Skip to main content

Jazoon 2007: Day two half done

Disclaimer: I'm just splashing in the notes I'm talking while listening to the talks here. All notes are not stated facts. Just stuff I manage to pick up.

Keynote by former Apache foundation chairman Roy T Fielding about the ideas and origin of REST, the re-discovery of REST (after SOA/SOAP). Fielding published the REST architecture in his dissertation 7 years ago, and advises us to be aware of buzz.

Second part of the keynote was an ELCA talk about integration between heterogenous systems and how Spring has helped them with that.. Very 2004'ish.


Glassfish V3 talk.

V1 was released at JavaOne last year. V2 is still in development (clustering, load balancing), most development will happen in V3. Lotsa changes going on.

It is essentially the same demo that was held at JavaOne some weeks ago.

Quickly in demo. Startup is in 800 ms and still able to serve static pages. Started off with deploying a RoR application.

asadmin deploy -- path ~/ror/mephisto

Deploying a RoR application starts the RoR container.

Same for a webapp, starts the web container

asadmin undeploy --name mpehisto

When killing and starting v3 with war still deployed startup time is 2.3 seconds. Undeploying returns the startup to 800 ms.

The architecture is based on maven and OSGi. The kernel is 50KB. Runs on SE.

The module control is meant to be handled with jsr277 due in java se 7.

Went on to talk about modules, classloaders and libraries, garbage collection. We have to be carfeul with use of threadlocal to let the GC run. Repositories hold modules. Eventually they want to tap into OSGi to add and remove repos at runtime. Already done in maven/directories.

Bootstrapping is done by implementating ApplicationStartup (interface). Dependencies can be declared in the manifest (that can be generated from the pom). But they do skip the POM file for performance. Use MF instead

Dependencies are package type "hk2-jar".

V3 is still not JEE compliant, but they're getting there.

Services. Annotation based service declaration. @Contract and @Service. Glassfish will find it and initialize it on startup.

Nice way of annotating actions, like "deploy".

Grizzly best web container on performance.

Dependency Injection. Looks like Google Guice.

Extraction. Lets objects produce ouput. @Extract on getter methods.

But how do they order of instantiation. It does inheritied componend dependencies with "cascading".

Good talk, very interesting even if I heard a run-through of the content before.


On to a SOA talk by Patrick Steger. Trip through WS* standards.

Nice and relaxed tone on the speaker. He's very concise and knows very well what he is talking about. Probably the most professionaly executed talk I've seen here so far (first guy who finished on time).

I've been lagging behind on ye old SOAP stack so its nice to get an update on the standards.

Starting off with WS-SecurityPolicy. Draft standard, suppotrted by some java and MS. Its an extension of the WS-Policy standard. It is done by OASIS

WS-MEX (metadata exchange) is used for getting policies over to the client.

SAML assertions are passports. WSDL get over http can be used to get the metadata used for future transaction. also supported by MS and some Java frameworks. Still protocol independent. It's based on WS-Transfer. Great for flexible endpoints. XML standard, draft review.

SAML is an OASIS standard. Used for key exchange.

The SAML is gotten hold of with a SecurityTokenService (running a dedicated server). Communication with this one is done with WS-trust.

Its basically key exchange mechanics done in WS. WS-Trust is an established OASIS standard supported by MS and Java projects.

WS-Trust is based on WS-Security. There are different token profiles for various security methods (kerbroros, user/pass, SAML, x509).

Passports are used for establishing secutiry for short intervals (40 secs). WS-ServiceConvercation is used for establishing longer sessions. This is done by getting a SecurityContextToken.

Finally the conversation can begin and SOAP messages are exchanged, client using service. All well authenticated, signed and encrypted.

WS-SecureExchange is an integration of all the mentioned standards into one standard.

Goes on to extend the example with an Authentication Service server. XACML is used for communicating with this server. This is the authorization part of the security. This is a mature OASIS standard with good access control.

Java vs MS on this one. WS-Security is supported in Axis 2, also lotsa support in proprietary products. There is a WS02 framework on the way.

Very little happening in the Java community for supporting the above standards, while the standards are already part of the platform in MS Communication Foundation.

