Wednesday, November 18, 2009

Apache Synapse's HTTP Sender

The factory-default HTTPS sender of Apache Synapse is “org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender”. The "HostnameVerifier" parameter of this transport sender controls how Apache Synapse performs the SSL handshake: it indicates how the URL's hostname is matched against the hostname in the server's SSL certificate during the handshake. HostnameVerifier can take one of the following 3 values.

  • DefaultAndLocalHost
  • Strict
  • AllowAll


If the "HostnameVerifier" value is set to "DefaultAndLocalHost", then the SSL handshake will be successful only if one of the following is satisfied.

  • The hostname must match either the first CN, or any of the subject-alts of the server certificate (same way as Curl and Firefox). A wildcard can occur in the CN, and in any of the subject-alts. The only difference between DEFAULT and STRICT is that a wildcard (such as "*") with DEFAULT matches all subdomains, including "".
  • A host of "localhost", "localhost.localdomain", "", "::1" will always pass, no matter what is in the server's certificate.


If the "HostnameVerifier" value is set to "Strict", then the SSL handshake will be successful when the following criterion is met.

The hostname must match either the first CN, or any of the subject-alts of the server certificate. A wildcard can occur in the CN, and in any of the subject-alts. This will only check the first CN of the certificate similar to Sun Java 1.4. A wildcard such as "*" matches only subdomains in the same level, for example "". It does not match deeper subdomains such as "".

This works the same way as in Sun Java 1.4, Sun Java 5, Sun Java 6. This implementation appears to be compliant with RFC 2818 for dealing with wildcards.

This functionality is also very close to IE6. The one divergence from IE6 is that it only checks the first CN. IE6 allows a match against any of the CNs present.


Setting "HostnameVerifier" to "AllowAll" turns hostname verification off. This implementation is a no-op, and never throws the SSLException.
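
The difference between the three values is easiest to see side by side. The following is an added example, not Synapse's own code: a simplified Python model of the matching rules described above, with hypothetical function names and constructed hostnames and certificate names.

```python
# Simplified model of the three HostnameVerifier modes as the post describes
# them. Function names are hypothetical; hosts and certificate names below
# are constructed samples.

# Names the post says always pass under DefaultAndLocalHost (the post's list
# has one more entry that is blank in the source, so it is not modelled).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "::1"}
MODES = ("DefaultAndLocalHost", "Strict", "AllowAll")


def name_matches(cert_name, host, strict):
    """Match one certificate name (first CN or a subject-alt) against host."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                 # "*.example.test" -> ".example.test"
    if not host.endswith(suffix):
        return False
    labels = host[: -len(suffix)]          # what the "*" would have to cover
    if not labels:
        return False
    # Strict: the wildcard covers exactly one label. Default: any depth.
    return "." not in labels if strict else True


def verify(mode, host, first_cn, subject_alts=()):
    """Return True where the hostname check of the handshake would pass."""
    if mode not in MODES:
        raise ValueError("unknown HostnameVerifier value: %r" % mode)
    if mode == "AllowAll":
        return True                        # no-op: names are never compared
    if mode == "DefaultAndLocalHost" and host.lower() in LOCAL_NAMES:
        return True                        # passes whatever the certificate says
    names = [first_cn, *subject_alts]
    return any(name_matches(n, host, mode == "Strict") for n in names if n)


def compare_modes(host, first_cn, subject_alts=()):
    """Outcome of each mode for one host/certificate pair."""
    return {m: verify(m, host, first_cn, subject_alts) for m in MODES}


if __name__ == "__main__":
    for host, cn in [("api.example.test", "*.example.test"),
                     ("a.b.example.test", "*.example.test"),
                     ("localhost", "other.example.test"),
                     ("unrelated.invalid", "other.example.test")]:
        print(host, cn, compare_modes(host, cn))
```

The last two cases show where the modes diverge on a certificate that does not name the host: only "Strict" rejects both.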

Sunday, September 20, 2009

Installing ApacheDS on Ubuntu

  • Ubuntu - Jaunty Jackalope
  • 64 bit Architecture
Right now the "Basic User Guide" on the ApacheDS site is not up to date. So here is how to install ApacheDS on Ubuntu.
  1. Download the "Linux Binary Installer - Linux x86_64" of ApacheDS from
  2. Change the permissions of the file as follows.
     chmod u+x apacheds-1.5.5-x86_64.bin
  3. Change to root and run the installer as follows. I picked the default proposed installation directories.
  4. Now the task is to locate the "start-up script". If you picked the defaults while installing, it can be found in the /etc/init.d directory. Search for a file whose name contains *apacheds*. In my case the start-up script was renamed to "apacheds-1.5.5-default". Now run the following command as root.

    /etc/init.d/apacheds-1.5.5-default start

Initially when I tried to install, I faced the following problem since the start-up script was renamed to "apacheds-1.5.5-default". This trivial information was lacking in the "Apache DS Basic User Guide".
/etc/init.d/apacheds: No such file or directory

Tuesday, September 15, 2009

WSO2 ESB : AnonymousEndpoint has been marked for SUSPENSION, but no further retries remain

Are you running WSO2ESB and seeing the error "AnonymousEndpoint has been marked for SUSPENSION, but no further retries remain" printed on the console? This error occurs when trying to send the message again. If this error prints in the console repeatedly, then WSO2ESB is trying to send messages repeatedly. So inspect the "<syn:send/>" elements in the synapse config; they may not be required.

Here is a scenario I ran into.

I am using WSO2ESB-2.1.1 (or later) and trying to re-use an old synapse configuration. I am trying to use a proxy service.

In the synapse configuration, I have a target endpoint specified in the proxy service, so <syn:send> is not required according to the new rules. So when I removed <syn:send/> from the synapse config's inSequence it worked beautifully. BTW, you have to restart the server.

Tuesday, September 8, 2009

Neethi Builders - XmlPrimtiveAssertion

When you build Neethi Assertions, do you find instances of "" instead of proper Assertions? The issue is that your runtime has not picked up the "" file inside the META-INF/services directory. This problem mostly occurs in old versions of Eclipse or in an OSGi environment. So check whether you have added the META-INF directory that contains the "" file to your classpath.

If you want to know the technical details, then please refer how Apache Neethi implemented the at .

Wednesday, June 10, 2009

Thursday, May 28, 2009

Key Signing Party

What a geekish party to have!!! That is one of the coolest geeky things I've heard. But I lost my PGP key some time back when I formatted the hard disk. I forgot to back up.

Read all about the party here.

Friday, May 1, 2009

Decoupling the UI from Backend

The "minimal change propagation" can be used as a verification test for loose coupling. I've been struggling to handle changes in a core component when it suddenly occurred to me that, "dhhaa tightly coupled". The changes propagated to the UI. The problem is that I have used the information experts to send data to the UI.

So I added a new rule to my experience. Use another set of classes called "Data Transfer Object" to transfer data to the UI. Problem solved!

Wednesday, April 29, 2009

Tabs vs Spaces - Code Formatting

Do you format code with tabs or spaces? It is not a question of what is pretty. There is more to the story. I would like to quote from [1]:

"On defaultly-configured Unix systems, and on ancient dumb terminals and teletypes, the tradition has been for the TAB character to mean move to the right until the current column is a multiple of 8. This is also the default in the two most popular Unix editors, Emacs and vi.

In many Windows and Mac editors, the default interpretation is the same, except that multiples of 4 are used instead of multiples of 8."

Code formatted on Windows using tabs looks hideous on Unix, while if you use spaces it will be uniform on all operating systems.


Monday, April 20, 2009

Ubuntu - Firefox back/forward buttons not working

If you are on Ubuntu and the back/forward buttons of Firefox suddenly stopped working, here is what to do.

Go to .mozilla/firefox folder and delete the following file.


Axis2 REST - IllegalArgumentException

If you are trying to invoke a web service deployed in Axis2 using REST and get the "IllegalArgumentException", the most probable cause is that the parameter names given in the URL do not match the argument names of the method. To verify this, view the WSDL of the service and use the parameter names given in the WSDL.

Monday, February 23, 2009

WSO2 Platform

A SOA platform should provide,
  • service creation, managing and hosting
  • resource discovery and managing
  • systems integration, messaging routing and transformations
  • service orchestration
  • governance
WSO2 Carbon is an open-source platform that aims to meet all of the above requirements in a modular way. You can create, manage and host services using WSAS, manage resources and governance using Registry, handle system integration, messaging, routing and transformations using ESB, and orchestrate services using BPS.

Sunday, February 1, 2009

Making Good SOA Great

I've been shedding a lot of sweat over this matter during the last year. Finally Carbon is out and we want the world to know it.

Making Good SOA Great

Friday, January 30, 2009

SOA Contract-first Design

I was once asked, "Why should we care about contract-first design? It takes time. Look how quick I can do code-first approach". Let me attempt to answer that. A carefully designed contract lasts years with minimal changes, saving time, effort and money.
  • If you do not design the contracts between services first, there will be complex integration problems between your services.
  • Existing code was not designed to be exposed as services. Therefore operations will be either too fine-grained or too coarse-grained. If the service interface has operations that are too fine-grained, there will be too many messages going back and forth. A contract design phase eliminates this. If the service has operations that are too coarse-grained, it may not yield the intermediate results, and they will be lost.
  • Good services have independent atomic operations.
If WSDL is what is keeping you away from contract-first design, well ... now there are free open-source tools that can write the WSDL for you. Carefully design the contract as a Java interface and use one of these tools to generate the WSDL file. WSDL2Java in Axis2 is one such tool.

Wednesday, January 21, 2009

Java Caching Implementations

I had to do some database improvements by caching user permissions. Java caching is covered by JSR 107. I started looking at Java open-source caching implementations. I found a couple of products.

These are the first impressions I got while evaluating different implementations.
  • Apache JCS - Still requires EDU.oswego.cs.dl.util.concurrent
  • Ehcache - I managed to get it running on the first poc

So I settled down for Ehcache and right now I am very happy with it.