The London Groovy and Grails User Group will be holding their next meeting on Wednesday, 6th December 2006 at Skills Matter in London and for the first time ever the meeting will be available via a live web conference, so don't worry if you are not in London!

Speaking at this month's meeting will be Graeme Rocher, Grails Project Lead and CTO at Skills Matter. During his talk entitled; Grails Dynamic Tags: Making Tag Libraries Agile, Graeme will discuss Groovy Server Pages and its support for the creation of dynamic tag libraries without the need for configuration.

John Wilson, Groovy Committer, will also be presenting at this meeting. During his talk, entitled; The MetaClass: How Groovy works Under the Hood, John will shed light on the MetaClass so you can better understand its' function and see how to use it to get your Groovy programs smaller, clearer and faster.

For more information on attending this meeting or signing up for the web conference, please go to: http://skillsmatter.com/groovy-grails-ug

WS-Security provides a way to protect Web Services at the message level (SOAP) and it is independent of the protocol used (HTTP, JMS, ...). However, some services are still using HTTP based authentication for protection. JAX-RPC and its Oracle implementation provides a way to set the username and password in the client (Stub) using some properties on the Stub.

((Stub)port)._setProperty(Stub.USERNAME_PROPERTY, "username");
((Stub)port)._setProperty(Stub.PASSWORD_PROPERTY, "password");  

That's it...

Theses properties are shortcuts to the standard JAX-RPC properties:

javax.xml.rpc.security.auth.username
javax.xml.rpc.security.auth.password

This code is the same when you are using the Call interface.

OracleAS 10gR3, so OC4J standalone, is using the standard Java logging framework. Some of the benefits are easy configuration, and extensibility. The configuration of the level of logging of the different loggers has been exposes in the Oracle Application Server Console. To see the logger configuration, click on the Administration Tab and then Logger Configuration, you can then configure the different loggers.

By default the logger will write all the information in the default log.xml file, and for application lever logger it will go in the application.log. You may want to send the information in the console during development to debug/analyze your application. This is done using the configuration of the Handler. This information is currently not available in the Application Server Console, so I am documenting in the next steps how to send the information in the console (terminal window).

The configuration of the OracleAS Logging is saved in the $ORACLE_HOME/j2ee/home/config/j2ee-logging.xml file. In this file you can see that Oracle has defined various handlers where information can be sent:

• console-handler : Log the information in the console (the one we want to use in this sample)
• oc4j-handler : the default handler for most of the loggers, saving the information in the $ORACLE_HOME/j2ee/home/log/oc4j/log.xml using the Oracle Logger formatting
• oracle-webservices-management-auditing-handler : the handler used by the Web Services Auditing feature in the $ORACLE_HOME/j2ee/home/log/wsmgmt/auditing/log.xml
• oracle-webservices-management-logging-handler : the handler used by the Web Service Logging feature in the $ORACLE_HOME/j2ee/home/log/wsmgmt/logging/log.xml

As you may know, OracleAS Web Service provides out of the box support for Auditing of the SOAP messages. You just need to go in the administration page of the Web Service and enable the auditing. By default the messages are logged in the auditing log pointed above. But during development it is really interesting to see the SOAP Messages in the console without having to configure a Proxy to capture the request/response. The easiest way to do that is to edit the j2ee-logging.xml file and associate the console-handler to the auditing logger using the following configuration:

<logger name="oracle.webservices.management.auditing" level="NOTIFICATION:1" useParentHandlers="false">
<handler name="oracle-webservices-management-auditing-handler"/>
<handler name="console-handler"/>
</logger>

by doing this you will see the SOAP Message in the OC4J console that is running in your system.

You can also use this configuration with any loggers available in OC4J.

The Oracle Technology Network (OTN) "Greatest Hits" is a compilation of the most popular technical articles, software downloads, podcasts, sample code, and documentation, we've published in a given 12-month period. The compilation provides you with convenient access to the "best" of OTN as well as an insight into the interests of the Oracle developer and DBA communities.

• Oracle Technology Network (OTN) "Greatest Hits" page.

