Data and Middle Tier in an E2E
Bart Vande Ghinste, Developer Consultant
Agenda
• Architectural Overview
• Transactions
• Authentication and Authorization
• Data Access
• Exception Handling
Architectural Overview
[Diagram: browser, admin and reporter clients → Presentation tier (ASP.NET UI (aspx), Windows Service, WS Façade (asmx)) → Business tier (WS Façade or ES Façade in front of BizServices) → Data tier (DAL in front of stored procedures)]
Architectural Overview: System Architecture, Solution Structure, Application Architecture (Football247.net)
• System Architecture: User Tier | Firewall | Business Tier | Firewall | Data Tier (SQL)
• Solution Structure:
  Football247.Presentation: .Administrator, .Reporter, .WebSite, .WebControls, .WinControls, .Facades
  Football247.Business: .Facades, .Host, .Services
  Football247.Data: .DataAccess
  Football247.Common: .Core, .Datasets
Architectural Overview: Tasks By Layer
• Façade (Football247.Business.Facades), facing the client: Authentication, Authorization, Input Validation, Transactions
• Services (Football247.Business.Services): Business Rules, Business Flow, Business Validation, Transformations
• DAL (Football247.Data.DataAccessors): Data Source Abstraction, Data Validation, Input Validation
Business Facade Tasks
• Isolating Client From Business Tier: controlled business environment
• Simplifying Client Programming: one role equals one Business Façade
• Input Validation: first barrier the client will hit
• Authorization: programmatic or declarative
• Boundary Transformations between Tiers: for instance from ApplicationException to SoapException to ApplicationException
• Transactional Control: root of transactions, declarative
Facades Using Web Services
Advantages
• Method Based Transactional Control
• No COM+ Catalog Registration Required
• Standardized Protocols (SOAP, HTTP, XML, DISCO, UDDI)
• Possibility to call it in process
Disadvantages
• Limited access to Enterprise Services
• No external configuration mechanism for transaction attributes
• Slower than Serviced Components: about 8 - 15 % on average, depending on scenario
• Tier Boundary Transformations
• Limited hosting options
Facades Using Serviced Components
Advantages
• Faster, but still depending on scenario
• Runtime Configurable in COM+ Explorer
• Full Access to all COM+ Enterprise Services
• Wide range of supported protocols and formats: tcp + binary, http + SOAP, DCOM
Disadvantages
• Only Class Level Transaction Control
• Needs to be signed, including all dependencies
• Versioning
• COM+ Catalog Registration Required
Façade Factory Pattern: Web Services and Serviced Components
[Diagram: Client → Factory (configured from App.Config) → Adapter → WS-Façade or SC-Façade → Business Services. Adapter tasks: Input Validation, Message Formatting, Caching Credentials, Exception Transformations]
Service Responsibilities
• Business Flow
• Business Rules: improves reuse
• Business Rule Validation
• Data Transformations: XML and XSLT, generic code
• Data Access Delegation: Factory Pattern
• Transactional Control: a bubbling exception causes abort
• Authentication and Authorization: programmatic or declarative
• Not Necessary: Serviced Components (thread bound context)
Data Tier Responsibilities
• Providing Data Source Abstraction: SQL Server, OleDB Data Source, Oracle, ODBC
• Data Validation: SQL Injection, Data Constraints
• Optimizing data access
• Not Necessary: Serviced Components (thread bound context)
Handling Transactions
[Diagram: Client message → Business Façade (WS or SC class, the transaction root: [AutoComplete] [Transaction(TransactionOption.Required)]) → Services class → DAL classes; the transaction context (TX Context) flows from the façade through the services into the DAL]
Handling Transactions
• Handled by the Business Façade: root of transaction
  Method level with Web Services, class level with Serviced Components
• Uses Enterprise Services Infrastructure: declarative
  WebMethod attribute with Web Services, Transaction attribute with Serviced Components, AutoComplete attribute

    [AutoComplete]
    [WebMethod(TransactionOption = TransactionOption.Required)]
    public void UpdateGames(GameData gameData)
    {
        // delegate to the business service
        new GameServices().UpdateGames(gameData);
    }
Authentication and Authorization Options
Authentication
• Windows Authentication: Basic, Digest, Integrated (NTLM or Kerberos), Certificates, Anonymous
• Passport Authentication
• Forms Authentication
• Custom Authentication
Authorization
• URL Authorization
• File Authorization
• Principal Permissions
• .NET Roles
Custom Authentication
[Diagram: Client sends a SOAP message (header with credentials, body) → IIS → Custom HttpModule raises an event → Global.asax OnCustomEvent calls the AuthenticationFaçade to authenticate, caching the result in the ASP.NET Cache (a cached call skips authentication) → Context.User = CustomPrincipal → the call reaches the BusinessFaçade]
Custom Authentication
1. Create a custom SOAP header: derive from the SoapHeader type; it contains the encrypted authentication data.
2. Create a custom HttpModule: implement IHttpModule; implement the Init method and register events; register the module in web.config and give it a friendly module name.
3. Handle the custom authentication event in Global.asax: FriendlyModuleName_EventName(appropriate event argument signature); check the cache to see if the caller is already authenticated; authenticate using the credentials; create a custom principal; assign the principal to Context.User.
4. Use the SoapHeader attribute on the web methods.
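Steps 2 and 3 above, as an added example that is not code from the deck or from the Football247 project. It assumes the module is registered in web.config as name="CustomAuthentication", that the client's SoapHeader subclass (step 1) serializes its data as an element named EncryptedCredentials, and that the single token comparison stands in for the AuthenticationFaçade's real credential check (constructed data, hypothetical names).

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Xml;

// Step 2: the module only raises an event per request; Global.asax decides how to authenticate.
public class CustomAuthenticationModule : IHttpModule
{
    public event EventHandler Authenticate;
    public void Init(HttpApplication app) { app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest); }
    private void OnAuthenticateRequest(object sender, EventArgs e) { if (Authenticate != null) Authenticate(sender, e); }
    public void Dispose() { }
}

// Step 3: Global.asax handler, named FriendlyModuleName_EventName so ASP.NET wires it to the module's event.
public class Global : HttpApplication
{
    protected void CustomAuthentication_Authenticate(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string token = ReadCredentialsToken(app.Request);
        if (token == null) return;                                      // no header: request stays anonymous

        IPrincipal principal = app.Context.Cache[token] as IPrincipal;   // cache hit: already authenticated
        if (principal == null)
        {
            // Constructed stand-in for the AuthenticationFaçade: one known token, one reporter account.
            if (token != "tok-reporter-1") return;                      // unknown credentials: no principal set
            principal = new GenericPrincipal(new GenericIdentity("alice", "Custom"), new string[] { "Reporter" });
            app.Context.Cache.Insert(token, principal, null, DateTime.Now.AddMinutes(20), Cache.NoSlidingExpiration);
        }
        app.Context.User = principal;
    }

    // Pull the header value out of the SOAP envelope; ASMX parses the body again later, so rewind the stream.
    private static string ReadCredentialsToken(HttpRequest request)
    {
        if (request.ContentLength == 0 || request.ContentType == null || request.ContentType.IndexOf("xml") < 0) return null;
        XmlDocument envelope = new XmlDocument();
        envelope.Load(request.InputStream);
        request.InputStream.Position = 0;
        XmlNamespaceManager ns = new XmlNamespaceManager(envelope.NameTable);
        ns.AddNamespace("soap", "http://schemas.xmlsoap.org/soap/envelope/");
        XmlNode node = envelope.SelectSingleNode("/soap:Envelope/soap:Header//*[local-name()='EncryptedCredentials']", ns);
        return node == null ? null : node.InnerText;
    }
}
```

Because the cached principal is keyed by the token, the cache entry's lifetime is effectively the session lifetime; keep it short and remove the entry when the user's roles change.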
Handling Data with Data Access Blocks
• Contain optimized data access code
• Contain best practices for performance and resource management
• Reduce the amount of custom code: do not reinvent the wheel
• Data Access Blocks make it easier to call stored procedures or SQL text commands, specify parameter details, and access DataReader, DataSet or XmlReader objects
• Examples: Microsoft Data Access Building Block for .NET; SundBlad Data Access Block (property based)
Handling Data with DataAccessors
1. Create stored procedures implementing CRUD
2. Auto-generate typed datasets with VS.NET from the stored procedures
3. Specify that it is a stored procedure (CmdType)
4. Specify the stored procedure to use (SelectString, InsertString, UpdateString, DeleteString)
5. Map input or output parameters (identity rows)
6. Apply table mappings if needed
7. Execute the command
8. Return the result, if any
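The eight steps above carried out in plain ADO.NET, as an added example that is not the Football247 DataAccessor. The stored procedure names (Teams_SelectByName, Teams_Insert), the parameter names and the column size are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the Football247 DataAccessor; stored procedure and parameter names are assumed.
public class TeamDataAccessor
{
    private readonly string connectionString;
    public TeamDataAccessor(string connectionString) { this.connectionString = connectionString; }

    // Steps 3-4, 6-8: CmdType = stored procedure, SelectString = Teams_SelectByName, the result
    // mapped onto the typed dataset's "Teams" table, execute, return.
    public DataSet SelectByName(string teamName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlDataAdapter adapter = new SqlDataAdapter("Teams_SelectByName", conn))
        {
            adapter.SelectCommand.CommandType = CommandType.StoredProcedure;
            adapter.SelectCommand.Parameters.Add("@TeamName", SqlDbType.NVarChar, 50).Value = teamName;
            adapter.TableMappings.Add("Table", "Teams");   // "Table" is the adapter's default source name
            DataSet result = new DataSet();
            adapter.Fill(result);
            return result;
        }
    }

    // Steps 3-5, 7-8: InsertString = Teams_Insert; the identity generated inside the procedure
    // (assumed to do SET @TeamID = SCOPE_IDENTITY()) comes back through an output parameter.
    public int Insert(string teamName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("Teams_Insert", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@TeamName", SqlDbType.NVarChar, 50).Value = teamName;
            SqlParameter id = cmd.Parameters.Add("@TeamID", SqlDbType.Int);
            id.Direction = ParameterDirection.Output;
            conn.Open();
            cmd.ExecuteNonQuery();
            return (int)id.Value;
        }
    }
}
```

A value longer than the declared parameter size is truncated by the provider rather than rejected, so the façade's input validation should enforce the length before the call reaches the DAL.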
Typed Datasets
Advantages
• Design-Time Type Checking
• Great Data Binding support in VS.NET
• Relational or XML model
• Intellisense
Disadvantages
• No support in Compact Framework
• Extra code generated, hence increased assembly size (Smart Clients)
• Some creation overhead (8 – 10%)
• Tightly Coupled
• Versioning
Securing The Connection String
• Traditional: stored in web.config or machine.config
  Not secure: plain text
  HttpForbiddenHandler prevents download
  Exposed to everyone who needs access to change the configuration files
• Use correct ACLs: System: Full Control; Administrators: Full Control; Others: Read
• Remove unwanted HttpModules

    <configuration>
      <appSettings>
        <add key="DataConnection" value="user id=somename;password=somepwd" />
      </appSettings>
    </configuration>
Securing The Connection String
• Stored in web.config or machine.config using a custom file
  No <configuration> tag in the custom file
  Separate ACL for the file: only the required users can access it

    web.config:
    <configuration>
      <appSettings file="custom.config" />
    </configuration>

    custom.config:
    <appSettings>
      <add key="DataConnection" value="user id=somename;password=somepwd" />
    </appSettings>
Securing The Connection String
• Encrypted using the Data Protection API (DPAPI): CryptProtectData and CryptUnprotectData
  Fewer privileges needed than with the Local Security Authority (LSA)
  Fewer resources needed than with LSA
• Machine Store versus User Store
  Machine Store is machine bound
  User Store requires loading the user profile

    <configuration>
      <appSettings>
        <add key="DataConnection" value="AQAAHoAwE/Cl+sBAAAABcqc/xCi3" />
      </appSettings>
    </configuration>
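The DPAPI variant in managed code, as an added example that is not from the deck. It uses ProtectedData (System.Security.dll, .NET 2.0 and later), the managed wrapper over CryptProtectData/CryptUnprotectData; LocalMachine scope is the deck's machine store, CurrentUser the user store. The appSettings key is the deck's DataConnection; the optional-entropy string is an assumption of this example.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

// Added example. Protect() is run once by a setup tool to produce the base64 value written into
// <appSettings>; GetDataConnection() is what the DAL calls at run time.
public static class ConnectionStringProtector
{
    // Optional entropy (assumed value): a second secret mixed into the DPAPI key, so that another
    // process on the same machine that can call CryptUnprotectData still needs this value.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("Football247.DataConnection");

    public static string Protect(string connectionString)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(connectionString), Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string base64Cipher)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(base64Cipher), Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    // The plaintext connection string exists only in memory; the config file holds the ciphertext.
    public static string GetDataConnection()
    {
        string encrypted = ConfigurationManager.AppSettings["DataConnection"];
        if (encrypted == null) throw new ConfigurationErrorsException("DataConnection setting is missing");
        return Unprotect(encrypted);
    }
}
```

The ciphertext is bound to the machine's DPAPI master key, so it has to be generated on the machine (and, for CurrentUser scope, under the account) that will decrypt it.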
Role Based Connection String
• Each role has its own connection string to use
• Advantages: auditing, securing stored procedures
• Disadvantages: more resources needed

    If Thread.CurrentPrincipal.IsInRole("Browser") Then
        ' get the Browser role connection string
        Dim name As String = "BrowserConnectionString"
        ConnString = Configuration.ConfigurationSettings.AppSettings.Get(name)
    ElseIf Thread.CurrentPrincipal.IsInRole("Reporter") Then
        …
    End If
SQL Injection Attacks
Problem when using user input in SQL queries:

    SELECT TeamID, TeamName FROM Teams WHERE TeamName = 'User Input'
  +
    ' ; INSERT INTO Users (UserID, Name) VALUES (0,'MyName') -
  =
    SELECT TeamID, TeamName FROM Teams WHERE TeamName = '' ; INSERT INTO Users (UserID, Name) VALUES (0,'MyName') -

Solution
• Use the Parameter Collection when building SQL statements
• Use the Parameter Collection when calling a stored procedure
• Filter user input for SQL characters
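The Teams query above in its vulnerable and parameterized forms, as an added example that is not from the deck. The third bullet is shown as a whitelist of the expected shape of a team name rather than a blacklist of SQL characters, since rejecting everything but the expected input is the more robust filter; the pattern and the 50-character limit are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the deck; illustrates the Teams query on the slide.
public class TeamQueries
{
    // Before: the user's text becomes part of the statement. Given the slide's input this returns the
    // slide's result: the quote closes the literal and what follows is executed as SQL.
    public static string VulnerableSelectText(string userInput)
    {
        return "SELECT TeamID, TeamName FROM Teams WHERE TeamName = '" + userInput + "'";
    }

    // After: the statement text never changes; the value travels in the Parameters collection, and a
    // quote or semicolon inside it is just data in an nvarchar(50) parameter.
    public static SqlCommand SafeSelect(SqlConnection conn, string userInput)
    {
        SqlCommand cmd = new SqlCommand("SELECT TeamID, TeamName FROM Teams WHERE TeamName = @TeamName", conn);
        cmd.Parameters.Add("@TeamName", SqlDbType.NVarChar, 50).Value = userInput;
        return cmd;
    }

    // Third bullet, as a whitelist applied at the façade (the "first barrier the client will hit"):
    // letters, digits, spaces and dots, 1 to 50 characters. Assumed shape; it complements the
    // parameters above, it does not replace them.
    private static readonly Regex TeamNamePattern = new Regex(@"^[\p{L}\p{Nd} .]{1,50}$");

    public static bool IsValidTeamName(string userInput)
    {
        return userInput != null && TeamNamePattern.IsMatch(userInput);
    }
}
```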
Exception Handling
• Common Application Exception: improves consistency; implement ISerializable for remoting when custom fields are added
• Microsoft Exception Management Block: exception isolation, minimum amount of code needed, extensible framework, several supported data sources
• Handling SoapExceptions
  Business Facade: serialize the exception, store it in the Message property
  Adapter: deserialize the exception, throw the exception
Resources
• http://www.football247.net
• Microsoft Data Access Block: http://msdn.microsoft.com/library/en-us/dnbda/html/daab-rm.asp
• Microsoft Exception Management Block: http://msdn.microsoft.com/library/en-us/dnbda/html/emab-rm.asp
• Football247.Net Workspace on http://www.gotdotnet.com