Category Archives: General

Windows Task Manager – Enhanced

Have you felt at any point that the Windows “Task Manager” is limited in functionality? If so, this post points to a tool that gives you much more detail on the programs running on your Windows machine, with lots of data at your fingertips.

By the way, I haven’t done anything in this post myself; rather, I will just point to a simple utility which will help you get these details… :).

The tool we will be using is Windows Sysinternals Process Explorer. It is provided as a free download from Microsoft.

Process Explorer:

http://technet.microsoft.com/en-us/sysinternals/bb896653

You will need to download and unzip the Process Explorer package. The application does not have an installer, so unzip it somewhere convenient so that you can launch it when needed.

Complete details on the features of this simple program are given at the URL above.

Some screenshots that should convince you to use this enhanced Task Manager on Windows.



Regular Expression

It’s really awesome to see people sharing their knowledge with everyone out there. If you need a regular expression while writing a piece of code or doing validation in your application, you don’t have to break your head designing this cryptic code yourself. There are awesome people out there who are good at it and willing to share it with the world. Recently I had a requirement to look for a particular country’s telephone numbers while scanning through various web pages. I found a tool which does this, but it had a generic regular expression for phone numbers. I am not at all good at regular expressions and, to be honest, I haven’t broken my head trying to learn them… :).

Because I am lazy, I thought I would give it a try on Google before doing it myself from scratch. When I did, I found some very useful regular expressions, all shared and well organised on the site below:

http://regexlib.com/Default.aspx

There is another blog which lists commonly used regular expressions; it is not exhaustive, but it is worth scanning through for your requirement.

http://www.coffeecup.com/help/articles/regular-expression-examples/

Before I became too lazy to share it, I wrote this quick post for other readers.


How to keep yourself updated with latest technology trends

This is a quick-read blog post and will not take more than 10 minutes to read completely.

It’s very hard to cope with ever-changing technology trends and keep yourself updated all the time. Technology changes at such a fast pace that the things you learn today cease to exist or get replaced very quickly.

But we cannot run away from reality, and we will have to keep ourselves updated as long as we are in the industry; otherwise, in no time the door will be opened for you to move out of the organization you are working for… 🙂

What do I do?

I am not claiming that this is something you should do. It’s one of the ways I try to keep myself updated, to some extent, with the pace of technology change.

I subscribe to various RSS feeds, frequently visit some great sites (dzone, javalobby etc.) and look for blogs/articles which deserve a read. Once I decide on a blog post or an article, I first skim through it and see if it is well written. If so, I start reading the first paragraph. If the blog really entices me, I try to allocate time for it or save it in my Pocket (bookmark application). When I get time, I start reading the blog with a notepad open side by side. I try putting some notes in the notepad as I read. At one stage, if the blog is very interesting, I try to store enough in my mind that I can use later on to churn out my own blog on the topic. When I decide that the topic is good enough for me to write a blog myself, I start preparing a draft post as I read. Things which I don’t know in this case deserve more reading, and I start googling to get more details. My blog post slowly grows in size, but without a structure. Slowly and steadily I try to put a structure to the post and start adding more sentences and figures. At the end of my read, my blog will have my own content with proper attributions to the content from which I extracted it. In the meantime, if the topic deserves a practical session, I go on trying various tools and put these into practice.

If at the end I feel that my blog is a good candidate to be published and it gives the reader a good, thorough explanation of the topic, I put in the reference section and go ahead and publish it.


Application Security – SSO and FID

This post is in no way a comparison between SSO and FID. Theoretically both have some similarities, but there are core differences because of which a comparison should be deemed unfair and unethical. Having said that, when I was posed a question on OAuth, I did a bit of research on this on the internet, and this post is a by-product of it. The post doesn’t go into detail on any of these topics but just gives some important links and the relations between them. Readers can use it as a very high-level starting point in the quest to become proficient in this area. I am still an amateur, and all feedback from readers on this post will be taken in a positive sense and looked into. If very good points are shared by readers, they will be incorporated into the post.

SSO (Single Sign-On) allows users to access multiple services using a single set of login credentials. In true SSO, the user only has to provide credentials once per session and then gains access to multiple services without having to sign in again during that session. But the term SSO is used in different places where it doesn’t mean exactly what I just said, which can be a bit confusing. You can have your own mechanism for signing on to different applications without the user having to sign on by explicitly providing credentials; application developers also call this SSO. By the strict definition we cannot say they are wrong, but for a developer the term SSO can be a bit ambiguous because of this. Some of the commonly used configurations are (detailed on Wikipedia):

  • Kerberos based
  • Smart Card based
  • OTP token based
  • Integrated Windows Authentication
  • SAML (Security Assertion Markup Language) – an XML-based open standard using which authentication and authorization details can be passed between two parties, in particular between an identity provider (IdP) and a service provider (SP). These terms will become clearer when we explain Federated Identity (FID) in detail. Just to give you some base details, here are their definitions from Wikipedia:
    • Identity Provider (IdP), also known as Identity Assertion Provider, is responsible for issuing user identification to all service providers on a need basis, establishing the credibility of the user interacting with their services.
    • Service Provider (SP) is a company/organization which provides various services to its customers.

Federated Identity (FID) is an arrangement in which the user stores their credentials in one place. It can also be thought of as a means to connect various identity management systems together. In FID, the user stores their credentials with a home organization/service, called the “identity provider”. When a user accesses a service, the service would ideally ask for credentials. Instead, the service provider trusts the identity provider and authenticates against it, so the user is not prompted to supply credentials again. Google, Yahoo, etc. are some of the platforms which allow users to log in to third-party web sites, applications, etc. using FID.

Now, is it right to use SSO and FID interchangeably? Theoretically it’s not wise to do so. Having said that, both provide a means of authentication without the user entering credentials each time they access different, separately hosted services. As Wikipedia states, SSO is technically a subset of FID, covering only the authentication aspect of security.

I took the direction of research and this blog post to learn more about OAuth and what it is. To explain OAuth, I had to first explain what SSO and FID are. Now that we have a background on SSO and FID, let’s come back to the main topic I was after.

There are various technologies used to implement FID. Along with some proprietary standards, there are well-known open standards like SAML, OAuth and OpenID. Now let’s dive into each one in some detail. I could see many blogs/forums on the internet which compare SAML and OAuth. As pointed out in this Stack Overflow answer, there isn’t any similarity between the two.

    • SAML (Security Assertion Markup Language) – the basic details were covered earlier; here we will expand on them in more detail. As detailed earlier, the three main parties are the principal (user), the Identity Provider (IdP) and the Service Provider (SP). This is how it all works: the user requests a service from the SP. The SP requests and obtains an identity assertion from the IdP. On the basis of this assertion, the SP makes an access control decision which allows or denies the user access to the service it requested. The image below is from a blog which gives a comparison between the various FID technologies that can be used.

A sample SAML use case

    • OAuth is an open standard for authorization. It provides a method by which clients access server resources on behalf of the resource owner. End users can use it to authorize third-party applications/services to act on their behalf without supplying their credentials in the form of a username/password. Now I think it is becoming clearer to the reader how relevant these technologies are with respect to FID. The image below is from a blog which gives a comparison between the various FID technologies that can be used.

A Sample OAuth use case

    • OpenID is again an open standard, which can be used for both authentication and authorization purposes. The user in this case registers with their preferred OpenID identity provider and uses this account as a basis for signing in to other applications supporting OpenID authentication. The image below is from a blog which gives a comparison between the various FID technologies that can be used.

A Sample OpenID use case
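A simplified model of the SAML exchange described above, added here as an example (it is not code from the original post or from any SAML library): the IdP issues a signed assertion, and the SP checks issuer trust, signature, audience and validity window before it makes the access control decision. The entity ids, user names and the shared HMAC secret are constructed stand-ins; real SAML carries XML assertions signed with the IdP's X.509 key.

```python
import hashlib
import hmac
import json

# Constructed demo values: a real IdP signs XML assertions with its X.509 private
# key and the SP verifies with the IdP certificate; a shared HMAC secret stands in here.
TRUSTED_IDPS = {"https://idp.example.org": b"constructed-idp-signing-secret"}
SP_ENTITY_ID = "https://sp.example.com"
ALLOWED_USERS = {"alice", "bob"}  # the SP's own authorization list


def _canonical(claims: dict) -> bytes:
    # Stable serialization so IdP and SP sign/verify exactly the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(issuer: str, subject: str, audience: str, now: int,
                        secret: bytes, lifetime: int = 300) -> dict:
    """IdP side: assert who the user is, for which SP, and for how long."""
    claims = {"issuer": issuer, "subject": subject, "audience": audience,
              "not_before": now, "not_on_or_after": now + lifetime}
    sig = hmac.new(secret, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def sp_validate_assertion(assertion: dict, now: int) -> tuple:
    """SP side: every check that must pass before the assertion is believed.
    Returns (True, subject) or (False, reason)."""
    claims = assertion.get("claims", {})
    secret = TRUSTED_IDPS.get(claims.get("issuer"))
    if secret is None:
        return False, "issuer not trusted"
    expected = hmac.new(secret, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False, "signature invalid"  # tampered or forged assertion
    if claims.get("audience") != SP_ENTITY_ID:
        return False, "assertion not issued for this SP"  # issued for another SP
    if not (claims["not_before"] <= now < claims["not_on_or_after"]):
        return False, "outside validity window"
    return True, claims["subject"]


def sp_access_decision(assertion: dict, now: int) -> tuple:
    """Access control decision: authentication (the assertion) first, then the SP's
    own authorization policy. Returns ("allow", subject) or ("deny", reason)."""
    ok, result = sp_validate_assertion(assertion, now)
    if not ok:
        return "deny", result
    if result not in ALLOWED_USERS:
        return "deny", f"{result} is authenticated but not authorized"
    return "allow", result


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    a = idp_issue_assertion("https://idp.example.org", "alice", SP_ENTITY_ID,
                            t0, TRUSTED_IDPS["https://idp.example.org"])
    print(sp_access_decision(a, t0 + 10))  # ('allow', 'alice')
```

The order of checks matters: the SP decides nothing about a subject until the assertion has been shown to come from a trusted IdP, to be intact, and to be meant for this SP at this time.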

Reference/Attributions


Quick Scheduling

Are your partners/friends etc. in different places, without a common platform to let each other know their Yes/No for a meeting? You can use this awesome web application to do it in a very easy fashion. How secure it is, I cannot comment, but if these details are fine to be seen by others, this seems a very good option for doing just this.

http://doodle.com/

Disclaimer: There might be other sites which help you do just this, but this is my suggestion. I am not saying that this is the best solution though.


Secured FTP – SFTP Vs. FTPS

I work with various protocols such as FTP, SFTP, FTPS etc., as my application interacts with other applications using these protocols for various integration needs. Recently I came across an interesting topic while evaluating various protocols. All the file transfer protocols, namely FTP, SFTP and FTPS, came up for evaluation, and it sparked a debate as to which one should be included for secured FTP: SFTP or FTPS. To answer this I had to do a bit of research on the internet, and I didn’t have to do anything of my own in this post. I just had to plagiarize various content from the internet as written by awesome authors. The references for these are given in the reference section below my post.

While doing the research I managed to pull out some important points in a structured manner, which I would like to present below:

FTP protocol – has its roots in the year 1980

Disadvantages

  • Lack of a uniform format for directory listings (this problem has been partially solved by introducing the MLST command, but it’s not supported by some servers).
  • Presence of a secondary connection (the DATA connection).
  • Standard FTP doesn’t provide the security guarantees required in modern application integration, and this is the main reason for looking for other options to transfer data in a more secure fashion.
  • Even though the protocol is simple, it still isn’t very firewall friendly, because of the need to open two ports per session and, in one of the more efficient permutations, the need to open one of the ports inbound.

The two mainstream protocols available for secure FTP transfers are:

  • SFTP (SSH File Transfer Protocol – FTP over SSH) – Ideally SFTP doesn’t have anything to do with FTP or FTPS. It’s called FTP over SSH because the FTP standard has been around for a long time and is a popular one for file transfer, so some people refer to SFTP as FTP over SSH.
  • FTPS (FTP over SSL/TLS)

Advantages (Both)

  • Offer a high level of protection since they implement strong algorithms such as AES and Triple DES to encrypt any data transferred. To be more precise, they use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm.
  • Support a wide variety of functionality with a broad command set for transferring and working with files.

The notable differences between SFTP and FTPS are in how connections are authenticated and managed.

SFTP (SSH File Transfer Protocol – FTP over SSH)

In General:

  • A connection can be authenticated using different techniques. For basic authentication it just requires a user id and password to connect to the SFTP server. The important difference with respect to standard FTP is that any user ids and passwords supplied over the SFTP connection are encrypted.
  • SSH keys and fingerprinting can also be used to authenticate SFTP connections in addition to, or instead of, passwords, whereas FTPS does not support this.
  • With respect to implementation, SFTP is a clear winner over FTPS, as it is more firewall friendly. It requires only a single port, number 22, to be opened through the firewall. This port is used for all SFTP communication, including the initial authentication, any commands issued, and any data transferred.

Pros:

  • Has good standards background that strictly defines most (if not all) aspects of operations
  • Has only one connection (no need for DATA connection)
  • The connection is always secured
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking, and more

Cons:

  • The communication is binary and can’t be logged “as is” for human reading
  • SSH keys are harder to manage and validate
  • The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
  • No server-to-server copy and recursive directory removal operations
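The SSH-key side of SFTP authentication mentioned above rests on the client checking the server's host key fingerprint against one recorded out of band. The following is an added example (not code from the original post or from any SSH implementation) that builds an OpenSSH-format public key line, computes the SHA256 and MD5 fingerprints in the forms OpenSSH prints, and applies a known_hosts-style pin check. The host name and the 32-byte key value are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import struct


def build_ed25519_key_line(point: bytes, comment: str) -> str:
    """Build an OpenSSH public key line (the format used in known_hosts).
    The 32-byte 'point' here is a constructed constant, not a real server key."""
    blob = struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
    blob += struct.pack(">I", len(point)) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_key_line(line: str) -> bytes:
    """Return the raw key blob; the type string inside the blob must match the
    declared type, otherwise the line is malformed."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    return blob


def fingerprint_sha256(line: str) -> str:
    """OpenSSH's default fingerprint form: SHA256 of the blob, base64, no padding."""
    digest = hashlib.sha256(parse_key_line(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(line: str) -> str:
    """Legacy fingerprint form still printed by older tools: colon-separated MD5 hex."""
    h = hashlib.md5(parse_key_line(line)).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, 32, 2))


def verify_host_key(host: str, presented_line: str, pins: dict) -> bool:
    """The check an SFTP client performs before sending any password or key:
    the fingerprint of the key the server presents must equal the one recorded
    out of band for that host. An unknown host is refused, not trusted on first use."""
    pinned = pins.get(host)
    if pinned is None:
        return False
    try:
        actual = fingerprint_sha256(presented_line)
    except ValueError:
        return False
    return hmac.compare_digest(pinned, actual)


# Constructed sample data: the partner's host key and a pin table that, in practice,
# is filled from a fingerprint the partner sent through a separate channel.
PARTNER_HOST = "sftp.partner.example"
PARTNER_KEY_LINE = build_ed25519_key_line(bytes(range(32)), PARTNER_HOST)
PINS = {PARTNER_HOST: fingerprint_sha256(PARTNER_KEY_LINE)}
# A different key presented under the same host name must not match the pin;
# this mismatch is exactly what the recorded fingerprint exists to catch.
OTHER_KEY_LINE = build_ed25519_key_line(bytes(range(1, 33)), PARTNER_HOST)
```

Managing these pins for every trading partner, and rotating them when a partner changes its key, is the practical cost behind the "SSH keys are harder to manage and validate" point above.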

FTPS (FTP over SSL/TLS)

In General:

  • With FTPS, a connection is authenticated using a user id, password and/or certificate(s). Like SFTP, the user ids and passwords for FTPS connections are also encrypted. When an FTPS client connects to an FTPS server, the client verifies whether the server’s certificate is trusted. The certificate is considered trusted either if it was signed by a known certificate authority (CA), like Verisign, or if it was self-signed (by your partner) and you have a copy of their public certificate in your trusted key store.
  • FTPS can be very difficult to pass through a tightly secured firewall since FTPS uses multiple port numbers. The initial port number (default 21) is used for authentication and passing any commands. However, every time a file transfer request (get, put) or directory listing request is made, another port needs to be opened. You and your trading partners will therefore have to open a range of ports in your firewalls to allow FTPS connections, which can be a security risk for your network.

Pros:

  • Widely known and used
  • The communication can be read and understood by humans
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks

Cons:

  • Doesn’t have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind firewalls
  • Doesn’t define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn’t have a standard way to get and change file and directory attributes

Summary/Conclusion

In summary, SFTP and FTPS are both very secure with strong authentication options. In general, SFTP is technologically superior to FTPS. Since SFTP is much easier to pass through firewalls, and FTPS for this reason (needs a range of ports to be opened) poses additional security threats to the network, I believe SFTP is the clear winner in case you need secure FTP for your application integration needs.

In our protocol evaluation, considering the above points, I feel we can go with SFTP for secured file transfer and can omit FTPS. FTPS is omitted not because it is unsuitable, but because SFTP does the same things and is superior to FTPS in many ways.

Reference

http://blog.goanywheremft.com/2011/10/20/sftp-ftps-secure-ftp-transfers/

http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329/FTPS-vs-SFTP-What-to-Choose.htm

https://www.eldos.com/sbb/articles/4672.php?page=all


Spring Framework Vs. JEE – Part III

This is my final post on this topic, hopefully. Part I of the series can be found here and Part II can be found here.

I do at times think that my blog title itself is misleading, or rather incorrect, as I don’t feel that there needs to be a comparison between the two: both can exist together in one application without any issues at all. In fact, if that’s the case, we can use the best of both and be happy. But this debate has existed for a very long time, and nowadays Oracle also at times comments to the effect of killing Spring Framework (buy and kill it to reduce competition, Oracle’s buying spree logic) and going with standards. Being the creators and maintainers of the Java language, they do have the right to promote JEE, but I feel they don’t have to take such a stance, IMHO.

The community, with full adoption of the language, has made it a standard. Similarly, when Spring Framework came into existence, it was indeed helping Java developers use Java and avoid the complexities of developing enterprise applications. In fact, we have to give full credit to Spring Framework for keeping the Java language alive and kicking. I have heard many times, even from my own managers, that Java is too heavy and not that good for application development when you compare it with .NET. Spring has, to some extent, been able to bring that ease to it by taking the complexities away. Even now there might not be that much comparison in ease with respect to .NET, but the community is ready to develop applications using Java. Again, for enterprise applications comparing .NET and Java (JEE) is not that good an idea, for many reasons. I don’t want to diverge too much off the topic here.

As Kelly Tisdell mentions in his blog, JEE has definitely taken some pages out of the Spring book, added them onto its big Java bible, and spreads the word that “Java is the standard, so migrate to JEE from Spring to be standard”. It doesn’t say directly to stop using Spring, but it has that tone to it.

Even after taking those pages, developing an enterprise application from scratch using JEE does have its own complexities, and Spring does have that ease to it (might be subjective and debatable, but that’s what I feel). Most of the nicer features in Spring have now crept into JEE under different names and in a much refined fashion (JEE has learned from mistakes and corrected them) for sure, and that’s the reason developers have been prompted to think about this migration.

I wanted to put more facts in here rather than my opinions, but after so long I have indeed lost interest in filling in more details, and I thought that I would just give my opinion and close this never-ending blog post. Apologies for the same.

In my opinion, Spring and JEE should marry each other, and an enterprise application should be developed taking the good points from both. I am in no way saying that JEE or Spring scores over the other, because both are really good platforms to develop your enterprise applications.
