Project

General

Profile

Frequently Asked Questions » History » Version 42

Roel Standaert, 10/13/2020 12:08 PM

1 42 Roel Standaert
Frequently Asked Questions
2
==========================
3 9 Pieter Libin
4 1 Pieter Libin
{{toc}}
5
6 42 Roel Standaert
Building and deployment
7
-----------------------
8 1 Pieter Libin
9 42 Roel Standaert
### Q: I built Wt and the examples, but many examples don't display correctly
10 3 Pieter Libin
11 42 Roel Standaert
If you are running the built example from within the build directory, then the examples will not find their resource bundles (`.xml`) files and the resources (CSS, images) will not be where they are to be expected.
12 1 Pieter Libin
13 42 Roel Standaert
The examples are designed so that you can run them without much hassle from the source directory.
14 1 Pieter Libin
15 42 Roel Standaert
For example, if you built Wt in a `build` subdirectory of Wt and want to run composer, you can do the following:
16 29 Wim Dumon
17 42 Roel Standaert
```sh
18
cd wt/examples/composer   # source directory for composer example
19
../../build/examples/composer/composer.wt --docroot . --http-listen 0.0.0.0:8080 --resources-dir ../../resources
20
```
21 1 Pieter Libin
22 42 Roel Standaert
Applications that have explicit approot and/or docroot directories (e.g. widgetgallery), must be started with the appropriate ---approot and ---docroot parameters:
23 1 Pieter Libin
24 42 Roel Standaert
```sh
25
cd wt/examples/widgetgallery # source directory for composer example
26
../../build/examples/widgetgallery/widgetgallery.wt --docroot docroot --approot approot --http-listen 0.0.0.0:8080 --resources-dir ../../resources
27
```
28 1 Pieter Libin
29 42 Roel Standaert
### Q: How do I build my newly written "Hello World!" application?
30 1 Pieter Libin
31 42 Roel Standaert
Wt itself, and the examples, use [CMake](http://www.cmake.org), but that is entirely a personal choice. You can use any build environment, like qmake, where you:
32 15 Koen Deforche
33 42 Roel Standaert
- specify the library directory (Wt defaults to installing in `/usr/local/lib`)
34
- specify the link libraries:
35
  - `-lwt` and `-lwthttp` or `-lwtfcgi` (for release build)
36
  - `-lwtd` and `-lwthttpd` or `-lwtfcgid` (for debug build)
37
- specify the include directory (Wt defaults to installing in `/usr/local/include`)
38 1 Pieter Libin
39 42 Roel Standaert
Unlike Qt, there is no need for special features such as moc for starting a Wt project.
40 1 Pieter Libin
41 42 Roel Standaert
If you decide to use CMake, and have installed Wt in its default location (within `/usr/local`), you can use `find_package` in your `CMakeLists.txt`:
42 1 Pieter Libin
43 42 Roel Standaert
```cmake
44
find_package(Wt CONFIG REQUIRED COMPONENTS Wt HTTP)
45
add_executable(myprog.wt PRIVATE Wt::Wt Wt::HTTP)
46
```
47 3 Pieter Libin
48 42 Roel Standaert
When you did not install the Wt libraries in `/usr/local/lib/`, you can use the `-Wt_DIR` argument. See the [CMake documentation](https://cmake.org/cmake/help/latest/command/find_package.html#search-procedure) for more information.
49 15 Koen Deforche
50 42 Roel Standaert
The examples use a `CMakeLists.txt` which is customized for using the current build of Wt, and not that one that is already installed some place (with `make install`). Therefore, it is not really the recommended way to bootstrap your own Wt project.
51 1 Pieter Libin
52 42 Roel Standaert
**The other methods are:**
53 21 Koen Deforche
54 3 Pieter Libin
To handle many sourcefiles, dependencies... you need a makefile. Obviously, the way Wt is designed, you should have quickly many files for the many classes that will compose your app. Wt uses CMake:http://cmake.org to make makefiles and that is probably a good choice. Just like many others, I switched to CMake (from hand-written makefiles) because of Wt and I am pretty happy with it.
