java one 2005-revised.ppt

Java One 2005

Upload: sampetruda

Post on 05-Dec-2014


Page 1: Java One 2005-revised.ppt

Java One 2005

Page 2: Java One 2005-revised.ppt

Agenda

Java One overview – Kurt and Tom
Service Oriented stuff – Kurt and Jim
UI related - Tom
Q and A
Links

Page 3: Java One 2005-revised.ppt

General Session Info

Blu-Ray – Panasonic Disc to hold 50GB on a DVD; players will contain JVM and network ports
Sun application server – Open source CDDL license like Mozilla
Java Studio Creator 2 – Based on NetBeans 4.1, includes built-in AJAX enabled components
Blackberry contains 3-4 million lines of Java™ code
DTrace for Java – script to instrument Java, OS, Kernel, etc., (full system stack)
Sun Ultra-20 workstation - $29.95/mo. AMD – risk free, don’t like it send it back

Page 4: Java One 2005-revised.ppt

Java One Overview

What JavaOne is like
Drop the 2: the new names are JSE and JEE
JEE 5.0 (beta Q4, 2005, final Q1, 2006)
  New persistence API (EJB, Hibernate, TopLink, JDO)
  Developability improvements for Web Services
  EJB 3.0 uses interceptors, POJO, annotations
  Resource Injection using annotations
JAXB
  Annotation driven, XMLClass
  Complete schema support (type substitution, wildcards, substitution groups)
  Default binding to java classes
  XMLJavaTypeAdaptor
    Specify XML for non-JavaBeans if you don’t want default

Page 5: Java One 2005-revised.ppt

Service Oriented Stuff

Service Oriented Architecture
Enterprise Service Bus
Java Business Integration (JBI)

Page 6: Java One 2005-revised.ppt

Service Oriented Architecture

Service Oriented Architecture
  SOA is an architectural style whose goal is to achieve loose coupling among interacting software agents.
  A Service is a unit of work done by a service provider to achieve desired end results for a service consumer.
SOA defines a set of callable services which are orchestrated into applications by the client or by middleware acting as an agent of the client
  Agents are often business process engines which call the appropriate services in the order required and return the results to the client.

Page 7: Java One 2005-revised.ppt

SOA

Not a new idea
  Goes back to at least CORBA and COM
SOA ≠ Web services
SOA is a design and development philosophy
Loosely coupled, technology agnostic, interoperable services
The services are business services
The services are not tied to user interfaces
Orchestration is the key to making the services usable

Page 8: Java One 2005-revised.ppt

SOA Orchestration

BPEL
  Business Process Execution Language
  A programming language written in XML, deployed to a BPEL engine
  Orchestrates but doesn’t do anything else
Worker Services
  Do the real work
  Make complex calls, talk to RDBMS, etc.
  ACDC: Asynchronous Conversational Document-Centric
BPMN (BP Modeling Notation)
  Based on flowcharting
  A visual way to specify business processes
  Tools can generate BPEL from BPMN

Page 9: Java One 2005-revised.ppt

SOA Architectural Big Rules

Design focused rules
  Coarse grained business services
  Document (XML) based
  (Mostly) Asynchronous
  Conversational
Qualities focused rules
  Reliable
  Secure/Identity
  Policy driven
  Registered and retrieved
Standards focused rules
  WSDL described
  BPEL orchestrated
  JBI based

Page 10: Java One 2005-revised.ppt

Enterprise Service Bus (TS3533)

An emerging standard for integrating enterprise applications in an implementation-independent fashion, at a coarse-grained service level via an event-driven and XML-based messaging engine (the bus).
An enterprise service bus generally provides an abstraction layer on top of an Enterprise Messaging System (EMS) which allows integration architects to exploit the value of messaging without writing code.
Purpose: to avoid the “any-to-any” communications problem between service providers and service consumers

Page 11: Java One 2005-revised.ppt

Java Business Integration (JBI)

JSR 208, just finalized
JBI consists of 4 parts
  Service Engines
  Normalized Message Router
  Binding Components
  System Management

Page 12: Java One 2005-revised.ppt

JBI Example

[Figure: Enterprise Service Bus. Labels: Service Engines (BPEL, XSLT, JEE); Normalized Message Router (NMR); Binding Components (WSI-Basic, JMS, EDI); System Management; WSDL (repeated six times).]

Page 13: Java One 2005-revised.ppt

JBI Service Engine

Provide local services
  BPEL
  Transformations (i.e., XSLT, EDI, etc.)
  Business logic
Consume services
Have the full power of JSE and JEE
Protocol and transport agnostic
Engages in message patterns

Page 14: Java One 2005-revised.ppt

Binding Components

Handles protocol specific message reformatting
  Deals with wire transport of messages
  Protocols such as SOAP, JMS, FTP, SMTP…
Act as a proxy for remote service provider
Provides access for remote consumers
No business logic (by convention)
WSDL used for publishing services

Page 15: Java One 2005-revised.ppt

NMR

Key to interoperation
Allows providers to communicate with consumers via Normalized Messages
NM = abstract message + Metadata
  Metadata may include security token, txn info, protocol supplied content, etc.
NM ≠ canonical message format

Page 16: Java One 2005-revised.ppt

SOA Scenario

[Figure: sequence diagram. Participants: “B” Client, SOAP BC, JBI NMR, BPEL SE, XSLT SE, “A” Service. Step labels: receive, invoke, "B-to-A", invoke. Message labels: "B", "A".]

Page 17: Java One 2005-revised.ppt

Message Exchange Patterns

Define sequence and cardinality between SP and consumer
In-only, robust in-only, in-out, in-optional-out, two way
Message Exchange Instance is the container for NMs
  Holds state of exchange
  Not serializable, won’t survive a crash
  Visible to all participants

Page 18: Java One 2005-revised.ppt

SOA Links

https://www35.cplan.com/javaone05_93_1/sessions_catalog.jsp
  The session catalog
http://java.sun.com/javaone/sf/index.jsp
  Where it says 2005 JavaOne Conference Presentations Now Available
http://webservices.xml.com/pub/a/ws/2003/09/30/soa.html
  What is Service Oriented Architecture
http://java.sun.com/integration/
  The JBI home page
http://www.infoworld.com/article/03/06/13/24FEesb_1.html
  A little more about Enterprise Service Bus
http://java.sun.com/integration
  JBI reference implementation with examples

Page 19: Java One 2005-revised.ppt

Java 18 Month Plan

Java 6 – Summer of 2006 (Mustang)
  Theme 1: Compatibility, Stability, Quality
  Theme 2: Diagnose, Monitor, & Management (more out of memory diagnosis)
  Theme 3: XML & Web Services
  Theme 4: Ease-of-Development (includes Rhino JavaScript engine; JDBC 4.0, Annotations, more XML Data Support, Updated Javadoc)
  Theme 5: Desktop (work with Longhorn for look-n-feel; UI upgrades – faster; system tray)
  Theme 6: Becoming more open (mustang.dev.java.net – weekly builds)

Page 20: Java One 2005-revised.ppt

UI Stuff

Java Server Faces
AJAX

Page 21: Java One 2005-revised.ppt

Java Server Faces (JSF)

Why JSF?
  JSF is the only framework specifically designed with JSR 168 Portlets in mind
  JSF applications can run inside any JSR 168 container without modification*
Running JSF Portlets
  Remove redirects from faces-config.xml
  Create portlet.xml deployment descriptor
  Deploy portlet in container
JSF technology is the natural choice for portlet development

Page 22: Java One 2005-revised.ppt

Why JSF?

Other options (Struts, SpringMVC, Tapestry, etc.)
JSF designed to produce UI components & JavaBeans™ (Easier to develop due to IDE integration)
Ease of maintenance (faces_config vs struts_config)

Page 23: Java One 2005-revised.ppt

What to know about developing Portlets

A portlet runs inside a portlet container
Portlet is normally deployed as an individual WAR
Each portlet has a standard deployment descriptor called portlet.xml
Beyond portlet.xml, each vendor has its own way of registering portlets with the portal

Page 24: Java One 2005-revised.ppt

API for Portlet Interface

public void init()

public void destroy()

public void processAction()

public void render()

Page 25: Java One 2005-revised.ppt

Portlet Modes

Edit
View
Help

JSF does not have a concept of modes, so you usually need to disable Edit and View modes in portlet.xml
MyFaces (1.0.9) supports modes

Page 26: Java One 2005-revised.ppt

Steps to Deploy a JSF app. as a portlet

Go to http://javaserverfaces.dev.java.net and download javaserverfaces_portlet.class
Run java -cp . javaserverfaces_portlet
You will end up with a jsf-portlet.jar
Put jsf-portlet.jar in /WEB-INF/lib
Ensure you don’t reference HttpServletRequest or HttpServletResponse

Page 27: Java One 2005-revised.ppt

JSF Slides & References

Atlhqfs01\web\JavaOne-2005\WebTier\TS-3374.pdf
MyFaces: myfaces.apache.org
JSF RI: javaserverfaces.dev.java.net
JSF Intro: java.sun.com/j2ee/javaserverfaces/jsfintro.html
Apache Portals Struts Bridge: http://portals.apache.org/jetspeed-2/multiproject/project-bridges-struts

Page 28: Java One 2005-revised.ppt

AJAX

AJAX – Asynchronous JavaScript (XMLHttpRequest); originally ActiveX and MS IE only; now supported on (Mozilla, Safari & Opera) browsers
Communication via GET/POST
Documents must be text/xml
Page continues to process events, the XMLHttpRequest object works in the background
Limited number of requests allowed

Page 29: Java One 2005-revised.ppt

AJAX - 2

3 main strategies:
  Use JSF phase listener – best
    <ajaxTags:completionField size="40" id="cityField" completionMethod="#{ApplicationBean.completeCity}" value="#{SessionBean.city}" required="true"/>
  Separate Servlet
  Retro-existing Application

Page 30: Java One 2005-revised.ppt

AJAX –JSF Component Issues

Syncing up state in the HTML DOM and JSF interface
AutoComplete – Need to turn browser autocomplete off: <input .. autocomplete="off"/>
Validation messages should use same CSS styles and elements as JSF components
Encapsulate the XMLHttpRequest and callback functions to prevent JavaScript technology conflicts

Page 31: Java One 2005-revised.ppt

AJAX - JavaScript

Remember to use separate .js file – so that script can be cached
Use generic JavaScript objects to stash properties
DOM manipulation differs with browsers – be careful

Page 32: Java One 2005-revised.ppt

AJAX – Use Cases

Refreshing data
Real-time validation
Auto-complete
Advanced GUI widgets and controls

Page 33: Java One 2005-revised.ppt

AJAX Trade-Offs

JS technology dependency
Difficult to debug and test
Source is in plain view
Security
Requires latest generation of browsers
Cross-browser compatibility needs

Page 34: Java One 2005-revised.ppt

AJAX Future

AJAX enabled JSF components
Standardization of XMLHttpRequest
Best practices
Better browser support
Framework support

Page 37: Java One 2005-revised.ppt

AJAX - 3

Page 38: Java One 2005-revised.ppt

AJAX Processing with a JSF Component

Page 42: Java One 2005-revised.ppt

Pushing data to an HTML page

Page 43: Java One 2005-revised.ppt

Real-Time Validation w/AJAX

Page 44: Java One 2005-revised.ppt

Auto-Complete via AJAX

Page 45: Java One 2005-revised.ppt

Progress Bar via AJAX

Page 47: Java One 2005-revised.ppt

AJAX References

BluePrints Solutions catalog on AJAX: https://bpcatalog.dev.java.net/nonav/ajax
AJAX Community: https://ajax.dev.java.net/
Atlhqfs01\web\JavaOne-2005\WebTier\TS-7986.pdf

Page 48: Java One 2005-revised.ppt

Nine Ways to Hack a Web-App (ts-5935.pdf)

95% of web apps have vulnerabilities
  Cross-site scripting (80 percent)
  SQL Injection (62 percent)
  Parameter tampering (60 percent)
  Cookie poisoning (37 percent)
  Database server (33 percent)
  Web server (23 percent)
  Buffer overflow (19 percent)

Page 49: Java One 2005-revised.ppt

Security Principles of Web Architecture

Separate services (web server, app server, db server on separate hosts)
Limit privileges of application user (file system; db; running apps)
Hide secrets (db account passwords, encryption keys)
Use standard, vetted components/libraries (keep them patched)
Log, and watch logs for unusual activity
Load-test and tune

Page 50: Java One 2005-revised.ppt

OWASP Top 10 Web Security Vulnerabilities

Unvalidated input
Broken access control
Broken account/session management
Cross-site scripting (XSS) flaws (steal cookies; inject JS into DB)
Buffer overflows (not really an issue with Java)
Injection flaws (Runtime.exec(); dynamic concat SQL)
Improper error handling (too much info.)
Insecure storage (bad crypto)
Denial-of-service (overuse of logging; unresolved dependencies on other systems; {code reviews/load test})
Insecure configuration management
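
Added example (not from the slides or the cited session): the two injection cases the list names, dynamically concatenated SQL and Runtime.exec(), each beside a hardened form. The accounts table, the host allow-list pattern and the ping command are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import java.util.regex.Pattern;

public class InjectionDemo {

    // BEFORE: caller data is spliced into the SQL text, so it can change the statement's structure.
    static String concatQuery(String user) {
        return "SELECT id FROM accounts WHERE name = '" + user + "'";
    }

    // AFTER: the SQL text is constant; the value is bound as data and never parsed as SQL.
    static boolean accountExists(Connection db, String user) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT id FROM accounts WHERE name = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Hypothetical allow-list: host names only, must start and end with a letter or digit.
    private static final Pattern HOST =
            Pattern.compile("[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?");

    // Runtime.exec(String) splits its argument on whitespace, so spliced input can add
    // arguments. Validate first, then build an argument vector so the value stays one argument.
    static List<String> pingCommand(String host) {
        if (!HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("rejected host: " + host);
        }
        return List.of("ping", "-c", "1", host); // pass to new ProcessBuilder(cmd).start()
    }

    public static void main(String[] args) {
        String constructed = "x' OR '1'='1"; // constructed sample input
        System.out.println(concatQuery(constructed)); // WHERE clause no longer means "name equals"
        System.out.println(pingCommand("db01.example.internal"));
        try {
            pingCommand("db01 -c 100000"); // constructed input carrying extra arguments
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

accountExists needs a live JDBC connection, so main exercises only the string-building and validation paths.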