
Slide 1: Topics in Modern Internet Application Development: REST Continued, A Little Security, SaaS, Some DB
Dr. Donald F. Ferguson, Donald.Ferguson@software.dell.com
© Donald F. Ferguson, 2014. All rights reserved.

Modern Internet App Development – Lecture 6: REST Continued, A Little Security, SaaS, Some DB
Slide 2: Agenda

Slide 3: Agenda
Questions, discussions on assignments.
Follow-on topics from last week
–Security concepts
–Replay attacks
–Security basics: message hash, signature, keys
–Stateless and sessions
Future assignments
–Overview
–Next steps
Publish/subscribe; notification
Multi-tenancy introduction
Two new database models and their use
We will likely end early. I think I am presenting concepts faster than you can absorb/implement. I want to introduce concepts to show where we are going, understand why we are doing things, give you a chance to pre-read if you want, follow up with detail in subsequent lectures, and free up some time for ad hoc reviews/discussion.

Slide 4: Questions
Discussion on assignment?

Slide 5: Follow Up from Last Week

Slide 6: One Perspective on Security Topics
Alice is sending a message over a network to Bob. Eve is malicious and is watching the communication channel. Mallory can see and inject messages.
Alice and Bob care about:
1. Authentication of messages
2. Integrity of messages
3. Privacy of messages
Additionally, someone processing messages may care about:
1. Authorization
2. Non-repudiation
3. Audit

Slide 7: HTTP(S)/TLS Solve the Problem?

Slide 8: Some Issues
Eve can see the encrypted messages but cannot extract information, e.g. user ID/password, account numbers, … -> privacy.
Bob and Alice still need some form of shared secret, e.g. UID/password or API keys, for authentication.
–Alice knows the UID and password.
–Bob knows the UID and the password hash.
Eve can, however,
–change and corrupt the message -> no integrity;
–capture and replay a message. The message could be the logon message.
Remember, securing the pipe with HTTPS/TLS
–is based on Bob's certificate, which is public;
–Alice may not have a certificate;
–Eve resending a logon message allows Eve to become Alice.
Alice may naturally move between IP addresses, e.g. at home versus at work versus mobile phone.

Slide 9: Some Additional Issues: "Layered Systems"
The HTTP(S) connection may not be fully end-to-end, e.g.
–Firewalls
–Proxies
The messages may flow through a value-added intermediary, e.g.
–Message queue
–Notification service

Slide 10: Secure the Message
[Diagram: the message is Header + Data; a Hash computed over Header + Data is sent alongside them.]
Alice
–Computes a message hash using a known algorithm, e.g. MD5
–Encrypts the message hash with the shared secret, e.g. API secret key
Bob
–Decrypts the transmitted message hash with the shared secret
–Computes the overall message hash using the known algorithm
–The hash comparison will fail if Eve changed the message -> integrity
–Bob and Alice agreed on what Alice would hash, and Alice encrypted the information with a secret Eve does not know -> authentication
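A worked version of slides 8 and 10, added here as an example and not part of the lecture: the slide's "encrypt an MD5 hash with the shared secret" is replaced by an HMAC-SHA256 over a canonical string that Alice and Bob agree on in advance (the way AWS-style request signing works), and a timestamp plus a nonce are covered by the signature so that Bob can reject the captured-and-replayed logon message from slide 8. The secret, the five-minute window and the in-memory nonce store are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the example. Alice (the API client) holds it
# and Bob (the service) looks it up by the API key ID; it never travels.
SHARED_SECRET = b"constructed-example-secret"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays valid (assumed window)


def canonical_string(method, path, body, timestamp, nonce):
    """Exactly what Alice and Bob agreed to hash. Timestamp and nonce are
    covered, so Eve cannot change them without breaking the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(timestamp), nonce]).encode()


def sign_request(method, path, body, timestamp=None, nonce=None):
    """Alice's side: returns the headers to attach to the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce)
    sig = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Bob's side. `now` is injectable so the window check is testable."""

    def __init__(self, now=time.time):
        self.now = now
        self.seen_nonces = {}  # nonce -> timestamp (constructed in-memory store)

    def verify(self, method, path, body, headers):
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing or malformed auth headers"
        if abs(self.now() - ts) > MAX_CLOCK_SKEW:
            return "timestamp outside window"   # old capture replayed later
        if nonce in self.seen_nonces:
            return "nonce already used"          # replay inside the window
        expected = hmac.new(SHARED_SECRET,
                            canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return "bad signature"               # tampered, or not from Alice
        self.seen_nonces[nonce] = ts             # only valid requests burn a nonce
        # Forget nonces older than the window; the timestamp check rejects
        # those anyway, so the store stays bounded.
        cutoff = self.now() - MAX_CLOCK_SKEW
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}
        return "ok"
```

Eve, who can read the headers but not the secret, can neither forge a signature for a changed body nor resend the captured request once Bob has seen its nonce or its timestamp has aged out.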

Slide 11: Danger
Remember when I said in the 1st lecture, "Don't Panic"? Well, now would be a good time to panic.
This explanation
–is a gross oversimplification!
–and is not a valid security solution!
The explanation clarifies some concepts that we discussed:
–AWS API key pairs
–Signing information in REST headers
–etc.
It provides initial insight into why some of the stuff is there.

Slide 12: Future Assignments

Slide 13: We Are Going to Build a Composite App
Evolve the simple CRM service
–Implementation using new functions, e.g. notification, workflow, rules/policy, new database types, reports, …
–"Portal" for on-the-glass integration of multiple sites
Use a SaaS, web-callable product, price, billing, … API
Build a very simple, multi-tenant web commerce application (catalog, cart, …)
[Diagram: CRM Service, Multi-Tenant Commerce Service, SaaS Account/Billing API, Cloud Infrastructure APIs (S3, SQS, OpenID, …)]

Slide 14: Representational State Transfer (REST)
People confuse
–various forms of RPC/messaging over HTTP
–with REST.
REST has six core tenets:
–Client/server
–Stateless
–Caching
–Uniform interface
–Layered system
–Code on demand

Slide 15: REST Tenets
Client/server (obvious)
Stateless is a bit confusing
–The server/service maintains resource state, e.g. Customer and Agent info.
–The conversation is stateless. The client provides all conversation state needed for an API invocation. For example,
–customerCursor.next(10) requires the server to remember the client's position in the iteration through the set.
–A stateless call is customerCollection.next("Bob", 10). Basically, the client passes the cursor position to the server.
Caching
–The web has significant caching (in browser, CDNs, …)
–The resource provider must
–consider caching policies in application design;
–explicitly set control fields to tell clients and intermediaries what to cache and when.
Motivation for the concepts of explicit/implicit cursors and pagination.

Slide 16: I Lied
Think about the commerce application
–There are going to be many, many message exchanges
–Browse
–Add to cart
–Remove from cart
–etc.
The commerce application needs to remember
–what has gone into the cart during this commerce session
–what I have searched for during this commerce session
–Don't ask me, "Are you interested in metric wrenches?" when I am shopping for textbooks, just because I looked for screwdrivers three years ago.
Technically,
–I could have the client store and provide all session information on every request
–but … this is fragile and complicated.
So, the application
–generates a session key/ID;
–the client requests always contain the session key, either in a cookie or in the URL (URL rewrite);
–maintains session state in a "database";
–invalidates the session key/ID when the client logs out or the session times out.
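The four steps at the end of slide 16 as one small server-side session store, added here as an example and not part of the lecture: a random session ID is generated, the client presents it in a cookie or as a `sid` URL parameter, cart and search state live on the server, and the ID stops working on logout or after an inactivity timeout. The cookie name `SESSIONID`, the 30-minute timeout and the in-memory dict standing in for the "database" are assumptions.

```python
import secrets
import time

SESSION_TIMEOUT = 1800  # seconds of inactivity before a session expires (assumed)


class SessionStore:
    """Server-side conversation state keyed by a session ID. The dict stands
    in for the "database" on the slide; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self._sessions = {}

    def create(self, user_id):
        # 32 random bytes: the ID is the only thing that ties a request to a
        # user, so it must be unguessable (never a counter or a user name).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "cart": [], "searches": [],
                               "last_seen": self.now()}
        return sid

    def get(self, sid):
        """Return the session dict, or None if unknown or timed out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > SESSION_TIMEOUT:
            del self._sessions[sid]        # timed out: same as never existed
            return None
        s["last_seen"] = self.now()       # sliding expiry on each use
        return s

    def invalidate(self, sid):
        """Logout: the ID stops working even if a copy of it leaks later."""
        return self._sessions.pop(sid, None) is not None


def session_id_from_request(cookies, query):
    """Clients send the ID in a cookie or, with URL rewriting, as ?sid=..."""
    return cookies.get("SESSIONID") or query.get("sid")


def add_to_cart(store, cookies, query, sku):
    """One request handler: resolve the session first, then act on it."""
    s = store.get(session_id_from_request(cookies, query))
    if s is None:
        return "login required"
    s["cart"].append(sku)
    return "added"
```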

Slide 17: Session and URL Rewrite

Slide 18: Class Implications
We are going to start building a simple commerce application.
This is a natural evolution/reapplication of what you have already done
–Customer info creation, deletion, etc.
–Searching for things in a database, just applied to new data (catalog entries)
–Creating things in a database, just applied to new data (shopping cart)
–Using headers in REST messages, just applied to session keys
But, you will apply some new concepts
–Creating/terminating sessions
–Using session-specific data to tailor the application
–Storing data not easily mapped to relational data models, e.g. product descriptions
[Diagram: Request Handler, business objects (BO), DB]
1. HTTP GET/POST/…
2. Parse and validate request
3. Retrieve session context/info
4. Select "business object.verb" based on GET/POST data and context info
5. Access/update DB through framework
6. Application logic
9. Send HTML response

Slide 19: New Topics

Slide 20: Publish/Subscribe and Notification

Slide 21: Amazon Web Services

Slide 22: Google Cloud Pub/Sub, https://cloud.google.com/pubsub/overview

Slide 23: Topic Trees
[Diagram: a topic tree with events e1 and e2 published under /sales]
Subscribe to /sales: you will see e1 and e2 if they match the filter.

Slide 24: RabbitMQ, https://www.rabbitmq.com/getstarted.html

Slide 25: RabbitMQ, https://www.rabbitmq.com/tutorials/tutorial-five-python.html

Slide 26: Class Implications
Install and set up RabbitMQ (or something similar)
–on a private machine, e.g. your desktop development systems
–or EC2, GCE or something similar
Define a topic schema and configure RabbitMQ, e.g.
–customer.name
–address.zipcode
Extend the CRM system
–Emit notifications (publish to RabbitMQ) for Create, Update, Delete of Customer
–Web pages allowing Agents to create subscriptions, e.g.
–"New customer in zipcode=12345"
–"Change in customer for agentID=898"
–and specify how the agent wants to be notified, e.g. email, SMS
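The subscription matching from slides 23 and 26 worked through in code, added here as an example and not part of the lecture: topic patterns follow the RabbitMQ topic-exchange rules from the linked tutorial five (`.`-separated words, `*` matches one word, `#` matches zero or more), and each subscription adds an attribute filter such as zipcode=12345 evaluated against the event payload. The routing keys `customer.create`/`customer.update`, the payload fields and the three subscriptions are constructed for the example.

```python
def topic_matches(pattern, routing_key):
    """RabbitMQ topic-exchange matching: words separated by '.', '*' matches
    exactly one word, '#' matches zero or more words."""
    return _match(pattern.split("."), routing_key.split("."))


def _match(pat, key):
    if not pat:
        return not key                       # both exhausted -> match
    if pat[0] == "#":
        # '#' may absorb any number of words, including none; try each split.
        return any(_match(pat[1:], key[i:]) for i in range(len(key) + 1))
    if not key:
        return False                         # pattern has words left, key does not
    if pat[0] in ("*", key[0]):
        return _match(pat[1:], key[1:])
    return False


def filter_matches(filters, payload):
    """A subscription's attribute filter, e.g. {"zipcode": "12345"}: every
    listed attribute must be present in the event payload and equal."""
    return all(payload.get(k) == v for k, v in filters.items())


def route(routing_key, payload, subscriptions):
    """Return (agent, notify method) for every subscription the event hits.
    An event is seen only if both the topic pattern and the filter match."""
    return [(s["agent"], s["notify"]) for s in subscriptions
            if topic_matches(s["topic"], routing_key)
            and filter_matches(s["filter"], payload)]


# Constructed subscriptions in the form slide 26 describes: a topic pattern,
# a filter, and how the agent wants to be notified.
SUBSCRIPTIONS = [
    {"agent": "A1", "topic": "customer.create", "filter": {"zipcode": "12345"}, "notify": "email"},
    {"agent": "A2", "topic": "customer.*", "filter": {"agentID": "898"}, "notify": "sms"},
    {"agent": "A3", "topic": "customer.#", "filter": {}, "notify": "email"},
]
```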

Slide 27: Current Assignment
[Diagram: Data Access Service (CustomerDS, AgentDS, ContactDS); Business Service / CRM Services (Customer Facade, Agent Facade); UI Controller and REST API; Web UI; Standalone App; Amazon SQS with an SQS Adaptor; figure labels V V V Q]
Controller may be on server or in browser (e.g. Angular).

Slide 28: "Next Assignment"
[Diagram: Data Access Service (CustomerDS, AgentDS, ContactDS); Business Service / CRM Services (Customer Facade, Agent Facade); REST API; "RabbitMQ"; Subscriptions; Notification Service; figure labels V V V]
Install and configure RabbitMQ.
Write a simple application that enables agents to CRUD subscriptions, specifying
–Topics
–Notify method
Listens for events on RabbitMQ and uses the AWS API to notify the agent using SNS or SES.
Modify the CRM app to automatically emit events for CUD of customer.

Slide 29: SaaS Multi-Tenancy Introduction

Slide 30: Some Terminology
Software as a service (SaaS) is
–a software licensing and delivery model
–in which software is licensed on a subscription basis
–and is centrally hosted.
Multitenancy refers to a principle in software architecture where
–a single instance of the software runs on a server, serving multiple tenants.
–A tenant is a group of users sharing the same view on the software they use.
–With a multitenant architecture, a software application is designed to provide every tenant a dedicated, private instance including
–data
–configuration
–user management
–tailored application logic
–SLAs and non-functional properties.
–Multitenancy contrasts with multi-instance architectures, where separate software instances operate on behalf of different tenants.

Slide 31: A Perspective on SaaS and Multi-Tenancy
The application must have special functionality to enable tenant-specific customization
–Branding: allowing each organization to customize the look-and-feel of the application to match their corporate branding.
–Workflow: accommodating differences in workflow to be used by a wide range of potential customers.
–Extensions to the data model: supporting an extensible data model to give customers the ability to customize the data elements managed by the application to meet their specific needs.
–Policies and rules
–Access control: letting each client organization independently customize access rights and restrictions for each user.
Two special applications that "manage" the actual application
–Business Support Service, e.g.
–Sign-up
–Add user
–Add feature
–Editor enabling certain roles to
–Add fields to the database
–Specify maximum number of allowed entries in a shopping cart
–Add a step to order approval workflows
–etc.

Slide 32: Step 1: Multi-Tenant Database
A customer logon associates a tenant ID with each session, e.g.
–Logging on as dff9@Columbia.edu
–associates tenantID=21 with the created session.
All data operations automatically "add" the tenant ID, e.g.
–Select * from customer where customerID=1234 is actually
–Select * from customer where customerID=1234 and tenantID=21
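The automatic "add the tenant ID" rule from slide 32 as a small data access layer over SQLite, added here as an example and not part of the lecture: the object is bound to the session's tenant at logon, appends `AND tenantID = ?` to every SELECT and UPDATE, and refuses tables that are not on its allow-list, so a handler cannot forget the scope and read another tenant's customer 1234. The table layout, the sample rows and the allow-list are constructed for the example.

```python
import sqlite3

# Tables the data access layer may touch; every one carries a tenantID column.
TENANT_TABLES = {"customer"}


class TenantScopedDB:
    """Data access layer bound to one session's tenant. Callers write only
    the business predicate; the tenant predicate is appended here, always."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id   # set once, at logon, from the session

    def _check(self, table):
        if table not in TENANT_TABLES:
            raise ValueError(f"table {table!r} is not tenant-scoped")

    def select(self, table, where, params=()):
        self._check(table)
        # The caller's predicate is wrapped in parentheses so an OR inside
        # it cannot escape the tenant condition.
        sql = f"SELECT * FROM {table} WHERE ({where}) AND tenantID = ?"
        return self.conn.execute(sql, (*params, self.tenant_id)).fetchall()

    def update(self, table, set_clause, where, params=()):
        """params holds the SET values first, then the WHERE values."""
        self._check(table)
        sql = f"UPDATE {table} SET {set_clause} WHERE ({where}) AND tenantID = ?"
        return self.conn.execute(sql, (*params, self.tenant_id)).rowcount


def make_demo_db():
    """Constructed data: the same customerID exists for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customerID INTEGER, tenantID INTEGER, "
                 "name TEXT, PRIMARY KEY (customerID, tenantID))")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                     [(1234, 21, "Ferguson (tenant 21)"),
                      (1234, 22, "Other Corp (tenant 22)")])
    return conn


def customer_names(db, customer_id):
    """The slide's query, written the way application code writes it."""
    return [row[2] for row in db.select("customer", "customerID = ?", (customer_id,))]
```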

Slide 33: Some New Data Models

Slide 34: Query Results
{author, "Ferguson"}
{includes, {paper, {author, "Ferguson"}}}
{references, {book, {author, "Ferguson"}}}

Slide 35: Data and Rendering
Two different renderings of the same underlying document.

Slide 36: Content Management System: Some Terminology
A content management system (CMS) is a computer application that
–allows publishing, editing and modifying content, organizing, deleting, as well as maintenance from a central interface.
–Such systems of content management provide procedures to manage workflow in a collaborative environment.
A web content management system is a bundled or stand-alone application
–to create, deploy, manage and store content on Web pages.
–Content includes text and embedded graphics, photos, video, audio, …
–Content includes code that displays content in a specific way.
–A Web CMS may catalog and index content, select or assemble content at runtime, or deliver content to specific visitors in a requested way, such as in other languages.

Slide 37: CMS Data Model

Slide 38: Why Don't I Just Use …
A relational database? RDBs do not handle
–dynamic taxonomies/folders particularly well;
–relatively free-form tagging and query of items.
–You can realize the model in relational, but you have to write a specific schema.
–Your code is awkward and you write "framework," which is a CMS.
A file system?
–File systems do not handle arbitrary metadata well. I want to find documents with author="Ferguson" not containing the text "Ferguson."
–I want to publish or roll back all changes made by Bob in the last 24 hours.
–Jim must approve all contributions of type "Press Release."
MongoDB?
–Handles hierarchical and dynamic tags well.
–Not great for images, audio, …
–Would still need some framework code.

Slide 39: Apache Jackrabbit

Slide 40: The Simple Commerce Application Needs a CMS
Product classification, e.g.
–Classification I: Books, Magazines, Videos
–Classification II: Sports, Engineering, Business
Relatively freeform, queryable information
–Artist Type = {Author, Editor, Contributor, Reviewer, …}, Name = {…}
–Format = {eBook, paperback, audiobook, …}
Fragments of a rendering, e.g.
–Images
–Reviews
–Descriptive prose
–TOC
Various renderings, e.g.
–Summary in a search result
–Full information

Slide 41: Project Implications
Your commerce application will implement a simple CMS using Amazon S3
–Bucket per tenant
–A set of base document object elements, e.g.
–Image
–Description
–Review
–A logical classification of products, e.g.
–Publication
–eBook
–Movie
–Compound product descriptions that contain a set of base elements, e.g.
–Image
–Description
–Authors

Slide 42: Amazon S3

Slide 43: The Assignment
You do not need to write code (yet).
You are doing a logical data model
–What buckets do you have?
–What is the folder structure in the buckets?
–What are the base content types?
–What are the composite content types?
–What is the defined metadata type for each content type?
–What are some sample renderings?
Pilot and manually set up in S3
–with sample data
–using the web UI.

