ADFS v2.0 certificate bug

June 17, 2013 By Leave a Comment

Over the past week or so I’ve been working to federate EWU with InCommon®. Most schools use Shibboleth®, but we already have Active Directory Federation Service (ADFS) in use here, so I’ve undertaken the challenge to use ADFS.

InCommon has a test service provider that I should be able to sign into if everything is configured properly. However when I connect I get a response that the “X509SerialNumber must have TextContent.” After digging through the saml responses to several other service providers, I found that many of the self-signed certs used by some of the SPs have a serial number of zero (0). When ADFS signs/encrypts the saml response, it does not return the serialNumber of the cert used, but instead returns an empty serialNumber xml element. (<serialNumber />). Shibboleth does not like that at all.

Now it is time to dig through the xml signing/encryption specs to determine who is right and who is wrong. Then go through the process of notifying the losing “vendor”. My gut says that I’ll probably be standing up a Shibboleth server by the time everything is said and done.

 

Filed Under: Uncategorized

Oracle’s All, Any, and Some Operators

June 21, 2012 By Leave a Comment

Once in a blue moon I see these Oracle SQL operators in code somewhere: ALL, ANY, and SOME. Their use is pretty obscure.  The Oracle Performance Tuning Guide and Reference (http://docs.oracle.com/cd/B10500_01/server.920/a96533/opt_ops.htm#1005317) breaks down what is going on with them behind the scenes.

How the CBO Evaluates the ANY or SOME Operator

The optimizer expands a condition that uses the ANY or SOME comparison operator followed by a parenthesized list of values into an equivalent condition that uses equality comparison operators and OR logical operators.

In the following example, the optimizer expands the first condition into the second:

salary > ANY (:first_sal, :second_sal)

is transformed into

salary > :first_sal OR salary > :second_sal

The optimizer transforms a condition that uses the ANY or SOME operator followed by a subquery into a condition containing the EXISTS operator and a correlated subquery.

In the following example, the optimizer transforms the first condition into the second:

x > ANY (SELECT salary
FROM employees
WHERE job_id = ‘IT_PROG’)

is transformed into

EXISTS (SELECT salary
FROM employees
WHERE job_id = ‘IT_PROG’
AND x > salary)

How the CBO Evaluates the ALL Operator

The optimizer expands a condition that uses the ALL comparison operator followed by a parenthesized list of values into an equivalent condition that uses equality comparison operators and AND logical operators.

In the following example, the optimizer expands the first condition into the second:

salary > ALL (:first_sal, :second_sal)

is transformed into

salary > :first_sal AND salary > :second_sal

The optimizer transforms a condition that uses the ALL comparison operator followed by a subquery into an equivalent condition that uses the ANY comparison operator and a complementary comparison operator. In the following example, the optimizer transforms the first condition into the second:

x > ALL (SELECT salary
FROM employees
WHERE department_id = 50)

is transformed into

NOT (x <= ANY (SELECT salary
FROM employees
WHERE department_id = 50) )

The optimizer then further transforms the second query into the following query using the rule for transforming conditions with the ANY comparison operator, followed by a correlated subquery:

NOT EXISTS (SELECT salary
FROM employees
WHERE department_id = 50
AND x <= salary)

Filed Under: Uncategorized Tagged With:

Dexpot: Add Virtual Windows for Windows

June 14, 2012 By Leave a Comment

Linux’s windowing system has had virtual windows for a long time. With virtual windows, one can move different applications to different “screens”. If I’m working 2 or 3 different projects I leave one with e-mail and other miscellaneous apps, then I group the various remote desktop, development apps, etc for each of my projects onto different windows/screens. This really helps keep me focused when I need to not be distracted.

Windows users can download Dexpot (http://dexpot.de/) and add this great feature to Windows. Dexpot has several plug-ins that allow you to decide which method you use to visually switch windows/screens. I usually use keyboard shortcuts, but the cube toggle is visually impressive.

Here’s a couple of screen shots:

Filed Under: Cool Tool

TrueCrypt: Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux

June 3, 2012 By Leave a Comment

Over the years I’ve found a few cool tools. So now I’m gonna share the best with you. Here’s number one: TrueCrypt.

TrueCrypt provides full disk and virtual volume encryption for Windows, Mac, and Linux. It’s easy to install and easy to use. TrueCrypt can create an encrypted file and mounts it as a drive. You drop the files in that you want to protect, then un-mount the drive. Your secrets are safe. Not even the NSA can break in if your password is sufficiently strong.

I’ve been using it for years before I back stuff up into the cloud. Check it out.

Filed Under: Cool Tool

A new look for EagleNET

April 13, 2012 By 9 Comments

Sometime in the next few weeks, EagleNET will be getting a new, more modern look. Here are a few screenshots to give you an idea of what to expect. Before I begin I’m invoking the standard disclaimer: the final results may differ slightly that the screenshots below (click the images for a larger view).

