Project

General

Profile

Frequently Asked Questions » History » Version 19

davis jones, 05/08/2010 01:08 PM

1 9 Pieter Libin
h1. Frequently Asked Questions
2
3
{{toc}}
4
5 5 Pieter Libin
h2. Building and deployment
6 1 Pieter Libin
7 17 Koen Deforche
h3. Q: I built Wt and the examples, but many examples don't display correctly
8 1 Pieter Libin
9 17 Koen Deforche
A:
10
If you are running the built example from within the build directory, then the examples will not find their resources bundles (.xml) files and the resources (CSS, images) will not be where they are to be expected.
11 3 Pieter Libin
12 17 Koen Deforche
The examples are designed that you can run them without much hassle from the source directory.
13 3 Pieter Libin
14 17 Koen Deforche
For example, to run composer, you should do the following:
15
<pre>
16
$ cd wt/examples/composer   # source directory for composer example
17
$ ln -s ../../resources .   # link the resources folder
18
$ ../../build/examples/composer/composer.wt --docroot . --http-address 0.0.0.0 --http-port 8080
19
</pre>
20 3 Pieter Libin
21 5 Pieter Libin
h3. Q: How do I build my newly written "Hello World!" application?
22 3 Pieter Libin
23
A:
24
Wt itself, and the examples, use "CMake":http://www.cmake.org, but that is entirely a
25
personal choice. You can use any build environment, like qmake, where
26
you:
27 12 Koen Deforche
28 11 Koen Deforche
* specify the library directory (Wt defaults to installing in @/usr/local/lib@)
29 12 Koen Deforche
* specify the link libraries:
30 13 Koen Deforche
** @-lwt@ and @-lwthttp@ or @-lwtfcgi@ (for release build)
31 12 Koen Deforche
** @-lwtd@ and @-lwthttpd@ or @-lwtfcgid@ (for debug build)
32 3 Pieter Libin
* specify the include directory (Wt defaults to installing in @/usr/local/include@)
33
34
Unlike Qt, there is no need for special features such as moc for
35
starting a Wt project.
36
37 15 Koen Deforche
If you decide to use CMake, and have installed Wt in its default
38 3 Pieter Libin
location (within @/usr/local@), this @CMakeLists.txt@ file should do it:
39 1 Pieter Libin
40 3 Pieter Libin
<pre>
41
ADD_EXECUTABLE(myprog.wt
42
MyProg1.C
43
OtherFile.C
44
AndEvenMoreCode.C
45
)
46
47
# For FastCGI deployment:
48
TARGET_LINK_LIBRARIES(myprog.wt
49
wtfcgi wt someotherlib
50
)
51
52
# Or, for built-in httpd deployment:
53
# TARGET_LINK_LIBRARIES(myprog.wt
54
#   wthttp wt someotherlib
55
# )
56
57
INCLUDE_DIRECTORIES(/usr/local/wt/include)
58
</pre>
59 15 Koen Deforche
60 3 Pieter Libin
The examples use a @CMakeLists.txt@ which is customized for using the
61
current build of Wt, and not that one that is already installed some
62 15 Koen Deforche
place (with make install). Therefore, it is not really the recommended
63 3 Pieter Libin
way to bootstrap your own Wt project. Also, the @./deploy@ scripts are
64
very primitive, and are a bit specific for the examples. Deploying is
65
nothing more than copying the files to some directory in your html
66
root.
67 5 Pieter Libin
68 3 Pieter Libin
*The other methods are:*
69 15 Koen Deforche
70
To handle many sourcefiles, dependencies... you need a makefile. Obviously, the way Wt is designed, you should have quickly many files for the many classes that will compose your app. Wt uses CMake:http://cmake.org to make makefiles and that is probably a good choice. Just like many others, I switched to CMake (from hand-written makefiles) because of wt and I am pretty happy with it.
71
make should produce  the executable. At this point, you probably need to move the output of make to a directory available to your webserver; in practice you therefore need a script that is going to deploy the file. When you name the app, be sure the extension is recognized by the webserver.  Also, you may need to kill active processes of your app and maybe copy the css and some other files (icons...) to the directory available to the webserver.
72 3 Pieter Libin
In the end, I bundled all that in a deploy file located in the build directory (the one that is usually created for CMake). After I have have finished changing the source files, I just type @./deploy@ on the command line and I can refresh my web page.
73 1 Pieter Libin
<pre>
74 3 Pieter Libin
make
75
target_app=app.wt
76
target_path=httpdocs
77
ps -A | grep app.wt | awk '{print $1}' | xargs kill
78
rm -f "~/${target_path}/${target_app}"
79
