Genii Weblog


Civility in critiquing the ideas of others is no vice. Rudeness in defending your own ideas is no virtue.


Tue 22 Sep 2020, 11:52 AM
 
 
Inline JPEG image
 
This series of posts is meant to introduce Exciton Boost and provide some comparisons with Domino Access Services. Today, I'm going to talk about the biggest barrier customers report with Domino Access Services: security and integrity.
 
Domino Access Services has a very open (some would say insecure) approach to access. A database must be enabled, which is good. Domino security is respected, at least mostly. There are some security holes with anonymous use, but if you are allowing anonymous access to your database, you probably aren't too worried about security.
 
But there are some serious access control issues which prevent companies from using Domino Access Services. Among them:
 
1) Wide open discovery of databases. Using the endpoint http://example.com/api/data gives you a complete list of every database on the server, including its title, filename, and what template it is based on. Even if you have hundreds of dbs and only one is accessible, they are all included. While obscurity is not security, there is no reason to invite outsiders to view all of this. What if you have client databases by directory, a fairly common approach. Now, for no good reason, your client list is available to a casual browser.
 
Exciton Boost only displays databases that are a) available for Exciton Boost, and b) marked as discoverable in the Exciton configuration database.
 
 
2) Open discovery of views inside a database. Using the endpoint http://example.com/MyDb.nsf/api/data/collections gives you a complete list of every view and folder, private or public, in the database. Even if the database is only open to Domino Access Services to post anonymous public documents, every view and folder is revealed.
 
Exciton Boost only displays views that are explicitly available for Exciton Boost. Everything else is private, as it should be.
 
 
3) No control over forms created. With Domino Access Services, you can create documents with no form name or with any form name, including invalid names or hidden forms that are not meant to be created by users.
 
Exciton Boost only allows forms to be created that are explicitly available for Exciton Boost. You maintain complete control.
 
 
4) Little control over items created. With Domino Access Services, you can create almost any item you like so long as it does not start with a dollar sign. Invalid item names, items meant to be different types, etc. are all open for creating and updating. This invites both mischief and mistakes.
 
Exciton Boost allows as much or little control over the fields to be created based on the form. You can leave it wide open, partly open, or locked down.
 
 
5) Form validation is left in client control. With Domino Access Services, the caller can choose to compute-with-form or not. If it is not chosen, none of the field validation or translation formulas are run, and computed fields are not computed. This may leave the document in an unstable or non-viable state.
 
Exciton Boost allows the form to be marked as Always compute-with-form if desired. You can be sure the fields are in their correct state without the client app being able to disable the setting.
 
 
These are just some of the access control measures we have implemented in Exciton Boost. There are also Query Save and Query Open agents as I wrote about in Exciton Boost - Secret Agents protecting your data
Access levels are also set at the database, form, and view level that control creating, updating, and deleting documents. These never override Domino security, they simply augment it so that you have control over what mobile apps can do. The database form is shown below as an example. This is from the Exciton Configuration database which control access through both Exciton Boost and Exciton Power.
 
Inline JPEG image
 
While one would hope that there aren't really barbarians at the gate, Exciton Boost ensures that you have control over what the barbarians can do once you invite them in.
.
 
==> Request a free Exciton Boost evaluation license, and we'll send you the license and a link to the software as soon as it is released. <==
 
 

Copyright © 2020 Genii Software Ltd.

Tags:

Thu 17 Sep 2020, 02:45 PM
 
Inline JPEG image
 
 
I'm spending the week talking about Exciton Boost's features and some comparisons with Domino Access Services. Today, I'll talk about rich text rendering to HTML. It doesn't sound sexy, and you may think it is just about looks, but data is at stake here, so pay attention.
 
  • Key Concept: Content delivered should be the same content requested,
  • Differentiator: Exciton Boost uses the Midas engine for rendering, providing the most accurate and highest fidelity available anywhere.
There are multiple rich text to HTML rendering engines in Notes/Domino, and they all have problems. By using the award winning Midas engine foir our rendering, Exciton Boost provides high fidelity HTML that matches the content and look-and-feel of the rich text in Notes. I will show two examples, both fairly common scenarios that exhibit data loss or mangling, and both of which could cause confusion on the client app. These use the Domino Access Services REST API available in Domino 11.0.1.
 
Example 1) Nested List Confusion
 
Nesting in lists in Notes is created by indentation, and people are often sloppy about how much they indent.
 
Question to ask yourself when looking at the results of each. Is point D "Legal" or "Benefits"?
 
 
Nested List Confusion - What it looks like in Notes 11.0.1 client
 
Inline JPEG image
 
 
Nested List Confusion - What it looks like after GET from Domino Access Services 11.0.1
 
Inline JPEG image
 
 
Nested List Confusion - What it looks like after GET from Exciton Boost 4.5.0
 
Inline JPEG image
 
 
Example 2) Form Elements
 
Whether through forwarding or RenderToRTItem or define a field as rendering the parent document, it has always been quite common to see "form elements" such as radio buttons and combo boxes in rich text fields. Many applications even use this as part of the workflow. So, while the look of the tables is notably different, try to ignore that and focus more on the data
 
Questions to ask yourself when looking at the results of each: What is the value next to "Product"? Is this "Chargeable?" Is a Reminder Needed?" What is the "Status"? These vital pieces of information should be discernible from the HTML generated, no matter what the appearance. 
 
 
Form Elements - What it looks like in Notes 11.0.1 client
 
Inline JPEG image
 
 
Form Elements - What it looks like after GET from Domino Access Services 11.0.1
 
Inline JPEG image
 
 
Form Elements - What it looks like after GET from Exciton Boost 4.5.0
 
Inline JPEG image
 
 
 
There are many more examples of data loss, corruption, obscuring, and that is even before considering the professionalism of the rendered rich text.
.
 
==> Request a free Exciton Boost evaluation license, and we'll send you the license and a link to the software as soon as it is released. <==
 
 

Copyright © 2020 Genii Software Ltd.

Tags:

Tue 15 Sep 2020, 03:27 PM
Inline PNG image
I was curious how a more complex formula would work with Exciton Boost. While this may look dense, it is a real one I created for the Lotusphere Sessions db back in 2004. Here it is in formula language without the escaped quotes and with colors to guide the eye. (Also, you can copy this, as it is text rather than an image.)
 
sorted := @Sort(Speaker; [CustomSort];
@If(
   @Do(R:=@Transform(@Explode($A; " "); "W";
      @If(@Matches(W; "{a-z}*"); W+@RightBack($A; W)+", "+@LeftBack($A; W); @Nothing));
         @If(@Trim(R) != ""@Trim(R)[1]; @RightBack($A; " ")+", "+@LeftBack($A; " "))) >
   @Do(R:=@Transform(@Explode($B; " "); "W";
      @If(@Matches(W; "{a-z}*"); W+@RightBack($B; W)+", "+@LeftBack($B; W); @Nothing));
         @If(@Trim(R) != ""@Trim(R)[1]; @RightBack($B; " ")+", "+@LeftBack($B; " ")));
   @True@False));
 
If you look in the properties after POSTing this, you see that the Speaker item has a text list as specified.
 
Inline JPEG image
 
The SpeakersSorted item has the same text list, now sorted by last name. A tweak would make this sort with German sorting rules (van der Welten after Veems).
 
Inline JPEG image
 
 
 
 
==> Request a free Exciton Boost evaluation license, and we'll send you the license and a link to the software as soon as it is released. <==
 
 

Copyright © 2020 Genii Software Ltd.

Tags:

Tue 15 Sep 2020, 11:18 AM
 
Inline JPEG image
 
 
With Exciton Boost out this week, I'm spending the week talking about its features and some comparisons with Domino Access Services. Today, I'll talk about formulas, specifically Notes formula language, and how access to formula evaluation can empower your mobile and web apps in both the REST API and JSON-RPC API.
 
  • Key Concept One: Not all information is available to the client, nor should it be,
  • Differentiator One: Exciton Boost allows client apps to express values as Notes formulas, and allow the Domino server to evaluate and use the data which the client doesn't have.
 
  • Key Concept Two: Some operations require intermediate results, but should not trigger repeated saves or repeated calls back and forth from the client and server,
  • Differentiator Two: Exciton Boost allows intermediate results to be stored and then retrieved using Notes formulas
Because the API in Domino Access Services treats Domino as a simple data store, calculations usually require data to be brought back to the client. If this means intermediate results, it requires multiple requests which is both inefficient and leaves the document on the server in a partially updated state for too long.
 
 
Setting field values in REST API using formulas
 
In Domino Access Services, using POST to create and PUT/PATCH to update, field values must be known to the client and expressed explicitly. Alternatively, the form must contain all the fixed formulas and must be evaluated to get the results, which is less flexible.
 
In Exciton Boost, field values may be set directly or evaluated by a server-side formula. Let's look at an example where we want the request to reflect the abbreviated, not common, name of the logged in user, and we don't want to have to modify the request payload. In the first line below, we only know the name used to log in, and we have to alter the payload to ensure it is used. In the second line, we let the server evaluate the formula to determine the abbreviated name, which it does know.
 
Explicit => "Requestor": "Ben Langhinrichs"
 
Formula => "Requestor": {"@evaluate": "@Name([Abbrev]; @UserName)"}
 
Another example might be where an item number is known, but we want to use the item name. This requires a lookup to another database. 
 
{
"ItemNo": "REDM01",
"ItemDescr": {"@evaluate": "@DbLookup(\"\"; \"\":\"Orders.nsf\"; \"(ItemLU)\"; ItemNo; 2)"}
}
 
In this example, the ItemNo is saved as a value on the document, and is also used as an intermediate value in the formula for ItemDescr. If you retrieved the document afterwards, the values would be returned as
 
{
"ItemNo": "REDM01",
"ItemDescr": "Redmond Real Salt - Ancient Fine Sea Salt, Unrefined"
}
 
For those worried about opening up the power of @DbLookup and so forth, we are putting various controls in place to make sure they are not used to access data which is off limits, above and beyond the control based on Domino security.
 
Setting parameter values in JSON-RPC API using formulas
 
In Exciton Boost's JSON-RPC API, methods are called with specified parameters. Let's use the example from yesterday with agents. 
 
Request (using POST): 
{"jsonrpc": "2.0", "method": "doc.runAgent", "params": {"@evaluate": "@If(SalesTotal >= SalesTarget; \"Reward profitability\"; \"Punish failure\")"}, "id": "msg"}
 
Response (with 200 OK):
{"jsonrpc": "2.0", "result": "Loser! You missed your sales target. No soup for you!", "id": "msg"}
 
Different agents were run depending on whether the SalesTotal was greater than the SalesTarget, though the client never needs to know what either value is. The return value in the response is the output, if any, from Print statements in the agent. I use it here to send a message.
 
 
Another example is where we have a batch of RPC calls. By setting a url paramater, we can specify that return values with string ids be saved as intermediate field values. We are running this on the Body field of a specific document.
 
{"jsonrpc":"2.0", "method":"rtc.getCount", "params": "Graphic", "id": "ImageCount"}, 
{"jsonrpc":"2.0", "method":"rtc.getCount", "params": "Doclink", "id": "DoclinkCount"}, 
{"jsonrpc":"2.0", "method":"rtc.appendTable", "params": [1, 2, "", {"@evaluate":"\"Doclinks: \"+DoclinkCount"}, {"@evaluate":"\"Images: \"+ImageCount"}]}
 
 
The first two calls use Exciton Boost methods to get the number of images and doclinks in the Body field, and saved in numeric fields called ImageCount and DoclinkCount. Then, we append a table at the end of the Body field with one row and two columns. The values of the columns show the number of doclinks and images, using those intermediate fields from the document. 
 
These are fairly simple examples, but they show how powerful formula evaluation can be, and how intermediate results allow a series of actions based on earlier actions.
 
==> Request a free Exciton Boost evaluation license, and we'll send you the license and a link to the software as soon as it is released. <==
 
 

Copyright © 2020 Genii Software Ltd.

Tags:

Mon 14 Sep 2020, 03:15 PM
 
Inline JPEG image
 
 
With Exciton Boost out this week, I thought I'd spend a little time explaining some of its features and some comparisons with Domino Access Services. Today, I'll talk about Agents, both explicit and implicit (or "secret"). This is a lengthy post, but very important as it outlines a key differentiator for Exciton Boost which makes the product more useful for real business needs for flexibility, security, and data integrity.
 
  • Key Concept: Application Control and Flow belong to the client, but Business Logic and responsibility for Data Integrity and Security belong to the server
  • Differentiator: Exciton Boost allows client apps to call business logic on server via agents, but also enables server logic to override and control data access and updates
A common complaint by those who have tried Domino Access Services is that it treats Domino as nothing more that a simple data store. While you can read/write data to the data store, this ignores Domino's strengths and sometimes requires too much data and business to be handled on the client when it would be better staying on the server.
 
Exciton Boost treats Domino as a partner in applications, allowing most application logic and flow to be carried out in the mobile or web app, but also empowering business logic and data integrity to be handled out on the server where appropriate., If you take a look back at the video from my post, RPC - Empowering the server while retrieving to the client, you'll notice that the thousands of medical terms and links did not need to be downloaded to the client, but remained on the server where a simple JSON-RPC call could use them. The application triggered the call, but the processing happened on the server where much of the data resides. Agents take this concept a step further.
 
In traditional Domino applications, business logic is often built into agents which may in turn call script libraries. Exciton Boot harnesses these agents at several stages from both the REST API or JSON-RPC API.
 
 
Query Save agents called explicitly from the REST API
 
In Domino Access Services, using POST to create and PUT/PATCH to update allows you to set field values (with some limitations), plus you can use compute with form to validate fields, but only by request of the client application.  This poses some security issues. At best, an agent in the database could process the document after the fact by running on a schedule, but the documents are saved first.
 
In Exciton Boost, both the client and server may specify agents to be run on documents being created, updated or deleted using the REST API in Exciton Boost. These agents happen BEFORE the document is updated, thus preventing even short intervals when data integrity might be a problem. For example, using POST to create a document, or PUT/PATCH to update a document, the app can add
 
"@querysave": true
 
to the JSON payload to trigger the WebQuerySave agent specified for that form. Even greater control can be exerted by specifying the agent to be run as a query save agent.
 
"@querysave": "Validate Order"
 
Either the form's WebQuerySave agent or the "Validate Order" agent is run on the document before it is saved. If the SaveOptions item is set to "0", the update will not occur, allowing existing WebQuerySave agents to be used. Note: one difference is that the SaveOptions field does not need to already exist as it does with traditional WebQuerySave agents.
 
You may also set the query save agent using the X-Query-Save header in cases where that is easier.
 
X-Query-Save: true
 
or
 
X-Query-Save: Validate Order
 
 
Query Save agents called implicitly from the REST API (aka "secret agents")
 
With Exciton Boost, while the client application is in control of the query save agent above, there is a second layer of query save agent controlled by the Exciton Configuration. When a document is to be updated via the Exciton REST API, the database or form may have a designated query open or query save agent. This empowers the server to add, delete or modify any items including the Form, and to set the SaveOptions item itself if desired. The ultimate responsibility and control remains on the server.
 
 
Query Open agents called explicitly from the REST API
 
Because there is no JSON payload in a GET, a query open agent is always specified via the X-Query-Open header. The form's WebQueryOpen agent can also be run using the URL parameter &queryopen=true.
 
X-Query-Open: true
 
or
 
X-Query-Open: Prepare Order for REST use
 
 
Query Open agents called implicitly from the REST API
 
Similar to the query save, Exciton Boost allows the server to specify a Query Open just for documents retrieved using the REST API. When a document is to be opened via the Exciton REST API, the database is checked for an agent denoted by the form. For a Main Topic form, the agent would be called "(QO-Main Topic)", or "(QO Default)" if no agent was found for that form. If the agent exists, it is run before any client-specified query open agent. This empowers the server to add, delete or modify any items before the document is rendered. The ultimate responsibility and control for what data is accessed remains on the server.
 
 
Agents called explicitly from the JSON-RPC API
 
With Exciton Boost's JSON-RPC API, calling agents is as simple as
 
{"jsonrpc": "2.0", "method": "db.runAgent", "params":["Agent to run"]}
 
or
 
{"jsonrpc": "2.0", "method": "doc.runAgent", "params":["Agent to run"]}
 
or
 
{"jsonrpc": "2.0", "method": "coll.runAgent", "params":["Agent to run"]}
 
These would all run the same agent, but the first would have no documents selected (and so should be an agent which does not expect documents selected), while the second would run on the current document without saving it, and the third would run on all of the documents in the document collection, saving them if appropriate. If an id is specified, the print statements returned from the agent would be returned as the result.
 
Request (using POST): {"jsonrpc": "2.0", "method": "db.runAgent", "params":["Agent to run"], "id": 1}
 
Response (with 200 OK): {"jsonrpc": "2.0", "result": "Agent run successfully with 214 documents found", "id": 1}
 
 
Query Save agents called implicitly from the REST API (aka "secret agents")
 
Exciton Boost uses the same query save agents for documents to be updated via JSON-RPC as for those updated via REST API, thus allowing consistent responsibility and control to remain with the server.
 
 
==> Request a free Exciton Boost evaluation license, and we'll send you the license and a link to the software as soon as it is released. <==
 
 

Copyright © 2020 Genii Software Ltd.

Tags:

Fri 11 Sep 2020, 04:44 PM
Next week, I'll start going through the Exciton Boost capabilities, including a comparison with Domino Access Services. But for anybody curious, this is the result of a call such as the following, essentially an outline of the core Exciton Boost services.
 
 
Inline PNG image

Copyright © 2020 Genii Software Ltd.

Tags: