[erlang-questions] Erlang web framework

Andrew Berman rexxe98@REDACTED
Sun Dec 11 06:44:45 CET 2011


Tristan,

I don't have code I can share with you as it's closed source, but,
basically, I think of my Webmachine layer as a completely separate
application from my website.  Essentially it solely provides an API to
handle all the business logic.  As such, my front-end (i.e. the website) is
now free to worry solely about the front-end and can be written using any
framework or language you want.  With that in mind, I am writing a very
AJAX-centric and HTML5 app so the front-end logic resides in the JavaScript
(which I write in CoffeeScript).  However, because my API layer has
security built into it, the front-end must provide credentials to use the
API.  I don't want to store those credentials in the JavaScript and I
didn't want to use HTML5 sessionStorage to store secure data, so I put
Misultin between the two.  So, Misultin acts as a proxy server of sorts.  A
request comes in, if it is a login URL or logout URL or any other "special"
URL that needs additional processing, I have Misultin take care of it.
 Otherwise, Misultin just forwards the request on to Webmachine and then
forwards the response back to the front-end.  Misultin also takes care of
the sessioning on login and logout (I do this manually) and on all other
requests by adding the proper auth info to the Authentication header (I'm
using OAuth 2).

So if you look here:
https://github.com/ostinelli/misultin/blob/master/examples/misultin_rest.erl
you can see an example of how you can intercept specific URLs and then a
general function to capture the other URLs.  So when a request comes in, I
do my processing and then use httpc to make a request to the API layer.
 Then I take the result and just return it in the Misultin function.

Does that make sense?

--Andrew

On Sat, Dec 10, 2011 at 6:40 PM, Tristan Sloughter <
tristan.sloughter@REDACTED> wrote:

> Andrew, do you have an example of using it as an intermediate between the
> frontend and Webmachine? I was just looking through your examples and
> couldn't find one and was hoping too. Because yes, I have Webmachine call
> out while handling the request session information and authentication and
> wanted to give your way a shot.
>
> Thanks,
> Tristan
>
> On Sat, Dec 10, 2011 at 7:50 PM, Andrew Berman <rexxe98@REDACTED> wrote:
>
>> I'm doing something similar to Tristan.  I'm using Webmachine in the
>> backend which houses all the db, business, and security logic and using
>> SpineJS and CoffeeScript for my front-end which communicates with
>> Webmachine using JSON.  After writing a web app this way, I have to say
>> that it is more difficult than most prepackaged frameworks, however, it
>> allows you a complete separation of concern, forces you to really think
>> about your security, and also forces you to focus on a solid, usable REST
>> API.  The cool thing is that you are using your own REST API and if you're
>> looking for an API for your service/web app, you can find and fix any pain
>> points that someone else might encounter using your API.
>>
>> Unlike Tristan, however, I separated all my sessioning into a completely
>> separate web app from the main Webmachine web app.  I saw the Webmachine
>> app as something I wanted to keep as a completely standalone service and so
>> I basically wrote an intermediate app using Misultin which proxies messages
>> from the front-end to Webmachine adding any necessary authentication
>> tokens, dealing with sessions, and any web security features.  As for web
>> security, this is built into my Misultin app and I followed this guide:
>> http://guides.rubyonrails.org/security.html.  It's pretty easy to
>> implement them yourself.
>>
>> I haven't used Opa, but I have used NodeJS and I was very tempted to use
>> it for the intermediate app.  You might want to look at Express for NodeJS
>> if you're looking for more of a framework.
>>
>> Hope this helps,
>>
>> Andrew
>>
>>
>> On Sat, Dec 10, 2011 at 2:06 PM, Tristan Sloughter <
>> tristan.sloughter@REDACTED> wrote:
>>
>>> I've tried pretty much every Erlang web framework (some more than
>>> others).
>>>
>>> Could you explain what you mean about Lift's security, 'ajax+html
>>> component security'?
>>>
>>> The main frameworks are: ChicagoBoss (Railish), Nitrogen (event-based
>>> architecture), Zotonic (a CMS/framework in my opinion, they may just say
>>> CMS), Erlang Web (the one I have least played with but does seem the most
>>> OTP fitting) and Erlyweb.
>>>
>>> I haven't personally been happy with building full projects in any of
>>> these (though Zotonic has been GREAT for projects that just need a CMS like
>>> my wedding website, and Chicago BOSS looks great for MVC style Erlang web
>>> development) and now I'm doing my own which is based on Webmachine and
>>> Batman.js with security based on resource access control using Seresye (
>>> https://github.com/afiniate/seresye) and an Erlang security framework
>>> Genbu.
>>>
>>> So the idea is the client is built completely in Batman.js and
>>> communicates (JSON) with the Webmachine based RESTful interface of the
>>> backend (which I am greatly simplifying the necessary steps needed to
>>> build). And then all security on the backend is based on the idea of
>>> writing a rules engine with Seresye which will be simplified for web
>>> resource/db use as part of Genbu (which I am moving all web session,
>>> authentication logic from Maru to).
>>>
>>> I hope to have the pieces for Genbu and Maru and an example, for others
>>> to start using it, committed tomorrow or sometime this week, but
>>> http://claimstrade.github.com/maru/ is the "idea" -- well it's more than
>>> an idea I am building this while building a real business on top of it. So
>>> it is taking what I find I need as I build the business and then adding it
>>> to the framework, or taking out and moving to the framework. Also is based
>>> on a couple years of Webmachine based web development and what I saw went
>>> wrong in some cases as we did so.
>>>
>>> That said, and even though this is an Erlang list so I hope I'm not
>>> yelled at :), I have to also point you at Opa (http://opalang.org/)
>>> because I really like it for building sites. And it is very secure
>>> and statically typed (even your frontend code is compiled and type
>>> checked!).
>>>
>>> Tristan
>>>
>>> On Sat, Dec 10, 2011 at 3:41 PM, eigenfunction <emeka_1978@REDACTED> wrote:
>>>
>>>> Hi everybody, i would like to get my feet wet into erlang web
>>>> development so i wanted to ask: what is the state of erlang web
>>>> frameworks? i did google a little bit and found a couple  of
>>>> interesting projects. But having written some web applications in
>>>> webobjects before, security is paramount for me. I have been playing
>>>> with "scala lift" lately and wanted to know if the erlang community
>>>> has something of the sort, i mean easy ajax + html component security.
>>>> Or something in the line of Smalltalk seaside. Thank you very much
>>>> indeed.
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>>
>>>
>>>
>>>
>>
>
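
The proxy arrangement described in the top message (special URLs handled by the proxy, everything else forwarded with the session's OAuth 2 token attached), shown as an added Erlang example; it is not Andrew's code and not taken from Misultin or Webmachine. The module name, ETS table, cookie name, upstream address, path representations and string-keyed header lists are assumptions.

```erlang
%% Added illustration, not the poster's code. All names below are assumptions.
-module(session_proxy).
-export([init/0, login/1, logout/1, route/2, upstream_headers/2, forward/4]).

-define(TAB, proxy_sessions).
-define(API, "http://127.0.0.1:8000").   % assumed internal Webmachine address

init() ->
    ets:new(?TAB, [named_table, public, set]),
    ok.

%% Called once the login URL has obtained an OAuth 2 access token from the API.
%% The token stays server-side; the browser only gets an opaque session id in a
%% cookie that page scripts cannot read (HttpOnly).
login(AccessToken) ->
    Sid = lists:flatten([io_lib:format("~2.16.0b", [B])
                         || <<B>> <= crypto:strong_rand_bytes(32)]),
    true = ets:insert(?TAB, {Sid, AccessToken}),
    {Sid, "sid=" ++ Sid ++ "; Path=/; HttpOnly; Secure; SameSite=Strict"}.

logout(Sid) ->
    true = ets:delete(?TAB, Sid),
    ok.

%% "Special" URLs are processed by the proxy itself; the rest is forwarded.
%% Path is a list of segments here, e.g. ["login"].
route('POST', ["login"])  -> login;
route(_,      ["logout"]) -> logout;
route(_,      _)          -> forward.

%% Headers sent upstream: drop any Authorization or Cookie header the client
%% supplied, then attach the token bound to the session. Unknown or missing
%% session ids are rejected instead of being forwarded unauthenticated.
upstream_headers(ClientHeaders, Sid) ->
    case ets:lookup(?TAB, Sid) of
        [{Sid, Token}] ->
            Kept = [{K, V} || {K, V} <- ClientHeaders,
                              not lists:member(string:lowercase(K),
                                               ["authorization", "cookie"])],
            {ok, [{"authorization", "Bearer " ++ Token} | Kept]};
        [] ->
            {error, unauthorized}
    end.

%% Relay to the API layer with httpc (inets must be started). Path is a string.
forward(get, Path, Headers, _Body) ->
    reply(httpc:request(get, {?API ++ Path, Headers}, [{timeout, 5000}], []));
forward(post, Path, Headers, Body) ->
    reply(httpc:request(post, {?API ++ Path, Headers, "application/json", Body},
                        [{timeout, 5000}], [])).

reply({ok, {{_, Status, _}, RespHeaders, RespBody}}) -> {Status, RespHeaders, RespBody};
reply({error, _Reason}) -> {502, [], "upstream unavailable"}.
```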