Secure Web Applications with AWA
Formal Metadata
Title: Secure Web Applications with AWA
Title of Series: FOSDEM 2019 (part 558 / 561)
Number of Parts: 561
License: CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/44536 (DOI)
Transcript: English (auto-generated)
00:07
Okay, I will talk about how we can build a secure web application with AWA. So first, what is a web application?
00:23
A simple definition is it's a client server program where we have the browser which is a client. A typical example is Gmail, Dropbox, Netflix, Zoho, which is a program management system.
00:44
So the web application contains several parts. You have on one side your client browser, which is on the desktop side, and then you have a server part which contains two or three elements, a front-end which is in general responsible
01:07
for rendering or doing some presentation stuff. You have in general some back-end which is responsible for getting the data from the database, and at the end you have the database.
01:21
So all these components participate together to provide a service to the client through the browser. In general, we have different technologies which are used. On the client and browser, you get some JavaScript, HTML, CSS, which is downloaded from the
01:43
server front-end and which is executed on the browser. On the front-end and back-end, in many cases, this is PHP or JavaScript, sometimes Ruby and Java. So you have many frameworks which use these languages.
02:02
And on the database side, you have SQL and NoSQL. What is the problem with web applications? They have some data, they have your data. And they have to protect the data that you own.
02:23
Protecting the data means that on the front-end part, when the data comes in, you have to validate what is given to you as an input, that's the validation part. The second problem is authenticating users.
02:42
When you have a user that comes into the server, you have to authenticate this user. And the last part is more back-end responsibility. You have to authorize access to the protected data.
03:02
You have to make sure that you don't leak users' data by allowing unauthorized users to access safe data. So these are the three problems that you have to take care of. A little bit on the project history.
03:24
So the project was created in 2011, so it's not a new project. It's based on my experience in writing a SaaS (software as a service) application, which is called Planzone, which is still running.
03:41
Based on J2EE and JavaServer Faces, I've learned a lot of Java technologies. Java has a lot of technologies which help in creating web services and web applications. The idea was to be able to benefit from all these technologies, but in Ada.
04:04
Ada brings more safety to the application, more performance, less memory usage. The goal was to be able to build this kind of software as a service application, but in Ada.
04:23
Examples of applications, there are several. So I have my blog website. We have Ada France, which is also running on AWA. There is a demonstrator, which is called Atlas, which allows you to see the features
04:41
provided by AWA. Jason, which is a project management and ticket management system, which allows you to manage projects. All these applications are written on top of AWA. So what is the AWA architecture?
05:00
So at the bottom level, you have the operating system. So it runs on NetBSD, FreeBSD, Linux, Windows. Then you have some database layer. We have MySQL, Postgres, and SQLite. All these are existing components that you can get easily, and they are not written
05:23
in Ada. On top of that, we have several Ada components, which bring the AWA architecture. First, we have the Ada Web Server, which is a famous web server, known by the community.
05:42
XML/Ada, to be able to read XML files. We have a number of Ada utility libraries that I will describe briefly. Ada Servlet: I took a lot of the Java specification, and I implemented this specification in Ada.
06:03
So this is the case for Ada Servlet, similar to Java Servlet. Ada Server Faces, which is similar to JavaServer Faces. Ada Security is a part that I will speak about a lot, to deal with how to enforce the security
06:21
in the application. OpenAPI is a project that I presented last year. Ada Database Objects is what I presented at the beginning of the afternoon. And on top of that, you have Ada Web Application, which provides a number of features, which allow you to build your own application.
06:44
So what are the features of AWA? There are several parts. You have general purpose components that you can use. You have system components, and you have functional components.
07:00
General purpose components are components that you can use as is, and they are not dependent on each other. System components don't provide any useful functionality. They are just here to help the system work: managing users, managing mails, managing permissions,
07:24
having some background jobs to run. Functional components are components that really provide something for users. There is a wiki component, which is a full wiki system, which allows you to write pages,
07:41
insert images, and so on. Blogs is a blog system which allows you to post articles. And we have also others that I will not describe. OK, so let's see what happens on the server side when we have a request which comes in.
