.login(handler);
weblogic.servlet.security.ServletAuthentication.runAs(
mySubject, request);
System.out.println("mySubject[" +mySubject.toString()+"]"+
"写入Session");
} catch (LoginException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
然后,页面果然就能拿到Pincipal了。
今天,有朋友在配置Tomcat SSL的时候,出现如下的异常:
java.security.UnrecoverableKeyException: Cannot recover key
而且他已经正确配置了keystoreFile和keystorePass。
后来我发现,他对Keystore中的Key使用了Password保护,而且
保护这个KeyEntry的KeyPass!=KeyStore的Keypass,导致出错,
Tomcat SSL要求这两个密码必须相等。
解决办法:
keytool -keypasswd -v -alias mykeyalias -keypass noequalpass -new equalpass -keystore mykeystore.jks -storepass equalpass
其中, mykeyalias是key在keystore中的别名,-keypass后面跟key的旧密码"noequalpass", -new 是新密码"equalpass",注意新密码跟storepass一致。
附:Weblogic是支持不一致的KeystorePass和KeyPass的。
摘要: 如果不是從PirvilegedAction中擴展的類,那麼調用其中的方法JVM還會不會執行權限檢查?
阅读全文
摘要: 2005年中国软件产业最大规模前100家企业名单
阅读全文
如果通过Windows的网络属性修改Ip/网关,真是太麻烦了。
最近一个项目经常要切换ip,所以我写了两个脚本:
c:\116.bat
netsh interface ip set address "本地连接" static 10.45.128.116 255.255.255.0 10.45.128.254 1
c:\172.bat
netsh interface ip set address "本地连接" static 172.17.9.222 255.255.255.0 172.17.9.51 1
这样就可以设置IP/Mask/GateWay了,netsh命令真方便!
摘要: BEA Workshop Studio 3.0 依靠易用性和强大功能赢得EclipseCon2006的基于EC的开发工具第一首先
阅读全文
摘要: Geronimo是IBM为第三世界准备的吗?Beehive是BEA内部的次品代码?
阅读全文
摘要: BEA和IBM联合发布了SDO规范,JCP似乎被忽略了,Java标准究竟由谁制定?
阅读全文
摘要: 回答困挠人的javax.security.auth.login.LoginException:没有为 XXX 配置LoginModules问题
阅读全文
摘要: 关注最新的EclipseCon上,将有哪些精彩的Topic
阅读全文
摘要: 发布Eclipse的Keytool Eclipse Plugin——代号SecureX
版本1.0.0
阅读全文
摘要: 一个很简单Emditor/Editplus的正则表达式用法,替换一个日期
阅读全文
Stylus Studio 2006,世界上领先的XML Schema工具,stylus studio网站发布了几个充分展示stylusstudio工具的视频:
http://www.stylusstudio.com/videos/xmlschema1/xmlschema1.html包括下面的功能展示,非常值得一看。
How to generate an XML schema from an XML document
Generating XML schema from EDIFACT or X12
Creating an XML Schema from an existing DTD
How to associate an XML schema with an XML document
Troubleshooting and validating XML documents against their associated XML Schema
Visualizing an XML data model using Stylus Studio XML Schema's synchronized diagram view
Generating XML Schema Documentation using either the XS3P or XSD-doc formats
Navigating XML Schema types in Stylus Studio, including externally defined schema components
Modifying an XML Schema data model including: inserting a sequence, choice, or all compositor, and adding XML attributes
Drag and Drop, Copy-Paste operations in the XML Schema Editor
Refactoring of an XML Schema fragment
Generating XML instances corresponding to XML Schema components
Configuring the XML Schema diagram display options
Viewing and modifying XML Schema properties
(2006-03-14 20:03:53) 婷婷(16556907)
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
这个是因为你没有装好TrustCerts,如果你是用Tomcat,请务必检查Tomcat使用的JDK下的JRE(jre/lib/security/cacerts)中,是否已经安装了包含你所需的信任证书,如果没有,请Import,Keytool -import的命令,很简单的,如果你用的是Weblogic,你看看Weblogic Console的Keystore配置,有两项,你关注的应该是TrustKeystore的属性,里面默认的信任证书都是老外的那些,往里面Import你的证书就ok了。
禁止back space键:<body onkeydown="if(event.keyCode==8) return false;">
禁止ctrl+n:onkeydown="if(event.keyCode==78 && event.ctrlKey) return false;"
当我们不想让用户后退到a页面
可以在a页面跳转后将a页面的window.location=b页面url,
这样后来用户想后退到a页面时,进入的就是b页面
使用java提供的方法,在jsp或者servlet中都可以
<%
response.setHeader("Pragma","No-cache");
response.setHeader("Cache-Control","no-cache");
response.setDateHeader("Expires",0);
