How to use CXP pages with eXpress++ library functions

[bwolfsohn]

I have no experience with the performance and security issues. I would think that since every call from the Web Server is to a CXP page that Xbase++ would be able to handle the security. It all depends on what you mean by security problems. Apache is all over the web, running millions of web sites. Are you saying that the security issue is with the Microsoft platform vs Linux?

No, the security issue is with the webserver sitting outside xbase either IIS or apache. Yes, there all over the web, but, that have security issues... all the time... that's why they have to be constantly updated to address these issues.. That's fine for experienced web personnel, but that's not who we're dealing with...

iis and apache allow anything. you have to disallow what you don't want exposed. xb2net only allows what you tell it to, everything else is disallowed automatically.

as far as every call is to a cxp page, that's legitimate calls... there's nothing to prevent the webserver being hit by 1000's of hack attempts looking for weaknesses, looking for holes... when the default is open and you have to close things you don't want to show,. there will be holes...

[rdonnay]

iis and apache allow anything. you have to disallow what you don't want exposed. xb2net only allows what you tell it to, everything else is disallowed automatically.

I agree. This is why I have always like Xb2.Net.
If Boris can implement fastCGI in Xb2.Net, then Alaska should be able to do so with their WebHandler class. This is just like Xb2.Net but not yet as robust. I found it very easy to rewrite my Web Server in Xbase++ 2.0 and no Xb2.net. It doesn't handle CXP pages, but maybe that's coming. I will have to ask Steffen or Andreas.

[Cliff Wiernik]

>>
SSL is always handled by the Web Server so there is no need for CXP to do this. Xb2.Net had to support it because it is acting as a Web Server. A https request will automatically be secure via IIS or Apache.
>>

That is what I was thinking, but if you wanted to have Xbase++ be a webserver or provide a webserver or straight web services environment, without using Apache or IIs, then if you need SSL, that is not yet capable with Xbase++2.0. Is the accurate.

[bwolfsohn]

>>
SSL is always handled by the Web Server so there is no need for CXP to do this. Xb2.Net had to support it because it is acting as a Web Server. A https request will automatically be secure via IIS or Apache.
>>

That is what I was thinking, but if you wanted to have Xbase++ be a webserver or provide a webserver or straight web services environment, without using Apache or IIs, then if you need SSL, that is not yet capable with Xbase++2.0. Is the accurate.

Cliff,

I'm not sure about what you said... (i don'tfollow triple negatives very well)

We've implemented ssl with xb2net. no problem..
we have no other web stuiff installed on our servers except our xb2net applications.. No IIS no apache, no ftp.

[Cliff Wiernik]

What I am saying is. Xbase++ can provide a webserver, just like Xb2net. However, since it does not provide SSL at the server side, it cannot be used for secure application needs. You need Xb2net. Or you need to use Xbase++ and CXP to go through Apache/IIs, where it provides the SSL communications.

In addition, if I want to provide webservices, in a similar fashion to how we get CC approvals from VirtualMerchant, but with our side as the provider, you need SSL at the server side. For example, we have outside parties that submit credit application, we pull credit reports and submit a response approving/declining the application. The incoming application must be secure and potentially requires a specific SSL certificate to be loaded at the client side. With Xb2net, we can handle providing the SSL connection and process the data using either SOAP or a restful API. Using straight Xbase++ 2.0 webservices, this would not be able be done. We would have to work through an Apache/IIs server to provide this.

This is the point of my comment. You cannot program a server in just Xbase++2.0, like you can with xb2net, and do the same thing. You need to through apache/IIs into the mix to be secure on the server side.

Now using Xbase++2.0 as the client to access outside services, that can be done as Xbase++2.0 currently supports SSL from the client side by using the workstations buildin features.

1. Need SSL
2. Providing webservices, like SOAP or RESTFUL calls
3. Don't want to use Apache or IIs (Something similar to the webserve.prg sample in xb2net)

That is what I am saying.

[bwolfsohn]

got it..

and you're correct..
for now..

Hopefully, boris will come up with a way of integrating cxp into xb2net. we're been doing something very similar for years...

[rdonnay]

Hopefully, boris will come up with a way of integrating cxp into xb2net. we're been doing something very similar for years...

I have new information about the topics of SSL, CXP and Xbase++ 2.0.

HttpEndPoint uses the Microsoft sockets layer now, meaning that SSL is automatically supported.
There is no requirement for OpenSSL (which is used by Xb2.Net and Stunnel).

The only thing that Alaska has not finished is the documentation on how to assign a certificate.
Steffen says that this is coming.

Additionally, HttpEndPoint also works with CXP pages. I have a small webserver I wrote using HttpEndPoint and WebHandler that now supports CXP with no other web server required. It works very well and I will be posting the source and samples for it soon.

This will solve the security issues and the latency issues that you would experience if running CXP via a web server and fastCGI. There is NO web server and NO fastCGI required.

[bwolfsohn]

This will solve the security issues and the latency issues that you would experience if running CXP via a web server and fastCGI. There is NO web server and NO fastCGI required.

now THAT is an approach that would work and be scalable..

[Cliff Wiernik]

So HttpEndPoint() supports both sides of the equation, where the Xbase++2.0 application is a client accessing other services using SSL as a client of those services and as a provider of those services, where outside entities, be they Xbase++2.0 programs or any other programming language supporting web services accessing the Xbase++2.0 application providing those services via SSL.

So HttpEndPoint can be used to create the functional equivalent of the xb2net webserve.prg example program, which supports both http:// and https://.