Slides

Here I will post the slides as they become available. The slides are in pptx format (Office 2007). If you do not have this version of office, you can download a Powerpoint 2007 viewer (if the link does not work, try refreshing the page. broken server!). For non-users of office, I have included a pdf export, but the animations/graphics may be broken.

FINALS AND GRADES

Course Information Sheet Course Syllabus

Student-editable Q&A Wiki where you can post q's and resources. keyword: 513
TA Wiki where your TA (Josy) posts information, questions, and so forth

Final Review

• EXTENSION to DEADLINE! Hand in hard copy noon saturday.
• SAMPLE FINAL
• I will host another final review session outside of class time for those who wish to come. This will be on Wednesday the 22nd, 6pm, in MathSciences room 670. I will answer questions and discuss the sample final.
• A set of distilled Final Review Slides (pdf) to help in studying for those with limited time. about 25% shorter than the other slides, many examples and technical specs removed. If you have more time, i recommend checking the full set, and any notes regarding my in-class lectures

in-class review:

Final review 1 pdf

Announcements

• EXAM: Thu Apr 23 12:00-2:00 PM, ENE 322
• Marian, our guest lecturer from a few weeks ago, is currently doing a web-based study on the software that he demonstrated in class. Try it
• I came across an article on web 2.0. Once you get past the dry up-front 2.0 stuff, the article actually is a treasure trove of "common sense" for web developers. Anyone seriously considering working on the web really should give this a read. If I could I would make it mandatory reading. Here's a quote

Never make users register, unless you need to in order to store something for them. If you do make users register, never make them wait for a confirmation link in an email; in fact, don't even ask for their email address unless you need it for some reason. Don't ask them any unnecessary questions. Never send them email unless they explicitly ask for it. Never frame pages you link to, or open them in new windows. If you have a free version and a pay version, don't make the free version too restricted. And if you find yourself asking "should we allow users to do x?" just answer "yes" whenever you're unsure. Err on the side of generosity.

• EM clarification:
  • 1 EM is the height of the font. This height is defined to be the height of the /canvas/ on which the letter is drawn, not the height of the visible part of the letter. This is hard to visualize, as characters such a g, y, hang below the other letters -- however, all letters share the same box size. There may be some variation on this between fonts, such that some fonts put the character to the end of the box, and others leave a little white.
  • Although em is taken from the height of the font, the exact same measurement is used for the width. In fact, a square reagion of 1em x 1em is often called an em box. So, the string "hello" is probably shorter in pixels than 5em.
• Good libraries for client-side JS and Graphics: Raphael Processing Prototype JQuery
• Link shown in class today regarding geographical usage of websites
• Regarding why our nonce was reused in the in-class example. It has to do with the fact that our client is using a CNONCE, and the increment counter. Wikipedia has a rough explanation:

At this point the client may make another request, reusing the server nonce value
(the server only issues a new nonce for each "401" response) but providing a new 
client nonce (cnonce). For subsequent requests, the hexadecimal request counter (nc)
must be greater than the last value it used – otherwise an attacker could simply 
"replay" an old request with the same credentials. It is up to the server to ensure
that the counter increases for each of the nonce values that it has issued, 
rejecting any bad requests appropriately. Obviously changing the method, URI and/or
counter value will result in a different response value.

The server should remember nonce values that it has recently generated. It may also 
remember when each nonce value was issued, expiring them after a certain amount of 
time. If an expired value is used, the server should respond with the "401" status 
code and add stale=TRUE to the authentication header – indicating that the client 
should re-send with the new nonce provided, without prompting the user for another
user name and password.

The server does not need to keep any expired nonce values – it can simply assume 
that any unrecognised values have expired. It is also possible for the server to 
only allow each nonce value to be returned once, although this forces the client to
repeat every request. Note that expiring a server nonce immediately will not work, 
as the client would never get a chance to use it.

• A link that does a decent job of discussing some aspects of digest authenticatoin: http://mpeters.ca/?itemid=4
• DTD vs XSD -- DTD limitations
  • Correction -- you CAN nest DTDs. There are issues, though, when you try to combine several DTDs in a parent element. Also remember that no namespaces makes the scalability of this approach a problem.
  • DTD only support character strings (PCDATA,CDATA)
  • XSD can specify format of strings -- characters only, digits only, etc. xs:string, xs:decimal, xs:integer, xs:boolean, xs:date, xs:time
  • XSD gives greater control on types... for example,

<xs:simpleType>
  <xs:restriction base="xs:integer">
    <xs:minInclusive value="0"/>
    <xs:maxInclusive value="120"/>
  </xs:restriction>
</xs:simpleType>

• or

<xs:simpleType>
  <xs:restriction base="xs:string">
    <xs:enumeration value="Audi"/>
    <xs:enumeration value="Golf"/>
    <xs:enumeration value="BMW"/>
  </xs:restriction>
</xs:simpleType>

• or

<xs:simpleType>
  <xs:restriction base="xs:string">
    <xs:pattern value="[a-z]"/>
  </xs:restriction>
</xs:simpleType>

• These cannot be done with DTD

• DTDs only enable you to specify number of elements: ? (zero or one), * (zero or more), + (one or more), or exactly one
• XSDs enable you to specify any number

• Travel: I will have two travels this term where I am not available for meetings and may be away from my email.
  • March 11th - 14th. Class on the 13th will be a guest lecture from Dr. Sharlin on usability. The material in this lecture will be testable, so make sure to attend.
  • April 4th -- 6th. Classes will be conducted as usual.
• For assignment 1 demonstrations, we need a three people from T01 (Mon/Wed) to move to T02 (Tues/Thurs). This is not for regular tutorials, but is only for demonstrations! The next week after you can return to your regular tutorial. If no one moves, we will be forced to ask random people from T01 to demo outside the classroom time. Please email Josy if you are able to help.
• CGI hint.

    Process process = Runtime.getRuntime ().exec ("myprogram.exe");
      stdin = process.getOutputStream ();
      stderr = process.getErrorStream ();
      stdout = process.getInputStream ();

• a neat site that suggests ways to use URL rewriting to make them look friendlier.
• I was recommending Charles Proxy as a great debug tool, but it has too many shareware restrictions. I found something better, a plugin for Firefox called LiveHTTPHeaders that you may find useful.
• Apparently, vista has telnet disabled by default, although it is included. This is done because using telnet to login to servers is a bad idea, as credentials are plaintext. Since we are not using it for that, telnet is perfectly safe. Enable telnet in vista

Assignments

Group Project!!!!

• NEW VERY important changes to the group project schedule.
  • DEADLINE EXTENDED TO FRIDAY, APR 17, 5pm. Digital/paper copy due at this time
  • MILESTONE 3 Cancelled, since it conflicted with presentaiton schedules
  • Josy's SCHEDULE will soon be updated to reflect the changes, make sure to have a look.
  • Presentation schedule is now fixed. Group ordering was random

• For those interested, CSS-for-print tutorial
• Due to delays in getting the groups finalized, you have a one-week extension on the 1-page proposal. The new deadline is Tuesday Feb 17th.
  • Submit your 1-page proposal via email to both me and your TA.
• For your group project, feel free to use a Web Application Framework to manage, organize, and build your site. These systems can make your life a lot easier, aid in interconnectivity of pages, and keeping consistent interfaces/designs. One drawback is that they can also be limiting, forcing you to follow some design paradigm that you do not like, and, may make it hard to interconnect with other services. Further, keep in mind that as part of your grade I will be judging difficulty and effort -- if you simply use a system and plug pieces together for a minimal result, do not expect a good mark.

Assignment 4 - Due March 17 (noon) 2009

• REMEMBER: hard copy due in the TA drop box at the same time or you will receive a 0. You /must/ demo during your allotted time (to be posted on the TA Wiki) or receive a 0 for the demonstration component.

Assignment 3 - Due March 3 (noon) 2009

• NEW Sample Solution
• The algorithm given in assignment 3 regarding the MD5 sum is unclear, and as such can result in a lot of headaches to get the assignment working. The results of a MD5 hash is just a bitstream, but how do you send a bitstream over HTTP? you need to encode it to safety. In this case, the MD5 result should be converted to HEX. In fact, since this assignment does multiple layers of MD5, it needs to be converted to HEX at every level. Perhaps the below text is a better representation of the algorithm (thanks to John Haldeman for advice on this)

HA1 = HEX(  MD5(username : realm : password)  )
HA2 = HEX(  MD5(method : digestURI)   )
Response = HEX(    MD5(HA1 : nonce : nonceCount : clientNonce : qop : HA2)  )

• Due to problems getting demos and collecting hard copies on time, the rules have changed a little for assignment 3 (and 4).
  • Your TA will post an exact demo schedule on her TA Wiki and you must show up and demo at your alloted time. Failure to do so will result in a 0 on the demonstration grade (and may have ramifications for the "functionality" grade).
  • Your hard copy is due in the TA DROPBOX in MS 2nd floor on March 3rd 12:00 noon! Do not wait until you demo your assignment. Failure to submit a hard copy can result in a zero for the entire assignment.

Assignment 2- Due Feb 17 (NOON), 2009

• For those who did not manage to finish assignment 2, here is a sample solution. Note that this is considered a "bare-bones" solution, not a perfect, 100% solution.
• Assignment 2 half-day extension, to make it more reasonable.
• hand in hard copy to TA when you demo, as long as your soft-copy is in on time (via email)
• clarification: you are NOT required to provide an xml schema for the exchange-rate file i provided.
• Assignment updated -- additional marking information added to the assignment spec, at the end of the document. The assignment specifications and description are not changed.

Assignment 1- Due Feb 2, 2009

• Clarification: you must implement POST, as per assignment specifications, but there is a problem. Unless you implement CGI (bonus q), there is no way to really test this. Implement and accept post requests, but you do not need to implement the last leg -- passing the post data to a program or script. If a client calls POST on a resource, still return the resource as you would for a GET command. This is how webservers are supposed to act (test it in telnet)
  • ideally, your webserver would check if the resource is capable of accepting the data, and pass the data to it, and then grab it to send back to the user.
• Clarification: more information on the suggested class for testing http: sun.net.www.http.HttpClient
• Clarification: Your server does /not/ need to implement all possible response codes, only the ones that make sense for your assignment. Codes such as 101 (upgrade to secure), 201 (new resource created), 3XX (redirection), and the slew of codes related to caching are well beyond what you need to do. You definitely need 200 (OK), and 404 (not found), and you should consider what to do about incorrect HTTP versions, badly-formed requests, and unsupported HTTP commands.
• ASSIGNMENT 1 is now past-due, late submissions will not be accepted. While most of you got your email/digital version in on time, only a few hard copies were received. Get it in by the end of TODAY (Feb 3rd) to avoid penalty.