mszCool's thoughts and cents revealed : Presentations - Demos - Samples

Windows Azure Tokens and Step-By-Step Guide for Austrian Customers

mszCool — Tue, 15 Dec 2009 18:11:06 GMT

Finally the last few hours I’ve been working on a (German) step-by-step guide for deploying applications to Windows Azure CTP.

For Austrian customers we are offering the last available tokens to enable last possible "free access" to Windows Azure before on January 4th commercial operation starts.

Read here how to get your free token (if you are an Austrian customer, only!!!)

Check-out my step-by-step guide on codefest.at to learn, how-to deploy your first application to Azure!

Merry Christmas and a Happy new Year (the first one:))!

Mario

ARC305 Downloads – My Session @ TechEd Europe in Berlin on “Always Responsive Apps & Services”

mszCool — Wed, 11 Nov 2009 15:46:29 GMT

Right before my session is going to start here in Berlin at 5.30 p.m. I found time to upload my demos and slides. The session is all about approaches and thoughts we implemented in a project together with Frequentis AG, a globally active ISV building solutions for public safety. These solutions span air traffic control, maritime communications, police- and fire-department control and communication etc.

All the approaches and information from the session is from a whitepaper I’ve published earlier and I’ve created together with architects from Frequentis.

I’ve published the PoC which is the demo-solution I use for the session earlier, but for TechEd I updated the PoC the whole solution to Visual Studio 2010 Beta 2.

Click here to download the Proof-of-Concept demo app (VS2010 b2).

Click here to download a PDF of my presentation.

Click here to get to the whitepaper we’ve published with Frequentis.

Important Notes for testing

If you want to test the PoC you need the following bits installed on your machine:

Visual Studio 2010 Beta 2

Microsoft CCR and DSS Runtime Toolkit

SQL Server Express Edition (DB-scripts included in the PoC download)

If you don’t have Microsoft CCR installed, then you can remove the CcrManager.cs class in the AsyncDemo.JobLibrary project in the Shared-folder of the solution. Furthermore you need to remove the references to the Microsoft.Ccr.*.dll assemblies.

Have much fun, I hope you enjoy(ed) my session:)

Identity Interop Update for our Interoperability Council: ADFS v2 and WIF Interop with Sun OpenSSO, Novell Access Manager, CA, OpenID and Sun Metro / WSIT

mszCool — Thu, 05 Nov 2009 13:30:10 GMT

As today we’re going to host our 3rd Microsoft Austria Interoperability Council, I thought that in addition to our existing results we’re presenting today, it’s a good time to publish an update of my Identity Interoperability Demos and samples I created earlier this year.

Furthermore, based on the feedback of members from our interop-council, I’d like to provide a few links with more information on Identity Interoperability between Microsoft Windows Identity Framework (WIF) and Active Directory Federation Services v2 (ADFS v2- both formerly codenamed Geneva Framework and Geneva Server).

The Foundation – OASIS Identity Metasystem

Primarily the foundation for all these interoperability thoughts is the Identity Metasystem vision originally started by Kim Cameron (Microsoft – see article on MSDN). More information on the official standards can be found on the following link:

http://docs.oasis-open.org/imi/identity/v1.0/identity.html

Sun Metro / WSIT Interoperability

The interop-identity PoC I’ve created demonstrates interoperability with Sun Metro / Web Services Interoperability Toolkit. For the PoC you need a Glassfish v2 application sever to host a Java-based Relying Party and integrate this RP with a .NET-based Security-Token-Service (STS) and a .NET-based client. The PoC shows, how you can integrate Java-based services in a Windows-based security-infrastructure based on standards.

Click here to download the lates version of my ID-Interop-PoC

Click here to view my previous blog-entry on how-to setup the PoC

Note, that the download package is a little big larger this time. You don’t need to download any additional bits. Everything including all Java-Pre-Requisites is included, except Microsoft Geneva Beta 2 (click here to download).

Interoperability with CA, Novell Access Manager, Sun Open SSO

While working with colleagues (Michael Steinböck, Dominik Paiha from Microsoft) on a proposal for a customer (who is also a member of the council) on identity interoperability, we’ve collected a number of additional resources on identity interoperability. First and foremost I would like to mention papers on interop between Sun Open SSO, Novell Access Manager and CA.

Click here to download Interop-Whitepapers for ADFS v2 (Geneva)

OpenID Interoperability with Microsoft ADFS v2 and WIF

Also a question continuously asked is the interoperability between the Microsoft-platform and OpenID. Of course OpenID can be used as a means of authentication on top of a WIF/ADFSv2-based STS.

Thanks to Matias Woloski who is working very close with Microsoft’s patterns & practices team, you can find more information and a conceptual view below (click image to enlarge):

Click to read Matias’ blog entry on OpenID integration

Click to get to DotNetOpenAuth, a library for .NET-OpenID-integration

Download .NET Open Auth here

Novell Bandit Project provides Information-Card Interoperability

In partnership with Microsoft, Novell is working on an initiative called “The Bandit Project”. This initative provides components and source code to implement a complete Identity Metasystem-based solution with STS, RP and even identity selectors (DigitalMe) for clients. To get these components to ensure complete interoperability of your Java- and browser-based components and end user experience on Linux, click the link below:

http://www.bandit-project.org/

Identity Interoperability with IBM Tivoli

At last year’s PDC 2008, Vittorio Bertocci and Kim Cameron demonstrated interoperability with IBM Tivoli access manager and ADFS v2 / Geneva Framework.

Take a look at Vittorio’s blog here for more details.

Click to view the session, directly, and get the info from live-demos.

Interoperability between Shibboleth and ADFS

Microsoft published a guide on interoperability between Shibboleth and the Microsoft platform for it’s previous version of Active Directory Federation Services, already. Of course this guide is still available.

Download Shibboleth – ADFS Interop here.

With ADFS v2, Microsoft is implementing the SAML 2 protocol in addition to the WS-* protocols which are available in both, ADFS v2 and the Windows Identity Framework. Having that said, interoperability will be given for Shibboleth and ADFS v2, as well. I’ve found the following references on this interoperability and I’ll continue my search to find or build more concrete step-by-step guides and samples on this kind of interoperability:

Geneva and SAML 2 from Don Schmidt of the identity-team

SAML 2 protocol and Shibboleth Interop-Announcement

Patterns & Practices Identity and Access Guide

Finally I wanted to share one last, extremely important resource. My friend Eugenio Pace from the Microsoft patterns and practices team in Redmond is currently working on a PnP-guide on identity and access management using ADFS v2 and WIF. This guide is currently under development and is published as a open project on www.codeplex.com. That means, feel free to start reading through the guide and provide the PnP team with feedback as much as you can and about all the things you would love to read there.

