Sunday, January 27. 2008
For a long time now I have been saying that I need to get the library within a public source repository, write documentation, etc... Thanks to Andreas Solberg, all of this is finally coming to fruition. He has set up a home page for xmlseclibs, as well as the xmlseclibs project at Google Code. Things are still in the early stages, so there is still no documentation, but at least everyone now has access to the source repository, mailing list and bug tracker for it. Documentation is something sorely needed, so if anyone would like to help in this aspect, please contact me personally or send a message to the mailing list.
Saturday, January 26. 2008
My unemployment streak is coming to an end. Earlier this week I accepted a position at Mashery as Senior Software Architect, where I will be working full time with XML and web services. This is now also going to allow me to spend more time working on these within the PHP code base as well as libxml2. It's great when you get to work full time on the things you like to do. I'll still be working from the east coast and make the occasional trip to San Francisco, which although I don't want to live there, I really enjoy visiting.
Everyone I know keeps telling me how great it must be to have some time off and all that jazz. I am curious if they actually have ever gone through an unexpected and forced lay off. As I don't start until the beginning of February, and my time off so far has been spent on pursuing my next job, I am going to finally take a week off before I start and unwind. Something much needed after all of this.
Saturday, January 5. 2008
2008 is sure off to a lousy start. I went back to work the first work day of the new year after some relaxing time off just to be told the entire IT department has been let go effective immediately. I am just praying this isn't an indication about how the rest of the year is going to go. I get enough of the open position emails, but the trouble is that I am not going to leave Maine. I like it here and it's a great place to raise a family. That being said, if anyone is looking or knows of someone looking for a developer in Maine (I'm trying to avoid doing Java full time) or that allows for a full time telecommuter, I would appreciate any leads: You either already have my email address or contact me via: =rob.richards.
As far as outside projects I am involved in and work on, I do plan on continuing working on them, although I might be a bit MIA for some time until I get settled. My apologies for tagging this in all categories, but hey I need to get maximum exposure here.
Wednesday, December 19. 2007
The other day, in my review of PHP Oracle Web Development, I mentioned that I was having problems enabling the oracle extension on Fedora 8. I really didn't need to get it running, but the sheer fact that I tried it and it wouldn't work, pissed me off enough to spend some time getting it resolved. Hopefully this helps anyone else having the same problem. I am currently using instant client 11.1, but I did try the 10.2 version with the same results. I assume that the steps I went through to get it working are the same for that version as well (other than the different directory). Anyways, the issue was a bit strange. When trying to run the configure script, I would receive the error:
cannot compute sizeof char*
This would only happen when the oracle extension (ext/oci8 or ext/pdo-oci) was enabled. So I started poking around the config.log and the oracle m4 file. The first thing I noticed was that libaio was missing. Having become so used to rpms detailing their dependencies (and the instant client installing without issue), I hadn't realized that the instant client needed this lib. After a quick, yum install libaio, I tried again, yet still hit the same issue.
Continue reading "PHP, Oracle and SELinux"
Monday, December 17. 2007
The good folks from Packt Publishing were kind enough to send me a few books to review and I've been a little lax posting a review, so over the next few days I hope to have them all up. Overall I would have to say that PHP Oracle Web Development is a good book for a PHP developer needing to get up to speed quickly working with an Oracle database. I've worked with Oracle before using other languages, but never with PHP. I found the chapters progressed through the various topics in a logical and straightforward manner. It was easy to follow along, of course coding as you go, and easy to understand what was going on.
There were some features that, prior to this, I hadn't used before, such as their native XML support. Lately, I have been using DB2 and XQuery and was both surprised and glad to find the book cover some of this. Again, easy to understand and follow. After about 15 minutes, I was doing all sorts of crazy XML operations within Oracle.
The only place I found the book lacking was the initial setup of the environment. This is definitely a minor nit, but something that was a bit frustrating until I got it all working. The book tends to favor a Windows installation, which usually is simple anyways. I decided, however, to install on my Linux box. The missing step came when I was trying to configure the oci8 extension in PHP. I was not using the instant client and had not set up the environment, so things weren't found. After checking the oci8 config.m4 in PHP, I found it was looking for ORACLE_HOME. A little searching and I found that all I needed was to execute a shell command (included in the Oracle install) to have them properly set up:
After that, install went smoothly. Now, the only other issue I am having is trying to configure PHP to work on my Fedora 8 system using the 11.1 instant client. The configure script (using PHP 5.2 from CVS that does support this Oracle version) doesn't like it for some reason. Something to work on another day.
All in all, I would definitely recommend this book, PHP Oracle Web Development, to a PHP developer needing to learn or at least have a reference book on integrating with Oracle.
Updated 12/19/2007: I finally resolved the instant client issue on Fedora 8. Also fixed my typos :/
I was meaning to write about some of the new openinfocard features this weekend, but instead I spent my time trying to get the openinfocard selector working against the Windows Live Beta site supporting Information Cards. I finally found the problem and really just could not believe it. A few months ago, I received a similar, yet unrelated, bug report against my own libraries. A person was using my wsse/xmlsec libs to communicate against a .NET SOAP service that required messages to be signed and told me that it would not work unless the XMLDSIG elements used a default namespace. This means that
Within my libraries, I do prefix namespaces. Unfortunately for that person, I did not believe them and stressed that it had to be a coding error either on their part or from the service provider. Note that I didn't just dismiss their report. I was unable to reproduce the issue, was not given access to test against their service, do successfully interoperate with other .NET systems, and have a large number of users implementing my code against .NET services employing encryption and digital signatures. I hadn't heard anything more and ended up forgetting about it... that is until now.
Over the weekend, I spent a good amount of time comparing tokens from various selectors and trying different parameters. There were only two differences between tokens from Openinfocard and those from CardSpace. The first, which I spent most of my time on, was the timestamps. CardSpace provides a full hour for token validity. Openinfocard, on the other hand, allows the token 10 minutes of validity. I have run into a number of problems in the past due to the clock from either the client or server not being in sync. A fudge factor is usually built into the interactions (the client might set their NotBefore time to a few minutes prior to the current time, and the server might allow an extra ten minutes past the expire time), but I have seen cases, especially due to daylight savings and systems not being updated, that the clocks between the client and server are too far off and the token is not considered valid when submitted. Anyways, this didn't end up being the problem.
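The fudge factor described above, as an added example that is not code from openinfocard, CardSpace or my libraries: it evaluates a constructed SAML 1.1 `Conditions` window against a server clock that is offset from the client's. The issue time, the function names and the five-minute backdate are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed values: the client's idea of "now" and the two lifetimes
# mentioned in the post (10 minutes and one hour).
ISSUED = datetime(2007, 12, 15, 12, 0, 0, tzinfo=timezone.utc)
TEN_MIN = timedelta(minutes=10)
ONE_HOUR = timedelta(hours=1)


def make_conditions(issued, lifetime, backdate=timedelta(0)):
    """Build a Conditions element; backdate is the client-side fudge on NotBefore."""
    return '<saml:Conditions xmlns:saml="%s" NotBefore="%s" NotOnOrAfter="%s"/>' % (
        SAML_NS,
        (issued - backdate).strftime(FMT),
        (issued + lifetime).strftime(FMT),
    )


def check_window(conditions_xml, server_now, skew=timedelta(0)):
    """Return 'valid', 'not yet valid' or 'expired' for the server's clock.

    skew is the server-side tolerance applied to both ends of the window.
    """
    el = ET.fromstring(conditions_xml)
    not_before = datetime.strptime(el.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(el.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if server_now + skew < not_before:
        return "not yet valid"
    if server_now - skew >= not_on_or_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for offset_min in (-2, 0, 15, 60):  # server clock relative to the client, in minutes
        now = ISSUED + timedelta(minutes=offset_min)
        for name, life in (("10 min", TEN_MIN), ("1 hour", ONE_HOUR)):
            token = make_conditions(ISSUED, life, backdate=timedelta(minutes=5))
            strict = check_window(token, now)
            lenient = check_window(token, now, skew=timedelta(minutes=10))
            print("%+4d min  %-6s  strict=%-13s with 10 min skew=%s"
                  % (offset_min, name, strict, lenient))
```

A wider tolerance also lengthens the time a captured token keeps being accepted, so the skew value is a trade-off rather than something to raise until the errors stop.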
Come to find out, the Windows Live Beta site has the exact same problem when dealing with the SAML token as the bug report I told you about before. The issue is unrelated to the client code (so thankfully it wasn't an issue in my library - written in PHP); Openinfocard, which is the selector having a problem working with Windows Live, is in fact written in Java, and also prefixes namespaces. After altering the openinfocard code to use default namespaces, building new jars, installing the new jars and restarting Firefox (sounds simple, yet REALLY time consuming), I finally got Windows Live to accept my Infocard. The underlying problem itself still eludes me. All I know is that the issue lies on the server side. I have no idea if this is a problem stemming from a particular version of the .NET libraries or if a third party library is being used.
Either way, I would have expected more from Microsoft. It's forgivable that a developer from a small company might use an outside library to work with digital signatures (that also happens to be buggy), but for a company that pushes the WS-* stack (XML Digital Signatures being a core component of WS-Security) and provides core libraries for working with it, this is a serious issue. It also seems to not be isolated either; as exemplified by the same issue against a .NET SOAP service.
Now hopefully someone can get me some answers to where this problem stems from so in the future I have a little more insight if I personally end up encountering it when dealing with a SOAP service; or at least can provide some help to someone reporting the issue to me again.
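An added example (not code from xmlseclibs, openinfocard or the Windows Live service) comparing a prefixed XMLDSIG skeleton with the same skeleton under a default namespace. The sample documents are constructed with placeholder values, and the literal-tag lookup is a hypothetical receiver shown only to illustrate one way a consumer can become sensitive to prefixes; it is an assumption, not a diagnosis of the server-side problem.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed samples: identical structure, prefixed vs. default namespace.
# AAAA / BBBB are placeholders, not real digest or signature values.
PREFIXED = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#token"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>BBBB</ds:SignatureValue>
  </ds:Signature>
</Envelope>"""

DEFAULT_NS = """<Envelope>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference URI="#token"><DigestValue>AAAA</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>BBBB</SignatureValue>
  </Signature>
</Envelope>"""


def expanded_names(xml_text):
    """Return (namespace URI, local name) for every element, in document order."""
    names = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.startswith("{"):
            uri, local = el.tag[1:].split("}", 1)
        else:
            uri, local = "", el.tag
        names.append((uri, local))
    return names


def find_signature_ns_aware(xml_text):
    """Robust lookup: match on namespace URI plus local name, ignoring the prefix."""
    return ET.fromstring(xml_text).find(".//{%s}Signature" % DSIG_NS) is not None


def find_signature_by_literal_tag(xml_text, tag="Signature"):
    """Fragile lookup (hypothetical receiver): match the tag exactly as written."""
    return re.search(r"<%s[\s>]" % re.escape(tag), xml_text) is not None


def c14n_digest(xml_text):
    """SHA-256 over the canonical form; canonicalization keeps prefixes as written."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("same expanded names:", expanded_names(PREFIXED) == expanded_names(DEFAULT_NS))
    for label, doc in (("prefixed", PREFIXED), ("default ns", DEFAULT_NS)):
        print(label, "ns-aware:", find_signature_ns_aware(doc),
              "literal:", find_signature_by_literal_tag(doc))
    print("same canonical digest:", c14n_digest(PREFIXED) == c14n_digest(DEFAULT_NS))
```

Because the canonical bytes differ between the two forms, the choice of prefix or default namespace has to be made before signing; rewriting prefixes on an already signed document invalidates the signature.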
Friday, December 14. 2007
A lot has been happening in the world of identity selectors and I'm finally getting around to mentioning some of it. In the past, you might have noticed that on my Linux machine, outside of the openinfocard selector, I have had little to no luck with any other selectors. Things have finally changed in this regard. You might be aware of the DigitalME selector. I may be mistaken, but believe it to have been the first selector available for the Mac. There is still no Windows support, but I did find a Fedora 7 rpm available for download. As I had recently upgraded to Fedora 8, I decided to give it a try and was pleasantly surprised with the results. As you can see from the following screen shots, it is really clean and polished, oh I forgot to mention the big thing that it also works (for the most part).
If you look at the larger image, you will notice the selector divided between 2 parts. Within the "My Cards" section, I have selected the CData Personal card (notice it's highlighted). To the right, you are presented with the claims that will be submitted with the card: Personal Private Identifier (which I have blurred out), my given and surname (Rob Richards) and finally my email address. The last two items listed (http://www.bandit-project.org/identity/claims/groupmembership and http://burtongroup.com/interop/2007/05/identity/cameratype) are optional claims for which I am not providing any data.
As you can see, I am now successfully logged into the system. It breezed through some of the sites I test against and worked fine with my own managed card demo. I did run into a few glitches. I think the worst happened to be when Firefox had launched the selector and I accidentally clicked on something outside of the selector, causing it to go to the background. Well, my desktop ended up to be a bit useless at that point. Everything was greyed out, since I was in the stages of selecting a card, but I couldn't get the selector to come back and no clicks or key presses did any good. I ended up having to reboot at that point (And this, folks, is why I test out new selectors within a VM).
Now, this doesn't mean I am switching my selectors. Although for most people, I would recommend using DigitalME over openinfocard, mostly due to the fact that openinfocard is currently a development selector with lots of debug code too, but also DigitalME looks slick; still not up to the CardSpace eyecandy level, but getting there. I have been using openinfocard for well over a year now and think I'll stick it out with it and see where it goes. Plus, there's plenty of work to be done on it, so when I have time I try to help (though pitiful it may be), with it.
One change in the works I am looking forward to see developed is the identity selector selector, which is currently in its infancy stage. The problem boils down to the possibility of having multiple selectors installed. How does a browser determine which selector is launched when called for? On the simplest level, the identity selector selector would allow a user to specify which selector they would like to use, so when one is called the correct one is launched. This stems from a Firefox extension to support CardSpace. Work is now being done for a pluggable system so that selectors can fit within this framework, providing the user with choice rather than selector conflicts.
Another change that has occurred is the usage of Information Cards without the requirements of SSL. CardSpace rolled out this change in the 3.5 .NET release. Other selectors, such as the latest openinfocard releases, already support this functionality. You can test this against a little demo I wrote: Non-SSL Infocard support. This takes advantage of my latest infocard-lib library, which simply by passing False as the third parameter to the processCard function, handles the non-ssl enabled communications without any other code changes.
These are just a couple of the changes that have/are happening, but imo a little more notable than others given an end user perspective. Personally I am excited over some of the changes that have been made to the openinfocard selector (i.e. remote card storage). Those, however, I will leave for another day. Given that there happens to be a nice snow storm heading into Maine this weekend, I expect to have plenty of time to present some of those changes.
Monday, December 10. 2007
Life and work have been eating up all my time, so I have had no time to write anything about what's been going on. I finally decided to take a break from work, sit down and try to catch up with things.
Although busy, I have been updating my libraries; adding features, fixing bugs and trying to get some structure going. The libraries are used by a good number of projects, so I figured it was about time to make some of the changes known. First off, I started tracking versions and keeping changelogs for the different libraries (Only those that have changed since I started version tracking have changelogs right now). The libraries can all be found on my Source Code page. As for some of the specific changes....
Continue reading "Library Updates and Other Dealings"
Friday, October 5. 2007
The other day I was reading some recent thoughts by Kim Cameron about Information Cards and CardSpace. It had gotten me thinking about the usage of cards and when they would be rolled out in the financial area. In particular, wouldn't it be really cool being able to use managed cards instead of having to enter credit card information when trying to purchase something online. You might ask what the benefit of this would be... well I'll get to that in a minute. Today, while reading through all the recent posts on Planet Identity, I was pleasantly surprised to come across an entry by Andre Durand from Ping Identity. He and another developer had put together a demo, integrating Information cards and an e-commerce site, demonstrated at Digital ID World 2007, that does exactly what I was thinking of. Now, how soon until reality is my question.
Anyways, here was what I had on my mind prior to seeing it. I for one, use temporary credit card numbers. This means that every time I want to make a transaction, I have to go to my financial institution, log in, generate a one-time use number and CVV, cut and paste those into the merchant's form fields and then hit submit. It would be greatly simplified if the merchant would accept cards, which means I just click on their "submit credit card i-card" button, at which point I would be asked for my credentials by my financial institution, and have a one-time generated card number, expir date and CVV automatically created and then submitted to the merchant's site. This would not only save me time and steps, but definitely eliminate the possibility that I accidentally sign into a phishing site, thus exposing my credentials and allow attackers access to my financial information.
The reason why Kim's article had gotten me thinking about this is that I don't see why financial institutions wouldn't be rushing to get this implemented out in the real world. From their side, all they need to do is get the infrastructure in place to provide and manage the managed cards. They already have the software in place for users to provide credentials and retrieve the temporary numbers. On the merchant side, there also is little work involved. Provide the hooks and backend to handle submitted infocards. There is really no change to their existing software or business processes. The data points for the credit card (number, expir date, CCV, etc..) are the same, so all that would be required is to take the data from the submitted card and pass it off to the existing process. This also gets rid of the issue of trying to filter out card types in the selector from those that the merchant doesn't accept. My opinion is who cares? Nothing is stopping someone right now from entering in a Diner's Club card to a merchant who doesn't accept them. The user simply gets an error saying that they need to use a different type of card.
It would be great if the credit card companies could get say someone like Amazon to buy into this. It would get the things moving along in a major way. The only potential sticking point to this I could really come up with is getting all the credit card companies to agree on a common format. Worst case is that each has their own, but then it would be up to the merchant to make sure their software could understand all the different formats and parse them appropriately. I guess time will tell.
Wednesday, October 3. 2007
I have been in contact with the folks at the Maine Software Developers Association (MESDA) and they are interested in the possibility of starting a PHP user group here in Maine. Before anything is officially organized (aiming for the beginning of the year), they would like to find out the interest of such group from those in the area. Meetings would most likely take place at their facility in Westbrook, or somewhere in the Portland area. If anyone is interested, please contact me via email or i-name: =Rob.Richards.
MESDA will also be announcing this at their 15th annual conference and be seeking those interested in joining the user group. In order to help invigorate PHP development or at least educate some of the IT decision makers at the local companies around here about PHP, I will be doing a full day workshop on PHP at the conference on November 6th. The morning session, geared for anyone wanting to know how PHP could fit into their organization and what PHP 5 brings to the table, will cover an overview of PHP, its basics and overviews of the new features introduced in PHP 5. The afternoon session will be more coding oriented, taking a more detailed look using PHP 5, for the developers out there. This will be my first time at this conference. I'm not sure what the cost for attendees is yet, but if last year is any indication, it will be around $130, which is a bargain for a conference.
So, to recap...
If anyone is interested in a Maine PHP user group and/or will be attending the MESDA conference, I'd like to hear from you. I can be reached via email or i-name: =Rob.Richards.