JavaOne, DayThree
Originally posted 2005-06-30 08:57:37
I awoke this morning chilled. I finally discovered that my window was ajar–no wonder the street sounds penetrate so fully. I’d never thought to check that–only a moron would open a window in Jacksonville, Florida. Opening a window lets out the bought air and lets in the mosquitos. I think I’ll close it tonight–maybe I’ll be able to sleep past 4:30.
Not having any JavaOne experience to draw from, I never realized how impressive a show Sun puts on. The facilities are excellent. The signs everywhere are beautiful, and look as if they’re permanent fixtures in the Moscone Center. Java logos festoon every view. The wireless network works pretty well, though it had some problems yesterday. Sun Ray stations sprawl throughout, and anyone with a badge can insert his (or her, but mostly his) card to surf the web, check email, etc. Large movie screens show movies throughout the day. Clusters of theme-colored beanbags offer rest for tired feet, though I don’t think I could cozy up to a public beanbag. A massage station rehabilitates aching backs. I’ve already blogged about the amazing screens used in the general sessions. These folks can put on a show. One idea for improvement: electrical outlet trees so we laptop users can recharge during the day.
I’ve been surprised at the number of presentation laptops running Windows. It seems that almost every presenter uses a Dell running Windows XP. Sure, they use gvim (or NetBeans or Eclipse) to show code, and Firefox to show browser results, but they’ve opened their kimonos to their detriment, don’t you think? I thought I’d see all *nix-based machines (Solaris, Linux, Mac OS X). I feel somewhat betrayed–I thought they’d all be ubergeeks!
We got a hot breakfast at Mel’s Diner (Alice was nowhere in sight), and headed for the general session, presented by Nokia, on wireless devices. I have no interest in the wireless game, so I caught up on email (though I did pay enough attention to the presentation to know to send a text-message vote for something silly, hoping to win an N-Gage. I didn’t).
The two Diet Cokes I drank at breakfast started shrieking, so I slunk out of the Nokia presentation and stilled the screams. Then, like an alcoholic that can’t say no, I slipped into the bookstore and bought three more books:
They gave me a free hat for buying Sun books. Regift.
“Nine Ways to Hack a Web Application” attracted scores of users, including me. So many, in fact, that the session spilled into an overflow room. No big deal, I thought, as I filed into the overflow room. Boy, was I wrong. We in the overflow got to watch a blurry presentation and listen to a fuzzy soundtrack that sometimes evaporated altogether. Despite the difficulties, however, the presentation offered valuable information. It covered OWASP’s Top Ten Security Vulnerabilities with suggestions for countermeasures:
- Unvalidated input — remember that an attacker can change any part of the HTTP request before submission, so trust nothing.
- Broken access control — don’t build your own authentication, but use your container’s.
- Broken account/session management — encrypt user ID in cookie.
- Cross-site scripting — never display what’s posted, and do whitelist (rather than blacklist) filtering.
- Buffer Overflows — this is why the session’s titled “Nine Ways . . . .” You can ignore this with Java.
- Injection flaws — use PreparedStatements, avoid Runtime.exec().
- Improper error handling — Don’t give the user too much information (e.g. stack traces), as it doesn’t help the user, but DOES help the attacker.
- Insecure storage — store only what’s necessary, store hashes where possible, use only vetted, public cryptographic algorithms.
- Denial of service — do load testing to make sure your app performs well.
- Insecure configuration management — use hardening guides, turn off unused services.
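Three of those countermeasures side by side, as an added example that is not from the talk or this post: whitelist validation of a request parameter (the “trust nothing” point), HTML escaping before echoing it back (the cross-site scripting point), and a PreparedStatement in place of string concatenation (the injection point). The username character policy, the `users` table with `id` and `name` columns, and the JDBC `Connection` (which must come from a real driver, e.g. an in-memory database) are assumptions made for the illustration; the `main` method exercises only the parts that need no database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class OwaspCountermeasures {

    // Whitelist (assumed policy for this example): only what a username may
    // contain. Anything else is rejected outright rather than "cleaned up",
    // which is the blacklist approach the talk warned against.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    // Output encoding for an HTML body context, so whatever was posted is
    // displayed as text and can never become markup or script.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // VULNERABLE: the request parameter is spliced into the SQL text, so a
    // quote character in it rewrites the statement the database sees.
    public static String buildUnsafeQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    // FIXED: the SQL text is fixed at compile time and the parameter travels
    // separately, so no input can change the statement's structure. The
    // whitelist check is kept as a second layer, not as the only one.
    public static Integer findUserId(Connection conn, String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username failed whitelist");
        }
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name, a classic SQL injection
        // payload, and a script tag that would fire if echoed unescaped.
        String[] inputs = { "alice", "' OR '1'='1", "<script>alert(1)</script>" };
        for (String in : inputs) {
            System.out.println("input          : " + in);
            System.out.println("  whitelist ok : " + isValidUsername(in));
            System.out.println("  html-escaped : " + escapeHtml(in));
            System.out.println("  unsafe SQL   : " + buildUnsafeQuery(in));
        }
    }
}
```

Running `main` shows the injection payload turning the unsafe query into `... WHERE name = '' OR '1'='1'`, which matches every row; the same payload fails the whitelist before `findUserId` ever touches the database, and even if the whitelist were loosened, the `?` placeholder keeps it a literal string.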
The Hibernate 3.0 session overflowed its room, then overflowed its overflow, so I moseyed over to the author-signing booth and met Rob Harrop, author of Pro Spring. He was kvetching to Steve Anglin that he was signing a book that had already sold out. Poor guy.
After lunch, we wandered the pavilion floor, skipped the wheel, and then headed to more sessions.
“Tapestry in Action” moved far too fast (the presenter was summing up 35 minutes into his 60 minute presentation), but certainly gave a flavor of the Tapestry framework. It claims to break from the “web” mentality, returning to an OO/componentized mindset. It’s not Struts++, a la JavaServer Faces or Shale. Each slide seemed to have the jwcid (Java Web Component ID) magic attribute everywhere. It looks solid, but the author and presenter, Howard Lewis Ship, confessed that non-web Java developers have an easier time picking it up, that web developers have to unlearn some things about HTTP requests and URLs and query strings first before they can wrap their minds around Tapestry.
JavaServer Faces and Spring seem to hold most of the buzz in the Java web space right now, so I went to the session called “JSF and Spring: Superfluity or Synergy,” or some permutation of that. Rod Johnson, creator of Spring, talked most of the time. I’d try to maintain suspense about how the presentation answered the question it posed, but they wouldn’t have formulated a presentation on the subject if the answer had been superfluity. In sum, JSF aims to do one thing well, while Spring tries to apply a level of consistency across the entire application. If you desire, you can simply plug JSF into your Spring application instead of Spring MVC. In fact, you shouldn’t feel any guilt doing so–the Spring people encourage that you plug in other technologies into their framework as you see fit.
In the Web Smackdown (the next session I went to), representatives from five web frameworks gave a brief overview of their respective frameworks, then answered questions from the audience. The frameworks:
- JavaServer Faces
- WebWork
- Struts-Shale
- Tapestry
- Wicket
“Hey, Rob!” you’re thinking. “You left out Spring MVC and Spring WebFlow!” Actually, I didn’t leave them out. The presenters did. Glaringly. Maybe Rod Johnson was talked out after giving two presentations, but you’d think they’d have found someone to step up. The smackdown had an incomplete feel, without Spring’s comments.
Someone from Sun moderated the discussion, ringing a bell anytime he sensed an attack. The representative for WebWork seemed defensive, but in all no framework rose above the others. They all work well, they all have their warts. Pick one. Run with it. Get involved. Submit patches. Help out.
I then bought another book–Rod Johnson’s J2EE Development without EJB. I really hope my wife isn’t reading this. I also really hope I can fit everything into my suitcase for the trip home.
For dinner, we walked down Stockton, through the Stockton tunnel, into Chinatown, and we ate at Yuat Lee. I had the squid, and Herve had the Kung Pao Prawns. Good food.
We hit the After Dark Bash long enough to get free ice cream, then skipped out on Dennis Miller to hit some Birds-of-a-Feather sessions. We’re either dedicated or gooberish. I went to a session called “The Developer’s Toolbox,” which talked about the java.net web site and community, and then presented a few nice-to-have development tools:
- Which4j (http://which4j.dev.java.net) — finds classes in the classpath
- Parse-dot-classpath (http://parse-dot-classpath.dev.java.net) — runs an Eclipse project without opening Eclipse
- JavaDoc Online (http://www.javadoconline.com) — finds javadoc online, has an Eclipse plugin
- Whirlycache (http://whirlycache.dev.java.net) — configurable in-memory object cache
- Hudson (http://hudson.dev.java.net) — similar to CruiseControl, but easier to configure
- SquirrelSQL (http://squirrel-sql.dev.java.net) — SQL editor
- HAT (http://hat.dev.java.net) — analyzes a heap dump file
- Resource Bundle Editor (http://resourcebundleeditor.dev.java.net) — Edits resource bundles
- TCPMON (http://tcpmon.dev.java.net) — monitor TCP traffic
- Ashkelon (http://ashkelon.sourceforge.net) — improved Javadoc browser
- Abeille Forms Designer (http://abielle.dev.java.net) — Swing GUI builder
- Napkin Look & Feel (http://napkinlaf.sourceforge.net) — Napkin-like l&f for Swing
Note to presenters: Henry Sugar might have been able to read a card from its back in four seconds, but I need a little more time to read a slide, especially when it contains code. Though not all presenters flipped through their slide decks too fast, many did. I don’t know how much was nervousness, how much was poor planning, or how much was ambition, but slowing down would have been helpful.
Determined to understand the crowing about Apt, I went to the session called “Annotations and Code Automation.” Flip-flip-flip went the slides. Here’s what I caught:
Benefits
- Generated code is expert’s code
- Generated code is consistent
- Generated code is not versioned (I didn’t understand this benefit)
- You get enhanced productivity
How to build your own annotation
- Define an annotation type
- Create an Annotation Processor
- Create an Annotation Processor Factory
- Create a file with a certain name (didn’t catch it) in META-INF/services that contains your factories
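The four steps above carried through in one file, as an added example that is not from the session or this post. One caveat up front: the apt tool’s own API (`com.sun.mirror.apt`, with its AnnotationProcessorFactory) was deprecated in Java 7 and removed in JDK 8, so this uses the `javax.annotation.processing` API that replaced it in Java 6. There the factory step disappears; the processor itself is registered. The `@Secret` annotation and its rule (a field holding a secret must be private and non-static) are invented here to give the processor something security-relevant to enforce; they are not part of any library.

```java
package demo;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.annotation.processing.AbstractProcessor;
import javax.annotation.processing.RoundEnvironment;
import javax.annotation.processing.SupportedAnnotationTypes;
import javax.lang.model.SourceVersion;
import javax.lang.model.element.Element;
import javax.lang.model.element.Modifier;
import javax.lang.model.element.TypeElement;
import javax.tools.Diagnostic;

// Step 1: define the annotation type. SOURCE retention means the compiler
// sees it but the class file never carries it, so nothing about which fields
// hold secrets leaks into the deployed artifact.
@Retention(RetentionPolicy.SOURCE)
@Target(ElementType.FIELD)
@interface Secret {}

// Step 2: the processor. Hypothetical rule for this example: a @Secret field
// must be private (no other class can read it) and must not be static (it is
// not shared by every instance in the JVM).
@SupportedAnnotationTypes("demo.Secret")
public class SecretProcessor extends AbstractProcessor {

    @Override
    public SourceVersion getSupportedSourceVersion() {
        return SourceVersion.latestSupported();
    }

    @Override
    public boolean process(Set<? extends TypeElement> annotations, RoundEnvironment roundEnv) {
        for (Element field : roundEnv.getElementsAnnotatedWith(Secret.class)) {
            Set<Modifier> mods = field.getModifiers();
            if (!mods.contains(Modifier.PRIVATE)) {
                error(field, "@Secret field must be private");
            }
            if (mods.contains(Modifier.STATIC)) {
                error(field, "@Secret field must not be static");
            }
        }
        return true; // this processor owns @Secret; no later processor needs it
    }

    // A Kind.ERROR diagnostic fails the build. That is the point of doing the
    // check in the compiler: it runs on every compile, not only when someone
    // remembers to look during review.
    private void error(Element where, String msg) {
        processingEnv.getMessager().printMessage(Diagnostic.Kind.ERROR, msg, where);
    }
}

// Step 3 (the factory) does not exist in this API.
// Step 4: register the processor so javac finds it on the processor path by
// creating META-INF/services/javax.annotation.processing.Processor containing
// the single line:  demo.SecretProcessor
```

To try it without the services file, compile the processor (`javac -d out demo/SecretProcessor.java`) and then compile a constructed test class with `javac -processorpath out -processor demo.SecretProcessor Account.java`. A class declaring `@Secret public String apiKey;` fails the build with the “must be private” message pointing at that field; change it to `@Secret private String apiKey;` and the same command succeeds.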
I guess what I’m still missing is not the how, it’s the why. How do you determine whether to solve a specific problem you face with annotations? The mechanism for using annotations seems simple. I’d hate, though, to push in annotations just because it’s the latest thing, shoehorning it into the process because I can, not because it’s the best solution. I’m going to another session on day four–I have high hopes.
The last round of sessions for the day (the 10:30 – 11:20 round) held nothing worth staying awake for, at least for us, so we retired for the night.