
Big Data Analytics in M2M

WHITE PAPER

Bidirectional Event Based Communication With Java WebSocket

Table of Contents

Introduction
What is WebSocket?
Project Tyrus
Uses for WebSockets
How It Works
Architect and Developer Perspective
Sample Machine Interaction WebSocket Application
Conclusion
References

© 2015, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

Introduction

When we hear the phrase "full duplex communication", the first thing that comes to mind is a telephone call, and then software TCP communication over plain sockets. As the web gets richer and more interactive, clients and servers can communicate and send notifications in real time. Users demand information as soon as it is made available. If one has to refresh a page to get new information, it is already too late. Luckily, a protocol that supports direct data exchange is now available: WebSocket.

WebSockets are designed to be implemented in web browsers and web servers. WebSockets can also be useful for standalone client-server applications, a subject covered in this white paper. To highlight this, I will use plain Java for both client and server.

What is WebSocket?
WebSocket is an advanced technology that makes it possible to open an interactive communication session between clients and a server. With this API, you can send messages to a server and receive event-driven responses. It provides full-duplex communication over a single TCP connection. It is an independent TCP-based protocol; its only relationship to HTTP is that HTTP servers interpret its handshake as an upgrade request.

Project Tyrus

Tyrus is the open source reference implementation of JSR 356 - Java API for WebSocket, for easy development of WebSocket applications. It is a Java project that has been released separately. It is the only API that gives a Java-based WebSocket client and provides separate containers for servers that do not use GlassFish. In this paper, I use this API to highlight the non-browser WebSocket client and the ability to run a WebSocket server as a plain Java program.

Uses for WebSockets

• Live, event-based machine interaction
• Financial tickers
• Social feeds
• Sports updates
• Multiplayer games
• Multimedia chat
• Collaborative editing/coding
• Location-based apps
• Clickstream data
• Online education

How It Works

The client establishes a WebSocket connection through a process known as the WebSocket handshake. This process starts with the client sending a regular HTTP request to the server. The request includes an Upgrade header that informs the server that the client wishes to establish a WebSocket connection.

This is a simplified example of the initial request headers.
Client request:

    GET ws://WebSocket.example.com/ HTTP/1.1
    Origin: http://example.com
    Connection: Upgrade
    Host: WebSocket.example.com
    Upgrade: WebSocket

Server response:

    HTTP/1.1 101 WebSocket Protocol Handshake
    Date: Wed, 16 Oct 2013 10:07:34 GMT
    Connection: Upgrade
    Upgrade: WebSocket

If the server supports the WebSocket protocol, it agrees to the upgrade and communicates this through an Upgrade header in the response. Once the HTTP handshake succeeds, the TCP/IP connection takes care of sending and receiving messages by both the client and the server.

Architect and Developer Perspective

Server-Client Implementation Options

• C++ : libWebSockets
• Ruby : em-WebSocket
• Erlang : Shirasu.ws
• Python : Tornado, pyWebSocket
• Java : JettyWebSocket, jWebSocket, Tyrus, Spring STOMP
• PHP : Ratchet, phpws
• DotNET : Fleck, ASP.NET 4.5, SuperWebSocket, XSocket.NET
• Node.JS : ws, Socket.IO, WebSocket-Node

Security in WebSocket

1. Header level security

The HTTP Origin header field is included in the client's opening handshake for WebSocket. It informs the server about the origin of the script generating the WebSocket connection request. The server may then decide to accept or reject the handshake request accordingly. This allows the server to protect against unauthorized cross-origin use of a WebSocket server by scripts using the WebSocket API in a browser. Non-browser clients may use the Origin header to specify the origin of the request. WebSocket servers should be careful about receiving such requests.

The WebSocket opening handshake from the client must include the Sec-WebSocket-Key and Sec-WebSocket-Version HTTP header fields. To make HTTP requests, use XMLHttpRequest, which allows headers to be set as part of the request. Therefore, to be better secured, we can send our own Sec-WebSocket-Key and Sec-WebSocket-Version HTTP header fields and validate them in our server filter.

2. URL security
Some servers provide credential authentication and Servlet Security mechanisms; for example, JBoss (WildFly). This provides a basic level of authentication, using a username and password. The following steps are required to set up client authentication before the WebSocket handshake is initiated from the client.

Download WildFly 8.1, unzip it, and add a new user by invoking the following script:

    ./bin/add-user.sh -a -u u1 -p p1 -g g1

This will add user "u1" with password "p1" in group "g1". The group specified here needs to match the one defined in <role-name> in the deployment descriptor.

Deploy the sample by giving the command:

    mvn wildfly:deploy

Write your deployment descriptor as below:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="3.1"
             xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>WebSocket Endpoint</web-resource-name>
          <!-- Protects every URL of the application -->
          <url-pattern>/*</url-pattern>
          <!-- The WebSocket opening handshake is an HTTP GET; only GET is constrained here -->
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <!-- Must match the group given to add-user.sh -->
          <role-name>g1</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
      </login-config>
      <security-role>
        <role-name>g1</role-name>
      </security-role>
    </web-app>

Some key points to understand about this descriptor:
• <url-pattern> indicates that any request made to this application will be prompted for authentication
• <auth-constraint> defines the security role that can access this resource
• <login-config> shows that a file-based realm is used with basic authentication
• <security-role> defines the security roles referenced by this application

In this case, the page that creates the WebSocket connection is protected by basic authentication. Now, when the application is accessed at localhost:8080/endpoint-security, a security dialog box pops up.

Enter "u1" as the username and "p1" as the password to authenticate. These credentials are defined in the group "g1", which is referenced in the deployment descriptor. Any other credentials will keep bringing the dialog box back. As soon as the request is successfully authenticated, the WebSocket connection is established.

If you are interested in securing only the WebSocket URL, then change the URL pattern from

    <url-pattern>/*</url-pattern>

to

    <url-pattern>/WebSocket</url-pattern>

In MotorClientEndpoint.java, change the URL used to create the WebSocket endpoint from

    client.connectToServer(WordgameClientEndpoint.class, new URI("ws://localhost:8025/motorServer/motor"));

to

    client.connectToServer(WordgameClientEndpoint.class, new URI("ws://u1:p1@localhost:8025/motorServer/motor"));

Securing WebSocket using WSS and HTTPS/TLS:

The steps below describe how to set up a secure WebSocket connection between the server and a standalone WebSocket client using SSL. Just as HTTP has HTTPS, WebSocket has WSS. Here, I use the Tomcat server to demonstrate.

Create keystore using Java keytool:

Open the command prompt and run the following command. This will generate a keystore file in the current location.
Use the command as below:

    keytool -genkey -alias tomcat -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keyalg RSA -ext san=dns:testserver.com,ip:10.144.1.100

Add the hostname and system IP to the hosts file:

Navigate to "C:\Windows\System32\drivers\etc" and open the hosts file. Add a new entry as "Ipaddress" "hostname". For example:

    10.144.1.100 motorserver.com

Restart the machine and start Tomcat.

Download the InstallCert Java file from the web.
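The Origin check described under "Header level security", as an added example that is not code from the white paper: a JSR 356 `ServerEndpointConfig.Configurator` whose `checkOrigin` refuses handshakes from origins that are not on an allowlist. The class name and the allowlist entries are assumptions; attach it with `@ServerEndpoint(value = "/motor", configurator = OriginAllowlist.class)`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.websocket.server.ServerEndpointConfig;

/** Refuses the opening handshake unless the Origin header is on an allowlist. */
public class OriginAllowlist extends ServerEndpointConfig.Configurator {

    // Assumed allowlist: the sites whose pages may open sockets to this server.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "https://motorserver.com", "https://motorserver.com:8443"));

    /** Reduces an Origin value to scheme://host[:port]; null if it is malformed. */
    static String normalize(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String base = (u.getScheme() + "://" + u.getHost()).toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? base : base + ":" + u.getPort();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Called by the container during the handshake; returning false makes it
    // refuse the upgrade, so no endpoint instance is ever created.
    @Override
    public boolean checkOrigin(String originHeaderValue) {
        String origin = normalize(originHeaderValue);
        return origin != null && ALLOWED.contains(origin);
    }

    public static void main(String[] args) {
        OriginAllowlist guard = new OriginAllowlist();
        // Constructed sample Origin values, not captured traffic.
        String[] samples = { "https://motorserver.com", "HTTPS://MotorServer.com:8443",
                "http://example.com", "https://motorserver.com@example.com", "null", null };
        for (String s : samples) {
            System.out.println(s + " -> " + (guard.checkOrigin(s) ? "accept" : "reject"));
        }
    }
}
```

Origin is set by browsers and can be chosen freely by a non-browser client, so this check protects browser users against cross-site use and does not replace authentication. Sec-WebSocket-Key is a per-connection handshake nonce defined by RFC 6455, not a credential.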
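A hardened variant of the client-side change under "URL security", as an added example that goes beyond the white paper's `ws://u1:p1@...` form and is not the author's code: the Basic credentials are sent in the handshake's Authorization header through a JSR 356 `ClientEndpointConfig.Configurator`, and the client refuses any URI that is not `wss://`. The class names, port 8443 and the use of the hosts-file name `motorserver.com` are assumptions.

```java
import java.io.Console;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.ContainerProvider;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.Session;

public class BasicAuthMotorClient {
    /** Puts the Basic credentials in the handshake headers, not in the URI. */
    static final class BasicAuth extends ClientEndpointConfig.Configurator {
        private final String value;
        BasicAuth(String user, char[] password) {
            byte[] pair = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
            value = "Basic " + Base64.getEncoder().encodeToString(pair);
        }
        @Override
        public void beforeRequest(Map<String, List<String>> headers) {
            headers.put("Authorization", Collections.singletonList(value));
        }
    }

    /** Basic auth is only base64-encoded, so accept wss:// without userinfo only. */
    static URI requireWss(String url) {
        URI uri = URI.create(url);
        if (!"wss".equalsIgnoreCase(uri.getScheme()) || uri.getUserInfo() != null)
            throw new IllegalArgumentException("use wss:// with no user:password@ part");
        return uri;
    }

    public static void main(String[] args) throws Exception {
        // Assumed endpoint; u1 is the user created with add-user.sh.
        URI uri = requireWss("wss://motorserver.com:8443/motorServer/motor");
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal");
        char[] password = console.readPassword("Password for u1: ");
        ClientEndpointConfig cfg = ClientEndpointConfig.Builder.create()
                .configurator(new BasicAuth("u1", password)).build();
        Endpoint endpoint = new Endpoint() {
            @Override
            public void onOpen(Session session, EndpointConfig config) { }
        };
        try (Session s = ContainerProvider.getWebSocketContainer()
                .connectToServer(endpoint, cfg, uri)) {
            System.out.println("authenticated handshake completed: " + s.getId());
        }
    }
}
```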