They are also working on a guidance on how-to implement BOTH, single-sign-on (which is available out-of-the-box in Geneva) and single-sign-off, which is a very special challenge, typically!"

Click here to get to the guides workspace on codeplex.

Click here to get to Eugenio’s blog.

Final thoughts

I think, these are some of the most important pieces of information, architects and developers need when it comes to thinking about identity interoperability. I personally strongly believe in all the parts of the identity metasystem vision and claims-based security. I also see, that most of the vendors are (slowly) moving towards this direction with their products and offerings.

So stay tuned, keep your eye on all these things.

Cheers
Mario

Internet Explorer 8 – All-In-One-Demo for Web Slices, Accelerators and Open Search Integration

mszCool — Fri, 30 Oct 2009 17:23:50 GMT

Today based on some customer project requirements, Max and I together created a very simple and easy-to-understand all-in-one demo to show, how-to integrate Internet Explorer 8 features into your own web sites.

Download the sample web site here!

As for us the localization of the content for our local audience was core, we published the whole documentation in German on our local team-blog including detailed explanations and code-snippets.

Take a look at the article in German on our team-blog here!

Generally speaking, in my opinion these new little gimmicks in IE8 are pretty cool for end users and are more than easy to be integrated into your web pages... and they do not disturb any other browsers, at all. So for me that’s just a win-win-situation...

Microsoft Office 2007 – Update Registration Info Tool for my Cousin…

mszCool — Wed, 28 Oct 2009 22:11:06 GMT

My cousin wanted to update the registration-information specified while installing Microsoft Office 2007. When he asked me I realized, that for the default values of user name and the initials Office 2007 offers a UI – but it doesn’t provide a possibility to update the company name. Furthermore I realized, that PowerPoint reads the information from the Installer-Data registry-hive.

So I created a little tool for him to update all registration information to have the right default values for Word, Excel and PowerPoint (haven’t tested with the other tools;)).

Download the source code for the tool here.

Download the binary for executing the tool directly, here.

I know, it’s not an architect’s job writing such little tools... but almost too often I love doing these little things:)) ... little fun stuff:))

DevCamp 2009 Conference – Key Note on Windows Azure with Step-By-Step Guide in Slides on how-to get your Azure Token!!

mszCool — Thu, 15 Oct 2009 09:35:36 GMT

It was a great pleasure for me to be part of the opening key note at our 3rd Developer Camp conference organized by some of our key partners in Austria (Techtalk, Cubido, CSS and Kentiko).

During this key note we introduced the Windows Azure platform to about 170 developers. Note that I also have a detailed description baked into the slides including screen shots to show you, how you can get access tokens for Windows Azure to test out the platform before the billing starts after PDC this November.

You can download the key note material incl. demos here.

Below are the direct URLs for requesting tokens for Windows Azure and SQL Azure:

Step 0: Register for Microsoft Connect if you haven’t done, yet
https://connect.microsoft.com/profile.aspx

Step 1: Fill out the sourvey “Register for Azure Services” on connect
http://go.microsoft.com/fwlink/?LinkID=129453
Note that for each Live-ID you can fill-out the survey just one time.

Step 2: Register for SQL Azure
http://go.microsoft.com/fwlink/?LinkID=149681&clcid=0x09

Step 3: Usually it takes about 48 – 72 hours before you get the confirmation (depending on the interest of users it might take longer).

Step 4: After you’ve received the keys, sign-in to Windows Azure
http://lx.azure.microsoft.com/fs

Step 5: Activate your Azure Account with the tokens by clicking on the account tab or navigate to it directly and enter your tokens:
https://windows.azure.com/cloud/account.aspx

Step 6: Activate Your SQL Azure Account with the token received by navigating to the SQL Azure homepage
https://sql.azure.com/InvitationCode.aspx

ASP.NET MVC Demo Application – Austrian Re-MIX Conference from October 1st 2009 – Updating (complex) object hierarchies using ModelBinder

mszCool — Fri, 02 Oct 2009 19:17:16 GMT

Yesterday we had our Austrian version of the Re-MIX conference in the Hilton Hotel at Stadtpark in Vienna. It was a great conference combined with a superb architect forum together with Simon Guest, who unveiled his thoughts on cloud computing… but more on that in a separate post, this one is about the ASP.NET MVC session I delivered in the late afternoon in the web dev track!

An ASP.NET MVC Walkthrough & Updating object hierarchies…

In my session “Introducing the ASP.NET MVC Web Development Framework” inspired by Phil Haack’s session at the last MIX-conference I demonstrated, what development with the ASP.NET MVC framework looks like.

Download the sample here

Download the slides here

In the session I created a simple application for displaying, modifying and adding events with event deliveries, from scratch. The following graphic shows the entity data model we’ve been working with:

As you can see, a single Event has multiple deliveries at different locations. While implementing the controller actions for adding new events and modifying existing events I was challenged by the question, “how the model binder updates object hierarchies”. And the point is – it doesn’t, automatically…

Based on Phil Haack’s tip on binding collections on his blog and based on a posting from Graham O’Neale here I completed my idea in this example. Below are the steps for combining the concepts from the previously mentioned blog entries:

1.) In my views for Editing and Adding events, add HTML and script - a table that will be dynamically expanded with new items through JavaScript for each new child-item I want to create (event delivery in my case – the parts in red are the important ones in the view):

<fieldset>
    <legend>Fields</legend>
    <p>
     <label for="Title">Title:</label>
     <%= Html.TextBox("Title") %>
     <%= Html.ValidationMessage("Title", "*") %>
    </p>
    <p>
     <label for="Description">Description:</label>
     <%= Html.TextBox("Description") %>
     <%= Html.ValidationMessage("Description", "*") %>
    </p>
</fieldset>

<table id="DeliveryTable">
    <tr>
        <th>
            Delivery Begin Date
        </th>
        <th>
            Delivery End Date
        </th>
    </tr>
</table>

<script type="text/javascript" language="javascript">

function AddDelivery() {

    // Add a row to the table
    var DeliveryTableBody =
     document.getElementById(
      "DeliveryTable").getElementsByTagName(
        "tbody").item(0);
    var ItemCount =
       DeliveryTableBody.childNodes.length - 1;

    var newChild = document.createElement("tr");
    var col1 = document.createElement("td");
    col1.innerHTML =
        "<input type='text'
         name='Event.Deliveries["
          + ItemCount + "].BeginDate' />";
    var col2 = document.createElement("td");
    col2.innerHTML = "<input type='text'
         name='Event.Deliveries[" + ItemCount +
         "].EndDate' />";
    newChild.appendChild(col1);
    newChild.appendChild(col2);
    DeliveryTableBody.appendChild(newChild);
}

</script>

2.) In my action method for adding events in the EventController I simply was required to update the signature of the action-method with the Form-postback-collection and a separate call to update model as shown below:

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Add(
       [Bind(Exclude="EventId")] Event ev,
       FormCollection postValues)
{
    //
    // Validate incoming stuff
    //
    if (string.IsNullOrEmpty(ev.Title))
        ModelState.AddModelError("Title",
                    "Title cannot be empty!");
    if (string.IsNullOrEmpty(ev.Description))
        ModelState.AddModelError("Description",
        "Please enter a description for your event!");
    //
    // Validation succeeded?
    // If yes, add the event, otherwise
    // return to the view
    //
    if (ModelState.IsValid)
    {
        DataContext.AddToEvent(ev);
        UpdateModel<IEnumerable<EventDelivery>>(
             ev.Deliveries, "Event.Deliveries");
        DataContext.SaveChanges();

        return RedirectToAction("Index");
    }
    else
    {
        return View();
    }
}

3.) When modifying existing items, the whole thing gets more tricky when working with the ADO.NET Entity Framework. Why? Simply because the ASP.NET MVC default model binder, when updating collections, unfortunately clears them and re-fills them with the items posted back in the Form postback-collection. That breaks the ADO.NET Entity Framework association set (the ASP.NET MVC model binder does not know about associations). Now you have two possibilities, either modify the source code of ASP.NET MVC (if possible I would stay with the thing as it gets delivered) or apply a little trick as I did. I just created a temporary Event, filled it from scratch with the postback-parameters and then copied the values to the existing and to new items as below. Of course the whole thing needs refinement (especially when mapping to existing items in collections), but I think it’s at least a starting point!

[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Edit(int eventId,
                 FormCollection postValues)
{
    Event CurrentEvent =
    (from e in DataContext.Event.Include("Deliveries")
     where e.EventId == eventId
     select e).FirstOrDefault();

    if (CurrentEvent != null)
    {
        Event Temp = new Event();
        UpdateModel(Temp, "Event",
           new string[] { "Title",
                          "Description" });
        UpdateModel(Temp.Deliveries,
          "Event.Deliveries",
          new string[] { "BeginDate",
                         "EndDate" });
        CopyEvent(CurrentEvent, Temp);

DataContext.SaveChanges();

        return RedirectToAction("Index");
    }
    else
    {
        ModelState.AddModelError("General", "...");
        return View();
    }
}

I hope that’s a helpful posting for anyone who’s facing the same challenges when working with MVC:) Nevertheless, for those who want to have full control over HTML and want to have better testing possibilities, this framework is the right choice. If you’re rather the “productivity-kind-of-developer”, sticking with web forms might be the more convenient solution...

Presentation at Microsoft TechReady in the US on Always Responsive Applications and Services with samples using CCR (Concurrency and Coordination Runtime) as well as .NET 4.0 Task Parallel Library

mszCool — Fri, 31 Jul 2009 02:00:40 GMT

Today in the morning I gave a presentation at Microsoft’s largest internal conference for employees in Seattle, WA (called TechReady, about 5000-6000 Micorsoft employees are there on technical education).

The presentation I gave is essentially based on the whitepaper I’ve written and we’ve published a few weeks ago together with Frequenits AG on always responsive and scalable apps and services. You can find more details as well as the paper for download here.

While the presentation is strictly confidential, I can publish the demo scenarios. Therefore click the link below if you are interested in a complete scenario that shows asynchronous processing within clients and services as well as across services… of course I do not cover all possible “exceptions”, but it’s a starting point.

Click here to download the demo
(for Visual Studio 2010 Beta 1, only, I will provide a VS 2008 version with CCR-only implementations soon)

The demo scenario supports a few arguments discussed in my whitepaper as well as the presentation:

Performance comparison between Peer-2-Peer and Service-bus based communication metaphors.
Base classes for implementing the Command/Job/Queue patterns discussed in the whitepaper.
And finally – a mapping of these patterns to .NET Framework technologies that definitely help implementing the patterns themselves. I include two implementations, one that uses the Concurrency and Coordination Runtime from the Microsoft Robotics Studio and another one that uses the .NET Framework Task Parallel Library that we are going to publish with the .NET Framework 4.0. To switch between those two implementations, just modify the JobManagerFactory in the AsyncDemo.JobLibrary project to use one or the other implementation.

The project with Frequentis definitely showed me, that Asynchronous programming and thinking is not just for the sake of performance, it’s also for “responsiveness” and “availability”. The neat thing is, that simply by keeping a few things in mind, these things can go hand-in-hand.

Nevertheless, it was very special for me delivering this session at TechReady. Seven years ago, right before I started working for Microsoft in October 2002, Seattle was the place where I attended the first Microsoft conference of my life (and the first conference in the US, at all). And it was in the very same location as TechReady this year – in the Washington State and Convention Center, in the Sheraton Hotel and Hyatt Hotel in Seattle.

My session was in one of the Grand Ball Rooms in the Sheraton with about 100 attendees… and back in August 2002 I had my room in the Sheraton at the Windows .NET Server 2003 conference… at that time I would have never thought that I will hold a session in the same location at any time:) So this was special for me! And I hope it was not for the last time!

.NET Web Developers Road Show – ASP.NET, ASP.NET AJAX and Silverlight 3 in Action… Now Done and we’re back in the Office…

mszCool — Thu, 30 Apr 2009 11:28:35 GMT

Yesterday Max and I had the last delivery of our .NET Web Developers Road Show. Again we applied our new concept of building a complete application in a whole day. This time we built the event management application using...

a data access layer with the ADO.NET Entity Framework
an ADO.NET Data Service for making the data available filtered through some simple business rules.
ASP.NET for the web front facing application that allows users to search and register for events incl. ASP.NET AJAX.
Silverlight for two separate use cases:

a little Events-Photos RIA integrated into the ASP.NET web site
and a full Silverlight application for viewing event statistics and timelines.

Again it was a great pleasure travelling with Max through our country and delivering these sessions together. You can download the complete solution from Codeplex at

http://webdevroadshow.codeplex.com/

including the source-code and the presentation material. Interesting that the presentation is much larger than the source code although we spend most of the time during the events in Visual Studio typing code:)

Have much fun with trying the application and analyzing the source code... but also note that this is a demo application, only, where we made some drawbacks and simplifications in the architecture, of course.

Mario

BigDays 2009 - Presentations and Demos Downloads

mszCool — Wed, 01 Apr 2009 14:51:13 GMT

Yesterday we had the last delivery of our BigDays road show for 2009. It was a pleasure participating for me being a part of this largest road show through Austria, again.

This year I delivered two sessions, one on Windows Communication Foundation and one on ASP.NET web development (the second one together with Alex Duggleby from Security Research). The presentations are available for download under the following two links:

Both sessions were part of an idea Max and I had on developing a complete scenario demo application through all sessions of the track.

