Global

Project V

Wed, 12 Nov 2008 15:36:12 GMT

In my previous post, I was talking about main practice on designing content tree on eZPublish and some limitations due to the current architecture of this CMS.

It seems that this matter of concern was shared by a lot of people, in particular at eZSystems as Paul Borgermans has shown us during the eZDeveloper Meeting. See there.

The project V is the full reimplementation of eZPublish core to lighten it and make it more powerful and flexible. Looking back the evolution of eZPublish, a such great upgrade did not happened from the 3.x series, since 4.x was just a porting to PHP5. Thanks to new tools like a bug tracker or a testing suite, eZSystems has set a mature development system which can produce software of higher quality than before. So the difference between 3.x and 4.x is few bugs and PHP5.

What's next ? The Project V has the ambition to provide two things :

a very modular and flexible Unix-like micro kernel. It will allow you to access more efficiently its API and will be based on ezComponents, specifically on the MVCTools component. This particular feature might let you use other components than the ezComponents : Smarty for another template engine or Doctrine / Propel for the persistence layer. It meets up with functionalities of another product we know well.
a bundle of RAD tools to ease and quicken the development.

As it will be a complete different kernel, extensions will be different. To ease this migration, the engine of the Project V will appear as soon as 4.2 : the broker would bring the possibility to choose between old and new behaviour.

Quite exciting !

Some points about what we think about CMS

Thu, 06 Nov 2008 13:07:07 GMT

This post is about different things. It came from a long talk with Damien Pitard, web architect at Prisma Presse, which began with the difference of concept between using content as children rather than putting it in the direct content. For example, if you have an article related to companies, you can organize differently your content :

You can upgrade your article to put some extra data, like a matrix attribute. There's no limit with this kind of data type : you are sure to store what you want inside the content. So the point is that all your data, related data and main data will be together. The only issue is that this kind of data type does not exist if you consider more complex data type.

Another point is to make your article class like a container and create a new class called company with two or three attributes. By this way, you can add as many companies under your article node and with few template codes, show them. There is no limit with the number of content or the complexity of you content. However, the main issue is that maybe the company does not have a real existence on your web site. It means that you maybe don't want to have a page with a full view of your company. This is the source of a lot of SEO related issues and bug.

There is also a third but not right solution : you can mix basic data types in your content to reach what you would like to have. For example, you have a content with attributes Title, Subtitle 1, Text 1, Subtitle 2, Text 2 and so on. The main issue, even if you got almost what you need, is that you might be limited by the number of attributes. What will happen if you're asked for a subtitle 32 and text 32 ?

As eZPublish is a great product, we just challenged it in a regular way : what we want is to fill customers need and what we have is in eZPublish. We went by two phases : how we use eZPublish and how we would like to change in it.

Underlying concepts

The more you make technical specifications for eZPublish projects, the more you find strange solutions to reach your aim. Looking back, we both made experiments with eZPublish and as the versions went up, we understood some points about the main matter : the content.

This is how the content is typically used in eZPublish :

To store content. We can find this kind of content at the end of the tree, the leaves. There is nothing under them and they are the representation of a page in the CMS. In eZPublish, you expect to have a lot this kind but it's not exactly what happens on projects.

This show a typical organization with content nodes (Article content type).

To structure the content. You can find some contents which are only set up with one attribute, a text line, to make it clickable in the back office. The main point is that it doesn't its own content. A counter example is the Folder content provided in standard by eZSystems in their packages (eZWebin or eZFlow). This class is composed with other attributes like a Description field or a date. It adds content to the website and isn't here to represent a way to categorize your content. This is what you may be tempted to do but it causes several issues.

This is how is organized the content with structure content types.

To syndicate the content. You'll use a content to be the start node of your tree to syndicate content which is under. For example, the typical homepage does not own content or is just a structure node which will put nodes back up. eZSystems has provided a great interface to do this but it still remain on nodes with the Front Page class.

This shows the organization with syndication content types.

What we have understood is that the main a key of a CMS is to provide a page for a content, and in eZ, as you are free to organize you content (you're not guided), you can make great mistakes.

Content rules to make your content rules

Those are the rules that may have to be respected but which are not always and that contribute to provide main issues on standard features :

Don't use structure nodes or syndication nodes in your tree. It doesn't supply any content. Make a module instead.
One content is one page. This will allow you to easily organize your tree and consolidate your content in one and indivisible content. If you decide to display your content in some complex layout, it will ease the separation between the content linked to the uri and the other kind of information. Consequences of this rule are that each content must represent only one page and that your content have to be a complete content, not scattered in few pages. There is a lot of advantages to proceed like this :
- it's easier to publish content and to set the SEO rules (No duplication in pages).
- all part of your content can be visible in the same page : you won't have to cheat with redirection or include templates to correct this.
- your tree is lighter.
- your content is complete.
Don't make relations between content that does not need a real representation of itself. For example, don't try to link a content that is only shown as a line in a folder override. It implies that you will have to make an override for the full view which doesn't mean anything. All types of relation are concerned : child relation and content relation.
Use transversal categorization like a category data type or a tag data type to avoid useless tree nodes.

