Monday, February 28, 2011

GlassFish 3.1 arrived! Yes sir, we do cluster now!


GlassFish 3.1 is finally here, as promised by Oracle back in March last year. And it is an exciting release. It brings back all the clustering and high availability support we had been missing since 2.x, into the Java EE 6 world. And there are other really nice things on the feature map. Here is your short introduction.

Get it!
As usual you can get the latest GlassFish Server Open Source Edition 3.1 release (which is exactly the same as the latest RC3/RC4, btw) from glassfish.org/downloads/. It should be there the minute this post is issued. The commercial version, Oracle GlassFish Server 3.1, is available via otn.oracle.com. Both can be downloaded as a Web Profile distribution or as the full version.

What's really new
It's still the lightweight and modular Java EE 6 runtime you know. But now we have:
  • Clustering
    Multiple clusters per domain, multiple instances per cluster. Up to 100 instances per domain!
  • SSH provisioning
    GlassFish Server uses secure shell (SSH) to ensure that clusters that span multiple hosts can be administered centrally.
  • Centralized management
    The use of SSH to enable centralized administration of remote instances is optional and is required only for specific operations. Instances local to the DAS can be administered without SSH. If SSH is not practicable in your environment, you can administer remote instances locally.
  • High Availability (HA)
    Enhanced and optimized from GlassFish 2.x, High Availability Session Persistence, High Availability Java Message Service, RMI-IIOP Load Balancing and Failover
  • GlassFish Embedded API
    A reworked GF Embedded API is there to satisfy your needs!
  • (improved) RESTful API
  • Enterprise OSGi specifications (HTTP, Web, JTA, JDBC, JPA)
  • Use of CDI in hybrid applications
  • Latest Felix version, improved OSGi shell
  • Further improvements to the developer productivity features
  • ActiveRedeploy (preserving state across redeploys) now
    covers stateful EJBs
  • JDBC statement leak detection and reclaim and SQL tracing
  • Maven plugin
  • Application versioning
  • Application-scoped resources
  • weblogic.xml support

Oracle GlassFish Server Control
Even though the open source and the commercial version are basically the same, the commercial version includes some value add-ons that are useful in certain situations. Besides the support and the My Oracle Support access with the included knowledge base, you now also get the Server Control add-on. It consists of several parts:
  • DAS Backup & Recovery
    A complete backup and restore solution for the whole GlassFish domain.
  • Performance Tuner
  • Monitoring Scripting Client
    A command line client for your monitoring needs.
  • ActiveCache for GlassFish
    Stateful HTTPSession clustering with Oracle's Coherence (will be available with Coherence version 3.7, which ships later this year).
  • Oracle Access Manager Integration
    GlassFish Integration for OAM
  • Load Balancer Plugin & Installer
    Separate LB Plugin with its own installer.

Get the complete documentation!
The 3.1 release also delivers the long-awaited complete set of documentation. And you can get it in two ways: grab the ZIP of PDF documents for the Open Source Edition from glassfish.org/docs, or browse the online & PDF documents for Oracle GlassFish Server on the oracle.com site. As a side note: I love the new doc design in the Oracle library! It's readable and navigable ;)

The updated roadmap
The roadmap has been updated, too. As usual this was published with a safe harbor statement in front, so you know what to think about it. It's most likely going to happen but nobody will pay you anything if you rely on this.


What else is happening today?
Together with the new GlassFish release, a Java EE SDK refresh (Update 2) was pushed out as well. There will be a launch webinar at 10 AM (PT) / 7 PM (CET). And as always you can find lots of great resources and engineer blogs via the Aquarium blog. Go check them out! And enjoy the new GlassFish release!

Finally: This was a hard piece of work! Congratulations to all the engineers working on it! 

Preventing CSRF with JSF 2.0


Have you ever had the need for higher security in one of your applications? Then you are probably familiar with the following topic. If not, I am going to tell you a little bit about attacks and web application security before we move on to implementing a CSRF prevention approach with JSF 2.0.

What is Application Security? And why should I care?
Have you ever heard about attacks? Attacks are the techniques that attackers use to exploit vulnerabilities in applications. That is not necessarily done by a real hacker but by nearly anybody with some kind of knowledge in the field of security and programming. There are a couple of basic principles your application should comply with. See the OWASP Principles for more details. For each of the principles you could and should employ some prevention methods in your application.

What is a Cross-Site Request Forgery Attack?
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission, etc.) via the target's browser without the knowledge of the target user, at least until the unauthorized function has been committed.
This attack can happen even if the user is logged into a Web site using strong encryption (HTTPS). Utilizing social engineering, an attacker will embed malicious HTML or JavaScript code into an email or website to request a specific 'task URL'. The task then executes with or without the user's knowledge. For more details please have a look at the OWASP page.

How to prevent CSRF Attacks?
The only reliable way of protecting against CSRF attacks is to decide whether an issued user action is valid and allowed in the current context. The basic approach is this: you issue a secure random token and attach it to the requests issued by a client. This can be done by either assigning one token per HttpSession or, if you need an even higher level of security, by issuing a token per request. When the token is sent back by the client, you check its validity and allow or reject the request.
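The check at the end of that flow is just a comparison of the submitted token with the one stored in the session. As a small hardening measure (my suggestion, not part of the original approach; the class and method names here are illustrative), the JDK offers a constant-time comparison that avoids leaking timing information:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TokenCheck {

    // Compare the submitted token with the session token.
    // MessageDigest.isEqual performs a time-constant comparison.
    public static boolean isValidToken(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }
}
```

A plain `equals` works functionally as well; the constant-time variant simply closes one more theoretical side channel.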

Where to start? - Generating and placing the token
If you are looking at a standard JSF 2.0 application, you have a couple of places where you can think about integrating the described solution. The following is only one approach, focusing on the per-HttpSession token, as this will be sufficient for most requirements. Let's start with the token generation and placement. We need to generate a unique token per HttpSession and place it there. For developer convenience this should be done transparently and in a centralized way. So you first implement your own CSRFSessionListener, implementing the HttpSessionListener interface. Override the sessionCreated method and place the token in the created session.

@Override
public void sessionCreated(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    String randomId = generateRandomId();
    session.setAttribute(CSRFTOKEN_NAME, randomId);
}

As you can see, there is no real magic here. The magic happens in the generateRandomId method. Again, there are many ways to generate truly unique identifiers. Since Java SE 5 you have the handy UUID class, which represents an immutable, universally unique identifier (UUID), a 128-bit value. The second option is to use the SecureRandom and MessageDigest classes. Their use is far more expensive, but you have a couple of options available that make your token a little bit more secure. You basically have to take the following steps:

// Get a secure random number generator
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
// initialize a MessageDigest
MessageDigest sha = MessageDigest.getInstance("SHA-1");
// create a MessageDigest of the random number
byte[] randomDigest = sha.digest(Integer.toString(random.nextInt()).getBytes());
// encode the byte[] into some textual representation
String token = hexEncode(randomDigest);

For a more complete example, please see this article about generating unique IDs.
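Putting the pieces together, generateRandomId and the hexEncode helper referenced above could look like this (a sketch; the enclosing class name is illustrative, the method names follow the snippets above):

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class TokenGenerator {

    // Generate a random id as the hex string of a SHA-1 digest
    public static String generateRandomId() {
        try {
            SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
            MessageDigest sha = MessageDigest.getInstance("SHA-1");
            byte[] randomDigest = sha.digest(Integer.toString(random.nextInt()).getBytes());
            return hexEncode(randomDigest);
        } catch (NoSuchAlgorithmException e) {
            // SHA1PRNG and SHA-1 are available on every standard JDK
            throw new IllegalStateException(e);
        }
    }

    // Encode a byte[] into its lowercase hex representation
    public static String hexEncode(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

A SHA-1 digest is 20 bytes, so the resulting token is a 40-character hex string, just like the one shown in the page source later on.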

And the JSF parts? - placing the token to a form
Up to now we didn't even use JSF. But we will. The idea is to have the token rendered as a hidden input field in every form. To spare developers additional coding, we introduce a new CSRFForm component which does this for us. So the next step is to implement your CSRFForm, which should extend the standard HtmlForm.

@Override
public void encodeBegin(FacesContext context) throws IOException {

    // initialize the new token input
    CSRFTokenInput cSRFToken = new CSRFTokenInput();

    // set the clientId
    cSRFToken.setId(this.getClientId() + "_CSRFToken");

    // add the component to the form
    // (note: in production, guard against adding the child more than once)
    getChildren().add(cSRFToken);

    super.encodeBegin(context);
}

As you can see, we also need the CSRFTokenInput class which extends UIComponentBase and represents our own hidden field.

@Override
public void encodeEnd(FacesContext context) throws IOException {

    // get the session (don't create a new one!)
    HttpSession session = (HttpSession) context.getExternalContext().getSession(false);

    // get the token from the session
    String token = (String) session.getAttribute(CSRFTOKEN_NAME);

    // write the component html to the response
    ResponseWriter responseWriter = context.getResponseWriter();
    responseWriter.startElement("input", null);
    responseWriter.writeAttribute("type", "hidden", null);
    responseWriter.writeAttribute("name", getClientId(context), "clientId");
    responseWriter.writeAttribute("value", token, "CSRFTOKEN_NAME");
    responseWriter.endElement("input");
}

Perfect. Now we have placed the token that was generated by the HttpSessionListener into the form. If you register your components in the custom-taglib.xml, you can use the new form within your pages as <cu:csrff>. Looking at the page source, you will see that the token has been placed.

<input type="hidden" name="j_idt7:j_idt7_CSRFToken" value="0c776040ff77d3af5acce4d4c59a51411eb960bd" />
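The registration in custom-taglib.xml mentioned above can be sketched as a Facelets taglib file like this (the namespace URI and component-type are illustrative; the component-type must match the one you register for CSRFForm in your faces-config.xml):

```xml
<facelet-taglib xmlns="http://java.sun.com/xml/ns/javaee">
    <namespace>http://eisele.net/custom</namespace>
    <tag>
        <tag-name>csrff</tag-name>
        <component>
            <component-type>net.eisele.CSRFForm</component-type>
        </component>
    </tag>
</facelet-taglib>
```

A page then declares xmlns:cu="http://eisele.net/custom" and uses <cu:csrff> where it would otherwise use <h:form>.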


... and checking the validity!
Fine. But what about checking the validity of the token? Spend a minute and add a decode() method to your CSRFTokenInput component.

@Override
public void decode(FacesContext context) {
    // get the client id of the component
    String clientId = getClientId(context);

    // access the hidden input field value
    // (don't use String.valueOf here: it would turn a missing
    // parameter into the literal string "null")
    ExternalContext external = context.getExternalContext();
    Map<String, String> requestMap = external.getRequestParameterMap();
    String value = requestMap.get(clientId);

    // access the session and get the token
    HttpSession session = (HttpSession) external.getSession(false);
    String token = (String) session.getAttribute(CSRFTOKEN_NAME);

    // check if the token exists
    if (value == null || "".equals(value)) {
        throw new RuntimeException("CSRFToken is missing!");
    }

    // check the values for equality
    if (!value.equalsIgnoreCase(token)) {
        throw new RuntimeException("CSRFToken does not match!");
    }
}

Done, finally. We have the token in place, we can check it, and this is done more or less transparently for the page designers. The only thing they have to take care of is the new form.

What's next?
It's quite drastic to throw a RuntimeException here. This is done to keep the example short. The JSF way of doing things would be to register and implement a converter that does the checks. But you probably know how to do this, so I'll skip this step here. Another part is also missing: you have to audit the attack and alert on it. But how to do this the right way in the context of your actual implementation is a post of its own. Thanks for reading!

UPDATE: 01.03.11
Some more research and reading input for the fellow readers:
JSF does currently have such a token (the javax.faces.ViewState), which is generated as a sequential token (easy to guess). A specification request to the EG was issued, implemented, and backed out. There is also some more example code for the "Synchronizer Token" pattern (avoiding double submits) with JSF, which will be targeted at JSF >= 2.1.

Thursday, February 24, 2011

Six reasons why you should revise your opinion about the Java universe in 2011


In a long line of widely spread discussions about "Six reasons why ..", we (Markus Eisele aka @myfear and Michael Hüttermann aka @huettermann) now offer the following contribution, named "Six reasons why you should revise your opinion about the Java universe in 2011". In the following, we'll discuss recent movements, but also misunderstandings and common discussions. Let us know what you think.

„I have 5 predictions“
CC BY 2.0 By Xurble
Almost every day you can read about some wise expert's predictions. That's great, isn't it? And so helpful! You just read it, and you know about the future. But why don't these people share their insights about the next raffle? Why don't they publish the future prices of shares? They just write about boring technical things and, even worse, they consider it to be of value for others. Why bother? Well, thinking about it, you may start with the question: what is an "expert"? Is it a tool vendor who has a prediction about how his prediction may help to increase sales? Or is it a person who gained some new insights or read about something that is totally new for him (but not for others)? Maybe these are good reasons to call such a prediction subjective, and perhaps also some good motivations for excellent, but absurd or trivial pro tips. A different option is that the prediction is just a "discovery", a description of the current status, or of the recent (or even past) movement. Interestingly enough, some predictions are so generic or trivially true that they are bound to come to pass. What about: "My five predictions why Hudson or Jenkins will be very successful".

„[Hudson|Jenkins] is the first choice!” (take the one you like most)
The popular continuous integration server "Hudson" was forked into two different tools, Hudson and Jenkins. Actually, in retrospect, it is not that important why the fork exists or who forked. What is more important is that the politics should stop soon. Please stop bashing the other side. Please do not describe again and again what happened, even though almost daily (and interesting) discussions and new views pop up. It may influence some other people when persons write yet again about their view of the history. But what really counts is the future. Both products started from the same (source) base. Now it is up to the key people and the community to further develop their individual products. On the one hand, we now have a product, Hudson, that is pushed by Oracle and Sonatype. On the other hand we have Jenkins, which is driven by the majority of the former Hudson (core) contributors. The bottom line is we now have two different products that will certainly find their individual paths. And time will tell.

„Certifications are nonsense”
From time to time I'm involved in discussions about certifications. Some of these discussions are driven by facts, others by plain emotions. I think it is pretty clear that certs cannot substitute for practical experience. But certs can check skills and knowledge, as well as help to train and to reach and foster standards. OK, you may ask what "knowledge" is. Is "knowledge" the qualification to be able to discuss the same topic with others, having a shared glossary and the same general understanding? Practical IT skills of course also comprise being able to transfer former decisions and solutions to new ones, in a different context. And it is all about experience. But certs can act as a handy direction sign that also tells about skills, as well as the ability and willingness to pass them on. You should always balance the importance of certs. Is a two-day seminar really more important than being a PhD? What about this closing thought: having a certification is probably not a disadvantage; it will not harm you. But solely relying on it won't be enough either.

„JavaFX 2.0 will be a revolution and bring Java back to the desktops”
Have you seen the Olympic Winter Games last year? Not a bit? Sorry, you are into programming, not sports. Great, then you probably have seen the great Medal Wheel application which was advertised a lot in the whole Java universe. It was written with JavaFX and it seemed like a step in the right direction. Until JavaOne. Oracle revealed their plans to redesign their 1.x branch into something worth wearing the 2.x version number. Some major changes will happen. Back to APIs and goodbye scripting. What was thought of as an Adobe Flash killer, to be used by web developers who know how to script things, is stepping back into plain old Java. What looks like a revolution is a great step back. Back to Swing-like programming. We have seen this before. Do you know any good reason why we should get back to Java on the desktop? Have you seen what's happening with web apps lately? HTML 5 seems to be the new Pandora's box that is being opened by more and more vendors. And it is everything JavaFX is not. It's widespread, it's well known to many developers, cross-device compatible, and it has everything you need to build great apps. Java on the desktop is and will stay dead.

„JCP is crap and should be completely abandoned”
The three letter acronym that had its most famous moments at the end of last year. Even if hardly any Java developer out there is a member, it's still thought of as a community process.
And all the many, many members (was it a number in the low 200s?) were so upset when Oracle decided not to change a bit about their Java standardization organisation. And that's what it is. The fairest thing would be to rename the JCP. Call it JSO. If you compare the roughly 9 million developers to the number of people in it ... it's simply an umbrella for the companies investing in Java and a few people trying to love it or change it. Those who couldn't stand it left the JCP. Sorry for that. It's probably the only place to actively work on the future of Java, within the boundaries of the actual steward. Does this sound familiar to you? That's how politics work. You can have great success with changes that are worthwhile to the party in power. But you have to play the opposition game if you're not. And so everybody has to decide on their own if this works for them. But we all know: it will not work without any organization.

„Oracles Community Culture is the best we can get”
"The Sun we knew is gone!". What a big sentence. And I love it. Six words to describe that something we got used to for long years is over. There were so many great people working at Sun. Talking passionately about their work. Blogging, speaking, writing, living what Sun was all about: innovation, openness. You never ever had the feeling of being outside of Sun, even if you were only working with their technology. It was the perfect idea of being in the middle of ongoing research and development. Every single user counted. You never actively heard a product manager talking about revenue or value add-ons. Everything was free. And making money was a part-time job. Compared to that, Oracle could be seen as the complete opposite. You always have spokespersons, product managers, vice presidents or other big names in everything. And safe harbor statements as the final straw. Even if you are actively involved with any of the open source products around, you can't fight the feeling that somebody else is driving, although you could swear you are holding the steering wheel in your hands. If you believe this is all we can hope for from a company like Oracle, you are wrong! Fact is, Oracle is the company you feel and see. But they are able to change. And they don't get tired of telling everybody that the Java community is the most valued asset they got with the Sun merger. There are some good guys out there that you can help. Look out for the OTN team, the ACEs, the Java Champions. They all love their technology. And they are willing to give Oracle a hard time while getting closer to their most valued asset.

Monday, February 21, 2011

Clustering Stateful Session Beans with GlassFish 3.1


Clustering will be the next big topic for the GlassFish 3.1 version. It's right ahead and you can already pick an RC4 build to experiment a bit. There are some screencasts for clustering the HTTPSession available. Arun Gupta did a great intro on GlassFish 3.1 clustering, high availability and centralized administration, so you can get a basic introduction to clustering, nodes, instances and domains. Up to today the documentation for all those features is still very limited. But this will change in the next few weeks. Here is what I did to get a Stateful Session Bean failover scenario working with two instances on one node.

Preparation
As always: Get your GlassFish 3.1 RC4 up and running. Create a cluster (e.g. demoCluster) and add two instances (instance1 and instance2). Now start your domain and cluster. Write a simple EJB (e.g. MySessionBean) and make it implement a remote interface (e.g. MySessionBeanRemote). My example has a simple String showInstance() business method which prints out the currently running instance:

Logger.getLogger(MySessionBean.class.getName())
        .log(Level.INFO, "Running on: {0}",
                System.getProperty("com.sun.aas.instanceName"));

Wrap your ejb-jar into an ear and deploy it. Make sure to check the "Availability" during deployment. This enables in-memory replication from one instance to the other.
Go and check if the EJB is registered with your instances:

%AS_INSTALL%/bin/asadmin list-jndi-entries demoCluster

You should see something like this:

node2:
java:global: com.sun.enterprise.naming.impl.TransientContext
[...]net.eisele.cluster.MySessionBeanRemote#
net.eisele.cluster.MySessionBeanRemote: javax.naming.Reference
[...]

node1:
java:global: com.sun.enterprise.naming.impl.TransientContext
[...]
net.eisele.cluster.MySessionBeanRemote#
net.eisele.cluster.MySessionBeanRemote: javax.naming.Reference
[...]

Up to now, this was hardly any problem. It's a simple EJB without anything else to tweak. Now let's go and write some clients.

Standalone Client
Coming from the old school, I am starting with a standalone client without any "magic". Create a Java project (e.g. StandaloneClient), add a Main class (StandaloneClient) and add %AS_INSTALL%/glassfish/lib/gf-client.jar as a dependency. Make sure to reference the remote interface (MySessionBeanRemote) somehow (classpath or by copying it to your project's source).

// get a simple no-argument-constructor InitialContext
InitialContext ic = new InitialContext();
// use the global JNDI name as lookup string
String lookup = "java:global/ClusterTestEar/ClusterTestEar-ejb/MySessionBean!net.eisele.cluster.MySessionBeanRemote";
// look up the JNDI name
MySessionBeanRemote myEjb = (MySessionBeanRemote) ic.lookup(lookup);
// call showInstance
myEjb.showInstance();

Everything straightforward. No magic here. Compared with most other application servers, it's unusual that you neither have to specify any InitialContext properties nor add any cluster magic to the lookup string. But how does the client know about my instances and ports? That's simple: you have to specify them as VM options:

-Dcom.sun.appserv.iiop.endpoints=
127.0.0.1:23701,127.0.0.1:23700
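As far as I can tell, the same endpoint list can also be set programmatically, as long as it happens before the first InitialContext is created (treat this as an assumption to verify in your environment; the GlassFish ORB reads the property on first use):

```java
public class EndpointSetup {

    public static void main(String[] args) {
        // must be set before the first InitialContext/lookup
        System.setProperty("com.sun.appserv.iiop.endpoints",
                "127.0.0.1:23701,127.0.0.1:23700");
        // ... continue with the InitialContext lookup shown above
    }
}
```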


Application Client Container
The youth is probably unhappy about the standalone client. They are used to some kind of injection and that fancy annotation stuff. OK, here we go. You are calling for the ACC. The easiest way of creating one is to let your IDE do it. NetBeans generates a great ACC project for you. It also has a main class and you can simply:

// inject your EJB ...
@EJB
private static MySessionBeanRemote myEjb;
[...]
// and use it
myEjb.showInstance();

Great. But here's the catch. NetBeans itself does not have any kind of cluster deployment support, but the ACC project was designed to be deployed. So, even if you don't need to deploy it, the "Run File" NetBeans command fails. You have to do this manually. The first part is to tell the ACC where to find the remote EJB.
If you are not going to write a Web Start based scenario (which is exactly what we are NOT going to do :)), you can simply take a copy of %AS_INSTALL%\domains\clusterdomain\config\sun-acc.xml and put it into your project's folder. You need to edit it to make it reflect your instances:

<target-server name="MYNODE" address="localhost" port="23701"/>
<target-server name="MYNODE" address="localhost" port="23700"/>
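For context, these target-server entries sit inside the client-container root element of sun-acc.xml. A minimal sketch (the server names and log level here are illustrative; keep the DOCTYPE from the copied file):

```xml
<client-container>
    <!-- one entry per instance the ACC can connect to -->
    <target-server name="instance1" address="localhost" port="23701"/>
    <target-server name="instance2" address="localhost" port="23700"/>
    <log-service level="WARNING"/>
</client-container>
```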

The %AS_INSTALL%\bin\appclient.bat/sh script is there to help you execute the ACC. Build a jar from your appclient project and run it:

appclient -client %YOUR_DIST_FOLDER%\ClusterAppClient.jar -xml %YOUR_DIST_FOLDER%\sun-acc.xml

Done. Now you have everything working. The new-school and the old-school way of accessing remote EJBs.

Clustering / Failover
Now let's test the failover capabilities. Add a second business method call to your clients and make the client pause between the two calls, either continuing automatically after a few seconds or on a key press.
Now let's start the client. It prints out which instance this client is connected to. Assume it tells you something like this:

Running on: instance1

Now switch over to your asadmin console and enter the stop-instance command to shut down the instance the client is connected to. In this case:

asadmin> stop-instance instance1

Once it is stopped, press a key or wait for the client to continue, and see that the second call is redirected to the second instance:
Running on: instance2

Failover works. Perfect :) Thanks to Oracle's Cheng and Tim for answering my questions during research!

Further Reading
Oracle GlassFish Server 3.0.1 Application Development Guide Chapter 11 Developing Java Clients
GlassFish Community EJB FAQ

Monday, February 14, 2011

High Performance JPA with GlassFish and Coherence - Part 2


In this second part of my four-part series I'll explain strategy number one of using Coherence with EclipseLink and GlassFish. It describes the steps you have to take to configure a JPA-backed cache with Coherence, and how you can use it from within GlassFish as a high performance data store.

General approach
You can use the Coherence API with caches backed by a database mapped through JPA. The grid accesses relational data through JPA CacheLoader and CacheStore implementations. In this "traditional" Coherence approach, TopLink Grid provides CacheLoader and CacheStore implementations that are optimized for EclipseLink JPA (EclipseLinkJPACacheLoader and EclipseLinkJPACacheStore), both contained in the toplink-grid.jar file. Going this way, you use the standard JPA run-time configuration file persistence.xml and the JPA mapping file orm.xml. The Coherence cache configuration file coherence-cache-config.xml must be specified to override the default Coherence settings and define the CacheStore caching scheme.

Details
The CacheLoader implementation redirects all read operations/queries directly to the database via EclipseLink. The CacheStore takes care of all write operations (insert, update, delete), which are executed against the database using EclipseLink. This solution is basically independent of GlassFish and its JPA provider. You simply use Coherence with its native API, and Coherence takes care of persisting the entities. This approach is referred to as "Traditional Coherence Configuration" in the documentation.

Preparation 
In order to get this and each of the following examples to work, we need to make some preparations. The first one is to get all the needed software. Get your copy of Java SE Development Kit 6u23, GlassFish 3.1 (part of NetBeans), MySQL Community Server (5.5.9), TopLink (11.1.1.4.0) and Coherence (3.6.1.0). Any IDE would work; I based all examples on NetBeans 7.0 Beta 2. You should start by installing the bits and pieces. Create an empty "coherence" db with MySQL. We will use this one for all examples. I will NOT guide you through this. I'll start with the relevant Coherence parts. This will be the configuration you need to follow the other parts of this series, too. So you'd better keep it ;)
Unzip your Coherence download to a suitable location (e.g. x:\Oracle\coherence\) and check the installation by setting up and running the sample cache server application. Change to the \bin folder and execute cache-server.cmd/sh. Prior to this, make sure that the JAVA_HOME variable is pointing to a valid JDK install. If everything went smoothly you get the message: "Started DefaultCacheServer...". One simple side note: Coherence is cluster-aware, which means it automatically tries to discover other running Coherence nodes in your subnet. If you are seeing any other output than "ActualMemberSet=MemberSet(Size=1," you should stop here and configure Coherence to run on your machine only. Great. All set. Let's go and execute the example client. Start coherence.cmd/sh and wait for the output "Map (?):". If you check back with the server console you will see something like this:
(thread=Cluster, member=1): Member 2 joined Service Management with senior member 1.
Play around with it and try the following commands, each confirmed with return: help, cache myCache, put message "hello", get message, size, list, bye. For further help please consult the tutorial.

Move it into practice
Start a new Java/Java Class Library project with NetBeans. Name it "GridEntityExample" (check the dedicated lib folder box). Add coherence.jar, toplink-grid.jar and mysql-connector-java-5.1.13-bin.jar to the lib folder and add them to the projects dependencies.
Add two new packages, entities and server (e.g. net.eisele.coherence.entities, net.eisele.coherence.server).
As we already have the cache-server example, it's easy to modify it to fit our needs. Add a new Entity Class (Employee) to the entities package. Change the primary key type to "int" and click Next. Select EclipseLink JPA 2.0 from the dropdown box. As the wizard will not let you finish without one, create a new Database Connection (jdbc:mysql://localhost:3306/coherence) and click Finish. Add two private Strings (firstName, lastName) and their getters and setters to the entity. Remove the @GeneratedValue from the id attribute (more on that later). Some tweaks in the persistence.xml finish up the configuration. Add the following:

<property name="eclipselink.ddl-generation" value="create-tables" />
<property name="eclipselink.ddl-generation.output-mode" value="database" />
<property name="eclipselink.jdbc.read-connections.min" value="1" />
<property name="eclipselink.jdbc.write-connections.min" value="1" />
<property name="eclipselink.jdbc.batch-writing" value="JDBC" />
<property name="eclipselink.logging.level" value="FINE" />
<property name="eclipselink.logging.thread" value="false" />
<property name="eclipselink.logging.session" value="false" />
<property name="eclipselink.logging.exceptions" value="false" />
<property name="eclipselink.logging.timestamp" value="false" />

Now we need a simple StartCacheServer class, which should reside in the server package. Give it a simple main method:

public static void main(String[] args) throws UnknownHostException {
    // Restrict Coherence to localhost
    System.setProperty("tangosol.coherence.wka", InetAddress.getLocalHost().getHostAddress());
    // Start the CacheServer
    DefaultCacheServer.main(new String[0]);
}

Now we have to configure Coherence. This is done via the coherence-cache-config.xml file. The complete file can be found in the tutorial. The key to success is the second init-param for the class-scheme. You have to reference the persistence unit from the persistence.xml there:

<init-param>
<param-type>java.lang.String</param-type>
<param-value>GridEntityExamplePU</param-value>
</init-param>
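
To put that init-param in context, here is a sketch of the surrounding cachestore-scheme, modeled on the TopLink Grid documentation. The scheme names and the fully qualified class name are assumptions on my side; check the complete file in the tutorial against it:

```xml
<distributed-scheme>
  <scheme-name>eclipselink-jpa-distributed</scheme-name>
  <service-name>EclipseLinkJPA</service-name>
  <backing-map-scheme>
    <read-write-backing-map-scheme>
      <internal-cache-scheme>
        <local-scheme/>
      </internal-cache-scheme>
      <cachestore-scheme>
        <class-scheme>
          <!-- Package prefix is an assumption; taken from the TopLink Grid docs -->
          <class-name>oracle.eclipselink.coherence.standalone.EclipseLinkJPACacheStore</class-name>
          <init-params>
            <!-- First param: the entity/cache name -->
            <init-param>
              <param-type>java.lang.String</param-type>
              <param-value>{cache-name}</param-value>
            </init-param>
            <!-- Second param: the persistence unit name from persistence.xml -->
            <init-param>
              <param-type>java.lang.String</param-type>
              <param-value>GridEntityExamplePU</param-value>
            </init-param>
          </init-params>
        </class-scheme>
      </cachestore-scheme>
    </read-write-backing-map-scheme>
  </backing-map-scheme>
  <autostart>true</autostart>
</distributed-scheme>
```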

Right-click StartCacheServer and run it. You should see the already known message: "Started DefaultCacheServer...".
Ok. Now we are going to insert our first employee into the database. Create a simple InsertExample class:

import java.net.InetAddress;
import java.net.UnknownHostException;
import com.tangosol.net.CacheFactory;
import com.tangosol.net.NamedCache;
import net.eisele.coherence.entities.Employee;

public class InsertExample {
    public static void main(String[] args) throws UnknownHostException {
        // Restrict Coherence to localhost
        System.setProperty("tangosol.coherence.wka", InetAddress.getLocalHost().getHostAddress());
        // Disable local storage; the independent CacheServer must already be running
        System.setProperty("tangosol.coherence.distributed.localstorage", "false");
        // Get the configured cache
        NamedCache cache = CacheFactory.getCache("Employee");
        // Create a new Employee
        Employee emp = new Employee();
        emp.setFirstName("Markus");
        emp.setLastName("Eisele");
        emp.setId(1);
        // Put the Employee into the cache; the key has to match the entity's id
        cache.put(1, emp);
    }
}


Run it and check your database to see whether the newly created Employee is there. It should be :)
Done. That's all. Ok, where exactly is the GlassFish part?

Using this approach with GlassFish
It's simple as hell. Create a new domain (let's call it coherence) and create a new web application (let's call it GridEntityWeb). Add the GridEntityExample project and the coherence.jar as dependencies. Now you have to configure the cache. This is done again via a coherence-cache-config.xml. Create one in WEB-INF/classes and make it reference the EclipseLinkJPA service-name.


<cache-config>
  <caching-scheme-mapping>
    <cache-mapping>
      <cache-name>*</cache-name>
      <scheme-name>distributed-eclipselink</scheme-name>
    </cache-mapping>
  </caching-scheme-mapping>

  <caching-schemes>
    <distributed-scheme>
      <scheme-name>distributed-eclipselink</scheme-name>
      <service-name>EclipseLinkJPA</service-name>
    </distributed-scheme>
  </caching-schemes>
</cache-config>


That's all. Make sure the StartCacheServer is running and fire up your GlassFish domain together with your application. If you simply copy the few lines from the InsertExample, you can quickly test whether everything is working. All that's left to do now is find a nice and clean way to integrate this into your application. Maybe you could come up with a generic Coherence CRUD service (probably based on Adam's proposal).

Drawbacks and thoughts
When using this approach, it is essential to configure the persistence unit so that no changes are made to entities when they are inserted or updated. Any changes made to entities by the JPA provider are not reflected in the Coherence cache, which means the entity in the cache would no longer match the database contents. In particular, entities should not use ID generation (for example, @GeneratedValue) to obtain an ID. That means that in order to insert an object into a Coherence cache, you need to provide its identity yourself, which also serves as the key.
The ID is typically the key under which the entity is stored in Coherence. Optimistic locking (for example, @Version) should not be used either, as it may lead to a database transaction commit failure.
So in general this is not a commonly used approach; it only fits special scenarios where you are fighting with large amounts of data.
But what exactly is the deal here? Let's see: if you run the configured example in a loop and insert 12,635 Employee objects, it takes roughly 13 minutes on my machine. That is what happens if you run Coherence in synchronous mode. But you can utilize a feature called "write-behind" to improve application response time by performing database updates asynchronously. If you add one single line to the CacheServer's coherence-cache-config.xml:

<write-delay>10s</write-delay>

the time needed to issue the inserts, from an application point of view, shrinks to 9 seconds! Of course, the running server still needs its time to process the updates asynchronously, but for the client this is the optimal behavior.
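
For reference, the write-delay element belongs inside the read-write-backing-map-scheme of the CacheServer's configuration. A sketch of where the line goes (the surrounding element names follow the Coherence cache configuration schema; the cachestore-scheme content is elided here):

```xml
<read-write-backing-map-scheme>
  <internal-cache-scheme>
    <local-scheme/>
  </internal-cache-scheme>
  <cachestore-scheme>
    <!-- the EclipseLink JPA CacheStore configured earlier -->
  </cachestore-scheme>
  <!-- Queue database writes and flush them asynchronously every 10 seconds -->
  <write-delay>10s</write-delay>
</read-write-backing-map-scheme>
```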

Enough for now. I will try to explain more and more concepts as I work my way through the examples. As you might have guessed, there is a lot to know when you work with caches. The next part will cover Coherence as an L2 cache for EclipseLink with GlassFish. Thanks for reading. Stay tuned.

Further Readings:
Using Coherence Caches Backed by TopLink Grid
Coherence 3.6 Tutorial
Synthetic Sequence Approach

Sunday, February 13, 2011

"I'm a great think tank, and here is why"?


Until today I never thought that anybody could or would write such a blog post. The last person would probably be me. But things and times change. Java Champion Michael Hüttermann said that he would love to read such a post and hopes to learn more about people who think of themselves as "think tanks". I made one slight change: I replaced the period at the end of the sentence with a question mark. The reason for that? Read on!

What is a Think Tank?
According to Wikipedia a
Think Tank is an organization that conducts research and engages in advocacy in areas such as social policy, political strategy, economy, science or technology issues, industrial or business policies, or military advice.
(Source: http://en.wikipedia.org/wiki/Think_tank)
Hey, that's a lot of stuff. Let's focus on the technology issues and stress the further definition a bit. The (not very good) Wikipedia article defines think tanks by their five main areas of work:
  • Seek [political] support for policies
  • Legitimize policies
  • Spaces of debate
  • Financial channels for [political parties] or [other] interest groups
  • Expert cadres of policy-makers [and politicians]

Where have you heard the word "Think Tank" last?
I personally don't know. I guess it was a co-worker telling me that I work for one. I was shaking my head and denied it. But looking at the points above, I can now guess at two areas of my life where I am probably a small part of one. And no: this is not about making people who work for one special in any way. I strongly believe that this is simply a job like any other.

Users Groups
I'm involved with the DOAG e.V. (German Oracle User Group), but it could be any other user group out there, whether Java, Oracle, or even SAP. They all develop policies for successful interaction between users and vendor. They try to legitimize what they have worked out for their users (e.g. licensing issues) and try to give space for debates and new thoughts (e.g. through JUG meetings or their own conferences). And they are most likely the place where the best of the best share their knowledge (e.g. JUG leaders and Java Champions or even ACE Directors) and help new believers get further with the technology. They also try to deliver community feedback back to the vendor. The one thing I am not sure about is the financial aspect. I guess this is the only part that will and should be left to the reader's interpretation. I simply don't know enough about it.

My Department
The co-worker was probably right, and I was wrong. I'm working for a department called "applied technology research". What we do is develop methodologies and policies for software development which support the company and our customers. We also try to legitimize them (even if that's not the core focus). We try to be open to new technologies and thoughts that don't fit into daily work and projects. And we have a little room (budget, workforce) for innovations and ideas. Last but not least, we are (sometimes) the place where new line managers or industry experts are born.

Could a single person be a "Think Tank"?
According to everything we learned from the article, it is obvious that a single person could not fulfill the requirements to be one. The list of examples of think tanks around the world makes clear that they are mostly involved with politics and that it is some kind of organisation that could be entitled as such. And even my two personal examples show that it's simply not possible to BE a "Think Tank". But you could be a proud part of one or even more. So ... let's finish with me being a proud member of a few "Think Tanks". And I am happy to share what I know.

Thanks for reading!

Friday, February 11, 2011

High performance JPA with GlassFish and Coherence - Part 1


Have you heard about Coherence before? Probably yes. It's one of those famous in-memory grid solutions promising awesomely fast data access and unlimited space for your frequently used data. Some of its well-known competitors are Infinispan, Memcached and Terracotta Ehcache. They are all great, and the worst part about Coherence is probably that it is NOT open source. This is the first part of a four-part series in which I briefly explain the usage of Coherence together with GlassFish. This one is intended to give you a brief overview of the possible scenarios. The following ones will go into more detail and describe the configuration with concrete examples.

Why Coherence?
But why did I choose Coherence over any of the others? I love working with GlassFish, and I was recently looking for a stable and easy integration with one of those in-memory grids for some data-intensive use cases. So the first place to look was the Oracle product stack, more or less driven by the idea that there had to be some kind of integration with EclipseLink, which is the JPA 2.0 RI shipped with GlassFish. Especially since JPA 2.0 introduced the new Cache API.
Initial research revealed a lack of information on that topic. None of the mentioned products has any plugin or other integration with EclipseLink up to now. Even though EclipseLink has something called the "cache interceptor" framework, which allows you to tie in 3rd-party cache systems really easily, I was looking for a (probably supported) out-of-the-box solution. So I ended up looking at Coherence. A little remark: I am not the right person to ask about licensing or costs. All I do is use Coherence according to the OTN License.

What is Coherence?
Oracle Coherence is an in-memory data grid solution. You can scale mission-critical applications by using Coherence to provide very fast access to frequently used data. By automatically and dynamically partitioning data in memory across multiple servers, Coherence enables continuous data availability and transactional integrity, even in the event of a server failure. It is a shared infrastructure that combines data locality with local processing power to perform real-time data analysis, in-memory grid computations, and parallel transaction and event processing.

Strategies for JPA on the grid
All of the in-memory data grid solutions have a very simple put/get API. You issue something like:

cache.put(key, object);
cache.get(key);


to store your objects in the cache or get them back from it. Coherence would be responsible for persisting everything to your database (probably using EclipseLink). From an application point of view this seems like a very straightforward API to use. Let's call it the "JPA backed Caches" approach. But it's only one of three possible scenarios. The second is the L2 cache approach for JPA, which basically means you simply implement your JPA-based application and plug in Coherence in a second step. The third is a combination of the first two and simply redirects all database operations to Coherence. All three have their strong points and, of course, drawbacks.


Products and Definitions
At this point it's best to look at the different products and names involved. The JPA 2.0 RI is EclipseLink, which is part of the commercial offering from Oracle called TopLink. All the Coherence integration is part of the TopLink Grid product, which also contains EclipseLink as the JPA implementation.

1) JPA backed Caches
You can use the Coherence API with caches backed by a database mapped through JPA. The grid accesses relational data through JPA CacheLoader and CacheStore implementations. In this "traditional" Coherence approach, TopLink Grid provides CacheLoader and CacheStore implementations that are optimized for EclipseLink JPA (EclipseLinkJPACacheLoader and EclipseLinkJPACacheStore), both contained in the toplink-grid.jar file. Going this way, you use the standard JPA run-time configuration file persistence.xml and the JPA mapping file orm.xml. The Coherence cache configuration file coherence-cache-config.xml must be specified to override the default Coherence settings and define the CacheStore caching scheme.
I'll dive into this example in the next blog post, which will be the second part of the series.

2) JPA L2 Cache 
The Grid Cache configuration uses Coherence as the JPA shared (L2) cache.
Primary key queries attempt to get entities first from Coherence and, if unsuccessful, will query the database, updating Coherence with query results. Non-primary key queries are executed against the database and the results checked against Coherence to avoid object construction costs for cached entities. Newly queried entities are put into Coherence. Write operations update the database and, if successfully committed, updated entities are put into Coherence.
I'll explain this strategy with the third part in the series.

3) JPA L2 Cache with a JPA backed Cache
The Grid Entity configuration should be used by applications that require fast access to large amounts of fairly stable data and that perform relatively few updates, in combination with Coherence as an L2 cache using write-behind to improve application response time by performing database updates asynchronously. Read operations get objects from the Coherence cache. Write operations put objects into the Coherence cache, and the configured L2 cache performs the write operations on the database.
I'll show you this example with the last part in the series.

Further Reading and Downloads:
Coherence 3.6
TopLink Grid 11g (11.1.1.3.0)
Toplinkgrid Examples (OTN login required)

Tuesday, February 8, 2011

GlassFish City - Another view onto your favorite application server


Have you ever wondered what GlassFish would look like? I mean ... not the well-known logo. Or even the non-existent Oracle GlassFish logo. More in terms of daily life. What would GlassFish look like if you transformed the source code into something that you "could" compare to dimensions you probably have a feeling for? I stumbled upon an awesome tool a few months ago. And, always being on the hunt to present new views of well-known things, I had the chance to run this analysis today. Get excited ...

GlassFish City
If you are into Enterprise Architecture and ever have heard about software landscapes, you probably know, what will follow. I used a tool called CodeCity to visualize the project. CodeCity is an integrated environment for software analysis, in which software systems are visualized as interactive, navigable 3D cities. The classes are represented as buildings in the city, while the packages are depicted as the districts in which the buildings reside.

GlassFish City from front
GlassFish City from back

EJB District

Apache District

Logging District

The facts
In order to use CodeCity, you first need to generate an MSE model. This is done with the help of inFusion. inFusion is an integrated environment for performing in-depth code and architectural reviews of object-oriented and procedural software systems written in C, Java or C++. inFusion supports the analysis, diagnosis and quality improvement of your systems at the architectural as well as at the code level. After parsing, you get some first basic facts for the GlassFish development trunk 3.1-b41 according to inFusion:
Lines of clean code: 445613
Packages: 1072
Classes: 10427
Methods: 69852
Attributes: 30885
Parameters: 62484
Local Var: 78937
Annotations: 149
Annotation References: 5515
Calls: 191858
Accesses: 154880
Exceptions: 27304
Primitive Types: 0

Basic interpretation
Class hierarchies tend to be shallow and of average width (i.e. inheritance trees tend to have only a few depth levels and base classes with several directly derived subclasses).
Classes tend to contain an average number of methods and are organized in rather fine-grained packages (i.e. few classes per package).
Methods tend to be average in length and have rather simple logic (i.e. few conditional branches); methods call several other methods from several other classes.
There are many other conclusions to draw and I simply presented the ones that got generated automatically. But the idea behind all this was simply to present an awesome picture and nothing more (for now :)).

What I learned
JRockit is awesome. The conversion from Java into the MSE model via inFusion took more than five minutes and consumed roughly 1.7 GB of heap. One of the basic steps is analyzing the files, which took 21 seconds with HotSpot and 18 seconds with JRockit. Not a huge difference, but a little faster. Beyond this, the whole calculation takes time. In total I was stuck calculating the final city model for more than 30 minutes.
Hope you enjoyed it! Happy to read about your thoughts!

Download Wallpaper 1440x900px
Wallpaper two. On Grey 1440x900px


Links and resources
Latest 3.1-b41 Source
CodeCity
Import Java System with inFusion
inFusion Trial

Further Background Reading

Saturday, February 5, 2011

DOAG e.V. Advisory Board Meeting - Review


Back home. Finally. It was stressful. Two days packed full of ideas, thoughts, sentiments, talks, presentations and working groups. Awesome. Thanks to everybody providing such great feedback. It's a pleasure seeing you all together once a year (even if that is far too seldom). I'm looking forward to contributing to the working groups during the year. The biggest deal for 2011 will be the new DOAG website, which was approved by the board, and I am looking forward to having it online around Q3/2011.

Official Group Picture | more information (in German)
The saddest part is that nobody had a real camera with them. So I have to stick to some very, very simple BlackBerry snapshots. Here they are:
Günther Stürner (VP, Oracle Germany)

Resort Schwielowsee, Impressions

Half the crowd and our big conference room.

Thursday, February 3, 2011

DOAG Advisory Board Meeting 2011 - Schwielowsee


Today the annual DOAG advisory board meeting starts. It's held near Schwielowsee (52°20′0″N 12°58′0″E), a municipality in the Potsdam-Mittelmark district in Brandenburg, Germany.
Roughly 60 participants are expected. I guess I'll post some impressions from the weekend as I get the chance. I am very much looking forward to meeting all those great guys again and working with them towards the future of the German Oracle Users Group (DOAG e.V.).

Wednesday, February 2, 2011

JavaDoc: The unloved child. A pragmatic approach.


Project documentation is an important but awkward thing to do. The same is true for JavaDoc: the special comments in Java source code that are delimited by /** ... */. This short post presents a very pragmatic approach to JavaDoc and outlines the general best practices for successful source code documentation.

Why you should care!
Look at the NetBeans screenshot on the right. This is the tooltip you get when trying to use the method. And now? What happens? Why? For what? How does this thing behave? Do you know what to do if you see a getInstance() method?
The second screenshot gives you a more detailed idea of what you can achieve by writing some JavaDoc comments. And it applies to nearly any situation. If you are writing any kind of Java program you should keep in mind that others probably want to use its public API or need to use your implementation. This is not only true for framework developers but for anybody working within a team, even if we are talking about component boundaries or utility classes. A class without documentation is trivial or worthless.

Hey: I am a programmer not a writer!
In theory, the general idea of commenting code sounds like a worthy one: Offer the reader detail, an explanation of what's going on. What could be more helpful than being helpful?
To make it short: I am not proposing to write too much beside the actual code. But that's exactly the problem. Besides the fact that there are a couple of JavaDoc tags you could use, it's also mostly up to you how much and what you write. The basic rule of thumb is:
Comments should say something code does not and cannot say.
(Source: 97 Things Every Programmer Should Know)
Does this help? Partly. This rule needs some interpretation. If you don't have source JARs at hand, you probably don't have any code at all to look at. So: the less open the source is, the more extensive the comments should be. The second idea here is to look at your stakeholders. Who is the intended reader of the documentation? I don't like the idea of talking about skills here. My favorite is to classify APIs by abstraction level. The higher the abstraction level, the more general and easily readable the texts should be. At a lower abstraction level, the texts can be more technical and probably less readable in terms of writing style. But it's always good to remember the reworked old adage as a rule to keep in mind:
If it was hard to write, it should be EASY to read!

Ok: Tell me, which are the important parts?
Now you know how and when to document your sources. What does this mean in practice?
If you refer to the Java SE 6 JavaDoc documentation, there are 19 tags you could use. Here are the usage guidelines I propose for your next project:

1) Introduce a class header with a single line of documentation (the "first sentence") and an @author tag at a minimum.
2) Add as much documentation as high up the hierarchy as possible. Use {@inheritDoc} down the hierarchy.
3) Document all public methods except getters and setters with at least a single line and add @throws and @return. Add @param only where the parameters are not obvious.
4) Use {@link} for internal references and @see to add references to external resources.
5) JavaDocs should get peer-reviewed, just like code.

Optional but possibly needed:
- Introduce a meaningful file comment if needed (e.g. OSS or company copyright). Skip it if not!
- If you are developing versioned APIs, make broad use of the @deprecated tag where applicable.
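
As a compact illustration of rules 1 through 3, here is a hypothetical class (the name, author, and pricing rule are all made up for the example):

```java
/**
 * Calculates shipping costs for an order (rule 1: one summary
 * sentence plus an author tag at a minimum).
 *
 * @author Jane Doe
 */
public class ShippingCalculator {

    /**
     * Returns the shipping cost in cents for the given weight
     * (rule 3: a single line plus @throws and @return; the
     * parameter is documented because its unit is not obvious).
     *
     * @param weightGrams the parcel weight in grams
     * @return the cost in cents, never negative
     * @throws IllegalArgumentException if weightGrams is negative
     */
    public int costFor(int weightGrams) {
        if (weightGrams < 0) {
            throw new IllegalArgumentException("weight must not be negative");
        }
        // Made-up rule: flat 490 cents up to 1 kg, plus 100 cents per started extra kilo
        return weightGrams <= 1000 ? 490 : 490 + ((weightGrams - 1000) / 1000 + 1) * 100;
    }

    public static void main(String[] args) {
        ShippingCalculator calc = new ShippingCalculator();
        System.out.println(calc.costFor(500));  // prints 490
        System.out.println(calc.costFor(2500)); // prints 690
    }
}
```

Compare the tooltip NetBeans renders for costFor with the one for an undocumented getInstance(): the difference is exactly what the two screenshots above show.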

That's all. Nothing more. Nothing less.
What are your best practices in projects? Let me know. Comments and other ideas are welcome!

Read more
JavaDoc Overview (Java SE 6)
How to Write Doc Comments for the Javadoc Tool
JavaDoc Tags
JLS Documentation Comments (first Edition)

Hey ... NetBeans 6.9.1 got some plugin updates tonight :)


It was like: WOW today ... Starting my IDE this morning was a big surprise. Having been used to Eclipse for some time, the regular update check was something I really missed with NetBeans. But it is mostly useless: first, there are not that many plugins around, and second, they don't update that often. What a big surprise to see the IDE telling me there actually IS something to update. Here we go:


Most of them are minor changes, and I was not able to get a list of changes for any of them. But hey, thanks for the update, NetBeans team :) Looking forward to the 7.0 final!