lunes, 5 de marzo de 2018

SpecUIAddOns release

I released yesterday SpecUIAddOns, a MIT library providing additional SPEC widgets not included in Pharo Smalltalk by default.

If you have any suggestions for how this package could be improved, please get in touch or suggest an improvement using the GitHub issues page. Installation, screenshot and usage instructions are provided in the GitHub page.

domingo, 18 de febrero de 2018

PI Announcement

Today I just released PI, a MIT-pip-like command line program for Pharo Smalltalk.

PI stands for Pharo Install. It is written in bash and tested successfully under Windows (MSYS) and GNU/Linux. Currently supports listing and searching pacakges both in SmalltalkHub and GitHub, Pharo image installation, installing packages from SmalltalkHub, and more features comming. Everything is available through command-line options, such as pip, yum, apt, and other well-known package managers.

For parsing SmalltalkHub repository list, XMLLint is required. For parsing GitHub JSON results, jq is automatically downloaded if not found in the current directory.

You can download PI at the GitHub repository:

Try and play around, if you found any bugs or want to integrate new feature, feel free to submit PR.

martes, 18 de julio de 2017

Iliad version 0.9.6 released

Lately I have been playing with the Iliad Web Framework, and decided to publish some updates which I want to share with you:

  • A new web site based in GitHub pages, with install instructions, screenshots and links to pre-loaded images and documentation.
  • Updated Iliad to load in Pharo 6.0
  • Added an Iliad Control Panel, based in the Seaside one, which allows to create/inspect/remove web server adapters, start or stop them. The difference with the Seaside Control Panel is that the Iliad one let you to choose the start mode (debug, verbose or deploy). Currently only the Comanche Web Server is used, but I borrowed also the underlying classes behind the Control Panel to support future web server adapters such as Zinc HTTP Components.
  • Added an experiemental Spec Sessions Browser to manage live sessions.
  • Thanks to the work of Benoit Astruc, jQuery version was updated to 1.12.4 and #debugMode start was fixed.

Please let us know what do you think and what could be improved.

lunes, 5 de septiembre de 2016

Territorial: A new package for Geographical Information Retrieval for Smalltalk

Territorial is a Smalltalk library for Geographical Information Retrieval (GIR) in geopolitical objects. It was originally designed for a Phylogeographic Information Retrieval system based in BioSmalltalk.

There will be no scripts in this post, everything is explained in the Territorial User Manual (PDF). The Territorial library has two locations: SmalltalkHub is where I will commit latest changes. The GitHub repository for bug reporting and maintaining documentation until I find comfortable using GitHub from Pharo in Windows.

Territorial is also a never-ending task, a library like this couldn't ever be finished. But now it is public under the MIT license, ready to get your ideas, issues and patches. If you want to discuss about features, ports to platforms or other collaboration opportunities, please do not hesitate to contact me.

miércoles, 1 de junio de 2016

Detecting system platform in Smalltalk

This is a short post describing how to detect the system platform (Operating System) where your virtual-machine is running. You can use the following expressions in several major Smalltalk flavors:


" Pharo >= 4 "
Smalltalk os isWin32.
Smalltalk os isMacOS.
Smalltalk os isMacOSX.
Smalltalk os isUnix.
" Pharo 3 "
OSPlatform current isWindows.
" Pharo 2 "
OSPlatform isWin32.

VisualWorks >= 7

ExternalInterface currentPlatform.

Dolphin 7

OSVERSIONINFO current osName.
OSVERSIONINFO current isWinV5OrLater
OSVERSIONINFO current isWinV6OrLater
OSVERSIONINFO current isWinVista
OSVERSIONINFO current isWinXPOrLater

miércoles, 25 de mayo de 2016

Visualize commit history in Pharo


This is another GraphViz post for Pharo Smalltalk. A few days ago I committed a working version of GraphBuilder. It was mostly coded by Lukas Renggli and I updated the package to work with the current Pharo images and added minor features (like displaying commit date in the nodes).

Installation and Usage

To install the package, open the Catalog Browser, select and install GraphViz, or evaluate the following expression:
Gofer new
 smalltalkhubUser: 'hernan' project: 'GraphViz';
 package: 'ConfigurationOfGraphViz';
((Smalltalk at: #ConfigurationOfGraphViz) project version: #stable) load: #('Tools').
The usage is pretty simple and just requires to select the repository to analyze:
GBAncestryBuilder select.
Depending upon the repository selected, it could take some time to complete since it needs to fetch all repository packages (so please, use it with caution).

