<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head profile="http://internetalchemy.org/2003/02/profile"> <link rel="foaf" type="application/rdf+xml" title="FOAF" href="http://www.openlinksw.com/dataspace/uda/about.rdf" /> <link rel="schema.dc" href="http://purl.org/dc/elements/1.1/" /> <meta name="dc.title" content="17. Internet Services" /> <meta name="dc.subject" content="17. Internet Services" /> <meta name="dc.creator" content="OpenLink Software Documentation Team ; " /> <meta name="dc.copyright" content="OpenLink Software, 1999 - 2009" /> <link rel="top" href="index.html" title="OpenLink Virtuoso Universal Server: Documentation" /> <link rel="search" href="/doc/adv_search.vspx" title="Search OpenLink Virtuoso Universal Server: Documentation" /> <link rel="parent" href="internetservices.html" title="Chapter Contents" /> <link rel="prev" href="ftpservices.html" title="FTP Services" /> <link rel="next" href="ldap.html" title="LDAP" /> <link rel="shortcut icon" href="../images/misc/favicon.ico" type="image/x-icon" /> <link rel="stylesheet" type="text/css" href="doc.css" /> <link rel="stylesheet" type="text/css" href="/doc/translation.css" /> <title>17. Internet Services</title> <meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8" /> <meta name="author" content="OpenLink Software Documentation Team ; " /> <meta name="copyright" content="OpenLink Software, 1999 - 2009" /> <meta name="keywords" content="" /> <meta name="GENERATOR" content="OpenLink XSLT Team" /> </head> <body> <div id="header"> <a name="vspguide" /> <img src="../images/misc/logo.jpg" alt="" /> <h1>17. Internet Services</h1> </div> <div id="navbartop"> <div> <a class="link" href="internetservices.html">Chapter Contents</a> | <a class="link" href="ftpservices.html" title="FTP Services">Prev</a> | <a class="link" href="ldap.html" title="LDAP">Next</a> </div> </div> <div id="currenttoc"> <form method="post" action="/doc/adv_search.vspx"> <div class="search">Keyword Search: <br /> <input type="text" name="q" /> <input type="submit" name="go" value="Go" /> </div> </form> <div> <a href="http://www.openlinksw.com/">www.openlinksw.com</a> </div> <div> <a href="http://docs.openlinksw.com/">docs.openlinksw.com</a> </div> <br /> <div> <a href="index.html">Book Home</a> </div> <br /> <div> <a href="contents.html">Contents</a> </div> <div> <a href="preface.html">Preface</a> </div> <br /> <div class="selected"> <a href="internetservices.html">Internet Services</a> </div> <br /> <div> <a href="webdavserver.html">WebDAV Server</a> </div> <div> <a href="uriqa.html">URIQA Semantic Web Enabler</a> </div> <div> <a href="maildelivstore.html">Mail Delivery & Storage</a> </div> <div> <a href="nntpnewsgroups.html">NNTP Newsgroups</a> </div> <div> <a href="mime.html">MIME & Internet Messages</a> </div> <div> <a href="ftpservices.html">FTP Services</a> </div> <div class="selected"> <a href="vspguide.html">VSP Guide</a> <div> <a href="#vspintro" title="Introduction">Introduction</a> <a href="#htmlusage" title="Simple HTML FORM usage">Simple HTML FORM usage</a> <a href="#dbinteraction" title="Interacting with the Database">Interacting with the Database</a> <a href="#vspforumsapp" title="The Forums Application">The Forums Application</a> <a href="#corsshare" title="Setting up server-side Cross-Origin Resource Sharing (CORS) with Virtuoso">Setting up server-side Cross-Origin Resource Sharing (CORS) with Virtuoso</a> </div> </div> <div> <a href="ldap.html">LDAP</a> </div> <br /> </div> <div id="text"> <a name="vspguide" /> <h2>17.7. VSP Guide</h2> <a name="vspintro" /> <h3>17.7.1. Introduction</h3> <p> Virtuoso Server Pages are the equivalent of a stored procedure in a Web page that is compiled when it is first read by the Virtuoso server. Virtuoso detects when the '.vsp' file is modified and recompiles the procedure. Since VSP is essentially Virtuoso PL in a Web page you can do anything that PL can, either directly or from interaction with the user. VSP gives you the advantage of not having to worry about making connections to the database. You also avoid the overhead of RPCs because the HTTP server is built into Virtuoso. When you write a VSP page the connection is automatic since you are already in Virtuoso. </p> <p> VSP is server script and is therefore executed in the server as it is encountered on the page. For this reason client (JavaScript) and server script cannot directly interact but can supplement each other. You can call JavaScript inside a VSP loop, for example, to manipulate something that already exists on the page but you cannot pass variables by reference from VSP directly to JavaScript or vice versa. </p> <p> Page flow control can be managed using FORMs. The state of the page is defined in form fields such as INPUT boxes and TEXTAREA boxes and then passed to the next form or page using POST. </p> <br /> <a name="htmlusage" /> <h3>17.7.2. Simple HTML FORM usage</h3> <p> We start with a small example that shows the source of a page including a FORM with data from the user being sent when a submit button is pressed. We then examine the elements and attributes of this simple form that are important to us at this stage. </p> <a name="basicform" /> <h4>17.7.2.1. Basic Forms</h4> <a name="" /> <div class="example"> <div class="exampletitle">Simple Forms</div> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>Simple FORM demo</TITLE> </HEAD> <BODY> <FORM METHOD="POST" ACTION="formdemo_receiver.vsp"> <P>Test form, type some info and click Submit</P> <INPUT TYPE="TEXT" NAME="myInput" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Submit" /> </FORM> </BODY> </HTML> </pre> </div> </div> <p> The METHOD attribute