Group items tagged

The catch comes when you look at the

there is hardly any behavior on these objects, making them little more than bags of getters and setters

I was chatting with

fundamental horror

it's so contrary to the basic idea of object-oriented design

data and process together

procedural style design

completely miss the point of what object-oriented design is all about

It's also worth emphasizing that putting behavior into the domain objects

One source of confusion in all this is that many OO experts do recommend putting a layer of procedural services on top of a domain model, to form a Service Layer

this isn't an argument to make the domain model

service layer advocates use a service layer in conjunction with a behaviorally rich domain model.

does not contain business rules or knowledge, but

data background

J2EE's Entity Beans

Benefit

Violation of the encapsulation

domain model's objects cannot guarantee their correctness

Necessitates a service layer when sharing domain logic across differing consumers of an object model.

Makes a model less expressive and harder to understand.

Facilitates code duplication among transactional scripts and similar use cases, reduces code reuse.

Liabilities

Liabilities

Liabilities

Individuals: instances or objects

Attributes: aspects, properties, features, characteristics, or parameters

Relations: ways in which classes and individuals can be related to one another

Function terms:

Restrictions: formally stated descriptions of what must be true in order for some assertion to be accepted as input

Rules: statements in the form of an if-then (antecedent-consequent) sentence that describe the logical inferences that can be drawn from an assertion in a particular form

Axioms: assertions (including rules) in a logical form

Events: the changing of attributes or relations

Changes for Hibernate 3.5 applications

if your application uses Hibernate 3 classes that are not available in Hibernate 4, for example, some of the validator or search classes, you may see ClassNotFoundExceptions when you deploy your application. If you encounter this problem, you can try one of two approaches: You may be able to resolve the issue by copying the specific Hibernate 3 JARs containing those classes into the application "/lib" directory or by adding them to the classpath using some other method. In some cases this may result in ClassCastExceptions or other class loading issues due to the mixed use of the Hibernate versions, so you will need to use the second approach. You need to tell the server to use only the Hibernate 3 libraries and you will need to add exclusions for the Hibernate 4 libraries. Details on how to do this are described here: JPA Reference Guide.

In previous versions of the application server, the JCA data source configuration was defined in a file with a suffix of *-ds.xml. This file was then deployed in the server's deploy directory. The JDBC driver was copied to the server lib/ directory or packaged in the application's WEB-INF/lib/ directory. In AS7, this has all changed. You will no longer package the JDBC driver with the application or in the server/lib directory. The *-ds.xml file is now obsolete and the datasource configuration information is now defined in the standalone/configuration/standalone.xml or in the domain/configuration/domain.xml file. A JDBC 4-compliant driver can be installed as a deployment or as a core module. A driver that is JDBC 4-compliant contains a META-INF/services/java.sql.Driver file that specifies the driver class name. A driver that is not JDBC 4-compliant requires additional steps, as noted below.

DataSource Configuration

domain mode, the configuration file is the domain/configuration/domain.xml

standalone mode, you will configure the datasource in the standalone/configuration/standalone.xml

MySQL datasource element:

        <connection-url>jdbc:mysql://localhost:3306/YourApplicationURL</connection-url>        <driver-class> com.mysql.jdbc.Driver </driver-class>        <driver> mysql-connector-java-5.1.15.jar </driver>

       <security>            <user-name> USERID </user-name>            <password> PASSWORD</password>        </security>

example of the driver element for driver that is not JDBC 4-compliant. The driver-class must be specified since it there is no META-INF/services/java.sql.Driver file that specifies the driver class name.

 <driver-class>com.mysql.jdbc.Driver</driver-class>

JDBC driver can be installed into the container in one of two ways: either as a deployment or as a core module

Install the JDBC driver

Install the JDBC driver as a deployment

In AS7 standalone mode, you simply copy the JDBC 4-compliant JAR into the AS7_HOME/standalone/deployments directory

example of a MySQL JDBC driver installed as a deployment:     AS7_HOME/standalone/deployments/mysql-connector-java-5.1.15.jar

length must be at least 128 bits (16 bytes)

Session ID Length

Session ID Name Fingerprinting

Session ID Properties

Session ID Entropy

must be unpredictable (random enough) to prevent guessing attacks

good PRNG (Pseudo Random Number Generator) must be used

must provide at least 64 bits of entropy

Session ID Content (or Value)

content (or value) must be meaningless

identifier on the client side

meaning and business or application logic associated to the session ID must be stored on the server side

session objects or in a session management database or repository

create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).

Session Management Implementation

defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID

token expiration date and time

This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods

Transport Layer Security

use an encrypted HTTPS (SSL/TLS) connection for the entire web session

process where the user credentials are exchanged.

“Secure” cookie attribute

must be used to ensure the session ID is only exchanged through an encrypted channel

never switch a given session from HTTP to HTTPS, or viceversa

should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)

should not offer public unencrypted contents and private encrypted contents from the same host

www.example.com over HTTP (unencrypted) for the public contents

secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)

only has port TCP/80 open

only has port TCP/443 open

“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.

