Friday, November 20, 2009

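The Poignant Last Works of a Loving Woman Photographer

For more, visit http://www.139ya.com


For a wildlife photographer, the little creatures in these pictures are hardly the most threatening of felines. With their soft, silky fur, bright and clever eyes, and soft paws, they are cats through and through. These enchanting pictures were taken by wildlife photographer Jane Burton. Burton sadly died of cancer in 2007, and these pictures have become a poignant final testament to her photographic talent and patience.

Over the years, Burton, together with her husband Kim Taylor and their two sons, took in more than 60 cats, housing them at their home in Surrey. With an incredible eye for detail and great patience (she would sometimes wait four hours to record the perfect moment she had in mind), and with the courage she showed in her fight against cancer, Burton took one wonderful photograph after another of her beloved animal friends: cats, squirrels and rabbits. To some extent, photographing pets had become a remedy for the mental strain of dangerous shoots in the wild.

The lovely photographs in this article will be published for the first time in 《猫咪生活》 ("Cat Life"), the first collection of Burton's photographs to appear since her death. Burton was one of the early women wildlife photographers who left Britain for West Africa in 1960, a pioneer in this field of photography; Taylor was then an agricultural adviser, and it was he who brought these brave women to Nigeria. Over many years of shooting in the wild they travelled all over West Africa, and in their spare time they also made several documentaries, including 《蝙蝠洞》 ("Bat Cave") for Independent Television (ITV) and 《加勒比海摄影之旅》 ("A Caribbean Photographic Journey") for the British Broadcasting Corporation (BBC).

Although she photographed wildlife all over the world, according to Taylor, capturing the nature and character of cats on camera was his wife's most outstanding talent. He said: "In the studio, cats are very uncooperative subjects, but Jane managed what many photographers could not. Her most outstanding talent was knowing exactly when to press the shutter."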













Thursday, November 19, 2009

English Learning Websites



Liliang's Baidu Space: http://hi.baidu.com/liliangan/blog

English Allusions from Greek and Roman Mythology and the Bible [22]



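22. A wolf in sheep's clothing: a person who looks kind but is wicked at heart

  Jesus was preaching in the region of Galilee and had gathered many followers. One day he said to his disciples: "Beware of false prophets, which come to you in sheep's clothing, but inwardly they are ravening wolves."

  eg: Mrs. Martin trusted the lawyer until she realized that he was a wolf in sheep's clothing.

  One who teaches morality and practises immorality is a wolf in lamb's skin.

23. Separate the sheep from the goats: to tell the good from the bad

  The Gospel of Matthew in the New Testament records: "And before him shall be gathered all nations: and he shall separate them one from another, as a shepherd divideth his sheep from the goats."

  Under the influence of the Bible, sheep and goat carry sharply different images in English: the former stands for good people, the latter for bad. Most English idioms involving goat are pejorative, for example to play the goat = play the fool (to fool around) and to get sb's goat (to make someone angry). The Bible says the shepherd must tell the sheep from the goats and "set the sheep on the right, the goats on the left". It is said that wild goats often slipped into the flock and led the sheep astray, so the shepherd had to separate them to avoid confusion.

  Hence people use the idiom to separate the sheep from the goats to mean to separate the good from the wicked; to divide good or useful people from bad or useless.

  eg: We'll go through the list of members, and separate the sheep from the goats.

  Have faith in me, please. I can separate the sheep from the goats.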

English Allusions from Greek and Roman Mythology and the Bible [21]



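21. Cast pearls before swine: to offer something fine to those who cannot appreciate it; to waste one's kindness

  To cast pearls before swine literally means "to throw pearls in front of pigs".
Swine is an old, literary word, equivalent to today's pigs; swine has the same form in the singular and the plural, and in this phrase it is plural.

  This idiom comes from chapter 7 of the Gospel of Matthew in the New Testament: "Give not that which is holy unto the dogs, neither cast ye your pearls before swine, lest they trample them under their feet, and turn again and rend you." Because the metaphor in to cast pearls before swine is so apt, continual quotation by later generations made it an international idiom, commonly used to mean to offer sth valuable or beautiful to those who can't appreciate it; to give what is precious to those who are unable to understand its value, with a tone of contempt and mockery. Taken literally, the idiom resembles the Chinese idiom "明珠暗投" (a bright pearl thrown into the dark), but the implication differs and the two do not really correspond; in its figurative sense it corresponds to "对牛弹琴" (playing the lute to a cow), "向驴说经" (preaching scripture to a donkey), "一番好意给狗吃" (good intentions fed to the dog), "狗咬吕洞宾,不识好人心" (the dog bites Lü Dongbin, not knowing a kind heart), and the like.

  She read them Shakespeare, but it was casting pearls before swine.

  I won't waste good advice on John any more because he never listens to it. I won't cast pearls before swine.

  ...and when I let the upper floor to Cap'en Cuttle, oh I do a thankless thing, and cast pearls before swine.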

English Allusions from Greek and Roman Mythology and the Bible [20]


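20. The Salt of the Earth: the backbone of society; the finest of a nation; outstanding people

  The idiom The Salt of the Earth literally means "the salt of the world".

  Salt is an indispensable seasoning in food; if the body lacks salt, health suffers and various illnesses appear. Salt also has many uses such as killing germs, detoxifying, reducing inflammation and removing dirt; it is both "the king of a hundred medicines" and the mother of industry, and is truly something to be treasured. In the customs of many peoples, salt is regarded as a noble gift with which to honour guests.

  The phrase The Salt of the Earth comes from the Bible. According to chapter 5 of the Gospel of Matthew in the New Testament, Jesus said to his disciples: "Ye are the salt of the earth: but if the salt have lost his savor, wherewith shall it be salted?" Here salt is used in a transferred sense, meaning flavor; of the earth means of the world. These are the closing words of what Jesus preached on the Beatitudes in the Sermon on the Mount; he likens his disciples to "the salt of the earth", which is very high praise. Through continual quotation in later ages the sentence became an allusive idiom, with the transferred meaning the most valuable members of society; the finest type of humanity; a person or a group of people having the best character.

  eg: He does a lot of good jobs and is considered to be the salt of the world.

  You all are the salt of the earth. Our hope is placed on you.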

English Allusions from Greek and Roman Mythology and the Bible [19]



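19. Not an iota of: not the slightest bit; not at all

  Iota is the name of "I", the ninth letter of the Greek alphabet. Not an iota of comes from chapter 5 of the Gospel of Matthew in the New Testament: "Not one dot or one stroke of the law may be abolished; all must be fulfilled." Because iota is the smallest letter of the Greek alphabet, it can sometimes be written as a short stroke placed above other letters; leaving out this tiny mark has no effect on pronunciation, it is simply that by rule it may not be dropped. The law spoken of in the Gospels refers to the Law of Moses, meaning that no one is permitted to set aside even the smallest commandment of this law; not even one letter or one tiny stroke of it may be altered or omitted.

  From this the idiom has remained in the language, with the transferred meaning not a bit of; not one jot or tittle; not at all. Here iota is equivalent to the Chinese "小不点儿" (a tiny little bit).

  eg: Science deals with things in a practical way. Science means honest, solid knowledge, allowing not an iota of falsehood, and it involves herculean efforts and gruelling toil.

  There is not an iota of truth in the story.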

English Allusions from Greek and Roman Mythology and the Bible [18]



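18. The Writing/Finger on the Wall: an ill omen; imminent disaster

  The literal meaning of this idiom is "the writing (or finger) on the wall", while its actual meaning is a sign or warning of impending disaster; a sign that sth bad will happen; a feeling that one's number is up; and so on. How did the outward form of the words come to be connected with this meaning? Once again it comes from the Bible.

  According to chapter 5 of the Book of Daniel in the Old Testament, once when Belshazzar, king of ancient Babylon, was holding a feast and drinking freely in his palace, a mysterious finger suddenly appeared from nowhere and, before the king's eyes, wrote four strange words on the plastered wall of the palace opposite the lampstand: MENE, MENE, TEKEL, UPHARSIN. The king was panic-stricken and terrified, and no one understood what the words on the wall meant. Later the captive Jewish prophet Daniel was summoned, and it became clear that the words meant that disaster was at hand. He said: "MENE: God has numbered the days of your kingdom and brought it to an end; TEKEL: you have been weighed in the balance and found wanting; UPHARSIN: your kingdom is divided and given to the Medes and Persians." Sure enough, that very night Belshazzar was killed, and Darius the Mede, aged 62, took his place.

  Thus "the writing (or finger) on the wall" signifies an omen of death and the fall of a kingdom. The idiom has several forms in English: the writing/handwriting on the wall or a finger on the wall, usually used with linking verbs such as be and like; sometimes it appears in the pattern see/read the writing on the wall, expressing a warning, such as: Don't you see the writing on the wall? Sometimes on the wall can be omitted and one says simply Don't you see the writing? The meaning is the same.

  eg: This inexplicable incident seemed, like the Babylonian finger on the wall, to be spelling out the letter of my judgement...

  In this house of his there was writing on every wall. His business-like temperament protested against a mysterious warning that she was not made for him.

  John's employer had less and less work for him; John could read the writing on the wall.

  The writing on the wall is clear: if man behaves like an animal and allows his population to increase while each nation steadily increases the complexity and range of its environment, nature will take her course and the law of the Jungle will prevail.

  When Bill's team lost four games in a row, he saw the handwriting on the wall.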

English Allusions from Greek and Roman Mythology and the Bible [17]



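17. The Apple of One's Eye

  The Apple of One's Eye literally means "the apple in someone's eye". Here apple refers to the pupil, probably because the eyeball is round like an apple. The pupil is the most important part of the eye; without it, light cannot pass through the round opening at the centre of the iris into the eye, and one becomes blind. So this idiom is often used as a metaphor for cherishing a most beloved person or a precious thing as one would one's own eyes, that is, a cherished person or object; sth extremely precious to one; sb dearly loved.

  This idiom comes from chapter 32 of Deuteronomy in the Old Testament: "The LORD found him in a desert land, in a waste place where wild beasts howl; he encircled him, watched over him, and guarded him as the pupil of his eye." Similar words occur elsewhere in the Bible. In the English version, Psalm 17 in the Old Testament has the line: "Keep me as the apple of the eye, hide me under the shadow of the wings".

  The idiom the apple of one's eye is a fixed structure and must not be written as the apple of the eye of…; in collocation it is often used with the verbs be, keep, care for and so on. In its imagery it is quite similar to the Chinese idiom "掌上明珠" (a pearl in the palm), but the range of things it can be applied to is wider, since "掌珠" usually refers to a beloved daughter and cannot be used on other occasions.

  eg: Little Mary is the apple of her father's eye.

  Mind the reputation of your school as you care for the apple of your eye.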

English Allusions from Greek and Roman Mythology and the Bible [16]



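16. Sell One's Birthright for a Mess of Pottage: to lose much for the sake of little; to abandon principle for gain

  Sell One's Birthright for a Mess of Pottage translates literally as "to sell the eldest son's right of inheritance for a bowl of red bean soup".

  Chapter 25 of Genesis in the Old Testament tells this story: while Rebekah, wife of the Jewish patriarch Isaac, was pregnant, she felt the two babies kicking and struggling with each other in her womb and went to ask the LORD. The LORD said to her: "Two nations are in your womb, and two peoples shall come out of your body; one people shall be stronger than the other, and the elder shall serve the younger."

  Later Rebekah did indeed give birth to twin brothers; the elder was called Esau and the younger Jacob. When the two brothers grew up, Esau was active and often went out hunting, while Jacob usually stayed at home helping with the household. One day Esau came back from hunting, hungry and thirsty, saw his brother Jacob cooking bean soup, and said to him: "I am famished; give me some of the red bean soup!" Jacob said: "If you want the soup, sell me your birthright." Esau said: "I am about to starve to death; what use is this birthright?" So, as Jacob demanded, he swore an oath to heaven and sold his birthright to Jacob in exchange for bread and red bean soup. Having eaten and drunk his fill, Esau got up and left. Little did he imagine that for this bowl of red bean soup his descendants would be destined to serve the descendants of Jacob.

  Hence people use the phrase to sell one's birthright for a mess of pottage to mean to exchange something of lasting value for something that is of value for a short time only; to suffer a big loss for a little gain. This idiom is often shortened to for a mess of pottage. Sometimes to sell one's birthrights can also be used.

  eg: It was argued that joining the Common Market...would be giving away her national rights and advantages for a mess of pottage.

  There are many, many people who are willing to prostitute their intelligence for a mess of pottage.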

English Allusions from Greek and Roman Mythology and the Bible [15]



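15. Adam's Apple: the lump at the front of the throat (laryngeal prominence)

  Adam is the ancestor of mankind in the Bible, and the history of the apple is longer than the history of mankind. In the folk tales and myths of the world's ancient civilisations, the apple is a well-loved fruit. There is an English proverb: An apple a day keeps the doctor away. But according to the Bible story, the apple has also brought mankind trouble: the lump in a man's throat was caused by eating an apple.

  Chapter 3 of Genesis in the Old Testament tells of the origin of mankind. The story goes that God created Adam and Eve, the ancestors of mankind, and planted a garden in Eden in the east for them to live in. In the Garden of Eden grew all kinds of trees pleasing to the eye, bearing all kinds of fruit. God told Adam: you may freely eat of the fruit of every tree in the garden, but you must not eat the fruit of the tree of the knowledge of good and evil, for if you eat it you will surely die. This "forbidden fruit" was the apple. Later Adam's mate Eve, heeding the temptation of the serpent and disregarding God's command, ate the forbidden fruit of the tree of knowledge and gave the fruit to her husband to eat as well. Adam, being afraid, ate in haste, and a piece of the fruit stuck in his throat, going neither up nor down and leaving a lump, which is called "Adam's apple". After eating the fruit the two saw clearly and could tell good from evil and beauty from ugliness. But because they had disobeyed God's warning they were driven out of the Garden of Eden. From then on Adam bore the lump at the front of his neck for ever, as "evidence" of having eaten the forbidden fruit. God also punished Adam: "Only by the sweat of your face shall you earn your bread."

  Another version has it that God arrived just as Adam was eating, so Adam swallowed hurriedly and the piece unexpectedly stuck in his throat.

  eg: Your Adam's apple isn't apparent.

  Adam's apple can be more clearly seen on men's than on women's throats.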

English Allusions from Greek and Roman Mythology and the Bible [14]



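14. Bone of the Bone and Flesh of the Flesh

  Bone of the Bone and Flesh of the Flesh translates literally as "bone of the bone, flesh of the flesh", and comes from the Biblical myth of God's creation of man.

  According to chapter 2 of Genesis in the Old Testament: in the beginning, when all was chaos, the LORD God created heaven and earth. On the first day the LORD created day and night; on the second day he created the sky and the wind and clouds; on the third day he created the high mountains, the plains and rivers, as well as fertile land and fragrant flowers and fruit; on the fourth day he created the sun, the moon and the stars, and fixed the years, seasons, months and days; on the fifth day he created fish and birds of every shape and size; only on the sixth day did he create the various land animals, and then, in his own image, he formed a man out of the dust of the ground, named Adam, the mythical ancestor of mankind. Later the LORD saw that Adam lived alone with no companion to help him, so while Adam was fast asleep he took a rib from his body and made a woman called Eve, and brought her to him. Adam said: "This is bone of my bone and flesh of my flesh." From then on the two became husband and wife.

  Bone of the Bone and Flesh of the Flesh is often used as a metaphor for kinship by blood or unity of thought, that is, as close as flesh and blood; to be inseparably linked to each other.

  eg: Our army is bone of the bone and flesh of the flesh of the people.

  The I.W.W. was bone of the bone and flesh of the flesh of the floating workers. (W. Foster: Pages from a Worker's Life.)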

English Allusions from Greek and Roman Mythology and the Bible [13]


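13. Cut the Gordian Knot

  Cut the Gordian Knot translates literally as "to cut the knot of Gordius"; it comes from the same allusion as the previous entry.

  Gordius, king of Phrygia, used a tangled knot to tie the yoke to the shaft of the cart he had once used; the knot was firm and hard to undo, and an oracle declared that whoever could undo it would be ruler of Asia. Several centuries passed and no one could undo the knot. In the 3rd century BC, Alexander the Great (356-323 BC), the Macedonian king of ancient Greece and Rome, having become overlord of the Greek city-states, launched a great expedition to the East. In 334 BC he led his army into Asia Minor and, passing through Phrygia, saw the cart. Someone told him the old oracle; he too was unable to undo the knot. To raise morale, Alexander drew his sharp sword and with one stroke cut through the complicated tangle, saying: "This is how I undo it." Thus to cut the Gordian knot means to solve a complicated difficulty by quick and drastic action; to end a difficulty by using a vigorous or violent method; to solve a problem by force. In its imagery, this idiom closely resembles the Chinese idioms "快刀斩乱麻" (cutting tangled hemp with a sharp knife) and "大刀阔斧,果断处置" (bold, sweeping and decisive action).

  eg: They have decided to cut the Gordian knot to wipe out the enemy at a blow.

  Jean is afraid of everything. How can she cut the Gordian knot in her work?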

English Allusions from Greek and Roman Mythology and the Bible [12]



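12. A Gordian Knot: a knot that is hard to undo; a hard problem; a difficulty

  A Gordian Knot translates literally as "the knot of Gordius".

  Gordius was king of Phrygia in Asia Minor; legend has it that he was originally a poor peasant. One day, while he was ploughing, a divine eagle descended from the sky and settled on the yoke of his cart, staying there a long time. Gordius drove the cart into the city to seek an oracle. At that time the old king of Phrygia had suddenly died, leaving the country without a ruler and in turmoil, so the people asked the oracle who should be king. The oracle said: "On the road to the temple of Zeus, the first man you meet riding in a cart is the new king." Just then Gordius was riding his ox-cart towards the temple of Zeus; the people saw the divine eagle standing majestically on the yoke, took it as a symbol of the holding of power, and unanimously acclaimed Gordius as king. After becoming king, Gordius dedicated the cart that symbolised his destiny to Zeus and placed it in the temple. With a rope he tied a very complicated tight knot, binding the yoke firmly to the shaft, and no one could undo it.

  Hence a Gordian knot is often used as a metaphor for a knot difficult or impossible to untie; the difficult problem or task.

  eg: We must try to solve the problem even if it is really a Gordian knot.

  The knot which you thought a Gordian one will untie itself before you.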

English Allusions from Greek and Roman Mythology and the Bible [10]


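11. A Procrustean Bed

  A Procrustean Bed translates literally as "the bed of Procrustes" and comes from an allusion in ancient Greek mythology.

  In the legend of Theseus, the founder of the Athenian state, there was a very cruel robber on the road from Megara to Athens called Damastes, nicknamed Procrustes. In Greek, Procrustes means "the stretcher" or "the tyrant". According to the Library of History compiled by the Greek historian Diodorus (Diodoros, c. 80-29 BC) in the 1st century BC, Procrustes ran a robbers' inn and waylaid passing travellers. He had specially set up two iron beds, one long and one short, and forced his guests to lie on them: the short were put in the long bed and their bodies stretched by force to match it; the tall were put in the short bed, and with a sharp axe he cut off the legs and feet that stuck out. Because of this peculiarly cruel method, people called him the "iron-bed bandit". Later the famous Greek hero Theseus, on his way to Athens to find his father, encountered the "iron-bed bandit" and defeated this highwayman. Paying him back in his own coin, Theseus forced the burly Procrustes to lie on the short bed and with one stroke cut off the lower limbs that stuck out beyond it, ridding the world of this scourge.

  Hence the idiom a Procrustean bed has remained in English, also as the Procrustes' bed or the bed of Procrustes, commonly used to mean an arrangement or plan that produces uniformity by violent and arbitrary measures. In its imagery it is much the same as the Chinese idioms "削足适履" (cutting the foot to fit the shoe) and "截趾穿鞋" (cutting off the toes to wear the shoe); it also resembles the colloquial expressions "使穿小鞋" (making someone wear tight shoes) and "强求一律" (forcing uniformity).

  eg: I didn't put forth the plan as a Procrustean bed, to which exact conformity is to be indispensable.

  Don't stretch the facts to fit the Procrustean bed.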

English Allusions from Greek and Roman Mythology and the Bible [9]



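9. Under the Rose: secretly; privately; on the quiet

  Under the rose translates literally as "beneath the rose", but actually means in secret; privately; confidentially. The outward form and the meaning seem to have nothing to do with each other. It comes from ancient Roman mythology and European custom.

  Cupid, the little god of love in Roman mythology, also known as Eros in Greek mythology, appears in literature and art as a small boy with wings on his back, who often roams the sky carrying a bow and arrows; whoever is struck by his golden arrow falls in love. Cupid is the son of Mars, god of war, and Venus, goddess of love and beauty. Venus, who is Aphrodite in Greek mythology, is said to have been born from the foam of the sea and is famed for her beauty; from Zeus to the gods of Olympus, all were captivated by her looks. There are many legends of her love affairs, and many European works of literature and art take Venus as their subject. To protect his mother's reputation, Cupid gave a bunch of roses to Harpocrates, the god of silence, asking him to keep his lips sealed and not spread word of Venus's amorous affairs. Having accepted the roses, Harpocrates kept silent, becoming a "god of silence" in the true sense of the name.

  The ancient Romans held Venus in great reverence, not only worshipping her as the goddess of love and beauty who presided over human love, marriage and childbirth, but also honouring her as goddess of the harvest and of gardening. The Roman ruler Caesar even traced the ancestry of the Romans back to Venus. Because of the above myth, the ancient Romans took the rose as a symbol of silence or strict secrecy, and the practice became a fashion in daily life. When people went visiting and saw a rose painted above the host's table, the guests understood that nothing said or done at that table was to be passed on. Thus the Latin idiom sub rosa, "under the rose", arose in the language. According to the Oxford English Dictionary, English under the rose derives from German unter der Rosen. In ancient Germany, the ceilings of banqueting halls, council rooms and inn dining rooms were often painted or carved with roses, to remind those present to keep their lips sealed, maintain strict secrecy, and not disclose what was said and done under the rose. This German idiom, current from the 15th to the 17th century, reflects the custom.

  At the height of the Roman Empire its power swept over almost the whole of Europe, and certain Roman cultural fashions spread into the countries of Europe along with its military might. The custom of the rose as a symbol of silence was therefore not confined to Germany.

  Under the rose is an adverbial idiom that modifies the verb in a sentence; its meaning varies slightly with the verb modified. For example: born under the rose, "illegitimate", "born out of wedlock"; do under the rose, "to carry on in secret".

  eg: The senator told me under the rose that there is to be a change in the cabinet.

  The matter was finally settled under the rose.

  Do what you like under the rose, but don't give a sign of what you're about...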

English Allusions from Greek and Roman Mythology and the Bible [8]


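8. Win/Gain Laurels: to win honour; to gain prestige

  Look to One's Laurels: to guard one's reputation; to keep one's record

  Rest on One's Laurels: to sit back and enjoy past glory; to live off past achievements

  The laurel is an ornamental evergreen tree with alternate leaves, lanceolate or oblong in shape, smooth and glossy; its flowers are yellowish and grow in umbels. Laurels refers to the "laurel wreath" woven from laurel leaves. The ancient Greeks and Romans wove laurel leaves into wreaths and presented them to outstanding poets or to victors in athletic contests as a reward and a mark of honour. The fashion gradually spread throughout Europe, and so laurels came to stand for victory, success and distinction.

  This European custom goes back a long way, as far as ancient Greek mythology. According to legend, Daphne, daughter of the river god Peneus, was graceful and extraordinarily beautiful. Apollo, the sun god, was captivated by her beauty and pursued her ardently, but Daphne loved another and always fled from the pursuit of the powerful sun god. One day the two met by the river; Daphne took to her heels at the sight of Apollo, and Apollo chased relentlessly after her. Exhausted from running, in desperation Daphne had to ask her father to turn her into a laurel tree. Apollo was deeply grieved and declared with boundless feeling: "May your leaves be green through all four seasons; adorn my head, adorn my lyre, and become the symbol of the highest honour." He carefully transplanted the laurel beside his own temple to be with it day and night, and wove its branches and leaves into a wreath to wear on his head, as a sign of his admiration for Daphne and his longing for her.

  Thus the ancient Greeks regarded the laurel as Apollo's sacred tree and called it "the Laurel of Apollo". At first they wove laurel branches and leaves into wreaths and awarded them to the winners of the foot race at the festival in honour of the sun god. Later, at the athletic contests held at Olympia, they gave laurel wreaths to the victors. The practice was handed down through the generations, and later Europeans used "laurels" as a title of honour.

  Because Apollo is the god of light, youth, music and poetry, Europeans also gave the laurel wreath, derived from "the Laurel of Apollo", to the most gifted poets, calling them "poets laureate". The first famous "poet laureate" was the Italian poet Petrarch (Francesco Petrarch, 1304-1374), a forerunner of humanism in the European Renaissance. His representative work, a collection of lyric poems, is entirely in sonnet form and consists of love poems the poet dedicated to Laura, the goddess of his heart (Petrarch loved Laura all his life, but Laura never knew), expressing his love for his beloved, describing the scenery of nature, and longing for the unification of his homeland. This collection, which has been called the West's "Three Hundred Poems", cannot be mentioned in the same breath as our own ancient Book of Songs, but it is nonetheless a treasure of world literature.

  English universities in the Middle Ages also conferred the title "poet laureate", but this was merely an honorary title, not the specific name of an office or academic rank as in the present sense.

  As a proper name, "the Poet Laureate" (also The Laureate) is the special title granted by the British royal house to its court poet; beginning with King James I of England (1566-1625) in the 17th century, it has continued to the present, a span of three centuries. Whoever receives the title of Poet Laureate may draw a court stipend, and on every royal celebration or official ceremony must write occasional verse to adorn and publicise the happy event, sing praises, and present a picture of peace and prosperity. In the 17th century, the first to be appointed Poet Laureate in England was John Dryden (1631-1700); he wrote for the aristocracy all his life and glorified the monarchy, but the "English couplet form" he created became one of the main forms of English poetry. In the three hundred years from 1670 to 1972 the British royal house appointed 17 Poets Laureate in succession. The longest-serving was the 19th-century romantic poet Alfred Tennyson (1809-1892), who held the title from 1850 until his death, 42 years in all, a "Poet Laureate for life". The most recent British Poet Laureate is John Benjamin. In fact, most of the so-called Poets Laureate have the name without the substance, and very few enjoy great fame in the history of English literature; it is like the "imperially appointed Zhuangyuan" (top examination graduate) of feudal China: in the nearly 1,000 years from AD 960 to 1904 (the 30th year of the Guangxu reign of the Qing, when the last imperial examination was held) there were 341 Zhuangyuan across the dynasties, of whom only a handful are famous in the history of Chinese literature.

  eg: Shakespeare won laurels in the dramatic world.

  The student gained laurels on the football field, as well as in his studies.

  Tom won the broad jump, but he had to look to his laurels.

  Getting an A in chemistry almost caused Mike to rest on his laurels.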

English Allusions from Greek and Roman Mythology and the Bible [7]



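7. Swan Song: a final masterpiece; a last work

  Swan Song translates literally as "the song of the swan" and comes from the Greek idiom Kykneion asma.

  The swan, called hu (鹄) in ancient China, is a rare and precious bird shaped like a goose but larger; it lives by the seashore and by lakes, swims and flies well, and is white all over. Hence the English idiom black swan, used as a metaphor for a rare person or thing, similar in meaning to the Chinese idiom "凤毛麟角" (phoenix feathers and unicorn horns).

  In ancient Greek mythology, Apollo is the sun god and god of light; being versatile, he is also the god of poetry and music, and later ages honoured him as patron god of the arts. The swan is Apollo's sacred bird, and so is often used as a metaphor for the arts. Legend has it that the swan does not sing in ordinary life, but before it dies it stretches its neck and sings one long song, mournful, beautiful and deeply moving. This is the only song of its life, and its last. The countries of the West therefore use this allusion for the last great work of a poet, writer or composer before death, or the last performance of an actor or singer, that is, a last or farewell appearance; the last work before death. Occasionally it can also refer to the last remnant of something.

  Swan Song is an ancient idiom with a long history. As early as the 6th century BC, the fables of the Greek fabulist Aesop (Aisopos) contain the saying that "the swan sings only when it is dying". The Roman statesman and writer Cicero (106-43 BC), in essays such as the Tusculan Disputations, used "the song of the swan" as a metaphor for a dying lament. In England, great poets and dramatists such as Chaucer and Shakespeare used this allusion. For example, Shakespeare's famous tragedy Othello portrays Emilia, who at the moment of life and death bravely steps forward to expose her husband's crimes. As she dies she compares herself to the swan, which sings only once in its life, at the end.

  eg: All the tickets have been sold for the singer's performance in London this week--the public clearly believes that this will be her swan song.

  The Tempest was W. Shakespeare's swan song in 1612.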

English Allusions from Greek and Roman Mythology and the Bible [6]



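6. A Penelope's Web, also The Web of Penelope: a deliberate delaying tactic; a task that is never finished

  A Penelope's Web or The Web of Penelope translates literally as "the weaving of Penelope"; the allusion comes from Book 2 of Homer's epic the Odyssey.

  The hero of this epic, Odysseus, was king of Ithaca, an island off the south-west of the Greek peninsula; he had a beautiful and faithful wife named Penelope. Odysseus went with the Greek allied army on the expedition against Troy; after ten years of hard fighting, the Greek warriors returned home in triumph one after another. Odysseus alone met with misfortune and drifted at sea for another 10 years on the way home, going through countless dangers, and it was widely rumoured that he had perished at sea or died in a foreign land. During the last three years of his wanderings, more than a hundred princes and young nobles from many places gathered at his house to ask for his wife's hand. To rid herself of the suitors' pestering, the steadfast Penelope thought up a delaying tactic: she announced that once she had finished weaving a cloth for her father-in-law's shroud, she would marry one of them. So by day she wove the cloth, and by night, by torchlight, she unpicked it. Weaving and unpicking, unpicking and weaving without end, she played for time, waiting for her husband to return. At last Odysseus came home, and husband, wife and son together killed one by one the suitors who had been feasting and misbehaving in his house, and the couple were finally reunited.

  Because of this story, the word Penelope in English has become a synonym for a chaste woman, and the phrase with a Penelope faith (steadfastly faithful) arose. The idiom A Penelope's Web stands for the tactics of delaying sth on purpose; the task that can never be finished.

  eg: Mr Jones made a long speech at the meeting. Everyone else thought it a Penelope's web.

  My work is something like the Penelope's web, never done, but ever in hand.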

English Allusions from Greek and Roman Mythology and the Bible [4]


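5. Greek Gift(s): a gift given with intent to harm; "the weasel pays a New Year's call", with no good intentions

  Greek Gift(s) translates literally as "the gift of the Greeks". It comes from the accounts of the fall of Troy in Homer's epic the Odyssey and in the Aeneid (Aeneis), the epic of the great Roman poet Virgil (Publius Virgilius Maro, 70-19 BC).

  According to Book 8 of the Odyssey, many Trojans debated what to do with the great wooden horse left by the Greeks: "They had three proposals: some argued for piercing the hollow horse with the pitiless bronze spear; some for hurling it onto the rocks; some for leaving it there as a monument to please the gods." In the end the last view prevailed and the wooden horse was dragged into the city, which brought about the ruin of the state.

  Virgil's epic the Aeneid tells how, after Troy was taken by the Greeks, the prince Aeneas fled from the chaos with his family and wandered in exile from place to place, reaching Italy by way of Sicily and Carthage. Book 2 of the epic is Aeneas's account of the fall of Troy; besides imitating the description in the Homeric epic, it adds more detail. When the Trojans were about to drag the great wooden horse into the city, the priest Laocoon urged them not to accept anything the Greeks had left behind. He said: "I fear the Greeks, even when they bring gifts." This later became a Latin proverb: "Timeo Danaos, et dona ferentes." (The Danaans, Danaos, of the original refers generally to the Greek tribes.) In English it is: I fear the Greeks, even when bringing gifts. Its shortened form is Greek Gifts. Alas, the Trojans did not heed Laocoon's warning and dragged the horse into the city as a trophy. Hidden in the horse were the Greeks' crack troops, who brought slaughter and destruction upon the Trojans. Thus Greek gift became an idiom meaning a gift with some sinister purposes of the enemy; one given with intent to harm; a gift sent in order to murder sb. In its imagery it corresponds to the English proverb When the fox preaches, take care of your geese, and is very similar to the Chinese "黄鼠狼给鸡拜年--不安好心" (the weasel pays a New Year's call on the hen, with no good intentions).

  eg: He is always buying you expensive clothes, I'm afraid they are Greek gifts for you.

  Comrades, be on guard against the Greek gifts!

  To meet Waterloo (to come to grief, to suffer a crushing blow, total disaster)

  Waterloo is where the mighty Napoleon suffered his crushing defeat. To meet one's Waterloo has unthinkable consequences for a person. No wonder that, so the story goes, during the Second World War, while the Normandy counter-offensive was being prepared, Winston Churchill and an aide were going through the rain to a meeting somewhere when the aide slipped on the wet road and fell, blurting out "To meet Waterloo!" Churchill at once thought of Napoleon's defeat at Waterloo and angrily rebuked him: "Nonsense! I am going to the Arc de Triomphe!"

  It's Greek to me. (I don't know)

  English people generally do not understand Greek. The literal translation is: to me this is Greek. Naturally it means not understanding.

  Greek Kalends (a humorous, jocular way of saying "never")

  Kalends is the first day of the Roman calendar. Ancient Greece did not use the Roman calendar and would never have such a day.

  Castle in Spain (a castle in Spain; a fantasy, a dream; equivalent to the Chinese "空中楼阁", a pavilion in the air)

  At one period in the Middle Ages, Spain was a country of considerable romantic colour; this idiom is as well known as Castle in air.

  Set the Thames on fire (to set the Thames on fire: what a great feat that would be)

  But this idiom is often used in the opposite sense, of people who merely boast about something without really intending to do it.

  From China to Peru

  Its meaning is very clear: from one side of the world to the other, equivalent to the Chinese "远隔重洋" (separated by vast oceans).

  Between Scylla and Charybdis (between two equally dangerous things: a person escapes one danger only to fall into another)

  Scylla is a legendary monster living on the rocks of Italy; Charybdis is another monster, living at one end of the strait, who constantly produces whirlpools. Sailors trying to avoid the harm of one would often fall into the disaster of the other. The cape on the Italian side is called Caenys, and the cape on the Sicilian side is called Pelorum.

  Spoil Egyptians (to plunder Egypt: to force the enemy to supply what one needs)

  From the Bible: God promised Moses that the Egyptians must lend the Israelites what they needed.

  Do in Rome as Romans Do (in Rome, do things the way the Romans do)

  It means the same as our "入乡随俗" (when entering a village, follow its customs).

  Carry Coals to Newcastle (to take coal to Newcastle)

  To send something to a place where people have no need of it at all. Newcastle is rich in coal; sending coal there is surely superfluous. Interestingly, French has a similar idiom, "de l'eau à la rivière" (carrying water to the river).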

English Allusions from Greek and Roman Mythology and the Bible [3]


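  3. Helen of Troy translates literally as "Helen of Troy" and comes from the Greek myth in Homer's epic the Iliad.

  Helen was the peerless beauty of Greece, matchlessly lovely, married to Menelaus, king of the city-state of Sparta in southern Greece. Later the Trojan prince Paris was sent on a mission to Greece and was a guest of the king of Sparta; with the help of Aphrodite, goddess of love and beauty, he took advantage of Menelaus's absence to lure Helen away, and carried off much treasure as well.

  This aroused the public indignation of all the Greek tribes, and Menelaus swore that he would win Helen back and take revenge or die. With the support of the heroes of the Greek city-states, an army of a hundred thousand men and 1,180 warships was mustered to form the Greek allied army, and Menelaus's elder brother Agamemnon was chosen by acclaim as commander-in-chief. In mighty array they crossed the sea eastwards to attack the city of Troy, seeking to win Helen back by force. The two sides fought for 10 years, with countless dead and wounded, and many heroes fell on the battlefield. Even the gods of Mount Olympus split into two camps, some supporting the Greeks and some helping the Trojans, and waged a prolonged and bitter struggle among themselves. In the end the Greek army adopted the "wooden horse stratagem" of the resourceful Odysseus (Odusseus) and, by attacking from without in concert with men within, finally took Troy. After entering the city the Greeks slaughtered freely; Prince Paris too was killed, and all the women and children of Troy were made slaves. The city was plundered bare and burned to ashes. When the war ended, the Greek warriors returned to Greece with great quantities of spoils, and Menelaus, having recovered the beautiful Helen, returned to his homeland. Such were the cause and the outcome of the Trojan War. It was because of Helen that Troy suffered the tragedy of destruction, truly a case of "倾国倾城" (beauty that topples cities and states), and from this arose the idiom Helen of Troy.

  The historical reality of the Trojan War has been confirmed by the 19th-century German archaeologist Schliemann through his excavation and study at Mycenae of the ruins of the ancient city of Troy. As for the real reason for Troy's destruction, opinions differ, but the war certainly did not break out over a beautiful woman; rather than being fought over Helen, it was fought for commercial supremacy in the region and for plunder. The so-called "Helen of Troy" is in essence the embodiment of wealth and commercial supremacy. Chinese history too has legends such as "Daji brought down the Shang" and "Xi Shi ruined Wu", as well as the stories that Emperor Minghuang of Tang brought on the An Lushan Rebellion by doting on Yang Guifei and that Wu Sangui "bristled with rage for the sake of a beauty". Chinese has the idiom "倾国倾城" (from the Book of Han, Biographies of the Imperial In-laws: "One glance topples a city; a second glance topples a state"). The character "倾" here is a pun: it can mean that the beauty is so extraordinary that people are bowled over, and it can also mean the overthrow of a state. Its meaning is very close to that of Helen of Troy.

  In modern English, the idiom Helen of Troy, besides meaning a beautiful girl or woman; a beauty who ruins her country, can also be used to mean a terrible disaster brought by sb or sth you like best.

  eg: It is unfair that historians always attribute the fall of kingdoms to Helen of Troy.

  She didn't think the beautiful umbrella bought the day before should become a Helen of Troy in her family. Because of this she and her husband quarreled for a long time.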

English Allusions from Greek and Roman Mythology and the Bible [2]



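2. The Heel of Achilles, also The Achilles' Heel: the one weak point; the weak link; the vulnerable spot

  The Heel of Achilles translates literally as "the heel of Achilles" and is an international idiom widely current in Europe. It comes from the Greek myth in Homer's epic the Iliad.

  Achilles was the bravest and most skilful warrior in the Greek allied army and one of the main characters of Homer's Iliad. Legend says he was the son of Peleus, king of the Greek Myrmidons, and Thetis, daughter of the sea god. After Achilles was born, his mother, wishing to make her son strong and immortal, tempered him in fire and, holding him by the heel, dipped him upside down in the sacred waters of the river Styx. Achilles's whole body thus became like steel and iron, proof against sword and spear; only the heel, held in his mother's hand, was not touched by the sacred water of the Styx, and it became his one vulnerable spot. In the Trojan War Achilles was matchlessly brave and swept all before him, killing the Trojan commander, the famous hero Hector, while no Trojan weapon could harm his body. Later the sun god Apollo told the Trojan prince Paris of Achilles's weak point; Achilles was finally lured by Paris to the city gate and shot in the heel with an arrow from hiding, and died of the wound.

  Hence the heel of Achilles, also called the Achilles' heel, is commonly used to mean a weak point in something that is otherwise without fault; the weakest spot.

  eg: The shortage of fortitude is his heel of Achilles.

  His Achilles' heel was his pride--he would get very angry if anyone criticized his work.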

English Allusions from Greek and Roman Mythology and the Bible --- 1



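  1. An Apple of Discord: the source of strife; the cause of discord; the root of trouble

  An Apple of Discord translates literally as "the apple of dispute" and comes from the Greek myth in Homer's epic the Iliad.

  Legend has it that the Greek Argonaut hero Peleus and Thetis, daughter of Nereus, sea god of the Aegean, held their wedding on Mount Pelion, with a great banquet.

  They invited the gods of Olympus to the wedding feast but, whether deliberately or not, the only one they failed to invite was Eris, the goddess of strife. Enraged at the slight, the goddess resolved to sow discord at the feast. So she came uninvited and quietly placed on the banquet table a golden apple engraved with the words "For the fairest". Hera, queen of heaven, Athena, goddess of wisdom, and Aphrodite, goddess of love and beauty, each considered herself the fairest and entitled to the golden apple and the title of "the fairest". Unable to settle the dispute, they took it to Zeus, father of the gods, but Zeus, for reasons he could not well speak of, was unwilling to favour any of them and told them to go to Paris, prince of Troy, for judgment. To win the golden apple, each of the three goddesses privately promised Paris some reward: Hera promised him vast lands and power over rich treasure, Athena promised him mastery of the arts of both peace and war and the glory of victory, and Aphrodite promised to make him husband of the most beautiful woman in the world. Between wealth, glory and a beautiful woman, the young Paris chose the last and awarded the golden apple to the goddess of love and beauty. For this Hera and Athena bore a grudge against Paris and by extension hated all the Trojans. Later, to keep her promise, Aphrodite helped Paris abduct Helen, the peerless beauty who was queen of Menelaus, king of Sparta, and so brought about the ten-year Trojan War. The apple thrown down by Eris, goddess of discord, thus became not only the root of discord among the 3 goddesses in heaven but also the cause of war between 2 peoples on earth. Hence the idiom an apple of discord arose in English, commonly used as a metaphor for any subject of disagreement and contention; the root of the trouble; dispute.

  This idiom was first used by the Roman historian Marcus Junianus Justinus in the 2nd century AD, and later spread widely into many European languages, becoming an international idiom.

  eg: He throwing us an apple of discord, we soon quarrelled again.

  The dispute about inheriting estate formed an apple of discord between them.

  This problem seems to be an apple of discord between the Soviet Union and the USA.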

Installing and Configuring SSL Support


http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html

What Is Secure Socket Layer Technology?

Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection. In this secure connection, the data that is being sent is encrypted before being sent and then is decrypted upon receipt and before processing. Both the browser and the server encrypt all traffic before sending any data. SSL addresses the following important security considerations.

  • Authentication: During your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. In some cases, the server may request a certificate that the client is who and what it claims to be (which is known as client authentication).
  • Confidentiality: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential.
  • Integrity: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.

To install and configure SSL support on your stand-alone web server, you need the following components. SSL support is already provided if you are using the Application Server. If you are using a different web server, consult the documentation for your product.

To verify that SSL support is enabled, see Verifying SSL Support.


Understanding Digital Certificates


Note: Digital certificates for the Application Server have already been generated and can be found in the directory <J2EE_HOME>/domains/domain1/config/. These digital certificates are self-signed and are intended for use in a development environment; they are not intended for production purposes. For production purposes, generate your own certificates and have them signed by a CA.


To use SSL, an application server must have an associated certificate for each external interface, or IP address, that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a "digital driver's license" for an Internet address. It states with which company the site is associated, along with some basic contact information about the site owner or administrator.

The digital certificate is cryptographically signed by its owner and is difficult for anyone else to forge. For sites involved in e-commerce or in any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority (CA) such as VeriSign or Thawte.

Sometimes authentication is not really a concern--for example, an administrator may simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection. In such cases, you can save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate.

SSL uses public key cryptography, which is based on key pairs. Key pairs contain one public key and one private key. If data is encrypted with one key, it can be decrypted only with the other key of the pair. This property is fundamental to establishing trust and privacy in transactions. For example, using SSL, the server computes a value and encrypts the value using its private key. The encrypted value is called a digital signature. The client decrypts the encrypted value using the server's public key and compares the value to its own computed value. If the two values match, the client can trust that the signature is authentic, because only the private key could have been used to produce such a signature.

Digital certificates are used with the HTTPS protocol to authenticate web clients. The HTTPS service of most web servers will not run unless a digital certificate has been installed. Use the procedure outlined later to set up a digital certificate that can be used by your web server to enable SSL.

One tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the J2SE SDK. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users or services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. For a better understanding of keytool and public key cryptography, read the keytool documentation at the following URL:

http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html



Creating a Server Certificate

A server certificate has already been created for the Application Server. The certificate can be found in the <J2EE_HOME>/domains/domain1/config/ directory. The server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates.

If necessary, you can use keytool to generate certificates. The keytool stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity. The default keystore implementation implements the keystore as a file. It protects private keys by using a password.

The keystores are created in the directory from which you run keytool. This can be the directory where the application resides, or it can be a directory common to many applications. If you don't specify the keystore file name, the keystores are created in the user's home directory.

To create a server certificate follow these steps:

  1. Create the keystore.
  2. Export the certificate from the keystore.
  3. Sign the certificate.
  4. Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate. An example using a trust-store for SSL-based mutual authentication is discussed in Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC.

Run keytool to generate the server keystore, which we will name keystore.jks. This step uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated using an algorithm of type RSA, with a default password of changeit. For more information on keytool options, see its online help at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.


Note: RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technology.


From the directory in which you want to create the keystore, run keytool with the following parameters.

  1. Generate the server certificate.

    <JAVA_HOME>\bin\keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

    When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code. Note that you must enter the server name in response to keytool's first prompt, in which it asks for first and last names. For testing purposes, this can be localhost. The host specified in the keystore must match the host identified in the host variable specified in the <INSTALL>/j2eetutorial14/examples/common/build.properties when running the example applications.

  2. Export the generated server certificate in keystore.jks into the file server.cer.

    <JAVA_HOME>\bin\keytool -export -alias server-alias -storepass changeit -file server.cer -keystore keystore.jks

  3. If you want to have the certificate signed by a CA, read Signing Digital Certificates for more information.
  4. To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool from the directory where you created the keystore and server certificate. Use the following parameters:

    <JAVA_HOME>\bin\keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

    Information on the certificate, such as that shown next, will display.

    <INSTALL>/j2eetutorial14/examples/gs 60% keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

    Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
    Issuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
    Serial number: 3e932169
    Valid from: Tue Apr 08
    Certificate fingerprints:
    MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90
    SHA1: EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:
    Trust this certificate? [no]:

  5. Enter yes, and then press the Enter or Return key. The following information displays:

    Certificate was added to keystore
    [Saving cacerts.jks]





To use SSL, an application server must have an associated certificate for each external interface, or IP address, that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a "digital driver's license" for an Internet address. It states with which company the site is associated, along with some basic contact information about the site owner or administrator.

The digital certificate is cryptographically signed by its owner and is difficult for anyone else to forge. For sites involved in e-commerce or in any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority (CA) such as VeriSign or Thawte.

Sometimes authentication is not really a concern--for example, an administrator may simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection. In such cases, you can save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate.

SSL uses public key cryptography, which is based on key pairs. Key pairs contain one public key and one private key. If data is encrypted with one key, it can be decrypted only with the other key of the pair. This property is fundamental to establishing trust and privacy in transactions. For example, using SSL, the server computes a value and encrypts the value using its private key. The encrypted value is called a digital signature. The client decrypts the encrypted value using the server's public key and compares the value to its own computed value. If the two values match, the client can trust that the signature is authentic, because only the private key could have been used to produce such a signature.

Digital certificates are used with the HTTPS protocol to authenticate web clients. The HTTPS service of most web servers will not run unless a digital certificate has been installed. Use the procedure outlined later to set up a digital certificate that can be used by your web server to enable SSL.

One tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the J2SE SDK. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users or services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. For a better understanding of keytool and public key cryptography, read the keytool documentation at the following URL:

http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

Creating a Server Certificate

A server certificate has already been created for the Application Server. The certificate can be found in the <J2EE_HOME>/domains/domain1/config/ directory. The server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates.

If necessary, you can use keytool to generate certificates. The keytool stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity. The default keystore implementation implements the keystore as a file. It protects private keys by using a password.

The keystores are created in the directory from which you run keytool. This can be the directory where the application resides, or it can be a directory common to many applications. If you don't specify the keystore file name, the keystores are created in the user's home directory.

To create a server certificate follow these steps:

  1. Create the keystore.
  2. Export the certificate from the keystore.
  3. Sign the certificate.
  4. Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate. An example using a trust-store for SSL-based mutual authentication is discussed in Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC.

Run keytool to generate the server keystore, which we will name keystore.jks. This step uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated using an algorithm of type RSA, with a default password of changeit. For more information on keytool options, see its online help at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.


Note: RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adleman, the inventors of the technology.


From the directory in which you want to create the keystore, run keytool with the following parameters.

  1. Generate the server certificate.

    <JAVA_HOME>\bin\keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

    When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code. Note that you must enter the server name in response to keytool's first prompt, in which it asks for first and last names. For testing purposes, this can be localhost. The host specified in the keystore must match the host identified in the host variable specified in the <INSTALL>/j2eetutorial14/examples/common/build.properties when running the example applications.

  2. Export the generated server certificate in keystore.jks into the file server.cer.

    <JAVA_HOME>\bin\keytool -export -alias server-alias -storepass changeit -file server.cer -keystore keystore.jks

  3. If you want to have the certificate signed by a CA, read Signing Digital Certificates for more information.
  4. To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool from the directory where you created the keystore and server certificate. Use the following parameters:

    <JAVA_HOME>\bin\keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

    Information on the certificate, such as that shown next, will display.

    <INSTALL>/j2eetutorial14/examples/gs 60% keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit
    Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
    Issuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
    Serial number: 3e932169
    Valid from: Tue Apr 08
    Certificate fingerprints:
    MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90
    SHA1: EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:
    Trust this certificate? [no]:

  5. Enter yes, and then press the Enter or Return key. The following information displays:

    Certificate was added to keystore
    [Saving cacerts.jks]

Signing Digital Certificates

After you've created a digital certificate, you will want to have it signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte.

As mentioned earlier, if authentication is not really a concern, you can save the time and expense involved in obtaining a CA certificate and simply use the self-signed certificate.

Using a Different Server Certificate with the Application Server

Follow the steps in Creating a Server Certificate, to create your own server certificate, have it signed by a CA, and import the certificate into keystore.jks.

Make sure that when you create the certificate, you follow these rules:

  • When you create the server certificate, keytool prompts you to enter your first and last name. In response to this prompt, you must enter the name of your server. For testing purposes, this can be localhost.
  • The server/host specified in the keystore must match the host identified in the host variable specified in the <INSTALL>/j2eetutorial14/examples/common/build.properties file for running the example applications.
  • Your key/certificate password in keystore.jks should match the password of your keystore, keystore.jks. This is a bug. If there is a mismatch, the Java SDK cannot read the certificate and you get a "tampered" message.
  • If you want to replace the existing keystore.jks, you must either change your keystore's password to the default password (changeit) or change the default password to your keystore's password:

To specify that the Application Server should use the new keystore for authentication and authorization decisions, you must set the JVM options for the Application Server so that they recognize the new keystore. To use a different keystore than the one provided for development purposes, follow these steps.

  1. Start the Application Server if you haven't already done so. Information on starting the Application Server can be found in Starting and Stopping the Application Server.
  2. Start the Admin Console. Information on starting the Admin Console can be found in Starting the Admin Console.
  3. Select Application Server in the Admin Console tree.
  4. Select the JVM Settings tab.
  5. Select the JVM Options tab.
  6. Change the following JVM options so that they point to the location and name of the new keystore. Their current settings are shown below:

    -Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks
    -Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks

  7. If you've changed the keystore password from its default value, you need to add the password option as well:

    -Djavax.net.ssl.keyStorePassword=your_new_password

  8. Log out of the Admin Console and restart the Application Server.
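
A pre-flight check for the rules above, added here as an example (it is not part of the tutorial or of the Application Server): it opens the replacement keystore.jks and cacerts.jks and reports a key password that differs from the store password, a CN that does not match the host, an expired certificate, or a certificate missing from the trust-store. The class name KeystoreCheck and its argument order are this example's own; it assumes both stores share one password, as in the tutorial's commands, and a JDK 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example, not tutorial code. Run interactively as:
//   java KeystoreCheck keystore.jks cacerts.jks server-alias localhost
public class KeystoreCheck {

    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            // Throws IOException if the store password is wrong or the file was altered.
            ks.load(in, storePass);
        }
        return ks;
    }

    // Returns the CN, which keytool fills from its "first and last name" prompt.
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    static List<String> check(KeyStore keys, KeyStore trust, char[] storePass,
                              String alias, String host) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!keys.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' has no private key entry");
            return problems;
        }
        try {
            // Rule: the key password must equal the keystore password.
            keys.getKey(alias, storePass);
        } catch (UnrecoverableKeyException e) {
            problems.add("key password differs from keystore password");
        }
        X509Certificate cert = (X509Certificate) keys.getCertificate(alias);
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            problems.add("certificate is expired or not yet valid: " + e.getMessage());
        }
        // Rule: the name in the certificate must match the configured host.
        String cn = commonName(cert);
        if (cn == null || !cn.equalsIgnoreCase(host)) {
            problems.add("certificate CN '" + cn + "' does not match host '" + host + "'");
        }
        // Self-signed flow from the tutorial: the same certificate must have been
        // imported into the trust-store. (For a CA-signed certificate the
        // trust-store holds the CA certificate instead, so this check would not apply.)
        if (trust.getCertificateAlias(cert) == null) {
            problems.add("certificate is not present in the trust-store");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 || System.console() == null) {
            System.err.println("usage (interactive): java KeystoreCheck "
                    + "<keystore> <truststore> <alias> <host>");
            System.exit(2);
        }
        // Prompt for the password so it does not appear in the process list.
        char[] pass = System.console().readPassword("Store password: ");
        KeyStore keys = load(args[0], pass);
        KeyStore trust = load(args[1], pass);
        List<String> problems = check(keys, trust, pass, args[2], args[3]);
        if (keys.containsAlias(args[2])) {
            System.out.println("SHA-256 fingerprint: "
                    + sha256Fingerprint((X509Certificate) keys.getCertificate(args[2])));
        }
        for (String p : problems) {
            System.out.println("PROBLEM: " + p);
        }
        Arrays.fill(pass, '\0');
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

A non-zero exit status means at least one rule is violated; fix it before changing the JVM options.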

Creating a Client Certificate for Mutual Authentication

This section discusses setting up client-side authentication. When both server-side and client-side authentication are enabled, it is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates that are issued by a certificate authority that you choose to accept. From the directory where you want to create the client certificate, run keytool as outlined here. When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code.


Note: You must enter the server name in response to keytool's first prompt, in which it asks for first and last names. For testing purposes, this can be localhost. The host specified in the keystore must match the host identified in the host variable specified in the <INSTALL>/j2eetutorial14/examples/common/build.properties file. If this example is to verify mutual authentication and you receive a runtime error stating that the HTTPS host name is wrong, re-create the client certificate, being sure to use the same host name that you will use when running the example. For example, if your machine name is duke, then enter duke as the certificate CN or when prompted for first and last names. When accessing the application, enter a URL that points to the same location--for example, https://duke:8181/mutualauth/hello. This is necessary because during SSL handshake, the server verifies the client certificate by comparing the certificate name and the host name from which it originates.


To create a keystore named client-keystore.jks that contains a client certificate named client.cer, follow these steps:

  1. Generate the client certificate.

    <JAVA_HOME>\bin\keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

  2. Export the generated client certificate into the file client.cer.

    <JAVA_HOME>\bin\keytool -export -alias client-alias -storepass changeit -file client.cer -keystore keystore.jks

  3. Add the certificate to the trust-store file <J2EE_HOME>/domains/domain1/config/cacerts.jks. Run keytool from the directory where you created the keystore and client certificate. Use the following parameters:

    <JAVA_HOME>\bin\keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore <J2EE_HOME>/domains/domain1/config/cacerts.jks -keypass changeit -storepass changeit

    The keytool utility returns this message:

    Owner: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
    Issuer: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
    Serial number: 3e39e66a
    Valid from: Thu Jan 30 18:58:50 PST 2003 until: Wed Apr 30 19:58:50 PDT 2003
    Certificate fingerprints:
    MD5: 5A:B0:4C:88:4E:F8:EF:E9:E5:8B:53:BD:D0:AA:8E:5A
    SHA1: 90:00:36:5B:E0:A7:A2:BD:67:DB:EA:37:B9:61:3E:26:B3:89:46:32
    Trust this certificate? [no]: yes
    Certificate was added to keystore

For an example application that uses mutual authentication, see Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC. For information on verifying that mutual authentication is running, see Verifying That Mutual Authentication Is Running.

Miscellaneous Commands for Certificates

To check the contents of a keystore that contains a certificate with an alias server-alias, use this command:

keytool -list -keystore keystore.jks -alias server-alias -v

To check the contents of the cacerts file, use this command:

keytool -list -keystore cacerts.jks

Using SSL

An SSL connector is preconfigured for the Application Server. You do not have to configure anything. If you are working with another application server, see its documentation for setting up its SSL connector.

Verifying SSL Support

For testing purposes, and to verify that SSL support has been correctly installed, load the default introduction page with a URL that connects to the port defined in the server deployment descriptor:

https://localhost:8181/ 

The https in this URL indicates that the browser should be using the SSL protocol. The localhost in this example assumes that you are running the example on your local machine as part of the development process. The 8181 in this example is the secure port that was specified where the SSL connector was created in Using SSL. If you are using a different server or port, modify this value accordingly.

The first time a user loads this application, the New Site Certificate or Security Alert dialog box displays. Select Next to move through the series of dialog boxes, and select Finish when you reach the last dialog box. The certificates will display only the first time. When you accept the certificates, subsequent hits to this site assume that you still trust the content.

Tips on Running SSL

The SSL protocol is designed to be as efficient as securely possible. However, encryption and decryption are computationally expensive processes from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and it is customary for a developer to decide which pages require a secure connection and which do not. Pages that might require a secure connection include login pages, personal information pages, shopping cart checkouts, or any pages where credit card information could possibly be transmitted. Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:. Any pages that absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https: is not specified.
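
One way to make a page enforce the protocol check described above, as an added example rather than code from the tutorial: a servlet filter that lets HTTPS requests through, redirects plain-HTTP GET and HEAD requests to the secure port, and refuses other methods. The class name and the init parameters secureHost and securePort are assumptions of this example; the redirect target is built from configuration, not from the request's Host header, so a forged header cannot steer the redirect elsewhere.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not tutorial code. Map this filter in web.xml to the URL
// patterns that must only be served over SSL (login, checkout, and so on).
public class RequireHttpsFilter implements Filter {

    private String secureHost; // e.g. localhost (hypothetical init-param "secureHost")
    private int securePort;    // e.g. 8181      (hypothetical init-param "securePort")

    public void init(FilterConfig cfg) throws ServletException {
        secureHost = cfg.getInitParameter("secureHost");
        String port = cfg.getInitParameter("securePort");
        if (secureHost == null || port == null) {
            throw new ServletException("secureHost and securePort must be configured");
        }
        try {
            securePort = Integer.parseInt(port);
        } catch (NumberFormatException e) {
            throw new ServletException("securePort is not a number: " + port);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() reports whether the request arrived over a secure channel.
        if (request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A request body has already crossed the network unencrypted;
            // reject it instead of silently redirecting and processing it.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        response.sendRedirect(buildSecureUrl(secureHost, securePort,
                request.getRequestURI(), request.getQueryString()));
    }

    // Builds the https: URL from configured host and port plus the requested path.
    static String buildSecureUrl(String host, int port, String uri, String query) {
        StringBuilder url = new StringBuilder("https://").append(host);
        if (port != 443) {
            url.append(':').append(port);
        }
        url.append(uri);
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    public void destroy() {
        // nothing to release
    }
}
```

The declarative equivalent is a security constraint in web.xml whose transport-guarantee is CONFIDENTIAL, which asks the container to perform the same check.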

Using name-based virtual hosts on a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined before authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server's domain name against the domain name listed in the certificate, if any (this is applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client. In general, only address-based virtual hosts are commonly used with SSL in a production environment.

Enabling Mutual Authentication over SSL

This section discusses setting up client-side authentication. As mentioned earlier, when both server-side and client-side authentication are enabled, it is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates that are issued by a certificate authority that you choose to accept. If you regulate it through the application (via the Client-Certificate authentication requirement), the check is performed when the application requires client authentication. You must enter the keystore location and password in the web server configuration file to enable SSL, as discussed in Using SSL.

Here are two ways to enable mutual authentication over SSL:

  • PREFERRED: Set the method of authentication to Client-Certificate using deploytool. This enforces mutual authentication by modifying the deployment descriptor of the given application. By enabling client authentication in this way, client authentication is enabled only for a specific resource controlled by the security constraint. Setting client authentication in this way is discussed in Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC.
  • RARELY: Set the clientAuth property in the certificate realm to true. To do this, follow these steps:
    1. Start the Application Server if you haven't already done so. Information on starting the Application Server can be found in Starting and Stopping the Application Server.
    2. Start the Admin Console. Information on starting the Admin Console can be found in Starting the Admin Console.
    3. In the Admin Console tree, expand Configuration, expand Security, then expand Realms, and then select certificate. The certificate realm is used for all transfers over HTTP with SSL.
    4. Select Add to add the property of clientAuth to the server. Enter clientAuth in the Name field, and enter true in the Value field.
    5. Click Save to save these new properties.
    6. Log out of the Admin Console.

When client authentication is enabled in both of these ways, client authentication will be performed twice.

Verifying That Mutual Authentication Is Running

You can verify that mutual authentication is working by obtaining debug messages. This should be done at the client end, and this example shows how to pass a system property in targets.xml so that targets.xml forks a client with javax.net.debug in its system properties, which could be added in a file such as <INSTALL>/j2eetutorial14/examples/security/common/targets.xml.

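To enable debug messages for SSL mutual authentication, pass the system property javax.net.debug=ssl,handshake, which will provide information on whether or not mutual authentication is working. The following example modifies the run-mutualauth-client target from the <INSTALL>/j2eetutorial14/examples/security/common/targets.xml file by adding the javax.net.debug sysproperty element (parts of the target that are not shown are marked with ...):

<target name="run-mutualauth-client"
    description="Runs a client with mutual authentication over SSL">
  <java fork="yes" ...>
    ...
    <sysproperty key="javax.net.debug" value="ssl,handshake" />
    <sysproperty key="javax.net.ssl.keyStore" value="${key.store}" />
    <sysproperty key="javax.net.ssl.keyStorePassword" value="${key.store.password}"/>
    ...
  </java>
</target>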



Friday, November 13, 2009

Hibernate


http://wiki.springside.org.cn/display/calvin/DataBase+Access

mysql ini 5.1



# MySQL Server Instance Configuration File
# ----------------------------------------------------------------------
# Generated by the MySQL Server Instance Configuration Wizard
#
#
# Installation Instructions
# ----------------------------------------------------------------------
#
# On Linux you can copy this file to /etc/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options
# (@localstatedir@ for this installation) or to
# ~/.my.cnf to set user-specific options.
#
# On Windows you should keep this file in the installation directory
# of your server (e.g. C:\Program Files\MySQL\MySQL Server X.Y). To
# make sure the server reads the config file use the startup option
# "--defaults-file".
#
# To run the server from the command line, execute this in a
# command line shell, e.g.
# mysqld --defaults-file="C:\Program Files\MySQL\MySQL Server X.Y\my.ini"
#
# To install the server as a Windows service manually, execute this in a
# command line shell, e.g.
# mysqld --install MySQLXY --defaults-file="C:\Program Files\MySQL\MySQL Server X.Y\my.ini"
#
# And then execute this in a command line shell to start the server, e.g.
# net start MySQLXY
#
#
# Guidelines for editing this file
# ----------------------------------------------------------------------
#
# In this file, you can use all long options that the program supports.
# If you want to know the options a program supports, start the program
# with the "--help" option.
#
# More detailed information about the individual options can also be
# found in the manual.
#
#
# CLIENT SECTION
# ----------------------------------------------------------------------
#
# The following options will be read by MySQL client applications.
# Note that only client applications shipped by MySQL are guaranteed
# to read this section. If you want your own MySQL client program to
# honor these values, you need to specify it as an option during the
# MySQL client library initialization.
#
[client]

port=3306

[mysql]

default-character-set=utf8


# SERVER SECTION
# ----------------------------------------------------------------------
#
# The following options will be read by the MySQL Server. Make sure that
# you have installed the server correctly (see above) so it reads this
# file.
#
[mysqld]

# The TCP/IP Port the MySQL Server will listen on
port=3306


#Path to installation directory. All paths are usually resolved relative to this.
basedir="C:/Tools/mysql5.1/"

#Path to the database root
datadir="C:/Tools/mysql5.1/data/Data/"

# The default character set that will be used when a new schema or table is
# created and no character set is defined
default-character-set=utf8

# The default storage engine that will be used when create new tables when
default-storage-engine=INNODB

# Set the SQL mode to strict
sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

# The maximum amount of concurrent sessions the MySQL server will
# allow. One of these connections will be reserved for a user with
# SUPER privileges to allow the administrator to login even if the
# connection limit has been reached.
max_connections=100

# Query cache is used to cache SELECT results and later return them
# without actual executing the same query once again. Having the query
# cache enabled may result in significant speed improvements, if you
# have a lot of identical queries and rarely changing tables. See the
# "Qcache_lowmem_prunes" status variable to check if the current value
# is high enough for your load.
# Note: In case your tables change very often or if your queries are
# textually different every time, the query cache may result in a
# slowdown instead of a performance improvement.
query_cache_size=0

# The number of open tables for all threads. Increasing this value
# increases the number of file descriptors that mysqld requires.
# Therefore you have to make sure to set the amount of open files
# allowed to at least 4096 in the variable "open-files-limit" in
# section [mysqld_safe]
table_cache=256

# Maximum size for internal (in-memory) temporary tables. If a table
# grows larger than this value, it is automatically converted to disk
# based table. This limitation is for a single table. There can be many
# of them.
tmp_table_size=18M


# How many threads we should keep in a cache for reuse. When a client
# disconnects, the client's threads are put in the cache if there aren't
# more than thread_cache_size threads from before. This greatly reduces
# the amount of thread creations needed if you have a lot of new
# connections. (Normally this doesn't give a notable performance
# improvement if you have a good thread implementation.)
thread_cache_size=8

#*** MyISAM Specific options

# The maximum size of the temporary file MySQL is allowed to use while
# recreating the index (during REPAIR, ALTER TABLE or LOAD DATA INFILE).
# If the file-size would be bigger than this, the index will be created
# through the key cache (which is slower).
myisam_max_sort_file_size=100G

# If the temporary file used for fast index creation would be bigger
# than using the key cache by the amount specified here, then prefer the
# key cache method. This is mainly used to force long character keys in
# large tables to use the slower key cache method to create the index.
myisam_sort_buffer_size=35M

# Size of the Key Buffer, used to cache index blocks for MyISAM tables.
# Do not set it larger than 30% of your available memory, as some memory
# is also required by the OS to cache rows. Even if you're not using
# MyISAM tables, you should still set it to 8-64M as it will also be
# used for internal temporary disk tables.
key_buffer_size=25M

# Size of the buffer used for doing full table scans of MyISAM tables.
# Allocated per thread, if a full scan is needed.
read_buffer_size=64K
read_rnd_buffer_size=256K

# This buffer is allocated when MySQL needs to rebuild the index in
# REPAIR, OPTIMIZE, ALTER table statements as well as in LOAD DATA INFILE
# into an empty table. It is allocated per thread so be careful with
# large settings.
sort_buffer_size=256K


#*** INNODB Specific options ***
innodb_data_home_dir="C:/Tools/mysql5.1/data/innodb/"

# Use this option if you have a MySQL server with InnoDB support enabled
# but you do not plan to use it. This will save memory and disk space
# and speed up some things.
#skip-innodb

# Additional memory pool that is used by InnoDB to store metadata
# information. If InnoDB requires more memory for this purpose it will
# start to allocate it from the OS. As this is fast enough on most
# recent operating systems, you normally do not need to change this
# value. SHOW INNODB STATUS will display the current amount used.
innodb_additional_mem_pool_size=2M

# If set to 1, InnoDB will flush (fsync) the transaction logs to the
# disk at each commit, which offers full ACID behavior. If you are
# willing to compromise this safety, and you are running small
# transactions, you may set this to 0 or 2 to reduce disk I/O to the
# logs. Value 0 means that the log is only written to the log file and
# the log file flushed to disk approximately once per second. Value 2
# means the log is written to the log file at each commit, but the log
# file is only flushed to disk approximately once per second.
innodb_flush_log_at_trx_commit=1

# The size of the buffer InnoDB uses for buffering log data. As soon as
# it is full, InnoDB will have to flush it to disk. As it is flushed
# once per second anyway, it does not make sense to have it very large
# (even with long transactions).
innodb_log_buffer_size=1M

# InnoDB, unlike MyISAM, uses a buffer pool to cache both indexes and
# row data. The bigger you set this the less disk I/O is needed to
# access data in tables. On a dedicated database server you may set this
# parameter up to 80% of the machine physical memory size. Do not set it
# too large, though, because competition of the physical memory may
# cause paging in the operating system. Note that on 32bit systems you
# might be limited to 2-3.5G of user level memory per process, so do not
# set it too high.
innodb_buffer_pool_size=47M

# Size of each log file in a log group. You should set the combined size
# of log files to about 25%-100% of your buffer pool size to avoid
# unneeded buffer pool flush activity on log file overwrite. However,
# note that a larger logfile size will increase the time needed for the
# recovery process.
innodb_log_file_size=24M

# Number of threads allowed inside the InnoDB kernel. The optimal value
# depends highly on the application, hardware as well as the OS
# scheduler properties. A too high value may lead to thread thrashing.
innodb_thread_concurrency=8

Thursday, November 12, 2009

How to install, configure and start the portable (no-install) version of MySQL


1、解压 mysql-noinstall-5.1.30-win32.zip
2、在 F 盘建立目录 MySql\MySqlServer5.1\
3、把解压的内容复制到 F:\MySql\MySqlServer5.1\
4、在 F:\MySql\MySqlServer5.1\ 中找 my-large.ini 把它复制成 my.ini
5、在 my.ini 中找 [mysqld] ,添加以下语句;

basedir="F:/MySql/MySqlServer5.1/"
datadir="F:/MySql/MySqlServer5.1/data/"
default-character-set=latin1 #utf8
default-storage-engine=innodb
max_allowed_packet =12M

#skip-networking #// 这句会忽略网络登陆
#bind-address=192.168.0.72 #// 如果加上这句 localhost 就用不了 只要改 user 表的 127.0.0.1 为 % 重启服务 就可以远程登陆

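6. Install the no-install edition of MySQL_Administrator_1.2: unzip mysql-gui-tools-noinstall-5.0-r14-win32.zip to F:\MySql\MySQL GUI Tools 5.0
6.5. You can try starting the MySql server by hand and logging in with MySQL_Administrator_1.2 and with the console:
  1. Start the server manually: cmd --> F:\MySql\MySqlServer5.1\bin\mysqld --console
     You will see:
     InnoDB: The first specified datafile c:\ibdata\ibdata1 did not exist:
     InnoDB: a new database to be created!
     InnoDB: Setting file c:\ibdata\ibdata1 size to 209715200
     InnoDB: Database physically writes the file full: wait...
     (this wait is long) and finally:
     mysqld: ready for connections
     Version: '5.1.2-alpha' socket: '' port: 3306
     This means the MySql service has started and you can log in. At this point the login name is root, the password is empty, and the IP address can only be localhost or 127.0.0.1, because
     root's privileges currently allow local login only and not remote login. Logging in on the local machine with the machine's own IP address is treated by MySql as a remote login, so it fails with error 1130.
  2. Log in with MySQL_Administrator_1.2: go to F:\MySql\MySQL GUI Tools 5.0\ and run MySQLAdministrator.exe,
     then enter localhost or 127.0.0.1, port 3306, user root and an empty password.
  3. Log in with the console: cmd --> f:\MySql\MySqlServer5.1\bin\mysql -u root -p
     The password is empty.
     To select a database at login, write: f:\MySql\MySqlServer5.1\bin\mysql -u root -p[password] [database name]
     Example for the current state: f:\MySql\MySqlServer5.1\bin\mysql -u root -p mysql means the password is empty and the database logged in to is mysql
  4. Change root's password, allow root to log in remotely, add a new user
     Change root's password: in the console, after logging in, enter
     use mysql
     update user set Password=PASSWORD('[password]') where user='root';
     Allow root to log in remotely: in the console, after logging in, enter
     use mysql
     update user set Host='%' where user='root' and Host='127.0.0.1';
     Add a new user named gary with an empty password, the same privileges as root, and remote login allowed: in the console, after logging in, enter
     GRANT ALL PRIVILEGES ON *.* TO 'gary'@'%';
     If the user should not be able to log in remotely: GRANT ALL PRIVILEGES ON *.* TO 'gary'@'localhost';
     Then change gary's password with the method above, replacing root with gary
  5. Stop the MySql service by hand: cmd --> F:\MySql\MySqlServer5.1\bin\mysqladmin -u root shutdown
     If the MySQL root account has a password, run F:\MySql\MySqlServer5.1\bin\mysqladmin -u root -p shutdown instead and enter the password when prompted.

Note: after changing a password, changing whether remote login is allowed, or adding a user, the MySql service must be restarted for the change to take effect!
Note: users in the MySQL privilege system are completely independent of Windows login users.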

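7. Add the MySql service to the Windows services:
  1. Simple method: cmd --> F:\MySql\MySqlServer5.1\bin\mysqld --install   This adds a Windows service under the default name MySQL.
     The properties of the service then read: F:\MySql\MySqlServer5.1\bin\mysqld MySQL
  2. Adding the service with a chosen service name and a chosen startup option file:
     F:\MySql\MySqlServer5.1\bin\mysqld --install LevelDBServer --defaults-file=F:\MySql\MySqlServer5.1\my.ini
     This creates a Windows service named LevelDBServer and makes F:\MySql\MySqlServer5.1\my.ini the option file MySql starts with

If the service name given after the --install option in the service-install command is not the default service name (MySQL), options are read from the group that has the same name as the service, and from the standard option files.
The server also reads options from the [mysqld] group of the standard option files. You can use the [mysqld] group for options that apply to all MySQL services, and the group named after a service for the server that runs under that service name.

In this command, the default service name (MySQL) is given after the --install option. If the --defaults-file option is not given, the command has the server read the [mysqld] group of the standard option files.
Because the --defaults-file option is provided, the server reads options only from the [mysqld] group of the named file.

Note: adding the service does not start it. It starts when the computer is restarted; to start and stop the MySql service by hand use:
cmd --> NET START MySQL or NET START LevelDBServer , NET STOP MySQL or NET STOP LevelDBServer

8. Test the MySQL installation
The following commands test whether the MySQL server is working:
C:\> F:\MySql\MySqlServer5.1\bin\mysqlshow
C:\> F:\MySql\MySqlServer5.1\bin\mysqlshow -u root mysql
C:\> F:\MySql\MySqlServer5.1\bin\mysqladmin version status proc
C:\> F:\MySql\MySqlServer5.1\bin\mysql test
If mysqld is slow to answer TCP/IP connections from client programs, DNS may be the cause. In that case start mysqld with the --skip-name-resolve option and use only localhost and IP numbers in the Host column of the MySQL grant tables.
The --pipe or --protocol=PIPE option forces a MySQL client to use a named-pipe connection instead of TCP/IP, as does specifying . (period) as the host name. Use the --socket option to specify the pipe name.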
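
An added example (Python, not part of the original post) that audits the outcome of the steps above: it reads the [mysqld] group of a my.ini to decide whether the server listens on the network, then flags mysql.user rows with an empty password or a remotely reachable root. The sample my.ini text, the account rows and the hash value are constructed for illustration.

```python
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def mysqld_options(ini_text):
    """Options of the [mysqld] group; MySQL treats '-' and '_' in names alike."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None,
                                   delimiters=("=",), inline_comment_prefixes=("#",))
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("_", "-"): (v or "").strip('"') for k, v in cp.items("mysqld")}

def tcp_exposure(opts):
    """'none' if TCP is disabled, 'loopback' if bound locally, else 'network'."""
    if "skip-networking" in opts:
        return "none"
    if opts.get("bind-address") in LOCAL_HOSTS:
        return "loopback"
    return "network"  # without bind-address mysqld listens on all interfaces

def audit_accounts(rows, exposure):
    """rows: (Host, User, Password) tuples from mysql.user -> list of findings."""
    findings = []
    for host, user, password in rows:
        # '%' and any other non-local Host value admits remote clients
        reachable = host not in LOCAL_HOSTS and exposure == "network"
        account = f"'{user}'@'{host}'"
        if not password:
            level = "CRITICAL" if reachable else "HIGH"
            findings.append((level, account, "empty password"))
        if reachable and user == "root":
            findings.append(("HIGH", account, "root accepted from remote hosts"))
    return findings

# Constructed sample: [mysqld] lines from step 5, accounts as left by step 6.5.
SAMPLE_INI = "\n".join([
    "[mysqld]",
    'basedir="F:/MySql/MySqlServer5.1/"',
    "default-character-set=latin1 #utf8",
    "max_allowed_packet =12M",
    "#skip-networking",
])
SAMPLE_ROWS = [
    ("localhost", "root", "*CONSTRUCTED-HASH"),
    ("%", "root", "*CONSTRUCTED-HASH"),
    ("%", "gary", ""),
]

if __name__ == "__main__":
    exposure = tcp_exposure(mysqld_options(SAMPLE_INI))
    for finding in audit_accounts(SAMPLE_ROWS, exposure):
        print(*finding)
```

On a live server the rows would come from SELECT Host, User, Password FROM mysql.user, the table the steps above modify.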

my.ini configuration settings

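/etc/mysql/my.cnf on Linux (my.ini on Windows)

Under [client] add:
default-character-set=utf8 (sets the default character set to utf8)
Under [mysqld] add:
default-character-set=utf8 (sets the default character set to utf8)
#character-set-server=utf8
collation-server=utf8_general_ci
init_connect='set collation_connection=utf8_general_ci'
init_connect='set names utf8' (makes connections to the mysql database use utf8 encoding, so that the database runs in utf8;
note that this parameter is ignored when the connecting user belongs to the superuser group, which prevents the parameter from causing a fatal database error that would leave no user able to connect and fix the setting)

After making the changes, restart mysql and check the result with show variables like 'character%';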
+--------------------------+----------------------------+
| Variable_name | Value |
+--------------------------+----------------------------+
| character_set_client | utf8 |
| character_set_connection | utf8 |
| character_set_database | utf8 |
| character_set_filesystem | binary |
| character_set_results | utf8 |
| character_set_server | utf8 |
| character_set_system | utf8 |
| character_sets_dir | /usr/share/mysql/charsets/ |

Tuesday, November 10, 2009

XML Schema Standards Library


http://schemas.liquid-technologies.com/

Understanding SOAP


http://msdn.microsoft.com/zh-cn/library/ms995800%28classic%29.aspx


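Understanding SOAP
Published: 4/1/2004 | Updated: 4/1/2004

Aaron Skonnard

DevelopMentor

March 2003

Applies to:

  • Global XML Web Services Architecture (GXA)

  • Remote procedure calls (RPC)

  • SOAP 1.1 and SOAP 1.2 specifications

  • Transport protocols: TCP, HTTP, SMTP and MSMQ

  • Web Services Enhancements 1.0 SP1 for Microsoft .NET

  • XML Schema

Summary: SOAP provides a simple, extensible and rich XML messaging framework for defining higher-level application protocols that offer increased interoperability in distributed, heterogeneous environments. (20 printed pages)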

On this page

Introduction
SOAP Versions
Messaging Framework
Extensibility
Processing Model
Protocol Bindings
HTTP Binding
RPC and Encoding
SOAP Styles
Summary

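Introduction

Not long ago, SOAP meant nothing more than soap. Today most developers picture angle brackets the moment they hear the word. SOAP originally stood for "Simple Object Access Protocol". If you had asked anyone what SOAP meant a few years ago, they would probably have answered: "SOAP is for making DCOM and Corba (e.g., RPC calls) work over the Internet". The original authors admit that they were focused on "accessing objects" back then, but over time people wanted SOAP to handle a broader range of situations. The focus of the SOAP specification therefore quickly moved away from objects toward a general XML messaging framework.

This shift in focus creates a slight problem for the "O" in the SOAP acronym. Interestingly, the SOAP 1.2 Working Group has kept (so far) the name SOAP (why not? the word is so popular) but decided not to spell it out any more, to avoid misleading developers. Today the official definition in the most recent SOAP 1.2 specification does not mention objects:

SOAP is a lightweight protocol for exchanging structured information in a decentralized, distributed environment. SOAP uses XML technologies to define an extensible messaging framework, which provides a message construct that can be exchanged over a variety of underlying protocols. The framework has been designed to be independent of any particular programming model and other implementation-specific semantics.

This definition really captures what SOAP is about today. SOAP defines a way to move XML messages from point A to point B (see Figure 1). It does this by providing an XML-based messaging framework that is 1) extensible, 2) usable over a variety of underlying networking protocols, and 3) independent of programming models. Each of these three characteristics is discussed in more detail below.

Figure 1. Simple SOAP messaging

First, SOAP extensibility is key. Back when the acronym still stood for something, the "S" meant "Simple". If there is one thing we have learned from the Web, it is that simplicity always wins over efficiency and technical purity, and when interoperability is at stake, simplicity is an absolute requirement. Simplicity remains one of SOAP's primary design goals, as evidenced by SOAP's lack of many distributed-system features (such as security, routing and reliability). SOAP defines a communication framework that allows these features to be added over time as layered extensions. Microsoft, IBM and other software vendors are actively developing a common suite of SOAP extensions that will add the features most developers expect. This initiative is called the Global XML Web Services Architecture (GXA). Microsoft has already released a reference implementation of several GXA specifications, named Web Services Enhancements 1.0 SP1 for Microsoft .NET (WSE).

Second, SOAP can be used over any transport protocol, such as TCP, HTTP, SMTP, or even MSMQ (see Figure 1). To maintain interoperability, however, standard protocol bindings need to be defined that outline the rules for each environment. The SOAP specification provides a flexible framework for defining arbitrary protocol bindings, and because HTTP is so widely used, it already provides an explicit binding for HTTP.

Third, SOAP allows any programming model and is not tied to RPC. Most developers immediately equate SOAP with making RPC calls on distributed objects (since SOAP was originally about "accessing objects"), but in fact the fundamental SOAP model is closer to traditional messaging systems such as MSMQ. SOAP defines a model for processing individual, one-way messages. You can combine multiple messages into an overall message exchange. Figure 1 illustrates a simple one-way message, where the sender receives no response. The receiver can, however, send a response back to the sender (see Figure 2). SOAP allows any number of message exchange patterns (MEPs), of which request/response is just one. Other examples include solicit/response (the reverse of request/response), notifications, and long-running peer-to-peer conversations.

Figure 2. Request/response message exchange pattern

Developers often confuse request/response with RPC, when in fact the two differ considerably. RPC uses request/response, but request/response is not necessarily RPC. RPC is a programming model that lets developers work with method calls. RPC requires translating the method signature into SOAP messages. Given the popularity of RPC, SOAP outlines a convention for using RPC with SOAP (see the RPC and Encoding section later in this article).

With these three major characteristics, the SOAP messaging framework facilitates the exchange of XML messages in heterogeneous environments, where interoperability has long been a major challenge.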

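SOAP Versions

From the first published SOAP specification to today's widely implemented SOAP 1.1, much has changed, from minute details to major shifts in thinking. SOAP 1.1 was submitted to the W3C and published as a Note in May 2000. Because SOAP 1.1 has not gone through the rigor of the W3C process, its "W3C Note" status leaves it at the level of merely a good idea, whereas completing that process is what finally leads to "Recommendation" status. Nevertheless, because SOAP 1.1 is so widely supported today by vendors large and small, it is still considered a de facto standard.

The W3C used the SOAP 1.1 Note as the basis for the new XML Protocol Working Group, which is charged with producing the next version of SOAP, currently named SOAP 1.2. SOAP 1.2 is currently a "Candidate Recommendation", which means it is in the implementation stage and not far from being finalized. Once SOAP 1.2 becomes a "Recommendation", it will most likely gain vendor support quickly.

After SOAP 1.2 is released, vendors should continue to support SOAP 1.1 for backward compatibility. SOAP versioning is based on XML namespaces. SOAP 1.1 is identified by the http://schemas.xmlsoap.org/soap/envelope/ namespace, while SOAP 1.2 is identified by the http://www.w3.org/2002/12/soap-envelope namespace (although this too will change when it becomes a Recommendation).

See Table 1 for the namespace names and specification locations of each version. The rest of this article covers the most important aspects of SOAP 1.1. For the complete list of changes between the two versions, see the current SOAP 1.2 specification.

Table 1. SOAP version information

  • SOAP 1.1

  • Namespace name

  • Specification location

  • SOAP 1.2

  • Namespace name

  • Specification location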

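Messaging Framework

The core of the SOAP specification is the messaging framework. The SOAP messaging framework defines a suite of XML elements for "packaging" arbitrary XML messages for transport between systems.

The framework consists of the following core XML elements: Envelope, Header, Body and Fault, all of which come from the http://schemas.xmlsoap.org/soap/envelope/ namespace in SOAP 1.1. The complete XML Schema definition for SOAP 1.1 is given in the following listing for reference while reading on. Personally, I find it helpful to inspect the schema whenever I familiarize myself with XML constructs.

SOAP 1.1 XML Schema definition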

[Schema listing: the markup is missing from this copy. The surviving declarations bind the tns prefix and the targetNamespace to http://schemas.xmlsoap.org/soap/envelope/.]

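If you inspect the complexType definition for Envelope, you can quickly see how these elements relate to each other. The following message template illustrates the structure of a SOAP Envelope: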

  xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">







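The Envelope element is always the root element of a SOAP message. This makes it easy for applications to identify "SOAP messages": they only need to check the name of the root element. By inspecting the namespace of the Envelope element, applications can also determine which version of SOAP is in use.

The Envelope element contains an optional Header element (see the Extensibility section for details), followed by a mandatory Body element. The Body element represents the payload of the message. It is a generic container in that it can hold any number of elements from any namespace. This is ultimately where the data you are trying to send goes.

For example, the following SOAP message represents a request to transfer funds between bank accounts: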

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">


22-342439
98-283843
100.00



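If the receiver supports request/response and is able to process the message successfully, it should send another SOAP message back to the original sender. In that case the response information is also contained in the Body element, as in the following example: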

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

xmlns:x="urn:examples-org:banking">


22-342439
33.45


98-283843
932.73





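The messaging framework also defines an element named Fault for representing errors within the Body element when things go wrong. This is essential, because without a standard error representation every application would have to invent its own, making it impossible for generic infrastructure to tell success from failure. The following sample SOAP message contains a Fault element indicating that an "Insufficient Funds" error occurred while processing the request: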

 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">


soap:Server
Insufficient funds


22-342439
100.00
89.23





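The Fault element must contain a faultcode followed by a faultstring element. The faultcode element classifies the error using a namespace-qualified name, while the faultstring element provides a human-readable explanation of the error (similar to how HTTP works). Table 2 briefly describes the fault codes defined by SOAP 1.1 (all of which are in the http://schemas.xmlsoap.org/soap/envelope/ namespace).

The Fault element may also contain a detail element that provides details about the error, which can help clients diagnose the problem, especially in the case of the Client and Server fault codes.

Table 2. SOAP 1.1 fault codes

Name: Meaning

  • VersionMismatch: The processing party found that the namespace of the SOAP Envelope element was invalid.

  • MustUnderstand: The processing party did not understand or obey an immediate child element of the SOAP Header element that carried a SOAP mustUnderstand attribute with a value of "1".

  • Client: The Client class of errors indicates that the message was incorrectly formed or did not contain the appropriate information, and so could not succeed. It generally indicates that the message should not be resent without change.

  • Server: The Server class of errors indicates that the message could not be processed for reasons not directly related to the contents of the message but rather to the processing of the message. For example, processing could include communicating with an upstream processor that did not respond. The message may succeed if resent later.

Now suppose you want to add some authentication information to the original message so that the receiver can determine whether the sender has sufficient rights to execute the transfer. One way to do this is to add the credential information to the body, as shown here: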

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">


22-342439
98-283843
100.00


dave
evad




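With this approach, every operation that requires authentication has to deal with the credentials. It also means that other applications needing security must develop their own solutions to the problem; ultimately, interoperability suffers. For common needs such as security, it makes more sense to define standard SOAP headers that everyone agrees on. Vendors can then build support for the extended functionality into their generic SOAP infrastructure, and everyone wins. This approach increases developer productivity and at the same time helps ensure a higher level of interoperability. This is exactly what the SOAP extensibility model was designed to achieve.

Extensibility

Most existing protocols make a distinction between control information (e.g., headers) and message payload. SOAP is no different in this regard. The SOAP Header and Body elements make the same distinction in the easy-to-process world of XML. Besides ease of use, the key benefit of the extensible Envelope is that it can be used with any communication protocol.

Headers have always been important in application protocols (such as HTTP and SMTP), because they allow the applications at both ends of the wire to negotiate the precise behavior of the supported commands. Although the SOAP specification itself does not define any built-in headers, headers will come to play an equally important role in SOAP. As GXA matures and SOAP headers are standardized, developers will find it easier to define rich application protocols without starting from scratch each time.

Like the Body element, the Header element is a generic container for control information. It may contain any number of elements from any namespace (other than the SOAP namespace). The elements placed in the Header element are called header blocks. As with other protocols, header blocks should contain information that influences payload processing. This is therefore the right place to put something like credentials that help control access to an operation: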

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">



dave
evad




22-342439
98-283843
100.00



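A header block can also be annotated with a global SOAP attribute named mustUnderstand to indicate whether the receiver is required to understand the header before processing the message. The following example shows how to require processing of the credentials header: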

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">


soap:mustUnderstand="1"
>
dave
evad


...

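If a header block is annotated with mustUnderstand="1" and the receiver was not designed to support the given header, the message should not be processed and a Fault should be returned to the sender (with a soap:MustUnderstand status code). If mustUnderstand="0" or the mustUnderstand attribute is absent, the receiver may ignore the header block and continue processing. The mustUnderstand attribute plays a central role throughout the SOAP processing model.

Processing Model

SOAP defines a processing model that outlines the rules for processing a SOAP message as it travels from a SOAP sender to a SOAP receiver. Figure 1 illustrates the simplest SOAP messaging scenario, in which one application (the SOAP sender) sends a SOAP message to another application (the SOAP receiver).

The processing model, however, allows for more interesting architectures (like the one in Figure 3) that contain multiple intermediary nodes. From here on, I use the term SOAP node to refer to any application that processes SOAP messages, whether it is the initial sender, an intermediary or the ultimate receiver; otherwise I will be explicit and use the precise term.

Figure 3. Sophisticated SOAP messaging

An intermediary sits between the initial sender and the ultimate receiver and intercepts SOAP messages. An intermediary acts as both a SOAP sender and a SOAP receiver. Intermediaries make it possible to design interesting and flexible network architectures that can be influenced by message content. SOAP routing is a good example that relies heavily on SOAP intermediaries (for details on SOAP routing, see Routing SOAP Messages with Web Services Enhancements 1.0).

While processing a message, a SOAP node assumes one or more roles, and these roles influence how SOAP headers are processed. Roles are given unique names (in the form of URIs) so that they can be identified during processing. When a SOAP node receives a message to process, it must first determine which roles to assume. It may inspect the SOAP message to help make this determination.

Once a SOAP node has determined the roles it will play, it must then process all mandatory headers (marked mustUnderstand="1") targeted at one of its roles. The SOAP node may also choose to process any optional headers (marked mustUnderstand="0") targeted at one of its roles.

SOAP 1.1 defines only a single role, named http://schemas.xmlsoap.org/soap/actor/next (next, for short). Every SOAP node is required to assume the next role. So when a SOAP message arrives at any given SOAP node, that node must process all mandatory headers targeted at the next role, and it may choose to process optional headers targeted at the next role. In addition to next, SOAP 1.2 defines a few more roles (see Table 3), and applications may define custom roles as well.

SOAP headers target specific roles through the global actor attribute (the attribute is named role in SOAP 1.2). If the actor attribute is absent, the header is targeted at the ultimate receiver by default. The following SOAP message illustrates how to use actor: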

 xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

soap:actor="http://schemas.xmlsoap.org/soap/actor/next"
soap:mustUnderstand="1"
>
...

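Because the wsrp:path header is targeted at the next role and marked as mandatory (mustUnderstand="1"), the first SOAP node to receive this message is required to process it according to that header block's specification, in this case WS-Routing. If a SOAP node does not understand a mandatory header targeted at one of its roles, it must generate a SOAP fault with a soap:MustUnderstand status code and stop processing. The SOAP Fault element provides the faultactor child element to specify which node in the message path caused the fault. The value of the faultactor attribute is a URI that identifies the SOAP node that caused the fault.

If a SOAP node successfully processes a header, it is required to remove that header from the message. SOAP nodes may reinsert headers, but doing so changes the parties to the contract: it is now between the current node and the next node the header targets. If the SOAP node happens to be the ultimate receiver, it must also process the SOAP body.

Table 3. SOAP 1.2 roles

SOAP role name

Description

  • Each SOAP intermediary and the ultimate SOAP receiver MUST act in this role and MAY additionally assume zero or more other SOAP roles.

  • SOAP nodes MUST NOT act in this role.

  • To establish itself as an ultimate SOAP receiver, a SOAP node MUST act in this role. SOAP intermediaries MUST NOT act in this role.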
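
The envelope check and the header-processing rules described above, as an added example in Python (not code from the original article). The message is constructed: the element names credentials, path and TransferFunds and the urn:examples-org:security, urn:examples-org:routing and urn:examples-org:audit URIs are assumptions, and the DTD rejection comes from the SOAP 1.1 specification rather than from this article.

```python
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

def process(message, understood, roles=(), ultimate=True):
    """Apply the SOAP 1.1 envelope and header rules at one SOAP node.
    understood: header block tags ('{namespace}name') this node implements.
    roles: actor URIs played besides next; ultimate: is this the final receiver?
    Returns ('fault', faultcode, reason) or ('ok', tags_left_for_later_nodes).
    """
    if "<!DOCTYPE" in message:      # the SOAP 1.1 spec forbids a DTD in a message
        return ("fault", "Client", "DTD not allowed")
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return ("fault", "Client", "not well-formed XML")
    # Root element name identifies a SOAP message, its namespace the version.
    ns, _, name = root.tag.lstrip("{").rpartition("}")
    if name != "Envelope":
        return ("fault", "Client", "root element is not Envelope")
    if ns != SOAP11:
        return ("fault", "VersionMismatch", "unsupported envelope namespace")
    header = root.find(f"{{{SOAP11}}}Header")
    untouched = []
    for block in (header if header is not None else []):
        actor = block.get(f"{{{SOAP11}}}actor")
        targeted = (actor is None and ultimate) or actor == NEXT or actor in roles
        if not targeted:
            untouched.append(block.tag)   # left in place for another node
        elif (block.tag not in understood
              and block.get(f"{{{SOAP11}}}mustUnderstand") == "1"):
            return ("fault", "MustUnderstand", f"cannot process {block.tag}")
        # else: processed here, or optional and ignored
    if root.find(f"{{{SOAP11}}}Body") is None:
        return ("fault", "Client", "Body element missing")
    return ("ok", untouched)

CRED = "{urn:examples-org:security}credentials"   # hypothetical header block
# Constructed message: element names and the security/routing URNs are assumptions.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP11}">
 <soap:Header>
  <s:credentials xmlns:s="urn:examples-org:security" soap:mustUnderstand="1">
   <username>dave</username><password>evad</password>
  </s:credentials>
  <r:path xmlns:r="urn:examples-org:routing" soap:actor="urn:examples-org:audit"/>
 </soap:Header>
 <soap:Body>
  <x:TransferFunds xmlns:x="urn:examples-org:banking">
   <from>22-342439</from><to>98-283843</to><amount>100.00</amount>
  </x:TransferFunds>
 </soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(process(SAMPLE, {CRED}))
```

A node that does not implement the credentials block refuses the transfer with a MustUnderstand fault instead of running it unauthenticated, which is the behaviour that makes mandatory security headers safe to rely on.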

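Protocol Bindings

An interesting aspect of Figure 3 is that SOAP allows message exchange over a variety of underlying protocols. Because the SOAP messaging framework is independent of the underlying protocol, each intermediary can choose to use a different communication protocol without affecting the SOAP message. Standard protocol bindings are necessary, however, to ensure a high level of interoperability across SOAP applications and infrastructure.

A concrete protocol binding defines exactly how SOAP messages should be transmitted with a given protocol. In other words, it defines the details of how SOAP fits within the scope of another protocol, which probably has a messaging framework of its own along with a variety of headers. What a protocol binding actually defines depends largely on the capabilities and options of the protocol. For example, a protocol binding for TCP would differ considerably from one for MSMQ or one for SMTP.

The SOAP 1.1 specification codifies only one protocol binding, for HTTP (because of HTTP's wide use). SOAP has been used with many protocols other than HTTP, but those implementations do not follow standardized bindings. There is nothing wrong with getting ahead of the curve and working without a standard protocol binding, as long as you are prepared to deal with interoperability issues when you try to integrate with other SOAP implementations that use the same protocol.

HTTP Binding

The HTTP protocol binding defines the rules for using SOAP over HTTP. SOAP request/response maps naturally onto the HTTP request/response model. Figure 4 illustrates many of the details of the SOAP HTTP binding.

Figure 4. SOAP HTTP binding

The Content-Type header of both HTTP request and response messages must be set to text/xml (application/soap+xml in SOAP 1.2). The request message must use POST as the verb, and the URI should identify the SOAP processor. The SOAP specification also defines a new HTTP header named SOAPAction, which all SOAP HTTP requests must contain (even if it is empty). The SOAPAction header is meant to express the intent of the message. The HTTP response should use a 200 status code if no errors occurred, or 500 if it contains a SOAP fault.

RPC and Encoding

Although the SOAP specification has moved away from objects, it still defines a convention for encapsulating and exchanging RPC calls using the messaging framework described above. Defining a standard way to map RPC calls to SOAP messages lets the infrastructure translate automatically between method invocations and SOAP messages at run time, without redesigning the code around the Web services platform.

To make a method call using SOAP, the infrastructure needs the following information:

  • 1. Endpoint location (URI)

  • 2. Method name

  • 3. Parameter names/values

  • 4. Optional method signature

  • 5. Optional header data

This information can be conveyed in a variety of ways, including type libraries, IDL files or, better still, WSDL files. The SOAP RPC binding defines how to encapsulate and represent this information within the SOAP body. It does so by first defining how a method signature maps to simple request/response structures, which are then encoded as XML. The RPC binding states that the method call is modeled as a struct named after the method. The struct contains an accessor for each [in] or [in/out] parameter, named the same as the parameter and in the order defined by the message signature. The method response is also modeled as a struct. The name of the struct does not matter, although the convention is to use the method name followed by "Response" (e.g., for an add operation the method response would be named addResponse). The response struct contains an accessor for the return value (whose name does not matter in SOAP 1.1 but must be rpc:result in SOAP 1.2), followed by an accessor for each [out] or [in/out] parameter.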

Let's look at an example. Suppose the add operation has the following C# method signature:

double add(ref double x, double y)

According to the RPC binding rules just described, the request struct representing the method call is modeled as follows:

struct add {
double x;
double y;
}

And the response struct is as follows:

struct addResponse {
double result;
double x;
}

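The question now is: how should these structs be mapped to XML? The SOAP specification defines a set of encoding rules for exactly this purpose. The SOAP encoding rules outline how to map today's most commonly used data structures (such as structs and arrays) to a common XML format. According to the SOAP encoding rules, the request struct above maps to the following XML message (which is placed in the SOAP body):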


33
44

And the response message for the above request maps to the following XML message (which goes in the body of the response message):


77
33

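The SOAP encoding rules were created when work on XML Schema had only just begun. Now that XML Schema is complete, developers can simply supply literal XML Schema definitions that specify exactly how the request/response messages should be formatted in XML. Because interoperability is easier to achieve with XML Schema definitions, most developers have decided to abandon the SOAP encoding rules altogether. In fact, as of SOAP 1.2, the SOAP specification no longer officially requires support for the SOAP encoding rules. From now on it is best to avoid the SOAP encoding rules; for a full discussion of why, see the article on the discussion of SOAP encoding.

Although the SOAP RPC binding and encoding rules provide a nice SOAP integration layer for applications that do not want to deal with things like XML Schema and WSDL, they have largely fallen out of favor with the Web services community because they tend to cause interoperability problems.

SOAP Styles

To reiterate, there are two basic styles of SOAP messaging today: document and RPC. The document style indicates that the body simply contains an XML document whose format the sender and receiver must both adhere to. The RPC style, on the other hand, indicates that the body contains an XML representation of a method call, as just described.

There are two ways to decide how data is serialized into the body: using literal XML Schema definitions, and using the SOAP encoding rules. With the former approach, the schema definition literally determines the XML format of the body, without ambiguity. With the latter approach, however, the SOAP processor must walk the various SOAP encoding rules at run time to determine the proper serialization of the body. Clearly this approach is more prone to errors and interoperability problems.

The most common scenarios are the document style with literal schema definitions (known as document/literal) and the RPC style with the SOAP encoding rules (known as rpc/encoded). Document/encoded and rpc/literal are also possible but are uncommon and do not make much sense. Most Web services platforms focus on the document/literal style as the primary use case going forward, and it is the default in the Microsoft ASP.NET WebMethod framework today.

Summary

SOAP defines a simple and extensible XML messaging framework that can be used over a variety of protocols with a variety of different programming models, although the specification codifies how to use SOAP with HTTP and RPC calls. SOAP also defines a complete processing model that outlines how messages are processed as they travel along a path. Overall, SOAP provides a rich and flexible framework for defining higher-level application protocols that offer better interoperability in distributed, heterogeneous environments.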