My client want to use OpenAM OpenIDM and OpenDJ for the product development. Before that client want to know what will be the production sizing for this forgerock.
Our plan is to have the 1 million user and 100K concurrent users are there then how much size it will take to on production. I have gone through the documentation of forgerock but didn’t find much information from it.
Deepak,
I am from ForgeRock and we would be very happy to help. As everyone's situation is different, we would like to discuss your requirements before providing sizing details to make sure we are not over / underestimating. ie. We want to get it right. :-)
There are a couple of options for getting in touch with your nearest tech resources.
Ping your request to this email address info#forgerock.com. If you could include the detail you have in this question, as well as your country and city, it will help the right person pick up your question and get in touch.
Here is a URL to our offices. I suggest calling your closes office for assistance. https://www.forgerock.com/contact/
If you can tell me your country / city, I can put you in touch with your nearest engineer.
Matt.
My primary question is: Can connected apps add relevant information to venue pages?
I am a coder and avid Foursquare user. The basic information about venues is cool (location, photos, tips, etc.), but while I have my meal (in the case of a restaurant) I'd like to have more to read about the venue, such as the back-story, i.e., what's the history of the place, when was it founded, by who, and other interesting facts about the venue.
I thought connected apps would be the answer and that perhaps I could write a simple wiki to integrate with the venue page for users to provide their knowledge about the venue. But it seems from what I've read that's not the the intent of a connected app or the API. Am I correct is this assumption? And if so, can this idea be dropped into the Foursquare suggestion box? I think it would make a great value added feature - especially for us nerds who like to read.
This is a great use case for connected apps. Connected apps can reply to check-ins with up to 200 characters of text, and a link to more content. This can be used to provide additional information about the venue. Take a look at https://foursquare.com/apps/ to see examples of connected apps, and the kinds of responses they give to check-ins.
I'm planning to add some vote up/vote down buttons to a website I run. This seems easy enough but I want to stop people voting multiple times. One solution would be to make them register before allowing them to vote but I'd prefer not to have to force them to register.
Is there are a reasonably straightforward way of doing this? Checking the IP address doesn't seem like a good solution, since it's possible that multiple users may come from the same IP address.
Cookies might be the answer, but a savvy user could delete the cookie. Any better ideas?
Sorry I don't have a useful answer, I just want to share my experience.
About 8 years ago I worked for a site that ran online polls. We once got hacked by some bots voting on some of our questions several hundred votes a minute.
I had to implement some emergency checks: IP address, cookies, and I really don't remember what else.
At the end of the day we decided to take the polls down. Those damn robots just didn't care. IP adresses were spoofed, cookies were being deleted, etc.
If you really really need the polls to be unhackeable I don't see any other way that requiring registration and using captchas to avoid bots signing up for new accounts.
And the sad thing is that this was just an entertainment site with polls on what's your favorite color and things like that.
The only thing we didn't tried was using captchas because they didn't exist at the time. That might have reduced non-human cheating a good deal.
Don't take this as any kind of expert advice on the matter, because that was the only time I had anything to do with online polls, but I remembered my story and wanted to share.
I think it really comes down to the nature of your website, and how accurate your results needed to be.
Using a cookie seems like the best option, but it depends on the target audience of your website. Would they be tech-savvy enough to try and beat the system to allow them to vote multiple times? If not, the risk should be fairly low and this would seem like the best approach.
Checking against an IP address, as you said, may be too restrictive. But if it's critical for all votes to be from unique individuals, this might be the better approach even if it means some legitimate voters won't get to vote.
I thought of another option, but I'm not sure if it's possible or feasible. If you could combine the IP address approach with a hardware based check (e.g. MAC address of NIC) this would eliminate the IP address approach being too restrictive due to NAT within a LAN. But it wouldn't help the situation where you have a computer in an Internet cafe used by different individuals.
