Web Services with Rust Part 3: Accept All We Can

In the last posting we added metrics to our very basic test Web service. Initially this third part was supposed to be about adding logging to the server, comparing the performance impact of mutex-based and, especially, lock-free data structures. However, I was also still puzzled by the observation that the number of connections the server took from the stream of accepted sockets somehow seemed related to the request processing rate....

Web Services with Rust Part 2: Baseline Revisited

In the last posting I started exploring implementing Web services in Rust, using hyper with some minimal single- and multi-threaded servers. If you have been paying attention to the test setup description there (as I should have done) you will have noticed that the load test configuration is limiting the number of clients to 500. Many requests with few clients are not the common case reality for most Web services and definitely...

Web Services with Rust Part 1: Exploring Hyper

A while ago I turned my head towards Rust for developing Web Services. Rust’s design, in my opinion, hits a sweet spot between ease of development and runtime efficiency, especially doing away with a garbage collector. Recently sophisticated support for future-based, async, and reactive programming has been added to the Rust ecosystem, putting together in the Tokio project some of the most intriguing designs I have come across so far. In...

Using iron to Encapsulate Cookies

Eran Hammer has recently created iron, a cryptographic procedure and tool to seal arbitrary data in such a way that it cannot be read and also cannot be changed without being noticed. Besides its intended use in combination with Oz, it can also be used in other scenarios. One of them is encapsulated HTTP cookies. While it is in no way a new thing to pass state to Web clients in encrypted form so they...

Beyond OAuth

Eran Hammer’s noisy departure from OAuth 2 woke me up to finally engage in that HTTP security investigation that had been buried in my todo list for years. Thanks a bunch for that, Eran! Starting from close-to-zero security knowledge it took some time to understand the points he is making but finally it all came together: Yep - sadly he’s spot on with his criticism. If in doubt, look at the OAuth 2.0 Threat Model...

Getting Started Playing Around with JAX-RS 2.0 in an EE Container

Trying out the latest JAX-RS API advancements in an EE container is a bit of a pain because pulling the latest JAX-RS 2.0 libraries into a Java EE environment creates conflicts with the EE-shipped JAX-RS version. Ah yes, and of course you want your IDE to pick up the correct libs for code completion. After trying and tweaking a bit, the most workable solution for me was to download the latest Glassfish 4 build....