Application Servers G22.3033-011
Session 6 - Main Theme
J2EE Component-Based Computing Environments
Dr. Jean-Claude Franchitti
New York University
Computer Science Department
Courant Institute of Mathematical Sciences

Agenda
• Component Technologies
• Database Technology Review
• EJB Component Model
• J2EE Services
  – JNDI, JMS, JTS, CMP/BMP/JDBC, JavaMail, etc.
• J2EE Web Architectures
• Security in J2EE Application Servers
• Structured Applications Design Tips
• Summary
• Readings
• Assignment #5

Summary of Previous Session
• COM and COM+
• Introduction to .Net
• Component Technologies
• Object Management Architectures
• Java-Based Application Servers
• Windows Services
• Summary
• Readings
• Assignment #5

Additional References
• Intranet Architectures and Performance Report
  – http://www.techmetrix.com/lab/benchcenter/archiperf/archiperftoc.shtml#TopOfPage
• RMI FAQ
  – http://java.sun.com/products/javaspaces/faqs/rmifaq.html
• CORBA beyond the firewall
  – http://www.bejug.org/new/pages/articles/corbaevent/orbix/
• Web Object Integration (vision document)
  – http://www.objs.com/survey/web-object-integration.htm

Application Servers Architectures
• Application Servers for Enhanced HTML (traditional)
  – a.k.a., Page-Based Application Servers
  – Mostly Used to Support Standalone Web Applications
• New Generation Page-Based Script-Oriented App. Servers
  – First Generation Extensions (e.g., Microsoft IIS with COM+/ASP)
  – Servlet/JSP Environments
  – XSP Environment
  – Can now be used as front-end to enterprise applications
  – Hybrid development environments
• Distributed Object Computing Platforms
  – Provide an infrastructure for distributed communications enabling
  – Still need to merge traditional web-oriented computing with object computing
• Object Management Architectures
  – DOC Platform + APIs to reusable services and facilities
• OMAs + Component Models -> J2EE, CCM, DNA

Part I
VMs and Component Technologies
JVM and .Net CLR

Virtual Machines (VMs)
• Provide level of abstraction on top of OSs
• Support binary compatibility between components (language independence / requires language translators)
• Support for data marshalling between components and clients
• Streamline component installation and deployment
• Work at finer granularity level than component infrastructure for deployment (e.g., classes)
• Compliance with definition of component infrastructure not required
• VM is integral part of component infrastructure
• VM is not a component technology by itself
• Component infrastructure = VM with component support?

Java Virtual Machine (JVM)
• Provides OO environment for compiling Java classes and executing compiled bytecodes locally and remotely
• Provides an execution environment where Java classes in binary format are loaded, verified, and executed
• Hides the platform dependency for developers (WORA)

.Net
• Provides OO environment with local and remote execution capabilities
• Provides an execution environment with additional support for deployment and versioning of object code
• Improves the performance of scripted and interpreted code
• Hides the specifics of the underlying platform architecture
• Provides full code compatibility allowing vendors to add language compilers which produce MSIL format
• .Net provides a Common Type System (CTS) that allows introspection of managed code

.Net (continued)
• .Net provides memory management, threading, and synchronization models similar to the Java environment
• .Net provides a set of base classes and libraries called .Net framework, a virtual machine called CLR, and development languages (e.g., JScript, Visual Basic, C#, C++, IL Assembler)
• .Net compilers generate Portable Executable code that incorporates MSIL (PE-MSIL) that looks like DLL or EXE
• CLR uses a JIT to translate MSIL modules (assemblies) into native executable code

Java Platform vs. .Net
• Java runs on any platform with JVM while C# only runs in MS Windows
• Java is the primary language for the JVM while .Net allows unification of PLs under the .Net framework
• Scripting languages are interpreted on the Java platform, while they are compiled on .Net
• Resulting code is bytecode interpreted by JVM, while IL is always translated into native code that is not interpreted

Java Virtual Machine
Write Once Run Anywhere (WORA) Architecture

Java Virtual Machine (JVM) (continued)
• Byte Code Verifier
• Class Loader (dynamic operation)
• Runtime Execution Engine
• Performance bottlenecks:
  – Byte Code Execution, garbage collection, thread management, dynamic operations (i.e., class loading, bounds checking, security measures, dynamic class loading, exception handling, reflection, and native method translation)
• Just-in-time compiler
  – Reduces byte-code interpretation and causes the execution workload to shift to native compilation and caching of native methods.
• Precompiler

Open JVM Interface (OJI)
• Allows any Sun-Compliant JVM (implementing OJI) to become the default JVM for a browser
• Supports Applet, Embed, and Object tags
• Supports Java-JavaScript bidirectional communication
• Supports RSA signed applet verification

.NET Framework
• Common Language Runtime (CLR)
  – Accessible to any compiler that produces Microsoft Intermediate Language (IL) code
• Runtime Classes
• Visual Studio.Net (VS.Net)
  – Includes VB.Net, VC.Net (C#), and Visual C++.Net

.Net Remoting
(http://www.dotnetremoting.cc/)
• Native .Net Remote Object Invocation
• Allows Object Invocation and Communications Across Processes and Machines
• Wire Protocol and Format Independent
• Extensible via Custom Formatters (SOAP, Binary, etc.), Channels (HTTP, TCP, etc.), and Sink Chain (i.e., Channels + Formatters) Steps
• Flexible as Configuration can be Changed after Deployment with Little or no Code Changes
• Flexible (IIS not required on server) but more Complex than Web Services

.Net Remoting Vs. DCOM
• Not as Transparent as DCOM
• Has no COM Interop Involved
• Offers More Deployment Options
• Not Tied to a Specific Wire Protocol or Format
• Firewall Friendly
• Allows you to Specify which Objects are Remoted

.Net CLR and COM+
• CLR Introduces a Newer and Easier Programming Model for COM+
• The COM+ Services are still Available only at the OS/Unmanaged World
• Transitions Between Managed/Unmanaged Layers are Taken Care of by “System.EnterpriseServices” Namespace
  – System.EnterpriseServices.ContextUtil class provides access to contexts (as did CoGetObjectContext)
• Services are Made Available to Components Using Attributes

.NET, Win32, COM, and COM+
• .Net applications can call functions that reside in Win32 DLLs via the DllImport attribute of System.Runtime.InteropServices’ platform invocation (PInvoke) services
• .Net applications can call traditional COM components using Runtime Callable Wrappers (RCWs), which use interop assemblies (i.e., .Net components) created via COM Interop using the TLBIMP utility
• COM+ services (transactions, object pooling, JIT activation) can be used from .Net (via System.EnterpriseServices namespace)
• .Net runtime uses COM+ to support some of its services (e.g., transactions for managed classes)

ContextUtil Class
• Useful Static Members
  – ActivityId
  – IsSecurityEnabled
  – TransactionId
  – DeactivateOnReturn
  – MyTransactionVote
• Rich Set of Member Functions
  – SetComplete
  – SetAbort
  – EnableCommit
  – DisableCommit
  – IsCallerInRole
  – GetNamedProperty

.Net and ServicedComponent
• COM+ Class Derives from “ServicedComponent”

    using System.EnterpriseServices;
    using System.Runtime.InteropServices;

    [ComVisible(true)]
    [ObjectPooling(MinPoolSize=2, MaxPoolSize=5)]
    [Guid("57F01F20-9C0C-4e63-9588-720D5D537E66")]
    [Transaction(TransactionOption.Required)]
    public class SVCCompClass : ServicedComponent
    {
        // component methods go here
    }

• In COM+ 1.0, the List of Services Are not Changed
• In COM+ 1.5 (Microsoft Windows XP Professional and .Net server), Newer Services are Available to Leverage CLR Features

MDA
• OMG's MDA (Model-Driven Architecture) specification describes:
  – a PIM - platform-independent models (i.e. business design)
  – PSMs - the mapping of a PIM to one or more platform-specific model
• MDA => Model Once, Generate Everywhere
• Review MDA presentations:
  – http://www.io-software.com

MDA (continued)
[Figure: one UML model (PIM) projected to several platform-specific models; the projections are labelled XMI and MOF]
• UML Model (PIM)

    Auto
      Color : String
      Door : Integer
      Engine : Integer

• XMI Document (PSM)

    <Auto>
      <Color> Red </Color>
      <Door> 4 </Door>
      <Engine> 2 </Engine>
    </Auto>

• XMI DTD, Schema (PSM)

    <!ELEMENT Auto (Color*, Door*, Engine*)>

• IDL, Java… (PSM)

    interface Auto {};

    class Auto {
        public String color;
        public int Door;
        public int Engine;
    }

The first level of automation ~ 30 Years
(Platform independent to platform specific model projection)
[Figure: projection from PIM to PSM]
• Environment: Programming IDEs (e.g. JBuilder, Visual Age, NetBeans)
• PIM: Programming Language
  – Higher level of expression
  – Easier to understand
  – Portable
  – Standardized
• Generator, Projection: Compiler Engine
  – Dependable
  – Flexible
  – Configurable
  – Optimizing
  – Complete: Linker, Debugger, Etc.
• PSM: Diverse HW/OS Platforms

MDA = New automation levels ~ Last 8 Years
http://www.omg.org/mda
[Figure: P-Stack: A Level of Automation]
• Environment: Architectural IDEs
• PIM: Model (UML, BOM…) & Modeling Style (J2EE, eEPC, COBOL, .NET…)
  – Higher level of expression
  – Easier to understand
  – Portable
  – Standardized
• Generator, Projection: Generator Engine
  – Dependable
  – Flexible
  – Configurable
  – Debuggable
  – Optimizing
  – Complete
• PSM
• Models to Code, Models to Models

Architectural IDEs
http://www.io-software.com,
[Figure: ArcStyler tool architecture; labels recovered from the diagram]
• ArcStyler Core Modules
• Business Object Modeler, Pattern Refinement Assistant, UML Refinement Assistant
• Build, Deploy & Test Support
• MDA-Engine with Meta IDE
• Open MDA/UML/XML Repository
• Optional integrated Tools: Rational Rose, Programming IDE, IDS ARIS, The Unified Process
• MDA Cartridges, Std. MDA Projections: BEA WebLogic; IBM WAS NT, z/OS; J2EE/EJB, .NET; Borland, JBoss; Oracle, IONA
• Architect Edition adds support for custom infrastructure: MDA-Cartridge IDE & MDA Engine

Model Driven Development Tool
(http://www.sygel.com/)

Model Driven Development Tool (continued)

Towards XML Model Based Computing
• Step 1: Document Object Model
• Step 2: XML Data Binding
• Step 3: Standard XML Information Models
• Step 4: XML Application Services Frameworks
  – Processing, Rendering, Querying, Secure Messaging
• Step 5: XML-Based “Web Object Model”
  – Web Services Architecture
• Step 6: XML Model Driven Architectures (to come)

Agile Modeling & XP
http://www.agilemodeling.com/, http://www.agilemodeling.com/resources.htm
• Practices-based software process whose scope is to describe how to model and document in an effective and “agile” manner
• One goal is to address the issue of how to apply modeling techniques on software projects taking an agile approach such as:
  – eXtreme Programming (XP)
  – Dynamic Systems Development Method (DSDM)
  – SCRUM
  – etc.
• Using modeling throughout the XP lifecycle
  – http://www.agilemodeling.com/essays/agileModelingXPLifecycle.htm

“Agile” Methodologies
• See Session 8 Sub-Topic 2 Presentation: Sample Project Development Methodology
• http://www.thoughtworks.com/library/agileEAIMethods.pdf
• http://www.thoughtworks.com/library/newMethodology.pdf

Part II
Database Technology Review

Java Database Technology Review
• Session 6 handout: “Java and Database Technology - JDBC”
• Data Modeling
• Logical Database Design
• Physical Database Design
• Database System Programming Models
• Database Architectures
• Database Storage Management
• Database System Administration
• Commercial Systems: www.oracle.com, www.ibm.com/db2, www.informix.com, www.sybase.com

Java Database Technology Review (continued)
• Parallel and Distributed Databases
• Web Databases
• Data Warehousing and Data Mining
• Mobile Databases
• Spatial and Multimedia Databases
• Geographic Information Systems
• Active Databases
• Temporal Databases
• Deductive Databases

Java Database Technology Review (continued)
• Java and ODBs:
• Related Developments:
  – Persistent Object Stores
  – Object-Oriented Database Management Systems
  – Object/Relational Mapping Automation
• See Object-Oriented Database Articles at http://www.odbmsfacts.com/
• XQuery Toolkits (e.g., Oracle’s OJXQI, XQJ)
  – http://otn.oracle.com/sample_code/tech/xml/xmldb/jxqi.html
• Enterprise Database Architectures:
  – e.g., Oracle 9i PSP, PL/SQL, Java Stored Procedures, etc.

Java and ODBs - JDO
• Java Data Objects (JDO) API (http://access1.sun.com/jdo)
• Transparent database access
• Suitable implementation for
  – Persistent helper classes for session beans
  – Delegate classes for BMP Entity Beans
  – Delegate classes for CMP Entity Beans

JDBC: Pure Java and ODBC-Drivers

Basic and Advanced JDBC
• See Session 12 Handouts:
  – Java and Database Technology - JDBC
  – Enterprise JavaBeans Patterns
• See Session 12 Demo Programs on JDBC
• Java databases
  – http://sourceforge.net/projects/hsql/
  – http://www.pointbase.com/

JDBC API 3.0
(http://java.sun.com/products/jdbc/index.html, http://www.wiley.com/extras/jdbc_3_java_db_connectivity/)
• JDBC Technology Core features (java.sql package)
  – Scrollable result sets
  – Updatable result sets
  – Batch updates
  – Savepoints
• JDBC Optional Package features (javax.sql package)
  – JNDI support
  – Connection pooling
  – Distributed transactions
  – Rowset objects (JavaBeans)
  – Statement pooling

URL-Based Database Connection

Part III
EJB Component Model
Also See Session 6 Handout on:
• “The Enterprise JavaBeans (EJB) Server Component Model”
• “Technical Introduction to Enterprise JavaBeans”
• “Introduction to Enterprise JavaBeans”
• “Enterprise JavaBeans FAQs”
• “Is EJB Right for Me?”
and Session 6 Sub-Topic 1 Presentation on:
• “Using Enterprise JavaBeans”

JavaBeans Review
• The JavaBeans component architecture allows reusable component development
• The JavaBeans specification defines a set of standard component software APIs for the Java platforms
• JavaBeans components interoperate with ActiveX
• JavaBeans APIs are portable to mainstream containers (IE, VB, Microsoft Word, Lotus Notes, etc.)
• JavaBeans and Enterprise JavaBeans are like Apples and Oranges!

JavaBeans Review
• (Java)Bean
  – Java class that implements Serializable, has zero-argument constructor, usually has a set of features (properties, methods, and events)
  – Plug-in component in an application
  – Features exposed to application via event notification, methods, and properties
  – Usable and reusable in any application that needs its features
• BeanInfo class
  – Provides explicit specification of a bean’s features
• Bound Property
  – Notifies registered listeners of a value change
• Constrained Property
  – Allows a listener to send a veto exception to the bean using a try-catch
• Serialized JavaBean
  – Bean’s state stored in a serialized (flat) file (to save state across JVM sessions) and bean is instantiated from the “ser” file
• Property Sheet Editor
  – Primarily used in visual composition to set a bean’s property

JavaBeans Review (continued)
• JAR file
  – Java implementation of a zipped file
  – Used to package a bean and its serialized file
  – Also used to package all the classes needed to execute an applet, or to package an EJB, etc.

JavaBeans Concepts
• JavaBeans API makes it possible to write component software in Java
• Components are self-contained, reusable software units
• Components can be visually composed into applets or applications using visual application builder tools
• JavaBeans components are called Beans
• A “Beans aware” builder tool maintains Beans in a palette or toolbox
• JavaBeans Activation Framework (JAF)
  – Identify the type of data at runtime and instantiate the appropriate bean to perform operations on that data

JavaBeans
• JavaBeans are Reusable Java Software Components
  – Ensure robustness, maintainability, and good application design
• A Component Model Subsumes:
  – Component as a packaged software object with a standardized interface and reusable in multiple applications
  – Specification
  – Programming Model
  – Deployment Model
  – Administration Model
• Component architecture
  – How components interact with each other and with software tools
• JavaBeans Specification and Tools
  – http://java.sun.com/products/javabeans/beanbuilder
  – Specification: http://java.sun.com/products/javabeans/docs
• Events and explicit BeanInfo class are not as important when working with server-side applications

Beans Characteristics
• Properties are a Bean’s appearance and behavior attributes that can be changed at design time
• Beans use events to communicate with other beans
• A “Beans aware” builder tool maintains Beans in a palette or toolbox
• Persistence enables Beans to save their state and restore that state later

JavaBeans Characteristics
• Written in Java
• Standard Java class/instance
• Conform to Sun’s JavaBeans Specification
  – Set of public features
  – Simple/boolean/indexed properties, methods, events
  – Properties access attributes via getter/setter methods
  – Note: Dynamic tables no longer available in WSAD 5.0
  – Requires a zero-argument constructor
  – Implements Serializable interface
• Tools are available to dynamically interrogate beans and determine their interface, or set of features
• Visual programming using IBM Visual Age for Java or Visual Composition Editor
  – e.g., a Button actionPerformed event can trigger a bean method
  – Tools allow visual layout, properties customization, wiring, and packaging
• JSP Editors: JavaBeans usage in JSPs to relate HTTP input parameters to a bean’s parameter, or to pass results from a servlet to a JSP
• IBM Common Connector Framework (CCF) and J2EE Connectors use JavaBeans to connect to EISs such as CICS or IMS

JavaBeans Bound Properties
• Bound Properties are Used to Notify Other Beans
• Notification Mechanism
  – Compliant to JDK 1.1 event model
  – Event source (bean with bound property)
  – Event target/listener (notification target)
  – Listeners can be registered using a helper class: java.beans.PropertyChangeSupport
  – eventListener implements EventListener Interfaces (e.g., PropertyChangeListener, ActionListener, MouseListener, etc.)
  – firePropertyChange method builds PropertyChangeEvent and notifies registered listeners
  – See listener example in Unit 16 where objects referenced from the HttpSession are notified when added to/removed from a HttpSession
• Notification is less important with servlets and JSPs

JavaBeans Constrained Properties
• Interested Parties Can Validate or Veto a Change
• Veto Expressed by Throwing a PropertyVetoException
• Constrained properties are not typically used in server-side development
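
The two slides above describe bound and constrained properties; the following added example (not part of the original lecture) shows both on one bean, with a listener that validates a proposed value and vetoes it before the setter commits. The class name AccountBean, its properties and the 0 to 10,000 range are assumptions made for this illustration.

```java
import java.beans.PropertyChangeListener;
import java.beans.PropertyChangeSupport;
import java.beans.PropertyVetoException;
import java.beans.VetoableChangeListener;
import java.beans.VetoableChangeSupport;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical bean used only for this illustration.
public class AccountBean implements Serializable {
    private static final long serialVersionUID = 1L;

    // java.beans helper classes that hold the listener lists and fire the events.
    private final PropertyChangeSupport bound = new PropertyChangeSupport(this);
    private final VetoableChangeSupport constrained = new VetoableChangeSupport(this);

    private String owner = "";
    private int creditLimit = 0;

    public AccountBean() { }   // zero-argument constructor, as the bean conventions require

    public String getOwner() { return owner; }

    // Bound property: the value changes first, then listeners are notified.
    public void setOwner(String newOwner) {
        String old = this.owner;
        this.owner = newOwner;
        bound.firePropertyChange("owner", old, newOwner);
    }

    public int getCreditLimit() { return creditLimit; }

    // Constrained property: listeners are consulted first and any one may veto.
    public void setCreditLimit(int newLimit) throws PropertyVetoException {
        int old = this.creditLimit;
        constrained.fireVetoableChange("creditLimit", old, newLimit); // throws on veto
        this.creditLimit = newLimit;                                   // reached only if nobody vetoed
        bound.firePropertyChange("creditLimit", old, newLimit);
    }

    public void addPropertyChangeListener(PropertyChangeListener l) {
        bound.addPropertyChangeListener(l);
    }

    public void removePropertyChangeListener(PropertyChangeListener l) {
        bound.removePropertyChangeListener(l);
    }

    public void addVetoableChangeListener(VetoableChangeListener l) {
        constrained.addVetoableChangeListener(l);
    }

    public void removeVetoableChangeListener(VetoableChangeListener l) {
        constrained.removeVetoableChangeListener(l);
    }

    public static void main(String[] args) {
        AccountBean bean = new AccountBean();
        List<String> audit = new ArrayList<>();

        // Event target for the bound properties: records every committed change.
        bean.addPropertyChangeListener(evt ->
            audit.add(evt.getPropertyName() + ": " + evt.getOldValue() + " -> " + evt.getNewValue()));

        // Validator for the constrained property: rejects values outside the assumed range.
        bean.addVetoableChangeListener(evt -> {
            int proposed = (Integer) evt.getNewValue();
            if (proposed < 0 || proposed > 10_000) {
                throw new PropertyVetoException("creditLimit out of range: " + proposed, evt);
            }
        });

        bean.setOwner("alice");
        try {
            bean.setCreditLimit(5_000);    // accepted and committed
            bean.setCreditLimit(50_000);   // vetoed, so the stored value stays unchanged
        } catch (PropertyVetoException e) {
            audit.add("vetoed: " + e.getMessage());
        }

        audit.forEach(System.out::println);
        System.out.println("final creditLimit = " + bean.getCreditLimit());
    }
}
```

Because the veto is raised inside the setter before the field is assigned, a rejected value never reaches the bean's state or its bound-property listeners.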

Customization and Serialized Beans
• A Bean may have its own “Customizer” class
  – e.g., AWT component used to customize the bean
  – This does not apply to the use of JavaBeans in JSPs
• Beans may be shipped with a prototypical instance as a serialized object
  – Application builder can instantiate the bean from the “ser” file
  – This does not apply to the use of JavaBeans in JSPs
  – You can instantiate a JavaBean in a JSP from its serialized representation
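
A “ser” prototype is read back with Java object serialization, so the code that loads it decides which classes the stream is allowed to instantiate. This added example (not part of the original lecture) restores a bean through an ObjectInputFilter allow-list and shows a stream holding any other class being refused; the class names are hypothetical, the streams are constructed in memory instead of being read from a file, and Java 9 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Hypothetical loader used only for this illustration.
public class SerializedBeanLoader {

    // Hypothetical bean: Serializable, zero-argument constructor, getter/setter pair.
    public static class ColorBean implements Serializable {
        private static final long serialVersionUID = 1L;
        private String color = "red";

        public ColorBean() { }

        public String getColor() { return color; }

        public void setColor(String color) { this.color = color; }
    }

    // Produces the bytes a builder tool would store in the bean's "ser" file.
    static byte[] toSer(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Restores the bean, allowing only the classes and sizes the prototype needs.
    static ColorBean loadBean(byte[] ser) throws IOException, ClassNotFoundException {
        // Pattern syntax: allowed class names and resource limits separated by ';',
        // with "!*" rejecting every class that was not matched earlier.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            ColorBean.class.getName()
                + ";java.lang.String"
                + ";maxdepth=3;maxrefs=16;maxbytes=4096"
                + ";!*");

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(ser))) {
            in.setObjectInputFilter(filter);   // must be set before the first readObject()
            return (ColorBean) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a legitimate prototype instance.
        ColorBean prototype = new ColorBean();
        prototype.setColor("blue");
        ColorBean restored = loadBean(toSer(prototype));
        System.out.println("restored color = " + restored.getColor());

        // Constructed sample 2: a stream whose root object is not the expected bean.
        ArrayList<String> other = new ArrayList<>();
        other.add("not a bean");
        try {
            loadBean(toSer(other));
            System.out.println("unexpected: stream accepted");
        } catch (InvalidClassException e) {
            // The filter rejects the class before any instance of it is created.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```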

Beans Builder Tools
• Discover Beans’ properties, methods, and events by introspection:
  – By adhering to specific naming conventions known as design patterns
  – By explicitly providing property, method, and event information with a related Bean Information class

JavaBeans Activation Framework
(Glasgow release of the JavaBeans Component Model)
• Extensible Runtime Containment and Services Protocol
• DCOM Activation Framework
• Drag and Drop Subsystem for the Java Foundation Classes
• JavaBeans Activation Framework (JAF)
  – A Data typing and command registry API
  – Lets users discover an arbitrary data object type (e.g., file)
  – Users can then lookup command applications or beans that can process such data type (e.g., browser plug-in to view/edit file)
  – Can activate the command

J2EE Platform: The Whole is Greater than the Sum of its Parts

J2EE: A Complete Computing Environment
• Platform Specification
  – Lists required elements of the platform
  – Lists policies to follow for a valid implementation
• Reference Implementation
  – Semantically correct prototype to test against
• Compatibility Test Suite
  – API-level compatibility, component-level tests, end-to-end compatibility
• Application Programming Model: java.sun.com/j2ee

J2EE Features
• Standard Documents and Software Libraries
• Specification
• Programming Model
• Platform
• Reference Implementation
• Compatibility Test Suite
• http://www.javasoft.com/j2ee/docs.html

J2EE Server and Containers

Servlets Technology
(http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Servlets.html, http://www.java-shop.com/jsp.htm)
• Java’s standard mechanism for writing code that runs and extends the functionality of a servlet engine
• A servlet is to a server what an applet is to a browser
• HTTP servlets
  – Replacement for CGI
  – Standard mechanisms for handling cookies, sessions, session/application contexts
  – Advantages over CGI: performance, platform and web-server independence
• Servlet filters are new in the Java Servlet Specification 2.3

JSP Technology
(http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/JSPIntro.html)
• Answer to Microsoft’s Active Server Pages
• Provide mechanism for including tags/scriptlets into an HTML or XML page
• JSPs have .jsp extension and are processed using a special servlet
  – JSP page is compiled into a servlet upon first access or after each modification
• Ability to instantiate and access JavaBeans within JSP pages

Distributed Multitiered Applications

Server Communications

Web Tier and J2EE Application

Web Tier and J2EE Application

Business and EIS Tiers

Enterprise JavaBeans (EJBs)
• Enterprise Application Platforms:
  – Provide model for the development and deployment of reusable Java server components
  – Support component modeling
  – Handle the serving of EJBs
• Next Steps:
  – “Model-Centric” Application Development

Enterprise JavaBeans Container

Enterprise JavaBeans and Services
[Figure: an Application Server hosting a Container, which holds the Enterprise JavaBean and supplies its Services]
• Services
  – Lifecycle
  – Transaction
  – Security
  – Load Balancing
  – Error Handling
  – Persistence*
  – Threading
* In the EJB 1.0 specification support for persistence services is optional. In the EJB 1.1 specification it is mandatory.

Sample DemoBean Application Architecture

Entity Beans in EJB Application Servers
• Represent sets of data (all or part of a database table or a view)
• Functionality limited to creation, update, and deletion of data
• Manage persistence of data
• Maintained in a cache
• Can be container or bean managed
  – Container-managed beans are under the control of an application server for persistence and transaction management
  – Container-managed beans are restricted in the type and complexity of data they can manage
  – Bean-managed beans rely on user provided code for persistence and transaction management

Session Beans in EJB Application Servers
• Handle the business logic of EJB applications
• May use multiple entity beans to gather application data
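
Session and Entity Beans
[Figure: inside the Application Server, an ATM Session Bean carries out “Transfer $100 from Account A to Account B”]
• The ATM Session Bean asks Account Entity Bean A to subtract $100
• The ATM Session Bean asks Account Entity Bean B to add $100
• Each Account Entity Bean issues an “Update Account” to the Database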

EJB Physical Partitioning
[Figure: Web Browsers -> Web Servers -> EJB Servers -> Database, with three instances shown in each of the first three tiers]
• EJBs communicate to the database through Java Database Connectivity (JDBC). The application server pools and manages database connections for maximum efficiency.
• The application server distributes load across all available EJB servers and provides fail-over if one of the EJB servers goes down.
• A Domain Name System (DNS) server routes incoming browser requests evenly across a pool of web servers. This technique is referred to as DNS round-robining. The application server provides fail-over if one of the web servers goes down.

Java-Based and J2EE Application Servers
• Third-Party Vendors
  – http://www.app-serv.com/contend.html
• See:
  – www.javapro.com: Special Edition on Application Servers (Fall 2001)
  – http://www.java-zone.com/free/articles/sf0101/sf0101-1.asp
  – http://www.mgm-edv.de/ejbsig/ejbservers.html
  – http://www.javaworld.com/javaworld/tools/jw-tools-appserver.html
  – http://www.appserver-zone.com/
  – http://www.devx.com/devxpress/gurl.asp?i=1X1095373X7360
• WebSphere Architecture and Programming Model:
  – http://www.research.ibm.com/journal/sj/373/bayeh.html

Commercial Application Servers
• Xoology Concerto
• Sybase EAServer
• IONA iPortal
• Aligo M-1
• Advanced Network Systems WebIx
• Oracle9i
• BEA WebLogic
• IBM WebSphere
The Three Cs: Components, Containers, Connectors

J2EE: Components
• Enterprise JavaBeans
  – Server-side solutions can be built without regards for the database, transaction server, or application they run on
• Servlets
  – Run on vast majority of web servers
• JavaServer Pages
  – Dynamic content leverages off the full power of Java

J2EE: Containers
• Containers provide high-performance, scalable environments for J2EE-enabled servers
• J2EE-enabled servers support EJB-based components, servlets, and JSP-based pages

J2EE: Connectors
• Connectors allow J2EE-based solution to preserve, protect, and leverage off of existing enterprise investments

J2EE: Unifying the Three Cs
• Single platform
• Standard platform-independent technology
• Applications built with components can be run on any J2EE server, and are able to talk to enterprise-class systems that exist today

EJB Component/Programming Model

Creating an EJB Component
Example:

    import javax.naming.Context;
    import javax.naming.InitialContext;

    try {
        // get the JNDI naming context
        Context initialCtx = new InitialContext();
        // use the context to look up the home interface
        CheckingHome home = (CheckingHome) initialCtx.lookup("checking");
        // use the home interface to create the enterprise Bean
        Checking server = home.create();
        // invoke business methods on the bean
        server.createAccount(1234, "Athul", 1000671.54d);
    } catch (Exception ex) {
        ex.printStackTrace();
    }

Sample Java Application Server Services

BEA WebLogic Application Server

Part IV
J2EE Services
Also See Session 5 and Session 6 Handouts on:
• “JNI”
• “JTS - Demarcated Transaction Support”
• “Understanding Java Messaging and JMS”
• “EJB Patterns”
• “Persistence in EJB Frameworks”
• “Efficient CMP Development”
and Session 6 Sub-Topic 2 Presentation on:
• “Designing Databases for eBusiness Solutions”

J2EE OMA Services
• Activation Services
  – RMI Activation Framework
  – JavaBeans Activation Framework
• Naming and Directory Service
  – JNDI and JNDI SPIs for CosNaming, RMI, NIS, NDS, LDAP
• Trading Service
  – Jini
• JTA and JTS
• Messaging Services
  – JMS
  – JavaMail

Java and Database Technology
• JavaSpaces
  – Create and store objects with persistence
  – Allow process integrity
  – http://www.javasoft.com/products/javaspaces/index.html
• JDBC Data Access API
  – Access tabular data sources from Java
  – http://www.javasoft.com/products/jdbc/index.html
• J2EE database access and container managed persistence (http://java.sun.com/j2ee/j2sdkee/techdocs/guides/ejb/html/DevGuideTOC.html)
• Pjama: Orthogonal Persistence for the Java Platform
  – http://www.sun.com/research/forest/opj.main.html
  – http://www.dcs.gla.ac.uk/pjava/

EJB Persistence Service Architecture
• See Persistence Service Interface for Entity Beans:
  – http://jsp.java.sun.com/javaone/javaone2000/pdfs/TS-1498.pdf
• See JBoss Persistence Manager Architecture:
  – http://javatree.web.cern.ch/javatree/share/opt/net/jboss-2.0/docs/container.html
  – JAWS (Just Another Web Store) is the default CMP (Container Managed Persistence) plugin that performs basic O/R functionality against a JDBC-store
• See Patterns for Object Relational Access Layers
  – http://www.objectarchitects.de/ObjectArchitects/orpatterns/EJBPersistence

Persistence Service Performance Issues
• Complexity of an optimal access layer
  – Object to Tuple Layer Logical Mapping
  – Physical Layer Mapping
• Caching to reduce database traffic and disk I/O
  – Data Clustering
• Application must still be maintainable at a reasonable cost
• See Session 6 Handouts and Presentations:
  – “Efficient CMP Development”
  – “Enterprise JavaBeans Patterns”
  – “Designing Databases for eBusiness Solutions”

Java Messaging Service
• Handles both Synchronous and Asynchronous Messaging
  – Topic / point-to-point messaging
  – Queue / publish-and-subscribe messaging
• Common Way for Java Programs to Create / Send / Receive / Read Enterprise Messages
• Used in Conjunction with MOM Products
  – e.g., TIBCO, MQSeries
• Different Message Types
  – TextMessages, MapMessages, ObjectMessages, etc.

Java Messaging Service (JMS)
(connection, session, and messaging facilities)

JMS Synchronous Subscriber Example

    import javax.jms.*;
    import javax.naming.InitialContext;

    // Lookup admin objects on default host
    InitialContext ic = new InitialContext();

    // Lookup connection factory and Topic names
    TopicConnectionFactory tcf =
        (TopicConnectionFactory) ic.lookup("primaryTCF");
    Topic topic = (Topic) ic.lookup("primaryTopic");

    // Release InitialContext resources
    ic.close();

    // Create and start a topic connection
    TopicConnection topicConnection = tcf.createTopicConnection();
    topicConnection.start();
    System.out.println("Creating topic session: not transacted, auto ack");

JMS Synchronous Subscriber Example (continued)

    // Create topic session on the connection just created
    // (javax.jms.Session.AUTO_ACKNOWLEDGE is the named constant for the literal 1)
    TopicSession topicSession =
        topicConnection.createTopicSession(false, Session.AUTO_ACKNOWLEDGE);

    // Create subscriber
    TopicSubscriber topicSubscriber =
        topicSession.createSubscriber(topic);

    // Listen for messages synchronously (blocking receive)
    while (true) {
        TextMessage textmsg2 = (TextMessage) topicSubscriber.receive();
        System.out.println("Received : " + textmsg2.getText());
    }

J2EE Connector Architecture
• Component-Container Architecture
  – http://java.sun.com/features/2000/08/connect.html
• J2EE Container Environment
  – J2SE Platform
  – Java Enterprise APIs
  – Java Enterprise Implementations
  – Deployment Services
  – Management Services
• Component-Container Models
  – EJB App Servers, Web App Servers (SRV/JSP), Applet Clients, Application Clients

J2EE Connector Architecture (continued)

Sample XML-Based MOM Architecture
[Figure: ENTERPRISE LEVEL Business Process [Trade execution], drawn as numbered steps over a messaging backbone; labels recovered from the diagram]
• Business process boxes: [NOI/Orders], [Order Capture], [Order Matching], [Order Execution], [Confirms], [Settlement], [Data Aggregation and intra day reporting] (Exceptions, Real Time Analytics)
• Parties and endpoints: [Asset Managers], [ECNs], [Custodians], Pervasive Devices, Mainframe, Secure IP Network
• Vendor Agnostic Middleware: MQ Series, MSMQ, JMS, TIBCO, SeeBeyond
• Messaging: Reliable Messaging, Transactional Integrity, Two Phase Commit
• Other labels: [Business Process Engine], Open Adaptors, Java Bean Connectors, ISO 15022, rendezvous, DeGate, eWay, Collaboration, IQ, ELBP, Scalability, Fault Tolerance

Part V
J2EE Web Architectures
Also See Session 3 and Session 6 Handouts on:
• “Applets, Servlets, and Java Server Pages”
• “Servlets”
• “The Basics of the Palm Platform and the PalmOS Emulator”
• “MIDP Extensions and MIDlets”

Web-Enabled Architectures (evolution)
• Traditional client-server technology
• CGI frameworks
• Page-based extended HTML environments
• Distributed object computing platforms
  – Java-Based
• Object Management Architectures (OMAs)
• Component-based computing environments
• Web Services platforms
• Next generation application servers (reflective, multimedia- and agent enabled, MDA-compliant, etc.)

Web-Enabled Architectures (continued)
• Application Servers for Enhanced HTML (traditional)
  – a.k.a., Page-Based Application Servers
  – Tag-Oriented (e.g., Macromedia ColdFusion 5.0 Server)
  – Script Oriented (e.g., Microsoft IIS with ASP, PHP)
  – Mostly Used to Support Standalone Web Applications
  – Typically less expensive than standalone and IDE-based servers
  – HTML-based development
• New Generation Page-Based Script-Oriented App. Servers
  – First Generation Extensions (e.g., Microsoft IIS with COM+/ASP)
  – Servlet/JSP Environments
  – XSP Environment
  – Can now be used as front-end to enterprise applications
  – Hybrid development environments

Web and Client Application Services
• Activation Services
  – Client: MIME Handler, and Applet Activation
  – Web Server: File-Stream, Process, Script Engine, Servlet, JSP, and EJB Activation
• Naming and Directory Service
  – DNS and Java-Based DNS Interfacing
  – NIS, NDS, LDAP
• Custom Transaction Services
  – Based on Encina, Tuxedo, etc.
• Custom Messaging Services
  – TIBCO
  – MQSeries

Catalog of Patterns
(www.martinfowler.com/eaaCatalog)
• Domain Logic Patterns (e.g., Service Layer)
• Data Source Architectural Patterns
  – e.g., Data Mapper
• Object-Relational Behavioral Patterns
  – e.g., Unit of Work
• Object-Relational Structural Patterns
  – e.g., Inheritance Mappers
• Object-Relational Metadata Mapping Patterns
  – e.g., Repository
• Web Presentation Patterns
  – e.g., MVC, Application Controller
• Distribution Patterns (e.g., Remote Façade, DTO)
• Offline Concurrency Patterns (e.g., Implicit lock)
• Session State Patterns (e.g., Server Session State)
• Base Patterns (e.g., record set, value object)
102
MVC Pattern
Splits user interface interaction into three different roles
103
Application Controller Pattern
104
Data Transfer Object Pattern
Object that carries data between processes to reduce the number of calls
105
Remote Facade Pattern
Provide coarse-grained object façade to optimize network usage
106
MVC or Model 2 Design Pattern
• From Architectural to Design and Enterprise Patterns
    • Christopher Alexander
    • Gamma et al., etc.
• Used to implement modern Web applications as a combination of
    • Servlets/Servlet filters
        • Controller receiving/filtering requests from the user
        • Updates the application’s model composed of JavaBeans
        • Passes the page request to a view JSP
    • Java Server Pages
        • Display information based on the current state of the application’s model
        • Not limited to HTML (e.g., JSP tags, XML/XSL, etc.)
    • JavaBeans (visual and non-visual)
        • Enable component reuse
    • Custom Tag Libraries
        • Make it possible to move source code out of the JSP, where it is difficult to maintain, and into reusable JavaBeans
    • Rich array of Java APIs
    • View implemented via tier-x display components
107
Architectural Considerations
Page-Centric vs. Dispatcher Type
• Page-Centric architectures have a JSP handling the request directly
• Dispatcher architectures include a Servlet that handles the request and delegates to a JSP
• Sample architectural patterns:
    • Page-View (Page-Centric)
    • Page-View with Bean (Page-Centric)
    • Mediator-View (Dispatcher)
    • Mediator-Composite View (Dispatcher)
    • Service-to-Workers (Dispatcher)
108
MVC Summary
• Benefits of MVC Design
    • Groups of developers can work on various areas in parallel
    • Much easier to reuse prebuilt components focused on a specific responsibility
    • View coded separately makes it easier to update the look and feel of an application
• Examples of GUI JavaBeans
    • JButton, JList, JTable (Swing)
• Examples of Invisible JavaBeans
    • Invoice, Customer, Employee, controller classes, servlets, database access classes, etc.
• Components of the Model, View, Controller
    • Model refers to business classes, (many) views refer to various GUI ways to access the model, and (many) controllers take GUI requests and invoke the proper part of the model
109
J2EE Web-Enabling Component Models
• Javasoft’s Applet Tutorial: http://java.sun.com/docs/books/tutorial/applet/TOC.html
• Swing Applets: http://java.sun.com/docs/books/tutorial/uiswing/start/swingApplet.html
• Java Web Start: http://www.javasoft.com/products/javawebstart/index.html
• Servlets, Servlet filters, Cocoon/XSPs
    • See previous sessions and related session 3 handouts
• Connected Devices
    • See related session 6 handout on the Palm Platform
    • See http://webdev.apl.jhu.edu/~rbe/kvm/
110
Java Servlets & Java Server Pages
• See Session 3 Handout: Applets, Servlets, and Java Server Pages
• See Javasoft’s Documentation on Servlets: http://java.sun.com/products/servlet/index.html
• See Javasoft’s Documentation on JSPs: http://java.sun.com/products/jsp/
• Servlet Example: Cocoon, http://xml.apache.org
111
Introduction to Servlets and JSPs
• See http://www.java-shop.com/jsp.htm
• Servlets (http://java.sun.com/products/servlet/)
    • Java’s standard mechanism for writing code that runs in and extends the functionality of a servlet engine
    • A servlet is to a server what an applet is to a browser
    • HTTP servlets
        • Replacement for CGI
        • Standard mechanisms for handling cookies, sessions, session/application contexts
        • Advantages over CGI: performance, platform and web-server independence
    • Servlet filters are new in the Java Servlet Specification 2.3
• Java Server Pages (http://java.sun.com/products/jsp/)
    • Answer to Microsoft’s Active Server Pages
    • Provide mechanism for including tags/scriptlets into an HTML or XML page
    • JSPs have .jsp extension and are processed using a special servlet
        • JSP page is compiled into a servlet upon first access or after each modification
    • Ability to instantiate and access JavaBeans within JSP pages
112
MVC or Model 2 Design Pattern
• Used to implement modern Web applications as a combination of
    • Servlets/Servlet filters
        • Controller receiving/filtering requests from the user
        • Updates the application’s model composed of JavaBeans
        • Passes the page request to a view JSP
    • Java Server Pages
        • Display information based on the current state of the application’s model
    • JavaBeans
        • Enable component reuse
    • Custom Tag Libraries
        • Make it possible to move source code out of the JSP, where it is difficult to maintain, and into reusable JavaBeans
    • Rich array of Java APIs
113
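Servlets and JSPs Examples
JSP displaying a banner image based on who is referring the user to the site:
    <%@ page import="com.ibm.jspredbook.*" errorPage="error.jsp" %>
    <html>
    <body bgcolor="#FFFFFF">
    <%-- The Referer header is used to trap the URL the user is coming from.
         It is supplied by the client, so it is URL-encoded before being written into the page. --%>
    <% String referer = request.getHeader("Referer"); %>
    <IMG SRC="/servlets/ImgServlet?from=<%= java.net.URLEncoder.encode(referer == null ? "" : referer, "UTF-8") %>">
    </body>
    </html>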
114
Servlets and JSPs Examples (continued)
Servlet referenced in the IMG tag of the previous slide (partial):
    package com.ibm.projsp;

    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.util.*;
    import java.io.*;

    public class ImageServlet extends HttpServlet {
        private String docHome = ".";

        public void service(HttpServletRequest request,
                            HttpServletResponse response)
                throws ServletException, IOException {
            HttpSession session = request.getSession(true);
            ServletConfig config = getServletConfig();
            ServletContext application = config.getServletContext();
            // findFile() and sendFile() are helper methods not shown on the slide
            File file = findFile(request, response);
            if (file == null) {
                return;
            } else {
                // Content type and length are derived from the file that was found
                response.setContentType(application.getMimeType(file.getName()));
                response.setContentLength((int) file.length());
                sendFile(file, response);
            }
        }
        // ... remainder of the class is not shown on the slide
    }
115
Architectural Considerations
Page-Centric vs. Dispatcher Type
• Page-Centric architectures have a JSP handling the request directly
• Dispatcher architectures include a Servlet that handles the request and delegates to a JSP
• Sample architectural patterns:
    • Page-View (Page-Centric)
    • Page-View with Bean (Page-Centric)
    • Mediator-View (Dispatcher)
    • Mediator-Composite View (Dispatcher)
    • Service-to-Workers (Dispatcher)
116
Cocoon 2
• Web publishing framework implemented as a servlet
• Requires a servlet engine to operate
• Cocoon 2 has been rearchitected to truly support the MVC pattern
• Cocoon processor:
    • Cocoon Java type that takes a DOM tree as an input and produces another
• Cocoon producer:
    • Cocoon Java type used to feed the initial XML content to the Cocoon processing pipeline
    • e.g., Cocoon serves static XML documents using its built-in FileProducer
• Cocoon processing instructions act upon a whole document, which generates a result document
    • <?cocoon-process type="xsp"?>
    • Result document is passed to the next Cocoon processor
    • Similar to servlet chaining
• Alternatives: Rocket, CPan’s, http://xmlsoftware.com/publishing/
117
Introduction to XSPs
• See:
    • Apache Cocoon technology: http://xml.apache.org/cocoon/
    • XSP / JSP differences: http://www.onjava.com/lpt/a/620
    • Publishing Frameworks: http://www.oreilly.com/catalog/javaxml/chapter/ch09.html#69379
• XSP:
    • Core technology available in Apache Cocoon 2
    • Approach separates content, style, and logic as XML files and uses XSL to merge them
• XSP engine
    • Implemented as a Cocoon processor that accepts an XSP as input
    • Translates XSP into equivalent source program, compiles, loads and executes it
    • XSP generates producers while JSP technology generates servlets
    • All XSP producers are derived from an abstract base class XSPPage
118
Minimal XSP Page
• XML document that has the following characteristics:
    • Processing instruction invoking the XSP processor: <?cocoon-process type="xsp"?>
    • Document root element must be: <xsp:page>
    • All language and taglib declarations must appear as attributes in the root element tag:
        • e.g., <xsp:page language="java" xmlns:xsp="http://www.apache.org/1999/XSP/Core">
    • Optional elements: <xsp:logic> (procedural logic embedding) and <xsp:expr> (program expression inlining)
    • Optional processing of the resulting page via a style sheet for viewing purposes
        • <?cocoon-process type="xslt"?>
        • <?xml-stylesheet href="sample.xsl" type="text/xsl"?>
• Note: Minimal JSP page is an HTML document
119
XSP Example
XSP logic tag:
    . . .
    <p>
      Good
      <xsp:logic>
        String timeOfDay = (new SimpleDateFormat("aa")).format(new Date());
        if (timeOfDay.equals("AM")) {
          <xsp:content>Morning</xsp:content>
        } else {
          <xsp:content>Afternoon</xsp:content>
        }
      </xsp:logic>!
    </p>
    . . .
May be rephrased using a library tag as:
    ...<p>Good <util:time-of-day/>!</p>...
120
XSP vs. JSP
• XSP
    • Tailored to maximize code reuse
    • Allows separation of content from presentation
        • Developers handle content generation (content can be static or generated via servlets or Java code)
        • XML/XSL authors handle style/presentation via style sheet modifications
    • As XSP processing occurs prior to styling, the content can be presented in various ways
    • Keeps development teams well isolated
    • Can use IBM's Bean Scripting Framework (BSF) to support other scripting languages in addition to Java
• JSP
    • Popular and widely understood
    • Requires tight collaboration between application developers and presentation designers
    • At best presentation designers must understand how to use tag libraries
121
Web- & XML-Enabling Readings
• Java as CGI
    • http://www.javaworld.com/javaworld/jw-01-1997/jw-01-cgiscripts.html
    • http://www.apl.jhu.edu/~hall/java/CGI-with-Java.html
• Mapping HTML to XML
    • http://db.cis.upenn.edu/W4F/Documentation/XML-mapping.html
• XML-Related Technologies
    • http://java.sun.com/features/2001/02/xmlj2ee.p.html
    • http://xml.apache.org/cocoon/userdocs/xsp/xsp.html
    • http://www.planetexml.com/article.php3?id_article=17
    • http://www-124.ibm.com/developerworks/projects/bsf
122
Part VI
Security in J2EE Application Servers
(more on SSL and Servlet authentication/integrity/privacy to come in session 7)
See Session 6 Sub-Topic 3 Presentation on:
“Java 2 Security”
123
Java Security
• Java Security API: http://www.javasoft.com/security/index.html
• Signed Applets: http://java.sun.com/products/plugin/1.2/docs/signed.html
• RSA Signed Applets: http://java.sun.com/products/plugin/1.3/docs/nsobjsigning.html
124
Pre Java 2 Security
125
Java 2 Security (secure application distribution using Java cryptography API)
• Secure Application Distribution
    • Applications stored as a self-executing encrypted file
    • Only class file data is encrypted
    • Main executable file must be distinguishable
• Four Phases
    • Packaging
    • Encryption/Decryption
    • Loading
    • Execution
126
Java Security
• Java Security API
    • Java Authentication and Authorization Service (JAAS)
    • Java Cryptography Extension (JCE)
    • Java Secure Socket Extension (JSSE)
    • http://www.javasoft.com/security/index.html
• Signed Applets: http://java.sun.com/products/plugin/index-1.4.html
• RSA Signed Applets:
    • http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/rsa_how.html
    • http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/rsa_signing.html
    • http://java.sun.com/j2se/1.4/docs/guide/plugin/developer_guide/rsa_deploying.html
127
Java 2 Security
128
Java 2 Security
129
Applet Security
• Java Plug-In Security Reference
    • http://java.sun.com/j2se/1.4/docs/guide/security/index.html
• Security Features
    • RSA signed applet (jar signing in the JDK)
    • HTTPS (handled via browser)
    • LiveConnect for Java-JavaScript bidirectional communication
        • Origin of HTML page must be same as that of applet
        • JavaScript must be signed and “UniversalBrowserRead” permission must be enabled for JavaScript (default is local Java policy)
130
Java 2 Security
131
Applet Plug-In
• Needed for RSA signed applet verification
• Provides enhanced applet debugging and management features
• Java Plug-in included as part of the JRE 1.4.1
    • http://java.sun.com/products/plugin/
• JDK 1.3.1_01 was the first version to include Java Plug-in (1.3) software
• Consult the Java Plug-in documentation
    • http://java.sun.com/j2se/1.4/docs/guide/plugin/
• Using the HTML APPLET tag converter
    • http://java.sun.com/j2se/1.4/docs/guide/plugin/developer_guide/html_converter.html
132
Java 2 Plugin Architecture (http://java.sun.com/j2se/1.4/jre/)
133
Security Requirements for Distributed Applications
• Security model based on the origin of running code is not sufficient
• Authentication (i.e., checking credentials) of either or both parties is necessary as requests themselves must be trusted
• Both client and server may want to check each other's identities (i.e., mutual authentication)
• Security scheme should support authorization levels
134
Basic Authentication with HTTP
• HTTP built-in challenge/response authentication
    • Verify that both parties know a shared password
• Client HTTP request:
        GET /secureApp/resource1 HTTP/1.1
        Host: foo
• Server challenge:
        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Basic realm="homer"
• Client:
        GET /secureApp/resource1 HTTP/1.1
        Host: foo
        Authorization: Basic (base-64 encoded user name/password)
• Server: if (ok) then (possibly) “403 Access Denied” else “401 Unauthorized”
• Limitations:
    • Authentication info must be included with every request, as it cannot be cached securely, and base-64 encoding is not encryption => need encrypted link and strong server authentication
135
Digest Authentication with HTTP 1.1
• Client must prove knowledge of a password without transmitting it
• More safeguards against replay attacks
• Authenticate header contains the authentication scheme (“digest”), realm, and “nonce” (i.e., “number once”)
• Client calculates a digest in response based on these parameters and the user name/password, HTTP method and request URI
• Digest is a fixed-length encoding of some data (MD5 algorithm)
    • Data cannot be inferred from the digest
    • Two digests are identical for the same data
• Server creates a message digest using the client response and compares it
• Limitations: servers must store client passwords securely, and the approach is still subject to replay attacks (need to secure the “nonce” parameter using URL/IP address/time stamp/private key and server would need to refuse a previously seen “nonce”)
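The digest calculation and the nonce safeguards listed above, as an added example that is not code from the slides. The response follows RFC 2617 without qop; the nonce layout (time stamp plus an HMAC over time stamp, client IP and URI), the class names, and the user name, password and IP addresses are assumptions constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DigestAuthDemo {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String md5Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1)));
    }

    // Digest response when no qop is negotiated (RFC 2617):
    // MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )
    static String digestResponse(String user, String realm, String password,
                                 String method, String uri, String nonce) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    // Server side: issues nonces bound to time stamp, client IP and URI with a
    // private key, and refuses stale, forged or previously seen nonces.
    static class Server {
        private final byte[] privateKey = new byte[32];
        private final Set<String> seenNonces = new HashSet<String>(); // grows unbounded in this demo
        private final long maxAgeMillis;

        Server(long maxAgeMillis) {
            new SecureRandom().nextBytes(privateKey);
            this.maxAgeMillis = maxAgeMillis;
        }

        private String mac(String data) throws Exception {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(privateKey, "HmacSHA256"));
            return hex(hmac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        }

        String issueNonce(String clientIp, String uri, long now) throws Exception {
            return now + ":" + mac(now + ":" + clientIp + ":" + uri);
        }

        private static boolean same(String a, String b) {
            // Constant-time comparison of the two encodings
            return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                         b.getBytes(StandardCharsets.UTF_8));
        }

        boolean verify(String user, String realm, String password, String method, String uri,
                       String clientIp, String nonce, String response, long now) throws Exception {
            String[] parts = nonce.split(":", 2);
            if (parts.length != 2) return false;
            long issued;
            try { issued = Long.parseLong(parts[0]); } catch (NumberFormatException e) { return false; }
            if (issued > now || now - issued > maxAgeMillis) return false;              // stale nonce
            if (!same(mac(issued + ":" + clientIp + ":" + uri), parts[1])) return false; // forged or moved
            if (!same(digestResponse(user, realm, password, method, uri, nonce), response)) return false;
            return seenNonces.add(nonce);                                                // false on replay
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values
        String user = "alice", realm = "homer", password = "s3cret";
        String uri = "/secureApp/resource1", ip = "192.0.2.10";
        Server server = new Server(60000L);
        long t0 = System.currentTimeMillis();

        String nonce = server.issueNonce(ip, uri, t0);
        String response = digestResponse(user, realm, password, "GET", uri, nonce);
        System.out.println("first use      : "
                + server.verify(user, realm, password, "GET", uri, ip, nonce, response, t0 + 1000));
        System.out.println("replayed       : "
                + server.verify(user, realm, password, "GET", uri, ip, nonce, response, t0 + 2000));

        String nonce2 = server.issueNonce(ip, uri, t0);
        String response2 = digestResponse(user, realm, password, "GET", uri, nonce2);
        System.out.println("from other IP  : "
                + server.verify(user, realm, password, "GET", uri, "198.51.100.7", nonce2, response2, t0 + 1000));
        System.out.println("after max age  : "
                + server.verify(user, realm, password, "GET", uri, ip, nonce2, response2, t0 + 120000));
    }
}
```

Only the first verification succeeds; the replayed, relocated and expired requests are refused even though each carries a correctly computed digest.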
136
HTTP-related Security (inherent limitations)
• The safer the “nonce”, the greater the load on the server, and the more authentication required on the part of the caller
• Multiple authentication schemes
    • Server sends a challenge with multiple WWW-Authenticate headers
    • Not a good idea as authentication scheme can be easily downgraded to acquire passwords
• Both basic and digest authentication rely on a shared secret
    • No provision for secure exchange of shared secret
    • No cryptographic assurance of parties’ identity
    • Do not use the secret to guarantee data integrity
    • Do not use the secret to hide data using encryption
137
Encrypted Communication
• Encrypt data with a key so that it can only be decrypted with a matching key
• Symmetric key: same key used for encryption/decryption
• Asymmetric key: key split into private/public key
    • Public key encryption can only be decrypted via private key, while private key encryption can be publicly decrypted
• Data hiding: data encrypted using a public key so that only intended recipient gets it, or use symmetric key
• Data signing:
    • Recipient can tell where data comes from and check integrity
    • Sender runs a one-way algorithm over the data to generate a hash
    • Hash is a fixed-length encoding (128 to 256 bits) encrypted with the key
    • Resulting signature is sent along with the data
    • Being able to decrypt the signature verifies sender’s identity (if he used private/symmetric key) and hash comparison verifies data integrity
138
Encrypted Communication (continued)
• Asymmetric encryption is slow for encrypting/decrypting bulk data
• Asymmetric encryption should be used to exchange symmetric keys
    • Prepare symmetric key, encrypt it with target recipient’s public key, and sign it with your private key
    • Recipient can verify the message came from you, and is the only one to be able to decrypt it
    • Recipient can do the same to send his symmetric key
• Issue is to exchange public keys to start with
    • Put each public key into a package or “certificate”
    • Sign the certificate with the private key of a trusted authority
    • Various Certificate Authorities are available (e.g., Verisign)
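The key exchange described on the two slides above, as an added example that is not code from the slides: a symmetric session key is encrypted with the recipient's public key, signed with the sender's private key, and then used for the bulk data. The class and method names, the algorithm choices (RSA-OAEP, SHA256withRSA, AES-GCM) and the sample message are assumptions; both public keys are assumed to be already trusted, so the certificate step is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyExchangeDemo {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Everything the sender transmits
    static class Envelope {
        byte[] wrappedKey;  // session key encrypted with the recipient's public key
        byte[] signature;   // sender's signature over wrappedKey
        byte[] iv;          // per-message nonce for AES-GCM
        byte[] ciphertext;  // bulk data encrypted with the session key
    }

    static Envelope send(byte[] plaintext, PublicKey recipientPublic, PrivateKey senderPrivate)
            throws Exception {
        // 1. Prepare the symmetric key
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();

        Envelope e = new Envelope();
        // 2. Encrypt it with the recipient's public key (slow, but only 16 bytes)
        Cipher wrap = Cipher.getInstance(WRAP);
        wrap.init(Cipher.ENCRYPT_MODE, recipientPublic);
        e.wrappedKey = wrap.doFinal(session.getEncoded());

        // 3. Sign it with the sender's private key
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(senderPrivate);
        signer.update(e.wrappedKey);
        e.signature = signer.sign();

        // 4. Bulk data uses the fast symmetric cipher; GCM also protects integrity
        e.iv = new byte[12];
        new SecureRandom().nextBytes(e.iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, e.iv));
        e.ciphertext = aes.doFinal(plaintext);
        return e;
    }

    static byte[] receive(Envelope e, PrivateKey recipientPrivate, PublicKey senderPublic)
            throws Exception {
        // Verify the origin of the session key before using the private key on it
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(senderPublic);
        verifier.update(e.wrappedKey);
        if (!verifier.verify(e.signature)) {
            throw new SecurityException("session key was not signed by the expected sender");
        }
        Cipher unwrap = Cipher.getInstance(WRAP);
        unwrap.init(Cipher.DECRYPT_MODE, recipientPrivate);
        SecretKey session = new SecretKeySpec(unwrap.doFinal(e.wrappedKey), "AES");

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, e.iv));
        return aes.doFinal(e.ciphertext); // throws AEADBadTagException if the data was altered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();
        KeyPair recipient = kpg.generateKeyPair();

        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Envelope env = send(message, recipient.getPublic(), sender.getPrivate());
        byte[] out = receive(env, recipient.getPrivate(), sender.getPublic());
        System.out.println("decrypted: " + new String(out, StandardCharsets.UTF_8));

        // A session key substituted or altered in transit fails the signature check
        env.wrappedKey[0] ^= 0x01;
        try {
            receive(env, recipient.getPrivate(), sender.getPublic());
            System.out.println("tampered envelope accepted");
        } catch (SecurityException ex) {
            System.out.println("tampered envelope rejected: " + ex.getMessage());
        }
    }
}
```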
139
Secure Socket Layer (SSL)
• Uses four-way handshake to build up trust between parties using public key encryption and certificates
• Process ends up with the two parties negotiating a cipher suite and exchanging a set of session keys used for bulk encryption and data integrity
• Two modes:
    • Mutual authentication: caller and server exchange certificates to establish each other’s identity
    • Server authentication: server sends a certificate to the caller to reveal its own identity
140
Enabling SSL for a Web Server
• Port 443 reserved for HTTP over SSL (HTTPS requests)
• Server must install a certificate (Verisign or other CA)
• Server configuration details are vendor specific
• Client code needs to load a security provider that does SSL and must set a system property (example below uses Sun-supplied security provider):
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs",
                           "com.sun.net.ssl.internal.www.protocol");
• Example: Tomcat 4 beta 1 server (servlet 2.3 reference implementation)
    • Download/install JSSE 1.0.2 or later, and put JAR files in $JAVA_HOME/jre/lib/ext
    • Edit $JAVA_HOME/jre/lib/security/java.security, and add security.provider.2=com.sun.net.ssl.internal.ssl.Provider
    • Execute keytool -genkey -alias tomcat -keyalg RSA with a password value of “changeit”
    • Uncomment SSL HTTP/1.1 Connector (to run on port 8443 by default) in $CATALINA_HOME/conf/server.xml
141
J2EE Security Mechanisms (to be continued)
• HTTP authentication and SSL in servlet/JSP architecture
• Integrity/privacy constraints for servlets
• Programmatic security
• etc.
142
Servlet Authentication
• Declarative security rules specified in Web application deployment descriptor (web.xml)
• Servlet container concerns:
    • Does the communication between caller/server require encryption or integrity?
    • Are there authorization constraints for resources?
    • Are there particular authentication requirements?
• Servlet only authenticates if a secure resource is being accessed while application-wide authentication is required and the container cannot figure out who is making the call
143
Application-Wide Security Constraints
Following descriptor will prompt container authentication in response to HTTP GET http://someServer/secureApp/sales/salestargets:
    <web-app>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SalesStuff</web-resource-name>
          <url-pattern>/sales/*</url-pattern>
          <http-method>GET</http-method>
        </web-resource-collection>
      </security-constraint>
    </web-app>
144
Application-Wide <login-config>
Following descriptor forces caller to authenticate using basic scheme:
    <web-app>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>homer</realm-name>
      </login-config>
    </web-app>
DIGEST and client-side certificate authentication are also supported
145
FORM-Based Authentication
• <auth-method> can be set to FORM to allow the Web application to define its own login pages
• You would need to define a <form-login-config> with <form-login-page> and <form-error-page>
• You must use FORM actions as defined in the servlet specification
    • j_security_check, j_username, and j_password
    • POST as the FORM method
• Upon detection of j_security_check, the container uses internal mechanism to authenticate the caller, and uses a session ID maintained via a cookie
146
FORM-Based Authentication (inherent limitations)
• Same limitations as basic authentication
• Not secure by default
    • No strong authentication
    • Password passed in the clear
• Can force the form-based login interaction to take place over a secure channel by specifying a transport guarantee for the secured resource
• Once the caller has been authenticated (by any scheme supported), the caller’s identity is propagated whenever a downstream servlet or JSP page is called
147
Servlet Integrity/Privacy
• Guarantee level of integrity/privacy for data passed between caller and server:
    • Use CONFIDENTIAL <transport-guarantee> (user constraint)
        • Can tell who the call came from and check the data integrity
        • Can ensure data privacy (only intended recipient can see data)
    • Other possible settings
        • INTEGRAL (data integrity but no data privacy)
        • NONE (no data integrity/privacy)
• INTEGRAL and CONFIDENTIAL imply SSL (caller uses HTTPS)
148
Securing Web Resources via User Roles (applicable to servlets, JSPs, and other static content)
• Container allows or disallows access based on the type of caller
• Deployment descriptor is used to define roles for a given Web application
    <web-app>
      <security-role>
        <role-name>Sales</role-name>
      </security-role>
      <security-role>
        <role-name>Managers</role-name>
      </security-role>
    </web-app>
• Access to resource granted if no authentication scheme is in place, the Web collection has no role-based security constraint, or the caller is in at least one role allowed access
149
Securing Web Resources via User Roles (allowing resource access)
Example:
    <web-app>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SalesStuff</web-resource-name>
          <url-pattern>/sales/*</url-pattern>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Sales</role-name>
          <role-name>Managers</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
150
JBoss.org JBoss 2.4.4-2.4.10 (security)
• EJB 1.1 security model and custom security via security proxy layer
• EJB 1.1 declarative security via JAAS LoginModules and Subjects
    • Business methods do not contain any security related logic
    <method-permission>
      <role-name>employee</role-name>
      <method>
        <ejb-name>EmployeeService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
• EJB 1.1 custom security API
    • java.security.Principal getCallerPrincipal()
    • boolean isCallerInRole(java.lang.String roleName)
151
JBoss.org JBoss 2.4.4-2.4.10 (standard ejb-jar.xml security elements)
152
Securing Web Resources via User Roles (advantages)
• Java has no real notion of “identity” of the executing code
• All security checks are based on where the code came from
• Servlet container loads all servlet/JSP-related code
    • Origin of code in that case is tightly managed
• Could replace Java security manager by one that checks system and server resource access based on whose behalf the code is executing
• Role-based access technique is easier
    • Servlet/JSP never gets to run if access is denied
    • No need to delay checks until the code attempts to acquire resources programmatically, as that makes security administration more difficult, coding harder, and executes unnecessary code
153
Programmatic Security
• Role-based security limitations
    • Keeps access control configuration separate from servlet/JSP code
    • Programmers don’t need to write security-related code
    • Static and inflexible approach
    • Not possible to defer access check until run time or to dynamically reassign role membership at run time
• More flexible approach
    • Define <security-role-ref> for each servlet in the application that uses role-based security, and call isUserInRole()
    • In the absence of <security-role-ref>, the container defaults to checking against the list of <security-role> elements
154
Programmatic Security (other features)
• Servlet can find out whether a request was made over a secure channel:
    • ServletRequest.isSecure()
• Servlet can gain access to characteristics of the secure channel:
    • ServletRequest.getAttribute()
    • e.g., javax.servlet.request.cipher_suite, javax.servlet.request.key_size, javax.servlet.request.X509Certificate
• Similar declarative/programmatic security applies to EJBs
• Alternative is Java 2 security APIs and JSSE
    • Authentication, integrity, privacy
    • Key and certificate management and manipulation
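The programmatic checks from the two slides above combined in one servlet, as an added example that is not code from the slides. It compiles against the javax.servlet API and runs inside a servlet container; the servlet name, the "region" request parameter, the rule that only Managers may request all regions, and the 128-bit minimum key size are assumptions, while the Sales and Managers roles are the ones declared in the descriptors above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped under /sales/* in the deployment descriptor
public class SalesTargetServlet extends HttpServlet {
    private static final int MIN_KEY_BITS = 128; // assumed local policy

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Channel check: refuse anything that did not arrive over SSL
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // 2. Channel characteristics exposed by the container as request attributes
        String suite = (String) req.getAttribute("javax.servlet.request.cipher_suite");
        Integer keySize = (Integer) req.getAttribute("javax.servlet.request.key_size");
        if (keySize == null || keySize.intValue() < MIN_KEY_BITS) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "cipher strength too low");
            return;
        }

        // 3. Run-time role decision that a static <auth-constraint> cannot express:
        //    any Sales or Managers caller may read one region, only Managers may read all.
        String region = req.getParameter("region");
        boolean allRegions = (region == null || "all".equals(region));
        boolean manager = req.isUserInRole("Managers");
        boolean sales = req.isUserInRole("Sales");
        if ((allRegions && !manager) || (!manager && !sales)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "role not permitted");
            return;
        }

        // 4. Present only with client-certificate (mutual) authentication; null otherwise
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("caller       : " + req.getRemoteUser());
        out.println("cipher suite : " + suite + " (" + keySize + " bits)");
        out.println("client cert  : "
                + (chain != null && chain.length > 0 ? chain[0].getSubjectDN().getName() : "none"));
        out.println("scope        : " + (allRegions ? "all regions" : "single region"));
    }
}
```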
155
Part VII
Structured Application Design Tips
156
Structured Applications Design Tips
• Reuse: should focus on Domain Models/System Family Architectures
• Applications should separate the various information elements (i.e., content, logic, style, and architecture/handling schemes)
• Various content formats: presentation, message, storage, etc.
• Application architecture supports:
    • Web Enabling (WE), XML Enabling (XE), Data Enabling (DE), Enterprise System Assurance Enabling (ESAE)
• Various application support services to support:
    • Interactions with users via content (content + logic) - WE
    • Encoding of user requests as secure (portable) messages (content generation) - XE/ESAE
    • Processing of user requests via logic (content + logic) - XE
    • Rendering of content via logic using style (content + style + logic) - WE/XE
    • Querying information via logic (content + logic) - XE/DE
    • Interactions with back office via content (content + logic) - XE/ESAE
157
Generic Architecture Blueprint + Architecture Design Methodology + Mgmt
[Figure: generic architecture blueprint. Layers: XML Applications (logic); XML Application Services (logic); XML Application Infrastructure (logic); Applications of XML (structured content/object data, style information); Technology Infrastructure (hardware platforms). Views: Logical, Implementation, Process, Deployment, Use Case.]
158
Sample Conceptual Architecture Diagram (e.g., virtual classroom environment)
[Figure: conceptual architecture diagram. Legend layers: XML Application (logic); XML Application Services (logic); XML Application Infrastructure (logic); Applications of XML (content/style); Technology Infrastructure (OS and hardware). Elements shown include Presentation Enabling, Q&A Enabling, SMIL, XLF, JSP Engine / SMIL Viewer, XML POP Framework, Web Community Avatar-Based Chat Platform, and Web-Based Infrastructure.]
159
Investigating Logging Infrastructure (e.g., virtual classroom environment)
160
Refined Application Architecture Blueprint (e.g., virtual classroom environment)
[Figure: refined blueprint. Column headings: Users, User Interfaces, Connectivity, e-Business Portal, e-Business Services, Data Repositories, Legacy Systems.]
161
Mapping Application to App. Infrastructure
[Figure: mapping diagram. Panels: Business Constraints; Application Model (Content Model, Web Interface, Data Model); Logical Application Model (Core Components, Services, Common Facilities, Domain Specific Client API); Technology Infrastructure Model.]
162
Sample Logical Architecture Diagram (e.g., virtual classroom environment)
[Figure: logical architecture diagram. Column headings: Business Functions, Users, Connectivity, e-Business Portal, e-Business Services, Integrated Data Architecture Layer, Legacy Systems. Legend: In scope / Out of scope.]
163
Sample Logical Architecture Diagram (e.g., virtual classroom environment)
[Figure: deployment-level diagram showing client and facilitator interfaces, firewalls, routers, load balancers, intrusion detection, Web server with servlet and JSP engines, application server, database server, security & entitlements server, and admin/reporting server.]
164
Structured Applications Design Tips
• Reuse: should focus on Domain Models/System Family Architectures
• Applications should separate the various information elements (i.e., content, logic, style, and architecture/handling schemes)
• Various content formats: presentation, message, storage, etc.
• Application architecture supports:
  • Web Enabling (WE), XML Enabling (XE), Data Enabling (DE), Enterprise System Assurance Enabling (ESAE)
• Various application support services to support:
  • Interactions with users via content (content + logic) - WE
  • Encoding of user requests as secure (portable) messages (content generation) - XE/ESAE
  • Processing of user requests via logic (content + logic) - XE
  • Rendering of content via logic using style (content + style + logic) - WE/XE
  • Querying information via logic (content + logic) - XE/DE
  • Interactions with back office via content (content + logic) - XE/ESAE
165
Part VIII
Conclusion
166
Summary
• J2EE component-based development environments are an evolution of distributed computing platforms based on RMI and RMI-IIOP
• J2EE provides a platform specification, a reference implementation, a compatibility test suite, and a reusable component development and deployment model
• The EJB specification describes the J2EE reusable server component model
• J2EE architectures automate the integration of OMA services in Java enterprise applications, provide web-enabling and secure-messaging facilities, and enterprise assurance features
167
Readings
• Readings
  • Building J2EE Applications with IBM WebSphere: Chapters 1-8, 16, 18
  • Microsoft .Net Distributed Applications: Sections on COM+ Services
  • Handouts posted on the course web site
• Explore J2EE environments
• Read related white papers/documentation on the J2EE environments
168
Project Frameworks
• Project Frameworks Setup (ongoing)
  • Apache Web Server (version 1.3.28/2.0.47, www.apache.org)
  • Perl (version 5.8.0, www.perl.com)
  • Microsoft IIS with COM+/.Net and ASP
  • Sun One Active Server Pages 4.0: http://wwws.sun.com/software/chilisoft/index.html
  • Apache Tomcat
  • Macromedia JRun4
  • Apache Cocoon 2/XSP
  • Visibroker, Orbacus
  • RMI-IIOP
169
Assignment
• Assignment:
  • Explore the textbooks’ references to Application Server technology (continued)
  • #5a: Investigate J2EE development environments. Write a short report that documents your findings and recommendations with respect to selection criteria in support of development environments for application server technologies covered in this session
  • #5b: See homework #5 specification (due date is 11/05/03)
170
Next Session: J2EE Component-Based Computing Environments (Part II)
• WebLogic
• WebSphere
• Open Source J2EE Environments
  • JBoss, (Enhydra), (OpenEJB), etc.