Old retiring IIS 5.0 web server has been accepting URLs containing plus (+) for spaces instead of %20 for like 74 years. People have the old URLs bookmarked and stuff so they’ll keep going to them. The content will still exist on the replacement IIS 7 web server. Wouldn’t it be nice to make it transparent?

(Not to mention “foo+bar.pdf” is sane, but “foo%20bar.pdf” reads “foo percent twenty bar”, awkwardly. )

The problem is that IIS7 by default considers naked plusses in the URL as scary and sends a 404.11, URL_DOUBLE_ESCAPED error. Even if you convince it the URL is OK, it no longer maps plus to space and finds a piece of content.

On the old IIS 5.0 server these URLs both work, serving up the document named “foo bar.pdf”:

http://server/foo+bar.pdf

http://server/foo%20bar.pdf

On the new IIS 7 (Windows 2008) server, the second URL works but the first one gives an error.

Solution:

I put this in my application’s web.config file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="True" />
    </security>
    <rewrite>
      <rules>
        <rule name="RewriteUserFriendlyURL1" stopProcessing="false">
          <match url="\+" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="{UrlDecode:{REQUEST_URI}}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

the allowDoubleEscaping directive on line 5 solves the first part of the problem, allowing IIS to handle unescaped plusses. The rewrite rule below passes the requested URI through the UrlDecode function (line 15), which thankfully still remembers the time-tested convention of plus equaling space. Now both forms of the URL work.

(I didn’t really write the rewrite stanza, I just stumbled around with the rewrite URL editor in the IIS Manager until it worked)

Yay!

This week I used the sfDoctrineActAsTaggablePlugin to add tag behavior to a Symfony project. My goal was to have a user interface similar to WordPress’s, which I like a lot:

Another goal was to use JQuery UI with the nice visual theme I built with their Theme Roller tool (which I had already installed and added to my symfony project).

The documentation was a little bit sparse and I’ll probably end up doing this again, so here are relevant instructions so Future Me and others may also benefit:

Set up

1. get/install/checkout sfDoctrineActAsTaggablePlugin. I use this line in the `svn:externals` property on plugins/:

   sfDoctrineActAsTaggablePlugin/ http://svn.symfony-project.com/plugins/sfDoctrineActAsTaggablePlugin/tags/RELEASE_1_0_0

2. enable the plugin in config/ProjectConfiguration.class.php.

       $this->enablePlugins(
                            'sfDoctrinePlugin', 
                            ...
   			 'sfDoctrineActAsTaggablePlugin'
   			 );

3. Add the Taggable behavior to your model(s) in config/doctrine/schema.yml

       actAs:            { Timestampable: ~ , Taggable: ~ }

   (not templates: [Taggable] as the README says)
4. Rebuild your model and forms and everything. My favorite way is to dump the old data to fixtures, then rebuild everything.

   ./symfony --color doctrine:data-dump
   ./symfony --color doctrine:build --all --and-load --no-confirmation

At this point you should have new database tables tag and tagging, and the proper model relations and everything.

Form fields for tags

UI for entering tags, displaying existing tags (with remove buttons)

I’m going to have

1. a single text input field for adding tags,
2. a link to display a tag cloud (see below) if the user wants to pick tags by clicking instead of typing
3. a styled list of existing tags with delete icons
4. a hidden field for storing tags to be removed after clicking on the delete icons.

The delete icons will trigger a Javascript function which populates the hidden field and hides the tag. Changes won’t be saved until the user submits the form, so we’ll also provide a little reminder.

1. add the tag field(s) to the configure() method of your form, in lib/form/doctrine/ModelForm.class.php.

       // this text appears in gray until the user focuses on the field
       $default = 'Add tags with commas';
       $this->widgetSchema['new_tags'] = new sfWidgetFormInput
         (
          array('label'   =>  'Add Tags', 'default'   =>  $default),
          array(
                'onclick' => "if (this.value=='$default') { 
                                   this.value = ''; this.style.color='black'; }", 
                'size'   =>  '32',
   	     'id' => 'new_tags', 
                // don't let the browser autocomplete.  We'll add typeahead, below
   	     'autocomplete' => "off",      
   	     'style' => 'color:#aaa'
   	     )
          );
       // allow the field to remain blank
       $this->setValidator('new_tags', new sfValidatorString(array('required' => false)));
    
       // this hidden field will be populated with JavaScript.
       $this->widgetSchema['remove_tags'] = new sfWidgetFormInputHidden();
       $this->setValidator('remove_tags', new sfValidatorString(array('required' => false)));

2. Add a partial with the admin generator. In apps/frontend/modules/mymodule/config/generator.yml:

         form:
           display:
             # add another section after the other fields...
             Tags: [_tags]

3. edit the partial, apps/frontend/modules/mymodule/templates/_tags.php

   <?php use_helper('JavascriptBase', 'Tags')  ?>
   <?php  
    
   // much of this I copied and adapted from a cached admin generator template.
   $name = 'new_tags'; $label = ''; $help = ''; 
   $class = 'sf_admin_form_row sf_admin_text sf_admin_form_field_tags';
    
    ?>
    
     <div class="<?php echo $class ?><?php $form[$name]->hasError() and print ' errors' ?>">
       <?php echo $form[$name]->renderError() ?>
       <div>
         <?php echo $form[$name]->renderLabel($label) ?>
    
         <div class="content"><?php echo $form[$name]->render($attributes instanceof sfOutputEscaper ? $attributes->getRawValue() : $attributes) ?>
    
    
   <?php // tag cloud will go here, see below ?>
    
    
   </div>
    
         <?php if ($help): ?>
           <div class="help"><?php echo __($help, array(), 'messages') ?></div>
         <?php elseif ($help = $form[$name]->renderHelp()): ?>
           <div class="help"><?php echo $help ?></div>
         <?php endif; ?>
       </div>
     </div>
    
