Application Architecture and Design: WebAuction
WebAuction is a Web-based auction system built with the WebLogic Server and J2EE. Like a real auction, it includes bidding, categorized items, and user accounts. The source code for WebAuction is included on the accompanying CD-ROM. The application and its source code can be accessed online at http://learnWebLogic.com.
WebAuction Design Goals
The WebAuction application is an e-commerce application that uses nearly all of the J2EE APIs: It uses Java ServerPages (JSP), Java Database Connectivity (JDBC), Java Message Service (JMS), Java Naming and Directory Interface (JNDI), Enterprise JavaBeans (EJB), and JavaMail. Going beyond “hello world” examples, WebAuction demonstrates how these APIs are used together in production applications. Learning APIs is a necessary first step, but developing production-quality applications requires the ability to combine the J2EE APIs effectively.
The WebAuction application is designed to take advantage of the performance and scalability of the WebLogic Server and its clustering capabilities. Because Web applications must accommodate an ever-growing user base, it is important to consider scalability throughout the development cycle.
While WebAuction demonstrates the design and components of a production application, there are several simplifications in the application that would not appear in the real world. Since this is a sample application, we demonstrate important design choices and J2EE features without creating an overly complex application.
Every element of the WebAuction software is a design pattern, a J2EE service, or a WebLogic Server feature. We have chosen to omit auction site features that did not fit these criteria or whose implementation was similar to other components. The interested reader can easily enhance the WebAuction application framework to build a production-quality auction.
In addition to making the application easier to understand, simplicity enables the reader to build and deploy WebAuction on his or her own machine. Although the application is available on our Web site, building and running the application locally provides valuable practice in WebLogic Server administration. Configuring WebLogic Server to handle a real application is a necessary skill for WebLogic Server developers as well as administrators.
WebAuction Subsystems
Like many e-commerce applications, WebAuction has two layers: a presentation layer and a business logic layer (see Figure 14-1). Clients use Web browsers to interact with the presentation layer. The presentation layer (also known as the Web tier) is responsible for relaying client requests to the business logic layer and rendering the business logic's responses into HTML.
Figure 14-1. Multi-tier Architecture
The business logic layer handles the application's logic and communication with back-end systems such as databases. The database, which provides a persistent repository for the application's data, usually resides on a separate server. As you would expect, the presentation layer is implemented with Web components including JSP pages and tag libraries. WebAuction implements the business logic layer with EJB components, JMS, JavaMail, and JDBC. Because WebAuction's entity beans use container-managed persistence (CMP), the EJB container handles the data access code.
WebAuction Interfaces
Designing good interfaces between components is an important but challenging piece of software development. When software is properly decoupled into modules, implementations become easier and cleaner. Interfaces promote information hiding, which enables software components to minimize the exposure of internal information to other areas of the system. This minimizes dependencies: Components may be redesigned or re-implemented without affecting other parts of the system.
For instance, the business logic could be changed from using database-stored procedures to using EJBs, without changing the presentation logic. Without good interfaces, it is easy to have subtle design assumptions creep into the source code. Unfortunately, designing clean interfaces is not trivial. A prototype implementation is usually required to reveal design flaws or false assumptions. The WebAuction implementation should help serve as a demonstration of successful design patterns for your own applications.
Separating the Web and Business Logic Tiers
A clear separation between the presentation layer and the business logic tier is important. The design goals of the presentation layer's user interface are clean and clear Web pages, and providing a user-friendly and satisfying Web site experience. The presentation layer also handles issues such as internationalization and tracking a user's identity between Web pages.
Many e-commerce applications also include security in the presentation layer. All privileged access must first access a form-based login page. This enables the application to change security policies without modifying the back-end logic. However, this arrangement is not always possible, especially if the back-end logic is used directly by another presentation layer, such as a standalone client application.
Separating the presentation and business logic allows for parallel development. In many environments, separate groups or even separate companies develop each application tier. The presentation layer team includes Web page designers and Web experts, while the business logic developers mainly deal with database, messaging, and transaction issues.
Accessing Server-Side Business Logic from JSP Pages
The WebAuction application uses JSP to access its presentation logic. Because JSP pages can include Java code, it is possible to access business logic directly from the JSP page. However, this design should be rejected: Instead, it is recommended that JSP pages contain little—if any—Java code. JSP pages should use tag libraries, JavaBeans, or servlets to access the business logic layer. This means that JSP pages are essentially HTML pages with extra tags to access tag libraries, or small snippets of code to access JavaBeans or servlets. Because there is little code in these pages, the Web page layout can be altered by graphic designers without affecting the remainder of the system. This design also facilitates internationalizing the Web site, because the display output is cleanly separated from the logic needed to generate the Web pages.
The WebAuction JSP pages use tag libraries to make requests to the business logic tier. One advantage of tag libraries is their syntax resembles other HTML documents. This is beneficial for Web page designers who are more familiar with HTML than Java code. Another advantage of using tag libraries is that a library structure facilitates reusing the tags in other application components. While servlets and JavaBeans may also be reused, reusability requires more effort because they were not designed as libraries.
JavaBeans in the Presentation Layer
In addition to tag libraries, WebAuction's presentation layer uses JavaBeans as value objects when interfacing with the business logic. JavaBeans are simple objects with get and set methods for each field. The value objects pass information such as the new account profile to the business logic layer. The business logic layer also uses JavaBeans to return information to the Web tier. The Web tier renders pages by retrieving the information held in the value objects.
The disadvantage to this approach is that extra objects must be created to encapsulate information that already exists within the business object layer. For instance, when the JSP page needs to show the current items available for bid, the WebAuction application must find the appropriate items and then create a value object holding the information for each item. While this creates additional objects, the advantages of this approach is that the presentation layer sees only the value objects, so the persistence layer can be changed without affecting the JSP pages or the tag libraries (see Figure 14-2).
Figure 14-2. Separating Presentation Logic and Business Logic
The Tag Library-to-Business Logic Interface
To avoid mixing the Web page presentation with Java code, WebAuction's control logic is encapsulated in tag libraries. Information is passed between the presentation layer and the business logic layer by means of JavaBean value objects. The tag libraries contain Java code to access the business logic layer. To decouple persistence, transactions, and messaging from the presentation layer, it is important to minimize the entry points into the business logic layer. In WebAuction, the tag libraries must use either the bids JMS queue or the WebAuction stateless session bean to communicate with the business logic layer.
When a WebAuction customer submits a bid, the bid information is encapsulated in a JMS message and sent to a JMS queue. Once the information is on the queue, the JSP page displays a message stating the bid has been received by the system. This is an asynchronous design: The bidder need not wait for the system to process the bid. It is only necessary to wait for the bid's information to be entered in the persistent queue. A JMS listener handles the actual bid processing in the background.
It might be possible to use a synchronous design where the bidder waits until the bid processing completes. However, bids must be validated, and the WebAuction application updates several database tables when a bid is entered.
The asynchronous approach aids scalability because a WebLogic Server cluster can listen on the queue and do all of the processing in parallel.
The user's bids are entered into the system from bid.jsp with the enterBid tag:
<webauction:enterBid itemId="<%= bidId %>" userName="<%= request.getRemoteUser() %>" bidamount="<%= amount %>" />
The EnterBid. Java tag library sends a message to the JMS queue with the values passed in the tag's parameters:
bidMsg.setInt("Item_ID", itemId);
bidMsg.setString("User_Name", userName);
bidMsg.setDouble("Amount", bidAmount);
qsender.send(bidMsg);
In addition to the bids JMS queue, WebAuction's business logic layer exports a synchronous interface to the presentation layer with the WebAuction stateless session bean. Because the WebAuction bean is stateless, the tag libraries create a reference when they are initialized and make all business method calls against the reference. Remember that holding a stateless session bean reference does not tie up resources in the server. Whenever a call is made against the WebAuction remote interface, the EJB container selects a pooled bean instance to handle the call. If a stateful session or entity bean were used, the tag library would have to include more lifecycle code to manage the EJB state.
Utility Methods
The WebAuction bean's remote interface exposes utility methods that are used by the tag libraries. Notice that these methods return the BidValueHolder or the ItemValueHolder JavaBeans.
public interface WebAuction extends EJBObject {
BidValueHolder [] getBidsForUser(String userName)
throws NoSuchUserException, RemoteException;
ItemValueHolder getItemWithId(int id)
throws NoSuchItemException, RemoteException;
ItemValueHolder [] getItemsInCategory(String category)
throws RemoteException;
}
The GetBidsForUser tag library keeps a reference to the WebAuction stateless session bean in the WebAuction member variable. The getBidsForUser method call returns an array of BidValueHolder objects, which are then assigned to the bids variable in the JSP page.