%>
2,使用HTML标记,如下面:
<HEAD>
<METAHTTP-EQUIV="Pragma"CONTENT="no-cache">
<METAHTTP-EQUIV="Cache-Control"CONTENT="no-cache">
<METAHTTP-EQUIV="Expires"CONTENT="0">
</HEAD>
HKEY_CURRENT_USERSoftware\Policies\Microsoft\Internet Explorer\Restrictions
适用范围:Windows NT/2000
通过修改注册表,可以禁止用户使用IE浏览器的“前进”/“后退”按钮。
步骤1:运行注册表编辑器,找到HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions子键。
步骤2:找到或新建“NoNavButtons”键值项,其数据类型是“字符串值”,设置其键值为“1”,表示禁用IE浏览器的“前进”/“后退”按钮;设置其值为“0”,则表示启用IE浏览器的“前进”/“后退”按钮。
注意
如果希望修改计算机所有用户的设置,其相应操作子键为: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\lnternet Explorer\Restions。同样子键lnternet Explorer和Restrictions的键值项都必须新建。
<script language="JavaScript">
<!--
javascript:window.history.forward(1);
//-->
</script>
灵感写回忆录(118978) 10:48:44
要跳转页面的时候,this.location.replace("FooURL.html");便可,这样连回退图标都没有
灵感写回忆录(118978) 10:49:07
喔,好像是location.href.replace,反正就是这样,好久没有写了
摘要: 介绍如何使用PGP对BLog文章签名
阅读全文
据官方最新Security Advisories and Notifications报告(BEA06-118.00)显示:
WeblogicServer的SSL身份信息会被恶意Application盗用。
威胁程度:低
严重程度:中等
WeblogicServer的SSL配置分两部分,第一部分是Identtiy Keystore,第二部分是Trust Keystore,
BEA06-118.00揭示,当WeblogicServer被部署不信任的应用的时候,要额外小心,因为部署
在Weblogic Server上的应用可以使用你的Identity KeyStore来向其他Client伪冒身份。
后果是,Weblogic Server的身份被盗用。
Weblogic Server Sp4以前的版本都存在这个问题,必须通过SP5打包来解决这个问题。
下面是Solution:
- 将WebLogic Server 和WebLogic Express 8.1升级到 Service Pack 5.
- 安装下面的补丁:
ftp://ftpna.beasys.com/pub/releases/security/CR243498_810sp5.zip
- 解压并按照里面的Readme提示进行安装
近日,在Matrix Security版上(
http://www.matrix.org.cn/thread.shtml?topicId=39543&forumId=55)提出一个问题,即他的程序不能正确运行,抛出异常Exception in thread "main" java.security.InvalidKeyException: Illegal key size。
我运行一下它的程序,Work Fine。
我发现很多人都遇到这样的问题,而我自己的习惯是,每当我安装JDK的时候,我总是非常讨厌它已有的Policy File,我会立即到SUN的网站下载最"强"的PolicyFile(
http://java.sun.com/j2se/1.5.0/download.jsp#docs),安装它可以解决让你算法中的Key长度增加很多(更加安全),从而解决上面的Illegal key size的问题。
你可能问,为何SUN不把它集成到JDK中去而单独弄一个链接出来给人下载?那是因为每个国家,尤其是美国,对涉及密码的软件产品控制非常严格,在美国国内,很多密码算法长度都作了限制,而且某些算法在某些国家没有申请专利,可以"滥"用,而在某些国家却做了明确限制,不准使用,如此前提下,Sun必须按照惯例行事:)
Blended的意思是混合,意指开发的时候,用户可以同时采用商业框架和开源框架。
BEA的现在的CEO,技术总裁(胖胖的那个),曾经说过,BEA是第一个开始从“究竟是否在商业产品中采用开源框架的问题”上脱离出来,而着手于如何让用户在开源框架和BEA先进的开发工具和平台结合的基础上受惠的公司。因此,Blended的含义我个人认为是,BEA已经开始凭借开源框架和IBM,Oracle等传统封闭式体系的中间件提供商进行下一轮竞争,Blended让BEA比IBM和Oracle更具有优势,理由很简单:第一,BEA的AquaLogic体系基本上是开放式,它不假定依赖于任何的产品如OS,DB。IBM,Oracle对开放式的态度不能够跟BEA等同,因为他们有自己的DB2, Oracle9i。
第二,IBM和Oracle在捆绑式销售方面曾经压住了BEA,的确,捆绑式很有效,比如,买DB2+AIX,WebSphere就给你50%discount。但如今,BEA说,我的Weblogic支持Spring,Hibernate,甚至AppFuse.....对开发人员来说,这一切都太吸引了,你似乎选择更小了。
Blended肯定会让BEA走出困境,打破IBM和Oracle传统的封闭式产品捆绑策略,让开发人员迅速向AquaLogic Platform靠拢,凭借这一点,BEA足以在Apache,Eclipse社区建立威信,从而可以在未来的SOA标准制定上有更大的发言权。
3月份,在全球有三个BEA UserGroup讲座值得关注,
第一个在3月8日(即明天),Eric Pascarello(Ajax in Action作者)在马里兰UG介绍Ajax的体系。
http://dev2dev.bea.com/pub/e/873第2个是NQ Suite的作者JackBe,他将于3月9日在华盛顿UG介绍如何构建安全,高性能和可扩展的Ajax应用,JackBe被公认为是Ajax领域的先锋。
http://dev2dev.bea.com/pub/e/875第3个在庄表伟和曹晓刚将在3月12日在广州UG联手为我们讲述RIA技术的体系和设计,前者将着重从体系架构的角度讲述AJAX技术的设计模式,后者将着重以开发角度为我们讲述设计一个RIA的应用的过程。
http://dev2dev.bea.com.cn/bbs/thread.jspa?forumID=29304&threadID=32776&tstart=0
摘要: 关于第2次BEA UserGroup的演讲内容
阅读全文
近日,BEA建议我提交广州UG组织人员名单,并尝试让广州UG在全国作为试点举行俱乐部
制形式,这样UG的活动范围和形式更加多样化,同时,BEA也会增加对UG的投入。
UG的目的非常明确,它希望增加程序员的影响力,当许多优秀程序员能够组织起来,我们
或许能够在某天实施程序员价值观的反攻。
程序员的劳动并不卑微,因为程序员有能力改造信息世界,假如信息是你生活的一部分,请
尊重程序员。因为,Program is undercontrol by Programmer....
