sharon "syber" beynon: enterprise java, security, IDM developer

Fun with OAM 11g SDK

2012-01-15T14:17:00.001-05:00

OAM 11g was a step backward from 10g, but slowly - as of .5 - it's becoming usable again. Bringing back custom authentication plugins and schemes was vital, and then there's the topic of this post, the indispensable; AccessServerSDK.

I am still not pleased - Certain things are still missing, like the "originally requested URL" - making it impossible to do something like, allow a user to self-register and return to their original destination. I read that Oracle are working on the request, but who knows how long it will take with all the legitimate bugs out there.

OFM OAM SDK 11g

The 11g SDK is a simple Java API. Download and extract "ofm_oam_sdk_generic_11.1.1.5.0_disk1_1of1.zip" - no installer necessary. Sort of.

To get started, create a 10g gate in the OAM console, and copy the generated ObAccessClient.xml to your "AccessServerSDK" home folder within the subfolders: oblix\lib. For example, on my workstation, I created "C:\Oracle\asdk\oblix\lib".

From that point, you can copy the AccessServerSDK directory ("C:\Oracle\asdk") to setup multiple clients on developer or test machines, no worries, as long as the path is the same for everyone.

Add your oam-sdk jar to the project classpath - that's it. See Oracle API for a basic example or keep reading.

The fun part is using the SDK to authenticate a user for a valid SSO session they can take with them. I will get to that in a second, let's show the basic concept first.

Basic OAM SDK client class

Let's start with logging in with a basic OAM SDK client. To run this test, update: configLocation, login, password, resource for your environment.

You can use any http resource already protected in OAM, or create a new one with any FORM type Authentication Scheme.

The resource format is : "//HostnameFromHostIdentifier:80/ResourcePath"

In my environment, I need the code to work on Windows or Unix, so there are two configLocation values - use is determined by the java System Property for OS.

import java.util.Hashtable;

import oracle.security.am.asdk.AccessClient;
import oracle.security.am.asdk.AccessException;
import oracle.security.am.asdk.AuthenticationScheme;
import oracle.security.am.asdk.ResourceRequest;
import oracle.security.am.asdk.UserSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * To generate the Access SDK log, you must provide a logging configuration file
 * when you start the application. e.g.
* java -Djava.util.logging.config.file=JRE_DIRECTORY/lib/logging.properties
 */
public class Simple10gClient {
  protected static final Logger log = LoggerFactory.getLogger(Simple10gClient.class);

  // assume all resources are http GETs
  public static final String res_type = "http";
  public static final String ms_method = "GET";

  // Using standard location for SDK; will choose based on OS.
  public static String configLocation = "/Oracle/Middleware/asdk";
  public static String winConfigLocation = "C:/Oracle/asdk";
  private static AccessClient ac;

  private Simple10gClient() {}

  // simple test 
  public static void main(String argv[]) {
    String anonResource = "//AccessServerSDK_HostID:443/ResourceProtectedWithNoPasswordScheme";
    String login = "testuser1";
    String password = null;

    try {
      String sId = Simple10gClient.authenticate(anonResource, login, password);

      Simple10gClient.isLoggedIn(sId);

      Simple10gClient.shutdown();
      
    } catch (Exception e) {
      e.printStackTrace();
    }
  }

  @SuppressWarnings("rawtypes")
  private static void setupAccessClient() {
    try {
      String os = System.getProperty("os.name").toLowerCase();
      if (os.indexOf("win") > -1) {
        configLocation = winConfigLocation;
      }
      // "C:/Oracle/asdk/oblix/lib/ObAccessClient.xml" must exist/be valid:
      log.info("getAccessClient() config:" + configLocation );
      ac = AccessClient.createDefaultInstance(configLocation , AccessClient.CompatibilityMode.OAM_10G);
      log.info("Nap:" + AccessClient.getNAPVersion() + " SDK:" + AccessClient.getSDKVersion());
      Hashtable diagnostic = ac.getServerDiagnosticInfo();
      for (Object key : diagnostic.keySet()) {
        log.info("Server Diagnostic " + key + "==" + diagnostic.get(key));
      }
      diagnostic = ac.getClientDiagnosticInfo();
      for (Object key : diagnostic.keySet()) {
        log.info("Client Diagnostic " + key + "==" + diagnostic.get(key));
      }

    } catch (AccessException ae) {
      if (ae.getMessage().indexOf("OAMAGENT-02055") > -1) {
        log.error("AccessServerSDK - is this agent webgate configured? " + ae);
      } else {
        log.error("Access Exception: " + ae.getMessage(), ae);
      }
    }
  }

  public static String authenticate(String resource, String login, String pw) {
    log.debug("authenticate() user=" + login + " res:" + res_type + " " + resource);
    try {
      if (ac == null || !ac.isInitialized()) {
        setupAccessClient();
      }
      ResourceRequest rrq = new ResourceRequest(res_type, resource, ms_method);
      if (rrq.isProtected()) {
        log.info("Resource is protected: " + resource);
        AuthenticationScheme authnScheme = new AuthenticationScheme(rrq);
        if (authnScheme.isForm()) {
          log.info("Form Authentication Scheme: " + authnScheme.getName());
          Hashtable creds = new Hashtable();
          // to know credential key names, either you write the AuthN scheme yourself
          // or go with the Oracle example.
          creds.put("userid", login);
          if (pw != null && pw.length() > 0)
            creds.put("password", pw);
          UserSession session = new UserSession(rrq, creds);
          if (session.getStatus() == UserSession.LOGGEDIN) {
            if (session.isAuthorized(rrq)) {
              log.info("User is logged in and authorized, level " + session.getLevel());
            } else {
              log.info("User is logged in but NOT authorized");
            }
            log.info("User sessionToken:" + session.getSessionToken());
            return session.getSessionToken();
          } else {
            log.warn("User is NOT logged in");
            return null;
          }
        } else {
          log.warn("non-Form Authentication Scheme.");
        }
      } else {
        log.warn("Resource is NOT protected.");
      }
    } catch (AccessException ae) {
      log.error("authenticate() Access Exception: " + ae.getMessage());
    }
    return null;
  }

  public static void logout(String sessionId) {
    try {
      if (ac == null || !ac.isInitialized()) {
        setupAccessClient();
      }
      oracle.security.am.asdk.UserSession session = new UserSession(ac, sessionId);
      log.info("is logout required? " + session);
      if (session.getStatus() == 1)
        session.logoff();
    } catch (Exception ae) {
      log.error("logout() Access Exception: " + ae.getMessage(), ae);
    }
  }

  /**
   * @param sessionId
   */
  public static boolean isLoggedIn(String sessionId) {
    // 0 for AWAITINGLOGIN
    // 1 for LOGGEDIN
    // 2 for LOGGEDOUT
    // 3 for LOGINFAILED
    // 4 for EXPIRED
    try {
      if (ac == null || !ac.isInitialized()) {
        setupAccessClient();
      }
      oracle.security.am.asdk.UserSession session = new UserSession(ac, sessionId);
      log.info("isLoggedIn  startTime:" + session.getStartTime() + " status:" + session.getStatus());
      java.util.Date since = new java.util.Date(session.getStartTime());
      log.debug("since? " + since);
      return session.getStatus() == 1;
    } catch (Exception ae) {
      log.error("isLoggedIn() Access Exception: " + ae.getMessage(), ae);
    }
    return false;
  }

  public static void shutdown() {
    try {
      if (ac != null)
        ac.shutdown();
    } catch (Exception e) {
      log.warn("AccessServerSDK shutdown error " + e);
    }
  }
}

Right click and Run in eclipse, and you should see something like:

- authenticate() user=testuser1 resource:http //AccessServerSDK_HostID:443/ResourceProtectedWithNoPasswordScheme
- getAccessClient() config:C:/Oracle/asdk
- Nap:3 SDK:OAMAccessSDK_Ver_11.1.1.5
- Server Diagnostic oamserverhostname5575=={}
- Client Diagnostic oamserverhostname5575=={host=oamserverhostname, port=5575, priority=1, createtime=1326647958849}
- Resource is protected.
- Form Authentication Scheme.
- User is logged in and authorized for the request at level 3
- User sessionToken:LEHZ+zmSIZiamCTmHNQh9S+4JH0R8AvJ0eVwLPkUwmZArWb9qOg
KHYtEKrNTYHmEjt/UcqfFQ3Bq+mWud7APd0lqZlf31IigqrUAKJn7wRbRHanIpIQ1ygj64s
FjCoP6CwSTvSGeLY6gv49okJCM/2QivVqWb2Ce1Xwru89Vs/ZaE7YVXfjS8DnWwPBqYR8kQ
ONN348NI2cRMSMbryhG4neWah7rSFtJDH/gwAU55xwpE4SCcfTsXor8Qm7Ag==

Using the OAM SDK to authenticate a web client

My next step is wildly insecure, but a good shortcut for this example. Using the session ID generated with the SDK login, construct a valid SSO cookie and send the user on their merry authenticated way.

First, in the OAM console: Create a resource for your AccessServerSDK host, path "ResourceProtectedWithNoPasswordScheme" and add a "No Password Authentication Scheme" to it. I created my own AuthN scheme, setting the level to 3 - because I needed to match the authentication level of the forwarding online resource.

Create a LogMeIn servlet class taking a request parameter for login ID, and log the user in with a request parameter (see what I mean about being wildly insecure!):

String login = request.getParameter("login");
  String anonResource = "//AccessServerSDK_HostID:443/ResourceProtectedWithNoPasswordScheme";

      try {
        String sessId = Simple10gClient.authenticate(anonResource, login, null);
        log.info("Anon authenticate sessId:" + sessId);

        // using the Session ID, create a ObSSOCookie and give it to the user
        if (sessId != null) {
          Cookie obCookie = new Cookie("ObSSOCookie", sessId);
          obCookie.setDomain(".domain.com");
          // obCookie.setHttpOnly(true); -- not sure why Weblogic 10.3.5 wasn't able to find this method
          obCookie.setPath("/");
          response.addCookie(obCookie);

          // now send a response.redirect to a level 3 protected resource, user is logged in

        }
      } catch (Exception e) {
        response.getOutputStream().print("Exception " + e);
        log.error("logmein failed", e);
      }

Deloying on the OIM/OAM WLS Domain

There was a bit of a gotcha using this sdk jar on the same domain as OIM/OAM - class/jar conflicts. Easily solved by adding a weblogic.xml to the war WEB-INF, requesting that weblogic look at the web libraries only.

  <wls:container-descriptor>
    <wls:prefer-application-packages>
 <!-- add package names from the Oracle Access Server SDK -->
 <wls:package-name>com.oblix.*</wls:package-name>
 <wls:package-name>oracle.security.am.*</wls:package-name>
    </wls:prefer-application-packages>
  </wls:container-descriptor>

The end result of this is that you now can authenticate with standard username / password, check if the value of an ObSSOCookie is a valid session token, and generate for the end-user a valid SSO token to continue their with session on other OAM protected resources.

Spring Security with SSO Headers - integrating with OAM WebGate

2011-12-30T14:47:00.001-05:00

How to integrate java web applications with SSO? Usually a simple J2EE filter looking for the correct header name can suffice, however, if you want to take advantage of Spring Security you need to set it up with a "PreAuthentication" filter. This states that spring is not performing authentication, it's already done.

This solution may be overkill, but it provides more control/log info, and the ability to test outside of the SSO environment without implementing alternate authentication providers (although it would also be possible to have a form/database authentication fallback as well).

My environment: J2ee (any app server) fronted by a Oracle Access WebGate protected web server.

Spring Security 2.5+ (tested with 3.0.5)

What I need: Convert Request Headers OAM_REMOTE_USER and ROLES to map to an authenticated principal.

Making it usable: Allow a fallback security configuration for local testing.

Step 1. PreAuthentication Config

There are two custom beans in this file "HeaderAuthenticationFilter" and "HeaderAuthenticationDetails" and three configuration properties:

security.principal.header.name=OAM_REMOTE_USER
security.roles.header.name=ROLES
security.test.principal=no_header_in_test_mode

applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
  xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd"
  default-lazy-init="true">

  <bean
    class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

  <!-- this bean name must match the filter name defined in security.xml below -->
  <bean id="ssoHeaderFilter"
    class="com.sharnibey.sample.security.HeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="${security.principal.header.name}" />
    
    <!-- fall back to other authentication providers is OAM SSO is not there -->
    <property name="exceptionIfHeaderMissing" value="false" />
    <!-- hard code a testUserId for local tests -->
    <property name="testUserId" value="${security.test.principal}" />

    <property name="authenticationManager" ref="authenticationManager" />

    <property name="authenticationDetailsSource">
      <bean class="com.sharnibey.sample.security.HeaderAuthenticationDetails">
        <!-- look for the request header set by the webgate and map to local 
          roles -->
        <property name="roleHeaderName" value="${security.roles.header.name}" />
        <property name="userRoles2GrantedAuthoritiesMapper">
          <bean
            class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
            <property name="convertAttributeToUpperCase" value="true" />
          </bean>
        </property>
        <!-- setup a testing role if not deployed with a webgate - this only 
          applies if ENV_NAME != uat/prod -->
        <property name="testingRoles">
          <set>
            <value>USER</value>
          </set>
        </property>        
        <!-- all available roles for this application -->
        <property name="allRoles">
          <set>
            <value>USER</value>
            <value>ADMIN</value>
          </set>
        </property>
      </bean>
    </property>
  </bean>
  <bean id="preauthAuthProvider"
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
  </bean>
  <!-- magically map the user header to a valid user object -->
  <bean id="preAuthenticatedUserDetailsService"
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

  <bean id="securityContextHolderAwareRequestFilter"
    class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />
</beans>

PreAuthentication Code

public class HeaderAuthenticationFilter 
    extends AbstractPreAuthenticatedProcessingFilter {
  protected final Logger log = LoggerFactory.getLogger(HeaderAuthenticationFilter.class);
  private String principalRequestHeader = "OAM_REMOTE_USER";
  /**
   * Configure a value in the applicationContext-security for local tests.
   */
  private String testUserId = null;
  /**
   * Configure whether a missing SSO header is an exception.
   */
  private boolean exceptionIfHeaderMissing = false;

  /**
   * Read and return header named by principalRequestHeader from Request
   * 
   * @throws PreAuthenticatedCredentialsNotFoundException
   *             if the header is missing and
   *             exceptionIfHeaderMissing is set to true.
   */
  protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
    String principal = request.getHeader(principalRequestHeader);

    if (principal == null) {
      if (exceptionIfHeaderMissing) {
        throw new PreAuthenticatedCredentialsNotFoundException(principalRequestHeader
            + " header not found in request.");
      } if (StringUtils.isNotBlank(testUserId)) {
          log.warn("spring configuration has a test user id " + testUserId);
          principal = testUserId;
      } else if (request.getSession().getAttribute("session_user") != null) {
// A bit of a hack for testers - allow the principal to be 
// obtained by session. Must be set by a page with no security filters enabled.
// should remove for production.
        principal = (String) request.getSession().getAttribute("session_user");
      }
    }
    // also set it into the session, sometimes that's easier for jsp/faces
    // to get at..
    request.getSession().setAttribute("session_user", principal);
    return principal;
  }

  /**
   * Credentials aren't applicable here for OAM WebGate SSO.
   */
  protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
    return "password_not_applicable";
  }

  public void setPrincipalRequestHeader(String principalRequestHeader) {
    Assert.hasText(principalRequestHeader, "principalRequestHeader must not be empty or null");
    this.principalRequestHeader = principalRequestHeader;
  }

  public void setTestUserId(String testId) {
    if (StringUtils.isNotBlank(testId)) {
      this.testUserId = testId;
    }
  }

  /**
   * Exception if the principal header is missing. Default false
   * @param exceptionIfHeaderMissing
   */
  public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing) {
    this.exceptionIfHeaderMissing = exceptionIfHeaderMissing;
  }

  public void setAuthenticationDetailsSource(AuthenticationDetailsSource source) {
    log.info("testing authenticationDetailsSource set " + source);
    super.setAuthenticationDetailsSource(source);
  }
}

public class HeaderAuthenticationDetails extends AuthenticationDetailsSourceImpl {
  protected final Logger log = LoggerFactory.getLogger(HeaderAuthenticationDetails.class);

  /**
   * Can be setup in applicationContext-security if the ROLES header value is
   * not found.
   */
  private Set testingRoles = new HashSet();

  /**
   * Security principal will only contain roles from "allRoles" - letting us
   * cut down the irrelevant values setup by the webgate SSO header.
   */
  protected Set allRoles = new HashSet();

  /**
   * setup in applicationContext-security
   */
  private String roleHeaderName = "ROLES";

  protected Attributes2GrantedAuthoritiesMapper grantedAuthoritiesMapper 
    = new SimpleAttributes2GrantedAuthoritiesMapper();

  public HeaderAuthenticationDetails() {
    super.setClazz(PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails.class);
  }

  /**
   * Build the authentication details object. If the specified authentication
   * details class implements {@link MutableGrantedAuthoritiesContainer}, a
   * list of pre-authenticated Granted Authorities will be set based on the
   * roles for the current user.
   */
  public Object buildDetails(Object context) {
    Object result = super.buildDetails(context);
    List userGas = new ArrayList();
    if (result instanceof MutableGrantedAuthoritiesContainer) {
      Collection userRoles = getUserRoles(context, allRoles);
      userGas = grantedAuthoritiesMapper.getGrantedAuthorities(userRoles);
      ((MutableGrantedAuthoritiesContainer) result).setGrantedAuthorities(userGas);
    }
    return result;
  }

  /**
   * Allows the roles of the current user to be determined from the context
   * object
   * 
   * @param context
   *            the context object (HttpRequest, PortletRequest etc)
   * @param mappableRoles
   *            the possible roles determined by the
   *            MappableAttributesRetriever
   * @return Collection subset of mappable roles current user has.
   */
  protected Collection getUserRoles(Object context, Set mappableRoles) {
    ArrayList requestRoles = new ArrayList();
    if (((HttpServletRequest) context).getHeader(roleHeaderName) != null) {
      String[] roles = ((HttpServletRequest) context).getHeader(roleHeaderName).split(",");
      for (int i = 0; i < roles.length; i++) {
        if (mappableRoles.contains(roles[i])) {
          requestRoles.add(roles[i]);
        }
      }
    } else if ( testingRoles != null) {
      log.warn("Failed to retrieve Roles from Header, for debug purposes set to testingRole");
      requestRoles.addAll(testingRoles);
    } else {
      log.warn("Failed to retrieve Roles from Header, setup as 'user' role.");
      requestRoles.add("USER");
    }
    // add them to the session for convenience
    ((HttpServletRequest) context).getSession().setAttribute(RequestUtil.SESSION_ROLE_KEY, requestRoles);
    return requestRoles;
  }

  /**
   * @param mapper
   *            The Attributes2GrantedAuthoritiesMapper to use
   */
  public void setUserRoles2GrantedAuthoritiesMapper(Attributes2GrantedAuthoritiesMapper mapper) {
    grantedAuthoritiesMapper = mapper;
  }

  /**
   * All available roles for this application
   * 
   * @param allRoles
   */
  public void setAllRoles(Set allRoles) {
    this.allRoles = allRoles;
  }
  /**
   * @param roleHeaderName
   */
  public void setRoleHeaderName(String roleHeaderName) {
    this.roleHeaderName = roleHeaderName;
  }
  /**
   * @param testingRole
   */
  public void setTestingRoles(Set testingRole) {
    this.testingRoles = testingRole;
  }
}

web.xml updates

These snippets will look familiar if you've ever used spring security; define the filter, map to all resources. Spring contextConfiguration locations should have your resource properties loaded first, then security config, and everything else.

