Monday, March 26, 2012

WSO2 Charon - released in time for the SCIM interop @ IETF 83

The M1 build of WSO2 Charon was released last week just in time for the very first SCIM interop event scheduled to start this week in Paris.

By the time of this writing Hasini Gunasinghe, the one who lead SCIM effort from WSO2 front is in France to participate in IETF 83.

Simple Cloud Identity Management [SCIM] is an emerging open standard which defines a comprehensive REST API along with a platform neutral schema and a SAML binding to facilitate the user management operations across SaaS applications, placing specific emphasis on simplicity and interoperability as well.



SCIM challenges the Service Provisioning Markup Language [SPML].SPML is an XML-based framework, being developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations. SPML version 1.0 was approved in October 2003. SPML version 2.0 was approved in April 2006. So, it's been there for almost a decade but hardly ever caught the attention of the community. One good reason is SPML been very biased to SOAP/XML. This also made different vendors to implement their own provisioning APIs. This is what Google implemented for Google Apps.

"Major cloud service providers...have found that they need to become more agile when configuring customer access to these services. The ability to provision user accounts rapidly, accurately, and in standardized fashion helps both service providers and their enterprise customers to achieve productive, access-controlled service usage faster. To meet this goal, these service providers, along with vendors...have collaboratively developed the new draft protocol called Simple Cloud Identity Management (SCIM)," according to the Forrester Research, Inc. report, Understanding Simple Cloud Identity Management, July 15, 2011.

That's the birth of SCIM.

WSO2 was following the progress of SCIM specification from the very beginning and was very keen to get involved. We have very close use cases for SCIM with our Stratos Platform as a Service [PaaS]. With SCIM we believe we could have better integration with Google Apps, Salesforce and other SaaS providers. Users from WSO2 Stratos will be able to provision their accounts to different SaaS providers who support SCIM. Not just for cloud, but also for our standalone Identity Server product, we believe SCIM could add a strong value. Someone running WSO2 Identity Server behind a firewall would be able to provision it's users to SaaS applications running in the cloud.

This thought process led us to do the WSO2 SCIM implementation. And to date it's the only Java SCIM implementation available under open source Apache 2.0 license.

Of course, we wanted a name to go ahead - among many name proposed we picked Charon - the guy how ferries you to Hades - which was proposed by Charith Wickramarachchi, one of my colleagues at WSO2.

WSO2 Charon includes four main modules.
  • Charon-Core: The API implements of SCIM specification. It provides API for both server side and consumer side such that a SCIM Service Provider or a SCIM Consumer can be developed based on Charon-Core.
  • Charon-Deployment: A reference implementation of SCIM service provider. It is a Apache Wink based webapp that can be deployed in an application server and make the SCIM service provider be exposed.
  • Charon-Samples: This contains a set of samples illustrating the SCIM Consumer side use cases which can be run against a SCIM server.
  • Charon-Utils: This contains a set of default implementations for the extension points made available in Charon-Core.
WSO2 Charon in it's M1 release supports following features from the SCIM specification and planing to be feature complete by May this year.
  • User operations
    • Create(POST)
    • Retrieve(GET)
    • Update(PUT)
    • Delete(DELETE)
    • List(GET)
    • User Schema. 
  •  Group operations
    • Create(POST)
    • Retrieve(GET)
    • Update(PUT)
    • Delete(DELETE)
    • List(GET)
    • Group Schema
  • Representation : JSON
  • SCIM Client API
  • Response Codes
  • Authentication : HTTP Basic Auth
  • SCIM Resource endpoints exposed as JAX-RS based REST resources using Apache Wink
  • In Memory User Store
  • JAX-RS Response handling
With all these feature, WSO2 Charon is ready for the very first SCIM interop event scheduled to hold tomorrow, 28th March @ IETF 83 in Paris.

UnboundID, SailPoint, Technology Nexus, BCPSOFT, Ping, Gluu, Courion & Salesforce will be there for the first interop together with WSO2.

Saturday, March 24, 2012

The Java Colombo Lanuch

The first meetup of the Colombo Java User Group [JUG] was held on 15th March @ WSO2 #58 office...

It was a huge success - we were able to get more than 70 to attend the event while around 180 registered for the Colombo JUG just with a one month notice...



I was in a panel discussion which talked about secure coding with Java - with Hiranya, Srinath and Amila..

Some key areas I would like to highlight here from what we focused during the panel discussion..
  • Security concerns in application development - authentication, authorization, integrity, no-repudiation, confidentiality - best practices to follow while designing a login method -  exception shielding pattern.
  • How does Java security architecture address the above concerns -  JAAS, JGSS, Java Security Manager.
  • What are the security concerns in a distributed environment? 
  • What are the common types of attacks? and solutions - attacks like, Cross-site Scripting, Session Hijacking, SQL Injection, Log Injection were demonstrated during the session...
  • What are the security testing best practices?  - OWASP
After the panel - the brain storming session on 'Future of Java - Would Oracle kill Java ?" started...

It was quite interesting and was nicely moderated by Senaka.

Some key points highlighted during this session...
  • Oracle may not kill Java - but will look in to more commercial side of it by giving patches only for paying customers.
  • Oracle's response time so far for critical Java security bugs is highly satisfactory.
  • People were afraid when Oracle acquired MySQL and they had all reasons to kill MySQL but they did not. Further Oracle has contributed to improve the performance of MySQL.
  • What will happen to the J2ME? Most probably Android will kill J2ME.
  • Java7 adaptation is still slow.
  • No room for Java on iPad [iOS].
All-in-all it was nice couple of hours with Java enthusiasts...

Need to Thank everyone who contributed to the success of this event - specially WSO2, Dr. Sanjiva Weerawarana, Harindu, Hiranya and all other colleagues at WSO2.

Looking forward for the next Colombo JUG event sometime around late April...