Welcome
Hi, I’m a developer and consultant developing in the Java enterprise space in large and small organisations and companies. I’ve recently extended into mobile applications on Android devices, making use of sensor functionality (such as GPS) to develop extended functionality.
I’ve got 12 years of experience, during which time I’ve developed large and small applications. These include a University-wide identity management system at Cardiff University, which I designed, programmed, implemented and support. This includes server-to-server data connections for provisioning and a web front-end for management.
I mainly work with open source software, using it to provide very high quality functionality to customers at a low cost. Typically this involves the use of code from multiple open source projects, which need to be integrated both with each other and with proprietary components (such as an existing directory, operating system installation or database). I maintain two open source projects which I use extensively in my work – the Data Rules and Routing Engine and the Java LDAP List Server. I also contribute to the Internet2 Grouper Project, being a core developer with commit access to the source tree.
I’m available for consulting, development and support contracts at fixed or variable cost in any of the above areas (or new ones, I’m always learning new stuff).
MyLoc Android App published
I’ve published my first Android App – MyLoc. It’s a more polished version of an app I wrote for myself to keep track of where I’ve been without needing to sign up for any service that would be storing my data.
The way it works is that it wakes up every so often, gets a GPS fix (or falls back to a network fix if GPS is unavailable) and sends an email with my location to one or more email addresses. This email can include a map (downloaded from Google Maps), and an approximate address (reverse geo-coded by Google). Retrieving the map, the address and sending emails is all done on the phone rather than by a webapp hosted on some server. The emails are sent through a Gmail account (which could be the user’s main Gmail account, or a secondary one). I chose Gmail because the vast majority of Android users are likely to have an account already, and so it would be easiest for the largest number of people.
The reason I designed it to work like this is that, while I’m interested in keeping track of where I’ve been, I don’t want to be running the GPS receiver all the time as it drains battery. Also, once set up I want it to be completely hands-off. I have it set to get my location and send emails every hour and this is fine for when I want to remind myself of where I’ve been. The delay between updates can be set to as little as 10 minutes.
I think people could find it useful:
- As a reminder of where they’ve been
- To let other people know progress on a trip, or in a sporting event (marathon, triathlon etc)
- As a safety net where I’m responsible for a group of people, sending out location to a trusted third party on a regular basis
I’m sure there are other uses, and I’m going to be adding functionality to it pretty regularly, so hopefully you’ll find a use for it.
I’ve recently been putting together some web applications which use Spring Workflow and Spring Security. I originally implemented them without any external components, but I soon had a requirement to allow authentication to be handled by another service (the Shibboleth Apache module), while authorisation would continue to be handled by Spring Security using LDAP groups. Below is a Spring Security configuration file that pulls all this together.
Note that Spring expects the REMOTE_USER username to come through in a request header, not in an environment variable, which is how Apache normally exposes it. To do this you need to use mod_rewrite to inject the header using these directives:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
Spring config file
This config uses beans which ship with Spring Security 2.0.x.
<!-- The class attributes were lost from the published page. Those below are the
     standard Spring Security 2.0.x classes for each bean and are supplied as an
     assumption; check them against the version you deploy. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<s:http>
<s:intercept-url pattern="/work/**" access="ROLE_GROUPERUSERS,ROLE_GROUPERADMINS" />
<s:form-login login-page='/login.html'/>
<s:anonymous />
<s:logout />
</s:http>
<!-- Pre auth: trust the REMOTE_USER header injected by Apache/Shibboleth -->
<bean id="siteminderFilter" class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
<s:custom-filter position="PRE_AUTH_FILTER" />
<property name="principalRequestHeader" value="REMOTE_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<s:custom-authentication-provider />
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="ldapUserDetailsService"/>
</bean>
</property>
</bean>
<s:authentication-manager alias="authenticationManager" />
<!-- Look the pre-authenticated username up in LDAP and load its groups as roles -->
<bean id="ldapUserDetailsService" class="org.springframework.security.userdetails.ldap.LdapUserDetailsService">
<constructor-arg index="0">
<ref local="filterBasedLdapUserSearch"/>
</constructor-arg>
<constructor-arg index="1">
<ref local="ldapGroupsPopulator"/>
</constructor-arg>
</bean>
<!-- User entry: (cn={0}) searched under o=Accounts -->
<bean id="filterBasedLdapUserSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0">
<value>o=Accounts</value>
</constructor-arg>
<constructor-arg index="1">
<value>(cn={0})</value>
</constructor-arg>
<constructor-arg index="2">
<ref local="contextSource"/>
</constructor-arg>
<property name="searchSubtree" value="true"/>
</bean>
<!-- Roles: ROLE_ + cn of each group under ou=Groups,o=Resources whose member lists the user DN -->
<bean id="ldapGroupsPopulator" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg>
<ref bean="contextSource"/>
</constructor-arg>
<constructor-arg>
<value>ou=Groups,o=Resources</value>
</constructor-arg>
<property name="searchSubtree" value="true"/>
<property name="groupRoleAttribute" value="cn"/>
<property name="groupSearchFilter" value="(member={0})"/>
<property name="rolePrefix" value="ROLE_"/>
</bean>
<!-- Spring LDAP context source (assumed class; it takes url/userDn/password as properties) -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://127.0.0.1:389/"/>
<property name="userDn" value="cn=admin,o=users"/>
<property name="password" value="password"/>
</bean>
<!-- end preauth -->
</beans>
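To make the chain the configuration wires up concrete, here is an added Python model (not Spring code and not from this site) of one request: the filter reads the REMOTE_USER header, the user is found with (cn={0}) under o=Accounts, roles come from groups under ou=Groups,o=Resources whose member attribute holds the user DN, and /work/** requires one of the two listed roles. It assumes a constructed in-memory directory in place of the LDAP server; the base DNs, filters and role prefix are the ones from the config.

```python
# Added example: a model of the pre-authentication chain in the Spring config above.
# The directory entries are constructed; base DNs, filters and prefix mirror the config.
USER_BASE = "o=Accounts"                 # filterBasedLdapUserSearch, constructor-arg 0
GROUP_BASE = "ou=Groups,o=Resources"     # ldapGroupsPopulator, constructor-arg 1
ROLE_PREFIX = "ROLE_"                    # ldapGroupsPopulator rolePrefix
WORK_ROLES = {"ROLE_GROUPERUSERS", "ROLE_GROUPERADMINS"}  # intercept-url for /work/**

# Constructed sample directory (DN -> attributes), standing in for the LDAP server.
DIRECTORY = {
    "cn=alice,ou=staff,o=Accounts": {"cn": "alice"},
    "cn=bob,o=Accounts": {"cn": "bob"},
    "cn=grouperusers,ou=Groups,o=Resources": {
        "cn": "grouperusers", "member": {"cn=alice,ou=staff,o=Accounts"}},
    "cn=grouperadmins,ou=Groups,o=Resources": {"cn": "grouperadmins", "member": set()},
}


def search_subtree(base, match):
    """searchSubtree=true: every entry anywhere below base whose attributes satisfy match."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and match(attrs)]


def load_user(username):
    """LdapUserDetailsService: (cn={0}) under o=Accounts, then groups via (member={0})
    under ou=Groups,o=Resources; role = rolePrefix + group cn, upper-cased as
    DefaultLdapAuthoritiesPopulator does by default."""
    hits = search_subtree(USER_BASE, lambda a: a.get("cn") == username)
    if len(hits) != 1:          # missing or ambiguous entry: user not found
        return None
    user_dn = hits[0]
    groups = search_subtree(GROUP_BASE, lambda a: user_dn in a.get("member", set()))
    roles = {ROLE_PREFIX + DIRECTORY[g]["cn"].upper() for g in groups}
    return user_dn, roles


def authenticate(headers):
    """RequestHeaderPreAuthenticatedProcessingFilter + PreAuthenticatedAuthenticationProvider:
    the header value is accepted as an already-authenticated principal and no password is
    checked, so only the Apache front end that runs the RequestHeader directive may be able
    to reach the application and set this header."""
    username = headers.get("REMOTE_USER")
    if not username:
        return None             # no header: the request stays anonymous
    return load_user(username)  # unknown user: provider fails, treated as anonymous here


def allowed(path, principal):
    """intercept-url: /work/** needs one of WORK_ROLES; everything else is open."""
    roles = principal[1] if principal else set()
    return not path.startswith("/work/") or bool(roles & WORK_ROLES)
```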
What is Identity Management?
In the IT industry today, almost all the publicity in Identity Management revolves around the use that identity data is put to, be it to provide authentication to a partner in a federation; supply personal information that a person has stored with a third party; or any similar purpose.
However, this is only the second aspect of Identity Management.
The first (and most important) is collating your store of identity data and maintaining it to ensure it is both comprehensive and accurate. Only when this store is in a good state can the data safely be put to any meaningful use, <corny metaphor>otherwise it’s like building a house with no foundations … on sand</corny metaphor>.
It’s not as easy as it sounds, and even for a small company or organisation requires thought and administrative overhead.
Here are a few of my rules-of-thumb for successful identity management:
- Be sure of your data before putting it to any use
- Be ready to meet organisational hurdles as you work with data from existing systems
- Be ready to spend 80% of your time on data issues
- Create a common unique key for each user if one doesn’t already exist and propagate it to as many systems from which data is sourced as possible
- Choose unique identifiers that will be used to match data from different sources carefully. A match must be as near foolproof as possible
- Structure your identity store so that it makes sense to humans as well as to computers
- Make sure the system is dynamic – even if you don’t need to work with data in real time now, you will probably need to in the future
- Design security in from the beginning and make it as granular as possible
- Design-in internal data integrity
- Design-in scalability
- Design-in as much flexibility as possible. Assume that what you think will never be required will be called for next week
- Be ready for the organisation to start to rely on your identity data to an extent that you didn’t think possible