Today | RSS | RDF | Atom | Other
 
Advanced Search
Eric's weblog
Weird Thoughts From Eric's Head

Tags - Categories : All | AJAX | BUSINESS | PERSONAL | PROGRAMMING | BOOK REVIEW
December 2005
SunMonTueWedThuFriSat
     1  2  3 
 4  5  6  7  8  9  10 
 11  12  13  14  15  16  17 
 18  19  20  21  22  23  24 
 25  26  27  28  29  30  31 
Nov  |  Today  |  Jan

Recent Blog Entries
Google Chrome Debugger

Co-Author of Ajax In Action Ajax In Action

Recent Responses
Re: Make innerText compatiable
A better way to do this now is: if(document.all){ document.getElementB...

Re: The responseXML is null or has an error.
Another problem that can screw up your XML response when it is generated by PHP code is when you make a call to a PHP function that reports a warning such as the mail function does when there is a problem with the mail set up. You can suppress these wa...

Other Blogs
Dave Crane
Val's Blog
Dirk's Blog
Nate's weblog
Ajith Kallambella
Lasse's weblog
Gregg's Weblog
Hershey's Blog
My Cave Online
Bounces amongst neurons
Six Sides To A Box
Jia Yo!
Moose in Headlights
Unresolved References
This That and The Other...
Just My Thoughts
Balaji's blog
Java Ranch Book Reviews
Corey's SCJP Tipline, etc.
JavaRanch News
Eric's weblog
Barry's weblog
Mike Curwen's Blog
David's blog
In through the out door
Frank Carver's weblog
Peabody's
Uncontrolled Vocabularies
The Bear Den
I've Been Wondering...
Simon Brown
<< AIA News Update: Dave's interview w/ indicthreads.com | Home | JavaScript Sortable Table >>
Permalink
[AJAX] [PROGRAMMING] Ajax: Where should my business logic sit?

Ajax: Where should my business logic sit?

In my recent Ajax In Action talk I gave at the Central PA code camp, I had some interesting side discussions with people about Ajax. One of the topics that seemed to come up is: "Where should my business logic sit?"

I always tell people that it needs to sit on the server and not on the client. The two points that it is based upon is speed and security. Since security is an easier topic to cover I will start there.

Now for years that I have been moderating on JavaRanch.com, one of the questions I see pop up is how can I secure my code, images, HTML markup, CSS, and so on. The real answer is anything that is rendered in a browser is basically "Open Source" since there is no way to really protect it. All of this information is "downloaded" into the cache so everyone has a copy of it. You can destroy all the formatting by eliminating returns and changing variable names, but it still can be deciphered by anyone that has time. So basically if security is very important for you, than your business logic has to be on the server. (If I see anyone saying right click scripts and no tool bars are the way to avoid this in my comments I am going to laugh. Give me 5 seconds to send you the source code.)

Now speed of execution is also a point that was brought up. Your server running server side code should be a lot faster than most people's computers running JavaScript. Get a person with 10 browser windows open, word and excel, acrobat reader, outlook, media player, and those spyware apps running and say bye to the memory and speed. Ever run a for loop with 3000 interactions? Some people's browsers choke and freeze up. This is one main reason to stick with the server for business logic is more reliability in processing information. Plus most servers are built to crunch data. Why use a browser running JavaScript that has poor memory management (unless you built your server side app. with poor memory management, but that is a different story!)

A counter argument was putting business logic before making the request limits the amount of data being sent to the server. This is true for certain applications. Look at the type ahead suggest that I wrote in Ajax In Action. We use logic to determine if we need to make the request. Do you have the correct data or should we send the XHR to the server to get more data. BUT you do not see me building my query string directly from the JavaScript opening up a big hole for any SQL injections. I have seen that with some implementations people have showed me on forums and email. Major No No! Please delete my database table!

In general you should put your business logic on the server. The clientside should be handling the displaying of the data (aka the user interface portion.) It is just like our classic postback web application. You never built querys or logic with JavaScript code and saved it in a hidden text field for the server side code to read. All of that is done behind the scenes out of the view of the people. That same idea should apply to your Ajax applications. If you are accessing databases, algorithms, etc. you need to keep this information secure on the server. Ajax or even a classic postback form can open this up to attack, so you need to always secure your data and check for the injection attacks.

