This is an overview of the WSO2 Identity Server and a customization we built that will be contributed back into the product. There is also some additional content on Coding Standards and being an LDAP an Directory Server hater
SSO IN/With Drupal and Identitiy ManagementManish Harsh
This presentation is a result of research and evaluation for SSO and IDM majorly focused to Drupal CMS.
Enterprises, corporations and companies with multiple web properties are struggling to provide a better user experience and offer a single "corporate ID" and "Password" as the key for all.
This single ID should be used across all the properties and corporations should still be able to manage the access level and permission of the respective user based on the grants assigned to this ID in each web property.
• Around 16 years of IT experience Architect/Lead/Administration for middleware, Networking and System Administration for BFSI, Telecom and Retail companies.
• Specialized in multiple middleware technologies, like, JBoss6, JBoss5.x, Oracle Fusion middleware (SOA,OSB)11g, Weblogic 10g,9.x, 8.1, IBM WAS 7, WAS 6.1, Datapower appliance, Webservers like Apache 2.2, Apache 2.4, IPlanet 7, IPlanet 6, IBM HTTP servers 7.
• Knowledge and understanding on programing skills of basic Java, Visual Basic, Visual Studio 6, C++ along database query skills with products like Oracle 8, SQL server and MS Access.
• Working knowledge on ITIL V2/V3 model of service deliver, service support areas of service level, Incident, Problem, Change, Release Management and Service desk.
• Knowledge on networking and wireless networking (A/B/G/N) devices like, Switches, Routers, wireless routers, access points NAS etc.
• Knowledge on Load balancing, Proxy mechanism.
• Understanding on DevOps model, automation and some hands on skills with products like Ansible and chef.
• Customer support and services skills over the phone and mails (support background)
• Team lead and team player skills with strong multitasking, problem solving and analytical skills.
• Excellent communications and user interface skills, both written and verbal at all levels.
BriForum 2014 Boston
Dan Brinkmann presents on Identity Providers, SAML, and OAuth. An example of setting up Office 365 to use Active Directory Federation Services is also shown.
SSO IN/With Drupal and Identitiy ManagementManish Harsh
This presentation is a result of research and evaluation for SSO and IDM majorly focused to Drupal CMS.
Enterprises, corporations and companies with multiple web properties are struggling to provide a better user experience and offer a single "corporate ID" and "Password" as the key for all.
This single ID should be used across all the properties and corporations should still be able to manage the access level and permission of the respective user based on the grants assigned to this ID in each web property.
• Around 16 years of IT experience Architect/Lead/Administration for middleware, Networking and System Administration for BFSI, Telecom and Retail companies.
• Specialized in multiple middleware technologies, like, JBoss6, JBoss5.x, Oracle Fusion middleware (SOA,OSB)11g, Weblogic 10g,9.x, 8.1, IBM WAS 7, WAS 6.1, Datapower appliance, Webservers like Apache 2.2, Apache 2.4, IPlanet 7, IPlanet 6, IBM HTTP servers 7.
• Knowledge and understanding on programing skills of basic Java, Visual Basic, Visual Studio 6, C++ along database query skills with products like Oracle 8, SQL server and MS Access.
• Working knowledge on ITIL V2/V3 model of service deliver, service support areas of service level, Incident, Problem, Change, Release Management and Service desk.
• Knowledge on networking and wireless networking (A/B/G/N) devices like, Switches, Routers, wireless routers, access points NAS etc.
• Knowledge on Load balancing, Proxy mechanism.
• Understanding on DevOps model, automation and some hands on skills with products like Ansible and chef.
• Customer support and services skills over the phone and mails (support background)
• Team lead and team player skills with strong multitasking, problem solving and analytical skills.
• Excellent communications and user interface skills, both written and verbal at all levels.
BriForum 2014 Boston
Dan Brinkmann presents on Identity Providers, SAML, and OAuth. An example of setting up Office 365 to use Active Directory Federation Services is also shown.
