Software Engineering for Internet Applications - Student Community

analysis programs analyzing standard server access logs. In this exercise you'll see what they see. Pick a standard log analyzer, e.g., the analog program referenced at the end of this chapter, and prepare a report of all recorded user activity for the last month. An acceptable solution to this exercise will involve linking the most recent report from the site administration pages so that the publisher can view it. A better solution will involve placing a "prepare current report" link in the admin pages that will invoke the log analyzer on demand and display the report. An exhaustive (exhausting?) solution will consist of a scheduled process ("cron job" in Unix parlance; "at command" or "scheduled task" on Windows) that runs the log analyzer every day, updating cumulative reports and preparing a new daily report, all of which are accessible from the site admin pages. Make sure that your report clearly shows "404 Not Found" requests (any standard log analyzer can be configured to display these) and that the referer header is displayed so that you can figure out where the bad link is likely to be.

16.5 Security Risks of Running Programs in Response to a Web Request

Any system in which an HTTP server program can start up a new process in response to a Web request presents a security risk. Many Web scripting languages have "exec" commands in which the Web server has all of the power of a logged-in user typing at a command line. This is a powerful and useful capability, but a malicious user might be able to, for example, run a program that will return the username/password file for the server.

In the Unix world the most effective solution to this challenge is chroot, short for change root. This command changes the file system root of the Web server, and any program started by the Web server, to some other place in the file system, e.g., /web/main-server/. A program in the directory /usr/local/bin/ can't be executed by the chrooted Web server because the Web server can't even describe a file unless its path begins with /web/main-server/. The root directory, /, is now /web/main-server/. One downside of this approach is that if the Web server needs to run a program in the directory /usr/local/bin/ it can't. The solution is to take all of the utilities, server log analyzers, and other required programs and move them underneath /web/main-server/, e.g., to /web/main-server/bin/.

MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.

This is so important to Microsoft that it is the only part of a 12-page agreement that is printed in boldface and the only part that is presented in a French translation for Canadian customers as well.

If you don't want to cut and paste Microsoft's verbiage, which might expose you to a copyright infringement action from Redmond, consider employing a standard free software or open-source license, of which the GNU General Public License is the best-known example. Note that using a free software license doesn't mean that your software is now free to the world. You may have licensed one client under the GNU GPL but whether or not you decide to offer anyone else a license is a decision for the future.

If you wish, you can use the sample contract at the end of this book as a starting point in negotiating rights with your client. And remember that old bromide of business: You don't get what you deserve; you get what you negotiate.

3.15 More

• "The case for on-line communities", McKinsey Quarterly, Shona Brown et al, 2002, Number 1.

3.16 To the Instructor

It is helpful during the second meeting of the class to bring clients on campus to give 3-minute presentations pitching their projects. Here is a suggested outline to the client for the presentation:

1. introduce the speaker and the organization he or she represents (15 seconds)
2. explain who the users are and why they need to interact via an Internet application, i.e., what problem is this online community solving (1.5 minutes)
3. describe how users will be attracted to the site initially, e.g., is there a collection of magnet content that these people need that isn't available anywhere else? (30 seconds)
4. after the site has been up and running for a few months, what will a typical interaction look like for a new user? (30 seconds)
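The "404 Not Found" plus referer report that the access-log exercise above asks for, as an added Python example (not code from the book or from the analog program). The log lines are constructed for this example and follow the NCSA "combined" format that standard log analyzers read; the function and variable names are this example's own.

```python
import re
from collections import Counter

# NCSA "combined" access-log format, the format that standard analyzers read.
LOG_LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not from a real server): two hits on a missing image
# linked from the home page, a dead page linked from an outside site, and one
# request with no referer, plus a malformed line to show that parsing is tolerant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jul/2015:10:00:02 +0000] "GET /images/logo.gif HTTP/1.1" 404 209 "http://example.com/index.html" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2015:10:00:09 +0000] "GET /images/logo.gif HTTP/1.1" 404 209 "http://example.com/index.html" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2015:10:01:15 +0000] "GET /old/page.html HTTP/1.1" 404 209 "http://partner.example.org/links.html" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2015:10:01:16 +0000] "GET /old/page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is not in log format and must be skipped, not crash the report
"""

def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()

def not_found_report(text):
    """Return {(path, referer): hits} for every 404 response. Keying on the referer
    is what lets you trace a bad link to the page that carries it; "-" means the
    client sent no referer (typed URL, bookmark, or a browser that suppresses it)."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["status"] == "404":
            counts[(rec["path"], rec["referer"])] += 1
    return counts

def format_report(counts):
    """Render the report as plain text, most-requested missing resource first."""
    lines = ["hits  missing resource  referring page"]
    for (path, referer), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"{n:>4}  {path}  {referer}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(not_found_report(SAMPLE_LOG)))
```

Run it directly to print the report for the constructed log; feeding it the contents of a real access log gives the list of missing resources and the pages that link to them, which is what you need to locate the bad link.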
