If you write web applications, you should peruse the latest release of the Open Web Application Security Project Guide, currently at 2.0.1. Its 293 pages of tips, tricks and techniques, for multiple languages, should be useful to any developer.
Monthly Archives: July 2005
Running your company on webapps
Here’s an interesting post on running your company on webapps.
Of course, the issues of security (who’s responsible for it? who do you call when an employee leaves?), data ownership (how can you export your precious data if you want to move to a different provider?), legality (using gmail for business is a violation of their terms of service–didn’t check the other services), and access (if your internet access is disabled, your business is too) are skipped over entirely.
On the plus side, hey, it’s easy to get started, and the ongoing maintenance is minimal! But consider the downsides outlined above before you jump in.
It is interesting to me that that broadband is enough of a utility now, if you can get it, that a business can think of putting something as crucial as their calendar on a remote website.
Exchanging PostgreSQL for Oracle
I have a client who was building some commercial software on top of PostgreSQL. This plans to be a fairly high volume site, 1.8 million views/hour 500 hits a second. Most of the software seemed to work just fine, but they had some issues with Postgres. Specifically, the backup was failing and we couldn’t figure out why. Then, a few days ago, we saw this message:
ERROR: could not access status of transaction 1936028719
DETAIL: could not open file “/usr/local/postgres/data/pg_clog/0836”: No such file or directory
After a bit of searching, I saw two threads suggesting fixes, which ranged from deleting the offending row to recreating the entire database.
I suggested these to my client, and he thought about it for a couple of days and came up with a solution not suggested on these threads: move to Oracle. Oracle, whose licensing and pricing has been famously opaque, now has a pricing list available online, with prices for the Standard Edition One and Enterprise Edition versions of their database, as well as other software they sell. And my client decided that he could stomach paying for Oracle, given:
1. The prices aren’t too bad.
2. The amount of support and knowledgeable folks available for Oracle dwarfs the community of Postgres.
3. He just wants something to work. The value add of his company is in his service, not in the back end database (as long as it runs).
I can’t fault him for his decision. PostgreSQL is full featured, was probably responsible for Oracle becoming more transparent and reasonable in pricing, and I’ve used it in the past, but he’d had enough. It’s the same reason many folks have Macs or Windows when there is linux, which is a free tank that is “… invulnerable, and can drive across rocks and swamps at ninety miles an hour while getting a hundred miles to the gallon!”.
I’ll let you know how the migration goes.
Building a Full-Text Search Engine from Open Source Components
A friend and former colleague did a presentation a few months ago about “Building a Full-Text Search Engine from Open Source Components”. The slides are up. From the abstract:
In addition to the many useful open source applications that are available ready-to-run, there are quite a few open source APIs out there that are just crying out to be combined in new, useful, and interesting ways. By “just” writing a few lines of code to join them together it should be possible to build a new application that has a unique set of features.
Calling one servlet from another
So, I’m building a RESTful web service for a client, which is going to accept a large (60 mbish) file and a set of parameters that are attributes of the file, using the multipart/form-data
enctype. The idea is to have this service be available for external programs to post to, but to also provide a nice web interface. I built another servlet which generates the usable user interface (the UI servlet), and am now having trouble pushing the data over to the RESTful servlet. After the RESTful service is called, the UI servlet needs to ensure that any errors are understandable to the user.
It looks like there are a couple of options:
1. Use RequestDispatcher to hand the request entirely over to the service. This is easy, but it means that the service now needs to return a human readable response, or you need to insert a filter to provide one.
1a. Have the RESTful service take a parameter which indicates whether its caller is another program or a human being, and use the RequestDispatcher from the UI servlet.
1b. Have no UI servlet at all, but just have the RESTful servlet be able to generate a nice user interface (or redirect to a pleasant looking JSP) via a given parameter.
2. Use the URL and HttpURLConnection objects to have the UI servlet post to the RESTful servlet just as you’d post to any other remote resource on the internet with java. This seems to work ok (I think), but requires (I also think) an absolute URL and also requires a bit of I/O to push the stream of bytes from the UI servlet to the RESTful servlet.
I can’t think of any other ways to solve this problem, and the only other solution that searching turned up is a no-no in modern servlet engines.