VI International Conference of Unix at Uninet
  • Presentation
  • Register
  • Program
  • Organizing Comittee
  • Listing of registered people
  • Translators team
@OrozHello everyone
@OrozFirst, as you probably already know Polkan Garcia talk that ws initially schedule for today has been moved to 18.00 GMT on Sunday
@OrozBut  now it's time for Jose Nazario's talk titled "Writing web applications with python webapp frameorks"
@OrozJose is an Openbsd developer and security analyst from Ann Arbor, United States
@OrozThe slied for this talk are on his website:
@Orozhttp://monkey.org/~jose/presentations/umeet05/slides/
@Orozas usual you can ask questions at any time in #qc
@OrozJose,
@Orozall yours
@jose_nthank you oroz.
@jose_nhola a todos, thanks everyone for coming. my name is jose nazario
@jose_nand i'm goin gto be talking about building web applications in
@jose_npython using some simple components.
@jose_ni'll be referring to slides, so please follow along.
@jose_n
@jose_n[slide 1]
@jose_nhere's a brief overview of the talk. i'm going to introduce the two
@jose_nmain paradigms of this talk, web app frameworks and the MVC model
@jose_nof programming, in the next few slides.
@jose_ni'll then focus on the
@jose_nactual python frameworks we're using in this demo and how they fit
@jose_ntogether to form a working application. and finally i'll be sharing
@jose_nthe code i wrote as the demos, aka "bloggy", a simple blogging system.
@jose_n
@jose_n[slide 2]
@jose_nweb app frameworks are just that, pieces of code that let you write
@jose_nyour functional web app veyr quickly.
@jose_nthey contain a number of pieces
@jose_nthat let you get right to it. this can include "boilerplate" code,
@jose_nor code that you'd write every time for almost every app.
@jose_n
@jose_nyou can write web applications in a framework like the ones i'll
@jose_nbe introducing, or you can write you own using pre-existing components.
@jose_nwe're going to mix these two, using the CherryPy web handler framework
@jose_nand some components to extend its functionality.
@jose_n
@jose_nthe important thing about any framework is that it typically lets you
@jose_nget right to the very important bits of your application quickly. they
@jose_nhandle the heavy lifting of handling user requests and such, letting
@jose_nyou focus on getting your specific needs met.
@jose_n
@jose_ni've been using the frameworks described here (CherryPy, SQLObject,
@jose_nand even Django) at work and in some applicatins i've been writing
@jose_noutside of work, as well. i've found them to be feature filled and
@jose_nuseful for getting my job done quickly.
@jose_none of the things i wrote
@jose_nthis week was a simple, lightweight interface to our vulnerability
@jose_nand malware writeup database. took me about 2 hours and was done
@jose_nin under a few hundred lines of code when it was complete.
@jose_n
@jose_n[slide 3]
@jose_nthe main paradigm we're using here is the Model-View-Controll design.
@jose_nwe're going to clearly split the requirements of our application
@jose_nacross these boundaries, making it easy to manage the code.
@jose_n
@jose_nthe model refers to the data model, in this case an SQL-backed app.
@jose_nyou can use any back end, including flat files or directories, but
@jose_nthe idea is the same.
@jose_n you make this a clearly managed piece of code
@jose_nand you can change it as needed. the view handles how the user will
@jose_nsee the data presented to them, such as blog posts or customer
@jose_nentries. and finally the controller is the piece of the app that
@jose_nmediates this interaction, including reading and writing.
@jose_n
@jose_n[slide 4]
@jose_nslides: http://monkey.org/~jose/presentations/umeet05/slides/
@jose_n
@jose_nthe benefits of this modular stack that we have here - CherryPy,
@jose_nCherryTemplate, SQLObject and FormEncode - is that by having modular
@jose_ncode, we can separate our use of these components and speed up
@jose_ndevelopment.
@jose_n we can extend it easily, especially in an object
@jose_noriented language like python, where we can inherit the classes
@jose_nto extend them.
@jose_n
@jose_nthe nice thing about these modules is that they're flexible, meaning
@jose_nwe can use them for a variety of purposes. also, they leave the
@jose_ngrunt work - handling web browser requests, writing SQL queries -
@jose_nto the module, and we get a simple interface.
@jose_n
@jose_nif you've ever programmed in PHP or a CGI-BIN application language like
@jose_nPerl, compare the code here to what you had to do before. you'll see
@jose_nthat it's easier, and much easier to maintain. PHP, which i've done
@jose_na lot of work in for myself, suffers from mixing all of this without
@jose_nthe use of some newer packages.
@jose_nalmost any CGI-BIN app will have
@jose_nto print out the HTML itself, making it a pain to manage the actual
@jose_nlogic within that mess. simply put, i can't go back, and i hope you
@jose_nsee the benefits here, too.
@jose_n [slide 5]
@jose_n
@jose_nour demo app is "bloggy" a dead simple codebase that you can take
@jose_nwith you to explore and play with. it's a simple blogging system,
@jose_nnot suitable for real world use, but it illustrates these ideas
@jose_ncleanly, i hope.
@jose_nyou can create posts and browse them easily. if
@jose_nyou want to extend it, go for it. you'd probably do much the same
@jose_nif you wrote a full featured blogging system you'd probably do
@jose_nsomethin like this at the core of the app. anyhow, we'll be using
@jose_nthis code in the next few slides.
@jose_n
@jose_nthe code is here: http://monkey.org/~jose/presentations/umeet05/
@jose_ni wrote it using Postgres on OS X, but it's highly retargetable to
@jose_nany supported DB and and platform supported by python.
@jose_n
@jose_n[slide 6]
@jose_nthis is the simple view of the bloggy index, so posts by title and
@jose_ndate. nothing fancy, and clearly i'm no guru of web design. i leave
@jose_nthe sytles to someone else.
@jose_n
@jose_n[slide 7]
@jose_nhere's a specific post, you can see how you can essentially drill into
@jose_na post from that index page. pretty simple, eh? and just like you'd
@jose_ndo if you were browsing a full featured and mature blogging system.
@jose_n
@jose_n[slide 8]
@jose_nslides: http://monkey.org/~jose/presentations/umeet05/slides/
@jose_n
@jose_nfirst up, the main component here, CherryPy. this is a simple
@jose_nweb app framework, handling requests and mapping them to the
@jose_ncode. in CherryPy (or CP), web directories are under the "root"
@jose_nobject as their own objects, and pages and vews are methods of
@jose_nthose objects.
@jose_n
@jose_nthis is the CherryPy website: http://www.cherrypy.org/
@jose_n
@jose_nthis will be more clean when i show you some code in the next few
@jose_nslides, but think about it this way: it's a simple, intuitive way
@jose_nto map requests to your code to handle it. CP handles the request
@jose_nand maps the arguments given to it (in the GET or POST methods) to
@jose_nthe code for you to handle.
@jose_n
@jose_none major drawback of CP is that it wont run as a CGI, so some hosting
@jose_nproviders wont be available to host your app. it works best
@jose_nbehind apache and ProxyPass.
@jose_n
@jose_n[slide 9]
@jose_nover the next two slides, you'll see the actual code from CP that
@jose_ncreates a simple standalone web application. we have our SQLObject
@jose_nimports (and our model, which we'll explain later), but the key thing
@jose_nhere is the root class. the __init__() method handles the database
@jose_nconnection in our case. but on the next slide, we can see the main
@jose_npage and the app setup.
@jose_n
@jose_n[slide 10]
@jose_nthe index method is the base directory, "/", of the web app. when
@jose_nwe go to 10.10.10.11 (my IP in this case) as http://10.10.10.11:8080/
@jose_nwe get this method called.
@jose_n
@jose_nnotice "index.exposed = True", this attribute says that the CP server
@jose_ncan expose this to web clients. if you had a method under the Root
@jose_nobject that wasn't supposed to be exposed, set this to False.
@jose_n
@jose_nthe main() function starts it up. the configuration tells the server
@jose_nhow to behave:
@jose_n
@jose_nOcho:~/python/bloggy jose$ cat simple.conf
@jose_n[global]
@jose_nserver.socketPort = 8080
@jose_nserver.logToScreen = True
@jose_nserver.socketHost = '0.0.0.0'
@jose_n
@jose_nwe listen for any requests coming in on port 8080 and log to the
@jose_nscreen, useful for dev/testing work.
