Re: [DISCUSS] SAML 2.0 Service Provider feature
After discussing with Colm on IRC, I went ahead and merged the PR. Regards. On 30/03/2017 14:30, Francesco Chicchiriccò wrote: On 30/03/2017 11:42, Colm O hEigeartaigh wrote: Hi Francesco, Good work! Thanks sir :-) A few questions for you: a) Is there any documentation available on how to set this up for a Syncope deployment? I'll give it a try once there is. There is something in the (updated) reference guide: https://github.com/Tirasa/syncopeSAML2SP/blob/SYNCOPE-1041/src/main/asciidoc/reference-guide/concepts/extensions.adoc#saml-20-service-provider Essentially, you need to download the IdP metadata into one XML file, then go into Admin Console > Extensions > SAML 2.0 and import. Then, edit the created IdP entry to set the appropriate mapping; I have been using: * username -> uid for TestShib * email -> EmailAddress for SSO Circle Now download SP metadata from the second tab from the same page: please be aware to access the Syncope deployment with some FQDN and localhost, so that metadata URLs are generated accordingly. SP metadata for Admin Console is also downloadable from http://your.host.name:9080/syncope-console/saml2sp/metadata Once downloaded, import such SP metadata into your SAML IdP. Then edit one of the users so that the mapping above is verified; I did it by: * setting username to 'myself' for TestShib (the test user available there) * setting email value to the one for the user I created at SSO circle Finally, log out from Admin Console: a new combo box is shown at the bottom of the login screen, from which you can choose one of configured IdPs: by selecting one, the SAML SSO process is triggered and - if all goes well - you will end up by logging into the Admin Console as the user authenticated via SAML. The same feature is available for Enduser UI, but requires to download / import into IdP some slightly different metadata: http://your.host.name:9080/syncope-enduser/saml2sp/metadata b) Does the code support both the "RP" and "IdP" initiated flows? Both would be useful, although we could always add the other at a later stage if not. At the moment only SP-initiated is supported. c) I see CXF's SAMLProtocolResponseValidator in the code but not the SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes are of validating the SAML Response against the web SSO profile, or are you doing this manually somewhere? Exactly: most of checks performed by SAMLSSOResponsevalidator are done through SAML2SPLogic methods. d) There are some TransformerFactory instances that need to have the secure processing feature enabled. "some"? There should be only one, actually: please suggest the modifications and I'll push a commit for that. Thanks for reporting! Regards. On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccòwrote: Hi all, I have just submitted the PR #45 containing my work for SYNCOPE-1041: it basically introduces a new extension which allows to: 1. import IdP metadata and configure mapping to match internal users (also via admin console) 2. export SP metadata 3. enable Admin Console and Enduser to perform SAML-based SSO I have tested the feature with both https://www.testshib.org/ and http://www.ssocircle.com/en/ Please note that, as kindly suggested by Colm and Sergey, I did not re-implement the SAML assertion validation, but I did re-use cxf-rt-rs-security-sso-saml. At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should be close enough. Please let me have your feedback. Regards. On 07/03/2017 17:25, Francesco Chicchiriccò wrote: On 07/03/2017 17:19, Colm O hEigeartaigh wrote: Hi Francesco, It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP: https://github.com/apache/cxf/blob/master/rt/rs/security/sso /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAML ProtocolResponseValidator.java https://github.com/apache/cxf/blob/master/rt/rs/security/sso /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/ SAMLSSOResponseValidator.java I spent a lot of time reading the specs and making sure the validation rules were all followed :-) That's very nice, thanks for the pointers! Regards. On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò < ilgro...@apache.org wrote: On 07/03/2017 11:56, Sergey Beryozkin wrote: Hi Francesco Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and myself worked upon earlier on. Thanks for the pointer, Sergey: I did already find it, though. This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as
Re: [DISCUSS] SAML 2.0 Service Provider feature
On 30/03/2017 11:42, Colm O hEigeartaigh wrote: Hi Francesco, Good work! Thanks sir :-) A few questions for you: a) Is there any documentation available on how to set this up for a Syncope deployment? I'll give it a try once there is. There is something in the (updated) reference guide: https://github.com/Tirasa/syncopeSAML2SP/blob/SYNCOPE-1041/src/main/asciidoc/reference-guide/concepts/extensions.adoc#saml-20-service-provider Essentially, you need to download the IdP metadata into one XML file, then go into Admin Console > Extensions > SAML 2.0 and import. Then, edit the created IdP entry to set the appropriate mapping; I have been using: * username -> uid for TestShib * email -> EmailAddress for SSO Circle Now download SP metadata from the second tab from the same page: please be aware to access the Syncope deployment with some FQDN and localhost, so