I upgraded my Ubuntu installation and was having problems getting my web applications to start correctly in Tomcat 5.5. I'm not using the standard location for the webapps.
I was getting ajava.security.AccessControlException.
I had to modify my /etc/tomcat5.5/policy.d/50user.policy and had to add this:
grant codeBase "file:/home/timb/webapps/-" {
permission java.security.AllPermission;
};
I have an association between the scout table and the rank table but this is a many to many relationship. I didn't want to use HABTM because I wanted to keep the rank_date for each rank.
My model now has three tables for this relationship: scout, rank_scout, and rank. Frequently I want to list the current rank of a scout and with DRY, I don't want the find method all over the place. I added a method to the scout model to get the current_rank and also the current_rank_scout model.
To get the current_rank_scout, I need to select the row with the maximum rank_date.
I tried lots of different combinations (in all of these, 'scout' is the current scout model)
scout.rank_scouts.maximum(:rank_date)but this gave me the maximum value of rank date for the scout, close but I need the whole row.
scout.rank_scouts(:max => :rank_date)Nope, not even close there.
scout.rank_scouts.find(:conditions => {'max(rank_date)'})
but :conditions must be a hash (and even if it was a hash, this doesn't work right.
Of course, I'm just making this too hard. Thinking of it a different way, if I order the rows by rank date, I want the first row.
scout.rank_scouts.find(:first, :order => 'rank_date DESC')Ah Ha! That's what I needed. On to the next task.
"We're sorry, there is no weather for your location. Please try again later."
I was asked to present at the Department of Education's Software Developers Conference in early August and I received a lot of positive feedback. You can find the presentation on my Presentations page.
The session was called "eAuthentication in Higher Education" and I talked about some of the current federations that are in production:
The basic purpose of the session was to educate the developers and hopefully show them that federations are not a radical idea anymore. Their customers, the schools, are already implementing federations and they can integrate it into their software or else their competitors will.
Let's start with a basic math lesson. The transitive property of equality states:
If a = b and b = c then a = c.
But let's carry that over to trusting people.
If Chris trusts Nick and Nick trusts Stephanie then Chris will (probably) trust Stephanie.
The transitive property isn't quite so absolute whenever humans enter the equation.
So we have the trust relationships but these only extend so far. I may trust a friend of a friend but I wouldn't carry that to a friend of a friend of a friend of a friend. There are not indefinite levels of trust.
The boundaries of our trust make up our federation. A federation is a group of organizations that have agreed to trust each other.
eAuthentication is one particular federation that is managed by the US federal government and specifically by GSA. There are many other federations such as those that I listed above. The one key difference with the eAuthentication federation is that the federal government has mandated that every agency will participate in eAuthenticaiton. Every citizen who interacts with the government may potentially use the federation.
We originally deployed code with a client-config.wsdd but this is a bit unweildy when deploying the client to many different systems. What we really wanted to to instead was to call the setClientHandlers(Handler request, Handler response) method on the Call object.
We are using custom serializers for all of our data types but this caused problems. We need to register the TypeMappings so Apache Axis knows how to serialize the objects into XML and back. The original code looked like this:
QName qn = new QName(IDTSConstants.DTS_DEFAULT_NAMESPACE, “DTSResponseSignature”);
call.registerTypeMapping(DTSResponseSignature.class, qn,
new BeanSerializerFactory(DTSResponseSignature.class, qn),
new BeanDeserializerFactory(DTSResponseSignature.class, qn));
And everything worked fine when the client handlers were defined in the client-config.wsdd.
However, as soon as we removed the configuration from the client-config.wsdd and added the line:
We would get stack traces like this:
However, after a few days of debugging (argh!!!) it was a simple fix.
Change the registration of the TypeMapping to look like this:
QName qn = new QName(IDTSConstants.DTS_DEFAULT_NAMESPACE,
“DTSResponseSignature”);
tm.register(DTSResponseSignature.class, qn,
new BeanSerializerFactory(DTSResponseSignature.class, qn),
new BeanDeserializerFactory(DTSResponseSignature.class, qn));
In migrating to the XML Registy and Repository for the Education Community we needed to make sure that the data in the registry accurately reflected all of the elements in the static PESC Core Main schema. In the XML Registry there are now almost 1,000 data elements. This is way too hard to manually compare 1,000 elements against a static schema.
I thought it would be an interesting little trick to use the data within the files themselves to build a document showing the similarities and differences. Hey, both source documents are XML (actually XSD) so XSLT is the logical choice for me to do this.
