Re: Banana Republic (was Re: OpenVMS Book Wins award)

Hi Mark,

(Once again, sorry for the delay)

Cross-domain access is one of the holy grails of distributed
applications

There is also a strong argument for server-side aggregation, or portal
functionality. (and good 'ol same-origin policy)

(at least those that can be mashed together from existing
webby technologies)

Granted.

and are always fraught with security related issues.

To say the least. The JSON script-injection option I find particularly
scary! (Although I cannot see why, at least for Sockets, some/many people
still pursue HTTP Access Control at the expense of policy files.)

Of course there probably also is an element of 'HTML people' tending to
have only a hammer in their toolbox (no real slight intended).

I think you're right.

To better convey that this example has some level of sophistication here
is a (short-lived) peek at the HMI

http://wasd.vsm.com.au/wasd_tmp/mondesi_081116a.png

Looks good! (Although I think I recall some of JFP's Stills looking sexier;
and with stock standard Ajax?)

> Is this
thread/process serving *all* clients or is there a 1:1 relationship?

In all general purpose Web serving there is such a relationship. This
is definitely the case in the above application which is written as a
CGI script. All VMS Web servers would activate an instance for each
client (in fact for a CGI script, all servers period).

So even when you're doing traditional request/response processing, you still
get one instance per client? It's worse than I thought! But then I also
thought that "Fast"-CGI (or some such beast) was meant to overcome this
absolute bollocks? Although, limited in its application to long-polling I
imagine.

Not to worry, an article has just appeared over at CometDaily that says
there's nothing wrong with 1000 threads for 1000 users! Doesn't say anything
about attaching to the database 1000 times, duplicating memory and
everything else 1000x, paging in/out, but then that's the Comet people for
ya.

Of course in
many Web environments there would be nothing preventing the design and
implementation of something (like an Apache module) which maintained a
single, internal 'application' that serviced multiple, concurrent clients.

OK, something like a single-threaded Apache (or Tomcat?) module that took
standard Ajax/http requests, kept the connections open, sampled GETRMI data,
and streamed it back to the client(s)? Perhaps you have one you prepared
earlier?

But surely one process or thread is a bottleneck and you'd need an
application-configurable pool of Execution Server processes/threads to
allocate the work to, and that pool could grow/shrink (within parameters set
by the System Manager) to meet workload requirements? Then you might also
want to know the VMS Username of the client you're performing work for so
you can perform auditing and security checking? (It's a shame Ian Mugabe
vetoed Rdb's introduction of SQL> Set Session Authorization Persona
:ws_integer; But then Rdb doesn't work with threads so you're probably
stuffed anyway.)

This is all sounding strangely familiar for some reason. . .oh I've got it -
"You need Tier3!" As in :-
http://manson.vistech.net/t3$examples/demo_client_flex.html

Username: TIER3_DEMO
Password: QUEUE

No bollocks HTTP, SOAP, XML (unless you really want), Java, Garbage
Collector, RMI, Threads, WSIT, Axis2, Apache, Tomcat, WASD, OSU, CGI, Perl,
PHP, Pyhthon!

Just the VMS 3GLs you know and love, Oracle (Rdb or Orrible), and RMS on the
back-end. (The world's your oyster on the front-end: - HTML, Javascript,
Java, Flex, Flash, Silverlight, VMS)

Is the thread/process unavailable for servicing
other requests while it's streaming its long-poll (or words to that
effect
:-)

Yes.

Sounds optimal :-)

An interesting .

I agree; so that's all two of us then :-(

and opportune thread,

How so?

Anyway, for anyone else out there who may be reading, let me reiterate an
alternative architecture for asynchronous client event notification; it's
called "UDP"! (Plus or minus Broadcasting and Multicasting functionality
depending on the network intra/internet etc) A single client socket can
receive messages from any number of server processes who in turn could be
sending message events to any number of clients. Use this in combo with a
middleware backbone based on a reliable transport such as TCP/IP and all of
your application architecture needs will have been met!

See below for a PUSH technology example (in case you missed a much earlier
post to COV)

Cheers Richard Maher
====================================

If you'd like to see an example of a bog-standard VMS server that sends UDP
messages to Web-client subscribers, then please follow these instructions: -

1) Click on the following link and read the instructions:
http://manson.vistech.net/~tier3/tier3pager.html

2) Telnet to manson.vistech.net. (If you don't already have an account on
the Deathrow cluster then please use Username: DEMO Password: USER) and
then:

$set term/width=132
$run sys$users:[users.tier3.web]demo_udp_msg

3) Enter the IP address of your client node. Your "stock-monitor" from step
1 should now spring into life with ransom stock-prices generated at 2sec
intervals. (NATed clients will find this bit problematic :-)

4) Enter any adhoc messages that you wish to appear in the seperate Java
Frame on the client.

