• 08:49 Since when have web pages been able to have customized "right click" menus? I always thought that was "impossible" but Google maps does it. #
• 15:19 why the hell is my office so much colder than the rest of the building? #
• 16:24 The problem with recycling is that I can be reminded how many cokes I've consumed by a single glance at the bin. I just don't wanna know. #

Automatically shipped by LoudTwitter

The "$" character in Java is not just for the compiler to stick into the class file names of inner classes. No, you can use it in your own class, method, and variable names too. How did I not know this?

package com.jeff_robertson;

public class $Make$Money$Fast {
 
 public static void main(String $ARGV[]) {
  
  String foo$bar = "foobar";
  
  System.out.println(foo$bar);
  
  String $perl = "...";
  
  String BASIC$ = get$money();
  
 }
 
 public static String get$money() {
  return "$1,000,000";
 }

}

• 16:22 I gotta find some more prolific twitterers to follow. Cause ya'lls are some quiet mofos lately. #

Automatically shipped by LoudTwitter

• 10:54 List of bands that I would probably like if I hadn't been avoiding them since 1993 because of "hype aversion", part 1: Wilco #
• 16:31 Hype aversion is an instinctive ego-defense. "If *I've* never heard it, it must suck". Saves you from knowing there's stuff you don't know. #

Automatically shipped by LoudTwitter

• 11:52 Today is the day I make my girls watch Star Wars. #

Automatically shipped by LoudTwitter

• 08:27 Nice boys don't play rock and roll. #
• 08:39 Oh iPod, why didn't they just make you with a standard USB jack? #

Automatically shipped by LoudTwitter

• 09:35 dropped my blackberry on the floor so hard the battery fell out. just realized that the SIM fell out too and wtf knows where it is now #
• 10:33 Doh. Sim never left BB, but was loose so the BB thought it was gone. I realized after sifting thru trash can for it. #

Automatically shipped by LoudTwitter

• 13:06 Somebody actually just asked me to explain something "in lehman's terms". Bizarre typo, new meme poking at Lehman bros, or Freudian slip? #

Automatically shipped by LoudTwitter

I think I may be turning into a RESTafarian. Been playing with Jersey a bit too much.

• 09:27 @WillCockrell How similar is Connecticut to what was depicted on "Gilmore Girls"? #
• 09:29 Found a bunch of of psedoephedrine in the pocket of a jacket that I can't even remember the last time I wore. #
• 11:28 The girl from The Wonder Years is a popular writer on mathematics?! Nova should have told me this. Head asplode. #
• 13:07 Powerpoint presentation procrastination party. #

Automatically shipped by LoudTwitter

• 10:27 no radio station billing itself as "oldies" has any excuse to play any song younger than me. stick with your core demographic to the grave. #

Automatically shipped by LoudTwitter

• 11:56 my first-grader is "smarter than a fifth grader" #

Automatically shipped by LoudTwitter

• 09:35 oh, the things that the president would oppose under "ordinary circumstances"! #

Automatically shipped by LoudTwitter

• 02:04 Nighttime roadgeek run thru downtown LA, Pasadena, Glendale, Burbank. #
• 09:21 approximate route last night: tinyurl.com/4ptbb5 #
• 22:09 been doin' some good old fashioned bloggin'. by gar, it's been a while. blog.jeff-robertson.com #

Automatically shipped by LoudTwitter

Or, what we might have ended up using instead of HTTPS. In some ways this is nicer than HTTPS, since it puts the key exchange in HTTP. Apparently this was killed by export restrictions on RSA, although it seems like the same thing would have stopped SSL too.

On the other hand, SSL has the advantage of keeping the encryption out of HTTP altogether. Thus keeping HTTP that much simpler, and also enable SSL to be used as a generic tunnel for other protocols as well. Remember, worse is better.

If you actually read RFC 1945, the document that describes HTTP/1.0, one thing you'll notice is that section 8, where the methods are defined, has only GET, HEAD, and POST. The PUT and DELETE methods that are so important to advocates RESTful web services are relegated to Appendix D, "additional features".

This appendix documents protocol elements used by some existing HTTP implementations, but not consistently and correctly across most HTTP/1.0 applications. Implementors should be aware of these features, but cannot rely upon their presence in, or interoperability with, other HTTP/1.0 applications.

This also where a number of other familiar things like the Accept-* family of headers were listed. In RFC 2616 these were promoted to full-fledged features of HTTP 1.1.

But wait.. Appendix D also lists a couple of methods I'd never heard of before: LINK and UNLINK. And some headers (Link, Title, URI) that appear to have been intended to be used with them.

These features are simply missing from HTTP/1.1. They disappeared, like a TV character simply being dropped between seasons with no explanation or mention. They weren't put on a bus, they didn't die in a plane crash with no survivors on their way back home, a bridge didn't collapse on them. The powers that be just decided that they never existed at all.

The Link header is described:

The Link entity-header field provides a means for describing a relationship between the entity and some other resource. An entity may include multiple Link values. Links at the metainformation level typically indicate relationships like hierarchical structure and navigation paths.

This sounds a lot like HTML link tag. Redundant, even.

Digging around, I found this description of the HTTP of 1992, written by Tim Berners-Lee himself. This documents the protocol in a stage between "HTTP 0.9" with it's GET method and no headers and the eventual HTTP/1.0 standard.

