Skip to main content

Our Adventures into Creating a Secure MVC Framework - Prologue

Now that MWLUG 2015 is history and MWLUG 2016 is in the planning stage, I can now start writing a series that I have wanted to do for awhile about creating a MVC framework.

This will a multi-part series on my adventure into creating my own MVC framework.  I will be talking about MVC in the generic sense and it will include MV* of all types.

Creating your own MVC framework? Am I out of my mind? Why in the world would you do that you may ask. There are so many popular and great MVC frameworks available including Angular, Backbone, Ember, React, and etc.

Well, SECURITY, SECURITY, SECURITY.

When we rolled out iPhora Touch v2 just before MWLUG 2014, the feedback for the interface was lukewarm at best, it was slow since the page had to be refreshed each time and it did not work well on tablets and other devices.  Though we were using Bootstrap the interface it just would not respond the way that we wanted.

So after MWLUG 2014, I set out to figure out a way to improve the design so that it would be faster, more responsive, and easier to maintain.  The previous UI framework was built using Dojo 1.53 which needed a significant amount of Javascript to be loaded before the page would initialize.  So moving forward we wanted a AMD JavaScript framework to reduce the loading time.

We wanted to provide a simple and usable user interface for our iPhora solutions that would work for both desktop and tablets.  In our iPhora technology, the UI is totally decoupled from the server and there is a total separation between the data and the form.  We have never been a big fan of having the server generate the HTML interface. That approach requires you to couple the data with the UI. By decoupling the data and UI, what technology is used to generate the data is irrelevant. Currently, it is Domino, but it could easily be a combination of other propriety or open source technologies.  All information is sent and received through a series of JSON RESTful APIs that is managed by the iPhora Gatekeeper. What information you have access to is based on user authentication, roles, ACLs, and permissions. Note for Domino developers, don't use DAS.

Our approach of using Restful APIs makes the use MVC framework ideal. We have long been intrigued by the different MVC frameworks including the popular ones like Angular and Backbone. So our goal was to replace our entire front end with one of these open source MVC frameworks. Even Dojo has a MVC framework, kind of.

However, the selected MVC framework had to meet a number of criterion including easy adaption to how our iPhora data security model worked. It had to handle our multi-level UI Bootstrap-based widget design that is part of the iPhora security model. It had to be lightweight, while being very structured allowing the use of design patterns to help maintainability. In addition, the goal was to have a multi-pane single page application (SPA) interface to help to reduce the constant loading of core libraries over and over again while allowing for constant changes to what appeared on the screen. Since iPhora is designed to handle sensitive information, we needed to control when and how information was to be cached or destroyed both in memory and visually.

From our research and experimentation, we decide the popular MVC frameworks were not going to meet our needs.  Stuff like bi-directional coupling did not work for us since it is assumed that at every RESTful API call your security level and access might have changed.  Not only that, the security level for each of the multi-panes within the single page application interface may be different.

So our adventure of creating our own MVC framework began.  We rolled up our sleeves, got many 6-packs of beer and started laying out want we needed.

Next time, Design Requirements.







Comments

drooze said…
This should be an interesting series. Looking forward to it.
Tony Frazier said…
Looking forward to this Richard. Curious about your experiences with using DAS and why you're not using it.
Tony,

The reason that you do not want to use DAS is security. Since DAS is pulling from views, you can not easily control the amount of information a particular user sees. It assumes all the users should get the same stuff which is never the case. This is not good practice even behind the firewall.

Popular posts from this blog

The iPhora Journey - Part 8 - Flow-based Programming

After my last post in this series -- way back in September 2022, several things happened that prevented any further installments. First came CollabSphere 2022 and then CollabSphere 2023, and organizing international conferences can easily consume all of one's spare time. Throughout this same time period, our product development efforts continued at full speed and are just now coming to fruition, which means it is finally time to continue our blog series. So let's get started... As developers, most of us create applications through the conscious act of programming, either procedural, as many of us old-timers grew up with, or object-oriented, which we grudgingly had to admit was better. This is true whether we are using Java, LotusScript, C++ or Rust on Domino. (By the way, does anyone remember Pascal? When I was in school, I remember being told it was the language of the future, but for some reason it didn't seem to survive past the MTV era).  But in the last decade, there a...

Creating Twitter Bootstrap Widgets - Part II - Let's Assemble

Creating Twitter Bootstrap Widgets - Part I - Anatomy of a Widget Creating Twitter Bootstrap Widgets - Part II - Let's Assemble Creating Twitter Bootstrap Widgets - Part IIIA - Using Dojo To Bring It Together This is two part of my five part series "Creating Twitter Bootstrap Widgets".   As I mentioned in part one of this series, Twitter Bootstrap widgets are built from a collection standard HTML elements, styled, and programmed to function as a single unit. The goal of this series is to teach you how to create a Bootstrap widget that utilizes the Bootstrap CSS and Dojo. The use of Dojo with Bootstrap is very limited with the exception of Kevin Armstrong who did an incredible job with his Dojo Bootstrap, http://dojobootstrap.com. Our example is a combo box that we are building to replace the standard Bootstrap combo box. In part one, we built a widget that looks like a combo box but did not have a drop down menu associated with it to allow the user to make a select...

The iPhora Journey - Part 3 - Creating an Integrated UI Framework

The iPhora Journey - Part 1 - Reimagining Domino The iPhora Journey - Part 2 - Domino, the Little Engine that Could The iPhora Journey - Part 3 - Creating an Integrated UI Framework There are many ways to create the user interface (UI) for a web application. The HTML page could be created on the server and then pushed out. It could be static with the data generated on the page by the server with JavaScript, providing a more dynamic experience, or the server could generate new HTML content to update portions of the web page. XPages or PHP are good examples of this. Another method is to have the web page partially generated by the server and have JavaScript build the rest of the HTML by pulling data from the server via an API. This is the approach used in the Single Page Application (SPA) model. In all cases, it is still dependent on the web server technology being using.  As mentioned previously in this blog, XPages is dependent on complete integration between form and document, whi...