@jose_n
@jose_n[slide 11]
@jose_nthis rehashes some of what i said in the previous slides, but you
@jose_nget the idea. mapping requests and arguments to code in a simple
@jose_nfashion. arguments can be passed in as a named argument in a
@jose_nGET request (or a POST request), like this:
@jose_n        def index(self, q): ...
@jose_nto handle
@jose_n        http://10.10.10.11/q=test
@jose_nor you can handle them as a dictionary with lots of pieces and take
@jose_nit apart inside your code.
@jose_n
@jose_n[slide 12]
@jose_nslides: http://monkey.org/~jose/presentations/umeet05/slides/
@jose_n
@jose_nto complement this, we use CherryTemplate to create dynamic web pages.
@jose_nwe embed python in the pages and it gets evaluated.
@jose_n
@jose_nlink: http://cherrytemplate.python-hosting.com/
@jose_n
@jose_nCherryTemplate (or CT) has access to the variants in the scope
@jose_nwhere the method renderTemplate() is called. we get some nice stuff
@jose_nin CT, including iterators, conditional expressions, and variable
@jose_nreference.
@jose_n
@jose_nas in any good MVC app, leave the logic of the controller inside
@jose_nthe app and leave only the bits needed for the view in the template.
@jose_n
@jose_n[slide 13]
@jose_nhere's an example template from bloggy, see how the CT specific
@jose_nbits are highlighted in red. you can wrap any HTML around this,
@jose_nincluding CSS or javascript. very easy to use!
@jose_n
@jose_nhere we loop over the posts and print the link to the post by
@jose_nID and list the title and the date.
@jose_n  
@jose_nagain, i think this is pretty easy and illustrates a powerful web
@jose_napp design technique. nothing too complicated here, and that's good!
@jose_n
@jose_n[slide 14]
@jose_nto render a template, CherryPy actually returns the generated
@jose_nstring. we use renderTemplate from CherryTemplate to go over the
@jose_nHTML template and fill it out.
@jose_n
@jose_nwe call them as files in this case, but we could have used a static
@jose_nstring if we wanted. the key thing here is that by making it files,
@jose_nwe split up the maintenance of this and make it easy to find what
@jose_nmatters to us.
@jose_n if you have web designers, they can work on the
@jose_nlayout and markup and you can keep working on the logic.
@jose_n
@jose_n[slide 15]
@jose_nhere's a few more templating languages:
@jose_nkid, which is very powerful as well, but i didn't like the syntax.
@jose_nCheetahTemplate, which i think predates CherryTemplate, and is a lot
@jose_nlike Python server pages.
@jose_nMyghty, which is inspired by the Perl HTML::Mason framework but
@jose_nlacks very good beginner docs.
@jose_nand Python Server Pages, which are very powerful but complicated.
@jose_ni like CherryTemplate: it's easy to use, powerful, and not complicated.
@jose_n
@jose_n[slide 16]
@jose_nslides: http://monkey.org/~jose/presentations/umeet05/slides/
@jose_n
@jose_nSQLObject is our big, heavy lifter here. if you've written a lot
@jose_nof SQL, you know it can be a pain to manage. instead, we use an
@jose_nobject-relation mapper like SQLObject to do that heavy lifting for us.
@jose_nwe can interface to most popular databases and change that on the
@jose_nfly with little, if any, work involved. it also uses native Python
@jose_ndata types, and lets us do everything we want from our database:
@jose_nselects, joins, updates, and even table management.
@jose_n
@jose_n[slide 17]
@jose_nhere's Bloggy's simple model. we have a table, BlogPost, that has
@jose_nthree columns: a post title, a body, and a date. SQLObject now
@jose_nuses this for everything to access and manage that table and
@jose_nthe rows within it.
@jose_nwe map the types to SQLObject column types,
@jose_nso it knows what to expect from them and how to deliver data
@jose_nto them. very easy!