I was discussing with a customer not familiar with the JAX-WS standard. I was writing him a mail explaining the difference when I found this nice article on the IBM DeveloperWorks library:

• [Web services hints and tips: JAX-RPC vs JAX-WS](http://www-128.ibm.com/developerworks/webservices/library/ws-tip-jaxwsrpc.html target=)

It is an opportunity for me to remind OracleAS users that the 10.1.3.1 stack in addition to the JAX-RPC support also provides support for:

• Attachments with MTOM, Soap with Attachment and DIME
• Annotations based development (JSR-181) that is part of JAX-WS
• WS-Security and WS-Reliability

I have been using JDeveloper for many years, since the first release ;-). But I've never payed attention to a simple and very useful feature. When you click the Help > About menu you can access all the System properties of the Java VM used by Jdeveloper by clicking on the Properties tab


Thanks to Gerard for the tip....

Prerequisites:

In this article you have

• already a Web Service deployed in OC4J that is running on the default HTTP port. The WSDL and Endpoint are available. In my sample the non secure Web Service endpoint is: http://127.0.0.1:8888/math-service/MathServiceSoapHttpPort

Add HTTPS to OC4J​

Creating of the Keystore​

The first thing to do to secure OC4J would be to create a new keystore that will contain the different certificates. The easiest way to do that for a Java developer is to use SUN's keytool:

keytool -genkey -alias oracle-server -dname "CN=Tug Grall, OU=Blog O=Grall And Co L=Redwood Shores, S=CA, C=US" -keyalg RSA -keypass welcome -storepass welcome -keystore server.keystore

You can copy the server.keystore into the $ORACLE_HOME/j2ee/home/config to simplify the next steps.

Configuring OC4J​

OC4J stand alone is using the notion of Web-Site to expose HTTP resources (Web Applications). The default-web-site is define is he $ORACLE_HOME/j2ee/home/config/default-web-site.xml. To secure an OC4J you can follow the steps describe in the OC4J Security guide that I have summarized in the following section.

What we want to achieve for the purpose of the demonstration is to have OC4J using HTTP and HTTPS, on port 8888 and 4443 for example.

1. Copy default-web-site.xml to secure-web-site.xml
2. Edit the secure-web-site.xml:
   • Change the web-site tag by changing the port to 4443 and adding the element secure="true"
   • Add the ssl-config element and point this to the new created keystore.

The file looks like:

<web-site   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/web-site-10_0.xsd"
  port="4443"
  secure="true"
  display-name="OC4J 10g (10.1.3) Default Web Site"
  schema-major-version="10"
  schema-minor-version="0" >
  ...
  <ssl-config keystore="server.keystore" keystore-password="welcome" />
  ...
</web-site>

3. Import the new Web site in your OC4J instance by editing the $ORACLE_HOME/j2ee/home/server.xml file. You need to add or replace the web-site tag. In my case I want to add the secure web site to my instance so the configuration looks like:

...
<web-site default="true" path="./default-web-site.xml" />
<web-site path="./secure-web-site.xml" />
...

Since we have copied the file from the default-web-site, all applications are available using HTTP and HTTPS

Start OC4J and test the HTTPS port​

Start OC4J using the standard Java command or shell script, I am adding the Java Network debug flag that would help you to see what is happening at the SSL level.

java -Djavax.net.debug=ssl -jar oc4j.jar

You should be able to access the service WSDL using the HTTPS port for example in my case:

• https://127.0.0.1:4443/math-service/MathServiceSoapHttpPort?WSDL

Consuming the Service using HTTPS​

Generate and configure a client Keystore​

Event if this is possible to use the same keystore for the server and the client, I will guide you in the steps to create a client certificate and import the certificate from the existing -server- one.

Here the command to create a new keystore:

keytool -genkey -alias oracle-client -dname "CN=John Doe, OU=Blog O=MyDummyClient, S=CA, C=US" -keyalg RSA -keypass welcomeClient -storepass welcomeClient -keystore client.keystore

The next step is to export the certificate from the server keystore to be able to import it in the client:

keytool -keystore server.keystore -export -alias oracle-server -file server.cer

You can now import the cerificate in the client keystore:

keytool -keystore client.keystore -import -file server.cer

Generate the proxy​

You have now the client certificate so you can use the Oracle Web Service Assembler to generate the proxy. The only specific thing you have to do is to specify which key store to use when running the tool. The command to use when generating the proxy is:

java -Djavax.net.ssl.trustStore=/Users/tgrall/ssl/client.keystore
    -Djavax.net.ssl.keyStore=/Users/tgrall/ssl/client.keystore
    -Djavax.net.ssl.trustStorePassword=welcomeClient
    -Djavax.net.ssl.keyStorePassword=welcomeClient
    -jar $ORACLE_HOME/webservices/lib/wsa.jar
    -genProxy
    -wsdl https://127.0.0.1:4443/math-service/MathServiceSoapHttpPort?WSDL