The main menu has similar choices as before. Instead of tabs, there are large headings. If you have more headings than can fit on the page, you can use the arrows to slide them over.

Clicking one of the menu main items will present the standard items for that functional area. If the link that you click on is a sub menu, the items will fill in below the current menu.

If you want to get somewhere in a hurry, you have two options. The first is to use the pull down navigation. Click the Browse button and drill down into the page you want.

The second option is just under the Sign Out link; the search box. As you start typing in the page name you want to go to, matching results will be displayed. You can then click on the page that you want to jump right there.

Here’s an example of a functional page. This is the Time Sheet Entry that employees are accustomed to.

Functionally, all of the functional pages work the same as they did before.

I hope you’ll agree that the new changes to EagleNET’s look are positive ones. Let us know what you think in the comments section.

Filed Under: EagleNET

Getting Your App In On the SSO Fun

March 14, 2012 By Leave a Comment

Looking to get in on the Eastern SSO fun with your web application? Check out my page on how to do it.

Filed Under: Identity Management, Uncategorized

Using Powershell to Separate a WMP Playlist

January 11, 2012 By Leave a Comment

I wanted to “export” the music from one of my Windows Media Player playlist to a standalone folder. My music is all organized into a hierarchy of folders so grabbing the various .mp3 and .wma would be labor intensive. So being the nerd that I am, I wrote a quick PowerShell script to copy the various songs to a specific folder. It’s not fancy, but it totally does the job.

cd C:\Users\John\Music\Playlists
[xml] $playlist = get-content "C:\Users\John\Music\Playlists\Intro.wpl"
 foreach ($song in $playlist.smil.body.seq.media) {
 write-host $song.src
 copy $song.src c:\music\intro
 }
Filed Under: PowerShell Tagged With: ,

WordPress Dual Auth Test

January 5, 2012 By Leave a Comment

This is a quick test to see if my new plug-in for WordPress that uses CAS for browser based authentication and LDAP for api based authentication works.

I’m now editing this post with a different api-based tool.

Filed Under: CAS

Using a Database Stored Procedure to Authenticate CAS users

October 1, 2011 By 2 Comments

Ja-sig’s Central Authentication Service (CAS) supports multiple authentication sources, including using 3 database authentication types. They are:

  • BindModeSearchDatabaseAuthenticationHandler which uses the RDBMS’s user security to authenticate users. If CAS can connect to the database with the user’s username and password the credentials are considered legitimate.
  • QueryDatabaseAuthenticationHandler which passes the username into a specified query that returns the password. If the returned password matches that which was specified by the user the credentials are considered legitimate.
  • SearchModeSearchDatabaseAuthenticationHandler which queries a given table for a given username column and a given password column with the username and password provided by the user. If a record is return the user is considered legitimage.

I have a fourth scenerio which doesn’t lend itself to any of these solutions. I’d like to pass the username and password into a stored procedure and allow it to determine if the credentials are legitimate. This has some advantages like being able to directly record when the last successful or failed authentication was. I also have a future project of developing a solution to allow CAS to use one-time passwords (OTP), where the user could print out a list of 5 or 10 passwords that can be used to log in exactly one time. After being used, the user scratches that password off the list. This becomes very easy if a stored procedure is being used to provide the validation logic.

The solution I’ve developed is the StoredProcedureDatabaseAuthenticationHandler. It’s design has been mirrored after the other database handlers, and it’s derived from the same base class. It has 5 parameters:

  • dataSource (inherited) – review the CAS JDBC Authnetication page for details (required).
  • procedureName – the name of the stored procedure being called (required).
  • usernameParameterName – the name of the SP’s username parameter (required).
  • passwordParameterName – the name of the SP’s password parameter (required).
  • successReturnValue – the value that is returned in the SP’s resultset (1st column/1st row) upon successful validation (required).

After extracting the files and adding them to your build, you’ll want to add the following code to the authenticationHandler list in the the deployerConfigContext.xml file. Something similar to:

<bean class="org.jasig.cas.adaptors.jdbc.StoredProcedureDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource" />
  <property name="procedureName" value="p_validatePassword" />
  <property name="usernameParameterName" value="Username" />
  <property name="passwordParameterName" value="Password" />
  <property name="successReturnValue" value="yes" />
</bean>

You’ll also want to add the following snippet to your Maven POM file so that appropriate dependencies exist for building and running the unit test:

  <dependency>
          <groupId>org.jasig.cas</groupId>
          <artifactId>cas-server-support-jdbc</artifactId>
          <version>${cas.version}</version>
          <scope>compile</scope>
  </dependency>
  <dependency>
          <groupId>junit</groupId>
          <artifactId>junit</artifactId>
          <version>4.8.1</version>
          <scope>test</scope>
  </dependency>
  <dependency>
          <groupId>org.hsqldb</groupId>
          <artifactId>hsqldb</artifactId>
          <version>2.2.4</version>
          <scope>test</scope>
  </dependency>

You will likely need to add additional dependencies to get database connectivity working, but the CAS User’s Manual/Wiki has all of the necessary information.