@jose_n
@jose_n[slide 18]
@jose_nto create the table, i usually make a simple script like this
@jose_ninitialization script. i create the tables as needed and voila,
@jose_nSQLObject has done the work for me.
@jose_n
@jose_ndeleting tables is also easy, and is also managed using SQLObject.
@jose_n(ie TableName.deleteTable())
@jose_n
@jose_n[slide 19]
@jose_nhere are the results of our createTable() calls as viewed in
@jose_nPostgres. we can see tat it creates two things implicitely. first
@jose_nis an "id" column, which is the primary key of the table. the
@jose_nsecond is the table for the index on that table. we can make
@jose_nmore indices if we want, and add constraints easily.
@jose_n
@jose_n[slide 20]
@jose_nslides: http://monkey.org/~jose/presentations/umeet05/slides/
@jose_n
@jose_nSQLObject link: http://sqlobject.org/
@jose_n
@jose_nsome more, unrelated examples, showing how to cross reference tables
@jose_nusing a foreign key, and how to make database indices, even with
@jose_nthe UNIQUE constraint!
@jose_n
@jose_nall very easy, thanks to SQLObject.
@jose_n
@jose_n[slide 21]
@jose_nwith SQLObject, adding data is very easy. you just call the class
@jose_nand fill out the fields appropriately. it will create the database
@jose_nrow for you, or it will bump up an exception if something has failed.
@jose_n
@jose_nto access the data you can select using any requirements you want.
@jose_nfor example, model.Mytable.select(model.Mytable.q.id == 1) would get
@jose_nthe row where "id = 1". this returns a list of results.
@jose_n
@jose_nfinally, to update, we can just access the feature we have and reassign
@jose_nthe attribute:
@jose_n        m = model.Mytable.select(model.Mytable.q.id == 1)[0]
@jose_n        m.title = "This is my new title"
@jose_nand voila, it's updated.
@jose_n
@jose_n[slide 22]
@jose_nfinally, FormEncode, which lets us enforce the data mode using validators.
@jose_nthese validators operate on user-supplied data (from an HTML form) and
@jose_nhelp us ensure that the data maintains its integrity.
@jose_nin a few lines
@jose_nof code, and bubble up errors to the user cleanly. what's even
@jose_nnicer is that it maps stuff to a format usable by SQLObject, which
@jose_nis just native Python data types.
@jose_nlink: http://formencode.org/
@jose_n
@jose_n[slide 23]
@jose_nthe schemas used by FormEncode are a lot like the models used by
@jose_nSQLObject. we can allow extra fields in the form, which is handy
@jose_nif you have a form that will input into multiple tables and
@jose_nschemas, and you can filter them per-schema.
@jose_n
@jose_nthe validators are almost like the types in SQLObject, and you
@jose_ncan enforce any criteria you want on the input stream. you can
@jose_nalso write your own validators, if you want to enfoce a format
@jose_nof the data.
@jose_n
@jose_n[slide 24]
@jose_nthis is a modified CherryTemplate file showing you the places we bubble
@jose_nup the errors to the user. once rendered by the error form, they
@jose_nget wrapped in a CSS class that lets us change the color to red,
@jose_nfor example (to make it highly visible). again, very easy.
@jose_n
@jose_nslides: http://monkey.org/~jose/presentations/umeet05/slides/
@jose_n
@jose_n[slide 25]
@jose_nthis is how we use FormEncode in our controller code. we basically
@jose_nrun the form through the validator using htmlform.HTMLForm()
@jose_nand then look for any errors after we call the "validate" method
@jose_non the resluting HTMLForm object.
@jose_n
@jose_nif we get any errors, we bubble up an error form (shown on the next
@jose_nslide) to the user. if not, everything must be ok, so we pass it
@jose_non to the database for finally inserting it.
@jose_n
@jose_nvoila, we have a new entry in our blog!
@jose_n
@jose_n[slide 26]
@jose_nagain, a rehash of what was just said. we get user input in, we
@jose_ncompare it against our scheme using validators, and if we have
@jose_nany errors, tell the user to try again. if not, we accept the
@jose_ndata.
@jose_n
@jose_nvery easy to do, an it only adds a few lines of code.
@jose_n
@jose_n[slide 27]
@jose_nthis shows you how it looks to the user if an error has been
@jose_nfound in our code. namely, a useful error is bubbled up telling
@jose_nthe user that a problem was encountered.
@jose_n
@jose_nvery easy to do! (i keep saying that, but it's true)
@jose_n
@jose_n
@jose_n[slide 28]
@jose_nand we're at the end, hopefully i've shown you how to use these
@jose_nsimple components together in a robust web application framework.
@jose_nthese pieces fit together nicely, and leave you able to focus on
@jose_nthe bits that matter, namely how do you get your app's logic working.
@jose_nno complicated SQL, no need to manage HTTP requests, and CherryPy
@jose_ncan even manage sessions for you. and finally, very simple but
@jose_nrobust form validation, preserving your data's integrity.
@jose_n  
@jose_nwhat's amazing to me is that Bloggy was only 80 lines of Python
@jose_nand 40 lines of HTML templates, hopefully ilustrating how easy it
@jose_nis to get a functional application up and running.
@jose_n
@jose_nenjoy, and hopefully Bloggy and the methods shown here are useful
@jose_nto you for your own application development.
@jose_n
@jose_nthanks!
@jose_n
@jose_n(slide 29 is just a list of related frameworks .. some easy t use, some not so easy, but you get the idea.)
@jose_nthank yo oroz!
@Oroz:)
@jose_nalejandro was asking in #qc how well CP and these tools protect your data against insertions or data integrity attacks
@jose_nto the best of my knowledge they do so very well ... i haven't figured out a way to do SQL injection in SQLObject-based apps yet ...
DrFritzanyone experienced in pda programing?
@jose_nXSS will bea matter of your own app's development, mind you ...
@jose_nthank you MJesus_ :)
@alejandronice, SQL Object uses a mechanism similar to using Prepared Statements?
@MJesus_thank you  very much, indeed!
DrFritzany PDA coder?
@alejandrogood talk jose_n. :-)
@jose_nalejandro: maybe ...
* Salva res
@jose_ni haven't looked too closely, but i think so (along with simple simple sanitization)
@jose_nerr simple input sanitization (ie scrubs ';' or what not)
@alejandrothen it's hard to identify risks using these frameworks
@alejandroin .net framework there is validation per page and it mitigates some known vulnerabilities
@alejandrobut I think there doesnt exist a way to mitigate these problems yet when you develop web applications
@alejandrobecause developers doesnt mind of validation, so we will have again security problems
@alejandrojose_n: how integrated are these frameworks with Web 2.0? using Ajax, EXL, etc?
@jose_nalejandro: not familiar with EXL, but you can easily layer someting like AJAX components on this, sure
@jose_ntat'd be more at the view layer of the stack
@jose_nvery easy to do, they integrate nicely with that model
@jose_nie the Prototype.js lib or Rico or what have you ..
@alejandrojose_n: I dont know if Web 2.0 is going to expose new security problems and more now with iniciatives like Web Desktop (google desktop, etc)
@jose_nso far it has exposed some new classes of problems quite nicely :)
@alejandroheh, ok thanks.
@alejandrogood talk jose_n and thanks for your talk.
@jose_nto be fair, RoR is pretty hot and very feature rich
@jose_nsome features of Ruby lend itself more positively to web programming than does python, ie continuations
@jose_n:)
@jose_nthank you everyone :) thanks to the organizers for anoher great umeet!
@jose_n:)
@Orozthanks jose_n
Maxplas
@MJesus_oh Jose, the great umeet, is also for you and your nice presentations!
@OrozMax: don't be shy ;)
@MJesus_jeje
@OrozThanks one more time jose_n
@Oroznext talk would be tomorrow at 18GMT, in 22 hours and 30 minutes
@Orozby Polkan Garcia about Inteligent agents embedded in the kernel
genesisclap clap

Generated by irclog2html.pl 2.1 by Jeff Waugh - find it at freshmeat.net!

© 2005 - www.uninet.edu - Contact Organizing Comittee - Valid XHTML - Valid CSS - Based on a design by Raul Pérez Justicia