   <?php // list of current tags, with remove buttons ?>
   <div class="sf_admin_form_row sf_admin_text sf_admin_form_field_tags">
   <div>
   <label>Current tags</label>
   <div class="content">
   <div class="taglist">   
      <?php foreach ( $form->getObject()->getTags() as $t):   ?>
       <span><nobr><?php 
    
   echo link_to_function("Remove '$t'", 
              "remove_tag(".json_encode($t).", this.parentElement)", 
              "class=removetag")
    
     ?>&nbsp;<?php echo $t  ?></nobr></span>
       <?php endforeach;  ?>
   </div>
   <span id="remove_tag_help" style="display:none;">Tag(s) removed. Remember to save the complaint.</span>
   </div>
   </div>
    
   </div>

4. Add a Javascript function to support the “remove tag” buttons.

   $(function() {
               // add fancy jQuery UI button styles.  See additional in "CSS" below
   	    $(".taglist a").button({icons:{primary:'ui-icon-trash'}, text: false});
   });
    
   function remove_tag (tag, element) {
     remove_field = $("#complaint_remove_tags");
     if ( remove_field.val().length ) {
       remove_field.val( remove_field.val()  + "," + tag );
     }
     else {
       remove_field.val( tag );
     }
     $(element).hide();
     $("#remove_tag_help").show();
   }

5. edit the `processForm` action to process the `new_tags` and `remove_tags` fields. I started by copying the `processForm` method from cache/frontend/dev/modules/autoMymodel/actions/actions.class.php into apps/frontend/modules/mymodule/actions/actions.class.php, then added code after validation:

     protected function processForm(sfWebRequest $request, sfForm $form)
     {
       $form->bind($request->getParameter($form->getName()), $request->getFiles($form->getName()));
    
       if ($form->isValid())
       {
         $notice = $form->getObject()->isNew() ? 'The item was created successfully.' : 'The item was updated successfully.';
    
         // NEW: deal with tags
         if ($form->getValue('remove_tags')) {
   	foreach (preg_split('/\s*,\s*/', $form->getValue('remove_tags')) as $tag) {
   	  $form->getObject()->removeTag($tag);
   	}
         }
         if ($form->getValue('new_tags')) {
   	foreach (preg_split('/\s*,\s*/', $form->getValue('new_tags')) as $tag) {
             // sorry, it would be better to not hard-code this string
   	  if ($tag == 'Add tags with commas') continue;
   	  $form->getObject()->addTag($tag);
   	}
         }
    
         try {
           $complaint = $form->save();
           // and the remainder is just pasted from the generated actions file

Yay! Now I can add, display, and remove tags. Now for the fancy parts.

Typeahead tag autocompletion

As detailed in the README, sfDoctrineActAsTaggablePlugin has typeahead support. I tried it, but I didn’t feel like the user interaction was quite smooth enough, and I wanted to use the excellent, beautiful, and user-expectation-meeting jQuery UI Autocomplete widget.

I ended up using the action provided by sfDoctrineActAsTaggablePlugin, but modified the view to return JSON instead of an HTML <ul>, and I used the multiple, remote demo code from the jQuery UI Autocomplete documentation.

1. override the completeSuccess view for the taggableComplete/complete action

   mkdir -p apps/frontend/modules/taggableComplete/templates
   touch apps/frontend/modules/taggableComplete/templates/completeSuccess.php

   And here is my new template:

   <?php
    
   // we're rewriting the view for the taggable plugin to output JSON instead of HTML
   // see http://wiki.jqueryui.com/Autocomplete
    
   $tags_simple = array();
   foreach ( $tagSuggestions as $suggestion ) {
     $tags_simple[] =  $suggestion['suggested'];
   }
    
   echo json_encode($tags_simple);

   You can test your autocomplete action with a URL like http://myserver/myproject/taggableComplete/complete/current/p. In my case (because I have some data in my tag table) it returns this JSON-formatted array:

   ["PHP","plugins"]

2. Add jQuery UI javascript. I used a <script> section in my _tags.php partial, but you could also use an external javascript file (but mind the line of PHP code using the url_for() helper).

   	$(function() {
    
   // for debug info, uncomment these lines and add a <div id="autocomplete_log">
   // 		function log(message) {
   // 			$("<div/>").text(message).prependTo("#autocomplete_log");
   // 			$("#autocomplete_log").attr("scrollTop", 0);
   // 		}
   		function split(val) {
   			return val.split(/\s*,\s*/);
   		}
   		function extractLast(term) {
   		        last = split(term).pop();
   // 			log ( "extracted last = "+last );
   			return last;
   		}
    
    
   		$("#new_tags").autocomplete({
    
   			source: function(request, response) {
   		      $.getJSON(<?php echo json_encode(url_for("taggableComplete/complete")) ?>, {
   					current: extractLast(request.term)
   				}, response);
   			},
   			search: function() {
   				// custom minLength
   				var term = extractLast(this.value);
   				if (term.length < 1) {
   					return false;
   				}
   			},
   		        focus: function(event, ui) {
   				// prevent value inserted on focus
   				return false;
   			},
   			select: function(event, ui) {
   				var terms = split( this.value );
   				// remove the current input
   				terms.pop();
   				// add the selected item
   				terms.push( ui.item.value );
   				// add placeholder to get the comma-and-space at the end
   				terms.push("");
   				this.value = terms.join(", ");
   				return false;
   			}
    
   		});
   	});

tag cloud

I like how WordPress has an option for picking tags from a tag cloud too. The sfDoctrineActAsTaggablePlugin made this nice and easy.

