AtomAPI and Authentication

Joe Gregorio and Mark Pilgrim have been working on a new implementation of the Atom API, and have come up with a Digest-like authentication mechanism for it. Joe describes it here; here’s a small part of the post:

  1. Triggered an auth by rejecting a request with an HTTP status code of 401.
  2. The server response includes an Authenticate: header that includes Atom as an authentication scheme.
  3. The client then sends an Authorization: header with the scheme of Atom with all the Digest authentication information going into X-Atom-Authorization: header.
  4. With every request the server sends back an X-Atom-Authentication-Info: header with the ‘nextnonce’.

Note that this now uses the extensibility of the HTTP authentication scheme. 

Well, ok. But how about this:

1. Change “Atom” to “Digest” in the WWW-Authenticate header, and make a couple of other trivial changes to this response.

2. Change X-Atom-Authentication to Authorization, with appropriate trivial changes.

Poof! You’re using digest authentication. Now I know Mark and Joe thought about this, and I was involved in a long painful discussion talking about this. But here’s my point: if you have enough control over your server to implement this “Atom-authentication” mechanism, then you have enough control to implement Digest itself. With a huge added benefit that many client toolkits understand digest out of the box.

My guess is this – there is a way to implement this for Apache in code, rather than using the .htaccess built-in support. If you can implement atom-auth, can’t you just modify your code to implement Digest?

And I even have a Digest implementation for .NET built, for folks that can’t (or don’t want to) turn on IIS intrinsic support for Digest.

We’re so close. Let’s do this right. I bet if there was an implementation built for Apache that didn’t require .htaccess or httpd.conf access, then some of the nay-sayers might get on board. Someone care to try it? I did my part – my .NET/IIS implementation is available, free, for anyone to use today…

17 Comments

Embedded code

From Sean Varley’s weblog:

Apparently the University of Wisconsin and Netgear have a problem.  It looks like Netgear hard coded the SNTP IP address into some embedded devices for network time sync and now the school gets the pleasure of servicing a few hundred thousand requests per second.  You can read about it here.

Wow…seems to me the moral of this story is twofold.

#1 – don’t ship a product that beats the crap out of someone else’s server.

#2 – don’t ship 700,000 units of your product until you’re pretty sure you’ve taken care of #1.

Yikes!

2 Comments

NewsGator tips feed

If you were previously a NewsGator user before 1.3, it’s likely you’ve never seen the new NewsGator Tips feed.  If you’d like to subscribe, go to the Subscriptions dialog, click the Add button, and select the Feed Wizard. Choose RSS and continue, select “NewsGator.com Feeds” from the list and click Next, and then choose the NewsGator Tips feed from the list.

And ignore the first tip about using the feed wizard – it’s not really applicable if you add the feed this way. ;-)

Leave a comment

Marketing by RSS

Dwight talks about RSS for marketing, and mentions a couple of things he sees as problems:

I love RSS as much as anyone else, but we don’t do anyone any favors when we refuse to take off the rose-colored sunglasses. Chris Pirillo throws some brickbats at an RSS doubter, but I happen to agree with the doubter on several points:

  • You can’t reliably measure exposure via RSS.
  • You can’t control how RSS is displayed.
  • RSS doesn’t build a user database.
  • RSS is difficult to customize – as a response driver – the way email is.
This problem has been discussed before, and I know Derek Scruggs has built at least one prototype of something that can do subscriber tracking. We’re using the same mechanism to power the NewsGator Tips feed, which is customized for each individual user. It’s simple really:
 
1. Get a user request for the RSS feed, say /rss.xml
 
2. Redirect the request with a 301 permanent redirect to /rss.xml?user=123456789
 
There you go. If you assign users an individual ID, you can track them to some extent. You can’t just look at how many times the feed has been retrieved (not relevant), but by looking at all the data in aggregate, you can tell how many users you have subscribed, the date they subscribed, the approximate date they stopped reading, and other useful data.  You can tell, with pretty decent accuracy, how many individual people are reading each post.
 
