Experience at WSO2 as an Intern

My final report submitted at the end of six months of fruitful internship at WSO2 Lanka (pvt) Ltd.

Published in: Technology, Business


UNIVERSITY OF MORATUWA
Faculty of Engineering
Non-GPA Module 399: Industrial Training

TRAINING REPORT

Field: Computer Science and Engineering
Name: M.K.P.R. Jayawardhana
Registration Number: 080201N
Training Establishment: WSO2 Lanka (pvt) Ltd
Training Period: (28.02.2011 - 24.06.2011) and (12.08.2011 - 23.09.2011)
Date of Submission: 01.10.2011
PREFACE

This document is presented at the end of the internship period I had from 28th February 2011 to 23rd September 2011 at WSO2 Lanka (pvt) Ltd, No. 59, Flower Road, Colombo 07, as a trainee software engineer. The document is arranged into three main chapters that present different aspects of the training I got. It contains basic information about the establishment, detailed information on the training I received, and my personal views on the internship period considering the whole experience.

The first chapter is dedicated to information on the training establishment. Without a good understanding of the company's functions, procedures, organizational hierarchy and structure, it is difficult to move comfortably among the staff and get things done in the correct way. To give my maximum contribution while learning from the company, I have to understand the business the company is involved in and the technologies, development standards and models they follow. With all these, this chapter also includes my personal score on the current performance of WSO2.

The second chapter is totally dedicated to the experience I had in the internship period. This includes all the technical work I was exposed to, as well as the non-technical experiences. It describes how I completed the tasks I was given and how I resolved the difficulties I came across while doing them. In explaining the tasks, the implementations are mostly described using diagrams, which I feel is the best way to present them, and samples that I actually used for testing purposes, with their outcomes, are given at relevant places. This technical section describes in detail the functionality of the Entitlement Handler and the implementation of SAML to XACML in the WSO2 Identity Server, with an introduction to the tools I used and the security concepts I got familiar with while doing that. The technologies I was exposed to are also discussed, along with what I have learnt from them.

The non-technical experiences such as trips and WSO2Con-2011 are described considering the great effect they had on building up a professional personality within me and on getting to know more of the staff, the company and industry practices.

In the third chapter, I have discussed the effectiveness of and my personal feelings towards the training as a whole. It also provides a personal assessment of my own experience and of the whole industrial training programme, from the coordination to the end, with suggestions for improvement.
ACKNOWLEDGEMENTS

At the very beginning of this report on my work in the internship period, it's my privilege to thank the people who contributed to making it such a great experience for my life. If not for their support, from arranging training establishment selections to the successful completion of the 24 weeks, it would not have been this effective.

I heartily thank Ms. Vishakha Nanayakkara, the former Head of the Department of Computer Science and Engineering, University of Moratuwa, for the immense effort taken to provide us with the best training establishments. The guidance given on how to extract the value of this internship period was also invaluable. I am also so grateful to Dr. Malaka Walpola, the Industrial Training Coordinator, for the huge commitment shown in making sure each and every student got a training establishment. The support given by resolving our selections, organizing mock interviews, coordinating with the industry and giving friendly guidance whenever needed is incomparably great.

I must also thank all the members of the Industrial Training Division of the University of Moratuwa and NAITA (National Apprentice and Industrial Training Authority) for guiding us from the very beginning and for the work carried out throughout our internship period to make it a success, giving us a complete experience in the industry.

I am so grateful to Dr. Sanjiva Weerawarana, Founder, Chairman and CEO of WSO2, for giving us this invaluable opportunity to learn in an internationally recognized company within a friendly environment. Then I would like to thank Mr. Supun Kamburugamuva, Technical Lead, and Mr. Selvaratnam Uthaiyashankar, who interviewed me and recommended me for the internship at WSO2. I am also thankful to Mr. Samisa Abeysinghe, VP of Engineering, for the guidance given on how to improve and proceed using the resources provided, and for giving us the opportunity to feel the beauty of a technical career by giving us appropriate responsibilities.

I am thankful to Ms. Udeshika Ratnavira, Senior Manager, Administration and HR, for the friendly support given in any issue I came up with. The work done in coordination with the university and in making us a part of the WSO2 family is really appreciated.

I am so much grateful to the IS (Identity Server) team for all the support given throughout my stay at WSO2. I specially thank Mr. Asela Pathberiya, Senior Software Engineer, the mentor assigned to me, for the immense support and guidance given in completing any task given to me. I highly appreciate the support given at any time, despite the busy schedules, and I am so grateful for the kind clarifications given whenever I was stuck. I am also thankful to Mr. Prabath Siriwardena, Architect & Product Manager – Carbon Platform & Security, for the great selection of work assigned to me. The flow of work assigned to me was well organized so that I could grow step by step. I am thankful to the whole IS team, including Mr. Thilina Buddhika and Ms. Hasini Ganasinghe, for the friendly environment and support given throughout my internship period.

I am thankful to each and every member of the WSO2 family in the technical, non-technical and support staff for the friendly environment provided and for being a helping hand whenever needed. I did not have to worry about having any technical or non-technical issue, as there was always someone I could get help from or ask for guidance.

Thank you very much, everyone, for making this internship period such a fruitful experience for my life, widening my horizons!
Table of Contents

1 Introduction to the Training Establishment ... 1
1.1 WSO2 Incorporated ... 1
1.2 Evolution of WSO2 ... 3
1.3 WSO2 Vision ... 3
  1.3.1 Reinvent the Technology ... 3
  1.3.2 Reinvent the Business Relationship ... 4
  1.3.3 Reinvent the Support Model ... 4
  1.3.4 Create a Great Place to Work ... 5
1.4 WSO2 Business Model ... 6
  1.4.1 Support and Service Model ... 6
1.5 Organizational Structure ... 9
  1.5.1 Employee Hierarchy ... 9
  1.5.2 Communication ... 10
  1.5.3 The WSO2 Team ... 10
1.6 WSO2 Products and Services ... 12
1.7 Performance of WSO2 ... 13
  1.7.1 Strengths ... 14
  1.7.2 Weaknesses ... 16
  1.7.3 Service to Sri Lankan Society ... 16
1.8 Suggestions to Improve ... 17
2 Training Experience ... 18
2.1 Joining WSO2 Family ... 18
2.2 Induction ... 19
2.3 Development Environment ... 20
2.4 Hands on WS-Security ... 21
  2.4.1 Sample Client for IS ... 23
  2.4.2 Entitlement Handler ... 25
2.5 Implement SAML to XACML ... 31
2.6 Other Technical Experiences ... 43
  2.6.1 Apache Team ... 43
  2.6.2 Training Sessions ... 45
2.7 Other Non-Technical Experiences ... 45
  2.7.1 Demonstration ... 45
  2.7.2 WSO2 Annual Trip ... 46
  2.7.3 Sports, Entertainment and Other Activities ... 48
2.8 WSO2Con-2011 ... 49
3 Conclusion ... 50
3.1 Importance of Industrial Training ... 50
3.2 Satisfaction ... 50
3.3 WSO2 as a Training Establishment ... 51
3.4 Overall Training Programme ... 52
List of Figures

Figure 1.1 WSO2 Company Logo ... 1
Figure 1.2 Employee Hierarchy ... 9
Figure 2.1 Entitlement Handler Structure ... 27
Figure 2.2 Inside .mar file Entitlement Handler ... 30
Figure 2.3 Flow of secured server to server communication ... 33
Figure 2.4 The Structure of the XACMLAuthzDecisionQueryType ... 36
Figure 2.5 The Structure of the SAML Response ... 40
Figure 2.6 Signing Procedure ... 41
Figure 2.7 Validation Process ... 41
1 Introduction to the Training Establishment

1.1 WSO2 Incorporated

[Figure 1.1 WSO2 Company Logo]

As the name WSO2 stands for Web Services Oxygen, the company is truly about giving a deep breath of relief to the people who are looking for enterprise solutions in the web space. Founded in 2005 by pioneers in XML and web services technologies and standards as well as open source, WSO2 offers a complete SOA platform that is 100% free and open source, and in recent times has added a cloud approach through WSO2 Stratos, the world's only 100% open source PaaS.

WSO2 is mainly focused on developing and producing top quality products, and these are based on the free and open source Apache software stack. Hence all of the products are released under the Apache Software License. The company consists of a locally and globally recognized set of passionate software engineers who enjoy their dedication to the industry. Most of them are committers of software projects like Axis2, Rampart, Synapse, Sandesha, Transport, Cassandra and Commons of the Apache foundation, and of various other software communities including Eclipse and Ruby and Rails. All the products at WSO2 are developed around one core called the 'core Carbon framework', which has its base in Apache Axis2, and the company encourages employees to build their own personal brand by contributing to these projects.

In providing web based solutions, WSO2 offers 12 servers that together give a well designed environment for implementing a business solution in an agile manner. For example, WSO2 IS can be shaped into a customized environment providing authentication and authorization services to a shopping context or to a military context. StratosLive provides all the services of these servers 100% free in the cloud environment.

Being 100% free and open source, someone may wonder whether this can make a sustainable business. The business strategy at WSO2 is to provide training, support and consultancy for their products to the customers. As the products are free to download, test and play with, if the customer is willing to have WSO2 support and training to bring up a business solution for them, then they are charged for that service. The company maintains a SOA developer portal called 'WSO2 Oxygen Tank', which includes a knowledge base, articles, webinars, screencasts and tutorials, creating an online resource center for anyone who is willing to try WSO2 products at no cost.

Apart from Apache, being an open source company WSO2 has built many connections around the world, a few of which are as follows:

• The World Wide Web Consortium (W3C)
• OpenID Foundation
• NBQSA Competitions
• AMQP Working Group
• SOAP, WSDL and WS-SEC standards
• OCERT and OAuth
• Microsoft's InterOP Vendor Alliance
• InfoCard Foundation
• OASIS

WSO2 is a global company with offices in the USA, the UK and Sri Lanka and customers worldwide. The UK office is mainly focused on marketing and customer relations, and the newly opened USA office at Palo Alto is in its growing stages regarding technical development activities. The branch in Sri Lanka acts as the main research and development center of WSO2 and currently operates from three offices at No. 59, Flower Rd, Colombo 07, No. 50, Flower Rd, Colombo 07 and No. 58, Dharmapala Mw, Kollupitiya.

Being just 6 years old in the industry, WSO2 has shown immense growth, such that sometimes customers have admired WSO2 above industry giants like IBM and Oracle. Recently it has been named as one of the top ten open-source SOA companies in the world, with a comparatively small team. WSO2 has brought a lot of opportunities to Sri Lankans and is growing smarter day by day, marking the Sri Lankan contribution to the software industry.
1.2 Evolution of WSO2

4th August 2005 is declared as the birthday of WSO2, and that date was selected because a lot of important things regarding the company happened around that day, between August and September, such as the incorporation of the USA company, the incorporation of the Sri Lankan company and the incorporation of the UK company. At first the co-founders of WSO2 named it 'Serendib Systems' and later changed it at the request of an investor [2].

With the funding received from the investors, the company then proceeded with the implementation of the Carbon platform with the bunch of experts they had by that time, and after a few hard times the company emerged into the middleware industry with a lot of effort and sacrifice from the team. Currently WSO2 stands as a competitor to giants like Oracle and IBM, who have been in the business for decades.

1.3 WSO2 Vision

WSO2 has a very clear vision regarding the platform, customers, employees and growth, and everything is decided on these basics. Following are the four categories the WSO2 vision is made of, to lead the company to success and compete globally.

1.3.1 Reinvent the Technology

When WSO2 was founded there were many giants in the industry like Oracle and IBM, and still WSO2 entered the market segment with the belief that they could re-invent that technology in a better way: a way that is simpler and more straightforward, from project conception to long-term production management. WSO2 had the advantage that they could start from scratch, make full benefit of hindsight, and develop the most advanced middleware platform available today. Having known the pitfalls in advance, the platform was designed defensively to overcome the issues and increase performance. Using the OSGi framework, WSO2's component model enables a lean, high performance approach with self-consistency across the platform, and it is fully customizable, adapting to your project. Instead of forcing the project to adapt to the middleware, WSO2 provides the flexibility to be customized as the customer needs. By building multi-tenancy, elasticity, instant provisioning and metering into the whole platform and making it available as a service (PaaS) in public and private clouds, WSO2 is playing a great role in cloud computing too.

1.3.2 Reinvent the Business Relationship

Although the technology at WSO2 is leading edge, the core value is recognized as the quality of the business relationship with the customer. So WSO2 has taken radical steps to be a customer-oriented company.

All the software is 100% open source, built under a fully open and transparent development process at the wso2.org mailing lists and at the ASF. There are no license fees or trial versions that expire within a period, as all the products are released under the Apache License 2.0, which means that there is no restriction on the products. There is no community license or evaluation license, and anyone using the same version of a product has the same functionality.

The value WSO2 uniquely brings to its products is the relationship built with customers in customizing the products to meet the maximum efficiency for the customer's context. Through the highest quality training, support, consulting services, 24x7x365 production support, or an entire solution, WSO2's sole objective is to tailor its world-class expertise to each customer's unique needs.

1.3.3 Reinvent the Support Model

As support is essential for a critical enterprise system, WSO2 provides a very good customer support service, understanding the great responsibility of running such a system. Using the WSO2 online support system, a customer issue can quickly be directed to the best source of expertise, with WSO2 developers on the product or committers to the open source project. WSO2 support lets the customer interact directly with the best person in the world to resolve their issues quickly, as there are no separate support engineers. The people who build the product are the support engineers too, as they know every nook and corner of the product well. When necessary, WSO2 provides hot fixes, patches and service packs to keep customer installations running efficiently.
Going beyond production support, the WSO2 support and service model allows customers to purchase just the services they need, without being forced to pay for bundled services of little value. WSO2 believes that satisfied and successful customers are the best way to make WSO2 a successful company in the global middleware market.

1.3.4 Create a Great Place to Work

After years in IBM Research, CEO and co-founder Sanjiva Weerawarana had a dream to not only reinvent the technology, business relationships and support model for enterprise software, but also to bring Silicon Valley-style entrepreneurialism to Sri Lanka. As a result the heart of WSO2 development and operations is centralized in Colombo, Sri Lanka.

With close relationships to the top local universities and by building creative spirit and global leadership in open source technologies, WSO2 has become a hotbed for local innovators. WSO2 made being Apache committers a reality for Sri Lankans, which was once an unreachable dream.

WSO2 encourages the personal development of its employees, even to the point of actually leaving the company for doctoral studies abroad. These employees are encouraged to return to WSO2, to found other entrepreneurial companies in Sri Lanka, or to find employment in other organizations where they can invest their talents to make Sri Lanka and the whole world a better place to live.

I love this vision of WSO2 a lot, that it is not running after money or fame. It has built a sustainable business that benefits both customers and the company with its employees, and finally adds value to Sri Lanka and the whole world. As mentioned in the vision, WSO2 is truly a bed for innovators who are not afraid to try.
1.4 WSO2 Business Model

As WSO2 is a 100% FOSS company, the products are available free of charge to be downloaded by anyone, and the source code is also available, so that using a build tool like Maven anyone can build the product with any modifications they wish. Therefore, to be sustainable, the company has to adopt a different but feasible business model to operate on.

WSO2 has adopted a very feasible and unique business model to competitively move forward in the middleware arena, which already had industry giants such as Oracle and IBM. Making the products downloadable free of charge, WSO2 attracts customers from Oracle and IBM, where they have to pay. That was a good way to enter the market, as people consider the capital cost a lot. But in an enterprise system a customer will not take the risk of lower performance or quality, and will definitely consider the availability of 24x7x365 support. That is where WSO2 identified the opportunity to make money: selling software support, consultancy and training for the product stack that is based on SOA and web services. Additionally, client projects are also carried out.

With this business model WSO2 has been able to compete with the giants that existed in the middleware industry and to be preferred by customers over IBM, Oracle etc. in just six years.

1.4.1 Support and Service Model

The services WSO2 offers are:

• Consultation (Evaluation Support)
• Training
• Development Support
• On-site trainings (lectures, seminars, conferences etc.)
• Off-site trainings (webinars, podcasts, self-paced training etc.)
• Production Support

Besides these programs there are also the Quick Start and Cloud Start programs.
Evaluation Support

This is designed to help customers in the early stages of middleware projects, especially when there are advanced technology challenges to meet. WSO2 experts can guide customers in technology selection, product selection/evaluation and migration/integration strategies. For qualified customers some of the services in this model are free of charge.

Quick Start Program (QSP)

WSO2 Quick Start is a rapid program that brings world class expert developers and architects on site to work in collaboration with the customer's team. The program also includes follow-up support with a period of online Development Support. The QSP is conducted within just one week.

Cloud Start

The Cloud Start program is designed to get WSO2 Stratos, the Carbon platform as a PaaS, installed and ready for the customer enterprise. Cloud Start brings two senior WSO2 engineers on site for 5 business days to work with the customer team. Mainly this program is targeted on deploying and configuring WSO2 Stratos on the client's cloud infrastructure and providing the relevant training on that.

Development Support

At this level of support the experts from WSO2 directly assist the client's engineering team during development. WSO2 offers Development Support to help migrate, integrate, optimize and manage the customer's enterprise middleware deployments. By providing a direct channel between client engineering teams and the WSO2 team during the critical development stages, this becomes a catalyst for the process to reach the intended product sooner.

Customers get these benefits through this model:

• Migrating from expensive proprietary middleware products
• Integrating with other middleware and infrastructure products
• Tuning for performance and security
• Developing custom product features

Production Support

A system in production is defined as one that performs, or assists in performing, legally binding transactions and is used by end-users, where a failure of a system in production will have an immediate economic impact on the organization. Understanding the critical nature of this, WSO2 has designed a support mechanism that guarantees the WSO2 middleware infrastructure enables the client applications to be available 24x7x365, as mentioned in annex A3. Production Support customers are eligible for the latest feature upgrades, product patches and service packs.

A Subscriber shall reasonably determine the severity level of Errors, according to the protocols attached in the annex as A2.

Turnkey Packages

Although WSO2 offers a full menu of products and services, they also offer complete turnkey solution packages. The major support features supplied with these are ongoing twenty-four hour enterprise-level maintenance of the entire client system, installing and provisioning WSO2's lean, high-performance Carbon platform to run, govern, manage and monitor the solution, and a pre-validated architecture template set to address specific business scenarios and requirements.

Here the WSO2 staff manage and implement the project from conception to deployment to maintenance for the customer, in specific areas such as:

• Mobile Services Gateway
• FIX Gateway
• SAP Message Gateway
• Customized solutions

WSO2 is committed to making the customer experience the best service from them, and all the staff work with dedication towards that.
1.5 Organizational Structure

WSO2 has a very flat and informal structure inside the company, and everyone is treated equally. At WSO2Con Mr. Samisa Abeysinghe mentioned that at 'WSO2 we do not have resources, we have the WSO2 team', which I experienced throughout my stay.

1.5.1 Employee Hierarchy

The sole purpose of keeping this hierarchy is for management activities done by Human Resources Management; it has no effect on making a technical decision, so that even an idea from an intern like me is considered and accepted if it is well supported with facts. This flat hierarchy is very helpful for fast decision making in agile software development, and the company has put trust in its employees that they will do the most appropriate thing in a situation.

[Figure 1.2 Employee Hierarchy]

1.5.2 Communication

Communication inside WSO2 is so transparent that everything goes through the mailing lists of the company domain, and this is also very fast in fixing anything. This transparency allows maximum productivity, and confusion is greatly reduced. Following are a few of the mailing lists:

Team – Anything regarding the whole WSO2 team goes here. E.g. organizing trips, seating plans.
Support-dev – This focuses on support for the developers.
Training – To discuss things related to training inside WSO2 and outside things that employees can participate in.
Marketing – To discuss matters related to marketing strategy etc. Anyone can post their ideas here on how to promote WSO2 products.
Operations – Any issue regarding the daily operations of the company goes here. E.g. cleaning.
Infrastructure – Any matter regarding the network, WSO2 servers etc. goes here.
Vacation – Any kind of leave taken should be informed here.
News – Any news regarding the industry that seems useful for the company is posted here.
Club – Jokes and other stuff go here, mostly for fun.

Also there is no restriction on talking to anyone, and we could even easily go to Dr. Sanjiva Weerawarana and discuss any issue we had. All the doors are open for people to communicate directly, and there was no need to go through a hierarchy.

1.5.3 The WSO2 Team

The WSO2 team consists of the best people in each field, which is the key factor in the company conquering the middleware market so soon. Following is the current composition of the team.
Leadership – WSO2 is led by very experienced people from across the globe who have guided the company to this much success in just 6 years.

• Mr Sanjiva Weerawarana, PhD, Founder, Chairman and CEO
• Mr Paul Fremantle, PhD, Co-Founder and CTO
• Mr Jonathan Marsh, VP Business Development and Product Design
• Ms Monica Pal, VP Marketing
• Mr Lavi de Silva, VP Global Sales
• Mr Samisa Abeysinghe, VP Engineering
• Mr Devaka Randeniya, Senior Director of Sales
• Mr Paul Broekhoven, Director, European Sales
• Ms Padmika Dissanaike, VP Finance
• Ms Puny Navaratne, Director, Legal
• Ms Hasmin Abdul Cader, Director, Marketing
• Mr Asanka Abeysinghe, Director, Solutions Architecture
• Mr Mahesh Markus, Director, Support
• Mr Afkham Azeez, Director, Architecture
• Ms Udeshika Ratnavira, Senior Manager, Administration and HR

Advisors – The world class personalities and scholars who guide the company throughout with their experience and valuable insights on the industry are as follows.

• Mr Larry Augustin – Investor/Advisor
• Mr Geir Magnusson Jr. – VP Engineering, Joost
• Mr Brian Behlendorf – Founder & CTO, Collabnet
• Mr Tom O'Reilly – Founder, O'Reilly Media
• Mr Patrick Grady – Chairman & CEO, Rearden Commerce
• Mr Tony Pizi – CIO Platform Engineering, Deutsche Bank

Product Teams –

The engineering team – The engineers who work on development, research, design and testing fit into this category. It is further divided according to the product they work on, as the Identity Server team, Gadget Server team etc.
The sales team – Deals with the customers and liaises between the customers and the developers.
The marketing team – Works on marketing WSO2 products by means of sponsorships, advertisement campaigns, workshops, webinars and so on. Most of the events are organized under the guidance of the marketing team with the support of the whole WSO2 team.
The finance team – Takes care of the accounts, income and expenditure of the company.
The administration team – Provides vital administration and human resource work, handling salary payments, foreign visit arrangements etc.

1.6 WSO2 Products and Services

The high level product categorization of WSO2 is as attached in annex A4. In all of these, the Enterprise Middleware Platform (Carbon), the Cloud Middleware Platform (Stratos) and the Java PaaS (StratosLive), the following are the common servers that provide various services matching the environment they run on. There are 12 servers, as follows, and I will only explain the functionality of the Identity Server, as that is the server I worked on and got most familiar with.

• WSO2 Application Server – for service hosting
• WSO2 Enterprise Service Bus – for mediation services
• WSO2 Message Broker – for messaging services
• WSO2 Data Services Server – for managing data sources and data access
• WSO2 Governance Registry and repository – for managing WSDL, schemas, policies, life cycles and versioning
• WSO2 Gadget Server – for portal services
• WSO2 Web Services Frameworks for C, C++ and PHP – provide simple APIs for implementing web services and web service clients
• WSO2 Identity Server – for authentication, single sign-on and access control
• WSO2 Business Process Server (BPEL)
• WSO2 Business Rules Server (JSR-94)
• WSO2 Complex Event Processing Server
• WSO2 Business Activity Monitor (JMX)
  (these four are for composing, orchestrating and monitoring business processes and activities)
• WSO2 Mashup Server

Identity Server (IS)

Image A1.2 in the annex shows the architecture of the IS and image A1.3 shows the specifications of the server. It uses leading edge technologies to provide adjustable, high security for web applications and web services. SAML 2.0, OpenID, OAuth, XACML and WS-Security are the standards that IS adheres to, which are the latest technologies in security. It uses the Apache Rampart, WSS4J and Neethi modules in addition to the other ASF dependencies that are common to all WSO2 products.

It integrates easily into existing user stores such as LDAP or Active Directory, supports multi-factor authentication, and the cloud platform Stratos is totally secured by the IS.

The most interesting part is that no matter how complex the process is, IS provides a good user experience, making the developer's life easy. For example, IS provides a simple user interface to define a XACML policy, add it and remove it, so that even a person without much knowledge of XACML can use it.

1.7 Performance of WSO2

WSO2 has performed incredibly well when one turns back and sees the path it has come along in just six years [2], and it is currently boosting that journey further by putting in more resources and being more innovative. In addition to praise from customers, WSO2 has won several highly recognized awards in the industry, as follows:
- Kuppinger Cole European Identity Award 2011: WSO2 was recognized for the innovative features of its open source, multi-tenant WSO2 Identity as a Cloud Service.
- SD Times 100 Award: for the fourth consecutive year, WSO2 was recognized as one of the "top leaders and innovators" in the software industry by the editors of SD Times.
- Red Herring Asia 100 Award: WSO2 was awarded the Red Herring Asia 100 Award in 2006 for being one of the most promising private technology companies in Asia.
- InfoWorld Best Open Source Software (Bossie) Award: WSO2 was named an InfoWorld 2009 Best of Open Source Software (Bossie) Award winner and recognized for delivering WSO2 Carbon.
- National Best Quality Software Awards (NBQSA): WSO2 walked away with:
  - WSO2 Enterprise Service Bus: Gold Award in the Infrastructure & Tools category and the Overall Gold Award.
  - WSO2 Gadget Server: Silver Award in the Research & Development category.
  - WSO2 Data Services Server: Bronze Award in the Infrastructure & Tools category.

1.7.1 Strengths

1. The highly qualified, dedicated team. I see the WSO2 team as the main strength of WSO2. The engineering team consists of the best brains of Sri Lanka, who are world-class architects and developers with experience and contributions in the global industry. WSO2 has at least a few committers on every ASF product WSO2 uses. The marketing team has the best of the profession, and so does the sales team. People coming from various backgrounds and fields share the common objective of adding value to the company using their expertise in every way they can. For example, the engineering team is hugely involved in marketing activities through blogging and tweeting, and all the teams work together, co-operating with each other as one family.

2. Flexible working culture. In WSO2, employees have flexible working hours and are not forced to work at a particular time. With this, the company has made a very friendly connection with the employees: they enjoy the freedom at work and, in gratitude, there is no need to ask them to work when some urgent need arises. Employees voluntarily work with dedication as they feel in their hearts the need to contribute back to the company. Adopting a flexible working culture is a challenge, and it is a strength that WSO2 has been able to make it work in this way.

3. No support engineers. As there are no support engineers, all the discussions with customers and all support are done by the same engineers who build the system and live with it. As those engineers know the product very well, any issue can be fixed easily and explained well to the customers. That way the engineers get a good feeling for what the customer needs and what they should provide via the product, and the customer gets very fast and clear support for their maximum satisfaction. So I call this a strength of WSO2.

4. Innovative Carbon platform. No matter how nicely we approach the customer, it is hard to run a business for long if we do not have a good product to compete with the competitors. WSO2 has the very innovative Carbon platform that allows all this componentizing, which satisfies customers by allowing them to use just what they want and pay only for the services they use. The flexibility of the platform also allowed WSO2 to present the first PaaS, StratosLive, this soon, which Oracle said it would come up with in 2015. The architecture of the Carbon platform best fits today's enterprise need for agile software that can shape up to rapidly changing business needs.

5. Being an open source company. This is a great strength of the company from the product point of view. As the source code is available for anyone to look at, the product improves day by day, identifying bugs and fixing them. Approaching customers has also become easy with this, as people do not hesitate to try the products and see the functionality, since they are free.
1.7.2 Weaknesses

There is no major weakness I could identify at WSO2. The only thing I see is a slight lack of documentation in some areas on using WSO2 products. There are so many blogs written by the engineers, and the WSO2 Oxygen Tank [5] provides a lot of information on using the products. But still, with the number of products and services provided through the stack and the different scenarios in which they can be used, there is a lack of documentation. The company has already identified this as a weakness and is encouraging the staff to complete documentation well, with more attention towards Oxygen Tank.

1.7.3 Service to Sri Lankan Society

Bringing the open source concept to Sri Lanka is itself a great service to the country, as it is the most appropriate model for it. Through WSO2, a lot of Sri Lankan talent has found a place in the global industry, becoming Apache committers and so on, as WSO2 encourages the personal development of its employees. Through this, WSO2 has contributed a lot to making Sri Lanka the country with the largest number of committers to the Apache Software Foundation outside the United States.

Most computer science graduates consider going abroad for employment after the degree, and having such a great place as WSO2 to work at, in one's own motherland, is a great service the company is providing for the country, stopping it from losing its great resources. By encouraging going abroad for further studies, not just for employment, WSO2 creates a well experienced work force for the future who have knowledge of leading-edge technologies.

Many WSO2 professionals provide mentoring to many undergraduate students who are doing their final year projects at many different universities in Sri Lanka, and they expose university undergraduates to the global software industry and help them acquire great achievements even through the internships they support.

WSO2Con is a perfect example of the fame the company is bringing to Sri Lanka through the software industry. A lot of experts visited Sri Lanka to attend this event, and at every possible occasion it showcased the Sri Lankan culture. If one day the middleware industry could become the key player in the Sri Lankan economy, instead of garments, tea, rubber and house maids in the Middle East, WSO2 will be the pioneer of that.
1.8 Suggestions to Improve

1. As mentioned in 1.7.2, improving the documentation in Oxygen Tank to cover all the key topics regarding the products is a great improvement to achieve. That way anyone who just happens upon a product will feel comfortable trying things with it and will be able to understand its power. Also, when a new release is out, some of the content becomes invalid for the newer version, and these things should be clearly stated or modified accordingly. So having some mechanism to update the content will be very useful.

2. Currently WSO2 operates in three offices in Sri Lanka, which somewhat separates the development crew between the places. For the sake of getting to know each other, and in case any co-ordination is needed in development, it is better if the whole crew can stay in one building with the freedom to discuss with each other easily. Also, as most of the customer base is in the USA, it will be beneficial to have more developers in the Palo Alto office in California meeting the customers, which will make it easy and fast to provide on-site support.
2 Training Experience

2.1 Joining the WSO2 Family

On the very first day, 28th Feb 2011, all fifteen of us selected to be interns at WSO2 were there; our details were confirmed and we were given new email addresses in the wso2.com domain. Ms. Udeshika Rathnavira introduced us to the company premises, showed us the pantry area, and we were given laptops to use during the internship.

Mr. Samisa Abeysinghe, VP Engineering, WSO2, talked to us in the evening and gave us a lot of valuable thoughts. He emphasized that there are not many rules and formalities in the WSO2 culture and that we are free to use any of the resources there in order to learn, question and suggest anything. He also highlighted that it is in our hands to make full use of the given opportunity, and the importance of the training received during the internship period. The facts he pointed out got engraved in my mind and were a good start. Also on the very first day we were given a task by Mr. Samisa Abeysinghe to complete within a week in groups of five. A simple banking system was built in the very first week by my group, formed with Malith Dhanushka, Hasitha Aravinda, Sumedha Sanjiva and Gokul Balakrishnan. The objective of this task was to get an idea of our Java knowledge and object orientation concepts, and we were informed that a GUI was not needed.

First our group gathered, discussed the specifications related to the domain and drew a class diagram. As everyone needed to code at least two Java classes, we divided the work accordingly and by relevance. SVN was used to host the project, and we developed the system discussing among ourselves and resolving things as they arose.

Mr. Afkham Azeez, Director of Architecture, WSO2, reviewed our code and gave very useful comments to improve ourselves, highlighting the mistakes we had made. He recommended a few web sites and books for reference and emphasized that we should master an IDE, practising the keyboard shortcuts. Effective Java (2nd edition) and Java Pitfalls were among the recommended books.

Soon after, we were assigned projects, and I was given "Implement SAML to XACML", which concerned the WSO2 Identity Server, and we each got a mentor to guide us on the project; my mentor was Mr. Asela Pathberiya, Senior Software Engineer. With the friendly behaviour of all the staff it was a nice place to work, and I found it very special at WSO2 that even a little mistake was not left hanging: it was corrected immediately when noticed. High quality was kept not just at the code level but at all levels of all the processes and environments.

2.2 Induction

Ms. Udeshika Rathnawira, Senior Manager, Administration and HR, with Ms. Hasmin Abdulcader, Director Marketing, conducted an induction programme for the fifteen of us and a few employees who had joined recently. It was a nice discussion done in a very friendly manner that resolved our doubts and introduced us to the company culture. They described to us the flat hierarchy maintained within the organization and how each and every member of the WSO2 family is treated equally. They emphasized that we should call everyone by their preferred first name and not use "Sir", "Madam", "Ayya" or "Akka". Hasmin briefly described the business model of the company and a little bit of history too.

At WSO2, 3.30 pm is set as tea time, and each individual is supposed to come downstairs to the lobby area at that time. She also mentioned that all members used to share experiences and have a chat with fellows while having a snack, and that we should get to know each other in the company. It was really great, and possible because the WSO2 family was only about 150 by that time. Apart from tea time, anyone was also totally free to come to the lobby area, watch TV and have a drink to get refreshed while working. They also told us that there is no dress code and that we are free to dress casually. What I realized with all these was that WSO2 has really made the office as free as home for everyone to work without any difficulty.

We were informed that office hours are flexible, to make life easier, as they know intellectual work cannot be forced.
Working from home is an available option for employees, but as interns we were not given that privilege as it conflicts with the objectives of the internship. Hasmin further explained that as interns we would run into a lot of problems in doing things and would need help from the staff, which is impossible if we stay at home and work. We were told that we are supposed to be at the office between 9 am and 5 pm, and as we worked on it was not hard to stay at the office during that time, as it was such a perfect place to work.

2.3 Development Environment

OS: As an open source company, most WSO2 employees were using Ubuntu, an open source Linux OS, and I too started to use Ubuntu as my primary OS. Installation of software, including the Java installation, was done using the command line and the Synaptic Package Manager, and I got familiar with setting up environment variables in the .bashrc file, which was so different from Windows. Though it was a little difficult to get used to at the beginning, later I found that it is more effective than the Windows OS I was used to.

IDE: I was familiar with NetBeans from university, but as a lot of developers at WSO2 were using IntelliJ IDEA as their IDE, I tried that. The keyboard-centric IDE seemed fine to me, and I continued to master that IDE and worked using it.

SVN: The primary version control mechanism used at WSO2 is SVN. At the beginning the only thing I did was check out code from the WSO2 repo; later, once we were given separate spaces there, I also committed code there and kept it under version control.

Maven: It is a very widely used open source software project management tool from Apache. Almost all the projects at WSO2 are managed using Maven, with the pom.xml that describes the software project being built, its dependencies on other external modules and components, and the build order. That makes the project build process easy. I may have run the command "mvn clean install" more than 1000 times during the internship period to build projects. In fixing dependencies, Maven takes the load off the developer of downloading them and wiring them into the project. Instead it dynamically downloads Java libraries and Maven plug-ins from one or more repositories, reading the pom.xml at build time. Maven provides built-in support for retrieving files from the Maven2 Central Repository and other Maven repositories.
FindBugs: This is a recommended tool for all the developers at WSO2 to use on any code they write. The tool is smart enough to run through our code and, analyzing the patterns, highlight where bugs are possible. To achieve high quality in coding with minimum bugs, this is a great tool to use.

TcpMon: This is a very useful debugging tool that allows viewing messages and resending them. We can set a listening port in TcpMon; it shows the messages that come to the port and forwards them on without any change. I used this heavily in testing the Entitlement Handler.

soapUI: This is a widely used tool at WSO2 for all sorts of tests. It is a free and open source cross-platform functional testing solution. This is also used to trace messages, like TcpMon, and has more features. I needed this in implementing SAML to XACML, as TcpMon was not capable of tracing secured messages.

2.4 Hands on WS-Security

The IS team works mainly on the security of web applications and services. It develops solutions for the growing challenge of managing the identities of employees, vendors, partners and customers across internal, shared and SaaS services. IS is focused on winning this challenge by providing a sophisticated identity solution in an easy-to-implement manner with minimum negative effects on user experience and performance. In achieving this goal, IS uses the latest standards and technologies such as SSO, OpenID, XACML and SAML.

As the project I was assigned to complete was "Implement SAML to XACML", which was totally new to me, I did not know where to start. Also, the only knowledge I had of security was things I had heard on hacking sites, about viruses, etc., and the only solutions I knew were using a user name combined with a secret password that is long and hard to guess, and using a virus guard. Only after a discussion with my mentor, Mr. Asela Pathberiya, did I get to know how vast the subject is, and I got passionate about the project. With the given guidance I started to read the project specification document [4], though I hardly understood it, and then did research on the related technologies and security concepts.
Following are the main concepts to be addressed in any system that is trying to provide security to a web service or an application.

- Authentication: identifying the person correctly
- Authorization: giving individuals access to resources based on their identity
- Confidentiality: ensuring that information is accessible only to those authorized to have access
- Integrity: data cannot be modified or tampered with without authorization
- Non-repudiation: ensuring that a party in a dispute cannot say "I didn't send such a message"

In relation to my project, I understood that IS achieves authorization in a fine-grained manner using XACML policies, and that integrity and non-repudiation are achieved through XML signatures. Username and password were used for basic authentication.

Having these concepts in mind, I was given tasks to begin with to get familiarized with the stuff. At first my mentor recommended that I get familiar with Axis2, and I followed a tutorial in the WSO2 Oxygen Tank [5]. Following are the steps I followed:

1. Wrote a web service and deployed it in Axis2 as a .war file.
2. Got the WSDL file and generated the stub classes.
3. Wrote the client to call the web service using the stubs.

Doing this I got more familiar with the IDE and learned how to fix dependencies, where I always fell into trouble due to some version mismatch or the like.

With this experience I went ahead in getting familiarized with WSO2 IS specific things.
2.4.1 Sample Client for IS

This sample was to show how to authenticate a user and allow that user to access authorized resources (services) using the API of WSO2 IS. Simply put, this simulates a few functions without the browser interface of the server.

Scenario: After authentication, if the user is authenticated and has the admin role, they will have privileges to add or remove XACML policies and evaluate them against sample requests.

Following are the steps demonstrated:

1. Log into the server after authentication
2. Add a policy from the local machine
3. Read the enabled policy of the server
4. Remove a policy
5. Evaluate the enabled policy against a request

I used sample XACML policies and requests to observe the functionality, and while doing that I got familiar with writing XACML policies and requests and understood how fine-grained authorization is achieved.

Here is the pattern of the policies used in testing the functionality:

<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Description>Sample XACML Authorization Policy - 01</Description>
  <Target>
    <Subjects>...</Subjects>
    <Resources>...</Resources>
    <Actions>...</Actions>
  </Target>
  <Rule>...</Rule>
</Policy>
The Target element defines a set of conditions that must be met for the policy to be picked up; the rules are then applied, giving the decision "Permit" or "Deny". With the first-applicable combining algorithm named above, the first rule whose own target (and condition, if any) matches determines the result, so the order of the rules is part of the policy.

Here is how a XACML request looks:

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Subject>...</Subject>
  <Resource>...</Resource>
  <Action>...</Action>
  <Environment>...</Environment>
</Request>

According to the OASIS XACML 2.0 specification:

- The <Subject> element defines who wants access, and it may have many attributes defined inside it as child elements.
- Only one <Resource> element is allowed in one decision request, and it defines the resource the Subject is trying to access.
- Only one <Action> element is allowed in one request, and it defines the action the Subject wants to perform on the Resource (e.g. read).
- The <Environment> element carries attributes, if present, that are not associated with the Subject, Resource or Action (e.g. IssueInstant).

Depending on the policies enabled in the PDP, a request may get the decision "Permit", "Deny", "Indeterminate" (an error occurred during evaluation, for example a missing attribute) or "NotApplicable" if no matching policy is found. A PEP should treat anything other than "Permit" as a refusal.

While working on this I got introduced to the functionality of IS, the coding standards of WSO2 and XACML. I also learnt a few different methods to convert WSDL to Java: using Axis2, in the Maven build, and using the browser UI of the WSO2 Enterprise Service Bus. I share the knowledge I gathered through two blog posts in my personal blog space, on "A sample on calling WSO2 IS
functionalities through the API" (http://pushpalankajaya.blogspot.com/2011/04/sample-on-calling-WSO2-identity-server.html) and "How to convert WSDL to Java" (http://pushpalankajaya.blogspot.com/2011/03/how-to-convert-wsdl-to-java.html).

2.4.2 Entitlement Handler

After writing the above-mentioned sample I got to realize the power of the Identity Server and how much happens when we just hit a button in the nice-looking browser tab. As my next task I got work that made me realize the power of Axis2 more deeply. The task was to refer to the Entitlement Mediator code that already exists in WSO2 IS and build the same functionality as an Axis2 handler.

2.4.2.1 Building the Carbon platform

At first I went through the Entitlement Mediator code and could not understand many things. I read documentation and then decided to understand it by observing its functionality. For that I needed to build the mediator module, and in doing that I learnt a lot of things. Though I could just fix the dependencies needed by the module and build it, my mentor suggested that it would be better to build the whole Carbon platform. It was a challenging experience at the time, as almost all the developers were committing new stuff fast, getting ready for the upcoming release. But finally, when I had finished building the whole Carbon platform, I had a better idea of what Carbon is and how WSO2 products are based on it while being componentized through the OSGi framework. I also got familiar with the pom.xml file used in the Maven build and how to fix dependencies and project properties through it.

2.4.2.2 Remote Debugging

To observe the functionality I needed to get familiar with the remote debugging tool of IntelliJ IDEA, the IDE I used. It was a very helpful feature for debugging and seeing how the code works when there were no "main" methods, as I was used to. For monitoring the messages passing through I got familiar with TcpMon, and I proceeded to understand the Entitlement Mediator using the new tools.
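To make concrete how the policy and request shapes described in 2.4.1 produce a decision, here is an added Python example that is not code from this report or from WSO2 IS: a deliberately small XACML 2.0 evaluator that handles exactly the pieces shown there (a Target made of Subjects, Resources and Actions with string-equal matches, the first-applicable rule-combining algorithm, and the four decision values). The policy, the echo resource and the requests it evaluates are constructed for the example. Anything it does not understand (another MatchId, a Rule Condition, a different combining algorithm) comes back as Indeterminate rather than as a Permit.

```python
"""Minimal XACML 2.0 evaluator for the policy/request shapes in 2.4.1 (added example).

Only string-equal Target matches and the first-applicable combining algorithm
are supported; everything else is reported as Indeterminate, never as Permit.
"""
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
ECHO = "http://localhost:8280/services/echo/"   # resource used in the report's samples (constructed here)


def p(tag):  # policy-namespace qualified name
    return "{%s}%s" % (POLICY_NS, tag)


def c(tag):  # context-namespace qualified name
    return "{%s}%s" % (CONTEXT_NS, tag)


def request_attributes(request_xml):
    """Flatten a <Request> into {(category, AttributeId): [values]}."""
    root = ET.fromstring(request_xml)
    attrs = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        for holder in root.findall(c(category)):
            for attr in holder.findall(c("Attribute")):
                key = (category, attr.get("AttributeId"))
                attrs.setdefault(key, []).extend(
                    (v.text or "").strip() for v in attr.findall(c("AttributeValue")))
    return attrs


def match_holds(match, category, attrs):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>: literal equals some request value."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId %s" % match.get("MatchId"))
    literal = (match.find(p("AttributeValue")).text or "").strip()
    designator = match.find(p(category + "AttributeDesignator"))
    return literal in attrs.get((category, designator.get("AttributeId")), [])


def target_matches(target, attrs):
    """A missing Target matches everything; otherwise every present category
    (Subjects/Resources/Actions) needs one alternative whose matches all hold."""
    if target is None:
        return True
    for category in ("Subject", "Resource", "Action"):
        group = target.find(p(category + "s"))
        if group is None:
            continue
        if not any(all(match_holds(m, category, attrs) for m in alt.findall(p(category + "Match")))
                   for alt in group.findall(p(category))):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """Return Permit, Deny, NotApplicable or Indeterminate for one policy."""
    try:
        policy = ET.fromstring(policy_xml)
        attrs = request_attributes(request_xml)
        if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
            raise ValueError("unsupported combining algorithm")
        if not target_matches(policy.find(p("Target")), attrs):
            return "NotApplicable"            # the policy does not apply to this request
        for rule in policy.findall(p("Rule")):
            if rule.find(p("Condition")) is not None:
                raise ValueError("Condition not supported")
            if target_matches(rule.find(p("Target")), attrs):
                return rule.get("Effect")     # first-applicable: the first matching rule wins
        return "NotApplicable"                # policy matched, no rule did
    except (ValueError, AttributeError, ET.ParseError):
        return "Indeterminate"                # evaluation error, never a silent Permit


# Constructed sample policy: only admin may read the echo service; any other
# request naming the echo service falls through to the catch-all Deny rule.
SAMPLE_POLICY = f"""<Policy xmlns="{POLICY_NS}" PolicyId="urn:sample:xacml:2.0:samplepolicy"
    RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Description>Sample XACML Authorization Policy - 01</Description>
  <Target><Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
    <AttributeValue DataType="{XSD_STRING}">{ECHO}</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-id" DataType="{XSD_STRING}"/>
  </ResourceMatch></Resource></Resources></Target>
  <Rule RuleId="permit-admin-read" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XSD_STRING}">admin</AttributeValue>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:subject-id" DataType="{XSD_STRING}"/>
    </SubjectMatch></Subject></Subjects>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XSD_STRING}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:action:action-id" DataType="{XSD_STRING}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""


def sample_request(subject, resource, action):
    """Decision request in the shape of the report's sample (values constructed by the caller)."""
    def attribute(aid, value):
        return f'<Attribute AttributeId="{aid}" DataType="{XSD_STRING}"><AttributeValue>{value}</AttributeValue></Attribute>'
    return (f'<Request xmlns="{CONTEXT_NS}">'
            f'<Subject>{attribute("urn:oasis:names:tc:xacml:2.0:subject:subject-id", subject)}</Subject>'
            f'<Resource>{attribute("urn:oasis:names:tc:xacml:2.0:resource:resource-id", resource)}</Resource>'
            f'<Action>{attribute("urn:oasis:names:tc:xacml:2.0:action:action-id", action)}</Action>'
            '<Environment/></Request>')


if __name__ == "__main__":
    for who, what in (("admin", "read"), ("guest", "read"), ("admin", "write")):
        print(who, what, evaluate(SAMPLE_POLICY, sample_request(who, ECHO, what)))
    print("other resource", evaluate(SAMPLE_POLICY, sample_request("admin", ECHO + "x", "read")))
```

Run directly, it prints the decision for admin/read, guest/read, admin/write and for a resource the policy does not cover. The catch-all Deny rule is why guest gets Deny instead of NotApplicable: under first-applicable the order of the rules is the policy, and a policy whose Target does not match at all yields NotApplicable, which the PEP must still treat as a refusal.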
2.4.2.3 The Handler

As the Entitlement Mediator is based on Apache Synapse, it has characteristics related to Synapse, whereas the Entitlement Handler is based on Apache Axis2, which gives it different characteristics [6]. In contrast with Synapse mediators, Axis2 modules allow handlers to be interleaved in a smart way using partial orderings, and the policy-driven model of configuring modules (through axis2.xml and module.xml) is unique to Axis2 and allows the handler to be applied selectively at the service level.

With that rough understanding, I started to get familiar with the structure of an Axis2 handler by going through an existing handler in the IS.

With all this I got a better understanding of what needed to be done, and the following is the architecture of the Entitlement Handler.

Scenario: When the Entitlement Module, which includes the Entitlement Handler, is engaged on a particular service, then before letting the client consume the service the handler checks whether the client is authorized to perform that action on the service. What the handler does is:

1. Read the relevant parameters from the Axis2 message context (only UsernameToken authentication is supported for now, so the handler relies on the security phase having already verified the caller's credentials before it reads the username).
2. Build a XACML request from the parameters read.
3. Pass the XACML request to a previously configured PDP and get the decision.
4. Depending on the decision from the PDP, continue the message or drop it without letting it reach the service.
Figure 2.1 Entitlement Handler Structure

2.4.2.4 Packaging the Entitlement Handler

To place the handler in a message path it has to be included in a module. Following are the basic essentials for any Axis2 handler to meet its intended functionality, which I followed.

1. Created the module implementation: there must be a class that implements org.apache.axis2.modules.Module.
2. Created the handlers: there can be one or more handlers, and they can be ordered in module.xml. Each handler class should implement the org.apache.axis2.engine.Handler interface.
3. Created the module.xml as follows:
<module name="EntitlementHandler" class="org.wso2.carbon.identity.entitlement.axis2handler.EntitlementModule">
    <Description>
        The entitlement handler module extracts the user name, resource and action from the
        passing Axis2 message context and creates a XACML request with the details. Then it passes
        the request to the configured PDP and continues or drops the message according to the
        decision from the PDP.
    </Description>
    <InFlow>
        <handler name="EntitlementHandler" class="org.wso2.carbon.identity.entitlement.axis2handler.EntitlementHandler">
            <order phase="EntitlementPhase"/>
        </handler>
    </InFlow>
    <parameter name="remoteServiceUrl">https://localhost:9443/services/</parameter>
    <parameter name="remoteServiceUserName">admin</parameter>
    <parameter name="remoteServicePassword">admin</parameter>
    <parameter name="remoteIp"></parameter>
    <parameter name="decisionEvaluatorClass"></parameter>
    <parameter name="trustStoreLocation">/home/pushpalanka/Installations/wso2is-3.0.1/resources/security/wso2carbon.jks</parameter>
    <parameter name="trustStorePassword">wso2carbon</parameter>
</module>

Deployment configuration of the Entitlement Module was done using the above module.xml file. The parameter values shown are the ones I used on my local machine for testing: admin/admin and the wso2carbon trust store password are the product defaults, so in a real deployment they have to be changed, and the handler should call the PDP with its own service account rather than the administrator's.

A module can be placed in one or more of the following flows of an Axis2 server:

- InFlow: the handler chain that runs when a message is coming in.
- OutFlow: the handler chain that runs when a message is going out.
- OutFaultFlow: the handler chain that runs when there is a fault and the fault is going out.
- InFaultFlow: the handler chain that runs when there is a fault and the fault is coming in.

As seen in the file, the Entitlement Handler is placed in the InFlow, and the module includes only one handler. The flexibility of a module is that, at deployment, the module can be configured for its context by modifying this file. The parameters defined in the file above are read at deployment, and later, when the handler runs, the values read in are used in its functions.

4. Modified axis2.xml to add the custom phase. Here the Entitlement phase is defined after the Security phase, so that by the time the handler runs, the security module has already processed the UsernameToken and the username the handler reads from the message context is an authenticated one.

...
<phaseOrder type="inflow">
    <!-- System pre defined phases -->
    <phase name="Security"/>
    ...
    <!-- System pre defined phases -->
    <!-- After Postdispatch phase module author or service author can add any phase he wants -->
    <phase name="EntitlementPhase"/>
</phaseOrder>
...
5. Packaged it in a ".mar" (Module Archive) with the following format.

Figure 2.2 Inside the .mar file of the Entitlement Handler

6. Deployed the module in Axis2: created a directory named "modules" in the "webapps/axis2/WEB-INF" directory of the servlet container and copied the ".mar" file into it.

7. Added the line <module ref="EntitlementModule"/> to services.xml to inform the Axis2 engine that the module "EntitlementModule" should be engaged for this service. The value of ref has to be the name declared in the module's module.xml; Axis2 cannot engage a module it cannot resolve by that name.

- The Entitlement Handler allows the user to configure it for any other PDP if they are not using WSO2 IS. This is achieved with the help of the flexibility given by module.xml. EntitlementDecisonEvaluator is the interface the user should implement in a class, defining how to call the PDP and get the decision. CarbonEntitlementDecisonEvaluator is that implementation, done for WSO2 IS.

Testing

To test the handler for its intended functionality I used remote debugging and wrote a simple client that uses UsernameToken for authentication, and a service that is secured by a WS-Policy.
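The four steps of the handler above, as an added Python example that is neither the report's Java handler nor WSO2 code: a dictionary stands in for the Axis2 MessageContext (an assumption; its keys username, to and action stand for the authenticated UsernameToken user, the service endpoint and the operation name), the XACML request is built in the same shape as the report's sample, and the decision comes from a pluggable evaluator object playing the role that EntitlementDecisonEvaluator plays in the real module. The AllowListEvaluator and UnavailableEvaluator classes and all inputs are constructed for the example. The point worth taking from it is the failure handling: the message continues only on a literal Permit, and a missing user, a Deny, NotApplicable, Indeterminate or an unreachable PDP all drop it.

```python
"""Enforcement step of an entitlement handler, in Python (added example).

Steps: 1) read caller, resource and action from the message context,
2) build the XACML request, 3) ask a pluggable decision evaluator,
4) continue only on Permit, otherwise drop the message.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
ECHO = "http://localhost:8280/services/echo/"   # constructed sample endpoint


def build_xacml_request(subject, resource, action):
    """Step 2: same shape as the report's sample request. The values come from the
    caller (token, endpoint, operation), so they are XML-escaped before embedding."""
    def attribute(aid, value):
        return (f'<Attribute AttributeId="{aid}" DataType="{XSD_STRING}">'
                f'<AttributeValue>{escape(value)}</AttributeValue></Attribute>')
    return (f'<Request xmlns="{CONTEXT_NS}">'
            f'<Subject>{attribute("urn:oasis:names:tc:xacml:2.0:subject:subject-id", subject)}</Subject>'
            f'<Resource>{attribute("urn:oasis:names:tc:xacml:2.0:resource:resource-id", resource)}</Resource>'
            f'<Action>{attribute("urn:oasis:names:tc:xacml:2.0:action:action-id", action)}</Action>'
            '<Environment/></Request>')


class AllowListEvaluator:
    """Stand-in PDP behind the evaluator interface: an in-memory allow list keyed
    on (subject, resource, action); returns XACML decision strings."""
    def __init__(self, permitted):
        self.permitted = set(permitted)

    def evaluate(self, request_xml):
        root = ET.fromstring(request_xml)

        def value(category):
            node = root.find(f"{{{CONTEXT_NS}}}{category}/{{{CONTEXT_NS}}}Attribute/{{{CONTEXT_NS}}}AttributeValue")
            return None if node is None else node.text
        key = (value("Subject"), value("Resource"), value("Action"))
        return "Permit" if key in self.permitted else "Deny"


class UnavailableEvaluator:
    """Models a PDP that cannot be reached; the handler must fail closed."""
    def evaluate(self, request_xml):
        raise ConnectionError("PDP unreachable")


class EntitlementHandler:
    def __init__(self, evaluator):
        self.evaluator = evaluator

    def invoke(self, message_context):
        """Return (True, "Permit") to let the message continue, (False, reason) to drop it.
        message_context is a dict standing in for the Axis2 MessageContext (assumption)."""
        username = message_context.get("username")
        if not username:                      # step 1: no authenticated caller, nothing to authorize
            return False, "no authenticated username in message context"
        request_xml = build_xacml_request(username, message_context["to"], message_context["action"])
        try:
            decision = self.evaluator.evaluate(request_xml)     # step 3
        except Exception as exc:              # PDP down or malformed answer: drop, never default to allow
            return False, f"PDP error: {exc}"
        if decision != "Permit":              # Deny, NotApplicable and Indeterminate all drop
            return False, decision
        return True, "Permit"                 # step 4: continue to the service


if __name__ == "__main__":
    handler = EntitlementHandler(AllowListEvaluator({("admin", ECHO, "read")}))
    print(handler.invoke({"username": "admin", "to": ECHO, "action": "read"}))
    print(handler.invoke({"username": "guest", "to": ECHO, "action": "read"}))
    print(EntitlementHandler(UnavailableEvaluator()).invoke({"username": "admin", "to": ECHO, "action": "read"}))
```

Swapping AllowListEvaluator for an object that posts the request to a real PDP is the only change needed to move this from an example to a deployment; the handler itself does not change, which is the same separation the module.xml decisionEvaluatorClass parameter provides.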
2.5 Implement SAML to XACML

With the experience gained implementing the Entitlement Handler, I could now understand very well what needed to be done here. With the guidance of my senior mentor, Mr. Prabath Siriwardena, it was found that this can be implemented easily using the open source library OpenSAML, which was already used in IS. I was advised to get familiar with the OpenSAML API before starting the implementation, so I went through several examples and tried to understand the pattern of coding with the API. This exercise was very useful so that I would not get confused when starting the implementation and could focus more on the logic.

Problems

When I started a new project in the IDE and tried to implement it with the OpenSAML library as a dependency, it gave me a very descriptive error message: "OpenSAML requires an XML parser that supports JAXP 1.3 and DOM3. The JVM is currently configured to use the Sun XML parser, which is known to be buggy and cannot be used with OpenSAML. Please endorse a functional JAXP library such as Xerces and Xalan." As the error message states the solution too, I tried endorsing the mentioned libraries in my Java installation. But there was still an error in bootstrapping the OpenSAML library.

Solutions

After trying various other things, my mentor came up with the idea that, as the Identity Server is already endorsed with those libraries to work with OpenSAML, I could start coding inside the source code of IS, build it with Maven and observe the functionality using remote debugging. This was a better solution than bothering to endorse the libraries anew, and it meant there would be no issues later in integrating this with IS, as I was already implementing it inside. Also, fixing the correct dependencies was done automatically by the IS plug-ins, and I got more familiar with the source code of IS.

After getting hands-on experience building XMLObjects using OpenSAML and getting familiar with how the API behaves, I thoroughly went through the specification document again, paying attention to each and every word. I had a few doubts regarding a few things in the specification document, and discussing with my mentor, with the assistance of the IS team too, clarified them all. Figure 2.3 shows the flow from the XACML request until it gets the decision in plain text, with secured inter-server communication.

The first approach was to wrap the XACML request into an OpenSAML XACMLAuthzDecisionQuery (XADQ), which seemed comparatively less complex than the response side. At the PDP the XACML request is extracted only if the signature and the issuer validate correctly, which guarantees that the message has not been altered. The extracted XACML request is then forwarded to the PDP and the decision comes back as a Java string. That string is unmarshalled into a XACML response object of the OpenSAML library and wrapped into a SAML response, which is signed with the private key and carries the certificate. Then at the PEP the message is validated against its signature and issuer, and the decision given by the PDP for the previously sent request is read out.
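The wrap and unwrap steps of the flow just described, as an added Python example that is not the OpenSAML-based IS code: the PEP side builds the XACMLAuthzDecisionQuery envelope with the attributes seen in the sample below (InputContextOnly, ReturnContext, Version, IssueInstant, Issuer), and the PDP side performs the checks that need no key before handing the embedded XACML request on: the element and its Version, a trusted-issuer list, and an IssueInstant acceptance window that rejects replayed or far-future queries. XML signature creation and verification are deliberately not implemented here; in the real flow the signature check comes before the issuer check, and an unsigned query must be rejected. The sample request, issuer string, timestamps and acceptance window are constructed for the example.

```python
"""XACMLAuthzDecisionQuery envelope: PEP-side wrap, PDP-side unwrap (added example).

ds:Signature handling is out of scope here; only the envelope checks that
need no key material are shown.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
for prefix, uri in (("xacml-samlp", SAMLP_NS), ("saml", SAML_NS), ("xacml-context", CTX_NS)):
    ET.register_namespace(prefix, uri)          # keeps the prefixes of the report's sample on output

UTC = dt.timezone.utc
SAMPLE_ISSUER = "https://XACMLPDP.example.com"                               # issuer string from the sample
SAMPLE_ISSUED = dt.datetime(2011, 9, 23, 8, 20, 47, 384000, tzinfo=UTC)    # IssueInstant from the sample
SAMPLE_NOW = SAMPLE_ISSUED + dt.timedelta(seconds=13)                      # constructed PDP clock
SAMPLE_REQUEST = (f'<xacml-context:Request xmlns:xacml-context="{CTX_NS}">'
                  '<xacml-context:Subject><xacml-context:Attribute '
                  'AttributeId="urn:oasis:names:tc:xacml:2.0:subject:subject-id" '
                  'DataType="http://www.w3.org/2001/XMLSchema#string">'
                  '<xacml-context:AttributeValue>admin</xacml-context:AttributeValue>'
                  '</xacml-context:Attribute></xacml-context:Subject>'
                  '<xacml-context:Environment/></xacml-context:Request>')


def format_instant(when):
    """SAML dateTime in UTC with millisecond precision, e.g. 2011-09-23T08:20:47.384Z."""
    when = when.astimezone(UTC)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"


def parse_instant(text):
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(text, fmt).replace(tzinfo=UTC)
        except ValueError:
            continue
    raise ValueError(f"bad IssueInstant {text!r}")


def wrap_query(request_xml, issuer, issued):
    """PEP: put the XACML request inside an XACMLAuthzDecisionQuery carrying the
    attributes seen in the report's sample. The ds:Signature would be added next."""
    query = ET.Element(f"{{{SAMLP_NS}}}XACMLAuthzDecisionQuery", {
        "InputContextOnly": "true", "ReturnContext": "false",
        "Version": "2.0", "IssueInstant": format_instant(issued)})
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = issuer
    query.append(ET.fromstring(request_xml))
    return ET.tostring(query, encoding="unicode")


def unwrap_query(query_xml, trusted_issuers, now=None, max_age=dt.timedelta(minutes=5)):
    """PDP: return (request_xml, None) only if the envelope passes every check, else (None, reason).
    In the real flow, signature verification sits before the issuer check."""
    now = now or dt.datetime.now(UTC)
    try:
        root = ET.fromstring(query_xml)
    except ET.ParseError as exc:
        return None, f"not well-formed: {exc}"
    if root.tag not in (f"{{{SAMLP_NS}}}XACMLAuthzDecisionQuery",
                        f"{{{SAMLP_NS}}}XACMLAuthzDecisionQueryType"):   # OpenSAML 2 emits the ...Type name
        return None, "not an XACMLAuthzDecisionQuery"
    if root.get("Version") != "2.0":
        return None, "unsupported Version"
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or (issuer.text or "").strip() not in trusted_issuers:
        return None, "issuer missing or not trusted"
    try:
        issued = parse_instant(root.get("IssueInstant", ""))
    except ValueError as exc:
        return None, str(exc)
    if not (now - max_age <= issued <= now + dt.timedelta(seconds=30)):   # replay window plus small clock skew
        return None, "IssueInstant outside acceptance window"
    request = root.find(f"{{{CTX_NS}}}Request")
    if request is None:
        return None, "no xacml-context:Request in query"
    return ET.tostring(request, encoding="unicode"), None


def demo():
    """Round trip plus the two envelope failures; returns what each attempt produced."""
    query = wrap_query(SAMPLE_REQUEST, SAMPLE_ISSUER, SAMPLE_ISSUED)
    fresh, _ = unwrap_query(query, {SAMPLE_ISSUER}, now=SAMPLE_NOW)
    _, stale = unwrap_query(query, {SAMPLE_ISSUER}, now=SAMPLE_NOW + dt.timedelta(hours=1))
    _, untrusted = unwrap_query(query, {"https://other.example.com"}, now=SAMPLE_NOW)
    return {"fresh_has_admin": "admin" in (fresh or ""), "stale": stale, "untrusted": untrusted}


if __name__ == "__main__":
    print(wrap_query(SAMPLE_REQUEST, SAMPLE_ISSUER, SAMPLE_ISSUED))
    print(demo())
```

The acceptance window is the piece most often missing in hand-rolled PEP/PDP exchanges: a valid signature only proves who produced the query, not when, so without a bound on IssueInstant a captured query can be replayed for as long as the signing key is trusted.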
Figure 2.3 Flow of secured server to server communication

PEP (Policy Enforcement Point), request side:
  XACML request (String) -> unmarshall -> XACMLAuthzDecisionQueryType (XMLObject) -> set attributes (Issuer, Signature) -> marshall -> XACMLAuthzDecisionQuery (String), sent to the PDP

PDP (Policy Decision Point):
  XACMLAuthzDecisionQuery (String) -> unmarshall -> XACMLAuthzDecisionQueryType (XMLObject) -> validate Issuer and Signature -> get decision for the request -> XACML response (String) -> unmarshall -> ResponseType (XMLObject) -> wrap with DecisionStatementType -> wrap with Assertion including Issuer -> wrap with SAML Response including Issuer and Signature -> marshall -> SAML Response (String), returned to the PEP

PEP, response side:
  SAML Response (String) -> unmarshall -> Response (XMLObject) -> validate Issuer and Signature -> get Assertion -> validate Issuer -> get Statement -> get XACML Response -> get Decision
A sample XACML request used:

<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <xacml-context:Subject>
        <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:subject-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="testissuer">
            <xacml-context:AttributeValue>admin</xacml-context:AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Subject>
    <xacml-context:Resource>
        <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>http://localhost:8280/services/echo/</xacml-context:AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Resource>
    <xacml-context:Action>
        <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string">
            <xacml-context:AttributeValue>read</xacml-context:AttributeValue>
        </xacml-context:Attribute>
    </xacml-context:Action>
    <xacml-context:Environment/>
</xacml-context:Request>
After making the XACMLAuthzDecisionQuery out of the above request:

<xacml-samlp:XACMLAuthzDecisionQueryType InputContextOnly="true" IssueInstant="2011-09-23T08:20:47.384Z"
    ReturnContext="false" Version="2.0"
    xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol">
  <saml:Issuer SPProvidedID="SPPProvierId" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://XACMLPDP.example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="ds saml xacml-context xacml-samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>cf2rlbqqDa5lwvoAKwRcLUxhaco=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AwhSsvaV3Y0Ne97TARUlce5H1bS3F2/MHl7QJ4gVddjsR+O2fvG8Kz0kE9Y6zbA+zotfmPbvK2TgCOz+LVZw2Clcn+4uJ/RZlOSbnlxmQyNgWT2vqMoEf83q+HiLE0afZv42gw1k=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAo+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <xacml-context:Request> … </xacml-context:Request>
</xacml-samlp:XACMLAuthzDecisionQueryType>

Figure 2.4 The Structure of the XACMLAuthzDecisionQueryType: the XACMLAuthzDecisionQueryType element carries the Signature (with its SignedInfo) and the XACML Request.

For the XACML response a sample response was also used, and the SAML response was generated by the same kind of procedure, meeting the constraints given in the OASIS SAML 2.0 profile of XACML, which was a bit more complex than creating the XACMLAuthzDecisionQuery. The input and output look as follows.
A sample XACML response that will come as the decision from the PDP:

<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <xacml-context:Result ResourceId="CE.pakgrid.org.pk:2119/jobmanager-lcgpbs-dteam/dteam">
    <xacml-context:Decision>Permit</xacml-context:Decision>
    <xacml-context:Status>
      <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-context:Status>
    <xacml-context:Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
      <xacml-context:Obligation FulfillOn="Permit" ObligationId="MappingData">
        <xacml-context:AttributeAssignment AttributeId="User" DataType="http://www.w3.org/2001/XMLSchema#string">.poolname</xacml-context:AttributeAssignment>
      </xacml-context:Obligation>
    </xacml-context:Obligations>
  </xacml-context:Result>
</xacml-context:Response>

The response says whether the request is allowed to reach the service or not, as the decision given by the PDP according to the enabled policies. A Permit result can also carry Obligations, as above; the PEP has to fulfil them before it honours the decision.
A sample SAML Response that will come to the PEP from the PDP:

<samlp:Response IssueInstant="2011-09-23T08:24:35.878Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer SPProvidedID="SPPProvierId" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://XACMLPDP.example.com</saml:Issuer>
  <saml:Assertion ID="ohncaenlemlghggmfdncjionjejaimfnpckmaofj" IssueInstant="2011-09-23T08:24:35.809Z" Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer SPProvidedID="SPPProvierId" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://XACMLPDP.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#ohncaenlemlghggmfdncjionjejaimfnpckmaofj">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="ds saml xacml-context xacml-saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>JaEObAc3AhIxT3cdovUIFElsn5E=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>dGRvdBmjOFTNsgHmVreFm400JMYFPHvOq/O3V0EQNad6eeiFU6KAus+1u8FkS7JEg5Q66z2VfKJ7xF+fTwBLhi0fZdFsYJebtuzOld2ostvyXbdL2f5Noxj3p1Ir1Cm3nwR+QK5k9FjT2T6xCw6AdvzcbzFImhsiO/DE1yv2QdY=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwQCUp/oV1vWc8/TrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Statement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
      <xacml-context:Response>…</xacml-context:Response>
    </saml:Statement>
  </saml:Assertion>
</samlp:Response>

Following is the structure of the above SAML Response. Note that the signature's Reference points at the Assertion by its ID attribute, so it is the Assertion (and the XACML Response inside it) that is protected; the outer samlp:Response and its Issuer are not covered by this signature.
Figure 2.5 The Structure of the SAML Response: the SAML Response contains a SAML Assertion, which contains a Statement (of type XACMLAuthzDecisionStatementType) that carries the XACML Response.

In achieving security in server to server communication in this context, the signing process plays a great role. It helps to avoid the following two issues.
  Tampering - information in transit is changed and then sent on to the recipient. The digest recorded in SignedInfo no longer matches the received content, so the signature fails to validate.
  Impersonation - a message that claims to come from the PDP (or the PEP) but was actually produced by someone else. The signature proves origin only when the receiver checks that the certificate in KeyInfo is the one it trusts for the expected issuer, not merely that the signature verifies with whatever certificate is embedded: anyone can sign a message with their own key and embed their own certificate.
  It was noted that adding the signature in this way does not provide confidentiality, which is also not a requirement in this context; anyone who can read the traffic sees the request and the decision.
  The samples above use rsa-sha1 and sha1 digests, which were the library defaults at the time. SHA-1 is no longer acceptable for signatures, and a current deployment should configure rsa-sha256 and sha256 instead.

Completing this project, I got familiar with this concept of signing with public keys and private keys. Though it looks like unreadable scratch to the human eye in the above sample queries and responses, it involves a lot of logic and calculation to provide secure transfer of information.
Figure 2.6 Signing Procedure
  1. Document to be signed: in the Entitlement handler, the SAML Assertion or the XACMLAuthzDecisionQuery.
  2. Calculate the document fingerprint (digest) with a hash algorithm, after canonicalization, so that both sides hash exactly the same bytes.
  3. Sign the fingerprint with the private key (the RSA private-key operation, loosely described as "encrypting" the digest) and set the X509Certificate that carries the matching public key in KeyInfo.
  4. Generate the digitally signed document by embedding the signature into it.

Figure 2.7 Validation Process
  1. Access the received document and the digital signature separately.
  2. Calculate the fingerprint using the same algorithm (and canonicalization) that was used for signing.
  3. Recover the fingerprint sent with the signature using the sender's public key.
  4. Compare the calculated and the recovered fingerprints.
  5. If they are the same, the message has not been altered. The public key used in step 3 must be one the receiver already trusts for the expected issuer; a certificate taken blindly from the message itself proves nothing about who sent it.
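An added example, not code from this report or from WSO2, that carries Figures 2.3, 2.6 and 2.7 through in working Java using only the JDK's javax.xml.crypto.dsig API (the report's handler uses OpenSAML, whose Signer does the same work): the PDP side signs an Assertion shaped like Figure 2.5 with an enveloped, exclusive-C14N, RSA-SHA256 signature; the PEP side verifies it with a key it already trusts, checks that the signature actually covers the Assertion, checks the Issuer, and only then reads the Decision. A tampered copy and a copy signed with a different key are both rejected. The sample message, the class and method names, the ID value _a1 and the freshly generated key pairs (standing in for the keystore credential and its X.509 certificate) are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SignedDecisionExample {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String PDP_ISSUER = "https://XACMLPDP.example.com"; // assumed PDP entity ID

    // Constructed sample with the shape of Figure 2.5: Response > Assertion > Statement > XACML Response.
    static final String RESPONSE =
        "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\" Version=\"2.0\">"
      + "<saml:Issuer>" + PDP_ISSUER + "</saml:Issuer>"
      + "<saml:Assertion ID=\"_a1\" Version=\"2.0\"><saml:Issuer>" + PDP_ISSUER + "</saml:Issuer>"
      + "<saml:Statement xmlns:xacml-context=\"" + XACML_CTX + "\"><xacml-context:Response>"
      + "<xacml-context:Result><xacml-context:Decision>Permit</xacml-context:Decision>"
      + "</xacml-context:Result></xacml-context:Response></saml:Statement></saml:Assertion></samlp:Response>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element assertionOf(Document doc) {
        Element a = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        a.setIdAttribute("ID", true); // lets the Reference URI "#_a1" resolve to this element
        return a;
    }

    // PDP side (Figure 2.6): enveloped signature over the Assertion, exclusive C14N, RSA-SHA256.
    static Document sign(Document doc, KeyPair pdpKeys) throws Exception {
        Element assertion = assertionOf(doc);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + assertion.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // A real handler puts the X509Certificate here; a bare public key stands in for it.
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(pdpKeys.getPublic())));
        // ds:Signature goes right after the Assertion's Issuer, where the SAML schema places it.
        Element issuer = (Element) assertion.getElementsByTagNameNS(SAML, "Issuer").item(0);
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(pdpKeys.getPrivate(), assertion, issuer.getNextSibling()));
        return doc;
    }

    // PEP side (Figures 2.3 and 2.7): verify with the pinned PDP key, check the issuer, then read the decision.
    static String verifyAndGetDecision(Document doc, PublicKey trustedPdpKey) throws Exception {
        Element assertion = assertionOf(doc);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != assertion)
            throw new SecurityException("expected exactly one Signature, directly under the Assertion");
        // The trusted key comes from the PEP's own configuration; KeyInfo on the wire is ignored.
        DOMValidateContext ctx = new DOMValidateContext(trustedPdpKey, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new SecurityException("signature does not validate");
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertion.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("signature does not cover the Assertion");
        Element issuer = (Element) assertion.getElementsByTagNameNS(SAML, "Issuer").item(0);
        if (!PDP_ISSUER.equals(issuer.getTextContent().trim()))
            throw new SecurityException("unexpected issuer " + issuer.getTextContent());
        return assertion.getElementsByTagNameNS(XACML_CTX, "Decision").item(0).getTextContent();
    }

    static String serialize(Document doc) throws Exception {
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pdp = gen.generateKeyPair();   // stands in for the PDP's keystore credential
        KeyPair rogue = gen.generateKeyPair(); // some other party with its own key
        String wire = serialize(sign(parse(RESPONSE), pdp));
        System.out.println("decision: " + verifyAndGetDecision(parse(wire), pdp.getPublic()));
        for (String bad : new String[] { wire.replace("Permit", "Deny"), serialize(sign(parse(RESPONSE), rogue)) }) {
            try { verifyAndGetDecision(parse(bad), pdp.getPublic()); System.out.println("accepted?!"); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The order of the checks in verifyAndGetDecision is the point: the signature is validated with a key the PEP chose, the Reference is confirmed to cover the very Assertion whose Decision will be read, and only then is the Issuer compared and the Decision extracted. Reading the Decision first, or trusting the certificate found inside the message, would let a forged or wrapped Assertion through.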
Signing in code level (OpenSAML 2 API; the call-outs of the original slide are kept as comments, and doBootstrap(), buildXMLObject() and IdentityException are the handler's own helpers):

    import java.util.ArrayList;
    import java.util.List;
    import org.apache.xml.security.c14n.Canonicalizer;
    import org.opensaml.saml2.core.Assertion;
    import org.opensaml.xml.io.Marshaller;
    import org.opensaml.xml.io.MarshallerFactory;
    import org.opensaml.xml.security.x509.X509Credential;
    import org.opensaml.xml.signature.KeyInfo;
    import org.opensaml.xml.signature.Signature;
    import org.opensaml.xml.signature.Signer;
    import org.opensaml.xml.signature.X509Certificate;
    import org.opensaml.xml.signature.X509Data;

    private static Assertion setSignature(Assertion assertion, String signatureAlgorithm,
                                          X509Credential cred) throws IdentityException {
        doBootstrap();
        try {
            Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
            // The signing credential is passed to the Signature object because its
            // private key is needed to sign the fingerprint (digest) of the document.
            signature.setSigningCredential(cred);
            signature.setSignatureAlgorithm(signatureAlgorithm);
            signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

            // KeyInfo carries the signer's X.509 certificate so the receiver can validate.
            KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
            X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
            X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
            String value = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
            cert.setValue(value);
            data.getX509Certificates().add(cert);
            keyInfo.getX509Datas().add(data);
            signature.setKeyInfo(keyInfo);
            assertion.setSignature(signature);

            List<Signature> signatureList = new ArrayList<Signature>();
            signatureList.add(signature);

            // Marshall first: the signature is computed over the DOM produced here.
            MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory();
            Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
            marshaller.marshall(assertion);

            // The Signer signs with the built Signature, whose KeyInfo includes the
            // X509 certificate built from the credential.
            org.apache.xml.security.Init.init();
            Signer.signObjects(signatureList);
            return assertion;
        } catch (Exception e) {
            throw new IdentityException("Error while signing the SAML assertion", e);
        }
    }

It should be mentioned that with the OpenSAML library the signing and validation can be done far more easily than the complexity behind the process would suggest.

2.6 Other Technical Experiences

2.6.1 Apache Team

This was voluntary work that I joined out of my interest to learn more about Apache products. It was a wonderful experience in which we were introduced to how to contribute to the ASF. It was done in a milestone pattern: we met at the beginning and had a discussion, guided by Mr. Sagara Gunathunga, Committer/PMC member at The Apache Software Foundation and Tech Lead at WSO2, and set a bi-weekly milestone. Then we met again after two weeks, reviewed what we had done and set the next milestone.

I started my work by trying to write a sample for the Apache Transport SMS module and had to pause it for a while as I got stuck with installing the Java Communication API on my machine. I was advised not to stay stuck on that and to proceed with solving some other issues in the Apache JIRA. I resolved the following documentation issues and wrote a post on my blog on "Documentation patch submission for Apache issues" (http://pushpalankajaya.blogspot.com/2011/09/documentation-patch-submission-for.html), hoping that someone at the beginning of contributing to Apache will benefit from it.
  1. Client.java in UserGuide has syntax errors - https://issues.apache.org/jira/browse/AXIS2-4655
  2. Configuration guide should clearly state the root elements and locations for axis2.xml, services.xml and module.xml - https://issues.apache.org/jira/browse/AXIS2-5069
  3. RESTClient documentation example differs from RESTClient.java source file - https://issues.apache.org/jira/browse/AXIS2-5138

Problem - Installation of the Java Communication API was not successful even when I followed the steps in the guide, and I could not call the web service using an SMS.

Solution - I consulted several senior employees to catch the error and tried a lot of options, including changing the OS to Windows. Finally I found that the developer of the SMS module, Mr. Charith Wickramasinghe, is also an employee at WSO2; he was abroad, so I contacted him via email and got guidance. With that I could resolve the problem.

The following files have to be added to the Axis2-HOME/lib directory, paying attention to matching the versions in use.
  axis2-transport-sms-1.0.0.jar
  axis2-transport-base-1.0.0.jar
  smslib-3.4.1.jar
  mail-1.4.jar

For the Java Communication API installation the following files should be copied to the jre-home/lib/ext/ directory, and if that does not work well, try copying them to Axis2-Home/lib.
  comm.jar
  libLinuxSerialParallel.so
  libLinuxSerialParallel_g.so

As the next step I have to document this properly and submit the patch explaining the procedure; as I gave priority to my main task, this work was a bit delayed. But as getting introduced to the Apache community was the hard part, now I can proceed with this individually even though I am out of the company. So I think I did the right thing in giving priority to my main project, "Implement SAML to XACML", as it was my responsibility, while this was voluntary work that I can continue even later.
2.6.2 Training Sessions

After the release of Stratos, the cloud platform, WSO2 started a weekly training program conducted by senior employees on topics suggested by the rest of the staff and on things recognized as important. It was conducted every Wednesday from 10.30 to 12.30, and in Moodle we could register for the courses we were interested in and learn new things. This was a great opportunity for us to learn from industry experts what is needed in the industry, and I participated in the following sessions.

HTTP Basics - Got introduced to how the web basically works and wrote the first servlet I ever wrote in my life.

WS-Security Basics - Got clarified a few of the security concepts about which I had some ambiguities, and learnt more on PKI.

XML Basics - Learnt that XML is not just typing something with tags and got familiar with namespaces and schema.

2.7 Other Non-Technical Experiences

In addition to the technical exposure I got at WSO2, there were so many activities I got exposed to within the internship period. WSO2 did not treat us differently as interns and gave us all the opportunities to participate in the events organized at the office and enjoy them with the staff.

2.7.1 Demonstration

Before I got my 6 weeks' leave from WSO2 to take part in the MIT-UOM mobile technology incubation program, I did a presentation on the work I had done so far. It was held at the board room of the WSO2 office at #59, attended by Dr. Sanjiva Weerawarna, CEO, Dr. Srinath Perera, senior software architect, and members of the IS team including Mr. Prabath Siriwardena and my mentor Mr. Asela Pathberiya.

I got to know about this just a day before, and anyway it was a challenging experience. I tried to present the Entitlement Handler that I had finished, and while trying to demonstrate it in action it
failed. Later I found that I had forgotten to start the server in debug mode; anyway no one there depressed me, they just encouraged me to continue the presentation, and I explained its functionality without the demonstration.

  This was a nice lesson I learnt for my life, not to panic in such situations, and I am glad that I continued the presentation well without it. I learnt that we should always be prepared because such things can go wrong sometimes, and I am pretty sure that next time I will be better defended against such a situation with backup plans.

I also presented my progress in implementing SAML to XACML, and this initiated a discussion among the board on how things are going to be done and where this implementation is going to reside in the architecture. It was also a very nice experience for me that I could be there and see how things are decided at WSO2, with discussions that are done so informally, giving freedom for anyone to put up their ideas and support ideas with thoughts.

This demonstration is an unforgettable experience of my life; it encouraged me to work hard, and I am so grateful for the opportunity given.

Also there were two training visits from the department during the internship period. The first visit was by Dr. Rapti de Silva and the last one was by Mr. Thilak Fernando from the Department of Computer Science and Engineering. I explained my experience at WSO2 to them, and both of them gave me good feedback and advised me to carry on the good work.

2.7.2 WSO2 Annual Trip

This year the annual trip of the WSO2 family was to Heritance Kandalama, and a lot of events were organized to make it more fun for three days. We had so many luxury facilities there by the courtesy of WSO2 and gathered so many beautiful memories. This was a great chance to meet the office staff in a non-official environment, and they all treated us so friendly. Following are two major activities which were held during the trip and which I enjoyed very much. It was a great gift given by the company for its employees to enjoy with their families, getting rid of day-to-day office work.
Awurudu Games

As it was the Sinhalese and Tamil New Year season, there was an event organized by the company at the hotel premises. It was full of fun Awurudu games, and I too participated in several of them. All the staff members and their family members participated in this event, and catching eggs, passing ice and the adults' bun-eating event were a few of the hits there. All enjoyed the event to the maximum and felt the spirit and beauty of the WSO2 family.

CSR Activity

Being at Heritance Kandalama, we did not just enjoy the luxury and the stay, but also worked for spiritual relief and happiness. Here (http://pushpalankajaya.blogspot.com/p/csr-activity-with-wso2-staff.html) is the blog page I wrote on this experience and the great pleasure I had, having been a contributor in the event.

After the Awurudu games we visited Bellane Oya Primary School, which was a less privileged school; it was an idea of Dr. Sanjeewa Weerawarana, CEO of the company, to help such a school in the area. Funds were raised with contributions from both the company and the employees, and finally volunteers could join in visiting the school, helping them in clearing an area for a playground and checking what else they needed.

They warmly welcomed us when we arrived there, through a very narrow road, and this reminded me of my primary education at Kirindiwela Maha Vidyalaya, which was a bit the same as this school in background, and this really took me back to my childhood. In his address to the school children Dr. Sanjeewa mentioned that a lot of employees of the company were like those kids some time ago and emerged with courage. His intention was to encourage the students, and I am sure that at least a few of them have raised their hopes and courage with that. It would be a great occasion if one of them could make it to WSO2 for their career in the future.