1. Here’s the code for the view (in the _tags.php partial)

   <?php echo link_to_function("Choose from the most used tags &gt;&gt;", '$("#add_tag_from_cloud").show(); $(this).hide()' ) ?>
    
   <div id="add_tag_from_cloud" class="tag_cloud popular" style="display:none">
   <h3>Popular tags</h3>
   <?php 
   // gets the popular tags
   $tags = PluginTagTable::getPopulars();
    
   // Display the tags cloud, using link_to_function() instead of link_to()
   // The %s in the second arg will be substituted with the tag text.
   echo tag_cloud($tags, 'add_tag("%s")', array(
   				'link_function'   =>  'link_to_function',  
   				'link_options'   =>  array('class=addtag')
   					     )
   	       );
    
     ?>
   </div>

2. And here’s the javascript to handle those links.

   function add_tag (tag) {
     add_field = $("#new_tags");
    
     if ( add_field.val() == "Add tags with commas" ) {
       add_field.val( tag );
       add_field.css("color", "black");
     }
     else if ( add_field.val().length ) {
       add_field.val( add_field.val()  + ", " + tag );
     }
     else {
       add_field.val( tag );
     }
     $(element).hide();
   }

CSS

I made lots of incremental changes to my CSS but here are all of the sections relevant to the tag stuff I’ve shown here, I think.

 
.taglist .removetag {
   vertical-align: middle;
   width: 18px;
   height: 18px;
}
 
.taglist span {
   margin-right: 1.4em;
}
 
.tag_cloud li {
   display: inline;
   list-style: none;
}
 
#sf_admin_container .tag_cloud li a {
   background: transparent;
   padding-left: 0px;
}

And I had this in my apps/frontend/templates/layout.php to apply JQuery UI button styling to all my form buttons and hyperlinks with the “button” CSS class:

<script type="text/javascript">
// use JQueryUI buttons
      $(function() {
       $("input:submit,  button, a.button").button();
      });
</script>

Yay! I’m pretty happy with it so far. I hacked at it for a couple days though and have been cloudy with fighting a cold, so if I’ve missed anything let me know. I think this is enough to get me there more quickly the next time.

Salient errors:

String.cpp: In member function ‘off_t String::toOffset()’:
String.cpp:167: warning: format ‘%d’ expects type ‘int*’, but argument 3 has type ‘off_t*’
In file included from HTTPHeader.hpp:38,
                 from DownloadManager.hpp:30,
                 from OptionContainer.hpp:27,
                 from ConnectionHandler.hpp:27,
                 from ConnectionHandler.cpp:25:
RegExp.hpp:31:23: error: pcreposix.h: No such file or directory
In file included from HTTPHeader.hpp:38,
                 from DownloadManager.hpp:30,
                 from OptionContainer.hpp:27,
                 from ConnectionHandler.hpp:27,
                 from ConnectionHandler.cpp:25:
RegExp.hpp:82: error: ‘regex_t’ does not name a type
make[2]: *** [dansguardian-ConnectionHandler.o] Error 1
make[2]: *** Waiting for unfinished jobs....
mv -f .deps/dansguardian-String.Tpo .deps/dansguardian-String.Po
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

And a wild goose chase: don’t alter your PCRE_LIBS environment variable or you’ll have trouble like this:

ld: in /Developer/SDKs/MacOSX10.5.sdk/usr/include/php/ext/pcre/pcrelib, can't map file, errno=22

What worked:

 
# this is the main thing-- help it find pcreposix.h !
export CPPFLAGS=-I/Developer/SDKs/MacOSX10.5.sdk/usr/include/php/ext/pcre/pcrelib
 
# only the last two are my preferences, 
# the others are from the INSTALL doc
 
./configure --localstatedir=/var  \
         --mandir=/usr/share/man/  \
         --bindir=/usr/local/sbin/ \
         --with-logdir=/usr/local/dansguardian/logs/ \
         --enable-email=yes
 
make -j 2
sudo make install

starting at boot with daemonic

I got squid using Fink, which uses daemonic for startup/init scripts. So hopefully I can use it to start dansguardian at boot too.

I copied the squid XML file and made this one at /sw/etc/daemons/dansguardian.xml:

<service>
<description>Dan's Guardian</description>
<message>Dan's Guardian content filter</message>
 
<daemon name="dansguardian">
<executable checkexit="true">/usr/local/sbin/dansguardian</executable>
<configfile>/usr/local/etc/dansguardian/dansguardian.conf</configfile>
<pidfile>/var/run/dansguardian.pid</pidfile>
</daemon>
 
</service>

Now all I have to do is:

$ sudo daemonic enable dansguardian

Looks like it built some nice OS-X-y startup scripts for me in /Library/StartupItems/daemonic-dansguardian. Here goes rebooting…

Visual Studio 2005 complains,

Error screenshot (read text on left)

Database schema could not be retrieved for this connection. Please make sure the connection settings are correct and that the database is online. This server version is not supported. You must have Microsoft SQL Server 2005 Beta 2 or later.

Except I have MS SQL Server 2008 Express.

Solution:

Download and install this CTP (Community Technology Preview) which addresses the issue.

I like using Subversion to deploy web content to production servers. I check in everything while I’m working on the development copy, then check out onto the server when it’s ready.

Subversion creates a .svn directory contain readable copies of all your files, which is bad for server-processed files like .php or .aspx that you don’t want readable by, say, Google Hackers.

I have thought about this before but when I went to do it I couldn’t find any clear guides online. I did find this question at Server Fault, which is a newish sister of Stack Overflow, which reminds me kind of Experts Exchange but without the suck. Except that in this case the answers sucked. So I figured it out and added my answer and am posting it here too:

“Don’t do it that way” does not answer the question.

Practically, I like having a working copy on the production server, because that way I can make quick changes in production (who has never done that?) and check them back in. It depends on where you want your security/convenience slider, and in many cases this is a good place.