And if you are lucky enough to know something about an individual subscriber, you can customize the feed just for them. For example, with the NewsGator Tips feed, we trickle out tips one per day, based on the date you subscribed. It’s not hard – you just need a smart server, and your clients need to react correctly to certain HTTP status codes.
16 Comments

21-6 Productions

Back in another life, at Galileo, I worked with a guy named Justin Mette, probably one of the smartest developers I’ve had the pleasure to work with.

Well, a while back Justin left Galileo and formed a independent gaming studio called 21-6 Productions…and they’ve been doing some amazing stuff. At lunch a couple of weeks ago, I finally convinced him to create a RSS feed for their news so I could keep up with what they’ve been up to. And I see that a few days ago, they released version 2.1 of their award-winning game, Orbz – looks like they’ve been busy. Head over and take a look!

4 Comments

Formatting and Styles in NewsGator

This is the first of a few posts to come about cool NewsGator features that aren’t obvious…

Did you know you can change the formatting of posts within NewsGator? A common request is to be able to change the default font used to render items. The font used is actually Internet Explorer’s default font, and you can change that if you wish (IE, Tools/Options, Font button). But starting in 1.3, there’s another way.

There is a file in your NewsGator installation directory called ngstyles.css. If you edit this file, and insert some CSS styles, you can change the way posts are formatted. For example, to change the font used for the post/comment links at the top of the post (or bottom, depending on how you have it configured), put the following into your ngstyles.css file:

.ngpostlinks
{
   font-family: Arial;
}

Similarly, there is a file called NewsPage.css which contains style and formatting information for the NewsPage. You can edit this at will also, and come up with the formatting you like.

Chris Pirillo was kind enough to post the stylesheets he’s using in the NewsGator forums. In fact, he also posted a whole new NewsPage HTML file, which uses different icons. Thanks Chris!

So how about it? Anyone else want to post their creations in the forum?

7 Comments

RSS and Authentication

I see the following kind of thing a lot, talking about authentication with RSS feeds:

[…]  Right now, RSS is all anonymous and doesn’t care who you are.  Does ATOM/ECHO/PIE have it in its specs for any sort of authentication, so a person could get customized content?  Maybe an employee vs. a customer could get different content instead of having two different places a person would have to blog from.  What about security?  Sensative data…SSL? [Erik Porter]

What many folks seem to overlook is you can do all of this today. You can use HTTP authentication mechanisms, and many aggregators (including, of course, NewsGator) will support it. It’s being done every day, both on the internet and on corporate intranets. And SSL is also supported, if you need an encrypted connection.

5 Comments

COM Interop and .NET

This wasn’t obvious at all, so I thought I’d post this in the hopes of saving someone some pain:

If you have a non-managed application which creates a COM object implemented in managed code, by default the latest installed version of the framework will be loaded. Even if the COM object is specifically targeted to the 1.0 Framework. Took a while to finally find the docs for this:

The following factors determine the runtime version:

  • A COM application can specify the runtime version in an application configuration file. For additional information, see Configuring a COM Application for Side-By-Side Execution.
  • The runtime can already be loaded into memory by an extensible host, such as Microsoft Internet Explorer or Microsoft Office. The plug-in COM application uses the runtime that is loaded for the host to run managed components.
  • When strict control is needed, a COM application can preload a specific version of the runtime programmatically by invoking the CorBindToRuntimeHost method (exported from mscoree.dll). Alternatively, the application can target a different version of the runtime, based on an activated COM class, by invoking the GetRequestedRuntimeVersionForCLSID method (also exported from mscoree.dll) and passing the return value to CorBindToRuntimeHost.

In the absence of these factors, the startup code loads the latest compatible runtime version installed on the computer.

Interesting. Makes sense now, I suppose, but not what I initially expected.

Which leads to an interesting problem. If an application needs to use two inproc COM objects, one which only works with the 1.0 Framework, and one that only works with 1.1, you’re screwed. And these objects don’t even have a way to tell anyone that they only work with a certain version. Seems the only safe thing to do, if you’re such a COM object, is support every version of the framework that you might be loaded into. Hmm.

Leave a comment