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value> 
 classpath:/ctx/applicationContext-resources.xml 
 classpath:/ctx/applicationContext-security.xml 
 /WEB-INF/security.xml
 /WEB-INF/applicationContext*.xml
    </param-value>
  </context-param>

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Final Step - Setup Spring Security

security.xml is application specific, but my sample application is based on appfuse - JSF version - so it should cover most example uses.

The intercept-url element defines the roles or authentication states that are required to access a URL path. Roles should be comma-delimited.

To restrict pages by user type instead of user role the following values can be used:
IS_AUTHENTICATED_ANONYMOUSLY - Allow access to any user.
IS_AUTHENTICATED_REMEMBERED - Allow access to logged-in users or users with a "remember me" cookie.
IS_AUTHENTICATED_FULLY - Allow access to logged-in users.

To remove all Spring Security processing from a page use the filters="none" attribute.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

 <http auto-config="true" lowercase-comparisons="false">
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/styles/**" filters="none" />
  <intercept-url pattern="/scripts/**" filters="none" />
  <intercept-url pattern="/javax.faces.resource/**"
   filters="none" />

  <!-- direct xhtml access disallowed -->
  <intercept-url pattern="/**/*.xhtml" access="ROLE_NOBODY" />

  <!-- local authentication is unused, but this is how it's configured -->
  <intercept-url pattern="/j_security*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <intercept-url pattern="/a4j.res/**"
   access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER" />
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
  <intercept-url pattern="/user/**" access="ROLE_ADMIN,ROLE_USER" />

  <!-- show request headers and session variables for any user -->
  <intercept-url pattern="/env.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <!-- matches the bean name for HeaderAuthenticationFilter class above -->
  <custom-filter position="PRE_AUTH_FILTER" ref="ssoHeaderFilter" />

  <form-login login-page="/login" authentication-failure-url="/login?error=true"
   login-processing-url="/j_security_check" always-use-default-target="true"
   default-target-url="/" />
 </http>

 <authentication-manager alias="authenticationManager">
  <authentication-provider ref="preauthAuthProvider" />

  <!-- this is an example of alternate user authentication providers, although 
   we only have the PRE_AUTH_FILTER defined above, so it isn't used. -->
  <authentication-provider>
   <user-service>
    <user authorities="ROLE_USER" name="guest" password="guest" />
   </user-service>
  </authentication-provider>
 </authentication-manager>
</beans:beans>

If you read this far, and you want a Ready-To-Go example of how all this fits together, leave a comment and I will upload a full-source war to a temporary share site. Please don't put your email in the comments.

OIM Recon LDAP - adding fields

2011-12-30T12:07:00.003-05:00

First, grab your metadata from MDS: MW_HOME/Oracle_IDM[1,2]/server/bin/

Setup weblogic.properties


wls_servername=oim_server1
application_name=oim
metadata_from_loca=/data/temp
metadata_to_loca=/data/temp
metadata_files=/db/LDAPUser,/db/RA_LDAPUSER.xml,/metadata/iam-features-ldap-sync/LDAPUser.xml

weblogicExportMetadata.sh/bat (connect as weblogic to the AdminServer e.g. t3://localhost:7001)

OIM Default/Existing Field Example

TO show you the fields that are required for update, here's a generic example to describe the LDAP/recon process for the OIM Role (user type) field to the LDAP attribute employeetype:

metadata/db/LDAPUser: Attribute appears twice, under "reconFields" and reconToOIMMappings:

reconFields

<reconAttr>
<oimFormDeescriptiveName>Role</oimFormDescriptiveName> (Attribute Name from OIM user attribute config)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">employeetype</reconFieldName>
<reconColName>RECON_USR_EMP_TYPE</reconColName>
<emDataType>string</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_emp_type"/> (name of field in USR table)
</reconAttr>

reconToOIMMappings

<reconAttr>
<oimFormDescriptiveName>Role</oimFormDescriptiveName> (Attribute Name from OIM user attribute config)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">employeetype</reconFieldName> (LDAPUser.xml fieldname)
<reconColName>RECON_USR_EMP_TYPE</reconColName>
<emDataType>string</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_emp_type"> (name of field in USR table)
<Transformation name="OneToOne">
<Parameter name="employeetype" fieldname="employeetype"/> (name of field in OVD)
</Transformation>
</targetattr>
</reconAttr>

/metadata/dbRA_LDAPUSer.xml: Attribute and recon field defined, under "entity-attributes" and "target-fields":

entity-attributes

<attribute name="Role"> (Attribute Name from OIM user attribute config)
<type>string</type>
<required>false</required>
<searchable>true</searchable>
<MLS>false</MLS>
<attribute-group>Basic</attribute-group>
<metadata-attachment/>
</attribute>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>RECON_USR_EMP_TYPE</target-field>
</attribute-map>

target-fields

<field name="RECON_USR_EMP_TYPE">
<type>string</type>
<required>false</required>
</field>

/metadata/iam-features-ldap-sync/LDAPUser.xml: Mapping is defined, under "entity-attributes", "target-fields" and "attribute-maps"

<attribute name="Role">
<type>string</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<field name="employeeType">
<type>string</type>
<required>false</required>
</field>
<attribute-map>
<entity-attribute>Role</entity-attribute>
<target-field>employeeType</target-field>
</attribute-map>

Now a real example - Adding Lock Fields

The problem with a fully integrated OIM/OAM/Ldap Sync/OVD 11g is that it's broken.

Users lock themselves through OAM webgate login, correctly setting the oblockouttime - but OIM knows nothing about it. I have no idea how to get a unix-style epoch time (oblockouttime) through the reconcile process to OIM - if anyone knows how to convert to a date type, that would be awesome?

Oracle SR response not forthcoming (after several weeks), we looked for alternatives. Found an OVD field which was set during lockout: pwdaccountlockedtime.

First OVD must know about the target LDAP attribute. OAM schema (ob* attributes) should have been loaded to OVD, this is the relevant objectclass containing the OAM lockout info:

objectclasses: ( 1.3.6.1.4.1.3831.0.1.21 NAME 'oblixPersonPwdPolicy' DESC 'Oracle Access Manager defined objectclass' SUP top 
AUXILIARY MAY ( obpasswordcreationdate $ obpasswordhistory $ obpasswordchangeflag $ obpasswordexpmail $ oblockouttime $ oblogintrycount $ obfirstlogin $ obresponsetries $ oblastloginattemptdate $ oblastresponseattemptdate $ obresponsetimeout $ oblastsuccessfullogin $ oblastfailedlogin $ etc. etc. ) )

Next, to have two-way updates (LDAP back to OIM) you need a RECON field, I added these two to the RA_LDAPUSER table in the OIM database: lock date and number of failed login attempts.

describe RA_LDAPUSER 

 ... rest of the RA_LDAPUSER table above ...
RECON_ORCLUSERLOCKEDON DATE 
RECON_LOGINATTEMPTS    NUMBER(19)

LDAPUser

<reconAttr>
<oimFormDescriptiveName>Locked On</oimFormDescriptiveName> (This field must match the OIM Attribute Name - see Configuration, User Attributes to confirm)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">pwdaccountlockedtime</reconFieldName>
<reconColName>RECON_ORCLUSERLOCKEDON</reconColName>
<emDataType>date</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="Date" name="pwdaccountlockedtime"/> (This field must match your OVD or LDAP)
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>usr_login_attempts_ctr</oimFormDescriptiveName> (This field must match the OIM Attribute Name - see Configuration, User Attributes to confirm)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">oblogintrycount</reconFieldName>
<reconColName>RECON_LOGINATTEMPTS</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="oblogintrycount"/> (This field must match your OVD or LDAP)
</reconAttr>

<reconAttr>
<oimFormDescriptiveName>Locked On</oimFormDescriptiveName> (This field must match above - the OIM Attribute Name)
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">pwdaccountlockedtime</reconFieldName>
<reconColName>RECON_ORCLUSERLOCKEDON</reconColName>
<emDataType>date</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="Date" name="usr_locked_on"> (This field must match the USR table column name)
<Transformation name="OneToOne">
<Parameter name="pwdaccountlockedtime" fieldname="pwdaccountlockedtime"/>
</Transformation> (This field must match your OVD or LDAP)
</targetattr>
</reconAttr>
<reconAttr>
<oimFormDescriptiveName>usr_login_attempts_ctr</oimFormDescriptiveName>
<reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">oblogintrycount</reconFieldName>
<reconColName>RECON_LOGINATTEMPTS</reconColName>
<emDataType>number</emDataType>
<formFieldType/>
<targetattr keyfield="false" encrypted="false" required="false" type="String" name="usr_login_attempts_ctr">
<Transformation name="OneToOne">
<Parameter name="oblogintrycount" fieldname="oblogintrycount"/>
</Transformation>
</targetattr>
</reconAttr>

RA_LDAPUSER.xml

<attribute-map>
<entity-attribute>Locked On</entity-attribute>
<target-field>RECON_ORCLUSERLOCKEDON</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_login_attempts_ctr</entity-attribute>
<target-field>RECON_LOGINATTEMPTS</target-field>
</attribute-map>

<field name="RECON_ORCLUSERLOCKEDON">
<type>date</type>
<required>false</required>
</field>
<field name="RECON_LOGINATTEMPTS">
<type>number</type>
<required>false</required>
</field>

LDAPUser.xml

<attribute name="Locked On">
<type>date</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>
<attribute name="usr_login_attempts_ctr">
<type>number</type>
<required>false</required>
<attribute-group>Basic</attribute-group>
<searchable>true</searchable>
</attribute>

<field name="pwdaccountlockedtime">
<type>date</type>
<required>false</required>
</field>
<field name="oblogintrycount">
<type>number</type>
<required>false</required>
</field>

<attribute-map>
<entity-attribute>Locked On</entity-attribute>
<target-field>pwdaccountlockedtime</target-field>
</attribute-map>
<attribute-map>
<entity-attribute>usr_login_attempts_ctr</entity-attribute>
<target-field>oblogintrycount</target-field>
</attribute-map>

Re-import LDAP/Recon config

Back to the OIM_HOME server bin directory, run weblogicImportMetadata.sh/bat

Doesn't appear to need a restart, but I usually run "PurgeCache.sh All" at the same time.

Test reconciliation

Run the scheduled job; LDAP Full User Group reconcile - look to error details, fix typos and run again.

An open house at site3.ca

2011-12-22T11:25:00.002-05:00

So here's this naff video i made talking to the folks at Site 3 coLaboratory - check it out: http://site3.ca/news/how-does-it-work/

OIM 11g really delete deleted

2011-12-07T15:50:00.001-05:00

I run through a *lot* of accounts testing in OIM/OAM 11.1.1.5. Things happen, accounts get borked.

Easiest way to keep your UAT system from getting out of hand is to delete sometimes, but the Reuse ID functionality in OIM is extremely dangerous (i.e. it doesn't work).

So I suggest using this SQL to clean your deleted test accounts (this is not something I would do in production!)

delete from oud where oiu_key in (select oiu_key from oiu where usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from osi where req_key in (select req_key from req where orc_key in (select orc_key from orc where orc.usr_key in (select USR_KEY from USR where usr_status='Deleted')));
delete from osi where osi_assigned_to_usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from osh where osh_assigned_to_usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from rcd where rce_key in (select rce_key from rce,orc where rce.orc_key = orc.orc_key and orc.usr_key  in (select USR_KEY from USR where usr_status='Deleted'));
delete from rch where rce_key in (select rce_key from rce,orc where rce.orc_key = orc.orc_key and orc.usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from rcu where rce_key in (select rce_key from rce,orc where rce.orc_key = orc.orc_key and orc.usr_key  in (select USR_KEY from USR where usr_status='Deleted'));
delete from rcb where rce_key in (select rce_key from rce,orc where rce.orc_key = orc.orc_key and orc.usr_key  in (select USR_KEY from USR where usr_status='Deleted'));
delete from rce where orc_key in (select orc_key from orc where orc.usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from oio where orc_key in (select orc_key from orc where orc.usr_key  in (select USR_KEY from USR where usr_status='Deleted'));
delete from oiu where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from oti where orc_key in (select orc_key from orc where orc.usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from osi where orc_key in (select orc_key from orc where orc.usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from orc where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from upd where upp_key in (select upp_key from upp where upp.usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from upp where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from usg where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from uhd where uph_key in (select uph_key from uph where uph.usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from uph where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from pcq where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from rcu where usr_key  in (select USR_KEY from USR where usr_status='Deleted');
delete from RECON_USER_MATCH where USR_KEY in (select USR_KEY from USR where usr_status='Deleted');
delete from RECON_ROLE_MATCH where RE_KEY in (select re_key from RECON_EVENTS where usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from RECON_ROLE_MEMBER_MATCH where RE_KEY in (select re_key from RECON_EVENTS where usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from RA_LDAPROLEMEMBERSHIP where RE_KEY in (select re_key from RECON_EVENTS where usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from RECON_HISTORY where RE_KEY in (select re_key from RECON_EVENTS where usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from RA_LDAPUSER where RE_KEY in (select re_key from RECON_EVENTS where usr_key in (select USR_KEY from USR where usr_status='Deleted'));
delete from RECON_EVENTS where usr_key in (select USR_KEY from USR where usr_status='Deleted');
delete from usr where usr_key in (select USR_KEY from USR where usr_status='Deleted');

OIM 11g SPML Modify Request

2011-12-07T14:37:00.001-05:00

This post is a follow-on from my post about getting the SPML service to work security-wise.

Now we're using CXF to send a mod request - including User Defined Fields (UDF). My UDF is TermsAgreement, if you're not sure what to use, I'm not surprised.

In API code, if it's Thor API you need to use USR_UDF_ATTRIBNAME.. if it's Oracle API you need to use exactly as appears on User Configuration -> User Attributes tab; in the "Attribute Name" column.

Also verify with what's in your OIM metadata/iam-features-requestactions/model-data/ModifyUserDataset.xml - the value of what you set for AttributeReference name="YourAttributeName"

Also, it doesn't seem to love spaces.

