UI generation

Table of Contents:

• introduction
• Requirements and responsibilities
• Security and authorization
• SANDForms
• Dataset pagination
• Adapting SANDForms to other UI technology
• Using SANDForms with other UI frameworks
• The SANDForms native framework
• Appendices:
  • model/view/controller (MVC) architecture
  • information filtering
  • UIFormContext overview

introduction:

While the UI is one of the 6 primary components of SAND, it is not directly considered to be a supporting technology. While SAND has formal technology interfaces for messaging, persistency, configuration, control and framework processing (see nodecommon and the DataManager), it provides an interface for UI development.

SAND actually provides for UI development at multiple levels. This document covers each of these levels starting with the fundamentals and working upwards from there.

TOC

Requirements and responsibilities:

There are two primary requirements for a SAND UI:

1. It must communicate with the SAND application via SAND messages. That's not to say a UI built using SAND cannot directly access the database or do anything else it wants. It can. However this kind of access is outside outside of anything supported by SAND (and outside the scope of this document).
2. It must shoulder the burden of authentication and communicate with other nodes in the system via secure messaging. As the closest point of contact to the user, the UI must ascertain the user's identity, and not allow for interception, spoofing, or other problems resulting from faulty communication.

SAND messaging can be achieved easily using an in-process bridge. In this approach, the deployment configuration contains a node which is executing in the same process space as the UI code. The UI retrieves a direct reference to this node using a SingletonAccessor and then calls it's generated messaging methods directly:

To support incoming asynchronous communications, a UI can register itself with the bridge node for callback. For additional information, refer to adaptor node deployment and the messaging overview.

TOC

Security and authorization:

SAND supports authorization at the level of actions, data types, data instances, data fields, data field values, and other programmatic logic done by the application Authorizer. It is the responsibility of the Authorizer to ensure that no unauthorized data is ever passed to the UI, and that no unauthorized actions or data are accepted from the UI.

In order to provide a non-frustrating user experience, the UI should in turn:

• avoid showing buttons for unsupported actions
• allow querying and viewing only of authorized data types
• avoid showing unauthorized fields for display or querying
• understand that collections of instances may be filtered

Obviously this requires close cooperation between the Authorizer node, and the SAND UI. In SAND this cooperation is achieved through the AuthFilter, which provides the authorization logic. The AuthFilter is used directly by both the Authorizer, and the SAND UI, to ensure that the application is consistent.

Refer to the information filtering use cases for details on specific authorization scenarios.

TOC

SANDForms:

When you take the number of structs in an application, and look at writing display, edit, query and collection forms for each one, and then writing authorization filtering for each one, autogenerated code is clearly the way to go. The challenge with SANDForms was to handle this code generation in a way that would:

1. adapt to different display technology (web, GUI, mobile device)
2. adapt to, and play nicely with, existing frameworks
3. provide for easy customization
4. be easily extended

• The UIFormContext is the model. It holds the original message, the updated message, and context, including what action was taken by the user.
• The UIFormAdaptor creates the view by converting the UIFormContext into a format displayable in the target UI.
• The UIFormManager is the primary controller, handling form actions and calling back into the UIFormOwner as needed.

SAND provides fully functional default implementations of these interfaces, which can be extended to provide additional functionality. With the XHTMLFormAdaptor, the generated output can also be post-processed using XSLT or other transformation operations. The example TaskHeapDemo deployment uses this technique with a simplified default transformation template.

Refer to the UIFormContext overview for details on the SANDForms model.

TOC

Dataset pagination:

When the UI issues a query, it needs to consider the maximum number of matching items that should be returned. While the UIFormOwner will typically enforce some limitations in its formFind processing, and the DataManager is configured with hard constraint settings, the correct number of return values for a query is a balance of:

• the work necessary to retrieve the result collection
• the likelihood of reducing round-trip data retrieval through caching
• communication and display overhead

1. exactly the number of items as the display will hold. This approach is appropriate for general ad-hoc query results.
2. the number of items the display will hold, times the number of pages the user is likely to traverse. This approach is appropriate for targeted queries where the user is expected to page through the results in order.
3. as much data as can possibly be retrieved. This approach is appropriate when the entire result will be cached or otherwise stored in state for further manipulation (such as with a rich client interface).

