Tongue twisters: eastern.ewu.edu & ewu.edu

I don’t know how many times I’ve been working with someone and while giving them the server’s full host name, I stumble over the phrase “.eastern.ewu.edu”. So, I’ve coined the term: “dot triple e”. Isn’t that so much easier to say than “.eastern.ewu.edu”? I think so as has most others that I shared my idea with.

But, why stop there? Is pronouncing “.ewu.edu” any better? (Try saying that 10 times fast.) Most of the time I hear it pronounced it gets mumbled through because its so hard to say. There are just too many oo’s and e sounds. We all know what the other person is trying to say, but we sound dumb doing it. Well, no longer… along with introducing “dot triple E”, I give you “dot double E”.

Paul Klinger has taken it one step further. Let’s short-hand the typing as well as the pronunciation:
.eastern.ewu.edu = .E³ (or  .3E is acceptable for the ASCII code impaired*)
.ewu.edu = .E² (.2E is acceptable for the ASCII code impaired*)

Thanks to the good thinking of Brian McCracken, the standard has also been amended to include: pronouncing the “dot” in either case is also optional. For example, “access double e”. I personally like the “dot”, but if you want to really streamline… here you go.

Perhaps you won’t choose to use these new terms, but now you’ll understand those that do.

* the squared symbol (²) can be generated by holding down the ALT key while typing “0178″ (without the double quotes), then releasing the ALT key. The cubed symbol (³) using “0179″.

 

ADFS v2.0 certificate bug

Over the past week or so I’ve been working to federate EWU with InCommon®. Most schools use Shibboleth®, but we already have Active Directory Federation Service (ADFS) in use here, so I’ve undertaken the challenge to use ADFS.

InCommon has a test service provider that I should be able to sign into if everything is configured properly. However when I connect I get a response that the “X509SerialNumber must have TextContent.” After digging through the saml responses to several other service providers, I found that many of the self-signed certs used by some of the SPs have a serial number of zero (0). When ADFS signs/encrypts the saml response, it does not return the serialNumber of the cert used, but instead returns an empty serialNumber xml element. (<serialNumber />). Shibboleth does not like that at all.

Now it is time to dig through the xml signing/encryption specs to determine who is right and who is wrong. Then go through the process of notifying the losing “vendor”. My gut says that I’ll probably be standing up a Shibboleth server by the time everything is said and done.

 

Oracle’s All, Any, and Some Operators

Once in a blue moon I see these Oracle SQL operators in code somewhere: ALL, ANY, and SOME. Their use is pretty obscure.  The Oracle Performance Tuning Guide and Reference (http://docs.oracle.com/cd/B10500_01/server.920/a96533/opt_ops.htm#1005317) breaks down what is going on with them behind the scenes.

How the CBO Evaluates the ANY or SOME Operator

The optimizer expands a condition that uses the ANY or SOME comparison operator followed by a parenthesized list of values into an equivalent condition that uses equality comparison operators and OR logical operators.

In the following example, the optimizer expands the first condition into the second:

salary > ANY (:first_sal, :second_sal)

is transformed into

salary > :first_sal OR salary > :second_sal

The optimizer transforms a condition that uses the ANY or SOME operator followed by a subquery into a condition containing the EXISTS operator and a correlated subquery.

In the following example, the optimizer transforms the first condition into the second:

x > ANY (SELECT salary
FROM employees
WHERE job_id = ‘IT_PROG’)

is transformed into

EXISTS (SELECT salary
FROM employees
WHERE job_id = ‘IT_PROG’
AND x > salary)

How the CBO Evaluates the ALL Operator

The optimizer expands a condition that uses the ALL comparison operator followed by a parenthesized list of values into an equivalent condition that uses equality comparison operators and AND logical operators.

In the following example, the optimizer expands the first condition into the second:

salary > ALL (:first_sal, :second_sal)

is transformed into

salary > :first_sal AND salary > :second_sal

The optimizer transforms a condition that uses the ALL comparison operator followed by a subquery into an equivalent condition that uses the ANY comparison operator and a complementary comparison operator. In the following example, the optimizer transforms the first condition into the second:

x > ALL (SELECT salary
FROM employees
WHERE department_id = 50)

is transformed into

NOT (x <= ANY (SELECT salary
FROM employees
WHERE department_id = 50) )

The optimizer then further transforms the second query into the following query using the rule for transforming conditions with the ANY comparison operator, followed by a correlated subquery:

NOT EXISTS (SELECT salary
FROM employees
WHERE department_id = 50
AND x <= salary)

Dexpot: Add Virtual Windows for Windows

Linux’s windowing system has had virtual windows for a long time. With virtual windows, one can move different applications to different “screens”. If I’m working 2 or 3 different projects I leave one with e-mail and other miscellaneous apps, then I group the various remote desktop, development apps, etc for each of my projects onto different windows/screens. This really helps keep me focused when I need to not be distracted.

Windows users can download Dexpot (http://dexpot.de/) and add this great feature to Windows. Dexpot has several plug-ins that allow you to decide which method you use to visually switch windows/screens. I usually use keyboard shortcuts, but the cube toggle is visually impressive.

Here’s a couple of screen shots:

TrueCrypt: Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux

Over the years I’ve found a few cool tools. So now I’m gonna share the best with you. Here’s number one: TrueCrypt.

TrueCrypt provides full disk and virtual volume encryption for Windows, Mac, and Linux. It’s easy to install and easy to use. TrueCrypt can create an encrypted file and mounts it as a drive. You drop the files in that you want to protect, then un-mount the drive. Your secrets are safe. Not even the NSA can break in if your password is sufficiently strong.

I’ve been using it for years before I back stuff up into the cloud. Check it out.

A new look for EagleNET

Sometime in the next few weeks, EagleNET will be getting a new, more modern look. Here are a few screenshots to give you an idea of what to expect. Before I begin I’m invoking the standard disclaimer: the final results may differ slightly that the screenshots below (click the images for a larger view).

The main menu has similar choices as before. Instead of tabs, there are large headings. If you have more headings than can fit on the page, you can use the arrows to slide them over.

Clicking one of the menu main items will present the standard items for that functional area. If the link that you click on is a sub menu, the items will fill in below the current menu.

If you want to get somewhere in a hurry, you have two options. The first is to use the pull down navigation. Click the Browse button and drill down into the page you want.

The second option is just under the Sign Out link; the search box. As you start typing in the page name you want to go to, matching results will be displayed. You can then click on the page that you want to jump right there.

Here’s an example of a functional page. This is the Time Sheet Entry that employees are accustomed to.

Functionally, all of the functional pages work the same as they did before.

I hope you’ll agree that the new changes to EagleNET’s look are positive ones. Let us know what you think in the comments section.

Getting Your App In On the SSO Fun

Looking to get in on the Eastern SSO fun with your web application? Check out my page on how to do it.

Using Powershell to Separate a WMP Playlist

I wanted to “export” the music from one of my Windows Media Player playlist to a standalone folder. My music is all organized into a hierarchy of folders so grabbing the various .mp3 and .wma would be labor intensive. So being the nerd that I am, I wrote a quick PowerShell script to copy the various songs to a specific folder. It’s not fancy, but it totally does the job.

cd C:\Users\John\Music\Playlists
[xml] $playlist = get-content "C:\Users\John\Music\Playlists\Intro.wpl"
 foreach ($song in $playlist.smil.body.seq.media) {
 write-host $song.src
 copy $song.src c:\music\intro
 }

WordPress Dual Auth Test

This is a quick test to see if my new plug-in for WordPress that uses CAS for browser based authentication and LDAP for api based authentication works.

I’m now editing this post with a different api-based tool.

Using a Database Stored Procedure to Authenticate CAS users

Ja-sig’s Central Authentication Service (CAS) supports multiple authentication sources, including using 3 database authentication types. They are:

  • BindModeSearchDatabaseAuthenticationHandler which uses the RDBMS’s user security to authenticate users. If CAS can connect to the database with the user’s username and password the credentials are considered legitimate.
  • QueryDatabaseAuthenticationHandler which passes the username into a specified query that returns the password. If the returned password matches that which was specified by the user the credentials are considered legitimate.
  • SearchModeSearchDatabaseAuthenticationHandler which queries a given table for a given username column and a given password column with the username and password provided by the user. If a record is return the user is considered legitimage.

I have a fourth scenerio which doesn’t lend itself to any of these solutions. I’d like to pass the username and password into a stored procedure and allow it to determine if the credentials are legitimate. This has some advantages like being able to directly record when the last successful or failed authentication was. I also have a future project of developing a solution to allow CAS to use one-time passwords (OTP), where the user could print out a list of 5 or 10 passwords that can be used to log in exactly one time. After being used, the user scratches that password off the list. This becomes very easy if a stored procedure is being used to provide the validation logic.

The solution I’ve developed is the StoredProcedureDatabaseAuthenticationHandler. It’s design has been mirrored after the other database handlers, and it’s derived from the same base class. It has 5 parameters:

  • dataSource (inherited) – review the CAS JDBC Authnetication page for details (required).
  • procedureName – the name of the stored procedure being called (required).
  • usernameParameterName – the name of the SP’s username parameter (required).
  • passwordParameterName – the name of the SP’s password parameter (required).
  • successReturnValue – the value that is returned in the SP’s resultset (1st column/1st row) upon successful validation (required).

After extracting the files and adding them to your build, you’ll want to add the following code to the authenticationHandler list in the the deployerConfigContext.xml file. Something similar to:

<bean class="org.jasig.cas.adaptors.jdbc.StoredProcedureDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource" />
  <property name="procedureName" value="p_validatePassword" />
  <property name="usernameParameterName" value="Username" />
  <property name="passwordParameterName" value="Password" />
  <property name="successReturnValue" value="yes" />
</bean>

You’ll also want to add the following snippet to your Maven POM file so that appropriate dependencies exist for building and running the unit test:

  <dependency>
          <groupId>org.jasig.cas</groupId>
          <artifactId>cas-server-support-jdbc</artifactId>
          <version>${cas.version}</version>
          <scope>compile</scope>
  </dependency>
  <dependency>
          <groupId>junit</groupId>
          <artifactId>junit</artifactId>
          <version>4.8.1</version>
          <scope>test</scope>
  </dependency>
  <dependency>
          <groupId>org.hsqldb</groupId>
          <artifactId>hsqldb</artifactId>
          <version>2.2.4</version>
          <scope>test</scope>
  </dependency>

You will likely need to add additional dependencies to get database connectivity working, but the CAS User’s Manual/Wiki has all of the necessary information.

StoredProcedureDatabaseAuthenticationHandler has been tested against Microsoft SQL Server and HyperSQL (hsqldb). In fact, the unit test that I developed are against HyperSQL 2.2.4. Please let me know if you have success with other database platforms.

My long term plan for this project is to submit it to Ja-sig for inclusion in the core/jdbc CAS framework. That way others get to benefit from it, and I don’t have to be solely responsible to maintain it.

In the same bundle, I’ve included the StoredFunctionDatabaseAuthenticationHandler class. Using Spring to connect to a Stored Procedure is nearly identical to connecting to a User-Defined Function/Stored Function. However I could never get it to work with hsqldb for unit testing as HyperSQL reports that only one parameter is being passed. My guess is that there is a bad interaction between Spring and HyperSQL as HyperSQL isn’t natively support by the Spring Framework. It does, however, work when connecting to Microsoft SQL Server, so I’m publishing the StoredFunctionDatabaseAuthenticationHandler code as well. The only real difference in use is the class name and one of the parameter name of procedureName becomes functionName:

<bean class="org.jasig.cas.adaptors.jdbc.StoredFunctionDatabaseAuthenticationHandler">
  <property name="dataSource" ref="dataSource"/>
  <property name="functionName" value="f_validatePassword" />
  <property name="usernameParameterName" value="Username" />
  <property name="passwordParameterName" value="Password" />
  <property name="successReturnValue" value="yes" />
</bean>

Attachment: ExtraCasJdbcAuthHandlers.zip

John Gasper is powered by WordPress Services at Eastern Washington University.
Please read the EWU Wordpress Policies and Terms of Use. Questions & comments? Contact the EWU Wordpress Team.
The materials hosted by EWU WordPress Services are not endorsed, sponsored, provided by, or on behalf of Eastern Washington University.