SteverB

Moved

Thu, 03 Nov 2011 09:11:00 -1200

Hopefully you only noticed because things started working again.

OAuth Presentation

Tue, 27 Jul 2010 15:41:00 -1200

I finally got off my duff and presented to the local .NET user's group tonight. I think it went well, but my timing was a little fast.

In case you missed something, here are the slides: http://steverb.com/file.axd?file=2010%2f7%2fOAUTH.pdf and if you have any questions, feel free to shoot me an email

Fun With OAuth – Part 2

Tue, 25 May 2010 17:03:00 -1200

Now that we have a clue about calling an OAuth secured service using Javascript, let’s try it again with C#. That way we can do the calling from the server side and not have to worry about exposing our secret key to the browser. This example is using the OAuth libray found at: http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs. There are other, more full featured C# OAuth libraries available (http://code.google.com/p/oauth-dot-net/ for instance), I like this one because it’s simple and I can grok everything it’s doing.

   1:  OAuthBase oAuth = new OAuthBase();

2:

3:

   4:   //gather all the values we'll need for the header and signature

5:

   6:  string nonce = oAuth.GenerateNonce();

   7:  string timestamp = oAuth.GenerateTimeStamp();

   8:  string key = KEY;

   9:  string secret = SECRET;

  10:  Uri url = new Uri("http://www.steverb.com");

  11:  string normedURL = "";

  12:  string requestParams = "";

13:

14:

  15:  //generate signature

16:

  17:  string sig = oAuth.GenerateSignature(url, key, secret, "", "", "GET", timestamp, nonce, out normedURL, out requestParams);

18:

19:

  20:  //url encode the signature

  21:  sig = HttpUtility.UrlEncode(sig);

22:

23:

  24:  //build the header string using the previously defined values

  25:  StringBuilder sb = new StringBuilder("OAuth realm=\"\"");

  26:  sb.AppendFormat(",oauth_consumer_key=\"{0}\"", key);

  27:  sb.AppendFormat(",oauth_nonce=\"{0}\"", nonce);

  28:  sb.AppendFormat(",oauth_timestamp=\"{0}\"", timestamp);

  29:  sb.AppendFormat(",oauth_signature_method=\"{0}\"", "HMAC-SHA1");

  30:  sb.AppendFormat(",oauth_version=\"{0}\"", "1.0");

  31:  sb.AppendFormat(",oauth_signature=\"{0}\"", sig);

32:

33:

  34:  string header = sb.ToString();

35:

36:

  37:  //add the header to our web request

  38:  client.Headers[HttpRequestHeader.Authorization] = header;

Not too bad, and it’s almost as simple on the service side. Basically, the service will pull the non-encrypted data out of the header, check and make sure that the nonce hasn’t already been used, and encrypt the whole thing with the secret key that both the client and service know about.

   1:  //first grab the header out of the http request

   2:  string header = WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Authorization];

3:

   4:  OAuthBase oAuth = new OAuthBase();

   5:  Dictionary<string, string> OAuthValues = new Dictionary<string, string>();

   6:  //remove the leading "OAuth" from the header...pesky

   7:  string AuthHeader = Regex.Replace(OAuthHeader, "OAuth", "");

   8:  string[] Headers = AuthHeader.Split(',');

9:

10:

  11:  //add each of the values in the header to our dictionary

  12:  foreach (string entry in Headers)

  13:  {

  14:      string m_entry = entry.Trim().TrimEnd('"');

  15:      string[] values = Regex.Split(m_entry, "=\"");

  16:      if (values.Count() > 1)

  17:      {

  18:          OAuthValues.Add(values[0].Trim(), values[1].Trim().TrimEnd('"'));

  19:      }

  20:  }

21:

22:

  23:  //grab the values out of our dictionary for the signature method

  24:  string nonce = OAuthValues["oauth_nonce"] ?? "";

  25:  string timestamp = OAuthValues["oauth_timestamp"] ?? "";

  26:  string key = KEY;

  27:  string secret = SECRET;

  28:  Uri url = new Uri("http://www.steverb.com");

  29:  string normedURL = "";

  30:  string requestParams = "";

31:

  32:  //generate a signature

  33:  string sig = oAuth.GenerateSignature(url, key, secret, "", "", "GET", timestamp, nonce, out normedURL, out requestParams);

34:

  35:  //compare it to the signature in the header

  36:  if (sig != OAuthValues["oauth_signature"])

  37:  {

  38:      return false;

  39:  }

  40:  else

  41:  {

  42:      return true;

  43:  }

Tada! As long as the encrypted signature matches then the OAuth is good. A quick point, for a real implementation we would really want to check and make sure that the nonce had not been used before and that the timestamp on the message was fairly recent (in order to prevent replay attacks).