The full source project: http://wikisend.com/download/608008/spmlclient-11.1.1.5.cxf.jar

private static final QName SERVICE_NAME = new QName("http://xmlns.oracle.com/idm/identity/webservice/SPMLService",
   "SPMLService");

 public static void main(String args[]) throws Exception {
 
  URL wsdlURL = new URL("http://localhost:14000/spml-xsd/SPMLService?wsdl");
  // URL wsdlURL = SPMLService.WSDL_LOCATION;

  SPMLService ss = new SPMLService(wsdlURL, SERVICE_NAME);
  SPMLRequestPortType port = ss.getSPMLServiceProviderSoap();

  Map ctx = ((BindingProvider) port).getRequestContext();
  ctx.put("ws-security.username", "xelsysadm");
  ctx.put("ws-security.password", "the password");

  // adding logging
  Client client = ClientProxy.getClient(port);
  client.getInInterceptors().add(new LoggingInInterceptor());
  client.getOutInterceptors().add(new LoggingOutInterceptor());

  ServiceHeaderType serviceHeader = new ServiceHeaderType();

  System.out.println("Invoking spmlModifyRequest...");
  oracle.iam.wsschema.model.spmlv2.core.ModifyRequestType modifyBody = new oracle.iam.wsschema.model.spmlv2.core.ModifyRequestType();
 
  java.util.List modCapData = new java.util.ArrayList();

  oracle.iam.wsschema.model.spmlv2.core.CapabilityDataType modCap = new oracle.iam.wsschema.model.spmlv2.core.CapabilityDataType();
  java.util.List modCapAny = new java.util.ArrayList();
  modCap.getAny().addAll(modCapAny);
  modCap.setMustUnderstand(Boolean.TRUE);
  modCap.setCapabilityURI("urn:oasis:names:tc:SPML:2:0:reference");
  modCapData.add(modCap);
  modifyBody.getCapabilityData().addAll(modCapData);
  modifyBody.setRequestID("RequestID-763892610");

  oracle.iam.wsschema.model.spmlv2.core.ExecutionModeType async = oracle.iam.wsschema.model.spmlv2.core.ExecutionModeType.ASYNCHRONOUS;
  modifyBody.setExecutionMode(async);
  modifyBody.setLocale("en");

  oracle.iam.wsschema.model.spmlv2.core.PSOIdentifierType modifyBodyPsoID = new oracle.iam.wsschema.model.spmlv2.core.PSOIdentifierType();

  java.util.List modifyBodyPsoIDAny = new java.util.ArrayList();
  java.lang.Object modifyBodyPsoIDAnyVal1 = null;
  modifyBodyPsoIDAny.add(modifyBodyPsoIDAnyVal1);
  modifyBodyPsoID.getAny().addAll(modifyBodyPsoIDAny);
  modifyBodyPsoID.setID("identity:6C9B96E99FC8DC32E040E50A3D5252F5");

  java.util.List mods = new java.util.ArrayList();
  oracle.iam.wsschema.model.spmlv2.core.ModificationType modType = new oracle.iam.wsschema.model.spmlv2.core.ModificationType();

  oracle.iam.wsschema.model.spmlv2.core.SelectionType component = new oracle.iam.wsschema.model.spmlv2.core.SelectionType();
  java.util.List componentAny = new java.util.ArrayList();
  component.getAny().addAll(componentAny);
  java.util.List componentNamespacePrefixMap = new java.util.ArrayList();
  component.getNamespacePrefixMap().addAll(componentNamespacePrefixMap);
  component.setPath("/identity");
  component.setNamespaceURI("http://www.w3.org/TR/xpath20");
  modType.setComponent(component);

  oracle.iam.wsschema.model.common.pso.ProvisioningObjectType modsData = new oracle.iam.wsschema.model.common.pso.ProvisioningObjectType();

  oracle.iam.wsschema.model.common.pso.Identity idAttribs = new oracle.iam.wsschema.model.common.pso.Identity();
  oracle.iam.wsschema.model.common.pso.UnboundedAttributes unboundedIdAttribs = new oracle.iam.wsschema.model.common.pso.UnboundedAttributes();

                // Must use these unbounded attributes for UDFs.
  java.util.List modsDataIdentityAttributesAttr = new java.util.ArrayList();
  DsmlAttr udfAttr = new DsmlAttr();
  udfAttr.setName("TermsAgreement");
  udfAttr.getValue().add("1.0");
  modsDataIdentityAttributesAttr.add(udfAttr);
  unboundedIdAttribs.getAttr().addAll(modsDataIdentityAttributesAttr);
  idAttribs.setAttributes(unboundedIdAttribs);


                // Standard attributes for SPML modifications follows.
  idAttribs.setActiveEndDate(javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(
    "2011-06-14T16:07:20.498-04:00"));
  idAttribs.setActiveStartDate(javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(
    "2011-06-14T16:07:20.514-04:00"));

  oracle.iam.wsschema.model.common.pso.MultiValuedString deptNum = new oracle.iam.wsschema.model.common.pso.MultiValuedString();
  java.util.List deptNumValue = new java.util.ArrayList();
  deptNumValue.add("12345");
  deptNum.getValue().addAll(deptNumValue);
  idAttribs.setDepartmentNumber(deptNum);

  oracle.iam.wsschema.model.common.pso.MultiValuedString firstName = new oracle.iam.wsschema.model.common.pso.MultiValuedString();
  java.util.List firstNameValue = new java.util.ArrayList();
  firstNameValue.add("Hello");
  firstName.getValue().addAll(firstNameValue);
  idAttribs.setGivenName(firstName);

  idAttribs.setHireDate(javax.xml.datatype.DatatypeFactory.newInstance().newXMLGregorianCalendar(
    "2011-06-14T16:07:20.514-04:00"));

  oracle.iam.wsschema.model.common.pso.MultiValuedString mail = new oracle.iam.wsschema.model.common.pso.MultiValuedString();
  java.util.List mailValue = new java.util.ArrayList();
  mail.getValue().addAll(mailValue);
  idAttribs.setMail(mail);

  idAttribs.setMiddleName("MiddleName");

  oracle.iam.wsschema.model.common.pso.MultiValuedBinary passwd = new oracle.iam.wsschema.model.common.pso.MultiValuedBinary();
  java.util.List passwdValue = new java.util.ArrayList();
  passwdValue.add("Testing123!".getBytes());
  passwd.getValue().addAll(passwdValue);
  idAttribs.setPassword(passwd);

  idAttribs.setPreferredLanguage("fr");

  idAttribs.setUserType("NONW");

  modsData.setIdentity(idAttribs);

  oracle.iam.wsschema.model.common.pso.Member modsDataMember = new oracle.iam.wsschema.model.common.pso.Member();
  // Entity ID / USR_KEY from OIM
  modsDataMember.setIdentityPSOID("3");

  modsData.setMember(modsDataMember);
  modType.setData(modsData);

  oracle.iam.wsschema.model.spmlv2.core.ModificationModeType modTypeModificationMode = oracle.iam.wsschema.model.spmlv2.core.ModificationModeType.REPLACE;
  modType.setModificationMode(modTypeModificationMode);
  mods.add(modType);
  modifyBody.getModification().addAll(mods);

  oracle.iam.wsschema.model.spmlv2.core.ReturnDataType modifyBodyReturnData = oracle.iam.wsschema.model.spmlv2.core.ReturnDataType.DATA;
  modifyBody.setReturnData(modifyBodyReturnData);

  oracle.iam.wsschema.model.spmlv2.core.ModifyResponseType modReturn = port.spmlModifyRequest(modifyBody,
    serviceHeader);
  System.out.println("spmlModifyRequest.result=" + modReturn);

       }

And since some people are assembling the requests in other clients, here's an example of the request by the above code:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
        <wsse:Username>xelsysadm</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">the password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <ServiceHeader xmlns:ns9="http://xmlns.oracle.com/idm/identity/OperationData" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns6="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns="urn:names:spml:ws:header"/>
  </soap:Header>
  <soap:Body>
    <ns2:modifyRequest xmlns="urn:names:spml:ws:header" xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns9="http://xmlns.oracle.com/idm/identity/OperationData" returnData="data" requestID="RequestID-763892610" executionMode="asynchronous" locale="en">
      <ns2:capabilityData mustUnderstand="true" capabilityURI="urn:oasis:names:tc:SPML:2:0:reference"/>
      <ns2:modification modificationMode="replace">
        <ns2:component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20"/>
        <ns2:data>
          <ns6:identity>
            <ns6:attributes>
              <ns6:attr name="TermsAgreement">
                <ns6:value>1.0</ns6:value>
              </ns6:attr>
            </ns6:attributes>
            <ns6:activeEndDate>2011-06-14T16:07:20.498-04:00</ns6:activeEndDate>
            <ns6:activeStartDate>2011-06-14T16:07:20.514-04:00</ns6:activeStartDate>
            <ns6:departmentNumber>
              <ns6:value>12345</ns6:value>
            </ns6:departmentNumber>
            <ns6:givenName>
              <ns6:value>Hello</ns6:value>
            </ns6:givenName>
            <ns6:hireDate>2011-06-14T16:07:20.514-04:00</ns6:hireDate>
            <ns6:mail/>
            <ns6:middleName>MiddleName</ns6:middleName>
            <ns6:password>
              <ns6:value>VGVzdGluZzEyMyE=</ns6:value>
            </ns6:password>
            <ns6:preferredLanguage>fr</ns6:preferredLanguage>
            <ns6:userType>NONW</ns6:userType>
          </ns6:identity>
          <ns6:member>
            <ns6:identityPSOID>3</ns6:identityPSOID>
          </ns6:member>
        </ns2:data>
      </ns2:modification>
    </ns2:modifyRequest>
  </soap:Body>
</soap:Envelope>

The Logging Mess

2011-11-15T10:48:00.000-05:00

Fantastic article (because we both came to the same conclusion) about logging options in JEE.

Also, oracle weblogic logging is the worst thing I have ever seen.

OIM 11g SPML Client test

2011-06-29T10:51:00.002-04:00

OIM (Oracle Identity Manager) 11g has a default security policy attached to the spml-xsd SOAP endpoint that is overly difficult to deal with.

The default endpoint policy is oracle/wss11_saml_or_username_token \
with_message_protection_service_policy

However, the "message protection" requirement is not configured with a signing certificate.

Detach this policy and attach: "oracle/wss_username_token_service_policy" and restart oim.

Creating a client with JAX-WS or CXF is super easy now! Using the Eclipse "new webservice client wizard" and the Apache CXF runtime, enter WSDL and generate.

Add the "ws-security.username" and credentials to the client class, and it starts to look much easier.

If you want the full CXF generated source, the jar is:
http://wikisend.com/download/608008/spmlclient-11.1.1.5.cxf.jar

public class TestClass {

private static final QName SERVICE_NAME = new QName(
   "http://xmlns.oracle.com/idm/identity/webservice/SPMLService",
   "SPMLService");

 public static void main(String args[]) throws Exception {
  URL wsdlURL = new URL("http://your-identity-host/spml-xsd/SPMLService?wsdl");

  SPMLService ss = new SPMLService(wsdlURL, SERVICE_NAME);
  SPMLRequestPortType port = ss.getSPMLServiceProviderSoap();

  Map ctx = ((BindingProvider) port).getRequestContext();
  ctx.put("ws-security.username", "xelsysadm");
  ctx.put("ws-security.password", "the password");

  ServiceHeaderType serviceHeader = new ServiceHeaderType();

  ValidateUsernameRequestType validateUser = new ValidateUsernameRequestType();
  validateUser.setUsername("sbeynon");
  ValidateUsernameResponseType retValUser = port
    .spmlValidateUsernameRequest(validateUser, serviceHeader);
  System.out.println("spml validate user =" + retValUser.isValid());
  }
}

There's a follow on to this post, showing an example SPML Modify Request

2011 fencing, fire swords

2011-06-06T17:50:00.001-04:00

2011 fencing, fire swords, a set on Flickr.

how cool is it when you turn 30 and throw a keg/fencing party? 30 straight rounds.

2011 May - Toronto Mini Maker Faire

2011-05-08T19:32:00.001-04:00

2011 May - Toronto Mini Maker Faire, a set on Flickr.

First Toronto Mini Maker Faire was a bunch of fun and awesome.

C code - a mixup for Password Based Key Derivation 2 (PBKDF2)

2011-04-07T16:38:00.000-04:00

PolarSSL is a fantastic (simple and modular) C library for all your crypto needs, except one little thing I needed. PolarSSL being easy and cross platform, I grabbed the gnulib equivalent - changed the sha1 call - and it slotted in easily!

I love when things are easy!

#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "polarssl/sha1.h"

// Note: hLen, dkLen, l, r, T, F, etc. are horrible names for
// variables and functions0, but they are used in RFC 2898 to describe
// the PBKDF2 algorithm, which improves validation of the
// code vs. the RFC.
//
// dklen is expressed in bytes. (16 for a 128-bit key)


/*
 ** Implement PKCS#5 PBKDF2 as per RFC 2898.  The PRF to use is hard
   coded to be HMAC-SHA1.  Inputs are the password P of length PLEN,
   the salt S of length SLEN, the iteration counter C (> 0), and the
   desired derived output length DKLEN.  Output buffer is DK which
   must have room for at least DKLEN octets.  The output buffer will
   be filled with the derived data. 
 *
 *  PBKDF2 (P, S, c, dkLen)
 *
 *  Options:        PRF        underlying pseudorandom function (hLen
 *                             denotes the length in octets of the
 *                             pseudorandom function output)
 *
 *  Input:          P          password, an octet string (ASCII or UTF-8)
 *                  S          salt, an octet string
 *                  c          iteration count, a positive integer
 *                  dkLen      intended length in octets of the derived
 *                             key, a positive integer, at most
 *                             (2^32 - 1) * hLen
 *
 *  Output:         DK         derived key, a dkLen-octet string
 */

int ok_pbkdf2_sha1 (const char *P, int Plen,
  const char *S, int Slen,
  unsigned int c,
  char *DK, size_t dkLen)
{
  unsigned int hLen = 20;
  char U[20];
  char T[20];
  unsigned int u;
  unsigned int l;
  unsigned int r;
  unsigned int i;
  unsigned int k;
//  int rc;
  char *tmp;
  size_t tmplen = Slen + 4;
  /*
   *     2. Let l be the number of hLen-octet blocks in the derived key,
   *        rounding up, and let r be the number of octets in the last
   *        block:
   *
   *                  l = CEIL (dkLen / hLen) ,
   *                  r = dkLen - (l - 1) * hLen .
   *
   *        Here, CEIL (x) is the "ceiling" function, i.e. the smallest
   *        integer greater than, or equal to, x.
   */

  l = ((dkLen - 1) / hLen) + 1;
  r = dkLen - (l - 1) * hLen;

  /*
   *     3. For each block of the derived key apply the function F defined
   *        below to the password P, the salt S, the iteration count c, and
   *        the block index to compute the block:
   *
   *                  T_1 = F (P, S, c, 1) ,
   *                  T_2 = F (P, S, c, 2) ,
   *                  ...
   *                  T_l = F (P, S, c, l) ,
   *
   *        where the function F is defined as the exclusive-or sum of the
   *        first c iterates of the underlying pseudorandom function PRF
   *        applied to the password P and the concatenation of the salt S
   *        and the block index i:
   *
   *                  F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
   *
   *        where
   *
   *                  U_1 = PRF (P, S || INT (i)) ,
   *                  U_2 = PRF (P, U_1) ,
   *                  ...
   *                  U_c = PRF (P, U_{c-1}) .
   *
   *        Here, INT (i) is a four-octet encoding of the integer i, most
   *        significant octet first.
   *
   *     4. Concatenate the blocks and extract the first dkLen octets to
   *        produce a derived key DK:
   *
   *                  DK = T_1 || T_2 ||  ...  || T_l<0..r-1>
   *
   *     5. Output the derived key DK.
   *
   *  Note. The construction of the function F follows a "belt-and-
   *  suspenders" approach. The iterates U_i are computed recursively to
   *  remove a degree of parallelism from an opponent; they are exclusive-
   *  ored together to reduce concerns about the recursion degenerating
   *  into a small set of values.
   *
   */

  tmp = malloc (tmplen);
  if (tmp == NULL)
    return -1;

  memcpy (tmp, S, Slen);

  for (i = 1; i <= l; i++)
    {
      memset (T, 0, hLen);

    for (u = 1; u <= c; u++) {
   if (u == 1) {
       tmp[Slen + 0] = (i & 0xff000000) >> 24;
       tmp[Slen + 1] = (i & 0x00ff0000) >> 16;
       tmp[Slen + 2] = (i & 0x0000ff00) >> 8;
       tmp[Slen + 3] = (i & 0x000000ff) >> 0;

       sha1_hmac (P, Plen, tmp, tmplen, U);
   }
   else {
     sha1_hmac (P, Plen, U, hLen, U);
   }
   for (k = 0; k < hLen; k++) {
     T[k] ^= U[k];
     }
 }

      memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen);
    }

  free (tmp);

  return 1;
}


int test_PBKDF2()
{ 
 // 128 bit key (16 bytes ) 
 unsigned int dkLen = 16;
 // number of iterations for key creation
 unsigned int iterations = 4096;

 int i,j;
    unsigned char *DK;
 const char *passwd = "short";
 const char *salt = "an extremely long wordy salt & vinegar chips";

 // test the polarssl sha1 implementation
 //sha1_self_test(1);

 printf("\n\n****---***---***---***---***---***---****\n\n");

 // see http://anandam.name/pbkdf2/
 // for PBKDF2 Verification

 DK = malloc (dkLen);

 ok_pbkdf2_sha1 (passwd, strlen(passwd), salt, strlen(salt), iterations, DK, dkLen);
 printf("PBKDF2 test  \n");
 printf("Salted   : %s\n", salt);
 printf("Password : %s\n", passwd);
 printf("Iterations : %d\n", iterations);
 printf("keyByteLen : %d\n", dkLen);

 printf("Length   : %d\n", strlen(DK));

 printf("Expected : f2c11c3445258d8bf9a44fc3c98e00c6\n");
 printf("Returned : ");
 
 for (j = 0; j < (int)dkLen ; j++) {
  printf("%02x",DK[j]);
 }

 free(DK);
 return 1;
}

Solaris SPARC x64 ELF mismatch Oracle JDK fix

2011-04-05T12:50:00.000-04:00

things that are stupid #168:

Test command "opatch lsinventory" fails on 64 bit unless the env variable JVM_D64 is set.

export JVM_D64=-d64

Error details:
java.lang.UnsatisfiedLinkError: /xxx/oracle_common/oui/lib/solaris/liboraInstaller.so: ld.so.1: java: fatal: /xxx/oracle_common/oui/lib/solaris/liboraInstaller.so: wrong ELF class: ELFCLASS64 (Possible cause: architecture word width mismatch)

Find out which process is on which port (windows)

2011-03-26T23:34:00.001-04:00

This is something I do all the time in Unix, I have a script :)

Far less often in windows, so here's a note to self:

netstat -a -n -o

tasklist /svc /FI "PID eq 768"

aside. Why is skype using port 80 ?!

Fallout from product amalgamation

2011-03-22T13:04:00.000-04:00

You'd think the Oracle Identity Manager Admin guide might lead one easily to the path of changing a list of Challenge Questions.. nothing so easy for the monstrous amalgam of products that is Oracle Identity Management 11g.

Lucky the docs from version nine are still online, and the answer is:

Design Console -> Administration -> Lookup Definition -> Lookup.WebClient.Questions

Localization is another matter (properties file in the oim web app directory)

back from australia - rsa hacked

2011-03-19T12:40:00.000-04:00

Great news - Australia is still awesome. My family is great, the barrier reef is gorgeous, the blue mountains are amazing and the great ocean road is beautiful - everywhere smells like gum trees and the koalas were literally falling over themselves to be noticed :) hahaha.. not really, they slept, but i did cross the path of one koala in the wild as he moved between the trees and a wild echidna.

Here's a few shots from the trip (by state):
QLD
NSW
VIC

When I return from vacation there's usually an offensive pile of work waiting.. not so bad this time, but look what i come back to :

RSA hacked and all the second-factor token generators could be compromised.. how is not clear.

Using an external, central source for authentication technology, which is shrouded in mystery, doesn't look so good anymore. One seriously organized hack has compromised an authentication technology used by scores of banks and government institutions.

And what to do now? Use your PIN accompanying the token code and you'll be fine.

OK, so why pay for & distribute the wee plastic thing if we're only protected by a PIN? Are all the token providers similarly affected?

Personally, I see second factor implementations as too unwieldy to be effective. Most banks eschew them for a variety of preventative measures. Validation of login source, chaining authentication with knowledge requests, image selection, and preventing key-loggers by using keyboard/number-pad image-clicks - with random arrangement of the buttons!

tis the season

2010-12-16T12:58:00.000-05:00

An artificial stress has been mandated by the seasonal IT shutdown (change freeze).

I have been many roles for many projects over the past few weeks, and they all have a similar theme - get things done before the IT department shuts down for several weeks.

Does it matter what we're "getting done" .. I'm not sure I know anymore.

As a result, I'm moving from task to task, my TODO list getting longer every day. Things are bound to get sloppy. IMHO, this change-freeze sounds reasonable on paper, but is not the way to maintain a secure and considered project path. Errors and insecurity are bound to jump in.

On the other hand, in about a week I get a couple of days off. Thank-you Christian majority :)

firesheep

2010-10-31T15:11:00.002-04:00

Like anyone working in security, I thought Firesheep was fun, cheeky and an important message:

Nothing is safe on a public/open wifi network, nothing is safe on http.

I am particularly amused by techcrunch reporting;

"Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies."

Soft underbellies aside; as usual it's up to you, the end user. Most of these sites have a https option which nullifies simple side-jacking security concerns.

Public/social sites don't care about your security -- what are you thinking putting private information on the internet, right? ;) besides, https is slower.

The message is (should be), protect yourself - don't complain to facebook if your account is highjacked when you use public networks! As linked in the techcrunch article, you can easily combat firesheep with : force TLS firefox add-on.

(SSL is an implementation of TLS)

PassWindow - cheap and simple authentication

2010-10-19T19:26:00.002-04:00

I've spent my recent time investigating options for authentication. We used to care how good a password encryption algorithm was, but why bother cracking authentication stores when it's so much easier to obtain credentials or find an unused account with a "default" style P@ssword?

With the combination of "something you know" and "something that you have" we can begin to determine that 1. There is a person on the other side of the screen and 2. It's the person we expect.

I'm a big fan of simple. Like one-time-passwords from my days at uni - we were given a dot-matrix printed page of 50 random strings, and crossed them off with each use. It's cheap and effective. Of course, if someone obtains/copies your paper, not so great.

There's a great new option from Aussie investor Matthew Walker: PassWindow.

Basically, your card - credit card, staff ID, etc - has a transparent window with random segments of a old-school 7 segment digit display (think digital clock).

The authenticating challenge generates complementary segments and asks you to center the card on target corners. You enter the digit(s): Multiple digits or several digits over an interval.

The puzzle pieces have to fit to obtain the secret entry code! How fun is that?

I can see this being a great choice for banking, but also government IDs - not for authentication, but to provide a validity bit check, for example when you visit a doctor and show your health card.

The downside to the technology is adding that transparent window might not be that straightforward - most plastic cards are opaque. And if someone has obtained your credentials and copied your card, you'd never know.

An e-mail: "Site 3 coLaboratory - spreading some art/technology love"

2010-06-09T13:55:00.001-04:00

Hey, are you interested in collaborating with other technophiles and artists on projects, presenting/attending workshops on the awesome toys/art/hacks you've created - or will create !! -- or using space and equipment you might not have at home?

I have just the place in mind!! :) I'm a member of Site 3 coLaboratory - we're opening shop at Bloor and Ossington next month - and we're looking for members, associate members and cool collaborators!

Our members are former Toronto Hacklab folk, crazy artists, engineers,
physicists, special-effects guys, pyrotechs, leather and metalworkers.

If this seems interesting, contact me!

low tech security

2010-05-05T15:46:00.000-04:00

We're not great at choosing and remembering secure passwords, admit it?!

While my wordly combinations of aussie slang / l33t are contributing (marginally) to making my online life more secure ;) - I've been embarrassingly compromised more than once. Thus I would give anything for an easy way to meet the ridiculous password requirements and not get tripped up by my nonsensical security answers!

Enter the grid solution! I've seen this in commercial enterprise, but this example is a free, low-tech password vault.

There are some people drawbacks; starting at corner/edges, reusing passwords. However, assuming you're the kind of person who chooses this solution, let's assume you'd avoid this ;)

If you turn the solution about, and start challenging with grid co-ordinates, you're coming close to infringing on patented 2nd-factor authentication from Entrust. Although if you go down that road, why don't we start challenging with connect-the-dots, next item in the series, etc ;D

In personal news, I discovered the game NETHACK! today.

Security in web application design

2010-03-14T11:40:00.008-04:00

Security is something I think about constantly. It's part of the "unwritten" requirements. We usually only receive requirements for functionality, i.e. "the system must ..." but the unspoken agreement is that the functions will be usuable and secure.

Usability is a whole article, let's focus on where security fits into user-interaction end of design.

What are we concerned about? User Input, malicious or otherwise.

Starting with web input, three things we can do: reduce, restrict and sanitize.

Reduce: data from forms or URL parameters is not trusted, don't allow it unless you need to! Users are a trusting bunch, don't let them down: ENFORCE SSL. Don't even allow http access.

Restrict: Input can be restricted to a certain set; length, character format, value options. Value options are safest, instead of directly passing on input, convert it to one or more values in a server-side list. Examples include address fields, product codes, etc.

Setting javascript or form validation, e.g. using maxlength or specifying select options, means nothing if we don't enforce validation on the server!

Compare expectations to input instead of using it directly;
if ("expectedData".equals(request.getParameter("data")) {}
Not:
String data = request.getParameter("data");

Sanitize: If you must pass on user input, then sanitize. Here's a simple trick, use Commons Validation library: check every field for alphanumeric only.

There's a list of XSS protection tricks at OWASP.

Authentication

Do you use cookies for session authentication? If so, are you using them well?

Use the maximum amount of cookie information to protect your users.

Restrict the cookie to your own domain
use the secure flag (of course you're using HTTPS)
restrict to HTTP only, requires JDK 6 - see http://www.owasp.org/index.php/HTTPOnly

if I didn't know how good I was at math, would I have been as good at anything?

2010-03-07T11:53:00.002-05:00

I'm drinking coffee and reading Scientific American - two of life's inestimable pleasures - and I came across the article "Numbers War: School Battles Heat Up Again in the Traditional versus Reform-Math Debate"

Imagine if they stopped teaching algebra, geometry, and polynomials in high schools - would it be a real detriment to society?

Imagine the fun we could have if we looked at the topics which have reference to real world situations? The wave function can be made fun to learn with the right teaching!

My personal beef with mathematical education is the lack of choice. By age 12-13 families and students are mostly sure which broad path to look forward to: academic or applied. Aren't they?

I cannot however, underestimate the ways of thinking that only became my tools to use after bashing on through some difficult concepts - and only by repetition.

I'm not in favour of simplifying education, but in teaching children what they need to know, and how to find out what they don't yet know.

Teach them to learn.

Finding the directories that are eating up the hard disk

2010-01-21T15:26:00.003-05:00

By user home:

du -k /home/ | sort -n | tail -10

All. This generally takes forever:

cd /
du -k | sort -n | tail -10

Web Application Configuration - custom settings per target environment

2009-11-08T19:04:00.007-05:00

The issue comes up in every new project - how to create a custom build or customized configuration for each environment. There will be different configurations for JDBC connections, SOAP endpoints, etc. loaded as ResourceBundles, Spring properties, and so on.

Stack overflow has a discussion on configuration patterns where most of the potential solutions are represented. Many externalize the files (not packaged in the war/ear) to a hardcoded file path or to a location on the appserver classpath. Other solutions have multiple properties files and rely on the build script to replace the main application.properties.

These are good solutions, elements of each have been used in projects I've worked on. The externalized properties file or jar is often more hassle in reality, as the build guys are often not the developers - and every extra deploy step is more application downtime.

The build script option is also something I wish to avoid. I want my maven pom to speak for itself with no extra plugins or build hassles.

In my experience, the best solution is multiple properties files, one per environment, bundled in the ear/war and a single set-and-forget JVM property.

The key is letting the application choose a config based on where it's deployed. It's a bad to use IP or hostname for such choices, so choose something that's done once, but is still within the developers/build guys control.

When you setup each application server: set a JVM custom property called "ENV_NAME" that contains the environment name indicator. e.g. local, dev, stage, prod.

This value can then be used anywhere in your J2EE application, from front-end to back as simply as:

    if ("dev".equals(System.getProperty("ENV_NAME")) {
        // do what you need for dev env. 
    }

Make testing easier by loading custom props! Add a static block to your base TestCase class, and call:

System.setProperty("ENV_NAME", "local")

Pretty clunky so far, but now we can take advantage of the Spring property configurator to load environment specific files. (This version was tested on spring 2.5, but have been using this setup since 1.2).

Create a default myapp-config.properties in the classpath root. This is the fallback.

Add a folder for each target environment to your src classpath.

Copy myapp-config.properties with customized values for the target environment to a new folder matching ENV_NAME; e.g. /dev/myapp-config.properties containing the dev JDBC settings.

<beans xmlns="http://www.springframework.org/schema/beans"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

 <!-- Configurer that replaces ${..} placeholders with values from properties
 Customized to load properties file from classpath, based on path from JVM ENV_NAME value 
 e.g. ENV_NAME=dev Configurer will look for classpath:/dev/myapp-registration.properties -->
 <bean id="propertyConfigurer" class="com...myapp.util.EnvNameBasedConfigurer">
  <property name="ignoreResourceNotFound" value="true" />
  <property name="locations">
   <list>
    <value>myapp-config.properties</value>
   </list>
  </property>
 </bean>

I'm a little behind the times already, because I think spring3 can already handle this sort of thing - but not every app is ready to go with spring3 yet.

Added bonus example called in the constructor; loading a customized log4j setup file.


/**
 * This class extends the Spring Property Configurer for the 
 * purpose of loading environment specific property files. This 
 * implementation relies on a JVM system propery named 
 * "ENV_NAME" the value sets up which classpath
 * folder name property files will be loaded.
 *
 * For example if ENV_NAME == dev, the resource[s] will be
 * loaded from "classpath:/dev/resourcename"
 *
 * The WebSphere administrator should set ENV_NAME as a custom JVM
 * property in each server instance Process Definition. 
 * JBoss users should alter JAVA_OPTS setting in the run.bat files. 
 * Standard (not enforced) should be: local, dev, uat, or prod.
 * 
 * @author s.n.beynon
 * @version $Revision: 1.4 $ $Date: 2009/11/03 16:46:52 $
 */
public class EnvNameBasedConfigurer extends PropertyPlaceholderConfigurer {

  private static Logger log = null; 
  public static final String SEP = "/";
  public static final String APPNAME = "myapp";
  private static final String LOGSUFFIX = "-log4j.xml";

  public EnvNameBasedConfigurer() {
    super();
    setup();
  }
  /**
   * @return String env name; dev, uat, prod - default return blank
   */
  public static String env() {
    return System.getProperty("ENV_NAME", "");
  }
  
  /*
   * normally would do this setup stuff in an initializing servlet
   * call here because we want our custom log config setup before
   * spring loads our configuration.
   */
  private void setup() {
    System.out.println("spring and log4j configuration loading.");
    try {
      // standard environment log setup (unix log path)
      String logconfig = APPNAME + LOGSUFFIX;
      // configure different logging based on ENV here.
      // developers all use win32; appname-win-log4j.xml
      // dev/uat/prod are unix; appname-envname-log4j.xml
      if (System.getProperty("os.name").indexOf("Win") > -1) {
        logconfig = APPNAME + "-win" + LOGSUFFIX;
      }
      else if (!"".equals(env())) {
        // 
        logconfig = APPNAME + "-" + env() + LOGSUFFIX;
      }
      // from classpath load the standard log4j.xml
      URL url = Loader.getResource(logconfig);
      // custom environment log config not found, fallback to default
      if (url == null) logconfig = APPNAME + LOGSUFFIX;
      System.out.println("Configuring log from config file: " + url.getFile());
      DOMConfigurator.configure(url);

      log = Logger.getLogger(EnvNameBasedConfigurer.class);
    } catch (Throwable t) {
      t.printStackTrace();
    }
  }

  /**
   * Override the Property Loader resource configuration based on System
   * Property value "ENV_NAME". If ENV_NAME is set, property file will be
   * loaded from a directory named by that value (in the classpath). 

   * 
 For example, System.setProperty("local") will load files
   * from the "local" directory. 
 
 If that directory does not
   * contain the requested class path resource, will fall back to original
   * name.
   * 
   * @see org.springframework.core.io.support.PropertiesLoaderSupport#setLocation(org.springframework.core.io.Resource)
   */
  public void setLocation(Resource resource) {

    Resource localized = new ClassPathResource(env() + SEP + resource.getFilename());
    if ("".equals(env())) {
      log.warn("Expected to find system property ENV_NAME - Not Found!");
      localized = new ClassPathResource(resource.getFilename());
    }
    if (localized.exists()) {
      super.setLocation(localized);
      return;
    }
    // fall back to what was supplied to this method
    super.setLocation(resource);
  }

  /**
   * Override the Property Loader resource configuration based on System
   * Property value "ENV_NAME". If ENV_NAME is set, property files will be
   * loaded from a directory named by that value (in the classpath). 

   * 
 For example, System.setProperty("local") will load files
   * from the "local" directory. 
 
 If that directory does not
   * contain the requested class path resource, will fall back to original
   * name.
   * 
   * @see org.springframework.core.io.support.PropertiesLoaderSupport#setLocations(org.springframework.core.io.Resource[])
   */
  public void setLocations(Resource[] resources) {
    log.debug("EnvNameBasedConfigurer setLocations from classpath for ENV_NAME:" + env());
    if ("".equals(env())) {
      log.warn("Expected to find system property ENV_NAME - Not Found!");
    }

    Resource[] envResources = new Resource[resources.length];
    for (int i = 0; i < resources.length; i++) {
      log.debug("setLocations " + resources[i]);
      try {
        Resource localized = new ClassPathResource(env() + SEP
            + resources[i].getFilename());
        if (localized.exists()) {
          envResources[i] = localized;
        }
        else {
          envResources[i] = new ClassPathResource(resources[i].getFilename());
        }
        log.debug(envResources[i]);
      } catch (Exception e) {
        log.warn(e);
      }
    }
    super.setLocations(envResources);
  }

}

This one class demonstrates using ENV_NAME - a static System Property set on the JVM startup, thus available at any time - to load a custom log4j configuration for the environment. The same method can be used to load a custom ResourceBundle or static properties.

It is important to have a default/fallback configuration, this should be the production configuration. If the ENV_NAME is missing, then it's likely the production resources are firewalled from accidental dev/uat access, and if the ENV_NAME is missing in production then the default configuration is the correct file.

struts2 regex validation for a phone number

2009-11-03T14:50:00.003-05:00

Struts2 bundled (built-in) validator regex type could really have some better examples!

Here's a basic phone number regex sample for a standard North American telephone number e.g. 123-456-7890

Key point is to use start/end pattern indicators ^ and $ - otherwise 123-456-78901234 etc. will also match!


 <field name="person.phone">
 <field-validator type="required" circuit="true">
  <message>${getText("error.phone.required")}</message>
 </field-validator>
    <field-validator type="regex">
        <param name="expression"><![CDATA[^[\d]{3}-[\d]{3}-[\d]{4}$]]></param>
        <message>${getText("error.phone.format")}</message>
    </field-validator>
 </field>

simon willison on redis

2009-10-24T11:21:00.003-04:00

Proving again and old-school c is still fast and relevant, he talks about a "data structure" storage server (that which is not a database, but still a means to store data). Any programmer can see why this would be a valuable hook for the debugging process (think HSQL, MockDB, etc).

The fascinating tidbit at the end of the article is what got me interested however:
hurl.it

"Hurl makes HTTP requests. Enter a URL, set some headers, view the response, then share it with others. Perfect for demoing and debugging APIs. "

Sounds like a great addition to a system test toolkit for anyone who works on web apps.

WebSphere Trust Access Interceptor

2009-10-11T10:44:00.011-04:00

Background - What is a TAI?

To correlate between external authentication (e.g. SSO with Oracle AM WebGate, IBM TAM, etc.) and the WebSphere Application Server (WAS) User Registry identity, use a Trust Association Interceptor within the WebSphere security layer.

Lightweight Third Party Authentication (LTPA) is the mechanism by which WAS supports SSO. With LTPA a token is created with the user data and expiry time, signed by the LTPA keys (which why multiple nodes in a cell must have their LTPA keys in sync). The LTPA token can be forwarded by authenticated resources. This token passes to other servers, in the same cell or in a different cell, either through cookies (for Web resources) or through the authentication layer Security Authentication Service (SAS) or CSIv2 for EJBs.

