Overview of Modern Web Architectures, Standards, Security, and Future Directions Zhenhua Guo 1 Outline Web App Case Study Modern Web Characteristics Modern Web Architecture : Open Social Architecture Components Security Background Authorization Out of Scope: Authentication Future Directions 2 Modern Web App Case Study : Facebook Your current status Friends photos Facebook More than 200 million active users Activities of MS paid $240 million foryour 1.6friends percent Video Comment, Rate Aggregation with Picasa groups Chat More apps! 3 Previous Web App Case Study : Yahoo! Directory Provider-defined directory 4 Examples of two “versions” of web apps 1995-2005 Web 2005-Present Web Britannica Online Wikipedia Akamai BitTorrent Directories (Taxonomy) Tagging (Folksonomy) Tightly coupled apps App Mashup/Integration Home page Blog 5 Web 2.0 “Second generation of web development and web design” Web 2.0 vs. Web 1.0 Technical point of view Similar technologies as Web 1.0: HTML, Javascript, XML, HTTP, etc. Web2.0 makes the web programmable User’s point of view Read-write collaborative web Participatory nature Blogging, commenting, rating Cooperate, not control Sharing, creation of data Facebook interoperates with Google Picasa, Yahoo! Flickr, Blogs, etc User centric Web is a platform. Users add content (“value”) 6 Web 2.0 Enterprise Approach Web 2.0 Approach Portlets Gadgets, Widgets SOAP RSS, Atom, JSON WSDL REST(GET, PUT, POST ,DELETE) Workflow managers Mash-ups (e.g. Yahoo Pipes) Server side integration Client-side integration (AJAX) Gateways Debate (Buzzword vs. Real progress) is going on, but it has begun to coalesce. User-centric social network portals “Web 2.0 Architectures: What entrepreneurs and information architects need to know” OpenSocial: case study that illustrates or motivates several Web 2.0 topics of discussion. We will use Open Social to illustrate Web 2.0 architecture 7 OpenSocial A coherent open architecture designed for social network services and applications. Common APIs across many websites REST/RPC protocols – for server-to-server interactions Javascript APIs – for browser-to-server interactions Authorization mechanism, Data model … Usage Supported by MySpace, Google Orkut, Twitter, LinkedIn, XiaoNei… Internationalization Rival: Facebook 8 Open Social Javascript API Example Data Model Fetch profile information of owner JavaScript API example AJAX!!! Person: ID, NAME, NICKNAME, ADDRESSES, EMAILS, STATUS, MOVIES, MUSIC,FOOD … Activity: TITLE, URL, BODY, PRIORITY … // Creates a data request object to use for // sending and fetching data from the server. var req = opensocial.newDataRequest(); // Adds an item to fetch data from the server req.add(req.newFetchPersonRequest('OWNER'), “owner”); // Sends a data request to the server req.send(function(data) { owner = dataResponse.get("owner").getData(); }); 9 Open Social Message Examples Request (HTTP POST) 157 Bytes [{"method" :"people.get", "params" :{ "userId" : ["@owner"], How about the corresponding "groupId" : "@self", representation in XML??? "id" : "owner", "fields" : ["id","name", "thumbnailUrl", "profileUrl", "id", "displayName"]}}] JSON [{"id" :"owner", "data" :{ "displayName" : "profileUrl" : "id" : "thumbnailUrl": "name" : ...... }}] Response "Guo Zhenhua" "/Main#Profile.aspx?uid=3672642670645936703, "06881043280087178653", "http://www.orkut.com/img/i_nophoto64.gif", { "familyName":"Zhenhua", "givenName":"Guo" }, 10 Request message represented in XML <request> <method>people.get<method> <params> <userId> <id>@owner</id> </userID> <groupId>@self</groupId> <id>owner</id> <fields> <field>id</field> <field>name</field> <field>thumbnailUrl</field> <field>profileUrl</field> <field>id</field> <field>displayName</field> </fields> <params> 281 Bytes </request> JSON Lightweight, Simple Can represent basic data structures (number, string, boolean, object, array) Textual human-readable Easy to generate and manipulate Not extensible, No namespace Hard to represent complex data structures References User-defined type XML Extensible Support namespace Support representation of complex data structures. Heavyweight Slow and verbose OpenSocial - Architecture Components Interface – REST, Javascript APIs Client – Ajax, Gadget Message Format - JSON Security - OAuth Data Model Logic level 12 OpenSocial Interface – REST REST – REpresentational State Transfer Based on HTTP (client/server + stateless server) Resource-oriented (resource can be anything) Each resource is identified by a unique URL State transition (Link resources together) Resources have multiple representations (json, xml) Uniform interfaces How to access top ten Twitter topics? GET Read resource verb POST PUT DELETE Create Update Delete GET http://search.twitter.com/trends.json Returns the top ten topics that are currently trending on Twitter. 