11.1.5 Transport-Layer Encryption

Whenever a Web page is served two application programs on separate computers have communicated with each other. As discussed in the Basics chapter, the client opens a Transmission Control Protocol (TCP) connection to the server, specifies the page desired, and receives the data back over that connection. TCP is one layer up from the basic unreliable Internet Protocol (IP). What TCP adds is reliability: if a packet of data is not acknowledged, it will be retransmitted. Neither TCP nor the IP of the 1990s, IPv4, provides any encryption of the data being transmitted. Thus anyone able to monitor the packets on the local-area network of the server or client or on the backbone routers may be able to learn, for example, the particular pages requested by a particular user. If you were running an online community about a degenerative disease, this might cause one of your users to lose his or her job.

There are two ways to protect your users' privacy from packet sniffers. The first is by using a newer version of Internet Protocol, IPv6, which provides native data security as well as authentication. In the glorious IPv6 world we can be sure of the origin of a packet, whether it is from a legitimate user or a denial of service attacker. In the glorious IPv6 world we can be sure that it will be impractical to sniff credit card numbers or other user-sensitive data from Web traffic. As of spring 2003, however, it isn't possible to sign up for a home IPv6 connection. Thus we are forced to fall back on the 1990s-style approach of adding a layer between HTTP and TCP. This was pioneered by Netscape Communications as Secure Sockets Layer (SSL) and is now being standardized as TLS 1.0 (see http://www.ietf.org/html.charters/tls-charter.html).

However it is performed, encryption is processor-intensive. On the client side, that's not a big deal. The client machine probably has a 2 GHz processor that is 98 percent idle. However on the server end performing encryption can tie up a whole CPU per user for the duration of a request.

If you've run out of processing power the only thing to do is ... add processing power. The question is what kind and where. Adding general-purpose processors to a multi-CPU computer is very expensive as mentioned earlier. Adding additional single-CPU front-end servers to a two-tier server farm might not be a bad strategy especially because, if you're already running a two-tier server farm, it requires no new thinking or system administration skills. It is possible, however, that special-purpose hardware will be more cost-effective or easier to administer. In particular it is possible to do encryption in the router for IPv6. SSL encryption for HTTP connections can be done with plug-in boards, an example of which is the Compaq AXL300 PCI card, available in 2003 for $750 with a claimed performance of handling 330 SSL connections per second. Finally it is possible to interpose a hardware encryption machine between the Web server, which communicates via ordinary HTTP, and the client, which makes requests via HTTPS. This feature is, for example, an option on load balancing routers from F5 Networks (www.f5.com).

11.2 Do you have enough CPUs?

After reading the preceding sections, you've gone out and gotten some computer hardware. How do you know whether or not it will be adequate to support the expected volume of requests? A good rule of thumb is that you can't handle more than 10 requests for dynamic pages per second per CPU. A "dynamic" page is one that involves the execution of any computer program on the server side other than simple HTTP service, i.e., anything other than sending a JPEG or HTML file. That's non-encrypted or assuming the presence of hardware encryption in front of the HTTP server. For example, if you have a 4-CPU RDBMS server handling persistence and abstraction and 4 1-CPU front-end machines handling presentation and HTTP service you shouldn't expect to deliver more than 80 dynamic pages per second.

You might ask what CPU speed is this 10 hits per second per CPU number based upon? The number is independent of CPU speed! In the mid-1990s we had 200 MHz CPUs. Web scripts queried the database and merged the results with strings embedded in the script. Everything ran on one physical computer so there was no overhead from copying data around. Only the final credit card processing pages were encrypted. We struggled to handle 10 hits per second. In the late 1990s we had 400 MHz CPUs. Web scripts queried the database and merged the results with templates that had to be parsed. Data were networked from the RDBMS server to the Web server before heading to the user. We secured more pages in response to privacy concerns. We struggled to handle 10 hits per second. In 2000 we had 1 GHz CPUs. Web scripts queried the referer header to find out if the request came from a customer of one of our co-brand partners. The script then selected the appropriate template. We'd freighted down the server with Java Server Pages and Enterprise Java Beans. We struggled to handle 10 hits per second. In 2002 we had 2 GHz CPUs. The programmers had decided to follow the XML/XSLT fashion. We struggled to handle 10 hits per second. ...

The Small Hammer

The simplest way to separate the programmers from the designers is to create two files for each URL. File 1 contains SQL statements and some procedural code that fills local variables or a data structure with information from the RDBMS. The last statement in File 1 is a call to a procedure that will fetch File 2, a template file that looks like standard HTML with simple references to data prepared in File 1.

Suppose that File 1 is named index.pl and is a Perl script. By convention, File 2 will be named index.template. In preparing a template a designer needs to know (a) the names of the variables being set in index.pl, (b) that one references a variable from the template with a dollar sign, e.g., $standard_navbar, and (c) that to send an actual dollar sign or at-sign character to the user it should be escaped with a backslash. The merging of the template and local variables established in index.pl can be accomplished with a single call to Perl's built-in eval procedure, which performs standard Perl string interpolation, i.e., replacing $foo with the value of the variable foo.

The Medium Hammer

If the SQL/procedural script and the HTML template are in separate files in the same directory there is always a risk that a careless designer will delete, rename, or modify a computer program. It may make more sense to establish a separate directory and give the designers permission only on that parallel tree. For example on photo.net you might have the page scripts in /web/photonet/www/ and templates underneath /web/photonet/templates/. A script at /ecommerce/checkout.tcl finishes by calling the shared procedure return_template. This procedure first invokes the Web server API to find out what URI is being served. A configuration parameter specifies the start of the templates tree. return_template uses the URL plus the template tree root to probe in the file system for a template to evaluate. If found, the template, in AOLserver ADP format (same syntax as Microsoft ASP), is evaluated in the context of return_template's caller, which means that local variables set in the script will be available to the ADP file.

The "medium hammer" approach keeps programmers and designers completely separated from a file system permissioning point of view. It also has the advantage that the shared procedure called at the end of every script can do some poking around. Is this a user who prefers text-only pages? If so, is there a text-only template available? Is this a user who prefers a language other than the site's default? If so, is there a template available in which the annotation is in the user's preferred language?

The SQL Hammer

If a system already has extensive RDBMS-backed facilities for versioning and permissioning it may seem natural to store templates in a database table. These templates can then be edited from a browser and changes to templates can be managed as part of a site's overall publishing workflow. If the information architecture of a site is represented explicitly in RDBMS tables (see the Content Management chapter), it may be natural to keep templates and template fragments in the database along with content types, categories, and subcategories.

The Sledgehammer

Back in 1999, Karl Goldstein was the sole programmer building the entire information system for a commercial online community. The managers of the community changed their minds about 15 times about how the site should look. Every page should have a horizontal navbar. Maybe vertical would be better, actually. But move the navbar on every page from the left to the right. After two or three of these massive changes in direction, Goldstein developed an elegant and efficient system:

• every page script would have a corresponding template, e.g., register.tcl would look for register.template
• nearly all templates would include a "master" tag indicating that the template was only designed to render a portion of the page
• the server would look for a master.template file in the same directory as the script; if found, the content rendered by the page script and its corresponding template would be substituted for the tag in the master template and the result of evaluating the master template returned to the user
• when a master template was not found in the same directory as the script, the server would search at successively higher levels in the file system until a master template was found, then apply that one

Here's an example of how what the user viewed would be divided by master and slave templates:
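Added example, not from the original text: the Small Hammer merges the template through Perl's eval, which executes whatever Perl the template contains, so a designer-edited template is effectively code. The Python sketch below performs only the three things designers are told about ($name references, \$ and \@ escapes) and nothing else; the function names and the sample template are constructed for illustration.

```python
import re

# \$ or \@ is an escaped literal; $name is a variable reference.
_TOKEN = re.compile(r"\\([$@])|\$([A-Za-z_][A-Za-z0-9_]*)")


class UnknownVariable(KeyError):
    """The template references a variable the page script did not set."""


def referenced(template: str) -> set:
    """Variable names a template uses, for checking against the script."""
    return {m.group(2) for m in _TOKEN.finditer(template) if m.group(2)}


def render(template: str, variables: dict) -> str:
    """Substitute $name references in a single pass, without eval.

    Substituted values are not rescanned, so data from the RDBMS that
    happens to contain "$foo" is sent to the user as-is, and any other
    syntax in the template is passed through as plain text.
    """
    def replace(match):
        literal, name = match.groups()
        if literal:
            return literal
        if name not in variables:
            raise UnknownVariable(name)
        return str(variables[name])
    return _TOKEN.sub(replace, template)


if __name__ == "__main__":
    # Constructed sample template and variables.
    page = r"$standard_navbar<p>Price: \$5, contact sales\@example.com</p>"
    print(render(page, {"standard_navbar": "<nav>Home</nav>"}))
```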
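Added example, not from the original text: the file-system probe that return_template performs in the Medium Hammer, and the upward search for master.template in the Sledgehammer, both build paths from the request URI, so each result should be confirmed to lie inside the templates tree before it is evaluated. This Python sketch assumes the URI is already the path part of the request, that master templates live in the templates tree, and that variants are named like checkout.text-only.template; those names and both function names are hypothetical.

```python
from pathlib import Path, PurePosixPath
from typing import Optional, Sequence


def _inside(root: Path, candidate: Path) -> bool:
    """True if candidate, with symlinks and '..' resolved, lies under root."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def find_template(root: Path, uri: str,
                  variants: Sequence[str] = ()) -> Optional[Path]:
    """Probe the templates tree for the template matching a request URI.

    variants are hypothetical name parts such as "text-only" or "fr":
    /ecommerce/checkout.tcl is probed as checkout.text-only.template
    before falling back to checkout.template.
    """
    rel = PurePosixPath(uri.lstrip("/"))
    if rel.name in ("", ".", ".."):
        return None
    stem = str(rel.with_suffix(""))
    for suffix in [f".{v}.template" for v in variants] + [".template"]:
        candidate = root / (stem + suffix)
        # Containment is checked on the resolved path, so neither '..' in
        # the URI nor a symlink in the designers' tree can leave root.
        if _inside(root, candidate) and candidate.is_file():
            return candidate.resolve()
    return None


def find_master(root: Path, template: Path) -> Optional[Path]:
    """Look for master.template from the template's directory upward,
    stopping at root instead of continuing up the file system."""
    root = root.resolve()
    directory = template.resolve().parent
    while _inside(root, directory):
        master = directory / "master.template"
        if master.is_file() and _inside(root, master):
            return master.resolve()
        if directory == root:
            break
        directory = directory.parent
    return None
```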