The standard solution in Apacheland is to leave the .svn files there but tell the web server to never serve them. Here’s how to do that with IIS 5 through 7 on Windows NT4 through 2008.

1. Download and install ISAPI_Rewrite — the Lite version will be enough for this purpose. There are two versions, version 2 and 3. Use ISAPI_Rewrite3 unless you need to support NT4. Also, note the extra IIS features you need to enable for Win 2008.
   Warning– the MSI installer may stop and start IIS.

2. Launch the Helicon->ISAPI_Rewrite3->ISAPI_Rewrite Manager app from the Start Menu. It makes editing the config file (installed in C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf by default) easier, but you can also do it by hand. note, the config file in ISAPI_Rewrite2 is named httpd.ini and is read-only by default.

3. Add these lines to httpd.conf:

# Deny access to Subversion working copy administrative
#  directories (.svn) and their contents
RewriteRule .*/\.svn\b.* . [F,I,O]

Now, any request for a .svn directory or its contents will result in a 404 Not Found from the server.

Symfony’s production environments don’t create logs, but the development environments do, and for one project I had several batch jobs logging to the myproject/log directory. (Troubleshooting batch jobs without logs is just crazy).

I was going to use symfony log:rotate, but

• I would need one cron job for each log
• I had permission issues since some of the logs belong to apache and others to root
• Everything else on the machine, pretty much, is managed with the standard Linux utility logrotate. Logrotate has been around for about 174 Linux Years, and is common to most distributions.

So here’s how I did it using with logrotate.

1. WARNING: You might want to make a convenient copy of your log directory before you do this. I accidently wiped all the logs out while messing with it.
2. Create a file config/myproject.logrotate. Very simple, I just want it to use the same rotation schedule specified for the whole machine in /etc/logrotate.conf

   /path/to/myproject/log/*.log {
           weekly
           rotate 4
   }

3. Check that it will do stuff by running it with the debug flag

   logrotate -df config/badge.logrotate

4. Make a symlink to it in /etc/logrotate.d

   ln -s /path/to/myproject/config/myproject.logrotate  /etc/logrotate.d/myproject

5. Run it the first time manually to rotate your logs and make sure it does the right thing!

   sudo logrotate -fv /etc/logrotate.d/myproject

So I have to get a certification to progress in my job, and it needs to involve Microsoft .NET. OK. So I’m working through the MCPD (Microsoft Certified Professional Developer) .NET web development training kit, available at Amazon, Barnes and Noble, etc. In theory it’s all I need prepare for the 3 exams for the MCPD, 70-536, 70-528, 70-547.

Thoughts so far:

1. C# is surprisingly well-designed. Especially compared to say, PHP, which was only designed after the fact.
2. I LOVE LOVE LOVE the elegant high tech tool metaphor gracing the cover.
3. I love books instead of training, especially “online training”. But I need to map out a schedule and stick to it or it will get lost amid many other things.

So here, I went through the books and with Perl’s help, added up the estimates for each section, adding a 10 minute review on each chapter.

70-536 Foundations

ch 1: Framework Fundamentals (total: 2:20)

• lesson 1: 30 minutes
• lesson 2: 40 minutes
• lesson 3: 40 minutes
• lesson 4: 20 minutes
• review: 10 minutes

ch 2: Input (total: 1:15)

• lesson 1: 20 minutes
• lesson 2: 20 minutes
• lesson 3: 10 minutes
• lesson 4: 15 minutes
• review: 10 minutes

ch 3: Searching (total: 1:25)

• lesson 1: 45 minutes
• lesson 2: 30 minutes
• review: 10 minutes

ch 4: Collections and Generics (total: 1:55)

• lesson 1: 15 minutes
• lesson 2: 10 minutes
• lesson 3: 30 minutes
• lesson 4: 30 minutes
• lesson 5: 20 minutes
• review: 10 minutes

ch 5: Serialization (total: 2:05)

• lesson 1: 45 minutes
• lesson 2: 40 minutes
• lesson 3: 30 minutes
• review: 10 minutes

ch 6: Graphics (total: 2:10)

• lesson 1: 60 minutes
• lesson 2: 30 minutes
• lesson 3: 30 minutes
• review: 10 minutes

ch 7: Threading (total: 1:50)

• lesson 1: 20 minutes
• lesson 2: 40 minutes
• lesson 3: 40 minutes
• review: 10 minutes

ch 8: Application Domains and Services (total: 1:40)

• lesson 1: 20 minutes
• lesson 2: 25 minutes
• lesson 3: 45 minutes
• review: 10 minutes

ch 9: Installing and Configuring Applications (total: 1:35)

• lesson 1: 20 minutes
• lesson 2: 25 minutes
• lesson 3: 15 minutes
• lesson 4: 25 minutes
• review: 10 minutes

ch 10: Instrumentation (total: 1:30)

• lesson 1: 20 minutes
• lesson 2: 20 minutes
• lesson 3: 20 minutes
• lesson 4: 20 minutes
• review: 10 minutes

ch 11: Application Security (total: 2:40)

• lesson 1: 60 minutes
• lesson 2: 45 minutes
• lesson 3: 45 minutes
• review: 10 minutes

ch 12: User and Data Security (total: 3:40)

• lesson 1: 90 minutes
• lesson 2: 30 minutes
• lesson 3: 90 minutes
• review: 10 minutes

ch 13: Interoperation (total: 1:10)

• lesson 1: 20 minutes
• lesson 2: 20 minutes
• lesson 3: 20 minutes
• review: 10 minutes

ch 14: Reflection (total: 1:35)

• lesson 1: 15 minutes
• lesson 2: 20 minutes
• lesson 3: 25 minutes
• lesson 4: 15 minutes
• lesson 5: 10 minutes
• review: 10 minutes

ch 15: Mail (total: 1:10)

