Web Technology and DBMSs

1
Chapter 24

• Web Technology and DBMSs
• Transparencies

2
Questions you should be able to answer from this
chapter

• What would you consider to be the most important
  advantages and disadvantages of the World-Wide
  Web as a distributed information system (web-dbms
  approach)?
• The World Wide Web is a distributed information
  system based on hypertext. Discuss how the
  two-tier client-server architecture may not be
  entirely suitable for this environment and
  describe and alternative architecture

• The increasing accessibility of databases on the
  Internet and Intranets requires a reanalysis and
  extension of the normal approaches to security.
  Discuss some of the issues associated with
  database system security in these environments.

4
3
Introduction

• Many Web sites today are file-based where each
  Web document is stored in separate file.
• For large sites, this can lead to significant
  management problems.
• Also many Web sites now contain more dynamic
  information, such as product and pricing data.
• Maintaining such data in both a database and in
  separate HTML files is problematic.
• Accessing database directly from Web would be a
  better approach.
• Worldwide collection of interconnected networks.
• Began in late 60s in ARPANET, a US DOD project,
  investigating how to build networks that could
  withstand partial outages.
• Starting with a few nodes, Internet estimated to
  have over 100 million users in 1997, and over 270
  million users in over 100 countries in 1998, with
  one million new users joining each month.
• May be 199 million users of Web by year 2000.

5
4
Intranet and Extranet

• Intranet - A Web site or group of sites belonging
  to an organization, accessible only by the
  members of an organization.
• Extranet - An intranet that is partially
  accessible to authorized outsiders.
• Whereas intranet resides behind firewall and is
  accessible only to people who are members of same
  organization, extranet provides various levels of
  accessibility to outsiders.
• Hypermedia-based system that provides a simple
  point and click means of browsing information
  on the Internet using hyperlinks.
• Information presented on Web pages, which can
  contain text, graphics, pictures, sound, and
  video.
• Can also contain hyperlinks to other Web pages,
  which allow users to navigate in a non-sequential
  way through information.
• Web documents written using HTML.

7
5
The Web

• Web consists of network of computers that can act
  in two roles
• as servers, providing information
• as clients (browsers), requesting information.
• Protocol that governs exchange of information
  between Web server and browser is HTTP and
  locations within documents identified as a URL.
• Much of Webs success is due to its simplicity
  and platform-independence.

9
6
HyperText Transfer Protocol (HTTP)

• Protocol used to transfer Web pages through
  Internet.
• Based on request-response paradigm
• Connection - Client establishes connection with
  Web server.
• Request - Client sends request to Web server.
• Response - Web server sends response (HTML
  document) to client.
• Close - Connection closed by Web server.
• HTTP/1.0 is stateless protocol - each connection
  closed once server provides response.
• difficult to support concept of a session that is
  essential to basic DBMS transactions.

Static and Dynamic Web Pages

• HTML document stored in file is static Web page.
• Content of dynamic Web page is generated each
  time it is accessed.
• Thus, dynamic Web page can
• respond to user input from browser.
• be customized by and for each user.
• Requires hypertext to be generated by servers.
• Need scripts that perform conversions from diff
  data formats into HTML on-the-fly.

11
7
HyperText Markup Language (HTML) / URLS

• Document formatting language used to design most
  Web pages.
• HTML is an application of Standardized
  Generalized Markup Language (SGML), a system for
  defining structured document types and markup
  languages to represent instances of those
  document types.
• URLS
• String of alphanumeric characters that
  represents location or address of a resource on
  Internet and how that resource should be
  accessed. Defines uniquely where documents
  (resources) can be found.
• Uniform Resource Identifiers (URIs) - generic set
  of all Internet resource names/addresses.
• Uniform Resource Names (URNs) - persistent,
  location-independent name. Relies on name lookup
  services.
• URL consists of three basic parts
• protocol used for the connection - Host name -
  path name on host where resource stored.
• Can optionally specify
• port through which connection to host should be
  made - query string.

13
8
Requirements for Web-DBMS Integration

• Ability to access valuable corporate data in a
  secure manner.
• Data and vendor independent connectivity to allow
  freedom of choice in DBMS selection.
• Ability to interface to database independent of
  any proprietary browser or Web server.
• Connectivity solution that takes advantage of all
  the features of an organizations DBMS.
• Open-architecture to allow interoperability with
  a variety of systems and technologies. For
  example
• different Web servers Microsoft's (Distributed)
  Common Object Model (DCOM/COM) CORBA/IIOP
  (Internet Inter-ORB protocol) Java RMI
• Cost-effective solution that allows for
  scalability, growth, and changes in strategic
  directions, and helps reduce applications
  development costs.
• Support for transactions that span multiple HTTP
  requests.
• Support for session- and application-based
  authentication.
• Acceptable performance.
• Minimal administration overhead.
• Set of high-level productivity tools to allow
  applications to be developed, maintained, and
  deployed with relative ease and speed.