of a FORM TAG in a VSP page can be either GET or POST. The GET method allows the form submission to be contained completely in a URL; this can be advantageous because it permits bookmarking in browsers, but it also prevents form data from containing non ASCII characters such as accented letters and special symbols and restricts the amount of form data that can be handled. The GET method is l mited by the maximum length of the URL that the server and browser can process. To be safe, any form whose input might contain non-ASCII characters or more than 100 characters should use METHOD="POST". </p> <p> With the POST method, the form input is submitted as an HTTP POST request with the form data sent in the body of the request. Most current browsers are unable to bookmark POST requests, but POST does not entail the character encoding and length restrictions imposed by GET. </p> <p> The ACTION attribute of FORM specifies the URI of the form handler. This will usually be another web page that performs some action based on the data that is sent from the originating form. The URI could point to the same page as the data originated and for pages that perform a well-defined small set of functions it usually does. When a page needs to manage multiple states there needs to be some flow control that can determine how the page was reached; for example, to differentiate whether it arrived at as a result of someone clicking on the submit button or it is the first time the page has been visited. </p> <br /> <a name="formvalues" /> <h4>17.7.2.2. Exchanging Values in Forms</h4> <p> Now we add some VSP to check the values of the parameters in the form. VSP markup is typically contained in <?vsp ... ?> blocks. </p> <a name="" /> <div class="example"> <div class="exampletitle">Forms and Values</div> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>Simple FORM demo</TITLE> </HEAD> <BODY> <P>Last value sent: <?vsp http(get_keyword('myInput', params, 'no value')); ?> </P> <FORM METHOD="POST" ACTION="formdemo.vsp"> <P>Test form, type some info and click Submit</P> <INPUT TYPE="TEXT" NAME="myInput" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Submit" /> </FORM> </BODY> </HTML> </pre> </div> </div> <p> This is the same example as above but now it uses the same page for the form handler and displays the parameters each time. Clicking the Submit button takes you to the same page and displays whatever you typed in the field last time. </p> <p> The VSP block uses two nested functions. The <span class="computeroutput">http()</span> function allows you to send data to the HTTP client, the browser. What we send to the browser is the result of the <span class="computeroutput">get_keyword()</span> function, which has three parameters: <span class="computeroutput">search_for</span>, <span class="computeroutput">source_array</span>, and <span class="computeroutput">default_val</span>. It searches for the keyword-value pair (keyword=value) where the keyword matches the <span class="computeroutput">search_for</span> parameter (in this case 'myInput') in the array passed in the <span class="computeroutput">source_array</span> parameter. It returns the value if one is found; otherwise returns the <span class="computeroutput">default_val</span> parameter in the function, in this case 'no value'. The<span class="computeroutput"> params</span> argument is a special array that contains all page parameters from the previous FORM state. </p> <br /> <a name="formandvspconditions" /> <h4>17.7.2.3. Conditional Processing</h4> <p> Now we extend this further to add some conditional control so that if a value was entered we can respond directly to it. We will also use a variable this time, which must be declared first. </p> <a name="" /> <div class="example"> <div class="exampletitle">Conditional Processing Using IF</div> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>Simple FORM demo</TITLE> </HEAD> <BODY> <?vsp declare _myInput varchar; _myInput := get_keyword('myInput', params, ''); if (_myInput <> '') { http('<P>Hello, '); http(_myInput); http('</P>'); } else { http('<P>Please enter your name</P>'); } ?> <FORM METHOD="POST" ACTION="formdemo.vsp"> <INPUT TYPE="TEXT" NAME="myInput" VALUE="" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Submit" /> </FORM> </BODY> </HTML> </pre> </div> </div> <br /> <a name="vsppgctrl" /> <h4>17.7.2.4. Further Page Control</h4> <p> We now extend this to control the whole content of the page. In this example we see that VSP and HTML can be interleaved. </p> <a name="" /> <div class="example"> <div class="exampletitle">Page Control</div> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>Simple FORM demo</TITLE> </HEAD> <BODY> <?vsp declare _myInput varchar; declare Mode varchar; _myInput := get_keyword('myInput', params, ''); Mode := get_keyword('submit', params, ''); if (Mode = 'Submit') { ?> <P>Hello, <?vsp http(_myInput); ?> </P> <FORM METHOD="POST" ACTION="demo4.vsp"> <INPUT TYPE="HIDDEN" NAME="myInput" VALUE="" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Again" /> </FORM> <?vsp } else { ?> <P>Please enter you name</P> <FORM METHOD="POST" ACTION="demo4.vsp"> <INPUT TYPE="TEXT" NAME="myInput" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Submit" /> </FORM> <?vsp } ?> </BODY> </HTML> </pre> </div> </div> <p>We start by setting the mode based on whether the Submit button has been pressed. When the mode has changed a different version of the page is sent to the browser. In the new version, the Again button the appears, to return you to the previous state when pressed.</p> <br /> <a name="params" /> <h4>17.7.2.5. Communicating Parameters Between Pages</h4> <p>Now we will use two pages to do the same job as in the demo above.