• lesson 1: 30 minutes
• lesson 2: 30 minutes
• review: 10 minutes

ch 16: Globalization (total: 1:10)

• lesson 1: 20 minutes
• lesson 2: 40 minutes
• review: 10 minutes

70-528 Web-Based

ch 1: Introducing the ASP.NET 2.0 Web Site (total: 2:20)

• lesson 1: 30 minutes
• lesson 2: 60 minutes
• lesson 3: 20 minutes
• lesson 4: 20 minutes
• review: 10 minutes

ch 2: Adding and Configuring Server Controls (total: 1:40)

• lesson 1: 30 minutes
• lesson 2: 60 minutes
• review: 10 minutes

ch 3: Exploring Specialized Server Controls (total: 2:10)

• lesson 1: 60 minutes
• lesson 2: 60 minutes
• review: 10 minutes

ch 4: Using ADO.NET and XML with ASP.NET (total: 3:10)

• lesson 1: 60 minutes
• lesson 2: 60 minutes
• lesson 3: 60 minutes
• review: 10 minutes

ch 5: Creating Custom Web Controls (total: 2:10)

• lesson 1: 60 minutes
• lesson 2: 60 minutes
• review: 10 minutes

ch 6: Input Validation and Site Navigation (total: 2:10)

• lesson 1: 60 minutes
• lesson 2: 60 minutes
• review: 10 minutes

ch 7: ASP.NET State Management (total: 1:10)

• lesson 1: 30 minutes
• lesson 2: 30 minutes
• review: 10 minutes

ch 8: Programming the Web Application (total: 1:10)

• lesson 1: 30 minutes
• lesson 2: 30 minutes
• review: 10 minutes

ch 9: Customizing and Personalizing a Web Application (total: 3:10)

• lesson 1: 45 minutes
• lesson 2: 45 minutes
• lesson 3: 90 minutes
• review: 10 minutes

ch 10: Globalization and Accessibility (total: 1:20)

• lesson 1: 40 minutes
• lesson 2: 30 minutes
• review: 10 minutes

ch 11: Implementing Authentication and Authorization (total: 1:40)

• lesson 1: 45 minutes
• lesson 2: 45 minutes
• review: 10 minutes

ch 12: Creating ASP.NET Mobile Web Apps (total: 1:10)

• lesson 1: 60 minutes
• review: 10 minutes

ch 13: Monitoring, Deploying and Caching Apps (total: 2:00)

• lesson 1: 40 minutes
• lesson 2: 30 minutes
• lesson 3: 40 minutes
• review: 10 minutes

70-547 Designing

ch 1: Application Requirements and Design (total: 1:10)

• lesson 1: 40 minutes
• lesson 2: 20 minutes
• review: 10 minutes

ch 2: Decompose Specifications for Developers (total: 1:25)

• lesson 1: 20 minutes
• lesson 2: 20 minutes
• lesson 3: 35 minutes
• review: 10 minutes

ch 3: Design Evaluation (total: 0:30)

• lesson 1: 10 minutes
• lesson 2: 10 minutes
• review: 10 minutes

ch 4: Creating a User Interface (total: 2:25)

• lesson 1: 90 minutes
• lesson 2: 45 minutes
• review: 10 minutes

ch 5: Creating and Choosing Controls (total: 2:25)

• lesson 1: 45 minutes
• lesson 2: 90 minutes
• review: 10 minutes

ch 6: Data Validation (total: 2:25)

• lesson 1: 45 minutes
• lesson 2: 90 minutes
• review: 10 minutes

ch 7: Delivering Multimedia (total: 0:55)

• lesson 1: 45 minutes
• review: 10 minutes

ch 8: Component Design (total: 1:10)

• lesson 1: 20 minutes
• lesson 2: 20 minutes
• lesson 3: 20 minutes
• review: 10 minutes

ch 9: Component Development (total: 1:00)

• lesson 1: 30 minutes
• lesson 2: 10 minutes
• lesson 3: 10 minutes
• review: 10 minutes

ch 10: Reusable Software Components (total: 1:40)

• lesson 1: 90 minutes
• review: 10 minutes

ch 11: Application Logic Layer (total: 1:10)

• lesson 1: 30 minutes
• lesson 2: 30 minutes
• review: 10 minutes

ch 12: Logging and Monitoring (total: 1:25)

• lesson 1: 40 minutes
• lesson 2: 35 minutes
• review: 10 minutes

ch 13: Application Configuration (total: 1:10)

• lesson 1: 60 minutes
• review: 10 minutes

ch 14: Define and Evaluate a Testing Strategy (total: 1:05)

• lesson 1: 30 minutes
• lesson 2: 25 minutes
• review: 10 minutes

ch 15: Creating Development Tests (total: 1:50)

• lesson 1: 60 minutes
• lesson 2: 20 minutes
• lesson 3: 20 minutes
• review: 10 minutes

ch 16: Deploying an Application (total: 2:25)

• lesson 1: 45 minutes
• lesson 2: 45 minutes
• lesson 3: 45 minutes
• review: 10 minutes

ch 17: Supporting an Application (total: 2:10)

• lesson 1: 60 minutes
• lesson 2: 60 minutes
• review: 10 minutes

Totals:

70-536 Foundations: 26:30 70-528 Web: 23:10 70-547 Designing: 23:30

Also, as I wrote in my post about custom error pages, I have error pages set up for each, and I hate copying them. So I have invested some time into building a plugin containing the visual assets and the customized error pages, so that it’s easier to keep them uniform across all the apps I work on, and so that it will be that much quicker to build new projects.

I don’t think anyone outside my company will want my plug-in, but these instructions will hopefully be useful for anyone who wants to do the same thing.

These instructions are for symfony 1.1 but they should apply equally to 1.0 and 1.2.

Plugin organization

Here are the files and directories in my plugin:

plugins/myThemePlugin/
  config/
    view.yml
  modules/
    default/
      config/
        view.yml
      templates/
        disabledSuccess.php
        error404Success.php
  README
  web/
    css/
      mystyles.css
      myerrors.css
      mymain.css
    errors/
      error500.php
      unavailable.php
    images/
      my_swoop.jpg
      bg_sfTAlert.jpg
      bg_sfTLock.jpg
      bg_sfTMessage.jpg
      indicator.gif
      tall_gradient.jpg

Using svn:externals to install the plugin in each symfony project

I only want one copy of this thing, with version control, so I use svn:externals (for my other plugins too ).

$ svn propget svn:externals plugins
myThemePlugin/        https://mysvnserver.com/svn/web/myThemePlugin
sfGuardPlugin/        http://svn.symfony-project.com/plugins/sfGuardPlugin/branches/1.1/
$ svn up

Publishing the assets

The chapter on plugins in the The Definitive Guide to symfony explains:

Web assets (images, scripts, style sheets, etc.) are made available to the server. When you install a plug-in via the command line, symfony creates a symlink to the project web/ directory if the system allows it, or copies the content of the module web/ directory into the project one. If the plug-in is installed from an archive or a version control repository, you have to copy the plug-in web/ directory by hand (as the README bundled with the plug-in should mention).

As I showed above, I prefer to use svn:externals for my plugins, so this is a bit of a problem for me. Also, I develop on Windows (with XAMPP and Cygwin), so the more elegant symlink solution is not an option. Symfony 1.2 has a task called plugin:publish_assets that makes the copies, but that messes up my version control strategy. SO: I am going to use svn:externals to get the web assets from my plugin too.

$ svn propset svn:externals "myThemePlugin  https://my_svn_server/svn/web/myThemePlugin/web/" web
$ svn propget svn:externals web
    myThemePlugin  https://my_svn_server/svn/web/myThemePlugin/web/
$ svn up

This lets me keep the plugin in its own repository. You could get a similar effect by just checking out the files, but it would clutter up the SVN for your main project.

The end result: I have one copy of the web assets in the SVN repository, but they’re checked out twice into each project (once under plugins/myThemePlugin/web and once under web/myThemePlugin).

view.yml files

Now the overall view.yml file in plugins/myThemePlugin/config/ sets stylesheets for my whole project:

default:
  stylesheets:    
    - /myThemePlugin/css/main: { position: last }
    - /myThemePlugin/css/bannerhealth: {position: last}
    - %SF_ADMIN_WEB_DIR%/css/main
    - %SF_CALENDAR_WEB_DIR%/skins/aqua/theme

And I have another one to apply some additional stylesheets to my error pages:

error404Success:
  metas:
    title:        404 Not Found
  stylesheets: 
    - /sf/sf_default/css/screen.css
    - /sf/sf_default/css/ie.css
    - /myThemePlugin/css/errors: {position: last}
 
disabledSuccess:
  metas:
    title:        Temporarily Unavailable
  stylesheets: 
    - /sf/sf_default/css/screen.css
    - /sf/sf_default/css/ie.css
    - /myThemePlugin/css/errors: {position: last}

relative image paths in stylesheets and error pages

I use relative paths in my stylesheets (served out of myprojecturl/myThemePlugin/css/) so they can find the images (myprojecturl/myThemePlugin/images/):

background-image: url(../images/tall_gradient.jpg);

I’d do the same if my error templates (like plugins/myThemePlugin/modules/default/templates/error404Success.php) used images, but they don’t.

The pages in plugins/myThemePlugin/web/errors (which are installed via svn:externals now in web/myThemePlugin/errors) are used when things are so broken symfony can’t build template pages, so they have full HTML structure, including full stylesheet tags:

<?php $path = '..'; ?>
 
<link rel="stylesheet" type="text/css" media="screen" href="<?php echo $path ?>/../sf/sf_default/css/screen.css" />
<!--[if lt IE 7.]>
<link rel="stylesheet" type="text/css" media="screen" href="<?php echo $path ?>/../sf/sf_default/css/ie.css" />
<![endif]-->
 
 
<link rel="stylesheet" type="text/css" media="screen" href="<?php echo $path ?>/css/main.css" />
<link rel="stylesheet" type="text/css" media="screen" href="<?php echo $path ?>/css/bannerhealth.css" />
<link rel="stylesheet" type="text/css" media="screen" href="<?php echo $path ?>/css/errors.css" />

Apache error page configuration

Finally, I tell Apache to use my customized error pages for errors in this project.

  <Directory "/path/to/myproject/web">
        ErrorDocument 404 /myproject/default/error404
	ErrorDocument 500 /myproject/bhThemePlugin/errors/error500.php
  </Directory>

There we go! Now I have a lot less to do each time I make a new app; all the pretty stuff is in my plugin, and there aren’t any surprisingly brown symfony pages to throw off any users.

What do you think? Any errors or ommissions or problems?

CONCEPTS

Problem 1: Brute force SSH attackers

I recently made a Linux machine accessible by port 22 from the Internet, so I could remotely administer it with SSH. Within a day or two, there were hosts from all over the Internet trying to log in using random usernames (‘root’, ‘dave’, ‘mysql’, ‘neo’) and random passwords.

Problem 2: Weak system passwords

System passwords are becoming easier to guess by brute force every time a new processor comes out. It doesn’t matter how complicated your alphabet soup is, it’s just not long enough, or won’t be long enough eventually. The bad guys also have botnets full of machines and all the time in the world.

Working around problems 1 and 2: Key authentication

An SSH key is complex (random) and much, much longer than your password (see Wikipedia for more details about how public-key cryptography works). You store the private part of your key securely on your client machine, and tell the server to trust only the public key that goes with it. BUT, you should really use a nice, long, complex passphrase to lock up your private key so that someone who gains access to it can’t get free access to all your servers, which leads to

Problem 3: I’m too lazy to unlock my inconvenient SSH key all the time

I log in to different machines all the time, from a bunch of different workstations. But, I have a long passphrase on my SSH key. Too long to type every time, especially if I’m just looking at something or transferring a file or two.

Solution to problem 3: A key agent

An SSH key agent lets you unlock your key and load it into memory once, and then automatically uses it to get you in to all your servers. SUPER convenient.

Problem 4: It’s confusing

I tried to explain it to a friend recently and found nowhere on the internets that explained it all in one place.

Coming up: detailed instructions for getting started with SSH keys and using a key agent on Mac OS X (command line), Windows (PuTTY and Cygwin commandline ssh), and Linux/Unix (command line).

HOW TO START USING SSH KEYS

References:

• PuTTY manual chapter 8 and chapter 9
• section 2.4 of the O’Reilly SSH book by Barrett/Silverman
• man ssh_config
• man ssh-agent

Generate your key with a command-line (Open)SSH client (Cygwin, Mac OS X, Linux)

I’m going to start with this client, because the command-line OpenSSH is the common denominator on all the OSes I use.

1. Write down a nice long, complex, memorable passphrase that you’re capable of typing reliably, and store it in a safe place. You probably won’t need it every day (unless you reboot a lot), so make sure you can remember and type it. Security expert Bruce Schneier suggests a scrap of paper in your wallet is a pretty good place.

2. Generate a private key with ssh-keygen from your client machine’s command line:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/myusername/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):     # use yours from step 1
Enter same passphrase again:
Your identification has been saved in /home/myusername/.ssh/id_rsa.
Your public key has been saved in /home/myusername/.ssh/id_rsa.pub.
The key fingerprint is:
9a:89:9c:6b:87:a7:e8:93:9a:f5:f7:35:bf:23:87:c6 myusername@myhostname

1. The file permissions of your new .ssh directory and the files in it (except maybe your public key) should be very restrictive, allowing only you to read them. But just in case, reset them restrictively:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/id_rsa.pub

1. You need to append your public key to ~/.ssh/authorized_keys on each of your servers:
   • if you don’t have an authorized_keys file in your ~/.ssh directory, just copy your public key to it on each server:

scp -r ~/.ssh/id_rsa.pub  myserver:.ssh/authorized_keys

• if you already have one, you’ll need to append your key to it. Use a text editor and paste, copy and paste, or, courtesy of CodeSnippets,

cat .ssh/id_dsa.pub | ssh user@domain.tld 'cat >> .ssh/authorized_keys'

1. Test and make sure it works! When you ssh to the server, it should prompt you for your passphrase to unlock your private key, and then you should successfully connect. Using the -d flag to ssh gives you verbose debugging information which is usually useful.

$ ssh -v myserver
... # copious debug information about which keys or 
... # authentication methods ssh is trying ]
Enter passphrase for key '~/.ssh/id_rsa':
... # here's where you type your passphrase correctly
... # more debugging
debug1: Entering interactive session.
Last login: Thu May 21 14:30:31 2009 from 10.0.0.2

1. I like to turn on agent forwarding by adding this line to ~/.ssh/config file on each server. This allows you to ssh from server A to another server B that trusts your key, using the agent on your client machine to pass your key through. ForwardAgent yes

2. If all the users on the server will be using keys from now on, it’s a good idea to turn off password authentication for the whole server, in sshd_config, which is usually located in /etc/: PasswordAuthentication no Unfortunately, I can’t figure out how to lock one account on the server from using password authentication. You can put that line in your ~/.ssh/config file, but it only affects your use of ssh from that account, not to it.

Or, generate your key with PuTTY on Windows:

PuTTY is rock-solid terminal and SSH software for Windows. I usually generate my key with the command-line OpenSSH tools and then import it to PuTTY, but here’s how you do it the other way around:

1. Install the latest version of the whole PuTTY package. At the time of this writing, the PuTTY author’s site has been inaccessible for a while, but there are mirrors available for downloading the software.

2. Generate an RSA key with puttygen.exe, using a good passphrase (see instructions in the PuTTY manual chapter 8)

   

   Generating a key with puttygen.exe

3. Save the private key somewhere using the ‘Save private key’ button, like maybe in C:\Documents and Settings\yourusername\.ssh\puttyprivkey to be compatible with command-line SSH tools. Save the public key somewhere too (though you will paste it, below).

4. Make the file permissions of that directory and the files in it very restrictive (only you should have access).

5. On one server, edit .ssh/authorized_keys in your home directory (creating it if it doesn’t exist yet), and paste your public key from puttygen in there

6. Test that it works! Tell PuTTY to try key authentication instead of password authentication by setting your private key under Connection->SSH->Auth in the connection settings:

   

   Tell PuTTY to use your key

7. Copy the authorized_keys file and/or the whole .ssh directory to each other server. Eg on the first server, scp -r .ssh myotherserver:

8. Turn on agent forwarding (and “try to use Pageant”… see screenshot above) for each ssh session config in PuTTY in the Connection->SSH->Auth pane (this lets you ssh from server A to another server using the agent on your client machine)

9. Put your username in the “Auto-login username” field under Connection->Data for each saved PuTTY session:

   

   Don't forget to fill in the Auto-login username field for each saved PuTTY session.

