August 18, 2006

Protecting your online identity!


This is a subject close to my heart seeing as I am involved in single sign on, password security and the like. Stephen Colbert makes a lot of sense :)

I particularly like his advice on strong passwords:

Ideally you should pick a password not even you can remember. Just close your eyes and slap the keyboard at random.

August 14, 2006

New web sign–on change password screen


I've recently been working on a new system to allow easy, secure and informative password changes on the web.

At the moment, if you are a main Warwick user, you can change your main ITS account password (from our NDS directory) via the managed desktop or on the web via the my.insite portal. In an effort to improve the usability and availability of password management, we decided to create a new single page that sits within the web sign–on project and allows any user, not just central Warwick users, to change their password.

We have a model whereby users that log in to web sign–on can come from a variety of sources:

  • Central NDS directory
  • Warwick Alumni service run externally
  • WBS Alumni service
  • WBS NDS directory
  • External user database for Warwick related users

A user does not have to worry about which of these types of user they are; they just log in, and the system works out where they are from and authenticates them securely at that source. Each of these sources can now optionally incorporate a password change interface that we are plugging into.

In the first instance the page will only allow central NDS users to change their passwords, but over the coming weeks we will add in as many of the other sources as we can.

Changing a password is actually a pretty boring thing really; however, we've made it a bit more interesting by giving some nice visual feedback about the strength of your password, so that you can judge how strong it is and understand why we are not letting you have a password of "letmein".

Change password screenshot

This is done through a fair bit of JavaScript and a bunch of AJAX calls back to the server to work out if your password is strong enough. Once all of the criteria are met, the "Change password" button is activated and it allows you to change your password.

The required password strength is probably going to be something people take a little while to get used to, as it is fairly strict. From the University's approved new password policy:

4.1 Choice of passwords
Passwords should:

  • Be at least 8 characters long.
  • Contain at least three of the following four types of character: letters in
    lower case, letters in upper case, numbers, and symbols (e.g. £$%^&*).
  • Be changed every six months for a new password (more often for
    systems requiring greater security).

In the long run we hope that this will mean that the average password strength is going to go up and this will raise people's awareness of what makes a stronger password and why it is important.
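As an added illustration (this is not the Warwick web sign–on code), the check below applies the two section 4.1 rules quoted above, the length rule and the three-of-four character class rule, in the kind of JavaScript the page runs before enabling its button; the class names, return shape and the coarse strength level are this example's own choices.

```javascript
// Added example (not the Warwick web sign-on code): checks a candidate
// password against section 4.1 of the policy quoted above. The class names,
// return shape and the strengthLevel heuristic are this example's own choices.
const CHARACTER_CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  // anything that is not a letter, digit or whitespace, so £ $ % ^ & * all count
  symbol: /[^A-Za-z0-9\s]/,
};
const MIN_LENGTH = 8;   // "Be at least 8 characters long"
const MIN_CLASSES = 3;  // "at least three of the following four types of character"

// Returns which classes are present, whether the policy is met, and the
// human-readable reasons a page would show next to its strength feedback.
function checkPasswordPolicy(password) {
  const classes = Object.entries(CHARACTER_CLASSES)
    .filter(([, re]) => re.test(password))
    .map(([name]) => name);
  const reasons = [];
  if (password.length < MIN_LENGTH) {
    reasons.push(`needs at least ${MIN_LENGTH} characters (has ${password.length})`);
  }
  if (classes.length < MIN_CLASSES) {
    reasons.push(`needs ${MIN_CLASSES} of lower/upper/digit/symbol (has ${classes.length})`);
  }
  return {
    length: password.length,
    classes,
    acceptable: reasons.length === 0, // only then would a "Change password" button be enabled
    reasons,
  };
}

// Illustrative strength label (this example's own heuristic, not the page's):
// 0 while the policy is unmet, then one step per extra character class and
// per 4 characters beyond the minimum, capped at 4.
function strengthLevel(password) {
  const { length, classes, acceptable } = checkPasswordPolicy(password);
  if (!acceptable) return 0;
  const extra = (classes.length - MIN_CLASSES) + Math.floor((length - MIN_LENGTH) / 4);
  return Math.min(4, 1 + extra);
}

console.log(checkPasswordPolicy('letmein'), strengthLevel('letmein'));
```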

July 24, 2006

Shibboleth and Question Mark Perception


I spent a fair bit of Thursday and Friday integrating our (newly upgraded to version 4) installation of Question Mark Perception with our Single Sign On system.

Perception does not support Shibboleth out of the box, but it does have a web integration layer called QMWise that allows external systems to push users and other data into the system bypassing Perception's internal authentication.

A project done at Leeds and funded by JISC has created a Java layer (QMShibb) that sits on top of QMWise and then allows you to easily protect that Java layer with Shibboleth, or in fact any Single Sign On system you like.

QMShibb - Shibboleth enabling Questionmark Perception
QMShibb - Installing Tomcat with IIS 6
QMShibb - Installation, configuration and testing

With the help of a Perception consultant we got this working with our own Shibboleth based Single Sign On system sitting on top of the QMShibb java layer. So, hopefully we'll very soon be able to do a lot more with Perception as the old user management overhead has now more or less gone away.

To truly minimise the admin overhead, more work should be done with QMWise so that user groupings get pushed into Perception, but the removal of username/password issues will be a great time saver.

July 19, 2006

JISC – Access Management Showcase


I went down to London yesterday to attend the JISC Access Management Showcase conference at the very posh One Great George Street in Westminster.

Overall I got some good little bits and pieces out of the day, but it was a bit disappointing.

The good:

  • Shibboleth 2.0. Shibboleth is moving towards being a proper Single Sign On system rather than the basic federated authentication system it is now. This means proxying credentials and single logout are on the way. However, this is still some way off. Our system does this already, but it would be nice to move to the standard if it is good enough.
  • Levels of Assurance. LoA is a way of telling a service provider just how sure the identity provider is of a user's identity. This means that if you log in with a weak username and password you get LoA 1. If you log in with biometrics you get LoA 4. This means that perhaps medical research data is available to you from your biometrics-enabled computer at work, but only non–personal data when you log in with a username/password from home.
  • UK Federation. A few more details on the JISC/UKERNA/BECTA sponsored UK–wide federation. This is the next step on from SDSS and will be live for early adopters in August 2006 and for everyone in November 2006. Hopefully we can get in early on this, as it is the next step away from Athens. We will hopefully be going live with Athens Shibboleth for next term, but in the long term Athens will be going away and service providers will have relationships with the UK Federation rather than Athens. The government's plan is that there will be a joined-up federation that not only allows sharing of resources and identities across institutions, but right across sectors: schools, colleges, universities, research institutes and commercial enterprises.

The bad:

  • I couldn't help but feel that there was not a lot of enthusiasm at the conference. Generally the sessions finished early as there were barely ever any questions. The final panel session didn't have a single question from an audience of over 100 people! It was actually a little embarrassing. I don't know if this was an indication of it being the end of a long, hot day, people just not being interested, or everyone having been so well informed that they didn't need to know any more.

On the plus side, the news coming out of this conference was definitely that Shibboleth is the way of the future, so thankfully we got on the right boat nice and early here at Warwick :)

June 19, 2006

SpringOne conference


I spent last Wednesday, Thursday and Friday in Antwerp attending the SpringOne conference.

It's the first conference dedicated to the Spring Framework, which is what we use to develop the majority of our applications here in e-lab.

Chris blogged every session he went to so I won't go over those again.

For me the most interesting parts that came out of it were:

  1. New features of Spring 2.0 explained a lot better than the documentation (which is improving, but I don't think it covers Spring 2.0 well enough yet)
  2. Discussion of rich domain models was interesting (which we've tried to do for a while), but everyone was talking like it was all new. There are a couple of new methods for achieving this with AOP or Spring 2.0's new @Configurable annotation
  3. Productivity improvements with Spring MVC, primarily the move towards convention over configuration (a big nod to Ruby)
  4. New namespace support in Spring 2.0 that will hopefully greatly reduce the reams and reams of XML that you always have to create and maintain
  5. AOP/AspectJ support was there in Spring before 2.0, but it is much more powerful and better documented now; it was great to see real world examples, even if they did sometimes take it too far
  6. Voca's presentation about how they had up to 500 people working on their new Spring based application that basically runs the UK's bank transfer systems, 100,000,000 transactions in 4 hours!!!

June 07, 2006

Apache with SSL and client auth on windows

I've always run any SSL I need on Tomcat on Windows as it was just really easy and less complicated and messy than getting Apache to work with SSL on Windows. Unfortunately I eventually needed to do it because of the extra power of Apache in that you can set different SSL options under different directories.

If you need to do client certificate authentication in Tomcat it is easy, but that is it: everything under that port is then protected with client auth.

In Apache you can do this:

# Only this path demands a client certificate; the rest of the
# virtual host stays server-auth only.
<Location /clientauth>
    SSLVerifyClient require
    SSLVerifyDepth 2
</Location>

Kindly a few people have written up some instructions on this:
Apache and SSL on Windows
Someone has also pre–built a Windows version of Apache with SSL built in:
Hunter Apache SSL builds
Apache doesn't provide such a build because they believe Windows is just not secure enough, and that allowing SSL on Windows lulls people into a false sense of security.

Anyway, most of it worked, but I just couldn't get Apache to trust my client certificates. The problem was this:

SSLEngine On
# server certificate and its private key
SSLCertificateFile conf/ssl/my.crt
SSLCertificateKeyFile conf/ssl/my.key
# mod_ssl looks certificates up in this directory by hash filename,
# not by listing it
SSLCACertificatePath conf/ssl.crt
# the CAs that client certificates are actually verified against
SSLCACertificateFile conf/ssl.crt/cabundle.crt

If you put certificates in the conf/ssl.crt path, when Apache starts up, it lists them all nicely saying that it has found them all, but will it trust them, will it hell. Only if you specifically put the certificate in the cabundle.crt (or whatever you've set SSLCACertificateFile to) will it work! Gah!

Anyway, working now so soon we should have a test membership of the SDSS federation so that we can do further tests on our Shibboleth SSO system.

June 01, 2006

Web groups and SSO integration for our web apps

I've recently been working on improving our Web Groups system. This is a central system that allows users to create their own arbitrary groups of Single Sign On users. These groups are then exposed through some web services which allow our other web apps to use them as the basis of permissions or grouping in whatever way they see fit.

Along with SSO, Web Groups is one of the systems that really helps us build very powerful systems with very easy and fine grained permissions, without having to actually do much work in each of those applications.

Web Groups now includes all sorts of groupings, such as:

  • Students in a department
  • Teaching staff in a department
  • Students doing a particular course
  • Full or part time students in a department
  • Students in a particular year of a course
  • Tutor groups

All of this data is automatically pulled in from our Academic Data Store (ADS) project. This means that the data is always up to date. Previously, if someone wanted to protect, say, a SiteBuilder page so that only people doing that module can see it, they had to find and keep up to date a list of the ITS usercodes of all students on that module. Now they just need to enter a group name and it'll be kept up to date for them.

If our groups are not good enough, people can make their own groups. So for instance you could create a group that is all the students on a module plus the 3 staff involved with that module. Again, this will all stay up to date as the students on that course change, even at the start of a new year.

We currently have a similar system in BlogBuilder, but we'll be moving over to this new system soon as it is more reliable, powerful and just plain faster.

By using these shared services such as SSO and Web Groups, we can build much more integrated and powerful solutions that we probably just couldn't get from an external vendor.

May 17, 2006

HTTPS Basic Auth RSS feeds for system monitoring

Most applications log messages out to a log file somewhere on a server, but they are a pain to look at. You could set up log4j to append messages via email, but to me it seems unreliable. Also, you have to decide who is going to get these emails, and they can be quite invasive if you don't always need to read them all.

RSS has been a great step forward in opting into information on the web rather than emails. So, why not do the same for system messages?

My particular use case involves some data from our Web Sign On system and these messages are quite sensitive so it is no good just publishing a public RSS feed.

My solution looks something like this:

1) I have a listener class within SSO that monitors activity and logs it in the usual way.
2) I have another listener that receives messages from the logging listener and looks for unusual activity, such as repeated login failures or lots of requests from the same IP address. When it finds something unusual, it puts an entry into the feed that will be displayed to the admin user. This is done with the Rome Atom/RSS Java utilities project. This is a great open source project that allows you to easily create/read feeds in all different formats.

import java.util.Date;
import com.sun.syndication.feed.synd.*;   // Rome's package name at the time

// Build one feed entry for the warning. The published time doubles as the
// entry id, and the description (log message plus the failed attempts) has
// to be attached to the entry or it never reaches the feed.
SyndEntry entry = new SyndEntryImpl();
entry.setTitle("Warning for user " + user);
entry.setPublishedDate(new Date());
entry.setUri("" + entry.getPublishedDate().getTime());
SyndContent description = new SyndContentImpl();
description.setType("text/html");   // the value carries <br> tags
description.setValue(logMessage + "<br><br>" + authFailures);
entry.setDescription(description);



These SyndEntry objects are generic enough to be turned into any kind of feed, be it Atom, RSS 2.0 or RSS 1.0.

3) I then have a controller that pulls all of those messages and puts them in a feed for that admin user to view:

import com.sun.syndication.feed.synd.SyndFeed;
import com.sun.syndication.feed.synd.SyndFeedImpl;
import com.sun.syndication.io.SyndFeedOutput;

SyndFeed feed = new SyndFeedImpl();
feed.setFeedType("rss_2.0");   // the output needs a concrete format; RSS 2.0 matches the feed shown below
feed.setTitle("SSO brute force warning log");
feed.setDescription("This feed shows warnings when users repeatedly fail to login");
feed.setLink(feedUrl);   // the feed's own HTTPS address (not shown here); Rome's RSS 2.0 generator needs a channel link
feed.setEntries(warningEntries);   // the SyndEntry objects collected for this admin user

response.setContentType("application/xml; charset=UTF-8");
SyndFeedOutput output = new SyndFeedOutput();
output.output(feed, response.getWriter());   // throws IOException and FeedException

4) This page is protected by our SSOClientFilter. This will allow HTTP Basic Auth, but only over SSL. As I don't trust Bloglines or anyone with my username and password, I just need to put the address into Thunderbird or a similar RSS reader like this:
The "forcebasic=true" on the end tells the SSOClientFilter to use Basic Auth rather than redirecting to our SSO login screen, as it would usually if I requested the page in the browser. When Thunderbird tries to read the feed, it is prompted for authentication, so it prompts me, the user, for my username and password and sends those securely to the feed.

5) Hey presto, we have an authenticated RSS system log:

<?xml version="1.0" encoding="UTF-8" ?>
<rss xmlns:taxo="" xmlns:dc="" version="2.0">
  <channel>
    <title>SSO brute force warning log</title>
    <description>This feed shows warnings when users repeatedly fail to login</description>
    <item>
      <title>Warning for user cusyac</title>
      <description>The last 3 login attempts for user cusyac were failures. Check wsos_auth.log
Tue May 16 17:37:47 BST 2006|Auth failed|cusyac|Username/password not found|137.205.x.x<br>
Tue May 16 17:36:38 BST 2006|Auth failed|cusyac|Username/password not found|137.205.x.x<br>
Tue May 16 17:34:37 BST 2006|Auth failed|cusyac|Username/password not found|137.205.x.x<br></description>
      <pubDate>Tue, 16 May 2006 16:42:58 GMT</pubDate>
      <guid isPermaLink="false">1147797778580</guid>
    </item>
  </channel>
</rss>
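The detection step of the procedure above (the listener in step 2 that watches for repeated login failures), as an added example rather than the SSO code itself: it walks lines in the wsos_auth.log format shown in the feed and produces warning entries shaped like the feed items. The sample lines are constructed, and the "Auth ok" outcome string, the test username and the masked IP are assumptions.

```javascript
// Added example, not the listener from the post: walks wsos_auth.log-style
// lines (the format shown in the feed output above) and raises one warning
// entry when a user's last N attempts all failed. The sample lines are
// constructed; the "Auth ok" outcome and the masked IP are assumptions.
const FAILURE_THRESHOLD = 3;

// Each record is timestamp|outcome|user|detail|ip; anything else is skipped.
function parseAuthLine(line) {
  const [timestamp, outcome, user, detail = '', ip = ''] = line.split('|');
  if (!timestamp || !outcome || !user) return null;
  return { timestamp, outcome, user, detail, ip, raw: line };
}

// Returns warning objects shaped like the SyndEntry title/description pair
// in the post. A successful login resets that user's failure run, and one
// burst yields one warning rather than one per further failure.
function detectRepeatedFailures(lines, threshold = FAILURE_THRESHOLD) {
  const runs = new Map();   // user -> consecutive failure records
  const warnings = [];
  for (const line of lines) {
    const rec = parseAuthLine(line);
    if (!rec) continue;
    if (rec.outcome !== 'Auth failed') { runs.delete(rec.user); continue; }
    const run = runs.get(rec.user) || [];
    run.push(rec);
    runs.set(rec.user, run);
    if (run.length < threshold) continue;
    warnings.push({
      title: `Warning for user ${rec.user}`,
      description: `The last ${threshold} login attempts for user ${rec.user} were failures. ` +
        'Check wsos_auth.log\n' + run.map(r => r.raw).join('\n'),
      sourceIps: [...new Set(run.map(r => r.ip))],   // where the attempts came from
    });
    runs.delete(rec.user);
  }
  return warnings;
}

// Constructed sample in the log format quoted in the feed above.
const SAMPLE_LOG = [
  'Tue May 16 17:34:37 BST 2006|Auth failed|cusyac|Username/password not found|137.205.x.x',
  'Tue May 16 17:35:10 BST 2006|Auth failed|testusr|Username/password not found|137.205.x.x',
  'Tue May 16 17:35:40 BST 2006|Auth ok|testusr||137.205.x.x',
  'Tue May 16 17:36:38 BST 2006|Auth failed|cusyac|Username/password not found|137.205.x.x',
  'Tue May 16 17:37:47 BST 2006|Auth failed|cusyac|Username/password not found|137.205.x.x',
  'not a log line at all',
];

console.log(detectRepeatedFailures(SAMPLE_LOG));
```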

May 16, 2006

Factories are not meant to be this beautiful


Follow the link above to see some amazing pictures from "Transparent Factory in Dresden" which is the VW factory that makes Phaetons.

And pick up your car from the car tower:


May 14, 2006

Audi A4 1.9 TDi (100) Sport for sale

Audi A4 2003 (03) AUDI A4 1.9 TDI 100 Sport 4dr Diesel Saloon
27,000 miles
PAS,Drivers airbag, Passenger airbag, Side airbags, ABS, Remote central locking. 17" alloys.
Perfect condition, one owner. Full Audi Service History. 11 months tax and MOT.
Price: £12,495

This is pretty much the suggested price from Parkers and it is in great condition.

If you're interested, contact me or comment here.

So, I'm selling my Audi, but I've had it for 3 years and even though I'll miss it, it is time to move on :)
As standard I've put the car in Auto Trader, but I thought as a little experiment I would put it on here too. If I sell it through this page, then great, but I kind of want to see how high up in Google I get and how many people land on this page.

Update: Decided to keep it in the end, just isn't worth getting rid of considering how much I've invested in it over the last 3 years...may as well enjoy it now that I've paid for the depreciation
