Access filters for JSON-RPC 2.0 services

Services on the web often need control over who accesses them and how. If they deal with sensitive data, such as usernames and passwords, you may want to ensure that all requests come in over encrypted HTTPS. If you’re running a private service, you may want to ensure that only selected internet hosts can make use of it. Or you may want to limit access to portions of the web API, such as administration, to selected users and clients.

For this purpose I created an Access Filter package for JSON-RPC 2.0 services. Today I released it to the public in its stable 1.1 version under a generous Apache 2.0 licence. I wanted filtering to be fast and robust, so the package was designed to be as simple and efficient as possible. It also nicely complements the proven Java libraries JSON-RPC 2.0 Base and JSON-RPC 2.0 Server.

The package defines four basic filters:

  • HostFilter Access filter ensuring JSON-RPC 2.0 requests originate from selected host names / IP addresses.
  • HTTPSFilter Access filter ensuring requests are passed over HTTPS.
  • X509ClientCertFilter Access filter ensuring HTTPS requests carry an X.509 client certificate with optional specified principal (subject DN).
  • APIKeyFilter Access filter ensuring clients present an API key for protected JSON-RPC 2.0 request methods.

There is a ready CompositeFilter which combines these four basic filters into a chain. You can then plug this filter chain into your JSON-RPC 2.0 service and call it before passing the incoming requests to the actual execution logic.

The CompositeFilter can be configured with a simple properties text file. The properties format is detailed in the JavaDocs for the CompositeFilterConfiguration class.

access.https.require=true
access.https.requireClientCert=true
access.https.clientCertPrincipal=cn=John Doe,ou=people,dc=company,dc=org
 
access.hosts.allow=*
 
access.apiKeys.require=true
access.apiKeys.exemptedMethods=ws.getName ws.getVersion ws.getTime
access.apiKeys.map.f70defbe-b881-41f8-8138-bea52b6e1b9c=sso.login sso.logout sso.getSession
access.apiKeys.map.08d1e641-b1c1-4d88-8796-e47c06430efb=sso.proxiedLogin sso.proxiedLogout sso.getSession
access.apiKeys.map.d881afe0-4d7d-4520-9fda-bffffc3022ba=sso.userCount sso.sessionCount sso.listUsers

Alternatively, you may devise your own custom filter chain, based on the AccessFilterChain class.

How do you use the CompositeFilter?

// Parse config from properties, create composite filter
java.util.Properties props = ...
CompositeFilter filter = new CompositeFilter();
filter.init(new CompositeFilterConfiguration(props)); 

// Invoke the filter for each incoming JSON-RPC 2.0 request

// Parse JSON-RPC 2.0 request
JSONRPC2Request request = JSONRPC2Request.parse(...);

// Set the message context, i.e. client host IP, etc.
MessageContext mctx = new MessageContext(...);

// Call the filter
AccessFilterResult result = filter.filter(request, mctx);

if (result.accessAllowed()) {
    // Continue with request processing...

}
else {
    // Return specified access denied JSON-RPC 2.0 error
    // to the calling client
    JSONRPC2Error error = result.getAccessDeniedError().toJSONRPC2Error();
}
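To make the filter chain semantics concrete, here is an added Python model of the CompositeFilter rules driven by the same properties keys as the sample configuration above. It is an illustration written for this post, not the Access Filter package's own code, and it assumes that access.hosts.allow is either "*" or a space-separated list of exact hosts, and that client certificate principals are compared case-insensitively after trimming each RDN.

```python
# Added illustration, not the Access Filter package's own code: a small Python
# model of the CompositeFilter rules. Assumptions: hosts.allow is "*" or an exact
# space-separated host list; DNs are compared case-insensitively per trimmed RDN.
# Constructed config, same keys as the sample properties above
CONFIG_TEXT = """
access.https.require=true
access.https.requireClientCert=true
access.https.clientCertPrincipal=cn=John Doe,ou=people,dc=company,dc=org
access.hosts.allow=*
access.apiKeys.require=true
access.apiKeys.exemptedMethods=ws.getName ws.getVersion ws.getTime
access.apiKeys.map.f70defbe-b881-41f8-8138-bea52b6e1b9c=sso.login sso.logout sso.getSession
access.apiKeys.map.d881afe0-4d7d-4520-9fda-bffffc3022ba=sso.userCount sso.sessionCount sso.listUsers
"""

def parse_config(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def _flag(cfg, key):
    return cfg.get(key, "false").lower() == "true"

def _norm_dn(dn):
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def check_access(cfg, method, ctx):
    """ctx keys: secure (bool), client_cert_dn, client_host, api_key.
    Returns None when access is allowed, otherwise the denial reason."""
    if _flag(cfg, "access.https.require") and not ctx.get("secure"):
        return "HTTPS required"
    if _flag(cfg, "access.https.requireClientCert"):
        dn = ctx.get("client_cert_dn")
        if dn is None:
            return "X.509 client certificate required"
        want = cfg.get("access.https.clientCertPrincipal")
        if want and _norm_dn(want) != _norm_dn(dn):
            return "client certificate principal not allowed"
    allowed = cfg.get("access.hosts.allow", "*").split()
    if "*" not in allowed and ctx.get("client_host") not in allowed:
        return "client host not allowed"
    if _flag(cfg, "access.apiKeys.require"):
        if method in cfg.get("access.apiKeys.exemptedMethods", "").split():
            return None  # public method, no key needed
        key = ctx.get("api_key")
        permitted = cfg.get("access.apiKeys.map." + key, "").split() if key else []
        if method not in permitted:
            return "API key missing or not valid for " + method
    return None

CFG = parse_config(CONFIG_TEXT)
```

Note that the checks run in the same order as the chain (HTTPS, client certificate, host, API key), so the first failing filter determines the error the client sees.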

The Access Filter package is available at Bitbucket: https://bitbucket.org/vdzhuvinov/access-filter/

We plan to integrate it into the upcoming new releases of the Json2Ldap, NimbusSSO and AuthService web services from NimbusDS software.

If you have comments or feedback to share, get in touch or leave a ticket at the Bitbucket repo.

New public repos

The open source projects led by Dzhuvinov Software can now be followed through their new public Git repos at Bitbucket.

For an overview of the Git repos go to https://bitbucket.org/vdzhuvinov.

CORS Filter

CORS Filter is the first universal solution for fitting Cross-Origin Resource Sharing (CORS) support to Java web applications. CORS is a recent W3C effort to introduce a standard mechanism for enabling cross-domain requests in web browsers and participating servers.

Its Git repo is at https://bitbucket.org/vdzhuvinov/cors-filter

JSON-RPC 2.0 Base

Minimalist Java library for composing and parsing JSON-RPC 2.0 messages. No framework or transport layer dependencies. Batching left out for simplicity.

Its Git repo is at https://bitbucket.org/vdzhuvinov/json-rpc-2.0-base

JSON-RPC 2.0 Client

Minimal Java client-side library for dispatching requests and notifications to a JSON-RPC 2.0 server by means of HTTP(S) POST.

Its Git repo is at https://bitbucket.org/vdzhuvinov/json-rpc-2.0-client

JSON-RPC 2.0 Server

Simple server framework for processing JSON-RPC 2.0 requests and notifications.

Its Git repo is at https://bitbucket.org/vdzhuvinov/json-rpc-2.0-server

Pretty JSON

Pretty JSON formatter for Java.

Its Git repo is at https://bitbucket.org/vdzhuvinov/pretty-json

Java Property Utils

Typed retrieval of java.util.Properties as boolean, integer, floating point, string and enum values.

Its Git repo is at https://bitbucket.org/vdzhuvinov/java-property-utils

JsWorld 2.7 with improved date/time parsing

With version 2.7 JsWorld received a small upgrade and a few small fixes to date, time and date/time parsing in JavaScript.

Case-insensitive parsing of dates

Weekday and month names, both in their full and abbreviated forms, are now parsed irrespective of case. This is done while taking care of world locales that don’t have the notion of case (quite a few, actually).

So, for example, if you have the en_GB locale and your date format pattern is set to

POSIX_LC.en_GB.d_fmt = "%d/%b/%Y"

then the following input will parse to the same date:

17/Apr/2010 -> 2010-04-17
17/apr/2012 -> 2012-04-17
17/APR/2012 -> 2012-04-17

Do write to us if you would like such features added to JsWorld. This particular one was requested by a customer who wanted more flexible parsing of dates. I’m considering making the date/time parser even more flexible, while staying completely on the safe side.

Fixed bugs in %e, %k, %l parsing

JsWorld 2.7 also fixes a few bugs that could cause incorrect parsing of date/time values against format templates that use the %e (day of the month as a decimal number, space padded), %k (hour in 24-h clock as a decimal number) and %l (hour in 12-h clock as a decimal number) patterns.

If you’re subscribed you should shortly receive an email on how to get this update.

Browser-side JS numeric, currency and date/time formatting

It’s now four years since JsWorld’s inception, and today the JavaScript l10n library is used in a range of web applications, from international online retail to finance and enterprise SaaS.

What are the advantages of applying numeric, currency and date/time formatting on the browser-side?

1. Clean separation of data and presentation.

In the spirit of modern Ajax + Web 2.0 apps, the web server can supply the raw numeric, currency or date/time values as JSON or HTML, which the browser-side JavaScript then formats according to the current locale. Your business logic can then focus on the raw data and services, while the front-end takes care of the presentation.

Example of currency data supplied as JSON:

{ "amount":"1500000.99", "currency":"GBP", "locale":"en_GB" }

which JsWorld then formats as British pounds:

£1,500,000.99

The data may alternatively be supplied as unformatted HTML elements, which are then walked by a piece of JavaScript that applies localised formatting according to their class (or some other attribute, e.g. a data- attribute in HTML5).

<span class="date">2012-01-09</span>

which, if the current locale is set to Portuguese/Brazil (pt_BR), is converted to

9 de janeiro de 2012

JsWorld comes with a simple API which gives you plenty of flexibility in how the data is fed to the browser. It could arrive through JSON/XHR or XML or it could be static HTML.

2. Agile development

Now that you have a clean separation between the business data + logic and the presentation layer, your engineers can proceed with greater speed in developing and maintaining your applications. The back-end developers can concentrate on the data and the service process, your front-end developers on the user experience, without having to worry about the intricacies of data l10n; that is JsWorld’s task.

3. Conserve server resources

The localisation of data, if done repeatedly or on large data sets, can consume quite a bit of CPU. If you do it in your PHP/Java servlet/Ruby/etc. code on the server-side, it costs your own server resources. So why not shift this load to the browser-side? The effect could be small or more significant, depending on your web app and the amount of traffic you serve.

JsWorld is now in its 2.5 release and supports over 300 languages, 200 countries and 100 currencies.

JsWorld 2.5 with updated locale definitions

Just before going into the Christmas holidays we got out a new release of JsWorld, the most comprehensive JavaScript library for localised formatting and parsing of numbers, currency and date/times.

What is in the new release?

The locale definitions were updated to match the latest CLDR data from Unicode. JsWorld now supports 354 world locales, with some of them reflecting important recent changes, such as the new Indian Rupee sign which became official in 2011.

JsWorld 2.5 also fixes a bug which resulted in incorrect formatting of midnight time using AM/PM notation. Thanks to our customer who reported this problem.

The next locale updates are expected in the first half of 2012.

Merry Christmas to all of you 🙂

The God particle – a projected reality?

The Large Hadron Collider, image CERN

According to quantum theory observation affects reality. Could the God particle, the Higgs Boson, simply be projected reality?

One of the most astounding discoveries of quantum mechanics is that the very act of watching affects the observed reality. This was demonstrated in the minuscule world of waves and particles by a highly controlled experiment where electrons under observation change their “regular” wave-like behaviour to particle-like.

Today’s news is filled with reports from the latest experiments at CERN claiming that the God particle, the elusive Higgs boson, has finally been proven to exist. Since ancient times people have strived to explain the universe. The so-called Standard Model theory is the modern scientific take on that. A theory, however, must be proven experimentally in order to be accepted as true, and for many years the crucial missing piece there was the Higgs boson. Now that its existence is finally validated, scientists are one step closer to proving their theory of (almost) everything.

But wait a minute: if observation plays such a gigantic role in the subatomic world, what then is the likelihood that the detected traces of the Higgs particle are simply observer effects of the experiment and of that mammoth machine behind it, the Large Hadron Collider? How much of these building blocks of matter is simply there because we’re looking for them?

Fantasy turned reality – ironically, this was the title of the Economist’s cover story on the God particle today 🙂

Би Ти Ви (bTV), or how our consciousness gets programmed

Do you watch television, and do you feel good after the news?

Ilian, a friend of mine from salsa and reiki, regularly provokes us with various food for thought, which then generates an enormous number of comments 🙂 Today’s occasion was the following “cigarette” collage about one of our national TV channels, bTV, and what kind of information channel they really are.

If you are familiar with neuro-linguistic programming (NLP), you will easily notice that of all the local TV channels, bTV is the furthest ahead in techniques for influencing the mind. And the goal is quite simple: more money from advertising and more power. Because at its core the business model of today’s big TV channels is very simple: collect the maximum number of fixed gazes in order to sell advertising. And when behind them there are also people with a desire for power and political interests, then propaganda too. More or less hidden.

It is easy to see why bTV is so “good” at this. One only needs to recall that the channel is a clone from the media empire of Rupert Murdoch, who has undisguised political and power interests, global ones at that. A media machine like News Corporation, spanning five continents, simply cannot fail to have the staff and the methods for this kind of TV programming. I don’t rule out that when bTV was created, a special team from the parent company was sent here to Bulgaria precisely for such instruction.

The simplest way to establish how a given information channel affects you mentally is to ask yourself how you feel. Do you feel better afterwards? Or has something seriously scrambled your brain?

And the latter, at bTV, is done by the book 🙂

Notice, for example, how the news texts are phrased. Simply at the level of words and grammar. Each news item usually starts with a short introductory negative sentence, which is then followed by progressively longer sentences. The first sentence is short in order to fix the attention (shock) and to impose an overall emotional tone on the whole message, while the following sentences are the “delivery” of the message itself (because by then a person is thinking less and accepts things more easily on a subconscious level).

And why is there so much negativity in the news?

The answer is easy: the more stressed, insecure and disoriented a person is, the more likely they are to be left with the conviction that they are missing something. And then, ding, comes the sublime moment: time for commercials 🙂

On top of that, the commercials are often inserted at maximum contrast. For example, a scene of hunched, miserable-looking pensioners in tattered clothes waiting in a queue. And immediately after that, ding, a commercial for a cosmetic product showing a super, unrealistically beautiful, retouched image of a female model 🙂

To suggest scarcity (i.e. that you need something) the favourite little word is НЯМА (“there is no”, “there won’t be”). It works best when inserted in the short introductory sentence of a news item, and right at the front.

There will be no increase in pensions.

Even positive news is turned around this way by means of a negative sentence, where again the НЯМА is nailed in at the beginning. For example, the news that the hospital in such-and-such a town will keep operating is turned into the following

There will be no closure of the hospital in…

And others like it:

No agreement was reached at the meeting of…

No money for the 2012 budget…

But words as such are only a small part of the information flow. Studies have shown that sometimes over 80% of the information is received through other channels, such as intonation and body language.

Do the news presenters look relaxed, smiling and calm?

Or do you rather get a feeling of some unease (even if on the surface it supposedly doesn’t look that way)?

Pay attention to the tone, the intonation and the speed at which the words are spoken. As a rule, when a person speaks a bit faster and in a monotone, the body is stiff and the gaze relatively motionless, the viewer picks up more signals of insecurity. As if you were a pupil at the blackboard and the presenter were some teacher who doesn’t wish you well 🙂

A colleague of mine also shared another psychological peculiarity of watching television, namely that with a fixed, motionless gaze the brain is generally susceptible to hypnotic influence.

And to top off the mental programming at bTV comes the slogan “The News: All points of view”… are ours 🙂

The solution for getting out of this matrix is quite easy: just switch off the remote. It may not be easy at first, because watching television, and especially the news, may have become almost an addiction. But it will be worth it, for the good of your soul and mind 🙂

I don’t watch the news on television, and that by no means implies I’m not informed about what is going on in Bulgaria. In fact, many things have started to become clearer to me 🙂 The world outside television is much calmer, and there are many more solutions and good moods there than you might suppose 🙂

LDAP schema for Secure Remote Password authentication

Here is a simple LDAP schema for storing Secure Remote Password (SRP-6a) authentication credentials. It defines an object class srp6Account which can be attached to any directory entry to enable SRP-6a authentication for it. The SRP salt and verifier are stored in a text attribute called srp6Verifier.

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.31487.3.1 
 NAME 'srp6Verifier' 
 DESC 'Stores SRP6 salt and verifier, in hex and delimited by semicolon' 
 EQUALITY caseIgnoreMatch 
 ORDERING caseIgnoreOrderingMatch 
 SUBSTR caseIgnoreSubstringsMatch 
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
 SINGLE-VALUE 
 USAGE userApplications )
objectClasses: ( 1.3.6.1.4.1.31487.3.2 
 NAME 'srp6account' 
 DESC 'Account with SRP-6a authentication support' 
 SUP top 
 AUXILIARY 
 MAY srp6Verifier )

The following format is suitable for storing the Secure Remote Password credentials:

srp6Verifier: [hex-string-salt];[hex-string-verifier]

The salt and the verifier are hex encoded (to save space and avoid ambiguity), separated by a semicolon.

Example:

srp6Verifier: b24c9bc199aafd143a94;10b3a3986ec57075d1a8f83bafc3350f582f6bd08064d3a09b9f5b4cdcf21c6ee
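As an added example (written for this post, not Nimbus SRP or Json2Ldap code), here is how an SRP-6a account could be enrolled and its salt and verifier serialised into, and parsed back out of, the srp6Verifier attribute format above. The page does not say which group or hash Nimbus SRP uses, so the RFC 5054 1024-bit group, SHA-256 and the RFC 5054 derivation x = H(s | H(I ":" P)) are assumptions.

```python
# Added example (not Nimbus SRP or Json2Ldap code): enrol an SRP-6a account and
# store its salt and verifier in the srp6Verifier attribute format above.
# Assumptions: RFC 5054 1024-bit group, SHA-256 hash, x = H(s | H(I ":" P)).
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def compute_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N with x = H(salt | H(username ":" password))."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    x = int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")
    return pow(g, x, N)

def to_attribute(salt: bytes, verifier: int) -> str:
    """Serialise as '<hex-salt>;<hex-verifier>' for the srp6Verifier attribute."""
    return salt.hex() + ";" + format(verifier, "x")

def parse_attribute(value: str) -> tuple:
    """Split and decode a stored srp6Verifier value; reject malformed input."""
    parts = value.split(";")
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected '<hex-salt>;<hex-verifier>'")
    salt_hex, verifier_hex = parts
    salt = bytes.fromhex(salt_hex)        # ValueError on odd-length or bad hex
    verifier = int(verifier_hex, 16)      # verifier hex may have an odd length
    if not 1 < verifier < N:
        raise ValueError("verifier out of range for the group")
    return salt, verifier

def enroll(username: str, password: str, salt: bytes = None) -> str:
    """Create the srp6Verifier value for a new account (random salt by default)."""
    salt = salt or secrets.token_bytes(16)
    return to_attribute(salt, compute_verifier(username, password, salt))
```

Only the salt and verifier are ever written to the directory; the password itself never leaves the client, which is the point of storing SRP credentials this way.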

Check out Nimbus SRP if you’re looking for a solid and well documented Secure Remote Password library.

New prices

This week the [d]zhuvinov [s]oftware website was redesigned and received new prices too!

As of today the prices for JsWorld, the JSON-RPC Shell and new Nimbus SRP library are listed in three major currencies: Euros, British pounds and US dollars. With that more people should be able to shop in their own currency.

In the next few days we’ll add more docs to the Nimbus SRP library. It came about as a side-product of the most recent Json2Ldap feature: support for Secure Remote Password (SRP-6a) authentication for LDAP directory users. After having reviewed so many implementations of the protocol, and having found nothing that truly suited us, we sat down and coded Nimbus SRP. From scratch, and with the lessons from the other works in the field. Today Web SRP 1.1 is probably the most complete and versatile toolkit you can get. Stay tuned!