Very often I read that you need to structure your web applications into multiple tiers to separate the concerns. The advice is to move the business and data logic out of the web project into two different projects so you end up with the classic 3 tier model – presentation, business and data. This advice is good.

The strange thing is that this advice is given to web developers as a way of structuring web applications. I’ve always found that very odd. Not that web developers don’t write business and data logic, but I don’t see the connection between web development and business/data logic development.

Let me explain

The premise for the advice is that business/data logic is part of building a website. This is wrong. A website is a visual representation that interacts with the business logic, but the business logic doesn’t and shouldn’t care about the website. The business logic is an API consumed by the website and nothing more. The business logic still doesn’t care if its public methods (API) are used on a website, in a Windows Forms application or in a web service. Ergo, business logic is not part of building a website. The premise is wrong.

In a typical 3 tier web solution you have three projects – the website, business- and data logic projects. That makes it a little confusing to believe that the business and data logic has nothing to do with building a website. But if you think of the three projects as the building blocks in creating a solution then it’s easier to understand. In other words; you don’t separate a website into three tiers by separating the business and data logic into their own projects, you separate the solution into three tiers. Since the website is just the UI in such a solution, it is wrong statement that your website is 3-tiered and the premise is then wrong.

The three tiers

The reason why I’ve always found this advice odd is that I always build my websites in three tiers, but it has nothing to do with the business and data logic. The three tiers I use in web development are specific for the website only. The tiers are:

  1. User interface
  2. User interface logic
  3. Presentation logic

The names are just some that I use and may be different elsewhere.

User interface (UI)

The UI is the HTML, JavaScript and CSS that makes up the visual look and feel and the browser behavior. It lives in pages (.aspx), user controls (.ascx), .js and .css files. In some cases also in HTTP handlers (.ashx), but mainly for custom AJAX mechanisms.

User interface logic

This tier is what controls the server side behaviour of the UI. It lives in code-behind files and in the App_Code folder. This logic is responsible for handling button events and differentiates the response based on the user etc. It’s also custom web control collections that could live in its own project and often do.

Presentation logic

This is the where all the stuff goes that isn’t directly is used in the UI. It could be RSS feeds or classes used by the code-behind. Most often it’s where I put the HttpHandlers and HttpModules and the logic that controls them. It could be located in its own project or it could just be in its own folder in the App_Code or wherever it feels right to put it depending on the size of the project.

It doesn’t really matter where the tiers are physically placed as long as they are logically separated. That’s why it often makes sense to move the tiers into their own projects to make the separation clear and the code easier to maintain and reuse.

So a three tier web application has nothing to do with business and data logic. Remember that the business logic is just an API consumed by a website even if they both live in the same Visual Studio solution.

I think by now, most ASP.NET developers have come across some of the different provider models in ASP.NET 2.0. Most likely the Membership, Roles and SiteMap provider but also the custom provider model that you can use to create your own providers.

Still, I often come across custom authentication and authorization mechanisms instead of using the Membership and Roles provider model. Typically, a business object called User has a Logon method that does the authentication and returns a Boolean back to the login page, which sets a cookie and maybe session variable and then redirects the user to the password protected area of the website.

Then there’s usual also some custom authorization mechanism that prevents certain logged in users from certain areas such as admin pages. The menu is custom designed to hide and show only the pages available to the current user and the individual pages also makes the checks.

That is a common scenario and I see it very often. If you have such a scenario on your web application, then consider converting your existing logic to use the provider model. By creating a custom implementation of the Membership, Roles and SiteMap provider, you get all this for free and it is very simple to do so. You can keep your existing code and then build the providers on top of that.

The benefit is that these three providers work together so that the SiteMap automatically shows only the pages a user has permissions to see based on her role. You also get the cookie management for free. But the best part is that you can easily switch to a new provider when needed without changing your existing code. I did that today when I installed BlogEngine.NET on our intranet at ZYB. It had to use the Active Directory Membership provider so that we could log on using our network credentials. It took me 5 minutes to make the transition from my custom XML Membership provider to the Active Directory one. There’s a good guide at MSDN for using the Active Directory provider.

That flexibility comes free of charge with ASP.NET 2.0 and makes the lives of all .NET web developers much easier, more flexible and powerful. I have published my XML Membership provider and will wrap up the XML Roles provider soon and publish it as well.

When you first try the provider model, I promise that you’ll never go back.

Resources