Powerful but useless

Finally, the most important in a CMS is to efficiently manage content. This truism shows that sometimes we forget the things which has to be perfect in the software and that is polluted by other provided features that are used in 10% of your projects. Those become useless features as long as you apply our rules :

The multi positioning system : this feature allows you to add several locations to an object. When you modify the content, the modification is affecting all the locations. However, it implies that you have a 1 to many relation between content objects and nodes. If you don't use multi positioning, you can merge the table of nodes and objects, increasing all your requests on content.

The class tables : this features is not longer useful provided that each time you make a modification in a class you have to modify the corresponding templates. Let stop deluding ourselves here, in an eZProject, developers don't make perfect templates with all the cases and your users doesn't modify the classes. It is possible to store it elsewhere like in an XML file that will be cached. If we remove this tables, the requests on content are improved.

Users and roles management : all users and groups are stored as content. Provided that all the modules use those ones, it is heavily eating up resources. As we have to manage it on line, it's better to keep the current interface but not to store it as content.

Conclusion

CMS are evolving quickly, users are asking new features everyday, high performance and availability level is becoming a standard and the software law of evolution is wreaking havoc. It is a matter of fact that eZPublish has a perfect conception model to store any content lying on a complex and full featured architecture. We are resigned : what has brought eZPublish to its CMS high rank will maybe lead it to the end. Nowadays, this model is reaching its limits and new CMS are coming out with light interfaces and light and flexible architectures.

Alternate way to Kerberos NTLM auth in pure PHP

Mon, 03 Nov 2008 14:15:10 GMT

Regarding to a recent post I put here about Kerberos and Apache, there is a way to replace Kerberos when the Active Directory cannot be properly configured to accept Kerberos connections. You can simulate the NTLM auth process with the browser by 6 steps in PHP :

function get_login() {

   /*
   step:  | type:
   -------|----------------|------------------------------------
   1      | C --> S        | GET ...
   -------|----------------|------------------------------------
   2      | C <-- S        | 401 Unauthorized
          |                | WWW-Authenticate: NTLM
   -------|----------------|------------------------------------
   3      | C --> S        | GET ...
          |                | Authorization: NTLM
          |                | 
   -------|----------------|------------------------------------
   4      | C <-- S        | 401 Unauthorized
          |                | WWW-Authenticate: NTLM
          |                | 
   -------|----------------|------------------------------------
   5      | C --> S        | GET ...
          |                | Authorization: NTLM

   -------|----------------|------------------------------------
   6      | C <-- S        | 200 Ok
   -------|----------------|------------------------------------
   */

   $headers = apache_request_headers();
   if($headers['Authorization'] == NULL) { // step 1
       header( "HTTP/1.1 401 Unauthorized" ); // step 2
       header( "WWW-Authenticate: NTLM" );
       exit;
   };
   if(isset($headers['Authorization'])
         && substr($headers['Authorization'],0,5) == 'NTLM ') {
            // step 3 to 6
       $chaine=$headers['Authorization'];
       $chaine=substr($chaine, 5); // type1 message
       $chained64=base64_decode($chaine);
       if(ord($chained64{8}) == 1) { // step 3
           // check NTLM flag "0xb2",
          // offset 13 in type-1-message :
           if (ord($chained64[13]) != 178) {
                echo "Please use NTLM compatible browser";
                   return null;
           }
           $retAuth = "NTLMSSP";
           $retAuth .= chr(0).chr(2).chr(0).chr(0);
          $retAuth .= chr(0).chr(0).chr(0).chr(0);
           $retAuth .= chr(0).chr(40).chr(0).chr(0);
          $retAuth .= chr(0).chr(1).chr(130).chr(0);
           $retAuth .= chr(0).chr(0).chr(2).chr(2);
          $retAuth .= chr(2).chr(0).chr(0).chr(0);
           $retAuth .= chr(0).chr(0).chr(0).chr(0);
          $retAuth .= chr(0).chr(0).chr(0).chr(0).chr(0);

           $retAuth64 =base64_encode($retAuth);
           $retAuth64 = trim($retAuth64);
           header( "HTTP/1.1 401 Unauthorized" ); // step 4
           header( "WWW-Authenticate: NTLM $retAuth64" );
           exit;
       }
       else if(ord($chained64{8}) == 3) { // step 5
           $lenght_domain = (ord($chained64[31])*256 + ord($chained64[30]));
           $offset_domain = (ord($chained64[33])*256 + ord($chained64[32]));
           $domain = substr($chained64, $offset_domain, $lenght_domain);
           $lenght_login = (ord($chained64[39])*256 + ord($chained64[38]));
           $offset_login = (ord($chained64[41])*256 + ord($chained64[40]));
           $login = substr($chained64, $offset_login, $lenght_login);
           $lenght_host = (ord($chained64[47])*256 + ord($chained64[46]));
           $offset_host = (ord($chained64[49])*256 + ord($chained64[48]));
           $host = substr($chained64, $offset_host, $lenght_host);
       }

   }
   $login = preg_replace("/(.)(.)/","$1",$login);
   $domain = preg_replace("/(.)(.)/","$1",$domain);
   $login = strtolower($login);
   $domain = strtoupper($domain);
   return array($login,$domain); // step 6 : accept
}

Warning : this code must be exectuted not only for the auth process when you want to login the user, but for each HTTP request to your application (so on each page).

