0% found this document useful (0 votes)
14 views

Application Development

Chapter 9 discusses application development in database systems, focusing on application architectures, including presentation, business logic, and data access layers. It covers object-relational mapping, web services, application performance, and security measures such as authentication and authorization. The chapter emphasizes the importance of audit trails and performance optimization techniques in web applications.

Uploaded by

Nguyên Trung
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views

Application Development

Chapter 9 discusses application development in database systems, focusing on application architectures, including presentation, business logic, and data access layers. It covers object-relational mapping, web services, application performance, and security measures such as authentication and authorization. The chapter emphasizes the importance of audit trails and performance optimization techniques in web applications.

Uploaded by

Nguyên Trung
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 25

Chapter 9: Application Development

Database System Concepts, 7th Ed.


©Silberschatz, Korth and Sudarshan
See www.db-book.com for conditions on re-use
Application Architectures

Database System Concepts - 7th Edition 9.2 ©Silberschatz, Korth and Sudarshan
Application Architectures
 Application layers
 Presentation or user interface
 model-view-controller (MVC) architecture
– model: business logic
– view: presentation of data, depends on display device
– controller: receives events, executes actions, and returns a
view to the user
 business-logic layer
 provides high level view of data and actions on data
– often using an object data model
 hides details of data storage schema
 data access layer
 interfaces between business logic layer and the underlying
database
 provides mapping from object model of business layer to relational
model of database

Database System Concepts - 7th Edition 9.3 ©Silberschatz, Korth and Sudarshan
Application Architecture

Database System Concepts - 7th Edition 9.4 ©Silberschatz, Korth and Sudarshan
Business Logic Layer
 Provides abstractions of entities
 E.g., students, instructors, courses, etc
 Enforces business rules for carrying out actions
 E.g., student can enroll in a class only if she has completed
prerequsites, and has paid her tuition fees
 Supports workflows which define how a task involving multiple
participants is to be carried out
 E.g., how to process application by a student applying to a university
 Sequence of steps to carry out task
 Error handling
 E.g. what to do if recommendation letters not received on time
 Workflows discussed in Section 26.2

Database System Concepts - 7th Edition 9.5 ©Silberschatz, Korth and Sudarshan
Object-Relational Mapping
 Allows application code to be written on top of object-oriented data
model, while storing data in a traditional relational database
 Alternative: implement object-oriented or object-relational database
to store object model
 Has not been commercially successful
 Schema designer has to provide a mapping between object data and
relational schema
 E.g., Java class Student mapped to relation student, with
corresponding mapping of attributes
 An object can map to multiple tuples in multiple relations
 Application opens a session, which connects to the database
 Objects can be created and saved to the database using
session.save(object)
 Mapping used to create appropriate tuples in the database
 Query can be run to retrieve objects satisfying specified predicates

Database System Concepts - 7th Edition 9.6 ©Silberschatz, Korth and Sudarshan
Object-Relational Mapping

Database System Concepts - 7th Edition 9.7 ©Silberschatz, Korth and Sudarshan
Object-Relational Mapping and Hibernate (Cont.)

 The Hibernate object-relational mapping system is widely used


 Public domain system, runs on a variety of database systems
 Supports a query language that can express complex queries
involving joins
 Translates queries into SQL queries
 Allows relationships to be mapped to sets associated with objects
 E.g., courses taken by a student can be a set in Student object
 See book for Hibernate code example
 The Entity Data Model developed by Microsoft
 Provides an entity-relationship model directly to application
 Maps data between entity data model and underlying storage, which
can be relational
 Entity SQL language operates directly on Entity Data Model

Database System Concepts - 7th Edition 9.8 ©Silberschatz, Korth and Sudarshan
Web Services
 Allow data on Web to be accessed using remote procedure call mechanism
 Two approaches are widely used
 Representation State Transfer (REST): allows use of standard HTTP
request to a URL to execute a request and return data
 Returned data is encoded either in XML, or in JavaScript Object
Notation (JSON)
 Big Web Services:
 Uses XML representation for sending request data, as well as for
returning results
 Standard protocol layer built on top of HTTP
 See Section 23.7.3

Database System Concepts - 7th Edition 9.9 ©Silberschatz, Korth and Sudarshan
Disconnected Operations
 Tools for applications to use the Web when connected, but operate locally
when disconnected from the Web
 Make use of HTML5 local storage

Database System Concepts - 7th Edition 9.10 ©Silberschatz, Korth and Sudarshan
Rapid Application Development
 A lot of effort is required to develop Web application interfaces
 More so, to support rich interaction functionality associated with Web
2.0 applications
 Several approaches to speed up application development
 Function library to generate user-interface elements
 Drag-and-drop features in an IDE to create user-interface elements
 Automatically generate code for user interface from a declarative
specification
 Above features have been in used as part of rapid application
development (RAD) tools even before advent of Web
 Web application development frameworks
 Java Server Faces (JSF) includes JSP tag library
 Ruby on Rails
 Allows easy creation of simple CRUD (create, read, update and
delete) interfaces by code generation from database schema or
object model

Database System Concepts - 7th Edition 9.11 ©Silberschatz, Korth and Sudarshan
Application Performance

Database System Concepts - 7th Edition 9.13 ©Silberschatz, Korth and Sudarshan
Improving Web Server Performance
 Performance is an issue for popular Web sites
 May be accessed by millions of users every day, thousands of
requests per second at peak time
 Caching techniques used to reduce cost of serving pages by exploiting
commonalities between requests
 At the server site:
 Caching of JDBC connections between servlet requests
– a.k.a. connection pooling
 Caching results of database queries
– Cached results must be updated if underlying database
changes
 Caching of generated HTML
 At the client’s network
 Caching of pages by Web proxy

Database System Concepts - 7th Edition 9.14 ©Silberschatz, Korth and Sudarshan
Application Security

Database System Concepts - 7th Edition 9.15 ©Silberschatz, Korth and Sudarshan
OWASP TOP 10 2021 (The Open Worldwide Application Security Project)

17
Database System Concepts - 7th Edition 9.17 ©Silberschatz, Korth and Sudarshan
Cross Site Scripting

 HTML code on one page executes action on another page


 E.g., <img src =
http://mybank.com/transfermoney?amount=1000&toaccount=14523>
 Risk: if user viewing page with above code is currently logged into
mybank, the transfer may succeed
 Above example simplistic, since GET method is normally not used
for updates, but if the code were instead a script, it could execute
POST methods
 Above vulnerability called cross-site scripting (XSS) or cross-site
request forgery (XSRF or CSRF)
 Prevent your web site from being used to launch XSS or XSRF
attacks
 Disallow HTML tags in text input provided by users, using functions
to detect and strip such tags
 Protect your web site from XSS/XSRF attacks launched from other
sites
 ..next slide

Database System Concepts - 7th Edition 9.18 ©Silberschatz, Korth and Sudarshan
Cross Site Scripting

Protect your web site from XSS/XSRF attacks launched from other sites

 Use referer value (URL of page from where a link was clicked)
provided by the HTTP protocol, to check that the link was followed
from a valid page served from same site, not another site
 Ensure IP of request is same as IP from where the user was
authenticated
 Prevents hijacking of cookie by malicious user
 Never use a GET method to perform any updates
 This is actually recommended by HTTP standard

Database System Concepts - 7th Edition 9.19 ©Silberschatz, Korth and Sudarshan
Password Leakage

 Never store passwords, such as database passwords, in clear text in


scripts that may be accessible to users
 E.g., in files in a directory accessible to a web server
 Normally, web server will execute, but not provide source of
script files such as file.jsp or file.php, but source of editor backup
files such as file.jsp~, or .file.jsp.swp may be served
 Restrict access to database server from IPs of machines running
application servers
 Most databases allow restriction of access by source IP address

Database System Concepts - 7th Edition 9.20 ©Silberschatz, Korth and Sudarshan
Application Authentication
 Single factor authentication such as passwords too risky for critical
applications
 Guessing of passwords, sniffing of packets if passwords are not
encrypted
 Passwords reused by user across sites
 Spyware which captures password
 Two-factor authentication
 E.g., password plus one-time password sent by SMS
 E.g., password plus one-time password devices
 Device generates a new pseudo-random number every minute,
and displays to user
 User enters the current number as password
 Application server generates same sequence of pseudo-random
numbers to check that the number is correct.

Database System Concepts - 7th Edition 9.21 ©Silberschatz, Korth and Sudarshan
Application Authentication
 Man-in-the-middle attack
 E.g., web site that pretends to be mybank.com, and passes on
requests from user to mybank.com, and passes results back to user
 Even two-factor authentication cannot prevent such attacks
 Solution: authenticate Web site to user, using digital certificates, along with
secure http protocol
 Central authentication within an organization
 Application redirects to central authentication service for authentication
 Avoids multiplicity of sites having access to user’s password
 LDAP or Active Directory used for authentication

Database System Concepts - 7th Edition 9.22 ©Silberschatz, Korth and Sudarshan
Single Sign-On

 Single sign-on allows user to be authenticated once, and applications can


communicate with authentication service to verify user’s identity without
repeatedly entering passwords
 Security Assertion Markup Language (SAML) standard for exchanging
authentication and authorization information across security domains
 E.g., user from Yale signs on to external application such as acm.org
using userid [email protected]
 Application communicates with Web-based authentication service at
Yale to authenticate user, and find what the user is authorized to do by
Yale (e.g., access certain journals)
 OpenID standard allows sharing of authentication across organizations
 E.g., application allows user to choose Yahoo! as OpenID
authentication provider, and redirects user to Yahoo! for authentication

Database System Concepts - 7th Edition 9.23 ©Silberschatz, Korth and Sudarshan
Application-Level Authorization
 Current SQL standard does not allow fine-grained authorization such as
“students can see their own grades, but not other’s grades”
 Problem 1: Database has no idea who are application users
 Problem 2: SQL authorization is at the level of tables, or columns of
tables, but not to specific rows of a table
 One workaround: use views such as
create view studentTakes as
select *
from takes
where takes.ID = syscontext.user_id()
 where syscontext.user_id() provides end user identity
 End user identity must be provided to the database by the
application
 Having multiple such views is cumbersome

Database System Concepts - 7th Edition 9.24 ©Silberschatz, Korth and Sudarshan
Application-Level Authorization (Cont.)
 Currently, authorization is done entirely in application
 Entire application code has access to entire database
 Large surface area, making protection harder
 Alternative: fine-grained (row-level) authorization schemes
 Extensions to SQL authorization proposed but not currently
implemented
 Oracle Virtual Private Database (VPD) allows predicates to be added
transparently to all SQL queries, to enforce fine-grained authorization
 E.g., add ID= sys_context.user_id() to all queries on student
relation if user is a student

Database System Concepts - 7th Edition 9.25 ©Silberschatz, Korth and Sudarshan
Audit Trails
 Applications must log actions to an audit trail, to detect who carried out
an update, or accessed some sensitive data
 Audit trails used after-the-fact to
 Detect security breaches
 Repair damage caused by security breach
 Trace who carried out the breach
 Audit trails needed at
 Database level, and at
 Application level

Database System Concepts - 7th Edition 9.26 ©Silberschatz, Korth and Sudarshan
End of Chapter 9

Database System Concepts - 7th Edition 9.33 ©Silberschatz, Korth and Sudarshan

You might also like