Pankaj Kr

Hi Folks,

I have written a Beanshell script to invoke any Ant task from any Beanshell script. Found it really useful in may day job and ended up writing an article about it. What do you think about the idea of executing Ant tasks from Beanshell scripts? About the script that I wrote? About the article?

Do you think this could be useful to you in any way?

Thanks,
Pankaj Kumar

Check out ssltool utility of JSTK for a Java equivalent of OpenSSL's s_client.

Take a look at http://www.infomosaic.net/.

Here is a definition of Web Service taken fromW3C Web Services Glossary:

A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP-messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.

As per this definition, a WSDL based description of the interface is mandatory.

Another question for RMH:
Some people see Web Services as a better way to develop distributed Object Oriented architectures.
Some people see Web Services only for Service Oriented Architectures.
Certain aspects of Web Services, such as use of HTTP as transport and XML for payload, make it attractive for distributed OOA systems. At the same time, lack of capabilities such as Session, attributes/properties and reliable messaging, makes it hard to build rich distributed OOA systems.
How do you see the future in this regard?

This is question fot RMH.
I often hear people say that Security is a key obstacle in wide spread adoption of Web Services.
It was not until Netscape introduced SSL and HTTPS that commerce on the Web flourished. And despite the criticism of PKI and HTTPS, these technologies solve the problem of Web security in most people's mind.
SSL and other Transport oriented security mechanisms, such as HTTP-Basic and HTTP-Digest authentication, though applicable to Web Services (atleast those involving SOAP over HTTP and not using content-aware routers), are not seen as ultimate solution to the Web Services Security problem. In the beginning, there was some talk of using message level security such as S/MIME, but I don't hear much about that now.
A lot of people expect WS-Security, a specification originally authored by IBM, Microsoft and VeriSign, and now being standardized at OASIS, to solve the issue of Web Services Security once and for all.
That brings me to my questions:
1. Do you think that WS-Security is the right answer to Web Services Security problem? If yes, why? If no, why? What are different forces at work here?
2. What would be a good way to incorporate WS-Security in J2EE Web Services? Are the JAX-RPC handlers the right answer? or should this be pushed down to the J2EE container?
Best Regards,
Pankaj Kumar.

Not having worked with .Net, I am assuming that .Net takes the private key and the public key (as part of the certificate) from Windows certificate store (the same one that you access from IE, Outlook Express and other Windows applications).
If this is so, then you can easily export the certificate (and hence the public key), in a DER or PEM (BASE64 encoded) format (In IE, do Tools --> Internet Options --> Content --> Certificates; then select the certificate and click on Export ). Once you have this, you can import the certificate in a Java keystore using keytool and use it within a Java program to verify the signature.

Originally posted by John Todd:
Do you mean people inside (lets say: inside Nkorea) unable to download products from java site?

No. But if they do download and use in their applications, they might be (depending on the country) breaking laws of their own country.

I quote from my book:

The policy file deafult_US_export.policy, archived within [signed]US_export_policy.jar, specifies the permissions allowed by US export laws. Policy file default_local.policy, archived within [signed]local_policy.jar, specifies permissions that can be freely imported worldwide.
...
If you are within the US and want to use a larger keysize (than the ones allowed by default_local.policy), you can download JCE Unlimited Strength Jurisdiction policy files from Sun's J2SE dowload page ...

What you want to do is to bypass (or customize) the validation of server certificate at your end!
This is certainly doable, but non-trivial. Try the following steps:
1. Write your own X509TrustManager (by subcalssing javax.net.ssl.X509TrustManager) and supply passthru code for validation.
2. Use this trust manager for initializing a SSLContext object.
3. Retrieve a SocketFactory from this SSLContext object by calling getSocketFactory() method.
4. Supply this socket factory to the HttpsURLConnection.setDefaultSSLSocketFactory().
Now, your validation code will (should be!) called and you should be able to bypass the checks!
Let me know if this works. I haven't tried it myself so I would like to know if there is any caveat!

The industry practice, at this stage, is to hire a knowledgeable consultant!

Your numbers are quite close to my numbers ...
Well, encryption is compute-intensive and these numbers do not appear to be unreasonably large. Even if you support multiple users, it is unlikely that they will all be doing encryption at the same time.
To improve performance, you can try these:
1. Use BouncyCastle provider.
2. Use OpenSSL libraries through JNI. (in place of BouncyCastle). You can also try MS libraries if your application runs on Windows.
3. Buy faster CPU. Or even better, buy multi-CPU machines.
4. Buy special cryptographic accelerators.
None of these are really worth the effort unless you are sure that encryption delay is turning away paying customers.

I also ran the CipherTest program with BouncyCastle provider and the time to encrypt a 3MB file is around 1700 milli seconds. With the default provider, it is more than 2600 milli seconds. So, the BouncyCastle provider is certainly more efficient.
And yes, BouncyCastle s/w is free (but read the license for details).

Not sure what you mean by "lot of time"? What CPU does your machine have? What is the input buffer size? what is the observed time?
By the way, I wrote this simple program to take the timing measurements:import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import javax.crypto.Cipher; import java.io.*; public class CipherTest { public static void main(String[] args) throws Exception { long t1 = System.currentTimeMillis(); KeyGenerator kg = KeyGenerator.getInstance("DESede"); kg.init(112); SecretKey sk = kg.generateKey(); long t2 = System.currentTimeMillis(); Cipher cipher = Cipher.getInstance("DESede"); cipher.init(Cipher.ENCRYPT_MODE, sk); long t3 = System.currentTimeMillis(); byte[] dataBytes = readBytes(args[0]); long t4 = System.currentTimeMillis(); cipher.doFinal(dataBytes); long t5 = System.currentTimeMillis(); System.out.println("Key Generation time: " + (t2 - t1) + " ms."); System.out.println("Cipher initialization time: " + (t3 - t2) + " ms."); System.out.println("Data Input time: " + (t4 - t3) + " ms."); System.out.println("Encryption time: " + (t5 - t4) + " ms."); } private static byte[] readBytes(String fname) throws Exception{ FileInputStream fis = new FileInputStream(fname); ByteArrayOutputStream baos = new ByteArrayOutputStream(); byte[] buf = new byte[1024]; int n = 0; while ((n = fis.read(buf)) != -1) baos.write(buf, 0, n); return baos.toByteArray(); } }
And got the following output with a 47KB file:
Key Generation time: 1932 ms. Cipher initialization time: 70 ms. Data Input time: 30 ms. Encryption time: 81 ms.
With an input file of 3MB, the output is:
Key Generation time: 1993 ms. Cipher initialization time: 60 ms. Data Input time: 601 ms. Encryption time: 2774 ms.
I have a 900 MHz Athlon machine and am running JDK1.4.1.
How do these numbers compare with your observations?

You can take some timings within your code to get an idea of which operation is having maximum performance overhead -- is it the cipher initialization or the actual encryption? Do you need to do the initialization for every call? (this would be the case if secret key changes but looking at the code I get a feeling that this may be shared).
You can also try out some alternative libraries -- such as the one from BouncyCastle or one from OpenSSL (in this case, you will have to use JNI to invoke the encryption methods).