Flex Pasta » BlazeDS with Annotations for Remote Objects

BlazeDS with Annotations for Remote Objects

Like many Flex/Java applications, they are started from scratch and use java 1.5 or greater. I was surprised that there were no annotations for BlazeDS to make it easier to mark up remote objects and services. Being that BlazeDS is open source, I thought it would be valuable to use annotated classes for remote objects. I created a custom BeanProxy(a class that defines what properties go from Java to actionscript, and vice versa). Note: I have submitted the code to Adobe for acceptance into the BlazeDS code base. I plan on expanding the code further, and I hope others will contribute as well. The link to the enhancement request can be found here: Please vote for the issue! Inclusion into the BlazeDS code base will help make it maintainable in the long run.

Now for a step by step guide about the annotations, and how to use them. First, I will point out that somethings I have done in the code are not ideal but are necessary to be compatible will BlazeDS which is primarily a java 1.4 app.

  1. Download the Jar and source: BlazeDS Annotations Jar and Source Files
  2. Take one of your domain classes/remote objects and implement IAnnotatedProxy and mark the class with the @FlexClass Annotation. The IAnnotatedProxy is a marker interface and its existence is simply to tell BlazeDS it has annotatations and should use the AnnotatedBeanProxy instead of the normal BeanProxy.
  3. Add this one liner to the servlet init of your webapp: PropertyProxyRegistry.getRegistry().register(IAnnotatedProxy.class, new AnnotatedBeanProxy());
  4. Begin adding @FlexField annotations to your “getter” methods on your remote objects. As I will explain in more detail, I have broken up what the @FlexField annotation does into two parts:
    1. Annotations that manipulate whether a field is included in BlazeDS AMF serialization.
      1. @FlexField( fieldType = FlexFieldType.ReadWrite) - Default option. Acts just like domain objects do today with BlazeDS, it reads a field if and only if both a matching getter and setter exist.
      2. @FlexField( fieldType = FlexFieldType.Exclude) - Does not include this field in AMF serialization even though a matching getter and setter may exist. Benefits are 1) Performance, 2) Security, and 3) Unnecessary Clutter. Keep in mind though, if you have a field populated with data going from Java to Flex, when it comes back from Flex to Java, the fields you excluded will be null.
      3. @FlexField( fieldType = FlexFieldType.Transient) - Include this field in serialization from Java to Flex if it has a “getter” method, but it does not require a matching “setter” method. The primary benefit here is I may have a field such as a calculation that doesn’t have a “setter” because it is a calculation. Yet I want the field to be translated over to the flex front end because I will use it for display only purposes to the end user.
    2. Annotations that manipulate data during serialization primarily for security purposes. Note, for use of the following annotations, remote objects on both the flex and Java side MUST extend mx.rpc.remoting.JavaObject. Before using the following annotations, make sure to fully understand what they are doing.
      1. @FlexField( fieldType = FlexFieldType.ReadOnly) - This field is included in serialization to and from Java and Flex. However, when data is coming from Flex into Java, encoded data in the JavaObject’s key determines the value of the field. Example: An account number field with the value of 999 is passed from Java to Flex. The account number is encoded in the JavaObject’s “key” field. Now the user goes to save their account settings, so data is sent back from Flex to Java. If the account number is anything other than “999″, a (runtime) ReadOnlyException is thrown. The primary benefit here is security. I want the user to be able and see, but not edit the account number on the Flex side. There may be other fields in the domain class they can edit, but this field is off limits.
      2. @FlexField( fieldType = FlexFieldType.CreateOnly) - This field is included in serialization to and from Java and Flex, and is almost identical to the ReadOnly Annotation. The difference here is that, if the field has no value(is null) when it goes from Java to Flex, the field can be created on the flex side and sent back. An example here is a foreign fey field. I have a customer creating an order. The order contains a customer id field. I want to let the customer create an order with their customer id for the first time, but after that, want to make sure that data is not tampered with later.

Web 2.0 and Security

With Web 2.0, application security is a big concern. Data is much more exposed to the curious eyes of an end user (especially primary and foreign keys) than in a traditional web app. My post on BlazeDS and Security goes into more detail. One of the driving forces for these annotations is for object security.

Annotations: To be Continued….

The annotations here create a starting point for use in BlazeDS. I hope the community will build on these annotations. The next goal is to tackle securing remote service methods using annotations. Feel free to post ways you would like to see annotations used with BlazeDS in the future.

Monday, May 19th, 2008 BlazeDS, Flex, Flex Security, Java Trackback URL for this entry

5 Comments

  • 1. Dirk Eismann replies at 2nd June 2008, 7:57 am :

    nice stuff. One question: when marking a DTO class as @FlexClass the classType has to be defined. The FlexClassType enum defines two values: FlexClassType.RemoteObject and FlexClassType.RemoteService - which one do I need to use?

  • 2. Brian Telintelo replies at 2nd June 2008, 9:38 pm :

    In that instance you would want to use RemoteObject. RemoteService is not used yet but would be for those classes defined in the remoting-config.xml. I hope to add annotation suport for service classes as a next step. I will update the Javadoc for this class to better define the options.

  • 3. Alex replies at 7th August 2008, 2:40 am :

    Nice work Brian,

    I love the power of annotations, and BlazeDS surely needed security tweaks.
    I love blogs with real content, not just links to “others cool stuffs”,

    Keep on the good work !!!

  • 4. Eduardo Burgos replies at 14th October 2008, 9:54 am :

    malformed link under the “Web 2.0 and Security” section, I think it’s missing a colon ( : ).

    Regards,

  • 5. Yahya replies at 3rd January 2009, 3:00 am :

    Nice Idea.
    When I faced the Lazy initialization exception i was shocked that I have to implement Externalize, and I said didn’t they hear about annotation.
    and After so much searching on google I found nothing until I took a look in bugbase.

    I like what you did, I didn’t look in the code yet but i think it will be great but one thing I read made me worry.
    Why should all my beans extend mx.rpc.remoting.JavaObject?
    I’ll try to answer this question myself but if you can communicate your progress either via email or through your blog I would be grateful.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <blockquote cite=""> <code> <em> <strong>