Tuesday Oct 15, 2013

Securing WebSocket Endpoints

As you know, WebSocket is a key capability standardized into Java EE 7. When I talk to developers, many wonder how WebSockets are to be secured. One very nice characteristic of WebSocket is that it completely piggybacks on HTTP: the opening handshake is an ordinary HTTP request. This means that all the well-understood ways of securing web applications instantly apply to WebSocket, including SSL/TLS, Basic Authentication, Digest Authentication, LDAP, role-based authorization and all the robust security infrastructure built into modern application servers like GlassFish and WebLogic. In a brief blog post, Pavel Bucek demonstrates how to secure WebSocket endpoints in GlassFish using TLS/SSL. Besides the server side, he also includes a secure client-side code example using the wss: protocol.
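To make the "piggybacks on HTTP" point concrete, here is an added example in Java (JSR 356 API); it is not code from this post or from Pavel Bucek's entry. It assumes GlassFish 4 with its default HTTPS listener on port 8181, a web application at context root /chat whose web.xml protects the URL pattern /ws/* with a CONFIDENTIAL transport guarantee and an auth-constraint for the role "user" using the BASIC login method; the endpoint path, role, origin, credentials and trust-store path are all placeholders. The server side relies on that HTTP constraint for TLS and authentication, adds an Origin check against cross-site WebSocket hijacking, and closes the socket if it was ever reached without a principal; the client side sends Basic credentials on the handshake over wss:.

```java
// Added example, not from the original post or Pavel Bucek's entry.
// Assumed: GlassFish 4, HTTPS listener on 8181, app at /chat, web.xml protecting
// /ws/* with transport-guarantee CONFIDENTIAL and auth-constraint role "user" (BASIC).
import java.io.IOException;
import java.net.URI;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.websocket.ClientEndpoint;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.CloseReason;
import javax.websocket.ContainerProvider;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;
import javax.xml.bind.DatatypeConverter;

public class SecureChat {

    // --- server side -------------------------------------------------------

    // The handshake is a plain HTTP GET, so the web.xml constraint has already
    // forced TLS and authenticated the caller before this configurator runs.
    // checkOrigin adds what the HTTP constraint does not: a page on another site
    // can otherwise open a socket here riding on the user's session cookie.
    public static class ChatConfigurator extends ServerEndpointConfig.Configurator {
        private static final String TRUSTED_ORIGIN = "https://localhost:8181"; // assumed

        @Override
        public boolean checkOrigin(String originHeaderValue) {
            // No Origin header means a non-browser client, which the container has
            // already authenticated; only an explicit foreign origin is refused.
            return originHeaderValue == null || TRUSTED_ORIGIN.equals(originHeaderValue);
        }
    }

    @ServerEndpoint(value = "/ws/chat", configurator = ChatConfigurator.class)
    public static class ChatEndpoint {
        @OnOpen
        public void onOpen(Session session) throws IOException {
            // If the endpoint is ever deployed without the web.xml constraint there
            // is no principal: close with 1008 instead of serving anonymously.
            if (session.getUserPrincipal() == null) {
                session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY,
                        "authentication required"));
            }
        }

        @OnMessage
        public String onMessage(String text, Session session) {
            Principal user = session.getUserPrincipal();
            if (user == null) {
                return null; // socket is already being closed by onOpen
            }
            // The name comes from the container's authentication, not from the client.
            return user.getName() + ": " + text;
        }
    }

    // --- client side -------------------------------------------------------

    // Basic credentials go on the handshake request exactly as a browser would
    // send them for a protected page; with a wss: URI they only travel inside TLS.
    public static class BasicAuthConfigurator extends ClientEndpointConfig.Configurator {
        @Override
        public void beforeRequest(Map<String, List<String>> headers) {
            String credentials = "alice:secret"; // placeholder credentials
            String encoded = DatatypeConverter.printBase64Binary(credentials.getBytes());
            headers.put("Authorization", Collections.singletonList("Basic " + encoded));
        }
    }

    @ClientEndpoint(configurator = BasicAuthConfigurator.class)
    public static class ChatClient {
        static final CountDownLatch replied = new CountDownLatch(1);

        @OnMessage
        public void onMessage(String text) {
            System.out.println("server said: " + text);
            replied.countDown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Trust store containing the GlassFish listener's certificate (placeholder
        // path). Without it the TLS handshake fails, which is the right outcome.
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        WebSocketContainer container = ContainerProvider.getWebSocketContainer();
        URI uri = URI.create("wss://localhost:8181/chat/ws/chat");
        Session session = container.connectToServer(ChatClient.class, uri);
        try {
            session.getBasicRemote().sendText("hello over TLS");
            ChatClient.replied.await(5, TimeUnit.SECONDS);
        } finally {
            session.close();
        }
    }
}
```

Two things are worth checking in a deployment like this: that the security-constraint's URL pattern really covers the endpoint path (an uncovered path lets onOpen see a null principal, which is why the 1008 close is there), and that the client refuses to connect when the trust store does not contain the server certificate rather than silently falling back to ws:.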

For a more complete example, you could look at the code for my joint JavaOne 2013 session with Ryan Cuprak and Bala Muthuvarathan titled "Android and iOS Development with Java EE 7". Do let me know if you need more detailed coverage focused on the topic, I will be happy to put something together on my personal blog.

Thursday Apr 18, 2013

The Java Update, Applets/Web Start and GlassFish

By now, most of us know about the Java SE security vulnerability that affects primarily Java Applets. You might be relieved to know that the latest Java update, Java 7 Update 21, looks to fix that vulnerability. Java EE expert group member and key community figure Markus Eisele did an awesome job explaining the details and providing further context.

Although the security vulnerabilities definitely do not affect server-side applications (the ones running on GlassFish), GlassFish has had support for launching Java EE application clients using Java Web Start. If you don't know what Web Start is, you are hardly alone - it's even less prevalent than Applets these days. The java.com site does a pretty good job of explaining Web Start. The Java update affects Web Start too, so if you are using it, you'll need to be aware of the changes. Oracle's Tim Quinn explains what you need to watch out for.

Friday Jan 25, 2013

Oracle Speaks up on Java Security

As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability. As you know, the vulnerability pertains to Java in the browser, not server-side Java, desktop Java or embedded Java. You may also have been frustrated with Oracle's relative silence on the issue.

Hopefully it comes as some relief that Oracle is now starting to openly speak up on the issue. The lead for Oracle Security, Martin Smith, and Donald Smith from the OpenJDK team very recently had a conference call with worldwide JUG leaders. The recording of the meeting is available here. This was a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues. As Donald and Martin indicate on the call, we can expect this to be the tip of the iceberg of what will be done on the Java security and communication fronts.

You are encouraged to participate in this crucial dialog and provide your feedback.

John Spragge offers his opinions on these very issues in his intelligent, insightful blog post: A passionate defence of Java's virtues. It is well worth a read if you are a fan of GlassFish, Java EE or Java.

Tuesday May 15, 2012

SecuritEE in the Cloud

Java EE 7 and the Cloud theme continue to move full steam ahead. In a PaaS environment where infrastructure is shared and configuration tends to be split between the PaaS Provider (vendor or IT) and the PaaS user, security requires additional flexibility.

The SecuritEE blog covers Java EE security. The first two entries (here, here) begin to address Java EE 7 PaaS security.

If security is important to your Java EE applications, add the RSS feed to your reader.

Thursday Mar 01, 2012

GlassFish 3.1.2 coverage - Admin Console, mod_jk, EclipseLink, press, and other screencasts

Now that GlassFish 3.1.2 is out the door (download it here) we can have a look at some of the coverage for the release focusing on specific features.


• John has a presentation walking through the main new features of GlassFish 3.1.2
• Amy blogs about Apache mod_jk load-balancing with 3.1.2
• The Oracle Java Blog covers the highlights of the release.
• Anissa has all the details about the Web Console improvements
• Tim discusses the changes made to Secure Administration
• Blaise covers the impact of having EclipseLink's MOXy not integrated
• Arun covers with Sathyan the main new 3.1.2 release themes
• Anissa has a short screencast highlighting the new DCOM provisioning feature
• Arun has a rundown of the new features
• Paul has a post on the updated GlassFish 3.1.2 documentation
• MartinG covers what's new in Metro 2.2, JAXB 2.2.5 and JAX_WS 2.2.6
• Jason has the details for REST Security in 3.1.2
• Anissa also has this Managing Application Scoped Resources from the 3.1.2 Console screencast
• Byron discusses in greater details the new DCOM Configuration utility
• Joe covers the new secure by default GlassFish 3.1.2 feature and its impact
• Adam Bien has a 5-minute screencast showing Java EE 6 with NetBeans 7.1.1 and GlassFish 3.1.2
• Bhakti has the main release points as well as details on the updated NetBeans code samples for GlassFish
• Long-time tools guy Vince provides an update on GlassFish+Eclipse.
• TSS has a list of main themes for the release
• Heise.de also covers the main new features for GlassFish 3.1.2 (German)
• javahispano.org covers the simultaneous releases of NetBeans 7.1.1 and GlassFish 3.1.2 (Spanish)
• ITeye also covers the news (Chinese)
• GlassFish 3.1.2 released (H-Online)
• GlassFish 3.1.2 available (Entwickler.de, German)
• GlassFish 3.1.2 released (under-linux.org, Portuguese)
• GlassFish Enterprise Server 3.1.2 (ZDNet Downloads)
• GlassFish 3.1.2 - Oracle's Java EE server gets an update (JAXenter)
• NetBeans IDE 7.1.1 Released, with Support for GlassFish 3.1.2 (Oracle Java blog)
• NetBeans IDE 7.1.1 is here, quick to support newest GlassFish (JAXenter)

Sunday Jul 31, 2011

GlassFish Security Webinar - August 9th

Our next GlassFish Webinar is coming up soon on Tuesday 9th August and is called "Securing Oracle GlassFish Server 3.1". So don't be a fool and click on the link to register and receive your invitation!

You may also want to mark your calendar for the August 25th webinar on GlassFish 3.1.1 and Java 7 and keep an eye on glassfish.org/webinars for the registration link.


Friday May 20, 2011

GlassFish Security Guide - hardening and more

With the release of GlassFish 3.1, we've added a new volume to the product documentation library - a Security Guide.

This information was previously spread across multiple books and mainly in the Admin Guide.


In addition to the hardening chapter, you'll also find the following topics covered:
• Audit Modules
• Authentication Realms
• WebServices Security
• Cluster-related security
• Secure Admin
• Integration with Oracle Access Manager (OAM)

Keep an eye on http://glassfish.org/webinars/ for an upcoming GlassFish Security webinar.

Friday Mar 11, 2011

GlassFish 3.1 SOTD #11 - Change Master Password

In this eleventh post of the SOTD (Screencast Of The Day) series following the release of GlassFish 3.1, here is Bhakti's Change Master Password.

This 5-minute demo discusses how to change the master password used to encrypt the DAS and instance keystores from its default value to something more secure. Bhakti has more in this detailed blog entry.

This screencast is hosted on the GlassFish YouTube Channel.

Sunday Oct 17, 2010

GlassFish Tips and Links #12: Maven on Helios, Basic Authentication, Jersey 1.4, Bye AMX, JavaSE 6u22...

Recent Tips and News on Java EE 6 & GlassFish:


Tips

Maven troubles on Eclipse Helios cause problems deploying apps to GlassFish
• ... but see Harald's tutorial
Basic Authentication in GlassFish 3 (Maksim Sorokim)
Jersey 1.4 was released on September 11th (Paul)
More on Web Sockets and HTML5 in Glassfish - covers using the SQL API (Santiago)
Update to deploying webservices on Glassfish 3.1 cluster (Bhakti)
Spring vs. Java EE and Why I Don't Care (Eberhard Wolff)

GlassFish 3.1

Admin UI is now 100% based on REST; no more AMX (ludo)
Progress in moving GlassFish to Kenai infrastructure (eduardo)

Links and News

eApps Cloud Release notes v .99.2 - Beta will include Liferay on GlassFish
Habari OpenMQ Client (library for Delphi and Free Pascal to access OpenMQ)

From Oracle

• Countdown to decommissioning SunSolve "later this year"
   Goodbye SunSolve, Helloooo MOS!, SunSolve Retirement Notice - Oct'10 and FAQ
• Sun GlassFish Enterprise Server 2.1.1 p8 now available.
• JavaSE 6u22 is out with security bugs - Release Notes, twitter @rolilad
• Oracle's October Critical Patch Update at eSecurityPlanet.

In Spanish

Controlling the transaction isolation level in JPA
EJB 3.1 in Liferay Portlets (Apuntes de Java)

Event News

Reports
Slides and Trip Report for SVCP 2010:
   [1], [2], [3], [4], [5], [6].
This Week's Events
• Oct 19th, YaJUG, Luxembourg (details)
   Java EE 6 + GlassFish, Alexis MP
• Oct 20th: eBig Java SIG, Oakland/CA (details)
   Java EE 6 = Less Code + More Power, Arun Gupta
New Events
• Dec 6-Dec 8: NYC - Marakana, (details)
   JSF 2.0 Training Course, Kito Mann
• Dec 13-Dec 17: NYC (details)
   Programming with Java and Java EE 6, Yakov Fain, Farata Systems

Sunday Jul 25, 2010

Closed Networks and the GlassFish Update Center

One of the best features of all the versions of GlassFish 3 is how easy it is to update it through the IPS-based Update Center. The same GUI and CLI tools can be used to upgrade from 3.0 to 3.0.1, to add or remove components, and to switch from the open source release to Oracle's commercial release.

The same machinery is also used to install commercial patches, where it provides an experience that is much easier than in v2. With the transition to Oracle it has taken a while to get the v3 patch pipeline going, but eventually you will see the same frequency as with the v2 patches.

This all normally works through the standard repositories at Oracle but sometimes your computer has limited internet connectivity, so, what do you do? The solution is to create a local repository. This is actually Very Easy to Do (tm). And a local repository is also useful for many other things.

As you noticed if you followed the links, all these topics are now described in the recently updated Administration Guide; check out Extending and Updating the GlassFish Server.

Saturday Apr 24, 2010

Fundamo, OSGi, iPad.. and More GlassFish News - April 24th, 2010

Financial services on the go - GlassFish for Fundamo and profit
Alexis recently published a new Adoption Story on how Fundamo uses GlassFish v2 and OpenMQ for its Enterprise Platform. Overview at stories entry, details in questionnaire, and an overview in this earlier short video interview.
We are always interested in more GlassFish adoption stories, both from (non-paying) users and from (paying) customers. Stories come from all industries and from around the world; the last few entries are PSA Peugeot Citroën (France/Auto), iVox (Belgium/Print), NHIH (US/Gov-Health Care) and Suncorp (Australia/Financial).

OSGi/JMS/MDB Example
Sahoo's latest post describes a hybrid OSGi/JavaEE example that uses JMS and Message Driven Beans and leverages GlassFish v3. The post includes source code and a detailed description.

Siebel CRM Support for the iPad
Oracle shows how to use their server-side REST APIs and the iPad SDK to provide access to Siebel CRM from the iPad. Devices like the iPad (and the iPhone) seem a very good match for the Oracle Fusion Applications.

Innovating at Warp-Speed: Monitis Announces Java Monitoring from the Cloud
Monitis announces Java Application Monitoring, a cloud-based monitoring solution for JMX-based applications, including GlassFish containers.  More details in announcement and product page.

EJB 3.1 Asynchronous Session Beans
From Paris, with love... Patrick Champion provides a short example of using EJB 3.1's @Asynchronous annotation.  More benefits of JavaEE 6!

Alfresco community 3.3 installation on Glassfish
A short but detailed description of how to install Alfresco Community 3.3 with GlassFish v2.1 and MySQL.

Getting started with Glassfish V3 and SSL
The JavaDude provides a tutorial on how to use GlassFish v3 with SSL.

Sunday Apr 04, 2010

Leveraging Servlet 3.0 - Authentication without Forms using GlassFish v3 and Vaadin

The new Servlet 3.0 specification in JavaEE 6 (JSR website, JavaOne Session, VC podcast) packs many new features, including Annotations, Dynamic Registration, Pluggability and Asynchronous Support.

Servlet 3.0 also includes quite a number of security improvements, as described by Kumar a couple of months ago in a Summary of new Security Features in Servlet 3.0. As Ron explains, one of the themes is that Java EE 6 and Servlet 3.0 Converge on Container Security Functionality, another is extra functionality, as explained by Nithya's 3 recent posts ([1], [2], [3]) covering http-method-omission element in web.xml, and the authenticate and login methods of HttpServletRequest.
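The two Servlet 3.0 additions named above, constraints that cover every HTTP method except the ones you list and the login/authenticate methods on HttpServletRequest, can be shown in one servlet. The following is an added example written for this spotlight; it is not code from Nithya's, Kumar's or Ron's posts. It uses the @ServletSecurity annotation form rather than web.xml (the value element applies to every method without its own @HttpMethodConstraint, which is the same semantic as http-method-omission), and assumes the application's realm (configured in GlassFish, not shown) knows a role "user"; the path /account, the parameter names and the role are illustrative.

```java
// Added example, not from the posts linked above. Assumed: a GlassFish realm
// for this application that maps users to the role "user"; /account, the
// "user"/"password"/"action" parameters and the role name are placeholders.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/account")
@ServletSecurity(
        // Applies to every HTTP method not named in httpMethodConstraints (HEAD,
        // PUT, DELETE, TRACE, OPTIONS, custom verbs): deny outright. This is the
        // annotation equivalent of web.xml's http-method-omission and closes the
        // "uncovered method" gap a constraint listing only GET would leave open.
        value = @HttpConstraint(value = ServletSecurity.EmptyRoleSemantic.DENY),
        httpMethodConstraints = {
            @HttpMethodConstraint(value = "GET",
                    transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
            @HttpMethodConstraint(value = "POST",
                    transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL)
        })
public class AccountServlet extends HttpServlet {

    // GET: lazy authentication. authenticate() returns true when a principal is
    // already present; otherwise it starts the login mechanism configured for
    // the application (401 challenge for BASIC, redirect for FORM), commits the
    // response and returns false.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.authenticate(resp)) {
            return;                        // challenge already sent, nothing to add
        }
        if (!req.isUserInRole("user")) {   // authenticated is not the same as authorized
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("account of " + req.getUserPrincipal().getName());
    }

    // POST: programmatic login and logout, replacing the j_security_check form.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                  // clears the principal for this request
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();      // logout() does not invalidate the session itself
            }
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        if (req.getUserPrincipal() != null) {
            resp.sendRedirect(req.getContextPath() + "/account"); // login() on an
            return;                                               // authenticated request throws
        }
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Defensive choice: discard any pre-login session so a session id planted
        // before login cannot become an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            req.login(user, password);     // checked against the realm used by this app
        } catch (ServletException e) {
            // One answer for unknown user and wrong password alike
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true);
        resp.sendRedirect(req.getContextPath() + "/account");
    }
}
```

Note that the constraint on POST carries no roles, so the container permits the request and the servlet does the authentication itself; GET is also open at the constraint level precisely so that authenticate() has something to do. Removing the DENY default and keeping only the two method constraints is the mistake to watch for: the other verbs would then be reachable with no constraint at all.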


A great example of the new functionality is Bobby's Authentication Without the Form where he modifies the RIA app in Creating Secure Vaadin Applications using JavaEE 6 to use the new login machinery and thus remove the need for extraneous JSP files.

Bobby's very complete post includes full source code and a nice Screencast; note it requires a recent build of GlassFish 3.0.1 due to a bug in 3fcs.

You may also want to refer to the JavaEE 6 javadocs (e.g. HttpServletRequest) and to the JavaEE 6 Tutorial: Part I (e.g. see Web Application Security) and Part II (requires free registration).

I had not noticed Vaadin previously but it seems to be gaining some popularity; its programming model is strongly server-centric and generates client code via GWT. You can see an Online Sampler and it recently deployed a Component Directory; its KB has a number of articles on how to use it with GlassFish Server. They also announced deals recently with BlackBelt Factory and with our old Liferay friends.

While chasing the sources for this spotlight I bumped into a number of other Java-based RIA frameworks including: Echo and ZK as well as frameworks like Flex/BlazeDS, GWT, and the JSF-based frameworks we know.