Secure Attribute

instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection

HttpOnly Attribute

instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object

Domain and Path Attributes

instructs web browsers to only send the cookie to the specified domain and all subdomains

instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application

vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com

Expire and Max-Age Attributes

it will be considered a

and will be stored on disk by the web browser based until the expiration time

use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.

Session ID Life Cycle

file listed under the filename parameter can be deployed to the server using the deploy goal

deploy

redeploy

undeploy

<phase>install</phase>

<goal>deploy</goal>

Deploying other artifacts

possible to deploy other artifacts that are not related to your deployment, e.g. database drivers:

<phase>install</phase>

<goal>deploy-artifact</goal>

<configuration> <groupId>postgresql</groupId> <artifactId>postgresql</artifactId> <name>postgresql.jar</name> </configuration>

artifact must be already listed as a dependency in the projects pom.xml.

Deploying your application in domain mode.

add the domain tag as well as specify at least one server group.

<domain> <server-groups> <server-group>main-server-group</server-group> </server-groups> </domain>

Write unit tests

without involving the EntityManager

Let the tool (JPA-provider) generate the DDL

do not at all describe "who" is able to perform the action(s)

Multiple Parts

Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query

Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query

All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage

simply becomes this: printer:*

Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.

Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true

Instance-Level Access Control

instance-level Access Control Lists

Checking Permissions

SecurityUtils.getSubject().isPermitted("printer:print:lp7200")

printer:*:*

all actions on a single printer

printer:*:lp7200

missing parts imply that the user has access to all values corresponding to that part

printer:print is equivalent to printer:print:*

Missing Parts

rule of thumb is to

when performing permission checks

first part is the

that is being operated on (printer)

second part is the

(query) being performed

three parts - the first is the

the second is the

third is the

allow access to

can only leave off parts from the end of the string

Performance Considerations

runtime implication logic must execute for

implicitly using Shiro's default

which executes the necessary implication logic

When using permission strings like the ones shown above, you're

Shiro's default behavior for Realm

for every permission check

need to be checked individually for implication

as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase

If a Realm implementor has a

more efficient way of checking permissions and performing this implication logic

should implement that as part of their

implies

user:*:12345

user:update:12345

printer

implies

printer:print

Implication, not Equality

permission

are evaluated by

logic - not equality checks

the former implies the latter

superset of functionality

implication logic can be executed at runtime

this annotation bypasses the management layer and as such it is recommended only for development and testing purposes

Defining a Managed DataSource

Installing a JDBC driver as a deployment

Installing the JDBC Driver

deployment or as a core module

managed by the application server (and thus take advantage of the management and connection pooling facilities it provides), you must perform two tasks.  First, you must make the JDBC driver available to the application server; then you can configure the data source itself.  Once you have performed these tasks you can use the data source via standard JNDI injection.

recommended way to install a JDBC driver into the application server is to simply deploy it as a regular JAR deployment.  The reason for this is that when you run your application server in domain mode, deployments are automatically propagated to all servers to which the deployment applies; thus distribution of the driver JAR is one less thing for administrators to worry about.

Note on MySQL driver and JDBC Type 4 compliance: while the MySQL driver (at least up to 5.1.18) is designed to be a Type 4 driver, its jdbcCompliant() method always return false. The reason is that the driver does not pass SQL 92 full compliance tests, says MySQL. Thus, you will need to install the MySQL JDBC driver as a module (see below).

Installing a JDBC driver as a module

<module xmlns="urn:jboss:module:1.0" name="com.mysql">  <resources>    <resource-root path="mysql-connector-java-5.1.15.jar"/>  </resources>  <dependencies>    <module name="javax.api"/>  </dependencies></module>

jboss-7.0.0.<release>/modules/com/mysql/main

define your module with a module.xml file, and the actual jar file that contains your database driver

content of the module.xml file

Under the root directory of the application server, is a directory called modules

module name, which in this example is com.mysql

where the implementation is, which is the resource-root tag with the path element

define any dependencies you might have.  In this case, as the case with all JDBC data sources, we would be dependent on the Java JDBC API's, which in this case in defined in another module called javax.api, which you can find under modules/javax/api/main as you would expect.

Defining the DataSource itself

   <datasource jndi-name="java:jboss/datasources/MySqlDS" pool-name="MySqlDS">      <connection-url>jdbc:mysql://localhost:3306/EJB3</connection-url>         <driver>com.mysql</driver>

    <drivers>      <driver name="com.mysql" module="com.mysql">        <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>      </driver>    </drivers>

jboss-7.0.0.<release>/domain/configuration/domain.xml or jboss-7.0.0.<release>/standalone/configuration/standalone.xml

Unrestricted crossdomain.xml

If the JPA entities still do not look right, try to apply some JPA tricks like mapping a JPA-entity to several tables, or even map JPA-entities to DB-views, to improve the situation

Rename the classes into some more meaningful. The attribute, class names are in general everything but not fluent

Junit. Purpose: JPA mapping verification

Thinking In Structs Not Objects

12 Tips On JPA Domain Modelling

Execute the "Unit" tests after every change

even better get rid of them

domain objects are

encourages the ProductService approach

it’s not for small projects