另外,各位参加Speaker的演讲资料已经送审至BEA,由BEA统一安排。
鉴于BEA Speaker的演讲主题可能由BEA统一规划,所以,不一定在安排这次BEA UG活动中,
有可能安排在下次活动中。
人类生活在一个非常不安全的环境中,程序员也是。
以P2P信息为例,我们向网络发布信息M1,M1能够被你的支持者浏览到,同时也能被你的反对者看到,你有朋友,也有敌人。没错,我想讲的话题是如何构建坚固的信任网络,这种信任网络能够抵抗任何密码分析。
比如,发布者A在网络上发布<<XXXXXX的血案>>,很快,它会被扫描到并迅速被清理掉,究其原因,2点:
1,你发布信息的平台不安全
2,你发布信息的方法不安全
针对1,平台的不安全性是不能通过信息化制度来解决的,比如,你希望在163.com上发布信息M2,M3,但163.com不是一个开放式的自由平台,你的信息M2,M3随时可能被删除,P2P很好,但它容易被封锁,eDonkey的服务器在瑞士被封杀,负责人被拘留,这不能不引起我们的警示。如果,P2P的未来始终让我感到堪忧。
针对2,那真的很直观,有一个好消息,我们国家最近声明没有人因为发表不适宜的网络言论被捕,这很好很好,但我还是希望有能力保障这一点,香港不是有人因为做P2P种子被判入狱,感到惋惜之际,它让看到另一个卖点,匿名发布信息。
请让我把话题带入到——假定网络不会被彻底隔离,但不信任的网络环境下,我们如何最大限度地自由的工作?
I Guess it would be 信任扩张。
信任扩张的特点是:
1,我只发送信息给我信任的人
2,只有我信任的人才能看到我发送的信息
这通过PKI很容易解决,但我们如何能做到匿名性呢?
比如A同志需要发送M3给C同志,这个过程可能会被反对者U知道,于是,反对者拥有你发布的消息的证据,这一点可以通过间接发送来减少风险,即A指定B来发送M3给C,随着间接发送者的个数的增加,反对者U要做的工作会越来越困难。
但问题是你A信任的B,C可能互相不信任,这违反了1,头痛....
思路阻塞,今天只想到这里,明天继续写:)
今年,BEA力推Weblogic 9和SQA,产品线方面,我感觉BEA战略开始向开源团体又迈进了一步,从BEAWorld2005以来,从Dev2dev.com网站可以看到不少关于如何在Weblogic上整合开源框架的文章,其中,我看到很多BEA资深工程师编写关于Spring,Hibernate等技术的文章,不仅如此,我已经可以感受到Weblogic在改善用户在WLS/WLP平台上使用Spring,Hibernate所作出的努力,这种努力体现为,Weblogic改善了对AOP的支持,增加了Weblogic Platform体系的透明度,优化对Hibernate的性能等,并且,我在Dev2dev.com看到不少开源代码框架,利用它们可以简化我们在Weblogic Platform上部署开源框架的难度。
开源(OpenSource)是今年J2EE生态圈的主题,我认为它是未来2-3年的游戏规则,至少它是J2EE供应商(包括BEA、IBM、Oracle)和J2EE集成商都必须正视的一个问题,从Apache/Eclipse组织的发展态势,我觉得它已经取得巨大的成功,现在,即使是任何一家J2EE公司都不敢无视Apache/Eclipse的一举一动,轻视它们的后果可以见诸于Borland,一家曾经是领先的J2EE工具提供商,现在游戏规则已经几乎将他驱出生态圈。
从去年,我已经感受到一种内在的驱动力在BEA.COM网站映射出来,今年开始,我从官方网站至少得到2个非常直观但是非常有意义的信息:
1, 在开发工具上,BEA将Workshop Studio整合得非常强大,目的很明确,抢占国内开发者市场,目前,有两种非常优秀的技术在Weblogic框架下,一种叫做Spring MVC,一种叫做PageFlow,一直以来,包括在早期的Workshop版本中,PageFlow都是BEA提倡的标准,其实它是Strut的衍生物,后来,自从Spring MVC面世后,这两种技术开始正面碰撞,很难说从技术角度来判断哪一种更优秀,但Spring MVC已经有足够足够大的开发者团体,BEA开始提供支持。通常,按照一家巨头公司,比如IBM或者Oracle,他们的开发工具总是有一种很强烈的偏向,即以某一种技术框架来培养开发者的开发习惯,从而让开发者限制与某一种技术框架中去 (这样说其实我是想提及Microsoft)。BEA现在的策略其实很明确——SOA,从产品策略转向服务策略,因此,在产品线上,它比然要以Customer和Developer为中心,因此,最终的结果是BEA的开发工具走向开源。
这对于所有客户和开发者是一件绝对令人振奋的消息,最近,Rod.Johnson在提及BEA Workshop的时候:“Developers are using open source frameworks such as Spring to simplify writing enterprise Java applications, The latest release of BEA Workshop Studio is designed to make it easier to use Eclipse and develop in Spring. BEA’s continued support of the open source community can help to foster future innovation in the J2EE community.”
