Monday, July 18, 2016

HMTL and CSS - Vertical Alignment

Using CSS to vertically align can be tricky. Here are some situations and the solution that allowed for vertical alignment.

Angular ui-grid and vertically aligning an anchor within a cell:



columnDefs: [{ name: ' ', cellTemplate: '<a href=""
  ng-click="grid.appScope.viewBatch(row.entity)">View</a>',
  cellClass: 'grid-align', width: "6%" },

CSS:

.grid-align {
    displayflex;
    flex-directioncolumn;
    justify-contentcenter;
    text-aligncenter/* horizontal part */
}



Align span and input within div:




Sunday, February 14, 2016

Why I like my MacBook Pro - The Little Things

A friend of mine asked me to record some of the reasons I like my new MacBook Pro so much. Here it is.

MacBook Pro - The Little Things

  • Boots in 10 seconds
  • Multiple desktops (spaces)
  • Trackpad so nice that external mouse no longer necessary
  • Safari browser favorites easy to use without having to have a favorites bar showing and taking up space (it pops up when you click in the URL textbox)
  • Text on my Mac with keyboard instead of using my phone
  • Decline calls from my Mac
  • Shuts down in two seconds
  • On Windows, tool tips pop-up immediately. That’s always been a pet peeve of mine. As you’re moving the mouse around the screen, things keep popping up and getting in the way. On the Mac, you need to pause over something for the tip to come up.
  • Copying files and opening file explorer doesn’t fail.
  • It took 10 minutes for my Win 10 laptop to boot. It blue-screened, then restarted and downloaded updates.
  • Power cord attaches to laptop magnetically. No getting loose over time.

Thursday, January 21, 2016

Gig History

My experience playing on stage:

Solo:

Feb 2015: Joined a band on stage (bar is Desire) for two songs on Penang Island, in Malaysia.


Creep
Some Chinese song


AmpWagon (I joined the band 12-Jun-2015):



1. 29-Aug-2015: Nate and Wally's Fishbowl
2. 11-Sep-2015: Nate and Wally's Fishbowl
3. 17-Oct-2015: BGSU Tailgate
4. 24-Oct-2015: Halloween Party
5. 7-Nov-2015: The Alehouse
6. 21-Nov-2015: Nate and Wally's Fishbowl
7. 11-Dec-2015: Nate and Wally's Fishbowl
8. 22-Jan-2016: Howard's Club H
9. 17-Mar-2016: Howard's Club H


Groove Cricket (I started the band. First practice was Oct 2016.)



1. 17-Dec-2016: Christmas Party at Dave Riffer's (guitarist) house
2. 13-Apr-2017: Howard's Club H (open mic night)
3. Dec 2017: Christmas Party at Dave Riffer's house

First Set List:


Thursday, January 14, 2016

Web Security Implementation

I needed to pick an approach to security for my new web front end for my open source project Presto. My first step was to ask for overall direction from some industry experts. So, special thanks to Jim Manico (@manicode, site) for helping me. While this approach is still evolving as I work through it, I wanted to summarize the security implementation here.

Overview

Instead of defining roles and allowing things based on those roles, define permissions (functionality seems to be a more intuitive word here) and allow things based on those permissions. For example, if I define an admin role, some company may want some admins to do some things and other admins to do different things, so don't lump them all together. Instead, create a list of specific functionality (print this, save that, etc.) and assign each user(?) to each functionality. Then there is a lot more flexibility.

With this approach, we won't have to change source code in the future. For example, if we wanted to add a new AD group, and we specified AD groups/users in code, we'd have to change code. With this approach, each piece of functionality gets its own unique name. Then each is mapped to AD groups in some central store.

Note: We ended up abandoning this approach for one main reason: our security line of trust is at the logic layer in our business logic classes. If we secure at the Web API, then we have to secure correctly at every Web API we implement. It's better to have security in one spot, which, in our case, is at each method in our logic layer.


Implementation

Web API


Web.config (the key is the functionality, the value is the AD group):
<add key="DeleteUser" value="Some AD Group"/>

(Note: The web.config is used here just as a demo to get this working. Perhaps this info should be in the DB.)

FunctionalityAttribute:
public class FunctionalityAttribute : AuthorizeAttribute
    {
        public string FunctionalityName { getset; }
 
        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            string adGroup = WebConfigurationManager.AppSettings[FunctionalityName];
 
            if (actionContext.RequestContext.Principal.IsInRole(adGroup)) { return true; }
 
            return false;
        }
 
        protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
        {
            // Authenticated, but not authorized.
            if (actionContext.RequestContext.Principal.Identity.IsAuthenticated)
            {
                // Use Forbidden because Unauthorized causes a login prompt to display.
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
            }
        }
    }

API Controller:
[Functionality(FunctionalityName = "DeleteUser")]
public class AppsController : ApiController

(Note: The attributes will actually go on the methods, not the class. This example is just to test at the moment.)




Dealing with success and failure in the AngularJS repository call

$http.get('/PrestoWeb/api/apps/')
    .then(function (result) {
        data = result.data;
        $rootScope.setUserMessage("Application list refreshed");
        callbackFunction(data);
    }, function (response) {
        console.log(response);
        if (response.status == 403) {
            $rootScope.setUserMessage("Unauthorized");
            callbackFunction(null);
        }
    });




JavaScript

if (user.canAccess("DeleteUser")) {
    // Set AngularJS scope variable that shows that the delete button should be enabled
}




WCF Service

What's to stop someone from changing the JavaScript and getting the DELETE button enabled? Nothing, that's why you don't trust the browser. Whatever security we implement on the web page must also be implemented at the service or logic layer. In my case, that would be the WCF service. So while the user can enable the DELETE button by hacking the JS, he won't actually be able to delete because the security at the service (or logic) layer will prevent that.

ToDo: Show WCF security implementation here after I do it.

Resources

Cross Site Scripting Prevention Cheat Sheet
Java Authorization Guide


Some Notes

As a product, you need to support many different kinds of authentication.
As a service, you need to support SAML and similar for federation - especially for big customers.