On completion, two files are generated in the dot subdirectory on the working directory, one for the textual DOT language and the other one in PNG format.


Follows some outputs from analyzing several repositories:

History of OrderPreservingDictionary, a special class of Dictionary where order is preserved:
Visual history of Connectors, a Morphic package to make connected drawings (you may want to check Roassal for a more updated visualization engine):
And finally, a graph of CommandShell, an Unix command shell simulator for Squeak and Pharo Smalltalk:

domingo, 9 de agosto de 2015

New ISO 3166-1 implementation for Pharo Smalltalk


If your application lists any of Yugoslavia, Czechoslovakia, South Yemen, USSR, Serbia and Montenegro countries then you have an obsolescence problem. The same as if it doesn't known about South Sudan, Jersey or East Timor.

Geopolitical map has changed, countries around the world have dissolved, merged and new ones were created. As of August 2015, ISO web site lists 249 official countries. Unfortunately their list is not made available free of charge, but there are a few reliable places where its lists is available (ex: Wikipedia).

To keed updated regarding world political situation and providing more features, I developed an ISO 3166-1 wrapper to access objects into a ISO3166 model. This is, including only information contained in the ISO standard, not calling codes, not language tags or other data located at external standards. Installation instructions, usage and reference links are provided in this document. Code is in the SmalltalkHub repository. The Metacello Configuration is accessible from the Pharo Configuration Browser, in Pharo 4 (released in 2015), or Pharo catalog in Pharo 5 (to be released in 2016).

Documentation is available in PDF format. Suggestion, fixes and improvements are very welcome. Don’t hesitate to contribute if you want to add new features.


To get a sorted Collection with all ISO-3166 codes:
ISO3166P1 sortedIso3166Codes.
To obtain a Collection of all the countries with all ISO-3166 country names:
ISO3166P1 sortedCountryNames.   " a SortedCollection('Afghanistan' 'Albania' 'Algeria' ... "
Get an ISO3166P1Code of France from 2-letter or 3-letter code:
ISO3166P1 atLetterCode: 'FR'.
ISO3166P1 atLetterCode: 'FRA'.  " an ISO3166P1Code (France) "
Obtain a String with the ISO 3166 code number for Zimbabwe:
ISO3166P1 codeNumberFrom2LetterCode: 'ZW'. "716"
Obtain the three-letter String country code of Niger:
(ISO3166P1 atCountryName: 'Niger') codeThreeLetter. " 'NER' "
(ISO3166P1 atCountryName: 'nIGeR') codeThreeLetter. " 'NER' "
Obtain the two-letter String country code of Burundi:
(ISO3166P1 atCountryName: 'Burundi') codeTwoLetter. " 'BI' "
Obtain a String representing the country code top-level domain of Denmark:
(ISO3166P1 atCountryName: 'Denmark') ccTLD. " '.dk' "

miércoles, 15 de abril de 2015

Iliad 0.9.4 is out


I have updated the Iliad Web Application Server to load properly in Pharo 4 (good tutorials here and here). All tests passes. As usuall you can load it from the Configuration Browser or by evaluating the expression:
Gofer it
 smalltalkhubUser: 'hernan' project: 'Iliad';


Start the Iliad Web Application Server in port 8888 using the Comanche/Kom Web Server adapter:
IliadKom startOn: 8888.
And point your browser to: http://localhost:8888/ Stop all servers:
IliadKom stop.
If things go bad you can start Iliad in Debug Mode:
IliadKom startDebugOn: 8888.
and enjoy the opened Debugger in the signaler method when an exception is signaled.


  • Use the Grease latest stable version which includes a fix of the #next: method in GRPharoUtf8CodecStream (thanks Benoit Astruc)
  • Added ILTempFile helper methods (#printOn: and #extension).
  • Added ILCaptionElement and ILDatalistElement (thanks Benoit Astruc).
  • Added methods to start Comanche in debug and verbose mode.
  • Changed HttpService name to be more descriptive in the Process list.
  • Removed versions for GemStone and Squeak in ConfigurationOf (will add later after check)
  • Use convertToEncoding: instead of #decode: to patch the Invalid UTF-8 bug.
  • Replaced Pharo 4 deprecated TimeStamp with DateAndTime.
  • Replaced senders of Pharo 4 deprecated #displayString with #asString.
  • Updated acknowledgements windows and text.

viernes, 27 de febrero de 2015

LanguageDetection API Client in Smalltalk


Language Detection API is a service to query the language of a given input text. You will need to register an API key in the web site to use the service. This client enables to use the service from Pharo Smalltalk. The output is an object containing the language code, a confidence score and a 'is reliable' boolean value.