2, 在Weblogic应用框架上,BEA至少从两方面增强了其对Spring的支持,第一,BEA提供了经过严格测试的适合在Weblogic Server上运行Spring版本(目前的版本是1.2.6),如果Spring开发团体能在3月底推出Spring 2.0,那么,国内用户可能有望在4月份看到Weblogic的Spring 2.0版本了:)第二,Weblogic Portal也从很多地方增强了Spring的支持,官方网站提到可以从Portal上的porlet直接Call Spring的Bean。BEA的对Spring/Hibernate等开源框架的支持,其实理由很简单,因为它的Customer都在悄悄地使用这些技术了,无论在美国还是在中国,Spring已经被大量应用于政府,银行,电信,电力等企业部门,是铁板的事实,无论从开发者的角度还是客户的角度,Spring都能大大简化应用程序的开发和部署,BEA所做的一切纯粹是顺应客户的要求。
对于BEA UG,我想也是很多人在关注Spring,看看BEA社团的消息,可以得知不少BEA在美国的马里兰州的UserGroup已经成功举行了一次关于Spring在Weblogic9.2的实践研讨(http://dev2dev.bea.com/pub/e/854),这正是我想安排在下次广州BEA的议题,因为广州这边,电信,电力,地税等政府部门已经在研究Weblogic 9.2的可行性了。3月份将有很多精彩的BEA演讲,大头当然包含Rod Johnson和Patrick Linskey(大家跟他的在BEAWorld2005合照还在吧)在伦敦UG上的Spring框架在Weblogic上应用实践探讨,我把这些跟Spring相关的BEA UG研讨会罗列一下:
1 BEA UK User Group: Building Enterprise Java Applications with WebLogic and the Spring Framework
In this talk Rod Johnson and Rob Harrop of Interface21 will explain how the Spring Framework can be used with BEA WebLogic to efficiently create powerful and flexible enterprise applications.
2 Advanced Kodo Topics – Blending Kodo with Spring (Webinar)
In this webinar, Rod Johnson and Patrick Linskey will introduce the audience to how to use the popular Spring Framework with the standards-based Kodo persistence framework.
3 Silicon Valley BEA dev2dev User Group: Use of the Spring Framework to Simplify Development of Applications Deployed on WebLogic Server
The use of the Spring Framework to simplify development of applications deployed on BEA's WebLogic Server.
今年,SpringSide(www.springside.org.cn)社团成立, 作为一个开源社团,所有成员做出的努力常常是无私的,SpringSide采用Apache的License,大家可以上上SpringSide网站,目前的版本是RC 0.1,我们希望在广州BEA UG活动3月12日举办之前,完成0.8的版本。
Apache License更适合中国人,正式迎接Wayer Grant的挑战
很久以前,我开始着手写一些基于Security的插件,由于我使用Eclipse,Eclipse插件似乎本身对我很有帮助,我在从事插件开发的同时,只是写一些很简单的基于BouncyCastle的工具类。有一天,我看到了Portecle, 它是KeytoolGUI的一个分支,我觉得它的功能跟KeyStore 2.4大同小异,版权信息表明,2004年以后Wayne Grant并没有再参与此软件的任何开发。
Copyright © 2004 Wayne Grant
2004 Mark Majczyk
2004-2005 Ville Skyttä
我着手在Protecle和KeytoolGUI的基础上编写一个安全插件,名为SecureX。Protecle和KeytoolGUI是基于Swing,我编写了一个跟他们几乎很相像的SWT使用界面(当然不少地方作了增强),我希望使用上述的copyright来发布该Eclipse插件,我这样想的理由有两个:
第一,SecureX不只是集成KeytoolGUI这个证书管理模块,而且还会集成签名,加密等模块,这样,我们将来开发界面应用的时候,我们开源队伍可以同步开发,只要我们按照Eclipse RCP规范,我们不存在任何的集成问题。
第二,SecureX不希望使用GPL,而想使用Apache License。但由于Wayne Grant多次警告,如果我relicense(使用了他的代码于SecureX,并将SecureX重新定位于Apache License),他将对我采取法律行动。其实,GPL跟Apache License的最大区别是,GPL要求修改代码必须也遵守GPL,也就是说,如果我屈服于wayne, 将SecureX应用了GPL,其他人将无法将SecureX应用于商业用途,除非他们承诺他们的商业软件遵循GPL,你说可能吗:) 相比之下,Apache License更自由,它强调使用源代码的人不需要公开自己的源代码(修改后的源代码),也就是说,如果SecureX使用Apache License,SecureX的用户可以任意修改它,并且可以选择以源代码的方式或者二进制代码的方式发布他们自己的成果(他们唯一需要做的是——在他们的成果中声明使用了SecureX的代码).