It is very important to put HTTP 1.1 protocole in HTTP headers because HTTP 1.0 does not support Keep-alive connection and so NTLM auth. For some unknown reasons, even if some Apache versions change automatically the protocole version to 1.1 in your headers, other versions don't (for example 2.2.3 can do it and 2.2.9 can't).

Finally, keep in mind that this code is not as secure as Kerberos Apache module, because this code will never check Active Directory permission to accept the user. This function is just to retrieve login and domain, you have to make the account check yourself.

Good luck !

Alternate way to Kerberos NTLM auth in pure PHP

Mon, 03 Nov 2008 14:15:10 GMT

function get_login() {

   /*
   step:  | type:
   -------|----------------|------------------------------------
   1      | C --> S        | GET ...
   -------|----------------|------------------------------------
   2      | C <-- S        | 401 Unauthorized
          |                | WWW-Authenticate: NTLM
   -------|----------------|------------------------------------
   3      | C --> S        | GET ...
          |                | Authorization: NTLM
          |                | 
   -------|----------------|------------------------------------
   4      | C <-- S        | 401 Unauthorized
          |                | WWW-Authenticate: NTLM
          |                | 
   -------|----------------|------------------------------------
   5      | C --> S        | GET ...
          |                | Authorization: NTLM

   -------|----------------|------------------------------------
   6      | C <-- S        | 200 Ok
   -------|----------------|------------------------------------
   */

   $headers = apache_request_headers();
   if($headers['Authorization'] == NULL) { // step 1
       header( "HTTP/1.1 401 Unauthorized" ); // step 2
       header( "WWW-Authenticate: NTLM" );
       exit;
   };
   if(isset($headers['Authorization'])
         && substr($headers['Authorization'],0,5) == 'NTLM ') {
            // step 3 to 6
       $chaine=$headers['Authorization'];
       $chaine=substr($chaine, 5); // type1 message
       $chained64=base64_decode($chaine);
       if(ord($chained64{8}) == 1) { // step 3
           // check NTLM flag "0xb2",
          // offset 13 in type-1-message :
           if (ord($chained64[13]) != 178) {
                echo "Please use NTLM compatible browser";
                   return null;
           }
           $retAuth = "NTLMSSP";
           $retAuth .= chr(0).chr(2).chr(0).chr(0);
          $retAuth .= chr(0).chr(0).chr(0).chr(0);
           $retAuth .= chr(0).chr(40).chr(0).chr(0);
          $retAuth .= chr(0).chr(1).chr(130).chr(0);
           $retAuth .= chr(0).chr(0).chr(2).chr(2);
          $retAuth .= chr(2).chr(0).chr(0).chr(0);
           $retAuth .= chr(0).chr(0).chr(0).chr(0);
          $retAuth .= chr(0).chr(0).chr(0).chr(0).chr(0);

           $retAuth64 =base64_encode($retAuth);
           $retAuth64 = trim($retAuth64);
           header( "HTTP/1.1 401 Unauthorized" ); // step 4
           header( "WWW-Authenticate: NTLM $retAuth64" );
           exit;
       }
       else if(ord($chained64{8}) == 3) { // step 5
           $lenght_domain = (ord($chained64[31])*256 + ord($chained64[30]));
           $offset_domain = (ord($chained64[33])*256 + ord($chained64[32]));
           $domain = substr($chained64, $offset_domain, $lenght_domain);
           $lenght_login = (ord($chained64[39])*256 + ord($chained64[38]));
           $offset_login = (ord($chained64[41])*256 + ord($chained64[40]));
           $login = substr($chained64, $offset_login, $lenght_login);
           $lenght_host = (ord($chained64[47])*256 + ord($chained64[46]));
           $offset_host = (ord($chained64[49])*256 + ord($chained64[48]));
           $host = substr($chained64, $offset_host, $lenght_host);
       }

   }
   $login = preg_replace("/(.)(.)/","$1",$login);
   $domain = preg_replace("/(.)(.)/","$1",$domain);
   $login = strtolower($login);
   $domain = strtoupper($domain);
   return array($login,$domain); // step 6 : accept
}

Warning : this code must be exectuted not only for the auth process when you want to login the user, but for each HTTP request to your application (so on each page).

Good luck !

Through the lines

Thu, 16 Oct 2008 14:24:33 GMT

This one has been discovered by one of my colleague, Chawalit Tangwongpiboon, while he was searching security holes in eZPublish.

Go on this page, choose a website and type at the end :

/content/browse/2

or

/user/register

or

/ezinfo/about

You can access all the tree of the website, or you can register yourself on the website or just access some information about versions and packages installed on this website.

Where does it come from ? Just from the override/site.ini where the definitions of the siteaccess rules are stored. It actually overrides your own roles and policies for the anonymous role. But by default, eZ allow anonymous user to access those modules. If you want to secure your site, the best way is to forbid access by modifying the rules :

[SiteAccessRules]
 Rules[]=Access;disable
 Rules[]=Module;user/register

It will disable the view for this module.

I have tested a lot of sites and almost all let those information and accesses out.

Terrific...

First feedback on Android framework

Thu, 25 Sep 2008 15:03:28 GMT

After few months developing a little try under Android API, I wanted to make feedback on benefits of the Google OS. I want to achieve the first version of my project and then make a constructive criticism about Android regarding to other graphical or mobile APIs, like the iPhone.

