Application Development
Application Development
Database System Concepts - 7th Edition 9.2 ©Silberschatz, Korth and Sudarshan
Application Architectures
Application layers
Presentation or user interface
model-view-controller (MVC) architecture
– model: business logic
– view: presentation of data, depends on display device
– controller: receives events, executes actions, and returns a
view to the user
business-logic layer
provides high level view of data and actions on data
– often using an object data model
hides details of data storage schema
data access layer
interfaces between business logic layer and the underlying
database
provides mapping from object model of business layer to relational
model of database
Database System Concepts - 7th Edition 9.3 ©Silberschatz, Korth and Sudarshan
Application Architecture
Database System Concepts - 7th Edition 9.4 ©Silberschatz, Korth and Sudarshan
Business Logic Layer
Provides abstractions of entities
E.g., students, instructors, courses, etc
Enforces business rules for carrying out actions
E.g., student can enroll in a class only if she has completed
prerequsites, and has paid her tuition fees
Supports workflows which define how a task involving multiple
participants is to be carried out
E.g., how to process application by a student applying to a university
Sequence of steps to carry out task
Error handling
E.g. what to do if recommendation letters not received on time
Workflows discussed in Section 26.2
Database System Concepts - 7th Edition 9.5 ©Silberschatz, Korth and Sudarshan
Object-Relational Mapping
Allows application code to be written on top of object-oriented data
model, while storing data in a traditional relational database
Alternative: implement object-oriented or object-relational database
to store object model
Has not been commercially successful
Schema designer has to provide a mapping between object data and
relational schema
E.g., Java class Student mapped to relation student, with
corresponding mapping of attributes
An object can map to multiple tuples in multiple relations
Application opens a session, which connects to the database
Objects can be created and saved to the database using
session.save(object)
Mapping used to create appropriate tuples in the database
Query can be run to retrieve objects satisfying specified predicates
Database System Concepts - 7th Edition 9.6 ©Silberschatz, Korth and Sudarshan
Object-Relational Mapping
Database System Concepts - 7th Edition 9.7 ©Silberschatz, Korth and Sudarshan
Object-Relational Mapping and Hibernate (Cont.)
Database System Concepts - 7th Edition 9.8 ©Silberschatz, Korth and Sudarshan
Web Services
Allow data on Web to be accessed using remote procedure call mechanism
Two approaches are widely used
Representation State Transfer (REST): allows use of standard HTTP
request to a URL to execute a request and return data
Returned data is encoded either in XML, or in JavaScript Object
Notation (JSON)
Big Web Services:
Uses XML representation for sending request data, as well as for
returning results
Standard protocol layer built on top of HTTP
See Section 23.7.3
Database System Concepts - 7th Edition 9.9 ©Silberschatz, Korth and Sudarshan
Disconnected Operations
Tools for applications to use the Web when connected, but operate locally
when disconnected from the Web
Make use of HTML5 local storage
Database System Concepts - 7th Edition 9.10 ©Silberschatz, Korth and Sudarshan
Rapid Application Development
A lot of effort is required to develop Web application interfaces
More so, to support rich interaction functionality associated with Web
2.0 applications
Several approaches to speed up application development
Function library to generate user-interface elements
Drag-and-drop features in an IDE to create user-interface elements
Automatically generate code for user interface from a declarative
specification
Above features have been in used as part of rapid application
development (RAD) tools even before advent of Web
Web application development frameworks
Java Server Faces (JSF) includes JSP tag library
Ruby on Rails
Allows easy creation of simple CRUD (create, read, update and
delete) interfaces by code generation from database schema or
object model
Database System Concepts - 7th Edition 9.11 ©Silberschatz, Korth and Sudarshan
Application Performance
Database System Concepts - 7th Edition 9.13 ©Silberschatz, Korth and Sudarshan
Improving Web Server Performance
Performance is an issue for popular Web sites
May be accessed by millions of users every day, thousands of
requests per second at peak time
Caching techniques used to reduce cost of serving pages by exploiting
