Kevin Haverlock


Ajax Proxy for Web 2.0 Feature pack - quick look

The security model of modern browsers dictates that XMLHttpRequests (Dojo.xhr style requests if using the Dojo Toolkit) must target the same domain as the page in order to connect and exchange data. From a security perspective, that is a good thing and helps keep your web application secure from outside influence. The problem is that it makes cross-site mashup creation downright difficult.

There are a couple of options that have been proposed:

Flash: A proprietary solution that requires learning Adobe's programming model. Requires the deployment of a crossdomain.xml file.

JSONP: Proposed by Bob Ippolito, JSONP is a script tag injection technique that passes the response from the server (normally JSON) into a user-specified function.

Proxy: Using a service that marshals requests to the server. Since the Proxy is located on the same domain, the content appears to originate from the same server.

Let's look at the proxy option as it relates to the Web 2.0 Feature Pack for WebSphere Application Server. The Ajax proxy is a lightweight proxy application that is used by Ajax clients to issue out-of-domain requests. As an example, your web application may access various RSS sites outside of your original domain to display current news information.

Under the covers, the Ajax proxy uses Apache's HTTPClient to handle connecting to other servers and passing the results back to the Ajax client. On top of HTTPClient is code that provides a configuration interface that can be used to tailor the proxy. The customizations include context mapping, white-listing, and filtering based on cookies, mime-type and HTTP verbs (POST, GET, etc.). The end result is a highly customizable Servlet proxy that can be embedded into your JEE application to provide proxy services. At the heart of the Ajax proxy is the proxy-config.xml configuration file. The configuration file is located in the WEB-INF/ directory of the Ajax Proxy WAR file.

The listing shows a basic proxy configuration that is used to access two services, in this case Yahoo's and CNN's RSS feeds. Let's walk through the configuration.

<?xml version="1.0" encoding="UTF-8"?>
<proxy:proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:proxy="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.0">

    <!-- Map a local context path to the remote server that serves it -->
    <proxy:mapping contextpath="/rss/tech"          url="http://rss.news.yahoo.com" />
    <proxy:mapping contextpath="/rss/cnn_world.rss" url="http://rss.cnn.com" />

    <!-- Policy per remote server: only GET is accepted -->
    <proxy:policy url="http://rss.news.yahoo.com/*" acf="none">
        <proxy:actions>
            <proxy:method>GET</proxy:method>
        </proxy:actions>
    </proxy:policy>

    <proxy:policy url="http://rss.cnn.com/*" acf="none">
        <proxy:actions>
            <proxy:method>GET</proxy:method>
        </proxy:actions>
    </proxy:policy>

    <!-- Optional HTTPClient connection tuning -->
    <proxy:meta-data>
        <proxy:name>maxconnectionsperhost</proxy:name>
        <proxy:value>2</proxy:value>
    </proxy:meta-data>
    <proxy:meta-data>
        <proxy:name>maxtotalconnections</proxy:name>
        <proxy:value>5</proxy:value>
    </proxy:meta-data>
</proxy:proxy-rules>

The <proxy:mapping> sets the contextpath for the URL of the service you are connecting to. As an example, if you are trying to access http://rss.news.yahoo.com/rss/tech from your site, then the contextpath would be /rss/tech and the matching URL would be http://rss.news.yahoo.com. When it comes time to access the service through the proxy, you would use the <servlet-mapping>

	<servlet-mapping>
		<servlet-name>ProxyServlet</servlet-name>
		<url-pattern>/proxy/*</url-pattern> 		
	</servlet-mapping>

combined with the context root mapping of mysite. As an example, if the Ajax proxy Servlet is accessed from http://localhost/mysite/proxy then the URL for Yahoo's news service would be http://localhost/mysite/proxy/rss/tech.

The <proxy:policy> defines a policy to be used against the URL. In the case of http://rss.news.yahoo.com, the <proxy:method> states that only an HTTP GET request is supported on the URL. Other requests, such as POST, will be rejected by the Ajax proxy. In addition to <proxy:method>, other rules can be applied, such as preventing cookies and allowing only certain mime-types and HTTP headers.
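The mapping and policy rules described above can be modelled in a few lines to check what a given configuration lets through. This is an added example, not code from the post or from IBM's Ajax proxy; the matching rules (longest contextpath prefix wins, `*` in a policy URL matches any suffix, default deny) and the names `load_rules`, `decide` and `uncovered_mappings` are assumptions made for illustration.

```python
# Added example: a model of the mapping/policy rules described in the post, not
# IBM's code. Assumed: longest contextpath wins, "*" is a wildcard, default deny.
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"proxy": "http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.0"}

# Constructed sample: the post's configuration, trimmed to mappings and policies.
CONFIG = """<proxy:proxy-rules xmlns:proxy="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.0">
  <proxy:mapping contextpath="/rss/tech" url="http://rss.news.yahoo.com"/>
  <proxy:mapping contextpath="/rss/cnn_world.rss" url="http://rss.cnn.com"/>
  <proxy:policy url="http://rss.news.yahoo.com/*" acf="none">
    <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  </proxy:policy>
  <proxy:policy url="http://rss.cnn.com/*" acf="none">
    <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  </proxy:policy>
</proxy:proxy-rules>"""

def load_rules(xml_text):
    """Parse a proxy-config document into (mappings, policies)."""
    root = ET.fromstring(xml_text)
    mappings = [(m.get("contextpath"), m.get("url").rstrip("/"))
                for m in root.findall("proxy:mapping", NS)]
    policies = [(p.get("url"),
                 {e.text.strip().upper()
                  for e in p.findall("proxy:actions/proxy:method", NS)})
                for p in root.findall("proxy:policy", NS)]
    return mappings, policies

def decide(xml_text, method, path):
    """Return (allowed, upstream_url) for a request path below /proxy."""
    mappings, policies = load_rules(xml_text)
    for ctx, base in sorted(mappings, key=lambda m: -len(m[0])):
        # Match on a path-segment boundary so /rss/technology != /rss/tech.
        if path == ctx or path.startswith(ctx + "/"):
            upstream = base + path
            for pattern, methods in policies:
                if fnmatchcase(upstream, pattern):
                    return method.upper() in methods, upstream
            return False, upstream  # mapped, but no policy covers it
    return False, None              # no mapping: request never leaves the proxy

def uncovered_mappings(xml_text):
    """Audit helper: contextpaths whose upstream URL no policy covers."""
    mappings, policies = load_rules(xml_text)
    return [ctx for ctx, base in mappings
            if not any(fnmatchcase(base + ctx, pat) for pat, _ in policies)]
```

Running `uncovered_mappings` over a real proxy-config.xml before deployment shows any mapping that was added without a matching policy.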

Additionally, performance tuning can also be done against the Ajax proxy. The parameters correspond to those that are available in Apache's HTTPClient and can be used to fine-tune the Ajax proxy. The <proxy:meta-data> elements contain optional parameters. The maxconnectionsperhost is a global value that specifies the maximum number of connections kept alive for any host or port combination and can be increased if your site accesses more than two remote sites for content. The maxtotalconnections is the maximum total of connections supported by the proxy. The default value is 5. The value you choose must be high enough to support the number of simultaneous connections you might receive. In reality, the maximum connections will also be dependent on how WebSphere's Web container is configured.

There are additional parameters as well, including unsigned SSL certificate support and pass-through proxy support (in case the Ajax proxy needs to authenticate through a border firewall before accessing the network). Information and parameters are available with the documentation and can be found online through IBM's InfoCenter for the Web 2.0 Feature Pack.


Kevin Haverlock is an advisory software engineer for IBM's WebSphere Application Server product. He joined IBM in 1995 at Research Triangle Park, NC, where he worked as a developer for the Tivoli division. In 2000 he transferred to the WebSphere Application Server organization and is currently an architect and developer for the WebSphere Application Server Express product.