If a query returns a complete collection (see the SandCollectionMessage isComplete method), then a UI can offer arbitrary sorting of the query results. This is referred to as result ordering. But due to runtime query processing restrictions, not all query result collections will be complete. In these cases the UI must work via dataset pagination.

Dataset pagination refers to traversing the total dataspace via repeated queries, and is therefore dependent on data ordering. If no orderBy is specified in the query, then ordering is by uniqueID, and dataset pagination is handled automatically via the uniqueIDAfter query field. If orderBy is specified, then the UIFormOwner must handle data pagination itself using its knowledge of alternate keys.

A few cases are worth mentioning explicitely to illustrate:

Standard dataset pagination:

The UIFormManager calls the UIFormOwner to process the query. The UIFormOwner executes the query without specifying orderBy, and the resulting collection elements are displayed ordered by uniqueID.

While maxReturn in the UIFormContext.findQuery message determines the total size of the returned collection, the number of items which are displayed is determined by the UIFormContext.findCollMaxDisplay. The display starts at findCollIndex in the findCollection, and shows findCollMaxDisplay items.

Pagination is handled as follows:

• If (findCollIndex + findCollMaxDisplay) is less than the number of elements in the findCollection, or the findCollection is not complete, then the "next" action is enabled in the display.
• If the "next" action is selected
  • if the collection is complete, or it contains enough elements to display the next page without requerying, then findCollMaxDisplay is added to findCollIndex to display the next page.
  • otherwise the query uniqueIDAfter is set to the uniqueID of the last displayed element, the uniqueID of the first element is pushed onto the findKeys stack, the findCollIndex is reset, and the query is reissued to retrieve the next page for display.
• If findCollIndex > findCollMaxDisplay (we are on the second display page of a collection), or findKeys is not empty, then the "previous" action is enabled in the display.
• If the "previous" action is selected
  • if findCollIndex is greater than zero, then it is set to (findCollIndex - findCollMaxDisplay) with the result floored at zero.
  • otherwise the query uniqueIDAfter is set to the last value popped off the findKeys stack minus one, the findCollIndexis reset, and the query is reissued to retrieve the previous page for display.

Dataset pagination with custom ordering:

When standard dataset pagination detects that it needs to reissue the query in response to either a "next" or "previous" action, it skips the uniqueID calculations if orderBy is specified in the findQuery. Movement within the collection elements is still supported, but when a query needs to be reissued it is not modified by the UIFormManager.

Since the UIFormManager calls the UIFormOwner to process the query, and passes along the UIFormContext, the UIFormOwner has all the information it needs to handle custom data pagination. To do this it will need to implement the change to the query, but with the alternate ordering key.

As an example consider custom pagination ordering on the username key of BaseUser. Before processing the query, an extra match is added specifying username as greater than the last value in the current collection. This match takes the place of the uniqueIDAfter in standard dataset pagination. In this case the findKeys field (used for reverse pagination) would hold usernames rather than uniqueIDs.

Custom data pagination is relatively easy to implement since the code relating to the existing collection is re-used as a common framework.

TOC

Adapting SANDForms to other UI technology:

At the time of this writing, only the XHTMLFormAdaptor is available. Using SANDForms with other UI technology would require writing other UIFormAdaptor implementations. For example a SwingFormAdaptor would write Swing classes to provide forms for the defined structs.

The SandUI framework is designed to be technology independent, and is intended for use with webapps, rich client GUI interfaces, text terminals, restricted display interfaces, or voice interfaces. By autogenerating the user interface from the data structures and the SandUI definition, it is possible to support many application changes without impact to user display rendering, even if the application supports multiple user interfaces simultaneously.

Our next priority is likely to be SWT, but this depends on customer projects. Our hope is to release these adaptors to open source as the versions upgrade. If you are interested in specific technologies, joint development, or extensions to SANDForms, please contact Structs And Nodes Development Services

TOC

Using SANDForms with other UI frameworks:

For new development, we would recommend creating a UIFormAdaptor to generate the code expected by the UI framework. This can be done using the XHTMLFormAdaptor as a model, or alternatively using runtime post-processing (provided the differences in form output are relatively minor).

In situations where there is already significant established UI code, it may be fastest to build an adaptor node to convert the existing UI form processing calls to SAND messaging. If new data structures are being added to an existing webapp, it may be best to segment the application to take best advantage of code generation to minimize the work involved.

Conversion work is being handled on a per-project basis.

TOC

The SANDForms native framework:

The SANDForms native framework is implemented in the apps/ui project and supporting tools. A user interface is defined as an instance of a SandUI, which can be viewed/modified using the UI editor. The interface is then implemented through generated code, which varies depending on the interface technology used.

As one example, here's how the webapp interface of the TaskHeapDemo deployment works:

• In its webapp subdirectory, TaskHeapDemo defines TaskHeapUIShell.java, which sets up a singleton instance of XHTMLSandUIServlet for use. In particular it specifies where to find the serialized SandUI definition file, and the name of the UIFormOwner node. After setting things up, the shell passes all service requests over to XHTMLSandUIServlet.
• The XHTMLSandUIServlet sets up
  1. a UIScreenAdaptor (defaults to a XHTMLScreenAdaptor if not specified)
  2. a SandTransformer (defaults to an XSLTransformer if not specified)
  3. a UIFormManager (defaults to a StandardFormManger if not specified)
  and then handles authentication and all processing given the definition in the SandUI.

To handle a given screen request, XHTMLSandUIServlet

1. reconstructs the current screen object (using its UIScreenAdaptor)
2. processes the screen (using its UIFormManager, which calls through to the UIFormOwner as needed)
3. renders the resulting output (using its UIScreenAdaptor)
4. transforms the resulting output (using its SandTransformer and the template specified for use with the screen)

That's about it. Authentication and error processing are pretty standard for servlet processing. The only other point of interest is that it is possible to override locale information regardless of server settings, which can be handy. For more details, refer to XHTMLSandUIServlet.java.

TOC

Appendices:

model/view/controller (MVC) architecture:

In a typical web browser UI, individual data entry and query forms are placed into pages, and the pages are organized into a web site. As a website grows in size, separating the component aspects of the site becomes increasingly important in managing complexity. MVC is a general UI architecture which helps separate the major component aspects:

• model: the object being worked on
• view: the rendering of the object
• controller: action recognition and validation

How the adaptor node does its work, and what the view generator code needs to do, depends on your application, the interface API, and which framework you are using. SandBoss ships with an example TaskHeapDemo deployment with a simplified user interface that serves as an example for how to get started.

TOC

information filtering:

Enterprise information is sensitive, so it is imperative that no unauthorized information be transmitted to a client machine. Preventing unauthorized input, and setting unauthorized fields to their default values is the job of the Authorizer node. Hiding messages, fields, or values from view is the job of the UI, since this is where the message is transformed from an object into a display structure. Both mechanisms use an AuthFilter to determine the appropriate action to take.

Although different applications have different authorization requirements, the following cases illustrate the types of processing required:

• case: hidden message types
  User is not allowed access to any form of a specific message. For example you might have a SiteRevenueSummary message that the vast majority of users should not even know about.

  • Outgoing display generation: User is simply never shown the message, or presented with any links to a form for that message.
  • Incoming message processing: An "unknown message type" error or the equivalent is returned.
  possible implementation:
  Unless the user is authorized, the UI provides no links to any form for the SiteRevenueSummary message. If an unauthorized SiteRevenueSummary message is received by the Authorizer, it is rejected, setting the status to STATUS_APPERROR. The UI picks up on the error flag and parses the errorMessage field. For "authorization : hidden message type" it displays the same error as for unparseable input.