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
Alfresco Summit 2013 (Barcelona and Boston)
This talk will provide an introduction to the OASIS SAML standard (Security Assertion Markup Language) and then describe in detail how we use OpenSAML to provide secure SSO to Alfresco Cloud in a multi-tenant environment, both in terms of Share and the core Repository. We will demonstrate the steps required for an Enterprise Network Admin to setup a trusted SAML connection ('circle of trust') to their chosen Identity Provider (IdP) such as Centrify, Ping Identity, ForgeRock OpenAM (formerly Sun OpenSSO) or potentially any other type of IdP that supports SAML v2.0. We will also discuss possible future requirements and improvements.
http://summit.alfresco.com/boston/sessions/implementing-secure-single-sign-sso-opensaml
http://www.youtube.com/watch?v=KroIZa1co6g
Microservices and Self-contained System to Scale AgileEberhard Wolff
Architectures like Microservices and Self-contained Systems provide a way to support agile processes and scale them. Held at JUG Saxony Day 2016 in Dresden.
Case Study: Plus Retail - Moving from the Old World to the New WorldForgeRock
A case study covering Plus Retail's transition from Oracle to ForgeRock's OpenAM, presented by AXI BV/NV Consultant Kurt Van Meerbeeck.
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
In Zusammenarbeit mit Microsoft und SofwareOne AG konnten wir am 3. Februar 2016 einen Workshop zur Microsoft-SQL-Lizenzierung durchführen. Die Referenten Alexander Egli, Beat Weissenberger und Detlef Werner gaben den Teilnehmern einen detaillierten Überblick über die Änderungen in der Lizenzierung von SQL Server 2012 sowie der aktuellen Lizenzierung von SQL Server 2014. Für die Version 2014 wurden folgende Szenarien besprochen:
Core-Lizenzierung
Lizenzierung in virtuellen Umgebungen
Hybride Szenarien mit Integration von Cloud-Komponenten
Ebenfalls wurden die Migration und Kostenbeispiele besprochen.
Identity Management for Web Application DevelopersWSO2
This WSO2 workshop on identity management for web application developers covered the following topics:
1. Identity Management 101
2. Proxy-based / Agent-based approaches for securing web apps.
3. Enable Single Sign On with OpenID Connect and SAML 2.0
4. Calling secured APIs from a web application.
5. Securing Single Page Applications (SPA)
6. Identity APIs for user provisioning and access control.
Technologies:
Apache modules for SAML and OIDC (mod_auth_mellon and mod_auth_openidc), Java, Tomcat, Angular JS, Python, WSO2 Identity Server, WSO2 API Manager
Audience: Web application developers
This presentation will help you better understand:
- The Oracle Embedded Value Proposition
- The Oracle Service Bus (OSB) Value Proposition
- The Challenge Of The Extended Enterprise
- Introducing the OSB Appliance (OSBA)
This slidedeck provides a quick overview about Active Directory Federation Services technology for federated authentication with Office 365 and other relying parties.
Acutelearn is the training institute which provides training on different technologies like VMware, Citrix, Netbackup, Storage, Scripting and other technologies
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
Alfresco Summit 2013 (Barcelona and Boston)
This talk will provide an introduction to the OASIS SAML standard (Security Assertion Markup Language) and then describe in detail how we use OpenSAML to provide secure SSO to Alfresco Cloud in a multi-tenant environment, both in terms of Share and the core Repository. We will demonstrate the steps required for an Enterprise Network Admin to setup a trusted SAML connection ('circle of trust') to their chosen Identity Provider (IdP) such as Centrify, Ping Identity, ForgeRock OpenAM (formerly Sun OpenSSO) or potentially any other type of IdP that supports SAML v2.0. We will also discuss possible future requirements and improvements.
http://summit.alfresco.com/boston/sessions/implementing-secure-single-sign-sso-opensaml
http://www.youtube.com/watch?v=KroIZa1co6g
Microservices and Self-contained System to Scale AgileEberhard Wolff
Architectures like Microservices and Self-contained Systems provide a way to support agile processes and scale them. Held at JUG Saxony Day 2016 in Dresden.
Case Study: Plus Retail - Moving from the Old World to the New WorldForgeRock
A case study covering Plus Retail's transition from Oracle to ForgeRock's OpenAM, presented by AXI BV/NV Consultant Kurt Van Meerbeeck.
