Thursday Nov 27, 2014

JSR 375: Java EE Security API

Java EE has been used to develop and run enterprise applications securely since years.  Obviously, Java EE and its containers are just parts of the global security equation. When we zoom at the Java EE layer, we see that some of the security capabilities are backed into the specification while others security features are proprietary and specific to the different Java EE implementations.  Sometime, some of the security capabilities are also external add-on's (e.g. 3rd party libraries).  Security is not a self-contained matter as interactions between different components are often required (e.g. a Java EE Application Server needs to interact with an LDAP server).  Things also change when we go from an on-premises deployment to a cloud based deployment.  Finally, portability is never simple when it comes to security.

Java EE needs to evolve to stay relevant and clearly, if we look at the feedback from the Java EE 8 Community Survey, security is an area that could be improved.  And that is the goal of JSR 375 (Java EE Security API) which has just been submitted to the JCP for review.  JSR 375 is slated for inclusion in Java EE 8, its initial scope is based on the community survey feedback, on issues and RFEs filled against the Java EE specifications, on various exchanges EG members had overtime and also on various informal discussions we had during conferences, etc.

The JSR proposal gives a more detailed overview of what it will try to achieve.  In short, JSR 375’s goal is to simplify, standardize, and modernize the Security API across the platform in different area.

  • User Management: Standardization of a ’user service’ API which would enable an application to perform user management operations (e.g. create a user). The ‘user service’ would rely on a ‘user source’ which would be an abstraction of a physical user store (e.g. LDAP, data-bases, etc.).  The user service would be configurable to match the deployment requirements.
  • Password Aliasing: Standardization of syntax for pointing (alias) to passwords stored in a (secure) password repository.  This password repository might then be bundled with an application (e.g. think cloud deployment).
  • Role Mapping: Definition and standardization of a ‘role service’ API that would enable an application to perform various role mapping operations (e.g. querying a group role).  This would be done via different role mappers (e.g. LDAP, files) that would be adaptable based on the environment’s needs.
  • Authorization: Definition of a new CDI interceptor annotation that would be used to preform application-domain rules at the method level.
  • Authentication: Several enhancements are also planned around authentication (e.g. the ability for a web application to offers different authentication methods).

This is the just of overview of the initial scope. In addition, the Experts Group will also have to look at how some of the Java EE orthogonal technologies (e.g. CDI events, Expression Language, etc.) can be leveraged in order to simplify the use of those new APIs.  To know more about this JSR, make sure to read the JSR 375 proposal. You can also watch the replay of the "Java EE 8 Overview" that Linda DeMichiel gave during JavaOne as she has touched some of those ideas during her talk.

JSR 375 has entered the JCP review period; the next step should then be the approval ballot period. And if it passes this ballot, the Experts Group will be formed and the real works (and discussions) will start!   So we are just at the beginning of this effort but it’s nice to see the different pieces of Java EE 8 being put in place...

Wednesday Nov 26, 2014

JMS2 + JCP @ Chicago JUG

On September 4th, I spoke at the Chicago Java User Group on both JMS 2 as well as the basics of the JCP program. Spearheaded by the very capable likes of Freddy Guime and Bob Paulin the Chicago JUG has grown to become one of the most important Java User Groups in the world - both in terms of size, importance and impact. I am proud to say this is my second time to the JUG - a few months ago they had me speak on Java EE 7. My visit this time was very generously sponsored by Jay Zimmerman of the No Fluff Just Stuff (NFJS) tour. NFJS has always made an effort to support Java User Groups around the US.

I started the evening out with my JMS 2 talk (slides below). I also covered some of the possibilities for JMS 2.1.

I spent the last half-hour or so giving a very high level overview of the JCP program. I essentially borrowed Heather VanCura's slides (my own slides on the topic are rather old and developed when I was still an independent). Heather's slides can be found on SlideShare. The Chicago JUG has a very active interest in contributing to the JCP, which is why they had me speak on the topic. In fact with some help from US based Java EE/GlassFish advocate Josh Juneau they will soon be adopting one or more of the Java EE 8 JSRs via Adopt-a-JSR. The Java EE community is very lucky to have Josh's presence in the greater Chicago area. Josh is already an incredibly prolific author and blogger - it is awesome to see him become more prominent as a speaker as well including at JavaOne 2015 (and of course at his own local Chicago JUG).

It was great to be at the Chicago JUG and I hope to return sooner rather than later to the Windy City!