Inside Pharo, open the Configuration Browser and select LanguageDetection, then Install. Or evaluate the following expression:
Gofer it 
 smalltalkhubUser: 'hernan' project: 'LanguageDetection';
 configurationOf: 'LanguageDetectionAPI';


| ldClient |
ldClient := LDApiClient new.
 query: 'Des perles de pluie venues de pays où il ne pleut pas'; 
 query: 'Een enkele taal is nooit genoeg ';
 query: 'buenos dias señor';

miércoles, 25 de febrero de 2015

StNER: Interface to the Stanford Named Entity Recognizer


StNER provides a Pharo Smalltalk interface to the Stanford Named Entity Recognizer (NER). The Stanford NER recognizer is an implementation of a Named Entity Recognizer, used for tagging raw text which is a central task in Information Retrieval and Natural Language Processing. The input is a sequence of words in a text, and the NER classifier - using already trained data - try to recognize typically three types of "Named Entities" (NEs) : NAME, LOCATION and ORGANIZATION (more classes exists). The output is the tagged text in some common tagging format for tagging tokens. This recognizer works better on input more similar to the already trained labeled data sets (muc6, muc7, conll2003), however there are reports to use it with tweets, and you can retrain to recognize entities for your particular needs.

To recognize text in other languages, for example, Chinese, German, or Spanish, a different classifier (in this context a .tgz file) can be used (see NLP Stanford Demo).


  • Java is required to run the server locally.
  • Download the Stanford NER packages.
  • Inside Pharo, open the Configuration Browser and select StNER, then Install. Or evaluate
    Gofer it
     smalltalkhubUser: 'hernan' project: 'StNER';
     configurationOf: 'StNER';

Launch the server

  • Start (from Smalltalk) the (Java) server using the StNER Smalltalk server interface. For example, to start the server with default parameters in Windows:
    StSocketNERServer new
        stanfordNERPath: 'c:\stanford-ner-2015-01-30\';
  • Query an input text using the StNER Smalltalk client interface.

Server Settings

Providing path location is mandatory. If no host or port is supplied, defaults to:
  • localhost (,
  • port 8080
  • JVM memory 1000m.
  • output format: inlineXML

You can configure the server with the following taggers:
  • 3 class NER tagger that can label: PERSON, ORGANIZATION, and LOCATION entities. (#setEnglish3ClassTagger)
  • 4 class NER tagger trained on the CoNLL 2003 Shared Task training data that labels for PERSON, ORGANIZATION, LOCATION, and MISC. (#setEnglish4ClassTagger)
  • 7 class NER tagger trained only on data from MUC (#setEnglish7ClassTagger): TIME, LOCATION, ORGANIZATION, PERSON, MONEY, PERCENT, DATE.

Client Usage

To tag text you can use the #tagText: method as follows:
StSocketNERClient new 
  tagText: 'University of California is located in California, United States'
and the output will be:
'University of California 
is located in California, 
United States' "
Another example including PERSON tagging:
StSocketNERClient new 
 tagText: 'Argentina President Kirchner has been asked to testify in court on the death of Alberto Nisman the crusading prosecutor who had accused her of conspiring to cover up involvement of Iran'
which results in:
'Argentina President Kirchner has been asked to testify in court on the death of Alberto Nisman the crusading prosecutor who had accused her of conspiring to cover up involvement of Iran'
Parse text to in-line XML
StSocketNERClient new 
  parseText: 'University of California is located in California, United States'
results in a Dictionary of Bag's with occurrences of tagged classes.

martes, 24 de febrero de 2015

GADM: Access to Global Administrative Areas in Smalltalk


GADM is a high-resolution spatial database of the location of the world's administrative areas for use in GIS and similar software. GADM is freely available for academic and other non-commercial use. The data contained in GADM was collected from spatial databases provided by NGO, National Governments, and/or maps and list of names available on the Internet (e.g. from Wikipedia).