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
In Zusammenarbeit mit Microsoft und SofwareOne AG konnten wir am 3. Februar 2016 einen Workshop zur Microsoft-SQL-Lizenzierung durchführen. Die Referenten Alexander Egli, Beat Weissenberger und Detlef Werner gaben den Teilnehmern einen detaillierten Überblick über die Änderungen in der Lizenzierung von SQL Server 2012 sowie der aktuellen Lizenzierung von SQL Server 2014. Für die Version 2014 wurden folgende Szenarien besprochen:
Core-Lizenzierung
Lizenzierung in virtuellen Umgebungen
Hybride Szenarien mit Integration von Cloud-Komponenten
Ebenfalls wurden die Migration und Kostenbeispiele besprochen.
Identity Management for Web Application DevelopersWSO2
This WSO2 workshop on identity management for web application developers covered the following topics:
1. Identity Management 101
2. Proxy-based / Agent-based approaches for securing web apps.
3. Enable Single Sign On with OpenID Connect and SAML 2.0
4. Calling secured APIs from a web application.
5. Securing Single Page Applications (SPA)
6. Identity APIs for user provisioning and access control.
Technologies:
Apache modules for SAML and OIDC (mod_auth_mellon and mod_auth_openidc), Java, Tomcat, Angular JS, Python, WSO2 Identity Server, WSO2 API Manager
Audience: Web application developers
This presentation will help you better understand:
- The Oracle Embedded Value Proposition
- The Oracle Service Bus (OSB) Value Proposition
- The Challenge Of The Extended Enterprise
- Introducing the OSB Appliance (OSBA)
This slidedeck provides a quick overview about Active Directory Federation Services technology for federated authentication with Office 365 and other relying parties.
Acutelearn is the training institute which provides training on different technologies like VMware, Citrix, Netbackup, Storage, Scripting and other technologies
Overview session of Microsoft's Azure Service Fabric Overview (v1.5.175), delivered at AzurePT community event in Lisbon, held March 26. The session describes all the main components of the platform, with a focus on its architecture.
Deploy Java, PHP, Ruby, Node.js, Go, .NET, Python and Docker applications with no code changes using GIT, SVN, archives or integrated plugins like Maven, Ant, Eclipse, NetBeans,
IntelliJ IDEA
CloudJiffy will automatically scale your application containers vertically and horizontally, ensuring you only pay for the resources you consume. No capacity planning or resouce wastage. CloudJiffy uses granular 128MB cloudlets.
CloudJiffy dashboard provides intuitive application topology wizard, deployment manager, access to log and config files, team collaboration functionality and integration
with CI/CD tools
In this session you will learn how you can run popular enterprise workloads from Microsoft, Oracle and SAP on AWS.
We will discuss how you can choose between installing and configuring your own applications or launching entire software stacks from Oracle, SAP and Microsoft in minutes by choosing from a large selection of pre-configured virtual machines images and templates. In both many cases, customers may be able to use their existing software licenses in the AWS cloud with no additional license fees.
This presentation is about Platform as a Service, a category of cloud computing services that enables customers to develop, run, and manage applications without building and maintaining their own infrastructure. The presentation also contains an overview of public cloud application platforms, such as Google Cloud Platform, AWS, Microsoft Azure and more.
The presentation was held by Volodymyr Davydenko (Engineering Consultant, GlobalLogic) at GlobalLogic Kyiv DevOps Career Day on June 9, 2018.
Enterprise Node - Securing Your EnvironmentKurtis Kemple
Just like any other language, Node is susceptible to vulnerabilities, dependency issues, and other problems that can bring down or prevent you from releasing new versions of your application.
Learn how to safe-guard your environment with things like private registries and vulnerability testing during your CI build in this one-hour lightning talk.
=================================
TOPICS COVERED:
Why is Securing Your Environment Important
• Protects Your Company from Potential Threats
• Improves Confidence in Code and Systems
• Helps You Meet Legal and Organization Restrictions
Securing Your Runtime
• N|Solid - Enterprise Runtime
• Containerization
• Monitoring
Securing Your Dependencies
• Whitelisting Modules
• NSP
Securing Your Applications
• HTTPS ALL THE THINGS
• Encrypt Sensitive Data
=================================
Everything you need to know about creating, managing and debugging Java applications on IBM Bluemix. This presentation covers the features the IBM WebSphere Application Server Liberty Buildpack provides to make Java development on the cloud easier. It also covers the Eclipse tooling support including remote debugging, incremental update, etc.
Similar to Introduction to the WSO2 Identity Server &Contributing to an OS Project (20)
Response on Proposal for Converting to a Gated CommunityMichael J Geiser
This is a response to the request from the HOA Board for proposal to Convert Bayside at Bethany Lakes into a Gated Community in reaction to a string burglaries in 2013
There have been a number of articles and other content appearing in SI that have not met the standards and guidelines the Skeptical communities expects
Agile Progress Tracking and Code Complete Date EstimationMichael J Geiser
Here are two tools that I found to be very effective in predicting Code Complete dates and the effect of scope changes and also tracking progress against a Development Plan over time
Release Planning is a Pain Point in many Agile shops. This is an outline of a process that has worked very well for me over time. I hope you find it useful also.
This was some thoughts for maturing our Agile SDLC with some specific notes on how to improve JIRA workflows. This was a discussion slide deck; it's very wordy
I’ve been keeping a collection of Linux commands that are particularly useful; some are from websites I’ve visited, others from experience
I hope you find these are useful as I have. I’ll periodically add to the list, so check back occasionally.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
2. Overview ofWSO2 Company and Platform
Summary ofWSO2 Identity Server
Demo of Identity Server Main Features
Demo of Single Sign On with SAML2 and OAuth
Development of Feature Extending OS Product
Process and Status of Contribution
I added the Code Commenting discussion notes
to the end of the deck.
3. Site: http://wso2.com
Company Overview: http://www.slideshare.net/wso2.org/wso2-platform-
introduction?related=2
The suite ofWSO2 products are 100% Open Source and based on Open Standards.
WSO2 monetizes the product by selling support much like RedHat (but without
the subscription-only Enterprise Edition).
Developers can extend the platform and customize code (we’ll see an example of
this later).
WSO2 says their key advantage is allWSO2 products are built on a common
foundation – “WSO2 Carbon”; a modular, reconfigurable, elastic, OSGi-based
architecture.This creates a strong stable base for building as well as integrating
with existing large-scale enterprise applications.
Open Services Gateway initiative
5. Product Site: http://wso2.com/products/identity-server/
WSO2 Identity Server enables enterprise architects and developers to
• Deliver an inter-Enterprise Single Sign-On/Signout environment.
• Simplify identity provisioning
• Guarantee secure online interactions
The WSO2 Identity Server decreases identity management and entitlement
management administration burden by:
• Including role based access control (RBAC) convention
• Fine-grained policy based access control - XACML
• SSO bridging to internal and external destination
WSO2 Identity Server is an entitlement management server for security and
identity management of :
• EnterpriseWeb applications
• Services
• APIs
6. Product Site: http://wso2.com/products/identity-server/
WSO2 Identity Server enables enterprise architects and developers to
• Improve customer experience by reducing identity provisioning time
• Guarantee secure online interactions
• Deliver a inter-Enterprise Single Sign-On/Signout environment.
The WSO2 Identity Server decreases identity management and entitlement
management administration burden by:
• Including role based access control (RBAC) convention
• Fine-grained policy based access control
• SSO bridging to internal and external destination
WSO2 Identity Server is an entitlement management server for security and
identity management of :
• EnterpriseWeb applications
• Services
• APIs
An open source Identity
& Entitlement
management server
7. User Stores and configurations in LDAP/AD/JDBC/others
Multiple integrated user stores
Multi-tenant
Multiple Identity Standards
OpenID
SAML2
OAuth 1.0a/2.0
SecurityToken Service withWS-Trust
Kerberos
IntegratedWindows AD Authentication
WS-Fed Passive
XACML 2.0/3.0
SCIM 1.1
WS-XACML
15. Decentralized Single Sign On
Single user profile
Widely used for community & collaboration
aspects
MultifactorAuthentication
OpenID relying party components
16. An open source Identity & Entitlement
management server
Authentication
Single Sign On
Provisioning
SCIMSPML
WSO2
APIs
Service Provisioning Markup Language
19. WSO2
SCIM Consumer (facilelogin.com)
SCIM Consumer (wso2.com)
wso2.com
facilelogin.com
Multitenancy maximizes resource sharing by allowing multiple
distinct and separate entities (tenants) use a single server/cluster
where each tenant is given the experience of using his/her own
server, rather than a shared environment. Multitenancy ensures
optimal performance of the system's resources such as memory
and hardware and also secures each tenant's personal data.
As you should expect, different tenant are logically isolated as if
there were on separate virtual machines/instances. There is even
the ability to physically isolate the user datastores but use the same
server infrastructures
20. An open source Identity & Entitlement
management server
Role Based Access Control (sorta)
21. An open source Identity & Entitlement
management server
Role Based Access Control
Policy Based Access Control (sorta)
XACML
22. An open source Identity & Entitlement
management server
Role Based Access Control
Policy Based Access Control
SOAP
XACML / WS-XACML
23. An open source Identity & Entitlement
management server
Role Based Access Control
Policy Based Access Control
SOAP
REST
XACML
24. eXtensible Access Control Markup Language
Implements XACML 3.0
Support for multiple PIPs
Policy distribution
Decision / Attribute caching
UI wizard for defining policies
Notifications on policy updates
TryIt tool to testWIP
27. Laptop BasedVMs
Need a good great laptop: quad core i7, 32Gb RAM, 500GB SSD =
~$1500 (I have aThinkPad w540)
Maybe can get away with ~$425 for 32Gb RAM and a big (750Gb)
SSD if your current laptop can take the RAM (16Gb OK)
Requires you to do provisioning and set up networking
Must decide betweenVirtualBox &VMware (LinuxVMM is like
LDAP, Open Office or Isla Nublar; best avoided when possible)
If everyone doesn’t standardize , you can ‘t easily shareVMs
Availability and access for others limited to when your laptop is
online
Networking and Port security can cause problems even with NAT
Linux networking with multipleVMs on a laptop that changes
network connections is problematic.
Almost need to have Linux host OS
Docker andVagrant are your friend
28. AWS
Can use “normal” laptop
Everyone can access anywhere anytime
Per hour costs are quite reasonable; especially if you shut down
when not working;
Is $25-$50/month recurring OpEx for AWS better than $2000
CapEx? For a new laptop (but you should lease your laptop
regardless so you can refresh your tech more often...)
AWS provisioning and networking abstracts many PITA details for
you
Having REAL AWS experience is a HUGE plus on your resume...
Want to learn Linux? This is a great start (plus you should be
taking courses on EdX anyway)
https://www.edx.org/course/introduction-linux-linuxfoundationx-
lfs101x-2
29. Feature Gap
Set up Dev environment
Mapped requirements to features and
planned implementation
30. TheWSO2 JDBC UserStore doesn’t have a
Password Reuse Policy (I know...REALLY??!!)
This is a must-have feature for almost anyone
WSO2 is Java & Open Source; we do Java.
How hard could it be?
What could go wrong?
We already scheduledWSO2 onsite for “Quick
StartWeek ” engagement and just added this
to the agenda and breakout sessions
31. The high level requirements for Password Reuse Policy.
• Settings properties file will allow configuration of:
• Time-based Password Reuse (# of days before reuse)
• Frequency-based Password Reuse (# of interim passwords before reuse)
• Admins will be allowed to chose eitherTime-based and/or Frequency-based Password
Reuse on/off and settings
• These will be additive; if the admin sets the timeThreshold=90 and
frequencyTheshold=10 then a password cannot be reused for 90 days regardless of how
many times it changes and a password cannot be reused for 10 password changes (even
if the user only changes the password once every 90 days).
• Data must be persisted securely to support this policy
• Data maintenance will be implement to remove unneeded records and must happen
during the password change event
• More...
(this was a short, low resolution summary of the User Stories describing the feature)
32. WSO2 uses Apache Felix andOSGi framework for a dynamic
component based application
The OSGi specification defines modular systems and a service
platforms for Java that implement a complete and dynamic
component model.
Applications or components, packaged the form of bundles for
deployment (i.e. jars) , can be remotely installed, started, stopped,
updated, and uninstalled without requiring a JVM restart.
The OSGi specifications have evolved beyond the original focus of
service gateways, and are now used in applications ranging from
mobile phones to the Eclipse IDE.
