Posts Tagged php
ITworks Design Journal: GWT RPC vs JSON
Posted by BinaryMuse in Technology on May 15th, 2009
This post is part of the “ITworks Design Journal” series.
Currently, ITworks uses JSON generated via PHP for client-server communication. This decision was made for several reasons:
- I am not extremely familiar with Java servlets or serving them (i.e., Tomcat, etc.)
- I am not familiar with accessing SQL databases from Java code
- I am experienced in PHP and quickly wrote code to convert SQL result sets into JSON responses
- I already had code to authenticate via LDAP written in PHP that could be reused for this application
- The university already has servers set up to serve PHP scripts
However, after reading more about GWT RPC and how it works, I decided to try my hand at setting up my first Tomcat instance. When the university’s web developer asked for a new Apache server, I figured it was an opportune time.
So, after a lot of experimentation and a lot of reading documentation, I installed my first Tomcat server, and even got the GWT "Hello World" demo app (the one that gets created when you use webAppCreator) to run by using mod_proxy and ProxyPass (I’m still having issues getting mod_jk to do what I want it to, but I think I’m close). So, now using GWT RPC is a real possibility.
GWT’s RPC scheme is very nice; you can call server-side methods, and your input parameters and the server’s return are all automatically serialized and sent across the wire–you don’t have to worry about it at all. This is certainly a very nice feature. I also feel confident that I can get LDAP authentication and SQL connectivity down fairly quickly.
The one downside is connecting other non-GWT applications to the server-side code. If I want, say, an iPhone app, or a desktop widget, to be able to connect to the server to retrieve information, I have to either (1) figure out how GWT RPC sends and receives information, or (2) code the server-side logic again in another language.
It’s still up in the air for me. Thoughts?
ITworks Design Journal: Authentication
Posted by BinaryMuse in Technology on April 1st, 2009
This post is part of the “ITworks Design Journal” series.
Where I work, we authenticate against an Active Directory server. In an effort to help the consolidation of usernames and passwords, I decided that users of the ITworks app should also authenticate against the AD, and that the user’s role, or permissions, in the app should be determined by groups they are members of in the directory. A bonus advantage of this system is that I don’t have to design any sort of user management piece!
I developed a very simple class, LdapUser, that logs into the AD with a privileged user and searches for a user with a sAMAccountName that is the same as what the user entered in the login dialog.
If found, the class attempts to re-bind to the server with that user’s name and the password they entered. If successful, the user entered valid AD credentials. The class then queries the server for an array of groups the user is in, and checks against a known list of valid groups.
If found, the server returns some JSON indicating the user’s proper name, access level, and session-specific API key.
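The bind, search, re-bind and group-check sequence described above, as an added PHP example; this is not the ITworks LdapUser class (which the page does not show), and the directory host, base DN, service-account credentials and group-to-role map in it are assumed values. It also issues and checks the session-specific API key that the next section describes. Two checks a practitioner would want are included: an empty password is refused before any bind, because ldap_bind with an empty password performs an anonymous bind that Active Directory accepts as a success, and the sAMAccountName is passed through ldap_escape so the typed name cannot change the structure of the search filter.

```php
<?php
// Added example, not the ITworks project's own LdapUser class. Host, base DN,
// service account and the group-to-role map below are assumed values.

declare(strict_types=1);

final class LdapUser
{
    // Assumed directory settings; replace with the real values.
    private const HOST       = 'ldaps://ad.example.edu';
    private const BASE_DN    = 'DC=example,DC=edu';
    private const SERVICE_DN = 'CN=itworks-svc,OU=Service Accounts,DC=example,DC=edu';
    private const SERVICE_PW = 'changeme';

    // Known AD groups (lower-cased DNs) in priority order, with the access level each grants.
    private const ROLE_BY_GROUP = [
        'cn=it-admins,ou=groups,dc=example,dc=edu' => 'admin',
        'cn=it-staff,ou=groups,dc=example,dc=edu'  => 'staff',
    ];

    /** Returns ['name', 'role', 'apiKey'] on success; null on bad credentials or no known group. */
    public static function login(string $username, string $password): ?array
    {
        // ldap_bind with an empty password is an anonymous bind, which AD accepts;
        // refuse it here so the re-bind in step 2 cannot "succeed" that way.
        if ($username === '' || $password === '') {
            return null;
        }

        $ldap = ldap_connect(self::HOST);
        if ($ldap === false) {
            return null;
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

        // Step 1: bind as the privileged service account and look the user up.
        if (!@ldap_bind($ldap, self::SERVICE_DN, self::SERVICE_PW)) {
            return null;
        }
        // Escape the name so the input cannot change the filter's structure.
        $safeName = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
        $filter   = "(&(objectClass=user)(sAMAccountName={$safeName}))";
        $result   = ldap_search($ldap, self::BASE_DN, $filter, ['displayname', 'memberof']);
        $entries  = $result === false ? false : ldap_get_entries($ldap, $result);
        if ($entries === false || $entries['count'] !== 1) {
            return null; // no such account, or an ambiguous match
        }
        $entry = $entries[0];

        // Step 2: re-bind with the user's own DN and password; success means the
        // directory accepted exactly the credentials the user typed.
        if (!@ldap_bind($ldap, $entry['dn'], $password)) {
            return null;
        }

        // Step 3: collect direct group memberships and match them against the
        // known list. DNs compare case-insensitively in LDAP, so normalise them.
        $groups = [];
        for ($i = 0; $i < ($entry['memberof']['count'] ?? 0); $i++) {
            $groups[strtolower($entry['memberof'][$i])] = true;
        }
        ldap_unbind($ldap);

        $role = null;
        foreach (self::ROLE_BY_GROUP as $groupDn => $level) {
            if (isset($groups[$groupDn])) {
                $role = $level;
                break;
            }
        }
        if ($role === null) {
            return null; // valid AD account, but not an ITworks user
        }

        // Session-specific API key from the CSPRNG, kept server side so later
        // requests can be checked against it.
        $apiKey = bin2hex(random_bytes(32));
        $_SESSION['api_key'] = $apiKey;

        return [
            'name'   => $entry['displayname'][0] ?? $username,
            'role'   => $role,
            'apiKey' => $apiKey,
        ];
    }

    /** Validate the key sent with a later request against the one issued at login. */
    public static function hasValidApiKey(string $presented): bool
    {
        $issued = $_SESSION['api_key'] ?? '';
        // Constant-time comparison, so timing does not reveal matching prefixes.
        return $issued !== '' && hash_equals($issued, $presented);
    }
}
```

Call LdapUser::login() from the login script after session_start() and json_encode() the returned array; on every later request, refuse to serve data unless LdapUser::hasValidApiKey() accepts the key the client sent. memberOf lists direct memberships only, so a role granted through a nested group would need a recursive lookup, which this example does not do.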
API Key
In order to ensure that requests for information come from a user that has successfully authenticated, every user that logs in is given an API key that is valid until their session ends. Every time the client requests information from the server, the API key must be passed, and is validated against the one the server generated when the user first logged in.
Login Throttling
One thing I was concerned about was brute-force attacks on the site. Since we authenticate against our AD server, it would be a bad thing™ if someone was able to brute-force their way into an IT staff member’s password. Thus, a login throttling system was born.
The system I designed is very simple–it limits unsuccessful login attempts on a specific user. Each time an invalid username and password combination is entered, that username’s "incorrect login count" is incremented in the database. Depending on how many bad login attempts have been recorded, subsequent attempts will issue an error message that the user must wait before logging in again. (I considered making the server thread sleep() for a while, to make it more frustrating, but I feared that the potential to consume a large number of threads was too high, effectively increasing vulnerability to a DoS attack). The time required gets exponentially longer as the number of attempts increases.
Once a user enters a correct username and password (assuming they are not currently in the "wait" period triggered by multiple incorrect combos), their count is reset to zero.
Again, the system is simple, but provides enough security for basic brute-force attacks–which was the goal.
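The throttle described above, as an added PHP example (not the ITworks project's code): it keeps the per-username "incorrect login count" in an in-memory SQLite table so the block runs on its own, makes the client wait instead of putting a server thread to sleep, doubles the wait with each failure past a few free attempts, and resets the count on a successful login outside the wait period. The schedule (three free attempts, a 5-second first wait, a one-hour cap) and the table layout are assumptions, not the post's values.

```php
<?php
// Added example, not the ITworks project's code: the per-username throttle
// described in the post, backed by an in-memory SQLite table so it runs
// stand-alone. The schedule (free attempts, base delay, cap) is assumed.

declare(strict_types=1);

final class LoginThrottle
{
    private const FREE_ATTEMPTS = 3;    // failures allowed before any wait
    private const BASE_DELAY    = 5;    // seconds for the first enforced wait
    private const MAX_DELAY     = 3600; // cap so the wait stays bounded

    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS login_failures (
            username TEXT PRIMARY KEY, failures INTEGER NOT NULL, last_failure INTEGER NOT NULL)');
    }

    /** Wait imposed after $failures consecutive bad attempts: doubles with each one past the free ones. */
    public static function delayFor(int $failures): int
    {
        if ($failures <= self::FREE_ATTEMPTS) {
            return 0;
        }
        $over = $failures - self::FREE_ATTEMPTS - 1;   // 0 for the first enforced wait
        return (int) min(self::MAX_DELAY, self::BASE_DELAY * (2 ** min($over, 20)));
    }

    /** Seconds the username must still wait; 0 if an attempt may proceed now. */
    public function secondsToWait(string $username, int $now): int
    {
        $stmt = $this->db->prepare('SELECT failures, last_failure FROM login_failures WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return 0;
        }
        $until = (int) $row['last_failure'] + self::delayFor((int) $row['failures']);
        return max(0, $until - $now);
    }

    /** Full login flow: refuse during a wait, otherwise run $authenticate and update the count. */
    public function attempt(string $username, callable $authenticate, int $now): array
    {
        $wait = $this->secondsToWait($username, $now);
        if ($wait > 0) {
            return ['ok' => false, 'wait' => $wait];   // error message, no directory call
        }
        if ($authenticate()) {
            $this->recordSuccess($username);
            return ['ok' => true, 'wait' => 0];
        }
        $this->recordFailure($username, $now);
        return ['ok' => false, 'wait' => $this->secondsToWait($username, $now)];
    }

    public function recordFailure(string $username, int $now): void
    {
        // Insert the first failure or bump the stored count (SQLite 3.24+ upsert syntax).
        $stmt = $this->db->prepare('INSERT INTO login_failures (username, failures, last_failure) VALUES (?, 1, ?)
            ON CONFLICT(username) DO UPDATE SET failures = failures + 1, last_failure = excluded.last_failure');
        $stmt->execute([$username, $now]);
    }

    public function recordSuccess(string $username): void
    {
        // A correct login outside the wait period puts the count back to zero.
        $stmt = $this->db->prepare('DELETE FROM login_failures WHERE username = ?');
        $stmt->execute([$username]);
    }
}

// Walk-through with a constructed clock and a stand-in authenticator that only
// accepts the password "correct". The clock advances by each reported wait.
$throttle = new LoginThrottle(new PDO('sqlite::memory:'));
$now = 1000000;
foreach (['a', 'b', 'c', 'd', 'e', 'f'] as $n => $guess) {
    $r = $throttle->attempt('jdoe', fn() => $guess === 'correct', $now);
    printf("attempt %d: ok=%s wait=%ds\n", $n + 1, var_export($r['ok'], true), $r['wait']);
    $now += $r['wait'];
}
// Waits reported: 0, 0, 0, 5, 10, 20 seconds
$r = $throttle->attempt('jdoe', fn() => true, $now);   // correct password, wait elapsed
assert($r['ok'] === true && $throttle->secondsToWait('jdoe', $now) === 0);
```

In the real application the PDO handle would point at the existing database and $authenticate would wrap the LDAP re-bind. One property of keying the counter on the username alone, as the post's scheme does, is that repeated bad passwords for a known staff account keep that account in its wait period whoever submits them; pairing this counter with a per-source-address limit and logging every refused attempt keeps that bounded and visible to the people who run the server.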
Conclusion
In the end, I ended up with a simple authentication script that authenticates against Active Directory and prevents basic brute-force password hacking. The system works fairly well–if anyone sees any flaws in my logic, or has any comments, please do not hesitate to comment below!
ITworks Design Journal: Language and Framework
Posted by BinaryMuse in Technology on March 27th, 2009
This post is part of the “ITworks Design Journal” series.
We currently use an enterprise-level application for managing work orders, and an in-house web site for managing assets. After sitting down and looking at these two systems, we came to the conclusion that (1) the work order system was more powerful than we needed, and we were likely paying too much for it, and (2) the asset system was too simple and difficult to use (very form-based layout). It didn’t take long to decide the following:
- I wanted the new app to be web based, allowing for use anywhere without installation
- I wanted the new app to use a rich web UI
- I wanted the new app to be exactly as complex as we needed it to be, but no more
- I wanted the new app to be expandable as easily as possible
As the IT staff sat down and began to brainstorm what features we wanted the app to have, I started thinking about languages and frameworks. PHP has always been my favorite server-side language, and the only web UI framework I had used to any extent was the Yahoo! UI library.
After some research, I discovered the Google Web Toolkit, or GWT. I had actually heard of it before, but passed it up as I didn’t read enough about it to fully understand what it was. It didn’t take me long to find the following on their site:
With Google Web Toolkit (GWT), you write your AJAX front-end in the Java programming language which GWT then cross-compiles into optimized JavaScript that automatically works across all major browsers.
The very idea intrigued me; I downloaded the toolkit and installed Eclipse (I haven’t written Java in a very long time), and started following along with the sample tutorial.
In the end, I was very impressed with GWT. The ability to debug a web application just like you would a Java application (after all, in the GWT shell, it is technically a Java application!) was a huge boon, and being able to make a change in the Java code and simply refresh the included hosted-mode browser to see the change saved so much time.
The one thing I didn’t like about GWT was the look and feel. What “widgets” it does include are very HTML-ish and don’t feel rich at all. So, after some more searching, I discovered Ext JS, a JavaScript UI library that looks very nice. A little more time spent looking around their site revealed an amazing and very cool piece of information–they have a version of their UI library designed specifically to work with GWT!
After downloading and installing the GXT library, I was sold. The UI was beautiful, and between GWT and GXT, Ajax data loading and display is a breeze.
My decision was made: GWT/GXT would be my front-end framework of choice; I decided on PHP for the server-side layer, as it is my favorite server-side scripting language and I am very familiar with it. It was time to write some code.