Mobile 2.0

常见Java开源JMS消息中间件及特性简介

2008-06-26T15:24:00.000-07:00

JMS开源消息中间件有很多，本文对常见的几种进行了列举和简单比较，希望对MOM选型的个人和企业有所帮助
。
mom4j
mom4j是一个完全实现JMS1.1规范的消息中间件并且向下兼容JMS1.0与1.02.它提供了自己的消息处理存储使它独立于关系数据与语言,所以它的客户端可以用任何语言开发.

OpenJMS
OpenJMS是一个开源的Java Message Service API 1.0.2 规范的实现,它包含有以下特性：
*. 它既支持点到点（point-to-point）（PTP）模型和发布/订阅（Pub/Sub）模型。
*. 支持同步与异步消息发送
*. JDBC持久性管理使用数据库表来存储消息
*. 可视化管理界面。
*. Applet支持。
*. 能够与Jakarta Tomcat这样的Servlet容器结合。
*. 支持RMI, TCP, HTTP 与SSL协议。
*. 客户端验证
*. 提供可靠消息传输、事务和消息过滤

UberMQ
UberMQ完全实现了Java Message Service 规范。UberMQ是因为现有的许多JMS提供商已经违背了分布式计算的核心原则：快速与简单而开发的。

Hermes JMS 利用它提供的Swing UI可以很好的实现监控JMS providers。

ActiveMQ
ActiveMQ是一个开放源码基于Apache 2.0 licenced 发布并实现了JMS 1.1。它能够与Geronimo，轻量级容器和任Java应用程序无缝的给合。

Somnifugi
Somnifugi使得工作在同一个java虚拟机中的线程能实现消息互发。

MantaRay MantaRay基于peer-2-peer 技术。它具有以下特性:
1.它既支持点对点(point-to-point)的域，又支持发布/订阅(publish/subscribe)类型的域。
2.并且提供对下列类型的支持：经认可的消息传递,事务型消息的传递，一致性消息和具有持久性的订阅者支持。
3.消息过滤体制。
4.能与WebLogic and WebSphere 给合。
5.支持TCP, UDP 与 HTTP传输协。 Presumo Presumo也是一个实现Java Message Service API的JMS消息中间件。 JORAM JORAM一个类似于openJMS分布在ObjectWeb之下的JMS消息中间件。 JMS4Sdivad JMS4Sdivad是一个消息系统.它部分地实现了Java消息服务(JMS) API.

单实例模式数据库连接池+log4j

2008-06-26T14:13:00.000-07:00

http://www.mldn.cn/articleview/2007-4-8/article_view_1955.htm

英文翻译词典工具软件与在线翻译全搜罗

2008-05-08T07:33:00.000-07:00

无论是我们平时浏览网页还是阅读文献都会或多或少遇到几个难懂的英文词汇，这时我们就不免要翻词典了。网上的词典工具大概可以分为两种：离线词典，就是可以不用联网，只要下载安装并运行就可以方便取词翻译；另外一种是在线词典，它需要我们访问一个网站，而后输入要查找的词汇等。现在我们就来总结一下线上线下比较优秀的英汉词典。

一、在线词典

1、金山爱词霸（http://www.iciba.com/）
这是目前最好的线上词典工具之一。词汇量涵盖了150余本词典辞书，70余个专业领域，28种常备资料，中、日、英网际大辞海，提供在线及时更新，第一时间掌握流行词汇表达并为每个词汇都提供了真人发音和相关词汇释意。同时网站的界面也采用了简、繁、英、日等语言编写，便于不同的人群使用。
同时，爱词霸还提供了多种扩展功能，如QQ、MSN机器人、Firefox插件等，使你可以随时随地地翻译词汇。具体可以查看http://web.iciba.com/partner/ ，找到更多实用工具

不过，受词霸已经被谷歌（Google）收购，据传谷歌将于5月8日推出新版的词霸，名字可能定为谷歌金山词霸，除了词霸原有功能外，还增加了网络翻译、图片解释等。

2、海词在线词典（http://www.dict.cn/）
海词在线词典由在美国印第安纳大学的中国留学生范剑淼创建。正式使用于2003年11月27日（美国的感恩节）。虽然它的词汇量没有爱词霸庞大，但是它提供了大量例句并佩有真人发音，可以帮助矫正发音问题。
海词也提供了大量的小工具，你可以把它们添加到你的博客或者个人网站上来增加更多丰富多彩的功能。具体可以查看http://www.dict.cn/tools.html

3、译典通（http://www.dreye.com.cn/）
网站的所有者为英业达(上海)有限公司。译曲通提供了较大量的词汇并配有真人发音，同时可以查询同义词/反义词，词形变化等。另外还可以查询日语词汇，并配有日语、英语学堂。

4、雅虎字典（http://zidian.cn.yahoo.com/）
和爱词霸一样，具有词汇提示功能，比如你输入reci就会提示以其开头的所有单词，方便输入。雅虎字典一个最大的好处就是他能翻译网络词汇，在互联时代，像汉字一样，很多旧词有了新解，这时候你就可以通过网络词汇来查找它的亲含意了。不过，雅虎的单词翻译是由译典通提供的。

5、有道词典（http://dict.yodao.com/）
有道是网易自主研发的搜索引擎，并提供词典功能。有道词典的释义也是来自译典通，但又有很多创新，比如英英翻译、网络解释、例句查询、同义词、反义词等，还可以创建自己的单词本。

6、百度词典（http://dict.baidu.com/）
百度词典的释义来自译典通，并且没有太大改进。类似于Handbook一类的工具书。

此外，在线词典还有很多，比如林语堂《当代汉英大词典》、韦氏在线词典、英语多功能词典等。

7、星际译王（http://www.stardict.cn/）
提供了大量的词汇翻译，支持多语言翻译。不过你要使用他的全部功能必须注册成为会员，还好，注册会员是免费的。星际译王还提供了Firefox插件，如果你使用的Firefox浏览器，不妨试试看，插件下载：http://www.stardict.cn/browserplugin.php

8、沪江小d（http://dict.hjenglish.com/）
解释详细，并且带有大量的例句解释和参考网页。界面清新，并提供了大量的语言工具链接

二、线下词典、翻译软件

1、金山词霸（http://cp.iciba.com/index.shtml）
相信金山词霸是目前使用最为广泛的汉英双语工具。他不仅词汇量，而且能够桌面即时取词使用也相当方便，还可以查询多学科词汇，可以说是做的相当成功的一款词汇软件（难怪谷查检和百度都盯上他了）。下载地址：http://cp.iciba.com/index.shtml （收费软件）。

P.S. 谷歌（Google）发布的新版词霸将是一款全免费软件。

2、灵格斯词霸（http://www.lingoes.cn/）
也是词霸哦，不过他是灵格斯，他是一款全免费可在线更新词库的词典工具。它的安装文件非常小，目前最新版也只有2.8M。使用者可以根据自己的需要下载不同的词典库，如牛津高阶英语词典 (第6版)、朗文当代英语词典 (第4版) 、柯林斯高阶英语词典 (第4版) 等等。灵格斯只是一个外壳，你安装什么样的词典就能翻译什么样的词汇，所以你安装了法语、日语、甚至是爱斯基摩语词典，只要安装他就能翻译。其取词也比较人性化，只有当同时按下Ctrl键时才会取词，也就是在你想用的时候才会用。
词霸下载：http://www.lingoes.cn/zh/translator/index.html
词库下载：http://www.lingoes.cn/zh/dictionary/index.html

3、有道桌面词典（http://cidian.yodao.com/）
和有道线上词典配套的工具。当前版本为1.1，大小为2.7M精简版只有1.16M。可以在线翻译、网络释义、海量例句、屏幕取词等。是一款轻量级的词典工具。

4、星际译王（http://stardict.sourceforge.net/）
一款开源且免费的翻译工具。支持全文翻译、网络词汇、鼠标取词等。它是一个跨平台的国际化的词典软件，有选中区取词，通配符匹配，模糊查询等强大功能。目前已有两百多个词典，支持几十种语言,其中中文词汇有100多万。跨平台的国际词典软件！它功能强大，实用性强，“ 通配符匹配”，“鼠标查词”，“模糊查询”等功能倍受青睐！
下载：http://stardict.sourceforge.net/

5、babylon词典（http://www.babylon.com/）
来自以色列最强大的英文翻译软件 - Babylon Pro，在全球已有超过 70 个国家 2 千 2 百万人使用。Babylon-Pro 提供最专业英文翻译，有别于一般的翻译软件，Babylon 最迷人的是可外加其它语言字典，提供让您翻译一次可同时得到其它语言的翻译。例如您的字典清单中有英英、英中、英德、英日、英韩的字典时。当您查询一个英文单字时，她便同时一次给您所有英中德日韩文的翻译。有付费和免费服务两种。

[b]6、雅虎乐译（http://soft.cn.yahoo.com/ly/）
安装包小于1M，同时还有乐译绿色版无需安装、免除卸载，解压缩即可立即使用。集成了网络词汇、鼠标取词、中英文双语解释等。

7、沪江小d桌面词典（http://dict.hjenglish.com/client/）
是沪江小d的离线工具，海量词汇，支持剪贴板取词。

三、在线翻译
再简单总结一下常用的在线翻译网站：

1、Google在线翻译：
谷歌的语言工具提供多种语言互译，同时还提供了全站翻译等，翻译还算比较准确。访问：http://www.google.cn/language_tools?hl=zh-CN

2、Yahoo!在线翻译
和谷歌相似，提供多种语言的全文翻译，翻译准确率较高。http://fanyi.cn.yahoo.com/

3、百度在线翻译
提供了比较简单的翻译功能，并可以使用Google的翻译工具。http://site.baidu.com/list/104fy.htm

4、爱词霸在线翻译
提供了金山快译的部分功能，同样提供多各语言的互译。每次最多可以翻译500字，不过翻译结果也是来自Google。网址：http://fy.iciba.com/

5、微软Windows Live翻译
这是软件专门用于提供翻译服务的网站，微软的翻译还是相当准确的，每次最多翻译500字，同时也提供网站全站翻译，支持多种语言。具体网址：http://www.windowslivetranslator.com/Default.aspx

6、华译网在线翻译
这是一家专业的翻译公司提供的在线翻译服务。http://www.readworld.com/

7、金桥翻译中心
这是比较老牌的线上翻译服务公司，提供免费服务，本科毕业的时候在上面翻译过论文。http://www.netat.net/

8、联通华建
曾经用过，所以还记得网址，大家不妨试试：http://www.165net.com/

9、国外的一个免费翻译网站freetranslation.com
也是以前用过的，网址也很好记，感觉这个的翻译结果还是比较令人满意的，翻译的时候你可以选择“人工翻译”和“自动翻译”，“人工翻译”是收费服务：http://www.freetranslation.com/

网上的英语免费资源工具资源应该还有很多，以上只是总结了本人使用过或者是比较熟悉的，希望大家多补充 :-)。

本文转载自Dudo

security specifications

2008-05-04T22:38:00.000-07:00

WS-Security
WS-SecurityPolicy
WS-Trust
WS-SecureConversation
WS-Federation
Extensible Access Control Markup Language (XACML)
Extensible Rights Markup Language (XrML)
XML Key Management (XKMS)
XML-Signature
XML-Encryption
Security Assertion Markup Language (SAML)
.NET Passport
Secure Sockets Layer (SSL)
WS-I Basic Security Profile

Web Services Standards Bodies and Communities

2008-05-04T21:36:00.001-07:00

Web Services Standards Bodies and Communities

Here are some Web Services standards bodies and communities that support Web Services implementation.

ebPML. http://www.ebpml.org/

OASIS. http://www.oasis-open.org/

W3C. http://www.w3.org/2002/ws/

WS-I. http://www.ws-i.org/

SOAP-Specific

Here is a list of SOAP-specific resources.

Apach SOAP. http://xml.apache.org

DevelopMentor. http://www.develop.com/soap/

SOAPClient. http://www.soapclient.com/

SOAPLite. http://www.soaplite.com/

SOAPWeblog. http://soap.weblogs.com/

UDDI-Specific

Some UDDI-specific resources. UDDI has some good technical white papers on best practices.

UDDI.org. http://www.uddi.org/ (Now under OASIS. Refer to http://www.oasis-open.org/committees/uddi-spec/)

jUDDI.org. http://www.juddi.org/

Web Services Security

There are an increasing number of Web Services security resources. More references can be found in the Web Services security chapter.

OASIS Web Services Security TC. http://www.oasis-open.org/committees/wss/

RSA. http://www.rsasecurity.com/

Web Services Security Forum. RSA. http://www.rsasecurity.com/

XML Trust Center. http://www.xmltrustcenter.org/index.htm

Miscellaneous

These URLs contain some other categories, including security (such as XML Trust Center) and Web Services developer tools (such as Eclipse).

BPEL4WS. http://www.ebpml.org/bpel4ws.htm

SOAP-WRC/James Snell. http://www.soap-wrc.com/webservices/

TechMetrix. http://www.techmetrix.com/trendmarkers/topics/tmktopic.php?topic=asp

Web Services Security Forum. http://www.xwss.org/index.jsp

XML Trust Center. http://www.xmltrustcenter.org/index.htm

Vendor-Specific Web Services Sites

2008-05-04T21:35:00.000-07:00

These are vendor-specific Web Services Web sites that provide technical white papers and product evaluation copies for download.

Avinon. http://www.avinon.com/products/overview.html

BEA. http://www.bea.com/products/index.shtml

bindsystems. http://www.bindsystems.com/products.htm

bowstreet. http://www.bowstreet.com/products/businesswebfactory/index.html

CapeClear. http://capescience.capeclear.com/index.php and http://www.capeclear.com/products/index.shtml

C# Station. http://www.csharp-station.com/

IBM. http://www-3.ibm.com/software/info1/websphere/index.jsp?tab=highlights and http://alphaworks.ibm.com/webservices

IONA. http://www.xmlbus.com/

Killdara. http://www.killdara.com/products/vitiris/vitirisIntroduction.pdf, http://www.killdara.com/products/vitiris/index.htm and http://www.killdara.com/products/products.htm

Microsoft. http://www.microsoft.com/net

Mind Electric. http://www.themindelectric.com/

Novell (Silverstream). http://www.silverstream.com/Website/app/en_US/ProductsLanding

Progress eXcelon. http://www.exln.com/products/

Sun Microsystems. http://wwws.sun.com/software/ and http://dcb.sun.com/practices/webservices/

Systinet. http://www.systinet.com/products/index.html

WestBridge. http://www.westbridgetech.com/resources.html

XML Global. http://www.xmlglobal.com/prod/index.jsp

Web Services Resources and References

2008-05-04T21:32:00.000-07:00

Web Services Portals

The following portals contain a variety of Web Services sites with news, technical articles, and white papers. They not only provide some technical resources, but also references to other Web Services links. They are good starters.

ebXML.org. http://www.ebxml.org/
LearnXMLWS. http://www.vbws.com/
O'Reilly XML.com. http://www.xml.com/
SOAPRPC. http://www.soaprpc.com/
Value-added Web Service Suppliers. http://www.vawss.org/
Web Services Architect. http://www.webservicesarchitect.com/resources.asp
WebServices.org. http://www.webservices.org/

Web Services News

The following Web sites contain many news and product updates related to Web Services. Some of them provide email alerts for subscription.

CBDiForm. http://www.cbdiforum.com/report.php3?topic_id=9

CFOInfo. http://team.cfoinfo.com/ (Original website is www.cfoinfo.com, Now has moved. Login user id=s2b, password=shaston)

ecademy. http://www.theecademy.com/node.php?id=318

I.T. Director. http://www.it-director.com/ts-section.php?section=17 (or select Web Services column)

I.T. Works. http://www.itworks.be/webservices/

OASIS. http://www.oasis-open.org/cover/sgmlnew.html

SearchWebServices. http://searchwebservices.techtarget.com/

TheServerSide. http://www.theserverside.com/home/index.jsp

The Stencil Group. http://www.stencilgroup.com/ideas_scope_wsindex.html

TopXML. http://www.topxml.com/

W3C. http://www.w3.org/2001/03/WSWS-popa/

XML Web Services Magazine. http://www.fawcette.com/xmlmag/

XMLHack. http://www.xmlhack.com/

Xmethods. http://www.xmethods.net/
XML.org. http://www.xml.org/xml/news_market.shtml

Development Platforms and Tools, Including Tutorials and Articles

These Web sites contain good online tutorials and technical articles, from technology overview to specific technical details. Some of them have sample codes for download.

Advisor. http://advisor.com/Articles.nsf/vTechLookup!OpenView&RestrictToCategory=Web%20Services

Eclipse. http://www.eclipse.org/

IBM Web Services (developerWorks). http://www-106.ibm.com/developerworks/webservices/

Microsoft Web Services. http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28000442

Sun Microsystems's Java™ Technology and Web Services. http://java.sun.com/webservices/

Sun ONE Studio™ (Forte). http://wwws.sun.com/software/sundev/index.html

Some Web Services Security Tools

2008-05-04T21:30:00.001-07:00

The following are some examples of useful Web Services security tools that are publicly available. These are not exhaustive, but they are fairly handy for understanding the new technology, evaluation, and Proof of Concept.

Titan (Security Hardening Tool). Titan is a fairly comprehensive platform-security assessment and hardening tool. You can download it from http://www.fish.com/titan/. To install it, uncompress the tar files, and run the installation script. The script "Titan" will scan the target host, and the script "TitanReport" will render the scanning analysis and recommendation.

VeriSign's Trust Services Integration Kit (XKMS). You can download TSIK version 1.1 from http://www.xmltrustcenter.org/developer/verisign/tsik/download.htm. There is a concise installation document. You need to add a few jar files (tsik.jar, xml_pilot_key.jar, xml_prod_key.jar, and xerces. jar) into the CLASSPATH in order to execute the sample programs or any home-grown programs.

IBM's XML Security Suite (XML-ENC, XML-DSIG, XACML). You can download the XML Security Suite (XSS4J) from http://alphaworks.ibm.com/tech/xmlsecuritysuite. You'll need to add some new jar files (xercesImpl.jar and xmlParserAPIs.jar from Xerces2 and xalan.jar and xml-apis.jar from Xalan2) to the CLASSPATH. The user interface for managing access rights control can be invoked by java com.ibm.xml.policy. tool.VisualTool.

Some Web Services Security Tools

2008-05-04T21:30:00.000-07:00

Web Services Deployment Platform

2008-05-04T21:21:00.000-07:00

SOAP Debugger. An example is XMLSpy, which is an XML editing utility with some SOAP debugging capability. You can download a trial copy from http://www.xmlspy.com.

Unit Testing. An example is jTest, which is a Java-based unit testing tool.

Stress/Load Testing. An example is Mercury Interactive's LoadRunner, which is an application stress test tool. Refer to http://www.mercuryinteractive.com for details.

Regression Testing. An example is Rationale Test Studio, which provides regression testing capability.

SOAP Testing/Performance Testing. Examples are Empirix's FirstAct (commercial product that simulates end-user SOAP client's testing; refer to http://www.empirix.com), PushtoTest (a SOAP testing utility; refer to http://www.pushtotest.com), and SOAPTest (a public utility for generating stress testing for SOAP clients; refer to http://www.parasoft.com/jsp/products/ home.jsp?product=SOAP).

Web Services Management/Network Services. These vendors provide routing of Web Services for different versioning and also network management tools for remote Web Services. Examples are http://www.flamenconetworks.com/ and http://www.talkingblocks.com/.

The Web Services Marketplace

2008-05-04T21:16:00.000-07:00

The Web Services Marketplace

1 Products

Vendor Product Categories

The vendor solutions in the Web Services marketplace can be described as follows:

Infrastructure

Application server
Middleware, such as JMS-enabled middleware
Edge server, such as cache (using XML database)
Registries, such as the UDDI or ebXML registry

Development Tools

Developer workbench that can wrap apps logic into a SOAP proxy, and publish it to UDDI
Automated testing tools, such as jTest

Web Services Tools

JMS-SOAP bindings, such as the JMS bridge
SDK, such as WSTK

Web Services Standards

Java, such as JAX, Web Services Developer Pack
C#
XML standards, such as SOAP, SOAP-SEC, XAML, SAML

Specialized Market

Porting .NET to Unix
Porting Java to Windows platform

Web Services Management

Metering Web Services calls performance and service level. This can also send alerts to administrators or system management tools based on user-defined business rules.
Security appliance, such as XML firewall for SOAP messages; appliance for SOAP message encryption and decryption.
Service versioning, such as mapping to different service end-point URLs based on the incoming SOAP request and user profile. This addresses many legacy systems or customized services that provide the same business functionality but exist in multiple versions and perhaps operate in different platforms.

Table 3-4 offers a sampler of the vendor products in the marketplace.

Table 3-4. A Sampler of Web Services Vendor Products
Category	Vendors	URIs
Application Servers	BEA	http://www.bea.com/products/index.shtml
	Sun ONE™	http://wwws.sun.com/software/products/appsrvr/home_appsrvr.html
	Novell IBM	http://www.silverstream.com/Website/app/en_US/ProductsLanding http://www-3.ibm.com/software/info1/websphere/index.jsp?tab=highlights
	Microsoft	http://www.microsoft.com/net
IDE/Development Environment	BEA	http://www.bea.com/products/index.shtml
	Sun ONE™	http://wwws.sun.com/software/products_categories/development_tools.html
	Novell	http://www.silverstream.com/Website/app/en_US/ProductsLanding
	IBM	http://www-3.ibm.com/software/info1/websphere/index.jsp?tab=highlights
	IONA	http://www.xmlbus.com/
	CapeClear	http://www.capeclear.com/products/index.shtml
	Bowstreet	http://www.bowstreet.com/products/businesswebfactory/index.html
	Avinon	http://www.avinon.com/products/overview.html
	Microsoft	http://www.microsoft.com/net
Service Registry	BEA	http://www.bea.com/products/index.shtml
	Sun ONE™	http://wwws.sun.com/software/product_categories/directory_servers_identity_mgmt.html
	Novell	http://www.silverstream.com/Website/app/en_US/ProductsLanding
	Systinet	http://www.systinet.com/products/index.html
	IBM	http://www-3.ibm.com/software/info1/websphere/index.jsp?tab=highlights
	The Mind Electric	http://www.themindelectric.com
	Microsoft	http://www.microsoft.com/net
Application Tools/Middleware	Sun ONE™	http://wwws.sun.com/software/product_categories/development_tools/html
	Bowstreet	http://www.bowstreet.com/products/businesswebfactory/index.html
	Systinet	http://www.systinet.com/products/index.html
	Novell	http://www.silverstream.com/Website/app/en_US/ProductsLanding
	XMLGlobal	http://www.xmlglobal.com/prod/index.jsp
	IBM	http://www-3.ibm.com/software/info1/websphere/index.jsp?tab=highlights
	Microsoft	http://www.microsoft.com/net
Process, Management, Methodology	Sun ONE™	http://wwws.sun.com/sofstware/products/message_queue/home_message_queue.html
	Bindsystems	http://www.bindsystems.com/products.htm
	Bowstreet	http://www.bowstreet.com/products/businesswebfactory/index.html http://www.silverstream.com/Website/app/en_US/ProductsLanding
	Novell IBM	http://www-3.ibm.com/software/info1/websphere/index.jsp?tab=highlights
	Microsoft	http://www.microsoft.com/net
.NET to Java Porting	Halcyon	http://www.halcyonsoft.com
.NET to Java Porting	Mono	http://www.go-mono.com/faq.html (Running .NET on Linux. This is still in the development stage. Currently, Mono provides a C# compiler on Linux, implements ADO.NET and ASP.NET. Please refer to the Mono status under http://www.go-mono.com/.
Java to .NET Porting	Microsoft	http://msdn.microsoft.com/visualj/jump/default.asp
Web Services Management	Amberpoint	http://www.amberpoint.com/
	Flamenco Networks	http://www.flamenconetwork.com/
	Talking Blocks	http://www.talkingblocks.com/
	Westbridge Technology	http://www.westbridgetech.com/

Vendor Products by Development Life Cycle

Table 3-5 shows some examples of vendor solutions that are available to meet different needs of the development life cycle.

Table 3-5. Marketplace for Different Development Life Cycle Stages
Development Life Cycle	Types of Development Tools	Examples of Vendors
Discovery	UDDI ebXML	Sun ONE™, IBM, BEA, The Mind Electric, Systinet, Novell (Silverstream), MicrosoftSun ONE™, XMLGlobal
Creation	Developer Workbench (IDE)	Sun ONE™ Studio, IBM, IONA, CapeClear, Bowstreet, Avinon, Microsoft
Transforming	JAX, XML, SQL Mapping	Sun (JAX), IBM (Xerces), XMLGlobal, Microsoft
Building	SOAP, WSDL	OSF (Apache), Sun ONE™ Studio, IBM, CapeClear, Bindsystems, The Mind Electric, Killdara, Microsoft
Deploying	Deploying tools	OSF (Apache ANT)
Testing	Local/remote testing	Jtest
Publishing	Publish to registries	Sun (JAXR), IBM (UDDI4J)

Some Publicly Available Development/Productivity Tools

Here are some development or productivity tools that can be downloaded as a free trial:

XMLSpy. For developing XML Schema, DTD, and validating XML well-formedness. The new version 4.2 also provides SOAP debugging.

The Java Web Services Developer Pack (JWSDP) from Sun Microsystems is a vendor-neutral Web Services Development Kit that avoids the need to purchase expensive Web Services packages. It provides basic tools but is not sufficient for serious or large-scale development. JWSDP provides:

Tomcat engine with ANT deployment tool
All-in-one JAR files—javamail, smtp, and so forth
JAX pack—JAXP, JAXM, JAXR, JAXB
UDDI browser and registry
Application deployment tool
Excellent tutorial book

How to Use JWSDP for Development

JWSDP can be used for proof of concept/prototyping, as a rudimentary development platform for road warriors, and for coding simple SOAP messages for integration testing. To best utilize JWSDP, you can run JWSDP on Linux, Solaris OE™, or Windows NT. You can run it with a SOAP server administration, or run it with Apache Cocoon for any-to-any delivery.

