Simple States Manager

Context 

I came accross Spring state machine a few days ago. I was trying to use it in a project I was involved in. That seems, at first glance, to be a perfect fit given we are  using spring boot in the project.

Unfortunately, I quickly found few important problems for meeting our requirements.

• I find it was difficult to manage custom exception without doing some hacking in the framework
• I need to instanciate a couple of state machines using a pool as it is recommended to not maintained state machine by sesssion or by thread. 
• A spring state machine can only send one event a given time. That seems to me very inconvenient even if changing state is quite a quick task.
• In one work : the framework is state full and I don't know why it has to be that way

       However, I find the spring documentation of the state machine concepts is very clear and expressive. I learned of lot from it.

Discussion

When I dig a bit into the code source, I realized spring state machine is wrong  to manage transitions along with the current state. From my understanding, transitions could be implemented as likely static configurations that is not subject to modification while  the current entity may be changed. If transitions are practically immutable, they can then be shared accross threads without any concerns.

So, I implement a simpler solution that keeps the transitions in a good Map like Object. I have update this post to call it a state manage. With this set up, there is no need for synchronisation. A single instance of this  State machine can be shared accross thread or create on fly. 

Here is how the transitions could look like for simple states :

[Source states, event] --> targetState

So a simple get with the event and the current state of your domain object allows to create build the key for the Map.

Adding Guards actions to the state machine is just a decoration of the initial get  of the map like object.

This is a very basic solution that works well for simple state machine. This would not probably about handle complex with regions and sub states. Higher abstractions may be needed. But this a very good starting point.

Conclusion

State Machine is very usefull programming tool and they appear so often in business requirements.  But for me, it's a mistake to meld them within business code. They need to be isolated. Unfortunately, I have not found so far a good and easy implementation in java.

In the next post, I will try to demo a more involved version I have successfully implemented as a state manager to maintain and extend an existing approbation  system . I've put  the code in github. Work in progress...

I really think that a simple state manager which works as an internal application service class is a better solution than a full state as described in the literature. It allows to reuse existing application solution for persistence,  business rules, object scope and so on.

Thanks for your comments.

See post : 

1. Why-developers-never-use-state
2. https://medium.com/datadriveninvestor/state-machine-design-pattern-why-how-example-through-spring-state-machine-part-1-f13872d68c2d

My usefull posts

 Java posts

• Secrets of Equals Hascode
• Use Generators to create boilerplate code in GWT 2.0
• Java_tip_how_read_files_quickly
• Why-developers-never-use-state
• Asynchronous processing support in Servlet 3.0
• Spring Cloud: Designing Feign client
• Bitwise Operators and Bit Masks
• Make your SB app thiny

Blockchain/Smart contacts

• Blockchain : use https://cryptozombies.io/ for starting your practical learning journey of etherum
• Optimizing your Solidity contract’s gas usage : As everyone in the Ethereum community knows, Gas is a necessary evil for the execution of smart contracts. If you specify too little, your transaction may not get picked up for processing in a timely manner — or, die....
• Malicious backdoors in Ethereum Proxies : A detailed explanation on how the Proxy pattern for smart contract upgradeability can be exploited.
• Smart Contract Weakness Classification and Test Cases :  The following table contains an overview of the SWC registry. Each row consists of an SWC identifier (ID), weakness title, CWE parent and list of related code samples.
• https://wallet2wallet.io/
• https://relay.radar.tech/#widget
• https://medium.com/crowdbotics/a-beginners-guide-to-building-a-relayer-with-0x-protocol-c725c45f0b2f
• https://blog.0xproject.com/announcing-0x-otc-5db58dc9ba8

Crypto and Vote systems

• A mixnet-based secure voting protocol

Miscellaneous software topic

• State-machine-concepts
• Image processing : http://www.ipol.im/

REST service Mutual SSL aauthentication

Migrating applications to micro-services means having a couple of applications that need to talk to each other. We need an architecture to allow to add security at method level and to keep our data safe from inside attacks. Much of what will be said here can be applied to non spring based micro-services.

Oauth2, our best friend

This is an authorization problem that can be solved with oauth2. Oauth2 is widely used as a mechanism to give web applications developers access to users data at Google/Facebook/GitHub directly from the foreign services in a secure way.

What is Aouth2 
Oauth2 provides also a very elegant solution. The core components of oauth2 cooperates but they are loosely coupled to each other. In fact, they have no knowledge of each other. Once the system is in place, resource server modules that needs security can have almost  security for free.

• Resource Owner - our users
• Resource Server - This is any of module based spring boot that contains data of our users
• Authorization Server - This is essentially the token endpoint. It could also any existing compliant oauth2 server or simply a spring based oauth2. It allows user to manage tokens that give access to resource servers. This is the central point for authorization where users give access to their resources and resource server validate theses tokens to build their security context
• Client - This is any of module based spring boot that manage  data on the behalf of our users. Mobile apps, web apps, any program etc

How it works ? 

The user authenticates on a authorization service, which maps the user session to a token. The authentication is outside the scope of oauth2. Any further API call to the resource services must provide this token. The services are able to recognize the provided token and ask the authorization service, which authorities this token grants, and who is the owner of this resource.  

It is important to highlight that Oauth2 is not an authentication server and acts only as an authorization server by enforcing who can access to what. For that, it reuses the user identity obtained via authentication process as well as the application (client_id) who are consuming the resources on behalf the of user. 

With OAuth2 you can define, which application (web, mobile, desktop, additional website) can access which resources on the top of the user identity which tell us which user can access which data. 

JWT

Oauth2 doesn't solve all of our problems. OAuth2 as a protocol does not tell us how the token is looking like and where it is stored. Also, for each request against a resource micro service containing a token in the header, the service will perform another request to authorization server to check the token. That's not good enough.

To solve these two problems, we can use JWT or  JSON Web Token.  This token contains info about the OAuth client, optionally the user with its authorities and the granted scope that is serialized into JSON first, encoded with base64 and finally signed using cryptographic key. The result is called JSON Webtoken, which we use as an access token directly. This json token may be sign with public key, symmetric key or a shared key.

When this token is passed via HTTP header, the resource servers just have to take this JWT, verify it was really properly signed (meaning this token is coming from the authorization server), and instead of asking user info, deserializing the JSON content into a OAuth2Authentication, establishing a SecurityContext based on this.

Using JWT provides a simple way of transmitting tokens, containing the permissions and user data in the access token string. Since all the data is already inside, there neither is a need to maintain a token store, nor the resource servers must ask authorization for token checks. The security of the token is based on the underlying cryptographic primitive used to secured the tokens. So, using JWT makes OAuth2 available to micro services, without affecting the architectures scalability.

Work on progress.....