OPCOM messages to web-subscribers? CHAT conferences? Stock-Watching? Alarm
Monitoring? - I mean what's it all about?

Cheers Richard Maher

PS. The code for Tier3Pager.java aqnd DEMO_UDP_MSG.COB are below, but all
can be found at SYS$USERS:[USERS.TIER3.WEB]

Tier3Pager.java
===========

/**
* Copyight Tier3 Software. All rights reserved.
*
* Author: Richard Maher
*
**/

import java.applet.Applet;
import java.awt.*;
import java.net.*;
import java.io.IOException;
import netscape.javascript.JSObject;
import netscape.javascript.JSException;

public class Tier3Pager extends Applet
{
private String hostName;
private JSObject browser;
private static MessageThread socketThread;
private static Tier3Talk chat;

public class MessageThread extends Thread
{
private DatagramSocket socket;
private DatagramPacket packet;
private String threadData;

public MessageThread(String name, String txt) throws Exception
{
super(name);

byte[] buffer;
threadData = txt;

String port = getParameter("PORT");
String maxBuf = getParameter("MAXBUF");
try
{
if (port == null)
socket = new DatagramSocket();
else
socket = new DatagramSocket(Integer.parseInt(port));

if (maxBuf == null)
buffer = new byte[512];
else
buffer = new byte[Integer.parseInt(maxBuf)];

packet = new DatagramPacket(buffer, buffer.length);
}
catch (Exception e)
{
e.printStackTrace();
System.out.println("Unable to create UDP Socket");
throw new Exception("Message thread could not be created");
}

setDaemon(true);
start();
}

public void shutdown()
{
socket.close();
}

public int getLocalPort()
{
return socket.getLocalPort();
}

public void run()
{
System.out.println("Started Message thread. ThreadData = " +
threadData);
String args[] = {"Started Message Thread " + threadData};
browser.call("alert", args);
boolean stopThread = false;

readLoop:
while (!stopThread)
{
try
{
socket.receive(packet);
String received = new String(packet.getData(), 0,
packet.getLength());
processMessage(received);
}
catch (SocketException e)
{
System.out.println("Shutting up shop");
stopThread = true;
continue readLoop;
}
catch (IOException e)
{
e.printStackTrace();
System.out.println("Unable to retrieve UDP message");
}
}

System.out.println("Thread run() unit terminating");
}

public void processMessage(String msgText)
{
int msgType = Integer.parseInt(msgText.substring(0,2));
switch (msgType){
case 1:
chat.append(msgText.substring(2));
break;
case 2:
String args[] = {msgText.substring(2)};
try {browser.call("priceUpdate", args);}
catch (JSException e)
{
System.out.println("Error when calling JS
priceUpdate()");
}
break;
default:
System.out.println("Unknown rec type
"+msgText);
}
}
}

public void init()
{
System.out.println("Initializing. . .");
hostName = getCodeBase().getHost();

chat = new Tier3Talk("Tier3 Messages");
requestFocus();

browser = JSObject.getWindow(this);

if (socketThread == null)
{
try
{
socketThread = new MessageThread("MsgDaemon", "SomeData");
}
catch (Exception e)
{
e.printStackTrace();
System.out.println("Could not init Tier3Pager");
}
}
}

public void alert(String alertText)
{
String args[] = {alertText};
browser.call("alert", args);
}

public void destroy()
{
if (chat != null)
chat.dispose();

boolean stillDying;

if (socketThread != null){
socketThread.shutdown();
do
{
stillDying = false;
System.out.println("Joining MessageThread");
try {socketThread.join();}
catch (InterruptedException e){
System.out.println("Interrupted Join");
stillDying = true;
}
} while (stillDying);

