File:  [mozdev] / bookie / www / setup.html
Revision 1.10: download - view: text, annotated - select for diffs - revision graph
Thu May 16 17:28:04 2002 UTC (15 years, 7 months ago) by will
Branches: MAIN
CVS tags: HEAD
Add musings about security.

Setup instructions for compiling and running Bookie:

<p>
If you're just browsing or don't need to edit files directly, you can look
at Bookie through the <a
href="http://www.mozdev.org/source/browse/bookie/">web interface</a>.

<p>
If you want to contribute to Bookie or compile it, then you should grab a
CVS <a href="http://www.cvshome.com">client</a> and set up a workspace for bookie.
</p>

<p>
You download bookie by doing this (you only need to login once, the password
is guest).  Please use the prune option when checking out and updating, since
the CVS tree has a lot of dead branches in it.
</p>

<pre>
 cvs -d :pserver:guest@mozdev.org:/cvs login
 cvs -d :pserver:guest@mozdev.org:/cvs co bookie -P
</pre>

<p>
The java client is in <code>/clients/swing</code>.  There is an
<a href="http://jakarta.apache.org/ant">ant</a> script that should compile
everything.  The client depends on Jena, Apache XML-RPC, Log4J and Xerces.
All the libraries should be available in lib.  The client's main class is
<code>com.tersesystems.bookie.client.Client</code>.
</p>

<p>
The java server is in <code>/server</code>.  Again, the
<a href="http://jakarta.apache.org/ant">ant</a> script that should compile
everything.  The server currently depends on JTidy, Marquee XML-RPC, 
Jisp, Servlet 2.2, Log4J, and Xerces, which are all available in lib.  The
server's main class is <code>com.tersesystems.bookie.service.xmlrpc.BookieServlet</code>.
</p>

<p>
  The server will create four files on initialization in the current directory:
  <ul>
    <li>profile.db - a database of profile information.</li>
    <li>profile.idx - an index of profile.db</li>
    <li>bookmarks.db - a database of bookmarks information.</li>
    <li>bookmarks.idx - an index of bookmarks.db</li>
  </ul>
  These databases contain all the information needed for the server to work.  Deleting
  these files will cause the server to start off fresh.  
</p>

<p>
  The server also starts up with a large amount of debugging information.  You can
  override the default configuration by specifying the log4j configuration file on
  the command line with <code>-Dlog4j.configuration=minimal.txt</code> where the 
  file <code>minimal.txt</code> contains the following:
</p>

<pre>
    # Set root logger level to INFO and its only appender to A1.
    log4j.rootLogger=INFO, A1
      
    # A1 is set to be a ConsoleAppender. 
    log4j.appender.A1=org.apache.log4j.ConsoleAppender
      
    # A1 uses PatternLayout.
    log4j.appender.A1.layout=org.apache.log4j.PatternLayout
    log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
</pre>

<p>
  The server does not attempt to limit multiple logins on the same account
  from different servers.  However, care should be taken with this feature,
  as there is no facility to distribute messages between clients that a 
  branch has been deleted.  
</p>

<p>
  No caching or pre-loading of bookmarks is performed on the server, but
  performance seems okay for now (and if anything seems bound on the XML 
  processing and IO overhead).  Database operations are not transactional.
</p>

<p>
  The server uses an MD5 hashed password for authentication of the client.
  Once authenticated, the server maintains a session based off the IP address
  of the client.  All data is sent in the clear, and as such the passwords and
  XML-RPC information may be 
  <a href="http://www.robertgraham.com/pubs/sniffing-faq.html">packet sniffed</a>. 
  Even if the attacker does not know
  the clear-text password, he can still send the MD5 hash to be authenticated as
  the user.  Unfortunately, XML-RPC does not cover 
  <a href="http://www.strongsec.com/tutorials/security.htm">security</a> and session management
  very well; if there are any new RFCs I would love to hear about them.  One
  possible RFC is <a href="http://jimfl.tensegrity.net">Jim Flanagan's</a> 
  <a href="http://jimfl.tensegrity.net/xmlrpc/">proposal</a>, but this requires
  the use of <a href="http://www.ietf.org/rfc/rfc2617.txt">HTTP digest 
  authentication</a>, which I believe most clients don't
  support.
</p>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>