Target Archery Shop

TARGET SYSTEM

TABLE OF CONTENTS
I. Case Paper
II. Sources Cited

This Case Paper discusses the design and implementation of a Web-based database system for Target Archery Shop, capable of handling on-line data processes. The goal in designing the system is to provide a simple, user-friendly interface and a secure on-line database for the submission, retrieval, and sharing of application data through the Internet. The Web was chosen as the platform for several reasons, including user familiarity, broad availability, low distribution cost, and minimal development time. This paper also describes some design challenges of a Web-based database application, such as authentication, access control, and security, and how the system addresses these challenges while keeping the data process efficient and fast.

SYSTEM OVERVIEW

The majority of Web applications are built on the three-tier model, which separates the business logic from the graphical user interface (GUI) and from the backend database. According to the model, three separate, well-defined processes, or modules, run on different layers:
o Client tier: the end-user application, normally a Web browser.
o Middle tier: mediating information servers that run alongside the Web server and actually process the data request.
o Resource tier: information resources that store and manipulate the data at the backend.

The spread of the Web browser and the strong demand for interactive, dynamic information delivered through the Internet, rather than static HTML pages, have made three-tier applications popular as well as practical. For transaction-oriented on-line data processing, middleware is typically required between the network servers and the back-end system to ensure proper interoperability.
The Common Gateway Interface (CGI), the first solution for deploying dynamic Web applications, is one of the most popular tools and is supported by almost all Web servers. CGI defines the specification for transferring information between a Web server and information resources. A CGI program accepts parameters from an HTTP request passed to it by the Web server, then generates and returns an HTML page as if it were a pre-stored one. (CGI Specification) Despite its simplicity, the biggest drawback of the CGI approach is that the Web server needs to spawn a separate CGI process for each request received. This is time consuming and expensive in terms of the server's memory and other system resources.

A Java Servlet is a Java program (class) that runs on a Java-enabled Web server and resembles a conventional CGI program. However, Servlets are designed to overcome the drawback of CGI and are an increasingly attractive alternative to CGI programs. Unlike a CGI program, a Servlet is persistent once it is started: it remains in memory and can therefore handle multiple requests. In general, a Servlet is faster and cleaner than a corresponding CGI script. Although a Servlet runs in the same address space as the Web server, it is safer than CGI because of the protection mechanisms provided by the Java virtual machine: type safety and bounds checking rule out the memory-corruption bugs a native CGI program written in C can have. The flip side of persistence is that a Servlet fault or leaked per-request state affects every subsequent request handled by that server process. Servlets can be embedded in many different servers because the servlet API, which programmers use to write Servlets, assumes nothing about the server's environment or protocol.
(C. Bloch / S. Bodoff)

Overview of the Target Archery (TARGET) System

There are already many on-line systems aimed at speeding up on-line data processing. The work on the TARGET system for the Target Archery Shop was motivated by the fact that many of these systems mainly target collecting information for the business, while providing little feedback or assistance to the customers. Among the objectives of the TARGET system are to:
o Build an Integrated Application Environment (IAE) for different classes of users, including a centralized database, a unified GUI and a standard processing sequence, so that application data can be exchanged efficiently.
o Allow a customer to trace his/her own account status based on a predefined processing sequence.

The TARGET project is composed of two chief components:
o a dedicated library that encapsulates the database access details of user and customer data, and
o a collection of programs that drive the generation of the output HTML pages.

In a typical session, the client's browser sends a request to the Web server, which passes it to the processing program. For those pages that include dynamic content, such as a registered user's account, the processing program calls the appropriate library to fetch data from the database and delivers the formatted data to the HTML page generator. Lastly, the HTML page generator assembles the complete HTML page and ships it to the client browser. The architecture of TARGET is illustrated below.

From the user's perspective, the TARGET system is designed for four user categories:
o A customer can submit application information on line by filling in a pre-designed form; the collected data is then stored in the centralized database. Additionally, a customer can check his/her account status periodically.
o A supporting staff member is responsible for the routine work of handling accounts, such as sending out marketing packages, updating client status, responding to special queries, and generating statistics and reports.
o Target Archery Shop itself, as the business, is mainly interested in the data provided by customers.
o The system administrator focuses on managing user accounts: creating new user accounts, modifying access control levels, resetting user passwords, deleting useless database records, and so on.

DESIGN AND IMPLEMENTATION

In order for the TARGET system to be effective, development must follow certain policies and guidelines. Some of these are common and applicable to any project, whereas others differ from project to project. The following section discusses important issues in the design and implementation of the system.

Development Platform and Tools

TARGET is primarily developed on MySQL and PHP, both open source projects distributed under the GNU General Public License. MySQL is an efficient, multi-threaded, multi-user, and robust SQL database server. The features provided by MySQL are more than sufficient for manipulating the centralized application dataset. (MySQL Manual) As a server-side, HTML-embedded scripting language, PHP differs from CGI in that a CGI script usually involves another programming language, such as C or Perl, to generate and output HTML, whereas a PHP script is embedded inside the HTML page itself.
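The paper does not show the TARGET data-access library, so the following is an added example rather than the project's own code: a minimal PHP class of the kind described above, in which the SQL text is fixed and every value that originates from a form or a session is bound as a parameter, so that customer input can never change the structure of a query. The class, method, table and column names and the demo rows are assumptions. It runs stand-alone (PHP 7.4 or later with PDO) against an in-memory SQLite database; TARGET uses MySQL, where only the DSN and credentials passed to the constructor would differ.

```php
<?php
// Added example, not TARGET's own library. Encapsulates database access
// behind a few methods; callers never build SQL strings themselves.
declare(strict_types=1);

final class TargetDb
{
    private PDO $pdo;

    // e.g. new TargetDb('mysql:host=localhost;dbname=target', $user, $pass)
    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    // Customer tier: store a submitted application form. Returns the new row id.
    public function submitApplication(string $username, string $email, string $status): int
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO applications (username, email, status) VALUES (:u, :e, :s)'
        );
        $stmt->execute([':u' => $username, ':e' => $email, ':s' => $status]);
        return (int) $this->pdo->lastInsertId();
    }

    // Customer tier: a customer may read only his or her own status, so the
    // username passed here should come from the authenticated session, not
    // from a request parameter. Returns null when no account matches.
    public function accountStatus(string $username): ?string
    {
        $stmt = $this->pdo->prepare('SELECT status FROM applications WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch();
        return $row === false ? null : (string) $row['status'];
    }

    // Staff tier: advance an account along the predefined processing sequence.
    public function updateStatus(string $username, string $status): bool
    {
        $stmt = $this->pdo->prepare('UPDATE applications SET status = :s WHERE username = :u');
        $stmt->execute([':s' => $status, ':u' => $username]);
        return $stmt->rowCount() === 1;
    }

    // Schema for the stand-alone run only; constructed, not the TARGET schema.
    public function createDemoSchema(): void
    {
        $this->pdo->exec('CREATE TABLE applications (
            id       INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL UNIQUE,
            email    TEXT NOT NULL,
            status   TEXT NOT NULL)');
    }
}

// Stand-alone run: php target_db.php
if (PHP_SAPI === 'cli') {
    $db = new TargetDb('sqlite::memory:');
    $db->createDemoSchema();
    $db->submitApplication('alice', 'alice@example.com', 'submitted');   // constructed data

    // A classic injection string is bound as a literal value and matches no row.
    $hostile = "alice' OR '1'='1";
    printf("lookup of hostile string: %s\n", var_export($db->accountStatus($hostile), true));
    printf("alice before update: %s\n", $db->accountStatus('alice'));

    $db->updateStatus('alice', 'approved');
    printf("alice after update:  %s\n", $db->accountStatus('alice'));
}
```

The point a reviewer would check in such a library is that the only thing reaching the database from the client tier is a bound value, and that the identity used in `accountStatus()` is the one the middle tier established at login rather than a field the customer can edit in the form.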
(J. Park / R. Sandhu) TARGET is primarily concerned with end-system threats. Once a cookie is stored on the browser's side in plain text, its content can be trivially altered by the user and easily copied from one computer to another, without the knowledge of the user on whose computer the cookie was originally stored. The ability to alter and copy cookies lets attackers forge cookie contents and impersonate other users. Confidentiality and integrity are therefore vital when cookies are used for system authentication. Confidentiality is the property that information is not made available or disclosed to unauthorized individuals; integrity is the property that information has not been modified or destroyed in an unauthorized manner. In the case of TARGET, cryptographic techniques protect the cookie through an integrity verification function that checks the cookie's owner and guards the system against unauthorized modification of the cookie.

To achieve this, TARGET uses secret-key cryptography in the form of a keyed message digest. After a user has successfully logged in, the system computes a message digest over the username and a system secret key, then places this signature in the cookie together with the username string. When the user makes later visits to the system, the browser sends this secure cookie back, and TARGET recomputes the digest from the presented username and the same secret key, following the same policy used when the cookie was issued, and compares it with the signature in the cookie. Because the secret key never leaves the server, a cookie whose username has been altered fails verification. Note that a keyed digest of this kind provides integrity and authenticity rather than confidentiality: the username remains readable in the cookie, and a cookie copied intact to another machine still verifies for as long as it is accepted, so the channel that carries it and an expiry included in the signed data matter as much as the digest itself.

CONCLUSION

The objective of the TARGET system is to offer a simple, user-friendly interface and a secure on-line database for the submission, retrieval, and access of data over the Internet. The TARGET system incorporates World Wide Web and distributed computing technologies to let users share a centralized database and process data through standard Web browsers. Authentication is supplied by a username and password verification mechanism.
Access to the TARGET system is restricted by enforcing a role-based access control policy. Future improvements include adding an XML message layer so that the TARGET customer layer becomes independent of the underlying database API. Based on this experience, the author believes that the combination of PHP and MySQL under the three-tier model is a good, practical environment for developing multi-user distributed applications on the World Wide Web infrastructure, consequently speeding up on-line data processing.
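As an added example, not the paper's own code, the following PHP implements the secure-cookie scheme described in the authentication discussion above (username plus a keyed digest computed with a server-side secret, recomputed and compared on each visit) together with a server-side role lookup of the kind the role-based access control policy implies. Everything not stated in the paper is an assumption: the cookie name and layout, the use of HMAC-SHA256 as the message digest, the expiry field added to the signed data, the function names, and the role table and demo users. It runs stand-alone under PHP 7.3 or later.

```php
<?php
// Added example (not TARGET's own code): keyed-digest authentication cookie
// plus a server-side role check. Names, layout and data are assumptions.
declare(strict_types=1);

const COOKIE_NAME = 'target_auth';

// The system secret key. Reading it from the environment keeps it out of the
// code base; the fallback exists only so this file runs stand-alone.
function target_secret(): string
{
    return getenv('TARGET_SECRET') ?: 'constructed-demo-secret-do-not-deploy';
}

// Cookie value: "<username>.<expires>.<hex HMAC-SHA256>". The digest covers
// both username and expiry, so neither can be altered without the server
// secret. The username stays readable: this is integrity, not confidentiality.
function issue_auth_cookie(string $username, int $ttl = 3600, ?int $now = null): string
{
    if ($username === '' || strpbrk($username, ".; \r\n") !== false) {
        throw new InvalidArgumentException('username not safe for cookie payload');
    }
    $expires = ($now ?? time()) + $ttl;
    $payload = $username . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, target_secret());
}

// Recompute the digest from the presented username and expiry and compare it
// in constant time. Returns the authenticated username, or null when the
// cookie is malformed, expired, or fails verification.
function verify_auth_cookie(string $cookie, ?int $now = null): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    if (preg_match('/^\d{1,12}$/', $expires) !== 1 || (int) $expires < ($now ?? time())) {
        return null;
    }
    $expected = hash_hmac('sha256', $username . '.' . $expires, target_secret());
    return hash_equals($expected, $mac) ? $username : null;
}

// For the real HTTP response: sent over HTTPS only and hidden from page scripts,
// which addresses the copying concern the digest alone cannot.
function send_auth_cookie(string $value, int $expires): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// The role table lives server-side, keyed by the verified username, so a
// cookie can never claim a role directly. Constructed demo data.
const USER_ROLES = ['alice' => 'customer', 'bob' => 'staff', 'root' => 'administrator'];
const ROLE_ACTIONS = [
    'customer'      => ['submit_application', 'view_own_status'],
    'staff'         => ['view_own_status', 'update_status', 'run_reports'],
    'administrator' => ['create_user', 'reset_password', 'set_access_level', 'delete_record'],
];

function authorize(string $username, string $action): bool
{
    $role = USER_ROLES[$username] ?? null;
    return $role !== null && in_array($action, ROLE_ACTIONS[$role], true);
}

// Stand-alone run: php cookie_auth.php
if (PHP_SAPI === 'cli') {
    $check = static function (bool $ok, string $what): void {
        if (!$ok) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
    };
    $t = 1700000000;                                   // fixed clock for the demo
    $cookie = issue_auth_cookie('alice', 3600, $t);
    $check(verify_auth_cookie($cookie, $t + 10) === 'alice', 'genuine cookie verifies');
    $check(authorize('alice', 'view_own_status') && !authorize('alice', 'update_status'), 'customer role');

    // Attacker rewrites the username; the digest no longer matches.
    $forged = 'root' . substr($cookie, strlen('alice'));
    $check(verify_auth_cookie($forged, $t + 10) === null, 'altered username rejected');

    // A copied cookie replays only until the signed expiry passes.
    $check(verify_auth_cookie($cookie, $t + 3601) === null, 'expired cookie rejected');
    echo "all checks passed\n";
}
```

The two checks a practitioner would look for are both here: `hash_equals()` for the comparison, so that a byte-by-byte timing difference cannot be used to build a valid digest, and the role decision taken from a server-side table indexed by the verified username rather than from anything carried in the cookie.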