socketThread = null;
}

System.out.println("Tier3Pager Applet Rundown complete");
super.destroy();
}
}


DEMO_UDP_MSG.COB
====================

****************************************************************************
********
*
*
* COPYRIGHT (c) BY TIER3 SOFTWARE LTD. ALL RIGHTS RESERVED.
*
*
*
* THIS SOFTWARE IS FURNISHED UNDER A LICENSE AND MAY BE USED AND COPIED
ONLY *
* IN ACCORDANCE WITH THE TERMS AND CONDITIONS OF SUCH LICENSE AND WITH
THE *
* THE INCLUSION OF THE ABOVE COPYRIGHT NOTICE. THIS SOFTWARE OR ANY
OTHER *
* COPIES THEREOF MAY NOT BE PROVIDED OR OTHERWISE MADE AVAILABLE TO
ANY *
* OTHER PERSON. NO TITLE TO AND OWNERSHIP OF THE SOFTWARE IS
HEREBY *
* TRANSFERRED.
*
*
*
* THE INFORMATION IN THIS SOFTWARE IS SUBJECT TO CHANGE WITHOUT NOTICE
AND *
* SHOULD NOT BE CONSTRUED AS A COMMITMENT BY TIER3 SOFTWARE LTD.
*
*
*
****************************************************************************
********
*+
* Facilility: DEMO_UDP_MSG
*
* Abstract: Send a UDP message to a Java Applet Web client
*
* Build example:
* $COBOL/LIST DEMO_UDP_MSG
* $MACRO/LIST DEMO_TCP_IP_DEF
* $LINK DEMO_UDP_MSG, DEMO_TCP_IP_DEF
* $RUN DEMO_UDP_MSG
*-
identification division.
program-id. demo_udp_msg.
data division.
working-storage section.
01 stock_ticker pic s9(9) comp value external
stock_ticker.
01 acp_gethostbyname pic s9(9) comp value external
acp_gethostbyname.
01 io$_setmode pic s9(9) comp value external
io$_setmode.
01 io$_writevblk pic s9(9) comp value external
io$_writevblk.
01 io$_acpcontrol pic s9(9) comp value external
io$_acpcontrol.
01 ss$_bufferovf pic s9(9) comp value external
ss$_bufferovf.
01 ss$_endoffile pic s9(9) comp value external
ss$_endoffile.
01 ss$_abort pic s9(9) comp value external
ss$_abort.
01 ss$_normal pic s9(9) comp value external
ss$_normal.
01 sys_status pic s9(9) comp.
*
01 iosb.
03 cond_val pic s9(4) comp.
03 byte_count pic s9(4) comp.
03 pic s9(9) comp.
*
01 create_socket.
03 pic s9(4) comp value external
ucx$c_udp.
03 pic s9(4) comp value external
inet_protyp$c_dgram.
*
01 local_sock_desc.
03 pic s9(9) comp value 16.
03 pointer value
reference local_addr.
01 local_addr.
03 pic s9(4) comp value external
ucx$c_af_inet.
03 local_port_number.
05 low_byte pic x value
low-values.
05 high_byte pic x value
low-values.
03 pic s9(9) comp value external
ucx$c_inaddr_any.
03 pic x(8).
*
01 ast_area.
03 net_chan pic s9(4) comp.
03 stock_delta_secs pic s9(11)v9(7) comp value -2.
03 seed pic 9(9) comp.
03 ast_iosb.
05 ast_cond pic s9(4) comp.
05 pic x(6).
03 rem_sock_desc.
05 pic s9(9) comp value 16.
05 pointer value
reference rem_addr.
*+
* Use port number 1234 for example's sake
*-
01 rem_addr.
03 pic s9(4) comp value external
ucx$c_af_inet.
03 rem_port_number.
05 low_byte pic x value x"04".
05 high_byte pic x value x"D2".
03 rem_node_addr pic x(4).
03 pic x(8).
*
01 in_addr_name pic x(60).
01 in_addr_name_len pic 9(4) comp.
01 out_len pic 9(4) comp.
*
01 message_buffer.
03 message_type pic x(2) value "01".
03 message_text pic x(30).
*
01 user_exit pic x value "N".
01 end_key pic x(4).
01 in_time pic 9(8).
*
procedure division.
kick_off section.
00.
accept in_time from time.
move in_time to seed.

display "Enter Client's IP address or name: " erase screen no advancing.
accept in_addr_name protected reversed at end go to fini.

if in_addr_name = spaces go to fini.

perform get_udp_socket.
if sys_status not = ss$_normal go to fini.

move "Stock Ticker is now on-line" to message_text.
perform send_message.

call "sys$dclast"
using by value stock_ticker
by reference ast_area
by value 0
giving sys_status.
if sys_status not = ss$_normal go to fini.

perform get_user_message until user_exit = "Y" or sys_status not =
ss$_normal.
if sys_status not = ss$_normal go to fini.

perform socket_close.
*
fini.
call "sys$exit" using by value sys_status.
*
get_user_message section.
00.
display "Enter message text (ctrl/z = exit): " no advancing.
accept message_text reversed
bold
protected
default is space
at end move "Y" to user_exit
go to fini.

