Annotation of bookie/www/setup.html, revision 1.13
1.12 will 1: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
7: Setup instructions for compiling and running Bookie:
8: <p>If you're just browsing or don't need to edit files directly, you can
9: look at Bookie through the <a
10: href="http://www.mozdev.org/source/browse/bookie/">web interface</a>. </p>
11: <p>If you want to contribute to Bookie or compile it, then you should grab
12: a CVS <a href="http://www.cvshome.com">client</a> and set up a workspace
13: for bookie.</p>
14: <p>You download bookie by doing this (you only need to login once, the password
1.9 will 15: is guest). Please use the prune option when checking out and updating, since
1.12 will 16: the CVS tree has a lot of dead branches in it.</p>
1.13 ! will 17: <code> cvs -d :pserver:firstname.lastname@example.org:/cvs login<br></code>
! 18: <code>cvs -d :pserver:email@example.com:/cvs co bookie<br></code>
1.12 will 19: <p>The java client is in <code>/clients/swing</code>. There is an<a
20: href="http://jakarta.apache.org/ant">ant</a> script that should compile everything.
21: The client depends on Jena, Apache XML-RPC, Log4J and Xerces. All the libraries
22: should be available in lib. The client's main class is<code>com.tersesystems.bookie.client.Client</code>.
23: Downloading<a href="http://tersesystems.com/bookie/client.jar">client.jar</a>
24: will give you the classes, source code and javadoc to play with.</p>
25: <p>The java server is in <code>/server</code>. Again, the<a
26: href="http://jakarta.apache.org/ant">ant</a> script that should compile everything.
27: The server currently depends on JTidy, Marquee XML-RPC, Jisp, Servlet 2.2,
28: Log4J, and Xerces, which are all available in lib. The server's main class
29: is <code>com.tersesystems.bookie.service.xmlrpc.BookieServlet</code>.</p>
30: <p> The server will create four files on initialization in the current directory:
1.9 will 33: <li>profile.db - a database of profile information.</li>
34: <li>profile.idx - an index of profile.db</li>
35: <li>bookmarks.db - a database of bookmarks information.</li>
36: <li>bookmarks.idx - an index of bookmarks.db</li>
1.12 will 37:
39: These databases contain all the information needed for the server to work.
40: Deleting these files will cause the server to start off fresh.
41: <p> The server does not attempt to limit multiple logins on the same account
1.9 will 42: from different servers. However, care should be taken with this feature,
1.12 will 43: as there is no facility to distribute messages between clients that a
44: branch has been deleted. </p>
45: <p> Bookmarks are cached on the server, but since bookmarks are unique to
46: each client this isn't that much of a win. Performance seems okay for
47: now (and if anything seems bound on the XML processing and IO overhead).
48: Database operations are not transactional.</p>
49: <p> The server uses an MD5 hashed password for authentication of the client.
1.10 will 50: Once authenticated, the server maintains a session based off the IP address
1.12 will 51: of the client. All data is sent in the clear, and as such the passwords
52: and XML-RPC information may be <a
53: href="http://www.robertgraham.com/pubs/sniffing-faq.html">packet sniffed</a>.
54: Even if the attacker does not know the clear-text password, he can still
55: send the MD5 hash to be authenticated as the user. Unfortunately, XML-RPC
56: does not cover <a
57: href="http://www.strongsec.com/tutorials/security.htm">security</a> and
58: session management very well; if there are any new RFCs I would love to
59: hear about them. One possible RFC is <a
60: href="http://jimfl.tensegrity.net">Jim Flanagan's</a> <a
61: href="http://jimfl.tensegrity.net/xmlrpc/">proposal</a>, but this requires
62: the use of <a href="http://www.ietf.org/rfc/rfc2617.txt">HTTP digest
1.13 ! will 63: authentication</a>, which I believe most clients don't support.</p>
1.12 will 64: <br>