Good slide in the end there, good talk. Very clear on what the facts are and what his personal opinions are.

Key findings include that these standards put a heavy load on developers. Best for Jva/MS integration is to use WCF on MS side and WSIT on the Java side.

Good idea to extract all this security into xml-firewalls, and reuse authentication/authorization mechanics across projects.

Question about whether it is difficult to deploy on IBM Websphere. It is a problem, but using WSIT instead of webpshere WS framework.

WSIT is a framework, project Tango. Spinoff from Sun. The aim is to provide a WS framework that interoperates with the MS world.

Popular posts from this blog

Encrypting and Decrypting with Spring

I was recently working with protecting some sensitive data in a typical Java application with a database underneath. We convert the data on its way out of the application using Spring Security Crypto Utilities. It "was decided" that we'd be doing AES with a key-length of 256, and this just happens to be the kind of encryption Spring crypto does out of the box. Sweet!

The big aber is that whatever JRE is running the application has to be patched with Oracle's JCE in order to do 256 bits. It's a fascinating story, the short version being that U.S. companies are restricted from exporting various encryption algorithms to certain countries, and some countries are restricted from importing them.

Once I had patched my JRE with the JCE, I found it fascinating how straight forward it was to encrypt and decrypt using the Spring Encryptors. So just for fun at the weekend, I threw together a little desktop app that will encrypt and decrypt stuff for the given password and sa…

Managing dot-files with vcsh and myrepos

Say I want to get my dot-files out on a new computer. Here's what I do:

# install vcsh & myrepos via apt/brew/etc
vcsh clone mr
mr update

Done! All dot-files are ready to use and in place. No deploy command, no linking up symlinks to the files. No checking/out in my entire home directory as a Git repository. Yet, all my dot-files are neatly kept in fine-grained repositories, and any changes I make are immediately ready to be committed:

    -> ~/.atom/*

    -> ~/.mrconfig
    -> ~/.config/mr/*

    -> ~/.tmuxinator/*

    -> ~/.vimrc
    -> ~/.vim/*

    -> ~/bin/*

    -> ~/.gitconfig

    -> ~/.tmux.conf    

    -> ~/.zshrc

How can this be? The key here is to use vcsh to keep track of your dot-files, and its partner myrepos/mr for operating on many repositories at the same time.

I discovere…

Always use git-svn with --prefix

TLDR: I've recently been forced back into using git-svn, and while I was at it, I noticed that git-svn generally behaves a lot better when it is initialized using the --prefix option.

Frankly, I can't see any reason why you would ever want to use git-svn without --prefix. It even added some major simplifications to my old git-svn mirror setup.

Update: Some of the advantages of this solution will disappear in newer versions of Git.

For example, make a standard-layout svn clone:

$ git svn clone -s

You'll get this .git/config:

[svn-remote "svn"]
        url =
        fetch = project-foo/trunk:refs/remotes/trunk
        branches = project-foo/branches/*:refs/remotes/*
        tags = project-foo/tags/*:refs/remotes/tags/*

And the remote branches looks like this (git branch -a):

(Compared to regular remote branches, they look very odd because there is no remote name i…

The Best Log Viewer Ever

This is what it looks like when I want to have a look through the logfile, to see what a user did on one of our machines one day:

Read the whole story about how it works on the Viaboxx Systems blog (and upvote on DZone!).

Microsoft ups their Git efforts another notch

This week Microsoft announced first class Git support embedded in the coming version of Visual Studio.

Now, it's not completely shocking. We could have seen it coming since Microsoft started offering Git repos on CodePlex, and more recently offering a Git client for TFS. In any case, these are some big news. Scott Hanselman weighs on some features and some more background here.

For those who are a bit unaware of what the Git situation on Windows looks like these days, I've dotted down these notes:
Some explanation on these:

msysGit has long been The Way to use Git on Windows. It's basically a port of Git itself, so it's a command-line tool.GitExtensions (includes Visual Studio integration), TortoiseGit, Git Shell, posh-git and most other tools are powered by msysGit.libgit2 is a native library for doing Git stuff. It is developed completely separate from Git itself. The above tools could (and should) probably use libgit2 instead of hooking onto and around msysGit.Github…