Saturday, June 30, 2012
Thursday, February 11, 2010
Java - Too Many web frameworks
Hmm.........
Java Web technology is exploding with many web frameworks promoted by the industry and many by opensource. Too many frameworks to choose from is a bad thing or good thing ?.
Read on and judge yourselves.
May be too much of anything is bad. Just look at the list below.
JSF
Spring MVC
Tapestry
Struts 2
ADF from Oracle
Cocoon
Maverick
JBoss seam
This is a never ending list. There are many more. Ofcourse not all are mainstream nowadays.
Look at Microsoft stack , you mainly have ASP .NET and that's it. It has grown well.You need to learn only that and you focus all your skills in that web framework.It has accumulated many components and matured into a very robust RAD web application framework. The problem with the Java stream is you work on a particular web framework for sometime and all of a sudden you have to work in another web framework for another project.Hence the experiance one gains by working in a particular framework for long time, gets lost. This definitly lowers productivity.Here ASP .NET scores well.
Again refer to the list i showed above
Many times the java designers has to pick one from this never ending list of java web frameworks.A feature may be there in one framework but it may not be there in another . But it may have another feature required by the project. Hence the decision making becomes difficult.And many times there won't be too many significant differences between the major frameworks. Many times ,the decision favours a particular framework because the architect or designer is more comfortable with that one. And many times we may have to combine multiple frameworks for practical works. Example combining JSF with Spring MVC or Struts2.
If the community was focusing it attention on refining and extending a single framework, it would have helped the whole industry better. Now the major web frameworks in Java stream are JSF, Struts 2 and Spring MVC. Hope the top list ends here and nobody comes with another new framework. The focus should be to extend , optimize and improve the existing ones.
Ofcourse build as many UI widgets as possible into the framework. ASP .NET rocks in all these aspects.
May be industry needs to focus only on JSF + Struts 2 or JSF+ Spring MVC or JSF alone. Or make a hybrid out of these and say this is the single Java Web framework for J2EE development. A big dream ! :)
Java Web technology is exploding with many web frameworks promoted by the industry and many by opensource. Too many frameworks to choose from is a bad thing or good thing ?.
Read on and judge yourselves.
May be too much of anything is bad. Just look at the list below.
JSF
Spring MVC
Tapestry
Struts 2
ADF from Oracle
Cocoon
Maverick
JBoss seam
This is a never ending list. There are many more. Ofcourse not all are mainstream nowadays.
Look at Microsoft stack , you mainly have ASP .NET and that's it. It has grown well.You need to learn only that and you focus all your skills in that web framework.It has accumulated many components and matured into a very robust RAD web application framework. The problem with the Java stream is you work on a particular web framework for sometime and all of a sudden you have to work in another web framework for another project.Hence the experiance one gains by working in a particular framework for long time, gets lost. This definitly lowers productivity.Here ASP .NET scores well.
Again refer to the list i showed above
Many times the java designers has to pick one from this never ending list of java web frameworks.A feature may be there in one framework but it may not be there in another . But it may have another feature required by the project. Hence the decision making becomes difficult.And many times there won't be too many significant differences between the major frameworks. Many times ,the decision favours a particular framework because the architect or designer is more comfortable with that one. And many times we may have to combine multiple frameworks for practical works. Example combining JSF with Spring MVC or Struts2.
If the community was focusing it attention on refining and extending a single framework, it would have helped the whole industry better. Now the major web frameworks in Java stream are JSF, Struts 2 and Spring MVC. Hope the top list ends here and nobody comes with another new framework. The focus should be to extend , optimize and improve the existing ones.
Ofcourse build as many UI widgets as possible into the framework. ASP .NET rocks in all these aspects.
May be industry needs to focus only on JSF + Struts 2 or JSF+ Spring MVC or JSF alone. Or make a hybrid out of these and say this is the single Java Web framework for J2EE development. A big dream ! :)
Also many people are now moving away from JSP and embracing the trusted PHP. PHP is ideal for web applications for its easy to use syntax and rich libraries.
Wednesday, November 25, 2009
Design Patterns
A note on Design patterns
Many times we can see ourselves looking for design patterns to fit the design of a requirement.
Of course if the requirement is simple enough to apply any existing design pattern we should do so. This will save us valuable time.
In my opinion it is better not to worry about which pattern to apply.But concentrate on the
three basic Object oriented principles.
1) Encapsulate what varies
2) Prefer composition over inheritance
3) Program to an interface not to an implementation.
If we approach the design with these principles in mind , we don't have to search for patterns. Pattern will emerge itself. Once we apply these principles, we can definitely look whether any of the existing patterns can solve the issue better than the way we thought of. This way our thinking process will improve tremendously and at times we may end up creating a solution which may be better than any available design patterns.
Wednesday, September 9, 2009
StringPool and GarbageCollection
It is interesting and important to understand how strings are handled in Java. The way Java handles or manages strings is little different from other objects.
