I am new to GAE (cloud based development in general actually) and I am looking for some advice.
I am looking to use GAE only as a service (REST + JSON) with my client-side in Sproutcore. I am looking to find a light-weight service-based framework that will provide me with strong security (authentication, protection against XSS etc).
Java or Python is fine, the priority being speed and security.
Does anybody have any ideas on this? Any links to relevant information. I am going through an information overload phase. Any help in this regard would be much appreciated!
Thank you.
How about tipfy, a open source lightweight python-based framework made for GAE?
Its core can be enhanced through usage of extensions.
Combining some of those extensions
would allow you to perform auth
against different systems (Google,
Facebook, Twitter...) or against your
own baked one. An example of this can
be found here, source code is
available here.
A really simple sample of JSON
rendering is available here.
Of course, other python frameworks run on top of AppEngine. You'll find in the AppEngine-Python google group, a thread discussing pros/cons of most of them.
Considering speed, those links may shed some light on the subject
Choosing Java vs Python on Google App Engine
Google AppEngine Language Performance Comparison Followup
proceed with caution if you want to use a framework. since GAE is still evolving, frameworks tend to break. i have tried both tipfy and django on large projects.
http://blog.bygsoft.com/2011/04/27/why-we-should-avoid-tipfy-a-gae-framework/
in many places tipfy tends to just write meaningless (read no value add) python wrappers around what the core gae frameworks provide just causing code bloat.
last i checked, the map reduce package did not work well with tipfy. sorry, i may sound very biased but my experience with tipfy has been average.
So looks like I can't comment on your answer but the link was very helpful! Looks very much like something I am looking for:
Server-side sessions
Custom user authentication
JSON based service with no View layer
Fast and secure
Any other python framework that you might possibly know of along the lines of Tipfy? Just so I have something to compare with?
Does anybody know of any Java libraries along the same lines of Tipfy?
Thanks again for the link!
Edit 1:
Hmm...I have no idea how I ended up with 2 accounts. I'll try to iron it out..
Your links were very helpful..Thanks!
I am inching towards Tipfy at this point, but I think I am going to wait a little longer on this thread to see if I get some more opinions..
Thanks again...
Related
I would like to create my company based upon a tourism project (WEB 2.0 / CMS like).
Firstly, I want to argue why I think, in my case, that I should develop it (from scratch, but with a good plateform or tool). Indeed, I think that today (but maybe I am wrong...), some tools (or plateform...) are very powerfull and we can be very productive with it.
Moreover, these requesite 'could' jutify to implement my own software :
- my software may interact with other applications (or other tourism database)
- I need to do an 'inline administration' such as MAGNOLIA (not all CMS have it I think)
- I have no monney to buy one good CMS doing the work I need (such as Alfresco, or Magnolia or Liferay...)
- I think that for a long term project, it could be more rentable to develop it in order to have a better control on its evolution.
- I would like to use GAE because it is a cheaper and more flexible solution for the hosting (I do not think that all CMS work on it)
Secondly, now, if you agree with me (but if I am wrong about the liscence, or other solution, tell me please), I really like some help about the technologies...I think that SPRING ROO is a very good tool to develop my CMS. But maybe I should use DJANGO (can you argue about the choice between these 2 solutions to develop my software ?).
My CMS functionalities needed are mainly :
- versionning of the articles (talking about touristic places...) and a repository for them.
- a search (Solr is include in Spring Roo)
- using the AJAX technology (quick refresh)...I would like to use GWT
- permissions (administrator, visitor, contributor, manager...)
- multi-langage and maybe multi-domain websites (or I should have a big portal that give acces to all countries)
- a Backend management for the adverts (I am not sur if delegating this task to dfp (DoubleClick For Publisher) is a good idea ?
- User authentication (LDAP)...I do not know if SPRING ROO manage this ?
- Having simple workflow (such as editing, validating then publishing the article...)
- Think about Mobile App (Android)...so I think that if I choose JAVA, it will be easier to 'translate' on the Android Plateform...
Then, I am sorry if there is a lot of 'topics' in my thread but it is very complicated for me. So I would like to know if, as supposed, I used SPRING ROO + GAE + GWT, so I should use BIGTABLE (the Google NoSQL) ?
At last but not least, I have not found a website that explain how to create my own CMS...what I want to know is how to do the architecture of the software, because there is a lot of technologies interacting (OSGi, Solr, JPA...) and I do not masterize them, so I would know in what order do I need to process...
For the security part, do you think that taking care about the XSS injection is enought ?
To conclude, I know that it is difficult to help me because I ask a lot of things, but here I am now...and in order to explain in what context I am, I would like to take the time to learn 'interesting technologies' because if my project fail, I would reconvert myself in an 'expert' of the tool I have learned (ready to spend until 6 month, 24/24, 7/7 :D to create my CMS-LIKE).
Thank you,
I would suggest to avoid inserting too much information in your question :) Better throw smaller questions so people answer's are more suitable to your problem.
If you plan to deploy on GAE, well my answer is:
GWT for web-dev platform (I don't use neither GXT nor SmartGWT)
Objectify (for persistence on GAE only, kind of vendor lock-in but a good choice)
Use Google App for business and use their OpenID to handle authentication (will reduce a lot your work stack, and especially security concerns).
Optionally, you could use a framework to assist your presentation layer like GWT-platform which is really great. They also offer a nice command pattern implementation. The framework as it's limitations but the guys working for the project are just great.
Try to stay away from Spring-Roo for production app. I tried a few prototypes, buy going further is hard. At least it was in my experience.
Well, the title says most of it. I'm looking to develop a chat application that will hopefully become something more, and currently I'm considering my options for what I should build it on top of.
I've taken a look at Tornado with Redis as my primary option - Tornado, being a Comet server, is perfect for long polling to retrieve the messages on Redis, which I have the intention of using as both a persistent data store, as well as a message queue with its nifty subpub features.
However, I've also heard good things about Django, RabbitMQ, MongoDB and Orbited. JavaScript isn't a big problem for me, so Orbited's JavaScript support isn't too much of a boon.
Really, I'd probably be happy to develop on the route I've chosen for myself, but if there are any gaping deficiencies in my plan, I'd like some kind person to point them out before I find I've wasted months on this.
Since Javascript is not a problem for you and you need high-performance you should really consider Node.js. It's really fast for this kind of stuff.
It's fairly new project, but it already has a bunch of libraries. It also has already a package manager NPM like PIP (python) or Gem (Ruby).
Don't use Django for this. It should be possible at some level, but it is definitely not well suited for it. Tornado sounds like a great fit, so if that works go for it.
Have you ever considered Scala?
I agree with the rest of the people answering this question. If you need a high performance web server I would recommend you to take a look at Deft. Take a look at the benchmarks and the examples and see if it fits your needs.
Disclaimer: im a Deft committer
What libraries / projects is to identify / authenticating to web apps using the voice?
Since there are still no answers for this question and it's been two years, I feel like there should be at least a follow-up.
Authenticating to an app using your voice is a very complex and difficult subject. Each case would probably require severe customization and as of right now I believe there is no out-of-the-box working solution to do it. The subject of speech/speaker recognition is still an academic subject.
One might use HTK or Sphinx to build one's own authentication tool. It is entirely possible, though quite difficult and still prone to false positives and/or rejections.
As for authenticating in the web - it adds some technical difficulties which, however, can be overcome. You would have to somehow get a sample, either by using a java applet or flash (something that can acces the microphone anyway), then submit it for analysis (may happen in the same applet), then pass the results to your web application.
For anyone still thinking about the problem: I'd suggest building a sphinx-4 based Java applet for authentication. It is possible, though time-costly and requiring some advanced knowledge.
I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications.
I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).
Is anyone aware of a similar tool? Preferably it should be:
cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
open source (I really like being able to audit my security tools)
able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)
Edit: I'd like to clarify my goal: I'd like a tool that directly writes the result of a successful XSS/SQL injection attack into the database. The idea is that I want to check that every place in my app does correct output encoding. Detecting and avoiding the data getting there in the first place is an entirely different thing (and might not be possible when I display data that's written to the DB by a third-party application).