Btw. Max delivered great sessions in all developer tracks around the conference - for details take a look at his blog entry;)

The Rent-A-Worker Demo Application

The demo-scenario application was the Rent-A-Worker demo application. We published the whole application as an open-source project on codeplex:

Click here to get to the Rent-A-Worker project!

It is supposed to be used for finding workers and machines and renting them for your own building projects. The application was architecturally built with the following layers in mind. Each session in the track was dedicated to a single layer of the application:

Which technologies did we use for implementing Rent-A-Worker?

This year's BigDays were - based on the feedback from customers last year - focused towards released technologies and not any future technologies. Therefore we built our demo scenario with .NET Framework 3.5 Service Pack 1 in all layers (released in 2008). Below you find the technologies incl. links to downloads for the pre-requisites you need to run, test and extend the Rent-A-Worker demo application:

Visual Studio 2008 Professional Edition or higher

Visual Studio 2008 Service Pack 1

.NET Framework 3.5 and .NET Framework 3.5 Service Pack 1

SQL Server 2008 Express Edition or higher

Microsoft ASP.NET AJAX Control Toolkit

Microsoft ASP.NET MVC (we did not present it, but we included parts)

Microsoft Silverlight Tools and Silverlight SDK

Microsoft Composite WPF Application Guidance

Feedback, Questions?

If you have any feedback to the track, to Rent-A-Worker or the content itself feel free getting in touch with Max and me through our blogs. We would be more than happy about feedback on the whole track, our sessions, demos, contents, about what we should keep doing and what we should stop doing etc.

Cheers
Mario

Identity Interoperability - Geneva Beta 1 STS with .NET Client and Netbeans 6.5 / Metro 1.3 / WSIT / Java client working ... again ...

mszCool — Fri, 23 Jan 2009 17:48:10 GMT

In October I published a posting on Identity Interoperability based on a PoC I created of TechEd Europe Developers 2008 and our local DevCamp 2008 conference. The prototype was based on Codename "Zermatt" on the Microsoft-side and on NetBeans 6.5 Beta 2 as well as Metro 1.3 / WSIT Beta at this point of time... As I had to demonstrate the prototype within a customer engagement I updated the stuff to Microsoft Geneva Framework Beta 1, Netbeans 6.5 RTM and Metro 1.3 / WSIT RTW. Well, there have been some changes which essentially where driving me crazy... therefore I thought I'll give you an update and show, how you can make identity interoperability reality between those platforms with

an active STS based on Geneva Framework Beta 1
a .NET-based client using WCF of .NET Framework 3.5 SP1
a Java-based relying party implemented with Netbeans 6.5 RTM and Metro 1.3 RTW

Again I will discuss all the necessary details for making my samples running on your machine...

Sample Downloads for this posting

First of all, download the samples for this posting which I've updated from Zermatt to Geneva Framework Beta 1 and from Netbeans Beta to Netbeans 6.5 release and Metro 1.3 / WSIT RTW here:

Pre-Requisites

Before you can begin with the action make sure you download and extract the following packages to your local machine. I use the directory "D:\IdentityInterop2008" as a base directory... when you see this in one of the screen-shots map to your local base directory!

Microsoft-side
Java-side
- Java SDK (5 or 6)
- Netbeans 6.5 RTM
- Java Metro 1.3 RTM
- Dom4J 1.x (I have used this one)
- Jaxen (which is a pre-requisite for dom4j)
- Java Cryptography Extensions with support for higher bit-rates

Code Changes from Zermatt to Geneva Beta 1

I had to update my code as there are some not very well documented changes from Zermatt to Geneva Framework Beta 1;) There are two cool blog postings by Yossi Dahan summarizing the breaking changes:

http://www.sabratech.co.uk/blogs/yossidahan/2008/11/from-to-framework.html

http://www.sabratech.co.uk/blogs/yossidahan/2008/11/from-to-framework-part-ii.html

The download of this post also contains the updates of my demos from TechEd Europe 2008 developers...

Installing the Pre-Requisites on Java

As for the .NET-side the installation-process is pretty straight-forward (install Visual Studio and it's SP1 which includes .NET and then install Geneva Framework and you're done;)) I just outline, what you have to do on the Java-side to make things working...

Install Netbeans and install all Netbeans updates. Very important: install Glassfish v2 with Netbeans as well.
Install the Java Cryptopraphy Extensions policy files. for this purpose extract the JCE download and copy it to the files to the following directories:
C:\Program Files\Java\jre1.5.0_15\lib\security
and C:\Program Files\Java\jdk1.5.0_15\jre\lib\security
Make sure that the Glassfish v2 server is configured within your Netbeans 6.5 IDE as outlined in my previous post on this topic.
TRICKY if you've been working with Netbeans beta or RC: in the beta or RC versions of netbeans, the option for selecting .NET 3.5 / Metro compatibility and therefore enforcing the correct WS-* standard versions for the messaging are simply not available... no update install, nothing worked. The reason is very simple: Netbeans pre-releases were shipping with Metro while the RTM of Netbeans 6.5 does not ship with Metro 1.3, anymore...

As you can see, the interoperability option is disabled because Metro is not installed on my Glassfish instance. Therefore we need to install Metro. Unfortunately the documentation on how-to "install" Metro is pretty confusing. It tells to execute an ant-script that installs metro as you can see in the following screen-shot:

That means in a command prompt where I have all the Java environment variables set I execute the following statement:
<antdir>\ant <workdir>\metro\metro-on-glassfish.xml install
After you've executed this command while neither Netbeans nor Glassfish is running and you restart Netbeans, the .NET compatibility option should be available as follows:

Make the .NET-side running on your machine

Now that we have anything installed on the machines we can start making things running on your machines. For the Microsoft-side the first step is installing the certificates in the localhost's certificate store. For this purpose follow these steps:

Start the Microsoft Management Console (Run -> mmc.exe)
Select "File -> Add/Remove Snap In..."
In the dialog that fires up select "Certificates" in the left list.
Select "Computer" and then "Local Computer" in the options for opening the local machine's certificate store.
Import the certificates "localhost.pfx" and "sts.pfx" into the Machines "My" store by right-clicking "Personal" and selecting "All Tasks -> Import". The password for the PFX-files in my pre-requisites folder is password.
After you've imported the certificates into the My-Store, your certificate store should look as follows:
Import both certificates into the "Trusted People"-store as well so that the certificate validation can succeed!
Now start Visual Studio 2008 as administrator (so that WCF can register all listeners while debugging) and open the solution <working-directory>\Simple STS For Active Clients\SimpleSTSForActiveClients-VS2008.sln
For verifying if the Microsoft-side is working, start the projects SimpleActiveSTS-VS2008, ClaimsAwareWebService-VS2008 and NET.TestClient for debugging (or without debugging).
In the Client enter "net" and press enter. Your screen with the running applications should look as follows:

