SharePoint Host Name Site Collection




SharePoint supports two kinds of site collection: path-based (for example http://server/sites/name) and host-named, where each site collection answers on its own host name (for example http://HostA.SharePoint.com).

In SharePoint 2010 and SharePoint 2013, Central Administration has no option to create a host-named site collection (HNSC); it has to be created with PowerShell.

The following PowerShell commands create a web application and two HNSCs inside it.



# Prompt for the password of the account that will run the application pool.
$cred = Get-Credential 'sphost\administrator'
$adminMA = New-SPManagedAccount -Credential $cred

# Create the web application that will host the HNSCs. No -HostHeader is given,
# so IIS routes every host name arriving on port 9001 to this web application.
New-SPWebApplication -Name 'HostNameTest' -ApplicationPool "HostNameTest" -ApplicationPoolAccount $adminMA -Port 9001

$w = Get-SPWebApplication "HostNameTest"

# Each site collection gets its own host name via -HostHeaderWebApplication.
New-SPSite http://HostA.SharePoint.com:9001 -OwnerAlias "sphost\administrator" -HostHeaderWebApplication $w -Name "HostA" -Template "BLANKINTERNETCONTAINER#0"
New-SPSite http://HostB.SharePoint.com:9001 -OwnerAlias "sphost\administrator" -HostHeaderWebApplication $w -Name "HostB" -Template "BLANKINTERNETCONTAINER#0"

Before browsing to the sites, make sure HostA.SharePoint.com and HostB.SharePoint.com resolve (DNS records or hosts-file entries) to the SharePoint server: the site collection is selected purely from the Host header of the incoming request.

How does HTTPS work in a browser

This is a short note on how HTTPS communication works.

In HTTP, data crosses the network in clear text, so anyone on the path can read it (sniffing) or alter it and impersonate the server (a man-in-the-middle attack). That makes plain HTTP unsuitable for sensitive data. HTTPS addresses both problems by carrying the same HTTP messages over a secure channel: encryption defeats sniffing, and server authentication (the server proves possession of the private key that matches its certificate) defeats spoofing.

We will cover the following points:
  1. What is HTTPS
  2. Difference between HTTP and HTTPS
  3. HTTPS request flow

What is HTTPS
HTTPS is Hypertext Transfer Protocol over SSL (Secure Sockets Layer), or in practice over its successor TLS (Transport Layer Security). It is also called HTTP over SSL or HTTP Secure. HTTPS encrypts the pages (data) exchanged between the web server and the web browser and decrypts them at the other end.

It is used wherever authentication is required or sensitive data such as credit card details or passwords has to be exchanged.

Difference between HTTP and HTTPS
The default port for HTTP is 80; for HTTPS it is 443. HTTPS works by transmitting ordinary HTTP requests and responses through an encrypted channel, so the HTTP layer itself is unchanged.

HTTPS request flow

Two parties are involved in HTTPS communication:

1. Server: a web server or application server. In our use case it hosts the applications and mandates the use of HTTPS.
2. Client browser: the machine that requests a resource (page), typically through a browser such as IE, Firefox or Chrome.

The request flow is shown in the figure below.

[Figure: how HTTPS works, the handshake between browser and server]

This completes the handshake: both sides now hold the same shared secret, called the session key.
All further communication between client and server is protected with this session key.

When subsequent requests are made, the client encrypts the request with the session key and the server decrypts it; the server encrypts its response with the session key and the client decrypts it.



Good to know answers:

Why use a session key instead of doing all communication with the public and private keys?
Public-key (PKI) operations are CPU-intensive, so they are not used for the whole conversation; they are used only to establish the session key. All further traffic between server and client is protected with that symmetric key, which is far cheaper per byte.

Difference between HTTPS and SSL?

SSL (and its successor TLS) is a cryptographic protocol for secure communication over a network. It is independent of the application protocol and can carry HTTP, FTP, SMTP and others.

HTTPS: HTTP is the protocol used to request and receive the data; HTTPS is simply HTTP carried over SSL/TLS.

Premaster secret: in an RSA key exchange the client generates a premaster secret and sends it to the server encrypted with the server's public key (taken from the certificate); only the holder of the matching private key can recover it.

Session keys: both sides derive the master secret and then the session keys from the premaster secret together with the client random and server random exchanged in the handshake, so every connection gets fresh keys.
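As an added example (not part of the original post), here is the derivation the two answers above describe, in Python with only the standard library: the TLS 1.2 PRF from RFC 5246 turns the premaster secret and the two random values into the master secret and then into the per-direction session keys; both sides compute it independently and end up with identical keys, and one record is then protected with the cheap symmetric key. The HMAC-based keystream used for that last step is an illustrative stand-in for the real cipher suite, not a secure cipher, and the key and MAC sizes are assumptions.

```python
# Added example, not from the original post: TLS 1.2 key derivation (RFC 5246)
# from premaster secret + client/server randoms, run on both "sides".
# The toy cipher at the end only illustrates symmetric use of the derived key;
# it is NOT a secure cipher. Key/MAC sizes below are assumptions.
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: expand secret+seed to `length` bytes."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 32, key_len: int = 16) -> dict:
    """Master secret (RFC 5246 8.1) and key block (6.3), split into session keys.

    Both peers run this with the same inputs and obtain identical keys, so only the
    48-byte premaster secret ever needs the expensive public-key protection.
    """
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Note the reversed order of the randoms for key expansion (server first).
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len)
    keys, off = {}, 0
    for name, size in (("client_mac", mac_len), ("server_mac", mac_len),
                       ("client_key", key_len), ("server_key", key_len)):
        keys[name] = block[off:off + size]
        off += size
    keys["master_secret"] = master
    return keys


def toy_encrypt(key: bytes, seq: int, data: bytes) -> bytes:
    """Illustrative only: XOR with an HMAC-derived keystream standing in for the
    record-layer cipher. Decryption is the same call with the same key and seq."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, seq.to_bytes(8, "big") + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake_demo(premaster=None):
    """Derive keys on both sides and pass one server->client record over the toy cipher."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    # Premaster secret: 2-byte TLS version + 46 random bytes (RFC 5246 7.4.7.1)
    premaster = premaster or b"\x03\x03" + os.urandom(46)
    client_keys = derive_keys(premaster, client_random, server_random)
    server_keys = derive_keys(premaster, client_random, server_random)
    # "Subsequent requests": server encrypts with the session key, client decrypts
    record = toy_encrypt(server_keys["server_key"], 1, b"HTTP/1.1 200 OK\r\n\r\nhello")
    plaintext = toy_encrypt(client_keys["server_key"], 1, record)
    return client_keys, server_keys, plaintext


if __name__ == "__main__":
    c, s, pt = handshake_demo()
    print("keys match:", c == s)
    print("decrypted:", pt)
```

The reversed random order in the key-expansion seed is deliberate and is the detail most often got wrong when people re-implement this; with the randoms the wrong way round both sides still agree with each other but not with a real peer.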


Why do SSL certificates exist?

Encryption and identification: the certificate carries the server's public key (used to protect the key exchange) and binds it to the server's name with the signature of a certificate authority the browser trusts, so the browser can check that it is talking to the right server and not to an impostor.

What is SSLeay?
SSLeay is the original SSL/TLS implementation library, developed by Eric Young; OpenSSL started as a fork of it.


HTTP Basic Authentication

HTTP Basic Authentication explained using Tomcat as an example.

Use case: Tomcat with basic authentication.

Most of you have probably used Tomcat and tried to look at the list of deployed web applications. When the user clicks the Manager App link, the browser shows a pop-up challenge for a username and password; the user enters the credentials and gets the list of deployed apps. (Refer to Appendix A for the username and password.)

[Figure 1: Tomcat challenging for credentials]

A few questions this post tries to answer:
  1. How does the browser throw a pop-up challenge when a protected page is accessed?
  2. How are the username and password transferred from the browser to the Tomcat server?

Topics:
  1. Tomcat basic authentication flow
  2. Basic authentication HTTP headers
Tomcat basic authentication flow

Scenario: let us look at the flow between the user's browser and the Tomcat server when a user tries to access a protected page on the server.

[Figure: basic authentication flow using Tomcat. On the left is the user's browser, on the right the Tomcat server.]

Note: /manager/html is a protected resource in Tomcat.

Step 1 (from user browser to Tomcat server)
  1. The user tries to access a protected page on Tomcat, i.e. /manager/html.
  2. The HTTP method used here is GET.
  3. The request carries the address of the Tomcat server in the Host header. See the HTTP headers below that flow during the transaction.

[Figure: sample HTTP headers for the Step 1 request and Step 2 response]

Step 2 (from Tomcat server to user browser)
  1. Because the requested URI (/manager/html) is a protected resource, Tomcat checks whether credentials were sent with the request.
  2. No credentials are present, so Tomcat does not serve the page; instead it issues a challenge.
  3. To challenge the user for credentials, Tomcat must make the browser show the pop-up from figure 1:
    1. Tomcat sends HTTP response code 401 (Unauthorized). On seeing 401, the browser understands that the request was not authorized and that it needs to show a basic authentication pop-up for credentials.
    2. Tomcat additionally sends the WWW-Authenticate header with the word Basic and a realm name:
                          WWW-Authenticate: Basic realm="Tomcat Manager Application"

WWW-Authenticate: Basic means Tomcat expects credentials in the basic authentication format.
realm="Tomcat Manager Application" is the realm name; when the browser shows the pop-up it uses "Tomcat Manager Application" as the name in the challenge (see figure 1). The realm also tells the browser which stored credentials to reuse on later requests to the same server and realm.

Step 3 (from user browser to Tomcat server)
  1. The user enters the username and password in the pop-up challenge.
  2. The browser joins the username and password with a colon and base64-encodes the resulting string.
      Example: tomcat:s3cret     (username:password)
               base64 encoding of username:password yields
               base64("tomcat:s3cret") = 'dG9tY2F0OnMzY3JldA=='
  3. The browser sends the Authorization header, "Authorization: Basic" followed by the base64 value, to the server. The word Basic in the Authorization header means the browser is sending the credentials in basic authentication format. Note that base64 is an encoding, not encryption: anyone who can read the header can recover the password, which is why Basic authentication should only be used over HTTPS.

[Figure: sample HTTP headers for the Step 3 request and Step 4 response]

Step 4 (from Tomcat server to user browser)
  1. The Tomcat server receives the request and looks for the Authorization header.
  2. Tomcat base64-decodes the value of the Authorization header.
  3. It validates the username and password against its configured realm (here conf\tomcat-users.xml) and, if they match, serves the requested page.



Basic authentication HTTP headers:

The two headers involved in basic authentication are WWW-Authenticate and Authorization.

WWW-Authenticate:
WWW-Authenticate is a response header. When the server receives a request for a protected page without an acceptable Authorization header, it responds with a "401 Unauthorized" status code and a WWW-Authenticate header.
WWW-Authenticate: <Auth-type> realm="<Custom name for the realm>"
The custom name for the realm is displayed during the challenge.
ex:                          WWW-Authenticate: Basic realm="Tomcat Manager Application"

Authorization header:

When the browser wants to send credentials to the server it uses the Authorization header. It is a request header and looks like Authorization: Basic <base64-encoded credentials>. The browser keeps sending it on every subsequent request to the same realm, so there is no real "logout" in Basic authentication other than closing the browser.

ex:                                 Authorization: Basic dG9tY2F0OnMzY3JldA==

Answers to the questions:

  • How does the browser throw a pop-up challenge when the page is accessed?
Answer: On accessing a protected page without valid credentials, the server sends HTTP response code 401 together with a WWW-Authenticate header to the browser, and the browser shows the pop-up challenge.
  • How are the username and password transmitted from the browser to Tomcat?
Answer: The credentials are joined as username:password, base64-encoded and sent to the server in the HTTP Authorization request header. Base64 is reversible, so the password is effectively sent in clear text; only the HTTPS channel protects it.
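The server side of this exchange, as an added example in Python that is not part of the original post or of Tomcat: it builds the Authorization header the way the browser does in Step 3, parses it the way the server does in Step 4 (rejecting anything that is not well-formed Basic and splitting on the first colon only, so passwords containing ':' work), and returns either the 401 challenge from Step 2 or 200. The header names, status code and realm syntax are those of RFC 7617; the REALM and USERS values, the function names and the sample requests are constructed for the illustration, with USERS mirroring Appendix A.

```python
# Added example, not from the original post or from Tomcat: the Basic
# authentication flow as plain functions. USERS mirrors Appendix A; REALM,
# the function names and the sample requests are constructed for this demo.
import base64
import binascii
import hmac

REALM = "Tomcat Manager Application"
USERS = {"tomcat": "s3cret"}            # constructed, mirrors tomcat-users.xml in Appendix A


def build_authorization(username: str, password: str) -> str:
    """What the browser does in Step 3: 'user:pass' -> base64 -> 'Basic <token>'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: str):
    """Return (username, password) or None if the header is not well-formed Basic.

    This is the Step 4 decode; note it recovers the password in the clear, which
    is why the header must only ever travel over HTTPS.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the FIRST colon separates user and password (RFC 7617 2.1).
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_request(headers: dict):
    """Steps 2 and 4 on the server: (401, challenge) or (200, {}).

    The same challenge is returned for a missing header, a malformed header,
    an unknown user and a wrong password, so the response does not reveal which.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_authorization(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    username, password = creds
    expected = USERS.get(username, "")
    # compare_digest keeps the comparison time independent of where the strings differ
    ok = username in USERS and hmac.compare_digest(expected.encode(), password.encode())
    return (200, {}) if ok else (401, challenge)


if __name__ == "__main__":
    print(check_request({"Host": "localhost:8080"}))                      # Step 1 -> Step 2
    hdr = build_authorization("tomcat", "s3cret")                          # Step 3
    print(hdr, parse_authorization(hdr), check_request({"Authorization": hdr}))  # Step 4
```

In a real deployment the plaintext USERS table would be replaced by a store of salted password hashes; the header handling stays exactly the same.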


Good to know facts:
Appendix A:

The default username and password are tomcat and s3cret respectively, provided the lines below are present in conf\tomcat-users.xml:

 <role rolename="manager-gui"/>
 <user username="tomcat" password="s3cret" roles="manager-gui"/>

Do not leave this sample account on a reachable Tomcat: the manager application can deploy arbitrary web applications, so a guessed manager password gives code execution on the server.


Appendix B:

Base64: MIME's Base64 alphabet uses A-Z, a-z and 0-9 for the first 62 values, then '+' and '/', with '=' as padding. Every 3 input octets become 4 encoded characters, which is why the 13 bytes of "tomcat:s3cret" become 20 characters ending in "==".

[Table: Base64 alphabet of encoded values]





Final word..
Thanks to my friends for their support:).

Authentication

Let us try to explain what authentication means in the information security domain.

Authentication is identity validation: the process of determining whether a user or entity is who it claims to be. The typical example is the login credentials entered to sign in to a site or portal. (It is distinct from authorization, which decides what an authenticated identity is allowed to do.)

Authentication factors are classified into three types:

1. Something you know
2. Something you have
3. Something you are


1. Something you know.
This is knowledge-based authentication. The typical example is the username/password that we use every day to log in to a site. It is the most widely used technique.

[Figure: remember user name and password]

Examples:
Password, PIN numbers.

Advantages:
1. Simple mechanism and easy to implement.

[Figure: forgot password]

Drawbacks:
1. People tend to forget passwords.

2. Easy to crack: brute-force and dictionary attacks are common, and a password reused across sites is only as safe as the weakest site that stores it.

"A password that is easy to remember is generally also easy for an attacker to guess."

Prevention mechanisms:
CAPTCHA, forced lockout (or rate limiting) after a number of failed attempts, and one-time passwords are mechanisms that help prevent the attacks above. On the server side, passwords should be stored only as salted, slow hashes so that a leaked database does not hand the attacker the passwords directly.
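As an added example (not from the original post), here is a "something you know" check in Python that applies two of the mitigations above: the stored secret is a salted PBKDF2 hash (hashlib.pbkdf2_hmac from the standard library), so each guess costs real CPU time and a leaked store does not contain passwords, and an account is locked after a number of consecutive failures. The iteration count, the lockout threshold, the class and function names and the sample account are assumptions made for the illustration.

```python
# Added example, not from the original post: password verification with a
# salted slow hash plus lockout after repeated failures. ITERATIONS,
# MAX_FAILURES and the sample account are assumptions for the illustration.
import hashlib
import hmac
import os

ITERATIONS = 100_000     # assumption: cost that makes a guess slow but a login acceptable
MAX_FAILURES = 5         # assumption: lockout threshold


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class PasswordStore:
    """Holds salt+hash per user (never the password) and counts consecutive failures."""

    def __init__(self):
        self._users = {}       # username -> (salt, digest)
        self._failures = {}    # username -> consecutive failed attempts

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)
        self._failures[username] = 0

    def is_locked(self, username: str) -> bool:
        return self._failures.get(username, 0) >= MAX_FAILURES

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'.

        Unknown users get 'bad' rather than a distinct answer, and a hash is still
        computed for them, so neither the response nor its timing reveals which
        usernames exist.
        """
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        if record is None:
            hash_password(password)          # burn the same CPU time as a real check
            return "bad"
        salt, digest = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            self._failures[username] = 0     # success resets the counter
            return "ok"
        self._failures[username] += 1
        return "bad"


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("alice", "correct horse")
    print(store.verify("alice", "correct horse"))
    for _ in range(MAX_FAILURES):
        print(store.verify("alice", "guess"))
    print(store.verify("alice", "correct horse"))   # locked now, even with the right password
```

Lockout trades one problem for another: an attacker who knows a username can lock its owner out on purpose, so production systems usually pair a short lockout with rate limiting per source and a CAPTCHA rather than a permanent lock.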




2. Something you have.
This is ownership-based authentication: it is based on something the principal (the authenticating entity) possesses.
An access card swiped at the entrance and exit of a door is a typical use case for this kind of authentication.

[Figure: access card swiping at entrance]

An attacker must obtain or copy the token in order to break this kind of authentication.

Examples:
1. Magnetic stripe cards (credit cards/ATM cards)
2. Smart cards (challenge/response cards and cryptographic calculators)


3. Something you are.

This is based on physiological or behavioral characteristics to verify the identity of an individual.

[Figure: fingerprint, biometric authentication]

Every individual has unique biometric data, and an individual's behavioral or physiological characteristics can reliably distinguish an authorized person from an unauthorized one.

Examples:
1. Biometrics include fingerprints, retina scans, voice, face, hand geometry, and so on.

Advantages:
Hardest to break: the characteristic cannot be forgotten or lent to someone else.

Disadvantages:
Cost and availability.
False acceptance and false rejection rates of the devices; and unlike a password, a compromised biometric cannot be changed.


Application of the principles:
Each of the factors above can be used alone or in combination with one or both of the others. When the factors are combined, authentication becomes much harder to break, because the attacker has to defeat two independent kinds of proof.

Multi-factor authentication:
An ATM card is a simple example: it combines "something you have" (the ATM card) with "something you know" (the PIN). Even if the card is lost, the PIN is still required to authenticate.

Java Collections Cheat Sheet

Java Collections Framework

Collections are among the most widely used concepts in Java. Most of the time I get confused about when to use which type of collection. If it is the same for you, this post attempts to clear that confusion: I have tried to list the parameters that can be used to make the decision.

Topics:
Collections
Collection interfaces
Collections cheat sheet
Collection examples

Collection framework:
The Java Collections Framework provides mechanisms to store, retrieve and manipulate objects.
All collection interfaces and classes are in the java.util package.

Core interfaces for collections
Collection is the root of the collection hierarchy.

SortedSet: a Set that maintains its elements in ascending sorted order.
SortedMap: a Map that maintains its keys in ascending sorted order.

The decision about which collection class to use depends on the following factors:
  • Ordered (is the iteration order predictable?)
  • Sorted
  • Duplicates allowed
  • Synchronized (thread safe)

Collection interfaces:

Interface   Definition                                                                          Has duplicates
List        A data structure whose stored objects can be accessed by index.                    Yes
Map         Stores key/value pairs. Duplicate keys are not allowed; values can repeat.         Keys no, values yes
Set         Does not allow duplicate elements; elements cannot be accessed by index.           No
Queue       Elements are ordered for processing, typically FIFO.                               Yes
Deque       A double-ended queue: a linear collection supporting insertion and removal at both ends, so it can be used FIFO or LIFO.   Yes

Collection cheat sheet:

Ordered: elements are kept in an order, and when you iterate over them you know in which order they come back.
Sorted: elements are kept in sorted order; the order comes from the elements' natural ordering or from a Comparator.
Thread safe: the methods are synchronized, so the class can be used from several threads without external locking (for individual operations; compound operations such as check-then-put still need a lock).

[Figure: collection classes and the interfaces they implement. Map does not extend the Collection interface.]



The parameters below can be used to choose which data structure to use.

Collection      Implements      Ordered    Sorted  Synchronized    When to use it
                interface                          (thread safe)
ArrayList       List            Yes        No      No              1. When retrieving/accessing elements is the primary aim.
                                                                   2. Random access to elements by index.
Vector          List            Yes        No      Yes             When thread safety matters more than retrieval speed.
LinkedList      List, Deque     Yes        No      No              When insertion and deletion are the primary task rather than indexed access.
HashSet         Set             No         No      No              When the only requirement is that elements are unique.
LinkedHashSet   Set             Yes        No      No              When elements must come back in insertion order.
TreeSet         Set             Yes        Yes     No              When elements must be kept sorted (ascending by default).
HashMap         Map             No         No      No              When fast access is required and no synchronization is needed.
Hashtable       Map             No         No      Yes             Synchronized map; neither null keys nor null values are allowed.
LinkedHashMap   Map             Yes        No      No              When keys must come back in insertion order (predictable iteration order).
TreeMap         Map             Yes        Yes     No              When a sorted map with key/value storage is required.
ArrayDeque      Deque           Yes        No      No              No null values; no index access. Efficient insertion and removal at both ends.
PriorityQueue   Queue           Head only  No      No              No null values. The element removed is not necessarily the first one added but the one with the highest priority (the head); the iterator order is not guaranteed.

Collection Examples:
All the examples were compiled on Java 1.7 update 21.



ArrayList example:

Standard arrays are fixed in size and cannot grow or shrink. ArrayList solves this problem: it can grow dynamically. It has an initial capacity, and when that capacity is exceeded the backing array is automatically enlarged. Removing objects does not shrink the backing array automatically; call trimToSize() to release unused capacity. Elements are accessed by index.

import java.util.ArrayList;

public class ArrayListExample {
    public static void main(String[] args) {
        // initial capacity of 10; grows automatically when exceeded
        ArrayList<Integer> arrayList = new ArrayList<Integer>(10);
        arrayList.add(45);
        arrayList.add(48);
        arrayList.add(4);
        // retrieve an element using its (0-based) index: prints 4
        System.out.println(" Accessing using index " + arrayList.get(2));
        // remove(int) removes by INDEX; remove(Integer.valueOf(48)) would remove by value
        arrayList.remove(1);
        // print all remaining elements: [45, 4]
        System.out.println(" print ArrayList elements " + arrayList);
    }
}


HashSet example:

import java.util.HashSet;

public class HashSetExample {

    public static void main(String[] args) {

        HashSet<Integer> hashset = new HashSet<Integer>();

        // add() returns true if the element was inserted, false if it was already present
        if (hashset.add(34))
            System.out.println(" Element is inserted");
        else
            System.out.println("Element Cannot be inserted, duplicate");

        // second add of the same value: the set rejects the duplicate
        if (hashset.add(34))
            System.out.println(" Element is inserted");
        else
            System.out.println("Element Cannot be inserted, duplicate");
    }

}




TreeMap example:

import java.util.Map;
import java.util.TreeMap;

public class TreeMapExample {
    public static void main(String[] args) {
        // keys are kept in their natural (alphabetical) order, not insertion order
        TreeMap<String, Integer> treemap = new TreeMap<String, Integer>();
        treemap.put("first", 1);
        treemap.put("second", 2);
        treemap.put("three", 3);
        treemap.put("four", 4);

        // prints {first=1, four=4, second=2, three=3}
        System.out.println(treemap);

        // iterate over the entries; the generic entry type makes a raw Map.Entry cast unnecessary
        for (Map.Entry<String, Integer> entry : treemap.entrySet()) {
            System.out.println(entry.getKey());
        }
    }
}






Good to know facts:
=======================================================
1. When to use
HashMap: when inserts, deletes and lookups by key are the main operations and order does not matter.
TreeMap: when the keys must be traversed in sorted order (or range views such as headMap/tailMap are needed).

=======================================================
List of thread-safe classes in the collections framework

Vector, Hashtable and Stack are synchronized classes and can be termed thread-safe (for individual operations).

=======================================================
What is the difference between HashMap and Hashtable?
------------------------------------------------------------------------------------
HashMap                                          |         Hashtable
------------------------------------------------------------------------------------
Allows one null key and null values              |      Allows neither null keys nor null values
Not synchronized (not thread safe)               |      Synchronized (thread safe)

===================================================

Sets do not allow duplicates.

===================================================

Maps do not allow duplicate keys.

=================================================