Since the beginning of the year, I established a personal project to develop a small Android application, quite independent,
using GUI at maximum of its capacities, a database (SQLite) and a few onboard Google Maps onboard. I'll give small screenshots in a way that says enough along on the usefulness of the program, because I do not know yet exactly what I will do with my application.
My first impressions over development were:

Firstly, the ownership of the GUI as a developer is quite long: you cannot learn to make a good GUI in a week, it takes more time (about 2 months). But when you play well with this API, you have fun. The GUI is certainly more easy to control than the Swing one, my only point of comparison in Java.
Despite this, the GUI is not as good as the iPhone one: technologically, it lacks important points (difficult to achieve, I know): the multi-touch is not supported at all and will probably never (or only partially, if we can hope?); the fluidity of the scrolls with the finger is not as impressive as on the iPhone and at the same time it lost ergonomism; the sequence of screens and transitions between them are not automatic: you must integrate or develop it by yourself: it has its advantages but also disadvantages: each program will behave differently on transistions, resulting in a loss of landmarks for the user; API adopted by Google is a little too oriented "1 screen means 1 Java class", which is sometimes a strong constraint to generate clear source code.
The screen resolution of Android is variable! Several resolutions will be possible: this advantage allows manufacturers of phones to have screens of different size depending on the targeted markets: it is good for them. For developers, that's another story! You must design applications with screens nor too rich (to fit on small screens), nor too poor (to avoid empty large screens), or (solution that I had adopted) set up screens for each resolution. This work is long, and if an application does not handle many resolutions (as I saw many applications as ADC Challenge winners...), small screen will not display everything, and therefore the application does not run properly on low resolutions, which are - I presume - being the first resolutions to emerge on the market, given the current technological possibilities.
Application side, we do what we want, as long as it is possible in Java, and if it is not too heavy to execute : we must not forget that Java is a language interpreted by a JVM, and it is basically heavy and power consumer. On a small phone, we have the computing power of a PC made five years ago. See how Windows Mobile is slow: it will be worse under Android, unless you have a very big phone tht cost a lot (see the dimensions of the HTC Dream / G1, the first android phone to be released, for about $300).
Synchronization side, between Android / Desktop, is for the moment inexisting: either I missed a big detail in the framework, or it is a huge mistake made by Google: I have not found any tool in the emulator to synchronize laptop with a PC... If every developer must do its own synchronization program, there will be problems quickly. I intend to look at this at the end of my project to analyze the feasibility and simplicity to develop a database sync.
Finally, as the framework version 0.9 was released recently, I was able to experience a transition of versions with my application. The changes in the API showed me about 550 errors in Eclipse. Classes have disappeared, others are displaced or have become private. Many methods have been renamed (without any logical intention), and Google Maps API has changed a lot. I had to fully rewrite the classes of my application using MAPS. For 550 errors, 30 hours were needed to bring my application up to version 0.9 (the gain is still significant in terms of fluidity, features ...).

First feedback on Android framework

Thu, 25 Sep 2008 15:03:28 GMT

Firstly, the ownership of the GUI as a developer is quite long: you cannot learn to make a good GUI in a week, it takes more time (about 2 months). But when you play well with this API, you have fun. The GUI is certainly more easy to control than the Swing one, my only point of comparison in Java.
Despite this, the GUI is not as good as the iPhone one: technologically, it lacks important points (difficult to achieve, I know): the multi-touch is not supported at all and will probably never (or only partially, if we can hope?); the fluidity of the scrolls with the finger is not as impressive as on the iPhone and at the same time it lost ergonomism; the sequence of screens and transitions between them are not automatic: you must integrate or develop it by yourself: it has its advantages but also disadvantages: each program will behave differently on transistions, resulting in a loss of landmarks for the user; API adopted by Google is a little too oriented "1 screen means 1 Java class", which is sometimes a strong constraint to generate clear source code.
The screen resolution of Android is variable! Several resolutions will be possible: this advantage allows manufacturers of phones to have screens of different size depending on the targeted markets: it is good for them. For developers, that's another story! You must design applications with screens nor too rich (to fit on small screens), nor too poor (to avoid empty large screens), or (solution that I had adopted) set up screens for each resolution. This work is long, and if an application does not handle many resolutions (as I saw many applications as ADC Challenge winners...), small screen will not display everything, and therefore the application does not run properly on low resolutions, which are - I presume - being the first resolutions to emerge on the market, given the current technological possibilities.
Application side, we do what we want, as long as it is possible in Java, and if it is not too heavy to execute : we must not forget that Java is a language interpreted by a JVM, and it is basically heavy and power consumer. On a small phone, we have the computing power of a PC made five years ago. See how Windows Mobile is slow: it will be worse under Android, unless you have a very big phone tht cost a lot (see the dimensions of the HTC Dream / G1, the first android phone to be released, for about $300).
Synchronization side, between Android / Desktop, is for the moment inexisting: either I missed a big detail in the framework, or it is a huge mistake made by Google: I have not found any tool in the emulator to synchronize laptop with a PC... If every developer must do its own synchronization program, there will be problems quickly. I intend to look at this at the end of my project to analyze the feasibility and simplicity to develop a database sync.
Finally, as the framework version 0.9 was released recently, I was able to experience a transition of versions with my application. The changes in the API showed me about 550 errors in Eclipse. Classes have disappeared, others are displaced or have become private. Many methods have been renamed (without any logical intention), and Google Maps API has changed a lot. I had to fully rewrite the classes of my application using MAPS. For 550 errors, 30 hours were needed to bring my application up to version 0.9 (the gain is still significant in terms of fluidity, features ...).

