Group items tagged

by the container in order to realize common use cases

An interface becomes a vehicle for encapsulation or abstraction,

“Interfaces are used to encode similarities which the classes of various types share, but do not necessarily constitute a class relationship. For instance, a human and a parrot can both whistle; however, it would not make sense to represent Humans and Parrots as subclasses of a Whistler class. Rather they would most likely be subclasses of an Animal class (likely with intermediate classes), but both would implement the Whistler interface.” [http://en.wikipedia.org/wiki/Java_interface]

Extensive use of interfaces derives from a

Premature Extensibility Is the Root of Some Evil

The number of artifacts will double and you will have to introduce a configuration facility

JPA 2.0, still contains only a subset of the features supported by many database vendors

features not supported in JP QL.

performance required by an application is to replace the JP QL query with a hand-optimized SQL version. This may be a simple restructuring of the query that the persistence provider was generating, or it may be a vendor-specific version that leverages query hints and features specific to a particular database.

recommend avoiding SQL initially if possible and then introducing it only when necessary

benefits of SQL query support is that it uses the same Query interface used for JP QL queries. With some small exceptions that will be described later, all the Query interface operations discussed in previous chapters apply equally to both JP QL and SQL queries.

keep application code consistent because it needs to concern itself only with the EntityManager and Query interfaces.

An unfortunate result of adding the TypedQuery interface in JPA 2.0 is that the createNativeQuery() method was already defined in JPA 1.0 to accept a SQL string and a result class and return an untyped Query interface

consequence is that when the createNativeQuery() method is called with a result class argument one might mistakenly think it will produce a TypedQuery, like createQuery() and createNamedQuery() do when a result class is passed in.

@NamedNativeQuery

resultClass=Employee.class

The fact that the named query was defined using SQL instead of JP QL is not important to the caller

SQL Result Set Mapping

JPA provides SQL result set mappings to handle these scenarios

A SQL result set mapping is defined using the @SqlResultSetMapping annotation. It may be placed on an entity class and consists of a name (unique within the persistence unit) and one or more entity and column mappings.

entities=@EntityResult(entityClass=Employee.class)

@SqlResultSetMapping

Multiple Result Mappings

A query may return more than one entity at a time

The SQL result set mapping to return both the Employee and Address entities out of this query

emp_id, name, salary, manager_id, dept_id

address_id, id, street, city, state, zip

order in which the entities are listed is not important

ntities={@EntityResult(entityClass=Employee.class), @EntityResult(entityClass=Address.class)}

Write unit tests

without involving the EntityManager

Let the tool (JPA-provider) generate the DDL

If you introduce interfaces intentionally - and not as a general rule, you will considerably reduce the number of files. Your code becomes easier to understand and so maintain

"Contract First", "Coding To Interfaces" or "Decoupling"

do not at all describe "who" is able to perform the action(s)

Multiple Parts

Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query

Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query

All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage

simply becomes this: printer:*

Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.

Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true

Instance-Level Access Control

instance-level Access Control Lists

Checking Permissions

SecurityUtils.getSubject().isPermitted("printer:print:lp7200")

printer:*:*

all actions on a single printer

printer:*:lp7200

missing parts imply that the user has access to all values corresponding to that part

printer:print is equivalent to printer:print:*

Missing Parts

rule of thumb is to

when performing permission checks

first part is the

that is being operated on (printer)

second part is the

(query) being performed

three parts - the first is the

the second is the

third is the

allow access to

can only leave off parts from the end of the string

Performance Considerations

runtime implication logic must execute for

implicitly using Shiro's default

which executes the necessary implication logic

When using permission strings like the ones shown above, you're

Shiro's default behavior for Realm

for every permission check

need to be checked individually for implication

as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase

If a Realm implementor has a

more efficient way of checking permissions and performing this implication logic

should implement that as part of their

implies

user:*:12345

user:update:12345

printer

implies

printer:print

Implication, not Equality

permission

are evaluated by

logic - not equality checks

the former implies the latter

superset of functionality

implication logic can be executed at runtime

All managed entity instances are unique in a Tide context

Tide keeps the classic three layers web architecture, when LCDS removes the service layer, and is some kind of remote JPA provider for Flex applications

Tide approach is to minimize the amount of code needed to make things work between the client and the server

principles are very similar to the ones of JBoss Seam, which is the main reason why the first integration of Tide has been done with this framework. Integrations with Spring, EJB 3 and CDI are also available

need to compile your MXML/AS sources with the granite-essentials.swc and granite.swc libraries

contains all the remoting and messaging configuration of the application. There are three main sections: channels, factories and services.

Tells the security interceptor to check the permission using "contact" as the resource name, not "contactmanager" inflected from the class name ContactManager

@NamedResource("contact")

org.granite.gravity.tomcat.GravityTomcatServlet

/gravityamf/*

6.3.1. Supported Application Servers

GraniteDS provides a generic servlet implementation that can work in any compliant servlet container

blocking IO and thus will provide relatively limited scalability

GraniteDS thus provides implementations of non blocking messaging for the most popular application servers.

asynchronous non blocking servlets

JBoss 5+org.granite.gravity.jbossweb.GravityJBossWebServletOnly with APR/NIO enabled (APR highly recommended)

GlassFish 3.xorg.granite.gravity.async.GravityAsyncServletUsing Servlet 3.0

Tomcat 7.x / Jetty 8.xorg.granite.gravity.async.GravityAsyncServletUsing Servlet 3.0

 enabled="{identity.hasRole('admin')}"

button labeled Delete will be enabled only if the user has the role admin

a) stop writing dynamic queries

b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)

Option #3: Escaping all User Supplied Input

Additional Defenses:

Perform: White List Input Validation

Primary Defenses

Defense Option 1: Prepared Statements (Parameterized Queries)

attacker is not able to

of a query, even if SQL commands are inserted by an attacker

allows the database to

distinguish

between

Defense Option 3: Escaping All User Supplied Input

The discussion whether or not to use Spring vs. Java EE for new enterprise Java applications is a no-brainer

Why migrate?

since then fallen a prey to the hungry minds of Venture Capitalists and finally into the hands of a virtualization company called VMware

While the different companies and individuals behind the Spring framework have been doing some work in the JCP their voting behavior on important JSRs is peculiar to say the least

outdated ORM solution like JDBC templates

some developers completely stopped looking at new developments in the Java EE space and might have lost track of the current state of technology

size of the deployment archive

fairly standard Java EE 6 application will take up about 100 kilobytes

comparable Spring application weighs in at a whopping 30 Megabytes!

Lightweight

Firing up the latest JBoss AS 7 Application Server from scratch and deploying a full blown Java EE 6 application into the server takes somewhere between two and five seconds on a standard machine. This is in the same league as a Tomcat / Spring combo

Dependency injection

Java EE 6, the Context and Dependency Injection (CDI) specification was introduced to the Java platform, which has a very powerful contextual DI model adding extensibility of injectable enterprise services

Aspect Oriented Programming

“AOP Light” and this is exactly what Java EE Interceptors do

common pitfall when taking AOP too far is that your code might end up all asymmetric and unreadable. This is due to the fact that the aspect and its implementation are not in the same place. Determining what a piece of code will do at runtime at a glance will be really hard

Testing

With Arquillian we can get rid of mocking frameworks and test Java EE components in their natural environment

Tooling

capabilities comparison matrix below to map Spring’s technology to that of Java EE

Capability Spring JavaEE Dependency Injection Spring Container CDI Transactions AOP / annotations EJB Web framework Spring Web MVC JSF AOP AspectJ (limited to Spring beans) Interceptors Messaging JMS JMS / CDI Data Access JDBC templates / other ORM / JPA JPA RESTful Web Services Spring Web MVC (3.0) JAX-RS Integration testing Spring Test framework Arquillian *

and allows data modifications to be queued up (like a shopping cart),

EXTENDED

is managed by the underlying persistence provider.

an entity is new if it has just been instantiated using the new operator, and it is not associated with a persistence context. It has no persistent representation in the database and no identifier value has been assigned.

a managed entity instance is an instance with a persistent identity that is currently associated with a persistence context.

the entity instance is an instance with a persistent identity that is no longer associated with a persistence context, usually because the persistence context was closed or the instance was evicted from the context.

a removed entity instance is an instance with a persistent identity, associated with a persistence context, but scheduled for removal from the database.

Replacing the current Hibernate 4.0.x jars with a newer version

update the current as7/modules/org/hibernate/main folder

Delete *.index files in as7/modules/org/hibernate/main and as7/modules/org/hibernate/envers/main folders

Remove the older jars and copy new Hibernate jars into as7/modules/org/hibernate/main + as7/modules/org/hibernate/envers/main.

Update the as7/modules/org/hibernate/main/module.xml

as7/modules/org/hibernate/envers/main/module.xml to name the jars that you copied in.

TomEE+

OpenEJB

Java API for XML Web Services (JAX-WS) Java API for RESTful Web Services (JAX-RS) Java EE Connector Architecture Java Messaging Service (JMS)

Java Servlets Java ServerPages (JSP) Java ServerFaces (JSF) Java Transaction API (JTA)

Interceptor classes and methods are defined using metadata annotations, or in the deployment descriptor of the application containing the interceptors and target classes

Interceptor Metadata Annotations

Interceptor classes must have a public, no-argument constructor

@Asynchronous

@Asynchronous

simple to use

as a return type and to receive a result asynchronously