</p> <a name="" /> <div class="example"> <div class="exampletitle">Using more than one page</div> <p>Page 1</p> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>Multi Page Demo</TITLE> </HEAD> <BODY> <P>Please enter you name</P> <FORM METHOD="POST" ACTION="demo5_2.vsp"> <INPUT TYPE="TEXT" NAME="myInput" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Submit" /> </FORM> </BODY> </HTML> </pre> </div> <p>Page 2</p> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>Multi Page Demo</TITLE> </HEAD> <BODY> <P>The value you entered was: <?vsp http(get_keyword('submit', params, 'no data')); ?> </P> <FORM METHOD="POST" ACTION="demo5_1.vsp"> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Back" /> </FORM> </BODY> </HTML> </pre> </div> </div> <br /> <a name="formsandjs" /> <h4>17.7.2.6. Using JavaScript to Control Forms</h4> <p>JavaScript is a programming language that can be used in the browser and is useful for client-side programming. It is useful to be able to do some work on the client machine before making another round trip to the server for more processing. JavaScript is also useful for making things more appealing to the Web page viewer. </p> <p>JavaScript can be made to respond to events within the browser such as when the mouse is moved over a link, a graphic or a button or when the mouse is clicked on some part of the page. This can be achieved by using event handlers within the HTML tags and placing JavaScript code in their content. Common event handlers are <strong>onMouseOver</strong>, <strong>onMouseClick</strong>, <strong>onMouseOut</strong>, <strong>onChange</strong>, and the like.</p> <p>A simple but useful example of this would be to simplify one of the previous examples by placing a handler on the text box so that you do not have to press the submit button to send the form to the server:</p> <div> <pre class="programlisting"> <FORM METHOD="POST" ACTION="demo5_2.vsp" NAME="demo5_2"> <INPUT TYPE="TEXT" NAME="myInput" onChange="document.demo5_2.submit()" /> <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Submit" /> </FORM> </pre> </div> <br /> <br /> <a name="dbinteraction" /> <h3>17.7.3. Interacting with the Database</h3> <p>This section describes manipulating data within Virtuoso from VSP. Unless the required tables already exist, new ones will need to be created. This example will involve a simple table of people and a series of pages for adding, editing, viewing, and deleting its entries.</p> <a name="basiccreatetable" /> <h4>17.7.3.1. Creating a Table</h4> <p>Tables should be created so that their entries can be uniquely identified. This is very important so that if we need to edit or delete one particular entry we can distinguish it from other entries. A <strong>primary key</strong> is how a database enforces unique rows, by refusing to allow duplicate data to be inserted. It is up to the user to choose a column in the table to act as a primary key. Sometimes one or more of the columns of data are naturally unique either singularly or in composite; other times it is necessary to add a column to contain unique codes for each row.</p> <div class="tip"> <div class="tiptitle">See Also:</div> <p> <a href="CREATETABLE.html#pkeycons">Primary Keys</a> </p> </div> <p>Here is the definition of the simple table that will be used:</p> <div> <pre class="programlisting"> CREATE TABLE DB.DBA.DEMO_PEOPLE ( EMAIL VARCHAR(255) PRIMARY KEY, FORENAME VARCHAR(100), SURNAME VARCHAR(100) ); </pre> </div> <p>The email address has been selected as a primary key.</p> <br /> <a name="insertingvalues" /> <h4>17.7.3.2. Basic Form Input Page</h4> <p>After the table has been created; for example via Virtuoso's iSQL utility; it will need some data. For this we create a "New Person" page. This page uses form inputs and some VSP code to determine whether an insert button was pressed. If the insert button is pressed then the page takes submitted values from the POST and uses them to construct an SQL statement that inserts a new row into the table. This is demonstrated below:</p> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>New Person Page</TITLE> </HEAD> <BODY> <?vsp declare _email, _forename, _surname varchar; _email := get_keyword('email', params, ''); _forename := get_keyword('forename', params, ''); _surname := get_keyword('surname', params, ''); -- insert new person if we came from the insert button if ('' <> get_keyword('ins_button', params, '')) { INSERT INTO DB.DBA.DEMO_PEOPLE(EMAIL, FORENAME, SURNAME) VALUES(_email, _forename, _surname); } ?> <P>Please enter the details of new person:</P> <FORM METHOD="POST" ACTION="demo_people_add.vsp"> <TABLE> <TR><TH>Email:</TH><TD><INPUT TYPE="TEXT" NAME="email" /></TD></TR> <TR><TH>Forename:</TH><TD><INPUT TYPE="TEXT" NAME="forename" /></TD></TR> <TR><TH>Surname:</TH><TD><INPUT TYPE="TEXT" NAME="surname" /></TD></TR> </TABLE> <INPUT TYPE="SUBMIT" NAME="ins_button" VALUE="Insert" /> </FORM> </BODY> </HTML> </pre> </div> <p>The underscores were added to this example to keep the param variables and page variables visibly distinguishable.</p> <br /> <a name="retrtabvals" /> <h4>17.7.3.3. Displaying Table Data in a VSP Page</h4> <p>Now that some data exists in the table we need a way to display it. The FOR ... DO construct is used to construct the insides of an HTML table:</p> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>The People Page</TITLE> </HEAD> <BODY> <P>The Peoples' Details</P> <TABLE> <TR><TH>Email</TH><TH>Forename</TH><TH>Surname</TH></TR> <?vsp FOR (SELECT EMAIL, FORENAME, SURNAME FROM DB.DBA.DEMO_PEOPLE) DO { ?> <TR><TD><?=EMAIL?></TD><TD><?