Veikko Mäkinen

Preemptive HTTP Authentication with Android 2.2

Wed, 29 Dec 2010 12:46:00 +0200

Preemptive HTTP Authentication with Android 2.2

I just spend a good few hours trying to figure out why my Android application fails to communicate with a web service which requires preemptive Basic HTTP Authentication. Here’s an example code for anyone else on the same quest:

String auth = android.util.Base64.encodeToString(
	(username + ":" + password).getBytes("UTF-8"), 
	android.util.Base64.NO_WRAP
);
HttpGet request = new HttpGet(url);
request.addHeader("Authorization", "Basic "+ auth);

Thanks Mark Murphy.

David Linsin shows in his blog how to use HttpRequestInterceptor to fiddle with the request before it is sent. For some reason I wasn’t able to make it work and I don’t see any reason why adding the Authorization header manually wouldn’t be enough. Feel free to correct me if I’m missing something here.

Android 2.2 ships with Base64 utility class. With older versions you can use http://iharder.net/base64. This is what Mark Murphy uses in his examples. The interface is almost identical.

android.util.Log Trims, Base64 Doesn’t!

This is actually the reason why all this took so long to figure out. The web server returned “400 Bad Request” and I couldn’t figure out what was wrong. I knew the problem was in the Authorization header but when I logged the authorization token everything looked OK… until I did this:

Log.i("AUTH", "\""+auth+"\"");

I turned out that the base64 encoded authorization token had an extra newline at the end. Hence, android.util.Base64.NO_WRAP.

My name is MÃ¤kinen, Veikko MÃ¤kinen

Sun, 19 Dec 2010 21:47:00 +0200

Sometimes it’s not easy to be a Finn with weird characters in my surname…

On 18.12.2010 20:22, devenroll@apple.com wrote:
> Please include the line below in follow-up emails for this request.
>
> Follow-up:  XXXXXXXXXXX
>
> Re: iOS Developer Program
>
> Dear Mr Makinen,
>
> We are currently in the process of reviewing your iOS Developer
> Program enrolment information.
>
> In reviewing your company enrolment application, we have found the
> following information:
>
> Enrollment ID: XXXXXXXXXX 
> Company Name: XXXXXXXXXX  
> Applicant Name: Veikko MÃ¤kinen 
> Email: veikko.makinen@xxxxx
>
>
> Please note that the applicant name is in double-byte characters. We
> are unable to properly view this on our system since we require
> registered information to be in standard English characters. We have
> therefore withdrawn your enrolment XXXXXXXXXXX and you can submit a
> new enrolment request with the correct applicant name.
>
> We ask that you please submit a new enrolment using a different Apple
> ID and email address from the ones used for your original enrolment.

Dear Apple Developer Support,

I have read this message over and over again and several times checked 
my calendar to make sure I'm still in year 2010 and not leaped back to 
the 90'ies. Don't get me wrong, though. Many quality software systems 
were built in the 90'ies and if your enrollment system still runs just 
fine there's no need to update it to support other character sets besides 
the legendary American Standard Code for Information Interchange, or 
ASCII. After all, if we get by with ten digits, 128 characters should 
be plenty.

This can, however, become problematic now that developing countries like 
Finland or Germany are joining the party. Some of these newcomers, me 
being one of them, might expect to be able to use their actual names 
or at least GET A NOTICE AND A CHANCE TO CORRECT IF THE NAME PROVIDED 
IS NOT ACCEPTABLE!

And then about creating a totally new Apple ID just to be able to enroll 
with a fake name: You have got to be kidding...? No? Absolutely sure? 
I have changed the name in my Apple ID account but the enrollment system 
still insists that my name is Veikko MÃ¤kinen. Can't I reset the information 
from the Apple ID account? I was under the impression that Apple systems 
Just Work.

Sincerely,
Veikko Mäkinen

Why do so many companies actively using email for marketing know...

Fri, 12 Nov 2010 22:15:54 +0200

Why do so many companies actively using email for marketing know so little about basic do’s and dont’s… Well here’s a Dont for you all: don’t write “www.something.com” and then link it to “www.somethingelse.net”.

Facelift

Sun, 03 Oct 2010 10:06:00 +0300

Long overdue facelift of my ever-so active blog happened finally. Briefly tested with Firefox 3, IE8, and Safari [something]. Can’t be bothered with anything more.

A Great Article Series on Agavi

Wed, 16 Sep 2009 09:58:52 +0300

Vikram Vaswani has written a great article series on Agavi. The five-part series starts off with the basic but in the end goes quite deep into building a multi presentational layer web application. Go read it on the IBM developerWorks! Now!

Propel Developers' Held a Meeting

Fri, 11 Sep 2009 09:10:06 +0300

Propel developers held an IRC meeting last night discussing the projects future. Amazingly many showed up and the discussion was active and fruitful.

Read the log at Propel Wiki.

Say It!

Wed, 04 Mar 2009 19:07:30 +0200

Disqus Comments

Integrating Disqus commenting system to my Tumblr blog was ridiculously easy. Just have to figure out why the comment form completely breaks my design :)

Be Careful with PHP's version_compare

Tue, 03 Mar 2009 13:33:48 +0200

Be Careful with PHP’s version_compare

var_dump(version_compare("5.2.8-0.dotdeb.1", "5.2.8", "<="));

Expected result: bool(true)

Actual result: bool(false)

The moral of the story: use < or >.

Installing a Project-local Propel

Sun, 01 Mar 2009 10:11:00 +0200

Installing a Project-local Propel

Installing Propel is often seen as a difficult task. Official installion instructions recommend installing via Pear and say more initial work is requireq to install it manually. I usually advice not to use global Pear installations but install everything per project because it gives you better control and you are able to use different versions of libraries for different project. This article shows you how easy it actually is to have a project-local installation of Propel 1.3.

Prerequisites

Phing 2.2.x (and, thus, Pear)

Phing is the only exception to my “no pear installations” rule. It can be installed per project but I see Phing as a development tool you can have globally on your development machine.

Suggested Directory Layout

/            project root
  dev/       development-time files (docs, database schemas, code templates etc.)
    db/      database development files (schema.xml, diagrams, docs etc.)
    libs/    development-time libraries
  libs/      runtime libraries (3rd party)

Getting Propel from the SVN

I recommend fetching Propel directly from the SVN repository simply because I see that as the easiest choice and you have full control of which version to pick. Also, should you ever want to upgrade to a newer revision (maybe there is a bugfix that isn’t officially released yet), you can just retrieve it from the repository. Personally I have 3rd party libraries set up as svn:external where possible but we don’t go into that in this article.

Propel is split into two components - generator and runtime libraries and we’ll keep those two appart. So, in your project root execute following SVN commands:

svn export http://svn.phpdb.org/propel/branches/1.3/generator dev/libs/propel

svn export http://svn.phpdb.org/propel/branches/1.3/runtime/classes/propel libs/propel

And that is it. YES, I mean it!

Propel is now ready to be used. You don’t need to set PATH or include_path, you don’t need to copy executables anywhere and you don’t have to modify a single file.

Building a Propel Project

Create your schema.xml, runtime-conf.xml and build.properties files in dev/db. To build your project go to your project root and run

dev/libs/propel/bin/propel-gen dev/db

… and whatch Propel do its magic. Propel creates output files into ´dev/db/build/´

Fine-tuning The Building Process

You can control where Propel puts the output with a few build.properties directives. Here’s an example that probably needs no explanation.

#relative to propel-gen script
propel.output.dir = ../../..
propel.php.dir = ${propel.output.dir}/app/lib/propel
propel.phpconf.dir = ${propel.output.dir}/dev/db/config
propel.sql.dir = ${propel.output.dir}/dev/db/sql

What About Runtime?

Yeah, you got me there - there’s still one thing you need to take care of before everything “just works”.

//propel runtime + path to your om classes
$path = '/my/project/libs' . PATH_SEPARATOR . '/my/project/app/lib/propel';
set_include_path(get_include_path() . PATH_SEPARATOR . $path);

Agavi 1.0.0 Beta 8 Includes a Critical Security Fix

Thu, 05 Feb 2009 09:28:00 +0200

Agavi 1.0.0 Beta 8 Includes a Critical Security Fix

A new Agavi 1.0.0 Beta 8 was released late yesterday (European time). As usual, the new version contains several improvements and bug fixes but also a fix to a critical cross-site scripting vulnerability described in http://trac.agavi.org/ticket/1019. The vulnerability actually affects, as far as we know, only Internet Explorer 6 and 7 which fail to encode URL according to standards.

Affected versions:

Agavi 0.11 up to and including 0.11.6-RC2
Agavi 1.0 up to and including 1.0.0-beta7

Solutions

Upgrade to 0.11.6 or 1.0.0 Beta 8
Patch your Agavi with a hot fix attached to the ticket
Use one of the workarounds described in the ticket.

Agavi Tip: Automatic Output of Validation Errors

Mon, 02 Feb 2009 21:13:48 +0200

Agavi Tip: Automatic Output of Validation Errors

I decided today to stop printing my validation error messages manually in the template. I knew that Form Population Filter (one of Agavi’s many excellent features also referred to as FPF) could be used to inject error messages into the HTML form next to erroneous fields but I want my error messages above the form. Once again David was there to help me and with a few iterations of trial and error he offered a working solution for me. And the solution was so simple and nice that I just had to blog it.

Filter Configuration

global_filters.xml


<filter name="FormPopulationFilter" class="AgaviFormPopulationFilter">

  <ae:parameter name="methods">
    <ae:parameter>write</ae:parameter>
  </ae:parameter>
  
  <ae:parameter name="output_types">
    <ae:parameter>html</ae:parameter>
  </ae:parameter>

  <ae:parameter name="error_messages">
    <ae:parameter name="self::${htmlnsPrefix}form">
    <ae:parameter name="location">before</ae:parameter>
    <ae:parameter name="container"><![CDATA[<div class="errors">${errorMessages}</div>]]></ae:parameter>
    <ae:parameter name="markup"><![CDATA[<p class="error">${errorMessage}</p>]]></ae:parameter>
    </ae:parameter>
  </ae:parameter>
  
</filter>

And that’s it. FPF injects all error messages above your form. Each error message in its own paragraph and all paragraphs wrapped inside a <div>

Want More?

FPF can have different rules for different kinds of errors and with XPath you can inject them pretty much anywhere you want. See the Agavi’s sample application for more examples.

Running IE6, IE7 and IE8 Virtually

Mon, 26 Jan 2009 13:34:00 +0200

Running IE6, IE7 and IE8 Virtually

Now, this is not easy for me to admit but I just learned about an awesome Windows application by Microsoft.. from a mac user :)

Microsoft Virtual PC 2007 SP1 & Internet Explorer VPC Images

I cannot believe this has been under my radar all this time. Finally I can easily have different windows/IE setups. The software is free (yes, I found it hard to believe too but it’s true!) and Microsoft gives you ready-to-use virtual hard-drive images with operating system and IE ready.

It has been a long time since I last praised Microsoft for doing something right. And now I’m getting suspicious… what’s the catch here?!

Installation

Download Virtual PC 2007 setup.exe, execute it and enjoy the no-reboot-required installation (yet another amazing thing).
Download one or more hard-drive images, execute and select a directory where you want the image to be extracted.
Start Virtual PC 2007 and create a new virtual machine. Use the extracted hard-drive image.
Boot up the virtual machine and enjoy the IE experience

P.S. Like the original post describes you can use virtual images provided by MS with other operating systems / virtual machine hosts too.

Agavi 1.0.0 beta 7 released!

Sun, 11 Jan 2009 15:41:15 +0200

Agavi 1.0.0 Beta 7

Out of many changes there are two (or actually three) I want to emphasise because they may be backwards compatibility breaks for someone.

Default View Security Fixes

Two separate changes have been made to action’s default view handling to ensure strict security.

To make sure a developer doesn’t use unvalidated input data by mistake global unvalidated request data is locked during action and view execution. However, before 1.0.0 beta 7 it was possible to access the global request data in Action::getDefaultViewName(). This has now been fixed and anyone using the global request will be punished severely with an exception. Mind you, it has always been recommended that no application logic is put into getDefaultView(). It should just return the default view name for the action.

It was also recently discovered that the strict validation mode (default mode in Agavi 1.0) wasn’t working as it is supposed to when an action didn’t provide an execute method for the current request and the default view was used. In this case the request data was given to the view unfiltered which is against the strict validation mode principles.

PHP 5.2.8 Requirement (conditional)

Due to issues with magic quotes in PHP’s earlier versions and the fact that making Agavi bullet proof in all situations is beginning to be a maintenance nightmare it was decided to require PHP 5.2.8 if magic_quotes_gpc is ON. I’ll repeat: Agavi requires PHP 5.2.8 ONLY if magic_quotes_gpc is enabled on your server. If it’s not you can still use Agavi with PHP 5.2.0 or later (5.1.3 with Agavi 0.11).

Agavi Blog

1.0.0 Beta 7 Release Notes

Agavi Tip: Validation Gotchas

Wed, 07 Jan 2009 21:18:00 +0200

Agavi Validation Gotchas

Agavi’s input validation system is extremely versatile and even people with long history with Agavi - me for example - sometimes struggle to get their head around it. So I decided to put down a few gotchas. Here goes…

Validators Can Be Grouped

You can use AgaviAndValidator, AgaviOrValidator and AgaviXorValidator to group several validators.


<validator class="or">
  <validators>
    <validator class="email" required="false" >
      <arguments>
        <argument>email</argument>
      </arguments>
    </validator>
    <validator class="MyPhoneNumberValidator" required="false" >
      <arguments>
        <argument>phone</argument>
      </arguments>
    </validator>
  </validators>
  <errors>
    <error>Please provide email or phone</error>
  </errors>
</validator>

Validator Can Depend on Another Validator

Quite often you only want validate input B only if the user provided input A. Agavi makes this simple:


<validator ... required="false" provides="street_set">
  <arguments base="contact">
    <argument>Street</argument>
  </arguments>
</validator>

<validator ... required="true" depends="contact[street_set]">
  <arguments base="contact">
    <argument>Zip</argument>
  </arguments>
</validator>

Note: argument’s base attribute affects also provides/depends attributes (see example above) !!

Pimp My Error Messages

A validator can throw different error message based on what went wrong and error messages can be translated on the fly. Error message options vary between validators. See API docs for more.


<validator class="string" translation_domain="default.errors">
  <arguments>
    <argument>my_input</argument>
  </arguments>
  <errors>
    <error for="required">Please fill this input</error>
    <error for="max">Please keep it shorter than 40 characters</error>
  </errors>
  <ae:parameters>
    <ae:parameter name="max">40</ae:parameter>
  </ae:parameters>
</validator>

Validating Array Inputs

<input name=”rows[Id]”


<arguments base="rows">
    <argument>Id</argument>
</arguments>

<!-- or -->

<arguments>
    <argument>rows[Id]</argument>
</arguments>

<input name=”rows[1][Id]”


<arguments base="rows[]">
    <argument>Id</argument>
</arguments>

<input name=”rows[]”


<arguments base="rows[]">
    <argument/>
</argument>

Validator Can Normalize And Export Combined Values

This example shows how to get AgaviDateValidator to validate a compound value. But that’s not all! It’ll even export a proper timestamp for you to use in your application code.


<validator class="AgaviDateTimeValidator">
    <arguments>
        <argument name="AgaviDateDefinitions::DATE">day</argument>
        <argument name="AgaviDateDefinitions::MONTH">month</argument>
        <argument name="AgaviDateDefinitions::YEAR">year</argument>
    </arguments>
    <errors>
        <error>Validation error</error>
    </errors>
    <ae:parameters>
        <ae:parameter name="export">MyDatestamp</ae:parameter>
    </ae:parameters>
</validator>

Remember to Validate ALL Input

Validation is not limited to GET/POST input parameters but HTTP headers and cookies can (and should) be validated too. Use the source attribute to tell the validator where to get the data from.


<validator ... source="headers"> <argument>REFERER</argument>

Validator is ran only if the parameter is non-empty.

By default the validator base class AgaviValidator checks that all the arguments are set before executing the actual validation. If the input value is empty or non-existent but required error is thrown. But if required attribute is set to False the validation just quietly continues to another validator. Normally this is not a problem but you might want to code a custom validator that exports a default value for empty parameters. In this case you need to override AgaviValidator’s checkAllArgumentsSet().

Did I forget something?

Join #agavi IRC channel and hassle me there or send email to veikko@veikko.fi.

Agavi Tip: Checking Validation Results

Tue, 06 Jan 2009 23:25:00 +0200

Agavi Tip: Checking Validation Results

Normally when an input validator fails you’ll just want to show the form again and let FormPopulationFilter do its magic (you do know you can it have re-populate the form and inject error messages into the form, don’t you?-). But occasionally you want to decide the next move based on what validator failed. With Agavi 1.0 getting validation incidents of a named validator is this simple:

public function handleError(AgaviRequestDataHolder $rd)
{
  $vm = $this->container->getValidationManager();
  if (count($vm->getReport()->getValidatorResult('my_special_validator')->getIncidents())) {
    return 'CriticalError';
  }
  else {
    return 'Error';
  }
  
}

Note: that AgaviValidationValidatorResult was missing from the core autoload.xml in 1.0 Beta 6. This has been fixed in the SVN If you aren’t using the bleeding edge version add the following line to your config/autoload.xml.

<autoload name="AgaviValidationValidatorResult">%core.agavi_dir%/validator/AgaviValidationValidatorResult.class.php</autoload>

Agavi Debug Tools now supports Propel query logging (both...

Mon, 05 Jan 2009 22:41:09 +0200

Agavi Debug Tools now supports Propel query logging (both FirePHP and HTML output). Just configure Propel to use DebugPDO and AdtFilter to use AdtPropelDataSource. Nothing else required.

Agavi 1.0.0 Beta 6

Tue, 25 Nov 2008 21:55:00 +0200

Agavi 1.0.0 Beta 6 - Even More Secure

Default: Strict Validation ALWAYS

Agavi has a very special input validation system which, by default, will not let your application use any unvalidated input data. And this doesn’t mean only POST or GET parameters in HTTP world but also cookies and headers. Remember, those too are user input and must be considered insecure.

This strict validation mode has been the default setting for production environment for quite some time already but after Agavi was blamed for somebody’s poor input validation it was made default for development environments too. It had already been discussed earlier because different defaults for different environments was sometimes confusing and caused applications to break when moved to production.

Production-ready Exception Templates

Because people seem to be too lazy to configure exception templates for production use a new set of default templates was added to Agavi 1.0.0 Beta 6.

Download Agavi: http://www.agavi.org/download

Thanks to Harald “digitarald” Kirschner ADT’s...

Tue, 18 Nov 2008 09:51:00 +0200

Thanks to Harald “digitarald” Kirschner ADT’s FirePHP output is now 174% nicer. And a few bugs was fixed too. Check out ADT at http://adt.projectbin.org/.

Kübler-Ross Model

Mon, 17 Nov 2008 20:01:00 +0200

Five Steps to Agile Development

Denial
Anger
Bargaining
Depression
Acceptance

Elisabeth Kübler-Ross’ Five Stages of Grief describes how people handle grief and tragedy, especially when diagnosed with a terminal illness. Apparently these also apply to agile development and user experience practice :D

Originally blogged/linked by http://agileweb.org/.

Happy Birthday to Me

Mon, 17 Nov 2008 06:23:08 +0200

28 (0x1c) years today.