Monday, June 28, 2004

Browser NG: Some weird thoughts

Hmm.. so I finally got around to start using the firefox 0.9 last week. The requirement came due to some issues that I encountered with Internet Explorer(see below for more information) and whether it was a Browser issue. Any way I have shifted completely to this new browser but so far I have not been able to find the wow factor for this tool so far. Well as a self-proclaimed geek I do like some things like DOM Inspector and the Java Script Console (even though a small icon at the bottom telling that there was error would make more sense), I see the features as just an extension of basic browser facilities of rendering the content generated by the content provider. Isn't it time that we gave the control over to content redering to client/user? This control can start with simple things like
  • Setting Page Properties Allowing Client to set the automatic refresh on a page which does not have a REFRESH Tag embeded to it(will this be construde as denial of service attack?)
  • Web Site Macro Recording and playing Record the sequence of events on the browser for a user and then automating that sequence (obviously incase of any problem, the user should be able to take over) when user accesses the web site. This ensures that you directly go to the page that you want to and not be bothered by things that are of no use to you.
  • Web Site Search Now that you have reached a site, would it not make more sense that the browser automatically searches the site for all the relevant pages and when you scroll over to a link tell you whether that is the best bet or even skip the pages to go to page with best match corresponding to a link(obviously having such a search capability at your fingertips would require really cheap and highspeed network access or the search engines could provide such capabilities which may already be there). And may be even have a sidebar with list of sites that closely match the content of the site that you are on (such a sevice will come from a search engine like google or yahoo or next big search engine).
  • Web Services Support With the growing acceptance of the webservices as one of the interface for providing service, it would be interesting if the browsers would provide the capability of rendering the Web Service interface as User Interface which can be used to invoke the web service and the response can then be rendered by either client side XSL or service provider side XSL.

Well incase we are comfortable with this level of customization, I think we have the existing technology to build Client Side Portals. I remember that around 99-00, Microsoft had this idea of active desktop which was solved as some sort of push or pull model system. The idea is similar to it but goes ahead and gives complete control to customers. The idea being that customers will be able to create their intelligent browser skins (for text data equivalent to CSS) which is customizable for rendering the information based on the space allocated for the site in the window and also tracks the users browsing habit(7/4/04:something similar), privacy concern incase of compromize of machine, and customizes itself to make better decisions about what user is trying to do on the web (well it may start by building stupid intelligence into the product and then we can go from there with continuous feed back from the users). I know I sound very naive to raise it, but is time to make the protocols like RSS standard on the web for content publishing in conjunction with HTML. This basically converts the entire web into one big blogosphere and the RSS Readers can be the next generation browsers with the improved skins to customize the client side portal with all the information that is needed. But is looking at the entire internet as blogosphere a right way to interpret it. May be it is a programmers' view of the world (remember the last time your manager was happy with the website immediately after web designer had updated the look and feel of the site after you had completed the functionality as if functionality was nothing in comparision to look and feel) of being able to access the content without getting bogged down by the look and feel components which reduce the content area. But I have a feeling that the concept of skin, if implemented well, will be accepted by the standard user who wants to give the personal touch to the whole browsing experience similar to for example choosing the colors to paint their house. But would that mean there would be no free sites (because the free content provider try to entice you to be on the website for longer time by developing the look and feel to achieve that and thus providing them with more opportunity to generate revenue through you)? May be that would be the case and content preview sites will come into the being which will agregate content (and will be subscribed by clients to decide what they want) from variety of providers and would allow you to decide which content you want to subscribe to and then you can use micro-payment for paying the content provider on per use basis. At the same time just like mordern bloggers and other people looking for non-tangible assets like fame, popularity or for altruistic reasons, will continue to provide content for free. But in absence of content provider funded art, how will the artist/mordern web designer survive? I do not know may be by directly selling their services and ideas to people who want to customize their portal to their liking in a way similar to how interior decorator sell their services to the clients. This whole thing seems too far fetched to be happening in next few years, but my feeling is that the user has to take back the control over the content and should be able to get the stuff that he is looking for.

IE Problem

Now the problem with IE which I noticed in version 5.5, 6.0 SP1 is as follows.

  1. Create a website on a server that supports Integrated Windows Authentication using Kerberos (IIS in W2k domain will be the simplest).
  2. In this site protect one of the pages with SPNEGO while leaving the other page to have anonymous access (well this is to simulate different applications with different authentication requirements)
  3. Now if you try to access the URL protected by IWA from a machine where you have loggedin locally (i.e. not in domain), you should get a 401.1 or 401.3 error.
  4. Now to increase the fun (or what my boss calls increasing usability of site), replace these default error pages with your own error page which redirect the person to a page not protected by IWA. And this page should post data to itself and show the posted data to simulate password based login process(simple ASP should do the trick).
  5. Go ahead and try to access the protected page and then submit the data to IIS.
  6. If you see that no data is POST you have succesfully simulated the problem.
  7. Now change the redirect URL in error page to a directory instead of ASP file and make ASP file a default page. Try protected URL again and post the data.
  8. Viola!! you should now start seeing the posted data.

Could not simulate the problem in FireFox 0.9(completely ignored the SPNEGO) or Opera 7.0 (just gave an error) since they do not seem to support SPNEGO or is it NTLM (can't be sure because not logged in to domain). Update 7/13 I have been getting more hits on support for SPNEGO in Firefox and thought that I will add the information for the people who look for the same on to this site. The Integrated Windows authentication can be performed by using NTLM authentication and Kerberos ticket based Authentication (Win2K and above). The FireFox supports the NTLM and so if you enable the Integrated Windows Authentication on IIS or corresponding authentication scheme on any other server, the server will send Negotiate and NTLM in supported authentication mechanisms. On XP (the platform I tested on) you will get a prompt for ID and password which will then be used to perform the NTLM authentication by FireFox. You can not disable the prompt for user id and password(not that I know of). At the moment there does not seems to be support for Negotiate Authentication scheme (Kerberos ticket based authentication like Internet Explorer) and thus provides a more user friendly reduced sign on solution. Another thing to keep in mind is that if the server besides IIS is used make sure that the server sends the NTLM header along with Negotiate header. If it sends only the Negotiate header (some of the SSO products send only the Negotiate header) the FireFox will not switch to NTLM for authentication and display the page returned by the server. Hope this helps!!

No comments: