Sunday, February 7, 2010

A loophole in social networking sites' security

Hey readers, I wanted to share with you a loophole that I've found in social networking sites and their security. Please note, I'm not a hacker and I found this using my own account. Last night I was trying to access my MySpace account and I forgot my password. I requested to retrieve my password by clicking on the 'Forgot your password' link, a link that all social networking sites provide in case you forget your password, see Figure 1. Next I was taken to another page that asked me to provide the email address I used when creating my MySpace account, see Figure 2. Remember when signing up for MySpace, they required you to put in a contact email address? Well, this is the reason why: so they can send you information on how to change your password, instead of posting your password on a separate page. If MySpace simply posted your password on a separate page, anyone who knew your email address could retrieve it just by supplying that address and clicking the submit button.

Next, I provided my email address and clicked submit, and I got a message back stating that my password information had been sent to my email address. Then the light came on: I had deleted this email account months ago, so MySpace had sent an email message to an email account that no longer existed. I went back to the provider where I had created that email account and checked to see if the address was still available, and it was. I re-created the account and went back to MySpace, clicked on the 'Forgot your password' link, supplied my old email address, which was now re-created and active to accept email messages, and clicked the submit button. Then I went back to the inbox of my re-created email account, and the email message to change my MySpace password was there.

Figure 1

Figure 2

The moral of this story: if you have email accounts tied to social networking sites or any other online account, I suggest replacing any deleted email address tied to your social networking accounts, as well as to any other online accounts you may have. If you have any questions or comments regarding this post, please provide them in the 'Comments' section for this post.
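
The service side of the same problem, as an added example in plain JavaScript that is not part of the original post: a 'Forgot your password' handler that will not mail a reset link to a recovery address the site has reason to distrust (one that hard-bounced since it was last confirmed, as a deleted mailbox would, or one that has not been re-confirmed within a policy window). The accounts, the 180-day window and the field names are all constructed for the example.

```javascript
// Added example, not code from the original post: decide whether a reset link may be
// mailed to the recovery address a visitor typed into the 'Forgot your password' form.
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_VERIFICATION_AGE_DAYS = 180; // assumed policy value, not from the post

// Constructed account records keyed by recovery address. emailVerifiedAt is when the
// owner last clicked a confirmation link for the address; lastHardBounceAt is when the
// mail provider last reported the mailbox as nonexistent (null if never).
const ACCOUNTS = new Map([
  ["fresh@example.com",   { user: "alice", emailVerifiedAt: Date.parse("2010-01-15T00:00:00Z"), lastHardBounceAt: null }],
  ["stale@example.com",   { user: "bob",   emailVerifiedAt: Date.parse("2008-06-01T00:00:00Z"), lastHardBounceAt: null }],
  ["bounced@example.com", { user: "carol", emailVerifiedAt: Date.parse("2010-01-15T00:00:00Z"),
                            lastHardBounceAt: Date.parse("2010-02-01T00:00:00Z") }],
]);

// The reply is identical in every branch so the form cannot be used to learn which
// addresses are registered; only the internal action differs.
const GENERIC_REPLY = "If that address is on file, instructions are on their way.";

// `now` is injectable so the decision can be tested against a fixed date.
function decideResetDelivery(submittedEmail, now = Date.now()) {
  const acct = ACCOUNTS.get(submittedEmail.trim().toLowerCase());
  if (!acct) {
    return { action: "ignore", reply: GENERIC_REPLY };
  }
  const verificationAgeDays = (now - acct.emailVerifiedAt) / DAY_MS;
  const bouncedSinceVerified =
    acct.lastHardBounceAt !== null && acct.lastHardBounceAt > acct.emailVerifiedAt;
  if (bouncedSinceVerified || verificationAgeDays > MAX_VERIFICATION_AGE_DAYS) {
    // The mailbox may have been deleted and re-registered by someone else since the
    // owner last confirmed it: hold the reset and require the owner to re-confirm the
    // address through the logged-in account or another factor the site already holds.
    return { action: "hold-for-reverification", reply: GENERIC_REPLY };
  }
  return { action: "send-reset-link", reply: GENERIC_REPLY };
}
```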

Thank You,

Saturday, February 6, 2010

Two ways to access a WCF RESTful service from a client

Hey readers, I want to show you two ways to access a WCF RESTful service from the client. Let's dive in!

First let's take a look at the service implementation. This service is a RESTful service that provides product information and returns the data in JSON format. In this service I have an interface named IProduct which defines my service contract and two operation contracts. GetAllProducts returns a generic list of product objects, and GetProductByID returns a single product object based on a product id. The attributes that appear on top of each method define the details of how the service will accept and respond to service calls. For more information on this I suggest reading "How to: Create a Basic WCF REST service". Figure 1 shows you the interface definition, Figure 2 shows you the Product data contract definition and Figure 3 shows you the code implementation for each operation method.

Figure 1

Figure 2

Figure 3

There's one thing to note here in Figure 3: at the top of the class I have an attribute called "ServiceBehavior" that sets the InstanceContextMode to PerCall. The InstanceContextMode specifies the number of service instances available for handling calls. By using the PerCall enumeration we're saying that an InstanceContext object is created before and destroyed after each call is made. It's important to set the InstanceContextMode to PerCall to increase performance when accepting incoming requests. The other options are PerSession and Single, which can be used for scenarios where a service that accepts a lot of incoming requests should keep the InstanceContext alive until the session has expired. Be careful, because you can end up with a boat load of sessions existing on the server, which could hurt your server and service performance. Next, let's take a look at how to access this service using jQuery and Sys.Net.WebRequest.

Using jQuery or Sys.Net.WebRequest to access a WCF RESTful service
First, let's take a look at the interface. Just as a note, the interface will be the same for both the jQuery and Sys.Net.WebRequest examples. Figure 4 shows the browser's view; the interface is divided into two sections, the first section shows a listing of all products and the second section shows a single product based on a product id.

Figure 4

jQuery:
Now that we have defined our interface, let's take a look at the code-behind. First we need to add a script reference to the jQuery library so we can invoke our service operation methods, see Figure 5.

Figure 5

Next we need to implement code to retrieve all products by invoking the "GetAllProducts" method, see Figure 6. The "ShowAllProducts()" function uses jQuery's $.ajax method to make an ajax request, passing the service url value (the url to our web service), the request type (GET), the type of data we're expecting back from the server (JSON), and finally the functions to call when the web request has run successfully or unsuccessfully. If no errors have been thrown, "OnSuccessGetAllProducts" is called and receives a 'GetAllProductsResult' array object. 'GetAllProductsResult' is the name of the JSON array object which I use to display all products in the browser.

Figure 6

Take a look at Figure 7; Figures 6 & 7 are almost identical, with the exception that the GetProductByID function requires a product id. We retrieve this product id from a text input filled in by the user. Now that we have the product id, we need to append it to the service url to satisfy the UriTemplate requirement. If you remember, when we created the GetProductByID operation method, the UriTemplate was defined as "/GetProductByID/{ProductID}"; a request to that method formed in any other way will result in an error. Here is the service url value that we will use to retrieve the requested single product: url: "http://localhost:3284/CSWS/Services/ProductServices.svc/GetProductByID/" + productID. All we have to do now is display the product to the user, which is handled by the "OnSuccessGetProductByID" function. The results are still returned as a JSON array with the name GetProductByIDResult, but since the array has only one element we don't need a loop to display its contents.

Figure 7

To get more information about jQuery, please check out the jQuery site.

Sys.Net.WebRequest
Sys.Net.WebRequest provides you the ability to make web requests on the client. For more information, check out the Sys.Net.WebRequest documentation. Before we begin, we must add a ScriptManager control to the page; it's required in order to invoke web requests with the Sys.Net.WebRequest object. Figure 8 shows you the full implementation for retrieving all products.

Figure 8

Take a look at the ShowAllProducts function. As you can see, I have created a Sys.Net.WebRequest object, but before we can make our request we need to provide some information to this object. The first thing we need to provide is the url, by calling set_url. This tells the Sys.Net.WebRequest instance where to send the request, using your service url. The next item we need to provide is the type of request we're making, by calling set_httpVerb, which in my example I set to "GET". Next, I'm going to skip over set_body and .get_headers()["Content-Length"], since they don't have any significant value in my example, but just for your knowledge, set_body allows you to set the body of a request and .get_headers() allows you to set custom headers for a request. The last thing I set is add_completed, which registers a handler for the completed event of the web request object; it's similar to the "success:" element I used in my jQuery example. In this example I set this value to GetAllProductsHandler. Finally, we call the invoke method, which begins the web request. Let's see how I processed the response results using the GetAllProductsHandler function.

The GetAllProductsHandler function is pretty simple. We first check to see if we have a response by checking whether executor.get_responseAvailable() returns true. If so, we use executor.get_responseData() to retrieve the response results and store them in a local variable called serviceResults. Next we need to transform the response results into a format we can process using plain old JavaScript code; in this case I'm using the eval function. Now that we have the results in a usable format, we can work with the data the same way as in the jQuery example. First, we access the GetAllProductsResult JSON array, which contains a list of all products, then we use a for loop to display all products. That's it. Figure 9 shows the implementation for retrieving a single product based on a product id. I'll skip the details on this since the code is almost identical to how we retrieve all products, with one exception: the set_url value appends a product id.

Figure 9

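An added example in plain JavaScript (not code from the original post or its sample download) covering the two client details that apply to both the jQuery and the Sys.Net.WebRequest versions: building the GetProductByID url from the user's text-box value for the "/GetProductByID/{ProductID}" UriTemplate, and unwrapping the GetAllProductsResult / GetProductByIDResult envelope with JSON.parse instead of the eval call used in the GetAllProductsHandler, so the response body is treated as data rather than as script. The sample bodies and the field names ProductID and Name are constructed.

```javascript
// Added example, not code from the original post. The service url is the one quoted
// in the post; the product field names (ProductID, Name) are assumed.
const SERVICE_URL = "http://localhost:3284/CSWS/Services/ProductServices.svc";

// Build the GetProductByID url. The post appends the raw text-box value to the url;
// here the value is checked to be an integer id and percent-encoded, so a stray
// "/" or "?" typed by the user cannot change which resource the request names.
function buildProductByIdUrl(productIdInput) {
  const id = String(productIdInput).trim();
  if (!/^\d{1,9}$/.test(id)) {
    throw new RangeError("product id must be a positive integer");
  }
  return `${SERVICE_URL}/GetProductByID/${encodeURIComponent(id)}`;
}

// Unwrap a WCF wrapped JSON body without eval(). eval(executor.get_responseData())
// would execute anything the body contains; JSON.parse only accepts data and throws
// on everything else. wrapperName is the operation name plus "Result", e.g.
// "GetAllProductsResult" or "GetProductByIDResult".
function unwrapWcfResult(responseBody, wrapperName) {
  let envelope;
  try {
    envelope = JSON.parse(responseBody);
  } catch (e) {
    throw new TypeError(`response is not JSON: ${e.message}`);
  }
  if (envelope === null || typeof envelope !== "object" || !(wrapperName in envelope)) {
    throw new TypeError(`response lacks ${wrapperName}`);
  }
  const result = envelope[wrapperName];
  // The post's GetProductByID result is a one-element array; a bare object is also
  // accepted so callers can always iterate the return value.
  return Array.isArray(result) ? result : [result];
}

// Constructed sample bodies shaped like the post's service output.
const SAMPLE_ALL = '{"GetAllProductsResult":[{"ProductID":1,"Name":"Widget"},{"ProductID":2,"Name":"Gadget"}]}';
const SAMPLE_ONE = '{"GetProductByIDResult":[{"ProductID":2,"Name":"Gadget"}]}';
```

The same two functions serve the jQuery version: pass the built url as `url:` and unwrap `data` in the success callback instead of reading the wrapper property directly.
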
In summary, both jQuery and Sys.Net.WebRequest provide valuable options for accessing web resources. In my opinion, the Sys.Net.WebRequest class is easier to use because the classes and syntax are familiar to me, as if I were writing server side code with C#. It's required to have an instance of the ScriptManager control on the page before you can use the Sys.Net.WebRequest object, but the same is true for jQuery: before you can make any Ajax calls you need to include a script reference to the jQuery library. Maybe in a future article I'll go over the differences between the two and see which is better.

I hope you enjoy this article. Below is a link to download the sample code used in this post. Please post your comments and let me know what you think. Thank you.

Wednesday, February 3, 2010

IP Law and Third Party Software Licensing Usage in IT Organizations

Today, I had an interesting conversation about intellectual property law and third party software licensing usage in IT shops. An IT shop purchases a third party software product with a developer license, which means you can only use this software on a non-production/commercial server. If the IT shop decides to use this software on their production/commercial server without buying a commercial license, then the company can be liable for patent infringement. Has anyone experienced this before? Please share, I'm interested in hearing your comments.

National Society of Black Engineers

Hey readers, is anyone a member of NSBE? If so, can you please provide some insight into this organization? I'm thinking of joining.