Day6

CSE 136 - Lecture 6 Service Layer WCF Business Layer Security Regular Expression


Page 1: Day6

CSE 136 - Lecture 6

Service Layer WCF Business Layer

Security Regular Expression

Page 2: Day6

Overview

Service is considered part of the Business Layer

We will wrap Domain Model with a Service Layer

We will skip Workflows

Macro-services (more on this later)

Page 3: Day6

What is Service Layer

Sits between GUI & business logic (part of BLL)

GUI

BLL Server

GUI can be replaced by web-service client

Each GUI has slightly different objects depending on whether it’s Web, mobile, Windows, or just a flat file that will import into another system.

DTO - data transfer objects

Services - May call other services on other systems

Page 4: Day6

What is Service

Service will have a contract (parameters and return values)

parameters, return value

we will skip these in 136

we will use default values

in VS 2010

Page 5: Day6

Service Layer as services wrapper

The following shows the benefit of a service layer: a unique and remotable point of contact between the UI and middle tier

Macroservice

Macro service – orchestrate the entire flow of transaction.

UpdateGrade()

Microservices

Micro service – more detailed business rules

LookupReason()

ChangeGrade()

EmailStudent()

Page 6: Day6

Design Patterns in Service Layer

Remote Façade Pattern
  A set of methods that modify the granularity of existing operations already implemented elsewhere.
  A service is already a remote façade over the business layer

Data Transfer Object Pattern
  Object that carries data across an application’s boundaries
  ex: XML file as input format for ChangeGrade()

Adapter Pattern
  Converts the interface of one class into another interface that a client expects
  ex: UCSD GPA system takes in % points also

Proxy Pattern
  Client will create a proxy, and proxy will communicate with the service

Page 7: Day6

WCF - Windows Communication Foundation

An SDK for developing and deploying services on Windows

A WCF Service
  is a unit of functionality exposed to the world
  can be local or remote, developed by multiple parties using any technology

A WCF Client
  is merely the party consuming a service's functionality
  can be literally anything: ASP.NET (MVC), Java app, mobile apps

A set of .NET libraries

Page 8: Day6

WCF - Same vs cross machines

Same Machine Communication using WCF

Right-click, add service reference creates the proxy for you.

Cross-machine Communication using WCF (for scalability or 3rd party services)

Page 9: Day6

ABC of WCF

This was an interview question

A - Address
  Every service is associated with a unique address.
  Where are you?

B - Binding
  A binding is a consistent set of choices regarding the transport protocol, message encoding, communication pattern, reliability, security, transaction propagation, and interoperability
  How should I talk with you?

C - Contract
  The contract is a platform-neutral and standard way of describing what the service does.
  What am I giving/getting from you?

SSL, call-backs, encryption-key

Page 10: Day6

WCF ABC - Address

Every service is associated with a unique address. The address provides two important elements:

(1) the location of the service
  IP address
  URL

(2) transport protocol or transport schema used to communicate with the service
  http
  net.tcp

Examples
  net.tcp://localhost:8002/MyService
  http://www.wcf.org:8001
  net.pipe://localhost/MyPipe
  net.msmq://localhost/MyService

Page 11: Day6

WCF ABC - Binding

Basic Binding - expose a WCF service as a legacy ASMX web service

TCP Binding - Offered by the NetTcpBinding class, this uses TCP for cross-machine communication on the intranet. It supports a variety of features, including reliability, transactions, and security, and is optimized for WCF-to-WCF communication

Web Service binding - Offered by the WSHttpBinding class, this uses HTTP or HTTPS for transport, and is designed to offer a variety of features such as reliability, transactions, and security over the Internet

IPC Binding - Same-machine communication

Others (skip): MSMQ, Duplex WS, etc.

Page 12: Day6

WCF ABC - Contract

The contract is a platform-neutral and standard way of describing what the service does

Service contracts (method definition)
  Describe which operations the client can perform on the service

Data contracts (parameter types)
  Define which data types are passed to and from the service.

WCF defines implicit contracts for built-in types such as int and string, but you can easily define explicit opt-in data contracts for custom types.

Page 13: Day6

WCF ABC quick example

open to WCF clients

method and data

not part of the service

visible to service clients

not visible as a service

Page 14: Day6

WCF Operation

Focus on the client side

(1) Request & Reply (for CSE 136)
  Most common calls - If no response, client gives up
  always put try/catch in the client code

(2) One-way
  Send and forget

(3) Call-back (not for CSE 136)
  The service is the client and the client becomes the service
  HTTP cannot be used for callbacks
  TCP and the IPC protocols support duplex communication
  Observer Design Pattern
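The address, binding and contract from the preceding slides, together with the request/reply call wrapped in try/catch, as an added example that is not code from the lecture. GradeDto, IGradeService and GradeService are hypothetical names, and the block assumes the .NET Framework with a reference to System.ServiceModel.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;   // .NET Framework WCF assembly

[DataContract]                          // explicit opt-in data contract
public class GradeDto                   // hypothetical DTO for this example
{
    [DataMember] public int StudentId;  // visible to service clients
    [DataMember] public string Grade;
    public string InternalNote;         // no [DataMember]: never serialized
}

[ServiceContract]                       // C: contract, open to WCF clients
public interface IGradeService
{
    [OperationContract] bool ChangeGrade(GradeDto dto);
}

public class GradeService : IGradeService
{
    public bool ChangeGrade(GradeDto dto) { return dto != null && IsValid(dto.Grade); }
    // Public in C#, but not on the contract interface: not visible as a service.
    public bool IsValid(string grade) { return grade == "A" || grade == "B" || grade == "C"; }
}

public static class Program
{
    public static void Main()
    {
        string address = "net.pipe://localhost/MyPipe";   // A: address (taken from the slide)
        var binding = new NetNamedPipeBinding();          // B: IPC binding, same machine
        using (var host = new ServiceHost(typeof(GradeService)))
        {
            host.AddServiceEndpoint(typeof(IGradeService), binding, address);
            host.Open();
            var factory = new ChannelFactory<IGradeService>(binding, new EndpointAddress(address));
            IGradeService proxy = factory.CreateChannel();   // the client-side proxy
            try
            {
                var dto = new GradeDto { StudentId = 1, Grade = "A" };
                Console.WriteLine("ChangeGrade returned " + proxy.ChangeGrade(dto));
                ((IClientChannel)proxy).Close();
            }
            catch (TimeoutException) { ((IClientChannel)proxy).Abort(); }       // no reply in time
            catch (CommunicationException) { ((IClientChannel)proxy).Abort(); } // channel or service fault
            factory.Close();
        }
    }
}
```

Calling Abort() rather than Close() in the catch blocks matters because Close() on a faulted channel throws again.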

Page 15: Day6

WCF Instance

Focus on the server side

Applications differ in their needs for scalability, performance, throughput, transactions, and queued calls

(1) per-call
  services allocate (and destroy) a new service instance per client request
  This is the default behavior

(2) session
  allocate a service instance per client connection.
  [ServiceContract(SessionMode = SessionMode.Required)]

(3) Singleton
  all clients share the same service instance across all connections and activations
  [ServiceBehavior(InstanceContextMode=InstanceContextMode.Single)]

Page 16: Day6

RESTful Services

CRUD: Create, Read, Update, and Delete

RESTful: using HTTP methods
  Get - Read
  Post - Create
  Put - Update
  Delete - Delete

REST stands for “Representational State Transfer”

Skip for 136

Page 17: Day6

WCF Security (authentication)

Verifying that the caller of a service is indeed who the caller claims to be
  Windows authentication
  Username and password
  X509 certificate
  Custom mechanism & other 3rd parties
  No authentication (CSE 136)

Page 18: Day6

Business Logic Layer Security

User-based Security
  Authorization deals with what the caller (user) is allowed to do.
  Callers are mapped to logical roles. (Role ex: Faculty, Staff, or Student)

Code-based Security
  Authenticate the code source
  Authorize code for access
  Enforce the code access

Page 19: Day6

BLL Security : user-identity 1

Common security systems (user-identity based)

[Diagram labels: Person "Ali"; Resource Access Attempt; Security System; Self check-in; Security Configuration; Name/nationality profiling; Partial Access; Full Access; Deny Access; check-in @ counter; Resource; Get on the plane]

Page 20: Day6

BLL Security : user-identity 2

Resource protection through the interplay of authentication, authorization, and enforcement

[Diagram labels: caller; Attempt to Access Resource; Authentication of caller; user/password; Authorization; security configuration settings; what you are allowed to access; Enforcement; Resource]
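The authentication, authorization and enforcement steps for user-based security, as an added example that is not code from the lecture. GradeBook, ChangeGrade and the sample users are hypothetical; the role name Faculty comes from the slide, and SignIn stands in for a real credential check.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

public static class GradeBook   // hypothetical business-layer class
{
    // Enforcement lives in the business method, so every GUI or
    // service client passes through the same role check.
    public static string ChangeGrade(int studentId, string grade)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("caller is not authenticated");
        if (!caller.IsInRole("Faculty"))   // authorization: callers are mapped to roles
            throw new SecurityException(caller.Identity.Name + " may not change grades");
        return "student " + studentId + " -> " + grade;
    }
}

public static class Program
{
    // Stand-in for authentication: a real system verifies user/password first.
    static void SignIn(string name, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
    }

    static void Try(string label)
    {
        try { Console.WriteLine(label + ": " + GradeBook.ChangeGrade(42, "B+")); }
        catch (SecurityException ex) { Console.WriteLine(label + ": denied (" + ex.Message + ")"); }
    }

    public static void Main()
    {
        SignIn("");                          // empty name: IsAuthenticated is false
        Try("anonymous");
        SignIn("alice", "Student");          // constructed sample users
        Try("student");
        SignIn("bob", "Faculty", "Staff");
        Try("faculty");
    }
}
```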

Page 21: Day6

BLL Security : Code-identity-based 1

Authenticate code identity
  Information about the origin of a piece of code (such as the URL where it is run from) is collected and presented to the authorization layer
  Ex: Tourist visa from China

Authorize code, not users, to access resources
  All trust decisions to access protected resources are made for particular pieces of code, based on security settings evolving around information about the origin of code
  Ex: Tourism visa from China can visit, not work and study

Enforce the authorization
  The granularity of enforcement functions on the level of individual pieces of code (such as individual assemblies)
  .NET CLR enforces the security
  Ex: Employer checking for U.S. Visa

Page 22: Day6

BLL Security : Code-identity-based 2

Authenticate code identity
  Authenticates assemblies
  By collecting evidence about the assembly
  Ex: assembly's URL or strong name

Authorize code, not users, to access resources
  Authorizes assemblies
  By granting assemblies a set of permissions to access protected resources (such as the file system or registry)

Enforce the authorization
  By checking that all assemblies calling to a protected resource have the appropriate permission to access that resource (.NET CLR)

exe & dll

Signed by Microsoft

Page 23: Day6

.NET code-based Security : Evidence

Evidence

Provides the basic building blocks for how code access security can work on .NET Framework code

SHA1 Hash is the evidence

• Publisher
• Site (url)
• Zone (where on the computer)
• Strong name (signed key)

Page 24: Day6

.NET code-based Security : Policy

Policy

Policy containing Membership and Permission Sets.

What type of code/program can access what resources

Four policies in .NET

(1) Enterprise

(2) Machine: code running on this machine

(3) User: code run by this user

(4) Applications

Similar to homeland security policy

Visitors with “Iraq visa” (membership) have limited access to certain “government buildings” (permission set)

Page 25: Day6

.NET code-based Security : Code Group and membership

Code Group

Code groups are categorized into the following zones:

right-click

Membership

available zones

Page 26: Day6

.NET code-based Security : Permission set

Permissions

A set of permissions

List of available permissions

no security check

no access at all

check every permission listed

Page 27: Day6

.NET code-based Security : Example

All code belonging to the "My Computer" zone running on this machine has full-trust permission

All of the above sets up the security policy rules. CLR will check the assembly's evidence and allow/disallow code execution

Ex: In government, policy makers set up security policy. When each person travels with a passport/ID, airport-security executes the security check based on the passport

Ex: immigration document type: Visa, Diplomatic ID, birth-certificate

Ex: Chinese Visa

Page 28: Day6

Regular Expressions 1

What is a regular expression
  pattern describing a certain amount of text
  a series of letters, digits, dots, underscores, signs and hyphens

What are its common usages
  Formatting
  Validating
  Parsing

Page 29: Day6

Regular Expressions 2

    using System.Text.RegularExpressions;

    // ...
    string phone = "1(888)555-1234";
    string strRegex = @"[^0-9]";                // any non-digit characters

    Regex match = new Regex(strRegex);
    phone = match.Replace(phone, "");           // strip non digits

    Console.WriteLine(phone);
    // ...

Output: 18885551234

    // Function to check for an integer (optional leading minus sign).
    public bool IsInteger (String strNumber)
    {
        Regex objNotIntPattern = new Regex("[^0-9-]");
        Regex objIntPattern = new Regex("^-[0-9]+$|^[0-9]+$");
        return !objNotIntPattern.IsMatch (strNumber) &&
               objIntPattern.IsMatch (strNumber);
    }

-154

    // Function to Check for AlphaNumeric.
    public bool IsAlphaNumeric (String strToCheck)
    {
        Regex objAlphaNumericPattern = new Regex("[^a-zA-Z0-9]");
        return !objAlphaNumericPattern.IsMatch (strToCheck);
    }

[email protected]

Page 30: Day6

Regular Expression 3

    bool IsEmail (string inputEmail)
    {
        // The @ prefix marks a C# verbatim string literal; it is not part of the regular expression
        string strRegex = @"^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}" +
            @"\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\" +
            @".)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$";

        Regex re = new Regex(strRegex);

        return re.IsMatch(inputEmail);
    }

[email protected]

[email protected]

,,@..com
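The IsInteger function on the previous slide pairs its `^...$` pattern with a negated character class; the added example below (not code from the lecture) shows what a lone `^...$` pattern accepts in .NET and how `\A...\z` plus a match timeout tightens validation. InputCheck and the sample inputs are constructed for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

public static class InputCheck   // hypothetical helper for this example
{
    // Upper bound on matching time, so a hostile input cannot stall the validator.
    static readonly TimeSpan Limit = TimeSpan.FromMilliseconds(250);

    // '$' also matches just before a final "\n", so "154\n" passes this pattern.
    static readonly Regex LooseInt = new Regex(@"^-?[0-9]+$", RegexOptions.None, Limit);

    // \A and \z match only at the very start and very end of the input.
    static readonly Regex StrictInt = new Regex(@"\A-?[0-9]+\z", RegexOptions.None, Limit);

    public static bool IsInteger(string s, bool strict)
    {
        if (s == null) return false;
        try { return (strict ? StrictInt : LooseInt).IsMatch(s); }
        catch (RegexMatchTimeoutException) { return false; }   // fail closed
    }

    public static void Main()
    {
        // Constructed sample inputs; the last one carries a trailing newline.
        string[] samples = { "-154", "154", "15-4", "", "154\n" };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-8} loose={1,-5} strict={2}",
                s.Replace("\n", "\\n"), IsInteger(s, false), IsInteger(s, true));
        }
    }
}
```

Only the last sample differs: the loose pattern accepts `154\n` and the strict one rejects it.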

Page 31: Day6

Review question

Difference between macro and micro services?
What design patterns exist in the services layer?
What .NET libraries does 136 use to implement the service layer?
What is the ABC of WCF?
Difference between authenticate and authorize?
What is security policy? (rules defined)
What are the four levels of .NET policies?
What is code group? (groups of code in a policy)
What is membership? (identify a group of code)
What is permission set? (set of permissions assigned to a group of code)

Page 32: Day6

Your assignment

Due Next Thursday
  Create a Service Layer project
  Continue development of your BLL
  Continue development of unit tests for your BLL

Just a wrapper project

Page 33: Day6

Lab

Due: Grade your DAL with test cases

Page 34: Day6

References

.NET : Architecting Applications for the Enterprise

Learning WCF