Re: [Dev] [Dashboard] Sharing a dashboard in UUF Dashboard Component
Hi Lasantha,

The fragment ID of a fragment URL (the part after the hash sign) will not be sent in the HTTP request back to the server. Also, the "Referer" header sent by browsers should not include the fragment ID [1]. Hence, the data will not be logged in intermediate proxies or any sort of server-side access logs, and will not be exposed to external applications via the Referer header.

One concern is that the end user (and, for example, a shoulder surfer) will be able to see the data part directly in the browser URL. It will open up a security loophole if confidential information is sent in the fragment ID. Such confidential information would include session identifiers, credentials or tokens. If this does not concern confidential information, I do not think this will open up a security loophole.

It is best if you could further clarify whether we are planning to pass any confidential values in the fragment ID. If so, we might need to look at other approaches.

@Team: Any other thoughts?

[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36

Best Regards,
Ayoma.

On Fri, May 5, 2017 at 4:45 PM, Lasantha Samarakoon wrote:
> [+Adding security team]
>
> @Security team: In the above first approach, we are supposed to store widget state details in the URL hash as in the given example. Can this be a security loophole since it exposes some of the data (e.g. search criteria) used by the widgets via the URL?
>
> Lasantha Samarakoon | Software Engineer
> WSO2, Inc.
> #20, Palm Grove, Colombo 03, Sri Lanka
> Mobile: +94 (71) 214 1576
> Email: lasant...@wso2.com
> Web: www.wso2.com
>
> lean . enterprise . middleware
>
> On Fri, May 5, 2017 at 11:35 AM, Lasantha Samarakoon wrote:
>> [Dashboard] Sharing a dashboard
>>
>> Hi all,
>>
>> I am currently working on the dashboard sharing feature in the UUF dashboard component, which will allow a user to share a dashboard with its current state (i.e. selected field values, chart drill-downs, etc.). To implement this we need to maintain the state of each widget somewhere and retrieve those during the dashboard restoring process. The same feature has been implemented in the previous dashboard version and it worked as follows.
>>
>> In dashboard 2.0.0 the gadget state is persisted in the URL hash. The dashboard exposes a client-side API [1] for gadgets to persist and retrieve data in the URL hash.
>>
>> APIs:
>>
>> wso2.gadgets.state.setGadgetState(state, callback);
>> wso2.gadgets.state.getGadgetState(callback);
>> wso2.gadgets.state.getGlobalState(callback);
>> wso2.gadgets.state.setGlobalState(key, state, callback);
>>
>> Once the states are saved the URL will look like:
>>
>> https://dashboard.example.com/portal/dashboard/my-dashboard#/gadget-a/{data of gadget-a}/gadget-b/{data of gadget-b}
>>
>> One of the main advantages of this approach is that a user can simply copy the URL and share it. If permission has been granted, others can view the dashboard with the exact state.
>>
>> In addition to the above approach, another approach has come up in our discussions to implement this feature, i.e. using the database as a persistence medium for widget states.
>>
>> Using database as persistence medium:
>>
>> In this approach we need to introduce a new button to save the current state of the dashboard in the database and provide a sharable link to restore it (somewhat similar to how Google Docs works). The sharable link will look like:
>>
>> https://dashboard.example.com/portal/shared/
>>
>> The in the above URL can be used to fetch the state with other meta-info from the database and restore the dashboard. Drawbacks of this approach are as follows.
>>
>> 1. User has to perform an extra action to get the sharable link.
>> 2. Database will persist data for each share, so sometimes purging will be needed.
>>
>> Appreciate your comments on the above to finalize the approach we are going to use on the UUF dashboard component.
>>
>> [1] https://github.com/wso2/carbon-dashboards/blob/2.0.x/components/shindig-wso2-features/src/main/javascript/wso2features/state/state.js
>>
>> Thanks,
>>
>> Lasantha Samarakoon | Software Engineer
>> WSO2, Inc.
>> #20, Palm Grove, Colombo 03, Sri Lanka
>> Mobile: +94 (71) 214 1576
>> Email: lasant...@wso2.com
>> Web: www.wso2.com
>>
>> lean . enterprise . middleware

--
Ayoma Wijethunga
Associate Technical Lead
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
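The two points made above (the fragment never reaches the server or a Referer, but anything in it is visible in the URL bar) can be checked in code. The following is an added example, not code from the dashboard component or from the thread: it builds the "#/gadget-a/{state}/gadget-b/{state}" fragment described by Lasantha, derives the request-target a browser actually puts on the wire (path plus query, per RFC 7230; the fragment is never part of it), and refuses to persist gadget state that looks like a credential. The gadget ids, the sample state values and the SENSITIVE pattern are assumptions; Java 11 or later is assumed for the URLEncoder/URLDecoder overloads that take a Charset.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: fragment-based dashboard state, and a guard against putting credentials in it. */
public final class FragmentStateCheck {

    // Assumed heuristic for "confidential" state; adjust to the real widget state keys.
    private static final Pattern SENSITIVE = Pattern.compile(
            "(?i)(token|session|password|passwd|secret|credential|cookie|api_?key)");

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    /** Serialises gadget states as "#/id/state/id/state", percent-encoding every part (so '/' inside state is safe). */
    static String buildFragment(Map<String, String> gadgetStates) {
        StringBuilder sb = new StringBuilder("#");
        for (Map.Entry<String, String> e : gadgetStates.entrySet()) {
            sb.append('/').append(enc(e.getKey())).append('/').append(enc(e.getValue()));
        }
        return sb.toString();
    }

    /** Inverse of buildFragment; takes the raw (still encoded) fragment of a shared URL. */
    static Map<String, String> parseFragment(String rawFragment) {
        Map<String, String> out = new LinkedHashMap<>();
        if (rawFragment == null || rawFragment.length() < 2) {
            return out;
        }
        String[] parts = rawFragment.substring(1).split("/", -1);   // drop the leading '/'
        if (parts.length % 2 != 0) {
            throw new IllegalArgumentException("fragment is not a list of id/state pairs");
        }
        for (int i = 0; i < parts.length; i += 2) {
            out.put(dec(parts[i]), dec(parts[i + 1]));
        }
        return out;
    }

    /** What the browser sends as the request-target (and the most a Referer can carry): path and query only. */
    static String requestTarget(URI uri) {
        String target = uri.getRawPath();
        if (uri.getRawQuery() != null) {
            target += "?" + uri.getRawQuery();
        }
        return target;
    }

    /** Ids of gadgets whose state looks like a credential; such state must not be shared via the URL bar. */
    static List<String> gadgetsWithSensitiveState(Map<String, String> gadgetStates) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> e : gadgetStates.entrySet()) {
            if (SENSITIVE.matcher(e.getValue()).find()) {
                flagged.add(e.getKey());
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample state: a search filter and a chart drill-down.
        Map<String, String> states = new LinkedHashMap<>();
        states.put("gadget-a", "{\"search\":\"status:error\",\"range\":\"7d\"}");
        states.put("gadget-b", "{\"drilldown\":\"host=db-01\"}");

        URI shared = URI.create("https://dashboard.example.com/portal/dashboard/my-dashboard?tab=1"
                + buildFragment(states));
        System.out.println("in the URL bar : " + shared);
        System.out.println("on the wire    : " + requestTarget(shared));   // no fragment here
        System.out.println("round trip ok  : " + parseFragment(shared.getRawFragment()).equals(states));

        // A gadget that (wrongly) tries to persist an access token is caught before the URL is built.
        Map<String, String> bad = new LinkedHashMap<>(states);
        bad.put("gadget-c", "{\"access_token\":\"eyJhbGciOi...\"}");
        System.out.println("refused        : " + gadgetsWithSensitiveState(bad));   // [gadget-c]
    }
}
```

The check in gadgetsWithSensitiveState is the part a dashboard should run inside its setGadgetState equivalent: the fragment is safe from proxies and access logs, but not from the user's screen, history, bookmarks or a copied link, so the decision has to be made at the point where state enters the URL.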
Re: [Dev] Use char array as micro service parameter
%24 is the HTML block representation of $ [1]. The browser / AJAX library should be doing this conversion before sending data to the server. It might have been transparent to us before, but since the service logic itself is handling the ByteBuffer now, it might be necessary to do the HTML decoding separately. Seems to be another reason for us to look at the possibility of handling this at framework level.

[1] https://www.w3schools.com/tags/ref_urlencode.asp

On Fri, Mar 24, 2017 at 5:14 PM, Denuwanthi De Silva wrote:
> When I do a POST request via Postman the special characters are rendered fine.
> Seems like this is happening with the ajax call.
>
> On Fri, Mar 24, 2017 at 5:02 PM, Denuwanthi De Silva wrote:
>> Hi,
>>
>> As discussed offline I used the msf4j Request object in my microservice
>>
>>     @POST
>>     @Path("/validatePassword")
>>     public Response isValidPassword(@Context Request password) {
>>
>> Then I tried retrieving a char[] out of it as follows
>>
>>     ByteBuffer fullContent = BufferUtil.merge(password.getFullMessageBody());
>>     char[] passwordText = Charset.defaultCharset().decode(fullContent).array();
>>
>> But the returned value contains different values for special characters.
>>
>> For example, the actual password I gave was ABCabc01$
>> Then the value retrieved in the microservice is ABCabc01%24
>>
>> Is there a way we can handle this? The password is sent from the frontend side to the backend via an ajax call
>>
>>     var password = $("#newPassword").val();
>>     $.ajax({
>>         type: "POST",
>>         url: "/admin-portal/root/apis/passwordUtil-micro-service/validatePassword",
>>         data: {newPassword: password},
>>
>> Thanks
>>
>> On Thu, Mar 23, 2017 at 9:54 PM, Ayoma Wijethunga wrote:
>>> Hi Jude,
>>>
>>> I think you got me wrong. StringBuilder internally uses char[] to store values (mutable sequence of characters [1] [2]). Therefore, we will not be creating (and leaving behind) immutable String objects as long as we use the StringBuilder properly.
>>>
>>> However, if you accidentally call a method such as stringBuilder.toString() or stringBuilder.append(String str) you will end up creating an immutable String in memory. This is what I was trying to imply with my sentence.
>>>
>>> We should not really depend on garbage collection for any data structure storing passwords. If we are going to depend on GC for arrays, there is no point in *not* using String. Instead, since "char" is a mutable primitive, it's possible to change the value as desired (whereas Strings are immutable). Therefore, after storing a password in a char[] or a StringBuilder (which internally uses a char[]) you should clear the data before leaving the reference for GC to pick up, to make sure memory is clean.
>>>
>>> However, there is one issue associated with using StringBuilder for password storage. StringBuilder has a mechanism to grow the char[] used internally when such expansion is required (AbstractStringBuilder.expandCapacity). This can leave behind arrays that are not properly cleared in memory. This too can be addressed by setting a proper initialCapacity when creating the StringBuilder.
>>>
>>> Anyhow, during an offline discussion we identified that the reason Thusitha suggested StringBuilder here was that MSF4J by default supports StringBuilder as a parameter type. However, with further checking we identified that this StringBuilder is created using Strings at MSF4J level. Therefore, instead of going through the StringBuilder approach, we will be directly using the byte stream of the request to read passwords out into a char[], which is much cleaner and does not introduce any immutable Strings.
>>>
>>> [1] https://docs.oracle.com/javase/7/docs/api/java/lang/StringBuilder.html
>>> [2] http://developer.classpath.org/doc/java/lang/StringBuilder-source.html
>>>
>>> Best Regards,
>>> Ayoma.
>>>
>>> On Thu, Mar 23, 2017 at 9:19 PM, Jude Niroshan <jude.nirosha...@gmail.com> wrote:
>>>>> We just need to avoid using any method that accepts or returns a String in StringBuilder, to avoid intermediate level Strings.
Re: [Dev] Use char array as micro service parameter
Hi Jude,

I think you got me wrong. StringBuilder internally uses char[] to store values (mutable sequence of characters [1] [2]). Therefore, we will not be creating (and leaving behind) immutable String objects as long as we use the StringBuilder properly.

However, if you accidentally call a method such as stringBuilder.toString() or stringBuilder.append(String str) you will end up creating an immutable String in memory. This is what I was trying to imply with my sentence.

We should not really depend on garbage collection for any data structure storing passwords. If we are going to depend on GC for arrays, there is no point in *not* using String. Instead, since "char" is a mutable primitive, it's possible to change the value as desired (whereas Strings are immutable). Therefore, after storing a password in a char[] or a StringBuilder (which internally uses a char[]) you should clear the data before leaving the reference for GC to pick up, to make sure memory is clean.

However, there is one issue associated with using StringBuilder for password storage. StringBuilder has a mechanism to grow the char[] used internally when such expansion is required (AbstractStringBuilder.expandCapacity). This can leave behind arrays that are not properly cleared in memory. This too can be addressed by setting a proper initialCapacity when creating the StringBuilder.

Anyhow, during an offline discussion we identified that the reason Thusitha suggested StringBuilder here was that MSF4J by default supports StringBuilder as a parameter type. However, with further checking we identified that this StringBuilder is created using Strings at MSF4J level. Therefore, instead of going through the StringBuilder approach, we will be directly using the byte stream of the request to read passwords out into a char[], which is much cleaner and does not introduce any immutable Strings.

[1] https://docs.oracle.com/javase/7/docs/api/java/lang/StringBuilder.html
[2] http://developer.classpath.org/doc/java/lang/StringBuilder-source.html

Best Regards,
Ayoma.

On Thu, Mar 23, 2017 at 9:19 PM, Jude Niroshan wrote:
>> We just need to avoid using any method that accepts or returns a String in StringBuilder, to avoid intermediate level Strings.
>
> I believe you are well aware of why Strings and other sorts of objects are discouraged for passwords and other valuable information. It is simply not to retain any information anywhere in the heap or other intermediate volatile memory. Arrays can be quickly garbage collected and that valuable information can not be extracted again.
>
> http://stackoverflow.com/q/8881291/4506140
>
> Hope it helps :)
>
> Regards,
> Jude
>
> On Thu, Mar 23, 2017 at 3:42 PM, Ayoma Wijethunga wrote:
>> Yes. That seems to address the requirement.
>>
>> We can accept InputStream as a parameter and then use the input stream to read characters into a StringBuilder. I hope this was what you were suggesting and this is supported with MSF4J.
>>
>> We just need to avoid using any method that accepts or returns a String in StringBuilder, to avoid intermediate level Strings.
>>
>> Best Regards,
>> Ayoma.
>>
>> On Thu, Mar 23, 2017 at 3:17 PM, Thusitha Thilina Dayaratne <thusit...@wso2.com> wrote:
>>> Hi All,
>>>
>>> AFAIU char[] is not compliant with either QueryParam or FormParam according to [1]. Therefore from MSF4J (as a JAX-RS engine) IMHO we couldn't support char[].
>>> What if we use StringBuilder instead of String? Then we can delete the StringBuilder as we want. WDYT?
>>>
>>> [1] - http://docs.oracle.com/javaee/7/api/javax/ws/rs/FormParam.html
>>>
>>> Thanks
>>>
>>> On Thu, Mar 23, 2017 at 3:10 PM, Denuwanthi De Silva <denuwan...@wso2.com> wrote:
>>>> Hi,
>>>>
>>>> I have a micro service which calls a password validation back end. For that, it passes the password as a microservice parameter.
>>>>
>>>> Due to security concerns we need to pass the password as a char array instead of a String [1].
>>>>
>>>> The password value is retrieved using a jQuery input field call and passed as a char array. Then it is passed to the microservice via an ajax call. But the microservice method params do not support the char[] type [1].
>>>>
>>>> Is there a way we can handle this without involving the String type at the intermediate level?
>>>>
>>>> [1] https://nvisium.com/blog/2016/03/31/secure-password-str
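Two things come together in this thread: the %24 that Denuwanthi saw is the application/x-www-form-urlencoded encoding that jQuery's $.ajax applies to data: {newPassword: password}, and the agreed approach is to read the password out of the request's byte stream into a char[] without creating a String. The following is an added example, not MSF4J code and not code from the thread: it takes the merged body ByteBuffer (the value BufferUtil.merge(request.getFullMessageBody()) produces in Denuwanthi's snippet), locates one form field by name, undoes '+' and %XX escapes on the raw bytes, UTF-8 decodes into an exactly sized char[], and zeroes every intermediate buffer. The field name, the sample body and the class name are assumptions; the body string in main is constructed for the demonstration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CoderResult;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added example: form-urlencoded field -> char[] with no intermediate String. */
public final class FormPasswordReader {

    /** Returns the decoded value of {@code field}, or null if absent. The caller must zero the result after use. */
    static char[] readField(ByteBuffer body, String field) throws CharacterCodingException {
        byte[] raw = new byte[body.remaining()];
        body.duplicate().get(raw);                 // private copy; the transport's buffer is not ours to manage
        try {
            int start = 0;
            while (start <= raw.length) {
                int end = indexOf(raw, (byte) '&', start, raw.length);
                if (end < 0) {
                    end = raw.length;
                }
                int eq = indexOf(raw, (byte) '=', start, end);
                int nameEnd = eq < 0 ? end : eq;
                int valueStart = eq < 0 ? end : eq + 1;
                if (nameMatches(raw, start, nameEnd, field)) {
                    return decodeValue(raw, valueStart, end);
                }
                start = end + 1;
            }
            return null;
        } finally {
            Arrays.fill(raw, (byte) 0);            // do not leave the whole request body behind
        }
    }

    private static int indexOf(byte[] a, byte b, int from, int to) {
        for (int i = from; i < to; i++) {
            if (a[i] == b) return i;
        }
        return -1;
    }

    private static boolean nameMatches(byte[] raw, int from, int to, String field) {
        byte[] want = field.getBytes(StandardCharsets.US_ASCII);   // assumes an ASCII field name
        if (to - from != want.length) return false;
        for (int i = 0; i < want.length; i++) {
            if (raw[from + i] != want[i]) return false;
        }
        return true;
    }

    private static int hex(byte b) {
        int v = Character.digit((char) b, 16);
        if (v < 0) throw new IllegalArgumentException("bad percent escape");
        return v;
    }

    /** Percent-decodes raw[from,to) into bytes, then UTF-8 decodes into a char[] sized exactly once. */
    private static char[] decodeValue(byte[] raw, int from, int to) throws CharacterCodingException {
        byte[] bytes = new byte[to - from];
        int n = 0;
        for (int i = from; i < to; i++) {
            byte b = raw[i];
            if (b == '+') {
                bytes[n++] = ' ';
            } else if (b == '%') {
                if (i + 2 >= to) throw new IllegalArgumentException("truncated percent escape");
                bytes[n++] = (byte) ((hex(raw[i + 1]) << 4) | hex(raw[i + 2]));
                i += 2;
            } else {
                bytes[n++] = b;
            }
        }
        CharBuffer chars = CharBuffer.allocate(n);   // UTF-8 never yields more chars than bytes, so no regrowth
        try {
            CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT);
            CoderResult r = dec.decode(ByteBuffer.wrap(bytes, 0, n), chars, true);
            if (r.isError()) r.throwException();
            r = dec.flush(chars);
            if (r.isError()) r.throwException();
            chars.flip();
            char[] out = new char[chars.remaining()];
            chars.get(out);
            return out;
        } finally {
            Arrays.fill(bytes, (byte) 0);
            Arrays.fill(chars.array(), '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed body: what jQuery sends for {other: "1", newPassword: "ABCabc01$ x"}.
        ByteBuffer body = ByteBuffer.wrap(
                "other=1&newPassword=ABCabc01%24+x&trailing=".getBytes(StandardCharsets.US_ASCII));
        char[] pw = readField(body, "newPassword");
        try {
            System.out.println(Arrays.equals(pw, "ABCabc01$ x".toCharArray()));   // true: %24 became '$'
        } finally {
            Arrays.fill(pw, '\0');                 // clear as soon as the check is done
        }
    }
}
```

The explicit CharsetDecoder with a pre-sized CharBuffer matters for the same reason as the StringBuilder initialCapacity point above: Charset.decode(ByteBuffer) grows its output buffer as it goes and can leave uncleared copies behind. What this code cannot do is clear the transport's own buffers (the ByteBuffer passed in and whatever the HTTP layer pooled it from); that part has to be handled at the framework level, as the thread already concludes.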
Re: [Dev] Use char array as micro service parameter
Yes. That seems to address the requirement.

We can accept InputStream as a parameter and then use the input stream to read characters into a StringBuilder. I hope this was what you were suggesting and this is supported with MSF4J.

We just need to avoid using any method that accepts or returns a String in StringBuilder, to avoid intermediate level Strings.

Best Regards,
Ayoma.

On Thu, Mar 23, 2017 at 3:17 PM, Thusitha Thilina Dayaratne <thusit...@wso2.com> wrote:
> Hi All,
>
> AFAIU char[] is not compliant with either QueryParam or FormParam according to [1]. Therefore from MSF4J (as a JAX-RS engine) IMHO we couldn't support char[].
> What if we use StringBuilder instead of String? Then we can delete the StringBuilder as we want. WDYT?
>
> [1] - http://docs.oracle.com/javaee/7/api/javax/ws/rs/FormParam.html
>
> Thanks
>
> On Thu, Mar 23, 2017 at 3:10 PM, Denuwanthi De Silva wrote:
>> Hi,
>>
>> I have a micro service which calls a password validation back end. For that, it passes the password as a microservice parameter.
>>
>> Due to security concerns we need to pass the password as a char array instead of a String [1].
>>
>> The password value is retrieved using a jQuery input field call and passed as a char array. Then it is passed to the microservice via an ajax call. But the microservice method params do not support the char[] type [1].
>>
>> Is there a way we can handle this without involving the String type at the intermediate level?
>>
>> [1] https://nvisium.com/blog/2016/03/31/secure-password-strings/
>> [2] https://jersey.java.net/apidocs/2.7/jersey/javax/ws/rs/QueryParam.html
>>
>> Thanks,
>> --
>> Denuwanthi De Silva
>> Senior Software Engineer;
>> WSO2 Inc.; http://wso2.com,
>> Email: denuwan...@wso2.com
>> Blog: https://denuwanthi.wordpress.com/
>
> --
> Thusitha Dayaratne
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> Mobile +94712756809
> Blog alokayasoya.blogspot.com
> About http://about.me/thusithathilina

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
Re: [Dev] [Architecture] [VOTE] Release WSO2 API Manager 2.1.0 RC1
[-] Broken - do not release (due to a security related issue identified)

Thank you,
Ayoma.

On Sat, Jan 7, 2017 at 5:16 PM, Prakhash Sivakumar wrote:
> Hi all,
>
> Please keep the vote on hold as we are still analyzing security reports provided by the team and verifying the previous fixes.
>
> Thanks,
>
> On Fri, Jan 6, 2017 at 10:55 PM, Praminda Jayawardana wrote:
>> Hi All,
>>
>> This is the 1st Release Candidate of WSO2 API Manager 2.1.0
>>
>> Please download, test the product and vote. The vote will be open for 72 hours or as needed.
>>
>> Source and distribution
>>
>> Run-time : https://github.com/wso2/product-apim/releases/download/v2.1.0-rc1/wso2am-2.1.0-RC1.zip
>> Analytics : https://github.com/wso2/analytics-apim/releases/download/v2.1.0-rc1/wso2am-analytics-2.1.0-RC1.zip
>> Tooling : https://github.com/wso2/devstudio-tooling-apim/releases/tag/v2.1.0
>>
>> This release fixes the following issues:
>> Runtime : https://wso2.org/jira/issues/?filter=13623
>> Analytics : https://wso2.org/jira/issues/?filter=13624
>> Tooling : https://wso2.org/jira/browse/DEVTOOLAPI-1
>>
>> Please vote as follows.
>> [+] Stable - go ahead and release
>> [-] Broken - do not release (explain why)
>>
>> Thanks,
>> - WSO2 API Manager Team -
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Prakhash Sivakumar
> Software Engineer | WSO2 Inc
> Platform Security Team
> Mobile : +94771510080
> Blog : https://medium.com/@PrakhashS

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
Re: [Dev] WSO2 Committers += Farasath Ahamed
Congratulations Farasath!

On Mon, Oct 24, 2016 at 2:28 PM, Lahiru J Ekanayake wrote:
> Congratulations Fara :)
>
> On Mon, Oct 24, 2016 at 2:26 PM, Prakhash Sivakumar wrote:
>> Congratz Fara :D
>>
>> On Mon, Oct 24, 2016 at 1:14 PM, Johann Nallathamby wrote:
>>> Hi All,
>>>
>>> It's my pleasure to announce Farasath Ahamed as a WSO2 Committer. Farasath has been a valuable contributor to the WSO2 Identity Server product, and in recognition of his contribution to WSO2, he has been voted as a WSO2 Committer.
>>>
>>> Farasath, congratulations and keep up the good work!
>>>
>>> Thanks & Regards,
>>>
>>> Johann Dilantha Nallathamby
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - +9476950
>>> Blog - http://nallaa.wordpress.com
>>
>> --
>> Prakhash Sivakumar
>> Software Engineer | WSO2 Inc
>> Platform Security Team
>> Mobile : +94771510080
>> Blog : https://medium.com/@PrakhashS
>
> --
> Lahiru J Ekanayake
> Software Engineer
> Mobile : +9471 8812629 / +94778509547
> Email : lahi...@wso2.com
> WSO2, Inc.; http://wso2.com/
> lean . enterprise . middleware.

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
[Dev] [IS] SCIM extension attributes missing in retrieval
Hi All,

When a user is created with a SCIM extension schema [1], "User Retrievals" do not include the extended schema attributes. Please advise on how we can get these values using the SCIM API. Please find additional query-level details below.

[1] https://docs.wso2.com/display/IS510/Extensible+SCIM+User+Schemas+With+WSO2+Identity+Server

Thank you,
Ayoma.

User Creation

Request

    curl -v -k --user admin:admin --data '{"schemas":[],"userName":"SureshAtt","password":"Wso2@123","wso2Extension":{"dob":"12/12/2012"}}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Response

    {"id":"cf6db727-fb6c-40d8-9b72-e004f912e686","wso2Extension":{"dob":"12/12/2012"},"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:wso2:1.0"],"userName":"SureshAtt","meta":{"lastModified":"2016-08-28T21:32:40","location":"https://localhost:9443/wso2/scim/Users/cf6db727-fb6c-40d8-9b72-e004f912e686","created":"2016-08-28T21:32:40"}}

LDIF

    dn: uid=SureshAtt,ou=Users,dc=WSO2,dc=ORG
    objectClass: top
    objectClass: identityPerson
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: wso2Person
    objectClass: scimPerson
    cn: SureshAtt
    sn: SureshAtt
    createdDate: 2016-08-28T21:32:40
    dateOfBirth: 12/12/2012
    lastModifiedDate: 2016-08-28T21:32:40
    location: https://localhost:9443/wso2/scim/Users/cf6db727-fb6c-40d8-9b72-e004f912e686
    scimId: cf6db727-fb6c-40d8-9b72-e004f912e686
    uid: SureshAtt
    userPassword:: V3NvMkAxMjM=

User Retrieval

Request

    curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users/cf6db727-fb6c-40d8-9b72-e004f912e686

Response

    {"id":"cf6db727-fb6c-40d8-9b72-e004f912e686","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"SureshAtt"},"userName":"SureshAtt","meta":{"lastModified":"2016-08-28T21:32:40","created":"2016-08-28T21:32:40","location":"https://localhost:9443/wso2/scim/Users/cf6db727-fb6c-40d8-9b72-e004f912e686"}}

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
Re: [Dev] [ESB] Unable to start ESB 5.0.0 Beta2 on top of IBM JDK
Hi Pubudu,

I hope you were checking with me about "ESBJAVA-4740" [1]. Was "ESBJAVA-4772" mentioned by mistake? Rajith is correct about "ESBJAVA-4772", although "ESBJAVA-4740" has nothing to do with CSRFGuard.

[1] https://wso2.org/jira/browse/ESBJAVA-4740

Regards,
Ayoma

On Tue, Jul 19, 2016 at 10:49 PM, Rajith Roshan wrote:
> Hi Pubudu,
>
> Can you try setting the following property [1] in the "Owasp.CsrfGuard.Carbon.properties" file (SERVER_HOME/repository/conf/security), which by default is set to [2]. We found the same issue with G-Reg and overcame it by setting this property.
>
> [1] - org.owasp.csrfguard.PRNG.Provider=IBMJCE
> [2] - org.owasp.csrfguard.PRNG.Provider=SUN
>
> Thanks!
> Rajith
>
> On Mon, Jul 18, 2016 at 12:51 PM, Pubudu Priyashan wrote:
>> Hi Senduran,
>>
>> We are currently facing the issue logged at [1] when starting the ESB pack with IBM JDK. Can we please take a look and get this fixed with the next release? This blocks us from testing the release on IBM JDK. Do let me know if you require any further information. Thanks!
>>
>> [1] https://wso2.org/jira/browse/ESBJAVA-4772
>>
>> Cheers,
>> Pubudu D.P
>> Senior Software Engineer - QA Team | WSO2 inc.
>> Mobile : +94775464547
>>
>> Linkedin: https://uk.linkedin.com/in/pubududp
>> Medium: https://medium.com/@pubududp
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
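Rajith's fix above works because the provider named in org.owasp.csrfguard.PRNG.Provider is looked up by name in the running JVM, and IBM's JDK ships "IBMJCE" rather than "SUN". Before editing Owasp.CsrfGuard.Carbon.properties on an unfamiliar JVM it is worth checking which providers can actually supply the configured PRNG. The following is an added example, not CSRFGuard code: it mirrors a SecureRandom.getInstance(algorithm, provider) call and lists every installed provider that offers the algorithm. The algorithm defaults to SHA1PRNG on the assumption that the companion property org.owasp.csrfguard.PRNG names the algorithm and defaults to that value; pass the values from your properties file as arguments.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added example: find out which SecureRandom provider/algorithm pair this JVM can satisfy. */
public final class PrngProviderCheck {

    /** Names of installed providers that register a SecureRandom service for {@code algorithm}. */
    static List<String> providersFor(String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("SecureRandom", algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** Same lookup CSRFGuard's configuration implies; returns a human-readable verdict instead of throwing. */
    static String tryInstantiate(String algorithm, String provider) {
        try {
            SecureRandom.getInstance(algorithm, provider);
            return "ok: " + algorithm + " from " + provider;
        } catch (NoSuchProviderException e) {
            return "no provider named " + provider + " in this JVM (this is the IBM JDK failure with PRNG.Provider=SUN)";
        } catch (NoSuchAlgorithmException e) {
            return "provider " + provider + " exists but does not offer " + algorithm;
        }
    }

    public static void main(String[] args) {
        String algorithm = args.length > 0 ? args[0] : "SHA1PRNG";   // assumed CSRFGuard default
        String provider = args.length > 1 ? args[1] : "SUN";         // value shipped in the Carbon properties
        System.out.println(tryInstantiate(algorithm, provider));
        System.out.println("providers offering " + algorithm + ": " + providersFor(algorithm));
    }
}
```

Run it with the IBM JDK's java binary and the second line tells you the name to put in org.owasp.csrfguard.PRNG.Provider; running it under an Oracle or OpenJDK build shows "SUN" and explains why the default only fails on the IBM runtime.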
Re: [Dev] "Error 403 - Forbidden" when session expires in admin console
Hi Rajith,

"org.owasp.csrfguard.ValidateWhenNoSessionExists" is only relevant to the session timeout scenario Hasintha mentioned.

Regarding "/fileupload/resource", please have a look at the "Integration Checklist", last item from [1].

Let's have a look at the "/carbon/generic" URL separately and see what is wrong.

[1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f

Best Regards,
Ayoma.

On Sat, Jul 9, 2016 at 3:05 PM, Rajith Roshan wrote:
> Hi Ayoma,
>
> We are facing this issue when uploading registry resources and uploading RXTs when the session gets expired. We have changed the "org.owasp.csrfguard.ValidateWhenNoSessionExists" property to false. But it still gives the following error messages [1], [2]. After reloading the page the issue does not happen.
>
> [1] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:192.168.8.100, method:POST, uri:/carbon/generic/save_artifact_ajaxprocessor.jsp, error:request token does not match session token)
> [2] - WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:192.168.8.100, method:POST, uri:/fileupload/resource, error:request token does not match session token)
>
> On Fri, Jul 8, 2016 at 8:03 PM, Ayoma Wijethunga wrote:
>> Hi Team,
>>
>> We identified that disabling the "ValidateWhenNoSessionExists" property similar to the following can resolve the original session-timeout issue raised by Hasintha.
>>
>>     org.owasp.csrfguard.ValidateWhenNoSessionExists = false
>>
>> Please add the below lines to the product "distribution" pom file to correct this behavior. This was further updated in [1] and [2] (Integration Checklist).
>>
>>     file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>>     token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>>     value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>>
>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
>> [2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
>>
>> Thank you,
>> Ayoma.
>>
>> On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage wrote:
>>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga wrote:
>>>> Hi All,
>>>>
>>>> The original issue reported by Hasintha is relevant to how we handle session timeout conditions with the CSRFGuard filter. We are working on this and will update with a resolution.
>>>
>>> The reason for this behavior is that there's no session-existence check prior to the form POST. Before CSRFGuard this was not a problem, because, upon a failure due to session timeout one of the following would have happened:
>>>
>>> 1. in the case of an ajaxprocessor - the request would be propagated to the respective admin service, and upon its session non-existence exception, would be redirected to the login page.
>>> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext would redirect to the login page before hitting the actual jsp/servlet.
>>>
>>> Since CSRFGuard is a filter, it intercepts before either of the above happen and sends a 403 Forbidden - because that's what it's supposed to do.
>>>
>>> There's a platform level JavaScript function called sessionAwareFunction (in main.js) that can be used for this. Registry Browser uses that. We have to send the actual operation we want to do as a callback function to sessionAwareFunction. It will initially do a session validity check via /carbon/admin/jsp/session-validate.jsp and then execute what we want to do.
>>>
>>> We tried to come up with a centralized solution for this, but failed. Therefore, this needs to be fixed at product level.
>>>
>>> Please let us know if you see a better solution for this.
>>>
>>>> In general CSRFGuard should work without any per-page modifications, since we are using JavaScript based attribute injection and header based protection for AJAX requests. However, there
Re: [Dev] "Error 403 - Forbidden" when session expires in admin console
Hi Team,

We identified that disabling "ValidateWhenNoSessionExists" property similar to following can resolve original session-timeout issue raised by Hasintha.

    org.owasp.csrfguard.ValidateWhenNoSessionExists = false

Please add below lines in product "distribution" pom file to correct this behavior. This was further updated in [1] and [2] (Integration Checklist).

    file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
    token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
    value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>

[1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
[2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#

Thank you,
Ayoma.

On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage wrote:

> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga wrote:
>
>> Hi All,
>>
>> Original issue reported by Hasintha is relevant to how we handle session timeout conditions with CSRFGuard filter. We are working on this and will update with a resolution.
>
> The reason for this behavior is there's no session-existence check prior to the form POST. Before CSRFGuard this was not a problem, because, upon a failure due to session timeout one of the following would have happened:
>
> 1. in the case of an ajaxprocessor - Request would be propagated to the respective admin service, and upon its session non-existence exception, will be redirected to the login page.
> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will redirect to the login page before hitting the actual jsp/servlet.
>
> Since CSRFGuard is a filter, it intercepts before either of the above happen and sends a 403 forbidden - because that's what it's supposed to do.
>
> There's a platform level javascript function called sessionAwareFunction (in main.js) that can be used for this. Registry Browser uses that. We have to send the actual operation we want to do as a callback function to sessionAwareFunction. It will initially do a session validity check via /carbon/admin/jsp/session-validate.jsp and then execute what we want to do.
>
> We tried to come up with a centralized solution for this, but failed. Therefore, this needs to be fixed at product-level.
>
> Please let us know if you see a better solution for this.
>
>> In general CSRFGuard should work without any per-page modifications, since we are using JavaScript based attribute injection and header based protection for AJAX requests. However, there might be special cases in which these methodologies fail. Such incidences should be handled case-by-case and we will be adding all the special cases we identified into the "Integration Checklist" of [1].
>>
>> We had a short offline session with Shavantha on the issue he is facing and identified that there are methods that use "*document.createElement('form')*" JavaScript call to build forms dynamically. Since CSRFGuard JavaScript will not be able to identify such forms, it is necessary to add CSRF token manually. Please see the screenshot attached which is the page source of [2]. In such situations it is required to use JSP Taglib to add CSRF token as an additional parameter. Please follow [1] for additional details.
>>
>> We can of course arrange quick sessions with teams to check on any edge-case issues they are facing, relevant to CSRFGuard.
>>
>> [1] https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>> [2] https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>
>> Best Regards,
>> Ayoma.
>>
>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <shavan...@wso2.com> wrote:
>>
>>> [+Dulanjan]
>>>
>>> Hi All
>>>
>>> When trying to add multiple roles to a user using a feature such as *Select all from page 1 to page 3* or clicking on a pagination number the same error comes and throws an error similar to [1]
>>>
>>> [1]
>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, error:required token is missing f
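The thread above describes two client-side gaps: forms built with document.createElement('form') that the CSRFGuard injection script never sees, and POSTs sent after the server session has expired that the filter rejects with a 403 before any login redirect can happen. The following is an added example, not code from the thread, from OWASP CSRFGuard or from WSO2 Carbon; the token parameter name, the session checker and the small DOM stand-in are assumptions made so it runs under Node without a browser.

```javascript
// Added example; not code from this thread, from OWASP CSRFGuard or from WSO2 Carbon.
// It shows the two client-side gaps the thread describes:
//   1. a form built with document.createElement('form') is never seen by the
//      CSRFGuard injection script, so the token must be added by hand, and
//   2. a POST issued after the server session has expired is rejected by the
//      filter (403) before any login redirect can happen, so the session should
//      be checked first, the way sessionAwareFunction in main.js is described.
// The token parameter name, the injected session checker and the DOM stub are
// assumptions made so the example runs under Node without a browser.

const CSRF_TOKEN_NAME = "OWASP_CSRFTOKEN"; // assumed: CSRFGuard's token parameter name

// Constructed stand-in for the browser DOM (just enough of it for this example).
function createStubDocument() {
  function makeElement(tagName) {
    return {
      tagName: tagName.toUpperCase(),
      attributes: {},
      children: [],
      setAttribute(name, value) { this.attributes[name] = String(value); },
      getAttribute(name) {
        return Object.prototype.hasOwnProperty.call(this.attributes, name) ? this.attributes[name] : null;
      },
      appendChild(child) { this.children.push(child); return child; },
    };
  }
  return { createElement: makeElement, body: makeElement("body") };
}

// Builds the same kind of dynamic POST form the admin console pages create, but
// always appends the CSRF token as a hidden input. Refuses to build a form with
// no token rather than silently producing a request the filter will reject.
function buildPostForm(doc, action, fields, csrfToken) {
  if (typeof csrfToken !== "string" || csrfToken.length === 0) {
    throw new Error("CSRF token missing: refusing to build an unprotected form");
  }
  const form = doc.createElement("form");
  form.setAttribute("method", "POST");
  form.setAttribute("action", action);
  const allFields = Object.assign({}, fields, { [CSRF_TOKEN_NAME]: csrfToken });
  for (const [name, value] of Object.entries(allFields)) {
    const input = doc.createElement("input");
    input.setAttribute("type", "hidden");
    input.setAttribute("name", name);
    input.setAttribute("value", value);
    form.appendChild(input);
  }
  return form;
}

// Check to run on the page before submitting: returns the token carried by the
// form, or null when the form would fail with "required token is missing".
function csrfTokenOf(form) {
  const hit = form.children.find(
    (c) => c.tagName === "INPUT" && c.getAttribute("name") === CSRF_TOKEN_NAME
  );
  return hit ? hit.getAttribute("value") : null;
}

// Session-aware wrapper in the spirit of the sessionAwareFunction the thread
// mentions. In a browser `isSessionValid` would be a request to
// session-validate.jsp; here it is injected so the decision runs offline. The
// operation only runs when the session is alive; otherwise the user is sent to
// login instead of the POST hitting the filter and getting a 403.
function sessionAwareFunction(isSessionValid, operation, onExpired) {
  if (!isSessionValid()) {
    onExpired();
    return { ran: false, reason: "session-expired" };
  }
  return { ran: true, result: operation() };
}

// Stand-alone demonstration with constructed inputs.
function demo() {
  const doc = createStubDocument();
  const form = buildPostForm(doc, "/carbon/user/view-roles.jsp", { username: "alice" }, "tok-123");
  const events = [];
  const outcome = sessionAwareFunction(
    () => false, // pretend the server-side session has expired
    () => { events.push("submitted " + form.getAttribute("action")); return true; },
    () => events.push("redirect to login")
  );
  return { token: csrfTokenOf(form), outcome, events };
}
```

The first function is the manual token injection the thread asks for on dynamically created forms; the second is the check that turns an expired-session 403 into a login redirect, which is exactly the pre-CSRFGuard behaviour the filter now short-circuits.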
Re: [Dev] "Error 403 - Forbidden" when session expires in admin console
Hi Pubudu This is only the pattern coming from kernel itself. Product level exclusions are not there in the property file. Please check with product team on this. Best Regards, Ayoma On Fri, Jul 8, 2016 at 5:59 PM, Pubudu Priyashan wrote: > Hi Ayoma, > > I had a look at " > repository/conf/security/Owasp.CsrfGuard.Carbon.properties" file and I > can see the property [1] included in it. Can you please confirm that this > is as expected? Thanks! > > [1] org.owasp.csrfguard.unprotected.Services=%servletContext%/services/* > > Cheers, > Pubudu. > > Pubudu D.P > Senior Software Engineer - QA Team | WSO2 inc. > Mobile : +94775464547 > > Linkedin: https://uk.linkedin.com/in/pubududp > Medium: https://medium.com/@pubududp > > > On Fri, Jul 8, 2016 at 5:50 PM, Ayoma Wijethunga wrote: > >> Hi Pubudu / Senduran, >> >> This is not the exact same. "/carbon/proxyservices/" is one of EBS CSRF >> exclusion patterns (referring to previous filter configuration [1]). >> >> As discussed with Senduran over the call we had, this pattern needs to be >> added to OWASP CSRFGuard as a unprotected URL pattern ([2] section 6). >> >> Was the test performed on a pack with this configuration change? If so, >> lets have a quick remote session to check this out. >> >> [1] >> https://docs.google.com/document/d/16qTgkhOrhgH48ttnIuqEDG531cS1ouMLwqu1CtyfXLI/edit >> >> [2] >> https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit# >> >> Thank you, >> Ayoma. >> >> On Fri, Jul 8, 2016 at 5:29 PM, Pubudu Priyashan >> wrote: >> >>> [+Senduran] >>> >>> We have found the same issue [1] in ESB wso2esb-5.0.0-pre-RC2.zip pack. >>> >>> [1] https://wso2.org/jira/browse/ESBJAVA-4741 >>> >>> Pubudu D.P >>> Senior Software Engineer - QA Team | WSO2 inc. 
>>> Mobile : +94775464547 >>> >>> Linkedin: https://uk.linkedin.com/in/pubududp >>> Medium: https://medium.com/@pubududp >>> >>> >>> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga wrote: >>> >>>> Hi All, >>>> >>>> Original issue reported by Hasintha is relevant to how we handle >>>> session timeout conditions with CSRFGuard filter. We are working on this >>>> and will update with a resolution. >>>> >>>> In general CSRFGuard should work without any per-page modifications, >>>> since we are using JavaScript based attribute injection and header based >>>> protection for AJAX requests. However, there might be special cases in >>>> which these methodologies fail. Such incidences should be handled >>>> case-by-case and we will be adding all the special cases we identified in >>>> to the "Integration Checklist" of [1]. >>>> >>>> We had a short offline session with Shavantha on the issue he is facing >>>> and identified that there are methods that use " >>>> *document.createElement('form')*" JavaScript call to build forms >>>> dynamically. Since CSRFGuard JavaScript will not be able to identify such >>>> forms, it is necessary to add CSRF token manually. Please see the >>>> screenshot attached which is the page source of [2]. In such situations it >>>> is required to use JSP Taglib to add CSRF token as an additional parameter. >>>> Please follow [1] for additional details. >>>> >>>> We can of cause arrange quick sessions with teams to check on any >>>> edge-case issues they are facing, relevant to CSRFGuard. >>>> >>>> [1] >>>> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f >>>> [2] >>>> https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699 >>>> >>>> Best Regards, >>>> Ayoma. 
>>>> >>>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe < >>>> shavan...@wso2.com> wrote: >>>> >>>>> [+Dulanjan] >>>>> >>>>> Hi All >>>>> >>>>> When trying to add multiple roles to a user using a feature such as >>>>> *Select >>>>> all from page 1 to page 3* or clicking on a pagination number the >>>>> same error comes and throws an error similar to[1] >>>>> >>>>> [1] >
Re: [Dev] "Error 403 - Forbidden" when session expires in admin console
Hi Pubudu / Senduran, This is not the exact same. "/carbon/proxyservices/" is one of EBS CSRF exclusion patterns (referring to previous filter configuration [1]). As discussed with Senduran over the call we had, this pattern needs to be added to OWASP CSRFGuard as a unprotected URL pattern ([2] section 6). Was the test performed on a pack with this configuration change? If so, lets have a quick remote session to check this out. [1] https://docs.google.com/document/d/16qTgkhOrhgH48ttnIuqEDG531cS1ouMLwqu1CtyfXLI/edit [2] https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit# Thank you, Ayoma. On Fri, Jul 8, 2016 at 5:29 PM, Pubudu Priyashan wrote: > [+Senduran] > > We have found the same issue [1] in ESB wso2esb-5.0.0-pre-RC2.zip pack. > > [1] https://wso2.org/jira/browse/ESBJAVA-4741 > > Pubudu D.P > Senior Software Engineer - QA Team | WSO2 inc. > Mobile : +94775464547 > > Linkedin: https://uk.linkedin.com/in/pubududp > Medium: https://medium.com/@pubududp > > > On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga wrote: > >> Hi All, >> >> Original issue reported by Hasintha is relevant to how we handle session >> timeout conditions with CSRFGuard filter. We are working on this and will >> update with a resolution. >> >> In general CSRFGuard should work without any per-page modifications, >> since we are using JavaScript based attribute injection and header based >> protection for AJAX requests. However, there might be special cases in >> which these methodologies fail. Such incidences should be handled >> case-by-case and we will be adding all the special cases we identified in >> to the "Integration Checklist" of [1]. >> >> We had a short offline session with Shavantha on the issue he is facing >> and identified that there are methods that use " >> *document.createElement('form')*" JavaScript call to build forms >> dynamically. 
Since CSRFGuard JavaScript will not be able to identify such >> forms, it is necessary to add CSRF token manually. Please see the >> screenshot attached which is the page source of [2]. In such situations it >> is required to use JSP Taglib to add CSRF token as an additional parameter. >> Please follow [1] for additional details. >> >> We can of cause arrange quick sessions with teams to check on any >> edge-case issues they are facing, relevant to CSRFGuard. >> >> [1] >> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f >> [2] >> https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699 >> >> Best Regards, >> Ayoma. >> >> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe < >> shavan...@wso2.com> wrote: >> >>> [+Dulanjan] >>> >>> Hi All >>> >>> When trying to add multiple roles to a user using a feature such as *Select >>> all from page 1 to page 3* or clicking on a pagination number the same >>> error comes and throws an error similar to[1] >>> >>> [1] >>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site >>> request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, >>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp, >>> error:required token is missing from the request) >>> >>> >>> Regards, >>> Shavantha Weerasinghe >>> Senior Software Engineer QA >>> WSO2, Inc. >>> lean.enterprise.middleware. >>> http://wso2.com >>> http://wso2.org >>> Tel : 94 11 214 5345 >>> Fax :94 11 2145300 >>> >>> >>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee >>> wrote: >>> >>>> Hi all, >>>> >>>> When trying to perform operations through admin console, once the >>>> session is expired we are getting a 403 from admin console. Seems like this >>>> occurs due to CSRF filter blocking the request since the session is no >>>> longer available at the server side. 
>>>> >>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} - >>>> potential cross-site request forgery (CSRF) attack thwarted >>>> (user:, ip:127.0.0.1, method:POST, >>>> uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token >>>> does not match session token) >>>> -- >>>> Hasintha Indrajee >>>> WSO2, Inc. >>>> Mobile:+94 771892453 &
Re: [Dev] Launching the BPMN Explorer does not work after updating to Kernel 4.4.6
Sorry: s/Tanya/Sudhama/g

On Fri, Jul 1, 2016 at 1:41 PM, Ayoma Wijethunga wrote:

> Hi Tanya,
>
> This "csrf.js" file is not an actual JavaScript file. If you check section 4 of the document "Securing Jaggery Applications", you will notice that there is a new "servletMappings" which binds "JavaScriptServlet" with URL pattern "csrf.js". This Servlet is exposing a JavaScript which is then used by the template. I hope it is clear.
>
> However, noticed that a relevant PR [1] is not in a Jaggery release yet. We will check this with Jaggery team and update relevant version details in the document itself and in this email thread for your reference, as quick as possible.
>
> [1] https://github.com/wso2/jaggery/pull/155
>
> Thank you,
> Ayoma.
>
> On Fri, Jul 1, 2016 at 11:39 AM, Sudharma Subasinghe wrote:
>
>> Hi,
>>
>> Error 405 - Method Not Allowed occurred for BPMN Explorer UI launching request after adding configurations for jaggery apps.
>>
>> Are "/csrf.js" which is added in the header of HTML template in the app and "/csrfPrevention.js" for management console same?
>>
>> Appreciate idea on this.
>>
>> Thanks
>> Sudhama
>>
>> --
>> Sudharma Subasinghe,
>> Software Engineer,
>> WSO2 Inc.
>> Email: sudhar...@wso2.com
>> Mobile : +94 710 565 157
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma

--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] Launching the BPMN Explorer does not work after updating to Kernel 4.4.6
Hi Tanya, This "csrf.js" file is not an actual JavaScript file. If you check section 4 of the document "Securing Jaggery Applications", you will notice that there is a new "servletMappings" which binds "JavaScriptServlet" with URL pattern "csrf.js". This Servlet is exposing a JavaScript which is then used by the template. I hope it is clear. However, noticed that a relevant PR [1] is not in a Jaggery release yet. We will check this with Jaggery team and update relevant version details in the document itself and in this email thread for your reference, as quick as possible. [1] https://github.com/wso2/jaggery/pull/155 Thank you, Ayoma. On Fri, Jul 1, 2016 at 11:39 AM, Sudharma Subasinghe wrote: > Hi, > > Error 405 - Method Not Allowed occurred for BPMN Explorer UI launching > request after adding configurations for jaggery apps. > > Are "/csrf.js" which is added in the header of HTML template in the app > and "/csrfPrevention.js" for management console same? > > Appreciate idea on this. > > Thanks > Sudhama > > -- > Sudharma Subasinghe, > Software Engineer, > WSO2 Inc. > Email: sudhar...@wso2.com > Mobile : +94 710 565 157 <%2B94%20718%20210%20200> > -- Ayoma Wijethunga Software Engineer Platform Security Team WSO2, Inc.; http://wso2.com lean.enterprise.middleware Mobile : +94 (0) 719428123 <+94+(0)+719428123> Blog : http://www.ayomaonline.com LinkedIn: https://www.linkedin.com/in/ayoma ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] DSS Tryit Page issue
Hi Team, Identified that *"issue 1"* occurred because TryIt does not load the "csrfPrevention.js" JavaScript, which is responsible of injecting CSRF token values into request. This is because TryIt application does not have the usual carbon template applied. [1] should fix the issue. I have verified this by modifying HTML content using BurpSuite. However, I was unable to test same with DSS because I cannot find "org.wso2.carbon.wsdl2form-4.5.3.jar" in any of the library/plugins folders, even though it is available in "./repository/components/default/configuration/org.eclipse.osgi/bundles/" folder after server start. I didn't create the PR since, I could not test it locally. Any advice on this? Also, do we have any other applications such as "TryIt" that does not have the usual carbon template applied, but uses resources available within "/carbon" context (ex : /carbon/admin/jsp/WSRequestXSSproxy_ ajaxprocessor.jsp). [1] https://github.com/wso2/carbon-commons/compare/4.4.x...ayomawdb:4.4.x Regards, Ayoma. On Tue, Jun 21, 2016 at 5:38 PM, Manuri Amaya Perera wrote: > Hi, > > I have added content type in tryit.xslt and sent a PR[1]. This resolved > issue 2. > > > [1] https://wso2.org/jira/browse/CCOMMONS-16 > > On Tue, Jun 21, 2016 at 4:01 PM, Manuri Amaya Perera > wrote: > >> Hi Ayoma, >> >> I think setting the content-type can be done in [1]. >> >> But this issue should occur for other products as well right? >> >> [1] >> https://github.com/wso2/carbon-commons/blob/master/components/wsdl2form/org.wso2.carbon.wsdl2form/src/main/java/org/wso2/carbon/wsdl2form/WSDL2FormRequestProcessor.java >> >> Thanks, >> Manuri >> >> On Tue, Jun 21, 2016 at 3:55 PM, Ayoma Wijethunga wrote: >> >>> Hi Team, >>> >>> As Manuri mentioned, "issue 2" occurs because we are serving a >>> JavaScript as the response for service call [1] with the content-type >>> "text/html". This should be corrected to "application/javascript". 
>>> >>> Is there any possibility for us to send the "content-type" header in the >>> response, based on the extension of the resource being loaded? This is the >>> correct way forward. >>> >>> Issue is relevant to "X-Content-Type-Options:nosniff" header Tomcat >>> filter is setting to prevent "MIME Sniffing" attacks. Also this is separate >>> form CSRFGuard. >>> >>> [1] >>> http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js >>> [2] http://www.slideshare.net/RonanDunne1/mime-sniffing-17014318 >>> >>> Regards, >>> Ayoma. >>> >>> On Tue, Jun 21, 2016 at 3:41 PM, Manuri Amaya Perera >>> wrote: >>> >>>> >>>> >>>> On Tue, Jun 21, 2016 at 3:26 PM, KasunG Gajasinghe >>>> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jun 21, 2016 at 2:37 PM, Manuri Amaya Perera >>>> > wrote: >>>>> >>>>>> Hi all, >>>>>> >>>>>> Please find the comments inline. >>>>>> >>>>>> On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> When we build the product DSS [1] with the latest Kernel Release >>>>>>> (4.4.6), we have observed following issues in "Try it" page. Appreciate >>>>>>> any clue on this to get them resolved. >>>>>>> >>>>>>> *1) *In Https mode, Try it requests gives following error on send >>>>>>> [2][3]. >>>>>>> >>>>>>> WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site >>>>>>> request forgery (CSRF) attack thwarted (user:, >>>>>>> ip:10.100.7.118, >>>>>>> method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, >>>>>>> error:required token is missing from the request) >>>>>>> >>>>>>> Private proxy protocol will be attempted as cross-domain browser >>>>>>> restrictions might be enforced for this endpoint. >>>>>>> >>>>>>> http://tryit.carbon.wso2.org";> >>>>>>>Error connecting to the Tryit ajax proxy >>>>>>> >>>>>>> >>>>
Re: [Dev] DSS Tryit Page issue
ithub.com/wso2/product-dss/ >>>> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA >>>> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs >>>> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ >>>> >>>> Regards, >>>> -- >>>> Anupama Pathirage >>>> Associate Technical Lead >>>> WSO2, Inc. http://wso2.com/ >>>> Email: anup...@wso2.com >>>> Mobile:+94 71 8273 979 >>>> >>>> >>>> >>> >>> [1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet >>> [2] >>> http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff >>> >>> Thanks, >>> Manuri >>> >>> -- >>> >>> *Manuri Amaya Perera* >>> >>> *Software Engineer* >>> >>> *WSO2 Inc.* >>> >>> *Blog: http://manuriamayaperera.blogspot.com >>> <http://manuriamayaperera.blogspot.com>* >>> >> >> >> >> -- >> >> *Kasun Gajasinghe*Associate Technical Lead, WSO2 Inc. >> email: kasung AT spamfree wso2.com >> linked-in: http://lk.linkedin.com/in/gajasinghe >> blog: http://kasunbg.org >> >> >> > > > > -- > > *Manuri Amaya Perera* > > *Software Engineer* > > *WSO2 Inc.* > > *Blog: http://manuriamayaperera.blogspot.com > <http://manuriamayaperera.blogspot.com>* > -- Ayoma Wijethunga Software Engineer Platform Security Team WSO2, Inc.; http://wso2.com lean.enterprise.middleware Mobile : +94 (0) 719428123 <+94+(0)+719428123> Blog : http://www.ayomaonline.com LinkedIn: https://www.linkedin.com/in/ayoma ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [UUF] Convert an array to a javascript string array in nashorn.
gt;> index)); >>>>> }); >>>>> >>>>> >>>>> But I am getting the following errors when rendered the page(client >>>>> side js) : >>>>> >>>>> var protocols = [object Array];<-- Syntax error >>>>> >>>>> When I use JSON.stringify in server side js, I get the following >>>>> output : >>>>> >>>>> var protocols = >>>>> ["AMQP-0-10","MQTT-default","AMQP-0-91","AMQP-8-0","AMQP-0-9"]; >>>>> <-- Unexpected token & >>>>> >>>>> Any Idea ? >>>>> >>>>> Regards, >>>>> Hemika >>>>> >>>>> >>>>> Hemika Kodikara >>>>> Software Engineer >>>>> WSO2 Inc. >>>>> lean . enterprise . middleware >>>>> http://wso2.com >>>>> >>>>> Mobile : +9477762 >>>>> >>>>> On Fri, Jun 10, 2016 at 12:51 PM, Milinda Perera >>>>> wrote: >>>>> >>>>>> Hi Hemika, >>>>>> >>>>>> If AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9 are >>>>>> strings, following should work >>>>>> >>>>>> JSON.parse("[\"AMQP-0-10\", \"MQTT-default\", \"AMQP-0-91\", >>>>>> \"AMQP-8-0\", \"AMQP-0-9\"]") >>>>>> >>>>>> Accroding to [1] within array " A *value* can be a *string* in >>>>>> double quotes, or a *number*, or true or false or null, or an >>>>>> *object* or an *array*. These structures can be nested." >>>>>> >>>>>> [1] http://www.json.org/ >>>>>> >>>>>> Thanks, >>>>>> Mili >>>>>> >>>>>> On Fri, Jun 10, 2016 at 12:33 PM, Hemika Kodikara >>>>>> wrote: >>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> I am invoking the callOSGiService method in nashorn to get a list of >>>>>>> protocols thats in andes of MB. >>>>>>> >>>>>>> I am getting the following output after invoking the callOSGiService >>>>>>> : >>>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9] >>>>>>> >>>>>>> But need to convert it into a javascript array(Probably a String >>>>>>> array). Need to bind it to a dropdown(select element). 
>>>>>>> >>>>>>> I tried JSON.parse, but getting the following errors : >>>>>>> >>>>>>> jjs> JSON.parse("[AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, >>>>>>> AMQP-0-9]"); >>>>>>> :1 SyntaxError: Invalid JSON: :1:1 Expected json >>>>>>> literal but found ident >>>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9] >>>>>>> ^ >>>>>>> >>>>>>> jjs> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, >>>>>>> AMQP-0-9]); >>>>>>> ECMAScript Exception: SyntaxError: :1:28 Expected an operand >>>>>>> but found default >>>>>>> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]); >>>>>>> ^ >>>>>>> >>>>>>> My OSGi method returns a Set. >>>>>>> >>>>>>> How can I achieve this ? >>>>>>> >>>>>>> Regards, >>>>>>> Hemika >>>>>>> >>>>>>> Hemika Kodikara >>>>>>> Software Engineer >>>>>>> WSO2 Inc. >>>>>>> lean . enterprise . middleware >>>>>>> http://wso2.com >>>>>>> >>>>>>> Mobile : +9477762 >>>>>>> >>>>>>> ___ >>>>>>> Dev mailing list >>>>>>> Dev@wso2.org >>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Milinda Perera >>>>>> Software Engineer; >>>>>> WSO2 Inc. http://wso2.com , >>>>>> Mobile: (+94) 714 115 032 >>>>>> >>>>>> >>>>> >>>> >>> >> >> >> -- >> With regards, >> *Manu*ranga Perera. >> >> phone : 071 7 70 20 50 >> mail : m...@wso2.com >> > > > > -- > Sajith Janaprasad Ariyarathna > Software Engineer; WSO2, Inc.; http://wso2.com/ > -- Ayoma Wijethunga Software Engineer Platform Security Team WSO2, Inc.; http://wso2.com lean.enterprise.middleware Mobile : +94 (0) 719428123 <+94+(0)+719428123> Blog : http://www.ayomaonline.com LinkedIn: https://www.linkedin.com/in/ayoma ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
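Two separate problems are mixed together in the errors quoted in this thread: the Java Set's toString() text "[A, B, C]" is not JSON, so JSON.parse rejects it, and a correct JSON literal from JSON.stringify still fails with "Unexpected token &" once its quotes are HTML-escaped into &quot; by the template layer on the way into the page (the usual cause of that symptom; the thread itself does not confirm it). The following is an added example, not code from the thread or from UUF/Nashorn: under Nashorn the collection itself can be converted with Java.from(javaSet), and here a plain iterable stands in for it so the example runs under Node.

```javascript
// Added example; not code from this thread or from UUF/Nashorn. It separates the
// two problems visible in the errors above: the Java Set's toString() form
// "[A, B, C]" is not JSON, and a JSON literal that gets HTML-escaped on its way
// into the page (quotes turning into &quot;) is what the script parser reports
// as "Unexpected token &". A plain iterable stands in for the Java collection.

// Fallback for when only the toString() text of the Java collection is available.
// It splits on commas, so it is only safe for values that cannot contain commas
// (protocol names such as AMQP-0-10 qualify); converting the collection itself
// is preferable whenever it is in reach.
function javaCollectionStringToArray(text) {
  const match = /^\s*\[([\s\S]*)\]\s*$/.exec(text);
  if (!match) {
    throw new Error("not the [a, b, c] form produced by a Java collection's toString()");
  }
  const inner = match[1].trim();
  return inner === "" ? [] : inner.split(",").map((s) => s.trim());
}

// Preferred path: turn the (Java) collection into a JavaScript string array.
// Under Nashorn this is what Java.from(javaSet) gives you; Array.from is the
// generic equivalent used here so the example runs under Node.
function javaCollectionToArray(iterable) {
  return Array.from(iterable, (v) => String(v));
}

// Serialises a value for placement inside an inline <script> block that is NOT
// HTML-escaped by the template layer. JSON.stringify already yields valid
// JavaScript; the extra \uXXXX escapes keep a value such as "</script>" or "&"
// from being interpreted by the HTML parser or mangled into an entity, which is
// the risk you take on as soon as escaping is switched off for that output.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the assignment the template wanted to emit, from constructed sample
// input in the toString() form quoted in the thread.
function renderProtocolsAssignment(javaToString) {
  const protocols = javaCollectionStringToArray(javaToString);
  return "var protocols = " + toScriptLiteral(protocols) + ";";
}
```

Whichever conversion path is used, the value that reaches the script block must bypass HTML escaping and therefore needs the script-safe escaping above; otherwise any user-influenced string in the collection could close the script tag.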
Re: [Dev] How to use Security Questions for Password Recovery
IMO we should use the 2nd approach by default. Please check following OWASP recommendation:

> Furthermore, since adversaries will try the "forgot password" reset flow to reset a user's password (especially if they have compromised the side-channel, such as user's email account or their mobile device where they receive SMS text messages), is a good practice to minimize unintended and unauthorized information disclosure of the security questions. This may mean that you require the user to answer one security question before displaying any subsequent questions to be answered. In this manner, it does not allow an adversary an opportunity to research all the questions at once. Note however that this is contrary to the advice given on the Forgot Password Cheat Sheet and it may also be perceived as not being user-friendly by your sponsoring business unit, so again YMMV. [1]

It is true that having multiple screens is not user-friendly, but IMO security aspect is more important than being user friendly in such sensitive and infrequently used flow. Also during PCI PA-DSS audits, I have experience where auditors recommend 2nd approach. This is based on section 7 of PCI PA-DSS Guide [2] which is regarding disclosing information on need-to-know basis (even though PCI PA-DSS purely speaks about securing cardholder data, which does not include security questions).

It is great if we can support both options and allow user to decide what to use. However, IMO default should be the 2nd approach.

[1] https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
[2] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
[3] https://security.googleblog.com/2015/05/new-research-some-tough-questions-for.html

On Thu, Apr 28, 2016 at 3:28 PM, Isura Karunaratne wrote:

> Hi all,
>
> On Thu, Apr 28, 2016 at 12:08 PM, Malithi Edirisinghe wrote:
>
>> Hi All,
>>
>> I'm working on supporting user information recovery scenarios in IS user portal [1].
>>
>> While discussing on the user aspects of password recovery with security questions, with UX team we came across the below concern.
>>
>> 1. Should we view all of the security questions chosen by the user, from each question set, in the same page
>>
>> 2. Should we view the question chosen from each question set in a separate page, and make the user to go page by page answering each question
>>
>> If we chose option (1) we should be able to verify user answers for all the questions in a one step. If all are answered properly we will let the user to proceed, or else we will notify the user that he has not correctly answered to one or more, in the next page.
>> If we chose option (2) in each step we will verify the user's answer to the question prompted. If the first one is properly answered prompt the second question and let him to proceed similarly or else break the flow.
>>
>> However, with information recovery service implementation at IS, we can only support option (2) at the moment.
>> But, as it seems most of the sites opt for option (1).
>
> Yes. In the current implementation we can support only option 2. When we are designing Identity Management Java APIs for IS 5.3.0 release, it is better to support java API for both of above scenarios.
>
> Thanks
> Isura
>
>> We would like to clarify on which option we should proceed with. Also, would like to clarify on any security concerns with regard to above options.
>>
>> Appreciate your thoughts.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-3300
>>
>> Thanks,
>> Malithi.
>> --
>> *Malithi Edirisinghe*
>> Senior Software Engineer
>> WSO2 Inc.
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
>
> --
> Isura Dilhara Karunaratne
> Senior Software Engineer
> Mob +94 772 254 810
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [Architecture] [REST APIs][Analytics] GET request with a payload
Agreed. Then again, if user needs to include more columns than he needs to exclude we can introduce something like below and use the most suitable depending on the length.

    service?*include*=column1,column2    *- only include columns specified by user*
    service?*exclude*=column1,column2    *- include all columns, excluding what is provided by user*

Then again, there are even lower level limitations such as InnoDB limit on maximum 1000 columns [2]. If we really have such a use case where this list can grow more than 2000 characters, maybe it is best to use POST only for such abnormal scenarios.

[1] http://stackoverflow.com/questions/15090220/maximum-length-for-url-in-chrome-browser
[2] http://dev.mysql.com/doc/refman/5.7/en/column-count-limit.html

On Thu, Mar 24, 2016 at 12:03 PM, Udara Liyanage wrote:

> Hi,
>
> IMO by using POST to do a GET we are violating REST principles and may confuse users. You can see a query type API in [1] used by StackOverflow API. According to [2], it seems about 2000 characters are allowed by most browsers which is a pretty large number where a normal GET request is highly unlikely to exceed in practical situation regardless of the number of fields exist.
>
> [1] https://api.stackexchange.com/docs/users
> [2] http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers
>
> On Thu, Mar 24, 2016 at 11:38 AM, Gimantha Bandara wrote:
>
>> Thank you for your suggestions.
>> We cannot exactly say that the number of columns/fields user will need. It depends on how many fields a table has and how many the user want to get from that table. So the url length might exceed. If so, we will have to go with a new method with POST as it seems the only option.
>>
>> On Wed, Mar 23, 2016 at 9:34 PM, Lahiru Sandaruwan wrote:
>>
>>> Yes, if it is possible to put the columns names in the url as Ayoma mentioned, we must use that (First I thought it is a complex payload you want to send).
>>>
>>> Unless there are limitations, like column list doesn't exceed the url length limits, we should use GET.
>>>
>>> Thanks.
>>>
>>> On Wed, Mar 23, 2016 at 3:54 PM, Ayoma Wijethunga wrote:
>>>
>>>> Hi,
>>>>
>>>> It is true that using GET request with a payload is not the best option. Even though it is not strictly prohibited in specs, it can be confusing [1]. REST architecture is very open about how we use HTTP methods, but thinking in terms of REST architecture, I do not think using POST is also the correct approach here [2] (maybe it is just the personal preference).
>>>>
>>>> Let me summarize few examples on how others have addressed the same requirement with GET requests.
>>>>
>>>> Facebook Graph API is using "field" query parameter for this [3]. For example:
>>>>
>>>>> Following Graph API call *https://graph.facebook.com/bgolub?fields=id,name,picture* will only return the id, name, and picture in Ben's profile
>>>>
>>>> SharePoint syntax is not very eye candy [4][5], but it goes like:
>>>>
>>>>> http://server/siteurl/_vti_bin/listdata.svc/DocumentsOne?$select=MyDocumentType,Title,Id&$expand=MyDocumentType
>>>>
>>>> YouTube API has the same in below form [6]:
>>>>
>>>>> Example 1: Retrieve number of items in feed, index of first item in result set, and all entries in the feed:
>>>>> fields=openSearch:totalResults,openSearch:startIndex,entry
>>>>
>>>> LinkedIn has the same [7]
>>>>
>>>>> https://api.linkedin.com/v1/people-search:(people:(id,first-name,last-name,positions:(id,title,summary,start-date,end-date,is-current,company:(id,name,type,size,industry,ticker))
>>>>
>>>> IMO Facebook Graph API has the cleanest mechanism.
>>>>
>>>> I believe that if we use a similar format we will not have to introduce new resource paths. Instead we'll be able to provide all the columns, unless user specifically requests limited set of fields with a query parameter. WDYT?
>>>>
>>>> [1] http://stackoverflow.com/
Re: [Dev] [Architecture] [REST APIs][Analytics] GET request with a payload
Hi, It is true that using GET request with a payload is not the best option. Even though it is not strictly prohibited in specs, it can be confusing [1]. REST architecture is very open about how we use HTTP methods, but thinking in terms of REST architecture, I do not think using POST is also the correct approach here [2] (maybe it is just the personal preference). Let me summaries few examples on how others have addressed the same requirement with GET requests. Facebook Graph API is using "field" query parameter for this [3]. For example : Following Graph API call *https://graph.facebook.com/bgolub?fields=id,name,picture > <https://graph.facebook.com/bgolub?fields=id,name,picture>* will only > return the id, name, and picture in Ben's profile > SharePoint syntax is not very eye candy [4][5], but it goes like : http://server/siteurl/_vti_bin/listdata.svc/DocumentsOne?$select=MyDocumentType,Title,Id&$expand=MyDocumentType > YouTube API has the same in below form [6] : Example 1: Retrieve number of items in feed, index of > first item in result set, and all entries in the feed: > fields=openSearch:totalResults,openSearch:startIndex,entry > LinkedIn has the same [7] https://api.linkedin.com/v1/people-search:(people:(id,first-name,last-name,positions:(id,title,summary,start-date,end-date,is-current,company:(id,name,type,size,industry,ticker)) > IMO Facebook Graph API has the cleanest mechanism. I believe that if we use a similar format we will not have to introduce new resource paths. Instead we'll be able to provide all the columns, unless user specifically request limited set of fields with a query parameter. WDYT? 
[1] http://stackoverflow.com/questions/5216567/is-this-statement-correct-http-get-method-always-has-no-message-body
[2] https://spring.io/understanding/REST
[3] https://developers.facebook.com/docs/graph-api/using-graph-api#fieldexpansion
[4] http://sharepoint.stackexchange.com/questions/118633/how-to-select-and-filter-list-items-lookup-column-with-sharepoint-2013-rest-feat
[5] http://platinumdogs.me/2013/03/14/sharepoint-adventures-with-the-rest-api-part-1/
[6] https://developers.google.com/youtube/2.0/developers_guide_protocol_partial#Fields_Formatting_Rules
[7] https://developer.linkedin.com/docs/fields?u=0

Best Regards,
Ayoma.

On Wed, Mar 23, 2016 at 8:13 PM, Lahiru Sandaruwan wrote:
> Hi,
>
> I think using a POST with a body for retrieving information is fine considering the requirement. GET with a body is not recommended.
>
> Thanks.
>
> On Wed, Mar 23, 2016 at 2:31 PM, Gimantha Bandara wrote:
>
>> Hi all,
>>
>> We have a REST API in DAS to retrieve records in a specific table. It supports the GET method with the following URL format.
>>
>> /analytics/tables/{tableName}/{from}/{to}/{start}/{count}
>>
>> Sending a GET request to the above URL will give the records between the given "from", "to" time range, starting from index "start" with "count" page size.
>>
>> Now we need to change the API so that the user can define the record columns/fields he wants. The current API will return the records with all the values/columns. To do that, we can allow the user to define the columns he needs in the payload. But it seems that having a payload with a GET is not the convention/the best practice.
>>
>> POST can be used to send the column names as a payload, but here we are not making any updates to the {tableName} resource. We will be just retrieving records using a POST. So it also seems not the convention/the best practice.
>>
>> The only solution I can think of is having a different resource path to get the records with only the specified fields/columns. Are there any other solutions?
>>
>> Thanks,
>> Gimantha
>>
>> ___
>> Architecture mailing list
>> architect...@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Lahiru Sandaruwan
> Committer and PMC member, Apache Stratos,
> Senior Software Engineer,
> WSO2 Inc., http://wso2.com
> lean.enterprise.middleware
>
> phone: +94773325954
> email: lahi...@wso2.com blog: http://lahiruwrites.blogspot.com/
> linked-in: http://lk.linkedin.com/pub/lahiru-sandaruwan/16/153/146
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
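The "fields" query parameter approach Ayoma favours, sketched server-side as an added example (this is illustrative code, not DAS or WSO2 code). It keeps the existing GET resource, /analytics/tables/{tableName}/{from}/{to}/{start}/{count}, and adds an optional fields=a,b,c parameter. The point a reviewer would want to see is the check: every requested name is validated against the columns the table schema actually exposes before any record is read, so a caller can neither probe for columns outside the schema nor get a raw field name spliced into a backend query, and an absent or blank parameter means "all columns" as proposed. The schema, the sample record, the MAX_FIELDS cap and all class and method names are assumptions made for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not DAS code: handling of a Graph-API-style "fields" query
 * parameter on the existing GET record-retrieval resource.
 */
public class FieldSelection {

    /** Cap on names per request, so a hostile caller cannot send megabytes of "fields". */
    static final int MAX_FIELDS = 64;

    /**
     * Parses "fields=a,b,c". Returns the schema's own column list when the
     * parameter is absent or blank (the "all columns" default), otherwise the
     * requested columns, de-duplicated, in request order.
     * Throws IllegalArgumentException for a name that is not in the schema;
     * a JAX-RS resource would map that to HTTP 400 rather than silently
     * dropping the bad name.
     */
    static List<String> selectFields(String fieldsParam, Set<String> schemaColumns) {
        if (fieldsParam == null || fieldsParam.trim().isEmpty()) {
            return new ArrayList<>(schemaColumns);
        }
        Set<String> selected = new LinkedHashSet<>();
        for (String raw : fieldsParam.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue; // tolerate "a,,b" and a trailing comma
            }
            if (!schemaColumns.contains(name)) {
                // Whitelist check: only names the schema defines are accepted.
                // The echoed name is truncated so the error cannot carry unbounded input.
                throw new IllegalArgumentException("unknown field: "
                        + (name.length() > 40 ? name.substring(0, 40) + "..." : name));
            }
            if (selected.size() >= MAX_FIELDS) {
                throw new IllegalArgumentException("too many fields requested");
            }
            selected.add(name);
        }
        return new ArrayList<>(selected);
    }

    /** Projects one stored record down to the selected columns, preserving selection order. */
    static Map<String, Object> project(Map<String, Object> record, List<String> fields) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (String f : fields) {
            if (record.containsKey(f)) {
                out.put(f, record.get(f));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed schema and record for the demo (hypothetical sensor table).
        Set<String> schema = new LinkedHashSet<>(
                Arrays.asList("timestamp", "deviceId", "temperature", "humidity"));
        Map<String, Object> record = new LinkedHashMap<>();
        record.put("timestamp", 1450260660000L);
        record.put("deviceId", "sensor-17");
        record.put("temperature", 23.5);
        record.put("humidity", 61);

        // No parameter: every schema column comes back.
        System.out.println(project(record, selectFields(null, schema)));
        // Explicit selection: only the named columns, in the order requested.
        System.out.println(project(record, selectFields("temperature,deviceId", schema)));
        // A name outside the schema is rejected instead of being passed through.
        try {
            selectFields("deviceId,password", schema);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Validating against the schema rather than against the request is what makes this safe to expose: the resource path stays the same, the default behaviour stays "all columns", and the only new input is a list that is checked name by name before it influences anything.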
Re: [Dev] Clarification on OUT_ONLY ESB proxy service scenario
se for a request, it was possible to avoid this exception by setting the property OUT_ONLY for the in sequence as follows [2 <https://docs.wso2.com/display/ESB403/Generic+Properties>].
>>>
>>> type="STRING"/>
>>>
>>> But this makes the other client modes, such as "quote", stop working, because they try to send a request which expects a response through an OUT_ONLY proxy, which must be wrong in theory. So can you please let me know the proper way of handling the above ESB exception while providing support for both types of operations?
>>>
>>> [1] https://docs.wso2.com/display/ESB490/Sample+150%3A+Introduction+to+Proxy+Services
>>> [2] https://docs.wso2.com/display/ESB403/Generic+Properties
>>>
>>> Thanks and Regards,
>>> --
>>> Anupama Pathirage
>>> Associate Technical Lead
>>> WSO2, Inc. http://wso2.com/
>>> Email: anup...@wso2.com
>>> Mobile:+94 71 8273 979
>>>
>>> ___
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Vijitha Ekanayake
>> Software Engineer, WSO2, Inc.; http://wso2.com/
>> Mobile : +94 777 24 73 39 | +94 718 74 44 08
>> lean.enterprise.middleware
>
> --
> Anupama Pathirage
> Associate Technical Lead
> WSO2, Inc. http://wso2.com/
> Email: anup...@wso2.com
> Mobile:+94 71 8273 979
> Blog:http://mycodeideas.blogspot.com/
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [APIM] Sample API (WeatherAPI) no longer works
Sounds great. Thanks Lakshman for the information. I just noticed that this was discussed on the mailing list around October 30th. I will check 1.10.0.

Thanks again,
Ayoma.

On Thu, Dec 17, 2015 at 12:50 PM, Lakshman Udayakantha wrote:
> This has changed. Now API Manager has an embedded calculator API. Check the latest API Manager 1.10.0-SNAPSHOT.
>
> On Thu, Dec 17, 2015 at 12:47 PM, Ayoma Wijethunga wrote:
>
>> Hi All,
>>
>> The API Manager "Sample API" no longer works. OpenWeatherMap requires sending an API key from 9th October 2015 [1 <http://openweathermap.org/faq#error401>][2 <http://openweathermap.org/appid#get>]. A rate-limited key is available for free. Though an extended rate limit is available for FOSS developers [1 <http://openweathermap.org/faq#error401>], this might not work for us, because we have to distribute the API key with APIM.
>>
>> If this is not corrected, users will get the below error during invocations, which can be frustrating for a new customer who is evaluating API Manager.
>>
>>> {"cod":401,"message":"Invalid API key. Please see http://openweathermap.org/faq#error401 for more info."}
>>
>> Any idea whether we continue using OpenWeatherMap or move to a different sample implementation?
>>
>> FYI: Current free plan rate limits are as follows:
>>
>>> Calls 10min: 600
>>> Calls 1day: 50,000
>>> Threshold: 7,200
>>> Hourly forecast: 5
>>> Daily forecast: 0
>>
>> [1] http://openweathermap.org/faq#error401
>> [2] http://openweathermap.org/appid#get
>>
>> Best Regards,
>> Ayoma Wijethunga
>> Software Engineer
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 (0) 719428123
>> Blog : http://www.ayomaonline.com
>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Lakshman Udayakantha
> WSO2 Inc.
> www.wso2.com
> lean.enterprise.middleware
> Mobile: 0714388124

--
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
[Dev] [APIM] Sample API (WeatherAPI) no longer works
Hi All,

The API Manager "Sample API" no longer works. OpenWeatherMap requires sending an API key from 9th October 2015 [1 <http://openweathermap.org/faq#error401>][2 <http://openweathermap.org/appid#get>]. A rate-limited key is available for free. Though an extended rate limit is available for FOSS developers [1 <http://openweathermap.org/faq#error401>], this might not work for us, because we have to distribute the API key with APIM.

If this is not corrected, users will get the below error during invocations, which can be frustrating for a new customer who is evaluating API Manager.

> {"cod":401,"message":"Invalid API key. Please see http://openweathermap.org/faq#error401 for more info."}

Any idea whether we continue using OpenWeatherMap or move to a different sample implementation?

FYI: Current free plan rate limits are as follows:

> Calls 10min: 600
> Calls 1day: 50,000
> Threshold: 7,200
> Hourly forecast: 5
> Daily forecast: 0

[1] http://openweathermap.org/faq#error401
[2] http://openweathermap.org/appid#get

Best Regards,
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] DAS going OOM frequently
Hi Anjana,

Yes. Agreed, sorry I misread that. In that case OOM should be fine after the fix.

Thank you,
Ayoma.

On Wed, Dec 16, 2015 at 6:11 PM, Anjana Fernando wrote:
> Hi Ayoma,
>
> Thanks for checking up on it. Actually "getAllIndexedTables" doesn't return the Set here, it returns an array that was previously populated in the refresh operation, so there is no need to synchronize that method.
>
> Cheers,
> Anjana.
>
> On Wed, Dec 16, 2015 at 5:44 PM, Ayoma Wijethunga wrote:
>
>> And, I missed mentioning that when this race condition / state corruption happens, all "get" operations performed on the Set/Map get blocked, resulting in an OOM situation. [1 <http://mailinator.blogspot.gr/2009/06/beautiful-race-condition.html>] has all that explained nicely. I have checked a heap dump in a similar situation and if you take one, you will clearly see many threads waiting to access this Set instance.
>>
>> [1] http://mailinator.blogspot.gr/2009/06/beautiful-race-condition.html
>>
>> On Wed, Dec 16, 2015 at 5:37 PM, Ayoma Wijethunga wrote:
>>
>>> Hi Anjana,
>>>
>>> Sorry, I didn't notice that you had already replied to this thread.
>>>
>>> However, please consider my point on "getAllIndexedTables" as well.
>>>
>>> Thank you,
>>> Ayoma.
>>>
>>> On Wed, Dec 16, 2015 at 5:12 PM, Anjana Fernando wrote:
>>>
>>>> Hi Sumedha,
>>>>
>>>> Thank you for reporting the issue. I've fixed the concurrent modification exception issue, where actually both the methods "addIndexedTable" and "removeIndexedTable" needed to be synchronized, since they both work on the shared Set object there.
>>>>
>>>> As for the OOM issue, can you please share a heap dump from when the OOM happened, so we can see what is causing this. And also, I see there are multiple scripts running at the same time, so this actually can be a legitimate error also, where the server actually doesn't have enough memory to continue its operations. @Niranda, please share if there is any info on tuning Spark's memory requirements.
>>>>
>>>> Cheers,
>>>> Anjana.
>>>>
>>>> On Wed, Dec 16, 2015 at 3:32 PM, Sumedha Rubasinghe wrote:
>>>>
>>>>> We have DAS Lite included in IoT Server and several summarisation scripts deployed. The server is going OOM frequently with the following exception.
>>>>>
>>>>> Shouldn't this[1] method be synchronised?
>>>>>
>>>>> [1] https://github.com/wso2/carbon-analytics/blob/master/components/analytics-core/org.wso2.carbon.analytics.dataservice.core/src/main/java/org/wso2/carbon/analytics/dataservice/core/indexing/AnalyticsIndexedTableStore.java#L45
>>>>>
>>>>> [2015-12-16 15:11:00,004] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Light_Sensor_Script for tenant id: -1234
>>>>> [2015-12-16 15:11:00,005] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Magnetic_Sensor_Script for tenant id: -1234
>>>>> [2015-12-16 15:11:00,005] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Pressure_Sensor_Script for tenant id: -1234
>>>>> [2015-12-16 15:11:00,006] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Proximity_Sensor_Script for tenant id: -1234
>>>>> [2015-12-16 15:11:00,006] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Rotation_Sensor_Script for tenant id: -1234
>>>>> [2015-12-16 15:11:00,007] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Temperature_Sensor_Script for tenant id: -1234
>>>>> [2015-12-16 15:11:01,132] ERROR {org.wso2.carbon.ntask.core.impl.TaskQuartzJobAdapter} - Error in executing task: null
>>>>> java.util.ConcurrentModificationEx
Re: [Dev] DAS going OOM frequently
And, I missed mentioning that when this race condition / state corruption happens, all "get" operations performed on the Set/Map get blocked, resulting in an OOM situation. [1 <http://mailinator.blogspot.gr/2009/06/beautiful-race-condition.html>] has all that explained nicely. I have checked a heap dump in a similar situation and if you take one, you will clearly see many threads waiting to access this Set instance.

[1] http://mailinator.blogspot.gr/2009/06/beautiful-race-condition.html

On Wed, Dec 16, 2015 at 5:37 PM, Ayoma Wijethunga wrote:
> Hi Anjana,
>
> Sorry, I didn't notice that you had already replied to this thread.
>
> However, please consider my point on "getAllIndexedTables" as well.
>
> Thank you,
> Ayoma.
>
> On Wed, Dec 16, 2015 at 5:12 PM, Anjana Fernando wrote:
>
>> Hi Sumedha,
>>
>> Thank you for reporting the issue. I've fixed the concurrent modification exception issue, where actually both the methods "addIndexedTable" and "removeIndexedTable" needed to be synchronized, since they both work on the shared Set object there.
>>
>> As for the OOM issue, can you please share a heap dump from when the OOM happened, so we can see what is causing this. And also, I see there are multiple scripts running at the same time, so this actually can be a legitimate error also, where the server actually doesn't have enough memory to continue its operations. @Niranda, please share if there is any info on tuning Spark's memory requirements.
>>
>> Cheers,
>> Anjana.
>>
>> On Wed, Dec 16, 2015 at 3:32 PM, Sumedha Rubasinghe wrote:
>>
>>> We have DAS Lite included in IoT Server and several summarisation scripts deployed. The server is going OOM frequently with the following exception.
>>>
>>> Shouldn't this[1] method be synchronised?
>>>
>>> [1] https://github.com/wso2/carbon-analytics/blob/master/components/analytics-core/org.wso2.carbon.analytics.dataservice.core/src/main/java/org/wso2/carbon/analytics/dataservice/core/indexing/AnalyticsIndexedTableStore.java#L45
>>>
>>> [2015-12-16 15:11:00,004] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Light_Sensor_Script for tenant id: -1234
>>> [2015-12-16 15:11:00,005] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Magnetic_Sensor_Script for tenant id: -1234
>>> [2015-12-16 15:11:00,005] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Pressure_Sensor_Script for tenant id: -1234
>>> [2015-12-16 15:11:00,006] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Proximity_Sensor_Script for tenant id: -1234
>>> [2015-12-16 15:11:00,006] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Rotation_Sensor_Script for tenant id: -1234
>>> [2015-12-16 15:11:00,007] INFO {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the schedule task for: Temperature_Sensor_Script for tenant id: -1234
>>> [2015-12-16 15:11:01,132] ERROR {org.wso2.carbon.ntask.core.impl.TaskQuartzJobAdapter} - Error in executing task: null
>>> java.util.ConcurrentModificationException
>>> at java.util.HashMap$HashIterator.nextEntry(HashMap.java:922)
>>> at java.util.HashMap$KeyIterator.next(HashMap.java:956)
>>> at java.util.AbstractCollection.toArray(AbstractCollection.java:195)
>>> at org.wso2.carbon.analytics.dataservice.core.indexing.AnalyticsIndexedTableStore.refreshIndexedTableArray(AnalyticsIndexedTableStore.java:46)
>>> at org.wso2.carbon.analytics.dataservice.core.indexing.AnalyticsIndexedTableStore.addIndexedTable(AnalyticsIndexedTableStore.java:37)
>>> at org.wso2.carbon.analytics.dataservice.core.AnalyticsDataServiceImpl.refreshIndexedTableStoreEntry(AnalyticsDataServiceImpl.java:512)
>>> at org.wso2.carbon.analytics.dataservice.core.AnalyticsDataServiceImpl.invalidateAnalyticsTableInfo(AnalyticsDataServiceImpl.java:525)
>>> at org.wso2.carbon.analytics.dataservice.core.AnalyticsDataServiceImpl.checkAndInvalidateTableInfo(AnalyticsDataServiceImpl.java:504)
>>> at org.wso2.carbon.analytics.dataservice.core.AnalyticsDataServiceImpl.setTableSchema(Analyti
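The race in this thread, reduced to a stand-alone Java illustration. This is an added sketch of the pattern the messages describe (a HashSet of table names plus a cached array rebuilt with toArray() on every add/remove), not the carbon-analytics source, and the class and method names are assumptions. The unsynchronized store reproduces the ConcurrentModificationException from the trace above when two writers modify the set at once; the fixed store serializes the writers and leaves the array-returning reader unlocked, which is the shape Anjana describes for getAllIndexedTables. A fail-fast iterator is the friendly outcome: on Java 7 and earlier a concurrent HashMap resize could also leave a cycle in a bucket chain, so later lookups spin forever, which is how a race on a plain HashMap can end in a pile of stuck threads rather than a clean exception.

```java
import java.util.ConcurrentModificationException;
import java.util.HashSet;
import java.util.Set;

/*
 * Added illustration, not the carbon-analytics source: a minimal indexed-table
 * store in the shape the thread describes. UnsafeStore shows the bug,
 * SafeStore the fix (synchronized writers, lock-free snapshot reader).
 */
public class IndexedTableStoreRace {

    static class UnsafeStore {
        private final Set<String> tables = new HashSet<>();
        private volatile String[] snapshot = new String[0];

        void add(String name)    { tables.add(name);    refresh(); }
        void remove(String name) { tables.remove(name); refresh(); }
        // toArray() iterates the set; an add/remove on another thread trips the
        // fail-fast iterator (or, on an unlucky resize, corrupts the table).
        private void refresh()   { snapshot = tables.toArray(new String[0]); }
        String[] all()           { return snapshot; }
    }

    static class SafeStore {
        private final Set<String> tables = new HashSet<>();
        private volatile String[] snapshot = new String[0];

        synchronized void add(String name)    { tables.add(name);    refresh(); }
        synchronized void remove(String name) { tables.remove(name); refresh(); }
        private void refresh()                { snapshot = tables.toArray(new String[0]); }
        // The reader needs no lock: it never touches the Set, only the published
        // array, and the volatile write in refresh() makes each new array visible.
        String[] all()                        { return snapshot; }
    }

    /** Runs one adder and one remover side by side; true if either died with a CME. */
    static boolean raceTriggersCme(Runnable addLoop, Runnable removeLoop) throws InterruptedException {
        final boolean[] failed = {false};
        Thread.UncaughtExceptionHandler handler = (t, e) -> {
            if (e instanceof ConcurrentModificationException) {
                failed[0] = true;
            }
        };
        Thread adder = new Thread(addLoop);
        Thread remover = new Thread(removeLoop);
        adder.setUncaughtExceptionHandler(handler);
        remover.setUncaughtExceptionHandler(handler);
        adder.start();
        remover.start();
        adder.join();   // join() also makes the handler's write to failed[] visible here
        remover.join();
        return failed[0];
    }

    public static void main(String[] args) throws InterruptedException {
        final int iterations = 200_000;

        UnsafeStore unsafe = new UnsafeStore();
        boolean unsafeFailed = raceTriggersCme(
                () -> { for (int i = 0; i < iterations; i++) unsafe.add("t" + (i % 50)); },
                () -> { for (int i = 0; i < iterations; i++) unsafe.remove("t" + (i % 50)); });
        // Timing-dependent, but with this many iterations the CME shows up almost every run.
        System.out.println("unsafe store hit ConcurrentModificationException: " + unsafeFailed);

        SafeStore safe = new SafeStore();
        boolean safeFailed = raceTriggersCme(
                () -> { for (int i = 0; i < iterations; i++) safe.add("t" + (i % 50)); },
                () -> { for (int i = 0; i < iterations; i++) safe.remove("t" + (i % 50)); });
        System.out.println("safe store hit ConcurrentModificationException: " + safeFailed);
        System.out.println("safe store snapshot size: " + safe.all().length);
    }
}
```

Compile and run with javac and java; the unsafe run reports true almost every time, the safe run reports false and ends with a snapshot of at most 50 names. The fix is deliberately narrow: only the two mutators take the monitor, because they are the only code that iterates or modifies the set, and the hot read path keeps returning the last published array without contention.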
Re: [Dev] DAS going OOM frequently
ala:147) >> at org.apache.spark.sql.execution.SparkPlan.execute(SparkPlan.scala:87) >> at >> org.apache.spark.sql.SQLContext$QueryExecution.toRdd$lzycompute(SQLContext.scala:950) >> at >> org.apache.spark.sql.SQLContext$QueryExecution.toRdd(SQLContext.scala:950) >> at org.apache.spark.sql.DataFrame.(DataFrame.scala:144) >> at org.apache.spark.sql.DataFrame.(DataFrame.scala:128) >> at org.apache.spark.sql.DataFrame$.apply(DataFrame.scala:51) >> at org.apache.spark.sql.SQLContext.sql(SQLContext.scala:755) >> at >> org.wso2.carbon.analytics.spark.core.internal.SparkAnalyticsExecutor.executeQueryLocal(SparkAnalyticsExecutor.java:710) >> at >> org.wso2.carbon.analytics.spark.core.internal.SparkAnalyticsExecutor.executeQuery(SparkAnalyticsExecutor.java:692) >> at >> org.wso2.carbon.analytics.spark.core.CarbonAnalyticsProcessorService.executeQuery(CarbonAnalyticsProcessorService.java:199) >> at >> org.wso2.carbon.analytics.spark.core.CarbonAnalyticsProcessorService.executeScript(CarbonAnalyticsProcessorService.java:149) >> at >> org.wso2.carbon.analytics.spark.core.AnalyticsTask.execute(AnalyticsTask.java:57) >> at >> org.wso2.carbon.ntask.core.impl.TaskQuartzJobAdapter.execute(TaskQuartzJobAdapter.java:67) >> at org.quartz.core.JobRunShell.run(JobRunShell.java:213) >> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) >> at java.util.concurrent.FutureTask.run(FutureTask.java:262) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >> at java.lang.Thread.run(Thread.java:745) >> [2015-12-16 15:12:00,001] INFO >> {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the >> schedule task for: Accelerometer_Sensor_Script for tenant id: -1234 >> >> -- >> /sumedha >> m: +94 773017743 >> b : bit.ly/sumedha >> > > > > -- > *Anjana Fernando* > Senior Technical Lead > WSO2 Inc. | http://wso2.com > lean . enterprise . 
middleware > > ___ > Dev mailing list > Dev@wso2.org > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- Ayoma Wijethunga Software Engineer WSO2, Inc.; http://wso2.com lean.enterprise.middleware Mobile : +94 (0) 719428123 <+94+(0)+719428123> Blog : http://www.ayomaonline.com LinkedIn: https://www.linkedin.com/in/ayoma ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] DAS going OOM frequently
Plan$$anonfun$execute$1.apply(SparkPlan.scala:88) > at > org.apache.spark.sql.execution.SparkPlan$$anonfun$execute$1.apply(SparkPlan.scala:88) > at > org.apache.spark.rdd.RDDOperationScope$.withScope(RDDOperationScope.scala:147) > at org.apache.spark.sql.execution.SparkPlan.execute(SparkPlan.scala:87) > at > org.apache.spark.sql.SQLContext$QueryExecution.toRdd$lzycompute(SQLContext.scala:950) > at > org.apache.spark.sql.SQLContext$QueryExecution.toRdd(SQLContext.scala:950) > at org.apache.spark.sql.DataFrame.(DataFrame.scala:144) > at org.apache.spark.sql.DataFrame.(DataFrame.scala:128) > at org.apache.spark.sql.DataFrame$.apply(DataFrame.scala:51) > at org.apache.spark.sql.SQLContext.sql(SQLContext.scala:755) > at > org.wso2.carbon.analytics.spark.core.internal.SparkAnalyticsExecutor.executeQueryLocal(SparkAnalyticsExecutor.java:710) > at > org.wso2.carbon.analytics.spark.core.internal.SparkAnalyticsExecutor.executeQuery(SparkAnalyticsExecutor.java:692) > at > org.wso2.carbon.analytics.spark.core.CarbonAnalyticsProcessorService.executeQuery(CarbonAnalyticsProcessorService.java:199) > at > org.wso2.carbon.analytics.spark.core.CarbonAnalyticsProcessorService.executeScript(CarbonAnalyticsProcessorService.java:149) > at > org.wso2.carbon.analytics.spark.core.AnalyticsTask.execute(AnalyticsTask.java:57) > at > org.wso2.carbon.ntask.core.impl.TaskQuartzJobAdapter.execute(TaskQuartzJobAdapter.java:67) > at org.quartz.core.JobRunShell.run(JobRunShell.java:213) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:745) > [2015-12-16 15:12:00,001] INFO > {org.wso2.carbon.analytics.spark.core.AnalyticsTask} - Executing the > schedule task for: Accelerometer_Sensor_Script for tenant 
id: -1234 > > -- > /sumedha > m: +94 773017743 > b : bit.ly/sumedha > > ___ > Dev mailing list > Dev@wso2.org > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- Ayoma Wijethunga Software Engineer WSO2, Inc.; http://wso2.com lean.enterprise.middleware Mobile : +94 (0) 719428123 <+94+(0)+719428123> Blog : http://www.ayomaonline.com LinkedIn: https://www.linkedin.com/in/ayoma ___ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] ESB proxy service for mix of TwoChannel and InOnly operations
Hi Jagath,

It was only a test service and I have attached the class with this. Full source is available at [1] as well. The problem occurs with the "void confirmOrder(-)" method because it is an InOnly operation. Unless the "OUT_ONLY" property is applied on the endpoint, ESB tries to get the return value of the above operation invocation, resulting in the exception. Hence, I wanted to check with the team what is the best approach to follow while defining a proxy for a WSDL that has a mix of both InOnly and TwoChannel operations.

[1] https://svn.wso2.com/wso2/interns/2013/ayoma/Axis2

Thanks and best regards,
Ayoma.

On Fri, Dec 11, 2015 at 2:18 PM, Jagath Sisirakumara Ariyarathne <jaga...@wso2.com> wrote:
> Hi Ayoma,
>
> Could you please share your OrderProcessor service class.
>
> Thanks.
>
> On Thu, Dec 10, 2015 at 5:10 PM, Ayoma Wijethunga wrote:
>
>> Hi All,
>>
>> This is relevant to WSO2 ESB 4.9.0.
>>
>> In the WSDL attached [1], there are five TwoChannelAxisOperation(s) and one InOnlyAxisOperation. In such a situation, if we create a single proxy service in ESB with configuration [2 <https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStV3NhTG4wMWhvRFE/view?usp=drive_web>], the InOnlyAxisOperation will fail with the below exception:
>>
>>> ERROR - NativeWorkerPool Uncaught exception
>>> java.lang.UnsupportedOperationException: An access occurred that is not valid.
>>> at org.apache.axis2.description.InOnlyAxisOperation.getMessage(InOnlyAxisOperation.java:117)
>>> .
>>
>> It was observed that it is possible to use "OUT_ONLY" and "FORCE_SC_ACCEPTED" to correct this [3 <https://docs.wso2.com/display/ESB481/Sample+12%3A+One-Way+Messaging+in+a+Fire-and-Forget+Mode+through+ESB>] [4 <https://docs.wso2.com/display/ESB481/HTTP+Transport+Properties#HTTPTransportProperties-FORCE_SC_ACCEPTED>]. But the relevant transport property applies to the endpoint, resulting in the TwoChannelAxisOperation failing if applied.
>>
>> When creating a proxy service for a web service, what is the best practice to follow in order to avoid this type of problem? Do we create
>>
>> - separate proxy services for each set of operations
>> - use a "switch" or "filter" mediator in the "in sequence" and "send" to an OUT_ONLY endpoint depending on the operation
>>
>> or what is the best path to follow?
>>
>> [1] https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStMDczTkRmMkhxcDg/view?usp=drive_web <https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStR0x4TUR6LWJkYnM/view?usp=drive_web>
>> [2] https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStV3NhTG4wMWhvRFE/view?usp=drive_web
>> [3] https://docs.wso2.com/display/ESB481/Sample+12%3A+One-Way+Messaging+in+a+Fire-and-Forget+Mode+through+ESB
>> [4] https://docs.wso2.com/display/ESB481/HTTP+Transport+Properties#HTTPTransportProperties-FORCE_SC_ACCEPTED
>>
>> Thanks and best regards,
>> Ayoma Wijethunga
>> Software Engineer
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 (0) 719428123
>> Blog : http://www.ayomaonline.com
>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>> ___
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Jagath Ariyarathne
> Technical Lead
> WSO2 Inc. http://wso2.com/
> Email: jaga...@wso2.com
> Mob : +94 77 386 7048

--
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

/*
 * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.wso2.fasttrack.axis2.orderprocessor.processor;

import java.math.BigDecimal;
import com.wso2.fasttrack.a
[Dev] [ESB] Sample 371 - ThrottleAssertion not correctly rendered in design view
Hi All,

Synapse Sample 371 [1 <https://github.com/wso2/product-esb/blob/master/modules/samples/product/src/main/conf/synapse/synapse_sample_371.xml>] uses "ThrottleAssertion" to define the throttle policy, and it is not correctly rendered in the WSO2 ESB design view [2 <https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStdjM0NWlwc2lfY1E/view?usp=drive_web>]. When a policy is directly created using the WSO2 ESB design view, "MediatorThrottleAssertion" is used instead of "ThrottleAssertion".

Have we deprecated the use of "ThrottleAssertion" in favour of "MediatorThrottleAssertion"? If so, I have created a pull request with corrections [3 <https://github.com/wso2/product-esb/pull/412>]. It would be great if the ESB team could review the pull request.

[1] https://github.com/wso2/product-esb/blob/master/modules/samples/product/src/main/conf/synapse/synapse_sample_371.xml
[2] https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStdjM0NWlwc2lfY1E/view?usp=drive_web
[3] https://github.com/wso2/product-esb/pull/412

--
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
[Dev] ESB proxy service for mix of TwoChannel and InOnly operations
Hi All,

This is relevant to WSO2 ESB 4.9.0.

In the WSDL attached [1 <https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStMDczTkRmMkhxcDg/view?usp=drive_web>], there are five TwoChannelAxisOperation(s) and one InOnlyAxisOperation. In such a situation, if we create a single proxy service in ESB with configuration [2 <https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStV3NhTG4wMWhvRFE/view?usp=drive_web>], the InOnlyAxisOperation will fail with the below exception:

> ERROR - NativeWorkerPool Uncaught exception
> java.lang.UnsupportedOperationException: An access occurred that is not valid.
> at org.apache.axis2.description.InOnlyAxisOperation.getMessage(InOnlyAxisOperation.java:117)
> .

It was observed that it is possible to use "OUT_ONLY" and "FORCE_SC_ACCEPTED" to correct this [3 <https://docs.wso2.com/display/ESB481/Sample+12%3A+One-Way+Messaging+in+a+Fire-and-Forget+Mode+through+ESB>] [4 <https://docs.wso2.com/display/ESB481/HTTP+Transport+Properties#HTTPTransportProperties-FORCE_SC_ACCEPTED>]. But the relevant transport property applies to the endpoint, resulting in the TwoChannelAxisOperation failing if applied.

When creating a proxy service for a web service, what is the best practice to follow in order to avoid this type of problem? Do we create

- separate proxy services for each set of operations
- use a "switch" or "filter" mediator in the "in sequence" and "send" to an OUT_ONLY endpoint depending on the operation

or what is the best path to follow?

[1] https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStMDczTkRmMkhxcDg/view?usp=drive_web <https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStR0x4TUR6LWJkYnM/view?usp=drive_web>
[2] https://drive.google.com/a/wso2.com/file/d/0B-0UyBaVrBStV3NhTG4wMWhvRFE/view?usp=drive_web
[3] https://docs.wso2.com/display/ESB481/Sample+12%3A+One-Way+Messaging+in+a+Fire-and-Forget+Mode+through+ESB
[4] https://docs.wso2.com/display/ESB481/HTTP+Transport+Properties#HTTPTransportProperties-FORCE_SC_ACCEPTED

Thanks and best regards,
Ayoma Wijethunga
Software Engineer
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev