July 25, 2007
I’ve seen a million .NET web service client examples that don’t implement security. Here’s one that does. It’s a simple snippet on digest authentication. It’s really simple, and I wish more people would default to using it.
Using digest authentication means the actual values will not be sent for the username and password. Instead the username and password are encrypted using an algorithm (like MD5) and a hash of the two is sent over the wire. Nifty huh?
The first thing you need to do is modify your WSE3 policy configuration file. The policy for your web service (in this example mine is MyWebServicePolicy) needs two entries: 1) usernameOverTransportSecurity and 2) requireActionHeader. Your file should look something like this…
<extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
Next you need to add three lines of code to digest and send the username & password…
// Creates the username/password digest token
UsernameToken userToken = new UsernameToken("exampleUserName", "examplePassword", PasswordOption.SendHashed);
// Creates web service credentials using the token
CredentialSet credentials = new Microsoft.Web.Services3.Security.CredentialSet(userToken);
// Assigns the username/password to the web services proxy
myWebServiceProxy should be the variable for the stub that .NET’s WSE 3 automatically created for your web service. …I think you need to use WSE3 (Web Service Enhancements v3) for this to work properly.
I think digest authentication is the beez-knees, and stupid easy…I’m left wondering why I didn’t always use this technology? …Oh, and while researching this code I ran into a really cool snippet. Some guy (Peter Bromberg) created a nice little example on how to implement digest authentication in ASP.NET. Click here for Pete’s article…
July 24, 2007
Why would you ever want to bypass certificate verification? …Well, maybe if you’re testing a web service that’s under development and you don’t own a valid certificate yet, like me.
It took a while to figure this out. I was convinced it would be something simple, and it was…
The code below implements a custom certificate validation method that does nothing. You could customize the TrustAllCertificatesCallback method to execute your own meaningful validation; my example simply validates every request. Notice my nifty TODO comment? I wrote this as a temporary fix and I was a little paranoid I’d forget to take this line out.
I’ve only tested this with WSE3 (Microsoft Web Service Enhancements v3) on the client side talking to a Java implementation of Axis2 on the server side. …But this should work with WSE3/.Net on whatever.
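using System.Net; using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
static class Program
{
    /// The main entry point for the application.
    static void Main()
    {
        // TODO: REMOVE THIS LINE BEFORE GOING INTO PRODUCTION!!!
        ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
    }
    public static bool TrustAllCertificatesCallback(object sender,
        X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    { return true; } // accepts every certificate, whatever errors were reported
}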
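A narrower take on "your own meaningful validation", as an added example that is not the author's code: the callback accepts a certificate that fails normal validation only when its thumbprint matches one pinned development certificate, and it is installed only in DEBUG builds, so a forgotten TODO cannot reach production. The class name and the thumbprint placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class DevCertificatePolicy   // hypothetical helper name
{
    // Placeholder: SHA-1 thumbprint (hex) of the one development certificate to tolerate.
    const string PinnedDevThumbprint = "<THUMBPRINT-OF-YOUR-DEV-CERT>";

    // Call once at start-up, in place of the trust-all assignment.
    public static void Install()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback = Validate;
#endif
        // Release builds never register the callback and keep default validation.
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that passes normal validation is accepted as usual.
        if (errors == SslPolicyErrors.None)
            return true;
        if (cert == null)
            return false;

        // Otherwise tolerate only the pinned development certificate.
        string thumbprint = cert.GetCertHashString();   // hex string of the SHA-1 hash
        bool pinned = string.Equals(thumbprint, PinnedDevThumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine("Rejected certificate {0}: {1}", cert.Subject, errors);
        return pinned;
    }
}
```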
June 5, 2007
So, the other day I opened my laptop bag and whipped it out only to realize that my laptop had been left on, again, and was now totally hot and mostly drained.
I’m the proud owner of a newer Vista laptop (a tricked out Lenovo T60p). I get 3 hours and 30 minutes out of every charge running at High Performance (instead of that limited Power Saver mode most people use). …And yet somehow I only get to enjoy 2 hours of that because I leave the laptop on in my bag for the majority of the day. I know I just have to hit that sleep button but I have thousands of other things on my mind. That’s when I realized something had to be done. This needed to be automated. I sat down and started coding. A few hours later I ran BedTime for the first time.
BedTime, the program I wrote, monitors the laptop accelerometer. Accelerometers are commonly used to automatically shut down the hard drive when a laptop moves suddenly. They’re very precise and easy to work with thanks to some great DLL APIs. The DLL reports the pitch, roll and hard drive status. My program monitors this data and automatically triggers sleep mode when it suspects the laptop is being moved, and not being used. …Like when I leave my laptop in my bag and walk around for a few hours.
It works EXACTLY how I wanted it to. Now I can forget the Sleep button forever, my laptop will automatically go to sleep for me. There is a 10MB overhead (caused by some .NET 2.0 overhead I should get rid of) but I have 3GB, and I think most owners of new laptops boast about the same amount of memory, so this shouldn’t be a problem.
I already know this program will only run on newer laptops because older systems don’t have accelerometers. …That’s part of why their hard drives blow up. (…That reminds me; if you own an older system please back up regularly. I’ve been there before, with a crashed drive, just once. It never happened again because it was horrible and now I do my best to warn others. PS: If you buy a new laptop with an accelerometer Vista makes backups a cinch. …And yes, Bill made me say that, but Gates rocks and I would never leave Vista for XP, a filthy penguin or some fruity OS).
I’m currently testing this application on a daily basis and working on a patent for the concept and copyright for the code. I hope to be looking for beta users soon, so please let me know if you have a newer laptop with an accelerometer (like a Lenovo, Apple, etc.) and are interested. Even if you have an off-brand you have an accelerometer if your laptop advertises having an “Airbag” or “Active Protection System” for hard drive.
Here’s some screenshots…
This dialog appears when you double-click the BedTime icon…
This is the Settings dialog. It allows the user to configure the amount of movement to allow, etc…
This is the dialog that appears before the laptop automatically goes to sleep…
…Of course, all laptops have those settings to automatically launch Sleep mode after a specific amount of time with no user activity. My problem with that feature had always been that if I set the feature for 15 minutes it would launch while I was distracted and become annoying. I’m still using that feature now in tandem with BedTime. I have it set to 30 minutes. I use that more like a failsafe.
My laptop, and many others, also support automatically launching Sleep mode when the laptop lid closes. I disabled that because I close the lid when I move from one seat to the next, e.g. when I’m going from the office desk to the kitchen counter. I didn’t *always* want it to go to sleep. Now BedTime automatically launches in those situations and I have a chance to abort Sleep mode by the time I get to my destination.
Future versions of BedTime will likely only operate when the lid is closed, or at least support that option. Now that I’ve been paying attention to how I move my laptop I realize it’s usually closed when I want BedTime to go into effect. …BedTime does this perfectly, but it also triggers sometimes when I pick up the laptop, or move it to plug in devices, insert a DVD, etc.
What do you think of the idea and design? I was going for a sexy-but-all-business look. This interface was probably inspired by the way Vista launches the security authorization dialogs. I think it deserves the whole screen because it is only on your screen just before it puts your laptop to bed (Sleep mode). And, if you can see it you probably want to hit abort. It runs as an “Always-on-top” Windows Form so it blocks the user from interacting with anything else. …How do you feel about that? But if BedTime is on your screen you want to click Abort and get rid of it, not hide it. Pressing Alt+F4, Escape, Alt+A, Enter or clicking on the button will all abort Sleep mode. …Do you think it would be overkill to abort on any keystroke? …So far, based on my user experience, I think that makes sense.
Well, I think this little project will be a work-in-process for more than a minute. The idea is a little ahead of its time since most laptops don’t have the required hardware. …But that WILL change. Every new laptop will have more and more accelerometers. That is happening as we speak because they are proving to be more and more useful (my program for example).
I think other factors will also increase their popularity (and lower their price by increasing manufacturing volumes). ….Did you know most new digital cameras have one, even the new iPhone has one! That’s why the iPhone can change the display from landscape to portrait when the user rotates the phone. …Why don’t ALL Windows Mobile phones have them? …? …? Bill?
Well who knows what will happen. Either way this was fun to write and has improved my battery life and user experience. Here’s a video of me using the software…
Hack the Planet,
May 23, 2007
Did you know every Windows Mobile Smartphone has a dynamic public IP address? I was reading the other day about how we’re quickly running out of IP addresses. What I read again and again claimed cell phones in Europe and Asia had a lot to do with this. I wasn’t really worried about this because the new IP standard, IPv6, gives us plenty of new numbers. But this got me curious and a quick Google later I realized something I should have already known. Smartphones have public IP addresses. Checking my Q I realized the IP address was public and dynamic. I would have preferred a static number, but I still thought that was fantastic.
Just in case you don’t know about IP addresses I’ll give you a quick primer. IP addresses are like phone numbers on the most common kind of computer networks. Some numbers are private; those can’t be accessed from any PCs that aren’t on the same private network (typically this is how computers are networked at home and in the office). Having a private IP address is nice because people can’t access your PC. In an all too familiar twist, that’s also why they’re lousy. Sometimes you might want to give someone your IP address, just like you randomly might want to give someone your phone number.
So, there are two kinds of public IP addresses: dynamic and static. The dynamic kind change seemingly at random, the static ones never change. Cell phones use the dynamic kind. That’s a little lame because if you give someone your IP address (think phone number) your number might change before they use it. Well, geeks already thought about this a long time ago. They wrote software that updates DNS servers whenever your number changes. DNS servers are the magic boxes that map all the URLs like www.google.com to IP addresses. Today there are plenty of sites like www.DynDNS.org that map your dynamic public IP address to a domain name for free.
In other words, http://yourphone.dyndns.org could point to your phone. You could simply give anyone that URL and they could access anything you wanted to expose from your phone. For a guy like me, who uses his phone like an iPod, this is nice. This means I can just tell people to hit my URL whenever they want to download a song I have. …Is this illegal? I hope not, I pay for my music on URGE. …Let’s just say this is hypothetical to be safe.
Another nifty feature is that people browsing the site running on my Smartphone could see photos instantly the moment I took them with my phone’s camera. My blog could also be served up directly from my phone with new posts the moment inspiration struck. All sorts of other nifty things like that.
…The only down side is that I have a CDMA phone that doesn’t support phone and internet access at the same time — My phone goes to voicemail while I’m online. GSM phones don’t have this problem. Maybe I’ll end up with one of those.
So, I think I’m way ahead of the curve here. But I want to help push it along. There wasn’t an easy way to use DynDNS from my Smartphone, so I wrote this program. It maps your Smartphone’s IP directly to a URL (like http://myphone.com) quickly and painlessly. It’ll be posted here eventually; I also wrote a small web server for Smartphones and I want to release them at the same time. Here are some screenshots (with fake numbers). You’ll have to excuse my language. This won’t be the release version’s title. A few problems had me cursing at the program while I was coding it, and one of those names just stuck.