Tuesday, June 28, 2011

Kscope 11 - Day 3

What a day. It all started with a sweet breakfast in the sun right in front of the Long Beach Performing Arts Center, followed by a nice general session in which the KScope 12 location was announced. So. Nice. The bad part: I had to give the first two sessions of the day, starting at 11:15. So I was a little bit excited, and with the time coming closer I got nervous.
Speakers Fear ;)
Anyway, I think I did a good job in general and had the pleasure to do some introductory sessions about Java. The good part here was that the KScope team forced their speakers to send in the slides early, so I was well prepared. That's what I was hoping, at least. It turned out that there is always room for improvement and I had a lot of stuff to tell which was not on the slides, so ... anyway. Thanks to everybody for attending. I enjoyed it!
The rest of the day was all about finding out about other topics. I attended a couple of sessions and tried to learn from other speakers doing their job. It was my pleasure to meet Maiko Rocha and I had a great time chatting with him. He's also a very talented photographer (even if he is a Nikon addict; I'll forgive you!).
In general, conferences are good places to meet people. People you know personally, people you see once a year, people you write to every day via your social media stream. At conferences you have most of them at your fingertips and it's a pleasure spending time with them! And of course it's always a great pleasure to see all the ACEs and ACEDs around! I have missed you! Good to be back with all of you! Thanks OTN for bringing us here! Thanks KScope for the opportunity to speak in front of the audience!
The afternoon was a little boring. Everybody knew that there were some great panels and BoFs later on, and it was basically time to get some needed sleep or rest in general. Taking the cam, walking around and taking pictures was the only true option :) Again, I updated my flickr photoset, which has now grown to 95 pictures. I hope you enjoy it. Love to read your comments.

Update:
Here are the presentations:

Sunday, June 26, 2011

The GlassFish Tale - Oracle Scene

It happened. Today I finally got my personal, printed issue of the latest Oracle Scene (issue 44) from the Chairman herself ;) Why is this important to me? Ohh ... that's easy: I got another article of mine published there. It's the next in my unofficial series about the latest GlassFish 3.1 release.



Oracle Scene brings you case studies, news on technology, applications and business and management, as well as the latest UKOUG and Oracle updates, interesting blogs and useful top tips. Published three times a year this flagship publication for Oracle users can be viewed in both print and digital format. Oracle Scene is a UKOUG member benefit. You will therefore require your member login details to access copies of the magazine free of charge.
In this edition, we welcome our new Chairman and Deputy Chairman, Debra Lilley and Lisa Dobson respectively. We also hear about the forthcoming Volunteer’s Day and the Partner of the Year Awards ...
Read more here

Kscope 11 - Day 1 and 2

Kscope11, June 26-30 at the Long Beach Convention Center in Long Beach, CA, is ODTUG's annual conference bringing together the best Oracle minds in the industry. After a successful first year last year, I am attending this year, too. After a really long flight (roughly 12h) I safely arrived Friday evening and already had some time to walk around and get adjusted to the time zone. Today is the first conference day. Symposiums all over. I'm sitting right inside the FMW (Fusion Middleware) Symposium led by Chris and Debra. I am really looking forward to my two little sessions tomorrow. I'm excited to see how I do the job presenting in English. Even if this isn't my first time, it's always a challenge to stand.
If you are interested in some more impressions from the conference, follow my twitter stream or look at the KScope'11 photoset on flickr (from which the mosaics below are taken) or even follow the official Kscope social accounts.


Monday, June 20, 2011

Devoxx - some more data analysis about speakers

You might have seen my earlier post about the W-JAX and its speakers. I received some feedback from people interested in comparing the results to other conferences. I thought about that and found it reasonable to do. Here we go. Next on the list is Devoxx (formerly JavaPolis). Again, this was compiled from the sources available (compare the links at the end of the post). I asked Stephan for some more information, but I guess he is too busy organizing the 2011 event. So I would be happy to receive any corrections or additions.
Btw: the 2011 CfP is still open. At the time of posting: less than 9 days 15:48:21 left.

General Information
Devoxx is "The Java™ Community Conference". Rebranded from the former JavaPolis, it's basically the conference of the Belgian JUG. With its no. 1 speakers and topics it has become one of the main Java conferences around. The Devoxx conference is a special blend of many IT disciplines, ranging from Java to Scripting, FX to RIA, Agile to Enterprise, Security to Cloud and much more.

General Speaker Distribution
Let's start with a look at the general distribution of the speakers.
Speakers per year
The first one after the rebranding from JavaPolis was the one with the most speakers overall. 2009 was reduced to the numbers of a very early W-JAX, with 2010 being back to the hundred. It's most likely that the 2011 Devoxx will be around these numbers again.


Top 13 - always on
In this case we do not have a simple top 10 but a top 13 list of speakers attending every Devoxx since 2008. The 2011 speakers have not been announced yet, so I don't know if this list will be smaller after that.

Guillaume Laforge
Richard Bair
Kirk Pepperdine
Bill Venners
Alexis Moussine-Pouchkine
Brian Goetz
Jasper Potts
Carl Quinn
Mark Reinhold
Chet Haase
Virgil Dodson
Dan Allen
Dick Wall

Speaking at W-JAX and Devoxx
There are a couple of speakers who can be seen at both. At least for 2010 I did look at them and found the following ones:

Stefan Tilkov
Dan Allen
Viktor Klang
Christian Dupuis
Adam Bien


Frequent speaker distribution
Ok, now let's look at the general distribution between first-timers, frequent and top speakers.
Breakdown by years.

Compared with the W-JAX this is a very low fraction of returning speakers and also a lower fraction of two-timers.

Nearly 70% one-timers
Nearly 70% one-timers and only 13% top speakers attending every conference since 2008 makes a great mix.
Complete speaker distribution 2008-2010

Conclusion
Woohhoow. I did expect similar results as for the W-JAX, but I must say that you see far more "fresh blood" at Devoxx. And there is one thing the numbers don't tell you: the speakers are excellent and well known. Even the ones speaking at one conference only.

Links
Devoxx 2008 Speakers
Devoxx 2009 Speakers
Devoxx 2010 Speakers

Thursday, June 16, 2011

W-JAX - some data analysis about speakers.

Conferences are casting their shadows these days. DOAG, Devoxx, JavaOne and finally the German W-JAX announced their first speakers for 2011. Looking through the list, I was wondering if my first impression is true: are those really the same guys over and over every year? I googled around a bit and did some data analysis on the speakers (publicly available information only). I decided to include data from 2006 onward, because this was the year I first had the pleasure to attend. Hope you like it. Disclaimer: I did some copy and paste and spreadsheet work for the numbers. They are not official. So if you find any mistakes, I would be happy to correct them.

General Information
The W-JAX is the conference for holistic technical know-how in the enterprise and web environment. Here Europe's leading experts come together to share their knowledge and experience with the attendees. Due to its unique mix of topics the W-JAX gives key impulses to the Java Enterprise Community, every year again.
A total of 550 speakers attended from 2006 to 2010. For 2011 the speaker number is not completely known, because they release the information bit by bit. At the moment I count 39. The data sources for the following analysis are the speaker websites listed below.

General Distribution
As you can see, the 2009 W-JAX was the one with the most speakers (140). I don't know the number of attendees, but I guess it was the biggest one overall. It seems as if the number has been decreasing since 2010. I wouldn't be surprised to see this year's number lower than the 2010 number.
Speaker per year. 2011 still preliminary.

Top 10 - always on
I was wondering if my feeling of seeing the same faces over and over again was true. In fact this list is really short. Only 10 of them attended every W-JAX since then. Taking into account that the final list for 2011 isn't there yet, we still have some followers who could still make it.

All-time speakers
Adam Bien
Arno Haase
Bernd Kolb
Dierk König
Eberhard Wolff
Kai Tödter
Michael Plöd
Peter Roßbach
Stefan Tilkov
Torsten Winterberg

Still possible but missing 2011 announcement as of today
Bruce Sams
Jutta Eckstein
Mike Wiesner
Papick Garcia Taboada

More than three
If you still have the feeling that you always see the same faces, here is another breakdown. There are roughly 25% old hands, nearly 50% first-timers and always some more experienced two- or three-timers in between.

Breakdown by years

Many speakers come only once
If you aggregate this to the total numbers, you get a better impression of the mix. With 248 speakers who attended only one W-JAX, this seems to be a good mix in general.
Complete distribution 2006-2011

Conclusion
I did expect to see different results. With a total of 25% frequently returning speakers you can't say that you see the same faces over and over again. What is true is that they are the ones being announced early and catch your attention quite frequently because they are marketing material :) But as usual ... there is more behind it.

Links
W-JAX 2006 Speaker Listing
W-JAX 2007 Speaker Listing
W-JAX 2008 Speaker Listing
W-JAX 2009 Speaker Listing
W-JAX 2010 Speaker Listing
W-JAX 2011 Speaker Listing

Wednesday, June 15, 2011

Dynamically registering WebFilter with Java EE 6

Yeah. Security. I'm starting to love this stuff. I have a nice little application running with Java EE 6. And if you have been following my posts lately, you know that it has a few more security requirements than usual, and therefore we definitely have some custom filter logic in place. The javax.servlet.Filter is a great place to start if you are looking for a way to implement cross-cutting concerns.
Filters perform filtering in the doFilter method. Every Filter has access to a FilterConfig object from which it can obtain its initialization parameters, and a reference to the ServletContext which it can use, for example, to load resources needed for filtering tasks.
Besides logging and auditing, compression and conversion, this is also a suitable place for security-related logic.
Beginning with Java EE 6 the implementation is straightforward and easy.
Add a @WebFilter annotation to your implementation class and you are done:

@WebFilter(dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD},
           urlPatterns = {"/something/*"})
public class SecurityFilter implements Filter {
    ...
}


Problem
But: what to do if you are running different environments and you have some very heavy filter logic in place which in fact depends on other infrastructure components placing header variables or other stuff into the request before processing? You have to disable them in development and enable them in production or integration testing.
Building for different environments basically is not a big issue, but you end up commenting the @WebFilter annotation in and out. That ...cks.

Solution: Dynamically register your WebFilter
But hey, the Servlet 3.0 API is here, and you are able to register your components dynamically. A good place to register filters is a ServletContextListener. And you don't even have to forgo your beloved annotations. Let's start with the basics.

@WebListener
public class FilterStartupListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ...
    }
}

Next is to find a way to figure out if you are running in production mode or not. You could think about using a system property or even reading the projectStage property from your JSF implementation. Whatever you choose, the magic happens here:

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        if (Util.isProduction()) {
            // running in production mode: register the filter with the
            // ServletContext, the programmatic twin of the @WebFilter annotation
            FilterRegistration fr = ctx.addFilter("SecurityFilter", SecurityFilter.class);
            fr.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD),
                    true, "/something/*");
        }
    }

That's it. It does all the magic for you, and you no longer have to care about the annotation. Depending on the property of your choice, your filters get registered dynamically or not.
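A complete version of the listener described above, as an added example rather than the post's own code: it replaces the Util.isProduction() placeholder with a check that reads an assumed system property (app.mode) and falls back to the JSF javax.faces.PROJECT_STAGE context parameter, the two options the post mentions. SecurityFilter is assumed to be the filter class shown above.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Registers SecurityFilter programmatically, and only in production mode.
// @WebListener makes the container call contextInitialized() at startup,
// which is where Servlet 3.0 permits addFilter() to be called.
@WebListener
public class FilterStartupListener implements ServletContextListener {

    // Hypothetical system property: start the JVM with -Dapp.mode=production
    static final String MODE_PROPERTY = "app.mode";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        if (!isProduction(ctx)) {
            ctx.log("Not in production mode, SecurityFilter stays disabled");
            return;
        }
        // Programmatic twin of the @WebFilter annotation on SecurityFilter
        FilterRegistration.Dynamic fr =
                ctx.addFilter("SecurityFilter", SecurityFilter.class);
        if (fr == null) {
            // addFilter() returns null when that filter name is already taken
            ctx.log("SecurityFilter already registered, nothing to do");
            return;
        }
        fr.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD),
                true,           // run after filters declared in web.xml
                "/something/*");
        ctx.log("Production mode: SecurityFilter mapped to /something/*");
    }

    // A system property wins; otherwise fall back to the JSF project stage
    // declared as a context parameter (JSF treats a missing value as Production).
    static boolean isProduction(ServletContext ctx) {
        String mode = System.getProperty(MODE_PROPERTY);
        if (mode != null) {
            return "production".equalsIgnoreCase(mode);
        }
        String stage = ctx.getInitParameter("javax.faces.PROJECT_STAGE");
        return stage == null || "Production".equalsIgnoreCase(stage);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release; the container disposes of the filter instance
    }
}
```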

Monday, June 6, 2011

Binding SSL-Sessions to HttpSessions in GlassFish

You might have noticed that I am working my way through the security principles regarding secure web applications at the moment. The main idea is to enable GlassFish to deliver highly secure applications. One of the things making my brain hurt a bit is the session hijacking attack. It consists of the exploitation of the HTTP session control mechanism, which is normally managed with a session token.
In our case that is the JSESSIONID. The session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the applications running on your GlassFish.
There are different types of possible attacks. See the OWASP page about that for details. If you are going to address this topic you have different options from an implementation perspective. This is what I am going to describe in this blog post.

SSL is your friend
The basic requirement for session hijack prevention is to use HTTPS for your applications. This primarily ensures that it is not easy to sniff the session out of the HTTP stream, and it prevents simple man-in-the-middle attacks. Running in very highly secure environments requires installing SSL certificates on your GlassFish and running all http-listeners in secure mode.

Where to put and how to configure the JSESSIONID?
Before you start with further reading, you should be aware that the whole topic is about the Servlet spec and about containers. The spec itself requires the session tracking cookie to be most convenient for any user and defines many ways of storing and transmitting it. This is behavior that is undesired in highly secure environments. So the first thing is to restrict the session tracking cookie to the minimum needed.

<session-config>
    <!-- Specifies the general session timeout in minutes -->
    <session-timeout>15</session-timeout>
    <cookie-config>
        <!--
        Specifies whether any session tracking cookies created
        by this web application will be marked as HttpOnly
        -->
        <http-only>true</http-only>
        <!--
        Specifies whether any session tracking cookies created
        by this web application will be marked as secure
        -->
        <secure>true</secure>
    </cookie-config>
    <!-- Specifies whether JSESSIONID is added to the URL -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

What is also true is that the spec would allow for "secure" HttpSession identifiers. In section 7.1.2 it states that:
"Secure Sockets Layer, the encryption technology used in the HTTPS protocol, has a built-in mechanism allowing multiple requests from a client to be unambiguously identified as being part of a session. A servlet container can easily use this data to define a session."
To my knowledge GlassFish does not implement this feature up to now. So you have to work around this. Let's go:

HttpSession ID and SSL Session ID
Even if you are running SSL with the strongest certificates available, don't use URL rewriting and have httpOnly and secure enabled, nothing protects you against man-in-the-browser attacks or client-side attacks. So there are still some possibilities to gather the session ID and use it from a different computer. If you are willing to implement some protection here, you need some additional logic in your application which binds the SSL ID to your HttpSession ID.

SessionIdValve
The most obvious thing is to simply make both of them equal. The basic idea here is to take the SSL session ID from the request and implement your own SessionIdValve which instantiates a HttpSession with that ID. Jan Luehe has a basic example of how to achieve this with GlassFish v2 on his blog. The only thing to do is to not take the client IP but coyoReq.getAttribute("javax.servlet.request.ssl_session") and put it back into the request as the HttpSession ID (see this forum discussion for more details). To be honest, I was not able to get this working with GlassFish 3 (see here). Don't worry: I don't like this solution anyway because it's simply not portable enough. You tie your logic very closely to the container you run in, so you should avoid this approach in general.

Session Attributes
What I like a bit more is to use something like a HijackingPreventionFilter. This could be a simple @WebFilter that is mapped to any resource that should be protected:

@WebFilter(dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD,
                              DispatcherType.INCLUDE, DispatcherType.ERROR},
           urlPatterns = {"/*"})

On the first request it checks for an existing session and either does

chain.doFilter(request, response);

or checks some session attributes against the information in the actual request. The only prerequisite here is that you have something in place to add the initial information to your newly created session. There are some places you could come up with. The best would probably be your login. For security reasons you should always _renew_ the HttpSession after a successful login. Afterwards you can assume that the request is from the client authenticating against your system. Just get the SSL session ID and set it as a HttpSession attribute there:

// ask for the key size first so the web container fetches all SSL attributes
String cidSize = (String) request.getAttribute("javax.servlet.request.key_size");
String cid = (String) request.getAttribute("javax.servlet.request.ssl_session");
...
// bind the SSL session id to the (freshly renewed) HttpSession
session.setAttribute("CLIENT_SSL_ID", cid);

You noticed the cidSize attribute? The javax.servlet.request.ssl_session is not an officially supported servlet attribute. Grizzly sets it when the web container asks it to set ALL SSL attributes. So when you just ask for "javax.servlet.request.ssl_session", the web container doesn't recognize it as a known SSL attribute and nothing happens (null), but when you first ask for the key size, that one is recognized by the web container and it asks Grizzly to set all known SSL attributes, including the ssl_session.
Another good place could be an HttpSession listener. The big problem here still is that you are programming against container features, which prevents your application from being portable.

Custom HTTP Header variables
What really resolves the mess is if you have any networking device or proxy in front of your GlassFish that simply puts the SSL session ID into a custom header variable on your request. In this case you don't even have to care for it yourself; you simply change the code in your web filter to check your request headers.

String cid = httpRequest.getHeader("HEADER_CLIENT_SSL_ID");

The only drawback here is that you basically lose the chance to run it locally without the proxy. So you need to put a startup class in place which adds your filter to the configuration if you are in production mode.
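As an added example (not the post's own code), a complete HijackingPreventionFilter that combines the "Session Attributes" and "Custom HTTP Header variables" variants above: it prefers the proxy header and falls back to the GlassFish request attributes, triggering key_size first as the post explains. The attribute name CLIENT_SSL_ID and header name HEADER_CLIENT_SSL_ID are taken from the post; bindAfterLogin() is an assumed helper your login code would call after successful authentication.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Rejects any request whose SSL session id differs from the one that was
// bound to the HttpSession at login time (see bindAfterLogin below).
@WebFilter(dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD,
        DispatcherType.INCLUDE, DispatcherType.ERROR}, urlPatterns = {"/*"})
public class HijackingPreventionFilter implements Filter {

    static final String SESSION_ATTR = "CLIENT_SSL_ID";       // from the post
    static final String HEADER_NAME = "HEADER_CLIENT_SSL_ID"; // set by a proxy

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);
        // No session, or a session nobody has logged into yet: nothing to compare.
        String bound = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        if (bound == null) {
            chain.doFilter(request, response);
            return;
        }
        String current = currentSslId(req);
        if (!bound.equals(current)) {
            // Valid cookie arriving over a different SSL session (or none at all):
            // treat the JSESSIONID as stolen, drop the session and refuse.
            req.getServletContext().log("SSL session mismatch for session "
                    + session.getId() + ", invalidating");
            session.invalidate();
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // Prefers the header a fronting proxy sets; falls back to the GlassFish
    // request attributes when the application is reached directly.
    static String currentSslId(HttpServletRequest req) {
        String fromProxy = req.getHeader(HEADER_NAME);
        if (fromProxy != null) {
            return fromProxy;
        }
        // Asking for key_size first makes the web container fetch ALL SSL
        // attributes from Grizzly, ssl_session included (see the post).
        req.getAttribute("javax.servlet.request.key_size");
        return (String) req.getAttribute("javax.servlet.request.ssl_session");
    }

    // Assumed helper for your login code: renew the session after successful
    // authentication and bind the current SSL session id to the fresh one.
    static HttpSession bindAfterLogin(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(SESSION_ATTR, currentSslId(req));
        return fresh;
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Without the proxy or SSL the fallback yields null and every logged-in request is refused, which is exactly why the post registers such a filter only in production mode.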

Conclusion: Security is painful
The higher your security requirements are, the more painful your development gets. That's the basic message. You don't have a single switch to turn on to secure your application, but you have a lot of screws to tighten to get everything right. This post only shows a little bit of the complete story. What I would like to see is the Servlet EG taking some action to define more basic security in the spec.
What's also true is that nobody should run a highly secure GlassFish without any kind of Enterprise Access Management (EAM) solution in place. Those typically address the described issues with their own plugins and tokens. Anyway, there are still some smaller installations out there suffering from the very limited capabilities of today's Java EE servers.
Comments and suggestions? I would love to read them!

Thursday, June 2, 2011

Review: "Real World Java EE Night Hacks - Dissecting the Business Tier" by Adam Bien

In a very irregular series I do some book reviews here. One paperback found its way to my post box a few weeks ago already. And it was the one I was most curious about this year. Adam told me he was going to write something during last year's flight back from OOW/JavaOne. And since we have known each other roughly since 2005, it feels like I have been following his way through mutual customers and the Java community for ages.
Reading his first self-published book "Real World Java EE Patterns Rethinking Best Practices" was somehow an unexpected eye-opener. After Sun stopped the blueprint team and their work around Java EE patterns and best practices never got updated the way it should have been, Adam positioned himself as a worthy successor. Knowing about him writing a complete end-to-end Java EE example was exciting. Here is my honest review of the long-awaited masterpiece.
Real World Java EE Night Hacks walks through best practices and patterns used to create a real world application called "X-ray." This is a high-performance blog statistics application add-on for Apache Roller which is built with nothing but "vanilla" Java EE 6, covering the JAX-RS, EJB 3.1, JPA 2, and CDI 1.0 APIs. Adam managed to force (I guess you paid him a beer, right? ;) ) James Gosling, the Father of Java, to write a very nice foreword for him.

Book: Real World Java EE Night Hacks - Dissecting the Business Tier
Language: English
Paperback: 167 pages
Release Date: April 2011
Publisher: press.adam-bien.com; First Iteration edition (2011)
ISBN-10: 1447672313
ISBN-13: 978-1447672319

About the author
Independent consultant and author Adam Bien (http://blog.adam-bien.com) is an Expert Group member for the Java EE 6/7, EJB 3.x, JAX-RS, JMS, and JPA 2.x JSRs. He has worked with Java technology since JDK 1.0 and with Servlets/EJB 1.0, and currently he works as an independent architect and developer on Java SE, Java EE, and JavaFX projects. Adam has edited several books about JavaFX, J2EE, and Java EE. Adam is also a Java Champion, Oracle ACE Director and JavaOne 2009 Rock Star.

The content
Just five pages after you open the book you have to jump in. Chapters one and two set the stage and introduce you to the problem domain. This is all about the missing detailed statistics in Apache Roller, which is the blogging software powering Adam's blog. The actual performance probe is developed in chapter 3, followed by the REST services needed for X-Ray in chapter 4 and the needed client in chapter 5. Chapter six offers some solutions to the overall development process (covering Hudson, Maven, etc.). Chapter 7 talks about testing with Java EE 6 and also briefly covers Arquillian. The final chapter eight covers some architectural thoughts about patterns and components.

Writing and style
Adam's writing is clear and easy to read, even for non-native speakers. The code samples are very extensive and you can follow every important point in seconds. There is not a single point I am unhappy about.

My expectations
High. Probably still an understatement. That's potentially one of the reasons I somehow was a little bit disappointed reading through it. The list of technologies it has on the cover is _impressive_ and I would kill to read a book telling an end-to-end story about it. I should have started wondering when looking at the total of 167 pages. The aim of the book is obviously NOT to teach you how to use any of the technologies listed on the cover, but you can still learn about them. This makes the book a good starting point. But don't think you will get to the end without doing further research on your own.

Conclusion and recommendation
If you are one of those guys working your way through state-of-the-art Java EE projects: Go! Get it! It's probably the only book besides its predecessor able to provide in-depth insights and real-life value to your projects. If you are a beginner: Go! Get it! But keep in mind that you probably will need many more books before you can follow what Adam has written. It's not a reference text, but it's a source of inspiration.