我第一次向Wayne发邮件,邀请他他的回信如下:
Hello David,
Some guidance for you.
I have copyright over KeyTool GUI. You therefore cannot call your
application "KeyTool GUI" or anything similar. Lazgo Software has copyright
and trademark over "KeyStore Explorer" so you cannot call it that either.
KeyTool GUI is GPL software. If your application contains code from KeyTool
GUI then your application as a whole must obey the GPL license. This means
that you must release your own code as GPL and not under any other license
terms. The headers in the existing code must be left how you found them -
that is with the GPL license and my copyright intact.
I have no wish to be listed as author of your application. Simply state on
your web site and in the application that your application is based on a
fork of KeyTool GUI of which I am the copyright owner. For an example see
the Portecle web site (http://portecle.sourceforge.net/) - Portecle is
similar to your app in that it is a fork of KeyTool GUI.
Let me know if you have any questions.
- Wayne.
----------------------------------
Dear Waner Grant:
I've written a Keytool Eclipse Plugin which support most features of KeyStore
2.4.
As you know, KeyStore 2.4 is written in Swing, I rewirte your
application by SWT.
So that it has a native look and more, I integrate my XML signature module
in this
application.
For more info, see
http://dev2dev.bea.com.cn/bbs/thread.jspa?forumID=29304&threadID=31955&tstart=0
And i will publish this Eclipse Plugin in next two weeks. Becasue wanner
Grant
is the first author of this software, So I plan to use his name as first
author and mine
as the second author. Will this be reasonable?
Any Advice would be great appreciately.
Wayne的目的很简单,他要求我不能使用Keytool GUI或者KeyStore Explorer类似的名称, 并且他要求我
必须使用GPL的许可证,这一点我非常不满,我于是回信给他,强调我要求relicense GPL。我知道我这样
说有点对牛弹琴,因为他应该不会授权我relicense。
The shell is all written by me. And I will add signature and
Watermark feature to this software, I only use some
Util Class of your KeyTool GUI such as KeyPairUtil, DigestUtil
and X509CertUtil etc and of Course,I will not change the code
and the header of them!
Feel ease if I don't plan to abidance by GPL :) I like Apache
License only.
The new release of SecureX Eclipse Plugin will all be free but
i will opensource in the next release becasue the code is too
bad:(
Beta SecureX plugin will be publish next week, so if you have more
advice, please let me know.
regards
david
Wayne的回复同样让我感到很大的压力,除非我必须遵循GPL,否则我似乎无所作为:
David,
>I only use some
>Util Class of your KeyTool GUI such as KeyPairUtil, DigestUtil
>and X509CertUtil etc and of Course,I will not change the code
>and the header of them!
>
>Feel ease if I don't plan to abidance by GPL :) I like Apache
>License only.
If an application contains GPL code then the whole application must be GPL.
Your choices are:
1) to not use any of KeyTool GUI code in your application
2) or to license your application through the GPL.
To do anything else will break the terms of the GPL license that protect
KeyTool GUI - you will be breaking the law. You can check this for yourself
in the GPL license - http://www.gnu.org/licenses/gpl.html. Section 2 b is
the relevant part:
"You must cause any work that you distribute or publish, that in whole or in
part contains or is derived from the Program or any part thereof, to be
licensed as a whole at no charge to all third parties under the terms of
this License."
Basically you are deriving something from KeyTool GUI code that is GPL -
even if you are only using a couple of files they are covered by the GPL
license and anything they are used for must also be GPL as a whole.
If you go ahead and any KeyTool GUI code within your application and do not
license it as GPL then I will be forced to take action. The reason I chose
GPL as the license was to protect it from being re-licensed.
>The new release of SecureX Eclipse Plugin will all be free but
>i will opensource in the next release becasue the code is too
>bad:(
Again you cannot do this under the terms of the GPL - if you release a GPL
project then the source code must be available. I believe the same applies
with Apache.
Get in touch if you have any questions.
Cheers,
既然我必须遵循GPL,我只能学微软的肮脏招数——模仿,并且声明我会重写他的所有类,
同时,我明确,China跟USA的国情有所不同,我完全有能力选择Apache License而绕过
源代码创建者的授权(授权我Relicense)。
我的回信如下:
Wayne:
>If you go ahead and any KeyTool GUI code within your application and do not
>license it as GPL then I will be forced to take action.