Thursday Nov 20, 2014

Tools for MVC in Java EE 8

Last week at Devoxx, Manfred Riem (MVC 1.0 Co-Specification Lead) did a session on MVC 1.0 (JSR 371) to a packed room. During the session, Geertjan Wielenga (Principal Product Manager in the Oracle Developer Tools) did a cameo appearance to discuss the tooling in the context of MVC. Amongst other things, Geertjan is looking at some of the potential features an IDE could bring to simplify the development of MVC based applications.  During the session, Geertjan did a demo based on a prototype he wrote for NetBeans. This demo was also using Manfred’s experimental action based prototype.

So clearly, it's early days! After all the MVC Experts Group has just started and is now discussing important orientations for the specification (e.g Should the Controller be based on the Servlet API or should it be layered on top of JAX-RS?). Nevertheless, it is interesting to follow Geertjan's explorations around tooling in that space.  This also demonstrates that adding new features to NetBeans is not necessarily a daunting task!

You can find more details on Geertjan's blog: Tools for MVC in Java EE 8 - Part 1 and Part 2.

Tuesday Nov 18, 2014

JavaOne Replay: "Into the Wild with Servlet Async IO"

Greg Wilkins has an impressive 'Web pedigree’; he is the founder and lead developer of Jetty.  Greg is a long-time member of the Servlet Expert Group; he is also a member of the IETF HTTP/2 working group member, etc.!

During his JavaOne session, Greg gave a deep technical overview on Asynchronous IO using the Servlet API.  Greg starts by explaining what asynchronous means in the context of a Servlet. He then goes and explains the Servlet 3.0 asynchronicity support.  The rest of the talk is then spent on the Servlet 3.1 API and how to write effective asynchronous servlets (and how the inner-working of the API).  Greg also shares some of the motivations behind the Servlet 3.1 API and the technical choices behind it. Not only that, Greg is also talking about some 'potential more obvious technical options' and why those options were not selected at the end.

This technical session provides different angles (e.g. Servlet API explanations, some deep technical points such as some of the Jetty implementation details but also best practices advices, etc.).  Overall this session is highly recommended for anyone who want to understand asynchronicity in the context of the Servlet API.


You can find Greg's slides here.

Wednesday Nov 12, 2014

Java EE @ NFJS Pacific Northwest Software Symposium Seattle

As some of you may be aware I recently joined the well-respected US based No Fluff Just Stuff (NFJS) Tour. The NFJS Pacific Northwest Software Symposium was held October 17 - 19 in Seattle, Washington.

I had five talks total over two days, more or less back-to-back. I did talks on Java EE 7/Java EE 8, the Cargo Tracker Java EE Blue Prints, JavaScript + Java EE, Java EE + NoSQL as well as WebSocket. More details, including slide decks and code as well as my NFJS tour schedule, posted on my personal blog.

Monday Nov 10, 2014

JavaOne Replay: eBay and JavaServer Faces

During JavaOne, Sushma Sharma and Ken Paulsen of eBay did a session on Gandalf: 'eBay, Connecting Buyers and Sellers Globally via JavaServer Faces'.

Gandalf is a 'Quick Listing tool'. Gandalf is JSF based tool that let non professional eBay users list their items in order to sell them. Since Gandalf targets non professional users, the tool and the its user interface has to be intuitive and simple. And as mentioned in during the session, that type of users represent the largest population of amongst the eBay sellers. Gandalf an application that is very demanding in terms or features and requirements. Security is obviously a top requirement but accessibility, responsiveness, ... are also very important.

And last but not least, Gandalf is widely used. On a typical day, Gandalf is used by around 200,000 sellers who are adding around 800,000 new listings (again, this is per day!). And that number can grow up to 2.5 millions listings on a peak day! So Gandalf is not really a typical enterprise application, it is more a large scale end-user facing web application.

During their session, Sushma and Ken have discussed JSF, how JSF can scale, ... they have also shared a few JSF tips. Despite the small technical issues (e.g. a few audio hiccups), this J1 session replay is particularly interesting as it clearly kills the 'JSF doesn't scale' myth as this session clearly demonstrate that well designed JSF applications can cope with very demanding requirements.

Thursday Nov 06, 2014

JavaOne Replay: JAX-RS.next

JAX-RS is a key technology of the Java EE platform as REST endpoints are more and more used. Marek Potočiar (JAX-RS Co-Specification Lead) did a session during JavaOne to detail some of the proposed JAX-RS enhancements and extensions that should be part of Java EE 8. These proposals include better support for JSON (JSON-B), improved alignment between JAX-RS and CDI, enhanced support for hypermedia as well as declarative security, server-sent events, and MVC integration. 

Jersey is the open source JAX-RS Reference Implementation but Jersey doesn't limit itself to the specification, i.e. Jersey has also has additional specific features. In some cases, some of the Jersey proprietary features have been standardised and added to the specification (eg. the Client API have been added to JAX-RS 2.0). So it is always interesting to check the Jersey specific extensions as some of those might be potential candidates for inclusion into a future revision of the JAX-RS specification. For example, SSE is currently supported in a Jersey specific manner but the plan is to standardised SSE support in JAX-RS 2.1. So make sure to also watch this 'What's New and Noteworthy in Jersey 2' replay that was presented by Jakub Podlešák and Miroslav Fuksa during JavaOne 2014.

