Server-Side

Microservices II

  • Database Access
  • Data Serialization
  • Security, Telemetry & Scalability

Version

v1.1 26 October 2021
v1.0 23 September 2021

Acknowledgments

Thanks to:
  • Hamzeh Roumani, who has shaped EECS-4413 into a leading hands-on CS course at EECS and who generously shared all of his course materials and, more importantly, his teaching philosophy with me;
  • Parke Godfrey, my long-suffering Master’s supervisor and mentor; and
  • Suprakash Datta for giving me this opportunity to teach this course.

Download PDF

Database Access

Connecting Microservices to the Databases

Databases in the Microservices Architecture

The three-tier client-server microservice architecture: the clients, the server, and the databases. Shown are three components of the server: the controller, the model, and the data access object (DAO). The DAO connects to the databases, either as database servers, like Derby or PostgresSQL, and database files, like SQLite databases.

What is a Database?

A database is an organized collection of structured information or data. A database is usually controlled by a database management system (DBMS). Together, the data and the DBMS, along with the applications that are associated with them, are referred to as a database system or simply a database.

ID SURNAME GIVENNAME GPA YEARADMITTED
200715420 Andrews Kelly 7.8 2007
200768902 Bartlett Jasmine 7.1 2007
200420801 Golden Dante 8.1 2004
200746650 Higgins Alejandra 7.1 2007
200929837 Jones Evan 8.6 2009
200721627 Shelton Diana 9.0 2007

Data within the most common types of databases in operation today is typically modeled in rows and columns in a series of tables to make processing and data querying efficient.

The data can then be easily accessed, managed, modified, updated, controlled, and organized. Most databases use structured query language (SQL) for writing and querying data.

Source: What Is a Database? - Oracle

JDBC: Java Database Connectivity

JDBC (Java Database Connectivity) is the Java API that manages connecting to a database, issuing queries and commands, and handling result sets obtained from the database. It is oriented toward relational databases. It has been part of the Java Standard library since JDK 1.1 in 1997 and was one of the first components developed for the Java persistence layer.

JDBC offers a programming-level interface that handles the mechanics of Java applications communicating with a database or RDBMS.

The JDBC interface consists of two layers:

  1. The JDBC API supports communication between the Java application and the JDBC manager.
  2. The JDBC driver supports communication between the JDBC manager and the database driver.

Source: What is JDBC? Introduction to Java Database Connectivity

JDBC is layered into 3 layers. The application code calls the JDBC API. The JDBC API is connected to the JDBC Engine that passes the instructions to the JDBC Driver. Each database type or implementation has its own JDBC Driver which JDBC uses to connect to the database implementations. The SQL statements are sent to the database and the database responds with the SQL tables.

Using JDBC

  • Specify the database’s URL.
    • jdbc:sqlite:/path/to/database/file
    • jdbc:derby://host:port/name;credentials

  • Get a connection to the database.

  • Create a SQL statement.

  • Execute the query and see its result.

  • Store the result data into a Java bean, a Plain old Java Object (POJO). More on Java Beans in a bit.

  • For queries with user input, use PreparedStatements.
    String concatenation is insecure and can lead to SQL injection attacks.

  • Handle multiple results by storing them in a data structure like a List.

  • Eclipse has tools (Data Source Explorer, SQL Scrapbook) to explore the database and test queries. For SQLite, I prefer CLI –see https://sqlite.org/cli.html. Similarly, Derby provides the CLI command ij.

Data Serialization

Serialization is the process of converting the state information of an object instance into a binary or textual form to persist into a storage medium or transported over a network.

Data Serialization in the Architecture

The three-tier client-server microservice architecture: the clients, the server, and the databases. Shown are three components of the server: the controller, the model, and the data access object (DAO). The DAO connects to the databases, either as database servers, like Derby or PostgresSQL, and database files, like SQLite databases. The DAO also serializes and deserializes the model into JSON or XML files.

Java Bean

A JavaBean is just a Plain old Java Object that means the following requirements:

  1. All properties are private (use getters/setters).
  2. A public no-argument constructor.
  3. Implements Serializable.

Data Formats

XML

Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

JSON

JavaScript Object Notation (JSON) is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute-value pairs and arrays (or other serializable values).