13 Analysis of REST Treat the web as a big database of resources Good for CRUD operations A strong constraint – Stateless Beyond REST Stateful applications Streaming Applications Workflow Execution Push-Based systems Pub-Sub systems 14 REST Alternative SOAP based WS SOAP Message format UDDI 1 2 3 Service registration WSDL 4 Service description interface Publish – Find – Bind About 60 core ws-* protocols Designed for server-server interactions SOAP and WSDL are really complicated Browser-based apps are second-class citizens. 15 AJAX OpenSocial Client Tech – AJAX Rationale Update sections without refreshing the whole page More interactive More responsive Less bandwidth usage Asynchronous JavaScript and XML HTML + CSS Presentation DOM Document model (for dynamic manipulation) XMLHttpRequest Asynchronous Communication JSON/XML Data format Javascript Bring these together 17 Data Model OpenSocial Data Model Define data models for basic objects in social network Relationships between objects can not be represented. Person Activity AppData Friend of a Friend (FOAF) – Based on W3C RDF XHTML Friends Network (XFN) Other possible issues Groups, roles, communities Strength of relationships Relationships in which more than two objects are involved Scalability (in terms of number of friends) 19 Security in OpenSocial 20 Beyond Functionalities - Security Identity “On the internet, nobody knows you're a dog” Claimed Identity ≠ Real Identity Data protection Who can access your Facebook data? Increasing risk of identity theft and impersonation. Cartoon by Peter Steiner. The New Yorker, July 5, 1993 issue (Vol.69 (LXIX) no. 20) page 61 Favorite color, mother’s maiden name, … “Friends” and applications have access to this “Predicting Social Security numbers from public data” Communication links Messages are passed by intermediary machines Intermediaries understand your messages? Intermediaries alter your messages? Intermediaries forge your messages? 21 Security Requirements (in Web) Connection level SSL/TLS System Implementation level Confidentiality Integrity Non-repudiation Prevention of replay attack Redirect Session stealing (cookie) Cross-site scripting, Cross-site request forgery Securer programs + User education Architecture level Authentication Single Sign-On Authorization Delegation 22 Challenges Technical Challenges Loosely coupled components No single, isolated trusted base Domain-specific policies Separation of security policies and security mechanisms. Possible solutions Authentication Central Authentication Service Cosign OpenID Authorization Shibboleth OAuth 23 OpenSocial Authorization – OAuth Motivation Solution Delegated authorization protocol Light-weight Explicit user consent Based on REST 3rd-party App Twitter Drawbacks To allow third party apps to access users’ data stored at service provider without requiring username and password. Vulnerable to session fixation attack (http://oauth.net/advisories/2009-1) Delegation granularity (Service provider-specific) Access token expiration and revocation Resources http://oauth.net/ 24 Authentication OpenSocial does not define authentication mechanism. Different accounts for different service providers Twitter, Facebook, Myspace, Orkut, Hi5 … Same data everywhere Account linking Linking Disparate Account IDs Across Multiple Systems or Applications Identity Federation Web Server Identification Provider Web Server Web Server N W Web Server E S Trust Relationship Web Server =>Identification Identity portability Web Server Provider 25 Authentication – OpenID Motivation Provide lightweight authentication service across domains Solution Users are asked to prove ownership of their OpenID identifiers. OpenID identifiers are URLs (e.g. http://zhenhua-guo.blogspot.com). Service provider and identity provider are clearly separated. Authentication delegation (service provider → identity provider) Advantages Drawbacks Cross-domain authentication Attribute exchange beyond authentication Single Sign-On Easy OpenID provider switch Phishing attack Resources http://fcom.us.es/blogs/nuevafcom/files/2008/09/openid-1.jpg Supported by Facebook, Verisign, Sourceforge, Yahoo, etc. 26 OAuth and OpenID Based on relaxed REST Use SSL/TLS to guarantee confidentiality, integrity and non-repudiation. Scalability Vulnerable to Phishing Cross-site scripting Cross-site forgery request 27 Conclusions Adoption of web 2.0 Services, not packaged software Open Architecture and Open Standards Interoperability Flexibility Integration Security Adoption in scientific communities Traditional gateways LEAD, Earth System Grid Gateways that integrate web 2.0 technologies myExperiment, SciVee, Sakai Open Life Science Gateway PolarGrid Portal Future Directions Semantic Web (Web 3.0?) Machine-readable representations of resources and relationships Artificial Intelligence, Data Mining Search Engine Recommendation System Scaling Question Answering Information search Information retrieval Social Network Analysis Flow pattern recognition Strength of connections 29 My Research Gadget Layout Management OAuth implementation Implement 2-legged OAuth Integrate 3-legged OAuth PolarGrid Portal Questions?