his chapter describes how to develop applications with LiveWire and Java-Script. For information on using JavaScript in client applications, see the JavaScript Guide.his chapter describes how to develop applications with LiveWire and Java-Script. For information on using JavaScript in client applications, see the JavaScript Guide.
Note: After installing an
application, you may
want to protect it.
See "Restricting
access to applications."
<FORM METHOD="post" ACTION="hangman.html">LiveWire forms can use either "get" or "post" as the value of the METHOD attribute.
Note:
LiveWire applications do not support file upload; that is, you cannot submit an INPUT element of TYPE="file" to a LiveWire application.
<SERVER> and follow them with </SERVER>. The tags can enclose a single statement or several statements. Do not use a SERVER tag inside another HTML tag.
<A HREF=...>, images <IMG SRC = ...>, or form element tags. Do not use backquotes to enclose JavaScript expressions outside HTML tags.
<P>This time you are <SERVER> write(request.newname) client.oldname = request.newname </SERVER>The first line generates HTML based on the value of request.newname. If request.newname is "Mr. Ed," then it will generate the following HTML:
<P>This time you are Mr. Ed.The second line in the excerpt simply performs a JavaScript statement, assigning the value of request.newname to client.oldname. It does not generate any HTML.
<TAG ATTRIB="value" [...ATTRIB=VAL]>where ATTRIB is an attribute and
"value" is its value. The bracketed expression indicates that any number of attribute/value pairs is possible.
Use backquotes (\Q) to enclose JavaScript expressions as substitutes for HTML attribute names or values. JavaScript embedded in HTML with backquotes automatically generates HTML; you do not need to use write.
For example, consider the following line from the Hangman sample application:
<IMG SRC=\Q"images/hang" + client.num_misses + ".gif"\Q>This line dynamically generates the name of the image to use based on the value of client.num_misses. The backquotes enclose a JavaScript expression that concatenates the string
"images/hang" with the integer value of client.num_misses and ".gif". The result is a string such as "images/hang0.gif" or "images/hang1.gif". JavaScript automatically converts the integer value to a string. The result is HTML such as
<IMG SRC="images/hang0.gif">The order of the quotation marks is critical. The backquote comes first, indicating that the following value is a JavaScript expression, consisting of a string (
"images/hang"), concatenated with an integer (client.num_misses), concatenated with another string (".gif"). JavaScript converts the entire expression to a string, and LiveWire adds the necessary quotation marks around the attribute value. You cannot put a JavaScript expression for an attribute value inside double quotation marks because it would be interpreted as the literal attribute value.
LiveWire automatically adds quotation marks around an attribute value when you enclose a JavaScript expression in backquotes; therefore do not provide them yourself (except for string literals, as in the preceding example).
For example, the anchor tag has attributes called HREF and NAME, among others. HREF makes the tag a hyperlink, and NAME makes it a named anchor. You could use the following script to create either a hyperlink or a target, depending on the value of the attrib and val properties of client:
<A \Qclient.attrib\Q = \Qclient.val\Q> Netscape Communications </A>You could use the following code before the preceding statement to set the properties according to a request variable:
<SERVER>
if (request.choice == "link") {
client.attrib = "HREF"
client.val = "http://www.netscape.com"
}
if (request.choice == "target") {
client.attrib = "NAME"
client.val = "NetHead"
}
</SERVER>
If request.choice is "link", the result would be
<A HREF="http://home.netscape.com"> Netscape Communications </A>If request.choice is
"target", the result would be
<A NAME="NetHead"> Netscape Communications </A>In both cases LiveWire adds the quotation marks around the attribute values produced in HTML.
<IMG SRC=\Q"images/hang" + client.num_misses + ".gif"\Q>you could write
<SERVER>
write("<IMG SRC="images/hang")
write(client.num_misses)
write(".gif">")
</SERVER>
Notice the backslash that lets you use a quotation mark inside a literal string. Although the resulting HTML is the same, in this case backquotes are preferable because the source is easier to read and edit.
web file from HTML and JavaScript source files.
Note:
Only pages containing server-side JavaScript need to be compiled.
lwcomp [-c|v|d|?] [-o outfile.web] [script1.html ...scriptn.html] [funct1.js ...functn.js]Items enclosed in square brackets are optional. The syntax is shown on multiple lines for clarity. There must be at least one HTML file or JavaScript source file.
For example, the following command compiles and links two LiveWire pages, main.html and hello.html, and a JavaScript file, support.js, creating a binary output file named myapp.web:
lwcomp -v -o myapp.web main.html hello.html support.js
Note: For more information, see "Using Application Manager."
Note: Unix only
You must stop and restart your server after you add new application with Application Manager on Unix servers. You can restart a server from your Server Manager; see your server's Administrator's Guide for more information.
