Franck,

Makes sense to me.  Do you (or does anyone) know of any open/standards based 
architecture for this SOAP token security?  Any OOTB solutions out there, or 
do I need to redesign the wheel?

Thanks!
Darren




>From: "Franck de Bruijn" <[EMAIL PROTECTED]>
>Reply-To: [email protected]
>To: <[email protected]>
>Subject: RE: [flexcoders] Re: Choice of backend systems - which provides 
>best functionality
>Date: Thu, 24 Aug 2006 07:33:13 +0200
>
>Hi Darren,
>
>
>
>I developed my webservices such that you have to supply a security token in
>the header section of a SOAP operation. By using a security token you
>prevent needing to send the user credentials over the line every time for
>every request to the back-end. It's a mechanism used heavily in most
>web-based systems (including single sign-on). Maybe the difference is that
>often these security tokens are sent in by means of cookies. Webservices
>don't need cookies; they have a header section (something that simple HTTP
>requests/posts don't).
>
>
>
>After a successful login operation, a security token is generated and
>stored in the database together with the necessary user profile
>information. So, the user session information is actually stored in the
>database and not in the application server. Yes, you have to do an extra
>query to your database to get the session information back, but since it's
>a very simple and fast query on a primary key it will be nearly costless.
>
>
>
>Databases have been around now for more than 20 years. They have been totally
>optimized for data storage and data distribution (if you need a clustered
>database). It's my belief that databases can do this much better than
>application servers (or myself/yourself).
>
>
>
>I also try to rule out caching (of dynamic data) in my application servers.
>Each normal thinking human being understands that caching (and the
>distribution of the cache among your application server cluster) introduces
>many headaches. In my experience, when performance issues arise, most often
>these are solved by writing cleverer queries, rearchitecting your
>interface, and even maybe taking some consequences in the UI (ok, we don't
>display that attribute directly, but behind a tab or something). In my
>opinion caching is rarely the best solution for performance increase, but
>probably the easiest to develop ... and the hardest to maintain.
>
>
>
>Cheers,
>
>Franck
>
>
>
>   _____
>
>From: [email protected] [mailto:[EMAIL PROTECTED] On
>Behalf Of Dave Wolf
>Sent: Wednesday, August 23, 2006 11:54 PM
>To: [email protected]
>Subject: [flexcoders] Re: Choice of backend systems - which provides best
>functionality
>
>
>
>Darren,
>
>Flex inherits the HTTP session that the page which contained the EMBED
>tag acquired. Don't forget that HTTP/HTML is entirely stateless and
>yet we can easily secure those. The theory is identical with Flex.
>
>--
>Dave Wolf
>Cynergy Systems, Inc.
>Adobe Flex Alliance Partner
>http://www.cynergysystems.com
>http://www.cynergysystems.com/blogs
>
>Email: [EMAIL PROTECTED]
>Office: 866-CYNERGY
>
>--- In [EMAIL PROTECTED],
>"Darren Houle" <[EMAIL PROTECTED]> wrote:
> >
> > Franck,
> >
> > I agree with you, but... how do you handle security in a stateless
> > back-end? I mean... how do you maintain logged-in / user session
> > information? Or unauthorized access of the web services by others? If
> > Flex is *completely* agnostic of the back-end technology then how do you
> > securely link them together?
> >
> > Darren
> >
> >
> >
> >
> > >From: "Franck de Bruijn" <[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >To: <[EMAIL PROTECTED]>
> > >Subject: RE: [flexcoders] Re: Choice of backend systems - which provides
> > >best functionality
> > >Date: Tue, 22 Aug 2006 18:03:24 +0200
> > >
> > >Hi Barry,
> > >
> > >
> > >
> > >I'm not sure if I can be of much help here. I'm not into PHP, I'm not
> > >into FDS and remoting and the AMF protocol that is related to it. For
> > >me, but that is totally a personal opinion, the only acceptable solution
> > >for communication with a back-end is webservices, and nothing else.
> > >Briefly here are my reasons:
> > >
> > >* The coolest thing about Flex is not the graphics ... but that you
> > >can make your server stateless, meaning that you obtain 100% fail-over
> > >characteristics including linear scalability. With FDS (or any other
> > >related solution) you highly likely lose this 'feature' and my guess is
> > >that scalability will be tougher to achieve; for sure it is harder to
> > >guarantee ... with a stateless server solution you can. And we always
> > >want to grow with our applications, don't we???
> > >* I like to keep my Flex layer totally independent of my back-end
> > >layer. My back-end layer should not be aware by any means of the client
> > >technology. With webservices you realize this. With FDS (or any other
> > >related solution) you get a vendor lock-in, which I consider undesirable.
> > >* The trend in my business is that more and more you get projects only
> > >for a front-end or back-end solution. In the past it occurred more that
> > >you had to build them together, but that is changing. It's very
> > >acceptable to request a back-end to expose its operations through
> > >webservices. It's not very acceptable to request them to expose it via
> > >FDS or something like that.
> > >
> > >
> > >
> > >To be fair, there are some disadvantages using web services as well;
> > >among others:
> > >
> > >* No automatic conversion of the web service results into your custom
> > >action script classes. You have to make converters yourself to
> > >accomplish this. With FDS/AMF I understand you can have this conversion
> > >automatically done for you.
> > >* Performance. People tend to say that webservices are slow. It's true
> > >that the serialization/deserialization of the XML (both on client and
> > >server) side takes computing time. My experiences so far are that this
> > >extra computing time is not causing any serious damage in the user
> > >experience.
> > >* Flex has some trouble communicating with DOC/Literal encoded
> > >webservices. Especially in the .Net corner this is causing problems. But
> > >that should be temporary ... The Adobe guys are working on it and
> > >hopefully in a next release these issues will be fixed.
> > >
> > >
> > >
> > >For me the advantages of webservices by far outweigh the disadvantages.
> > >So if you ask me: use webservices! You keep your freedom ...
> > >
> > >
> > >
> > >Cheers,
> > >
> > >Franck
> > >
> > >
> > >
> > >
> > >
> > > _____
> > >
> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> > >Behalf Of barry.beattie
> > >Sent: Tuesday, August 22, 2006 9:50 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: [flexcoders] Re: Choice of backend systems - which provides best
> > >functionality
> > >
> > >
> > >
> > >Franck and Doug: may I be so bold as to include here some information
> > >I sent to our programming team for them to have some context?
> > >
> > >I offer it here as a talking point only - and would invite any
> > >comments or corrections to help me gain a better understanding myself
> > >... this has just been gathered by my own ad-hoc investigations. the
> > >context of the email was a report that Adobe were seriously targeting
> > >PHP developers for Flex.
> > >
> > >------------------------------------
> > >regarding Flash remoting: some background to put it into context:
> > >
> > >there are three basic ways of getting communication happening between
> > >a SWF (now-a-days built with Flex) and server-side code:
> > >
> > >webservices
> > >XML HTTP requests
> > >Flash Remoting (using the Async Message Format - AMF)
> > >
> > >PHPAMF (Flash remoting with PHP) is not a Macromedia/Adobe product. It
> > >was reverse engineered by the PHP community to use Flash remoting.
> > >It's been around for a few years (that I know of) and may be even more
> > >popular than CF-AMF (don't know for sure)
> > >
> > >here's the important bit:
> > >
> > >PHPAMF, OpenAMF, the Adobe .NET/ Java remoting add-in and ColdFusion
> > >6.1 remoting all use the AMF0 protocol. ColdFusion 7.02 and
> > >FlexDataServices (Java) all use AMF3
> > >
> > >What's the diff? 2 things:
> > >Apart from some removal of dumb stuff-ups and a reduction of data
> > >packet size (thanx to new encoding), AMF3 is very strongly typed which
> > >allows a seamless (and easy) mapping/conversion between server side
> > >objects (eg: Java value objects and ColdFusion's CFC's). This is why
> > >FlexBuilder can have a simple wizard to take your CFC and create
> > >Actionscript classes from it (and/or vice versa). Before it was all
> > >manual with a tonne of testing (eg string to numeric conversions, etc).
> > >
> > >[NOTE: the following paragraph is total speculation]
> > >
> > >Also, inside the latest Flash player (Flash9) there are actually 2
> > >players. An older for backwards compatibility and the latest "hot-rod"
> > >that has had some amazing improvements in functionality and speed.
> > >Expect to see the use for the older player deprecated in less than 5
> > >years (the new player in Flash9 is like starting again). AMF0 is for
> > >the older player, AMF3 for the newer.
> > >
> > >Will Adobe release their own PHPAMF using AMF3? I'm not sure, since
> > >they aren't bothering to upgrade the .NET/ Java remoting add-in (I've
> > >checked). But if they do, you can be assured that they will charge
> > >well for it - just like the .NET/ Java remoting add-in (almost as much
> > >as a CF licence).
> > >
> > >Will the PHP community re-engineer their remoting for AMF3? Quite
> > >possibly. they're smart people. But I haven't heard anything yet....
> > >
> > >my gut feeling? Adobe will try and push remoting onto everyone so they
> > >can take up Flex 2 and buy Flexbuilder. they'll have to support it
> > >somehow. see the note below about WebOrb...
> > >
> > >ADDENDUM
> > >
> > >I have deliberately not mentioned 2 products:
> > >
> > >WebOrb, a pricey but full featured product that is an alternative to
> > >FlexDataServices (and runs AMF3) for .NET and Java - and - (coming
> > >soon) PHP and Ruby! (http://www.themidnightcoders.com/index.htm)
> > >Fluorine, an open source project for Flash (AMF3) and .NET
> > >(http://fluorine.thesilentgroup.com/fluorine/index.html)
> > >
> > >
> > >
> >
>
>
>




--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com 
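
Added example (not part of the original thread, and not Franck's code): a sketch of the scheme described in the quoted 24 Aug message, where a token issued at login is carried in the SOAP header and resolved by a primary-key lookup in the database. The header element name, table layout, session lifetime and the choice to store only a SHA-256 digest of the token are assumptions made for illustration.

```python
import hashlib, secrets, sqlite3, time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TOKEN_TAG = "{urn:example:auth}SecurityToken"  # hypothetical header element
TTL_SECONDS = 1800                             # assumed session lifetime

def open_store():
    """Session table: the token digest is the primary key, profile data beside it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (token_hash TEXT PRIMARY KEY, "
               "username TEXT NOT NULL, role TEXT NOT NULL, expires REAL NOT NULL)")
    return db

def _digest(token):
    # Assumption: store a digest so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def login(db, username, role, now=None):
    """Call only after credentials were verified; returns the token for the client."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO session VALUES (?, ?, ?, ?)",
               (_digest(token), username, role, now + TTL_SECONDS))
    return token

def authenticate(db, envelope_xml, now=None):
    """Return (username, role) for a valid, unexpired header token, else None."""
    now = time.time() if now is None else now
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{{{SOAP_NS}}}Header/{TOKEN_TAG}")
    if node is None or not (node.text or "").strip():
        return None
    row = db.execute("SELECT username, role, expires FROM session "
                     "WHERE token_hash = ?", (_digest(node.text.strip()),)).fetchone()
    if row is None or row[2] <= now:
        return None
    return row[0], row[1]

def build_request(token):
    """Constructed sample request: token in the header, operation in the body."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:a="urn:example:auth">'
            f'<soap:Header><a:SecurityToken>{token}</a:SecurityToken></soap:Header>'
            f'<soap:Body><GetOrders/></soap:Body></soap:Envelope>')
```

Because every request is resolved against the shared table, any application server in the cluster can handle it, and deleting the row ends the session everywhere at once.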