Monthly Archives: November 2013

Regular Expression

It's really awesome to see people sharing their knowledge with everyone out there. If you need a regular expression while writing a piece of code or doing validation in your application, you don't have to break your head designing this cryptic code yourself. There are awesome people out there who are good at it and willing to share it with the world. Recently I had a requirement to look for a particular country's telephone numbers while scanning through various web pages. I found a tool which does this, but it had only a generic regular expression for phone numbers. I am not at all good at regular expressions and, to be honest, I haven't broken my head trying to learn them... :).

Because I am lazy, I thought I would give it a try in Google before doing it myself from scratch. When I did, I found some very useful regular expressions, all shared and kept well on the site below:

http://regexlib.com/Default.aspx

There is another blog which lists commonly used regular expressions; not exhaustive, but worth scanning through for your requirement.

http://www.coffeecup.com/help/articles/regular-expression-examples/

Before I got too lazy to share it, I wrote this quick blog post for other readers.
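As an added example (not from the original post, and not the tool mentioned above), here is what the difference between a generic phone-number pattern and a country-specific one looks like in code, together with the one check you need when a pattern copied from a regex library is reused for input validation rather than scanning. The post does not name the country, so North American 10-digit numbers are assumed; the sample text and the numbers in it are constructed.

```python
import re

# Constructed sample text: two numbers in local style, one with the
# country code, plus three digit runs that are not phone numbers at all.
SAMPLE = ("Call (415) 555-0123 or 212-555-0199, or +1 650 555 0100 from abroad. "
          "Order 1234567890 shipped 2013-11-05; ref 0012345678.")

# The kind of catch-all pattern a generic scanner ships with: a run of
# digits, separators and parentheses at least nine characters long.
GENERIC = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Country-specific pattern (assumption: North American numbering plan).
# Area code and exchange start with 2-9, separators are optional, and the
# lookarounds refuse to start or stop in the middle of a longer digit run.
NANP = re.compile(r"""
    (?<!\d)                 # not preceded by a digit
    (?:\+1[\s.-]?)?         # optional country code
    \(?[2-9]\d{2}\)?        # area code, optionally in parentheses
    [\s.-]?
    [2-9]\d{2}              # exchange
    [\s.-]?
    \d{4}                   # subscriber number
    (?!\d)                  # not followed by a digit
""", re.VERBOSE)


def find_numbers(text, pattern=NANP):
    """Scan free text for phone numbers, the way a page scanner would."""
    return [m.group(0) for m in pattern.finditer(text)]


def is_valid_nanp(value):
    """Validate a single input field: the whole value must be the number.

    Library patterns are usually written for scanning. For validation the
    match must be anchored (fullmatch here), otherwise any junk that merely
    contains a phone number somewhere inside it would be accepted."""
    return NANP.fullmatch(value.strip()) is not None


def occurs_somewhere(value):
    """The unanchored check, kept only to show what fullmatch prevents."""
    return NANP.search(value) is not None


if __name__ == "__main__":
    print("generic:", find_numbers(SAMPLE, GENERIC))
    print("strict: ", find_numbers(SAMPLE))
    print(is_valid_nanp("415-555-0123"), is_valid_nanp("call 415-555-0123"))
```

The generic pattern also picks up the order number, the date and the reference number; the strict one returns only the three real numbers, and only `is_valid_nanp` rejects a field that has other text wrapped around a valid number.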


How to keep yourself updated with latest technology trends

It's a quick-read blog post and will not take more than 10 minutes to read completely.

It's very hard to cope with the ever-changing technology trends and keep yourself updated all the time. Technology changes at such a fast pace that the things you learn today cease to exist or get replaced very quickly.

But we cannot run away from reality, and we will have to keep ourselves updated as long as we are in the industry; otherwise, in no time the door will be opened for you to move out of the organization you are working for... 🙂

What do I do?

I am not claiming that this is something you should do. It's one of the ways I try to keep myself updated, to some extent, with the pace of technology change.

I subscribe to various RSS feeds, go frequently to some great sites (DZone, JavaLobby etc.) and look for blogs/articles which deserve a read. Once I decide on a blog post or an article, I first skim through it and see if it is well written. If so, I start reading the first paragraph. If the blog really entices me, I try to set aside time for it or save it in Pocket (a bookmarking application). When I get time, I start reading the blog with a notepad open side by side, and I put notes in the notepad as I read. If the blog is interesting enough, I try to put adequate things in my mind which I can use later on to churn out my own blog post on the topic. When I decide that the topic is good for me to write about myself, I start preparing a draft post as I read. Things which I don't know deserve more reading, and I start googling to get more details. My blog post slowly grows in size, but without a structure. Slowly and steadily I try to put a structure to the post and start adding more sentences and figures. At the end of my read, my blog will have my own content with proper attribution to the content from which I extracted it. In the meantime, if the blog deserves a practical session, I go on trying various tools and put these into practice.

If at the end I feel that my post is a good candidate to be published and it gives the reader a good, thorough explanation of the topic, I add the reference section and go ahead and publish it.


Application Security – SSO and FID

This post is in no way a comparison between SSO and FID. Theoretically both do have some similarities, but there are some core differences because of which a comparison should be deemed unfair and unethical. Having said that, when I was posed a question on OAuth, I researched it a bit on the internet and this blog post is a by-product of that. The post doesn't go into detail on any of these but just gives some important links and the relations between them. Readers can use it as a very high-level starting point in the quest to become proficient in this area. I am still an amateur, and any feedback from readers on this post will be taken positively and looked into. If very good points are shared by readers, they will be incorporated into the blog.

SSO (Single Sign-On) allows users to access multiple services using a single set of login credentials. In true SSO, the user provides credentials only once per session and then gains access to multiple services without having to sign in again during that session. But the term SSO is used in places where it doesn't mean exactly this, which can be a bit confusing. You can have your own mechanism for signing on to different applications without the user explicitly providing credentials, and application developers also call this SSO. By the strict definition we cannot say they are wrong, but for a developer the term SSO can at times be ambiguous because of this. Some of the commonly used configurations are (detailed in Wikipedia):

  • Kerberos based
  • Smart Card based
  • OTP token based
  • Integrated Windows Authentication
  • SAML (Security Assertion Markup Language) – an XML-based open standard using which authentication and authorization details can be passed between two parties, in particular between an identity provider (IdP) and a service provider (SP). These terms will become clearer when Federated Identity (FID) is explained below. To give some base details, here are their definitions (after Wikipedia):
    • Identity Provider (IdP), also known as Identity Assertion Provider: the party that authenticates the user and issues identity assertions about that user to service providers as needed, establishing who the user interacting with their services is.
    • Service Provider (SP): an organization or application which provides services to its users and relies on the IdP's assertions instead of checking the user's credentials itself.

Federated Identity (FID) is about where the user's credentials are stored; it can also be thought of as a means of connecting various identity management systems together. In FID, the user's credentials are held by the user's home organization or service, called the "identity provider". When a user accesses a service, that service would ordinarily ask for a credential. Instead, the service provider trusts the identity provider and relies on the identity provider's authentication of the user, so the user is not prompted to supply a credential to each service separately. Google, Yahoo etc. are some of the platforms which allow users to log in to third-party web sites and applications using FID.

Now, is it right to use SSO and FID interchangeably? Strictly speaking, it is not wise to do so. Having said that, both provide a means of authentication without the user entering credentials each time a separately hosted service is accessed. As Wikipedia states, SSO is technically a subset of FID: it covers only the authentication aspect of security.
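To make the trust relationship concrete, here is an added example (not from the original post, and not any real SAML implementation): one identity provider holds the credentials and authenticates the user once; two service providers never see the password and instead accept assertions that the IdP has signed for them. The signature is an HMAC over a JSON payload, a deliberate simplification of SAML's XML signatures and key pairs, and the user, password and key are constructed. The checks the SP performs (signature, audience, expiry) are the ones that keep an assertion issued for one SP from being replayed at another.

```python
import hmac
import hashlib
import json
import secrets
import time

# Constructed for the example: the IdP's signing key is shared with the SPs.
# Real SAML uses an asymmetric key pair and XML signatures; an HMAC is used
# here only to keep the trust relationship visible in a few lines.
IDP_KEY = b"constructed-idp-signing-key"
USERS = {"alice": "correct horse battery staple"}   # constructed credentials


class IdentityProvider:
    """Holds the credentials and issues assertions about authenticated users."""

    def __init__(self, key, users):
        self._key = key
        self._users = users
        self._sessions = {}          # session id -> username

    def login(self, username, password):
        """Authenticate once; returns a session id or None on failure."""
        if self._users.get(username) != password:
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        return sid

    def issue_assertion(self, sid, audience, now=None, ttl=300):
        """Assert to one named SP (the audience) who the session belongs to."""
        subject = self._sessions.get(sid)
        if subject is None:
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"subject": subject, "audience": audience,
                              "issued": now, "expires": now + ttl},
                             sort_keys=True)
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    """Trusts the IdP's key instead of holding user credentials itself."""

    def __init__(self, name, idp_key):
        self.name = name
        self._idp_key = idp_key

    def accept(self, assertion, now=None):
        """Return (granted, subject-or-reason) for an incoming assertion."""
        payload = assertion["payload"]
        expected = hmac.new(self._idp_key, payload.encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "signature does not verify"
        claims = json.loads(payload)
        if claims["audience"] != self.name:       # replay across SPs
            return False, "assertion issued for another service provider"
        now = time.time() if now is None else now
        if now >= claims["expires"]:
            return False, "assertion expired"
        return True, claims["subject"]


def demo(now=1_000_000.0):
    """One login, two services: the SSO property described above."""
    idp = IdentityProvider(IDP_KEY, USERS)
    wiki = ServiceProvider("wiki", IDP_KEY)
    payroll = ServiceProvider("payroll", IDP_KEY)
    sid = idp.login("alice", USERS["alice"])
    results = {
        "wiki": wiki.accept(idp.issue_assertion(sid, "wiki", now), now),
        "payroll": payroll.accept(idp.issue_assertion(sid, "payroll", now), now),
        # an assertion meant for the wiki must not be usable at payroll
        "replayed": payroll.accept(idp.issue_assertion(sid, "wiki", now), now),
        "stale": wiki.accept(idp.issue_assertion(sid, "wiki", now), now + 600),
    }
    tampered = idp.issue_assertion(sid, "wiki", now)
    tampered["payload"] = tampered["payload"].replace("alice", "mallory")
    results["tampered"] = wiki.accept(tampered, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Only the IdP ever compares a password; each SP decides purely on the assertion, which is why the audience check matters: without it, any service that trusts the IdP could reuse an assertion issued for a different service.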

I took the direction of this research and blog post to learn more about OAuth and what it is. To explain OAuth, I had to explain what SSO and FID are. Now that we have a background on SSO and FID, let's come back to the main topic I was after.

There are various technologies used to implement FID. Along with some proprietary standards, there are well-known open standards like SAML, OAuth and OpenID. Now let's dive into each one in some detail. I could see many blogs/forums on the internet which compare SAML and OAuth. As pointed out in this stackoverflow answer, the two are not really alternatives to each other: they solve different problems.

    • SAML (Security Assertion Markup Language) – the base details were covered earlier; here we expand on them a bit. As detailed earlier, the three main parties are the principal (user), the Identity Provider (IdP) and the Service Provider (SP). This is how it works: the user requests a service from the SP. The SP requests and obtains an identity assertion from the IdP, which authenticates the user if it has not already done so. On the basis of this assertion, after checking that it is signed by an IdP it trusts and is addressed to it, the SP makes an access control decision which allows or denies the user the service requested. The image below is from a blog which compares these various FID technologies.

A sample SAML use case

    • OAuth is an open standard for authorization. It provides a method by which a client (typically a third-party application) accesses resources on a server on behalf of the resource owner. End users can use it to authorize third-party applications/services to act on their behalf without handing those applications their username/password; the application instead receives an access token limited to what the user approved. It should now be clearer to the reader how these technologies relate to FID. The image below is from a blog which compares these various FID technologies.

A Sample OAuth use case

    • OpenID is again an open standard, this one for authentication (it does not itself handle authorization; that is OAuth's job). The user registers with a preferred OpenID identity provider and uses that account as the basis for signing in to other applications that support OpenID authentication. The image below is from a blog which compares these various FID technologies.

A Sample OpenID use case
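The OAuth point above (the application gets a scoped token, never the password) is easier to see in code. The following is an added example, not from the original post and not a real OAuth library: an authorization server issues a single-use code after the user consents, exchanges it for a short-lived token bound to the client, and a resource server enforces the granted scope. The client name, user, album contents and the scope strings are constructed; browser redirects, client authentication, PKCE and refresh tokens that real OAuth 2.0 needs are left out so the delegation itself stays visible.

```python
import secrets
import time

# Constructed for the example: one registered third-party client.
CLIENT_ID = "photo-printer"


class AuthorizationServer:
    """Issues codes and tokens; the client never learns the user's password."""

    def __init__(self):
        self._codes = {}     # code  -> (user, client_id, scope)
        self._tokens = {}    # token -> (user, client_id, scope, expires)

    def authorize(self, user, client_id, requested, granted):
        """The resource owner consents; the client gets only what was granted."""
        scope = frozenset(requested) & frozenset(granted)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, scope)
        return code

    def exchange_code(self, code, client_id, now=None, ttl=600):
        """Single-use code -> short-lived access token, bound to the client."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[1] != client_id:
            return None
        user, _, scope = entry
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, client_id, scope, now + ttl)
        return token

    def introspect(self, token, now=None):
        """What the resource server asks: who, which client, which scope."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, client_id, scope, expires = entry
        now = time.time() if now is None else now
        if now >= expires:
            return None
        return {"user": user, "client_id": client_id, "scope": scope}


class PhotoService:
    """Resource server: decisions depend on the token's scope, not just the user."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._albums = {"alice": ["beach.jpg", "cat.jpg"]}   # constructed data

    def _claims(self, token, needed, now=None):
        claims = self._auth.introspect(token, now)
        if claims is None or needed not in claims["scope"]:
            return None
        return claims

    def list_photos(self, token, now=None):
        claims = self._claims(token, "photos:read", now)
        return None if claims is None else list(self._albums.get(claims["user"], []))

    def delete_photo(self, token, name, now=None):
        claims = self._claims(token, "photos:write", now)
        if claims is None:
            return False
        album = self._albums.get(claims["user"], [])
        if name in album:
            album.remove(name)
            return True
        return False


def demo(now=1_000_000.0):
    """Client asks for read and write; the user grants read only."""
    auth = AuthorizationServer()
    photos = PhotoService(auth)
    code = auth.authorize("alice", CLIENT_ID,
                          requested={"photos:read", "photos:write"},
                          granted={"photos:read"})
    token = auth.exchange_code(code, CLIENT_ID, now)
    return {
        "listing": photos.list_photos(token, now),
        "delete_attempt": photos.delete_photo(token, "cat.jpg", now),
        "code_reuse": auth.exchange_code(code, CLIENT_ID, now),
        "expired_listing": photos.list_photos(token, now + 3600),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

Three things to notice: the token is worth less than the password (read scope only, and it expires), the authorization code cannot be exchanged twice, and a code issued to one client is refused if a different client tries to redeem it.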

Reference/Attributions


Quick Scheduling

Are your partners/friends etc. in different places without a common platform to let each other know their Yes/No for a meeting? You can use this awesome web application to do it in a very easy fashion. How secure it is, I cannot comment, but if these details are fine to be seen by others, this seems a very good option for doing just this.

http://doodle.com/

Disclaimer: there might be other sites which help you do just this, but this is my suggestion. I am not saying that this is the best solution though.