In the section on "Object Headers", we find:

Note. It is proposed that any HTML metainformation element (allowed withing the HEAD as opposed to BODY element of the document) be a valid candidate for an HTTP object header. LINK is one example, TITLE another. One suggestion was that the isomorphism should be realized by prepending "WWW-" to the HTML element name to make the HTTP header name, and the HTML attributes imply identically named semicolon-separated MIME-style header parameters. It is open to discussion whether the "WWW-" should be inserted or not.

Apparently sometime between HTTP/1.0 and 1.1 they finally decided that this wasn't something that needed to be in HTTP after all.

I have to admit I'm a little bit sad. When dealing with (X)HTML these headers and the methods to put/delete them are redundant, but they could be useful for non-HTML. One use I can imagine would be to provide the title ("alt text") of a photo as part of the HTTP response for requesting the actual image file, rather than having that text only exist in the HTML that embeds the photo. Maybe Link(s) to the homepages of the people in the photo. Of course it would require the web server to maintain some kind of database in which to store this data, which might have been asking too much of in 1996. But now? I think we could have used these little guys.

EDIT: It just dawned on me that understanding how things like this get abandoned and yet the world still turns out OK, means understanding a great truth applicable to other domains besides HTTP. After all, if PUT, POST, and DELETE had been widely implemented as they were originally designed - to allow users to create and edit web pages using features directly built into their browsers - then mankind would never need to have invented things called "wikis" and "blogs", and then where would we be?

• 08:43 I don't want nobody to give me nothin'. Open up the door, I'll get it myself. #
• 09:00 There is so much awesome on _Physical_Graffiti_ that the otherwise-mindblowing "Kashmir" is rendered lame for obscuring the rest. #
• 18:18 At the airport, explaining the food at Paschals to people from NJ. #
• 18:31 Ever since I was eight years old I've always wanted to write a song about Duran Duran to the tune of "Barbara Ann". #
• 18:38 Add to the list of band/album/song name ideas: [Son of] Mr. Green Screens. #

Automatically shipped by LoudTwitter

For years and years (like since approximately 2001) I've been bitching and complaining, and never doing anything in particular, about customizing HTTP basic authentication in a servlet container. It's container specific, it involves lots of XML, and it usually involves sticking your classes up into the appserver's backside.

I've never actually gotten it to work. Then again, I haven't really tried all that hard either. It's just always seemed like more work than it's worth, especially when compared to things like Restlet and even Sun's own com.sun.net.httpserver. Anyway, I never did it. Instead I did this:

Just write a servlet filter that does the authentication and sets up the request appropriately. Duh. Why didn't they just include a class like this in the Servlet API instead of all the shenanigans?

NOTE: Yes, I know basic authentication is insecure. Prove to me that it's somehow less secure than an HTML form sending the credentials in plain text.

import java.io.IOException;
import java.security.Principal;

import javax.servlet.*;
import javax.servlet.http.*;

import org.apache.commons.codec.binary.Base64;

public class BasicAuthServletFilter implements Filter {

 private SessionCache sessions = new SessionCache();
 

 public void doFilter(ServletRequest arg0, ServletResponse arg1,
   FilterChain arg2) throws IOException, ServletException {
  
  HttpServletRequest httpRequest = (HttpServletRequest) arg0;
  HttpServletResponse httpResponse = (HttpServletResponse) arg1;
  
  String auth = httpRequest.getHeader("Authorization");
  
  if( auth == null ) {
   send401(httpResponse);
   return;
  }
  
  String[] tokens = auth.split(" ");
  
  if( !tokens[0].equalsIgnoreCase("Basic")) {
   send401(httpResponse);
   return;
  }

  String[] credentials = new String( Base64.decodeBase64(tokens[1].getBytes()) ).split(":");
  
  
  try {
   customLogin( credentials[0], credentials[1] );
  } catch (Exception e) {
   send401(httpResponse);
   return;
  }
  
  // implementation of MyPrincipal is left an exercise for the reader
  final java.security.Principal p = new MyPrincipal(credentials[0]);
  
  HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(httpRequest) {

   @Override
   public String getAuthType() {
    return HttpServletRequest.BASIC_AUTH;
   }

   @Override
   public String getRemoteUser() {
    return p.getName();
   }

   @Override
   public Principal getUserPrincipal() {
    return p;
   }

   @Override
   public boolean isUserInRole(String role) {
                                // probably want to customize here
    return true;
   }
  };

  
  arg2.doFilter(wrapper, arg1);
  
 }

 private void send401(HttpServletResponse httpResponse) throws IOException {
  httpResponse.setHeader("WWW-Authenticate",
    "Basic realm=\"My Realm\"");
  httpResponse.sendError(401);
 }

 public void customLogin(String user, String password) throws Exception {

  // proprietary business logic (TM)

 }


 public void init(FilterConfig arg0) throws ServletException {
 }
 
 
 public void destroy() {
 }

  
 

}

Work related

• 20:04 testing #
• 22:28 testing again #
• 22:29 - #
• 22:30 Kentucky (4-1) 14 2 Alabama (6-0) 17 #
• 22:30 yes im working on that football thing #

Automatically shipped by LoudTwitter

• 10:54 do not expect any further statements. the sons of batman don't talk. we act. #

Automatically shipped by LoudTwitter