55 1 Pieter Libin
56 42 Roel Standaert
`make` should produce the executable. At this point, you probably need to move the output of make to a directory available to your webserver; in practice you therefore need a script that is going to deploy the file. When you name the app, be sure the extension is recognized by the webserver. Also, you may need to kill active processes of your app and maybe copy the css and some other files (icons...) to the directory available to the webserver.  
57
In the end, I bundled all that in a deploy file located in the build directory (the one that is usually created for CMake). After I have have finished changing the source files, I just type `./deploy` on the command line and I can refresh my web page.
58 5 Pieter Libin
59 42 Roel Standaert
    make
60
    target_app=app.wt
61
    target_path=httpdocs
62
    ps -A | grep app.wt | awk '{print $1}' | xargs kill
63
    rm -f "~/${target_path}/${target_app}"
64
    cp "${target_app}" ~/${target_path}/
65
    cp ../app.css  ~/${target_path}/
66 1 Pieter Libin
67 42 Roel Standaert
**OR**
68 1 Pieter Libin
69
You can use install command instead of cp, more or less like this:
70
71 42 Roel Standaert
    install -m 0755 astariand.wt /var/www/game
72
    install -m 0644 messages.xml /var/www/game
73
    install -m 0644 astariand.css /var/www/game
74
    install -m 0644 login.php /var/www/game
75
    install -m 0644 includes.php /var/www/game
76
    install -m 0755 -d /var/www/game/media
77
    install -m 0755 -d /var/www/game/media/icons
78
    install -m 0644 media/icons/* /var/www/game/media/icons
79
    install -m 0755 -d /var/www/game/media/images
80
    install -m 0644 media/images/* /var/www/game/media/images
81
82
Using install has two advantages. First, it allows you to set permissions on the fly (just as user and group, but I don't use this). Second, with  
83
dedicated process session management you don't need to kill all processes beforehand - old connections will keep using the old binary and new  
84 1 Pieter Libin
connections will use the new one, until all old connections "die from natural reasons".
85
86 42 Roel Standaert
### Q: My browser shows a window with a message like 'Wt internal error: ReferenceError: Ext is not defined, code: undefined, description: undefined'. How do I resolve it?
87 1 Pieter Libin
88 42 Roel Standaert
Check your log for 404 messages regarding ExtJs. Download Ext 2.0.1 or 2.0.2 from the ExtJs homepage and install it as described [here](http://www.webtoolkit.eu/wt/doc/reference/html/group__ext.html). ExtJs 2.0.2 is available for download [here](http://yogurtearl.com/ext-2.0.2.zip).
89 1 Pieter Libin
90 42 Roel Standaert
You will receive similar error messages when you use a WTextEdit and TinyMCE is not properly deployed. Download TinyMCE from the [TinyMCE homepage](http://tinymce.moxiecode.com/).
91 1 Pieter Libin
92 42 Roel Standaert
ExtJS and TinyMCE need to be available in the document root of your web server. By default, Wt expects ext-related files to be found in 'ext/' (relative to your application deployment location), and TinyMCE in 'resources/tiny\_mce/'.