Something to Note. JWSDP has applied some special patches for JAR. There is also a version that is compatible with other stand-alone downloads of JAX Pack, Tomcat, or SOAP.

3.5.2 Selecting Your Web Services Tools

Selection Criteria

Here are some suggestions for selecting an appropriate Web Services tool for your IT shop:

General

Total cost of ownership
Reliability and support service of vendor (for example, financial stability, local support)
Standards compliance (for example, J2EE™, EJB™ 1.2, SOAP 1.2, WSDL 1.1)
Availability of technical documentation, such as examples, tutorial

Application Server Platform

Clustering features benchmarking—failover recovery time, any manual intervention
Logs—logging availability at different levels (for example, can it trace back different callers and intermediaries?)
Automated testing and deployment platform
Availability, of or integration with, other apps server analyzer tools (for example, thread performance analysis)

Web Services Development Platform

Automatic WSDL generation from IDE
IDE integration with other tools

Among these criteria, you may also look for:

SOAP 1.1/1.2 support; SOAP 1.2 has some considerable changes
Integration with J2EE™ application servers, and their positioning
Compatibility with other Web Services products, such as JMS bridge
Any proprietary features, such as Electric Server Page

3.5.3 Industry Development

There are three major Web Services development technologies in the industry:

ebXML. ebXML is a key technology supporting Web Services. It is backed by OASIS, CE/FACT, DISA, and many public communities. One motive driving these public communities is to use ebXML as an alternative for EDI-type transactions. ebXML uses SOAP 1.1 with Attachment as the transport and routing layer. It has much richer functionality and contents and is supported by business processes (such as BPSS) and better security.

SOAP. SOAP 1.0 used to be Microsoft NT-centric technology. IBM and other vendors have modified it to turn SOAP 1.1 into an open platform and submitted it to Apache Open Sources Foundation. SOAP 1.1 with Attachment is an extension to support object embedding with S/MIME, developed by HP and other vendors.

UDDI. UDDI is a business Service Registry that allows users to create, discover, and bind business services. IBM, Microsoft, and Ariba initially set up three different test UDDI sites. Recently, Ariba withdrew, but there is some discussion that HP will provide the UDDI test site on behalf of Ariba. SAP also now provides a public UDDI node.

Leading technology vendors such as IBM and Microsoft have large-scale initiatives in developing Web Services toolkits and White Papers. There are many Application Server and Middleware vendors developing components that support Web Services, including BEA Weblogic, webMethods, and TIBCO.

Many Web Services standard bodies have emerged since 2000. Among them, there are a few standard bodies (or related associations) that have large industry involvement:

OSF Apache. Open Source Foundation coordinates and distributes Web Services technology as public domain (http://www.apache.org)

UDDI.org. (now under OASIS) Standard body for promoting UDDI registry. It has recently transitioned to OASIS's management (http://www.uddi.org or http://www.oasis.open.org)

W3C. Worldwide Web Consortium that publishes and approves Internet-related standards (http://w3c.org)

Some examples of the supporting communities include:

OASIS. A community that supports ebXML standards and implementation (http://www.oasis-open.org/)

UN/CEFACT. Previously UN/EDIFACT, UN/CEFACT promotes EDI and also supports ebXML as the successor to EDI in collaboration with OASIS (http://www.ebxml.org/)

Open Application Group. A standards body that adopts the ebXML implementation (http://www.openapplications.org/)

DISA. A U.S. ANSI standard body that also adopts the ebXML implementation (http://www.disa.org/)

SOAP and ebXML

Web Services technology is intended to be platform- and vendor-neutral. It is expected that this technology be highly flexible for interoperability and integration. SOAP and ebXML standards are used for different reasons. This can be understood in the context of their underlying design principles and value proposition.

The initial design of SOAP does not cater to non-XML contents such as EDI transactions. SOAP 1.1 with Attachment is a major breakthrough; it uses MIME to embed binary objects. The original design principles behind SOAP also support non-HTTP transport, though it has not been implemented at all. The security design of SOAP is highly volatile and weak at this stage.

ebXML can be used to exchange XML contents (incorporating any XML document in the SOAP Body) and non-XML contents (embedding ANSI X12 transactions as attachments). The latter is the mechanism by which ebXML supports EDI documents. It now uses SOAP as the transport layer. ebXML differentiates from SOAP/UDDI by introducing business processes and JMS binding. It uses UML to model business processes. The business process and information models will help integrate with the business entities' back office applications. JMS binding provides a secure and reliable transport mechanism over HTTP.

Table 3-6 summarizes some facts about different Web Services technology thought leaders.

Table 3-6. Comparing Sun, Microsoft, and IBM Approaches
	Sun	Microsoft	IBM
Framework	Sun ONE™	.NET	IBM Web Services
Infrastructure	Open standards technology, e.g., J2EE™—Java™ and XML LDAP	.NET framework, including C#, VB, C++, VBScript, and JScript	WebSphere suite
Developer tools	Sun ONE™ Studio Sun ONE Integration Manager	Visual Studio.NET .NET framework SDK .NET enterprise servers	Web Services Toolkit Application Developer Studio Visual Age
Web Services dialects	Sun ONE™—Smart Web Services	Hailstorm (not available yet)	N/A
Discovery	UDDI ebXML	UDDI UpnP	UDDI
Security	WS-Security Liberty SAML	WS-Security	WS-Security
Business logic	J2EE™ ebXML WSCI	Biztalk BPEL4WS	J2EE™ ebXML BPEL4WS

Comparing Different Web Services Architecture

2008-05-04T21:14:00.000-07:00

Comparing Different Web Services Architecture
	Microsoft	Sun	IBM
Web Services standards support (SOAP 1.2, WSDL, UDDI)	Yes	Yes	Yes
Web Services architecture/framework	.NET	Sun ONE™	IBM Web Services
Comprehensive development environment and tools	.NET server .NET studio	Sun ONE™ Apps Server Sun ONE™ Integration Server Sun ONE™ Studio	WebSphere Application Server WebSphere Application Developer Studio
Expose EJB as Web Services	No (But can interoperate with other Web Services by exposing COM/COM+ objects through .NET interoperability.)	Yes	Yes
Synchronous (Sync) and Asynchronous (Async) message support	Sync—DCOM	Sync—JAXM, SAAJ Async—JAX-RPC	Sync—SAAJ Async—JAX-RPC
Methodology to design Web Services architecture	No	Yes—SunTone™, J2EE Patterns™	Partial—eBusiness patterns
When to Use	Wintel PC platform only PASSPORT/Active Directory already in use	Open platform and interoperability	WebSphere platform with proprietary extension

Metro Tooling - Netbeans, Eclipse, Ant, Maven...

2008-05-02T05:10:00.000-07:00

Metro - Glassfish Web Services stack comes with various tooling options. Here I provide the details details about the tooling options available for Metro.

Netbeans

Netbeans 5.5.1 comes with integrated Metro core (a.k.a JAX-WS RI) and a downloadable WSIT plugin. This allows you to develop web services solutions using easy to use GUI. NB 6 has integrated WSIT plugin.

More on Metro and Netbeans see:

Basic Web Services

Adding Quality of Service(WS-* and .NET 3.0 interop)

Eclipse

The instructions below are for Eclipse for JavaEE

Setup

This is onetime setup

After starting Eclipse, select the J2EE perspective: Windows>Open Perspective>Others>J2EE
In the lower window you should see a tab with label Servers. Select the tab and right click in the window and select new>Server.
To download the GlassFish server, select Download additional server adapters. Accept the license and wait for Eclipse to restart.
After Eclipse has restarted, you can create a new GlassFish V2 Java EE5 server.
In the creation dialog select Installed Runtimes and select the directory where your GlassFish installation resides.

How to create a Web service

To create the HelloWorld service, create a new dynamic Web project. Give it a name (e.g. helloworld) and select as target runtime GlassFish

In that project you can create the class HelloWorld

package sample;

import javax.jws.WebService;

@WebService
public class HelloWorld {
   public String hello(String param){
       return param + ", World";
   }
}

Deploy the service by selecting the project and select Run as>Run on server.
Check that in the server Window that helloworld project has status Synchronized. If this is not the case, right-click in the server window and select publish.
You can check that the GlassFish server is started and contains the Web service, by going to the admin console of GlassFish (localhost:4848)

See Arun's screen cast for the above steps.

Creating Web Service Client using Wsimport CLI

Create a new project for the HelloWorld client (an ordinary Java project suffices).
Select Add Glassfish v2 as Server Runtime in Build Path.

Right clieck->BuildPath->Add Library->ServerRuntime->Glassfish v2

Open a command window and go into the source directory of that project in Eclipse. For example, if the Eclipse workspace is in path c:\home\vivekp\workspace and the name of the project is echostringclient, then you need to go to c:\home\vivekp\workspace\helloworld\src. In this directory execute wsimport -keep http://localhost:8080/helloworld/HelloWorldService?wsdl. On Linux or with Cygwin on Windows, you need to escape the ? by using \? instead.
Select refresh in the project view to see the generated files.
Now you can create the client class HelloWorldClient
You can execute the client, by selecting the HelloWorldClient in the package explorer of Eclipse and selecting Run>Java Application. In the console window of Eclipse, you should see "Hello World".

Creating Web Service Client using Wsimport Ant Task

You can pretty much avoid steps 3 - 5 above by using an Ant build.xml file.

Select helloworldclient in Package Exp and create a new file build.xml
In this file (build.xml) copy the sample ant build script
Then select build.xml in the package explorer, then Right Click->Run As->Ant Build...
Invoke client target, it will run wsimport ant task and generate the client side stubs
Invoke run to invoke the endpoint and run the client or you can execute the client, by selecting the HelloWorldClient in the package explorer of Eclipse and selecting Run>Java Application. In the console window of Eclipse, you should see "Hello World".

Creating Web Service Client using SOAP UI Plugin

Inside Eclipse, install SOAP UI Plugin

Select "Help"/"Software Updates"/"Find and Install..."

Select the "Search for new features to install" option

Press the "New Remote Site" button and add http://www.soapui.org/eclipse/update/site.xml as the plugin URL

Select Finish and the follow the dialogs to install the soapUI feature

Create a new project for the HelloWorld client (an ordinary Java project suffices).
Select Add Glassfish v2 as Server Runtime in Build Path.

Right clieck->BuildPath->Add Library->ServerRuntime->Glassfish v2

Select the project and Right Click->Soap UI->Add SOAPUI Nature, SOAP UI WebService item will be added in Project Explorer
Select SOAP UI perspective

Right click on Projects->hellowworlclient->Add WSDL from URL, enter the deployed service URL: http://localhost:8080/helloworld/HelloWorldService?wsdl. This will import the wsdl and you will see HelloWorldPortBinding

Select HelloWorldPortBinding and Right Click->GenerateCode->JAX-WS Artifacts

Enter the appropriate info in the JAX-WS Artifacts window

Click Tools and enter the location of JAX-WS Wsimport, for example c:\glassfish\bin
Click OK
Then click Generate on JAX-WS Artifacts window, it will display dialog box the operation was successful. Switch back to Java Perspective, then refresh the src folder and you can see the wsimport generated classes

Now implement your client code

             
package sample;

public class HelloWorldClient {

   /**
    * @param args
    */
   public static void main(String[] args) {
       //Create Service
       HelloWorldService service = new HelloWorldService();

       //create proxy
       HelloWorld proxy = service.getHelloWorldPort();

       //invoke
       System.out.println(proxy.hello("hello"));
   }
}

You can execute the client, by selecting the HelloWorldClient in the package explorer of Eclipse and selecting Run>Java Application. In the console window of Eclipse, you should see "Hello World".

You can also use Wsimport and Wsgen Maven2 tools. For details see here.

Netbeans offers an easy to use a comprehensive Metro tooling choice. On Eclipse you can use SOAP UI or ant build script or CLI or even Mavem based tools, which does not look bad. There is RFE on Eclipse and looks like it is being looked at.

For the Quality Of Service features (WS-* features) it is little difficult as manually creating/modifying WSIT configuration is hard, so we need equivalent of WSIT Plugin in NetBeans for Eclipse. It will be great if anyone would like to do the WSIT plugin for Eclipse. Please let us know if you are willing to write a WSIT plugin for Eclipse.

Types of Web Applications

2008-05-02T03:14:00.000-07:00

Java Web-Frameworks

	Pro	Cons
JSF	Java EE Standard - lots of demand and jobs Fast and easy to develop with initially Lots of component libraries	Tag soup for JSPs Doesn't play well with REST or Security No single source for implementation
Spring MVC	Lifecyle for overriding binding, validation, etc. Integrates with many view options seamlessly: JSP/JSTL, Tiles, Velocity, FreeMarker, Excel, XSL, PDF Inversion of Control makes it easy to test	Configuration intensive - lots of XML Almost too flexible - no common parent Controller No built-in Ajax support
Stripes	No XML - Convention over Configuration Good documentation (easy to learn) Enthusiastic community	Small Community Not as actively developed as other projects Hard-coded URLs in ActionBeans
[Struts2]	Simple architecture - easy to extend Tag Library is easy to customize with FreeMarker or Velocity Controller-based or page-based navigation	Documentation is poorly organized Too much concentration on new features Googling results in Struts 1.x documentation
[Tapestry]	Very productive once you learn it Templates are HTML - great for designers Lots of innovation between releases	Documentation very conceptual, rather than pragmatic Steep learning curve Long release cycles - major upgrades every year
Wicket	Great for Java developers, not web developers Tight binding between pages and views Active community - support from the creators	HTML templates live next to Java code Need to have a good grasp of OO The Wicket Way - everything done in Java
Click	Really simple	Small Community
Seam	solves some JSF Problems like Bookmarking Groovy Support Integration with JPA and Hibernate (WebBeans)	Still JSF
ZK	Ajax Integration and Declarative Page Creation One single source of implementation, one Tree, one Grid etc Big Community, Fast Release Cycle	Licence Costs

(based on Raibles Design)

Types of Web Applications

There are tree types of web applications:

Consumer-facing, high-traffic, stateless applications:

Struts2
SpringMVC
Stripes

Internal, more desktop-like applications that are stateful:

JSF
Tapestry
Wicket

Media-rich applications that require a RIA framework like Flex

GWT
Flex
ZK

SOA Frameworks

2008-05-02T03:12:00.001-07:00

ESBs

Apache ServiceMix is a JSR-208, open-source ESB compliant with the Java Business Integration (JBI) specification. ServiceMix is a full ESB that can work with many different SOAP Stacks such as Axis, WSIF, XFire, ActiveSOAP and JAX-WS. ServiceMix also has full support for Routing, Transformation and Orchestration.
OpenESB implements an Enterprise Service Bus (ESB) runtime using Java Business Integration (JBI) as the foundation.
Mule is an open source ESB (Enterprise Service Bus) and integration platform with JBI Integration.
JBossESB

Webservice Frameworks

Apache CXF is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.
Axis2 is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.
Metro is a extensible, easy-to-use web service stack. It is a one-stop shop for all web service needs, from the simplest hello world web service to reliable, secured, and transacted web service that involves .NET services.

Tools

Apache Tuscany - a robust infrastructure that simplifies the development of SOA-based systems, including: Service Component Architecture (SCA), Service Data Object (SDO), and Data Access Service (DAS). Tuscany is not a ESB, but it's simplify the assembly of components of composite applications according to the SCA specification.
Apache Synpase - a robust, lightweight implementation of a highly scalable and distributed service mediation framework based on Web services specifications. Synapse is not a full ESB in the most common sense of the term.

WebServiceExternalSites

2008-05-02T02:46:00.001-07:00

External sites covering Web Services and XML

BEA Web Services Dev Center

IBM developerWorks Web Services corner

There are lots of interesting articles on Web Services here, many of which are Axis related. There is also a [ http://www-106.ibm.com/developerworks/webservices/library/ws-spec.html

listing] of "all current open standards and specifications that define the Web services family of protocols", though Soap with Attachments is mysteriously absent.

Macromedia Web Services Topic Center

MSDN Web Services

These are the microsoft pages; little Axis coverage but plenty on Web Service specifications.

Oracle XML Technology Center

PerfectXml.com

A great resource for XML and Web Services work. Includes links to book excerpts and tools.

Sun Java Technology and Web Services

XmlHack.com

Developer news from the XML community

Web Services Journal

WebServices.org

Web Services Industry Portal

WebServices.xml.com

The O'Reilly site is always up to date, interesting and useful. It doesn't advocate a single technology (REST, SOAP, RDF...), or a single product. As such, it retains its independence and value.

The XML FAQ

This is the list of Frequently-Asked Questions about the Extensible Markup Language (XML).

JavaOne Conference Bookstore - Best Sellers

2008-05-02T02:29:00.001-07:00

Here are the Top Ten Best Sellers for the bookstore for the week at this time

Rank	Title	Publisher
1	Java Concurrency in Practice ISBN: 0321349601	Addison Wesley
2	Core JavaServer Faces 2nd Edition* ISBN: 0131738860	Prentice Hall
3	Java Puzzlers ISBN: 032133678X	Addison Wesley
4	Effective Java Programming Language Guide ISBN: 0201310058	Addison Wesley
5	Rich Client Programming* ISBN: 0132354802	Prentice Hall
6	JBOSS Seam ISBN: 0131347969	Prentice Hall
7	SOA Using Java Web Services ISBN: 0130449687	Prentice Hall
8	Groovy in Action ISBN: 1932394842	Manning
9	RESTFul Web Services ISBN: 0596529260	O'Reilly
10	GWT in Action ISBN: 1933988231	Manning

* New SMI Press Title

SOA Books

2008-05-02T02:20:00.000-07:00

Web Services: Principles and Technology

SOA Using Java Web Services
http://soabook.com/
--SOA-J, AjaxTogether, SOAShopper,

SOA Principles of Service Design
http://www.soabooks.com/
http://www.soaspecs.com/
http://www.soasystems.com/
http://www.soamag.com/
--Covers crucial second-generation (WS-*) Web services standards: BPEL4WS, WS-Security, WS-Coordination, WS-Transaction, WS-Policy, WS-ReliableMessaging, and WS-Attachments

Service-Oriented Architecture: A Field Guide to Integrating XML and Web Services

Service-Oriented Architecture (SOA): Concepts, Technology, and Design
--A comprehensive study of SOA support in .NET and J2EE development and runtime platforms

Web Services Platform Architecture

Practical DWR 2 Projects

three popular frameworks to implement RESTful services

2008-05-02T02:17:00.001-07:00

Ruby on Rails, Restlet (for Java), and Django (for Python)

Sun Java Web Services Developer Pack (JWSDP) Related Books (Newest to Oldest)

2008-05-02T02:08:00.000-07:00

J2EE Platform Web Services by Ray Lai, Prentice Hall PTR, August 2003.
Java Web Services in a Nutshell by Kim Topley, Oreilly, June 2003.
Java Web Services For Experienced Programmers by Harvey M. Deitel & Paul J. Deitel, Prentice Hall, August 2002.
Developing Web Services with Java APIs for XML Using WSDP by Jay Foster & Mick Porter, Syngress, June 2002.

2008-05-02T02:06:00.001-07:00

到底什么是MSDN？MD5？SHA-1？

2008-04-16T07:48:00.000-07:00

让我们先来了解一些基本知识，了解hash。

Hash，一般翻译做“散列”，也有直接音译为"哈希"的，就是把任意长度的输入（又叫做预映射， pre-image），通过散列算法，变换成固定长度的输出，该输出就是散列值。这种转换是一种压缩映射，也就是，散列值的空间通常远小于输入的空间，不同的输入可能会散列成相同的输出，而不可能从散列值来唯一的确定输入值。

简单的说就是一种将任意长度的消息压缩到某一固定长度的消息摘要的函数。

HASH主要用于信息安全领域中加密算法，他把一些不同长度的信息转化成杂乱的128位的编码里,叫做HASH值. 也可以说，hash就是找到一种数据内容和数据存放地址之间的映射关系

了解了hash基本定义，就不能不提到一些著名的hash算法，MD5 和 SHA1 可以说是目前应用最广泛的Hash算法，而它们都是以 MD4 为基础设计的。那么他们都是什么意思呢？
这里简单说一下：

1) MD4
MD4(RFC 1320)是 MIT 的 Ronald L. Rivest 在 1990 年设计的，MD 是 Message Digest 的缩写。它适用在32位字长的处理器上用高速软件实现--它是基于 32 位操作数的位操作来实现的。

2) MD5
MD5(RFC 1321)是 Rivest 于1991年对MD4的改进版本。它对输入仍以512位分组，其输出是4个32位字的级联，与 MD4 相同。MD5比MD4来得复杂，并且速度较之要慢一点，但更安全，在抗分析和抗差分方面表现更好。
MD5是一种不可逆的加密算法，目前是最牢靠的加密算法之一，尚没有能够逆运算的程序被开发出来，它对应任何字符串都可以加密成一段唯一的固定长度的代码。
那么它有什么用呢？很简单，通过它可以判断原始值是否正确（是否被更改过）。一般用于密码的加密。而我们所提供的MD5校验码就是针对安装程序的唯一对应的一段代码。你可以使用任何MD5运算器对下载的文件进行运算，运算出来的结果如果完全符合我们提供的MD5校验码，那么说明你下载的这个程序没有被中途修改过。
　　这个特征码有如下特性，首先它不可逆，例如我有一段秘密的文字如："My Secret Words"，经算法变换后得到MD5码(b9944e9367d2e40dd1f0c4040d4daaf7)，把这个码告诉其他人，他们根据这个 MD5码是没有系统的方法可以知道你原来的文字是什么的。
　　其次，这个码具有高度的离散性，也就是说，原信息的一点点变化就会导致MD5的巨大变化，例如"ABC" MD5(902fbdd2b1df0c4f70b4a5d23525e932)和"ABC "（多了一空格）MD5(12c774468f981a9487c30773d8093561)差别非常大，而且之间没有任何关系，也就是说产生的MD5 码是不可预测的。
　　最后由于这个码有128位那么长，所以任意信息之间具有相同MD5码的可能性非常之低，通常被认为是不可能的。
　　所以一般认为MD5码可以唯一地代表原信息的特征，通常用于密码的加密存储，数字签名，文件完整性验证等。

3) SHA1 及其他
SHA1是由NIST NSA设计为同DSA一起使用的，它对长度小于264的输入，产生长度为160bit的散列值，因此抗穷举(brute-force)性更好。SHA-1 设计时基于和MD4相同原理,并且模仿了该算法。SHA-1是由美国标准技术局（NIST）颁布的国家标准，是一种应用最为广泛的hash函数算法，也是目前最先进的加密技术，被政府部门和私营业主用来处理敏感的信息。而SHA-1基于MD5，MD5又基于MD4。
论坛里提供的系统镜像文件的hash也就是微软官方提供的SHA-1值，下载后和此值对应，就说明你下载过程中文件没有被更改，属于原版。

什么是CRC
CRC的全称为Cyclic Redundancy Check，中文名称为循环冗余校验。它是一类重要的线性分组码，编码和解码方法简单，检错和纠错能力强，在通信领域广泛地用于实现差错控制。实际上，除数据通信外，CRC在其它很多领域也是大有用武之地的。例如我们读软盘上的文件，以及解压一个ZIP文件时，偶尔会碰到“Bad CRC”错误，由此它在数据存储方面的应用可略见一斑。

那么这些Hash算法到底有什么用呢？
Hash算法在信息安全方面的应用主要体现在以下的3个方面：

1) 文件校验
我们比较熟悉的校验算法有奇偶校验和CRC校验，这2种校验并没有抗数据篡改的能力，它们一定程度上能检测并纠正数据传输中的信道误码，但却不能防止对数据的恶意破坏。
MD5 Hash算法的"数字指纹"特性，使它成为目前应用最广泛的一种文件完整性校验和(Checksum)算法，不少Unix系统有提供计算md5 checksum的命令。
2) 数字签名
Hash 算法也是现代密码体系中的一个重要组成部分。由于非对称算法的运算速度较慢，所以在数字签名协议中，单向散列函数扮演了一个重要的角色。对 Hash 值，又称"数字摘要"进行数字签名，在统计上可以认为与对文件本身进行数字签名是等效的。而且这样的协议还有其他的优点。
3) 鉴权协议
如下的鉴权协议又被称作"挑战--认证模式：在传输信道是可被侦听，但不可被篡改的情况下，这是一种简单而安全的方法。

当然，hash函数并不是完全可靠，不同文件产生相同MD5和SHA1的几率还是有的，只是不高，在我们论坛里提供的系统光盘，你想对这么几个文件存在相同HASH的不同文件根本是不可能的。
论坛MSDN版块，提供的就是微软发布MSDN提供给程序员研究的Windows系统的镜像的HASH值——SHA-1，不提供MD5因为微软只提供了 SHA1。而论坛发布区发布的镜像是和这些值对应的镜像，你校验自己的镜像的HASH和MSDN信息区相应版本的SHA-1对应的上，说明你手中的光盘是微软通过MSDN发布的原盘。对不上还存在属于零售或通过销售渠道发布的镜像的可能。毕竟MSDN只是微软发布系统光盘的一个途径，MSDN只是给程序开发人员研究用的。
寻求原版的证实，对应SHA-1和MD5外，CRC的认证也是一个很重要的因素，CRC同样是校验文件的完整性，还有CDIMGE的封装版本。
微软出品的镜像都能通过CRC验证，当然也有人使用CRC自己进行制作可以得到通过CRC的镜像，那么这时候你需要对应镜像的SHA-1等了，所以，验证一个镜像的原盘可以通过对应多个数值来完成。

