Java One 2005-revised.ppt

Java One 2005

Agenda

Java One overview – Kurt and Tom
Service Oriented stuff – Kurt and Jim
UI related – Tom
Q and A
Links

General Session Info

Blu-Ray – Panasonic Disc to hold 50GB on a DVD; players will contain JVM and network ports
Sun application server – Open source CDDL license like Mozilla
Java Studio Creator 2 – Based on NetBeans 4.1, includes built-in AJAX enabled components
Blackberry contains 3-4 million lines of Java™ code
DTrace for Java – script to instrument Java, OS, Kernel, etc. (full system stack)
Sun Ultra-20 workstation – $29.95/mo. AMD – risk free, don’t like it send it back

Java One Overview

What JavaOne is like
Drop the 2: the new names are JSE and JEE
JEE 5.0 (beta Q4, 2005, final Q1, 2006)
  New persistence API (EJB, Hibernate, TopLink, JDO)
  Developability improvements for Web Services
  EJB 3.0 uses interceptors, POJO, annotations
  Resource Injection using annotations
JAXB
  Annotation driven, XMLClass
  Complete schema support (type substitution, wildcards, substitution groups)
  Default binding to Java classes
  XmlJavaTypeAdapter
    Specify XML for non-JavaBeans if you don’t want default

Service Oriented Stuff

Service Oriented Architecture
Enterprise Service Bus
Java Business Integration (JBI)

Service Oriented Architecture

Service Oriented Architecture
  SOA is an architectural style whose goal is to achieve loose coupling among interacting software agents.
  A Service is a unit of work done by a service provider to achieve desired end results for a service consumer.
SOA defines a set of callable services which are orchestrated into applications by the client or by middleware acting as an agent of the client
  Agents are often business process engines which call the appropriate services in the order required and return the results to the client.

SOA

Not a new idea
  Goes back to at least CORBA and COM
SOA ≠ Web services
SOA is a design and development philosophy
Loosely coupled, technology agnostic, interoperable services
The services are business services
The services are not tied to user interfaces
Orchestration is the key to making the services usable

SOA Orchestration

BPEL
  Business Process Execution Language
  A programming language written in XML, deployed to a BPEL engine
  Orchestrates but doesn’t do anything else
Worker Services
  Do the real work
  Make complex calls, talk to RDBMS, etc.
  ACDC: Asynchronous Conversational Document-Centric
BPMN (BP Modeling Notation)
  Based on flowcharting
  A visual way to specify business processes
  Tools can generate BPEL from BPMN

SOA Architectural Big Rules

Coarse grained business services

Design Focused rules

Document (XML) based

(Mostly) Asynchronous

Conversational

Reliable

Qualities focused rules

Secure/Identity

Policy driven

Registered and retrieved

WSDL described

Standards focused rules

BPEL orchestrated

JBI based

Enterprise Service Bus (TS3533)

An emerging standard for integrating enterprise applications in an implementation-independent fashion, at a coarse-grained service level via an event-driven and XML-based messaging engine (the bus).
An enterprise service bus generally provides an abstraction layer on top of an Enterprise Messaging System (EMS) which allows integration architects to exploit the value of messaging without writing code.
Purpose: to avoid the “any-to-any” communications problem between service providers and service consumers

Java Business Integration (JBI)

JSR 208, just finalized
JBI consists of 4 parts
  Service Engines
  Normalized Message Router
  Binding Components
  System Management

JBI Example

[Figure: Enterprise Service Bus. Labels: Service Engines (BPEL, XSLT, JEE); Normalized Message Router (NMR); Binding Components (WSI-Basic, JMS, EDI); System Management; WSDL on each component]

JBI Service Engine

Provide local services
  BPEL
  Transformations (i.e., XSLT, EDI, etc.)
  Business logic
Consume services
Have the full power of JSE and JEE
Protocol and transport agnostic
Engages in message patterns

Binding Components

Handles protocol specific message reformatting
  Deals with wire transport of messages
  Protocols such as SOAP, JMS, FTP, SMTP…
Act as a proxy for remote service provider
Provides access for remote consumers
No business logic (by convention)
WSDL used for publishing services

NMR

Key to interoperation
Allows providers to communicate with consumers via Normalized Messages
NM = abstract message + Metadata
  Metadata may include security token, txn info, protocol supplied content, etc.
NM ≠ canonical message format

SOA Scenario

[Figure: message sequence. Participants: “B” Client, SOAP BC, JBI NMR, BPEL SE, XSLT SE, “A” Service. Message labels: "B", receive, invoke "B-to-A", "A", invoke]

Message Exchange Patterns

Define sequence and cardinality between SP and consumer
In-only, robust in-only, in-out, in-optional-out, two way
Message Exchange Instance is the container for NMs
  Holds state of exchange
  Not serializable, won’t survive a crash
  Visible to all participants

SOA Links

https://www35.cplan.com/javaone05_93_1/sessions_catalog.jsp
  The session catalog
http://java.sun.com/javaone/sf/index.jsp
  Where it says 2005 JavaOne Conference Presentations Now Available
http://webservices.xml.com/pub/a/ws/2003/09/30/soa.html
  What is Service Oriented Architecture
http://java.sun.com/integration/
  The JBI home page
http://www.infoworld.com/article/03/06/13/24FEesb_1.html
  A little more about Enterprise Service Bus
http://java.sun.com/integration
  JBI reference implementation with examples

Java 18 Month Plan

Java 6 – Summer of 2006 (Mustang)
  Theme 1: Compatibility, Stability, Quality
  Theme 2: Diagnose, Monitor, & Management (more out of memory diagnosis)
  Theme 3: XML & Web Services
  Theme 4: Ease-of-Development (includes Rhino JavaScript engine; JDBC 4.0, Annotations, more XML Data Support, Updated Javadoc)
  Theme 5: Desktop (work with Longhorn for look-n-feel; UI upgrades – faster; system tray)
  Theme 6: Becoming more open (mustang.dev.java.net – weekly builds)

UI Stuff

Java Server Faces
AJAX

Java Server Faces (JSF)

Why JSF?
  JSF is the only framework specifically designed with JSR 168 Portlets in mind
  JSF applications can run inside any JSR 168 container without modification*
Running JSF Portlets
  Remove redirects from faces-config.xml
  Create portlet.xml deployment descriptor
  Deploy portlet in container
JSF technology is the natural choice for portlet development

Why JSF?

Other options (Struts, SpringMVC, Tapestry, etc.)
JSF designed to produce UI components & JavaBeans™ (Easier to develop due to IDE integration)
Ease of maintenance (faces_config vs struts_config)

What to know about developing Portlets

A portlet runs inside a portlet container
A portlet is normally deployed as an individual WAR
Each portlet has a standard deployment descriptor called portlet.xml
Beyond portlet.xml, each vendor has its own way of registering portlets with the portal

API for Portlet Interface

public void init()

public void destroy()

public void processAction()

public void render()

Portlet Modes

Edit
View
Help

JSF does not have a concept of modes, so you usually need to disable Edit and View modes in portlet.xml
MyFaces (1.0.9) supports modes

Steps to Deploy a JSF app. as a portlet

Go to http://javaserverfaces.dev.java.net and download javaserverfaces_portlet.class
Run java -cp . javaserverfaces_portlet
You will end up with a jsf-portlet.jar
Put jsf-portlet.jar in /WEB-INF/lib
Ensure you don’t reference HttpServletRequest or HttpServletResponse

JSF Slides & References

Atlhqfs01\web\JavaOne-2005\WebTier\TS-3374.pdf
MyFaces: myfaces.apache.org
JSF RI: javaserverfaces.dev.java.net
JSF Intro: java.sun.com/j2ee/javaserverfaces/jsfintro.html
Apache Portals Struts Bridge: http://portals.apache.org/jetspeed-2/multiproject/project-bridges-struts

AJAX

AJAX – Asynchronous JavaScript (XMLHttpRequest); originally ActiveX and MS IE only; now supported on Mozilla, Safari & Opera browsers
Communication via GET/POST
Documents must be text/xml
Page continues to process events; the XMLHttpRequest object works in the background
Limited number of requests allowed

AJAX - 2

3 main strategies:
  Use JSF phase listener – best
    <ajaxTags:completionField size="40" id="cityField" completionMethod="#{ApplicationBean.completeCity}" value="#{SessionBean.city}" required="true"/>
  Separate Servlet
  Retro-existing Application

AJAX –JSF Component Issues

Syncing up state in the HTML DOM and JSF interface
AutoComplete – Need to turn browser autocomplete off: <input .. autocomplete="off"/>
Validation messages should use same CSS styles and elements as JSF components
Encapsulate the XMLHttpRequest and callback functions to prevent JavaScript technology conflicts

AJAX - JavaScript

Remember to use separate .js file – so that script can be cached
Use generic JavaScript objects to stash properties
DOM manipulation differs with browsers – be careful

AJAX – Use Cases

Refreshing data
Real-time validation
Auto-complete
Advanced GUI widgets and controls

AJAX Trade-Offs

JS technology dependency
Difficult to debug and test
Source is in plain view
Security
Requires latest generation of browsers
Cross-browser compatibility needs

AJAX Future

AJAX enabled JSF components
Standardization of XMLHttpRequest
Best practices
Better browser support
Framework support

AJAX - 3

AJAX Processing with a JSF Component

Pushing data to an HTML page

Real-Time Validation w/AJAX

Auto-Complete via AJAX

Progress Bar via AJAX

AJAX References

BluePrints Solutions catalog on AJAX: https://bpcatalog.dev.java.net/nonav/ajax
AJAX Community: https://ajax.dev.java.net/
Atlhqfs01\web\JavaOne-2005\WebTier\TS-7986.pdf

Nine Ways to Hack a Web-App (ts-5935.pdf)

95% of web apps have vulnerabilities
  Cross-site scripting (80 percent)
  SQL Injection (62 percent)
  Parameter tampering (60 percent)
  Cookie poisoning (37 percent)
  Database server (33 percent)
  Web server (23 percent)
  Buffer overflow (19 percent)

Security Principles of Web Architecture

Separate services (web server, app server, db server on separate hosts)
Limit privileges of application user (file system; db; running apps)
Hide secrets (db account passwords, encryption keys)
Use standard, vetted components/libraries (keep them patched)
Log, and watch logs for unusual activity
Load-test and tune

OWASP Top 10 Web Security Vulnerabilities

Unvalidated input
Broken access control
Broken account/session management
Cross-site scripting (XSS) flaws (steal cookies; inject JS into DB)
Buffer overflows (not really an issue with Java)
Injection flaws (Runtime.exec(); dynamic concat SQL)
Improper error handling (too much info.)
Insecure storage (bad crypto)
Denial-of-service (overuse of logging; unresolved dependencies on other systems; {code reviews/load test})
Insecure configuration management
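
The two injection flaws named in the list above (commands built for Runtime.exec() and dynamically concatenated SQL), each shown beside its hardened form. This is an added example, not code from the presentation; the accounts table and its columns, the nslookup command and the sample inputs are assumptions constructed for illustration, and findRole needs a live JDBC Connection, so main does not call it.

```java
import java.sql.*;
import java.util.List;
import java.util.regex.Pattern;

public class InjectionDemo {
    // Vulnerable: input becomes part of the SQL text, so a quote rewrites the query.
    static String concatSql(String user) {
        return "SELECT role FROM accounts WHERE username = '" + user + "'";
    }

    // Hardened: constant SQL text; the input is bound as data, never parsed as SQL.
    static String findRole(Connection db, String user) throws SQLException {
        String sql = "SELECT role FROM accounts WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Vulnerable: one string handed to a shell, which interprets ; | & and $().
    static String[] concatShell(String host) {
        return new String[] {"sh", "-c", "nslookup " + host};
    }

    private static final Pattern HOST = Pattern.compile("[A-Za-z0-9][A-Za-z0-9.-]{0,252}");

    // Hardened: allow-list the value, then pass it as a single argv element (no shell).
    static List<String> lookupArgv(String host) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("host rejected by allow-list");
        }
        return List.of("nslookup", host); // for new ProcessBuilder(argv).start()
    }

    public static void main(String[] args) {
        String user = "x' OR '1'='1";               // constructed sample input
        String host = "example.com; echo injected"; // constructed sample input
        System.out.println(concatSql(user));
        System.out.println(String.join(" ", concatShell(host)));
        System.out.println(lookupArgv("example.com"));
        try {
            lookupArgv(host);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```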
