2-tier o 3-tier: Which is safer? - security

I'm reading about architecture and found the following expression:
For instance, in a 2-tier Windows Forms or ASP.NET application, the machine running the interface code must-have credentials to access the database server. Switching to a 3-tier model in Which the data access code runs on an application server machine running the Means That code no longer the interface Needs Those credentials, making the system Potentially more secure. (Rockford Lhotka)
I can not Realize why i should use 3-tier app.

In a three-tier application, the middle tier (the application server) controls all access to data, so it is possible to specify very fine and specific access control rules (in code), much more than the database itself offers. Whatever an end-user wants to do, has to go through your code (in a two-tier application, the end-user "directly" talks to the database).
OTOH, if you stop using the database access protections, securing the data is now entirely up to your application and coding errors can create huge security holes.

Related

Can web application be considered part of client/server architecture?

I am doing a research on client/server architecture and web applications. I've been reading different thoughts and suggestions around the web. Some saying that web applications are not considered client/server architecture apps while others are saying the exact opposite. I was wondering what is actually the right thing and if someone can provide in depth explanation that would be highly appreciated?
It depends on the architecture/design of your web application(s). The rule of thumb would be: The client application has to be another piece of software than the (resource) server. There is no "one right way" to design a client/server architecture.
The most common implementations for web based applications are MVC (Model View Controller and SPAs (Single Page Applications).
MVC applications (like ASP.NET or ZendFramework) are applications that are booth rendering the client and handling the business logic in the backend and are not based on a client/server model. (An action in a controller handles a request, loads some data and renders an HTML view as the response).
But: If your MVC Application is acting as a proxy calling a "remote" web service internally (via SOAP or whatever), it should be considered a client application.
As an example: A CRM system is running in an intranet network and provides a data-services for desktop clients. You could write a web application that displays data from those services which is then another client application.
The SPA architecture requires the separation of the server from the frontend, the SPA being the frontend, which in turn is the client application. With this requirement you are basically already implementing a client/server architecture. Let's say an AngularJS frontend and the backend could be a REST service (like ASP.NET WebAPI or Lumen).
The choice of where you host the client application does not affect the client/server architecture, since the applications are still separated on execution: the browser executes the JavaScript SPA on the device of the visitor and calls the service in some data center.
Web application is a part of client-server architecture. Any implementations have always two or more tiers, so two or more process communicate each other.
You may take a look on my old presentation "Architecture of enterprise (automated) information system - Layers and levels" that shows different client-server architectures including web application case (the slide "Tiers are physical layers (examples)" shows examples).

To understand Milton WebDAV server working with cloud environment load balancer

We want to use Milton WebDav to transfer files in our web application which eventually is going to be deployed on cloud environment (most likely azure) as IaaS.
Now we are aware that WebDAV standard is stateless and hence it should not create any problems with cloud load balancer, but what we are not sure about Milton and have few questions:
1.) Is Milton implemented WebDAV as it is, do all the communication remains stateless? I assume that it passes Authentication token with every request but I am not sure where is the token stored at server? Does it store it in the database or some sort of cache etc.?
2.) Do locking mechanism works fine if a load balance is used and there are 5-6 servers to handle the load? Again where does Milton server store Lock Token?
Sorry for the late comment, the two most important aspects of webdav which affect load balancing are digest authentication tokens (Nonce values) and lock tokens.
As the Resource implementor you get to control both of those. Lock tokens are typically stored in a database (you must implement the methods on LockableResource which will do the persistence) so will be shared across servers, although its not uncommon to use memory based lock tokens, in which case you need to find some way to share that information across servers.
Digest nonces are only a consideration if you've implemented DigestResource. The default NonceProvider uses a simple HashMap so this will not be shared across servers. But the interface is trivial so you can easily implement a database store. If your load-balancing solution uses sticky sessions then that won't be an issue because clients will go to the server which has their nonce.
Note that Tomcat session replication won't help with the above issues, because webdav clients typically dont support cookies, so there is no Servlet session.
I have never used Milton WebDAV before but from the looks of it, it is used to modify and edit files on a server.
However Azure's local storage is not shared. Each instance is a completely seperate server. If you modify a file on 1 server, it will not be replicated to the next.
Azure works by uploading a deployment package. When a new instance needs to come up it uses the deployment package and starts a completely new server.
From a your perspective they don't share anything in common. Because of this you will never know which server you are hitting.
If you have a shared file storage system behind, then it may be a different story. However that scenario looks odd from using Azure. Amazon EC2 with a shared EBS might do it though.