You can get the 'Let’s Talk JAX-RS.next!' slides here.

Wednesday Nov 05, 2014

OTN Virtual Technology Summit

The OTN Virtual Technology Summit is a set of free online events covering various technical topics such as Java SE, Java EE but also Middleware, Database, etc.  Each topic will be presented by a subject matter expert coming either from Oracle or from the community (Java Champions, Oracle ACEs, ...). And during each session, a live chat will let participants ask questions and clarifications on the presented subject. You can check the agenda of the different tracks here.

OTN Virtual Technology Summit is a free event so make sure to register for this month OTN VTS!

  • VTS America : November 18th, 2014 – 9am to 12:30pm PST, register here.
  • VTA Asia : November 19th, 2014 – 10:00am to 1:30pm IST, register here.
  • VTS Europe : November 26th, 2014 – 9am to 12:30pm GMT, register here.

Tuesday Nov 04, 2014

Java EE 8 at Devoxx

Next week (Nov. 10-14), 3.500 Devoxxians from 40 different countries will come to sunny Antwerp to attend the 13th edition of Devoxx (Belgium). Devoxx covers a broad range of topics ranging from Java SE, Mobile and Web Development, Embedded... to Java on the Server. This year Server-side Java track has very good contents including a good Java EE 8 coverage. Also, this year, you have the possibility to ask, in advance, questions to any of the speaker. For that, just check a session page and click on 'Send a question to the speaker'.

You can check the full Devoxx agenda here but here are the sessions that will discuss Java EE 8.

And this is just for Java EE 8! Here are some other Java EE related sessions that are worth to mentions too.

Again, this is just an overview, make sure to check full agenda here.

Also, we are still working on the details but do expect some Java EE 8 coverage during the Devoxx Hackergarten.

Will I see you next week at Devoxx?

Monday Nov 03, 2014

Java EE @ NFJS New England Software Symposium Boston

As some of you may be aware I recently joined the well-respected US based No Fluff Just Stuff (NFJS) Tour. The NFJS New England Software Symposium was held September 19 - 21 in Boston. This is one of the larger NFJS shows and attendance at the show and my sessions was pretty good. It is always encouraging to see the same folks attend more than one talk. On my way to the show I also stopped by at the Connecticut Java User Group. The JUG is led by my friend and co-author for EJB 3 in Action Ryan Cuprak. I've spoken at the JUG a number of times over the years and it was good to be back.

I had five talks total over two days, more or less back-to-back. I did talks on Java EE 7/Java EE 8, the Cargo Tracker Java EE Blue Prints, JavaScript + Java EE, Java EE + NoSQL as well as JMS 2. More details, including slide decks and code as well as my NFJS tour schedule, posted on my personal blog.

Thursday Oct 30, 2014

JavaOne Replay: 'HTTP/2 and Servlet 4' by Ed Burns and Shing Wai Chan

The main focus of Servlet 4 (JSR 369) is to introduce HTTP/2 support into the Java EE Platform. During their JavaOne session, Ed Burns and Shing Wai Chan, the 2 Servlet 4 Specification Leads, gave a good introduction to HTTP/2 and its main features.

Ed and Shing Wai started by explaining some of the HTTP 1.1 limitations we are facing such as Head-of-Line Blocking and how we have all been trying to work-around some of those issues.

They then explained HTTP/2 main features (Binary Framing, Stream Multiplexing and Prioritisation, Server Push, etc.) and how those will solve the HTTP 1.1 limitations.

Some of those new HTTP/2 enhancements are optimisations that are fully transparent to the upper layers (e.g. Stream Multiplexing, Header Compression) but some of those new capabilities might improve applications that are able to exploit them (e.g. Server Push). Ed and Shing Wai showed how the Servlet 4 API might expose some of those capabilities to the developer.

The session was finally concluded with an overview of the HTTP/2 plans for Java SE 9.

Even if you are not really focused on the Web tier, this session is a good HTTP/2 introduction and given the importance of HTTP (and soon HTTP/2), this information should be valuable to your general (IT) knowledge!

You can get the slides here.

Wednesday Oct 29, 2014

Java EE @ NFJS Greater Atlanta Software Symposium

As some of you may be aware I recently joined the well-respected US based No Fluff Just Stuff (NFJS) Tour. The NFJS Greater Atlanta Software Symposium was held September 12 - 14.

I had four talks total over two days, more or less back-to-back. I did talks on Java EE 7/Java EE 8, WebSocket, the Cargo Tracker Java EE Blue Prints and JavaScript + Java EE. More details, including slide decks and code as well as my NFJS tour schedule, posted on my personal blog.

Tuesday Oct 28, 2014

JavaOne Replay: 'Java EE 8 Overview' by Linda DeMichiel

In this JavaOne session, Linda DeMichiel (Java EE 8 Specification Lead) gives an overview of what is currently planned for Java EE 8.

Linda starts by explaining the results of Oracle’s Java EE community surveys and the general thought process behind requirements gathering for Java EE 8.  She then gives technical details around some of the planned enhancements :

  • Enhanced support for HTML5 applications and other web tier features such as server-sent events, the new JSON-B JSR for binding JSON payload to Java objects, support for HTTP 2.0, the new MVC framework, etc. 
  • Ease of development including CDI alignment and ease of use with security interceptors, extended use of CDI scopes, the introduction of CDI based model to simplify Message Driven Beans, etc. 
  • Continued support for portable cloud applications. The sessions goes over the planned Java EE Management API but also touches on the new upcoming Security JSR.
Finally, Linda concludes her session by explaining how you can contribute and help to shape the next version of Java EE, i.e. JSR 366.

Watching Linda's session replay will give you a good idea on where the EG wants to go with Java EE 8.

The sesison slides are also available here.

Hint: double click on the video or the slides to adjust their respective size.

Monday Oct 27, 2014

MyBatis-CDI: Persistence Alternative for Java EE

ORM is a by and large proven technique that has been around for a long time now (believe it or not TopLink was created in the early nineties for Smalltalk and then ported to Java). It maximizes code flexibility and database independence while minimizing boilerplate code and allowing the construction of rich domain models. Even for relatively complex domain models and queries, ORM engines tend to generate better quality SQL optimized to the underlying database than the average Java developer would with considerable time and effort. This is precisely why JPA is the persistence standard for Java EE and why a majority of modern server-side applications use ORM (indeed almost every other major development platform including .NET and Ruby on Rails positions ORM as it's default persistence solution).

That being said, there can certainly be cases where using hand-written native SQL is necessary or desirable. Most people don't seem to realize it, but JPA has always included very good support for native queries to meet these use cases (JPA 2.1 now even includes formal support for stored procedures - the ultimate form of database bound query execution). If you weren't aware of this, you should definitely read Taudo Wenzel's excellent write-up on using JPA native queries to generate reports (a common use case for native queries).

In fact you have other options for native SQL centric persistence in Java EE applications. One of the nicest ones is MyBatis-CDI. It provides a very nice CDI based abstraction for MyBatis, making it extremely easy to use in Java EE applications (in case you are wondering MyBatis is the successor to the old iBatis project). Here is how simple MyBatis CDI code can look like:

In addition to JTA transactions, MyBatis-CDI also supports local transactions. I've personally also successfully used Apache Commons DbUtils with CDI to quickly port over a legacy application with tons of hand-written SQL to Java EE/GlassFish.

Thursday Oct 23, 2014

Events in CDI 2.0

CDI 2.0 (JSR 365) was the first Java EE 8 approved JSR. The CDI Experts Group has already been formed several weeks ago and the first CDI 2.0 EG face to face meeting took place last week in Brno (see feedback here). The EG has ambitious plans for CDI 2.0 (see here) and is working hard to fulfils them, you can track the evolution of their work here.

CDI Events is one of the focus area of CDI 2.0. CDI Events is a simple mechanism that provides an implantation of the Observer pattern where the Event Producer is cleanly decoupled from the Event Consumer(s). This mechanism is available in CDI since the beginning, i.e. CDI 1.0. But for CDI 2.0, the EG plans to improve the overall CDI Event mechanism by adding:

  • Asynchronous events
  • Conversation begins/end events
  • Priorities (ordering of events)
  • Observer Deactivation
  • The ability to observe a group of qualified events ("Qualifier Inheritance")
  • ...

Obviously at this stage, those are just plans, just ideas and clearly introducing some of those features leads to quite a few questions and in some case might also induces potential issues if this is not well thought. Another constraint faced by CDI is that it is a transversal technology that is used across the platform so extra care should be taken. All those new features needs to be discussed in details and challenged, and sometime prototyped, before they are standardised into the CDI specification. The CDI 2.0 EG has recently put together an (evolving) document that describes the thoughts but also the challenges behind some of the CDI Events potential enhancements. This is definitely something to read.

CDI Event is today a useful mechanism. If you have ideas on how events can be improved in CDI 2.0, you should really '@Observe' what is being discussed in the EG and 'fire' comments (I know, in code, it's the opposite, i.e. 'fire' triggers the @Observe ;-) ).