Make the Java-side running on your machine

After you've setup the Java-configuration as outlined before, the only things left are (a) opening and configuring my web service project and (b) configuring the certificates of your Glassfish domain. For this purpose follow these steps to make things running:

For a default configuration of Netbeans 6.5 installations, the first step is taking a look at where your Glassfish personal domain is going to be executed. For this purpose open Netbeans, switch to the "Servers" tab in your solution explorer / project explorer and view the properties of Glassfish:
In the dialog appearing you see, where your personal domain is going to be executed. This is important because this directory contains the *.jks files which are the certificate storage in the Java-solutions:

As you can see in the preceeding dialog, my example domain is running in the "D:\Data\.personalDomain" directory. There you will find two files, the cacerts.jks file (trusted certificates) and the keystore.jks (server certificates).
Now that you know these stores, you need to import the STS' certifcate into the cacerts.jks store. For this purpose you import the STS certificate from the file I provide within the "pre-requisites\sts.cer" file as follows from a Java command prompt:

keytool -import -alias sts -file sts.cer -keystore d:\data\.personalDomain\personalDomain\config\cacerts.jks
Next you need to export the Glassfish domain certificate from the keystore.jks file as follows:

keytool -export -alias s1as -file s1as.cer -keystore "d:\Data\.personalDomain\personalDomain\config\keystore.jks"
Finally the in step 4 exported certificate needs to be imported in the Windows certificate store, again into the Trusted People and the My store of the local machine. The following screen-shot shows the imported certificate in the Windows Certificate store highlighted - note that the certificate will be generated during the domain-creation / installation process and will have your machine-name in it's subject.

The "vaiom" certificate is the "s1as.cer" file I previously exported from the keystore.jks Glassfish store. Note that I have imported it into both, the "Personal" and the "Trusted People" store!
Therefore the next step is modifying a line of code in my STS implementation to match the Glassfish' certificate name for encrypting the SAML token. The following screen-shot outlines the place where you need to do that.

As the previous image shows, the string-constant javaGlassfishCertificateName needs to have the full machine-name in the first part of the common name (highlighted in the image). Note that if your machine is joined to a domain you need to enter the full domain name of the machine name as this is the way Glassfish generates the name for these certificates.
Now update the URL for your NET.TestClient project by opening the configuration "app.config" in the project and modifying the URL of the Java-Web service to match your machine-name and the ports used by Glassfish:
Now start the STS and the NET.TestClient from within Visual Studio (best without debugging by highlighting each of the projects and pressing CTRL-F5).
Next it's time to start the Netbeans IDE and open the project "<workingdir>\JavaNewService" that I am delivering in the downloads.
Verify the configuration by right-clicking the TestClaimsBased node in the Web Services node within Netbeans. The configuration should look as follows:
Now right-click the JavaNewService node in the proejct-explorer of Netbeans and select "Deploy". This should compile the project, start the Glassfish server and deploy the project. The output-window of Glassfish should show the URL where the project is running then as follows:
Now switch to the running NET.TestClient instance, enter Java and press enter (cross the fingers now;))
If your client's output looks as follows then you're fine, everything worked very well:
Switch to your Netbeans IDE and open the Glassfish output window. It should have all the claims extracted from the SAML-token in it's output window as follows:

Now you're done, everything is fine and the identity-interop experiment was successful... hope you enjoyed it and hope that this helps you in the future in your projects...

Have a nice weekend

Mario

Presentation on Microsoft's Software Factories and Modeling Strategy

mszCool — Mon, 22 Dec 2008 11:30:28 GMT

Last week I did a presentation at the technical university of Vienna on Microsoft's strategies for modeling and Software Factories. It was a great pleasure and fun for me to deliver this presentation as we had really interesting discussions afterwards with students on these topics.

Below you can find the assets I produced for this presentation as downloads:

PowerPoint Presentation Download (as PDF)
Simple WCF Service Factory Demo
Simple Test DSL created with the VS 2008 SDK

Although I haven't been blogging a lot about this topic, yet, I strongly believe in this strategy. Especially since I attended the Strategic Architect Forum where Jack Greenfield clarified on some recent developments publicly announced at PDC 2008 last October. The key-questions Jack answered, are for me:

UML and Microsoft - Why did Microsoft change it's perception according to UML and includes UML-diagrams with Visual Studio 2010 now while they were claiming it isn't a core strategy?
Well, simple and pragmatic: my understanding is that we think you can boost your productivity for most software products with factories and DSLs for about 60-80% of the development. For many more "specialized" developments that weren't part of your product-variation planning for some reasons (e.g. ROI) you still need to have structured processes and ways for covering these parts. This is exactly where UML and other general-purpose modeling-approaches can help, definitely. And I think that besides of the fact that customers want us to support UML, that is the major reason for doing so.
How does the future of DSL-Toolkit look like as Microsoft announced OSLO at PDC in October?
I think the easiest way to answer these questions is taking a look at Jack Greenfields and Stuart Kents blog. Click one of the following links below:

So the answer seems to be pretty simple according to these blog-postings: the much richer successor of GAX/GAT will be Microsoft Blueprints. For DSL Tools and Blueprints the product team wants to have a plan in place for smooth migration. But as I personally think that OSLO will take some more time to complete, I think we have some "time-buffer" here. In the meantime I think DSL-tools are a pretty good way to move on;) Currently I am thinking about creating a DSL for Composite WPF which might be a funny think... depends on how much time I have left in my vacation next week:))

Having that said I wish all of you a merry Christmas and a happy New Year;)

Mario

Azure Demo Solution - Cloud Computing Day 2008 Last Week with David Chappell

mszCool — Tue, 16 Dec 2008 20:29:18 GMT

Right immediately after my previous post the next one is following;) Last week on Friday, December 12th, we had a great event together with David Chappell in our new conference center right above our M.I.C. in Vienna.

At this cloud computing day, David gave a great insight on the Cloud Computing market in general and, of course, especially on Microsoft's offerings around the Windows Azure Services platform. David did a great job in talking about the different flavors of platforms that are available on the market from a variety of vendors (especially Microsoft, Amazon, Google and Salesforce.com). Also David was great in explaining the core business and architectural concepts of our own cloud offerings around Azure.

In the second part of the conference day I had the pleasure to once again step up and do a deep-dive coding session (although I shouldn't as an architect... but I still love getting my hands dirty if the topic and the prototype is cool and interesting;)). You can download the demo I presented by clicking the link below. I'd recommend to further read this posting to get an understanding of what I did;)

So I decided to implement a complete scenario to demonstrate some of the core concepts of the Azure Services platform (not touching other parts of the platform such as .NET services, SQL Services or Live Serivces;)). With the scenario I tried to show the following concepts:

Web Roles and Worker Roles and how-to use them.
Queue-based storage and how-to leverage queues for asynchronous communication between web- and worker-roles.
Finally the blob-storage as a means for storing binary data similar to file-systems in on-premise operating systems.

