Friday, May 9, 2008

JavaOne - Day Five

What's New in Ajax - Ben Galbraith, Dion Almaer

New frameworks, plug-ins and UI toolkits. The browser can become a bottleneck (JavaScript runs on a single thread), but it can be made effectively multi-threaded using Google Gears, which communicates with the browser by message passing.

Cloud computing services (Amazon EC2, Google App Engine, Aptana Cloud) take care of the hosting infrastructure, freeing developers to focus on their applications.

  • Prototype - Lightweight Ajax/JavaScript helpers

  • GWT - hate JavaScript? Use Java

  • jQuery - new DOM-centric JavaScript helper (start with a page and add to it)

  • dojo - soup-to-nuts Ajax/JavaScript platform


LinkedIn Communication Architecture - Ruslan Belkin, Sean Dawson

100% Java, with Spring as the glue for the entire architecture. Parallel collection using java.util.concurrent to improve performance; asynchronous communication with JMS.

Enterprise Undo - Andrew Dinn, Jonathan Halliday

JTA and EJB 3.0 annotation-based ACID transaction management are insufficient for extended transactions.

Use Business Activity Framework.

e.g. the compensating action is declared as annotation metadata on the forward action:

@BACompensatedBy("cancelHotelRoom")
public int bookHotelRoom(int roomNumber)

public boolean cancelHotelRoom(int reservationNumber)

Detecting and Defending Against Security Vulnerabilities for Web 2.0 - Ray Lai

Use tools to detect vulnerabilities. No single tool will catch everything, so you need to use them all.

Use defensive coding and testing tools.

Addressing Tomorrow's Security Requirements in Enterprise Applications - Ben Alex

  • Simple web application security

  • Single Sign On and Federated Identity

  • Method authorization


Use Spring Security 2

Tips

  • Use a proven security framework; don't roll your own

  • Start simply, and add complexity incrementally

  • Consider user registration requirements

  • Plan for federated identity, particularly involving OpenID

  • For in-house applications, consider NTLM and CAS

  • Employ Captcha techniques to mitigate DoS attacks

  • Favor method authorization over web authorization

  • Annotations-based authorization metadata is quick and easy

  • Very carefully consider any domain object instance security

  • Prefer Basic authentication for RESTful, HTTPS interactions

  • Leverage WSS for transport-independent SOAP
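As an added example (not code from the talk or from the Spring Security project), the hotel-booking service sketched earlier on this page with method authorization declared as annotation metadata, plus the explicit per-instance ownership check that the annotation alone cannot express. It assumes Spring Security 2.0 package names, a hypothetical service and Reservation type, the role name ROLE_USER, and that the service is a Spring bean in a context where `<global-method-security secured-annotations="enabled"/>` has been declared.

```java
// Added example; assumes Spring Security 2.0 package layout. Service, role name
// and Reservation type are hypothetical, not from the talk or the framework.
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.Authentication;
import org.springframework.security.annotation.Secured;
import org.springframework.security.context.SecurityContextHolder;

public class HotelReservationService {

    // Hypothetical domain object: who made the reservation and for which room.
    public static class Reservation {
        final String owner;
        final int roomNumber;
        Reservation(String owner, int roomNumber) { this.owner = owner; this.roomNumber = roomNumber; }
    }

    private final Map<Integer, Reservation> reservations = new HashMap<Integer, Reservation>();
    private int nextId = 1;

    // Coarse-grained rule as annotation metadata: any authenticated user may book.
    // The method-security interceptor rejects callers lacking ROLE_USER before the body runs.
    @Secured("ROLE_USER")
    public synchronized int bookHotelRoom(int roomNumber) {
        int id = nextId++;
        reservations.put(id, new Reservation(currentUser(), roomNumber));
        return id;
    }

    // Domain object instance security: the annotation can only say "some ROLE_USER",
    // not "the owner of this reservation", so that check is written explicitly in code.
    @Secured("ROLE_USER")
    public synchronized boolean cancelHotelRoom(int reservationNumber) {
        Reservation r = reservations.get(reservationNumber);
        if (r == null) return false;   // unknown id: nothing to cancel
        if (!r.owner.equals(currentUser())) {
            throw new AccessDeniedException("not the owner of reservation " + reservationNumber);
        }
        reservations.remove(reservationNumber);
        return true;
    }

    // Principal of the caller, as established by the web or Basic-auth filter chain.
    private static String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth.getName();
    }
}
```

Because the authorization lives on the service methods rather than on URL patterns, the same rules hold whether the service is reached from a web page, a RESTful endpoint or a SOAP binding.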
