MSDN Magazine - September 2008 - (Page 53)

Dino Esposito
Cutting Edge

Building A Secure AJAX Service Layer

A major advantage of AJAX and Silverlight™ applications is that they can transparently and continuously interact with a back-end service. The problem is that they run over HTTP, which wasn’t designed with security in mind. Yet it’s important that you protect these back-end services from unauthorized access. So what do you do?

The architecture of a typical AJAX or Silverlight application is shown in Figure 1. It’s essentially a two-tiered architecture with the front and back ends neatly separated by the Internet. As a result of this architecture, there is opportunity for unauthorized access between the presentation layer and the back end.

Figure 1 A Typical Architecture for a Rich Web Client App

The back end exposes its API through a collection of public URLs. These URLs refer to hosted services that are technically part of the application, yet are exposed as public services. Any high-security barrier you could place here (such as a firewall) would stop authorized as well as unauthorized calls. It would be quite difficult to completely weed out the unwanted access. Obviously, this would be much easier in an intranet or extranet scenario.

When you choose to take advantage of a Web-based distributed architecture like this, you must expect outsiders to find your services and attempt to exploit them.

The Service Layer

Modern distributed systems have an extra layer of code between the presentation and business layers—the service layer. Formalized by Martin Fowler in his book Patterns of Enterprise Application Architecture, the service layer in a distributed application represents an additional layer of code that creates a boundary between two other layers, in this case between the presentation and business layers. The code in the presentation layer typically implements use cases. A typical use case is a sequence of actions performed by the user that result in interactions between one or more business objects, workflows, and services. The service layer allows you to abstract these smaller interactions with an intermediate API, exposed through more coarsely granular services. The presentation layer makes one call to one service in the layer. The invoked service layer method will coordinate the objects and workflows in the business layer to implement the required behavior. Figure 2 shows the benefits of the service layer.

Figure 2 The Service Layer Decouples Presentation and Business Layers

In the service layer implementation, it is common to assume that callers have been previously authenticated and authorized. Also, it is common to place the service layer in an isolated part of the network, for example behind a firewall. If the client is an ASP.NET application, you call the service layer from within the page code. However, because this code executes on the Web server, the call to the service is essentially a server-to-server call and occurs in a protected and controlled environment. No new security concerns arise in this scenario.

Now imagine a service layer in an ASP.NET AJAX or Silverlight scenario. To enable AJAX or Silverlight clients to call into the service layer, the address of the service layer’s endpoints must be publicly exposed. This means removing any firewalls you may have in the middle.

Only publicly exposed functionality can be invoked from a publicly facing, rich Web client. In protecting your back-end service layer, you could implement a pared-down version of the functionality in question in your ASP.NET AJAX or Silverlight clients. This might

Send your questions and comments for Dino to cutting@microsoft.com.
Code download available at msdn.microsoft.com/magazine/cc135911.
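The service-layer shape described above, sketched as an added example that is not part of the article or its code download: one coarse-grained method coordinates two business objects and checks the caller itself instead of assuming an upstream tier already did. The Inventory, OrderLog and OrderService classes, the "Customer" role and the sample principals are all hypothetical, and the caller is passed in as a plain IPrincipal so the sketch runs outside a Web host.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Hypothetical business-layer objects; every name here is an assumption.
class Inventory
{
    private readonly Dictionary<string, int> stock = new Dictionary<string, int> { { "SKU-1", 5 } };
    public bool Reserve(string sku, int qty)
    {
        int have;
        if (!stock.TryGetValue(sku, out have) || have < qty) return false;
        stock[sku] = have - qty;
        return true;
    }
}
class OrderLog
{
    public readonly List<string> Entries = new List<string>();
    public void Record(string user, string sku, int qty) { Entries.Add(user + ":" + sku + ":" + qty); }
}

// Coarse-grained service layer: one call per use case. The caller is verified
// at this boundary rather than assumed to be authenticated by network placement.
class OrderService
{
    private readonly Inventory inventory = new Inventory();
    private readonly OrderLog log = new OrderLog();

    public string PlaceOrder(IPrincipal caller, string sku, int qty)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!caller.IsInRole("Customer")) throw new SecurityException("Caller may not place orders.");
        if (qty <= 0) throw new ArgumentOutOfRangeException("qty");
        if (!inventory.Reserve(sku, qty)) return "rejected: insufficient stock";
        log.Record(caller.Identity.Name, sku, qty);
        return "accepted";
    }
}

static class Demo
{
    static void Main()
    {
        var service = new OrderService();
        // Constructed sample callers; a GenericIdentity with an empty name is unauthenticated.
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Customer" });
        var anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        Console.WriteLine(service.PlaceOrder(alice, "SKU-1", 2));
        try { service.PlaceOrder(anon, "SKU-1", 1); }
        catch (SecurityException ex) { Console.WriteLine("denied: " + ex.Message); }
    }
}
```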