Thu, 29 Nov 2012
Secure Login at Alza.CZ
Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:
In the login form, the user can click a link named "SSL", which leads to an SSL-encrypted page with an alternative login form. The problem is that this page apparently submits the login form data unencrypted, so using SSL to display the login form is completely pointless. What matters is the URL the form posts to, not the URL of the page that displays it: a form whose action is a plain http:// URL sends the credentials in the clear no matter how the form itself was delivered.
Wed, 28 Nov 2012
SOAP::Lite
Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.
For example, look at this:
HTTP Basic authentication is accomplished by overriding the get_basic_credentials subroutine in LWP::UserAgent (of which SOAP::Transport::HTTP::Client is a subclass):

    BEGIN {
        sub SOAP::Transport::HTTP::Client::get_basic_credentials {
            return 'username' => 'password';
        }
    }
So apparently the only way to use Basic authentication is to override a global function in some foreign namespace. And what should I do when I want to use two SOAP servers with two sets of credentials inside a single application?

There are more similar "features" in SOAP::Lite. For example, tracing can only be set up globally at compile time, or by manually calling ->import().
My dear lazyweb, is there a SOAP module with cleaner design?
Update - Wed, 28 Nov 2012: Tracing
FWIW, it is probably easier and cleaner to do both Basic authentication and tracing at the transport level. The transport object here is an LWP::UserAgent (thanks Adelton for the hint!), so for example the handlers described in the LWP::UserAgent manpage work:

    $soap->transport->add_handler(
        request_prepare => sub { shift->authorization_basic($login, $pass); },
    );
    # The tracing handlers return nothing, so LWP still sends the request
    # itself and leaves the response untouched.
    $soap->transport->add_handler(
        request_send => sub { print STDERR shift->content; return; },
    );
    $soap->transport->add_handler(
        response_done => sub { print STDERR shift->content; return; },
    );
I wonder why the SOAP::Lite manpages suggest such dirty ways of handling this (and I have not even started mentioning things like the $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global variable; ugh).
Tue, 27 Nov 2012
Cookies Auth and 403 Forbidden
In IS MU we have recently abandoned HTTP Basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of Basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is that it does not work correctly with some clients because of the way the login form is handled.
When a not-yet-authenticated user accesses a URL meant for authenticated users only, Apache2::AuthCookie returns an HTTP response with the "403 Forbidden" status code and a text/html body containing the login form. That way, the client cannot possibly be led into the false assumption that the page it just received is the content it asked for.

So the user fills in the login form, submits it, and the server returns the real page for that URL, this time with a "200 OK" status code.
This approach seems to be correct (even after reading RFC 2616 :-). However, we observe problems with the following two use cases:
- Nokia Symbian-based phones. After receiving a 403 from the server, they display their own error message and ignore the returned HTML altogether (except for the page background :-).
- Microsoft Word. When a link to the authenticated page is embedded inside a Word document and the user ctrl+clicks it, Word apparently starts MSIE to fetch the page. However, in this special case MSIE does not display the login form after getting the 403 status, but reports the error to its caller (MS Word) instead. So Word displays a generic error pop-up to the user, without the user ever being able to log in.
What to do now? The problem is clearly in the HTTP status code 403 and its misinterpretation by some clients. I don't want to return the login form in a 200 OK response, because I need e.g. web crawlers to know that this is not actually the page they tried to access. As for Symbian, those phones can be clearly identified by their User-Agent string, so I can return 200 OK only for them. But as for MS Word, I have no clue: what I see is the request made by MSIE (and again, I probably don't want to return 200 OK to every unauthenticated MSIE request).
Any other suggestions, my dear lazyweb?
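To make the flow above concrete, here is a minimal WSGI application implementing the same behaviour: the login form is served with 403 to unauthenticated clients, 200 only to clients matched by User-Agent (the Symbian case), and the real page with 200 once a session cookie is present. This is an added example, not Apache2::AuthCookie or IS MU code; the paths, the cookie name, the sample user, the in-memory session store and the "Symbian" User-Agent substring are all assumptions made for the example.

```python
# Added example (not Apache2::AuthCookie or IS MU code): a minimal WSGI app
# with the login flow the post describes, plus a User-Agent override for
# clients that cannot render the body of a 403.  Paths, cookie name, sample
# users and the Symbian pattern are assumptions made for this example.
import html
import io
import secrets
from http import cookies
from urllib.parse import parse_qs

COOKIE_NAME = "session"
SESSIONS = {}                   # token -> user; a real deployment needs a shared store
USERS = {"alice": "s3cret"}     # constructed sample credentials

LOGIN_FORM = (
    '<html><body><form method="post" action="/login">'
    'user <input name="user"> pass <input type="password" name="pass">'
    '<input type="hidden" name="next" value="{next}">'
    '<input type="submit" value="Log in"></form></body></html>'
)


def session_user(environ):
    """Return the user bound to the request's session cookie, or None."""
    jar = cookies.SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    return SESSIONS.get(token)


def login_form_status(environ):
    """403 by default; 200 only for clients known to throw away a 403 body."""
    if "Symbian" in environ.get("HTTP_USER_AGENT", ""):   # assumed pattern
        return "200 OK"
    return "403 Forbidden"


def send_login_form(environ, start_response, next_path):
    body = LOGIN_FORM.format(next=html.escape(next_path, quote=True)).encode()
    start_response(login_form_status(environ), [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def auth_app(environ, start_response):
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")

    if method == "POST" and path == "/login":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        expected = USERS.get(user)
        if expected is not None and secrets.compare_digest(expected, password):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = user
            target = form.get("next", ["/"])[0]
            if not target.startswith("/") or target.startswith("//"):
                target = "/"                 # refuse off-site redirects
            start_response("303 See Other", [
                ("Location", target),
                ("Set-Cookie", f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure"),
            ])
            return [b""]
        return send_login_form(environ, start_response, "/")   # bad credentials

    user = session_user(environ)
    if user is None:
        return send_login_form(environ, start_response, path)

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"protected content of {path} for {user}\n".encode()]


def run_request(method, path, headers=None, body=b""):
    """Drive auth_app with a synthetic WSGI environ; returns (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    out = b"".join(auth_app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    print(run_request("GET", "/secret")[0])                                   # 403 Forbidden
    print(run_request("GET", "/secret", {"User-Agent": "SymbianOS/9.2"})[0])  # 200 OK
    status, hdrs, _ = run_request("POST", "/login", body=b"user=alice&pass=s3cret&next=/secret")
    print(status, hdrs["Location"], run_request("GET", "/secret", {"Cookie": hdrs["Set-Cookie"].split(";")[0]})[2])
```

The example keeps the post's choice of 403 rather than 401: a 401 has to carry a WWW-Authenticate header, and with the Basic scheme that brings back exactly the browser dialog the cookie login was meant to replace. The User-Agent override is deliberately narrow, since every client added to it gets a login page that looks like a successful fetch; the MS Word/MSIE case the post describes is left exactly as open here as it is there.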
Tue, 20 Nov 2012
SMD Soldering
For the first time in my life, I have tried to solder SMD components (as I have written before, I am working on DIY LED lights for my bike). The component side looks OK, and soldering the through-hole components went without problems. The SMD parts were a bit tricky, though.
I have used an ordinary soldering station with temperature regulation, but the results are not pretty. I wonder what is required to achieve this level of quality (watch from 14:10). One possible problem might be that some components on my board (especially the smallest sensing resistors) are connected to the highest-current and thus thickest paths, which suck great amounts of thermal energy when soldering.
Anyway, from the preliminary testing, it seems that my board works. So far I have found the following problems:
- The programming connector is bigger than I expected. I have solved this by using the angled variant instead and adjusting it with a knife :-)
- The silk layer labels marking the polarity of components (electrolytic capacitors, diodes, etc.) can be placed under the components, except for the labels of connectors, which are needed even after the components are soldered!
- I should have added low-pass filters to the A/D converter inputs, at least for the feedback of the PWM-regulated converters. I think I would be able to overcome this in the firmware, though.
- Next time, I would probably design the board with round corners :-)
Now it's time to finish the firmware and start adjusting the mechanical parts. I have already made the front spotlight and the rear spotlight, and I want to make a LED string. Any tips about making a waterproof LED string out of 3mm through-hole LEDs will be appreciated. Should I use silicone, heat-shrink tubing, or what?
Thu, 15 Nov 2012
Printed Circuit Boards
For my bike lights I needed a PCB. Out of several services for manufacturing PCBs, I have chosen Itead Studio PCB prototyping service (the other candidate was Seeed studio). Here are the preliminary results:
I placed my order on October 29th in the evening (Central European Time); according to Hong Kong Post, the package was received by them on November 7th, it left Hong Kong on November 11th, and I received it today, November 15th.
They also have an interesting "Open source" program: the customer declares that his design is open source (mine is anyway), they make a few more boards in addition to those the customer ordered, and they send them to their other customers. The original customer gets his ordered boards and, in addition, two more boards from other open source projects. I have in fact got their demo board (on the right side) and one open source board (the white one). Apparently it is an Arduino 512KB SRAM expansion board. I currently don't use Arduino, so if any Arduino user is interested in this PCB, just let me know.
Okay, now it's time to take a soldering iron and play more with the hardware :-)
Mon, 12 Nov 2012
Desktop Environment-Specific Apps
I have recently come across this two-year-old bug report, filed in the bug tracker of Transmission (a BitTorrent client), where a GNOME developer suggests removing the notification area icon from the application on the grounds that GNOME 3 does not support the notification area at all.
So if I understand it correctly, we now live in a world where all GUI applications have to depend on a particular desktop environment, and running, say, Transmission under XFCE or GIMP under KDE should no longer be supported, at least according to GNOME developers. "We GNOMErs do not support notification area icons, so this application should not use it" (even though the application is not used exclusively under GNOME)? Where are the freedesktop.org cross-DE interoperability recommendations?
That said, notification area as such sucks - what I liked most was the original approach of X11: using on-desktop icons for minimized applications (instead of applications and documents shortcuts), and applications displaying their own status in their icon (handled by every window manager using the same ICCCM specification).
Tue, 06 Nov 2012
DNS Lookup :-)
It seems my registrar will soon discontinue their "free" hosting (as in "bundled with the domain registration"), so I will have to move the mail and WWW servers for my domain yenya.net elsewhere. There is no problem with that - I have a 24/7 running computer at home with good connectivity. There is one challenge, though:
The new DirectNIC service allows only one A record in the registered domain, when the domain is hosted on their DNS servers (no AAAA and no DNSSEC). So I am considering running my own DNS server in addition to mail and WWW servers. This would allow me to have A and AAAA records, SSHFP, and possibly the new DANE records. So I need someone to host a secondary DNS server. The requirements are:
- Static IP address, running 24/7
- IPv6 connectivity, if possible
- DNSSEC enabled
- Hourly update interval if possible
- Preferably outside the SmartComp/Nebox network
Of course, I am willing to provide the same service to the other party. Is anybody interested? Thanks in advance.