Monday, November 29, 2010

Becoming a MacBook Pro Ninja

I have always been the PC guy in those funny Mac commercials. I knew very little about Macs a month ago. In fact, I had to consult the owner's manual to find the seamlessly integrated power button on the shiny new MacBook Pro! I didn't feel too bad; I challenged another PC guy to find it and he failed too :) Being a novice at anything can be extremely frustrating, so as a novice I set a simple goal: learn everything about this all-aluminum unibody machine. After reading MacBook Pro Portable Genius, a few magazines, and many online tips, I finally feel very comfortable in the driver's seat. Here is a very brief recap of what I discovered on my journey.

Favorite Features

  1. Trackpad gestures:
    The multi-touch trackpad is the most powerful feature I have found on any laptop. Who needs a mouse? I am more efficient with the trackpad! Enable "tap to click" for even greater efficiency gains.
  2. Exposé:
    Exposé lays out every open window so you can switch between them at a glance. Application Switcher and Spaces each offer efficient capabilities for navigating your workspace. These features will definitely make you more efficient while multitasking.
  3. Security:
    The security settings are powerful and simple to set up. They include account management, password enforcement, FileVault data encryption, the application firewall, secure notes, single sign-on via credentials stored in the keychain, and parental controls. Each is configured from System Preferences (Accounts, Security, Parental Controls) or from Keychain Access.

Top Four Things To Customize When Setting Up

  1. Enable the firewall:
    If you use public Wi-Fi, turning on the firewall is a must. A shared wireless network is the most hostile network most people ever connect to. Start with the most restrictive setting (block all incoming connections) and relax it only if you need file or web sharing. Keep in mind that the firewall filters inbound connections only; it does nothing for traffic you initiate, so it complements, rather than replaces, using HTTPS on public networks.
  2. Require passwords:
    Most users disable passwords on personal devices for convenience. I will always opt for security. Also require a password to wake from sleep or the screen saver, otherwise the login password protects nothing once the lid is opened.
  3. Enable FileVault encryption:
    FileVault (as of Snow Leopard) encrypts the home directory, not the whole disk. The benchmark studies I found show only minor performance degradation. If my laptop ends up in the wrong hands, the thief cannot log in or read my files straight off the disk, with two caveats: anything stored outside the home folder is still in the clear, and the protection is only as strong as the login password that unlocks it.
  4. Adjust energy savings:
    Dim the backlit keyboard, reduce screen brightness, and adjust the Energy Saver settings to preserve battery life.

Most Frustrating Features

  • Speech recognition:
    This is an interesting feature that is hit or miss. A few commands work well ("open my browser") while others rarely work ("tell me a joke"). In the end, the trackpad reigns supreme.
  • No trackpad gesture for Spaces:
    Looks like the only alternative is to use a hot corner or keyboard shortcut.

Features With Potential That I May Never Use

  • Dashboard:
    I have setup several active widgets for weather and iTunes but I can access these features outside of dashboard too. The availability of useful widgets will drive my usage of this feature.
  • Text-to-speech:
    This is a nice feature but I only see myself using it while reading an online book.
  • MobileMe:
    I can not justify the yearly cost for Apple's cloud storage when a simple flash drive does the job at a lower cost.

Mac Book Resources

Tuesday, September 14, 2010

Cleaner Code with One Simple Technique

What is the simplest technique you can apply to write cleaner code? Clean Code by Robert C. Martin is a very good book that focuses exclusively on writing cleaner code. I read it several months ago, and at a recent code review I was again reminded of the value of one simple technique. The simplest technique for writing cleaner code is to keep functions small!

Advantages of Small Functions

  • Functions perform one specific responsibility (single responsibility principle)
  • Functions become very readable
  • Functions are more likely to descend only one level of abstraction (tip G34 from Bob's book)
  • Small functions promote reusability and help eliminate duplication
  • Your favorite IDE makes extract method so simple
  • Small functions adhere to these valuable coding principles by design

Ideal Function Size

"Continue to extract methods until you cannot extract methods anymore. Extract until you drop!" This is Bob's recommendation from his online presentation Bad Code and Craftsmanship. Personally, I couldn't agree more. For the past three months I have been following this practice, and this simple technique has a high return on investment.

Additional Clean Code Tips

Looking for additional clean code tips? Chapter 17 (Smells and Heuristics) in Bob's book is a very quick read and covers sixty-six valuable coding practices. Alternatively, Bob discusses many clean code practices in his online presentation. In fact, he leads off the discussion by focusing on the importance of small functions!

Tuesday, August 31, 2010

Objective-C for Java Developers

I actually won Learn Objective-C for Java Developers at the last Twin Cities Java User Group meeting. The only stipulation for winning a free book is the expectation that we publish a review of the book online. This is a small task for a free book. Learning Objective-C had been on my to-do list for several months anyway; winning this book simply moved it higher on my priority list.


Rating: 4 stars


  • Many of the Objective-C examples were also shown with their Java counterpart. This added value in two regards. First, it clarified what the example was really doing. I could simply reference the Java version and quickly understand the Objective-C code. Secondly, it allowed me to compare and contrast the two languages. In many cases (but not all) the Objective-C examples contained fewer lines of code.

  • In addition to the Java and Objective-C examples, the book also had many table-based comparisons for common features (data types, methods). For example, one page listed the Java data types and their Objective-C alternative including their size and range restrictions. Again this helped simplify the learning curve. The table-based charts were also used for common method declarations too. For example, the common String utility methods were shown side-by-side. One column showing Java's String utility method declarations and the other column showing the Objective-C alternative.

  • Most code examples were a page or less. This helped simplify the learning process by allowing me to focus on more isolated code fragments.


  • Many books that teach a new programming language typically include exercises at the end of each chapter that the reader can take away and complete. This book did not have any. This is a minor complaint. I can definitely think of sample programs to write...

  • The index does not always serve as a good reference for finding things quickly. For example, I wanted to find more information about logging and "logging" or "NSLog" were not in the index. Need to find the for loop quickly? You will not find it in the index. It is actually found in the index under "Collections, iterating through". The index could have been structured slightly better for quick search keywords.

  • An Objective-C quick reference guide would have been helpful. This did not bother me too much because about the time I started reading this book DZone released a new Objective-C reference guide. I highly recommend it! In my previous "con" I mentioned that it can be painful to find certain topics (logging, data types, loops) quickly within the index. The DZone refcard provides quick access to those topics and more!


Overall this book is a very valuable resource for Java developers that want to learn the Objective-C language. The author greatly simplifies the Objective-C learning curve by contrasting many features and examples to its Java equivalent.

Saturday, July 31, 2010

Mobile Web Toolkit

Mobile Web development requires a richer set of developer tools than its desktop counterpart. XHTML MP, Wireless CSS, and Mobile JavaScript are each trimmed-down subsets of their desktop predecessors, and the Mobile Web adds challenges of its own: device fragmentation and browser inconsistencies will always wreak havoc within this ecosystem. Good tools help overcome these challenges. Here are a few:

Validating Mobile Sites

How valid is your Mobile Web site? Find out with these validators. They grade your site and offer best-practice fixes to make it more compliant. They are also valuable tools for a code review!

Mobile Web Best Practices

Both validators above evaluate mobile sites based upon standards and best practices. Their best practice and standards documentation can be found here:

Device Databases

Device databases simplify device detection. This helps facilitate content adaptation for specific device groupings (smartphones, featurephones, screen size, OS, JavaScript/AJAX support, is wireless, is touchscreen, etc.). For example, Bank of America and Amazon tailor content based on several of these groupings.

XHTML Mobile Profile

XHTML MP is the standard markup language for the Mobile Web. Unlike desktop HTML and XHTML, XHTML MP is compatible with feature phones, it is less likely to be transcoded (rewritten by an intermediary proxy) for optimization, and it supports the mobile-optimized Wireless CSS and Mobile JavaScript features. For the full list of XHTML MP 1.2 features, refer to OMA's specification document.

Firefox Add-ons

The following Firefox add-ons are very powerful tools for testing and developing:

Device Testing Solutions

The ideal testing solution is to test on the physical device. Two virtual device testing solutions exist:

JavaScript & AJAX Compatibility

When testing on a physical device is not feasible, the compatibility tables compiled by Peter-Paul Koch are a good alternative. If you need to identify JavaScript compatibility across browsers or devices, these tables can definitely help:

CSS Compatibility

If you need to identify CSS compatibility across browsers or devices, these tables exist too:

Web Widgets

Web Widgets will allow Mobile Web developers to take advantage of native phone features. The subset is limited but it is a start: Device APIs and Policy Working Group

Book Resources

Wednesday, June 30, 2010

Restful Link Integrity

How do you secure sensitive information within your URIs? Many of the RESTful examples I have seen expose sensitive information within their links. Often this sensitive data is the identifying key of the entity being managed. RESTful Web Services Cookbook briefly discusses two solutions for securing sensitive information within URIs (refer to chapter 12 for details). I will expand upon these two solutions, demonstrating how the Jasypt encryption framework can be used to protect sensitive link data, and then cover a third option that avoids the problem altogether.

First, check that your URI templates do not expose sensitive data. If they do not, there is no concern. If they do, the integrity and confidentiality of that data must be preserved. An insecure URI template may look like:{account_id}.

If this URI template exposes a clear-text account ID, we have a security gap: the consumer can substitute any account ID they like, and the server's authorization checks are all that stands between them and someone else's account. Three solutions exist to secure RESTful links:

Hashing

Hashing (more precisely, a keyed digest) is the solution when the parameter must stay in clear text and only its integrity matters. Integrity is the assertion that the data was not altered by the consumer or by a man-in-the-middle. With a hash-based solution the RESTful link carries the clear-text account ID together with a digest of it, and may look like:

This solution preserves integrity but it does not provide confidentiality: if the consumer alters the account ID, the server-side check of the digest fails. One caveat the Jasypt example below does not cover: a digest that anyone can recompute (an unkeyed hash such as the digester's default MD5, even with a random salt, since the salt is shipped inside the digest) does not stop a consumer who knows the algorithm from recomputing a matching digest for a different ID. The digest must incorporate a secret that only the server knows, for example an HMAC with a server-side key, or a fixed salt that is kept secret. The JUnit below demonstrates the creation of the digest (hash) and the assertion that the clear text and digest still match:

import org.jasypt.digest.StandardStringDigester;
import org.junit.Assert;
import org.junit.Test;

@Test
public void testJasyptsHashAlgorithm() {
    /*
     * By default the standard digester uses the RandomSaltGenerator and runs the hash
     * algorithm (MD5 unless setAlgorithm() is called) 1000 times. Both are configurable.
     */
    StandardStringDigester digester = new StandardStringDigester();

    final String clearText = "123456";
    final String digest = digester.digest(clearText);
    // matches() recovers the random salt from the digest and recomputes the hash
    Assert.assertTrue("Integrity has been violated!", digester.matches(clearText, digest));
}

Encryption

Encryption is the solution when the ID must be hidden as well (confidentiality). An encryption-based RESTful link carries the ciphertext in place of the ID and may look like:

The JUnit below creates the encrypted text and asserts that it decrypts back to the original. Two caveats: first, StandardPBEStringEncryptor needs a password (the key is derived from it), which the test sets inline and real code would load from secure configuration; second, encryption by itself does not guarantee integrity. With a non-authenticated cipher (Jasypt's default PBEWithMD5AndDES is one), a ciphertext altered by the consumer usually fails with EncryptionOperationNotPossibleException but can also decrypt without error to a garbage value, so pair the ciphertext with a MAC (or use an authenticated mode) and always authorize the decrypted ID against the caller before acting on it.

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.junit.Assert;
import org.junit.Test;

@Test
public void testJasyptsEncryptionAlgorithm() {
    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
    // Without a password encrypt() throws EncryptionInitializationException.
    // Load the password from secure configuration in real code; never hard-code it.
    encryptor.setPassword("change-me-in-config");

    final String clearText = "123456";
    String encryptedText = encryptor.encrypt(clearText);

    String decryptedText = null;
    try {
        decryptedText = encryptor.decrypt(encryptedText);
    } catch (EncryptionOperationNotPossibleException e) {
        Assert.fail("Integrity has been violated!");
    }
    Assert.assertEquals(clearText, decryptedText);
}
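The two Jasypt tests above show the mechanics but not the two caveats raised with them: an unkeyed digest is trivially forged, and unauthenticated ciphertext is malleable. The following is an added example, written for this page and not taken from the original post or from the Jasypt project, that covers both the hashing and the encryption approach using only the JDK's javax.crypto: an HMAC-SHA256 signature for links that keep the account ID in clear text, and AES-GCM (an authenticated mode) for links that hide it. The URI shape /accounts/..., the parameter names sig and token, and the randomly generated keys in main() are assumptions for the example; real keys come from configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the original post or from Jasypt). Two ways to put an
 * account id into a RESTful link so that a consumer cannot alter it:
 *  - signedLink():    id in clear text plus an HMAC made with a server-side key
 *                     (integrity only).
 *  - encryptedLink(): id encrypted with AES-GCM, whose tag rejects tampering
 *                     (confidentiality and integrity).
 * URI shape and parameter names are assumptions for the example.
 */
public class SecureRestLinks {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    private final SecretKeySpec macKey;   // HMAC-SHA256 key, never leaves the server
    private final SecretKeySpec encKey;   // AES key, never leaves the server

    public SecureRestLinks(byte[] macKeyBytes, byte[] encKeyBytes) {
        this.macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
        this.encKey = new SecretKeySpec(encKeyBytes, "AES");
    }

    /** Keyed digest of the id. An unkeyed hash would not do: anyone could recompute it for another id. */
    public String sign(String accountId) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        byte[] tag = mac.doFinal(accountId.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Server-side check for the signed form: recompute and compare in constant time. */
    public boolean verify(String accountId, String sig) throws GeneralSecurityException {
        byte[] expected = sign(accountId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = sig.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public String signedLink(String accountId) throws GeneralSecurityException {
        return "/accounts/" + accountId + "?sig=" + sign(accountId);   // assumed URI shape
    }

    /** Token layout: random 12-byte IV || ciphertext || 16-byte GCM tag, URL-safe Base64. */
    public String encryptId(String accountId) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RANDOM.nextBytes(iv);                        // fresh IV per token; never reuse with one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(accountId.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns null when the token was altered (GCM tag check fails) or is malformed. */
    public String decryptId(String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) return null;
            GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, in, 0, GCM_IV_BYTES);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, encKey, spec);
            byte[] pt = cipher.doFinal(in, GCM_IV_BYTES, in.length - GCM_IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;   // AEADBadTagException on tampering, IllegalArgumentException on bad Base64
        }
    }

    public String encryptedLink(String accountId) throws GeneralSecurityException {
        return "/accounts/" + encryptId(accountId);   // assumed URI shape
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] macKey = new byte[32];
        byte[] encKey = new byte[16];
        RANDOM.nextBytes(macKey);
        RANDOM.nextBytes(encKey);                    // demo keys only; real keys live in configuration
        SecureRestLinks links = new SecureRestLinks(macKey, encKey);

        String sig = links.sign("123456");
        System.out.println(links.signedLink("123456"));
        System.out.println("signed, unchanged id: " + links.verify("123456", sig));   // true
        System.out.println("signed, altered id:   " + links.verify("123457", sig));   // false

        String token = links.encryptId("123456");
        System.out.println(links.encryptedLink("123456"));
        System.out.println("encrypted, intact:    " + links.decryptId(token));        // 123456
        byte[] raw = Base64.getUrlDecoder().decode(token);
        raw[GCM_IV_BYTES] ^= 0x01;                   // flip one ciphertext bit
        String bad = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("encrypted, tampered:  " + links.decryptId(bad));          // null
    }
}
```

Even with a valid signature or tag, the server must still check that the caller is authorized for the recovered account ID: these mechanisms prove the link was minted by the server, not that it was minted for this user. Signed links can also be copied and replayed by whoever sees them, so include an expiry or user binding in the signed data when that matters.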

Do not expose sensitive data

The ideal solution is not to expose sensitive information at all. Instead of exposing a sensitive primary key, expose an indirect reference: an index into a server-side list that has no identifying relationship to the entity. A common scenario is a consumer that searches for records and then maintains them. Consider the following use case:
  1. The user performs a search.
  2. The server executes the search and stores the list of results the user is authorized to maintain in the session.
  3. The server exposes only the index of each entity the consumer is allowed to maintain:{index_id}
This preserves integrity because the user can only reach records in their own authorized list, and it preserves confidentiality because the primary key never leaves the server. Two details matter in the implementation: resolve the index against the session's stored list on every request (never trust an index for a result set the session does not hold), and reject any index outside that list with an error rather than falling back to a guess.

Wednesday, June 16, 2010


What is the one language that has not changed since you learned it in college? SQL is definitely one of them. In fact, SQL has only received minor updates over the past decade. For DBAs this has been a luxury. Is NoSQL positioned to change this stability? NoSQL does not change SQL or relational databases; it simply provides a non-relational alternative for storing data. The last Twin Cities Java User Group presentation, given by Perry Hoekstra, provided a very good summary of NoSQL's advantages and disadvantages. Here is a recap:


  • Performance metrics have shown significant improvements vs relational access. For example, one published benchmark compares MySQL vs Cassandra. [Chart: NoSQL performance metric, MySQL vs Cassandra]

  • Inexpensive. All NoSQL implementations except for Amazon's Dynamo are open source.
  • Data types are dynamic (typically strings). However, each implementation defines their own data types.
  • Scales very well.


  • Bleeding Edge (right now).
  • Replication across a cluster is not guaranteed in real time (eventual consistency). Synchronization will happen; however, the "when" is currently documented as unknown.
  • Third-party report tool (Business Objects, Cognos, etc.) integration is currently not available.
  • Data redundancy is likely to occur without relational tables.
  • The application code performs the SQL-like operations.
  • ORM capabilities do not exist yet.
  • Transaction capabilities do not exist yet. However, Cassandra will have this feature soon.
  • No GUI editor tool support.

Early Adopters of NoSQL

Social media corporations are the primary trailblazers of NoSQL implementations. The list includes:


Sunday, May 23, 2010

MinneBar 2010 Recap

Minnebar is an (un)conference aimed at getting those in Minnesota's tech and design communities together to discuss topics that interest them. This (un)conference is unique for several reasons. 1) It's free, although donations are welcome; at $10 this was the cheapest tech conference I have ever attended. 2) Admission included breakfast, lunch, snacks, an open bar, and of course 8 concurrent sessions to choose from!


Google Page Speed

Key points:
  • Google Page Speed is similar to YSlow. It evaluates the performance of your website, displays the metrics, and lists optimization strategies to improve your score. It can be downloaded as a Firefox plug-in.

Room and Bored

Key points:
  • Is college broken when it comes to Information Technology? This was the topic that was discussed. Personally, I do not see anything broken with college. However, it is very important to supplement real world experience with an IT degree. For example, if you are in High School and want to pursue a career in IT then join your local IT community. It's never too soon. In addition, try finding part-time IT jobs or work for free. There is no substitute for real world experience in addition to an awesome college degree.

"I'm a guru not a God!" A Tao of System Architecture

Key points:
  • Characteristics of successful software systems were discussed. Many common themes were discussed: KISS, don't reinvent the wheel, open/closed principle, etc. In addition to those common traits the one characteristic that topped the list pertained to bureaucracy. Mark Beckman noted that "bureaucracy is evil and should be severely limited".
  • "Bureaucracy frustrates people, distorts their priorities, limits their dreams and turns the face of the entire enterprise inward." -- Jack Welch, GE Annual Report, 2000
  • Lean processes are preferred. We must eliminate the overhead of simple tasks. How quickly can you deploy to production or setup a new development environment? Is the process simple or not? Cloud computing has few hurdles and provides an alternative for departments seeking simpler process.

Mapping Your World with OpenStreetMap

Key points:
  • OpenStreetMap is a Wikipedia of maps allowing anyone to edit the map. Now we can map our favorite tennis courts, hiking trails, or archery range!
  • Topo maps are currently in development.
  • Cloudmade can be used for driving directions

Why Drupal? An expert panel

Key points:

Getting started with CSS3

Key points:

Overall, Minnebar was a hit! The attendance was extremely high with roughly 800-900 attendees. The venue at Best Buy was fantastic. However, next time they should increase the number of available WIFI hotspots. The network was overloaded. I can't wait for the fall show!

Tuesday, April 13, 2010

Mobile Security Hacks to Avoid

The average cost of a data breach is $6.75 million. While some argue that data breaches cannot be prevented, training and education can prove to be a very effective remedy.

Hacking: The Next Generation is an extremely good book filled with detailed examples on how hackers maliciously attack unsuspecting users. While this book primarily discusses the offensive strategies hackers employ, I am going to discuss several countermeasures to help secure mobile users. Mobile vulnerabilities typically fall under one or more of the following categories:

WIFI Hacks

TJ Maxx suffered a $4.5 billion data breach because of a Wi-Fi security vulnerability in one of their stores. Wi-Fi networks can be extremely insecure, and they give an attacker two options.
Passive Attacks
Passive attacks are when an attacker uses a sniffer to capture personal data from the wireless traffic. The attacker is hoping an unaware user enters personal information on a non-secured web site. For example, MySpace still allows users to log in over plain HTTP, so your credentials cross the air in clear text! The attacker can then retry those same credentials against your email, corporate, and personal banking sites, and social networking profiles often supply the usernames to try. One defense is to never re-use your credentials across multiple sites. Better yet, never enter personal information over an insecure network!
Active Attacks
Active attacks are when an attacker sets up a rogue access point. The attacker is hoping an unsuspecting user connects through it, which puts the attacker in the middle of every connection the user makes. HTTPS still protects the session as long as the browser's certificate check passes; the rogue access point cannot present a valid certificate for the real site. If the user clicks through the certificate warning, the attacker can read everything, even on a secured (https) site.

Defending Wi-Fi attacks
  • Never enter personal information on insecure (non-https) sites. Look for "https" in the browser's address bar or for the padlock icon in the browser to determine whether the site is secure. Browsers can also be configured to warn you when you submit data to a site that is not secured.

  • Heed certificate warnings. A rogue access point that intercepts an HTTPS session cannot present a valid certificate for the site, so the browser warns you; most browsers protect users this way. For example, IE shows the warning in Figure 1 below. However, most users may not completely understand the warning and may ignore it. If you need to board a plane in 15 minutes and must send an urgent email, what do you do? In IE, the security setting that enables this check is shown in Figure 2 and is enabled by default.

    Figure 1. Internet Explorer certificate warning.

    Figure 2. IE certificate security setting.

  • Validate that strong encryption is used on your wireless network. WPA2 is preferred (WPA at a minimum). If you are still using WEP for your home wireless network you should upgrade; freely available tools recover a WEP key in minutes.

  • Encrypt sensitive documents. Encryption adds an additional layer of security. If you have personal documents saved locally they should be encrypted. Also, when sending sensitive documents those should be encrypted too.

Stolen Phone

The most common type of data breach is from physically stolen devices. Forty percent of data breaches fall under this category. Additionally, hackers may use CSI sticks to extract all data and leave your phone behind. So do not assume that your data has not been tampered with if you still have your phone in hand.

Defending Stolen Phone
  • Encrypt sensitive documents!

  • Remotely erase your phone if it is lost or stolen. For example, Mobile Defense is an Android app that can remotely find, lock, backup, and erase your phone.

Voice Mail Hacking

Can you access your mobile voicemail from your cellphone without entering a PIN? If you can, you may be susceptible to caller ID spoofing. Make sure a PIN is required for all voicemail access. Nitesh Dhanjani has a detailed blog posting about this attack.

Saturday, March 27, 2010

Top 5 Home Screen Features For Android Developers

Android has several very intriguing components that add many dynamic capabilities to your home screen. The trend is slowly migrating towards dynamic home screens. The static screens you have been accustomed to are over. Users want access to information faster and with fewer clicks. Patent filings are a very good barometer for the future direction of mobile operating systems and home screen patents are one of them. Dynamic home screens are definitely a trend. In fact, Android provides many intriguing home screen components that you can leverage right now to create a more efficient and dramatic user experience:

App Widgets

App Widgets are small application components that you can embed on your home screen. If you need instant access to important data, these compact portlet-like components are an ideal choice.
  • Compact design
  • Provides portlet-like capabilities for your home screen
  • Quick and simple to access
  • Refresh frequency is configurable

Quick Search Box

The Quick Search Box is an extremely powerful feature. It is the ubiquitous Google search function available directly on your Android device. In addition to its Google Web search capabilities, users can also search their local device and applications. The only caveat is that users must opt in to have their applications searched.
  • The only search function your device will ever need
  • Leverages the power of Google Search
  • Displays results in a consistent framework
  • Available directly from your home screen

Live Wallpapers

Live Wallpapers are interactive backgrounds that are available on your home screen. Most of the current Live Wallpaper apps in this space are of the fun and whimsical type. However, if you wanted your calendar, appointments, or stock streamer available here it can be accomplished.
  • Quick and simple to access
  • Refresh frequency can be customized
  • These are simply apps exposed to the background

Live Folders

A Live Folder is a real-time view of data. Live Folders can be launched from your home screen via a shortcut.
  • Quick and simple to access
  • Data is refreshed in real-time

Status Bar Notifications

Status Bar Notifications conveniently alert the user from the home screen. In addition to an icon or text notification you can also be notified via sound, vibration, or flashing lights.
  • Quick and simple to access
  • Alerts can notify users in real-time

Sunday, March 14, 2010

No Fluff Just Stuff: Minneapolis Summary (Spring)

The No Fluff Just Stuff conference was back in Minneapolis. Here is a brief recap of the sessions I attended:

Friday Sessions

Encryption on the JVM: Boot Camp

Key points:
  • Anything can be cracked with time, money, and hardware. The goal is to make it an infeasible task.
  • The Java Cryptography Extension (JCE) within the JDK is a good library. However, Jasypt was the speaker's preferred encryption library.
  • Is all of your sensitive information encrypted?

Encryption on the JVM: Advanced Techniques

Key points:

Hadoop: Divide and Conquer Gigantic Datasets (Intro)

Key points:
  • Hadoop is an extremely performant solution for searching enormous amounts (terabytes) of unstructured data (HTML, XML, images). The performance advantage is achieved from partitioning the search across a cluster of worker nodes.

Keynote: How (not why) Agile Works!

Key points:
  • Agile works for the following three reasons:
    1. It provides continuous feedback loops
    2. Improves communication
    3. It is fun!

Saturday Sessions

Grails - How to Build Enterprise Apps

Key points:
  • The GORM capabilities are nice. It is not necessary to code trivial finder methods. For example, Person.findAllByAgeLessThan(16) is implicitly available. The convention is DomainClass.findAllBy<Property><Comparator>(value). Very convenient.

Implementing Evolutionary Architecture

Key points:
  • RESTful Web Services are appealing because they are scalable and free.
  • What is the value of leveraging Hypermedia as the Engine of Application State (HATEOAS)? This strategy completely decouples the server-side workflow from the client. For example, imagine a wizard-style workflow where the user makes decisions and clicks the "next" button as they continue through each step. As the server processes each request, it updates the state of the workflow and responds with a list of allowable transitions (URI links) that the user may perform next. What is the advantage? If the workflow changes in the future we only have to update it on the server side. No client-side changes are necessary because the server dynamically drives the UI's navigation by returning the allowable URI links after each request.

Implementing Emergent Design

Key points:
  • Code == Design
  • Delay design decisions until the last responsible moment.
  • Eliminating technical debt must be a continuous process. You may evaluate your technical debt with Sonar.
  • Code analysis tools:
    • ckjm (analyze coupling)
    • x-ray (Eclipse plug-in to analyze system complexity)
    • Structure101 (Currently used on the Spring framework)

HTML 5 ... and the Kitchen Sink

Key points:

Sunday Sessions

Architecting Code for Concurrent Execution

Key points:
  • The preferred design strategy is to manage concurrency concerns at an architectural level. Traditionally, we have leveraged concurrency via Java's synchronized keyword at the method level. Successfully managing concurrency at a low level can become challenging. Instead, prefer to leverage architectural design patterns to simplify concurrency management. Several design patterns for consideration include:
  • Functional languages are inherently thread-safe because all their objects are immutable.

Introducing Spring Roo

Key points:
  • Spring Roo can help provide Grails-like scaffolding. A valuable tool for rapid prototyping.

Sunday, February 7, 2010

Android: Ideal Platform for Busy Java Developers

Android is an appealing technology for Java developers. The platform provides many new capabilities and possibilities. In addition, the learning curve is relatively small.

Learning Curve Matrix

Java: Android applications are written in the Java programming language. This should be a major advantage for Android because the Java community is extremely strong.

A skill that deserves more attention when developing mobile applications is performance. Java developers must adhere to coding practices that optimize performance. Mobile is one of the few platforms where production devices run much slower than your local development environment: the emulator on your PC has far more network bandwidth, RAM, and processing power than the handsets in production. Within Eclipse you can configure the network speed the emulator simulates, which is a valuable feature for testing your application against the different speeds of real mobile networks.

Android SDK: The Android SDK is the only new skill that existing Java developers must acquire. The Android developer documentation is very informative and the SDK install includes sample applications for nearly every SDK feature. In addition to learning the SDK, developers will also need to become familiar with the Android architecture, the activity lifecycle, and the mobile design guidelines. Android's developer documentation covers each of these areas in depth.

IDE: The preferred IDE for developing Android applications is Eclipse with the Android Development Tools (ADT) plugin. Experienced Eclipse developers should have a complete development environment set up in about ten minutes by following the quick start guide. Other IDEs are supported for Android development too.

Debugger: Debugging Android applications is simple. It is identical to what you are accustomed to within Eclipse: set your breakpoints and run your application in Debug mode.

The Dalvik Debug Monitor Server (DDMS) is an extremely helpful debug tool included with the ADT plugin. It has features for monitoring threads, CPU usage, memory consumption, and garbage collection. In addition, it lets the developer simulate incoming calls, SMS messages, location (GPS positioning), and network speed and latency.

Deploy: Running your Android application is identical to running a Java application. Within Eclipse, you simply right-click on your project and select Run As -> Android Application.

Again, the ideal advantage Android has for Java developers is the rapid setup and the productivity of leveraging many existing skills. Mobile development requires application developers to think in a slightly new paradigm. Android allows Java developers to focus on this new paradigm exclusively.

Favorite Android Links

Saturday, January 16, 2010

Bulletproof SSO with SAML 2.0

Bulletproof status is difficult to achieve. Even bulletproof glass is a myth. Is it possible to achieve bulletproof status with an SSO implementation? First, lets start with a code review checklist of assertions that must all pass in order to achieve bulletproof status.

Code Review Checklist for a Web Browser SSO Profile

The Web Browser SSO Profile with Redirect/POST bindings is the most common SSO implementation. The checklist will focus primarily on this profile. If interested, Google has an extremely helpful static demo and reference implementation of this SSO profile online.

Validate Message Confidentiality and Integrity

  • TLS is the standard solution for guaranteeing message confidentiality and integrity on the wire. Refer to SAML Security (section 4) for additional information; note that the document dates from the SSL 3.0/TLS 1.0 era, and SSL 3.0 should no longer be enabled. Transport security protects each hop only, so it does nothing once a message has been handed to a dishonest partner; the signature requirement below still applies. This step will help counter the following attacks:
    • Eavesdropping
    • Theft of User Authentication Information
    • Theft of the Bearer Token
    • Message Deletion
    • Message Modification
    • Man-in-the-middle

  • A digitally signed message, using a key bound to the issuer by a certificate (normally the one published in the partner's SAML metadata), is the most common solution to guarantee message integrity and origin authentication. Refer to SAML Security (section 4) for additional information. This step will help counter the following attacks:
    • Man-in-the-middle (6.4.2)
    • Forged Assertion (6.4.3)

Validate Protocol Usage

This is a common area for security gaps. In fact, Google's original SSO implementation suffered from a severe security flaw in this area. The flaw was identified with SATMC, a state-of-the-art model checker for security protocols. Their SSO profile was vulnerable to a man-in-the-middle attack from a malicious SP (Service Provider): an SP that legitimately received a user's assertion could reuse it to impersonate that user at another SP. As ironic as it seems, the Web Browser SSO Profile is most susceptible to attacks from trusted partners. This particular flaw existed because the SAML Response did not contain all of the data elements required for a secure message exchange. Following the SAML Profiles usage requirements for AuthnRequest and Response will help counter this attack. The authors of the formal analysis documented these requirements in much simpler notation. Their required data elements were as follows:
  • AuthnRequest(ID, SP): an AuthnRequest must contain an ID and an SP, where ID is a string uniquely identifying the request and SP identifies the Service Provider that initiated it. Furthermore, the request ID must be echoed in the response (InResponseTo="<requestId>") so the SP can check that the response answers a request it actually issued and is still waiting for, which means the SP has to keep a record of its outstanding request IDs. InResponseTo was one of the missing attributes that left Google's SSO vulnerable.

  • Response(ID, SP, IdP, {AA}K^-1_IdP): a Response must contain all of these elements, where ID is a string uniquely identifying the response, SP identifies the recipient of the response, IdP identifies the identity provider issuing the response, and {AA}K^-1_IdP is the authentication assertion digitally signed with the private key of the IdP.

  • AuthAssert(ID, C, IdP, SP): an authentication assertion must exist within the Response. It must contain an ID, the client (C) being authenticated, the identity provider (IdP), and the service provider (SP) identifier, so that an assertion issued for one SP cannot be presented to another.

Validate Protocol Processing Rules

This is another common area for security gaps, simply because of the large number of rules that must be checked. Processing a SAML Response is an expensive operation, but every step must be validated, and the Response must be rejected at the first failing check.
  • Validate AuthnRequest processing rules. Refer to SAML Core for all AuthnRequest processing rules. This step will help counter the following attacks:
    • Man-in-the-middle (6.4.2)

  • Validate Response processing rules. Refer to SAML Profiles for all Response processing rules. This step will help counter the following attacks:
    • Stolen Assertion (6.4.1)
    • Man-in-the-middle (6.4.2)
    • Forged Assertion (6.4.3)
    • Browser State Exposure (6.4.4)

Validate Binding Implementation

  • For an HTTP Redirect Binding refer to SAML Binding (3.4). The SAMLRequest parameter is DEFLATE-compressed, then base64-encoded, then URL-encoded; to view an encoding example, you may want to reference the one found within Google's reference implementation.

  • For an HTTP POST Binding refer to SAML Binding (3.5). The caching considerations are also very important: the page carrying the auto-submitting form must be served with headers that forbid caching (Cache-Control: no-cache, no-store and Pragma: no-cache). If a SAML protocol message gets cached, it can subsequently be used in a Stolen Assertion (6.4.1) or Replay (6.4.5) attack.
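As an added example (not code from the original post or from Google's reference implementation), the following Python shows the two bindings side by side: the SP mints an AuthnRequest with a random ID, records that ID so the later Response can be matched by InResponseTo, and encodes the request for the HTTP Redirect binding (DEFLATE, base64, URL-encoding) or the HTTP POST binding (base64 only). The entity IDs, URLs and demo timestamp are assumed values; signing of the redirect URL (the SigAlg and Signature query parameters) is not shown.

```python
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone

# Assumed deployment values (not from the original post)
SP_ENTITY_ID = "https://sp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
ACS_URL = "https://sp.example.com/saml/acs"
DEMO_TIME = datetime(2010, 1, 16, 12, 0, 0, tzinfo=timezone.utc)  # constructed, for the demo

# AuthnRequest IDs this SP has issued and not yet seen answered.
# The Response validator checks InResponseTo against this store.
OUTSTANDING = {}


def new_request_id():
    # xs:ID must not start with a digit; 160 bits of randomness make it unguessable
    return "_" + secrets.token_hex(20)


def build_authn_request(request_id, issue_instant):
    # AuthnRequest(ID, SP): the request ID and the SP as Issuer, addressed to the IdP
    ts = issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{ts}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_encode(xml):
    # HTTP Redirect binding: raw DEFLATE (no zlib header/trailer), then base64.
    # URL-encoding is applied exactly once, by urlencode(), when the query string is built.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(saml_param):
    # Inverse, run by the receiver after its web framework has URL-decoded the parameter
    return zlib.decompress(base64.b64decode(saml_param), -15).decode("utf-8")


def redirect_url(xml, relay_state=""):
    params = {"SAMLRequest": redirect_encode(xml)}
    if relay_state:
        if len(relay_state.encode("utf-8")) > 80:
            raise ValueError("RelayState is limited to 80 bytes")
        params["RelayState"] = relay_state
    # A signed redirect would append SigAlg and Signature parameters here (not shown)
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def parse_redirect_url(url):
    # What the IdP sees: split the query string and recover the AuthnRequest XML
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {
        "xml": redirect_decode(query["SAMLRequest"][0]),
        "relay_state": query.get("RelayState", [""])[0],
    }


def post_encode(xml):
    # HTTP POST binding: base64 only (no DEFLATE), carried in a hidden form field
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def post_decode(field):
    return base64.b64decode(field).decode("utf-8")


def start_sso(now, relay_state=""):
    # SP side: mint an ID, remember it for InResponseTo correlation, build the redirect
    request_id = new_request_id()
    OUTSTANDING[request_id] = now.timestamp()
    return request_id, redirect_url(build_authn_request(request_id, now), relay_state)


if __name__ == "__main__":
    rid, url = start_sso(DEMO_TIME, relay_state="/inbox")
    print(url)
    print(parse_redirect_url(url)["xml"])
```

The OUTSTANDING store is the piece most implementations forget: without it there is nothing to compare InResponseTo against, and the check degrades to "the attribute is present". Entries should be expired after a few minutes so the store cannot grow without bound.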

Validate Security Countermeasures

Revisit each security threat in the SAML Security document and confirm you have applied the appropriate countermeasures for the threats that apply to your particular implementation. Additional countermeasures to consider include:
  • Prefer IP filtering when appropriate. For example, this countermeasure could have mitigated Google's initial security flaw if Google had provided each trusted partner with a separate endpoint and set up an IP filter for each endpoint. Bear in mind that with the Redirect/POST bindings the Response arrives from the user's browser rather than from the partner's servers, so IP filtering is only practical for back-channel endpoints (for example, artifact resolution) or for partners whose users sit behind known address ranges. This step will help counter the following attacks:
    • Stolen Assertion (6.4.1)
    • Man-in-the-middle (6.4.2)

  • Prefer short lifetimes on the SAML Response and its assertion (the NotOnOrAfter attributes in Conditions and in the bearer SubjectConfirmationData), allowing only a small clock-skew tolerance. This step will help counter the following attacks:
    • Stolen Assertion (6.4.1)
    • Browser State Exposure (6.4.4)

  • Prefer the OneTimeUse condition in the assertion, which obliges the SP to keep a cache of accepted assertion IDs until they expire and to refuse any it has seen before. This step will help counter the following attacks:
    • Browser State Exposure (6.4.4)
    • Replay (6.4.5)
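The checks from the protocol usage, processing rules and countermeasures sections above, as an added example that is not part of the original post: a validator for a Response received on the HTTP POST binding. Entity IDs, URLs, the sample Response and the "current time" are constructed for illustration. The XML-DSig verification itself is delegated to a caller-supplied function, because it needs an XML Signature library (for example xmlsec or signxml) and the IdP's metadata certificate; everything else on the checklist, namely InResponseTo correlation, Destination and Recipient, Issuer, AudienceRestriction, the validity window and a replay cache for OneTimeUse, is enforced here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Assumed deployment values (not from the original post)
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
CLOCK_SKEW = timedelta(minutes=1)  # tolerated IdP/SP clock drift

class SAMLValidationError(Exception):
    pass

def _ts(value):
    # xs:dateTime in UTC; fractional seconds are ignored
    if not value or not value.endswith("Z"):
        raise SAMLValidationError("timestamp missing or not UTC")
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml, outstanding, used_assertions, now, verify_signature):
    """outstanding: AuthnRequest IDs this SP issued and has not yet consumed.
    used_assertions: replay cache of accepted assertion IDs (honours OneTimeUse).
    verify_signature(assertion_element) -> bool: caller-supplied XML-DSig check against the
    IdP's metadata certificate; it must verify exactly the element it is given."""
    resp = ET.fromstring(xml)
    # Response(ID, SP, IdP): answers our request, at our endpoint, from our IdP, with Success
    in_response_to = resp.get("InResponseTo")
    if resp.tag != "{%s}Response" % NS["samlp"] or in_response_to not in outstanding:
        raise SAMLValidationError("not a Response to an outstanding AuthnRequest (InResponseTo)")
    if resp.get("Destination") != ACS_URL:
        raise SAMLValidationError("Destination is not this SP's ACS")
    if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SAMLValidationError("Response Issuer is not the trusted IdP")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SAMLValidationError("status is not Success")
    # AuthAssert(ID, C, IdP, SP): exactly one assertion, issued and signed by the IdP
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SAMLValidationError("expected exactly one Assertion (EncryptedAssertion not handled here)")
    a = assertions[0]; a_id = a.get("ID")
    if not a_id or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SAMLValidationError("Assertion lacks an ID or was not issued by the trusted IdP")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a_id:
        raise SAMLValidationError("Assertion is unsigned or the signature references another element")
    if not verify_signature(a):
        raise SAMLValidationError("Assertion signature did not verify")
    # Bearer confirmation bound to this request and endpoint, with a short expiry
    scd = a.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None or scd.get("InResponseTo") != in_response_to or scd.get("Recipient") != ACS_URL:
        raise SAMLValidationError("bearer SubjectConfirmationData missing or not bound to our request/endpoint")
    if now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise SAMLValidationError("bearer confirmation expired")
    # Conditions: audience is this SP, validity window, OneTimeUse enforced via the replay cache
    cond = a.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SAMLValidationError("assertion not addressed to this SP (AudienceRestriction)")
    if (cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore"))) or \
       (cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter"))):
        raise SAMLValidationError("assertion outside its validity window")
    if a_id in used_assertions:
        raise SAMLValidationError("assertion replayed")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or a.find("saml:AuthnStatement", NS) is None:
        raise SAMLValidationError("no NameID or AuthnStatement")
    # Commit only after every check passed: consume the request ID, remember the assertion ID
    del outstanding[in_response_to]
    used_assertions.add(a_id)
    return {"name_id": name_id, "assertion_id": a_id}

def validation_error(*args):
    # The failure reason as a string, or None when the Response is accepted
    try:
        validate_response(*args)
    except SAMLValidationError as e:
        return str(e)
    return None

# Constructed sample Response; the ds:Signature is a structural placeholder only
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" InResponseTo="_req1" Version="2.0" IssueInstant="2010-01-16T12:00:05Z" Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-01-16T12:00:05Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2010-01-16T12:05:05Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2010-01-16T12:00:00Z" NotOnOrAfter="2010-01-16T12:05:05Z"><saml:OneTimeUse/>
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-01-16T12:00:05Z"/></saml:Assertion></samlp:Response>"""
DEMO_NOW = datetime(2010, 1, 16, 12, 0, 30, tzinfo=timezone.utc)  # constructed "current time"
```

Order matters: the request ID is consumed and the replay cache updated only after every check has passed, so a Response that fails late cannot poison either store. The cache of used assertion IDs only has to be kept until the assertion's NotOnOrAfter, which is why short lifetimes and OneTimeUse work together. The Reference URI check alone does not defeat XML signature wrapping; the library behind verify_signature must verify the element it is handed rather than locating "the" signed element on its own.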

Need an architectural diagram? The SAML technical overview contains the most complete diagrams; for the Web Browser SSO Profile with Redirect/POST bindings refer to section 4.1.3. In fact, of all the SAML documentation, the technical overview is the most valuable from a high-level perspective.