Hopefully I answered some people's questions on this topic with my quick rambling. I know I did not go into any great detail or have sample code, but I am sure I got some points across.

Eric Pascarello

Eric Pascarello
Coauthor of Ajax In Action
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages

TrackBacks[0] Comments[3] Posted by pascarello on December 16, 2005 11:43:28 AM EST

Reply | Permalink Re: Ajax: Where should my business logic sit?
Of course, any software engineering theory dictates that any AJAX has no trace of business logic, but that this one must be limited to the server. Any theoricist will tell you that you should put all of your logic in server-side web services, and handle only the presentation issues on the AJAX client side. Also of course, the ability of creating business logic in a simple development environment like Javascript will lead in practice to the existence of a large number of applications with all of its business logic in the client side part. Just have a look at the number of applications existing now that have input validations only in the client side, and have the server side open to any client side mischief. This is one of the problems I see in all the fuzz around AJAX. In my view, Javascript is not a good, stable, reliable environment for running professional applications. In my experience, any average development team devoted to Javascript will end up creating an unmanageable mess. It is not that it is not possible to do it in the right way: it is just that the average team won't. One just has to look to all the problems JSP has created to see this (if instead of just copying Microsoft's ASP with JSP Sun would have come up with a decent component-oriented framework for creating web views -which was perfectly feasible at the time-, web development would be a lot more easier now. Then, Java trailed MS again in this, with JSF). I think that currently there is much more hype in AJAX than practical stuff. Although all the frenzy is also good, since it draws the attention and it is a first step. A first step towards a good computing platform to deploy client-side applications to the web: what Java applets should have been and are not because of several different reasons. Something with the robustness of Java (or .Net), the appeal and speed of Flash, and the convenience and universal availability of Javascript. Some day there will be such a platform, well beyond AJAX. However, it will be also thanks to AJAX.
Comment from Javier Cámara on December 22, 2005 4:39:41 AM EST
Reply | Permalink Re: Ajax: Where should my business logic sit?
The business logic should be sitting on the server-side. However, some work may be needed on the client side with the data for formatting, etc. This is how we are using AJAX. I have to disagree with the comments above. Javascript used wisely is very stable and the DOM object is the underpinning of all major modern browsers. AJAX meerely manipulates the DOM to a large extent. In fact, the problems we are having with some of our third-party java plugins is the poor relationship with the dom. Many of these apps only provide the data availability on POST and not in the DOM.
Comment from Deco on December 22, 2005 11:31:45 AM EST
Reply | Permalink Re: Ajax: Where should my business logic sit?

I created a JavaScript Wrapper for my C# Business Logic classes. You specify which dll to "wrap" and the wrapper spits out javascript.

The result is that you can write near-C# language in JavaScript! I have all the public classes, constructors, public constants, public methods and public properties available client side in javascript.

The methods and constructors are just "empty" functions that check if the correct number of parameters are specified and then perform a synchronous web service call. The web service then invokes the construtor or method and returns the resulting value.

This means that you don't need to write hundreds of web services and web service methods when you need to interact with the business entities and business logic.

In respect to security the wrapper only wraps public classes and namespaces. And furthermore it checks that a [Wrap] attribute is present.

For even more security WSE provides a mechanism to digitally sign SOAP messages.

Comment from Troels Wittrup on February 19, 2006 7:56:49 AM EST


Add a comment

Title
Body
HTML : b, i, blockquote, br, p, pre, a href="", ul, ol, li
Math Quiz 6 + 4 = (Helps stop blog spam)
Name
E-mail address
Website
Remember me Yes  No 

E-mail addresses are not publicly displayed, so please only leave your e-mail address if you would like to be notified when new comments are added to this blog entry (you can opt-out later).

TrackBack to http://radio.javaranch.com/pascarello/addTrackBack.action?entry=1134751408446

Powered by Pebble 1.9.1 [ Login ] Content © Eric Pascarello