Deploying a Web Application from Maven Build to Remote Tomcat Container with Cargo

Several days ago I had to implement a mechanism that uploads a web application to a running instance of Tomcat. The web application was built using Maven, so the obvious choice was the Maven Cargo plugin. The Cargo framework is mostly intended for integration testing, but its Maven plugin can do some useful things as a side effect. There is a lot of documentation on the web about Cargo in general and remote deployment to Tomcat specifically, but I was unable to find a complete example that could be taken as-is. So, here it goes!

Difference between SSO (Single Sign On) and Identity Federation

There is a lot of confusion on the net between SSO and Identity Federation. Both concepts may look the same to the end users, but they are different. Today many authentication products implement both, further increasing the confusion. Here I’ll try to explain the difference as I see it.

Identity Federation (sometimes referred to as Federation or Federated Identity) allows the end users to use the same set of credentials to obtain access to multiple resources. This gives an advantage to the software systems that utilize Identity Federation, both from a security and a usability perspective – the end users do not have to maintain multiple sets of credentials. Yet, the users have to provide their credentials to each one of the participating resources. Typically Identity Federation systems are based on a single credentials store, but other implementation methods (for example, password synchronization) may also be used.

SSO (Single Sign On) allows the end users to provide their credentials once and obtain access to multiple resources. The key point of the concept is that the users are not prompted for their credentials anew on access to participating resources until the active session is terminated. The participating resources are typically related, but still remain independent. Specifically, each system may have its own authorization system, providing system-specific roles to the end users. The practical implementation of the supporting software system remains out of scope for the concept definition.

How to enable Google Adsense on Jetpack Mobile Theme

Congratulations, you’ve successfully activated Mobile Theme on Jetpack! Now your lovely site looks great on small mobile screens also, and it was only one click away. But wait, something is still missing… Right, there are no sidebars – and no ads inside! Maybe it makes no difference for the readers, but not for you as the blog owner.

Well, the Jetpack documentation explains that they look for a sidebar with some predefined ID to show it at the bottom of the page. It means that maybe you do have one of your sidebars shown there. If this is the case, you have no choice but to rearrange the content of this sidebar to match it to the mobile page. Otherwise keep reading, and I will explain how to add a new dedicated sidebar for the mobile theme.

How to enable RDP access to Microsoft UAG 2010

Some time ago we found that the Microsoft UAG installation in our lab does not allow RDP access. The server itself was fine and the RDP service inside worked as expected – it was clearly visible on the VM console – but the RDP connections were silently ignored. It looked strange and we spent a significant amount of time searching the internet for the reason for this behavior, until we realized that the UAG server does allow us to connect via RDP from one of the remote computers – the one it was installed from. This gave us a clue about what was going on and finally led us in the right direction.

The solution is simple and well-documented – but only if you know what to look for, as usual. It appears that Microsoft TMG (the product that Microsoft UAG is based on) allows remote access from a predefined set of computers only. In order to be allowed to open RDP to the UAG server, the computer should be added to the list of Forefront TMG Remote Management Computers. The detailed instructions can be found at the bottom of this TechNet article, and I’ll quote the relevant part here also for future reference:

«Open the Forefront TMG Management console from the Start menu. In the console tree, click the Firewall Policy node. On the Toolbox tab, click Network Objects. Click Add, and then click Computer. Specify the details of the computer from which you will remotely manage Forefront UAG. … After adding the computer to the set, activate the changes in the Forefront TMG Management console.»