WSO2 Venus

Sumedha Kodithuwakku: How to delete an element from an XML payload with the use of the Script Mediator in WSO2 ESB

In WSO2 ESB, we can use the Script Mediator to manipulate an XML payload. Here I have used JavaScript/E4X for accessing and manipulating the elements.

Example XML payload:

<breakfast_menu>
    <food>
        <name>Belgian Waffles</name>
    </food>
    <food>
        <name>Strawberry Belgian Waffles</name>
    </food>
    <food>
        <name>Berry-Berry Belgian Waffles</name>
    </food>
</breakfast_menu>

Let's assume we want to remove the last food element (Berry-Berry Belgian Waffles). In this scenario, breakfast_menu is the root element and the set of child elements will be food.

The length of the child elements (food) can be obtained as follows:

var payload = mc.getPayloadXML();
var length = payload.food.length();

Then delete the last element as follows; the index of the last element would be length-1:

delete payload.food[length-1];

The complete Script Mediator configuration would be as follows:

<script language="js">
    var payload = mc.getPayloadXML();
    var length = payload.food.length();
    delete payload.food[length-1];
    mc.setPayloadXML(payload);
</script>

The output of the Script Mediator would be as follows:

<breakfast_menu>
    <food>
        <name>Belgian Waffles</name>
    </food>
    <food>
        <name>Strawberry Belgian Waffles</name>
    </food>
</breakfast_menu>

Likewise, we can delete the required elements from the payload.
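The same removal can be sketched outside the ESB with plain JDK DOM; this is an illustrative stand-alone example (the mediator itself uses E4X as shown above, and the class name here is hypothetical):

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class RemoveLastFood {
    // Parse the payload, delete the last <food> element, and return the remaining count
    public static int removeLast(String xml) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList foods = doc.getElementsByTagName("food");
        // The index of the last element is length - 1, as in the E4X script
        Node last = foods.item(foods.getLength() - 1);
        last.getParentNode().removeChild(last);
        return doc.getElementsByTagName("food").getLength();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<breakfast_menu>"
                + "<food><name>Belgian Waffles</name></food>"
                + "<food><name>Strawberry Belgian Waffles</name></food>"
                + "<food><name>Berry-Berry Belgian Waffles</name></food>"
                + "</breakfast_menu>";
        System.out.println(removeLast(xml)); // prints 2
    }
}
```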

sanjeewa malalgoda: How to use the SAML2 grant type to generate access tokens in web applications (generate access tokens programmatically using the SAML2 grant type) - WSO2 API Manager

Exchanging SAML2 bearer tokens with OAuth2 (SAML extension grant type)

SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end user between a SAML authority and a SAML consumer.
A SAML authority is an identity provider (IDP) and a SAML consumer is a service provider (SP).
A lot of enterprise applications use SAML2 to engage a third-party identity provider to grant access to systems that are only authenticated against the enterprise application.
These enterprise applications might need to consume OAuth-protected resources through APIs, after validating them against an OAuth2.0 authorization server.
However, an enterprise application that already has a working SAML2.0-based SSO infrastructure between itself and the IDP prefers to use the existing trust relationship, even if the OAuth authorization server is entirely different from the IDP. The SAML2 Bearer Assertion Profile for OAuth2.0 helps leverage this existing trust relationship by presenting the SAML2.0 token to the authorization server and exchanging it for an OAuth2.0 access token.

You can use the SAML2 grant type in web applications to generate tokens.

Sample curl command:
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://serverurl/token
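The assertion parameter is left blank in the sample above; before sending the request, the SAML assertion XML has to be base64-encoded and then URL-encoded for the form body. A minimal sketch using only the JDK (this is not an API Manager utility; the class name is hypothetical):

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class AssertionEncoder {
    // Base64-encode the raw assertion XML, then URL-encode it for the form body
    public static String encode(String samlAssertionXml) throws Exception {
        String base64 = Base64.getEncoder()
                .encodeToString(samlAssertionXml.getBytes(StandardCharsets.UTF_8));
        return URLEncoder.encode(base64, StandardCharsets.UTF_8.name());
    }

    public static void main(String[] args) throws Exception {
        System.out.println(encode("<saml2:Assertion ID=\"example\">...</saml2:Assertion>"));
    }
}
```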

How to invoke the Token API from a web app and get a token programmatically.

To generate a user access token using a SAML assertion, you can add the following code block inside your web application.
When you log in to your app using SSO, you will get a SAML response. You can store that in the application session and use it to get a token whenever required.

Please refer to the following code for the access token issuer.

import org.apache.amber.oauth2.client.OAuthClient;
import org.apache.amber.oauth2.client.URLConnectionClient;
import org.apache.amber.oauth2.client.request.OAuthClientRequest;
import org.apache.amber.oauth2.common.token.OAuthToken;
import org.apache.catalina.Session;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// GrantType here is an application-defined enum with values such as
// SAML20_BEARER_ASSERTION, CLIENT_CREDENTIALS, REFRESH_TOKEN and PASSWORD.
public class AccessTokenIssuer {
    private static Log log = LogFactory.getLog(AccessTokenIssuer.class);
    private Session session;
    private static OAuthClient oAuthClient;

    public static void init() {
        if (oAuthClient == null) {
            oAuthClient = new OAuthClient(new URLConnectionClient());
        }
    }

    public AccessTokenIssuer(Session session) {
        this.session = session;
    }

    public String getAccessToken(String consumerKey, String consumerSecret, GrantType grantType)
            throws Exception {
        OAuthToken oAuthToken = null;

        if (session == null) {
            throw new Exception("Session object is null");
        }

        // You need to implement logic for this operation according to your system design
        String oAuthTokenEndPoint = "token end point url";

        if (oAuthTokenEndPoint == null) {
            throw new Exception("OAuthTokenEndPoint is not set properly in digital_airline.xml");
        }

        String assertion = "";
        if (grantType == GrantType.SAML20_BEARER_ASSERTION) {
            // You need to implement logic for this operation according to your system design
            String samlResponse = "get SAML response from session";
            // You need to implement logic for this operation according to your system design
            assertion = "get assertion from SAML response";
        }

        // Builder chain reconstructed; verify it against the Amber version on your classpath
        OAuthClientRequest accessRequest = OAuthClientRequest.tokenLocation(oAuthTokenEndPoint)
                .setGrantType(getAmberGrantType(grantType))
                .setClientId(consumerKey)
                .setClientSecret(consumerSecret)
                .setAssertion(assertion)
                .buildBodyMessage();
        oAuthToken = oAuthClient.accessToken(accessRequest).getOAuthToken();

        session.getSession().setAttribute("OAUTH_TOKEN", oAuthToken);
        session.getSession().setAttribute("LAST_ACCESSED_TIME", System.currentTimeMillis());

        return oAuthToken.getAccessToken();
    }

    private static org.apache.amber.oauth2.common.message.types.GrantType getAmberGrantType(
            GrantType grantType) {
        if (grantType == GrantType.SAML20_BEARER_ASSERTION) {
            return org.apache.amber.oauth2.common.message.types.GrantType.SAML20_BEARER_ASSERTION;
        } else if (grantType == GrantType.CLIENT_CREDENTIALS) {
            return org.apache.amber.oauth2.common.message.types.GrantType.CLIENT_CREDENTIALS;
        } else if (grantType == GrantType.REFRESH_TOKEN) {
            return org.apache.amber.oauth2.common.message.types.GrantType.REFRESH_TOKEN;
        } else {
            return org.apache.amber.oauth2.common.message.types.GrantType.PASSWORD;
        }
    }
}
After you log in to the system, get the session object and initialize the access token issuer as follows.

AccessTokenIssuer accessTokenIssuer = new AccessTokenIssuer(session);

Then keep a reference to that object for the duration of the session.
When you need an access token, request it as follows; you need to pass the consumer key and consumer secret.

tokenResponse = accessTokenIssuer.getAccessToken(key, secret, GrantType.SAML20_BEARER_ASSERTION);

Then you will get an access token and you can use it as required.

sanjeewa malalgoda: How to change endpoint configurations and timeouts of a large number of already created APIs - WSO2 API Manager

How to add additional properties for already created APIs. Sometimes in deployments we may need to change endpoint configurations and some other parameters after the APIs are created.
For this we can go to the management console or API Publisher and change them. But if you have a large number of APIs, that may be extremely hard. In this post let's see how we can do it for a batch of APIs.

Please note that you should test this end to end before you push this change to a production deployment. Also note that some properties are stored in the registry, the database, and the synapse configuration, so we need to change all three places. In this example we will consider endpoint configurations only (which are available in the registry and the synapse configuration).

Changing the velocity template will work for new APIs. But when it comes to already published APIs, you have to follow the process below if you are not modifying them manually.

Write a simple application to change the synapse configuration and add the new properties (as an example we can consider the timeout value).
 Use a checkin/checkout client to edit the registry files with the new timeout value.
   You can follow the steps below to use the checkin/checkout client:
 Download the Governance Registry binary and extract the zip file.
 Copy the content of the Governance Registry into the APIM home.
 Go into the bin directory of the Governance Registry directory.
 Run the following command to check out the registry files to your local repository.
          ./ co https://localhost:9443/registry/path -u admin -p admin  (Linux)
          checkin-client.bat co https://localhost:9443/registry/path -u admin -p admin (Windows)
Here the path is where your registry files are located. Normally API metadata will be listed under each provider in '_system/governance/apimgt/applicationdata/provider'.

Once you run this command, the registry files will be downloaded to your Governance Registry bin directory. You can find directories named after the users who created the APIs.
Inside those directories there are files with the same name, 'api', in the location '_system/governance/apimgt/applicationdata/provider/{directory with name of the user}/{directory with name of the api}/{directory with version of the api}', and you can edit the timeout value using a batch operation (a shell script or any other way).
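The batch edit above can also be sketched as a small Java program that walks the checked-out tree and rewrites every 'api' file. Note the <duration> element name below is a hypothetical placeholder for illustration; match whatever timeout property your 'api' files actually contain:

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class TimeoutUpdater {
    // Walk the checked-out registry tree and rewrite the timeout in every file named 'api';
    // returns the number of files changed
    public static int updateAll(Path root, String newTimeoutMillis) throws IOException {
        int[] count = {0};
        try ( paths = Files.walk(root)) {
            paths.filter(p -> Files.isRegularFile(p) && p.getFileName().toString().equals("api"))
                 .forEach(p -> {
                     try {
                         String content = new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
                         // <duration> is a hypothetical element name used for illustration
                         String updated = content.replaceAll("<duration>\\d+</duration>",
                                 "<duration>" + newTimeoutMillis + "</duration>");
                         if (!updated.equals(content)) {
                             Files.write(p, updated.getBytes(StandardCharsets.UTF_8));
                             count[0]++;
                         }
                     } catch (IOException e) {
                         throw new UncheckedIOException(e);
                     }
                 });
        }
        return count[0];
    }

    public static void main(String[] args) throws IOException {
        System.out.println(updateAll(Paths.get(args[0]), "60000") + " files updated");
    }
}
```

Run it against the Governance Registry bin directory after checkout, then check the files back in as described below.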

Then you have to check in what you have changed by using the following command.
     ./ ci https://localhost:9443/registry/path -u admin -p admin  (Linux)
     checkin-client.bat ci https://localhost:9443/registry/path -u admin -p admin (Windows)

Open the APIM console and click on Browse under Resources. Provide the location as '/_system/governance/apimgt/applicationdata/provider'. Inside the {user name} directory
there are directories with your API names. Open the 'api' files inside those directories and make sure the value has been updated.

It's recommended to change both the registry and the synapse configuration. This change is not applicable to all properties available in API Manager;
this solution is specifically designed for endpoint configurations such as timeouts.

sanjeewa malalgoda: How to add a secondary user store domain name to the SAML response from the Shibboleth side - WSO2 Identity Server SSO with a secondary user store

When we configure Shibboleth as the identity provider for WSO2 Identity Server as described in this article, the deployment would be something like below.

In this case Shibboleth will act as the identity provider for WSO2 IS and will provide the SAML assertion to WSO2 IS. But the actual permission check will happen on the IS side, and we may need the complete user name for that. If the user store is configured as a secondary user store, then the user store domain should be part of the name. But Shibboleth does not know about the secondary user store, so on the IS side you will see userName instead of DomainName/UserName. That is an issue if we try to validate permissions per user.

To overcome this we can configure Shibboleth to send a domain-aware user name from their end. Let's say the domain name is LDAP-Domain; then we can set it from the Shibboleth side with the following configuration, and it will send the user name as LDAP-Domain/userName.


    <!-- This is the NameID value we send to the WS02 Identity Server. -->
    <resolver:AttributeDefinition xsi:type="ad:Script" id="eduPersonPrincipalNameWSO2">
        <resolver:Dependency ref="eduPersonPrincipalName" />

        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />

        <ad:Script>
            <![CDATA[
                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
                eduPersonPrincipalNameWSO2 = new BasicAttribute("eduPersonPrincipalNameWSO2");
                eduPersonPrincipalNameWSO2.getValues().add("LDAP-Domain/" + eduPersonPrincipalName.getValues().get(0));
            ]]>
        </ad:Script>
    </resolver:AttributeDefinition>
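On the IS side, a domain-aware name such as LDAP-Domain/userName is simply a user store domain prefix plus the plain user name. A minimal, illustrative sketch of that split (this is not WSO2 IS's own implementation; the class name and the PRIMARY fallback are assumptions):

```java
public class DomainAwareName {
    // Split "LDAP-Domain/userName" into {storeDomain, userName};
    // names without a prefix are treated here as belonging to the primary user store
    public static String[] split(String nameId) {
        int idx = nameId.indexOf('/');
        if (idx < 0) {
            return new String[] {"PRIMARY", nameId};
        }
        return new String[] {nameId.substring(0, idx), nameId.substring(idx + 1)};
    }

    public static void main(String[] args) {
        String[] parts = split("LDAP-Domain/jdoe");
        System.out.println(parts[0] + " :: " + parts[1]); // prints LDAP-Domain :: jdoe
    }
}
```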


sanjeewa malalgoda: How to write a custom throttle handler to throttle requests based on IP address - WSO2 API Manager

Please find below the sample source code for a custom throttle handler that throttles requests based on IP address. You can change the logic here based on your requirements.

package org.wso2.carbon.apimgt.gateway.handlers.throttling;

import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpStatus;
import org.apache.neethi.PolicyEngine;
import org.apache.synapse.Mediator;
import org.apache.synapse.MessageContext;
import org.apache.synapse.SynapseConstants;
import org.apache.synapse.SynapseException;
import org.apache.synapse.config.Entry;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.rest.AbstractHandler;
import org.wso2.carbon.apimgt.gateway.handlers.Utils;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.throttle.core.AccessInformation;
import org.wso2.carbon.throttle.core.RoleBasedAccessRateController;
import org.wso2.carbon.throttle.core.Throttle;
import org.wso2.carbon.throttle.core.ThrottleContext;
import org.wso2.carbon.throttle.core.ThrottleException;
import org.wso2.carbon.throttle.core.ThrottleFactory;

import java.util.Map;
import java.util.TreeMap;

public class IPBasedThrottleHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(IPBasedThrottleHandler.class);

    /** The Throttle object - holds all runtime and configuration data */
    private volatile Throttle throttle;

    private RoleBasedAccessRateController applicationRoleBasedAccessController;

    /** The key for getting the throttling policy - key refers to a/an [registry] entry */
    private String policyKey = null;
    /** The concurrent access control group id */
    private String id;
    /** Version number of the throttle policy */
    private long version;

    public IPBasedThrottleHandler() {
        this.applicationRoleBasedAccessController = new RoleBasedAccessRateController();
    }

    public boolean handleRequest(MessageContext messageContext) {
        return doThrottle(messageContext);
    }

    public boolean handleResponse(MessageContext messageContext) {
        return doThrottle(messageContext);
    }

    private boolean doThrottle(MessageContext messageContext) {
        boolean canAccess = true;
        boolean isResponse = messageContext.isResponse();
        org.apache.axis2.context.MessageContext axis2MC =
                ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        ConfigurationContext cc = axis2MC.getConfigurationContext();
        synchronized (this) {
            if (!isResponse) {
                initThrottle(messageContext, cc);
            }
        }
        // If the access is successful through the concurrency throttle and this is a
        // request message, then do access rate based throttling
        if (!isResponse && throttle != null) {
            AuthenticationContext authContext = APISecurityUtils.getAuthenticationContext(messageContext);
            String tier;
            if (authContext != null) {
                AccessInformation info = null;
                try {
                    String ipBasedKey = (String) ((TreeMap) axis2MC.
                            getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS)).get("X-Forwarded-For");
                    if (ipBasedKey == null) {
                        ipBasedKey = (String) axis2MC.getProperty("REMOTE_ADDR");
                    }
                    tier = authContext.getApplicationTier();
                    ThrottleContext apiThrottleContext =
                            getApplicationThrottleContext(messageContext, cc, tier);
                    //    if (isClusteringEnable) {
                    //      applicationThrottleContext.setConfigurationContext(cc);
                    //    }
                    info = applicationRoleBasedAccessController.canAccess(apiThrottleContext,
                                                                          ipBasedKey, tier);
                    canAccess = info.isAccessAllowed();
                } catch (ThrottleException e) {
                    handleException("Error while trying to evaluate IP based throttling policy", e);
                }
            }
        }
        if (!canAccess) {
            handleThrottleOut(messageContext);
            return false;
        }
        return canAccess;
    }

    // The original post omits this helper; a minimal version that looks up the
    // throttle context configured for the given tier
    private ThrottleContext getApplicationThrottleContext(MessageContext synCtx,
                                                          ConfigurationContext cc, String tier) {
        return throttle.getThrottleContext(tier);
    }

    private void initThrottle(MessageContext synCtx, ConfigurationContext cc) {
        if (policyKey == null) {
            throw new SynapseException("Throttle policy unspecified for the API");
        }
        Entry entry = synCtx.getConfiguration().getEntryDefinition(policyKey);
        if (entry == null) {
            handleException("Cannot find throttling policy using key: " + policyKey);
        }
        Object entryValue = null;
        boolean reCreate = false;
        if (entry.isDynamic()) {
            if ((!entry.isCached()) || (entry.isExpired()) || throttle == null) {
                entryValue = synCtx.getEntry(this.policyKey);
                if (this.version != entry.getVersion()) {
                    reCreate = true;
                }
            }
        } else if (this.throttle == null) {
            entryValue = synCtx.getEntry(this.policyKey);
        }
        if (reCreate || throttle == null) {
            if (entryValue == null || !(entryValue instanceof OMElement)) {
                handleException("Unable to load throttling policy using key: " + policyKey);
            }
            version = entry.getVersion();
            try {
                // Creates the throttle from the policy
                throttle = ThrottleFactory.createMediatorThrottle(
                        PolicyEngine.getPolicy((OMElement) entryValue));
            } catch (ThrottleException e) {
                handleException("Error processing the throttling policy", e);
            }
        }
    }

    public void setId(String id) { = id;
    }

    public String getId() {
        return id;
    }

    public void setPolicyKey(String policyKey) {
        this.policyKey = policyKey;
    }

    public String gePolicyKey() {
        return policyKey;
    }

    private void handleException(String msg, Exception e) {
        log.error(msg, e);
        throw new SynapseException(msg, e);
    }

    private void handleException(String msg) {
        throw new SynapseException(msg);
    }

    private OMElement getFaultPayload() {
        OMFactory fac = OMAbstractFactory.getOMFactory();
        OMNamespace ns = fac.createOMNamespace(APIThrottleConstants.API_THROTTLE_NS,
                                               APIThrottleConstants.API_THROTTLE_NS_PREFIX);
        OMElement payload = fac.createOMElement("fault", ns);
        OMElement errorCode = fac.createOMElement("code", ns);
        errorCode.setText("900800");
        OMElement errorMessage = fac.createOMElement("message", ns);
        errorMessage.setText("Message Throttled Out");
        OMElement errorDetail = fac.createOMElement("description", ns);
        errorDetail.setText("You have exceeded your quota");

        payload.addChild(errorCode);
        payload.addChild(errorMessage);
        payload.addChild(errorDetail);
        return payload;
    }

    private void handleThrottleOut(MessageContext messageContext) {
        messageContext.setProperty(SynapseConstants.ERROR_CODE, 900800);
        messageContext.setProperty(SynapseConstants.ERROR_MESSAGE, "Message throttled out");

        Mediator sequence = messageContext.getSequence(APIThrottleConstants.API_THROTTLE_OUT_HANDLER);
        // Invoke the custom error handler specified by the user
        if (sequence != null && !sequence.mediate(messageContext)) {
            // If needed user should be able to prevent the rest of the fault handling
            // logic from getting executed
            return;
        }
        // By default we send a 503 response back
        if (messageContext.isDoingPOX() || messageContext.isDoingGET()) {
            Utils.setFaultPayload(messageContext, getFaultPayload());
        } else {
            Utils.setSOAPFault(messageContext, "Server", "Message Throttled Out",
                               "You have exceeded your quota");
        }
        org.apache.axis2.context.MessageContext axis2MC =
                ((Axis2MessageContext) messageContext).getAxis2MessageContext();

        if (Utils.isCORSEnabled()) {
            /* For CORS support adding required headers to the fault response */
            Map headers = (Map) axis2MC.getProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS);
            headers.put(APIConstants.CORSHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, Utils.getAllowedOrigin((String) headers.get("Origin")));
            headers.put(APIConstants.CORSHeaders.ACCESS_CONTROL_ALLOW_METHODS, Utils.getAllowedMethods());
            headers.put(APIConstants.CORSHeaders.ACCESS_CONTROL_ALLOW_HEADERS, Utils.getAllowedHeaders());
            axis2MC.setProperty(org.apache.axis2.context.MessageContext.TRANSPORT_HEADERS, headers);
        }
        Utils.sendFault(messageContext, HttpStatus.SC_SERVICE_UNAVAILABLE);
    }
}
As listed above, your custom handler class is "org.wso2.carbon.apimgt.gateway.handlers.throttling.IPBasedThrottleHandler"; the following will be the handler definition for your API.

<handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.IPBasedThrottleHandler">
    <property name="id" value="A"/>
    <property name="policyKey" value="gov:/apimgt/applicationdata/tiers.xml"/>
</handler>

Then try to invoke the API and see how the throttling works.
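The client-key selection inside doThrottle boils down to: prefer the X-Forwarded-For header and fall back to the transport's remote address. A stand-alone sketch (illustrative only; it additionally takes the first hop of a comma-separated X-Forwarded-For list, a refinement you may want when requests pass through multiple proxies):

```java
import java.util.Map;

public class ClientIpResolver {
    // Prefer the first hop in X-Forwarded-For; fall back to the transport's remote address
    public static String resolve(Map<String, String> transportHeaders, String remoteAddr) {
        String forwarded = transportHeaders.get("X-Forwarded-For");
        if (forwarded != null && !forwarded.trim().isEmpty()) {
            return forwarded.split(",")[0].trim();
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        Map<String, String> headers = new java.util.TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("X-Forwarded-For", ",");
        System.out.println(resolve(headers, "")); // prints
    }
}
```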

John Mathon: A case of disruption gone wrong? Uber


June 2015 – France Taxi Drivers revolt, judge arrests 2 uber officials for illegal operation

March 2015 – Netherlands – preliminary judgment that Uber must stop its UberPop service

 June 2015 – San Francisco – The California Labor Commission ruled an Uber driver should be considered a company employee, not an independent contractor

May 2015 – Mexico – Hundreds of taxi drivers protested

April 2015 –  Chicago – an Uber driver shot a 22-year-old man who had opened fire on a group of pedestrians in Chicago

 April 2015 – Brazil – Sao Paulo court backs taxi drivers, bans Uber

April 2015 –  San Francisco – an Uber driver accused of running down a bicyclist 

March 2015 –  U.N. women’s agency backed out of a partnership with Uber after a protest by trade unions and civil society groups.

January 2015 – China –  government bans drivers of private cars from offering their services through taxi-hailing apps.

January 2015 – India – New Delhi police say service is re-instated after death of woman. 

December 2014 – Spain – Uber’s temporary suspension


“Disruption” gone awry

This could be a terrific example of “Disruption” gone wrong or not.

The traditional disruption model is that a company produces a product at lower cost or with better features that eats away at the low end of the dominant players' market.   This model leads to little awareness of the disruption in play.  The bigger companies usually happily give away the low-margin business initially eaten by the new entrants.

In the case of Uber we have a different story.  Uber is displacing regular taxi drivers around the world.  Car workers in Detroit and other industries have experienced the pain of disruption, but there is rarely this kind of outcry, especially against the disrupter, who in many cases may be the next employer these workers have to work for.   I have met many former taxi cab drivers who are happily Uber drivers now.

So, what is the reason for the more vociferous response to Uber's entrance?  There could be many reasons.

Let’s review the Uber model and approach as I understand it.   I don’t claim any special knowledge of Uber's business practices other than what I’ve learned in talking to drivers and seeing the news stories everybody else has.

Uber is quite forceful

Uber has moved into 200+ cities and 50 countries, setting up shop and “using” locals, within a few short years.  The rapidity with which Uber has been transforming this staid and seemingly heretofore permanently unchangeable business has definitely been a shock to many people.

Uber has been quite heavy handed in its approach to penetrating foreign and US markets.   They have been aggressive in their hiring tactics and competitive strategies.  Whether these are legitimate or not, they have raised considerable controversy for being unique.  Lyft, a comparable service, doesn’t garner quite the same antagonism, so this could be related to Uber’s tactics and public relations.

They suffered a public humiliation recently when a VP held an “off the record” meeting in which he explained how Uber was tracking people who were critical of it and was considering revealing personal details of the riders who criticized Uber as retribution.  The VP named a specific individual whose travel records he had looked into and whom he could harm by revealing her personal information.   He suggested a multi-million dollar program like this could help Uber clean up its reputation with the media and the public.  I’m not joking.    You can look through my tweets at @john_mathon to see how I called out the president of Uber to fire this individual and to institute new policies.

The main problem Uber seems to have is that they run afoul of local regulations, ignore the system that exists and try to establish they are different and can do it their way.

Uber seeks to exist outside the regulations

They claim they are unregulated because they connect drivers and passengers via the internet and cell phone apps, which are not explicitly specified in the regulations of any country.   This is merely an oversight, however.  Most countries and cities which regulate things like this will rapidly add clauses covering the types of services Uber delivers.   How to regulate them is not clear, which leads to many places wanting to ban the service until they work out the laws or until more of a consensus emerges on how to deal with such a service.

Uber’s model inherently is a lower cost method of providing workers which means that they consistently offer a lower cost service than local companies can offer.  This obviously disrupts the local drivers of taxis and creates demand.  They purposely avoid compliance with local regulations seeking to keep the model that they originated with no changes.   They avoid training workers as many countries demand of taxi drivers, they eschew employing locals or dealing with medallions or other local regulations seeking always to be on the unregulated outside of the definition of “taxi” services where possible by using their simple hands off approach.

Uber vs Conventional Taxis

The traditional taxi ride

I am going to start by saying I exclude London taxis.   I have had the greatest experiences in London taxis.  I have found the drivers engaging, always interesting to talk to, always knowledgeable, and the service and the vehicles impeccable.  I estimate that across all my trips I have taken 500 taxi rides in London.   Also, I have rarely ever had a real problem getting a taxi in London.  They really are an exception in my opinion.

The rest of the world:

In my history I have been ripped off by cab drivers more times than I care to admit.  I have been taken far afield of where I wanted to go, either on purpose or accidentally, on too many occasions.  I have constantly found taxi drivers I have to give directions to because they have no idea how to get to my destination.   I have had taxi drivers who stink, who smell of drugs, and taxi cars that I felt very unsafe in, that smelled or were unhygienic.   I am sure many of the cabs I’ve been in were in violation of several laws for motor vehicles.  I’ve had trouble communicating with drivers, drivers I’ve fought with, drivers who seemed incompetent or dangerous to drive with, drivers who were rude to me and to other drivers or people.  I’ve sometimes found it impossible to find a taxi because of the load or strikes, even though I looked for an HOUR.   I remember several drives where I feared for my life.  I’ve been in taxis that have had accidents while I am in them.  I have also felt ripped off even by normal taxi fares, paying sometimes over $100 for a simple drive from SFO to home less than 20 miles away, and that is the legitimate fare in some cases.

Overall, the situation has improved over the years but it still leads me to trepidation when getting into a Taxi.  I always make sure they are a real taxi.  I have been hassled by too many hucksters seeking to rip me off.  I now track my ride all the time with a mapping app to make sure I am going to the right place or the best route.  I make sure to always insist on a meter taxi.  Even with precautions the number of bad experiences is still too many.  This is one reason I think many people want an alternative.

In Sydney recently I was shocked when locals told me they hated their local taxi drivers.   Apparently this is a common perception because I went to a comedy show in London soon after and the comedian (from Sydney) was making a lot of fun of the Sydney taxi drivers.

My Uber experience

I have taken Uber in countries all over the world, in Asia and Europe as well as in America in half a dozen cities.    My experience is uniformly much better than cabs, except in London.   Uber drivers are rated after each ride.  They can be booted from the system if their rating falls even a fraction of 1 point.   Several disgruntled passengers early in an Uber driver's career will doom them and their income.  As a result the system works incredibly well.  The Uber drivers have always been incredibly pleasant, talkative and helpful when needed.  They have gone out of their way to help me.

In a few of the rides the cars were maybe 5 or more years old.  Still, compared to the 10, 20, or 30 years of age of some of the taxis I’ve been in, they seem positively new.  I’ve noticed that Uber drivers almost always soon get late-model cars, usually 2 years old or less.  They have ranged from BMWs to fancy Japanese brands.   They usually have a range of comfort features, including excellent air conditioning and heating, as well as being universally clean and hygienic.     I really am not being paid in any way by Uber.   This is my actual experience.

When I read of these people who have had bad experiences in Uber taxis I am not entirely surprised.   The law of averages means that at least some crazy incidents will occur: if you have millions of rides and tens of thousands of employees, you are going to run into every situation possible.

I have a couple complaints.

1) I frequently have found the process of finding your Uber driver problematic.   The Uber drivers do not get the address you are located at, even if you type it in.  Apparently this is considered a security risk, so frequently I’ve been texting the driver to tell him where I am, and it costs us a couple of minutes to finally get in the car.

2) I believe the surge pricing system needs to be modified.    I understand all that goes into the current system but I find it very irritating.   I have a friend who uses Uber a lot more than me.  He says that surge zones can be quite small and a driver can move into a surge zone to “up” their fares.   He claims that on more than one occasion a driver cancelled his ride only for surge pricing to go into effect immediately, and when he got the next Uber he was paying 2 or 3 times what the fare would have been just 2 minutes earlier.  He claims Uber doesn’t care if drivers abuse the system this way.  I don’t know how much this is done, but I avoid surge pricing.

The Uber model as I understand it

Uber recruits drivers aggressively.   This has been the subject of some concern to competitors, who claim Uber actually employs people to ride in competitors' taxis and recruit drivers they like, going only a block if they feel there is no chance of recruiting the driver.

A driver for Uber usually receives a phone from Uber.  They also have many rules and standards they ask drivers to adhere to. Uber does not help pay for the vehicle, the health insurance, car insurance or anything else for the driver, although I understand they do help recruit group plans and reduced rates for some policies.   Uber takes 20% of the driver's fare.    This is far less than other types of service take, so taxi drivers feel like they make more from Uber.   Many taxi drivers have told me they get more rides on Uber, and in spite of the lower cab ride fares they make more money.   Many of the drivers drive late-model fancy vehicles that would seem to be outside their price range.   I believe they are able to deduct their vehicle on taxes, in the US at least, which would greatly reduce the cost of the vehicle.

The main way Uber seems to have of enforcing its regulations is effectively the same system used and created originally by eBay.   The rating system has been incredibly effective for eBay, which has grown to do billions of transactions a day efficiently and with few problems.   I know how many transactions eBay does because they use WSO2 software to mediate all their messages to and from mobile applications, web services and all their services.  On peak days the number of transactions routinely exceeds 10 billion.    This is a well-oiled machine.   People are remarkably concerned about their reputation in such rating systems.  You can imagine that for Uber, where your very livelihood would be in jeopardy, drivers are going to want you to give them a 5-star rating every time.  That explains pretty clearly why the service I’ve experienced is so good.

Another important selling point of the Uber system is its "first mover advantage." I believe this is very significant. One of the big advantages of Uber is that I am a known quantity on their system wherever I go, and they are a known quantity to me. I can go to Paris, Sydney, New York or one of more than 200 cities in the world where they have drivers and be assured I am not going to be ripped off, with generally the same quality of service. I don't have to worry about local currency and the other issues I've mentioned. So I may have 2 or 3 taxi app services on my phone, but I won't be subscribing to every local country's app-based taxi service; I will naturally want to use the ones that work in most or all the places I go. There is tremendous pressure for Uber to expand to maintain its first mover advantage in as many markets as possible.

Summary Comparison

This is simple. I get rides predictably from Uber, whereas with traditional taxis I may wait an hour or more in some cases. This is especially a problem if you, like me, have to make meetings and need to be sure of getting a ride. I can take an Uber taxi anywhere in the world and not worry about being ripped off. I don't hassle with local currency, tipping rules or the whole money-exchange process, which typically adds a tedious and problematic end to a taxi ride. I walk out of the taxi as soon as I get to the destination, which is liberating. I have never had an Uber driver take me to the wrong location or take me on a circuitous path. The drivers are friendly and the cars clean, in good functioning order and frequently as nice as any car you could be in. This applies whether I have been in Paris, many countries in Asia including China, London or other places in Europe. It applies whether in Florida or Nevada, Boston or New York. The Uber fare is always surprisingly lower than the comparable local fare. The only exceptions would be during surge pricing or when taking a tuk-tuk in Asian countries; there doesn't seem to be an "Uber TukTuk" service.

The Riots and Objections

I've spoken to many people and read many articles which seem to assume that because Uber drivers are not regulated by some government, they must be criminals, loaded up on drugs, dangerous and unsafe. The refrain is that you don't know who you're getting. However, I have no idea why people reach this conclusion. It makes no sense, as you have even less idea of who is driving a local taxi. The Uber system, like eBay's, seems to put an incredible onus on drivers to behave well, far more than the oversight people seem to ascribe to local regulatory authorities. They also seem to attract more intelligent drivers, in my experience. However, in spite of this, many people have an innate hostility to Uber and its service.

Let's take each of the points I made originally and consider their validity as objectively as I can.

1) Uber is "disrupting" in foreign countries which are not used to disruption

This seems clearly to have some truth to it. Many countries haven't seen a Toyota come in and displace millions of workers, because in most cases they didn't have an indigenous car manufacturing industry. Many other disruptions have happened to high-tech or large industrial companies, whose highly paid workers usually aren't protected the way lower-paid workers are. So most people in the world are not used to disruption like this. It has come as a surprise to many that Uber could offer a service and succeed in their markets. Change itself is disturbing to people not used to it.

2) Many International countries may be much less “docile” on labor rights than the US.

Uber's model means that they don't employ the drivers. A driver may receive a bad rating and lose their contract tomorrow. Uber takes 20%, leaving the driver to pay for their car, health and car insurance, maintenance, etc. For most drivers this seems to result in a lot more money at cheaper fares for passengers, with Uber still hauling in billions in income, but the drivers have no guaranteed income. Nonetheless, this is a win-win-win if I've ever seen one; the downside is that drivers have none of the "protection" that many countries consider important.

California recently ruled that a driver was really an employee. California is a particular stickler about contractors, always trying to find a way to get more tax revenue; I seriously doubt California is concerned for drivers' health care or unemployment insurance. However, the point is valid: if Uber employed its drivers instead of using them as contractors, they would have to change the formula drastically and possibly raise rates.

In most cases, becoming an employee would mean Uber would pay payroll taxes and insurance costs, and possibly buy and maintain vehicles, similar to how many taxi companies work. Another even more significant point is that Uber's ability to fire a driver over a couple of low ratings might disappear. It might unravel the Uber model, but I don't think so. I think they could still find a way to make the system work. It would take changing their system and taking on additional liabilities and costs: a lot of regulation to deal with and more hassle, but they could do this and still maintain the basics of their service. I think some countries, states or cities will require things like this, and Uber will eventually have to deal with variations in its model.

3) Politicians and others see an opportunity to gain traction with voters by siding with existing taxi drivers or nationalist sentiment

I won’t venture to accuse any individual politician but this kind of thing must be happening.

4) Graft, i.e. people paid off to present obstacles to Uber

Again, I have no direct knowledge that such techniques are in play in some places, but common sense suggests it must be happening; the opposite could be happening as well. Unfortunately, in my career I have known of situations where we lost deals because we didn't make the appropriate contributions. Fortunately, I have worked for companies who refused to engage in such behavior, and I know we lost deals as a result. The fact is such behavior is more common than many people assume.

5) Genuine concerns that Uber is trampling on people

As I mentioned earlier, many people may believe that Uber in fact does trample on people. This is basically a political point, and arguing it would be a waste of time for me. The problem for Uber is that it is unlikely they can change the political situation of every country they want to operate in. So they are going to have to make concessions to their business model eventually. They will presumably fight this as long as they can, but at the cost of being portrayed as the villain.

6) The pace of change Uber is forcing on people is too fast

Obviously Uber wants to grow as fast as it can and establish a foothold wherever it can. They are moving at a blistering pace in acquiring new markets: in May they raised $1 billion just to expand in China, and Uber is reportedly already the largest call-taxi service in many Chinese cities.

People in general can be resistant to change. For a business that has seen little impact from all the technology change of the last 50 years, the resistance is natural, but usually people don't start blowing things up because they fear change.

7) Uber's model is flawed and may need to adjust, especially in some countries, to fit in with local laws

Due to historical factors like medallions and local regulation of traditional taxi drivers, it is eminently possible that Uber has an unfair advantage. Frequently, local taxi cab drivers are employees and have costs and taxes that Uber drivers don't have. This is typical for disruptive companies. It is possible Uber will have to face special taxes or other restrictions which level the playing field.

A lot of people think Uber's advantage is in its cost structure and lower fares. I don't find that important. To me the compelling advantages of Uber are in its service, as I have described. If their fares were the same as or even higher than traditional cabs, I would pay for the convenience. So I think they have considerable room for increased costs before it would really impact the business model. Others believe that if Uber has to change its model to employ people, or make other changes, it will kill their advantage. I think not.

8) Uber has become a flashpoint that isn’t the real issue but a convenient scapegoat

Frequently one issue is used to deflect from the real purpose of something. It is very possible that some are using the fear of Uber to drive other political change for their own purposes, not because of a real concern about Uber's purported damage or risk. I find the claims of people who say they are concerned about rape by Uber drivers, or a lack of safety or regulation, disingenuous. There is no reason to believe that regular taxi cab drivers wouldn't be just as likely to be offenders, or more. An incident in San Francisco claimed an Uber driver hit a biker on purpose. Maybe the driver did, but how many incidents have there been with local cab drivers who have done the same thing?

Wired magazine wrote a review that said the Uber driver knows where you live, so of course you'll give 5 stars. Isn't it true that if I take a taxi to my home, the driver will know where I live as well, and could hold it against me if I don't tip well? People who would do something like that would be in serious trouble. It seems more likely that one of the taxi drivers I've ridden with, rather than an Uber driver, would rob my home.

The article below is typical, pointing out that Uber drivers have to pay for expenses. It fails to mention that Uber drivers pay only 20% of the fare to Uber, so they have ample income compared to regular taxi drivers to pay for these costs.

I believe that people who make these claims are either very poorly informed or have ulterior motives. The writer of the article never mentions experiences with regular cabs. Have those always been perfect?

Other Articles on this topic of interest:

A look at challenges Uber has faced around the world

Uber problems keep piling on

Yumani Ranaweera: Patch Management System - developed, maintained, enhanced using WSO2 Carbon products

WSO2 support patching in brief

The WSO2 support system issues patches to fix defects found in product setups. This patching procedure needs to be handled methodically: the fix being applied should correctly solve the issue, should not introduce regressions, should be committed to the relevant public code base and to the support environment, and should be validated to fit in correctly with the existing code base.

Patch Management Tool (PMT)

In an environment with a large customer base and many clarifications expected daily, there is a chance of developers missing certain best practices. Therefore a process that enforces and reminds you of what needs to be done should be embedded in the system. The WSO2 Patch Management Tool (PMT) was built for this purpose.

In the above process, we also need to maintain a database of patch information. In the WSO2 support system, applying a patch to a server involves a method which ensures that a new fix is correctly applied to the product binaries. This procedure relies mainly on a numbering system: every patch has its own number, and since we maintain many platform versions at the same time, there is a parallel numbering sequence for each WSO2 Carbon platform version. All of this data should be correctly archived and available as an index when you need to create a new patch. PMT facilitates this by being the hub for all patches: any developer who creates a new patch obtains the patch number for his work from PMT.

The WSO2 support system involves many developers working in parallel on different or the same product components, based on the customer issues they are handling. In such a space, it is important to archive metadata such as the jar versions that are patched, commit revisions, patch location, integration test cases, integration test revisions, the developer/QA who worked on the patch, and the patch release date. This information is needed at the time of a conflict or an error. PMT provides an environment to capture it.

So, as described above, the main purposes of PMT are managing the patching process, generating patch numbers, archiving patch metadata and providing search facilities. It was initially introduced and designed by Samisa as a pet project, for which Lasindu and Pulasthi helped with writing extensions as part of their intern projects, and Yumani with QA.

To cater to the project requirements, WSO2 Governance Registry was chosen as the back-end server, with the WSO2 user base connected via WSO2 IS as the user store and MySQL for the registry. Later, WSO2 User Engagement Server was integrated as the presentation layer, using the Jaggery framework to develop the presentation logic. From WSO2 G-Reg we use the RXT, LifeCycle and handler concepts, the search/filtering facilities and the governance API. From WSO2 UES we use the webapp hosting capability. WSO2 IS provides the LDAP user store.

In the following sections I will briefly describe how PMT evolved with different product versions, absorbing new features and enhancements.

First version in wso2greg-4.5.1

PMT was initially designed on the G-Reg 4.5.1 version. Using the RXT concept, an artifact type called patch was built to capture all metadata related to a patch. It also defines a storage path for patch metadata and a listing view which provides a quick glance at the existing patches. A few important parts of the RXT are discussed below.

Our requirement was to capture the JIRA's basic information, the client(s) to whom the patch is issued, the people involved, dates, and related documentation and repositories. So the RXT was categorized into tables: Overview, People Information, JIRA Information, Patch Information, Test Information and Dates.

<table name="Overview"> ... </table>
<table name="People Involved"> ... </table>
<table name="Patch Information"> ... </table>
<table name="Test Information"> ... </table>
<table name="Dates"> ... </table>

Each <table> above holds the attributes related to it. Most of these were captured via <field type="options"> or <field type="text"> fields.
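As an illustrative sketch only (the table and field names here are hypothetical, not the actual patchRXT definition), such a table in an RXT content definition might look like this:

```xml
<table name="Overview">
    <!-- Drop-down with a fixed set of choices -->
    <field type="options">
        <name>Product</name>
        <values>
            <value>ESB</value>
            <value>API Manager</value>
        </values>
    </field>
    <!-- Free-form text input -->
    <field type="text">
        <name>Patch Number</name>
    </field>
</table>
```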

The above RXT (patchRXT) was associated with a Lifecycle to manage the patching process. The patch LifeCycle involves main stages such as Development, ReadyForQA, Testing and Release. Each state includes a set of checklist items listing the tasks that a developer or QA needs to follow while in that particular Lifecycle state.

The sample code segment below shows the configuration of the 'Testing' state:

<state id="Testing">
    <datamodel>
        <data name="checkItems">
            <item name="Verified patch zip file format" forEvent="Promote"/>
            <item name="Verified README" forEvent="Promote"/>
            <item name="Verified EULA" forEvent="Promote"/>
            <item name="Reviewed the automated tests provided for the patch"/>
            <item name="Reviewed info given on public/support commits" forEvent="Promote"/>
            <item name="Verified the existence of previous patches in the test environment" forEvent="Promote"/>
            <item name="Automated tests framework run on test environment"/>
            <item name="Checked md5 checksum for jars for hosted and tested" forEvent="Promote"/>
            <item name="Patch was signed" forEvent="Promote"/>
            <item name="JIRA was marked resolved" forEvent="Promote"/>
        </data>
        <data name="transitionUI">
            <ui forEvent="Promote" href="../patch/Jira_tanstionUI_ajaxprocessor.jsp"/>
            <ui forEvent="ReleasedNotInPublicSVN" href="../patch/Jira_tanstionUI_ajaxprocessor.jsp"/>
            <ui forEvent="ReleasedNoTestsProvided" href="../patch/Jira_tanstionUI_ajaxprocessor.jsp"/>
            <ui forEvent="Demote" href="../patch/Jira_tanstionUI_ajaxprocessor.jsp"/>
        </data>
    </datamodel>
    <transition event="Promote" target="Released"/>
    <transition event="ReleasedNotInPublicSVN" target="ReleasedNotInPublicSVN"/>
    <transition event="ReleasedNoTestsProvided" target="ReleasedNoTestsProvided"/>
    <transition event="Demote" target="FailedQA"/>
</state>

As you may have noticed, the Lifecycle has a transitionUI, in which the user is given an additional interface between state changes. Above, on completion of all checklist items of the Testing state, the transition pauses to log the time that was spent on the tasks. This information directly updates the live support JIRA and is used for billing purposes. The ui-handlers were used to generate this transition UI dynamically. Later in the cycle we removed it, when Jagath and Parapran introduced a new time-logging web application.

Given the various paths in which a patch might need to be parked depending on environment factors, we had to introduce intermediate states such as 'ReleasedNotInPublicSVN' and 'ReleasedNoTestsProvided'. The <transition event> tag was helpful here: for example, a patch can be promoted to the 'Released', 'ReleasedNotInPublicSVN' or 'ReleasedNoTestsProvided' states, or demoted to the 'FailedQA' state, using the <transition event> option.


Performance Issues in G-Reg 4.5.1

Compared with the low concurrency rate we had at the time, the response time was high while PMT was hosted on G-Reg 4.5.1. This was observed even on the JIRA details page. The suspect was a *social* feature which pops up worklist items in the UI and which, as per the design at the time, used to run on each page refresh. There was also a delay when working with Lifecycle state checklist items.

Migrated to G-Reg 4.5.3

Considering the performance problems and some new enhancements to RXTs, PMT was migrated to G-Reg 4.5.3. The migration process was very smooth; there were no database schema changes, and we were able to point to the same database that was used earlier. The above issue was solved in the new version of G-Reg.

There were also RXT-related enhancements: we could now have a pop-up calendar for dates, as opposed to the text box in the previous version. As for filtering, in the earlier version patch filtering was done through a custom development which we had deployed in CARBON_HOME/repository/component/lib, but in the new version this was a built-in feature. There were also enhancements in G-Reg's governance API that we could leverage in generating reports and patch numbers.

Moving historical data to the live environment

Prior to PMT, Google spreadsheets were used to maintain patch-related metadata. Since PMT is used as the repository to search patches and related information, it was time to move the old data into PMT as well. All the previous data, captured in 6 different spreadsheets, was moved to PMT. This involved data analysis, since some field names differed from spreadsheet to spreadsheet and from the spreadsheets to PMT. After background adjustments, Ashan from the support team moved the historical data by retrieving it from the spreadsheets using data services and writing it to PMT using the RemoteRegistry API [2 -svn location of gov-api code].

This added 900+ patches to the live system and also affected performance, as described below. It was done using a data service to get data from the spreadsheets and a Java client to add them to PMT [attached].

Looking for new avenues


With the patch database growing through data migrated from the archives, and PMT being used daily by rotating support teams, unpredictable stability issues arose. A PoolExhaustedException was one of them, reproducible when the loaded database had been idle for a couple of days [1].

After looking into the details, leading G-Reg engineers Ajith and Shelan proposed some changes to the data-sources configuration which helped:

Introduced 'removeAbandoned' and 'removeAbandonedTimeout':
removeAbandonedTimeout="<This value should be more than the longest possible running transaction>"

Updated 'maxActive' to a higher value than the default value of 80.
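Put together, the relevant part of the Tomcat JDBC datasource configuration (typically in master-datasources.xml) would look roughly like the sketch below; the datasource name, connection details, timeout and pool-size values are illustrative assumptions, not recommendations:

```xml
<datasource>
    <name>WSO2_GREG_DB</name>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://localhost:3306/regdb</url>
            <username>regadmin</username>
            <password>regadmin</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>150</maxActive>
            <!-- Reclaim connections abandoned by the application -->
            <removeAbandoned>true</removeAbandoned>
            <!-- Seconds; must exceed the longest possible running transaction -->
            <removeAbandonedTimeout>300</removeAbandonedTimeout>
        </configuration>
    </definition>
</datasource>
```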

But we had a couple more problems: we noticed that the response time for listing the patches was unreasonably high. One of the reasons isolated with the help of Ajith was the default setting for versioning, which was set to true. In G-Reg, Lifecycle-related data is stored as properties, so when <versioningProperties>true</versioningProperties> is set, the REG_RESOURCE_PROPERTY and REG_PROPERTY tables grow massively with resource updates. With the patch LifeCycle (which contains 20 checklist items), one patch resource going through all the LC states adds more than 1100 records to REG_RESOURCE_PROPERTY and REG_PROPERTY when versioning is set to true.

A summary of Ajith's tests:

Versioning on:
Adding LC: 22
One click on a checklist item: 43
One promote or demote: 71

Versioning off:
Adding LC: 22
One click on a checklist item: 0
One promote or demote: 24

As a solution, the following was done:
1) Created a script to delete the unwanted properties

2) Disabled the versioning of properties, comments and ratings in the static configuration in registry.xml [2 -]
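For reference, the static configuration section of registry.xml with versioning of properties, comments and ratings turned off looks roughly like this (a sketch based on the default registry.xml layout):

```xml
<staticConfiguration>
    <versioningProperties>false</versioningProperties>
    <versioningComments>false</versioningComments>
    <versioningTags>false</versioningTags>
    <versioningRatings>false</versioningRatings>
</staticConfiguration>
```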

There was also another bug found related to artifact listing. There is a background task in G-Reg to cache all the generic artifacts, which helps reduce database calls when we need to retrieve artifacts (get from cache instead of the database). In G-Reg 4.5.3 this didn't work for custom artifacts such as patchRXT; it only worked for service, policy, wsdl and schema artifacts. This issue was patched by the G-Reg team.

Process Validation:

With the number of users increasing daily, tightening the link with the process became very important. The existing UI at that time was the G-Reg management console, but our requirement was to validate Lifecycle events against the data in the RXT.

Jaggery based web application and GReg upgrade

The G-Reg migration to version 4.6.0 was done by Parapran to overcome the above issues, which were known and fixed in the new G-Reg, and a new Jaggery-based web application was developed by the support intern at the time, Nazmin, as per Yumani's design and with valuable feedback from Jagath and team.

The intention of the new PMT application was to provide a very user-friendly view and to ensure that patch developers follow all the necessary steps in creating a patch. For example, a developer cannot proceed from the 'Development' state if he has not updated the support JIRA, public JIRA and svn revision fields. If he indicates that automation testing is 'Not possible', he has to give reasons; if he has done tests, he has to give the test commit location, and so on. Yes, we had occasional disturbed use cases; special thanks to Paraparan and Ashan, who fixed these cases in no time.

Image 1: Patch Listing

Image 2: Patch Details

This application was highly appreciated by the users, as it allowed auto-generation of patch numbers and pre-populated data for customer projects, users, products and versions, etc. As promised, it duly validates all mandatory inputs by binding directly to user activities.

Today, the application has been further developed to capture various patch categories such as ported patches, critical patches and preQA patches. The G-Reg-based life cycle has also been further developed to cater to pre-patch-creation and post-patch-creation tasks. It was Inshaf who implemented these enhancements. We are also working on new features such as updating customers with ETAs for patches based on three-point estimation, looping in leads, and rigorously following up on delays.

The application was also deployed in an HA setup by Chamara, Inshaf and Ashan for higher scalability, where the back-end G-Reg is clustered across 4 nodes fronted by Nginx, which sits between the client application and the back end. We have about 100+ engineers accessing this application daily, with around 15 concurrent users adding patches to the patch queue, generating patch numbers, progressing patches through the patch life cycle and searching for meta information.

Additionally, the PMT database is routinely queried by several other client programs, such as Patch Health clients, where we generate reports on patches which are not process-complete; Service Pack generation, where the whole database is read to extract patches belonging to a given product version and its kernel; and reports for QA at the time of release testing, where they look for use cases patched for customers. Most of these client applications are written using the governance API.

PMT is a good example of a simple use case which expanded into a full-scale system. It is much used in WSO2 support today, and we have extended it with many new features to support the increasing support demands. We have been able to leverage the Jaggery framework for all UI-level enhancements. Governance Registry's ability to define any type of governance asset, together with its customizable life cycle management feature, pioneered the inception of this tool and helped in catering to the different data patterns that we wanted to preserve and the life cycle changes that needed to be added later as the process changed. We were able to add customized UIs to the application using the handler concept in G-Reg. When the front-end Jaggery web application was introduced, the integration was very seamless, since the back end could be accessed via the governance API. Increasing load demands were well supported by Carbon clustering and high-availability concepts.

sanjeewa malalgoda: How to send specific status codes and messages based on different authentication failures in WSO2 API Manager

In WSO2 API Manager, all authentication failures hit the auth failure handler. There you will be able to change the message body, content and headers based on internal error codes.
For example, if we get a resource-not-found error while doing token validation, the error code will be 900906. In the same way, we have different error codes for different failures.

So in this sample we will generate a custom message for resource-not-found issues during token validation. For this we will specifically check for error code 900906 and then route the request to a specific sequence.

Please refer to the following sequences and change _auth_failure_handler_ to call the custom sequence.


<sequence name="_auth_failure_handler_" xmlns="http://ws.apache.org/ns/synapse">
    <property name="error_message_type" value="application/xml"/>
    <filter source="get-property('ERROR_CODE')" regex="900906">
        <sequence key="sample"/>
    </filter>
    <sequence key="_build_"/>
</sequence>


<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="sample">
    <payloadFactory media-type="xml">
        <format>
            <am:fault xmlns:am="http://wso2.org/apimanager">
                <am:message>Resource not found</am:message>
                <am:description>Wrong http method</am:description>
            </am:fault>
        </format>
        <args/>
    </payloadFactory>
    <property name="RESPONSE" value="true"/>
    <header name="To" action="remove"/>
    <property name="HTTP_SC" value="405" scope="axis2"/>
    <property name="messageType" value="application/xml" scope="axis2"/>
</sequence>

Dhananjaya jayasinghe: How to generate a custom Error Message with a Custom HTTP Status Code for unavailable Resources in WSO2 ESB

WSO2 ESB 4.8.1 does not throw any exception or error message when a defined API is accessed with an incorrect HTTP method; it just responds with 202. In this blog post, I explain how we can return a custom HTTP status code for this case.

In order to get a custom error message, you need to add the following sequence to the ESB; it is not there by default.

<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="_resource_mismatch_handler_">
    <payloadFactory media-type="xml">
        <format>
            <tp:fault xmlns:tp="http://test.com">
                <tp:type>Status report</tp:type>
                <tp:message>Method not allowed</tp:message>
                <tp:description>The requested HTTP method for resource (/$1) is not allowed.</tp:description>
            </tp:fault>
        </format>
        <args>
            <arg xmlns:ns="http://org.apache.synapse/xsd" expression="$axis2:REST_URL_POSTFIX"/>
        </args>
    </payloadFactory>
    <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
    <property name="HTTP_SC" value="405" scope="axis2"/>
</sequence>

The ESB documentation [1] explains that in order to handle non-matching resources, you need to define this sequence as _resource_mismatch_handler_.


Dhananjaya jayasinghe: How to generate a custom Error Message with a Custom HTTP Status Code for unavailable Resources in WSO2 API Manager

We are going to explain how to generate a custom HTTP status code for a request which is addressed to a non-matching resource of an API.

Problem :

When an API exposes a resource with "GET" and the client invokes the API with "POST", "PUT" or any method other than "GET", by default API Manager returns the following:

{
  "type": "Status report",
  "message": "Runtime Error",
  "description": "No matching resource found in the API for the given request"
}

At the raw HTTP level you will see it as follows:

HTTP/1.1 403 Forbidden
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Content-Type: application/xml; charset=UTF-8
Date: Mon, 29 Jun 2015 14:46:29 GMT
Server: WSO2-PassThrough-HTTP
Transfer-Encoding: chunked
Connection: Keep-Alive

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:message>No matching resource found in the API for the given request</ams:message>
    <ams:description>Access failure for API: /sss, version: v1 with key: 4a33dc81be68d1b7a5b48aeffebe7e</ams:description>
</ams:fault>

Expected Solution :

We need to replace this response with HTTP status code 405 [1] and a custom error message.

Solution :

We need to create a sequence which builds the custom error message and error code, and deploy it in API Manager's default sequences folder.

<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="converter">
    <payloadFactory media-type="xml">
        <format>
            <am:fault xmlns:am="http://wso2.org/apimanager">
                <am:message>Resource not found</am:message>
                <am:description>Wrong http method</am:description>
            </am:fault>
        </format>
        <args/>
    </payloadFactory>
    <property name="RESPONSE" value="true"/>
    <header name="To" action="remove"/>
    <property name="HTTP_SC" value="405" scope="axis2"/>
    <property name="messageType" value="application/xml" scope="axis2"/>
</sequence>

You can save this as converter.xml in wso2am-1.8.0/repository/deployment/server/synapse-configs/default/sequences folder.

Then we need to invoke this sequence in _auth_failure_handler_.xml, which is located in the same sequences folder. In order to do that, we need to change it as follows:

<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="_auth_failure_handler_">
    <property name="error_message_type" value="application/xml"/>
    <filter source="get-property('ERROR_CODE')" regex="900906">
        <sequence key="converter"/>
    </filter>
    <sequence key="_build_"/>
</sequence>

Once you have done the above changes, save them and test your scenario. If you are successful, you will see the following response:

HTTP/1.1 405 Method Not Allowed
Content-Type: application/xml
Date: Mon, 29 Jun 2015 14:59:12 GMT
Server: WSO2-PassThrough-HTTP
Transfer-Encoding: chunked
Connection: Keep-Alive

<am:fault xmlns:am="http://wso2.org/apimanager">
    <am:message>Resource not found</am:message>
    <am:description>Wrong http method</am:description>
</am:fault>

Explanation : 

By default, when we invoke a non-existing resource, API Manager sends the default 403 error code with the message "No matching resource found in the API for the given request". If you check the WSO2 AM log, you can see that the following exception has been thrown in the back end:

[2015-06-29 10:59:12,103] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /sss, version: v1 with key: 4a33dc81be68d1b7a5b48aeffebe7e
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
at org.apache.axis2.engine.AxisEngine.receive(
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(
at org.apache.axis2.transport.base.threads.NativeWorkerPool$
at java.util.concurrent.ThreadPoolExecutor.runWorker(
at java.util.concurrent.ThreadPoolExecutor$

When the above exception is thrown, the flow hits the _auth_failure_handler_.xml sequence. In this sequence, using the filter mediator, we filter on the error code "900906"; for that error code we invoke our custom sequence and then drop the message.

In the custom sequence, we have used the Payload Factory mediator to create the payload, and added the required properties to turn the message into a response. You can find further information on each of those properties in [2][3][4].

After invoking the custom sequence, the flow invokes the "_build_" sequence in the same folder, which calls the message builders to build the message.

I have used resource [4] in creating this blog post.


Chanaka FernandoWSO2 ESB Error Handling Tutorial - Part I (Client side error handling)

Recently, I found a nice video on Facebook, shared by Sanjiva Weerawarana (CEO @ WSO2), which was a narration by Matt Damon. The original paragraph was taken from Howard Zinn's 1970 speech.

According to that, the world is topsy-turvy (upside down). Wrong people are in power, wrong people are out of power. But there is one thing missing in that speech, which is that wrong people are using software, and wrong people are not using software :).

Sorry about going off topic, but this speech really moved me. Anyway, let's get to the subject. WSO2 ESB is the central hub of your SOA architecture. It communicates with all kinds of heterogeneous systems, and these systems can go mad sometimes. In such scenarios, WSO2 ESB should not go mad. If you haven't done proper error handling at the WSO2 ESB level, people will feel it has gone mad by looking at lengthy error logs and exceptions, even if it hasn't. So why let people think that way? Instead, we can implement a proper error handling mechanism and make WSO2 ESB look solid at all times.

Here is a typical message flow in your enterprise system which involves WSO2 ESB.
In the above message flow, things can go wrong in all 3 components. 
  • Client Error
  • ESB Error
  • Server Error
In all 3 scenarios, we need a proper error handling mechanism to identify error scenarios as soon as they occur. Otherwise, it will cost your organization's business, ranging from hundreds of dollars to millions of dollars. Let's discuss error handling at each component depicted above.

Handling Client errors

Anything can go wrong at any time. That is a fact in this world, and so it is with the clients that use the services/APIs exposed through WSO2 ESB. Here are some example scenarios where clients go mad during message execution.

  • Sending wrong messages (non-allowed content)
  • Closing connections early
  • Sending requests to wrong URLs
Let's discuss these scenarios one by one and learn about the error handling mechanisms we can use to get over them.

Sending wrong messages

Let's say your client is sending XML messages to the ESB. Due to a mistake in the client code, the client sends the following message.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.samples" xmlns:xsd="http://services.samples/xsd">
   ...
</soapenv:Envelope>

In the above message, the client is sending a raw '&' character within the XML message (this is only an example). Let's say we have a very simple pass-through proxy service defined in the ESB.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse" name="StockQuoteProxy">
   <target>
      <endpoint>
         <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
      </endpoint>
   </target>
</proxy>

In this case, the ESB will simply pass the message through to the backend without inspecting the content. Depending on the capabilities of the back end server, it will respond with some message, and the ESB will pass the response to the client. No worries at this point.

All good with the above proxy service. Now let's add a log mediator with log level "full". Once we have this content-aware mediator in the message flow, the ESB tries to convert the incoming data stream into a canonical XML message. Here comes the exception: since this message contains invalid XML characters, the ESB will fail during the message building process. Now the proxy looks like below.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse" name="StockQuoteProxy">
   <target>
      <inSequence>
         <log level="full"/>
      </inSequence>
      <endpoint>
         <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
      </endpoint>
   </target>
</proxy>

Once we have this content-aware mediator in place, ESB will try to build the message and it will fail with an exception similar to this.

ERROR - NativeWorkerPool Uncaught exception ParseError at [row,col]:[8,29]
Message: The entity name must immediately follow the '&' in the entity reference.

This is fine, since the message is wrong. What is not fine is that the client did not get any message from the ESB about this error. The client will then time out the connection after waiting for the configured duration, and you can see the following log in the ESB console.

[2015-06-27 17:26:08,885]  WARN - SourceHandler Connection time out after request is read: http-incoming-2

We need to handle this situation with a proper error handler. We can define a fault sequence at the proxy service level; the message will then go through this fault handler sequence, and we can send a fault message to the client when we encounter this kind of message. Let's add the fault sequence to the proxy service.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse" name="StockQuoteProxy">
   <target>
      <inSequence>
         <log level="full"/>
      </inSequence>
      <faultSequence>
         <makefault version="soap11">
            <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/" value="soap11Env:Client"/>
            <reason expression="$ctx:ERROR_MESSAGE"/>
         </makefault>
         <send/>
      </faultSequence>
      <endpoint>
         <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
      </endpoint>
   </target>
</proxy>
Once we have the fault sequence in place, the client will get a fault message as the response for this kind of message.

Closing connections early

Another common scenario is that the client closes the connection before the server responds with the message. When this happens, you can observe the following error message in the server log file.

[2015-06-28 19:28:37,524]  WARN - SourceHandler Connection time out after request is read: http-incoming-1

This slowness can occur due to back end slowness or due to ESB server contention. In both cases, you need to increase the client timeout to get rid of this error: configure the client timeout to a value greater than the maximum response time of the server. But configuring the client timeout alone will not fix this scenario, because even though the client has increased its timeout, the ESB will still close the connection after 60 seconds (the default value). Therefore, you need to configure the client-side HTTP connection timeout in the ESB_HOME/repository/conf/ file with the following parameter. Add this parameter if it is not already there.


Sending Requests to wrong URL

Sometimes, clients may send requests to non-existing URLs. For example, let's say you have an API defined in the ESB like below.

<api xmlns="http://ws.apache.org/ns/synapse" name="test" context="/test">
   <resource methods="POST GET" url-mapping="/echo">
      <inSequence>
         <log level="full"/>
         <send>
            <endpoint>
               <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
            </endpoint>
         </send>
      </inSequence>
   </resource>
</api>

According to the definition, you need to send the request to the following URL.


But due to a mistake, the client sends a request to the following URL.


What happens here is that the ESB responds with a 202 Accepted message to the client. That is not the correct message for the ESB to send, since it has not actually processed the request. What it should do is respond with an error message so that the client can go through the error response and identify the root cause.

We need to define a special sequence for handling this kind of failed requests. You can define this sequence as given below.

<sequence xmlns="http://ws.apache.org/ns/synapse" name="_resource_mismatch_handler_">
   <payloadFactory media-type="xml">
      <format>
         <tp:fault xmlns:tp="">
            <tp:type>Status report</tp:type>
            <tp:message>Not Found</tp:message>
            <tp:description>The requested resource (/$1) is not available.</tp:description>
         </tp:fault>
      </format>
      <args>
         <arg xmlns:ns="http://org.apache.synapse/xsd" xmlns:ns3="http://org.apache.synapse/xsd" expression="$axis2:REST_URL_POSTFIX" evaluator="xml"/>
      </args>
   </payloadFactory>
   <property name="RESPONSE" value="true" scope="default"/>
   <property name="NO_ENTITY_BODY" action="remove" scope="axis2"/>
   <property name="HTTP_SC" value="404" scope="axis2"/>
   <header name="To" action="remove"/>
   <send/>
</sequence>
In the above sequence, you can change the internal mediators as you wish, but the name of the sequence must remain exactly as it is (_resource_mismatch_handler_). Once you have this sequence in place, clients will get the following error message when they send requests to non-existing API resources.

<tp:fault xmlns:tp="">
   <tp:type>Status report</tp:type>
   <tp:message>Not Found</tp:message>
   <tp:description>The requested resource (//echo-test) is not available.</tp:description>
</tp:fault>

I will discuss the remaining two scenarios in a future blog post.

Handling back end Server errors

Handling ESB errors

Ajith VitharanaAdd third party library to custom feature developed for WSO2 product.

This is a great article which explains how to write a custom feature for a WSO2 product.

This blog post explains how to add a third-party library to your custom feature.

1. You can create an orbit bundle from that third-party library.

E.g., this is how to make the Apache POI library an OSGI bundle.


2. Build your orbit bundle. (use maven)

3. Then you need to add that dependency to student-manager/features/org.wso2.carbon.student.mgt.server.feature/pom.xml file.


4. Add new <bundleDef> entry inside the <bundles> element in student-manager/features/org.wso2.carbon.student.mgt.server.feature/pom.xml file.

The format of the <bundleDef> entry should be: <bundleDef>[groupId]:[artifactId]</bundleDef>


org.apache.poi.wso2 - groupId of the above dependency
poi                 - artifactId of the above dependency

5. Build the student-manager project again; now you should see the poi_3.9.0.wso2v1.jar file in the student-manager/repository/target/p2-repo/plugins directory.

6. Finally, when you install the student-manager feature to a WSO2 server (from that p2-repo), the third-party library (poi_3.9.0.wso2v1.jar) will be installed automatically.
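Steps 3 and 4 above can be sketched as pom.xml fragments like the following. This is illustrative only: the groupId/artifactId come from the explanation above, and the version is inferred from the jar name poi_3.9.0.wso2v1.jar in step 5 - check the orbit bundle you actually built.

```xml
<!-- Step 3: dependency on the orbit bundle (version inferred from the jar name) -->
<dependency>
    <groupId>org.apache.poi.wso2</groupId>
    <artifactId>poi</artifactId>
    <version>3.9.0.wso2v1</version>
</dependency>

<!-- Step 4: <bundleDef> entry inside <bundles>, in [groupId]:[artifactId] format -->
<bundles>
    <bundleDef>org.apache.poi.wso2:poi</bundleDef>
</bundles>
```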

Denis WeerasiriBird-eye view of Sri Lanka

If you are travelling to Sri Lanka, or are a nature lover who hasn't even heard about this beautiful island, these nature documentaries are for you.

Ocean of Giants

Land of Lakes

Forest of Clouds

Dhananjaya jayasingheHow to add a thread sleep to a Proxy Service

Here I am going to provide an example of how we can create a mock service with WSO2 ESB and add a sleep to that service.

In order to do that, we need to use:

  1. Payload Factory mediator to create the mock response
  2. Script mediator to do a thread sleep
Here is the simple mock service proxy with a thread sleep.

<proxy xmlns="http://ws.apache.org/ns/synapse" name="MockServiceProxy">
   <target>
      <inSequence>
         <property name="===Before sleep===" value="===Before sleep==="/>
         <script language="js">java.lang.Thread.sleep(75000);</script>
         <property name="===After sleep===" value="===After sleep==="/>
         <payloadFactory media-type="xml">
            <format>
               <Response xmlns=""/>
            </format>
            <args/>
         </payloadFactory>
         <header name="To" action="remove"/>
         <property name="RESPONSE" value="true" scope="default" type="STRING"/>
         <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
         <send/>
      </inSequence>
   </target>
</proxy>

I have used the blog of Miyuru [1] to create this.


Dhananjaya jayasingheWSO2 IS User Store as ReadOnly/ReadWrite LDAP secondary user store

In most testing scenarios, we need to connect our products to a secondary user store, which is a ReadOnly or ReadWrite LDAP user store.

This is a simple way to get it done with WSO2 Identity Server.

Unlike other WSO2 products, IS ships with an LDAP user store as its primary user store. So if we need to point any of the other products to an LDAP secondary user store, we can easily use WSO2 IS for that.

Case 01: Pointing WSO2 AM to a ReadOnlyLDAP Secondary user store

  • Download, Extract, Start WSO2 IS
  • Download, Extract WSO2 AM
  • If we are running both products in the same machine, we need to change the offset of the AM
  • Open the carbon.xml file located in "wso2am-1.9.0/repository/conf" folder and change the Offset value to "1". (By default it is "0")
  • Start AM
  • Browse url https://localhost:9444/carbon/
  • Login with credentials admin/admin
  • From the left menu, click on "Configure"

  • Click on "User Store Management"
  • Then click on "Add Secondary User Store" button 
  • From the drop down at the top, select "ReadOnlyLdapUserStoreManager" as the user store manager class.
  • Then provide parameters as follow
    • Domain Name : Any name
    • Connection Name : uid=admin,ou=system
    • Connection URL : ldap://localhost:10389
    • Connection Password : admin
    • User search base : ou=Users,dc=wso2,dc=org
    • User Object Class : (objectClass=person)
    • Username Attribute : uid
    • User search filter : (&(objectClass=person)(uid=?))
  • Then click on Add. 
  • After few seconds, it will be displayed in the user Store list 
  • You can find these configurations in the user-mgt.xml file located in the "wso2am-1.9.0/repository/conf" folder. But pay attention to the "User search base" parameter. By default it is given as "ou=system", and with that you will not be able to view the users of the secondary user store. Here I have added the correct value: "ou=Users,dc=wso2,dc=org".

Case 02: Pointing WSO2 AM to a ReadWriteLDAP Secondary user store

Please follow the documentation

Kavith Thiranga LokuhewageHow to use DTO Factory in Eclipse Che

What is a DTO?

Data transfer objects are used in Che for communication between client and server. At the code level, a DTO is just an interface annotated with @DTO (com.codenvy.dto.shared.DTO). This interface should contain getters and setters (following bean naming conventions) for each field that we need in this object.
For example, the following is a DTO with a single String field.

@DTO
public interface HelloUser {
    String getHelloMessage();
    void setHelloMessage(String message);
}
By convention, we need to put these DTOs in a shared package, as they will be used by both client and server sides.

DTO Factory 

DTO Factory is a factory available on both client and server sides, which can be used to serialize/deserialize DTOs. It internally uses generated DTO implementations (described in the next section) to get the job done. Yet it has a properly encapsulated API, and developers can simply use a DtoFactory instance directly.

For client side : com.codenvy.ide.dto.DtoFactory
For server side : com.codenvy.dto.server.DtoFactory

HelloUser helloUser = DtoFactory.getInstance().createDto(HelloUser.class);
The above code snippet shows how to initialize a DTO using DtoFactory. As mentioned above, the proper DtoFactory class should be used on the client or server side.

Deserializing in client side

// important imports omitted

// invoke helloService
Unmarshallable<HelloUser> unmarshaller = unmarshallerFactory.newUnmarshaller(HelloUser.class);

helloService.sayHello(sayHello, new AsyncRequestCallback<HelloUser>(unmarshaller) {
    @Override
    protected void onSuccess(HelloUser result) {
        // called with the deserialized DTO
    }

    @Override
    protected void onFailure(Throwable exception) {
        // handle the error
    }
});

When invoking a service that returns a DTO, the client side should register a callback created using the relevant unmarshaller factory. The onSuccess method will then be called with a deserialized DTO.

De-serializing in server side

public ... sayHello(SayHello sayHello) {
    ... sayHello.getHelloMessage() ...
}
Everest (the JAX-RS implementation of Che) automatically deserializes DTOs when they are used as parameters in REST services. It identifies a serialized DTO by the marked type - @Consumes(MediaType.APPLICATION_JSON) - and uses the generated DTO implementations to deserialize it.

DTO maven plugin

As mentioned earlier, for DtoFactory to function properly, it needs generated code that contains the concrete logic to serialize/deserialize DTOs. The GWT compiler should be able to access the generated code for the client side, and the generated code for the server side should go into the jar file.
Che uses a special maven plugin called "codenvy-dto-maven-plugin" to generate this code. A typical configuration of this plugin contains separate executions for the client and server sides, in which we have to input the correct package structures and the file paths to which the generated files should be copied.

Other dependencies, if DTOs from the current project need them.
package - the package in which the DTO interfaces reside
outputDirectory - the directory to which the generated files should be copied
genClassName - the class name for the generated class
You should also configure your maven build to use these generated classes as a resource when compiling and packaging. Just add the following line to the resources in the build section.
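The original post's snippet is not preserved here, but the resource entry would look roughly like this sketch, assuming the plugin's outputDirectory was set to target/generated-sources/dto (adjust the path to match your own configuration):

```xml
<build>
    <resources>
        <resource>
            <!-- hypothetical path: must match the plugin's outputDirectory -->
            <directory>${project.build.directory}/generated-sources/dto</directory>
        </resource>
    </resources>
</build>
```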


Kavith Thiranga LokuhewageGWT MVP Implementation in Eclipse Che

MVP Pattern

Model View Presenter (aka MVP) is a design pattern that attempts to decouple the logic of a component from its presentation. This is similar to the popular MVC (model view controller) design pattern, but has some fundamentally different goals. The benefits of MVP include more testable code, more reusable code, and a decoupled development environment.

MVP Implementation in Che

Note: Code examples used in this document are from a sample project wizard page for WSO2 DSS.

There are four main java components used to implement a Che component that follows MVP.

      1. Interface for View functionality
      2. Interface for Event delegation
      3. Implementation of View
      4. Presenter


To reduce the number of files created for each MVP component, No. 1 and No. 2 are created within a single Java file. To be more precise, the event delegation interface is defined as a sub-interface within the view interface.

View interface should define methods that will be used by presenter to communicate with view implementation. Event delegation interface should define methods that will be implemented by presenter so that view can delegate events to presenter using these methods.

Following code snippet demonstrates these two interfaces that we created for DSS project wizard page.

public interface DSSConfigurationView extends View<DSSConfigurationView.ActionDelegate> {

    String getGroupId();
    void setGroupId(String groupId);

    String getArtifactId();
    void setArtifactId(String artifactId);

    String getVersion();
    void setVersion(String version);

    interface ActionDelegate {
        void onGroupIdChanged();
        void onArtifactIdChanged();
        void onVersionChanged();
    }
}
View and Event Handler interfaces

The view interface should extend the com.codenvy.ide.api.mvp.View interface, which only defines a single method - void setDelegate(T var1).

... interface DSSConfigurationView extends View<DSSConfigurationView.ActionDelegate> ...

 Using generics, we need to inform this super interface about our event handling delegation interface.

View Implementation

The view implementation can often extend any abstract widget such as Composite. It may also use UiBinder to implement the UI if necessary. It is possible to implement the view following any approach and using any GWT widget. The only must is that it implements the view interface (created in the previous step) and the IsWidget interface (or extends any subclass of IsWidget).

public class DSSConfigurationViewImpl extends ... implements DSSConfigurationView {

    /** Other code **/

    // Maintain a reference to presenter
    private ActionDelegate delegate;

    // Provide a setter for presenter
    @Override
    public void setDelegate(ActionDelegate delegate) {
        this.delegate = delegate;
    }

    /** Other code **/

    // Implement methods defined in view interface
    @Override
    public String getGroupId() {
        return groupId.getText();
    }

    @Override
    public void setGroupId(String groupId) {
        this.groupId.setText(groupId);
    }

    /** Other code **/

    // Notify presenter on UI events using delegation methods
    public void onGroupIdChanged(KeyUpEvent event) {
        delegate.onGroupIdChanged();
    }

    public void onArtifactIdChanged(KeyUpEvent event) {
        delegate.onArtifactIdChanged();
    }

    /** Other code **/
}

View implementation 

As shown in the above code snippet (see full code), the main things to do in the view implementation can be summarised as below.

      1. Extend any widget from GWT and implement user interface by following any approach
      2. Implement view interface (created in previous step)
      3. Manage a reference to action delegate (presenter - see next section for more info)
      4. Upon any UI events inform presenter using the delegation methods so that presenter can execute business logic accordingly   


Presenter

The presenter can extend from many available abstract presenters, such as AbstractWizardPage, AbstractEditorPresenter and BasePresenter - anything that implements com.codenvy.ide.api.mvp.Presenter. It should also implement the action delegation interface so that those delegation methods are called upon UI events.

public class DSSConfigurationPresenter extends ... implements DSSConfigurationView.ActionDelegate {

    // Maintain a reference to view
    private final DSSConfigurationView view;

    /** Other Code */

    public DSSConfigurationPresenter(DSSConfigurationView view, ...) {
        this.view = view;
        // Set this as action delegate for view
        view.setDelegate(this);
    }

    /** Other Code */

    // Init view and set view in container
    @Override
    public void go(AcceptsOneWidget container) {
        container.setWidget(view);
    }

    // Execute necessary logic upon UI events
    @Override
    public void onGroupIdChanged() {
        /** Other Code */
    }

    @Override
    public void onArtifactIdChanged() {
        /** Other Code */
    }
}


Depending on the extended presenter, there may be various abstract methods that need to be implemented. For example, if you extend AbstractEditorPresenter, you need to implement initializeEditor(), isDirty(), doSave(), etc. If it is AbstractWizardPage, you need to implement isCompleted(), storeOptions(), removeOptions(), etc.

Yet, as shown in the above code snippet (see full code), the following are the main things that you need to do in the presenter.

      1. Extend any abstract presenter as needed and implement abstract methods/override behaviour as needed
      2. Implement the action delegation interface
      3. Maintain a reference to the view
      4. Set this as the action delegate of the view using the setDelegate method
      5. Init the view and set it in the parent container (go method)
      6. Use methods defined in the view interface to communicate with the view

The go method is the one that will be called by the Che UI framework when this particular component needs to be shown in the IDE. This method is called with a reference to the parent container.
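The wiring described above can be condensed into a plain-Java sketch. The types here are illustrative stand-ins for the Che/GWT classes (View, widgets, AcceptsOneWidget) - none of these names are real Che APIs - but the delegate flow is the same: the view forwards UI events to the presenter, and the presenter drives the view through its interface.

```java
// 1. View interface with a nested event-delegation interface
interface GreetingView {
    void setDelegate(ActionDelegate delegate);
    String getName();
    void setGreeting(String text);

    interface ActionDelegate {
        void onNameChanged();   // delegated UI event
    }
}

// 2. View implementation: keeps a delegate reference and forwards UI events
class GreetingViewImpl implements GreetingView {
    private ActionDelegate delegate;
    private String name = "";
    String greeting = "";               // stands in for a label widget

    public void setDelegate(ActionDelegate delegate) { this.delegate = delegate; }
    public String getName() { return name; }
    public void setGreeting(String text) { this.greeting = text; }

    // Simulates a key-up handler in a real widget
    void simulateTyping(String value) {
        this.name = value;
        delegate.onNameChanged();       // notify presenter via delegation method
    }
}

// 3. Presenter: implements the delegation interface and drives the view
class GreetingPresenter implements GreetingView.ActionDelegate {
    private final GreetingView view;

    GreetingPresenter(GreetingView view) {
        this.view = view;
        view.setDelegate(this);         // register as the view's action delegate
    }

    public void onNameChanged() {
        view.setGreeting("Hello, " + view.getName());
    }
}
```

Because the presenter only sees the GreetingView interface, it can be unit-tested against a fake view with no GWT involved - which is the point of MVP.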

sanjeewa malalgodaWSO2 API Manager CORS support and how it works with API gateway - APIM 1.8.0

According to Wikipedia, cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. "Cross-domain" AJAX requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many security issues, as described under cross-site scripting.

In WSO2 API Manager, cross-domain resource sharing happens between the AM and the client application.
See the following sample CORS-specific headers:
< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type
< Access-Control-Allow-Origin: localhost
< Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
The 'Access-Control-Allow-Origin' header in the response is set by the API gateway after validating the 'Origin' header from the request (CORS-related requests should carry an 'Origin' header identifying the requesting domain).
Please refer to the following config element in the api-manager.xml file.

    <!--Configuration to enable/disable sending CORS headers from the Gateway-->
    <!--The value of the Access-Control-Allow-Origin header. Default values are
        API Store addresses, which is needed for swagger to function.-->

    <!--Configure Access-Control-Allow-Methods-->
    <!--Configure Access-Control-Allow-Headers-->
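Only the comments of that config element survive above; as a sketch, the CORSConfiguration section of api-manager.xml in APIM 1.8.0 is shaped roughly like this (the values shown are illustrative examples matching the headers in the curl output below - check your own api-manager.xml for the actual defaults):

```xml
<CORSConfiguration>
    <Enabled>true</Enabled>
    <!-- comma-separated list of origins the gateway will echo back -->
    <Access-Control-Allow-Origin>localhost</Access-Control-Allow-Origin>
    <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,OPTIONS</Access-Control-Allow-Methods>
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type</Access-Control-Allow-Headers>
</CORSConfiguration>
```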

We set the CORS related headers in the response from the APIAuthenticationHandler before we send the response back to the client application.

In the API gateway, we first check the 'Origin' header value from the request (the one sent by the client) against the list of origins defined in api-manager.xml.
If the host is in the list, we set it in the Access-Control-Allow-Origin header of the response.
Otherwise we set it to null, and if it is null the header is removed from the response (access not allowed).
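The validation logic just described can be sketched as follows. This is a simplified illustration, not the actual gateway source: the gateway echoes the request's Origin back in Access-Control-Allow-Origin only when it appears in the configured list, and a null result means the header is dropped from the response.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Sketch of the Origin-validation behaviour described above (illustrative class name).
class CorsOriginPicker {
    // Returns the value for Access-Control-Allow-Origin, or null if the
    // header should be removed from the response (origin not allowed).
    static String allowedOrigin(String requestOrigin, Set<String> configuredOrigins) {
        if (requestOrigin != null && configuredOrigins.contains(requestOrigin)) {
            return requestOrigin;   // echo the matching origin back
        }
        return null;                // header removed -> browser denies access
    }
}
```

With "localhost" configured, an Origin of "localhost" is echoed back while "localhostXX" yields null - which matches the two curl responses shown below.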

See following sample curl commands and responses to see how this origin header change response.

curl -k -v -H "Authorization: Bearer 99c85b7da8691f547bd46d159f1d581" -H "Origin: localhost"
< HTTP/1.1 200 OK
< ETag: "b1-4fdc9b19d2b93"
< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type
< Vary: Accept-Encoding
< Access-Control-Allow-Origin: localhost
< Last-Modified: Wed, 09 Jul 2014 21:50:16 GMT
< Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Wed, 24 Jun 2015 14:17:16 GMT
* Server WSO2-PassThrough-HTTP is not blacklisted
< Server: WSO2-PassThrough-HTTP
< Transfer-Encoding: chunked

 curl -k -v -H "Authorization: Bearer 99c85b7da8691f547bd46d159f1d581" -H "Origin: localhostXX"
< HTTP/1.1 200 OK
< ETag: "b1-4fdc9b19d2b93"
< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type
< Vary: Accept-Encoding
< Last-Modified: Wed, 09 Jul 2014 21:50:16 GMT
< Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Wed, 24 Jun 2015 14:17:53 GMT
* Server WSO2-PassThrough-HTTP is not blacklisted
< Server: WSO2-PassThrough-HTTP
< Transfer-Encoding: chunked

As you can see, the Access-Control-Allow-Origin header is missing in the 2nd response, because we sent an origin which was not defined in the CORS configuration in the api-manager.xml file.

John MathonThe Indisputable list of 10 most Innovative Influential Tech Companies

Innovation is the lifeblood of truly transformative business success but what is it and who has it?


Let's define innovation a little. Looking for the companies issuing the largest number of patents is one measure, but a relatively meaningless one. Some companies encourage and facilitate patents and become patent machines. Some companies are open source and opposed to patenting things. Many companies don't see any advantage in patenting things. So I don't think it is a good measure of innovation or influence.


A lot of companies have an initial "innovation" spike where they generate ideas when they first get started and shortly thereafter as they build a market. They may or may not continue to be an influential or innovative company after that first spark. A good example is Uber. After the initial idea of connecting people by cell phone to get taxis, they have made a number of very interesting innovations, including innovations in billing and in new services such as UberBlack and UberSUV, and I've even heard of UberIceCream delivery. However, even though Uber looks to be a promising entry for influential and innovative, I think it is still too early to tell. I think we have to exclude companies less than 5 years old living off a single innovation that probably a single creator came up with, and the natural evolution of that idea. I don't think we can call a company innovative or influential if it has really had only one instance of creativity.

One big question is: do the innovations have to be commercial successes to be considered innovative or influential? Apple creating the smart cell phone is certainly hugely successful, and the fact that it generated the highest profitability of any company in history means it counts as innovative and influential under anybody's definition. Netflix created Chaos Monkey and other open source tools that have had significant impact on the way many companies manage their IT infrastructure and deliver their cloud services. These things haven't resulted in an iota of income for Netflix, and yet they have had a big impact on many people, companies and industries. I would say that Netflix's innovation in delivering its service, and the fact that it has made much of that innovation open source, means that it has impacted and influenced. One could say these innovations have allowed them to succeed as a business, delivering their services better than anyone else.

100 most influential people

One book I read tried to rank the 100 most influential people in history. It did this by adding up all the citations and the length of articles about them in books. This seems like a possible answer to how to objectively identify the most influential or innovative companies, but the book admits the system breaks down for more recent innovations, so it won't work here.

I want to distinguish between companies which were once innovative and those that no longer seem to be producing innovations for some reason. This is a list of companies which have done something for us lately, not the has-beens.

As a result of thinking about this I believe that deciding what companies are the most innovative and influential is subjective and probably can’t be objectively defined.    So, let’s start by listing those companies who are indisputably incredibly innovative and influential.   I will call this list the indisputables.

To summarize: my list excludes very young companies that have only a single main innovation with numerous related innovations; it excludes companies that were innovative but have not innovated significantly in the last 5 years; and it excludes companies outside of tech, simply because this is my area of expertise. I am not using a rigorous methodology because I think it's not possible at this time.

This is my “indisputable list.”  It might be interesting to add a more disputable list of companies or maybe recently innovative new companies.

The Indisputable list of most Innovative Influential Tech Companies (Alphabetical Listing)


1.  Adobe

Adobe has innovated in numerous fields and in numerous ways over the years. They have spearheaded the technology for creative professionals in a number of fields, and they have made their impact on the web with Flash. They have had amazing sticking power for some of their ideas, like the PDF format. Most recently, Adobe has managed to engineer a transition from a license-oriented company to a SaaS company with a rising stock price, something thought nearly impossible. You have to admit that Adobe's success is improbable: the industries it caters to are notably fickle and resistant to long-term value creation. Yet Adobe has time after time produced lasting innovative change.


2. Amazon

I don't believe anybody imagined Amazon would invent "the cloud." Jeff Bezos deserves a little credit for the durability and strength of innovation in his company. Not many book retailers transform the world; let's say NONE other than Amazon. The cloud is a $100 billion business in 2014. Amazon has a good stake in the business it created and leads, but it is only one of many companies taking advantage of the ideas it has pioneered. Some of the recent innovations Amazon has spearheaded besides "the cloud" include the recently released Echo and its soon-to-be-released drone delivery service. I don't think anyone seriously thinking of innovative companies can exclude Amazon. Amazon invented the Kindle, the Amazon Prime service and numerous other retail innovations that I think make it easily one of the most innovative companies in the world.


3. Apple

I remember purchasing an iPod in the very early days of iPods.  When it broke I decided to try a competitor’s product.  After all, in the consumer electronics industry there is hardly ever any company with >5% market share, and the products are all roughly competitive.  I returned the competing product within days when I learned how far off the competition was from Apple.  I am constantly astounded that Apple maintains a 70+% market share in markets where 5% is typical.  Competitors simply don’t “get it,” even when the thing is sitting right in front of them.  How stupid are the competitors of Apple?  Some of the amazing things Apple has done recently include the App Store, which generated 600,000 apps in 2 years; nobody imagined this.  Apple has single-handedly changed what is considered a user interface for applications.  iTunes revolutionized music delivery.  There is the iPad, which I never thought would be successful, and recently the iWatch, which I refuse to comment on for fear of being wrong about Apple again.  Apple Pay, Apple Health, and soon Apple Car will ship in Chrysler and other vehicles.  Apple has so many things in the works that it is single-handedly transforming the world of consumer electronics and the Internet of Things, which is estimated at $10 trillion.  It is even moving into health care.  How can you seriously exclude Apple from a list of the most innovative, influential companies EVER?


4. Cisco

Cisco has been an incredible innovator over the years, making the internet possible.  The evolution of communications technologies is “behind the scenes” for most people, but a bewildering evolution of technologies over the years has proven Cisco’s continuous-innovation credentials.  Over the last 10 years it hasn’t been as clear that Cisco has been innovating as much or as fast; companies such as Qualcomm in communications and LG in Europe have eaten its cake in mobile.  Cisco has been spearheading SDN, a technology critical to making the cloud cheaper and easier to manage.


5. Google

This is another hands-down, no-questions influential company.  When Google started, people asked how the company would ever make money.  Nobody had any idea and it became a joke.  It is no joke today.  The company routinely innovates new services and new products at a torrid pace.  It is simply beyond question one of the most innovative companies ever.  Google has recently been experimenting with self-driving cars, which nobody thought was even remotely possible a few years ago; delivery from the first manufacturers is planned for 2020.  Google consistently innovates in the software industry, and with its open source projects it drives progress in all aspects of software.  Its influence cannot be overestimated.  Some of the innovation I worry about: its near-monopoly position in many businesses such as personal cloud services, search, and advertising means it has more data and knowledge of every living person on this earth than any government or other company.  Its recent innovations in the Internet of Things are very interesting and unproven.  Google has been doing groundbreaking work on artificial intelligence with deep learning and quantum computers.  Android is the only serious competitor to Apple’s iOS for cell phones, and Google’s ability to maintain competitiveness with Apple points to the strength of its innovation.  I personally think many software aspects of its phones are better than Apple’s.


6. IBM

I put IBM on the list because this is a company I never thought would be relevant today.  When Microsoft and the PC virtually destroyed the mainframe, it seemed a virtual certainty the company would die or become a has-been.  IBM continues to embrace and innovate in technology and services.  It has had to rebuild itself from the ground up.  It has recently done things such as Watson in artificial intelligence and is working on quantum computers.  It has significant efforts in open source projects, cloud, and big data.  IBM is unbelievable in its ability to keep reinventing itself and remaining relevant.  While I can see it is struggling to remain on this list, I am impressed by its history of innovation as well.  I am convinced this is a company we have not heard the last from, and it is constantly underestimated.


7. Intel

This is another no-brainer.  Intel has been behind Moore’s law for decades.  Innovation at Intel at a breakneck pace was de rigueur: innovation on schedule, 150% a year, year after year, for decades.  Intel today is still the biggest CPU maker, but it has not been as innovative in taking its hardware business into mobile.  It has significant legs in IoT but has missed the initial hobbyist and most cost-effective IoT hardware spaces.  I put Intel on notice that its indisputable record of innovation over time is tarnishing badly.  It needs some big wins in IoT, in quantum computers, and/or in some other areas nobody imagines; possibly cars, batteries, or something new.


8. Netflix

Netflix started as a DVD rental company; many may not remember that.  Its transformation into the leading media distribution company hasn’t been easy, and there have been numerous changes.  Along the way Netflix broke its business in two, then reintegrated it.  It decided to build on the cloud early and has spearheaded making the cloud work along the way, using open source and contributing to the development of cloud technology that many companies now leverage.  Netflix started creating its own content, a revolutionary idea for what is primarily a technology company.


9. Salesforce

When Marc Benioff started Salesforce, I spoke at many conferences where Marc would speak.  I saw the brilliance he was trying to achieve, but they had significant obstacles.  Nobody knew if you could take a SaaS version of CRM and make it succeed.  Along the way Salesforce has innovated its way into a powerhouse that drives business around the world.  It has legitimized SaaS for businesses.  It has laid ruin to its competitors and created new paradigms for how businesses leverage their sales information.  The development of the platform was a significant innovation in the delivery of applications and integration.  Salesforce continues to innovate in the social aspects of sales.


10. Tesla

I admit that Tesla is on the margin of my definition of innovative companies, since it is young and basically has one product, the Model S electric car.  However, Tesla has innovated at an incredible pace and is innovating well outside the traditional car manufacturer’s domain.  I believe Tesla has created disruptive potential for the car service industry, the IoT car, the self-driving car, the user interface of a car, the safety of a car, the fuel industry, and fuel distribution.  Innovating and disrupting each of these areas is not necessary to the basic business of building an electric car; Tesla sees that its success depends on solving the holistic problem for the car owner.  This is similar to Steve Jobs’ idea that to compel loyalty and grow an innovation you have to give the consumer the ability to use the innovation, service it, really live with it, and grow with it.  I have written a blog about all this innovation Tesla has created that is disrupting multiple aspects of the car business.  See my blog: tesla-update-how-is-the-first-iot-smart-car-connected-car-faring


Just barely missed my list:

11. Samsung


12. SpaceX

13. Oracle


I want to make clear that I do not consider this list comprehensive, and I am absolutely happy to take additional candidates for it.  My conditions for companies to be on this list are that they have a history of world-changing innovation more than once, and that they have continued to innovate in the last 5 years.

Afkham AzeezAWS Clustering Mode for WSO2 Products

WSO2 Clustering is based on Hazelcast. When WSO2 products are deployed in clustered mode on Amazon EC2, it is recommended to use the AWS clustering mode. As a best practice, add all nodes in a single cluster to the same AWS security group.

To enable AWS clustering mode, you simply have to edit the clustering section in the CARBON_HOME/repository/conf/axis2/axis2.xml file as follows:

Step 1: Enable clustering

<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">

Step 2: Change membershipScheme to aws

<parameter name="membershipScheme">aws</parameter>

Step 3: Set localMemberPort to 5701

Any value between 5701 & 5800 is acceptable:
<parameter name="localMemberPort">5701</parameter>

Step 4: Define AWS specific parameters

Here you need to define the AWS access key, secret key & security group. The region, tagKey & tagValue are optional; the region defaults to us-east-1.

<parameter name="accessKey">xxxxxxxxxx</parameter>
<parameter name="secretKey">yyyyyyyyyy</parameter>
<parameter name="securityGroup">a_group_name</parameter>
<parameter name="region">us-east-1</parameter>
<parameter name="tagKey">a_tag_key</parameter>
<parameter name="tagValue">a_tag_value</parameter>

Provide the AWS credentials & the security group you created as values of the above configuration items.

Step 5: Start the server

If everything went well, you should not see any errors when the server starts up, and you should also see the following log message:

[2015-06-23 09:26:41,674]  INFO - HazelcastClusteringAgent Using aws based membership management scheme

and when new members join the cluster, you should see messages such as the following:
[2015-06-23 09:27:08,044]  INFO - AWSBasedMembershipScheme Member joined [5327e2f9-8260-4612-9083-5e5c5d8ad567]: /

and when members leave the cluster, you should see messages such as the following:
[2015-06-23 09:28:34,364]  INFO - AWSBasedMembershipScheme Member left [b2a30083-1cf1-46e1-87d3-19c472bb2007]: /

The complete clustering section in the axis2.xml file is given below:
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
    <parameter name="AvoidInitiation">true</parameter>
    <parameter name="membershipScheme">aws</parameter>
    <parameter name="domain">wso2.carbon.domain</parameter>

    <parameter name="localMemberPort">5701</parameter>
    <parameter name="accessKey">xxxxxxxxxxxx</parameter>
    <parameter name="secretKey">yyyyyyyyyyyy</parameter>
    <parameter name="securityGroup">a_group_name</parameter>
    <parameter name="region">us-east-1</parameter>
    <parameter name="tagKey">a_tag_key</parameter>
    <parameter name="tagValue">a_tag_value</parameter>

    <parameter name="properties">
        <property name="backendServerURL" value="https://${hostName}:${httpsPort}/services/"/>
        <property name="mgtConsoleURL" value="https://${hostName}:${httpsPort}/"/>
        <property name="subDomain" value="worker"/>
    </parameter>
</clustering>

sanjeewa malalgodaEnable debug logs and check token expire time in WSO2 API Manager

To do that, you can enable debug logs for the following class.

Then it will print the log produced by the following statement:
log.debug("Checking Access token: " + accessToken + " for validity." + "((currentTime - timestampSkew) > (issuedTime + validityPeriod)) : " + "((" + currentTime + "-" + timestampSkew + ")" + " > (" + issuedTime + " + " + validityPeriod + "))");

Then, whenever a call fails, we need to check for this log entry at that time. That gives a clear idea of how the validity period is calculated.

To enable debug logs, add the line below to the file that resides in /repository/conf/.

Then restart the server. You need to enable the debug log on the Identity Server side if you use IS as the key manager.

Then you can check how the token validity period behaves with each API call you make.
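The validity calculation printed in that debug log can be sketched as a standalone snippet. This is only an illustration of the formula shown in the log line, not the actual API Manager implementation; the class name and sample values are assumptions:

```java
// Minimal sketch of the validity check shown in the debug log above.
// The class name and sample values are illustrative assumptions, not
// the actual WSO2 API Manager implementation.
public class TokenValiditySketch {

    /**
     * Returns true when the token has expired, using the formula from
     * the debug log: (currentTime - timestampSkew) > (issuedTime + validityPeriod).
     * All values are in milliseconds.
     */
    static boolean isExpired(long currentTime, long timestampSkew,
                             long issuedTime, long validityPeriod) {
        return (currentTime - timestampSkew) > (issuedTime + validityPeriod);
    }

    public static void main(String[] args) {
        long issuedTime = 1_000_000L;      // time the token was issued
        long validityPeriod = 3_600_000L;  // 1 hour
        long timestampSkew = 300_000L;     // 5 minutes of allowed clock skew

        // Past the nominal expiry but still within the skew allowance
        System.out.println(isExpired(issuedTime + 3_800_000L, timestampSkew,
                issuedTime, validityPeriod)); // false
        // Well past the window, even allowing for skew
        System.out.println(isExpired(issuedTime + 4_000_000L, timestampSkew,
                issuedTime, validityPeriod)); // true
    }
}
```

Note how the timestamp skew effectively extends the token's lifetime: a token is only rejected once the current time, minus the skew, has passed the issued time plus the validity period.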

Pulasthi SupunWSO2 Governance Registry - Lifecycle Management Part 2 - Transition Validators

This is the second post of "WSO2 Governance Registry - Lifecycle Management" post series. In the first post - Part 1 - Check Items we gave a small introduction to lifecycle management in WSO2 Governance Registry and looked at how check items can be used and did a small sample on that. 

In this post we will look at transition validators, as mentioned in the previous post. As mentioned in Part 1, transition validations can be used within check items and can also be used separately (all validators are called only during a state transition; checking a check item will not call the validator). We will take a look at the same config, this time with two transition validation elements.

<aspect name="SimpleLifeCycle" class="org.wso2.carbon.governance.registry.extensions.aspects.DefaultLifeCycle">
    <configuration type="literal">
        <lifecycle>
            <scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initialstate="Development">
                <state id="Development">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Code Completed" forEvent="Promote">
                                <permission roles="wso2.eng,admin"/>
                                <validation forEvent="" class="">
                                    <parameter name="" value=""/>
                                </validation>
                            </item>
                            <item name="WSDL, Schema Created" forEvent=""/>
                            <item name="QoS Created" forEvent=""/>
                        </data>
                        <data name="transitionValidation">
                            <validation forEvent="" class="">
                                <parameter name="" value=""/>
                            </validation>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Tested"/>
                </state>
                <state id="Tested">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Effective Inspection Completed" forEvent=""/>
                            <item name="Test Cases Passed" forEvent=""/>
                            <item name="Smoke Test Passed" forEvent=""/>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Production"/>
                    <transition event="Demote" target="Development"/>
                </state>
                <state id="Production">
                    <transition event="Demote" target="Tested"/>
                </state>
            </scxml>
        </lifecycle>
    </configuration>
</aspect>

The first transition validation is within a check item (this part was commented out in the previous post), and the second one is a separate element; both are supported.

Writing Validators

A validator is a Java class that implements the "CustomValidations" interface. There are several validators that are already implemented, and it is also possible to write your own custom validator and add it. We will be looking at one of the validators that is shipped with the product; a custom validator would need to be written similarly. Please refer to the Adding an Extension documentation to see how a new extension can be added to the Governance Registry through the GUI.

The following is a validator that is shipped with the WSO2 Governance Registry.

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.governance.api.common.dataobjects.GovernanceArtifact;
import org.wso2.carbon.governance.api.exception.GovernanceException;
import org.wso2.carbon.governance.api.util.GovernanceUtils;
import org.wso2.carbon.governance.registry.extensions.interfaces.CustomValidations;
import org.wso2.carbon.registry.core.RegistryConstants;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.registry.core.jdbc.handlers.RequestContext;
import org.wso2.carbon.registry.core.session.UserRegistry;

import java.util.Map;

public class AttributeExistenceValidator implements CustomValidations {

    private static final Log log = LogFactory.getLog(AttributeExistenceValidator.class);
    private String[] attributes = new String[0];

    public void init(Map parameterMap) {
        if (parameterMap != null) {
            String temp = (String) parameterMap.get("attributes");
            if (temp != null) {
                attributes = temp.split(",");
            }
        }
    }

    public boolean validate(RequestContext context) {
        if (attributes.length == 0) {
            return true;
        }
        String resourcePath = context.getResourcePath().getPath();
        int index = resourcePath.indexOf(RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH);
        if (index < 0) {
            log.warn("Unable to use Validator For Resource Path: " + resourcePath);
            return false;
        }
        index += RegistryConstants.GOVERNANCE_REGISTRY_BASE_PATH.length();
        if (resourcePath.length() <= index) {
            log.warn("Unable to use Validator For Resource Path: " + resourcePath);
            return false;
        }
        resourcePath = resourcePath.substring(index);
        try {
            UserRegistry registry = (UserRegistry) context.getSystemRegistry();
            GovernanceArtifact governanceArtifact =
                    GovernanceUtils.retrieveGovernanceArtifactByPath(registry, resourcePath);
            for (String attribute : attributes) {
                if (!validateAttribute(governanceArtifact, attribute)) {
                    return false;
                }
            }
        } catch (RegistryException e) {
            log.error("Unable to obtain registry instance", e);
        }
        return true;
    }

    protected boolean validateAttribute(GovernanceArtifact governanceArtifact, String attribute)
            throws GovernanceException {
        return (governanceArtifact.getAttribute(attribute) != null);
    }
}

The "init" method is were the parameter that are defined under the validator tag is initialized. The "validate" method is were your validation logic goes this is the method that is called to do the validation. What this validator does is check whether the attributes names given as a parameter actually exist in the given aspect. If the attribute does not exist the validation will fail.

Configuring the Validator

<validation forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.validators.AttributeExistenceValidator">
    <parameter name="attributes" value="overview_version,overview_description"/>
</validation>

The fully qualified class name needs to be provided as the class name. The "forEvent" attribute specifies the action on which the validation needs to be triggered; here it is set to Promote. For a complete list of available validators please refer to the Supported Standard Validators documentation. Now you can add the validator configuration we commented out in the first post and check out the functionality of validators.

Please leave a comment if you need any more clarification. The next post of this series will cover transition permissions.

Pulasthi SupunWSO2 Governance Registry - Lifecycle Management Part 1 - Check Items

Lifecycle Management (LCM) plays a major role in SOA governance. The default LCM supported by the WSO2 Governance Registry allows users to promote and demote the lifecycle states of a given resource. Furthermore, it can be configured to use checklists as well; check out the documentation here.

The lifecycle configuration template allows advanced users to extend its functionality through six data elements, which are listed below:
  • check items
  • transition validations
  • transition permissions
  • transition executions
  • transition UI
  • transition scripts
Below is the full template of the lifecycle configuration. In this article series we will take a look at each item and see how they can be used to customize lifecycle management in WSO2 Governance Registry. In this article we will look at check items.

check items

Check items allow you to define a list, essentially a check list, that can be used to control changes in lifecycle states and make sure specific requirements are met before the lifecycle is changed to the next state. It is also possible to:
  • Define permissions for each check item
  • Define custom validations for each check item
To check this out we will create a sample lifecycle with a new set of check items. First we have to create a new lifecycle; the steps to create one can be found here - Adding Lifecycles. There will be a default lifecycle configuration when you create one using those steps; since it is a complex configuration, we will replace it with the following configuration.

<aspect name="SimpleLifeCycle" class="org.wso2.carbon.governance.registry.extensions.aspects.DefaultLifeCycle">
    <configuration type="literal">
        <lifecycle>
            <scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initialstate="Development">
                <state id="Development">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Code Completed" forEvent="Promote">
                                <permission roles="wso2.eng,admin"/>
                                <!--
                                <validation forEvent="" class="">
                                    <parameter name="" value=""/>
                                </validation>
                                -->
                            </item>
                            <item name="WSDL, Schema Created" forEvent=""/>
                            <item name="QoS Created" forEvent=""/>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Tested"/>
                </state>
                <state id="Tested">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Effective Inspection Completed" forEvent=""/>
                            <item name="Test Cases Passed" forEvent=""/>
                            <item name="Smoke Test Passed" forEvent=""/>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Production"/>
                    <transition event="Demote" target="Development"/>
                </state>
                <state id="Production">
                    <transition event="Demote" target="Tested"/>
                </state>
            </scxml>
        </lifecycle>
    </configuration>
</aspect>

As you can see, several check items are listed under the "Development" and "Tested" states. The two main attributes in the check item data element are name and forEvent.

name - The name of the check item; this is the text that will be displayed for the check item.
forEvent - The event that is associated with this check item. For example, if forEvent is set to "Promote", this check item must be checked in order to proceed with the promote operation for that state.

Custom permissions

As you can see, in the "Development" state there is a sub-element as follows:
<permission roles="wso2.eng,admin"/>

In this element it is possible to define the set of roles that are allowed to check this check item. In this sample, only engineers and admins are allowed to check this item.

Custom validations
<validation forEvent="" class="">
    <parameter name="" value=""/>
</validation>

As seen in the commented-out section under the "Code Completed" check item, it is also possible to define custom validations. But the validations will only be called during a state transition. We will look into custom validations under "transition validations" in the next post.

Now you can save the newly created lifecycle configuration and use it in an artifact like an "api" or "service" and see its functionality.

We will look at Transition Validations and how to use them in the next post of this series.

Afkham AzeezHow AWS Clustering Mode in WSO2 Products Works

In a previous blog post, I explained how to configure WSO2 product clusters to work on Amazon Web Services infrastructure. In this post I will explain how it works.

 WSO2 Clustering is based on Hazelcast.

All nodes having the same set of cluster configuration parameters will belong to the same cluster. What Hazelcast does is, it calls AWS APIs, and then gets a set of nodes that satisfy the specified parameters (region, securityGroup, tagKey, tagValue).

When the Carbon server starts up, it creates a Hazelcast cluster. At that point, it calls EC2 APIs and gets the list of potential members in the cluster. To call the EC2 APIs, it needs the AWS credentials. This is the only time these credentials are used; AWS APIs are only called at startup to learn about other potential members in the cluster. Then it tries to connect to port 5701 of those potential members, and if 5701 is unavailable, it does a port scan up to 5800. If one of those ports is open, it will do a Hazelcast handshake to make sure the peer is indeed a Hazelcast node, and will add it to the cluster if it is.
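The discovery flow described above can be roughly sketched as follows. This is a simplified illustration, not Hazelcast's actual implementation; every class and method name here is an assumption:

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

// Simplified sketch of the member-discovery flow described above.
// Hazelcast's real implementation differs; every name here is an assumption.
public class AwsDiscoverySketch {

    static final int FIRST_PORT = 5701;
    static final int LAST_PORT = 5800;

    /** Scans a candidate host for the first open port in [5701, 5800]. */
    static int findOpenPort(String host, int timeoutMillis) {
        for (int port = FIRST_PORT; port <= LAST_PORT; port++) {
            try (Socket socket = new Socket()) {
                socket.connect(new InetSocketAddress(host, port), timeoutMillis);
                return port; // something is listening; a handshake would follow
            } catch (IOException ignored) {
                // port closed or host unreachable; try the next port
            }
        }
        return -1; // no Hazelcast-like listener found on this candidate
    }

    /** Builds the member list from candidates returned by the EC2 API call. */
    static List<String> discoverMembers(List<String> candidateHosts) {
        List<String> members = new ArrayList<>();
        for (String host : candidateHosts) {
            int port = findOpenPort(host, 200);
            if (port > 0) {
                // In the real flow, a Hazelcast handshake confirms the peer
                // before it is added to the cluster
                members.add(host + ":" + port);
            }
        }
        return members;
    }
}
```

The candidate host list in the real flow comes from the EC2 describe-instances call filtered by region, security group, and tag; the sketch simply takes it as input.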

Subsequently, the connections established between members are point-to-point TCP connections. Member failures are detected through a TCP ping. So once member discovery is done, the rest of the interactions in the cluster are the same as when the multicast and WKA (Well Known Address) modes are used.

With that facility, you don't have to provide any member IP addresses or hostnames, which may be impossible on an IaaS such as EC2.

sanjeewa malalgodaHow to enable AWS based clustering mode in WSO2 Carbon products (WSO2 API Manager cluster with AWS clustering)

To try AWS-based clustering, change the membership scheme to aws and then provide the following parameters in the clustering section of the axis2.xml file. Before you try this on API Manager 1.8.0, please download this jar [JarFile] file and add it as a patch.

1. accessKey       
<parameter name="accessKey">TestKey</parameter>

2. secretKey
 <parameter name="secretKey">testkey</parameter>

3. securityGroup       
<parameter name="securityGroup">AWS_Cluster</parameter>

4. connTimeout (optional)
5. hostHeader (optional)
6. region (optional)
7. tagKey (optional)
8. tagValue (optional)

See following sample configuration. Edit clustering section in the CARBON_HOME/repository/conf/axis2/axis2.xml file as follows.

<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
        <parameter name="AvoidInitiation">true</parameter>
        <parameter name="membershipScheme">aws</parameter>
        <parameter name="domain"></parameter>
        <parameter name="localMemberPort">5701</parameter>
        <parameter name="accessKey">test</parameter>
        <parameter name="secretKey">test</parameter>
        <parameter name="securityGroup">AWS_Cluster</parameter>
</clustering>

By default, Hazelcast uses port 5701. It is recommended to create a Hazelcast-specific security group. Then, an inbound rule for port 5701 from sg-hazelcast needs to be added to this security group:
1. Open the Amazon EC2 console.
2. Click Security Groups in the left menu.
3. Click Create Security Group, enter a name (e.g. sg-hazelcast) and a description for the security group, and click Yes, Create.
4. On the Security Groups page, select the security group sg-hazelcast in the right pane.
5. Below the security group list you will see a field with the tabs Details and Inbound. Select Inbound.
6. Select Custom TCP rule in the Create a new rule field.
7. Type 5701 into the Port range field and sg-hazelcast into Source.

Then, when the cluster initializes, all nodes in the same security group will be added as WKA members.
Once you are done with the configurations, restart the servers.

Then you will see the following messages in the carbon logs.
[2015-06-23 10:02:47,730]  INFO - HazelcastClusteringAgent Cluster domain:
[2015-06-23 10:02:47,731]  INFO - HazelcastClusteringAgent Using aws based membership management scheme
[2015-06-23 10:02:57,604]  INFO - HazelcastClusteringAgent Hazelcast initialized in 9870ms
[2015-06-23 10:02:57,611]  INFO - HazelcastClusteringAgent Local member: [5e6bd517-512a-45a5-b702-ebf304cdb8c4] - Host:, Remote Host:null, Port: 5701, HTTP:8280, HTTPS:8243, Domain:, Sub-domain:worker, Active:true
[2015-06-23 10:02:58,323]  INFO - HazelcastClusteringAgent Cluster initialization completed
Then spawn the next instance. When the next server's startup completes, you will see the following message on the current node.
[2015-06-23 10:06:21,344]  INFO - AWSBasedMembershipScheme Member joined [417843d3-7456-4368-ad4b-5bad7cf21b09]: /
Then terminate the second instance; you will see the following message.
[2015-06-23 10:07:39,148]  INFO - AWSBasedMembershipScheme Member left [417843d3-7456-4368-ad4b-5bad7cf21b09]: /
This means you have done the configuration properly.

John MathonServices, Micro-services, Devices, Apps, APIs what’s the difference?

What is the difference between a Device and a Service?


The internet of things is going to have a big impact on technology and business.   Let’s look at some ways we should change how we think of services and devices.

We are facing some interesting paradigm changes as our Platform 3 software platform evolves.   Platform 3 is the combination of new technologies related to mobile, the cloud and social that are redefining how we make software and deliver it.

[Block diagram: Platform 3]

How should we think about managing devices versus services?  In some ways these things are very similar.  We want to manage them similarly, in the sense that it would be ideal to think of physical devices as simply conduits of information to and from the physical world, without having to worry about their physical aspects too much.  We do this with multi-tiered architecture, separating the physical layer from the abstract layers we use in programming.

A service, micro-service and a device all have the following features in common:

Common Features:

1. Have an interface for communicating, managing, and getting data to and from them: a clearly defined set of APIs
2. Can have many instances
3. Need authentication to control access, and entitlement to control which aspects are available to each entity requesting access
4. The interaction can be request-reply or publish-subscribe
5. The location of the service or device may be important
6. Provide a minimal set of functions around a single purpose that can be described succinctly
7. Have a cost of operating, a maximum throughput, and operational characteristics and configuration details per instance
8. May be external or owned by an external party
9. Usually have a specific URI to refer to a particular entity
10. Have access to a limited set of data defined in advance
11. Can depend on or be depended on by many other services or devices
12. Can be part of larger groups of entities in multiple non-hierarchical relationships
13. Orchestration of higher-level capabilities involves interacting with multiple services or devices
14. Need to be monitored for health, managed for security and failure, have their configuration changed, and all the corresponding best-practice management aspects of this
15. Have a social aspect, where people may want to know all about or comment on the specific service or device, or the class of services and devices
16. Can be infected with malware or viruses, or compromised in similar ways
17. Can have side effects or be purely functional
18. May have data streams associated with their activity
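To make the overlap concrete, these common features could be captured in a shared abstraction. The sketch below is a hypothetical Java interface; all names are illustrative assumptions, not an actual product API:

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

// Hypothetical sketch of a shared abstraction over services, micro-services,
// and devices, based on the common features listed above. All names are
// illustrative assumptions, not an actual product API.
public interface ManagedAsset {

    URI uri();                                 // 9. specific URI per entity
    String purpose();                          // 6. single, succinctly described purpose
    boolean authenticate(String credential);   // 3. access control
    Map<String, String> configuration();       // 7. per-instance configuration
    List<ManagedAsset> dependencies();         // 11. depends on other services/devices
    HealthStatus checkHealth();                // 14. monitored for health

    enum HealthStatus { HEALTHY, DEGRADED, FAILED }
}
```

A device, a micro-service, or an API could each implement such an interface, which is what makes a single catalog or store covering all of them plausible.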

Some differences between Services and Devices:

1. Services are multi-tenant with data isolation per tenant; devices usually have only one tenant.
2. Devices have a physical existence and can be physically compromised, stolen, or tampered with.
3. Devices possibly have a physical interface for humans; services do not.
4. Devices may have data embedded in the device, whereas services are usually designed to be stateless.
5. Devices may be mobile, with changing location.
6. Device connectivity can be marginal at times, with low bandwidth, or nonexistent.
7. A device may have compromised functionality but still work; services are usually either working or not working.
8. Service failover can be as simple as spinning up new virtual instances, while physical failure usually involves physical replacement. A service failure may point to a physical device failure but is usually not dependent on any particular physical device, i.e. the service can be replicated on similar abstract hardware.
9. A physical device may produce erroneous results or be out of calibration.
10. Services can be scaled dynamically and instantly, whereas devices need a manual component to be scalable.
11. Devices have a physically unique identification such as a MAC address or NFC id, whereas services are usually fungible and identified uniquely by a URI.

Publish and Socialize to Facilitate Reuse

Enterprise Store or Catalog

It is apparent that devices and services have a large number of common characteristics. Especially important are the social aspects and interdependence, which make it desirable to share the same interface for looking at services, micro-services, devices, and APIs.

Apps are more like devices and depend on services.   Apps, Services and Devices share a number of characteristics as well.

To make all these things more reusable, it is desirable to put them in a store or repository where people can comment and share useful information with prospective users.  Thus the concept of the Enterprise Store makes complete sense, where the store can hold any asset that might be shared.

Each asset, including APIs, mobile apps, services, and micro-services, can have social characteristics, health characteristics, instances, and owners, can belong to groups, and needs to be permissioned and allocated.  Further, you will undoubtedly want to track usage, and to monitor and maintain the asset through upgrades and its lifecycle.  You will also want to be able to revoke permission, limit usage, or wipe the device.

Apps are usually built up from APIs and devices.  Orchestration of multiple devices and services together also makes having a common interface a good idea.  Using this interface you can see the dependencies and easily combine APIs, devices, and apps to build new functionality.


Device management vs Service Management

There are some differences, outlined above, between services and devices.

Additional security capabilities are needed with physical devices, similar to the kinds of things that cell phones and EMM can do.  EMM systems have the ability to ensure encryption of data at rest, to box the data on the device, and to delete it with or without the owner's permission or physical possession of the device.  Geofencing is an important capability for devices, since some devices may be considered stolen when outside a defined area.

It’s also important to be able to tell if a device is being tampered with or has been compromised and set up appropriate measures to replace or recover the device.

Devices inherently collect data that is user-specific or location-specific, which has implications for privacy.

The fact that devices can sometimes have marginal or zero connectivity means the management must be able to take advantage of opportunities when a device is connected as well as to set reminders and queue activities for when a device does become available.

Since the inventory of devices is more problematic and can't be "dynamically created on demand", a link to the acquisition systems and to automatic configuration and security management services is desirable.    Monitoring their health and being responsive to impending failure is important, whereas a service will fail for completely different reasons.

There are other issues with devices versus service management that can be encapsulated in an abstraction layer.

Device Management Platform

The Connected Device Management Framework Layer

For many reasons, an IoT or IIoT architecture with many devices presents management problems that need to be abstracted away to be handled effectively.

1.  The communication layers differ depending on the device.  Today there are well over a dozen different protocols and physical layer standards.  This number will hopefully decline as the market converges, but the differing requirements for communication are real and will require different solutions, so there will never be a single "IoT" protocol or communication paradigm.  Some devices have persistent always-on communication but many devices cannot afford that level of connectivity.  Some have marginal connectivity, to the point where, as with NFC devices, not much more than presence is communicated.    Some devices have mesh capability to help propagate messages from other devices and some don't.  As a result of differing power and physical limitations there is a need for multiple protocols and different connectivity models that will never go away.

2.  Some devices have APIs that can be directly communicated with, some are passive devices only reporting information and can take no action, some are only action and don’t report or measure anything.  Some talk to a server that is their proxy.  Some devices have SDKs.  Some have GPS capability and some can only report their proximity to other devices.

3.  Due to the variety of manufacturers some devices will only work in a relatively proprietary environment and some are much more standards compliant and open.

Due to all these variations, which seem impossible to bridge in the short term, it is my belief that the only way to support a variety of devices is through an abstraction layer with support for multiple device types, protocols and connectivity models.

WSO2 has created such a device abstraction layer, called the "Connected Device Management Framework (CDMF)", which allows a variety of standard and proprietary protocols and management interfaces to be added.  The LWM2M standard for device management, an outgrowth of the OMA mobility standard, can be supported, and other standard or even proprietary management can be added into this open framework.  I believe other vendors should adopt such a CDMF layer.

The CDMF layer includes management capabilities, device definition, communication and orchestration, data management and understanding relationships of devices and services.

The general management capabilities of all management platforms, things like security, the device catalog, upgrading and device health, can be abstracted and delegated to specific handlers for different devices.   The need for this is important because there is no hope that the vast array of manufacturers will agree on a common standard soon.  Even if such an agreement could be reached, there would still be billions of legacy devices that may need to be worked with.   So, a CDMF is the way to go.

IoT Cloud Tiering

Tiered Data Architectures

Most industrial applications of IoT devices will incorporate the notion of functional and regional grouping of devices.    Many IoT devices will put out voluminous amounts of data.  Storing all that data in the cloud would represent a 100-fold increase in cloud storage needs.   It is not really practical to store all data from all devices for all time, and to do so in a single place, as the data is usually better used locally.

As an example, imagine all the video feeds from security cameras across a company.  Unless there is an incident it is usually not necessary to keep the entire full-resolution copy from all those devices for all time.   So, when an incident is discovered you might tag the detailed information so that it is maintained, or to do research you might pull certain information from a region or all regions; but in general, after an expiration period you would maintain more and more abstracted versions of the original data.

A management architecture for services or devices should support the notion of regional data stores, regional services and devices as well as being able to catalog devices by tags that represent functional capabilities such as all security devices, all mobile phones, all telepresence devices, all devices in Sales or Finance.  It should be possible to tier data along various functional, regional or other criteria as fits the application.
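As a toy sketch of the tag-based cataloging idea above (device IDs and tag names are invented for illustration; this is not a real catalog API), a query such as "all security devices in one region" reduces to filtering assets by a set of tags:

```java
import java.util.List;
import java.util.Set;

public class DeviceCatalogSketch {
    // A catalog entry: a device ID plus the functional/regional tags attached to it
    record Device(String id, Set<String> tags) {}

    public static void main(String[] args) {
        List<Device> catalog = List.of(
                new Device("cam-001", Set.of("security", "emea")),
                new Device("cam-002", Set.of("security", "apac")),
                new Device("phone-17", Set.of("mobile", "emea")));

        // "All security devices in the EMEA region" is just a tag intersection
        catalog.stream()
                .filter(d -> d.tags().containsAll(Set.of("security", "emea")))
                .forEach(d -> System.out.println(d.id()));
    }
}
```

The same filter generalizes to any functional or regional grouping by changing the tag set.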

API Management overview

Multi-tiered services / device architecture

There is a need in service and device management to support multi-tiered architectures.   The best practice of multi-tiering promotes agility by enabling abstraction of a service or device.   The service or device can be replaced at will, or improved at a different pace from the services that depend on it.

So, you can swap the physical device for a competing device, move to a new API for the device, or add new functionality without having to change the code of all the applications that depend on that device.     Similarly, if you change the applications that use devices, the devices themselves shouldn't have to change to support the applications.

Multi-tiered architectures started primarily from the need to isolate database design from application design.  The database designers could organize databases for maximum performance without impacting the application design.   New fields could be added to support new features, and existing applications which didn't need those features wouldn't have to be changed.   More importantly, they wouldn't crash or fail unexpectedly when you made changes, because they were insulated from those changes.

In a similar way, devices should be abstracted into service APIs or proxies that represent idealized devices or views of a device, which insulate you from changes to devices and similarly allow you to change applications without having to change devices.
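The insulation idea can be sketched in a few lines (vendor names and units are invented for illustration): applications code against an idealized device interface, and each vendor-specific quirk is hidden behind a proxy, so swapping vendors requires no application change.

```java
import java.util.Locale;

public class DeviceProxySketch {
    // Idealized view of a device; applications depend on this, not on a vendor API
    interface TemperatureSensor {
        double readCelsius();
    }

    // Hypothetical vendor A reports tenths of a degree Celsius; the proxy hides that
    static class VendorASensor implements TemperatureSensor {
        public double readCelsius() { return 215 / 10.0; }
    }

    // Hypothetical vendor B reports Fahrenheit; the proxy converts it
    static class VendorBSensor implements TemperatureSensor {
        public double readCelsius() { return (70.7 - 32) * 5 / 9; }
    }

    public static void main(String[] args) {
        // The application loop is identical regardless of which vendor is plugged in
        for (TemperatureSensor s : new TemperatureSensor[] { new VendorASensor(), new VendorBSensor() }) {
            System.out.printf(Locale.ROOT, "%.1f%n", s.readCelsius());
        }
    }
}
```

Both proxies report the same idealized reading, so the application is unaware of which physical device sits behind the interface.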

Other Stories you may find interesting:

Merging Microservice Architecture with SOA Practices

Do Good Microservices Architectures Spell the Death of the Enterprise Service Bus?

Management of Enterprises with Cloud, Mobile Devices, Personal Cloud, SaaS, PaaS, IaaS, IoT and APIs

Chanaka FernandoExtending WSO2 ESB with a Custom Transport Implementation - Part II

This blog post is a continuation of my previous blog post, where I described the concepts of the WSO2 ESB transport mechanism. Since we have covered the basics, let's start writing some real code. I will be using the ISO8583 standard as the subject of this custom implementation. I will be grabbing some content from this blog post as my reference for the ISO8583 Java implementation (business logic). Thanks, Manoj Fernando, for writing such an informative post.

The idea of the custom transport implementation is to provide a mechanism for plugging your own business logic into the WSO2 ESB runtime. I am not going to say much about ISO8583 or its internal implementation. I will be using jPOS, an already-implemented Java library, for this purpose.  It covers the basic use cases of ISO8583 implementations.

Sample use case

Let's take the scenario of a financial application needing to make a credit transaction by sending an XML message, which needs to be converted to an ISO8583 byte stream before being passed on to the wire through a TCP channel.


First, we need to define our ISO8583 field definition.  This might be a bit confusing to some.  If we are dealing with a specification, why do we need a field definition?  This is because the ISO8583 specification does not hard-bind any data elements and/or field ordering. It is entirely up to the application designer to define which field types/IDs need to be placed for their specific transactional requirements.

At a glance, the field definition file looks like the following.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE isopackager SYSTEM "genericpackager.dtd">
<isopackager>
  <!-- id/length/class attribute values below are illustrative; see jposdef.xml in the codebase for the full definition -->
  <isofield id="0" length="4" name="Message Type Indicator" class="org.jpos.iso.IFA_NUMERIC"/>
  <isofield id="2" length="19" name="Primary Account number" class="org.jpos.iso.IFA_LLNUM"/>
  <isofield id="3" length="6" name="Processing Code" class="org.jpos.iso.IFA_NUMERIC"/>
</isopackager>


Please refer to [1] & [2] for a complete reference on ISO8583.   For now, let me just say that each field should have an ID, a length and a type specified in its definition.  I have only listed a snippet of the XML config here; you may find the full definition, jposdef.xml, inside the codebase.
I have created a simple maven project to implement this transport.  Make sure that you have included the jPOS dependencies on pom.xml as follows.
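A minimal dependency section would look something like the following sketch; `org.jpos:jpos` are the standard jPOS Maven coordinates, and the version is assumed from the jpos-1.9.0.jar used later in this post:

```xml
<dependency>
    <groupId>org.jpos</groupId>
    <artifactId>jpos</artifactId>
    <version>1.9.0</version>
</dependency>
```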

To implement the transport sender, you need to subclass the AbstractTransportSender and implement its sendMessage method as follows.

public class ISO8583TransportSender extends AbstractTransportSender {

public void sendMessage(MessageContext msgCtx, String targetEPR,
OutTransportInfo outTransportInfo) throws AxisFault {

try {
URI isoURL = new URI(targetEPR);
ISOPackager packager = new GenericPackager(this.getClass()

ASCIIChannel chl = new ASCIIChannel(isoURL.getHost(),
isoURL.getPort(), packager);

                        writeMessageOut(msgCtx, chl);

} catch (Exception e) {
throw new AxisFault(
"An exception occured in sending the ISO message");


     * Writting the message to the output channel after applying correct message formatter
     * @param msgContext
     * @param chl
     * @throws org.apache.axis2.AxisFault
     * @throws
    private void writeMessageOut(MessageContext msgContext,
                                 ASCIIChannel chl) throws AxisFault, IOException {
        ISO8583MessageFormatter messageFormatter = (ISO8583MessageFormatter)BaseUtils.getMessageFormatter(msgContext);
        OMOutputFormat format = BaseUtils.getOMOutputFormat(msgContext);
        messageFormatter.writeTo(msgContext, format, null, true);

Within the TransportSender, we extract the URL, create the relevant entities for the Message Formatter and pass control to the MessageFormatter. Within the MessageFormatter, we can send the actual message to the back-end server.

public class ISO8583MessageFormatter implements MessageFormatter {

    private ASCIIChannel asciiChannel;

    public byte[] getBytes(MessageContext messageContext, OMOutputFormat omOutputFormat) throws AxisFault {
        return new byte[0];
    }

    public void writeTo(MessageContext messageContext, OMOutputFormat omOutputFormat, OutputStream outputStream, boolean b) throws AxisFault {
        ISOMsg isoMsg = toISO8583(messageContext);
        ASCIIChannel chl = this.asciiChannel;
        try {
            // Connect to the back-end server and send the packed ISO message
            chl.connect();
            chl.send(isoMsg);
            chl.disconnect();
        } catch (Exception ex) {
            throw new AxisFault(
                    "An exception occurred in sending the ISO message", ex);
        }
    }

    public String getContentType(MessageContext messageContext, OMOutputFormat omOutputFormat, String s) {
        return null;
    }

    public URL getTargetAddress(MessageContext messageContext, OMOutputFormat omOutputFormat, URL url) throws AxisFault {
        return null;
    }

    public String formatSOAPAction(MessageContext messageContext, OMOutputFormat omOutputFormat, String s) {
        return null;
    }

    public ISOMsg toISO8583(MessageContext messageContext) throws AxisFault {
        SOAPEnvelope soapEnvelope = messageContext.getEnvelope();
        OMElement isoElements = soapEnvelope.getBody().getFirstElement();

        ISOMsg isoMsg = new ISOMsg();

        Iterator<OMElement> fieldItr = isoElements.getFirstChildWithName(
                new QName(ISO8583Constant.TAG_DATA)).getChildrenWithLocalName(
                ISO8583Constant.TAG_FIELD); // constant name assumed: the local name of the <field> elements

        String mtiVal = isoElements
                .getFirstChildWithName(new QName(ISO8583Constant.TAG_CONFIG))
                .getFirstChildWithName(new QName(ISO8583Constant.TAG_MTI))
                .getText();

        try {
            isoMsg.setMTI(mtiVal);

            while (fieldItr.hasNext()) {

                OMElement isoElement = (OMElement) fieldItr.next();

                String isoValue = isoElement.getText();

                int isoTypeID = Integer.parseInt(isoElement.getAttribute(
                        new QName("id")).getAttributeValue());

                isoMsg.set(isoTypeID, isoValue);
            }

            return isoMsg;

        } catch (ISOException ex) {
            throw new AxisFault("Error parsing the ISO8583 payload");
        } catch (Exception e) {
            throw new AxisFault("Error processing stream");
        }
    }

    public ASCIIChannel getAsciiChannel() {
        return asciiChannel;
    }

    public void setAsciiChannel(ASCIIChannel asciiChannel) {
        this.asciiChannel = asciiChannel;
    }
}

Here, within the formatter, we transform the XML message into an ISO8583 binary message and send it to the back-end server.

This is only an example of dividing your message sending logic into a message sender and a message formatter. You can design your implementation according to your requirements. Sometimes you may not need a specific formatter, and you can do the formatting in the sender itself. But I have delegated part of the message handling to the message formatter for demonstration purposes.

Likewise, you can write a message receiver and message builder for receiving messages via the ISO8583 protocol. I will leave that as an exercise for the reader.

Once we have the message sender and formatter implemented, we need to register them in the axis2.xml file. Let's go to the axis2.xml file and add the following two entries there.

        <messageFormatter contentType="application/iso8583"
                          class="org.wso2.transport.iso8583.ISO8583MessageFormatter"/>

<transportSender name="iso8583" class="org.wso2.transport.iso8583.ISO8583TransportSender"/>

Once you create the jar file from your custom transport implementation code, place it in the ESB_HOME/repository/components/lib directory.

If you are done with the above steps, you can start the ESB server.

Let's create a sample API to interact with this custom transport implementation. Here is the API definition.

<api xmlns="http://ws.apache.org/ns/synapse" name="iso8583" context="/iso8583">
   <resource methods="POST GET">
      <inSequence>
         <log level="full"/>
         <property name="OUT_ONLY" value="true"/>
         <property name="FORCE_SC_ACCEPTED" value="true" scope="axis2"/>
         <property name="messageType" value="application/iso8583" scope="axis2"/>
         <send>
            <endpoint name="isoserver">
               <address uri="iso8583://localhost:5000"/>
            </endpoint>
         </send>
      </inSequence>
   </resource>
</api>

In the above configuration, I have specified the messageType as application/iso8583 such that it will engage the correct message formatter within the mediation flow. 

Now we need to create a sample TestServer to test the functionality against an ISO8583 back-end server. We can create a mock server using the jPOS library itself. Here is the code for the TestServer.

public class TestServer implements ISORequestListener {
    static final String hostname = "localhost";
    static final int portNumber = 5000;

    public static void main(String[] args) throws ISOException {

        ISOPackager packager = new GenericPackager("jposdef.xml");
        ServerChannel channel = new ASCIIChannel(hostname, portNumber, packager);
        ISOServer server = new ISOServer(portNumber, channel, null);

        server.addISORequestListener(new TestServer());

        System.out.println("ISO8583 server started...");
        new Thread(server).start();
    }

    public boolean process(ISOSource isoSrc, ISOMsg isoMsg) {
        try {
            System.out.println("ISO8583 incoming message on host ["
                    + ((BaseChannel) isoSrc).getSocket().getInetAddress()
                    .getHostAddress() + "]");

            if (isoMsg.getMTI().equalsIgnoreCase("1800")) {

                receiveMessage(isoSrc, isoMsg);
                logISOMsg(isoMsg);
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return true;
    }

    private void receiveMessage(ISOSource isoSrc, ISOMsg isoMsg)
            throws ISOException, IOException {
        System.out.println("ISO8583 Message received...");
        ISOMsg reply = (ISOMsg) isoMsg.clone();
        // Field 39: response code "00" (approved); send the reply back to the source
        reply.set(39, "00");
        isoSrc.send(reply);
    }

    private static void logISOMsg(ISOMsg msg) {
        System.out.println("----ISO MESSAGE-----");
        try {
            System.out.println("  MTI : " + msg.getMTI());
            for (int i = 1; i <= msg.getMaxField(); i++) {
                if (msg.hasField(i)) {
                    System.out.println("    Field-" + i + " : "
                            + msg.getString(i));
                }
            }
        } catch (ISOException e) {
            e.printStackTrace();
        } finally {
            System.out.println("--------------------");
        }
    }
}



You can run the above program to mimic the ISO8583 server, and then we can send a message from a client such as the Advanced REST Client plugin in the Chrome browser. Our message payload should look like the following.

<iso8583message>
   <!-- wrapper element names assumed to match the ISO8583Constant tag names used in the formatter -->
   <config>
      <mti>1800</mti>
   </config>
   <data>
      <field id="3">110</field>
      <field id="5">4200.00</field>
      <field id="48">Simple Credit Transaction</field>
      <field id="6">645.23</field>
      <field id="88">66377125</field>
   </data>
</iso8583message>

When we send this message from the client, the ESB accepts the message, executes the message sender we have written, selects the message formatter and sends the message to the mock back-end server. You will see the following log printed on the TestServer side if you have done everything right.

ISO8583 server started...
ISO8583 incoming message on host []
ISO8583 Message received...
----ISO MESSAGE-----
  MTI : 1800
    Field-3 : 000110
    Field-5 : 000004200.00
    Field-6 : 000000645.23
    Field-48 : Simple Credit Transaction
    Field-88 : 0000000066377125
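The zero-padded field values above come from the packager applying the field definitions. As a tiny stdlib-only sketch of that idea (not jPOS; the lengths are taken from the output above), numeric-style fields are left-padded with zeros to their defined length:

```java
public class FieldPackingSketch {
    // Left-pad a value with zeros to the fixed length its field definition declares
    static String pack(String value, int length) {
        StringBuilder sb = new StringBuilder();
        for (int i = value.length(); i < length; i++) {
            sb.append('0');
        }
        return sb.append(value).toString();
    }

    public static void main(String[] args) {
        // Mirrors the padded values seen in the TestServer log above
        System.out.println("Field-3 : " + pack("110", 6));
        System.out.println("Field-88 : " + pack("66377125", 16));
    }
}
```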

Once you have configured the ESB, you will get exceptions if you do not copy the following jar files to the lib directory alongside the custom transport jar file.

  • jpos-1.9.0.jar
  • jdom-1.1.3.jar
  • commons-cli-1.3.1.jar

Now we have written our message sender and message formatter implementations. Likewise, you can implement the message receiver and message builder code. I have created an archive with all the relevant artifacts developed for this blog post and uploaded them to GitHub. You can download all the projects and relevant jar files from the following location.

Chanaka FernandoExtending WSO2 ESB with a Custom Transport Implementation - Part I

WSO2 ESB is considered one of the best and highest performing open source integration solutions available in the market. One of its most striking features is its extensibility to meet your custom requirements. This means a LOT if you have dealt with proprietary solutions provided by the big players (you name it). In this blog post, I will be discussing one of the not so frequently used but THE BEST extension points in WSO2 ESB: implementing a custom transport.

The fact that WSO2 ESB is an extensible solution does not mean that it is lacking OOTB features. In fact, it provides one of the most complete feature sets of any open source integration solution in the market. But as you know, it is not a silver bullet (in fact, we can't make silver bullets). Therefore, you may encounter some scenarios where you need to write a custom transport implementation to connect with one of your systems.

I will be taking the ISO8583 messaging standard as the subject of this custom transport implementation. It is used heavily in the financial transactions domain for credit card transaction processing. One of the reasons for selecting it is that there is already code written for this transport by Manoj Fernando in this blog post. Since the focus of this blog post is describing how to write a custom transport implementation, I will not re-write what Manoj has written.

Enough talking. Let's do some real work. The WSO2 ESB mediation engine can be depicted in the following diagram.

  • As depicted in the above diagram, requests/responses coming from clients/servers (inbound) hit the ESB through the transport layer. It selects the proper transport receiver implementation by looking at the request URI (e.g. HTTP, TCP, JMS, etc.)
  • The transport hands the message over to the appropriate message builder according to the content type (if specified) in the message.
  • Then the message is handed over to the Axis engine (In Flow), where the QoS-related operations are performed.
  • After that, the message is handed over to the mediation engine for executing the mediation logic configured with mediators.
  • Then the message again goes through the Axis engine (Out Flow) for any QoS-related operations.
  • The message formatter is selected according to the content type provided in the message.
  • Then the message is passed to the relevant transport sender implementation to send it from the ESB to the client/server (outbound)

Alright.. Alright.. Now we know what happens to a message coming into the WSO2 ESB and what happens when a message is going out of it. I have highlighted 4 terms in the previous section. Those 4 terms are

  • Transport Receiver
  • Message Builder
  • Message Formatter
  • Transport Sender
These would be the classes we need to implement for our custom transport implementation. WSO2 ESB has provided the interfaces for these implementations such that you need to focus only on the business logic rather than knowing the internals of WSO2 ESB. We will be using following interfaces to write our custom implementation.

  • org.apache.axis2.transport.base.AbstractTransportListener
  • org.apache.axis2.builder.Builder
  • org.apache.axis2.transport.MessageFormatter
  • org.apache.axis2.transport.base.AbstractTransportSender
Now we have the ground covered for our custom transport implementation. Let's do some coding. I will be transferring this discussion to my next blog post since this is getting too long here.

Hiranya JayathilakaExpose Any Shell Command or Script as a Web API

I implemented a tool that can expose any shell command or script as a simple web API. All you have to specify is the binary (command/script) that needs to be exposed, and optionally a port number for the HTTP server. Source code of the tool in its entirety is shown below. In addition to exposing simple web APIs, this code also shows how to use Golang's built-in logging package, slice to varargs conversion and a couple of other neat tricks.
// This tool exposes any binary (shell command/script) as an HTTP service.
// A remote client can trigger the execution of the command by sending
// a simple HTTP request. The output of the command execution is sent
// back to the client in plain text format.
package main

import (
	"flag"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"os/exec"
	"strings"
)

func main() {
	binary := flag.String("b", "", "Path to the executable binary")
	port := flag.Int("p", 8080, "HTTP port to listen on")
	flag.Parse()

	if *binary == "" {
		fmt.Println("Path to binary not specified.")
		os.Exit(1)
	}

	l := log.New(os.Stdout, "", log.Ldate|log.Ltime)
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// The request body (if any) carries extra flags/arguments for the command
		var argString string
		if r.Body != nil {
			data, err := ioutil.ReadAll(r.Body)
			if err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
			argString = string(data)
		}

		fields := strings.Fields(*binary)
		args := append(fields[1:], strings.Fields(argString)...)
		l.Printf("Command: [%s %s]", fields[0], strings.Join(args, " "))

		output, err := exec.Command(fields[0], args...).Output()
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		w.Write(output)
	})

	l.Printf("Listening on port %d...", *port)
	l.Printf("Exposed binary: %s", *binary)
	http.ListenAndServe(fmt.Sprintf(":%d", *port), nil)
}
Clients invoke the web API by sending HTTP GET and POST requests. Clients can also send additional flags and arguments to be passed into the command/script wrapped by the web API. The result of the command/script execution is sent back to the client as a plain text payload.
As an example, assume you need to expose the "date" command as a web API. You can simply run the tool as follows:
./bash2http -b date
Now, the clients can invoke the API by sending an HTTP request to http://host:8080. The tool will run the "date" command on the server, and send the resulting text back to the client. Similarly, to expose the "ls" command with the "-l" flag (i.e. long output format), we can execute the tool as follows:
./bash2http -b "ls -l"
Users sending an HTTP request to http://host:8080 will now get a file listing (in the long output format, of course) of the current directory of the server. Alternatively, users can POST additional flags and a file path to the web API to get a more specific output. For instance:
curl -v -X POST -d "-h /usr/local" http://host:8080
This will return a file listing of /usr/local directory of the server with human-readable file size information.
You can also use this tool to expose custom shell scripts and other command-line programs. For example, if you have a Python script which you wish to expose as a web API, all you have to do is:
./bash2http -b "python"

Lali DevamanthriMicroservices with API Gateway

Let's imagine that you are developing a native mobile client for a shopping application. You would have to implement a product details page, which displays the following information:

  • Items in the shopping cart
  • Order history
  • Customer reviews
  • Low inventory warning
  • Shipping options
  • Various recommendations,  (other products bought by customers who bought this product)
  • Alternative purchasing options


In a monolithic application architecture, that data would be retrieved by making a single REST call (GET …/<productId>) to the application. A load balancer routes the request to one of N identical application instances. The application then queries various database tables and returns the response to the client.

But if you use a microservice architecture, the data that needs to be displayed must be retrieved from multiple microservices. Here are some of the example microservices we would need.

  • Shopping Cart Service – items in the shopping cart
  • Order Service – order history
  • Catalog Service – basic product information, such as its name, image, and price
  • Review Service – customer reviews
  • Inventory Service – low inventory warning
  • Shipping Service – shipping options, deadlines, and costs drawn separately from the shipping provider’s API
  • Recommendation Service(s) – suggested items

All of the above microservices would have a public endpoint (https://<serviceName>…) and the client would have to make many requests to retrieve all the necessary data. If the app needs to make hundreds of requests to render one page, it will be inefficient. Also, if existing microservices respond with different data types, the app has to handle those too.

For these reasons, it is wise to use an API Gateway to encapsulate the internal microservices and provide an API tailored to each client. The API Gateway is responsible for request mediation and composing a single response.
A great example of an API Gateway is the Netflix API Gateway. The Netflix streaming service is available on hundreds of different kinds of devices including televisions, set-top boxes, smartphones, gaming systems, tablets, etc. Initially, Netflix attempted to provide a one-size-fits-all API for their streaming service. However, they discovered that it didn’t work well because of the diverse range of devices and their unique needs.
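To make the composition idea concrete, here is a minimal sketch of a gateway fanning out to two back-end microservices in parallel and composing one response. The service names and payloads are invented, and the back ends are stubbed with the JDK's built-in HTTP server; a real gateway would add routing, caching, and error handling:

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.CompletableFuture;

public class GatewaySketch {

    // Start a stub microservice on an ephemeral port that always returns the given body
    static HttpServer stub(String body) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(0), 0);
        server.createContext("/", exchange -> {
            byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, bytes.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(bytes);
            }
        });
        server.start();
        return server;
    }

    static String fetch(int port) {
        try (InputStream in = new URL("http://localhost:" + port + "/").openStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        HttpServer catalog = stub("{\"name\":\"Waffle Iron\",\"price\":49.99}");
        HttpServer reviews = stub("[{\"rating\":5},{\"rating\":4}]");

        // The gateway fans out to both services in parallel and composes one response
        CompletableFuture<String> c = CompletableFuture.supplyAsync(() -> fetch(catalog.getAddress().getPort()));
        CompletableFuture<String> r = CompletableFuture.supplyAsync(() -> fetch(reviews.getAddress().getPort()));
        System.out.printf("{\"product\":%s,\"reviews\":%s}%n", c.join(), r.join());

        catalog.stop(0);
        reviews.stop(0);
    }
}
```

The client makes one round trip to the gateway instead of one per microservice, which is exactly the inefficiency the paragraph above describes.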

Chanaka FernandoMonitoring Garbage Collection of WSO2 ESB

Garbage Collection has been one of the most important features of the Java programming language, and it made Java the automatic choice for developing enterprise applications. WSO2 ESB is written entirely in Java. Garbage Collection is closely tied to the performance of a Java program, and WSO2 ESB needs to provide maximum performance to the users who use it for their enterprise integrations. In this blog post, I will discuss different tools we can use to monitor the GC performance of WSO2 ESB.

1) Monitoring GC activity using jstat command

We can use the jstat command line tool, which comes with the JDK, to monitor the GC activity of a Java program. Let's start the WSO2 ESB server by executing the wso2server.sh file located under the ESB_HOME/bin directory.

sh wso2server.sh start

Then we need to find the process ID of this Java process using the following command.

ps -ef | grep wso2esb | grep java

501 13352 13345   0  7:25PM ttys000    1:18.41

We can execute the jstat command with the process ID

jstat -gc 13352 1000

In the above command, the last argument is the interval (in milliseconds) at which statistics are printed. With the above command, it will print statistics every 1 second.

 S0C       S1C      S0U   S1U      EC          EU            OC            OU        PC          PU     YGC   YGCT   FGC  FGCT    GCT   
49664.0 50688.0  0.0    0.0   246272.0 135276.4  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818
49664.0 50688.0  0.0    0.0   246272.0 135276.7  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818
49664.0 50688.0  0.0    0.0   246272.0 135281.1  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818
49664.0 50688.0  0.0    0.0   246272.0 135281.1  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818
49664.0 50688.0  0.0    0.0   246272.0 135281.1  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818
49664.0 50688.0  0.0    0.0   246272.0 135281.2  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818

49664.0 50688.0  0.0    0.0   246272.0 135285.7  175104.0   91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818

The above output provides a detailed information on the GC activity going on with the java program.

  • S0C and S1C: These columns show the current size of the Survivor0 and Survivor1 areas in KB.
  • S0U and S1U: These columns show the current usage of the Survivor0 and Survivor1 areas in KB. Notice that one of the survivor areas is empty all the time.
  • EC and EU: These columns show the current size and usage of the Eden space in KB. Note that EU grows, and as soon as it crosses EC, a minor GC is triggered and EU drops.
  • OC and OU: These columns show the current size and current usage of the Old generation in KB.
  • PC and PU: These columns show the current size and current usage of the Perm Gen in KB.
  • YGC and YGCT: The YGC column displays the number of GC events that have occurred in the young generation. The YGCT column displays the accumulated time of GC operations for the young generation. Notice that both increase in the same row where the EU value drops because of a minor GC.
  • FGC and FGCT: The FGC column displays the number of Full GC events that have occurred. The FGCT column displays the accumulated time of Full GC operations. Notice that the Full GC time is high compared to the young generation GC timings.
  • GCT: This column displays the total accumulated time of GC operations. Notice that it is the sum of the YGCT and FGCT column values.
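As a quick sanity check on these columns, a small stdlib-only sketch (the row is copied from the sample output above) that derives the average pause per collection from the accumulated times and counts:

```java
import java.util.Locale;

public class JstatRowSketch {
    public static void main(String[] args) {
        // One data row copied from the jstat -gc sample output above
        String row = "49664.0 50688.0  0.0    0.0   246272.0 135276.4  175104.0   "
                + "91437.3   114688.0 61223.4     24    0.954   1      0.864    1.818";
        String[] cols = row.trim().split("\\s+");

        long ygc = Long.parseLong(cols[10]);        // YGC: young-generation GC count
        double ygct = Double.parseDouble(cols[11]); // YGCT: accumulated young-gen GC time (s)
        long fgc = Long.parseLong(cols[12]);        // FGC: full GC count
        double fgct = Double.parseDouble(cols[13]); // FGCT: accumulated full GC time (s)

        // Average pause = accumulated time / number of collections
        System.out.printf(Locale.ROOT, "avg minor GC pause: %.4f s%n", ygct / ygc);
        System.out.printf(Locale.ROOT, "avg full GC pause: %.4f s%n", fgct / fgc);
    }
}
```

This makes the point in the FGC/FGCT bullet concrete: a single full GC here costs far more than an average minor collection.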
2) Monitoring GC activity using JVisualVM and Visual GC

If you need to monitor the GC activity in a graphical manner, you can use the jvisualvm tool, which comes with the JDK, by installing the Visual GC plugin.

Just run the jvisualvm command in the terminal to launch the Java VisualVM application.

Once launched, you need to install the Visual GC plugin from the Tools -> Plugins -> Available Plugins (tab) option.

After installing Visual GC, just open the application (by double-clicking) from the left-side column and head over to the Visual GC section.

As depicted in the above diagram, you can visually monitor the GC activities of the WSO2 ESB using the jvisualvm tool.

3) Monitoring GC activity using GC log file

In most production use cases, we don't need to interact with the running process through different programs. Instead, we would like to have GC logging as an integral part of the program itself. We can enable GC logging for the JVM so that it logs all GC activities into a separate log file, which monitoring tools can interpret without interacting with the application directly.

You can enable GC logging to an external log file by adding the following flags to the startup script of the WSO2 ESB.

    -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps \
    -Xloggc:/Users/chanaka-mac/Documents/wso2/wso2esb-4.8.1/repository/logs/gc.log \

When you start the server with these flags included, you can observe that the gc.log file is populated with the relevant GC activities, as depicted below.

Chanakas-MacBook-Air:logs chanaka-mac$ tail -f gc.log 
2015-06-20T20:04:22.222-0530: 20.347: [GC [PSYoungGen: 253355K->31555K(285184K)] 354302K->132534K(460288K), 0.0179690 secs] [Times: user=0.02 sys=0.00, real=0.02 secs] 
2015-06-20T20:04:23.031-0530: 21.156: [GC [PSYoungGen: 262979K->33422K(288256K)] 363958K->134431K(463360K), 0.0183790 secs] [Times: user=0.02 sys=0.00, real=0.01 secs] 
2015-06-20T20:04:23.797-0530: 21.922: [GC [PSYoungGen: 264846K->35384K(292352K)] 365855K->136426K(467456K), 0.0192760 secs] [Times: user=0.02 sys=0.00, real=0.02 secs] 
2015-06-20T20:04:24.468-0530: 22.593: [GC [PSYoungGen: 271928K->33834K(292864K)] 372970K->134994K(467968K), 0.0195170 secs] [Times: user=0.03 sys=0.00, real=0.02 secs] 
2015-06-20T20:04:25.162-0530: 23.287: [GC [PSYoungGen: 270378K->29641K(288768K)] 371538K->130840K(463872K), 0.0186680 secs] [Times: user=0.03 sys=0.00, real=0.02 secs] 
2015-06-20T20:04:26.547-0530: 24.672: [GC [PSYoungGen: 267721K->2845K(290816K)] 368920K->104320K(465920K), 0.0069150 secs] [Times: user=0.02 sys=0.00, real=0.01 secs] 
2015-06-20T20:04:29.429-0530: 27.554: [GC [PSYoungGen: 240925K->9509K(294400K)] 342400K->111496K(469504K), 0.0123910 secs] [Times: user=0.04 sys=0.00, real=0.02 secs] 
2015-06-20T20:04:32.290-0530: 30.415: [GC [PSYoungGen: 248613K->28794K(268288K)] 350600K->134734K(443392K), 0.0373390 secs] [Times: user=0.13 sys=0.01, real=0.03 secs] 
2015-06-20T20:04:37.493-0530: 35.618: [GC [PSYoungGen: 249742K->21673K(287744K)] 355682K->152515K(462848K), 0.0903050 secs] [Times: user=0.16 sys=0.02, real=0.09 secs] 
2015-06-20T20:04:37.584-0530: 35.709: [Full GC [PSYoungGen: 21673K->0K(287744K)] [ParOldGen: 130841K->80598K(175104K)] 152515K->80598K(462848K) [PSPermGen: 57507K->57484K(115200K)], 0.8345630 secs] [Times: user=1.68 sys=0.14, real=0.83 secs] 

From the above log, we can extract information about the GC activities going on within the WSO2 ESB server.

  1. 2015-06-20T20:04:22.222-0530: – Time when the GC event started.
  2. 20.347 – Time when the GC event started, relative to the JVM startup time. Measured in seconds.
  3. GC – Flag to distinguish between Minor & Full GC. Here it indicates that this was a Minor GC.
  4. PSYoungGen – Collection type. 
  5. 253355K->31555K – Usage of Young generation before and after collection.
  6. (285184K) – Total size of the Young generation.
  7. 354302K->132534K – Total used heap before and after collection.
  8. (460288K) – Total available heap.
  9. 0.0179690 secs – Duration of the GC event in seconds.
  10. [Times: user=0.02 sys=0.00, real=0.02 secs] – Duration of the GC event, measured in different categories:
    • user – Total CPU time that was consumed by Garbage Collector threads during this collection
    • sys – Time spent in OS calls or waiting for system event
    • real – Clock time for which your application was stopped. With the Serial Garbage Collector, which always uses just a single thread, real time is equal to the sum of the user and system times.
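As a worked example, the before->after(total) fields can be parsed to compute how much memory a collection reclaimed. The sketch below (regex and class name are my own) uses the first PSYoungGen entry from the log above, where 253355K - 31555K = 221800K was reclaimed from the young generation:

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GcLogLine {
    public static void main(String[] args) {
        // First young-generation entry from the gc.log excerpt above.
        String line = "[PSYoungGen: 253355K->31555K(285184K)]";
        Matcher m = Pattern.compile("(\\d+)K->(\\d+)K\\((\\d+)K\\)").matcher(line);
        if (m.find()) {
            long before = Long.parseLong(m.group(1)); // usage before the collection
            long after  = Long.parseLong(m.group(2)); // usage after the collection
            long total  = Long.parseLong(m.group(3)); // capacity of the space
            System.out.println("reclaimed " + (before - after) + "K of " + total + "K");
        }
    }
}
```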

I hope this blog post has provided you with a comprehensive guide on monitoring GC activities in WSO2 ESB for performance tuning. I will discuss the GC performance of different algorithms with WSO2 ESB in a future blog post.

Happy GC Monitoring !!!

Yumani property

Hazelcast uses heartbeat monitoring as a fault-detection mechanism, where nodes send heartbeats to other nodes. If a heartbeat message is not received within a given amount of time, Hazelcast assumes the node is dead. This is configured via a property. By default, it is set to 600 seconds.

The optimum value for this property would depend on your system.

Steps on how to configure the property:
  1. Create a property file and add the following properties to it.
  2. Place this file in the CARBON_HOME/repository/conf/ folder of all your Carbon nodes.
  3. Restart the servers.

sanjeewa malalgodaHow to import, export APIs with WSO2 API Manager 1.9.0

In API Manager 1.9.0 we have introduced an API import/export capability. With it, we can download an API from one deployment and import it to another.
This feature retrieves all the required meta information and registry resources for the requested API and generates a zipped archive,
which we can then upload to another API Manager server.

To try this, first you need to get the web application source code from this git repo.

Then build it and generate the web application.
After that, you have to deploy it in API Manager. For that you may use the web application UI. Log in to the management console as the admin user and go to this link.

Home     > Manage     > Applications     > Add     > Web Applications

Then add the web application.
The zipped archive of an API consists of the following structure:

|_ Meta Information
   |_ api.json
|_ Documents
   |_ docs.json
|_ Image
   |_ icon.
   |_ -.wsdl
|_ Sequences
   |_ In Sequence
   |_ Out Sequence
   |_ Fault Sequence
API Import accepts the exported zipped archive and creates an API in the imported environment.

This feature has been implemented as a RESTful API.

Please use the following curl command to export an API.
Here you need to provide basic auth headers for the admin user,
and pass the following parameters.

Name of the API as > name=test-sanjeewa
Version of API > version=1.0.0
Provider of API > provider=admin
curl -H "Authorization:Basic YWRtaW46YWRtaW4=" -X GET "https://localhost:9443/api-import-export/export-api?name=test-sanjeewa&version=1.0.0&provider=admin" -k >
Now you will see the downloaded zip file in the current directory.

Then you need to import the downloaded zip file into the other deployment.
See the following sample command for that.

Here, file is the archive file downloaded above,
and the service call should go to the server into which we need to import this API. Here I'm running my second server with port offset one, so the URL would be "https://localhost:9444".
curl -H "Authorization:Basic YWRtaW46YWRtaW4=" -F file=@"/home/sanjeewa/work/" -k -X POST "https://localhost:9444/api-import-export/import-api"
Now go to the API Publisher and change the API life cycle state to published (by default, imported APIs will be in the created state).

Then go to the API Store, subscribe, and use it :-)
Thanks Thilini and Chamin for getting this done.

Hasitha AravindaSetting Up Mutual SSL in WSO2 ESB and Testing Using SOAP UI

This Blog post is an updated version of Asela's Blog 

Exchanging Certificates with Client and Server. 

The first step is to create the Client Key Store and Client Trust Store. Here I am using the Java keytool, which can be found in the JDK bin directory.

1) Create the Client (let's call it wso2client) Key Store (wso2clientkeystore.jks)

keytool -genkey -keyalg RSA -keystore wso2clientkeystore.jks  -alias wso2client -dname "CN=wso2client" -validity 3650 -keysize 2048

Provide Store password and Key password.

2) Create Client Certificates. 

keytool -export -keyalg RSA -keystore wso2clientkeystore.jks -alias wso2client  -file wso2client.cert

3) Create Client Trust Store (wso2clientTrustStore.jks)

keytool -import -file wso2client.cert -alias wso2client -keystore wso2clientTrustStore.jks

Provide Trust store password.

4) Export ESB Server Certificate

keytool -export -keyalg RSA -keystore /repository/resources/security/wso2carbon.jks -alias wso2carbon -file wso2carbon.cert

Provide wso2carbon store password "wso2carbon"

5) Import Client Certificate wso2client.cert to WSO2 ESB client-trustStore.jks

keytool -import -file wso2client.cert -alias wso2client -keystore /repository/resources/security/client-truststore.jks

Provide wso2carbon store password "wso2carbon"

6) Import ESB Server Certificate wso2carbon.cert to client-trust store 

keytool -import -file wso2carbon.cert -alias wso2carbon -keystore wso2clientTrustStore.jks

Configure WSO2 ESB Server 

1) Edit the https transportReceiver in axis2.xml, which is located in the /repository/conf/axis2/ folder, and set SSLVerifyClient to require as follows.

2) Restart ESB Server.

Note: This will Enable Mutual SSL for Proxies on https transport in ESB.

Create Test Proxy

Create a test proxy with Following Content

Testing Test Proxy Using SOAP UI

1) Open SOAP UI and create a SOAP UI project using Test Proxy WSDL. ( https://localhost:9443/services/Test?wsdl )

2) Try to Invoke Test Proxy with default configuration.

As shown below, it will fail. This is because SOAP UI doesn't have the wso2client key store and trust store.

3) Let's Add Key store and Trust Store to Project.  Open Test Project Properties. -> WS-Security Configuration -> Key Store -> Add Key Store as shown in following picture. -> Select wso2clientkeystore.jks

4) Enter store password for wso2clientkeystore.jks

5) Similarly add Client Trust store to SOAP UI ( An optional step for this tutorial )

6) Select SSL Keystore to wso2clientkeystore.jks.

7) Invoke Request 1 again with SSL configuration.

Now you will be able to invoke Test proxy service with Mutual SSL enabled.

In Next blog, I will discuss how to Enable Mutual SSL only for One proxy.

Hasitha AravindaSetting Up Mutual SSL in WSO2 ESB - Enable only for selected proxy services

This Blog post is an updated version of Asela's Blog 

I am using same environment described in my previous blog for this tutorial

Configure WSO2 ESB Server 

1) Edit the https transportReceiver in axis2.xml, which is located in the /repository/conf/axis2/ folder, and set SSLVerifyClient to optional as follows.
2) Restart ESB Server.

Note: This will make Mutual SSL optional for proxy services exposed on https transport.

Now you will be able to invoke the Test Proxy without the SSL KeyStore property in SOAP UI. To verify this, remove the value of SSL KeyStore and invoke Request 1 again.

Enable Mutual SSL for Test Proxy

1) Create a ESB XML local entry called MutualSSLPolicy.xml with following content.

2) Add following parameters to Test Proxy. 

(Add these parameters to the proxy services for which you want to enable mutual authentication.)

3) Final Test proxy will look like this

Testing With SOAP UI 

1) Try Request 1 without the SSL KeyStore parameter. The request fails with a SOAP fault.

2) Now try with the SSL KeyStore parameter. Now you will be able to invoke the Test Proxy Service.

John MathonMost Enterprises are incompetent to manage the infrastructure they have

This may sound insulting, but the fact is that almost all companies are not really competent to buy, manage, and handle the lifecycle of technology for the enterprise. In most cases they are incompetent at the security aspects of physical infrastructure. If you have already invested in some physical infrastructure it may not be cost-effective to eliminate it, but you should seriously consider the real need for each addition to the physical infrastructure you manage.

Why almost all companies should NOT be managing the technology they use:

1) Do not know which technologies are, in many cases, the most cost-effective, most easily managed, best tools to use

I have been in companies that simply buy the most expensive, fastest servers (financial industry) as if they were buying sports cars. Which router do you buy? What is the best choice of hardware memory, CPU speed, and number of CPUs for your organization? Assuming you buy the hardware for a specific application, what happens when that application changes and different hardware is needed? Do you need SDN? Would it be helpful? Most companies make these decisions because of a relationship with a specific vendor or some individual who has become infatuated with a particular technology. Few have the discipline to make the choice taking into account the full cost of the options they consider.

2) Do not know how to manage the lifecycle costs and usually have not considered the full cost of technology maintenance in their calculations.

What happens when that shiny box you bought is 3 years old and there are dozens of newer boxes 5 times more powerful? How do you handle situations where you have high maintenance costs for a technology? Do you keep maintaining it or move to something with lower maintenance costs? What happens if you have to keep this technology in the company for 10 or 20 years? How do you handle integrating it with new technology and keeping it alive?

3) Do not know how to share the resources or may not even have the ability to share the technology effectively.

You buy or have bought expensive new technology.  Do you know how to share this technology within your organization to get the most cost effectiveness?   In many cases it may simply not be possible to share the technology across your organization sufficiently to gain maximum cost savings.  Have you fully considered the costs of wasted servers, wasted hardware sitting idle much of the day or underused?  The energy or environmental cost as well as the financial burden.

4) Do not know how to maintain the technology they purchase or decide when it is a good idea to sunset a technology and move on.   They will continue using antiquated technology well beyond its intended lifetime.

Most companies, if they use a technology successfully, will keep that technology around virtually forever. Many older companies are still running IBM mainframe software for critical business functions. In many cases this costs them billions per year. While in those cases it may be justifiable to keep that technology alive, no sane CIO should consider repeating this by investing in technology today that will still be costing billions years and years from now, considering that there is NO NEED to do this. With the cloud you can minimize those kinds of longer-term dependencies. You may find it hard to unravel old decisions that were justified and continue to be worthwhile, but most companies can choose shared resources, putting the maintenance burden on a separate organization and sharing it among many companies.

Most companies don’t manage their hardware or software maintenance well leading to more downtime, unexpected outages and more cost than they need.

5) They do not know how to manage the security of the technology they have, and frequently suffer attacks and losses due to badness, i.e. poor practices, poor maintenance, lack of knowledge, or lack of employee training.

Security, in today’s age of government spying and hacking from all over the world, is a tough, sophisticated job. Most companies experience dozens, even more than 100, security incidents a year. The average company applies critical security patches 30-60 days after the vulnerability was discovered. This 30-60 day window essentially means that most companies are effectively completely vulnerable to sophisticated attackers. It is expensive and hard to train employees on best security practices and to monitor and track every possible avenue of loss.

6) They are not competent to interview and assess whom to hire to do 1-5.

Even if, after reading all this, you decide your business requires you to purchase technology and manage it yourself, are you competent to hire the right people to do the jobs above? Do you even know the right questions to ask? How are you sure they are doing the best job, and that best practices are being employed well? How do you manage such assets? What if you lose such assets? I have worked at companies whose job was to provide security technology, and at banks with high standards for security and a need to maintain technological competence, yet they frequently fell below the bar. Hiring and retaining the talent needed to do these tasks at a high level is nontrivial.


Most companies are not in the business of technology, and it is a waste of their time and energy to manage technology. Most companies are not technology companies; although more and more need to consider technology a key part of their business, that doesn't mean they need to manage the technology they use.

In this age of rapid technological evolution and the connected business, almost every business deals with technology as an important part of its operations, but that doesn't mean it needs to own everything and manage everything. You should very carefully consider which things are worth the significant investment of owning or managing technology yourself.

Chanaka FernandoGarbage Collection and Application Performance

Automatic Garbage Collection is one of the finest features of the Java programming language. You can find more information about Garbage Collection concepts from the below link.

Even though GC is a cool feature of the JVM, it comes at a cost. Your application will stop working ("Stop the World") when GC happens at the JVM level. This means that GC events will affect the performance of your Java application. Because of this, you should have a proper understanding of the impact of GC on your application.

There are two general ways to reduce garbage-collection pause time and the impact it has on application performance:

  • The garbage collection itself can leverage the existence of multiple CPUs and be executed in parallel. Although the application threads remain fully suspended during this time, the garbage collection can be done in a fraction of the time, effectively reducing the suspension time.
  • The second approach is to leave the application running and execute garbage collection concurrently with the application execution.

These two logical solutions have led to the development of serial, parallel, and concurrent garbage-collection strategies, which represent the foundation of all existing Java garbage-collection implementations.

As shown in the above diagram, the serial collector suspends the application threads and executes the mark-and-sweep algorithm in a single thread. It is the simplest and oldest form of garbage collection in Java and is still the default in the Oracle HotSpot JVM.

The parallel collector uses multiple threads to do its work. It can therefore decrease the GC pause time by leveraging multiple CPUs. It is often the best choice for throughput applications.

The concurrent collector does the majority of its work concurrently with the application execution. It has to suspend the application for only very short amounts of time. This is a big benefit for response-time-sensitive applications, but it is not without drawbacks.
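Each of these strategies is selected with a JVM startup flag. As a sketch for the HotSpot JVMs contemporary with this post (JDK 7/8; later JDKs changed the defaults and removed CMS):

```
-XX:+UseSerialGC           # serial collector (single-threaded, stop-the-world)
-XX:+UseParallelGC         # parallel collector (multi-threaded young-generation GC)
-XX:+UseConcMarkSweepGC    # concurrent mark-and-sweep collector for the old generation
```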

Concurrent Mark and Sweep algorithm

Concurrent garbage-collection strategies complicate the relatively simple mark-and-sweep algorithm a bit. The mark phase is usually sub-divided into some variant of the following:

  • In the initial marking, the GC root objects are marked as alive. During this phase, all threads of the application are suspended.

  • During concurrent marking, the marked root objects are traversed and all reachable objects are marked. This phase is fully concurrent with application execution, so all application threads are active and can even allocate new objects. For this reason there might be another phase that marks objects that have been allocated during the concurrent marking. This is sometimes referred to as pre-cleaning and is still done concurrent to the application execution.

  • In the final marking, all threads are suspended and all remaining newly allocated objects are marked as alive. This is indicated in Figure 2.6 by the re-mark label.

The concurrent mark works mostly, but not completely, without pausing the application. The tradeoff is a more complex algorithm and an additional phase that is not necessary in a normal stop-the-world GC: the final marking.

The Oracle JRockit JVM improves this algorithm with the help of a keep area, which, if you're interested, is described in detail in the JRockit documentation . New objects are kept separately and not considered garbage during the first GC. This eliminates the need for a final marking or re-mark.

In the sweep phase of the CMS, all memory areas not occupied by marked objects are found and added to the free list. In other words, the objects are swept by the GC. This phase can run at least partially concurrent to the application. For instance, JRockit divides the heap into two areas of equal size and sweeps one then the other. During this phase, no threads are stopped, but allocations take place only in the area that is not actively being swept. 

There is only one way to make garbage collection faster: ensure that as few objects as possible are reachable during the garbage collection. The fewer objects that are alive, the less there is to be marked. This is the rationale behind the generational heap.

Young Generation vs Old Generation

In a typical application most objects are very short-lived. On the other hand, some objects last for a very long time and even until the application is terminated. When using generational garbage collection, the heap area is divided into two areas—a young generation and an old generation—that are garbage-collected via separate strategies.

Objects are usually created in the young area. Once an object has survived a couple of GC cycles, it is tenured to the old generation. After the application has completed its initial startup phase (most applications allocate caches, pools, and other permanent objects during startup), most allocated objects will not survive their first or second GC cycle. The number of live objects that need to be considered in each cycle should be stable and relatively small.

Allocations in the old generation should be infrequent, and in an ideal world would not happen at all after the initial startup phase. If the old generation is not growing and therefore not running out of space, it requires no garbage-collection at all. There will be unreachable objects in the old generation, but as long as the memory is not needed, there is no reason to reclaim it.

To make this generational approach work, the young generation must be big enough to ensure that all temporary objects die there. Since the number of temporary objects in most applications depends on the current application load, the optimal young-generation size is load-related. Therefore, sizing the young generation, known as generation sizing, is the key to achieving peak performance under load.
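Generation sizing is controlled with JVM startup flags. The following HotSpot options are commonly used for this; the values shown are illustrative examples, not recommendations:

```
-Xms512m -Xmx512m            # total heap size (initial and maximum)
-Xmn200m                     # explicit young-generation size
-XX:NewRatio=2               # alternatively: old generation is 2x the young generation
-XX:MaxTenuringThreshold=15  # GC cycles an object may survive before promotion
```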

Unfortunately, it is often not possible to reach an optimal state where all objects die in the young generation, and so the old generation will often require a concurrent garbage collector. Concurrent garbage collection, together with a minimally growing old generation, ensures that the unavoidable stop-the-world events will at least be very short and predictable.

Chanaka FernandoUnderstanding Java Garbage Collection for beginners

Java is one of the most heavily used languages in enterprise application development. One of the key features of the Java language is its capability to clear out memory automatically. This gives application developers more freedom to think about their business logic rather than worrying about the memory management of the application. This may be the utmost reason for the selection of the Java language for complex business application development.

Java uses a technology called Automatic Garbage Collection (GC) to clear out any unused memory from your application. In this blog post, I will be discussing the Java memory model and how GC works within the Java Virtual Machine (JVM). In fact, every Java application runs on top of its own JVM.

Java Memory model

Each thread running in the Java Virtual Machine has its own thread stack. The thread stack contains information about what methods the thread has called to reach the current point of execution. I will refer to this as the "call stack". As the thread executes its code, the call stack changes. The thread stack also contains all local variables for each method being executed (all methods on the call stack). A thread can only access its own thread stack. Local variables created by a thread are invisible to all threads other than the one that created them. Even if two threads are executing the exact same code, the two threads will still create the local variables of that code in their own thread stacks. Thus, each thread has its own version of each local variable.

All local variables of primitive types (boolean, byte, short, char, int, long, float, double) are fully stored on the thread stack and are thus not visible to other threads. One thread may pass a copy of a primitive variable to another thread, but it cannot share the primitive local variable itself. The heap contains all objects created in your Java application, regardless of which thread created them. This includes the object versions of the primitive types (e.g. Byte, Integer, Long, etc.). It does not matter whether an object was created and assigned to a local variable, or created as a member variable of another object; the object is still stored on the heap.

A local variable may be of a primitive type, in which case it is totally kept on the thread stack.

A local variable may also be a reference to an object. In that case the reference (the local variable) is stored on the thread stack, but the object itself is stored on the heap.

An object may contain methods and these methods may contain local variables. These local variables are also stored on the thread stack, even if the object the method belongs to is stored on the heap.

An object's member variables are stored on the heap along with the object itself. That is true both when the member variable is of a primitive type, and if it is a reference to an object.

Static class variables are also stored on the heap along with the class definition.

Objects on the heap can be accessed by all threads that have a reference to the object. When a thread has access to an object, it can also get access to that object's member variables. If two threads call a method on the same object at the same time, they will both have access to the object's member variables, but each thread will have its own copy of the local variables. 
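The stack-versus-heap behavior described above can be demonstrated with a small sketch (class name and counts are my own): each thread gets its own copy of the primitive local variable, while both threads update the same heap object:

```java
public class StackVsHeap {
    static int[] shared = new int[1];   // object on the heap, reachable by all threads

    public static void main(String[] args) throws InterruptedException {
        Runnable task = () -> {
            int local = 0;              // primitive local: lives on each thread's own stack
            for (int i = 0; i < 1000; i++) {
                local++;                // each thread increments its own copy
                synchronized (shared) {
                    shared[0]++;        // the heap object is shared between the threads
                }
            }
            System.out.println("local=" + local);   // prints 1000 in each thread
        };
        Thread t1 = new Thread(task), t2 = new Thread(task);
        t1.start(); t2.start();
        t1.join(); t2.join();
        System.out.println("shared=" + shared[0]);  // prints 2000: one heap object, two writers
    }
}
```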

Java Heap Memory

As discussed in the previous section, the Java heap memory is responsible for storing all the objects created during the runtime of a program, along with all member variables and the static variables with their class definitions. This is the area of memory that needs to be carefully controlled. The below diagram depicts the memory model of the JVM heap.

Young Generation

Most of the newly created objects are located in the Eden memory space. 

When the Eden space is filled with objects, a Minor GC is performed and all the surviving objects are moved to one of the survivor spaces.

Minor GC also checks the survivor objects and moves them to the other survivor space. So at any given time, one of the survivor spaces is always empty.

Objects that survive many cycles of GC are moved to the Old generation memory space. Usually this is done by setting a threshold for the age of young-generation objects before they become eligible for promotion to the Old generation.

Old Generation

Old Generation memory contains objects that are long-lived and have survived many rounds of Minor GC. Usually garbage collection is performed in Old Generation memory when it is full. Old Generation garbage collection is called Major GC and usually takes a longer time.

Stop the World Event

All the Garbage Collections are “Stop the World” events because all application threads are stopped until the operation completes.

Since Young generation keeps short-lived objects, Minor GC is very fast and the application doesn’t get affected by this.

However, Major GC takes longer because it checks all the live objects. Major GC should be minimized because it will make your application unresponsive for the duration of the garbage collection. So if you have a responsive application and a lot of Major Garbage Collections are happening, you will notice timeout errors.

The duration taken by the garbage collector depends on the strategy used for garbage collection. That's why it is necessary to monitor and tune the garbage collector to avoid timeouts in highly responsive applications.

Permanent Generation

Permanent Generation or “Perm Gen” contains the application metadata required by the JVM to describe the classes and methods used in the application. Note that Perm Gen is not part of Java Heap memory.

Perm Gen is populated by JVM at runtime based on the classes used by the application. Perm Gen also contains Java SE library classes and methods. Perm Gen objects are garbage collected in a full garbage collection.

Garbage Collection

As already mentioned at the beginning of this post, Garbage Collection is one of the prime features of the Java programming language. Many people think garbage collection collects and discards dead objects. In reality, Java garbage collection is doing the opposite! Live objects are tracked and everything else is designated garbage. As you'll see, this fundamental misunderstanding can lead to many performance problems.

Let's start with the heap, which is the area of memory used for dynamic allocation. In most configurations the operating system allocates the heap in advance to be managed by the JVM while the program is running. This has a couple of important ramifications:
  • Object creation is faster because global synchronization with the operating system is not needed for every single object. An allocation simply claims some portion of a memory array and moves the offset pointer forward. The next allocation starts at this offset and claims the next portion of the array.
  • When an object is no longer used, the garbage collector reclaims the underlying memory and reuses it for future object allocation. This means there is no explicit deletion and no memory is given back to the operating system.     
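The "claim a portion of a memory array and move the offset pointer forward" behavior can be illustrated with a toy bump-pointer allocator (entirely my own sketch; real JVMs do this natively, typically per thread via thread-local allocation buffers):

```java
public class BumpAllocator {
    private final byte[] arena = new byte[1024]; // the pre-reserved "heap"
    private int offset = 0;                      // the bump pointer

    // Returns the start offset of the newly "allocated" region.
    int allocate(int size) {
        if (offset + size > arena.length) {
            throw new OutOfMemoryError("arena full");
        }
        int start = offset;
        offset += size;  // allocation is just moving the offset forward
        return start;
    }

    public static void main(String[] args) {
        BumpAllocator heap = new BumpAllocator();
        System.out.println(heap.allocate(100)); // prints 0
        System.out.println(heap.allocate(50));  // prints 100: next allocation starts at the offset
    }
}
```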

Garbage Collection Roots

Every object tree must have one or more root objects. As long as the application can reach those roots, the whole tree is reachable. But when are those root objects considered reachable? Special objects called garbage-collection roots (GC roots; see below figure) are always reachable and so is any object that has a garbage-collection root at its own root.

There are four kinds of GC roots in Java:

Local variables are kept alive by the stack of a thread. This is not a real object virtual reference and thus is not visible. For all intents and purposes, local variables are GC roots.

Active Java threads are always considered live objects and are therefore GC roots. This is especially important for thread local variables.

Static variables are referenced by their classes. This fact makes them de facto GC roots. Classes themselves can be garbage-collected, which would remove all referenced static variables. This is of special importance when we use application servers, OSGi containers or class loaders in general. 

JNI References are Java objects that the native code has created as part of a JNI call. Objects thus created are treated specially because the JVM does not know if it is being referenced by the native code or not. Such objects represent a very special form of GC root, which we will examine in more detail in the Problem Patterns section below.

Marking and Sweeping Away Garbage

To determine which objects are no longer in use, the JVM intermittently runs what is very aptly called a mark-and-sweep algorithm. As you might intuit, it's a straightforward, two-step process:

  • The algorithm traverses all object references, starting with the GC roots, and marks every object found as alive.
  • All of the heap memory that is not occupied by marked objects is reclaimed. It is simply marked as free, essentially swept free of unused objects.
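The mark phase above is essentially a graph traversal starting from the GC roots. The following is a toy sketch of that idea, not the JVM's actual implementation; the object names and the `refs` map are made up for illustration:

```java
import java.util.*;

// A toy mark phase: objects form a graph; anything reachable from the
// GC roots is marked live, everything else would be swept as garbage.
public class MarkSketch {
    static Map<String, List<String>> refs = new HashMap<>();

    static Set<String> mark(List<String> gcRoots) {
        Set<String> live = new HashSet<>();
        Deque<String> stack = new ArrayDeque<>(gcRoots);
        while (!stack.isEmpty()) {
            String obj = stack.pop();
            if (live.add(obj)) {                          // first visit: mark as live
                stack.addAll(refs.getOrDefault(obj, List.of()));
            }
        }
        return live;
    }

    public static void main(String[] args) {
        refs.put("root", List.of("a"));
        refs.put("a", List.of("b"));
        refs.put("orphan", List.of("c"));                 // no root reaches this
        Set<String> live = mark(List.of("root"));
        System.out.println(live.contains("b"));           // true: root -> a -> b
        System.out.println(live.contains("orphan"));      // false: unreachable
    }
}
```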

Garbage collection is intended to remove the cause for classic memory leaks: unreachable-but-not-deleted objects in memory. However, this works only for memory leaks in the original sense. It's possible to have unused objects that are still reachable by an application because the developer simply forgot to dereference them. Such objects cannot be garbage-collected. Even worse, such a logical memory leak cannot be detected by any software. Even the best analysis software can only highlight suspicious objects. 

Garbage Collection Algorithms and Performance

As mentioned previously, a GC event is a "Stop the World" operation during which the application stops its execution. Therefore, it is very important to choose a proper GC algorithm for your performance-critical enterprise application. There are five GC algorithms available with the Oracle JVM.

Serial GC (-XX:+UseSerialGC): Serial GC uses the simple mark-sweep-compact approach for young and old generation garbage collection, i.e. minor and major GC. Serial GC is useful on client-style machines, such as simple standalone applications and machines with a small number of CPUs. It is good for small applications with a low memory footprint.
Parallel GC (-XX:+UseParallelGC): Parallel GC is the same as Serial GC except that it spawns N threads for young generation garbage collection, where N is the number of CPU cores in the system. We can control the number of threads using the -XX:ParallelGCThreads=n JVM option. The Parallel garbage collector is also called the throughput collector because it uses multiple CPUs to speed up GC performance. Parallel GC uses a single thread for old generation garbage collection.
Parallel Old GC (-XX:+UseParallelOldGC): This is the same as Parallel GC except that it uses multiple threads for both young generation and old generation garbage collection.
Concurrent Mark Sweep (CMS) Collector (-XX:+UseConcMarkSweepGC): The CMS collector is also referred to as the concurrent low-pause collector. It does garbage collection for the old generation. The CMS collector tries to minimize the pauses due to garbage collection by doing most of the garbage collection work concurrently with the application threads. The CMS collector uses the same algorithm on the young generation as the parallel collector. This garbage collector is suitable for responsive applications where we can’t afford long pause times. We can limit the number of threads in the CMS collector using the -XX:ParallelCMSThreads=n JVM option.
G1 Garbage Collector (-XX:+UseG1GC): The Garbage First or G1 garbage collector is available from Java 7, and its long-term goal is to replace the CMS collector. The G1 collector is a parallel, concurrent, and incrementally compacting low-pause garbage collector. The Garbage First collector doesn’t work like the other collectors: there is no concept of young and old generation spaces. It divides the heap space into multiple equal-sized heap regions. When a garbage collection is invoked, it first collects the regions with the least live data, hence "Garbage First". You can find more details about it in the Garbage-First Collector Oracle documentation.
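Whichever of the flags above is used, the JVM exposes the resulting collector pair through the standard JMX management beans, so you can check which collectors the running JVM actually selected. A small sketch using the `java.lang.management` API:

```java
import java.lang.management.GarbageCollectorMXBean;
import java.lang.management.ManagementFactory;

// Prints the names of the garbage collectors the running JVM selected,
// e.g. "PS Scavenge" / "PS MarkSweep" when the Parallel collector is active.
public class ShowCollectors {
    public static void main(String[] args) {
        for (GarbageCollectorMXBean gc : ManagementFactory.getGarbageCollectorMXBeans()) {
            System.out.println(gc.getName()
                    + " (collections so far: " + gc.getCollectionCount() + ")");
        }
    }
}
```

Run it with different `-XX:+Use...GC` flags and compare the names printed.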

That is enough for this lengthy blog post. I am planning to write several blog posts on GC tuning in the future.

Happy GC !!!


Madhuka UdanthaGenerate a AngularJS application with grunt and bower

1. Install grunt, bower, yo, etc., if you have missed any.
npm install -g grunt-cli bower yo generator-karma generator-angular

Yeoman is used to generate the scaffolding of your app.
Grunt is a powerful, feature-rich task runner for JavaScript.

2. Install the AngularJS generator:
npm install -g generator-angular

3. Generate a new AngularJS application.
yo angular

The generator will ask you a couple of questions. Answer them as you need.

4. Install packages/libs  
bower install angular-bootstrap --save
bower install angular-google-chart --save

5. Start the server.
npm start
grunt server

Lasantha FernandoIntegrating WSO2 Products with New Relic

Recently, I had a chance to play around with New Relic [1] and integrate WSO2 products with it. It turns out that integrating New Relic with WSO2 servers is quite straightforward.
  1. Download the newrelic agent as instructed in [2] or in the NewRelic APM Getting Started guide.
  2. Unzip to <CARBON_HOME> directory. The agent should be installed under <CARBON_HOME>/newrelic
  3. Make sure the license key and application name are correct in <CARBON_HOME>/newrelic/newrelic.yml.
  4. Add the following line to the java command in the server startup script under <CARBON_HOME>/bin, at the end:

  5.  -javaagent:$CARBON_HOME/newrelic/newrelic.jar \  

    The last part of the startup script should then be as follows.

     while [ "$status" = "$START_EXIT_STATUS" ]
     do
    $JAVACMD \
    -Xbootclasspath/a:"$CARBON_XBOOTCLASSPATH" \
    -Xms256m -Xmx1024m -XX:MaxPermSize=256m \
    -XX:+HeapDumpOnOutOfMemoryError \
    -XX:HeapDumpPath="$CARBON_HOME/repository/logs/heap-dump.hprof" \
    $JAVA_OPTS \
    -javaagent:$CARBON_HOME/newrelic/newrelic.jar \
    -classpath "$CARBON_CLASSPATH" \
    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
    -Djava.io.tmpdir="$CARBON_HOME/tmp" \
    -Dcatalina.base="$CARBON_HOME/lib/tomcat" \
    -Dwso2.server.standalone=true \
    -Dcarbon.registry.root=/ \
    -Djava.command="$JAVACMD" \
    -Dcarbon.home="$CARBON_HOME" \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    -Djava.util.logging.config.file="$CARBON_HOME/repository/conf/etc/" \
    -Dcarbon.config.dir.path="$CARBON_HOME/repository/conf" \
    -Dcomponents.repo="$CARBON_HOME/repository/components/plugins" \
    -Dcom.atomikos.icatch.file="$CARBON_HOME/lib/" \
    -Dcom.atomikos.icatch.hide_init_file_path=true \
    -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true \
    -Dcom.sun.jndi.ldap.connect.pool.authentication=simple \
    -Dcom.sun.jndi.ldap.connect.pool.timeout=3000 \
    -Dorg.terracotta.quartz.skipUpdateCheck=true \
    -Dfile.encoding=UTF8 \
    -DapplyPatches \
    org.wso2.carbon.bootstrap.Bootstrap $*

  6. Start the WSO2 server. If the agent was picked up successfully, you should see additional log entries similar to the following at startup.

  7.  May 14, 2015 14:17:54 +0530 [1866 1] com.newrelic INFO: New Relic Agent: Loading configuration file "/home/lasantha/Staging/wso2am-1.8.0/newrelic/./newrelic.yml"
      May 14, 2015 14:17:55 +0530 [1866 1] com.newrelic INFO: New Relic Agent: Writing to log file: /home/lasantha/Staging/wso2am-1.8.0/newrelic/logs/newrelic_agent.log

  8. After the server has started up properly, use it for some time as you normally would, e.g. send requests to the server, browse the management console, etc. You should then be able to see statistics in your New Relic dashboard when you view APM stats under the application name you have given.
New Relic dashboard showing stats about the JVM

Dashboard for viewing application request stats
Now that you've set up your WSO2 product properly with stats being published to New Relic, it's time to learn about those little caveats and gotchas! New Relic uses JMX to collect statistics from any Java server. However, by default it listens to stats from a pre-defined set of MBeans. This will give you stats about requests to the management console of a WSO2 server. However, WSO2 products use a different set of ports and publish stats to a different set of MBeans for traffic related to the HTTP/HTTPS NIO transport. These MBeans are not captured by default in the New Relic dashboard.

But to capture these stats, all you need to do is register an additional set of stats to a New Relic custom dashboard. To do that, you need to create custom JMX instrumentation when configuring New Relic. The following link [3] provides more details about custom JMX instrumentation on New Relic. You can find some JMX examples in [4].

And for the final link: a list of JMX MBeans that are available for monitoring the HTTP/HTTPS synapse NIO transport is available in [5].

Madhuka UdanthaGit simple Feature Branch Workflow

In my previous post, I wrote about git workflows. Now I am going to try out the simple 'Feature Branch Workflow'.
1. I pull down the latest changes from master
git checkout master
git pull origin master

2. I make a branch for my changes
git checkout -b new-feature

3. Now I am working on the feature

4. I keep my feature branch fresh and up to date with the latest changes in master, using 'rebase'
Every once in a while during the development update the feature branch with the latest changes in master.

git fetch origin
git rebase origin/master

In the case where other devs are also working on the same shared remote feature branch, also rebase changes coming from it:

git rebase origin/new-feature

Resolving conflicts during the rebase allows me to always have clean merges at the end of feature development.

5. When I am ready I commit my changes
git add -p
git commit -m "my changes"

6. Rebasing keeps my code working, merging easy, and history clean.
git fetch origin
git rebase origin/new-feature
git rebase origin/master

The two points below are optional.
6.1 push my branch for discussion (pull-request)
git push origin new-feature

6.2 feel free to rebase within my feature branch, my team can handle it!
git rebase -i origin/master

A few situations can arise during the development phase.
Suppose another new feature is needed, and it requires some commits from my 'new-feature' branch: that feature needs its own branch, a few commits need to be pushed to it, and those commits then cleaned from my branch.

7.1 Create an x-new-feature branch on top of 'new-feature'
git checkout -b x-new-feature new-feature

7.2 Cleaning commits
# revert a specific commit (a commit reference is required)
git revert --no-commit <commit>
# step back two commits from the current HEAD
git reset --hard HEAD~2

7.3 Updating the remote branch
# push the cleaned new-feature branch
git push origin HEAD --force

John MathonManagement of Enterprises with Cloud, Mobile Devices, Personal Cloud, SaaS, PaaS, IaaS, IoT and APIs

The traditional tools for enterprise asset management, app management and performance management are challenged by the cloud. Existing security tools are inadequate and are challenged by new aspects of enterprise virtualization and new technology. These new aspects include:

  1. Personal Cloud
  2. SaaS Applications
  3. PaaS
  4. IaaS services
  5. Mobile Devices
  6. IoT Devices
  7. APIs and Cloud Services, Web Services
  8. Mobile Apps

These technologies turn the traditional enterprise four-walls security paradigm into "Swiss cheese." In many cases, traditional enterprise management tools are incapable of dealing with these new capabilities at all.

As a result, enterprises have taken on new applications to help manage some of these technologies in a one-off approach. MDM (mobile device management) software is one such tool. Most organizations employ best-practices training for employees on most of the other technologies, or depend on the vendors of those technologies to provide sufficient management information. Frequently, these management consoles or information sources are not integrated.

In some cases it may be possible to extend traditional enterprise performance management and asset management to include some of the new technologies, but most companies simply depend on employees to follow best practices, or ignore the shadow-IT problem and hope for the best. Some are vigilant in trying to discourage shadow IT, which probably results in much less productivity for employees and the enterprise itself, or turns employees seeking productivity into rogue employees.

The virtual enterprise needs a new set of management tools that are designed to manage devices, applications and services in a cloud world and provide security and management of the “holey” enterprise.

This is the "New Enterprise," and in fact many enterprises today may already be completely virtual. This means traditional enterprise asset management tools, which focus mostly on hardware, are useless: such enterprises have no traditional hardware to manage.

What we need is a new “Asset Management, performance management, operations management” capability that includes all these technologies above as a unified set of tools in our new virtual world.

Since I don’t know of any tool that combines all these features, I am going to dream for a bit about what such a tool would entail and what its requirements would be.

First, the tool would have to understand all of the technologies listed above. A lot of the products share common characteristics that make centralized administration, monitoring and usage sensible. All of the assets mentioned have a set of URLs, logins, keys, security tokens or certificates, and since they are all cloud-type assets they all have APIs, except possibly mobile apps.

All of these virtual services are multi-tenant and / or user specific.   Most of them can have many instances in an enterprise owned by different groups in the company or different individuals.   They all have the need to be tracked in usage and when compromised or a departure occurs they need to be cleaned or repurposed.

One can imagine an asset store which allows you to add easily any asset of the above types.   Ideally, the tool would automatically discover services when possible or interface to APIs periodically to update the list of known devices or virtual services and applications being used.

There may be a cost to such tools and those costs should be tracked.   When new employees come onboard you may need to allocate some of these services and devices, similarly when they leave this has to be backed out.   Ideally you should be able to organize the assets by numerous tags, such as location, group, type of asset.   You should be able to aggregate costs, usage, incidents, instances or any other metric that makes sense.

Many assets of this type are related to each other.   For instance a number of personal cloud services may be linked to an individual.   Devices, apps may also be linked to an individual.  Devices may be linked to an office or part of an office.   For physical devices it would be good to be able to locate the devices on a map.   For virtual services it would be good to have summaries of the riskiness of the data they contain, what kinds of threats have taken place or down time incidents.  For mobile apps it would be good to be able to see the dependency on APIs, so that if an API is experiencing a problem we can assume the app dependent on it will experience a problem.

I would think a good feature would be to track the version of the firmware or app for each service or instance being used.  It should be possible to force upgrade of devices and applications if needed.

One of the major benefits of such an overarching management application would be to help account for all the holes in the organization where information can go, to provide a way to isolate and govern that information separate from the employees personal services.   Possibly to track the content or purge it when needed.

The system would also be useful for helping manage large numbers of IoT devices, their dependencies on each other and other services.  It would be integrated with device management so that upgrades could be systematically applied and vulnerabilities understood.

It should support the social aspects of these assets helping employees find assets and understand how to use them.

I believe this kind of asset management platform is essential for the new virtual enterprise.   I have been saying for a while we need a way to operate with the cloud and the inevitable swiss cheese this makes of Enterprise security.

WSO2 has an Enterprise Store, an App Manager, a Device Manager and an API Manager, and of course Identity Management. All of these can be used to provide some of the functionality I describe. In particular, the Enterprise Store can host any kind of asset I described above and provide a social front end for users to find and learn about the assets or make requests. I see these types of tools as critical to enterprise adoption of cloud and IoT in the future.

Other Articles you may find interesting like this:

Put it in the Store – The new paradigm of enterprise social asset sharing and reuse: Just put it in the store.

The Enterprise Store – App, API, Mobile

Here are some user stories for such an application:

User Stories
  • Regular Employee: see and search, in a user-friendly way, the available external APIs and internal APIs I may use, as well as mobile apps, web apps, SaaS services or other assets
  • Regular Employee: see, in a user-friendly way, the relationship of assets to each other and to groupings or other individuals
  • Regular Employee: see all the virtual services and devices I use (or am registered for) and their health and status
  • Regular Employee: see the usage and cost of the services I use
  • Regular Employee: see other people’s comments, ratings, user docs and other information about any asset in the system
  • Regular Employee: register services I use in the cloud, such as Google Docs, Dropbox, etc., that may have corporate information on them, along with the credentials for the service
  • Regular Employee: register IoT and mobile devices I use
  • Regular Employee: request an existing service, app or API for my use
  • Regular Employee: report that some service is compromised, in need of repair, or will no longer be used
  • Regular Employee: log a message with helpful advice, a complaint, a video, a bug report or any content that would be usefully associated with an asset or group of assets
  • Regular Employee: see the status of all my comments, tickets or other pending requests
  • Regular Employee: be notified via email or SMS of incidents related to the assets I use
  • Regular Employee: make a ticket request for a new asset type to be included in the store
  • Operations: do all that a regular employee can do, for all assets or the assets I am responsible for
  • Operations: see more detailed health and status of all assets I am responsible for
  • Operations: act on behalf of a regular employee or set of regular employees to request, register or do any of the regular-employee activities, with my acting on behalf of the employee logged as well
  • Operations: go into the administrative API and perform tasks related to any asset, including security, performance and upgrading
  • Operations: see the big data generated by the asset and perform queries against the logs and big data
  • Operations: be notified if any asset has a change of status or has something logged against it that may be of interest to me
  • Operations: revoke or create instances of any service, and set limits on the usage of services, devices or any asset
  • Operations: configure new services or devices; allocate the number of instances; and set security constraints and policies, fault-tolerance policies, scaling policies, and approval policies for requests for the services or devices
  • Operations: move an asset to a different lifecycle stage, such as from development to test to staging to production
  • Operations: configure the lifecycle of services or devices
  • Operations: create, modify or cancel an incident, and notify everyone involved with an asset of the availability impact, usage criteria and information about an issue
  • Operations: set up an SLA for any service or device
  • Developer: clone or create a new development environment for a service or device
  • Developer: set up continuous integration, test and deployment scripts
  • Developer: request that the service, or a version of a service, advance in its lifecycle
  • Developer: see all versions of the service or device I am working on and information related to the health or operation of that service or device
  • Developer: close a ticket related to services or devices I am responsible for
  • Developer: examine in any depth the logs or other data associated with any service or device
  • Developer: create or assign relationships between services and devices, and create new groups or tags associated with devices or services that link these or show a dependence
  • Developer: create dashboards or analytical tools that are themselves services, based on information and big data associated with services or devices
  • Developer: see more detailed health and status of all assets I am responsible for
  • Management: have configurable dashboards of operating metrics, costs, usage, incidents or other information useful for management
  • Management: research the history of the management data related to all assets
  • Management: see statistics and dashboards with respect to a single instance, a class of instances, the group responsible, the person responsible or any other tags associated with devices and services
  • Management: establish rules and policies for security
  • Management: configure new services or devices; allocate the number of instances; and set security constraints and policies, fault-tolerance policies, scaling policies, and approval policies for requests for the services or devices
  • Overall: the system must support numerous common personal cloud services; it should enable automatic logon and scanning of content and activity to ensure compliance, creation of accounts, deletion of accounts, and transfer or copying of data
  • Overall: the system must support numerous common SaaS applications and tie into their administrative and performance APIs to augment the information available in the dashboards
  • Overall: the system must support numerous common internal-use-only APIs, external APIs we provide or that are provided by others, different tiers of usage, entitlement limitations, and other policies around those APIs such as cost
  • Overall: the system must support numerous common IaaS vendors, monitor usage, and link to management APIs to be able to manage the IaaS infrastructure
  • Overall: the system must support common PaaS platforms, enable monitoring of virtual containers and instances, and tie those to assets in the store
  • Overall: the system must support numerous common mobile devices and allow MDM of those devices
  • Overall: the system must support numerous common IoT devices and allow MDM of those devices
  • Overall: the system must support numerous common apps that users can download or that come pre-configured for them
  • Overall: the system should support any amount or type of content to be placed on the wall of an asset, group, tag or class
  • Overall: the system should support security protocols such as OAuth2 and OpenID, or other protocols, to minimize the need for users to specify passwords or manage security themselves; where a service or device doesn’t support that, the system should be able to hold critical security information and invoke it to perform operations on behalf of the user
  • Overall: the system should support an unlimited number of instances of devices or services, even hundreds of thousands, and enable efficient management of large numbers of devices and services
  • Overall: the system should support monitoring performance, performing health checks automatically, geofencing for devices, and policy-based management for deviations from the norm
  • Overall: the system should support new user profiles with combinations of permissions and asset types not envisioned at this time

sanjeewa malalgodaPlanning large scale API Management deployment with clustering - WSO2 API Manager

When we do capacity planning we need to consider several factors. Here I will take a basic use case as the scenario and explain production recommendations.

With the default configuration we can have the following TPS per gateway node:
Single gateway = 1000 TPS
Single gateway with a 30% buffer added = 1300 TPS

Normally the following are mandatory for an HA setup:

WSO2 API Manager : Gateway - 1 active, 1 passive
WSO2 API Manager : Authentication - 1 active, 1 passive
WSO2 API Manager : Publisher - 1 active, 1 passive
WSO2 API Manager : Store - 1 active, 1 passive

You can compute the exact instance count based on your expected throughput.
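For example, here is a rough sizing sketch based on the numbers above. The 1000 TPS per gateway and the 30% buffer come from this post; the 2500 TPS peak load is a hypothetical input:

```java
// Rough gateway sizing: add a 30% safety buffer to the expected peak TPS,
// divide by the per-node capacity, and round up to whole nodes.
public class GatewaySizing {
    static int gatewaysNeeded(double peakTps, double perNodeTps, double buffer) {
        return (int) Math.ceil(peakTps * (1 + buffer) / perNodeTps);
    }

    public static void main(String[] args) {
        // e.g. an expected peak of 2500 TPS against 1000 TPS per gateway:
        // 2500 * 1.3 / 1000 = 3.25, rounded up to 4 nodes
        System.out.println(gatewaysNeeded(2500, 1000, 0.30)); // 4
    }
}
```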

Hardware Recommendation
Physical :
3 GHz dual-core Xeon/Opteron (or later), 4 GB RAM (minimum: 2 GB for the JVM and 2 GB for the OS), 10 GB free disk space (minimum); size the disk based on the expected storage requirements (calculate by considering file uploads and backup policies). (e.g. if 3 Carbon instances are running on a machine, it requires 4 CPUs, 8 GB RAM and 30 GB free space)
Virtual Machine :
2 compute units minimum (each unit having a 1.0-1.2 GHz Opteron/Xeon processor), 4 GB RAM, 10 GB free disk space. One CPU unit for the OS and one for the JVM. (e.g. 3 Carbon instances running require a VM of 4 compute units, 8 GB RAM and 30 GB free space)
EC2: one c3.large instance to run one Carbon instance (e.g. 3 Carbon instances require an EC2 Extra-Large instance). Note: based on the I/O performance of the c3.large instance, it is recommended to run multiple instances on a larger instance (c3.xlarge or c3.2xlarge).

When we set up clusters, we normally have a gateway cluster, a store-publisher cluster and a key manager cluster separately.
Let me explain why we need this.
In API Manager, all store and publisher nodes need to be in the same cluster as they need to do cluster communication related to registry artifacts.
When you create an API from the publisher, it should immediately appear in the store node. For this, the registry cache should be shared between store and publisher.
To do that replication, we need to have them in a single cluster.

In the same way, we need to have all gateway nodes in a single cluster as they need to share throttle counts and other runtime-specific data.

Having a few (10-15) gateway nodes in a single cluster will not cause any issues.
The only thing to keep in mind is that as the node count increases (within a cluster), cluster communication may take a small amount of additional time.

So in production deployments we normally do not cluster all nodes together.
Instead, we cluster gateways, key managers, and stores/publishers separately.

Isuru PereraJava Garbage Collection

In this blog post, I'm briefly introducing important concepts in Java Garbage Collection (GC) and how to do GC Logging. There are many resources available online for Java GC and I'm linking some of those in this post.

Why is Garbage Collection important?

When we develop and run Java applications, we know that Java automatically allocates memory for our applications. Java also automatically deallocates memory when certain objects are no longer used. As Java developers, we don't have to worry about memory allocation and deallocation, as Java takes care of managing memory for us.

This memory management is a part of "Automatic Garbage Collection", which is an important feature in Java.  It is important to know how Garbage Collection manages memory in our programs.

See Java Garbage Collection Basics, which is a great "Oracle by Example (OBE)" tutorial to understand the basics in Java GC.

See also Java Garbage Collection Distilled, What is Garbage Collection?, Java Garbage Collection Introduction, JVM performance optimization, Part 3: Garbage collection, and the whitepaper on Memory Management in the Java HotSpot™ Virtual Machine.

Java GC is also an important component when tuning performance of the JVM.

Marking and Sweeping Away Garbage

GC works by first marking all used objects in the heap and then deleting unused objects. This is called a mark-and-sweep algorithm.

GC also compacts the memory after deleting unreferenced objects to make new memory allocations much easier and faster.

The JVM references GC roots, which refer to the application objects in a tree structure. There are several kinds of GC roots in Java.

  1. Local Variables
  2. Active Java Threads
  3. Static variables
  4. JNI references
When the application can reach these GC roots, the whole tree is reachable and the GC can determine which objects are live.

Java Heap Structure

The Java heap is divided into generations based on object lifetime. This allows the GC to perform faster, as it can mark and compact objects in a particular generation. Usually in Java applications there are many short-lived objects, and fewer objects remain in the heap for a long time.

Following is the general structure of the Java Heap. (This is mostly dependent on the type of collector).

Java Memory

There are three Heap parts.
  1. Young Generation
  2. Old Generation
  3. Permanent Generation

We can define the heap sizes with JVM arguments. See Java Non-Standard Options.

Following are some common arguments.
  • -Xms - Initial heap size
  • -Xmx - Maximum heap size
  • -Xmn - Young Generation size
  • -XX:PermSize - Initial Permanent Generation size
  • -XX:MaxPermSize - Maximum Permanent Generation size
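The effect of the heap-size flags can be observed from inside a program via the Runtime API. A small sketch; the exact figures printed depend on the flags you pass and on JVM defaults:

```java
// Run with e.g. `java -Xms256m -Xmx1024m HeapInfo` and compare the figures.
public class HeapInfo {
    public static void main(String[] args) {
        Runtime rt = Runtime.getRuntime();
        System.out.println("max heap (-Xmx): " + rt.maxMemory() / (1024 * 1024) + " MB");
        System.out.println("total heap     : " + rt.totalMemory() / (1024 * 1024) + " MB");
        System.out.println("free           : " + rt.freeMemory() / (1024 * 1024) + " MB");
    }
}
```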

Young Generation

Young Generation usually has Eden and Survivor spaces.

All new objects are allocated in the Eden space. When it fills up, a minor GC happens. Surviving objects are first moved to the survivor spaces. When an object survives several minor GCs (the tenuring threshold), it is eventually moved to the old generation based on its age.

Old Generation

This stores long surviving objects. When this fills up, a major GC (full GC) happens. A major GC takes a longer time as it has to check all live objects.

Permanent Generation

This has the metadata required by JVM. Classes and Methods are stored here. This space is included in a full GC.

In Java 8, the PermGen is removed and replaced by Metaspace.

"Stop the World"

When certain GC events happen, all application threads are stopped until the GC operation completes. These kinds of GC events are called "Stop the World" events/pauses.

When tuning GC, one of the main targets is to reduce the duration of "Stop the World" pauses.

Java Garbage Collectors

Following are some garbage collectors available in Java 7, and there are different scenarios in which to use them. See Java Garbage Collectors in the OBE tutorial, Types of Java Garbage Collectors, Garbage Collection in Java (1) - Heap Overview and Understanding Java Garbage Collection.

  1. The Serial GC
  2. The Parallel Scavenge (PS) Collector
  3. The Concurrent Mark Sweep (CMS) Collector
  4. The Garbage First (G1) Collector
See Java HotSpot VM Options for specific flags to enable above collectors.

My test runs revealed that the Parallel GC and the Parallel Old GC flags activate the Parallel Scavenge Collector (Java 1.7.0_80).

Following are some of my observations when using different collectors with Java 7 (I got the Young & Old Garbage Collectors from the GC configuration tab after opening a Java Flight Recording in Java Mission Control).

Garbage Collectors
Name                  | JVM Flag                | Young Collector  | Old Collector
Serial GC             | -XX:+UseSerialGC        | DefNew           | SerialOld
Parallel Old          | -XX:+UseParallelOldGC   | ParallelScavenge | ParallelOld
Parallel New          | -XX:+UseParNewGC        | ParNew           | SerialOld
Concurrent Mark Sweep | -XX:+UseConcMarkSweepGC | ParNew           | ConcurrentMarkSweep
Garbage First         | -XX:+UseG1GC            | G1New            | G1Old

JVM GC Tuning Guides

See following:


A GC can be triggered by calling System.gc() from a Java program. However, a call to System.gc() does not guarantee that the system will run a GC.

Using this method is not recommended; we should let the JVM run GC whenever needed.

The finalize() method

An object's finalize() method is called by the garbage collector before the object's memory is reclaimed. We can override the finalize() method to clean up any resources.
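As a sketch, finalize() is best treated as a safety net rather than the primary cleanup path, since GC timing is unpredictable (the class name ResourceHolder is mine, for illustration):

```java
public class ResourceHolder {
    private boolean released = false;

    public void release() {
        released = true;            // explicit cleanup, the preferred path
    }

    @Override
    protected void finalize() throws Throwable {
        try {
            if (!released) {
                release();          // safety net if the caller forgot to release
            }
        } finally {
            super.finalize();       // always chain to the superclass finalizer
        }
    }

    public static void main(String[] args) {
        ResourceHolder holder = new ResourceHolder();
        holder.release();           // clean up explicitly; don't rely on GC timing
        System.out.println("released=" + holder.released);
    }
}
```

Note that there is no guarantee when (or even whether) finalize() will run, which is why explicit release is preferred.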

GC Logging

There are JVM flags to log details for each GC. See Useful JVM Flags – Part 8 (GC Logging)

See Understanding Garbage Collection Logs.

Following are some important ones. The last two flags log the application times.

GC Logging Flags

-XX:+PrintGC                          | Print messages at garbage collection
-XX:+PrintGCDetails                   | Print more details at garbage collection
-XX:+PrintGCTimeStamps                | Print timestamps at garbage collection
-XX:+PrintGCApplicationStoppedTime    | Print the time the application was stopped during GC
-XX:+PrintGCApplicationConcurrentTime | Print the time the application ran between GC pauses

Note: "-verbose:gc" is the same as "-XX:+PrintGC".

The "-Xloggc:" flag can be used to output all GC logging to a file instead of standard output (console).

The following flags can be used with "-Xloggc" for log rotation.

GC Log File Flags to be used with -Xloggc

-XX:+UseGCLogFileRotation | Enable GC log rotation
-XX:NumberOfGCLogFiles=n  | Set the number of files to use when rotating logs; must be >= 1. E.g. -XX:NumberOfGCLogFiles=100
-XX:GCLogFileSize=size    | The size of the log file at which point the log will be rotated; must be >= 8K. E.g. -XX:GCLogFileSize=8K

Note: Evan Jones has found that JVM statistics cause garbage collection pauses.

Viewing GC Logs

The GCViewer is a great tool to view GC logs created by the above-mentioned flags.



This blog post briefly introduced Java garbage collection, the Java heap structure, the different types of garbage collectors, and how to do GC logging. I strongly recommend going through the links and reading them. Those resources have much more detail; this blog post is just a summary of Java GC.

Some resources have outdated information, so it's better to run some sample programs and try things out.

I used the sample Java2D demo as explained in the OBE tutorial to test different garbage collectors. If you used my Java Installation Script, all Java demos will be installed inside $JAVA_HOME/demo.

Following are some example commands I used.

#Default Collector
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -XX:PermSize=20m -XX:MaxPermSize=40m -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar
#Serial GC
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -Xmn1m -XX:PermSize=20m -XX:MaxPermSize=40m -XX:+UseSerialGC -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar
#Parallel GC
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -Xmn1m -XX:PermSize=20m -XX:MaxPermSize=40m -XX:+UseParallelGC -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar
#Parallel Old GC
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -Xmn1m -XX:PermSize=20m -XX:MaxPermSize=40m -XX:+UseParallelOldGC -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar
#Concurrent Mark Sweep GC
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -Xmn1m -XX:PermSize=20m -XX:MaxPermSize=40m -XX:+UseConcMarkSweepGC -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar
#Parallel New GC
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -Xmn1m -XX:PermSize=20m -XX:MaxPermSize=40m -XX:+UseParNewGC -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar
#Garbage First (G1) collector
$JAVA_HOME/bin/java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -Xmx20m -Xms3m -XX:+UseG1GC -jar $JAVA_HOME/demo/jfc/Java2D/Java2Demo.jar

#GC Logging
#-XX:+PrintGCDetails -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCApplicationStoppedTime -XX:+PrintGCApplicationConcurrentTime -Xloggc:gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=100 -XX:GCLogFileSize=1024K

sanjeewa malalgoda: How to add an API using curl commands in 3 steps (UI design/implement/manage)

Listing these instructions here as they can help anyone.

Create an API with the normal add-API design/implement/manage calls.
Execute the following three commands and the API will be created; this is how an API is created from the UI.

curl -F name="test-api" -F version="1.0" -F provider="admin" -F context="/test-apicontext" -F visibility="public" -F roles="" -F apiThumb="" -F description="" -F tags="testtag" -F action="design" -F swagger='{"apiVersion":"1.0","swaggerVersion":"1.2","authorizations":{"oauth2":{"scopes":[],"type":"oauth2"}},"apis":[{"index":0,"file":{"apiVersion":"1.0","basePath":"","swaggerVersion":"1.2","resourcePath":"/test","apis":[{"index":0,"path":"/test","operations":[{"nickname":"get_test","auth_type":"Application & Application User","throttling_tier":"Unlimited","method":"GET","parameters":[{"dataType":"String","description":"AccessToken","name":"Authorization","allowMultiple":false,"required":true,"paramType":"header"},{"description":"RequestBody","name":"body","allowMultiple":false,"required":true,"type":"string","paramType":"body"}]},{"nickname":"options_test","auth_type":"None","throttling_tier":"Unlimited","method":"OPTIONS","parameters":[{"dataType":"String","description":"AccessToken","name":"Authorization","allowMultiple":false,"required":true,"paramType":"header"},{"description":"RequestBody","name":"body","allowMultiple":false,"required":true,"type":"string","paramType":"body"}]}]}]},"description":"","path":"/test"}],"info":{"title":"test-api","termsOfServiceUrl":"","description":"","license":"","contact":"","licenseUrl":""}}' -k -X POST -b cookies https://localhost:9443/publisher/site/blocks/item-design/ajax/add.jag

curl -F implementation_methods="endpoint" -F endpoint_type="http" -F endpoint_config='{"production_endpoints":{"url":"http://appserver/resource/ycrurlprod","config":null},"endpoint_type":"http"}' -F production_endpoints="http://appserver/resource/ycrurlprod" -F sandbox_endpoints="" -F endpointType="nonsecured" -F epUsername="" -F epPassword="" -F wsdl="" -F wadl="" -F name="test-api" -F version="1.0" -F provider="admin" -F action="implement" -F swagger='{"apiVersion":"1.0","swaggerVersion":"1.2","authorizations":{"oauth2":{"scopes":[],"type":"oauth2"}},"apis":[{"index":0,"file":{"apiVersion":"1.0","basePath":"","swaggerVersion":"1.2","resourcePath":"/test","apis":[{"index":0,"path":"/test","operations":[{"nickname":"get_test","auth_type":"Application & ApplicationUser","throttling_tier":"Unlimited","method":"GET","parameters":[{"dataType":"String","description":"AccessToken","name":"Authorization","allowMultiple":false,"required":true,"paramType":"header"},{"description":"RequestBody","name":"body","allowMultiple":false,"required":true,"type":"string","paramType":"body"}]},{"nickname":"options_test","auth_type":"None","throttling_tier":"Unlimited","method":"OPTIONS","parameters":[{"dataType":"String","description":"AccessToken","name":"Authorization","allowMultiple":false,"required":true,"paramType":"header"},{"description":"RequestBody","name":"body","allowMultiple":false,"required":true,"type":"string","paramType":"body"}]}]}]},"description":"","path":"/test"}],"info":{"title":"test-api","termsOfServiceUrl":"","description":"","license":"","contact":"","licenseUrl":""}}' -k -X POST -b cookies https://localhost:9443/publisher/site/blocks/item-design/ajax/add.jag

curl -F default_version_checked="" -F tier="Unlimited" -F transport_http="http" -F transport_https="https" -F inSequence="none" -F outSequence="none" -F faultSequence="none" -F responseCache="disabled" -F cacheTimeout="300" -F subscriptions="current_tenant" -F tenants="" -F bizOwner="" -F bizOwnerMail="" -F techOwner="" -F techOwnerMail="" -F name="test-api" -F version="1.0" -F provider="admin" -F action="manage" -F swagger='{"apiVersion":"1.0","swaggerVersion":"1.2","authorizations":{"oauth2":{"scopes":[],"type":"oauth2"}},"apis":[{"index":0,"file":{"apiVersion":"1.0","basePath":"","swaggerVersion":"1.2","resourcePath":"/test","apis":[{"index":0,"path":"/test","operations":[{"nickname":"get_test","auth_type":"Application & ApplicationUser","throttling_tier":"Unlimited","method":"GET","parameters":[{"dataType":"String","description":"AccessToken","name":"Authorization","allowMultiple":false,"required":true,"paramType":"header"},{"description":"RequestBody","name":"body","allowMultiple":false,"required":true,"type":"string","paramType":"body"}]},{"nickname":"options_test","auth_type":"None","throttling_tier":"Unlimited","method":"OPTIONS","parameters":[{"dataType":"String","description":"AccessToken","name":"Authorization","allowMultiple":false,"required":true,"paramType":"header"},{"description":"RequestBody","name":"body","allowMultiple":false,"required":true,"type":"string","paramType":"body"}]}]}]},"description":"","path":"/test"}],"info":{"title":"test-api","termsOfServiceUrl":"","description":"","license":"","contact":"","licenseUrl":""}}' -F outSeq="" -F faultSeq="json_fault" -F tiersCollection="Unlimited" -k -X POST -b cookies https://localhost:9443/publisher/site/blocks/item-design/ajax/add.jag

Rushmin Fernando: Application / Subscription Sharing in WSO2 API Manager 1.9

How it works

This feature enables users in the same organization (group) to share applications and subscriptions. All the applications and subscriptions created by a user in an organization are visible to the other users in the same organization.

How does API Manager know the organization of a user ?

WSO2 API Manager Store and Publisher web apps support more than one authentication mechanism, e.g. authentication via Carbon user stores or SAML-based SSO.

As a result, the way the organization of a user is determined must vary accordingly.

API Manager ships with a default implementation for the default authentication mechanism, and it has the flexibility to plug in a different implementation.

This article explains how application / subscription sharing can be done with the default implementation.

Enabling application / subscription sharing

Uncomment the following line in APIM_HOME/repository/conf/api-manager.xml

Use case

1) A user gives his/her organization during the sign-up process (see Fig. 1).
user_a and user_b belong to org_1

Fig. 1

2) Then the user creates a new application (see Fig. 2).
    user_a creates app_a.

Fig. 2

3) Since user_b also belongs to org_1, he can see the application which user_a created (see Fig. 3).

Fig. 3

4) user_a subscribes to WeatherAPI (See Fig. 4)

Fig. 4

5) Since user_b also belongs to org_1, he can see the subscription to WeatherAPI (see Fig. 5).

Fig. 5

sanjeewa malalgoda: Deploy WSO2 API Manager across multiple datacenters - High availability for API Manager

In this post I will discuss how we can deploy WSO2 API Manager across multiple data centers.

Problems with normal clustered deployment across multiple data centers.
  • The databases are accessed (by the gateway node in the secondary data center) across two regions. (This slows down server startup, as multiple DB calls are invoked.)
  • Publishing an API to the gateway is done through web service calls across data centers.
  • Since the gateway at the secondary site uses the KeyManager node at the master site (please correct us if we are mistaken here), API access token validation is done through web service calls across data centers.
  • As we observed, gateways in both deployments will not be synced up properly.
  • Throttle counts will be maintained per data center.
So this will not be a scalable solution, as servers need to communicate across data centers.
A large number of database calls and web service calls may cause extreme slowness, and in the future that may lead to a lot of other issues.
In this kind of situation, the ideal solution is to have one master data center and a few read-only data centers.
We still will not be able to overcome issues caused by the missing cluster communication across nodes, but we will be able to perform basic tasks across all data centers.

Master data center.
The API Store, Publisher, Gateway and Key Manager will be deployed here, all connected to read/write databases.
All API creation, subscription creation and token generation should happen here.
Once a new API is published, it will be pushed to a server such as Dropbox or a file server (artifact server). The read-only nodes then have to pick the API config up from there (we may not be able to use the deployment synchronizer here).
That is the only way we can avoid API publishing calls between data centers.

Read only data centers.
In these data centers we will have Gateway and Key Manager nodes, and those will only serve API requests.
In these data centers we will have database servers which are synced up with the master data center databases. We can have a replicated database cluster and replicate the data.
Also, we may not be able to enable clustering across data centers. Because of that, data centers may keep their own throttle counters etc. (which we cannot avoid).

Here is a sample deployment diagram for suggested solution.

Shiva Balachandran: Why is it important to optimize your website for a mobile viewing audience?


Block 3, cracking why we need responsive sites.

Originally posted on Block Three Creative:

With the numerous capabilities now offered by the mobile device market, browsing the internet has become that much more frequent and easier. So the question stands: why should your website be mobile first?

The answer lies in understanding user behavior: which devices users most frequently use to access the internet. This information may differ from country to country, depending on how mobile-friendly smartphone users are or on their access to the internet.


As the image above shows, smartphone usage for accessing the internet is at 80%, which means more and more of your customers are online through their smartphones. The sooner you understand and grasp the potential, the easier it'll be to understand why it's important that your website be mobile friendly.

Your website acts as your 24×7 employee, give it the right tools to sell and your website automatically generates the leads.

More on the “fundamental tools for…


Lali Devamanthri: Collaboration of Devs and Ops, Hi DevOps!!

What is DevOps?

There is no definitive answer, only lots of opinions about what is covered under DevOps and what's not. Born of the need to improve IT service delivery agility, the DevOps movement emphasizes communication, collaboration and integration between software developers and IT operations. Rather than seeing these two groups as silos who pass things along but don't really work together, DevOps recognizes the interdependence of software development and IT operations and helps an organization produce software and IT services more rapidly, with frequent iterations.

First, the whole point of DevOps is to change the culture of dev and ops. But the reality is that many companies want to designate someone as the DevOps engineer. Usually a more accurate title for that person would be Automation Engineer or something along those lines, but we work within the constraints we are given.

Common DevOps mistakes when scaling

When it comes to scaling, most companies are pretty decent at scaling up infrastructure, and pretty awful at scaling up code (at least on the infrastructure side of things, i.e. Ops). Lots of people take a 2000-line mentality into a 20000-line project. Some companies have engineers who can code a large architecture and keep scalability in mind, but they get hamstrung by their ops people.

The main issue when scaling up is cultural change. When the organization is small, everything relies on one go-to guy under a lot of pressure to work quickly. Choices are made which aren't always the best or the most scalable, and every fix is a quick and dirty job. Naturally, documentation is an afterthought.

When the same organization grows, the same person is likely very insecure about the choices he or she has made. Collaboration with the new guys is often an issue.

Management also often makes the common mistake of pushing to retrofit automation tools before standardization and process, which creates as many problems as it solves and introduces new risks. Design your infrastructure in modules as soon as possible. Make it so each module can easily be replaced, added or removed as needed. Also, document stuff and don't feed the IT hero culture.

Other common pitfalls would be,

  • Premature optimization.
  • Reinventing the wheel… in a completely non-scalable way.
  • Not using indexes/foreign keys.
  • Fashion driven development (mongo, hey!)
  • Not creating a stateless infrastructure where possible
  • Not throwing hardware at a problem first (is your database server a bit slow? have you tried just installing an SSD/upgrading the RAM?)
  • Not doing performance testing before optimizing
  • Not admitting that used schema sucks
  • Not admitting that the method use for the database sucks, not the database itself. Yes, the problem is us, it is not the database.
  • Thinking that things are easy.
  • Wanting to solve problems with new technologies with fancy names.
  • Jumping into those technologies without researching them.
  • Not hiring a DevOps person, but instead getting a developer to act like a sysadmin.
  • Taking prototypes and turning them into production, then complaining when they crash; prototypes which were explicitly stated as things that would not scale.

Fashion driven development really hits home. It's understandable how it happens. I mean, who doesn't want to be an early adopter of the latest framework, DB, etc.? But in the real world, you really need an actual data-driven argument for why the new system is measurably better than the tried and true. Most engineers learn this eventually.

Exposing too much information about your environment is another problem. People start to hardcode around that information and it makes scaling hard. For example, consider a work environment with three data centers: west, central and east. Servers in those data centers have a number associated with their location in the hostname. I have seen far too much code wired to this information. If we added or removed a location there would be a ton of refactoring. Staying ambiguous makes changing architecture and technology easier.

Every year DevOps teams deal with at least a few clients where the founder knows that their infrastructure is buggy and insecure, but there's often a main "first hire" developer who is very reluctant to let you look under the hood, ostensibly because they are embarrassed by what's there. Don't judge, because those decisions get made, often under extreme pressure, by people who may or may not understand the technical risks and tradeoffs. Hopefully DevOps will be able to close the gap somewhat for founders, so they can make better-informed decisions regarding this stuff and maybe even work more harmoniously with their technical people.

Lali Devamanthri: Apache Lucene™ 5.2.0 available

Apache Lucene is a high-performance, full-featured text search engine
library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform.

This release contains numerous bug fixes, optimizations, and improvements,
some of which are highlighted below.

* Span queries now share document conjunction/intersection code with
boolean queries, and use two-phased iterators for faster intersection by
avoiding loading positions in certain cases.
SpanQuerys allow for nested, positional restrictions when matching documents in Lucene. SpanQuerys are much like PhraseQuerys or MultiPhraseQuerys in that they all restrict term matches by position, but SpanQuerys can be much more expressive.

* Added two-phase support to SpanNotQuery, and SpanPositionCheckQuery and
its subclasses: SpanPositionRangeQuery, SpanPayloadCheckQuery,
SpanNearPayloadCheckQuery, SpanFirstQuery.
The basic SpanQuery units are the SpanTermQuery and the SpanNearQuery.

* Added a new query time join to the join module that uses global
ordinals, which is faster for subsequent joins between reopens.

* New CompositeSpatialStrategy combines speed of RPT with accuracy of SDV.
Includes optimized Intersect predicate to avoid many geometry checks. Uses

* New LimitTokenOffsetFilter that limits tokens to those before a
configured maximum start offset.

* New spatial PackedQuadPrefixTree, a generally more efficient choice
than QuadPrefixTree, especially for high precision shapes. When used, you
should typically disable RPT’s pruneLeafyBranches option.
PackedQuadPrefixTree subclass of QuadPrefixTree, this SpatialPrefixTree uses the compact QuadCell encoding.

* Expressions now support bindings keys that look like zero arg functions

* Added SpanWithinQuery and SpanContainingQuery that return spans inside of
/ containing other spans.

* New Spatial “Geo3d” API with partial Spatial4j integration. It is a set
of shapes implemented using 3D planar geometry for calculating spatial
relations on the surface of a sphere. Shapes include Point, BBox, Circle,
Path (buffered line string), and Polygon.
The release is available for immediate download here

Prabath Siriwardena

WSO2 Identity Server

The Inside Story

WSO2 was my second job since graduation.

Like anyone who is excited on his first day at work, I walked into this amazing, yet quite simple, office building on Flower Road, right opposite the Ladies' College. I knew nothing yet of what I had to do - and was thrown into a bunch of people who were developing a product called 'WSO2 Identity Solution'.

WSO2 was nothing as big as it is today. If I am not mistaken, we had no more than 30 engineers.

It was the 1st of November 2007 - the entire Identity Solution team was busy working on its 1.0.0 release. Oh - yes.. I've been there since the 1.0.0 release! And I am the only one who remained in the team till its 5.0.0 release, which was in June 2014. This qualifies me enough to write this blog post. I've been with the team all the way throughout - all the way with sweet gains and bitter pains.

We had only three people actively working on the Identity Solution product in 2007. Do not count me yet - I had just joined. They were Ruchith, Dimuthu and Dumindu. Nandana was there too, but he was mostly working on the Apache Rampart project.

Identity Solution 1.0.0 was released in December, 2007.

WSO2 Identity Solution 1.0.0 Released!

I still remember Dimuthu arguing with Ruchith - 'Are you sure we want to release this now?'. Dimuthu was an amazing character in the Identity Solution team - and since then we have been extremely good friends. After some years she went on maternity leave and came back - I wrote the following email to the team list (email group), which is a clear reflection of who Dimuthu is :-). She is now a Director at WSO2 and is also leading the WSO2 App Factory.
The ring tone heard for a while with no one to pick - once again I hear from my next desk... 
The humming came around tea - comes once again and we know it's tea.... 
Sound of a 'punch' on the desk, hear we again - she has fixed an issue.. 
She is back - and she is a mother now - of a wonderful kid... 
She was a starting member of Axis2 and a key contributor to Rampart, WSO2 Carbon and Identity Server... 
More than anything else she is the 'Mother of User Manager'.. 
It's my utmost pleasure to welcome back DimuthuL - after the maternity leave..
(29th November, 2010)
Ruchith was the key architect behind the Identity Solution and also the first product lead. Interestingly, he is also the very first WSO2 employee. Most of the Apache Rampart code was written by Ruchith. WSO2 had a great foundation in SOAP and was actively involved in Apache Axis2 development. If someone is new to Rampart, it is the Axis2 module for SOAP security.

By December 2007 we only had very few products: Web Services Application Server (WSAS), Enterprise Service Bus (ESB), Data Services Solution (later became Data Services Server), Registry (later became Governance Registry) and the Identity Solution (later became Identity Server).

Identity Solution 1.0.0 only had support for Information Card (InfoCard). Information Card is an open standard, mostly pushed by Microsoft and led by Kim Cameron. Since WSO2 had a very strong foundation in WS-Security and WS-Trust, implementing the Information Card specification was quite straightforward. We were among the very few Java implementations that had support for Information Card by that time. We also actively participated in most of the interop events. On my first day at WSO2 I didn't meet Ruchith; he was in the USA participating in an Information Card interop event. Interop events definitely helped us to steer the product in the right direction and validate our implementation. By the way, there was a popular joke at that time - an interop event is a place where all the other vendors test with Microsoft and fix anything that does not work with them :-).

This article written by Dimuthu explains how to add Information Card support to Java EE web applications:

Identity Solution 1.0.0 was an Information Card provider. In addition to the product release we also released a set of Information Card relying party components along with the product. One was a Java EE servlet filter and the other one was an Apache module. Dumindu was the one who developed the Apache module - he was the C guy in the Identity Solution team.

How to setup an Information Card relying party with Apache:

It was the era when a lot of changes started to happen in the field of Internet identity. Kim Cameron, the chief Identity Architect of Microsoft, was one of the pioneers who led the effort. He built the famous Seven Laws of Identity with community contribution. I was passionate about Kim's writings and he was a hero of mine. Later, when I got an opportunity to visit Microsoft in April 2008 with Ruchith to participate in an Information Card design event, I was hoping I would be able to meet Kim - but unfortunately he didn't come to the event. Later - after many years - I met Kim several times and got the opportunity to exchange a few ideas. Arguably, Kim is known as the father of modern Internet Identity.

OpenID, in 2005, followed in the footsteps of SAML and started to challenge Information Card, which was the most emerging standard by then, with a lot of buzz around it. OpenID was initiated by the founder of LiveJournal, Brad Fitzpatrick. The basic principle behind both OpenID and SAML is the same: both can be used to facilitate web single sign-on and cross-domain identity federation. OpenID was not competing with Information Card, even though most got confused about when to use what.

It was my first task to add OpenID support to WSO2 Identity Solution. It took almost 3+ months and shipped with Identity Solution 1.5.0 in April 2008 - just before the April holidays. In addition to OpenID 1.1 and 2.0, we also added OpenID InfoCard support. The OpenID InfoCard specification talks about how to send OpenID claims in an Information Card. By the way, IS 1.5.0 was the first release for which I acted as the release manager. For both IS 1.0.0 and 1.5.0, Chanaka (Jayasena) did the complete UI theming.

Information Cards vs OpenID Information Cards:

Both IS 1.0.0 and 1.5.0 used Struts to build their web interfaces. Most of the WSO2 products had gotten rid of Struts by then - IS was the only remaining product. There was a rumor that it was because of Ruchith that Identity Solution was still able to go ahead with Struts :-).

There was a discussion going on at that time about building a common framework for all WSO2 products. With that, ESB wouldn't have its own web interface and App Server wouldn't have its own web interface - all the products would share the same web interface, the same look and feel, and the same object model. It was in early 2008 that we had the WSO2 Carbon kickoff meeting at the Trans Asia hotel (now Cinnamon Lake Side), Colombo. Both Ruchith and I were there representing the Identity Solution team. If I remember correctly, I was the only one at that meeting who didn't speak a single word :-).

WSO2 Carbon later became an award winning framework to build servers - based on OSGi.

Just after the IS 1.5.0 release, we had a client interested in implementing OpenID support with it. This was my first client engagement as well as the very first client for the Identity Solution. Ruchith and I had to fly to London. We were informed about the client engagement a month or two in advance - but neither of us was keen to apply for a visa. At that time it took a minimum of three weeks to get a UK visa, but we applied just a week or two before. Both of us were given an earful by our CTO, Paul. To everyone's surprise, both of us got visas within just 3 days :-). Even today we do not know how that magic happened!

It was my first trip out of the country and I was lucky to be accompanied by Ruchith, who was an amazing guide! We met Paul (our CTO) in London and all three of us went to the client. Just before we entered the client premises, Paul turned to us - first to Ruchith - 'You are the security expert' - then to me - 'You are the OpenID expert'. We went in.

After finishing our work with our first Identity Solution client, both Ruchith and I flew to Seattle to participate in a technical design meeting at Microsoft around the future of Information Card. Then we had to return to London to finish some more work with our client. Interestingly, on our return trip to London, only at the reception of the Holiday Inn did we find out there were no hotel bookings for us. We got Udeshika (now our Vice President of Administration) on the phone and she settled everything for us.

A few weeks after returning to Colombo from the three-week-long UK/USA trip, I had to get ready for the first ever Identity Solution webinar. Unlike nowadays, we did not have webinars frequently then. It was on 'Understanding OpenID' - I was overjoyed by the response!

Ruchith left the company in July 2008 for his higher studies. He joined Purdue University and, after completing his Ph.D. last year, now works for Amazon. The photo above was taken at Ruchith's farewell - from left to right: Dimuthu, Dumindu, Ruchith, Nandana and me. The image on Dumindu's shirt is an Information Card.

Never they leave.. just checking out.. :

Everyone started to be fascinated by Carbon and OSGi. The plan was to build WSO2 WSAS and the ESB on top of WSO2 Carbon first. Focus on the Identity Solution was diluted a bit during this time. Security was a key part of the Carbon core, and the entire Identity Solution team had to work on the migration - to make the User Manager component OSGi compliant and make it a part of the Carbon platform.

WSO2 User Manager started as a WSO2 Commons project, with its own release cycle and its own product page. It was just a library, included in all WSO2 products. User Manager knows how to connect you to an LDAP, Active Directory or JDBC-based user store. Most of the User Manager code at that time was written by Dimuthu - she was called User Manager Manager :-)

Nandana was the Rampart guy. He was actively contributing to the Apache Rampart and Rahas. During the initial Carbon release Nandana played a key role in bringing them into the Carbon platform.

After the initial release of WSO2 WSAS and ESB on top of Carbon, next came the Identity Solution, Registry and the Mashup Server. It was almost a complete rewrite. After Ruchith left the company for higher studies, I was appointed Product Manager of the Identity Solution and had to lead the migration effort to the Carbon platform. It was easy by then, since the complete pain had already been taken by the ESB and WSAS teams - we knew whom to meet when we hit an issue.

During the same period, in April 2009, Thilina joined Identity Solution team. In the above photo - from left to right Thilina, Nandana and me.

Thilina's addition to the team reduced our migration load. His first contribution was to implement SAML 2.0 token profile support for Apache Rampart. Rampart was a key component of the Identity Solution, and one of our customers, who was waiting for the next Identity Solution release, had requested SAML 2.0 token profile support. In addition to that, Thilina also implemented XMPP-based authentication for OpenID logins. XACML 2.0 support was another customer requirement. For anyone new to XACML, XACML is the de facto standard for policy-based access control. I implemented that on top of the Sun XACML implementation (later we forked Sun XACML as WSO2 Balana and implemented XACML 3.0 on top of it).

After IS 1.5.0 - it took more than a year to do the next IS release - which was IS 2.0.0.

Sumedha, who was leading the Data Services Solution by that time (now the Director of API Architecture), came up with a suggestion to rename that product to Data Services Server. We followed the same approach and in July 2009 released the Identity Server 2.0.0. IS 2.0.0 is the very first version of the Identity Server built on top of the WSO2 Carbon platform.

Even though we added XACML support in IS 2.0.0 - it was at a very basic level. There was no editor - you simply had to write the policy by hand. The first comment from one of our customers was: 'Nice - but you've got to have a PhD in XACML to write policies with your Identity Server'. He was not kidding - we took it dead seriously. Later, when Asela joined the IS team, he worked on developing one of the best XACML policy editors for the Identity Server.

A couple of months after the IS 2.0.0 release, in September 2009, Nandana left the company to pursue higher studies. He joined Universidad Politécnica de Madrid as a Ph.D. student. The following photo was taken at Nandana's farewell.

Soon after Nandana left, Thilina stepped up and filled the vacuum created by his absence. By then we had Dimuthu, Thilina and me in the Identity Server team. In October 2009, we released Identity Server 2.0.1. In addition to the bug fixes, we also added WS-Federation passive profile support in IS 2.0.1. Just a month after the 2.0.1 release, I did a demo and a talk on its support for the WS-Federation passive profile at ApacheCon 2009 - in November. It was my first ApacheCon and also the 10th anniversary of ApacheCon.

I met Nandana, who had left WSO2 in September, at the ApacheCon.

We didn't add much to the Identity Server 2.0.2 release done in November 2009 and the Identity Server 2.0.3 release in February 2010. Mostly those were bug fix releases. Focus on new Identity Server features faded a bit during this period, mostly due to the increased interest in the cloud.

Around mid 2009, during a company dinner with the board at the Hilton Hotel Colombo, I met Paul. Paul mentioned the company's interest in moving into the cloud; the WSO2 Governance Registry and the WSO2 Identity Server had been identified as the cloud services to get started with.

Governance as a Service (GaaS) was the first ever WSO2 cloud offering. It was in January 2010. Next to follow was Identity as a Service (IDaaS) in February 2010. Thilina played a major role in adding multi-tenancy support to the Identity Server. OpenID, Information Card and XACML were all made available as cloud services. In 2011, we were awarded the KuppingerCole European Identity Award in the cloud provider offerings category.

Still the Identity Server team was just 3 members: Dimuthu, Thilina and me. Most of the time Dimuthu focused on the user management component. It was the time we got a few new faces. Amila (Jayasekara) joined the Identity Server team in March 2010, Asela in April and Hasini in September. We were six then. Around the same time Dimuthu went on maternity leave - Amila and Hasini started looking into what Dimuthu did. We were back to 5 members.

Interestingly, Asela joined WSO2 as a QA engineer and straightaway started testing the Identity Server. He is an amazing guy - and also a batch mate of Thilina from the University of Moratuwa. After a few months of him testing the Identity Server and reporting bugs - we felt he had spent enough time in QA and took him directly into the Identity Server development team. Just as a twist of fate, once Asela joined the development team he had to fix the bugs he had reported himself as a QA engineer :-)

Once Hasini joined the team, Amila shifted his focus from the user manager to Rampart and WSS4J improvements. He worked on upgrading Rampart to work with WSS4J 1.6.

Once done with the IDaaS deployment - we again started worrying about adding more ingredients into the Identity Server product. Initially GaaS had its own login and IDaaS had its own. There were also more cloud offerings to follow - ESB, App Server, Data Services Server and many more. One critical requirement, raised due to the need to log in multiple times for each cloud service, was support for single sign-on (SSO) between all WSO2 cloud services. We already had support for OpenID - but we picked SAML over OpenID to cater to our need there.

SAML was mostly used to facilitate web single sign-on. It can be just within the same domain or between domains. SAML v2.0 - in 2005 - was built on the success of SAML 1.1 and other similar single sign-on standards. It unified the building blocks of federated identity in SAML v1.1 with inputs from the Shibboleth initiative and the Liberty Alliance's Identity Federation Framework. It was a very critical step towards the full convergence of federated identity standards.

Someone had to implement SAML and add it to the Identity Server. Naturally it was Thilina, who already had experience working with SAML - while implementing SAML 2.0 token profile support for Apache Rampart. Thilina implemented SAML 2.0 Web SSO and SLO profiles for Identity Server.

OAuth was another area of focus for us. OAuth 1.0 was the first step towards the standardization of identity delegation. I started adding 2-legged OAuth 1.0 support to the Identity Server - and in May 2010 - when we released Identity Server 3.0.0 - both the SAML 2.0 and OAuth 1.0 features were included.

2-legged OAuth with OAuth 1.0 and OAuth 2.0:

Asela played the release manager role for Identity Server 3.0.1 - released in September 2010 as a bug fix release.

Even though we had support for XACML in the Identity Server, we were left with two issues. We didn't have a proper XACML editor, and we didn't have support for XACML 3.0. We had implemented XACML support on top of Sun XACML, which by that time was a dead project with only 2.0 support. Asela was our choice to work on this. His first serious task after joining the Identity Server team was to implement a XACML policy wizard. It was not easy. We did not want to build just another editor. After some iterations, Asela came up with one of the best policy editors out there for XACML. We included it for the first time in Identity Server 3.2.0, which was released in June 2011.

IS 3.2.0 also had another key feature addition apart from the XACML policy editor. Until then we had shipped all WSO2 products with an H2 based user store. It was Amila who integrated the Apache Directory Server LDAP with the Identity Server and all the other WSO2 products. Later, except for the Identity Server, all the rest went back to using the same H2 based user store. In addition, Amila also integrated Kerberos KDC support from Apache DS with the Identity Server. Identity Server 3.2.0 could act as a Kerberos key distribution center.

While the team was working on the next Identity Server release, we had an interesting event in Sri Lanka: the National Best Quality ICT Awards 2011. WSO2 participated there for the first time in 2010, and WSO2 ESB won the overall gold. 2011 was the first time for the WSO2 Identity Server. Along with the Identity Server, the WSO2 Governance Registry, WSO2 Carbon and the WSO2 Application Server were submitted for the awards, under different categories. The Identity Server was submitted under the 'Research and Development' category. All the products were selected for the first round. Senaka (Gov Registry), Hiranya (Application Server), Sameera (Carbon) and I (Identity Server) presented each product before the judging panel. We went to the second round - and to the finals. We knew nothing about the awards till they were announced at the awards ceremony on the 8th of October. I missed the awards night - I was with a customer in New Jersey, USA. It was Paul who passed me the message first, over chat - that the Identity Server had won a Gold. I was with Amila and Asanka - we were thrilled by the news. The Governance Registry won a Silver award, Carbon won a Merit award and the Application Server won the overall Gold.

In the following photo Thilina (third from the left) is carrying the award for the WSO2 Identity Server.

In November 2011, we did the Identity Server 3.2.2 release. It had more improvements to the existing feature set. One key improvement was support for 3-legged OAuth with OAuth 1.0.

In December 2011, Identity Server 3.2.3 was released. Hasini was the release manager. One of the key improvements we did for IS 3.2.3 was to introduce a Thrift interface for the XACML PDP engine. Till then it was only SOAP, and later we found that Thrift was 16 times faster than SOAP over HTTP. IS 3.2.3 was a huge success. Even today, the largest deployment of the Identity Server is based on IS 3.2.3. One of our clients runs the Identity Server over a 4 million+ user base in Saudi Arabia, as an OpenID Provider.

The following photo was taken at the ELM office in Saudi Arabia, which implemented the OpenID support with WSO2 Identity Server 3.2.3. Later they also did a case study with us.

Since IS 3.2.3 - it took almost a year to do the next release: Identity Server 4.0.0. During this time we got two new faces in the team - Suresh and Johann. I knew Suresh well - he did his internship at WSO2 and I also supervised his final year university project. Suresh and his team implemented OpenID based authentication for SOAP based services with WS-Security. They also implemented some of the WS-Federation features for Apache Rampart. Johann was totally new to the WSO2 Identity Server team.

IS 4.0.0 had major improvements and feature additions. Thilina developed OAuth 2.0 support for IS 4.0.0, and it also became a key part of the WSO2 API Manager's success. It was the time WSO2 made its entry into the API management market. Both Sumedha and I were initially involved in building it, and later Sumedha led it alone. I was mostly there since security is a key part of it. Thilina and Johann both got involved in the initial API Manager implementation. Johann mostly worked on integrating the API Manager with the WSO2 Business Activity Monitor for statistics.

In July 2012, both Thilina and Amila left the company to pursue higher studies. Currently Thilina is a Ph.D. student at Colorado State University and Amila is doing his Ph.D. at Indiana University Bloomington.

Asela was still busy with XACML. He is one of the top experts on it and writes a blog on it. It was high time we brought XACML 3.0 support to IS. The Sun XACML project was dead silent, so we made the decision to fork it and add XACML 3.0 support on top of it. We called it WSO2 Balana. Interestingly, Srinath came up with that name. Balana is a famous checkpoint near Kandy, Sri Lanka, which protected the hill country from British invasion. Asela himself did almost all the development to add XACML 3.0 support to Balana.

Another feature we added to IS 4.0.0 was SCIM. One of the key standards for identity provisioning by that time was SPML. But it was too complex, bulky and biased towards SOAP. People started to walk away from SPML. In parallel to the criticisms against SPML, another standard known as SCIM (Simple Cloud Identity Management - later changed to System for Cross-domain Identity Management) started to emerge. This was around mid 2010 - initiated by Salesforce, Ping Identity, Google and others. WSO2 joined the effort sometime in early 2011.

SCIM is purely RESTful. The initial version supported both JSON and XML. SCIM introduced a REST API for provisioning and also a core schema (which can also be extended) for provisioning objects. SCIM 1.1 was finalized in 2012 - and then it was donated to the IETF. Once in the IETF, the definition of SCIM had to change to System for Cross-domain Identity Management, and it no longer supports XML - only JSON.

Hasini was our in-house SCIM expert. Not only did she implement the SCIM support for the Identity Server, she was also a SCIM design team committee member. The SCIM support was developed as a WSO2 Commons project - under the name WSO2 Charon. The name was suggested by Charith. Charon 1.0.0 was released in March 2012, just in time for the very first SCIM interop in Paris. Hasini represented WSO2 at the interop event.

One limitation we had in our SAML Web SSO implementation was that we did not support attributes. It was Suresh who implemented SAML Attribute Profile support for the Identity Server.

We also did more improvements to our XACML implementation, targeting the 4.0.0 release. Johann was the one who brought WS-XACML support to the Identity Server. In addition to the SOAP/HTTP and Thrift interfaces, we added a WS-XACML interface to our XACML PDP. This is one of the standard ways to communicate between a XACML PEP and a PDP. WS-XACML is quite heavy and has a huge impact on performance. If not for a strong customer requirement - we might not have added WS-XACML to the Identity Server.

We also further improved our Active Directory user store manager. It was just read-only; Suresh implemented read/write capabilities and later added support for Active Directory Lightweight Directory Services (AD LDS).

Another feature we added to IS 4.0.0 was Integrated Windows Authentication (IWA) support. With this, if you are already logged into your Windows domain, you need not log in again to the Identity Server. This was developed by Pulasthi - who was an intern then. After graduation, Pulasthi joined WSO2 in 2014, in the Identity Server team. The IWA support in IS 4.0.0 was limited to the Identity Server's management console login. It was not available for SAML/OpenID based logins. Identity Server 5.0.0 later added that support.

With all these new features - Identity Server 4.0.0 was released in November 2012.

After the Identity Server 4.0.0 release, we found an interesting client who was developing a mobile navigation app for a user base of more than 600 million. They were interested in using the Identity Server. Suresh, Tharindu and I were onsite for a week and came up with a design. Due to the large number of users, we all agreed to go ahead with a user store based on Apache Cassandra. In fact the client suggested that, and Tharindu, who was an expert on big data, was with us to confirm it. We implemented a Cassandra based user store manager and plugged in Cassandra as a user store for the Identity Server. With this feature and some minor improvements, Identity Server 4.1.0 was released in February 2013. We also added support for multiple user stores, at a very rudimentary level, to IS 4.1.0.

The Identity Server team by now was five members: Hasini, Asela, Johann, Suresh and me. Everyone lifted themselves to fill the gap created by the absence of Thilina and Amila. Darshana and Pushpalanka joined the Identity Server team a couple of months after the IS 4.1.0 release. I knew both of them even before they joined WSO2. The final year university project Darshana did was supervised by me. It was an interesting one - building a XACML policy engine based on an RDBMS. Pushpalanka was an intern at WSO2, and during her internship she did some interesting work around XACML.

The immediate next release after IS 4.1.0 was 4.5.0. The main focus of IS 4.5.0 was to enhance the user-friendliness of its user management UI and strengthen its multiple user store support. In addition, Suresh worked on adding OpenID Connect core support and Johann worked on implementing the SAML 2.0 grant type for the OAuth 2.0 profile.

Prior to IS 4.5.0 - and after IS 4.1.0 - the entire Identity Server team had to work hard on a customer project. We developed most of the features that went into IS 4.5.0 and bundled them into IS 4.2.0 (this version was never released). The entire team was desperate to make the project a success - but, due to some things that were not under our control, we lost the project. This was the time Dulanja, Ishara, Venura and Dinuka joined the Identity Server team. Venura later left WSO2 to join a company in Singapore, and Dinuka left for the USA with his wife, who got admission to a university for higher studies. Dulanja and Ishara are still with WSO2, and later played a key role in the Identity Server 5.0 release.

In the following photo, Johann, Asela and I are at a Walmart store, on our way back from the above client, after successfully completing the deployment. Some customers we win - some we lose - that's life.

Hasini left the company in June 2013 for higher studies. It was a few months prior to the IS 4.5.0 release. She joined Purdue University. The following photo was taken at her farewell at the JAIC Hilton hotel, Colombo.

Darshana was the release manager for Identity Server 4.5.0, which was released in August 2013. Pushpalanka also played a key role in this release by developing the user store management component - which lets you add and configure multiple user stores from the Identity Server's management console.

WSO2 Identity Server 4.6.0 was released a few months after 4.5.0, in December 2013. It had only one new feature: Identity Provider initiated SAML SSO support. Johann played the release manager role for this release.

The 4.6.0 release was the end of one generation of the Identity Server. Nobody knew that till we released Identity Server 5.0.0 in May 2014. We took a completely new approach to IS 5.0.0. Till then we had been developing just isolated features. We changed that approach and started to build user experiences instead of features. You need to develop features to build user experiences - but the angle you look at it from is completely different. When you look at something from a different angle - what you see is different too.

Fifteen fundamentals behind WSO2 Identity Server 5.0.0:

Building Identity Server 5.0.0 was not just a walk in the park. It went through several iterations. We had to throw away some stuff when we found better ways of doing things. In addition to the identity broker support with identity token mediation and transformation, IS 5.0.0 also introduced a new user interface for end users. Prior to that, both administrators and end users had to use the same management console, with the available functions filtered by the role of the user. With IS 5.0.0 we built a whole new dashboard with Jaggery - a home-grown framework for writing webapps and HTTP-focused web services, covering all aspects of the application - front-end, communication, server-side logic and persistence - in pure JavaScript. This was initiated by Venura - who started developing the dashboard in JSP - and then after a couple of months Venura moved to the WSO2 App Manager product, since it required some security expertise. After Venura left the team, Ishara took over - and we changed everything from JSP to Jaggery. Venura left the company for Singapore after several months working in the App Manager team.

WSO2 Identity Server 5.0.0 - Authentication Framework: 

The WSO2 Identity Server 5.0.0 release was a huge success. More Identity Server deployments are now on IS 5.0.0 than on any of its previous releases. The best thing about IS 5.0.0 is that it opened up a whole new world (being able to act as an identity broker) - the 5.0.0 release is just the first step in that direction, but an immensely sound foundation.

During the IS 5.0.0 release we got three new faces - Thanuja, Isura and Prasad. Even though they had very little experience at WSO2 by then, their contribution to the 5.0.0 release was fabulous.

The following photo was taken on the day we released Identity Server 5.0.0. From left: Suneth (who is from the QA team and worked on Identity Server testing with Pavithra and Ushani; Pavithra was the QA lead for IS testing for many releases), Isura, Ishara, Johann, me, Darshana, Dulanja, Thanuja and Prasad. Suresh, Pushpalanka and Chamath, who also contributed a lot to the 5.0.0 release, missed the shot.

On the same day Identity Server 5.0.0 was released, Johann was made the product manager. I was planning to move to the WSO2 Mountain View, USA office, and Johann had been carefully groomed into this position for several months. Even though I left the Identity Server team officially in May, I worked very closely with the team till I left the country for the USA on 14th January 2015.

The following token was given to me by the team on my last day at the WSO2 Colombo office. It's a representation of all the great memories I have had with the Identity Server team, since its inception.

Prabath SiriwardenaOAuth 2.0 with Single Page Applications

Single Page Applications (SPAs) are known as untrusted clients. All the API calls from an SPA are made from JavaScript (or any scripting language) running in the browser.

The challenge is: how do you access an OAuth secured API from an SPA?

Here, the SPA is acting as the OAuth client (according to OAuth terminology), and it would be hard, or rather impossible, to authenticate the OAuth client. If we are to authenticate the OAuth client, the credentials have to come from the SPA - that is, the JavaScript itself, running in the browser - which is basically open to anyone who can see the web page.

The first fundamental in an SPA accessing an OAuth secured API is - the client cannot be authenticated in a completely legitimate manner.

How do we work around this fundamental?

The most common way to authenticate a client in OAuth is via the client_id and client_secret. If we are to authenticate an SPA, then we need to embed the client_id and client_secret in the JavaScript. This gives anyone out there the liberty to extract them from the JavaScript and create their own client applications.

What can someone do with a stolen client_id/client_secret pair?

They can use it to impersonate a legitimate client application and fool the user into giving his consent to access user resources on his behalf.

OAuth itself has security measures to prevent such illegitimate actions.

Both in the authorization code and the implicit grant types, the client can send the optional parameter redirect_uri in the grant request. This tells the authorization server where to redirect the user with the code (or the access token) after the user authenticates and provides consent at the authorization server. As a counter measure for the above attack, the authorization server must not just respect the redirect_uri in the grant request blindly. It must validate it against the redirect_uri registered with the authorization server at the time of client registration. This can be an exact one-to-one match or a regular expression.
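
As a concrete illustration, a redirect_uri check on the authorization server side could look like the following sketch (the class name and the registry structure are made up for illustration; this is not code from any particular server):

```java
import java.util.Map;
import java.util.regex.Pattern;

// Minimal sketch: validate the redirect_uri in a grant request against the
// value (exact URL or regular expression) registered for the client at
// registration time, instead of trusting the request blindly.
public class RedirectUriValidator {

    // client_id -> registered redirect_uri pattern
    private final Map<String, Pattern> registered;

    public RedirectUriValidator(Map<String, Pattern> registered) {
        this.registered = registered;
    }

    public boolean isValid(String clientId, String requestedRedirectUri) {
        Pattern allowed = registered.get(clientId);
        // Unknown client, nothing registered, or no redirect_uri: reject.
        if (allowed == null || requestedRedirectUri == null) {
            return false;
        }
        return allowed.matcher(requestedRedirectUri).matches();
    }
}
```

For an exact one-to-one match, the registered pattern would simply be the quoted URL (e.g. `Pattern.compile(Pattern.quote("https://app.example.com/callback"))`).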

In this way, even if the client_id and client_secret are stolen, the rogue client application will not be able to get hold of the access_token or any of the user information.

Then what is the risk of losing the client_id and client_secret?

When you register an OAuth client application with an authorization server, the authorization server enforces throttling limits on the client application. Say, for example, a given client application can only do 100 authentication requests within any one minute interval. By stealing the client_id and client_secret, the rogue client application can impact the legitimate application by eating up all the available request quota - or the throttling limit.

How do we avoid this happening in an SPA, where both the client_id and client_secret are publicly visible to anyone accessing the web page?

For an SPA there is no advantage in using the authorization code grant type - so it should use the implicit grant type instead. The authorization code grant should only be used in cases where you can protect the client_secret. Since an SPA cannot do that, you should not use it.
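
For reference, the implicit grant exchanges look roughly like this (the host names are illustrative; the parameter names and example token values follow RFC 6749):

```http
GET /authorize?response_type=token&client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fspa.example.com%2Fcallback
    &scope=read&state=xyz HTTP/1.1
Host: auth.example.com

HTTP/1.1 302 Found
Location: https://spa.example.com/callback#access_token=2YotnFZFEjr1zCsicMWpAA
    &token_type=bearer&expires_in=3600&state=xyz
```

Note that the access token comes back in the URI fragment - which is exactly why it is visible to the end user, as discussed later.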

One approach to overcome this drawback in an SPA is to make the client_id a one-time thing. Whenever you render the JavaScript, you get a new client_id, embed the new client_id in the JavaScript, and invalidate it at its first use. Each instance of the application rendered on the browser will have its own client_id, instead of sharing the same client_id across all the instances.

At the authorization server end, all these generated client_ids will be mapped to a single parent client_id - and the throttling limits are enforced on the parent client id.
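
The scheme above can be sketched in a few lines (illustrative only - the class and method names are not from any real authorization server implementation):

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// One-time client_ids: each rendered page gets a fresh child client_id that
// maps back to the parent client_id (against which throttling is enforced)
// and becomes invalid on first use.
public class OneTimeClientIds {

    private final Map<String, String> childToParent = new ConcurrentHashMap<>();

    // Called when the SPA's JavaScript is rendered: mint a child client_id.
    public String issue(String parentClientId) {
        String childId = UUID.randomUUID().toString();
        childToParent.put(childId, parentClientId);
        return childId;
    }

    // Called on the authentication request: resolve and invalidate in one
    // step, so the child client_id cannot be replayed. Returns the parent
    // client_id (for throttling), or null if unknown or already used.
    public String redeem(String childClientId) {
        return childToParent.remove(childClientId);
    }
}
```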

Now, if a rogue client application still wants to eat the full or part of the request quota assigned to the legitimate application, then for each request it has to load the legitimate web application and scrape through it to find the client_id embedded in it, and then use it. That means each authentication request to the authorization server must be preceded by a request to the SPA to load the JavaScript. This can be protected against by enforcing denial of service attack protection measures at the SPA end - and possibly blacklisting the rogue client.

The next challenge is how to protect the access token. In an SPA, the access token will also be visible to the end user. When using the implicit grant type, the access token is returned to the browser as a URI fragment and is visible to the user. Now the user (who is a legitimate one) can use this access token himself (instead of the application using it) to access the back-end APIs - and eat up all the API request quota assigned to the application.

The second fundamental in an SPA accessing an OAuth secured API is - the access token cannot be made invisible to the end-user.

One lighter solution to this is to enforce a throttling limit at the per-client, per-end-user level - in addition to the per-client level. Then the rogue end user will just eat up his own quota - it won't affect the other users accessing the same application.

Let's take another scenario - say it's not the end user, but someone else, who steals the user's access token from the URI fragment and then wants to use it to access resources on behalf of the legitimate user.

As a protective measure for this, we need to make the lifetime of the access token returned in the URI fragment extremely short, and also invalidate it at its first use. To get a new access token, the immediately preceding access token has to be presented - if the authorization server finds the sequence of access tokens broken at any point, it will invalidate all the access tokens issued against the original access token returned in the URI fragment. This pattern is known as 'rolling access tokens'.
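
The rolling pattern can be sketched as follows (again illustrative - names and storage are made up; a real server would persist and expire these):

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Rolling access tokens: every token is single-use; redeeming the current
// token yields the next one; presenting a stale token breaks the sequence
// and revokes the whole chain rooted at the original token.
public class RollingTokens {

    // token -> root token of its chain
    private final Map<String, String> tokenToRoot = new ConcurrentHashMap<>();
    // root token -> currently valid token in the chain
    private final Map<String, String> currentForRoot = new ConcurrentHashMap<>();

    // Issue the initial (short-lived) token returned in the URI fragment.
    public String issueInitial() {
        String token = UUID.randomUUID().toString();
        tokenToRoot.put(token, token);
        currentForRoot.put(token, token);
        return token;
    }

    // Returns the next token, or null (revoking the chain) on a stale token.
    public String redeem(String presented) {
        String root = tokenToRoot.get(presented);
        if (root == null) {
            return null; // unknown or already-revoked token
        }
        if (!presented.equals(currentForRoot.get(root))) {
            // Sequence broken: an older token was replayed. Revoke everything
            // issued against the original token.
            tokenToRoot.values().removeIf(root::equals);
            currentForRoot.remove(root);
            return null;
        }
        String next = UUID.randomUUID().toString();
        tokenToRoot.put(next, root);
        currentForRoot.put(root, next);
        return next;
    }
}
```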

In summary, this blog suggests three approaches to protect single page applications in accessing OAuth 2.0 secured APIs.
  • One-time client_ids mapped to a single parent client_id
  • Per application per user throttling policies
  • Rolling access tokens

Keheliya GallabaFew tips on tweaking Elementary OS for Crouton

Activating Reverse Scrolling

 If you're a fan of reverse scrolling (or natural scrolling, as some people call it) in Mac OS X, you can activate the same in Elementary OS by going to System Settings > Tweaks > General > Miscellaneous and turning on Natural Scrolling. But I noticed in Elementary OS Luna for crouton that the setting resets to false after restarting. You can fix it by adding the following command as a startup application (System Settings > Startup Applications > Add):
/usr/lib/plugs/pantheon/tweaks/ true

Getting back the minimize button

Method 1: Start dconf-editor and go to org > pantheon > desktop > gala > appearance and change "button layout" to re-order buttons in the window decoration. Eg: "menu:minimize,maximize,close"

Method 2: Run the following command.
gconftool-2 --set /apps/metacity/general/button_layout --type string ":minimize:maximize:close"

Note: To install dconf-editor use the command:
sudo apt-get install dconf-tools

To install elementary-tweaks use the command:
sudo add-apt-repository ppa:mpstark/elementary-tweaks-daily
sudo apt-get update
sudo apt-get install elementary-tweaks

Krishantha SamaraweeraTestNG Using Groups to run same test case with different configurations

Real world problem - one of my colleagues wanted to run a test class with different server configurations. Basically he needed to restart the server with different configuration parameters and run the same test class pointing to the restarted server. To achieve this, I suggested a TestNG groups based approach. A TestNG listener based approach was also considered, but we had to skip it as it would introduce more listeners into our test structure.

In this example, two TestNG groups were introduced, and the @BeforeTest & @AfterTest annotations were used to reconfigure the server for each test group execution. The test was designed to have a single class containing all the configuration methods and another test class holding the test cases. In the test suite XML, two test segments were introduced by specifying the groups to run.
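
A minimal sketch of this layout might look like the following (class names, group names, and the restart helper are illustrative, not from the original project):

```java
import org.testng.annotations.AfterTest;
import org.testng.annotations.BeforeTest;
import org.testng.annotations.Test;

// Configuration class: only the configuration methods belonging to the
// group included in the current <test> segment are executed.
public class ServerConfigurationTest {

    @BeforeTest(groups = "configuration-1")
    public void setupForGroup1() {
        // restartServer("config-1.properties"); // hypothetical restart helper
        System.out.println("BeforeMethod G1");
    }

    @AfterTest(groups = "configuration-1")
    public void teardownForGroup1() {
        System.out.println("AfterMethod G1");
    }

    @BeforeTest(groups = "configuration-2")
    public void setupForGroup2() {
        // restartServer("config-2.properties");
        System.out.println("BeforeMethod G2");
    }

    @AfterTest(groups = "configuration-2")
    public void teardownForGroup2() {
        System.out.println("AfterMethod G2");
    }
}

// Shared test class: its methods belong to both groups, so the same tests
// run once per server configuration.
class ServerSmokeTest {

    @Test(groups = {"configuration-1", "configuration-2"})
    public void basicOperationTest() {
        // test logic against whichever configuration the server is running
    }
}

/* The suite XML selects one group per <test> segment, along these lines:

<suite name="TestSuite">
  <test name="WithConfigurationOne">
    <groups><run><include name="configuration-1"/></run></groups>
    <classes>
      <class name="ServerConfigurationTest"/>
      <class name="ServerSmokeTest"/>
    </classes>
  </test>
  <test name="WithConfigurationTwo">
    <groups><run><include name="configuration-2"/></run></groups>
    <classes>
      <class name="ServerConfigurationTest"/>
      <class name="ServerSmokeTest"/>
    </classes>
  </test>
</suite>
*/
```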

The execution result of the above suite is as follows:

 T E S T S
Running TestSuite
BeforeMethod G1
AfterMethod G1
BeforeMethod G2
AfterMethod G2
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.664 sec

Results :

Tests run: 4, Failures: 0, Errors: 0, Skipped: 0

Krishantha SamaraweeraTestNG Using @Factory and @DataProvider

The combination of data provider and factory annotations in TestNG can be used to reiterate the same test class with different test data. This enables users to reuse the same class seamlessly without duplicating the test class code. Let's look at what each annotation does and its real usage.

@Factory - can be used to execute all the test methods present inside a test class, using a separate instance of the same class. That means running the class in a parameterized way by providing different inputs to the class constructor.

@DataProvider - a test method that uses a DataProvider will be executed multiple times, based on the data provided by the DataProvider. The test method will be executed using the same instance of the test class to which the test method belongs.

The code segment below illustrates the usage of @Factory with the @DataProvider annotation.
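
A minimal sketch of such a class (class and method names inferred from the output that follows, so treat them as illustrative):

```java
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;

public class UserModeTest {

    private final String userMode;

    // TestNG calls this constructor once per row returned by the data
    // provider, creating a separate instance of the class for each user mode.
    @Factory(dataProvider = "userModeProvider")
    public UserModeTest(String userMode) {
        this.userMode = userMode;
    }

    // Four rows -> four instances -> 4 x 2 test methods = 8 tests in total.
    @DataProvider(name = "userModeProvider")
    public static Object[][] userModeProvider() {
        return new Object[][] {
            {"Admin"}, {"Tenant"}, {"AdminUser"}, {"TenantUser"}
        };
    }

    @BeforeClass
    public void setUp() {
        System.out.println("Before Running the class userMode is " + userMode);
    }

    @Test
    public void method1() {
        System.out.println("Inside method 1 " + userMode);
    }

    @Test
    public void method2() {
        System.out.println("Inside method 2 " + userMode);
    }
}
```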

The execution result of the class is as follows. You can see that 8 test methods have been executed, with different user mode parameters.
 T E S T S
Running TestSuite
Before Running the class userMode is Admin
Inside method 1 Admin
Inside method 2 Admin
Before Running the class userMode is Tenant
Inside method 1 Tenant
Inside method 2 Tenant
Before Running the class userMode is AdminUser
Inside method 1 AdminUser
Inside method 2 AdminUser
Before Running the class userMode is TenantUser
Inside method 1 TenantUser
Inside method 2 TenantUser
Tests run: 8, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.625 sec

Results :

Tests run: 8, Failures: 0, Errors: 0, Skipped: 0

Prabath SiriwardenaIdentity Broker Pattern : 15 Fundamentals

Recent research by the analyst firm Quocirca confirms that many businesses now have more external users than internal ones: in Europe, 58 percent transact directly with users from other businesses and/or consumers; for the UK alone the figure is 65 percent. If you look at history, most enterprises today grow via acquisitions, mergers and partnerships. In the U.S. alone, mergers and acquisitions volume totaled $865.1 billion in the first nine months of 2013, according to Dealogic. That's a 39% increase over the same period a year ago - and the highest nine-month total since 2008.

Gartner predicts by 2020, 60% of all digital identities interacting with enterprises will come from external identity providers.

I have written two blog posts highlighting, in detail, the need for an Identity Broker.
The objective of this blog post is to define fifteen fundamentals that should ideally be supported by an Identity Broker to cater to future Identity and Access Management goals.

1st Fundamental 

Federation protocol agnostic :

  • Should not be coupled to a specific federation protocol like SAML, OpenID Connect, OpenID, WS-Federation, etc.
  • Should have the ability to connect to multiple identity providers over heterogeneous identity federation protocols. 
  • Should have the ability to connect to multiple service providers over heterogeneous identity federation protocols.
  • Should have the ability to transform ID tokens between multiple heterogeneous federation protocols.

2nd Fundamental

Transport protocol agnostic : 

  • Should not be coupled to a specific transport protocol, such as HTTP or MQTT.
  • Should have the ability to read from and write to multiple transport channels.

3rd Fundamental

Authentication protocol agnostic : 

  • Should not be coupled to a specific authentication protocol, such as username/password, FIDO, or OTP.
  • Pluggable authenticators.

4th Fundamental 

Claim Transformation :

  • Should have the ability to transform identity provider specific claims into service provider specific claims and vice versa.
  • Simple claim transformations and complex transformations. An example of a complex claim transformation would be deriving the age from the date-of-birth identity provider claim, or concatenating the first name and last name claims from the identity provider to form the full name service provider claim.
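As a rough illustration of the simple vs. complex transformations described above (a sketch only; the claim URIs and the ClaimTransformer class are hypothetical, not part of any WSO2 API):

```java
import java.time.LocalDate;
import java.time.Period;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical claim transformer: maps identity-provider claims to
// service-provider claims. The claim URIs here are made up for illustration.
class ClaimTransformer {

    static Map<String, String> transform(Map<String, String> idpClaims) {
        Map<String, String> spClaims = new HashMap<>();

        // Simple transformation: rename a claim.
        spClaims.put("email", idpClaims.get("http://idp.example.com/claims/emailaddress"));

        // Complex transformation: derive the age from the date-of-birth claim.
        LocalDate dob = LocalDate.parse(
                idpClaims.get("http://idp.example.com/claims/dob"),
                DateTimeFormatter.ISO_LOCAL_DATE);
        spClaims.put("age", String.valueOf(Period.between(dob, LocalDate.now()).getYears()));

        // Complex transformation: concatenate first and last name into a full name.
        spClaims.put("fullName",
                idpClaims.get("http://idp.example.com/claims/givenname") + " "
                + idpClaims.get("http://idp.example.com/claims/lastname"));
        return spClaims;
    }

    public static void main(String[] args) {
        Map<String, String> idpClaims = new HashMap<>();
        idpClaims.put("http://idp.example.com/claims/emailaddress", "alice@example.com");
        idpClaims.put("http://idp.example.com/claims/dob", "1990-05-01");
        idpClaims.put("http://idp.example.com/claims/givenname", "Alice");
        idpClaims.put("http://idp.example.com/claims/lastname", "Perera");
        System.out.println(transform(idpClaims));
    }
}
```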

5th Fundamental 

Home Realm Discovery:

  • Should have the ability to find the home identity provider corresponding to the incoming federation request by looking at certain attributes in the request.
  • The discovery process should be pluggable.
  • Filter based routing.

6th Fundamental 

Multi-option Authentication:

  • Should have the ability to present multiple login options to the user, per service provider.
  • Based on the service provider that initiates the authentication request, the identity broker will present the corresponding login options to the user.

7th Fundamental

Multi-step Authentication:

  • Should have the ability to present multi-step authentication to the user, per service provider.
  • Multi-factor Authentication (MFA) is an instance of multiple step authentication, where you plug in authenticators that do support multi-factor authentication into any of the steps.

8th Fundamental

Adaptive Authentication:

  • Should have the ability to change the authentication options based on the context.
  • The identity broker should have the ability to derive the context from the authentication request itself as well as from other supportive data.

9th Fundamental

Identity Mapping:

  • Should have the ability to map identities between different identity providers.
  • A user should be able to maintain multiple identities with multiple identity providers and switch between them when logging into different service providers.

10th Fundamental

Multiple Attribute Stores:

  • Should have the ability to connect to multiple attribute stores and build an aggregated view of the end user's identity.

11th Fundamental

Just-in-time Provisioning:

  • Should have the ability to provision users to connected user stores in a protocol agnostic manner.

12th Fundamental

Manage Identity Relationships:

  • Should have the ability to manage identity relationships between different entities and take authentication and authorization decisions based on that. 
  • A given user can belong to a group, role and be the owner of devices from multiple platforms.
  • A device could have an owner, an administrator, a user and so on.

13th Fundamental

Trust Brokering:

  • Each service provider should identify which identity providers it trusts.

14th Fundamental

Centralized Access Control:

  • Who gets access to which user attribute? Which resources the user can access at the service provider?

15th Fundamental

Centralized Monitoring:

  • Should have the ability to monitor and generate statistics on each identity transaction that flows through the broker.
  • The connected analytics engine should be able to do batch analytics, real-time analytics, and predictive analytics.

Muhammed ShariqTroubleshooting WSO2 server database operations with log4jdbc-log4j2

If you are using WSO2 Carbon based servers and are facing issues related to the database, there are a few steps you should take in order to rectify those issues. Since Carbon 4.2.0 based products use the Tomcat JDBC Connection Pool, the first thing you could do is try tuning the datasource parameters in the master-datasources.xml (or *-datasources.xml) file located in the ${CARBON_HOME}/repository/conf/datasources/ directory. Some of the parameters you might want to double-check are:

  1. Set the "validationQuery" parameter 
  2. Set "testOnBorrow" to "true"
  3. Set a "validationInterval" and try tuning it to fit your environment
For a detailed explanation of those properties, and also additional parameters that can be used to tune the JDBC pool, please visit the Tomcat site listed above.
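For example, a datasource entry in master-datasources.xml with these parameters set might look like the following (the connection details and values are illustrative; tune them for your environment):

```xml
<datasource>
    <name>WSO2_GOV_DB</name>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://localhost:3306/governance</url>
            <username>user</username>
            <password>password</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <!-- Query used to validate connections taken from the pool -->
            <validationQuery>SELECT 1</validationQuery>
            <!-- Validate a connection before borrowing it from the pool -->
            <testOnBorrow>true</testOnBorrow>
            <!-- Minimum gap (in ms) between validations of the same connection -->
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
```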

Even though these parameters might help fix some of the JDBC issues you'd encounter, there might be instances where you'd want additional information to understand what's going on between the WSO2 server and the underlying database. 

We can use log4jdbc-log4j2, which is an improvement of log4jdbc, to do an in-depth analysis of the JDBC operations between the WSO2 server and the database. In this post I'll explain how to configure log4jdbc-log4j2 with WSO2 servers.

To set up a WSO2 server with log4jdbc-log4j2, follow the steps below. (I am assuming that the server has already been configured to point to the external database and set up with the necessary JDBC driver, etc.)
  1. Download the log4jdbc-log4j2 jar and copy it to the ${CARBON_HOME}/repository/components/lib directory. 
  2. Prepend "jdbc:log4" to the JDBC URL (the <url> parameter in the datasource configuration), so the URL would look like: jdbc:log4jdbc:mysql://localhost:3306/governance
  3. Change the "driverClassName" to "net.sf.log4jdbc.sql.jdbcapi.DriverSpy".
  4. To direct the log4jdbc-log4j2 output to a separate log file, add the following entries to the file located in the conf/ directory:
     log4j.logger.jdbc.connection=DEBUG, MySQL
     log4j.logger.jdbc.audit=DEBUG, MySQL
  5. Finally, you need to start the server with the required system property.

Note: You can set the system property in the file located in the bin/ directory for ease of use.
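The "MySQL" appender referenced by those logger entries also needs to be defined. A sketch of such an appender definition (the file path, size limits and layout pattern here are assumptions; adjust them to match your logging setup):

```properties
# Appender named "MySQL" that writes log4jdbc output to a separate file
log4j.appender.MySQL=org.apache.log4j.RollingFileAppender
log4j.appender.MySQL.File=repository/logs/mysql-profile.log
log4j.appender.MySQL.MaxFileSize=10MB
log4j.appender.MySQL.layout=org.apache.log4j.PatternLayout
log4j.appender.MySQL.layout.ConversionPattern=%d{ISO8601} [%t] %m%n

# Avoid duplicating these logs in the main carbon log
log4j.additivity.jdbc.connection=false
log4j.additivity.jdbc.audit=false
```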

Now that you have the log4jdbc-log4j2 library and the required configuration in place, you can start using the server. The JDBC debug logs will be written to the mysql-profile.log file located in the logs/ directory. There are six different loggers you can use to troubleshoot different types of problems; check section 4.2.2 of this page for more information on the different logging options.

Good luck !!!

Krishantha SamaraweeraSimpleWebServer for HTTP Header Testing

SimpleWebServer is a simple socket server. It listens for incoming connections and echoes the content type back to the client with the expected response code and some data. This server mainly facilitates HTTP header testing when messages are routed through WSO2 ESB.

Initializing the Server

You can start a new server instance by providing the port and the expected response code:

SimpleWebServer simpleWebServer = new SimpleWebServer(9006, 200);

Stop the server


Sample Test Case

The following test case verifies the HTTP header content types of ESB outbound and inbound messages. The client sends HTTP requests with different content types. The server sets the same contentType and the expected response code in the HTTP response and sends it back.
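A server with the behavior described above might look roughly like this (a minimal sketch for illustration, not the actual WSO2 test-utility class, whose implementation differs in detail):

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

// Minimal sketch of a socket server that echoes the request's Content-Type
// back in the response, together with a preconfigured status code.
class SimpleWebServer extends Thread {
    private final int port;
    private final int statusCode;
    private volatile boolean running = true;

    SimpleWebServer(int port, int statusCode) {
        this.port = port;
        this.statusCode = statusCode;
    }

    // Builds the echoed HTTP response for a given content type.
    static String buildResponse(int statusCode, String contentType) {
        String body = "<data>some data</data>";
        return "HTTP/1.1 " + statusCode + " \r\n"
                + "Content-Type: " + contentType + "\r\n"
                + "Content-Length: " + body.length() + "\r\n"
                + "\r\n" + body;
    }

    public void run() {
        try (ServerSocket serverSocket = new ServerSocket(port)) {
            serverSocket.setSoTimeout(1000); // wake up periodically to check 'running'
            while (running) {
                try (Socket socket = serverSocket.accept()) {
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8));
                    String contentType = "text/plain";
                    String line;
                    // Read headers until the blank line; remember the Content-Type.
                    while ((line = in.readLine()) != null && !line.isEmpty()) {
                        if (line.toLowerCase().startsWith("content-type:")) {
                            contentType = line.substring("content-type:".length()).trim();
                        }
                    }
                    OutputStream out = socket.getOutputStream();
                    out.write(buildResponse(statusCode, contentType).getBytes(StandardCharsets.UTF_8));
                    out.flush();
                } catch (java.net.SocketTimeoutException ignored) {
                    // No connection within the timeout; loop again so stopServer() can take effect.
                }
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    void stopServer() {
        running = false;
    }
}
```

With a sketch like this, initializing and stopping the server would be `new SimpleWebServer(9006, 200).start()` and `simpleWebServer.stopServer()` respectively.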

Shiva BalachandranThe basic need to knows before setting up your Website!


Block 3 – On the rise.

Originally posted on Block Three Creative:

Okay, so you've decided to set up your website. That's great! But here are some need-to-knows before you take the leap onto the internet.


“A domain name is a unique name that identifies a website….Each website has a domain name that serves as an address, which is used to access the website.” definition via

First, you need to make sure the domain name you're looking for is available; you can do that by visiting domain name sellers like


If it is available, then your next step will be to purchase the domain! If you're unlucky, you can either go for another domain, or it will show you other alternative domain names available, as shown in the image below.


Side Note – Purchasing your domain name for more than one year at a time eases budget constraints down the line, compared with yearly renewals.


Madhuka UdanthaWorkflows for Git

There are many workflows for Git:

  • Centralized Workflow
  • Feature Branch Workflow
  • Gitflow Workflow
  • Forking Workflow

In the Centralized Workflow, teams develop projects in exactly the same way as they do with Subversion. However, using Git to power your development workflow presents a few advantages over SVN. First, it gives every developer their own local copy of the entire project. This isolated environment lets each developer work independently of all other changes to a project: they can add commits to their local repository and completely forget about upstream developments until it's convenient for them.

The idea behind the Feature Branch Workflow is that all feature development should take place in a dedicated branch instead of the master branch. This encapsulation makes it easy for multiple developers to work on a particular feature without disturbing the main codebase. It also means the master branch will never contain broken code.

The Gitflow Workflow provides a robust framework for managing larger projects. It assigns very specific roles to different branches and defines how and when they should interact. You also get to leverage all the benefits of the Feature Branch Workflow.

The Forking Workflow is fundamentally different than the other workflows. Instead of using a single server-side repository to act as the “central” codebase, it gives every developer a server-side repository. Developers push to their own server-side repositories, and only the project maintainer can push to the official repository. The result is a distributed workflow that provides a flexible way for large, organic teams (including untrusted third-parties) to collaborate securely. This also makes it an ideal workflow for open source projects.

Dhananjaya jayasingheWSO2 APIManager - API is not visible to public

WSO2 API Manager releases new versions from time to time, so people migrate from old versions to new ones. After a migration, people sometimes experience problems such as:

  • API is not visible at all in the API Store
  • API is not visible to the public, but is visible after logging in

API is not visible at all in the API Store

This can be due to a problem in the indexing of APIs. WSO2 APIM provides API search capability through its Solr-based indexing feature. A problem in indexing can cause the migrated APIs not to be displayed at all.

How to fix ?

You need to let the APIM re-index the APIs. To do that, follow these steps.

1. Remove/back up the solr directory located in the WSO2AM directory.
2. Change the value of the "lastAccessTimeLocation" property in the registry.xml file located in WSO2AM/repository/conf to an arbitrary value. 

Eg: By default the value of the above entry is as follows :


You can change it to 


Note: The above entry contains the last time the indexing was run on WSO2 AM, in milliseconds. When we change it, if no resource is available at the new path, APIM will create the index again and rebuild the content of the solr directory.
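For reference, the entry in registry.xml looks like the following in a default pack (the exact registry path may differ across versions, so verify it against your own registry.xml before editing):

```xml
<indexingConfiguration>
    <!-- Registry path that holds the last indexed time; pointing this at a
         non-existent resource (e.g. appending "_1") forces re-indexing -->
    <lastAccessTimeLocation>/_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime</lastAccessTimeLocation>
</indexingConfiguration>
```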

3. After the above step, restart the server and let it idle for 3-5 minutes. You should then be able to see the APIs, if the problem was with API indexing.

API is not visible to the public, but is visible after logging in

This can be caused by a permission issue on the migrated API. By default, if we create an API with public visibility, APIM creates a registry resource for that API with read permission for the "system/wso2.anonymous.role" role.

Eg: If I create an API called foo with visibility set to public, I can see the following permissions in the registry.

So I can see my API without logging in to the API Store, as below.

If I remove the anonymous permission from the registry resource, as below, it will not be visible to the public.

So, if you are experiencing a problem like this, you need to search for this API in the registry and check whether it has read permission for the role "system/wso2.anonymous.role". If not, just check by adding that permission.

Then, if it works fine, you can check your migration script for the problem of not migrating the permissions correctly.

Dinusha SenanayakaWSO2 App Manager 1.0.0 released

WSO2 App Manager is the latest product added to the WSO2 product stack.

App Manager can work as an app store for web apps and mobile apps, while providing a whole set of other features:

  • Single sign on/ Single sign out between web apps
  • Role/permission based access control for web apps
  • Capability to configure federated authentication for web apps
  • Subscription maintenance in App Store
  • Commenting, Rating capabilities in App Store
  • Statistic monitoring for apps usage 

Above are the core features that come with App Manager. Have a look at the App Manager product page to get an idea of its other features and capabilities.

Isuru PereraFlame Graphs with Java Flight Recordings

Flame Graphs

Brendan Gregg, who is a computer performance analyst, created Flame Graphs to visualize stack traces in an interactive way.

You must watch his talk at USENIX/LISA13, titled Blazing Performance with Flame Graphs, which explains Flame Graphs in detail.

There can be different types of flame graphs and I'm focusing on CPU Flame Graphs with Java in this blog post.

Please look at the Flame Graphs Description to understand the Flame Graph visualization.

CPU Flame Graphs and Java Stack Traces

As Brendan mentioned in his talk, understanding why CPUs are busy is very important when analyzing performance. 

CPU Flame Graphs are a good way to identify hot methods from sampled stack traces.

In order to generate CPU Flame Graphs for Java Stack Traces, we need a way to get sample stack traces.

Brendan has given examples using jstack and Google's lightweight-java-profiler. Please refer to his Perl program for generating CPU Flame Graphs from jstack output, and his Java Flame Graphs blog post on using the lightweight-java-profiler.

While trying out these examples, I wondered whether we could generate a CPU Flame Graph from a Java Flight Recording dump.

The Hot Methods and Call Tree tabs in Java Mission Control are there to give an understanding of the "hot spots" in your code. But I was really interested in seeing a Flame Graph visualization built by reading the JFR dump. That way, you can quickly spot "hot spots" using the Flame Graph software.

Note: JFR's method profiler is sampling based.

Parsing Java Flight Recorder Dump

In order to get sample stack traces, I needed a way to read a JFR dump (The JFR dump is a binary file).

I found a way to parse a JFR dump file and output all the data into an XML file:

java oracle.jrockit.jfr.parser.Parser -xml /temp/sample.jfr > recording.xml

Even though this is an easy way, it takes a long time and the resulting XML file is quite large. For example, I parsed a JFR dump of around 61 MB and the XML was around 5.8 GB!

Then I found out about the Flight Recorder Parsers from Marcus Hirt's blog.

There are two ways to parse a JFR file.

  1. Using the Reference Parser - This API is available in Oracle JDK
  2. Using the JMC Parser - This is available in Java Mission Control.

For more info, see Marcus' blog posts on the parsers. He has also given an example of parsing Flight Recordings.

As stated in his blog, these APIs are unsupported and there is a plan to release a proper Parsing API with JMC 6.0 and JDK 9.

Converting JFR Method Profiling Samples to a FlameGraph-compatible format

I wrote a simple Java program to read a JFR file and convert all stack traces from "Method Profiling Samples" into a FlameGraph-compatible format.

I used the JMC Parser in the program. I couldn't find a way to get Method Profiling Samples using the Reference Parser; I was only able to find the "vm/prof/execution_sample" events, and there was no way to get the stack trace from that event.

The JMC Parser was very easy to use and I was able to get the stack traces without much trouble.
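For context, FlameGraph's input is the "folded" format: one line per unique stack, with the frames joined root-first by semicolons, followed by a space and the sample count. A small sketch of that conversion step (independent of the JFR parser APIs; the class and method names are my own):

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Collapses sampled stack traces (root-first frame lists) into
// FlameGraph's folded format: "frame1;frame2;frame3 count".
class FoldedStacks {

    static Map<String, Integer> fold(List<List<String>> sampledStacks) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (List<String> stack : sampledStacks) {
            String key = String.join(";", stack);
            counts.merge(key, 1, Integer::sum); // count identical stacks
        }
        return counts;
    }

    public static void main(String[] args) {
        List<List<String>> samples = List.of(
                List.of("main", "work", "hotMethod"),
                List.of("main", "work", "hotMethod"),
                List.of("main", "idle"));
        // Prints each folded line that would be fed to flamegraph.pl
        fold(samples).forEach((stack, count) -> System.out.println(stack + " " + count));
    }
}
```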

The code is available at Please refer to the README file for complete instructions on building, running, and generating a FlameGraph from a JFR dump.

Following is the FlameGraph created from a sample JFR dump.

I got the JFR dump by running a sample application that consumes a lot of CPU. The original source files were obtained from a StackOverflow answer, which explains a way to find a thread consuming high CPU resources. Please note that the package name and line numbers in the FlameGraph output differ from the original source code in the StackOverflow answer. (I will try to share the complete source code later.)

I used following JVM arguments:

-XX:+UnlockCommercialFeatures -XX:+FlightRecorder -XX:StartFlightRecording=delay=1s,duration=20s,name=Fixed,filename=/tmp/highcpu.jfr,settings=profile -XX:FlightRecorderOptions=loglevel=info

Then I used the following commands to generate the FlameGraph:

jfr-flame-graph$ ./ -f /tmp/highcpu.jfr -o /tmp/output.txt
FlameGraph$ cat /tmp/output.txt | ./ --width 550 > ../traces-highcpu.svg


  • This blog post explained a way to generate CPU Flame Graphs from a Java Flight Recording using a simple Java program.
  • The program is available at GitHub:
  • The program uses the (unsupported) JMC Parser.


It's nice to see that Srinath's tweet has so many retweets!
Brendan has also mentioned my program on his Flame Graphs page!

Madhuka UdanthaChart Types and Data Models in Google Charts

Different chart types need different data models. This post covers Google chart types and the data models they support.

Bar charts and column charts
Each bar of the chart represents the value of an element on the axis. Bar charts display tooltips when the user hovers over the data. The vertical version of this chart is called the 'column chart'.
Each row in the table represents a group of bars.
  • Column 0 : Y-axis group labels (string, number, date, datetime)
  • Column 1 : Bar 1 values in this group (number)
  • Column n : Bar N values in this group (number)

Area chart
An area chart or area graph graphically displays quantitative data. It is based on the line chart. The area between the axis and the line is commonly emphasized with colors, textures, and hatchings.
Each row in the table represents a set of data points with the same x-axis location.
  • Column 0 : X-axis group labels (string, number, date, datetime)
  • Column 1 : Line 1 values (number)
  • Column n : Line n values (number)

Scatter charts
Scatter charts plot points on a graph. When the user hovers over the points, tooltips are displayed with more information.

Each row in the table represents a set of data points with the same x-axis value.
  • Column 0 : Data point X values (number, date, datetime)
  • Column 1 : Series 1 Y values (number)
  • Column n : Series n Y values (number)
(This is only sample data for illustrating the chart.)

Bubble chart
A bubble chart is used to visualize a data set with two to four dimensions. The first two dimensions are visualized as coordinates, the third as color and the fourth as size.
  • Column 0 : Name of the bubble (string)
  • Column 1 : X coordinate (number)
  • Column 2 : Y coordinate (number)
  • Column 3 : Optional. A value representing a color on a gradient scale (string, number)
  • Column 4 : Optional. Size; the values in this column are mapped to bubble sizes (number)

Bubble Name is  "January"
X =  22
Y =  12
Color = 15
Size  = 14

Summary of the data model and axes in chart types

The major axis is the axis along the natural orientation of the chart. For line, area, column, combo, stepped area and candlestick charts, this is the horizontal axis. For a bar chart it is the vertical one. Scatter and pie charts don't have a major axis. The minor axis is the other axis.
The major axis of a chart can be either discrete or continuous. When using a discrete axis, the data points of each series are evenly spaced across the axis, according to their row index. When using a continuous axis, the data points are positioned according to their domain value. The labeling is also different: on a discrete axis, the labels are the names of the categories; on a continuous axis, the labels are auto-generated.
Axes that are always continuous:
  • Scatter charts
  • Bubble charts
Axes that are always discrete:
  • The major axis of stepped area charts (and combo charts containing such series).

In line, area, bar, column and candlestick charts (and combo charts containing only such series), you can control the type of the major axis:

  • For a discrete axis, set the data column type to string.
  • For a continuous axis, set the data column type to one of: number, date, datetime.

Yumani RanaweeraAdding proxy server behind WSO2 ESB

When the message flow needs to be routed through a proxy, you need to add the following parameters to the transportSender configuration in axis2.xml:
http.proxyHost - the proxy server's host name
http.proxyPort - the port number of the proxy server
http.nonProxyHosts - any hosts that need to bypass the above proxy

Alternatively, you can set the Java networking properties, e.g. -Dhttp.proxyHost=<proxy-host> -Dhttp.proxyPort=5678 -Dhttp.nonProxyHosts=localhost

This scenario illustrates how routing via proxy and non-proxy hosts happens. I have an echo service in an AppServer, which is fronted by an HTTP proxy. I also have SimpleStockQuoteService on localhost, which is set as a nonProxyHost.

I have my transport sender in axis2.xml configured as below:
<transportSender name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpSender">
 <parameter name="non-blocking" locked="false">true</parameter>
 <parameter name="http.proxyHost" locked="false"></parameter>
 <parameter name="http.proxyPort" locked="false">8080</parameter>
 <parameter name="http.nonProxyHosts" locked="false">localhost</parameter>
</transportSender>

Proxy route:
<proxy name="Echo_viaProxy" transports="https http" startOnLoad="true" trace="disable">
    <target>
        <endpoint>
            <address uri=""/>
        </endpoint>
    </target>
</proxy>

When you send a request to the above Echo_viaProxy, the request will be directed to the HTTP proxy, which will route it to the BE (http://localhost:9000/services/SimpleStockQuoteService).

<proxy name="StockQuote_direct" transports="https http">
    <target>
        <endpoint>
            <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
        </endpoint>
    </target>
</proxy>
When you send a request to the above StockQuote_direct, the request will be served directly by the SimpleStockQuoteService on localhost.

Known issue and fix: this is fixed in ESB 4.9.0 M4.

Lali DevamanthriAlert High severity JIRA issues through WSO2 ESB JIRA & TWILIO connectors

The section below describes how to configure cloud-to-cloud integration with WSO2 ESB connectors using WSO2 Developer Studio.


Query new (open) high-severity issues created in the JIRA system and alert on them via SMS.


The latest version of Developer Studio can be downloaded from [1]

Import connectors

Before you start creating ESB artifacts with connector operations, the necessary connectors should be imported into your workspace. You can download the ESB connectors from [2].

  • Create a new ESB Config project (SampleConnectorProject).
  • Right-click on the created 'SampleConnectorProject' project and select 'Import Connector' from the context menu.


  • Then browse to the location of the connector zips and select the relevant connector zips to import.
  • Create a Sequence, Proxy or REST API, and the imported connectors will appear in the tool palette.


Create ESB Artifacts with Connector Operations

The detailed configurations on how to perform various operations with the Jira connector and the Twilio connector can be found in [3] and [4] respectively.

  • Create a Sequence[5] with name ‘AlertSequence’
  • Connect to Jira


Drag and drop the ‘init’ JIRA operation from the tool palette before using any other Jira connector operations.

This configuration authenticates with the Jira system by configuring the user credentials and login URL. Provide the username, password, and URL of the Jira system.


  • Get high severity issues created.

Drag and drop ‘searchJira’ operation from the tool palette to retrieve data from Jira system.


Set the query to retrieve open, highest-severity issues in the property window:

priority = Highest AND resolution = Unresolved AND status = Open


  • Loop through retrieved issues

The Jira system response has the following format.


According to the response, there are two issues that are high priority and open. To loop through them, drop an Iterate mediator.


Set the ‘Iterate Expression’ property of the Iterate mediator to “//issues”.


  • Extract the issue link from iterated issue.

Drop a Property mediator into the iterator and set its values as follows. It will concatenate the issue link with the “WSO2 ALERT” message.


  • Connect to Twilio

Drop Twilio Init operation from palette and provide required account details to authenticate.



  • Send extracted issue link as a SMS alert

Drop a Twilio sendSMS mediator.

Set the ‘To’ value to the receiver's phone number. (The ‘From’ value can be found in your Twilio account.)

Simply set the ‘body’ to the property value.


  • It might be useful to add Log mediators to log the sequence status at intermediate points.
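Put together, the resulting sequence is conceptually similar to the following hand-written sketch. (The exact connector operation and parameter names should be taken from the Jira and Twilio connector docs in [3] and [4]; the credentials, numbers, and the `//self` link expression here are placeholders.)

```xml
<sequence xmlns="http://ws.apache.org/ns/synapse" name="AlertSequence">
    <jira.init>
        <username>jira-user</username>
        <password>jira-password</password>
        <uri>https://your-jira-instance.example.com</uri>
    </jira.init>
    <jira.searchJira>
        <query>priority = Highest AND resolution = Unresolved AND status = Open</query>
    </jira.searchJira>
    <iterate expression="//issues" continueParent="true">
        <target>
            <sequence>
                <!-- 'self' assumed to hold the issue link; adjust to the actual response -->
                <property name="alertMessage"
                          expression="fn:concat('WSO2 ALERT ', //self)"/>
                <twilio.init>
                    <accountSid>your-account-sid</accountSid>
                    <authToken>your-auth-token</authToken>
                </twilio.init>
                <twilio.sendSms>
                    <to>+94771234567</to>
                    <from>+15551234567</from>
                    <body>{$ctx:alertMessage}</body>
                </twilio.sendSms>
            </sequence>
        </target>
    </iterate>
</sequence>
```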


  • Triggering the sequence periodically

The ESB Scheduled Task component can be used to invoke the sequence we created. Create a Scheduled Task [6] named "AlertTask" in the same project.


In the properties view, open the ‘Task Properties’ pop-up configuration window. Set ‘sequenceName’ to “AlertSequence”, ‘injectTo’ to “sequence”, and ‘message’


In the AlertTask properties, change ‘interval’ to 900, which is 15 minutes, and ‘count’ to -1.

Create the deployable archive to deploy in WSO2 ESB

  • Create a Composite Application Project (SampleCAPP) in Developer Studio and include SampleConnectorProject as a dependency.


Deploying in WSO2 ESB

  • Download WSO2 ESB 4.8.0 from [7].
  • Install the connectors (Jira Connector and Twilio Connector) [8].

After installing the connectors in the ESB server, make sure to activate them.

  • Deploy the ‘SampleCAPP’ from Developer Studio [9]

Checking issues on demand from a REST client

This issue-review scenario is entirely schedule-driven. If someone needs to check immediately whether there are any high-priority issues, we should be able to invoke the sequence on demand.

Assume the user makes a request from a REST client.

  • Create a REST API artifact in the SampleConnectorProject [10]

A REST API allows you to configure REST endpoints in the ESB by directly specifying HTTP verbs (such as POST and GET), URI templates, and URL mappings through an API.


  • Drop the AlertSequence into the inSequence from the palette's Defined Sequences section.


Make sure to set the ‘Continue Parent’ property to ‘true’ in the AlertSequence's Iterate mediator.


  • Drop a ‘Respond’ mediator. (This will return the results to the user.)


Now deploy the SampleCAPP. In the management console, the REST API menu page will show the SampleRESTAPI and its API invocation URL. Using this URL, we can simply check on demand for issues created with high priority.

Chandana NapagodaManage SOAPAction of the Out Message

When you are sending a request message to a backend service through WSO2 ESB, there could be scenarios where you need to remove or change the SOAPAction header value.

Using the header mediator and property mediator, which are available in WSO2 ESB, we can remove the SOAPAction or set it to empty.

Set SOAPAction as Empty:
<header name="Action" value=""/>
<property name="SOAPAction" scope="transport" value=""/>

Remove SOAPAction:
<header action="remove" name="Action"/> 
<property action="remove" name="SOAPAction" scope="transport"/>

Modify SOAPAction:

When setting the SOAPAction, one of the approaches below can be used.

1) Set a static value:
<header name="Action" value="fixedAction"/>

2) Set the value using an XPath expression:
<header expression="xpath-expression" name="Action"/>
More Info: Header Mediator

If we need to monitor the messages passed between the ESB and the backend service, we can place TCPMon [1] between the back-end and the ESB. Using TCPMon, we can monitor messages and their header information (including the SOAPAction).

At the bottom of TCPMon, there is a control available to view messages in XML format.


Read more about WSO2 ESB: Enterprise Integration with WSO2 ESB

Pavithra MadurangiConfiguring Active Directory (Windows 2012 R2) to be used as a user store of WSO2 Carbon based products

The purpose of this blog post is not to explain the steps to configure AD as the primary user store; that information is covered in the WSO2 documentation. My intention is to give some guidance on how to configure an AD LDS instance to work over SSL and how to export/import certificates into the trust store of WSO2 servers.

To achieve this, we need to

  1. Install AD on Windows 2012 R2
  2. Install AD LDS role in Server 2012 R2
  3. Create an AD LDS instance
  4. Install Active Directory Certificate Services in the Domain Controller (since we need the AD LDS instance to work over SSL)
  5. Export certificate used by Domain Controller.
  6. Import the certificate to client-truststore.jks in WSO2 servers.

This information is also covered in the following two great blog posts by Suresh, so my post will be an updated version of them that fills some gaps and links some missing bits and pieces.

1. Assume you have only installed Windows 2012 R2 and now need to install AD too. The following article clearly explains all the required steps.

Note: As mentioned in the article itself, it is written assuming that there is no existing Active Directory Forest. If you need to configure the server to act as the Domain Controller for an existing Forest, the following article will be useful.

2) Now you've installed Active Directory Domain Services, and the next step is to install the AD LDS role. 

- Start -> Open Server Manager -> Dashboard and Add roles and features.

- In the pop-up wizard, under Installation Type, select the 'Role-based or feature-based installation' option and click Next. 

- In Server Selection, keep the current server, which is selected by default, and click Next.

- Select the AD LDS (Active Directory Lightweight Directory Services) check box in Server Roles and click Next.

- Next, the wizard will show AD LDS related information. Review that information and click Next.

- Now you'll be prompted to select optional features. Review and select the optional features you need (if any) and click Next.

- Review installation details and click Install.

- After successful AD LDS installation you'll get a confirmation message.

3. Now let's create an AD LDS instance. 

- Start -> Open Administrative Tools.  Click Active Directory Lightweight Directory Service Setup Wizard.

- You'll be directed to the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page. Click Next.

- Then you'll be taken to the Setup Options page. From this step onwards, the configuration is the same as mentioned in 

4. As explained in the above blog, if you pick an administrative account for the service account selection, you won't have to specifically create certificates and assign them to the AD LDS instance. Instead, the default certificates used by the Domain Controller can be accessed by the AD LDS instance.

To achieve this, let's install a certificate authority on the Windows 2012 server (if it's not already installed). Again, I'm not going to explain it in detail because the following article covers all the required information.

5. Now let's export the certificate used by the Domain Controller.

- Go to MMC (Start -> Administrative tools -> run -> MMC)
- File -> Add or Remove Snap-ins
- Select certificates snap-in and click add.

- Select the Computer account radio button and click Next.
- Select Local computer and click Finish.

Now restart the Windows server.

- In MMC, click on Certificates (Local Computer) -> Personal -> Certificates.
- There you'll find a bunch of certificates.
- Locate the root CA certificate, right-click on it -> All Tasks and select Export.

Note: The intended purpose of this certificate is "All" (not purely server authentication). It's possible to create a certificate just for server authentication and use it for LDAPS authentication; [1] and [2] explain how that can be achieved.

For the moment I'm using the default certificate for LDAPS authentication.

- In the Export wizard, select the "Do not export the private key" option and click Next.
- Select DER encoded binary X.509 (.cer) format and provide a location to store the certificate.

6. Import the certificate to trust store in WSO2 Server.

Use the following command to import the certificate into client-truststore.jks, found inside CARBON_HOME/repository/resources/security.

keytool -import -alias adcacert -file /cert_home/cert_name.cer -keystore CARBON_HOME/repository/resources/security/client-truststore.jks -storepass wso2carbon

After this, configuring user-mgt.xml and tenant-mgt.xml is the same as explained in the WSO2 documentation.

Chanaka FernandoWSO2 ESB tuning performance with threads

I have written several blog posts explaining the internal behavior of the ESB and the threads created inside ESB. With this post, I am talking about the effect of threads in the WSO2 ESB and how to tune up threads for optimal performance. You can refer [1] and [2] to understand the threads created within the ESB.



Within this blog post, I am discussing the "worker threads" which are used for processing the data within WSO2 ESB. There are 2 types of worker threads created when you start sending requests to the server:

1) Server Worker/Client Worker Threads
2) Mediator Worker (Synapse-Worker) Threads

Server Worker/Client Worker Threads

This set of threads is used to process all the requests/responses coming into the ESB server. ServerWorker threads are used to process the request path and ClientWorker threads are used to process the responses.

Mediator Worker (Synapse-Worker) Threads

These threads will only be started if you have iterate/clone mediators in your ESB mediation flow. These threads will be used for processing iterate/clone operations in separate threads for parallel processing of a single request.

WSO2 ESB uses the Java ThreadPoolExecutor implementation for spawning new threads to process requests. Both of the above-mentioned thread categories use this implementation underneath.

The java.util.concurrent.ThreadPoolExecutor is an implementation of the ExecutorService interface. The ThreadPoolExecutor executes the given task (Callable or Runnable) using one of its internally pooled threads.

The thread pool contained inside the ThreadPoolExecutor can contain a varying amount of threads. The number of threads in the pool is determined by these variables:
  • corePoolSize
  • maximumPoolSize

If fewer than corePoolSize threads are running in the thread pool when a task is delegated to it, a new thread is created, even if idle threads exist in the pool.

If the internal queue of tasks is full, and corePoolSize threads or more are running, but less than maximumPoolSize threads are running, then a new thread is created to execute the task.

These parameters of the thread pools can be configured in the following configuration files in WSO2 ESB.

ServerWorker/ClientWorker Thread pool (ESB_HOME/repository/conf/


The default values given in the standalone ESB pack would be enough for most scenarios, but you need to do some performance testing with a similar load and tune these values accordingly. In the above configuration, there are 2 commented-out parameters.

worker_thread_keepalive_sec - If the pool currently has more than corePoolSize threads, excess threads will be terminated if they have been idle for more than the keepAliveTime. This provides a means of reducing resource consumption when the pool is not being actively used. If the pool becomes more active later, new threads will be constructed.

worker_pool_queue_length - This is the length of the task queue to which the server delegates new tasks when there is new data to be processed. The length of this queue is -1 (infinite) by default. This is one of the most important parameters when tuning the server for capacity. With an infinite queue, the server never rejects any request; the drawback is that if there are too few processing threads and you hit a peak load, the server can easily go into OOM status, since the task queue holds all the requests coming into the server. You should decide on a sensible value for this queue length rather than keeping it at -1. With a bounded queue length, some requests will be rejected under high load, but the server will not crash (OOM) — which is better than losing all the requests. Another disadvantage of a -1 queue length is that the server will never create the max number of threads, only the core number of threads, under any kind of load.
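The interplay between the core size, the max size and a bounded task queue can be observed with a small stdlib sketch. The pool values below are made up for illustration and are not ESB defaults: with core=2, max=4 and a queue of length 2, the seventh concurrent task is rejected instead of exhausting memory.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class PoolDemo {
    // Fill a bounded pool (core=2, max=4, queue=2) with blocking tasks and
    // report [poolSize, queuedTasks, rejectedCount] at the saturation point.
    static int[] fillPool() {
        ThreadPoolExecutor pool = new ThreadPoolExecutor(
                2, 4, 5, TimeUnit.SECONDS, new LinkedBlockingQueue<Runnable>(2));
        CountDownLatch release = new CountDownLatch(1);
        Runnable blocker = () -> {
            try { release.await(); } catch (InterruptedException ignored) { }
        };
        // Tasks 1-2 start the core threads, 3-4 wait in the queue,
        // 5-6 push the pool up to maximumPoolSize.
        for (int i = 0; i < 6; i++) {
            pool.execute(blocker);
        }
        int rejected = 0;
        try {
            pool.execute(blocker);  // queue full, max threads busy -> rejected
        } catch (RejectedExecutionException e) {
            rejected = 1;
        }
        int[] stats = { pool.getPoolSize(), pool.getQueue().size(), rejected };
        release.countDown();
        pool.shutdown();
        return stats;
    }

    public static void main(String[] args) {
        int[] stats = fillPool();
        System.out.println("threads=" + stats[0]
                + " queued=" + stats[1] + " rejected=" + stats[2]);
        // prints: threads=4 queued=2 rejected=1
    }
}
```

With an unbounded queue (capacity -1), the `pool.execute` call in the loop would never create more than the 2 core threads and would never reject — exactly the behavior described above.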

MediatorWorker (SynapseWorker) Threads (ESB_HOME/repository/conf/

synapse.threads.core = 20
synapse.threads.max = 100
#synapse.threads.keepalive = 5
#synapse.threads.qlen = 10

The same theory described above can be applied when tuning this thread pool. Apart from that, it is always better to match the core value with the ServerWorker threads' core value if you use iterate/clone mediators heavily in your mediation flow. Reasonable values for these parameters would look like below.

synapse.threads.core = 100
synapse.threads.max = 200

I hope this would help you when tuning WSO2 ESB server for your production deployments.

Lali Devamanthrivote for SourceForge Community Choice

The vote for July 2015 Community Choice SourceForge Project of the Month is now available, and will run until June 15, 2015 12:00 UTC. Here are the candidates:

Octave-Forge: Octave-Forge is a central location for the collaborative development of packages for GNU Octave. The Octave-Forge packages expand Octave’s core functionality by providing field specific features via Octave’s package system. For example, image and signal processing, fuzzy logic, instrument control, and statistics packages are examples of individual Octave-Forge packages. Download Octave-Forge now.

Smoothwall: Smoothwall is a best-of-breed Internet firewall/router, designed to run on commodity hardware and to provide an easy-to-use administration interface to those using it. Built using free and open source software (FOSS), it’s distributed under the GNU Public License. Download Smoothwall now.

Robolinux: RoboLinux is a Linux desktop solution for a home office, SOHO, and enterprise users looking for a well-protected migration path away from other operating systems. Download Robolinux now.

NAS4Free: NAS4Free is an embedded Open Source Storage distribution that supports sharing across Windows, Apple, and UNIX-like systems. It includes ZFS, Software RAID (0,1,5), disk encryption, S.M.A.R.T / email reports, etc. with the following protocols: CIFS (samba), FTP, NFS, TFTP, AFP, RSYNC, Unison, iSCSI, UPnP, Bittorent (initiator and target), Bridge, CARP (Common Address Redundancy Protocol) and HAST (Highly Available Storage). All this can easily be set up through its highly configurable Web interface. NAS4Free can be installed on Compact Flash/USB/SSD media or a hard disk, or booted from a Live CD with a USB stick. Download NAS4Free now.

NamelessROM: NamelessRom is an opportunity to have a voice to the development team of the after-market firmware that you run on your device. The main goal of NamelessRom is to provide quality development for android devices, phones, and tablets alike. NamelessRom developers are available nearly 24/7 and respond to bug reports and feature requests almost instantly. This availability will allow you, the end-user, to have direct input into exactly what features and functions are included on the firmware that you run. Download NamelessROM now.

CaesarIA (openCaesar3): CaesarIA is an open source remake of the Caesar III game released by Impressions Games in 1998. It aims to expand the possibilities of the classical city-building simulators and to add new features showing the city life. The game now works on Windows, Linux, Mac, Haiku, and Android. The original Caesar 3 game is needed to play openCaesar3. Download CaesarIA (openCaesar3) now.

gnuplot development: A famous scientific plotting package, features include 2D and 3D plotting, a huge number of output formats, interactive input or script-driven options, and a large set of scripted examples. Download gnuplot development now.

Battle for Wesnoth: The Battle for Wesnoth is a free, turn-based tactical strategy game with a high fantasy theme, featuring both single-player and online/hotseat multiplayer combat. Fight a desperate battle to reclaim the throne of Wesnoth, or take hand in any number of other adventures. Download Battle for Wesnoth now.

SharpDevelop: SharpDevelop is the open-source IDE for the .NET platform. Write applications in languages including C#, VB.NET, F#, IronPython and IronRuby, as well as target rich and reach: Windows Forms or WPF, as well as ASP.NET MVC and WCF. It starts from USB drives, supports read-only projects, comes with integrated unit and performance testing tools, Git, NuGet, and a lot more features that make you productive as a developer. Download SharpDevelop now.

Dedunu DhananjayaHow to fix Incompatible clusterIDS in Hadoop?

When you are installing and trying to set up your Hadoop cluster, you might face an issue like the one below.
FATAL org.apache.hadoop.hdfs.server.datanode.DataNode: Initialization failed for Block pool (Datanode Uuid unassigned) service to master/ Exiting. Incompatible clusterIDs in /home/hadoop/hadoop/data: namenode clusterID = CID-68a4c0d2-5524-486e-8bc9-e1fc3c5c2e29; datanode clusterID = CID-c6c3e9e5-be1c-4a3f-a4b2-bb9441a989c5
I just quoted the first two lines of the error, but the full stack trace would look like below.

You might not have formatted your namenode properly. If this happened in a test environment, you can easily delete the data and namenode folders and reformat HDFS. To format, you can run the below command.

hdfs namenode -format
But if you have a lot of data in your Hadoop cluster, you can't easily format it. In that case, this post is for you.

First, stop all running Hadoop processes. Then log into your namenode. Find the value of the property. Run the below command with your namenode folder.
cat <>/current/VERSION
Then you will see content like below.
#Thu May 21 08:29:01 UTC 2015
Copy the clusterID from the namenode. Then log into the problematic slave node. Find the folder. Run the below command to edit the VERSION file.
vim <>/current/VERSION 
Your datanode VERSION file will look like below. Replace its clusterID with the one you copied from the namenode.
#Thu May 21 08:31:31 UTC 2015
Then everything will be okay!
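If you have many datanodes to fix, the manual VERSION edit above can be scripted. A minimal Java sketch of that edit, assuming only the standard `clusterID=...` property format of the VERSION file (the file path and IDs are whatever your cluster uses):

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.stream.Collectors;

public class ClusterIdFixer {
    // Rewrite the clusterID line of a datanode VERSION file in place,
    // using the clusterID copied from the namenode.
    static void replaceClusterId(Path versionFile, String namenodeClusterId)
            throws IOException {
        List<String> fixed = Files.readAllLines(versionFile).stream()
                .map(line -> line.startsWith("clusterID=")
                        ? "clusterID=" + namenodeClusterId
                        : line)
                .collect(Collectors.toList());
        Files.write(versionFile, fixed);
    }
}
```

Stop the datanode before rewriting its VERSION file, and start it again afterwards.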

Dedunu DhananjayaHadoop MultipleInputs Example

Let's assume you are working for ABC Group, and they have ABC America airline, ABC Mobile, ABC Money, ABC Hotel and so on — ABC this and that. So you've got multiple data sources with different types/columns, which means you can't run a single Hadoop job on all the data.

You got several data files from all these businesses.
(Edited this data file 33 times to get it aligned. ;) Don't tell anyone!)

So your job is to calculate the total amount that one person spent with ABC Group. For this, you could run a job for each company and then run another job to calculate the sum. But what I'm going to tell you is "NOOOO! You can do this with one job." Your Hadoop administrator will love this idea.
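Conceptually, what that one job computes boils down to a per-customer sum over records coming from all the sources. A plain-Java sketch of that aggregation (the `(customerId, amount)` record layout here is made up for illustration — the real columns differ per source, which is exactly why the custom InputFormats below are needed):

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SpendAggregator {
    // Sum the spend per customer ID across records from any source.
    static Map<String, Integer> totalPerCustomer(List<String[]> records) {
        Map<String, Integer> totals = new HashMap<>();
        for (String[] rec : records) {
            // rec[0] = customer ID, rec[1] = amount (normalized by the readers)
            totals.merge(rec[0], Integer.parseInt(rec[1]), Integer::sum);
        }
        return totals;
    }

    public static void main(String[] args) {
        // One normalized record from each imaginary source.
        List<String[]> records = Arrays.asList(
                new String[] {"12345678", "300"},  // airline.txt
                new String[] {"12345678", "150"},  // book.txt
                new String[] {"12345678", "50"});  // mobile.txt
        System.out.println(totalPerCustomer(records)); // prints {12345678=500}
    }
}
```

In the actual MapReduce job, the per-source RecordReaders do the normalization and the reducer does the summing.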

You need to develop a custom InputFormat and a custom RecordReader. I have created both of these classes inside the custom InputFormat class. A sample InputFormat should look like below.

nextKeyValue() method is the place where you should code according to your data files.

Developing custom InputFormat classes is not enough; you also need to change the main class of your job. Your main class should look like below.

Lines 26-28 add your custom inputs to the job. Note that you don't set the Mapper class separately here. If you want, you can develop separate mapper classes for your different file types; I'll write a blog post about that method as well.
To build the JAR from my sample project, you need Maven. Run the below command to build the JAR from the Maven project. You can find the JAR file inside the target folder once you've built the project.
mvn clean install
| |----/airline.txt
| |----/book.txt
With this change you may have to change the way you run the job. My file structure looks like above; I have different folders for the different types. You can run the job with the command below.
hadoop jar /vagrant/muiltiinput-sample-1.0-SNAPSHOT.jar /user/hadoop/airline_data /user/hadoop/book_data /user/hadoop/mobile_data output_result
If you have followed all the steps properly you will get job's output like this.

The job will create a folder called output_result. If you want to see its content, you can run the below command.
hdfs dfs -cat output_result/part*
I ran my sample project on my sample data set. My result file looked like below.
12345678 500
23452345 937
34252454 850
43545666 1085
56785678 709
67856783 384
The source code of this project is available on GitHub.

Enjoy Hadoop!

Nandika JayawardanaHow to Cluster WSO2 BPS 3.2.0

Cluster Architecture

Server clustering is done mainly in order to achieve high availability and scalability.

High Availability

High availability means there is redundancy in the system such that service is available to the outside world irrespective of individual component failures. For example, if we have a two-node cluster, even if one node fails, the other node continues to serve requests till the failed node is restored.


Scalability

Scalability means increasing the processing capacity by adding more server nodes.

Load Balancer

Load balancing is the method of distributing workload across multiple server nodes. In order to achieve proper clustering function, you require a load balancer. The function of the load balancer is to monitor the availability of the server nodes in the cluster and route requests to all the available nodes in a fair manner. The load balancer is the external-facing interface of the cluster; it receives all the requests coming to the cluster and distributes that load to all available nodes. If a node has failed, the load balancer will not route requests to that node until it is back online.

WSO2 Business Process Server Cluster Architecture

In order to build a WSO2 Business Process Server cluster, you require the following.

  1. Load balancer
  2. Hardware / VM nodes for the BPS nodes
  3. Database server
The following diagram depicts the deployment of a two-node WSO2 BPS cluster.

The load balancer receives all the requests and distributes the load (requests) to the two BPS nodes. BPS nodes can be configured as master and slave nodes. A BPS cluster can have one master node and multiple slave nodes.

BPS Master Nodes / Slave Nodes

The master node is where the workflow artifacts (business processes / human tasks) are first deployed. The slave nodes look at the configuration generated by the master node for a given deployment artifact and then deploy those artifacts in their runtime.
WSO2 BPS requires this method of deployment because it does automatic versioning of the deployed BPEL/human task artifacts. Hence, in order to have the same version number for a given deployment artifact across all the nodes, we need to do the versioning at one node (the master node).
A BPS server decides whether it is a master node or a slave node by looking at its configuration registry mounting configuration. We will look at that configuration in detail later.

BPS and Registry

In the simplest terms, the registry is an abstraction over a database schema. It provides an API with which you can store data in and retrieve data from a database. WSO2 BPS embeds the registry component and hence has a built-in registry. The registry is divided into three spaces.

Local Registry

Local registry is used to store information local to a server node.

Configuration Registry

The Configuration Registry is used to store information that needs to be shared across server nodes of the same type. For example, the configuration registry is shared across BPS server nodes; however, that same configuration registry would not be shared with a different type of server node.

Governance Registry 

The Governance Registry is used to store information that can be shared across multiple clusters of different types of servers. For example, the governance registry can be shared across a BPS and an ESB cluster. In the above diagram, these different registry configurations are depicted as individual databases.
The BPS master node refers to the configuration registry using a Read/Write link, while the BPS slave nodes refer to the configuration registry using a Read-Only link.

BPS and User Store and Authorization

The BPS management console requires a user to log into the system in order to perform management activities. Additionally, various permission levels can be configured for access management. In human tasks, what a user can do with a task depends on who is logged in.
All these access control/authentication/authorization functions are inherited by the BPS server from the Carbon kernel. You can also configure an external LDAP/Active Directory to grant users access to the server. All this user and permission information is kept in the user store database; in the above diagram, UM DB refers to this database. This database is also shared across all the cluster nodes.

BPS Persistence DB

BPS handles long-running processes and human tasks. This means the runtime state of the process instances / human task instances has to be persisted to a database. The BPS persistence database is the database where we store this process/task configuration data and process/task instance state.

Configuring the BPS Cluster

Now that we have understood the individual components depicted in the above diagram, we can proceed to implement our BPS cluster. I will break the cluster configuration down into the following steps. The only major difference between the master node and a slave node is in the registry.xml configuration.
If you are using two machines (hardware or VM), all other configurations are identical for the master node and slave node except IP addresses, ports and the deployment synchronizer entry. However, if you are configuring the cluster on the same machine for testing purposes, you will need to change multiple files, as port conflicts can occur.

  1. Create database schemas.
  2. Configure the master-datasources.xml  ( Registry and User manager databases )
  3. Configure datasources.properties  ( BPS Persistence database )
  4. Configure registry.xml ( Different for master node and slave node)
  5. Configure the user-mgt.xml
  6. Configure axis2.xml
  7. Configure tasks-config.xml
  8. Configure bps.xml
  9. Configure carbon.xml
  10. Configure the server start-up script

Creating database schemas

WSO2 BPS supports the following major databases.
  1. Oracle
  2. MySQL
  3. MSSQL
  4. PostgreSQL

In the above diagram, we have depicted 5 databases. We can use H2 as the local registry for each BPS node, and we can create one schema for the registry and configure registry mounting for the configuration registry and governance registry. Hence, we have to create 3 more databases: for the registry, the user store and the BPS persistence DB.

Database schema requirement:

  • Configuration/Governance Registry database
  • User store database
  • BPS Persistence database

You can find the corresponding SQL scripts for creating the registry databases in the wso2bps-3.2.0/dbscripts directory. The SQL script for the BPS persistence database can be found in the wso2bps-3.2.0/dbscripts/bps directory.

As an example of creating a database, we will show the steps for creating a database using MySql.

mysql> create database REGISTRY_DB;
mysql> use REGISTRY_DB;
mysql> source /dbscripts/mysql.sql;
mysql> grant all on REGISTRY_DB.* TO username@localhost identified by "password";

Download and copy the MySQL connector to the /repository/components/lib directory.

Configuring master-datasources.xml

You can configure the data sources for the registry and user store in the master-datasources.xml file found in the /repository/conf/datasources directory.

<datasources-configuration xmlns:svns="http://org.wso2.securevault/configuration">

    <datasource>
      <description>The datasource used for registry and user manager</description>
      <definition type="RDBMS">
        <configuration>
          <url>jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
          <validationQuery>SELECT 1</validationQuery>
        </configuration>
      </definition>
    </datasource>

    <datasource>
      <description>The datasource used for registry - config/governance</description>
      <definition type="RDBMS">
        <configuration>
          <validationQuery>SELECT 1</validationQuery>
        </configuration>
      </definition>
    </datasource>

    <datasource>
      <description>The datasource used for registry - local</description>
      <definition type="RDBMS">
        <configuration>
          <validationQuery>SELECT 1</validationQuery>
        </configuration>
      </definition>
    </datasource>

</datasources-configuration>

Most of the entries are self-explanatory.

Configure datasources.properties ( BPS Persistence database )

Open /repository/conf/datasources.properties and add the relevant entries such as the database name, driver class and database connection URL. Following is the matching configuration for MySQL.

synapse.datasources.bpsds.validationQuery=SELECT 1

You need to do this for each node in the cluster.

Configure registry.xml

The registry mount path is used to identify the type of registry. For example, "/_system/config" refers to the configuration registry and "/_system/governance" refers to the governance registry. Following is an example configuration for the BPS mount; I will highlight each section and describe it below.
I will only describe the additions to the registry.xml file. Leave the configuration for the local registry as it is and add the following new entries.

Registry configuration for BPS master node

<dbConfig name="wso2bpsregistry">
    ...
</dbConfig>

<remoteInstance url="https://localhost:9443/registry">
    <cacheId>root@jdbc:mysql://localhost:3306/REGISTRY_DB</cacheId>
    ...
</remoteInstance>

<mount path="/_system/config" overwrite="true">
    ...
</mount>

<mount path="/_system/governance" overwrite="true">
    ...
</mount>

Let’s look at the above configuration in detail. We identify the datasource we configured in master-datasources.xml using the dbConfig entry, and we give it a unique name to refer to that datasource entry, which is "wso2bpsregistry".
The remote instance section refers to an external registry mount. We can specify the read-only/read-write nature of this instance, as well as caching configurations and the registry root location. Additionally, we need to specify a cacheId for caching to function properly in the clustered environment. Note that the cacheId is the same as the JDBC connection URL to our registry database.
We define a unique name "id" for each remote instance, which is then referred to from the mount configurations. In the above example, our unique id for the remote instance is instanceId. In each of the mount configurations, we specify the actual mount path and the target mount path.

Registry configuration for BPS slave node

<dbConfig name="wso2bpsregistry">
    ...
</dbConfig>

<remoteInstance url="https://localhost:9443/registry">
    <cacheId>root@jdbc:mysql://localhost:3306/REGISTRY_DB</cacheId>
    ...
</remoteInstance>

<mount path="/_system/config" overwrite="true">
    ...
</mount>

<mount path="/_system/governance" overwrite="true">
    ...
</mount>

This configuration is the same as above, with the readOnly property set to true in the remote instance configuration.

Configure user-mgt.xml

In user-mgt.xml, enter the datasource information for the user store which we configured previously in the master-datasources.xml file. You can change the admin username and password as well; however, you should do this before starting the server.

  <Property name="dataSource">jdbc/WSO2UMDB</Property>

Configure axis2.xml

We use axis2.xml to enable clustering. We will use the well-known address (WKA) based clustering method. In WKA-based clustering, we need to have a subset of cluster members configured in all the members of the cluster, and at least one well-known member has to be operational at all times.
In axis2.xml, find the clustering section.

<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
  <parameter name="membershipScheme">wka</parameter>
  <parameter name="localMemberHost"></parameter>
  <parameter name="localMemberPort">4000</parameter>
  ...
</clustering>

Change the enable attribute to true. Find the membershipScheme parameter and set the wka option. Then configure the localMemberHost and localMemberPort entries. Under the members section, add the host name and port for each WKA member. As we have only two nodes in our sample cluster configuration, we will configure both nodes as WKA nodes.
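For example, a members section for our two-node sample could look like the following (the host name and ports here are placeholders for your actual node addresses):

```xml
<members>
    <member>
        <hostName>127.0.0.1</hostName>
        <port>4000</port>
    </member>
    <member>
        <hostName>127.0.0.1</hostName>
        <port>4001</port>
    </member>
</members>
```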

Configure tasks-config.xml

BPS packages the task server component as well. By default, when we enable clustering, this component waits for two task server nodes; hence we need to change this entry in order to start the BPS server. Open tasks-config.xml and change the task server count to 1.

Configure bps.xml

In bps.xml, you need to configure the following entries.
Enable distributed lock

This entry enables a Hazelcast-based synchronization mechanism in order to prevent concurrent modification of instance state by cluster members.

Configure scheduler thread pool size


The thread pool size should always be smaller than the maxActive database connections configured in the datasources.properties file. When configuring the thread pool size, allocate 10-15 threads per core depending on your setup. Also leave some additional database connections, since BPS uses database connections for the management API as well.

Example settings for a two-node cluster:
  • MySQL server configured database connection size: 250
  • maxActive entry in the datasources.properties file for each node: 100
  • SchedulerThreadPool size for each node: 50

Define a unique node id for each node in the cluster
This value has to be a unique string for each node in the cluster.

Configure carbon.xml

If you want automatic deployment of artifacts across the cluster nodes, you can enable the deployment synchronizer feature from carbon.xml.


The deployment synchronizer functions by committing the artifacts to the configured SVN location from one node (the node with the AutoCommit option set to true) and sending cluster messages to all other nodes about the addition/change of the artifact. When the cluster message is received, all other nodes do an SVN update, thereby obtaining the changes in the relevant deployment directories; the server then automatically deploys these artifacts.
For the master node, keep the AutoCommit and AutoCheckout entries as true. For all other nodes, change the AutoCommit entry to false.
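As a sketch, the DeploymentSynchronizer entry in carbon.xml for the master node could look like the following (the SVN URL and credentials are placeholders, and element names may vary slightly between Carbon versions):

```xml
<DeploymentSynchronizer>
    <Enabled>true</Enabled>
    <AutoCommit>true</AutoCommit>
    <AutoCheckout>true</AutoCheckout>
    <RepositoryType>svn</RepositoryType>
    <SvnUrl>http://svn.example.com/repos/bps-artifacts</SvnUrl>
    <SvnUser>svn_user</SvnUser>
    <SvnPassword>svn_password</SvnPassword>
    <SvnUrlAppendTenantId>true</SvnUrlAppendTenantId>
</DeploymentSynchronizer>
```

On the slave nodes, the same block is used with AutoCommit set to false.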

Configure the server start-up script

In the server start-up script, you can configure the memory allocation for the server node as well as JVM tuning parameters. If you open the or wso2server.bat file located in the /bin directory and go to the bottom of the file, you will find those parameters. Change them according to the expected server load.

Following is the default memory allocation for a wso2 server.

-Xms256m -Xmx1024m -XX:MaxPermSize=256m

Cluster artifact deployment best practices

  1. Always deploy the artifact on the master node first and on slave nodes after some delay.
  2.  Use deployment synchronizer if a protected svn repository is available in the network.
  3. Otherwise, you can use simple file copying to deploy artifacts.

Sajith RavindraA possible reason for "Error while accessing backend services for API key validation" in WSO2 API manager


When trying to validate a token in WSO2 API Manager, it may return the error:
<ams:fault xmlns:ams="">
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Error while accessing backend services for API key validation</ams:description>
</ams:fault>

The most likely cause of this problem is an error with the Key Manager. This error means the tokens could not be validated because the back-end — in other words, the Key Manager — could not be accessed.

I had a distributed API Manager 1.6 deployment, and when I tried to generate a token for a user, this error was returned. I went and had a look at the Key Manager's wso2carbon.log, since the message indicates an error in the Key Manager. In the log file I noticed the following entry, although there was nothing actually wrong in the Key Manager:

{org.wso2.carbon.identity.thrift.authentication.ThriftAuthenticatorServiceImpl} - Authentication failed for user: admin Hence, returning null for session id. {org.wso2.carbon.identity.thrift.authentication.ThriftAuthenticatorServiceImpl} 

And in the API Gateway's log file, the following error was logged:

TID: [0] [AM] [2015-04-06 21:08:15,918] ERROR {} -  API authentication failure {} Error while accessing backend services for API key validation
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
        at org.apache.axis2.engine.AxisEngine.receive(
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
        at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$
        at java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.util.concurrent.ThreadPoolExecutor$
Caused by: java.lang.NullPointerException
        at org.apache.commons.pool.impl.StackObjectPool.borrowObject(


When I investigated the problem further, I realized that I had NOT put the correct super user name and password in /repository/conf/api-manager.xml in the Gateway (the user name and password used to log into the management console). When I used the correct user name and password, the problem was solved.

This error occurs because the Gateway could not connect to the Key Manager's validation service due to invalid credentials.

In api-manager.xml, the following 3 sections contain <Username> and <Password> entries; make sure they are correct:
1) <AuthManager> 
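For reference, the AuthManager section typically looks like the following (the URL and credentials here are placeholders for your own deployment's values):

```xml
<AuthManager>
    <!-- Server URL of the authentication service (the Key Manager) -->
    <ServerURL>https://keymanager.example.com:9443/services/</ServerURL>
    <!-- Admin credentials - the ones used to log into the management console -->
    <Username>admin</Username>
    <Password>admin</Password>
</AuthManager>
```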


This is not the only possible reason for the above-mentioned error. Some other common causes are (but not limited to):
- A mis-configured master-datasources.xml file on the Key Manager
- Connectivity issues between the Gateway and the Key Manager
- Connectivity issues between the database and the Key Manager
- The Key Manager not being reachable
- etc.
I suggest having a look at the Key Manager log file when you investigate this error; it's very likely you will find a clue.

John MathonAre we living in an age of Magic? Is Elon Musk a magician?

The age of Magic


The ability to do things is becoming more and more feasible from a purely engineering point of view.

NETHERLANDS-BUSINESS-AUTO-TESLA021_14A_HYPERLOOP ARTelon-musk-in-the-dragon-v2-640x356

Is Elon Musk a magician?

Elon is building the first re-usable space transportation system, something the US government spent $150 billion trying to do 20 years ago. He seems to be doing it for somewhere between 1/40th and 1/100th of the cost at which NASA unsuccessfully developed the Space Shuttle system.

Elon built the Tesla, a car that accelerates from 0-60 in 2.8 seconds, faster than any gas-powered car; is safer than any gas-powered car ever built; has 98-99% customer satisfaction in its first 2 years of sales; and improves itself by downloading new versions of itself overnight.

A couple of years ago the State of California passed a bond measure to build a high-speed rail between San Francisco and Los Angeles. The initial cost was estimated at $20+ billion. Unfortunately, since the initial estimate, costs have skyrocketed to an estimated $60 billion+.

Elon Musk proposed building a “hyperloop” instead of the train. A hyperloop running at 750mph would take 30 minutes instead of 2 hours. Analyses of the project costs currently stand at $6-7 billion, or 1/10th the cost of the train system.

I have no idea if the costs are correct but I have read through the description of the project and it seems doable.  The technology to be employed is pretty much off the shelf.   No unknown technology or materials are needed to do this project.  The cost of operating it would be a small fraction of what a rail system would cost.

The fact that it is virtually free from friction allows the system to use very little energy, so a major component of operational cost is vastly reduced as well as maintenance of rails, engines or other components.  Sure there will be some maintenance and other costs but the lower operating costs would make this system the system of choice even if it cost twice what the rail system will cost.  In fact, it is projected to cost less initially to build it and vastly less to operate as well as being 4 times faster.

So, is Elon Musk just lucky, a magician, super brilliant, or will all these things crash and burn for reasons we just haven’t seen yet?  Why is it that he thought of these things when they didn’t occur to lots of people?

“Unbelievable” technology that is available today or in delivery.


128GB chips that fit on the surface of your finger have been available for years, which means we have the ability to write a trillion transistors in the space of your thumb.   That’s unimaginable.  Do any of you know how we do that?   An IBM engineer once told me the theoretical limit of chip density was 64,000 transistors on a bigger surface area.  He was off by about a factor of 100,000,000.    I don’t know how to describe being able to “print” one trillion transistors in such a small space as anything other than magic.   Not only that, it costs tens of dollars, not millions.

My cell phone is able to transmit and receive data at >1 million bytes/second.  10 years ago smart phones didn’t exist and wireless technology allowed you more like 1 thousand bytes/second.  I remember the first time my mother saw a cell phone and I explained that people could call me on it.  She looked at me like I had said something completely crazy and unbelievable.   She honestly didn’t think it was possible.   When the phone rang, my mother’s expression was the closest thing I think I’ve ever seen to someone seeing a miracle.

We have cell phones with screens that are resistant to scratching, resistant to cracking and last years without smudging.   I get that if you put diamond onto the surface of a transparent material it would be harder but wow, for someone who protected his screen religiously for decades it does seem awfully convenient we figured out how to make such resilient transparent material.

These are very real “miracles”, tangible to ordinary people, but below the surface are many more that are no less amazing.


New 3D memory technology that uses a resistive approach in layers is being brought to market by numerous players.  This technology will bring the dream of virtually unlimited three-dimensional storage that is super fast and cheap.    In 10 years we will probably have 128-terabyte memories that are a thousand times faster than current SSDs in our laptops.   Of course, we likely won’t have laptops if I’m right.

Software development has experienced at least a 10-fold to 100-fold increase in productivity in the last 10 years.   Surprisingly this has nothing to do with the improvement in hardware, as in the past. It is due to open source, APIs, PaaS, and DevOps: what I call the 3rd platform for software.  (Okay, I admit a commercial for my company, but the software is also available ubiquitously from other open source vendors.)

I could go on and on with improvements in every field.

The question I am asking is: is Elon Musk a magician, or is something else going on?

Caution:  Spoilers here.   Let me explain the magic Elon Musk uses.

I believe instead that we have reached the age of Magic, and whether Elon believes this or not, he is leveraging it. This means we have reached a state where the things we can do technologically exceed what most people think we can do.

Suppose you have an idea to do something, for instance, “I want to go to Mars.”  With some cash this is doable, because we have the technology; you just may not realize it.  It’s also not as much cash as you might think.

So, is it simply almost a naïveté that allowed Elon to achieve these dreams?   Did he KNOW that the technology was available?  Was he just luckily naive?   He admits to a fair amount of naïveté in his video interviews.

He describes how he first went to look on the NASA website for when NASA would be offering Mars rides.   He was surprised they had no plan to go to Mars.   So, he decided to spark curiosity and get people excited about space again by doing some inspiring trifle, hoping it would trigger an interest.    He says what he figured out was that people weren’t lacking inspiration to go to Mars; they simply didn’t believe it was possible.   In other words, people lacked the “awareness” of what was possible.

Let me be clear.  I realize that Elon worked unbelievably hard and he sacrificed nearly his entire wealth and he is indisputably brilliant in multiple dimensions.  There are few who appreciate what he’s done but there were no breakthrough technologies to do what he did that I am aware of.  Almost all the companies he’s built have used off the shelf technology brilliantly engineered.

What this means is that if you have an idea for virtually anything — say you want to go to Mars, cure cancer, or eliminate hunger — is the thing stopping you or us from doing it simply a lack of will or belief, and not technology?

The Age of Magic

The pace of progress has been so blistering that most people are simply unaware of how advanced we have become in many fields.

We have assumed so many things aren’t possible because frankly most people simply don’t know what is possible.  We have crossed things off our list, like my mother had.   If you haven’t been tracking all the technology improvements in the last 10 years you may not realize what is possible.

That is not surprising because keeping up on the technological changes is daunting.  There is a lot.

The past paradigm

In the past, some new technological revelation happened, like the discovery of the polio vaccine, that fundamentally changed what was possible and suddenly made advances achievable.     This was then followed by a period of mad creation and disruption.   We started building vaccines for lots of diseases and a revolution happened.   To those who experienced numerous diseases this surely seemed like magic at first.  Then we became used to it.

Certainly the first microscope or telescope brought the perception of magic and amazing revelations.

The same happens in Art or any creative endeavor.  When a discovery or new thing is created there is initially a “wow” factor and rapid advancement.

The New Paradigm

There was no “fundamental technology” discovery that enabled Elon to build these technologies.  Even the hyperloop doesn’t require anything but off-the-shelf components.   NASA did supply Elon with a material called PICA that enabled him to build vastly superior heat shields, but it was already invented.  He uses off-the-shelf Panasonic batteries for the Tesla.

Let me not impugn Elon Musk’s engineering skill.  There is no doubt these things are amazing engineering achievements, and his skill in managing the process of bringing all these products to market is unquestioned.   In some sense he just had the courage to try.

I don’t believe in luck.  In my experience luck is the application of massive repeated “doing” that spontaneously finds opportunities but without the “doing” the luck doesn’t happen.  Sorry, so Elon’s not lucky.  He’s truly hard working and brilliant too.  No doubt.   He’s not super-human or an alien or a time traveler or a magician.   Also, I don’t believe this is a bubble and “unreal” in the sense that there is some illusion about these things he’s done.

When the internet came about 20 years ago many of us saw that amazing disruptive things would happen, but the internet is just one of a vast panoply of new technologies enabling not simply the cloud but physical creativity that was unimaginable before.

There is so much technology available now in the form of materials and computer related advancements but also in small stuff.  Low power stuff and just the ability to control and be smart with things.

One of the key abilities which allows massive growth in understanding in engineering ability is being able to see smaller and smaller dimensions.  We have microscopes that can see the quantum foam of the electron around a proton in a hydrogen atom.   We have developed a lot of technology that allows us to manipulate at incredibly tiny scales.  This has allowed us to count, assemble and feedback genetic code thousands of times faster than before at a fraction of the cost, to be able to assemble incredibly small electronic or biologic things.

Ushering in a new age of innovation

Being able to see at the tiny scale allows us to understand what is really happening and fix it or engineer around it.   This I believe is a large part of our “magic” ability.

Right now our technological ability far exceeds the applications of that technology that currently exists.  That’s the definition of the age of Magic.  There are so many ideas that are possible that even the hobbyist with few resources can create industry changing innovation.    In a sense Elon was just a hobbyist with a lot of money.

With Kickstarter and other ways to enable small entrepreneurs we are seeing an explosion of innovation, but without all the technical possibilities brought about by the “magic” we live in there would be precious few successes or interest.

The bigger picture

The point is that many “problems” or “ideas” that 10 or 20 years ago seemed impossible or science fiction magic now appear to be eminently doable and it is just a matter of someone having the belief that it can be done and then scrupulously following the engineering trail to find the technology needed to build the magic.

Let’s say you wanted to build a robot for the home.  Today we have much of the technology to build real robots that we’ve all seen in movies.  The recognition software we have developed in just the last few years would enable a robot to “see” objects and recognize them, to read text or do other basic tasks.   We have figured out how to make robots walk “naturally” and to move smoothly.  We have the improvements in motor systems and control systems that is embeddable.     We also have with Siri and Google Now the ability to answer questions or to take commands and perform actions.   The age of robots cannot be far off.

There is no doubt we will see more robots in the home before a decade is out.   The first I want is a pick up robot.  I want a fairly unobtrusive robot that will just pick up stuff and put it where it belongs.   Clothes, food and such.   The next would be to do the laundry and dishes.   These are constrained tasks that are doable with our technology.

The rate of advancement is hardly slowing down

Discovery of the epigenetic code in DNA was a big advance that will lead to massive improvements in our understanding and our ability to engineer improvements in healthcare.     The combination with IoT and BigData could create a massive reduction in healthcare costs and improvement in consistency of results.

Solar energy is on the cusp of a big “inflection” point.  Recent reductions in the cost of solar cells and improvements in their efficiency are turning what was an “iffy” proposition into an absolute economic win.    Energy is closely related to quality of life.

The “Cloud” and the virtualization of compute technology is already having massive effects but we are just in the infancy of this movement that will transform businesses and personal life in a decade.

Graphene, correlated-oxide, diamond infused glass, you name it.  We have new materials like the Pica Elon is using to build things that were science fiction before.

Our ability to leverage the quantum world as nature has done will enable truly unbelievable things in the next few decades.    We have done so in tunneling diodes central to computers but we will be building quantum computers soon in quantity.   They may give us “magic” computational capability.

We are in an incredible period of advancement in physics that few understand.  The implications of this will be truly staggering and affect our ability to engineer magical products that nobody even thought possible. We have discovered our world is not the simple one that Einstein imagined (:)) but that what we perceive as reality is actually  emergent from Twistor space.   You can read about that here.


We don’t need new physics to feel the age of magic.   The technology around us today is already being vastly underutilized in terms of the improvements in our lives.   It is simply a matter of will and belief that holds us back.   If I were a kid growing up today I don’t know how I could restrain myself from wanting to study engineering and science.   Without knowing what is available you can’t figure out what is possible.

Articles you may find interesting along these lines:

Artificial Intelligence

The greatest age of technology

Roger Penrose.  The smartest man to ever live and Twistor theory

Virtual Reality

Healthcare Improvements

Democracy revolutionized by new technology

Madhuka Udantha: Options for Google Charts

In Google Charts, different chart types take different data set formats.

Google Chart Tools ships with sensible defaults, and all customizations are optional. Every chart exposes a number of options that customize its look and feel. These options are expressed as name:value pairs in the options object.
For example, a visualization supports a colors option that lets you specify a custom palette:

"colors": ['#e0440e', '#e6693e', '#ec8f6e', '#f3b49f', '#f6c7b6']


Let's create a function to set these options:

AddNewOption = function (name, value) {
    $scope.chart.options[name] = value;
};

Now use this function to improve our scatter chart:

AddNewOption('pointShape', 'square');
AddNewOption('pointSize', 20);


Now we can play more with Google Charts options.

Crosshair Options

Crosshairs can appear on focus, selection, or both. They're available for scatter charts, line charts, area charts, and for the line and area portions of combo charts.

When you hover over a point with the crosshair option enabled, you can see guiding axis lines for that point.


Here is the crosshair API to play with:

  • crosshair: { trigger: 'both' }
    display on both focus and selection

  • crosshair: { trigger: 'focus' }
    display on focus only

  • crosshair: { trigger: 'selection' }
    display on selection only

  • crosshair: { orientation: 'both' }
    display both horizontal and vertical hairs

Harshan Liyanage: How to change the logging behaviour of the http-access log in WSO2 Carbon based products

In this blog post I'm going to tell you how to change the default access-logging behavior of WSO2 Carbon based products.

You may have seen access log files with names such as "http_access_2014-08-19.log" created in the <WSO2_PRODUCT_HOME>/repository/logs folder. This log file contains all the information needed to track the clients that have called your server. Every request to the WSO2 Carbon server is recorded in this log file as below.

- - [24/May/2015:00:00:04 +0530] "GET /carbon/dialog/css/jqueryui/jqueryui-themeroller.css HTTP/1.1" 200 4020 "https://localhost:9443/carbon/admin/login.jsp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
- - [24/May/2015:00:00:04 +0530] "GET /carbon/admin/css/carbonFormStyles.css HTTP/1.1" 200 2050 "https://localhost:9443/carbon/admin/login.jsp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
- - [24/May/2015:00:00:04 +0530] "GET /carbon/dialog/css/dialog.css HTTP/1.1" 200 556 "https://localhost:9443/carbon/admin/login.jsp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
- - [24/May/2015:00:00:04 +0530] "GET /carbon/styles/css/main.css HTTP/1.1" 200 1240 "https://localhost:9443/carbon/admin/login.jsp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
- - [24/May/2015:00:00:04 +0530] "GET /carbon/admin/js/jquery.ui.tabs.min.js HTTP/1.1" 200 3594 "https://localhost:9443/carbon/admin/login.jsp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"
- - [24/May/2015:00:00:04 +0530] "GET /carbon/admin/js/main.js HTTP/1.1" 200 15367 "https://localhost:9443/carbon/admin/login.jsp" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36"

Now let's look at how to change this logging behavior. Please note that all changes mentioned below must be made to the "org.apache.catalina.valves.AccessLogValve" configuration in the <WSO2_PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

Changing the prefix and suffix of access-log file name

You might need to change the default prefix (http_access_) and suffix (.log) of the generated access log files. For example, if you need the access log files to be named like wso2_mdm_2014-08-19.txt, change the prefix and suffix parameters of the AccessLogValve configuration as below.

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
               prefix="wso2_mdm_" suffix=".txt"
               pattern="combined" />

Disabling the access log rotation

By default, the Tomcat server creates a new log file each day, including a timestamp in the file name. The objective of this default behavior is to avoid issues when the log file eventually becomes too large. But when you set the rotatable property to "false", it disables this behavior and a single log file is used. When you run your Carbon server with the following configuration, it will use a single access log file (wso2_mdm.log) throughout its entire lifetime.

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
               prefix="wso2_mdm" suffix=".log"
               pattern="combined" rotatable="false" />

Removing the timestamp from current access-log file name & enabling rotation

There might be some scenarios where you need to remove the timestamp from the current access log file name while keeping log rotation enabled. For example, you may need the current access log file to be named "wso2_mdm_.log", and tomorrow have it renamed to "wso2_mdm_2015-05-20.log" while a new "wso2_mdm_.log" file is started. You can do this by setting the renameOnRotate parameter of the AccessLogValve configuration to "true".

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
               prefix="wso2_mdm_" suffix=".log"
               pattern="combined" renameOnRotate="true" />

There are some more configuration changes you can make to alter the default access log behavior. You can find them by referring to the official Tomcat documentation [1].
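For instance, the pattern attribute itself can be customized beyond the built-in "combined" value. The following is a sketch based on Tomcat's AccessLogValve pattern syntax (not a WSO2-specific example): it logs the host, user, timestamp, request line, status, response size, and additionally the request processing time in milliseconds (%D):

```xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
               prefix="wso2_mdm_" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b %D" />
```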



Ajith Vitharana: Access token related issues - WSO2 API Manager

Create an API with the following details.

Name      : StockquoteAPI
Context   : stockquote
Version   : 1.0.0
Endpoint :
Resource : GetQuote
Query      : symbol

1. Invoke with an invalid token.

Client side errors:

401 Unauthorized

 <ams:message>Invalid Credentials</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8</ams:description>

Backend error :

[2015-05-16 22:22:14,630] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
    at org.apache.axis2.engine.AxisEngine.receive(
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Solution: Double check the token.

2. Invoke the API with an invalid token type.

Eg: Invoke the API with an application token, but the resource is allowed only for application user tokens.

Client Errors:

401 Unauthorized

   <ams:message>Incorrect Access Token Type is provided</ams:message>
   <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a</ams:description>

Back end Error:

[2015-05-16 22:29:05,262] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
    at org.apache.axis2.engine.AxisEngine.receive(
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Solution: Edit the API from the Publisher, go to the Manage wizard, and check the authentication type of the resource.

3. Invoke a non-existing API resource.

Client Errors:

403 Forbidden

 <ams:message>No matching resource found in the API for the given request</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a</ams:description>

Back end Error:

[2015-05-16 22:40:00,506] ERROR - APIKeyValidator Could not find matching resource for /GetQuote1?symbol=ibm
[2015-05-16 22:40:00,507] ERROR - APIKeyValidator Could not find matching resource for request
[2015-05-16 22:40:00,508] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /stockquote, version: 1.0.0 with key: lI2XVmmRJ9_B_rbh1rwV7Pg3Pp8a
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
    at org.apache.axis2.engine.AxisEngine.receive(
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Solution: Edit the API from the Publisher (Design wizard) and double-check the resource names.

4. The token was generated without a scope (i.e. with the default scope), but the API resource is configured with a scope.

Client Errors:

403 Forbidden

 <ams:message>The access token does not allow you to access the requested resource</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: 1e1b6aa805d4bfd89b6e36ac48345a</ams:description>

Back end Error:

[2015-05-16 23:08:57,103] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /stockquote, version: 1.0.0 with key: 1e1b6aa805d4bfd89b6e36ac48345a
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
    at org.apache.axis2.engine.AxisEngine.receive(
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Solution: Generate a new token with the required scope(s).
curl -k -d "grant_type=password&username=admin&password=admin&scope=stock" -H "Authorization: Basic THUwUVlFUUIxYVRKY3B6YTIxQnFxa0ZhU1I0YTo0ZE1FRUs3N1k4emZhSU56aVdGbTB1aFNBdjBh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

5. Invoke with expired token.

Client Errors

401 Unauthorized

 <ams:message>Access Token Expired</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: 8d438b49d9b24c752ce2b89c24bc198</ams:description>

Back end error:

[2015-05-17 13:30:50,155] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /stockquote, version: 1.0.0 with key: 8d438b49d9b24c752ce2b89c24bc198
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
    at org.apache.axis2.engine.AxisEngine.receive(
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Solution: Re-generate the token. If it is a user token, you can use the refresh token to generate a new one.

curl -k -d "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

6. The token was generated with a 60-second life span, but the API can still be invoked with that token after 60 seconds.


The default token validity period is 3600 seconds, which is configured in the identity.xml file.
But there is another configuration called "TimestampSkew".
You can find the usage of that configuration here.

According to that description, the token will remain valid until the TimestampSkew has elapsed, even though its configured validity period is shorter than the TimestampSkew.
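To make the arithmetic concrete, here is a rough sketch in plain JavaScript (not WSO2 code; the 300-second skew value and the max() rule are assumptions based on the description above) of why a 60-second token can still validate after 60 seconds:

```javascript
// Assumed rule: a token is treated as usable until the larger of its
// configured validity period and the TimestampSkew has elapsed.
function isTokenValid(issuedAtSec, nowSec, validitySec, timestampSkewSec) {
    var effectiveValiditySec = Math.max(validitySec, timestampSkewSec);
    return (nowSec - issuedAtSec) < effectiveValiditySec;
}

// 60-second token, assumed 300-second skew: still "valid" at t = 120s.
console.log(isTokenValid(0, 120, 60, 300)); // true
console.log(isTokenValid(0, 400, 60, 300)); // false
```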

7. The user can generate an access token, but the application has no subscription to that API.

Client Errors

401 Unauthorized

 <ams:message>Invalid Credentials</ams:message>
 <ams:description>Access failure for API: /stockquote, version: 1.0.0 with key: b31077463e7e7856762234c5d0b599</ams:description>
Back end Error

[2015-05-17 22:32:44,609] ERROR - APIAuthenticationHandler API authentication failure Access failure for API: /stockquote, version: 1.0.0 with key: b31077463e7e7856762234c5d0b599
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(
    at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(
    at org.apache.axis2.engine.AxisEngine.receive(
    at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(
    at org.apache.axis2.transport.base.threads.NativeWorkerPool$
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

Solution: Log in to the Store and subscribe the API to the application.

Shani Ranasinghe: [WSO2-ESB] URI-template encoding in WSO2 ESB for reserved characters

In a recent engagement with the WSO2 ESB, I've come across a situation where WSO2 ESB does not encode some reserved characters when using a URI-template as the endpoint of a GET call.

In this particular instance it was the '&' and the space character that were not getting encoded.

The reason is that the libraries WSO2 ESB uses end up not encoding these characters correctly.

As a solution to this, we can use the Script Mediator in WSO2 ESB. We can read the value in the Script Mediator and encode it correctly using the JavaScript encodeURIComponent method.

An example as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<resource methods="POST">
<log level="full"/>
<property name="uri.var.fullname" expression="//APIRequest/Fullname/text()"/>
<property name="uri.var.address" expression="//APIRequest/HomeAddress/text()"/>
<script language="js">var fullname = mc.getProperty('uri.var.fullname');var homeAddress = mc.getProperty('uri.var.address'); mc.setProperty("uri.var.fullname",encodeURIComponent(fullname)); mc.setProperty("uri.var.address",encodeURIComponent(homeAddress)); </script>
<header name="Content-Type" scope="transport" action="remove"/>
<http method="get"
What is done here is that the API request values have been extracted and stored in properties using the Property Mediator.

Then, using the Script Mediator, we make use of JavaScript to store each value in a variable and encode it with the "encodeURIComponent" method.

Even with "encodeURIComponent", some characters are still not encoded. These include !'()*~.
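The behaviour is easy to verify with plain JavaScript (runnable in any JS engine, independent of the ESB; the sample address string is made up for illustration):

```javascript
// '&' and the space are encoded, which fixes the original problem...
var address = "5 Main St & 2nd Ave (rear)";
console.log(encodeURIComponent(address)); // 5%20Main%20St%20%26%202nd%20Ave%20(rear)

// ...but these characters pass through encodeURIComponent untouched:
var unescaped = "!'()*~";
console.log(encodeURIComponent(unescaped) === unescaped); // true
```

If those remaining characters also need escaping, they have to be replaced manually after calling encodeURIComponent.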


John Mathon: Virtual Virtual Reality, Virtual Anthropomorphic Reality, Virtual Functional Reality, Virtual Extended Reality

Virtual Reality

I categorize virtual reality into four different types.   They are progressively more difficult technologies, but each will progress independently.   VVR, VAR, VFR, and VER represent the four ways VR technology can be used.   VVR is about creating false worlds, artificial computer-generated worlds.  VAR is about transferring ourselves virtually into the real world (telepresence).  VFR is about using VR for functional purposes like building things. VER is about extending our perception to new senses and new environments that require our brains to adapt to these new senses.

VVR – Virtual virtual reality


VVR is like the Matrix: completely made-up worlds for play or learning.

We are seeing goggles that give us a more immersive virtual reality gaming experience coming to market now, specifically Oculus.  So, VVR is happening as we speak.  This was attempted years ago, but the limited capability of the transducers and the vertigo created by the headsets limited their use.  These problems appear to have been mitigated.   Improvements in 3D rendering, display technology and standards for transmission all suggest the possibility of virtual reality becoming mainstream in the next 10 years.

VAR – Virtual anthropomorphic reality

VAR is extending our presence through the network to physical devices whose purpose is to give us and others a human-like experience, creating a life-like proxy in the real world.   Some people call this telepresence.  Another term with an imprecise definition is augmented reality; maybe VAR could be Virtual Augmented Reality.


This market is already vibrant as well.  There are more than a dozen telepresence virtual-reality robot-like devices on the market, ranging in price from $1,000 to $16,000.   With wheels for transport, a large battery for long operation, a camera, audio and a big screen for projecting your face, you can project yourself and move around in a separate location as if you were there.

Recently Oculus purchased Surreal Vision which is allowing them to bring telepresence to Oculus and to paint 3d worlds more realistically.

I have seen these devices at a few companies and at conferences wandering the halls or attending meetings virtually.   Over time I expect that these devices could become more sophisticated, hence the anthropomorphic adjective.


Eventually these devices’ sensory inputs and outputs would reflect more than just audio and visual information.   It may be possible to transmit and receive touch sensations.


These sensations can be fed back to the human as resistance in the movement of body parts, or even transduced as pressure on our senses at a point similar to the robot’s touch.

Eventually smell, temperature, breeze and radiance could be simulated, resulting in a more lifelike experience for the robot controller.  The value of these additional senses is to create a more powerful and complete experience for the VAR subject, but also to provide more realistic feedback to the remote audience that the VAR subject is there experiencing the same things they are.

VFR – Virtual functional reality

VFR is about extending our ability to manipulate and see real world things at a level humans can’t do today either macroscopically (large devices) or microscopically.


Today, examples of VFR include robot doctors, which have been quite successful in enabling doctors to perform surgery remotely. There is no reason to believe such control and dexterity wouldn’t be useful for jobs where the physical presence of a human would be dangerous or difficult.  Construction of large things, space construction, construction in nuclear areas or where there are dangerous infectious agents, or even, as in the case of doctors, bringing in specialists would all be extremely useful.

Also, prostheses are necessary whenever we are controlling devices substantially bigger, heavier, or more remote than ourselves.


This technology requires the ability to translate human movement to robot movement in a more direct, natural way. Such control would require transducing, as life-like as possible, the sensations at the remote location to the VFR worker, and enabling the VFR worker to work as naturally as possible to control the robot on the other side of the VR connection.


The VFR technology could also be extended to the micro world.  Robots inserted into the body may be able to perform operations under human command.


VER – Virtual extended reality (The final frontier)

VER is about extending our physical capabilities beyond their current limits, possibly requiring brain implants or other direct stimulation to translate the new senses to the human brain.



Neural electrode array wrapped onto a model of the brain. The wrapping process occurs spontaneously, driven by dissolution of a thin, supporting base of silk. (C. Conway and J. Rogers, Beckman Institute)


Ultimately brain / Network / Computation connection might allow humans to have instantaneous access to any information in the world ever created and the ability to virtually be connected to anywhere.

Bandwidth Requirements

The bandwidth requirements of all this depend on the resolution required. For an immersive 3D visual field of the quality of real life we might need a bandwidth of 3 gigabits/second. With compression and some smarts I'm guessing we could live with 30-100 megabits/second. Most senses will require orders of magnitude less data. So, it is possible to imagine a completely translocated image of the world in 3D brought to us in realtime, and vice versa to enable others to share in our reality. It wouldn't be cheap, and if it were only visual it wouldn't be complete. Ideally the sense of touch, and physical duplicates that can replicate more than sight and sound, would eventually be needed, but this is not hard to imagine given the technology we have today.


Ten years ago people at home frequently had thousands of bits/second, and data communication over phones or wireless was practically nonexistent; if you had it, it was very slow, at hundreds of bits/second. Ten years later, fourth-generation (LTE) cell service is common, allowing communication at tens of millions of bits/second over wireless, and many homes have hundreds of millions of bits/second.

We are talking about a 10,000-fold increase in communication throughput in 10 years. I am frankly shocked this was possible. Shannon showed in 1948 that there are theoretical limits to the amount of data one can transmit over a given bandwidth. Today's cell phones seem to break these laws (they don't, but they come close). They achieve these amazing feats by combining data from multiple antennas with mathematically complex calculations. Cell phones are able to do what should be impossible: transmit and receive tens of millions of bits of data to each individual portable device over the open air, with thousands of other devices in the same vicinity doing the same thing.

What if we could do this again and get another 10,000-fold increase in bandwidth? One question is what the use of 10,000 times the performance we have today would be. Such a level of performance seems mind-boggling and unnecessary. It may be impossible to achieve wirelessly, but wired communications could easily see such increases.
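As a rough sanity check on these figures (the channel parameters below are illustrative assumptions, not from this post), the Shannon-Hartley theorem gives the capacity limit C = B·log2(1 + SNR), and a 10,000-fold improvement over 10 years corresponds to roughly a 2.5x gain every year:

```javascript
// Shannon-Hartley capacity: C = B * log2(1 + SNR)
// bandwidthHz in Hz, snrDb in decibels (converted to a linear ratio first).
function shannonCapacity(bandwidthHz, snrDb) {
  const snrLinear = Math.pow(10, snrDb / 10);
  return bandwidthHz * Math.log2(1 + snrLinear); // bits per second
}

// Illustrative: a 20 MHz channel at 30 dB SNR tops out near 200 Mbit/s,
// the same order of magnitude as the LTE rates mentioned above.
const capacity = shannonCapacity(20e6, 30);

// A 10,000x improvement spread over 10 years is a compound annual factor:
const annualFactor = Math.pow(10000, 1 / 10); // roughly 2.5x per year
```

This is only a back-of-the-envelope sketch; real LTE links use multiple antennas (MIMO), so their aggregate rates can exceed the single-channel figure computed here.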

The only purpose of such communication bandwidth for the average person could be virtual reality. If I could create a 3D impression of a distant place here, at a realistic enough level, I may not need to travel to X to experience X. I believe the technology to deliver this bandwidth is going to happen; it may take 10 or 20 years, but it will happen.

There are other purposes. We could have more immersive, higher-realism streaming movies or more impressive gaming. Some have suggested car-to-car communication could soak up some of that bandwidth. I believe these will happen too, but VR is the most impactful and disruptive technology.


The continued acceleration and improvement of bandwidth makes it possible to do more and more over virtual connections rather than physical ones. Today you can buy a device for a few thousand dollars that rolls around with your face on a screen. The device is cute and allows you to be someplace else virtually. You can control the remote robot with a joystick and run into people in the hall, or come up to them at their desk and talk to them.

It's not hard to imagine these devices becoming more and more anthropomorphic. If the remote "me" were connected in such a way that I could control it simply by moving my body the way I normally would, then I could become more and more virtual. Technology that Stephen Hawking uses today allows him to communicate through an infrared sensor mounted on his eyeglasses. Neuroscientists are working with Stephen on a direct brain-wave connection.

While a physical suit as depicted in the pictures above could be used to translate movement into motion for remote robots, technology such as the MYO armband allows you to translate arm gestures into real-world action.

Or for a direct brain control device:  New advances in brain control

There is no doubt this technology will transform the way we communicate, attend meetings, do work and even expand our ability to perform in new work environments.

We can see the utility of this in some of the technology being adopted today but I believe that over the next 5-10 years this technology will become more and more mainstream.

Madhuka UdanthaGoogle Chart with AngularJS

Google Charts provides many chart types that are useful for data visualization. Charts are highly interactive and expose events that let you connect them to create complex dashboards. Charts are rendered using HTML5/SVG technology to provide cross-browser compatibility. All chart types are populated with data using the DataTable class, making it easy to switch between chart types. A Google chart has five main elements:

  • Type
  • Data (the data format differs slightly for some charts, but the basic format is the same)
  • CSS style
  • Options, which hold the chart title, axis labels, etc.
  • Formatters, which control color, date, and number formats

Here I am going to use one data set and switch between chart types.
The data has columns and rows (the first element of each row is the label).

 = {"cols": [
    {id: "month", label: "Month", type: "string"},
    {id: "usa-id", label: "USA", type: "number"},
    {id: "uk-id", label: "UK", type: "number"},
    {id: "asia-id", label: "Asia", type: "number"},
    {id: "other-id", label: "Other", type: "number"}
], "rows": [
    {c: [
        {v: "January"},
        {v: 22, f: "22 Visitors from USA"},
        {v: 12, f: "Only 12 Visitors from UK"},
        {v: 15, f: "15 Asian Visitors"},
        {v: 14, f: "14 Others"}
    ]},
    {c: [
        {v: "February"},
        {v: 14},
        {v: 33, f: "Marketing has happened"},
        {v: 28},
        {v: 6}
    ]},
    {c: [
        {v: "March"},
        {v: 22},
        {v: 8, f: "UK vacation"},
        {v: 11},
        {v: 0}
    ]}
]};

First we need to add the Google Chart package to the Angular project, and then reference it from the HTML file.

1. Add "angular-google-chart": "~0.0.11" to the "dependencies" section of package.json.

2. Add the ‘ng-google-chart.js’ file to the HTML page, and define a “div” for the chart:

<script src="../node_modules/angular-google-chart/ng-google-chart.js"></script>

<div google-chart chart="chart" style="{{chart.cssStyle}}"></div>

3. Build the Controller

angular.module('google-chart-example', ['googlechart']).controller("ChartCtrl", function ($scope) {
    var chart1 = {};
    chart1.type = "BarChart";
    chart1.cssStyle = "height:400px; width:600px;";
    // uses the data set shown in the script above = {"cols": [
        // labels and types
    ], "rows": [
        // names and values
    ]};
    chart1.options = {
        "title": "Website Visitors per month",
        "isStacked": "true",
        "fill": 20,
        "displayExactValues": true,
        "vAxis": {
            "title": "Visit Count", "gridlines": {"count": 6}
        },
        "hAxis": {
            "title": "Date"
        }
    };
    chart1.formatters = {};
    $scope.chart = chart1;
});

4. Let's add a few buttons for switching charts.

<button ng-click="switch('ColumnChart')">ColumnChart</button>
<button ng-click="switch('BarChart')">BarChart</button>
<button ng-click="switch('AreaChart')">AreaChart</button>
<button ng-click="switch('PieChart')">PieChart</button>
<button ng-click="switch('LineChart')">LineChart</button>
<button ng-click="switch('CandlestickChart')">CandlestickChart</button>
<button ng-click="switch('Table')">Table</button>

5. Now add the functions that do the axis transformation and chart switching.

$scope.switch = function (chartType) {
    $scope.chart.type = chartType;
    AxisTransform();
};

var AxisTransform = function () {
    var tempvAxis = $scope.chart.options.vAxis;
    var temphAxis = $scope.chart.options.hAxis;
    $scope.chart.options.vAxis = temphAxis;
    $scope.chart.options.hAxis = tempvAxis;
};
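The axis swap runs on every switch, even into axis-less types such as PieChart or Table. A minimal, self-contained sketch (the function and variable names here are my own, not from the post) that only swaps when the orientation actually changes, i.e. when moving between the horizontal BarChart and a vertical chart type:

```javascript
// BarChart is the only horizontal type among the buttons above; swap the
// axis options only when the rendering orientation actually flips.
function switchChart(chart, newType) {
  var horizontal = { BarChart: true };
  if (!!horizontal[chart.type] !== !!horizontal[newType]) {
    var tmp = chart.options.vAxis;
    chart.options.vAxis = chart.options.hAxis;
    chart.options.hAxis = tmp;
  }
  chart.type = newType;
  return chart;
}
```

For example, switching from ColumnChart to LineChart leaves the axis titles alone, while switching to BarChart swaps "Visit Count" onto the horizontal axis.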

6. Here we go!!!



sanjeewa malalgodaHow to use Authorization code grant type (Oauth 2.0) with WSO2 API Manager 1.8.0

1. Create an API in the WSO2 API Manager publisher and create an application in the API store. When you create the application, give a callback URL such as http://localhost:9764/playground2/oauth2client
Since I'm running the playground2 application in Application Server with port offset 1, I used the above address, but you are free to use any URL.

2. Paste the following into the browser, with your value set for client_id:

Sample URL:
https://localhost:9443/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL

Exact command:

3. Then it will return something like this. Copy the authorization code from:
Response from step 02:

4. Get the access token and ID token as follows.

Sample command:
curl -v -X POST --basic -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "client_id=YOUR_CLIENT_ID&grant_type=authorization_code&code=YOUR_AUTHORIZATION_CODE&redirect_uri=https://localhost/callback" https://localhost:9443/oauth2/token

Exact command:
curl -v -X POST --basic -u O2OkOAfBQlicQeq5ERgE7Wh4zeka:Eke1MtuQCHj1dhM6jKsIdxsqR7Ea -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "client_id=O2OkOAfBQlicQeq5ERgE7Wh4zeka&grant_type=authorization_code&code=e1934548d0a0883dd5734e24412310&redirect_uri=http://localhost:9764/playground2/oauth2client" http://localhost:8280/token

Response from step 04:

5. Now call your API with the access token from step-4

curl -k -H "Authorization: Bearer 2de7da7e3822cf75fd7983cfe1337ec"

Lakmal WarusawithanaConfigure Apache Stratos with Docker, CoreOS, Flannel and Kubernetes on EC2

Docker, CoreOS, Flannel and Kubernetes are recent cloud technologies that have been integrated into Apache Stratos to make it a more scalable and flexible PaaS, thereby enabling developers/devops to build their cloud applications with ease.

This post will focus on how you can create a Kubernetes cluster using CoreOS and Flannel on top of EC2. The latter part will discuss how you can create an application using Docker-based cartridges.

Setting up CoreOS, Flannel and Kubernetes on EC2

This section will cover how to create an elastic Kubernetes cluster with 3 worker nodes and a master.

I have followed [1]; this also includes workarounds I used to overcome some issues that arose during my testing.

First of all, we need to set up some supporting tools.

Install and configure kubectl

Kubectl is a client command-line tool provided by the Kubernetes team to monitor and manage a Kubernetes cluster. Since I am using a Mac, the steps below set it up on a Mac, but you can find details for setting it up on other OSs at [2].

chmod +x kubectl
mv kubectl /usr/local/bin/

Install and configure AWS Command Line Interface

The steps below are for setting up on a Mac. For more information please see [3].
sudo python
sudo pip install awscli

If you encounter any issues, the following commands may help resolve them:

sudo pip uninstall six
sudo pip install --upgrade python-heatclient

Create the Kubernetes Security Group

aws ec2 create-security-group --group-name kubernetes --description "Kubernetes Security Group"

aws ec2 authorize-security-group-ingress --group-name kubernetes --protocol tcp --port 22 --cidr

aws ec2 authorize-security-group-ingress --group-name kubernetes --protocol tcp --port 80 --cidr

aws ec2 authorize-security-group-ingress --group-name kubernetes --protocol tcp --port 4500 --cidr

aws ec2 authorize-security-group-ingress --group-name kubernetes --source-security-group-name kubernetes

Save the master and node cloud-configs

Launch the master

Attention: Replace <ami_image_id> below with a suitable version of the CoreOS image for AWS. I recommend using the CoreOS alpha channel ami_image_id (ami-f7a5fec7), because I faced many issues with the other channels' AMIs (at the time I tested).

aws ec2 run-instances --image-id <ami_image_id> --key-name <keypair> \
--region us-west-2 --security-groups kubernetes --instance-type m3.medium \
--user-data file://master.yaml

Record the InstanceId for the master.

Gather the public and private IPs for the master node:
aws ec2 describe-instances --instance-id <instance-id>
   "Reservations": [
           "Instances": [
                   "PublicDnsName": "",
                   "RootDeviceType": "ebs",
                   "State": {
                       "Code": 16,
                       "Name": "running"
                   "PublicIpAddress": "",
                   "PrivateIpAddress": "",

Update the node.yaml cloud-config

Edit node.yaml and replace all instances of <master-private-ip> with the private IP address of the master node.

Launch 3 worker nodes

Attention: Replace <ami_image_id> below with a suitable version of the CoreOS image for AWS. I recommend using the same ami_image_id used for the master.

aws ec2 run-instances --count 3 --image-id <ami_image_id> --key-name <keypair> \
--region us-west-2 --security-groups kubernetes --instance-type m3.medium \
--user-data file://node.yaml

Configure the kubectl SSH tunnel

This command enables secure communication between the kubectl client and the Kubernetes API.

ssh -i key-file -f -nNT -L 8080: core@<master-public-ip>

Listing worker nodes

Once the worker instances have fully booted, they will be automatically registered with the Kubernetes API server by the kube-register service running on the master node. This may take a few minutes.

kubectl get minions

Now you have successfully installed and configured a Kubernetes cluster with 3 worker nodes (minions). If you want to try out more Kubernetes samples, please refer to [4].

Let's set up Stratos now.

Configure Apache Stratos

I recommend configuring Stratos on a separate EC2 instance. Create an m3.medium instance from an Ubuntu 14.04 AMI (I have used ami-29ebb519). Also make sure you have opened the following ports in the security group used: 9443, 1883, 7711.

SSH into the created instance and follow the steps below to set up Stratos.

  1. Download Stratos binary distribution ( ) and unzip it. This folder will be referred as <STRATOS-HOME> for later reference.
  2. This can be done using any of the following methods:
    • Method 1 - Download the Stratos binary distribution from the Apache Download Mirrors and unzip it. As of today (09/02/2015) the Stratos 4.1.0 GA release is not available, so I recommend using method 2 with the master branch until the GA release is out.
    • Method 2 - Build the Stratos source to obtain the binary distribution and unzip it.
      1. git checkout tags/4.1.0-beta-kubernetes-v3
      2. Build Stratos using Maven.
      3. Navigate to the stratos/ directory, which is within the directory that you checked out the source:
        cd <STRATOS-SOURCE-HOME>/  
      4. Use Maven to build the source:
        mvn clean install
      5. Obtain the Stratos binary distribution from the <STRATOS-SOURCE-HOME>/products/stratos/modules/distribution/target/ directory and unzip it.
  3. Start ActiveMQ:
    • Download and unzip ActiveMQ.
    • Navigate to the <ACTIVEMQ-HOME>/bin/ directory, which is in the unzipped ActiveMQ distribution.
    • Run the following command to start ActiveMQ.
    • ./activemq start
  4. Start Stratos server:
    • bash <STRATOS-HOME>/bin/ start

If you wish you can tail the log and verify Stratos server is starting without any issues:
tail -f <STRATOS-HOME>/repository/logs/wso2carbon.log

Try our Stratos,kubernetes sample

Apache Stratos samples are located at following folder in git repo.


Here I will use a simple sample called the “single-cartridge” application, which is in the applications folder. First you have to change the Kubernetes cluster information to match the setup you created.

Edit <STRATOS-SOURCE-HOME>/samples/applications/single-cartridge/artifacts/kubernetes/kubernetes-cluster-1.json and change the following highlighted values to suit your environment.

{
   "clusterId": "kubernetes-cluster-1",
   "description": "Kubernetes CoreOS cluster",
   "kubernetesMaster": {
      "hostId": "KubHostMaster1",
      "hostname": "",
      "privateIPAddress": "Kube Master Private IP Address",
      "hostIpAddress": "Kube Master Public IP Address",
      "property": []
   },
   "portRange": {
      "upper": "5000",
      "lower": "4500"
   },
   "kubernetesHosts": [
      {
         "hostId": "KubHostSlave1",
         "hostname": "",
         "privateIPAddress": "Kube Minion1 Private IP Address",
         "hostIpAddress": "Kube Minion1 Public IP Address",
         "property": []
      },
      {
         "hostId": "KubHostSlave2",
         "hostname": "",
         "privateIPAddress": "Kube Minion 2 Private IP Address",
         "hostIpAddress": "Kube Minion 2 Public IP Address",
         "property": []
      },
      {
         "hostId": "KubHostSlave3",
         "hostname": "",
         "privateIPAddress": "Kube Minion 3 Private IP Address",
         "hostIpAddress": "Kube Minion 3 Public IP Address",
         "property": []
      }
   ],
   "property": [
      {"value": "Apache Stratos instance Public IP Address"},
      {"value": "Apache Stratos instance Public IP Address"}
   ]
}
To speed up the sample experience you can log in to all 3 minions and pull the Docker image we are going to use in the sample. This step is not mandatory, but it helps to cache the Docker image on the configured minions.

docker pull stratos/php:4.1.0-beta

core@ip-10-214-156-131 ~ $ docker images
REPOSITORY                      TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
stratos/php                     4.1.0-beta          f761a71b087b        18 hours ago        418 MB

You can just run the automated sample script, located at:


You can use kubectl commands from your local machine (over the SSH tunnel) to view the pods created in the Kubernetes cluster.

kubectl get pods

Lakmals-MacBook-Pro:ec2-kubernetes lakmal$ kubectl get pods
POD                                    IP                  CONTAINER(S)                                          IMAGE(S)                 HOST                LABELS                                                     STATUS
8b60e29c-b1d1-11e4-8bbb-22000adc133a        php1-php-domain338c238a-4856-4f00-b881-19aecda74cf7   stratos/php:4.1.0-beta     name=php1-php-domain338c238a-4856-4f00-b881-19aecda74cf7   Running

Point your browser to https://<Stratos-Instance-IP>:9443/console and log in as admin:admin, which is the default.


Dedunu DhananjayaIMAP Java Test program and JMeter Script

One of my colleagues wanted to write a JMeter script to test IMAP, but the code failed, so I got involved as well. JMeter's BeanShell uses Java in the backend. First I tried with a Maven project, and finally I managed to write code that lists the IMAP folders. The Java implementation is shown below.

Then we wrote code to print the IMAP folder count in a JMeter BeanShell script. The code is shown below.

Complete Maven project is available on GitHub -

Dedunu DhananjayaIncrease memory and CPUs on Vagrant Virtual Machines

In the last post I showed how to create multiple nodes in a single Vagrant project. The "ubuntu/trusty64" box usually comes with 500MB of RAM, but some developers need more RAM and more CPUs. In this post I'm going to show how to increase the memory and the number of CPUs in a Vagrant project. Run the commands below:

mkdir testProject1
cd testProject1
vagrant init
Then edit the Vagrantfile like below.
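The embedded snippet is missing from this page; below is a hypothetical sketch of what such a Vagrantfile change looks like for the VirtualBox provider, with values taken from the description that follows (8GB of RAM and one extra core):

```ruby
Vagrant.configure("2") do |config| = "ubuntu/trusty64"
  config.vm.provider "virtualbox" do |vb|
    vb.memory = 8192  # 8 GB of RAM instead of the default ~500 MB
    vb.cpus   = 2     # one more core than the single-core default
  end
end
```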

The above changes will increase the memory to 8GB and add one more core. Run the commands below to start the Vagrant machine and get SSH access.

vagrant up
vagrant ssh
If you have an existing project, you just have to add these lines; when you restart the project, the memory will be increased.

Dedunu DhananjayaMultiple nodes on Vagrant

Recently I started working with Vagrant. Vagrant is a good tool that you can use for development. In this post I'm going to explain how to create multiple nodes in a Vagrant project.
mkdir testProject
cd testProject
vagrant init

If you run the above commands, Vagrant will create a project for you. Now we have to change the Vagrantfile. Your initial Vagrantfile will look like below.

You have to edit the Vagrantfile and add content like below.

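The embedded Vagrantfile is missing from this page; here is a hypothetical sketch of a three-node definition (the node names master and slave1 come from the commands below; slave2 is my assumption for the third node):

```ruby
Vagrant.configure("2") do |config| = "ubuntu/trusty64"

  # Define three nodes; `vagrant up` boots them all,
  # and `vagrant ssh <name>` connects to a specific one.
  ["master", "slave1", "slave2"].each do |name|
    config.vm.define name do |node|
      node.vm.hostname = name
    end
  end
end
```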
The above sample Vagrantfile will create three nodes. Now run the command below to start the Vagrant virtual machines.

vagrant up

If you followed the instructions properly, you will get an output like below.

If you want to connect to the master node, run the command below.

vagrant ssh master
If you want to connect to the slave1 node, run the command below.

vagrant ssh slave1
Whichever machine you want to connect to, you just have to type vagrant ssh <machine-name>. Hope this helps!

Chathurika Erandi De SilvaTesting NTLM Grant Type with API Manager

In this post I will discuss testing the NTLM grant type in API Manager. You will need the following to get this working:


1. WSO2 API Manager latest version
2. Windows 2008 machine (should have java and ant configured)
3. Active directory setup

Let me first explain a bit about NTLM before going into the details.

NTLM: Windows challenge / response

This is an interactive authentication process that involves three-way communication between a client, a server, and a domain controller.

The following diagram describes the process at a high level.

Figure1: NTLM authentication in a high level

More information can be found in Microsoft NTLM

API Manager relevance of NTLM

Here, the following components come together to make the authentication process a success:

1. API Manager: Server
2. Client : Some sort of API invoker
3. Domain controller: Active Directory

The steps of NTLM authentication with regard to API Manager can be described as follows:

1. The client generates a hash of the user's password.
2. The client sends the username to the server.
3. The server generates a random 16-byte challenge and sends it to the client.
4. The client encrypts the challenge with its password hash and sends the result to the server.
5. The server sends the username, the challenge it sent to the client, and the client's response to the domain controller.
6. The domain controller obtains the user's password from its database, calculates the hash of the password, uses it to encrypt the challenge, and checks whether the received encrypted value matches what it calculated. If so, the authentication is successful.

Then the client can establish the communication to the server.

Testing the NTLM Grant Type in API Manager

Setting up NTLM in Windows

First of all we have to configure NTLM in the Windows environment. To do that, follow the steps below:

1. Use the windows environment given in the preconditions
2. Go to Administrative tools and select Local Security Policies
3. On the left panel, expand Local Policies and select Security Options to display a list of security policies. Right-click on LAN Manager authentication level and click Properties to display the Properties screen.

Figure 2: Configuring NTLM

 4. Select "Send LM and NTLM responses" from the properties drop-down

Now the NTLM is configured.

Setting up the API Manager

1. Unzip the API Manager distribution
2. Configure API Manager to use Active Directory as the user store (read more on configuring Active Directory for API Manager)
3. Go to <API Manager Home>/samples/NTLMGrantClient
4. Configure the build file as instructed
5. Run the build file

When run, the relevant source code, acting as the client, will authenticate using NTLM and then generate an access token for the API. The API can then be successfully invoked using this access token.

Kalpa Welivitigoda/home when moving from Ubuntu to Fedora

After using Ubuntu (13.10) for almost one year I decided to move back to Fedora (Fedora 21). This is a short post about my experience mounting the same /home I used in Ubuntu on Fedora.

I had a separate partition for /home in Ubuntu, which I needed mounted as /home in Fedora as well. In Anaconda (the Fedora installer) I chose to configure the partitions manually. The manual partitioning window listed all the partitions I had under Ubuntu (it was smart enough to list them under the label "Ubuntu 13.10"). I mounted the / of Ubuntu, with re-formatting, to be the same in Fedora, and I mounted the same /home from Ubuntu to be /home in Fedora. /home was then listed under both "New Fedora 21 Installation" and "Ubuntu 13.10", and I proceeded. During the installation I created the same user ("kalpa") that was there in Ubuntu. The "user creation" phase of the installation took a considerable amount of time; this is to set the file permissions for the new user, and the time taken may vary based on the number of files in /home. The rest of the installation went smoothly, and I have had no issue with /home so far using Fedora 21.

Prabath SiriwardenaTwo Security Patches Issued Publicly for WSO2 Identity Server 5.0.0

Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab contacted the WSO2 security team on the 19th of March and reported the following three vulnerabilities in WSO2 Identity Server 5.0.0.

1) Reflected cross-site scripting (XSS, IDENTITY-3280)

Some components of the WSO2 Identity Server are vulnerable to reflected cross-site scripting vulnerabilities. The effect of this attack is minimal because WSO2 Identity Server does not expose cookies to JavaScript.

2) Cross-site request forgery (CSRF, IDENTITY-3280)

On at least one web page, CSRF protection has not been implemented. An attacker on the internet could lure a victim who is logged in to the Identity Server administration web interface to a web page containing, e.g., a manipulated tag. The attacker is then able to add arbitrary users to the Identity Server.

3) XML external entity injection (XXE, IDENTITY-3192)

An unauthenticated attacker can use the SAML authentication interface to inject arbitrary external XML entities. This allows an attacker to read arbitrary local files. Moreover, since the XML entity resolver allows remote URLs, this vulnerability may allow firewall rules to be bypassed and further attacks to be conducted on internal hosts. This vulnerability was found before being reported by Wolfgang Ettlinger, and all our customers were patched, but the corresponding patch was not issued publicly. Also, this attack is not as harmful as it sounds, since in all our production deployments WSO2 Identity Server runs as a less-privileged process, which cannot be exploited to gain access to arbitrary local files.

The WSO2 security team treats all vulnerabilities reported to it as top priority. We contacted the reporter immediately and started working on the fix. The fixes were made to the reported components immediately, but we wanted to make sure we built a generic solution in which all possible XSS and CSRF attacks are mitigated centrally.

Once that solution was implemented as a patch for Identity Server 5.0.0, we tested the complete product using OWASP Zed Attack Proxy and CSRFTester. After testing almost all the Identity Server functionality with the patch, we released it to all our customers two weeks prior to the public disclosure date. The patch for XXE was released a few months back. Also I would like to confirm that none of the WSO2 customers were exploited/attacked using any of these vulnerabilities.

On 13th May, parallel to the public disclosure, we released both the security patches publicly. You can download following patches from
  • WSO2-CARBON-PATCH-4.2.0-1194 
  • WSO2-CARBON-PATCH-4.2.0-1095 
    WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab for responsibly reporting the identified issues and working with us as we addressed them. At the same time, we are disappointed with the over-exaggerated article published on Threatpost. The article was not brought to the attention of the WSO2 security team before being published, although the WSO2 security team responded immediately over email to the reporter's query. Anyway, we are fully aware that such reports are unavoidable and not under our control.

    The WSO2 security team is dedicated to protecting all its customers and the larger community around WSO2 from all sorts of security vulnerabilities. We appreciate your collaboration; please report any security issues you discover related to WSO2 products to

Lali DevamanthriStandardized Service Contract?

The SOA architectural style is fundamentally about separation: establishing smaller, separate units of capability that create a more agile application and infrastructure environment. Most of the core SOA principles, such as loose coupling, abstraction, and virtualization, depend upon the existence of a contract.

The concept of service contract appears in various guises at different points in both the software process and the service lifecycle. Contractual mechanisms are needed to:

  • specify the service that will be provided to the consumer regardless of how the service is implemented
  • specify constraints on how the service is to be implemented
  • specify the commercial terms and associated logistics that govern the way in which the service is provided and used.

A contract implies rights and obligations, and not all the obligations fall on the provider of the service: the server offers a service provided that the client respects the conditions for calling it, and not only from a syntactic point of view. For example, you could have a service implemented with some limitations in terms of enterprise capabilities (availability, throughput, response time, security, …) for any valid reason (cost, time, resources, …). If a client needs the same service under different conditions (for example 24×7), this has an impact on the implementation and should be paid for by the client. The server should check the preconditions before trying to execute the service.

MBA expert advice in this matter is:

Technology-wise, how maintenance, upgrades, and the associated downtime (and to which part of the business/systems they apply) will be handled.

Business-wise, exit strategy (e.g. supplier change, bankrupt, takeover), how will this be handled by both parties.

Anyway, there is no standard for the specification of SLAs. The most referenced and complete specifications that relate to SLAs for SOA environments, and in particular web services, are the Web Service Level Agreement (WSLA) language and framework and the Web Services Agreement Specification (WS-Agreement).
The WSLA is a specification and reference implementation developed by IBM that provides detailed SLA specification capabilities, enabling runtime monitoring of SLA compliance.

Madhuka Udantha: Grammar induction

A few days ago I was working on pattern mining over huge files and came across millions of patterns (of lengths ranging from 2 to 150). Now I am looking into regex-generation algorithms and came across 'grammar induction', which we knew something about from university days. But it is much more fun to do now.

Grammar induction

Grammar induction, also known as grammatical inference or syntactic pattern recognition, refers to the process in machine learning of learning a formal grammar (usually as a collection of re-write rules or productions, or alternatively as a finite state machine or automaton). There is now a rich literature on learning different types of grammars and automata, under various learning models and using various methodologies. So researchers need to go back to the books and read them.

Grammatical inference[1] has often focused on the problem of learning finite state machines of various types (induction of regular languages), since efficient algorithms for this problem have existed since the 1980s. A more recent textbook is de la Higuera (2010)[1], which covers the theory of grammatical inference of regular languages and finite state automata. More recently, these approaches have been extended to the inference of context-free grammars and richer formalisms, such as multiple context-free grammars and parallel multiple context-free grammars. Other classes of grammars for which grammatical inference has been studied are contextual grammars and pattern languages. Here is a summary of the topic:

  • Grammatical inference by genetic algorithms[2]
  • Grammatical inference by greedy algorithms
    • Context-free grammar generating algorithms
      • Lempel-Ziv-Welch algorithm[3]
      • Sequitur
  • Distributional Learning algorithms
    • Context-free grammars languages
    • Mildly context-sensitive languages

Induction of regular languages
Induction of regular languages refers to the task of learning a formal description (e.g. grammar) of a regular language from a given set of example strings. Language identification in the limit[4] is a formal model for inductive inference. A regular language is defined as a (finite or infinite) set of strings that can be described by one of the mathematical formalisms called "finite automaton", "regular grammar", or "regular expression", all of which have the same expressive power. A regular expression can be

  • ∅ (denoting the empty set of strings),
  • ε (denoting the singleton set containing just the empty string),
  • a (where a is any character in Σ; denoting the singleton set just containing the single-character string a),
  • r+s (where r and s are, in turn, simpler regular expressions; denoting their set's union)
  • rs (denoting the set of all possible concatenations of strings from r 's and s 's set),
  • r+ (denoting the set of n-fold repetitions of strings from r 's set, for any n≥1), or
  • r* (similarly denoting the set of n-fold repetitions, but also including the empty string, seen as 0-fold repetition).
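The formal operators above map directly onto the syntax of practical regex engines; here is a small sketch of that correspondence using Python's re module (my own illustration):

```python
import re

# Mapping the formal operators to Python's re syntax:
#   r+s (union)         ->  r|s
#   rs  (concatenation) ->  rs
#   r+  (>= 1 repeats)  ->  r+
#   r*  (>= 0 repeats)  ->  r*
pattern = re.compile(r"(ab|c)+")     # union of "ab" and "c", repeated one or more times
assert pattern.fullmatch("abcab") is not None
assert pattern.fullmatch("") is None              # r+ excludes the empty string
assert re.fullmatch(r"(ab|c)*", "") is not None   # r* includes it (0-fold repetition)
```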

The largest and the smallest sets containing the given strings are called the trivial overgeneralization and the trivial undergeneralization, respectively.

Brill[5] defined reduced regular expressions:

  • a (where a is any character in Σ; denoting the singleton set just containing the single-character string a),
  • ¬a (denoting any other single character in Σ except a),
  • • (denoting any single character in Σ)
  • a*, (¬a)*, or •* (denoting arbitrarily many, possibly zero, repetitions of characters from the set of a, ¬a, or •, respectively), or
  • rs (where r and s are, in turn, simpler reduced regular expressions; denoting the set of all possible concatenations of strings from r 's and s 's set).
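A minimal sketch (my own illustration, not Brill's implementation) of how the single-character atoms a, ¬a, and • can be matched, with "~a" standing in for ¬a and "." for •:

```python
def atom_matches(atom: str, ch: str) -> bool:
    if atom == ".":            # "." : any single character in the alphabet
        return True
    if atom.startswith("~"):   # "~a" : any single character except a
        return ch != atom[1]
    return ch == atom          # "a" : exactly that character

def matches(atoms: list, s: str) -> bool:
    """Match a concatenation of single-character atoms against the string s."""
    return len(atoms) == len(s) and all(atom_matches(a, c) for a, c in zip(atoms, s))

assert matches(["c", "~a", "t"], "cot")       # c ¬a t accepts "cot"
assert not matches(["c", "~a", "t"], "cat")   # ... but rejects "cat"
```

Adding the starred forms a*, (¬a)*, and •* would turn this into a full matcher for the class above.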

Given an input set of strings, Brill builds, step by step, a tree with each branch labeled by a reduced regular expression accepting a prefix of some input strings, and each node labeled with the set of lengths of accepted prefixes[5]. He aims at learning correction rules for English spelling errors, rather than at theoretical considerations about the learnability of language classes. Consequently, he uses heuristics to prune the tree build-up, leading to a considerable improvement in run time.

[1] de la Higuera, Colin (2010). Grammatical Inference: Learning Automata and Grammars. Cambridge: Cambridge University Press.

[2] Dupont, Pierre. "Regular grammatical inference from positive and negative samples by genetic search: the GIG method." Grammatical Inference and Applications. Springer Berlin Heidelberg, 1994. 236-245.

[3] Batista, Leonardo Vidal, and Moab Mariz Meira. "Texture classification using the Lempel-Ziv-Welch algorithm." Advances in Artificial Intelligence–SBIA 2004. Springer Berlin Heidelberg, 2004. 444-453.

[4] Gold, E. Mark (1967). "Language identification in the limit". Information and Control 10 (5): 447–474.

[5] Eric Brill (2000). "Pattern–Based Disambiguation for Natural Language Processing". Proc. EMNLP/VLC

Sagara Gunathunga: Timeout and Circuit Breaker Pattern in WSO2 Way

When we develop enterprise-scale software systems it is hard to avoid mistakes; sometimes these mistakes teach us very important lessons about how to avoid the same mistake again and how to craft software in a much better way. Experienced developers recognize these repetitive solutions and formalize them as design patterns, and sometimes we practice these patterns without knowing it. In this post I describe two design patterns, 'Timeout' and 'Circuit Breaker', and how they are used in the WSO2 stack, especially within WSO2 ESB.

Timeout Design Pattern 

The Timeout pattern is not new; it has been used widely since the early days of computing and networking. The basic idea is that when one system communicates with another, it should not wait infinitely to receive messages; instead, after waiting for a pre-defined interval, it should release its resources and assume that the other party cannot communicate at this time.

- Timeout improves fault isolation, which is a very important factor in preventing failures of one system from propagating into another.

- Timeout also helps to manage and use system resources properly; since the caller will not wait infinitely, it is possible to release expensive resources such as DB transactions, network connections, etc.

- Timeout is one way to achieve another important design principle called "Fail Fast": if a transaction/activity can't complete, the system should notify the caller or throw a suitable error as early as possible.
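Outside the ESB, the same idea can be sketched in a few lines (illustrative only; the host, port, protocol, and the 0.2 s limit are assumptions): bound the wait on a remote call and fail fast instead of blocking forever.

```python
import socket

def call_with_timeout(host: str, port: int, timeout_seconds: float = 0.2) -> bytes:
    try:
        with socket.create_connection((host, port), timeout=timeout_seconds) as conn:
            conn.settimeout(timeout_seconds)  # bound each read, not only the connect
            conn.sendall(b"ping\n")
            return conn.recv(1024)
    except socket.timeout:
        # Fail fast: the connection is released and the error surfaces immediately,
        # instead of the caller holding resources while it waits indefinitely.
        raise RuntimeError(f"{host}:{port} did not respond within {timeout_seconds}s")
```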

    Now let's look at how the Timeout design pattern is implemented in WSO2 ESB. In WSO2 ESB, external systems are represented as "Endpoints"; these Endpoints encapsulate access URIs, QoS policies, and the availability of external systems.

    In the ESB configuration language, the <timeout> element is used to configure timeout settings. The most important properties are given below.
    • duration - the time duration after which the timeout is triggered.
    • responseAction - what the ESB should do with the current message once the timeout is exceeded. There are two possible values:
      1. discard - simply discard the current message.
      2. fault - redirect the current message to the immediate fault sequence.

    As an example, during the fault sequence one can persist those messages temporarily and try to deliver them once the remote system is alive again; WSO2 ESB supports an out-of-the-box concept called store-and-forward for this.
    Example Timeout Configuration

     <endpoint name="TimeoutEP">
       <address uri="http://localhost:9764/CalculatorService-war_1.0.0/services/calculator_service/call">
         <timeout>
           <duration>200</duration>
           <responseAction>fault</responseAction>
         </timeout>
       </address>
     </endpoint>
    In this sample, we try to call a RESTful endpoint available at the http://localhost:9764/CalculatorService-war_1.0.0/services/calculator_service/call URL, and the timeout value is set to 200 ms; once this limit is exceeded, messages will be re-routed to the error-handling sequence.

    Below is an ESB REST API which calls the above endpoint. In this sample, once the timeout is exceeded, the client is notified with an error message.

     <api name="CalAPI" context="/cal">
       <resource methods="GET">
         <inSequence>
           <send>
             <endpoint key="TimeoutEP"/>
           </send>
         </inSequence>
         <faultSequence>
           <header name="To" action="remove"/>
           <property name="RESPONSE" value="true"/>
           <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
           <log level="full"/>
           <payloadFactory media-type="xml">
             <format>
               <ns:MyResponse xmlns:ns="http://services.samples">
                 <ns:Error>We can't respond to you at this time; we will respond through e-mail soon</ns:Error>
               </ns:MyResponse>
             </format>
           </payloadFactory>
           <send/>
         </faultSequence>
       </resource>
     </api>

    Circuit Breaker Pattern

    In his book "Release It!", Michael T. Nygard formalized and nicely presented the Circuit Breaker pattern. I would also recommend reading Martin Fowler's excellent article about this pattern.

    This is how Fowler introduces the Circuit Breaker pattern.

    "The basic idea behind the circuit breaker is very simple. You wrap a protected function call in a circuit breaker object, which monitors for failures. Once the failures reach a certain threshold, the circuit breaker trips, and all further calls to the circuit breaker return with an error, without the protected call being made at all. Usually you'll also want some kind of monitor alert if the circuit breaker trips."
    [Source - ] 

    The Circuit Breaker pattern defines three states.
    • Closed - the circuit is closed, and communication with the remote party is possible without any issues.
    • Open - after N failures, the circuit moves to the Open state.
      • For a certain time interval, the system does not try to send further messages to the remote system.
      • The client receives an error message.
    • Half-Open - after a certain time interval, the system tries to send a limited number of messages to the remote system; if the communication succeeds, the circuit is reset to the Closed state.
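The three states above can be sketched in a few lines of code (an illustrative sketch of the pattern itself, not the ESB implementation; the thresholds and intervals are arbitrary):

```python
import time

class CircuitBreaker:
    def __init__(self, failure_threshold: int = 3, open_interval: float = 0.4):
        self.failure_threshold = failure_threshold  # N failures before tripping
        self.open_interval = open_interval          # seconds to stay Open
        self.failures = 0
        self.opened_at = None                       # None => Closed

    def call(self, fn):
        if self.opened_at is not None:
            if time.monotonic() - self.opened_at < self.open_interval:
                raise RuntimeError("circuit open: failing fast")  # Open: reject immediately
            # Interval elapsed: Half-Open, let one trial call through.
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = time.monotonic()   # trip (back) to Open
            raise
        self.failures = 0                           # success: reset to Closed
        self.opened_at = None
        return result
```

A failed trial call in Half-Open re-opens the circuit; a successful one resets it to Closed, exactly as in the state list above.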

    Here is a simple state change diagram according to the Circuit Breaker pattern.

    WSO2 ESB Endpoints include a feature-rich error-handling mechanism that can be used to implement the Circuit Breaker pattern. One difference is that WSO2 ESB endpoint state names differ from the Circuit Breaker pattern's state names.

    Now let's look at an example Endpoint definition, which is in fact an improved version of the above TimeoutEP.

     <endpoint name="CircuitBreakerEP">
       <address uri="http://localhost:9764/CalculatorService-war_1.0.0/services/calculator_service/call">
         <timeout>
           <duration>200</duration>
           <responseAction>fault</responseAction>
         </timeout>
         <suspendOnFailure>
           <initialDuration>400</initialDuration>
         </suspendOnFailure>
         <markForSuspension>
           <!-- example values; tune for your deployment -->
           <retriesBeforeSuspension>3</retriesBeforeSuspension>
           <retryDelay>50</retryDelay>
         </markForSuspension>
       </address>
     </endpoint>

    The important configuration details of the above example are as follows.
    1. initialDuration - once the endpoint reaches the 'suspended' state (the 'open' state in the Circuit Breaker pattern), it waits for 400 ms before the next retry.
    2. retriesBeforeSuspension - the failure count after which the endpoint moves into the 'suspended' state (the 'open' state in the Circuit Breaker pattern).
    3. retryDelay - the delay between failed calls.
    You can use the above "CalAPI" to test this endpoint as well.

     <api name="CalAPI" context="/cal">
       <resource methods="GET">
         <inSequence>
           <send>
             <endpoint key="CircuitBreakerEP"/>
           </send>
         </inSequence>
         <faultSequence>
           <header name="To" action="remove"/>
           <property name="RESPONSE" value="true"/>
           <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
           <log level="full"/>
           <payloadFactory media-type="xml">
             <format>
               <ns:MyResponse xmlns:ns="http://services.samples">
                 <ns:Error>We can't respond to you at this time; we will respond through e-mail soon</ns:Error>
               </ns:MyResponse>
             </format>
           </payloadFactory>
           <send/>
         </faultSequence>
       </resource>
     </api>

    Internal Implementation

    I have included the following details to clarify the pattern implementation in terms of WSO2 ESB concepts; you may skip this section if you are not interested in the internal implementation details.

    The following two diagrams illustrate the state flow of the original Circuit Breaker pattern and of the WSO2 ESB implementation. Basically, the WSO2 ESB Endpoint "Active" state is identical to the "Closed" state of the pattern, and the pattern's "Open" state is identical to the ESB Endpoint's "Suspended" state. One main difference is that in WSO2 ESB there is no separate "Half-Open" state; the "Suspended" state encapsulates the logic belonging to both the "Open" and "Half-Open" states.

    Another difference is that in WSO2 ESB, after the first failure the Endpoint moves into the "Timeout" state, and successive attempts are executed from the "Timeout" state.
    Circuit Breaker pattern flow. 

    WSO2 ESB  internal flow 

    The following advanced configurations can be used to achieve more flexible and more complex implementations of the Circuit Breaker pattern.

    1. errorCodes - you can define the failure codes that the Circuit Breaker should act upon. The complete list of supported status codes can be found here.
    2. progressionFactor, maximumDuration - by combining these with the "retriesBeforeSuspension" property you can form more complex and dynamic retry behaviours; for more details refer here.

    NOTE: In WSO2 API Manager, the API Gateway is a lightweight ESB node; hence the "Timeout" and "Circuit Breaker" pattern implementations discussed above can be used seamlessly in WSO2 API Manager as well.

    Shani Ranasinghe: Unable to get the hostName or IP address of the server when starting WSO2 Products

    Today I faced an issue where a WSO2 server that needed restarting did not start up after shutting down, due to the following error:

    {org.apache.synapse.ServerConfigurationInformation} -  Unable to get the hostName or IP address of the server {org.apache.synapse.ServerConfigurationInformation} <hostname> : <hostname> : Name or service not known
    at org.apache.synapse.ServerConfigurationInformation.initServerHostAndIP(
    at org.apache.synapse.ServerConfigurationInformation.<init>(
    at org.apache.synapse.ServerConfigurationInformationFactory.createServerConfigurationInformation(
    at org.wso2.carbon.mediation.initializer.ServiceBusInitializer.initESB(
    at org.wso2.carbon.mediation.initializer.ServiceBusInitializer.activate(

    The issue in my case was not a WSO2 bug; it was an issue with the machine.

    The OS I was using was Ubuntu, and the problem was that the hostname was not correctly set.

    The easy way  - temporary fix

    1) Run the following command. (assuming the hostname you want to set is abc001)

                        #    hostname abc001

    2) To verify the hostname just run the following command

                               # hostname

    It should output the hostname we just set.

    Proper fix

    1) We need to fix this properly. In that case, we need to change the /etc/hostname file (on Red Hat-based systems, the /etc/sysconfig/network file).

    open this file as sudo or super user, and change the hostname in that file to be the hostname you require.


    2) Then you need to update the /etc/hosts file to reflect this change. You should map the entry


                          <local-ip> abc001

    3) After that you need to restart the networking service.

                       #service networking restart
                       #/etc/init.d/networking restart

    4) Then verify the hostname has been set by running the command

                        # hostname



    Shani Ranasinghe: [WSO2 APIM] - The Basic Architecture of WSO2 APIM - Part 1

    After a long time I decided to write a blog post, and this time about APIM, mainly because my new team is the WSO2 APIM team. Today I received a training from Nuwan Dias (WSO2 APIM team) on the basic architecture of APIM, and that training inspired me to write this article.

    To start off with, yes, I did have prior knowledge of WSO2 APIM and have worked with it on various occasions. But the training I received today cleared many doubts and helped organize my knowledge of WSO2 APIM very clearly. Hence, this article is aimed at beginners, to give a basic idea of the WSO2 APIM architecture.

    So, before I start there are some main components of WSO2 APIM which I will introduce briefly.

     1) The API Publisher
     2) The API Store
     3) The API Gateway
     4) The Key Manager

    The Publisher

    This is the component responsible for the workflows associated with API creation; this is where an API developer does most of the work. The API Publisher is a Jaggery application (Jaggery is a framework for writing web apps and HTTP-focused web services, covering the front end, communication, server-side logic, and persistence in pure JavaScript). The Publisher allows the creation of an API by letting the developer fill in a form. This form consists of many details such as the API name, version, throttling level, etc.

    There are basically two ways of creating an API:
    • filling out the Create API form in WSO2 APIM, or
    • importing a Swagger document (Swagger is a simple yet powerful representation of a RESTful API).
    APIs created in this component are initially in the Created state; an API is associated with many states.

     The Store

    The Store is the component that exposes the published APIs. APIs created in the Publisher need to be pushed to the Published state in order for users to view them in the API Store. The API Store is responsible for maintaining API access. While the API Store has many other responsibilities, I would like to believe its main one is to allow users to interact with APIs and subscribe to them.

    Subscription and access are maintained as follows: the Store shows the APIs in a tenant domain once the user selects the domain when navigating to the Store. As mentioned before, these are only the APIs in the Published state. To access an API, the user needs to create an Application in the API Store. In a practical scenario, let's say there is an API that provides weather information, and in my application I need that data for a functionality I intend to deliver. I would then create an application, which is an OAuth application, in the APIM Store. I can subscribe to an API using this created application, which maintains the subscriptions to APIs. Once this is done, I can generate a token. This will be a consumer key and consumer secret pair, which in OAuth terms is something similar to a username/password. With this, the Store also provides an access token, which is a token of type APPLICATION. With these tokens, an application can access the subscribed API and obtain the service.

    The API Store, just like the Publisher, is a Jaggery web application.

    The Gateway

    The Gateway is the access point through which an external user obtains the services offered by an API.

    When the Publisher publishes an API, a Synapse configuration of the API (Apache Synapse is a lightweight and high-performance Enterprise Service Bus (ESB)) is sent to the Gateway. In a typical production deployment, this is the only component that is exposed. The Gateway itself is an ESB, and hence sequences can be enforced on these APIs. The API, when invoked, runs this Synapse configuration, which has a set of handlers that are called in sequence. These handlers are:
    •  Security handler
    •  Throttling handler
    •  Stats handler
    •  Google Analytics handler (disabled by default)
    •  Extensions handler
    These handlers must run in sequence because each handler populates the Synapse message context and passes it on, as required by the next handler in the sequence. The Gateway has token and revoke endpoints, which are proxies for the actual endpoints embedded in the Key Manager component.

    The Keymanager

    The Key Manager is the component that handles authorization and authentication. WSO2 IS can also be configured as the Key Manager. The API Manager Key Manager handles the security-related aspects: it issues keys to the Store and verifies keys coming from the Gateway.

    There is a JAX-RS web app embedded in the Key Manager which implements the token and revoke endpoints. These are the endpoints the Gateway calls when requesting tokens.

    With these four components introduced, in my next blog post I will discuss how an API is published and how the Store, Gateway, and Key Manager are involved.

    Till then, I hope this gives you a heads-up on the basic API Manager architecture, and I hope you read more about it. If interested, I have noted references below for your use.



    Shani Ranasinghe: [WSO2 APIM] - The Basic Architecture of WSO2 APIM - Part 2 - The Publisher - under the hood

    As a continuation of my previous post, The Basic Architecture of WSO2 APIM - Part 1, this post concentrates on the Publisher module and its major functions. It is recommended that you read the aforementioned post in order to clearly understand the concepts described here.

    The Publisher is the starting point of an API's life cycle; an API is created in the API Publisher by an API publisher. The Publisher is also a major component of WSO2 APIM and was introduced in my earlier post.

    To start off with let me bring up the basic outline of the Publisher in a graphical mode.

    An API publisher will ideally interact with the API Publisher module to create and manage an API. The API Publisher is a Jaggery web app which provides an easy-to-use GUI.

    Databases associated with the API Publisher

     The database configuration can be found at <APIM_HOME>/repository/conf/datasources/master-datasources.xml

        - Registry Database
          The db handles all registry related storage.
        - AM_DB
           This db stores information required for the APIM.
           This db stores information such as user permissions.

    Logging in 

    The end user logs into the API Publisher by entering a username and password in the GUI provided by the web app. Once the credentials are entered, the API Publisher validates them against the authentication manager set in api-manager.xml, found at repository/conf; it is defined under the <AuthManager> tag. This is the server that the Publisher and the Store point to for authentication. By default it is the embedded LDAP user store, pointed to via localhost and started with the APIM server itself. In a typical production deployment this could be WSO2 IS or any other IdP (identity provider).

    When the end user logs into the API Publisher in an SSO-configured environment, it sends a SAML request to the authentication server. The authentication server processes the authentication and sends a signed response, which the API Publisher then validates against the key stores.

    Once authentication is complete, it checks for authorization in the UM_DB by checking for publisher permissions. Once both authentication and authorization succeed, the user is allowed to access the API Publisher.

    Creating an API

    There are two ways of creating an API.
       1. By filling out the form in the API Publisher web app
       2. By importing a Swagger doc.

    When the API Publisher creates an API, the API information is stored in the Registry database, specifically in the governance space. Together with the API, the Swagger document related to the created API is also stored in the Registry database.

    When the API is created, a Synapse configuration of the API is also stored in the API Gateway. Since the API Gateway is a WSO2 ESB, the API is also capable of having custom in and out sequences defined in the API definition.

    In parallel, when the API is created, the AM_DB is also updated: a reference to the API is stored in its tables. Since all the information about the API is in the REG_DB, only the subset of API information required for APIM functionality is stored in the AM_DB.

    When an API is created it is by default in the "created" state.

    I hope this gives you a clear understanding on what happens in the publisher end, under the hoods.

    In my next few blog posts I am planning to discuss the rest of the modules, the API Store and the API Gateway. These will cover the Key Manager as well.


    Shani Ranasinghe: [WSO2 APIM] - The Basic Architecture of WSO2 APIM - Part 3 - The Store - under the hood

    In continuation of my previous two posts, The Basic Architecture of WSO2 APIM - Part 1 and The Basic Architecture of WSO2 APIM - Part 2 - The Publisher - under the hood, this post briefly discusses the architecture of the API Store component. These posts are mainly targeted at beginners with WSO2 APIM, and the aforementioned posts are a recommended read in order to understand this one clearly.

    First of all, what is the API Store?

    The API Store is the playground for the API consumer. An API consumer can self-register, discover API functionality, subscribe to APIs, evaluate them, and interact with them.

    The APIM Store is also a Jaggery web app.

    Databases associated with the API Store

     The database configuration can be found at <APIM_HOME>/repository/conf/datasources/master-datasources.xml

        - Registry Database
          The db handles all registry related storage.
        - AM_DB
           This db stores information required for the APIM.
               * The AM_ tables store information related to API's.
               * The IDN_ tables store information related to OAuth Identity.

    View API

    The APIM Store is multi-tenanted; hence, at login, if multiple tenants are registered, it prompts the user to select a tenant.

    Upon selection of a tenant, the APIs published by that tenant can be viewed in the API Store. Here the APIM Store extracts the APIs to display from the registry DB, through a cache.

    When logged in, a user can view an API in much more detail, and can also edit it if permitted.

    The Store has a feature that shows recently added APIs for convenience.

     An Application & Subscribing to an API

    An Application in the APIM world is a concept for decoupling APIs from consumers.

    An Application is a single entity to which APIs can be subscribed. The application is created in the AM_DB database, and when an API is subscribed to, the subscription is also recorded in the APIM.

    The application is then the unit of reference in the APIM Store.

    According to the WSO2 docs, an application is defined as:

    An application is primarily used to decouple the consumer from the APIs. It allows you to:
    • Generate and use a single key for multiple APIs
    • Subscribe multiple times to a single API with different SLA levels
     Creating Keys

    Creating keys in order to invoke an API can be done in the APIM store. Once the application is created, we can create tokens for that application.

    When it comes to tokens, we can create application tokens (access tokens) and application user tokens; the types are APPLICATION and APPLICATION_USER. Access tokens are the tokens that the application developer gets.

    When we create these tokens in the APIM Store, we get the consumer_key and consumer_secret, which are per application. The APIM Store talks to the APIM Key Manager (in future releases there will be the capability of plugging in a custom Key Manager, but for the time being it is either the WSO2 APIM Key Manager or WSO2 IS as the Key Manager), and the Key Manager generates the keys. These keys are stored in the AM_DB as well.

    The tokens generated are associated to the application with a validity period.

     Note: the consumer key is analogous to a username, and the consumer secret is analogous to a password.

    Regenerating Tokens

    The WSO2 APIM allows the regeneration of access tokens. In this process there are three steps that are executed.

     1) The existing token will be revoked.
     2) A new token will be generated
     3) The validity period of the token will be updated in the database.

    Once these three steps are performed, the newly generated token is returned.
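The three steps above can be sketched as follows (an illustrative sketch using an in-memory store; APIM itself performs these steps against the AM_DB):

```python
import secrets
import time

def regenerate_token(store: dict, app_id: str, validity_seconds: int = 3600) -> str:
    store.pop(app_id, None)            # 1. revoke the existing token
    token = secrets.token_urlsafe(32)  # 2. generate a new token
    store[app_id] = {                  # 3. record the token with a fresh validity period
        "token": token,
        "expires_at": time.time() + validity_seconds,
    }
    return token
```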


    The Store indexes the APIs for better performance; the index info can be found at the /solr location in the registry. Information on this can be found at [1].


    Internally, the APIM Store uses many workflows. One example is subscription creation.

    Subscription creation uses a workflow executor. Workflow executors have two methods:

         1. execute

         2. complete

     To make the workflow implementations clearer, let me bring up a diagram explaining them.

    The implementation of the workflow can take two paths.

    1) The default implementation, where the "complete" method is called directly within the "execute" method.
    2) A custom workflow definition. For example's sake, we use WSO2 BPS as the workflow execution unit here. We need to write a custom workflow executor and use it in the APIM; the external workflow is executed via a web service (for the SOAP service, the callback URL would be the BPS URL).

    When a workflow is executed, the workflow details are put into AM_WORKFLOWS in the AM_DB, and the status of the workflow is set to ON_HOLD. Once complete is called, the status is updated to either APPROVED or REJECTED.
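The default path can be sketched as follows (illustrative only; the real executors live in the APIM code base and persist their state to AM_WORKFLOWS):

```python
class SubscriptionWorkflowExecutor:
    """Sketch of the default path: complete() is invoked inside execute()."""

    def execute(self, workflow: dict):
        workflow["status"] = "ON_HOLD"             # recorded when the workflow starts
        self.complete(workflow, approved=True)     # default executor completes immediately

    def complete(self, workflow: dict, approved: bool):
        workflow["status"] = "APPROVED" if approved else "REJECTED"

wf = {"type": "subscription"}
SubscriptionWorkflowExecutor().execute(wf)
assert wf["status"] == "APPROVED"
```

A custom executor would instead call out to an external system (such as BPS) from execute(), leaving the workflow ON_HOLD until the external system calls back and complete() is run.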

    More detailed information on this can be found at [2] & [3].



    Shani Ranasinghe: [WSO2 APIM] - The Basic Architecture of WSO2 APIM - Part 4 - Gateway & Key Manager - under the hood

    In this post I will briefly introduce how the Gateway and the Key Manager interact in order for an API to be successfully invoked.

    Let me bring up a diagram first.

    In a real-world distributed deployment, only the WSO2 APIM Gateway would be exposed to the outside world. So, having created keys for an application subscribed to a number of APIs (if you are not familiar with this context, please refer to my earlier post, The Basic Architecture of WSO2 APIM - Part 3 - The Store - under the hood, for a crash course), you would invoke an API via the Gateway.

    Ideally, an application has the consumer_key and consumer_secret hardcoded in the application itself. When invoking the API, the username and password must also be supplied, and the application passes the username, password, consumer_key, and consumer_secret to the Gateway. The Gateway exposes some token APIs [1], which are:
       - /token
       - /revoke
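A client-side sketch of a /token call (illustrative; the gateway address, port 8243, and the credentials are assumptions), showing how the consumer key/secret form the Basic auth header while the username/password form the request body:

```python
import base64
import urllib.parse

def build_token_request(consumer_key, consumer_secret, username, password):
    # consumer_key:consumer_secret, Base64-encoded, becomes the Basic auth header
    creds = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # the resource owner's credentials go into the form body (password grant)
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    })
    return "https://localhost:8243/token", headers, body
```

The returned URL, headers, and body could then be sent with any HTTP client to obtain an access token from the Gateway.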

    When calls are made to these APIs, the Gateway calls the Key Manager JAX-RS web app in order to verify the access token. The Key Manager queries the AM_DB, retrieves the access token, and verifies it. It returns an API Info DTO, which includes the metadata of the access token: the validity period, the refresh token, and the scopes.

    When APIs are invoked, the Gateway does not call the Key Manager on every invocation; the APIM Gateway makes use of a cache for this. However, this cache can be turned off. [2]

    Invoking the API

    When APIs are invoked, there are several authorization grant types we can use; WSO2 APIM supports the same grant types as WSO2 IS. The password grant type is used only when the application is a trusted application. The client credentials grant type requires only the consumer_key and consumer_secret. [1]

    API Handlers

    When an API is created, its Synapse configuration is stored in the WSO2 APIM Gateway, which is itself an ESB (WSO2 ESB). When the API is invoked and hits the Gateway, the Gateway executes the API's in and out sequences, which contain a set of handlers. Each API, when created, has a set of default handlers defined [3].

       1) Security handler / APIAuthenticationHandler
         Validates the OAuth token used to invoke the API.
       2) Throttle handler / APIThrottleHandler
         Throttles requests based on the throttle policy. This is done based on two counts:
         the global count and the local count.

       3) Stats handler / APIMgtUsageHandler
         Helps to push data to the BAM for analytics.
       4) Google analytics handler / APIMgtGoogleAnalyticsTrackingHandler
          Pushes events to Google Analytics for analytics.

       5) Extensions handler / APIManagerExtensionHandler
         Executes extension sequences.

     Each of these handler classes has two methods:
      1) handleRequest
      2) handleResponse

     These methods are overridden in each of these handlers to accomplish the task that the handler is written for. It is also possible to write your own handler and plug it in. Details on this can be found at [4].
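     The request/response chain described above can be sketched generically. The following is an illustrative Python model only, with hypothetical handler names; the real handlers are Java classes plugged into the Synapse engine, not this interface:

     ```python
     class Handler(object):
         """Illustrative stand-in for an API handler in the chain."""
         def handle_request(self, message):
             return True   # True lets the message continue down the chain

         def handle_response(self, message):
             return True


     class AuthHandler(Handler):
         def handle_request(self, message):
             # Reject the call early if no token is present,
             # like a failed OAuth check would.
             return "token" in message


     class StatsHandler(Handler):
         def handle_request(self, message):
             message.setdefault("events", []).append("request-counted")
             return True


     def invoke(handlers, message):
         # Run handle_request on each handler in order; any handler
         # can short-circuit the chain and stop the invocation.
         for h in handlers:
             if not h.handle_request(message):
                 return False
         # ... backend would be invoked here ...
         for h in reversed(handlers):
             h.handle_response(message)
         return True

     chain = [AuthHandler(), StatsHandler()]
     print(invoke(chain, {"token": "abc"}))   # accepted
     print(invoke(chain, {}))                 # rejected by AuthHandler
     ```

     The key property the sketch captures is that a handler early in the chain (security, throttling) can stop the message before later handlers or the backend ever see it.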

    I hope you were able to gain a basic, high-level understanding of what happens internally when an API is invoked on WSO2 APIM. By going through the references you can gain a much more detailed knowledge of the APIM Gateway and WSO2 APIM as a whole.



    Shani Ranasinghe[WSO2 APIM] - The Basic Architecture of WSO2 APIM -part 5- Statistics in APIM

    In this blog post I will briefly go over how the APIM Publisher and Store are able to draw up graphs with statistical information on the APIs. This blog post is targeted at newcomers who would like to get a bird's-eye view of the functionality.

    In the WSO2 APIM Gateway, as I explained in my previous post The Basic Architecture of WSO2 APIM - part 4- Gateway & Key Manager - Under the hoods, each API has a set of handlers defined. One of these handlers is the APIMgtUsageHandler, which invokes org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataPublisher. The APIMgtUsageDataPublisher is configured to publish events to the BAM server that has been configured with the APIM.

    The diagram below illustrates the process of publishing stats and viewing them in the Publisher/Store apps.

    The WSO2 APIM Gateway publishes events via the Thrift protocol to the WSO2 BAM server (in a real-world production environment, this is more likely a BAM cluster). The BAM server then writes the data to a NoSQL database, Cassandra. The BAM Analyzer, to which the APIM toolbox is deployed, fetches the data batch by batch from the Cassandra database and summarizes it using Hive. The Hive scripts have to be written and deployed in the server beforehand. The BAM Analyzer then pushes the summarized data to an RDBMS.

    The WSO2 APIM Store and Publisher then pull the data from the RDBMS and display it in the Store and Publisher analytics pages.

    This is a very brief explanation of what happens in the APIM when statistics are to be displayed.

    Detailed information can be found  at the references listed below.




    Lali DevamanthriTech Giants in Image Recognition Supremacy

    The race to exascale isn’t the only rivalry stirring up the advanced computing space. Artificial intelligence sub-fields, like deep learning, are also inspiring heated competition from tech conglomerates around the globe.

    When it comes to image recognition, computers have already passed the threshold of average human competency, leaving tech titans, like Baidu, Google and Microsoft, vying to outdo each other.

    The latest player to up the stakes is Chinese search company Baidu. Using the ImageNet object classification benchmark in tandem with Baidu’s purpose-built Minwa supercomputer, the search giant achieved an image identification error rate of just 4.58 percent, besting humans, Microsoft and Google in the process.

    An updated paper [PDF] from a team of Baidu engineers describes the latest accomplishment carried out by Baidu’s image recognition system, Deep Image, consisting of “a custom-built supercomputer dedicated to deep learning [Minwa], a highly optimized parallel algorithm using new strategies for data partitioning and communication, larger deep neural network models, novel data augmentation approaches, and usage of multi-scale high-resolution images.”

    “Our system has achieved the best result to date, with a top-5 error rate of 4.58% and exceeding the human recognition performance, a relative 31% improvement over the ILSVRC 2014 winner,” state the report’s authors.

    The Baidu colleagues add that this is significantly better than the latest results from both Google, which reported a 4.82 percent error rate, and Microsoft, which days prior had declared victory over the average human error rate (of 5.1 percent) when it achieved a 4.94 percent score. Both companies were also competing in the ImageNet Large Scale Visual Recognition Challenge.

    Dedunu DhananjayaAlfresco 5.0.1 Document Preview doesn't work on Ubuntu?

    I recently installed Alfresco for testing in a Vagrant instance, using an Ubuntu image. But I forgot to install the libraries which need to be installed on Ubuntu before you install Alfresco. Fortunately, Alfresco worked without those dependencies.

    The link above lists the libraries you should install before you install Alfresco. Run the command below to install them.
    sudo apt-get install libice6 libsm6 libxt6 libxrender1 libfontconfig1 libcups2
    But office document previews still didn't work properly. Some documents worked, but some of them didn't. Then I tried to debug it with one of my colleagues. We found the following text in our logs:

    Then we tried to run the soffice application from the terminal. Look what we got!
    /home/vagrant/alfresco-5.0.1/libreoffice/program/oosplash: error while loading shared libraries: cannot open shared object file: No such file or directory
    Then we realised that we should install that library on Ubuntu. Run the command below on the Ubuntu server to install the missing library.

    sudo apt-get install libxinerama1

    Make sure you run both commands above!

    Hiranya JayathilakaUsing Java Thread Pools

    Here's a quick (and somewhat dirty) solution in Java to process a set of tasks in parallel. It does not require any third party libraries. Users can specify the tasks to be executed by implementing the Task interface. Then, a collection of Task instances can be passed to the TaskFarm.processInParallel method. This method will farm out the tasks to a thread pool and wait for them to finish. When all tasks have finished, it will gather their outputs, put them in another collection, and return it as the final outcome of the method invocation.
    This solution also provides some control over the number of threads that will be employed to process the tasks. If a positive value is provided as the max argument, it will use a fixed thread pool with an unbounded queue to ensure that no more than 'max' tasks will be executed in parallel at any time. By specifying a non-positive value for the max argument, the caller can request the TaskFarm to use as many threads as needed.
    If any of the Task instances throw an exception, the processInParallel method will also throw an exception.

    package edu.ucsb.cs.eager;

    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    import java.util.concurrent.*;

    public class TaskFarm<T> {

        /**
         * Process a collection of tasks in parallel. Wait for all tasks to finish, and then
         * return all the results as a collection.
         *
         * @param tasks The collection of tasks to be processed
         * @param max Maximum number of parallel threads to employ (non-positive values
         *            indicate no upper limit on the thread count)
         * @return A collection of results
         * @throws Exception If at least one of the tasks fail to complete normally
         */
        public Collection<T> processInParallel(Collection<Task<T>> tasks, int max) throws Exception {
            ExecutorService exec;
            if (max <= 0) {
                exec = Executors.newCachedThreadPool();
            } else {
                exec = Executors.newFixedThreadPool(max);
            }

            try {
                List<Future<T>> futures = new ArrayList<>();

                // farm it out...
                for (Task<T> t : tasks) {
                    final Task<T> task = t;
                    Future<T> f = exec.submit(new Callable<T>() {
                        public T call() throws Exception {
                            return task.process();
                        }
                    });
                    futures.add(f);
                }

                List<T> results = new ArrayList<>();

                // wait for the results (Future.get re-throws any task failure)
                for (Future<T> f : futures) {
                    results.add(f.get());
                }
                return results;
            } finally {
                exec.shutdownNow();
            }
        }
    }

    Sajith KariyawasamSetting up a VM cluster in VirtualBox

    You may come across a requirement to set up a cluster of virtual machines which need to be able to communicate among themselves, as well as to access the internet from within each virtual machine instance. With the default network settings in VirtualBox you won't be able to achieve inter-VM communication. For that, you need to set up a host-only adapter.

    Go to VirtualBox UI, File --> Preferences --> Network --> Host-only networks

    Click "Add", and fill out the IPv4 address and the network mask. In the DHCP Server tab, untick "Enable Server" to disable the DHCP server.

    Now we have configured the host-only adapter. We can use this adapter when creating new virtual machines.

    My requirement is to set up two virtual machines, each with its own static IP.
    I will show you how to set up one virtual machine.

    Select the virtual machine you need to configure your network settings, and click on "Settings" icon --> Then click on "Network", you will get a UI as follows.

    There, tick "Enable Network Adapter", select Host-only Adapter in the "Attached to" dropdown, and select the host-only adapter that we configured earlier (vboxnet0). Click on the next tab to configure NAT, as follows.

    Now you have configured both the host-only and NAT adapters. Start your virtual machine.
     But still, if you do an "ifconfig" from your virtual machine, you will not see that any 192.168.x.x IP has been assigned. You need to do one more setting, as follows.

    Go to the /etc/network/interfaces file and add the following.

     auto lo
     iface lo inet loopback

     # Host-only interface
     auto eth0
     iface eth0 inet static


    Restart your virtual machine and you will see that your interface is up. In the same way, you can configure your other virtual machines.

    You can now ping from one machine to the other, and vice versa.

    Madhuka UdanthaAdding Configuration file for Python

    'Configuration files', or 'config files', hold the initial settings for some computer programs. They are used for user applications, and can be changed as needed. Through them, an administrator can control which protected resources an application can access, which versions of assemblies an application will use, and where remote applications and objects are located. It is important to have config files in your applications. Let's look at how to implement a Python config file.

    The 'ConfigParser' module has been renamed to 'configparser' in Python 3; the 2to3 tool will automatically adapt imports when converting your sources to Python 3. In this post I will be using Python 2. The ConfigParser class implements a basic configuration file parser language which provides a structure similar to what you would find in Microsoft Windows INI files.

    1. We have to create two files: the config file and the Python file that reads it. (Both are located in the same directory for this sample; you can place them in another directory if you need to.)

    • student.ini

    2. Add some data for configure files

    The configuration file consists of sections, led by a [section] header and followed by name: value entries. Lines beginning with '#' or ';' are ignored and may be used to provide comments. Here are the lines for our configuration file:

    [SectionOne]
    Name: James
    Value: Yes
    Age: 30
    Status: Single
    Single: True

    [SectionTwo]
    FavouriteSport=Football

    [SectionThree]
    FamilyName: Johnson

    [Others]
    Route: 66

    3. Let's try to read this configuration file in Python.

    import os
    import ConfigParser

    path = os.path.dirname(os.path.realpath(__file__))
    Config = ConfigParser.ConfigParser()"%s/student.ini" % path)
    print Config.sections()
    #==>['Others', 'SectionThree', 'SectionOne', 'SectionTwo']
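    Beyond listing sections, individual values can be read with the parser's get() and getint() methods. The sketch below recreates a trimmed-down student.ini in a temporary directory so it is self-contained, and uses an import fallback so the same code runs on both Python 2 and Python 3 (where the module is named configparser):

    ```python
    try:
        import ConfigParser as configparser  # Python 2
    except ImportError:
        import configparser                  # Python 3

    import os
    import tempfile

    # Recreate a trimmed version of the sample student.ini in a temp dir.
    ini_text = "[SectionOne]\nName: James\nAge: 30\n"
    path = os.path.join(tempfile.mkdtemp(), "student.ini")
    with open(path, "w") as f:

    config = configparser.ConfigParser()

    print(config.sections())                   # ['SectionOne']
    print(config.get("SectionOne", "Name"))    # James
    print(config.getint("SectionOne", "Age"))  # 30
    ```

    Note that getint() converts the stored string to an integer for you; getboolean() and getfloat() behave analogously.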

    4. Let's modify the code to be more standard, using a function.

    import os
    import ConfigParser

    path = os.path.dirname(os.path.realpath(__file__))
    Config = ConfigParser.ConfigParser()"%s/student.ini" % path)

    def ConfigSectionMap(section):