XEP-0070: Verifying HTTP Requests via XMPP

Abstract
This specification defines an XMPP protocol extension that enables verification of an HTTP request via XMPP.
Authors
  • Matthew Miller
  • Joe Hildebrand
  • Dave Smith
  • Peter Saint-Andre
Copyright
© 1999 – 2020 XMPP Standards Foundation. SEE LEGAL NOTICES.
Status

Draft

NOTICE: The protocol defined herein is a Draft Standard of the XMPP Standards Foundation. Implementations are encouraged and the protocol is appropriate for deployment in production systems, but some changes to the protocol are possible before it becomes a Final Standard.
Type
Standards Track
Version
1.0.1 (2016-12-09)
Document Lifecycle
  1. Experimental
  2. Proposed
  3. Draft
  4. Final

1. Introduction

HTTP (see RFC 2616 [1]) is a nearly-ubiquitous mechanism for the publication and retrieval of information over the Internet. Sometimes it is appropriate for an HTTP Server to allow access to that information only if the HTTP Client first provides authentication credentials. While there exist several standardized HTTP authentication schemes (see RFC 2617 [2]), it may be useful in some applications to enforce verification of an HTTP request by requiring an XMPP entity (normally an IM user) to confirm that it made the request. This request verification can be combined with native HTTP authentication to provide a stronger association between the request and a particular user, as well as to take advantage of the strong user authentication provided in XMPP (see XMPP Core [3]).

2. Terminology

2.1 HTTP Terms

This document inherits terminology about the HyperText Transfer Protocol from RFC 2616 and RFC 2617.

2.2 Entities

Table 1: Terms for Entities Described Herein
Term Definition
HTTP Client A client that implements the HyperText Transfer Protocol (HTTP)
HTTP Server A server that implements the HyperText Transfer Protocol (HTTP)
XMPP Client A client that implements the Extensible Messaging and Presence Protocol (XMPP) or its antecedents
XMPP Server A server that implements the Extensible Messaging and Presence Protocol (XMPP) or its antecedents

Note well that an XMPP Client can simultaneously be an HTTP Client (or vice-versa), and that an XMPP Server can simultaneously be an HTTP Server (or vice-versa). However, for the purposes of this discussion, we assume that these entities are logically if not physically separate and distinct.

3. Requirements

The motivations for this document are to:

4. Use Case

The process flow for this protocol is as follows:

  1. HTTP Client requests object via HTTP.
  2. HTTP Server sends Authenticate Response via HTTP.
  3. HTTP Client sends Authorization Request via HTTP (E1).
  4. HTTP Server processes request and forwards it to XMPP Server.
  5. XMPP Server requests confirmation via XMPP (E2).
  6. XMPP Client confirms request via XMPP.
  7. XMPP Server delivers confirmation to HTTP Server.
  8. HTTP Server allows HTTP Client to access object (E3).

Error cases:

This process flow is described in more detail in the following sections.

4.1 HTTP Client Sends Request via HTTP

Let us stipulate that an XMPP user (say, <juliet@capulet.com>) learns of an HTTP URL (e.g., <https://files.shakespeare.lit:9345/missive.html>). The user then attempts to retrieve the URL using her HTTP Client, which opens a TCP connection to the appropriate port of the host and sends an HTTP request as defined in RFC 2616. The request method MAY be any valid HTTP request method, including user-defined methods.

An example is provided below:

Example 1. HTTP Client Makes Request (No Credentials)
GET https://files.shakespeare.lit:9345/missive.html HTTP/1.1

In order to avoid a round trip, the initial request MAY contain HTTP authorization credentials as described below.

4.2 HTTP Server Returns Authenticate Response via HTTP

If the user did not provide authorization credentials in the initial request, the HTTP Server then MUST respond with a (401) Authenticate response as defined in RFC 2616. The response MUST contain an HTTP 401 error and one WWW-Authenticate header for each authentication scheme recognized by the HTTP Server. In order to provide verification via XMPP, at least one of these headers MUST specify a realm of "xmpp" (case-sensitive).

Example 2. HTTP Server Returns Authenticate Response
401 Unauthorized HTTP/1.1
WWW-Authenticate: Basic realm="xmpp"
WWW-Authenticate: Digest realm="xmpp",
                  domain="files.shakespeare.lit",
                  stale=false,
                  nonce="ec2cc00f21f71acd35ab9be057970609",
                  qop="auth",
                  algorithm="MD5"

4.3 HTTP Client Sends Authorization Request via HTTP

The HTTP Client responds with an Authorization Request as defined in RFC 2616. The following rules apply:

  1. The request MUST include the Jabber Identifier (JID) of the user making the request. This SHOULD be the full JID (<user@host/resource>) of a client that supports the protocol defined herein, although it MAY be the user's bare JID (<user@host>) instead.
  2. The request MUST include a transaction identifier for the request. This identifier MUST be unique within the context of the HTTP Client's interaction with the HTTP Server. If the HTTP request is generated by the XMPP Client (e.g., because the HTTP URL was discovered via Out-of-Band Data (XEP-0066) [4]) then the transaction identifier SHOULD be generated by the client; if not, the transaction identifier SHOULD be provided by the human user who controls the HTTP Client.

The Authorization Request process is described in the following subsections.

4.3.1 Basic Access Authentication Scheme

The Basic Access Authentication scheme is defined in RFC 2617. This scheme specifies that the authorization information shall consist of a userid and password, separated by a ':' character and then encoded using Base64. When the realm is "xmpp", the profile defined herein further specifies that the userid MUST be a valid JID as described above, that the password entity MUST be a transaction identifier as described above, that any character in the JID or transaction identifier that is outside the range of the US-ASCII coded character set MUST be transformed into a percent-encoded octet as specified in Section 2.1 of RFC 3986 [5] prior to Base64 encoding, and that Base64 encoding MUST adhere to Section 4 of RFC 4648 [6].

(Refer to RFC 2617 for specification of the syntax of the Basic Access Authentication scheme; that information is not duplicated here.)

Example 3. HTTP Client Makes Basic Authorization Request
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

4.3.2 Digest Access Authentication Scheme

The Digest Access Authentication scheme is defined in RFC 2617. This scheme specifies that the authorization information shall consist of the MD5 checksum of the username, a cnonce generated by the client, a nonce value provided in the challenge, the HTTP method, and the requested URL. When the realm is "xmpp", the profile defined herein further specifies that prior to creating the MD5 checksum the username MUST be a valid JID as described above, that the cnonce MUST be a transaction identifier as described above, and that any character in the JID or transaction identifier that is outside the range of the US-ASCII coded character set MUST be transformed into a percent-encoded octet as specified in Section 2.1 of RFC 3986.

(Refer to RFC 2617 for specification of the syntax of the Digest Access Authentication scheme; that information is not duplicated here.)

Example 4. HTTP Client Makes Digest Authorization Request
Authorization: Digest username="juliet@capulet.com",
               realm="xmpp",
               nonce="ec2cc00f21f71acd35ab9be057970609",
               uri="missive.html",
               qop=auth,
               nc=00000001,
               cnonce="0a4f113b",
               response="6629fae49393a05397450978507c4ef1",
               opaque="5ccc069c403ebaf9f0171e9517f40e41"

4.3.3 Additional Authentication Schemes

The HTTP Server MAY offer any other valid authentication scheme, instead of or in addition to the Basic and Digest schemes mentioned above, as long as the scheme makes it possible to specify a userid (JID) and transaction identifier as described above. However, it is RECOMMENDED to implement both the Basic and Digest authentication schemes.

4.4 HTTP Server Processes Request

Once the HTTP Client has communicated the JID and transaction identifier to the HTTP Server, the HTTP Server MUST verify that the JID is authorized to access the HTTP resource. This may involve JID-level or domain-level access checks, or (depending on local service policies) potentially no access checks at all if only verification is required.

If the JID is authorized to access the HTTP resource, the HTTP Server MUST pass the URL, method, JID, and transaction identifier to the XMPP Server for confirmation. Exactly how this is done is up to the implementation. It is RECOMMENDED for the HTTP Server to connect to the XMPP Server as a trusted server component and to itself generate the confirmation request as described below.

4.5 XMPP Server Requests Confirmation via XMPP

Upon receiving the JID and transaction identifier from the HTTP Server, the XMPP Server MUST send a confirmation request (via XMPP) to the XMPP Client (or route the confirmation request generated by the HTTP Server acting as a trusted XMPP server component).

The confirmation request shall consist of an empty <confirm/> element qualified by the ''http://jabber.org/protocol/http-auth' namespace. This element MUST possess a 'method' attribute whose value is the method of the HTTP request, MUST possess a 'url' attribute whose value is the full HTTP URL that was requested, and MUST possess an 'id' attribute whose value is the transaction identifier provided in the HTTP Authorization Request.

If the JID provided was a full JID, the confirmation request SHOULD be sent in an <iq/> stanza of type "get" whose 'to' attribute is set to the full JID, but MAY be sent in a <message/> stanza.

If the JID provided was a bare JID, the confirmation request MUST be sent in a <message/> stanza whose 'to' attribute is set to the bare JID; this enables delivery to the "most available" resource for the user (however "most available" is determined by the XMPP Server). The <message/> stanza SHOULD include a <thread/> element for tracking purposes and MAY include a <body/> element that provides human-readable information or instructions. If it however provides a <body/>, the server SHOULD be able to handle a plaintext reply from the client, in the case where it does not support this XEP.

Example 5. Confirmation Request Sent via IQ
<iq type='get'
    from='files.shakespeare.lit'
    to='juliet@capulet.com/balcony'
    id='ha000'>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='a7374jnjlalasdf82'
           method='GET'
           url='https://files.shakespeare.lit:9345/missive.html'/>
</iq>
Example 6. Confirmation Request Sent via Message
<message type='normal'
         from='files.shakespeare.lit'
         to='juliet@capulet.com'>
  <thread>e0ffe42b28561960c6b12b944a092794b9683a38</thread>
  <body>
    Someone (maybe you) has requested the following file:

       https://files.shakespeare.lit:9345/missive.html.

    The transaction identifier is:

       a7374jnjlalasdf82

    If you wish to confirm the request, please reply
    to this message by typing "OK". If not, please
    reply with "No".
  </body>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='a7374jnjlalasdf82'
           method='GET'
           url='https://files.shakespeare.lit:9345/missive.html'/>
</message>

4.6 XMPP Client Confirms Request via XMPP

If the confirmation request was provided via an <iq/> stanza, the XMPP Client MUST respond to the request by sending an <iq/> stanza back to the XMPP Server. If the user wishes to confirm the request, the <iq/> response stanza MUST be of type "result" and MAY contain the original <confirm/> child element (although this is not necessary since the XMPP 'id' attribute can be used for tracking purposes):

Example 7. XMPP Client Confirms Request via IQ
<iq type='result'
    from='juliet@capulet.com/balcony'
    to='files.shakespeare.lit'
    id='ha000'/>

If the user wishes to deny the request, the <iq/> response stanza MUST be of type "error", MAY contain the original <confirm/> child element (although this is not necessary since the XMPP 'id' attribute can be used for tracking purposes), and MUST specify an error, which SHOULD be <not-authorized/>:

Example 8. XMPP Client Denies Request via IQ
<iq type='error'
    from='juliet@capulet.com/balcony'
    to='files.shakespeare.lit'
    id='ha000'>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='a7374jnjlalasdf82'
           method='GET'
           url='https://files.shakespeare.lit:9345/missive.html'/>
  <error code='401' type='auth'>
    <not-authorized xmlns='urn:ietf:params:xml:xmpp-stanzas'/>
  </error>
</iq>

If the confirmation request was provided via a <message/> stanza and the <message/> contains a human-readable <body/> or does not contain a <body/> but the XMPP Client understands the 'http://jabber.org/protocol/http-auth' namespace, the XMPP Client SHOULD respond to the request by sending a <message/> stanza back to the XMPP Server. If the user wishes to confirm the request, the <message/> response stanza SHOULD be of type "normal", MUST mirror the <thread/> ID (if provided by the XMPP Server), and MUST contain the original <confirm/> child element:

Example 9. XMPP Client Confirms Request via Message
<message from='juliet@capulet.com/balcony'
         to='files.shakespeare.lit'>
  <thread>e0ffe42b28561960c6b12b944a092794b9683a38</thread>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='a7374jnjlalasdf82'
           method='GET'
           url='https://files.shakespeare.lit:9345/missive.html'/>
</message>

If the user wishes to deny the request, the <message/> response stanza MUST be of type "error", MUST mirror the <thread/> ID (if provided by the XMPP Server), MUST contain the original <confirm/> child element, and MUST specify an error, which SHOULD be <not-authorized/>:

Example 10. XMPP Client Denies Request via Message
<message type='error'
         from='juliet@capulet.com/balcony'
         to='files.shakespeare.lit'>
  <thread>e0ffe42b28561960c6b12b944a092794b9683a38</thread>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='a7374jnjlalasdf82'
           method='GET'
           url='https://files.shakespeare.lit:9345/missive.html'/>
  <error code='401' type='auth'>
    <not-authorized xmlns='urn:ietf:params:xml:xmpp-stanzas'/>
  </error>
</message>

4.7 HTTP Server Allows HTTP Client to Access Object

Once the XMPP Client has successfully confirmed the request, the XMPP Server forwards that confirmation to the HTTP Server, which allows access:

Example 11. HTTP Server Allows Access to Object
200 OK HTTP/1.1
Content-Type: text/html
Content-Length: 3032

...

If the XMPP Client denied the request, the HTTP Server MUST return a Forbidden error:

Example 12. HTTP Server Denies Access to Object
403 Forbidden HTTP/1.1

5. Implementation Notes

5.1 Interaction of HTTP methods

For the HEAD and OPTIONS methods, the credentials SHOULD be usable for a subsequent request from the same entity. This enables an entity to both determine support for the mechanism defined herein and start the authentication process.

For the POST and PUT methods (or any method containing a message body), clients MUST send all data with each request (if needed, the client should obtain credentials with a previous HEAD or OPTIONS method).

6. Security Considerations

6.1 Association of Request

In order to associate the HTTP request with the XMPP confirmation, a transaction identifier MUST be provided by the user in the HTTP Authorization Request, then passed unchanged to the XMPP Client as the value of the <confirm/> element's 'id' attribute. If the XMPP Client generated the HTTP request, it MUST check the transaction identifier against the requests it has made to verify that the request has not yet been confirmed. If the XMPP Client did not generate the HTTP request, it MUST present the transaction identifier to the user for confirmation. If the XMPP Client or User confirms the request, the XMPP Client MUST then return a confirmation to the XMPP Server for delivery to the HTTP Server.

6.2 Channel Encryption

To reduce the likelihood of man-in-the-middle attacks, channel encryption SHOULD be used for both the XMPP channel and the HTTP channel. In particular:

  1. The channel used for HTTP requests and responses SHOULD be encrypted via SSL (secure HTTP via https: URLs) or TLS (RFC 2817 [7]).
  2. If the standard binding of XMPP to TCP is used, TLS SHOULD be negotiated for the XMPP channel in accordance with RFC 6120.
  3. If a binding of XMPP to HTTP is used (e.g., as specified in XEP-0124), exchanges between the XMPP Client and XMPP Server (connection manager) SHOULD be sent over a channel that is encrypted using SSL or TLS.

6.3 End-to-End Encryption

For added security, the XMPP Server and XMPP Client may wish to communicate using end-to-end encryption. Methods for doing so are outside the scope of this proposal.

7. IANA Considerations

This document requires no interaction with the Internet Assigned Numbers Authority (IANA) [8].

8. XMPP Registrar Considerations

8.1 Protocol Namespaces

The XMPP Registrar [9] includes "http://jabber.org/protocol/http-auth" in its registry of protocol namespaces.

9. XML Schema

<?xml version='1.0' encoding='UTF-8'?>

<xs:schema
    xmlns:xs='http://www.w3.org/2001/XMLSchema'
    targetNamespace='http://jabber.org/protocol/http-auth'
    xmlns='http://jabber.org/protocol/http-auth'
    elementFormDefault='qualified'>

  <xs:annotation>
    <xs:documentation>
      The protocol documented by this schema is defined in
      XEP-0070: http://www.xmpp.org/extensions/xep-0070.html
    </xs:documentation>
  </xs:annotation>

  <xs:element name='confirm'>
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base='empty'>
          <xs:attribute name='id' use='required' type='xs:string'/>
          <xs:attribute name='method' use='required' type='xs:NCName'/>
          <xs:attribute name='url' use='required' type='xs:anyURI'/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>

  <xs:simpleType name='empty'>
    <xs:restriction base='xs:string'>
      <xs:enumeration value=''/>
    </xs:restriction>
  </xs:simpleType>

</xs:schema>

Appendices

Appendix A: Document Information

Series
XEP
Number
0070
Publisher
XMPP Standards Foundation
Status
Draft
Type
Standards Track
Version
1.0.1
Last Updated
2016-12-09
Approving Body
XMPP Council
Dependencies
XMPP Core, RFC 2616, RFC 2617, XEP-0030
Supersedes
None
Superseded By
None
Short Name
http-auth
Schema
<http://www.xmpp.org/schemas/http-auth.xsd>
Source Control
HTML

This document in other formats: XML  PDF

Appendix B: Author Information

Matthew Miller
Email
linuxwolf@outer-planes.net
JabberID
linuxwolf@outer-planes.net
Joe Hildebrand
Email
jhildebr@cisco.com
JabberID
hildjj@jabber.org
Dave Smith
Email
dizzyd@jabber.org
JabberID
dizzyd@jabber.org
Peter Saint-Andre
Email
xsf@stpeter.im
JabberID
peter@jabber.org
URI
http://stpeter.im/

Copyright

This XMPP Extension Protocol is copyright © 1999 – 2020 by the XMPP Standards Foundation (XSF).

