
Posts

Showing posts from 2008

Auto SSL Switch Over Issue

To protect a web resource in Java technology, we typically add a security constraint with the transport guarantee CONFIDENTIAL to web.xml. That marks the resource as protected and accessible only via HTTPS. It works like this: the browser sends a request for the resource; the container intercepts it and responds with a redirect to the HTTPS URL; the browser then re-sends the request over HTTPS. The advantage is that this mechanism switches protocols automatically, so by simply changing the configuration we can decide which parts are served over HTTP and which must be HTTPS. The issue arises when the application is accessed through a reverse proxy. In that scenario the redirect produced by the automatic protocol switch contains the IP address or domain name of the internal server rather than that of the proxy. We may therefore have to do the HTTP to HTTPS switch using JavaScript in the browser, which defeats the whole purpose of the CONFIDENTIAL element. I haven't seen anywhere in the web.xml spec an element to specify the addres...

Performance Improvement & Scalability

The best approach to improving performance and scalability is to precalculate the logic and cache the results. Computer systems survive heavy loads largely because of caching. It is best to cache at the DB, cache web pages at the reverse proxy and, of course, let the browser cache the JavaScript, CSS and images. User requests can be anticipated: the system executes the logic ahead of time and stores the result in the cache, and when a request with matching parameters arrives it is served straight from the cache. This is particularly true for availability searches in the case of hotels, airlines, etc. The one-word mantra: CACHE IT.

How to integrate Container security in a web application and propagate it to the EJB Layer

Normally an enterprise application has a web tier and a business tier (most probably EJB in the case of J2EE). The security requirements for such an application will in general be: "Only an authenticated and authorized user should be able to access the protected part of the application." This includes both dynamic content (JSP pages) and static content such as HTML files. If the user has rights to the web page, then based on his role he should be restricted in which EJB methods he can invoke. That is, even if he has access to a page, he should be able to execute only those business operations to which his role has been given access. To satisfy this requirement we need security at two levels: one on the web container side and the other on the EJB container side. The rest of the post explains how to do that in JBoss 4.2.2. See my old post on securing an EJB. Once the EJB is secured, the next step is to sec...

Using Database login Module in JBoss

This post is a detailed description of how to use the database login module in JBoss with a J2EE application. Scenario: there is an EJB and we want to restrict access to this EJB's methods to an authenticated user having a particular role. The EJB is accessed from a standalone Java client using remote lookup. Implementation: the EJB is HelloSSB and the roles allowed are admin and user. The first step is to write the EJB; the source code is given below. This is a stateless session bean. package com.prem.ejb; import javax.annotation.PreDestroy; import javax.annotation.Resource; import javax.annotation.security.RolesAllowed; import javax.ejb.SessionContext; import javax.ejb.Stateless; import javax.persistence.EntityManager; import javax.persistence.PersistenceContext; import org.jboss.annotation.security.SecurityDomain; @Stateless @SecurityDomain ("helloworld") public class HelloSSB implements HellioIntf{ @PersistenceContext(unitName = "EntApp") EntityManager em; @Reso...

J2EE Container Security in Applications

Introduction: Using J2EE container security is the first step towards designing a secure and portable J2EE application. Integrating container security with an application is easy but requires some knowledge and research. The main reason is that the various J2EE application server providers give us only a limited set of login modules by default. For example, Active Directory authentication is a standard requirement, but not all J2EE server vendors provide it, although many major vendors do supply such a login module. The bottom line is that we may be required to write our own login modules for many standard services. Writing our own login module is not difficult, but writing a custom login module will not be covered in this post. This post is about integrating a DB login module with an application deployed in JBoss Server. In this post I am only giving the steps without elaborating on each of them. 5 Steps: Identify the EJB that you want to secure. Add the annotation @Securitydoma...

Load Balancing

Why do you need to load balance? Here I will put forward the various options available for web load balancing. Before we go into that, let us first examine why we need load balancing at all. Suppose you develop a website and make it available to the public. If the application is served from a single web server, there is a high chance that the machine will be overwhelmed as usage of the application increases. This may result in users experiencing unusually high response times or, in the worst case, the machine can come to a halt. So you need some mechanism to distribute the load across different machines without the client having to switch address. There are many widely used approaches; the most common ones are DNS-based load balancing, software load balancing and hardware load balancing. DNS-based load balancing: here the DNS server is configured in such a way that it returns different IP addresses for successive requests to the DNS server for a particular domain name. The DNS server may contai...

ORACLE BUYING BEA

BEA has announced that they have reached an agreement with Oracle on the purchase of BEA by Oracle. I think BEA, with its excellent application server WebLogic, is the loser here. Oracle has their own application server and SOA integration platforms. So what are they going to do with WebLogic? Will they promote it or rename it?