Administrative areas include: countries, provinces, counties, departments, etc. up to five sublevels, which cover most boundaries in the world. For each level it provides some attributes, foremost being the name and in some cases variant names. GADM can also be used to extract polygon shapes for visualization, for example to build choropleth maps for regions. The GADM package includes the raw data in CSV format, which I parsed to build a browseable GADM world tree, allowing off-line access to the GADM database in a hierarchical fashion with objects, without need to perform on-line queries for basic requests. A hierarchical tree can be used to build a toponym browser for example.


From within Pharo 3, or Pharo 4 you can use the Configuration Browser, or evaluate the following expression:
Gofer it
 smalltalkhubUser: 'hernan' project: 'GADM';
 configurationOf: 'GADM';

Usage Examples

" To access to the whole World (as seen by GADM), evaluate "
GADMWorldTree root.

" Access country Lithuania "
GADMWorldTree @ 'Lithuania'.

" To acces the Part (Partido: spanish) where I am living:"
GADMWorldTree @ 'Argentina' @ 'Buenos Aires' @ 'La Plata'.

" You want to know which type of region is Los Angeles "
(GADMWorldTree @ 'United States' @ 'California' @ 'Los Angeles') typeName " 'County' "

" You wish to list all subregions in San Marino "
(GADMWorldTree @ 'San Marino') nodeNames
 " a SortedCollection('Acquaviva' 
'Borgo Maggiore' 
'San Marino' 
'Serravalle') "

sábado, 7 de febrero de 2015

Application Security 3: Setting your password rules

The post you are reading is about password enforcement rules in the Application Security package, released as Open Source on March 2014 for the Pharo Smalltalk community. Rules which you can set up are:
  • Increase the password length, which results in increasing the number of combinations search space.
  • Increase the size of character set, to increase the number of password combinations.
The default character set in the Application Security package, includes uppercase and lowercase letters, numbers and a set of non-letters. This forms a 95-character set as recommended by the FIPS, and if passwords are between 5 and 8 characters, a brute-force attack would have to guess between 7.7 billion to 6.6 quadrillion combinations. It is possible to change the password creation rules by creating checkpointed validation settings:
| settings |
settings := ASValidationSettings forCheckPoint: ASDeployCheckPoing new.

" Set my passwords will allow up to 14 characters "
settings maxPasswordCharacters: 14.

" Set the user name character length maximum "
settings maxUsernameCharacters: 14.
You can also change the default character set allowed by user names. The default is the result of evaluating:
ASValidationSettings defaultUsernameCharactersList 
  evalString gather: [ : c | c ].

" but for convenience, you should grab the 
#defaultUsernameCharactersList method and customize for your purposes:

{ '$0 to: $z' . '$A to: $z' . '$a to: $z' . 
  '($0 to: $9) , ($A to: $Z) , ($a to: $z)' . 
  '($0 to: $9) , ($A to: $Z) , ($a to: $z) , 
  #($_ $- $.)' } "
Continuing with the validation settings example, this is how you do it:
settings allowedUsernameCharacters: {'$A to: $z' . '$a to: $z' }.

" and the same could be achieved for password characters : "

settings allowedPasswordCharacters: ...
Recent password research, have claimed that using passphrases increase the combinations needed by brute-force attacks, but there is more chance of making typographical mistakes, and so is good practice to increase the number of allowed failure attempts. This can be done in Application Security by evaluating:
" Set the maximum count of allowed fails per user during a period of time "
" Default is 40 "
settings maxUserFailCount: 5.

lunes, 2 de febrero de 2015

Pharo Smalltalk Scripts, part 1

These are some scripts and tips I used in my daily developement with Pharo Smalltalk in the last years. Hope you find them useful:

Parsing XML with DOM

You can instantiate and parse a XML DOM parser with one line of code:
(XMLDOMParser parseFileNamed: 'fao_country_names.xml') 
  allElementsSelect: [ : each | 
    each localName = 'geographical_region' ].


