Gerald_oral
advertisement
Overview of Modern Web
Architectures, Standards, Security,
and Future Directions
Zhenhua Guo
1
Outline
Web App Case Study
Modern Web Characteristics
Modern Web Architecture : Open Social
Architecture
Components
Security
Background
Authorization
Out of Scope: Authentication
Future Directions
2
Modern Web App
Case Study : Facebook
Your current status
Friends
photos
Facebook
More than 200 million active users
Activities of
MS paid $240 million foryour
1.6friends
percent
Video
Comment, Rate
Aggregation
with Picasa
groups
Chat
More apps!
3
Previous Web App
Case Study : Yahoo! Directory
Provider-defined directory
4
Examples of two “versions” of web apps
1995-2005 Web
2005-Present Web
Britannica Online
Wikipedia
Akamai
BitTorrent
Directories
(Taxonomy)
Tagging
(Folksonomy)
Tightly coupled apps
App Mashup/Integration
Home page
Blog
5
Web 2.0
“Second generation of web development and web
design”
Web 2.0 vs. Web 1.0
Technical point of view
Similar technologies as Web 1.0: HTML, Javascript, XML, HTTP, etc.
Web2.0 makes the web programmable
User’s point of view
Read-write collaborative web
Participatory nature
Blogging, commenting, rating
Cooperate, not control
Sharing, creation of data
Facebook interoperates with Google Picasa, Yahoo! Flickr,
Blogs, etc
User centric
Web is a platform. Users add content (“value”)
6
Web 2.0
Enterprise Approach
Web 2.0 Approach
Portlets
Gadgets, Widgets
SOAP
RSS, Atom, JSON
WSDL
REST(GET, PUT, POST ,DELETE)
Workflow managers
Mash-ups (e.g. Yahoo Pipes)
Server side integration Client-side integration (AJAX)
Gateways
Debate (Buzzword vs. Real progress) is going on, but it
has begun to coalesce.
User-centric social network portals
“Web 2.0 Architectures: What entrepreneurs and information architects
need to know”
OpenSocial: case study that illustrates or motivates several Web 2.0
topics of discussion.
We will use Open Social to illustrate Web 2.0 architecture
7
OpenSocial
A coherent open architecture designed for
social network services and applications.
Common APIs across many websites
REST/RPC protocols – for server-to-server interactions
Javascript APIs – for browser-to-server interactions
Authorization mechanism, Data model …
Usage
Supported by MySpace, Google Orkut, Twitter,
LinkedIn, XiaoNei…
Internationalization
Rival: Facebook
8
Open Social Javascript API Example
Data
Model
Fetch profile
information
of owner
JavaScript
API
example
AJAX!!!
Person: ID, NAME, NICKNAME, ADDRESSES, EMAILS,
STATUS, MOVIES, MUSIC,FOOD …
Activity: TITLE, URL, BODY, PRIORITY …
// Creates a data request object to use for
// sending and fetching data from the server.
var req = opensocial.newDataRequest();
// Adds an item to fetch data from the server
req.add(req.newFetchPersonRequest('OWNER'), “owner”);
// Sends a data request to the server
req.send(function(data) {
owner = dataResponse.get("owner").getData();
});
9
Open Social Message Examples
Request (HTTP POST)
157 Bytes
[{"method" :"people.get",
"params" :{
"userId" : ["@owner"],
How about the corresponding
"groupId" : "@self",
representation in XML???
"id"
: "owner",
"fields" :
["id","name", "thumbnailUrl", "profileUrl", "id", "displayName"]}}]
JSON
[{"id"
:"owner",
"data" :{
"displayName" :
"profileUrl" :
"id"
:
"thumbnailUrl":
"name"
:
...... }}]
Response
"Guo Zhenhua"
"/Main#Profile.aspx?uid=3672642670645936703,
"06881043280087178653",
"http://www.orkut.com/img/i_nophoto64.gif",
{ "familyName":"Zhenhua", "givenName":"Guo" },
10
Request message
represented in XML
<request>
<method>people.get<method>
<params>
<userId>
<id>@owner</id>
</userID>
<groupId>@self</groupId>
<id>owner</id>
<fields>
<field>id</field>
<field>name</field>
<field>thumbnailUrl</field>
<field>profileUrl</field>
<field>id</field>
<field>displayName</field>
</fields>
<params>
281 Bytes
</request>
JSON
Lightweight, Simple
Can represent basic data structures
(number, string, boolean, object, array)
Textual human-readable
Easy to generate and manipulate
Not extensible, No namespace
Hard to represent complex data structures
References
User-defined type
XML
Extensible
Support namespace
Support representation of complex
data structures.
Heavyweight
Slow and verbose
OpenSocial - Architecture
Components
Interface –
REST, Javascript APIs
Client – Ajax, Gadget
Message Format - JSON
Security - OAuth
Data Model
Logic level
12
OpenSocial Interface – REST
REST – REpresentational State Transfer
Based on HTTP (client/server + stateless server)
Resource-oriented (resource can be anything)
Each resource is identified by a unique URL
State transition (Link resources together)
Resources have multiple representations (json, xml)
Uniform interfaces
How to access top ten Twitter topics?
GET
Read
resource
verb
POST
PUT
DELETE
Create
Update
Delete
GET http://search.twitter.com/trends.json
Returns the top ten topics
that are currently trending on Twitter.