You should also use captcha (for non registered accounts) to reduce the likelihood of voting bots. If someone wants to maliciously cast multiple votes, making it more difficult for them to automate the voting process through bots will help to hopefully reduce the occurrence of such behaviour.
So, you want to have each unique person have only one vote on each item. When a person tries to vote who has already voted before, you want to detect this. This means that you have to identify the person. There are no tricks to get around that.
Now, since persons can log in from any computer, identifying the computer doesn't help. This rules out IP checks and cookies, as well as anything else based on the user's hardware.
How to identify a person? You can't. You can only force them to identify themselves, by providing unique credentials, like a social security number (I think this is often used in Korea), a passport number, or similar. This, of course, doesn't help if you don't check it, since anyone can make up a 10 digit number with little chance of collision.
Even having the user register doesn't really help per se -- they can just register another account.
I wonder if you could make it a multi-step process, to make it more difficult for BOTs.
Registering, or some similar task, gets you Cookie-A, and then when you vote you get Cookie-B, but if you have Cookie-B and don't have a suitable matching Cookie-A your vote doesn't count. If you try to re-register on the same machine that can be detected by you already having Cookie-A. Going through the steps too fast is treated as a BOT.
We had a psychometric test, with many questions, and users had to make thoughtful answers. An answer in sub-N seconds was someone just pressing buttons to get through it. We never told them that their answer was too quick, we just marked the data as "suspect".
So anyone trying to go straight to the Vote Button won't work. They would have to do Step-A, then Step-b then Step-C in order.
To re-vote I would have to clear cookies, re-register, read the blurb-page (whatever) and finally re-vote, all in the right order, and not too fast.
Requiring JavaScript to be enabled may help, as may a Captcha system. Captcha could have some sort of delay - "Please watch as the two words appear" so that there are two words, shown one after another, but "real words" so that they can be easily memorised, and then typed in. Any response that is "too fast" is not valid.
At some point people will just become annoyed and not bother though.
Obviously you need to identify the user so he can only vote once. But identify the user does'nt mean you have to pop up a login screen. As said above you can ask for the email
address, ans use it as an identfier.
No one mention the way stackoverflow works, if the user has something to win (here reptutation) when becoming a register user and if the login process is as simple as giving an email address, then that's a win-win situation in wich the user is happy to login and vote, and you're happy to have him registered and voting things (and only once per question).
Jeff Atwood wrote an article about the "login barrier", wich may give you clues.
I once created a voting system for a contest. I was restricted from limiting votes by IP due to the fact that multiple people would be legitimately voting from the same IPs. As such, I went with the email confirmation method, requiring each voter to input an email address which a confirmation link was sent to, which, once clicked, would activate their vote and prevent additional votes using that address.
It did not work well. People created hundreds of false email addresses on various free sites.
What did work in the runoff vote, somewhat surprisingly, was adding the email address/vote pairs to a database but not immediately sending the confirmation emails out. Instead, I had a cron job send the batch of them every 15 minutes or so. This adds an additional complication for people registering many addresses, as they have to either leave them all open or remember the login info for each of them at some point in the future.
Of course, still easily bypassed for someone motivated enough, but it seemed to work well in this case.
I've never used a system like this, but try to identify a user by their browser's fingerprint. This jQuery plugin combines screen size, color depth, user timezone, and installed plugins to create a unique ID of a user. Definitely not foolproof, but it's a different approach.
There's no accurate way to avoid multiple votes from the same user, even if they don't delete cookies, they can use another browser, or another computer.
I think you should register user before he up / down vote. You can get a little piece of information from the user to get registered, so he does not bored or break his registeration. Afterwards he can update his account if he wants. IMHO this is the best solution.
As has been said there is no 'perfect' solution.
As an attempt at an imperfect solution, how about storing a hash of the IP address and the User agent.
This would mean that different users from a given IP, which have different browser user agents, can still vote.
Use a cookie-based approach, it is accurate enough for most entertainment-grade polls on the web. Stay away from IP restrictions. This would mean that only one person from larger companies gets to vote and that only one person in a family gets to vote.