Edit 2: Corneliu Tusnea, the author of the tool I linked to above, has since released the tool as free software on codeplex: http://xssattack.codeplex.com/
I think metasploit has most of the attributes you are looking for. It may even be the only one that has all of what you specify, since all the others I can think of are closed source. There are a few existing modules that deal with XSS and one in particular that you should take a peek at: HTTP Microsoft SQL Injection Table XSS Infection. From the sounds of that module it is capable of doing exactly what you are wanting to do.
The framework is written in Ruby I believe, and is supposed to be easy to extend with your own modules which you may need/want to do.
I hope that helps.
http://www.metasploit.com/
Not sure if this is what you're after, its a parameter fuzzer for HTTP/HTTPS.
I haven't used it in a while, but IIRC it acts a proxy between you and the web application in question - and will insert XSS/SQL Injection attack strings into any input fields before deeming whether the response was "interesting" or not, thus whether the application is vulnerable or not.
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
From your question I'm guessing it is a type of fuzzer you're looking for, and one specifically for XSS and web applications; if I'm right - then that might help you!
Its part of the Open Web Application Security Project (OWASP) that "jah" has linked you to above.
There are some Firefox plugins to do some XSS testing here:
http://labs.securitycompass.com/index.php/exploit-me/
A friend of mine keeps saying, that php-ids is pretty good. I haven't tried it myself, but it sounds as if it could approximately match your description:
Open Source (LGPL),
Cross Platform - PHP is not in your list, but maybe it's ok?
Detects "all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks" (this is from the FAQ)
Logs to databases.
I don't think there is such a tool, other than the one you pointed us to. I think there's a good reason for that: It's probably not the best way to test that each and every output is properly encoded for the applicable context.
From reading about that tool it seems the premise is to insert random xss vectors into the database and then you browse your application to see if any of those vectors succeed. This is rather a hit and miss methodology, to say the least.
A much better idea, I think, would be to perform code reviews.
You may find it helpful to have a look at some of the resources available at http://owasp.org - namely the Application Security Verification Standard (ASVS), the Testing Guide and the Code Review Guide.
Background:
I have a new site in the design phase and am considering using ColdFusion. The Server is currently set-up with ColdFusion and Python (done for me).
It is my choice on what to use and ColdFusion seems intriguing with the tag concept. Having developed sites in PHP and Python the idea of using a new tool seems fun but I want to make sure it is as easy to use as my other two choices with things like URL beautification and scalability.
Are there any common problems with using ColdFusion in regards to scalability and speed of development?
My other choice is to use Python with WebPy or Django.
ColdFusion 9 with a good framework like Sean Cornfeld's FW/1 has plenty of performance and all the functionality of any modern web server development language. It has some great integration features like exchange server support and excel / pdf support out of the box.
Like all tools it may or may not be the right one for you but the gotchas in terms of scalability will usually be with your code, rarely the platform.
Liberally use memcached or the built in ehache in CF9, be smart about your data access strategy, intelligently chunk returned data and you will be fine performance wise.
My approach with CF lately involves using jQuery extensively for client side logic and using CF for the initial page setup and ajax calls to fill tables. That dramatically cuts down on CF specific code and forces nice logic separation. Plus it cuts the dependency on any one platform (aside from the excellent jQuery library).
To specifically answer your question, if you read the [coldfusion] tags here you will see questions are rarely on speed or scalability, it scales fine. A lot of the questions seem to be on places where CF is a fairly thin layer on another tool like Apache Axis (web services) and ExtJs (cfajax) - neither of which you need to use. You will probably need mod-rewrite or IIS rewrite to hide .cfm
Since you have both ColdFusion and Python available to you already, I would carefully consider exactly what it is you're trying to accomplish.
Do you need a gradual learning curve, newbie-friendly language (easy for someone who knows HTML to learn), great documentation, and lots of features that make normally difficult tasks easy? That sounds like a job for ColdFusion.
