Taken while leaving work the other evening. Blue sky at my back, sunset in front of me, and grey skies overhead.

What better way to break the drought of posts with some pictures from this year’s Wintersun. This year I focused a lot more on the pin-striping and hood ornaments than in previous years. The aesthetic of the small details on cars, especially when taken out of context by getting really close, is something I find very pleasing. I hope you do too.

Enjoy!

There’s a bit of a mismatch in the XACML specification, in that most of the functions operate on single arguments but attributes are always returned in bags.  This is fine when comparing values in the <SubjectMatch> (and similar) elements as the multi-valued nature of the four AttributeDesignator elements is handled automatically; comparing values in the <Condition > requires a little more effort.

Luckily there are two classes of functions that allow comparison between a single value and bags of values, or between two bags of values.

Comparing a single value to a bag of values

For example, let’s say we need to check of the attribute “department” is equal to “Finance”.  You could do a simple string-equality check as follows:


<Apply FunctionId="string-equal">
 <AttributeValue DataType="#string">Finance</AttributeValue>
 <SubjectAttributeDesignator
  AttributeId="department" DataType="#string" />
</Apply>

This is well and good until the “department” attribute is multi-valued.  In that case, the “string-equal” function will try to compare a string to a bag of strings and fail with either a syntax error or processing error.

There are a two functions to help here, “any-of” and “all-of”.  Both are boolean functions that allow a constant to be compared to a bag of values, with “any-of” returning true if one of the bag members causes a match and “all-of” returning true if all of the bag members return a match.

Our example above can be re-written as:

<Apply FunctionId="any-of">
 <Function FunctionId="string-equal"/>
 <AttributeValue DataType="#string">Finance</AttributeValue>
 <SubjectAttributeDesignator
  AttributeId="department" DataType="#string" />
</Apply>

The “string-equal” function is applied to “Finance” and each attribute returned from the <SubjectAttributeDesignator>.  If any of these comparisons returns true, then the result of the “any-of” function is also true.

Comparing a bag of values to a bag of values

What if we needed to see if the “department” field was in a range of possible values, such as “Finance” OR “Human Resources”?  Using the “any-of” function would fail for the same reasons the original “string-equal” function failed, as a bag of values would be in the place where a single value was expected.

We can use functions such as “any-of-any” to solve this requirement.  “Any-of-any” applies a function between each element of two bags of values, returning true if at least one of these comparisons returns true.  Our example can be expressed as:

<Apply FunctionId="any-of-any">
 <Function FunctionId="string-equal"/>
 <Apply FunctionId="string-bag">
  <AttributeValue DataType="#string">Finance</AttributeValue>
  <AttributeValue DataType="#string">Human Resources</AttributeValue>
 </Apply>
 <SubjectAttributeDesignator
  AttributeId="department" DataType="#string" />
</Apply>

Notice that I’ve also used the “string-bag” function to convert a list of <AttributeValue> elements to a bag suitable for consumption by this function.

I recently travelled to Austin for a month to co-author an IBM Redpaper on our new security policy and entitlements management product, IBM Tivoli Security Policy Manager.  The draft of that Redpaper is now available for download and public comment here.

Here’s the introduction to whet your appetite:

In a growing number of enterprises, policies are the key mechanism by which the capabilities and requirements of services are expressed and made available to other entities. The goals established and driven by the business need to be consistently implemented, managed and enforced by the service-oriented infrastructure; expressing these goals as policy and effectively managing this policy is fundamental to the success of any IT and application transformation, including SOA solutions.

First, a flexible policy management framework must be in place to achieve alignment with business goals and consistent security implementation. Second, common re-usable security services are foundational building blocks for SOA environments, providing the ability to secure data and applications. Consistent IT Security Services that can be used by different components of an SOA runtime are required. Point solutions are not scalable, and cannot capture and express enterprise-wide policy to ensure consistency and compliance.

In this IBM® Redpaper we discuss an IBM product-based end-to-end security policy management solution, which comprises of both policy management and enforcement using IT security services. We also demonstrate by means of customer scenarios how this standards-based unified policy management and enforcement solution can address authentication, identity propagation, and authorization requirements, and thereby help businesses demonstrate compliance, secure their services, and minimize the risk of data loss.

My primary involvement with the product was the development of the Runtime Security Services.  In particular, the XACML engine that provides the authorization service capability.  As written in the Redpaper, the core of the authorization runtime is a high-performance implementation of the XACML v2.0 standard.  It’s been demonstrated at previous interoperability events organized by OASIS (see here, here and here).

Back at the Burton Event in 2007 I was asked a few times “When is this going to be in a product?”.  Tivoli Security Policy Manager is that product.

I’m happy to answer questions about the paper or product to the best of my ability, as well as point people to the appropriate folks within IBM if I can’t help.

I’ve been teaching myself how to generate JVM byte code directly for a side project recently, and got stuck on the following exception a few times:

Exception in thread "main" java.lang.VerifyError: stack shape inconsistent (class: CompiledTest method: evaluate(Lcom/ibm/test/Param;)S) at pc: 2
	at java.lang.J9VMInternals.verifyImpl(Native Method)
	at java.lang.J9VMInternals.verify(J9VMInternals.java:66)
	at java.lang.J9VMInternals.initialize(J9VMInternals.java:127)
	at java.lang.Class.newInstanceImpl(Native Method)
	at java.lang.Class.newInstance(Class.java:1300)
	at TestHarness.execute(TestHarness.java:158)
	at TestHarness.main(TestHarness.java:100)

After a long time Googling unsuccessfully, I hacked around until stumbled across the answer. Turns out this exception is caused when your byte code is attempting to perform an instruction but the stack contains an invalid type for that instruction.

One example is if the top of the stack contains a string but you’re using a operand that expects an integer. Using BCEL:

//Push a string onto the stack
il.append( new PUSH( cg.getConstantPool(), "123" ));

//Attempt to save the top of the stack using "ISTORE"
LocalVariableGen var = mg.addLocalVariable( "var", Type.STRING, il.getEnd(), null );
il.append( new ISTORE( var.getIndex() ));

Note that I’m using the integer-specific ISTORE instruction to save the variable even though I’ve pushed the string “123″ onto the stack!  Try to execute the class generated from this code, and you’ll get the VerifyError from above.

The simple, and obvious in hindsight, fix is to change the ISTORE instruction to ASTORE.

Microsoft’s Windows Communication Foundation (WCF) provides a hook for inserting custom authorization modules to protect your web services.  By implementing a custom ServiceAuthorizationManager as per this tutorial, you can make the decision to allow access based on whatever custom logic you may desire.

Things can get a little tricky if you want to inpsect the incoming message itself, though.  Each message can be read only once in WCF, meaning that if you consume the message during authorization the actual service itself can no longer consume it.

Luckily WCF provides a manner in which you can buffer the message, copy it, and send an unconsumed copy to the underlying service.  Here’s the code I used to get this to work:

public override bool CheckAccess(OperationContext operationContext, ref Message message)
{
    MessageBuffer buffer =
        operationContext.RequestContext.RequestMessage.CreateBufferedCopy(8192);
    message = buffer.CreateMessage();
    Message internalCopy = buffer.CreateMessage();
    buffer.Close();

    //Examine 'internalCopy' during your authorization processing
    return authzResult;
}

The basic technique is outlined in these two posts on Nicholas Allen’s Indigo Blog:

• Basing Authorization on the Message Body
• This message cannot support the operation because it has been copied

When you work with XML as much as I do, quite often you get sent a list of files that are not pretty-printed.  By “pretty-printed”, I mean nicely formatted with each new element on a new line and each nested element indented appropriately.

The files not being nicely formatted makes using command-line tools like grep nigh-on impossible, so quite often you have to format the files before you can get any real work done.

I’ve been using the following script to automatically format whatever XML files I pass it:


#!/bin/bash
for a
do
xmllint --format $a -o $a
done
exit 0


As you can see it just passes whatever arguments I pass to xmllint and over-writes the original in-place.

I’ve called my version of this file prettify.sh, and when it’s in the path you can invoke it like this:

[craigf@eleanor ~]prettify.sh *.xml

Update: I should’ve mentioned that xmllint is part of the libxml2 package. It should be available on most Linux distributions.

I couldn’t resist this new Prowl Transformer. Especially seeing as it’s only $20 or so.

I’m meant to be paying off my credit card dammit!