XML Serialization

Java Architecture for XML Binding (JAXB) provides a fast and convenient way to bind XML schemas and Java representations, making it easy for Java developers to incorporate XML data and processing functions in Java applications. As part of this process, JAXB provides methods for unmarshalling (reading) XML instance documents into Java content trees, and then marshalling (writing) Java content trees back into XML instance documents. JAXB also provides a way to generate XML schema from Java objects.

Sources: Lesson: Introduction to JAXB; and Java Architecture for XML Binding (JAXB) (by Ed Ort and Bhakti Mehta, March 2003).

XML De-serialization

Sources: Introduction to JAXB - Basic Examples.

JSON Serialization

Gson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object. Gson can work with arbitrary Java objects including pre-existing objects that you do not have source code of.

  • Provides simple toJson and fromJson methods to convert Java objects to JSON and vice-versa
  • Allows pre-existing unmodifiable objects to be converted to and from JSON
  • Extensive support of Java Generics
  • Allows custom representations for objects
  • Supports arbitrarily complex objects (with deep inheritance hierarchies and extensive use of generic types)

Sources: Gson - Github; and Gson - Quick Guide (TutorialsPoint).

JSON De-serialization

  • It is perfectly fine (and recommended) to use private fields.
  • There is no need to use any annotations to indicate a field is to be included for serialization and deserialization. All fields in the current class (and from all super classes) are included by default.
  • If a field is marked transient, (by default) it is ignored and not included in the JSON serialization or deserialization.
  • This implementation handles nulls correctly.
    • While serializing, a null field is omitted from the output.
    • While deserializing, a missing entry in JSON results in setting the corresponding field in the object to its default value: null for object types, zero for numeric types, and false for booleans.
  • If a field is synthetic, it is ignored and not included in JSON serialization or deserialization.
  • Fields corresponding to the outer classes in inner classes, anonymous classes, and local classes are ignored and not included in serialization or deserialization.

Sources: Gson User Guide - Github.

Cross-Cutting Themes

  • Security
  • Modularity
  • Versatility
  • Interoperability
  • Scalability
  • Telemetry

Security

Never trust the client

Always assume all input or data coming from the client might be sent maliciously, because you can’t control it. This means authentication and authorization must be checked and enforced server-side. All input must be validated. Never trust the user; there is nothing on the client side that can prevent them from entering dangerous, unexpected input. Always validate input and perform server-side checks on everything. Assume a malicious actor can tampered with the client and its implementation (not just webpages but mobile applications as well). Never provide direct access to the databases.

Hacker gaining unauthorized access to the database.

Confidentiality Protection against disclosure
  Encrypt: link level or end-to-end
  Authentication: Passwords, Accounts, OAuth
Integrity Protection against alteration
  SQL Injection: Always sanitize incoming parameters and use prepared queries
Availability Protection against interference
  Network based Measures: IP filtering, black and white lists, DoS, DDoS, …

Scalability

Scalability: the property of the systems of remaining efficient where there is a significant increase in the number of users and resources.

  • Controlling the cost of physical resources
  • Controlling the performance loss
  • Preventing software resources from running out
  • Avoiding performance bottlenecks

Techniques

  • Multithreading
  • Throttling
  • Thread Pooling
  • Scale through containers (e.g. Docker, Kubernetes)
  • Scale through boxes (pods and nodes) or VMs
  • Load Balancing
  • Auto Scaling

Telemetry

  • System Logs
  • Performance Timing
  • Metrics
  • Analytics
  • Data Mining
  • Machine Learning

Failure Handling

  • If a part of the system fails, the system should still functions
  • Detecting failure:
    • Some failures can be detected: for example a checksum can detect corrupted data in a message, a server not responding
  • Masking failures: when a failure is detected it can be hidden or made less severe
    • Messages can be retransmitted or corrected, a server is restarted
  • Tolerating failure: if a browser cannot contact a server, it does not try forever; it gives up and inform the user
  • Recovery from failures: the software should be able to “roll-back” to a stable and know state
  • Redundancy: services can tolerate failures by using redundant components; most web applications run on clusters
  • Unsolved problems: denial of service

This slide is intentionally left blank.

Return to Course Page