Experience at WSO2 as an Intern
UNIVERSITY OF MORATUWA
Faculty of Engineering
Non-GPA Module 399: Industrial Training
TRAINING REPORT
Name : M.K.P.R. Jayawardhana
Registration Number : 080201N
Field : Computer Science and Engineering
Training Establishment : WSO2 Lanka (Pvt) Ltd
Training Period : (28.02.2011 to 24.06.2011) and (12.08.2011 to 23.09.2011)
Date of Submission : 01.10.2011
Page | - 0 -
PREFACE
This document is presented at the end of the internship period I had from 28th February 2011 to
23rd September 2011 at WSO2 Lanka (Pvt) Ltd, No. 59, Flower Road, Colombo 07, as a trainee
software engineer. The document is arranged into three main chapters that present different
aspects of the training I received: basic information about the establishment, detailed
information on the training I received, and my personal views on the internship period
considering the whole experience.
The first chapter is dedicated to information on the training establishment. Without a good
understanding of the company's functions, procedures, organizational hierarchy and structure,
it is difficult to work comfortably with the staff and get things done in the correct way. To
make my maximum contribution while learning from the company, I needed a good understanding of
the business the company is involved in and of the technologies, development standards and
models it follows. This chapter also includes my personal assessment of the current performance
of WSO2.
The second chapter is dedicated entirely to the experience I had during the internship period.
This includes all the technical work I was exposed to as well as the non-technical experiences.
It describes how I completed the tasks I was given and how I resolved the difficulties I came
across while doing them. In explaining the tasks, the implementations are mostly described using
diagrams, which I feel is the best way to present them, and the samples I actually used for
testing, together with their outcomes, are given at the relevant places. This technical section
describes in detail the functionality of the Entitlement handler and the implementation of SAML
to XACML in the WSO2 Identity Server, with an introduction to the tools I used and the security
concepts I became familiar with while doing that. The technologies I was exposed to are also
discussed, along with what I have learnt from them. The non-technical experiences such as trips
and WSO2Con-2011 are described considering the great effect they had on building a professional
personality in me and on getting to know more of the staff, the company and industry practices.
In the third chapter, I discuss the effectiveness of the training as a whole and my personal
feelings towards it. It also provides a personal assessment of my own experience and of the
whole industrial training programme, from coordination to the end, with suggestions for
improvement.
ACKNOWLEDGEMENTS
At the very beginning of this report on my work in the internship period, it is my privilege to
thank the people who contributed to making it such a great experience for my life. If not for
their support, from arranging training establishment selections to the successful completion of
the 24 weeks, it would not have been this effective.
I heartily thank Ms. Vishakha Nanayakkara, the former Head of the Department of Computer
Science and Engineering, University of Moratuwa, for the immense effort taken to provide us
with the best training establishments. The guidance given on how to extract the value of this
internship period was also invaluable. I am also grateful to Dr. Malaka Walpola, the Industrial
Training Coordinator, for the huge commitment shown in making sure each and every student got a
training establishment. The support given by resolving our selections, organizing mock
interviews, coordinating with the industry and giving friendly guidance whenever needed is
incomparably great.
I must also thank all the members of the Industrial Training Division of the University of
Moratuwa and NAITA (National Apprentice and Industrial Training Authority) for guiding us from
the very beginning and for the work carried out throughout our internship period to make it a
success, giving us a complete experience in the industry.
I am very grateful to Dr. Sanjiva Weerawarana, Founder, Chairman and CEO of WSO2, for giving
us this invaluable opportunity to learn in an internationally recognized company within a
friendly environment. I would then like to thank Mr. Supun Kamburugamuva, Technical Lead, and
Mr. Selvaratnam Uthaiyashankar, who interviewed me and recommended me for the internship at
WSO2. I am also thankful to Mr. Samisa Abeysinghe, VP of Engineering, for the guidance given on
how to improve and proceed using the resources provided, and for giving us the opportunity to
feel the beauty of a technical career by assigning appropriate responsibilities. I am thankful
to Ms. Udeshika Ratnavira, Senior Manager, Administration and HR, for the friendly support given
in any issue I came up with. The work done in coordination with the university and in making us
a part of the WSO2 family is really appreciated.
I am very grateful to the IS (Identity Server) team for all the support given throughout my
stay at WSO2. I specially thank Mr. Asela Pathberiya, Senior Software Engineer and the mentor
assigned to me, for the immense support and guidance given in completing any task given to me.
I highly appreciate the support given at any time, despite the busy schedules, and am so
grateful for the kind clarifications given whenever I was stuck. I am also thankful to Mr.
Prabath Siriwardena, Architect & Product Manager, Carbon Platform & Security, for the great
selection of work assigned to me. The flow of work assigned to me was well organized so that I
could grow step by step. I am thankful to the whole IS team, including Mr. Thilina Buddhika and
Ms. Hasini Ganasinghe, for the friendly environment and support given throughout my internship
period.
I am thankful to each and every member of the WSO2 family, technical, non-technical and
support staff, for the friendly environment provided and for being a helping hand whenever
needed. I did not have to worry about any technical or non-technical issue, as there was always
someone I could get help from or ask for guidance.
Thank you very much everyone for making this internship period such a fruitful experience for
my life, widening my horizons!
Table of Contents
1 Introduction to the Training Establishment 1
1.1 WSO2 Incorporated 1
1.2 Evolution of WSO2 3
1.3 WSO2 Vision 3
1.3.1 Reinvent the Technology 3
1.3.2 Reinvent the Business Relationship 4
1.3.3 Reinvent the Support Model 4
1.3.4 Create a Great Place to Work 5
1.4 WSO2 Business Model 6
1.4.1 Support and Service Model 6
1.5 Organizational Structure 9
1.5.1 Employee Hierarchy 9
1.5.2 Communication 10
1.5.3 The WSO2 Team 10
1.6 WSO2 Products and Services 12
1.7 Performance of WSO2 13
1.7.1 Strengths 14
1.7.2 Weaknesses 16
1.7.3 Service to Sri Lankan Society 16
1.8 Suggestions to Improve 17
2 Training Experience 18
2.1 Joining WSO2 Family 18
2.2 Induction 19
2.3 Development Environment 20
2.4 Hands on WS-Security 21
2.4.1 Sample Client for IS 23
2.4.2 Entitlement Handler 25
2.5 Implement SAML to XACML 31
2.6 Other Technical Experiences 43
2.6.1 Apache Team 43
2.6.2 Training Sessions 45
2.7 Other Non-Technical Experiences 45
2.7.1 Demonstration 45
2.7.2 WSO2 Annual Trip 46
2.7.3 Sports, Entertainment and Other Activities 48
2.8 WSO2Con 2011 49
3 Conclusion 50
3.1 Importance of Industrial Training 50
3.2 Satisfaction 50
3.3 WSO2 as a Training Establishment 51
3.4 Overall Training Programme 52
List of Figures
Figure 1.1 WSO2 Company Logo 1
Figure 1.2 Employee Hierarchy 9
Figure 2.1 Entitlement Handler Structure 27
Figure 2.2 Inside .mar file Entitlement Handler 30
Figure 2.3 Flow of secured server to server communication 33
Figure 2.4 The Structure of the XACMLAuthzDecisionQueryType 36
Figure 2.5 The Structure of the SAML Response 40
Figure 2.6 Signing Procedure 41
Figure 2.7 Validation Process 41
1 Introduction to the Training Establishment
1.1 WSO2 Incorporated
Figure 1.1 WSO2 Company Logo
As the name WSO2 stands for Web Services Oxygen, the company is truly about giving a deep
breath of relief to the people who are seeking enterprise solutions in the web space. Founded
in 2005 by pioneers in XML and web services technologies and standards as well as open source,
WSO2 offers a complete SOA platform that is 100% free and open source, and more recently a
cloud approach through WSO2 Stratos, the world's only 100% open source PaaS.
WSO2 is mainly focused on developing and producing top quality products, and these are based
on the free and open source Apache software stack. Hence all of the products are released
under the Apache Software License. The company consists of a locally and globally recognized
set of passionate software engineers who enjoy their dedication to the industry. Most of them
are committers of software projects like Axis2, Rampart, Synapse, Sandesha, Transport,
Cassandra and Commons of the Apache Foundation, and of various other software communities
including Eclipse and Ruby on Rails. All the products at WSO2 are developed around one core
called the 'core carbon framework', which has its base in Apache Axis2, and the company
encourages employees to build their own personal brand by contributing to these projects.
In providing web based solutions, WSO2 offers 12 servers that together form a well designed
environment for implementing a business solution in an agile manner. For example, WSO2 IS can
be shaped into a customized environment providing authentication and authorization services
to a shopping context or to a military context. StratosLive provides all the services of these
servers 100% free in the cloud environment.
Being 100% free and open source, someone may wonder whether this can make a sustainable
business. The business strategy at WSO2 is providing training, support and consultancy for
their products to the customers. As the products are free to download, test and play with, if
a customer is willing to have WSO2 support and training to bring up a business solution for
them, then they are charged for that service. The company maintains a SOA developer portal
called 'WSO2 Oxygen Tank', which includes a knowledge base, articles, webinars, screencasts and
tutorials, creating an online resource center for anyone who is willing to try WSO2 products
at no cost.
Apart from Apache, being an open source company WSO2 has built many connections around the
world, a few of which are as follows:
• The World Wide Web Consortium (W3C)
• OpenID Foundation
• NBQSA Competitions
• AMQP Working Group
• SOAP, WSDL and WS-SEC standards
• OCERT and OAuth
• Microsoft's InterOp Vendor Alliance
• InfoCard Foundation
• OASIS
WSO2 is a global company with offices in the USA, UK and Sri Lanka, and has customers
worldwide. The UK office is mainly focused on marketing and customer relations, and the newly
opened USA office at Palo Alto is in its growing stages regarding technical development
activities. The branch in Sri Lanka acts as the main research and development center of WSO2
and currently operates from three offices, at No. 59, Flower Rd, Colombo 07, No. 50, Flower
Rd, Colombo 07 and No. 58, Dharmapala Mw, Kollupitiya.
Being just 6 years old in the industry, WSO2 has shown immense growth, such that sometimes
customers have admired WSO2 above industry giants like IBM and Oracle. Recently it has been
named as one of the top ten open-source SOA companies in the world, with a comparatively small
team. WSO2 has brought a lot of opportunities to Sri Lankans and is growing smarter day by
day, marking the Sri Lankan contribution to the software industry.
1.2 Evolution of WSO2
4th August 2005 is declared as the birthday of WSO2. That date was selected because many
important events regarding the company happened around that day, between August and
September, such as the incorporation of the USA company, the incorporation of the Sri Lankan
company and the incorporation of the UK company. At first the co-founders of WSO2 named it
'Serendib Systems' and later changed it at the request of an investor [2].
With the funding received from the investors, the company then proceeded with the
implementation of the Carbon platform with the bunch of experts they had at the time, and after
a few hard times the company emerged into the middleware industry with a lot of effort and
sacrifice from the team. Currently WSO2 stands as a competitor to giants like Oracle and IBM,
who have been in the business for decades.
1.3 WSO2 Vision
WSO2 has a very clear vision regarding the platform, customers, employees and growth, and
everything is decided on these basics. The following are the four categories the WSO2 vision
is made of, to lead the company to success and compete globally.
1.3.1 Reinvent the Technology
When WSO2 was founded there were already many giants in the industry like Oracle and IBM, and
still WSO2 entered the market segment with the belief that it could reinvent that technology
in a better way: a way that is simpler and more straightforward from project conception to
long-term production management. WSO2 had the advantage of starting from scratch, making full
use of hindsight, and developing the most advanced middleware platform available today.
Knowing the pitfalls in advance, the platform was designed to overcome those issues and
increase performance. Using the OSGi framework, WSO2's component model enables a lean, high
performance approach with self-consistency across the platform, and it is fully customizable,
adapting to the customer's project. Instead of forcing the project to adapt to the middleware,
WSO2 provides the flexibility to be customized as the customer needs. By building
multi-tenancy, elasticity, instant provisioning and metering into the whole platform and
making it available as a service (PaaS) in public and private clouds, WSO2 is playing a great
role in cloud computing too.
1.3.2 Reinvent the Business Relationship
Although the technology at WSO2 is leading edge, the core value is recognized as the quality
of the business relationship with the customer. So WSO2 has taken radical steps to be a
customer-oriented company.
All the software is 100% open source, built under a fully open and transparent development
process on the wso2.org mailing lists and at the ASF. There are no license fees or trial
versions that expire after a period, as all the products are released under the Apache License
2.0, which means that there is no restriction on the products. There is no community license
or evaluation license, and anyone using the same version of a product has the same
functionality. The value WSO2 uniquely brings to its products is the relationship built with
customers in customizing the products for maximum efficiency in the customer's context.
Through the highest quality training, support, consulting services, 24x7x365 production
support, or an entire solution, WSO2's sole objective is to tailor its world-class expertise
to each customer's unique needs.
1.3.3 Reinvent the Support Model
As support is essential for a critical enterprise system, WSO2 provides a very good customer
support service, understanding the great responsibility of running such a system. Using the
WSO2 online support system, a customer issue can quickly be directed to the best source of
expertise: WSO2 developers on the product or committers to the open source project. WSO2
support lets the customer interact directly with the best person in the world to resolve their
issue quickly, as there are no separate support engineers. The people who build the product
are the support engineers too, as they know every nook and corner of the product well. When
necessary, WSO2 provides hot fixes, patches and service packs to keep the customer
installation running efficiently.
Going beyond production support, the WSO2 support and service model allows the customer to
purchase just the services they need, without being forced to pay for bundled services of
little value. WSO2 believes that satisfied and successful customers are the best way to make
WSO2 a successful company in the global middleware market.
1.3.4 Create a Great Place to Work
After years in IBM Research, CEO and co-founder Sanjiva Weerawarana had a dream not only to
reinvent the technology, business relationships and support model for enterprise software,
but also to bring Silicon Valley-style entrepreneurialism to Sri Lanka. As a result the heart
of WSO2 development and operations is centralized in Colombo, Sri Lanka.
With close relationships to the top local universities, and by building creative spirit and
global leadership in open source technologies, WSO2 has become a hotbed for local innovators.
WSO2 made being an Apache committer a reality for Sri Lankans, which was once an unreachable
dream.
WSO2 encourages the personal development of its employees, even to the point of leaving the
company for doctoral studies abroad. These employees are encouraged to return to WSO2, to
found other entrepreneurial companies in Sri Lanka, or to find employment in other
organizations where they can invest their talents to make Sri Lanka and the whole world a
better place to live.
I love this vision of WSO2 a lot, in that it is not running after money or fame. It has built
a sustainable business that benefits both customers and the company with its employees, and
finally adds value to Sri Lanka and the whole world. As stated in the vision, WSO2 is truly a
bed for innovators who are not afraid to try.
1.4 WSO2 Business Model
As WSO2 is a 100% FOSS company, the products are available free of charge to be downloaded by
anyone, and the source code is also available, so that using a build tool like Maven anyone
can build the product with any modifications they wish. Therefore, to be sustainable, the
company has to adopt a different but feasible business model to operate on.
WSO2 has adopted a very feasible and unique business model to move forward competitively in
the middleware arena, which already had industry giants such as Oracle and IBM. By making the
products downloadable free of charge, WSO2 attracts customers from Oracle and IBM, where they
have to pay. That was a good way to enter the market, as people consider the capital cost a
lot. But for an enterprise system a customer will not take the risk of lower performance or
quality, and will definitely consider the availability of 24x7x365 support. That is where WSO2
identified the opportunity to make money: selling software support, consultancy and training
for the product stack, which is based on SOA and web services. Additionally, client projects
are also carried out.
With this business model WSO2 has been able to compete with the giants that existed in the
middleware industry and has been preferred by customers over IBM, Oracle etc. in just six
years.
1.4.1 Support and Service Model
The services WSO2 offers are:
• Consultation (Evaluation Support)
• Training
• Development Support
• On-site training (lectures, seminars, conferences etc.)
• Off-site training (webinars, podcasts, self-paced training etc.)
• Production Support
Apart from these programs there are also the Quick Start and Cloud Start programs.
1.4.1.1 Evaluation Support
This is designed to help customers in the early stages of middleware projects, especially when
they have to meet advanced technology challenges. WSO2 experts can guide customers in
technology selection, product selection/evaluation and migration/integration strategies. For
qualified customers some of the services in this model are free of charge.
1.4.1.2 Quick Start Program (QSP)
WSO2 Quick Start is a rapid program that brings world class expert developers and architects
on site to work in collaboration with the customer's team. The program also includes follow-up
support with a period of online Development Support. The QSP is conducted within just one
week.
1.4.1.3 Cloud Start
The Cloud Start program is designed to get WSO2 Stratos, the Carbon platform as a PaaS,
installed and ready for the customer enterprise. Cloud Start brings two senior WSO2 engineers
on site for 5 business days to work with the customer team. Mainly this program is targeted at
deploying and configuring WSO2 Stratos on the client's cloud infrastructure and providing the
relevant training on that.
1.4.1.4 Development Support
At this level of support, the experts from WSO2 directly assist the client's engineering team
during development. WSO2 offers Development Support to help migrate, integrate, optimize and
manage the customer's enterprise middleware deployments. By providing a direct channel between
the client engineering teams and the WSO2 team during the critical development stages, this
becomes a catalyst for the process to reach the intended product sooner.
Customers get these benefits through this model:
• Migrating from expensive proprietary middleware products
• Integrating with other middleware and infrastructure products
• Tuning for performance and security
• Developing custom product features
1.4.1.5 Production Support
A system in production is defined as one that performs, or assists in performing, legally
binding transactions and is used by end users, where a failure of the system in production
will have an immediate economic impact on the organization. Understanding the critical nature
of this, WSO2 has designed a support mechanism that guarantees the WSO2 middleware
infrastructure enables the client applications to be available 24x7x365, as mentioned in annex
A3. Production Support customers are eligible for the latest feature upgrades, product patches
and service packs.
A Subscriber shall reasonably determine the severity level of Errors according to the
protocols attached in the annex as A2.
1.4.1.6 TurnKey Packages
Although WSO2 offers a full menu of products and services, they also offer complete turnkey
solution packages. The major support features supplied by these are ongoing twenty-four hour
enterprise-level maintenance of the entire client system, installation and provisioning of
WSO2's lean, high-performance Carbon platform to run, govern, manage and monitor the solution,
and a pre-validated architecture template set to address specific business scenarios and
requirements.
Here the WSO2 staff manages and implements the project from conception to deployment to
maintenance for the customer in specific areas such as:
• Mobile Services Gateway
• FIX Gateway
• SAP Message Gateway
• Customized solutions
WSO2 is committed to making the customer experience the best service from them, and all the
staff work with dedication towards that.
1.5 Organizational Structure
WSO2 has a very flat and informal structure inside the company and everyone is treated
equally. At WSO2Con Mr. Samisa Abeysinghe mentioned that at 'WSO2 we do not have resources, we
have the WSO2 team', which I experienced throughout my stay.
1.5.1 Employee Hierarchy
The sole purpose of keeping this hierarchy is for management activities done by Human
Resources Management; it has no effect on making a technical decision, so that even an idea
from an intern like me is considered and accepted if it is well supported with facts. This
flat hierarchy is very helpful for fast decision making in agile software development, as the
company has put trust in its employees to do the best thing in a situation.
Figure 1.2 Employee Hierarchy
1.5.2 Communication
Communication inside WSO2 is so transparent that everything goes through the mailing lists of
the company domain, and this is also very fast in getting anything fixed. This transparency
allows maximum productivity, and confusion is greatly reduced. The following are a few of
those mailing lists.
• Team: anything regarding the whole WSO2 team goes here, e.g. organizing the trip, seating plans
• Support-dev: this focuses on support for the developers
• Training: to discuss things related to training inside WSO2 and outside events that
employees can participate in
• Marketing: to discuss matters related to marketing strategy etc. Anyone can post their ideas
here on how to promote WSO2 products
• Operations: any issue regarding the daily operations of the company goes here, e.g. cleaning
• Infrastructure: any matter regarding the network, WSO2 servers etc. goes here
• Vacation: any kind of leave taken should be announced here
• News: any news regarding the industry that seems useful for the company is posted here
• Club: jokes and other stuff, mostly for fun
Also there is no restriction on talking to anyone; we could even easily go to Dr. Sanjiva
Weerawarana and discuss any issue we had. All the doors are open for people to communicate
directly, and there was no need to go through a hierarchy.
1.5.3 The WSO2 Team
The WSO2 team consists of the best people in each field, which is the key factor in the
company conquering the middleware market so soon. The following is the current composition of
the team.
Leadership: WSO2 is led by very experienced people from across the globe who have guided the
company to this much success in just 6 years.
• Mr Sanjiva Weerawarana, PhD, Founder, Chairman and CEO
• Mr Paul Fremantle, PhD, Co-Founder and CTO
• Mr Jonathan Marsh, VP Business Development and Product Design
• Ms Monica Pal, VP Marketing
• Mr Lavi de Silva, VP Global Sales
• Mr Samisa Abeysinghe, VP Engineering
• Mr Devaka Randeniya, Senior Director of Sales
• Mr Paul Broekhoven, Director, European Sales
• Ms Padmika Dissanaike, VP Finance
• Ms Puny Navaratne, Director, Legal
• Ms Hasmin Abdul Cader, Director, Marketing
• Mr Asanka Abeysinghe, Director, Solutions Architecture
• Mr Mahesh Markus, Director, Support
• Mr Afkham Azeez, Director, Architecture
• Ms Udeshika Ratnavira, Senior Manager, Administration and HR
Advisors: the world class personalities and scholars who guide the company throughout with
their experience and valuable insights on the industry are as follows.
• Mr Larry Augustin, Investor/Advisor
• Mr Geir Magnusson Jr., VP Engineering, Joost
• Mr Brian Behlendorf, Founder & CTO, Collabnet
• Mr Tom O'Reilly, Founder, O'Reilly Media
• Mr Patrick Grady, Chairman & CEO, Rearden Commerce
• Mr Tony Pizi, CIO Platform Engineering, Deutsche Bank
Product Teams
The engineering team: the engineers who work on development, research, design and testing fit
into this category. It is further divided according to the product they work on, as the
Identity Server team, Gadget Server team etc.
The sales team: deals with the customers and liaises between the customers and the developers.
The marketing team: works on marketing WSO2 products by means of sponsorships, advertisement
campaigns, workshops, webinars and so on. Most of the events are organized under the guidance
of the marketing team with the support of the whole WSO2 team.
The finance team: takes care of the accounts, income and expenditure of the company.
The administration team: provides vital administration and human resource work, handling
salary payments, foreign visit arrangements etc.
1.6 WSO2 Products and Services
The high level product categorization of WSO2 is as attached in annex A4. Across the
Enterprise Middleware Platform (Carbon), the Cloud Middleware Platform (Stratos) and the Java
PaaS (StratosLive), the following are the common servers that provide various services
matching the environment they run on. There are 12 servers, as follows, and I will only explain
the functionality of the Identity Server, as that is the server I worked on and became most
familiar with.
• WSO2 Application Server: for service hosting
• WSO2 Enterprise Service Bus: for mediation services
• WSO2 Message Broker: for messaging services
• WSO2 Data Services Server: for managing data sources and data access
• WSO2 Governance Registry and repository: for managing WSDLs, schemas, policies, life cycles
and versioning
• WSO2 Gadget Server: for portal services
20. WSO2 Web Services Frameworks for C, C++ and PHP – provide simple APIs for
implementing web services and web service clients
WSO2 Identity Server - for authentication, single sign-on and access control
WSO2 Business Process Server(BPEL)
WSO2 Business Rules Server (JSR-94) For composing, orchestrating
and monitoring business
WSO2 Complex Event Processing Server
processes and activities.
WSO2 Business Activity Monitor (JMX)
WSO2 Mashup Server
Identity Server (IS)
Image A1.2 in the annex shows the architecture of the IS, and image A1.3 shows the
specifications of the server. It uses leading edge technologies to provide adjustable, high
security to web applications and web services. SAML 2.0, OpenID, OAuth, XACML and WS-Security,
the latest standards in security, are the standards that IS adheres to. It uses the Apache
Rampart, WSS4J and Neethi modules in addition to other ASF dependencies that are common to all
WSO2 products.
It integrates easily into existing user stores such as LDAP or Active Directory, supports multi-
factor authentication, and the cloud platform Stratos is secured entirely by the IS.
The most interesting part is that, no matter how complex the process is, IS provides a good user
experience that makes the developer's life easy. For example, IS provides a simple user interface
to define a XACML policy, add it and remove it, so that even a person without much knowledge of
XACML can use it.
1.7 Performance of WSO2
WSO2 has performed incredibly well when one looks back at the path it has come in just six
years [2], and it is currently boosting that journey further by putting in more resources and
being more innovative. In addition to praise from customers, WSO2 has won several highly
recognized awards in the industry, as follows:
Kuppinger Cole European Identity Award 2011 - WSO2 was recognized for the
innovative features of its open source, multi-tenant WSO2 Identity as a Cloud Service
SD Times 100 Award - For the fourth consecutive year, WSO2 was recognized as one of
the “top leaders and innovators” in the software industry by the editors of SD TIMES.
Red Herring Asia 100 Award - WSO2 was awarded the Red Herring Asia 100 Award
in 2006 for being one of the most promising private technology companies in Asia.
InfoWorld Best Open Source Software (Bossie) Award - WSO2 was named InfoWorld
2009 Best of Open Source Software (Bossie) Award winner and recognized for
delivering WSO2 Carbon
National Best Quality Software Awards (NBQSA) - WSO2 walked away with:
-WSO2 Enterprise Service Bus :
Gold Award under Infrastructure & Tools Category and Overall Gold Award.
-WSO2 Gadget Server: Silver Award under Research & Development Category.
-WSO2 Data Services Server: Bronze Award under Infrastructure & Tools Category.
1.7.1 Strengths
1. The highly qualified, dedicated team – I see the WSO2 team as the main strength of
WSO2. The engineering team consists of the best brains of Sri Lanka, world-class architects
and developers with experience and contributions in the global industry. WSO2 has at least a
few committers on every ASF product WSO2 uses. The marketing team and the sales team have the
best of the profession too. People coming from various backgrounds and fields share the common
objective of adding value to the company using their expertise in every way they can. For
example, the engineering team is hugely involved in marketing activities through blogging and
tweeting, and all the teams work together, co-operating with each other as one family.
2. Flexible working culture – At WSO2, employees have flexible working hours and are not
forced to work at a particular time. With this, the company has made a very friendly
connection with its employees: they enjoy the freedom at work and, in gratitude, there is no
need to ask them to work when some urgent need arises. Employees voluntarily work with
dedication, as they feel in their hearts the need to give back to the company. Adopting a
flexible working culture is a challenge, and it is a real strength that WSO2 has been able to
make it work this way.
3. No support engineers – As there are no support engineers, all the discussions with
customers and all support are done by the same engineers who build the system and live with
it. As those engineers know the product very well, any issue can be easily fixed and well
explained to the customers. That way engineers get a good feeling for what the customers need
and what they should provide via the product, and customers get very fast and clear support,
to their maximum satisfaction. So I call this a strength of WSO2.
4. Innovative Carbon platform – No matter how nicely we approach the customer, it is hard
to run a business in the long run without a good product to compete with the competitors.
WSO2 has the very innovative Carbon platform that allows all this componentization, which
satisfies customers by allowing them to use just what they want and pay only for the services
they use. The flexibility of the platform also allowed WSO2 to present the first PaaS,
StratosLive, this soon, which Oracle said it would come up with in 2015. The architecture of
the Carbon platform best fits today's enterprise need for agile software that can adapt to
rapidly changing business needs.
5. Being an open source company - This is a great strength of the company from the product
point of view. As the source code is available for anyone to look at, the product improves day
by day as bugs are identified and fixed. Approaching customers has also become easy with this,
as people do not hesitate to try the products and see the functionality, since they are free.
1.7.2 Weaknesses
There is no major weakness I could identify at WSO2. The only thing I see is a slight lack of
documentation in some areas on using WSO2 products. There are many blogs written by the
engineers, and WSO2 Oxygen Tank [5] provides a lot of information on using the products. But
still, with the number of products and services provided through the stack and the different
scenarios they can be used in, there is a lack of documentation. The company has already
identified this as a weakness and is encouraging the staff to complete documentation well, with
more attention towards Oxygen Tank.
1.7.3 Service to Sri Lankan Society
Bringing the open source concept to Sri Lanka is itself a great service to the country, as it
is the most appropriate model for it. Through WSO2, a lot of Sri Lankan talent has found a place
in the global industry, becoming Apache committers etc., as WSO2 encourages the personal
development of its employees. Through this, WSO2 has contributed a lot to making Sri Lanka the
country with the largest number of committers to the Apache Software Foundation outside the
United States.
Most computer science graduates consider going abroad for employment after their degree, and
having such a great place as WSO2 to work in, in their own motherland, is a great service the
company is providing to the country, stopping it from losing its great resources. By
encouraging going abroad for further studies, not just for employment, WSO2 creates a well
experienced work force for the future with knowledge of leading edge technologies.
Many WSO2 professionals mentor undergraduate students doing their final year projects at many
different universities in Sri Lanka, giving university undergraduates exposure to the global
software industry and helping them to great achievements, even through the internships they
support.
WSO2Con is a perfect example of the fame the company is bringing to Sri Lanka through the
software industry. A lot of experts visited Sri Lanka to attend this event, and at every
possible occasion it showcases Sri Lankan culture. If one day the middleware industry could
become the key player in the Sri Lankan economy, instead of garments, tea, rubber and house
maids in the Middle East, WSO2 will be the pioneer of that.
1.8 Suggestions to Improve
1. As mentioned in 1.6.2, improving documentation through Oxygen Tank to cover all the key
topics regarding the products is a great improvement to achieve. That way anyone who just
comes to a product will feel comfortable trying things with it and will be able to understand
its power. Also, when a new release is out, some of the content becomes invalid for the newer
version, and these things should be clearly stated or modified accordingly. So having some
mechanism to update the content will be very useful.
2. Currently WSO2 is operating in three offices in Sri Lanka, which somewhat separates the
development crew between the places. For the sake of getting to know each other, and in case
any co-ordination is needed in development, it is better if the whole crew can stay in one
building with the freedom to discuss with each other easily. Also, as most of the customer base
is in the USA, it will be beneficial to have more developers in the Palo Alto office in
California meeting the customers; that will make it easy and fast to provide on-site support.
2 Training Experience
2.1 Joining the WSO2 Family
On the very first day, 28th Feb 2011, all fifteen of us selected to be interns at WSO2 were
there; our details were confirmed and we were given new email addresses in the wso2.com domain.
Ms. Udeshika Rathnavira introduced us to the company premises, showed us the pantry area, and we
were given laptops to use during the internship.
Mr. Samisa Abeysinghe, VP Engineering, WSO2, talked to us in the evening and gave us a lot of
valuable thoughts. He emphasized that there are not many rules and formalities in the WSO2
culture and that we are free to use any of the resources there in order to learn, question and
suggest anything. He also highlighted that it is in our hands to make full use of the given
opportunity, and the importance of the training received during the internship period. These
points he made got engraved in my mind and were a good start. Also on the very first day, Mr.
Samisa Abeysinghe gave us a task to be completed within a week in groups of five. A simple
banking system was built in the very first week by my group, formed with Malith Dhanushka,
Hasitha Aravinda, Sumedha Sanjiva and Gokul Balakrishnan. The objective of this task was to get
an idea of our Java knowledge and object orientation concepts, and we were informed that a GUI
was not needed.
First our group gathered, discussed the specifications related to the domain and drew a class
diagram. As everyone needed to code at least two Java classes, we divided the work with that
and relevance in mind. SVN was used to host the project, and we developed the system discussing
among ourselves, resolving things as they arose.
Mr. Afkham Azeez, Director of Architecture, WSO2, reviewed our code and gave very useful
comments to improve ourselves, highlighting the mistakes we had made. He recommended a few web
sites and books for reference and emphasized that we should master an IDE, practicing the
keyboard shortcuts. Effective Java (2nd edition) and Java Pitfalls were among the recommended
books.
Shortly after, we were assigned projects and I was given 'Implement SAML to XACML', which was
related to the WSO2 Identity Server, and we each got a mentor to guide us on the project; my
mentor was Mr. Asela Pathberiya, Senior Software Engineer. With the friendly behavior of all the
staff, it was a nice place to work, and I found it very special at WSO2 that even a little
mistake was not left hanging; it was corrected immediately when noticed. High quality was
maintained not just at the code level but at all levels of all the processes and environments.
2.2 Induction
Ms. Udeshika Rathnawira, Senior Manager, Administration and HR, with Ms. Hasmin Abdulcader,
Director Marketing, conducted an induction programme for the fifteen of us and a few employees
who had joined recently. It was a nice discussion done in a very friendly manner that resolved
our doubts and introduced us to the company culture. They described to us the flat hierarchy
maintained within the organization and how each and every member of the WSO2 family is treated
equally. They emphasized that we should call everyone by their preferred first name and not use
'Sir', 'Madam', 'Ayya' or 'Akka'. Hasmin briefly described the business model of the company
and a little bit of its history too.
At WSO2, 3.30 pm is set as tea time, and each individual is supposed to come downstairs to the
lobby area at that time. She also mentioned that all members share experiences and have a chat
with fellows while having a snack, and that we should get to know each other in the company. It
was really great, and possible because the WSO2 family was only about 150 by that time. Apart
from tea time, anyone was also totally free to come to the lobby area, watch TV and have a drink
to get refreshed while working. They also told us that there is no dress code and that we are
free to dress casually. What I realized from all this was that WSO2 has really made the office
as free as home, for everyone to work without any difficulty.
We were informed that office hours are flexible, to make life easier, as they know intellectual
work cannot be forced. Working from home is an available option for employees, but as interns
we were not given that privilege as it contrasts with the objectives of the internship. Hasmin
further explained that as interns we will run into a lot of problems in doing things and will
need help from the staff, which is impossible if we stay at home and work. We were told that we
are supposed to be at the office from 9am to 5pm, and as we worked on it was not hard to stay at
the office during that time, as it was such a perfect place to work.
2.3 Development Environment
OS – As an open source company, most of the WSO2 employees were using Ubuntu, an open source
Linux OS, and I too started to use Ubuntu as my primary OS. Installation of software, including
the Java installation, was done using the command line and Synaptic Package Manager, and I got
familiar with setting up environment variables in the .bashrc file, which was so different from
Windows. Though it was a little difficult to get used to at the beginning, later I found that it
is more effective than the Windows OS I was used to.
IDE – I was familiar with using NetBeans at university; as a lot of developers at WSO2 were
using IntelliJ IDEA as their IDE, I tried to use that. The keyboard-centric IDE seemed fine for
me, and I continued to master that IDE and worked using it.
SVN - The primary mechanism of version control used at WSO2 is SVN. At the beginning the only
thing I did was check out code from the WSO2 repo; later, once we were given separate spaces
there, I also committed code there and kept it under version control.
Maven – It is a very widely used open source software project management tool from Apache.
Almost all the projects at WSO2 are managed using Maven, with the pom.xml that describes the
software project being built, its dependencies on other external modules and components, and
the build order. That makes the project build process easy. I may have called the command 'mvn
clean install' more than 1000 times within the internship period to build projects. In fixing
dependencies, Maven takes the load off the developer of downloading them and fitting them into
the project. Instead it dynamically downloads Java libraries and Maven plug-ins from one or more
repositories, reading the pom.xml at build time. Maven provides built-in support for retrieving
files from the Maven2 Central Repository and other Maven repositories.
FindBugs – This is a recommended tool for all the developers at WSO2 to use on any code they
write. The tool is so smart that it runs through our code and, analyzing the patterns,
highlights where bugs are possible. To achieve high quality in coding with minimum bugs, this
is a great tool to use.
TcpMon – This is a very useful debugging tool that allows viewing messages and resending them.
We can set a listening port in TcpMon; it shows the messages that come to the port and forwards
them on without any change. I used this heavily in testing the Entitlement Handler.
SOAPUI – This is a widely used tool at WSO2 for all sorts of tests. It is a free and open source
cross-platform functional testing solution. This is also used to trace messages, like TcpMon,
and has more additional features. I needed this in implementing SAML to XACML, as TcpMon was
not capable of tracing secured messages.
2.4 Hands on WS-Security
The IS team works mainly on the security of web applications and services. It develops
solutions for the growing challenge of managing the identities of employees, vendors, partners,
and customers across internal, shared, and SaaS services. IS is focused on winning this
challenge by providing a sophisticated identity solution in an easy to implement manner, with
minimum negative effects on user experience and performance. In achieving this goal IS uses the
latest standards and technologies like SSO, OpenID, XACML and SAML.
As the project I was assigned to complete, 'Implement SAML to XACML', was totally new to me, I
did not know where to start. Also, the only knowledge I had on security was things I had heard
on hacking sites, about viruses etc., and the only solutions I knew were using a user name
combined with a secret password that is long and hard to guess, and using a virus guard. Only
after a discussion with my mentor, Mr. Asela Pathberiya, did I get to know how vast the subject
is, and I became passionate about the project. With the given guidance I started to read the
project specification document [4], though I hardly understood it, and then researched the
related technologies and security concepts.
The following are the main concepts to be addressed in any system that is trying to provide
security to a web service or an application.
Authentication - Identifying the person correctly
Authorization - Giving individuals access to resources based on their identity
Confidentiality - Ensuring that information is accessible only to those authorized to have
access
Integrity - Data cannot be modified / tampered with without authorization
Non-repudiation - Ensuring that a party in a dispute cannot say "I didn't send such a
message"
In relation to my project, I understood that IS achieves authorization in a fine-grained
manner using XACML policies, and that integrity and non-repudiation are achieved through XML
signatures. Username and password were used for basic authentication.
Having these concepts in mind, I was given tasks to begin with to get familiarized with the
stuff. At first my mentor recommended that I get familiar with Axis2, and I followed a tutorial
in 'WSO2 Oxygen Tank' [5].
The following are the steps I followed:
1. Wrote a web service and deployed it in Axis2 as a .war file.
2. Got the WSDL file and generated the stub classes.
3. Wrote the client to call the web service using the stubs.
Doing this I got more familiar with the IDE and learned how to fix dependencies, which I always
ran into trouble with due to some kind of version mismatch.
With this experience I went ahead in getting familiarized with WSO2 IS specific things.
2.4.1 Sample Client for IS
This sample was to show how to authenticate a user and allow that user to access authorized
resources (services), using the API of WSO2 IS. Simply put, this simulates a few functions
without the browser interface of the server.
Scenario: After authentication, if the authenticated user has the role 'admin', the user will
have privileges to add or remove XACML policies, and to evaluate them against sample requests.
The following are the steps to be demonstrated:
1. Log into the server after authentication
2. Add a policy from the local machine
3. Read the enabled policy of the server
4. Remove a policy
5. Evaluate the enabled policy against a request
I used sample XACML policies and requests to observe the functionality, and while doing that I
got familiar with writing XACML policies and requests, understanding how they achieve fine-
grained authorization.
Here is the pattern of the policies used in testing the functionality:
<Policy PolicyId="urn:sample:xacml:2.0:samplepolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
    <Description>Sample XACML Authorization Policy -01</Description>
    <Target>
        <Subjects>...</Subjects>
        <Resources>...</Resources>
        <Actions>...</Actions>
    </Target>
    <Rule>...</Rule>
</Policy>
The Target element defines a set of conditions that must be met for that policy to be picked
up; accordingly the rule is applied, giving the decision 'Permit' or 'Deny'.
Here is how a XACML request looks:
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Subject>...</Subject>
    <Resource>...</Resource>
    <Action>...</Action>
    <Environment>...</Environment>
</Request>
According to the OASIS profile of XACML 2.0:
The <Subject> element defines who wants access, and it may have many attributes defined
inside as child elements.
Only one <Resource> element is allowed to be present in one decision request, and it defines
the resource the Subject is trying to access.
Only one <Action> element is allowed to be present in one request, and it defines the action
the Subject wants to perform on the Resource (e.g. read).
The <Environment> element carries attributes, if present, that are not associated with the
Subject, Resource or Action (e.g. IssueInstant).
Depending on the policies enabled in the PDP, a request may get the decision 'Permit', 'Deny'
or 'Indeterminate', or 'NotApplicable' if a matching policy is not found.
While working on this I got introduced to the functionality of IS, the coding standards of
WSO2 and XACML. I also learnt a few different methods to convert WSDL to Java: using Axis2, in
the Maven build, and using the browser UI of WSO2 Enterprise Service Bus. I shared the
knowledge I gathered through two blog posts in my personal blog space, on 'A sample on calling
WSO2 IS functionalities through the API' (http://pushpalankajaya.blogspot.com/2011/04/sample-on-
calling-WSO2-identity-server.html) and 'How to convert WSDL to Java'
(http://pushpalankajaya.blogspot.com/2011/03/how-to-convert-wsdl-to-java.html).
2.4.2 Entitlement Handler
After writing the above mentioned sample, I came to realize the power of Identity Server and
how much is happening when we just hit a button in the nice looking browser tab. As my next
task I got work that made me realize the power of Axis2 more deeply. The task was to refer to
the Entitlement Mediator code that already exists in WSO2 IS and to build the same
functionality in an Axis2 handler.
2.4.2.1 Building the 'Carbon' platform
At first I went through the Entitlement Mediator code and could not understand many things. I
read the documentation and then decided to understand it by observing its functionality. For
that I needed to build the mediator module, and in doing that I learnt a lot of things. Though
I could just fix the dependencies needed by the module and build it, my mentor suggested that
it would be better if I built the whole Carbon platform. It was a challenging experience at
the time, as almost all the developers were committing new stuff fast, getting ready for the
upcoming release. But finally, when I finished building 'Carbon', the platform, as a whole, I
had a better idea of what 'Carbon' is and how WSO2 products are based on it while being
componentized by the OSGi framework. I also got familiar with the pom.xml file used in the
Maven build and how to fix dependencies and project properties through it.
2.4.2.2 Remote Debugging
To observe the functionality I needed to get familiar with the remote debugging tool of
IntelliJ IDEA, the IDE I used. It was a very helpful feature to debug and see how the code
works when there were no 'main' methods, as I was used to. For the purpose of monitoring the
passing messages I got familiar with using TCPMon, and proceeded with understanding the
Entitlement Mediator using the new tools.
2.4.2.3 The Handler
As the Entitlement Mediator is based on Apache Synapse, it has characteristics related to it,
while the Entitlement Handler is based on Apache Axis2, which gives different characteristics
[6]. In contrast with Synapse mediators, Axis2 modules give the facility to interleave handlers
in a smart way using partial orderings, and the policy-driven model of configuring modules
(through axis2.xml and module.xml) is unique to Axis2, which allows applying the handler
selectively at the service level.
With that rough understanding I started to get familiar with the structure of an Axis2
handler, running through an existing handler in the IS.
With all this I got a better understanding of what needs to be done, and the following is the
architecture of the Entitlement Handler.
Scenario: When the Entitlement Module, which includes the Entitlement Handler, is engaged to a
particular service, before letting the client consume the service the handler checks whether
the client is authorized to perform that action on the service. What the handler does is:
1. Read the relevant parameters from the Axis2 message context (only Username Token
authentication is supported for now)
2. Build a XACML request according to the parameters read
3. Pass the XACML request to a previously configured PDP and get the decision
4. Depending on the decision from the PDP, continue the message or drop it without letting it
reach the service.
Figure 2.1 Entitlement Handler Structure
2.4.2.4 Packaging the Entitlement Handler
To place the handler in a message path it should be included in a module. The following are
the basic essentials for any Axis2 handler to meet the intended functionality, which I
followed.
1. Created the module implementation – There must be a class that implements
'org.apache.axis2.modules.Module'.
2. Created the handlers – There can be one or more handlers, and they can be ordered in
module.xml. Each handler class should implement the org.apache.axis2.engine.Handler
interface.
3. Created the module.xml as follows:
<module name="EntitlementHandler"
        class="org.wso2.carbon.identity.entitlement.axis2handler.EntitlementModule">
    <Description>
        The entitlement handler module extracts the user name, resource and action from the
        passing axis2 message context and creates a XACML request with the details. Then pass it to the
        set up PDP and continue or drop the message, according to the decision from PDP.
    </Description>
    <InFlow>
        <handler name="EntitlementHandler"
                 class="org.wso2.carbon.identity.entitlement.axis2handler.EntitlementHandler">
            <order phase="EntitlementPhase"/>
        </handler>
    </InFlow>
    <parameter name="remoteServiceUrl">https://localhost:9443/services/</parameter>
    <parameter name="remoteServiceUserName">admin</parameter>
    <parameter name="remoteServicePassword">admin</parameter>
    <parameter name="remoteIp">127.0.0.0</parameter>
    <parameter name="decisionEvaluatorClass"></parameter>
    <parameter name="trustStoreLocation">/home/pushpalanka/Installations/wso2is-3.0.1/resources/security/wso2carbon.jks</parameter>
    <parameter name="trustStorePassword">wso2carbon</parameter>
</module>
Deployment configuration of the Entitlement Module was done using the above module.xml file.
A module can be placed in one or more of the following flows in an Axis2 server.
InFlow - Represents the handler chain that will run when a message is coming in.
OutFlow - Represents the handler chain that will run when the message is going out.
OutFaultFlow - Represents the handler chain that will run when there is a fault, and the
fault is going out.
InFaultFlow - Represents the handler chain that will run when there is a fault, and the
fault is coming in.
As seen in the file, the Entitlement Handler is placed in the InFlow, and the module only
includes one handler. The flexibility of a module is that, at deployment, the module can be
configured according to the context by modifying this file. The parameters defined in the file
above are the configurations used on my local machine for testing purposes and are read at
deployment. Later, when the handler is running, the parameters read in are used in its
functions.
4. Modified the axis2.xml to add the custom phase (in this case the Entitlement phase was
defined after the Security phase)
...
<phaseOrder type="inflow">
    <!-- System pre defined phases -->
    <phase name="Security"/>
    ...
    <!-- System pre defined phases -->
    <!-- After the PostDispatch phase a module author or service author can add any phase he wants -->
    <phase name="EntitlementPhase"/>
</phaseOrder>
...
5. Packaged it in a ".mar" (Module Archive) with the following format
Figure 2.2 Inside the .mar file of the Entitlement Handler
6. Deployed the module in Axis2 – Creation of a directory with the name "modules" in the
"webapps/axis2/WEB-INF" directory of the servlet container, and then copying the ".mar" file
to that directory
7. Added the line '<module ref="EntitlementModule"/>' in services.xml to inform the Axis2
engine that the module "EntitlementModule" should be engaged for this service.
The Entitlement Handler allows the user to configure it for any other PDP, if the user is not
using WSO2 IS. This is achieved with the help of the flexibility given by module.xml.
EntitlementDecisonEvaluator is the interface that the user should implement in a class,
defining how to call the PDP and get the decision. CarbonEntitlementDecisonEvaluator is that
implementation, done for WSO2 IS.
Testing
To test the handler for the intended functionality I used remote debugging and wrote a simple
client that uses UsernameToken for authentication and a service that is secured by a
WS-Policy.
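As an added example (my own Python rendering, not the project's Java handler), the following shows steps 1 to 4 of the handler scenario in 2.4.2.3 in front of a minimal first-applicable XACML 2.0 PDP, using the request structure and the four decision values described in 2.4.1. The EntitlementDecisionEvaluator class is a hypothetical rendering of the evaluator interface named above; the message context is a plain dict standing in for the Axis2 MessageContext; the policy, the service and the user names are constructed.

```python
"""Axis2-style entitlement handler in front of a minimal XACML 2.0 PDP (added example)."""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"xc": XACML_CTX}
ET.register_namespace("xacml-context", XACML_CTX)
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def _tag(local):
    return f"{{{XACML_CTX}}}{local}"


def build_xacml_request(username, resource, action):
    """Handler step 2: one Subject, exactly one Resource and one Action, an empty Environment."""
    req = ET.Element(_tag("Request"))
    for category, attr_id, value in (("Subject", SUBJECT_ID, username),
                                     ("Resource", RESOURCE_ID, resource),
                                     ("Action", ACTION_ID, action)):
        attr = ET.SubElement(ET.SubElement(req, _tag(category)), _tag("Attribute"),
                             AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(attr, _tag("AttributeValue")).text = value
    ET.SubElement(req, _tag("Environment"))
    return ET.tostring(req, encoding="unicode")


def _attribute(root, category, attr_id):
    """First AttributeValue carrying attr_id under the given request category, or None."""
    node = root.find(f"xc:{category}/xc:Attribute[@AttributeId='{attr_id}']/xc:AttributeValue", NS)
    return node.text if node is not None else None


def _target_matches(target, subject, resource, action):
    """A target maps a category to its allowed values; a category left out matches anything."""
    for key, value in (("subject", subject), ("resource", resource), ("action", action)):
        allowed = target.get(key)
        if allowed is not None and value not in allowed:
            return False
    return True


def evaluate(policy, xacml_request):
    """PDP side: Permit, Deny, NotApplicable (no target matched) or Indeterminate (bad request)."""
    try:
        root = ET.fromstring(xacml_request)
    except ET.ParseError:
        return "Indeterminate"
    # XACML 2.0 allows exactly one Resource and one Action element per decision request.
    if len(root.findall("xc:Resource", NS)) != 1 or len(root.findall("xc:Action", NS)) != 1:
        return "Indeterminate"
    subject = _attribute(root, "Subject", SUBJECT_ID)
    resource = _attribute(root, "Resource", RESOURCE_ID)
    action = _attribute(root, "Action", ACTION_ID)
    if resource is None or action is None:
        return "Indeterminate"
    if not _target_matches(policy["target"], subject, resource, action):
        return "NotApplicable"
    for rule in policy["rules"]:  # first-applicable rule-combining algorithm
        if _target_matches(rule["target"], subject, resource, action):
            return rule["effect"]
    return "NotApplicable"


class EntitlementDecisionEvaluator:
    """Hypothetical Python rendering of the evaluator interface the handler is configured with."""
    def get_decision(self, xacml_request):
        raise NotImplementedError


class LocalPdpEvaluator(EntitlementDecisionEvaluator):
    """Stand-in for the Carbon evaluator: asks the in-process PDP above instead of a remote IS."""
    def __init__(self, policy):
        self.policy = policy

    def get_decision(self, xacml_request):
        return evaluate(self.policy, xacml_request)


def entitlement_handler(message_context, evaluator):
    """Steps 1-4: read parameters, build the request, ask the PDP, continue or drop (fail closed).
    message_context is a plain dict standing in for the Axis2 MessageContext."""
    username = message_context.get("username")  # taken from the UsernameToken, if one was sent
    if username is None:
        return "ABORT"
    request = build_xacml_request(username, message_context["service"], message_context["operation"])
    return "CONTINUE" if evaluator.get_decision(request) == "Permit" else "ABORT"


# Constructed policy: only EchoService is governed; admin may do anything on it, anyone may
# call echoString, and every other operation on EchoService is denied.
SAMPLE_POLICY = {
    "target": {"resource": {"EchoService"}},
    "rules": [
        {"target": {"subject": {"admin"}}, "effect": "Permit"},
        {"target": {"action": {"echoString"}}, "effect": "Permit"},
        {"target": {}, "effect": "Deny"},
    ],
}

if __name__ == "__main__":
    pdp = LocalPdpEvaluator(SAMPLE_POLICY)
    for ctx in ({"username": "admin", "service": "EchoService", "operation": "deleteAll"},
                {"username": "bob", "service": "EchoService", "operation": "deleteAll"},
                {"service": "EchoService", "operation": "echoString"}):
        print(ctx, "->", entitlement_handler(ctx, pdp))
```

The handler treats anything other than an explicit Permit as a drop, so a NotApplicable (no policy covers the service) or Indeterminate (malformed request) decision never lets a message through to the service, which is the safe reading of step 4.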
2.5 Implement SAML to XACML
With the experience gained implementing the Entitlement Handler I could now understand very
well what needed to be done here. With the guidance of my senior mentor Mr. Prabath
Siriwardena, it was found that this can be easily implemented using the open source library
OpenSAML, which was already used in IS. I was advised to get familiar with the OpenSAML API
before starting the implementation, and so I went through several examples and tried to
understand the pattern of coding with the API. This exercise was very useful for me in not
getting confused when starting the implementation, and I could focus more on the logic.
Problems
When I started a new project in the IDE and tried to implement it with the OpenSAML library as
a dependency, it gave me a very descriptive error message: "OpenSAML requires an XML parser
that supports JAXP 1.3 and DOM3. The JVM currently configured to use SUN XML parser, which is
known to be buggy, and cannot be used with OpenSAML. Please endorse a functional JAXP library
such as Xerces and Xalan." As the error message states the solution too, I tried endorsing the
mentioned libraries in my Java installation. But there was still an error in bootstrapping the
OpenSAML library.
Solutions
After trying various other things, my mentor came up with the idea that, as Identity Server is
already endorsed with those libraries to work with OpenSAML, I could start coding inside the
source code of IS, build it with Maven and observe the functionality using remote debugging.
This was a better solution than bothering to endorse the libraries anew, and there would be no
issue later in integrating this with IS, as I was already implementing it inside. Also, fixing
the correct dependencies was automatically done with the IS plug-ins, and I got more familiar
with the source code of IS.
After getting hands on building XMLObjects using OpenSAML and getting familiar with how the
API behaves, I thoroughly went through the specification document again, paying attention to
each and every word. I had a few doubts regarding a few things in the specification document,
and discussing them with the mentor clarified them all, with the assistance of the IS team
too. Figure 2.3 shows the flow from the XACML request until it gets the decision in plain
text, with secured inter-server communication.
The first approach was for the XACML request to be wrapped into an OpenSAML XADQ
(XACMLAuthzDecisionQuery), which seemed comparatively less complex than the Response side.
Then at the PDP the XACML request is extracted only if the signature and issuer are validated
correctly, which guarantees the message is not altered. The received XACML request is then
forwarded to the PDP and the decision is obtained as a Java string. The received Java string
is then unmarshalled into a XACML response object of the OpenSAML library and wrapped into a
SAML response, which is signed with the private key and certified. Then at the PEP the message
is validated against signature and issuer, and the decision given by the PDP for the
previously sent request is read.
Figure 2.3 Flow of secured server to server communication (the two columns of the diagram,
recovered from the figure text):
PEP (Policy Enforcement Point):
  XACML request (String) -> unmarshall -> XACMLAuthzDecisionQueryType (XMLObject) -> Set
  attributes (Issuer/Signature) -> marshall -> XACMLAuthzDecisionQuery (String), sent to the
  PDP as the SAML XADQ
  SAML Response (String) received from the PDP -> Unmarshall -> Response (XMLObject) ->
  Validate (Issuer and Signature) -> Get Assertion -> Validate Issuer -> Get Statement -> Get
  XACML Response -> Get Decision
PDP (Policy Decision Point):
  XACMLAuthzDecisionQuery (String) -> Unmarshall -> XACMLAuthzDecisionQueryType (XMLObject) ->
  Validate (Issuer/Signature) -> Get decision for request -> XACML response (String) ->
  unmarshall -> ResponseType (XMLObject) -> Wrap with DecisionStatementType (XMLObject) -> Wrap
  with Assertion including issuer -> Wrap with SAML response including issuer and signature ->
  marshall -> SAML Response (String), sent to the PEP
A sample XACML response that comes as the decision from the PDP:
<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <xacml-context:Result ResourceId="CE.pakgrid.org.pk:2119/jobmanager-lcgpbs-dteam/dteam">
    <xacml-context:Decision>Permit</xacml-context:Decision>
    <xacml-context:Status>
      <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-context:Status>
    <xacml-context:Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
      <xacml-context:Obligation FulfillOn="Permit" ObligationId="MappingData">
        <xacml-context:AttributeAssignment AttributeId="User"
            DataType="http://www.w3.org/2001/XMLSchema#string">.poolname</xacml-context:AttributeAssignment>
      </xacml-context:Obligation>
    </xacml-context:Obligations>
  </xacml-context:Result>
</xacml-context:Response>
The response says whether or not to allow the request to reach the service, as the decision given
by the PDP according to the enabled policies.
A sample SAML Response that comes to the PEP from the PDP:
<samlp:Response IssueInstant="2011-09-23T08:24:35.878Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer SPProvidedID="SPPProvierId"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://XACMLPDP.example.com</saml:Issuer>
  <saml:Assertion ID="ohncaenlemlghggmfdncjionjejaimfnpckmaofj" IssueInstant="2011-09-23T08:24:35.809Z"
      Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer SPProvidedID="SPPProvierId"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://XACMLPDP.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#ohncaenlemlghggmfdncjionjejaimfnpckmaofj">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="ds saml xacml-context xacml-saml"
                  xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>JaEObAc3AhIxT3cdovUIFElsn5E=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>dGRvdBmjOFTNsgHmVreFm400JMYFPHvOq/O3V0EQNad6eeiFU6KA
us+1u8FkS7JEg5Q66z2VfKJ7xF+fTwBLhi0fZdFsYJebtuzOld2ostvyXbdL2f5Noxj3p1Ir1Cm3n
wR+QK5k9FjT2T6xCw6AdvzcbzFImhsiO/DE1yv2QdY=</ds:SignatureValue>
[Figure 2.5 The Structure of the SAML Response: a SAML Response contains a SAML Assertion, which contains a Statement, which contains the XACML Response.]
In achieving security in server to server communication in this context, the signing process plays
a great role. It helps to avoid the following two issues.
Tampering - Information in transit is changed and then sent on to the recipient.
Impersonation - Information passes to a person who pretends to be the intended recipient.
It was noted that adding the signature in this way does not provide confidentiality,
which is also not a requirement in this context.
Completing this project, I got familiar with the concept of signing with public keys and private
keys. Though it looks like unreadable scratch to the human eye in the above given sample
queries and responses, it involves a lot of logic and calculation to provide secure
transfer of information.
Signing
• Document to be signed
• In the Entitlement Handler: the SAML Assertion or the XACMLAuthzDecisionQuery
• Calculate the document fingerprint with an algorithm
• Encrypt it with the private key and set the X509Certificate and the public key
• Generate the digitally signed document, embedding the signature into it
Figure 2.6 Signing Procedure
Validation
• Access the received document and the digital signature separately
• Calculate the fingerprint using the same algorithm that was used for signing
• Decrypt the encrypted fingerprint sent with the signature, using the public key of the sender
• Compare the calculated and decrypted fingerprints
• If they are the same, the message has not been altered
Figure 2.7 Validation Process
Signing at code level

import java.util.ArrayList;
import java.util.List;

import org.apache.xml.security.c14n.Canonicalizer;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallerFactory;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.wso2.carbon.identity.base.IdentityException;

// doBootstrap() and buildXMLObject() are helper methods of the same class (not shown here):
// the first initialises the OpenSAML library, the second builds an XMLObject for a QName.
private static Assertion setSignature(Assertion assertion, String signatureAlgorithm,
        X509Credential cred) throws IdentityException {
    doBootstrap();
    // The signing credential is passed in as well, since it is needed to create the fingerprint
    Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    signature.setSignatureAlgorithm(signatureAlgorithm);
    signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    // Build the KeyInfo that carries the X509 certificate taken from the credential
    KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
    X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
    X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
    try {
        String value = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
        assertion.setSignature(signature);

        List<Signature> signatureList = new ArrayList<Signature>();
        signatureList.add(signature);

        // Marshall and sign: the Signer signs with the built Signature object, which is set
        // with the KeyInfo that includes the X509 certificate built from the credential
        MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory();
        Marshaller marshaller = marshallerFactory.getMarshaller(assertion);
        marshaller.marshall(assertion);
        org.apache.xml.security.Init.init();
        Signer.signObjects(signatureList);
    } catch (Exception e) {
        // checked exceptions from certificate encoding, marshalling and signing
        throw new IdentityException("Error while signing the SAML assertion", e);
    }
    return assertion;
}
It should be mentioned that with the OpenSAML library the signing and validation process can be
done quite easily, despite the complexity behind the process.
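The validation counterpart of setSignature for the PEP side, as an added example following the steps of Figure 2.7 (this is not code from the report or from WSO2 Identity Server; the method name, its parameters and the rule that the PDP certificate is loaded from the PEP's own trust store rather than read out of the message are assumptions of this example). It uses the same OpenSAML 2 API as the signing code above.

```java
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/**
 * Validates issuer and signature of an Assertion received from the PDP.
 * Hypothetical helper written for this section, not Identity Server code.
 *
 * @param assertion      the unmarshalled Assertion (XMLObject)
 * @param expectedIssuer the PDP issuer value configured at the PEP, e.g.
 *                       "https://XACMLPDP.example.com" as in the sample above
 * @param trustedPdpCert the PDP certificate loaded from the PEP's trust store;
 *                       the certificate carried inside <ds:KeyInfo> is NOT used,
 *                       because anyone can embed a certificate of their own there
 */
private static void validateAssertion(Assertion assertion, String expectedIssuer,
        X509Certificate trustedPdpCert) throws ValidationException {

    // 1. Issuer check: reject a message that claims a different sender (impersonation).
    if (assertion.getIssuer() == null
            || !expectedIssuer.equals(assertion.getIssuer().getValue())) {
        throw new ValidationException("Unexpected or missing Issuer");
    }

    // 2. An unsigned assertion must be rejected, not silently accepted.
    Signature signature = assertion.getSignature();
    if (signature == null) {
        throw new ValidationException("Assertion is not signed");
    }

    // 3. Profile check: exactly one enveloped-signature Reference that points at the
    //    Assertion's own ID, so the bytes that were signed are the bytes being read.
    new SAMLSignatureProfileValidator().validate(signature);

    // 4. Cryptographic check (Figure 2.7): recompute the digest over the canonicalised
    //    content and verify SignatureValue with the trusted public key (tampering).
    BasicX509Credential credential = new BasicX509Credential();
    credential.setEntityCertificate(trustedPdpCert);
    new SignatureValidator(credential).validate(signature);
}
```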
2.6 Other Technical Experiences
2.6.1 Apache Team
This was voluntary work that I joined out of my interest in learning more about Apache products. It
was a wonderful experience in which we were introduced to how to contribute to the ASF. This was done in
a milestone pattern: we met at the beginning and had a discussion, guided by Mr.
Sagara Gunathunga, Committer/PMC member at The Apache Software Foundation and Tech
Lead at WSO2, and set a bi-weekly milestone. Then we met again after two weeks, reviewed what
we had done and set the next milestone.
I started my work by trying to write a sample for the Apache Transport SMS module and had to
pause it for a while, as I got stuck installing the Java Communication API on my machine. I was
advised not to stay stuck on that and to proceed with solving some other issues in the Apache JIRA; I
resolved the following documentation issues and wrote a post on my blog on 'Documentation-patch
submission for Apache issues' (http://pushpalankajaya.blogspot.com/2011/09/documentation-patch-submission-for.html),
hoping that someone at the beginning of contributing to Apache will
benefit from it.
1. Client.java in UserGuide has syntax errors - https://issues.apache.org/jira/browse/AXIS2-4655
2. Configuration guide should clearly state the root elements and locations for axis2.xml,
services.xml and module.xml - https://issues.apache.org/jira/browse/AXIS2-5069
3. RESTClient documentation example differs from RESTClient.java source file -
https://issues.apache.org/jira/browse/AXIS2-5138
Problem – Installation of the Java Communication API was not successful even when the
steps in the guide were followed, and I could not call the web service using an SMS.
Solution – Consulted several senior employees to catch the error and tried a lot of options,
including changing the OS to Windows. Finally I found that the developer of the SMS module was also
an employee at WSO2, Mr. Charith Wickramasinghe, who was abroad; I contacted him via
email and got guidance. With that I could resolve the problem.
The following files have to be added to the Axis2-HOME/lib directory, paying attention to matching
the versions in use:
axis2-transport-sms-1.0.0.jar
smslib-3.4.1.jar
mail-1.4.jar
axis2-transport-base-1.0.0.jar
For the Java Communication API installation the following files should be copied to the jre-home/lib/ext/
directory, and if that does not work well, copying them to Axis2-Home/lib should be tried:
comm.jar
libLinuxSerialParallel.so
libLinuxSerialParallel_g.so
As the next step I have to document this properly and submit the patch explaining the procedure;
as I gave priority to my main task, this work was a bit delayed. But as getting introduced to the
Apache community was the hard part, I can now proceed with this individually even though I am out
of the company. So I think I did the right thing in giving priority to my main project 'Implement
SAML to XACML', as it was my responsibility, whereas this is voluntary work that I can continue
even later.
2.6.2 Training Sessions
After the release of Stratos, the cloud platform, WSO2 started a weekly training program which
was conducted by senior employees on topics suggested by the rest of the staff and things that were
recognized as important. It was conducted every Wednesday from 10.30 – 12.30, and in
Moodle we could register for the courses we were interested in and learn new things. This was a great
opportunity for us to learn from industry experts what is needed in the industry, and I
participated in the following sessions.
HTTP Basics – Got introduced to how the web basically works and wrote the first servlet I
ever wrote in my life.
WS-Security Basics – Got a few of the security concepts I had ambiguities about clarified and
learnt more on PKI.
XML Basics – Learnt that XML is not just typing something with tags and got familiar with
namespaces and schema.
2.7 Other Non-Technical Experiences
In addition to the technical exposure I got at WSO2, there were so many activities I was exposed
to within the internship period. WSO2 did not treat us differently as interns and gave us all the
opportunities to participate in the events organized at the office and enjoy with the staff.
2.7.1 Demonstration
Before I got my 6 weeks' leave from WSO2 to take part in the MIT-UOM mobile technology
incubation program, I did a presentation on the work I had done so far. It was held at the board room of the
WSO2 office at #59, attended by Dr. Sanjiva Weerawarana, CEO, Dr. Srinath Perera, senior software
architect, and members of the IS team including Mr. Prabath Siriwardena and my mentor Mr. Asela
Pathberiya.
I got to know about this just a day before, and anyway it was a challenging experience. I tried to
present the Entitlement Handler that I had finished, and while trying to demonstrate it in action it
failed. Later I found that I had forgotten to start the server in debug mode; anyway no one
there made me feel down and they just encouraged me to continue the presentation, and I explained its
functionality without the demonstration.
This was a nice lesson I learnt for my life, not to panic in such situations, and I am glad that I
continued the presentation well without it. I learnt that we should always be prepared,
as such things can go wrong sometimes, and I am pretty sure that next time I will be better
prepared for such situations with backup plans.
I also presented my progress in implementing SAML to XACML, and this initiated a
discussion among the board on how things were going to be done and where this implementation was
going to reside in the architecture. It was also a very nice experience for me to be there
and see how things are decided at WSO2, with discussions that are done so informally, giving
freedom for anyone to put up their ideas and support ideas with thoughts.
This demonstration is an unforgettable experience in my life; it encouraged me to work hard,
and I am so grateful for the opportunity given.
Also there were two training visits from the department during the internship period. The
first visit was by Dr. Rapti de Silva and the last one was by Mr. Thilak Fernando from the
Department of Computer Science and Engineering. I explained my experience at WSO2 to them,
and both of them gave me good feedback and advised me to carry on the good work.
2.7.2 WSO2 Annual Trip
This year the annual trip of the WSO2 family was to Heritance Kandalama, and a lot of events were
organized to make the three days more fun. We had so many luxury facilities there, courtesy
of WSO2, and gathered so many beautiful memories. This was a great chance to meet the
office staff in a non-official environment, and they all treated us so warmly. Following are two
major activities which were held during the trip and which I enjoyed very much. It was a great gift
given by the company for its employees to enjoy with their families, getting away from day to day
office work.
2.7.2.1 Awurudu Games
As it was the Sinhalese and Tamil New Year season, there was an event organized by the company
at the hotel premises. It was full of fun awurudu games and I too participated in several of
them. All the staff members and their family members participated in this event, and catching
eggs, passing ice and the adults' bun-eating event were a few of the hits there. All enjoyed the event
to the maximum and felt the spirit and beauty of the WSO2 family.
2.7.2.2 CSR Activity
Being at Heritance Kandalama, we did not just enjoy the luxury and the stay, but also worked for
spiritual relief and happiness. Here (http://pushpalankajaya.blogspot.com/p/csr-activity-with-wso2-staff.html)
is the blog page I wrote on this experience, with the great pleasure I had being a
contributor to the event.
After the 'Awurudu games' we visited Bellane Oya Primary School, which was a less privileged
school; it was an idea of Dr. Sanjiva Weerawarana, CEO of the company, to help such a
school in the area. Funds were raised with contributions from both the company and employees, and
finally volunteers could join in visiting the school, helping them in clearing an area for a
playground and checking what else they needed.
They warmly welcomed us when we arrived there, through a very narrow road, and
this reminded me of my primary education at Kirindiwela Maha Vidyalaya, which was a bit
similar to this school in background; this really took me back to my childhood. In his address to
the school children Dr. Sanjiva mentioned that a lot of employees of the company were like
those kids some time ago and emerged with courage. His intention was to encourage the
students, and I am sure that at least a few of them have raised their hopes and courage with that. It
would be a great occasion if one of them can make it to WSO2 for their career in the future.
2.7.3 Sports, Entertainment and Other Activities
The office premises of WSO2 are arranged more like a home, with all the facilities for the
staff to work in a free environment, enjoying whatever they are doing. There is even a
basketball court in the office premises, and the staff normally play there in the evenings.
In addition to the basketball court there are so many other activities available to enjoy at any time we
are feeling bored. Near the lunch area there is a carrom board, a foosball table and arrangements to
play table tennis, for which I used to gather a team after lunch or tea and play for a few minutes.
This was a great facility arranged there to relax a bit, stretching our hands after working in front of the
laptop, and to get back to work refreshed. It was also a place where I got to know many of the staff.
In the Wesak season all the Wesak lanterns that decorated the office were made by the office staff
together, and there is a television in the lobby area where, on important occasions, people gather and
watch together.
In the earlier days of my internship at WSO2, each Friday there was a special talk by Dr. Sanjiva
regarding many aspects, including the history of WSO2, the future of WSO2, and also the
importance of blogging for the company as a marketing method specific to a middleware and
open source company. I can very well remember one thing he mentioned: never to write
anything that we do not truly believe, and to take responsibility for whatever we write. He
gave a lot of tips to improve ourselves, as WSO2 promotes personal branding of employees, and he
so freely shared his experience and updated the staff on what was going on regarding the company,
including the funds the company received, new customers found, profits and growth, and pointed out any
weaknesses and encouraged people to do their maximum. I think this is a great idea, to talk to the staff
as a whole each week, and it was so inspiring.
All these just represent the close connection inside the WSO2 family.