Using your PuTTY key with command-line ssh client (Cygwin, Mac OS X, Linux):

If you want to use the key you just generated with puttygen.exe with another ssh client (eg cygwin commandline ssh), export your private key from puttygen and store it in your .ssh dir (ssh looks by default for .ssh/id_rsa but these instructions let you specify another name), and put these lines in your .ssh/config file:

ForwardAgent yes
IdentityFile ~/.ssh/id_rsa_putty_priv.openssh

( i.e., the filename of your exported private key )

To change your ssh key password

Load it in puttygen and change the password, save and export it for your other ssh client(s) if necessary

Using a different key from home or another machine or whatever

You can copy your private key to several machines, or you can generate a new key on each and append the public key to the .ssh/authorized_keys file on the server. Think about how much you want to expose/replace if something gets compromised.

In my case, I use one private key on all my client computers at work, one on my home computers, and one on my Palm handheld. That way if one of my client computers is lost, stolen or compromised, I can disallow that key but keep the others.

USE A KEY AGENT TO KEEP YOUR KEYS HANDY

So far, we’ve made SSH more secure, but my key passphrase is at least as much of a pain as using my password — in fact, more so because it’s about twice as long.

Using an SSH Key Agent offers a killer mix of security and convenience. When you open the agent and load your keys, you can unlock them and they’re held unlocked in memory. This lets you open connections all day without having to type your password or passphrase. NOTE WELL, lock your machine when it is unattended if you have an agent running; otherwise anyone who walks up to it can conceivably log in to any of the servers you’ve configured to trust your key.

To use PuTTY’s agent “Pageant” on Windows:

1. Launch pageant.exe, PuTTY’s ssh agent, right-click it in the system tray, and add your private key.

Now you can log into all your servers conveniently and get from server to server using agent forwarding.

You may want to convince pageant.exe to run at login. See Chapter 9 of the PuTTY manual.

I just made a shortcut to pageant and edited the Target to load the key and launch PuTTY at startup thusly: "C:\Program Files\putty\pageant.exe" "C:\Documents and Settings\myusername.ssh\puttyprivkey.ppk" -c "C:\Program Files\PuTTY\putty.exe"

To run an agent with the command-line OpenSSH client:

This applies to Linux, Mac OS X, and Cygwin.

Basically, add this line to your .profile file in your home directory, to start the agent whenever you open a shell:

eval `ssh-agent -s`

Then, before you ssh to anything in that terminal, use the ssh-add command (if your private key in openssh format is named .ssh/id_rsa) or ssh-add ~/.ssh/puttyprivkey.openssh if you’ve got a weirdly named one you made with puttygen.exe, above.

$ ssh-add
Enter passphrase for /cygdrive/c/Documents and Settings/myusername/.ssh/id_rsa:
Identity added: /cygdrive/c/Documents and Settings/myusername/.ssh/id_rsa (/cygdrive/c/Documents and Settings/myusername/.ssh/id_rsa)

ssh-add -l (ell) shows which keys the agent is currently holding.

$ ssh-add -l
9a:89:9c:6b:87:a7:e8:93:9a:f5:f7:35:bf:23:87:c6 /cygdrive/c/Documents and Settings/myusername/.ssh/id_rsa (RSA)

Making it nicer in with keychain

The keychain utility you can get with Cygwin (and some Linuxes) is also nice. I put this line in my .bashrc so that every Cygwin shell either starts the ssh agent or connects to the already running one.

eval `keychain --eval -q -Q --noask`

Then I can use ssh-add (see above) when I want to load my keyring, and all my open Cygwin shells get it, until I log out or restart Windows.

Running an agent on Mac OS X

In Leopard (Mac OS X 10.5, released in October 2007), the SSH Agent is integrated into the OS, so if you’ve generated your keys with ssh-keygen as above and they live in ~/.ssh/id_rsa and id_rsa.pub, you will get prompted to unlock your key the first time you try to ssh or scp anywhere:

This dialog box prompts you to unlock your key and/or start the agent.

The “Remember password in my keychain” checkbox makes it keep an ssh agent running. It works great.

For older versions of Mac OS, you want SSHKeychain. It also works with the Apple Keychain, to remember your key’s passphrase.

Both solutions work seamlessly for all the OpenSSH tools (ssh, sftp, scp, etc) in all your terminals.

So it’s been secretly irking me for a while that although I installed the very nice WP-Syntax code highlighting plugin for this WordPress blog, it was hard to get it to display things in reverse-video like I prefer for all my terminal and text editor windows, and like I love in the online Symfony documentation. It’s just nicer on the eyes, you know? Digging in, I found the GeSHI syntax highlighter to be impressive in scope but scary in its inline-style-generating detail.

So today, to solve the problem for more than just me, I published my very first WordPress plugin, wp-syntax-hacktify. Very educational! I like the plugin system at wordpress.org.

The plugin tells GeSHI to use stylesheets instead and provides a slightly more commented/documented stylesheet as an example for if you’d like to override it with your own color scheme.

So now my code samples can be all nicer and stuff, like this:

  /**
   * Print a string to the log using 'debug' level.  For printf-style
   * debugging.
   *
   * @param      string $m      The string to log
   * @return     nothing
   */
  public static function debug ($m) {
    if (sfConfig::has('sf_logging_enabled') && sfConfig::get('sf_logging_enabled'))
      {
        if ($logger = sfContext::getInstance()->getLogger()) {
          $logger->debug($m);
        }
      }
    elseif (sfConfig::has('bhLDAP_echo_debugging') && sfConfig::get('bhLDAP_echo_debugging'))
      {
        echo "# $m\n";
      }
    else
      {
//      echo $m;
      }
  }
 
  /**
   * Dump a data structure to the log at the 'debug' level.  Uses
   * print_r() formatting.
   *
   * @param      mixed $v         The variable/data structure to dump
   * @param      string $label    An optional label to print in front of the dump
   * @return     nothing
   */
  public static function debugDump ($v, $label = "var dump") {
    self::debug("$label:  " . print_r($v, true));
  }

Now the code on my blog can look nice even if it’s terrifically hacky!