Wednesday, 21 February 2018

Consultant Bingo - A master class

I love a useless term to baffle the room as much as the next fellow but watching a master in a meeting today:

STRIDE Model is Microsoft's Security/Threat classification model.  I had to look it up and found another acronym.  STRIDE is for threat modelling as part of risk management.  Acronym for: 
  1. Spoofing a server
  2. Tampering with a file
  3. Repudiating an order
  4. Information Disclosure
  5. Denial of Service
  6. Elevation of Privilege
DREAD Model is pretty much the same thing.

'RESPECT' for: "I evaluated my DTAP environments cross Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course, all the cross-cutting concerns have been dealt with." 

Three Amigos - Backlog review: PO, SM and Team members get together to discuss design, dev and testing.

YAGNI is an XP principle, "You Ain't Gonna Need It", which basically means you only write code for the current requirements, not for what you feel may be needed later on.  

Pareto Rule - roughly 80% of consequences come from 20% of the causes, or 80% of outputs come from 20% of inputs.  So 80% of revenue may come from 20% of your clients.  Also referred to as the 80-20 rule; the 90-10 rule is the same principle.  Pareto analysis: 80% of a project's benefits can be achieved by doing the right 20% of the work.

A hockey stick pattern is a chart pattern that shows a rapid increase after a period of relative stability.  For example, pizza sales might drastically increase when a pandemic strikes, as people no longer go out to eat and tend to order more delivery pizza.

WSJF (Weighted Shortest Job First) is used in the Scaled Agile Framework (SAFe) for prioritizing tasks.  It is pronounced "Wiz-jiff".  I'm not a fan of this technique.

Useful Glossary:

Architecture Review Board (ARB) - functions as the governance to ensure IT projects/programs align with the business's IT architecture.  Ensures IT initiatives align with the company's IT goals.
Change Advisory Board (CAB) - board of members that evaluates changes and the associated risks to the business.  Has a strong technology influence but is not only technical.  Sometimes CABs in companies are IT focused, dealing with IT change requests, and are more like an ARB.

Friday, 9 February 2018

CORS for SharePoint Requests

Problem:  I wish to create a standard header for my client to lay over multiple applications to tie together branding and global organisation branding.  Similar to what O365 does as shown below:
Provide a common header that logs the user in and dynamically generates the header within SharePoint.  Use an HTTP JavaScript request from multiple child applications to deliver the shared user common header.  As I have numerous applications on sub-domains (e.g. and even so I need to ensure I allow CORS requests that also allow for user authentication.  

"The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers."  Mozilla

Initial Hypothesis:

Option 1 - IIS and SharePoint struggle to handle this requirement using configuration.  For instance, by default, only same-origin requests are allowed.  Adding the header Access-Control-Allow-Origin: * allows any domain, but I can't use credentials with it, so I would need an anonymous site, and then I lose my ability to identify my user and generate a dynamic menu.
Result: Fail.  I receive the following error in the browser: "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true"

Option 2 - Specify multiple sub-domains, i.e. Access-Control-Allow-Origin:,
To do authentication, I now need the following 3 HTTP response headers:
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  I receive the following error in the browser: "The 'Access-Control-Allow-Origin' header contains multiple values '', but only one is allowed".

Option 3 - Specify a single sub-domain, i.e. Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  Works for the hr sub-domain but my other sub-domains fail. I have multiple sub-domains that need access.

Key takeaway: There can only be one Access-Control-Allow-Origin response header, and it can only carry one origin URL.

Option 4 - Dynamically inject the Access-Control-Allow-Origin header.  In SharePoint this means an ISAPI filter, or I need to use Global.asax to set the HTTP Access-Control-Allow-Origin header dynamically from a whitelist of URLs, echoing back the single origin that made the request.  Beware of caching pages downstream (hence the Vary: Origin header).  Alternatively, URL Rewrite can be used on the IIS WFEs.
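As an added example (not code from the original post or from SharePoint), here is the per-request selection logic Option 4 needs, written in Python so it runs stand-alone; the same steps belong in the Global.asax handler or an HttpModule. The origins in ALLOWED_ORIGINS are constructed placeholders, and the allow-list match is exact rather than a substring test.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the child applications' origins (scheme + host only).
# In the Global.asax / HttpModule version this would come from configuration.
ALLOWED_ORIGINS = {
    "https://hr.example.com",
    "https://finance.example.com",
}


def normalise_origin(origin):
    """Return the Origin value as lower-case scheme://host[:port], or None if it
    is missing, 'null', or not shaped like a browser-sent Origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Response headers for a credentialed cross-origin request.

    The requesting Origin is compared against the allow-list by exact match
    (a substring test would let hr.example.com.evil.example pass) and, if
    trusted, echoed back as the single Access-Control-Allow-Origin value.
    Vary: Origin stops a shared cache replaying hr's response to finance.
    """
    origin = normalise_origin(request_headers.get("Origin", ""))
    if origin is None or origin not in allowed:
        return {}  # untrusted origin: no CORS headers, so the browser blocks the read
    headers = {
        "Access-Control-Allow-Origin": origin,  # never '*' when credentials are used
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if "Access-Control-Request-Method" in request_headers:  # preflight OPTIONS
        headers["Access-Control-Allow-Methods"] = "GET, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Accept, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

Header lookup here is case-sensitive on the dict key "Origin"; ASP.NET's Request.Headers collection is case-insensitive, so no extra handling is needed there.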

Thanks to Abhishek Sharma for highlighting my lack of knowledge about CORS requests.