Web Service Based Web Sites

Monday, June 20, 2005

Web Services (ws) and Web Sites have many things in common. So, why not put them together? I gave it the classic "Jared try" to find out if I could. (http://blueblocks.lobberecht.com)

DB <-> Business Logic <-> Web Services <-> Web Browser

First, I had to make some allowances for the Web Browser. No browser, that I know of, will directly communicate with a ws. Browsers were designed to use pure HTTP. My solution was to create a PHP file to act as a ws proxy for the browser.
DB <-> Business Logic <-> Web Services <-> PHP proxy <-> Web Browser
(I used PHP because my host only supports PHP. You could accomplish this in any server-side language, perhaps even a client-side language, that has a ws library. I also used PHP for the SOAP webservices.)

I chose not to output HTML from my ws. HTML was designed to describe the look-and-feel of data, not content. My ws outputs standard XML, conforming to various specifications, based on the content (RSS for the News, etc.), to maintain it's programmatic accessibility and compliance to accepted standards. I still had to contend with the browser, because it is still a web site, so, I used XSLT to transform the XML into XHTML on the client side. The client side XSLT transformation does limit my audience to modern webbrowsers, such as IE6 and Firefox, but I'm not trying to make this site universally compatible. Besides, you should be running a modern browser for security reasons anyway.

None. There are no advantages, in this design, over having an HTML page and a separate XML page, expressing the same content, generated directly from the same datasource. I have, simply, made the conversion process, from data to HTML formatted response, serial. (DB->XML->HTML) Some would also consider this a weak point in the design, because the HTML is dependent on the XML and the DB instead of just the DB.
This might be a good design if the site is intended to be used programmaticly, with a fall-back to HTML for those who wish to use it that way.

A little more difficult to code, especially if you are already using a CMS or other HTML based template engines.

Anyone returning XML from a Web Service should remember, the XML validator that validates the ws response will strictly validate your returned XML also. Make sure the returned XML is valid, has the <?xml version="1.0"?> tag, and a DOCTYPE or the whole ws response will not validate. You can also use a CDATA tag to enclose the response, but that did not work for me.


Friday, June 17, 2005

Google-depression strikes again!

GeoURL is a location-to-URL reverse directory. This will allow you to find URLs by their proximity to a given location. Find your neighbor's blog, perhaps, or the web page of the restaurants near you. It currently only lists 181,117 sites, but you can add sites for free.

When mobile internet devices incorperate GPS devices, businesses will want this!

Super Future Prediction: This idea will be officially folded into Google Maps. (Unofficially, It has already been done by Leigh Dodds.)

Code Signing on a Shoe-String Budget

Tuesday, June 14, 2005

I don't need a professional Code Signing infrastructure complete with 24/7 Indonesian support and free Hot Pocket delivery within the tri-state area. I just want to make sure people know they have something of mine for less than, or equal to, $0.

Solution 1 of 1:
Free code signing. (I must remind everyone of the lack of official support for what I'm about to describe. If you are running a real business, go pay the money.)

Windows (I'm using XP)
Compiled binary of OpenSSL
GlobalSign's PVK transform utility (Mirror)
Microsoft's code signing stuff (Mirror)

Get a free certificate from Ascertia.
Note: The "Name" you enter will be the name seen on the certificate. Don't worry if you can't decide on a good name, you can change it after you register.

Generate and download the certificate using Internet Explorer.
It failed to download the ActiveX file in all the other browsers I tried, including Firefox.

Run certmgr.exe from codesigningx86, select the certificate, and export.
Select the option to export without the private key and in DER encoded binary. I did not test the other encoding methods, but, in theory, they all should work.
This should produce a cer file. I put all my files on the desktop to shorten all the path names. There is nothing worse than typing and searching for errors in long pathnames.

[I had a beautiful tutorial written just before the power went out. For speed, I will just give you the bare bones.]

cert2spc <insert cer file path> <insert new spc file path>

Run certmgr.exe, select the same certificate, and export again.
This time export the private key. Make sure "Include all certificates in the certification if possible" is checked and "Delete the private key if the export is successful" is unchecked.
This will export a pfx file. (Make sure to remember the password you set.)

openssl pkcs12 -in <insert pfx file path> -nocerts -nodes -out <insert new pem file path>

pvk -in <insert pem file path> -topvk -out <insert new pvk file path>

You only need the spc and pvk files, so you can, and should for security reasons, delete the other data files.

signcode -spc "<insert spc file path>" -v "<insert pvk file path>" -a md5 -i "<insert some information, usually your websites url>" -n "<insert short file description>" -t http://timestamp.verisign.com/scripts/timstamp.dll "<insert target file path>"

You don't have to pay Verisign to use their timestamp server. You should, and again you should just pay the money if you are running any form of business, but it works whether you do or not.

That will do it. You can verify the signature by opening the properties of the signed file, and clicking the Digital Signatures tab. If there is no Digital Signatures tab, you failed.

Thanks to Matthew Jones for the help.