That said, once you get the basics of ColdFusion down, it's easy to transition into an Object Oriented approach (as others have noted, there are a plethora of MVC frameworks available: FW/1, ColdBox, Fusebox, Model-Glue, Mach-ii, Lightfront, and the list goes on...), and there are also dependency management (DI/IoC) frameworks (my favorite of which is ColdSpring, modeled after Java's Spring framework), and the ability to do Aspect-Oriented Programming, as well. Lastly, there are also several ORM frameworks (Transfer, Reactor, and DataFaucet, if you're using CF8 or earlier, or add Hibernate to the list in CF9+).
ColdFusion also plays nicely with just about everything else out there. It can load and use .Net assemblies, provides native access to Java classes, and makes creating and/or consuming web services (particularly SOAP, but REST is possible) a piece of cake. (I think it even does com/corba, if you feel like using tech from 1991...)
Unfortunately, I've got no experience with Python, so I can't speak to its strengths. Perhaps a Python developer can shed some light there.
As for url rewrting, (again, as others have noted) that's not really done in the language (though you can fudge it); to get a really nice looking URL you really need either mod_rewrite (which can be done without .htaccess, instead the rules would go into your Apache VHosts config file), or with one of the IIS URL Rewriting products.
The "fudging" I alluded to would be a url like: http://example.com/index.cfm/section/action/?search=foo -- the ".cfm" is in the URL so that the request gets handed from the web server (Apache/IIS) to the Application Server (ColdFusion). To get rid of the ".cfm" in the URL, you really do have to use a URL rewriting tool; there's no way around it.
From two years working with CF, for me the biggest gotchas are:
If you're mainly coding using tags (rather than CFScript) and formatting for readability, be prepared for your output to be filled with whitespace. Unlike other scripting languages, the whitespace between statements are actually sent to the client - so if you're looping over something 100 times and outputting the result, all the linebreaks and tabs in the loop source code will appear 100 times. There are ways around this but it's been a while - I'm sure someone on SO has asked the question before, so a quick search will give you your solution.
Related to the whitespace problem, if you're writing a script to be used with AJAX or Flash and you're trying to send xml; even a single space before the DTD can break some of the more fussy parsing engines (jQuery used to fall over like this - I don't know if it still does and flash was a nightmare). When I first did this I spent hours trying to figure out why what looked like well formed XML was causing my script to die.
The later versions aren't so bad, but I was also working on legacy systems where even quite basic functionality was lacking. Quite often you'll find you need to go hunting for a COM or Java library to do the job for you. Again, though, this is in the earlier versions.
CFAJAX was a heavy, cumbersome beast last time I checked - so don't bother, roll your own.
Other than that, I found CF to be a fun language to work with - it has its idiosyncracies like everything else, but by and large it was mostly headache free and fast to work with.
Hope this helps :)
Cheers
Iain
EDIT: Oh, and for reasons best known to Adobe, if you're running the trial version you'll get a lovely fat HTML comment before all of your output - regardless of whether or not you're actually outputting HTML. And yes, because the comment appears before your DTD, be prepared for some browsers (not looking at any one in particular!) to render it like crap. Again - perhaps they've rethought this in the new version...
EDIT#2: You also mentioned URL Rewriting - where I used to work we did this all the time - no problems. If you're running on Apache, use mod_rewrite, if you're running on IIS buy ISAPI Rewrite 3.
do yourself the favor and check out the CFWheels project. it has the url rewriting support and routes that you're looking for. also as a full stack mvc framework, it comes with it's own orm.
It's been a few years, so my information may be a little out of date, but in my experience:
Pros:
Coldfusion is easy to learn, and quick to get something up and running end-to-end.
Cons:
As with many server-side scripting languages, there is no real separation between persistence logic, business logic, and presentation. All of these are typically interwoven throughout a typical Coldfusion source file. This can mean a lot more work if you want to make changes to the database schema of a mature application, for example.
There are some disciplines that can be followed to make things a little more maintainable; "Fusebox" was one. There may be others.