Archive for July 2011

Implementing 2-Legged OAuth in Javascript (and CloudTest)

Introduction

If you’re reading this you are probably looking for information on how to implement 2-Legged OAuth in Javascript.  I recently had to implement 2-legged OAuth into a CloudTest performance test for one of our customers.  Because 2-legged OAuth is not part of the official OAuth spec yet (as of 6/15/2011) there is relatively little information out there about how to make this all work, and what information exists unfortunately doesn’t work universally across implementations, since there is no specification to hold them to.  I hope this saves you some time… it definitely would have helped me out.  You will need a working knowledge of Javascript to find the implementation details in this article useful.  Without an understanding of Javascript you may still find the general OAuth overview interesting.

High Level OAuth Overview

OAuth is a way for applications to authenticate with one another.  In essence a client application signs a string of values (in OAuth 1.0 the usual method is an HMAC-SHA1 over the request method, URL and parameters; this is a keyed hash, not encryption, so nothing is hidden by it) and passes that signature, along with the values it used to build it (except one, your consumer secret), to the server.  The server uses the consumer key you sent across to look up your secret, rebuilds the same string and computes the same signature.  It then compares the two signatures.  If they match, it’s a success.  If not, it’s a failure.  The secret itself never crosses the wire; what the signature proves is that whoever built the request knew it, and that the signed values were not altered in transit.

The difference between 3-Legged OAuth and 2-Legged OAuth is that in the 3-Legged variant, the client first obtains a token from the server (the user is sent to the server to authorize the client, and the client then exchanges the authorized request token for an access token).  This token is then passed along, and signed with, in subsequent requests.  This is commonly called ‘the dance’ in OAuth developer circles.  When you authenticate with Netflix through various platforms (AppleTV, iPhone, Netflix.com), you do a 3-Legged OAuth dance.  This allows for users, applications, and authentication to be abstracted out into separate tiers.

Some other types of applications may be better suited for the authentication and message passing to happen in 1 request and 1 request only.  This is where 2-legged comes in.  In 2-legged OAuth you pass the signature, the values used to build it, and the message payload in 1 GET or POST.  If it is rejected, the message fails.  If it’s accepted then the message is processed.  This particular app that I was working on testing was a central logging system.  Every message was a log event.  There was no time (or functional need) for a multi-step handshake in this app and also no notion of a maintained state.  2-Legged OAuth cuts out the middleman.  If authentication is successful the message is processed, no dancing around.  One consequence worth keeping in mind: with no token in play, the consumer key and secret are the only credential, so the server’s timestamp and nonce checks are what stop a captured signed request from simply being resubmitted.


It’s Time to End Web 2.0’s ‘Dirty Little Secret’

75% of All Web & Mobile Apps Go Live Without Ever Being Scale Tested

So why is it that so many web and mobile apps experience some form of performance issues (#FAIL) despite having access and availability to seemingly unlimited amounts of affordable compute power? Well…it’s complicated. First of all, very few of these performance issues are based on a lack of capacity, but rather on configuration, setup, design, or implementation issues. All of which could easily have been discovered through testing.

Which brings us to the app market’s “dirty little secret”…that at least 75% of all web and mobile apps GO LIVE without ever being load (scale) tested, despite the potential volatility and volume of today’s web traffic. Having run one of the largest financial services SaaS sites in the early 2000s, I can tell you this: all of us building and deploying these apps want them to be fully scale tested. Especially in light of recent surveys, which indicate that even the most minor app performance issues (500ms) can lead to a significant amount of lost revenue (1% of sales). So why don’t we scale test these sites?

While the answers may vary slightly, it is almost always that the traditional enterprise-class test solutions are way too expensive and take way too long to set up and analyze results. The only alternative to these expensive test solutions like HP LoadRunner and MicroFocus Silk has been the recent emergence of a number of easy-to-use and low cost test tools such as JMeter and The Grinder. Unfortunately these tools lack many of the most basic components of load testing, such as integrated analytics and automation of test deployment, leaving the need for additional products to fill in. The choice between expensive & slow vs. cheap & lacking features most often leads to the decision of not testing at all.

It has been our vision here at SOASTA to change app testing forever. First, we changed testing by introducing “Cloud Computing” as the new platform to test from back in 2007. Then (in April) by introducing the first load and performance test platform specifically for Mobile applications. And now today (once again) we are changing testing by announcing the First FREE (Enterprise Class) test solution built specifically for web and mobile testing. The name of our new edition is CloudTest Lite, (beta available today).

CloudTest Lite is the same award winning enterprise class test solution that is currently being used by many of the leading consumer facing and enterprise companies such as Mattel, Gilt Groupe, Hallmark, Intuit, Verizon and Netflix. It includes SOASTA’s award winning (patented) technology with its extremely easy-to-use test creation and deployment processes, as well as SOASTA’s advanced and integrated real-time analytics engine. The only limitation to CloudTest Lite versus our other CloudTest editions is in the size of the test that can be performed…it is set at a maximum of 100 concurrent users per test. For perspective, an “average” app on a normal day of usage will experience between 50-250 concurrent users. To test 100 users just a few years ago using a sophisticated test solution would have cost around $100,000; with CloudTest Lite, now it is FREE and could and should lead to regular scale testing of applications.

It is our sincere hope, that this announcement of CloudTest Lite will once again transform the app development world by introducing a test platform for daily scale testing of web and mobile applications.