BidValueHolder [] bids = webAuction.getBidsForUser(user-
Name);
pageContext.setAttribute("bids", bids);
The currentbid.jsp page uses the GetBidsForUser tag library to receive the array of BidValueHolder objects:
<webauction:getBidsForUser id="bids" userName="<%= request.getRemoteUser() %>" />
Finally, the currentbid.jsp page renders the bids into the HTML page. We have simplified the HTML here, but each bid is shown as a row in a table. Note the use of the wl:repeat tag. This is a standard tag included in the WebLogic Server's tag library. It iterates through the elements of an array or java.util.Collection and applies the tag body to each element. In this case, it iterates through the bids array and assigns each value in the array to the bid variable. Within the tag body, the currentbid.jsp page includes a table row for each bid.
<table>
<tr>
<td>Item</td>
<td>Bid Price</td>
</tr>
<wl:repeat id="bid" set="<%= bids %>" type="webauction.jsp.BidValueHolder" >
<tr>
<td><%= bid.getItemDescription() %></td>
<td><%= bid.getBidAmount() %> </td>
</tr>
</wl:repeat>
</table>
WebAuction Security
Like most e-commerce applications, WebAuction requires security constraints. The WebAuction security model is based on user accounts. Users register with the WebAuction site and create user accounts with passwords and an associated email address.
Not every page in WebAuction needs to be protected. In particular, Web site visitors should be allowed to browse the auction without creating a user account. This enables new users to visit the auction site without requiring them to enter user information. Also, it helps minimize resource usage on the server because no session data is kept until the user logs in. A user must log into WebAuction before providing a new auction item or entering a bid on an existing item.
WebAuction's business logic layer does not include any security checking. It assumes that the presentation layer has satisfied all security constraints. This is acceptable for most Web-based designs, and it simplifies the business logic layer. In addition, security checks can affect performance, so avoiding unnecessary access constraints helps scalability. However, more stringent security requirements might require multiple access checks at different levels in the application.
Security Constraints in the Deployment Descriptor
The web.xml deployment descriptor specifies the security constraints that restrict access to a protected page. If a user has not already logged into the system, the WebLogic Server redirects the browser to the login page before accepting the request.
For example, this security constraint restricts the newitem.jsp page to users in the auction_user role.
<security-constraint>
<web-resource-collection>
<web-resource-name>New Item</web-resource-name>
<url-pattern>/newitem.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>auction_user</role-name>
</auth-constraint>
</security-constraint>
The web.xml file also declares the abstract role named auction_user:
<security-role> <role-name>auction_user</role-name> </security-role>
Finally, weblogic.xml maps the auction_user role name to the user principal.
<security-role-assignment> <role-name>auction_user</role-name> <principal-name>user</principal-name> </security-role-assignment>
Every WebAuction user is a member of the group named user and can access the newuser.jsp page.
Authenticating Users
The WebAuction application uses the Servlet 2.2 specification's form-based authentication to verify user names and passwords. The login.jsp page includes a form with the j_security_check as the action. The user name is passed as j_username and the password is j_password. The password field uses the input type of password to prevent the password characters from being echoed to the screen. The login.jsp page is served through HTTPS to ensure that the password is encrypted on the network.
We have simplified the HTML in the form element to demonstrate it here:
<form method="post" name="Login" action="j_security_check"> <input type="text" name="j_username> <input type="password" name="j_password"> </form>
Creating New User Accounts
New user accounts are created with the newuser.jsp Web page. This page includes a FORM element that contains all of the required account information. WebAuction requires that all fields in the new user form be completed, by including a JavaScript onSubmit element that instructs the browser to run validateNewUserForm before accepting the submission. The Java-Script code simply ensures that every field has a value.
<form method="post" name="NewUser" action="newuser.jsp"
onSubmit="return validateNewUserForm()">
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide code from non-javascript
function validateNewUserForm() {
newUserForm = document.NewUser;
if ((newUserForm.userName.value == "") ||
(newUserForm.password.value == "") ||
(newUserForm.firstName.value == "") ||
(newUserForm.lastName.value == "") ||
(newUserForm.streetAddress.value == "") ||
(newUserForm.city.value == "") ||
(newUserForm.zipCode.value == "") ||
(newUserForm.email.value == "")) {
alert("You must fill out all fields to create a WebAuction account.");
return false;
} else {
return true;
}
}
// end hiding -->
</SCRIPT>