Lap, spam, in mijn eigen taal nog wel.

Nu beginnen ze al met hun spam te vertalen, dat moet toch goed verdienen als ze vertalers kunnen betalen, ze moeten wel nog een beetje oefenen me dunkt

Goede dag, 

Mijn naam is Mr.Cheung Pui.I werken met de Hang Seng Bank.There is een bedrag
van $ 17,300,000.00 Op mijn bankrekening Hang Seng Bank ",Hong Kong.Er waren
geen begunstigden verklaarde betrekking tot deze fondsen wat betekent dat
niemand ooit zou komen tot it.That claim is de reden waarom ik vragen dat we
werken together.I doen te werven voor uw hulp bij het uitvoeren van deze
transaction.I van plan om 30% van de te geven totale middelen als compensatie
voor uw assistance.I zal u op de hoogte over de volledige transactie
onreceipt van uw reactie indien interesse, en ik zendt u de details en de
nodige procedures om de overschrijving uit te voeren. 

Mocht u geïnteresseerd zijn, stuur dan de volgende informatie van deze emeil

1. Volledige namen
2. Prive-telefoonnummer
3. Huidige woonadres 

Met vriendelijke groet,

Continue reading “Lap, spam, in mijn eigen taal nog wel.”

Authentication and Authorization

Small summary of the Opensource Authentication and Authorization talk by Allan Foster.

First noteworhty thing: The headset didn’t work, and got replaced, and the fact that people want more and more single sign on where they can use all their different credential methods to sign on to all different things they want to sign on too. The speaker makes his talk an argument of also having a centralized authorization mechanism (XACML3).

So applications do not longer need to know how authentication is done, how the users profile is stored etc… But only need to know about authorization, “is this user allowed to perform this action on this data? YES|NO”. These rules can become very complex as we all know.  so we need this stuff centrally managed (e.g. corporate LDAP, SSO sites).

The speaker makes u huge argument for single sign on, applications should only validate an identity not do the login itself. For most applications this is easy. But the authorization is a different story. Mostly it’s coded into the application because they are very domain specific. For this there are different options like Ad Hoc (if then elses everywhere to error prone!) JEE Policy (but they are difficult to change), on URL level (downsides: most frameworks have 1 url with lots behind it, so the amount of roles is limited), Custom Policy ( writing your own is expensive, hard to maintain etc..)

So what we need is an external policy provider. But it must be extensible, flexible, centrally administrated and handle specific domain complexity. For this there is XACML3 a xml based standard for this, based on rules. The rules compiled out of resources, actions, subjects and conditions on one side and response, attributes and advice on the other side. The provider does not need to know about what kind of rules are defined in the sets, that’s for the application using the service. The service just returns a YES|NO on the questions asked. (like question: user x wants to edit data y, can it?). The questions or resources (in XACML3) can of course be very complex.

In the end Allan Foster points us to OpenAM (of ForgeRock) which is derived from Sun Access Manager what was opensourced in 2007, so OpenAM is also open source and will stay that.

I believe this is worth checking out!

Java EE 6

Java EE 6 Tutorial. Reloaded! by Antonio Goncalves and Alexis Moussine-Pouchkine

In Java EE 6 we get an overview of the EE stuff in Java. Thanks to the fog, traffic and a badge that escaped from my badge holder I was a bit late and missed the general overview. I was just in time to pick up the fact that every container that implements the EE6 spec has to provide a EE6 client. This client allows you to run EE6 code in SE, meaning using for example @Inject in a stand alone application.

They dive into some specs, starting with JPA2.0 which actually we already know because of using Hibernate with JPA 2.0. There are some differences but hey, not so much, the guys from Hibernate worked on the JPA2.0 spec … take a look at @NamedQueries and CriteriaBuilder of you’ve never heard of it before.

The Servlet 3.0 spec is much more interesting, with the annotations introduced and making the web.xml optional. Thanks to @WebServlet, @WebListener etc … There is the new Plugability stuff: what you can now do is create fragmented web.xml that are self contained in their own jar. This is done through <web-fragment> instead of <web-app>. Of course you can override the different jar’s with your main web.xml if you put it in your own WEB-INF . there is also the ServletContainerInitializer API which allows to manipulate the ServletContext at startup. for resources you can put them in META-INF/resources of any jar and the will be served from the root of the web app.

More new stuff is the async (comet like ) communication. Which is of course very cool. With al the fuss about HTML 5 and Websockets. But they did not really show the full power of it.

With EJB 3.1 the remote interface becomes optional. Thanks to the new stuff. ejb’s can now be contained in the war files. For async stuff we can now use @Asynchronous which returns a java.util.concurrent.Future instead of using JMS, however this does not assure that the future will return a result unlike JMS which has more guarantees.

The timer service has been enhanced to act more like the linux/unix cron scheduler. (we can use @schedule )

Another new thing is the @Singleton bean, the name of the annotation speaks for itself of course. You can leave concurrency up to the container or do it yourself in Singleton beans. This is the only part of the spec where you can use synchronized in an EJB. (they are singletons per app container. not clusterwise)

There is more but they didn’t really cover that.

The embedable container

This container can be embedded in your SE application allowing you to use EJB’s in SE applications. Through the EJBContainer you can get the context (this is like spring no? 🙂  ) Will EE6 slowly start to replace Spring everywhere? Maybe. Didn’t the Spring guys worked on the EE6 specification too?

JSF 2.0 I didn’t really listen extensively, I’ve never used it and after watching the overview I don’t think I really will unless it’s required by a customer. ( I would have better skipped this part and go watch the Introducing Wicket, lol, but we’ll see that on parleys).

JSF is a component framework. Which might be cool since you can use different components through out other stuff. Instead of being dependent on the action frameworks where one needs to follow a more specific style of that framework. It seems that in JSF 2.0 it does get easier to create you own components which is a good thing. Maybe it will be used more now. And if I will have to use it, it wont be hard to pick it up and get up to speed. There is ajax functionality in JSF as they demonstrated, but I wonder more what kind of Javascript is being spit out by JSF which wasn’t shown.

Bean Validation is a new specification in EE 6, it”s a nice ‘short’ 50 pages spec which tries to set a standard for bean data validation. It works together with JPA 2.0. You can do it with annotations like @NotNull @Valid @Size(max=1020) etc.. There about 15 standard validation annotations but you can write your own Validation annotations. Would be silly if we couldn’t. (This bean validation reminds me of the hibernate validator, my guess is if you check the JCP, they will have been involved in creating the spec)

JAX-RS 1.1 allows you to create restfull services. Again with annotations (like @GET @POST ). By adding the annotations toa a class & it’s methods you enable them as a restfull webservice. With @Path you can set the url path, with @Produces and @Consumes you set the Mimetype of what the method send/receives. If its xml and your classes are JAXB annotated it works nicely togehter. The same counts for JSON. You can add multiple media types to one method.  JAX-RS is cool since no contract is required unlike a wsdl. You can create a contract file (a wadl) but it is not a standard yet. There are more annotations that you can use like the @MatrixParam, @PathContext and many more. The best is to look at the spec jsr-311.

CDI in EE6. In EE5 there was already @Resource @PersistenceContext @WebServiceRef which are actually already CDI. The new CDI consist of 2 jsr’s JSR-299 JSR-330. CDI for EE en DI for SE. The SE version is minimalistic with @Inject. For EE there is more to it.

For CDI to work you need a beans.xml file in your WEB-INF. The beans.xml can be completely empty. @Named makes the bean available in EL (expression language), rather use @Named then @ManagedBean (JSF annotation). @Inject is for injecting stuff, @Resource is still hanging around but you can use @Inject for that.

You can create your own annotations where you group different other annotations into one (through @StereoType). Like @Model which is actually an @Named and @RequestScoped. Injections can be qualified with self defined annotations that are @Qualifiers. Then you get something like @Inject @Myqualifier MyDao dao; .

But it might be better to do this in beans.xml and then you can have @Alternative for multiple implementers. In the beans.xml you can add them through <alternative>. A new scope is @ConversationScoped, @Dependent or you can build your own @ScopeType. For @ConversationScoped it is demarcated and thus it can be associated with individual browser tabs. It also is accesible from any JSF scope.

(seems like JSF was a main component of the talk thoughout al the demos)

Other interesting annotations are @Consumer and @Producer but the speakers didn’t go into these.

There is a whole set of Portable Extension to allow the user to extend the CDI framework.

The status of EE 6 in application servers. At the moment there is glassfish and jboss which have a Java EE 6 enabled server. TmaxSoft does EE 6. Websphere beta 8 maybe. WebLogic almost. Caucho only does the web profile part of EE6 so no jms etc.. Geronimo uses the open (openESB, openJPA …) stuff to try and implement EE 6.