Yenya's World

Thu, 29 Nov 2012

Secure Login at Alza.CZ

Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:

Alza SSL login

In the login form, user can click to the link named "SSL", which leads to the SSL-encrypted page with an alternative login form. The problem is, that this page apparently sends the login form data unencrypted, so the usage of SSL to display the login form is completely pointless.

Section: /computers (RSS feed) | Permanent link | 3 writebacks

Wed, 28 Nov 2012

SOAP::Lite

Today's daily WTF goes to the SOAP::Lite CPAN package and its non-configurability and mis-design.

For example, look at this:

HTTP Basic authentication is accomplished by overriding the get_basic_credentials suboutine in LWP::UserAgent (which SOAP::Transport::HTTP::Client is a subclass):
  BEGIN {
    sub SOAP::Transport::HTTP::Client::get_basic_credentials {
      return 'username' => 'password';
    }
  }

So apparently the only way how to use Basic authentication is to override a global function in some foreign namespace. And what to do when I want to use two SOAP servers with two sets of credentials inside a single application? There are more similar "features" in SOAP::Lite. For example, tracing can only be set up globally in compile-time, or by manually calling ->import().

My dear lazyweb, is there a SOAP module with cleaner design?

Update - Wed, 28 Nov 2012: Tracing

FWIW, it is probably easier and cleaner to do both basic authentication and tracing at the transport level - the transport module here is LWP::UserAgent (thanks Adelton for the hint!), so for example handlers described in the LWP::UserAgent manpage work:

$soap->transport->add_handler(
	request_prepare => sub {
		shift->authorization_basic($login, $pass);
	},
);

$soap->transport->add_handler(
	request_send => sub { print STDERR shift->content; },
);
$soap->transport->add_handler(
	response_done => sub { print STDERR shift->content; },
);

I wonder why the SOAP::Lite manpages suggest such dirty ways of handling this (and I have not even started mentioning things like $SOAP::Transport::HTTP::Client::USERAGENT_CLASS global variable; ugh)

Section: /computers (RSS feed) | Permanent link | 3 writebacks

Tue, 27 Nov 2012

Cookies Auth and 403 Forbidden

In IS MU we have recently abandoned the HTTP basic authentication and replaced it with cookie-based authentication. The main reason was that there is no portable way of logging out of the basic authentication. So I have based our new solution on Apache2::AuthCookie. The problem is, that it does not work correctly with some clients because of the way how the login form is handled.

When the yet-unauthenticated user accesses an URL for authenticated users only, Apache2::AuthCookie returns the HTTP response with "403 Forbidden" status code, and with text/html body containing the login form. That way, the client cannot be possibly lead into the false assumption that the page it just received is in fact the content it wanted to receive. So the user fills the login form, submits it, and the server returns the real page for that URL, this time with "200 OK" status code. This approach seems to be correct (even after reading the RFC 2616 :-). However, we observe problems with the following two use cases:

What to do now? The problem is clearly in the HTTP status code 403, and in its mis-interpretation by some clients. I don't want to return the login form in a 200 OK response, because I need e.g. the web crawlers to know that this is not actually the page they tried to access. As for Symbian, they can be clearly identified by their User-Agent string, so I can return 200 OK only for them. But as for MS Word, I have no clue: what I see is the request made by MSIE (and again, I probably don't want to return 200 OK to every unauthenticated MSIE request). Any other suggestions, my dear lazyweb?

Section: /computers (RSS feed) | Permanent link | 2 writebacks

Tue, 20 Nov 2012

SMD Soldering

For the first time in my life, i have tried to solder SMD components (as I have written before, I am working on DYI LED lights for my bike). The component side looks OK, and soldering through-hole components went without problems. The SMD parts were a bit tricky, though.

bike lights board bike lights
board


I have used an ordinary soldering station with temperature regulation, but the results are not pretty. I wonder what is required to achieve this level of quality (watch from 14:10). One possible problem might be that some components on my board (especially the smallest sensing resistors) are connected to the highest-current and thus thickest paths, which suck great amounts of thermal energy when soldering.

Anyway, from the preliminary testing, it seems that my board works. So far I have found the following problems:

Now it's time to finish the firmware and to start adjusting the mechanical parts. I have already made the front spotlight and rear spotlight, and I want to make a LED string. Any tips about making a waterproof LED string out of 3mm through-hole LEDs will be appreciated. Should I use silicon, shrink-wrap tube, or what?

Section: /personal (RSS feed) | Permanent link | 0 writebacks

Thu, 15 Nov 2012

Printed Circuit Boards

For my bike lights I needed a PCB. Out of several services for manufacturing PCBs, I have chosen Itead Studio PCB prototyping service (the other candidate was Seeed studio). Here are the preliminary results:

bike lights PCB

I have placed my order on October 29th evening (Central European Time), according to Hong Kong post, the package was received by them on November 7th, it left Hong Kong on November 11th, and I have received it today, on November 15th.

They also have an interesting "Open source" program - the customer declares that his design is open source (mine is anyway), they make few more boards in addition to those the customer has ordered, and they send them to their other customers. The original customers gets his orderd boards, and in addition to that, two more boards from other open source projects. I have in fact got their demo board (on the right side), and one open source board (the white one). Apparently, it is Arduino 512KB SRAM expansion board. I currently don't use Arduino, so if any Arduino user is interested in this PCB, just let me know.

Okay, now it's time to take a soldering iron and play more with the hardware :-)

Section: /personal (RSS feed) | Permanent link | 0 writebacks

Mon, 12 Nov 2012

Desktop Environment-Specific Apps

I have recently came across this two years old bug report, filled to the bug tracker of Transmission (a Bittorrent client) where a GNOME developer suggests removal of the notification area icon from the application on the basis that GNOME 3 does not support notification area at all.

So if I understand it correctly, we are now living in a world where all the GUI applications have to be dependent on the particular desktop environment, and it should be no longer supported to run - say - Transmission under XFCE, or GIMP under KDE, at least according to GNOME developers. "We GNOMErs do not support notification area icons, so this application should not use it" (even though the application is not used exclusively under GNOME)? Where are the freedesktop.org cross-DE interoperability recommendations?

That said, notification area as such sucks - what I liked most was the original approach of X11: using on-desktop icons for minimized applications (instead of applications and documents shortcuts), and applications displaying their own status in their icon (handled by every window manager using the same ICCCM specification).

Section: /computers/desktops (RSS feed) | Permanent link | 3 writebacks

Tue, 06 Nov 2012

DNS Lookup :-)

It seems my registrar will discontinue their "free" hosting (as in "bundled with the domain registration") soon, so I will have to move my domain yenya.net mail and WWW servers elsewhere. There is no problem with that - I have a 24/7 running computer at home with good connectivity. There is one challenge, though:

The new DirectNIC service allows only one A record in the registered domain, when the domain is hosted on their DNS servers (no AAAA and no DNSSEC). So I am considering running my own DNS server in addition to mail and WWW servers. This would allow me to have A and AAAA records, SSHFP, and possibly the new DANE records. So I need someone to host a secondary DNS server. The requirements are:

Of course, I am willing to provide the same service to the other party. Is anybody interested? Thanks in advance.

Section: /personal (RSS feed) | Permanent link | 1 writebacks

About:

Yenya's World: Linux and beyond - Yenya's blog.

Links:

RSS feed

Jan "Yenya" Kasprzak

The main page of this blog

Categories:

Archive:

Blog roll:

alphabetically :-)