Enterprise grade Java.
You'll read about Conferences, Java User Groups, Java, Integration, Reactive, Microservices and other technologies.

Friday, January 25, 2013

JDBC Realm and Form Based Authentication with GlassFish 3.1.2.2 and Primefaces 3.4

12:44 Friday, January 25, 2013 Posted by Test 17 comments:
One of the most popular posts on my blog is the short tutorial about the JDBC Security Realm and form based Authentication on GlassFish with Primefaces. After I received some comments about it that it isn't any longer working with latest GlassFish 3.1.2.2 I thought it might be time to revisit it and present an updated version. Here we go:

Preparation
As in the original tutorial I am going to rely on some stuff. Make sure to have a recent NetBeans 7.3 beta2 (which includes GlassFish 3.1.2.2) and the MySQL Community Server (5.5.x) installed. You should have verified that everything is up and running and that you can start both GlassFish and the MySQL Server.

Some Basics
A GlassFish authentication realm, also called a security policy domain or security domain, is a scope over which the GlassFish Server defines and enforces a common security policy. GlassFish Server is preconfigured with the file, certificate, and administration realms. In addition, you can set up LDAP, JDBC, digest, Oracle Solaris, or custom realms. An application can specify which realm to use in its deployment descriptor. If you want to store the user credentials for your application in a database your first choice is the JDBC realm.

Prepare the Database
Fire up NetBeans and switch to the Services tab. Right click the "Databases" node and select "Register MySQL Server". Fill in the details of your installation and click "ok". Right click the new MySQL node and select "connect". Now you see all the already available databases. Right click again and select "Create Database". Enter "jdbcrealm" as the new database name. Remark: We're not going to do all that with a separate database user. A separate user is highly recommended, but I am using the root user in this example. If you have a user you can also grant full access to it here. Click "ok". You get automatically connected to the newly created database. Expand the bold node and right click on "Tables". Select "Execute Command" or enter the table details via the wizard.

CREATE TABLE USERS (
  `USERID` VARCHAR(255) NOT NULL,
  `PASSWORD` VARCHAR(255) NOT NULL,
  PRIMARY KEY (`USERID`)
);

CREATE TABLE USERS_GROUPS (
  `GROUPID` VARCHAR(20) NOT NULL,
  `USERID` VARCHAR(255) NOT NULL,
  -- Composite key: with GROUPID alone as the key, a group could hold only one user
  PRIMARY KEY (`GROUPID`, `USERID`)
);

That is all for now with the database. Move on to the next paragraph.

Let GlassFish know about MySQL
First thing to do is to get the latest and greatest MySQL Connector/J from the MySQL website which is 5.1.22 at the time of writing this. Extract the mysql-connector-java-5.1.22-bin.jar file and drop it into your domain folder (e.g. glassfish\domains\domain1\lib). Done. Now it is finally time to create a project.

Basic Project Setup
Start a new Maven based web application project. Choose "New Project" > "Maven" > Web Application and hit next. Now enter a name (e.g. secureapp) and all the needed Maven coordinates and hit next. Choose your configured GlassFish 3+ Server. Select Java EE 6 Web as your EE version and hit "Finish".

Now we need to add some more configuration to our GlassFish domain. Right click on the newly created project and select "New > Other > GlassFish > JDBC Connection Pool". Enter a name for the new connection pool (e.g. SecurityConnectionPool) and underneath the checkbox "Extract from Existing Connection:" select your registered MySQL connection. Click next. Review the connection pool properties and click finish. The newly created Server Resources folder now shows your sun-resources.xml file. Follow the steps and create a "New > Other > GlassFish > JDBC Resource" pointing to the created SecurityConnectionPool (e.g. jdbc/securityDatasource). You will find the configured things under "Other Sources / setup" in a file called glassfish-resources.xml. It gets deployed to your server together with your application, so you don't have to care about configuring everything with the GlassFish admin console.

Additionally we still need Primefaces. Right click on your project, select "Properties", change to the "Frameworks" category and add "JavaServer Faces". Switch to the Components tab and select "PrimeFaces". Finish by clicking "OK". You can validate if that worked by opening the pom.xml and checking for the Primefaces dependency. 3.4 should be there. Feel free to change the version to latest 3.4.2.

Final GlassFish Configuration
Now it is time to fire up GlassFish and do the realm configuration. In NetBeans switch to the "Services" tab again and right click on the "GlassFish 3+" node. Select "Start" and watch the Output window for a successful start. Right click again and select "View Domain Admin Console", which should open your default browser pointing you to http://localhost:4848/. Select "Configurations > server-config > Security > Realms" and click "New..." on top of the table. Enter a name (e.g. JDBCRealm) and select the com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm from the drop down. Fill in the following values into the textfields:
JAAS: jdbcRealm
JNDI: jdbc/securityDatasource
User Table: users
User Name Column: username
Password Column: password
Group Table: groups
Group Name Column: groupname
Leave all the other defaults/blanks and select "OK" in the upper right corner. You are presented with a fancy JavaScript warning window which tells you to _not_ leave the Digest Algorithm field empty. I filed a bug about it. It defaults to SHA-256, which is different from GlassFish versions prior to 3.1, which used MD5 here. The older version of this tutorial didn't use a digest algorithm at all ("none"). This was meant to make things easier but isn't considered good practice at all. So, let's stick to SHA-256 even for development, please.

Secure your application
Done with configuring your environment. Now we have to actually secure the application. First part is to think about the resources to protect. Jump to your Web Pages folder and create two more folders. One named "admin" and another called "users". The idea behind this is, to have two separate folders which could be accessed by users belonging to the appropriate groups. Now we have to create some pages. Open the Web Pages/index.xhtml and replace everything between the h:body tags with the following:

 <h:body>
        Select where you want to go:
        <br />
        <h:link outcome="admin/index" value="To the admin section" /><br />
        <h:link outcome="users/index" value="To the user section" />
    </h:body>

Now add a new index.xhtml to both users and admin folders. Make them do something like this:
 <h:body>
        <h1>Hello Admin|User</h1>
        <br />
        <h:link outcome="/index" value="Back to Homepage" />
    </h:body>


On to the login.xhtml. Create it with the following content in the root of your Web Pages folder.
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:p="http://primefaces.org/ui"
      xmlns:h="http://java.sun.com/jsf/html">
    <h:head>
        <title>Login Form</title>
    </h:head>
    <h:body>
        <p:panel header="Login Form">
            <form method="POST" action="j_security_check">
                Username: <input type="text" name="j_username" />
                Password: <input type="password" name="j_password" />
                <br />
                <input type="submit" value="Login" />
                <input type="reset" value="Reset" />
            </form>
        </p:panel>
    </h:body>
</html>


As you can see, we have the basic Primefaces p:panel component which has a simple html form which points to the predefined action j_security_check. This is where all the magic is happening. You also have to include two input fields for username and password with the predefined names j_username and j_password. Now we are going to create the loginerror.xhtml which is displayed if the user did not enter the right credentials (use the same DOCTYPE and header as seen in the above example).
 <h:body>
        <p:panel header="Login Error">
            Sorry, you made an Error. Please try again: <a href="#{facesContext.externalContext.requestContextPath}/" >Login</a>
        </p:panel>
    </h:body>


The only magic here is the href link of the Login anchor. We need to get the correct request context and this could be done by accessing the faces context. If a user without the appropriate rights tries to access a folder he is presented a 403 access denied error page. If you like to customize it, you need to add it and add the following lines to your web.xml:
<error-page>
<error-code>403</error-code>
<location>/faces/403.xhtml</location>
</error-page>

That snippet defines that all requests that are not authorized should go to the 403 page. If you have the web.xml open already, let's start securing your application. We need to add a security constraint for any protected resource. Security Constraints are least understood by web developers, even though they are critical for the security of Java EE Web applications. Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via security constraints will mean that the web container will allow those requests. Security Constraints consist of Web Resource Collections (URL patterns, HTTP methods), Authorization Constraint (role names) and User Data Constraints (whether the web request needs to be received over a protected transport such as TLS).
 <security-constraint>
        <display-name>Admin Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Admin Area</web-resource-name>
            <description></description>
            <url-pattern>/faces/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>All Access</display-name>
        <web-resource-collection>
            <web-resource-name>None Protected User Area</web-resource-name>
            <description/>
            <url-pattern>/faces/users/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
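
The rule stated above (anything a constraint does not explicitly cover is allowed by the container) can be checked mechanically. The following is an added example, not code from the original post or from GlassFish: a small Python audit of web.xml security constraints. Both descriptors are constructed samples (the first condenses the tutorial's constraints), and the `audit` function, its finding codes and the hardened variant are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's two constraints, with the <http-method>
# entries condensed onto fewer lines. Namespace is the standard Java EE 6 one.
TUTORIAL_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Admin Area</web-resource-name>
      <url-pattern>/faces/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>HEAD</http-method><http-method>PUT</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>All Access</display-name>
    <web-resource-collection>
      <web-resource-name>None Protected User Area</web-resource-name>
      <url-pattern>/faces/users/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>HEAD</http-method><http-method>PUT</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened variant (an assumption of this example): no method list,
# so every HTTP method is covered, and TLS is required for the protected area.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Admin Area</web-resource-name>
      <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def audit(web_xml):
    """Return (display-name, code, detail) findings per security-constraint."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        name = (_texts(sc, "display-name") or ["(unnamed)"])[0]
        where = ", ".join(p for w in _children(sc, "web-resource-collection")
                          for p in _texts(w, "url-pattern"))
        if not _children(sc, "auth-constraint"):
            # No auth-constraint: the container serves these URLs without login.
            findings.append((name, "NO_AUTH", where + " needs no authentication"))
            continue
        for wrc in _children(sc, "web-resource-collection"):
            listed = sorted(m.upper() for m in _texts(wrc, "http-method"))
            if listed:
                # A method list narrows the constraint to exactly those methods;
                # any method missing from it is not covered by the role check.
                findings.append((name, "METHOD_LIST",
                                 "only %s are constrained" % "/".join(listed)))
        guarantee = [g.upper() for u in _children(sc, "user-data-constraint")
                     for g in _texts(u, "transport-guarantee")]
        if not guarantee or guarantee[0] == "NONE":
            # Form login posts j_password; NONE lets it travel over plain HTTP.
            findings.append((name, "CLEARTEXT", where + " does not require TLS"))
    return findings


if __name__ == "__main__":
    for label, doc in (("tutorial", TUTORIAL_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for finding in audit(doc) or [("-", "OK", "no findings")]:
            print(label, *finding, sep=" | ")
```

Run against the tutorial-style descriptor, the audit reports the method list and the missing transport guarantee on the admin area and the absent auth-constraint on the users area; the hardened variant produces no findings.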

If the constraints are in place you have to define how the container should challenge the user. A web container can authenticate a web client/user using either HTTP BASIC, HTTP DIGEST, HTTPS CLIENT or FORM based authentication schemes. In this case we are using FORM based authentication and define the JDBCRealm:
<login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JDBCRealm</realm-name>
        <form-login-config>
            <form-login-page>/faces/login.xhtml</form-login-page>
            <form-error-page>/faces/loginerror.xhtml</form-error-page>
        </form-login-config>
    </login-config>

The realm name has to be the name that you assigned the security realm before. Close the web.xml and open the sun-web.xml to do a mapping from the application role-names to the actual groups that are in the database. This abstraction feels weird, but it has some reasons. It was introduced to have the option of mapping application roles to different group names in enterprises. I have never seen this used extensively but the feature is there and you have to configure it. Other appservers do make the assumption that if no mapping is present, role names and group names do match. GlassFish doesn't think so. Therefore you have to put the following into the glassfish-web.xml. You can create it via a right click on your project's WEB-INF folder, selecting "New > Other > GlassFish > GlassFish Descriptor"
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>

That was it _basically_ ... everything you need is in place. The only thing that is missing are the users in the database. It is still empty ... We need to add a test user:

Adding a Test-User to the Database
And again we start by right clicking on the jdbcrealm database on the "Services" tab in NetBeans. Select "Execute Command" and insert the following:

INSERT INTO USERS VALUES ("admin", "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918");
INSERT INTO USERS_GROUPS VALUES ("admin", "admin");


You can login with user: admin and password: admin and access the secured area. Sample code to generate the hash could look like this:
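import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class PasswordTest {
    public static void main(String[] args) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            String text = "admin";
            md.update(text.getBytes("UTF-8")); // Change this to "UTF-16" if needed
            byte[] digest = md.digest();
            BigInteger bigInt = new BigInteger(1, digest);
            // Pad to 64 hex digits: toString(16) drops leading zeros, which
            // would yield a truncated value for digests starting with 0x0_
            String output = String.format("%064x", bigInt);

            System.out.println(output);
        } catch (NoSuchAlgorithmException | UnsupportedEncodingException ex) {
            Logger.getLogger(PasswordTest.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}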


Have fun securing your apps and keep the questions coming! In case you need it, the complete source code is on https://github.com/myfear/JDBCRealmExample

I'm speaking at OUGN Vårseminar, 17th-20th April 2013 in Oslo/Kiel

07:24 Friday, January 25, 2013 Posted by Test No comments:
I'm very proud to announce that I will be speaking at this year's Norwegian Oracle User Group (OUGN) Vårseminar. Not only because I am excited to visit Oslo again but mostly because of the unique venue. A full day at the Radisson Blu Scandinavia Hotel in Oslo is followed by the main part of the conference which is held on the Colour Magic Cruise Ferry sailing from Oslo to Kiel and back.

As far as I know, this is the only conference happening on a cruise ferry. I have seen the reports about last year's conference and was always wondering what cool event this would be. This year it is on me to bring Java and Java EE to another Oracle User Group Conference. And I can tell you, I have a bag full of stuff to talk about.

Thursday, April 18, 5pm-6pm
The Java EE Cloud Smackdown (P37)
With Java EE 7 cloud should have been added to the specification. Allowing for a broad ecosystem of PaaS providers to jump on the train. Because of the missing maturity and field experiences this has been delayed to EE 8. However there are some offerings on the market already. This talk throws light onto how they differentiate from each other and which ones are the right ones for Java EE. Featuring: CloudBees, OpenShift, Elastic Beanstalk, Jelastic and Oracle Java Service.

Friday, April 19, 5:45pm-6:45pm
WebLogic in the Cloud (P44)
The new Oracle Cloud offering has been launched at last year's OpenWorld. Now it is finally time to get your hands dirty and learn everything you need to know to develop your own applications for Oracle's Java Service.

Additionally there will be plenty of time to talk and exchange experiences. Thanks for the invitation! I am very much looking forward to seeing you there! Don't forget to have a look at the complete schedule and register if you haven't done so!

Report OOP Special Day Oracle

06:53 Friday, January 25, 2013 Posted by Test 1 comment:
Once a year the famous OOP conference is happening literally next to where I live. A 20 minute ride brings me down to Munich's trade fair center and the biggest hassle I have to cope with is parking. As usual I forgot to submit a talk and I was lucky to be invited by Oracle to speak at the Oracle Special Day.
For many years, OOP has been the meeting point for technical experts (architects, developers, requirements-engineers, testers, etc.), technical (project) managers and leaders in IT, because the conference allows gaining an excellent overview of the state-of-the-art in modern software engineering.
So, it is always worth getting a full conference ticket, but in case you can't, the special days are a nice alternative. They are free for pre-registered attendees and run the whole day. If you like, it's kind of a conference within the conference.
The Oracle Special Day was divided into three big areas. It began with a short update on the roadmap of the Java and Oracle universe (including JavaFX and ADF Mobile). Directly followed by a Java EE part where I introduced and showcased the Java Cloud Service and Adam Bien did a nice Java EE 6 introduction.
Adam doing Live-Coding with NetBeans

The last part was dedicated to three Hands-On-Labs where interested attendees could get a first impression on either JavaFX, ADF Mobile or Java EE 6 with GlassFish. With roughly 80 attendees this was quite a successful day and it was a pleasure to talk in my first language on a conference :)

Slides and Materials
The slides for the Java Cloud Service introduction can be found on Slideshare.

In the GlassFish HOL we used the following products:
NetBeans 7.3-beta2 Java EE Version
Java 1.7 JDK
The working materials have been prepared by Arun Gupta and can be downloaded from his blog javaee6-hol-glassfish.pdf. Thanks for all the hard work on that Arun! It worked like a charm!

The Oracle Special Day was fun! Many thanks to all the attendees for listening! Hope to meet you again somewhere around!

Thursday, January 24, 2013

Monday, January 21, 2013

The Heroes of Java: Coleen Phillimore

12:16 Monday, January 21, 2013 Posted by Test 3 comments:
The "Heroes of Java" series took a short break. After the first 20 it is time to start over in 2013. This time it is kind of an unexpected hero. During my ongoing search for the real heroes of Java I stumbled upon Coleen.

Coleen Phillimore
is a Hotspot veteran and hers and the work of many others build the cornerstones of every single line of Java ever written. I'm very happy that she joined my little series. Thanks to Marcus for getting me in touch!

General Part
Who are you?
I am a software engineer working on the Hotspot Java Virtual Machine at Oracle. I work in the runtime group and we work on startup and footprint optimizations, the interpreter, class file parsing, verification, internal class data representation, and interfaces to GC and the compilers. I've been doing this for a long time - 12 years at Sun then Oracle and about 30 years in the industry on various compilers for other languages.

Your official job title at your company?
My official title is "principle engineer" although most of us talk about our titles as IC<something>, where I think IC is "Individual Contributor".

Do you care about it? (the title)
I don't care a whole lot about titles.  Most of my co-workers are quite senior and have the same or one better title.

Do you speak foreign languages? Which ones?
I had a high school French.   I still remember some of the words but that's it.

How long is your daily "bootstrap" process? (Coffee, news, email)
My daily bootstrap process takes a couple hours.   Sometimes it takes longer so I don't make it into the office and work from home instead to save the driving.   I usually drink 3-4 cups of coffee while checking personal email and organizing some activity for my teenage son.   I also have my Oracle email configured in Thunderbird, so when I run out of home email, I start answering these emails.   I might do some code reviews and reply to colleagues in Stockholm or Australia or an earlier time zone.

Twitter
You have a twitter handle? Why?
No, I really haven't figured out why I would have a twitter account or follow anyone on it (sorry this is boring).

Work
What's your daily development setup? (OS/IDE/VC/other Tools)
I have just installed Ubuntu 12.04 on some Dell 4 way system in my office. We have racks of different types of virtual machines at Oracle somewhere that we use to test on different platforms. It's all virtualized now.

Which is the tool providing most productivity to your work?
In general, I am as about as low tech as it gets.  I mostly use vim, make, gcc and gdb.   grep -r is my IDE.

Your preferred way of interacting with co-workers?
My co-workers are all over the world. We have very long email threads. I do have some coworkers in my office and we actually talk in person and can draw pictures on whiteboards to explain things.   This is my preference but it's impractical for everyone. Some of us use IM which is better than email.

What's your favorite way of managing your todo's?
I keep lists with arrows in front of these items in a spiral notebook.   Was this supposed to be some high tech gadget?   I'm the boringest tech person ever.

If you could make a wish for a job at your favorite company: What would that be?
Well, working at Oracle on the JVM is really fun. We don't seem to run out of ideas for improvements and code to write.   My husband's company Abinitio would be great to work at because they all went to the Galapagos but they won't say what they do.

Java
You're programming in Java. Why?
I am actually not coding in Java. The Hotspot JVM is written in C++. There's an openjdk project to write the JVM, or at least parts of it in Java, called Graal. That would be cool to work on when it's closer to a product.

What's your personal favorite in dynamic languages?
I haven't had time to learn and use dynamic languages yet, but all the runtime support underneath these dynamic languages is in the JVM. We've had to change assumptions that we've made for Java to accommodate these new languages. It's totally cool that there's this whole world on top of the JVM but it's also a lot of pressure to make it faster, better, smaller and more reliable.

What was the biggest project you've ever worked on?
Last summer, a few of us completed a project where we moved Java class metadata from the Java heap, aka PermGen, to a different heap area. This probably seems counter intuitive to a Java programmer because now we have to use explicit memory management and not let the garbage collector do the work. There were a lot of problems with managing our JVM memory through the garbage collectors and the memory for class metadata was limited by this. We were finding many applications that load too many classes and would get OutOfMemoryError on PermGen which wasn't recoverable. This project changed most of the JVM and removed a ton of code, which is sort of my favorite thing to do.

Which was the worst programming mistake you did?
I tend to be a code environmentalist - reduce, reuse and recycle and all that. Most of my programming mistakes have been to remove code and find out that it was in fact needed.

Monday, January 14, 2013

I'm speaking at Devoxx UK 2013, 26th-27th March 2013 in London

10:42 Monday, January 14, 2013 Posted by Test No comments:
Here we go! I'm excited to speak at first ever Devoxx UK this year! After the tremendous success of the flagship in Belgium and the French spin-off this is the second Devoxx offspring. Hosted by Ben and Martijn and held at the Business Design Center in London, UK.
The Business Design Center is a beautiful former agricultural hall from Victorian days. It's situated only one stop away from Kings Cross/St Pancras (Eurostar terminal in the heart of London) and is on a street famed for its pubs, cafes and restaurants - nom nom! The venue is fully wheelchair accessible and we'll have it decked out in full Devoxx regalia. You can find more details on the Devoxx UK venue page.
Devoxx is renowned for bringing in the who's who of the Java and Software Development worlds as well as showcasing talent from the local development community. Devoxx UK is no different! A couple of Rockstar speakers have already confirmed!

I'm talking about the:
Seven Deadly Sins
Have you ever wondered what the worst mistakes in your Java EE projects could be? Lets call them the seven deadly sins and walk through them and save you and your projects from eternal damnation.

Don't forget to organize the two days off on the 26th and 27th of March to join the London Java Community and the merry Knights of Devoxx UK at the Business Design Center in London, UK. For further updates follow @DevoxxUK. I'm very much looking forward to meeting you there!

Friday, January 11, 2013

Selecting Your Java EE 6 Application Server

11:10 Friday, January 11, 2013 Posted by Test 12 comments:
The number one question I get asked is: "Which Java EE Application server should we use?". With the growing adoption of Java EE 6, new compatible application servers get certified. The current official compatibility and certification matrix lists 12 different products certified for the Full Profile, the Web Profile or both. If you are going to start a new project on a green field, which decision would you make? Here is what I do trying to narrow the solution space down.

The Players
What does the bouquet to pick from look like? Very colorful. Beside the well known names like IBM, SAP, RedHat, Apache and Oracle we also have lesser known names in the list. Caucho's Resin, Apache's TomEE, OW2's JOnAS and SAP's NetWeaver Cloud are Web Profile only certified. All the others reached a Full Profile certification.
A full list of our participants with some further details is contained in the following table:

| Appserver | Vendor | License | Profile | Vendor Support Available | Java Version |
|---|---|---|---|---|---|
| GlassFish Server 3.01 | Oracle | OTN / Commercial | FP | Yes | HotSpot 6/7 |
| GlassFish Server Open Source Edition 3.x | Oracle | GPL + CDDL | FP | No | HotSpot 6/7 |
| WebSphere Application Server 8.x | IBM | Commercial (prod+dev) | FP | Yes | IBM JVM 7 |
| WebSphere Application Server Community Edition 3.0 | IBM | IBM International License Agreement for Non-Warranted Programs | FP | Yes | IBM JVM 7 |
| JEUS 7 | TMAX | Commercial | FP | Yes | HotSpot 6 |
| Interstage Application Server powered by Windows Azure | Fujitsu | Commercial | FP | Yes | HotSpot 6 |
| Interstage Application Server v10.1 | Fujitsu | Commercial | FP | Yes | HotSpot 6 |
| Geronimo 3.0-beta-1 | Apache | Apache 2.0 | FP | No | HotSpot 6 |
| WebLogic Server 12.1.1 | Oracle | Commercial / Free for Dev | FP | Yes | HotSpot 6/7 |
| uCosminexus Application Server v9.0 | Hitachi | Commercial | FP | Yes | ? |
| JBoss Application Server 7.x | RedHat | LGPL | FP | No | HotSpot 6 |
| JBoss Enterprise Application Platform 6 | RedHat | LGPL / Commercial | FP | Yes | HotSpot 6 |
| Resin 4.0.17 | Caucho | GPL "Resin Open Source" version "Resin Professional" Commercial | WP | Yes | HotSpot 6 |
| TomEE 1.0 | Apache | Apache 2.0 | WP | No | HotSpot 6/7 |
| JOnAS 5.3.0-M8-SNAPSHOT | OW2 | LGPL | WP | No | HotSpot 6/7 |
| NetWeaver Cloud | SAP | Commercial | WP | Yes | SAP Java Server VM 1.6 |

Looking at your Requirements
The good message first. All the application servers listed on the compatibility matrix passed the Java EE 6 TCK (Technology Compatibility Kit) which basically means, that they deliver the same kind of functionality related to Java EE 6. Even if this contains a decent area of fuzziness due to many reasons. One is, that no TCK covers 100% of the specified features. But I'm sure you can come up with other reasons. What basically is a good message leaves you wondering which could be the right set of requirements to compare instead? It is obviously not a complete technical set of metrics but a combination of different aspects.
A simple example set of metrics could be the following:
- Source Code License (OSS or Commercial)
- License Costs (free for development and production)
- Support (development and/or production support available)
- Certified Java Version (6.0, 7.0 / HotSpot / Proprietary JVM)
- Java EE 6 profile (Full or Web Profile)
This is by far too little if you are doing a full blown product selection. You most likely are going to look at metrics from different categories (e.g. functional, non-functional, corporate, financial aspects) but for now this should be sufficient.

The Selection Process
Let's do it: On to the selection process in this simple example.
First a little disclaimer: This is a very very simplified selection process which really doesn't dig into all the dirty little details. It is only meant as a rough methodology idea for your own selection process! So, if anybody is unhappy about what I did, I am happy to read about it in the comments!
We are looking for an OSS server which supports the Java EE 6 Full Profile. That means we are going to kill all the commercial servers and the Web Profile only ones:

| Appserver | Vendor | License | Profile | Vendor Support Available | Java Version |
|---|---|---|---|---|---|
| GlassFish Server 3.01 | Oracle | OTN / Commercial | FP | Yes | HotSpot 6/7 |
| GlassFish Server Open Source Edition 3.x | Oracle | GPL + CDDL | FP | No | HotSpot 6/7 |
| WebSphere Application Server Community Edition 3.0 | IBM | IBM International License Agreement for Non-Warranted Programs | FP | Yes | IBM JVM 7 |
| Geronimo 3.0-beta-1 | Apache | Apache 2.0 | FP | No | HotSpot 6 |
| JBoss Application Server 7.x | RedHat | LGPL | FP | No | HotSpot 6 |
| JBoss Enterprise Application Platform 6 | RedHat | LGPL / Commercial | FP | Yes | HotSpot 6 |

Five left. Two which are questionable from a license point of view. Both JBoss EAP 6 and Oracle GlassFish Server do have a commercial license (as to my understanding) but they still rely on the OSS server products and the licensed version is only relevant if you want to have support. With the next step I am going to kick all the servers which don't offer vendor support:

| Appserver | Vendor | License | Profile | Vendor Support Available | Java Version |
|---|---|---|---|---|---|
| GlassFish Server 3.01 | Oracle | OTN / Commercial | FP | Yes | HotSpot 6/7 |
| WebSphere Application Server Community Edition 3.0 | IBM | IBM International License Agreement for Non-Warranted Programs | FP | Yes | IBM JVM 7 |
| JBoss Enterprise Application Platform 6 | RedHat | LGPL / Commercial | FP | Yes | HotSpot 6 |

Which brings us down to three. Still not really a single result. Now let's intentionally remove IBM because they are not certified on HotSpot but use their own IBM JVM J9.

| Appserver | Vendor | License | Profile | Vendor Support Available | Java Version |
|---|---|---|---|---|---|
| GlassFish Server 3.01 | Oracle | OTN / Commercial | FP | Yes | HotSpot 6/7 |
| JBoss Enterprise Application Platform 6 | RedHat | LGPL / Commercial | FP | Yes | HotSpot 6 |

That leaves us with JBoss AS 7 and GlassFish as the only real options today according to my little evaluation.


Recommendation

One could call me afraid of selecting a single winner here. If you know me, you know that this simply isn't true. Given the initial metrics this is exactly the outcome, and obviously the selected metrics are not sufficient to appoint a clear winner.
If you need a final recommendation you have to tweak the metrics to your needs. I would recommend looking a little bit further into:
- Market reach (e.g. downloads/customers/etc.)
- Maturity (e.g. availability in years since EE 6 final version)
- Development Performance (e.g. Startup-Time/IDE integration)

Remark:
I'm sorry for the fact that I mixed the commercial offerings from Oracle and RedHat with the related OSS servers a bit. Insisting on an OSS server would have led to a knock-out in combination with the vendor support requirement. Given the fact that I really don't want to propose using AS7.1.1.Final to anybody (see a very nice summary of the reasons done by henk), I personally think that it is fair to recommend the commercial side for both servers.

Thursday, January 10, 2013

Testdriving Mojarra 2.2.0-m08 on GlassFish 3.1.2.2

09:16 Thursday, January 10, 2013 Posted by Test No comments:
We just slipped into 2013 and after a wonderful holiday season it is time to kick off the new posting season on my blog. With all the Java EE 7 specifications moving forward it is finally time to test-drive some of them and give feedback. If you are brave enough you could indeed take the latest GlassFish 4.0 nightly or promoted builds and test the complete integrated suite of specifications. If you have limited time and want some more reliable setup to look at you could also test-drive stuff on the latest GlassFish 3.1.2.2 release.

Installing JSF 2.2
As expected this isn't as convenient as we are used to. Instead of simply packaging the snapshot dependency into your web-app and turning the classloader around, you will have to replace the bundled module in glassfish/modules for the complete server. I opened a bug on this and hope to get this fixed in the near future. JSF 2.2 is backward compatible with Java EE 6 containers and it should be possible to package it in your app. For now just get the latest Mojarra JSF 2.2.0 Milestone 8 release (javax.faces-2.2.0-m08.jar) and drop it into the glassfish/modules folder. Now rename or move the original javax.faces.jar to a safe place. Don't forget to empty the osgi-cache folder of your domain (e.g. glassfish\domains\domain1\osgi-cache). Start your domain and keep an eye on the log-file to spot the Mojarra version:
Mojarra 2.2.0-m08 (-SNAPSHOT 20130107-2105 https://svn.java.net/svn/mojarra~svn/tags/2.2.0-m08@11337)
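
The module swap described above, scripted for a Unix-like host with a digest record and a rollback path. This is an added example, not part of the original post or of GlassFish; the function names, argument order and backup directory layout are assumptions, and the domain must be stopped while it runs.

```shell
#!/bin/sh
# Added example (not GlassFish tooling). Function names, argument order and the
# backup layout are assumptions. Run only while the domain is stopped.

hash_file() {   # SHA-256 of one file, with a fallback for systems without sha256sum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

empty_osgi_cache() {   # remove the cache contents but keep the directory itself
    find "$1" -mindepth 1 -delete
}

# swap_mojarra GLASSFISH_DIR NEW_JAR DOMAIN BACKUP_DIR
swap_mojarra() {
    gf=$1; new_jar=$2; domain=$3; backup=$4
    bundled="$gf/modules/javax.faces.jar"
    cache="$gf/domains/$domain/osgi-cache"
    # Refuse to touch anything unless all three inputs are where we expect them.
    [ -f "$new_jar" ] || { echo "missing $new_jar" >&2; return 1; }
    [ -f "$bundled" ] || { echo "no bundled jar at $bundled" >&2; return 1; }
    [ -d "$cache" ]   || { echo "no osgi-cache at $cache" >&2; return 1; }
    mkdir -p "$backup" || return 1
    # Record the digests of the bundled and the replacement jar for later audit.
    hash_file "$bundled" >> "$backup/swap.sha256" || return 1
    hash_file "$new_jar" >> "$backup/swap.sha256" || return 1
    # Keep the original outside modules/ so the server loads only one JSF jar.
    mv "$bundled" "$backup/javax.faces.jar.orig" || return 1
    cp "$new_jar" "$gf/modules/" || return 1
    empty_osgi_cache "$cache"
}

# rollback_mojarra GLASSFISH_DIR NEW_JAR_NAME DOMAIN BACKUP_DIR
rollback_mojarra() {
    gf=$1; jar_name=$2; domain=$3; backup=$4
    [ -f "$backup/javax.faces.jar.orig" ] || return 1
    rm -f "$gf/modules/$jar_name"
    mv "$backup/javax.faces.jar.orig" "$gf/modules/javax.faces.jar" || return 1
    empty_osgi_cache "$gf/domains/$domain/osgi-cache"
}

# mojarra_version_in_log SERVER_LOG: last Mojarra version the server reported
mojarra_version_in_log() {
    grep -o 'Mojarra [0-9][^ ]*' "$1" | tail -n 1
}
```

Because the replacement applies to every application on the server, compare the recorded digest of the milestone jar with the one published at its download location before starting the domain.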

Test-driving new features
Now go ahead and create a new web project in your favorite IDE. If you are using Maven, declare the needed dependency as provided and go ahead and implement some of the new features.
<dependency>
    <groupId>org.glassfish</groupId>
    <artifactId>javax.faces</artifactId>
    <version>2.2.0-m08</version>
    <scope>provided</scope>
</dependency>
There is a great overview post, "What's new in JSF 2.2?", which is a great starting point. Don't forget to check back with the linked JIRA issues to see the latest implementation status of all the features.
Mr. JSF Ed Burns himself gave a great one-hour introduction at last year's JavaOne titled "What's New in JSF: A Complete Tour of JSF 2.2", which includes links to all the relevant information and gives a comprehensive overview of the different feature categories. Find the slides and the captured presentation for free on the JavaOne Content Catalog page.

Feature Summary
Six Big Ticket Features (JIRA): HTML5 Friendly Markup Support, Faces Flows, Cross Site Request Forgery Protection, Loading Facelets via ResourceHandler, File Upload Component, Multi-Templating

28 Medium Sized Features (JIRA) in the following areas: Components/Renderers, Facelets, Lifecycle, Managed Beans, Resources

44 Bug Fixes (JIRA) in different areas: Components/Renderers, Ajax, Specification errors and clarifications, EL, Facelets, Lifecycle, Resources

Keep an eye on the progress
It is easy to follow the changes in the JSF space, most likely because of the very transparent and open way the spec lead is driving it. There are public java.net projects for both the specification and the implementation and you are free to join the specification mailing-lists. There are also issue trackers for both the specification and the implementation and you can also have a look at the updated planning by visiting http://jsf-spec.java.net/planning/.
Furthermore, it is always a good idea to follow Manfred Riem and Ed Burns on Twitter. The JSF specification also has its own Twitter handle (@jsf_spec).

Give Feedback
Most important is to give feedback. Send comments regarding the specification to the users mailing-list and vote on issues you want to see solved. Another good idea is to help the project by following the Adopt-a-JSR for Java EE 7 guidelines for JavaServer Faces 2.2 (JSR 344).