The Problem With MVPs

Wed, 24 Mar 2010 16:24:00 -1200

The other day I had the chance to peruse the work of another developer, a Microsoft MVP. The code was less than impressive. To be frank, it stunk, but it stunk in a strange way. It had a weird combination of advanced technique and rank naiveté. There was separation of concerns, but it was much more convoluted than it needed to be. The work that the code performed was relatively trivial, but it was hidden behind a bag of patterns and the structure of the classes made finding the code that did the real work an exercise in spelunking.

I mentioned it to a friend of mine, and he shared his story about a hiring interview with an MVP carrying job candidate. The story was eerily similar. The candidate was well versed with the latest and greatest development methodologies, but seemed to lack a grasp of writing a simple “fizz-buzz”. To make matters worse, part-way through the interview the candidate starting listing their “requirements”, which conferences they’d be attending, which technologies they would use, etc.

I was flabbergasted. Granted, my friend was glad the candidate was so forthcoming with his lack of professionalism. It helped make his decision not to hire the guy much easier. After I thought about it a little bit more, I realized that the fault wasn’t totally with the MVPs in question. All of us share a little of the blame.

What’s All This MVP Stuff?

Microsoft’s Most Valuable Professional program recognizes professionals who share their knowledge of MS products with others. It’s a great deal for Microsoft and it’s a pretty good deal for the MVPs. Microsoft gets free technical support for their products and the MVPs get public recognition of their contributions to the community at large. The problem with the MVP program is what it doesn’t recognize. The MVP program does not recognize technical ability. It’s possible to be awarded an MVP in a development related area and not really be able to write code.

If you want an MVP award , you blog, you answer questions on the Microsoft forums and on StackOverflow. You talk a lot. Mind you, there’s nothing wrong with doing any of those things and a lot of reasons why we should encourage the behavior. Heck, I do those things. But you can do all of that without ever writing code beyond the level of a “hello world” presentation demo. You can do all of those things without knowing how to do anything but use a search engine, cut and paste and tirelessly self-promote.

If you compare the Microsoft and the Open Source communities, there is a striking contrast. If you want attention in the open source community you write code and you release some projects. You do stuff. If you want attention in the Microsoft community you talk.

How Is This My Fault?

Even with all of that, there isn’t really a problem with the MVP program. It’s working precisely the way Microsoft wants and needs it to. Microsoft gets free advertisement for its products and a never ending supply of people to offer handholding for users of its platforms. There’s really no reason for Microsoft to change things on their end, although it would be nice if Microsoft distinctly recognized developers that actually released more than hot air.

What we really need to fix are our expectations and perceptions of those that have been awarded an MVP. They might be great developers; I know some that are. They might be completely clueless; there are obviously a few in this category as well. The fact that a person has an MVP award doesn’t really tell us what kind of developer they are. The only thing we can know for sure is that they know how to answer questions on the internet and (depending on the MVP) give a pretty good semi-technical talk. Beyond that, we need to evaluate MVPs just as we would any other developer.

Fun With OAuth - Part 1

Sat, 13 Mar 2010 17:48:00 -1200

We’ve been working on implementing some sort of enterprise wide single sign-on (SSO) at work. As part of that we really needed some way to authenticate with web services without depending on Windows or Basic Authentication, which is a phenomenal pain in the butt.

Enter OAuth

OAuth is “An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” In other words, you can authenticate with it from lots of different places.

The way full blown OAuth works is that you use an application that wants to access your data that resides in another service or application. The application wanting the data sends you to the authentication site for the service that has your data. You login, and then tell the service that you will allow the app to access your data. The service sends you back to the application with a request key. The application sends the request key to the service and the service sends the application an access key.

Once all that handshaking is done, the application takes the consumer secret and the consumer key (that the application already had) along with the recently obtained access key and a few other relevant pieces of info (timestamp, nonce, etc) and hashes them all together. The application then takes all this information and creates an OAuth header that it sends with any service requests. The service then uses the information in the header to identify the application acting on behalf of the user.

It sounds complicated because it kinda is, but once you’ve run through it a few times it starts to make sense. I suggest you read The Beginner’s Guide to OAuth to get a thorough understanding.

Why would you do this to yourself?

