Tuesday, July 31, 2012

The Heroes of Java: Bauke Scholtz

The "Heroes of Java" series continues. Interview 17 came a long way from the tropical island of Curaçao. Bauke took the time to answer my questions and I am happy to have him joining the series!

Bauke Scholtz
is more commonly known under his nickname "BalusC". He has nearly 12k answers on stackoverflow.com and makes quite impressive contributions to the JSF community whenever possible. Born and raised in the Netherlands, he migrated to Curaçao in 2007. He is the prototype of the "Web Application Specialist" I love to work with: highly engaged, committed to his technology and giving back to the community!

General part
Who are you?
I am a deaf Java EE web developer who lives on the tropical island of Curaçao. I have been working for almost 2 years as a freelancer for the affiliate marketing network zanox-M4N. Under my nickname "BalusC" I am also pretty well known in the JSF world thanks to my Java EE / JSF blog at balusc.blogspot.com, my answers at stackoverflow.com and, since recently, also the JSF utility library OmniFaces.

Your official job title at your company?
The current contract just generically states "Software developer" along with the detail "Programming in Java EE in the M4N software system". I am mainly the web/UI guy of the M4N development team and I am mostly involved in Java EE "web profile" (read: JSF) and/or HTML/CSS/JS matters which are complex and/or need to be solved quickly.

Do you care about it?
I don't care about job titles in general.

Do you speak foreign languages? Which ones?
Yes, although "speaking" has a different meaning to me. I am deaf born in the Netherlands and raised with Dutch Sign Language as native tongue. I can read and write Dutch and English pretty fluently (Dutch better than English). I can read and write German and Papiamentu sufficiently. I can read/guess Spanish and Portuguese somewhat as Papiamentu is derived from them. I can speak phonetic languages like Dutch, German and Papiamentu somewhat understandable, but I cannot speak non-phonetic languages like English, at least not understandable enough (I don't hear myself speaking, so it's hard to correct myself, let alone based on how someone else is trying to correct me), so I tend to restrict to reading/writing in those languages.

How long is your daily "bootstrap" process? (Coffee, news, email)
It depends. It can be only 1 minute, but it can also take up to 2 hours. I work at home, so after waking up I can easily go straight from bed to the computer and immediately start with my job. I drink at least 2 cups of Nespresso coffee daily, sometimes more, depending on how much I need to code. I am not really a news reader, I mostly learn new things from reading/answering stackoverflow.com questions. Email is mostly just job related. Very occasionally, especially if I need to clear my mind before starting my job for some reason, I maintain the garden first (which is a little 500 m²).

Twitter
You have a twitter handle? Why?
No, because I don't care about it. I however noticed that someone hijacked my nickname "balusc" on Twitter some time ago, but that's definitely not me. I do however have a Facebook profile where I usually only add people who I also really know in real life and I ignore others. I have also a Google+ profile where everyone can put me in a circle, but I use it rarely. I am not exactly socially inclined anyway.

Work
What's your daily development setup? (OS/IDE/VC/other Tools)
Windows 7 x64, Eclipse for Java EE, Mercurial and Git, PostgreSQL and MySQL, Trac and JIRA.

Which is the tool providing most productivity to your work?
JRebel plugin in Eclipse.

Your preferred way of interacting with co-workers?
Chat and/or email. There are basically no other ways as I work alone at home and my colleagues are in the Netherlands and other parts of the world (Germany, India, China, etc).

What's your favorite way of managing your todo's?
Issue tickets (Trac, JIRA, etc).

If you could make a wish for a job at your favorite company: What would that be?
It really doesn't matter as long as I can just telecommute from home and can participate in a team of great software developers and get paid well enough for challenging Java EE / JSF related projects.

Java
You're programming in Java. Why?
Actually, it wasn't my choice, it was IBM's choice. I was initially a REXX developer with some PHP experiences and around 2003 IBM decided to switch to Java in our department, so everyone got courses on that. As of now, I'm very happy to have learnt Java at IBM, it's after all a brilliant software platform, certainly since the open-sourcing.

What's least fun with Java?
I think the learning curve should not be underestimated, certainly not if you were initially familiar with procedural languages like REXX and PHP. The SCJP is a great course, but it doesn't cover "best practices". I was in the beginning almost constantly looking for "best practices" and they are hard to find for Java in general, also for Java EE. You'd definitely need to build some years of solid experience first. My blog was initially also more or less a kind of collection of those "best practices" which I found, so that I can spread the knowledge into the world wide web (which was also greatly appreciated, after all).

If you could change one thing with Java, what would that be?
Support for lambda expressions (closures) in Java, but that's already planned for Java 8. No other thing comes to mind, Java as a language is in general just fine to me, although I sometimes rant at Generics in case of complex polymorphism situations where Generics is also involved.

What's your personal favorite in dynamic languages?
As far as my experience with dynamic languages reaches, that'll be JavaScript. I also work almost daily with it anyway. I am also familiar with PHP, but I don't like it. I have been through a basic tutorial of Ruby and Groovy, but for some reason they didn't really attract me enough to continue with them. The only thing which was really interesting in those languages was closures.

Which programming technique has moved you forwards most and why?
DRY and KISS, because they force you to properly separate the concerns, which is pretty important in object oriented programming.

What was the biggest project you've ever worked on?
As to existing projects, that'll be at IBM; the employee database at IBM and the whole J2EE web application on top of it for Human Resources which I partially worked on between 2004 and 2005 was really _huge_. As to new projects, that'll be at Vicksburg; between 2006 and 2008 we spent over 2 years on developing new web sites and web services for RDC (rdc.nl) in J2EE/JSF/JAX-RPC. That was also my first encounter with JSF and I became really quickly a JSF expert in the team and I continued polishing my JSF skills on a daily basis until the day of today.

Which was the worst programming mistake you did?
I honestly can't think of any serious one when it comes to Java, they are usually not that major and don't reach production stage at all. Like every other starter in Java I have during my early Java years of course made some conceptual mistakes, like declaring a SimpleDateFormat as a static variable without realizing that it's inherently not threadsafe at all, but I wouldn't consider any of them being "the worst mistake". When it comes to other languages, then it'll definitely be the fact that I have learned about SQL database normalization too late and the hard way. After all, this is to be blamed on those poor quality PHP tutorials found on the Internet. Fortunately it was "just" a hobby project.

Monday, July 30, 2012

GlassFish JDBC Security with Salted Passwords on MySQL

One of the most successful posts on this blog is my post about setting up a JDBC Security Realm with form based authentication on GlassFish. Some comments on this post made me realize that there is more to do to actually make this as secure as it should be.

Security out of the box
Picture: TheKenChan (CC BY-NC 2.0)
GlassFish comes with a JDBC Realm out of the box. All you have to do is initialize a database and get the security configuration right, and you are done. Among the standard configuration options you can define a digest-algorithm (including encoding and charset). The digest-algorithm can be any MessageDigest the JDK supports (MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512). See my JDBC Security Realm post for a complete setup.

What is weak or missing?
The out of the box solution takes a very trivial route: it simply hashes the password. A plain, unsalted hash made with a fast digest can be recovered very quickly, and there are several ways to do it.
- Guessing: the simplest way to crack a hash is to guess the password, hash each guess, and check whether the guess's hash equals the hash being cracked. If the hashes are equal, the guess is the password. The two most common ways of generating guesses are dictionary attacks and brute-force attacks.
- Lookup tables: an effective method for cracking many hashes of the same type very quickly. The general idea is to pre-compute the hashes of every password in a dictionary and store them, together with the corresponding password, in a lookup table data structure.
- Reverse lookup tables: the attacker indexes the leaked hashes by hash value and then runs a dictionary or brute-force attack against all of them at the same time, without having to pre-compute a lookup table first.
- Rainbow tables: like lookup tables, except that they sacrifice hash cracking speed to make the tables much smaller.
And because every user who picked the same password ends up with the same hash, cracking one of them reveals all of them. A very impressive list of approaches. Clearly this doesn't meet my personal need for securing passwords.

Adding some Salt
The above approaches work because each password is hashed in exactly the same way: every time you run a password through the hash function it produces exactly the same output. The way to break that is to add some salt. Prepending (or appending) a random byte string to the password before hashing changes the result for every user; this random string is referred to as the "salt". Be aware that reusing one salt for all passwords is not enough. An attacker who obtains the shared salt (it sits next to the hashes in the same database) can build a lookup table for that salt and run a dictionary attack against all of your hashes at once. So you have to generate a fresh random salt for every password, from a cryptographically secure random source, store it beside the hashed password, and generate a new one every time a user changes his password. The salt does not have to be secret, only unpredictable.
A short sentence about length. Salts shouldn't be too short. Making the salt as long as the hash output is a simple, conservative rule: if you use SHA-512 (512 bits / 8 = 64 bytes) you choose a salt of 64 random bytes. Anything from 16 random bytes (128 bits) upwards already makes precomputed tables infeasible; that is the minimum NIST SP 800-132 recommends for password-based key derivation.

Preparations
We are clearly leaving the standard JDBCRealm features now, which means we have to implement our own security realm. Let's call it UserRealm from now on. We start with the same setup we have for the JDBCRealm: a MySQL database with a "jdbcrealmdb" schema. The only difference is that we save a salt with every password.
USE jdbcrealmdb;
CREATE TABLE `jdbcrealmdb`.`users` (
`username` varchar(255) NOT NULL,
`salt` varchar(255) NOT NULL,
`password` varchar(255) DEFAULT NULL,
PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `jdbcrealmdb`.`groups` (
`username` varchar(255) DEFAULT NULL,
`groupname` varchar(255) DEFAULT NULL)
ENGINE=InnoDB DEFAULT CHARSET=utf8; 
CREATE INDEX groups_users_FK1 ON groups(username ASC);

Now we implement the basic realm. The following code simply shows the mandatory members; the complete source is available on github.com (see the update at the end of this post).

public class UserRealm extends AppservRealm {
/**
* Init realm from properties
*/
public void init(Properties props) 
/**
* Get JAASContext
*/
public String getJAASContext() 
/**
* Get AuthType
*/
public String getAuthType() 
/**
* Get DB Connection
*/
private Connection getConnection()
/**
* Close Connection
*/
private void closeConnection(Connection cn)
/** 
* Close prepared statement
*/
private void closeStatement(PreparedStatement st)
/** 
* Make the compiler happy.
*/
public Enumeration getGroupNames(String string)
/** 
* Authenticate the user
*/
public String[] authenticate(String userId, String password) 

But the most important part is missing here.

Setting up some tests
I'm not exactly the test-driven kind of guy, but in this case it actually makes sense, because the realm I am going to implement here doesn't support user management via the GlassFish admin console. So the basic requirement is a prepared database with all the users, passwords and salts in place. Let's go: add the sql-maven-plugin and let it create the tables during the test-compile phase.
<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>sql-maven-plugin</artifactId>
    <version>1.3</version>
    <dependencies>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.18</version>
        </dependency>
    </dependencies>
    <configuration>
        <driver>${driver}</driver>
        <url>${url}</url>
        <username>${username}</username>
        <password>${password}</password>
        <skip>${maven.test.skip}</skip>
        <srcFiles>
            <srcFile>src/test/data/drop-and-create-table.sql</srcFile>
        </srcFiles>
    </configuration>
    <executions>
        <execution>
            <id>create-table</id>
            <phase>test-compile</phase>
            <goals>
                <goal>execute</goal>
            </goals>
        </execution>
    </executions>
</plugin>
You can either use some DbUnit magic to insert the test data into your database or do this within your test cases. I decided to go the latter way. First let us put all the relevant JDBC code into a separate class called SecurityStore. We basically need three methods: add a user, get the salt for a user and validate the user.

    // name the columns explicitly so the statement does not depend on the column order of the table
    private static final String ADD_USER = "INSERT INTO users (username, salt, password) VALUES (?, ?, ?)";
    private static final String SALT_FOR_USER = "SELECT salt FROM users WHERE username = ?";
    private static final String VERIFY_USER = "SELECT username FROM users WHERE username = ? AND password = ?";
    // ...

    /** Stores a user with the Base64 encoded salt and the Base64 encoded salted hash. */
    public void addUser(String name, String salt, String password) {
        // try-with-resources (Java 7) closes the statement even when the update fails
        try (PreparedStatement pstm = con.prepareStatement(ADD_USER)) {
            pstm.setString(1, name);
            pstm.setString(2, salt);
            pstm.setString(3, password);
            pstm.executeUpdate();
        } catch (SQLException ex) {
            LOGGER.log(Level.SEVERE, "Create User failed!", ex);
        }
    }

    /** Returns the Base64 encoded salt of the user, or null if there is no such user. */
    public String getSaltForUser(String name) {
        String salt = null;
        try (PreparedStatement pstm = con.prepareStatement(SALT_FOR_USER)) {
            pstm.setString(1, name);
            try (ResultSet rs = pstm.executeQuery()) {
                if (rs.next()) {
                    salt = rs.getString(1);
                }
            }
        } catch (SQLException ex) {
            // an SQLException is a database problem, not a missing user; a missing user yields null
            LOGGER.log(Level.SEVERE, "Salt lookup failed!", ex);
        }
        return salt;
    }

    /** True if a row with exactly this username and this (Base64 encoded, salted) hash exists. */
    public boolean validateUser(String name, String password) {
        try (PreparedStatement pstm = con.prepareStatement(VERIFY_USER)) {
            pstm.setString(1, name);
            pstm.setString(2, password);
            try (ResultSet rs = pstm.executeQuery()) {
                return rs.next();
            }
        } catch (SQLException ex) {
            LOGGER.log(Level.SEVERE, "User validation failed!", ex);
        }
        return false;
    }
In order not to implement too much here, I decided to have two separate constructors:
public SecurityStore(String dataSource) 
public SecurityStore(String user, String passwd)
So this will work with both, the app-server and my local tests. Next is the actual password and salt logic.

Working with Passwords, Hashes and Salts
Here is what I came up with:
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

public class Password {

    private static final String CHARSET = "UTF-8";
    // a digest, not an encryption algorithm: the password can never be recovered from the hash
    private static final String HASH_ALGORITHM = "SHA-512";
    // one SecureRandom per instance is enough; creating a new one per call only costs seeding time
    private final SecureRandom random = new SecureRandom();
    // sun.misc.BASE64* is not public API and was removed in JDK 9; on Java 8 and later use
    // java.util.Base64, on older JDKs Apache Commons Codec. Note that this encoder inserts a line
    // break every 76 characters, which the matching decoder tolerates.
    private final BASE64Decoder decoder = new BASE64Decoder();
    private final BASE64Encoder encoder = new BASE64Encoder();

    /** Returns a fresh, cryptographically random salt of the given length in bytes. */
    public byte[] getSalt(int length) {
        byte[] bytes = new byte[length];
        random.nextBytes(bytes);
        return bytes;
    }

    /** Computes SHA-512(salt || password); the salt goes into the digest first. */
    public byte[] hashWithSalt(String password, byte[] salt) {
        try {
            byte[] bytesOfMessage = password.getBytes(CHARSET);
            MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
            md.update(salt);
            md.update(bytesOfMessage);
            return md.digest();
        } catch (UnsupportedEncodingException | NoSuchAlgorithmException ex) {
            // UTF-8 and SHA-512 are mandatory in every JDK, so this cannot happen in practice;
            // failing loudly is safer than handing a null hash to the comparison
            throw new IllegalStateException("Hashing failed", ex);
        }
    }

    public String base64FromBytes(byte[] text) {
        return encoder.encode(text);
    }

    public byte[] bytesFrombase64(String text) {
        try {
            return decoder.decodeBuffer(text);
        } catch (IOException ex) {
            throw new IllegalArgumentException("Not valid Base64", ex);
        }
    }
}
Pretty easy, right? To be honest, working with the byte[] could be hidden better, but I thought you would more easily understand what is happening here. The getSalt() method returns a secure random salt of the requested length in bytes. The hashWithSalt() method feeds salt and password into one SHA-512 digest; the salt goes in first, so the same password with two different salts yields two unrelated hashes.

A word about encodings
Salt and hash are raw bytes, so they need an encoding before they go into a varchar column. I decided to Base64 encode them and I am using the proprietary API (sun.misc.BASE64Decoder, sun.misc.BASE64Encoder). It was the easiest way to do it at the time, but it is not public API and was removed in JDK 9; use java.util.Base64 (Java 8 and later) or Apache Commons Codec instead. Another approach is to simply hex encode (zero-padded) everything. The difference between Base64 and hex is really just how bytes are represented. Hex is another way of saying "Base16". Hex takes two characters for each byte; Base64 takes 4 characters for every 3 bytes, so it is more compact: the 64 bytes of a SHA-512 digest become 128 hex characters or 88 Base64 characters. Whichever you choose, use the same encoding when storing and when verifying, and be aware that the sun.misc encoder inserts a line break every 76 characters.

And finally the missing method in the UserRealm
The very final part of this lengthy post is the authenticate method in the UserRealm class.
    /**
     * Authenticates a user against GlassFish
     *
     * @param name The user name
     * @param givenPwd The password to check
     * @return String[] of the groups a user belongs to, or null if the login fails.
     * @throws Exception
     */
    public String[] authenticate(String name, String givenPwd) throws Exception {
        SecurityStore store = new SecurityStore(dataSource);
        // attempting to read the user's salt; null means there is no such user
        String salt = store.getSaltForUser(name);

        // Defaulting to a failed login by returning null
        String[] result = null;

        if (salt != null) {
            Password pwd = new Password();
            // get the byte[] from the salt
            byte[] saltBytes = pwd.bytesFrombase64(salt);
            // hash password and salt
            byte[] passwordBytes = pwd.hashWithSalt(givenPwd, saltBytes);
            // Base64 encode to String
            String password = pwd.base64FromBytes(passwordBytes);
            // do not log the computed hash, not even at FINE: log files are rarely
            // protected as well as the user table
            // validate password with the db
            if (store.validateUser(name, password)) {
                // allocate the result; assigning into a null array would throw a NullPointerException
                result = new String[] { "ValidUser" };
            }
        }
        return result;
    }
That is all that is left to do here. If we have a salt for the given user name we generate the hashed password and check it against the one we have in the database. The getSaltForUser() call is also our implicit check for the existence of the user. Two caveats a production realm should address: first, the method returns the fixed group "ValidUser" instead of reading the groups table, so role mappings in web.xml can only refer to that one group. Second, an unknown user returns before any hashing is done, so the response time reveals whether a username exists; hashing against a dummy salt in that branch, and comparing the hashes in Java with MessageDigest.isEqual() instead of in the SQL WHERE clause, removes that difference.
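
Below, as an added example that is not code from the original post or its GitHub repository, is the registration side the post leaves to the test cases (fresh salt per user, SHA-512 of salt followed by password, Base64 for both columns) together with a verifier that hashes against a dummy salt for unknown users and compares in constant time. It uses the same 64-byte salt as the Password class, java.util.Base64 (Java 8 and later) instead of sun.misc, and a HashMap as a stand-in for the MySQL users table. The class and method names (SaltedStoreExample, UserRow, addUser, verify) and the sample users are my choices, not the post's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not the post's code: the registration side (fresh salt per user,
 * SHA-512(salt || password), Base64 for both columns) and a verifier that does not
 * leak whether a username exists. A HashMap stands in for the MySQL users table.
 */
public class SaltedStoreExample {

    private static final int SALT_BYTES = 64;   // same size as the SHA-512 output, as in the post
    private static final SecureRandom RANDOM = new SecureRandom();

    /** One row of the users table: Base64 salt and Base64 hash. */
    static final class UserRow {
        final String salt;
        final String password;
        UserRow(String salt, String password) { this.salt = salt; this.password = password; }
    }

    private final Map<String, UserRow> users = new HashMap<>();   // stand-in for the database
    // Unknown users are hashed against this salt, so a failed login costs the same time
    // whether or not the username exists.
    private final byte[] dummySalt = newSalt();

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        return salt;
    }

    /** SHA-512(salt || password): the same construction as Password.hashWithSalt() in the post. */
    static byte[] hash(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is mandatory in every JDK", e);
        }
    }

    /** What a test fixture or an admin tool does before the realm can be used. */
    public void addUser(String username, char[] password) {
        byte[] salt = newSalt();                       // never reuse a salt between users
        byte[] digest = hash(salt, password);
        users.put(username, new UserRow(
                Base64.getEncoder().encodeToString(salt),
                Base64.getEncoder().encodeToString(digest)));
    }

    /** Mirrors UserRealm.authenticate(), but without an early return and with a constant-time compare. */
    public boolean verify(String username, char[] password) {
        UserRow row = users.get(username);
        byte[] salt = row != null ? Base64.getDecoder().decode(row.salt) : dummySalt;
        byte[] expected = row != null ? Base64.getDecoder().decode(row.password) : new byte[64];
        byte[] actual = hash(salt, password);          // always computed, even for unknown users
        // MessageDigest.isEqual does not stop at the first differing byte, unlike Arrays.equals
        boolean match = MessageDigest.isEqual(expected, actual);
        return row != null && match;
    }

    public static void main(String[] args) {
        SaltedStoreExample store = new SaltedStoreExample();
        store.addUser("alice", "correct horse".toCharArray());
        store.addUser("bob", "correct horse".toCharArray());      // same password as alice
        System.out.println("same stored hash for alice and bob: "
                + store.users.get("alice").password.equals(store.users.get("bob").password));
        System.out.println("alice, right password: " + store.verify("alice", "correct horse".toCharArray()));
        System.out.println("alice, wrong password: " + store.verify("alice", "wrong".toCharArray()));
        System.out.println("unknown user:          " + store.verify("mallory", "correct horse".toCharArray()));
    }
}
```

Running main shows the point of per-user salts directly: alice and bob chose the same password but their stored hashes differ, and only the "alice, right password" check succeeds. The dummy-salt branch means the "unknown user" check does the same SHA-512 work as a real one; against a JDBC store you would fetch salt and hash in one query and do the comparison in Java exactly like verify() does here.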

Making password cracks even harder: Slow Hash Functions
Security wouldn't be security if there weren't more to add. Salted passwords are way better than simply hashed ones, but still probably not enough: the salt stops precomputation, but a single SHA-512 is so fast that an attacker can still run a brute-force or dictionary attack against each individual hash. You can add more protection. The keyword is key stretching, also known as slow hash functions. The idea is to make every single guess expensive enough that brute-force on CPUs or GPUs no longer pays off, and it is implemented by iterating a hash function (or an HMAC) thousands of times with a tunable iteration count. PBKDF2 (Password-Based Key Derivation Function 2) is one of them. You can use it in different ways, but one warning: never try to do this on your own. Use one of the tested and provided implementations like PBKDF2WithHmacSHA1 from the JDK (PBKDF2WithHmacSHA256 is available since Java 8) or the PKCS5S2ParametersGenerator from the Bouncy Castle library. Two things to get right: the 1000 iterations below are the 2012 value and should be raised as far as your login latency allows (NIST SP 800-63B now asks for at least 10,000, and you should measure on your own hardware), and the requested key length should not exceed the output size of the underlying HMAC (160 bits for SHA-1, 256 bits for SHA-256). Asking for 512 bits from HmacSHA1 makes your server run the whole iteration loop four times, while an attacker only needs the first block to reject a wrong guess. An example could look like this:
    /** PBKDF2 with HMAC-SHA1; iteration count and salt have to be stored with the result. */
    public byte[] hashWithSlowsalt(String password, byte[] salt) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            // 1000 iterations and a 512-bit key were the 2012 choices; raise the iteration count
            // and consider 160 bits (the HMAC-SHA1 output size), since longer output only costs the defender
            KeySpec keyspec = new PBEKeySpec(password.toCharArray(), salt, 1000, 512);
            return factory.generateSecret(keyspec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
            // returning null here would only move the failure into the comparison
            throw new IllegalStateException("PBKDF2 failed", ex);
        }
    }
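
The snippet above leaves open where the iteration count and salt live and how you ever raise the count once users exist. As an added example, not code from the original post or its GitHub source, here is one way to do that with the JDK's PBKDF2WithHmacSHA256 (Java 8 and later): each stored record carries its own algorithm, iteration count and salt, verification reads the parameters back from the record and compares in constant time, a small calibration loop picks an iteration count for the current hardware, and a record made with too few iterations is re-hashed after the next successful login. The record layout, the class name Pbkdf2Example and all method names are my choices, not the post's.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not the post's code: PBKDF2 records that carry their own parameters, so the
 * iteration count can be raised later and old records upgraded on the next successful login.
 * Record layout for one varchar column: pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>
 */
public class Pbkdf2Example {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";   // in the JDK since Java 8
    private static final int SALT_BYTES = 16;     // 128 bits, the minimum NIST SP 800-132 asks for
    private static final int HASH_BITS = 256;     // equal to the HMAC output; more only slows the defender
    private static final SecureRandom RANDOM = new SecureRandom();

    static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available", e);
        } finally {
            spec.clearPassword();   // wipes the spec's internal copy; the caller's char[] is its own job
        }
    }

    /** Creates a new record with a fresh salt; the iteration count is part of the record. */
    public static String hash(char[] password, int iterations) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] dk = derive(password, salt, iterations);
        return "pbkdf2-sha256$" + iterations + "$"
                + Base64.getEncoder().encodeToString(salt) + "$"
                + Base64.getEncoder().encodeToString(dk);
    }

    /** Re-derives with the parameters stored in the record and compares in constant time. */
    public static boolean verify(char[] password, String record) {
        String[] parts = record.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha256".equals(parts[0])) {
            return false;                      // unknown or malformed record
        }
        try {
            int iterations = Integer.parseInt(parts[1]);
            byte[] salt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            return MessageDigest.isEqual(expected, derive(password, salt, iterations));
        } catch (IllegalArgumentException e) {    // bad number or bad Base64
            return false;
        }
    }

    /** True if the record was made with fewer iterations than wanted today. */
    public static boolean needsRehash(String record, int wantedIterations) {
        return Integer.parseInt(record.split("\\$")[1]) < wantedIterations;
    }

    /** Smallest iteration count, in steps of 10,000, that costs at least targetMillis on this machine. */
    public static int calibrate(long targetMillis) {
        byte[] salt = new byte[SALT_BYTES];
        char[] probe = "calibration".toCharArray();
        for (int iterations = 10_000; ; iterations += 10_000) {
            long start = System.nanoTime();
            derive(probe, salt, iterations);
            if ((System.nanoTime() - start) / 1_000_000 >= targetMillis) {
                return iterations;
            }
        }
    }

    public static void main(String[] args) {
        char[] pw = "correct horse".toCharArray();
        String old = hash(pw, 1_000);        // the post's 2012 iteration count
        int today = calibrate(100);          // aim for about 100 ms per login on this box
        // the login path: check against the stored record, then upgrade it if it is too cheap
        String current = verify(pw, old) && needsRehash(old, today) ? hash(pw, today) : old;
        System.out.println("old record:      " + old);
        System.out.println("upgraded record: " + current);
        System.out.println("right password:  " + verify(pw, current));
        System.out.println("wrong password:  " + verify("wrong".toCharArray(), current));
    }
}
```

Because the parameters travel with the record, the realm never needs a global "iterations" setting that must match what was used at registration time; the same verify() accepts records made with 1000 iterations and with the calibrated count, and the upgrade happens only after the user has proven the password, since that is the only moment the plaintext is available to re-hash. The calibration is deliberately coarse; run it once at deployment on the production hardware rather than on every start.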

Why all that?
We hear about password and user database leaks a lot. Every day. Some big sites have been hit, and it basically is up to the implementer to provide suitable security for his users. Knowing where and how to tweak can be difficult, and honestly, using the provided features as they are leaves you with a false sense of security. Don't stop learning about security features and keep an eye open for possible problems. I personally wish GlassFish would provide a more comprehensive set of default realms for users to work with. As long as this isn't the case, I hope this post points you in the right direction. Hope you enjoyed it!

[UPDATE 31.07.2012]
The source is on github.com

Wednesday, July 25, 2012

I'm speaking at JavaOne 2012, 30 Sept to 4 Oct in San Francisco, California, USA

Flights are booked and everything else is arranged. I am truly looking forward to the number one Java event in one of my favorite cities in the States. Moving this from a placeholder to the final state took some time this year. The schedule still isn't finished and all the last minute changes are dropping in. If you are looking for me, try to find me at one of the mentioned places and sessions. Beside this I will most likely run around "The Zone" or attend some of the great sessions.

My Own Sessions
Three types of sessions for me this year. I will be moderating the Web-Framework Smackdown this year. This year's panelists are:
- Ed Burns: JSF
- James Ward: Play
- Graeme Rocher: Grails
- Santiago Pericas-Geersten: Avatar (Oracle's new proprietary framework)
So, if you are interested in joining us; Happy to welcome you! And bring good questions!

Session ID: BOF4149
Session Title: Web Framework Smackdown 2012
Venue / Room: Parc 55 - Cyril Magnin II/III
Date and Time: Monday, Oct 1, 20:30 - 21:15

Late news! The combined session with Masoud Kalali was accepted also! After I did this on my own at JavaZone before, we will finally give a combined session about Java EE security with GlassFish. I am really looking forward to it!

Session ID: CON11881
Session Title: Java EE Security in Practice with Java EE 6 and GlassFish
Venue / Room: Parc 55 - Powell I/II
Date and Time: Monday, Oct 1, 10:00 AM - 11:00 AM

Last but not least I am going to take roughly 8 minutes of Sandeep's breakout session and talk about my experiences with the Oracle Cloud Java Service:

Session ID: CON8633
Session Title: Oracle Cloud: Success Stories
Venue / Room: Moscone South - 307
Date and Time: Monday, Oct 1, 1:45 PM - 2:45 PM

JCP annual gathering and JCP Awards
You might have read, that I was nominated for the JCP Member of the Year. The awards will be presented at the JCP annual gathering at the Infusion Lounge on Tuesday, 2 October at 6:30 pm.

NetBeans Community Day at JavaOne 2012 Conference
Join us for a full day dedicated to all things NetBeans. Find out what's new in the IDE and Platform, and how a wide range of companies are using NetBeans technology to deliver innovative applications.
More information!

Date: Sunday, September 30
Location: Moscone West, Level 2
Room: MW-L2-2004
Time: 9am - 3pm

GlassFish Community Event and Party
Join the GlassFish Community for their annual GlassFish Community Event at JavaOne 2012. It's fun and free! (But you need an OOW/JavaOne pass to enter the Moscone Center)

Date: Sunday, September 30
Location: Moscone West, Room 2005
Room: MW-L2-2004
Time: 11am - 1pm

The GlassFish and Friends Party takes place at "The Thirsty Bear" (661 Howard Street San Francisco, CA 94105), Sunday, September 30, 2012 from 8:00 PM to 10:00 PM (PDT)

JavaOne San Francisco Geek Bike Ride
If it happens that you are a bike fan and would love to bike the bridge, you can think about joining this year's JavaOne San Francisco Geek Bike Ride.
All you have to do is to register (for free) with http://sfgeekbikeride.eventbrite.com/ and enjoy the best the Bay Area has to offer by riding a bicycle across the Golden Gate Bridge.
We will meet at Blazing Saddles at Fisherman's Wharf and ride across the bridge and down into Sausalito, and then take a ferry back to the city.
This is a beginner/intermediate ride, roughly 8 miles and takes 1.5 hours to ride. I expect we'll have several photograph stops, and we'll stop for a treat in Sausalito. There are three big hills (two steep ones going up Fort Mason and the approach to the bridge, and one fun downhill into Sausalito), but (obviously) the bridge is flat and easy. The hardest part may be dodging pedestrians on the bridge!
All geeks and their friends are invited.

Meet at Blazing Saddles bikes at 2715 Hyde St. If you want to reserve a particular bike, you can reserve it in advance online. Bike rental is $30-$40 USD, there's a 10% discount if you reserve online. The ferry is $10.50 USD. Follow #geekbikeride for updates.

Tuesday, July 24, 2012

I'm speaking at Devoxx 2012, 12-16 Nov in Antwerp, Belgium

I'm going to visit Devoxx in Antwerp for the first time ever! This is especially exciting as this is the biggest Java related conference in Europe and I missed it for so long. The schedule has been shaping up over the last few days and I am proud to contribute to David's Java EE Gathering:

Wed, 14 November 2012
19:00 - 20:00

If you haven't done so, don't forget to register:



Monday, July 23, 2012

The Heroes of Java: Werner Keil

After a bit of silence I finally managed to continue my "Heroes of Java" interview series. The 16th edition is about Werner Keil.

Werner Keil
has worked for more than 20 years as project manager, software architect, analyst and consultant on leading-edge technologies for Banking, Insurance, Telco/Mobile, Media and Public sector.
Among his earlier clients are Sony where Werner designed and implemented micro-format based tags for Sony Music.
He develops enterprise systems using Java, JEE, Oracle or IBM, does Web design and development using Adobe, Ajax/JavaScript or dynamic languages like Ruby, PHP, etc.
Besides work for major companies he runs his own creative, talent and consulting agency Creative Arts & Technologies. In his spare time, he runs and supports open-source projects, writes song lyrics, novels, screenplays and technical articles. He is a committing member of the Eclipse Foundation and the Java Community Process, including his role as JSR-275 Spec Lead and Executive Committee Member (SE/EE).

General part
Who are you?
I am Founder/Owner of a consultancy, Creative Arts & Technologies, Agile Coach, Java "Godfather" (founded or raised many Java projects and standards), Individual Executive Committee Member at JCP.org. Beside that I am involved in a couple of other Open Source communities like Eclipse, Apache, Java.net, Sourceforge or GitHub.

Your official job title at your company?
Founder/Owner

Do you care about it?
I founded or helped found many projects and initiatives, so maybe the founder

Do you speak foreign languages? Which ones?
German, a little bit of French and some understanding of all languages derived from Latin (Italian, Spanish mostly)

How long is your daily "bootstrap" process? (Coffee, news, email)
News, Short Messages or email in most cases on a tablet. Coffee I save for the office, unless I stay in a place (hotel, B&B) where it's ready before I leave.

Twitter
You have a twitter handle? Why?
@wernerkeil It is a quick and often also direct way of communication. Some people or companies you also get attention there best;-)

Whom are you following in general?
Interesting people or accounts. Creative personalities or people I work with, mostly IT professionals

Do you have a personal "policy" for twitter?
Not really. I try to keep feeds by Android games or other channels away from it, funnel them e.g. into Facebook, but beside that I tweet both personal and professional.

Does your company restrict or encourage your twitter usage?
There were very few clients, especially in India (not that it would have increased their own productivity;-) who restricted it or preferred us to use Twitter only outside office hours. As it helps, e.g. to check with colleagues from a particular field very fast when you have a problem, most other clients these days tolerate or even appreciate it. Especially those clients and teams who really work in an Agile way, and not just claim to do so.

Work
What's your daily development setup? (OS/IDE/VC/other Tools)
Depends a lot on the project. Windows is usually the desktop OS, but some environments like the current one use it only to host a multitude of Virtual Linux instances. There tools are often console-based or plain text editors like VI or Emacs. When I develop Java in most cases an IDE is involved, either Eclipse or for tasks it's better suited NetBeans. Occasionally I use other IDEs like IntelliJ or JDeveloper, mostly if a team or work item prefers to use these.

Which is the tool providing most productivity to your work?
Hard to say, for the current requirement there are mostly console-based Linux tools and programs. Too many to mention. The fact that Eclipse makes products and tools feel familiar, even if you work with many different languages and environments, is of course a benefit.

Your preferred way of interacting with co-workers?
If everybody is closely located, talking face to face is usually best. Otherwise some Instant Messenger, either internal or over the Internet (like Twitter, Google, MSN or Yahoo) works best. Email for longer conversations or if you need to attach more than an occasional image. I rarely use the phone, except for conference calls in some projects.

What's your favorite way of managing your todo's?
A Kanban board or tool

If you could make a wish for a job at your favorite company: What would that be?
Chief Architect, Evangelist or a role close to that. CTO maybe. The favorite company would probably be a solid start-up either in a Social or Mobile business, or a combination of both.

Java
You're programming in Java. Why?
I got a bit sick of Microsoft languages and runtimes often behaving badly by turning my UI controls into a black or white rectangle if just a single DLL had changed or similar configuration differences occurred. Neither of these components were transparent or sources available. While not all of Java was when it came out, a much greater part of the system could be looked at and understood, how things work or why something doesn't. This way e.g. I managed to translate all of Swing into a dozen languages, years before Sun did. Imagine that with most Microsoft solutions even today.

What's least fun with Java?
Boiler-plate code can be tedious to write, when you may just need a rather simple Business task. Lack of modularity and related classpath issues is probably worse.

If you could change one thing with Java, what would that be?
The classpath system I'd say, see above. There are more sometimes smaller things, but thanks to the JCP I already am involved in some changes.

What's your personal favorite in dynamic languages?
Fantom. Though it may be lesser known than e.g. Scala, it has some of the basic principles you need more often than you think, like Date, Time or other measurement units, better supported than Java. That makes it a more functional language. The only equivalent case would be F#, but Fantom is also among the few languages running either on the JVM or the .NET CLR.

Which programming technique has moved you forwards most and why?
XTreme Programming, ideally going hand in hand with a sufficient amount of unit tests written. There are a number of Java Enterprise design patterns like "Value List Handler", just to name one example, which I applied and created frameworks for prior to their being named and identified by Sun or other industry players.

What was the biggest project you've ever worked on?
There were a few. DeutschePostWorldNet could be among the biggest in range and the people it reached. It also indirectly helped shape some Java standards like JSR-170, straight from our team of BEA, Day and individual consultants like myself. Nokia, part of Ovi, is probably another good example. The largest team in one place was, I guess, a bank that no longer exists by that name. We had up to 100 people in a single stand-up(!), far too many, but the Scrum Master managed that better than other projects I have seen since then with 1/3 or fewer people ;-D

Which was the worst programming mistake you did?
I was involved in writing an application server based on EJB 1 EntityBeans a long time ago. While it provided a lot of insight into, e.g., the first version of JBoss ever written, in the making, it went along a different path, involving a few antipatterns those who defined the requirements demanded. I left the project eventually. And heard, to little surprise, that it took them at least 12x more time to write. And users needed 4-6x more memory on each client to run it.

Friday, July 20, 2012

I'm speaking at JavaZone 2012, 12-13 Sept in Oslo, Norway

For the first time ever I am going to present at this year's JavaZone in Oslo, Norway. JavaZone is the biggest meeting place for software developers in Scandinavia, and one of Europe's most important.
JavaZone has been described as a high-quality, independent conference - a leading forum for knowledge exchange for IT professionals. Each year around 2,300 conference tickets are sold. This year's JavaZone is the eleventh and surely not the last.

Something special this time: it will be my first joint presentation with Oracle's Masoud Kalali.

Masoud is a principal software engineer at Oracle working on the GlassFish project in the security and PaaS areas. He is the author of the GlassFish and Java EE Security book published in 2010 and of several articles in that area on Java.net, DZone and other magazines. He is the author of multiple well-received Refcardz about security, Java EE, GlassFish, XML and NoSQL. He has a master's degree in Information Systems and has been involved with software projects since 2001. Masoud blogs regularly at http://kalali.me and can be followed on Twitter as @MasoudKalali.

We are giving a talk with the title:
"Java EE Security in practice with Java EE 6 and GlassFish"

Sept, 13th / Room: Sal 6 / 17:00 - 18:00

The hottest topic for enterprise Java applications out there is security. It has so many different aspects, and this session is going to cover the basics which are used out of the box in the example application. Going further down to the OWASP Top 10 for application security, it also shows how and where to integrate solutions for that.

Even if this is the last slot of the conference, it will be big fun to see the two M&Ms (red and yellow :)) speak! See the complete conference program online and buy your tickets now, if you haven't done so already!

Looking forward to meeting you there!

Wednesday, July 18, 2012

What's New in the GlassFish Server 3.1.2.2 Release?

You might have heard that the latest GlassFish 3.1.2.2 is out. You can download it from both glassfish.org and oracle.com. According to the announcement in the GlassFish forums it covers three bugs which have been identified through feedback from the community. These are:

- wsimport Ant tasks causes NoClassDefFoundError from many places from within some java app (JAX_WS-1059)
- NoClassDefFoundError: org/openide/util/Enumerations$1RDupls due to use of WebServices (NetBeans Bug 211962)
- JK listener with Apache + mod_ajp_proxy causes truncated downloads (GLASSFISH-18446)

According to an email on the GlassFish users mailing list (http://java.net/projects/glassfish/lists/users/archive) there are some more details about what exactly has been fixed:

Grizzly:
- AJP connector can not recover after unexpected EOF (GRIZZLY-1284)
- This error occurs occasionally for no apparent reason, causing glassfish does not deliver all packets. (GRIZZLY-1254)
- Errow when posting data with "Expect: 100-continue" header via ajp with mod_proxy_ajp in apache (GRIZZLY-1267)
- CPing/CPong doesn' work (GRIZZLY-1276)
- NPE when attempting to get the session from a request associated with a websocket. (GRIZZLY-1270)
- Add memory tuning option for MimeHeaders (GRIZZLY-1285)
- Incorrect timeout switch logic may cause unexpected interruption of a thread (GRIZZLY-1286)

GlassFish:
- JK listener with Apache + mod_ajp_proxy causes truncated downloads (GLASSFISH-18446)
- Windows Services - can't handle paths with spaces (GLASSFISH-18546)
- install-node-dcom does not abide by --windowsdomain parameter (GLASSFISH-18327)
- Incompatibel breaking changes to getParameter() / getPart() probably for Ticket GLASSFISH-16740 (GLASSFISH-18444)

Metro/JAX-WS:
- java.lang.ClassCastException: org.glassfish.gmbal.ManagedObjectManagerNOPImpl cannot be cast to com.sun.xml.ws.server.WSEndpointMOMProxy (WSIT-1619)
- wsimport Ant tasks causes NoClassDefFoundError from many places from within some java app (JAX_WS-1059)

And more news:
If you compare the two distributions (zip archives of both GF 3.1.2 and GF 3.1.2.2) you notice some more changes.
- It seems as if JBoss Logging 3 (3.1.0.GA) is now part of GlassFish. Find the jboss-logging.jar in the modules folder.
- Grizzly has been updated to 1.9.50
- Both org.apache.felix.shell.jar and *.shell.tui.jar have been removed.
- The Rest interface for GlassFish Management and Monitoring got an update to 3.1.2.1-SNAPSHOT
- The Weld implementation is now at 1.1.8.Final (yeahhaaa :-))
- Metro has been updated to 2.2.0-1 (which actually isn't a "version" in their Jira; wondering)

Plan B? That is Plan N ... Nothing. Jigsaw follows in 2015.

What a day. When the typical European is winding down, people in the States are starting with coffee. This is why I had a good night's sleep over the recent news by Mark Reinhold. In a post titled "Project Jigsaw: Late for the train" he proposes to "defer Project Jigsaw to the next release, Java 9." With the modularization efforts being one of the key topics of Java's future at recent conferences and in blog posts, this was a quite surprising move. Yesterday everybody was speculating about whether there would be a JSR for Jigsaw or not. Today we know why this didn't happen. And I am disappointed about that. Here is why.

Early notification? No - it's salami slicing! Or?
My first impression was: Hey, you guys don't get it. Dropping features late in the timeline isn't good for the community. But Donald made me realize that Java 8 is scheduled for May 2013.
That basically means we are informed 18 months ahead. But you guessed right. The reason for me being disappointed isn't the time. It's about the way the future of Java has been communicated and used for marketing. Bert Ertman nailed it for me with his tweet:

It seems to be a pattern here. Slicing everything until nothing relevant remains. But wait. Haven't we all seen the safe harbor slides? Have we been ignoring them? Or aren't we aware of their real importance? Could all this be an agile planning process which simply isn't communicated in the right way? The community as the most important stakeholder (besides Oracle internal interests) obviously wasn't aware of the true reliability of the statements and plans. I have seen that before. And struggled with the same approach. Outlining the planning a bit more, or even adding a burn-down chart for the progress, would be a very helpful instrument for a sneak peek into what's actually happening with the development. No, I'm not proposing to see all the little numbers, but I would love to have an indicator about stuff that is working like it was planned and stuff that is ... being postponed.

I don't want to miss the chance to say thanks to Donald and Mark and also Dalibor and the many others from the OpenJDK/Oracle team for listening to the community. I am thankful to see them on Twitter, Email, Blogs, Forums and everywhere around to gather feedback and try to work on the way Oracle is communicating proposals and decisions.

The real reasons?
Are there any more reasons behind that than the ones Mark expressed in his blog? "some significant technical challenges remain" and there is "not enough time left for the broad evaluation, review, and feedback which such a profound change to the Platform demands." Following Mark's Twitter stream also reveals some more insights here. "Started on a shoestring at Sun, barely survived integration into Oracle, only fully staffed about a year ago …" (@mreinhold) For the external person the news sounded like ... wow, that stuff has been started years ago and nobody was actually coding there? With the insights from Mark (I hope he is doing another blog post about this) it does actually sound a little different. It might be that the truth is much simpler here. And it also would be good to know what the community can do to help. Mark: Go on! Keep lifting the former secret parts and try to facilitate what the community has to offer!

Dreams of Java on iOS over?
Do you remember what has been said at the last JavaOne? The iOS and Android versions of JavaFX? The mobile goddess is back with Java since Java ME never really lifted off? Awesome. One of the most prominent requirements for that to happen was the ability to repackage the JDK to the right size for the job. Jigsaw was the idea behind that. As of today Mark proposes to introduce "one or more compact Profiles in the Java SE 8 spec" (http://mail.openjdk.java.net/pipermail/java-se-8-spec-observers/2012-July/000001.html) to solve the missing module system. This in fact wouldn't be a "module" system but simply "just different ways to build the JDK, resulting in different-sized JREs." (@mreinhold) Yeah. Ok. And asked for the implications that might have, the answer was: "We’ve already been preparing for the complexity of building and testing a modular platform." (@mreinhold) Seems as if the building blocks of that proposal are in place and no additional overhead is needed to get the mobile promises on the road.
So we will not have to fear >100 MB downloads for the JavaFX based apps. I don't know if they will meet the proposed distribution size starting at 10 MB. But anyway I expect it to be at a reasonable size.

We don't need Jigsaw!?
Really? We already have OSGi, JBoss Modules, HK2 kernel abstraction. A lot of stuff is in place and Jigsaw would only have helped the JDK. Really? I'm looking at it from a slightly different perspective. Even if it is true that a module system would have helped the JDK in the first place, the dependent platform specifications (like Java EE) are also in big need of a module system. And Java simply hasn't anything to offer here. At least nothing that is within reach of the JCP. So, looking for modularization approaches as of today would mean embracing non-JCP technologies. And we all know that this will not happen. So, looking at Java EE 7 and beyond, we can be quite sure that this proposal is putting a lot of pressure on the internal discussions. Not to forget the additional years the competitors gain in entering and deciding the field. If you ask me, the worst thing that could happen is that Jigsaw ends up being used JDK-internally only. There is a good chance for exactly that to happen.

What is left of Java 8?
With Jigsaw being stripped from the Java 8 time-frame the most important question here is what is left. Even still under the safe harbor statements that's basically:
- Project Lambda (JSR 335) will bring closures to the Java programming language.
- New Date/Time API (JSR 310)
- Type Annotations (JSR 308)
- A couple of smaller features
With the new scope Java 8 will ship on time, around September 2013 according to Mark.

Feeling better now?
I don't know. Even a good night's sleep didn't bring back that comfy feeling I had a few days ago talking about modularization with Java. But I think I have to get over it and this is just another one of those "bad-hair" days which don't have a real reason for feeling sad. Seems as if I personally have to look at the alternatives. Waiting until 2015 is not an option. OSGi, JBoss Modules ... Here I come.

Update 20.07.12
Alexis has put up an interesting piece about motivation and the true debacle behind Jigsaw:
As I wrote above, Oracle has the resources to declare Jigsaw a strategic goal. I can agree that it may be hard to deliver by late 2013 but waiting for 2016 is effectively killing Jigsaw and encouraging everyone to look at alternatives which will jeopardize yet even more Jigsaw’s chances of ever seeing the light of day. In fact, even Oracle is considering profiles in Java 8, an ugly band-aid if you ask me. One you’ll need to painfully tear off to get proper modularity in the platform. Jigsaw really shouldn’t be seen as “a new feature”, to me it’s really the Java reboot some people have been calling for a long time. Only a compatible one.

Tuesday, July 17, 2012

GlassFish Operations: Log Notifications

One of the most prominent requirements for application servers derives from the operations space. Taking this into account, the next Java EE platform specification will focus entirely on platform as a service (PaaS) and cloud operations. Looking at what we have today still leaves a couple of questions unanswered. The one I get asked quite a lot is: "How to configure GlassFish to receive notifications/alerts/messages on important log entries?". Seems to be a good topic to blog about.

Application Logging vs. System Logging vs. Monitoring
You basically have three options here. Either you integrate some notification magic into your application logging, or you go with the system logging, or you go with the more classic monitoring approach. However, the differences should be clear. By default GlassFish does not provide any third-party logging integration. Whichever logging route you take from a framework perspective, you will end up logging application-specific events. If you are looking for some kind of application-server-specific notifications you have to take the system logging or the monitoring road.

System Logging
The easiest configuration I have ever done. GlassFish supports Unix syslog. By checking the "Write to system log" box in the "Logger Settings" of your desired configuration you enable this feature. In fact this works like a charm but has a couple of drawbacks. Syslog is a protocol that allows a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers or syslog daemons. It's a connectionless, UDP-based IP protocol: some kind of broadcast. If you want to react upon ERRORs or messages of other severities you have to use the facilities which come with your syslog server/daemon. This might be a more sophisticated appliance (STRM, Log Manager) or a piece of software. Most notably, syslog messages are not encrypted in any way, so you have to be careful about configuring this. Syslog-ng isn't supported as of the latest 3.1.2. And some more hints if you are interested in how this is done: have a look at com.sun.enterprise.server.logging.Syslog and SyslogHandler. You will see that you can only send messages to localhost. No chance to configure that. You have to use syslog forwarding if you want that stuff to end up on another machine. Running on Windows requires installing one of the many open or closed software products. I tested Star SysLog Daemon Lite (http://www.thestarsoftware.com/syslogdaemonlite.html) and was quite happy with the results.
One last note: if you are stumbling over older Google search results referring to something called "GlassFish Performance Advisor" ... that actually no longer exists. It hasn't been ported to the 3.x branch.

Application Logging
In fact, GlassFish doesn't provide a special logging framework integration, unlike WebLogic Server does. So going this way you will lose the core GlassFish system logs and can only focus on application-specific logging. And that is where the integration actually happens: on the application level. Almost all recent frameworks (Log4J, LogBack) have a couple of providers for you to use out of the box. In terms of notifications, email is still the simplest way to go. For that you have to look for the right appender (SMTP). Both LogBack (SMTPAppender) and Log4j (SMTPAppender) offer something here. Configuration is straightforward and only requires you to input some details about your SMTP infrastructure. Don't forget to set the right logging level here. You are definitely not willing to have all DEBUG level messages sent to your inbox.
Still thinking about the syslog thing? Both Log4j and LogBack can produce syslog messages with their SyslogAppenders (log4j, logback). But all the above-mentioned drawbacks also apply here. On top of that you will not be able to receive the GlassFish core log messages with your syslog server. There might be very rare and special situations where this would be of any help.

Monitoring
One last thing to mention is the monitoring approach. A couple of monitoring suites can actually read your logfiles (keyword: logfile adapters) and you can configure your logging solution to react to certain patterns. While I don't consider that elegant, it might be a stable solution to work with and I have seen this a lot in the wild. Another approach could be to use JMX or even the GlassFish admin REST interface to find out about the relevant metrics. But neither provides access to the logging subsystem.

Wednesday, July 11, 2012

Review: "Enterprise JavaBeans 3.1" by Andrew Lee Rubinger, Bill Burke

Another O'Reilly book on my review list. This has been sitting there for some time but the blogger review program finally made it happen. This is one of the few books that have accompanied me for years. I don't know with which one I started but I believe it was the 3rd or even 2nd edition written by Richard Monson-Haefel himself. That was back in 2001 or earlier. Back then EJB was a nice concept but worth nearly nothing without a container. So I found it hard to follow all those examples enriched with all the fancy CORBA and remoting stuff. Even if it was the one closest to the specification and as vendor-independent as possible, a WebLogic-specific book caught me more. What a surprise, right? Having known Andrew for some time now, I was curious to see what Bill Burke and he did to the book and how I see things today. More than 10 years later.

Abstract: Learn how to code, package, deploy, and test functional Enterprise JavaBeans with the latest edition of this bestselling guide. Written by the developers of the JBoss EJB 3.1 implementation, this book brings you up to speed on each of the component types and container services in this technology, while the workbook in the second section provides several hands-on examples for putting the concepts into practice. Enterprise JavaBeans 3.1 is the most complete reference you'll find on this specification.

Book: "Enterprise JavaBeans 3.1"
Language: English
Paperback: 766 pages
Release Date: September 24, 2010
ISBN-10: 0596158025
ISBN-13: 978-0596158026

The Author
Andrew Lee Rubinger (@ALRubinger) is an advocate for and speaker on testable enterprise Java development and a member of the JBoss Application Server development team. Besides that he is the technical lead of the ShrinkWrap project. He works for JBoss / Red Hat and runs his blog at exitcondition.alrubinger.com.
The technical manuscript was adapted from Bill Burke and Richard Monson-Haefel’s fifth edition of this book.

The Content
Some statistics up front. With 766 pages this clearly is a visible book on your bookshelf. If you remove the preface, index and the code examples you end up with 408 pages of content and 318 pages of examples. This is obviously wrong, for many reasons (environment, cost of the book, my back ...).
But let's start with the overview: the book is organized in five parts. Parts 1 through 4 make up the so-called technical manuscript. Part 5 contains the examples and a detailed guide on installing, configuring and running the examples. Nobody will be surprised that this is done using Arquillian and ShrinkWrap :) All examples run on OpenEJB.

Part 1 starts with a bird's-eye view of the technology, introducing you to component types and container services, and leads you to write your first ever EJB.
Part 2 draws you deeper into the different component models (stateless, stateful, singleton and message-driven beans).
Part 3 is all about persistence with JPA. What that is, how to configure and package and simply how to use it.
Part 4 examines the different container services like Security, Injection, Transaction, Interceptors, Timer Services and Web Services.

Writing and Style
Entertaining. That is the right word. If you are used to technical documentation you shouldn't struggle with this book. For a non-native speaker it reads very easily and I didn't find very many complex sentences which stopped my reading. Native speakers might be more likely to identify the different writing styles in it. The extensive printed examples don't make any sense to me. It feels like ages ago that I used to type in stuff from books.

Conclusion and recommendation
Hard to judge on this one. Beside the fact that I have a personal history with this book, I still believe that it is helpful to people who want a good and basic introduction to the EJB programming model. The clear separation from any appserver makes this only half as valuable as it could be. And this is the surprising bottom line. I still would prefer any vendor-specific book over a plain technology-focused one. Anyway, congratulations to Andrew for doing a good job in taking over such a piece of history and bringing it up to date. And thanks to O'Reilly for keeping traditions alive.

Monday, July 9, 2012

Upgrading to latest Mojarra in GlassFish 3.1.x

I was playing around with latest Mojarra and in order not to replace any existing versions at a server module level I tried to package it with my apps. I shouldn't have done that. Here is a short story.

I do love application servers. Especially GlassFish and WebLogic. You know that. But there is one thing that starts to bug me more and more with the latest releases. It's the release cycle of bundled components. Do you remember the good old days where you simply threw a newer library into your app bundle and (nearly) everything worked fine? Those days belong to the past. As of today you experience a lot of trouble if you try to upgrade and replace single reference implementations or components of your appserver by bundling them with your apps. The recent example was Mojarra. Some bugs in Mojarra 2.1.5, which is shipped with the latest GlassFish 3.1.2-b22, prevented me from upgrading an application. So I thought I'd give the latest 2.1.10 (05/31/2012) a shot, which promised to solve those issues. I am very thankful for the frequent releases here and was very much looking forward to having this solved in literally a few seconds.
Googling around a bit for the specifics of the upgrade process brought me to Arun's blog. A four year old entry pointed me to the basics. Bundle impl and api jars to your application. Add some lines to your sun-web.xml.
There you go. That should be everything. Fine. Obviously the name of the deployment descriptor changed. Its new name is glassfish-web.xml and the property name also changed from useMyFaces to useBundledJsf. Not a big surprise and very welcome.
<class-loader delegate="false"/>
<!-- useBundledJsf must be true for the application to use the JSF jar bundled with it -->
<property name="useBundledJsf" value="true"/>
If you now try to find the jsf-impl and jsf-api dependencies for the 2.1.10 you start struggling. With 2.1.3 Mojarra started adopting the Oracle Java EE Maven and OSGi naming and versioning scheme. This basically means, you now have only one dependency for both:
<dependency>
  <groupId>org.glassfish</groupId>
  <artifactId>javax.faces</artifactId>
  <version>2.1.10</version>
  <scope>compile</scope>
</dependency>
Also fine to me. Let's give that a test-drive. Oops:
java.lang.Exception: java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: java.lang.RuntimeException: com.sun.faces.config.ConfigurationException: CONFIGURATION FAILED! org.glassfish.weld.jsf.WeldFacesConfigProvider cannot be cast to com.sun.faces.spi.ConfigurationResourceProvider
That did not work!
What happened?
The issue seems to be that there are two versions of ConfigurationResourceProvider on the class path: one at the web app level (your bundled jar file) and a second at the parent class loader level (provided by GlassFish). WeldFacesConfigProvider extends ConfigurationResourceProvider at the parent class loader, but it ends up casting this to ConfigurationResourceProvider at the web app class loader.
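To make that root cause tangible, here is an added example (not code from the post, from GlassFish or from Mojarra) that reproduces the failure in plain Java: a child-first class loader, standing in for <class-loader delegate="false"/>, defines its own copy of a class, and casting an instance of that copy to the parent loader's copy throws ClassCastException. The Provider class and the loader are hypothetical stand-ins for ConfigurationResourceProvider and the web-app class loader.

```java
import java.io.IOException;
import java.io.InputStream;

// Added demo (not GlassFish/Mojarra code): same class, two loaders, failed cast.
public class ClassLoaderCastDemo {

    // Hypothetical stand-in for com.sun.faces.spi.ConfigurationResourceProvider.
    public static class Provider {
        public String name() { return "provider"; }
    }

    // Child-first loader, comparable to <class-loader delegate="false"/>:
    // it defines Provider itself instead of delegating to the parent first.
    static class ChildFirstLoader extends ClassLoader {
        ChildFirstLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Provider.class.getName())) {
                return super.loadClass(name, resolve); // everything else delegates normally
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name); // same bytes, different defining loader
                    c = defineClass(name, bytes, 0, bytes.length);
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Returns true when the cast across loaders fails, as it does in the GlassFish case. */
    public static boolean castAcrossLoadersFails() throws Exception {
        ClassLoader parent = ClassLoaderCastDemo.class.getClassLoader(); // "server" copy
        ChildFirstLoader webApp = new ChildFirstLoader(parent);           // "web app" copy
        Object fromWebApp = webApp.loadClass(Provider.class.getName())
                .getDeclaredConstructor().newInstance();
        try {
            Provider p = (Provider) fromWebApp; // checkcast against the parent's Provider
            return false;
        } catch (ClassCastException expected) {
            // Same class name, but Provider.class != fromWebApp.getClass()
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("cast across loaders fails: " + castAcrossLoadersFails());
    }
}
```

The same name resolved in two loaders yields two distinct Class objects, which is exactly why bundling a second javax.faces.jar next to the server's own copy breaks the WeldFacesConfigProvider cast.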

Workaround: Replacing Mojarra in GlassFish
How to work around that? Easy, if you like it to be easy. Simply download the latest stable version of Mojarra from its java.net project and replace glassfish3\glassfish\modules\javax.faces.jar with the downloaded version. Make sure to keep a backup of the original file, and also don't forget to delete the OSGi cache glassfish3\glassfish\osgi for the changes to take effect. Also make sure to only use a 2.1 version of Mojarra and don't try a 2.2, even if it is there. First of all because it implements the new EE 7 features and second because it is still a snapshot. Keep away here! For now.
Why you might not like this approach: imagine you are a paying Oracle GlassFish Server customer. What do you think? Do you still get support if you are replacing a core module with a newer version? I haven't checked the licensing and support terms. But I believe you will not. And that might be right from a product point of view, because you simply can't test every possible combination of modules for every release.

Workaround: Adding the missing dependency to your app
If you can't cast across class loaders you have to make the missing part available to the right class loader. Not replacing the javax.faces.jar in your server's modules leads to adding the magic WeldFacesConfigProvider to your app. It is contained in glassfish3\glassfish\modules\weld-integration.jar, and by simply putting that as an additional library into your application you also solve the issue.
There is even a mavenized version on the web. But this is drawing in a lot of additional dependencies which you would have to exclude, and it also seems to be a snapshot build only. So you will end up putting this jar into your local or corporate Maven repository. Going this way you should still receive support for your commercial appserver version. Even if the weld-integration obviously wasn't meant to be deployed with your applications over and over again, at 77KB this also isn't too big an issue.

The good news
The JSF and GlassFish teams are working on this. And I hope they get this fixed with one of the upcoming GlassFish releases. Thanks to Andy and Ed for the support here and for taking care.

Modularization and Rolling Upgrades
As I said in the introduction, this is only one example. I believe you could come up with more. And the voices calling for better modularization everywhere are getting louder. And they are right. If I or you had developed a complex project with all those cross dependencies we would have been kicked hard. Either by our customers or by our coworkers. So, even if we dropped that from the scope of EE 7, I am very much looking forward to having the possibility to integrate this into EE 8 at the latest. Another point here are the release cycles and the update policies for vendors. Even if GlassFish isn't broken by default and is a very stable server in general, you have other examples out there: let's look at the latest WebLogic 12c release. It has been released quite late compared to other EE 6 compliant servers. Bringing in some bugs and forcing Oracle to deliver a repackaged distribution later on. And even this isn't completely usable (Issue, Issue), forcing you to either be a paying customer to receive the fixes or stay off the product. Bottom line? I don't know. Something is wrong with the way it is today. We need to work harder to make EE a specification which can be used, updated and worked with. And I believe the next release shouldn't focus on first-level developer experience but on vendors and quality. What is a car worth that is easy to drive for everyone but breaks down frequently with bugs and missing spare parts?