I do think there must be some difference between countries, And when worked in
USA, GPL should be respected but what about in Other Countries that have no
law about GPL :)
>The new release of SecureX Eclipse Plugin will all be free but
>i will opensource in the next release becasue the code is too
>bad:(
What I mean is that i won't released source code that related your Keytool GUI
until I entirely rewrite your util class(KeyPairUtil, DigestUtil and X509CertUtil).
Btw, I don't think KeyStore 2.X or 3.X can continued well when my free released of
SecureX upgrade to 2.0(now it is 0.9, 1.0 next two week) in which I plan to integrated
more features.
Another question: Should GPL prevent you from released KeyStore 2.4 from KeyTool GUI?
Wayne, take it easy, just Debate promote Understanding and Collaboration......
Can you tell me which ACTION will you take to?
Wayne的回信让我感到振奋,他提到我的plan work只限制用于于Eclipse,意义不大,并且他说Portcele
和JKeyManager都没有超越过他的工作——KeyStore Explorer。他承认我的工作将会损害他的商业利益,
但他将会迎接这种挑战。最后,他他的观点同样尖锐——不能修改GPL,除非不要使用他的代码。
David,
>I do think there must be some difference between countries, And when worked
>in
>USA, GPL should be respected but what about in Other Countries that have no
>law about GPL :)
I don't want to get into a debate about software licenses and law. Nobody
is going to sue you no matter what happens - it would serve no purpose. All
I am asking is that you obey the existing software licenses for my code. It
is GPL and therefore cannot be relicensed to anything else except by the
copyright holder - that is, me. Others have created forks of the KeyTool
GUI soure and respected this (for example see, Portecle). I appreciate that
you have gotten in contact with me about what you are doing. However, you
did ask for my advice and I have advised you not to break the existing
license. GPL is still open source so why not use it?
> >The new release of SecureX Eclipse Plugin will all be free but
> >i will opensource in the next release becasue the code is too
> >bad:(
>
>Btw, I don't think KeyStore 2.X or 3.X can continued well when my
>free released of
>SecureX upgrade to 2.0(now it is 0.9, 1.0 next two week) in which I plan to
>integrated
>more features.
David, others have tired (Portcele, JKeyManger) and none have succeeded in
surpassing my latter work. I wish you every success with your work but your
prediction of 90% coverage of features is an exaggeration even with your
planned work. In addition you are limiting your audience by writing a
plug-in for Eclipse. The bulk of my current users do not even know what
Java is far less Eclipse. You will get many users I am sure but as for it
hurting my work - more mature efforts have failed. I do honestly welcome
the challenge - it always inspires me to create new features :)
>Another question: Should GPL prevent you from released KeyStore 2.4 from
>KeyTool GUI?
As I own the copyright to KeyTool GUI I can decide what license to release
it under. It is my own work after all :)
>Wayne, take it easy, just Debate promote Understanding and
>Collaboration......
No problem - I will discuss this with you as long as you require. I wish
you no ill will - I am simply attempting to protect my open source work.
>Can you tell me which ACTION will you take to?
I hope to take no action. I am happy for you to build on as much of my open
source work as you like. I have had no problem with others building on the
old GUI and utility classes - but they did obey the license. As you say you
only require the use of a couple of crypto utility classes. All I require
is your agreement that you will license as GPL or not use my code.
I truely hope we can resolve this matter.
Talk to you soon.
Cheers,
- Wayne.
面对Wayne的软硬兼施,我的言辞可能过于刻薄,并且我本人可能对收费软件过于介意,于是
开始回击:
Wanye,
I do really have two worries:
1. I hope sofeware is free, GPL's finally object is make more software free and
opensource is just a measure. After you make KeyStore Explorer a branch from
original KeyTool GUI, it is you that firstly not follow the GPL, right? Of course, because
you are the author, you are the owner, and you'll the authorize yourself to not
follow.
2. I checkout the protecle project( http://portecle.sourceforge.net/) which you recommend,
and i started to agree what you said:
->David, others have tired (Portcele, JKeyManger) and none have succeeded in
_>surpassing my latter work.
Protecle is just KeyTool GUI 1.7 and add only jar sign, little features are added. And
most important, it doesn't provide a native look. What's that mean? It means that when my OS is
using GBK, Protecle and KeyTool GUI 1.7 can not display correctly.
3. You say that:
-> In addition you are limiting your audience by writing a plug-in for Eclipse.
I forgot to tell you, that you make are wrong, I am writing SecureX follow the RCP standard
so that it can work as Eclipse Plugin or work stand alone. That means I can let my audience to use
SecureX even they don't have Eclipse installed.
Please Check : http://wiki.eclipse.org/index.php/Rich_Client_Platform
4. You suggested that
-> I hope to take no action. I am happy for you to build on as much of my open
-> source work as you like. I have had no problem with others building on the
-> old GUI and utility classes - but they did obey the license. As you say you
-> only require the use of a couple of crypto utility classes. All I require
-> is your agreement that you will license as GPL or not use my code.
