MVC may be the vanilla option, but conventional isn’t always best. Ben Gurion University PhD candidate and Harvard University Fellow Michael Bar Sinai explains to Voxxed why he and the team behind the research data repository system Dataverse opted to throw the Command Pattern switch.
Voxxed: Your talk at JavaOne, “Lean Beans (Are Made of This): Command Pattern Versus MVC” centered around the Dataverse team’s decision to use Command Pattern over MVC. Can you explain the reasoning for this to our readers?
Michael: We had two main goals: to have security and permission enforcement baked into the application’s architecture, and to support a rich API as well as a UI. Both of these requirements could be better supported if we had a way to reason about the actions taken by the application. We wanted to be able to say “only users with permission X can do Y to object Z”, and we wanted to say it just once, without duplicating code between the API and the UI.
MVC would have made us duplicate code, as there would be two “C”s – the UI controller and the API controller. This may mean duplicating the permission validations, but more importantly having to remember to perform them in all appropriate places – we are all human, Dataverse is a big application, and we would have missed a spot eventually. And that spot might allow attackers to access data they are not supposed to access. The breach in iCloud that was part of the recent celebrity nude picture scandal, where Apple allegedly forgot to enforce login throttling in just one place, is a good example of what we were trying to avoid.
Our adaptation of the command pattern allowed us to reason about commands the way we wanted, since commands are plain objects that encapsulate actions. Because they are objects, we have rich ways of handling them at runtime. Our commands expose some metadata that includes the issuing user and the objects that will be affected if the command runs, and so our command engine can validate whether the command should be discarded or not. And we do it only once, in a pretty declarative manner.
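As an added illustration of the arrangement Michael describes (this is example code written for this page, not Dataverse’s own classes; the names Permission, User, Dataset, Command and CommandEngine, and the sample data, are assumptions made here): each command carries its issuer and the permissions it needs on each affected object as plain data, and a single engine checks that metadata before executing, so a UI bean and a REST endpoint that both submit commands cannot each forget the check.

```java
import java.util.*;

// Added example, not Dataverse code. All class and permission names below
// are assumptions for this illustration.

enum Permission { VIEW_DATASET, EDIT_DATASET, DELETE_DATASET }

// A user and the permissions they hold on specific objects (keyed by object id).
record User(String name, Map<String, Set<Permission>> grants) {
    Set<Permission> permissionsOn(String objectId) {
        return grants.getOrDefault(objectId, Set.of());
    }
}

record Dataset(String id, String title) {}

class PermissionException extends RuntimeException {
    PermissionException(String msg) { super(msg); }
}

// Every command declares, as data, who issues it and what it needs on which object.
interface Command<R> {
    User issuer();
    Map<String, Set<Permission>> requiredPermissions(); // objectId -> needed permissions
    R execute(Map<String, Dataset> store);
}

record GetDatasetCommand(User issuer, String id) implements Command<Dataset> {
    public Map<String, Set<Permission>> requiredPermissions() {
        return Map.of(id, Set.of(Permission.VIEW_DATASET));
    }
    public Dataset execute(Map<String, Dataset> store) {
        return store.get(id);
    }
}

record DeleteDatasetCommand(User issuer, Dataset target) implements Command<Boolean> {
    public Map<String, Set<Permission>> requiredPermissions() {
        return Map.of(target.id(), Set.of(Permission.DELETE_DATASET));
    }
    public Boolean execute(Map<String, Dataset> store) {
        return store.remove(target.id()) != null;
    }
}

// The single choke point: UI beans, REST endpoints and batch jobs all submit
// commands here, so the permission check lives in exactly one place.
class CommandEngine {
    private final Map<String, Dataset> store = new HashMap<>();

    void add(Dataset d) { store.put(d.id(), d); }

    <R> R submit(Command<R> cmd) {
        for (var entry : cmd.requiredPermissions().entrySet()) {
            Set<Permission> held = cmd.issuer().permissionsOn(entry.getKey());
            if (!held.containsAll(entry.getValue())) {
                throw new PermissionException(cmd.issuer().name() + " lacks "
                        + entry.getValue() + " on " + entry.getKey()
                        + " for " + cmd.getClass().getSimpleName());
            }
        }
        return cmd.execute(store);
    }
}

public class CommandDemo {
    public static void main(String[] args) {
        CommandEngine engine = new CommandEngine();
        // Constructed sample data for the demo.
        Dataset ds = new Dataset("dataset-42", "Constructed sample dataset");
        engine.add(ds);

        User curator = new User("curator", Map.of(ds.id(), EnumSet.allOf(Permission.class)));
        User guest = new User("guest", Map.of(ds.id(), Set.of(Permission.VIEW_DATASET)));

        // A "UI" caller and an "API" caller are just two places that build commands;
        // neither one repeats the permission logic.
        System.out.println(engine.submit(new GetDatasetCommand(guest, ds.id())));
        try {
            engine.submit(new DeleteDatasetCommand(guest, ds));
        } catch (PermissionException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("Deleted: " + engine.submit(new DeleteDatasetCommand(curator, ds)));
    }
}
```

The point to notice is that a new caller cannot bypass the check by accident: the only way to run a command is through `CommandEngine.submit`, and the only way to write a command is to declare its required permissions. Requires Java 16 or later for records.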
What did you learn from this?
Don’t be afraid to try different architectures – while MVC is the go-to architecture for Java EE, and it is an overall good solution, sometimes it’s better to try different approaches. It’s important to note that this is not just Phil and me; this decision was backed by the team and, most importantly, the project manager, Gustavo Durand, who also gave a talk at JavaOne. He backed this decision even though it’s not the most conventional one, and we were dealing with imminent deadlines. I was part of teams where the project manager was afraid to allow any diversion from the mainstream, so I really appreciate that.
Can you give us a case study based on this principle?
Dataverse is a real-life application – as Phil noted at the beginning of our talk, we are from Harvard, but this is no research project. This is a research tool, a real-life application whose biggest installation holds about 750K files in almost 55K studies. Our next versions will support storage of sensitive datasets, that may include personal health data or locations of endangered species. We really want to protect these.
Do you really think it would be feasible for commands to replace service beans altogether?
No. We explored this direction, and we still have a few commands that do not use beans at all. We felt these commands read as too detailed. We ended up using a more balanced approach, where the beans handle the database operations (a.k.a. CRUD) and the commands do the modifications. It is also easier to test this way.
What’s next for the Dataverse team – will you be continuing your experimentation with the Command Pattern?
Yes. We have a few pain points, and we want to address these. All in all, I think the team is happy with it, as well as our security reviewers. After the infrastructure is in place, commands are very pleasant to work with: the code is concise, free from many accidental complexities, it’s easy to locate a certain functionality since the command name gives it away, etc. I think all in all we’re happy with it.
You’re currently working on a software programming based PhD. Did this project link into your research focus?
Sadly, no. And I wouldn’t feel comfortable basing a sensitive application such as Dataverse on a research project that’s still in the works. My thesis revolves around interweaving complex systems from heterogeneous partial specifications – think drawing two sides of a house and having a computer build it for you. Or, at least, build an OK house that has two sides that look like your drawings.