Also a possibility:
let the user vote and fill out his emailaddress.
The user receives a confirmationemail with a link he needs to click in order to confirm his vote.
But this way, the user also has quite some overhead.
Or do this in combination with registered userss (who will not be forced to confirm)
I know that this is an old thread. In any case I suggest to use evercookie (http://samy.pl/evercookie/) to track a user that have already voted!
It's matter of how many identities a single person can control. The more harder you make for a single person to control multiple identities the more secure your poll will be.
For entertainment grade polls where the results doesn't matter, single cookie approach is enough. Very easy to circumvent if the user opens icognito windows.
Better protection can be obtained if you put a registration barrier, you can use OAuth based logins for seamless authentication, it would take some effort to switch accounts for more votes. But this doesn't stop the desperate ones to vote multiple times.
Even better if you send confirmation code in SMS. Though people may own multiple phone numbers, it's not common to have a considerable number of phone numbers to execute a fraud. But this approach costs money for you and can be abused by DoSing the server to exhaust all the SMSes.
If you want goverment-grade polls, where the votes can decide an election.
Then you should have the voters show up in the registration office to apply for the poll and let them choose one from the prepared PIN envelopes, which contains a long hash they can enter when casting the vote.
So unless the organizers commit a fraud then voters can't. This also ensures anonymity.
An old question but for to touch on new ways - these days there are many Poll services out there who work tirelessly to implement numerous measures to avoid dupe votes, and constantly tweak their systems to counter new ways people introduce to circumvent etc. Doing this yourself is a job in itself.
They even offer branding. And large corporations use them, so it's not like your company will look bad for outsourcing a poll.
If you need to do it yourself.
As has been said, registration is the only sure fire way. If it's really important to avoid dupe votes (i.e. it's not just fave colour or something trivial/fun) then you can also limit voting to a link you send to their email they registered with.
While still not fool proof (nothing is) at least you force them to have a genuine email address which they have access to.
This isn't too much trouble for users voting, but makes it fiddly to make many dupe votes - registering, waiting for email, using the link, etc.
You already named all usable solutions. ;) It's your task to decide now.
I'd recommend combining an IP and cookie check.
Ok, so I'm building "Web 2.0/3.0" sites to make extra money. I currently run my own personal project sites with some advanced technology in the backend (AI stuff, recommendation system) that I've developed over the years. It's a subscription site for me to make money on the side.
Now, my company (they do web application/software technology, ad network) somehow found out I run several websites. They were like, "Hey Joe, you run so and so websites! Why not put them on our ad network?? The stuff you're doing is a threat to our technology -- we don't want you competing with us on the side. Let us have your websites and put it on our portfolio/ad network."
Ok, basically it seems they want the rights to my technology and personal project. Somehow they must've googled my name and linked it to some projects I'm working on on the side. Is this ethical for a company to do? Trying to own my personal project since it's got some cool technology and trying to own the rights to it? Just because I work for the company doesn't mean I'm gonna make an offer to them, right?
You probably need to consult a lawyer. What were the terms of your employment that you agreed to when you were hired? Was there a non-compete clause? Was there a required disclosure clause?
Depends on your employment contract. Your contract might say something like "anything you do, while in the employ of company XYZ, be it during work or non work hours belongs to us". It's time to talk to a lawyer, not ask StackOverflow, this isn't a technology/programming question.
Ethical? Yes, why not. If you're putting stuff out on the web and they can find it via Google, then why shouldn't they? If you don't want people to find stuff you've done on the web then don't put it on the web or use a robots.txt to hide it from Google. It's not completely unreasonable for them to at least wonder if you may be using technology that you developed while you were working for them.
Legal--maybe so, maybe not. Depends on the employment agreement that you signed when you joined the company. I'd consult an employment lawyer for real advice rather than asking here.