perform send_message.
*
fini.
*
send_message section.
00.
*+
* Call my Applet.
*-
call "sys$qiow"
using by value 0, net_chan, io$_writevblk
by reference iosb
by value 0, 0
by reference message_buffer
by value 32
by reference rem_sock_desc
by value 0, 0, 0
giving sys_status.
if sys_status = ss$_normal move cond_val to sys_status.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.
*
get_udp_socket section.
00.
call "sys$assign"
using by descriptor "_BG:"
by reference net_chan
by value 0, 0, 0
giving sys_status.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.
*
call "str$trim"
using by descriptor in_addr_name, in_addr_name
by reference in_addr_name_len
giving sys_status.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.

call "sys$qiow"
using by value 0, net_chan, io$_acpcontrol
by reference iosb
by value 0, 0
by descriptor acp_gethostbyname,
in_addr_name(1:in_addr_name_len)
by reference out_len
by descriptor rem_node_addr
by value 0, 0
giving sys_status.
if sys_status = ss$_normal move cond_val to sys_status.
*
evaluate sys_status
when ss$_endoffile display "Unknown node"
when other continue
end-evaluate.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.

call "sys$qiow"
using by value 0, net_chan, io$_setmode
by reference iosb
by value 0, 0
by reference create_socket, omitted, local_sock_desc
by value 0, 0, 0
giving sys_status.
if sys_status = ss$_normal move cond_val to sys_status.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.
*
socket_close section.
00.
call "sys$dassgn" using by value net_chan giving sys_status.
*
end program demo_udp_msg.
identification division.
program-id. stock_ticker.
data division.
working-storage section.
01 stock_ast pic s9(9) comp value external
stock_ast.
01 io$_writevblk pic s9(9) comp value external
io$_writevblk.
01 ss$_normal pic s9(9) comp value external
ss$_normal.
01 sys_status pic s9(9) comp.
*
01 random_num comp-1.
01 stock_message.
03 pic x(2) value "02".
03 stock_price pic zz9.99.
*
linkage section.
*
01 ast_area.
03 net_chan pic s9(4) comp.
03 stock_delta_secs pic s9(11)v9(7) comp.
03 seed pic 9(9) comp.
03 ast_iosb.
05 ast_cond pic s9(4) comp.
05 pic x(6).
03 rem_sock_desc.
05 pic s9(9) comp.
05 pointer.
*
procedure division using ast_area.
00.
call "mth$random" using seed giving random_num.
multiply random_num by 100 giving stock_price.

call "sys$qio"
using by value 0, net_chan, io$_writevblk
by reference ast_iosb
by value stock_ast
by reference ast_area, stock_message
by value 8
by reference rem_sock_desc
by value 0, 0, 0
giving sys_status.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.

exit program.
*
end program stock_ticker.
identification division.
program-id. stock_ast.
data division.
working-storage section.
01 stock_ticker pic s9(9) comp value external
stock_ticker.
01 ss$_normal pic s9(9) comp value external
ss$_normal.
01 sys_status pic s9(9) comp.
*
linkage section.
01 ast_area.
03 net_chan pic s9(4) comp.
03 stock_delta_secs pic s9(11)v9(7) comp.
03 seed pic 9(9) comp.
03 ast_iosb.
05 ast_cond pic s9(4) comp.
05 ast_bytes pic s9(4) comp.
05 unix_cond pic s9(9) comp.
03 rem_sock_desc.
05 pic s9(9) comp.
05 pointer.
*+
procedure division using ast_area.
00.
if ast_cond not = ss$_normal call "lib$stop" using by value sys_status.

call "sys$setimr"
using by value 0
by reference stock_delta_secs
by value stock_ticker
by reference ast_area
by value 0
giving sys_status.
if sys_status not = ss$_normal call "lib$stop" using by value
sys_status.

exit program.
*
end program stock_ast.

"Mark Daniel" <mark.daniel@xxxxxxxxxx> wrote in message
news:012fb96c$0$20664$c3e8da3@xxxxxxxxxxxxxxxxxxxx
Richard Maher wrote:
Hi Mark,

Thanks for the reply. (Sorry for the delay)

I noted the post on Adobe policy files.

I think the HTML5 people ignore policy-files at their peril. (Not that
they
seem to care as their world is all HTTP-shaped with no end of lovely
"headers")

Cross-domain access is one of the holy grails of distributed
applications (at least those that can be mashed together from existing
webby technologies) and are always fraught with security related issues.

Of course there probably also is an element of 'HTML people' tending to
have only a hammer in their toolbox (no real slight intended).

[Orbited] Without some sort of access
control it functions as an open relay - carte blanche.

I haven't used it but I believe they have some sort of white-list.

That is coarse-grained access control.

Adobe policy files are a structured, finer-grained white-list.

Both are broad, evolving concepts and implementations.

Unlike TCP/IP and/or UDP Sockets with Java that have been around since
year
dot. (Ok, sandboxed or signed up until now)
>
FYIW; I have an (as-yet) unpublished Web application displaying
elementary graphs of $GETRMI (monitor) data. It uses a Comet-style
<IFRAME> and streaming long-poll. When system data changes it
generates
a <script>ed function call into browser JavaScript that supplies data
values which the application JavaScript then graphs or displays. One
buffered I/O of a few tens to a few hundreds of bytes (depending on
what
data have changed) per sample period. Negligible CPU ticks. Not
full-duplex but not synchronous-poll either.

Look, polling is anathema to me but when it comes to System Stats or
RMU/SHOW STATS etc, I don't have that much of a problem with it. I mean
to
try to fire off an event every time something happens on a system or a
database might generate a bit of a flood. And each users might like to
set
their own "sample" (or poll) interval?

Anyway, I understand it's "How your example works" rather than "What
it's
doing" that's important. Sounds interesting, I look forward to seeing
it.

To better convey that this example has some level of sophistication here
is a (short-lived) peek at the HMI

http://wasd.vsm.com.au/wasd_tmp/mondesi_081116a.png

The bar graph is the instantaneous value (at a selected sample period of
2 seconds). The line graph displays the history over the last five
minutes. It's all HTML (via DOM) and JavaScript. The graphed 'events'
(changes in RMI data) are individually and asynchronously provided from
the server to the client over a persistent (long-lived) connection and
each respective graphical element is equally asynchronously updated.
It's not classic polling as you might generally describe it. Historical
data are stored in the browser. I did a couple of compiles to generate
a more interesting image.

The application is really just an exercise in Comety stuff and what can
be done with dynamic applications in a standard browser (though perhaps
with some potential usefulness).

Though, one thing I have been curious about with Comet (and possibly
your
example) is what is the server thread/process doing while it's waiting
for
(say Stock Price for FMG to change or to move past some limit(s))

It can be doing anything it is capable of; hibernating usually, waiting
for some event such as a timer (i.e. sleeping) but of course it could
'register' for any event the implementation environment provides and use
that to provide data.

In the above application's case, when it wakes it does a $GETRMI and a
$GETSYI, and then IPCs changed data to the client, before hibernating
again. CPU hardly 'ticks' at all. One (or none) buffered I/O.

> Is this
thread/process serving *all* clients or is there a 1:1 relationship?

In all general purpose Web serving there is such a relationship. This
is definitely the case in the above application which is written as a
CGI script. All VMS Web servers would activate an instance for each
client (in fact for a CGI script, all servers period). Of course in
many Web environments there would be nothing preventing the design and
implementation of something (like an Apache module) which maintained a
single, internal 'application' that serviced multiple, concurrent clients.

How is
the connection-state and context maintained between the
producing-service(s)
and the consuming client?

This is probably a non-question for such an elementary application.

However, in the above case, the browser connects to the server; the
server then activates the application and provides IPC from it back to
the client browser. The network connection persists as long as
maintained by the client and/or server and/or network. If and when the
connection is dropped the browser (notified via a DOM event) re-requests
data from the server (not requiring a page refresh, this is transparent
to the user). State and context are implicit. Data are timestamped by
the application, IPCed to the browser, placed in an time-ordered buffer
maintained by the browser, which then plots each against the time (X)
axis with every new datum. Stale data are removed from the 'older end'
of the buffer.

Is the thread/process unavailable for servicing
other requests while it's streaming its long-poll (or words to that
effect
:-)

Yes.

If you mean, provide asynchronous (event triggered), binary (non-HTTP)
comms using these ports then yes. Of course there is no reason why the
services requested over these ports cannot further proxy the binary to
TCP anything-configured. IMO the bottom line is (again)
access-control.
Whether this is the lone advantage is moot.

But I thought this is what the mail from Shannon of the WHATWG (in my
earlier post) describes as problematic? - I'm confused.

My explanation was a bit thin. What I intended to describe was a Web
Socket 'service' (implement it how you like, might be as simple as a
script) under control of the origin server that then connected the Web
Socket 'request' directly using raw IP socket(s) to whatever the access
control allowed. It could also do the necessary data encoding changes
between the Web Socket protocol and the raw end-point.

This of course is NOT what you are looking for; direct
browser-to-raw-IP-endpoint. However it can (I'm guessing because I
obviously haven't tried it) emulate (perhaps 'tunnel' might be better)
asynchronous, raw network streams via a Web Socket server / raw IP
network proxy. At the risk of becoming (more) repetitive, carte blanche
access is game-over.