A TAI is an identity provider, it takes information from an HTTP request, and, assuming trust is validated, provides either a principal (to be filled in by the User Registry) or a fully populated subject. In either case the user must exist in the WAS User Registry. The option for the TAI to populate the Subject allows the implementer to override existing group membership in the WAS LDAP.

Trust Interceptors operate completely within the WebSphere security layer, usually loaded on server startup from AppServer lib ext directory. The interceptor is only executed when an authenticated resource is requested via HTTP(S), i.e. the web.xml has a security constraint for that URL. If the user has already authenticated to any participating cell in the WebSphere deployment, they will have a valid LTPA token for the resource; the interceptor will skip.

This interceptor implementation is an adjunct to the security system; fallback to the usual authentication mechanism is always possible. Make note that a TAI is available for web authentication only (as opposed to JAAS); there is no intercepting programmatic login or access to Enterprise Beans.

The negotiation stage is only executed only if the target is defined as protected by the implementing class. Targets are evaluated in the isTargetInterceptor method.

For more information, this article is dated now, but a great start to WAS security.

Implementation

I have implemented TAIs for WAS v6.0, v6.1 and v7.0. Slight differences, but I will cover my implementation for v6.1.

Basically, implement the interface com.ibm.wsspi.security.tai.TrustAssociationInterceptor from the websphere_apis.jar.

Order of execution is:

1. initialize(Properties props) - on server startup.
2. boolean isTargetInterceptor (HttpServletRequest req) - on each request - if true, continue to negociate.
3. TAIResult negotiateValidateandEstablishTrust (HttpServletRequest req, HttpServletResponse res)

TAI Result holds either a string user id to be retrieved from the Registry, or the fully qualified Subject.

Initialize

Load your TAI settings, a list of regex patterns to intercept, the name of the SSO Request Header, etc. Will be loaded from the referenced properties file or from the console custom properties. Console settings override.

public int initialize(Properties props) throws WebTrustAssociationFailedException {
// read the Resource Bundle and add to static properties
// *console values* will overwrite props file.
try {
ResourceBundle rb = Constants.getResourceBundle();
Enumeration keys = rb.getKeys();
while (keys.hasMoreElements()) {
String key = (String) keys.nextElement();
log.debug("Prop from " + key + "=" + rb.getObject(key));
taiProps.put(key, rb.getObject(key));
}
} catch (Exception e) {
// check the constants RESOURCE_PKG/RESOURCES values to see
// if the properties files exist!
log.warn("Did not find/load iaatai_en.properties " + e.getMessage());
// No rethrow, console might be used to set properties.
}
try {
// read properties from console config add to static list
if (props != null) {
props.list(System.out);
taiProps.putAll(props);
}
// setup url patterns and header names from props.
configureFromProperties();
} catch (Throwable t) {
log.error("Initialization error (props not loaded)", t);
}
// return zero for success - any other value is failure.
return 0;
}

isTargetInterceptor

Should the target URL be intercepted? For this, setup a Map (cache) of URLs, and from the properties compare to set of Regex Patterns to intercept.

public boolean isTargetInterceptor(HttpServletRequest request) {
log.info("isTargetInterceptor: Check URI " + request.getRequestURI());
try {
// if we can get away without regexing, do so
if (targetUris.contains(request.getRequestURI())) {
log.debug("Found uri in cache");
return true;
}
// iterate over the patterns (values)
Iterator urlPatterns = targetUrlPatterns.values().iterator();
while (urlPatterns.hasNext()) {
Pattern p = (Pattern) urlPatterns.next();
// log.debug("Test URI pattern: " + p.pattern());
Matcher m = p.matcher(request.getRequestURI());
if (m.matches()) {
log.debug("Matched Pattern " + p.pattern());
targetUris.add(request.getRequestURI());
return true;
}
}
} catch (Exception e) {
log.error("ERROR: isTargetInterceptor", e);
}
log.info("TAI will not intercept this target URI");
return false;
}

Negotiate Trust

Quick and easy - direct mapping to a WAS registry ID. The simplest way, if the SSO header exists map it to an existing user.

public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest request,
HttpServletResponse response) throws WebTrustAssociationFailedException {
log.debug("negotiateValidateandEstablishTrust starting.");
String ssoId = null;
TAIResult result = TAIResult.create(401);
ssoId = request.getHeader(Constants.HEADER_USER_ID);
if (ssoId != null && !"".equals(ssoId)) {
return TAIResult.create(HttpServletResponse.SC_OK, wasId);
}
// no header, return the default result, unauthorized 401
return result;
}

Another option for TAI's using Basic Authentication:

public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
HttpServletResponse resp) throws WebTrustAssociationFailedException {
log.debug("negotiateValidateandEstablishTrust");

String basicAuth = req.getHeader("Authorization");
TAIResult tairesult;
if (basicAuth == null || basicAuth.equals("") || !basicAuth.startsWith("Basic ")) {
tairesult = challengeClient(resp);
}
else {
String userId = null;
String passwd = "";
try {
String basicDecoded = new String(Base64.decode(basicAuth.substring(6), '='),
"UTF-8");
int i = basicDecoded.indexOf(':');
if (i == -1) {
userId = basicDecoded;
}
else {
userId = basicDecoded.substring(0, i);
passwd = basicDecoded.substring(i + 1);
}
log.debug("negotiateValidateandEstablishTrust userID:" + userId);
if (userId != null && (passwd == null || passwd.length() == 0)) {
log.warn("negotiateValidateandEstablishTrust FAILED, no password for "
+ userId);
tairesult = challengeClient(resp);
}
else {
Subject subject = doBasicWASLogin(userId, passwd);
tairesult = TAIResult.create(200, userId, subject);
}
} catch (LoginException e) {
log.error("negotiateValidateandEstablishTrust " + userId, e);
tairesult = challengeClient(resp);
} catch (UnsupportedEncodingException e) {
tairesult = null;
}
}
log.info("negotiateValidateandEstablishTrust " + tairesult.getStatus());
return tairesult;
}

private TAIResult challengeClient(HttpServletResponse resp)
throws WebTrustAssociationFailedException {
resp.setHeader("WWW-Authenticate", wwwAuthenticateHeader);
resp.setStatus(401);
return TAIResult.create(401);
}

private Subject doBasicWASLogin(String user, String pass) throws LoginException {
Subject subject = null;
CallbackHandler callbackhandler = WSCallbackHandlerFactory.getInstance()
.getCallbackHandler(user, pass);

LoginContext logincontext = new LoginContext(basicLoginTarget, callbackhandler);
log.debug("doBasicWASLogin built LoginContext");
logincontext.login();
log.debug("doBasicWASLogin login done");
return logincontext.getSubject();
}

For our actual implementation, we break user types into two paths by the application URL. getRealm is a custom function not shown here, it translates URLs to just a context root and maps to a list of Anonymous/MustExistInRegistry type apps.

Anonymous user mapping. Each user with a valid header is allowed in, and if they don't exist the user is created.

Must-exist users are higher security and must exist in the WAS registry before access.

public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest request,
HttpServletResponse response) throws WebTrustAssociationFailedException {
log.debug("negotiateValidateandEstablishTrust starting.");
String ssoId = null;
String wasId = null;
String realm = "";
String lang = "en";
// http authenticate response
TAIResult result = TAIResult.create(401);
try {

// headers will be set by GA runtime, actual header
// name is configured via properties.
ssoId = request.getHeader(Constants.HEADER_USER_ID);
lang = request.getHeader(Constants.HEADER_LANG_ID);
if (ssoId == null
&& "true".equals(taiProps.getProperty("DEBUG_HEADER_VALUE", "false"))) {
log.warn("SSO_ID null, but DEBUG_HEADER_VALUE found to be true.");
ssoId = "debuguser " + new Random().nextInt();
}

if (ssoId == null) {
// SSO *not* protecting this resource, no SSO_ID header &
// DEBUG_HEADER_VALUE not set.
log.warn("TAI cannot trust, no header. Should we be intercepting this URL?");
throw new WebTrustAssociationUserException("Null SSO user");
}

// retrieve the name of the application, used to decide if anon/mustexist
realm = getRealm(request);
wasId = mapToAnonOrMustExistId(ssoId, realm);

// Anonymous users will be auto-created
log.debug(realm + ":requires that users exist? " + mustexistRealms);
boolean mustExist = (mustexistRealms != null && mustexistRealms.contains(realm));
// Setup the sharedState user credentials
Map sharedState = null;

// Using the sharedState map is an example of creating the subject
// to change the user credentials or state. It may not be necessary
// in your implementation. If not, simply return an ID WAS will
// recognize:
// TAIResult.create(HttpServletResponse.SC_OK, wasId);

UserRegistryLookup userRegLookup = new UserRegistryLookup();
try {
// lookup the user, group, etc 
sharedState = userRegLookup.getSharedState(wasId, lang, realm);
} catch (EntryNotFoundException enf) {
log.warn("No match for wasId " + wasId);
// Check for another chance - create the user
// then attempt to read sharedState for newly created.
if (!ismustexist) {
createNewUser(ssoId, wasId, lang, realm);
log.debug("WAS user created, return TAIResult OK.");
return TAIResult.create(HttpServletResponse.SC_OK, wasId);
}
}
if (sharedState != null) {
// Create the subject and add credentials
Subject authenticatedPrincipal = new Subject();
authenticatedPrincipal.getPublicCredentials().add(sharedState);
// N.B. the principal field (arg1) is unnecesary when
// providing the Subject object.
log.debug("Return the authenticated principal. " + wasId);
return TAIResult.create(HttpServletResponse.SC_OK, wasId,
authenticatedPrincipal);
}

} catch (Throwable e) {
// most actions do not throw, this must be a catastrophic failure
log.error("Trust ERROR for:" + ssoId + "::" + wasId, e);
throw new WebTrustAssociationFailedException(e.getMessage());
}
// return the default result, unauthorized 401
return result;
}

Reading the User Registry - creating a Shared State from scratch. This give the TAI the option to alter user groups/roles.

public Map getSharedState(final String user, final String lang, final String realm)
throws NamingException, RemoteException, EntryNotFoundException,
CustomRegistryException {

Hashtable secTable = new Hashtable();
InitialContext _ctx = VmmServiceManager.getInitialContext();

// Retrieve the local UserRegistry implementation.
// For v6.0 this is WMM-UR (WMM custom registry)
// Impl: com.ibm.websphere.security._UserRegistry_Stub
// v6.1 Use com.ibm.ws.wim.registry.WIMUserRegistry
UserRegistry reg = (UserRegistry) _ctx.lookup("UserRegistry");
log.info("Got User Registry "
+ (reg != null ? reg.getRealm() : "NULL"));
if (reg == null) {
log.error("Failed connnection to WMM User Registry ");
return null;
}

// Retrieves the user registry uniqueID based on the uid specified
// in the NameCallback. Unique ID is the full DN.
String uniqueID = reg.getUniqueUserId(user);
log.debug("From user registry: uniqueID " + uniqueID);

// read the WAS user ID from registry userID@realm
String wsUserId = WSSecurityPropagationHelper
.getUserFromUniqueID(uniqueID);
log.debug("wsUserId from WSSecurityPropagationHelper "
+ wsUserId);

// Retrieves display name from the user registry based on the
// WAS UserId.
String securityName = reg.getUserSecurityName(wsUserId);
// display name from user registry
log.debug("securityName from user registry " + securityName);

// Retrieves the groups associated with the uniqueID.
List groupList = null;
try {
groupList = reg.getUniqueGroupIds(wsUserId);
log.debug("found groupList " + groupList);
} catch (Exception e) {
log.warn("ERROR retrieving groupList " + e.getMessage());
groupList = new ArrayList();
}


// N.B. This is the ideal place to override group membership.
// Example, set all users in the group name "Realmusers".
try {
String usersGroupUniqueId = reg.getUniqueGroupId(realm + "users");
groupList.add(usersGroupUniqueId);
} catch (Exception e) {
log.warn("ERROR finding users group " + realm + " " + e);
}
// Creates the java.util.Hashtable with the information that you
// gathered from the UserRegistry implementation.
log.debug("Now creating the subject shared state. " + realm
+ " " + uniqueID);
secTable.put(AttributeNameConstants.WSCREDENTIAL_USERID, securityName);
secTable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueID);
secTable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,
securityName);
// secTable.put(AttributeNameConstants.WSCREDENTIAL_REALM,
// reg.getRealm());
secTable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groupList);

// Adds a cache key that is used as part of the lookup mechanism for
// the created Subject. The cache key can be an object, but should have
// an implemented toString() method. Make sure that the cacheKey
// contains enough information to scope it to the user and any
// additional attributes that you are using. If you do not specify this
// property the Subject is scoped to the returned WSCREDENTIAL_UNIQUEID,
// by default.
secTable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, realm
+ uniqueID);
return secTable;
}

Updating and creating users in the TAI requires a privileged request. The entire class to setup users and update properties is included here:

public class VmmServiceManager implements VmmService {
private static final Logger log = Logger.getLogger(VmmServiceManager.class);

/**
* Provider URL for JNDI lookup - default provider for WAS - first Node only.
*/
public static String providerURL = "corbaloc:iiop:localhost:10031";

/**
* Constructor for Virtual Member Manager Service Manager.
*/
public VmmServiceManager() {
super();
}

/**
* @return InitialContext for the current environment.
* @throws NamingException
*/
public static InitialContext getInitialContext() throws NamingException {

Hashtable env = getEnv();
if (env.size() == 2) {
return new InitialContext(env);
}
return new InitialContext();
}

/**
* @return Hashtable containing INITIAL_CONTEXT_FACTORY and
*         PROVIDER_URL
* @throws NamingException
*/
private static Hashtable getEnv() throws NamingException {
ResourceBundle rb = Constants.getResourceBundle();
// look for a server specific provider url
String serverid = System.getProperty(Constants.SERVER_NAME);
log.info("getInitialContext SERVER_NAME=" + serverid);
String providerURL = null;
try {
providerURL = rb.getString("provider.url." + serverid);
} catch (Exception e) {
// no providerURL for this serverid (serverid may have been null).
try {
// look in properties for the default provider URL
providerURL = rb.getString("provider.url");
} catch (Exception e2) {
// no providerURL, WAS will use the local provider.
}
}
log.info("Init Ctx lookup using providerURL=" + providerURL);
Hashtable env = new Hashtable(2);
if (providerURL != null) {
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.ibm.websphere.naming.WsnInitialContextFactory");
env.put(Context.PROVIDER_URL, providerURL);
}
return env;
}

/**
* @return LocalServiceProvider Wim Client com.ibm.websphere.wim.Service
*/
public LocalServiceProvider getLocalServiceProvider() {
//http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=
// /com.ibm.websphere.javadoc.doc/vmm/com/ibm/websphere/wim/client/
// LocalServiceProvider.html
try {
// holds reference to "ejb/com/ibm/websphere/wim/ejb/WIMServiceHome"
LocalServiceProvider service = new LocalServiceProvider(getEnv());

return service;
} catch (Exception e) {
log.error("LocalServiceProvider setup fail.", e);
}
return null;
}

/**
* @param userId
* @param lang
* @param containerDn
* @return boolean success flag
*/
public boolean createUser(final String userId, final String lang,
String containerDn) {

LocalServiceProvider service = null;
try {

service = getLocalServiceProvider();
if (service == null)
return false;

// containerDn has to be null - empty string is bad.
if (containerDn != null && containerDn.trim().length() == 0) {
containerDn = null;
}
DataObject root = SDOHelper.createRootDataObject();
// API entity type might be "PersonAccount" or "Person"
// this is unclear to me. using the SchemaConstants field.
// leave the 2nd param blank to use the default container.
DataObject entity = SDOHelper.createEntityDataObject(root, containerDn,
SchemaConstants.DO_PERSON_ACCOUNT);
entity.set(Constants.UID, userId);
entity.set(Constants.CN, userId);
entity.set(Constants.SN, userId);
List displayName = new ArrayList();
displayName.add(userId);
entity.set(Constants.DISPLAY_NAME, displayName);
entity.set(Constants.PREFERRED_LANGUAGE, lang);

log.info("PersonAccount object assembled " + entity);

// Assemble a logged-in subject with admin (create-user) rights.
Subject adminSubject = retrieveAdminSubject();
log.info("VMM AdminSubject logged in " + adminSubject);

root = doSecureCreate(adminSubject, root);

log.info("PersonAccount create completed: " + root);
return true;
} catch (Throwable t) {
log.error("PersonAccount create failed", t);
}
return false;
}

/**
* @param uniqueId
* @param lang
* @return boolean success flag
*/
public boolean updateUser(final String uniqueId, final String lang) {

LocalServiceProvider service = null;
try {

service = getLocalServiceProvider();
if (service == null)
return false;
DataObject root = SDOHelper.createRootDataObject();
DataObject entity = SDOHelper.createEntityDataObject(root, null,
SchemaConstants.DO_PERSON_ACCOUNT);
entity.createDataObject(SchemaConstants.DO_IDENTIFIER).set(
SchemaConstants.PROP_UNIQUE_NAME, uniqueId);

List displayName = new ArrayList();
displayName.add(lang);
entity.set(Constants.DISPLAY_NAME, displayName);
entity.set(Constants.PREFERRED_LANGUAGE, lang);

log.info("PersonAccount object for update " + entity);

// Assemble a logged-in subject with admin (update-user) rights.
Subject adminSubject = retrieveAdminSubject();
log.info("VMM AdminSubject logged in " + adminSubject);

root = doSecureUpdate(adminSubject, root);

log.info("PersonAccount update completed: " + root);
return true;
} catch (Throwable t) {
log.error("PersonAccount update failed", t);
}
return false;
}

/**
* @param adminSubject
* @param userRoot
* @return DataObject
* @throws PrivilegedActionException
*/
@SuppressWarnings("unchecked")
protected DataObject doSecureCreate(final Subject adminSubject, final DataObject userRoot)
throws PrivilegedActionException {

return (DataObject) WSSubject.doAs(adminSubject,
new java.security.PrivilegedExceptionAction() {
public Object run() throws PrivilegedActionException {
// Subject is associated with the current thread context
return AccessController.doPrivileged(new CreateUserPrivileged(
userRoot));
}
// Subject is re-associated with the current thread context
}); // end doAs admin.
}

@SuppressWarnings("unchecked")
protected DataObject doSecureUpdate(final Subject adminSubject, final DataObject userRoot)
throws PrivilegedActionException {

return (DataObject) WSSubject.doAs(adminSubject,
new java.security.PrivilegedExceptionAction() {
public Object run() throws PrivilegedActionException {
// Subject is associated with the current thread context
return AccessController.doPrivileged(new UpdateUserPrivileged(
userRoot));
}
// Subject is re-associated with the current thread context
}); // end doAs
}

/**
* Create new user in the WebSphere Repository. This private class runs
* inside PrivilegedAction; must implement PrivilegedAction interface.
*/
class CreateUserPrivileged implements PrivilegedExceptionAction {
private DataObject rootWithNewUser;

/**
* @param containsUserObj
*/
public CreateUserPrivileged(DataObject containsUserObj) {
this.rootWithNewUser = containsUserObj;
}

/**
* Cannot throw specific exceptions on this method signature, so return
* the DataObject, or general Exception with cause.
* 
* @return Object DataObject if success, null otherwise.
* @throws Exception
*             RemoteException, WIMExcpetion
* @see java.security.PrivilegedExceptionAction#run()
*/
public Object run() throws Exception {
// Subject cut off from the current thread context.
LocalServiceProvider service = getLocalServiceProvider();
if (service == null)
return null;
log.debug("Connected to WIM service " + service.getClass().getName());
return service.create(rootWithNewUser);

}
}

/**
* Update user in the WebSphere Repository. This private class runs inside
* PrivilegedAction; must implement PrivilegedAction interface.
*/
class UpdateUserPrivileged implements PrivilegedExceptionAction {
private DataObject rootWithUser;

/**
* @param containsUserObj
*/
public UpdateUserPrivileged(DataObject containsUserObj) {
this.rootWithUser = containsUserObj;
}

/**
* Cannot throw specific exceptions on this method signature, so return
* the DataObject, or general Exception with cause.
* 
* @return Object DataObject if success, null otherwise.
* @throws Exception
*             RemoteException, WIMExcpetion
* @see java.security.PrivilegedExceptionAction#run()
*/
public Object run() throws Exception {
// Subject cut off from the current thread context.
LocalServiceProvider service = getLocalServiceProvider();
if (service == null)
return null;
log.debug("Connected to WIM service " + service.getClass().getName());
return service.update(rootWithUser);

}
}

/**
* @return Subject logged-in administrator subject.
* @throws NamingException
*/
private Subject retrieveAdminSubject() throws NamingException {
// hard-set the locale to ensure the expected file is always found.
// see also, IaaTrustAssociationInterceptor notes.
ResourceBundle rb = Constants.getResourceBundle();
final String wasAdminUser = rb.getString("admin.user");
final String wasAdminPasswd = rb.getString("admin.pass");
// log.debug("REMOVE ME LATER " + wasAdminUser + " " +
// wasAdminPasswd);

// This will only work with admin credentials, see props
Subject adminSubject = null;
LoginContext lc = null;
try {
lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(
wasAdminUser, wasAdminPasswd));
lc.login();
adminSubject = lc.getSubject();

} catch (Throwable t) {
log.error("LoginContext error " + t.getMessage());
// everything falls apart
}
return adminSubject;
}

Axis SSL for a non-trusted Certificate - Dev, Testing, only.

2009-10-08T16:09:00.010-04:00

The problem is the Entrust 2048 SSL certificates which were recently issued, every platform I use normally has no trouble accepting them (no imported certificates required!), but deploying on the IBM WebSphere 6.1 JDK/Server is nothing but pain.

My errors without an import - "No trusted certificate found":

00000026 WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE:  
A signer with SubjectDN "blah" was sent from target host:port "blah:443".  
The signer may need to be added to local trust store
"../base_v61/profiles/was61profile1/config/cells/CellName/nodes/NodeName/trust.p12" located in 
SSL configuration alias "NodeDefaultSSLSettings". 
The extended error message from the SSL handshake exception is: 
"No trusted certificate found".

My errors after attempting to import to trust.p12 - "End user tried to act as a CA"

WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE:  
A signer with SubjectDN "blah" was sent from target host:port "blah:443".  
The signer may need to be added to local trust store 
"../base_v61/profiles/was61profile1/config/cells/CellName/nodes/NodeName/trust.p12"
located in SSL configuration alias "NodeDefaultSSLSettings". 
The extended error message from the SSL handshake exception is: 
"End user tried to act as a CA".

No matter what I import or try, I keep seeing "End user tried to act as a CA". Well if that's the way it's going to be IBM-TrustManager, that's the way I'm going to play.

My solution, though designed and tested on IBM runtimes is JDK independent.

My first play was to switch to xfire, which is just about the coolest/simplest SOAP implementor out there - and I know it uses the commons httpclient package.

Use Easy SSL TrustManager implementation, so easy to override.

EasySSLTrustManager is designed to accept self-signed certs, not those that are completely borked. So for me, it was required that I copy the httpclient contrib source and add a quick try/catch around the checkClientTrust and checkServerTrusted. This way I still see errors, but the ssl communications proceeds unhindered.

Then I tried to do the same for an Axis client. There are a few misleading pages on the Axis wiki; which I completely disregarded in favour of control by AxisProperties.

I'm running on Axis 1.4, but my stubs were generated years ago and I don't want to bother regenerating.

Here's the great site that set me on the "Axis client even with self-signed SSL cert" path.

My implementation, however, is much simpler, and reuses the EasySSLTrustManager :)

We create a TrustAllSSLSocketFactory that implements Axis' SecureSocketFactory


import java.io.IOException;
import java.security.SecureRandom;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

import org.apache.axis.components.net.JSSESocketFactory;
import org.apache.axis.components.net.SecureSocketFactory;
import org.apache.commons.httpclient.contrib.ssl.EasyX509TrustManager;

/**
* Custom SSL socket factory to ignore certificate errors.
* 
* Based loosely on org.apache.axis.components.net.SunJSSESocketFactory
* Praise to open source libraries.
*/
public class TrustAllSSLSocketFactory extends JSSESocketFactory implements
SecureSocketFactory {
/**
* Constructor TrustAllSSLSocketFactory
* @param attributes
*/
@SuppressWarnings("unchecked")
public TrustAllSSLSocketFactory(Hashtable attributes) {
super(attributes);
}

/**
* Init the SSL socket factory with our own Trust Manager.
* 
* This overrides the parent class to provide our SocketFactory
* implementation.
* 
* @throws IOException
*/
protected void initFactory() throws IOException {

try {
SSLContext context = getContext();
sslFactory = context.getSocketFactory();
} catch (Exception e) {
if (e instanceof IOException) {
throw (IOException) e;
}
throw new IOException(e.getMessage());
}
}

/**
* Gets a custom SSL Context with no keystore and a Trust All Manager.
* 
* @return SSLContext 
* @throws Exception
*/
protected SSLContext getContext() throws Exception {

try {
// congifure a local SSLContext to use created keystores
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, new TrustManager[] { new EasyX509TrustManager(null) },
new SecureRandom());

return sslContext;
} catch (Exception e) {
throw new Exception("Error creating context for SSLSocket!", e);
}
}

}

Now we tell Axis about it's new SSL Socket Factory.

I chose to do so in the WSProxy class initializing method, but it can exist any where before the call.

public class SampleWSProxy implements SampleWS {
private String _endpoint = null;
private com.example.application.webservice.ISampleWS iSampleWS = null;

public ISampleWSProxy() {
_initISampleWSProxy();
}

private void _initISampleWSProxy() {
try {
// this Axis default class only works for self-signed certs,
//  or certs loaded by custom keystore. NB. Has version for Sun JDK also.
// AxisProperties.setProperty("axis.socketSecureFactory",
// "org.apache.axis.components.net.IBMJSSESocketFactory");

// this works for all certs - even when an exception is thrown
// connection ignores the invalid cert and moves on :)
AxisProperties.setProperty("axis.socketSecureFactory",
"full.package.to.TrustAllSSLSocketFactory");

String socketSecureFactory = AxisProperties
.getProperty("axis.socketSecureFactory");
System.out.println("axis.socketSecureFactory : " + socketSecureFactory);

iSampleWS = (new ISampleWSServiceLocator())
.getSampleWS();
if (iSampleWS != null) {
if (_endpoint != null) {
((javax.xml.rpc.Stub) iSampleWS)._setProperty(
"javax.xml.rpc.service.endpoint.address", _endpoint);
}
else {
_endpoint = (String) ((javax.xml.rpc.Stub) iSampleWS)
._getProperty("javax.xml.rpc.service.endpoint.address");
}
// Staging has a test/generic provisioning web service
// with default username password as: admin
// callers may/must override! :)
((javax.xml.rpc.Stub) iSampleWS)._setProperty(
javax.xml.rpc.Stub.USERNAME_PROPERTY, "admin");
((javax.xml.rpc.Stub) iSampleWS)._setProperty(
javax.xml.rpc.Stub.PASSWORD_PROPERTY, "admin");

}

} catch (javax.xml.rpc.ServiceException serviceException) {
}
}
... end of _initISampleWSProxy .. followed by available web service methods ...
}

building on solaris - make can't find ar

2009-10-07T14:46:00.001-04:00

Happens all the time while making apache, always have to google the solution!

" ar: command not found "

Solution:

export PATH=$PATH:/usr/ccs/bin/
make

.. back on the path to win.

WebSphere Global Security OFF

2009-09-30T13:59:00.003-04:00

This is a massive pain, WAS 6.1 is failing with my new SSL certs with larger (2048) size keys. No matter how perfectly configured my Node Default Trust Store looks with it's happy Signer Certificate, the SSL connection still fails.

I changed a setting to do with SSL - I knew that was a bad idea! Server won't let me back in the console, time to turn off security.

To disable global security either edit the security.xml file or use the wsadmin tool.

$WAS_HOME\config\cells\cellname\security.xml

Using WAS command-line client wsadmin (run with was user or root privileges):
1. Open a connection to local WAS in offline mode
wsadmin -conntype NONE

2. Turn off global security
wsadmin> securityoff

3. Save
wsadmin> $AdminConfig save

under appreciated: the web front end

2009-09-29T22:17:00.003-04:00

It should be the most important thing - it's what we see and interact with! Sadly, in my experience web front ends are treated like an afterthought. "Too many functional requirements to worry about the page view"

Well, here's a master of the front end, and a brilliantly written article about @font-face - embedding web fonts. I look forward to more from Mr DuLac!

imagining dimensions and books

2009-09-21T14:51:00.003-04:00

I love well visualized physics, but please note: this book/blog is *imagining up* the images and ideas that match the math of String/M-theory. And believe me, the Math-English translator is a bit iffy at the best of times ;)

Anyway, please enjoy "Imagining the 10th Dimension" and be sure to listen to "But aren't there 11 dimensions".

You Tube Channel

From the description, I am reminded of a fascinating victorian-era novella (I thought it was about physics!) called: Flatland: a romance of many dimensions. If you ever see it in the wild, pick it up.

watchmen - saving humanity

2009-03-18T09:42:00.000-04:00

By now, I expect that you all have watched The Watchmen. If not, stop wasting your time. Leave now.

Also, if you can't handle tongue-in-cheek, adult discussion, stop reading, get of the internet.

The question raised is; what are you prepared to do - to save all of us from ourselves?

Many authors put forth that mankind is it's own worst enemy. We are destructive, flawed. Where are the would-be saviors? why aren't more "solutions" coming forward? Oh, right .. we're also apathetic.

We dodge real solutions because of their immediate cost, without regard to indirect return. This applies to life choices, business decisions as well as the world environmental and economic situation.

Let's run a hypothetical here. If we could fix the rampant environmental "Global Weirding", save the coral and retain biodiversity, prevent the sea level rise, etc. etc. But to do so, we had to immediately sacrifice six million people... Who would make that choice? it's only 0.001% of our population.

And what if it were by volunteer efforts. Would enough step forward? There are about a million suicides a year, it might work.

Then instead of all that, we say, lets get a handle on the population for the sake of the planet. Limit each human to beget one child - thus, each couple two. How would we *begin* to enforce this globally?

Better to continue to war with other humans as an organic population check.

And, which hypothetical suggestion do you think might raise the most outrage?

Post Scriptum. why are men so obsessed with penises - blue or otherwise?

crazy good or crazy bad? - you already know i mean both!

2009-03-17T21:30:00.003-04:00

today was uncomfortably hot; my office is reedeekerous! i have zee sniffles.. *pouts* .. and i went a wee bit crazy!

Also, i felt left out because I don't own any green. Well, hello world, St Patrick's was originally celebrated with *BLUE*. The internets says so!

I'm busy doing the fiddly stuff at work. Not really busy per se.. just trying to finish so I can stop paying attention and meditate upon my upcoming vacation.

It's been more than a year since my last round-the-world super-vacation (east eu, india, thailand and oz). I badly need some time to stop thinking and hit reset. Granted, I'm sniffling and fairly pathetic, but the day that I skip out on both drinking & my painting class to come home and nap is a sad day indeed!

Also, if you already know all of the items on "the stuff you should have seen list" - I probably want to have sex with you. really. man, woman or other. nerds are hawt.

You already know I mean both!

Another random fact, throughout my life I have wondered why people say "toot sweet".. for the first time I saw it written; tout de suite. How terrifically do we butcher french?

last.fm concerts in your calendar

2009-03-12T19:57:00.004-04:00

Cool and simple; loading last.fm Toronto concerts into my google calendar. How awesome is ical now we have the tools?

things that are weird for me

2009-03-06T11:28:00.005-05:00

People asking me to do something, and immediately offering a vague back-scratch in return.

This feels shady.

If someone asks a favour, I will think about whether I can do it - considering how much personal time and effort is required, in addition to literal capability. If I can, I will always say yes. I assume if future-me asks a similar weighted favour, it is thus more likely to be a yes.

I assume other people are like me. They mostly aren't.

Among the Inept, Researchers Discover, Ignorance Is Bliss - New York Times

2009-03-01T13:13:00.002-05:00

Incompetent individuals are less able to recognize competence in themselves or others. Published by the New York Times.

The findings, the psychologists said, support Thomas Jefferson's assertion that "he who knows best knows how little he knows."

what kind of transactional?

2009-02-03T13:40:00.005-05:00

An an article of transactions. Human perception is too often way off course.

While I love the spring based transaction manager - simply configure by method name wildcard matches! (not really that simple, but close) - I heartily dislike the lack of thought surrounding transaction management in a "set once, and forget" situation like this.

time to shake it up?

2009-02-01T22:29:00.004-05:00

There's no question I've been having a fantastic time recently. I couldn't be more excited about how my oil painting is progressing - and the anatomy for artists study is invaluable... and lexulous (srabulous) is back on facebook!

And that's just my personal life. My working life never slows down - we have a great product on a flexible core component set, and it looks like this year will see even wider adoption.

I credit the success during expansion to a couple of changes; one process, the second design. The design is relatively obvious, but I'm sure I could have implemented it more elegantly, implementation of multi-version services through a single stable public model - while working on the core private implementations without affecting clients.

The process change has been enforcing of the maven build/release - even in the DEV environment. No release goes out without a unique version. Even during the quiet of December, it was worth the extra few minutes - for my sanity's sake :)

It's always a hard call when it comes to staying the current course or finding something new. I'm trying to think about what's best for my career. On the one hand, my current team are awesome and the boys next door make me laugh, the technology is slowly coming up to date (previously JDK 1.4 - now JDK 6), however it's a strong focus on integration and back-end services - rather than full application design.

I guess I want it all! From back end design to fancy web 2.0 front end stuff :)

Asperger Test (AQ Test) - Pie Palace

2008-12-29T15:41:00.001-05:00

OK, so I'm a 38/50 where "Scores over 32 are generally taken to indicate Asperger's Syndrome or high-functioning autism, with more than 34 an "extreme" score."

Now tell me, dear audience, what is the polite way to tell a friend he should take the test?

We've already established I'm more than a little socially awkward, and sure to phrase it poorly :)

Asperger Test (AQ Test) - Pie Palace

processing input

2008-11-16T17:27:00.004-05:00

For the first time, I will admit to being a pop-culture addict. On the premise of "research" I'm beginning to see the art in everything - but mainly comics recently ;)

what we brag about

2008-08-21T20:19:00.004-04:00

You can tell so much about people from the things they brag about .. and how long ago it happened. Like someone in their late 20s talking about something they did in school/university.. I barely remember that time of my life.

Anyway, this got me thinking about the things I brag about. Most of the things I'm truly proud of are work-related, or general nerd or programming related.

Or my impressive occasional binge drinking bouts.

I hardly every speak of the things that truly make me happy. Like my artistic endeavors and my love of travel. What must people think of me?

summer of art and rainfall

2008-08-10T10:51:00.003-04:00

Taking on two 3 hour classes per week (Foundation Drawing II and Abstract Painting) has been fantastic and tiring. I have barely had time to think, except to plan how I can spend more time doing art, and wondering if I will ever be any good :)

Due to constraints at my current client (i.e. they are still using JDK 1.4.2) and a whole host of other reasons, most of my work is completely straightforward. The most complex of my tasks are those that involve people, and there's only one way to get used to that.. patience and practice. I've been in several senior roles, but the personalities in this mix are something else again. Lucky I don't mind apologizing and starting over when I get a bit too intense.