什么是MSDN
MSDN是Microsoft Software Developer Network的简称。这是微软的针对开发者的开发计划。你可以在http://msdn.microsoft.com看到有关软件开发的资料。在VC++ 6.0中包括MSDN Library的光盘，其中包括VC++的帮助文件和许多与开发相关的技术文献，学习VC++编程经常要搜索一下MSDN Library。MSDN Library每个季度更新一次，可以向微软订阅更新光盘。
所以MSDN资源不是匿名就可以访问并看的到的，需要订购的客户才能看到并下载。
MSDN订购可以标准、教育或批量价格，从你喜欢的软件分销商那里购买。

CPA CPS CPC CPM CPO PPC PPL PPS CPTM

2008-04-16T01:35:00.000-07:00

经常有人问CPA CPS CPC 什么意思啊?
加广告似乎有这些方式的啊
CPA (Cost-per-Action) ：每次行动的费用，即根据每个访问者对网络广告所采取的行动收费的定价模式。对于用户行动有特别的定义，包括形成一次交易、获得一个注册用户、或者对网络广告的一次点击等。
　　CPC (Cost-per-click)：每次点击的费用。根据广告被点击的次数收费。如关键词广告一般采用这种定价模式。
　　CPM（Cost per Thousand Impressions）：每千次印象费用。广告条每显示1000次（印象）的费用。CPM是最常用的网络广告定价模式之一。
　　CPO (Cost-per-Order) ：也称为Cost-per-Transaction，即根据每个订单/每次交易来收费的方式。
　　PPC（Pay-per-Click）：是根据点击广告或者电子邮件信息的用户数量来付费的一种网络广告定价模式。
　　PPL（Pay-per-Lead）：根据每次通过网络广告产生的引导付费的定价模式。例如，广告客户为访问者点击广告完成了在线表单而向广告服务商付费。这种模式常用于网络会员制营销模式中为联盟网站制定的佣金模式。
　　PPS（Pay-per-Sale）：根据网络广告所产生的直接销售数量而付费的一种定价模式。
　　CPTM (Cost per Targeted Thousand Impressions) ：经过定位的用户（如根据人口统计信息定位）的千次印象费用。CPTM与CPM的区别在于，CPM是所有用户的印象数，而CPTM只是经过定位的用户的印象数。

另外收集一篇
什么是CPA、CPC、CPS、CPL、CPM、CPO、PPC、PPL、CPTM？

在有关网络广告的术语中，经常会遇到CPA、CPC、CPM、CPO、PPC、PPL、CPTM等缩写字母，这些都是有关网络广告定价方式的缩写短语，下面是《网络营销基础与实践》第二版第6章“网络广告基础”中对这些概念的解释。

关于网络广告定价模式的一组常用术语：

CPA (Cost-per-Action) ：每次行动的费用，即根
据每个访问者对网络广告所采取的行动收费的定价模式。对于用户行动有特别的定义，包括形成一次交易、获得一个注册用户、或者对网络广告的一次点击等。

CPC (Cost-per-click)：每次点击的费用。根据广告被点击的次数收费。如关键词广告一般采用这种定价模式。

CPL(Cost for Per Lead)：按注册成功支付佣金。

CPM（Cost per Thousand Impressions）：每千次印象费用。广告条每显示1000次（印象）的费用。CPM是最常用的网络广告定价模式之一。

CPO (Cost-per-Order) ：也称为Cost-per-Transaction，即根据每个订单/每次交易来收费的方式。

CPS(Cost for Per Sale)：营销效果是指，销售额。

PPC（Pay-per-Click）：是根据点击广告或者电子邮件信息的用户数量来付费的一种网络广告定价模式。

PPL（Pay-per-Lead）：根据每次通过网络广告产生的引导付费的定价模式。例如，广告客户为访问者点击广告完成了在线表单而向广告服务商付费。这种模式常用于网络会员制营销模式中为联盟网站制定的佣金模式。

PPS（Pay-per-Sale）：根据网络广告所产生的直接销售数量而付费的一种定价模式。

CPTM (Cost per Targeted Thousand Impressions) ：经过定位的用户（如根据人口统计信息定位）的千次印象费用。CPTM与CPM的区别在于，CPM是所有用户的印象数，而CPTM只是经过定位的用户的印象数。

Performance Improvement in a J2EE Application

2008-04-04T01:14:00.000-07:00

Performance Improvement in a J2EE Application

http://dev2dev.bea.com.cn/techdoc/2004122805.html

Java is hot. Just nine years old, it has become one of the leading development environments in the world. Millions of programmers and thousands of companies use it, and half of all IT managers expect to deploy J2EE applications this year.

But Java's popularity hasn't necessarily made it easy for the growing population of Java code jockeys. Ever-shortening production cycles have kept the heat on programmers, who increasingly work in large teams to meet production milestones. And every day those teams come face-to-face with an immutable law of software development: the more code you write, the more bugs you'll get - bugs that cost time and sap quality and performance from applications.

This article looks at performance tuning and optimization of memory usage of a J2EE application. Our setup uses the BEA WebLogic Application Server. We will consider the following:

The problem domain
Tuning the Java Virtual Machine
HTTP session management
Tuning the application server
Coding standards: laying ground rules for the future

The Problem Domain
We have a J2EE application with the following setup:

BEA WebLogic 6.1 Service Pack 5 as application/Web server.
Some popular RDBMS. This has no effect on our discussion.
Model I Web Architecture.
Eight stateless EJBs and six stateful EJBs.
HTTP session holding references to stateful EJBs.
Database Connection Pool with initial size 2 and maximum size 10.
Around 120 servlets in the Web tier.
XML/XSLT-based architecture.

The Problems
There was a memory issue with the application. When the server was started, the memory usage was around 7-8% of the total physical memory available. As the days went by and the application went into wider use, the memory usage grew to nearly 49-53% (over a 7-10 day period).

If the users logged off from their session by clicking the "Log off" button in the left-hand side menu, the application removed all the stateful beans from the server, but if a user just closed the browser window it didn't remove those beans and stayed in the container until the application server was restarted. As this continued, the number of EJB instances in memory shot up to 400 and above.

When BEA WebLogic Server loads more than ~400 EJBs, the Hotspot VM throws an OutOfMemory Exception. This occurs even though there appears to be more memory available.

Tuning the Java Virtual Machine
The Hotspot Virtual Machine was throwing an OutOfMemory Exception while trying to allocate PermGeneration space. The Hotspot VM uses different sections of memory. The permanent generation section is used for storing classes, methods, and symbols used by running Java objects. The initial size of the permanent generation section is 1 MB and the maximum size was 32 MB prior to 1.3.1 and 64 MB.

To get around this, we can set up the permGeneration space through a JVM switch with the following command line:

java -server -XX:MaxPermSize=128M.

Note that increasing the max perm size only delays a failure. It's up to your application to properly clean the unused objects. Also, the XX options are not supported across all JVMs.

HTTP Session Management
When the user closes the browser without logging off from the session, the EJBs in the user's session will not be garbage collected. This is the primary reason for having too many EJBs in memory. To get around this, the HTTP session management has to look into all possible combinations. We can set up a default session time-out period in web.xml (Web application deployment descriptor) as follows:

With this setting, the user's session will be automatically deactivated after x minutes of inactivity.

The other way is to code the session management using the following code when creating HTTP session

HttpSession session=new HttpSession ();
session.setmaxinactiveinternal(int timeoutSeconds);

This code will invalidate the user's session of timeoutSeconds of inactivity.

Note: If you do both of these steps, the value in the servlet code will override the value set up in the web.xml.

The only difference between these two methods is that the second one takes seconds as the parameter while the tag value takes minutes as the argument. Normally, when the session is invalidated the logoff servlet/JSP will have code to remove references to all objects/object graphs referenced by the particular session. But when the user just closes the browser button there is no way our logoff servlet/JSP will be called. In this scenario, even though the session is invalidated, the enclosed objects/object graphs will still be there. When the garbage collector tries to garbage collect this session, it will also have to garbage collect all of these enclosed objects. When we have large objects (objects with larger references/data), we can also use the HTTPSessionListener interface to perform some clean-up action.

javax.servlet.http.HTTPSessionListener Interface
This interface declares the following two call-back methods:

Public void sessionCreated(HttpSessionEvent event);
Public void sessionDestroyed(HttpSessionEven event);

These methods are called before a session is created/destroyed.

We can have a listener class that implements this interface and use these callback methods to control how sessions are created/destroyed. We need to register our listener class in the web.xml as follows:

MySessionListener

The advantage of using listener class along with the session timeout parameter in the web.xml file is that we will have more control of session management. If the session has large objects, then before the garbage collecter cleans up the objects, its time slice may disappear. In this case, it needs to wait for the next slice to clean up the objects.

Note: It is important that we design the application so that there is a single entry point. We need to start a new HTTP session in this class. All the remaining pages should check for the existence of HTTP session and for an error page when the session is null (Session Expired). This enables centralized control of HTTP sessions.

Tuning the Application Server
BEA WebLogic offers a number of parameters that we can set to optimize the bean pool size, including setting the initial size of the stateless bean pool. Some of the features include:

Use the to set it to minimum possible value for stateless session beans: By default, the value is 1000. As stateless session beans can be shared between concurrent users, it is better to set this value to a very minimum. The correct value for this tag depends upon the concurrent users and peak load situation of the application.

Use the tag to set the maximum bean pool size for the stateful session beans: The default value for this has no limit. The value set for this tag greatly affects the activation/passivation mechanism of BEA WebLogic Server. The appropriate value for this tag depends on the application's traffic. When the number of beans in this pool has reached the threshold and a request for a new bean instance has come, the WebLogic Server will pick one or more beans for this pool for passivation. The algorithm for picking up the bean instance for passivation is either LRU (Least Recently Used) or NRU (Not Recently Used).

If max-beans-in-cache is reached and EJBs in the cache are not being used, WebLogic Server passivates some of those beans. This occurs even if the unused beans have not reached their idle-timeout-seconds limit. If max-beans-in-cache is reached and all EJBs in the cache are being used by clients, WebLogic Server throws a CacheFullException.

Use the tag to set the time the WebLogic Server will wait before passivating an idle stateful session bean instance: The WebLogic Server will wait for the same amount of time before removing the bean from the swap space. Care should be taken in setting this value because once the passivated instance is removed from the swap space, there is no way to retrieve the state of the bean again.

For example, consider the following setting:

1200

The idle bean instances will be passivated after 20 minutes of inactivity. After another 20 minutes, the bean instance will be removed from the disk also. Now let's say at the 41st minute the user has called a method on the bean instance. The BEA WebLogic Server will throw the error shown in Listing 1.

WebLogic 6.1 Service Pack 5 provides a useful tag to get around this. The tag is described as follows:

If we set the value for this we can control the time the passivated beans will be removed from the disk. We can use this tag and set it to a very value so that we will always have our stateful EJBs (either in memory or on the disk). This will completely eliminate the bean deleted error.

Using WebLogic Managed Servers
BEA WebLogic allows you to create one or more servers within a single domain. One server will be the admin server; all other servers will be managed servers in the sense that they are managed by the admin server. An application, when put into production, should not be deployed in the admin server. The advantage of using managed servers is that we can start and stop them from the admin console. Thus even if the server holding the application stops responding (for any reason), we still have a chance to restart the server from the admin console.

Coding Standards: Laying Down the Rules for the Future
Managing a production system is even more difficult when the environment in which the system will run has not been taken into account in the design phase. System re-engineering is a simple task when careful consideration of the environment, boundaries, and context of the application is taken care of during the design phase. Design is an abstract definition of execution path. Solutions will be more scalable when the development is done by taking into account every minute detail of the design. There will be no hard and fast rules for system development as this depends on the particular problem domain in hand. But, there are some axioms that always help.

Have a clear idea about supplementary classes like String and StringBuffer: Use the appropriate class in appropriate situations. For example, using String class to build a long SQL query is inefficient and overloads the JVM string pool.

Clean up legacy objects like Hashtable as soon as you're done with them.

Call remove() method on EJB references explicitly: This will release the bean instance to the bean pool and reduce the number of bean instances created by the container.

Manage database connections carefully: Have a close() method called on them as soon as you're done with it. Don't open the connection as a first line in the class. Open the connection only when you need it.

Understand the business requirements and the context in which your code executes before you write a single line of code.

To sum up... "Create Objects as late as possible and remove them as early as possible".

用Axis开发Web Service

2008-04-03T07:34:00.001-07:00

选择Axis的理由:
1. 开发速度快
2. 可移植性好，可在不同的application server, web container中运行
3. 成熟稳定，Axis是从Apache SOAP(IBM SOAP4J)发展过来的，Axis 1.0在2002年10月发布，Axis是许多商业app server的基础，如WebSphere。

开发WSDL
开发Web Service应该从设计WSDL入手。对于使用了复杂数据类型的web service，如果对手写xml schema不是很熟悉可以先编写web service的java接口定义和表示相关的参数、返回值类的类，然后再用Axis的Java2WSDL工具生成wsdl的草稿。
修改生成的 wsdl草稿要考虑合理选择binding的方式，WSDL规范定义了两种binding style：rpc和document，rpc意味着web service的客户端和服务端使用远程方法调用的约定进行通信，而使用document意味着客户端和服务端用xml文档进行通信。WSDL还规定了两种use：encoded和literal，literal意味着soap body中的xml是用相应的schema约束的；encoded意味着具体的soap message语义需要指定编码规则(通常是所谓的SOAP encoding，在SOAP规范的第五部分定义，又叫section 5 encoding)来解释。所以在wsdl中共有style/use的四种组合: rpc/encoded, rpc/literal, document/encoded, document/literal。第三种方式没有实际应用。另外，Microsoft提出了一种所谓的document/literal wrapped的方式，它用一个与operation同名的元素作为所有参数的"包装器"。document/literal wrapped方式解决了document/literal方式无法表达operation名称的缺点。
rpc/encoded(Axis默认的方式)可以表达的对象图、多态的数据，wsdl定义的抽象的SOAP数据模型依赖于具体的实现，这可能带来互操作性问题(如Axis的默认使用multi -ref表达soap响应)，所以rpc/encoded是WS-I BP1.0规范所禁用的方式。

关于如何合理地选择的style/use方式请参考developerworks上的
http://www-106.ibm.com/developerworks/webservices/library/ws-whichwsdl/

用Axis 的Java2WSDL工具生成wsdl可以使用Axis发布时自带的命令行工具或ant task。但两者配置繁琐，本文以maven-axis-plugin为例说明如何使用。maven-axis-plugin的java2wsdl可以根据java的interface或class生产相应的wsdl。
使用该插件前先要下载：
maven plugin:download -DartifactId=maven-axis-plugin -DgroupId=maven-plugins -Dversion=0.6-jus -Dmaven.repo.remote=http://ultra/maven/
然后，需要配置该插件，使用java2wsdl至少需要配置两种信息：一是namespace和package之间的映射关系，二是要暴露为web service的class或interface的名称(FQCN)，以及该class的对应的service的location(也就是通过什么url 可以访问到该web service)和namespace。
示例：
# axis java2wsdl plugin settings
maven.java2wsdl.namespaceMappings = http://www.ceservice.com.cn/ce/PAPS/exception=com.erry,
http://www.ceservice.com.cn/ce/PAPScom.erry.webservice,
http://www.ceservice.com.cn/ce/PAPS/datatype/baseinfo=com.erry.webservice.VO.baseinfo,
http://www.ceservice.com.cn/ce/PAPS/datatype/srvsht=com.erry.webservice.VO.srvsht
maven.axis.classnames = com.erry.webservice.ServiceSheetServiceSoapBindingImpl
com.erry.webservice.ServiceSheetServiceSoapBindingImpl = http://localhost/services/ServiceSheetService,http://www.ceservice.com.cn/ce/PAPS

namespace 和package之间的映射关系的用maven.java2wsdl.namespaceMappings属性表示，其值为逗号分隔的 namespace=package；maven.axis.classnames指定要暴露为web service的class或interface的名称，如果有多个用逗号分隔。每个class或interface还要指定location和 namespace(两者用逗号分隔)。
配置完，运行maven axis:java2wsdl即在target/axis/wsdl目录下产生与class同名(FQCN)，wsdl为后缀的文件。

用Axis开发Web Service客户端的步骤
编写完wsdl后，可以用Axis的wsdl2java生成web service的客户端，wsdl2java生成的客户端是stub方式的。它包括endpoint借口、实现该接口的stub、 serviceLocator、可选的单元测试代码。其中，serviceLocator中hard code了服务端地址。可以用spring的dependency injection将服务器地址放在spring bean配置文件中。

使用maven-axis-plugin生成client代码首先需要配置，主要涉及的信息有wsdl文档的位置(maven.axis.url)， namespace和package的映射(maven.wsdl2java.namespaceMappings)，是否生成单元测试 (maven.axis.testcase)。maven.wsdl2java.namespaceMappings的格式和 maven.java2wsdl.namespaceMappings一样。
示例：
maven.axis.url = ${maven.src.dir}/conf/srvshtservice.wsdl
maven.axis.testcase = true
maven.wsdl2java.namespaceMappings = http://www.ceservice.com.cn/ce/PAPS/exception=com.erry,
http://www.ceservice.com.cn/ce/PAPS=com.erry.webservice,
http://www.ceservice.com.cn/ce/PAPS/datatype/baseinfo=com.erry.webservice.VO.baseinfo,
http://www.ceservice.com.cn/ce/PAPS/datatype/srvsht=com.erry.webservice.VO.srvsht

配置完后运行maven axis:wsdl2java即在target/axis/src目录下产生endpoint interface，stub， serviceLocator和data type对应的Java Class。如果maven.axis.testcase为true，则还在target/axis/test目录下生成相应的单元测试代码。

用Axis开发Web Service服务器端的步骤
Axis 的wsdl2java工具除了客户端代码外还可以生成服务器端代码的框架和web service部署说明文件(wsdd)。Axis生成的默认wsdd基本上能够满足一般的要求了。其中需要修改的有：将multi-ref设成 false，这只要在globalConfiguration中增加；在service中加入元素指定wsdl文件，而不是让Axis在运行时刻生成。元素中的文件路径是相对于web app的WEB-INF/classes目录的。

和生成客户端代码类似，使用 maven-axis-plugin生成server端框架带和部署说明文件首先需要配置。配置的内容除了wsdl文档的位置，namespace和 package的映射外还需要指定deploy scope，maven.axis.serverside设为true表示生成服务端代码。
示例：
maven.axis.url = ${maven.src.dir}/conf/srvshtservice.wsdl
maven.axis.deployscope = application
maven.axis.serverside = true
maven.axis.testcase = true
maven.wsdl2java.namespaceMappings = http://www.ceservice.com.cn/ce/PAPS/exception=com.erry,
http://www.ceservice.com.cn/ce/PAPS=com.erry.webservice,
http://www.ceservice.com.cn/ce/PAPS/datatype/baseinfo=com.erry.webservice.VO.baseinfo,
http://www.ceservice.com.cn/ce/PAPS/datatype/srvsht=com.erry.webservice.VO.srvsht

配置完后运行maven axis:wsdl2java即在target/axis/src目录下产生endpoint interface，data type对应的Java Class，JSE框架代码，部署说明文件等。

Axis开发调试工具
Axis自带了一个名为tcpmon的工具用于截获SOAP消息。使用该工具可以看到完整的HTTP请求和响应。本文以maven-axis-plugin为例说明如何启动该工具。
配置
# axis tcpmon plugin settings
maven.axis.tcpmon.listen.port=90
maven.axis.tcpmon.destination.host=localhost
maven.axis.tcpmon.destination.port=80
第一行是tcpmon监听端口，web service的客户端应该向该端口发出请求，第二、三行是web service服务端所在的主机和端口
配置完，运行maven axis:tcpmon即出现tcpmon swing界面。此时，可以运行web service的客户端了。

Java Web Service的客户端实现

2008-04-03T07:32:00.000-07:00

Java Web Service的客户端实现有三种
1. 生成的stub
2. 动态代理
3. 动态调用接口
其中生成stub是最常用的。stub是用JAX-RPC编译器根据WSDL文档生成的，其主要功能是将对endpoint接口的方法调用转化为SOAP 消息，并且负责将返回的SOAP响应转换为方法的返回值，把SOAP fault转化为方法的异常。JAX-RPC编译器产生的stub除了要实现endpoint接口外，还需要实现或继承 javax.xml.rpc.Stub接口或其实现的子类(Axis中是org.apache.axis.client.Stub)。 javax.xml.rpc.Stub接口主要定义了和网络通讯和认证相关的属性的设置和获取的机制。
Java Web Service的客户端实现有三种
1. 生成的stub
2. 动态代理
3. 动态调用接口
其中生成stub是最常用的。stub是用JAX-RPC编译器根据WSDL文档生成的，其主要功能是将对endpoint接口的方法调用转化为SOAP 消息，并且负责将返回的SOAP响应转换为方法的返回值，把SOAP fault转化为方法的异常。JAX-RPC编译器产生的stub除了要实现endpoint接口外，还需要实现或继承 javax.xml.rpc.Stub接口或其实现的子类(Axis中是org.apache.axis.client.Stub)。 javax.xml.rpc.Stub接口主要定义了和网络通讯和认证相关的属性的设置和获取的机制。其代码如下：
package javax.xml.rpc;
import java.util.Iterator;

public interface Stub {

// Standard property: The Web service's Internet address.
public static String ENDPOINT_ADDRESS_PROPERTY;
// Standard property: Password for authentication.
public static String PASSWORD_PROPERTY;
// Standard property: User name for authentication.
public static String USERNAME_PROPERTY;
// Standard property: Boolean flag for maintaining an HTTP session.
public static String SESSION_MAINTAIN_PROPERTY;

// Given a property name, get its value.
public Object _getProperty(java.lang.String name);
// Get the names of all the properties the stub supports.
public Iterator _getPropertyNames();
// Configure a property on the stub.
public void _setProperty(java.lang.String name, java.lang.Object value);
}

JAX -RPC编译器产生还可以产生一个和WSDL中service元素对应的Service接口，该接口组合了多个port，也就是多个Stub。该接口继承了javax.xml.rpc.Service。在J2EE环境中Service接口通常通过JNDI lookup得到。
在J2EE中使用生成的stub的典型用例如下:
代码：
package com.jwsbook.jaxrpc;
import javax.servlet.http.*;
import javax.servlet.*;
import javax.naming.InitialContext;

public class BookQuoteServlet_1 extends javax.servlet.http.HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException,java.io.IOException {
try{
String isbn = req.getParameter("isbn");

InitialContext jndiContext = new InitialContext();

BookQuoteService service = (BookQuoteService)
jndiContext.lookup("java:comp/env/service/BookQuoteService");

BookQuote bookQuote = service.getBookQuotePort();

float price = bookQuote.getBookPrice( isbn );

java.io.Writer outStream = resp.getWriter();
outStream.write("The wholesale price for ISBN:"+isbn+
" = "+price+"");
}catch(javax.naming.NamingException ne){
throw new ServletException(ne);
}catch(javax.xml.rpc.ServiceException se){
throw new ServletException(se);
}
}
部署说明文件：

service/BookQuoteService
com.jwsbook.jaxrpc.BookQuoteService
BookQuote.wsdl
mh:BookQuoteService

一般都是通过JNDI查询到相应的Service接口，然后从Service接口中得到stub，最后调用web service的方法。部署文件中申明了名为"service/BookQuoteService"的Service接口，在代码里获取该接口的代码是 jndiContext.lookup("java:comp/env/service/BookQuoteService")，前缀"java: comp/env/"是所有J2EE资源在JNDI树种的parent Context。

在非J2EE环境中实现web service客户端
在非J2EE环境中也可以实现web service客户端，这时需要用到javax.xml.rpc.ServiceFactory(或其子类，在axis中是 org.apache.axis.client.ServiceFactory)的静态方法loadService得到service接口。接下来的调用代码和J2EE中的类似。

动态代理调用
动态代理调用是Java web service的另一种方式。对于使用该方式的客户端代码，和生成stub的方式相比较，其变化不是很大。它和生成stub的方式主要区别在于前者在编译时刻产生service接口和stub，后者则将这部分工作延迟到运行时刻。
动态代理调用的典型代码和部署说明文件：
package com.jwsbook.jaxrpc;
import javax.naming.InitialContext;

public class JaxRpcExample_2 {
public static void main(String [] args) throws Exception{
String isbn = args[0];

InitialContext jndiContext = new InitialContext();

javax.xml.rpc.Service service = (javax.xml.rpc.Service)
jndiContext.lookup("java:comp/env/service/Service");

BookQuote BookQuote_proxy = (BookQuote)
service.getPort(BookQuote.class);

float price = BookQuote_proxy.getBookPrice( isbn );

System.out.println("The price is = "+price);
}
}

service/Service
javax.xml.rpc.Service
BookQuote.wsdl
mh:BookQuoteService

由于不需要在编译时刻产生service接口和stub，用JNDI lookup和部署说明时只使用了javax.xml.rpc.Service。得到service接口后通过getPort方法可以取得动态代理的 stub。getPort有两种版本，getPort(java.lang.Class endpointInterface)和getPort(javax.xml.namespace.QName portName,java.lang.Class endpointInterface)，通常当WSDL中一个PortType有一种以上的绑定时，如果需要得到某个绑定的port接口就使用后者，否者使用前者。QName是该绑定的完全限定名称，有命名空间加上局部名构成。对应的QName对象的构造方法有构造函数法和静态valueOf法，实例如下：
// Use constructor method
QName portName =
new QName("http://www.Monson-Haefel/jwsbook/BookQuote",
"BookQuoteLiteralPort");

// Use static valueOf() method
String s = "{http://www.Monson-Haefel/jwsbook/BookQuote}BookQuoteLiteralPort";
QName qname2 = QName.valueOf(s);
valueOf方法接受的String参数以"{namespace}localName"的模式构成。
PortType有一种以上的绑定时还需要在JAX-RPC Mapping 文件中说明不指定QName版本的getPort方法对应的port绑定。示例：

xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:mh="http://www.Monson-Haefel.com/jwsbook/BookQuote"...>
...

com.jwsbook.jaxrpc.BookQuote

mh:BookQuote
mh:BookQuote_LiteralBinding
...