• case: hidden message fields
  User is not allowed access to specific fields within a message. For example you might have tracking information as part of a User message which is only visible to site administrators.

  • Outgoing display generation: The user is never shown the unauthorized fields.
  • Incoming message processing: If a query specifies an unauthorized field, then it is rejected. For a new instance, unauthorized fields are filled in with appropriate initial values. For an update to an existing instance, unauthorized fields are filled in with their current values.
  possible implementation:
  The Authorizer caches the message and sets all sensitive field values to their defaults. The display processing removes these fields from the output. If the unauthorized field is specified as part of a query, then the authorizer rejects it. The UI then parses "authorization : hidden message fields : ..." and displays an error for unparseable input. If a new instance is being created, then the value is replaced with the default initial value. If an existing instance is being modified, then the value is replaced with the existing value (which is retrieved from the cache).

• case: limited update fields
  User has read access to fields which they may not edit. For example you might have a membershipExpiration field as part of a User message which a user can see, but which can only be updated by site administrators or by membership payment processing.

  • Outgoing display generation: The unauthorized fields are displayed as read only.
  • Incoming message processing: For a new instance, unauthorized fields are filled in with appropriate initial values. For an update to an existing instance, unauthorized fields are filled in with their current values.
  possible implementation:
  The display processing disables input for the unauthorized fields. If a new instance is being created, then the value is replaced with the default initial value. If an existing instance is being modified, then the value is replaced with the existing value (which is retrieved from the cache).

• case: limited message actions
  User may query but not update (or more unusually update but not query). As an example, users might query for Products but not be allowed to update them.

  • Outgoing display generation: The edit button is not provided in the form.
  • Incoming message processing: The update message is rejected.
  possible implementation:
  The display processing removes the edit option from the form display. The Authorizer rejects any unauthorized update message.

• case: limited instance updates User may only update specific message instances, or instances matching specific criteria. For example a user may only allowed to update their own user information, or user information for users who they manage.

  • Outgoing display generation: The edit button is not provided in the form if the user cannot edit the instance.
  • Incoming message processing: Any unauthorized modifications are rejected.
  posible implementation:
  If the user is not authorized to update a specific instance, then the edit button is removed from the form display. If a new instance is being created which does not match what the user is authorized to create, then it will be rejected by the Authorizer. Any attempt to modify an existing instance which the user is not authorized to change will be rejected by the Authorizer.

• case: limited instance queries User may only query for specific subsets of the total data available. For example a user may only be allowed to query for orders which they themselves have placed.

  • Outgoing display generation: Unauthorized information is never returned from a query.
  • Incoming message processing: Unauthorized information is never returned from a query.
  possible implementation:
  The Authorizer adds additional match information to any incoming query to filter out any unauthorized information. So if the user queries for orders, the Authorizer adds that the owner must be the current user.

• case: limited query fields (see hidden message fields).

• case: limited query field values User may only specify a subset of all the possible values when issuing a query. For example a user may be allowed to search for new or promotional products, but not archived, deleted, or group limited ones.

  • Outgoing display generation: The unauthorized values are not displayed as options in the form.
  • Incoming message processing: Unauthorized information is never returned from a query.
  possible implementation:
  The UI removes any unauthorized values. If only one value remains, then the field is switched to read only. If no values remain, then the field is hidden. The Authorizer adds additional match information to any incoming query to filter out any unauthorized information. So if the user queries for products, the Authorizer adds they must be new or promotional.

• case: variably hidden fields When viewing data, the user will see the values for fields in authorized instances only. For example a user may see personal info for their direct reports but not others.

  • Outgoing display generation: Values which should not be seen are replaced with default placeholders, or not shown.
  • Incoming message processing: Values which should not be seen are replaced with default placeholders.
  possible implementation:
  The UI is generally written to favor hidden message fields, to avoid displaying placeholder values. When placeholder values must be used, they should be replaced with known display values like "N/A" or the equivalent. The Authorizer iterates through any query results and replaces unauthorized field values with their display defaults. Updates follow the processing for limited update fields.

TOC

UIFormContext overview:

note: