Thursday, May 10, 2007
AJAX files
Almost forgot, but my latest AJAX files are on the engineering server here; I cannot run them there because of the PHP version :S
Thursday, May 3, 2007
AJAX update
I was able to display the image, as I wanted to, in the popup window :o). Really it is no longer an AJAX problem; it is more about what the server sends and how to 'parse' that information to show it. Before I was only sending a text string; now I'm sending an XML response, so that I'm able to parse the information in my JavaScript file and decide how to show each piece.
I will post everything on the engineering server.
Wednesday, May 2, 2007
XML Signatures
If we want to provide a certain level of security for our XML information, we can use the XML Security technologies. In the case of XML Signatures the goal is integrity and authentication: a verifier can detect any change to the signed content and can attribute the content to the holder of the signing key. Confidentiality is not part of it; that is the job of XML Encryption.
XML signatures are flexible and are usually applied in one of three ways: detached, enveloping, and enveloped. The data to be signed is identified by a URI in each Reference, optionally narrowed or normalized by XML transforms.

- Detached signatures sign content that lives outside the Signature element: another part of the same document, or an external resource referenced by URI.
- Enveloping signatures carry the signed data inside the Signature element itself (in an Object element).
- Enveloped signatures are placed inside the data they sign: the Signature element is a child of the signed element, and the enveloped-signature transform removes the signature from the content before it is digested, so the signature does not cover itself.
There are libraries that implement XML digital signatures for many languages: C, Perl, Java, among others. The bad thing is that, as this technology is changing, those toolkits are changing too and the documentation is not very good.
So, basically we end up with the following: our original XML file with its elements, and the desired (and digitally signed) new XML file; in my case I wanted to sign each child element of the root element (enveloped signature).
So I needed to program what converts my original XML to signed XML; for that I chose to work in Java, using DOM to parse my XML file and the Apache XML Security Toolkit to handle the digital signature elements. For example, to create a new digital signature we have the following constructor call:
XMLSignature sig = new XMLSignature(doc,"",XMLSignature.ALGO_ID_SIGNATURE_DSA);
We get that functionality from the xml security jar file, we only need to import it:
import org.apache.xml.security.signature.*;
And we actually create the signature with the following lines. The transforms say that this is an enveloped signature (the Signature element is removed from the content before it is digested) and that the content is canonicalized first; SHA-1 here is the digest algorithm for the reference, while the signature algorithm itself (DSA with SHA-1) was chosen in the constructor above. You have to load your key information beforehand. Note that the empty URI passed to addDocument references the whole enclosing document; to sign a single child element you give it an Id attribute, register that attribute as an ID with the DOM or the toolkit's IdResolver, and reference it as "#thatId". SHA-1 and DSA-SHA1 are shown because that is what this project used; current releases of the toolkit also support SHA-256 digests and RSA-SHA256 signatures, and those are the ones to use today:
org.apache.xml.security.Init.init();                     // once, before any call into the toolkit
doc.getDocumentElement().appendChild(sig.getElement()); // enveloped: the Signature element must be placed inside the signed document
Transforms transforms = new Transforms(doc);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE); // drop the Signature itself from the digested content
transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);  // canonicalize before hashing
sig.addDocument("", transforms, org.apache.xml.security.utils.Constants.ALGO_ID_DIGEST_SHA1); // "" = the whole document
sig.sign(privateKey);                                    // privateKey: the DSA key loaded earlier
FileOutputStream f = new FileOutputStream(new File("signatureFileName.xml"));
XMLUtils.outputDOMc14nWithComments(doc, f);              // write the signed document in canonical form
f.close();
Trying to understand what steps you have to follow to sign your XML document was a challenge; the toolkit only provides examples and no documentation, so I had to dedicate much more time than expected to this implementation.
After understanding what to do in the program, another challenging part was getting it to compile! I was really lost sometimes, as any newbie would be; when it did not compile, I didn't know if the problem was in my code or what... Anyway, in my case, to compile I had to include in my CLASSPATH all the jar files provided with the toolkit, so my usual compilation line looked like this:
javac -cp .;bc-jce-jdk13-129.jar;commons-logging.jar;commons-logging-api.jar;serializer.jar;xalan.jar;xercesImpl.jar;xmlsec-1.3.0.jar Sign.java
And to run the program you have to include all the jar files again (the ';' separator is the Windows one; on Linux or macOS the classpath separator is ':'):
java -cp .;bc-jce-jdk13-129.jar;commons-logging.jar;commons-logging-api.jar;serializer.jar;xalan.jar;xercesImpl.jar;xmlsec-1.3.0.jar Sign
At the end I was able to digitally sign the elements of my XML file :o)
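As an added example, not the post's own Sign.java: a complete program that signs one child element of the root (what the post set out to do) and then verifies it. It uses the same Apache toolkit but is written against the current Santuario API (org.apache.santuario:xmlsec 2.x, with the RSA-SHA256 and SHA-256 constants and DOM-level ID registration; the xmlsec-1.3.0 jar used above may not provide these and would need IdResolver registration instead). The catalogue XML, the id attribute, the class name SignAndVerify and the throwaway RSA key are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Enveloped signature over ONE child element of the root, plus a careful verifier. */
public class SignAndVerify {

    // Constructed input: the element to protect carries an id attribute so a Reference can point at it.
    static final String XML =
        "<catalog>"
      + "<cd id=\"cd1\"><title>Blue Train</title><price>12.99</price></cd>"
      + "<cd id=\"cd2\"><title>Kind of Blue</title><price>9.99</price></cd>"
      + "</catalog>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // required: ds:Signature lives in its own namespace
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs / XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Put an enveloped signature on the element whose id attribute equals elementId. */
    static void signElement(Document doc, String elementId, KeyPair kp) throws Exception {
        Element target = findById(doc, elementId);
        target.setIdAttribute("id", true);   // tell the DOM that "id" is an ID so "#cd1" resolves

        // RSA-SHA256 with exclusive C14N, instead of the DSA-SHA1 used in the post.
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256,
                                            Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        target.appendChild(sig.getElement());   // enveloped: the Signature goes inside the signed element

        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE); // exclude the signature from its own digest
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        sig.addDocument("#" + elementId, transforms, MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);

        sig.addKeyInfo(kp.getPublic());   // informational only; a verifier must not trust it blindly
        sig.sign(kp.getPrivate());
    }

    /**
     * Verify the signature inside the element with the given id, using a key the caller already
     * trusts. Also checks that the single Reference really covers that element, so a document in
     * which the signed element was moved and a fresh "cd1" inserted (signature wrapping) fails.
     */
    static boolean verifyElement(Document doc, String elementId, PublicKey trusted) throws Exception {
        Element target = findById(doc, elementId);
        target.setIdAttribute("id", true);
        Element sigEl = (Element) target.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature").item(0);
        if (sigEl == null || sigEl.getParentNode() != target) return false;

        XMLSignature sig = new XMLSignature(sigEl, "");
        if (sig.getSignedInfo().getLength() != 1) return false;
        if (!("#" + elementId).equals(sig.getSignedInfo().item(0).getURI())) return false;
        return sig.checkSignatureValue(trusted);   // NOT sig.getKeyInfo().getPublicKey()
    }

    static Element findById(Document doc, String id) {
        NodeList cds = doc.getElementsByTagName("cd");
        for (int i = 0; i < cds.getLength(); i++) {
            Element e = (Element) cds.item(i);
            if (id.equals(e.getAttribute("id"))) return e;
        }
        throw new IllegalArgumentException("no element with id " + id);
    }

    public static void main(String[] args) throws Exception {
        Init.init();   // must run once before any Santuario call
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();   // throwaway key for the example

        Document doc = parse(XML);
        signElement(doc, "cd1", kp);
        System.out.println("verify original: " + verifyElement(doc, "cd1", kp.getPublic()));

        // Tamper with signed content: the digest of cd1 no longer matches.
        findById(doc, "cd1").getElementsByTagName("price").item(0).setTextContent("0.01");
        System.out.println("verify tampered: " + verifyElement(doc, "cd1", kp.getPublic()));
    }
}
```

Two things in verifyElement are the ones practitioners most often forget: the key used to check the signature comes from the verifier's own trust store, never from the KeyInfo the signer shipped (otherwise anyone can re-sign with their own key), and the Reference URI is compared against the element the application is about to use, because an XMLDSig verifier only tells you that some referenced node was signed, not that it is the node you are looking at.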
AJAX
I really love AJAX; now that I learned how it works I'm constantly looking at other websites thinking, hey! that might be AJAX in all its mighty power :).
First, I want to point to two great sources to get you started on AJAX: the W3C AJAX tutorial and an AJAX Design Strategies article. In those places I learned a lot about this technology, and in fact the latter provides a great diagram of how AJAX works.
AJAX stands for Asynchronous JavaScript And XML; according to the W3C AJAX tutorial it was made popular by Google Suggest, and another prime example of AJAX is Google Maps.
So, what is AJAX about? It is about enhancing the user interface of a web application, making it highly responsive to events triggered by the user. AJAX is not something new; it is a set of existing technologies (JavaScript, the DOM, the XMLHttpRequest object, and XML or another data format) that work together to give this highly responsive effect, because they support asynchronous and partial refreshes of a web page.
Partial refresh means that the server receives a request and sends a response, but this response is not a new web page; it is only the information requested, and the client, thanks to JavaScript, updates the page content according to the information received. So only a small part of the page is updated.
The asynchronous part means the browser does not block while the server does its work: the request is sent, the user keeps interacting with the page, and a callback runs when the response arrives.
With JavaScript an XMLHttpRequest is generated in the client, but on the wire it is an ordinary HTTP request, so the server does not need to do anything special to process it. The server can return whatever you want, including XML data. Once the response arrives, it is processed according to what is programmed in the JavaScript file, and the user sees the same page with a part of it updated. How that update is done matters for security: if the server returns ready-made HTML and the client inserts it with innerHTML, any user-controlled text in the data becomes markup and script (cross-site scripting); returning XML or JSON and building the DOM from the values with textContent keeps data as data.
In the case of my project I first tried to create a pop-up window with data (like the library example on the Sun site), including the picture of a CD; unfortunately, due to my lack of knowledge about JavaScript and PHP, for the Blackboard submission I did not have that part working, so the only AJAX interaction was displaying text inside the page.
For the presentation the popup was finally working!
What did I do? Well, for both interactions (text inside the page and text inside a popup window), I used a JavaScript file to handle the AJAX interaction (in the client) and a PHP script (on the server) to retrieve the information from the XML file (on the server); this PHP script sends text formatted as HTML to the JavaScript in the client. **Note: The code for displaying a popup is from the Sun article, and it goes in the JavaScript file.

My next step would be to show a picture along with the data in that popup window, to finally be happy about the AJAX implementation (updates tomorrow).
DOM
Well, I want to start by talking about DOM because it is the technology that allowed me to create both the AJAX and the XML Signatures implementations.
A DOM object represents the XML document as a tree held entirely in memory; you can move from one element to another and go back whenever you need to, but holding the whole tree makes it more resource intensive than a streaming parser.
The DOM technology is not new; it existed before XML, but because of the XML syntax the two are a great match.
In my project I'm using the DOM from a PHP script (in the AJAX implementation) and from Java (in the XML Signatures implementation).
DOM with PHP is really simple, and you can find good documentation by searching on the internet. Next I'll show a few lines of code using functions that are especially useful:
$xmlDoc = new DOMDocument();
$xmlDoc->load("myXmlFile.xml");
$x=$xmlDoc->getElementsByTagName('element_name');
DOM with Java is simple too, and the documentation is pretty good, so you just have to know what you need, research which functions will help you, and then you can parse the document to get the information that you want. The equivalent of the PHP lines above would be:
import java.io.File;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

File file = new File("myXmlFile.xml");
DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document doc = builder.parse(file);
NodeList nodes = doc.getElementsByTagName("element_name");
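As an added example that is not part of this post: the same Java DOM walk, but with the parser configured so that a hostile file or request body cannot pull in DTDs and external entities (XXE) or blow up through entity expansion. This matters here because a DOM parser is exactly what the AJAX back end and the signing program feed with XML. The two catalogue strings and the class name SafeDomParse are constructed for the example; the feature URIs are the standard Xerces ones that the JDK's built-in parser understands.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

/** DOM parsing as on this page, with the parser hardened against DOCTYPE-based attacks. */
public class SafeDomParse {

    // Constructed sample input: the kind of catalogue the scripts on this page read.
    static final String CATALOGUE =
        "<catalog>"
      + "<cd id=\"cd1\"><title>Blue Train</title><artist>John Coltrane</artist></cd>"
      + "<cd id=\"cd2\"><title>Kind of Blue</title><artist>Miles Davis</artist></cd>"
      + "</catalog>";

    // Constructed hostile input: a DOCTYPE whose external entity would read a local file.
    static final String HOSTILE =
        "<!DOCTYPE catalog [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
      + "<catalog><cd id=\"x\"><title>&xxe;</title></cd></catalog>";

    /** A DocumentBuilder that refuses DOCTYPEs, external entities and XInclude. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** The same walk as the page's getElementsByTagName snippet, collecting the CD titles. */
    static List<String> titles(Document doc) {
        List<String> out = new ArrayList<>();
        NodeList cds = doc.getElementsByTagName("cd");
        for (int i = 0; i < cds.getLength(); i++) {
            Element cd = (Element) cds.item(i);
            // getTextContent() returns the text as data; whoever renders it must still escape it.
            out.add(cd.getElementsByTagName("title").item(0).getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(titles(parse(CATALOGUE)));
        try {
            parse(HOSTILE);
            System.out.println("hostile document parsed: parser is NOT hardened");
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the parser reject the document before any entity is resolved
            System.out.println("rejected hostile document: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature alone blocks the whole class of DOCTYPE-based attacks (external entities, entity-expansion bombs, parameter-entity exfiltration); the remaining features are there for parsers or configurations that must accept a DOCTYPE but still must not fetch anything.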
Final Project... what really ended up there :o)
The XML technologies that really ended up being explored for the final project were AJAX, DOM and XML Signatures... and I feel so ashamed of myself because the only post that I made about the project was about XML Encryption, and I didn't include that technology in my project!!!
In my defense I have to say that the majority of the articles that I read about XML Security talked about the different design alternatives for your XML documents and about possible uses for those technologies. For example, in the case of web services, you request information and a server sends you a response, usually in the form of an XML document; so, if an attacker is clever enough, he or she can modify what the server is sending you, and in that case the XML that you receive is not valid information. But how do you validate it? Well, that is where XML Signatures come into action. I also read examples where the Body of a SOAP envelope was digitally signed to prove the identity of the parties.
And well, they talk about that and leave the implementation details in the dark, usually saying that, as it is a new technology and is evolving, there is no point in talking about toolkit x or y because it would surely change in the near future. So, when I started to get my hands around the implementation, I looked for a toolkit to do it; there are a few of them, in different programming languages, and I chose to work with the Apache XML Security Toolkit because it was written in Java and I thought that later I could create a servlet.
The thing is, there is not much documentation; they even tell you that they don't have much, but that you are welcome to study the sample code that they provide, which is great, but some of the code doesn't have many comments. Anyway, the truth is that they were helpful, and it was when implementing that I finally realized that I needed to parse the document to include my digital signatures! I really had the idea that it was a more automated process, but no, I practically needed to create a new XML document taking the original information and adding the signatures... For that, DOM parsing was great, and that is when I left out XML Encryption, not intentionally; it is just that I started working on the signatures first.
As this post is already too long, in the next ones I will explain the three technologies implemented.
Tuesday, March 27, 2007
XML Encryption
An interesting technology that I want to include in the final project is XML Encryption (right now I'm taking the data & network security course, so the security vocabulary is fresh in my memory ;) ).
I've found this article, which gives very good insight into this XML technology:
"XML Encryption is not intended to replace or supersede SSL/TLS. Rather, it provides a mechanism for security requirements that are not covered by SSL. The following are two important areas not addressed by SSL:
- Encrypting part of the data being exchanged
- Secure sessions between more than two parties
With XML Encryption, each party can maintain secure or insecure states with any of the communicating parties. Both secure and non-secure data can be exchanged in the same document. For example, think of a secure chat application containing a number of chat rooms with several people in each room. XML-encrypted files can be exchanged between chatting partners so that data intended for one room will not be visible to other rooms."
In short, the objective is to provide end-to-end confidentiality at the application layer; given that XML is an integral part of web-based business applications, security is a major concern. Along with XML Encryption we also have XML Signatures, which provide data integrity; I'll post about them soon.
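As an added example that the post itself does not contain (the project never implemented XML Encryption): the partial-encryption case from the quotation above, with one private element encrypted for one recipient while the rest of the message stays readable. It uses the encryption side of the same Apache XML Security toolkit, written against the current Santuario API (org.apache.santuario:xmlsec 2.x on Java 8 or later, so that AES-GCM is available). The message, the element names, the class name EncryptOneElement and the throwaway RSA key pair are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Encrypt a single element of a message for one recipient; everything else stays in clear. */
public class EncryptOneElement {

    // Constructed message: <room> is for everyone, <private> is for alice only.
    static final String XML =
        "<message>"
      + "<room>general</room>"
      + "<private><to>alice</to><text>meet at 6</text></private>"
      + "</message>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // xenc:EncryptedData and ds:KeyInfo are namespaced
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs / XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Replace target by an xenc:EncryptedData element readable only by the recipient. */
    static void encryptElement(Document doc, Element target, PublicKey recipient) throws Exception {
        // Fresh content-encryption key per message, wrapped for the recipient with RSA-OAEP.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();

        XMLCipher keyCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP);
        keyCipher.init(XMLCipher.WRAP_MODE, recipient);
        EncryptedKey encryptedKey = keyCipher.encryptKey(doc, dataKey);

        // AES-GCM, not AES-CBC: CBC-mode XML Encryption can be decrypted through a padding oracle.
        XMLCipher dataCipher = XMLCipher.getInstance(XMLCipher.AES_128_GCM);
        dataCipher.init(XMLCipher.ENCRYPT_MODE, dataKey);
        EncryptedData encryptedData = dataCipher.getEncryptedData();
        KeyInfo keyInfo = new KeyInfo(doc);
        keyInfo.add(encryptedKey);         // ship the wrapped data key inside the EncryptedData
        encryptedData.setKeyInfo(keyInfo);

        dataCipher.doFinal(doc, target);   // encrypts the element (tag included) in place
    }

    /** Unwrap the data key with the recipient's private key and restore the plaintext element. */
    static void decryptFirst(Document doc, PrivateKey recipientKey) throws Exception {
        XMLCipher cipher = XMLCipher.getInstance();
        cipher.init(XMLCipher.DECRYPT_MODE, null);
        cipher.setKEK(recipientKey);       // key-encryption key for the EncryptedKey in KeyInfo
        Element ed = (Element) doc.getElementsByTagNameNS(
            EncryptionConstants.EncryptionSpecNS, EncryptionConstants._TAG_ENCRYPTEDDATA).item(0);
        cipher.doFinal(doc, ed);           // replaces EncryptedData with the decrypted element
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter w = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        Init.init();   // must run once before any Santuario call
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair recipient = gen.generateKeyPair();   // throwaway key pair for the example

        Document doc = parse(XML);
        Element priv = (Element) doc.getElementsByTagName("private").item(0);
        encryptElement(doc, priv, recipient.getPublic());
        System.out.println("on the wire: " + serialize(doc));   // <room> in clear, <private> replaced

        decryptFirst(doc, recipient.getPrivate());
        System.out.println("decrypted:   " + serialize(doc));
    }
}
```

The choice of AES-GCM is the one security decision in this block worth remembering: the CBC modes in the original XML Encryption specification were shown in 2011 to be decryptable by an attacker who can submit modified ciphertexts and observe whether the recipient's parser accepts them, and GCM's authentication tag closes that channel. Encryption alone still says nothing about who sent the message; for that the element is signed as well, as in the XML Signatures post.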