93 21 Koen Deforche
94
For example (Wt 2.2.1), to run the widgetgallery example (which needs both ExtJS and TinyMCE) from within its source directory, you need the following organisation of auxiliary files:
95 1 Pieter Libin
96 42 Roel Standaert
     $ pwd
97
     /home/.../wt/examples/widgetgallery
98
     $ ls ext/
99
     ext-all.js  ext-base.js  resources
100
     $ ls resources/
101
     collapse.gif      items-ok.gif     nav-minus.gif              nav-plus-line-middle.gif  sort-arrow-down.gif  tab_l.gif
102
     expand.gif        line-last.gif    nav-minus-line-last.gif    orbited.js                sort-arrow-none.gif  tab_r.gif
103
     iframe.js         line-middle.gif  nav-minus-line-middle.gif  orbited_LICENSE.txt       sort-arrow-up.gif    tiny_mce
104
     items.gif         line-trunk.gif   nav-plus.gif               slider-thumb-h.gif        stripes              tv-line-last.gif
105
     items-not-ok.gif  loading.png      nav-plus-line-last.gif     slider-thumb-v.gif        tab_b.gif
106
     $ ls resources/tiny_mce/
107
     langs  license.txt  plugins  themes  tiny_mce.js  tiny_mce.js.gz  tiny_mce_popup.js  tiny_mce_src.js  utils
108 1 Pieter Libin
109
and then you can run the example using the following command line:
110
111 42 Roel Standaert
     $ ../../build/examples/widgetgallery/widgetgallery.wt --http-address=0.0.0.0 --http-port=8080 --docroot .
112 1 Pieter Libin
113 42 Roel Standaert
### Q: My browser shows an empty window and I am disappointed now.
114 1 Pieter Libin
115
See the previous question.
116
117 42 Roel Standaert
### Q: How does Wt organize sessions in processes and threads?
118 1 Pieter Libin
119
Wt makes a distinction in the conceptual organization (which is reflected in the API of WApplication) and the way the application is actually deployed.
120
121 42 Roel Standaert
*Conceptually*, every user session is completely isolated from each other. For each new session, Wt calls the function that is supplied to WRun(), to create a WApplication object for that session. As a programmer, you should program for the general case where different WApplication objects are in different processes, and thus if you wish to communicate between different session, you have the following options: (in increasing order of flexibility traded for convenience):
122 21 Koen Deforche
123 42 Roel Standaert
-   A database to which every session connects.
124
-   A dedicated server daemon, with socket based communication.
125
-   A combination of both, with possible peer-to-peer communication between different sessions.
126 21 Koen Deforche
127 42 Roel Standaert
*Physically*, Wt offers several choices for deployment, each of them with different trade-offs. If an application sticks strictly to the previous rules, you can freely change between different deployment options at deployment time.
128
129 17 Koen Deforche
The options that are available are:
130
131 42 Roel Standaert
-   Dedicated-process mode: mapping one session to one process. Advantages are:
132
    -   Kernel-level isolation between processes (security and reliability!).
133
    -   Kernel-based sharing of read-only memory segments (simply UNIX feature).
134
    -   Development friendly: a new session uses the latest deployed binary, and valgrind may be used to debug one particular session, by modifying the URL request.
135 17 Koen Deforche
136 42 Roel Standaert
<!-- -->
137
138
-   Shared-process mode: mapping multiple sessions in a fixed number of processes. Advantages are:
139
    -   No process and stack overhead per session.
140
141
Wt is capable of using multi-threading to improve performance for both situations. Threads are used for simultaneous handling of requests. Even in dedicated-process mode, several requests may be handled simultaneously, for example concurrent streaming of different `WResource`'s. The multi-threading feature however is more important for shared-process mode, for handling concurrent requests for different sessions. In the latter case, however, the number of threads must not  
142 17 Koen Deforche
equal the number of active sessions: threads are reused after every request is handled.
143 20 Koen Deforche
144 42 Roel Standaert
The shared-process mode has the notable disadvantage, inherent to C, that memory corruption may occur and can take down all sessions. It is however well suited for 'open' applications on the Internet (and the Wt homepage and all examples are deployed this way). If you design a restricted access application, or possibly a security sensitive application, or deploy the application on a private intranet, the dedicated process mode may be more suitable.
145 17 Koen Deforche
146 42 Roel Standaert
### Q: How does it compare to Java servlets?
147 21 Koen Deforche
148 17 Koen Deforche
Differences with Java Servlets are mostly due to the Java Virtual Machine. Java has the benefit of automating pointer manipulation, and therefore eliminating unwanted interference between different sessions because of pointer bugs. On the other hand, because of the high costs (both run-time start up as well as memory usage) associated with a Java Virtual Machine instance, Java cannot afford kernel-level isolation between different Java sessions. If not programmed properly, two sessions can still interfere through for example the use of class static variables. Unfortunately, some servlet based frameworks, like the often-used struts framework, actually encourage sharing of for example form objects between different sessions for run-time efficiency reasons, making session cross talk readily an issue.
