Model-Driven Software Development - Web Abstractions 2
1. Web Abstractions II
access control policies, data validation, workflow, ajax, search
Lecture 4
Course IN4308
Eelco Visser
Master Computer Science
http://eelcovisser.org Delft University of Technology
Wednesday, March 10, 2010
2. Modeling
- Modeling Software Systems
- IDEs
- Modeling Web Programs
- Transforming Software Models
- Implementing Web Models
- Software Language Engineering Strategies
- Modeling Software Languages
- Make your own Software Languages
3. Web Abstractions
from a declarative point of view
(we’ll investigate underlying mechanisms later)
4. More Web Abstractions
- Access control policies
★ constraints over objects
★ role-based AC, discretionary AC
- Data validation
★ form validation
★ data integrity
- Workflow
- Search
- AJAX: accessing page fragments (templates)
5. Access Control
Danny M. Groenewegen, Eelco Visser. Declarative Access Control for WebDSL:
Combining Language Integration and Separation of Concerns. ICWE 2008: 175-188
6. Case 2: Access Control Policy for Conference
Papers
★ has authors
Authors
★ submit papers, read reviews
Reviewers
★ write review for paper & discuss papers
★ are anonymous (for authors)
Conflicts
★ author cannot be reviewer
★ reviewer not related to authors
8. WebDSL Access Control
Constraints over data model
- boolean expression over properties of objects
Rules restrict access to resources
- page, template, action
Infer restriction of navigation
- don’t show link to inaccessible page or forbidden action
9. Principal
representation of principal
turn on access control
10. Access Control Rules
‘may access page f with argument x if boolean expression e is true’
11. Wiki Access Control Rules
‘anyone can view existing pages, only logged in users can create pages’
‘only logged in users may edit pages’
17. Access Control Policies
Standard Policies
- Mandatory access control
- Discretionary access control
- Role-based access control
Mixing policies
- Role-based + discretionary access control
WebDSL
- No restrictions on access control policies
18. Encoding Access Control Policies
Rules
- Who may access which resources?
- Who can apply which actions?
Representation
- How are permissions stored?
Administration
- How can permissions be changed?
- Who can change permissions?
22. Mandatory Access Control
Security Labels
★ Classification label protects object
• Top Secret, Secret, Confidential, Unclassified
★ Clearance indicates access of subject
Confidentiality rules
★ Read-down: clearance should be higher than or equal to classification of document to read
★ Write-up: clearance should be lower than or equal to classification of document to write
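Added example (Python, not from the lecture and not WebDSL code): the read-down and write-up rules above, with a check that no chain of subjects reading and writing can move data to a lower classification. The function names and the flow model are assumptions of this sketch.

```python
from itertools import product

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def can_read(clearance, classification):
    # Read-down: clearance must be >= classification of the document
    return RANK[clearance] >= RANK[classification]

def can_write(clearance, classification):
    # Write-up: clearance must be <= classification of the document
    return RANK[clearance] <= RANK[classification]

def flows(read=can_read, write=can_write):
    """Pairs (src, dst): data in a document at level src can reach a document
    at level dst through some chain of subjects that read and then write."""
    closure = {
        (src, dst)
        for src, dst in product(LEVELS, repeat=2)
        if any(read(s, src) and write(s, dst) for s in LEVELS)
    }
    while True:  # transitive closure over multi-step chains
        step = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if step <= closure:
            return closure
        closure |= step

def leaks(read=can_read, write=can_write):
    """Flows that move data to a strictly lower classification."""
    return sorted((a, b) for a, b in flows(read, write) if RANK[a] > RANK[b])

if __name__ == "__main__":
    print("leaks with both rules:", leaks())
    print("leaks without write-up:", leaks(write=lambda s, o: True))
```

Dropping either rule is enough to create a downward flow, which is why the two are stated together.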
29. Role-Based Access Control
Role: group of activities
- authorization assigned to roles
- users assigned to roles
- robust to organizational changes
Hierarchical roles
- least privilege: use minimal permissions for task
Separation of duties
- critical actions require coordination
33. Mixing Access Control Policies
Real policies
- Mix of DAC & RBAC
- AC rules are constraints over object graph
WebDSL
- No policies built-in
34. Case 2: Access Control Policy for Conference
Papers
★ has authors
Authors
★ submit papers, read reviews
Reviewers
★ write review for paper & discuss papers
★ are anonymous (for authors)
Conflicts
★ author cannot be reviewer
★ reviewer not related to authors
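Added example (Python, not from the lecture and not WebDSL code): the conference policy written as boolean rules over the object graph, mixing a role check with per-paper relations, with the visible links derived from the same rules. Resource names, the data model and "related means same affiliation" are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)            # eq=False: objects compare by identity
class User:
    name: str
    affiliation: str
    roles: set = field(default_factory=set)    # RBAC part: {"reviewer"}

@dataclass(eq=False)
class Review:
    reviewer: User
    text: str

@dataclass(eq=False)
class Paper:
    authors: list                               # per-object relation (DAC-like part)
    reviews: list = field(default_factory=list)

def conflict(u, p):
    # Author cannot be reviewer; "related" is assumed to mean same affiliation
    return u in p.authors or any(u.affiliation == a.affiliation for a in p.authors)

def is_reviewer(u, p):
    return "reviewer" in u.roles and not conflict(u, p)

# One boolean rule per resource over (principal, object); no rule means denied
RULES = {
    "readReviews": lambda u, p: u in p.authors or is_reviewer(u, p),
    "writeReview": is_reviewer,
    "discussPaper": is_reviewer,
}

def may(u, resource, p):
    rule = RULES.get(resource)
    return u is not None and rule is not None and rule(u, p)

def visible_links(u, p):
    # Navigation inferred from the rules: offer only what the principal may access
    return [r for r in RULES if may(u, r, p)]

def reviews_for(u, p):
    if not may(u, "readReviews", p):
        raise PermissionError("readReviews denied")
    hide = u in p.authors                       # reviewers are anonymous for authors
    return [(None if hide else r.reviewer.name, r.text) for r in p.reviews]

# Constructed sample data
alice = User("alice", "Uni A")
dave = User("dave", "Uni D", {"reviewer"})      # author who also holds the reviewer role
bob = User("bob", "Uni B", {"reviewer"})
carol = User("carol", "Uni A", {"reviewer"})    # same affiliation as author alice
paper = Paper([alice, dave], [Review(bob, "accept")])
```

The reviewer role alone grants nothing here: `dave` and `carol` hold it but are denied `writeReview` on this paper because of the conflict constraints.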
35. Data Validation
Danny M. Groenewegen, Eelco Visser. Integration of Data Validation
and User Interface Concerns in a DSL for Web Applications. SLE 2010
36. Data Validation
Check input & maintain data integrity
Types of validation
- Value well-formedness
- Data invariants
- Input assertions
- Action assertions
User interface integration
- Display errors
37. Validation Rules
data validation
form validation
action assertions messages
47. Workflow
Zef Hemel, Ruben Verhaaf, Eelco Visser. WebWorkFlow: An Object-Oriented
Workflow Modeling Language for Web Applications. MoDELS 2008: 113-127
Note: WebWorkFlow is not supported by current version of WebDSL
48. Workflow
Coordinating activities by participants
WebWorkFlow
- object-oriented workflow definition
- integrate all aspects of workflow
★ data
★ user interface
★ access control
★ control-flow
- abstractions on top of base WebDSL
59. Workflow Remarks
Recursive workflows (see paper)
Issue: user interface patterns for workflow
Is workflow an anti-pattern?
- is workflow good interaction design?
- determine order of user actions
- what are alternatives?
62. AJAX
Michel Weststrate. Abstractions for Asynchronous User Interfaces in Web Applications.
Master's thesis, Delft University of Technology, 2009.
63. AJAX
Deliver page fragments, not just full pages
- Replace page elements by new fragments
- Templates are unit of replacement
64. placeholder
default view
66. Summary
Access control policies
★ constraints over objects
★ encoding of standard policies (DAC, RBAC)
Data validation
★ form validation & data integrity
Workflow
★ coordinating activities of multiple participants
Search based on data model annotations
AJAX: accessing page fragments (templates)
67. Schedule
Lab this week
★ WebDSL application
Cases
★ Case 2: web abstractions
★ Read: Declarative Access Control for WebDSL
★ Read: Integration of Data Validation and User Interface Concerns
★ Read: WebWorkFlow
Next
★ Lecture 5: WebDSL implementation strategies
★ Lecture 6 & 7: modeling languages