One of the most popular posts on my blog is my semi-rant on HECS debts, in which I urge people to think about the impact that carrying a HECS debt will have on their lives before they start studying.

Most people found my post through entering a question into Google, and through the magic of Google Analytics I’m going to do my best to answer them all here.  I’ve cleaned up the questions a little for clarity.

Also, the answers here are correct to my knowledge.  If I’m wrong then please let me know, I’ll fix up the article.

1. Are HECS the same as HELP debt?

This one’s easy – yes.

2. What is the HECS-HELP interest rate?

The interest rate on a HECS-HELP debt is equal to the Consumer Price Index (CPI) over the year.  CPI is a measure of inflation, so by changing your HECS-HELP debt at the same rate it is pegged at the same amount relative to everything else.

The indexation applied to my HECS debt this year was 2.8%

3. What happens when you finish paying your HECS debt?

You get an effective pay rise of about 6%!  The money that was automatically taken out by your employer via PAYG now goes straight into your bank account.

4. How much does HECS take out of pay?

Here is the repayment schedule for the 2008-2009 year (source):
 

5. If I pull out do I still have to pay HECS?

Yes – any debt you’ve incurred in previous semesters of study you have to pay.  If you’ve just started a new semester and are withdrawing from a particular subject, you have a month or so to withdraw from the course without incurring a debt for it.

6. What is the average age to pay HECS debt back?

This is a really tough question to answer, and a bit of Googling of my own failed to turn up any real data.  It’s pretty easy to calculate your specific scenario though – you can easily calculate your expected debt by the end of your degree, then look at somewhere like Seek to find the average income for the career you head into.  The rest is spreadsheet magic!

7. Am I better off paying off my HECS-HELP debt?

In my opinion, the answer to this is no – with one caveat.  The interest rate on your debt is as low as you’re ever going to see.  It’s even lower than the money you can earn by putting your cash in the bank instead! You’re better off putting your money in an ING account and letting it sit.

The caveat is if you can completely pay off the remainder of your debt.  You get a 10% bonus for making a voluntary repayment.  If you pay off the debt, the return on that money is 10% straight away.  If you don’t pay it off completely, the return on that money must be split across the years your debt remains (as you get no further earnings from that money as you would in a bank).   This reduces the effective interest rate each time, 5% pa over 2 years; 3.3% over 3 years, and so on.

Talk to a financial advisor before you make any decisions though.

8. Am I eligible for HECS for second degree?

From the Government’s site:

Does an existing HELP debt affect my eligibility for HECS-HELP?

No.  An existing HELP debt does not affect your eligibility for HECS-HELP

Looks like you’ll be fine for a second degree.

9. What happens to my HECS debt after leaving the country and returning?

While you’re not earning any taxable income in Australia, you don’t have to make any repayments.  The debt doesn’t go anywhere though – it just sits around increasing at CPI every year.  When you start earning taxable income in Australia again you have to make repayments again.

Almost a year and a half ago I wrote a post on how “owning” the bank can be more profitable than simply putting your money in the bank.  I compared the increase in value you’d get from placing $1000 in an ING Direct Savings Maximiser account with buying the equivalent value of stock in four major Australian banks.  The comparison showed a return on investment of between around 10% per annum and 17% per annum, which was significantly higher than ING’s interest rate of 6%.

That post was written in a time of economic prosperity, and the results reflected the stellar results that stocks had seen in the previous year.  Things dramatically changed in November last year, with the ASX 200 dropping in value dramatically to the present day.  From a high of 6851 in November the index has dropped to a low of 4758 this month (so far), representing a decline of roughly 30% since November.

In light of this economic change does it still make sense to buy stock?

I made the same comparison over the year from 1st August 2007 to 31st July 2008, and the results were the exact opposite of last year’s!

In this year, the banks lost a minimum of $100 of a $1000 investment – that’s a minimum loss of 10%! The worst performing bank, Suncorp Metway*, lost $241 or 24%!

ING, in comparison, made a nice steady gain of $70.

This is a perfect reflection of the risk inherent in buying stock.  You trade potentially higher gains, for a higher risk of losing money.  This risk was definitely realized in the past year.

(Hat tip to HiredGoon of bubblepedia.net.au for getting me thinking about this again.)

* Interestingly, Suncorp Metway was also the worst performing bank in my last comparison.