使用QName的动态代理调用实例：
package com.jwsbook.jaxrpc;
import javax.naming.InitialContext;
import javax.xml.namespace.QName;

public class JaxRpcExample_3 {
public static void main(String [] args) throws Exception{
String isbn = args[0];

InitialContext jndiContext = new InitialContext();

javax.xml.rpc.Service service = (javax.xml.rpc.Service)
jndiContext.lookup("java:comp/env/service/Service");

QName portName =
new QName("http://www.Monson-Haefel/jwsbook/BookQuote",
"BookQuoteLiteralPort");

BookQuote BookQuote_proxy = (BookQuote)
service.getPort(portName, BookQuote.class);

float price = BookQuote_proxy.getBookPrice( isbn );

System.out.println("The price is = "+price);
}
}
动态代理的底层实现是用java的反射机制和java.lang.reflect.Proxy完成的。

动态调用接口(DII)

动态调用接口的通常使用顺序：
1. 获得一个通用的service接口，比如通过JNDI lookup
2. 构造代表WSDL中port和operation的QName对象，作为service接口的createCall方法的参数，得到Call对象。
3. 准备operation所需的参数，如果是原子类型则需要将其包装成相应的对象类型。视operation是否有返回值调用invoke或invokeOneWay方法。
4. 如果operation定义了INOUT,OUT参数，则在invoke后调用getOutputValues，比如：java.util.List outputParams = call.getOutputValues();
完整的代码示例：
package com.jwsbook.jaxrpc;
import javax.naming.InitialContext;
import javax.xml.rpc.Service;
import javax.xml.rpc.Call;
import javax.xml.namespace.QName;

public class JaxRpcExample_4 {
public static void main(String [] args) throws Exception{
String isbn = args[0];

InitialContext jndiContext = new InitialContext();

javax.xml.rpc.Service service = (javax.xml.rpc.Service)
jndiContext.lookup("java:comp/env/service/Service");

QName portName =
new QName("http://www.Monson-Haefel.com/jwsbook/BookQuote",
"BookQuotePort");
QName operationName =
new QName("http://www.Monson-Haefel.com/jwsbook/BookQuote",
"getBookPrice");

Call call = service.createCall(portName,operationName);

Object [] inputParams = new Object[]{isbn};

Float price = (Float)call.invoke(inputParams);

System.out.println("The price is = "+price.floatValue());
}
}

WS-Federation：活动请求方概要

2008-04-02T08:26:00.001-07:00

WS-Federation：活动请求方概要

发布日期： 4/26/2004 | 更新日期： 4/26/2004

版本 1.0

2003 年 7 月 8 日

作者

Siddharth Bajaj，VeriSign

Giovanni Della-Libera，Microsoft

Brendan Dixon，Microsoft

Maryann Hondo，IBM

Matt Hur，Microsoft

Chris Kaler (Editor)，Microsoft

Hal Lockhart，BEA

Hiroshi Maruyama，IBM

Anthony Nadalin (Editor)，IBM

Nataraj Nagaratnam，IBM

Andrew Nash，RSA Security

Hemma Prafullchandra，VeriSign

John Shewchuk，Microsoft

本页内容

	1. 引言
	1.1. 目标和需求
	1.1.1 需求
	1.1.2. 非目标
	1.2. 标记约定
	1.3. 命名空间
	1.4. 术语
	2. 模型
	3.1. 单一登录
	3.2. 注销
	3.3. 属性
	3.4. 假名 (Pseudonym)
	4. 语法
	4.1. 请求安全性令牌
	4.2. 返回安全性令牌
	4.3. 注销语法
	4.4. 属性请求
	4.5. 假名请求
	5. 详解示例
	6. 其他示例
	6.1. 无资源 STS
	6.2. 第三方 STS
	6.3. 委派的资源访问
	7. 安全性令牌
	7.1. X.509v3
	7.2. Kerberos
	7.3. XrML
	7.4. SAML
	9. 安全考虑事项
	10. 致谢
	11. 参考资料

如果您在 WS-Federation：活动请求方规范的完整副本或您制作的部分副本中包含了以下内容，IBM、Microsoft、BEA Systems, Inc.、RSA Security, Inc. 和 VeriSign, Inc.（统称为“作者”）将据此授予您以任何媒介形式复制和公开 WS-Federation：活动请求方规范的权限，且不需要任何费用或特许权使用费：

•	指向此处规范的链接或 URL
•	WS-Federation：活动请求方规范中所注明的版权声明。

除了以上授予的版权许可证以外，作者没有明示或暗示地授予任何知识产权（包括他们拥有或控制的专利）的许可证。

WS -Federation：活动请求方规范是“按原件”提供的，作者不作以下任何明示或暗示的陈述或担保：包括（但不限于）对适销性、特殊用途的适用性、无侵权或所有权的担保；及担保 WS-Federation：活动请求方规范内容适用于任何用途，且这些内容的实施将不会侵犯任何第三方的专利、版权、商标或其他权利。

作者将不对由于任何使用或分发 WS-Federation：活动请求方规范产生的（或与之相关的）任何直接、间接、特殊、偶然或必然的损失负责。

WS-Federation：活动请求方规范在最终发布以前可能会发生变化，因此用户在使用此规范的内容时必须注意。

没有以暗示、禁止反言或其他方式授予其他权利。

摘要

此规范定义了活动请求方（如支持 SOAP 的应用程序）如何使用 WS-Federation 中定义的交叉信任领域身份、身份验证和授权联合机制。

模块结构

通过使用 XML、SOAP 和 WSDL 可扩展模型，各种 WS* 规范旨在通过互相组合来提供丰富的 Web 服务环境。WS-Federation：活动请求方自身不为 Web 服务提供完整的安全解决方案。WS-Federation：活动请求方是一个用于与其他 Web 服务和应用程序特定的协议结合使用的构造块，以适应各种各样的安全模型。

状态

此 WS-Federation 活动请求方规范是最初公开的草拟版，仅作为查看和评估用。BEA、IBM、Microsoft、RSA Security 和 VeriSign 希望在不远的将来能征求您的稿件和建议。BEA、IBM、Microsoft、RSA Security 和 VeriSign 不以任何方式做出关于此规范的担保或陈述。

1. 引言

WS-Federation 规范定义了一种联合不同信任领域间的身份、身份验证和授权的集成模型。该规范定义了如何将联合模型应用于活动请求方（如 SOAP 应用程序）。

返回页首

1.1. 目标和需求

此规范的主要目标是定义对那些应用于活动请求方的身份、身份验证和授权信息进行联合的机制。

返回页首

1.1.1 需求

以下列表指出了此规范的关键实施要求：

•	在活动请求方之间支持身份、身份验证和授权数据的共享
•	代理活动请求方环境中的信任和安全性令牌交换
•	活动请求方环境中身份信息和其他属性的可选隐藏或保护

返回页首

1.1.2. 非目标

以下主题则不属本文档讨论的范围：

•	消息安全性或信任建立/验证协议的定义
•	新安全性令牌格式的规范

返回页首

1.2. 标记约定

本文档中的关键字“必须 (MUST)”、“绝不可以 (MUST NOT)”、“必需的 (REQUIRED)”、“将 (SHALL)”、“将不 (SHALL NOT)”、“应该 (SHOULD)”、“不应该 (SHOULD NOT)”、“推荐的 (RECOMMENDED)”、“可以 (MAY)”和“可选的 (OPTIONAL)”将按 RFC 2119 中说明的进行解释。

当描述抽象数据模型时，此规范使用 XML 信息集中使用的标记约定。具体来说，抽象属性名称始终出现在方括号中（如 [some property]）。

当描述具体的 XML 架构时，此规范使用 WS-Security 的标记约定。具体来说，元素的 [children] 或 [attributes] 属性的每个成员都是使用类似于 XPath 的标记（如 /x:MyHeader/x:SomeProperty/@value1）描述的。使用 {any} 说明存在元素通配符 ()。使用 @{any} 说明存在属性通配符 ()。

返回页首

1.3. 命名空间

本文档使用到以下命名空间：

前缀	命名空间
S	http://www.w3.org/2002/06/soap-envelope
wsse	http://schemas.xmlsoap.org/ws/2003/07/secext
wsu	http://schemas.xmlsoap.org/ws/2002/07/utility
wp	http://schemas.xmlsoap.org/ws/2002/12/policy

返回页首

1.4. 术语

以下定义概述了本规范中的术语及用法。

活动请求方 －联合中的活动请求方是一个能发出（并接收）如 WS-Security 和 WS-Trust 中描述的 SOAP 消息的应用程序（可能是一个 Web 浏览器）。

声明 (Claim) －声明是实体所作的声明（如名称、标识、关键字、组、权限、功能、属性等）。

安全性令牌 (Security Token) － 安全性令牌 表示声明的集合。

已签名安全性令牌 (Signed Security Token) – 已签名安全性令牌 是由特定的权威机构断言并加密签名的安全性令牌（如 X.509 证书或 Kerberos 票证）。

所有权证明令牌 (Proof-of-Possession Token) － 所有权证明令牌 是一种包含发送方用来证明所有权证明数据的安全性令牌。一般情况下（但不是专有的），所有权证明信息是经过使用只有发送方和接收方才知道的密钥加密过的。

摘要 (Digest) – 摘要是八进制流的加密校验和。

签名 (Signature) －签名是一个以某种方式使用加密算法计算并绑定到数据的值，且该数据的预期接收者可以使用此签名来验证数据在签名者签署它以后没有被修改。

安全性令牌服务 (STS) － 安全性令牌服务 是一种颁发安全性令牌的 Web 服务（请参看 WS-Security 和 WS-Trust）。也即 STS 基于证据对信任该 STS 的实体做出声明。若要传递信任，服务就需要证据，如某个安全性令牌或安全性令牌组，并且使用它自己的信任声明颁发一个安全性令牌（需要注意的是，对于某些安全性令牌格式，这可能只需对原始令牌进行重颁发或共同签名）。这也形成了信任代理的基础。

信任 (Trust) －信任是一个实体希望依赖于第二方实体以预期的方式执行一组操作和/或对一组主题和/或范围做出一组断言的特性。

信任域/领域 (Trust Domain/Realm) － 信任域/领域是一个安全性空间，其中的请求目标能够判断来自某个源的特定凭据集是否满足该目标的相关安全性策略。目标可以遵从对第三方的信任，这样，就可以将受信任的第三方包括到信任领域 (Trust Realm) 中。

直接信任 (Direct Trust) － 直接信任 是当依赖方将由请求方发送的令牌中的所有声明（或一些声明子集）作为 true 接受时的信任方式。

直接代理信任 (Direct Brokered Trust) － 直接代理信任 是当一方在信任第二方，第二方依次信任或担保第三方时的信任方式。

间接代理信任 (Indirect Brokered Trust) － 间接代理信任 是直接代理信任的变体，第二方与第三方（或其他方）在其中进行协商，用于评估对第三方的信任的信任方式。

签名验证 (Signature validation) － 签名验证 是验证接收的消息与发送的消息是否相同的过程。

发送方身份验证 (Sender Authentication) － 发送方身份验证 是 Web 服务主角/角色之间的加强的身份验证，以指示 Web 服务消息（及其相关数据）的发送方。需要注意的是，如果存在身份验证的中介体，消息可能会有多个发送方。还要注意的是，如何判断谁是消息的第一创建人是依应用程序而定的（且不属本文范围），因为消息发信方可能独立于或隐藏在身份验证发送方的后面。

领域或域 (Realm or Domain) －领域或域表示安全性管理或信任的单个单元。

联合 (Federation) －联合是由领域集合（至少两个）建立的受信任关系。信任的级别可能会变化，但通常包括身份验证，并可能包括授权。

标识提供商 (Identity Provider) － 标识提供商 是一个担当针对终端请求方的对等实体身份验证服务，以及针对服务提供商的数据源身份验证服务（一般是安全性令牌服务的扩展）的实体。

单一登录 (SSO) － 单一登录 是身份验证序列的优化，用以去除终端请求方面临的重复操作的负担。为了方便 SSO，被称作标识提供商 (Identity Provider) 的元素可以代表请求方担当一个代理，以向请求关于此请求方信息的第三方提供身份验证活动的证据。这些标识提供商是受信任的第三方，并且需要得到请求方（以维护请求方身份信息，因为这些信息丢失可能会导致请求方身份的泄露）和 Web 服务双方的信任，Web 服务可能基于 IP 提供的身份信息的完整性授予对宝贵资源和信息的访问权限。

标识映射 (Identity Mapping) － 标识映射 是一种创建身份属性之间关系的方法。一些标识提供商可能会利用 id 映像。

注销－注销是主体表明它们将不再使用其令牌且领域中的服务可能破坏此主体令牌缓存的过程。

返回页首

2. 模型

WS-Federation 规范定义了一个模型和消息集合，用于在不同信任领域间代理信任并联合身份和身份验证信息。本章描述了如何将该模型应用于活动请求方（如 Web 服务请求方）。

WS-Federation 中描述的联合模型构建于 WS-Security 和 WS-Trust 建立的基础之上。因此，此概要定义了在活动请求方上下文内请求、交换及颁发安全性令牌的机制。

此规范中定义的模型允许支持不同（但兼容）的消息交换。例如，资源可以担当它自己的安全性令牌服务 (STS)，而并不使用一个单独的服务（或甚至 URI），从而减少一些步骤。后续的概要有望定义成具有特定交换模式的特性。

返回页首

3.1. 单一登录

因为活动请求方 能够发出它们自己的消息，所以它们可以利用 WS-Security、WS-Trust 和 WS-Federation 内定义的机制。

在高层次上，策略可以用来表明通信需求。请求方可以提前或通过错误响应从服务中获取策略。一般来说，在请求方对自身进行身份验证时，系统要求它们从其标识提供商（或 STS）处获得安全性令牌（或令牌）。IP/STS 通过联合方生成一个供使用的安全性令牌。该过程是通过使用 WS-Trust 中定义的机制来完成的。有些情况下，目标服务担当它自己的 IP/STS，这使得无需与其他服务进行通信。否则，请求方可能需要从服务特定的或服务所需的标识提供商或安全性令牌服务处获得其他的安全性令牌。下图说明了一种可能的流程。

然而，以上示例并没有说明这点，即用于安全性令牌的 WS-Trust 消息可能包括对请求方的质询。有关其他信息，请参考 WS-Trust。

返回页首

3.2. 注销

就像针对某个活动请求方登录不具代表性一样，它对注销也不具代表性。然而，对于那些需要注销的情况而言，则“可以”使用 WS-Federation 中定义的注销消息。

在需要联合注销消息的情况中，请求方的 IP/STS“应该”保持对其颁发令牌领域 — 特别是这些领域的 IP/STS（或资源，如果不同）的跟踪。当在请求方的 IP/STS 上接收注销时，此请求方的 IP/STS 就负责向有关方和授权方发出联合注销消息。发生此操作采用的确切机制取决于 IP/STS，但强烈“建议”使用 WS-Federation 中定义的注销消息。

当在某个领域中接收到联合的注销消息时，该领域“应该”清除所有的缓冲信息，并删除下图中说明的所有相关状态：

返回页首

3.3. 属性

对于活动请求方，属性服务是通过 WS-Federation 中描述的 WS-Policy 进行标识的。Web 服务和其他授权方可以使用由特定属性服务定义的消息获得或者甚至更新属性。

下图说明了一个由请求方向 Web 服务发出请求的情况。请求可能包括请求方的策略，或者可能已被缓存在服务中，或者请求方可能使用 WS-PolicyExchange。Web 服务向请求方的属性服务发出请求，以获得一些属性的值，WS-Policy 可以用来描述属性服务的位置。该服务被授权，属性即被返回。请求得到处理，并向请求方返回响应。

返回页首

3.4. 假名 (Pseudonym)

对于活动请求方而言，假名服务是通过 WS-Federation 中描述的 WS-Policy 来标识的。服务和其他授权方可以使用 WS-Federation 中定义的消息来获取或管理假名。

下图说明了请求方向某个 Web 服务发出请求的情况。该请求可能包括请求方的策略和请求方假名服务的位置，或它可能已被缓存在 Web 服务中。Web 服务向请求方的假名服务发出请求，以获取由安全性令牌授权的假名。授权此 Web 服务，假名即被返回。请求得到处理，并向请求方返回响应。

如 WS-Federation 中所描述的，假名和 IP/STS 可以作为令牌颁发过程的一部分进行交互。下图说明了一种情况，其中，请求方先前已针对特定的领域关联了一个假名和安全性令牌。当请求方请求一个该域/领域的安全性令牌时，系统就获得其假名和令牌，并返回给请求方。请求方就使用这些安全性令牌来访问 Web 服务。

返回页首

4. 语法

此部分定义了以上模型中描述的联合机制的语法。

返回页首

4.1. 请求安全性令牌

安全性令牌是使用 WS-Trust 规范中定义的消息进行请求的。

返回页首

4.2. 返回安全性令牌

安全性令牌是使用 WS-Trust 规范中定义的消息进行返回的。

返回页首

4.3. 注销语法

显式的注销通知是使用 WS-Federation 规范中定义的消息执行的。

同样地，联合的注销消息使用相同的消息元素。

返回页首

4.4. 属性请求

属性是使用 WS-Federation 规范所描述的属性服务所特有的消息来进行请求和更新的。此规范并不强制使用特定的属性存储技术。

返回页首

4.5. 假名请求

假名是使用 WS-Federation 规范中描述的消息和机制来进行请求和更新的。

返回页首

5. 详解示例

此部分提供了一个本规范中定义的协议的详解示例。确切流程可能会有很大不同；但是，以下图表和说明描述了一个通用的事件序列。

在此情况中，活动请求方试图访问一个要求安全性身份验证要经过资源的安全性令牌服务进行验证的服务。

步骤 1：获取策略

如果请求方还没有服务策略，就可使用 WS-MetadataExchange 中定义的机制获取该策略。

步骤 2：返回策略

请求的策略是使用 WS-MetadataExchange 中定义的机制返回的。

步骤 3：请求安全性令牌

请求方使用 WS-Trust () 中定义的机制从它的 IP/STS 请求一个安全性令牌（假定是短期的安全性令牌）。

步骤 4：颁发安全性令牌

IP/STS 使用 WS-Trust（和）中定义的机制返回一个安全性令牌（以及可选的所有权证明信息）。

步骤 5：请求安全性令牌

请求方使用 WS-Trust () 中定义的机制从用于目标 Web 服务的 Web 服务 IP/STS 请求安全性令牌。需要注意的是，这是通过策略或某个带外机制决定的。

步骤 6：颁发安全性令牌

Web 服务的 IP/STS 使用 WS-Trust () 中定义的机制返回一个令牌（以及可选的所有权证明信息）。

步骤 7：发送安全的请求

请求方使用 WS-Security 中描述的颁发令牌向附加并保护此消息的服务发送请求。

步骤 8：返回结果

服务使用它的安全性令牌发出一个安全回复。

返回页首

6. 其他示例

本部分描述了其他活动请求方情况的交互式图表。

返回页首

6.1. 无资源 STS

下图说明了以上的资源访问情况，但没有资源 STS。也即 Web 服务担当它自己的 STS：

返回页首

6.2. 第三方 STS

下图说明了以上的资源访问情况，但信任是通过第三方 STS 代理的：

需要注意的是，第三方 IP/STS 是通过策略或某个带外机制决定的。

返回页首

6.3. 委派的资源访问

下图说明了某个资源代表第一方资源访问来自另一方资源的数据：

本示例中，请求方使用 WS-Trust 中定义的颁发步骤 1 中的委派令牌。这就向 Web 服务 1 提供了必要的信息，使 Web 服务 1 在与 Web 服务 2 联系时能够代表请求方。

返回页首

7. 安全性令牌

当接受到安全性令牌时，接收者“应该”：

•	验证令牌是否经正确格式化
•	验证 STS 签名
•	验证令牌有效性时间间隔
•	验证策略请求的属性，如所需的身份验证类型、从身份验证时刻起的最大时间（如密码必须在 1 个小时以内提交），以及身份属性等。

本章描述了特定于令牌格式的需求，但并不强制特定令牌类型的用法。

返回页首

7.1. X.509v3

此规范对 X.509 令牌设置了以下要求：

•	除使用安全通道来传递令牌之外，令牌“必须”在整个令牌期间包含颁发机构的名称和颁发机构的签名。也即通过各断言的签名元素。需要注意的是，“建议”使用签名，即使是使用安全通道也是如此。
•	令牌“必须”包含主题标识符，以唯一地标识出被授予此令牌的主题。X.509 并不指定 Principal 字段的规则。遵守此规范的 X.509 令牌“应该”确保颁发的主体在各领域中是唯一的，并且该领域“应该”从主体名称中派生出来。
•	令牌“可以”包含初始身份验证的时间、有效性时间间隔以及执行的身份验证类型。
•	令牌“可以”包含证书吊销信息 (Certificate Revocation Information)，如 CRL 分发点
•	X.509 证书“必须”携带在 wsse:BinarySecurityToken 元素（它的 ValueType 是 wsse:X509v3）内。

返回页首

7.2. Kerberos

此规范对 Kerberos 令牌设置了以下要求

•	Kerberos 票证授权的票证“必须”携带在 wsse:BinarySecurityToken 元素（它的 ValueType 是 wsse:Kerberosv5TGT）内。
•	Kerberos 服务票证“必须”携带在 wsse:BinarySecurityToken 元素（它的 ValueType 是 wsse:Kerberosv5ST）内。
•	使用的对称密钥“应该”从所需领域中派生出来。

返回页首

7.3. XrML

此规范对 XrML 令牌设置了以下要求：

•	处理器“必须”支持带或不带包含的签名的 xrml:issuer 元素。除非 xrml:license 传送密钥（直接或间接），否则处理器“不应”包含所含的签名。
•	包含一个或多个 xrml:issuer 元素中签名的令牌“必须”声明 xrml:license 元素上的所有 XML 命名空间。
•	处理器“必须”包括一个用于标识 xrml:details 下颁发者的 xrml:issuer 元素。
•	当 xrml:license 令牌传送密钥（直接或间接）时，处理器“必须”在 xrml:issuer 元素内包含一个 xrml:validityInterval。xrml:validityInterval“必须”同时包含 xrml:notBefore 和 xrml:notAfter 元素。
•	令牌“应该”包含指示使用范围（如资源或领域）的接收者标识符 — 这是通过 grant resource 表示的，并且默认假定使用了此领域。

返回页首

7.4. SAML

此规范对 SAML 令牌设置了以下要求：

•	除非是使用安全通道传递该令牌，否则令牌“必须”包含颁发机构在整个令牌期间的签名。也即通过 SAML 断言的签名元素。需要注意的是，“建议”使用签名，即使是使用安全通道也是如此。
•	令牌“必须”包含主题标识符，以唯一地标识出被授予此令牌的主题。SAML 并不指定 NameIdentifier 元素的规则。遵守此规范的 SAML 断言“应该”确保颁发的标识符在各领域中是唯一的，并且该领域“应该”从主题标识符中派生出来。
•	令牌“应该”包含指示使用范围（如资源或领域）的接收者标识符 — SAML 断言中的 AudienceRestriction 或 Recipient 元素。
•	令牌“必须”包含初始身份验证的时间、有效性时间间隔以及执行的身份验证类型。SAML 断言中的有效性时间间隔是通过 Conditions 元素的 NotBefore 和 NotOnOrAfter 属性来满足的。初始身份验证类型和时间是通过 AuthenticationStatement 元素的属性来包含的。
•	令牌“可以”包含其他的标识信息。如果包含了其他信息，则描述这些其他信息的架构“必须”能被接收者所理解，否则，该令牌“必须”被拒绝。

返回页首

9. 安全考虑事项

本部分概述了未在 WS-Federation 和其他 Web 服务安全性规范中指出的安全考虑事项。

如果安全性令牌不是自我保护的，它就“应该”被包括在某种形式的消息完整性机制（如 WS-Security 中说明的机制）中。

如果涉及到隐私，则“可以”使用 WS-Security 中描述的机制，为授权的接收者加密安全性令牌。

返回页首

10. 致谢

此规范的制订是许多个人和团体共同努力的结果，包括：

Tim Hahn，IBM

Heather Hinton，IBM

Bronislav Kavsan，RSA Security

Anthony Moran，IBM

Robert Philpott，RSA Security

Yordan Rouskov，Microsoft

Shane Weeden，IBM

Jeff Spelman，Microsoft

返回页首

11. 参考资料

[关键字]

S. Bradner，Key Words for Use in RFCs to Indicate Requirement Levels， RFC 2119，Harvard University，1997 年 3 月。

[SOAP]

W3C 纪要， SOAP:Simple Object Access Protocol 1.1，2000 年 5 月 8 日。

SOAP 1.2，草案 http://www.w3.org/TR/soap12-part0/

SOAP 1.2，草案 http://www.w3.org/TR/soap12-part1/

SOAP 1.2，草案 http://www.w3.org/TR/soap12-part2/

[URI]

T. Berners-Lee、R. Fielding 和 L. Masinter，Uniform Resource Identifiers (URI):Generic Syntax， RFC 2396，MIT/LCS、U.C. Irvine、Xerox Corporation，1998 年 8 月。

[WS-Federation]

"Web Services Federation Language，BEA、IBM、Microsoft、RSA Security 和 VeriSign，2003 年 7 月。

[WS-Security]

"Web Services Security Language，IBM、Microsoft 和 VeriSign，2002 年 4 月。

"WS-Security Addendum，IBM、Microsoft 和 VeriSign，2002 年 8 月。

"WS-Security XML Tokens，IBM、Microsoft 和 VeriSign，2002 年 8 月。

[WS-Policy]

"Web Services Policy Framework，BEA、IBM、Microsoft 和 SAP，2002 年 12 月。

[WS-PolicyAttachment]

"Web Services Policy Attachment Language，BEA、IBM、Microsoft 和 SAP，2002 年 12 月。

[WS-PolicyAssertions]

"Web Services Policy Assertions Language，BEA、IBM、Microsoft 和 SAP，2002 年 12 月。

[WS-Trust]

"Web Services Trust Language，IBM、Microsoft、RSA 和 VeriSign，2002 年 12 月。

[WS-SecureConversation]

"Web Services Secure Conversation Language，IBM、Microsoft、RSA 和 VeriSign，2002 年 12 月。

[WS-SecurityPolicy]

"Web Services Security Policy Language，IBM、Microsoft、RSA 和 VeriSign，2002 年 12 月。

[XML-ns]

W3C 推荐，Namespaces in XML，1999 年 1 月 14 日。

WS-Federation: Active Requestor Profile

2008-04-02T08:25:00.000-07:00

Global XML Web Services Specifications

WS-Federation: Active Requestor Profile

Version 1.0
July 8, 2003

Authors

Siddharth Bajaj, VeriSign
Giovanni Della-Libera, Microsoft
Brendan Dixon, Microsoft
Maryann Hondo, IBM
Matt Hur, Microsoft
Chris Kaler (Editor), Microsoft
Hal Lockhart, BEA
Hiroshi Maruyama, IBM
Anthony Nadalin (Editor), IBM
Nataraj Nagaratnam, IBM
Andrew Nash, RSA Security
Hemma Prafullchandra, VeriSign
John Shewchuk, Microsoft

Copyright Notice

IBM, Microsoft, BEA Systems, Inc., RSA Security, Inc., VeriSign, Inc. (collectively, the "Authors") hereby grant you permission to copy and display the WS-Federation: Active Requestor Specification, in any medium without fee or royalty, provided that you include the following on ALL copies of the WS-Federation: Active Requestor Specification, or portions thereof, that you make:

A link or URL to the Specification at this location
The copyright notice as shown in the WS-Federation: Active Requestor Specification.