08:05
So the client performs some HTTP GET operation. This GET operation is handled by AWS, and then we enter in the servlet world with a servlet filter, which is a standard mechanism defined by the Java standard.
08:29
And at the end, we have a GET operation which is called on the Server Faces servlet, which is the last part that will handle the request.
08:41
Then we have some Ada beans. This is an Ada object which will be created dynamically. And this object will be configured, will be populated by Ada Server Faces by calling the Set_Value operation. Once the Ada bean is populated with input parameters,
09:04
then you will have a load operation, which is called, and which will actually allow you to do some work, perform some action, and actually get the data from the database and return the value.
09:21
And the last part is for the rendering, which is: we have done a request, we got some data from the database, and we have to format this as a result to return it in HTML or whatever. And Ada Server Faces will use Get_Value to get information from the Ada bean.
09:48
So problem one, how do we validate data? The data comes in through HTTP parameters, which is a string. So it must be validated, verified.
10:02
And because we use Ada's strong typing, it helps in this validation process. So Ada Server Faces, when the Do_Get operation is called, gets a parameter, which is a string.
10:21
A string can be anything. It will have to validate the value. Then it will call Set_Value on the Ada bean. And in this transition, we convert the string into the Ada type: a date, a float. It could be a string, of course.
10:43
And this is the validation process that we will see. A small thing about Ada Server Faces. So this is an implementation of JSR 344.
11:02
So this is a model view controller framework, but it's based on components. It renders HTML, XML, JSON, but also Ada. I have used it in Dynamo to generate Ada code. And the framework helps in validating inputs.
11:26
It uses XML to describe the content. I will show you. So when you start with server faces, you have an XML file. Here you have an extract of this XML.
11:42
It's a standard, which is called Facelets. So it's standard with Java. It's a component-based system where you can plug in your own component. For example, AWA wiki is a UI component that is provided by the wiki component,
12:06
which allows to render some text, some wiki text, and render it into HTML. So what we see here is we have only some text, but we have some reference.
12:26
For example, here I have wikiView.content. It's a reference. And we have to make a link between this and the Ada world. So for this, what we have done is to implement JSR 245,
12:41
which is another Java standard, which allows us to access Ada content from a simple presentation layer. So I have a small EL expression. I have an object which is called wikiView.
13:02
And from this object, I have an attribute which is called title. And on this side, I have the Ada code, which contains my title. And the purpose of EL is to be able to retrieve the value that I have on the other side.
13:25
You have to know that Java is doing all this by using introspection. So introspection is not possible in Ada. We are not able to take an object and see what are its attributes, what are its methods.
13:42
So we need some mechanism. So what I've done is I invented these Ada beans. So it's a simple system where you just have to implement a bean interface. And the bean interface must be implemented by your type.
14:05
And it just has to implement two operations. A Get_Value operation, which you give a name, which is the title that I was speaking about. And it returns the value that is associated to the name.
14:24
And the second operation is Set_Value, which you give a name, title or whatever, and you update the value associated with the name.
14:40
Because we need some generic type, the value itself is inserted in an Object type, which in fact is a special type which allows you to store any type you want. An integer, a string, a date, and including a bean itself, which means that you can
15:08
transition and navigate from one bean to another and to another and to another and so on. All this by keeping the type safety. So at any time, even if you have an object, you can know its type.
15:24
It's strongly typed. Second part is we want to be able to call methods on it. We want to be able to specify that on the view presentation, we want to call the load operation.
15:42
So for this, the bean has to implement the Method_Bean interface. And this interface has to return a table of what operations are provided by the bean. It means a lot of operations, and because it's quite complex, in fact,
16:02
Dynamo, the code generator, is able to generate a lot of things. And I have put as an example the piece of code that it generates to create the binding that we'll be able to use to call the load operation.
16:24
The last part is we need a bean factory. In the model, we have declared an object, and we want to create it. For this, you have to create a function.
16:41
Here, it creates the wikiView bean, and then you register this function in a factory, and you associate this function with a name, the name that you have here. And then on the configuration part, in XML, you have to declare some managed bean
17:01
XML. It's exactly what you do, in fact, in JavaServer Faces. It's the same semantics, the same definition. You, in fact, declare in XML the fact that, OK, I want a bean which is called wikiView. So this is the name that I give to my object, and the factory to create it is here.
17:26
So this is the function that I have registered at this level. OK, so if we are back to this piece of XML that we had in the presentation,
17:44
we have a view param with an id. So we have a request which comes in. We have a page parameter, and we want this page parameter to populate the wikiView name property. OK, so what will happen is, first, we will verify before calling Set_Value.
18:05
We will verify that the parameter is correct, first thing. Second thing, we will need the wikiView object. So we are going to create the object with a factory.
18:21
Then we will call Set_Value with a value that we know. The Set_Value operation is able to raise an exception. So here, if the validation fails, Set_Value is not called, and we are back. When we set a value on the object, we still have the ability to raise an exception
18:45
and abort the complete call. And the last part is, we are calling this action. So we want to call the load method on the object. This method will perform its work, and it can also raise an exception,
19:04
in which case it will be handled also by the system. So how do we validate the data? So we have many points where we do some control before converting the value.
19:21
At the end, we convert the value into an Ada type. So we enforce the strong typing. With the Ada object that we want to expose, we have to explicitly declare what operations, what attributes are available to the presentation layer. And Set_Value is called only when everything is correct.
19:50
Authenticating users, that's a second part. You don't want that anybody accesses the data. So you have to authenticate your user. You have to identify your known users and get the credentials for these users.
20:07
On the other hand, you may want to have some registration process for users who are not yet part of the system. So for this, AWA provides the users module, which is a system module.
20:23
And it authenticates users with two mechanisms. The first one is OpenID, which allows you to connect to Google, Facebook, and so on. And the second one is more traditional, with email and password.
20:40
There is also a mechanism to invite other users by sending them a link that they will go back and enter in the system. And all this with a secure key, which allows to verify that you are really allowed to do it.
21:03
So the user module provides a number of information, a number of database table. Here we have a user table, which contains the users that have registered in the application.
21:22
And we have a session table, which is updated to track users that connect to the system. So you can manage and trust users that connect to the application and see if they are allowed to connect or not.
21:41
And last, you have email, which is related to your user, and an access key, which is the access key that allows to verify that users are allowed to connect to the system. Ada Security. So this is a component.
22:01
This is a standalone project, which implements OpenID Connect, which is a standard. So OpenID Connect is an authentication framework, which is built on OAuth. And this is a mechanism, in fact, that allows you to authenticate with Google, Facebook, Twitter,
22:24
and others. So together with the module and with the Ada Security module, you are able to authenticate users. So this is the first part of verifying who accesses the data.
22:50
The last problem is authorizing access, which is making sure that the resources that you have in your database, the user has a grant to access the resource.
23:08
So you have to verify this before giving access, before giving the data to the user, not after. And what we want is to deny the access to users who are not authorized, of course.
23:27
So in the authorization process, there are several places where we can take care of this. First part is within a servlet filter.
23:41
So the servlet filter gets the request, and it is able to look at the URL and implement permission checking, which is if you decide that a user is not allowed to access a page, you can refuse the permission and refuse the GET request.
24:02
The second part is at the business level, when you are going to retrieve some data: before retrieving the data, you have to check, do the credentials of this user allow him to access the data?
24:22
And if it's not the case, abort everything. The last part is when you render some content, when you render the result for the user, it's useful to have permission checking in the rendering to hide some features which
24:42
the user is not allowed to see or some features that the user is not allowed to use. There are three concepts about security.
25:05
These three concepts are heavily used in the Ada Security framework. The policy and policy manager are the components which will enforce the security. They define the rules on how we want to verify that an access is granted or not.
25:25
The principal is the credentials which are given to a user. It's the part that identifies your user with all his rights. The permission is the action that we want to protect,
25:42
which qualifies the access to the resource. The Ada Security module provides several policies which enforce the security.
26:08
They describe several security policies. There is a pluggable mechanism, and it will provide the framework to authorize access for the principal based on the policy and the permission that you want to check.
26:32
When the user comes in and authenticates, the user will authenticate through OpenID, for example.
26:41
The result of this authentication is a principal. This identifies the user in terms of credentials. On the other hand, we have policies which define the rules on how to check the permission.
27:03
The policies are enforced by the policy controller. The policy controller is a mechanism that will really verify that the permission is allowed or not. The policy controller will look at the security context,
27:22
which represents the client in terms of principal and in terms of capabilities for this client. If the security controller sees that some capabilities are missing on this client, then it can deny the access.
27:48
Security policies: you can configure your own security policy. The Ada Security framework provides a simple role-based policy that you can configure.
28:02
Here I have put an example of the entity controller policy, which is provided by AWA. So to implement a new policy is very simple. You just have to implement the controller interface. This is a limited interface, so you are free to implement it.
28:26
What you have to do is just implement a Has_Permission function. Within this Has_Permission function, you get a context which is a security context, which tells you who wants to access the resource.
28:42
You get the permission, which tells you what resource the user is going to access. You decide yes or no, the permission is granted or not. Permission declaration is as simple as instantiating an Ada package.
29:08
You just instantiate the definition and give it a name. And with this instantiation in the Ada code, I have created my permission. Now this is the Ada code, and we have to configure this permission.
29:23
And to configure this permission, we will do it in XML. And this is the place where you decide, okay, I want to use role-based security or I want to use entity-based security. So with the role permission, I will say the create permission here
29:44
is granted if the user has an admin role. On the other hand, with this entity permission, it will be granted if this SQL statement returns something, returns the ACL.
30:05
So this is for the definition of the permission, and checking is also very simple. On the Ada side, when you check a permission, it acts as a barrier. The code which is after the check is executed only if you have the permission.
30:26
So with a simple call, AWA.Permissions.Check, you know that after this, the user has the permission to follow. On the presentation layer, this is an XML which you put in the Facelets file,
30:50
and this content here is rendered only if the permission is granted to the user.
31:02
So with this, we can declare a permission in Ada, and we can configure it. And we can check a permission and block any access to users. And we can also hide some data and some portion when we render the response.
31:33
All this is built with Dynamo, which is a code generator that I presented a little bit with Ada Database Objects.
31:43
Dynamo contains a number of commands that help you to start your project. You can create your project with the simple command like this, it will create a project that you can build, and then you can start, and you have immediately a server that is up and running with all the framework.
32:06
Here, an example: you have the ability to easily add some page. The idea of all these commands is to avoid the blank page syndrome, where you start on a project and you don't know where you have to go,
32:20
what is the next action to proceed. To add a new module, which is more complex, it's adding some Ada code, adding some presentation file. It's done easily with this command.
32:42
So to sum up, AWA takes care of the application security by first validating the input that the user has submitted.
33:01
Second, it will enforce strong typing during the validation, but also when you store the data in the database, I have explained in the presentation, it will provide an authentication framework which allows you to authenticate your users.
33:21
And it will verify the access to the resources. And finally, you have the AWA programmer's guide that you can use and to get started with. Thank you.
33:58
Yes, I made the benchmark comparison not on the AWA complete framework.
34:08
I did some benchmark on REST API, which uses the servlet framework that I have presented.
34:20
I have compared Java Grizzly, which is a J2EE machine. I have compared AWS as a direct access and Java Servlet also. I don't have the picture here.
34:42
There is a 10% benefit in using AWA compared to Java in terms of speed. Now, in terms of memory, it's enormous. In Java, you need 500 megabytes of memory. Here, you need 10 megabytes of memory for the server to run, in fact.
35:05
So the impact on memory is huge. The impact on performance, I have observed only 10% to 20%. But I have not made any measurements on the Ada Servlet part
35:21
to compare Java Servlet versus Ada Servlet. I have not done it, but it would be interesting to do it.
35:48
If you have an Ada compiler, yes, why not? If you have a free Ada compiler that I can use, I would be happy to do the port or to help in porting.
36:11
No, no. Yes, I would then recommend to use SQLite.
36:22
SQLite is very nice because it's a file database. Actually, SQLite provides very, very good performance for small databases. I have another benchmark which shows that SQLite is
36:42
10 times to 20 times faster than MySQL on small datasets. Now, with big datasets, it is not the case. But it's best, I think, to still continue to use a database, even like SQLite, because you benefit from all the models that are presented,
37:07
all the data, all the code generation which allows you to map directly SQL content in Ada.
37:36
It's difficult. It's difficult because when you have a request which comes in,
37:42
there are some objects that you have to create dynamically because you don't know, many objects cannot be shared and they have to be created for a given request. What you could do, yes, is make sure that your server receives only one web request at a time and is mono-threaded, for example,
38:04
and in that case you can have one instance and a static instance for every AdaBeans that I have presented and it would be possible, sorry? Or just use storage pool to limit the amount of memory at least?
38:25
Yes, to be honest, I have never used them. Two questions. First one is how far do you think it is from usable in production?
38:47
Personally, it's used in production. The Ada France website is running. My blog site is also running for four years now.
39:01
No, it's really, really stable. The thing is, I made the choice to develop in Ada because I was frustrated by Java consumption and the fact that Java consumes a lot of memory. The second reason is I don't have time to spend to debug.
39:26
By having everything in Ada, in fact, I realized that I don't spend time to debug, in fact, because I just compile and it's almost correct. Of course, there are some bugs, but fixing the bugs is really, really easy.
39:47
And I'm really confident to have something because of the compiler, because of the work that the compiler has done, and because I've tried to use a lot of limited types to
40:01
forbid copies, for example. I have to try to use private types to hide the details of the implementation so that it's not exposed to other parts. When I have to refactor something, I know that either the compiler will tell me,
40:20
oh, you changed something, it breaks, or the data is simply not exposed, so I know that by construction it does not impact some part of the system. Next on my list is GraphQL.
40:44
I presented last year REST API with Swagger. So, REST API is being able to provide some HTTP API. Now there is more and more a standard which is coming, which is GraphQL.
41:06
With REST API, if you want users, you will do one request. If you want a message from the user, you will do another request. So, we will do one request and then another and so on and so on.
41:20
With GraphQL, what you do is, okay, I want users and their message and their emails and this. You create your query and the server runs the query and gives you in one request everything. So, this is a challenge because this is, in terms of implementation, you have to implement,
41:48
you don't know what is a query, in fact, when it comes in. So, you have to interpret, so it's a real challenge and I'm interested in this challenge. Okay.
42:10
Yes, yes. In fact, JavaServer Faces and Ada Server Faces are really, really similar.
42:20
I have used exactly the same components. I tried to use exactly the same components. So, I'm using an IDE, the IntelliJ IDE, to be able to edit the files. And, in fact, by having the same technologies that we have in Java, it's also easier, in
42:41
fact, to use Java tools. Of course, the Java tools will be able to introspect objects, but there are many functionalities that Java tools offer for the developers, which, in fact, I can reuse because I'm sharing the same facility and same life cycle as in the JavaServer Faces mechanism.