Client-server communication on same machine via file or socket

I have a client-server relationship between two apps: a web application and an OCX. What I want to do is communicate the client part of the web application, running on the local PC, with the OCX, also installed in the same PC. The server app (the OCX) is not mine (I can't change its source code) and offers 2 ways of communicating with client apps: through an intermediate file or through a socket. There are lot of restrictions in the PCs where the apps have to be executed (the users, for example, are not administrators of their own PCs) so it's even more difficult than it seems. My doubt is which technology would be better to handle this communication from the cliente app (JavaScript, Java Applets, another OCX, etc.) and which option could be handled easier (file or sockets) by this technologies. And also which would be the security and permissions settings that should be taken into account to make it all work properly. You must know that, in case of using an intermediate file, I must be able to write in specific positions of that file from the web app (I'm not sure if Javascript's FileSystemObject can do this, for example). Thanks in advance.
Working with Sockets is realy easy. I only don't know the security options of sockets. May be you can take a look here: Oracle Sockets

I don't think I fully understand couchDB

I don't think that I am understanding how CouchDB works. My impression is that everything runs on the client side, so wouldn't that mean it is useless for storing user data because anyone can write a simple script to access that information? This doesn't make sense to me, do I have it all wrong?
Aside from map-reduce and update operations, everything in CouchDB does run on the client. In this context, client means client connecting to the database server, which will usually be an application or script running on your web server. That's the case for other database systems, too: to connect to a MySQL database from a PHP script, you need to use a MySQL client library.
One special thing about CouchDB is that instead of using its own transfer protocol (like other systems like MySQL do), it uses HTTP, which is implemented by almost every single available language out there. This makes the development of a CouchDB client extremely easy.
The other special thing about CouchDB is that its security model does allow you to let end users connect directly to the database. In such a situation, you would write a JavaScript application that runs entirely in the users' browsers and queries the database through AJAX. The server would then authenticate the user and grant access only to those databases that the user is allowed to access, in either read-only or read-write mode. While this requires a bid of server-side scaffolding (to register new users and create a brand new database for them).
But you don't have to. My company uses CouchDB as a general-purpose persistent storage that is completely invisible from the internet, and only our web server is allowed to access it.
There's a really good book on CouchDb here: http://guide.couchdb.org/

What are the best development tools to use in this project?

I am currently devising 3 database desktop applications for different users in a manufacturing company (one for the accounting department, sales department, production department). All applications have different functions but they should be able to access the data of the other department to reflect business transactions. What is the best programming language and database to use for this kind project? The three computers are not physically connected so I was thinking of having them to access a remote database. The language I am most familiar with is Java but I am very open to learning others if it would be more beneficial to the company. I was also thinking of having to use Adobe Air as I am adept with web programming but could still run as a desktop app but I can't seem to find sufficient resources of distributed systems using Adobe air. Any ideas would be very much appreciated. Thanks!
Lots of languages will do this just fine, including Java. You're familiar with that so my advice is stick to it with one caveat: depending on your requirements I would seriously suggest examining the possibility of making it a Web app instead. Desktop database apps are somewhat... old-fashioned. More to the point they'll create a bunch of headaches for you such as installation, Swing is annoying and tedious, etc.
As for what database, barring requirements you haven't specified, anything will do so pick something free like MySQL.
So for a desktop Java app I would:
Put the database on a remote server;
Put an application server or Web container on that same server;
Create a Webapp on the app server for handling RPC;
Pick a method of RPC, be it Web services or whatever, and use Spring to implement it;
Create a desktop Java app in Swing and distribute it to clients from the app server via Webstart (JNLP).
If it's a Web app:
Put the database and appserver or Web container on one server;
Pick a Java Web framework and create a bunch of Web pages that do what you want.
In all cases, have it be the same app but just act differently on the user type. This is much better than maintaining three different apps.
Also if you do a Web app, you might want to consider using PHP as it's a fast and proven way of knocking up Web pages and probably sufficient for the kind of internal application that you're doing.

Resources