Tongue twisters: eastern.ewu.edu & ewu.edu

I don’t know how many times I’ve been working with someone and while giving them the server’s full host name, I stumble over the phrase “.eastern.ewu.edu”. So, I’ve coined the term: “dot triple e”. Isn’t that so much easier to say than “.eastern.ewu.edu”? I think so as has most others that I shared my idea with.

But, why stop there? Is pronouncing “.ewu.edu” any better? (Try saying that 10 times fast.) Most of the time I hear it pronounced it gets mumbled through because its so hard to say. There are just too many oo’s and e sounds. We all know what the other person is trying to say, but we sound dumb doing it. Well, no longer… along with introducing “dot triple E”, I give you “dot double E”.

Paul Klinger has taken it one step further. Let’s short-hand the typing as well as the pronunciation:
.eastern.ewu.edu = .E³ (or  .3E is acceptable for the ASCII code impaired*)
.ewu.edu = .E² (.2E is acceptable for the ASCII code impaired*)

Thanks to the good thinking of Brian McCracken, the standard has also been amended to include: pronouncing the “dot” in either case is also optional. For example, “access double e”. I personally like the “dot”, but if you want to really streamline… here you go.

Perhaps you won’t choose to use these new terms, but now you’ll understand those that do.

* the squared symbol (²) can be generated by holding down the ALT key while typing “0178″ (without the double quotes), then releasing the ALT key. The cubed symbol (³) using “0179″.

 

ADFS v2.0 certificate bug

Over the past week or so I’ve been working to federate EWU with InCommon®. Most schools use Shibboleth®, but we already have Active Directory Federation Service (ADFS) in use here, so I’ve undertaken the challenge to use ADFS.

InCommon has a test service provider that I should be able to sign into if everything is configured properly. However when I connect I get a response that the “X509SerialNumber must have TextContent.” After digging through the saml responses to several other service providers, I found that many of the self-signed certs used by some of the SPs have a serial number of zero (0). When ADFS signs/encrypts the saml response, it does not return the serialNumber of the cert used, but instead returns an empty serialNumber xml element. (<serialNumber />). Shibboleth does not like that at all.

Now it is time to dig through the xml signing/encryption specs to determine who is right and who is wrong. Then go through the process of notifying the losing “vendor”. My gut says that I’ll probably be standing up a Shibboleth server by the time everything is said and done.

 

Oracle’s All, Any, and Some Operators

Once in a blue moon I see these Oracle SQL operators in code somewhere: ALL, ANY, and SOME. Their use is pretty obscure.  The Oracle Performance Tuning Guide and Reference (http://docs.oracle.com/cd/B10500_01/server.920/a96533/opt_ops.htm#1005317) breaks down what is going on with them behind the scenes.

How the CBO Evaluates the ANY or SOME Operator

The optimizer expands a condition that uses the ANY or SOME comparison operator followed by a parenthesized list of values into an equivalent condition that uses equality comparison operators and OR logical operators.

In the following example, the optimizer expands the first condition into the second:

salary > ANY (:first_sal, :second_sal)

is transformed into

salary > :first_sal OR salary > :second_sal

The optimizer transforms a condition that uses the ANY or SOME operator followed by a subquery into a condition containing the EXISTS operator and a correlated subquery.

In the following example, the optimizer transforms the first condition into the second:

x > ANY (SELECT salary
FROM employees
WHERE job_id = ‘IT_PROG’)

is transformed into

EXISTS (SELECT salary
FROM employees
WHERE job_id = ‘IT_PROG’
AND x > salary)

How the CBO Evaluates the ALL Operator

The optimizer expands a condition that uses the ALL comparison operator followed by a parenthesized list of values into an equivalent condition that uses equality comparison operators and AND logical operators.

In the following example, the optimizer expands the first condition into the second:

salary > ALL (:first_sal, :second_sal)

is transformed into

salary > :first_sal AND salary > :second_sal

The optimizer transforms a condition that uses the ALL comparison operator followed by a subquery into an equivalent condition that uses the ANY comparison operator and a complementary comparison operator. In the following example, the optimizer transforms the first condition into the second:

x > ALL (SELECT salary
FROM employees
WHERE department_id = 50)

is transformed into

NOT (x <= ANY (SELECT salary
FROM employees
WHERE department_id = 50) )

The optimizer then further transforms the second query into the following query using the rule for transforming conditions with the ANY comparison operator, followed by a correlated subquery:

NOT EXISTS (SELECT salary
FROM employees
WHERE department_id = 50
AND x <= salary)

CASifying AiM™

CASifying the AssetWORKS AiM application for use with SSO was extremely straight forward. AiM uses getRemoteUser() and thus it follows the standard setup using the JA-SIG CAS Client for Java.

The only gotcha we found is that AiM doesn’t do any initial authorization checking so the main page comes up for all users, not just those in the AiM database. We had to assign some reports to specific groups so that they didn’t show to the un-authorized users, but that was it. Everything else that they could see wasn’t an issue.  At some point we’ll probably add a custom filter than will provision users as their is a desire to put surveys for the campus community online.

Instructions

  1. Open the web.xml file for editing:
  2. Find the Filter with filter-name equal to “Form Based Authentication Filter”
  3. Paste the following fragment BEFORE this filter block.:
  4. <!-- CAS Filters Start -->
    <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://login.ewu.edu/cas/login</param-value>
    </init-param>
    <init-param>
    <param-name>serverName</param-name>
    <param-value>http://it-aimtest.eastern.ewu.edu:8080</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <servlet-name>Screen Servlet</servlet-name>
    </filter-mapping>
    <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://login.ewu.edu/cas</param-value>
    </init-param>
    <init-param>
    <param-name>serverName</param-name>
    <param-value>http://it-aimtest.eastern.ewu.edu:8080</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <servlet-name>Screen Servlet</servlet-name>
    </filter-mapping>
    <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <servlet-name>Screen Servlet</servlet-name>
    </filter-mapping>
    <!-- CAS Filters End -->
  5. Find “<servlet-class>com.maximus.fmax.common.framework.view.webapp.LoginServlet</servlet-class>”
  6. Replace the line with: “<jsp-file>/common/caslogout.jsp</jsp-file>”, so that
  7. <!-- Pre-CAS
    <servlet>
    <servlet-name>Login Servlet</servlet-name>
    <servlet-class>com.maximus.fmax.common.framework.view.webapp.LoginServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    now looks like:-->
    <servlet>
    <servlet-name>Login Servlet</servlet-name>
    <jsp-file>/common/caslogout.jsp</jsp-file>
    <load-on-startup>1</load-on-startup>
    </servlet>
  8. Save the file.
  9. Copy cas-client-core-3.2.0.jar to {web-app-root}\WEB-INF\lib
  10. caslogout.jsp to {web-app-root}\common (not {web-app-root}\WEB-INF\common)
  11. Restart Tomcat.

Note: caslogout.jsp calls response.sendRedirect(“https://login.ewu.edu/”); and routes the user to CAS server giving them the option to logout of SSO.