commonalities between requests
At the server site:
Caching of JDBC connections between servlet requests
– a.k.a. connection pooling
Caching results of database queries
– Cached results must be updated if underlying database
changes
Caching of generated HTML
At the client’s network
Caching of pages by Web proxy
Database System Concepts - 7th Edition 9.14 ©Silberschatz, Korth and Sudarshan
Application Security
Database System Concepts - 7th Edition 9.15 ©Silberschatz, Korth and Sudarshan
OWASP TOP 10 2021 (The Open Worldwide Application Security Project)
17
Database System Concepts - 7th Edition 9.17 ©Silberschatz, Korth and Sudarshan
Cross Site Scripting
Database System Concepts - 7th Edition 9.18 ©Silberschatz, Korth and Sudarshan
Cross Site Scripting
Protect your web site from XSS/XSRF attacks launched from other sites
Use referer value (URL of page from where a link was clicked)
provided by the HTTP protocol, to check that the link was followed
from a valid page served from same site, not another site
Ensure IP of request is same as IP from where the user was
authenticated
Prevents hijacking of cookie by malicious user
Never use a GET method to perform any updates
This is actually recommended by HTTP standard
Database System Concepts - 7th Edition 9.19 ©Silberschatz, Korth and Sudarshan
Password Leakage
Database System Concepts - 7th Edition 9.20 ©Silberschatz, Korth and Sudarshan
Application Authentication
Single factor authentication such as passwords too risky for critical
applications
Guessing of passwords, sniffing of packets if passwords are not
encrypted
Passwords reused by user across sites
Spyware which captures password
Two-factor authentication
E.g., password plus one-time password sent by SMS
E.g., password plus one-time password devices
Device generates a new pseudo-random number every minute,
and displays to user
User enters the current number as password
Application server generates same sequence of pseudo-random
numbers to check that the number is correct.
Database System Concepts - 7th Edition 9.21 ©Silberschatz, Korth and Sudarshan
Application Authentication
Man-in-the-middle attack
E.g., web site that pretends to be mybank.com, and passes on
requests from user to mybank.com, and passes results back to user
Even two-factor authentication cannot prevent such attacks
Solution: authenticate Web site to user, using digital certificates, along with
secure http protocol
Central authentication within an organization
Application redirects to central authentication service for authentication
Avoids multiplicity of sites having access to user’s password
LDAP or Active Directory used for authentication
Database System Concepts - 7th Edition 9.22 ©Silberschatz, Korth and Sudarshan
Single Sign-On
Database System Concepts - 7th Edition 9.23 ©Silberschatz, Korth and Sudarshan
Application-Level Authorization
Current SQL standard does not allow fine-grained authorization such as
“students can see their own grades, but not other’s grades”
Problem 1: Database has no idea who are application users
Problem 2: SQL authorization is at the level of tables, or columns of
tables, but not to specific rows of a table
One workaround: use views such as
create view studentTakes as
select *
from takes
where takes.ID = syscontext.user_id()
where syscontext.user_id() provides end user identity
End user identity must be provided to the database by the
application
Having multiple such views is cumbersome
Database System Concepts - 7th Edition 9.24 ©Silberschatz, Korth and Sudarshan
Application-Level Authorization (Cont.)
Currently, authorization is done entirely in application
Entire application code has access to entire database
Large surface area, making protection harder
Alternative: fine-grained (row-level) authorization schemes
Extensions to SQL authorization proposed but not currently
implemented
Oracle Virtual Private Database (VPD) allows predicates to be added
transparently to all SQL queries, to enforce fine-grained authorization
E.g., add ID= sys_context.user_id() to all queries on student
relation if user is a student
Database System Concepts - 7th Edition 9.25 ©Silberschatz, Korth and Sudarshan
Audit Trails
Applications must log actions to an audit trail, to detect who carried out
an update, or accessed some sensitive data
Audit trails used after-the-fact to
Detect security breaches
Repair damage caused by security breach
Trace who carried out the breach
Audit trails needed at
Database level, and at
Application level
Database System Concepts - 7th Edition 9.26 ©Silberschatz, Korth and Sudarshan
End of Chapter 9
Database System Concepts - 7th Edition 9.33 ©Silberschatz, Korth and Sudarshan