File:  [mozdev] / bookie / www / setup.html
Revision 1.10: download - view: text, annotated - select for diffs - revision graph
Thu May 16 17:28:04 2002 UTC (17 years, 2 months ago) by will
Branches: MAIN
CVS tags: HEAD
Add musings about security.

    1: Setup instructions for compiling and running Bookie:
    2: 
    3: <p>
    4: If you're just browsing or don't need to edit files directly, you can look
    5: at Bookie through the <a
    6: href="http://www.mozdev.org/source/browse/bookie/">web interface</a>.
    7: 
    8: <p>
    9: If you want to contribute to Bookie or compile it, then you should grab a
   10: CVS <a href="http://www.cvshome.com">client</a> and set up a workspace for bookie.
   11: </p>
   12: 
   13: <p>
   14: You download bookie by doing this (you only need to login once, the password
   15: is guest).  Please use the prune option when checking out and updating, since
   16: the CVS tree has a lot of dead branches in it.
   17: </p>
   18: 
   19: <pre>
   20:  cvs -d :pserver:guest@mozdev.org:/cvs login
   21:  cvs -d :pserver:guest@mozdev.org:/cvs co bookie -P
   22: </pre>
   23: 
   24: <p>
   25: The java client is in <code>/clients/swing</code>.  There is an
   26: <a href="http://jakarta.apache.org/ant">ant</a> script that should compile
   27: everything.  The client depends on Jena, Apache XML-RPC, Log4J and Xerces.
   28: All the libraries should be available in lib.  The client's main class is
   29: <code>com.tersesystems.bookie.client.Client</code>.
   30: </p>
   31: 
   32: <p>
   33: The java server is in <code>/server</code>.  Again, the
   34: <a href="http://jakarta.apache.org/ant">ant</a> script that should compile
   35: everything.  The server currently depends on JTidy, Marquee XML-RPC, 
   36: Jisp, Servlet 2.2, Log4J, and Xerces, which are all available in lib.  The
   37: server's main class is <code>com.tersesystems.bookie.service.xmlrpc.BookieServlet</code>.
   38: </p>
   39: 
   40: <p>
   41:   The server will create four files on initialization in the current directory:
   42:   <ul>
   43:     <li>profile.db - a database of profile information.</li>
   44:     <li>profile.idx - an index of profile.db</li>
   45:     <li>bookmarks.db - a database of bookmarks information.</li>
   46:     <li>bookmarks.idx - an index of bookmarks.db</li>
   47:   </ul>
   48:   These databases contain all the information needed for the server to work.  Deleting
   49:   these files will cause the server to start off fresh.  
   50: </p>
   51: 
   52: <p>
   53:   The server also starts up with a large amount of debugging information.  You can
   54:   override the default configuration by specifying the log4j configuration file on
   55:   the command line with <code>-Dlog4j.configuration=minimal.txt</code> where the 
   56:   file <code>minimal.txt</code> contains the following:
   57: </p>
   58: 
   59: <pre>
   60:     # Set root logger level to INFO and its only appender to A1.
   61:     log4j.rootLogger=INFO, A1
   62:       
   63:     # A1 is set to be a ConsoleAppender. 
   64:     log4j.appender.A1=org.apache.log4j.ConsoleAppender
   65:       
   66:     # A1 uses PatternLayout.
   67:     log4j.appender.A1.layout=org.apache.log4j.PatternLayout
   68:     log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
   69: </pre>
   70: 
   71: <p>
   72:   The server does not attempt to limit multiple logins on the same account
   73:   from different servers.  However, care should be taken with this feature,
   74:   as there is no facility to distribute messages between clients that a 
   75:   branch has been deleted.  
   76: </p>
   77: 
   78: <p>
   79:   No caching or pre-loading of bookmarks is performed on the server, but
   80:   performance seems okay for now (and if anything seems bound on the XML 
   81:   processing and IO overhead).  Database operations are not transactional.
   82: </p>
   83: 
   84: <p>
   85:   The server uses an MD5 hashed password for authentication of the client.
   86:   Once authenticated, the server maintains a session based off the IP address
   87:   of the client.  All data is sent in the clear, and as such the passwords and
   88:   XML-RPC information may be 
   89:   <a href="http://www.robertgraham.com/pubs/sniffing-faq.html">packet sniffed</a>. 
   90:   Even if the attacker does not know
   91:   the clear-text password, he can still send the MD5 hash to be authenticated as
   92:   the user.  Unfortunately, XML-RPC does not cover 
   93:   <a href="http://www.strongsec.com/tutorials/security.htm">security</a> and session management
   94:   very well; if there are any new RFCs I would love to hear about them.  One
   95:   possible RFC is <a href="http://jimfl.tensegrity.net">Jim Flanagan's</a> 
   96:   <a href="http://jimfl.tensegrity.net/xmlrpc/">proposal</a>, but this requires
   97:   the use of <a href="http://www.ietf.org/rfc/rfc2617.txt">HTTP digest 
   98:   authentication</a>, which I believe most clients don't
   99:   support.
  100: </p>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>