34. The component class contains the
annotations needed to specify the
component and when it is activated
@scr.component name="org.wso2.custom.identity.mgt.internal.CustomIdentityMgtServiceComponent"
immediate="true"
The class implements activate() and
deactivate() methods; think JUnit’s setUp()
and tearDown() methods
35. Our WSO2 component model extends the existing IdentityMgtEventListener
class and override functionality where the behavior has to change.
The original IdentityMgtEventListener essentially updates the Password for a
user if the Password Composition Policy and other existing tests pass.
Example: a user has to provide the correct currentPassword and a newPassword and
the newPassword must comply with all Password Composition Policy tests before a
user's password is changed.
Our added functionality will:
instantiate our new PasswordHistoryPolicyManager class where needed in the
CustomIdentityMgtEventListener
Call methods on the PasswordHistoryPolicyManager class as needed for new
functionality
Run updated or reimplemented code and call super as needed
36. Actual Implementation of the New Policy
Calls DAO to get Password History of a user
Determines if new Password complies with
the Frequency and ElapsedTime thresholds
limiting reuse
Calls DAO to insert new Password History
data for a user
Calls DAO to perform Password History
database table data maintenance
38. WSO2 implements OSGi and Felix...
Deployment Procedure
Add the new table to the UserStore schema
Run DDL in target database schema
Compile jar
mvn clean install
Copy jar from maven repository toWSO2 "dropin" directory
from
C:Usersmgeiser.m2repositoryorgwso2sampleorg.wso2.custom.identity.
mgt1.0.0-SNAPSHOTorg.wso2.custom.identity.mgt-1.0.0-SNAPSHOT.jar
to
<IS_HOME>/repository/components/dropins
Copy configuration file from GIT to <IS_HOME>/repository/conf/security
Restart the WSO2 Identity Server service
39. Code reviews, unit tests and functional testing have indicated a few
improvements that are needed before this new component is fully “Production
Ready"
DDL Refactoring / Improvements
DRI - IDN_IDENTITY_PASSWORD_HISTORY.USER_NAME and
IDN_IDENTITY_PASSWORD_HISTORY.TENANT_ID are FKs but no DRI is defined
Covering Indexes - SQL Execution Plans (and inspection) indicates additional indexes are
needed
Data Maintenance on User Delete Event
When a Password is changed, the Password History entries for a user is trimmed to only keep
the number of passwords the are required to the Frequency andTime thresholds.
An additional component will be needed that will extend the User Management Service
Component and delete all IDN_IDENTITY_PASSWORD_HISTORY entries for a user when the
user is deleted.
Currently the records will be orphaned in the table. Eventually the orphaned records will
affect the efficiency of the system and wastes storage. This needs to be fixed ASAP
Doing this data maintenance based on the delete user event is best; running a periodic job
that finds orphaned records is "computationally expensive" and gets more resource intensive
as the number of users in the system grows.
40. Requirement Definition and Dropin component submitted (pending final
revisions) toWSO2 via our Account Manager
WSO2 architects and reviewers will review code and artifacts and
respond with questions
WSO2 will add to roadmap based on capacity to update and test
Since requirements definition and working code exists as Dropin, this will help
to minimize this effort and timeline
New DB table and DB traffic will slow down adoption slightly for testing
High complexity compared to other submitted features
Code will be available as a dropin to other users until official adoption
WSO2 will often include developers blogs and other contributions in the
WSO2 documents site if it contributes to the community.
I'll be writing up a page for this Dropin and attempt to get it on-line on
late July or early August
42. Architecturally, an LDAP/DirectoryServer solution has drawbacks compared to a relational database solution:
LDAP is designed for a high read-to-write ratio (10:1 or 100:1 is most often quoted as optimal for LDAP based directories).
For any Password Policy that tracks attempted authentications, the Directory Server must update data once for every read
that checks passwords (i.e. any authentication attempt). Idle and maximum (a.k.a soft and hard) timeouts are another
required feature. Even though the Policy Server caches information whenever possible, implementing timeouts require
updates to the User DataStore so that the timeout information can be shared among all Policy Servers.
