Learning Node/Express

During the past few weeks, I have been reading about and practicing Node, using the Express framework.

I finished a simple web app deployed on Heroku.

It can help check your annual income ranking in Singapore for tax year 2012/2013.

I read two simple books: Node Web Development and Express Web Application Development.

Having some knowledge of web development, it seems easy to grasp the ideas behind them.

ArcMap Convert Data from WGS84 to SVY21 TM (Singapore SLA)

1. First, create a custom Geographic Transformation as follows:


You can select the input GCS and output GCS from ESRI projection list:

GCS => World => WGS 1984

PCS => National Grids => Malaysia and Singapore => SVY21_Singapore_TM

2. Project Data: select From_WGS84_to_SVY21 (the transformation just created) for the last option.



3. To convert from SVY21 to WGS 1984, do the same steps in reverse.

Exception: Checked vs Unchecked

An exception is an event that occurs during the execution of a program that disrupts the normal flow of instructions.

Unchecked exception: a runtime exception, or an error that cannot be recovered from at runtime, such as dividing by zero.

Checked exception: an exception that code can handle with a try-catch statement, such as invalid input.

Because the Java programming language does not require methods to catch or to specify unchecked exceptions (RuntimeException, Error, and their subclasses), programmers may be tempted to write code that throws only unchecked exceptions or to make all their exception subclasses inherit from RuntimeException. Both of these shortcuts allow programmers to write code without bothering with compiler errors and without bothering to specify or to catch any exceptions. Although this may seem convenient to the programmer, it sidesteps the intent of the catch or specify requirement and can cause problems for others using your classes.

Why did the designers decide to force a method to specify all uncaught checked exceptions that can be thrown within its scope? Any Exception that can be thrown by a method is part of the method’s public programming interface. Those who call a method must know about the exceptions that a method can throw so that they can decide what to do about them. These exceptions are as much a part of that method’s programming interface as its parameters and return value.

The next question might be: “If it’s so good to document a method’s API, including the exceptions it can throw, why not specify runtime exceptions too?” Runtime exceptions represent problems that are the result of a programming problem, and as such, the API client code cannot reasonably be expected to recover from them or to handle them in any way. Such problems include arithmetic exceptions, such as dividing by zero; pointer exceptions, such as trying to access an object through a null reference; and indexing exceptions, such as attempting to access an array element through an index that is too large or too small.

Runtime exceptions can occur anywhere in a program, and in a typical one they can be very numerous. Having to add runtime exceptions in every method declaration would reduce a program’s clarity. Thus, the compiler does not require that you catch or specify runtime exceptions (although you can).

One case where it is common practice to throw a RuntimeException is when the user calls a method incorrectly. For example, a method can check if one of its arguments is incorrectly null. If an argument is null, the method might throw a NullPointerException, which is an unchecked exception.

Generally speaking, do not throw a RuntimeException or create a subclass of RuntimeException simply because you don’t want to be bothered with specifying the exceptions your methods can throw.

Here’s the bottom line guideline: If a client can reasonably be expected to recover from an exception, make it a checked exception. If a client cannot do anything to recover from the exception, make it an unchecked exception.


1. https://docs.oracle.com/javase/tutorial/essential/exceptions/index.html

2. http://www.javapractices.com/topic/TopicAction.do?Id=129

How does ArcGIS Server token authentication work?

ArcGIS Server supports two methods of authentication: web-tier authentication (including Integrated Windows authentication, PKI, and HTTP Basic/Digest) and GIS-tier authentication (also known as token authentication). One method must be chosen; the methods cannot be combined.
For highest security, web-tier authentication is recommended. GIS-tier may be used in less secure environments if the architecture dictates a load balancer instead of a web adaptor or in situations where the web server has no means to integrate into the user store that ArcGIS Server is using (such as ArcGIS Server built-in accounts).

This article explains how token authentication works and how it should be configured.

When ArcGIS Server is configured to use GIS-tier authentication, client applications ask the user for their username and password. Those client applications then send the username/password to ArcGIS Server and receive a token in exchange. That token can then be used on subsequent requests so that the username/password do not need to be sent again.

If ArcGIS Server is not configured properly, there are security risks to using tokens. The following is a discussion of those risks and what should be done about them.

Risk 1: Leaking usernames/passwords

All Esri clients and APIs send usernames and passwords over https (encrypted) if it is enabled. If it’s not enabled, then usernames/passwords may be sent as clear text over the network. To prevent this, it is strongly recommended that https be enabled in ArcGIS Server when using GIS-tier authentication. It is not enabled by default.

Risk 2: Replay attacks

A common attack is to sniff network traffic and acquire information like tokens for re-use in a malicious attack. An attacker who acquired an ArcGIS Server token from a user would be able to pretend to be that user for a period of time.

There are ways to mitigate this kind of attack. The strongest is to require https for all communications, which encrypts everything sent to and from ArcGIS Server.

There are also ways to mitigate this through the token settings for ArcGIS Server. ArcGIS Server issues both short- and long-term tokens. Long-term tokens must be bound to an IP address or a referrer. When a token is bound to an IP, only tokens coming from that IP address are accepted. This means that a replayed token from another machine is rejected. When a token is bound to a referrer, it means that unless a specific HTTP header called a referrer is set, the token is rejected. Client applications decide whether to use referrers or IP addresses. Utilizing the referrer may decrease the security of the implementation; therefore, it is not recommended.

Short-term tokens don’t need to be bound to an IP address or a referrer because the period in which the token is valid is often very short which makes it harder to replay. The maximum time period for short-term tokens can be configured so that it can be shortened down to as little as a single minute.
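The two token settings described above (IP binding for long-term tokens, a short lifetime for unbound ones) can be modelled as server-side checks. This is an added example, not Esri code and not the ArcGIS Server token format: the HMAC-signed token layout, the function names, the user name and the IP addresses are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Toy token format for illustration only; this is NOT the ArcGIS Server token format.
const SERVER_KEY = crypto.randomBytes(32); // constructed per-process signing key

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('base64url');
}

// Pass `ip` to bind the token to one client address (long-term token);
// omit it for an unbound short-term token with a small ttlMinutes.
function issueToken({ user, ip = null, ttlMinutes }, nowMs = Date.now()) {
  const claims = { user, ip, exp: nowMs + ttlMinutes * 60000 };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Returns { ok: true, user } or { ok: false, reason }.
function validateToken(token, requestIp, nowMs = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return { ok: false, reason: 'malformed' };
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (nowMs >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.ip !== null && claims.ip !== requestIp) {
    return { ok: false, reason: 'ip-mismatch' }; // sniffed token presented elsewhere
  }
  return { ok: true, user: claims.user };
}

// Constructed scenario: the same tokens presented from a second machine.
function replayDemo(t0 = Date.now()) {
  const bound = issueToken({ user: 'gis_editor', ip: '10.0.0.5', ttlMinutes: 1440 }, t0);
  const brief = issueToken({ user: 'gis_editor', ttlMinutes: 1 }, t0);
  return {
    ownerUsesBound: validateToken(bound, '10.0.0.5', t0 + 1000),
    replayBound: validateToken(bound, '10.0.0.99', t0 + 1000),
    replayBriefEarly: validateToken(brief, '10.0.0.99', t0 + 30000),
    replayBriefLate: validateToken(brief, '10.0.0.99', t0 + 61000),
  };
}

console.log(replayDemo());
```

The unbound short-term token is still accepted from the second address until it expires, which is why requiring https remains the strongest mitigation and the lifetime setting only narrows the window.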

Risk 3: Development Practices

Tokens can be acquired through either an HTTP GET or an HTTP POST. Using a POST is always more secure. GET requests may leave usernames/passwords in network equipment history and in the browser history. Esri APIs and products use POST when acquiring tokens. However, for the convenience of people writing scripts, tokens can be acquired via GET requests. Esri recommends against obtaining tokens via GET requests in secure environments.
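To find scripts that still request tokens with GET, a web server access log can be audited for token requests carrying credentials in the query string. This is an added example, not Esri tooling: the log lines are constructed, the "combined" log format is assumed, and the token endpoint paths matched by `TOKEN_PATH` are an assumption to adjust for your deployment.

```javascript
// Constructed sample lines in "combined" access-log format (not from a real server).
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Mar/2014:09:14:02 +0800] "POST /arcgis/tokens/generateToken HTTP/1.1" 200 412 "-" "script"',
  '10.0.0.7 - - [12/Mar/2014:09:15:40 +0800] "GET /arcgis/tokens/generateToken?username=gis_editor&password=Example%21Pass&f=json HTTP/1.1" 200 398 "-" "curl"',
  '10.0.0.9 - - [12/Mar/2014:09:16:11 +0800] "GET /arcgis/rest/services/Parcels/MapServer?f=json HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [12/Mar/2014:09:20:03 +0800] "GET /arcgis/tokens/?username=batch_user&password=hunter2 HTTP/1.1" 200 390 "-" "curl"',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/;
const TOKEN_PATH = /\/tokens(\/generateToken)?\/?$/i; // assumed token endpoint paths

// Report every token request that put a password in the URL (and so in the log).
function findCredentialLeaks(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = LINE_RE.exec(line);
    if (!m) return; // not an access-log line we understand
    const [, client, when, method, target] = m;
    const url = new URL(target, 'http://placeholder.invalid'); // base only for parsing
    if (!TOKEN_PATH.test(url.pathname)) return;
    if (method !== 'GET' || !url.searchParams.has('password')) return;
    findings.push({
      line: i + 1,
      client,
      when,
      user: url.searchParams.get('username') || '(unknown)',
    });
  });
  return findings;
}

// Scrub password values before a log excerpt is shared or archived.
function redact(line) {
  return line.replace(/(password=)[^&\s"]*/gi, '$1[REDACTED]');
}

for (const f of findCredentialLeaks(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.user} sent a password via GET from ${f.client} at ${f.when}`);
}
```

Every account reported this way should have its password changed, since the credential is already stored in clear text in the log.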

Reference from ESRI.

OOP Concepts

An object is a software bundle of related state (attributes) and behavior (methods). Software objects are often used to model the real-world objects that you find in everyday life.

Object-Oriented Programming is just a programming paradigm based on this concept of “everything is an object”. A class is a blueprint or prototype from which objects are created. A class models the state and behavior of a real-world object.

In the definition of a class, we can decide which attributes or methods are used only locally (private) and which can be exposed to others (public). This is called data encapsulation. It allows data hiding and protection against corruption.

For example, a car can be described as a specific implementation of a more general “class” of thing, called a vehicle. We model this relationship in software with classes by defining a Vehicle class and a Car class. In class Vehicle, we have speed, passenger capacity, etc., which are the behaviors common to most types of vehicles, e.g. planes, trains, etc. It would not make sense in our software to redefine the basic essence of speed over and over again for each different type of vehicle. Instead, we define it once in Vehicle, and then when we define Car (child class), we simply indicate that it inherits (extends) the base definition from Vehicle (parent class). Car is said to specialize the general Vehicle definition. This is how inheritance works in class definition.

Another key concept is polymorphism, which describes the idea that a general behavior from a parent class can be overridden in a child class to make it more specific. Say we define a method StartEngine() in Vehicle; the same named method should be implemented differently in Car and Plane, since each starts its engine differently.


1. http://docs.oracle.com/javase/tutorial/java/concepts/index.html

2. wikipedia: oop



Spatial Reference, GCS and PCS

It is better to read some basic geography first to understand these concepts.

Map Projection

A map projection is a systematic transformation of the latitudes and longitudes of locations on the surface of a sphere or an ellipsoid into locations on a plane. A 2-D map of places on Earth needs a projection. To display something in a Cartesian (x, y) coordinate system, you need an origin, scales to define distance, and bounds; that is the job of the Spatial Reference. For a 3-D view, you also need a z value, i.e. elevation.

Spatial Reference

A Spatial Reference System (SRS) or Coordinate Reference System (CRS) is a coordinate-based local, regional or global system used to locate geographical entities. An SRS defines a specific map projection, as well as transformations between different spatial reference systems. It is like a date-time reference for time, e.g. Greenwich Mean Time. There are many spatial references defined by various organizations and regions; please see Wikipedia. For example: EPSG 4326 for the current GPS measurement.

Geographic Coordinate System (GCS)

You can think of a Geographic Coordinate System as data that is defined by a 3-D surface and measured in latitude and longitude. An example of a Geographic Coordinate System would be “WGS 1983” or “North American Datum 1983”. You may also wonder what a “Datum” is. Just remember that the terms “Datum” and “Geographic Coordinate System” can be used interchangeably. Essentially, a Datum provides a “frame of reference for measuring locations on the surface of the earth, i.e. lines of latitude and longitude.”

Projected Coordinate System (PCS)

A projected coordinate system refers to data that is defined by a flat 2-D surface and can be measured in units of meters and feet. An example would be USA Albers Equal Area Conic, which has a measuring unit of meters. “Map projections” and “Projected Coordinate Systems” can be used interchangeably as well.

Read the ArcGIS content for a full understanding.

Install the JavaScript API for use with ArcGIS 10.2 for Server


When using ArcGIS for Server in an isolated or secure environment, it may not be possible to access the hosted Esri JavaScript API libraries. This article provides a walkthrough for installing a local copy of the JavaScript API and configuring it for use with ArcGIS 10.2 for Server.


 This document assumes that Microsoft IIS is being used as the web server. If using a different program, some steps may not apply or may be different based on that configuration. Please consult that software’s documentation if needed.

Download and install the JavaScript API

1. Navigate to the ArcGIS API for JavaScript page.

2. Under the Download section, click the link to the ArcGIS API for JavaScript section of the Esri Download page.


3. Scroll down to the latest ArcGIS API for JavaScript release (currently v3.8).

4. Click the ‘arcgis_js_v38_api.zip’ link and log in with an Esri Global Account username and password.


5. Accept the License Agreement to start the download.


Modify JavaScript files

1. Unzip the contents of the .zip file to a temporary location.

 This may take a few minutes. While not physically large, the .zip file contains approximately 17K files that must be extracted.

2. Copy the arcgis_js_api folder into the web server root folder, typically:

 Please note in the following two steps, do not include ‘http://’ with the fully qualified host name as this is already defined in the two files.

3. Open the following file in a text editor:


4. Search for the text ‘[HOSTNAME_AND_PATH_TO_JSAPI]’, and replace this text with:


5. Open the following file in a text editor:


6. Search for the text ‘[HOSTNAME_AND_PATH_TO_JSAPI]’, and replace this text with:


Add IIS default document

1. Open IIS and navigate to the Default Web Site.

2. Open the Default Document.


3. Under the Actions heading, click Add.


4. Type init.js as the name value, and click OK.


Init.js should now be listed as a Local Entry Type default document.


Edit ArcGIS services

1. In a web browser on the server, navigate to the following location:


2. Log in with administrator credentials.


3. Copy or take a screenshot of the current Services Directory settings in case it is necessary to revert to the default settings.

4. Click ‘edit’ to modify settings.


5. Replace each of the following fields with the path to the local installation of the JavaScript API using the fully qualified host name in place of the following examples:

• Javascript API URL:


• Javascript API CSS URL:


• Javascript API CSS2 URL:



 If your server is configured to use HTTPS only, modify the examples above to use HTTPS instead of HTTP as the URL connection.

6. Clear the browser cache to complete installation.

 To confirm that ArcGIS for Server is using the correct settings for the JavaScript API, open a web debugging program and preview a map service using the ArcGIS JavaScript viewer from the Services Directory (REST). If configured correctly, the viewer should load successfully and all URLs listed in the web debugger should be from the local web server and not from ‘serverapi.arcgisonline.com’.
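The confirmation step above can be automated by exporting the debugger's network capture as a HAR file and checking every request host. This is an added example, not part of the Esri article: the host name `gis.example.internal`, the URL paths and the HAR fragment are constructed, and `auditHar` is a hypothetical helper.

```javascript
// Constructed HAR fragment, in the shape a browser's Network tab exports.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'http://gis.example.internal/arcgis/rest/services/Parcels/MapServer' } },
  { request: { url: 'http://gis.example.internal/arcgis_js_api/init.js' } },
  { request: { url: 'http://serverapi.arcgisonline.com/jsapi/arcgis/3.8/init.js' } },
  { request: { url: 'data:image/png;base64,AAAA' } },
] } };

// Flags requests that leave the local web server and, when the server is
// HTTPS-only, local requests that still use plain http.
function auditHar(har, localHost, { httpsOnly = false } = {}) {
  const external = new Map(); // host -> request count
  const insecure = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // unparsable entry, nothing to classify
    }
    if (!/^https?:$/.test(url.protocol)) continue; // skip data:, blob:, etc.
    if (url.hostname.toLowerCase() !== localHost.toLowerCase()) {
      external.set(url.hostname, (external.get(url.hostname) || 0) + 1);
    } else if (httpsOnly && url.protocol === 'http:') {
      insecure.push(url.href);
    }
  }
  return {
    external: Object.fromEntries(external),
    insecure,
    ok: external.size === 0 && insecure.length === 0,
  };
}

console.log(auditHar(SAMPLE_HAR, 'gis.example.internal', { httpsOnly: true }));
```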