Skip to main content

Jazoon 2007: Day two half done

Disclaimer: I'm just splashing in the notes I'm talking while listening to the talks here. All notes are not stated facts. Just stuff I manage to pick up.

Keynote by former Apache foundation chairman Roy T Fielding about the ideas and origin of REST, the re-discovery of REST (after SOA/SOAP). Fielding published the REST architecture in his dissertation 7 years ago, and advises us to be aware of buzz.

Second part of the keynote was an ELCA talk about integration between heterogenous systems and how Spring has helped them with that.. Very 2004'ish.

...

Glassfish V3 talk.

V1 was released at JavaOne last year. V2 is still in development (clustering, load balancing), most development will happen in V3. Lotsa changes going on.

It is essentially the same demo that was held at JavaOne some weeks ago.

Quickly in demo. Startup is in 800 ms and still able to serve static pages. Started off with deploying a RoR application.

asadmin deploy -- path ~/ror/mephisto

Deploying a RoR application starts the RoR container.

Same for a webapp, starts the web container

asadmin undeploy --name mpehisto

When killing and starting v3 with war still deployed startup time is 2.3 seconds. Undeploying returns the startup to 800 ms.

The architecture is based on maven and OSGi. The kernel is 50KB. Runs on SE.

The module control is meant to be handled with jsr277 due in java se 7.

Went on to talk about modules, classloaders and libraries, garbage collection. We have to be carfeul with use of threadlocal to let the GC run. Repositories hold modules. Eventually they want to tap into OSGi to add and remove repos at runtime. Already done in maven/directories.

Bootstrapping is done by implementating ApplicationStartup (interface). Dependencies can be declared in the manifest (that can be generated from the pom). But they do skip the POM file for performance. Use MF instead

Dependencies are package type "hk2-jar".

V3 is still not JEE compliant, but they're getting there.

Services. Annotation based service declaration. @Contract and @Service. Glassfish will find it and initialize it on startup.

Nice way of annotating actions, like "deploy".

Grizzly best web container on performance.

Dependency Injection. Looks like Google Guice.

Extraction. Lets objects produce ouput. @Extract on getter methods.

But how do they order of instantiation. It does inheritied componend dependencies with "cascading".

Good talk, very interesting even if I heard a run-through of the content before.

...


On to a SOA talk by Patrick Steger. Trip through WS* standards.

Nice and relaxed tone on the speaker. He's very concise and knows very well what he is talking about. Probably the most professionaly executed talk I've seen here so far (first guy who finished on time).

I've been lagging behind on ye old SOAP stack so its nice to get an update on the standards.

Starting off with WS-SecurityPolicy. Draft standard, suppotrted by some java and MS. Its an extension of the WS-Policy standard. It is done by OASIS

WS-MEX (metadata exchange) is used for getting policies over to the client.

SAML assertions are passports. WSDL get over http can be used to get the metadata used for future transaction. also supported by MS and some Java frameworks. Still protocol independent. It's based on WS-Transfer. Great for flexible endpoints. XML standard, draft review.

SAML is an OASIS standard. Used for key exchange.

The SAML is gotten hold of with a SecurityTokenService (running a dedicated server). Communication with this one is done with WS-trust.

Its basically key exchange mechanics done in WS. WS-Trust is an established OASIS standard supported by MS and Java projects.

WS-Trust is based on WS-Security. There are different token profiles for various security methods (kerbroros, user/pass, SAML, x509).

Passports are used for establishing secutiry for short intervals (40 secs). WS-ServiceConvercation is used for establishing longer sessions. This is done by getting a SecurityContextToken.

Finally the conversation can begin and SOAP messages are exchanged, client using service. All well authenticated, signed and encrypted.

WS-SecureExchange is an integration of all the mentioned standards into one standard.

Goes on to extend the example with an Authentication Service server. XACML is used for communicating with this server. This is the authorization part of the security. This is a mature OASIS standard with good access control.

Java vs MS on this one. WS-Security is supported in Axis 2, also lotsa support in proprietary products. There is a WS02 framework on the way.

Very little happening in the Java community for supporting the above standards, while the standards are already part of the platform in MS Communication Foundation.

Good slide in the end there, good talk. Very clear on what the facts are and what his personal opinions are.

Key findings include that these standards put a heavy load on developers. Best for Jva/MS integration is to use WCF on MS side and WSIT on the Java side.

Good idea to extract all this security into xml-firewalls, and reuse authentication/authorization mechanics across projects.

Question about whether it is difficult to deploy on IBM Websphere. It is a problem, but using WSIT instead of webpshere WS framework.

