Keeping Authentication outside of Application

Authentication and authorization have been part and parcel of almost every application we build, and as developers we spend a lot of time and effort incorporating both into every application. While I would like to leave authorization for another post some other day, I thought I would share some thoughts on authentication.

A typical setup looks like this…


While hand-coding the authentication gives the developer full control, there are many problems with this…

  • Obviously we end up re-inventing the wheel every time
  • The security aspects are usually taken for granted
  • Support for various authentication approaches and multi-factor authentication requirements would soon call for a lot of additional effort to cater to the business.

Thanks to the many authentication solutions available as commodities today, most application developers simply integrate their application code with the authentication solution that has been chosen. This is certainly a good thing, since the major responsibility for the security aspects is now pushed out of the application boundary.

[Figure: Authentication - Decoupled]

In the above setup, our application is still responsible for deciding whether the user is authenticated or not. As we all know, authentication is a favourite target for attackers trying to get into an application, and hence the most vulnerable area. Our application is typically built on a whole bunch of third-party libraries and frameworks, which in turn depend on a whole set of other libraries, and so on. This means the attack surface is that much bigger, and our application is only as secure as the weakest area in the entire codebase.

How about moving the authentication logic out of our application altogether? Today there is almost always a reverse proxy (Apache, Nginx, etc.) set up in the DMZ. Many modules are available that handle authentication against LDAP/Active Directory, and that make SAML requests and consume the assertions. Authenticated requests are forwarded to the application with special headers carrying the identity information (username, email id, etc.).

The advantage is that these libraries are far more visible, hence far more vetted for vulnerabilities, and are actively maintained, compared to our own application code that was handling the authentication logic.

Personally, I have used mod_auth_mellon with Apache to integrate with SAML-based Identity Providers (IdP). This is how my new setup looks…

[Figure: Authentication at ReverseProxy]

With the above setup, all I have to check in my application is that requests originate ONLY from a whitelisted IP address, and then pick up the user context from the special headers passed to it.
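The check described above, as an added example in Ruby (not the post's own code, and not part of mod_auth_mellon): the application accepts the identity headers only when the TCP peer address belongs to a whitelisted reverse proxy, and refuses the request otherwise. The proxy addresses, the header names (X-Remote-User, X-Remote-Email) and the Rack-style env hash are assumptions chosen for illustration.

```ruby
#!/usr/bin/env ruby
# Added example: trust proxy-asserted identity headers only from whitelisted
# reverse proxies. Addresses and header names below are constructed.
require 'ipaddr'

# Constructed: the reverse proxies that performed the SAML/LDAP authentication.
TRUSTED_PROXIES = %w[10.0.1.0/24 127.0.0.1/32].map { |cidr| IPAddr.new(cidr) }.freeze

# Assumed header names (the proxy module is configured to set these).
USER_HEADER  = 'X-Remote-User'
EMAIL_HEADER = 'X-Remote-Email'

class UntrustedSource < StandardError; end

# remote_addr must be the TCP peer address (Rack's REMOTE_ADDR), never a value
# parsed from X-Forwarded-For, which any client can set to anything it likes.
def from_trusted_proxy?(remote_addr)
  return false unless remote_addr.is_a?(String)

  addr = IPAddr.new(remote_addr)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
rescue IPAddr::Error
  false
end

# Returns { user:, email: } or raises UntrustedSource.
def user_context(remote_addr, headers)
  unless from_trusted_proxy?(remote_addr)
    raise UntrustedSource, "request from #{remote_addr} bypassed the proxy"
  end

  lower = headers.transform_keys { |k| k.to_s.downcase }
  user = lower.fetch(USER_HEADER.downcase, '').strip
  raise UntrustedSource, 'proxy did not assert an identity' if user.empty?

  email = lower.fetch(EMAIL_HEADER.downcase, '').strip
  { user: user, email: email.empty? ? nil : email }
end

# Rack adapter: request headers arrive in env as HTTP_X_REMOTE_USER and so on.
def identity_from_rack_env(env)
  headers = env.select { |k, _| k.start_with?('HTTP_') }
               .to_h { |k, v| [k.sub('HTTP_', '').tr('_', '-'), v] }
  user_context(env['REMOTE_ADDR'], headers)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: one via the proxy, one direct to the app.
  p identity_from_rack_env('REMOTE_ADDR' => '10.0.1.7',
                           'HTTP_X_REMOTE_USER' => 'alice',
                           'HTTP_X_REMOTE_EMAIL' => 'alice@example.com')
  begin
    identity_from_rack_env('REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_REMOTE_USER' => 'alice')
  rescue UntrustedSource => e
    puts "rejected: #{e.message}"
  end
end
```

Two things make the whitelist check hold up in practice: the address compared must be the real peer address of the connection, not anything taken from a forwarded header, and the proxy must be configured to unset or overwrite the identity headers on every request it forwards, so that a value supplied by the client never reaches the application unchanged.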

Posted in Uncategorized | Leave a comment

On-Demand Routing network traffic via Tor

I have recently started using the Tor proxy for my browsing needs. However, there are times when the latency seems to test my patience and I end up giving more weight to my browsing experience than to my anonymity needs, especially when I am searching for work-related needs.

But switching off the Tor proxy in my browser seemed quite a painful task… hence this script (courtesy: kremalicious.com), with minor tweaks for my needs…

#!/usr/bin/env bash

# 'Wi-Fi' or 'Ethernet' or 'Display Ethernet' (quoted below, since names may contain spaces)
INTERFACE="Wi-Fi"

# Ask for the administrator password upfront
sudo -v

# Keep-alive: update existing `sudo` time stamp until finished
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

# Turn the SOCKS proxy off again whenever this script exits, including when
# tor is terminated with Ctrl-C, so the interface is never left pointing at a
# proxy that is no longer listening.
cleanup() {
  sudo networksetup -setsocksfirewallproxystate "$INTERFACE" off
}
trap cleanup EXIT

# Let's roll

echo 'Switching to Tor Proxy...'
sudo networksetup -setsocksfirewallproxy "$INTERFACE" 127.0.0.1 9050 off
sudo networksetup -setsocksfirewallproxystate "$INTERFACE" on

echo 'Starting Tor...'
tor

You can confirm whether you are using Tor by going to this URL in your browser: check.torproject.org

Run this command in your terminal and your Mac’s network interface will switch to use the Tor proxy. Simply terminate the command to switch back to not using Tor.


Am I a Developer? Architect? Neither?

I have always preferred to call myself a “Dev” and that’s it.

To me, “Architect” is a loaded term. It could mean quite a lot of things in the real world:
– Person who keeps up to date with the various technologies and solutions that are prevailing, trending and emerging
– Person who is not hands-on
– Person who is a power user of PowerPoint 😉
– Person who, when needed, may not be able to roll up his sleeves and get his hands dirty on a specific code problem, troubleshooting etc.

However, Neal Ford has explained it in a much better way here… I am at least able to relate to it well and also to reflect upon myself…

  • Think big picture
  • Try to “know” various technologies in breadth and apply them to solve a business problem, and go into “depth” on a need basis
  • Is able to effectively provide solutions to business problems using Technology
  • And yes, “you should not be an ivory tower architect” where you stay too far away from code and become almost untouchable 🙂

Bye bye Blogger, Welcome WordPress

Thanks to V1 for this inspirational post.

After a very long time I am hoping to get back to blogging…

Somehow, when I looked at my Blogger site, it was looking quite dull and was very demoralizing. I was using Google’s Blogger service.

Somehow, I always wanted to switch to WordPress. A couple of options I had considered…

  1. Set up a local WordPress site in my home and hook it up to the Internet.
  2. Set up a WordPress site in AWS. This means I will have to take care of things like backups etc.
  3. Set up a Bitnami cloud hosting service.
  4. Or simply host it on WordPress.com, and go for an upgrade to make blog.karthiks.in point to my WordPress blog

Yes, finally option #4 is what I chose!

I had to export my blogs and comments from Blogger to WordPress. Based on some googling, I thought I would have to do some work to set up proper redirections between Blogger and WordPress to ensure the permalinks are indeed “permanent”, and that any Google search result pointing to my old blog link should take the user to my blog in the new WordPress location, but it looks like it’s taken care of automatically (still trying to figure out how!)

And now it’s all kind of setup and the fact that you are able to read this blog says that all is well 🙂


Simple function to switch between multiple Java versions

Recently we have started upgrading our Java applications to Java 8. I wanted a quick and easy way to switch between different versions of Java.

If I were using a Debian variant of Linux (Ubuntu/Mint etc.), I could have used

sudo update-alternatives --config java

But I am using a Mac, hence I wrote this…

# Usage: jvm 1.8   (or jvm 1.7, etc.)
# Points JAVA_HOME at the requested version and prints the version now in use.
jvm() {
  export JAVA_HOME=$(/usr/libexec/java_home -v "$1")
  java -version
}

Struggle with Python and IRB shell going into vi edit mode

I am certainly a fan of the “vi” editor. No doubts! However, when it comes to working with the interactive shells of Ruby (irb) and Python, I prefer not to use “vi” mode. I somehow feel that I lose the coolness of scripting and quickly testing my code.

Obviously, since all these interactive shells depend on the “readline” library behind the scenes, I thought it should be a simple configuration change to switch off “vi editing mode”.

I went to “~/.inputrc” and found that the editing mode was set to “vi” as below
set -o vi
set editing-mode vi

I simply commented out the above two lines and got my “irb” working fine. However, Python would still not respect the above change and continued to be in “vi edit mode”.

Further googling, and not finding any useful hints in the first 3 pages of Google search results, told me that something was really weird.

Later, I did find a page talking about another configuration file used by the Python shell, and the file is “~/.editrc”

You will find a line “bind -v”. Simply commenting it out took care of my problem, which had existed for 2 months 🙂


Ruby Conf 2013 – Pune

I had been to Ruby Conf 2013 in Pune on the 22nd and 23rd of this month.
I was quite excited to meet Ruby gurus like Jim Weirich, the author of “Rake”, which is the de facto build tool in the Ruby world. However, I was kind of taken aback by the fact that he was explaining and demonstrating the fundamentals of TDD, that too in a keynote speech.
Aaron Patterson’s keynote was very, very interesting. He showed his new “gadget” called “Google Glass”. If you want to have a quick look at it, check out here.
Nick Sutterer’s talk stressed “NOT to be afraid of creating more classes”: how you can break up your Controller/Model/Views into smaller, maintainable classes/views using gems like Cells, Roar, Objectify etc.
There was a lot of motivation from the speakers requesting the audience to contribute to the Open Source world. Richard Schneeman has developed a site called CodeTriage which allows us to sign up for various open source projects, following which you are sent a bug/issue every day. You can contribute by simply reproducing an issue, fixing an issue, or even providing a pull request to the developers. This can provide a good start for anyone who would like to get their hands on Open Source. I immediately signed up with CodeTriage and have already started working on my first Rails bug.

Lightning Talks
In this section, the participants were given an opportunity to volunteer to present a talk of about 5 minutes on any subject.
My friend Venkat and I had an opportunity to present a talk on “Developing Rich Internet Applications with the Netzke framework (ExtJS and Rails)”.
Generally, such conferences cover some fundamental/basic topics and some advanced topics running in parallel in two tracks. However, in this conference the focus was more towards the crowd who had just started with Ruby, and there was very little as a takeaway for people looking forward to advanced topics.

Ubuntu 10.10 Upgrade – Logs out instead of Shutdown

I am like most of the Ubuntu favorites… awaiting the half-yearly upgrades from Canonical and making sure all my systems are up to date.

However, my happiness was short-lived after upgrading to Maverick (Ubuntu 10.10). Whenever I tried to shut down or restart using the button in the bottom right corner, all that happened was a log out, back to the login screen!!! However, when I call shutdown from the terminal or from the login screen, it behaves as expected!

I tried all sorts of suggestions after googling for over 3 months now… and YES! I managed to find a solution for my problem TODAY… feeling so relieved… When I executed “ck-list-sessions” in the terminal, it showed 2 active sessions: one is mine and the other one is “hsqldb-server”.

I wondered why the HSQLDB server is creating a session??? And even if so, why should that prevent the shutdown from happening… that too only when I click the shutdown button.

No idea. So what did I do… obviously, in my case, I did not require the “hsqldb server”, so I simply uninstalled it… and voilà! my problem vanished! Hope this will help someone who is also going through what I did in the last 3 months or so 🙂


Ruby Regexp Unescape

It may not be a big deal to write it yourself… but I wrote this and it was quite useful, where I had to un-escape a regex pattern for some reason…

class Regexp
  # Returns the pattern source with one level of backslash escaping removed:
  # a backslash that is not itself escaped is dropped, and the character that
  # follows it is kept literally (so "\\\\" becomes a single "\\").
  def unescape
    source = self.source.split('')
    escape_on = false
    unescaped_string = source.inject([]) { |r, char|
      if char == "\\" and escape_on == false
        escape_on = true          # swallow the escaping backslash
      else
        r << char                 # keep the (possibly escaped) character
        escape_on = false
      end
      r
    }.join
  end
end

Enable Disable Touchpad in Ubuntu with a Hot key

I have got this new Dell Vostro n3500 Laptop, which is really a solid machine. I am very happy to have made this choice.

As a hardcore UBUNTU user, I have always liked any feature available in Windows to be made available in Ubuntu as well :)…

Recently, I realized that the “Fn+F6” shortcut to disable the touchpad does not work… I am sure many of you have encountered the annoying behavior of the touchpad moving your cursor somewhere else while you are typing…

The ideal solution I would have liked is that, when I connect an external mouse, the touchpad should automatically be disabled. Apparently, I did not find any solution for this in the current version of Ubuntu 10.04 (Lucid Lynx). Google did not help me either.

So, the next thing is, is there any way I can tell Ubuntu to disable the touchpad when I start typing? Yes, there is such an option in the “Mouse Preferences”. But that is not working consistently, at least for me.

So, this is what I did. I wrote a small Ruby script (I am a big, big fan of Ruby) that can toggle the touchpad ON and OFF.

Now, the next thing is to hook it up to a keyboard shortcut like the one in Windows… Fn+F6. Apparently, I also found that I cannot assign the combination of the “Fn” key and “F6” to a keyboard shortcut in Ubuntu. So for now, I have simply assigned the “F6” key to this toggle switch tool.

The script is not a big deal, but in any case, it’s here…

#!/usr/bin/env ruby
# Read the current value ("TouchpadOff = 0" or "TouchpadOff = 1") and flip it.
touch_pad_setting = `synclient -l | grep TouchpadOff`
new_touch_pad_setting = touch_pad_setting =~ /1/ ? "0" : "1"
`synclient TouchpadOff=#{new_touch_pad_setting}`