Kerberos is a single sign-on solution. AFAICT, it is the only one that solves the problem completely: you confirm that you are who you say you are, and the remote side confirms that it is who you think it is. It doesn't work over the public internet only because most corporate firewalls block the ports it needs. So we want to be able to do Kerberos, or its equivalent, from the browser.
Author Archives: Adam Young
REST and PKI
The Dogtag PKI project is a long lived project. It is a Java Web Server based application that predates many of the technologies that now are standards of Java Web development. One requirement that has changed over time is how to access the server remotely.
Git and SVN for PKI
I’ve been working with the PKI/Dogtag code for a while. Over the past couple years, I’ve been more and more comfortable with Git. PKI uses SVN as a centralized Repository. Since Git SVN integration is fairly mature, I’ve been using that to manage my coding. On Monday, I gave a presentation to my team on Git SVN. I’ve taken the outline from the slides and included it here.
patchprep
I posted before about how I get a patch ready for code review. Since I now also work on the Dogtag PKI project, I've extended the script to include configuration information from the project's .git/config.
Java Web Applications in Fedora
Fedora and Debian play the role where many chaotic projects get a degree of charm school: they learn to play nice with a lot of other projects. In Fedora, as near as I can tell, there is only one Java based web application packaged as part of the distribution: Dogtag, the Public Key Infrastructure server. As we look at how PKI should look in the future, the dearth of comparable applications packaged for Fedora leaves us with the opportunity for defining a logical and simple standard packaging scheme. While I am not there yet, this post is the start of my attempts to organize my thoughts on the subject. I'm looking for input.
add_todo
I forget things. A lot. I need a to do list tracker that works with me. So I wrote one. I, being me, used the technologies I use the most to make this happen: bash and git.
JSS Sockets and HttpClient
The Java bindings for the Network Security Services (NSS) library are called JSS. NSS provides a key management scheme that is different enough from both standard Java and OpenSSL that trying to do standard Java Socket operations using the Apache HttpClient requires a little bit of extra work.
Group Delegation in Unix
One thing that is missing in traditional Unix systems is the ability to let a non root user manage group membership. Unix was built around several simple concepts. One of those was: everything is a file. Using this principle, we can specify how group delegation would have worked.
Talking to Dogtag PKI via curl
As I dig deeper into the Dogtag code, I find I want to be able to talk to the web server from the command line the same way I did for IPA work. Since Dogtag is certificate based, and the version of curl included in Fedora has NSS built in, I used the NSS/Certificate approach.
Finding Java Classes
I’m back on a Java project. Been a while, and I want to capture some of the tricks I’m using.
Right now, I’m just trying to import the project into eclipse. Seems that the current team members don’t use it. I’m an IDE kind of guy, at least when it comes to Java.
Building the .classpath file can be tricky. However, since I know that I have a good build, and that this project is a good participant in the Fedora build process, I have the advantage of knowing that my packages reside in /usr/share/java. Still, all eclipse gives me is a set of classes that it can't find. How do I find them?
This project uses CMake. I could look for all of the Jar files in the CMakeLists.txt files, and I might do that in the future. However, a trick I’ve developed in the past has come in handy.
# Turn a dotted class name into the path form used inside a jar
class2path(){
    echo "$1" | sed 's!\.!/!g'
}
JDIR=/usr/share/java
# Write one "<jar> <class file>" line per class found in every jar under $JDIR
make_alljars(){
    for JAR in `find "$JDIR" -name '*.jar' -type f`
    do for CLASS in `jar -tf "$JAR" | grep '\.class$'`
        do echo "$JAR" "$CLASS"
        done
    done > /tmp/alljars.txt
}
First, the make_alljars function creates a map in (value key) order. The value is the Jar file name, and the key is the class name. To find a Jar file that contains a given class (in this example netscape.ldap.LDAPConnection), run:
grep `class2path netscape.ldap.LDAPConnection` /tmp/alljars.txt
And the output is
/usr/share/java/ldapjdk.jar netscape/ldap/LDAPConnection$ResponseControls.class
/usr/share/java/ldapjdk.jar netscape/ldap/LDAPConnection.class
This works really well with eclipse, in that the error messages have the name of the class. You can then just highlight the class name, paste it into the command line in place of the class I have above, and when you get the Jar file name, you can highlight it to save it to the clipboard. From the right-click context menu pick Java Build Path, then Add External Archive, and paste the whole path in.
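The same class-to-jar lookup, as an added example that is not part of the original post: it reads the jars directly with Python's zipfile module instead of shelling out to jar and grep, distinguishes an exact class hit from inner classes such as LDAPConnection$ResponseControls (which the grep above matches as well), and reports classes that appear in more than one jar, since the first copy on the classpath silently wins. The jar directory and its two jars are constructed in a temp directory for the run; only the entry names matter, so the entries are empty.

```python
import os
import tempfile
import zipfile
from collections import defaultdict


def class_to_entry(class_name):
    """Map a dotted Java class name to the entry path used inside a jar.
    Same idea as the class2path shell function, plus the .class suffix."""
    return class_name.replace(".", "/") + ".class"


def build_index(jar_dir):
    """Walk jar_dir, open every .jar with zipfile (no 'jar' binary needed)
    and return {entry path: [jar paths that contain it]}."""
    index = defaultdict(list)
    for root, _dirs, files in os.walk(jar_dir):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            jar_path = os.path.join(root, name)
            with zipfile.ZipFile(jar_path) as jar:
                for entry in jar.namelist():
                    if entry.endswith(".class"):
                        index[entry].append(jar_path)
    return index


def find_jars(index, class_name, include_inner=False):
    """Return the jars that provide class_name. With include_inner=True the
    inner classes (Foo$Bar) are matched too, as the grep on the page does."""
    entry = class_to_entry(class_name)
    hits = list(index.get(entry, []))
    if include_inner:
        prefix = entry[:-len(".class")] + "$"
        for other, jars in index.items():
            if other.startswith(prefix):
                hits.extend(j for j in jars if j not in hits)
    return hits


def duplicated_classes(index):
    """Classes present in more than one jar: the first one on the classpath
    wins, so these deserve a look when a build picks up a stale copy."""
    return {e: jars for e, jars in index.items() if len(jars) > 1}


def make_sample_jar_dir():
    """Constructed sample data (assumed, not from the post): a temp dir with
    two jars, one mimicking the ldapjdk.jar example and one stale copy."""
    tmp = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(tmp, "ldapjdk.jar"), "w") as jar:
        jar.writestr("netscape/ldap/LDAPConnection.class", b"")
        jar.writestr("netscape/ldap/LDAPConnection$ResponseControls.class", b"")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(tmp, "old-ldap.jar"), "w") as jar:
        jar.writestr("netscape/ldap/LDAPConnection.class", b"")
    return tmp


if __name__ == "__main__":
    jar_dir = make_sample_jar_dir()
    idx = build_index(jar_dir)
    for jar in find_jars(idx, "netscape.ldap.LDAPConnection", include_inner=True):
        print(jar)
    for entry, jars in duplicated_classes(idx).items():
        print("duplicate:", entry, "->", ", ".join(jars))
```

Point build_index at /usr/share/java (or any directory of jars) to get the same answer the grep gives, with the benefit that duplicated_classes shows at a glance where two packages ship the same class and which copy eclipse or the build will actually load.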