My company has a 3rd party web service we are designing a front end for. The "objects" used by this web service are very large (and variable depending on the number of sub-entities created). The web service does not expose methods to commit/load sub-entities, only the full object hierarchy.
The UI itself is split into many sub screens, and master/detail views to be able to efficiently/easily edit the large amount of data.
The issue is where to store all the data you aren't currently looking at.
Doing the web service commit takes up to 30 seconds for large records, so it is not feasible to use the web service for the intermittent data storage.
You can consider using .Net's SessionState out of the box, with the SQL persistence mode to cache the web service data, although you do need to ensure that you have a strategy to clear out expired data from the database. All objects stored in SessionState will need to be Serializable.
Also, instead of using the external web service's entity structure (e.g. the serializable proxy entities generated by a .Net added Service Reference), you should also
consider building your own customized class hierarchy for your screens (i.e. custom view models), and then build the bridging to map / project the web service graph to your viewmodel after the initial fetch from the web service, and then back again to the web service entities after the user has finished updating the graph. LINQ is great for this purpose, or possibly AutoMapper, if you haven't deviated from the web service class and property naming standards.
Related
I have a web application into which I would like to utilize asp.net identity. The setup itself within my asp.net MVC project with the provided templates is rather straightforward. However it uses EF in the web "tier". Our company requires us to use a "n" tier architecture approach whereby all data access and business logic is physically separated onto a separate server and all logic is exposed via REST apis. I want to utilize the .net identity framework as it has everything I need but how can i extend it to access the database via a REST api? It appears to be very tightly coupled and I dont see how to separate it out. I have seen similiar questions asked but they lead no where and with no resolution. Any samples or guidance is appreciated.
This is an opinion, but you have three basic sets of functionality in your description.
UI (MVC, Angular, React)
Data Tier (Web API)
Authentication/Authorization (IdentityServer)
Your front-end (1) authenticates with the id tier (3) and gets back a token with your user claims (Authorization). Front end (1) passes token with request to data tier (2) which checks with id server (3) to make sure token is valid and then services the request.
Edit: EF would go in the Data tier, just to be Cap'n Obvious.
Is it efficient using a web service to access database objects?
I'm developing a win phone app and a web app. Both of them will use the same db. Should I create one web service for two apps?
A shared webservice is definitely the right way to go. That's really the point of a service, to be able to access the same business and data logic from multiple places (assuming both places are doing the same thing of course). It also acts as a natural security buffer between your app and database - so your database only needs to accept connections from the service, as opposed to multiple client applications.
As far as the technology, since both of your clients are Microsoft, you can use WCF as your service as opposed to a traditional SOAP service. Or you can go with something more universally accepted, like WebAPI with JSON. Lots of options there.
I am in the process of developing a web based solution do replace an application we provide. The web application is a record storing application and each client would have different forms they would input data into and store. My question is: Is it possible to create a backbone Web Project, which would have minimal updates this would be like a container and be the same for all of our clients, and have the document forms which would be different among clients and need to be updated more often.
Any constructive comments for or against this with reason why would also be appreciated.
It sounds like what you’re describing is a multi-tenant system if you'd like to do some research on that term. Your web interface remains the same for all, but the records/documents are different for each client. It sounds like you might need login/access functionality that ties the records to a client ID (possibly stored in a database). According to how you intend to store the records (file system vs. database), you can control access either based on the client ID (foreign key to the doc tables) or you might want to create roles. This is a very high overview for what can become complex according to the specs.
I am planning to develop a fairly small SaaS service. Every business client will have an associated database (same schema among clients' databases, different data). In addition, they will have a unique domain pointing to the web app, and here I see these 2 options:
The domains will point to a unique web app, which will change the
connection string to the proper client's database depending on the
domain. (That is, I will need to deploy one web app only.)
The domains will point to their own web app, which is really the
same web app replicated for every client but with the proper
connection string to the client's database. (That is, I will need to
deploy many web apps.)
This is for an ASP.NET 4.0 MVC 3.0 web app that will run on IIS 7.0. It will be fairly small, but I do require to be scalable. Should I go with 1 or 2?
This MSDN article is a great resource that goes into detail about the advantages of three patterns:
Separated DB. Each app instance has its own DB instance. Easier, but can be difficult to administer from a database infrastructure standpoint.
Separated schema. Each app instance shares a DB but is partitioned via schemas. Requires a little more coding work, and mitigates some of the challenges of a totally separate schema, but still has difficulties if you need individual site backup/restore and things like that.
Shared schema. Your app is responsible for partitioning the data based on the app instance. This requires the most work, but is most flexible in terms of management of the data.
In terms of how your app handles it, the DB design will probably determine that. I have in the past done both shared DB and shared schema. In the separated DB approach, I usually separate the app instances as well. In the shared schema approach, it's the same app with logic to modify what data is available based on login and/or hostname.
I'm not sure this is the answer you're looking for, but there is a third option:
Using a multi-tenant database design. A single database which supports all clients. Your tables would contain composite primary keys.
Scale out when you need. If your service is small, I wouldn't see any benefit to multiple databases except for assured data security - meaning, you'll only bring back query results for the correct client. The costs will be much higher running multiple databases if you're planning on hosting with a cloud service.
If SalesForce can host their SaaS using a multitenant design, I would at least consider this as a viable option for a small service.
We have a few projects that we put all the data access in a separate web service project and the parent project will call the web service for everything data related. The web service will only accept connections from the web project server. My assumption is that the web service would be less susceptible to intrusion this way. I'm not really sure this is correct.
Is this more secure than just putting the data access in a class or dll within the parent project?
NOTE
Developers above me made this decision.
I don't see that as an effective way of securing your database. Of all the various ways that exist to protect your data layer, I don't think that moving calls from a class library to a web service is an effective way to protect yourself.
A better approach would be to make sure that you use parameterized queries or stored procedures to prevent SQL injection, and limit the privileges of your logins to only the operations that they need to perform.
However, there would be other arguments for having data access in a separate web service... such as re-usability, or a service-oriented architecture. If the same data access layer is needed from a variety of projects on multiple servers, by having the web service you wouldn't need to have the same class library duplicated all over the place... which would cause you to worry about which project has which version of your data access layer.
So, more secure? I don't think so... Other benefits? Probably...
Short answer: Yes
Longer answer: My assumption is that the web server that is exposing the services is behind its own firewall. Doing it this way insulates the database from intrusion by forcing hackers to go through another layer if they were able to compromise your application servers. Since the database connection strings do not exist on the app server, and a firewall prevents direct connections from that server to the database, the hackers would need to somehow puncture that firewall and gain access to the server that is hosting your data services.
Now, I also assume that the web services are not simply exposing methods like
execute(string sqlCommand)
if that's the case, then this solution might actually less secure than simply using a database without the web services. For this solution to truly be more secure you would want to create operation-specific methods on the web service server.
A DLL can't be accessed and executed from the Web, so far as I know. A Web service can. If that's true, the class library referenced by a Web project (or even a Web Service) is more secure than a Web service encapsulating that logic directly.
Further, there's the whole notion of Separation of Concerns. In my mind, data access logic belongs on a separate tier, completely separate from business logic. In a well designed architecture, Web services expose discrete methods that represent business transactions--not necessarily data transactions. Business transactions encapsulate one or more data transactions, which are represented by separate classes that encapsulate the data access logic and provide the security to ensure that SQL injection never occurs.
Others, naturally, may disagree. We're developers. It's our nature to disagree. :)