LDAP is an Access Protocol (LDAP = Lightweight DirectoryAccess Protocol) not a data store. LDAP data stores use some
storage app, usually a RDBMS like H2, MySQL, Oracle or SQL Server) in a black-box configuration. The implementer must
support this application and the additional backup, restore, sizing, HA and other Operational needs through the tools
provided which is additional to their existing oprerations procedures and skills
Customization of the datastore for LDAP based datastores is complex and leads to applications reusing existing attributes
to store data instead of correctly named attributes (like stateOrProvence) being reused for another attribute instead of a
precisely named attribute name.
LDAP adds an additional layer of abstraction and latency to your application but really doesn’t add any advantage for his
extra complexity. Applications such asWSO2 can access a JDBC baseddatastore or an LDAP datastore.
LDAP Connection Pooling support is non-existent or is very limited; this can be a scalability and performance concern.
LDAP is not a transactional protocol. Generally, Identity Management is closely coupled to other database transactions
and the ability to have changes to the Identity Management user store and other schema participate in transactions is
important. Not having transactions means rollbacks of an update requires a compensating transaction to “undo” the
update.
LDAP and Directory Servers do not have DRI, locking, or check constraints even if the relational database the LDAP
implementation is built on supports them.
43. Architecturally, an LDAP/DirectoryServer solution has drawbacks compared to a relational database solution:
Directory Server data has limited DataTyping . There areStrings, Numbers (Integer), Time, Telephone Numbers,
Boolean, Binary, Distinguished Name and Bit Strings data types in directory servers. Decimal (and all non-integer
numeric) data and complex types (objects) must be stored as a string or serialized/deserialized and explicitly cast if used in
any application (SQL, JavaVisual basic…). And there are limits on searchability and indexability (and indexing in general);
especially for non-native data types . Relational database (like Oracle) datatypes map to Java SQL datatypes without any
casts.
LDAP has no equivalent structure to stored procedures (and packages). It is desirable to have the SQL for data input and
output abstracted from the calling applications to minimize the risk and impact to existing applications of future changes
to the User DataStore. Decoupling the release cycles of the database and Business logic as much as possible is a more
agile approach
A Directory Server has minimal Error Handling internally and externally error handlers must be coded and implanted in all
ode that calls into the Directory Server. Relational databases’ Error Handling allows for better and more consistent
exception handling, resolution, and logging and encapsulates these functions from the calling application.
44. Remember, you are writing code for other people, including
(especially) your future self. They/you will have to debug or
modify the code.
Commenting is necessary because you need to tell people
what you intended to do and why you chose to do it a
specific way.
While what the code does should be "self-evident" (an oxymoron
usually) from inspection of the code, you need to communicate
what you INTENDED to do; it is possible you made a logic error.
Comments also do NOT slow you down (as some people
say) ; I’ve timed it. I spend at most 10 to 20 minutes
commenting an entire class. It is impossible to argue that is
not time well spent.
Comments are NOT counted as LOCs and absolutely do
NOT add to maintainability costs; they do just the opposite.
45. Also, just as there are many ways to skin a cat
(that is really an awful expression, isn't it?), there
are many ways to implement the logic on how to
fulfill a requirement.
I’m sure you always have an insightful and well-
reasoned thought process behind why you implement
a bit of logic in a certain way. You need to document in
comments why you chose a specific implementation.
Commenting will answer questions without future
maintainers guessing (and second-guessing)) your
reasons and allow them to determine if the
implementation is still the best implementation as the
application evolves and business requirements are
refined or changed over time
46. Not all classes need the same level of
commenting
DTOs do not require much commenting, just a
sentence or two that relates it to the other code
Implementations (like the 3 Password History
classes in the previous example) often have more
bytes of comments than code
Level of commenting in other classes vary
47. Comment Content should be
What you intended to implement (the code
shows what you did implement)
Explanations of how tricky and clever bits of
logic work (for people not as smart as you)
What User Stories have the requirements
you’re implementing
Design Decisions (for example: why you
chose HashMap overTreeMap or
LinkedHashMap)
Err on the side of too much commenting
48. I have a simple one class that illustrates the point.
This is a quick “down and dirty” app that is meant to run from Eclipse.
Evaluate the MontyHallProblem_NoComments.java version of the class first and
then evaluate the MontyHallProblem.java code.
GitHub Website: https://github.com/mgeiser/MontyHallProblem
Git Repo: https://github.com/mgeiser/MontyHallProblem.git