I used to host my code in Google’s subversion. It was good, but I needed more. The built-in wiki was too restrictive, and I wanted to track usage and downloads.
So I signed up with DreamHost. They have shell access, lots of disk space, subversion already up and running, and one-click installs of Gallery and WordPress. My experience with their support has also been very good!
I was playing around with SSPI, the Security Support Provider Interface. I stumbled across a behavior that I cannot explain: you cannot call LoadLibrary when you are impersonating.
If you check your program with SysInternals (now Microsoft’s) Process Monitor, you’ll find an error saying “Bad Impersonation”.
LoadLibrary returns NULL and a call to GetLastError() says “Either a required impersonation level was not provided, or the provided impersonation level is invalid”.
If you just specify a filename, LoadLibrary will look in the current directory only. If you supply a full path to the DLL, LoadLibrary will find it, but the CreateFile will fail with Bad Impersonation.
I am still baffled by this behavior. I will keep looking into it. Meanwhile, here is a simple program that reproduces the problem.
BadImpersonation.cpp
You can get the full project using anonymous subversion:
svn co http://src.paralint.com/spikes/badimpersonation BadImpersonation
Good luck!
I use Apache Forrest to generate what will someday be the homepage of paralint.com. I use “forrest run” most of the time, and “forrest site”, “forrest clean” every now and then.
I wrote a little batch file that launches forrest in a new window when the “run” option is used, and in the same window when any other option is used. Here it is:
@echo off
rem "forrest run" keeps the server in the foreground, so give it its own window
if "%1"=="run" goto NEWWINDOW
rem any other option (site, clean, ...) runs here and returns when done
call "%FORREST_HOME%\bin\forrest.bat" %*
goto END
:NEWWINDOW
start "Forrest" cmd /C "%FORREST_HOME%\bin\forrest.bat" %*
:END
You can also add a /T:2F switch to make the window white on green. I often have quite a few console windows running, and separating them by color reminds me which one is which!
I followed advice from my father and learned how to type back in high school. Using a typewriter, in case you wonder. The first time I had to type something, I forced myself to “do it right”, even though hunt and peck was faster. I now type quite fast, and I can type while looking at somebody. Might not qualify as listening, though…
Came across vi later. I found a quick reference, kept it on my desk and forced myself to learn and use the keys, even though it took me a while to get it. Now, vim is my editor of choice.
What does Google have to do with all this? I was browsing their lab, and found they added keyboard navigation to their search results. And they used vi syntax! Now I only need to make that setting permanent…
I use Apache’s Forrest tool, which internally uses the Jetty engine. I wanted to make Jetty listen on 127.0.0.1 instead of 0.0.0.0, so my computer wouldn’t show up in an enterprise port scan.
I had trouble finding the information. I went looking for the link again without any success. So I am posting it here, where I will always be able to find it!
Update 2008-01-25: You must add this XML to the file $FORREST_HOME/main/webapp/jettyconf.xml
<Call name="addListener">
<Arg>
<New class="org.mortbay.http.SocketListener"> <!-- Add this next line -->
<Set name="Host"><SystemProperty name="jetty.host" default="localhost"/></Set>
<Set name="Port"><SystemProperty name="jetty.port" default="8888"/></Set>
<Set name="MinThreads">5</Set>
<Set name="MaxThreads">100</Set>
<Set name="MaxIdleTimeMs">30000</Set>
<Set name="LowResourcePersistTimeMs">5000</Set>
</New>
</Arg>
</Call>
You know it’s working when you see this in the Forrest window:
21:05:11.864 EVENT Apache Cocoon 2.2.0-dev is up and ready.
21:05:11.864 EVENT Started SocketListener on 127.0.0.1:8888
21:05:11.864 EVENT Started org.mortbay.jetty.Server@df8f5e
In light of the election results, but also of the election campaign in general, I am still reflecting on the future of Quebec and on the basis of my sovereignist convictions. The sovereignty project of the MSA of ’68 or the PQ of ’76 no longer applies as-is today, 30 or 40 years later. Quebec has changed too much. We now speak of the children of Bill 101 and of Québec inc.
The ADQ proposes a Quebec constitution. Fine, but will it be adopted without an election or a referendum? None of this makes any sense, whatever one’s political allegiance.
If you are asking yourself the same questions, I suggest this column by Lysiane Gagnon. It illustrates the Quebec duality well.
All that remains is to answer the question: “What does Quebec want?”
Tuesday, January 16, 2007
Don’t you just love man-in-the-middle (MITM) HTTPS proxies? I use Burp proxy a lot; it does man-in-the-middle and gzip.
But I have an assignment where the client configuration cannot be changed. The client rejects certificates from a non-trusted CA and I cannot add Portswigger’s certificate to the trusted roots. I went looking for an open source HTTPS MITM proxy, hoping I could recompile it to use a trusted certificate that I have in hand.
Paros proxy fits the bill. Here is how you can replace Paros proxy’s man-in-the-middle certificate with your own using keytool, openssl, and jar.
(Continued)
Wednesday, September 27, 2006
I read Benoit Piette’s presentation on web services. Very good, but I have reservations about everything UDDI. Not that the technology is badly explained; it’s just that I usually sum up UDDI as a “technology waiting for a problem”. Here is my reasoning.
WSDL is not “semantic”, least of all for a program that will read it. In other words, you already have to know what you are looking for in order to find it. You need a client implementation already in place. You can generate a client on the fly from the WSDL, but how do you know in which order to call the operations, or what to pass as parameters? So if you have a client, you probably already have the WSDL. As a source of unknown WSDLs, then, forget UDDI.
Could UDDI then serve to find different implementations of a service? Yes, but that can only work under two conditions that are almost never met together.
- The implementation must be standardized
- The service must be free
Let’s say point 1 will happen someday, starting with specialized domains subject to international (industry) regulation, such as airline ticket booking. Hence the “waiting” in my UDDI summary.
Point 2 is where it all falls apart. If the service is not free, there will be a contractual agreement between the parties before the first SOAP call. Whether that agreement takes the form of a written contract, an e-mail, or even a subscription web service, there is no getting around it: there is a “contractual” step. The WSDL (and the endpoint) will be handed over when the contract is established. Why go back to UDDI to be told what I already know? The service moved? 302 Moved.
UDDI may someday be the solution to the problem it is looking for/inventing (I call that the “consultant” solution). A standard for establishing a contract with a service is the stumbling block for a dynamic distributed model in which UDDI would have a role to play. In that model, the client looks for contract providers (the service could be its own contract provider), a contract is established, and the service is called. Standards like WS-Trust could play a role in such a scenario.
I was looking for free subversion hosting. I had just set up an empty project at opensvn.csie.org when I heard the news: Google is now hosting open source projects. So I added a few hobby projects I have going.
I was looking for a table that showed how client authentication, server authentication and the impersonate flag work together. I found many good examples and tutorials explaining how to make any combination work, but not a quick reference table.
So I made one. I tested on a Windows Server 2003 with ASP.NET version 2.0. I used wfetch as the client to be sure of what was going on. Not every configuration makes sense in real life, but I included them all for completeness. HTH!
| Client sends creds | Server requires creds | Impersonate | Result |
|---|---|---|---|
| don’t care | No | False | NETWORK_SERVICE |
| No | Yes | don’t care | 401 Unauthorized |
| Yes | Yes | False | NETWORK_SERVICE |
| don’t care | No | True | IUSR_MACHINENAME |
| Yes | Yes | True | Domain\User |
PS: Actually, NETWORK_SERVICE here is the account the application pool is running under.