Archive for Web

Cross Site Request Hacking

The recent attack on Twitter serves as a reminder about the dangers of cross-site request forgery (CSRF, sometimes called cross-site request hijacking): a page on an attacker's site makes the victim's browser send a state-changing request, complete with the victim's cookies, to a site where the victim is logged in. This entry provides a few suggestions on how to secure your site from this form of attack.
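Since the entry's own suggestions are not reproduced on this page, here is an added example (my code, not from the original post) of the two standard server-side defences: a synchronizer token bound to the session with an HMAC, and a check of the Origin (or Referer) header. The secret key, the session ids and the host names are constructed for the example, and the request is modelled as plain dicts rather than a real framework request.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed secret for this example only; a real deployment loads it from
# configuration, rotates it, and never commits it to source control.
SECRET_KEY = b"example-secret-do-not-use"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # the app must never change state on these


def make_csrf_token(session_id, secret=SECRET_KEY):
    """Synchronizer token: nonce || HMAC(secret, session_id:nonce).
    Binding the MAC to the session id means a token lifted from one session
    cannot be replayed against another, and nothing has to be stored per token."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, ("%s:%s" % (session_id, nonce)).encode(),
                   hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)


def verify_csrf_token(session_id, token, secret=SECRET_KEY):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(secret, ("%s:%s" % (session_id, nonce)).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers, site_host):
    """Independent second check: Origin (or, failing that, Referer) must name
    this site. Browsers set Origin on cross-site POSTs and a page on the
    attacker's site cannot override it. A request carrying neither header is
    rejected rather than waved through."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == site_host.lower()


def csrf_check(method, headers, form, session_id, site_host):
    """Decide one request. headers and form are plain dicts (constructed for
    the example); header names are assumed already canonicalised."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(headers, site_host):
        return False, "origin mismatch"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return False, "bad token"
    return True, "ok"
```

Embed make_csrf_token(session_id) as a hidden field in every state-changing form and run csrf_check before acting on the request; the Origin check catches the plain cross-site POST on its own, and the token still holds if an Origin header is ever stripped by a proxy.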


Some Plone tips

To add a tab in the green tab bar, go to portal_actions/object and add an action.

Some useful expressions:

  • string:${context/portal_url}/folder/document
  • python:portal.restrictedTraverse('@@plone_context_state').current_page_url()=="testurl"

Note that restrictedTraverse is what lets a python: expression or script reach the newer browser views such as @@plone_context_state, which are looked up by traversal rather than acquisition.


Plone Main Template Slots

Here is the list of slots that are defined in the master page template for Plone.

  • HEAD slots
    • base
    • head_slot
    • style_slot
    • javascript_head_slot
  • BODY slots
    • content
    • body
    • main (for most cases use this instead of content or body)
    • sub

To use one of these slots (for example, "style_slot") use the metal:fill-slot attribute:

<style metal:fill-slot="style_slot" type="text/css">
 table.LesionLocation {border:1px solid blue;border-collapse:collapse;}
 table.LesionLocation td {border:1px solid black;padding: 5px;}
</style>

The page template must reference the master template:

<html xmlns="http://www.w3.org/1999/xhtml" 
xml:lang="en" lang="en" i18n:domain="plone"
metal:use-macro="here/main_template/macros/master">
...
</html>


XNAT Cheatsheet

At my workplace I am tasked with getting familiar with, and eventually customizing, XNAT, a Java/Tomcat web-based content management system for the health care industry. As this is the first time I am working with a Java web application, the learning curve is particularly steep. Here are my running notes as I try to get familiar with Java/JSP/XNAT. I must say though that I think Plone/Zope or even an ASP.Net system would have been a lot easier to understand!

  • Top level directory for xnat
    • Inside the VM (from NRG):
      • /mnt/hgfs/Shared/Workspace/xdat_release
      • Also, /usr/local/NRG/Shared/Workspace/xdat_release
    • Inside the host OS
      • ~/s/prog/xnat_rc1/Virtual-XNAT/Shared/Workspace/xdat_release
  • Directories @ top level
    • bin: Contains the maven script and the quick-deploy.sh and quick-deploy-templates.sh shell scripts, which "deploy" XNAT from the top level directory to the tomcat directory (/usr/local/NRG/Applications/tomcat/webapps/xnat)
      • With Eclipse set up properly, there is no need to run these scripts.
    • build.properties: From the xnat.org website:
      • SUMMARY: The build.properties file is located in the root directory of the XNAT package. The file contains the location of your Tomcat installation and details about your database connections. The xdat.project.name variable will become the name of the generated project. This will become the name of any generated webapps as well. The xdat.project.template variable specifies whether or not your new project will use a template. To create an XNAT project, this variable must be set to 'xnat'. Set the db name and connection information to your postgres installation. (This db connection string/name should point to a pre-created empty database of this name.) The initial build.properties is set to create an xnat project called 'xnat'. You simply need to create an empty database called 'xnat' (see step 2) and set the appropriate user name and password. Also, the maven.appserver.home variable must be set to reference the root directory of your local Tomcat installation (absolute path).
    • projects: Again from the website: XNAT will generate a folder in this directory for each of your projects. When you make customizations to your XNAT project, you will modify the files in this directory. These modifications will then be processed by the setup or update script.
    • deployments: XNAT will generate a folder in this directory for each of your projects. It stores the settings for your command line tools. It will also be used to generate your web application via the setup or update command.
      • If I need to modify a template, I have copied the template (a Velocity macro, .vm) from the deployments/xnat/src/xnat-templates/screens folder to the projects/xnat/src/templates/screens folder and edited it in Eclipse. On a deploy-templates operation, the web site is updated with the template content. (Note that for .vm file changes a full rebuild is not necessary.)
  • Deploying to Tomcat
    • This can be done in several ways, including using Eclipse, but on the command line running bin/update.sh -Ddeploy=true from the root directory works.
  • Customizing XNAT
    • From the website: Note: The XNAT framework looks for custom code, including additional schemas, in the XNAT_HOME/projects/PROJECT directory.  To make your customizations take effect, run the bin/update process from the XNAT_HOME directory.  This process updates the XNAT_HOME/deployments/PROJECT directory, which will contain your customizations and XNAT-generated code to support these customizations, and deploy it all to your webapp (WAR).
    • I am currently on this step, and will update this when I am successful


Reverse Proxying on Windows for Plone

I have finally gotten a reverse proxy app to work on the Windows Server 2003 machine.

The solution:

  1. Install cygwin. This by far was the biggest stumbling block, as I didn't want to install cygwin on a production server. However, after scouring the web (and google) for free/open source reverse proxy apps for Windows, I came to the conclusion that the only ones available require cygwin.
  2. Get Pound. I've looked at a variety of reverse proxies (nginx, lighttpd, apache, etc.) and each one seemed to have some disadvantage that I couldn't ignore. Not to mention many of the alternatives weren't dedicated reverse proxies but web servers. More details are here.
    • One caution is that the most recent version of pound (2.4.2) would not compile, as it required some IPv6 support in the headers. I chose to download the previous version (2.3.2) and it did compile smoothly.
    • ./configure --without-ssl --disable-log --disable-dynscale
    • Strangely enough, even with the --without-ssl option the openssl library is linked into the pound.exe executable.
    • make
    • Copy pound.exe and the associated DLLs (cygssl-0.9.8.dll, cygcrypto-0.9.8.dll, cygrunsrv.exe, cygwin1.dll, cygpcre-0.dll, cygpcreposix-0.dll) to a new directory (e.g. c:\apps\pound)
  3. Create a pound.cfg file in the c:\apps\pound directory. Note that the sample config files shown in this site do not work. I am assuming they use commands for an older version of pound that have since been removed.
    • A sample config file that works for me is:

      # Set pound to run like a normal app, so that cygrunsrv can daemonize it
      Daemon 0
      ListenHTTP
        Address 1.2.3.4
        Port 80
        # Prevent any access to the ZMI from outside
        Service
          URL ".*/manage"
        End
        # If you have multiple domains, repeat the Service block
        Service
          HeadRequire "Host: .*A.edu.*"
          BackEnd
            Address 127.0.0.1
            Port 8123
          End
        End
      End

    • Note that for this to make sense, the web server (Zope in this case) should be configured to listen only on the localhost address (127.0.0.1) and the firewall should block port 8123; otherwise the intent of exposing only pound to the internet will not be realized. The ZMI Service above has no BackEnd, so pound answers matching requests with an error itself instead of forwarding them.
    • By the way, adding multiple BackEnd directives allows for load balancing, even with prioritization. Really simple and cool!
  4. Once you have pound running and have tested it on the command line (pound -f pound.cfg), you want to install it as a service so that it will be automatically started on startup.
    • cygrunsrv --install Pound --path C:\Apps\Pound\pound.exe --args "-f C:\Apps\Pound\pound.cfg" --stdout C:\Apps\Pound\pound.log --stderr C:\Apps\Pound\pound.log
  5. I haven’t configured it yet, but I will be adding additional URL filters to reverse proxy to the IIS server.
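The URL ".*/manage" rule above is worth checking before it is trusted as the only thing keeping the ZMI off the internet, so here is an added example (my code, not from the post) that audits such a deny rule offline. It assumes that pound applies the URL regex to the raw request target as sent on the wire, without percent-decoding and case-sensitively unless IgnoreCase is set, and that Zope, like any CGI/WSGI-style server, decodes the path before traversal; verify both against the versions you run. The sample request targets are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# The rule from the pound.cfg above. Pound is assumed to run this as an
# unanchored, case-sensitive regex over the raw request target.
POUND_DENY = re.compile(r".*/manage")


def pound_blocks(raw_target, pattern=POUND_DENY):
    """Does the proxy rule fire on the request target as sent on the wire?"""
    return pattern.search(raw_target) is not None


def backend_path(raw_target):
    """The path Zope traverses: query string dropped, percent-decoded."""
    return unquote(urlsplit(raw_target).path)


def is_zmi_path(path):
    """ZMI views appear as a 'manage' or 'manage_<something>' path segment."""
    return any(seg == "manage" or seg.startswith("manage_")
               for seg in path.split("/"))


def audit(targets, pattern=POUND_DENY):
    """Targets that land on a ZMI view at the backend yet slip past the rule."""
    return [t for t in targets
            if is_zmi_path(backend_path(t)) and not pound_blocks(t, pattern)]


# What the rule is meant to express, applied to the normalised path and
# anchored on segment boundaries so '/managed-care/' is no longer collateral.
ZMI_SEGMENT = re.compile(r"(^|/)manage(_[^/]*)?(/|$)")


def hardened_blocks(raw_target):
    return ZMI_SEGMENT.search(backend_path(raw_target)) is not None


# Constructed request targets for the audit.
SAMPLE_TARGETS = [
    "/manage",
    "/manage_main",
    "/folder/manage_workspace",
    "/manage_main?x=1",
    "/%6danage_main",          # the 'm' percent-encoded
    "/managed-care/index",     # ordinary content, not the ZMI
    "/index_html",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print("%-28s pound=%-5s hardened=%s"
              % (t, pound_blocks(t), hardened_blocks(t)))
    print("slipped through:", audit(SAMPLE_TARGETS))
```

The audit flags the percent-encoded form, and the match on /managed-care shows what the leading ".*" costs. Since pound cannot normalise the path for you, treat the proxy rule as one layer and keep the Manager role and its credentials tightly held on the Zope side as well.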


Course revamp startup — Windows 2003, IIS, ASP

This year I am revamping both Web development and robotics courses to use Microsoft technologies: ASP.Net 3.5, IronPython/Dynamic Language Runtime, Robotics Studio.

 As a first step I am trying to port over the course website, or at least some sample code, to IIS. Apache has its headaches with long config files, but the IIS setup is even more confusing, since not everything is accessible in one file.

  1. The first stumbling block was that I couldn't get a simple Default.aspx file recognized by IIS to serve when I went to http://localhost.
    • Solution: register ASP.Net 2.0 (3.5) with IIS
    • In the c:\Windows\Microsoft.NET\framework\v2.0.50727 directory run the command aspnet_regiis -i
  2. Note that ASP.Net 3.5 is really ASP.Net 2.0 with some extensions.

  3. Second step was to add SSL (Secure Sockets Layer) support, i.e. allow https:// access. This was surprisingly easy from the IIS perspective! The only hard part was to generate the Certificate Authority and Server certificates.
    • solution: Look at this page
    • Be sure to open up the firewall with port 443!
    • Install the server certificate in the IIS manager
    • To remove the annoying warnings on the client browser, install the certificate authority certificate on the client machine.
  4. NFS mounting. The students will be given accounts on the unix (really linux) systems with their own directories. We want to allow students to log onto the Windows 2003 server (cygwin sshd) using their unix username/password (ActiveDirectory/LDAP, to be discussed below) and mount their NFS directories. This will aid in “uploading” web site code to the server.
    • This site has very good information on setting up Windows Services for Unix (SFU) for Windows Server 2003


Robotics Makeover

This year I am revamping both web development and robotics courses I teach during the summer.

  • Web Development
    • Up until now I have been using Plone/Zope/Python for both the course website and teaching web development. Lately though I have been examining Visual Web Developer, ASP.Net, and C#. While I think Plone/Zope has its advantages, clearly ASP.Net is more popular, and its feature set (especially with 3.5) is getting to be pretty comprehensive. What has finally convinced me to migrate is the fact that ASP.Net pages can now be written in IronPython, the .NET implementation of Python.
    • IIS seems to have its issues, however, so I am looking into reverse proxies that will hide IIS and Plone/Zope behind it.
  • Robotics
    • I have been using Parallax BASIC Stamps, Sumobots, and Cypress Semiconductor PSOCs. While the Sumobot is a very nice hobby robot, the computational power of the BASIC Stamp that is at its core leaves a lot to be desired.
    • Microsoft has the Robotics Studio, a .Net platform for robotics work. It has gained sufficient support that I think it is a viable platform on which to teach my course. It requires an interface on the robot that is too much for the Sumobot (although there is sample code for the BOEBot, which is similar). I have been looking at the ARM series of microcontrollers for some time now, and have decided to have a hybrid solution, where a PSOC handles all the low-level sensor/motor interfaces, and the new ARM Cortex M3 handles the AI/machine learning as well as the interface to the Robotics Studio.
    • I purchased the Olimex STM32-P103 prototyping board, based on the ST STM32F103RBT6 Cortex-M3 32-bit microcontroller. It has the following features, from the Olimex website.
    • ARM 32-bit Cortex-M3™ with 128K bytes program flash, 20K bytes RAM, USB, CAN, 2x I2C, 2x 12-bit ADC, 3x UART, 2x SPI, 3x timers, up to 72 MHz operation.
    • I think I have gotten spoiled by the rich set of peripherals available on the PSOC, because while the set of peripherals the Cortex has is reasonable, by itself it will not be able to manage all the sensors and hardware of a robot.
    • I am thinking of using a new chassis for the robots, I need to do a full engineering preliminary design before I can commit to that course of action.

After much reading and searching I have finally managed to burn, run and debug a sample LED blinking program on the STM32-P103. The beauty of open source development tools is obviously the cost and the frequent updates, but the disadvantage is the lack of good documentation or manual. I have been able to piece together bits and pieces through a lot of trial and error, and will be posting everything I have learned so far soon, with sample code.


UN Data Mining

The UN has made data it collects from its member nations available here. Very interesting, and I am looking forward to mining some of the data to prepare for the web course this summer, as well as try my hand at some economic analyses.


Internet Explorer CSS Box Bug

It is no secret that IE has some bugs in rendering CSS styles, most notably with respect to the box model. This wikipedia entry has a good summary of one of the bugs, which is really a misinterpretation of the CSS standard. It doesn’t help that for some web developers, Microsoft’s interpretation makes more sense than the “correct” standard!


Workflow Finally Solved!

Well I finally have it working the way I want.

Rundown of flow:

  • Student creates PSFolder
  • Student submits PSFolder
  • PSFolder gets moved to separate folder that only TFs can access
  • TF logs onto account and goes to tf_resources and selects View Submitted Homework
  • TF grades each submitted PSFolder
  • When done, TF returns to student PSFolder
  • PSFolder gets moved back to student folder

New features to be added eventually

  • Incorporate grading pages to enter grades while in workflow (this is complicated)
  • Incorporate archiving of submitted folder in case of disputes later on
  • Email on homework submission/return

Some hard lessons learned

  • manage_pasteObjects(manage_cutObjects(...)) requires both the Copy or Move and the Delete permissions (need to confirm)
  • manage_cutObjects() takes a list (or tuple?) of ids, not a single id (sort of obvious)
  • portal_catalog gets confused if you do a copy -> paste; do a cut -> paste. Confused means the review_state variable is "private" (the original state), not "submitted"
  • if as a student you can no longer see your home folder, that means some workflow permissions were screwed up; just reset security settings in portal_workflow to clear this up
  • put the object move script in the After section, not Before; otherwise portal_catalog gets confused too, as the state hasn't changed to submitted yet.
  • Properties, based on a db using SQLPASPlugin, need to be set through Plone using setMemberProperties, not directly into the db.
    • I created an external method script to do this. extSetMemberProperty // extSetStudentTFStatus

Parts of the workflow system

  • Portal_catalog: Add index/metadata for TF
  • Portal_workflow: Add PSFolder type
    • Add Variable TF
    • For submit transition use expression: TF = python:here.portal_membership.getAuthenticatedMember().getProperty('tf')
    • Set Script (after) to an external method that handles the move extMoveObjectsPlone
    • For return transition set script (after) to extMoveBackSubmittedPlone
    • Both are in the external file extCopyObjects.py
    • Permissions for the submitted state: Owner should have Access contents, Copy or Move, and Delete
    • You need to edit the Adds to actions box and add a label or else the transition won’t appear (e.g. “Submit to TF”)
  • PSFolders are Plone objects, not ZMI/zclass objects. Create a regular Plone folder to store the moved psfolder objects in the top level portal root, and manually create Plone folders with tf user ids as ids. Make sure this folder is Private!
  • Set permission to private, submitted, graded, etc appropriately.

I’ve added code snippets to the svn server, which can be accessed on trac.reisun.com
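As an added illustration (my code, not the scripts on the author's svn), here is what the two after-scripts can look like when written so they can be registered as Zope External Methods, applying the lessons above: cut rather than copy, reindex after the move, and run after the state change. The folder id "submitted", the TF-id policy and the function names are assumptions; the calls used (manage_cutObjects/manage_pasteObjects with REQUEST left as None, _getOb, reindexObject, portal_membership.getHomeFolder, unrestrictedTraverse, getOwner) are standard Zope/CMF API.

```python
import re

# Assumptions about the site layout (the post only says "a regular Plone
# folder ... in the top level portal root" with one subfolder per TF):
SUBMITTED_ROOT = "submitted"             # id of that private folder
TF_ID_OK = re.compile(r"^[a-z0-9_]+$")   # assumed policy for TF user ids


def _move(obj, dest):
    """Cut obj out of its current container and paste it into dest.

    Cut, not copy: a copy is a new object whose catalog entry still says
    review_state=private. REQUEST is left as None so the manage_* methods
    return the clipboard data instead of redirecting to the ZMI."""
    src = obj.aq_parent
    clipboard = src.manage_cutObjects(ids=[obj.getId()])
    dest.manage_pasteObjects(clipboard)
    moved = dest._getOb(obj.getId())
    moved.reindexObject()   # catalog path and review_state now agree
    return moved


def _tf_folder(portal, tf_id):
    """Resolve the TF's grading folder. The id comes from a member property,
    so it is validated before it is used to build a traversal path."""
    if not isinstance(tf_id, str) or not TF_ID_OK.match(tf_id):
        raise ValueError("refusing to traverse with TF id %r" % (tf_id,))
    return portal.unrestrictedTraverse("%s/%s" % (SUBMITTED_ROOT, tf_id))


def move_to_tf(state_change):
    """After-script of the 'submit' transition: the PSFolder goes to the
    folder of the TF recorded on the submitting student's member properties.
    state_change is the StateChangeInfo that DCWorkflow passes to scripts."""
    obj = state_change.object
    portal = state_change.getPortal()
    member = portal.portal_membership.getAuthenticatedMember()
    tf_id = member.getProperty("tf")
    if not tf_id:
        raise ValueError("member %s has no TF assigned" % member.getId())
    return _move(obj, _tf_folder(portal, tf_id))


def move_back_to_student(state_change):
    """After-script of the 'return' transition: back to the owner's home folder."""
    obj = state_change.object
    portal = state_change.getPortal()
    owner_id = obj.getOwner().getId()
    home = portal.portal_membership.getHomeFolder(owner_id)
    if home is None:
        raise ValueError("no home folder for %s" % owner_id)
    return _move(obj, home)
```

Register each function as an External Method and set it as the after-script of the matching transition; because it runs after the state change, the reindex records the new review_state under the new path, which is exactly the confusion the cut-before-submit ordering caused.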
