Using Pending and Learning, week 1

Just a weekly snapshot of the tech I have used for a client, prepared to use for a client or am learning for the future.


Using

The IBM Collaboration stack (Atom, DB2, WebSphere, Connections, Domino, etc.)

Spring

Adobe Flex

JBoss

Vaadin

OpenQM


Pending

JBoss RESTEasy

Bootstrap

Ext-JS


Learning

Swagger link1 link2

Enunciate

Salesforce

Fuse ESB

Zen Coding link1 link2


This is over and above the usual suspects of Java, jQuery, GitHub, SVN, Maven, Jenkins et al. that you need to have a grip on.

Transparent Children

Part of the work LDC have been doing for Wellesley Information Services on the Socialbizug.org site has been an upgrade of the home page.

One of the upgrades was an overhaul of the Content Spotlight (basically a carousel of stories), but it had a niggly bug that was identified, in which the text showing inside a semi-transparent area was itself semi-transparent.

Just does not look quite right, does it? The CSS for this is as follows:

div.content {
    background:#000;
    opacity:0.65;
    filter:alpha(opacity=90);
    -ms-filter:progid:DXImageTransform.Microsoft.Alpha(Opacity=90);  
}

Playing with the CSS opacity property of the child text makes no difference, and that is totally expected: opacity works like that (boooo!!). The traditional workaround if you want non-transparent text inside a transparent element is to NOT have the text/object as a child, but rather as a peer, and then move it into the correct place via CSS. For this situation that sucks, as the whole Content Spotlight is generated via JavaScript. Thankfully we have a lovely little alternative for modern browsers, and that is the [RGBA Colors](http://www.w3schools.com/cssref/css_colors_legal.asp) setting for the background property, which allows you to set the red, green, blue and opacity values for an element, and this does not trickle down to the child elements, like so:

div.content {
    background:#000;
    /* opacity:0.65;
    filter:alpha(opacity=90);
    -ms-filter:progid:DXImageTransform.Microsoft.Alpha(Opacity=90);  IE */
    background: rgba(0, 0, 0, .65);
}

Which suddenly fixes our problem and makes everything look nice again.

Old WebServices and Security

At LDC we deal with all sorts of projects, from bleeding edge to stuff that I’m sure was written by the same people as made Stonehenge. One such example came our way from a large client and involved communication between an IBM iSeries and a very wide variety of other systems. The user would trigger an item of work on the iSeries, which would then call all the other systems. The job itself was not an issue, BUT the security implication of it was.

Because of the variety of the systems involved, web services were picked as the most universal communication method available, but the frameworks used by the various systems varied hugely, from up-to-date CXF and .NET through Axis 1.4 all the way down to manual text parsing (yes really). This meant that there was no way of doing session security; hell, any form of security was going to be hell.

After a bit of head scratching we used a simple solution that solved the problem nicely for all.

Every web service call now contains an additional parameter that contains a hashed text string.

When a request is made from the iSeries, it generates a text string according to the rules we laid down, hashes it (we used an MD5 hash*) and adds that to the web service call. The receiving system knows the rules the iSeries used, so it generates its own string and hashes it, compares the result to the incoming hash, and if they match then it's a valid request; otherwise it just discards the request.

The source string needs to contain a number of different elements to be of any use. I recommend a minimum of:

  • A time component: This will stop the key staying the same. Make it as precise as you can (but beware of time zone differences and such). We used the AS400 time format to make it easy for the iSeries guys.
  • An environmental component: Something that shows which area a system is on, i.e. DEV/PT/LIVE etc., so that a dev system could not communicate with a live system by accident. Happily, on the iSeries there is a nice 6 digit environment ID.
  • A password: Just a nice long string that is unique to each of the target systems.

Now I don’t know IBM RPG, so this side was done by an extremely talented programmer called Wajid Basha (who I personally think is wasted at his current role).

He did a little generic function to generate the hash on the IBM iSeries: MD5 HASH Generator Iseries.txt

And the Java to test the resultant hash:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.SimpleDateFormat;
import java.util.Calendar;

public static boolean isRequestValidPerEnv(String hashId, String password, String IseriesEnv) {
    boolean validRequest = false;
    String currentAS400date = String.valueOf(getAs400Date(Calendar.getInstance()));
    String completedHash = "";
    try {
        //this is the simplest version probably you would want to really add more variables and maybe chop the text around as well
        //It will obviously have to match the string generation rules on the Iseries
        String original = password + IseriesEnv + currentAS400date;
        MessageDigest md = MessageDigest.getInstance("MD5");
        // getBytes() uses the platform default charset; it must yield the same bytes the Iseries hashes
        md.update(original.getBytes());
        byte[] digest = md.digest();
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            String temp = Integer.toHexString(b & 0xff);
            //bloody Hex to String trims leading zeros
            if (temp.length() == 1) {
                temp = "0" + temp;
            }
            sb.append(temp);
        }
        completedHash = sb.toString();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
        // fail closed: without this an empty hashId would match the empty completedHash
        return false;
    }
    // completedHash is never null, so a null hashId is rejected instead of throwing
    if (completedHash.equals(hashId)) {
        validRequest = true;
    }
    return validRequest;
}

// if you are doing any work with IBM As400 systems then you will already have this code.
public static Long getAs400Date(Calendar dateIn) {
    if (dateIn == null)
        return null;
    // CYYMMDD: a leading 1 marks years after 1999
    SimpleDateFormat df = new SimpleDateFormat("yyMMdd");
    int era = 0;
    if (dateIn.get(Calendar.YEAR) > 1999)
        era = 1;
    String newDate = (1 == era ? era : "") + df.format(dateIn.getTime());
    return Long.valueOf(newDate);
}

Problem solved. 🙂
Now I would not suggest this method for an externally facing system (not with MD5), and it's not true serious security, but given the definition:
> Security is the ability of a system to protect information and system resources with respect to confidentiality and integrity.
then it's a way that will hold this system safe from internal attack.
*Yes, I know MD5 has known vulnerabilities, but it was one of the few hashes that all the systems involved could generate (I hate lowest common denominators but they are a factor of real life), and frankly if someone is going to the level of effort to break the hash, then they are bloody stupid, as if they are attached to the internal network then there are a lot better targets.
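The receiving-side check described above, as an added example that is not the original post's or LDC's code: it keeps the same password + environment + AS400 date rule, but accepts the adjacent dates (the time zone and midnight cases the list warns about) and compares hashes in constant time. The class name, the UTF-8 encoding, the three-day window and the sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;

class TokenCheck { // hypothetical class name, not from the original post
    // CYYMMDD as in getAs400Date: century flag "1" for years after 1999
    static String as400Date(LocalDate d) {
        String yymmdd = d.format(DateTimeFormatter.ofPattern("yyMMdd"));
        return (d.getYear() > 1999 ? "1" : "") + yymmdd;
    }

    // Assumption: both sides hash the UTF-8 bytes of the source string
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // Accept tokens built for yesterday, today or tomorrow, so a call made just
    // before midnight, or from a host in another time zone, still validates.
    static boolean isValid(String token, String password, String env, LocalDate today)
            throws NoSuchAlgorithmException {
        if (token == null) return false;
        byte[] got = token.getBytes(StandardCharsets.UTF_8);
        boolean ok = false;
        for (int offset = -1; offset <= 1; offset++) {
            String expected = md5Hex(password + env + as400Date(today.plusDays(offset)));
            // constant-time comparison, and no early exit from the loop
            ok |= MessageDigest.isEqual(got, expected.getBytes(StandardCharsets.UTF_8));
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        String password = "constructed-shared-secret"; // constructed sample values
        String env = "100001";
        LocalDate today = LocalDate.now();
        String lateYesterday = md5Hex(password + env + as400Date(today.minusDays(1)));
        String otherEnv = md5Hex(password + "900001" + as400Date(today));
        String lastWeek = md5Hex(password + env + as400Date(today.minusDays(7)));
        System.out.println("yesterday's token: " + isValid(lateYesterday, password, env, today));
        System.out.println("other environment: " + isValid(otherEnv, password, env, today));
        System.out.println("week-old token:    " + isValid(lastWeek, password, env, today));
        System.out.println("missing token:     " + isValid(null, password, env, today));
    }
}
```

The acceptance window is a trade-off: a captured token can be replayed anywhere inside it, which is why the time component should be as precise as the clocks on both sides allow.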

Ext deployment zip

A large number of Domino apps I develop solutions for seem to need a few jar files, and more often than not these end up in the ext lib on the server (be that for speed/memory or conflict reasons).*

But such apps are a sod to deploy for administrators. I figured a simple and consistent zip file in the files section would make everybody’s life a bit simpler, so I went and asked a top admin, and this is the suggestion:

EXT-XXXXXXXX-YYYYMMDD.ZIP

Where XXXXXXXX is the name of the application (maybe a version number for the developer) and YYYYMMDD is the date the zip was added (yes, include it despite the fact it will be in the files section, as admins tend to store these things on the file system).

This file should contain:

  • An ‘Ext’ directory that contains the jar files you require
  • A java.policy file and any other files that need modifying, containing the changes required
  • A “readme.txt” with your descriptions and justifications for the changes (enough justification so that the admin can take it to a manager if permission is needed)

*OSGi has not always made it to clients, but if it has, SHOW112 by Paul Fiore is an amazing presentation.

Notes9 release Oops

As a firm insider in the IBM community I often forget how impenetrable IBM stuff is from the outside. I got this contact from a friend who no longer makes his living from IBM/Lotus products but still likes to keep up to date; they are less than impressed…

..quick rant to you … not at you at all.

Who do you know high up in Lotus/IBM that listen to their public? I find the product release and websites around the Notes/Domino product HORRENDOUS. Download 9 (yep, just found out it’s been released after searching many pages down in Google despite being a PARTNER!), get the release notes – click on the What’s new, takes you to Lotus site, click on the link there, takes you to IBM, click on Notes 9 stuff, takes you BACK to the readme file I started at – do I know what’s new yet? Yep, that nothing has changed when it comes to taking care of customers or the paying public – IBM/Lotus – go and talk to Atlassian, they know how to grow community, build awesome products and take care of customers and evangelists alike.

Try it out – search Google to find anything about the product being launched and fail badly.
When you download, you can get to the release notes – I’ll save you the time – http://infolib.lotus.com/resources/domino/Notes/9.0/Readme/readme.html – now tell me what’s new?

Gladly share this with whomever you wish as high as you can – they are a bunch of absolute rubbish.
And if they want suggestions of how to do it better rather than just a rant, I’ve got a LOT of suggestions but I’m not making them if none will be implemented (like me contacting XXXXX XXXXX directly to get the forums sorted out and it NEVER happening, so I stopped sending any feedback on any beta testing)

What can I tell him?