Entries by Rob Richards

I am happy and proud to say that on May 7th at 9:59 pm, my second son, Chase, was born. He and Mom are doing great and Dean is just thrilled to be a big brother.

Support for dealing with encrypted SOAP messages was a feature that had been missing from my WS-* libraries pretty much due to my lack of time to implement it. When people ask for help interoperating with a SOAP server that requires encryption I typically just point them over to the WSF project. The problem has been that in many cases people are unable to install that framework, as they don't control the servers, or more recently I have gotten reports that they simply could not get it to work. Either it didn't support what they needed, wouldn't compile, or simple wouldn't work with even simple SOAP requests. I decided to finally set aside some time and implement the encryption/decryption portion of the library. Note that it was developed against some WCF services implementing message level security, so your mileage might vary against other platforms. Bug reports would be fastest way of getting any of those issues dealt with.

As part of the recent changes, I also finally got around to creating an official project for the libraries rather than just being ad-hoc files people pulled from my web site. The libraries are now officially part of the wse-php project hosted over at Google Code. It was a toss up between that and GitHub, but I really wanted to play around with Mercurial since I already use Git over at the Gnome project. Currently the libraries provide support for a portion of WS-Addressing and WS-Security that can be used with ext/soap in PHP. As time goes on I plan to add some support for simplified configuration of messaging as well as some other of the WS-* specs that might be useful when interoperating with other SOAP servers.

After quite some time, version 1.2.2 has finally been released. It can be downloaded at: http://xmlseclibs.googlecode.com/files/xmlseclibs-1.2.2.tar.gz

Changes include:

Features:
- Add support XPath support when creating signature. Provides support for
working with EBXML documents.
- Add reference option to force creation of URI attribute. For use
when adding a DOM Document where by default no URI attribute is added.
- Add support for RSA-SHA256

Bug Fixes:
- fix bug #5: createDOMDocumentFragment() in decryptNode when data is node
content (patch by Francois Wang)

Please submit any bugs or feature requests into the Issue Tracker.

Slides have been posted for the latest version of my Digital Identity talk.

The contents is a bit less technical than in the past and is aimed at wider audience than just developers. Please contact me if there are any questions on the material or topics presented. Rob Richards.

You can also find the slides from my OAuth presentation.

June 30th is a day I will never forget. It was the day I witnessed my sister pass away from lung cancer. A woman who was a non-smoker and lived an extraordinary life, I always believed Tracy would beat the odds. It really pisses me off. She wasn't a smoker, had a family, including 3 beautiful kids, yet was cut down in the prime of her life. She was only 3 years older than I and I cry foul!. All I can think of is the poem "Do Not Go Gentle Into That Good Night". We must all live life to the fullest which means taking advantage of every opportunity that arises and having the courage to do what we are afraid of doing. We all must "Rage, rage against the dying of the light."

I have always been the black sheep in my family. Doing things against the grain and not considered the norm. Although they didn't always agree with my choices, my family always supported my decisions. I really want to thank them with all my heart for that. Mom, I bet you never thought I would be where I am today Without everyone's support, I know I would never have achieved everything I have nor be where I am today. I thank you all for that. Julie, you have alway been there for me. No matter what I have been feeliing, you have always been there for me. No matter what you have always looked out for us.

Life is too short to just play by the book. We all need to take chances, do what makes us happy. How many of us regret not having had the courage to kiss the girl or say what we really want to say because we are scared of what other people think? My life hasn't been easy and I experienced all of this, so don't think its not normal. It wasn't until I realized that I don't really care what other people think as long as I am happy and I know what I am doing is right that I could truly live a life worth living. For that matter had I not been, I doubt that Julie and I would ever have gotten together, gotten married and eventually have our beautiful son Dean.

I ramble on..... I think the essence of what I am trying to say is that life is too short for fear, doubt, hate... We have to do what makes us happy. We need to experience everything that life has to give us. Being from farm country in Maine, I just have to quote Tim McGraw when he sings "Live Like You Were Dying". I really cannot sum it up better than his song.

Tracy, We love you.

Another php|tek has come and gone. Although a bit behind, I finally got my slides online for my Streaming XML talk. I lingered a little too long on a few topics so the XMLWriter portion was a bit rushed. If anyone has questions on any of the topics, feel free to drop me a line. I did promise a few people I would write a bit about XMLReader and XMLWriter, but it's slow going as I try to find the time. Hopefully in the not to distant future I can get to this. This Dad thing is really time consuming

I can remember back to last years php|tek. The morning of my web services workshop I found out that I was going to be a Dad. Needless to say that is one presentation I will never forget. It has been a long 9 months, but I am happy to say that I am now officially a father. My son Dean was born at 1:03 am on Jan 27th. Both Julie and Dean are doing well, though Dean gets to sleep much more than we do. Life sure is going to change dramatically, but none of us would have it any other way. Dean, if you happen to be reading this years from now, pulled from the archives of some search engine, I just have to say that you are the most precious thing to your mother and I (seeing you don't have any siblings....yet).

As many people have found out, entity handling in ext/xml is broken when used with libxml2 2.7.0-2.7.2. The problem lies with the way pre-defined entities are handled; or rather not handled when used with one of the newer libxml2 versions. The entities, &, < , >, ' and " never get passed to the user's callbacks, causing a big problem in quite a number of applications out there. Needless to say, I've received a good amount of hate mail over this problem. Got to love people. You never hear how grateful anyone ever is, but sure as hell once there is a problem they are all over you. Anyways, I digress.

Although I have been telling people for a few years now that they should use XMLReader rather than ext/xml, this breakage was not intentional; no matter what anyone says – Yes, I've had a few throw that out there. The good news is that the problem has finally been fixed, but will require both an updated PHP (5.2.9+) and libxml2-2.7.3, although none of them have yet been released. Until things are available, the available options are to either compile your own builds using the code from the libxml2 and PHP repositories, don't upgrade to libxml2 2.7.x yet if you haven't yet done so, build ext/xml with expat rather than libxml2, or lastly, convert your PHP code to use XMLReader.

My parting thought on this to everyone is just switch to the XMLReader extension. It's faster, easier to use and much more powerful.

While working on OAuth implementations for our clients at Mashery, one of the biggest issues I see developers running into is how to debug and fix invalid signature errors. There are numerous OAuth libraries out there, in fact we even have our own, so how do you determine which side is really generating the correct signature and which has a flaw in the logic? I find that using a third party library is a great way to quickly zero in on which side is at the root of the issue. The problem, however, is there are no readily available tools to do this. I have found a number of test applications, but they pretty much are for testing wether a consumer library/app is working correctly against them.

We mostly deal with providing the service provider side of OAuth, meaning numerous different endpoints, so these tools were of little help. I ended up writing a down and dirty signature generation app using the C# OAuth library (so Windows only folks). It will generate a signature based on the different OAuth parameters you enter. You can use this to compare the signature it generates to that from your consumer app or service provider. Full source code and more detailed information can be found on the Mashery Customer Solutions site. Time permitting, I may continue to add features to this tool. Hopefully others find this useful as well.

Source and Binaries: OAuth Signature Validation Tool

Slides have been posted for the latest version of my Digital Identity talk.

This talk has evolved since I first starting giving it, but the latest version simple needed more time to present. I was asked to combine all the topics (OAuth was to be its own presentation) into one, which I probably won't do again. Even just only covering the absolute basics, I found that there just isn't enough time to cover them all in the short amount of time, so some material was skimmed over. If anyone has any questions on any of the material, please feel free to contact me.