Google Chrome

Thu, 04 Sep 2008 15:31:43 GMT

Never heard about it and now Google launches a new browser !

So, what's new in this browser ? Some good things, actually :

the omnibox : it's the merge of the search box and the address box in one box where you can type what you want to search or where you want to go. All the things you will type will be parsed and sent to Google Suggestions and the possible answers are suggested under the box.

a task manager : it allows you to manage the different processes launched by your browser and easily kill it if you got some troubles with one of it.

a javascript tool : to debug javascript. This the first browser to implement the JavaScript V8 engine which is faster and ready to support Web 2.0 application as Flicker or Facebook.

a source editor : with line numbers, coloration on search and position of the items found in the scroll bar.

Some humour on errors ?!?

Not a real revolution but a commercial product based on the Chrome Engine of the Mozilla platform and WebKit, the engine of Safari which exploits all your data and sell it to third partners.

Even if Google tries to impose is new product, the reaction of experts are very interesting concerning the security and the data stored and sent (fr) or the real performance of this new browser.

In my opinion, I'm not sure that a new interface is required for Firefox and that you really need to increase the chances of being bothered by companies which would like to sell you something ? However, if you install this browser, make sure to understand that all the content may be exploited freely by Google without any restrictions....

Android SDK 0.9 released yesterday

Tue, 19 Aug 2008 12:30:41 GMT

It's a big news, Android finally opened up the Android SDK v0.9, and Eclipse plugins that comes with.

You can find information on the following sites :

In few days, I will add a post to comment the migration of an Android application from M5 version to 0.9beta. I can say today that for a little application like mine, more than an hundred of errors appeared in my project with the new SDK (moved/removed API classes, deprecated methods, etc...)...

Good luck for migrations!

Android SDK 0.9 released yesterday

Tue, 19 Aug 2008 12:30:41 GMT

It's a big news, Android finally opened up the Android SDK v0.9, and Eclipse plugins that comes with.

You can find information on the following sites :

Good luck for migrations!

Firefox 3 - eZDebug extension

Mon, 18 Aug 2008 12:44:46 GMT

And I finally finished it, the new version is better, smaller, faster, stronger ?

Here are some screenshot of what it can do.

Some informations :

Click on the link to install the extension
To use it, you can click on the small icon on the bottom right corner, make CTRL+SHIFT+E combination or open the related sidebar in Firefox. Then just press Scan when you are on a page with debug inside.
Due to the differences between Firefox 2 and 3, it won't be updated fore Firefox 2. (And also because I'm lazy).
If there's no debug on the page, nothing happens.
If you got some trouble, you can mail me or just leave a message here.

You can download it on the official extension page on addons.mozilla.org. Please for this extension and leave a comment so it can be supported by the Mozilla Foundation.

Or you can download it here.

To install it, just click on it, Firefox will install it.

eZpublish SSO login Handler - Apache Kerberos module bypass

Wed, 13 Aug 2008 15:07:24 GMT

This week I had to make an eZpublish web site with an SSO authentication under eZpublish (NTLM). An SSO login handler is required. This login handler is executed by PHP and so is preceded by Apache authentication, with Kerberos Apache module.

The first problem comes when you want to let Kerberos authenticate the user (to give user data to PHP) or bypass authentication module if Kerberos cannot identify the user, to let eZpublish authenticate the user itself, with a classical form or another login handler : this parameter is not possible under Apache Auth modules, with a classical configuration like this:


    AuthType Kerberos
    KrbAuthRealms WASCOU.ORG
    KrbServiceName HTTP
    Krb5Keytab /root/wascou.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
    Options All

The "Require valid-user" line will disallow site access until the user is not authenticated under Apache Kerberos module. This is the problem for users that need to be logged in with the classical form on eZpublish. Unfortunately there is no instruction to tell Kerberos to let a bypass in failure case (like with Basic or Digest modules, the same): Apache will give a HTTP 401 error, which is quite logical.

I suppose you know that eZpublish can call the user/login module from any URL that brings to a protected content: according to the user rights, a login form could be shown, and before this, a SSO login can be called. So there no way to indicate clearly to apache when eZpublish needs to login the user (to activate Kerberos authentication): telling "/user/login" URL is the only login URL is a mistake.

So, the solution is to play with well built Apache and PHP redirections, that the user cannot see, to call Kerberos module only when eZpublish needs it. Firstly, we will replace the above configuration with the following one, contained in a Location section, much more appropriated in our case :


    AuthType Kerberos
    KrbAuthRealms WASCOU.ORG
    KrbServiceName HTTP
    Krb5Keytab /root/wascou.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
    Options All
    ErrorDocument 401 /user/login

Notice that the "/ntlm/auth" URL could bring us to an eZpublish module: this module must exist (you have to create it), but the PHP script behind this will never been executed and could remain empty (Apache and eZpublish will make redirections before this execution, see next step). Also notice the "ErrorDocument 401 /user/login" line, that will redirect the user if Kerberos cannot authenticate the user (and only for the "/ntlm/auth" URL!).

