This is just a simple PHP script that looks in your web server’s log files directory, looking for access logs and feeding them to webalizer.
To get it to run, you’ll need a web server with webalizer installed.
Download the script
Interesting reading here
This is utterly preposterous and wholly inappropriate – it should NOT be allowed!
Can you believe it? William Wallace’s sword, currently housed in The Wallace Monument in Stirling, is to be shipped off to America for “Tartan Day”. I ask you, what a load of balderdash and codswallop. This makes me so angry. Apparently the sword is regarded as “The Guardian of Scotland” but all Stirling council can see in it is a chance to peddle their tawdry wares to the Americans, who like to regard us as a bunch of tartan clad haggis munchers who live in turf roofed hovels up a misty glen at the foot of Granny’s Heilan’ Ben. Boke!
Something as precious as a 700 year old freedom fighter’s sword being stood in a railway station. Is this actually legal? What sort of reception would London councils get if they wanted to ship the crown jewels to some public amenity in Stornoway?
Wallace’s sword on the other hand can be manipulated for tartan tattery. They’re even comparing it to themselves when they say that the cost of transporting it is no more than the cost incurred for transporting their own fat bahookies!
For someone who ultimately inspired the Battle of Bannockburn and Scottish independence, to then wrap that in money spinning cap doffing tartan pish is nothing short of criminal.
Read the paper here
Interesting website
SAMUEL, which Guanxi uses to compose SAML messages, uses JAXP to get an XML parser. I decided to use JAXP as it doesn’t tie a user of SAMUEL to a particular parser but it creates a problem when trying to sign SAML Responses, when the AA sends Assertions back to the SP:
<samlp:Response InResponseTo="a825424eaebb5885a906cd5e5a5c5e09" IssueInstant="2005-03-11T11:36:00Z" MajorVersion="1" MinorVersion="1" ResponseID="666">
To sign either a whole document, or an element within a document, you must be able to identify an ID attribute, which the signature will work on:
XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_DSA);
sig.addDocument("#666", transforms, org.apache.xml.security.utils.Constants.ALGO_ID_DIGEST_SHA1);
The “standard” way of identifying an ID attribute is to prefix it with “id”:
< … id="666" … >
I say “standard” as it’s the one that will work, although it breaks if you import another document fragment that also contains an ID attribute identified by “id”. In short, there’s no standard!
Shibboleth uses the ResponseID attribute as its ID attribute and the only way to set that as the ID attribute is to use:
Element.setIdAttributeNS(null, "ResponseID", true)
but that’s only available in DOM3, and the current Xerces DOM3 implementation is in beta2.
So, what to do? The only way to sign Responses is to use DOM3 but loaded via JAXP. If JAXP finds a DOM3 compliant parser then we can sign Responses but if not, we can’t. You can still send Responses to the SP without signatures but I’d rather sign them, so I’ll have to move to DOM3, beta2!
Hold on though, this is Java. You don’t get a choice as JAXP doesn’t support DOM3. You have to hard wire DOM3 jars to the application. So, I’ll have to wait until JAXP supports DOM3 before signing Responses.
Hold on again, I hear you shout, JAXP 1.3 is out and supports DOM3. Well, read this, from Sun:
“JAXP 1.3 would not be legally usable with J2SE 1.4 because J2SE 1.4 has JAXP 1.2 in it…”
As I’m developing on OS X and I want to support SAMUEL on OS X I’m stuffed until Apple release Tiger and their JDK1.5 implementation. As usual, there’s a workaround for us who lack JDK1.5.
In the meantime, the W3C are starting to work on this.
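An added example (not code from SAMUEL or Guanxi) of the ID attribute problem described above. It uses the JDK's built-in javax.xml.crypto.dsig API rather than the Apache XMLSignature class shown in the post, and assumes Java 11 or later, where the JAXP parser implements DOM Level 3; the RSA key, SHA-256 algorithms and trimmed Response are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ResponseIdSigning {
    // Constructed sample, trimmed to the attributes that matter here.
    static final String XML =
        "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\""
        + " ResponseID=\"666\" MajorVersion=\"1\" MinorVersion=\"1\"/>";

    static Document parse() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
    }

    static void sign(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#666", fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        // Enveloped signature: the Signature element becomes a child of the Response.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey key = kpg.generateKeyPair().getPrivate();
        // No schema or DTD was loaded, so ResponseID is an ordinary attribute
        // and the "#666" reference cannot be resolved.
        try { sign(parse(), key); }
        catch (XMLSignatureException e) { System.out.println("not signed: " + e.getMessage()); }
        // DOM Level 3: declare ResponseID (no namespace) to be of type ID, then sign.
        Document doc = parse();
        doc.getDocumentElement().setIdAttributeNS(null, "ResponseID", true);
        sign(doc, key);
        System.out.println("signed, first child: " + doc.getDocumentElement().getFirstChild().getNodeName());
    }
}
```

The ID registration is not serialized with the document, so the side that validates the signature has to make the same setIdAttributeNS call after parsing before it can resolve the reference.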
It’s all explained here
This site has an interesting summary and comparison of the various web frameworks on offer at the moment. It compares and contrasts:
Having already used Struts and Spring, I’ve decided to take an interest in JSF as the next Struts subproject, Shale, will integrate the two. The news from the Struts project is of change:
“Struts Shale … is … an entirely new codebase … an MVC framework for web applications, like Struts Classic, but it’s a fresh start. Struts Shale is the best choice for developers eager to leverage the latest technologies, like JavaServer Faces.”
Also, JSF UI components seem to be taking over the Struts html tag library, as, to quote the developer of Struts:
“If you have an existing Struts based application, then, I encourage you to evaluate a migration towards using JSF components instead of the original Struts HTML tags. Not only are the original tags effectively superceded by JSF, they are also not undergoing active development at the moment.”
It looks like the immediate future will be an integration of Controller level frameworks with the JSF View tier to get your MVC:
Struts and JSF? What’s all that about? Have a read here and find out.
Spring and JSF? Find out more here.
Just finished developing a simple WAYF for Guanxi. All it does is take GET requests from a Shibboleth SP, display a list of institutions Guanxi recognises and redirect the browser to the chosen institution’s IdP SSO service.
Next steps are to put in some kind of security so that we only accept GETs from SPs we know about.
IQ-trust.xml holds certificate information on IdPs.
To generate a private/public keypair for your IdP in your keystore:
keytool -keystore idp.jks -genkey -alias idp -keypass idppass
Enter keystore password: keystorepass
What is your first and last name?
[Unknown]: shorigin.uhi.ac.uk
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=shorigin.uhi.ac.uk, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Note that everything is empty except for the “first and last name”. Shibboleth uses the subject of the X509 certificate to find your IdP’s certificate in IQ-trust.xml. To get your certificate into the SP:
keytool -keystore idp.jks -alias idp -file idpcert.pem -rfc -export
This exports your IdP’s public key in an X509 certificate. Then, to import it into your shibboleth SP:
openssl x509 -in idpcert.pem -subject -nameopt RFC2253,sep_comma_plus_space
You should see output on the screen such as (note, I’ve removed a chunk for security reasons!):
-----BEGIN CERTIFICATE-----
MIIC9zCCArUCBEGrFBYwCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkdCMRIwEAYD
VQQIEwlIaWdobGFuZHMxDTALBgNVBAcTBFNreWUxDDAKBgNVBAoTA1VISTEMMAoG
A1UECxMDV1dXMRMwEQYDVQQDEwpHdWFueGkgU1NPMB4XDTA0MTEyOTEyMjAzOFoX
DTA1MDIyNzEyMjAzOFowYTELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUhpZ2hsYW5k
tC8fdfl6dcqlERgmNiixe4O/YaXlMhm+FYwXqzXzVkn+Ljc4r0KsYzfGf5VW8ms4
VmXwK+qCF+k3iRrdQECFFh2FPsnX0YiTt2eNAvdkDkkqlocIsEtpLXqqZJ6tluQc
JinJGcPAQv9LqEfeNmBO8zdBIkM3DnUesHoUpHcwCwYHKoZIzjgEAwUAAy8AMCwC
FB4nt7aRB4TdVqodcwqwkjXeT/KHAhQjfWRjE9wlCYO2vGzzVFiYt08uDQ==
-----END CERTIFICATE-----
The final step is to copy the text output you see on the screen and bung it into a <KeyAuthority> element in IQ-trust.xml:
<KeyAuthority>
<ds:KeyName>shorigin.uhi.ac.uk</ds:KeyName>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIC9zCCArUCBEGrFBYwCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkdCMRIwEAYD
VQQIEwlIaWdobGFuZHMxDTALBgNVBAcTBFNreWUxDDAKBgNVBAoTA1VISTEMMAoG
A1UECxMDV1dXMRMwEQYDVQQDEwpHdWFueGkgU1NPMB4XDTA0MTEyOTEyMjAzOFoX
DTA1MDIyNzEyMjAzOFowYTELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUhpZ2hsYW5k
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyAuthority>
<ds:KeyName> should be set to your X509 certificate’s subject (CN).
Note also the insertion of your IdP’s X509 certificate in <ds:X509Certificate> – you should paste at the end of the element and put the closing </ds:X509Certificate> on the start of a new line.
One thing to note. If the URL of your AA doesn’t match your certificate’s CN then you’ll get the Shibboleth error:
SSL: certificate subject name ‘SOME_SUBJECT_NAME’ does not match target host name ‘uni.ac.uk’
You’ll get this error if you have your Attribute Authority on:
https://uni.ac.uk/guanxi/AA
but you’re using a Guanxi auto generated keystore to protect 443 as well as sign assertions.