New! E-book on OpenSAML


My book, A Guide to OpenSAML, covers the SAML authentication process in detail and how to implement it. It also covers encryption, cryptographic signatures, SAML in general and more.

Read more about the book



Tuesday, September 9, 2014

OpenSAML book release!

After many late nights and tedious editing, I have finished my book on OpenSAML, based on my experiences working with the OpenSAML library. A Guide to OpenSAML is a short book that introduces SAML, the SAML Web Browser Profile and the use of OpenSAML.


Buy it with your PayPal account

Or buy with credit card on Gumroad


The book has three parts, the first of which introduces SAML, the SAML Web Browser Profile and OpenSAML. The next part explains the Web Browser Profile in more detail and shows how to implement it using OpenSAML. The last part explains how to use some of the security functions in OpenSAML, like signatures and encryption.

The SAML Web Browser Profile is flexible and can be used in many different ways. The book shows the SAML Web Browser Profile with the following configurations:


  • SP initiated Single Sign-On
  • Authentication request using HTTP Redirect Binding
  • Assertion transported using HTTP Artifact Binding
  • SAML Artifact transported using HTTP Redirect Binding
  • Artifact resolution using SOAP Binding


The book explains the interaction from the Service Provider’s point of view. The implementation of the Identity Provider is not covered in this book.

The package contains the book in PDF format, three different e-reader formats (EPUB, MOBI, AZW3) and a sample project showing OpenSAML in action.

Thursday, July 24, 2014

CSRF in JSF 2.2

In a past project I worked on, we were assigned the task of protecting the web application we were building against CSRF attacks. We solved this the usual way, by generating a token for every session that had to be posted with every form.

We used JSF 2.1, but recently we upgraded to 2.2. When reading about the new features I stumbled upon a small note saying that JSF now has built-in support for CSRF protection.
See http://jdevelopment.nl/jsf-22/ and search for "Cross Site Request Forgery protection".

I have not tried this, but it seems like a very good thing. I had some problems finding out whether anything was needed to activate it, but finally I found this documentation:
http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html

As it seems, all you have to do to activate the CSRF protection is to add the URL patterns of the pages you want to protect inside a protected-views element in faces-config.xml. See the section called "Implementing CSRF Protection".

If someone tries it out, please comment and let me know of the results.
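For reference, here is what such a faces-config.xml looks like; this is an added illustration, not a configuration from the post or from the linked Oracle demo, and the two view paths are assumed. It relies on the JSF 2.2 protected-views element the post describes, which makes JSF check the token it appends to its own outbound links before serving a listed view.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">

    <!-- Views listed here are only served when the request carries the
         token JSF 2.2 adds to the URLs it renders for h:link / h:button,
         so a plain cross-site link to them is rejected.
         The view ids below are assumed examples; JSF 2.2 expects exact
         view ids here rather than wildcard patterns. -->
    <protected-views>
        <url-pattern>/account/transfer.xhtml</url-pattern>
        <url-pattern>/account/delete.xhtml</url-pattern>
    </protected-views>

</faces-config>
```

Views that are not listed keep only the regular POST protection that comes with the session-bound view state, so every state-changing GET view needs an entry.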

Wednesday, May 14, 2014

Software licenses in plain english

Often in projects, especially private hobby projects, I find myself getting a headache when trying to understand the software license for some library or graphics that I want to use. I have now found two sites that make this a bit easier.

http://choosealicense.com/
https://tldrlegal.com/

Both sites list popular licenses with simple tables showing what you must, can and cannot do with the licensed work. Very helpful.

Exception: "Apache xmlsec IdResolver could not resolve the Element for id reference" while decrypting

org.opensaml.xml.validation.ValidationException: Apache xmlsec IdResolver could not resolve the Element for id reference:

This is a common exception that can be thrown when verifying a signature after decrypting an object.

To avoid this, it is often enough to configure your Decrypter with the following setting before decrypting.

decrypter.setRootInNewDocument(true);
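The setting in context, as an added example that is not the post's own code: an OpenSAML 2.x helper that decrypts an EncryptedAssertion and then verifies the signature inside it. It assumes the caller already holds a Credential with the SP's decryption private key and a Credential with the IdP's signing certificate; the class and method names are mine.

```java
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/** Decrypts an EncryptedAssertion and then verifies its enveloped signature. */
public final class AssertionDecryptor {

    private final Decrypter decrypter;
    private final Credential idpSigningCredential;

    public AssertionDecryptor(Credential spDecryptionCredential, Credential idpSigningCredential) {
        // The SP's private key unwraps the EncryptedKey, which is located
        // inline in the KeyInfo of the EncryptedData.
        this.decrypter = new Decrypter(
                null,
                new StaticKeyInfoCredentialResolver(spDecryptionCredential),
                new InlineEncryptedKeyResolver());
        // Without this the decrypted Assertion stays a fragment of the original
        // Response DOM and xmlsec cannot resolve the signature's ID reference,
        // which is the "IdResolver could not resolve the Element" exception.
        this.decrypter.setRootInNewDocument(true);
        this.idpSigningCredential = idpSigningCredential;
    }

    public Assertion decryptAndVerify(EncryptedAssertion encrypted)
            throws DecryptionException, ValidationException {
        Assertion assertion = decrypter.decrypt(encrypted);

        Signature signature = assertion.getSignature();
        if (signature == null) {
            throw new ValidationException("Decrypted assertion is not signed");
        }
        // Reject signatures that do not follow the SAML profile (for example a
        // reference to anything but the enclosing assertion) before verifying.
        new SAMLSignatureProfileValidator().validate(signature);
        // Verify against the IdP certificate we configured, never one carried in the message.
        new SignatureValidator(idpSigningCredential).validate(signature);
        return assertion;
    }
}
```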

Monday, May 5, 2014

Nullpointer exception in OpenSAML

This is a common exception for beginners using OpenSAML. A common mistake when starting to use the OpenSAML library is not to initialise the library.
OpenSAML needs a couple of configuration files in order to work. The library is provided with a default set of these files that is sufficient for most uses. Before starting to use the library, the configurations must be loaded. This is done using the bootstrap function.

import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.ConfigurationException;

// Load OpenSAML's default configuration (object providers, marshallers,
// unmarshallers and security settings) once, before any other OpenSAML call.
try {
    DefaultBootstrap.bootstrap();
} catch (ConfigurationException e) {
    throw new RuntimeException("Bootstrapping failed", e);
}

If you do not do this before you start using the library, you might run into exceptions like:

Exception in thread "main" java.lang.NullPointerException
 at no.steras.opensaml.Main.main(Main.java:25)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:601)
 at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)

Tuesday, March 18, 2014

Authenticating to Google Fusion Tables from Server

A couple of weeks ago I started a project where I needed to save big amounts of data for later statistical analysis. The first data store I looked at was Google Fusion Tables (because it was free...). The reason I didn't go for it was that there were quota limitations that didn't allow that much data.

But before I got to the point where I discarded it, I wrote a working backend on Google App Engine that could write to a table. Here is the code. The hard thing here was authenticating to Fusion Tables.

Working with Google APIs from Google App Engine should be very easy thanks to Google App Engine's support for service accounts; unfortunately the Fusion Tables API does not support this yet. So we need to use the harder way, with Application Accounts. Here is the code for authenticating and making requests to Fusion Tables. Please ignore the bad exception handling.
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.util.Collection;
import java.util.Collections;

import javax.servlet.ServletContext;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.SecurityUtils;
import com.google.api.services.fusiontables.Fusiontables;
import com.google.api.services.fusiontables.model.Sqlresponse;

public class FusionTablesBackend {

    // The servlet context is used to read the key file from the deployed
    // application; the original snippet used it without declaring it.
    private final ServletContext context;
    private Fusiontables fusiontables = null;

    public FusionTablesBackend(ServletContext context) {
        this.context = context;
    }

    public void initiateFusionTablesAPI() {
        Collection<String> scopes =
                Collections.singleton("https://www.googleapis.com/auth/fusiontables");

        String serviceAccountId = "768188911902@developer.gserviceaccount.com";

        // PKCS#12 key downloaded from the Google Developers Console; Google
        // protects it with the fixed password "notasecret" under alias "privatekey".
        String p12FileName = "/privatekey.p12";
        InputStream p12Stream = context.getResourceAsStream(p12FileName);
        PrivateKey serviceAccountPK = null;

        try {
            serviceAccountPK = SecurityUtils.loadPrivateKeyFromKeyStore(
                    SecurityUtils.getPkcs12KeyStore(), p12Stream,
                    "notasecret", "privatekey", "notasecret");
        } catch (IOException | GeneralSecurityException e) {
            e.printStackTrace();
        }

        // The credential signs a JWT assertion with the private key and
        // exchanges it for an OAuth 2.0 access token limited to the scope above.
        GoogleCredential credential = new GoogleCredential.Builder()
                .setTransport(new NetHttpTransport())
                .setJsonFactory(new JacksonFactory())
                .setServiceAccountId(serviceAccountId)
                .setServiceAccountScopes(scopes)
                .setServiceAccountPrivateKey(serviceAccountPK)
                .build();

        fusiontables = new Fusiontables.Builder(
                new NetHttpTransport(), new JacksonFactory(), credential)
                .setApplicationName("Bysykkel-stats")
                .build();
    }

    public void storeInformation() {
        String sql = "INSERT INTO ...";

        try {
            Sqlresponse sqlresponse = fusiontables.query().sql(sql).execute();
            if (sqlresponse.getRows().size() != 1) {
                throw new RuntimeException("Error in sql response " + sqlresponse.toPrettyString());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


Further reading

This book covers, among other things, Google Fusion Tables.

Wednesday, March 12, 2014

Tool to test queries on Google Fusion tables

A couple of weeks ago I started a project where I needed to save big amounts of data for later statistical analysis. The first data store I looked at was Google Fusion Tables (because it was free...). The reason I didn't go for it was that there were quota limitations that didn't allow that much data.

But another problem I found was that there is no good way to simply test out queries on a table. So I built a tool for it. For those of you using Google Fusion Tables, or thinking about it, go have a look.

The tool is here: https://rasmusson.github.io/fusion-tables-tool
Any ideas can be submitted here: https://github.com/rasmusson/fusion-tables-tool/issues


Further reading

This book covers, among other things, Google Fusion Tables.