=FORENAME?></TD><TD><?=SURNAME?></TD></TR> <?vsp } ?> </TABLE> </BODY> </HTML> </pre> </div> <br /> <a name="deletevals" /> <h4>17.7.3.4. Simple Form Delete Page</h4> <p>The page above can easily be extended to allow deletion. For each row an 'action' link is added. The action Remove link hardwires a form GET on the URL. This is then intercepted by the IF condition looking for the <span class="computeroutput">remove</span> parameter. </p> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>The People Page With Deletion</TITLE> </HEAD> <BODY> <?vsp declare deleteme varchar; deleteme := get_keyword('remove', params, ''); if ('' <> deleteme) DELETE FROM DB.DBA.DEMO_PEOPLE WHERE EMAIL = deleteme; ?> <FORM METHOD="POST" ACTION="demo_people_view2.vsp"> <P>The Peoples' Details</P> <TABLE> <TR><TH>Email</TH><TH>Forename</TH><TH>Surname</TH> <TH>Action</TH></TR> <?vsp FOR (SELECT EMAIL, FORENAME, SURNAME FROM DB.DBA.DEMO_PEOPLE) DO { ?> <TR><TD><?=EMAIL?></TD><TD><?=FORENAME?></TD><TD><?=SURNAME?></TD> <TD><A HREF="?remove=<?=EMAIL?>">Remove</A></TD></TR> <?vsp } ?> </TABLE> </FORM> </BODY> </HTML> </pre> </div> <br /> <a name="editvals" /> <h4>17.7.3.5. Simple Form Edit Page</h4> <p>The last step is to have a way to edit rows of the table. To do this, we combine everything that we have so far and use the SQL UPDATE statement to update the row. The EMAIL column is not made updateable since this is the primary key. </p> <div> <pre class="programlisting"> <HTML> <HEAD> <TITLE>The People Page With Deletion</TITLE> </HEAD> <BODY> <FORM METHOD="POST" ACTION="demo_people_view3.vsp"> <?vsp declare deleteme, editme, edt_email, edt_forename, edt_surname, save_email, save_forename, save_surname varchar; deleteme := get_keyword('remove', params, ''); if ('' <> deleteme) DELETE FROM DB.DBA.DEMO_PEOPLE WHERE EMAIL = deleteme; if ('' <> get_keyword('save_button', params, '')) { save_email := get_keyword('email', params, ''); save_forename := get_keyword('forename', params, ''); save_surname := get_keyword('surname', params, ''); update DB.DBA.DEMO_PEOPLE SET FORENAME = save_forename, SURNAME=save_surname WHERE EMAIL = save_email ; } editme := get_keyword('edit', params, ''); if ('' <> editme) { SELECT EMAIL, FORENAME, SURNAME INTO edt_email, edt_forename, edt_surname FROM DB.DBA.DEMO_PEOPLE WHERE EMAIL = editme; ?> <TABLE> <TR><TH>Email:</TH><TD><INPUT DISABLED TYPE="TEXT" NAME="email" VALUE="<?=edt_email?>" /></TD></TR> <TR><TH>Forename:</TH><TD><INPUT TYPE="TEXT" NAME="forename" VALUE="<?=edt_forename?>" /></TD></TR> <TR><TH>Surname:</TH><TD><INPUT TYPE="TEXT" NAME="surname" VALUE="<?=edt_surname?>" /></TD></TR> </TABLE> <INPUT TYPE="SUBMIT" NAME="save_button" VALUE="Save" /> <?vsp } ?> <P>The Peoples' Details</P> <TABLE> <TR><TH>Email</TH><TH>Forename</TH><TH>Surname</TH> <TH>Action</TH></TR> <?vsp FOR (SELECT EMAIL, FORENAME, SURNAME FROM DB.DBA.DEMO_PEOPLE) DO { ?> <TR><TD><?=EMAIL?></TD><TD><?=FORENAME?></TD><TD><?=SURNAME?></TD> <TD><A HREF="?remove=<?=EMAIL?>">Remove</A> <A HREF="?edit=<?=EMAIL?>">Edit</A></TD></TR> <?vsp } ?> </TABLE> </FORM> </BODY> </HTML> </pre> </div> <br /> <br /> <a name="vspforumsapp" /> <h3>17.7.4. The Forums Application</h3> <p> The "Forums" Application is a World Wide Web Application for posting, reading and searching of messages developed under the Virtuoso VDBMS with a wide usage of Virtuoso Server Pages (VSP) and server-side XSL-T transformation. </p> <p> Messages in the forums are classified to forums and sub-forums by interest. Posting is only allowed for registered users. Registration is performed via a registration form. Every registered user can create new a theme, post new messages to an existing theme or reply to an existing message. Unregistered users can only search, browse, and read existing themes and messages. </p> <a name="forumsprinciples" /> <h4>17.7.4.1. Principles</h4> <p> The application is based on VSPs, XML and XSLT transformations. The VSPs are used to produce XML documents that are transformed to HTML using server side XSLT. The design and appearance of the application depends solely on XSLT style sheets. This allows us to divide the development into two distinct parts: layout and design, and functionality of the application. </p> <p> Session management is based on URL manipulation and persistent HTTP session variables. The messages are stored in Database as XML documents with a free-text index applied over them. </p> <br /> <a name="forumsnav" /> <h4>17.7.4.2. Navigation</h4> <p> The application consists of four main pages: </p> <ol> <li> <p> <strong>home.vsp</strong> - the main page introduces the forums with the following information:</p> <ul> <li>Forums: name of each forum with link to the relevant sub-forums.</li> <li>Total: total number of messages for this forum.</li> <li>New: new messages for this forum within the last day.</li> <li>Last: number of the last message inserted in the forum.</li> <li>Total users: count of registered users.</li> <li>Options: login if the user is already registered in the forums.</li> <li>Registration: add a new user.</li> <li>Search: search in the messages.</li> </ul> </li> <li> <p> <strong>subforums.vsp</strong> - sub-forums of the current forum with the following information:</p> <ul> <li>Subforum: name of each sub-forum with links to relevant themes.</li> <li>Total: total number of messages for this forum.</li> <li>New: new messages for this forum within the last day.</li> <li>Last: number of the last message inserted in the forum.</li> <li>Options: login if the user is already registered in the forums.</li> <li>Registration: add a new user</li> <li>Search: search in the messages.