When you install an application, be sure the application name you choose will not usurp an existing URL on your server. LiveWire will route all client requests for URLs that match the application URL to the directory specified for the web file. This will circumvent the server's normal document root. For example, if you have an application called "orders," when a client requests the URL
http://yourserver.yourdomain.com/orders
the user will get the LiveWire application; if you have an orders directory in your server document root, users will no longer be able to access it.
Protecting applications
You may want to restrict access to your application, particularly if the application provides access to sensitive information or capabilities. You can protect your application from unauthorized access as described in "Restricting access to applications."
If you are working on a development server inside a firewall, then you may not need to worry about restricting access while you are developing the application. It is convenient to have unrestricted access during development, and you may be able to assume that the application is safe from attack from inside the firewall. If you are using sample data during the development phase, then the risk will be even less. However, if you leave your application open, you should be aware that anyone who knows or guesses the application URL can use the application. When you finish development and are ready to deploy your application, you should reconsider how you want to protect it. For more information, see "Restricting access to applications."
Starting, restarting, and stopping applications
After you first install an application, you must start it to run it. Select the application in Application Manager and click Start. If LiveWire successfully starts the application, the status of the application, indicated in the right frame, will change from "stopped" to "active."
You can also start an application by loading the following URL:
http://server.domain/appmgr/control.html?name=appName&cmd=start
where appName is the application name.
You must restart an application each time you rebuild it. To restart an active application, select it in Application Manager and click Restart. Restarting essentially reinstalls the application; LiveWire will look for the specified web file. If there is not a valid web file, then LiveWire will generate an error.
You can also restart an application by loading the following URL:
http://server.domain/appmgr/control.html?name=appName&cmd=restart
If you want to stop an application, to make it inaccessible to users, select it in Application Manager and click Stop. You can also stop an application by loading the following URL:
http://server.domain/appmgr/control.html?name=appName&cmd=stop
To use the start, restart, or stop URLs you must have access privileges for Application Manager.
Running and debugging applications
Once you have compiled and installed an application, you can run it by
The server then generates HTML for the specified application page and sends it to the client.
http://server.domain/appmgr/trace.html?name=appNamewhere server.domain is your server and domain name and appName is the name of the application. To display the trace facility in the same window as the application (but in a separate frame), enter this URL:
http://server.domain/appmgr/debug.html?name=appNameTo use these URLs you must have access privileges to run Application Manager.
debug("Current Guess is ", request.guess)
displays the value of the guess property of the request object in the trace window along with some identifying text.
/etc/passwd). When accessing files in your application, take care that the file name cannot be modified by an attacker. For example, you should avoid using client properties for file names, since the values may be accessible to an attacker through cookies or URLs (depending on the client maintenance technique being used). In such cases, the attacker can modify cookie or URL values to gain access to sensitive files.
Using external libraries can compromise security if you the native program processes a command line entry from the user (for example, a program that allows you to enter operating system or shell commands). This functionality is dangerous because an attacker can attach additional commands using semicolon multi-statement syntax. It is best to avoid command lines, unless you strictly check the input.
In general, you should be suspicious of information from the client, including:
An attacker can manipulate data from these sources to allow access to unauthorized information or capabilities. You should never assume that data from any of these sources is trusted.
Deploying applications
After you have finished developing and testing your application, you are ready to deploy it so that it is available to its intended users. This involves two steps:
You should only move the application web file to the deployment server, along with any standard (uncompiled) HTML files required. In general, you should not deploy source files. You can move files with standard utilities such as FTP or with Site Manager, as described in "Deploying a site."
Note: Before making an application openly available, be sure to read "Security considerations."
Depending on the application, you might want to restrict access to certain groups or individuals. In some cases, you might want anyone to be able to run the application; in these cases you don't need to apply any restrictions at all. If the application displays sensitive information or provides access to the server file system, you should restrict access to authorized users who have the proper username and password, as described in the following section.
Restricting access to applications
You restrict access to an application by applying a server configuration style from your Server Manager. For complete information on using Server Manager and configuration styles, see your server Administrator's Guide.
Using the LiveWire configuration style
A configuration style called "LiveWire" is provided in the Server Manager. To restrict access to Application Manager, apply this style to the /appmgr and /dbadmin Application URLs. You can add other application URLS to this configuration style, or create new ones.
On a development server, you generally want to let developers have access to all LiveWire applications, including Application Manager. On a production (deployment) server, you should restrict access to Application Manager. You might not want to restrict access to other applications, or have less restriction on them. Therefore, you will probably want to create separate configuration styles for applications other than Application Manager.
To apply the LiveWire configuration style to an application: