Any ROP users?

[Aristedes Maniatis <ar...@ish.com.au.INVALID>]

On the heels of the security announcement, there has been discussion on 
removing ROP from the next major Cayenne release after 4.2.

ROP was modelled on a similar Java Client feature in Webobjects/EOF and 
there is nothing else quite like it in other ORMs. The ability to just 
use normal Cayenne operations from the client machine without worrying 
about how those operations get to the server and data objects are returned.

It has some limitations:

* limited security. There is no simple way to add an authorisation layer 
to restrict access to certain objects or fields. Authentication and 
encryption are really simple, but per object authorisation is hard.

* Java client. Although it is possible to write Cayenne in other 
languages, no one has done so. There was some work ages ago on 
Cocoa/Objective C bindings. Java client UI (swing/javaFX) is not popular 
these days.

* upgrading. You need to upgrade the client and server at the same time


But it is really quite neat. Maybe I'm a bit sentimental since I used to 
use it extensively for many years. But I've moved onto react/js/browser 
clients which means that server-client serialisation is now over 
json/swagger/jackson/CXF. Authorisation is now easy and the client UI 
more lovely.


Is anyone using ROP? Should we remove it from the next Cayenne and 
reduce the burden of maintenance?


Ari


On 12/2/2022 8:50am, Aristedes Maniatis wrote:
> A patched version of Cayenne 4.1 (or earlier) will not be released 
> since we believe there are sufficient ways to avoid the issue and the 
> number of people using ROP is likely quite low. Given the security 
> model of ROP, it is also most likely used in a scenario where the 
> client is trusted.