Saturday, June 30, 2012
Thursday, February 11, 2010
Java - Too Many web frameworks
Java Web technology is exploding with many web frameworks promoted by the industry and many by opensource. Too many frameworks to choose from is a bad thing or good thing ?.
Read on and judge yourselves.
May be too much of anything is bad. Just look at the list below.
JSF
Spring MVC
Tapestry
Struts 2
ADF from Oracle
Cocoon
Maverick
JBoss seam
This is a never ending list. There are many more. Ofcourse not all are mainstream nowadays.
Look at Microsoft stack , you mainly have ASP .NET and that's it. It has grown well.You need to learn only that and you focus all your skills in that web framework.It has accumulated many components and matured into a very robust RAD web application framework. The problem with the Java stream is you work on a particular web framework for sometime and all of a sudden you have to work in another web framework for another project.Hence the experiance one gains by working in a particular framework for long time, gets lost. This definitly lowers productivity.Here ASP .NET scores well.
Again refer to the list i showed above
Many times the java designers has to pick one from this never ending list of java web frameworks.A feature may be there in one framework but it may not be there in another . But it may have another feature required by the project. Hence the decision making becomes difficult.And many times there won't be too many significant differences between the major frameworks. Many times ,the decision favours a particular framework because the architect or designer is more comfortable with that one. And many times we may have to combine multiple frameworks for practical works. Example combining JSF with Spring MVC or Struts2.
If the community was focusing it attention on refining and extending a single framework, it would have helped the whole industry better. Now the major web frameworks in Java stream are JSF, Struts 2 and Spring MVC. Hope the top list ends here and nobody comes with another new framework. The focus should be to extend , optimize and improve the existing ones.
Ofcourse build as many UI widgets as possible into the framework. ASP .NET rocks in all these aspects.
May be industry needs to focus only on JSF + Struts 2 or JSF+ Spring MVC or JSF alone. Or make a hybrid out of these and say this is the single Java Web framework for J2EE development. A big dream ! :)
Wednesday, November 25, 2009
Design Patterns
Wednesday, September 9, 2009
StringPool and GarbageCollection
String a = "java";String b= "java";
String c=new String("java");String d =new String("java");
Wednesday, September 2, 2009
ClassNotFoundException
Friday, November 7, 2008
Auto SSL Switch Over Issue
But the issue is when the application is accessed via a reverse proxy. In this scenario the automatic protocol switch over will contain the IP or domain name of the internal server and not of the proxy. Hence we may have to do the http to https switch over using java script from the browser. So this defeats the whole purpose of CONFIDENTIAL element. I haven't seen any where in the web.xml spec an element to specify the address or domain of the front end host . In this case reverse proxy. I think this is a serious limitation. In my view this element should be added to the JSP / Servlet spec and the web.xml should be updated.
Performance Improvement & Scalability
The best approach to improve the performance and scalability is to pre calculate the logic and cache the results.
All computer systems are surviving heavy loads due to caching.
It is best to cache at DB, cache web pages at the reverse proxy and of course let browser cache the javascript , css and images.
The user request may be anticipated and the system execute the logic and store the information in cache.
When a request with matching parameter arrives just serve the information from the cache. This is particularly true for availability searches in the case of hotels, airlines etc.
The one word mantra : CACHE IT.
Friday, May 16, 2008
How to integrate Container security in a web application and propagate it to EJB Layer.
Normally an enterprise application has a web tier and a business tier (Most probably EJB in the case of J2EE).The security requirments for such an application in general will be this "Only an authenticated and authorized user should be able to access the protected part of the application" This includes both dynamic (jsp pages) and static content like HTML files.
If the user has the rights for the web page then based on his role he should be restricted to invoke an ejb method.That's even if he has access to a page he should be able to execute only those business operations for which his role is given access.
To satisfy the above requirement we have to have security at 2 levels . One at the web container side and other at the ejb container side.
The rest of the post explains how we can do that in JBoss 4.2.2
See my old post on securing an EJB. Once the EJB is secured, next step is to secure the web application.
The web.xml is given below
<servlet>
<servlet-name>securess</servlet-name>
<servlet-class>com.prem.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>securess</servlet-name>
<url-pattern>/central/secured</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted to Secure role</web-resource-name>
<description>Declarative security</description>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>secure</realm-name>
<form-login-config>
<form-login-page>login.html</form-login-page>
<form-error-page>login.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
This shows that /admin pattern is protected and it requires admin role for access. login.html will be the form used to collect the login credentials and the authentication method is FORM. Once this is done we have to configure a security realm so that the container will use this relam for authentication. We can do this in jboss by configuring a relam named secure . This is done in the login-config.xml
The login-coinfig.xml entry is given
<application-policy name = "secure">
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/mysql</module-option>
<module-option name = "principalsQuery">select passwd from users where USERID=?</module-option>
<module-option name = "rolesQuery">select role,'Roles' from user_roles where user_id=?</module-option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required" />
</authentication>
</application-policy>
The use of ClientLoginModule is required to propogate the caller threads identity to the EJB tier.ClientLoginModule is critical in propagating the Subject from the web to the ejb tier.
In a simple approach it makes sense to use j_security_check for doing the Container authentication.But j_security_check is not very flexible and doesn't have a straight forward way to collect some other
information as part of login form. j_security_check is appropriate for simple logins required for simple web applications. For a complex web application which requires more than username and password from a login form, we have to go for programatic web authentication.
First i will explain the j_security_check approach
<form action="j_security_check" method="POST" >
<input type="text" name="j_username" >
<input type="password" name="j_password">
</form >
When ever a secured page is accessed container will intercept and forward the login.html. If the login is successful the container will redirect to the protected resource. Problem with j_security_check is that you cannot access the login.html directly. You have to access the protected resource and let the container show the login.html. If you directly access the login,html you will get exceptions on submitting the form. There are work arounds for this like providing a filter on j_security_check or submitting to another servlet , get all required parameters in that servlet and from there redirect to j_security_check.All the above has limitations and are not good solutions. The filter doesn't work in the case of tomcat.So the bottomline is go for active authentication(means writing our own
class which does the authentication and inform the container about it).
To do the active authentication follow the below steps.
Instead of j_security_check use own servlet
<form action="/Secure/central/secured" method="POST" >
<input type="text" name="j_username" >
<input type="password" name="j_password">
<input type="text" name="companycode">
</form >
In the doPost of the servlet you may code like this.
Important point to note is that here we are using the WebAuthentication class provided by JBoss from 4.2.2 onwards.
WebAuthentication webAuthentication=new WebAuthentication();
boolean stat=webAuthentication.login(user, pswd);
if(stat) {
String referer=req.getHeader("Referer");
System.out.println("referer = "+referer);
res.sendRedirect(referer);
}else {
res.sendRedirect(req.getContextPath()+"/errorlogin.html");
}
Summary
- Use ClientLoginModule to propagate client identity to the server.This is applicable for both web and standalone clients.
- Use WebAuthentication for programmatic authentication
- Better to use your own servlet than using j_security_check