Web Programming Unleashed
Microsoft Implementation Approach
by Rob McGregor
- Communications Technology Background
- Overview of Windows Communications
- Internet Security Through Code Signing
This chapter provides an overview of Microsoft's approach to communications across the Internet. It covers the various levels of communications programming support provided by Win32 APIs and MFC classes. First, you'll get a crash course in computer communications technology, and then you'll look at some of the tools Microsoft provides for Windows programmers to make Windows applications "Internet aware" and to extend client services with ActiveX controls. Finally, you look at security issues relative to Internet application
Many communications APIs and Internet programming tools are available for Windows programmers, and all these tools have several things in common: They all provide solutions for communications problems of one sort or another, and they all use standardized protocols to transmit the information they work with from one computer to another using data streams. The remainder of this book provides overviews and details of the most significant of these services and tools. But before you get into the specifics of what's available, the following sections take a quick look at networks and how they relate to the Internet.
When two or more computers are linked together and can transmit data to each other, you have a network. Admittedly, this is an oversimplification, but the underlying idea is true. Although there are many reasons to connect computers into networks (or, to coin a verb, to network the computers), most networks are created for two reasons:
- To enable people to communicate. Networked computers sending data back and forth over a network are really just another means for people to communicate.
- To enable people to share resources. Applications and services on a network can be used by anyone who has access to the network. These shared resources free up other valuable resources that can be used for other things.
Although networks are composed of computers and the peripheral hardware that make the magic happen, networks are really just about people communicating more efficiently and saving money by sharing. (And you thought sharing was just kid stuff!)
Communication over a network often involves sending mail and documents or files from one person to another, which is often much more convenient than an audio-only telephone call. If the network has an Internet connection, the mail, documents, and files can be sent to anyone, anywhere in the world, who has Internet access!
Sharing over a network can save money by enabling several users to share the same spreadsheet or word processor applications and by enabling them to print the resulting documents using a shared printer. Emerging technologies promise to enable this type of resource sharing right from a Web browser in the very near future!
Local Area Networks (LANs) and Wide Area Networks (WANs)
A local area network (LAN) is a network composed of computer workstations directly connected together, often by a direct cable connection. A wide area network (WAN) is a group of LANs connected together, usually with telephone lines. The Internet is composed of uncounted wide area connections that typically use phone lines to transmit data streams. The lack of an advanced, standardized, reliable telephone system is the main source of data bottlenecks in LANs, WANs, and the Internet. Data can stream only as fast as the local phone service allows.
Suppose that the computers in your department in the corporate headquarters building are connected with a LAN. Now imagine that other LANs in other buildings also exist. Each LAN can connect to a high-speed link, called a backbone, to create a WAN. Special-purpose computers called routers are used to connect LANs into WANs and to connect WANs into bigger WANs. These routers also provide connections to the outside world and enable LANs and WANs from one organization to connect to those in another organization. If you can imagine the millions of routers connected to LANs and WANs of computer networks worldwide, you can begin to get a glimpse of the awesome power of the Internet! The sheer volume of information stored on these diverse networks, all connected through the Internet, is absolutely staggering.
The principal way computers communicate with one another is through the use of the client/server communication model. Recall that sharing resources is one of the main uses of networks. Most of the time, resource sharing is enabled through the use of two programs working in harmony. A server program, also referred to as just "the server," is responsible for providing the resources to a client program, also referred to as just "the client." Sounds pretty simple, doesn't it? The server provides resources, and the client uses them. Of course, it gets more complex.
Clients and servers typically run on separate machines. For example, you can request stock quotes from a server in New York from your yacht somewhere off the coast of Australia by using a cellular satellite connection. (It's said that common folks like Bill Gates often do this sort of thing.) In this example, the client computer in Australia accesses the server computer in New York, a connection is made, and the client and server programs cooperate to achieve the desired result. This is the client/server relationship.
All Internet services are provided using client/server relationships, and much of the effort expended in learning to use the Internet is really effort expended in learning to use the client software that connects and communicates with the Internet server software. As a developer of Internet-aware applications, you must be aware of both sides of the coin and must have a working knowledge of how both client and server work and communicate.
Most computer systems communicate with the outside world using a modem and the Internet; Internet servers typically use modems to send and receive data to and from their clients. So what is a modem, anyway? A modem is a hardware device that translates data from digital to analog and vice versa. In fact, the name modem itself reflects this functionality.
A modem translates digital data from a computer into an analog signal that can be transmitted over a telephone line. This process is called modulation. When the signal from the telephone line reaches another modem, it's converted back to its original digital representation. This process is called demodulation. The operations of MODulation and DEModulation gave the modem its name.
Modems use various transmission protocols; the modems communicating across the phone line must use the same protocol if they are to understand each other. To put this in perspective, think of the various modem protocols in terms of different spoken languages. If a person who speaks only English has a phone conversation with another person who speaks only Spanish, the result isn't very productive.
Windows communications programming isn't just a hot topic; it's almost a necessity these days. Face it: The Internet has been with us in one form or another for nearly 30 years, and it's here to stay. With the advent of the World Wide Web a few years back, and the explosion of Web interest across the globe, it's imperative that today's Windows programmer understand communications programming. In fact, "communications programming" is very nearly synonymous with "Internet programming" these days!
That's not to say that you must become an expert in every facet of communications and Internet programming or commit complex Internet protocols and obscure modem commands to memory. Today's Windows programmer has a great advantage over the programmers of yesteryear. What is this advantage? Experience. Not your own personal experience, perhaps, but you'll definitely benefit from the combined experience of the thousands of programmers who have gone before: those legions of communications gurus who have harnessed the Internet and the Web and made it what it is today.
And those communications gurus aren't really any different from you. Like all good programmers, they don't like to reinvent the wheel, so they've created volumes of code libraries, classes, and components to save themselves (and you!) the time and effort of doing it all over again. Now that's a bargain! Time is money, and many advanced tools are now available for Windows programmers that enable you to just dive in and start hacking out sophisticated communications applications, most with very little time and effort (comparatively speaking).
Microsoft programmers have been busily working over the last several years putting together useful APIs and MFC classes to make the tasks involved in communications programming easier and easier. This part of the book discusses several of these handy, reusable tools and shows several sample programs that can help get you started on the road to creating your own communications masterpieces. The remainder of this chapter introduces some of the technologies integral to Windows communications programming.
The Windows Sockets (WinSock) specification enables applications to communicate with each other across networks (including the granddaddy of all networks, the Internet) by means of "socket" communications objects. In general, Windows Sockets are low-level, advanced communications functions that enable a client computer to communicate transparently with a distant host and vice versa. Microsoft has worked with standards committees over the last several years to develop a comprehensive application programming interface for Windows Sockets: the WinSock API.
MFC wraps the complexity of the WinSock API into classes that make it easier to integrate this technology into your applications. Although these low-level classes require some knowledge of socket programming, MFC does a good job of reducing programming tasks. Two classes are provided by MFC for basic socket communications:
- Class CAsyncSocket, which encapsulates the WinSock API. For programmers who know network programming, this class gives low-level access to the WinSock API along with network event callback functions.
- Class CSocket, which provides a high-level interface to WinSock.
Microsoft has unveiled a new API for creating Internet-enabled applications more quickly and easily than ever before: the Win32 Internet (WinInet) API. This API provides intermediate-to-advanced-level communications functions that enable you to access the main Internet protocols fairly easily. These functions use the familiar Win32 API style and provide a layer of insulation between you and the underlying WinSock implementation that drives it. Here are the four fairly well-defined WinInet API function categories:
- General-purpose WinInet functions
- WinInet File Transfer Protocol (FTP) functions
- WinInet Gopher functions
- WinInet HyperText Transfer Protocol (HTTP) functions
Admittedly, the WinInet API is still evolving. At the time of this writing, it is still in beta versions. To help make WinInet more standardized as the specification is revised, MFC 4.2 encapsulates the WinInet API within a set of classes that use immutable interfaces. Changes to the underlying API specification will affect the MFC classes only internally. The down side to this arrangement is that these classes are available only with MFC 4.2 (and a Visual C++ subscription).
Microsoft's Internet client architecture has been dubbed Sweeper. Sweeper is an API built on Win32 and OLE; it gives you the ability to Internet-enable your applications. Sweeper includes support for extensibility and scripting, asynchronous access, caching, and navigation. Sweeper is composed of a set of redistributable modules that you can use in any Windows-based application. The underlying technology is OLE, and the buzzword is ActiveX.
Most of the functionality provided by Sweeper is present in the Microsoft Internet Explorer 3.0 (IE3), Microsoft's standards-based Internet browser application. IE3 is split into a set of ActiveX components and services that will soon become an integral part of all Windows operating systems. This is good news for developers because, like the Win32 API, the libraries and components needed to use the coolest features of Windows will ship with every copy sold!
The Internet Information Server
The Windows NT Server network operating system (NOS) is Microsoft's top-end system and is quickly becoming the favored operating system for new Web servers. The NT Server networking operating system provides a secure, robust environment with which many types of networks can interact without a hitch, a feature that makes Windows NT Server well-suited for the Internet. The release of Windows NT Server 4.0 has brought the ease of use of the modern Windows 95 interface to what is arguably the best, most robust NOS ever created.
The Microsoft Internet Information Server (IIS) is the only World Wide Web server tightly integrated with the Microsoft Windows NT Server NOS. IIS is designed to deliver a wide range of Internet and intranet server capabilities; it delivers high performance, excellent security, and ease of management on the Windows NT Server platform.
The goals of IIS are to be the fastest information server and to enable the server to be extended. How do you extend the server? Through a new open API designed specifically with IIS in mind: the Internet Server API (ISAPI). ISAPI provides you with the tools you need in order to create high-performance, efficient, and secure commercial add-ons for Internet servers that comply with the new IIS standard. In fact, to promote the IIS standard, Microsoft is encouraging other server vendors to adopt ISAPI so that developers can write to a single set of code that will work on several Internet server platforms. In MFC 4.1 and above, the ISAPI is wrapped by MFC classes that, in typical MFC style, make it easier to program.
ISAPI programming can radically enhance Windows NT Server and IIS by enabling programmers to create custom applications for the Internet and intranet.
ActiveX controls combine the best features of standard OLE controls with the exciting environment of the Web browser. ActiveX technology is changing the Internet, and Microsoft has announced an open ActiveX standard to ensure that industry titans and smaller third-party developers alike can use this new twist on OLE/COM technology. A typical ActiveX control enhances a Web page by providing interactivity, animation, and OLE Automation programmability through scripting languages.
ActiveX controls can be programmed within a Web page by scripting languages such as Microsoft's Visual Basic, Scripting Edition (the founding father of the modern Web browser) and Sun (creator of the Java language).
Of course, ActiveX controls also are OLE controls and can be used in programming environments that support OCXs, such as Visual C++ 4.x, Visual Basic 4.0, and Delphi 2.0.
The Messaging API (MAPI) is based on a powerful object-oriented interface that uses the Component Object Model (COM) as the underlying model for object interaction. MAPI defines a set of objects with many features that enable client applications to give users access to message or recipient properties and customized views of message and address book information.
In addition to full-blown, low-level MAPI, three API sets provide a higher-level interface to support a full range of client application development. These additional APIs are Common Messaging Calls (CMC), Simple MAPI, and the OLE Messaging Library. These APIs provide messaging capabilities for C, C++, Delphi, and Visual Basic programmers and are easier to use and understand.
All types of client applications can use the powerful and complex MAPI interface, but the less-complex Simple MAPI is usually sufficient to create messaging-aware and messaging-enabled applications.
As you're probably aware (and if you aren't, you should be!), computer viruses, Trojan horses, and other assorted malicious-code nastiness pose a major security threat to networked systems. On a constantly changing and growing global network the size of the Internet, it's simply impossible to keep viruses and their brethren at bay. The truth is, infected code of one form or another runs rampant in many systems, and code safety is a major concern for developers and for users of Internet applications (including ActiveX controls).
For example, it's possible that a perfectly harmless-looking ActiveX control, executable file, or code from unknown sites or authors could wipe out a user's entire system before he knew what hit him! Worse yet, perfectly harmless code created by one programmer could be tampered with and altered by some other, malicious programmer after its release, possibly wreaking havoc on the systems of users who download and execute the altered code!
There are two basic ways to address the Internet security issue:
- Sandboxing. This term refers to restricting an application to a certain set of APIs, excluding those that would enable file I/O and other potentially dangerous function groups that could alter or destroy data on a user's system. This security method assumes that you trust the application won't do any harm, and that you trust the source of the application to not act maliciously.
- Shrinkwrapping. This security method uses specially encrypted digital signatures. A shrinkwrapped product verifies signed code with a private-key/public-key verification scheme. Before any signed code is allowed to execute on a user's machine, its digital signature is verified. This verification process ensures that the code hasn't been tampered with since the code was signed, and it also ensures that the code is from a known, authenticated source.
Digital Code Signing
Digital code signatures are used to verify code authenticity and also to identify and provide details about the publisher of the code. Digital signatures are an industry standard supported by many Web browsers. Such browsers enable a user to choose whether to download and execute code of unknown or suspicious origin.
For the most up-to-date information about digital code signing, an industry standard, access the Web site for the World Wide Web Consortium (W3C) at this URL
Signed Code and Code Certificates
As an independent software vendor (ISV) who wants to use the benefits of digital code signatures in your applications, you must get something called certificates from a certificate authority (CA), a third-party company known and trusted by the industry. After a CA verifies that you comply with W3C policies, the CA issues you a digital certificate file for use in code signing. The certificate file contains important information, including the name of the software publisher, your public encryption key, the name of the CA's certificate, and more.
Public and Private Encryption Keys
Public and private keys are created by you for use in encrypting the digital signature block used to verify your code's authenticity. Both keys are created by you, but the private key remains your little secret. The public key must be checked by the CA to ensure that it's unique.
You need special tools to sign your code, and these are available in the ActiveX Development Kit, available from Microsoft on CD-ROM and online at the following URL:
Fully debugged, release-ready code is run through a hash function that produces a fixed-length code digest. You then encrypt this digest with your private key and combine it with your certificate file. The result is linked back into your executable file. Presto! Your digitally signed masterpiece is ready for distribution over the Internet. The tools used for code signing are listed in Table 16.1 and are available in the ActiveX SDK.
Table 16.1. Code-signing tools in the ActiveX SDK.

| Tool | Purpose |
|---|---|
| MAKECERT.EXE | A tool that creates a fake certificate for development purposes. |
| CERT2SPC.EXE | The tool used to build a signature block from your certificate. |
| SIGNCODE.EXE | A tool that links the signature block into your executable. |
| CHKTRUST.EXE | A tool that verifies that code has been successfully signed. |
In addition to CHKTRUST.EXE, you can use Internet Explorer 3 (IE3) to verify signed code as well. IE3 provides certificate and code signing options in the Options dialog box (accessed with the View | Options menu command). The Security tab for this dialog box reveals options you can set for verifying signed code, viewing any certificates installed on your system, and setting options for ActiveX components (see Figure 16.1).
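The shrinkwrapping scheme and the sign-then-verify steps just described, as an added Python example (not code from the book or from the ActiveX SDK): it models the code digest, the private-key transform of that digest, the signature block bundled with a certificate, and the two things a verifier such as CHKTRUST.EXE has to check. All key material, the publisher name, the CA name and the executable bytes are constructed, and trust in a CA is reduced to an issuer-name lookup.

```python
"""Toy model of the signing and verification flow described above.
Added example: not the Authenticode format and not the ActiveX SDK tools.
Textbook RSA over fixed Mersenne primes keeps it self-contained and
deterministic; real tools use CA-issued certificates, random key
generation and standard signature padding."""
import hashlib
from typing import NamedTuple

# Constructed key material.  Mersenne primes are public knowledge, so
# these keys provide no secrecy; they only make the example run offline.
PUBLISHER_P, PUBLISHER_Q = 2**127 - 1, 2**521 - 1   # "your" key pair
OUTSIDER_P, OUTSIDER_Q = 2**89 - 1, 2**607 - 1      # someone else's pair
E = 65537

TRUSTED_CAS = {"Example CA"}   # stands in for the CA roots a verifier trusts


def make_keypair(p: int, q: int) -> tuple:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent
    return (n, E), (n, d)                  # (public key, private key)


class Certificate(NamedTuple):
    publisher: str          # name of the software publisher
    public_key: tuple       # publisher's public key (n, e)
    issuer: str             # CA that issued the certificate


class SignatureBlock(NamedTuple):
    signed_digest: int      # digest transformed with the private key
    certificate: Certificate


def digest(code: bytes) -> int:
    """Fixed-length digest of the release-ready code as an integer."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def sign_code(code: bytes, private_key: tuple, cert: Certificate) -> SignatureBlock:
    n, d = private_key
    return SignatureBlock(pow(digest(code), d, n), cert)


def verify_code(code: bytes, block: SignatureBlock) -> bool:
    """Two checks: the digest recovered with the certificate's public key
    must match the code (integrity), and the certificate must come from a
    trusted CA (origin).  A self-made, MAKECERT-style certificate fails
    the second check even when the arithmetic checks out."""
    cert = block.certificate
    n, e = cert.public_key
    if pow(block.signed_digest, e, n) != digest(code):
        return False
    return cert.issuer in TRUSTED_CAS


def demo() -> dict:
    """Sign a constructed executable, then verify three downloads."""
    pub, priv = make_keypair(PUBLISHER_P, PUBLISHER_Q)
    cert = Certificate("Example Software Co.", pub, "Example CA")
    code = b"MZ\x90\x00 constructed release build v1.0"   # constructed bytes
    block = sign_code(code, priv, cert)
    # 1. Unmodified release: verifies.
    # 2. Code altered after signing, original block attached: digest mismatch.
    tampered = code.replace(b"v1.0", b"v1.1")
    # 3. Altered code re-signed by an outsider with a self-issued certificate
    #    bearing the same publisher name: arithmetic passes, issuer untrusted.
    o_pub, o_priv = make_keypair(OUTSIDER_P, OUTSIDER_Q)
    fake_cert = Certificate("Example Software Co.", o_pub, "Self-Issued")
    resigned = sign_code(tampered, o_priv, fake_cert)
    return {"original": verify_code(code, block),
            "tampered": verify_code(tampered, block),
            "resigned": verify_code(tampered, resigned)}
```

The third case is why a verifier checks the certificate's issuer and not only the signature arithmetic: a fake development certificate from MAKECERT.EXE verifies mathematically but proves nothing about the publisher.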
As you've seen, code signing is a robust system for creating trustworthy code. Users can rest assured that signed code is safe to download and execute. The nagging question in your mind at this point is probably, "How much does a certificate cost?" Good question!
Microsoft estimates that commercial software publishers will pay around $400 U.S. dollars for the initial certificate and around $300 for an annual renewal. Certificates for individual software publishers will ring in at about $20.
MFC makes using WinSock, WinInet, ISAPI, ActiveX, and MAPI programming almost easy (especially when compared to standard SDK programming), so you should use these features and experiment with the technologies to better prepare for present needs and future challenges. Windows communications programming is getting more important with each passing day, so don't wait: get connected!
Here are some points to remember:
- Networks enable people to communicate and share resources.
- A local area network (LAN) is a network composed of computer workstations directly connected together, often by a direct cable connection.
- A wide area network (WAN) is a group of LANs connected together, usually with telephone lines.
- The principal way computers communicate with one another is through the use of the client/server communication model; all Internet services are provided using client/server relationships.
- Many communications APIs and Internet programming tools are available for Windows programmers.
- The Windows Sockets (WinSock) specification enables applications to communicate with each other across networks by means of socket communications objects.
- The Win32 Internet (WinInet) API provides intermediate-to-advanced-level communications functions that enable you to access the main Internet protocols (FTP, Gopher, and HTTP) fairly easily.
- ActiveX controls combine the best features of standard OLE controls with the exciting environment of the Web browser.
- The Messaging API (MAPI) is a COM-based set of objects that enable client applications to provide users with messaging, e-mail, and address book information.