Wednesday, 21 February 2018

Consultant Bingo - A master class

I love a useless term to baffle the room as much as the next fellow but watching a master in a meeting today:

STRIDE Model is Microsoft's Security/Threat classification model.  I had to look it up and found another acronym.

DREAD Model is pretty much the same thing.

'RESPECT' for: "I evaluated my DTAP environments cross Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course, all the cross-cutting concerns have been dealt with." 

Three Amigos - Backlog review: PO, SM and Team members get together to discuss design, dev and testing.

YAGNI is an XP principle "You Ain't Gonna Need It", which is basically only create code for requirements not what you feel may be needed later on.  

Pareto Rule - roughly 80% of consequences come from 20% of the causes.  Also referred to as 80-20 rule. Same principle for 90-10 rule.  Pareto analysis 80% of a projects benefits can be achieved by do the right 20% of the work.

A hockey stick pattern is a chart pattern that shows a rapid increase after a period of relative stability.  For example pizza sales might drastically increase when a pandemic strikes as people no longer go out to eat and people tend to order more delivery pizza.

WSJF (Weighted Shortest Job First) is used in Scalable Agile Framework (SAFe) for prioritizing tasks.  It is pronounce "Wiz-jiff"

Friday, 9 February 2018

CORS for SharePoint Requests

Problem:  I wish to create a standard header for my client to layover multiple applications to tie together branding and global organisation branding.  Similar to what O365 does as shown below:
Provide a common header that logs the user in and dynamically generates the header within SharePoint.  Use an HTTP Javascript request from multiple children applications to deliver the shared user common header.  As I have numerous application on sub-domains (e.g. https://hr.contoso.com https://cash.finance.contoso.com and even https://clients.oldurl.net) so I need to ensure I allow CORS requests that also allow for user authentication.  

"The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers."  Mozilla

Initial Hypothesis:

Option 1 - IIS and SharePoint struggle to handle this requirement using configuration.  For instance, by default, only same origin subdomain requests are allowed.  Adding the header Access-Control-Allow-Origin: * allows for any domain but I can't specify to use credentials so I need an anonymous site, and then I lose my ability to identify my user and generate a dynamic menu.
Result: Fail.  I receive the following error in the browser: "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true"

Option 2- Specify a multiple sub-domains, i.e. Access-Control-Allow-Origin: https://hr.contoso.com,other.contoso.com
To do authentication, I now need the following 3 HTTP response headers:
Access-Control-Allow-Origin: https://hr.contoso.com, https://other.contoso.com
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  I receive the following error in the browser: "The 'Access-Control-Allow-Origin' header contains multiple values '', but only one is allowed".

Option 3 - Specify a single sub-domains, i.e. Access-Control-Allow-Origin: https://hr.contoso.com
Access-Control-Allow-Origin: https://hr.contoso.com
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  Works for the hr sub-domain but my other sub-domains fail. I have multiple sub-domains that need access.

Key take away: There can only be 1 Access-Control-Allow-Origin response header, and the returned Access-Control-Allow-Origin header can only have one URL.

Option 4 - Dynamically inject the Access-Control-Allow-Origin, in SharePoint, this is an ISAPI filter, or I need to use the Global.asax to dynamically set the HTTP Access-Control-Allow-Origin header to a white-list list of URLs.  Beware of caching pages downstream.  Alternatively, URL Rewrite can be used on the IIS WFE's.

Thanks to Abhishek Sharma for highlighting my lack of knowledge about CORS requests.