There are a few key points necessary to make this work:
Start the XSL by declaring the XML Schema namespace and also importing the XML Verbatim stylesheet.
The main loop of the xsl looks like this (simplified a bit to remove other html cruft):
Now match on the xs:complexType element to print the matched element and the element from the other document.
Voila! Using a bit of CSS there in the html I can get nice color coded XML and display the old document and the new document side by side in an HTML page. This was really a lot simpler that I expected it to be.
I’ve been a fan of Tom Peters for many years. I got the book “In Search of Excellence” from my mother several years ago and it really struck a chord.
I’ve been reading several manifestos from Change This and Tom Peters’ manifesto “The “PSF” is Everything” is simply great. It is one of those things that both fires me up and motivates me while at the same time I say to myself “of course, this stuff is obvious”.
He talks of making a dramatic difference and being a “dream merchant.” One of my favorite passages, life is “far too short … I don’t have the time to be bored.” Wow. I’ve never understood people’s acceptance of mediocrity. If you aren’t striving to be the absolute best at what you do then why even bother getting out of bed in the morning.
I had an unfortunate set of events happen in the last few weeks. The Windows XP system that I use at home was getting pretty flaky. I had hooked up my sister’s hard drive to backup / recover a few files for her and when I ran a virus checker I was a little shocked. The HDD had about 275 distinct viruses! I didn’t think that was possible. So I cleaned everything up (including spyware) and thought all was well. Unfortunately my own system that I used for the recovery started acting up. I thought that maybe one of the viruses (virii?) got onto my system somehow and was messing things up. I now know that it was just a bad coincidence. The hard drive was in the final process of dying a slow and painful (to me) death.
Anyway, long story short (maybe not short enough), I had lots of files that needed to be recovered. I had backed up all of the critical files like documents and budgets and such but I never backed up the photos from my digital camera or the approximately 35 GB of music. I don’t have any real way to back up 35 GB of music anyway. I have access to the original sources on CD or from archive.org for live concerts, but that is such a hassle to re-rip the CDs.
I started to copy files to the new hard drive but got lots of CRC errors. This was going to be painful. I needed a utility to copy the files and ignore the CRC errors. Of course I know that the section that has the CRC error is toast, gone, kaput. But that’s OK I suppose. It is better than manually copying every single file individually.
I came across Copy It Anyway! which will copy a file or set of files with read errors. Usually the whole file is not bad, just enough for one sector. With MP3 or videos this will usually be OK.
There are a few problems with this utility. First and foremost, it can’t copy subdirectories. There are a few other minor quirks I’ll explain at the end but the inability to copy whole subdirectories made this a very time consuming problem to recover my files.
I needed a batch file to loop through the old hard drive and build the command line to call CIA (Copy It Anyway!).
I have a controller batch file that coordinates the rest of things.
doit.bat:
Let’s look at what this is doing line by line.
Hard coded locaton for my source files (f:\My Music). The power of this line is the /b which tells the dir command to only list bare filenames. When used in conjunction with the /s it will also display the full path. The “/a:d” tells dir to only display directories.
This is an old DOS trick to concatenate two files. The listing below this has the contents of fragment.txt. Note that there is no line feed after the = or this won’t work.
the end part “> nul” just suppresses any error messages.
Now we want only the first line of the file. “find” will give us this. Unfortunately there isn’t a clean way to do this without a lot of temporary files.
Here we are echoing the literal string “call process.bat” to the end of temp.bat. We’re not executing it yet.
Execute temp.bat. Remember that when calling batch files from another batch file you must use “call”. Otherwise, the calling script will end as soon as the called script is finished.
Now take the temp.txt and list all files that do NOT have “set filename=” in them. We’re writing it back out to filelist.txt. So each time through the loop filename.txt will be one line smaller.
These two lines go together. Basically, if we type filelist.txt and there is still something left in the file then goto START and loop the whole thing again. If the file is empty then it will stop.
fragment.txt:
process.bat:
Let’s look at what process.bat is doing.
%filename% was populated when we ran temp.bat in the calling batch file.
Sometimes there is no real substitute for a good unix utility. Sed is a classic utility to edit the incoming stream (sed=Stream EDitor). The regular expression “s/f:/c:/g” says search for all “f:” and globally (g at the end) replace it with “c:”. If your source or destination are different then you’ll need to modify this.