The scenario I decided to implement was a simple shop-application as you can see in the following graphics. The web-role was supposed to be the front-facing part of the shop while the worker-role was intended to process orders submitted through the shop in an asynchronous way. As a simple but nice example for order-processing I decided to use the Office Open XML APIs to generate a Microsoft Office Word 2007-based order-document that gets stored in the blob-storage and made accessible through the web role afterwards.

During the 90 min. demo I started building a simple ASP.NET application with no special things. I used the ASP.NET Session-object for storing my shopping based just for the sake of having a simple start-up for the demo-session without any new concepts. We then even deployed the session on the Azure online platform to demonstrate the admin-UI the current CTP is offering. We did that at the beginning as currently the deployment and configuration-update takes some time on the CTP (about 20 min. ... but unfortunately I then forgot to show the running application).

Hint about a question I got during the presentation on ASP.NET Session-State: of course the ASP.NET session state isn't persistent and therefore available across multiple instances of a web-role. For this purpose you would need to write your own session-state provider that leverages Azure-Table-Store or Blob-Store for getting persistent storage on sessions. There is actually an example of how-to do this for the session provider and even for other providers of ASP.NET such as Membership or Roles API!!! So that's the way of dealing with persistent sessions in Azure:) Hope that answered the question now:)

In the next step we created the Check-Out page that XML-serialized the contents of my Session-based shopping basked (which was a simple list of Product-items) and put it into an Azure Queue-Storage to make this stuff available for worker role instances that asynchronously processed the order (generated documents with Office Open XML APIs).

One question here was about scaling up worker-roles because I used "waiting loops" that where waiting for incoming messages on the loop with thread-sleeps of 10sec.. Of course that wasn't a very scalable approach, I tried to keep it simple. For scaling Worker Roles you have several but in my opinion very well-known approaches. Let me give you just a view of them: spawning threads whenever a new message was received or creating and running multiple instances of worker roles are ways for scaling out at this layer.

Then this brought up a second question - how is it about locking messages that are accessed from the Queue if multiple Worker Role instances (or threads) are running? And well, the answer is simpler than I thought (I didn't know that at the presentation). Actually the queue has mechanisms to avoid "parallel" access to the same message by multiple worker role instances. When you issue a GET-operation onto the queue, it makes (a) makes sure that the sender of the first GET-message that arrives for a message exclusively gets access to the message (we do not need to deal with that) and (b) you can add a HTTP header to your request where you can specify, for how long a message on the queue will be invisible to other requests for retrieving the message. The default-value here is 30 sec. and the max. value is 2 hours in the current CTP. If you just want to access the messages without making them invisible you can use a PEEK instead of a GET-request to the queue.

Afterwards the last question was whether there is a way for a worker role to be notified if a new message is available at the queue instead of querying the queue continuously as we did it in our example! Well, not really without using the .NET service bus and WCF here (I haven't found anything on this)... but the reason is pretty obvious for me, as well. Every storage-concept of the Azure services platform is accessed through REST-style APIs. That means whenever you want to get something from the storage you need to execute an HTTP request against the URL of your storage and that's it. For example, putting a message to a Queue is an HTTP post request with the XML-payload in the body to the Queue's URL. Retrieving a message from the queue and blocking it for a specified period of time is an HTTP GET request to the queue (the default-time is 30 sec. as outlined before) and retrieving a message without blocking it is an HTTP request with a custom verb (PEEK). So it always needs to be a pull-based access instead of being notified. Of course with a combination of using worker roles and WCF-services in the service bus you can "mimick" the behavior of being notified. I know this might be a weakness, but don't forget that we are (a) in an very early stage of the Azure platform and that (b) there are some more sophisticated aspects that allow you implementing more complex communication patterns such as the .NET service bus available which we didn't use at all in our demo.

In the next step we implemented the logic of the worker role that generated the document. We then finally stored the document in the Azure blob-storage which is a kind of a replacement of a file-system as we know it from on-premise operating systems. From this storage we accessed the documents in the last ASPX-page we created back in our worker role...

Well, and after that I was pretty tired because it was a long, hard and risky demo with these CTP-bits... but I am happy that anything worked out and I hope that you finally liked the presentation and the contents of this posting where I tried to also answer some of the questions I got during the demo-walk-through. For me it was great fun doing this in any case - it was a great day with David before lunch and it was so cool walking through this demo which I prepared until about 1 a.m. the evening before... cool stuff and I really believe in this kind of cloud-computing for many scenarios...

If you want to start working with these things, just try to request your access tokens (will take some time) through the following resources:

Azure Services Invitations on the Microsoft Connect platform (connect.microsoft.com) as mentioned during my session...

http://lx.azure.microsoft.com/ which is the official entry point for the Windows Azure serivces platform management console.

https://www.microsoft.com/azure/default.mspx which is Microsoft's official entry-point to the Azure services platform and information on the Azure services platform.

If you have any further feel free commenting on this blog post or contacting me through this blog here;) I'd be happy about any feedback from you:)

Cheers
Mario

TechEd Europe 2008 - Downloads and Architectural Thoughts

mszCool — Tue, 16 Dec 2008 19:32:11 GMT

A little late but nevertheless I managed to publish my demos from this year's TechEd Europe 2008 in Barcelona from my session on the identity meta system applied to real world projects in Austria.

As mentioned, the experience I summarized in the session comes from a project we've been driving in Austria in the electronic health care sector as outlined in issue 16 of the architecture journal in my article.

You can download the demo applications from my session at TechEd by clicking the link below:

Also here you can download the presentation material of my session by clicking below:

Essentially in my presentation I really focused on discussing four things where in my opinion the concepts from the identity meta system vision really helped us implementing our stuff:

Clear separation of concerns
Separation of where authentication happens from where authorization happens enables you switching authentication modes without affecting your back-end services. If authentication happens at all your services, you need to touch all the clients and services for doing so. If you separate authentication out into a Security Token Service you just need to touch your clients and the STS while the services at the back end can remain untouched. In the attached demos you need to work with the NET.SecondTestClient, the mszcool-ActiveSTS and the ClaimsAwareWebService-VS2008 projects to test out what I've shown in my session.
Simplification through Claims
Claims-based security helped us implementing the two-factor authentication that was a requirement for according to the strong data protection law. More on that later in this post.
Building bridges between domains and/or platforms
On the one hand side trust-chains between Security Token Services helped us separating out responsibilities and ownerships given based on political reasons while still remaining an easy possibility to change these responsibilities and ownerships by just merging or splitting STS'es if the political interests changed. On the other hand transformation of tokens from rather proprietary tokens to standardized tokens is another thing where the separation of concerns between authentication (STS) and authorization (Relying party service) really can help. In the attached demo you need to work with the JavaWebHostNew Netbeans 6.5 project as well as the NET.TestClient and the SimpleActiveSTS-VS2008 projects to try things I've shown in my session at TechEd.