StoredProcedureDatabaseAuthenticationHandler has been tested against Microsoft SQL Server and HyperSQL (hsqldb). In fact, the unit test that I developed are against HyperSQL 2.2.4. Please let me know if you have success with other database platforms.

My long term plan for this project is to submit it to Ja-sig for inclusion in the core/jdbc CAS framework. That way others get to benefit from it, and I don’t have to be solely responsible to maintain it.

In the same bundle, I’ve included the StoredFunctionDatabaseAuthenticationHandler class. Using Spring to connect to a Stored Procedure is nearly identical to connecting to a User-Defined Function/Stored Function. However I could never get it to work with hsqldb for unit testing as HyperSQL reports that only one parameter is being passed. My guess is that there is a bad interaction between Spring and HyperSQL as HyperSQL isn’t natively support by the Spring Framework. It does, however, work when connecting to Microsoft SQL Server, so I’m publishing the StoredFunctionDatabaseAuthenticationHandler code as well. The only real difference in use is the class name and one of the parameter name of procedureName becomes functionName:

<bean class="org.jasig.cas.adaptors.jdbc.StoredFunctionDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource"/>
  <property name="functionName" value="f_validatePassword" />
  <property name="usernameParameterName" value="Username" />
  <property name="passwordParameterName" value="Password" />
  <property name="successReturnValue" value="yes" />
</bean>

Attachment: ExtraCasJdbcAuthHandlers.zip

Filed Under: CAS

CASifying AiM™

July 15, 2011 By Leave a Comment

CASifying the AssetWORKS AiM application for use with SSO was extremely straight forward. AiM uses getRemoteUser() and thus it follows the standard setup using the JA-SIG CAS Client for Java.

The only gotcha we found is that AiM doesn’t do any initial authorization checking so the main page comes up for all users, not just those in the AiM database. We had to assign some reports to specific groups so that they didn’t show to the un-authorized users, but that was it. Everything else that they could see wasn’t an issue.  At some point we’ll probably add a custom filter than will provision users as their is a desire to put surveys for the campus community online.

Instructions

  1. Open the web.xml file for editing:
  2. Find the Filter with filter-name equal to “Form Based Authentication Filter”
  3. Paste the following fragment BEFORE this filter block.:
    4. <!-- CAS Filters Start -->
    <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://login.ewu.edu/cas/login</param-value>
    </init-param>
    <init-param>
    <param-name>serverName</param-name>
    <param-value>http://it-aimtest.eastern.ewu.edu:8080</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <servlet-name>Screen Servlet</servlet-name>
    </filter-mapping>
    <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://login.ewu.edu/cas</param-value>
    </init-param>
    <init-param>
    <param-name>serverName</param-name>
    <param-value>http://it-aimtest.eastern.ewu.edu:8080</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <servlet-name>Screen Servlet</servlet-name>
    </filter-mapping>
    <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <servlet-name>Screen Servlet</servlet-name>
    </filter-mapping>
    <!-- CAS Filters End -->
  4. Find “<servlet-class>com.maximus.fmax.common.framework.view.webapp.LoginServlet</servlet-class>”
  5. Replace the line with: “<jsp-file>/common/caslogout.jsp</jsp-file>”, so that
    6. <!-- Pre-CAS
    <servlet>
    <servlet-name>Login Servlet</servlet-name>
    <servlet-class>com.maximus.fmax.common.framework.view.webapp.LoginServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    now looks like:-->
    <servlet>
    <servlet-name>Login Servlet</servlet-name>
    <jsp-file>/common/caslogout.jsp</jsp-file>
    <load-on-startup>1</load-on-startup>
    </servlet>
  6. Save the file.
  7. Copy cas-client-core-3.2.0.jar to {web-app-root}\WEB-INF\lib
  8. caslogout.jsp to {web-app-root}\common (not {web-app-root}\WEB-INF\common)
  9. Restart Tomcat.

Note: caslogout.jsp calls response.sendRedirect(“https://login.ewu.edu/”); and routes the user to CAS server giving them the option to logout of SSO.

Filed Under: Uncategorized
« Older Posts
John Gasper is powered by WordPress Services at Eastern Washington University.
Please read the EWU Wordpress Policies and Terms of Use. Questions & comments? Contact the EWU Wordpress Team.
The materials hosted by EWU WordPress Services are not endorsed, sponsored, provided by, or on behalf of Eastern Washington University.