WSIT is a framework, project Tango. Spinoff from Sun. The aim is to provide a WS framework that interoperates with the MS world.

Comments

Popular posts from this blog

Open source CMS evaluations

I have now seen three more or less serious open source CMS reviews. First guy to hit the field was Matt Raible ( 1 2 3 4 ), ending up with Drupal , Joomla , Magnolia , OpenCms and MeshCMS being runner-ups. Then there is OpenAdvantage that tries out a handful ( Drupal , Exponent CMS , Lenya , Mambo , and Silva ), including Plone which they use for their own site (funny/annoying that the entire site has no RSS-feeds, nor is it possible to comment on the articles), following Matt's approach by exluding many CMS that seem not to fit the criteria. It is somewhat strange that OpenAdvantage cuts away Magnolia because it "Requires J2EE server; difficult to install and configure; more of a framework than CMS", and proceed to include Apache Lenya in the full evaluation. Magnolia does not require a J2EE server. It runs on Tomcat just like Lenya does (maybe it's an idea to bundle Magnolia with Jetty to make it seem more lightweight). I'm still sure that OpenAdvant

Considerations for JavaScript in Modern (2013) Java/Maven Projects

Disclaimer: I'm a Java developer, not a JavaScript developer. This is just what I've picked up the last years plus a little research the last days. It's just a snapshot of my current knowledge and opinions on the day of writing, apt to change over the next weeks/months. We've gone all modern in our web applications, doing MVC on the client side with AngularJS or Ember , building single-page webapps with REST backends. But how are we managing the growing amount of JavaScript in our application? Yeoman 's logo (not necessarily the conclusion of this blog post) You ain't in Kansas anymore So far we've just been doing half-random stuff. We download some version of a library and throw it into our src/main/webapp/js/lib , or we use it from a CDN , which may be down or unreachable when we want to use the application.. Some times the JS is minified, other times it's not. Some times we name the file with version number, other times without. Some

Git Stash Blooper (Could not restore untracked files from stash)

The other day I accidentally did a git stash -a , which means it stashes *everything*, including ignored output files (target, build, classes, etc). Ooooops.. What I meant to do was git stash -u , meaning stash modifications plus untracked new files. Anyhows, I ended up with a big fat stash I couldn't get back out. Each time I tried, I got something like this: .../target/temp/dozer.jar already exists, no checkout .../target/temp/core.jar already exists, no checkout .../target/temp/joda-time.jar already exists, no checkout .../target/foo.war already exists, no checkout Could not restore untracked files from stash No matter how I tried checking out different revisions (like the one where I actually made the stash), or using --force, I got the same error. Now these were one of those "keep cool for a second, there's a git way to fix this"situation. I figured: A stash is basically a commit. If we look at my recent commits using   git log --graph --

Managing dot-files with vcsh and myrepos

Say I want to get my dot-files out on a new computer. Here's what I do: # install vcsh & myrepos via apt/brew/etc vcsh clone https://github.com/tfnico/config-mr.git mr mr update Done! All dot-files are ready to use and in place. No deploy command, no linking up symlinks to the files . No checking/out in my entire home directory as a Git repository. Yet, all my dot-files are neatly kept in fine-grained repositories, and any changes I make are immediately ready to be committed: config-atom.git     -> ~/.atom/* config-mr.git     -> ~/.mrconfig     -> ~/.config/mr/* config-tmuxinator.git       -> ~/.tmuxinator/* config-vim.git     -> ~/.vimrc     -> ~/.vim/* config-bin.git        -> ~/bin/* config-git.git               -> ~/.gitconfig config-tmux.git       -> ~/.tmux.conf     config-zsh.git     -> ~/.zshrc How can this be? The key here is to use vcsh to keep track of your dot-files, and its partner myrepos/mr for o

Leaving eyeo

Thirteen blog posts later, this one notes my departure from eyeo after 4 years and 3 months. I joined eyeo around the headcount of 80 employees, and now I think there's just over 250 people there. My role coming in was as operations manager, doing a mix of infrastructure engineering and technical project management. I later on took on organizational development to help the company deal with its growing pains . We introduced cross-functional teams, departments (kind of like guilds), new leadership structures, goal-setting frameworks, onboarding processes and career frameworks.  And all of this in a rapidly growing distributed company. I'm proud and happy that for a long time I knew every employee by name and got to meet every single new-hire through training them on company structure and processes.  At some point, we had enough experienced leaders and organizational developers that I could zoom back in on working in one team, consulting them on  Git and continuous integration