The big tip is here: if Kerberos cannot authenticate the user, it must redirect to an eZpublish page. The "/user/login" is an arbitrary choice, because the SSO login handler will make redirections before the execution of the user/login script (see next step).

Now, you have to make your SSO login handler, playing with all needed redirections, to manage correctly all possible bounds.

The following SSO login handler is a complete example:

function handleSSOLogin() {
  $ip = $_SERVER["REMOTE_ADDR"];
  $net = $ini->variable( 'NTLMSettings', 'net' );
  $mask = $ini->variable( 'NTLMSettings', 'mask' );

  // tip: (net & mask) == (ip & mask) : ok!
  if ((ip2long($net)&ip2long($mask))==(ip2long($ip)&ip2long($mask))) {

    // 2nd case : /ntlm/auth redirected to first URL, to auth under PHP.
    if ($_SESSION['ntlm_success']=="success") {
      if ( array_key_exists( 'REMOTE_USER', $_SESSION )
             && array_key_exists( 'AUTH_TYPE', $_SESSION ) ) {
        $remoteUser = $_SESSION['REMOTE_USER'];
        $authType = $_SESSION['AUTH_TYPE'];

        eZDebug::writeDebug('#25# user:'.$remoteUser,'');

        $loginParts = explode( '@', $remoteUser );
        $loginName = $loginParts[0];

        // main call of YOUR User handler in NTLM mode
        $user = LOGINCLASS::loginUser($loginName);

        if ( is_object( $user ) ) {
          return $user;
        } else {
          eZDebug::writeDebug('#36# Unable to fetch user','');
          unset($_SESSION['REMOTE_USER']);
          unset($_SESSION['AUTH_TYPE']);
        }
      } else {
        eZDebug::writeDebug('#39# No sso auth performed','');
        unset($_SESSION['REMOTE_USER']);
        unset($_SESSION['AUTH_TYPE']);
      }
      $_SESSION['ntlm_success'] = "failed";
      return false;
    }

    // first case : sso_handler redirection to /ntlm/auth.
    if ($_SERVER['SCRIPT_URL'] == '/ntlm/auth') {
      eZDebug::writeDebug('#47# IP on domain, Kerberos OK.','');
      if (!$_SESSION['ntlm_url']) {
        echo 'Cookies or/and Sessions are not activated.
';
        eZExecution::cleanExit();
      }
      $ntlm_url = $_SESSION['ntlm_url'];
      unset($_SESSION['ntlm_url']);
      $_SESSION['ntlm_success'] = "success";
      $_SESSION['REMOTE_USER'] = $_SERVER['REMOTE_USER'];
      $_SESSION['AUTH_TYPE'] = $_SERVER['AUTH_TYPE'];
      eZHTTPTool::redirect($ntlm_url);
      eZExecution::cleanExit();
    } else if ($_SESSION['ntlm_success'] != "failed") {
      eZDebug::writeDebug('#59# IP on domain, checking NTLM.','');
      $_SESSION['ntlm_url']=$_SERVER['SCRIPT_URL'];
      eZHTTPTool::redirect('/ntlm/auth');
      eZExecution::cleanExit();
    } else {
      eZDebug::writeDebug('#64# IP on domain, Kerberos failed.','');
    }

  } else eZDebug::writeDebug('#67# IP not on domain, Stop.','');

  return false;
}

This script will process like this:

First, a test is executed to ensure we are on the right domain (by mask and IP)
Then a redirection is done to /ntlm/auth ; we store the original URL typed in the SESSION
When /ntlm/auth is called, apache Kerberos module will try to authenticate user
if failed, an Apache redirection (by "ErrorDocument 401" param) is done to /user/login
- in this case, our SSO login handler will redirect to the original URL typed by the user, with a failed state for authentication (stored in the session)
- the next login handler will try an authentication with a form...
if succeeded, our SSO login handler will store user login (given by Kerberos under $_SESSION['REMOTE_USER']) and will redirect to the original URL typed by the user,
- on this new URL, our SSO login handler will authenticate the given user in the database (you have to implement "LOGINCLASS::loginUser($loginName);" line by yourself)
- in case of success, login process is terminated, the $user is returned.
- in case of failure, false is returned to let next login handler try an authentication with a form...

If you have any question, comment this post!

Good luck!

eZpublish SSO login Handler - Apache Kerberos module bypass

Wed, 13 Aug 2008 15:07:24 GMT


    AuthType Kerberos
    KrbAuthRealms WASCOU.ORG
    KrbServiceName HTTP
    Krb5Keytab /root/wascou.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
    Options All


    AuthType Kerberos
    KrbAuthRealms WASCOU.ORG
    KrbServiceName HTTP
    Krb5Keytab /root/wascou.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
    Options All
    ErrorDocument 401 /user/login

Now, you have to make your SSO login handler, playing with all needed redirections, to manage correctly all possible bounds.