Coming back to the second point I outlined above. If you're working with the NET.ThirdClient, the mszcool-activeSTS and the ClaimsSuperTokenService you can try out a simple implementation of our approach for making sure that only things are published into some e-health system if the patient explicitly agrees at leat two times. The model from a business point-of-view was the following:

For getting read access, a patient needs to explicitly authenticate with his e-card when visiting a doctor for a medical treatment at the reception. For the time of the treatment the doctor got read-only access to documents published in a variety of e-health services. For this purpose, the e-card STS issues a standard-token with standard-claims based on the e-card authentication. e-health services do not allow to update any content with this standard-token because the STS does not add a what we called super-token-claim.
For updating content in e-health services the patient needs to explicitly authenticate for each update-process in addition to the previously mentioned, first authentication step. During this authentication the client application sends the previously issued token as a means of authentication to the STS which leads the STS to add a super-token-claim to the issued token. Therefore e-health services detect the presence of the super-token-claim and allow writing / updating content to their storage.

Subsequent graphics should outline what's going on there. Take the first graphic as an example. Here the previously defined process is executed as needed. The client authenticated for read-stuff and gets a token for reading stuff without the super-token-claim. Later during the medical treatment the doctor wants to publish stuff and therefore the patient authenticates a second time. That second authentication includes the previously issued SAML token which leads the STS to include the super-token-claim in the newly issued token. With this newly issued token the client software of the doctor can issue an update on the back end e-health service of the current context.

If one of the authentication steps, either the first or the second one is missing, the STS won't issue a token with a super-token-claim. And therefore the e-health services should and can simply deny access to any updating operation - based on a simple query whether a claim has been added to the token issued by the STS or not. The following graphic demonstrates what happens if the client tries to update content in an e-health services without the first authentication-step so that you can better understand our selected approach and idea:

The neat thing is that the e-health services really just need to query the issued SAML-token from the STS for the super-token-claim. If it's there let updates happen, if not then not;) As simple as that. In classic scenarios they would need to manage sessions, state and all that stuff what is much more complicated.

In my opinion this really shows, how claims-based security (as a part of the concepts from the identity meta system vision) really simplifies complex processes in the security world by separating the responsibility of authentication from authorization and by making authorization as simple as querying standardized tokens for claims.

If you're interested in my approach for building bridges between platforms through the separation of concerns with STS'es and relying parties, just take a look at my previous posting which I created for TechEd 2008 and the local DevCamp conference here...

Any questions - feel free asking me through comments or the contact link here of the blogging-engine;)

Cheers
Mario

DevCamp 2008 - Making Security-Interoperability work with a Zermatt-based Security Token Service (STS), a .NET Client and a Java Web Service hosted in Glassfish

mszCool — Thu, 30 Oct 2008 19:07:05 GMT

(Click here to download my Security-Interop-Sample)
(Click here for downloading the presentation)

While I am here at PDC studying the most exciting new stuff from Microsoft around Software+Services and much more interesting platform-enhancements (Dublin, Velocity, Geneva etc.) I promised about more than a week ago at the DevCamp 2008 conference in Vienna that I will publish some details about a demo on security I've shown in my session about applying concepts from the Identity Meta System Vision in the real world for heterogeneous environments.

The session itself was all about taking the separation of concerns in terms of authentication and authorization that is proposed by federated identity patterns. Furthermore it was about learning, how this SoC can help you solving real world problems when it comes down to implementing security in your solutions.

Click here for downloading the presentation. I'd strongly recommend you do this before moving on in this post!

In the last demo I've shown a Security Token Service (STS) written with Microsoft Codename "Zermatt" that authenticates requests coming from a .NET-based client application through Windows Authentication and transforms the (proprietary;)) Windows-token into a standards-based SAML-token. Why that? Well, non-Windows based platforms won't be able to deal with a proprietary Windows-token for authorizing requests - especially if they're not running on Windows. But they will be able to work with SAML as it is just a signed XML with information about an authenticated user proofed by an identity provider (the security token service). The following picture shows the scenario I've implemented:

In this post I give you a step-by-step guide how-to setup the samples which you find for download under the following link:

Click here to download my Security-Interop-Sample

In the following sections I summarized the pre-requisites and steps you need to complete for making the sample above work!

Installation Pre-Requisites

Microsoft-Part of the Sample

Visual Studio 2008 with SP1 installed
(Service Pack 1 download here)
.NET Framework 3.5 (with SP1 installed)
Microsoft “Zermatt” (now Geneva Identity Framework) CTP
(I have included the version of Zermatt-CTP that I've used for developing the sample in the download so that at later point of times you can try this in an isolated environment without bothering with some breaking changes in Zermatt at first place;))

Java-Part of the Sample

Java2 SDK 1.5.0 with Update 15
Netbeans 6.5 Beta IDE with Glassfish v2
JCE Policy Files installed
Dom4j 1.6.1 and Jaxen 1.1.1 installed
Appropriate Java environment variables set for command prompts. For this purpose I added a sample “Java Command Prompt” batch file to the download (located in the "Pre-Requisites\Java"-directory). You need to adopt it based on your installation-path values on your machine.

Steps to make the Microsoft / .NET Side running:

Install the certificates using Zermatt Samples Utilities
The necessary batch-files for doing so are located in the Zermatt Directory (typically “C:\Program Files\Microsoft Code Name Zermatt\Samples\Utilities”) – execute the SamplesPreReqSetup.bat in a Visual Studio Command Prompt as Administrator.
Run Visual Studio 2008 as Administrator and open the SimpleSTSForActiveClients-VS2008.sln Visual Studio 2008 solution located in the “<your working folder>\DevCamp\Simple STS For Active Clients” directory. This is a modified and extended version of the standard Simple Active STS sample included with Microsoft Code Name “Zermatt”.
Right-click the solution and configure the startup-projects so that the STS, the .NET-based test service and the test-client start-up as shown in the following screen-shot:
Try the solution by pressing CTRL-F5 in Visual Studio to run everything without debugging. Important is that you follow the following steps in the running applications:

In the “ClaimsAwareWebSErvice-VS2008”-project enter “1” to take the included simple active STS as a security token service.
In the client application type in “net” to call the .NET-based service and verify whether the STS and the .NET-based service as well as the client are working properly on your machine!