The really nice thing about OAuth is that it works on a lot of platforms. There are implementations in C#, there are implementations in Ruby, there are implementations in Javascript. Awesome. So let’s use it.

Here, have some Javascript:

   1: function getHello(mToken, mWord)   2: {   3:    //create the message portion   4:     var message = {   5:         method: "GET",   6:         action: url,   7:         parameters: {oauth_version: "1.0",   8:         oauth_consumer_key: "myservicekey",   9:         oauth_timestamp: OAuth.timestamp(),  10:         oauth_nonce: OAuth.nonce(11),  11:         oauth_signature_method: "HMAC-SHA1"                          12:         }  13:     };  14:    15:    16:     //create the accessor portion     17:     var accessor = {  18:         consumerSecret: "myappssecretkey"  19:         tokenSecret: "theSecretIGoFromTheUserSigningIn"  20:     };  21:      22:     //sign the OAuth message  23:     OAuth.SignatureMethod.sign(message, accessor);  24:      25:     //generate the entire header (with signature included)  26:     var authorizationHeader = OAuth.getAuthorizationHeader("", message.parameters);  27:       28:     //make the ajax call  29:     $.ajax(  30:     {  31:         //set the OAuth authorization header before we send the web request  32:         beforeSend: function(req)   33:         {  34:             req.setRequestHeader("Authorization", authorizationHeader);  35:          },  36:          type: "GET",  37:          url: "http://myservice.com/Hello?World=" + mWord,  38:          contentType: "text/plain; charset=utf-8",  39:          dataType: "text",  40:          success: function(data) {  41:              $("#ingest_history").html("The REST Service said: " + data);  42:          }  43:     });  44: }  45:        

Here we have an example of calling a web service with OAuth. Now, what’s the service going to do with it?

The service is going to do the same thing. It’s going to take the publicly readable information in the header, and combine that with the secrets that it knows and make sure they match. I’ll post the code to do that next time.

WSDL Flattening Revisited

Wed, 17 Feb 2010 08:02:00 -1200

I apologize it has taken so long for me to post this, but as promised, here is the .cs file for the wsdl flattener.

FlatWSDL.cs (10.75 kb)

To use it, you need to modify your web config and add a reference to the library in the behavior extensions section:

(YOUR ACTUAL ENTRIES MAY VARY)

 <system.serviceModel>

   <extensions>

      <behaviorExtensions>

          <add name="FlatWSDL" type="SteverB.Services.Extensions.FlattenWsdlBehavior, SteverB.Services.Extensions, Version=1.0.0.0,  Culture=neutral, PublicKeyToken=[something]" />

      </behaviorExtensions>

   <extensions>

And then to turn it on, modify the service behavior by adding the <FlatWSDL /> tag:

<behaviors>

   <serviceBehaviors>

      <behavior name="MyBehavior">

         <serviceMetadata httpGetEnabled="true"/>

         <FlatWSDL />

      </behavior>

    </serviceBehaviors>

</behaviors>

I hope that helps someone!

Recursively Extracting A Zip File in Ruby

Fri, 12 Feb 2010 09:31:00 -1200

Recently I had the need to let a user upload a zip file and then have the Ruby app extract it and store it in a DB. I turned to google, but beyond some posts recommending using rubyzip to do the zip file handling I couldn't find anything showing a good way to do this recursively without first actually extracting the zip file to disk and then using the dir object.

After much adding and deleting code I have something that works reasonably well.

First you need to require rubyzip:

And then we can deal with the file.

   1:  require 'zip/zip'

   2:  require 'zip/zipfilesystem'

3:

   4:    def unzip(widget)

5:

   6:        #save the zip to disk so we can unzip it

   7:        filename = widget.guid + ".zip"

   8:        File.open(filename, "w") do |f|

   9:          f.write(widget.zip)

  10:        end

11:

12:

13:

  14:        Zip::ZipFile.open(filename) do |zipfile|

  15:        iterate_dir("", widget, zipfile)

  16:        end #zipfile open do

17:

18:

19:

  20:        #we're done with the file

  21:        File.delete(filename)

22:

  23:    end #unzip

24:

  25:    def iterate_dir(mdir, widget, zipfile)

26:

  27:      zipfile.dir.entries(mdir).each do |dir_entry|

  28:        file_path = mdir + "/" + dir_entry

29:

  30:        if !zipfile.file.directory?(file_path)

  31:              resource = Resource.new()

  32:              resource.widget_id = widget.id

  33:              resource.file_name = dir_entry

  34:              resource.mime_type = mime_type(file_extension(dir_entry))

