SETUP
At present I have a controller heavy spring MVC application. Its components are heavily guarded with spring security. Most of the datamodel fetching, form binding etc... is done within controllers.
I however see great value addition in using spring web flow.
However I would like to use web flow in a specific way.
First of all I would like the web flow to be like traffic police directing web requests to appropriate controllers inside every state (Along with form binding objects, request, session params etc...).
I would like the controller to ultimately determine direction of web flow like successful login or goto registration page. However it is web flow that will consume the decision and facilitate the transition to the next state.
This next state will in turn leverage mvc by invoking appropriate controllers.
This way spring web flow is just like a facilitator and does not contain too much decision making logic & business logic invocation calls.
This is important for me since controllers can get heavy with respect to services it invokes and can potentially invoke them in a multi-threaded approach. All this cannot be done in spring web flow definitions
QUESTION
My question is very simple and basic. Is Spring Web Flow designed to perform like this on top of Spring MVC?
Is it possible to designate just this traffic regulation and state flow functionality to web flow while preserving most of the control and service invocation logic inside the controller?
--Am I understanding anything wrong here? I want to get these questions cleared before
embarking along this path.
This may be a little late for you, but I'm not sure webflow will give you exactly what you want to achieve. You want a router, and that's not really what webflow was designed for. Webflow is used more for multi-page form type flows, and using it for much more risks running into the limitations of the framework. Webflow cannot be used to intercept all web requests -- only those initiated through the flow mechanism, and it has very strong opinions on what state transition is (for example, form/bean validation is the default, although it can be overridden if required).
It's not that it can't be used as a router, it's just that it's not designed for this so you're likely to find impedance from its form based design goals.
Related
The common tasks of web application framework(ex: Django or Laravel or .NET or beego):
request / response abstraction
session state
user authentication & authorisation
page templating
URL mapping
DB access
security
caching
MVC design pattern implement above common tasks, as shown below:
URL mapping is handled by Controller component of MVC. Controller routes requests to handlers. Ex: http.ServeMux is the controller from GOLang package
request / response abstraction is performed by Controller by registering the handlers, written by web developer, as shown below:
sm := http.NewServeMux() // in GoLang
sm.Handle("/", productHandler)
session state is handled by the handler code written by web developer
Page templating is handled by templating engine(view component) of MVC
user authentication & authorisation is handled by the handler code written by web developer
DB access is handled by model component of MVC.
security and caching is handled by handler code written by web developer
Is this the right understanding on MVC design pattern to implement common tasks of web application framework?
There are many definitions of the MVC pattern. It was evolving over time and it was used differently in different frameworks and contexts.
When it was invented, there was no HTTP protocol and the request/response part wasn't present. There were some other ways in which the user request was handled. With time, new template engines were invented and HTTP becomes dominant protocol on the web.
MVC is considered to be a pure presentation pattern since it mainly orchestrates views and model(whatever model is representing). Also, one of the main reasons why MVC is invented is separation of concern. It is important to keep it clean, short and to let other layers take care of logic.
The common task of the web application framework is to serve as IoC container (Inversion of control) and let its component worry about specific responsibilities. So if it is a web framework, it will probably have session, cookie, MVC... components.
Controller methods are just an implementation of HTTP interface. URL Mapping can be considered as an argument to controller method.
Request/response are handled by web component (servlet in Java)
Session state is handled by session component and can be configured by developer e.g. session expire time or session cookie type or even session type (database, in memory)
Correct
Usually, there is a proven auth component in the framework, but it can be written manually (not recommended)
DB access is handled by a persistence layer like JDBC in Java. Model in MVC is responsible for data that should be presented on the screen or submitted by the user.
Same as 5
We are writing a mostly single-page, client-side app, but server-side/DB endpoints are still required of course, so the natural choice is SpringMVC (since we are a Java / Spring shop).
But this got me thinking why we need the cluttered, very old design for this app:
- Controller layer
- Service layer
- DAO layer
This app is mostly just the client side making AJAX calls with JSON for DB retrieval/persistence. Do I really need to go thru the Controller layer to receive requests, then invoke a Service method, which in turn invokes a DAO method?
At the same time, I don't want to write a REST Service because it could result in overhead and we may not support all of the REST requirements... but is it the right choice here? If I understand correctly, I would still need a RESTController on the presentation layer?
My goal is to just directly hit a Service method or, maybe even more directly, a DAO method. Is that how modern apps are written?
You cannot hit a DAO unless you expose it through an API of some sort that can be invoked remotely by the UI application; as a consequence, you need to write a service.
A convenient way of exposing a service is to either:
Use Spring MVC and use the controllers as stateless endpoints that provide a JSON/Protobuffer/XML sort of payload that is then parsed by your API (with JSON being the simplest option of them all, perhaps) or
Use Spring Boot, which uses Spring MVC under the hood.
Hope this helps and good luck with your project.
Assuming you follow DDD and you have your Domain, Application and Presentation (Controller) Layers, should the Application Layer be completely decoupled from knowing anything about HTTP requests and all the other things that go with it such as cookies, sessions, etc.
To illustrate, say our CommentingService in Application Layer needs a value from a cookie named guestId. Should this value be passed in as a parameter to our service or can we pass the whole Request (HttpContext) object and let our service extract it from there.
Commons sense tells me that if I would want to reuse this Application Layer somewhere else I would want it to be decoupled from web.
Services
Yes, you will want to decouple your application layer from any web concerns.
Application layer is responsible for managing your domain objects like aggregates, repositories etc (orchestration).
Mostly you will go with next layer providing Rest Api functionality.
If you decompose it like that, you could use your API with CLI, Rest, Soap or whatever your business want you to provide.
Cross-cutting concerns
You will want to implement cross-cutting concerns in your application layer, because you do not want to reinvent wheel for every outside layer.
For example: security, caching, transaction managing logging.
It doesn't provide you with business capabilities, so you do not implement them in domain layer, but you can implement it in your application layer.
How can we flow user session from one spring application context to another?
Basically I have one spring application representing Web Layer and another spring application representing REST layer. I want when Web Layer access the REST layer the session containing user info to be available from to Web at REST layer for authentication.
Please suggest.
Edit after receiving first ans:
At present we do have Web Layer in place along with security and all the other flows. What we are about to intended is to introduce REST layer. This REST layer is suppose to be called by present Web Layer and by other APIs. We do not want to make any changes for Web Layer, but at the same time need security to be placed at REST Layer that should work for Web Layer too when calling REST services.
Differentiate between SSO and session sharing. If you just want the authentication to carry between application (user only has to log in once), then you want some form of Single-Sign-On (SSO), CAS is one example, but there are numerous.
If, on the other hand, you need to have access to the full session (and everything the application has put in it) across different nodes (or applications), you could look into something like Memcached or Terracotta. Worth noting is that session replication is fairly I/O intensive and for larger sites it often requires a dedicated network interface for the replication.
I would put it to you, however, that if your applications are so tightly coupled that they need to share the same exact session state, then perhaps they should not be separated in the first place? This smells of faulty design and architecture assumptions.
I am learning general development strategies but there are a lot question in my mind about them. One of them is about creating application layer which shouldn't have dependencies Presentation layer.
For example, in MVC application lets say we have application services but this application services doesn't check validation for incoming data models from Presentation layer. It is only checked in controller via ASP.NET MVC validations also service layer doesn't include any authorization stuffs inside. All job is done in Presentation layer. Do you think that is it correct architecture ? Do i have to include all validation and authorizations inside service layer re-again ? If you say yes but how ??
How can i include authorization in service layer ? I really don't know how to control auhthorizations inside service layer. Duplicating validations in also service layer could be ok ?
After all Is it really worth to make such as design if i am sure presentation layer will never change ?
Validation should be in the domain layer. In a DDD application the domain (business) layer should own the validation since it knows most about itself. The service layer operates upon the domain and should handle errors, including validation errors, raised by the domain layer. Handling an error in this case could mean wrapping it in a service layer exception and returning an error code, logging the error, etc. Authorization should also be the responsibility of the service layer. This is not to say that the presentation layer (ASP.NET MVC) should not perform validation or authorization verification. Validation in the presentation layer is typically more light-weight than validation in the domain and service layers and is done in order to improve the user experience. After all, if most of the validation can be performed on the client side, why not do it and save a trip to the service layer? The same logic applies for authorization.
In regards to duplication of of validation logic there is no solution that will fulfill all cases and sometimes you have to accept a little duplication to reduce overall complexity and improve maintainability. The simplest way do do validation in the domain layer is using standard guards and throwing ArgumentException instances. In ASP.NET MVC the simplest way to do validation is using data annotation attributes. Often times it is easier to duplicate validation logic to some extent than it is to implement an all encompassing validation system. Moreover, there may be validation that can only be performed by the domain layer, which is another argument for keeping them separate.
Authorization in the service layer can be done in many ways and depends on the underlying technology used. If using WCF there are many guidelines for doing authorization.