The following SSO login handler is a complete example:

function handleSSOLogin() {
  $ip = $_SERVER["REMOTE_ADDR"];
  $net = $ini->variable( 'NTLMSettings', 'net' );
  $mask = $ini->variable( 'NTLMSettings', 'mask' );

  // tip: (net & mask) == (ip & mask) : ok!
  if ((ip2long($net)&ip2long($mask))==(ip2long($ip)&ip2long($mask))) {

    // 2nd case : /ntlm/auth redirected to first URL, to auth under PHP.
    if ($_SESSION['ntlm_success']=="success") {
      if ( array_key_exists( 'REMOTE_USER', $_SESSION )
             && array_key_exists( 'AUTH_TYPE', $_SESSION ) ) {
        $remoteUser = $_SESSION['REMOTE_USER'];
        $authType = $_SESSION['AUTH_TYPE'];

        eZDebug::writeDebug('#25# user:'.$remoteUser,'');

        $loginParts = explode( '@', $remoteUser );
        $loginName = $loginParts[0];

        // main call of YOUR User handler in NTLM mode
        $user = LOGINCLASS::loginUser($loginName);

        if ( is_object( $user ) ) {
          return $user;
        } else {
          eZDebug::writeDebug('#36# Unable to fetch user','');
          unset($_SESSION['REMOTE_USER']);
          unset($_SESSION['AUTH_TYPE']);
        }
      } else {
        eZDebug::writeDebug('#39# No sso auth performed','');
        unset($_SESSION['REMOTE_USER']);
        unset($_SESSION['AUTH_TYPE']);
      }
      $_SESSION['ntlm_success'] = "failed";
      return false;
    }

    // first case : sso_handler redirection to /ntlm/auth.
    if ($_SERVER['SCRIPT_URL'] == '/ntlm/auth') {
      eZDebug::writeDebug('#47# IP on domain, Kerberos OK.','');
      if (!$_SESSION['ntlm_url']) {
        echo 'Cookies or/and Sessions are not activated.
';
        eZExecution::cleanExit();
      }
      $ntlm_url = $_SESSION['ntlm_url'];
      unset($_SESSION['ntlm_url']);
      $_SESSION['ntlm_success'] = "success";
      $_SESSION['REMOTE_USER'] = $_SERVER['REMOTE_USER'];
      $_SESSION['AUTH_TYPE'] = $_SERVER['AUTH_TYPE'];
      eZHTTPTool::redirect($ntlm_url);
      eZExecution::cleanExit();
    } else if ($_SESSION['ntlm_success'] != "failed") {
      eZDebug::writeDebug('#59# IP on domain, checking NTLM.','');
      $_SESSION['ntlm_url']=$_SERVER['SCRIPT_URL'];
      eZHTTPTool::redirect('/ntlm/auth');
      eZExecution::cleanExit();
    } else {
      eZDebug::writeDebug('#64# IP on domain, Kerberos failed.','');
    }

  } else eZDebug::writeDebug('#67# IP not on domain, Stop.','');

  return false;
}

This script will process like this:

First, a test is executed to ensure we are on the right domain (by mask and IP)
Then a redirection is done to /ntlm/auth ; we store the original URL typed in the SESSION
When /ntlm/auth is called, apache Kerberos module will try to authenticate user
if failed, an Apache redirection (by "ErrorDocument 401" param) is done to /user/login
- in this case, our SSO login handler will redirect to the original URL typed by the user, with a failed state for authentication (stored in the session)
- the next login handler will try an authentication with a form...
if succeeded, our SSO login handler will store user login (given by Kerberos under $_SESSION['REMOTE_USER']) and will redirect to the original URL typed by the user,
- on this new URL, our SSO login handler will authenticate the given user in the database (you have to implement "LOGINCLASS::loginUser($loginName);" line by yourself)
- in case of success, login process is terminated, the $user is returned.
- in case of failure, false is returned to let next login handler try an authentication with a form...

If you have any question, comment this post!

Good luck!

Ciao 3.x

Mon, 11 Aug 2008 15:37:25 GMT

It's done. We loved it, they stop it. Bye bye eZPublish 3.x series...

Yes, a bit sad but how good for developpers ! There were some features that eZSystems improved in the 3.x and which made this great software a more evolutive and scalable software for everyone. Here are the features I remember the most :

3.6

LDAP handler : connect eZPublish on a LDAP directory and to automatically create users in the eZ subtree.
Reverse features : get the objects which are relating the current object.
Remove subtree : useful to delete entire subtree.

3.7

Siteaccess settings in the extensions : you can put siteaccess settings in the extension. It allows you to design reusable extensions, overriding standards.
Developpement Mode : in dev mode it's not necessary to clear cache at each time...

3.8

Internationalisation : it is possible to translate any content in any language without having a content reference translated in a given language.
Clustering : you can put several instance of eZ on several hosts to share the load.
Group approval for workflows.
Serialization for all datatypes.
eZInfo() function for extensions.

3.9

Auto upload for files in Online Editor.
Diff.

And now ?

Some upcoming goodies for us ! Version 3.10.1 and 4.0.1 will be updated and 4.1 is announced for Q3. It seems that eZ gets behind...