</li> <li>Forums path: links to the home page and to the forum to which the current sub-forums belong.</li> </ul> </li> <li> <p> <strong>forum.vsp</strong> - themes of the current sub-forum with the following information:</p> <ul> <li>Theme: name of each theme with links to its messages.</li> <li>Total: total number of messages for this theme.</li> <li>New: new messages for this theme within the last day.</li> <li>Last: number of the last message inserted in the theme.</li> <li>Options: login if the user is already registered in the forums.</li> <li>Registration: add a new user.</li> <li>Search: search in the messages.</li> <li>Forums path: links to the home page, to the forum and to the sub-forum to which the current themes belong.</li> </ul> </li> <li> <p> <strong>thread.vsp</strong> - messages of the current theme with the following information:</p> <ul> <li>Message: name of each message with a link to its properties. When the link is activated the same page is presented, but with the tree of messages for which the current message is the parent.</li> <li>Author: the name of the author of the current message.</li> <li>Date: posting date of the message.</li> <li>Options: login if the user is already registered in the forums.</li> <li>Registration: add a new user.</li> <li>Search: search in the messages.</li> <li>Forums path: links to the home page, to the forum and to the sub-forum to which the current message belongs. Also for the current message, the parent message's name is presented. As users move lower in the tree, they can go back using this path.</li> </ul> </li> </ol> <br /> <a name="forumsremarks" /> <h4>17.7.4.3. Remarks</h4> <p> The basic principles of the application's implementation are: </p> <ul> <li>The result of a VSP execution is a well-formed XML document.</li> <li>Use the Virtuoso server to do server-side XSLT transformations with appropriate style sheets whenever needed.</li> <li>Use URL manipulations for session management.</li> <li>Use post-processing functions to provide commonly used parameters (such as user ID) as session variables.</li> </ul> <p> If users are not logged in they can access all pages of the site, but if they want to insert a new theme or create a new message, they have to log in. When users attempt to create or insert, they will be prompted with the login page. When they log in, the forums application will take them directly to the form for inserting messages or themes. If users are not logged in, the name 'anonymous' is displayed, instead of the e-mail address that would be displayed if they were logged in. </p> <br /> <a name="forumssrchpg" /> <h4>17.7.4.4. The Search Page</h4> <p>Users can search in three ways:</p> <ul> <li>Theme title: titles of message that are titles of themes.</li> <li>Message title: titles of message that have the current theme as parent.</li> <li>Message body: bodies of messages that have different themes as parents.</li> </ul> <p>Search results contain information about how many hits were found, and for each hit the following:</p> <ul> <li>Message title: the title of the current message. When you search in message bodies, the message titles are displayed.</li> <li>Time: date the message or theme was inserted.</li> <li>Author: author of the message or theme.</li> </ul> <p> The search page provides the interface for searching contents of forums including messages and titles.</p> <div> <pre class="programlisting"> <?vsp declare id, acount, aresults integer; declare aquery, awhat, askiped, search_res, sid, uid, url, usr varchar; -- > at this point we instruct server to do server-side XSLT transformation -- > over resultant document -- > The transformation will be done before sending the document to the user-agent -- > and after page execution is done. -- > To provide flexible file location we use a registry setting for XSLT -- > style sheets http_xslt(sprintf ('file:%s/search.xsl', registry_get ('app_forums_xslt_location'))); -- > because the application does URL poisoning for session management -- > we must retrieve the request parameters: -- > the session ID sid := get_keyword('sid', params, '0'); -- > the query text aquery := get_keyword('q',params,''); -- > the query locator (for what we searching) awhat := get_keyword('wh',params,'t'); -- > how many records to skip askiped := atoi (get_keyword('sk',params,'0')); -- > how many results to return aresults := atoi (get_keyword('rs',params,'10')); -- > hits count acount := atoi (get_keyword('c',params,'0')); url := 'thread.vsp'; -- > also we get the user ID from the session variables uid := connection_get ('pid'); usr := connection_get ('usr'); -- > now we are ready and call the stored procedure that returns the result from search search_res := FORI_SEARCH_RES (aquery, awhat, askiped, aresults, acount); ?> <!-- now we produce the result as well-formed XML document --> <?xml version="1.0"?> <page> <sid><?=sid?></sid> <usr><?=usr?></usr> <url><?=url?></url> <nav_2><?vsp http(FORI_SEARCH_FORM (sid, aquery, awhat, askiped, aresults, acount)); ?></nav_2> <css_1/> <squery><?=aquery?></squery> <swhat><?=awhat?></swhat> <sskiped><?=askiped?></sskiped> <sresults><?=aresults?></sresults> <scount><?=acount?></scount> <?vsp http (search_res); ?> <?vsp http (FORI_SEARCH_NAVIGATION ( sprintf('search.vsp?q=%s&wh=%s&rs=%d&c=%d&sid=%s&', aquery, awhat, aresults, acount, sid), acount, askiped, aresults)); ?> </page> </pre> </div> <br /> <a name="forumssrchdesc" /> <h4>17.7.4.5. Search Page Analysis</h4> <p> First we declare the variables used inside the page. In VSP, variables can be defined at any time, but it is generally good practice is to declare them near the top. </p> <p> We call <span class="computeroutput">http_xslt()</span> with a file URL parameter. This instructs the Virtuoso server to do XSLT transformation on the server side before sending output to the client, and after execution of the page. Hence we will produce an XML document. </p> <p> After this we need to get the input parameters session_id, query text, how many records to skip, and how many records to display. We do this by calling <span class="computeroutput">get_keyword()</span> and passing it the 'params' array. Every VSP page has <span class="computeroutput">params</span>, <span class="computeroutput">path</span>, and <span class="computeroutput">lines</span> as input parameters. For each call we supply a default value in case the variable has not been used. For some of the parameters we need an integer, but varchars are always returned, so we use <span class="computeroutput">atoi()</span> on the result to convert it to an integer. </p> <p> Next we retrieve the persistent variables <span class="computeroutput">user id</span> and <span class="computeroutput">user name</span>. We do this by calling <span class="computeroutput">connection_get()</span> with the session variable name. </p> <p> After this preparation, we are ready to perform the searching by calling the PL stored procedure <span class="computeroutput">FORI_SEARCH_RES()</span>. This procedure returns the XML entities that contain the results from the search. </p> <p> Once we have results, we want to produce the XML document that will be used in the XSLT transformation. We do this part of the work using the shortcuts to the <span class="computeroutput">http_value()</span> function: '<?= ?>' pairs, and also in some places '<?vsp ?>' to call the <span class="computeroutput">FORI_SEARCH_FORM()</span> and <span class="computeroutput">FORI_SEARCH_NAVIGATION()</span> procedures and output their results. </p> <p> The main benefits to this approach are: </p> <ul> <li>design independency of VSP content: if we need a different design we only need to change the XSLT style sheet;</li> <li>different style sheets can represent different themes. If we pass an additional 'theme' parameter, for example, we can associate a new theme with a different style sheet. This way we have a fast approach to customizing the look of the page; </li> <li>browser independence: because we do server-side XSLT transformation we do not need the browser to support XSLT or XML at all.</li> </ul> <p> If we comment out the line that instructs Virtuoso to perform the XSLT transformation (<span class="computeroutput">http_xslt()</span>) we will get the following document: </p> <div> <pre class="programlisting"> <?xml version="1.0"?> <page> <sid>0</sid> <usr>anonymous</usr> <url>thread.vsp</url> <nav_2><search_form> <hidden> <hidden_input type="hidden" name="sid" value="0" /> <hidden_input type="hidden" name="sk" value="0" /> <hidden_input type="hidden" name="rs" value="10" /> <hidden_input type="hidden" name="c" value="0" /> </hidden> <select name="wh"> <option value="t" selected="1">theme title</option> <option value="mt">message title</option> <option value="mb">message body</option> </select> </search_form> </nav_2> <css_1/> <squery></squery> <swhat>t</swhat> <sskiped>0</sskiped> <sresults>10</sresults> <scount>0</scount> <search_result> <no_hits/> </search_result> <navigation pages="0"> </navigation> </page> </pre> </div> <p>If we re-enable the XSLT transformation the user agent will receive the following HTML content: </p> <div> <pre class="programlisting"> <html><head> <style type="text/css"> a:hover{color:#a2a2a2} .id{font-size:12px;font-family:arial,sans-serif;font-weight:bold;color:#004C87} .ie{font-size:12px;font-family:verdana,sans-serif;color:#FFFFFF} .ir{font-size:14px;font-weight:bold;font-family:verdana,sans-serif;color:#FFFFFF} .if{font-size:12px;text-decoration:none;font-family:verdana,sans-serif; font-weight:bold;color:#E1F2FE} .iname{font-size:12px;font-weight:bold;font-family:verdana,sans-serif;color:#FFFFFF} .ipath{font-size:12px;text-decoration:none;font-weight:bold; font-family:verdana,sans-serif;color:#004C87} .inew {font-size:12px;text-decoration:none;font-weight:bold; font-family:verdana,sans-serif;color:#FFC600} .text {font-size:12px;text-decoration:none;font-family:Arial,sans-serif;color:#004C87} </style> </head> <body> <TABLE WIDTH="100%" BGCOLOR="#004C87" CELLPADDING="0" CELLSPACING="0" BORDER="0"> <TR> <form action="search.vsp" method="post"> <TD WIDTH="20%" VALIGN="top"> <IMG SRC="i/logo_n.gif" HEIGHT="49" WIDTH="197" BORDER="0"></TD> <TD WIDTH="40%" ALIGN="center"> <input type="text" name="q" size="36" value=""></TD> <TD WIDTH="25%" ALIGN="center"> <select name="wh"> <option value="t" selected>theme title</option> <option value="mt">message title</option> <option value="mb">message body</option> </select> <input type="hidden" name="sid" value="0"> <input type="hidden" name="sk" value="0"> <input type="hidden" name="rs" value="10"> <input type="hidden" name="c" value="0"> </TD> <TD WIDTH="15%"> <input type="image" name="search" src="i/search.gif" border="0"></TD> </form> </TR> </TABLE> <TABLE WIDTH="100%" BGCOLOR="#02A5E4" CELLPADDING="0" CELLSPACING="0" BORDER="0"> <TR> <TD> <IMG SRC="i/str.gif" HEIGHT="12" WIDTH="35"> <a class="id" href="home.vsp?sid=0">Home</a> </TD> <TD HEIGHT="22" class="iname" ALIGN="right">anonymous </TD> </TR> </TABLE> <TABLE BGCOLOR="#E1F2FE" ALIGN="center" WIDTH="100%" CELLPADDING="0" CELLSPACING="0" BORDER="0"> <TR> <TD COLSPAN="3"> <IMG SRC="i/c.gif" HEIGHT="12" WIDTH="1"> </TD> </TR> <TR> <TR BGCOLOR="#0073CC"> <TD WIDTH="60%" HEIGHT="24" class="ie"> message title</TD> <TD WIDTH="20%" class="ie">time</TD> <TD WIDTH="20%" class="ie">author</TD> </TR> <TR> <TD COLSPAN="3"> <IMG SRC="i/c.gif" HEIGHT="2" WIDTH="1"> </TD> </TR> <TR> <TD align="left" class="id" COLSPAN="3">No hits found</TD> </TR> <TR> <TD HEIGHT="18" colspan="3" BGCOLOR="#0073CC" class="id"> </TD> </TR> </TR> <TR> <TD COLSPAN="3"> <IMG SRC="i/c.gif" HEIGHT="2" WIDTH="1"> </TD> </TR> <TR> <TD COLSPAN="3" BGCOLOR="#0073CC"> <IMG SRC="i/c.gif" HEIGHT="1" WIDTH="1"> </TD> </TR> </TABLE> </body> </html> </pre> </div> <p>The page sources are available in the default distribution under the samples directory.