Case1:
String a = "java";String b= "java";
Does these two strings represent the same object reference ?. The answer is yes they do.
Case 2:
String c=new String("java");String d =new String("java");
Does c and d point to the same object reference. The answer is NO . They don't.
Now let us see how all these work out.
First thing: Java maintains a pool of string constants called literal pool. Infact this pool contains references to string instances in heap. Since Strings are also objects they are also created in the heap.
Whenever you put a literal ( example to this is what the variable a represents) in the code, this gets special treatment. When the JVM loads your class where there is a string literal, the VM checks whether there is an existing entry in the string pool for this string value. If yes , the symbolic link is replaced with the actual reference to that string object.
If there is no such string in the pool a entry will be created in the pool and a string instance will be created in the heap. The entry in the pool points to reference of this string object. Again the symbolic link in your class is replaced with the actual reference to the string object in heap.
Again refer to the Case 2 at the top. Here a new string is created using new operator. When we do this , we are telling VM to create a new instance of string in heap. VM won't mind whether the string pool has an entry for this string value. With new always a new instance is created.
These string objects created using new operator are eligible for Garbage collection when there are no reference to them for other parts of the code.
But what about the string objects in heap that are created by VM as a response to a string literal creation like Stirng a ="java". These objects are never garbage collected as they have a reference to them from the string pool constant table.
This string pool constant table is part of the class data of string class and since string class would be never offloaded by the classloader, these referenceexists in the method area and GC can never collect them.
Wednesday, September 2, 2009
ClassNotFoundException
Every programmer would have encountered a ClassNotfoundException somewhere in the development lifecycle. Many times we search for reasons why this is happening and i have seen many times people spending long hours to find why this is happening. This is particularly seen with web applications which are deployed in a webserver like tomcat or an app server like Weblogic or JBoss.In the case of a normal desktop java application, this can be fixed by adding the required class or the library that contains the class to the classpath. This way with Java 1.2, classpath classloader will load the class and the issue is fixed.
For a web application this may not be as staightforward. Some times i have seen people adding the class to the classpath of the webserver and still getting the error again.
Now to identify and fix these issues we need to understand that java supports many types of classloaders. The main one being bootstrap classloader responsible for loading Java API. The other one is the classpath classloader responsible for loading the classes refered in the classpath of the java. In the case of web application , the webserver uses it own user defined class loader to load the classes from the WAR file. Based on java security architecture a class loaded by a classloader can only see classes loaded by it. Then you would wonder how did a userdefined classloader access classes loaded by the bootstrap classloader if it can only see classes loaded by it. This is not true. The classloaders follows a parent child delegation model. If user defined class loader (in this cases , the classloader who loads classes from WAR) is required to load a class it asks the classloader's parent to load it and the parent will ask its parent this chain goes on and if none of the parent can load then it is upto the userdefined classloader to load it and if it cannot load , classnotfoundexception occurs.
I will try to explain this with an example.
Consider the case of a WAR file in which Class A is included in the WAR file. Class A references Class B. But Class B is not included in the WAR file. Infact someone has added it to the classpath of the webserver for some reason. Hence when the web classloader loads Class A, it finds the reference to Class B and it tries to load Class B when the method which uses Class B is invoked on Class A. For this it will ask its immediate parent and finally it will be loaded by the classpath classloader and returned. No issues here. No ClassNotFoundException.
Consider the case in which Class A is put in the webserver's class path and Class B is included in the WAR file. Here when web classloader (classloader responsible for loading classes from the WAR file. ) is required to load Class A, it asks its immediate parent and the chain continues and finally Class A is loaded by the classpath classloader and is returned. Now since Class B is not loaded by classpath classloader and Class A is loaded by classpath classloader when the method which uses Class B is invoked on Class A, a ClassNotFoundException would be thrown.
This is because classpath classloader can only ask its parent to load class and not its child classloader. This means classpath classloader doesn't know about Class B loaded by the Web Classloader. The reverse is true. Web Classloader will have access to classes loaded by its parent.
To solve the above ClassNotFoundException put both classes in the WAR file . Another option is to put Class A in WAR and Class B in classpath.
Friday, November 7, 2008
Auto SSL Switch Over Issue
To protect a web resource typically we add a security constraint CONFIDENTIAL in the web.xml in the case of Java Technology. That means that this resource is protected and can only be accessed via HTTPS. How this works is this way. Browser sends the request to the resource . Container intercepts and sends a redirect url which is the https URL. Browser again sends the request via HTTPS. The advantage is this mechanism will do automatic switch over of protocols. Hence by simply changing the configuration we can make which part is http and which should be https.
But the issue is when the application is accessed via a reverse proxy. In this scenario the automatic protocol switch over will contain the IP or domain name of the internal server and not of the proxy. Hence we may have to do the http to https switch over using java script from the browser. So this defeats the whole purpose of CONFIDENTIAL element. I haven't seen any where in the web.xml spec an element to specify the address or domain of the front end host . In this case reverse proxy. I think this is a serious limitation. In my view this element should be added to the JSP / Servlet spec and the web.xml should be updated.
But the issue is when the application is accessed via a reverse proxy. In this scenario the automatic protocol switch over will contain the IP or domain name of the internal server and not of the proxy. Hence we may have to do the http to https switch over using java script from the browser. So this defeats the whole purpose of CONFIDENTIAL element. I haven't seen any where in the web.xml spec an element to specify the address or domain of the front end host . In this case reverse proxy. I think this is a serious limitation. In my view this element should be added to the JSP / Servlet spec and the web.xml should be updated.
Performance Improvement & Scalability
The best approach to improve the performance and scalability is to pre calculate the logic and cache the results.
All computer systems are surviving heavy loads due to caching.
It is best to cache at DB, cache web pages at the reverse proxy and of course let browser cache the javascript , css and images.
The user request may be anticipated and the system execute the logic and store the information in cache.
When a request with matching parameter arrives just serve the information from the cache. This is particularly true for availability searches in the case of hotels, airlines etc.
The one word mantra : CACHE IT.
Friday, May 16, 2008
How to integrate Container security in a web application and propagate it to EJB Layer.
Normally an enterprise application has a web tier and a business tier (Most probably EJB in the case of J2EE).The security requirments for such an application in general will be this "Only an authenticated and authorized user should be able to access the protected part of the application" This includes both dynamic (jsp pages) and static content like HTML files.
If the user has the rights for the web page then based on his role he should be restricted to invoke an ejb method.That's even if he has access to a page he should be able to execute only those business operations for which his role is given access.
To satisfy the above requirement we have to have security at 2 levels . One at the web container side and other at the ejb container side.
The rest of the post explains how we can do that in JBoss 4.2.2
See my old post on securing an EJB. Once the EJB is secured, next step is to secure the web application.
The web.xml is given below
<servlet>
<servlet-name>securess</servlet-name>
<servlet-class>com.prem.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>securess</servlet-name>
<url-pattern>/central/secured</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted to Secure role</web-resource-name>
<description>Declarative security</description>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>secure</realm-name>
<form-login-config>
<form-login-page>login.html</form-login-page>
<form-error-page>login.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
This shows that /admin pattern is protected and it requires admin role for access. login.html will be the form used to collect the login credentials and the authentication method is FORM. Once this is done we have to configure a security realm so that the container will use this relam for authentication. We can do this in jboss by configuring a relam named secure . This is done in the login-config.xml
The login-coinfig.xml entry is given
<application-policy name = "secure">
<authentication>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
<module-option name = "dsJndiName">java:/mysql</module-option>
<module-option name = "principalsQuery">select passwd from users where USERID=?</module-option>
<module-option name = "rolesQuery">select role,'Roles' from user_roles where user_id=?</module-option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required" />
</authentication>
</application-policy>
The use of ClientLoginModule is required to propogate the caller threads identity to the EJB tier.ClientLoginModule is critical in propagating the Subject from the web to the ejb tier.
In a simple approach it makes sense to use j_security_check for doing the Container authentication.But j_security_check is not very flexible and doesn't have a straight forward way to collect some other
information as part of login form. j_security_check is appropriate for simple logins required for simple web applications. For a complex web application which requires more than username and password from a login form, we have to go for programatic web authentication.
First i will explain the j_security_check approach
<form action="j_security_check" method="POST" >
<input type="text" name="j_username" >
<input type="password" name="j_password">
</form >
When ever a secured page is accessed container will intercept and forward the login.html. If the login is successful the container will redirect to the protected resource. Problem with j_security_check is that you cannot access the login.html directly. You have to access the protected resource and let the container show the login.html. If you directly access the login,html you will get exceptions on submitting the form. There are work arounds for this like providing a filter on j_security_check or submitting to another servlet , get all required parameters in that servlet and from there redirect to j_security_check.All the above has limitations and are not good solutions. The filter doesn't work in the case of tomcat.So the bottomline is go for active authentication(means writing our own
class which does the authentication and inform the container about it).
To do the active authentication follow the below steps.
Instead of j_security_check use own servlet
<form action="/Secure/central/secured" method="POST" >
<input type="text" name="j_username" >
<input type="password" name="j_password">
<input type="text" name="companycode">
</form >
In the doPost of the servlet you may code like this.
WebAuthentication webAuthentication=new WebAuthentication();
boolean stat=webAuthentication.login(user, pswd);
if(stat) {
String referer=req.getHeader("Referer");
System.out.println("referer = "+referer);
res.sendRedirect(referer);
}else {
res.sendRedirect(req.getContextPath()+"/errorlogin.html");
}
Summary
- Use ClientLoginModule to propagate client identity to the server.This is applicable for both web and standalone clients.
- Use WebAuthentication for programmatic authentication
- Better to use your own servlet than using j_security_check
Subscribe to:
Posts (Atom)
Posts