that metadata URLs are generated accordingly. SP metadata for Admin Console is also downloadable from http://your.host.name:9080/syncope-console/saml2sp/metadata Once downloaded, import such SP metadata into your SAML IdP. Then edit one of the users so that the mapping above is verified; I did it by: * setting username to 'myself' for TestShib (the test user available there) * setting email value to the one for the user I created at SSO circle Finally, log out from Admin Console: a new combo box is shown at the bottom of the login screen, from which you can choose one of configured IdPs: by selecting one, the SAML SSO process is triggered and - if all goes well - you will end up by logging into the Admin Console as the user authenticated via SAML. The same feature is available for Enduser UI, but requires to download / import into IdP some slightly different metadata: http://your.host.name:9080/syncope-enduser/saml2sp/metadata b) Does the code support both the "RP" and "IdP" initiated flows? Both would be useful, although we could always add the other at a later stage if not. At the moment only SP-initiated is supported. c) I see CXF's SAMLProtocolResponseValidator in the code but not the SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes are of validating the SAML Response against the web SSO profile, or are you doing this manually somewhere? Exactly: most of checks performed by SAMLSSOResponsevalidator are done through SAML2SPLogic methods. d) There are some TransformerFactory instances that need to have the secure processing feature enabled. "some"? There should be only one, actually: please suggest the modifications and I'll push a commit for that. Thanks for reporting! Regards. On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccòwrote: Hi all, I have just submitted the PR #45 containing my work for SYNCOPE-1041: it basically introduces a new extension which allows to: 1. import IdP metadata and configure mapping to match internal users (also via admin console) 2. export SP metadata 3. enable Admin Console and Enduser to perform SAML-based SSO I have tested the feature with both https://www.testshib.org/ and http://www.ssocircle.com/en/ Please note that, as kindly suggested by Colm and Sergey, I did not re-implement the SAML assertion validation, but I did re-use cxf-rt-rs-security-sso-saml. At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should be close enough. Please let me have your feedback. Regards. On 07/03/2017 17:25, Francesco Chicchiriccò wrote: On 07/03/2017 17:19, Colm O hEigeartaigh wrote: Hi Francesco, It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP: https://github.com/apache/cxf/blob/master/rt/rs/security/sso /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAML ProtocolResponseValidator.java https://github.com/apache/cxf/blob/master/rt/rs/security/sso /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/ SAMLSSOResponseValidator.java I spent a lot of time reading the specs and making sure the validation rules were all followed :-) That's very nice, thanks for the pointers! Regards. On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò < ilgro...@apache.org wrote: On 07/03/2017 11:56, Sergey Beryozkin wrote: Hi Francesco Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and myself worked upon earlier on. Thanks for the pointer, Sergey: I did already find it, though. This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation. I'll look at the provided page and related implementation, anyway, thank you very much
Re: [DISCUSS] SAML 2.0 Service Provider feature
Hi Francesco, Good work! A few questions for you: a) Is there any documentation available on how to set this up for a Syncope deployment? I'll give it a try once there is. b) Does the code support both the "RP" and "IdP" initiated flows? Both would be useful, although we could always add the other at a later stage if not. c) I see CXF's SAMLProtocolResponseValidator in the code but not the SAMLSSOResponseValidator. The SAMLSSOResponseValidator takes are of validating the SAML Response against the web SSO profile, or are you doing this manually somewhere? d) There are some TransformerFactory instances that need to have the secure processing feature enabled. Thanks, Colm. On Tue, Mar 28, 2017 at 3:41 PM, Francesco Chicchiriccòwrote: > Hi all, > I have just submitted the PR #45 containing my work for SYNCOPE-1041: it > basically introduces a new extension which allows to: > > 1. import IdP metadata and configure mapping to match internal users (also > via admin console) > 2. export SP metadata > 3. enable Admin Console and Enduser to perform SAML-based SSO > > I have tested the feature with both > > https://www.testshib.org/ > > and > > http://www.ssocircle.com/en/ > > Please note that, as kindly suggested by Colm and Sergey, I did not > re-implement the SAML assertion validation, but I did re-use > cxf-rt-rs-security-sso-saml. > At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should > be close enough. > > Please let me have your feedback. > Regards. > > On 07/03/2017 17:25, Francesco Chicchiriccò wrote: > >> On 07/03/2017 17:19, Colm O hEigeartaigh wrote: >> >>> Hi Francesco, >>> >>> It's good to see support for SAML coming to Syncope. I'd encourage you to >>> re-use the functionality developed in CXF to validate the SAML Response >>> from the IdP: >>> >>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso >>> /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAML >>> ProtocolResponseValidator.java >>> https://github.com/apache/cxf/blob/master/rt/rs/security/sso >>> /saml/src/main/java/org/apache/cxf/rs/security/saml/sso/ >>> SAMLSSOResponseValidator.java >>> >>> I spent a lot of time reading the specs and making sure the validation >>> rules were all followed :-) >>> >> >> That's very nice, thanks for the pointers! >> Regards. >> >> On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò < >>> ilgro...@apache.org >>> wrote: On 07/03/2017 11:56, Sergey Beryozkin wrote: Hi Francesco > > Not sure if it can be relevant for this work but at the CXF level we > have > this SAML SP support: > > http://cxf.apache.org/docs/saml-web-sso.html, > > something Colm and myself worked upon earlier on. > > Thanks for the pointer, Sergey: I did already find it, though. This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation. I'll look at the provided page and related implementation, anyway, thank you very much indeed. FYI, this class https://github.com/apache/wss4j/blob/trunk/ws-security-commo n/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java has been already extremely useful to me, since OpenSAML 3 documentation is practically absent. Regards. On 07/03/17 10:49, Francesco Chicchiriccò wrote: > Hi all, >> I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose. >> >> I am already working on it, and it should be ready on time for Syncope >> 2.0.3. >> >> The idea is to embed the whole implementation in a PR, with option of >> further discussing before merge. >> >> Also, I would like to include, in the 2.0.3 release notes, a public >> "thank you" statement to the University of Helsinki similar to the one >> we made for 1.1.0 [2]. >> >> WDYT? >> Regards. >> >> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCU >> SS%5D+SAML+2.0+Service+Provider+feature >> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libit >> um#Adlibitum-1.1.0(April5th,2013) >> > >> -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > http://home.apache.org/~ilgrosso/ > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
Re: [DISCUSS] SAML 2.0 Service Provider feature
Hi all, I have just submitted the PR #45 containing my work for SYNCOPE-1041: it basically introduces a new extension which allows to: 1. import IdP metadata and configure mapping to match internal users (also via admin console) 2. export SP metadata 3. enable Admin Console and Enduser to perform SAML-based SSO I have tested the feature with both https://www.testshib.org/ and http://www.ssocircle.com/en/ Please note that, as kindly suggested by Colm and Sergey, I did not re-implement the SAML assertion validation, but I did re-use cxf-rt-rs-security-sso-saml. At the moment, the code depends on WSS4J 2.1.9-SNAPSHOT, but 2.1.9 should be close enough. Please let me have your feedback. Regards. On 07/03/2017 17:25, Francesco Chicchiriccò wrote: On 07/03/2017 17:19, Colm O hEigeartaigh wrote: Hi Francesco, It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP: https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java I spent a lot of time reading the specs and making sure the validation rules were all followed :-) That's very nice, thanks for the pointers! Regards. On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò
Re: [DISCUSS] SAML 2.0 Service Provider feature
On 07/03/2017 17:19, Colm O hEigeartaigh wrote: Hi Francesco, It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP: https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java I spent a lot of time reading the specs and making sure the validation rules were all followed :-) That's very nice, thanks for the pointers! Regards. On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccò
Re: [DISCUSS] SAML 2.0 Service Provider feature
Hi Francesco, It's good to see support for SAML coming to Syncope. I'd encourage you to re-use the functionality developed in CXF to validate the SAML Response from the IdP: https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.java https://github.com/apache/cxf/blob/master/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java I spent a lot of time reading the specs and making sure the validation rules were all followed :-) Colm. On Tue, Mar 7, 2017 at 11:00 AM, Francesco Chicchiriccòwrote: > On 07/03/2017 11:56, Sergey Beryozkin wrote: > >> Hi Francesco >> >> Not sure if it can be relevant for this work but at the CXF level we have >> this SAML SP support: >> >> http://cxf.apache.org/docs/saml-web-sso.html, >> >> something Colm and myself worked upon earlier on. >> > > Thanks for the pointer, Sergey: I did already find it, though. > > This does not completely fit in our scenario since here the idea is to > split the responsibilities in two: from one side the front-end web-fragment > takes care of the SAML exchange, from the other side the Syncope core (e.g. > the CXF application) works as back-end for the effective SAML assertion > validation and generation. > > I'll look at the provided page and related implementation, anyway, thank > you very much indeed. > > FYI, this class > > https://github.com/apache/wss4j/blob/trunk/ws-security-commo > n/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java > > has been already extremely useful to me, since OpenSAML 3 documentation is > practically absent. > > Regards. > > On 