They may have web logs that demonstrate that you were working on your private web sites during work time--if you did so. I'd be very careful in how I proceed if I were you.
check your contract, and/or your state laws and case precedents. Talk to a lawyer.
IMHO it is unethical for them to attempt to take your intellectual property without compensation, even if you have a 'all your codez are belong to us' kind of work-for-hire agreement. But talk to a lawyer, and be prepared to walk, get sued, and countersue, if necessary. Someone trying to steal your lunch money is a bully and a thief, but they may just have a legal claim.
Unfrotunately, this is not a joke. Talk to a lawyer right away.
If what you do in any way competes with what your company does or uses technology, intellectual property, information or contacts that you gained because of your employment with your company, then you may have issues and should check your contract and see a lawyer.
The other side is: did you ever work on your sites (and this can include sending emails and the like) your personal projects at work? If so, you may be in trouble there too.
IANAL so that's all I'll say on the legalities.
You need to consult a lawyer to get a definitive answer to this question. The answer might depend on your employment contract, and the laws in your locale. Don't rely on anything people say on the internet regarding legal matters.
Regardless of whether or not it's within their rights to do so, I think it's unethical and foolish of them to pressure you like this. I imagine they have just lost any employee loyalty you might have had.
I think a proper response could be, "if you think there's ad revenue potential in my websites, make me an offer that reflects their value, and I'll consider it." After all, you started those sites to make money, right?
But first talk to a lawyer, to be sure you're in a position to negotiate.
Well a friendly way to go about it, and that they should probably be willing to accept if they are a reasonable lot, is to buy/lease your technology. This way you can get a nice sum of money for your work (since you mentioned the purpose of this site was to make extra money in your question).
Otherwise (if its a pet project first and foremost) you might as well tell them in a friendly manner that you keep that site as a hobby, and you'd prefer to not share it if thats ok, unless they let you work full time on your and a cut in the earnings, etc... (something most people would love to do, work on their pet projects and get paid a stable salary for it).
As always first try to reason with the other party in a civilized and friendly matter, it'll likely make both parties happier, and it'll be better than taking the legal route most of the time.
I am Not a Lawyer, and the laws almost certainly vary by country/state/province. But if you are working on a side project on your own time, on your own equipment, using only your own network resources, etc., then in my opinion, they have no right to your work.
If you signed some sort of vague non-compete contract, or something that says all the stuff you do on your own time is theirs, then you have less of a leg to stand on.
Your best bet is to ask a lawyer, if there's enough revenue from your subscription base to justify it.
Consult a lawyer! Regardless of your contractual obligations, any company has a right to be concerned if one of their employees is running a direct competitor on the side, especially if they can demonstrate that you have access to privileged information which you are using to compete (knowledge of their technologies, marketing strategy, customers etc).
My company is planning to start a forum for our software product which the clients can refer for general FAQ's, problems etc.
Right now we are planning to have:-
User manuals.
Best practices for different section's of the application
Frequently faced problems.
Forum where user can discuss issues with development team.
Any other ideas?
Edit:-
We have RSS and E-mail notification subscription to the forum.
Forum where user can discuss issues
with development team.
I don't know if this is a euphemism for "issue tracker" but if not, make sure you include a way for people to submit bug/feature/enhancement reports and track them to completion. Nothing is worse than not being able to submit a bug report or being able to submit a bug report but only into a black hole.
Communication is key.
If you add an issue tracker as suggested by Kevin, your list seems pretty ok to me.
I'd also suggest that you do not start out with too many different services that require interaction from your side (e.g. your developers) at first - I've seen (too) many good initiatives die simply because nobody in the company had enough time e.g. for regular answering of the forum questions.
In your case, I guess "best practices", "frequent problems" and the forum will all consume regular time from your dev team if you want to keep them alive and up-to-date, especially in the beginning. So I would not add more services at the beginning but make sure to get these right (and you can always add more services later on if you find that the users need them :-).
You.
Show that you care about your customers.
Many useful tips at Creating passionate users blog.