Skip to main content

Jazoon 2007: Day two half done

Disclaimer: I'm just splashing in the notes I'm talking while listening to the talks here. All notes are not stated facts. Just stuff I manage to pick up.

Keynote by former Apache foundation chairman Roy T Fielding about the ideas and origin of REST, the re-discovery of REST (after SOA/SOAP). Fielding published the REST architecture in his dissertation 7 years ago, and advises us to be aware of buzz.

Second part of the keynote was an ELCA talk about integration between heterogenous systems and how Spring has helped them with that.. Very 2004'ish.

...

Glassfish V3 talk.

V1 was released at JavaOne last year. V2 is still in development (clustering, load balancing), most development will happen in V3. Lotsa changes going on.

It is essentially the same demo that was held at JavaOne some weeks ago.

Quickly in demo. Startup is in 800 ms and still able to serve static pages. Started off with deploying a RoR application.

asadmin deploy -- path ~/ror/mephisto

Deploying a RoR application starts the RoR container.

Same for a webapp, starts the web container

asadmin undeploy --name mpehisto

When killing and starting v3 with war still deployed startup time is 2.3 seconds. Undeploying returns the startup to 800 ms.

The architecture is based on maven and OSGi. The kernel is 50KB. Runs on SE.

The module control is meant to be handled with jsr277 due in java se 7.

Went on to talk about modules, classloaders and libraries, garbage collection. We have to be carfeul with use of threadlocal to let the GC run. Repositories hold modules. Eventually they want to tap into OSGi to add and remove repos at runtime. Already done in maven/directories.

Bootstrapping is done by implementating ApplicationStartup (interface). Dependencies can be declared in the manifest (that can be generated from the pom). But they do skip the POM file for performance. Use MF instead

Dependencies are package type "hk2-jar".

V3 is still not JEE compliant, but they're getting there.

Services. Annotation based service declaration. @Contract and @Service. Glassfish will find it and initialize it on startup.

Nice way of annotating actions, like "deploy".

Grizzly best web container on performance.

Dependency Injection. Looks like Google Guice.

Extraction. Lets objects produce ouput. @Extract on getter methods.

But how do they order of instantiation. It does inheritied componend dependencies with "cascading".

Good talk, very interesting even if I heard a run-through of the content before.

...


On to a SOA talk by Patrick Steger. Trip through WS* standards.

Nice and relaxed tone on the speaker. He's very concise and knows very well what he is talking about. Probably the most professionaly executed talk I've seen here so far (first guy who finished on time).

I've been lagging behind on ye old SOAP stack so its nice to get an update on the standards.

Starting off with WS-SecurityPolicy. Draft standard, suppotrted by some java and MS. Its an extension of the WS-Policy standard. It is done by OASIS

WS-MEX (metadata exchange) is used for getting policies over to the client.

SAML assertions are passports. WSDL get over http can be used to get the metadata used for future transaction. also supported by MS and some Java frameworks. Still protocol independent. It's based on WS-Transfer. Great for flexible endpoints. XML standard, draft review.

SAML is an OASIS standard. Used for key exchange.

The SAML is gotten hold of with a SecurityTokenService (running a dedicated server). Communication with this one is done with WS-trust.

Its basically key exchange mechanics done in WS. WS-Trust is an established OASIS standard supported by MS and Java projects.

WS-Trust is based on WS-Security. There are different token profiles for various security methods (kerbroros, user/pass, SAML, x509).

Passports are used for establishing secutiry for short intervals (40 secs). WS-ServiceConvercation is used for establishing longer sessions. This is done by getting a SecurityContextToken.

Finally the conversation can begin and SOAP messages are exchanged, client using service. All well authenticated, signed and encrypted.

WS-SecureExchange is an integration of all the mentioned standards into one standard.

Goes on to extend the example with an Authentication Service server. XACML is used for communicating with this server. This is the authorization part of the security. This is a mature OASIS standard with good access control.

Java vs MS on this one. WS-Security is supported in Axis 2, also lotsa support in proprietary products. There is a WS02 framework on the way.

Very little happening in the Java community for supporting the above standards, while the standards are already part of the platform in MS Communication Foundation.

Good slide in the end there, good talk. Very clear on what the facts are and what his personal opinions are.

Key findings include that these standards put a heavy load on developers. Best for Jva/MS integration is to use WCF on MS side and WSIT on the Java side.

Good idea to extract all this security into xml-firewalls, and reuse authentication/authorization mechanics across projects.

Question about whether it is difficult to deploy on IBM Websphere. It is a problem, but using WSIT instead of webpshere WS framework.

WSIT is a framework, project Tango. Spinoff from Sun. The aim is to provide a WS framework that interoperates with the MS world.

Comments

Popular posts from this blog

Open source CMS evaluations

I have now seen three more or less serious open source CMS reviews. First guy to hit the field was Matt Raible ( 1 2 3 4 ), ending up with Drupal , Joomla , Magnolia , OpenCms and MeshCMS being runner-ups. Then there is OpenAdvantage that tries out a handful ( Drupal , Exponent CMS , Lenya , Mambo , and Silva ), including Plone which they use for their own site (funny/annoying that the entire site has no RSS-feeds, nor is it possible to comment on the articles), following Matt's approach by exluding many CMS that seem not to fit the criteria. It is somewhat strange that OpenAdvantage cuts away Magnolia because it "Requires J2EE server; difficult to install and configure; more of a framework than CMS", and proceed to include Apache Lenya in the full evaluation. Magnolia does not require a J2EE server. It runs on Tomcat just like Lenya does (maybe it's an idea to bundle Magnolia with Jetty to make it seem more lightweight). I'm still sure that OpenAdvant

Encrypting and Decrypting with Spring

I was recently working with protecting some sensitive data in a typical Java application with a database underneath. We convert the data on its way out of the application using Spring Security Crypto Utilities . It "was decided" that we'd be doing AES with a key-length of 256 , and this just happens to be the kind of encryption Spring crypto does out of the box. Sweet! The big aber is that whatever JRE is running the application has to be patched with Oracle's JCE  in order to do 256 bits. It's a fascinating story , the short version being that U.S. companies are restricted from exporting various encryption algorithms to certain countries, and some countries are restricted from importing them. Once I had patched my JRE with the JCE, I found it fascinating how straight forward it was to encrypt and decrypt using the Spring Encryptors. So just for fun at the weekend, I threw together a little desktop app that will encrypt and decrypt stuff for the given password

What I've Learned After a Month of Podcasting

So, it's been about a month since I launched   GitMinutes , and wow, it's been a fun ride. I have gotten a lot of feedback, and a lot more downloads/listeners than I had expected! Judging the numbers is hard, but a generous estimate is that somewhere around 2000-3000 have listened to the podcast, and about 500-1000 regularly download. Considering that only a percentage of my target audience actively listen to podcasts, these are some pretty good numbers. I've heard that 10% of the general population in the western world regularly listen to podcasts (probably a bit higher percentage among Git users), so I like to think I've reached a big chunk of the Git pros out there. GitMinutes has gathered 110 followers on Twitter, and 63, erm.. circlers on Google+, and it has received 117 +'es! And it's been flattr'ed twice :) Here are some of the things I learned during this last month: Conceptually.. Starting my own sandbox podcast for trying out everythin

The academical approach

Oops, seems I to published this post prematurely by hitting some Blogger keyboard shortcut. I've been sitting for some minutes trying to figure out how to approach the JavaZone talk mentioned in my previous blog-post. Note that I have already submitted an abstract to the comittee, and that I won't publish the abstract here in the blog. Now of course the abstract is pretty detailed on what the talk is going to be about, but I've still got some elbow room on how to "implement" the talk. I will use this blog as a tool to get my aim right on how to present the talk, what examples to include, what the slides should look like, and how to make it most straightforward and understandable for the audience. Now in lack of having done any presentations at a larger conference before, I'm gonna dig into what I learned at the University, which wasn't very much, but they did teach me how to write a research paper, a skill which I will adapt into creating my talk: The one

Git Stash Blooper (Could not restore untracked files from stash)

The other day I accidentally did a git stash -a , which means it stashes *everything*, including ignored output files (target, build, classes, etc). Ooooops.. What I meant to do was git stash -u , meaning stash modifications plus untracked new files. Anyhows, I ended up with a big fat stash I couldn't get back out. Each time I tried, I got something like this: .../target/temp/dozer.jar already exists, no checkout .../target/temp/core.jar already exists, no checkout .../target/temp/joda-time.jar already exists, no checkout .../target/foo.war already exists, no checkout Could not restore untracked files from stash No matter how I tried checking out different revisions (like the one where I actually made the stash), or using --force, I got the same error. Now these were one of those "keep cool for a second, there's a git way to fix this"situation. I figured: A stash is basically a commit. If we look at my recent commits using   git log --graph --