Calling the Service using secure endpoint​

Configure the Java Environment to use the client store is made using the following System properties:

• javax.net.ssl.trustStore
• javax.net.ssl.keyStore
• javax.net.ssl.trustStorePassword
• javax.net.ssl.keyStorePassword

This could be done using different approach, property file, -D command line parameter or programmatically. To simply the example I am using the programmatic approach, the following code is part of the main method of the Client class:

...
System.setProperty("javax.net.ssl.trustStore", "/Users/tgrall/ssl/client.keystore");
System.setProperty("javax.net.ssl.keyStore", "/Users/tgrall/ssl/client.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "welcomeClient");
System.setProperty("javax.net.ssl.keyStorePassword", "welcomeClient");
...
// Adding Debug information
System.setProperty("javax.net.debug", "ssl");
...

It is possible to change the Endpoint dynamically in the Proxy using the setEndpoint method.

...
democlient.proxy.MathServiceSoapHttpPortClient myPort = new democlient.proxy.MathServiceSoapHttpPortClient();
...
String ep = "https://127.0.0.1:4443/math-service/MathServiceSoapHttpPort";
myPort.setEndpoint(ep);
System.out.println("Result of the operation is "+ myPort.add(2,2));
...

You should now be able to run the client and call the service using HTTPS. This would look like:

Oracle Open World is getting very close... And I am very excited to go to lot of sessions, two of them looks very interesting in the Oracle Develop track:

• Rod Johnson - Spring Update: What's New and Cool in Spring 2.0 (Monday 10/23/2006, 12:45 PM - 1:45 PM in the Hilton Hotel Grand Ballroom A)
• Brian Behlendorf - Bringing Open Source Software Development Practices and Principles Into Your Company (Tuesday 10/24/2006, 1:15 PM - 2:15 PM in the Hilton Hotel Grand Ballroom A)

This is quite exciting to have Open Source gurus coming to present to the Oracle conference, and explain how to use the new Spring in their projects or leverage Open Source practices to improve development in house... Take a look to the full program of Oracle Develop.

Start to use the Oracle OpenWorld Schedule Builder to organize your week in SF, if you have not registered yet for OOW click here.

WS-Security provides a standard way to secure Web Services. Since based on SOAP it is agnostic of the stack you are using. When using JAX-RPC implementation, you are running in a J2EE container. In this post I am giving a tip to access the Principal object.

I have a service service, and I need to access some user information in its implementation class ( org.tug.ws.sample.SimpleServiceImpl ). This service is secure with WS-Security, with for example simple authentication, the following screenshot, is the configuration of inbound security in OracleAS 10gR3:


So the service is secured, here the code that you have to add in your service implementation (or handlers) to access the Principal object.

1. Implement javax.xml.rpc.server.ServiceLifecycle
2. Implement the init(Object context) method to access the ServletEndpointContext, that you can for example put as a local member of your implementation class.

public void init(Object context) {
  _servleContext = (ServletEndpointContext)context;
}

3. Then you can access the principal object using the getUserPrincipal() method:

...
if (_servleContext.getUserPrincipal() != null ) {
  Principal userPrincipal = _servleContext.getUserPrincipal();
  ...
}
...

You can find more information about the Security in J2EE 1.4 Web Services in the Designing Web Services with the J2EE 1.4 Platform tutorial.

Update on Wednesday october 4th: Frank Nimphius, has use this entry to create a more detail article about End to End Security with Web Services Security.

Last week I discussed dynamic languages with some consultants. This discussion was done in the context of integration of scripting technologies into Java EE environment. So the integration to the VM is important, I also think that the learning curve is a thing to consider.

It is true that, like any developer Iike to learn things everyday, this is why I have done some development with PHP, with Ruby On Rails, and obviously with Groovy, Javascript and many other dynamic languages.

The discussion moved quickly to an argument about which language is the best... Hard to say, but I would expect that to be more productive in enterprise it is better to use a "Java Like" syntax that allows you to leverage the power of scripts. Based on this comment it is for me a no brainer to say that Groovy is more interesting to a core Java developer than JRuby (or other Jython, Jacl, ...). I do not even want to go in the details about VM integration, performances and so on...

So in this context, A. Sundararajan has posted a very interesting comparison of Java, Groovy and JRuby syntaxes.