IBM WEBSPHERE SMASH A SEMINAR REPORT
#1

A SEMINAR REPORT ON
IBM WEBSPHERE SMASH


Submitted By: RATHEESH T
COMPUTER SCIENCE & ENGINEERING
SCHOOL OF ENGINEERING
COCHIN UNIVERSITY OF SCIENCE & TECHNOLOGY,
KOCHI-682022
AUGUST-2008

ABSTRACT
In today's market climate, there is increased pressure to build applications quickly to answer the situational needs of the business -- for example, applications to handle specific budget issues, users registering for an event, or the flow of an online transaction. These situational needs are being satisfied more easily than ever before by a growing number of services on the web and revolve around new programming approaches, mainly dynamic scripting languages such as PHP and Groovy. Sometimes the needs of the business call for the creation of strategic core business applications, but more often, an application is needed to fulfill a more tactical need. To make these types of situational applications feasible from a cost/benefit perspective, they should be simple to create, support reuse and sharing of services, and be quickly adaptable as the needs of the group or user change. IBM WebSphere sMash software is a development and execution platform based on the highly-acclaimed public incubator Project Zero (hosted at projectzero.org). WebSphere sMash advances Smart SOA's simplicity and accelerates the alignment of Business and IT by allowing developers to quickly and simply deliver dynamic Web 2.0 based applications, enabling mashups. Using WebSphere sMash, you can:

• Quickly build and deliver situational applications that meet your clients' specific needs
• Leverage REST technology to expose and consume web services and take advantage of your clients' existing SOA investments
• Provide a cost effective solution that complies with key IT operations guidelines around manageability, scalability, and security
• Assemble server-side logic and build user interfaces for your clients using visual tooling


WebSphere sMash provides an agile development environment that supports today's hottest dynamic scripting languages, enables rapid aggregation of disparate services and feeds, and employs RESTful approaches to unleash critical information and services found within a company. This powerful combination allows companies to use technology to extend the reach of SOA, better align with business goals and uncover new opportunities to boost productivity or reach new markets. It also provides the environment for unlocking, transforming and mixing enterprise, departmental, Web and personal systems while enforcing enterprise-class security and governance. IBM Mashup Center stores information feeds from enterprise sources in RSS, ATOM or XML formats to maximize the types of information that can be unlocked and remixed. With the ability to merge, transform, filter, annotate or publish information in new formats, the software helps create a single view of disparate sets of information in minutes. sMash addresses a key part of the browser mashup security issue by keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel. Performance evaluations have shown that SMash can be used in common enterprise mashup applications.
INTRODUCTION
IBM WebSphere sMash is an agile Web application platform for developing and running modern Web applications. WebSphere sMash introduces a simple environment for creating, assembling and running applications based on popular Web technologies. WebSphere sMash is based on the following Web technologies:

• A dynamic scripting runtime for Groovy and PHP
• Application programming interfaces optimized for producing REST services
• Rich Ajax Web user interfaces
• Integration mash-ups and feeds
Chapter 2
THE PROBLEM IBM WEBSPHERE SMASH SOLVES
IBM WebSphere sMash addresses the increased pressure, in the market climate today, to build applications quickly to answer the situational needs of the business. Examples include applications to handle specific budget issues, users registering for an event, or the flow of an online transaction. With this increased pressure in the market climate, many of these situational applications are not being written because they are not affordable or not timely enough. To make this type of situational application feasible from a cost and benefit perspective, applications must have the following characteristics:
• Be simple to create
• Support reuse and sharing of services
• Be quickly adaptable as the needs of the group or user change
WebSphere sMash excels at creating these situational applications by supporting new programming approaches including dynamic scripting, REST, Rich Web Interfaces, and Feeds.
Situational Applications
Situational applications are developed when a developer automates or facilitates a particular business function, process or activity by producing a special-purpose piece of software. In addition to any added capability, that new application can modify, enhance, customize or extend an existing application, or include and combine parts or components (or both) from multiple existing applications. Situational applications have the following characteristics:

• Frequently not recognized outside of the immediate department or business unit
• Built to solve an immediate, specific business problem with little concern whether the application fits other situations
• Developed in the most efficient, quick and easy manner possible
Chapter 3
PROJECT ZERO
Project Zero is a technology incubator project centered around agile development and the next generation of dynamic Web applications. The project introduces a simple environment for creating, assembling and running applications based on popular Web technologies. This environment includes a scripting runtime for Groovy and PHP with application programming interfaces optimized for producing REST-style services, integration mash-ups and rich Web interfaces. Project Zero represents:

• The people that build and use WebSphere sMash
• The incubation of new technology that will deliver in future versions of WebSphere sMash
• The community of third party assets that leverage the WebSphere sMash platform
This community is an experiment in a new way to build commercial software, an approach called Community-Driven Commercial Development. Community-Driven means that we want feedback, insight, suggestions, criticism, and dialogs with the users of Project Zero. This interaction will yield a better solution that targets the problems you have and a technology that truly delivers on its objectives. Commercial development using a transparent development process is enabled via an external web site providing:

• A focal point for all sMash development activities
• Expose the IBM development process to the external developer community
• All design decisions are discussed and communicated via external forums
• Registered users can post comments and feedback to the forums

Blogs

• Development blog with interesting commentary, demos, and opinion
• News blog for project announcements
• Binary Downloads (257,738 and counting…)
• Bug Tracking System (Bugzilla)
• Source code (Subversion)

Chapter 4
FEATURES
IBM® WebSphere sMash provides the following features:

• Application building in the Web 2.0 development style
• Dynamic scripting power and simplicity
• Community-based visual tools to develop business logic
• Visual design editors for constructing rich user interfaces

4.1 SPEED
WebSphere sMash provides the following functions to promote speed in your development process:
Dynamic scripting languages
Increases productivity with reusable components and situational applications that require less time, fewer lines of code, and less specialized skill to produce. WebSphere sMash provides agile programming options using dynamic scripting with very few restrictions. The dynamic scripting languages currently supported are Groovy (for users with a strong affinity for Java) and PHP.
An integrated runtime environment
The application is the server, so no deployment is necessary. Also, WebSphere sMash follows the convention over configuration approach that eliminates unnecessary manual coding. To optimize running agile scriptable applications, the virtual machine has also been enhanced.
Agile applications that perform and scale
As the need, scale, and volume of Web 2.0 situational applications grows, management systems like IBM WebSphere Extended Deployment can help run and manage these agile applications efficiently and cost effectively.
4.2 SIMPLICITY
WebSphere sMash provides the following functions to promote simplicity in your development process:
REST services expose and leverage preexisting content
The popularity of REST is due to its simplicity, which WebSphere sMash provides by using REST to expose and leverage services. Other simple technologies are used to expose feeds (RSS) and access content in other applications (for example HTTP and JMS).
REST-style architecture maintains SOA principles
REST-style architecture embraces both SOA and the Web, enabling a component-centric model in which various server-side and client components can be reused in a scalable but simplistic way.
Assembly-style development produces fast composite applications
For extreme efficiency, you can build applications by assembling existing services and feeds (from both internal and external sources) into composite situational applications. Assembly-style development can be achieved using dynamic scripting (for example, by writing a Groovy or PHP script to catch a feed, merge it, and aggregate it). You can also use a visual assembly editor in the following ways:

Use a visual UI editor, based on the Dojo toolkit, to create AJAX clients and other components.

Use a visual flow-based editor to assemble, combine, and coordinate a series of service calls together into a flow, or to configure components that can connect to other internal or external systems.
4.3 AGILITY
WebSphere sMash provides the following functions to promote agility in your development process:
End-to-end development and runtime environment
You can develop situational applications and components in highly agile ways. Creating assembly-style applications, for example, requires far fewer different development roles than traditional Web development; your work is not handed to multiple people. Also, the end-to-end browser-based tooling enables you to develop on both the client-side and server-side, plus you can deliver front end widgets for other tools that enable you to wire components together.
Component-style development and delivery
WebSphere sMash provides the ability to build reusable building blocks, content, templates, and patterns, and the ability to reuse any WebSphere sMash content in the form of front end widgets.
Integrated environment to manage agile applications
The integrated environment of WebSphere sMash is ideal for cost effectively enabling and managing Web 2.0 applications in highly optimal ways.
4.4 LEVERAGING REST
WebSphere sMash simplifies the task of creating applications using the Representational State Transfer (REST) architectural style. The most important HTTP methods are POST, GET, PUT and DELETE. These are often compared with the CREATE, READ, UPDATE, DELETE (CRUD) operations associated with database technologies. RESTful designs often make use of collections. A collection is a simple model for manipulating a set of resources. Collections have member items that you can add, remove, update and delete. You can also get a list of members in the collection, as shown in the following table.
4.5 APPLICATION AS THE SERVER
With the application as the server, you create an application and run it. There is no packaging or deploying an application to a server; rather the application is the server. When you run a WebSphere sMash application a runtime environment, including an HTTP stack, is included. Applications are maintained with dependency management. Deployment of an application involves installing the application from the repository. All scripts and classes are contained within your application and run within the Java™ process that is started. Any dependency declared in an application is included on the classpath statement. Therefore, you can zip up an application from one machine, copy it to another machine, unzip it and, after the application's dependencies are resolved, you can start it without any traditional deployment needed.
Chapter 5
COMPONENTS OF IBM WEBSPHERE SMASH
IBM® WebSphere® sMash consists of several components that work together to simplify building and deploying applications in a Web 2.0 environment. The following components provide the speed, agility and simplicity of WebSphere sMash.
5.1 APPLICATION BUILDER
The WebSphere sMash application builder is a Web-based tool for developing WebSphere sMash applications. The application builder is itself a WebSphere sMash application, which means you can acquire and manage it the same way you do other WebSphere sMash applications.
5.2 CORE
The WebSphere sMash core provides a simple programming model as a guideline for building Web 2.0 applications using RESTful principles. The programming model allows developers to create RESTful resource handlers using either the Groovy scripting language (available by default) or the PHP programming language. The scripting support in WebSphere sMash allows developers to build applications quickly by following a few basic conventions. For basic database backed applications that have a Create/Retrieve/Update/Delete (CRUD) based interaction, the programming model includes the Zero Resource Model (ZRM) technology to easily model and access data as RESTful resources. Using the engine, you can create the database tables and run the appropriate SQL queries for retrieving the resource representations using either Javascript Object Notation (JSON) encoding or as ATOM feeds for easier integration with AJAX based clients. The engine also supports building rich user interfaces using AJAX technology provided by the Dojo toolkit.
WebSphere sMash includes a data abstraction layer to allow developers to work directly with SQL to query and update data associated with the application. This works with an API to update or retrieve remote resources using, for example HTTP(S) or using e-mail. WebSphere sMash also provides a host of features to secure the application. These features include the standard authentication methods as well as features to do third-party authentication using the OpenID protocol. With WebSphere sMash, you can use filters to remove active content from requests and responses. You can also prevent cross-site request forgery. These features provide secure development of content-centric Web 2.0 applications. The core engine of WebSphere sMash delivers simplicity by providing a command line utility that allows you to manage and create applications and their dependencies. The application structure builds on the convention over configuration theme by using a simple directory and artifact naming convention.
5.3 ASSEMBLE
The WebSphere sMash Assemble component provides the capability to access different services and assemble them into a WebSphere sMash application.
5.4 RELIABLE TRANSPORT EXTENSION
The reliable transport extension allows WebSphere sMash applications to communicate with each other using asynchronous messages.
5.4 DEPLOYMENT
Each WebSphere sMash application is a self contained entity containing all of the components necessary to run the application. This application centric approach removes the error prone task of deploying an application into a server. By adopting an application centric model WebSphere sMash not only simplifies deployment but also maximizes isolation.
Chapter 6
SECURITY CONSIDERATIONS
IBM® WebSphere® sMash implements system-level authentication and authorization. Applications can take advantage of WebSphere sMash security by defining security rules that determine which resources are protected, and how they are protected.
SECURITY RULES
WebSphere sMash security leverages the user service that defines the users and groups referenced in the security rules. Security rules define protected resources. Resources that are not covered by any security rule are not protected. If multiple rules match a given resource, only the first rule defined determines how that resource is protected. Each rule contains the following information:
• conditions: Any supported conditions clause supported by the event handling subsystem. Common patterns will be based upon /request/path and /request/method values.
• authType: The type of authentication: Basic, Form or SSO.
• users: An optional list of users, separated by commas, that are allowed to access these resources.
• groups: An optional list of groups, separated by commas, that are allowed to access these resources.
• roles: An optional list of roles, separated by commas, that are allowed to access these resources.
• csrfProtect: An optional parameter to specify whether this protected resource can be exempted from CSRF protection.
6.1 AUTHENTICATION
IBM WebSphere sMash authentication is based on the Java Authentication and Authorization Service (JAAS), which allows various types of login modules to be added to the programming model without changing the authentication model. The following list contains the types of authentication that are available:

• Basic authentication
• Form-based authentication
• Single sign-on authentication
• Programmatic login authentication
BASIC AUTHENTICATION
Basic authentication is defined in RFC 2617.

Basic authentication security flow
When a request is received for a protected resource:
1. The incoming request is checked for a valid token.
2. If no token is found, the incoming request is checked for user credentials and a login is attempted.
3. If the login is unsuccessful, then the client is sent a 401 status header along with a request for credentials. If the login is successful, then a token is generated for subsequent requests and an authorization check is performed.
4. If authorization is unsuccessful, then a 403 unauthorized status header is returned to the client. If authorization is successful, the protected resource is served.
FORM-BASED AUTHENTICATION
Form-based security flow
You can request a protected resource or an unprotected form login.
Requesting a protected resource
When a request comes in for a protected resource, the following events occur:
1. The incoming request is checked for a valid token.
If a token is not found, then a 302 is sent to the client to redirect it to the login, as defined in the configuration file under the formLogin entry.
If a token is found, then the URI for the protected resource is added as a query parameter to the login URL. The form should post back to itself with an empty action when it is submitted.
2. A login is attempted with the incoming credentials.
If the login is unsuccessful, then the login is returned again with a 200 status code.
If the login is successful, then a token is generated for subsequent requests, and a 302 status code is sent to the client to redirect it back to the original protected resource, which is stored in the postLoginTargetURI query parameter.
3. The incoming request for the protected resource contains a valid token and an authorization check is performed.
If authorization is unsuccessful, then a 403 unauthorized status header is returned to the client.
If authorization is successful, then the protected resource is served.
Requesting an unprotected form login
When a request comes in for the form login, the following events occur:
1. A login is attempted with the incoming credentials.
If the login is unsuccessful, then a login is returned again with a 200 status code.
If the login is successful, then a token is generated for subsequent requests, and a 302 status code is sent to the client to redirect it back to the protected resource, which is stored in the hidden postLoginTargetURI form field parameter.
2. The incoming request for the protected resource contains a valid token and an authorization check is performed.
If authorization is unsuccessful, then a 403 unauthorized status header is returned to the client.
If authorization is successful, the protected resource is served.
If the FormBasedLoginHandler does not receive the parameter postLoginTargetURI, you are redirected to the context root of the application where you can define a default file resource to handle the request.
SINGLE SIGN-ON AUTHENTICATION
WebSphere sMash single sign-on is scoped to the WebSphere sMash application.
Single sign-on security flow
By default, WebSphere sMash single sign-on can be viewed in two types of requests. The first
type of request is the login, and the second type is requests sent to protected resources that can
occur multiple times.
Type 1 request
When a request is made to the single sign-on resource the following events occur:
1. The incoming request is checked for a valid token.
2. If no token is found, the incoming request is checked for user credentials and a login is attempted.
If the login is unsuccessful, then the client is sent a 401 status header, along with a request for credentials.
If the login is successful, then a token is generated for subsequent requests.
Type 2 request
When a request comes in for a protected resource, the following events occur:
1. The incoming request is checked for a valid token.
If a token is not found, then the client is sent a 401 status header indicating that it is not authenticated. This requires the client to authenticate using the SSO authentication resource as described in the Type 1 request section.
If a token is found, then the incoming request for the protected resource contains a valid token and an authorization check is performed.
2. If authorization is unsuccessful, a 403 unauthorized status header is returned to the client.
If authorization is successful, the protected resource is served.
PROGRAMMATIC LOGIN AUTHENTICATION
To enable programmatic login, configure the user registry for either LDAP or file based
repositories. The default user registry is file-based and only requires the zero.users file.
Programmatic login authentication security flow
When a request comes in for an unprotected resource, the following events occur:
1. You call the LoginService.login function with username and password as arguments.
If the login is unsuccessful, then the API returns false indicating that you are not
authenticated.
If the login is successful, then the token is generated, and your credentials are
populated in the GlobalContext and are accessible by the application.
Programmatic logout authentication security flow
When a request comes in for a protected resource, the following events occur:
1. You call the LoginService.logout function with zero arguments.
If the logoff is unsuccessful, then the API returns false indicating you are not
logged out.
If the logoff is successful, then the token is removed, and your credentials are
removed from the GlobalContext and are not accessible by the application.
6.2 OPEN ID AUTHENTICATION
OpenID consumer based authentication provides end users with a single digital identity that they
can use across the internet. It proves that an end user owns an identity URL without externalizing
their password or email address.
OpenID Description
OpenID is completely decentralized, meaning that anyone can choose to be a consumer or identity provider without registering or being approved by any central authority. End users can pick which identity provider they want to use and preserve their identity as they move between providers. The zero.security.openid package provides an OpenID consumer library that allows applications to use OpenID Identity Providers for third party authentication using the IBM® WebSphere® sMash Security Relying Party interface. The following sections of this article provide information about OpenID:
Form-based security flow
You can request a protected resource or an unprotected form login, as described in the following sections.
Requesting a protected resource
When a request comes in for a protected resource, the following events take place:
1. The incoming request is checked for a valid token.
2. If a token is:
   Not found or expired:
      a. A 302 status code is sent to the client to redirect it to the login (as defined in the configuration file under the openidLogin entry).
      b. A login is attempted with the incoming credentials.
      c. The server internally connects to a URL specified in openid_url to determine the OpenId provider.
      d. The client is redirected to the OpenID provider for authentication.
      e. If the login is:
         Unsuccessful, the OpenID Provider's login is returned again.
         Successful, a token is generated for subsequent requests and a 302 status code is sent to the client to redirect it to the original protected resource (or was overridden by the postLoginTargetURI query parameter for the OpenID Login Form).
   Found, then an authorization check is performed.
      a. If authorization is:
         Unsuccessful, a 403 unauthorized status header is returned to the client.
         Successful, the protected resource is served.
Requesting an unprotected form login
When a request comes in for the OpenID login, the following events take place:
1. A login is attempted with the incoming credentials.

If the incoming request for the protected resource contains an invalid or missing token:
   a. A login is attempted with the incoming credentials.
   b. The server internally connects to the URL specified in openid_url to determine the OpenId provider.
   c. The client is redirected to the OpenID provider for authentication.
   d. If the login is:
      Unsuccessful, the login is returned again with a 200 status code.
      Successful, a token is generated for subsequent requests and a 302 status code is sent to the client to redirect it to the protected resource (that was stored in the hidden postLoginTargetURI form field parameter).
If the incoming request for the protected resource contains a valid token:
   a. An authorization check is performed.
   b. If authorization is:
      Unsuccessful, a 403 unauthorized status header is returned to the client.
      Successful, the protected resource is served.
6.3 SECURITY TOKENS
IBM® WebSphere® sMash authentication provides the pluggable token support for various types of security tokens. By default, WebSphere sMash provides simple session based authentication. In addition to session based tracking of user login, WebSphere sMash provides LTPAToken2 support that is compatible with what is included in WebSphere Application Server 6.1. The following sections of this article provide information about the tokens supported and how that support is provided:
Simple token support
By default, WebSphere sMash uses a token based on a session and cookie combination for storing user credentials with the limitation of the token being scoped to a single application.
LTPAToken2 support
Use of LTPA (Lightweight Third Party Authentication) tokens is considered an advanced topic and should not be required for most applications. Another type of token support is LTPAToken2 support. To enable single sign on token sharing across applications or across servers, LTPAToken2 is required.
Default configuration for token support
The cookie that is generated for tokens is scheme specific for SSL based authentication. If the authenticating request is SSL based, the cookie is created with the secure option enabled. If authentication is not SSL based, then the cookie is created with the secure option set to false. This cookie can be used for SSL and non-SSL requests after authentication is performed for a resource that is not SSL protected. The following example shows the default configuration (enabled by default and requiring no additional configuration) used for simple token support:
If WebSphere sMash cannot determine that the client request was actually SSL based (for example a proxy was rewriting the request from secured to unsecured after going through the firewall), then you can override the default value for whether the cookie should be secure.
Chapter 7
PRODUCT OFFERINGS
IBM WebSphere sMash
Production version of the WebSphere sMash platform, that includes a standard IBM commercial license, and is available from the following site: http://www-306.ibmsoftware/webservers/smash/. IBM WebSphere sMash provides stable modules and is available for purchase.
IBM Reliable Transport Extension for WebSphere sMash
Production version of the extended features for WebSphere sMash platform including messaging and reliable communications. Like the IBM WebSphere sMash platform, it includes a standard IBM commercial license, and is available from the following site: http://www-306.ibmsoftware/webservers/smash/.
IBM WebSphere sMash, Developer Edition
A community version of IBM WebSphere sMash. It includes a stable build of WebSphere sMash, and it is free for development and limited deployment from the http://projectzero.org site.
Project Zero
Project Zero is the incubation project for IBM WebSphere sMash. It contains the newest function not yet available in the IBM WebSphere sMash production version. The Project Zero Web site also contains additional tooling for WebSphere available at the http://projectzero.org site. From this community site, users can provide feedback, ask questions, and steer the development effort of IBM WebSphere sMash.
Chapter 8
CONCLUSION
Agile web application platform for developing and running modern web applications. Simple environment for creating, assembling and running applications based on popular web technologies. IBM sMash has an associated incubation project, Project Zero, where users can provide comments and feedback and thereby steer its development process. SMash (for secure Mashup) is the perfect answer for the security of the so-called mashups.
Chapter 9
REFERENCE
1. ibmsoftware/webservers/smash
2. projectzero.org
3. wikipedia.org
Reply
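
The rule semantics stated under SECURITY RULES (a resource no rule covers is unprotected, and only the first matching rule applies) and the 401/403 outcomes of the Basic authentication flow can be modelled and audited as follows. This is an added Python illustration, not sMash code or configuration syntax and not part of the original post; the Rule class, the function names, the sample paths and the reading of a rule with no users or groups as "any authenticated user" are assumptions, and roles are left out for brevity.

```python
"""Constructed model of first-match security rules; not sMash code or config syntax."""
import re
from dataclasses import dataclass

ALL_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})


@dataclass(frozen=True)
class Rule:                          # hypothetical stand-in for one security rule
    name: str
    path: str                        # regex tested against /request/path
    methods: frozenset = ALL_METHODS # tested against /request/method
    users: frozenset = frozenset()   # empty users and groups: any authenticated
    groups: frozenset = frozenset()  # user is allowed (assumption)

    def matches(self, method, path):
        return method in self.methods and re.fullmatch(self.path, path) is not None


def first_match(rules, method, path):
    """Only the first rule that matches decides how the resource is protected."""
    for rule in rules:
        if rule.matches(method, path):
            return rule
    return None


def evaluate(rules, method, path, user=None, user_groups=frozenset()):
    """Status code of the Basic flow; user is None when no login succeeded."""
    rule = first_match(rules, method, path)
    if rule is None:
        return 200                   # not covered by any rule: served unprotected
    if user is None:
        return 401                   # client is asked for credentials
    restricted = rule.users or rule.groups
    if restricted and user not in rule.users and not (user_groups & rule.groups):
        return 403                   # authenticated, but authorization fails
    return 200


def is_looser(first, later):
    """True if `first` admits principals that `later` would refuse."""
    if not (later.users or later.groups):
        return False
    if not (first.users or first.groups):
        return True
    return not (first.users <= later.users and first.groups <= later.groups)


def audit(rules, probes):
    """Report probes no rule covers, and stricter rules hidden by an earlier one."""
    findings = []
    for method, path in probes:
        hits = [r for r in rules if r.matches(method, path)]
        if not hits:
            findings.append(("UNPROTECTED", method, path, None))
            continue
        hidden = [r.name for r in hits[1:] if is_looser(hits[0], r)]
        if hidden:
            detail = f"{hits[0].name} hides {','.join(hidden)}"
            findings.append(("SHADOWED", method, path, detail))
    return findings


# Constructed sample data: the same two rules in two different orders.
BROAD = Rule("any-user", r"/resources/.*")
ADMIN = Rule("admins-only", r"/resources/admin/.*", groups=frozenset({"admins"}))
WEAK_ORDER = [BROAD, ADMIN]          # broad rule first: admins-only never applies
FIXED_ORDER = [ADMIN, BROAD]         # specific rule first
PROBES = [("GET", "/resources/admin/users"),
          ("GET", "/resources/orders"),
          ("DELETE", "/internal/cache")]

if __name__ == "__main__":
    staff = dict(user="alice", user_groups=frozenset({"staff"}))
    for label, rules in (("weak", WEAK_ORDER), ("fixed", FIXED_ORDER)):
        print(label, evaluate(rules, "GET", "/resources/admin/users", **staff))
        for finding in audit(rules, PROBES):
            print("  ", finding)
```

Running the audit over a list of representative method and path pairs before deployment shows which resources fall through to the unprotected default and which restrictive rules are defined too late to take effect.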
#2

I want ppt of IBM WEBSPHERE SMASH