KiWi in a Nutshell

This screencast, prepared by Thomas Kurz, explains KiWi’s most impressive features and how they can be used. Really good stuff, in my humble opinion.  🙂


(note: it’s spoken in German)

Posted in Semantic Web, Software Development, Wiki

KiWi Release 0.8

Due to active feature development, natural chaos regarding organizational issues (e.g. Kenai was closed for public access) and a lot of urgent deadlines for proposals and papers, it has been a long time since we published a KiWi release. The last KiWi release, 0.7, was announced in December 2009, as you can read on Sebastian Schaffert's blog. Last Friday, however, we found some time to fix the last major bugs, test the newest features, perform some minor cosmetic surgery and release the new prototype version 0.8. We are glad to present the new features of KiWi:

Configuration Wizard:

Mihai Radulescu implemented the configuration wizard, which makes it easy to deploy a fresh version of KiWi. With the wizard's help one can choose the preferred database (the standard for testing is H2 DB; alternatives are PostgreSQL and MySQL), the working path to store indexes and triples, and the extensions that should be installed. To run the wizard, have a look at the installation HOWTO; the basic step is to open http://localhost:8080/kiwi.web.setup/wizard_database.seam in your local browser and follow the instructions.

Semantic Forms:

The Semantic Forms feature has been implemented by Rolf Sint. It allows forms to be defined by annotating form fields with RDFa, which makes it possible to store form data in a semi-structured format. Semantic Forms can be created in the Wiki editor by clicking on the ‘+’ sign at the top of the editor and choosing a pre-defined Semantic Form template. After the values of the Semantic Form have been defined, it can be stored either as a modification to the current ContentItem or as a new ContentItem. Semantic Forms are a currently evolving technology that supports a lot of use cases in the field of the Semantic Web, for example in project, risk or idea management.

TagIT2:

As announced in the KiWi 0.7 release blog entry, TagIT2 had a usability stress test in January 2010 at the Salzburger Nachrichten Agentur (local newspaper for Salzburg, AT) under the lead of Thomas Kurz. It went very well and the results are very satisfying. Besides the existing TagIT2 functionality, KiWi 0.8 introduces the features for defining and importing routes (gpx-import) in TagIT2.

Identity & Permission Management:

The identity management has been refactored to build a basis for the permission management. JBoss Seam’s identity management is still in use, but an identity is now always either a registered user or the pre-defined anonymous user, and never undefined. This allows us to assign and to withdraw roles and permissions for users that are signed in and for those who are not.

KiWi 0.8 introduces global and individual permission management for single users and groups of users that is (hopefully) easy to maintain. Global permissions are defined in the admin extension under ‘manage permissions’, where users or groups can be assigned to read, write and admin roles. Individual permissions can be defined in the ‘individual permissions’ action in the Wiki view for each ContentItem. Identity and Permission Management were my contribution to KiWi 0.8.

Information Extraction

Marek Schmidt updated the information extraction service prototype with two major new features: Extractlets and Annotation Editor.

Extractlets are a new simple API which allows developers to easily write custom information extraction components to produce various kinds of suggestions (including links, tags, fragments and nested items), taking advantage of the natural language processing pipeline provided by GATE plugins.

The prototype of the annotation editor is now able to display information extraction suggestions and enables seamless annotation with all kinds of metadata supported by the KiWi system (links, tags, fragments, nested items).

Reasoning:

The reasoner was refactored by Jakub Kotowski, mainly to clean up the code, to make it nicer and more general, and to prepare it for further features. The highlight is that a subset of OWL 2 RL can be expressed in sKWRL and processed by the reasoner. The Explanation Service deals correctly with multiple derivations and detects cycles. Another interesting improvement is the partly separate TBox/ABox reasoning, which currently serves mainly to speed up reasoning by firing only rules that can be satisfied with respect to the TBox.

Personalized Search

KiWi users are now able to get their search results personalized based on their tagging activity. The idea is to promote the returned items that are closer to the user's preferences to the first positions. Technically, we re-rank the regular search results by measuring the similarity of the tags assigned to the content items retrieved in the search with a set of tags that denote the user's preferences. Fred Durao led the Personalized Search improvement and the development of Social Capital Recommendations.

Social Capital Recommendations

The tag-based recommendations are now powered by a social capital factor, which considers the summation of collaborative work behind WiKi pages. The goal is to use the energy employed on the development of pages for increasing the performance of the recommendations. In addition to the collaborative work, the social capital factor is weighted by user expertise and the interactivity between social ties. The user expertise is calculated by the amount of contributions (i.e. tagging, editing, commenting, rating) an individual performs for the whole community, whereas the interactivity is accounted as the amount of activities a single user performs on the pages created by his/her social ties.

VMT 2.0:

The intern Arpad Borsos, who has been employed at Salzburg Research for the last 3 months, extended the vocabulary management tool (VMT), which evolved out of Rolf Sint’s Diploma Thesis, by means of user interaction and user interface. VMT 2.0 is now based on Smart GWT and uses the new SKOS standard. Furthermore, SKOS concept merging is now possible with VMT 2.0.

Ideator, Alpha-Version:

Rolf Sint and Thomas Kurz started a new use case scenario, the Ideator, which is implemented as an extension to KiWi. The main idea behind that use case is an application for collaborative idea management. Currently, the ideator enables the creation and categorization of ideas and impresses its users with a beautiful user interface.

Ideator Screenshot

Community Equity (CEQ):

Mihai Radulescu improved the CEQ feature by applying different ageing functions depending on the action type (e.g. the equity points gained with a comment action will depreciate faster than those gained with an edit action).

There is a set of default ageing functions (one per action), which can be changed according to the user's needs. For the moment this functionality is only provided on the service layer.
The current implementation provides support for PostgreSQL and H2 databases; MySQL and Oracle will be supported in the next version.
There is a very basic UI for the CEQ functionality (Inspector -> Inspect CEQ values).

All in all, we are happy that we have found some time to bring KiWi 0.8 to the public, and we’ll try to adopt the “release early, release often” attitude again. The code can now be found in the Google Code repository http://code.google.com/p/kiwi/. Have fun trying it out and see you next time with (hopefully) more features and fewer bugs 🙂

The reasoning refactoring was mainly to clean up the code (to make it
nicer, more general and to prepare it for further features (e.g. the
parser now can parse a lot more than the reasoner is able to process, the
abstract syntax tree classes are changed accordingly, etc.)), I tried to
improve efficiency but the difference is not significant. The highlight is
that a subset of OWL 2 RL can be expressed in sKWRL and processed by the
reasoner. Explanation is finally "fixed" and deals correctly with multiple
derivations and detects cycles (well, at least some of them...I did not
have the time to implement a complete detection). And for some it may be
interesting that there is a partly separate TBox/ABox reasoning which is
now mainly to speed up reasoning by firing only rules which can be
satisfied with respect to the TBox. Reason maintenance can be incorrect in
some cases - I have to improve the reasoner a bit to deal with it
efficiently.
Posted in Java Enterprise Edition, Software Development

Client Certificate Authentication with JBoss AS 4.2.3

I have recently been trying to integrate foaf-ssl single sign-on, a decentralized service that authenticates users with client certificates in Social Semantic Web applications, into KiWi. The idea behind foaf-ssl is that a user keeps his certificates in his browser and is asked to choose one certificate to authenticate with the application. The certificate contains a link to the WebID, which can be used to locate the user's FOAF file, where personal information such as first and last name, birthday and e-mail address can be found. In my opinion, this is a great opportunity to build applications that are able to import data about identities without annoying users with recurring registration processes and weak password protection.

To use foaf-ssl within your application you may like to build your own identity provider (idp) servlet, which checks the client certificate, extracts the WebID from the certificate and redirects to a URL that has been passed to the servlet as a GET parameter. The first step towards enabling such a service is the configuration of your application server. Henry Story provided a detailed description of how to configure Tomcat 6 to allow client certificate authentication. As JBoss AS 4.2.3 also uses Tomcat 6 internally, the configuration of JBoss AS differs only slightly from the Tomcat 6 configuration.

First of all we’ll have a look at the server.xml file, where the application server's connector configurations can be found. You’ll find that file in the ${JBoss.home}/server/default/deploy/jboss-web.deployer directory. The jboss-web.deployer is the Tomcat 6 bundle that JBoss AS integrates. Inside server.xml you’ll find a Connector that defines the SSL connections. If you haven’t changed the default configuration yet, this element should be commented out. So the first step is to uncomment it and configure it in the following way:

<!-- HTTPS connector; secure="true" makes request.isSecure() return true for requests on this port -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
       scheme="https" secure="true" strategy="ms" address="${jboss.bind.address}"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="changeit" sslProtocol="TLS"
       truststoreFile="/usr/lib/jvm/java-6-sun-1.6.0.10/jre/lib/security/cacerts"
       truststorePass="changeit"
       SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
       acceptAnyCert="true" clientAuth="want" />

The default HTTPS port is 443, but ports below 1024 require the server to be started with root privileges, so we use port 8443 for testing purposes instead. As we want mutual authentication and not just server-side authentication, clientAuth must be set to at least “want”. There are three values for clientAuth: set it to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection; set it to want if you want the SSL stack to request a client certificate, but not fail if one isn’t presented; a false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

As Henry already pointed out in his HowTo, servers authenticate themselves by sending the client a certificate signed by a well-known Certificate Authority (CA) whose public key is shipped in all browsers. Browsers use the public key to verify the signature sent by the server. If the server sends a certificate that is not signed by one of these CAs (perhaps it is self-signed), the web browser will usually display some pretty ugly error message, warning the user to stay clear of that site, with some complex way of bypassing the warning, which, if the user is courageous and knowledgeable enough, will allow him to add the certificate to a list of trusted certs. This warning will put most people off. It is therefore best to buy a CA-certified cert. (Henry found one for €15 at trustico.) Usually the CAs will have very detailed instructions for installing the cert on a wide range of servers. Anyway, for testing purposes it is fair enough to use self-signed certificates.

To enable HTTPS connections and persist server as well as client certificates, it is important to specify the locations of the keystore and the truststore; the keystore will be built in the following steps. The JVM comes with a truststore, so you don’t have to create another one. However, you have to specify the location of the JVM truststore. At least, it didn’t work for me when I left it out.

The next step is to build the keystore in the ${JBoss.home}/server/default/conf directory. This can be done with the help of the keytool program, which can be found in the ${JAVA.HOME}/bin directory. To create a keystore, export its certificate and import it into the JVM truststore, type the following commands into the console:

.../server/default/conf$ keytool -genkey -alias server -keyalg RSA -keystore server.keystore
.../server/default/conf$ keytool -export -alias server -keystore server.keystore -file server.cer
.../server/default/conf$ keytool -import -v -trustcacerts -alias server -file server.cer \
    -keystore ${JAVA_HOME}/jre/lib/security/cacerts -keypass changeit -storepass changeit

After the first command you’ll be asked to fill in some information, for example the keystore password, the first name and last name, the organisation, the city, state, etc. Note that for the server keystore you should enter the host address (www.host.de, 127.0.0.1, etc.) instead of your first and last name, because otherwise the browser complains that the address stored in the certificate does not match the address that the user typed into the browser.

Another important setting in server.xml is the link to the custom SSLImplementation (SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"). This library has been provided by Bruno Harbulot and makes it possible to accept any client certificate (when acceptAnyCert is set to true), not just those whose issuer has been trusted before.

Henry explains that necessity in the following paragraph:

Usually servers send in the request to the client a list of Distinguished Names of certificates authorities (CA) they trust, so that the client can filter from the certificates available in the browser those that match. Getting client certificates signed by CA’s is a complex and expensive procedure, which in part explains why requesting client certificates is very rarely used: very few people have certificates signed by well known CAs. Instead those services that rely on client certificate tend to sign those certificates themselves, becoming their own CA. This means that certificates end up being valid for only one domain. foaf+ssl bypasses this problem by accepting certificates signed by any CA, going so far as to allow even self signed certs. The server must therefore send an empty list of CAs meaning that the browser can send any certificate (TLS 1.1).

For this to work, the jsslutils library and the jsslutils-extra-apachetomcat6 library must be placed into the ${JBoss.home}/server/default/lib directory.

Once these steps are completed, your JBoss application server should allow secured HTTPS connections that can use any kind of client certificate from the users' browsers to authenticate them.
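With acceptAnyCert set to true the connector no longer checks who issued the client certificate, so the idp servlet has to establish the identity itself. The following is an added example, not code from the original post, KiWi or jsslutils, of that check. It assumes the WebID is carried as a URI entry in the certificate's subjectAltName and that the RSA modulus and exponent have already been read from the user's FOAF file; the class name WebIdCertCheck and its method names are hypothetical.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.net.URI;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Added example; class and method names are hypothetical, not KiWi or jsslutils code.
public class WebIdCertCheck {
    // Collects http(s) URIs from subjectAltName; GeneralName type 6 is uniformResourceIdentifier.
    static List<URI> webIds(X509Certificate cert) throws Exception {
        List<URI> result = new ArrayList<URI>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if extension absent
        if (sans == null) return result;
        for (List<?> san : sans) {
            if (((Integer) san.get(0)).intValue() != 6) continue;
            URI uri = URI.create((String) san.get(1));
            String scheme = uri.getScheme();
            if ("https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme)) result.add(uri);
        }
        return result;
    }

    // True only if the certificate carries exactly the RSA key published in the profile.
    // A self-signed certificate proves nothing on its own; this comparison is the identity check.
    static boolean keyMatches(X509Certificate cert, BigInteger modulus, BigInteger exponent) {
        if (!(cert.getPublicKey() instanceof RSAPublicKey)) return false;
        RSAPublicKey key = (RSAPublicKey) cert.getPublicKey();
        return key.getModulus().equals(modulus) && key.getPublicExponent().equals(exponent);
    }

    // Usage: java WebIdCertCheck client.cer <modulus-hex> <exponent-decimal>
    public static void main(String[] args) throws Exception {
        FileInputStream in = new FileInputStream(args[0]);
        try {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            cert.checkValidity(); // throws if expired or not yet valid
            BigInteger n = new BigInteger(args[1].replaceAll("[^0-9a-fA-F]", ""), 16);
            BigInteger e = new BigInteger(args[2]);
            System.out.println("WebID candidates: " + webIds(cert));
            System.out.println("Key matches profile: " + keyMatches(cert, n, e));
        } finally {
            in.close();
        }
    }
}
```

In a servlet the same two methods would be applied to the first element of the X509Certificate[] that the container stores in the request attribute javax.servlet.request.X509Certificate.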

Posted in Application Server, Java Enterprise Edition, Software Development

mostly harmless!

This blog was created out of frustration.

I’ve been searching for documentation about SSL configuration on the JBoss Application Server and found almost nothing, especially not on the JBoss community web site (where I couldn’t even register to write a forum post, because of a missing permission to create a new user Oo). The only hints that I found were pieces of configuration on other blogs, which mostly, but not completely, helped me to solve my particular problem.

So what I’m doing now is giving away some more pieces of information that might help other people with similar problems, or at least they help me to remember what I did to solve them. Topics of this blog are:  Software development, especially in the area of enterprise applications with JEE, EJB and Seam, databases, identity management and similar topics.

So, in summary you’ll find here my contributions to the digital world… mostly harmless 🙂

Posted in Miscellaneous