Design Patterns for security and data access control - security

Having recently discovered design patterns, and having acquired the excellent Head First Design Patterns book (can really recommend it!), I am now wondering about design patterns for security and controlling access to records in data stores.
My use case is a bespoke CRM style application, with contacts, businesses, and users who have different levels of access, including being limited to read only access, or even a subset of records. I will only be doing distinct entity level access control, not field level.
Can anyone recommend any security orientated design patterns that would fit the above?
If it makes a difference, I am using ASP.Net MVC, Entity Framework 4 and SQL Server 2008.

Security is what we call a cross-cutting concern, and it's never easy to deal with.
If you need to deal with security from the ASP.NET MVC level, you might consider looking at the MVC tutorial:
http://www.asp.net/learn/mvc/
If you want to know more about security from the domain model level, an interesting question was already asked:
DDD User Security Policies
Hope this helps

There does exist a group of patterns related to security, though most of them focus on securing integrated systems. I have found no book that is as well written and usable as GOF/Head-first, though I did enjoy the one online at www.securitypatterns.org.
Security is as much about architecture (server setup, network topology...) as it is about programming, so I would recommend that you start out with a general security book. Also pick up a book specifically on .NET/Windows security, since robust security programming is very technology specific (I, as a UNIX/Java programmer, will have a completely different toolbox than a .NET programmer and can unfortunately not help you with a book on this last subject).

A good place to start on security (although not necessarily a "security design patterns" book) is Ross Anderson's Security Engineering.
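As an added example (not code from any of the answers above), here is the entity-level control the question describes, written as a repository decorator in C#: the policy carries the caller's access level and the subset of records they may see, and every read and write passes through it. Contact, EntityAccessPolicy and the in-memory repository are constructed stand-ins for the EF-backed one.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed CRM entity: a contact belongs to one business.
public sealed class Contact
{
    public int Id { get; set; }
    public int BusinessId { get; set; }
    public string Name { get; set; }
}

public enum AccessLevel { None, ReadOnly, ReadWrite }

// Hypothetical policy for one entity type: what the caller may do with it,
// and which subset of records (by business) the caller is scoped to.
public sealed class EntityAccessPolicy
{
    public AccessLevel Level { get; set; }
    // Empty set means "all records"; otherwise only these business ids are visible.
    public HashSet<int> VisibleBusinessIds { get; set; } = new HashSet<int>();
}

public interface IContactRepository
{
    IQueryable<Contact> Query();
    void Update(Contact contact);
}

// In-memory stand-in for the Entity Framework backed repository.
public sealed class InMemoryContactRepository : IContactRepository
{
    private readonly List<Contact> _rows;
    public InMemoryContactRepository(IEnumerable<Contact> rows) { _rows = rows.ToList(); }
    public IQueryable<Contact> Query() => _rows.AsQueryable();
    public void Update(Contact contact)
    {
        int idx = _rows.FindIndex(c => c.Id == contact.Id);
        if (idx < 0) throw new KeyNotFoundException("no contact with id " + contact.Id);
        _rows[idx] = contact;
    }
}

// Decorator pattern: every read is filtered to the caller's scope and every write
// is checked against the caller's level, so a read-only user never reaches the inner Update.
public sealed class SecuredContactRepository : IContactRepository
{
    private readonly IContactRepository _inner;
    private readonly EntityAccessPolicy _policy;

    public SecuredContactRepository(IContactRepository inner, EntityAccessPolicy policy)
    {
        _inner = inner;
        _policy = policy;
    }

    public IQueryable<Contact> Query()
    {
        if (_policy.Level == AccessLevel.None)
            return Enumerable.Empty<Contact>().AsQueryable();
        IQueryable<Contact> q = _inner.Query();
        if (_policy.VisibleBusinessIds.Count > 0)
        {
            HashSet<int> ids = _policy.VisibleBusinessIds; // captured by the predicate
            q = q.Where(c => ids.Contains(c.BusinessId));
        }
        return q;
    }

    public void Update(Contact contact)
    {
        if (_policy.Level != AccessLevel.ReadWrite)
            throw new UnauthorizedAccessException("write denied: entity policy is " + _policy.Level);
        // Writes are scoped too: a caller may only update records it is allowed to see.
        if (!Query().Any(c => c.Id == contact.Id))
            throw new UnauthorizedAccessException("record is outside the caller's scope");
        _inner.Update(contact);
    }
}
```

Register the decorator as the IContactRepository that controllers receive, with the policy resolved from the signed-in user, so the unsecured repository is never injected directly.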

What is an Enterprise architecture? [closed]

I am a web developer and I want to become a software architect; I learn about it every day, but when I am learning software architecture I see the TOGAF framework for enterprise architecture. I want to get a solid understanding of enterprise architecture.
Overview
Enterprise architecture focuses on the future state solution for: current business problems, business strategy, business process improvement (BPI), business process re-engineering and business ventures. If you ask an enterprise architect what they are working on, most likely you are going to find out that they are working on one of these areas, unless they have a more specialized domain, which we cover later in this article.
“The What”
Enterprise Architecture does not prescribe the “how”, only the “what”.
Deliverables
Depending on your company's solution lifecycle standards and templates, your deliverable may be called “solution architecture”, “Enterprise Architecture blueprint” or some other name.
Architecture layers
It is good practice to include a minimum of six architecture layers in your deliverable:
Security: End-to-end view of your solution from a security perspective; this captures authentication and access management, and protection of data in transit and at rest.
Application: A view of your solution from the application perspective; includes the domain-specific programming language, and application design patterns and decisions for your front end, back end and middle tier.
Infrastructure: This layer shows a view of your running platform, it may include cloud, containerization and virtualization.
Information: This captures your entire information lifecycle management from data modeling to acquisition, classification, and retirement.
Network: This architecture layer depicts the network end points and their paths.
Integration: This layer shows your data transportation and systems conversations, for example it shows your separations of data transportation from orchestration.
These are not the only layers that you can add to your architecture; you can add more as needed, for example “business continuity” and “devops”, but it all depends on the type of your organization and its objectives.
The Enterprise Architect role
Being an Enterprise Architect (EA) entails command of multiple domains; however, most of us in this industry started our careers in one domain such as development, networking, DBA, etc. An architect usually has expertise in at least one of the following and experience in the rest.
Expertise in one programming language (expert level means very familiar with the language and the design patterns specific to the language).
Expertise in one database vendor (Oracle, MSSQL, DB2); expert level means expertise in SQL (SQL:2016 being the latest standard) in addition to a server-side language (PL/SQL, T-SQL).
Experience in networking: basic concepts of networking and knowledge of new trends such as software-defined networks (SDN).
Experience in integration patterns
Experience in infrastructure such as cloud , virtualization and containerization
Experience in information security: Identity and access management , Data in transit and data at rest protection.
In addition, basic knowledge of: data modeling, data warehousing, big data, Web UI frameworks, major cloud providers, compliance (i.e. PCI, HIPAA), IPv4, IPv6, SOA.
It also helps if you have your own vision of the future landscape (i.e. serverless, self-rendering services).
Architecture frameworks
There are multiple frameworks that, depending on the situation, may fit in your deliverables; these frameworks try to address the common architecture patterns in a prescriptive way.
TOGAF
Zachman
DoDAF
To answer your question "what's the difference between system architecture, application architecture and software architecture":
Application architecture is one of the layers in your architecture.
System architecture, software architecture and solution architecture can be used interchangeably. Just don't lose the big picture.
Some of the inputs for the architecture are
business strategy.
use cases
business cases.
Business continuity strategy
Compliance
Some of the outputs are
High level designs
A vertical partition of your architecture layers.
Software specifications
Prescriptive and technology-oriented specifications of your solution.
I have presented on Enterprise Architecture a few times over the past couple of years. One of the quotes (from myself) that I use in my talks is: "Just because I am an Enterprise Architect, that does not mean that I am an Enterprise Architect". That might seem like a strange quote but it's basically just a fun way to say that enterprise architecture can mean different things to different organizations and people.
Enterprise architects tend to work across a broad domain of concerns, occasionally focusing on specific aspects of a specific technology and/or business process. Some organizations (they tend to be the ones with a more mature EA practice) will have architects that work across all domains within the organization (or, enterprise - hence enterprise architect). Some organizations will have specific types of architects (e.g. applications architect, solutions architect, data architect, network/systems architect, business architect, etc.) that focus on a particular area. Having various types of architects within an organization is one way to "ease" yourself into the architecture space.
For example, the organization I work for has the role, Lead Developer. Each development team has a lead developer and they essentially act as applications architects (even if that is not their specific title). For someone new to that role, they focus on learning the business domain their team is typically responsible for. They also provide the overall architectural vision and design for the apps their team produces. And, they also work closely with the enterprise architects to ensure they are working within the parameters of the organization as a whole (i.e. not reinventing the wheel or making use of a technology or approach that does not fit within the enterprise architecture as a whole).
Starting out as a lead developer is one way to get your foot in the door, so to speak. There are other ways. For example, if you're interested in data architecture, then joining a BI team would be a great way to learn more about data architecture at scale. Joining a network team would go a long way toward gaining knowledge that could be applied as a network/systems architect.
You mention TOGAF in your question above but there are many architectural frameworks out there (TOGAF, Zachman, DoDAF, etc.). Depending upon your specific situation, a "canned" framework might make sense for your organization and it might not. However, becoming familiar with some of the available frameworks will give you insights into some of the common challenges faced by enterprise architects. In the end, however, you will want to do what is right for your organization. You might take bits and pieces from multiple frameworks and wrap them all up into your own framework. As with many challenges, do what works for you.
Along with everything else, keep in mind that enterprise architects tend to think strategically and keep a focus on the future. That does not mean that they do not think tactically or are not concerned with the "here and now". They just tend to have strengths when it comes to strategy and vision.
While this is a bit of a wordy answer, the reality is that nothing beats experience. If you want to become an enterprise architect then you should try to apply architectural practices to your everyday tasks. The more you work and act like an enterprise architect the more ready you will be when an opportunity presents itself.
Hope this helps!
If you want to be a software architect - aka Application Architect - then TOGAF is useful to know, but not necessary for you. Enterprise architects deal with things that impact the entire organisation, particularly things like strategy and planning, organisational modelling, etc.
They can sometimes be involved in a governance role to ensure alignment with organisational design standards or security standards. They can also sometimes be involved in setting organisational policy.
Either way - too many people assume that taking the "most senior looking" title will get them the best pay and the best life - this is not always true, and an EA role is very, very different to a software architect role - even though they are both "Architects".
Now, getting a solid understanding of Enterprise Architecture will be a challenge - because 1. it's kind of undefined right now - or more accurately - there are around 460+ different models of what an Enterprise Architecture is - TOGAF being only one of them. 2. Most EAs like to get completely OCD around model definitions, and each one has a different OCD point of view on exactly what they are - I should know, I'm one of them :)
One of the best general models I have found is DoDAF, but it sure isn't light bedtime reading. Wikipedia has a reasonably light definition though, and it might be worth starting there if you haven't already.
Enterprise Architecture (EA) entails the whole organization and possibly beyond. It includes Business Architecture, Information Architecture, Technology Architecture & Application Architecture. EA is strategic and thus it is "What" needs to be done.

Organisational Wiki

I have been tasked at work with creating an organisational wiki to document information such as Employees, Teams (groups of employees), and Systems (what we support) within MS SharePoint's Wiki product. Does anyone else have a wiki for this information? What sort of roadblocks have you run into?
I couldn't really find any nuggets of information about a corporate internal wiki, as these things tend to be internalized and not really discussed. The main goals I have are to
Define Who we are (as an IT organisation)
Define the systems we support
Define the history/evolution of those systems
The initial goals are more about information associated with the organisation, not necessarily technical documentation or code samples for developers. I think I can draw that distinct line, and I'll be okay with SharePoint's Wiki product. Is there any other information that other organisations consider for this type of project? We have a company intranet, but this will supplement it and tell the story of the IT side of the organisation.

DDD using STE vs POCO

Developing an n-layered application with DDD (or better DDDD, because we are using WCF) using Microsoft technology (where we have full control of all components), the best choice seems to be STE vs. POCO (the latter forces the usage of DTOs). Is that right? In your opinion, does it make sense to use STE with DTOs where we need them?
Thanks.
I really can recommend Julie Lerman's Programming Entity Framework. She goes in depth about simple POCOs, DTOs and Self Tracking Entities. Advantages and disadvantages are described. But of course it depends a lot on application requirements and personal taste.
So I can't give you an exact answer, because the question is too general for that. But reading the book should give you a taste of the possible alternatives and can help you in making these kinds of design decisions. I'm working with Self Tracking Entities in combination with a Business Access Layer, Service Layer, WCF, Win / WPF clients. And expanding it in the future most probably with ASP.NET.

What is Domain Driven Design?

Can somebody please explain (in succinct terms) what exactly is domain driven design? I see the term quite a lot but really don't understand what it is or what it looks like. How does it differ from non-domain driven design?
Also, can somebody explain what a Domain Object is? How does domain differ from normal objects?
EDIT:
As this seem to be a top result on Google and my answer below is not, please refer to this much better answer:
https://stackoverflow.com/a/1222488/1240557
OLD ANSWER (not so complete :))
In order to create good software, you have to know what that software is all about. You cannot create a banking software system unless you have a good understanding of what banking is all about, one must understand the domain of banking.
From: Domain Driven Design by Eric Evans.
This book does a pretty good job of describing DDD.
Register to download a summary of the book.
Domain Driven Design is a methodology and process prescription for the development of complex systems whose focus is mapping activities, tasks, events, and data within a problem domain into the technology artifacts of a solution domain.
The emphasis of Domain Driven Design is to understand the problem domain in order to create an abstract model of the problem domain which can then be implemented in a particular set of technologies. Domain Driven Design as a methodology provides guidelines for how this model development and technology development can result in a system that meets the needs of the people using it while also being robust in the face of change in the problem domain.
The process side of Domain Driven Design involves the collaboration between domain experts, people who know the problem domain, and the design/architecture experts, people who know the solution domain. The idea is to have a shared model with shared language so that as people from these two different domains with their two different perspectives discuss the solution they are actually discussing a shared knowledge base with shared concepts.
The lack of a shared problem domain understanding between the people who need a particular system and the people who are designing and implementing the system seems to be a core impediment to successful projects. Domain Driven Design is a methodology to address this impediment.
It is more than having an object model. The focus is really about the shared communication and improving collaboration so that the actual needs within the problem domain can be discovered and an appropriate solution created to meet those needs.
Domain-Driven Design: The Good and The Challenging provides a brief overview with this comment:
DDD helps discover the top-level architecture and inform about the mechanics and dynamics of the domain that the software needs to replicate. Concretely, it means that a well done DDD analysis minimizes misunderstandings between domain experts and software architects, and it reduces the subsequent number of expensive requests for change. By splitting the domain complexity in smaller contexts, DDD avoids forcing project architects to design a bloated object model, which is where a lot of time is lost in working out implementation details — in part because the number of entities to deal with often grows beyond the size of conference-room white boards.
Also see this article Domain Driven Design for Services Architecture which provides a short example. The article provides the following thumbnail description of Domain Driven Design.
Domain Driven Design advocates modeling based on the reality of business as relevant to our use cases. As it is now getting older and hype level decreasing, many of us forget that the DDD approach really helps in understanding the problem at hand and design software towards the common understanding of the solution. When building applications, DDD talks about problems as domains and subdomains. It describes independent steps/areas of problems as bounded contexts, emphasizes a common language to talk about these problems, and adds many technical concepts, like entities, value objects and aggregate root rules to support the implementation.
Martin Fowler has written a number of articles in which Domain Driven Design as a methodology is mentioned. For instance this article, BoundedContext, provides an overview of the bounded context concept from Domain Driven Development.
In those younger days we were advised to build a unified model of the entire business, but DDD recognizes that we've learned that "total unification of the domain model for a large system will not be feasible or cost-effective" 1. So instead DDD divides up a large system into Bounded Contexts, each of which can have a unified model - essentially a way of structuring MultipleCanonicalModels.
You CAN ONLY understand Domain driven design by first comprehending what the following are:
What is a domain?
The field for which a system is built. Airport management, insurance sales, coffee shops, orbital flight, you name it.
It's not unusual for an application to span several different domains. For example, an online retail system might be working in the domains of shipping (picking appropriate ways to deliver, depending on items and destination), pricing (including promotions and user-specific pricing by, say, location), and recommendations (calculating related products by purchase history).
What is a model?
"A useful approximation to the problem at hand." -- Gerry Sussman
An Employee class is not a real employee. It models a real employee. We know that the model does not capture everything about real employees, and that's not the point of it. It's only meant to capture what we are interested in for the current context.
Different domains may be interested in different ways to model the same thing. For example, the salary department and the human resources department may model employees in different ways.
What is a domain model?
A model for a domain.
What is Domain-Driven Design (DDD)?
It is a development approach that deeply values the domain model and connects it to the implementation. DDD was coined and initially developed by Eric Evans.
Culled from here
Here is another good article that you may check out on Domain Driven Design, if your application is anything more serious than a college assignment. The basic premise is to structure everything around your entities and have a strong domain model. Differentiate between services that provide infrastructure-related things (like sending email, persisting data) and services that actually do things that are your core business requirements.
Hope that helps.
As in TDD and BDD, you or your team focus most on the tests and behavior of the system rather than the code implementation.
Similarly, when the system analyst, product owner, development team and of course the code (entities/classes, variables, functions, user interfaces, processes) communicate using the same language, it's called Domain Driven Design.
DDD is a thought process. When modeling a design of software you need to keep business domain/process in the center of attention rather than data structures, data flows, technology, internal and external dependencies.
There are many approaches to modeling a system using DDD:
event sourcing (using events as a single source of truth)
relational databases
graph databases
using functional languages
Domain object:
In very naive words, an object which
has name based on business process/flow
has complete control of its internal state, i.e. exposes methods to manipulate state.
always fulfills all business invariants/business rules in the context of its use.
follows single responsibility principle
DDD (domain driven design) is a useful concept for analysing the requirements of a project and handling the complexity of those requirements. Before that, people analysed requirements by considering the relationships between classes and tables; in fact their design was based on database table relationships. It is not old, but it has some problems:
In big projects with complex requirements it is not useful, although it is a great way of designing small projects.
When you are dealing with non-technical people who don't have technical concepts, this conflict may cause some huge problems in our project.
So DDD handles the first problem by considering the main project as a Domain and splitting each part of this project into small pieces, known as Bounded Contexts, and each of them does not have any influence on the other pieces.
And the second problem is solved with a ubiquitous language, which is a common language between technical team members and product owners, who are not technical but have enough knowledge about their requirements.
Generally, the simple definition of a Domain is the main project that makes money for the owners and other teams.
I do not want to repeat others' answers, so, in short, I explain some common misunderstandings.
Practical resource: PATTERNS, PRINCIPLES, AND PRACTICES OF DOMAIN-DRIVEN DESIGN by Scott Millett
It is a methodology for complicated business systems. It takes all the technical matters out when communicating with business experts.
It provides an extensive understanding of (simplified and distilled model of) business across the whole dev team.
It keeps the business model in sync with the code model by using a ubiquitous language (the language understood by the whole dev team, business experts, business analysts, ...), which is used for communication within the dev team or between the dev team and other teams.
It has nothing to do with Project Management, although it can be perfectly used in project management methods like Agile.
You should avoid using it all across your project
DDD stresses the need to focus the most effort on the core subdomain. The core subdomain is the area of your product that will be the difference between it being a success and it being a failure. It’s the product’s unique selling point, the reason it is being built rather than bought.
Basically, it is because it takes too much time and effort. So it is suggested to break down the whole domain into subdomains and apply it only in those with high business value (e.g. not in generic subdomains like email, ...).
It is not object oriented programming. It is mostly a problem-solving approach, and (sometimes) you do not need to use OO patterns (such as Gang of Four) in your domain models, simply because they cannot be understood by business experts (they do not know much about Factory, Decorator, ...). There are even some patterns in DDD (such as Transaction Script and Table Module) which are not 100% in line with OO concepts.
I believe the following PDF will give you the bigger picture: Domain Driven Design by Eric Evans
NOTE: Think of a project you can work on, apply the little things you understood and see best practices. It will help you grow your ability in the microservice architecture design approach too.
Get an organization wide understanding of the problem domain by
developing a ubiquitous language (a common mental model) per sub-problem-domain.
Use that language as close as possible in solution domains (code).
Only then choose technologies.
Don't be technology driven but problem domain or business driven.

Establishing project requirements - anyone had any eureka moments?

I repeatedly find that establishing user requirements is one of the hardest parts of my job. This is for several reasons, for example, lack of shared technical vocabulary, incomplete understanding of domain on my part, inability of user to 'imagine' completed UI / product, etc etc.
Since this appears to be an ongoing challenge for me, has anyone here had a 'eureka' moment that has really helped them with this part of developing? For example, I have heard of the book 'Domain Driven Design', but not read it yet. Has anyone found a book, online resource or piece of advice that has really turned things around for them?
I won't aspire to a eureka experience; however, if you are interested in DDD, which is about establishing a common language for you and the users (among other things), then if you don't have access to the book, look for Domain-Driven Design Quickly on DZone.
Generally speaking, any time the user cannot imagine the thing and therefore cannot state proper requirements, go for prototyping (if you can). Recently I was pleased by a really super simple tool, a Firefox extension called Pencil, which enables easy and quite fast prototyping even for non-programmers. It is far from perfect, but it enables you to create your own components and it is extensible.
Are you creating the user requirements on your own or are you actually interacting with the user to generate the requirements?
If you are creating a piece of software without a customer then starting with a simple high-level mock-up of what I want to create is where I will usually start and will formulate my User Requirements how I think a user would use the software.
If you have a customer I would suggest breaking the software into smaller modules (manageable chunks) and sitting down with the user to talk to them, step-by-step, how they want the module to function.