If Sockets can't traverse public proxy-servers with existing HTTP then
option 1 is no longer on the table as far as I can see?
This one has lost me but I'll have a go at two of the possible intents:

1) If you mean Web Sockets can't through existing HTTP proxy then the
answer seems to me that they are designed to do just that. Web Sockets
behind proxy servers know it and appropriately CONNECT to tunnel.

I thought that's what Shannon was saying was problematic as they do go
through, but all roads lead to 443?

I did begin that response with a disclaimer
It appears this was prudent ;-)

An interesting and opportune thread, Mark.

Cheers Richard Maher

"Mark Daniel" <mark.daniel@xxxxxxxxxx> wrote in message
news:0118206d$0$20660$c3e8da3@xxxxxxxxxxxxxxxxxxxx
Richard Maher wrote:
Hi Mark,

Thanks for the reply.

I bought it through Barnes and Noble in late May '08 for US$36.00
plus
US$13.00 P&P, and I think my credit card statement said something
like
AU$52.00 so it was right at the 'peak'. Why the AU$ currently should
be
at US$0.65 now escapes me - perhaps that's one reason I'm still
working
for wages.
I looked seriously at Perth Mint gold in August (when the bank deposit
guarantee was sweet FA) and Foreign Currency accounts aren't as common
here
as they are in the UK. Either way I would (and have) lost big time -
but
haven't we all :-(

That any network connectivity has some sandboxing doesn't exactly
surprise me.
Me either! I'm a big fan of the same-origin, or codebase, policy for
Applets
but these guys just want to keep pushing the envelope.
I noted the post on Adobe policy files.

A network conduit (like SSH or HTTP CONNECT) is carte
blanche for whatever the agent wishes to transfer. No constraint
would
be considered negligence.
Yeah, but here I bow
;-)

to your much greater experience and ask "What the hell
can a *Socket not HTTP* proxy-server do for me?".
Isn't a(n IP) socket proxy that doesn't explicitly talk HTTP during
setup a one-to-one NAT router? And if accepting external connection
requests, a static port mapping NAT router, into/through the DMZ and
onto internal services? And so forth through the NAT variants.

Look I wanted a HTTP
CONNECT handshake to give me a Tunnel for my Socket over a httpS
connection
to an arbitray TCP/IP server, but it doesn't look doable; please
advise.
I can but reframe my previous comment; unconstrained connectivity from
browser based applications is surely like signing a full book of blank
cheques.

I also view with interest what the Comet guys are doing with Orbited
(see
www.cometdaily.com for some background) as they don't seem to be bound
by
(or have already solved) these proxy-server restrictions.
AIUI; Orbited is a service used to accept Web-style socket connection
requests from browsers, establish Comet-style, bidirectional
communication with the browser, then proxy (or forward, or gateway, or
<whatever-you-feel-comfortable-describing-it-as>) that communication
via
a TCP socket to the requested end-point. Without some sort of access
control it functions as an open relay - carte blanche. With access
control it's a lot like most CONNECT proxy, or at least CONNECT
reverse-proxy. Of course it's a bit more than that (but isn't
everything!) Until Web Sockets become commonplace it uses a number of
approaches to *emulate* asynchronous comms with current browsers.

AIUI; Comet is a broad term used to described leveraging HTTP
server-push of unsolicited/unpolled/asynchronous data to the browser,
using existing HTTP technologies, most commonly, though not restricted
to, streaming of a series individual response data 'inside' a
persisting
HTTP connection, currently via 'long polling' and XMLhttpRequest() or
<script> tag instances. It's a compromise hack. Not perfect but it
works. Of course it's more than this (but then isn't everything!)
Undoubtably it will(/is) develop(ing) to encompass Web Sockets, etc.

Both are broad, evolving concepts and implementations.

FYIW; I have an (as-yet) unpublished Web application displaying
elementary graphs of $GETRMI (monitor) data. It uses a Comet-style
<IFRAME> and streaming long-poll. When system data changes it
generates
a <script>ed function call into browser JavaScript that supplies data
values which the application JavaScript then graphs or displays. One
buffered I/O of a few tens to a few hundreds of bytes (depending on
what
data have changed) per sample period. Negligible CPU ticks. Not
full-duplex but not synchronous-poll either.

I'm guessing you mention this because the suggestion below that

"that the time could be better spent providing guidelines for
communication via an asynchronous CGI [originally I read GUI :-]
interface."

sounds remarkably like Tier3 :-)
Damn, I'm as transparent and one-domensional as usual :-)
>
The way I see it is we have two camps (and I'm happy to live with the
pluralism and think there's enough room for everyone).

1) The WebSockets http/html5 guys who have the distinct (and only)
advantage
of being able to tunnel out of 80/443 as HTTP
If you mean, provide asynchronous (event triggered), binary (non-HTTP)
comms using these ports then yes. Of course there is no reason why the
services requested over these ports cannot further proxy the binary to
TCP anything-configured. IMO the bottom line is (again)
access-control.
Whether this is the lone advantage is moot.

Of course Web Sockets require specialised server (and proxy server) as
well as client (browser) support.

The WASD mudmap includes Web Sockets server support (either 10.0 in
mid-'09, or 10.1 in mid-'10). Perhaps once HTML5 moves from draft :-}

2) The New Order of full-blown, connection-oriented, full-duplex,
binary,
Socket Interaction
No doubt this will be remarkably versatile in the absence of
sandboxing,
with many-and-varied conduits established between user's browsers and
all manner of 'services'.

If Sockets can't traverse public proxy-servers with existing HTTP then
option 1 is no longer on the table as far as I can see?
This one has lost me but I'll have a go at two of the possible intents:

1) If you mean Web Sockets can't through existing HTTP proxy then the
answer seems to me that they are designed to do just that. Web Sockets
behind proxy servers know it and appropriately CONNECT to tunnel.

2) If you mean TCP sockets can't then no, unless they speak the
application-level protocol required by the proxy (which would make them
Web Sockets for all intents and purposes :-)

Anyway, please let me ask the question of why anyone would want to use
a
proxy-server for Socket communication?

. Socket Cacheing - No Thanks
Difficult to cache without meta-data.

. Limited client IP addresses - IPV6
Still a ways off. And there's always the private/public address
thingy.

. Anonymity - Not always a good thing
Internal opacity usually is a good thing.

. Firewall - Open up connections to/from valid hosts/ports
Access control usually is a good thing.

. Monitoring/filtering - Requirements spec for binary data
Many organisations have a legal requirement to audit their activities.
Certainly mine does.

BFN, Mark.

Cheers Richard Maher

"Mark Daniel" <mark.daniel@xxxxxxxxxx> wrote in message
news:011308d4$0$20645$c3e8da3@xxxxxxxxxxxxxxxxxxxx
Richard Maher wrote:
Hi Mark,

(I purchased it when AU$ was almost at US$ parity :-)
Aaah, it seems like only weeks ago :-(
I bought it through Barnes and Noble in late May '08 for US$36.00
plus
US$13.00 P&P, and I think my credit card statement said something
like
AU$52.00 so it was right at the 'peak'. Why the AU$ currently should
be
at US$0.65 now escapes me - perhaps that's one reason I'm still
working
for wages.

It was a good 'background' read but not directly applicable to my
daytime duty statement these days. I had not (as I indicated to
Roland
I might) gotten around to a public review (that would have required a
second read). Willem Grooters provided one I'd generally endorse.

At around the same time I purchased Heller's, "Catch 22" (shipped to
one
of my daughters), Earl's, "Digital Equipment Corporation (MA) (Images
of America)", and Schein's, "DEC Is Dead, Long Live DEC"; all good
reads and all for different reasons. With the exchange rate more
like
2:3 I might have to think think more carefully. (The Earl soft-cover
is
a particularly easy but also interesting 'read' I'd recommend to all
interested in DEC :-)

Cheers Richard Maher

PS. Just in case you don't subscribe to the WHATWG mailing list, do
you
have
any interest in, or opinions on the following: -
No I don't and indirectly I guess I do.

That any network connectivity has some sandboxing doesn't exactly
surprise me. A network conduit (like SSH or HTTP CONNECT) is carte
blanche for whatever the agent wishes to transfer. No constraint
would
be considered negligence.

I'm guessing you mention this because the suggestion below that

"that the time could be better spent providing guidelines for
communication via an asynchronous CGI [originally I read GUI :-]
interface."

sounds remarkably like Tier3 :-)

I agree; why would anyone spend time abstracting interfaces if a
monolithic solution is all that is currently required? Of course
this
is an entirely fresh (if not novel) discussion point ...

----- Original Message -----
From: "Shannon"
To: "WHAT working group" >
Sent: Tuesday, October 14, 2008 7:22 AM
Subject: [whatwg] WebSocket and proxies


In the process of testing my WebSocket proposal I discovered the
CONNECT
method has a major restriction. Most proxies disable CONNECT to
anything
but port 443.

