Overview of reliable open source frameworks

December 19th, 2008 by nils

In a Time of Less, Do More with Open Source: Top 25 Open Source Projects That Will Help Trim Development Budgets

Palamida published a useful list of reliable open source frameworks on their blog. There are no surprises on the list, but they put each framework in relation to the number of person-years it took to create it. Interesting!

“Security Patterns revealed” Talk at Devoxx08

December 18th, 2008 by nils

This talk was given by Mike Wiesner, Senior Consultant at SpringSource.

Missing input validation is the root of all evil!
– Mike Wiesner, Devoxx 2008

Mike started with an overview of the most important security threats in web applications. The top three are cross-site scripting, SQL injection and directory traversal. All three come down to trusting data that arrived from the client, so by paying attention to proper server-side input validation in your web application you can prevent, by his estimate, about 80% of potential security issues. (Validation narrows what reaches your code; for XSS and SQL injection you still want output encoding and parameterised queries at the point of use.)

He talked in depth about the following patterns:

Intercepting Validator

  • Client-side validation is just a way to make the application more user friendly; it cannot replace server-side validation
  • JSR 303 – Bean Validation -> AOP can be used as Intercepting Validator

Single Access Point

  • Reference Monitor with AOP
  • security is applied by annotations on method level
  • the advantage is that you can test security and functionality separately -> security tests don’t execute application logic, and security can be disabled for functional tests
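To make the two patterns above concrete, here is an added example (mine, not code from Mike's talk or from SpringSource) that builds a single access point with a JDK dynamic proxy in place of a full AOP framework. The one `invoke` method acts as reference monitor for a method-level role annotation and as intercepting validator for JSR 303 (`@Valid`) parameters, and the bare implementation can still be tested without either. It assumes a Bean Validation provider such as Hibernate Validator on the classpath; `@RequiresRole`, `SecuritySession`, `Order` and `OrderService` are hypothetical names chosen for this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;
import javax.validation.*;
import javax.validation.constraints.*;

// Added illustration, not code from the talk. Assumes a JSR 303 provider (e.g.
// Hibernate Validator) on the classpath; @RequiresRole, SecuritySession, Order
// and OrderService are hypothetical names chosen for this example.

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole { String value(); }

// A bean carrying its own JSR 303 constraints: the whitelist pattern rejects
// path separators, quotes and angle brackets before any business logic sees them.
class Order {
    @NotNull @Size(min = 1, max = 40) @Pattern(regexp = "[A-Za-z0-9 ]+")
    private final String item;
    @Min(1) @Max(100)
    private final int quantity;
    Order(String item, int quantity) { this.item = item; this.quantity = quantity; }
    String getItem() { return item; }
    int getQuantity() { return quantity; }
}

interface OrderService {
    @RequiresRole("customer")
    String place(@Valid Order order);
}

class OrderServiceImpl implements OrderService {
    public String place(Order order) {
        return "ordered " + order.getQuantity() + " x " + order.getItem();
    }
}

// Security session: the roles of the caller on the current thread.
class SecuritySession {
    private static final ThreadLocal<Set<String>> ROLES = ThreadLocal.withInitial(HashSet::new);
    static void login(String... roles) { ROLES.set(new HashSet<>(Arrays.asList(roles))); }
    static boolean hasRole(String role) { return ROLES.get().contains(role); }
}

// Single access point: every call passes through this one handler, which acts as
// reference monitor (role check) and intercepting validator (@Valid parameters).
class SecurityInterceptor implements InvocationHandler {
    private final Object target;
    private final Validator validator = Validation.buildDefaultValidatorFactory().getValidator();

    private SecurityInterceptor(Object target) { this.target = target; }

    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(),
                new Class<?>[] { iface }, new SecurityInterceptor(target));
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        RequiresRole required = method.getAnnotation(RequiresRole.class);
        if (required != null && !SecuritySession.hasRole(required.value())) {
            throw new SecurityException("caller lacks role " + required.value());
        }
        Annotation[][] paramAnnotations = method.getParameterAnnotations();
        for (int i = 0; args != null && i < args.length; i++) {
            for (Annotation a : paramAnnotations[i]) {
                if (a instanceof Valid) {
                    Set<ConstraintViolation<Object>> violations = validator.validate(args[i]);
                    if (!violations.isEmpty()) throw new ConstraintViolationException(violations);
                }
            }
        }
        return method.invoke(target, args);   // only now does application logic run
    }
}

public class SecurityPatternsDemo {
    public static void main(String[] argv) {
        OrderService service = SecurityInterceptor.secure(OrderService.class, new OrderServiceImpl());
        SecuritySession.login("customer");
        System.out.println(service.place(new Order("coffee", 2)));
        try { service.place(new Order("../etc/passwd", 1)); }          // stopped by the validator
        catch (ConstraintViolationException e) { System.out.println("rejected: " + e.getConstraintViolations().size() + " violation(s)"); }
        SecuritySession.login("guest");
        try { service.place(new Order("coffee", 2)); }                  // stopped by the reference monitor
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        // Functional test path: the bare implementation, with no security in the way.
        System.out.println(new OrderServiceImpl().place(new Order("tea", 1)));
    }
}
```

The role check runs before validation so that an unauthorised caller cannot probe the validator, and both run before `method.invoke`, so no application code executes on rejected input. In a real Spring application the same two responsibilities would live in an `@Aspect` with an `@Around` advice; the proxy here is only the smallest thing that shows the shape of the pattern.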

These are a few other patterns he mentioned:

  • Role Based Access Control or Role Based Security (Wikipedia article)
  • Role-Rights Definition
  • Controlled Object Factory
  • Data Driven Security
  • Multi-Level Security
  • Security Session

Another interesting thing he mentioned is XACML, a security policy management standard from OASIS that defines access control policies in XML.

Apart from the patterns, which are definitely worth looking at, what I took home from this talk is that the most important thing when implementing security is to think. Patterns are just abstract ideas that help you create a good design for your application. They are not blueprints that can be applied blindly.

“Imagine the Impact”

December 16th, 2008 by nils

This GM video from 1990 really makes it seem odd that car manufacturers nowadays still claim to be struggling with battery and range problems in the development of electric cars. Knowing that this car actually went into production in 1996 as EV1, only to be taken off the roads again several years later in 2003, makes the title of this video “Imagine the Impact” seem almost sarcastic.

Recently reports have been current in certain newspapers that Mr. Thomas A. Edison, the inventor, has at last perfected the storage battery, and that within a few months electrically propelled vehicles, costing little to buy and next to nothing to maintain, will be on the market. The same story has appeared regularly for years and yet matters do not appear to have advanced much.

– International Herald Tribune, November 1, 1907

“JAX-RS: The Java API for RESTful Web Services” Talk at Devoxx08

December 15th, 2008 by nils

This talk was given by Paul Sandoz. He showed a few examples and listed the following existing implementations of JSR 311 (JAX-RS):

He was testing the services on the command line with curl, e.g. curl -v -d x=1 -H "Accept: application/xml" http://localhost:8080/xyz, or with "Accept: application/json" to get the JSON representation.

The JAX-RS Overview is supposed to be a good starting point for implementing RESTful web services. His presentation and a zip file with examples can be downloaded from his blog.

“Easy Entity Versioning with Envers” Talk at Devoxx08

December 13th, 2008 by nils

This talk was given by Adam Warski. He is the creator of Envers, a framework that provides entity versioning for Hibernate. It does this by creating additional audit tables and inserting rows into them on every insert, update and delete. This creates global revisions, similar to the way Subversion does it. To activate versioning for a class, the @Versioned annotation is used. User information is not stored with the revisions automatically, but it can be added by implementing a custom RevisionListener.

Envers is now a Hibernate Core module and will be included in the next release of Hibernate.
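As an added example (mine, not code from the talk or from the Envers project), here is what the audited entity, the custom revision entity and the RevisionListener that records the acting user look like, followed by reading the trail back. It uses the org.hibernate.envers API of the merged module, where @Audited is the later name of the @Versioned annotation mentioned above. CurrentUser is a hypothetical stand-in for whatever holds the authenticated principal in your application; the classes are package-private so they can sit in one file for illustration.

```java
import javax.persistence.*;
import org.hibernate.envers.*;

// Added illustration, not code from the talk or from Envers. Uses the
// org.hibernate.envers API (@Audited is the later name of @Versioned).
// CurrentUser is a hypothetical holder for the authenticated principal.

@Entity
@Audited                              // inserts, updates and deletes are also written to ACCOUNT_AUD
class Account {
    @Id @GeneratedValue private Long id;
    private String owner;
    private long balanceCents;

    protected Account() {}
    Account(String owner, long balanceCents) { this.owner = owner; this.balanceCents = balanceCents; }
    Long getId() { return id; }
    long getBalanceCents() { return balanceCents; }
    void setBalanceCents(long v) { balanceCents = v; }
}

// One row per global revision. DefaultRevisionEntity supplies the revision number
// and timestamp; the listener adds the acting user so the trail answers "who".
@Entity
@RevisionEntity(UserRevisionListener.class)
class UserRevision extends DefaultRevisionEntity {
    private String username;
    String getUsername() { return username; }
    void setUsername(String username) { this.username = username; }
}

// Called by Envers once per transaction that touches an audited entity.
class UserRevisionListener implements RevisionListener {
    @Override
    public void newRevision(Object revisionEntity) {
        ((UserRevision) revisionEntity).setUsername(CurrentUser.get());
    }
}

class CurrentUser {
    private static final ThreadLocal<String> NAME = ThreadLocal.withInitial(() -> "anonymous");
    static void set(String name) { NAME.set(name); }
    static String get() { return NAME.get(); }
}

// Reading the trail back: every revision of one account, who made it, and the
// state of the entity at that revision.
class AuditTrail {
    static void print(EntityManager em, Long accountId) {
        AuditReader reader = AuditReaderFactory.get(em);
        for (Number rev : reader.getRevisions(Account.class, accountId)) {
            UserRevision meta = reader.findRevision(UserRevision.class, rev);
            Account at = reader.find(Account.class, accountId, rev);
            System.out.printf("rev %s by %s at %tc: balance=%d%n",
                    rev, meta.getUsername(), meta.getRevisionDate(), at.getBalanceCents());
        }
    }
}
```

One caveat for anyone using this as an audit log: the _AUD tables live in the same schema and are written by the same database user as the application data, so they are evidence against a bug or a malicious application user, not against an attacker who already has write access to the database.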

Here is a link to the current version of Envers

JavaRebel

December 10th, 2008 by nils

Just came across this at Devoxx: JavaRebel – like JVM HotSwap but without all the limitations. And I got a 90 day free license card… Nice!

Let’s go!

December 9th, 2008 by nils

Done! My new website is online… just in time for Devoxx ’08. Tomorrow morning I’ll be heading over to Antwerp and hopefully arrive at around 10:30, in time to miss a boring presentation about JavaFX and instead hear what the IBM people have to say about RFID. Hope to be blogging from there, so stay tuned!


Cheers, Nils