Nr41 Blaise 41 UKTotal
CONTENTS
Articles
SECURITY AND SAFETY IN APPLICATIONS
- BY ANDREA RAIMONDI
BEGINNING OF TIME...THE WATER CLOCK
- BY EDITOR
THE NEW LAZARUS 1.4
- BY EDITOR
SECURITY IN APPLICATIONS: PASSWORD HANDLING
- BY ANDREA RAIMONDI
IN REMEMBRANCE OF ALAN TURING
- BY EDITOR
LAZARUS NOW CAN USE GOOGLE APIS
REST CLIENTS: USING THE GOOGLE APIS IN FREE PASCAL
- BY MICHAEL VAN CANNEYT
ARDUINO: THE VISUINO PROJECT - PART 1
- BY BOIAN MITOV
WORKING WITH GOOGLE MERCHANTS RATINGDATA USING KBMMW
- BY KIM MADSEN
Publisher: Foundation for Supporting the Pascal Programming Language
in collaboration with the Dutch Pascal User Group (Pascal Gebruikers Groep)
Stichting Ondersteuning Programmeertaal Pascal
Authors - Christian name in alphabetical order
A Andrea Raimondi
B Stephen Ball, Peter Bijlsma, Dmitry Boyarintsev
C Michaël Van Canneyt, Marco Cantù
D David Dirkse, Daniele Teti
F Bruno Fierens
G Primož Gabrijelčič, Mattias Gaertner
H Fikret Hasovic
J Cary Jensen
K Max Kleiner
L Wagner R. Landgraf, Sergey Lyubeznyy
M Kim Madsen, Felipe Monteiro de Carvalho
N Jeremy North
O Inoussa Ouedraogo
P Howard Page-Clark
S Rik Smit, Bob Swart
Z Siegfried Zuhr
Editor - in - chief
Detlef D. Overbeek, Netherlands Tel.: +31 (0)30 890.66.44 / Mobile: +31 (0)6 21.23.62.68
News and Press Releases email only to editor@blaisepascal.eu
Editors
Peter Bijlsma, W. (Wim) van Ingen Schenau, Rik Smit,
Correctors
Howard Page-Clark, James D. Duff
Trademarks
All trademarks used are acknowledged as the property of their respective owners.
Caveat Whilst we endeavour to ensure that what is published in the magazine is correct, we cannot accept responsibility for any errors or omissions.
If you notice something which may be incorrect, please contact the Editor and we will publish a correction where relevant.
Copyright notice
All material published in Blaise Pascal is copyright SOPP Stichting Ondersteuning Programmeertaal Pascal unless otherwise noted and may
not be copied, distributed or republished without written permission. Authors agree that code associated with their articles will be made
available to subscribers after publication by placing it on the website of the PGG for download, and that articles and code will be placed on
distributable data storage media. Use of program listings by subscribers for research and study purposes is allowed, but not for commercial
purposes. Commercial use of program listings and code is prohibited without the written permission of the author.
Data Attractiveness
What makes data attractive to malicious users?
There are two main traits which play a role in how attractive a data set is: ease of grab and potential; if the data is easy to grab and with a lot of potential then malicious parties have a really strong interest in getting it. On the other hand, if the data is extremely difficult to grab and/or has little potential, then they do not have as much interest in getting hold of it, making it more secure and more safe in the process. So let's just make an example of each and see how your data fits in the picture:

Easy and High Potential
A website called "We store your credit cards" has a login form which shows SQL errors. When you go into your profile, you can see your password in clear text. It reminds you of your credit card number and security code. Why is that an attractive target? The fact it shows SQL errors means there is no protection from SQL Injection, which means that you can try to log in with credentials you do not own.

These changes alone make all the difference: the fact you have to reset the password means that it has been hashed, so it's not easy to recover. Also, the fact you only accept virtual c/c numbers or real ones that need a confirmation password means that they are essentially useless. For virtual cards, if a break-in happens, they can easily be disabled and made useless as well.

As you can see, a few changes make the data harder to get and with very little value in case of a break in. The thing here is that now, they only get one potentially promising set of data instead of two, because even if the admins do not realise soon of the break in, there is just so much money that criminals can sell a lot less than on real credit cards. Also, if the virtual and real numbers are not clearly identified in the DB, this makes all of them useless, because there is no way criminals can distinguish them without using them, therefore exposing the fact that a break-in has occurred.
Egypt
The oldest water clock of which there is physical evidence dates to c. 1417-1379 BC, during the reign of Amenhotep III where it was used in the Temple of Amen-Re at Karnak. The oldest documentation of the water clock is the tomb inscription of the 16th century BCE Egyptian court official Amenemhet, which identifies him as its inventor. These simple water clocks, which were of the outflow type, were stone vessels with sloping sides that allowed water to drip at a nearly constant rate from a small hole near the bottom. There were twelve separate columns with consistently spaced markings on the inside to measure the passage of "hours" as the water level reached them. The columns were for each of the twelve months to allow for the variations of the seasonal hours. These clocks were used by priests to determine the time at night so that the temple rites and sacrifices could be performed at the correct hour.[8] These clocks may have been used in daylight as well.

India
N. Kameswara Rao suggests that pots excavated from Mohenjo daro might have been used as water clocks; they are tapered at the bottom, have a hole on the side, and are similar to the utensil used to perform abhishekam (pour holy water) on shivalingam.
It is suggested that the use of the water clock in ancient India is mentioned in the Atharvaveda from the 2nd millennium BC. Ghati or Kapala (clepsydra or water clock) is referred to in Jyotisha Vedanga, where the amount of water that measures a nadika (24 minutes) is mentioned.

A more developed form of the clepsydra is described in the Suryasiddhanta. At Nalanda, a Buddhist university, four hours a day and four hours at night were measured by a water clock, which consisted of a copper bowl holding two large floats in a larger bowl filled with water. The bowl was filled with water from a small hole at its bottom; it sank when completely filled and was marked by the beating of a drum at daytime.
The amount of water added varied with the seasons and this clock was operated by the students of the university.
The description of a water clock in astrologer Varahimira's Pancasiddhantika (505) adds further detail to the account given in the Suryasiddhanta.
Huan Tan (40 BCE - 30 CE), a Secretary at the Court in charge of clepsydrae, wrote that he had to compare clepsydrae with sundials because of how temperature and humidity affected their accuracy, demonstrating that the effects of evaporation, as well as of temperature on the speed at which water flows, were known at this time. In 976, Zhang Sixun addressed the problem of the water in clepsydrae freezing in cold weather by using liquid mercury instead. Again, instead of using water, the early Ming Dynasty engineer Zhan Xiyuan (c. 1360-1380) created a sand-driven wheel clock, improved upon by Zhou Shuxue (c. 1530-1558).
The use of clepsydrae to drive mechanisms illustrating astronomical phenomena began with Zhang Heng (78-139) in 117, who also employed a waterwheel.
Zhang Heng was the first in China to add an extra compensating tank between the reservoir and the inflow vessel, which solved the problem of the falling pressure head in the reservoir tank. Zhang's ingenuity led to the creation by Yi Xing (683-727) and Liang Lingzan in 725 of a clock driven by a waterwheel linkwork escapement mechanism.
The same mechanism would be used by Su Song (1020-1101) in 1088 to power his astronomical clock tower, as well as a chain drive. Su Song's clock tower, over 30 feet (9.1 m) tall, possessed a bronze power-driven armillary sphere for observations, an automatically rotating celestial globe, and five front panels with doors that permitted the viewing of changing mannequins which rang bells or gongs, and held tablets indicating the hour or other special times of the day.

The water clock created by Su Song in 1088 was one of the most important and desired inventions of its time. It took Su Song approximately 12 years to build an amazingly detailed water clock. Those 12 years that Su Song was building his water clock he also took the time to draw out plans to build his magnificent clock. His clock was a very complicated thing. It included 117 manikins that came out of the tower every hour on the hour and banged gongs and rang bells or carried a tablet that said the hour. It was powered by an 11 foot water wheel with 36 buckets of water mounted on its perimeter.
The clock's water wheel only turned 100 times a day and was able to keep time relatively accurately. Su Song's clock not only kept time but allowed people to observe constellations that were important to Chinese astrology.

Su Song built his astronomical water clock in 1088, and for 79 years the amazingly complicated clock stood in the capital. One day the Jin army came and disassembled the clock and brought the pieces to their capital which is modern day Beijing.
They weren't able to rebuild it because of the complexity of the clock. They might have been able to manage if they had taken the plans with them. The fact that it was stolen suggests that it was a very important invention and since it was impossible to be rebuilt it must have been extremely complicated.

People today have tried to rebuild the water clock but the best replica we currently have is about five feet tall and doesn't actually keep time.
Figure 4: The water-powered mechanism plans of Su Song's astronomical clock tower
Figure 5: The Chinese Hydraulic Water clock created by Su Song
To accomplish this, the clock had two tanks, the top tank was connected to the time indicating mechanisms and the bottom was connected to the flow control regulator. Basically, at daybreak the tap was opened and water flowed from the top tank to the bottom tank via a float regulator that maintained a constant pressure in the receiving tank.

The first water clocks to employ complex segmental and epicyclic gearing were invented earlier by the Arab engineer Ibn Khalaf al-Muradi in Islamic Iberia c. 1000.

His water clocks were driven by water wheels, as was also the case for several Chinese water clocks in the 11th century. Comparable water clocks were built in Damascus and Fez. The latter (Dar al-Magana) remains until today and its mechanism has been reconstructed.
LCL Changes
Added methods and utilities to load objects from FPC resources
Changed all LCL resources from LRS to RES.
As a result they can be edited in executables using resource editors on Windows platform.
DBImage changes versus 1.2:
DbImage implements loading stream directly if it doesn't have a known header,
WriteHeader property. This makes writing image header optional improving compatibility
with Delphi controls
Translations unit: SetFuzzy (boolean with default value false) parameter was added
to TPOFile.Add method. It allows to mark PO entry as fuzzy (when true).
TDateTimePicker and TDBDateTimePicker components were added.
They are Delphi compatible and are installed by default, but have their own package
instead of being part of LCL.
TComboBoxEx and TCheckComboBox components were added.
They are Delphi compatible and are part of LCL.
6 Issue Nr 3 2015 BLAISE PASCAL MAGAZINE
NEW LAZARUS VERSION 1.4 FPC 2.6.4 (PAGE 4 - end)
Remedy:
Use EditChange, EditDblClick etc. in derived controls.
Use (ActiveControl.Parent is TEditButton), or alternatively (ActiveControl is TEbEdit)
TControl.GetChildsRect renamed to TControl.GetChildrenRect
Effect: compile error: There is no method in an ancestor class to be overridden:
"TYourControl.GetChildsRect(Boolean): <record type>;"
Reason: Incorrect English
Remedy: use GetChildrenRect instead.
TControlScrollBar.AutoCalcRange was removed
Effect: compiler error: There is no method in an ancestor class to be overridden:
"TYourControlScrollBar.AutoCalcRange;"
Reason: Code for calculating the AutoScroll ranges was moved from the two scrollbars
to the new protected method TScrollingWinControl.CalculateAutoRanges.
This prevents an endless loop when the two scrollbars depend on each other, it simplifies
the code and reduces some overhead.
Remedy: Override TYourControl.CalculateAutoRanges instead.
TDateEdit.DialogTitle property was removed
Effect: Compile error if the property was set in code. LFM loader removes it from form files.
Reason: Unused and thus misleading and confusing.
Remedy: Remove it from your code.
TMemo, TTextStrings and TCustomStringGrid: changed behaviour of
LoadFromFile/SaveToFile
Effect: LoadFromFile/SaveToFile respectively LoadFromCSVFile/SaveToCSVFile now
take strings in UTF8-encoding (was: system encoding) as their parameter.
Reason: LCL uses UTF8 internally; consistency with e.g. TSynEdit.
Remedy: do not use Utf8ToSys() anymore in the calls to these procedures.
IDE incompatibilities
Changed parameters
LazarusIDE.DoJumpToCompilerMessage: changed Line integer to TMessageLine
CompilerOptions.ShowAllProcsOnError: was removed, option -vb is now always passed
CompilerOptions.ShowNothing: was removed, not needed
LazarusHelp.ShowHelpForMessage: removed parameter Line.
The IDE now always shows help for the currently selected line.
IDE Macro CompPath
Effect: IDE uses the project compiler instead of the default compiler set in the IDE options.
Reason: The macro $(CompPath) now resolves to the project compiler.
Packages are now compiled with the project compiler.
Remedy: Use $CompPath(IDE)
Old IDE does not reopen first file when opening a project
Effect: When a project saved with a new IDE (1.3+) is opened with an old IDE (e.g. 1.2),
the first file in the source editor is not reopened automatically.
Reason: The default value for Editor position is now "0", which is not stored in the lpi,
creating smaller lpi files.
Remedy: Open the file manually.
IDE does not show Compile Dialog
Effect: Compile Info window does not appear when compiling.
Options Show compile dialog and Autoclose compile dialog are missing.
Reason: The code that runs the compiler was completely rewritten. The dialog needed a
big rewrite too, but it had no maintainer.
Remedy: You can abort a compile via Run / Abort Build or its shortcut Ctrl+Alt+Shift+G.
You can change the shortcut in Tools / Options / Editor / Key Mappings.
The number of errors, warnings and hints are shown in the Messages window.
IDE/lazbuild cross compiles for different target OS/CPU
Effect: When the target OS/CPU are not set (i.e. empty or default) the 1.4 IDE/lazbuild
compile for a different target than Lazarus 1.2.
Reason: Formerly the IDE took as default its own OS/CPU. Now it queries the project's
compiler and uses its default target OS/CPU.
Remedy: Specify target OS/CPU in Project options / Compiler options or for compiling
the IDE set Tools / Configure build Lazarus.
The second thing is that, luckily, a good majority of passwords input by users are 6 characters or longer. So, why is it so easy to break them? Well, part of this is that many website developers think they will be smarter than the bad guys and so do not hash their passwords. They think they can get away simply with encryption so that the password cannot then be recovered.
The reason this is bad is that a lot of the time they do not just commit the cardinal sin of encrypting them, they even use very poor encryption methods which are vulnerable to frequency analysis or other statistical analysis. Again, this happens because of a desire not to delay login times, which really should not be an issue since login and registrations are done fairly infrequently compared to other operations.

Frequency analysis
Frequency what? Consider this text: it is written in English and is fairly long. If you count the letters, you will notice that some appear more frequently than others. Hence, if you know a text has been written in English and you use a bad encryption algorithm, some bytes will appear more frequently than others. By matching the two pieces of information, you can reasonably assume that a certain byte corresponds to a certain letter. This is how you break a Caesar cipher. The Vigenère cipher is very similar, except that you have to do it in a multi-step fashion.

Statistics
Another tool used by malicious users is statistics. When they break a certain set of passwords, they will update a count in their dictionaries, so they know which are more likely to appear than others. This is another very useful tool allowing them to optimise away another swathe of potential passwords. They know, for example, that if the username is Tony there are good chances the password could have 2 to 4 digits representing the year of birth. All of this information is fed to their tools to weed out bad candidates and speed up the recovery of passwords.

You can use statistics against them, though
Oh yes! You can and you should. Say that we have a user Tony with password tony1957. That password will be found in less than 2 hours, granted. Do not even doubt that. Can we make that password more secure without radically changing it? Oh yes, we can. What if the password was tony5719? Now, there are still four digits, but it's not a year anymore and the malicious code dealing with the year will fail, because it does not account for that kind of thing.
Or the password could be, more viciously, 57tony19. It still contains exactly the same information and it's just as easy to remember, but it is a lot harder to guess because it does not fit the statistical expectation. Hence, if you give this kind of advice on your website, you can be sure that your users will find ways to comply with your suggestions while still remembering the password easily. Plus, if this is the advice you keep giving, the bad guys will have to assume that all bets are off, and they do not like that.

The password you hash does not have to be the same one as was entered
If the previous section made you think, this will make you think even more. Why on Earth should you be using the same password they give you to hash? Just use another one, derived from that. This is called password mangling and it can be as simple as counting the characters of a string and ordering them by frequency. So let's say the password is tony1957: you will end up with 1t1o1n1y11191517. Now, that's a password! See? Even with a bad password, you still can get a good password. And good luck with the statistics on that! If you want to be particularly devious, you can have a password strength evaluator which highlights the bad passwords leaving the good ones alone. Also, along with this, you can also use some padding characters, which will be part of the string being hashed and the malicious user will be left wondering whether the user or the system inputted them, making the password ultimately useless.

When the going gets tough, the tough get going
If you feel that the above is only a good start, you can also go overboard and be really mean. One of the techniques I devised (but never found a reason to use, because I don't deal with stuff requiring this level of security) is the multi-password: who says that you always have to use the same password field? Why can't you use one, say, from Monday to Wednesday and another, with a different hash, from Thursday to Sunday?
When the cracker downloads the MySQL dump he'll find out there are two password fields: hang on, is the password split in two fields or are they different encodings of the same password?
But I would only use this if I wanted to make the poor malicious user cry really hard.

How nasty you are is only up to you
I am sure that I have now inspired you to think of ideas that can work, provided that you make a plan and discuss it with both your peers and your seniors, because it's easy to get these things wrong and do something stupid instead of clever. What I am suggesting here is not that you should not be clever, I am suggesting that you should be clever in things that do not affect the cryptographic properties of the hash and that is where people usually get it wrong because they try to be cleverer than the researchers that do this for a living. News flash: you are not.

Not all passwords can be hashed
If your password cannot be hashed, you are in trouble. What do you mean some password can't be hashed? Well, for example, say that you have to automatically log in to a site and need to save the credentials: that account needs to be saved somewhere because you need it for the function to work. This is one of those cases where, as a developer, you have to assert security over convenience: you simply do not store them. You ask them every time. There is no other secure way, because malicious users can't reach what you do not store. If you have an E-Commerce website and you store credit card numbers, you should stop. Just don't. You are not PayPal and will never be: stop being delusional. With an ever increasing number of bad attacks on really well known websites, it is dawning on users that convenience sometimes is a bad thing. We are not yet where we should be, but the time will come when they realise it and will start requesting it. If you were able to explain why you made this choice, they will certainly trust you more than the other guy who says they can store their credit card number securely.

Darn! Save them in encrypted files on another machine and only make them accessible through a script which only accepts requests from the machine where your website is located and possibly use a really long and nasty password in the script to decrypt them.

What if we didn't need passwords at all?
We have been discussing passwords, but really do we really need them? Have you ever heard of alternatives to passwords? And I am not talking about biometric stuff. That does not work unless it's done properly, which means with devices that cost thousands of dollars, specific usage protocols and trained personnel. What I am talking about is the use of images. Say that you are creating a website and that you have 1 or 2 million small images on the server. Now, say that when you register a user, you show 10 of those images and save which ones you were showing on the user profile. Now, let's also say that you associate each image to a piece of text which defies statistics and then allow the user to pick 4 out of 10 in a certain order. They have to use that order again when they log in. I argue that in such a case, if the images shown are truly random, you might not even really need a username because the chances that two users get the same image set and pick the same 4 in the same order are minimal. The system is also easy to expand if needed by simply adding new images. They do not even need to be really big, I'd say that a 1000x1000 pixel image should be more than enough, therefore limiting the amount of hard disk space needed.
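The mangling step from "The password you hash does not have to be the same one as was entered", as an added example in Python (not the author's code): it reproduces the article's tony1957 result, stores the mangled string with a salted, slow hash, and shows that counting characters is lossy, so different passwords can mangle to the same value. PBKDF2-HMAC-SHA256, the per-user random salt, the iteration count and the function names are this example's assumptions; the article names no specific hash.

```python
import hashlib
import hmac
import os
from collections import Counter

# Work factor chosen for this example (an assumption, tune it to your hardware).
PBKDF2_ITERATIONS = 600_000


def mangle(password):
    """Count each distinct character and emit count+character pairs,
    most frequent first; ties keep their order of first appearance."""
    counts = Counter(password)  # remembers first-appearance order
    ordered = sorted(counts.items(), key=lambda item: -item[1])  # stable sort
    return "".join(f"{count}{char}" for char, count in ordered)


def hash_password(password, salt=None):
    """Return (salt, digest) for the mangled password.

    The mangling rule is deterministic and would be known to anyone who reads
    the code, so the per-user salt and the slow key derivation still do the
    real protective work."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", mangle(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(candidate, salt, stored_digest):
    """Recompute the digest for a login attempt and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def collides(first, second):
    """True when two different passwords mangle to the same string.

    Character counting discards positions, so "noot" and "onto" both become
    "2o1n1t": either one would then unlock the same account. A mangling rule
    used in front of a hash should be checked for this before deployment."""
    return first != second and mangle(first) == mangle(second)


if __name__ == "__main__":
    print(mangle("tony1957"))            # the article's example
    salt, digest = hash_password("tony1957")
    print(verify_password("tony1957", salt, digest))
    print(verify_password("tony5719", salt, digest))
    print(collides("noot", "onto"))
```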
By Andrew Lycett
(JavaScript Object Notation), which has several advantages over XML: it is less verbose (that applies to the specification as well: the JSON specification fits on an A4 page), it is less sensitive to whitespace, and it has some native notion of data types (including string, boolean, number, object, and array). Last but not least, it is a subset of JavaScript, and as such can be handled natively by any browser.
Obviously all the data on the web needs to be protected from unauthorized access. This protection is increasingly done using OAuth (version 2). (OAuth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.)

OAuth is also implemented using JSON. OAuth in essence relies on the user giving consent to an application (mostly the browser) to use data on his or her behalf.
All the technologies needed to perform REST operations and OAuth authorization are available in Free Pascal. It was therefore only a matter of time before a comprehensive set of components became available to easily access web APIs. In this article we'll describe how to access the Google APIs using REST in Free Pascal and Lazarus, and demonstrate how they can be used in sample applications such as the Google Drive demo (figure 2).

Access to Microsoft Office365 is also being worked on, but will be the subject of a later article.

2 Architecture
The Free Pascal implementation of the web APIs makes several assumptions:
1. Transport uses the HTTP(s) protocol. Several TCP/IP socket implementations are available (including Synapse, lnet, Indy, the FPC native client). Each developer has his own preferred implementation which he uses. So, the REST APIs should work with each of those. That means that the HTTP request and response mechanism has been abstracted into a new class called TFPWebClient. Concrete implementations of this abstract class have been made for Synapse and TFPHTTPClient.

2. Authentication of the HTTP requests happens using OAuth2, but other mechanisms can be implemented as well. Since the OAuth2 protocol involves exchanging tokens with a webserver, it needs a HTTPS transport layer as well.

3. Serialization of objects is done using JSON. Therefore the basic REST object contains a JSON serialization mechanism, based on RTTI.

The upshot of these architectural decisions is that there are several classes involved in the REST implementation:

TFPWebclient
handles HTTP(S) messages. A descendent of this client is needed, which uses a particular TCP/IP suite to actually send the request and read the response.
A request is represented by a TWebRequest class, the response will come in the form of a TWebResponse class.
Requests are executed using the ExecuteRequest and ExecuteSignedRequest methods: To each TFPWebclient instance, a TRequestSigner component can be attached. This component is allowed to examine the request and response when they are sent or received, allowing a request to be signed (for instance by adding an Authorization header with a Bearer token).

TFPOauth2Handler
is a class that handles OAuth 2 authentication. Technically, it is a descendent of a TRequestSigner that will add the OAuth2 header. This class may use the TFPWebclient instance (or a second TFPWebclient instance) to execute token exchange requests as part of the OAuth2 flow.
The class can be used in offline mode (for desktop apps) as well as in online mode (for web applications).

TRestObject
This is the basic object that represents a REST resource. It has 2 important methods: LoadFromJSON and SaveToJSON. These methods use the RTTI to create a JSON representation of the object, or to read the object properties from a JSON representation. It also has a mechanism to record which properties have been changed.
A mechanism to record property changes is needed because many REST APIs allow both PUT and PATCH (or UPDATE) methods. A PUT method generally completely replaces a resource with the new value specified in the request, whereas PATCH modifies the resource by applying the changes in the request to the existing resource.
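How the request signer and the change-tracking resource object described above fit together, as an added example modelled in Python (it is not the Free Pascal classes or the author's code): the signer attaches a Bearer token only to HTTPS requests for the expected host, and the resource sends only its changed properties for PATCH but the whole object for PUT. All class names, the DriveFile resource, the URL and the token are stand-ins invented for the illustration; the host check is an addition the article does not describe.

```python
import json
from urllib.parse import urlsplit


class WebRequest:
    """Plays the role the article gives to TWebRequest."""

    def __init__(self, method, url, body=None):
        self.method = method
        self.url = url
        self.body = body
        self.headers = {}


class BearerSigner:
    """Plays the role of a TRequestSigner descendant that adds the OAuth2 header."""

    def __init__(self, access_token, api_host):
        self._token = access_token
        self._api_host = api_host

    def sign(self, request):
        parts = urlsplit(request.url)
        # The token is a credential: never attach it to a cleartext request.
        if parts.scheme != "https":
            raise ValueError("bearer token requires an https URL")
        # Added check (not in the article): only the expected API host gets it.
        if parts.hostname != self._api_host:
            raise ValueError("refusing to send token to " + str(parts.hostname))
        request.headers["Authorization"] = "Bearer " + self._token
        return request


class RestObject:
    """Resource with JSON load/save and a record of changed properties."""

    FIELDS = ()

    def __init__(self, **values):
        object.__setattr__(self, "_changed", set())
        for name in self.FIELDS:
            object.__setattr__(self, name, values.get(name))

    def __setattr__(self, name, value):
        if name not in self.FIELDS:
            raise AttributeError("unknown property: " + name)
        if getattr(self, name) != value:
            self._changed.add(name)  # remember what a PATCH has to send
        object.__setattr__(self, name, value)

    def load_from_json(self, text):
        data = json.loads(text)
        for name in self.FIELDS:
            if name in data:
                object.__setattr__(self, name, data[name])
        self._changed.clear()  # freshly loaded state counts as unchanged

    def save_to_json(self, changed_only=False):
        names = [n for n in self.FIELDS if n in self._changed or not changed_only]
        return json.dumps({n: getattr(self, n) for n in names}, sort_keys=True)


class DriveFile(RestObject):
    """Hypothetical resource type used only in this example."""

    FIELDS = ("id", "title", "description")


def build_update(resource, url, signer, partial):
    """PATCH carries only the changed properties, PUT the complete resource."""
    method = "PATCH" if partial else "PUT"
    request = WebRequest(method, url, resource.save_to_json(changed_only=partial))
    request.headers["Content-Type"] = "application/json"
    return signer.sign(request)


def demo():
    """Load a constructed server reply, change one property, build both updates."""
    signer = BearerSigner("EXAMPLE-ACCESS-TOKEN", "api.example.test")
    doc = DriveFile()
    doc.load_from_json('{"id": "42", "title": "Draft", "description": "Q3 numbers"}')
    doc.title = "Q3 report"
    url = "https://api.example.test/files/42"
    return build_update(doc, url, signer, True), build_update(doc, url, signer, False)


if __name__ == "__main__":
    for req in demo():
        print(req.method, req.url, req.body)
```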
The advantage is that this mechanism allows the Then an instance of the Discovery API
programmer to create descendants of the classes in is created, and connected to the client
an API which have customised behaviour and component. The last 2 lines handle
properties, rather than modify the service description unit. When data arrives from the server, all private classes will be instantiated instead of the declared stock classes. When the service changes, the API converter can then regenerate the service description unit, and not all customizations are lost. If the object factory does not contain a definition for a certain class, the serializer will always fall back to instantiating an instance of the declared property type.

5 Using the generated APIs

Armed with these base classes, it is time to start using them to create an actual program. The Google discovery demo program uses the googlediscovery unit to create a small GUI program. Using this GUI program the following actions can be performed:

- View and search in available services.
- Open the documentation of a service in a browser.
- View the JSON rest description of the service.
- Generate a unit based on the REST description of a service.

The main form of the application simply shows a list of services, with a button to (re)fetch the list, and a textbox to filter the list. The OnCreate event is used to set everything up:

    procedure TMainForm.FormCreate(Sender: TObject);
    begin
      // set up communication.
      FClient:=TGoogleClient.Create(Self);
      FClient.WebClient:=TSynapseWebClient.Create(Self);
      // Register all classes so they can be streamed.
      TDiscoveryAPI.RegisterAPIResources;
      // create the API and hook it up to the Google client.
      FDiscoveryAPI:=TDiscoveryAPI.Create(Self);
      FDiscoveryAPI.GoogleClient:=FClient;
      // The code generator uses its own objects.
      TDiscoveryJSONToPas.RegisterAllObjects;
      UpdateCaption;
    end;

initialization of the code generator, and update the caption of the Google API. In general the above mechanism will be the same for all applications that want to communicate with a Google service API.

The TApisResource class represents the resources exposed by the discovery API, and was generated by the code generator as follows:

    TApisResource = Class(TGoogleResource)
    Public
      Class Function ResourceName : String; override;
      Class Function DefaultAPI : TGoogleAPIClass; override;
      Function GetRest(_api: string; version: string) : TRestDescription;
      Function List(AQuery : string = '') : TDirectoryList;
      Function List(AQuery : TApislistOptions) : TDirectoryList;
    end;

The first 2 methods are for the API's internal bookkeeping for the factory methods. The interesting methods are List and GetRest: The latter requires the name and the version of the API, and will return a description of the REST API in the TRestDescription instance. These 2 parameters are required and are encoded in the path of the URI used to access the resource: this is a feature of the API and is reflected in the signature of the methods generated by the API.

As seen in the declaration, the List method of this resource comes in 2 forms: One accepts a string, the other a structure of type TApislistOptions. This pattern can be seen in all resource classes generated by the code generator, and this is a design choice: for each call the Google REST description document describes what optional parameters the call accepts, and usually these parameters serve to filter the returned response. These parameters are passed to the API in the query variables encoded in the URL.

This is always translated by the code generator into 2 calls: rather than creating a method that contains all the parameters in its signature, a record is declared that contains each parameter as a field. For the List method, these parameters are described in TApisListOptions:

    TApisListOptions = Record
      _name : string;
      preferred : boolean;
    end;
Since the API can change and to allow for custom queries, whenever there are such optional parameters for a method, the method is generated twice. The second form just accepts a query string which is passed on as-is in the URL (which means it must be URL-encoded). Internally, the method using the record just constructs the query from non-empty fields in the record, and calls the latter method.

So how can we use the TApisResource and its methods? Each API class has methods to create the resource instances used in the API. For the discovery API, there is only 1 resource, so the number of methods is limited:

    TDiscoveryAPI = Class(TGoogleAPI)
      //Add create function for resources
      Function CreateApisResource(AOwner : TComponent) : TApisResource;
      Function CreateApisResource : TApisResource;
      //Add default on-demand instances for resources
      Property ApisResource : TApisResource Read GetApisInstance;
    end;

user. Note that the base classes used in the APIs will always free properties of class or dynamic array type when they are destroyed: the user does not need to do this, but you do need to be aware of it.

The ShowDiscovery method shows all services in the list. It has two arguments that can be used to filter the list: PreferredOnly and a filter on text (the title, name, description and labels are filtered on this text). Google APIs come in different versions, and one of these versions is the preferred version. Normally this is the version that should be used in new implementations. To cater for this, the demo program has a check menu which can be used to show only the preferred versions of an API.
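The List variant that takes a raw query string passes it into the URL unchanged, so every value has to be percent-encoded before it is concatenated. The following added example (not the code generator's own implementation) builds the query from a TApisListOptions record; EncodeQueryValue, AddParam and OptionsToQuery are hypothetical names, and the mapping of _name to the name parameter and the omission of a False flag are assumptions.

```pascal
program listquery;
{$mode objfpc}{$H+}
uses
  SysUtils;

type
  // Same fields as the TApisListOptions record shown in the article.
  TApisListOptions = record
    _name: string;
    preferred: Boolean;
  end;

// Percent-encode every byte outside the RFC 3986 "unreserved" set.
function EncodeQueryValue(const S: string): string;
const
  Unreserved = ['A'..'Z', 'a'..'z', '0'..'9', '-', '.', '_', '~'];
var
  i: Integer;
begin
  Result := '';
  for i := 1 to Length(S) do
    if S[i] in Unreserved then
      Result := Result + S[i]
    else
      Result := Result + '%' + IntToHex(Ord(S[i]), 2);
end;

// Hypothetical helper: append one name=value pair, encoding only the value.
procedure AddParam(var Query: string; const AName, AValue: string);
begin
  if Query <> '' then
    Query := Query + '&';
  Query := Query + AName + '=' + EncodeQueryValue(AValue);
end;

// Hypothetical helper: build the query from the non-empty fields of the record.
function OptionsToQuery(const Opts: TApisListOptions): string;
begin
  Result := '';
  // Assumption: the _name field maps to the "name" query parameter.
  if Opts._name <> '' then
    AddParam(Result, 'name', Opts._name);
  // Assumption: a False flag counts as "empty" and is left out.
  if Opts.preferred then
    AddParam(Result, 'preferred', 'true');
end;

var
  Opts: TApisListOptions;
begin
  // Constructed input: a filter value that contains query delimiters.
  Opts._name := 'calendar&preferred=false';
  Opts.preferred := True;
  WriteLn(OptionsToQuery(Opts));
end.
```

With the constructed input, the `&` and `=` inside the filter value come out as `%26` and `%3D`, so the value stays a single `name` parameter instead of turning into a second `preferred` parameter.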
4. As a last step, a pair of keys must be generated for the application. This is done under the APIs and Auth - Credentials section of the console. One key is a unique identifier for the application (the client ID), the other is a secret key (a password). These are used when asking for user consent: they are sent to the Google authorization server when the application needs permission to fetch data from a user. Through the OAuth 2 protocol flow, the application will then end up with a new token (the access token) that it will use to ask permissions to access data on behalf of the user.

The credentials configuration is shown in figure 6 on page 36. Depending on what kind of application you are developing, different settings must be used.

For desktop applications, the 'native application' type must be chosen, and urn:ietf:wg:oauth:2.0:oob or http://localhost must be chosen as the Redirect URI. In the Google Developer Console a new Client ID and Client Secret can then be generated.

The client ID and Secret must be used in the code of your application - preferably scrambled somehow. Google offers a JSON download of this data; the contents of this file must be kept secret. If this data becomes public, then another programmer can impersonate your application and start downloading or, worse, wreak havoc on the user's data (and you will get the blame for it).

The second method, APINeedsAuth, returns True if the API needs authorization. (This is the case when the APIauthscopes array is non-empty).
The code differs only in the setup of the authentication handler: The webclient's RequestSigner property is set to the Google Client AuthHandler property.

When the webclient needs to sign a request (basically, it adds an authorization handler), it checks the AuthHandler. This will check if an access token is available. For the authentication handler to be able to do its work, 2 properties must be set:

    FClient.AuthHandler.Config.AccessType:=atOffLine;
    FClient.OnUserConsent:=@DoUserConsent;

The first line tells the authentication handler class that the application is an offline application. The second line registers an event handler: for an offline application, this event handler is called if user consent is needed. The last line of the OnCreate event handler loads the configuration from an ini file; we'll get back to this.

Now, when the application needs to do a service call to a Google service, the authentication handler will check if it has an access token. If it does not, and it does not have a refresh token (with which it can ask an access token from Google), it will call the DoUserConsent event handler.

When the event handler is called, several things must be done:

1. The event handler gets a URL to a Google authentication server, which must be displayed in a browser.
2. The Google authentication server will then ask the user to log in (if he or she is not yet logged in) and will ask permission for your application to access the calendar.
3. The browser will then display an authorization code, which must be entered by the user in the program.
4. Once the user has entered the authorization code, the event handler may return, passing the code back to the authorization handling component.

In the calendar demo application, there is a groupbox with an edit control and 2 buttons (OK and Cancel). In this edit control the user can enter the authorization code returned by Google. Initially, this groupbox is invisible.

    Procedure TMainForm.DoUserConsent(Const AURL: String; Out AAuthCode: String);
    begin
      // Make the code entry visible.
      GBAccess.Visible:=True;
      EAccessCode.Text:='<enter code here>';
      FAccessState:=acsWaiting;
      // Show the URL in the browser
      OpenUrl(AURL);
      // Wait for the user to enter the code
      While (FAccessState=acsWaiting) do
        Application.ProcessMessages;
      // If the user has entered the code, return it
      if FAccessState=acsOK then
        AAuthCode:=EAccessCode.Text;
      GBAccess.Visible:=False;
    end;

The code for this event handler looks like the example above: The code starts by showing the button and edit control. It then repeatedly runs the application message loop to wait for the user to enter the authorization code. The OK and Cancel buttons simply set a state, which is picked up in the loop:

    procedure TMainForm.BSetAccessClick(Sender: TObject);
    begin
      FAccessState:=acsOK;
    end;

    procedure TMainForm.BCancelClick(Sender: TObject);
    begin
      FAccessState:=acsCancel;
    end;

Obviously, it would be annoying for the user to have to login and enter this code each time the application is used. Fortunately, this is not necessary: the application saves the tokens it received after the first calls to the server.

    procedure TMainForm.SaveRefreshToken;
    Var ini:TIniFile;
    begin
      // We save the refresh token for later use.
      With FClient.AuthHandler.Session do
        if RefreshToken<>'' then
        begin
          ini:=TIniFile.Create('Google.ini');
          try
            With ini do
            begin
              WriteString('Session','RefreshToken',RefreshToken);
              WriteString('Session','AccessToken',AccessToken);
              WriteString('Session','TokenType',AuthTokenType);
              WriteDateTime('Session','AuthExpires',AuthExpires);
              WriteInteger('Session','AuthPeriod',AuthExpiryPeriod);
            end;
          finally
            Ini.Free;
          end;
        end;
    end;

procedure TMainForm.LoadAuthConfig;
Var ini:TIniFile;
begin
ini:=TIniFile.Create('Google.ini');
try
With FClient.AuthHandler.Config,Ini do begin
// Registered application needs calendar scope
ClientID :=ReadString('Credentials','ClientID','');
ClientSecret :=ReadString('Credentials','ClientSecret','');
AuthScope :=ReadString('Credentials','Scope', 'https://www.googleapis.com/auth/calendar');
// We are offline.
RedirectUri:='urn:ietf:wg:oauth:2.0:oob';
end;
With FClient.AuthHandler.Session,Ini do begin
// Session data
RefreshToken:=ReadString('Session','RefreshToken','');
AccessToken:=ReadString('Session','AccessToken','');
AuthTokenType:=ReadString('Session','TokenType','');
AuthExpires:=ReadDateTime('Session','AuthExpires',0);
AuthExpiryPeriod:=ReadInteger('Session','AuthPeriod',0);
end;
finally
Ini.Free;
end;
end;
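
SaveRefreshToken and LoadAuthConfig keep the refresh token, and the client secret next to it, in a plain Google.ini in the working directory. The following is an added example, not code from the article or from the Free Pascal Google API units, of one way to store that file per user with owner-only permissions and to refuse loading it when other accounts can access it; it assumes a Unix target, and TokenFileName, PrepareTokenFile and IsPrivateFile are hypothetical helper names.

```pascal
program tokenstore;
{$mode objfpc}{$H+}
uses
  SysUtils, IniFiles, BaseUnix; // Assumption: Unix target (Linux, macOS, BSD)

// Hypothetical helper: per-user config directory instead of the working directory.
function TokenFileName: string;
begin
  Result := IncludeTrailingPathDelimiter(GetAppConfigDir(False)) + 'Google.ini';
end;

// Create the file owner-only (mode 0600) before any secret is written to it.
procedure PrepareTokenFile(const AFileName: string);
var fd: LongInt;
begin
  if not ForceDirectories(ExtractFilePath(AFileName)) then
    raise Exception.Create('Cannot create ' + ExtractFilePath(AFileName));
  fd := fpOpen(AFileName, O_WRONLY or O_CREAT, &600);
  if fd < 0 then raise Exception.Create('Cannot create ' + AFileName);
  fpClose(fd);
  // An existing file keeps its old mode on open, so tighten it explicitly.
  if fpChmod(AFileName, &600) <> 0 then
    raise Exception.Create('Cannot restrict ' + AFileName);
end;

// True when neither group nor others hold any permission bit (octal mask 077).
function IsPrivateFile(const AFileName: string): Boolean;
var Info: TStat;
begin
  Result := (fpStat(AFileName, Info) = 0) and ((Info.st_mode and &077) = 0);
end;

procedure SaveRefreshToken(const AToken: string);
var Ini: TIniFile;
begin
  if AToken = '' then Exit;
  PrepareTokenFile(TokenFileName);
  Ini := TIniFile.Create(TokenFileName);
  try
    Ini.WriteString('Session', 'RefreshToken', AToken);
  finally
    Ini.Free;
  end;
end;

function LoadRefreshToken: string;
var Ini: TIniFile;
begin
  // Refuse a token file that other accounts can read or modify.
  if not IsPrivateFile(TokenFileName) then
    raise Exception.Create(TokenFileName + ' is missing or not private');
  Ini := TIniFile.Create(TokenFileName);
  try
    Result := Ini.ReadString('Session', 'RefreshToken', '');
  finally
    Ini.Free;
  end;
end;

begin
  // Constructed placeholder value, not a real token.
  SaveRefreshToken('constructed-refresh-token');
  WriteLn('round trip ok: ', LoadRefreshToken = 'constructed-refresh-token');
end.
```

File permissions only keep other local accounts out; software running as the same user can still read the token, so an operating system credential store is the stronger choice where one is available.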
This happened exactly in the middle of the Delphi Week, celebrating 20 years of Delphi, and so as I did a brief live interview about my experience with Delphi over the years, David I and Jim McKeeth, suggested to show the Visuino as example of what can be achieved with Delphi. So it was, that the first people to see the product live in action (bugs and all), were the Delphi fans watching the Delphi Live broadcast!

At this point I already had achieved all the goals I had in mind, when I started the project. All I needed was to write more components, and play with it, but soon I started to discover more shortcomings. I was able to program my Arduino with great ease, but my Arduino and my PC were living in separated worlds.

I wanted to see on my screen, what my Arduino was collecting as data, or processing. As a minimum, I needed a terminal window, so I created an OpenWire serial port component, and hooked a terminal window, with the necessary user interface. I was able to see my data, but it was in text format. What if I need to see it in a plot?

So using PlotLab, I naturally added a Scope component and hooked it to the serial port. The Visuino was shaping very well. Not only could I program my boards with it, but I could also monitor and plot the data from one channel. But what if I need to monitor more channels?

I still was not satisfied. To send data from multiple channels, over a single communication channel, I needed to package the data in some form of structure, so I designed a package and unpackage components that allow the data to be packaged and transmitted as a structured packet. Now I was able to plot multiple channels easily. I went even further, allowing Visuino to automatically configure the scope from the package format in my Arduino design.

Scope piloting was nice, but sometimes we want to see the data in Gauges, and LEDs so I decided to add instrumentation view as well, using the InstrumentLab component package. My Visuino was feature complete, I was happy, and I already had Delphi components developed that allowed me to easily communicate with the board.
Your design is ready. You can generate, compile,
and upload the code to your Arduino. Now you
can use the Visuino Scope and Instrumentation
Panel to view the data. Select the com port to which
the Arduino is connected, and from the Format
drop-down select Packet1: Then click Connect.
In the scope you can see the data arriving from the sensors (see figure above). And the same data can be seen in the Instrument Panel:
// Log:
// Converted without errors or warnings.
type
Ttype_1 = (singleton,group);
TNonEmptyString = kbmMWNullable<string>;
Ttype = (summary,detail);
Treviewer_type = (user,editorial,aggregator);
Tcollection_method = (unsolicited,point_of_sale,after_fulfillment);
const
CLanguageCode : array[TLanguageCode] of string =
('aa','ab','ae','af','ak','am','an','ar','as','av','ay','az','ba','be','bg','bh','bi','bm','bn','bo','br','bs','ca'
,'ce','ch','co','cr','cs','cu','cv','cy','da','de','dv','dz','ee','el','en','eo','es','et','eu','fa','ff','fi','fj'
,'fo','fr','fy','ga','gd','gl','gn','gu','gv','ha','he','hi','ho','hr','ht','hu','hy','hz','ia','id','ie','ig','ii'
,'ik','io','is','it','iu','ja','jv','ka','kg','ki','kj','kk','kl','km','kn','ko','kr','ks','ku','kv','kw','ky','la'
,'lb','lg','li','ln','lo','lt','lu','lv','mg','mh','mi','mk','ml','mn','mr','ms','mt','my','na','nb','nd','ne','ng'
,'nl','nn','no','nr','nv','ny','oc','oj','om','or','os','pa','pi','pl','ps','pt','qu','rm','rn','ro','ru','rw','sa'
,'sc','sd','se','sg','si','sk','sl','sm','sn','so','sq','sr','ss','st','su','sv','sw','ta','te','tg','th','ti','tk'
,'tl','tn','to','tr','ts','tt','tw','ty','ug','uk','ur','uz','ve','vi','vo','wa','wo','xh','yi','yo','za','zh','zu'
);
CCountryCode : array[TCountryCode] of string =
[kbmMW_Root('Review',[mwrfIncludeOnlyTagged])]
Before serializing or deserializing we need to let kbmMW know about the classes that are part of the merchant_reviews unit. This is done in the OnFormCreate event in this sample:

    procedure TForm1.FormCreate(Sender: TObject);
    begin
      Tmerchant_reviews.RegisterStreamableObjects;
    end;

Now everything is ready for streaming. Let's put some code in the load XML button's event handler to load a Google merchants ratings XML file and have it accessible via standard Delphi objects:

    procedure TForm1.btnLoadClick(Sender: TObject);
    var
      xmlm:TkbmMWXMLMarshal; xml:TkbmMWDOMXML;
      m:TMerchant; r:TReview; d:TNonEmptyString;
    begin
      xml:=TkbmMWDOMXML.Create;
      try
        xml.LoadFromFile('merchant_reviews.xml');
        xmlm:=TkbmMWXMLMarshal.Create;
        try
          FFeed:=TFeed(xmlm.ValueFromDOMXML(TFeed,xml));
          // Use the FFeed object for what you want.
        finally
          xmlm.Free;
        end;
      finally
        xml.Free;
      end;
    end;

kbmMW have full support for timezones, and you can operate the TkbmMWDateTime in much the same way as you would with a TDateTime.

Ok.. then let us try to serialize the FFeed object back to XML again, potentially after we have made changes to it, or perhaps even built a new Tfeed instance from scratch.

    procedure TForm1.btnSaveClick(Sender: TObject);
    var xmlm:TkbmMWXMLMarshal; xml:TkbmMWDOMXML;
    begin
      if FFeed=nil then exit;
      xmlm:=TkbmMWXMLMarshal.Create;
      try
        xmlm.Typed:=false;
        xml:=xmlm.ValueToDOMXML(FFeed);
        if xml=nil then
        begin
          Memo1.Lines.Add('xml=null');
          exit;
        end;
      finally
        xmlm.Free;
      end;
      xml.Typed:=false;
      xml.AutoIndent:=true;
      xml.AutoLineFeed:=true;
      xml.Update;
      xml.SaveToFile('newfeed.xml');
      xml.Free;
    end;

As such, browsers typically do support parsing XML to an extent, potentially via 3rdparty XML Javascript libraries. However Javascript supports a native textual object notation, that is more compact than XML and faster for it to read. JSON is the name for that notation (Javascript Object Notation). So a better choice is to serialize the Ffeed object to JSON and send that JSON stream to the browser. The browser would see the streamed data as true Javascript objects upon reception.

In kbmMW it's simple to serialize to JSON:

    procedure TForm1.btnSaveJSONClick(Sender: TObject);
    var jm:TkbmMWJSONMarshal; s:string;
    begin
      if FFeed=nil then exit;
      jm:=TkbmMWJSONMarshal.Create;
      try
        s:=jm.ValueToString(FFeed);
        // Now the string s contains the JSON data
      finally
        jm.Free;
      end;
    end;

The string can be sent directly to the browser as a response to the browser's GET or POST request, giving the mimetype application/json.

What makes the serialization/deserialization magic happen is the combination of attributes given on the Delphi types, and an advanced and intelligent built in mechanism that understands the combination of attributes and the type and relations between the defined Delphi types that are to be serialized/deserialized.

kbmMW's serializer is probably one of the most advanced on the market, and is even included in the free kbmMW CodeGear Edition. A Delphi class can be decorated with a number of attributes that hint to the serializer/deserializer how it should go about its operation.

This is a short explanation of the basic forms of various attributes currently understood by kbmMW:

[kbmMW_Ignore]
    Can be placed in front of any field or property to ensure that that particular field/property is not serialized. Eg. [kbmMW_Ignore] property SomeValue:string read.

[kbmMW_NotNull]
    Can be placed in front of any field/property to indicate that the field must NOT take the value of NULL (undefined). If it does, an exception will be raised upon serialization or deserialization.

[kbmMW_Element(..)]
    Place in front of any field/property to indicate that the value should be serialized as an element (a child node in XML). It's also possible to specify the name of the child object like this: [kbmMW_Element('someName')]

[kbmMW_Attribute(..)]
    Similar to the kbmMW_Element, except that it directs that the value must be put in an attribute (in the parent node in XML). For JSON it will work the same as kbmMW_Element. This attribute also accepts a naming argument.

[kbmMW_Root(..)]
    Specifies default naming of a class, and what parts of it should automatically be serialized/deserialized like all published properties, all public properties or only properties/fields tagged with kbmMW_Attribute or kbmMW_Element attributes.

[kbmMW_Null(..)]
    Indicate that the element can take the value of NULL. Optionally a default value can be provided, which will be used in case the value in the XML/JSON indicates NULL.

[kbmMW_Validate()]
    Validates a property/field or a complete class instance for its values and raises an exception if a value is out of spec. A complete expression which can refer to any field in the class can be given. If the expression evaluates to false, then an exception will be raised upon serialization/deserialization time. Eg. [kbmMW_Validate('$someName=22')] accepts only the value 22 in the someName field.

Finally it's possible to register custom serialization/deserialization code for handling special serialization/deserialization requirements. It already comes with such for handling kbmMWNullable<..> types, TkbmMWDateTime types, TStream types/descendants and TkbmCustomMemtable descendants.

I hope this has given an appetizer for how versatile the kbmMW object serialization/deserialization framework is.

As an example of a fairly complex XSD that kbmMW effortlessly converts and serializes/deserializes accordingly to, but that even Delphi XE8 fails converting, is the Personal Health Record XSD found here:
http://www.recordsforliving.com/Schemas/2006-04/PHR-Model/R4L_PHRModel.xsd

As kbmMW is a modular framework, one can choose only to use its XML capabilities, its JSON capabilities, its serialization capabilities, its application server capabilities, its database capabilities, its stream storage capabilities, its memory table or its async messaging capabilities etc without having to use all other parts of the kbmMW framework.

But obviously, you will get the best of the best if you take the plunge and choose to take advantage of all the kbmMW features you need in your applications as all parts are designed to work in perfect harmony with each other.

/Kim Madsen / C4D

There is extra code you can download from your subscription site....