EXCEPT FOR THE COPYRIGHT LICENSE GRANTED ABOVE, THE AUTHORS DO NOT GRANT, EITHER EXPRESSLY OR IMPLIEDLY, A LICENSE TO ANY INTELLECTUAL PROPERTY, INCLUDING PATENTS, THEY OWN OR CONTROL.

THE WS-Federation: Active Requestor SPECIFICATION IS PROVIDED "AS IS," AND THE AUTHORS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS OF THE WS-Federation: Active Requestor SPECIFICATION ARE SUITABLE FOR ANY PURPOSE; NOR THAT THE IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.

THE AUTHORS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO ANY USE OR DISTRIBUTION OF THE WS-Federation: Active Requestor SPECIFICATION.

The WS-Federation: Active Requestor Specification may change before final release and you are cautioned against relying on the content of this specification.

The name and trademarks of the Authors may NOT be used in any manner, including advertising or publicity pertaining to the Specification or its contents without specific, written prior permission. Title to copyright in the WS-Federation: Active Requestor Specification will at all times remain with the Authors.

No other rights are granted by implication, estoppel or otherwise.

Abstract

This specification defines how the cross trust realm identity, authentication and authorization federation mechanisms defined in WS-Federation are used by active requestors such as SOAP-enabled applications.

Modular Architecture

By using the XML, SOAP and WSDL extensibility models, the WS* specifications are designed to be composed with each other to provide a rich Web services environment. WS-Federation: Active Requestor by itself does not provide a complete security solution for Web services. WS-Federation: Active Requestor is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models.

Status

This WS-Federation Active Requestor Specification is an initial public draft release and is provided for review and evaluation only. BEA, IBM, Microsoft, RSA Security and VeriSign hope to solicit your contributions and suggestions in the near future. BEA, IBM, Microsoft, RSA Security and VeriSign make no warrantees or representations regarding the specifications in any manner whatsoever.

1. Introduction

1.1. Goals and Requirements

1.1.1 Requirements

1.1.2. Non-Goals

1.2. Notational Conventions

4.1. Requesting Security Tokens

4.2. Returning Security Tokens

4.3. Sign-Out Syntax

4.4. Attribute Requests

4.5. Pseudonym Requests

5. Detailed Example

6. Additional Examples

6.1. No Resource STS

6.2. 3rd-Party STS

6.3. Delegated Resource Access

9. Security Considerations

10. Acknowledgements

11. References

1. Introduction

The WS-Federation specification defines an integrated model for federating identity, authentication and authorization across different trust realmss. This specification defines how the federation model is applied to active requestors such as SOAP applications.

1.1. Goals and Requirements

The primary goal of this specification is to define mechanisms for federation of identity, authentication, and authorization information as applied to active requestors.

1.1.1 Requirements

The following list identifies the key driving requirements for this specification:

Enable sharing of identity, authentication, and authorization data between and through active requestors
Brokering of trust and security token exchange in a active requestor environment
Optional hiding or protection of identity information and other attributes in a active requestor environment

1.1.2. Non-Goals

The following topics are outside the scope of this document:

Definition of message security or trust establishment/verification protocols
Specification of new security token formats

1.2. Notational Conventions

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

When describing abstract data models, this specification uses the notational convention used by the XML Infoset. Specifically, abstract property names always appear in square brackets (e.g., [some property]).

When describing concrete XML schemas, this specification uses the notational convention of WS-Security. Specifically, each member of an element's [children] or [attributes] property is described using an XPath-like notation (e.g., /x:MyHeader/x:SomeProperty/@value1). The use of {any} indicates the presence of an element wildcard (). The use of @{any} indicates the presence of an attribute wildcard ().

1.3. Namespaces

The following namespaces are used in this document:

Prefix	Namespace
`S`	http://www.w3.org/2002/06/soap-envelope
`wsse`	http://schemas.xmlsoap.org/ws/2003/07/secext
`wsu`	http://schemas.xmlsoap.org/ws/2002/07/utility
`wp`	http://schemas.xmlsoap.org/ws/2002/12/policy

1.4. Terminology

The following definitions outline the terminology and usage in this specification.

Active Requestor - An active requestor in a Federation is an application (possibly a Web browser) that is capable of issuing (and receiving) SOAP messages such as those described in WS-Security and WS-Trust.

Claim - A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, attribute, etc).

Security Token - A security token represents a collection of claims.

Signed Security Token - A signed security token is a security token that is asserted and cryptographically signed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket)

Proof-of-Possession Token - A proof-of-possession token is a security token that contains data that a sending party can use to demonstrate proof-of-possession. Typically, although not exclusively, the proof-of-possession information is encrypted with a key known only to the sender and recipient parties.

Digest - A digest is a cryptographic checksum of an octet stream.

Signature - A signature is a value computed with a cryptographic algorithm and bound to data in such a way that intended recipients of the data can use the signature to verify that the data has not been altered since it was signed by the signer.

Security Token Service (STS) - A security token service is a Web service that issues security tokens (see WS-Security and WS-Trust). That is, an STS makes claims based on evidence, to entities that trust the STS. To communicate trust, one service requires proof, such as a security token or set of security tokens, and issues a security token with its own trust statement (note that for some security token formats this can just be a re-issuance or co-signature on the original token). This forms the basis of trust brokering.

Trust - Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions about a set of subjects and/or scopes in a way that is expected.

Trust Domain/Realm - A Trust DomainRealm is a security space in which the target of a request can determine whether particular sets of credentials from a source satisfy the relevant security policies of the target. The target may defer trust to a third party thus including the trusted third party in the Trust Realm.

Direct Trust - Direct trust is when a relying party accepts as true all (or some subset of) the claims in the token sent by the requestor.

Direct Brokered Trust - Direct Brokered Trust is when one party trusts a second party who, in turn, trusts or vouches for, a third party.

Indirect Brokered Trust - Indirect Brokered Trust is a variation on direct brokered trust where the second party negotiates with the third party, or additional parties, to assess the trust of the third party.

Signature validation - Signature validation is the process of verifying that the message received is the same as the one sent.

Sender Authentication - Sender authentication is corroborated authentication among Web service actors/roles indicating the sender of a Web service message (and its associated data). Note that it is possible that a message may nave multiple senders if authenticated intermediaries exist. Also note that it is application-dependent (and out of scope) as to how it is determined who first created the messages as the message originator might be independent of, or hidden behind an authenticated sender.

Realm or Domain - A realm or domain represents a single unit of security administration or trust.

Federation - A federation is a trusted relationship established by a collection (at least two) of realms. The level of trust may vary, but typically includes authentication and may include authorization.

Identity Provider - Identity Provider is an entity that acts as a peer entity authentication service to end requestors and data origin authentication service to service providers (this is typically an extension of a security token service)

Single Sign On (SSO) - Single Sign On is an optimization of the authentication sequence to remove the burden of repeating actions placed on the end requestor. To facilitate SSO, an element called an Identity Provider can act as a proxy on a requestor's behalf to provide evidence of authentication events to 3rd parties requesting information about the requestor. These Identity Providers are trusted 3rd parties and need to be trusted both by the requestor (to maintain the requestor's identity information as the loss of this information can result in the compromise of the requestors identity) and the Web services which may grant access to valuable resources and information based upon the integrity of the identity information provided by the IP.

Identity Mapping - Identity Mapping is a method of creating relationships between identity properties. Some Identity Providers may make use of id mapping.

Sign-Out - A sign-out is the process by which a principal indicates that they will no longer be using their token and services in the realm can destroy their token caches for the principal.

2. Model

The WS-Federation specification defines a model and set of messages for brokering trust and federating identity and authentication information across different trust realms. This chapter presents how this model is applied to active requestors such as Web services requestors.

The federation model described in WS-Federation builds on the foundation established by WS-Security and WS-Trust. Consequently, this profile defines mechanisms for requesting, exchanging, and issuing security tokens within the context of active requestors.

The model defined in this specification allows for support of different but compatible message exchanges. For example, the resource may act as its own security token service (STS) and does not use a separate service (or even URI) thereby eliminating some steps. It is expected that subsequent profiles will be defined to characterize specific exchange patterns.

3.1. Single Sign On

Since active requestors are capable of issuing their own messages, they can make use of the mechanisms defined within WS-Security, WS-Trust, and WS-Federation.

At a high-level, policy is used to indicate communication requirements. Requestors can obtain the policy ahead of time or via error responses from services. In general, requestors are required to obtain a security token (or tokens) from their Identity Provider (or STS) when they authenticate themselves. The IP/STS generates a security token for use by the federated party. This is done using the mechanisms defined in WS-Trust. In some scenarios, the target service acts as its own IP/STS so communication with an additional service isn't required. Otherwise the requestor may be required to obtain additional security tokens from service-specific or service-required identity providers or security token services. The figure below illustrates one possible flow.

While the example above doesn't illustrate this, it is possible that the WS-Trust messages for security tokens may involve challenges to the requestors. Refer to WS-Trust for additional information.

3.2. Sign-Out

Just as it isn't typical for an active requestor to sign-in, it isn't typical to sign-out either. However, for those scenarios where this is desirable, the sign-out messages defined in WS-Federation MAY be used.

In situations where federated sign-out messages are desirable, The requestor's IP/STS SHOULD keep track of the realms to which it has issued tokens - specifically the IP/STS for the realms (or resources if different). When the sign-out is received at the requestor's IP/STS, the requestor's IP/STS is responsible for issuing federated sign-out messages to interested and authorized parties. The exact mechanism by which this occurs is up to the IP/STS, but it is strongly RECOMMENDED that the sign-out messages defined in WS-Federation be used.

When a federated sign-out message is received at a realm, the realm SHOULD clean-up any cached information and delete any associated state as illustrated in the figure below:

3.3. Attributes

For active requestors, attribute services are identified via WS-Policy as described in WS-Federation. Web services and other authorized parties can obtain or even update attributes using the messages defined by the specific attribute service.

The figure below illustrates a scenario where a requestor issues a request to a Web service. The request may include the requestor's policy or it may be already cached at the service or the requestor may use WS-PolicyExchange. The Web service issues a request to the requestor's attribute service to obtain the values of a few attributes, WS-Policy may be used to describe the location of the attribute service. The service is authorized so the attributes are returned. The request is processed and a response is returned to the requestor.

3.4. Pseudonyms

For active requestors, pseudonym services are identified via WS-Policy as described in WS-Federation. Services and other authorized parties can obtain or manage pseudonyms using the messages defined in WS-Federation.

The figure below illustrates a scenario where a requestor issues a request to a Web service. The request may include the requestor's policy and the location of the requestor's pseudonym service or it may be already cached at the Web service. The Web service issues a request to the requestor's pseudonyms service to obtain the pseudonyms that are authorized by the security token. The Web service is authorized so the pseudonym is returned. The request is processed and a response is returned to the requestor.

As described in WS-Federation, the pseudonym and IP/STS can interact as part of the token issuance process. The figure below illustrates a scenario where a requestor has previously associated a pseudonym and associated security token for a specific realm. When the requestor requests a security token to the domain/realm, the pseudonym and token are obtained and returned to the requestor. The requestor uses these security tokens for accessing the Web service.

4. Syntax

This section defines the syntax for the federation mechanisms described in the model above.

4.1. Requesting Security Tokens

Security tokens are requested using the message defined in the WS-Trust specification.

4.2. Returning Security Tokens

Security tokens are returned using the message defined in the WS-Trust specification.

4.3. Sign-Out Syntax

Explicit sign-out notification is performed using the message defined in the WS-Federation specification.

Similarly, federated sign-out messages use the same message element.

4.4. Attribute Requests

Attributes are requested and updated using messages specific to the attribute services as described in the WS-Federation Specification. This specification doesn't mandate a specific attribute store technology.

4.5. Pseudonym Requests

Pseudonyms are requested and updated using the messages and mechanisms described in the WS-Federation specification.

5. Detailed Example

This section provides a detailed example of the protocol defined in this specification. The exact flow can vary significantly; however, the following diagram and description depict a common sequence of events.

In this scenario, an active requestor is attempting to access a service which requires security authentication to be validated by the resource's security token service.

Step 1: Acquire Policy

If the requestor doesn't already have the policy for the service, it can obtain it using the mechanisms defined in WS-MetadataExchange.

Step 2: Return Policy

The requested policy is returned using the mechanisms defined in WS-MetadataExchange.

Step 3: Request Security Token

The requestor requests a security token from its IP/STS (assuming short-lived security tokens) using the mechanisms defined in WS-Trust ()

Step 4: Issue Security Token

The IP/STS returns a security token (and optional proof of possession information) using the mechanisms defined in WS-Trust ( and )

Step 5: Request Security Token

The requestor requests a security token from the Web services IP/STS for the target Web service using the mechanisms defined in WS-Trust (). Note that this is determined via policy or some out-of-band mechanism.

Step 6: Issue Security Token

The Web service's IP/STS returns a token (and optionally proof of possession information) using the mechanisms defined in WS-Trust ()

Step 7: Send secured request

The requestor sends the request to the service attaching and securing the message using the issued tokens as described in WS-Security.

Step 8: Return result

The service issues a secured reply using its security token.

6. Additional Examples

This section presents interaction diagrams for additional active requestor scenarios.

6.1. No Resource STS

The figure below illustrates the resource access scenario above, but without a resource STS. That is, the Web service acts as its own STS:

6.2. 3^rd-Party STS

The figure below illustrates the resource access scenario above, but trust is brokered through a 3rd-party STS:

Note that 3^rd-Party IP/STS is determined via policy or some out-of-band mechanism.

6.3. Delegated Resource Access

The figure below illustrates where a resource access data from another resource on behalf of the first resource:

In this example, the requestor used a as defined in WS-Trust to issue the delegation token in Step 1. This provides to Web Service 1 the necessary information so that Web Service 1 can act on the requestor's behalf as it contacts Web Service 2.

7. Security Tokens

When accepting security tokens, recipients SHOULD:

Verify the token is formatted correctly
Verify STS signature
Verify the token validity interval
Verify properties requested by policy such as required authentication type, maximum time since authentication instant (e.g. a password must have been submitted within 1 hour), identity properties etc.

This chapter describes token format-specific requirements but it does not mandate usage of a particular token type.

7.1. X.509v3

This specification places the following requirements on X.509 tokens:

Tokens MUST contain the name of the issuing authority and a signature of the issuing authority over the whole token unless a secure channel is used to communicate the token. That is, a signature element over the assertions. Note that it is RECOMMENDED that a signature be used even if a secure channel is used.
Tokens MUST contain the subject identifier uniquely identifying the subject for whom the token was granted. X.509 does not specify rules for Principal field. X.509 tokens conformant with this specification SHOULD assure the principals issued are unique across realms and also the realm SHOULD be derivable from the principal name.
Tokens MAY contain the time of initial authentication, validity interval and the type of authentication that was performed.
Tokens MAY contains Certificate Revocation Information, such as a CRL distribution point
X.509 certificates MUST be carried within a wsse:BinarySecurityToken element whose ValueType is wsse:X509v3.

7.2. Kerberos

This specification places the following requirements on Kerberos tokens:

Kerberos ticket-granting tickets MUST be carried within a wsse:BinarySecurityToken element whose ValueType is wsse:Kerberosv5TGT.
Kerberos service tickets MUST be carried within a wsse:BinarySecurityToken element whose ValueType is wsse:Kerberosv5ST.
The symmetric key used SHOULD be derived from the desired realm.

7.3. XrML

This specification places the following requirements on XrML tokens:

Processors that MUST support the xrml:issuer element with and without contained signatures. Processors SHOULD NOT include a contained signature unless the xrml:license conveys the key (directly or indirectly).
Tokens that contain signatures in one or more xrml:issuer elements MUST declare all XML namespaces on the xrml:license element.
Processors MUST include an xrml:issuer element identifying the issuer under xrml:details.
Processors MUST include within the xrml:issuer element an xrml:validityInterval when the xrml:license token conveys the key (directly or indirectly). The xrml:validityInterval MUST contain both xrml:notBefore and xrml:notAfter elements.
Tokens SHOULD contain a recipient identifier indicating the scope of usage (such as the resource or realm) - this is represented by grant resource, with the tacit assumption that the realm is used.

7.4. SAML

This specification places the following requirements for SAML tokens:

Tokens MUST contain a signature of the issuing authority over the whole token unless a secure channel is used to communicate the token. That is, a signature element over the SAML assertion. Note that it is RECOMMENDED that a signature be used even if a secure channel is used.
Tokens MUST contain the subject identifier uniquely identifying the subject for whom the token was granted. SAML does not specify rules for NameIdentifier element. The SAML assertions conformant with this specification SHOULD assure the identifiers issued are unique across realms and also the realm SHOULD be derivable from the subject identifier.
Tokens SHOULD contain a recipient identifier indicating the scope of usage (such as the resource or realm) - the AudienceRestriction or Recipient elements in the SAML assertion.
Tokens MUST contain the time of initial authentication, validity interval and the type of authentication that was performed. The validity interval in the SAML assertion is satisfied by the NotBefore and NotOnOrAfter attributes of the Conditions element. The initial authentication type and time are covered by the attributes of AuthenticationStatement element.
Tokens MAY contain additional identity information. If they do, the schema describing the additional information MUST be understood by the recipient or the token MUST be rejected.

8. Error Handling

Errors are handled using the mechanisms described in the WS-Security, WS-Trust, WS-Federation, and any referenced specifications. No additional error semantics or error codes are defined by this specification.

9. Security Considerations

This section outlines security considerations beyond those identified in WS-Federation and other Web service security specifications.

If a security token is not self-securing, it SHOULD be included in some form of message integrity mechanism such as the mechanisms described in WS-Security.

If privacy is a concern, the security tokens MAY be encrypted for the authorized recipient(s) using the mechanisms described in WS-Security.

10. Acknowledgements

This specification has been developed as a result of joint work with many individuals and teams, including:

Tim Hahn, IBM
Heather Hinton, IBM
Bronislav Kavsan, RSA Security
Anthony Moran, IBM
Robert Philpott, RSA Security
Yordan Rouskov, Microsoft
Shane Weeden, IBM
Jeff Spelman, Microsoft

11. References

[KEYWORDS]: S. Bradner, "Key Words for Use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997.
[SOAP]: W3C Note, "SOAP: Simple Object Access Protocol 1.1", 08 May 2000.
Draft, SOAP 1.2, http://www.w3.org/TR/soap12-part0/
Draft, SOAP 1.2, http://www.w3.org/TR/soap12-part1/
Draft, SOAP 1.2, http://www.w3.org/TR/soap12-part2/
[URI]: T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax," RFC 2396, MIT/LCS, U.C. Irvine, Xerox Corporation, August 1998.
[WS-Federation]: "Web Services Federation Language", BEA, IBM, Microsoft, RSA Security, VeriSign, July 2003.
[WS-Security]: "Web Services Security Language", IBM, Microsoft, VeriSign, April 2002.
"WS-Security Addendum", IBM, Microsoft, VeriSign, August 2002.
"WS-Security XML Tokens", IBM, Microsoft, VeriSign, August 2002
[WS-Policy]: "Web Services Policy Framework", BEA, IBM, Microsoft, SAP, December 2002.
[WS-PolicyAttachment]: "Web Services Policy Attachment Language", BEA, IBM, and Microsoft, SAP, December 2002.
[WS-PolicyAssertions]: "Web Services Policy Assertions Language", BEA, IBM, Microsoft, SAP, December 2002.
[WS-Trust]: "Web Services Trust Language", IBM, Microsoft, RSA, VeriSign, December 2002.
[WS-SecureConversation]: "Web Services Secure Conversation Language", IBM, Microsoft, RSA, VeriSign, December 2002.
[WS-SecurityPolicy]: "Web Services Security Policy Language", IBM, Microsoft, RSA, VeriSign, December 2002.
[XML-ns]: W3C Recommendation, "Namespaces in XML", 14 January 1999.

Java平台乱弹六

2008-04-02T04:34:00.000-07:00

26) 常见电子商务框架:
　　电子商务驱动着新的商务模式，底层商务Framework质量的好坏在很大程度上决定了系统的好坏。常见的框架如下。
　　AltoWeb Application Platform AltoWeb
　　Apache Cocoon Apache Software Foundation
　　BEA WebLogic Server 7.0 BEA Systems, Inc.
　　BlueBoot Services Manager Enba Asia Pte Ltd
　　Borland JBuilder Borland Software Corporation
　　Droplets User Interface Server 2.0 Droplets
　　e-Frames Aithent, Inc.
　　Enterprise Business Components Diamelle Technologies
　　Eontec Eontec
　　Expresso Framework Jcorporate Ltd
　　HP Application Server 8.0 Hewlett-Packard
　　IBM WebSphere IBM
　　Induslogic Xintegrate Web Services Edition Induslogic
　　Internet Shopping with Java Eastland Data Systems
　　iPlanet Application Server iPlanet E-Commerce Solutions
　　Oracle9i JDeveloper with Business Components for Java Oracle Corporation
　　realMethods Framework realMethods, Inc.
　　Roaming Wireless Framework ObjectVenture Inc.
　　SilverStream eXtend Director SilverStream Software
　　Sparx Application Platform Netspective Corporation
　　Struts Apache Software Foundation
　　Wakesoft Architecture Server Wakesoft

　　27) 常见Java企业应用集成平台:
　　企业应用集成(简称，EAI) 给传统的企业应用系统提供了很好的方式，使得企业面对新业务、新的商务模式时需要认真考虑的问题。下面是一些常用的集成平台。
　　AltioLive Altio Inc.
　　BEA WebLogic Integration BEA Systems, Inc.
　　Collaxa Web Service Orchestration Server Collaxa
　　DataMirror Transformation Server DataMirror
　　Droplets Droplets
　　eXtremeVista version 3.2 OpenConnect Systems, Inc.
　　Flamenco Web Services Network Flamenco Networks
　　IBM WebSphere MQ IBM
　　Induslogic Xintegrate Web Services Edition Induslogic
　　IONA Orbix E2A Web Services Integration Platform IONA
　　mPower Remote Manager ProSyst Software AG
　　OpenFusion Integration Server PrismTech Corp
　　Oracle9i Application Server Oracle Corporation
　　SonicXQ 1.0 Sonic Software Corporation
　　SpiritArchitecture SpiritSoft Inc
　　Tifosi Fiorano
　　XMLShark 1.4 infoshark

　　28) 常见Java开发Web Services工具包:
　　Java为Web Services，这种优秀的构架，提供了很好的开发工具包，各个软件厂商纷纷推出自己的开发工具包。Sun、IBM、Borland、Oracle、。。。。下面是一些常见的资源。
　　AltioLive Altio Inc.
　　AltoWeb Application Platform AltoWeb
　　Bali Spidertop Inc.
　　Borland Web Services Kit for Java Borland Software Corporation
　　Bowstreet Business Web Factory Bowstreet, Inc.
　　CapeConnect Cape Clear Software Inc.
　　CapeStudio Cape Clear Software Inc.
　　Collaxa Web Service Orchestration Server Collaxa
　　EZ JMS Talarian Corporation
　　Flamenco Web Services Network Flamenco Networks
　　Forte for Java/NetBeans Sun Microsystems, Inc.
　　GLUE The Mind Electric
　　Grand Central Network Grand Central
　　IBM Web Services Toolkit IBM
　　in2j Quintessence Systems
　　Induslogic Xintegrate Web Services Edition Induslogic
　　Infravio Web Services Management System Infravio, Inc.
　　IONA Orbix E2A Web Services Integration Platform IONA
　　Java Web Services Developer Pack (JWSDP) Sun Microsystems, Inc.
　　Oracle9i JDeveloper Oracle Corporation
　　Rio Project Sun Microsystems
　　Shinka Business Integraiton Platform 2.0 Shinka Technologies
　　SilverStream eXtend Workbench SilverStream Software
　　SonicXQ 1.0 Sonic Software Corporation
　　Systinet WASP Developer Systinet
　　WebGain Application Composer WebGain
　　XML Spy Suite 4.2 Altova, Inc.
　　XMLShark 1.4 infoshark

　　29) 常见数据库工具或驱动程序:
　　Java中的数据库驱动，或者数据库工具显得格外重要，因为这些是操控EIS的重要利器。如何选择很好的JDBC Drivers or Tools成为我们大家需要考虑的问题。下面是常见的一些资源。
　　CA AllFusion ERwin Data Modeler Computer Associates
　　DataDirect JDBC Drivers DataDirect Technologies (formerly MERANT DataDirec
　　DataMirror Transformation Server DataMirror
　　DbVisualizer Minq Software
　　Easysoft JDBC-ODBC
　　Bridge Easysoft
　　eXtensible Information Server (XIS) eXcelon Corp.
　　FrontierSuite ObjectFrontier
　　HiT JDBC/DB2 HiT Software, Inc.
　　HOBLink J-DRDA HOB
　　in2j Quintessence Systems
　　i-net OPTA i-net software
　　Ipedo XML Database 2.0 Ipedo,Inc.
　　iSQL-Viewer 100acres.org
　　Kodo JDO SolarMetric Inc.
　　MM.MySQL JDBC Driver Mark Matthews
　　NetDirect JSQLConnect NetDirect
　　OpenFusion JDO PrismTech Corp
　　OpenLink JDBC Drivers OpenLink Software
　　Oracle9i Business Components For Java (BC4J) Oracle Corporation
　　Oracle9iAS TopLink WebGain
　　Pervasive.SQL 2000i (ODBC, JDBC and JCL) Pervasive Software
　　PostgreSQL JDBC PostgreSQL Global Development Group
　　XML Spy Suite 4.2 Altova, Inc.
　　XMLShark 1.4 infoshark

Java平台乱弹五

2008-04-02T04:32:00.000-07:00

第五：
22) 常见团队开发工具:
Alcea Fast BugTrack Alcea Technologies Inc.
Borland JBuilder Borland Software Corporation
CA AllFusion Harvest Manager Computer Associates
CocoBase Enterprise O/R Thought Inc.
Code Co-op Reliable Software
Eclipse Workbench Eclipse Open Source Community
JLOOXTelecom LOOX Software
Jtest ParaSoft
MagicDraw UML 5.0 Teamwork Server No Magic
MKS Source Integrity Enterprise Edition MKS Inc.
Oracle9i SCM Oracle Corporation
Rational ClearCase Rational Software
Revize 3.5 Web Content Management and Delivery System Idetix Software Systems Inc.
Serena ChangeMan DS Serena Software
StarTeam Starbase Corporation
Together ControlCenter 5.5 TogetherSoft Corporation
Visual SlickEdit SlickEdit Inc.

23) 常见无线应用:
AmikaFreedom.com AmikaNow!
AVIDRapidTools AVIDWireless
Axion Cocoasoft
COOL:Plex/Websydian Computer Associates
iAnywhere m-Business Studio iAnywhere Solutions, a Sybase company
IBM WebSphere Transcoding Publisher IBM
iBus//Mobile Wireless JMS Softwired
Lutris Enhydra 3.5 Lutris Technologies
MicroPoint Visualize Inc.
Oracle9i Application Server Oracle Corporation
PointBase Micro PointBase
SavaJe PIM SavaJe Technologies
SilverStream eXtend Director SilverStream Software
Smart Device Mapping XEN Information Systems
WAP office suite Coldbeans
WAP Package - ProSyst mBedded Server ProSyst Software AG
Wireless-to-Host Seagull Software

24) 常见XML工具:

XML工具在SOAP、Web Services中越来越重要，在Java中也是如此，否则有名的JAX-系列就不会有。XML Spy、JBuilder很不错。还有。。。。。。。。。
4SuiteServer Fourthought
AltioLive Altio Inc.
Apache Cocoon Apache Software Foundation
Borland JBuilder Borland Software Corporation
Breeze XML Studio Version 2.5 The Breeze Factor
Brock and Jfaq Enhydra
BXXP Invisible Worlds
DataMirror DB/XML Transform DataMirror
DSML DSML.ORG
Electric XML The Mind Electric
Elixir Report Elixir Technology
HTML-XML Dual Viewer NetClue
IBM WebSphere Studio Application Developer 4.0 IBM
iMESSENGER Infoteria
Induslogic XSLWiz/Xintegrate Web Services Edition Induslogic
Informix Object Translator Informix
Ipedo XML Database 2.0 Ipedo,Inc.
iPlanet Integration Server iPlanet
jAllora HiT Software, Inc.
JLOOX LOOX Software
MobilityT v1.2 Macalla Software
Nepal Innovision
Oracle9i XDK Oracle Corporation
PolarLake PolarLake
SilverStream eXtend Composer SilverStream Software
SoftModeler Softera
Stylus Studio eXcelon Corp.
System Architect Popkin Software
Turbo XML TIBCO
XAServer X-Aware
xCommerce 2.0 SilverStream
XML Chat Application VBXML
XML Developer Stilo
XML Spy Suite 4.2 Altova, Inc.
XMLango DevSpace.com
XMLC Lutris Technologies
XMLShark 1.4 infoshark
XMLZip XML Solutions

25) 常见最具创意Java产品:
还记得Java Web Start吗？不知道你是否了解Eclipse、Together，都是很不错的工具。下面给出一些重要的资源。
AltioLive Altio Inc.
AltoWeb(R) Application Platform AltoWeb
Apache Cocoon Apache Software Foundation
BEA WebLogic Server 7.0 BEA Systems, Inc.
Borland JBuilder Borland Software Corporation
CA Unicenter Web Infrastructure Management for J2EE Computer Associates
Cittera CanyonBlue Inc
Collaxa Web Service Orchestration Server Collaxa
Compuware OptimalJ Compuware Corporation
DataMirror DB/XML Transform DataMirror
DataVista Spectrum Visualize Inc.
Droplets User Interface Server 2.0 Droplets
Eclipse Eclipse Open Source Community
EdgeXtend Persistence Software
Espial DeviceServer Espial
Espial Suite for TV Espial
Excelsior JET Excelsior, LLC
Forte for Java/NetBeans Sun Microsystems/NetBeans
FrontierSuite - MDA Platform ObjectFrontier
GLUE The Mind Electric
Headway reView Headway Software
HOBLink JWT HOB
HP Application Server 8.0 Hewlett-Packard
IBM WebSphere Studio Application Developer 4.0 IBM
ILOG JSolver ILOG
ILOG JViews For Workflow ILOG
in2j Quintessence Systems
InstallAnywhere Zero G Software
IntelliJ IDEA IntelliJ Software
Internet Shopping with Java Eastland Data Systems
Jconfig Samizdat Productions
JLOOXTelecom LOOX Software
JSuite? 6.0 Infragistics
Jtest ParaSoft
Juliet infotectonica
Kada Mobile Platform Kada Systems
Kronos Enterprise Scheduler 3.00 Indus Consultancy Services
LiveCluster? DataSynapse, Inc.
Lutris EAS 4.0 Lutris Technologies
Macromedia JRun Server Enterprise Deployment Wizard Macromedia
mBedded Server ProSyst Software AG
MKS Integrity Manager MKS Inc.
ObjectAssembler - Enterprise Edition ObjectVenture Inc.
OpenFusion JDO PrismTech Corp
Optimizeit Suite 4.11 VMGEAR
Oracle9i Application Server with Advanced Clustering Oracle Corporation
PointBase Micro PointBase
PopChart Server Enterprise CORDA Technologies
ReportMill ReportMill Software, Inc.
Rio Project Sun Microsystems
Saffeine Saffeine
SavaJe XE SavaJe Technologies
SilverStream eXtend Integrated Services Environment SilverStream Software
Sitraka JClass Sitraka
Sitraka JProbe Sitraka
Small Worlds Information Laboratory
SpiritCache SpiritSoft
SpiritIntellect SpiritSoft
SpiritWave SpiritSoft
Together ControlCenter 5.5 TogetherSoft Corporation
VantagePoint Visualize Inc.
Venus Application Publisher for JNLP Venus Software
Wakesoft Architecture Server Wakesoft
WebGain TopLink WebGain
XMLShark 1.4 infoshark

Java平台乱弹三

2008-04-02T04:29:00.001-07:00

8) 常见Java开发Studio:

当然，还有。。。。。。。。

Borland Enterprise Studio for Java Borland Software Corporation

mBedded Builder ProSyst Software AG

Oracle9i JDeveloper Oracle Corporation

Pramati Studio 3.0 Pramati Technologies

Rational Suite DevelopmentStudio Rational Software Corporation

Together ControlCenter 5.5 TogetherSoft Corporation

WebGain Studio 4.5 WebGain Inc.

"WebSphere Studio Application Developer 4.0 IBM

XML Spy Suite 4.2 Altova, Inc.

9) 常见Java IDE :

JBuilder、Together、WebSphere Developer、还有。。。。。。。。

AnyJ 3.5 NetComputing GmbH

BlueJ Monash University / University of Southern Denmark

Borland JBuilder Borland Software Corporation

CodeGuide Omnicore Software

CodeWarrior for Java Metrowerks

Compuware OptimalJ Compuware Corp

Eclipse Workbench and Java IDE Eclipse Open Source Community

Forte for Java/NetBeans Sun Microsystems

IntelliJ IDEA IntelliJ Software

Java Development Environment for Emacs (JDEE) Paul Kinnucan

JMaker Jidea

mBedded Builder ProSyst Software AG

NetBeans.org NetBeans.org

ObjectAssembler - Enterprise Edition ObjectVenture Inc.

Oracle9i JDeveloper Oracle Corporation

Pramati Studio 3.0 Pramati Technologies

SilverStream eXtend Workbench SilverStream Software

Sybase PowerJ Sybase, Inc.

Together ControlCenter 5.5 TogetherSoft Corporation

WebGain VisualCafe Enterprise Suite 4.5 WebGain Inc.

"WebSphere Studio Application Developer 4.0 IBM

XML Spy Suite 4.2 Altova, Inc.

10) 常见Java安装工具:

制作Java应用的安装程序确实很头疼，因为虚拟机，JVM，幸好还有。。。。。。。。。。。

DashO-Pro preEmptive Solutions

iBus Softwired

InstallAnywhere Zero G Software

InstallShield MultiPlatform InstallShield Software Corp.

Java Message Que Sun Microsystems

JExpress Professional DeNova

KeyTools S/MIME Baltimore Technologies

mBedded Builder ProSyst Software AG

Openmake From Catalyst Systems Catalyst Systems Corporation

Sitraka DeployDirector Sitraka

Venus Application Publisher for JNLP Venus Software

11) 常见Java消息工具:

JMS、MOM,您应该知道吧？那Message-Drivern Bean呢？JXAM呢？等等。

AshnaMQ Ashnasoft Corporation

BEA WebLogic Server 7.0 BEA Systems, Inc.

FioranoMQ Fiorano

iAnywhere m-Business Studio iAnywhere Solutions, a Sybase company

IBM WebSphere MQ (previously MQSeries) IBM

jBroker SilverStream Software

LiveCluster™ DataSynapse, Inc.

Open3 E-Business Messaging System Open3 Technologies, Inc.

OpenFusion Enterprise Messaging Server PrismTech Corp

Oracle9i Application Server Oracle Corporation

Pramati Message Server 1.0 Pramati Technologies

SmartSockets for JMS Talarian Corp.

SonicMQ 4.0 Sonic Software Corporation

SpiritWave SpiritSoft

SwiftMQ IIT GmbH

Sybase EAServer Sybase, Inc.

TIBCO Enterprise for JMS TIBCO Software Inc.

12) 常见Java建模工具:

软件工程有很多种方法，我们需要的不只是理论，还需要操控理论的利器。Together挺不错的。Rose当然可想而知了。。。

ArgoUML 0.8 Tigris

CA AllFusion Component Modeler Computer Associates

Cittera Canyon Blue Inc

COOL:Joe Computer Associates

Describe Embarcadero Technologies Inc.

Elixir CASE Elixir Technology

ERStudio 3.52a Embarcadero

ERwin Modeling Suite Computer Associates

HOW Professional Edition for Java Riverton

InLine UML Bridge for Rational Rose InLine Software

JVisionTM Object Insight

MagicDraw UML 5.0 No Magic

MetaMatrix Metadata Modeler MetaMatrix

Modelistic Modelistic Ltd

Oracle9i JDeveloper Oracle Corporation

PowerDesigner Sybase, Inc.

Rational Rose Professional J Edition Rational Software Corp.

Rose Secant Extreme Link Secant Technologies

RoseLink Ensemble Systems

SoftModeler Softera

System Architect Popkin Software

Together ControlCenter 5.5 TogetherSoft Corporation

WebGain Studio 4.5 WebGain Inc.

13) 常见Java性能调优、测试工具:

Optimizeit Suite、JProbe不会不知道吧？当然还有。。。。。。。。。

Borland Optimizeit Suite 4.11 VMGEAR

IBM VisualAge Micro Edition - MicroAnalyzer IBM

JProbe Suite Sitraka

Metamata Debug Enterprise Metamata

MKS Engineer Integrity MKS Inc.

Oracle9i JDeveloper Oracle Corporation

Rational PurifyPlus Rational Software

TowerJ Java Virtual Machine Tower Technology Corporation

TrueTime Java Edition Compuware NuMega

Java平台乱弹四

2008-04-02T04:25:00.001-07:00

14) 常见Java报表工具:

制作报表始终是开发企业应用信息系统很重要的部分，大家的印象中，Java报表工具很少，其实不是这样的。

ChartWorks Server Visual Mining, Inc.

Databeacon InterNetivity

DataVista Spectrum Visualize Inc.

e.Spreadsheet Engine Actuate Corporation

Elixir Report Elixir Technology

Embarcadero Technologies Describe Embarcadero Technologies

Enterprise Reports for Java EnterpriseSoft

FOP for XSLT Apache Software Foundation

Formula One for Java Tidestone

i-net Crystal-Clear i-net software

JasperReports JasperReports

Java SpatialX ObjectFX Corporation

JFreeReport The Object Refinery

JReport Jinfonet Software

Metamata RMILite Metamata

MIS JavaClient MIS

Oracle 9i Reports/Discoverer Oracle Corporation

Parallel Crystal Report Server Dynalivery Corporation

PopChart Server Enterprise CORDA Technologies

ReportMill ReportMill Software, Inc.

SilkMeter Segue Software

Sitraka JClass Enterprise Suite Sitraka

StyleReportEE Inetsoft Technology Corporation

Together ControlCenter 5.5 TogetherSoft Corporation

VantagePoint Visualize Inc.

VisualSoft FlexiReports VisualSoft Technologies

WebGain Quality Analyzer WebGain Inc.

15) 常见Java测试工具:

Java应用测试是很重要的步骤。XP、xUit、。。。。。。。JProbe、JUnit还不错。

Alcea Fast BugTrack Alcea Technologies Inc.

Assure Kuck & Associates

Bean-test Empirix

Global Checker for Java Uniscape.com

JBMS Developer Informix Cloudscape

JProbe Suite Sitraka

Jtest ParaSoft

JUnit junit.org

mBedded Builder ProSyst Software AG

MS Stress Test Tool MicroSoft

Optimizeit Suite 4.11 VMGEAR

Oracle9i JDeveloper Oracle Corporation

Precise/Indepth for J2EE Platform Precise Software Solutions, Ltd.

PureLoad Minq Software

QuickTest Professional Mercury Interactive

Rational Suite TestStudio Rational Software

SilkPerformer / SilkTest Segue Software

Test Mentor - Java Edition SilverMark, Inc.

TowerJ Java Virtual Machine Tower Technology Corporation

VisiComp 1.5 VisiComp

WebGain Quality Analyzer WebGain

WebLoad 4.5 Radview Software

WinRunner Mercury Interactive

16) 常见Java培训工具:

Java Productivity with JBuilder Borland Software Corporation

Java/iTV Course at Devicetop.com Devicetop.com (Espial)

JavaTM BluePrints for Wireless program Sun Microsystems

JCertify 5.0 EnterpriseDeveloper.com

Struts Fast Track Public Training baseBeans

17) 常见JVM:

BEA WebLogic JRockit Server Side VM BEA Systems, Inc.

Blackdown Java-Linux JVM Blackdown Java-Linux

Compaq Fast Virtual Machine Compaq

Excelsior JET Excelsior, LLC

HP ChaiVM Hewlett Packard

Java Hot Spot Performance Engine Sun Microsystems

Jeode PDA Edition Insignia Solutions

JSCP NSICom

Kada JVM Kada Systems

Oracle9i JVM Oracle Corporation

Perc NewMonics

SavaJe XE SavaJe Technologies

Sun's Java Plug-in supporting Windows XP Sun Microsystems

The J9 virtual machine IBM / Object Technology International

TowerJ Java Virtual Machine Tower Technology Corporation

18) 常见J2EE IDE:

Borland JBuilder Borland Software Corporation

CA Advantage Joe, formerly known as COOL:Joe Computer Associates

Forte for Java/NetBeans Sun Microsystems/NetBeans

IBM WebSphere Studio Application Developer 4.0 IBM

IntelliJ IDEA IntelliJ Software

ObjectAssembler - Enterprise Edition ObjectVenture Inc.

Oracle9i JDeveloper Oracle Corporation

Pramati Studio 3.0 Pramati Technologies

WebGain VisualCafe Enterprise Suite 4.5 WebGain

19) 常见J2ME IDE:

Borland JBuilder MobileSet Borland Software Corporation

CodeWarrior for Java Metrowerks

IBM VisualAge Micro Edition IBM

Oracle9i JDeveloper Oracle Corporation

20) 常见 J2SE IDE:

Borland JBuilder Borland Software Corporation

CodeGuide Omnicore Software

Forte for Java/NetBeans Sun Microsystems/NetBeans

IntelliJ IDEA IntelliJ Software

Oracle9i JDeveloper Oracle Corporation

VisualCafe Expert Edition WebGain

21) 常见Mobile数据库 :

Borland JDataStore Borland Software Corporation

Cloudscape IBM

db4o - database for objects db4o

Jeode Platform Insignia Solutions

Oracle9i Lite Oracle Corporation

Pervasive.SQL 2000i Pervasive Software

PointBase Micro 4.1 PointBase

SQL Anywhere Studio 8.0 iAnywhere Solutions

Java平台乱弹二

2008-04-02T04:24:00.001-07:00

4) 常见Java应用服务器:

Application Server，这样一种中间件产品现在可谓是风光。

Avenida Web Server Avenida

BEA WebLogic Server 7.0 BEA Systems, Inc.

Borland Enterprise Server Borland

Dynamo Application Server Art Technology Group

GemStone/J Brokat

HP Application Server 8.0 Hewlett-Packard

IBM WebSphere Application Server 4.0 IBM

IONA Orbix E2A Application Server Platform IONA Technologies

iPlanet Application Server iPlanet E-Commerce Solutions

iServer Servertec

Jacada For Java Jacada Ltd.

Jambala Application Server Ericsson

JBoss JBoss.org

JetStream WinDance Networks

JReport Enterprise Server Jinfonet Software

LiteWebServer 2.2 Gefion software

Lutris EAS 4.0 Lutris Technologies

Macromedia JRun 3.1 Macromedia

mPower Remote Manager ProSyst Software AG

Oracle9i Application Server Oracle Corporation

Orion J2EE app. server OrionServer aka IronFlare

OrionServer EPICUS

PowerTier 7.0 Persistence Software

Pramati Server 3.0 Pramati Technologies

Secant Extreme Enterprise Server for EJB Secant

ServletExec 4.1 New Atlanta Communications

SilverStream eXtend Application Server SilverStream Software

Sybase EAServer Sybase, Inc.

Total-e-Server HP Middleware

Unify eWave Engine Unify

Voyager Application Server 4.5 Recursion Software

WebObjects Apple Computer

WorkOut @Work Technologies

XML Canon/Developer TIBCO

5) 常见Java类库:

这些都是很不错的东东，不知道你是否用过ILOG。。。。。。。。。。

Actuate e.Spreadsheet Engine Actuate Corporation

Cafe Rete The Haley Enterprise

Careflow Development Kit CareFlowNet

CocoBase Enterprise O/R Thought Inc

Coffee Table 3Magic

Eclipse Eclipse Open Source Project

Electric XML The Mind Electric

Expresso Framework Jcorporate

Formula One for Java Tidestone

Host Access Class Library IBM

IAIK Crypto Toolkit Suite IAIK

ILOG JViews Component Suite ILOG Inc.

J/CarnacPro INT, Inc.

JCL in Pervasive.SQL 2000i SDK Pervasive Software

JClass Enterprise Suite Sitraka

Jconfig Samizdat Productions

JFreeChart The Object Refinery

JGL Recursion Software

JGo Graphics Library Northwoods Software

jKit/GO Instantiations

JLOOXGis LOOX Software

JSmartGrid 1.0 Eliad Technologies, Inc.

JSuite Infragistics Protoview

KeyTools Pro Baltimore Technologies

Oracle9i JDeveloper - BC4J BI Beans Oracle

realMethods Framework realMethods

Remote AWT for Java IBM

ROAD:BeanBox Specialized Software

SpatialX ObjectFX

Spirit eVisNet

StudioJ Rogue Wave

StyleReportEE Inetsoft Technology Corporation

The Centuris PKI Toolkits Phaos Technology

The Java Collection's Framework Sun Microsystems

VantagePoint Visualize Inc.

6) 常见Java组件:

Java类库中，命名空间的构想使得Java组件的开发、共享很方便。。。

BEA WebLogic Portal BEA Systems, Inc.

Coldtags suite Coldbeans Software

e.Spreadsheet Engine Actuate Corporation

eContent Jcorporate Ltd

Espial Espresso Espial

ICE Browser ICEsoft

ILOG JTGO ILOG

IPWorks! In software inc.

J/View3DPro INT, Inc.

Jconfig Samizdat Productions

JLOOXLayout LOOX Software

JSuite™ 6.0 Infragistics

Kronos Enterprise Scheduler 3.00 Indus Consultancy Services

NetCharts Visual Mining, Inc.

Oracle Business Components for Java Oracle Corporation

PGUI ProSyst Software AG

PopChart Live CORDA Technologies

PowerChart™ Server Edition Infragistics

Sitraka JClass Sitraka

Tiles (Components) Cedric Dumoulin

Validator David Winterfeldt

VisualSoft JBChart VisualSoft Technologies

VisualSoft JBProjectGantt VisualSoft Technologies

VisualSoft JBScheduler VisualSoft Technologies

Voice Essentials 1 Voice Components

7) 常见Java数据访问工具:

这些科都是好东西！

CA Advantage EDBC for Java Data Access Computer Associates

CocoBase Enterprise O/R Thought Inc.

FrontierSuite ObjectFrontier

i-net KONNEKTER i-net software

iSQL-Viewer 100acres.org Software

Kodo JDO SolarMetric Inc.

MVCSoft Persistence Manager MVCSoft Inc

NetDirect JDataConnect NetDirect

ObjectStore eXcelon

OpenFusion JDO PrismTech Corp

OpenLink JDBC Drivers OpenLink Software, Inc.

Oracle9i Business Components For Java (BC4J) Oracle Corporation

Oracle9iAS TopLink WebGain

PopChart Server Enterprise CORDA Technologies

XML Spy Suite 4.2 Altova, Inc.

Java平台乱弹一

2008-04-02T04:23:00.000-07:00

Java平台，自然有很多有魅力的地方。从JVM，到J2SE、J2ME、J2EE、J2EE Web Services、。。。还有Java开发工具、用Java开发的工具，无所不包，废话少说，开始进入正题。（修改JDJ提供的内容）很值得一看！

1) Java书:

Java 书籍，现在也有不少优秀的杰作。从Thinking in Java、Oreilly in a Nutshell，到Enterprise JavaBeans、Mastering EJB、Java Tools for Extreme Programming等等，还有Effective Java Programming Language Guide，还有，一些网站的图书，比如，Sun的J2EE Blueprints、Core J2EE Patterns。下面是一些常见的Java书籍。

Advanced Java 1.1 Programming McGraw-Hill

Advanced Java 2 Platform How to Program Prentice Hall PTR

Advanced Java Networking Prentice Hall

Advanced JavaServer Pages Prentice Hall PTR

Applied Java Patterns Prentice Hall PTR

Beginning Java 2- JDK 1.3 Edition Wrox Press

Beginning Java Networking Wrox Press

Building Java Enterprise Systems with J2EE Sams Publishing

Building Web Services with Java Sams Publishing

Core J2EE Patterns Best Practices and Design Strategies Prentice Hall

Core J2ME Technology and MIDP Prentice Hall PTR

Core Java 2, Volume 2 5/e Prentice Hall PTR

Core JFC 2/e Prentice Hall PTR

Core Servlets and JavaServer Pages Prentice Hall

Core Web Programming, 2/e Prentice Hall PTR

Database Programming with JDBC and Java O'Reilly & Associates

Developing Java Servlets Sams Publishing

Early Adopter J2SE 1.4 Wrox Press

Early Adopter Mac OS X Java Wrox Press

Effective Java Programming Language Guide Addison-Wesley

Enterprise JavaBeans 3rd Edition O'Reilly & Associates

Introduction to Engineering Programming: In C and Java John Wiley & Sons

J2EE Applications and BEA WebLogic Server Prentice Hall

J2EE Blueprints 1.0.1 Sun Microsystems

J2EE Unleashed Sams Publishing

Java (Teach Yourself) Addison-Wesley

Java 3D API Jump-Start Prentice Hall PTR

Java and XML 2nd Edition O'Reilly & Associates

Java and XSLT O'Reilly & Associates

Java Collections Apress

Java Cookbook O'Reilly & Associates

Java Cryptography O'Reilly & Assoc

Java Deployment with JNLP and WebStart Sams Publishing

Java Developer's Handbook Sybex

Java Enterprise in a Nutshell O'Reilly & Associates

Java Event Handling Prentice Hall PTR

Java Foundation Classes in a Nutshell O'Reilly

Java GUI Development Sams Publishing

Java How to Program, Fourth Edition Prentice Hall

Java in a Nutshell O'Reilly & Associates

Java Internationalization O'Reilly & Associates

Java Message Service O'Reilly & Associates

Java Network Programming O'Reilly & Associates

Java Performance Tuning O'Reilly & Associates

Java Platform Performance: Stategies and Tactics Addison-Wesley

Java Programming on Linux Waitegroup Press

Java RMI O'Reilly & Assoc

Java Security Handbook Sams Publishing

Java Security, 2nd Edition O'Reilly & Assoc

Java Servlet Programming O'Reilly & Associates

Java Servlets: By Example Manning Publications Co.

Java Swing O'Reilly

Java Thread Programming Sams Publishing

JavaServer Pages O'Reilly & Associates

JavaServer Pages Application Development Sams Publishing

JDBC API Tutorial and Reference Sun Microsystems

Jini and JavaSpaces Application Development Sams Publishing

JRun Web Application Construction Kit Macromedia Press

JSP and Java: The Complete Guide to Website Development, 1/e Prentice Hall PTR

JSP Tag Libraries Manning Publications

Just Java 2, 5/e Prentice Hall PTR

Learning Java O'Reilly & Associates

Marty Hall's Servlets and JavaServer Pages Training Course Prentice Hall PTR

Mastering Enterprise Java Beans The Middleware Company

Mastering Java 2 Sybex

Professional EJB Wrox Press

Professional J2EE EAI Wrox Press

Professional Java 2 Enterprise Edition with BEA Weblogic Server Wrox Press

Professional Java Server Programming J2EE 1.3 Edition Wrox Press

Professional JSP 2nd Edition Wrox Press

Professional WebObjects 5.0 with Java Wrox Press

Pure JFC Swing Sams Publishing

Pure JSP: Java Server Pages Sams Publishing

Sams Teach Yourself Java in 21 Days Sams Publishing

Sams Teach Yourself JavaServer Pages in 24 Hours Sams Publishing

Server-Based Java Programming Manning Publications Co.

Special Edition Using Enterprise JavaBeans 2.0 Que Publishing

Struts Fast Track: J2EE / JSP Framework baseBeans

The Complete Java 2 Certification Study Guide Sybex

The Complete Java 2 Training Course, 4/e Prentice Hall PTR

The Official Gamelan Java Applet Library Simon & Schuster

The Official VisiBroker for Java Handbook Sams Publishing

UML Components WebGain

Visual Age for Java 3.5 Prentice Hall PTR

Web Development with Java Server Pages Manning Publications Co.

Wireless Java Programming with J2ME Sams Publishing

Wireless Java: Developing with J2ME Apress

XML Development with Java 2 Sams Publishing

2) 企业数据库:

数据库作为信息中心，其地位可想而知。

Borland JDataStore Borland Software Corporation

CA Advantage Ingres Enterprise Relational Database Computer Associates

CACHE' InterSystems Corporation

Cloudscape IBM

CocoBase Enterprise O/R Thought Inc

DB4O - Database for Objects db4o

DBArtisan Embarcadero Technologies

eXtensible Information Server (XIS) eXcelon Corp.

GigaSpaces GigaSpaces Technologies Ltd.

IBM DB2 Universal Database v7.2 IBM

MySQL MySQL.com

Oracle9i Database Oracle Corporation

Pervasive.SQL 2000i Pervasive Software

PointBase Server PointBase Inc.

PostgreSQL PostgreSQL Global Development Group

Sybase ASE 12.5 Sybase, Inc.

Versant Developer Suite, ODBMS Versant

WebGain TopLink WebGain

3) 常见Java应用:

Java开发应用到底有多厉害，看看就知道很不一般。

2LKit for VJ++ 2LKit

AgentWare's Syndicator AgentWare

Appgen Moneydance Appgen Personal Software

AveAccess Environics Communications

BackOnline Freeback.com

BEA WebLogic Server 7.0 BEA Systems, Inc.

Borland JBuilder Borland Software Corporation

BuzzPower 3.0 BuzzCompany.com

Callista Connect DSSOnline

Casetracker Cezve Technology

Centra Centra Software

ChartWorks Designer Visual Mining, Inc.

DeployDirector Sitraka

Describe Embarcadero

Droplets Droplets

ECential ECommerce Component Evergreen

eForum/eContent Jcorporate

Espial Escape Espial

Extensity Application Suite Extensity

FatWire's UpdateEngine FatWire Software

Flashline Component Manager Flashline

Formula One for Java 8.0 Tidestone

Forte for Java/NetBeans Sun Microsystems/NetBeans

GameBlazer ZeBlazer Systems

GemStone/J 4.1 Brokat GemStone

HOBLink J-Term HOB

Homestead Homestead.com

HP Application Server 8.0 Hewlett-Packard Company

ICE Browser ICEsoft

ILOG JRules ILOG Inc.

Induslogic Xintegrate Web Services Edition Induslogic

InstallAnywhere Enterprise Edition Zero G Software

InstallShield MultiPlatform InstallShield

IntelliJ IDEA IntelliJ Software

Internet Shopping with Java Eastland Data Systems

Introscope V2 Wily Technology

IONA Orbix E2A Application Server Platform IONA Technologies

iPlanet Application Server, Enterprise Pro Edition iPlanet

JavaCC WebGain

JCertify 5.0 EnterpriseDeveloper.com

JExpress Professional DeNova, Inc.

Jive Forums Jive Software

JLOOX LOOX Software

JSOS Coldbeans Software

Kronos Enterprise Scheduler 3.00 Indus Consultancy Services

LimeWire LimePeer

LION bioscience iDEA Lion Bioscience

Lutris Enhydra 3.5 Lutris Technologies

MagicDraw UML 5.0 No Magic

mBedded Server ProSyst Software AG

My Sun Application via Sun.Com Sun Microsystems

Netbook, online betting Versant

Novera 4.6 TSI Software

ObjectAssembler - Enterprise Edition ObjectVenture Inc.

Oracle9i JDeveloper Oracle Corporation

PointBase Server Edition PointBase

PopChart Builder CORDA Technologies

QuestAgent Pro Jobjects

Readerware Readerware

Saffeine 1.0 Saffeine

SavaJe XE SavaJe Technologies

SlangMail SlangSoft

SourceGuard 4thpass

Sybase Ultralite Sybase, Inc.

TeamCenter 4.0. Inovie Software, Inc.

TimeCruiser 2.0 Enterprise Timecruiser

Together ControlCenter 5.5 TogetherSoft Corporation

Turbo XML TIBCO

WingDis 2.15 WingSoft Corp.

XMLSolutions Business Integration Platform XMLSolutions

YOUcentric YOUcentric

Zelix KlassMaster Zelix Pty Ltd

Oracle default port list

2008-04-02T00:49:00.000-07:00

Service	Port	Product	How to change
Oracle HTTP Server listen port / Oracle HTTP Server port	80	Oracle Application Server	Edit httpd.conf and restart OHS
Oracle Internet Directory(non-SSL)	389	Oracle Application Server
Oracle HTTP Server SSL port	443	Oracle Application Server	Edit httpd.conf and restart OHS
Oracle Internet Directory(SSL)	636	Oracle Application Server
Oracle Net Listener / Enterprise Manager Repository port	1521	Oracle Application Server / Oracle Database	Edit listener.ora and restart listener
Oracle Net Listener	1526	Oracle Database	Edit listener.ora and restart listener
Oracle Names	1575	Oracle Database	Edit names.ora and restart names server
Oracle Connection Manager (CMAN)	1630	Oracle Connection Manager	Edit cman.ora and restart Connection Manager
Oracle JDBC for Rdb Thin Server	1701	Oracle Rdb
Oracle Intelligent Agent	1748	Oracle Application Server	snmp_rw.ora
Oracle Intelligent Agent	1754	Oracle Application Server	snmp_rw.ora
Oracle Intelligent Agent	1808	Oracle Application Server	snmp_rw.ora
Oracle Intelligent Agent	1809	Oracle Application Server	snmp_rw.ora
Enterprise Manager Servlet port SSL	1810	Oracle Enterprise Manager
Oracle Connection Manager Admin (CMAN)	1830	Oracle Connection Manager (CMAN)	Edit cman.ora and restart Connection Manager
Enterprise ManagerAgent port	1831	Oracle Enterprise Manager
Enterprise Manager RMI port	1850	Oracle Enterprise Manager
Oracle XMLDB FTP Port	2100	Oracle Database	change dbms_xdb.cfg_update
Oracle GIOP IIOP	2481	Oracle Database	Edit listener.ora/init.ora and restart listener/database
Oracle GIOP IIOP for SSL	2482	Oracle Database	Edit listener.ora/init.ora and restart listener/database
Oracle OC4J RMI	3201	Oracle Application Server
Oracle OC4J AJP	3301	Oracle Application Server
Enterprise Manager Reporting port	3339	Oracle Application Server	Edit oem_webstage/oem.conf and restart OHS
Oracle OC4J IIOP	3401	Oracle Application Server
Oracle OC4J IIOPS1	3501	Oracle Application Server
Oracle OC4J IIOPS2	3601	Oracle Application Server
Oracle OC4J JMS	3701	Oracle Application Server
Oracle9iAS Web Cache Admin port	4000	Oracle Application Server	Webcache Admin GUI or webcache.xml
Oracle9iAS Web Cache Invalidation port	4001	Oracle Application Server	Webcache Admin GUI or webcache.xml
Oracle9iAS Web Cache Statistics port	4002	Oracle Application Server	Webcache Admin GUI or webcache.xml
Oracle Internet Directory(SSL)	4031	Oracle Application Server
Oracle Internet Directory(non-SSL)	4032	Oracle Application Server
OracleAS Certificate Authority (OCA) - Server Authentication	4400	Oracle Application Server
OracleAS Certificate Authority (OCA) - Mutual Authentication	4401	Oracle Application Server
Oracle HTTP Server SSL port	4443	Oracle Application Server	Edit httpd.conf and restart OHS
Oracle9iAS Web Cache HTTP Listen(SSL) port	4444	Oracle Application Server	Webcache Admin GUI or webcache.xml
Oracle TimesTen	4662	Oracle TimesTen
Oracle TimesTen	4758	Oracle TimesTen
Oracle TimesTen	4759	Oracle TimesTen
Oracle TimesTen	4761	Oracle TimesTen
Oracle TimesTen	4764	Oracle TimesTen
Oracle TimesTen	4766	Oracle TimesTen
Oracle TimesTen	4767	Oracle TimesTen
Oracle Enterprise Manager Web Console	5500	Oracle Enterprise Manager Web
iSQLPlus 10g	5560	Oracle i*SQLPlus
iSQLPlus 10g	5580	Oracle i*SQLPlus RMI Port
Oracle Notification Service request port	6003	Oracle Application Server
Oracle Notification Service local port	6100	Oracle Application Server
Oracle Notification Service remote port	6200	Oracle Application Server
Oracle9iAS Clickstream Collector Agent	6668	Oracle Application Server
Java Object Cache port	7000	Oracle Application Server
DCM Java Object Cache port	7100	Oracle Application Server
Oracle HTTP Server Diagnostic Port	7200	Oracle Application Server
Oracle HTTP Server Port Tunneling	7501	Oracle Application Server
Oracle HTTP Server listen port / Oracle HTTP Server port	7777	Oracle Application Server	Edit httpd.conf and restart OHS
Oracle9iAS Web Cache HTTP Listen(non-SSL) port	7779	Oracle Application Server	Webcache Admin GUI or webcache.xml
Oracle HTTP Server Jserv port	8007	Oracle Application Server
Oracle XMLDB HTTP port	8080	Oracle Database	change dbms_xdb.cfg_update
OC4J Forms / Reports Instance	8888	Oracle Developer Suite
OC4J Forms / Reports Instance	8889	Oracle Developer Suite
Oracle Forms Server 6 / 6i	9000	Oracle Application Server
Oracle SOAP Server	9998	Oracle Application Server
OS Agent	14000	Oracle Application Server
Oracle Times Ten	15000	Oracle Times Ten
Oracle Times Ten	15002	Oracle Times Ten
Oracle Times Ten	15004	Oracle Times Ten
Log Loader	44000	Oracle Enterprise Manager

多域单点登录SSO系统的实现

2008-04-01T23:01:00.000-07:00

天幻网新的规划中，将涉及到多域，如FFSKY.COM,FFSKY.CN等等，因此网上某些对同一域靠设置COOKIE的DOMAIN=".FFSKY.COM"的方式根本行8通，因此考虑用纯粹的PASSPORT的机制。
建设此系统前，我做了充分的准备工作，参考了网上N多的SSO系统实现的文章，包括国内和国外的，发现SSO系统有许多都是商业版的，基于JAVA的有许多现成的开源项目，甚至有WEBLOGIC内置的。而基于.NET的最完善的似乎是MS的PASSPORT，但貌似用户信息全部要汇总到MS的 PASSPORT网站，也就是说无法调用自己的用户数据库。另外还有现成的Discuz！论坛的PASSPORT，但只能用在两个站之间。还有一个基于. NET的SSO东东,但看了半天应该也是商业版的，要下载试用版还获取不要验证邮件- -b郁闷之下自己动手，丰衣足食~
自己所接触到的自有的 SSO系统的网站其实有印象的就2个，一个是MOP，一个是CSDN,但似乎都是同一域下的。看N篇参考文章之后唯一让偶感觉到可以在天幻实行的就是通过统一认证网站认证后返回到源网站，在URL地址中加入返回参数，而源网站通过解析该参数获取用户认证信息。这种方式可以跨多域.
其基本流程是：用户登录某网站，点击“登录”，然后转向到认证服务器（PASSPORT），在认证服务器完成认证后携带加密后的参数转回到原网站，原网站解析加密信息后给予用户已经登录状态。
但是网上很多资料都没有说清楚几点，正如我前一篇开工前文章中所说的：
1、TICKET加密方式，DES还是RSA
2、用户注销操作怎么处理，在A域超时，消息肯定要给S验证域，那当时用户还在B域里玩也，到底算他注销不。
3、用户从A域转到B域，是否还要到S验证域验证一下。还是在用户登陆时就将信息发给各服务域。
4、按SAML协议标准，有一个环节居然是服务域和注册域交互验证。这和原先的SSO流程不符合，看来可能还需要开发一个WEBSERVICE来遵循这个协议。

而我设计的天幻的SSO流程中，对以上几点是这样处理的：
1、使用AES衍生的Rijndael处理，因为DES强度太差，而且只有密钥，而RSA虽然有公钥和私钥，但生成的数据长度实在太长，不利于在浏览器中携带。而Rijndael算法有一个密钥和一个IV向量，可以在其中做双重验证用。
2、注销操作没办法做到各域同步，忽略这一问题，由各域自己控制用户超时量
3、引入自动监测机制，每张需要验证用户的页面如果发现用户没有登录，自动到PASSPORT域转一圈作为验证，如果在PASSPORT域发现用户已登录，则设用户已登录状态。
4、由于采用Rijndael加密，为了最大化安全性，将IV作为服务主机和认证主机之间私密交换的信息，我采用的是WEBSERVICE方式。

明确了以上的要素，整个单点登录系统就相对明确了。懒得画图，直接文字叙述实现方式吧，也不贴代码了，因为代码没有优化过，比较难看，同时也为了保证安全性,呼呼

1、自动判断是否登录流程

某可能会判断用户是否登录的页面，如果发现用户用户未登录（我都是判断SESSION（“NAME”）是否为空），并且用户浏览器支持COOKIE（即支持会话），且SESSION（“AUTOLOGIN”）为NULL，则先置用户SESSION（“AUTOLOGIN”）=“1”，然后自动将用户重定向到PASSPORT域进行鉴别，如果未登录，则直接返回，如果已登录，则重定向回的URL地址中加载认证字串。为了防止用户每点一张页面都要到登录域验证，所以需要加载一个认证是否已验证过的SESSION，以及浏览器是否支持SESSION。
其中唯一的隐患在于ASP.NET碰到用户浏览器虽然支持COOKIE功能但用户手动关闭COOKIE的话无法判断。但相信这种情况不会太常见，而通常非注册用户访问页面张数也不会超过10张，所以即使存在此类问题对服务器压力也会比较小。

2、子站点涉及的参数

我给每个子站点分配一个SITEID和一个密钥，他们是一一对应的。为什么要给每个子站点分配不同的？因为这样就能引入第三方开发的程序，而无需由第三方来读取网站数据库。同时也可以防止第三方程序密钥泄露造成可以模拟用户登录。
子站点在转到登录域的时候需要携带两个必要参数：SITEID和要转回的URL地址。SITEID用来让登录域判断要加密时使用的密钥（KEY），转回URL地址用以转回源地址用。

3、基本登录流程

在某子站点“登录”，转到登录域，登录域判断用户未登录（判断依据下述），要求用户输入必要信息（用户名/密码/是否记忆密码/验证码等），用户登录成功后写以下COOKIE信息：用户名、用户ID，用户IP、当前的SESSIONID、COOKIE有效时间（通常为几个小时）。然后用Rijndael算法，以当前的SESSIONID作为IV量，以对应该网站的KEY作为密钥，加密用户名、用户ID、IP、是否自动登录等等信息。同时，在数据库 ONLINEUSER表中将登录信息插入数据库，保存登录人登录状态的SESSION，其实就是保存IV值。将加密后的字符串，连带用户的USERID作为TICKET参数返回给请求的网站，格式样本如下：
http://www.ffsky.cn/index.aspxticket=38_4bku80WzbgHpgk034Wy5pOc%2f4cpIRI%2fLDHKDqITstQM%3d
其中38即为我的用户名CHOCOBO在数据库的ID号。
而FFSKY.CN网站判断我在未登录状态，且QUERYSTRING有TICKET参数，则开始尝试解析TICKET参数。首先就是提取USERID和加密后字符串，然后调用PASSPORT认证网站中的一个WEB SERVICE，这个WEB SERVER传入USERID后即会从数据库中读取并返回用户最近的SESSIONID，即IV值。FFSKY.CN网站靠分配给它的密钥和通过WEB服务得到的IV值即获取了我的相关信息。
获取相关信息后还需要有一点，即防模拟URL登陆，这里用的方式是判断IP地址，即解析数据库中有登录时的IP，然后通过IP地址比对来判断用户是否状态有变。如果A登陆后B直接粘贴A的URL地址是无法正常登陆的. 但同一内网的人如果这样做会怎么样呢？猛一看貌似比较难解决，但这里就需要用到一个小技巧了，就是一些牛X哄哄的安全公司用的一次密码技术。我们在调用 WEBSERVICE是否，在WEBSERVICE传会IV值后即将数据库中对应的IV值置空。也就是说这个KEY只能用一次，这样问题就迎刃而解了。

4、基本注销流程

注销流程其实应该分两个环节，子站注销和验证域注销。流程相当简单，先到子站的LOGINOUT。ASPX，在子站销毁SESSION，再重定向到验证域，在验证域销毁COOKIE中关键信息（USERID/当前SESSIONID等），在数据库中删除相关登录信息，再转回到原子网站。

5、自动登录

如前所述，用户访问某页面时自动会转到验证域判断是否登录过，而这时如果在验证域发现用户COOKIE中含有PASSWORD通过MD5加密过的信息，则会尝试自动登录机制。同时，如果用户在近期登录成功，即在COOKIE中有USERID信息，则尝试判断该COOKIE是否有效果，判断依据是看IP地址和COOKIE有效期，这里强置两点：1是IP地址必须和初始登录时一致，2是用户首次登录12小时后必须重新登录。如果一切PASS，则重新加密信息后转回请求页。

6、安全考虑

其实安全性主要有以下几方面攻击情况要考虑：
1）、暴力破密码：
在登录页加图片验证码，图片可以加强噪点等混淆机制，甚至可以将验证域用HTTPS方式。
2）、模拟COOKIE：
能获取某用户COOKIE信息有两类情况：掌握用户主机控制权，通过论坛等地方获取用户COOKIE部分参数内容（跨站攻击）。前者的话已无安全控制可言，而后者由于已经采用单一的域登录，理论上应该不可能通过跨站手法获取访问用户的COOKIE信息了。
3）、取得密钥模拟：
一是各子域密钥不同，二是采用Rijndael算法还有个IV量必须通过WEBSERVICE才能获取。两道锁应该比较安全了。
4）、模拟登陆URL地址
正如前面所述，通过一次密码的方式在WEBSERVICE中读取SESSIONID（即IV）后即将此值在数据库中去除。这样就可以防止第二方截取URL地址模拟登陆了。

结语：以上方式基本实现了天幻的SSO系统，其中还有很多小的编程细节和经验说也说8清楚，比如URL编码、取消自动登录、WEBSERVICE的IP验证……等等。此文仅描述流程部分，其中有许多是安全关注的焦点，编程部分还是看需要人的实力吧。这里就不做开源了，免得网站被无谓的攻击 ~O~ 发现以上流程有安全隐患漏洞的请留言，呼呼

Securing Web services

2008-04-01T22:57:00.000-07:00

The buzz accompanying Web services today no longer vibrates around system integration and XML interfaces, but around security — and the frantic, mish-mashed efforts to create security standards.

Web services are built with standard interfaces based on the Simple Object Access Protocol (SOAP) from the World Wide Web Consortium (W3C). But because SOAP is not secure at this point, Web services cannot achieve their mission of enabling business-to-business commerce and integration of business partners' disparate platforms, network executives say.

Without security in the Web services framework/architecture, development of other Web services standards for e-commerce also will suffer, including those to support reliable and asynchronous messaging, business-process workflow and transactional integrity.

"Security is a rollout inhibitor today, absolutely," says Mark Jones, vice president of business development for the National Student Clearinghouse (NSC), a nonprofit organization in Herndon, Va., that provides university enrollment and degree verification services to lenders and businesses. NSC knows the issues firsthand, as it is on the verge of deploying two Web services to streamline the collection and dispersal of its data to potentially millions of partners.

Jones likens the challenge of establishing Web services for partner-to-partner trading to using public-key infrastructure and electronic data interchange. While standards-based partner-to-partner transactions are great conceptually, they're difficult to implement. "Having just been through that for 10 or 15 years with EDI, [I know] it is a very tough problem to solve," he says. "No one has really perfected a way to do partner-to-partner trading yet. So we question the evolution of the standards and how well they will work."

Jones isn't alone. Recent surveys by Hurwitz Group and ZapThink show that security is the No. 1 obstacle to adoption of corporate Web services.

Of course, security can be added to SOAP via extensions, and so a flurry of work to do so is in progress — spanning three standards bodies that have produced complementary but sometimes overlapping protocols (see graphic).

Extensions will standardize ways for systems to prove their identities, validate user authorization and access credentials, guarantee confidential transactions, and ensure integrity and nonrepudiation.

While waiting on standards ratification and vendor implementation of those extensions, many network executives are limiting Web services to intranet projects or improvising security when Web services traverse corporate boundaries. Such improvisation includes homegrown security, fitting established Internet standards or proprietary products onto projects, or contracting with third parties to supply security services. NSC sidestepped the standards maze by using software from Flamenco Networks to wrap authentication, authorization and management capabilities around its Web services, says Doug Falk, NSC CIO.

"We probably could have started with weaker encryption and relied on a model using HTTP-S and authenticating based on a user ID and password. That would have worked for a period of time until someone raised concerns over that model being too weak," Falk says.

The rush is on

Meanwhile, XML standards bodies have been busy. The Internet Engineering Task Force (IETF), the Organization for the Advancement of Structured Information Standards (OASIS) and the W3C are working on or have completed no fewer than 13 security protocols usable with Web services. These include extensions for encryption, digital signatures, nonrepudiation and long-accepted standards such as Kerberos that are being folded into the Web services mold.

With so many cooks in the kitchen, the industry lacks a clear view of how individual Web services security specifications will be melded into an interoperable security framework.

To their credit, OASIS and W3C are comparing their efforts with the aim of clarifying the security work. "If any of these security specifications are going to work together, we have to work together," says Karl Best, director of technical operations for OASIS.

The cooperation began with WS-Security, a specification proposed by IBM, Microsoft and VeriSign in April and turned over to OASIS last month. WS-Security, which lets Web services pass secure and signed SOAP messages, has at its core the W3C's XML Encryption and XML Digital Signature and will add six other extensions for functions such as expressing security policies, trust relationships, federation and authorization. Then last month, OASIS and W3C sponsored a forum to compare and contrast work being done by both groups.

In addition to XML Digital Signature and XML Encryption, W3C is developing the XML Key Management Specification and a Web Service Architecture that includes a security framework. Meanwhile, OASIS is developing the Security Assertion Markup Language (SAML) for authentication and authorization, the Extensible Access Control Markup Language, Service Provisioning Markup Language and the XML Common Biometric Format.

The IETF's work centers on standards for transport-level security on which OASIS and W3C are building application-level security protocols.

The groups need to develop a conceptual "security stack" model that illustrates how various protocols will rely on each other, rather than compete, says Ann Thomas Manes, a security expert who works with OASIS and W3C and is CTO for Web service security vendor Systinet. "The higher-level items take advantage of the lower levels of the stack. So WS-Security depends on XML Digital Signature, XML Encryption, SAML and SOAP," she says.

Corporations pushing ahead

Such a model is logical, but generates only passing interest from corporations on the cutting edge that want to push their Web services over the firewall now.

"At this point we are using a standard firewall system with Secure Sockets Layer encryption, and we have built our own Web services gateway for authentication and authorization," says Gereon Fredrickson, senior director of technology products for Galileo International, a provider of data to the travel industry.

While Galileo waits for the interoperability that standards promise, a handful of vendors offer a collection of middleware software and services to boost Web services security, including BEA Systems, Cape Clear, Flamenco, Grand Central Networks, IBM, Iona, Kenamea, Microsoft, Oracle, Sonic, Sun, Systinet and Tibco.

Galileo, which went live with its first external Web service last month, is waiting for the security standards landscape to flatten. "There is still some shake-out that has to happen before we see where the actual standards will settle. Then we'll see where we can use those," Fredrickson says.

Signs of a settling have begun in that the WS-Security specification is generally regarded as a competent starting point. It specifies how communication among Web services will be secured and describes how to put security protocols to use within SOAP. WS-Security adds security information to the headers of SOAP messages using XML Encryption, XML Digital Signatures and identity protocols such as SAML or Kerberos, an IETF standard.

"In terms of pure Web services security, we are just starting out," says Bob Sutor, director of e-business standards strategy for IBM. "But WS-Security starts to lay the foundation."

Settlement also is happening around workflow specifications that will aid in deploying security at execution points when multiple Web services applications are tied together across a number of organizations.

Last month, IBM and Microsoft combined their respective Web Services Flow Language and XLANG to create the Business Process Execution Language for Web Services. The language lets users specify a collection of Web services and the order in which they need to be executed as part of a business process such as filling an order. It joins similar efforts from Sun on Web Services Choreography Interface and protocols included in OASIS's electronic business XML specification.

With the stages of a business process defined in a workflow, security tenants such as encryption, authentication and access control can be defined per stage instead of blanketing the transaction as a whole. The workflow lets certain forms of security be applied only where they are needed.

"If you manage the workflow of a transaction, you can trace each step and make sure security is occurring," says Bernhard Borges, managing director of the advanced technology group at PricewaterhouseCoopers Consulting. He says workflow builds a foundation that finally lets multiple Web services be aggregated into a business transaction.

"Once you get the bits and pieces of workflow, you can start to apply security," Borges says.

However, experts say it could take two to five years before the standards are mature enough for corporate customers to make use of them.

"Without a security and trust infrastructure, Web services will be dead on arrival," says Phillip Hallam-Baker, principal scientist for VeriSign. "But people shouldn't be concerned that this is a problem that won't get solved, because there is very large agreement on the basic approach on how to go about this."

A standards mishmash
The Organization for the Advancement of Structured Information Standards (OASIS) and World Wide Web Consortium (W3C) have pinpointed 13 specifications likely to form the foundation of a Web services security framework.

Standard (proposed or final)	Standards body/Status	Description
SAML Security Assertion Markup Language	OASIS/Final vote	Exchanges user and machine authentication and authorization information.
XACML Extensible Access Control Markup Language	OASIS/Committee review	Expresses policies for information access.
SPML Service Provisioning Markup Language	OASIS/In committee	Defines how to exchange user, resource and service provisioning information.
WS-Security	OASIS/Forming technical committee	Extends Simple Object Access Protocol with XML security protocols.
XrML Extensible Rights Management Language	OASIS/Gathering requirements	Manages copyrights of digital content.
XCBF XML Common Biometric Format	OASIS/Defining scope of work	Defines XML codings for Common Biometric Exchange File Format.
XML Digital Signature	W3C/Completed	Provides integrity, signature assurance and non-repudiation.
XML Encryption	W3C/Final vote in committee	Encrypts and decrypts digital content.
XKMS XML Key Management Specification	W3C/Working draft	Provides a method for obtaining cryptographic keys.
Transport Layer Security/ Secure Sockets Layer	IETF/RFC 2246	Secures Internet traffic between two points.
SASL Simple Authentication and Security Layer	IETF/RFC 2222	Adds authentication to connection-based protocols.
Kerberos	IETF/RFC 1510	Provides tickets for authenticating users.
BEEP Blocks Extensible Exchange Protocol	IETF/RFC 3080	Helps establish quality of service over the Internet.

Java开源身份验证

2008-04-01T22:31:00.000-07:00

JOSSO(Java Open Single Sign-On)是一个开源的J2EE-based的SSO(SSO：单一登录技术是一种认证和授权机制，它允许注册用户只需要在任一成员网站上登录一次，而后授权访问其他连接的分支网站，无需再进行验证登录)基础结构.它的目的是提供一种用来解决在统一平台上进行用户集中认证的方案.

更多JOSSO信息

Acegi Security

Atlassian Seraph

Seraph 是一个非常简单,可插入的J2EE Web应用程序安全框架.它主要基于以下几个核心组成部分:拦截器,它允许在安全事件发生(如登录/登出)的前后运行相应的代码.认证器,依赖一个后台用户系统来验证一个用户.控制器,这个控制器用来管理安全机制是否启用和失效.角色权限设置等.

更多Atlassian Seraph信息

Kasai

Kasai是一个开源100%基于Java的认证与授权框架.它提供一个完善的,易于管理的许可方案来与你应用程序相结合的.这个框架的目的是为多用户应用程序提供一个使用简单但强大的安全环境.

更多Kasai信息

Gabriel

Gabriel是一用户权限验证安全框架.它的API很小并且易于使用.

更多Gabriel信息

Shibboleth

Shibboleth是一个针对SSO的开源项目。Shibboleth项目主要应用在校园内Web资源共享，以及校园间的应用系统的用户身份联合认证.

更多Shibboleth信息

OpenSAML

OpenSAML1.1是一组开源的Java与C++类库.它实现了SAML(Security Assertion Markup Language)1.0与1.1规范.

更多OpenSAML信息

SourceID

SourceID开源的联合身份认证管理.它提供了实现SAML,ID-FF和WS-Federation安全协议的工具包与项目.

更多SourceID信息

jGuard

jGuard是一个基于JAAS(java authentication and authorization security)的Java安全框架.这个开源项目主要是简单地解决Web应用程序访问控制问题.

更多jGuard信息

Jpam

Jpam 是一个连接Java与PAM的一个中间件.PAM(Pluggable Authentication Modules)是一个在Linux,Solaris,Mac OS X和其它Unix系统上使用的标准安全体系.JPAM允许运行在这些平台上的Java程序使用PAM认证.

更多Jpam信息

Sun's XACML

这是一个开源的访问控制策略引擎.它用Java实现了所有XACML1.1标准必须实现的规则,同时也实现了一些可选的规则.

更多Sun's XACML信息

Yale CAS

耶鲁大学开发的单点登录（Single Sign On）系统称为CAS（Central Authentication Server）被设计成一个独立的Web应用程序(cas.war)。它目前用几个Java Servlet作为实现并且通过一个Https服务器来运行。

更多Yale CAS信息

CAS Generic Handler

CAS Generic Handler是一个插件它使得CAS具备利用不同方法((LDAP, database, files, NIS,...)来验证用户的能力。

更多CAS Generic Handler信息

JCas

JCas实现了一个免费,开源基于Java的CAS服务器.

更多JCas信息

OSUser

OSUser是OpenSymphony框架的一部分，它为用户管理提供了一组易于使用的API.这组提供的功能包括：
证书(Credentials)-用于验证用户的身份；
访问控制(Access Control)-决定是否允许用户去执行某一个任务；
管理(Management)-用于修改基础数据;
概要(Profile)-用户的个人详细资料和数据。
OSUser当前还没有正式发布但是可以通过CVS下载到1.0版本的源码包。完整的OSUser1.0版本也将很快会发布。

更多OSUser信息

JSecurity

JSecurity是一个强大、灵活的Java开源安全框架。它能够简捷地处理认证、授权，集成session管理和单点登录(SSO：single sign-on)。

更多JSecurity信息

OpenSSO

Open Web SSO项目是SSO(单一登录)的一个开源实现。OpenSSO为部署在各种不同Web或应用服务器上的Web应用提供集中身份认证功能。这个项目基于Sun Java^TM System Access Manager,核心代码之上。

更多OpenSSO信息

JBoss SSO Framework

JBoss SSO Framework是一个组件集能够很容易集成到现有的web应用中提供单一登录功能.该框架已经能够支持一些重要的SSO标准如SAML。整个系统包括以下组件：

1.联合服务器(Federation Server)– 一个联合服务器用于为放置在不同安全域(security domain)中的web应用程序安全地传播Federation Token。

2.Token编排框架(Token Marshalling Framework)– 这是一组灵活的/可插件的Java API用来marshal/unmarshal一个Federation Token。该系统默认提供一个SAML兼容的编排器(Marshaller) 。

3.身份管管理框架(Identity Management Framework)–这是一组灵活的/可插件的Java API用来连接中中央身份存储库(Identity Store)。该系统默认提供一个Provider来连接基于LDAP的身份存储库。

更多JBoss SSO Framework信息

openid4java

openid4java这个Java类包能够为Java Web应用添加OpenID认证。

更多openid4java信息

JA-SIG CAS

JA-SIG CAS（Central Authentication Service）为Web应用系统提供了单点登录服务。它的特性包括：一个开放和具有很好文档支持的协议；一个Java开源服务器组件；提供多种类型的客户端包括Java、.Net、PHP、Perl、Apache、uPortal等；能够与uPortal、BlueSocket、TikiWiki、 Mule、 Liferay、Moodle集成使用。

更多JA-SIG CAS信息

JRadius

JRadius 是一个开源的Java RADIUS客户端与服务器框架。JRadius客户端用于帮助你在你的Java应用程序中实现RADIUS验证和账号管理。JRadius服务器是一个 RADIUS处理引擎通过FreeRADIUS中的rlm_jradius模块进行存取/访问。

更多JRadius信息

Securing Web Services with Single Sign-On

2008-04-01T22:29:00.000-07:00

Web Services are arguably the most heterogenous distributed technology ever. A typical Web services setup will make use of many different technologies, object models and programming languages, which might include simple Perl scripts and standalone Web services implemented in C++ or Java, through to sophisticated applications build on top of J2EE application servers. Being able to interact across such diverse environments is one of the strengths of Web services, but it has a price: it becomes difficult to secure such systems. It is hard to find a common security standard for all involved technologies. Today we will talk about single sign-on, the security architecture that brings a flexible an interoperable way of securing heterogenous systems.

Single Sign-On - The Basic Concept

The main problem with using most common security architectures with Web services is that the security infrastructure is very distributed and these architectures usually require that key security features and alghorithms are implemented by all parts of the system. The unfortunate truism of all security systems is that the level of security of the whole system is the same as the level of the security of its weakest part. This obviously leads to inflexibility because we have to either avoid certain technologies or compromise the security of a whole system. Avoiding technologies is generally impractical and negates the very reason Web services are so popular: they are able to bridge between any technology. One possible solution to this problem is the single sign-on (SSO) architecture.

The basic idea of the single sign-on security architecture is to shift the complexity of the security architecture to the so-called SSO service and thus release other parts of the system from certain security obligations. In the SSO architecture, all security alghorithms are found in the single SSO server which acts as the single and only authentication point for a defined domain. Thus, there is a second benefit to an SSO approach to autnentication/registration: a user has to sign-on only once, even though he may be interacting with many different secure elements within a given domain. The SSO server, which can itself be a Web service, acts as the wrapper around the existing security infrastructure that exports various security features like authentication and authorization. We will concentrate mainly on authentication in the SSO environment in this article. Actually, there are two scenarios of the SSO. We will start with the simplest first.

The simple SSO scenario

In the simple SSO scenario, the authenticated party first calls the SSO server and requests the authentication token that identifies it in the particular domain. In order to get the token, it must first provide the correct authentication credentials. There are various forms for those credentials: it might be, for example, a simple username/password or certificate, but other methods can be implemented. The SSO server performs a validation of the users' credentials using the underlying security infrastructure, and only then issues a ticket that the calling application uses for authentication against other applications. In the simple scenario, the token doesn't impose any specific information, it is simply the unique identification of the user in some defined scope and time. After the invoked application receives the token, it validates it by passing it to the SSO server that then performs the actual checks. The following picture illustratives the concept:

Figure 1: The Simple SSO Scenario

The main advantages of the SSO approach are evident:

Encapsulation of the underlying security infrastructure in the SSO server. Implementation, deployment and maintenance are much easier as all communicating parties in the distributed system don't need to individually implement all of the security features and mechanisms.

The SOAP interface to the SSO server makes the SSO architecture universal. As we mentioned earlier, the SSO is itself a Web service. If the SSO server exposes the WSDL of its interface, the SSO API can be instantly generated and made available.

The SSO server enhances security of the whole system as the security credentials don't need to be passed around. The only point that accepts security credentials is the SSO server itself. Moreover, the SSO solution often allows federation, so the authentication can be performed in a broad scope (outside of the particular security domain) while the security credentials stay within the particular security domain.

Advanced SSO - using SAML

SSO server invocations were necessary in the previous simple SSO scenario each time the user was challenged for identity verification. A more advanced approach permits the token itself to contain some valuable security information that allows validation without having to call the SSO server each time. The token contains the authentication or authorization information. This information is 'signed' by the SSO server, so provided the token recipient trusts this server, it doesn't have to do any further verification. The described scenario is outlined in the following diagram:

Figure 2: The enhanced SSO Scenario

There is a new standard for exchanging security-related information in XML called Security Assertions Markup Language (SAML). This is currently being completed at OASIS and its first release is expected at the time of this article's publishing. Basically, the security information described by SAML is expressed in the form of assertion statements about security subjects (e.g. users, machines or services). SAML defines the protocol by which the service consumer issues the SAML request and the so-called SAML authority returns the SAML response with assertions. There are three kinds of assertions:

The Authentication statement informs about the authentication of a particular subject in a specific time and scope.
The Authorization decision allows or denies a subject access to a specific resource.
The Attributes further qualify the subject (e.g. credit line info, citizenship etc.).

The use of SAML isn't limited to the SSO scenario. It can be used in a much broader sense. If our Web services applications understand SAML it shouldn't be difficult to flexibly reconfigure the security architecture without lenghty re-coding.

You can take a look at a the SAML authorization request below. Notice that it contains the user credentials (username and encrypted password in our case) and some descriptions like response requirements, credentials types, etc.

 RequestID="1fgtTGzMXSqpN++/LcFpBmZWrQg=">
 AuthenticationStatement
   
     
       
       
         
           http://www.oasis-open.org/committies/security/docs/draft-sstc-core-25/password
         
         
           cGFzc3dvcmQ=

The response to this request contains the authentication assertion with one attribute/condition that specifies the time period when the authentication is valid:

 MajorVersion="1" MinorVersion="0"
 ResponseID="upuSGdmqx7ov01mExYlt+6bDCWE=">
 
   
 
    IssueInstant="2002-03-03T14:33:58.456" Issuer="WASPCard"
   MajorVersion="1" MinorVersion="0">
        NotOnOrAfter="2002-03-03T15:03:58.466"/>
            AuthenticationInstant="2002-03-03T14:33:55.201"
       AuthenticationMethod="http://www.oasis-open.org/committies/security/docs/draft-sstc-core-25/password">
         
           
           
             
               http://www.oasis-open.org/committies/security/docs/draft-sstc-core-25/password

NOTE: The SAML authentication assertion is signed, so the receiving party can easily do the proof-of-origin check and decide if it trusts the SAML assertion issuer.

Installation

We will need to install Systinet WASP Server Advanced and WASP Card in order to successfully run the following demos. This chapter outlines only basic steps of the installation process. if you want to know further details, please follow links marked Detailed info in the text.

NOTE: You'll need to download the latest (3.0.3 final) release of the WASP Server in order to successfully run the demos.

Make sure that the Sun Java SDK 1.3.x is installed on your machine.
Copy the jaas.jar archive from the Sun JAAS 1.0 package (you can download it from http://java.sun.com/products/jaas/index-10.html) to the lib\ext subdirectory of all installations of your Java Runtime Environment.
Copy the jce1_2_1.jar, local_policy.jar, sunjce_provider.jar and US_export_policy.jar archives from the Sun JCE 1.2.1 package (you can download it from http://java.sun.com/products/jce/index-121.html) to the lib\ext subdirectory of all installations of your Java Runtime Environment.
Change the following section in the java.security file in all installations of your Java Runtime Environment from:

security.provider.1=sun.security.provider.Sun security.provider.2=com.sun.rsajca.Provider
to

security.provider.1=com.sun.crypto.provider.SunJCE security.provider.2=au.net.aba.crypto.provider.ABAProvider security.provider.3=sun.security.provider.Sun security.provider.4=com.sun.rsajca.Provider
NOTE: There are usually at least two installations of the Java Runtime Environment (JRE) on your computer. One is in the Java SDK in its jre subfolder and the other is in the JavaSoft\JRE subdirectory of the main Program Files directory (e.g. C:\Program Files\JavaSoft\JRE. You have to install JAAS 1.0, JCE 1.2.1 and change the java.security file in both JREs. See more details about the security installation requirements here.
Download and install the Sun J2EE. You will find the software here.
Download and install WASP Server Advanced for Java version 3.0.3. You can download it from http://www.systinet.com/products/wasp_advanced/download/license.html. Then you will need to unzip it and run the install.bat script from its bin subdirectory. The more detailed description of the WASP Server installation is.
Install the WASP Server security by running the install-security.bat script from the WASP bin subdirectory. Enter all default values except the server host name (the first entry) where you should specify your hostname (I recommend you use 'localhost'). You can get more details about the WASP security installation at http://www.systinet.com/products/wasp_advanced/doc/htmldata/installation_guide_body.html#security_install.
Download the WASP Card from http://www.systinet.com/eap/wasp_card/download/license.html. Copy the cloudclient.jar and RmiJdbc.jar archives from the lib\cloudscape subdirectory of your J2EE installation to the etc\lib subdirectory of your WASP Card installation directory.
Download the demo files. Unzip them to the c: drive, so they reside in the c:\wasp_demo directory. Then change environment variables to point to directories with your Java, J2EE, WASP Server and WASP Card installations in the env.bat in the bin subdirectory of the demo sources. Then start the Cloudscape database using the startDB.bat script from the bin subdir of the demo sources installation.
Install the WASP Card by running the install.bat script from the bin subdirectory of the WASP Card installation. Accept all default values that the script offers. See more details about the WASP Card installation here.
Stop the WASP Server using the stopserver.bat script from the bin subdir of the demo sources installation. DON'T STOP THE SERVER OTHER WAY THAN with the stopserver.bat script or all the changes done by the WASP Card installation will be lost.
Start the WASP Server again using the startserver.bat script.
Run the WASP Card HTTP browser console by pointing your browser to http://localhost:6060/waspcard/console and use the Register link on the left to register a user with username 'test' and password 'password'. You'll also need to specify some other attributes like e-mail address, full name etc.

NOTE: Depending on the Cloudscape version, you may get an error when issuing the first command in the WASP Card console because the database upgrade might take place. The subsequent commands should work without any problem.

Now we're ready to run the demos.

Simple SSO scenario - the hands-on example

We're still trying to make money in a bear market: the simple stock quote example we've used in past tutorials demonstrates the first, simple SSO approach. All SSO functionality is implemented in the client and server header processors (com.systinet.demos.simple.ClientAuthenticator and com.systinet.demos.simple.ServerAuthenticator). The client header processor takes the username and password from the call context where it was stored by the client application (com.systinet.demos.simple.StockClient), binds to the SSO server web service and then obtains the authentication token by calling its generateAuthenticationToken method providing it with the passed username and password. The token is attached to the SOAP message that is traveling to the stock quote web service. There, it is extracted from the SOAP message by the server header processor (com.systinet.demos.simple.ServerAuthenticator) that binds to the SSO web service and calls its verifyAuthenticationToken method for the token authentication. The authentication result and the username are passed through the call context to the server-side web service. Note that there are some simple token caching alghorithms implemented on both client and the server. Also, the secure SOAP communication is used for talking to the SSO web service as the passed token must obviously be kept private.

NOTE: All scripts used in the following steps are located in the bin subdirectory of the demo files.

Follow those steps to run the demo:

Run the Cloudscape DB server using the startDB.bat script.
Run the WASP Server with the startserver.bat script.
Deploy the simple SSO demo web service using the deploy_simple.bat script.
Run the client application with the run_simple.bat script and look at the client and server consoles.
Undeploy the simple SSO demo web service with the undeploy_simple.bat script.

NOTE: You'll need to specify the WASP admin username and password (username 'admin' / password 'changeit') when deploying/undeploying. You can simply accept all default values by pressing Enter.

Exploring SAML

The next demo shows authentication using SAML. You can run the GUI and issue the SAML request by clicking the Get Token button. Then you can check out the SAML request and response. The Call Service button sends the SOAP message with the SAML authentication assertion appended as a SOAP header to the simple authorization web service that accepts the request, extracts it from the SOAP message and then performs the verification. Note that verification is performed by verifying the SSO server digital signature: no call to the SSO server is neccessary.

The All SAML-related code is in the com.systinet.demos.saml.AuthenticatedService and com.systinet.demos.saml.AuthenticatedServiceFrame Java sources.

You'll need to run those commands to run the SAML demo:

Run the Cloudscape DB server using the startDB.bat script.
Run the WASP Server with the startserver.bat script.
Deploy the simple SSO demo web service using the deploy_saml.bat script.
Run the client application with the run_saml.bat script and check out SAML Request, SAML response and the server verification description.
Undeploy the SAML SSO demo web service with the undeploy_saml.bat script.

You can use the WASP Console (point the HTTP browser to http://localhost:6060/admin/console) for showing all the SOAP messages exchanged between AuthenticatedService and the GUI client. Authenticate yourself to the WASP Console (use admin/changeit username/password) and expand the SAMLSSO package and the SAMLSSO service in it. Then enable the debugging, re-run the example and then check out the SOAP conversation. You should see that the SAML token that is sent from the GUI client to the AuthenticatedService web service in the SOAP message header is digitally signed. We can't see the digital signature displayed in the GUI as it is transparently verified and removed by the WASP framework.

NOTE: All communication in this example isn't encrypted in order to allow the transport spoofing. Obviously, in real-life example encryption must be employed

Review

In this part of the Web services tutorial we learned how to secure applications with a single sign-on utlility. We introduced the simple scenario where the client gets the authentication token from the SSO service and appends it to the outcoming request. The receiving party can validate the incoming token by calling the SSO service. We've also shown how SAML, the standard format for the security information exchange, can enhance the SSO architecture. In the next article we'll begin to explore how to use UDDI.

Mobile 2.0

常见Java开源JMS消息中间件及特性简介

单实例模式数据库连接池+log4j

英文翻译词典工具软件与在线翻译全搜罗

security specifications

Web Services Standards Bodies and Communities

SOAP-Specific

UDDI-Specific

Web Services Security

Miscellaneous

Vendor-Specific Web Services Sites

Web Services Resources and References

Web Services News

Development Platforms and Tools, Including Tutorials and Articles

Some Web Services Security Tools

Some Web Services Security Tools

Web Services Deployment Platform

The Web Services Marketplace

The Web Services Marketplace

1 Products

Vendor Product Categories

Table 3-4. A Sampler of Web Services Vendor Products

Vendor Products by Development Life Cycle

Table 3-5. Marketplace for Different Development Life Cycle Stages

Some Publicly Available Development/Productivity Tools

How to Use JWSDP for Development

3.5.2 Selecting Your Web Services Tools

Selection Criteria

3.5.3 Industry Development

SOAP and ebXML

Table 3-6. Comparing Sun, Microsoft, and IBM Approaches

Comparing Different Web Services Architecture

Comparing Different Web Services Architecture

Metro Tooling - Netbeans, Eclipse, Ant, Maven...

Netbeans

Eclipse

Setup

How to create a Web service

Creating Web Service Client using Wsimport CLI

Creating Web Service Client using Wsimport Ant Task

Creating Web Service Client using SOAP UI Plugin

Types of Web Applications

Java Web-Frameworks

Types of Web Applications

Consumer-facing, high-traffic, stateless applications:

Internal, more desktop-like applications that are stateful:

Media-rich applications that require a RIA framework like Flex

SOA Frameworks

ESBs

Webservice Frameworks

Tools

WebServiceExternalSites

JavaOne Conference Bookstore - Best Sellers

SOA Books

three popular frameworks to implement RESTful services

Sun Java Web Services Developer Pack (JWSDP) Related Books (Newest to Oldest)

到底什么是MSDN？MD5？SHA-1？

CPA CPS CPC CPM CPO PPC PPL PPS CPTM

Performance Improvement in a J2EE Application

Performance Improvement in a J2EE Application

用Axis开发Web Service

Java Web Service的客户端实现

WS-Federation：活动请求方概要

WS-Federation：活动请求方概要

本页内容

1. 引言

1.1. 目标和需求

1.1.1 需求

1.1.2. 非目标

1.2. 标记约定

1.3. 命名空间

1.4. 术语

2. 模型

3.1. 单一登录

3.2. 注销

3.3. 属性

3.4. 假名 (Pseudonym)

4. 语法

4.1. 请求安全性令牌

4.2. 返回安全性令牌

6.2. 3^rd-Party STS