Permissions

Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.

Disclaimer of Warranty

## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. ##

Limitation of Liability

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.

IPR Conformance

This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which can be found at <https://xmpp.org/about/xsf/ipr-policy> or obtained by writing to XMPP Standards Foundation, P.O. Box 787, Parker, CO 80134 USA).

Visual Presentation

The HTML representation (you are looking at) is maintained by the XSF. It is based on the YAML CSS Framework, which is licensed under the terms of the CC-BY-SA 2.0 license.

Appendix D: Relation to XMPP

The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 6120) and XMPP IM (RFC 6121) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.

Appendix E: Discussion Venue

The primary venue for discussion of XMPP Extension Protocols is the <standards@xmpp.org> discussion list.

Discussion on other xmpp.org discussion lists might also be appropriate; see <http://xmpp.org/about/discuss.shtml> for a complete list.

Given that this XMPP Extension Protocol normatively references IETF technologies, discussion on the <xsf-ietf@xmpp.org> list might also be appropriate.

Errata can be sent to <editor@xmpp.org>.

Appendix F: Requirements Conformance

The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".

Appendix G: Notes

1. RFC 2616: Hypertext Transport Protocol -- HTTP/1.1 <http://tools.ietf.org/html/rfc2616>.

2. RFC 2617: HTTP Authentication: Basic and Digest Access Authentication <http://tools.ietf.org/html/rfc2617>.

3. RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/rfc6120>.

4. XEP-0066: Out of Band Data <https://xmpp.org/extensions/xep-0066.html>.

5. RFC 3986: Uniform Resource Identifiers (URI): Generic Syntax <http://tools.ietf.org/html/rfc3986>.

6. RFC 4648: The Base16, Base32, and Base64 Data Encodings <http://tools.ietf.org/html/rfc4648>.

7. RFC 2817: Upgrading to TLS Within HTTP/1.1 <http://tools.ietf.org/html/rfc2817>.

8. The Internet Assigned Numbers Authority (IANA) is the central coordinator for the assignment of unique parameter values for Internet protocols, such as port numbers and URI schemes. For further information, see <http://www.iana.org/>.

9. The XMPP Registrar maintains a list of reserved protocol namespaces as well as registries of parameters used in the context of XMPP extension protocols approved by the XMPP Standards Foundation. For further information, see <https://xmpp.org/registrar/>.

Appendix H: Revision History

Note: Older versions of this specification might be available at http://xmpp.org/extensions/attic/

  1. Version 1.0.1 (2016-12-09)
    Mention a plaintext fallback.
    mp (XEP Editor: ssw)
  2. Version 1.0 (2005-12-14)
    Per a vote of the Jabber Council, advanced status to Draft.
    psa
  3. Version 0.10 (2005-12-01)
    Corrected several errors in the text.
    psa
  4. Version 0.9 (2005-11-09)
    Changed use of transaction identifier from SHOULD to MUST; removed x-xmpp-auth scheme; clarified requirements, business rules, and confirm element syntax; added several more examples; more clearly specified how HTTP server communicates with XMPP server; updated schema and security considerations.
    psa
  5. Version 0.8 (2005-10-19)
    Changed use of transaction identifier from MAY to SHOULD; updated and clarified security considerations.
    psa
  6. Version 0.7 (2005-10-11)
    Added more HTTP examples to illustrate process flow; updated IANA considerations and security considerations.
    psa
  7. Version 0.6 (2005-07-21)
    Updated references; clarified several points in the text; rewrote introduction.
    psa
  8. Version 0.5 (2004-04-27)
    Added optional id attribute in order to track requests, described in new implementation note.
    psa
  9. Version 0.4 (2004-01-14)
    Incorporated results of IRL and IM discussions: simplified the flow; added x-xmpp-auth authentication scheme.
    psa/dss/jh
  10. Version 0.3 (2003-06-27)
    Removed hashing requirements; added/clarified JID fields in HTTP headers; added XML Schema; added XMPP error conditions; added more descriptions for confirm and accept tokens; fixed discrepancies in examples.
    lw
  11. Version 0.2 (2003-06-26)
    Updated to reflect feedback received (moved to using standard HTTP authentication headers; included token-authority JID in HTTP header; removed example involving deprecated protocol).
    lw
  12. Version 0.1 (2003-01-31)
    Initial draft.
    lw

END