You can quickly parse a CSV file using NeoCSV with just a snippet for most tasks:
(NeoCSVReader on: 'myfile.csv' asFileReference readStream)
 separator: Character tab; 
 do: [ : row | " do something with row " 
      third ]
or using a one-liner
'myfile.csv' asFileReference readStreamDo: [ : stream | 
  (NeoCSVReader on: stream) upToEnd ]

Lorem Ipsum

You already have the first paragraph of "Lorem ipsum" available in Pharo.
String loremIpsum


If you are developing UI you can have the Time Profiler (Pharo) opened in any method by enclosing your code between:
 TimeProfiler new openOnBlock: [ 
   " Your code ... "

Open File Dialog

Opening a File Dialog for specific file type is a one-liner:
UIManager default chooseFileMatching: #('*.xml').


Spec is a relatively young UI Specification library. You can prototype UI's easily by using Dynamic Composable Models, for example:
| view layout |
" Configure the Spec models "
view := DynamicComposableModel new
        instantiateModels: #(labelA LabelModel textA TextInputFieldModel labelB LabelModel textB TextInputFieldModel);
        extent: 500@200;
        title: 'Title'
" Configure the Spec layout "
layout := SpecLayout composed
        newColumn: [ : r | r
                add: #labelA; add: #textA;
                add: #labelB; add: #textB ];
" Set up the widgets "
view labelA text: 'A'.
view labelB text: 'B'.
" Open the Window "
(view openDialogWithSpecLayout: layout)
        modalRelativeTo: World.

Morphic Window and Controls

If you need a basic container Morph window, just evaluate:
| s |
(s := SystemWindow labelled: 'Window')
 s addMorph: (StringMorph new
  contents: 'Comments:';
  color: Color black)
   frame: (0@0.0 corner: 1@0.2).
But you can have a control like a TextArea without container
| o ptm |
o := Object new.
ptm := PluggableTextMorph on: o text: #printString accept: nil.
ptm height: TextStyle defaultFont height + 6.
ptm acceptOnCR: true; openInHand.
And instantiated differently
(PluggableTextMorph on: Workspace new
 text: #contents
 accept: #acceptContents:
 readSelection: nil
 menu: #codePaneMenu:shifted:) openInHand.


Udo Schneider recently wrote an FTP/WebDAV Plugin for the Pharo FileSystem, and you get almost for free a FTP client using the File Browser
fs := FileSystem ftp: ''.
FileList openOn: fs workingDirectory.
fs close.

jueves, 15 de enero de 2015

miércoles, 19 de noviembre de 2014

Smalltalk Survey Report


The content of this post is a survey report of a Smalltalk questionnaire. The purpose of this report is to determine the opinion of developers about Smalltalk related topics. A limit of 10 questions was imposed to the survey because of the SurveyMonkey Free Account limitations.

The survey was anonymous and contained partially structured questions with open-ended questions where participants could add thoughts or missing options. The survey was conducted from 11/10/2014 to 30/10/2014. Only the first week of the survey non-smalltalk forums were privileged. The information below summarize statistics:

Survey Statistics

(Click the following figures to open the whole image)

Question 1 highlights

  • Smalltalk was not listed as an option in the valid responses.
  • This question was mostly directed to non-smalltalkers.

Question 2 highlights

  • Goal of the question was to determine a general attitude towards the technology.
  • There is a good reception of Smalltalk, although respondents where scarce (22).
  • This question was mostly directed to non-smalltalkers.

Question 3 highlights

  • The idea was the same as Question 2, but focused towards a professional level of choice.
  • This question was directed to both smalltalkers and non-smalltalkers.

Question 4 highlights

  • The question tried to determine the Smalltalk platforms most used.
  • This question was mainly directed to smalltalkers.
  • Unsurprisingly, Pharo, VisualAge and VisualWorks seem to be the most deployable environments.
  • More recent or commercial projects like S8, Smalltalk MT or LSW are almost unknown.
  • The respondents also noted Amber as ocasionally used or prototyped/deployed a product.

Question 5 highlights

  • This question is similar to Question 4, but focused on the current use.
  • Products like VisualSmalltalk and Smalltalk/X, both considered (technically) excellent Smalltalk flavors, keep almost unused.

Question 6 highlights

  • This question addressed four technology aspects: Usability, Speed, Community Health and Overall.
  • There is a notable unsatisfaction at the Community level for most Smalltalk communities.
  • The old fallacy of Smalltalk being slow seems to be almost refuted by a general satisfaction in execution speed.
  • Maybe unexpectedly, the usability award was for VisualSmalltalk.

Question 7 highlights

  • All respondents answered this question.
  • Besides the expected noise towards libraries for common application scenarios, there is a considerable interest in Data Science (Visualization, Mining, etc).
  • Some respondents noted missing options like X-language invocation: SOAP, CORBA, MQ, REST and Good modern library support - easy call outs to native code or library wrappers.


Screengrab is a Firefox add-on which saves complete pages as images. And if you ever create a SurveyMonkey and don't want to pay to download results, is better to bookmark Screengrab.

lunes, 27 de octubre de 2014

The Smalltalk Family Tree

Introduction : GraphViz in Pharo

GraphViz is a popular free graph visualization library currently used in many applications. In GraphViz you describe a graph in text format and the software draws a pretty picture of the graph.

A GraphViz package for Smalltalk was originally available in Squeak, but it was outdated in the current Pharo releases (3.0). The package facilitates the creation of graph descriptions in the DOT language of the Graphviz graphing tool. You write the graph using the beautiful Smalltalk syntax, and the GraphViz class generates the output in all available formats (dot,svg,png,jpg,gd,etc).

Now I have uploaded a new Metacello Configuration for GraphViz in Pharo 3.0, available in the Configuration Browser. To use it, GraphViz should be installed and present in the PATH environment variable. More useful information can be found in the original repository (Connectors compatibility is still missing until we get a Connectors version which loads in Pharo 3 or 4). The Configuration loads both stable versions of CommandShell and XML-Parser packages.

A Smalltalk Family Tree

I have collected the Smalltalk implementations I know and grouped them in a graph by what could be considered their "family". Some of them are not supported anymore, others are difficult to find or get executed again. Exotic or very old Smalltalks like Bricktalk, DuoTalk, Marvin, etc. were not included because there are too few references on the web. Now by looking at it in perspective, one could understand why Smalltalk is considered the most evolved and state-of-the-art programming environment. Here is the resulting graph :

Licencia Creative Commons
Smalltalk Family Tree por Hernán Morales Durand se distribuye bajo una Licencia Creative Commons Atribución-NoComercial-SinDerivar 4.0 Internacional.
Basada en una obra en

lunes, 20 de octubre de 2014

10 simple survey questions about Smalltalk


So I did a short on-line Smalltalk survey to find out where is the technology today, and what could be expected in the future, by asking people about their experiences and expectations with Smalltalk. Any programmer could participate and answer. The survey was designed to a broad developer audience.
Why is important you take this survey? Because you could help to a small(talk) community to uncover answers, to gather feedback and meaningful opinions, and to evolve by telling what you need most. The survey is open until 31/10/2014 at 3:15 a.m.

The survey is not biased towards any particular Smalltalk flavor (I am not affiliated with any particular Smalltalk provider). The following Smalltalk platforms have been included (any other not listed flavor can be added):


I have collected a list of well-known forums containig "General Computer Programming" sub-forums, as most forums do not contain a Smalltalk sub-forum. I have rejected all programming sub-forums specific to a particular language, for example: JavaForum, PHPDevForum, "General C++ Forum", etc. Because:

  • Posts with surveys related to other programming language are not commonly accepted
  • They are marked as off-topic or closed.
  • It could be seen as promotion which is not the intent of this survey.


The survey is still running! You can come back after 31/10/2014 and check responses.

lunes, 13 de octubre de 2014

Application Security 2: The CheckPoint Protocol


As commented in my previous post, CheckPoint is a security pattern to avoid unauthorized access to a system.

The nice idea of the design pattern is to delegate complex validation behavior into specific classes which can manage events, response actions and statistics, completely transparent to your application. CheckPoints could be used to bypass validations for specific cases too. For example if you are debugging or testing your application, you don't want to be constantly bothered by timeouts and logins, you don't want to bias security statistics, and certainly you don't want to debug into someone's new bug merged in your repository, in the middle of your workflow.

The following sections describe how to use core classes for a typical application scenario.

Basic workflow

Let's assume an application is globally represented by a Singleton class, and it has different states. An state could be "in deployment mode" or "in testing mode". Each of these "modes" contain behaviors, implemented in specific CheckPoint subclasess. This simply means, you can use a Global Application class to answer a default CheckPoint class for your needs.

An example: Our Singleton manages application's state, and so it could be asked which CheckPoint should be assigned to each user, at a specific scenario he is in. This is, CheckPoint instances are associated to user sessions. Initially all newly created users will have a "invalid" or "unregistered" state. When the user begins the registration process, its session is given a CheckPoint instance to behave accordingly.

From here two different security scenarios are possible, depending on the registration state. Each scenario is represented by a CheckPoint subclass:

ASRegisterCheckPoint : Should be assigned while the (candidate) user is not confirmed as user. Maintains a registration object (ASUserRegistration), responsible to hold an unique link identifier, the registration time, and the corresponding candidate instance (ASCandidateUser). To optimize resources, a candidate user manages expiration (#hasExpiredRegistration) and that's a reason why is important to keep a #registrationDate.

ASDeployCheckPoint: This is a "common" CheckPoint which should be used for production systems, and when a registered user signs-in a system. It checks against typical login conditions, which we will se below in the Using the CheckPoint section.

Registering Users

Before anything else, create a repository and mock user to play with:
| cp newRegId |
cp := ASRegisterCheckPoint new.
newRegId := cp registrationId.
cp addNewUser: (ASCandidateUser new
    entityName: 'alphabetic name';
    username: 'alpha3';
    password: 'alphanumeric123';
    registrationId: newRegId;
Trying to add another candidate with the same username will raise an ASUserExists exception. Ideally you should catch and handle it appropiately in the context of your application. You can now query if you can register this candidate:
cp isValidPendingRegistrationId: newRegId.
and register as valid user in your system:
cp registerCandidateAsUser: newRegId.

Using the CheckPoint

Continuing with the Session-based example, login code which uses the CheckPoint could ask for the current user CheckPoint, and perform a global validate and retrieve:
user := self checkPoint 
  loginUserNamed: 'myuser'
  password: 'anypassword'
  machine: ''.
The message send performs three major steps:
  • Validate authentication settings for the provided parameters
  • Validate if passwords match.
  • Answer the user from the repository
You can also chain exceptions to manage fail conditions, logging messages or block an user:
 ^ ASEmptyError , ASInvalidUsername , ASEntityNotFound , ASPasswordError , ASMaxUserFailCountError
  , ASMaxMachineFailCountError , ASMaxGlobalFailCountError , ASDenegatedAccess
and manage the exception properly:
[ cpUser := self checkPoint loginUserNamed: usernameString password: passwordString machine: '' ]
 on: self loginExceptions
 do: [ :ex | ^ self handleFailedLogin: ex ].

CheckPoint verifications

Login an user should perform a number of checks which, many times, are application security specific. The default implementation is naive, but useful for many cases. For specific security requirements, validation settings are customizable by subclassing ASDeployCheckPoint and specializing the method #validateAuthSettingsLogin:password:machine:. This is how looks like as in the current release:

 (userString isEmpty or: [ userString isNil ])
  ifTrue: [ ^ ASEmptyError signal: 'Username' ].
 (passwordString isEmpty or: [ passwordString isNil ])
  ifTrue: [ ^ ASEmptyError signal: 'Password' ].
 (self isValidIpAddress: ipAddressString)
  ifFalse: [ ^ ASDenegatedAccess signal ].
 (self validationSettings allowedUsernameCharacters includesAllOf: userString)
  ifFalse: [ ^ ASInvalidUsername signal: 'Invalid characters ' , userString ].
 (self validationSettings allowedPasswordCharacters includesAllOf: passwordString)
  ifFalse: [ ^ ASPasswordError signal: userString ].

(Remember, this is not code checking on User-Agent side, this is Application Security so your application's security can be guarantee independently of UI code).

A first look at Validation Settings

If you have ever worked with an Expert System, you already know what a Rule-Base is, and probably have figured out that all verifications could be easily written using rules. Although currently Application Security does not use rules, it seems a good point to note the direction where our model should be going to (if you want to read a really cool chapter about Rules-Based Expert Systems, try the one from Robbie T. Nakatsu in Diagrammatic Reasoning in AI)

Validation setting objects are maintained by CheckPoints and useful during registration time. They notify authorization/authentication exceptions and answer limit settings like:

  • Maximum size for characters allowed for a user name.
  • Maximim size for characters allowed for a password.
  • Characters allowed by a password.
  • characters allowed by an user name.
  • Expiration days for a password.
  • Valid IP addresses

As they are CheckPoint specific, they could be changed at run-time for an user or a group of users, which is very handy for debugging purposes. And that's all for today, in the following post I will post how to set up password rules to customize validation settings. See you soon.

jueves, 19 de junio de 2014

FIFA World Cup 2014 App


I have just published a small application which consumes JSON data from a FIFA World Cup 2014 endpoint. It is implemented in Pharo 3.0 and you may install it by evaluating:

Gofer it 
  smalltalkhubUser: 'hernan' project: 'FIFAWorldCup2014';
  configurationOf: 'FIFAWorldCup2014';
Then evaluate:

FIFAWorldCupApp open
and here is what you get:

If you feel any wish to participate, register for an account in SmalltalkHub and just let me know.


jueves, 27 de marzo de 2014

Application Security Presentation


I have implemented a package called "Application Security" to provide a domain-independent security model which you can easily instantiate in your applications. It is based in patterns from the Application Security Pattern System introduced by J. Yoder and J. Barcalow in a PLoP (Pattern Language of Programs - a workshop for pattern researchers) paper in 1997, which contains about 290 citations as of today.

Web sites with user registration, e-mail confirmation, forgot password, password rules and validation makes heavy use of ApplicationSecurity. It is a completely independent package (not tied with a particular web framework) providing all user management - roles, groups, etc. - access control based on IP addresses.


Although acceptable for my security requirements, the software security world is a neverending story. To recognize the whole dimension of this territory, I have collected a short summary of the most cited security pattern literature:
  • J. Yoder and J. Barcalow: One of the first security pattern languages, 7 patterns.
  • Kienze et. at.: Contains 29 security patterns.
  • The Open Group: 13 patterns.
  • Braga et. al: Oriented to cryptographic software API.
  • Romanosky et. al: 8 security design patterns.
  • Weiss M. Patterns for web applications. In: Proceedings of the 10th conference on pattern languages of programming (PLoP ’03); 2003.
  • Kienzle D, Elder M. Security patterns for web application development, University of Virginia technical report; 2002


The interactive way to install the package is using the Configuration Browser in Pharo 3. Also you can evaluate the following script which perform the same action:
Gofer it
  smalltalkhubUser: 'hernan' project: 'ApplicationSecurity';
  configurationOf: 'ApplicationSecurity';
The Configuration automatically loads the stable versions for FFI and Nacl.


The Application Security package contains two hasher adapters, one is the hashing provided by Grease (a package for cross-smalltalk compatibility including convenience methods), this is a SHA-1 (160-bit, 20-byte hash value) and another one which is enabled by default using Nacl cryptographic library, which uses SHA-512 through the libsodium binding for Pharo. And of course, to prevent rainbow table attacks in case of a breach, all passwords are salted.

User model

Contains following main classes:
  • Registered user: A valid and registered user in the system.
  • Candidate user: Users currently not validated or confirmed, this is for example a user which is registering. It handles regitration identifier and expired regitrations.
  • User group: To group users sharing common property
  • User registration: Maintains candidate registration information such as URL link's unique identifier for verification (during a period of time) and the candidate object.


Application Security also contains Network security utilities to do access control based on IP addresses:
  • ASIPAddress : Represents an IP address.
  • ASIPAddressClass : For representing IPv4 address classes. This class is not intended to be used for doing subnetting (scaling, allocation, etc.).
  • ASIPAddressList : Access control list used for representing classful network architecture for IPv4 addresses. This class is not intended to be used for doing subnetting (scaling, allocation, etc.)
An IPAddress is a helper class to support querying IP address range (ASIPAddress). Follow some examples to set up useful list for filtering machines based on their IP addresses:
" Build a denied IP list for IP addresses in class A "
ASIPAddressList new denyClassA.

" Build a denied IP list for IP addresses in class A and B "
ASIPAddressList new 

" Deny private IP addresses from classes A, B and C 
the following address ranges: - - - "
ASIPAddressList new denyPrivateIPAddresses.

" To deny a specific IP address: "
ASIPAddressList new deny: #('').


The repository is responsible for the persistency of secured objects. This covers queries as well as set modifications (insert/delete). Currently it is based in the FUEL serialization package, but there is plan to make it adatable to other serializers.
| myRepo |
myRepo := ASRepository new.
myRepo isValidPendingRegistrationId: '6pe62ek45lvxhd0xawvcueceo'. " => false "
myRepo defaultAdministrator " => ASUser "
Following posts will contain details about usage of the CheckPoint API, IMO the most interesting feature of the package. In the meantime, I will be glad of hearing about your impressions and comments.