07/03/17 10:49, Francesco Chicchiriccò wrote: >> >>> Hi all, >>> I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose. >>> >>> I am already working on it, and it should be ready on time for Syncope >>> 2.0.3. >>> >>> The idea is to embed the whole implementation in a PR, with option of >>> further discussing before merge. >>> >>> Also, I would like to include, in the 2.0.3 release notes, a public >>> "thank you" statement to the University of Helsinki similar to the one >>> we made for 1.1.0 [2]. >>> >>> WDYT? >>> Regards. >>> >>> [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCU >>> SS%5D+SAML+2.0+Service+Provider+feature >>> [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libit >>> um#Adlibitum-1.1.0(April5th,2013) >>> >> > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Member at The Apache Software Foundation > Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail > http://home.apache.org/~ilgrosso/ > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
Re: [DISCUSS] SAML 2.0 Service Provider feature
Hi Francesco On 07/03/17 11:00, Francesco Chicchiriccò wrote: On 07/03/2017 11:56, Sergey Beryozkin wrote: Hi Francesco Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and myself worked upon earlier on. Thanks for the pointer, Sergey: I did already find it, though. This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation. I'll look at the provided page and related implementation, anyway, thank you very much indeed. Thanks, right, what that CXF module offers is an ability to redirect the users to the SAML2 IDP and validate the saml assertions when the user is returned from there and make sure the security session is set. FYI, this class https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java has been already extremely useful to me, since OpenSAML 3 documentation is practically absent. I believe we also use those utils or may be other OpenSAML related code, Colm would know more about it If that module does not quite work for Syncope then it is fine :-), just wanted to make sure you are aware of it Cheers, Sergey Regards. On 07/03/17 10:49, Francesco Chicchiriccò wrote: Hi all, I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose. I am already working on it, and it should be ready on time for Syncope 2.0.3. The idea is to embed the whole implementation in a PR, with option of further discussing before merge. Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2]. WDYT? Regards. [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013) -- Sergey Beryozkin Talend Community Coders http://coders.talend.com/
Re: [DISCUSS] SAML 2.0 Service Provider feature
On 07/03/2017 11:56, Sergey Beryozkin wrote: Hi Francesco Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and myself worked upon earlier on. Thanks for the pointer, Sergey: I did already find it, though. This does not completely fit in our scenario since here the idea is to split the responsibilities in two: from one side the front-end web-fragment takes care of the SAML exchange, from the other side the Syncope core (e.g. the CXF application) works as back-end for the effective SAML assertion validation and generation. I'll look at the provided page and related implementation, anyway, thank you very much indeed. FYI, this class https://github.com/apache/wss4j/blob/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/saml/OpenSAMLUtil.java has been already extremely useful to me, since OpenSAML 3 documentation is practically absent. Regards. On 07/03/17 10:49, Francesco Chicchiriccò wrote: Hi all, I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose. I am already working on it, and it should be ready on time for Syncope 2.0.3. The idea is to embed the whole implementation in a PR, with option of further discussing before merge. Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2]. WDYT? Regards. [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013) -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: [DISCUSS] SAML 2.0 Service Provider feature
Hi Francesco Not sure if it can be relevant for this work but at the CXF level we have this SAML SP support: http://cxf.apache.org/docs/saml-web-sso.html, something Colm and myself worked upon earlier on. Sergey On 07/03/17 10:49, Francesco Chicchiriccò wrote: Hi all, I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose. I am already working on it, and it should be ready on time for Syncope 2.0.3. The idea is to embed the whole implementation in a PR, with option of further discussing before merge. Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2]. WDYT? Regards. [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013)
[DISCUSS] SAML 2.0 Service Provider feature
Hi all, I have made a proposal at [1] and opened SYNCOPE-1041 for the purpose. I am already working on it, and it should be ready on time for Syncope 2.0.3. The idea is to embed the whole implementation in a PR, with option of further discussing before merge. Also, I would like to include, in the 2.0.3 release notes, a public "thank you" statement to the University of Helsinki similar to the one we made for 1.1.0 [2]. WDYT? Regards. [1] https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+SAML+2.0+Service+Provider+feature [2] https://cwiki.apache.org/confluence/display/SYNCOPE/Ad+libitum#Adlibitum-1.1.0(April5th,2013) -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/