149 25 Peter Mortensen
150 17 Koen Deforche
Similarities between Wt and Java Servlets are the use of a thread pool to serve concurrent requests, and the abstraction of actual deployment details from the API, allowing easy scalability.
151 21 Koen Deforche
152 42 Roel Standaert
Note: you should consider using [JWt](http://www.webtoolkit.eu/jwt) if you would like to develop in Java.
153 21 Koen Deforche
154 42 Roel Standaert
API
155
---
156 5 Pieter Libin
157 42 Roel Standaert
### Q: How do I deal with look and layout? Does Wt support CSS?
158 15 Koen Deforche
159 25 Peter Mortensen
Wt provides you with options for layout.
160 15 Koen Deforche
161 42 Roel Standaert
-   You can use CSS for layout, and CSS may be either specified in CSS style sheets, or manipulated programmatorically. Tomasz Mazurek contributed [[Using CSS\|a tutorial]] about it.
162 1 Pieter Libin
163 42 Roel Standaert
<!-- -->
164 31 Wim Dumon
165 42 Roel Standaert
-   You can use WTemplate for composing Wt widgets together in a layout. Within the templates, you can use CSS, but also Twitter Bootstrap for layouting.
166 31 Wim Dumon
167 42 Roel Standaert
<!-- -->
168 31 Wim Dumon
169 42 Roel Standaert
-   Wt's Twitter Bootstrap theme is a themable theme. Wt's widgets support rendering in bootstrap style, so if you compose your own program with WTemplate in bootstrap's style, you can benefit from Bootstrap and the Bootstrap themes you can find online (+ most design agencies know how to design a Bootstrap theme).
170 15 Koen Deforche
171 42 Roel Standaert
<!-- -->
172 5 Pieter Libin
173 42 Roel Standaert
-   You can use Wt's layout managers (e.g. `WBoxLayout`, `WGridLayout`, `WBorderLayout`). These have the advantage over CSS-based layouts that you also have control over vertical layout, but require JavaScript to work properly.
174 3 Pieter Libin
175 42 Roel Standaert
### Q: How do I pass an additional argument from a signal to a slot?
176
177 1 Pieter Libin
Frequently, you may want to connect many different signals to a single slot, and identify the original sender in the slot.
178 5 Pieter Libin
179 3 Pieter Libin
For example:
180 1 Pieter Libin
181 42 Roel Standaert
     void Test::createWidgets()
182
     {
183
       // create text1, text2, text3 widgets
184 28 Wim Dumon
185 42 Roel Standaert
       text1->clicked.connect(this, &Test::onClick);
186
       text2->clicked.connect(this, &Test::onClick);
187
       text3->clicked.connect(this, &Test::onClick);
188
     }
189
190
     void Test::onClick()
191
     {
192
       // How to know which widget?
193
     }
194
195 28 Wim Dumon
Boost's boost.bind allows you to pass a 'generalized' function pointer where some (or all) of its arguments can be bound to a value of your choice:
196 3 Pieter Libin
197 42 Roel Standaert
     void Test::createWidgets()
198
     {
199
       // Actually you can write onClick to accept any kind of argument
200
       // (int, enum, object pointer, ...). We chose to pass the sending widget
201
       // here.
202
       text1->clicked().connect(boost::bind(&Test::onClick, this, text1));
203
       text2->clicked().connect(boost::bind(&Test::onClick, this, text2));
204
       text3->clicked().connect(boost::bind(&Test::onClick, this, text3));
205
     }
206 1 Pieter Libin
207 42 Roel Standaert
     void Test::onClick(Wt::WText* source)
208
     {
209
       // source is where it is coming from
210
       // ...
211
     }
212 1 Pieter Libin
213 42 Roel Standaert
The solution based on [WSignalMapper](http://www.webtoolkit.eu/wt/doc/reference/html/classWt_1_1WSignalMapper.html) is considered deprecated.
214 28 Wim Dumon
215 42 Roel Standaert
### Q: How do I update my application window from another thread, or from a socket notifier?
216 28 Wim Dumon
217 42 Roel Standaert
A:  
218 1 Pieter Libin
See the documentation for Wt::WApplication::enableUpdates().
219 18 Joe VanAndel
220 42 Roel Standaert
Security
221
--------
222 18 Joe VanAndel
223 42 Roel Standaert
### Q: Building web applications in a low-level language like C? Have you never heard of buffer overruns??
224 5 Pieter Libin
225
We are well aware of the hostile environment that is the Internet. We believe that Wt provides some unique benefits compared to other solutions to handle the most common attacks:
226 3 Pieter Libin
227 42 Roel Standaert
-   **Cross-Site scripting attacks (XSS)**: an attacker forces the display of some script by letting the application render it to the browser of a victim that is also using the web application.
228
    -   Unlike other web technologies, Wt does not require any effort from the programmer to avoid XSS attacks. Instead, any 'rich' XHTML text that needs to be displayed (for example in a `WText` using `XHTMLFormatting`) is filtered by a built-in XML parser for any potentially malicious tags or attributes (which is anything that may execute some JavaScript code). Unlike other (low-level) frameworks, Wt can provide this protection because there is no raw 'print' command. Instead, Wt generates all HTML/JavaScript from widgets and therefore it knows that rich text should only be "passive" rich text and not contain any "active" content.
229 1 Pieter Libin
230 42 Roel Standaert
<!-- -->
231 1 Pieter Libin
232 42 Roel Standaert
-   **Cross-site request forgery attacks (CSRF)**: an attacker tricks a user into sending a request to a trusted website passing its credentials in a cookie.
233
    -   This kind of attack is eliminated since Wt does not use cookies for session identification, but instead uses URL rewriting (within a (pseudo-) single page application). It uses a secure random number generator for the session ID (on platforms that provide this kernel-level service, such as Linux and Win32 platforms), and even when using cookies for session tracking, the session ID is always sent within the request as well, and verified within Wt (since Wt 2.2.0).
234 8 Pieter Libin
235 42 Roel Standaert
<!-- -->
236 34 Koen Deforche
237 42 Roel Standaert
-   Attacks against the **application logic**: an attacker issues a request to some page or service that is only accessible after authorization.
238
    -   Wt protects the application logic because all incoming requests are interpreted in one central, well-tested routine. The request is parsed and only ***exposed event signals*** may be triggered. Exposed event signals are attached to widgets that are currently rendered on the screen. For example, a button click on a button that is currently shown on the screen. In this way, the logic of the application (such as for example: you need to first log in, and then only you may request for a payment) is automatically validated: only code in slots connected to exposed signals can be invoked by the user.
239 8 Pieter Libin
240 42 Roel Standaert
<!-- -->
241
242
-   **Session cross-talk**: sensitive data from one session spills in another session because of a programming error, where data is shared.
243
    -   Wt is the only solution which may eliminate any cross-talk between sessions by deploying each session in a dedicated process, and thus using kernel-level protection (Dedicated Process mode of deployment). In the case of a bug, data from other sessions cannot be accessed and this is guaranteed by the kernel. This feature is especially valuable in sensitive areas such as financial transactions.
244
    -   In other web application frameworks, such as Python/PHP/Java solutions, cross-talk between sessions is always a risk since sessions run within the same process for performance reasons since virtual machines and byte interpreters take their time to load. Cross-talk can be the consequence of a programming mistake where data structures are shared between sessions. In fact, many popular Java servlet-based frameworks encourage sharing of data structures, again for performance reasons, to avoid (expensive) object creation. For example, in struts ***form beans*** should be shared, and be reused by reinitialization rather than reconstruction.