19
9
File-server

• File-server is connected to several workstations
  across a network.
• Database resides on file-server.
• DBMS and applications run on each workstation.
• Disadvantages include
• Significant network traffic.
• Copy of DBMS on each workstation.
• Concurrency, recovery and integrity
• control more complex

10
Client-server

• Server holds the database and the DBMS.
• Client manages the user interface and runs
  applications.
• Advantages include
• Wider access to existing databases.
• Increased performance.
• Possible reduction in hardware costs.
• Reduction in communication costs.
• Increased consistency.

38
11
Three-Tier Client-Server Architecture

• Client side presented two problems preventing
  true scalability
• Fat client, requiring considerable resources on
  clients computer to run effectively.
• Significant client side administration overhead.
• By 1995, three layers proposed, each potentially
  running on a different platform.
• Advantages
• Thin client, requiring less expensive hardware.
• Application maintenance centralized.
• Easier to modify or replace one tier without
  affecting others.
• Separating business logic from database functions
  makes it easier to implement load balancing.
• Maps quite naturally to Web environment.

24
12
Web-DBMS Approach
Advantages
Disadvantages

• DBMS advantages
• Simplicity
• Platform independence
• Graphical User Interface
• Standardization
• Cross-platform support
• Transparent network access
• Scalable deployment
• Innovation

• Reliability
• Security
• Cost
• Scalability
• Limited functionality of HTML
• Statelessness
• Bandwidth
• Performance
• Immaturity of development tools

27
13
Approaches to Integrating Web and DBMSs

• Common Gateway Interface (CGI).
• Server-Side Includes.
• HTTP Cookies.
• Extending the Web Server.
• Java and JDBC, JSQL and JRB.
• Scripting Languages (JavaScript and VBScript).
• Microsoft Active Platform ASP and ADO.
• Oracle Network Computing Architecture.

29
14
JDBC

• Modeled after ODBC, JDBC API supports basic SQL
  functionality.
• With JDBC, Java can be used as host language for
  writing database applications.
• On top of JDBC, higher-level APIs can be built.
• Currently, two types of higher-level APIs
• An embedded SQL for Java.
• A direct mapping of relational database tables to
  Java classes.
• JDBC API consists of two main interfaces an API
  for application writers, and a lower-level driver
  API for driver writers.
• Applications and applets can access databases
  using
• JDBC API with pure Java JDBC drivers,
• ODBC drivers and existing database client
  libraries.
• Advantages/Disadvantages
• Advantage of using ODBC drivers is that they are
  a de facto standard for PC database access, and
  are available for many DBMSs, for very low price.
  
• Disadvantages with this approach
• Non-pure JDBC driver will not necessarily work
  with a Web browser.
• Downloaded applet can connect only to database
  located on host machine.
• Deployment costs increase.

48
15
Security

• All Internet traffic travels in the clear and
  anyone who monitors traffic can read it.
• Need to ensure with communication that
• It is inaccessible to anyone but sender and
  receiver (privacy).
• It has not been changed during transmission
  (integrity).
• Receiver can be sure it came from sender
  (authenticity).
• Sender can be sure receiver is genuine
  (non-fabrication).
• Sender cannot deny he or she sent it
  (non-repudiation).
• Must also protect information once it has reached
  Web server. Download may have executable content,
  which can perform following malicious actions
• Corrupt data or execution state of programs.
• Reformat complete disks.
• Perform a total system shutdown.
• Collect and download confidential data.
• Usurp identity and impersonate user.
• Lock up resources.
• Cause non-fatal but unwelcome effects.

• Look at
• Proxy Servers.
• Firewalls
• Message Digest
• - Digital Certificates.
• Kerberos.
• SSL and S-HTTP.
• SET and SST.
• Java Security.
• ActiveX Security.

70
16
Proxy Servers

• Proxy server is computer that sits between
  browser and Web server.
• It intercepts all requests to Web server to try
  to fulfil requests itself.
• Has two main purposes
• improve performance
• filter requests.

