Claim-based identity (part#1)

This week I've been working with federated identity, a very interesting topic that is getting more attention every day. This post is the first part of a quickstart I plan to write to help beginners understand the stack of protocols involved in solving this common problem, and in particular Microsoft's solution for it: codename «Geneva».

Let’s start by getting familiar with some vocabulary:

  • Security token: a serialized set of claims that in most cases is digitally signed by an issuing authority.
  • Issuing authority: any entity you trust.
  • Security Token Service (STS): a software component (exposed by an issuing authority) that applications trust for authentication.
  • Relying party (RP): an application that trusts the STS.
  • Claim: information about the user, contained in a security token and required by an application (the RP app). To some extent, claims are analogous to attributes in the enterprise directory world.
  • Identity provider STS (IP STS): an STS capable of authenticating users, determining the user's identity typically by validating their credentials (username & password).
  • Relying party STS (RP STS): an STS that relies on other STSs to authenticate users and is able to generate the claims required by the relying party application.
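To make the vocabulary concrete, here is an added C# illustration (not Geneva or WIF code, and not from the original post) of the trust relationship between an issuing authority and a relying party: the STS signs a serialized set of claims with its private key, and the RP, which holds only the issuer's public key, accepts a token only if the signature verifies and the issuer, audience and expiry claims are the ones it expects. The `key=value;...` serialization, the issuer and audience URNs, and all class names are invented for this example (real Geneva tokens are SAML); it assumes .NET 6 or later for `RSA.Create(int)`.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Hypothetical IP-STS: holds the private signing key and issues tokens.
public sealed class IssuingAuthority
{
    private readonly RSA signingKey = RSA.Create(2048);   // never leaves the STS
    public string Name { get; }
    public IssuingAuthority(string name) { Name = name; }

    // The only thing a relying party needs in order to trust this STS.
    public RSAParameters PublicKey => signingKey.ExportParameters(false);

    // Called after the IP-STS has authenticated the user (credential checking is out of scope).
    public string IssueToken(string audience, IDictionary<string, string> userClaims, TimeSpan lifetime)
    {
        var claims = new Dictionary<string, string>(userClaims);
        // Issuer, audience and expiry are set by the STS and overwrite anything the caller supplied.
        claims["iss"] = Name;
        claims["aud"] = audience;
        claims["exp"] = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds().ToString();

        var parts = new List<string>();
        foreach (var kv in claims)
        {
            // Constructed flat format; separators inside a claim would break it.
            if (kv.Key.IndexOfAny(new[] { '=', ';' }) >= 0 || kv.Value.IndexOf(';') >= 0)
                throw new ArgumentException("claim contains a separator character");
            parts.Add(kv.Key + "=" + kv.Value);
        }
        string body = string.Join(";", parts);
        byte[] signature = signingKey.SignData(Encoding.UTF8.GetBytes(body),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return body + "." + Convert.ToBase64String(signature);
    }
}

// Hypothetical relying party: trusts exactly one issuer, identified by name and public key.
public sealed class RelyingParty
{
    private readonly string audience;
    private readonly string trustedIssuer;
    private readonly RSA trustedKey = RSA.Create();

    public RelyingParty(string audience, string trustedIssuer, RSAParameters trustedPublicKey)
    {
        this.audience = audience;
        this.trustedIssuer = trustedIssuer;
        trustedKey.ImportParameters(trustedPublicKey);
    }

    // Returns the claims of a valid token; throws SecurityException otherwise.
    public IDictionary<string, string> Validate(string token)
    {
        int dot = token.LastIndexOf('.');
        if (dot < 0) throw new SecurityException("malformed token");
        string body = token.Substring(0, dot);
        byte[] signature;
        try { signature = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { throw new SecurityException("malformed signature"); }

        // 1. Integrity and origin: the signature must verify under the trusted issuer's key.
        if (!trustedKey.VerifyData(Encoding.UTF8.GetBytes(body), signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new SecurityException("signature does not verify");

        var claims = new Dictionary<string, string>();
        foreach (string part in body.Split(';'))
        {
            int eq = part.IndexOf('=');
            if (eq <= 0) throw new SecurityException("malformed claim");
            claims[part.Substring(0, eq)] = part.Substring(eq + 1);
        }

        // 2. Issuer and audience: a correctly signed token from some other STS, or one
        //    issued for a different application, is still rejected.
        if (!claims.TryGetValue("iss", out var iss) || iss != trustedIssuer)
            throw new SecurityException("untrusted issuer");
        if (!claims.TryGetValue("aud", out var aud) || aud != audience)
            throw new SecurityException("wrong audience");

        // 3. Lifetime.
        if (!claims.TryGetValue("exp", out var exp) || !long.TryParse(exp, out long expiry)
            || expiry < DateTimeOffset.UtcNow.ToUnixTimeSeconds())
            throw new SecurityException("token expired");

        return claims;
    }
}

public static class ClaimsDemo
{
    public static void Main()
    {
        var sts = new IssuingAuthority("urn:example:ip-sts");              // constructed names
        var app = new RelyingParty("urn:example:bank-app", sts.Name, sts.PublicKey);

        string token = sts.IssueToken("urn:example:bank-app",
            new Dictionary<string, string> { ["name"] = "alice", ["role"] = "teller" },
            TimeSpan.FromMinutes(5));
        Console.WriteLine("accepted, role=" + app.Validate(token)["role"]);

        // A claim edited after issuance no longer matches the signature.
        string tampered = token.Replace("role=teller", "role=manager");
        try { app.Validate(tampered); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }

        // A token signed by an STS the application does not trust is rejected as well.
        var otherSts = new IssuingAuthority("urn:example:other-sts");
        try { app.Validate(otherSts.IssueToken("urn:example:bank-app",
                new Dictionary<string, string>(), TimeSpan.FromMinutes(5))); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The order of the checks matters: the signature is verified before any claim is read, so the issuer, audience and expiry values are only trusted once the token is known to come from the trusted STS. Handing the RP the public key in its constructor stands in for the out-of-band trust establishment that a real deployment does through federation metadata or certificate configuration.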

What is Geneva?

It is a set of Microsoft technologies that implements the shared industry vision for an interoperable identity metasystem. It comprises 3 components:
  • Geneva server (ADFS)
  • Windows Cardspace Geneva (CardSpace)
  • Geneva framework (Windows Identity Foundation)
If you are thinking of implementing an identity solution you must take a look at Geneva. Good starting points are the Identity Training Kit and this white paper. Depending on what you plan to do, you may need to understand how things work under Geneva's hood; I will try to shed some light on it, starting with some web services protocols.

WS-* protocols

WS-* is a set of interoperable protocols that solve common concerns (like security and confidentiality) when building enterprise applications. When working with Geneva, some of these protocols are involved:
  • WS-Security: a protocol that defines extensions to SOAP which can be used when building secure Web services to implement message content integrity and confidentiality. (see the ws-security specification)
  • WS-Trust: an extension to WS-Security that defines methods for issuing, renewing, and validating security tokens, and ways to establish, assess the presence of, and broker trust relationships. It is used by STSs to expose endpoints. This video by Vittorio Bertocci explains the protocol very clearly, or you can also read the ws-trust specification.
  • WS-Policy: provides a flexible and extensible grammar for expressing the capabilities, requirements, and general characteristics of entities in an XML Web services-based system. In our context it is used by the RP app/service to expose the policy required to invoke it. (see the ws-policy specification)
  • SAML: an XML-based standard for exchanging authentication and authorization data in the form of tokens. Our tokens are expressed with SAML.
  • WS-Federation: is based on WS-Trust and provides some interesting extensions that, among other things, define how to work with passive relying parties like web browsers. This paper by Microsoft and IBM is a very good introduction to the protocol and to the whole flow of messages in the authentication scenario.
If you prefer a single point of introduction instead of jumping among the provided links, I recommend the book by Cabrera & Kurt called Web Services Architecture and Its Specifications (ISBN: 978-0735621626) (watch out! it does not cover all the mentioned protocols, but despite that it is a good starting point).

To be continued…

DDD: implementing object’s identity

One important thing to consider when implementing a domain-driven design is object identity.

In most languages, an object's identity is determined by its memory address, but if we are implementing a DDD then we should redefine object identity in terms of our domain. For example, let's suppose we are working in a bank domain and we have an Account class; then you should define the identity of Account objects based on the account number.

When working with C#, there are four methods related to the identity of objects, all of them defined in the root class Object:

public virtual bool Equals(object obj);
public static bool Equals(object objA, object objB);
public virtual int GetHashCode();
public static bool ReferenceEquals(object objA, object objB);

Let’s analyze them one by one.

bool Equals(object obj)

By default this method compares the objects' memory addresses, but that is not correct when implementing a DDD. As mentioned before, the identity of our domain classes should be defined in terms of domain concepts, so we should override this method. Continuing with the Account class example, this method should compare the account number: same account number, same object.

public override bool Equals(object obj)
{
   Account otherAccount = obj as Account;
   if (otherAccount == null)
      return false;
   return this.Number.Equals(otherAccount.Number);
}

static bool Equals(object objA, object objB)

This method is static and just invokes the Equals method of the objA instance, passing objB to it as the parameter.

int GetHashCode()

This method is not directly related to an object's identity. It is used when a hash code is needed to represent the object, for example if we want to store the object in a hash-based structure like a hashtable. From MSDN: «The default implementation of the GetHashCode method does not guarantee unique return values for different objects. Furthermore, the .NET Framework does not guarantee the default implementation of the GetHashCode method, and the value it returns will be the same between different versions of the .NET Framework. Consequently, the default implementation of this method must not be used as a unique object identifier for hashing purposes.»

When implementing a DDD we should override this method in our domain classes to return different values for not equal objects. In the Account class example we could use the account number as the hash code.

public override int GetHashCode()
{
   return this.Number;
}

static bool ReferenceEquals(object objA, object objB)

This method simply compares memory addresses, the same behaviour as the default Equals implementation.
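The following is an added, self-contained C# example (not the post's own code or its downloadable tests) that puts the four methods side by side on an Account entity identified by its account number, and adds a second, deliberately incomplete class that overrides only Equals, to show why GetHashCode has to be overridden together with it. The class names and the sample account numbers are invented for the example.

```csharp
using System;
using System.Collections.Generic;

// Entity whose domain identity is the account number; Owner is deliberately
// not part of the identity and is ignored by Equals.
public sealed class Account
{
    public int Number { get; }
    public string Owner { get; }

    public Account(int number, string owner) { Number = number; Owner = owner; }

    public override bool Equals(object obj)
    {
        Account other = obj as Account;
        if (other == null) return false;
        return Number.Equals(other.Number);
    }

    // Contract: objects that are Equal must return the same hash code.
    // Deriving the hash from the identity field itself guarantees that.
    public override int GetHashCode() => Number;
}

// Same identity rule, but GetHashCode is left at the Object default (memory based).
// The compiler warns about exactly this situation (CS0659); the warning is
// silenced here only to demonstrate the consequence.
#pragma warning disable CS0659
public sealed class AccountEqualsOnly
{
    public int Number { get; }
    public AccountEqualsOnly(int number) { Number = number; }

    public override bool Equals(object obj)
    {
        AccountEqualsOnly other = obj as AccountEqualsOnly;
        return other != null && Number == other.Number;
    }
}
#pragma warning restore CS0659

public static class IdentityDemo
{
    public static void Main()
    {
        // Two distinct objects in memory that denote the same domain entity,
        // e.g. the same account loaded twice from persistence.
        var a = new Account(1001, "alice");
        var b = new Account(1001, "alice, loaded a second time");

        Console.WriteLine("a.Equals(b):              " + a.Equals(b));              // domain identity
        Console.WriteLine("object.Equals(a, b):      " + object.Equals(a, b));      // delegates to a.Equals(b)
        Console.WriteLine("ReferenceEquals(a, b):    " + object.ReferenceEquals(a, b)); // memory address
        Console.WriteLine("same hash code:           " + (a.GetHashCode() == b.GetHashCode()));

        // Hash-based collections consult GetHashCode before they ever call Equals.
        var accounts = new HashSet<Account> { a, b };
        Console.WriteLine("HashSet<Account>.Count:   " + accounts.Count);

        // Without the GetHashCode override the two "equal" objects normally land in
        // different buckets, so the set never compares them with Equals at all.
        var broken = new HashSet<AccountEqualsOnly>
        {
            new AccountEqualsOnly(1001),
            new AccountEqualsOnly(1001)
        };
        Console.WriteLine("HashSet<AccountEqualsOnly>.Count: " + broken.Count);
    }
}
```

Running it shows a and b equal by Equals and by the static Equals, not equal by ReferenceEquals, sharing a hash code, and counted once in the HashSet, whereas the two AccountEqualsOnly instances are, in practice, counted twice: the set looked at their (memory-based) hash codes, found them different, and never asked Equals. That is the concrete reason the post insists on overriding GetHashCode alongside Equals.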

Well, this is it, I hope this post is clear enough.

If you want to see some tests running to validate this and make your own test you can download my code from here.

In future posts I will write about how this relates to the equality operator (==) and about the importance of the Equals method when working with persistence frameworks like NHibernate.

I'm a speaker!

Yes. In the last week I was confirmed as a speaker at two events: Codecamp and Agiles2009.

Codecamp is an event organized by Microsoft that this year will be held on September 26 at the Universidad de Palermo, and there I will be presenting on open source tools for development on the .NET platform.

Agiles 2009, for its part, is the annual event of the Comunidad Latinoamericana de Metodologías Ágiles (the Latin American agile methodologies community), which will take place from October 6 to 9 in Florianópolis (Brazil). There I will be giving a workshop on estimation and planning.

Finally, I will also be taking part in Agile Open Bahia Blanca on August 29.

Well, some pretty busy months await me. See you at some of these events, bye!

First days

Well, this is my 4th day here and I feel very comfortable. The environment is much quieter than what I was used to. During these days I have been reading about ISO standards, learning about the organization and working with Entity Framework.

Yesterday, while I was working with the Entity Data Model Designer, I got an error and my Visual Studio stopped working «forever». As usual I tried reopening it, but no way. Then MatiasW suggested that I open the Visual Studio command line tool and run «devenv.exe /?» to see if any of the options provides a way to fix the problem. After two or three shots I got it: «devenv /ResetSkipPkgs» solved my issue. Now you know: if you have any trouble with Visual Studio, try the devenv options before reinstalling it.

That's all folks!

New blog

This week I moved to a new company and as part of my job I have to write a new blog in English. Because of this, I have decided that:

  • all the stuff related to my work, I will blog it in English in the company’s blog.
  • I will continue blogging here to write about academic topics and other personal stuff.
  • I will switch this blog to Spanish.

If you would like to read my new blog, it is located at: http://blogs.southworks.net/nicopaez/.

After three months on windows7

It still seems much more stable than Vista (and it is a release candidate version!). I have successfully tested some other programs:

  • CorelDraw14
  • Google Chrome
  • RapidSVN
  • Eclipse
  • Jude UML
  • Paint.Net
  • Skype

Unfortunately Sony Wireless Manager stopped working; to be precise, the problem is that it does not recognize the modem. I still have the problem with Winamp and my touchpad, but I am happy despite that.

titiritero: design decisions

During this week I refactored titiritero, and in particular the implementation of the gameloop. The gameloop is a control structure that runs the simulation (gives life to the model) and updates the views. There are two ways of implementing it:

The first one is an infinite loop with a Thread.sleep inside, something like this:

shouldExecuteGameloop = true;
while (shouldExecuteGameloop) {
   this.runSimulation();
   this.updateView();
   try {
      Thread.sleep(simulationInterval);
   } catch (InterruptedException e) {
      // Thread.sleep is a checked call; an interrupt is the signal to stop the loop.
      Thread.currentThread().interrupt();
      shouldExecuteGameloop = false;
   }
}

The other alternative is using a Timer object and making the gameloop class implement the TimerTask interface, something like this:

// java.util.Timer runs the task on its own thread every simulationInterval milliseconds
Timer timer = new Timer();
timer.scheduleAtFixedRate(gameloop, 0, simulationInterval);
...
// in the gameloop class, which extends java.util.TimerTask
public void run() {
   this.runSimulation();
   this.updateView();
}

I chose the first alternative because with the second one it could happen that a single iteration of the gameloop takes too much time, so there could be more than one thread working simultaneously on the same object, producing anomalous behavior in the application.

Open source: new versions

In the last couple of weeks some new versions of open source projects have gone live.

In my opinion the most interesting one is the first RTM release of the Linq provider for NHibernate (NHibernate.Linq). At the moment it is a separate download, but it seems that it will be part of NHibernate's core package in future releases. [read more]

Also related to NHibernate, Castle Active Record 2.0 beta 1 was published on July 14. It includes integration with NHibernate Search, basic Linq support and a feature to enable in-memory tests. [read more]

The Spring Framework team has scheduled the release of Spring.Net 1.3 RC1 for July 29th, followed by the GA version on August 10th. [read more]

Finally, Sharp Architecture released the first RTM version on July 15th. [read more]

I hope to have some time during this week to show some examples of the new features of these new releases.

Enjoy it!

Wind of change

It's been a while since my last post. It is because some things are changing: I'm leaving my job to continue my career in another company, I'm working with my colleagues at university to implement some changes in our course, and finally I am working on some proposals for upcoming conferences and publications (CodeCamp, IBM Developer works, Agiles2009, etc.). During this week I will be posting some information about these proposals, so stay around!