245
246
<!-- -->
247
248
-   **Buffer over-runs**: A low-level C programming mistake is abused by an attacker to execute arbitrary code.
249
    -   While it is true that C applications may suffer this problem, this is no longer a valid concern for modern C code. The main source of these programming mistakes was string manipulation in C, relying on careful memory management of the string buffers. In C, **std::string** avoids this issues entirely by automated memory management and buffer sizing. Furthermore, Wt is developed using the highest standards for code clarity (so we believe), and is thoroughly checked for memory-related problems by running it through memory checking tools such as valgrind.
250
251 36 Wim Dumon
All these attacks (except for the last one) are commonly exploited against current-day web applications which are vulnerable by the simple fact that too many web-related details are in the hands and responsibility of the developer. In contrast, Wt actively helps in avoiding programming mistakes which may lead to these exploits.
252 3 Pieter Libin
253 42 Roel Standaert
### Q: How do I use the built-in HTTPS server in `wthttpd`?
254 35 Koen Deforche
255 1 Pieter Libin
You will need a private server key that is signed by a certificate authority, and a temporary file containing random Diffie-Hellman parameters. If you are simply experimenting with the feature, then you can create and sign a key yourself, or use the one that comes with the OpenSSL distribution (server.pem, which has the password 'test'). If you are about to set up a secure https server in a production environment, do not use the commands outlined in this section to generate the cryptographic files but get informed on up to date good practices.
256
257
The file with Diffie-Hellman parameters can be created using the command:
258
259 42 Roel Standaert
    $ openssl dhparam -check -text -out dh2048.pem 2048
260 39 Koen Deforche
261
Then start Wt using:
262
263 42 Roel Standaert
    $ ./app.wt --https-address=0.0.0.0 \
264
        --ssl-certificate=server.pem \
265
        --ssl-private-key=server.key \
266
        --ssl-tmp-dh=dh2048.pem \
267
        --ssl-cipherlist='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
268 1 Pieter Libin
269
Noe that the ssl-cipherlist is necessary because many flows have been discovered in recent years regarding weaknesses in specific ciphers. With this list (which follows the recommendation of https://weakdh.org/sysadmin.html) you will avoid the use of weak ciphers.
270 5 Pieter Libin
271 22 Wim Dumon
Provide the password at the prompt.
272
273
To generate your own self-signed certificate:
274
275 42 Roel Standaert
    # This sequence is found all over the internet:
276
    openssl genrsa -des3 -out server.key 1024
277
    openssl req -new -key server.key -out server.csr
278
    cp server.key server.key.org
279
    openssl rsa -in server.key.org -out server.key # removes the passphrase
280
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
281
    # The PEM file is a combination of what is above:
282
    cat server.crt server.key server.crt > server.pem
283
284
Alternatively, a reverse proxy that terminates https can be deployed. This wiki page explains how this can be configured, and also explains how "let's encrypt" (free certificates for everyone) can be used in this configuration:  
285 41 Wim Dumon
http://redmine.webtoolkit.eu/projects/wt/wiki/Using_HAProxy_as_a_reverse_proxy_terminating_https
286 5 Pieter Libin
287 42 Roel Standaert
Trouble shooting
288
----------------
289 27 Wim Dumon
290 42 Roel Standaert
### Q: My application crashes, and my apache error log shows no information.
291 21 Koen Deforche
292 42 Roel Standaert
There is a known problem with mod\_fcgid: STDERR (including everything printed to std::cerr) is not saved to the apache error log.
293 1 Pieter Libin
294 42 Roel Standaert
Wt uses STDERR by default for all error reporting. You can use a different log file in your `wt_config.xml` file (<log-file>).
295 23 Ray Charlesson
296 42 Roel Standaert
You may also consider using mod\_fastcgi or the built-in web server (wthttpd) during development. The latter is especially convenient for development as it allows you to start from within a debugger, or diagnose memory-related problems with valgrind.