Published 2018-05-11
Hi All
In this article I detail some strategic issues that a new development UI will need to address - these are the ones that I can think of now; others may come to light during this journey.
See the webinar by Eduard Lebedyuk here from the last Global Summit describing modern web development and Caché
And, as always, if I have missed something please comment....
Here's my list (so far):-
- Choosing a Full Stack Development Environment. With ZEN I need to know ooDesign, COS, Studio (for editing), HTML, Javascript, CSS, FOP !!!!!! And each of these is large in itself. There is a good video here that gives an overview of the choices - but it's dated as it does not include containers. But the detailed choices are huge - the video here details hundreds of different technologies/tools/environments - it's awesome and frightening. The key decisions I need to make are:
- What client development environment to use
- What development environment (Caché Studio or Eclipse & Atelier - Which client editor to use)
- What version control system that controls and moves both Caché classes and client files (CSS, JS, HTML or whatever)
As I said in part 1, I want to concentrate my intellectual effort to deliver complex business applications not the tools and always having to learn new stuff.
- Leverage Existing ZEN code (link under construction). Again, as in the introduction, I would want to leverage/translate the existing ZEN definitions to use going forward. This will:-
- Speed up development
- Reduce testing - end-user acceptance testing is a large overhead for a small/medium company
- Sessions or No Sessions (link under construction). A key concept for JSON communication between the client and the server is that each interaction is self contained, i.e. the server and the client need to know nothing about each other over the content of each RESTful call and the JSON response - i.e. no CSP sessions. Is this correct or do we need to maintain sessions?
- Security (link under construction). Using JSON - how do you implement a logon? What are the licensing issues? How do you prevent users hacking RESTful calls that they have no access to? There is a post by Anna Kantola here that describes some problems (logging in via REST).
- Screen Layout/Responsive App (link under construction). As I said in the introduction, responsive apps for a desktop business application are not a high priority. However it would be great to have a single framework that can be used for both static screens on the desktop *and* for responsive apps.
- Localisation (multi-lingual pages) (link under construction). ZEN/CSP has in-built localisation (csptext) that allows a single page definition to localise according to the browser language settings - it's a bit fiddly but works great, allowing a single page to seamlessly appear in the user's preferred language. What other options are there? Also date/time localisation.
Most of the above (will) link to a separate page to reduce the size of the article and to allow comments to be added under the appropriate heading.
REST mainly disallows sessions as a mechanism of data transfer. Stateless as stated in REST dissertation by Roy Fielding has three aims:
Visibility is improved because a monitoring system does not have to look beyond a single request datum in order to determine the full nature of the request.
In my opinion that's the most important one and it mainly deals with storing session data in between requests.
Let's say you provide a newsfeed API. There's a lot of news so users get them by pages of 10 elements. Clients can access news in two different ways:
Reliability is improved because it eases the task of recovering from partial failures. Where partial failure is defined as (from Waldo J, Wyant G, Wollrath A, Kendall S. A Note on Distributed Computing.):
Sessions as an authentication/authorisation mechanism do not affect Reliability.
Scalability is improved because not having to store state between requests allows the server component to quickly free resources, and further simplifies implementation because the server doesn't have to manage resource usage across requests.
Not relevant in our case as a Session still gets created, just destroyed immediately after the request is done.
To sum up: REST APIs can use sessions as authentication mechanism, but not as a data transfer mechanism.
For password authenticated web applications it is possible by following these steps:
If all these conditions are met, the user would only consume one license slot per session and perform only one login.
Authentication as a start, SQL security for basic data access checks, app-level checks for the most specific cases
Hi Eduard
I had already seen your second comment elsewhere - but thanks for the additional detailed comment - most useful.
Just some quick thoughts......
But the default value in %CSP.REST is Parameter UseSession As BOOLEAN = 0;
So the developer has to remember to override this every time (or sub-class)
I have seen this but have no understanding of what it's for - searching the docs only brings up a reference in the automatic deployment section, with no description.
If you have any more information on its purpose please share.
But if it's a third party app then there is no CSP/ZEN app - the use case I have in mind is a 3rd party web developer is creating a complex shop system that needs to communicate with Caché
I have no idea or interest in what technology they are using and it may be that their programming language does not easily support cookies so the CSPCHD (the session cookie) does not get passed.
I am thinking that in this case the authentication needs to be passed with each Rest call - not an issue
(or use OAUTH which I know little about)
Yes SQL security for sure - but there are traps here in the management of that security - I don't want a huge overhead in having to manage multiple roles each with its own SQL security profile.
And anyway it does not help if the Rest application is accessing the database via the object projection rather than SQL
As always, there are many options/scenarios; my aim is not to give a definitive answer but to share my experience as a real world developer and how I implement things.
Peter
Oh forgot this one......
Maintaining State between client calls...
I can think of a real world case where some sort of state between the client and the server is a good idea...
Consider a huge database where we need to query and produce the equivalent of the ZEN tablepane that displays rows of data with filtering and sorting functionality
I can see there are a number of widgets available for different frameworks where the whole result set is shipped to the client and filtering/sorting is done there.
However there are cases where....
Unless you can suggest a better alternative that does not require state to be maintained
At the moment this is the only use case that I can think of where maintaining state is a useful thing
Peter
State is not required (and in fact harmful) for that case. Here's why.
Users do not care for thousands of results.
That doesn't happen. The user most often cares about one specific result, or a small group of them - dozen(s), rarely up to a hundred, but to be extremely generous let's say that the user cares about 1000 individual records at the same time tops.
So, how do we work with that assumption?
There are several things to do.
One other case where user might be actually interested in the exact number of the results is when he needs that number only. For example our user might be interested in the number of incidents per month and calculate it himself by filtering incidents by date and getting the results count. This requirement could be addressed in several ways:
tl;dr users are not interested in thousands of results, so we need to build systems where they get only the results they really need.
Hi Eduard
Food for thought !!!!
It's just that it's always been the way I have done it in ZEN for around 11 years - started off with "small" result sets and just carried on doing it that way
It's great to be challenged - Thank you!!!
BTW I like the look of the way that you include source code in your posts
Do you care to share how you create the posts with the grey box around them - do you create/edit with the online editor or some other tool?
Peter
Check this article. No external tools required. More articles about how to get the most from community are available on the link at the bottom of the page:
Hi, Peter! Want to add that the highlighter is not ideal though (ObjectScript is a tough parsing exercise). If you see a bug in highlighting and want to improve it, you are very welcome to pull request here.
I recommend having an abstract broker, which does technical stuff like CORS, UseSession, Encoding, JSON transformation. All other brokers must extend it (and they don't do technical stuff, only business logic). More on that.
If two (or more) web applications share the same GroupBy value, then a session opened in one application would be valid in all other applications with the same GroupBy value. This way the user needs to log in only once (or not at all if we have domain/SSO authentication configured). It's also documented (but hard to find), more docs.
CSP app could contain only HTML/JS/CSS. So it could be an AngularJS web application, but also hosted with Caché (as a Caché CSP web application).
If you host a web application via Caché (Ensemble, HealthShare, InterSystems IRIS) then your web application would be authorization-aware automatically. The browser sends the relevant cookies/headers with each request, so the developer doesn't need to think about it.
You can do it like this:
This way you pass login/pass only once instead of with every call. But I'd still recommend Caché security system.
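As an added illustration of the two points Eduard makes above (an abstract broker that owns the technical concerns, with business brokers extending it, and paging so that the server keeps no result-set state between calls), here is example code that is not from Eduard or from InterSystems. It assumes Caché 2016.2 or later for the JSON literals; the table name Demo_Data.News and the class names are made up for the example, and the web application's GroupBy setting is configured in the Management Portal, not in the class.

```objectscript
/// Technical base broker: session, CORS and JSON settings live here only
/// (two classes shown together; in Studio each goes in its own .cls file).
Class Demo.REST.Abstract Extends %CSP.REST [ Abstract ]
{
/// Override the %CSP.REST default of 0: keep the CSP session so the user
/// authenticates once and holds one license slot across calls.
Parameter UseSession As BOOLEAN = 1;
/// Answer CORS preflight requests for browser clients hosted elsewhere.
Parameter HandleCorsRequest = 1;
Parameter CONTENTTYPE = "application/json";
Parameter CHARSET = "utf-8";
/// Runs before every route: refuse callers who have not authenticated
/// ($username is "UnknownUser" for an unauthenticated CSP request).
ClassMethod OnPreDispatch(pUrl As %String, pMethod As %String, ByRef pContinue As %Boolean) As %Status
{
    If $username = "UnknownUser" {
        Set pContinue = $$$NO
        Quit ..ReportHttpStatusCode(..#HTTP401UNAUTHORIZED)
    }
    Quit $$$OK
}
}

/// Business broker: routes and business logic only, nothing technical.
Class Demo.REST.News Extends Demo.REST.Abstract
{
XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
<Route Url="/news" Method="GET" Call="GetNews" />
</Routes>
}
/// GET /news?page=N returns one page of 10 rows via %VID windowing, so no
/// result-set state is kept between calls. Demo_Data.News is a constructed table.
ClassMethod GetNews() As %Status
{
    Set page = +$Get(%request.Data("page", 1), 1), size = 10  Set:page<1 page = 1
    Set sql = "SELECT * FROM (SELECT TOP ? ID, Title FROM Demo_Data.News ORDER BY ID) WHERE %VID > ?"
    Set rs = ##class(%SQL.Statement).%ExecDirect(, sql, size * page, size * (page - 1))
    Set rows = []
    While rs.%Next() {
        Do rows.%Push({"id": (rs.%Get("ID")), "title": (rs.%Get("Title"))})
    }
    Write rows.%ToJSON()
    Quit $$$OK
}
}
```

Each request is answered from its own SQL query and the only thing carried between calls is the authenticated CSP session, which is exactly the split Eduard describes: sessions for authentication, not for data transfer.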
Thanks again Eduard
Just one point: it's Angular2 not AngularJS - I think AngularJS could be delivered by CSP but I doubt that it would be the best way to deliver Angular2.
Or so I believe - it's one of the things on my list to look at with Angular 2
Peter
What's the difference between AngularJS and Angular2 in regards to CSP?
AngularJS is the first version; Angular 2-5 are collectively referred to as Angular and are somewhat compatible between themselves. @Sergey.Sarkisyan?
What a lovely discussion.
Btw, if you are ever looking for a new teammate, I would love to join you as one on an ad hoc basis.
Hi Peter,
I am not sure if it is appropriate to post my concern here. Please let me know if I need to move this out and post separately.
The reason I posted it here is because similar posts have been redirected to this discussion. This is a wonderful discussion and we ourselves are probably on a similar journey but still at the exploratory stage. Both you and Eduard seem to have traveled further down this road and you might be able to point me in the proper direction. Below mentioned is my concern.
Is it mandatory for the application to be rendered using the CSP Server to maintain the CSP Session?
Would it be possible for an HTML and JavaScript based application to connect to the REST service and maintain the session and the license?
If possible, would someone be able to post the login code and the headers or parameters to be passed for the subsequent calls to the REST service?
I made some trials with the Delegated login and ZAUTHENTICATE (hardcoded the Username and Password) for the REST application.
I tried all the below steps (only for the REST web application. The client web application is not CSP)