No ?

eZDebug for Firefox3

Thu, 03 Jul 2008 05:40:12 GMT

After a fruitful conversation with Nicolas Pastorino, he said me that he was waiting the new version of eZDebug. I was focusing on other extension so I completely forgot that. So, I've started the development of the version 1.0 fore Firefox3, in six monthes dev tools have evolved (happily for me) and it will be easier to test and develop. I will make the following arrangements :

It won't be in a new window but in the sidebar or in a new tab (like the magic CTRL+MAJ+C).
It won't be necessary to hack the kernel --> So it can be used for any eZ instance.
It will be possible to filter by category or by typing something.
A clear "debug button" will allow to hide the debug in the internet page.

If you got some remarks or suggestions on this, just leave a comment.

The Norvegian Chronicles

Sat, 28 Jun 2008 15:54:30 GMT

My badge at the eZConference

Few weeks ago, I participipated to the eZConference & Open Nordic 2008 in Skien in Norway. There's some things you must now about Norway :

It's difficult to get there, even by plane, or car or camel...
It's absurdly expensive (150€ to do 40km in cab)
There's no night
Most of Norvegian is speaking english, hopefully !
They eat caviar for breakfast
Salmon is absurdly cheap

By the way, as you can imagine, Norway is a big country with few persons in it. So there's a lot of space and they are very concerned by the quality of their life : cities are clean and services are perfect.

Open Nordic 2008

The conference stood in the Skien Ibsenhuset, a very large conference hall, where both conferences, eZConference and Open Nordic, happened.

The main subject on eZ were :

Multiple file upload in 4.1 : it has been made in complement of the webdav feature which does not work on all platforms (Did I say Windows ???).
OE 5 : integrating Tiny MCE, this WYSIWG editor rocks ! After having worked with HTMLArea, FCKEditor and the former OE, it seems to be the more powerfull and intuitive work ever done. At least, it is a very visible work.
Support for OpenOffice.org and Microsoft Office document import and export in eZ via a nested toolbar in the editor : you can open content directly on an eZ instance via a Java connector and modify it as you want. When you save it, it will send the data to the eZ instance and update your website. Very powerfull and I guess very similar to the Sharepoint feature.
Site factory and CSS Editor : two features which are made to ease the deployment and configuration of eZ websites. The first is a console tool allowing to deploy in one command an entire site with a specified configuration (it uses REST). The second one is a kind of webmaster gadget in full java which will allow people to modify their design in few clicks : you activate a design mode on your frontend and then you can select each element of the page and then change some defined css values, like background-color or what you want.
ezComponents integration : eZGuys are close to completely lighten the kernel libs by integrating the eZComponents. The most important change will happen when the integration of the ezcTemplate will be effective. It's a big step for the eZCommunity because we will have to deal with a strict template engine (at last !).
And some new components like Document and Search.

By the way, it was a great time, sharing our knowledge and drinking beers at the at the pub...

Nicolas Pastorino from eZSystems

Bård Farstad and Damien Pobel

Oslo

And then I travelled a bit to reach Oslo... Country, sea and half-light :

Countryside

Seaside

Opera

At night

Conclusion

It was a great trip, lot of emotions, lot of exchanges between people from different countries, and one pledge : next year I will be there, Monseigneur.

:-D

D-2

Tue, 17 Jun 2008 06:45:48 GMT

Exciting ! Only two days before eZConf and the eZAwards !

So a year is gone since last time I trampled the Norvegian floor and I'm ready to go there again. Why ? Simply for the best :

The bigger CMS conference in the world
The eZAward after party
Salmon
Grenland

As a nominee, I would like to wish a good luck to everybody.

However, I've got bad news for everyone, it won't be a pleasure like last year. It seems that we will have bad weather suring the conf but it will be better just after.

And now, a little trick in order to make accept eZFlow by women.

See you in Skien !

Little survey : Who's coming ?

Tue, 20 May 2008 06:23:17 GMT

Hey buddy,

Are you coming to the eZ Conference this year ?

If yes please leave me a comment !

First Android Developper Challenge over

Mon, 19 May 2008 11:13:27 GMT

About two weeks ago, the first ADC is over, and winners are published.
This post will comment few winner applications, positive and negative points on them.

Firstly, I saw in a recent RSS feed that ADC judges are mainly from the Handset Alliance. I think this is quite unfair for some kind of application. Judges are from constructors like HTC, NVidia, Samsung, Telefonica, Motorola, T-mobile *, ASUS, etc... and for a lot of them, they are mobile contructors. By this way, many applications are designed to be winners because of the marketing concept that constructors like to use for selling a mobile. For example, many winners are social networks. I understand that this kind of application will be very used by majority of people (if they have enough money to stay connected to the Internet everytime they use their mobile...), but other applications, that could be really usefull but that are not a very good subject for marketing could be disadvantaged.

A second point that I want to highlight is that in a lot of these winner applications, the user interface is made for a very high resolution. Think that first mobiles using Android won't have such a resolution. In this case, the winner application won't work correctly on many of these phones...

Yet, I was impressed by some of these applications. For example a biometric application called BioWallet that scan eyes for iris based authentication (yes, you will need a very good camera on your mobile now...), or the ability to scan 1D and 2D barcodes.

The past month, I tried the Android SDK, and I enjoyed the easy way to make efficient user interfaces.

The next post I will put on this blog will be about first steps in Android SDK.

The following links talks about the 50 winners of the ADC. See them and imagine what Android will be in few months: