Group items tagged

cdiqi just forces Quartz to use CDI beans as its jobs

bounds request context to every job execution so that it's possible to use @RequestScoped, @Dependent and @ApplicationScoped jobs and especially beans

The discussion whether or not to use Spring vs. Java EE for new enterprise Java applications is a no-brainer

Why migrate?

since then fallen a prey to the hungry minds of Venture Capitalists and finally into the hands of a virtualization company called VMware

While the different companies and individuals behind the Spring framework have been doing some work in the JCP their voting behavior on important JSRs is peculiar to say the least

outdated ORM solution like JDBC templates

some developers completely stopped looking at new developments in the Java EE space and might have lost track of the current state of technology

size of the deployment archive

fairly standard Java EE 6 application will take up about 100 kilobytes

comparable Spring application weighs in at a whopping 30 Megabytes!

Lightweight

Firing up the latest JBoss AS 7 Application Server from scratch and deploying a full blown Java EE 6 application into the server takes somewhere between two and five seconds on a standard machine. This is in the same league as a Tomcat / Spring combo

Dependency injection

Java EE 6, the Context and Dependency Injection (CDI) specification was introduced to the Java platform, which has a very powerful contextual DI model adding extensibility of injectable enterprise services

Aspect Oriented Programming

“AOP Light” and this is exactly what Java EE Interceptors do

common pitfall when taking AOP too far is that your code might end up all asymmetric and unreadable. This is due to the fact that the aspect and its implementation are not in the same place. Determining what a piece of code will do at runtime at a glance will be really hard

Testing

With Arquillian we can get rid of mocking frameworks and test Java EE components in their natural environment

Tooling

capabilities comparison matrix below to map Spring’s technology to that of Java EE

Capability Spring JavaEE Dependency Injection Spring Container CDI Transactions AOP / annotations EJB Web framework Spring Web MVC JSF AOP AspectJ (limited to Spring beans) Interceptors Messaging JMS JMS / CDI Data Access JDBC templates / other ORM / JPA JPA RESTful Web Services Spring Web MVC (3.0) JAX-RS Integration testing Spring Test framework Arquillian *

length must be at least 128 bits (16 bytes)

Session ID Length

Session ID Name Fingerprinting

Session ID Properties

Session ID Entropy

must be unpredictable (random enough) to prevent guessing attacks

good PRNG (Pseudo Random Number Generator) must be used

must provide at least 64 bits of entropy

Session ID Content (or Value)

content (or value) must be meaningless

identifier on the client side

meaning and business or application logic associated to the session ID must be stored on the server side

session objects or in a session management database or repository

create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).

Session Management Implementation

defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID

token expiration date and time

This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods

Transport Layer Security

use an encrypted HTTPS (SSL/TLS) connection for the entire web session

process where the user credentials are exchanged.

“Secure” cookie attribute

must be used to ensure the session ID is only exchanged through an encrypted channel

never switch a given session from HTTP to HTTPS, or viceversa

should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)

should not offer public unencrypted contents and private encrypted contents from the same host

www.example.com over HTTP (unencrypted) for the public contents

secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)

only has port TCP/80 open

only has port TCP/443 open

“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.

Secure Attribute

instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection

HttpOnly Attribute

instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object

Domain and Path Attributes

instructs web browsers to only send the cookie to the specified domain and all subdomains

instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application

vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com

Expire and Max-Age Attributes

it will be considered a

and will be stored on disk by the web browser based until the expiration time

use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.

Session ID Life Cycle

William Drai

Honestly I don't see any value in switching to CDI if it is

please not this Dao/Template mess

Gavin King

to reproduce the same awful patterns

please not this Dao/Template mess

Because, of course, there are no other well-known patterns for dealing with boiler-plate cleanup code and connection leaks.

This is exactly the kind of

It gives people a

and somehow shuts down their brains so they

It's a very impressive magic trick, and I wish I knew how to do it myself. But then, I'm just not like that. I'm always trying to poke holes in things - whether they were Invented Here or Not.

but that might be too high-level for your taste. Their are other, less-abstract options.

exception handling, this is one area where Spring does a good job: "The Spring Framework's handling of SQLException is one of its most useful features in terms of enabling easier JDBC development and maintenance. The Spring Framework provides JDBC support that abstracts SQLException and provides a DAO-friendly, unchecked exception hierarchy."

Automatic connection closing (and other boiler-plate code) is obviously a hard requirement to be handled by the fwk.

Gavin King

there are a bunch of people

They don't understand, or see the value of, using managed objects to represent their persistent data.

Um. Why? Why would that be a bad thing? I imagine that any app with 1000 queries has tens of thousands of classes already. What's the problem? Why is defining a class worse than writing a method?