cp "${target_app}" ~/${target_path}/
80
cp ../app.css  ~/${target_path}/
81
</pre>
82 5 Pieter Libin
83 3 Pieter Libin
*OR*
84
85 1 Pieter Libin
You can use install command instead of cp, more or less like this:
86
<pre>
87
install -m 0755 astariand.wt /var/www/game
88
install -m 0644 messages.xml /var/www/game
89
install -m 0644 astariand.css /var/www/game
90
install -m 0644 login.php /var/www/game
91
install -m 0644 includes.php /var/www/game
92
install -m 0755 -d /var/www/game/media
93
install -m 0755 -d /var/www/game/media/icons
94
install -m 0644 media/icons/* /var/www/game/media/icons
95
install -m 0755 -d /var/www/game/media/images
96
install -m 0644 media/images/* /var/www/game/media/images
97
</pre>
98
99
Using install has two advantages. First, it allows you to set permissions
100
on the fly (just as user and group, but I don't use this). Second, with
101
dedicated process session management you don't need to kill all processes
102
beforehand - old connections will keep using the old binary and new
103
connections will use the new one, until all old connections "die from
104
natural reasons".
105
106
h3. Q: My browser shows a window with a message like 'Wt internal error: ReferenceError: Ext is not defined, code: undefined, description: undefined'. How do I resolve it?
107
108
A:
109
Check your log for 404 messages regarding ExtJs. Download Ext 2.0.1 or 2.0.2 from the ExtJs homepage and install it as described "here":http://www.webtoolkit.eu/wt/doc/reference/html/group__ext.html. ExtJs 2.0.2 is available for download "here":http://yogurtearl.com/ext-2.0.2.zip.
110
111
You will receive similar error messages when you use a WTextEdit and TinyMCE is not properly deployed. Download TinyMCE from the "TinyMCE homepage":http://tinymce.moxiecode.com/.
112
113
ExtJS and TinyMCE need to be available in the document root of your web server. By default, Wt expects ext-related files to be found in 'ext/' (relative to your application deployment location), and TinyMCE in 'resources/tiny_mce/'.
114
115
For example (Wt 2.2.1), to run the widgetgallery example (which needs both ExtJS and TinyMCE) from within its source directory, you need the following organisation of auxiliary files:
116
117
<pre>
118
 $ pwd
119
 /home/.../wt/examples/widgetgallery
120
 $ ls ext/
121
 ext-all.js  ext-base.js  resources
122
 $ ls resources/
123
 collapse.gif      items-ok.gif     nav-minus.gif              nav-plus-line-middle.gif  sort-arrow-down.gif  tab_l.gif
124
 expand.gif        line-last.gif    nav-minus-line-last.gif    orbited.js                sort-arrow-none.gif  tab_r.gif
125
 iframe.js         line-middle.gif  nav-minus-line-middle.gif  orbited_LICENSE.txt       sort-arrow-up.gif    tiny_mce
126
 items.gif         line-trunk.gif   nav-plus.gif               slider-thumb-h.gif        stripes              tv-line-last.gif
127
 items-not-ok.gif  loading.png      nav-plus-line-last.gif     slider-thumb-v.gif        tab_b.gif
128
 $ ls resources/tiny_mce/
129
 langs  license.txt  plugins  themes  tiny_mce.js  tiny_mce.js.gz  tiny_mce_popup.js  tiny_mce_src.js  utils
130
</pre>
131
132
and then you can run the example using the following command line:
133
134
<pre>
135
 $ ../../build/examples/widgetgallery/widgetgallery.wt --http-address=0.0.0.0 --http-port=8080 --docroot .
136
</pre>
137
138
h3. Q: My browser shows an empty window and I am disappointed now.
139
140
A. See the previous question.
141 17 Koen Deforche
142
h3. Q: How does Wt organize sessions in processes and threads ?
143
144
Wt makes a distinction in the conceptual organization (which is reflected in the API of WApplication)
145
and the way the application is actually deployed.
146
147
_Conceptually_, every user session is completely isolated from each other. For each new session, Wt
148
calls the function that is supplied to WRun(), to create a WApplication object for that session.
149
As a programmer, you should program for the general case where different WApplication objects
150
are in different processes, and thus if you wish to communicate between different session, you
151
have the following options: (in increasing order of flexibility traded for convenience):
152
* A database to which every session connects.
153
* A dedicated server daemon, with socket based communication.
154
* A combination of both, with possible peer-to-peer communication between different sessions.