The following is from "Squid and the Blowfish":
------------------
It is very important that you stop CONNECT type requests to non-SSL
ports. The CONNECT method allows data transfer in any direction at
any
time, regardless of the transport protocol used. As a consequence,
a
malicious user could telnet(1) to a (very) badly configured proxy,
enter
something like:
... snip example ...
and end up connected to the remote server, as if the connection was
originated by the proxy.
-------------------

I verified that Squid and all public proxies I tried disable
CONNECT
by
default to non-SSL ports. It's unlikely many internet hosts will
have
443 available for WebSockets if they also run a webserver. It could
be
done with virtual IPs or dedicated hosts but this imposes complex
requirements and costs over alternatives like CGI.

The availability and capabilities of the OPTIONS and GET protocols
also
varied from proxy to proxy. The IETF draft related to TLS
(http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05) has
this
to
say:
-------------------
3.2 Mandatory Upgrade

If an unsecured response would be unacceptable, a client MUST
send
an OPTIONS request first to complete the switch to TLS/1.0 (if
possible).

OPTIONS * HTTP/1.1
Host: example.bank.com
Upgrade: TLS/1.0
Connection: Upgrade
-------------------

So according to this draft spec OPTIONS is the only way to do a
*mandatory* upgrade of our connection. Once again this failed in
testing
-------------------
=> OPTIONS * HTTP/1.1
=> Proxy-Connection: keep-alive
=> Connection: Upgrade
=> Upgrade: WebSocket/1.0
=> Host: warriorhut.org:8000
=>
<= HTTP/1.0 400 Bad Request
<= Server: squid/3.0.STABLE8
--------------------

Other proxies gave different errors or simply returned nothing. The
problem may be related to the Upgrade and Connection headers rather
than
OPTIONS, since I had similar issues using Connection: Upgrade with
GET.
I had the most success using GET without a Connection: Upgrade
header.
It seems that the proxy thinks the header is directed at it so it
does
not pass it on to the remote host. In many cases it will abort the
connection. Using the Upgrade: header without Connection allows the
Upgrade header through to the actual websocket service.

It seems to me that whatever we try in many cases the connection
will
be
silently dropped by the proxy and the reasons will be unclear due
to
the
lack of error handling. There seems to be a wide variation in proxy
behaviour for uncommon operations. I suppose proxy developers could
fix
these issues but whether a significant rollout could be achieved
before
HTML5 is released is questionable.

Given that an asynchronous connection cannot be cached the only
reasons
remaining for going through a proxy are anonymity and firewall
traversal. Automatically bypassing the users proxy configuration to
solve the issues above has the potential to break both of these. It
would be a significant breach of trust for a UA to bypass the users
proxy and some networks only allow connections via a proxy (for
security
and monitoring).

It seems that we're stuck between a rock and hard place here. In
light
of this I reiterate my earlier suggestion that the time could be
better
spent providing guidelines for communication via an asynchronous
CGI
interface. This would allow reuse of existing port 80 and 443 web
services which would resolve the cross-domain issues (the CGI can
relay
the actual service via a backend connection) and most of the proxy
issues above (since proxy GET and CONNECT are more reliable on
these
ports).
Shannon

"Mark Daniel" <mark.daniel@xxxxxxxxxx> wrote in message
news:01110d0c$0$20616$c3e8da3@xxxxxxxxxxxxxxxxxxxx
yyyc186 wrote:
The Minimum You Need to Know About Service Orieted Architecture by
Roland Hughes

Award-Winner in the Business: Technology/Computers/Internet
category
of the National Best Books 2008 Awards, sponsored by USA Book News
Congratulations Roland!

(I purchased it when AU$ was almost at US$ parity :-)

You can find this book in Island Computer's Web store.






.

Relevant Pages

  • Re: Asynchronous socket programming vs. remoting
    ... You are the first person that said I should use sockets. ... them quicker than I can load them from my harddrive using the file system. ... It scales nice too - I tried throwing 400 requests at the server in a span ... > do not need the same assembly on the client and server. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: breaking the model
    ... > The forms data then is in the Request object. ... HTTP Request; in this case, the form POST Request from the Page. ... client and server. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: MDX Sample App broken by 2005
    ... You might find it useful as an alternative to http ... Windows authentication wouldn't work since client and server are ... > different non-trusted domains. ...
    (microsoft.public.sqlserver.olap)
  • Re: MSAS Licensing Part II
    ... wish to use http access then you must have Enterprise Edition. ... PTS looks at the server name. ... You will note that all of this is totally transparent to the client. ...
    (microsoft.public.sqlserver.olap)
  • Re: Firewall session disconnects after 2 minutes of inactivity
    ... I want to start by pointing out the following: HTTP keep-alives and anything ... involved in the early stage of the connection when the client downloads the ... The HOD server I mean. ... when the session takes place through the ISA Server? ...
    (microsoft.public.isa)