AJAX In Action [90]
In the and retrieve the value asynchronously from the server. Our Person only has one method, so that’s all we’ve exposed, right? Unfortunately, that’s a false assumption. Our Java Person class is descended from java.lang.Object and inherits a few public methods from there, such as hashCode() and toString(), which we can also invoke from the server. This hidden feature is not peculiar to DWR. The JSONRPCBridge.registerObject() method will do the same, for example. To its credit, DWR does provide a mechanism for restricting access to specific methods within its XML config file. However, the default behavior is to expose everything. This problem is inherent in most Licensed to jonathan zheng 172 CHAPTER 5 The role of the server reflection-based solutions. We ran across it in chapter 4 in our early versions of the ObjectViewer utility using JavaScript reflection. Let’s see what we can do about it. Limiting exposure We’ve accidentally exposed our hashcodes to the Web, but have we really done any damage? In this case, probably not, because the superclass is java.lang. Object, which is unlikely to change. In a more complex domain model, though, we might be exposing implementation details of our own superclasses, which we might want to refactor later. By the time we get around to it, some bright spark is bound to have discovered our unwittingly exposed methods and used them in his client code, so that when we deploy the refactored object model, his client suddenly breaks. In other words, we’ve failed to separate our concerns adequately. If we’re using a toolkit such as DWR or JSON-RPC, then we should take great care to decide which objects we are going to publish as our Ajax interface and preferably create a Façade object of some sort (figure 5.5). Using a Façade in this situation offers several advantages. First, as already noted, it allows us to refactor our server-side model without fear. Second, it simplifies the publicly published interface that client code will use. In comparison to code written for internal consumption, interfaces published to other parties are expensive. Either we document them in detail up front or we don’t document them—and become inundated with support calls from people writing to our published interfaces. Another advantage of Façade is that it allows us to define the level of granularity of our services separately from the design of our domain model. A good domain model may contain lots of small, precise methods, because we require that precision and control within our server-side code. The requirements of a web service interface for an Ajax client are quite different, however, because of network latency. Many small method calls will kill the usability of the client, and, if deployed in sufficient number, may kill the server and even the network. Think of it as the difference between a face-to-face conversation and a written correspondence (or an IM conversation and an email correspondence, for those too young and hip to remember what pen and paper are). When I talk directly to you, there are many small interchanges, possibly several just to establish that we are both “fine” today. When writing a letter, I may send a single exchange describing the state of my health, a recent vacation, what the family is doing, and a joke that I heard the other day, all in a single document. Licensed to jonathan zheng The big picture: common server-side designs 173 Fine-grained web services Web client Web Domain service model Web server Coarse-grained web services