155
156
_Physically_, Wt offers several choices for deployment, each of them with different trade-offs.
157
If an application sticks strictly to the previous rules, you can freely change between different
158
deployment options at deployment time.
159
160
The options that are available are:
161
* Dedicated-process mode: mapping one session to one process. Advantages are:
162
** Kernel-level isolation between processes (security and reliability!).
163
** Kernel-based sharing of read-only memory segments (simply UNIX feature).
164
** Development friendly: a new session uses the latest deployed binary, and valgrind may be used to
165
debug one particular session, by modifying the URL request.
166
167
* Shared-process mode: mapping multiple sessions in a fixed number of processes. Advantages are:
168
** No process and stack overhead per session.
169
170
Wt is capable of using multi-threading to improve performance for both situations. Threads are
171
used for simultaneous handling of requests. Even in dedicated-process mode, several requests
172
may be handled simultaneously, for example concurrent streaming of different @WResource@'s. The
173
multi-threading feature however is more important for shared-process mode, for handling concurrent
174
requests for different sessions. In the latter case, however, the number of threads must not
175
equal the number of active sessions: threads are reused after every request is handled.
176
177
The shared-process mode has the notable disadvantage, inherent to C++, that memory corruption
178
may occur and can take down all sessions. It is however well suited for 'open' applications on
179
the Internet (and the Wt homepage and all examples are deployed this way). If you design a
180
restricted access application, or possibly a security sensitive application, or deploy the
181
application on a private intranet, the dedicated process mode may be more suitable.
182
183
h3. Q: How does it compare to Java servlets ?
184
185
Differences with Java Servlets are mostly due to the Java Virtual Machine. Java has the benefit
186
of automating pointer manipulation, and therefore eliminating unwanted interference between
187
different sessions because of pointer bugs. On the other hand, because of the high costs (both
188
run-time start up as well as memory usage) associated with a Java Virtual Machine instance,
189 19 davis jones
Java cannot afford kernel-level isolation "custom writing paper":http://custom-paper-writing.com/ between different Java sessions. If not programmed properly,
190 17 Koen Deforche
two sessions can still interfere through for example the use of class static variables.
191
Unfortunately, some servlet based frameworks, like the often-used struts framework, actually encourage
192
sharing of for example form objects between different sessions for run-time efficiency reasons,
193
making session cross talk readily an issue.
194
195
Similarities between Wt and Java Servlets are the use of a thread pool to serve concurrent
196
requests, and the abstraction of actual deployment details from the API, allowing easy
197
scalability.
198
199
Note: you should consider using "JWt":http://www.webtoolkit.eu/jwt if you would like to develop in Java.
200 3 Pieter Libin
201 1 Pieter Libin
h2. API
202 5 Pieter Libin
203 1 Pieter Libin
h3. Q: How do I deal with look and layout ? Does Wt support CSS ?
204 15 Koen Deforche
205
Wt provides you with two options for layout.
206
207 3 Pieter Libin
* You can use CSS for layout, and CSS may be either specified in CSS style sheets, or
208
manipulated programmatorically. Tomasz Mazurek contributed [[Using CSS|a tutorial]] about
209
it.
210 15 Koen Deforche
211 3 Pieter Libin
* You can use Wt's layout managers (e.g. @WBoxLayout@, @WGridLayout@, @WBorderLayout@). These have the advantage over CSS-based layouts that you also have control over vertical layout, but require JavaScript to work properly.
212 5 Pieter Libin
213
h3. Q: How do I pass an additional argument from a signal to a slot ?
214 3 Pieter Libin
215
Frequently, you may want to connect many different signals to a single slot, and identify the original sender in the slot.
216
217 1 Pieter Libin
For example:
218 5 Pieter Libin
219 3 Pieter Libin
<pre>
220 1 Pieter Libin
 void Test::createWidgets()
221 3 Pieter Libin
 {
222
   // create text1, text2, text3 widgets
223
 
224
   text1->clicked.connect(SLOT(this, Test::onClick));
225
   text2->clicked.connect(SLOT(this, Test::onClick));
226
   text3->clicked.connect(SLOT(this, Test::onClick));
227
 }
228
 
229
 void Test::onClick()
230
 {
231
   // How to know which widget?
232 5 Pieter Libin
 }
233 3 Pieter Libin
</pre>
234 5 Pieter Libin
235 3 Pieter Libin
The solution is to use a "WSignalMapper":http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1WSignalMapper.html like this:
236 5 Pieter Libin
237 3 Pieter Libin
<pre>
238
 void Test::createWidgets()
239 1 Pieter Libin
 {
240 3 Pieter Libin
   Wt::WSignalMapper<Wt::WText> *myMap = new Wt::WSignalMapper<Wt::WText*>(this);
241 1 Pieter Libin
 
242 3 Pieter Libin
   myMap->mapped.connect(SLOT(this, Test::onClick));
243
   myMap->mapConnect(text1->clicked, text1);
244 1 Pieter Libin
   myMap->mapConnect(text2->clicked, text2);
245
   myMap->mapConnect(text3->clicked, text3);
246
 }
247
 
248 3 Pieter Libin
 void Test::onClick(Wt::WText* source)
249 5 Pieter Libin
 {
250 1 Pieter Libin
   // source is where it is coming from
251
   // ...
252
 }
253
</pre>
254 15 Koen Deforche
255 3 Pieter Libin
The additional argument can be of any type, since @WSignalMapper@ is a template class. It could for example be the button text, or some other information specific to the widget that is activated.
256 1 Pieter Libin
257 18 Joe VanAndel
h3. Q: How do I update my application window from another thread, or from a socket notifier?
258
259
A:
260
See the documentation for Wt::WApplication::enableUpdates().
261
262 5 Pieter Libin
h2. Security
263 1 Pieter Libin
264 5 Pieter Libin
265 3 Pieter Libin
h3. Q: Building web applications in a low-level language like C? Have you never heard of buffer overruns??
266 1 Pieter Libin
267 3 Pieter Libin
We are well aware of the hostile environment that is the Internet. We believe that Wt provides some unique benefits compared to other solutions to handle the most common attacks:
268 15 Koen Deforche
269
* *Cross-Site scripting attacks (XSS)*: an attacker forces the display of some script by letting the application render it to the browser of a victim that is also using the web application.
270 19 davis jones
** Unlike other web technologies, Wt does not require any effort from the programmer to avoid XSS attacks. Instead, any 'rich' XHTML text that needs to be displayed (for example in a @WText@ using @XHTMLFormatting@) is filtered by a built-in XML parser for any potentially malicious tags or attributes (which is anything "resume CV":http://cvresumewriters.com/ that may execute some JavaScript code). Unlike other (low-level) frameworks, Wt provide this protection because there is no raw 'print' command. Instead, Wt generates all HTML/JavaScript from widgets and therefore it knows that rich text should only be "passive" rich text and not contain any "active" content.
271 15 Koen Deforche
272 3 Pieter Libin
* *Cross-site request forgery attacks (CSRF)*: an attacker tricks a user into sending a request to a trusted website passing its credentials in a cookie.
273 8 Pieter Libin
** This kind of attack is eliminated since Wt uses a secure random number generator for the session ID (on platforms that provide this kernel-level service, such as Linux and Win32 platforms), and even when using cookies for session tracking, the session ID is always sent within the request as well, and verified within Wt (since Wt 2.2.0).
274
275
* Attacks against the *application logic*: an attacker issues a request to some page or service that is only accessible after authorization. 
276 5 Pieter Libin
** Wt protects the application logic because all incoming requests are interpreted in one central, well-tested routine. The request is parsed and only _*exposed event signals*_ may be triggered. Exposed event signals are attached to widgets that are currently rendered on the screen. For example, a button click on a button that is currently shown on the screen. In this way, the logic of the application (such as for example: you need to first log
277 8 Pieter Libin
in, and then only you may request for a payment) is automatically validated: only code in slots connected to exposed signals can be invoked by the user.
278 15 Koen Deforche
279 8 Pieter Libin
* *Session cross-talk*: sensitive data from one session spills in another session because of a programming error, where data is shared.
280 3 Pieter Libin
** Wt is the only solution which may eliminate any cross-talk between sessions by deploying each session in a dedicated process, and thus using kernel-level protection (Dedicated Process mode of deployment). In the case of a bug, data from other sessions cannot be accessed and this is guaranteed by the kernel. This feature is especially valuable in sensitive areas such as financial transactions.
281 8 Pieter Libin
** In other web application frameworks, such as Python/PHP/Java solutions, cross-talk between sessions is always a risk since sessions run within the same process for performance reasons since virtual machines and byte interpreters take their time to load. Cross-talk can be the consequence of a programming mistake where data structures are shared between sessions. In fact, many popular Java servlet-based frameworks encourage sharing of data structures, again for performance reasons, to avoid (expensive) object creation. For example, in struts _*form beans*_ should be shared, and be reused by reinitialization rather than reconstruction.
282 15 Koen Deforche
283 16 Koen Deforche
* *Buffer over-runs*: A low-level C programming mistake is abused by an attacker to execute arbitrary code.
284 3 Pieter Libin
** While it is true that C applications may suffer this problem, this is no longer a valid concern for modern C++ code. The main source of these programming mistakes was string manipulation in C, relying on careful memory management of the string buffers. In C++, *std::string* avoids this issues entirely by automated memory management and buffer sizing. Furthermore, Wt is developed using the highest standards for code clarity (so we believe), and is thoroughly checked for memory-related problems by running it through memory checking tools such as valgrind.
285
286
All these attacks (except for the last one) are commonly exploited against current-day web applications which are vulnerable by the simple fact that too many web-related details are in the hands and responsibility of the developer. In contrast, Wt actively helps in avoiding programming mistakes which may lead to these exploits.
287 15 Koen Deforche
288 5 Pieter Libin
h3. Q: How do I use the built-in HTTPS server in @wthttpd@ ?
289 3 Pieter Libin
290
You will need a private server key that is signed by a certificate authority, and a temporary file containing random Diffie-Hellman parameters. If you are simply experimenting with the feature, then you can create and sign a key yourself, or use the one that comes with the OpenSSL distribution (server.pem, which has the password 'test'). The file with Diffie-Hellman parameters can be created using the command:
291
292
<pre>
293
$ openssl dhparam -check -text -5 512 -out dh512.pem
294 1 Pieter Libin
</pre>
295
296
Then start Wt using:
297
298
<pre>
299
$ ./app.wt --https-address=0.0.0.0 --ssl-certificate=server.pem --ssl-private-key=server.pem --ssl-tmp-dh=dh512.pem
300
</pre>
301
302
Provide the password at the prompt.
303
304 5 Pieter Libin
305
h2. Trouble shooting
306
307
308 1 Pieter Libin
h3. Q: My application crashes, and my apache error log shows no information.
309
310
There is a known problem with mod_fcgid: STDERR (including everything printed to std::cerr) is not
311
saved to the apache error log.
312 16 Koen Deforche
313 1 Pieter Libin
Wt uses STDERR by default for all error reporting. You can use a different log file in your @wt_config.xml@ file (<log-file>).
314
315
You may also consider using mod_fastcgi or the built-in web server (wthttpd) during development. The latter is especially convenient for development as it allows you to start from within a debugger, or diagnose memory-related problems with valgrind.