April 23, 2012

Only JS

The ability to develop applications using only JavaScript is an interesting development. Even though in certain areas the performance of an interpreted language, or the exposure of business logic, can prevent you from placing everything that is central to an application on the client side, there are many systems being built on top of JavaScript that are worth mentioning.

One is, of course, the node.js server-side framework, which lets you write the server in JavaScript and also has a package system, npm, similar to that of a Linux distribution.

Even more interesting are JavaScript libraries that include persistence and enable it on a cloud service; see for instance persistencejs, which lets you work with ORM-style data queries both in the browser and on the server.

Even more relevant is perhaps Racer, which is one of the few libraries to truly realise the goal of running the same code on clients and servers. Another alternative to look into is batman.js, which might be of interest just because you can use that name in a web application.

Finally, the last step is to go into something like Firebase, which may completely eliminate the database and web server for you and let you write web applications entirely in client-side code. Of course, it runs off a cloud storage server that will cost you money, or you can run Node.js on a server instead, but the code in your application is independent of the server. "Firebase lets you create fully interactive apps with just HTML and JavaScript. No servers or server code required."

April 11, 2012

The point of MVC

Most frameworks use some form of the MVC design pattern, as do many other GUI development APIs. The point of the pattern is to support development by adding structure that simplifies developing models independently of views, and makes it simpler to develop multiple views over the same data models.

An important aspect of using a design pattern like this is, naturally, also an increased ability to divide work among team members, so that they can work together with less coordination. Software development in the "real world" is often a large group activity and needs structure that simplifies coordination.

Another very important factor of the MVC pattern and other design principles in larger-scale development, one that may not be immediately obvious, is the ability to support automated testing by separating function from views. Being able to write test software for key functions such as data extraction, and also for the generation of views, lets software development projects use unit testing systems. Views and user interfaces get in the way of the test process, so isolating those parts is good from a test perspective.

April 06, 2012

Role security in ASP.NET MVC

An interesting post here describes how to do role-based security in an ASP.NET MVC 4 project. Security here comes down to protecting two things:
  • Minimizing the risk of forgetting to assign security restrictions to controller actions
  • Ensuring that security survives the open communication of sessions between client and server over the network
I usually consider it relevant to isolate the security assignment from the application code. In many systems, like the ASP.NET MVC 4 example described in the article, and in others like Spring and other Java frameworks and also in PHP, role access is assigned in the code as an annotation. The point of this is that role requirements are specified right next to the action, instead of in a web configuration file that maps URLs to controller calls, ensuring a single point of specification (many different URLs may lead to the same controller action).

The problem with this close coupling between role requirements and actions is the risk of not assigning roles, or assigning the wrong roles, by individuals who implement the action but are not in charge of defining security roles, or who do not even know who should have access to which actions. For larger-scale work the separation of code and security assignment should perhaps be greater.
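To make the two concerns above concrete, here is an added JavaScript example (not code from the post or from the ASP.NET article it discusses) of the "separate the security assignment from the action code" approach: a single policy table maps action names to allowed roles, actions themselves say nothing about roles, dispatch denies by default, and a startup check lists any action that was left without a policy entry so the deployment can refuse to start. All action names, roles and users are constructed for illustration.

```javascript
// Added example, not from the original post. Route/role/user names are
// constructed; there is no web framework here, just the decision logic.

// Central policy: action name -> roles allowed. Kept apart from the
// action code so whoever owns security can review it in one place.
const policy = {
  "orders.list":   ["customer", "clerk", "admin"],
  "orders.cancel": ["clerk", "admin"],
  "users.delete":  ["admin"],
  "health.ping":   ["*"],                    // explicitly public
};

// Actions are plain functions and never mention roles.
const actions = {
  "orders.list":    (user) => `orders for ${user.name}`,
  "orders.cancel":  (user) => `cancelled by ${user.name}`,
  "users.delete":   (user) => `deleted by ${user.name}`,
  "health.ping":    () => "ok",
  "reports.export": (user) => `report for ${user.name}`, // no policy entry
};

// Startup check for the "forgot to assign a restriction" failure mode:
// returns every action that has no policy entry (should be empty).
function findUnprotectedActions(acts, pol) {
  return Object.keys(acts).filter((name) => !(name in pol));
}

// Authorization decision. Deny by default: a missing entry is a denial,
// and only an explicit "*" makes an action public.
function isAllowed(user, actionName, pol) {
  const roles = pol[actionName];
  if (!roles) return false;
  if (roles.includes("*")) return true;
  const userRoles = (user && user.roles) || [];
  return userRoles.some((r) => roles.includes(r));
}

// Dispatch: resolve the action, consult the policy, then run it.
// Status codes mirror what an HTTP layer would return.
function dispatch(user, actionName, acts = actions, pol = policy) {
  if (!(actionName in acts)) return { status: 404 };
  if (!isAllowed(user, actionName, pol)) return { status: 403 };
  return { status: 200, body: acts[actionName](user) };
}

// Constructed sample identities (what a session would carry).
const alice = { name: "alice", roles: ["customer"] };
const bob   = { name: "bob",   roles: ["clerk"] };

// Stand-alone run: report the gap, then a few decisions.
console.log("unprotected:", findUnprotectedActions(actions, policy));
console.log(dispatch(alice, "orders.cancel").status, dispatch(bob, "orders.cancel").status);
```

The startup check is the part that addresses the first bullet: if someone adds `reports.export` without a policy entry, the gap is reported before any request is served, and even if it were served, the deny-by-default lookup returns 403 rather than silently exposing the action.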

April 05, 2012

Data validation

Validation of data in forms and on the server side is principally a tricky thing. HTML provides us with more validation schemes for input fields, and systems like jQuery, through its jQuery Validation plugin, provide more validation functions and make it easier. The bottom line is this: how do you ensure that you validate correctly on both the client and the server side? Optimally you should define your validation in one place and reuse that validation method on the server and the client. Also, optimally, the validation definitions should be separate from your application code and be covered by unit tests to ensure that the validation is correct.

On the client side it is perhaps not critical, since validation there is in place to ensure that users enter correct data and understand what data to input. The speed with which feedback is given can help users understand forms and minimize the amount of instruction needed. HTML5 also easily provides you with more input types for standard data types such as e-mail addresses and phone numbers.

On the server side we validate to ensure that correct data is entered, but also to protect against attacks such as SQL injection. It is very easy to find yourself using regular expressions to define the validation. To make sure no corrupt data enters the system, many validation systems end up using regular expressions, which are easy to define by googling and copy/pasting but not easy to verify, and also difficult to protect from accidental change. It is not easy to verify that a regular expression has not been tampered with just by looking at it.

Isolating regular expressions in the code and writing test cases to validate them is central to protecting your service in the long term. These expressions could then be reused on the client side, which provides many good functions for doing the validation, but the validation rule needs to be protected from accidental change.
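The following is an added JavaScript example (not from the original post) of the arrangement described in this and the previous paragraphs: every validation rule lives in one module that can be loaded by both the browser and a Node.js server, each regular expression is stored next to its own must-accept and must-reject examples, and a self-test runs the rules against those examples. A copy/paste slip or an unnoticed edit to a pattern then shows up as a concrete failure instead of having to be spotted by reading the regex. Field names, patterns and sample values are constructed for illustration.

```javascript
// Added example, not from the original post. Rules and samples are constructed.
// Note: patterns must not carry the "g" flag; a global RegExp keeps
// lastIndex between calls to test() and would give alternating results.

const rules = {
  username: {
    pattern: /^[a-z][a-z0-9_]{2,15}$/,
    accept: ["alice", "bob_42", "ab1"],
    reject: ["", "Alice", "1abc", "a", "toolongusername_x", "bob 42"],
  },
  zip: {
    pattern: /^\d{5}(-\d{4})?$/,
    accept: ["12345", "12345-6789"],
    reject: ["1234", "123456", "12345-678", "abcde"],
  },
  year: {
    pattern: /^(19|20)\d{2}$/,
    accept: ["1999", "2012"],
    reject: ["99", "1899", "20123"],
  },
};

// Single entry point used by both client and server code.
// Unknown fields are an error rather than "valid": a typo in a field
// name must not silently skip validation.
function validate(field, value) {
  const rule = rules[field];
  if (!rule) throw new Error(`no validation rule for field "${field}"`);
  return typeof value === "string" && rule.pattern.test(value);
}

// Validate a whole submitted form; returns the names of failing fields.
function validateForm(form) {
  return Object.keys(form).filter((f) => !validate(f, form[f]));
}

// Self-test: run every rule against its own examples and return a list
// of human-readable failures. An empty list means the rules still behave
// as documented; run it from the unit tests and/or at server start-up.
function selfTest(ruleSet = rules) {
  const failures = [];
  for (const [name, rule] of Object.entries(ruleSet)) {
    for (const v of rule.accept) {
      if (!rule.pattern.test(v)) failures.push(`${name} should accept "${v}"`);
    }
    for (const v of rule.reject) {
      if (rule.pattern.test(v)) failures.push(`${name} should reject "${v}"`);
    }
  }
  return failures;
}

// Stand-alone run: self-check the rules, then validate one constructed form.
console.log("self-test failures:", selfTest());
console.log("failing fields:", validateForm({ username: "alice", zip: "1234", year: "2012" }));
```

Keeping the examples beside the pattern is what makes the "accidental change" case visible: if someone loosens the zip pattern to `/^\d{5}/` (dropping the end anchor), the stored reject samples `123456` and `12345-678` start matching and the self-test reports both, which is the signal the post says you cannot get by looking at the regex itself.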


April 04, 2012

Validating human users

Recaptcha is an interesting service for identifying human users that also provides the additional benefit of converting scanned text to digital form. Validating human users is highly relevant because bots roam the internet adding themselves to services. This is also a reason for using things like Facebook or Google accounts to identify new users: they are already identified as users, so the need for every service to verify human users is not as mandatory as before, but it is still a good component to add to your application when registering users.

Many alternatives exist, of course, but what is particularly interesting here is that Recaptcha also helps digitise text while identifying users, so it provides a dual service.