A "Personal Dynamic Channel" permits any web application/service to provide personalized information via a MyUW channel to the user who has authenticated to the MyUW session. This is accomplished by MyUW querying the service using the authenticated ID (UW NetID) of the user, and displaying the results in a channel. This specification will give departmental developers basic guidelines on how to set up their web applications to become channels on MyUW. Please direct any questions regarding this document to myuw@u.washington.edu.
Your web application can be written in any programming language and run on any platform. The web server your program runs on must have a valid SSL certificate, which enables MyUW to access your application programmatically over https.
For security, we use X.509 certificate-based two-way SSL authentication, where MyUW (the SSL client application) verifies the identity of your application (the SSL server application), and your application verifies the identity of the MyUW application. You need to configure your web server to require the client certificates of MyUW servers. The identity that MyUW uses is a certificate issued by the UW Certificate Authority. MyUW also accepts the UW CA certificate of your application.
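One way to enforce this in the application itself, as an added example that is not part of the original specification or MyUW's own code: Python's standard ssl module requires a CA-signed client certificate, and the certificate subject is then checked so that only the expected client is served. The file paths passed in and the common name myuw-client.example.edu are hypothetical placeholders.

```python
import ssl

# Hypothetical subject CN of the MyUW client certificate; the real name
# comes from the MyUW team, not from this example.
ALLOWED_CLIENT_CNS = {"myuw-client.example.edu"}


def server_context(certfile, keyfile, ca_file):
    """TLS server context that refuses any client without a CA-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)     # this server's own certificate
    ctx.load_verify_locations(cafile=ca_file)  # trust only the issuing CA
    ctx.verify_mode = ssl.CERT_REQUIRED        # handshake fails without a client cert
    return ctx


def client_common_names(peercert):
    """Collect commonName values from the dict returned by SSLSocket.getpeercert()."""
    names = set()
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def is_expected_client(peercert, allowed=ALLOWED_CLIENT_CNS):
    """True only if the verified client certificate names an expected client.

    A certificate signed by the right CA but issued to some other service
    passes the handshake, so the subject has to be checked as well.
    """
    return bool(client_common_names(peercert) & {n.lower() for n in allowed})
```

Call is_expected_client(conn.getpeercert()) on each accepted connection before reading the request.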
Some services use backdoor connections without SSL authentication because of performance and load issues. In this case, to protect your server from denial of service attacks, you must set up address-based protection by configuring your server to serve requests only from the corresponding backdoor IP addresses of MyUW servers. The MyUW team will send you an email notification before adding machines or changing addresses. You need to update your settings within 24 hours of the notification.
MyUW is obliged to assert the user ID to your program. This may expose your server to large-scale abuse if any MyUW server is compromised. Therefore, you should keep an access log. If there is any security incident on a MyUW server that could affect your channel, we will inform you of the time frame and possibly the users affected. When you choose to populate personalized information, you accept MyUW's assertion of the user's authenticated identity. Furthermore, we recommend that personal dynamic channels be read-only, and that the data displayed not be particularly sensitive.
We recommend that you have two application sites on your servers, one for testing and one for production. The MyUW test server (http://myuwtest.u.washington.edu) would point to your test site and the MyUW production server (http://myuw.washington.edu/) would point to your production site. This would give you full control of your releases. Once you have fully tested a new update on your test site via MyUW test, you can deploy it to the production site without any involvement of the MyUW team.
If a user has subscribed to your channel on the MyUW page that the user is about to see/load on their browser, MyUW will send an https request to your program in the following format:
https://<your server host>/<your app path>/<your app name>?<the query string>
<the query string> : id=<the UWNetID of the user>&timestamp=<a decimal value of the system time in milliseconds>
(e.g., id=whoishe&timestamp=1026769365762)
The timestamp indicates when MyUW sends the request. Your program may use the timestamp to determine if the request is worth a reply. For instance, some web servers can occasionally get confused and hold requests for a long time before presenting them to your program. To prevent servicing stale requests, check the timestamp and close the connection on any request older than n seconds. Your system needs to maintain accurate (to seconds) system time (e.g., synchronize it to time.u.washington.edu on Windows systems) in order to use the timestamp.
Upon special request, MyUW can also send student number, student system key, employee number, or alumni advance ID in the query string if SSL is used.
When your program receives the request from MyUW, it will return an HTML fragment that goes in the channel box on MyUW based on the following guidelines:
ampersand (&amp; or &#38;)
less-than sign (&lt; or &#60;)
greater-than sign (&gt; or &#62;)
i.e., when your program can't find data associated with the given UW NetID in the database, it may display generic content or a sensible error message to the user.
i.e., when your program is unable to parse the request it should display a sensible error message to the user. These errors should also be logged and communicated to the MyUW team for resolution.
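The request check and the response guidelines above, put together as an added example that is not part of the original specification: the handler parses the query string, drops stale requests, and returns an escaped HTML fragment or a sensible error message. The 30-second window, the clock-skew allowance, the sample record, and the message texts are assumptions made for the example.

```python
import html
import time
from urllib.parse import parse_qs

MAX_AGE_S = 30          # the "n seconds" above; value chosen for this example
MAX_FUTURE_SKEW_S = 5   # tolerate small clock drift between the two hosts

# Constructed sample data standing in for the department's database.
SAMPLE_DB = {"whoishe": {"advisor": "Smith & Jones <Advising>"}}


class StaleRequest(Exception):
    """Request is too old (or dated in the future); drop it without replying."""


def parse_request(query, now_ms=None):
    """Return the UW NetID from the query string, or raise ValueError/StaleRequest."""
    params = parse_qs(query, strict_parsing=True)
    ids, stamps = params.get("id", []), params.get("timestamp", [])
    if len(ids) != 1 or len(stamps) != 1:
        raise ValueError("expected exactly one id and one timestamp")
    if not stamps[0].isascii() or not stamps[0].isdigit():
        raise ValueError("timestamp is not a decimal number")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    age_s = (now_ms - int(stamps[0])) / 1000
    if age_s > MAX_AGE_S or age_s < -MAX_FUTURE_SKEW_S:
        raise StaleRequest(f"request age {age_s:.1f}s outside window")
    return ids[0]


def render_channel(query, now_ms=None, db=SAMPLE_DB):
    """Build the HTML fragment for one request; None means close the connection."""
    try:
        netid = parse_request(query, now_ms)
    except StaleRequest:
        return None
    except ValueError:
        return "<p>Sorry, this request could not be processed.</p>"
    record = db.get(netid)
    if record is None:
        return "<p>No information is on file for your account.</p>"
    # Escape &, < and > in data values; the markup itself is written by hand.
    return f"<p>Advisor: {html.escape(record['advisor'], quote=False)}</p>"
```

The ValueError branch is also where the parse failure would be logged for follow-up with the MyUW team.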
Your server and service must be robust. Your program should respond within a second under normal load. When generating a page, MyUW will wait for your content until a display timeout (which is set based on the longest average response time) occurs. If the content is not ready, MyUW would display this message in your channel:
"Waiting for content ... during busy times the wait may be longer.
Click the Reload button on the channel box to refresh."
In the meantime, MyUW continues to wait for your response until it arrives or a socket read timeout (20 seconds) occurs. In the latter case, MyUW would display the error message in your channel at the next page load:
"The content is not available at this time. Please try again later."
This error message would also be displayed when MyUW receives an unsuccessful HTTP response code from your server or the response body contains invalid HTML.
To mitigate the customer impact of an outage, we recommend that you provide an alternative way to access your service. If that is implemented, instead of displaying "Please try again later..." the link titled "Access the service directly" will be displayed.
The Reload button on the channel box serves two purposes:
Once MyUW has received the content of a channel, it caches the content in the HTTP session. This reduces traffic to your server(s) and allows the page to load more quickly, which speeds up the user experience. When a user hits the Reload button on the channel box, MyUW will request a fresh copy of the content from your server. If your server supports the conditional GET, we recommend that you configure the Last-Modified response header. MyUW would then use the If-Modified-Since header in the next request to pass the last-modified date back to your server for comparison. If a 304 status code is returned, it will use the cached copy instead.
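The conditional GET exchange described above, from the server side, as an added example that is not part of the original specification: the function decides between a full 200 response and a 304 from the stored modification time and the If-Modified-Since header. The function name and return shape are choices made for the example.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def conditional_get(last_modified, if_modified_since=None):
    """Return (status, headers) for content last changed at `last_modified`.

    `last_modified` is a timezone-aware datetime and must describe the
    requested user's own data, since every response is personalized.
    """
    # HTTP dates have one-second resolution, so compare at that resolution.
    last_modified = last_modified.astimezone(timezone.utc).replace(microsecond=0)
    headers = {"Last-Modified": format_datetime(last_modified, usegmt=True)}
    if if_modified_since:
        try:
            since = parsedate_to_datetime(if_modified_since)
        except (TypeError, ValueError):
            since = None  # malformed header: ignore it and send the full body
        if since is not None:
            if since.tzinfo is None:  # "-0000" style dates parse as naive UTC
                since = since.replace(tzinfo=timezone.utc)
            if last_modified <= since:
                return 304, headers   # MyUW keeps using its cached copy
    return 200, headers
```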
If needed, we can subscribe your target users to your channel if they can be identified by their Whatami affiliations. Otherwise, you would need to notify them yourself (via email or an announcement on your departmental web site) when your channel is initially released on MyUW. You may also provide instructions to your users about how to subscribe to it on the MyUW page.
Since MyUW is a 24x7 service, as a trusted content provider you will ensure the stability and correctness of your channel. Once the channel is in production, MyUW will email a daily error report to the contact person for your channel. Please let MyUW know (myuw@u.washington.edu) if you have regular maintenance downtime. Your program is expected to return a user-friendly error message during maintenance time.
Send an email to myuw@u.washington.edu with a general specification of the content you want to provide, an HTML mock-up page of the intended content, and when you plan to set up the channel.
The MyUW team may arrange a meeting with you before setting up the channel on the MyUW test server. Please prepare the following information:
The placement of your channel (its position on the MyUW pages) may be determined in the meeting.
MyUW releases are scheduled on Tuesday at around 8am. The normal time frame for establishing a personal dynamic channel is about a couple of weeks (spent mostly on testing the connection and authentication, and adjusting the content format).
Thanks to Dan Boren and Scott Rose (Department of Computer Science and Engineering) for reviewing this document and providing valuable feedback.
Copyright © 1998-2008, University of Washington. MyUW® is a registered trademark of the University of Washington.