</p> <div class="tip"> <div class="tiptitle">See Also:</div> <p> For more information about the functions used see: <a href="fn_http_xslt.html">http_xslt()</a>, <a href="fn_http.html">http()</a>, <a href="fn_http_value.html">http_value()</a>. </p> <p>For more information about VSP in general go the <a href="vsp1.html">VSP Section</a>.</p> </div> <br /> <br /> <a name="corsshare" /> <h3>17.7.5. Setting up server-side Cross-Origin Resource Sharing (CORS) with Virtuoso</h3> <p>User agents (e.g., Web browsers) have traditionally restricted scripts within web pages by a Same Origin Policy, which allowed scripts to make requests only to resources within the same domain from which the scripts themselves originated. This restriction is meant to protect the user and their computer from "Trojan horse websites" which may appear to be safe, but which then make unsafe HTTP requests to other, invisible sites. This restriction also protects the second website from potential "Denial of Service" and other attacks, whether accidental or intentional.</p> <p>This policy has the unfortunate side-effect of also preventing client-side Web applications served from one website ("Origin") from retrieving data from another website ("Origin").</p> <p> <a href="http://www.w3.org/TR/cors/">Cross-Origin Resource Sharing (CORS)</a> is a mechanism intended to enable safer client-side cross-origin requests, primarily focused on data.</p> <a name="corssharewk" /> <h4>17.7.5.1. How does CORS work?</h4> <p>Authentication and session-management information methods are extended in several ways:</p> <ul> <li>Enforcement by User Agent <ul> <li>A server providing a resource can include an <strong>Access-Control-Allow-Origin</strong> HTTP response header, with a value of the request's triggering script's site of origin (that is, the site which provided the script which made the request for the resource), to indicate whether access to the resource's contents may be allowed. The user agent validates that the value in this header matches the actual origin of the script which made the request. </li> <li>User agents can use a "pre-flight request" to discover whether a cross-origin resource is prepared to accept requests from a given script origin, using a complex method (which we will not detail here). Again, the response is validated by the user agent. </li> </ul> </li> <li>Enforcement by Server-side Application <ul> <li>Server-side applications can refer to the <strong>Origin</strong> HTTP request header to discover whether the user agent deemed it a cross-origin request. Here, the server-side application enforces limitations (e.g., returning nothing, partial results, or full results) on the cross-origin requests that they are willing to service at all. </li> </ul> </li> </ul> <br /> <a name="corssharesetup" /> <h4>17.7.5.2. CORS Setup for Virtuoso servers</h4> <p>With Virtuoso 6 and later (specific earliest versions as noted below), CORS support may be configured at the server-level or enabled through application logic (scripting, PL, etc.).</p> <p>When working with older versions of Virtuoso, CORS support cannot be configured at the server-level, but it may be enabled within application logic (scripting, PL, etc.).</p> <a name="corssharesetupapplv" /> <h5>17.7.5.2.1. Application-level CORS Setup</h5> <p>Any Virtuoso PL (VSP)-based application can implement CORS checking through well-known HTTP functions <a href="fn_http_request_header.html">http_request_header()</a> and <a href="fn_http_header.html">http_header()</a>. This method will work with any version of Virtuoso. For instance:</p> <div> <pre class="programlisting"> <?vsp IF (http_request_header (lines, 'Origin', NULL) = 'http://host.org') { http_header ('Access-Control-Allow-Origin: http://host.org\r\n'); } ELSE { RETURN; } -- Additional code here --- ?> </pre> </div> <p>Applications running in other hosted environments (Perl, Python, PHP, ASP.NET, etc.) may also use their specific scripting options to add and/or check relevent headers.</p> <br /> <a name="corssharesetupsrvlv" /> <h5>17.7.5.2.2. Server-level CORS Setup</h5> <p>Note: These instance/server-level configuration instructions require <a href="http://edit-wiki.usnet.private/dataspace/dav/wiki/VOS/VOSNews">Virtuoso Open Source (VOS) 6.1.3 or later</a>, or <a href="http://download.openlinksw.com/virtwiz/">Virtuoso Commercial Edition 6.2.3129 or later</a>.</p> <ol> <li>In the Virtuoso Conductor, go to <strong>Web Application Server -> Virtual Directories & Directories</strong>. <table class="figure" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <img alt="Server-side Cross-Origin Resource Sharing (CORS) Example Setup" src="../images/ui/oc1.png" /> </td> </tr> <tr> <td>Figure: 17.7.5.2.2.1. Server-side Cross-Origin Resource Sharing (CORS) Example Setup</td> </tr> </table> </li> <li>Expand the <strong>Interface</strong> store. <table class="figure" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <img alt="Server-side Cross-Origin Resource Sharing (CORS) Example Setup" src="../images/ui/oc2.png" /> </td> </tr> <tr> <td>Figure: 17.7.5.2.2.1. Server-side Cross-Origin Resource Sharing (CORS) Example Setup</td> </tr> </table> </li> <li>Click <strong>New Directory</strong>.</li> <li>Specify the desired <strong>Virtual Directory Type</strong>, or choose an existing virtual directory to use as a template. <table class="figure" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <img alt="Server-side Cross-Origin Resource Sharing (CORS) Example Setup" src="../images/ui/oc3.png" /> </td> </tr> <tr> <td>Figure: 17.7.5.2.2.1. Server-side Cross-Origin Resource Sharing (CORS) Example Setup</td> </tr> </table> </li> <li>Click <strong>Next</strong>.</li> <li>Specify the <strong>Directory Path</strong> value. <table class="figure" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <img alt="Server-side Cross-Origin Resource Sharing (CORS) Example Setup" src="../images/ui/oc4.png" /> </td> </tr> <tr> <td>Figure: 17.7.5.2.2.1. Server-side Cross-Origin Resource Sharing (CORS) Example Setup</td> </tr> </table> </li> <li>Set the <strong>CORS</strong> options. <table class="figure" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <img alt="Server-side Cross-Origin Resource Sharing (CORS) Example Setup" src="../images/ui/oc5.png" /> </td> </tr> <tr> <td>Figure: 17.7.5.2.2.1. Server-side Cross-Origin Resource Sharing (CORS) Example Setup</td> </tr> </table> <ul> <li> <strong>Cross-Origin Resource Sharing</strong>: Contains a single wildcard asterisk, i.e., "<strong>*</strong>", or a space-delimited list of HTTP server URIs, e.g., "<strong>http://example.com:8080 http://blah.example.com http://foo.example.com</strong>". Scripts originating on the listed HTTP servers are authorized to retrieve the specified resource(s); the wildcard means scripts from any HTTP server will be authorized. For this example, enter the following single URI: <div> <pre class="programlisting"> http://demo.openlinksw.com </pre> </div> </li> <li> <strong>Reject Unintended CORs</strong> checkbox: When ticked (and the application does not overwrite headers), unmatched Origins will be rejected by sending an empty response. For this example, tick this box.</li> </ul> </li> <li>Click Save changes.</li> </ol> <br /> <a name="corssharewkspcurlexmp" /> <h5>17.7.5.2.3. Example Usage with cURL</h5> <a name="corssharewkspcurlexmp1" /> <h6>Example 1</h6> <ol> <li>Suppose the example setup above is performed, and http://demo.openlinksw.com/ is in the CORS list.</li> <li>In this case, the request below will return an empty response: <div> <pre class="programlisting"> $ curl -i http://demo.openlinksw.com/mytest/test.vsp HTTP/1.1 200 OK Server: Virtuoso/06.02.3128 (Win32) i686-generic-win-32 VDB Connection: Keep-Alive Content-Type: text/html; charset=ISO-8859-1 Date: Thu, 28 Oct 2010 09:27:54 GMT Accept-Ranges: bytes Content-Length: 0 </pre> </div> </li> </ol> <br /> <a name="corssharewkspcurlexmp2" /> <h6>Example 2</h6> <ol> <li>Suppose the example Setup above is performed, and http://demo.openlinksw.com/ is in the CORS list.</li> <li>Also, suppose the curl command includes a proper Origin value, e.g.: <div> <pre class="programlisting"> -H "Origin: http://demo.openlinksw.com" </pre> </div> </li> <li>In this case, the request below will return a response including the retrieved content, etc. <div> <pre class="programlisting"> $ curl -i -H "Origin: http://demo.openlinksw.com" http://demo.openlinksw.com/mytest/test.vsp HTTP/1.1 200 OK Server: Virtuoso/06.02.3128 (Win32) i686-generic-win-32 VDB Connection: Keep-Alive Content-Type: text/html; charset=ISO-8859-1 Date: Thu, 28 Oct 2010 09:40:21 GMT Access-Control-Allow-Origin: http://demo.openlinksw.com Accept-Ranges: bytes Content-Length: 7 </pre> </div> </li> </ol> <br /> <a name="corssharewkspcurlexmp3" /> <h6>Example 3</h6> <ol> <li>Suppose the Example Setup above is performed, but reject is off (i.e., "Reject Unintended CORs" check-box is not ticked).</li> <li>In this case, the request below will return a response that lacks Access-Control-Allow-Origin: <div> <pre class="programlisting"> $ curl -i http://demo.openlinksw.com/mytest/test.vsp HTTP/1.1 200 OK Server: Virtuoso/06.02.3128 (Win32) i686-generic-win-32 VDB Connection: Keep-Alive Content-Type: text/html; charset=ISO-8859-1 Date: Thu, 28 Oct 2010 09:45:01 GMT Accept-Ranges: bytes Content-Length: 7 </pre> </div> </li> </ol> <br /> <br /> <br /> <div class="tip"> <div class="tiptitle">See Also:</div> <p> <a href="https://wiki.mozilla.org/Security/Origin">Origin header proposal for CSRF and click-jacking mitigation</a> </p> <p> <a href="http://arunranga.com/examples/access-control/">CORS In Action</a> </p> <p> <a href="http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/">Cross-domain Ajax with Cross-Origin Resource Sharing</a> </p> <p> <a href="http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity">Guide to Secure Implementation of Cross Origin Requests in HTML5</a> </p> </div> <br /> <table border="0" width="90%" id="navbarbottom"> <tr> <td align="left" width="33%"> <a href="ftpservices.html" title="FTP Services">Previous</a> <br />FTP Services</td> <td align="center" width="34%"> <a href="internetservices.html">Chapter Contents</a> </td> <td align="right" width="33%"> <a href="ldap.html" title="LDAP">Next</a> <br />LDAP</td> </tr> </table> </div> <div id="footer"> <div>Copyright© 1999 - 2009 OpenLink Software All rights reserved.</div> <div id="validation"> <a href="http://validator.w3.org/check/referer"> <img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!" height="31" width="88" /> </a> <a href="http://jigsaw.w3.org/css-validator/"> <img src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!" height="31" width="88" /> </a> </div> </div> </body> </html>