Model-Driven Software Development - Web Abstractions 2
1. Web Abstractions II
access control policies, data validation, workflow, ajax, search
Lecture 4
Course IN4308
Eelco Visser
Master Computer Science
http://eelcovisser.org Delft University of Technology
Wednesday, March 10, 2010
2. Modeling
Modeling IDEs
Software Systems
Modeling Transforming
Web Programs Software Models
Implementing Software Language
Web Models Engineering Strategies
Modeling Make your own
Software Languages Software Languages
3. Web Abstractions
from a declarative point of view
(we'll investigate underlying mechanisms later)
4. More Web Abstractions
- Access control policies
  – constraints over objects
  – role-based AC, discretionary AC
- Data validation
  – form validation
  – data integrity
- Workflow
- Search
- AJAX: accessing page fragments (templates)
5. Access Control
Danny M. Groenewegen, Eelco Visser. Declarative Access Control for WebDSL:
Combining Language Integration and Separation of Concerns. ICWE 2008: 175-188
6. Case 2: Access Control Policy for Conference
Papers
– has authors
Authors
– submit papers, read reviews
Reviewers
– write review for paper & discuss papers
– are anonymous (for authors)
Conflicts
– author cannot be reviewer
– reviewer not related to authors
8. WebDSL Access Control
Constraints over data model
- boolean expression over properties of objects
Rules restrict access to resources
- page, template, action
Infer restriction of navigation
- don't show link to inaccessible page or forbidden action
9. Principal
representation of principal
turn on access control
10. Access Control Rules
"may access page f with argument x if boolean expression e is true"
11. Wiki Access Control Rules
"anyone can view existing pages, only logged in users can create pages"
"only logged in users may edit pages"
17. Access Control Policies
Standard Policies
- Mandatory access control
- Discretionary access control
- Role-based access control
Mixing policies
- Role-based + discretionary access control
WebDSL
- No restrictions on access control policies
18. Encoding Access Control Policies
Rules
- Who may access which resources?
- Who can apply which actions?
Representation
- How are permissions stored?
Administration
- How can permissions be changed?
- Who can change permissions?
22. Mandatory Access Control
Security Labels
– Classification label protects object
  • Top Secret, Secret, Confidential, Unclassified
– Clearance indicates access of subject
Confidentiality rules
– Read-down: clearance should be higher than or equal to classification of document to read
– Write-up: clearance is lower than or equal to classification of document to write
29. Role-Based Access Control
Role: group of activities
- authorization assigned to roles
- users assigned to roles
- robust to organizational changes
Hierarchical roles
- least privilege: use minimal permissions for task
Separation of duties
- critical actions require coordination
33. Mixing Access Control Policies
Real policies
- Mix of DAC & RBAC
- AC rules are constraints over object graph
WebDSL
- No policies built-in
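
The conference policy from Case 2, written as plain predicates over the object graph. This is an added example in Python, not WebDSL and not code from the lecture; the `pc_member` role name, the `related` set and all function names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)                      # eq=False: users are compared by identity
class User:
    name: str
    roles: set = field(default_factory=set)     # role-based part; "pc_member" is an assumed role
    related: set = field(default_factory=set)   # names of related users (assumed conflict model)

@dataclass(eq=False)
class Paper:
    title: str
    authors: list
    reviewers: list = field(default_factory=list)
    reviews: list = field(default_factory=list)  # (reviewer, text) pairs

def has_conflict(user, paper):
    """Conflicts: author cannot be reviewer; reviewer not related to authors."""
    return any(user is a or a.name in user.related or user.name in a.related
               for a in paper.authors)

def may_review(user, paper):
    """Role check combined with a constraint over this paper's objects."""
    return "pc_member" in user.roles and not has_conflict(user, paper)

def assign_reviewer(paper, user):
    if not may_review(user, paper):
        raise PermissionError(f"{user.name} may not review {paper.title!r}")
    paper.reviewers.append(user)

def write_review(principal, paper, text):
    if principal not in paper.reviewers:
        raise PermissionError("only assigned reviewers write reviews")
    paper.reviews.append((principal, text))

def read_reviews(principal, paper):
    """Authors and reviewers may read; authors never see reviewer names."""
    if principal in paper.reviewers:
        return [(r.name, text) for r, text in paper.reviews]
    if principal in paper.authors:
        return [("anonymous", text) for _, text in paper.reviews]
    raise PermissionError("no access to reviews of this paper")

# Constructed sample data
alice = User("alice", roles={"pc_member"})       # author who is also on the committee
bob = User("bob", roles={"pc_member"})
carol = User("carol", roles={"pc_member"}, related={"alice"})
paper = Paper("Sample paper", authors=[alice])
assign_reviewer(paper, bob)
write_review(bob, paper, "accept")
```

The same predicate that guards the action (`may_review`) can also decide whether to render the link to it, which is the navigation inference described on slide 8.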
34. Case 2: Access Control Policy for Conference
Papers
– has authors
Authors
– submit papers, read reviews
Reviewers
– write review for paper & discuss papers
– are anonymous (for authors)
Conflicts
– author cannot be reviewer
– reviewer not related to authors
35. Data Validation
Danny M. Groenewegen, Eelco Visser. Integration of Data Validation
and User Interface Concerns in a DSL for Web Applications. SLE 2010
36. Data Validation
Check input & maintain data integrity
Types of validation
- Value well-formedness
- Data invariants
- Input assertions
- Action assertions
User interface integration
- Display errors
37. Validation Rules
data validation
form validation
action assertions messages
47. Workflow
Zef Hemel, Ruben Verhaaf, Eelco Visser. WebWorkFlow: An Object-Oriented
Workflow Modeling Language for Web Applications. MoDELS 2008: 113-127
Note: WebWorkFlow is not supported by current version of WebDSL
48. Workflow
Coordinating activities by participants
WebWorkFlow
- object-oriented workflow definition
- integrate all aspects of workflow
  – data
  – user interface
  – access control
  – control-flow
- abstractions on top of base WebDSL
59. Workflow Remarks
Recursive workflows (see paper)
Issue: user interface patterns for workflow
Is workflow an anti-pattern?
- is workflow good interaction design?
- determine order of user actions
- what are alternatives?
62. AJAX
Michel Weststrate. Abstractions for Asynchronous
User Interfaces in Web Applications. Master's thesis,
Delft University of Technology, 2009.
63. AJAX
Deliver page fragments, not just full pages
- Replace page elements by new fragments
- Templates are unit of replacement
64. placeholder
default view
66. Summary
Access control policies
– constraints over objects
– encoding of standard policies (DAC, RBAC)
Data validation
– form validation & data integrity
Workflow
– coordinating activities of multiple participants
Search based on data model annotations
AJAX: accessing page fragments (templates)
67. Schedule
Lab this week
– WebDSL application
Cases
– Case 2: web abstractions
– Read: Declarative Access Control for WebDSL
– Read: Integration of Data Validation and User Interface Concerns
– Read: WebWorkFlow
Next
– Lecture 5: WebDSL implementation strategies
– Lecture 6 & 7: modeling languages