Make the Java-Side working

Now, after the .NET-based solution is running, we can move forward by making the Java-version of our claims-based web service running. For that purpose follow the subsequent steps:

First of all run Netbeans Developer studio as administrator and make sure that all application server references are registered with your IDE. With the Netbeans 6.5 beta I’ve installed, just Glassfish v3 was included in the server list. So you need to add Glassfish v2 (which is the one I’ve tested the service with) to your services list. For that purpose follow the next sub-steps but note that by default Netbeans should create a personal domain during the installation of the IDE:

In the left panel switch to the services tab and open the “Servers” tree-view element.
Right-click the “Servers”-node and select “Add Server”
Select “Glassfish V2” from the list and leave the name below as it is.
Create a personal domain for the application server that will install some configuration files in your local user profile. These files also will include the certificate store for your development instance of the app-server.
Select a folder for the development domain where you would like to install the configuration files to as shown in the following screen (note that there it will be “D:\Data\.testDevDomain” which is what I will refer to later on, as well)
Then you will have to select an administrator user name and a password and afterwards you will need to specify the ports on which the server is running. Make sure that nothing else runs on these ports and note the ports as you will need them later on.

Then open the Java-project I’ve included in the samples-download. This project is located in the “<your working folder>\DevCamp\JavaWebHostNew” directory. Just let Netbeans point to that directory in the open-project dialog and it will detect that this is a Netbeans-project, automatically.
You probably will need to update a few references to point to dom4j and Jaxen as I use these libraries for some XML processing in the test application. Netbeans will warn you if you need to update the references. If so, switch to the “Projects” tab in the panel on the left, navigate to your project “JavaWebHostNew” and within there on the libraries-node. Right-click the “Libraries”-node and select “Add Jar / Folder” from the context menu. Add the “dom4j-1.6.1.jar” and the “jaxen-1.1.1.jar” files as libraries this way to your project. I’ve included them in the download in the “<your working folder>\DevCamp\Pre-Requisites\Java” directory”. Also remove all broken references from the project by right-clicking the project and going to the properties:
After all libraries and references are set-up correctly, you should be able to compile the solution using Netbeans, successfully. Next we can start configuring the application server appropriately to make this stuff running.
Next we need to install the Java cryptography policy extensions (JCE) with Java to be able to work with our certificates. For this purpose copy all files from the “<your working folder>\ DevCamp\Pre-Requisites\Java\jce”-directory to the “C:\Program Files\Java\jdk1.5.0_15\jre\lib\security”-directory and overwrite all files.
Now we need to install certificates for the two sides of the application – first the Java-service needs to be able to trust the STS and therefore it needs to have the STS’s public key in its trusted certificates store and second the .NET client and the STS need to have a way to trust the Java service and therefore we need to export the public key from the Java service’s certificate and import it into the Windows certificate store.
To ensure, that the Java-service is able to trust and validate tokens issued by the STS, execute the following steps on your machine.

Export the STS certificate from the Windows certificate store as DER-encoded file. Only export the public key. Store the file to a directory of your choice. The certificates are installed in the personal store of the local computer by the previously executed Microsoft Code Name Zermatt Samples Batch-file utilities when setting up the .NET based solution, before. You can get to the machine’s certificate store by starting a management console (mmc.exe) and selecting “File – Add / Remove Snap-In” and then select “Certificates” from the list, click the “Add >” button and then click okay. Make sure that you select “Computer Account” and “Local Computer” when adding the snap-in. You’ll find the certificate as shown in the following screen-shot:
Import the STS-public key certificate in the trusted certificates store of your Glassfish personal domain by executing the following command (typically the password you have to enter is changeit by default):
keytool -import -alias sts -file sts.cer -keystore "d:\Data\.testDevDomain\config\cacerts.jks"

Next we need to ensure that the STS and the client can trust the Java service. For this purpose we need to export the Java service’s certificate and import it in the Windows certificate store. To do so, follow these steps:

Execute the following command to export the default service certificate from glassfish with its public key. This certificate is typically called s1as.
Now import the certificate in the personal store of the local computer of the Windows Certificate store. Also import the certificate into the trusted people store so that the validation of the certificate can succeed.

Before we test the web service solution we need to make sure that the correct WS-Policy configuration is set for the Java Web Service. For this purpose open the “Web Services”-node in your Netbeans-project and double-click the “JavaTestService” Web Service in the project. In the designer then click the “Advanced…” button to open the web service configuration dialog and make sure that it looks as shown in the following two screen-shots:
Finally you can un-deploy and deploy the new service to Glassfish as shown in the following screen-shot.
It’s important that you note the URL on which your web service is listening depending on the ports you configured for your Glassfish application server instance and development-domain. Typically this should appear in the output-window within the Netbeans-IDE for Glassfish as shown in the following screen-shot:

Final steps and then running the application

After you have configured Glassfish, configured the Java Web Service and deployed it, successfully, you can try the interoperability solution between Java and .NET. For this purpose you need to update the .NET test-client’s configuration to point to your running Java web service and then run the application. The URL to the Java-service is configured in the client’s App.config (NET.TestClient in my sample solution) as shown in the following screen-shot:

Just one last step before running it – you need to update the STS so that it encrypts the SAML-token with the certificate of your Glassfish Java Web service. As these certificates are re-generated for each machine you need to update my code in the sample to make it work. Update the certificate-name in the project “SimpleActiveSTS-VS2008” of my solution in the file “MySecurityTokenService.cs” and change the common name of the certificate to yours (you should only need to replace the machine-name part of the common name which is “vaiom” in my sample and should be “yourmachinename” in your environment):

After you have updated this one you can try to run the solution and instead of calling the .NET-based service you can call the Java-service by entering “java” instead of “net” when the client asks you which web service it should call. The following screen-shot shows the resulting application in action.

In the console-windows you can see the .NET-based applications running: the claims-aware web service which is not called in this scenario, the security token service which issues a SAML-token based on the Windows identity the client authenticates with and the client itself that calls the Java service this time. In the background you can see the Netbeans IDE with the Glassfish output Window where clearly the Java application outputs the contents of the SAML token it gets passed from the STS. That SAML token just contains claims extracted from the Windows-token the client authenticated with against the STS. And that way we managed to make security-interoperability happen by transforming a proprietary Windows-token to a standardized SAML-token through an STS and give Java access to the contents of the Windows-token. Of course the Java-application could run on a Linux-box as well and still you would be able to use Windows and AD as the primary identity management system for managing users, groups etc. and include Java-services (or other services) running on any OS with your security-infrastructure as they don’t need to know about any details of the security infrastructure. The only thing they need to know is the Security Token Service which proofs the fact that the user has been authenticated successfully by passing a signed SAML-token through the client to the Java-service. In my opinion that shows one of the things that unveil the real power of a federated identity infrastructure based on the WS-* standards...

If you have any feedback or questions, feel free getting in touch with me through my blog;) ... of course I'd be happy about any feedback:)

Cheers
Mario