Showing posts with label web.

ETags - Roles in Web Application to Cloud Computing

A web server can return a response header called ETag (entity tag): an opaque value that lets the client find out whether the content at a URL has changed since it last fetched it. When the browser loads a page, it caches the body together with its ETag. On the next request for the same URL the browser sends that value in the If-None-Match request header. The server compares it with the ETag of the current representation; if they match, the content has not changed and the server answers with status
code 304 Not Modified and an empty body instead of sending the page again. Used this way the HTTP metadata avoids needless re-downloads and so saves bandwidth. Combining a checksum of the content (MD5 in the examples below) as the ETag value with an accurate Last-Modified time-stamp gives the best results in deciding when a re-download is really needed. An analysis of the effectiveness of choosing the ETag value is described in this paper.

According to http://www.mnot.net/cache_docs/

A cached representation is served without contacting the origin only if:

  • The response headers allow caching (no Cache-Control: no-store or similar)
  • The response is neither authenticated nor secure (HTTPS responses are not stored by shared caches)
  • The representation is still fresh, i.e. within its Expires or Cache-Control: max-age window
  • Or, once stale, it carries an ETag or Last-Modified validator, so the cache can revalidate it and get a 304 instead of the full body

Entity tags can be strong or weak validators. A strong validator changes whenever the representation changes in any way: with an MD5 or SHA-1 digest of the body, flipping a single bit produces a different tag. A weak validator (written with a W/ prefix, e.g. W/"abc") changes only when the meaning of the entity changes, so several byte-different but semantically equivalent representations can share one weak tag. Writes guarded by If-Match must use the strong comparison; caches may use the weak comparison for If-None-Match on GET.

More on conditional requests, including strong and weak ETags, is here.

In Spring MVC, support for ETags is provided by the servlet filter ShallowEtagHeaderFilter. If you look at the source here, the filter buffers the response body and derives the tag from its bytes:

String responseETag = generateETagHeaderValue(body);
.... ......

// Strong ETag: a quoted hex MD5 digest of the buffered body. The filter
// prefixes the 32 hex characters with a literal "0".
protected String generateETagHeaderValue(byte[] bytes) {
    StringBuilder builder = new StringBuilder("\"0");
    Md5HashUtils.appendHashString(bytes, builder);
    builder.append('"');
    return builder.toString();
}


The default implementation computes an MD5 hash of the rendered response body (the JSP output, for example). When the same page is requested again, the filter compares the new hash with the If-None-Match header and, if they match, sends a 304 instead of the body:


String requestETag = request.getHeader(HEADER_IF_NONE_MATCH);
// Plain string equality: a weak tag (W/"...") or a comma-separated list of
// tags in If-None-Match will not match here, so such clients get a full 200.
if (responseETag.equals(requestETag)) {
    if (logger.isTraceEnabled()) {
        logger.trace("ETag [" + responseETag + "] equal to If-None-Match, sending 304");
    }
    response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
}



This saves bandwidth but not server processing: the view is still fully rendered so that the filter can hash it, which is why it is called a shallow ETag. Since it is a plain servlet filter it can be combined with any web framework. A hex MD5 keeps the tag short (32 characters plus the quotes and prefix) while making accidental collisions extremely unlikely; that MD5 is no longer collision-resistant does not matter here, because a cache validator is not a security control. A deeper ETag, generated in the model layer before anything is rendered, is also possible: it can be derived from the revision number of the underlying row, so the server can answer 304 without building the page at all, and the same tag can guard updates via If-Match. Matching revisions this way gives far better predictability of when data really has to be downloaded again.

As per the JSR 286 portlet specification, a portlet should set an ETag property (validation token) and an expiration time when rendering. New render/resource requests are only sent to the portlet after the expiration time is reached, and they carry the ETag; the portlet examines it and, if the cached markup is still good, sets a new expiration time and does not render. Spring MVC implements this part of the specification (see JIRA).

A similar model for REST responses, using ETags derived from the resource's version rather than from the rendered bytes, is effective when an API is exposed or two applications are integrated. I have seen such an implementation using Python here.

Moving to cloud storage: when Amazon S3 receives a PUT request with a Content-MD5 header, it computes the MD5 of the object it received and returns a 400 error (BadDigest) if it does not match the digest sent in the header. Content-MD5 carries the base64 encoding of the 16-byte MD5 digest, not a 7-byte value; Azure Blob Storage accepts the same header for the same integrity check.

As the article here notes, if an S3 object is updated with exactly the same bytes it previously had, its ETag does not change, which is fine: clients only need to know whether the content differs. For a single-part upload the S3 ETag is the hex MD5 of the object. Objects created by multipart upload (and objects encrypted with SSE-C or SSE-KMS) get an ETag that is not the MD5 of the data, so in those cases it cannot double as a checksum.

The S3 REST API documentation, in its example of a ranged GET, says:

Amazon S3 returns the first ten megabytes of the file, the Etag of the file, and the total size of the file (20232760 bytes) in the Content-Length field.

To ensure the file did not change since the previous portion was downloaded, specify the if-match request header. Although the if-match request header is not required, it is recommended for content that is likely to change.

In other words, each subsequent Range request carries If-Match with the ETag from the first response; if the object was replaced in between, S3 answers 412 Precondition Failed instead of letting the client splice bytes from two different versions.


The ETag mechanism in the HTTP specification lets developers implement validation-based caching, which is very effective at the transport level for REST services as well as web applications. The trade-off is that data then lives in the transport layer: copies of responses sit in browser and intermediary caches, and a content-derived ETag is a fingerprint of the body, so responses with sensitive or per-user content need Cache-Control: private or no-store rather than a blanket caching policy.

Static files served from a cluster with a far-future Expires header are the one case where ETags hurt. Web servers such as Apache derive the default ETag from file attributes including the inode, so each node in the cluster emits a different tag for the same file, and a validation request that lands on another node never matches, forcing a full re-download. Removing the ETag header disables validation and makes caches and browsers rely on your Cache-Control and Expires headers alone, which for immutable static files is exactly what you want; it also trims the checksum out of every response header.
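The conditional-request rules described above (weak comparison for If-None-Match on GET, strong comparison for If-Match on writes, and a deeper ETag taken from the row revision so that a stale client cannot overwrite a newer version) as one runnable example. This is illustration code added for this page, not Spring's filter or S3's implementation; the record ids, bodies and the RevisionedStore class are constructed for the demo, and refusing a write that carries no If-Match with 428 Precondition Required is a design choice made here.

```python
"""Conditional GET/PUT with strong and weak ETags (RFC 7232 comparison rules).
Added example for this page; the store and sample records are constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple

# --- generating validators ---------------------------------------------------

def shallow_etag(body: bytes) -> str:
    """Content-derived tag like ShallowEtagHeaderFilter's: quoted hex MD5 of the
    rendered body. The body must already exist before it can be computed."""
    return '"' + hashlib.md5(body).hexdigest() + '"'

def deep_etag(record_id: str, revision: int) -> str:
    """Model-level tag built from a row's revision counter: the server can
    answer 304 or 412 without rendering anything."""
    return f'"{record_id}-r{revision}"'

# --- comparing validators ----------------------------------------------------

def parse_etag_list(header: Optional[str]) -> List[str]:
    """'"a", W/"b"' -> ['"a"', 'W/"b"']; a bare '*' is kept as '*'."""
    if header is None:
        return []
    return [tag.strip() for tag in header.split(",") if tag.strip()]

def _opaque(tag: str) -> str:
    return tag[2:] if tag.startswith("W/") else tag

def weak_compare(a: str, b: str) -> bool:
    """Weak comparison: ignore W/ prefixes, the opaque parts must be equal."""
    return _opaque(a) == _opaque(b)

def strong_compare(a: str, b: str) -> bool:
    """Strong comparison: both tags must be strong and byte-for-byte equal."""
    return not a.startswith("W/") and not b.startswith("W/") and a == b

def conditional_get(current: str, if_none_match: Optional[str]) -> int:
    """GET with If-None-Match uses the weak comparison: 304 if any listed tag
    (or '*') matches the current representation, otherwise 200 with a body."""
    for tag in parse_etag_list(if_none_match):
        if tag == "*" or weak_compare(tag, current):
            return 304
    return 200

def conditional_write(current: str, if_match: Optional[str]) -> int:
    """PUT/DELETE with If-Match uses the strong comparison: 200 to proceed,
    412 Precondition Failed on a stale tag. Design choice for this example:
    a write without If-Match gets 428 Precondition Required, so a stale
    client can never silently overwrite a newer revision."""
    tags = parse_etag_list(if_match)
    if not tags:
        return 428
    if any(tag == "*" or strong_compare(tag, current) for tag in tags):
        return 200
    return 412

# --- a versioned store using deep ETags for lost-update protection -----------

class RevisionedStore:
    """In-memory rows; every successful write bumps the row's revision."""

    def __init__(self) -> None:
        self.rows: Dict[str, Tuple[int, bytes]] = {}

    def get(self, record_id: str) -> Tuple[str, bytes]:
        revision, body = self.rows[record_id]
        return deep_etag(record_id, revision), body

    def put(self, record_id: str, body: bytes, if_match: Optional[str]) -> Tuple[int, Optional[str]]:
        if record_id not in self.rows:
            if if_match is not None:          # If-Match can never match a missing resource
                return 412, None
            self.rows[record_id] = (1, body)  # unconditional create
            return 201, deep_etag(record_id, 1)
        revision, _ = self.rows[record_id]
        current = deep_etag(record_id, revision)
        status = conditional_write(current, if_match)
        if status != 200:
            return status, current
        self.rows[record_id] = (revision + 1, body)
        return 200, deep_etag(record_id, revision + 1)

def lost_update_demo() -> List[int]:
    """Two clients read the same revision; only the first write may succeed."""
    store = RevisionedStore()
    store.put("order-42", b'{"qty": 1}', None)
    etag_a, _ = store.get("order-42")                     # client A holds r1
    etag_b, _ = store.get("order-42")                     # client B holds r1
    s1, _ = store.put("order-42", b'{"qty": 2}', etag_a)  # 200, row is now r2
    s2, _ = store.put("order-42", b'{"qty": 3}', etag_b)  # 412, B's tag is stale
    s3, _ = store.put("order-42", b'{"qty": 3}', None)    # 428, no precondition
    return [s1, s2, s3]                                   # returns [200, 412, 428]
```

The shallow tag costs a full render per request and only saves bytes on the wire; the deep tag answers the same question from the revision column and additionally turns If-Match into a lost-update guard, which is the property a REST API exposing writable resources actually needs.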

Need privacy? Go for OAuth



On Facebook we can import the contact list from our mail accounts... mmm, do you trust it enough to give away your secret password?

Here comes the saviour (hope!!)



OAuth is an open protocol for secure API authorization in a simple and standard way from desktop and web applications. It is very useful for the access mechanisms needed by mashups and widgets, and it is a data-portability standard: it lets data move between different web apps without moving credentials along with it. Most mashup widgets ask users for their credentials in order to fetch a contact list, post links to bookmarks or blogs, and so on. With OAuth, users no longer need to hand their confidential Google username and password to third-party services in order for those services to access their data on Google. I think it's more than OpenID. OAuth is now available for all Google Data APIs, everything from Gmail contacts to Google Calendar to Docs to YouTube.

Thus OAuth allows you to grant another site access to your private resources on one site without sharing your password. Unlike OpenID, which is about proving who you are, the grant is limited to what you approve and can be revoked at the provider without changing your password.

cool!


ReadWriteWeb says:

Apps that don't use the approved Google user authentication method in short order will be acting like a mail carrier who says they have to have a key to the inside of your house to pick up your mail because they aren't familiar with the mailbox on the front porch.
Read Mashups: Google's Adoption Makes oAuth a Must Have for All Apps


oAuth.net says:

Every day new websites offer services which tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services – what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only do you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they want – even change your password and lock you out.

This is what OAuth does: it allows you, the User, to grant access to your private resources on one site (which is called the Service Provider) to another site (called the Consumer, not to be confused with you, the User). While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts).

How does it work?


Take a service provider X (a mashup, widget, social app, bookmarking app...) that holds the data, and a consumer C whose app Y (a third-party widget, a desktop app or any other tool) wants to use that data. Y must first be registered with X, which issues it a consumer key and a consumer secret; the secret never travels over the wire, it is only used to sign requests.



When the user decides to let Y fetch the data, a three-legged exchange runs between consumer and service. First Y makes a signed request to X for a temporary request token:

http://X/oauth/get_request_token

Then the user is redirected to the service with that token. The user logs in at X, not at Y, and approves (or refuses) the access:

http://X/oauth/authorize

Then the user is sent back to the consumer site, and Y exchanges the approved request token for an access token, again with a signed request:

http://X/oauth/get_access_token

All further API calls are signed with the consumer secret and the secret of this access token. (The revised OAuth 1.0a adds an oauth_verifier, handed back to Y with the user at the redirect, which Y must present when exchanging the token; without it an attacker who started the flow could complete the exchange with a request token the victim had authorized.)

So the user need not worry about privacy: this "contract" exists between the consumer app and the service provider, and the password is only ever typed into X.

OAuth UX flow:


A number of companies and individuals are working on solutions to this problem, including Google, Yahoo and Microsoft, as well as the OAuth project. Initiated by Blaine Cook, Chris Messina, Larry Halff and David Recordon, OAuth aims to provide an open standard for API access delegation. The OAuth discussion group was founded in April 2007 to give this small group of implementers a place to write the draft proposal for the protocol.

OAuth is already gaining considerable momentum, with implementations for many popular languages including Java, C#, Objective-C, Perl, PHP and Ruby. The majority of these implementations are hosted by the OAuth project via a Google Code repository. Sites supporting OAuth include Twitter, Ma.gnolia, Photobucket and Google.
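The "signed" requests in the exchange above, as an added, runnable example of OAuth 1.0 HMAC-SHA1 signing on the consumer side and verification on the service-provider side (the signature base string and key construction of RFC 5849 section 3.4). This is illustration code written for this page, not the OAuth project's library; the host photos.example.net, the keys, secrets, nonce and timestamp are constructed values.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849 section 3.4).
Added example for this page; all keys, secrets and URLs are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(value: str) -> str:
    """Percent-encode per RFC 3986: only ALPHA / DIGIT / '-' / '.' / '_' / '~' pass."""
    return quote(str(value), safe="-._~")

def base_string_uri(url: str) -> str:
    """scheme://host[:port]/path, lower-cased; default ports and the query are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"

def signature_base_string(method: str, url: str, params: Dict[str, str]) -> str:
    """METHOD & enc(uri) & enc(normalized params): protocol and query parameters,
    encoded, sorted by name then value, joined with '='/'&'; oauth_signature excluded."""
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])

def hmac_sha1_signature(method: str, url: str, params: Dict[str, str],
                        consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret). While fetching the request
    token there is no token yet, so that leg is signed by the consumer secret alone."""
    key = (oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)).encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method: str, url: str, consumer_key: str, consumer_secret: str,
                 token: str = "", token_secret: str = "",
                 timestamp: Optional[str] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Consumer side: build the oauth_* protocol parameters and sign them."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params

def verify_request(method: str, url: str, params: Dict[str, str],
                   consumer_secret: str, token_secret: str = "") -> bool:
    """Service-provider side: recompute the signature and compare in constant time.
    A real provider also rejects stale timestamps and replayed (timestamp, nonce) pairs."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, str(params.get("oauth_signature", "")))
```

The signature covers the method, the URI and every parameter, so neither the consumer secret nor the token secret is ever sent: the provider proves possession by recomputing the same HMAC. Note that the scheme and host are lowercased and the query string is folded into the parameter set before sorting, the two details that most home-grown implementations get wrong and that make the signatures of two otherwise correct parties disagree.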

The REST - part1

Representational State Transfer is the basic architecture of the Web.
"Representational State Transfer is intended to evoke an image of how a well-designed Web application behaves: a network of web pages (a virtual state-machine), where the user progresses through an application by selecting links (state transitions), resulting in the next page (representing the next state of the application) being transferred to the user and rendered for their use,"
as Roy Fielding, who coined REST in his Ph.D. dissertation to describe an architectural style for networked systems, puts it.
The resources scattered all around the web are each identified by a URI. A URI is the equivalent of a noun, and think how many nouns there are: from "flick"ering pixels to "twitter"ing fingers, all our thoughts congregate on the web. Verbs describe the actions, just as we use verbs for function names in programming. GET fetches a web page, the representation of the resource identified by the URI; it is the fundamental action of a browser. The other verbs are POST to add information, PUT to update (replace) it and DELETE to remove it. Together they form the CRUD verbs for the web as a database, and REST is modelling web services as URI-addressable resources. These REST-style URIs are logical rather than physical: the server maps the URI to the required data and sends its representation back, and the client's state changes according to what it receives. A hypertext document contains hyperlinks to other resources.
Each resource representation therefore contains hyperlinks, and following one takes the client to its next state. The pointers to the next states are embedded in the resource representations themselves.
Seen in OOP terms it is an "HTTP object model", which is in fact how it was originally referred to.
The REST-RPC style used by the flickr API looks like this:
GET services/rest?api_key=xx&method=flickr.photos.search&tags=sunflower
It gets the images tagged sunflower using the search method: the verb is GET, but the real operation is named by the method parameter, which is what makes it a hybrid rather than pure REST.
The Web uses embedded identifiers rather than link servers. Authors therefore need an identifier that closely matches the semantics they intend by a hypermedia reference, allowing the reference to remain static even though the result of accessing it may change over time. REST accomplishes this by defining a resource to be the semantics of what the author intends to identify, rather than the value corresponding to those semantics at the time the reference is created. That is also why it integrates naturally with "tagging" on the web, and why REST is a fundamental principle for a semantic web.
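The verbs-on-nouns model above as an added example, not code from the original post: a tiny in-memory photo service where /photos and /photos/{id} are the resources, the HTTP method is the verb, and each representation carries links to the states reachable next. The resource name, its fields and the tag query parameter are assumptions made for the demo; the one RPC-style URI it contrasts with is the flickr one quoted above.

```python
"""A resource-oriented (REST) service: URIs name resources, HTTP methods are the
verbs, and every representation embeds links to the next reachable states.
Added example for this page; the photo resource and its fields are made up."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

Response = Tuple[int, Optional[dict]]

class PhotoService:
    """In-memory collection exposed as /photos and /photos/{id}."""

    def __init__(self) -> None:
        self.photos: Dict[int, dict] = {}
        self.next_id = 1

    def _represent(self, photo_id: int) -> dict:
        # A representation is the state plus the hyperlinks (state transitions)
        rep = dict(self.photos[photo_id])
        rep["links"] = {"self": f"/photos/{photo_id}", "collection": "/photos"}
        return rep

    @staticmethod
    def _state(body: Optional[dict]) -> dict:
        body = body or {}
        return {"title": body.get("title", ""), "tags": list(body.get("tags", []))}

    def handle(self, method: str, uri: str, body: Optional[dict] = None) -> Response:
        """Dispatch one request by (verb, noun); returns (status, representation)."""
        path, _, query = uri.partition("?")
        parts = [p for p in path.split("/") if p]
        if parts == ["photos"]:
            return self._collection(method, dict(parse_qsl(query)), body)
        if len(parts) == 2 and parts[0] == "photos" and parts[1].isdigit():
            return self._item(method, int(parts[1]), body)
        return 404, None

    def _collection(self, method: str, query: Dict[str, str], body: Optional[dict]) -> Response:
        if method == "GET":
            # /photos?tag=sunflower is the resource-oriented form of the RPC-style
            # services/rest?method=flickr.photos.search&tags=sunflower
            tag = query.get("tag")
            ids = [i for i, p in self.photos.items() if tag is None or tag in p["tags"]]
            return 200, {"items": [self._represent(i) for i in ids], "links": {"self": "/photos"}}
        if method == "POST":
            # POST is not idempotent: every call creates a new resource with a new URI
            photo_id, self.next_id = self.next_id, self.next_id + 1
            self.photos[photo_id] = self._state(body)
            return 201, self._represent(photo_id)
        return 405, None

    def _item(self, method: str, photo_id: int, body: Optional[dict]) -> Response:
        if photo_id not in self.photos:
            return 404, None
        if method == "GET":
            return 200, self._represent(photo_id)
        if method == "PUT":
            # PUT replaces the whole state; repeating it leaves the same state (idempotent)
            self.photos[photo_id] = self._state(body)
            return 200, self._represent(photo_id)
        if method == "DELETE":
            del self.photos[photo_id]
            return 204, None
        return 405, None

def walk() -> List[int]:
    """Drive the service by following links, as a client would; returns the statuses seen."""
    svc = PhotoService()
    status, rep = svc.handle("POST", "/photos", {"title": "field", "tags": ["sunflower"]})
    seen = [status]
    seen.append(svc.handle("GET", rep["links"]["self"])[0])                       # follow 'self'
    seen.append(svc.handle("GET", rep["links"]["collection"] + "?tag=sunflower")[0])
    seen.append(svc.handle("PUT", rep["links"]["self"], {"title": "meadow"})[0])
    seen.append(svc.handle("DELETE", rep["links"]["self"])[0])
    seen.append(svc.handle("DELETE", rep["links"]["self"])[0])                    # already gone
    return seen   # returns [201, 200, 200, 200, 204, 404]
```

The client never constructs a URI from documentation: it starts at the collection and follows the links the representations hand it, which is what "hypermedia as the engine of application state" means in practice, and why the server is free to change its URI layout without breaking clients.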

Gravatar - Universal Avatar

Gravatar is the globally recognized avatar. Avatars are our virtual personae in the cyber world, our pixelized existence in two dimensions. Gravatar, created by the American web developer Tom Preston-Werner, is a service that gives you a single image identity on the web: it shows your picture on the platforms where content is delivered. The avatar image is located by a URL built from a hash of your e-mail address (hashed, not encrypted). When a comment is posted on a web forum or a blog using your mail id, the gravatar is shown alongside the post; comment platforms like Disqus support it. The avatar is stored in one place and appears on many websites, blogs and forums, and once the image is changed the change is reflected on all of them. This is the web as a service. Adding the avatar to your website is simple: put the URL provided by the Gravatar API inside the img tag.

<img src="http://en.gravatar.com/avatar/2f89787e504e558c1efbe55e73a95df3" />


The hash is computed from the e-mail address, which is unique to the user: trim the address, lower-case it, and hash("ur@mail.com") => the 32-character hex MD5 digest (a one-way hash, not an encryption).
Append that string to the base of the clean URL API, "http://en.gravatar.com/avatar/":
"http://en.gravatar.com/avatar/" + hash("ur@mail.com") + [.jpg, optional].
Because the MD5 of an address is deterministic and unsalted, the same hash identifies you on every site that embeds it, and anyone holding a list of candidate addresses can match them to the hashes on a page; treat it as a public identifier, not as a way of hiding the address.
These gravatars can be integrated with microformats, XFN, mail, forums and blogs.
Grab a gravatar
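The URL construction described above, plus the correlation caveat, as an added example that is not Gravatar's own code: normalizing the address, hashing it, building the img src with the optional size and default-image parameters, and matching harvested hashes back against a candidate address list. The addresses used are constructed, and the base URL is the one quoted in the post.

```python
"""Gravatar identifiers: the avatar URL is derived from an MD5 of the normalized
e-mail address. Added example for this page; the addresses are constructed."""
import hashlib
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode

GRAVATAR_BASE = "http://en.gravatar.com/avatar/"   # base URL quoted in the post

def normalize_email(email: str) -> str:
    """Gravatar hashes the address after trimming whitespace and lower-casing it."""
    return email.strip().lower()

def gravatar_hash(email: str) -> str:
    """32 lowercase hex characters; a one-way hash, not an encryption of the address."""
    return hashlib.md5(normalize_email(email).encode("utf-8")).hexdigest()

def gravatar_url(email: str, size: Optional[int] = None,
                 default: Optional[str] = None, jpg: bool = False) -> str:
    """Build the <img src> value: base + hash [+ .jpg] [?s=<px>&d=<fallback>]."""
    url = GRAVATAR_BASE + gravatar_hash(email) + (".jpg" if jpg else "")
    params = {}
    if size is not None:
        params["s"] = str(size)
    if default is not None:
        params["d"] = default
    return url + ("?" + urlencode(params) if params else "")

def correlate(hashes: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """The hash is deterministic and unsalted, so a list of candidate addresses
    maps the hashes seen on a page straight back to addresses. Returns
    hash -> normalized address for every candidate that matches."""
    table = {gravatar_hash(c): normalize_email(c) for c in candidates}
    return {h: table[h] for h in hashes if h in table}
```

The same property that makes the avatar portable (one hash, every site) is what makes it an identifier: two comments on unrelated sites with the same hash come from the same address, and a short dictionary of plausible addresses reverses most of them.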