SAML Subject Confirmation Methods

SAML specifies the following three subject confirmation methods:

  • Bearer scenario
  • Holder-of-key scenario
  • Sender-vouches scenario

Bearer scenario

In the bearer scenario, the server automatically trusts the SAML token (after verifying its signature). Thus, in the bearer scenario any client that presents the token can make use of the claims contained in the token (roles, permissions, and so on). It follows that the client must be very careful not to expose the SAML token or to pass it to any untrusted applications. For example, the client/server connection must use encryption, to protect the SAML token from snooping.

The figure below shows a general outline of a typical bearer scenario.

The bearer scenario proceeds as follows:

1. Before invoking an operation on the server, the client sends a RequestSecurityToken (RST) message to the Issue binding of the STS. The RST specifies a KeyType of Bearer.

2. The STS generates a SAML token with subject confirmation type bearer, signs the token using its private key, and then returns the token in a RequestSecurityTokenReply (RSTR) message.

3. The client attempts to invoke an operation on the server, with the SAML token embedded in the SOAP header of the request message, where either the SOAP header or the transport connection must be encrypted, to protect the token.

4. The server checks the signature of the SAML token (using a local copy of the STS public key), to ensure that it has not been tampered with.

Holder-of-key Scenario

The holder-of-key scenario is a refinement of the bearer scenario where, instead of accepting the SAML token when presented by any client, the server attempts to authenticate the client and checks that the client identity matches the holder-of-key identity embedded in the SAML token.

There are two variations on the Holder-of-Key scenario, depending on the value of the KeyType specified in the RST, as follows:

  • PublicKey—the client must prove to the WS server that it possesses a particular private key.
  • SymmetricKey—the client must prove to the WS server that it possesses a particular symmetric session key.

The following figure shows a general outline of a typical holder-of-key scenario:

The holder-of-key scenario proceeds as follows:

1. Before invoking an operation on the server, the client sends a RequestSecurityToken (RST) message to the Issue binding of the STS. The STS generates a SAML token with subject confirmation type holder-of-key, embeds the client identity in the token (the holder-of-key identity), signs the token using its private key, and then returns the token in a RequestSecurityTokenReply (RSTR) message.

2. The client attempts to invoke an operation on the server, with the SAML token embedded in the SOAP header of the request message.

3. The server checks the signature of the SAML token (using a local copy of the STS public key), to ensure that it has not been tampered with.

4. The server attempts to authenticate the client (for example, by requiring a client X.509 certificate or by checking WS-Security UsernameToken credentials) and checks that the client’s identity matches the holder-of-key identity.

Implementation of this scenario has the following requirements:

  • SAML tokens with a Holder-Of-Key subject confirmation method must be protected, so that the token cannot be snooped. In most cases, a Holder-Of-Key token combined with HTTPS is sufficient to prevent a man in the middle from getting possession of the token. This means a security policy that uses an sp:TransportBinding and an sp:HttpsToken.
  • A Holder-Of-Key token has no encryption or signing keys associated with it, therefore an sp:IssuedToken of SymmetricKey or PublicKey keyType should be used with an sp:SignedEndorsingSupportingTokens.

WSDL example

Message exchange example:

Outbound message to STS

To obtain a SAML security token issued by the security token service, the client sends the following RequestSecurityToken (RST) message to the security token service:

Inbound message from STS

The security token service returns the following RequestSecurityTokenResponse (RSTR) message, containing a signed SAML token, saml2:Assertion, to the client:

The RSTR message body did not survive extraction as XML; only the following values from the returned, signed saml2:Assertion are recoverable:

  • Token type: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • Issuer: http://www.sopera.de/SAML2
  • Authentication context class: ac:classes:X509
  • Signature digest value: Gpzf8TjPATPsQDAm2ojNdEpht1A=
  • Signature value: jsbIP1Z25q4Qedn6OSid4QcV4cs6+lgwB+jDiImwMMEoyzp1BjWQWB+1SIbHfa9rtmmTszLdmeTqxSXiAy2CeVZcIDk1UAfySAhDrrmR5N6lJMJqsQgU4o1ysLsZMKwtR2FL+eya7hJ9e4UtQVH1KOa7Cx1rvl4Dr8u8FuN5Myg=
  • STS certificate distinguished name: 1.2.840.113549.1.9.1=#160b737473407374732e636f6d,CN=www.sts.com,OU=IT Department,O=Sample STS -- NOT FOR PRODUCTION,L=Baltimore,ST=Maryland,C=US
  • STS certificate (Base64): MIID5jCCA0+gAwIBAgIJAPahVdM2UPibMA0GCSqGSIb3DQEBBQUAMIGpMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxEjAQBgNVBAcTCUJhbHRpbW9yZTEpMCcGA1UEChMgU2FtcGxlIFNU UyAtLSBOT1QgRk9SIFBST0RVQ1RJT04xFjAUBgNVBAsTDUlUIERlcGFydG1lbnQxFDASBgNVBAMT C3d3dy5zdHMuY29tMRowGAYJKoZIhvcNAQkBFgtzdHNAc3RzLmNvbTAeFw0xMTAyMDkxODM4MTNa Fw0yMTAyMDYxODM4MTNaMIGpMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxEjAQBgNV BAcTCUJhbHRpbW9yZTEpMCcGA1UEChMgU2FtcGxlIFNUUyAtLSBOT1QgRk9SIFBST0RVQ1RJT04x FjAUBgNVBAsTDUlUIERlcGFydG1lbnQxFDASBgNVBAMTC3d3dy5zdHMuY29tMRowGAYJKoZIhvcN AQkBFgtzdHNAc3RzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAo+f8gs4WcteLdSPW Pm8+ciyEz7zVmA7kcCGFQQvlO0smxRViWJ1x+yniT5Uu86UrAQjxRJyANBomQrirfE7KPrnCm6iV OsGDEntuIZAf7DFPnrv5p++jAZQuR3vm4ZHXFOFTXmI+/FD5AqLfNi17xiTxZCDYyDdD39CNFTrB 2PkCAwEAAaOCARIwggEOMB0GA1UdDgQWBBRa0A38holQIbJMFW7m5ZSw+iVDHDCB3gYDVR0jBIHW MIHTgBRa0A38holQIbJMFW7m5ZSw+iVDHKGBr6SBrDCBqTELMAkGA1UEBhMCVVMxETAPBgNVBAgT CE1hcnlsYW5kMRIwEAYDVQQHEwlCYWx0aW1vcmUxKTAnBgNVBAoTIFNhbXBsZSBTVFMgLS0gTk9U IEZPUiBQUk9EVUNUSU9OMRYwFAYDVQQLEw1JVCBEZXBhcnRtZW50MRQwEgYDVQQDEwt3d3cuc3Rz LmNvbTEaMBgGCSqGSIb3DQEJARYLc3RzQHN0cy5jb22CCQD2oVXTNlD4mzAMBgNVHRMEBTADAQH/ MA0GCSqGSIb3DQEBBQUAA4GBACp9yK1I9r++pyFT0yrcaV1m1Sub6urJH+GxQLBaTnTsaPLuzq2g IsJHpwk5XggB+IDe69iKKeb74Vt8aOe5usIWVASgi9ckqCwdfTqYu6KG9BlezqHZdExnIG2v/cD/ 3NkKr7O/a7DjlbE6FZ4G1nrOfVJkjmeAa6txtYm1Dm/f
  • Assertion ID (appears twice in the extracted text): _181835fb981efecaf71d80ecd5fc3c74

Outbound message to the server

The client now embeds the signed SAML token, saml2:Assertion, in the WS-Security header, wsse:Security, when it invokes the greetMe operation on the server:

The request body did not survive extraction as XML. The recoverable values are the same assertion fields as in the RSTR above (issuer http://www.sopera.de/SAML2, authentication context class ac:classes:X509, and the same signature digest value, signature value and STS certificate), followed by the greetMe request parameter:

TEST

Inbound message from the server

When the server receives the preceding SOAP request, the soap:mustUnderstand="1" attribute setting ensures that the server must process the security header. In addition, the presence of a signature in the SAML token means that the server must confirm the signature. After successfully processing the security header, the server sends back the following reply to the client:

Hello TEST


Sender-Vouches Scenario

You can use the sender-vouches confirmation method for SSO scenarios where the WS intermediary system has a trust relationship with the back-end system.

This scenario defines four different entities:

  1. a client,
  2. an intermediary,
  3. a SAML issuer, and
  4. a back-end system that is the WS provider.

For an overview of the system interaction for this scenario, see the figure below:


The following steps describe in more detail the lifetime of a request using the SAML sender-vouches profile.

1. The client sends a request to the intermediary. This request can be of any kind but must contain valid authentication information to log the client on to the intermediary.

2. The intermediary authenticates the client. To process the request, the intermediary needs to retrieve information from the back-end system over Web services, which requires a mechanism for forwarding the client’s authentication information.

3. To forward the client’s authentication, the intermediary needs to add a SAML assertion to the request. This assertion is provided by the issuer. To get it the intermediary needs to forward all necessary login information to the issuer, which in return creates the SAML assertion.

4. The assertion is added to the Web service request. To vouch for the integrity of the SAML assertion and the payload of the Web service request both are signed by the intermediary using a digital signature. The intermediary is able to vouch for the SAML assertion because there is an explicit trust relationship between the back-end system and the intermediary, which enables the back-end system to verify the digital signature.

5. The Web service request containing the SAML assertion is now sent to the back-end system.

6. The back-end system attempts to verify the SAML assertion. Besides checking the correctness of the SAML assertion, the back-end system also verifies that the issuer is trusted and that there is an existing trust relationship between the intermediary and the back-end system. After successful verification, the client is logged on to the system and the request is processed.

7. The back-end system sends a response to the intermediary. The intermediary uses the received data to complete the client’s request and send a response to the client.
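The three confirmation methods differ only in what the relying party must check before it acts on the assertion's subject. The following example is added here for illustration; it is not code from the referenced documentation or from any vendor. It implements those checks in Python for a minimal, constructed SAML 2.0 assertion. The namespace and Method URIs are the real SAML 2.0 values; the trust store, the endpoint address, the intermediary name and the HMAC-SHA256 "signature" (a stand-in for the XML-DSig signature, so that the example runs offline with only the standard library) are assumptions. It covers the bearer, holder-of-key and sender-vouches cases together with the rejections each must produce: a bearer token presented over an unprotected channel, a tampered or expired token, a holder-of-key token presented without the matching client key, an untrusted intermediary, and an intermediary signature that no longer covers the request body.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CM = "urn:oasis:names:tc:SAML:2.0:cm:"
BEARER, HOLDER_OF_KEY, SENDER_VOUCHES = CM + "bearer", CM + "holder-of-key", CM + "sender-vouches"

# Constructed trust store: stands in for the local copy of the STS public key and for
# the intermediary's signing certificate (name -> verification key).
TRUSTED_ISSUERS = {"http://www.sopera.de/SAML2": b"sts-signing-key"}
TRUSTED_INTERMEDIARIES = {"urn:example:portal": b"intermediary-signing-key"}
MY_ENDPOINT = "https://ws.example.test/greetMe"  # assumed address of this server


def sign(key: bytes, data: bytes) -> str:
    # HMAC-SHA256 stand-in for the XML-DSig signature; real tokens use RSA over canonical XML.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(method: str, confirmation_data: str = "") -> bytes:
    """Minimal constructed SAML 2.0 assertion; not the output of any real STS."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://www.sopera.de/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
        Recipient="{MY_ENDPOINT}">{confirmation_data}</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{MY_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()


def confirm_subject(assertion: bytes, req: dict, now: datetime):
    """Apply the relying party's confirmation-method policy.
    req holds what the server knows from the transport and the WS-Security header:
    transport_encrypted, issuer_signature, client_key (the key the client proved it holds)
    and, for sender-vouches, intermediary, body and intermediary_signature (over assertion+body).
    Returns (subject_name, None) on success or (None, reason) on rejection."""
    root = ET.fromstring(assertion)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        return None, "issuer not trusted"
    cond = root.find("saml:Conditions", NS)  # checks that apply to every method
    if not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        return None, "assertion outside validity window"
    if MY_ENDPOINT not in [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        return None, "audience mismatch"
    subject = root.find("saml:Subject", NS)
    sc = subject.find("saml:SubjectConfirmation", NS)
    data = sc.find("saml:SubjectConfirmationData", NS)
    if data.get("Recipient") != MY_ENDPOINT or now >= _utc(data.get("NotOnOrAfter")):
        return None, "confirmation data rejected"
    method = sc.get("Method")
    if method in (BEARER, HOLDER_OF_KEY):
        # The token is STS-signed: check the signature with the locally held STS key.
        if not hmac.compare_digest(sign(TRUSTED_ISSUERS[issuer], assertion), req.get("issuer_signature", "")):
            return None, "issuer signature invalid"
        if method == BEARER and not req.get("transport_encrypted"):
            # Anyone holding a bearer token can use it, so it must never travel in the clear.
            return None, "bearer token presented over an unprotected channel"
        if method == HOLDER_OF_KEY:
            # The client must have proven possession of the key the STS bound into the token.
            wanted = data.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
            if not req.get("client_key") or req["client_key"] != wanted:
                return None, "holder-of-key identity does not match the authenticated client"
    elif method == SENDER_VOUCHES:
        # The intermediary vouches for the subject: it must be trusted, and its signature
        # must cover both the assertion and the request body it attached the assertion to.
        im_key = TRUSTED_INTERMEDIARIES.get(req.get("intermediary"))
        if im_key is None:
            return None, "intermediary not trusted"
        if not hmac.compare_digest(sign(im_key, assertion + req.get("body", b"")),
                                   req.get("intermediary_signature", "")):
            return None, "intermediary signature invalid"
    else:
        return None, "unsupported confirmation method"
    return subject.findtext("saml:NameID", namespaces=NS), None


def demo() -> dict:
    """The three scenarios plus the failure cases the server must catch."""
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    sts, im = TRUSTED_ISSUERS["http://www.sopera.de/SAML2"], TRUSTED_INTERMEDIARIES["urn:example:portal"]
    body = b"<greetMe>TEST</greetMe>"  # constructed SOAP body
    bearer, sv = make_assertion(BEARER), make_assertion(SENDER_VOUCHES)
    hok = make_assertion(HOLDER_OF_KEY, "<ds:KeyInfo><ds:KeyName>cert:alice</ds:KeyName></ds:KeyInfo>")
    b_req = {"transport_encrypted": True, "issuer_signature": sign(sts, bearer)}
    h_req = {"issuer_signature": sign(sts, hok)}
    s_req = {"intermediary": "urn:example:portal", "body": body, "intermediary_signature": sign(im, sv + body)}
    return {
        "bearer_over_tls": confirm_subject(bearer, b_req, now),
        "bearer_plaintext": confirm_subject(bearer, {**b_req, "transport_encrypted": False}, now),
        "bearer_tampered": confirm_subject(bearer.replace(b"alice", b"mallory"), b_req, now),
        "bearer_expired": confirm_subject(bearer, b_req, now + timedelta(minutes=10)),
        "hok_right_key": confirm_subject(hok, {**h_req, "client_key": "cert:alice"}, now),
        "hok_wrong_key": confirm_subject(hok, {**h_req, "client_key": "cert:eve"}, now),
        "hok_replayed_without_client_auth": confirm_subject(hok, h_req, now),
        "sv_trusted_intermediary": confirm_subject(sv, s_req, now),
        "sv_unknown_intermediary": confirm_subject(sv, {**s_req, "intermediary": "urn:example:rogue"}, now),
        "sv_body_swapped": confirm_subject(sv, {**s_req, "body": b"<greetMe>ADMIN</greetMe>"}, now),
    }
```

In a real deployment the HMAC check is replaced by XML-DSig verification against the STS certificate (and, for sender-vouches, against the intermediary's certificate), and `client_key` comes from the TLS client certificate or the WS-Security token the server has authenticated; the per-method decision logic stays the same. Note that the holder-of-key case fails both when the wrong key is presented and when no client authentication happened at all, which is exactly what distinguishes it from a bearer token.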

SAML 2.0 Assertion example:

https://technet.microsoft.com/en-us/library/dn133771.aspx?f=255&MSPPError=-2147217396

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Web_Services_Security_Guide/files/WsTrust-BasicScenario.html
2. https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
3. http://dulanja.blogspot.com/2013/01/saml-subject-confirmation-methods.html
4. http://fusionsecurity.blogspot.com/2009/09/bearer-confirmation-method-huh-what-is.html
5. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key.pdf
6. https://docs.jboss.org/author/display/JBWS/SAML+Holder-Of-Key+Assertion+Scenario?_sscc=t
7. https://help.sap.com/saphelp_nwpi71/helpdata/en/44/322225a52d5447e10000000a422035/content.htm
8. https://access.redhat.com/documentation/en-US/Fuse_ESB/4.4.1/html/Web_Services_Security_Guide/files/WsTrust-Demo-Messages.html


Xcode: No signing certificate “iOS Distribution” found

[http://stackoverflow.com/questions/32821189/xcode-7-error-missing-ios-distribution-signing-identity-for]

  • Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
  • Double-click to install to Keychain.
  • Then, in the Keychain Access app, select View -> “Show Expired Certificates”.
  • It will list all the expired certificates.
  • Delete the “Apple Worldwide Developer Relations Certificate Authority” certificates from the “login” keychain,
  • and also delete them from the “System” keychain.

Apache Cordova Hide Status Bar

[DRAFT]

To remove the status bar in iOS 7, use the following entries in the plist file:

<key>UIStatusBarHidden</key>
<true/>
<key>UIViewControllerBasedStatusBarAppearance</key>
<false/>

In the target configuration in Xcode the following achieves the same:

set
Status bar is initially hidden = YES

add row: View controller-based status bar appearance = NO

Edit the .plist file for the iOS build by adding:

UIStatusBarHidden = true
UIViewControllerBasedStatusBarAppearance = false


First, we need to note that this only works on Cordova (v3.3.1 recommended) or another native UIWebView wrapper. If we use Cordova, we will need to install one plugin:

$ cordova plugin add org.apache.cordova.statusbar

Then, we will use Ionic’s Platform service to listen for the device ready event and remove the status bar:

angular.module('myApp', ['ionic'])
.controller('MyCtrl', function($scope, Platform) {
  Platform.ready(function() {
    // hide the status bar using the StatusBar plugin
    StatusBar.hide();
  });
});


My app.js

if (window.cordova && window.cordova.plugins.Keyboard) {
  cordova.plugins.Keyboard.hideKeyboardAccessoryBar(true);
  cordova.plugins.Keyboard.disableScroll(true);
}
if (window.StatusBar) {
  // org.apache.cordova.statusbar required
  StatusBar.hide();
  StatusBar.styleDefault();
}


For API level 19:

In addition to setting the fullscreen flag, I also had to add the following to hide the soft keys:

View decorView = getWindow().getDecorView();
// Hide both the navigation bar and the status bar.
// SYSTEM_UI_FLAG_FULLSCREEN is only available on Android 4.1 and higher, but as
// a general rule, you should design your app to hide the status bar whenever you
// hide the navigation bar.
int uiOptions = View.SYSTEM_UI_FLAG_HIDE_NAVIGATION
              | View.SYSTEM_UI_FLAG_FULLSCREEN;
decorView.setSystemUiVisibility(uiOptions);

https://developer.android.com/training/system-ui/navigation.html

You can also set sticky immersive mode as described here: https://developer.android.com/training/system-ui/immersive.html


This is how I do it – hides the title and makes it full screen:

// requesting to turn the title OFF
requestWindowFeature(Window.FEATURE_NO_TITLE);

// making it full screen
getWindow().setFlags(WindowManager.LayoutParams.FLAG_FULLSCREEN, WindowManager.LayoutParams.FLAG_FULLSCREEN);

I also have this in my AndroidManifest under Application:

android:theme="@android:style/Theme.NoTitleBar.Fullscreen"


References


http://stackoverflow.com/questions/21395416/cordova-how-do-you-hide-the-status-bar-on-the-splash-launch-screen

http://ionicframework.com/tutorials/fullscreen-apps/

https://forum.ionicframework.com/t/status-bar-not-hidden-in-spash-screen-in-android/38976

http://stackoverflow.com/questions/20678024/how-to-hide-navigation-bar-in-android-app-code/20680323#20680323

Raspberry Pi Chrome Kiosk Mode

The following steps might be helpful in setting up Kiosk Mode on Raspberry Pi.

Enable SSH

You can enable or disable the SSH server on your Raspberry Pi (it is enabled by default). This is done using raspi-config:

Select “Advanced Options”

and select “Enabled”

[https://www.raspberrypi.org/documentation/remote-access/ssh/]

Install Chrome Browser

Login remotely using ssh and execute the following commands:

wget http://ftp.us.debian.org/debian/pool/main/libg/libgcrypt11/libgcrypt11_1.5.0-5+deb7u3_armhf.deb

wget http://launchpadlibrarian.net/218525709/chromium-browser_45.0.2454.85-0ubuntu0.14.04.1.1097_armhf.deb

wget http://launchpadlibrarian.net/218525711/chromium-codecs-ffmpeg-extra_45.0.2454.85-0ubuntu0.14.04.1.1097_armhf.deb

sudo dpkg -i libgcrypt11_1.5.0-5+deb7u3_armhf.deb

sudo dpkg -i chromium-codecs-ffmpeg-extra_45.0.2454.85-0ubuntu0.14.04.1.1097_armhf.deb

sudo dpkg -i chromium-browser_45.0.2454.85-0ubuntu0.14.04.1.1097_armhf.deb

[http://conoroneill.net/running-the-latest-chromium-45-on-debian-jessie-on-your-raspberry-pi-2/]

Turn-on Kiosk Mode

[http://raspberrypi.stackexchange.com/questions/38515/auto-start-chromium-on-raspbian-jessie-11-2015]

Create a new .desktop file in ~/.config/autostart/, e.g.

sudo nano ~/.config/autostart/autoChromium.desktop

Then add the following:

Name[en_US]=AutoChromium
Name=AutoChromium
Comment=Start Chromium when GNOME starts

Set Static IP

[http://sizious.com/2015/08/28/setting-a-static-ip-on-raspberry-pi-on-raspbian-20150505/]

For setting a static IP for the Raspberry Pi 2 on the latest Raspbian release available at this time (20150505 through NOOBS v1.4.1), the old method of modifying the /etc/network/interfaces file isn’t as efficient as before. In fact, if you modify /etc/network/interfaces by setting eth0 to static instead of manual (the default setting), your Raspberry Pi will get two IP addresses for the same eth0 interface. This sucks.

The “faulty” one is the dhcpcd daemon, which is a DHCP client that seems to be run before the parsing of the /etc/network/interfaces file.

So you have 3 options there:

  1. Setting it like before in /etc/network/interfaces, then disabling the dhcpcd daemon with the sudo update-rc.d -f dhcpcd remove command (you can revert back with sudo update-rc.d dhcpcd defaults). But really, don’t do this;
  2. Add a static DHCP entry for your Raspberry Pi in your router/gateway configuration;
  3. Force the dhcpcd daemon to get the IP you like. It’s really the best solution for me.

To implement the last solution, just sudo nano /etc/dhcpcd.conf, then at the end of the file add the following:

# Custom static IP address for eth0.
interface eth0
static ip_address=192.168.0.200/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1

Of course, adjust the IP as you wish. The 192.168.0.1 IP address refers to my ISP router.

Update for Raspbian Jessie

Revision 2017-02

Autostart

/etc/xdg/lxsession/LXDE-pi/autostart

@lxpanel --profile LXDE-pi
@pcmanfm --desktop --profile LXDE-pi
#@xscreensaver -no-splash
@point-rpi

@xset s noblank
@xset s off
@xset -dpms

@/usr/bin/chromium-browser --noerrdialogs --disable-pinch --overscroll-history-navigation=0 --disable-session-crashed-bubble --disable-infobars --kiosk --no-first-run http://127.0.0.1:80/panel/zsStandardIndex.php

The same command run from a terminal, with the disk cache disabled:

pi@raspberrypi:~ $ /usr/bin/chromium-browser --noerrdialogs --disable-pinch --overscroll-history-navigation=0 --disk-cache-dir=/dev/null --disable-session-crashed-bubble --disable-infobars --kiosk --no-first-run http://127.0.0.1:80/panel/www/zsStandardIndex.php


SAML and WS-Security Resources


Ref:

  1. http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html
  2. http://crishantha.com/wp/?p=1223 (The Web Services Trust Model (WS-Trust))
  3. https://msdn.microsoft.com/en-us/library/bb498017.aspx (Understanding WS-Federation)
  4. https://en.wikipedia.org/wiki/WS-Trust (WS-Trust)
  5. http://www.ploug.org.pl/seminarium/seminarium_XIII/pliki/problematyka_bezpieczenstwa_slajdy.pdf (Problematyka bezpieczeństwa usług Web Services)
  6. https://msdn.microsoft.com/en-us/library/ms730908.aspx (WS-Federation)
  7. http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html (WS-SecureConversation 1.3)
  8. https://en.wikipedia.org/wiki/X.509 (x.509)
  9. https://msdn.microsoft.com/en-us/library/ff650503.aspx (Brokered Authentication: Security Token Service (STS))
  10. https://msdn.microsoft.com/en-us/library/aa528862.aspx (Establishing a Secure Conversation)
  11. https://msdn.microsoft.com/en-us/library/windows/desktop/ee652302%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396 (Security Token Service Endpoint)
  12. https://blogs.oracle.com/enterprisetechtips/entry/security_token_service_and_identity (Security Token Service and Identity Delegation with Metro)
  13. https://docs.oracle.com/cd/E21455_01/common/tutorials/authz_saml_assertion.html (SAML Authorization Assertion)
  14. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss (OASIS Web Services Security (WSS) TC)
  15. http://owulff.blogspot.com/2012/02/saml-tokens-and-ws-trust-security-token.html (SAML tokens and WS-Trust Security Token Service (STS))
  16. https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language (SAML)
  17. https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf (Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 – Errata Composite)
  18. https://docs.oracle.com/cd/E28280_01/dev.1111/e15866/ws_policy.htm#OSBDV1599 (Using WS-Policy in Oracle Service Bus Proxy and Business Services)
  19. https://msdn.microsoft.com/en-us/library/aa480582.aspx (Implementing Transport and Message Layer Security)
  20. http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064962 (WS-Trust)
  21. http://saml.xml.org/saml-specifications (SAML)
  22. https://docs.oracle.com/cd/E19159-01/820-1072/ahidd/index.html (SAML Holder of Key relaying party confirmation method)
  23. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf
  24. http://stackoverflow.com/questions/1132111/saml-assertion-with-username-password-what-do-the-messages-really-look-like (SAML assertion with username/password – what do the messages really look like?)
  25. https://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf (SAML 2.0)
  26. https://wiki.oasis-open.org/security/FrontPage#SAML_V2.0_Standard (SAML 2.0)
  27. https://docs.jboss.org/author/display/JBWS/SAML+Holder-Of-Key+Assertion+Scenario?_sscc=t (SAML Holder-Of-Key Assertion Scenario)
  28. https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf (SAML Token Profile 1.1)

How to Change App Title Bar Colors in Windows 10

Article from [http://windows.wonderhowto.com/how-to/change-app-title-bar-colors-windows-10-0163059/]

Step 1: Copy ‘Aero’ Folder

Start by navigating to C:\Windows\Resources\Themes, then copy and paste the “aero” folder to the same directory. Note that you’ll see a dialog box stating that you need proper access to copy over the MSS files. When you see this, select “Do this for all current items” and choose the Skip option.

Once the pasting is complete, you’ll be left with a new folder called “aero – Copy.”


Step 2: Rename Folder & Files

Now rename the “aero – Copy” folder to “windows,” then rename the “aero.msstyles” file to “windows.msstyles.”


Now jump inside the “en-US” folder and rename the “aero.msstyles.mui” file to “windows.msstyles.mui.”


Step 3: Edit Theme File

Now go back to the main Themes folder (the folder we started with) and copy the “aero.theme” file to your Desktop, then rename it to “windows.theme” and open it with Notepad.


In Notepad, scroll down to the “VisualStyles” section, then replace this entry:

Path=%ResourceDir%\Themes\Aero\Aero.msstyles

With this:

Path=%ResourceDir%\Themes\windows\windows.msstyles


Now save and exit Notepad.

Step 4: Rejoice in the Glory of Colored Titlebars

The last thing to do is double-click the “windows.theme” file on your Desktop and watch the magic happen.


And that’s it. The color that shows will be whichever you set in the Personalization settings.

Problem with cross-site Ajax calls and PHP

Setup

The following example demonstrates an Ajax call made to a weather service.

As long as the call goes directly to the service at http://api.openweathermap.org/data/2.5/weather?lat=35&lon=139l, the Ajax request returns success.

Sample Ajax request is presented below:


var jqxhr = $.ajax({
    url: "http://api.openweathermap.org/data/2.5/weather?lat=35&lon=139l",
    //url: "http://www.jaskierny.com/playground/json/testJSON.php",
    crossDomain: true,
    dataType: "json"
})
.done(function (data) {
    alert("Success");
    var elements = data.weather;

    $.each(elements, function (index, element) {
        alert(element.main);
    });
})
.fail(function (jqXHR, textStatus) {
    // jQuery passes the failure reason as textStatus ("timeout", "abort", "parsererror", ...)
    alert("Error");

    if (jqXHR.status === 0) {
        alert('Not connect.\n Verify Network.');
    } else if (jqXHR.status == 404) {
        alert('Requested page not found. [404]');
    } else if (jqXHR.status == 500) {
        alert('Internal Server Error [500].');
    } else if (textStatus === 'parsererror') {
        alert('Requested JSON parse failed.');
    } else if (textStatus === 'timeout') {
        alert('Time out error.');
    } else if (textStatus === 'abort') {
        alert('Ajax request aborted.');
    } else {
        alert('Uncaught Error.\n' + jqXHR.responseText);
    }
});

 

Problem

The problem occurred when I created a PHP page wrapping the original Ajax call; my Ajax call responded with an error, although both requests, from the original site and from my PHP page, responded with identical content:

Original site: http://api.openweathermap.org/data/2.5/weather?lat=35&lon=139l

New PHP page: http://www.jaskierny.com/playground/json/testJSON.php

Here is the source code of my PHP page:

 

<?php
$jsonContent = file_get_contents("http://api.openweathermap.org/data/2.5/weather?lat=35&lon=139");
$jsonContent = str_replace("\n", "", $jsonContent);
header('Content-Type: application/json');
echo stripslashes($jsonContent);
?>

 

Solution

The problem was related to the access control mechanism for cross-site HTTP requests (CORS). It was solved by adding the Access-Control-Allow-Origin header, the third line in the code below:

 

<?php
$jsonContent = file_get_contents("http://api.openweathermap.org/data/2.5/weather?lat=35&lon=139");
$jsonContent = str_replace("\n", "", $jsonContent);
header("Access-Control-Allow-Origin: *");
header('Content-Type: application/json');
echo stripslashes($jsonContent);
?>
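The wildcard is acceptable here because the weather data is public and the proxy needs no cookies or credentials. The following example, added here and written in Python rather than the page's PHP, with constructed origin and policy values, shows how the same decision is made when that is not the case: the response echoes an allow-listed Origin exactly (with Vary: Origin so caches do not serve one origin's answer to another), never combines `*` with credentials, and answers preflight requests only with what the policy permits.

```python
from urllib.parse import urlsplit

# Constructed policy: the origins whose pages may read this proxy's responses from a browser.
ALLOWED_ORIGINS = {"https://www.jaskierny.com", "https://app.example.test"}
ALLOWED_METHODS = ("GET", "OPTIONS")
ALLOWED_REQUEST_HEADERS = ("Content-Type",)


def origin_allowed(origin: str) -> bool:
    """Exact match on scheme://host[:port]; no prefix, suffix or regex matching, which is
    where allow-lists usually go wrong (a longer host name that merely starts with an
    allowed one must not pass)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc or parts.path:
        return False
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def cors_headers(method: str, headers: dict, public: bool = False, with_credentials: bool = False) -> dict:
    """Return the CORS response headers to add (an empty dict means: add none).
    public: the response is public data, so any origin may read it (the page's case).
    with_credentials: the proxy relies on cookies or HTTP auth, so '*' is never used."""
    origin = headers.get("Origin")
    if origin is None:
        return {}  # not a cross-origin browser request; nothing to add
    if public and not with_credentials:
        out = {"Access-Control-Allow-Origin": "*"}
    elif origin_allowed(origin):
        # Echo the specific origin and tell shared caches the answer depends on it.
        out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if with_credentials:
            out["Access-Control-Allow-Credentials"] = "true"
    else:
        return {}  # the server still answers, but the browser will not let the page read it
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight: advertise only what the policy permits, and let the browser cache it.
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_REQUEST_HEADERS)
        out["Access-Control-Max-Age"] = "600"
    return out
```

Called from the PHP proxy's logic, `cors_headers(method, request_headers)` would run before any `header()` call; a request with no Origin header (a server-to-server fetch or a same-origin page) gets no CORS headers at all, and an Origin outside the list gets none either, which is how the browser is told to withhold the response from that page.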

 

Additional resources

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

C# Singleton Application

There are several options that can be used to create a singleton application.

Option 1.

 


using System.Diagnostics;
using System.Reflection;

/// <summary>
/// Supporting function for "singleton" functionality: returns the other running
/// instance of this executable, or null when this is the only one.
/// </summary>
/// <returns>The other Process instance, or null.</returns>
public static Process RunningInstance()
{
    Process current = Process.GetCurrentProcess();
    Process[] processes = Process.GetProcessesByName(current.ProcessName);

    // Loop through the running processes with the same name
    foreach (Process process in processes)
    {
        // Ignore the current process
        if (process.Id != current.Id)
        {
            // Make sure that the other process is running from the same exe file;
            // a same-named process started from a different path is not our instance.
            // (Reading MainModule of a process with higher privileges throws a
            // Win32Exception, so callers should be prepared to catch it.)
            if (Assembly.GetExecutingAssembly().Location.Replace("/", "\\") == process.MainModule.FileName)
            {
                // Return the other process instance.
                return process;
            }
        }
    }

    // No other instance was found, return null.
    return null;
}

 

Application code (in constructor of the main form):


// Singleton verification – exit if application is already started
// (util, DownloadWebPage and log are application-specific helpers not shown here)
if (RunningInstance() != null)
{
    string singletonRedirectUrl = util.GetAppSetting("singletonRedirectUrl", "0");
    string redirectPage = DownloadWebPage(singletonRedirectUrl);

    //MessageBox.Show("redirected");

    log.Info("Duplicate instance detected. Exiting application.");

    System.Environment.Exit(1);
}

 

Option 2.

This sample is based on:

http://blog.billsdon.com/2011/10/c-sharp-check-if-application-is-already-running-then-set-focus/

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

/// -------------------------------------------------------------------------------------------------
/// <summary> Application Running Helper. </summary>
/// -------------------------------------------------------------------------------------------------
public static class ApplicationRunningHelper
{
    [DllImport("user32.dll")]
    private static extern bool SetForegroundWindow(IntPtr hWnd);

    [DllImport("user32.dll")]
    private static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);

    [DllImport("user32.dll")]
    private static extern bool IsIconic(IntPtr hWnd);

    /// -------------------------------------------------------------------------------------------------
    /// <summary> Check if the current process is already running. If it is, set focus to the existing
    ///           process and return <see langword="true"/>; otherwise return <see langword="false"/>. </summary>
    /// <returns> <see langword="true"/> if it succeeds, <see langword="false"/> if it fails. </returns>
    /// -------------------------------------------------------------------------------------------------
    public static bool AlreadyRunning()
    {
        /*
        const int SW_HIDE = 0;
        const int SW_SHOWNORMAL = 1;
        const int SW_SHOWMINIMIZED = 2;
        const int SW_SHOWMAXIMIZED = 3;
        const int SW_SHOWNOACTIVATE = 4;
        const int SW_RESTORE = 9;
        const int SW_SHOWDEFAULT = 10;
        */
        const int swRestore = 9;

        var me = Process.GetCurrentProcess();
        var arrProcesses = Process.GetProcessesByName(me.ProcessName);

        if (arrProcesses.Length > 1)
        {
            for (var i = 0; i < arrProcesses.Length; i++)
            {
                if (arrProcesses[i].Id != me.Id)
                {
                    // get the window handle
                    IntPtr hWnd = arrProcesses[i].MainWindowHandle;

                    // if iconic, we need to restore the window
                    if (IsIconic(hWnd))
                    {
                        ShowWindowAsync(hWnd, swRestore);
                    }

                    // bring it to the foreground
                    SetForegroundWindow(hWnd);
                    break;
                }
            }
            return true;
        }

        return false;
    }
}