Sunday, July 27, 2014

Securing the Internet of Things with WSO2 IS

The popularity of the Internet of Things (IoT) is driving demand for more solutions that make it easier for users to integrate devices with a wide variety of on-premise and cloud services. Many existing solutions make such integration possible, but there are gaps in several aspects, including usability and security.


Node.js is a runtime environment for running JavaScript applications outside a browser. Node.js is based on the technology of the Google Chrome browser. It runs on nearly all popular server environments, including both Linux and Windows. Node.js benefits from an efficient, light-weight, non-blocking I/O model that is event-driven, which makes it an ideal fit for applications running across distributed devices.

Node.js also features a package manager, npm, which lets developers use a wide variety of third-party modules in their applications with ease. The Node.js package repository boasts over 85,000 modules. The light-weight and lean nature of the runtime environment also makes it very convenient to develop as well as host applications.


Node-RED is a creation of IBM’s Emerging Technology group and is positioned as a visual tool for wiring the Internet of Things. Built on Node.js, Node-RED focuses on modelling applications and systems as a graphical flow, making it easier for developers to build ESB-like integrations. Node-RED also uses Eclipse Orion, making it possible to develop, test and deploy in a browser-based environment. Node-RED uses a JSON-based configuration model.

Node-RED provides a number of out-of-the-box nodes, including social networking connectors, network I/O modules, transformations and storage connectors. The project also maintains a repository of additional nodes on GitHub. The documentation is easy to understand, and introducing a new module is fairly straightforward.

WSO2 Identity Server

WSO2 Identity Server is a product designed by WSO2 to manage the sophisticated security and identity management requirements of enterprise web applications, services and APIs. The latest release also features an Enterprise Identity Bus (EIB), a backbone that connects and manages multiple identity and security solutions regardless of the standards on which they are based.

The WSO2 Identity Server provides role-based access control (RBAC), policy-based access control and single sign-on (SSO) capabilities for on-premise as well as cloud applications such as Salesforce, Google Apps and Microsoft Office 365.

Integrating WSO2 Identity Server with IBM Node-RED

What’s good about Node-RED is that it makes it easy to build an integration around hardware, making it possible to wire the Internet of Things together. The WSO2 Identity Server, on the other hand, makes it very easy to secure APIs and applications. Both products are free to download and use, and both are released under the enterprise-friendly Apache License, which even makes it possible to repackage and redistribute them. The integration brings together the best of both worlds.

The approach I have taken is to introduce a new entitlement node for Node-RED. You can find the source code on GitHub. My node makes use of the Authentication and Entitlement administration services of WSO2 IS. Both of these endpoints can be accessed via SOAP or REST: most read-only operations can be performed with an HTTP GET call, and modifications are done with a POST carrying an XML payload.

The code allows you either to provide credentials through the web browser (using HTTP Basic Access Authentication) or to hard-code them in the node configuration. The graphical configuration of the entitlement node lets you choose whether to perform authentication, entitlement, or both. Invoking the entitlement service also requires administrative access; these credentials can either be provided separately, or the same credentials used for authentication can be passed on.

Example Use-cases

To make this easier to understand, I have used Node-RED to build an API that exposes the contents of a file on my filesystem. The name of the file can be configured in the browser. This is a useful technique when designing test cases for processing hosted files, or for providing resources such as service contracts and schemas. I have inserted my entitlement node into the flow to ensure that access to the file is secured.

The configuration as seen below will both authenticate and authorize access to this endpoint. I have also provided the administrative credentials needed to access the Entitlement Service and uploaded a basic XACML policy to the WSO2 Identity Server.

When you access the endpoint, you should now see a prompt requesting your credentials.

Only valid user accounts that have been set up on WSO2 Identity Server will be accepted. Failed login attempts, failed authorizations and other errors are recorded as warnings on Node-RED. These can be observed both in the browser and at the command prompt in which you are running the Node.js server.
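As an added example (not the code of the entitlement node on GitHub), here is the request-side logic the node described above needs in the file-exposing use case: parsing the browser's Basic Access Authentication header, building the XACML request the Entitlement Service evaluates against the uploaded policy, and failing closed on anything but Permit. The names `handleRequest`, `hooks.authenticate`, `hooks.getDecision` and the `cfg` fields are assumptions; the two hooks stand in for the actual SOAP/REST calls to WSO2 IS.

```javascript
// XML-escape user-controlled values before they go into the XACML request.
const esc = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' })[c]);

// Parse an HTTP Basic Access Authentication header. Anything other than a
// well-formed "Basic base64(user:pass)" yields null; passwords may contain ':'.
function parseBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i <= 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Build the XACML 2.0 request the Entitlement Service evaluates against the
// uploaded policy: who (subject), what (resource) and how (action).
function buildXacmlRequest(subject, resource, action) {
  const attr = (id, v) =>
    `<Attribute AttributeId="${id}" DataType="http://www.w3.org/2001/XMLSchema#string">` +
    `<AttributeValue>${esc(v)}</AttributeValue></Attribute>`;
  return '<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">' +
    `<Subject>${attr('urn:oasis:names:tc:xacml:1.0:subject:subject-id', subject)}</Subject>` +
    `<Resource>${attr('urn:oasis:names:tc:xacml:1.0:resource:resource-id', resource)}</Resource>` +
    `<Action>${attr('urn:oasis:names:tc:xacml:1.0:action:action-id', action)}</Action>` +
    '<Environment/></Request>';
}

// Only an explicit Permit grants access; Deny, NotApplicable, Indeterminate
// and an unparseable reply all fail closed.
function decisionFromResponse(xml) {
  const m = /<Decision>\s*(Permit|Deny|NotApplicable|Indeterminate)\s*<\/Decision>/.exec(xml || '');
  return m && m[1] === 'Permit' ? 'Permit' : 'Deny';
}

// Per-request logic of the node (assumed shape). hooks.authenticate and
// hooks.getDecision wrap the WSO2 IS admin services; warn is the node's logger.
function handleRequest(req, cfg, hooks, warn) {
  const challenge = { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="Node-RED"' } };
  const creds = parseBasicAuth(req.headers.authorization);
  if (!creds) return challenge;                 // missing or malformed header: prompt the browser
  if (!hooks.authenticate(creds.user, creds.pass)) {
    warn(`authentication failed for user ${creds.user}`);
    return challenge;
  }
  if (cfg.entitlement) {                        // authorization is optional in the node config
    const reply = hooks.getDecision(buildXacmlRequest(creds.user, cfg.resource, cfg.action));
    if (decisionFromResponse(reply) !== 'Permit') {
      warn(`access to ${cfg.resource} denied for user ${creds.user}`);
      return { status: 403 };
    }
  }
  return { status: 200, user: creds.user };
}
```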