Firewalls

• Designed to prevent unauthorized access to/from a
  private network.
• Can be implemented in both hardware and software,
  or a combination of both.
• Several types of firewall techniques
• Packet filter.
• Application gateway.
• Circuit-level gateway.
• Proxy server.

74
17
Message Digest Algorithms

• Message digest algorithm takes an arbitrary-sized
  string (message) and generates fixed-length
  string (digest or hash).
• A digest has following characteristics
• It should be computationally infeasible to find
  another message that will generate same digest.
• Digest does not reveal anything about message.

Digital Signatures

• Digital signature consists of two parts
• string of bits computed from data being signed
• private key of individual or organization wishing
  the signature.
• Can be used to verify data comes from this
  individual or organization. Digital signature has
  many useful properties
• Authenticity can be verified, using public key.
• Cannot be forged (assuming private key is kept
  secret).
• Data signed and cannot be claimed to be signature
  for any other data.
• Signed data cannot be changed or signature will
  no longer verify data

76
18
Digital Certificates

• Attachment to electronic message used for
  security purposes (e.g. verify user sending
  message), and provide receiver with means to
  encode reply.
• Sender applies for certificate from Certificate
  Authority (CA).
• CA issues encrypted certificate containing
  applicants public key and other identification
  information.
• CA makes its own public key readily available.
• Recipient uses CAs public key to decode
  certificate attached to message, verifies it as
  issued by CA, and obtains senders public key and
  identification information held within
  certificate.
• With this information, recipient can send an
  encrypted reply.
• CAs role is critical, acting as go-between in
  relationship between two parties.

79
19
Kerberos

• A server of secured user names and passwords.
• Provides one centralized security server for all
  data and resources on network.
• Database access, login, authorization control,
  and other security features are centralized on
  trusted Kerberos servers.
• Has similar function to that of Certificate
  server to identify and validate a user.

Secure Sockets Layer (SSL)

• Encryption protocol for transmitting private
  documents
• Designed to prevent eavesdropping, tampering, and
  message forgery.
• Works by using private key to encrypt data that
  is transferred over SSL connection.
• Layered between application-level protocols such
  as HTTP and TCP/IP transport-level protocol.
• Thus, may be used for other application-level
  protocols such as FTP and NNTP.

81
20
Secure-HTTP (S-HTTP)

• Protocol for securely transmitting individual
  messages over Web.
• Both SSL and S-HTTP use techniques such as
  encryption, and digital signatures, and
• Allow browsers and servers to authenticate each
  other.
• Allow controlled access to Web site.
• Ensure data exchanged between browser and server
  is secure and reliable.

Secure Electronic Transactions

• Open, interoperable standard for processing
  credit card transactions over Internet, in simple
  and secure way.
• Transaction is split in such a way that merchant
  has access to information about
• what is being purchased,
• how much it costs,
• whether payment is approved,
• but no information on what payment method
  customer is using.

83
21
Secure Transaction Technology (SST)

• Protocol designed to handle secure bank payments
  over Internet.
• Uses DES encryption of information, RSA
  encryption of bankcard information, and strong
  authentication of all parties involved in
  transaction.

Java Security

• Sandbox ensures untrusted application cannot gain
  access to system resources.
• Involves three components
• class loader,
• bytecode verifier,
• security manager.
• Safety features provided by language and JVM, and
  enforced by compiler and runtime system.
• Security is a policy built on top of safety layer.

87
22
ActiveX Security

• ActiveX security model places no restrictions on
  what a control can do.
• Instead, each ActiveX control can be digitally
  signed by its author using system called
  Authenticode.
• Digital signatures are then certified by CA.
• This security model places responsibility for the
  computers security on the user.

HTTP/1.1

• Number of new features added. Look at two
• Persistent connections become default behavior.
  While open, client can send synchronous or
  asynchronous messages, and server can respond to
  them in order.
• Digest authentication provided as replacement for
  basic authentication. Password remains secret
  between client and server. Client and server
  compute digest value using the MD5 and digest is
  sent across network.

93
23
XML (eXtensible Markup Language)

• XML is new standard that could preserve general
  application independence that makes HTML portable
  and powerful.
• Pared-down version of SGML, designed especially
  for Web documents.
• Designers can create their own customized tags to
  provide functionality not available with HTML.
• SGML allows document to be logically separated
  into two
• Document Type Definition (DTD)
• other containing the text itself.
• Useful features include
• Database Schema Definition.
• Linking to relative objects or elements.
• Support for bi-directional links.
• Simplicity may be lost with move to XML.

95