  35:              resource.file_path = zipfile.file.expand_path(file_path)

  36:              resource.file_length = zipfile.file.size(file_path)

  37:              resource.data = zipfile.file.read(file_path)

  38:              resource.save

  39:        end

  40:      end

41:

  42:      zipfile.dir.entries(mdir).each do |dir_entry|

  43:        file_path = mdir + "/" + dir_entry

  44:        if zipfile.file.directory?(file_path)

  45:          iterate_dir(file_path, widget, zipfile)

  46:        end

  47:      end

  48:    end

49:

There is probably a better way to do this, and there is almost certainly a more idiomatically Ruby way to do it, but this works. No guarantees that I got all the blocks closed while cutting and pasting to this blog entry though. Good luck!

Error Handling in Ruby

Mon, 09 Nov 2009 01:57:00 -1200

I've recently begun learning Ruby by working my way through the Ruby Koans. I finally made it to the section on error handling, which answered a few questions for me.

Once again, Ruby has not surprised me (this is a good thing). There's just some minor syntactical differences. Specifically in place of "try, catch, finally" Ruby uses "begin, rescue, ensure".

begin
  fail "Oops"
rescue StandardError => ex
  #Do something with the error
ensure
  result = :code_that_always_runs
end

Since I haven't made it all the way through the koans yet I'm, probably missing something that seems obvious to long time Ruby users, but so far it's pretty damned simple.

Now For Something Completely Different

Tue, 20 Jan 2009 17:14:00 -1200

I’ve got a few more WCF posts in the cooker, but I thought it might be nice to start the new year off with something a little bit different. This past Thursday, my wife and I were fortunate enough to receive an invite to the Knoxville Symphony Orchestra’s “Blogger’s Night”.

I believe this is the second year that the KSO has put on a blogger’s night. The deal is that Knoxville area bloggers receive free symphony tickets in exchange for writing about the experience. And since my wife and I were in desperate need of some culture and a night out sans children I figured it was a fair trade. I was wrong. I definitely got the better end of the deal.

The performance we attended was Mozart and Mendelssohn, at the Tennessee Theater, with Navah Perlman performing the piano part in Mozart’s Concerto Number 24, in C minor.

The Tennessee Theater itself is gorgeous, with a 1920’s Spanish-Moorish design, and a jaw droppingly beautiful ambient lighting system. The acoustics were, I thought, spot on as well. I had no problems hearing the orchestra, and was even able to hear the conductor during a brief microphone outage during the introduction.

I’m a moderate Mozart fan, in that I like Mozart, have recordings of and can recognize most of his works, but I probably can’t name more than two. However, I now know that most of my Mozart recordings suck. I’ve never heard it played so well.

So, a thank you to the KSO for a wonderful, ear opening experience. I’m off to re-buy my meager classical music selection. To everyone else, get out there and listen to some music.

Passing Configuration Values into WCF Behaviors

Tue, 25 Nov 2008 10:23:00 -1200

Sometimes when creating a WCF behavior it'd be nice to be able to pass in some sort of instance specific configuration information. Fortunately, you can.

In the previous post we added a class that implemented BehaviorExtensionElement so that we could apply our IServiceBehavior via the config file. There are a few other methods that you can implement so that the BehaviorExtensionElement will pull settings from the config file. This way when you add the behavior you can tell it something special, like what the friendly name of the service is.

<serviceBehaviors>

        <behavior name="TrainingService.Service1Behavior">

          <AutoRegister ServiceName="TrainingService" />

        </behavior>

</serviceBehaviors>

Simply add a property to the behavior (IServiceBehavior in this instance), then in the class that implements BehaviorExtensionElement, add a property decorated with System.Configuration.ConfigurationProperty.

        [System.Configuration.ConfigurationProperty("ServiceName", DefaultValue = "", IsRequired = true)]

        public string ServiceName

get

                return (string)base["ServiceName"];

set

                base["ServiceName"] = value;

In this case, we are simply passing back to the IServiceBehavior.

Now add a ConfigurationPropertyCollection and a readonly PropertiesProperty

        private ConfigurationPropertyCollection _prop = null;

        protected override System.Configuration.ConfigurationPropertyCollection Properties

get

                if (this._prop == null)

                    this._prop = new System.Configuration.ConfigurationPropertyCollection();

                    this._prop.Add(new System.Configuration.ConfigurationProperty("ServiceName", typeof(string),

                        "", System.Configuration.ConfigurationPropertyOptions.IsRequired));

                return this._prop;

Now your IServiceBehavior can get its property set.