13
Analysis of REST
Treat the web as a big database of resources
Good for CRUD operations
A strong constraint – Stateless
Beyond REST
Stateful applications
Streaming Applications
Workflow Execution
Push-Based systems
Pub-Sub systems
14
REST Alternative
SOAP based WS
SOAP
Message format
UDDI
1
2
3
Service registration
WSDL
4
Service description interface
Publish – Find – Bind
About 60 core ws-* protocols
Designed for server-server interactions
SOAP and WSDL are really complicated
Browser-based apps are second-class
citizens.
15
AJAX
OpenSocial Client Tech – AJAX
Rationale
Update sections without refreshing the whole page
More interactive
More responsive
Less bandwidth usage
Asynchronous JavaScript and XML
HTML + CSS Presentation
DOM Document model (for dynamic manipulation)
XMLHttpRequest Asynchronous Communication
JSON/XML Data format
Javascript Bring these together
17
Data
Model
OpenSocial Data Model
Define data models for basic objects in social
network
Relationships between objects can not be
represented.
Person
Activity
AppData
Friend of a Friend (FOAF) – Based on W3C RDF
XHTML Friends Network (XFN)
Other possible issues
Groups, roles, communities
Strength of relationships
Relationships in which more than two objects are involved
Scalability (in terms of number of friends)
19
Security in OpenSocial
20
Beyond Functionalities - Security
Identity
“On the internet, nobody knows you're a dog”
Claimed Identity ≠ Real Identity
Data protection
Who can access your Facebook data?
Increasing risk of identity theft and impersonation.
Cartoon by Peter Steiner.
The New Yorker, July 5, 1993 issue
(Vol.69 (LXIX) no. 20) page 61
Favorite color, mother’s maiden name, …
“Friends” and applications have access to this
“Predicting Social Security numbers from public data”
Communication links
Messages are passed by intermediary machines
Intermediaries understand your messages?
Intermediaries alter your messages?
Intermediaries forge your messages?
21
Security Requirements (in Web)
Connection level
SSL/TLS
System Implementation level
Confidentiality
Integrity
Non-repudiation
Prevention of replay attack
Redirect
Session stealing (cookie)
Cross-site scripting, Cross-site request forgery
Securer programs +
User education
Architecture level
Authentication
Single Sign-On
Authorization
Delegation
22
Challenges
Technical Challenges
Loosely coupled components
No single, isolated trusted base
Domain-specific policies
Separation of security policies and security mechanisms.
Possible solutions
Authentication
Central Authentication Service
Cosign
OpenID
Authorization
Shibboleth
OAuth
23
OpenSocial Authorization – OAuth
Motivation
Solution
Delegated authorization protocol
Light-weight
Explicit user consent
Based on REST
3rd-party App
Twitter
Drawbacks
To allow third party apps to access users’ data stored at service
provider without requiring username and password.
Vulnerable to session fixation attack (http://oauth.net/advisories/2009-1)
Delegation granularity (Service provider-specific)
Access token expiration and revocation
Resources
http://oauth.net/
24
Authentication
OpenSocial does not define authentication mechanism.
Different accounts for different service providers
Twitter, Facebook, Myspace, Orkut, Hi5 …
Same data everywhere
Account linking
Linking Disparate Account IDs Across Multiple Systems or Applications
Identity
Federation
Web
Server
Identification
Provider
Web
Server
Web
Server
N
W
Web
Server
E
S
Trust
Relationship
Web
Server
=>Identification
Identity portability
Web
Server
Provider
25
Authentication – OpenID
Motivation
Provide lightweight authentication service across domains
Solution
Users are asked to prove ownership of their OpenID identifiers.
OpenID identifiers are URLs (e.g. http://zhenhua-guo.blogspot.com).
Service provider and identity provider are clearly separated.
Authentication delegation (service provider → identity provider)
Advantages
Drawbacks
Cross-domain authentication
Attribute exchange beyond authentication
Single Sign-On
Easy OpenID provider switch
Phishing attack
Resources
http://fcom.us.es/blogs/nuevafcom/files/2008/09/openid-1.jpg
Supported by Facebook, Verisign, Sourceforge, Yahoo, etc.
26
OAuth and OpenID
Based on relaxed REST
Use SSL/TLS to guarantee confidentiality,
integrity and non-repudiation.
Scalability
Vulnerable to
Phishing
Cross-site scripting
Cross-site forgery request
27
Conclusions
Adoption of web 2.0
Services, not packaged software
Open Architecture and Open Standards
Interoperability
Flexibility
Integration
Security
Adoption in scientific communities
Traditional gateways
LEAD, Earth System Grid
Gateways that integrate web 2.0 technologies
myExperiment, SciVee, Sakai
Open Life Science Gateway
PolarGrid Portal
Future Directions
Semantic Web (Web 3.0?)
Machine-readable representations of resources and
relationships
Artificial Intelligence, Data Mining
Search Engine
Recommendation System
Scaling
Question Answering
Information search
Information retrieval
Social Network Analysis
Flow pattern recognition
Strength of connections
29
My Research
Gadget Layout Management
OAuth implementation
Implement 2-legged OAuth
Integrate 3-legged OAuth
PolarGrid Portal
Questions?