I must let anyone knows that my purpose is to make software free, and open
is only a sort of means. I always hope that software should not PAY BEFORE USE.
I am worried that follow GPL will let most of my future work serve your KeyStore
Explorer(which is not open or free).
And when i and my teammates added more features on SecureX, it means that
this RCP framework standarded has enought features, I will open the framework (2.0 version)
so that others can plugin their secure feature into SecureX framework(thty only needed
to follow the RCP Plugin standarded) and they can choose open their source or not(Like
what Eclipse look now) and they can choose free manner or charge manner.
5, You are worried that my work will hurt you work:
-> You will get many users I am sure but as for it
-> hurting my work - more mature efforts have failed. I do honestly welcome
-> the challenge - it always inspires me to create new features :)
I guess you are worried that KeyStore Explorer will turn to use SecureX and your
earning will reduce?
If that's true, I must get off you worry:
You can add features to my SecureX framework and not evened to disclose you code(see
RCP Standard above) and make it charge :) My License won't prevent you from charge and won't
require to opensource.
My MSN is : scut_hzq@hotmail.com but i use it rarely.
Wait for you reply.
Wayne的回信让我感到我在表述GPL的时候有误,我感到有些惭愧,他提到他的KeyStore Explorer不可能
使用我的SecureX(如果我的SecureX被License为GPL),我检查我上面的回信,确实是我写错了,我应该
担心的是GPL让SecureX很难应用于商业用途。
David,
>I do really have two worries:
>1. I hope sofeware is free, GPL's finally object is make more
>software free and
>opensource is just a measure.
If you use the GPL then nobody, including me, can use your work in a
non-open source project - I would have to make my own work GPL - which I
have no intentions of doing. My current work is closed source and will
remain so. If you use another open source license such as Apache or MIT
then the opposite is true - such licenses are more liberal when it comes to
commercial uses for software.
>After you make KeyStore Explorer a branch from
>original KeyTool GUI, it is you that firstly not follow the GPL, right? Of
>course, because you are the author, you are the owner, and you'll the
>authorize yourself to
>not follow.
That's correct - only the copyright owner can relicense GPL software. Note
that that meqans that I cannot relicense any of your work for my purposes.
>I must let anyone knows that my purpose is to make software free, and
>open is only a sort of means. I always hope that software should not PAY
>BEFORE
>USE.
That was my purpose for KeyTool GUI and why I chose the GPL - nobody but me
can relicense it.
>I am worried that follow GPL will let most of my future work serve your
>KeyStore Explorer(which is not open or free).
As I said above I cannot use any GPL code in my work. By using the GPL your
work will be protected. In addition I can assure you that I will not even
be looking at your code.
>5, You are worried that my work will hurt you work:
I am not worried. I welcome the competition.
> My MSN is : scut_hzq@hotmail.com but i use it rarely.
I have added you to my contacts list and should be online for much of today.
It sounds like we are getting closer to an understanding. You want to
protect your work and make sure it will always be free for others to use,
right? The solution appears to be to use the GPL. Which would be the best
thing to do anyway from a legal standpoint as no licenses would be broken.
Cheers,
- Wayne.
在中国,GPL跟Apache这两种许可证,其实根本没有人去关心,因为大部分人都是用盗版,
谁又会去关心许可证?
我承认我使用了wayne的代码,他写了不少工具类,并且我使用了它们,如果因为GPL阻止
了我选择其他的License,我宁愿违反它。
Wayne后续的邮件我不方便公开,因为我们就license这个问题上翻脸了,Wayne甚至这样说:
I will not be rejoining any open source projects for KeyTool GUI or any
other projects. Why on earth would I want to give my work away for nothing?
I think that I have done enough already by writing KeyTool GUI in the
first place.
既然他已经对开源不敢任何兴趣,我又何必再跟他纠缠呢,他继续写他的商业软件,我继续
为我的SecureX添加新的功能,我的目标并不是KeyStore Explorer, 我只是想让更多人能使用
我的SecureX插件更方便地使用Java证书库。
CAS的作用是负责单点登录,登录细节当然要自己写,CAS3有一个这样的AuthenticationHandler 接口,继承关系如下
1,AbstractAuthenticationHandler implements AuthenticationHandler
2,AbstractUsernamePasswordAuthenticationHandler extends AbstractAuthenticationHandler
AbstractUsernamePasswordAuthenticationHandler 正是你认证管理的着手点,你写一个类,如WeblogicAuthenticanHandler去扩展它。
你先看看下面的接口:
public interface AuthenticationHandler {
/**
* Method to determine if the credentials supplied can be authenticated.
*
* @param credentials The credentials to authenticate
* @return true if authenticated and false they are not
* @throws AuthenticationException An AuthenticationException can contain details about why a particular authentication request failed.
* AuthenticationExceptions contain code/desc.
*/
boolean authenticate(Credentials credentials) throws AuthenticationException;
}
authenticate这个接口是每个Hander都必须实现,当然,AbstractHandler将它转交给 authenticateInternal 方法去实现。
认证有两种情况,成功或者失败,true or false。
我使用Weblogic的LoginModule
loginContext = new LoginContext("WeblogicUsernamePasswordModule", new WeblogicCallbackHandler(username, password, url));
它抛出个各种不同的认证异常让我轻松判断认证过程中发生了什么事情,
/**
* Attempt authentication
*/
try
{
// If we return without an exception, authentication succeeded
loginContext.login();
}
catch(FailedLoginException fle)
{
System.out.println("Authentication Failed, " + fle.getMessage());
loginsccess=false;
}
catch(AccountExpiredException aee)
{
System.out.println("Authentication Failed: Account Expired");
loginsccess=false;
}
catch(CredentialExpiredException cee)
{
System.out.println("Authentication Failed: Credentials Expired");
loginsccess=false;
}
catch(Exception e)
{
System.out.println("Authentication Failed: Unexpected Exception, " + e.getMessage());
loginsccess=false;
}
如果一切正常,授权开始了。
if(loginsccess==true)
{
/**
* Retrieve authenticated subject, perform SampleAction as Subject
*/
subject = loginContext.getSubject();
System.out.println("User["+ username+"]["+ password+"] Login Success, Subject is"+subject.toString());
return true;
}
else
{
System.out.println("User["+ username+"]["+ password+"] Login Fail, Check!!!!!");
return false;
}
OK,获得了Subject,那你就可以获得principal,编程式授权便有了依据。
同时,你还可以用Weblogic的声明式授权,直接在web.xml中定义资源的授权规则。
更多关于认证授权,请看[Weblogic Security In Action]
http://dev2dev.bea.com.cn/bbs/servlet/D2DServlet/download/81-26770-158358-1697/WeblogicSecurityInAction(1).swf
曾几何时,wayne_grant编写了一个KeyTool GUI,但后来,他转而投诚到收费软件行列,KeyTool GUI变成了过去,连下载的URL也被remove掉了,free evaluation copy的KeyStore Explorer 2.4是现在收费的最新版本。咋看了一眼,发现它的客户居然还不少:
http://www.lazgosoftware.com/kse/customers.html。
我一直想提供一个KeyTool GUI的Eclipse插件,过年的时候,我把KeyTool GUI(用Swing编写)和我自己写的Eclipse签名管理插件一起集成到一个新的Eclipse Plugin上,我发现KeyTool GUI并不适合作为Eclipse插件进行集成,我决定重写它,取名为SecureX。
我现在已经完成的工作包括:
1,新建,保存,打开查看证书库,设置KeyStore密码,类型.
支持证书类型包括:
JKS
JCEKS
PKCS #12
BKS
UBER
同时可以在证书库类型间进行转换。
2,生成密钥对(RSA,DSA)
3,导入信任证书
4,查看数字证书内容(包括证书链)
5,导入密钥对
我正在进行的工作包括:
6,导出数字证书 (X.509 or PKCS #7, DER or PEM) ,密钥对
7,查看Security Provider
8,检查CRL
9,XML方式输出KeyStore
10,产生CSR请求
11,导入CA对CSR签名后的Reply
12,克隆KeyPair
13, 对CSR,Jar签名
上面描述的功能涵盖了KeyStore Explorer 2.4 90%的功能,和Swing编写的KeyStore Explorer很大的不同点是:
1, SecureX插件将支持XML数字签名(使用Axis)以及数字签章功能,它是用SWT编写,以Eclipse RCP发布的Eclipse插件,而KeyStore Explorer仅仅是一个Keystore工具。
2, KeyStore 2.4对中文支持太差,很多地方都是乱码,新版本SecureX插件将提供全中文界面,方便中国同胞使用。
3,SecureX插件是Key Tool Eclipse Plugin,它支持在线更新,完全免费,而KeyStore Explorer是一个商业产品,价格较为昂贵。
4,SecureX插件还提供符合标准Eclipse RCP规范的发行包,用户在任何平台下都能运行SecureX。
下面是SecureX的截图:
其他功能仍然在编写中,第一个Beta版本将于2月中下旬发布。
我用Hibnernate(JDBC太麻烦了)写图片到Blob字段,产生转型异常,
Configuration config = new Configuration().configure();
// config.addClass(TSealTemplate.class);
SessionFactory sf= config.buildSessionFactory();
//SessionFactory sf = HibernateSessionFactory.getSessionFactory();
s = sf.openSession();
Transaction tx = s.beginTransaction();
TSealTemplate c = new TSealTemplate();
c.setUserid("USER0001");
c.setSealTemplBlob(Hibernate.createBlob(buffer));
s.save(c);
s.flush();
s.refresh(c, LockMode.UPGRADE);
BLOB blob = (BLOB) c.getSealTemplBlob();
关于此问题在JavaEye上有一篇文章讨论,原因是
java.sql.Blob不能强制传唤成oracle.sql.BLOB
解决方法如下:
SerializableBlob blob=(SerializableBlob)c.getSealTemplBlob();
BLOB blob2 = (BLOB)blob.getWrappedBlob();
OutputStream out = blob2.getBinaryOutputStream();