Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Donald F. Ferguson, 2014. All rights reserved. Topics in Computer Science: Modern Internet Service Oriented Application Development Dr. Donald F. Ferguson.

Published byLydia Hunt Modified over 8 years ago

Similar presentations

Presentation on theme: "© Donald F. Ferguson, 2014. All rights reserved. Topics in Computer Science: Modern Internet Service Oriented Application Development Dr. Donald F. Ferguson."— Presentation transcript:

1 © Donald F. Ferguson, 2014. All rights reserved. Topics in Computer Science: Modern Internet Service Oriented Application Development Dr. Donald F. Ferguson Donald.Ferguson@software.dell.com (Admin: Kristina_Biehle@dell.com)

2 2 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Contents

3 3 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Contents Introduction –Questions, comments on lecture 1? –A comment on stateless and security. Implementing a REST service –Conceptual datamodel, “the old style of implementation,” and “the new way.” –Collections: primary key, secondary key, query –Relationships/Associations –Iterations –Projection –Update –Asynchronous operations –Events and notification First assignment

4 4 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Introduction

5 5 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Questions or comments from lecture 1?

6 6 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Security of Client Sending State S AliceBob S Eve Mal Eve steals information. Mallory changes information. Alice does not return what Bob sent.

7 7 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns A Note on Security There are several security considerations. Three important ones are: 1.Authentication: How does Bob know it’s Alice and vice-versa? 2.Privacy: What stops Eve from stealing info, e.g. account numbers? 3.Integrity: –What stops Mal from changing data, e.g. redirecting a deposit to a different account? –What stops Alice from maliciously changing the data? Simple answers (we will cover in more detail later in the semester) –Authentication: –Bob publishes and proves ownership of a digital certification. –Alice sends a user ID and password for logging into Bob. –Privacy: The communication occurs over encrypted HTTPS –Integrity: –Mal cannot read, and hence change, communication (including S) between Bob – Alice. –Alice does decrypt Bob’s responses because she needs to read the data. What stops Alice from being nefarious?

8 8 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Session Management https://github.com/mozilla/node-client-sessions Only Bob knows the secret.

9 9 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Comments Let’s assume that –S is string, e.g. serialized JSON object. –Bob may change S, but always returns value on every response. Bob and only Bob –Can encrypt and decrypt any string S with –Some function E(S, k) using the secret key k. Bob return a string S2 = E(S,k), not the actual data, to Alice.  Alice cannot even read the session state let alone modify. Bob can be even more secure …

10 10 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Bob can … Compute a hash H(S) using some algorithm –That has the property that S1 != S2  Pr[H(S1) = H(S2)] < 0.000000000000001 –Bob can compute H(S) and then E(H(S)) and –Returns {S, E(H(S))} to Alice, which she must return. She can change S and “guess” a change to E(H(S)) but does not know the secret. –Bob recomputes when receiving Alice’s next message containing S1 Bob runs the algorithms –If S1 != S than probably –H(S1) != H(S) and almost certainly –E(H(S1)) != E(H(S)) Bob can use just encrypted hash if he only cares about Integrity. Bob can also salt the data (add a random, big string) to avoid cryptographic attacks that can break messages that –Are short –Have recurring information, e.g. {{user id, PW}, {account, 1234}} The Allies were able to break Enigma partly because –The first message sent with the new key for the day was short and always contained “Hi. This is XXX. Situation is normal.” –And because Enigma was not completely random. Enigma would never map A->A or B->B. –So, if you knew there was a “Crib” C that occurred in the space place in S –You could ignore possible wire/plug settings that would ever result in E(C[i]) = C[i]

11 11 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Where did this Come From? https://ssol.columbia.edu/cgi- bin/ssol/DhbtiwfsFOMOeFQaDwqxAh/?p%.5Fr%.5Fid=k0F2vZ4ccAhzbcAg0Ql K4h&p%.5Ft%.5Fid=1&tran%.5B1%.5D%.5Fentry=student&tran%.5B1%.5D%. 5Fterm%.5Fid=20143&tran%.5B1%.5D%.5Fcid=COMSE6998&tran%.5B1%.5 D%.5Fsecid=005&tran%.5B1%.5D%.5Fsch=&tran%.5B1%.5D%.5Fdpt=&tran %.5B1%.5D%.5Fback=&tran%.5B1%.5D%.5Ftran%.5Fname=scrs Some history –Some browsers did not support cookies or handle them consistently –So, putting the session in a cookie (header) was fragile –The alternative was URL rewriting –http://myapp.me.org/students/21 becamehttp://myapp.me.org/students/21 –http://myapp.me.org/”someweirdsessionstateencoding/students/21http://myapp.me.org/”someweirdsessionstateencoding/students/21 –Cookies/headers are most common now.

12 12 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Implementing a Simple REST Service

13 13 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Conceptual Datamodel “ Old Way ” “ New Way ”

14 14 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Database Model are Complex, even examples and samples, e.g. MySql Sakila Sample Database

15 15 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Customer Information

16 16 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Movie Information

17 17 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Stores and Staff

18 18 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Views and Stored Procedures

19 19 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Traditional Web Application 7. Select templates based on result, and pass data 8. Generate HTML result. Request Handler BOBO DB 1. HTTP GET/POST/… 2. Parse and validate request 3. Retrieve session context/info 4. Select “business object.verb base on GET/POST data and context info. 5. Access/Update DB through framework 6. Application logic 9. Send HTML response

20 20 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns Traditional Way Develop a set of POJOs that implement core functions, e.g. –Submitting the “create customer form” will –Check for duplicates and conflicts –Determine if this is a new address or a new customer at an existing address –Submitting the “find rentals by telephone number” will –Find all the customers that have the given phone number –Then find all rentals for each of the customers –Merge and return the results The design relies heavily on database functions and a single logical DB, e.g. –A single POJO can find customers by phone number, and then loop through the result one customer at a time to find the rentals. –The database referential integrity constraint will prevent me from deleting an address if there is a customer at the address. –I can use a column in one table to find something in another.

21 21 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns New Model Service Reference ?

22 22 © Donald F. Ferguson, 2015. All rights reserved.Modern Internet Service Oriented Application Development – Lecture 2: REST Details and Patterns New Model We already talked about “coarse-grained” evolving into a –Set of “micro-services” –Implemented with polyglot programming and polyglot persistence So, what are some things we can learn about REST and this scenario –A uniform approach to CRUD on tables was awesome! Life would have been more unpleasant if every table had a different query language. –Linking “things” moves from linking at the DB level to linking across the web. –Exactly how does referential integrity work? –The micro-service for customer information management –Does now know in advance that it will be part of a rental app –And cannot know to “not delete” a customer if the customer has an active rental –Applications surface API for –Manipulating the information and defining the structure of the information. –How does somebody “Alter Table” when apps evolve?

Download ppt "© Donald F. Ferguson, 2014. All rights reserved. Topics in Computer Science: Modern Internet Service Oriented Application Development Dr. Donald F. Ferguson."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
SFDC Integration Basics Gerry Winning. Integrating Your Progress App with SFDC Ovid Back Office App is Fully Integrated with SFDC (about two and a half.

SFDC Integration Basics Gerry Winning. Integrating Your Progress App with SFDC Ovid Back Office App is Fully Integrated with SFDC (about two and a half.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Fast Track to ColdFusion 9. Getting Started with ColdFusion Understanding Dynamic Web Pages ColdFusion Benchmark Introducing the ColdFusion Language Introducing.

Fast Track to ColdFusion 9. Getting Started with ColdFusion Understanding Dynamic Web Pages ColdFusion Benchmark Introducing the ColdFusion Language Introducing.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.
Database Application Security Models

Database Application Security Models
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.

ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
JavaScript & jQuery the missing manual Chapter 11

JavaScript & jQuery the missing manual Chapter 11
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google