Just like in the previous file, prepend a SET onto the first line of the file.
This will set the environment variable %outname% for later use.
Make sure that the destination directory is created. Technically this isn’t required, but if I tried to copy files to a directory that didn’t exist CIA.exe would prompt me to create it. I put this here so I wouldn’t have to babysit the script.
Output what’s happening.
This will run CIA with the source and destination.
fragment2.txt:
There are a few problems with this script:
On the whole it was an interesting experience getting all the data off the old drive. I think I recovered the vast majority of the files. Some of the MP3s are trashed because the first few bytes were corrupt. Oh well, that’s better than ripping everything again.
Before I get started I want to point out the purpose of this document. I’m trying to get the Shibboleth 1.3 Identity Provider running with as few extra components as possible. This means no LDAP, no SSL, no pubcookie and really for now, no real WAYF and no real Service Provider. This is a cut down installation guide to get it going. We’ll explore more options once everything is working. Just to reiterate, the setup described here is not secure in any way!! Don’t use this as a guide for your production site.
Download the shibboleth-1.3??.tar.gz file from http://wayf.internet2.edu/shibboleth/beta/ (I happen to be using the b5 build for now but obviously you should download the latest one)
Extract the file to a directory of your choosing and run the ant build script. This is a pretty straightforward process. One note, the first directory you are prompted for is the location of keystores, tools and other such things and should not go in the Tomcat/webapps folder.
Fire up tomcat and see what happens out of the box. Ok, not much happens out of the box. I guess I need to start reading some of the documentation.
So IMO the best place to start reading about a java app is the web.xml within the WEB-INF directory. Looking there are the following things:
One thing that is missing is the security-constraint to tell Tomcat that these are protected resources. There is an example here: https://mail.internet2.edu/wws/arc/shibboleth-users/2005-03/msg00020.html . This example is for using LDAP but I’m going to go even simpler and use the static tomcat-users.xml file. This isn’t scalable but it will allow the IdP to get up and running then I can migrate it to use LDAP in a little bit. By default, Tomcat comes configured to read users from the tomcat-users.xml and the user ‘tomcat’ with the password ‘tomcat’ will work for our purposes. This user will have one role of ‘tomcat’.
In the example the protected resource is in the URL ‘/HS’. As of Shibboleth 1.3 this has been renamed ‘/SSO’ so make the appropriate modifications to your web.xml.
Copy the security-constraint (changing the url-pattern to /SSO) and copy the login-config to your web.xml.
After restarting Tomcat, the IdP servlet was throwing an exception about not having the right kind of XML parser so I renamed the default tomcat/common/endorsed jars and copied all of the jars from the shibboleth-idp-install/endorsed to tomcat/common/endorsed and restarted tomcat.
Ooh, that was bad. Now XML parser errors are spewing all over the place. In tomcat’s server.xml I had the xmlValidation=”true” attribute set in the Host tag. Set it back to false and it started working. (Working in as much as Tomcat started)
When I go to /SSO or /AA I get the following Shib Exception:
No protocol handler registered for location (http://localhost:8080/timb-idp/SSO).
org.opensaml.SAMLException: Request submitted to an invalid location.
By modifying the idp.xml to bump up the logging to DEBUG we can see what is happening.
The Identity Provider was trying to register a URL at example.org. So modify the AAUrl attribute of the idp.xml to point to my AA (http://localhost:8080/timb-idp/AA)
Ooh!! Lots more messages came out of the tomcat console before it blew up. Still got the same error message, but it took longer to get there. That’s progress!
Within the idp.xml, change providerId attribute to point to my webapp and change the three ProtocolHandler/Location tags to correspond to what I’m doing.
Now I get the error org.opensaml.SAMLException: Invalid data from Service Provider: no target URL received.
That makes sense. I didn’t tell my SSO webapp where I was trying to go once I got authenticated. I need to pass some parameters to the SSO servlet so it knows what to do once everything is working.
According to the latest copy of the specification guide the HTTP request to the SSO must contain the following parameters on the query string:
Providing all of those now works and it redirected me to the URL provided by the shire parameter.
We now have a more-or-less-working-yet-toally-insecure Identity Provider.
Next step is to put up a Service Provider that can consume these credentials.
So I’m going to try to install Shibboleth. I’m going to try a pure java installation that is now available with Shib 1.3.
A great diagram for the architecture and components of Shibboleth is available from Howard Gilbert’s Wiki here
