Upload
catherine-chapman
View
215
Download
0
Embed Size (px)
Citation preview
DSEC--1
CSE333
Aspect Oriented Programming inAspect Oriented Programming in Distributed Systems Distributed Systems
Sahar El SisiRehab El Kharboutly
Jaime Pavlich
Spring 2004 :CSE 333Computer Science & Engineering Department
DSEC--2
CSE333
OutlineOutline
MotivationMotivation Separation of ConcernsSeparation of Concerns
Model Composition AOP UML Notation for AOSD
Aspects in Distributed SystemsAspects in Distributed Systems Synchronization Security
Conclusion and Future WorkConclusion and Future Work
DSEC--3
CSE333
MotivationMotivation
Complexity of distributed ApplicationComplexity of distributed Application Efforts of OOPEfforts of OOP Problem Problem Crosscutting Concerns Crosscutting Concerns Concerns which cannot be constrained easily into modular Concerns which cannot be constrained easily into modular
form.form. Scattering : Different classes, same concern Tangling : one class , many concerns
Why are crosscutting concerns a problemWhy are crosscutting concerns a problem Destroy modularity Make code difficult to develop and understand Limit reuse and make code difficult to evolve
DSEC--4
CSE333
Example 1: Logging Example 1: Logging
Ο Where is logging in org.apache.tomcatWhere is logging in org.apache.tomcat red shows lines of code that handle logging not in just one place not even in a small number of places
DSEC--6
CSE333
Separation of ConcernsSeparation of Concerns
To improve software development, it is necessary to To improve software development, it is necessary to separate adequately all important concerns of an separate adequately all important concerns of an application.application. Design and implementation languages should
provide Decomposition Mechanisms
To understand better the requirements by partitioning the problem in smaller pieces
Composition MechanismsTo ensemble the different parts of the system as
a whole More powerful decomposition mechanisms needed
on top of OOP!
DSEC--7
CSE333
Separation of ConcernsSeparation of Concerns
Efforts in Separation of ConcernsEfforts in Separation of Concerns Subject Oriented Programming : Subject-Oriented
Programming: William Harrison , Harold Ossher, Subject-oriented programming: a critique of pure objects, Proceedings of the 8th annual conference on OOP systems, languages, and applications, p.411-428, September 26-October 01, 1993, Washington, D.C., USA
Model Composition: Siobhán Clarke, Composition of object-oriented software design models, Dublin City University, 2001.
Aspect Oriented Programming: Gregor Kiczales et all. Aspect-Oriented Programming. European Conference on Object-Oriented Programming (ECOOP), 1997.
Disguises Model : Fernando Sánchez Figueroa. Modelo de disfraces: hacia hacia la adaptabilidad de restricciones de sincronización en los LCOO. PhD Thesis. Departamento de Informática,Universidad de Extremadura, Spain 1999.
Design Patterns: E. Gamma, R. Helm, R. Johnson, J. Vlissides. Design Patterns. Addison Wesley,1995.
DSEC--8
CSE333
Model CompositionModel Composition
New approach for designing software systemsNew approach for designing software systems Based in previous work in “Subject Oriented
Programming” System decomposed in Subjects, each one representing a
particular “subjective” view of the system Decompose a software into different views that may
represent specific concerns Integrate all views into one final model, by using
specific model composition rules UML Extensions
Subjects
Composition Relationships
DSEC--9
CSE333<<subject>>Persistence <<subject>>
Logging
Student
+save()+load()
Course
+save()+load()
Student
+log()
Course
+log()
match[name]
<<subject>>courseware
Student
+getNam e()+getAddress()
Course
+getCredits()+getInstructor()
match[name]
match[name]
Student
+getNam e()+getAddress()+save()+load()+log()
Course
+getCredits()+getInstructor()+save()+load()+log()
Model Composition (cont.)Model Composition (cont.)
Example
DSEC--10
CSE333
Aspect-Oriented Programming (AOP)Aspect-Oriented Programming (AOP)
• Aspect-oriented programming is a S/W development paradigm that aims to increase comprehensibility, adaptability, and reusability by introducing a new modular unit, called “aspect”
Aspect : is a modular unit of crosscutting implementation Aspect weaver : aspect + code = executable
• AOP languages include AspectJ, HyperJ, Sally
DSEC--11
CSE333
Aspect JAspect J
AspectJ is a general-purpose AO extension to Java, is a general-purpose AO extension to Java, developed by Xerox Palo Alto Research Center, which developed by Xerox Palo Alto Research Center, which enables plug-and-play implementations of crosscutting in enables plug-and-play implementations of crosscutting in Java.Java.
Open source, Latest version is AspectJ1.2Open source, Latest version is AspectJ1.2 Basic Language ConstructsBasic Language Constructs
Join Point Point cut Advice Introduction
DSEC--12
CSE333
AspectJ (continue)AspectJ (continue)
Point CutPoint Cut : is a programming construct that names certain join : is a programming construct that names certain join points (points (well-defined point in the flow of a programwell-defined point in the flow of a program))
AdviceAdvice is used to define additional code that should be is used to define additional code that should be executed at join points.executed at join points. before, after, around
AspectAspect : is a special class that can crosscut another class. It is : is a special class that can crosscut another class. It is defined in terms of point cuts, advice and introduction. defined in terms of point cuts, advice and introduction.
DSEC--13
CSE333
AOSD vs. AOPAOSD vs. AOP
Aspects are two things:Aspects are two things: Concerns that crosscut [design level] A programming construct [implementation level]
enables crosscutting concerns to be captured in modular units Aspect-Oriented Software Development (Aspect-Oriented Software Development (AOSDAOSD)) aims at addressing crosscutting concerns by providing aims at addressing crosscutting concerns by providing
means for their systematic identification, separation, means for their systematic identification, separation, representation (Modelling) and composition. Rashid et al. representation (Modelling) and composition. Rashid et al. [Ras03][Ras03]
DSEC--14
CSE333
UML Notation for AOSDUML Notation for AOSD
Pawlak, R., et al, A UML Notation for Aspect-Oriented Software Design, Aspect-Oriented Modeling with UML workshop at the 1 st International Conference on AOSD, April 2002.
Junichi Suzuki, Yoshikazu Yamamotto, “Extending UML with Aspects:Aspect support in the design phase”3 rd, AOP Workshop at ECOOP 1999.
Clarke, S., Walker, R.J. Composition Patterns: An Approach to Designing Reusable Aspects. in Proc. of ICSE '01 (Toronto,Canada, May 2001), ACM, 5-14
Herrero, J.L., S nchez, F., Lucio, F., Torro, M. Introducing Separation of Aspects at Design Time. in Proc. of AOP Workshop at ECOOP '00 (Cannes, France, Jun. 2000)
Stein, D., Hanenberg, St., Unland, R., A UML-based Aspect-Oriented Design Notation For AspectJ, in: Proc. of AOSD '02 (Enschede, The Netherlands, Apr. 2002), ACM, pp. 106-112
DSEC--15
CSE333
UML Notation for AOSD (continue)UML Notation for AOSD (continue)
• Groups : a group represents a set of classes that are not necessary instances of the same class or super class (yet could share being cross cut by the same aspect)
• Aspect class: is similar to a regular class with stereotype aspect and aspect-methods
• Aspect methods : equivalent to advice construct in AspectJ. Use the following stereotypes – <<around>>,<<before>>
<<after>>,<<replace>>
DSEC--16
CSE333
UML Notation for AOSD (continue)UML Notation for AOSD (continue)
Point cut relationPoint cut relation : : used to link aspect methods to join used to link aspect methods to join points. points. Oriented association Stereotype <<pointcut>> Special semantic roles
SemanticsSemantics Role 1: name of
advice Role 2: point cut C1 : cardinality of
aspect instances C2: cardinality of C
instances
DSEC--18
CSE333
Aspects in Distributed SystemsAspects in Distributed Systems
CommunicationCommunication : rules for parameter passing and their : rules for parameter passing and their effect on the network bandwidth needed effect on the network bandwidth needed
Replication : Replication : rules for managing replicate informationrules for managing replicate information Configuration: Configuration: relations between different nodes of the relations between different nodes of the
system system SynchronizationSynchronization : rules for accessing a certain object in a : rules for accessing a certain object in a
multi-thread system multi-thread system Access Control (Security)Access Control (Security) : includes DAC, MAC and : includes DAC, MAC and
URBACURBAC
DSEC--19
CSE333
SynchronizationSynchronization
Exclusion ConstraintsExclusion Constraints Concurrent execution of methods within a single
object Which operations are allowed to execute concurrently
and which are not. State ConstraintsState Constraints
Conditions under which operations can be applied to an object
May involve objects internal state or environment state
Coordination ConstraintsCoordination Constraints Coordinating operations involving a number of
independent objects
DSEC--20
CSE333
ExampleExample
A Library items locator that maintains a relation between library items and A Library items locator that maintains a relation between library items and their physical locationstheir physical locations
DSEC--21
CSE333
Java CodeJava Code
public class LibraryItemLocator{ protected Item items[]; protected Location locations[]; protected int nitems; protected int activeReaders = 0; protected int activeWriters = 0;
public Location locate(String str) throws
ItemNotFound{ Item an_item = items[0]; int i = 0; boolean found = false; Location l;
synchronized(this) {while (activeWriters > 0) {
try{ wait(); }catch
(InterruptedException e) {}}++activeReaders;
} while (i < nitems && found == false) {
if (an_item.get_title().compareTo(str) == 0)
found = true;else an_item = items[++i];
}
if (found == false) {synchronized(this) {
--activeReaders;notifyAll();
}throw new ItemNotFound (str);
} l = locations[i]; synchronized(this) {
--activeReaders;notifyAll();
} return l;}
}}
DSEC--22
CSE333
Java Code (cont.)Java Code (cont.)
public class BookLocator extends LibraryItemLocator{
public register() { beforewrite(); if (nitems > items.length()) {
afterwrite();throw new LocatorFull();
} else {
//book specific registration code } afterwrite();
}protected synchronized void
beforewrite() { while ((activeReaders > 0) ||
(activeWrites > 0)) {try { wait(); }catch (InterruptedException e) {}
} ++activeWriters;}
protected synchronized void afterwrite() {
--activeWriters; notifyAll();}
}
public class JournalLocator extends LibraryItemLocator {
public register() { beforewrite(); if (nitems > items.length()) {
afterwrite();throw new LocatorFull();
} else {
//journal specific registration code } afterwrite();
}protected synchronized void
beforewrite() { while ((activeReaders > 0) ||
(activeWrites > 0)) {try { wait(); }catch (InterruptedException e) {}
} ++activeWriters;}
protected synchronized void afterwrite() {
--activeWriters; notifyAll();}
}
DSEC--24
CSE333
Locator Example in Java and AspectJ: Locator Example in Java and AspectJ: Functional Code (Java)Functional Code (Java)
public class LibraryItemLocator{ protected Item items[]; protected Location locations[]; protected int nitems;
public Location locate(String str) throws
ItemNotFound{ Item an_item = items[0]; int i = 0; boolean found = false; Location l;
while (i < nitems && found == false) {if (an_item.get_title().compareTo(str) == 0)
found = true;else an_item = items[++i];
}if (found == false) {
throw new ItemNotFound (str); } l = locations[i];return l;}
}/**********************************/
public class BookLocator extends LibraryItemLocator{
public register() {
//book specific registration code}
}/*********************************/public class JournalLocator extends
LibraryItemLocator {
public register() {
//journal specific registration code}
}
DSEC--25
CSE333
Locator Example in Java and AspectJ: Locator Example in Java and AspectJ: Synchronization Code (AspectJ)Synchronization Code (AspectJ)
public aspect Locator_Coordinator {private int activeReaders = 0;private int activeWriters = 0;
pointcut write(): execution(public * *.register(..))
pointcut read(): execution(public * *.locate(..))
before(): write() { synchronized(thisJointPoint.getThis())
{ while ((activeReaders > 0) ||
(activeWrites > 0)) {try { wait(); }catch (InterruptedException e) {}
} ++activeWriters; } if (nitems > items.length())
throw new LocatorFull();
}
after(): write() { synchronized(thisJointPoint.getThis()) {
--activeWriters;notifyAll();
}}
before(): read() { synchronized(thisJointPoint.getThis())
{while (activeWrites > 0) {
try{ wait (); }catch
(InterruptedException e) {} }
++activeReaders; }}
after() : read(){ synchronized(thisJointPoint.getThis())
{--activeReaders; notifyAll();
}}
}
DSEC--26
CSE333
D: A Language Framework for Distributed D: A Language Framework for Distributed ProgrammingProgramming
C. Lopes Ph.D. Dissertation, Northeastren University, C. Lopes Ph.D. Dissertation, Northeastren University, 19971997
Separates the synchronization and communication Separates the synchronization and communication concerns from the functional concernconcerns from the functional concern
Falls under aspect specific languagesFalls under aspect specific languages Communication Language (RIDL)Communication Language (RIDL) Synchronization Language (COOL)Synchronization Language (COOL)
Declarative nature
DSEC--27
CSE333
Locator Example in D:Locator Example in D: Synchronization Code (COOL) Synchronization Code (COOL)
Coordinator Locator: LibraryItemLocator, BookLocator, JournalLocator{
selfex BookLocator.register, JournalLocator.register;
mutex{BookLocator.register,JournalLocator.register};
mutex{BookLocator.register,BookLocator.locate};
mutex{JournalLocator.register,BookLocator.locate};
cond boolean full = false;
BookLocator.register,JournalLocator.register: requires(!full);
on_exit { if (nitems > items.length()) full ==
true; }}
DSEC--28
CSE333
D AnalysisD Analysis
Case Study on 10 examplesCase Study on 10 examples Lines of Code Lines of Code
Up t0 40% reduction Methods Affected by Aspect CodeMethods Affected by Aspect Code
Zero (no scattering) in almost all cases Tangling RatioTangling Ratio
D : very close to 0 Traditional OO languages : close to 20%
Note : Results can be generalizedNote : Results can be generalized
DSEC--29
CSE333
Security as an AspectSecurity as an Aspect
IntroductionIntroduction Security is a very important concern in a system
Modularization of Access ControlUsing AOP to enforce security
Modularization of Security PoliciesUsing AOP to compose different security policies in a
system Apply decomposition techniques normally used for separation
of concerns to security policy definitions
DSEC--30
CSE333
Modelling SecurityModelling Security
RBACRBAC Use a modified version of Model Composition to
represent Role Permissions Role Slices
A class diagram which is a subset of the original class diagram of the system
It represents the view of the system, from the point of view of the role that is accessing itEach method in a Role Slice represents a permission
for the given role to invoke it.
DSEC--31
CSE333
<<RoleSlice>>Registered Student
Student
+<<pos>> getCoursesTaken()
{assignable}
Course
+<<pos>> getCredits()+<<pos>> getInstructor()
<<RoleSlice>>Alum ni
Student
+<<pos>> getNam e()
<<com position>>
<<RoleSlice>>Registered Student
{assignable}
Student
+<<pos>> getCoursesTaken()+<<pos>> getNam e()
Course
+<<pos>> getCredits()+<<pos>> getInstructor()
Modelling Security (cont.)Modelling Security (cont.)
RBAC - ExampleRBAC - Example
DSEC--32
CSE333
Modelling Security (cont.)Modelling Security (cont.)
MAC: Method-based approachMAC: Method-based approach We assume that methods are the ones that have
sensitivity levels Extensions to the Role Slice notation
Add a tagged value to Role Slices to represent clearance Add a tagged value to methods to represent classification and
other tagged value to represent if it is a read or write method Definition and Composition of Role Slices with MAC
depends now on the security properties used by the system
DSEC--33
CSE333
Modelling Security (cont.)Modelling Security (cont.)
MAC: Method-based approachMAC: Method-based approach A read method can only be assigned to a Role Slice if
and only if its classification is lesser or equal than the clearance of the Role Slice (Simple security property)
For write methods it will depend on the security property of the system Strict*-property: classification of the method must be equal to
clearance of the Role Slice Liberal*-property: classification of the method must be greater
or equal to clearance of the Role Slice Simple Integrity Property: classification of the method must be
lesser or equal to clearance of the Role Slice
DSEC--34
CSE333
<<composition>>
<<composition>>
A
+{mode=w, cls=S} setProp1()+{mode=r, cls=S} getProp1()+{mode=r, cls=C} getProp2()+{mode=r, cls=U} getProp3()
Class Model
<<RoleSlice>>Role3
A
+<<pos>> getProp3()
{clr=C, assignable}
<<RoleSlice>>Role2
A
+<<pos>> getProp2()
{clr=C, assignable}
<<RoleSlice>>Role1
A
+<<pos>> setProp1()
{clr=S, assignable}
Modelling Security (cont.)Modelling Security (cont.)
• MAC: Method-based approach – ExampleMAC: Method-based approach – Example– Representing Simple Security Property and Liberal*-Representing Simple Security Property and Liberal*-
propertyproperty
DSEC--35
CSE333
ModellingModelling Security (cont.)Security (cont.)
MAC: Instance-based approachMAC: Instance-based approach We assume that instances are the ones that
have sensitivity level For defining each role, we require as many
role slices as classification levels we use. Only one of these role slices must be assignable and its security level represents the clearance of the user to which the role is assignedEach role slice includes sets of instances
Each role slice has a tagged value that represents the classification of all the instances that belong to it
Each method inside a role slice represents the permission to invoke that method over instances of the class that are allowed inside that role slice
DSEC--36
CSE333
Modelling Security (cont.)Modelling Security (cont.)
MAC: Instance-based approachMAC: Instance-based approach Read and write methods
Add a tagged value to represent if the method is a read or write method
Composition of role slices When composing two role slices which have the same method
assigned, the resulting role slice will represent the permission to invoke that method over the union of all instances of the class allowed in both role slices
DSEC--37
CSE333
<<composition>>
<<composition>>
<<composition>>
<<RoleSlice>>C-Role1
A
+<<pos>> getProp1()
{secLevel=C}
<<RoleSlice>>U-Role1
A
+<<pos>> getProp1()
{secLevel=U}
<<RoleSlice>>S-Role1
A
+<<pos>> setProp1()+<<pos>> getProp1()
{secLevel=S, assignable}
<<RoleSlice>>T-Role1
A
+<<pos>> setProp1()
{secLevel=T}
ModellingModelling SecuritySecurity (cont.)(cont.)
• MAC: Instance-based approach – ExampleMAC: Instance-based approach – Example– Representing Simple Security Property and Liberal*-
property
Only instances of AWith cls=S
Only instances of AWith cls=U
Only instances of AWith cls=C
Only instances of AWith cls=T
DSEC--39
CSE333
Enforcing Security (Cont.)Enforcing Security (Cont.)
AOP ImplementationAOP Implementation
public aspect AccessControl {private User activeUser;pointcut login(): call(User SecurityAdmin.logIn(..));User around(): login() {
activeUser = proceed();return activeUser;
}pointcut securedMethod() : call (* application..*.*(..))
&& !within(application..*); pointcut internalCall() : call (* application..*.*(..))
&& within(application..*); before() : securedMethod() {
// Check for permissions}before() : internalCall() {
// Check for permissions}
}
DSEC--40
CSE333
Role Slice GeneratorRole Slice Generator
• Takes Takes an XMI file with the UML diagrams containing the role-slices as an inputan XMI file with the UML diagrams containing the role-slices as an input• Checks consistency of the role slicesChecks consistency of the role slices• Generates a file containing the data about permissions in a simpler format that can Generates a file containing the data about permissions in a simpler format that can
be used by the Role Slice Framework. be used by the Role Slice Framework. • Implemented as a plug-in to a UML utility that parses UML/XMI (UMT-QTV)Implemented as a plug-in to a UML utility that parses UML/XMI (UMT-QTV)
DSEC--41
CSE333
Conclusions and Future WorkConclusions and Future Work
Security and Synchronization as an AspectSecurity and Synchronization as an Aspect Modelling and Enforcing Security
Mac notation still incomplete Modelling Synchronization
UML Aspect ModellingUML Aspect Modelling Separation of Concerns enhances reusability and eliminates Separation of Concerns enhances reusability and eliminates
crosscutting concerns problems that standard techniques crosscutting concerns problems that standard techniques cannot solvecannot solve
Future WorkFuture Work Enhance the security notation to support DAC Create a visual modelling language for syncrhonization
and integrate it with our approach Complete the UML notation for Aspects