This is what I miss about Australia, it was OK to be direct. Eventually my edge will wear off.. but frankly, my edge is the reason I'm so damn excellent. C'est la vie.

This summer it hit home that I'm permanently on this planet, in this city, doing my thing and no one else influences my decisions. And I'm finally truly single. I spent such a long time wondering why I was, in fact, I still do, but I at least I appreciate it now.

At the time I thought it was my biggest mistake, but at the same time, I don't see how it could have gone any other way. Maybe other people would work it, but I don't do relationships where I'm at the end of the list of todo items.. and I couldn't connect when he only let me in on the thoughts that had been tried, tested and sanitized.

tagging gone mad

2008-05-04T13:55:00.004-04:00

ROTFL.. well I just let tagcow at my flickr archive. It's an interesting concept of semantically tagging images. Presumably they have some object/facial recognition software behind this - although they don't specify what/how.

I was allowed to upload a couple of photos and identify the people in them (I was in a hurry to see the result, so I only did two: syber and frobozz).

What I ended up with is hilarious, sometimes obvious and more than occasionally wrong.. my brother-in-law is tagged as frobozz multiple times.

Who wants to be tagged as a lady?? "lady syber" (which includes one of my german housemate - does she look like me?)

Especially this classic, me holding some pig crackling and checking out my freely lymphing scraped knee.

A brilliant summary here; two of my friends drinking becomes "two men bar".

This one is by far my favorite: frobozz faster easier together accerating hpc man sitting front servers floor mouth wire keyboard lap. Not only did it pick up *all* the text in the image (a tiny OCR error on accelerating), and identify the objects correctly, but it noticed the "mouth wire"!!! I didn't even see that!

So, the verdict on tagcow. Good idea. "A" for effort. Fail for tagging every freaking photo with useless information like "guy", "woman", "sitting".

And what the hell is up with the typing errors? Is this really an automated system, or is it a bunch of low-wage outsourced workers typing like mad?

Schmap Australia Second Edition: Photo Inclusion

2008-05-03T08:26:00.004-04:00

I'd like to share some happy news. One of my Australian photos - Brighton Beach (looking north to the city centre) - was selected for inclusion in the Schmap Australia Guide.

This is obviously a great way to promote their guide, and obtain free media, however, I still think it's cool =)

Browser Options

2008-04-09T08:39:00.004-04:00

It's good to see that with IE8, software developers are finally recognizing the value of choice.

Long gone are the days when anyone bothers complaining about browser implementations anymore.. We know there's always going to be workarounds, it's kind of like a treasure hunt for the coolest hacks now ;).

What a hit IE Tab is with Firefox users.. way behind the game as usual, but with IE8, Microsoft have give us IE7 mode!

Of course that doesn't help me access my company SAP Portal, which only works in IE6 (not Netscape, Safari, Firefox, not IE7, and nothing seems to work in IE8!).

It's been around for a while now, and it will probably be some time before I can let go of "Multiple IEs". And life was good.

the internet is wonderful (as in, still fills me with wonder)

2008-02-27T21:25:00.007-05:00

I think friend feed is fabulous. I suggest you sign up to it immediately so I can stop asking you how you are, and simply read your feed.

I stumbled upon it today - it's an aggregator of internet lives. As most of my life is online, it is my life. Cutest thing: i can have imaginary friends :)

The other site that popped into my life today is Google's recent acquisition; GrandCentral. "snipped--removed-my-account-sick-of-wrong-numbers!--"

I picked a random US number. What the hey! They don't have Canada (an irritatingly common omission), and many family/friends are in Australia, so it's just another international number. What's great (aside from magical online voicemail bizo; I don't enjoy talking on the phone) is the ability to direct the call to one or more variable numbers.

I'm terribly excited about the current WebSphere Portal SSO implementation I'm assigned to. The requirements are to build "sample" porlets to demonstrate capabilities. Do you know what that means?

No interface niceties, pure code.

Also, the WebSphere Portal V6 is pretty excellent in terms of configuring rules for personalization, etc. It's no wonder I was at the office til after 7 tinkering with it ;)

As a result, it was so damn cold when I left, my face went numb in minutes. My nose started running, but I couldn't feel it until it hit my mouth. *ewrweurwerughghhghhhh*

pure blue sky, pure winter cold

2008-02-10T21:32:00.001-05:00

The sky is clear, and the air is frozen. Ah Toronto, I'm back from Australia's summer and just when I was starting to like (well maybe not like, but, get used to!) the snow, you went and froze all that melt water and turned the pavements into a giant skating course.

Although, I would like to note, there are brilliant Torontonians out there who hate wading through/jumping over the slush puddles on street corners.

Enterprise 2.0 - tried selling any reality lately?

2007-12-06T01:07:00.001-05:00

Bex Huff on what Enterprise 2.0 should mean. Stop trying to be everything to everyone, and let everyone at everything.. See what survives.

Too long have we been trying to force people to use information and functions the way a few UI/business analysts tell us to. Allow software to evolve, create a 2.0 approach to your business.

read more on bex' blog | digg story

Rands In Repose: The Nerd Handbook

2007-11-21T15:04:00.001-05:00

Consider the Nerd. Where would we be without him(her)(me)? This handbook is your user guide.

Now all I need is a guide to finding one for myself ;)

how lovely (nobodyhere)

2007-11-16T10:49:00.000-05:00

"I'd like to
apologize for all
this."

It thinks like me - except realized into a site that's beautiful and funny and bizarre (nobodyhere).

Every Day is a Great Day With Pascal

2007-11-08T11:35:00.000-05:00

Do you need cheering up ? Or to send a cheery message?

Spread the Good Day message : Cold Hard Flash: Every Day is a Great Day With Pascal: Flash animation news and links

RAD deployed applications

2007-11-05T13:41:00.000-05:00

Because I always forget the path:

[workspace]\.metadata\.plugins\org.eclipse.wst.server.core\tmp[0-9]

The Art of Happiness - Dalai Lama has nuthin on Dan Gilbert

2007-11-04T12:53:00.000-05:00

Incredible research which points to the fact that happiness is produced, regardless of circumstances. Or perhaps, in spite of, in his examples.

I propose that much unhappiness comes from wondering why, as successful people, we aren't happier than we are!?

TED | Talks | Dan Gilbert: Why are we happy? Why aren't we happy? (video)

"tis nothing good or bad, but thinking makes it so" -- shakespeare

Geeze I love graphs :)

No offense to the Dalai Lama - in fact, they are both talking about the same thing. I attended his recent talk in Toronto.. he's a delightful, cheeky, charming speaker. His proposals are almost too obvious.

Find peace within yourself and you will be able to intellectually find peace with those you don't like. Teach children kindness and compassion in school and they will grow up to be better people.

*sigh* Too easy.

What is the Google Collections Library?

2007-10-31T09:58:00.001-04:00

Generic collections (commons extreme makeover by google) What is the Google Collections Library?

An excellent article, and something we should all remember; "write less code, have less to test"!

A week of content management

2007-10-27T21:03:00.000-04:00

An exhausting week of training lays behind me. I'm only just recovering!

Oracle made another acquisition, added to their Fusion Middleware line (which to me, is "apps that do stuff, with nothing in common"). Stellent content server has been Universal Content management, and we were lucky enough to have a week with a trainer who had been working with the product for a decade.

The product looks smooth, the core architecture is true SOA. That is, SOA from the start, not services slapped on top of an application. Features seem to be strongly influenced by necessity. The main complaint in the class was: admin interface is ugly, and things aren't where I expect.

For me it seemed fairly obvious :) But no bragging, because liking an interface that was so obviously programmer-designed, isn't something to be proud of! ;)

I cruised through the week.. and hacked through the product after finishing all the exercises early.. and the verdict is; I can't wait to get out into the field!

I love being in the office, I like people and having my own cube.. I'm also a junkie for meeting new people and solving their problems.

I like the sound of that: syber, your friendly problem-solving junkie. Show me your issues!

Note to self. synchronized singleton access

2007-10-11T12:49:00.002-04:00

So, what's the best thread safe singleton instantiation.. I must look this up sometime.

Here's what we have now.


public static SingletonObject getInstance() {
 if (instance == null) {
  synchronized (SingletonObject.class) {
                        // might have been preempted just after first check 
                        // but before the synchronized statement was executed
   if (instance == null) {
    instance = new SingletonObject();
   }
  }
 }
 return instance;
}

Struts2 panic and WebSphere fiddling

2007-09-12T19:31:00.000-04:00

Absolute panic overcame me yesterday.

I'm about to wrap up a grueling rewrite of several ancient and poorly written (circa 2000) java apps, plus two truly hideous Net.Data apps.. which, to alleviate the pain and tedium, I decided to rewrite in Struts2. Not something I have a boatload of experience with, but I like to jump in the deep end ;)

The Net.Data apps were several pages in a single file. Back and forth with functions and HTML, several forms per page, with variables floating in and out everywhere. No scope, no state, no layers.

So chuffed by my rejuvenated Struts2 elegance, I deployed to WebSphere ND 6.1 - to find that every single action was 404. JSPs served, so I knew it was working, just not actions.

I even tried changing the extension to html! lol - it was nearly 8pm and I really wasn't thinking ;)

When I eventually got smart, i.e. googled it, I found a simple (somewhat dodgy) fix from IBM: Add a Web Container property called com.ibm.ws.webcontainer.invokeFiltersCompatibility

Wanting to do things correctly

2007-08-21T22:22:00.000-04:00

I wonder sometimes whether I am excessively correct about my approach to my work. After years of experience, I believe it is much faster for me to do things correctly.

Do it right up front, and making adjustments later does not make you want to rip people's limbs off.

I'm convinced of it, but is that just the obsessive-compulsiveness talking?

For example, I refuse to update code that isn't formatted correctly. Unused imports bug the hell out of me. Missing javadoc, doctypes. I must fix them.

Sometimes its only a few keystrokes of effort (Cntrl-Shift-F or O), but sometimes it's a lot more. Many people I work with seem to be quite OK with misaligned braces.

I can only hope that those who come after me appreciate alignment ;)

Maintaining composure and optimism

2007-06-28T16:07:00.000-04:00

After all these years in the industry, the people far outshadow the technology when it comes to influencing daily job satisfaction.

After dealing with an argumentative, finger-pointing, badly smelling individual who refuses to live in the same reality as the rest of the team; I went home yesterday with a ripping headache and totally dispirited.

Today, I have *chocolates* for the assistance I gave a colleague outside my department, and my manager telling me I deserve a bonus.

Yay! Like dory said in Finding Nemo, "just keep on swimming".

HTML from history

2007-06-22T17:40:00.000-04:00

Found in a production application. Client shall remain nameless. How far haven't we come?

<meta equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="Generator" content="Microsoft Word 97">
<title> -- removed -- </title>

<META NAME="Template"
CONTENT="C:\Program Files\Microsoft Office\Office\html.dot">

tnsnames.ora - both handy and annoying when lost!

2007-04-25T12:27:00.000-04:00

I have become so accustomed to have SIDs configured in tnsnames.ora - never having to remember anything.

After migrating to a new laptop yesterday, I lost all my connection information (doh!) and have had to resort back to the SQL Plus connect string. How beautiful it is:

sqlplus user/password@//10.10.10.10:1521/sid

select random

2007-04-23T16:02:00.000-04:00

And they call SQL a "standard" ;)

Select a random row with MySQL:

SELECT column FROM table
ORDER BY RAND()
LIMIT 1

Select a random row with PostgreSQL:

SELECT column FROM table
ORDER BY RANDOM()
LIMIT 1

Select a random row with Microsoft SQL Server:

SELECT TOP 1 column FROM table
ORDER BY NEWID()

Select a random row with IBM DB2

SELECT column FROM table
ORDER BY RAND()
FETCH FIRST 1 ROWS ONLY

Select a random record with Oracle:

SELECT column FROM
( SELECT column FROM table
ORDER BY dbms_random.value )
WHERE rownum = 1

Note. I'm not complaining too seriously, in my work I mostly use Oracle (occasionally DB/2 but that can't be helped). I am aware of the wealth of functionality available at Oracle over say, MySQl, which mostly excuses the differing syntax.

Hard, Soft, Weak and Phantom

2007-03-06T11:18:00.000-05:00

The title sounds so exciting until I explain I'm referring to Java references. I was asked to explain weak references in an interview. I'm so careful with my words I said I couldn't explain it well enough.

The sum total my knowledge is that I can create a WeakHashMap whereby the keys are weakly referenced, and thus objects are able to be garbage collected. I gather it might be useful for a caching, but I've always used third party caching implementations. And quite frankly, performance issues I encounter are generally latency, not memory problems.

Pardon the expression, but I thought this explanation was rather weak, so I passed.

Naturally I wish to rectify this abysmal lack of understanding, and I found a rather nice summary of the reference types here.

Soft references were previously unknown to me, although if the following is true they seem more useful that Weak; "in practice softly reachable objects are generally retained as long as memory is in plentiful supply".

Routine which is not "a rut"

2007-03-04T14:29:00.000-05:00

There was a time, many years ago, when it was possible to predict my location and activities to the hour. Even weekends.

When I had just started working at Sausage Software, newly moved to Melbourne and I was (unbeknownst to myself at a conscious level) quite happy. Happiness that comes from doing what you love, feeling secure and feeling that many doors are open.

Compared to the stress of final year engineering, too busy to have a job and often running out of money to the point where food became a luxury.. it was much easier to be happy. The intervening years have spoiled me to the point where the simple things are no longer appreciated as much.

I welcome the idea of a predictable pattern of work, play, sleep, etc. I have learned the correct balance in the past year. I hope :)

Routine only becomes a rut if you don't enjoy it.

the revolution is here

2007-03-02T19:21:00.000-05:00

It's winter, evening, Toronto. I have arrived.

Actually I arrived here at the start of the week, and possibly already have a job. This would be nice, it's important to keep busy and stay out of trouble ;)

Now it's time to catch up with everyone.. though after being put through the wringer all week - recruiters and interviews - I think the phone will be off the hook for a little while first.

new zealand photos

2007-02-12T05:19:00.000-05:00

Photos from the past few days are online.

My obvious favorite is the squished car after the incident with the branch ;)

The best kind of accident

2007-02-08T14:32:00.000-05:00

I had an accident last night.. a rain storm came up suddenly and wind knocked a large branch out of a tree on top of my car. Luckily the branch landed mostly horizontally, severely bowing the roof and bonnet - so the worst of it was a shower of glass. Completely unhurt, except for a hundred little red spots on my arms and knees :)

The car is no good, and I declined the insurance so my excess is large. Anyone who knows me, will know that I am simply happy to be alive. Money comes and goes.

The true heroes of this tale are the many locals who stopped to offer help, and one incredible local farmer who stayed with me until the police arrived.. calming me down, keeping me dry and doing all the things I would have done if I hadn't fallen to pieces; cleaning the branch off the highway and pulling the car completely off the road.

Then the police officer himself, granted he is probably used to seeing this sort of thing, was fabulous. He loaded all my luggage and drove me all the way back to Waitomo Caves village! Not to mention, he turned out to be a really charming guy.

Thank you to the locals of Waitomo and Te Kuiti.

green glowing butts

2007-02-07T20:54:00.000-05:00

The fascinating enzyme 'luciferase', sometimes used my genetic researchers to pinpoint gene activity, is also responsible for the spellbinding spectacle on the roof of the Waitomo Caves.

I spent this morning floating down a stream in a raft looking at the glowing worms above... feeling like I was outside looking at a starlit sky, except for the edges of the roof when I could almost touch them.

Which is somewhat gross, as their feeding trap is strings of mucous which snare insects to be reeled in. Somewhat like fishing with a spiderweb.

The second cave I went through was less glow-wormy, more limestone formations. The forms were beautiful, but I have been to so many caves now, the highlight for me was actually a ~1000 year old skeleton of the now extinct moa.

The entire region is shaped by the former seabed limestone layers, which are so perfect and even it looks like fortifications in many places. Then a sheep runs in front of it, and spoils my imaginings ;)

A fascinating change from the thermal wonders and boiling mud of Roturua. I cannot wait to show photos!

wandering around nz

2007-02-04T13:53:00.000-05:00

Today is my 5th day in New Zealand and it's such an incredible country - amazing natural sights and all crammed into such a small place!

I have seen amazing rainforest and my first full day was a 6 hour hike to the Pinnacles on the Coromandel Pennisula.. then fell asleep (like the dead!) camping next to a rushing stream. I drove up the coast, it's all rocky, so I headed west to the Bay of Plenty and have visited 3 incredible beaches and 3 waterfalls in the last couple of days :D

I have been around Tauranga for two nights, hoping to go swimming with dolphins today, but the weather is too rough.. :( ..hopefully I will have another chance up north.

Yesterday I went to Rotorua and did some hiking there, around the "buried village". This was one of the first Maori/European villages preserved from the 1860s by a massive eruption. Followed by a walk down the waterfall and a cappuccino at the tea room :)

Today I'm off to a volcanic park called Hell's Gate!

it doesn't get better than this

2007-01-30T19:07:00.000-05:00

Less than 24 hours before I get on the plane.

what are you reading? words, words, words

2007-01-22T02:54:00.000-05:00

I am fascinated by the way language shapes people's thinking. Differences in languages fascinate me, and I love to learn about the history of my own language.

I have found a most excellent assortment of essays on words at Dr Bill Long's site. This was the only site that came up in Google to give me the origin of the original phrase; "Give him an inch and he'll take an Ell", where an ell is a unit of length approximately 45". A saying is obviously more effective when exaggerated :)

Another one of my favorite sites is the source of my phrase a week.

We may be what we eat, but we are usually judged by what we say ;)

i'll take you to a sidestreet..

2007-01-03T04:34:00.000-05:00

Everything is all loose ends at the moment, a seemingly endless list of things to do. I must start writing things down before I start to fray.

It's always a surprise to me to find people will miss me when I leave a place. I can't remember being much other than excited for people when I find out they are leaving..

Does that make me:
a) an asshole who doesn't give a damn,
b) too stuffed full of buddhist non-attachment propaganda to react normally,
c) someone who's sincerely happy for a friend, as there's always email/chat,
d) all of the above and worse!

Life seems much shorter and more enjoyable when you turn yours upside-down every so often.

Q. When was time travel invented? A. Yes.
-- (from tai of eastpole)

thinking about what matters

2006-12-29T02:01:00.000-05:00

I can always count on being with my family to remind me what really matters. Here are a group of people who don't talk about other people, no filler.. we all talk about what is next for us and what is changing.

Perhaps because, in my family, everything is always changing :)

Not as drastically as my life is about to change, yet in interesting ways. My sister is seeking to live more frugally at the same time as reducing her ecological footprint. She's such a model citizen - so I gave her a bicycle for Christmas ;) She gave me a superb bracelet made from glass pieces picked up from the beach.. and my younger brother a 24 CD holder made from scrap PCB material.

She makes me feel guilty. Probably this will make me improve myself. And this is how the world changes; one breath at a time.

a happy time of year

2006-12-16T16:40:00.000-05:00

Christmas for the last 6 years is the time when everyone else goes off to spend time with family and I hang about working late and enjoy getting stuff done without looming deadlines. This year, I'm still enjoying getting work done without deadlines - but I'm also in the crowd that's going off to see family. I can't imagine anything more exciting than wrapping up a bunch of toys and books for my gorgeous nephews and home-made Christmas cards.

I may not be the sweetest person year round ;) .. but I love my family and I love doing stuff for them.

Work is allowing me to do things for others also. Our business influence has been diverted by other happenings, and we've turned to the task of beefing up test coverage. This is an ancient but robust design with EJB-CMP persistence and a long user transaction scope. Tests have consisted of either developers constructing objects or cactus based tests. Not good - developers tend to create only sensible objects and container tests are enough extra work that the tests are not often run.

I've simplified with a wonderful library called XStream. At any point during a transaction I can export my entire state to XML and save into a test resources folder. Unit tests can now run - without dummy test data being setup, no dependencies on environment and outside the container - with a full and accurate representation of a user transaction!

The beautiful side effect is that support staff can do the same thing with client transactions in production :)

the year that was - violence and bigotry

2006-11-26T05:27:00.000-05:00

I just watched the final of 60 minutes, including a montage of clips from the past year. So much antagonism between cultures and beliefs.

I can understand from an anthropological and historical point-of-view that we punish those who don't conform. They damage our community and values. In a time of pure survival this would have been dangerous.. today, our natures are all wrong. So damaging it makes me question the positives of belief, yet I believe religion will ultimately be better than the atheist view - people need something higher. In fact, we deserve it :)

There is no need for cultures to clash in the western world, yet it exists.

However, in resource poor areas (Africa and the mid-east) I can only see this becoming worse.

Why isn't there a religious edict about tolerance of other beliefs??! (And why do I watch TV?)

which is worse - drugs or sex?

2006-11-04T07:42:00.000-05:00

I'm deeply disturbed that a man of influence in that arrogant and confused country, the United States, will admit to buying drugs, and not to sex with a man.

If God gave man free will, and you can't use it to find good, then at least use it to cause least harm. In my moral universe, consenting - even paid for - sex is not likely as damaging as drugs.

I believe, literal interpretations of the Bible have caused more damage than good throughout history.

a change is as good as a holiday ;)

2006-11-03T20:17:00.000-05:00

I love the new blogger! I'm a sucker for "beta" anything ;) I don't need a holiday right now, but change is always good .. even when it's bad.. kinda like pizza.

Poor blogger and their "unplanned outages".

Isn't it terrible that we let the money managers get away with not paying for core system maintenance - until there is an outage? Systems developers and admins of the world have got to put their foot down - force the "business" to make time and budget for core support, or the business will suffer.

Just because we can't say when, how and what will happen - they force us to back down. We are left sheepishly looking at our hands .. saying quietly that there will come a time when A Bad Thing will happen.

To top it off, we're the ones left feeling guilty when it does happen.

back to civilisation

2006-10-22T07:37:00.000-04:00

What a weekend! I'm so exhausted my eyes can barely focus! But so happy.

I explored caves, mazes and farms. I love my nephews.. I love being a kid with them.

From random

And now with even more photos ! Family in Tassie album.

every instant second a suspension of forever

2006-10-11T05:12:00.000-04:00

I have not been doing enough thinking recently. My work has elements of challenge, but not nearly enough. My friends are sweet and wonderful, none of them throws out harsh gritty baits (like I do). How am I supposed to progress when my life is a breeze? Did I ever really want this?

every instant second a suspension of forever
a frail continuous sequence spanning over lives

I have been learning - meeting interesting people and doing new things. Though for that last few weeks I felt dissociated, aware of what's going on, but not having any emotion attached to it. Fantastic that I seem to have achieved some kind of buddhist ideal, but I don't think I like being calm.

Honestly, I think the truth is that I don't like being alone. At least when you're intent on destroying yourself in fun ways there's a thousand people who are right there with you.

My day

2006-09-27T18:33:00.000-04:00

So far it's been a pretty excellent birthday, I'm awake and I have full use of my faculties. I'm going to be late for work because I'm treating myself to a leisurely morning including toasted wholemeal muffins and my necessary double shot espresso. I say it everyday, but today I mean it even more, thank god for coffee.

I've learnt much in the last year, rather than done too much. I've finally admitted to myself that people - family particularly - are the most important thing to me. I have learnt so much about my flaws, and by slowing down and looking at them, I can attempt to compensate for, or even correct them.

I'm sure the people who know me would appreciate that. I have a mouth faster than reason, somedays when I intend to say, "hey how are you" what comes out has the same impact as "your mama sucks dogs". I wish I were exaggerating.

My childhood of extreme shyness and never speaking left me way behind the eightball on expressing myself as I intended.

red!

2006-09-09T23:25:00.000-04:00

i went red.. pity it never lasts like this.. but thanks to digital + internet, everything can last forever:

From red 20060910

learn something new every day

2006-09-07T07:26:00.000-04:00

Well I do *try* to learn something new every day, but rarely is it so useful;

http://www.lifehacker.com/software/life-hacks/keep-headphone-wires-from-getting-tangled-152499.php

reading new scientist (blogs) isn't such a waste of time after all ;)

outgeeked by mum

2006-09-03T04:53:00.000-04:00

my mum has never shied away from technology, which I've always thought was cool.. until now.

she's got a cooler phone than me!! (the new 3G motorola handset) and I'm a tad jealous.

this is worse than when I was a 19 year old and she was going out every Friday night, and I was at home painting or on irc - lucky I'm such entertaining company, cause the denizens of the internet are a little lacking :P

i got the message and the message is clear

2006-08-17T18:02:00.000-04:00

People who are making robots or suggesting pets to keep the elderly company are wasting their time..

Soon it will not be an issue and all elderly will be computer savvy - they will spend their twilight years playing computer games and chatting to other old fogues. No mobility required!

My mother is nearly 60 and happily whiles away her days pottering in the garden, reading the occasional novel and playing 5-or-more, bejeweled and Settlers I!

melbourne is diversity

2006-08-12T04:00:00.000-04:00

This city is awesome. Our mayor is chinese-australian and our deputy major is *flaming*.

Sydney might have the mardi gras, but we got the culture.

I just wish this diversity was reflected in our Federal parliament. Aren't we all sick of looking at the tired old white guy with crazy brows?!

new iPod and neat iTunes companion

2006-08-11T22:24:00.000-04:00

Just in time for my new video ipod (black of course!) I have discovered the yahoo (konfabulator) widget iTunes Companion - super-duper. It updates cover art - all the albums I've bought and ripped have been updated like magic! Highly recommended and please donate to mister Knut August Johansen - clearly he is a genius.

I've been chatting to my super-awesome mountie friend from Van, and it makes me miss Canada so badly. My boy is way up north in Ontario this weekend - playing survivorman and getting drunk with his buddies. I'm here.. which ain't bad. It's just far.

Upgrading from J2EE v!.crap to v3 was more painful that I first imagined.. 1.1 CMP had to be completely redone for EJB 2.0. The beautiful old-style architecture we had, simple Value Object/DTO access to the data, was based on the Value Object being extended by the Bean object. Ha! that makes all the data fields part of the EJB and completely breaks the 2.0 spec.

Why didn't they see that coming in 2001? ;P

Umoonasaurus and Opallionectes

2006-07-30T07:57:00.000-04:00

I think it's wicked that they have fossils made up of opal (abc science news). Coober Pedy (SA) is probably the only place in the world where animals are "opalised". That alone is worth the trip to Adelaide!

Nothing further to report. I am back on my lonesome - and feeling it.

Some pictures from frobozz' visit are on flikr.

2006-07-04T08:13:00.000-04:00

sunset from camberwell safeway

you'll never guess the best place to watch the sunset

2006-06-29T08:06:00.000-04:00

If there were an award for "Best view from a grocery store" or "Best place to watch the sunset in Melbourne", Safeway/Target Camberwell would almost certainly win both categories.

Many times I have walked home (the store is between me and the train station) and seen a row of people watching the sun set while leaning on the railing out front of the shops.

Tonight was spectacular, the city glowed with the cresent moon and the first star of the evening directly above. Heartstopping. Everyone I passed smiled at me - though perhaps that's because I was smiling first ;)

i might just be hooked

2006-06-26T05:21:00.000-04:00

It's created by a group called Mind Candy - how could I not get hooked? I love candy - i love puzzles!

I received my USB coffee warmer today - perfect accessory for the funky absent minded programmer whose coffee goes cold every time she gets on a roll/get interrupted/wanders off to chat ;)

In the box was also this weird little card; #027 Bar Open. "cool! they know where my favorite local jazz bar is?!? Awesome targeted marketing!"

Not so much.

It's a diabolical mega puzzle, with a online controller and puzzle cards of different levels. Of course, they game me the easy one. Teasing! Solved it, solved the freebies and now I'm jonesin' for more.

mmm.. mind candy.

google dream job super awesomeness

2006-06-25T03:18:00.000-04:00

one of my favorite people in the entire universe - glentron! - has been working at google for a while now, and since his blog showed up in blogger.com's "blogs we've noticed recently" i though everyone i know should know that glen is still super awesome..

he made that thing that synchronizes my firefox thingers!!! i never have to lose a bookmark again.. or wait til i get home from the office to look up that whatever!

i love him more than ever now! useful people deserve prizes! and lots of good sex. however, as i am in australia, i think i will just send him some candy.. :)

i always miss cherry ripes when i'm away ;)

boundin'

2006-06-21T08:31:00.000-04:00

I love pixar. So nice to know there are Jackalopes around!

Good and cute things may seem stupid to most people. Those people can take their superciliousness and pretend to be cool elsewhere.

Simple goodness makes people happy.. and that's what life is really about.

there are no stupid questions, only stupid people

2006-06-15T08:34:00.000-04:00

I know that it's completely uncharitable and unfair.. but I have a cold, I'm not in vegas and people on forums complaining about eclipse not working like RAD make me want to squirt lemon juice into their eyes.

WebSphere Studio -> RAD is a sore association for me. It's *not* the real server - how many times have the bugs come out once deployed to the integration or test server??

Maybe.. (unlikely).. the products aren't bad per se, but they are often associated with big-bad-ugly projects. EARs with >five utility/framework/EJB projects - what the fuck is the framework this time? - .. countless EJBs, layers, validations, rules, redirections and some laughable (if one wasn't working on them) attempts at implementing patterns which ended up like jigsaw puzzles!

I think I feel better now.

Did I ever say how much I love being a developer? :)

vegas and the grand canyon :)

2006-06-12T02:42:00.000-04:00

I dislike the idea of vegas, I can't understand why people go there. Except for right now!

JBoss world is there - with it's preponderance of hot java geeks - and my own hot geek is going to Vegas for Cisco Networkers this coming week too. Then onto the Grand Canyon - a destination high on my list of "must sees".

This is about the only time I'd want to be there and I'm stuck in frozen Melbourne. Why can't I have everything my way?

It isn't so bad, I'm playing with Seam. Being a weekend thing, I can barely keep up with the commits coming through - someone needs to send Gavin King on vacation! Working from CVS means staying in line with EJB3/appserver requirements du jour. e.g. NoSuchMethodError this week; http://www.jboss.org/index.html?module=bb&op=viewtopic&t=84602

I have randomly popped the EJB3 Alpha8 jars into the AS lib directory.. and moved out some other random ones. My apps are working again - yay :) but I feel like I will be punished for violating the appserver with this brutal surgery, so strong is the drill to not fuck with the appserver lib directory.

Coding is more fun when you break the big stuff :]

did they not feel feel canadian enough?

2006-06-05T04:02:00.000-04:00

Seems the youth of Toronto are just as disenfranchised and attention seeking as any other easily misled group, but even understanding the urge of youth to stand up against the perceived injustices of the world, nothing makes sense about setting bombs in Canada.

True, Toronto is the least Canadian part of Canada (as the biggest city), it always gets the ribbing of being too big, too rude, too american ;P Perhaps, but I'v always considered us safer and more reasonable than most of the world.

These were local guys, from the GTA and surrounds, probably in mid/lower class (speculation) neighbourhoods. How did things get so wrong for them? Do they not understand what it is to be Canadian? People around the world would give up a limb to be in their place! I'm sure Canadian Muslims have no grudge against Torontonians - or do they, sections of them, and we have no idea?

With only a couple of weeks until Canada Day, I'm extra sad to hear about this. I hope everyone is thinking about how we can share the great things about being Canadian with everyone.

Exploding things is cool, but Canadians dying is so not.

2006-05-21T02:00:00.000-04:00

The beautiful and sweet clothilde and the drunk but super-happy syber!

IBM - too often the enemy within ranks

2006-05-21T01:52:00.000-04:00

Friday was such an interesting day.. and night. I got my Victorian driving license (and sadly had my Canadian one punched and invalidated), arrived at work happy and bouncy as a spring lamb (before they become tasty dinner!), and found everyone stuck, looking for the reason behind the crypto initialization exception.

My first thought - after a quick mental check that it wasn't my fault - was what the hell are we using security for? Then I got all excited, finally something interesting!?

I replicated the actions, got the stack, slightly more descriptive than the others (possibly because I saw the original) and traced it back to the IBM JCE jars. Google led me straight to the answer: "IBM JCE Certification expires on May 18, 2006" .. uh what was the date Friday? hahahah! Nice work. IBM is sometimes (too often) a developers worst enemy!

With the project winding down, still a week until systest (perhaps less), we're all feeling pretty good.. and went out for lunch. I had a glass of wine and mellowed out for once. Not that my life is stressful, but apparently I'm "edgy" ;) I'd say I'm easily excitable. It's all apt.

Went out with an old friend to another old friend's birthday drinks. Had a fabulous time, but once again I found myself wondering why I let myself get led astray into bad habits? Drinking is OK, but not getting smashed, forgetting my reason and smoking. It's not me. It's me trying to be what other people want.

What do you do when your friends are bad for your health?

Folks don't change, they just reveal

statement: what is wrong with middle america.

2006-05-10T06:20:00.000-04:00

Teller: I haven't decided yet if I'm going to see The Da Vinci Code. I want to see it, but if I do I'll feel like I'm. . . supporting. You know?
Bank AVP: . . . Supporting?
Teller: The Devil!

Long pause

Bank AVP: Tom Hanks is the devil?

48 Clifty Kirkmansville Road
Clifty, Kentucky

winter settles on melbourne

2006-05-07T06:10:00.000-04:00

The leaves of the massive tree in my yard have mostly fallen, I'm using a little ceramic heater and wearing fluffy flannelette pyjamas (hello kitty ones, of course) and winter is definitely here.

I've decided something is missing in my life recently (aside from the tall, dark and handsome one). My mission in coming to Australia was to sort myself out, to stop being a workaholic and balance myself.

Ha. What a doomed idea. I love my work. Recently I find myself - instead of coding on a Saturday morning - *shopping* and wondering why the fashion is for tatty looking lacy messy clothes, instead of the sharp, clean styles I prefer.

I'm becoming the kind of person I don't like - or more accurately; respect.

Instead of staying up last night coding, I was downloading music from musicmp3.ru - entire CDs for around $1.

At first I thought, right on! All the music I actually want - including the European stuff that itunes stores Canada and Australia don't let me buy - and at affordable prices. I signed on for $29 credit.. (Yes, I take risks on the internet, but I investigated first and it "felt" legit.. It's strange that I'll use my credit card online, but I'd rather stab myself than give my real phone number).. anyway, I sucked down some compliations that I would normally never have paid for; Cafe Del Mar's, MOS, Buddha Bar. And some new stuff, that I would have paid for; Gnarls Barkly, Gotan Project, Zero 7, Ladytron and Pendulum.

I was _pretty happy indeed_ .. then I thought, Heavens to Murgatroid, this doesn't feel ethical.. or right at all. Isn't the point of paying for music that at least a homeopathic trace of the money goes to the artist?

But how is it right that I pay $17 for the same music that costs me $10 in Canada - even with conversion, it's not in any way equivalent.

All this copy-control and DRM bullshit, when I just want to listen to the music I paid for. I can see the point, but don't agree at all. I can't listen to my Cat Empire CD because I can't move it to my ipod - and I will not be caught carrying a CD - like some renegade from the 90s.

Also, I can't listen to any bought music at work because iTunes is unable to negociate the corporate proxy.

*Sigh* rant over. Summary, I am dubious about whether it's right or wrong to buy from musicmp3.ru - but cheap, good music feels so right!

BTW. Google Talk is the only non-browser application which gets through the corp proxy. Good for google.