Tuesday, June 16, 2009

WS-SecurityPolicy Examples

Normally I wouldn't want to write and say that an OASIS spec makes an interesting read; but WS-SecurityPolicy Examples is interesting in that is annotates both common policy files and example messages. Could do with a little bit more fleshing out in the SAML section.

Monday, June 15, 2009

Jersey and OAuth documentation

Quick follow up from JavaOne, there is now some documentation on using Jersery with OAuth.

Friday, June 12, 2009

JavaOne 2009, day three

The keynote on the thursday morning was from Microsoft, some of it was fairly content free but the interoperability stuff was interesting. There have a special lab that work on interoperability that works with a range of technologies. It is refreshing to see the amount of work that has gone into this after years of apparently making things harder than necessary for developers. Probably it is just a matter of the software development world growing up and will hopefully be the trend for the future.

From the web services point of view the most interesting presentation of the day was concerning the Stonehenge project hosted on Apache. This looked at a modularized business application where component from either .NET or JEE can be swapped in and out at will. Interesting example of how WS-* standard are maturing and the good work Sun and MS have done in this area.

There were two numbers that were of interest in this presentation. The first is 73% which is the number of developer who use .NET as part of there day to day work. (Pretty sure this must include anybody who uses IE for example; but it was made clear) The second is 41, the poor chap from Microsoft unfortunately got the meaning to life the universe any everything quite wrong. :-)

TS-4402 Metro Web Services Security Usage Scenarios

Conveniently in the same room as I as presenting in Harold Carr who is the lead for all things web services in Sun. He had some really nice slides explain the details of WS-Security in various combination which are well worth a look. Netbeans was used to show the basic security profiles, looks like it makes it much easier to get started and pick a relevant technology combination. There is a lot we can learn from how Netbeans deals with security.

TS-4993 Dealing with Asynchrony n Java Technology Based Web Services

This appeared to go over okay, really quite happy with the numbers. (We think around 300-400 which was good given the overall numbers from last year). I guess time and review forms will tell if the crowd liked it. Had Lucas Jellema in the front row taking pictures now and then which made the occasion just that little bit more relaxed.

Got a good question about Async and REST, gave me a lot to ponder as I got lost on the way back from my afternoon meetings.

Lunch / afternoon meeting / after dark

Had a nice lunch with Manoj my co presenter, Lucas and Wouter who works with Lucas. Then I had a meeting with the weblogic web service team who happen to work in down town SF so I got to go topside for a few hours.

It was nice to put some faces to people, hey Thorick say hi to everybody for me, and then have a very civilized afternoon tea with bone china cups and cucumber sandwiches that is a tradition in that office. (Feels like home) I did then make a tactical mistake on the walk back to my hotel; glad I 'discovered' Broad Street in the sun rather than at night.

By the time I had managed to get back to the hotel, I had just enough time to pick up a nice big glass of wine at the after dark bash along with some food before my planned evening sessions. I would have enjoyed the after dark party better if it had been outside; but apparently there was as chance of rain..... oh well. Also it would be nice if the party continued until an hour *after* the presentation finished to give more time for socializing... oh well.

BOF-4903 A RESTful approach to Identity-Based Web Services

Didn't really get a lot from this, it might have been just the long walk; but I didn't really jell with what the presenters were saying. Some mention of ID-WSF was made.

BOF-5376 Building Consistent RESTful APIs in a High Performance Environment

This was a really interesting presentation from the developers behind the LinkedIn RESTful API. They have to scale so they have been thinking a lot about how things fit together. They described the tension between Variety, the ability to get just what you want, and Uniformity which is different APIs return a consistent model.

In order to ensure Uniformity they talked about the importance of a consistent data model. A old concept but something that people seem to have forgotten in the rush to REST. To deal with the Variety issue that made an interesting use of matrix URIs to allow clients to only get the information back they want:

Basic data model is:

/people
  /id
  /name
  /email
  /photo
  /best-friend
  /friends (People[])
  /jobs (Jobs[])
/companies

Return the basic record for user 123, probably too much information for most cases

.../people/123

Return just the name and photo for user 123

.../people/123:(name,photo)

Return the friends for user 123 with there names and the names and pictures of there best friends

.../people/123/friends:(name,photo,best-friends:(name,photo))

Return the friends for user 123 with there sorted by name

.../people/123/friends;sort=name:(name,photo)


The cool thing about these is that they appear in the HTTP log so it is easy to see which is getting hit the most and optimize for that case. In one case study they reduced traffic to a partner by 28% which I guess all adds up. I guess you need be more relaxed about how your schemas are designed if using XML. Less of a problem if you are using JSON. I wonder how hard this would be to do in Jersey.....

Roy Fielding's Untangled blog

Came up a few times at JavaOne, makes an interesting read.

Thursday, June 11, 2009

JavaOne 2009, day two

So day two started with a general mobility technical session which I am afraid I didn't stick around for very long in. It did appear to introduce a new word "Trendencies"; but still nothing being demoed really caught my eye. JavaFX for mobile is interesting I guess; but still iPhone appears to have a better experience. (Not that I actually own one of the beasties.)

Back to the speakers lounge then for presentation prep and catching up on emails.... until the real fun of the day begins.

TS-4641 State: You're doing it Wrong - Alternative Concurrency Paradigms on the JVM

I have to say that in general I was really impressed with this presentation although I was slightly disappointed that all of the examples given were in languages such as Clojure and Scala. He did make some convincing arguments though at in some particular cases you can on deal with this problem with language support and that with the VM you can ring fence that code.

The basic problem is that in order to deal with multi-core processors you need some way of dealing with shared state There are some helper classes in the VM with the addition of locks and queue; but that the basic model of synchronization is hard to use and maintain. Most people make mistakes at one time or another.

He first covered share transactional memory using Clojure, (more on Clojure state managment here.). Showed some pretty powerful examples, I would recommend you download the presentation when posted on the JavaOne site in a few weeks. It was one of those dense presentations where if you took notes you missed something important or interesting.

Then we went onto the Actor model. which is better for co-ordination applications. The examples where in Scala; but the classic implementation of this is in Erlang. Interesting case study of Ericson using this model to achieve 31ms of down time a year in there ATM switches.

The final topic covered was Data Flow Concurrency using either Oz or a library knocked together library based on Scala that the presenter has put together. The intriguing thing about this model is that the model is deterministic. It will either always deadlock or never deadlock, which makes testing so much easier.

Again very dense; but the slides were very detailed so well worth reading when they become available.

TS 5154 XTP: Patterns for Scalng the SOA, WOA and REST Predictably with Java Technology-Based Data Grid

Now this was actually by an oracle bod; but sometimes the easiest way to see these presentations live is at conferences. This was concerned with dealing with cases where you need to deal with high loads, XTP == eXtreme Transaction Processing.

Now in SOA you tend to end up passing a particular document through various steps via technologies such as ESB. Each hope can be expensive and XML is moved and serialized. You can't throw more hardware at this problem and at some point you need to changes how things are put together.

The suggestion is to use the Application Grid to store the information passed into the system and then pass a key into this share memory store around. You can also rely on asynchronous writes to the SQL database from the grid which means that you are never blocked in this way.

One other interesting use case is that use of caching in a data grid as described in the presentation can save a lot by reducing load on Mainframes. Maintenance contracts on old big iron is often related to load so reducing the amount of network accesses can result in cost savings. Interesting not only in this context.

You can find more on this topic in this article in SOA Journal.

Food at the Moscone

A brief interlude to talk about the lunches at Moscone: yuech. Now I have gotten that over with...

TS 5217 "Effective Java": Still Effective After All These Years

Josh is always a engaging speaker it is well worth going even if you have read the 2nd edition of the book. (For one reason of another I just got around to the updated version). I wont cover this too much as you should just read the book but it is worth mentioning the "PECS" mnemonic in Item 28 when coverings designing APIs.

PECS = Producer extends, consumer super

This is useful when you are trying to decided whether to use "super" or "extends" when defining generic parameters. It is slightly tricky because you are considering what the parameter to the method is doing not the method itself. For example:

public interface Stack<<E>
{

   public <E> pushAll(Set<? extends E> src); // src produces objects
   public void popInto(Collection<? super E> dst); // dst consumes items from the stack

}

There is an interesting corner case that the JDK doesn't deal with cases where the defined generic types are not directly related. You need to us an explicit type parameter which I have not come across before.


Set<Integer> ints = ....
Set<Double> doubles = ....
Set<Number> numbers = Set.union(ints,doubles);

// Wont compile, instead use an explicit type parameter

Set<Number> numbers = Set.<Number>union(ints,doubles);

Again just buy the book. :-)

TS-5295 Designing and Building Security into REST Applications

This was a presentation that didn't 100% match the abstract; but was interesting none the less. The first part focused on REST apis for administering OpenSSO instance and some fairly basic stuff about securing the web. The second part dealt with OAuth which I had to admit I had never heard of before; but was mentioned more than once over the time I was at JavaOne.

The most interested usecase of OAuth is for delegated access. So for example you your mashup site needs to access some resources from say Flikr.com. OAuth defines how your mashup site requests authorization and provided a set of HTTP headers that allow the site to access a particular defined resource. Useful if you want to share something for just a day for example.

They have recently checked in a bunch of Jersey filters to help implement OAuth on the client side. Nothing documented yet outside slide sets but you can peek at the source here.

TS-4883 Coding REST and SOAP Together

I was hoping that this presentation would give some insights on how to make a resource hierarchy into SOAP messages and vice vera. They didn't go into such details which is a shame as this topic would really be quite interesting. Probably I didn't read the abstract closely enough.

One point work mentioning is that if you take a class with both JAX-WS and JAX-RS annotation on it remember you have to secure it twice. Securing the service with WS-* won't protect the REST side.

More food

I was kinda obsessed by food that day having forgotten to eat yesterday so decided to skip out of the conference center for some food, I ended up at Lori's diner on Powell Street. Nice fresh air before diving back into dungeon.

BOF-5105 Hudson Commnity Meet-Up

The most interest part of this presentation was on a Hudson extension called drools. (Documentation to come) This allowed you to basically draw a process flow for you build system, including human step and splits joins etc, and deploy it to the hudson server. Look quite powerful to me. Hopefully there will be some more documentation on this soon so I can download and start playing.

There was also some demos of Netbeans integration. Being able to create a hudson job from a project was nice - also some monitoring tools.

There was one question about maintaining and building project branches; but the answer was to either clone jobs - which we do already or write your own extension.

BOF Test tools BOF

This was a little bit of a infomercial for PushToTest; but it did contain some interesting bits and bobs.

First of was the Windmill project as an alternative to Selenium. Appears to be moving faster and support authoring on more platforms. The second was they by using Rhino HTMLUnit is now able to run most of JQuery without even involving a web browser. Interesting from an automation point of view. Push to test have an open source script fixture that mashes up Selenium and HTMLUnit to this affect; but the life of me I couldn't find it on the website.

Friday, June 5, 2009

Async REST

I was asked today at the end of the presentation about what we thought an Async REST service would look like. At the time I was not sure; but after thinking about it the pattern is probably quite simple.

Consider an business making an insurance claim of some kind on behalf of an employee. So the client sends a POST message to the insurance resource as it want to create a new insurance claim. In the message it contains not only a reference to the resource for the employee but also a new sub resource for the employee that represents the claim. Since we are doing async the server response with 201 and with a URI to a resource to represent the insurance claim.

Time passes...

Eventually the server processing the work will POST its response back into the particular claim resource which we specified on invocation. In my example the message contains a reference to the insurance claim; but I suspect this is not required as would be implicit in the use of the resource on the client.

Now since the response is a POST as well it creates a new resource, in this case a claim response, which is returned to the server. In my experience insurance claims often take multiple goes so there could be multiple responses for a give claim. This would appear to complete the asynchronous message exchanges.

Does appear to make sense, mind you it is 00:30 at the moment so I will have to review in the morning, and all without the use of any WS-* standard.

Thursday, June 4, 2009

Logging with music , eh?

Sometimes it is the presentation you miss that sound interesting, take for example a presentation on JFugue and Log4Fugue. A Java API for making music and one for converting log messages into tunes.

Reminds me of the Anthem spread sheet in the first Dirk Gently book. (Bonus Geek fact this story started life as a Doctor Episode)

Wednesday, June 3, 2009

JavaOne Session write ups

Running a little bit behind on this, just too much to see and do it seems. I suppose I could just dump my notes directly; but it seems more polite to write them up properly so that they are some use to others.

Hopefully catch up on the flight home if I get a better seat on the plane... now on to "More Effective Java"....

JavaOne 2009, day one, part two

TS-3966 Using REST and WS-* Together for SOA

I really liked this presentation it appeared to give a balanced view of the topic and the presenter was clear. The key point to take home from this presentation is that both WS-*, SOAP web services, and REST services are valid implementations for SOA. Neither thought are ideal for all situations.

The key point of SOA from the point of view of this presentation the key point of SOA is to introduce loose coupling so you can change implementations on the fly. This is contrasted to RPC style services where even changing the number of parameters would require the service to be shutdown and all client modified.

On balance SOAP has all the enterprise features such as WS-TX and WS-RM; but REST, at least over HTTP, works better over the web. (Even simple stuff like allowing GET for caching) You can roll your own enterprise features on top of REST/HTTP but you pretty much end up with the complication seen in WS-*.

Is it interesting to understand that just at the moment we have a consistent WS interop story that the technical world want to drop all of this and start again. Having said that REST does work better over the net, you can cache values where required although I am not sure how this works in practice.

Interestingly if we had a SOAP 1.3 that had come control over HTTP methods then you could get many of the advantages of REST but with the consistent interop standard that SOAP gives you.

The presenters view was that the RESTvsSOAP debate was useful and instructive; but that going forward we should focus more fixing the problems with both rather than bickering. Which I kinda agree with.

The summary was that for cross web use REST/HTTP but for interop at the moment you will find that WS-* wins because of the number of add-hoc relationships you currently see in REST because of the lack of standard. Interesting point of view.

Tuesday afternoon technical session

I was a bit late as Lucas Jellema happen to pick the one of the hundreds of tables at lunch that I was sitting at. Very odd to hear the words ... "Do you know Gerard Davison". Might 2.5 seconds of fame I guess.

I had a good chat with Lucas even had some time to give him some quick previews of some features in JDeveloper. But pressed for time at that point; but was happy to bump into him and will hope to keep in touch.

Lots of stuff in JDK 7 in the presentation; but nothing particularly interesting. The one significant project was "Jigsaw" which reduces the JDK into much smaller modules. For example desktop profile made up of base; awt and swing. Really does cut down on the core download. Oh for the day we don't have to download the Corba support all those useless classes which pollute code insight.

There was the a little bit on EE6; but to be honest not anything new apart some new scheduling annotations in EJB 3.1 which are nice for timed events.

The one really interesting API is JSR 303 Bean Validation. This allows you to perform assertions such as string length etc. Using meta annotations you can define you only validators, this looks like a nice API for general use.

Then a little bit on profiles, in particular the web one. Then a really nice demo using net beans and glassfish. They think Sept'09 for the final version of EE6 along with a matching glassfish soon after.

The final demo was for there Open ESB demo app http://www.cluedin.org. Had some really nice web ui as part of project Fuji that allowed you to draw out a lot of the interaction flow. Looks very powerful.

TS-4629 Tips and Tricks for Ajax Push Applications

Pretty fun presentation; but the take home message is that you have to be really careful to architect you broadcast mechanism to deal with client that die of block. So if you need to broadcast to 30 browsers you need to consider how many thread you need to service this and perhaps us non-blocking NIO.2 to service these request. The other thing to consider is even consolidation, for example an application that updates x,y location and drop some intermediate event to improve performance.

Also to consider is conversation fragmentation in a cluster, but the solution to this was not covered in detail except that in most cases it is going to involve a JMS queue of some kind.

TS 4544 Introduction to CEP

Interesting stuff about monitoring real world information, this was in particular a demo of the Oracle implementation which was interesting. Runs on top of the RT version of the RocketVM because of the needs to continuously monitor events and correlate them as they arrive.

A good introduction to this topic; but I don't know enough to comment any further... Pretty cool fire service demo at the end showing real world information being integrated in real time.

TS 4213 Securing Web and Service Orientated Architectures with Apache Axis, WSS4J, Spring and OpenLDAP.

Now I have notes to prove I went to this presentation; but I think JetLag was hitting hard. I cannot make any sense of them at all. :-)

BOF-5493 Qup Vadis JavaFX Production Suite

Just a lot of work on making JavaFX very tool able. One thing of interest is the idea of a event bus so you can listen to common events and easily wire them up to actions. They have a special file format to encode designed artifacts, FXD/FXZ, that the designers can export from the normal design tooling such as creator.

Some things for the future would be a UI Contract that the designer can verify they are creating the correct objects and controls that the programmer has asked for. Also a binary format that better allows incremental load would be nice.

The tooling we demoed in several keynotes and was really quite impressive to my mind, I wonder how much it will cost.

BOF-3826 The Collections Connection

Started of with talking about collections is JDK the first thing we quite interesting in that they were proposing language changes to support array literal and look ups. Granted this is syntactic sugar; but something you should really expect from a modern language.

 

List<String> list = ["a", "b", "c"];
Map<Integer, String> map = {1: "One"}

// Or treat as arrays

print(list[0]);
map["1"] = "One";

Collections.sort in JDK 7 is much faster for lists that have some order and is much more efficient in it usage of memory. They we going to use the TimSort algorithm from Python.

They then went onto talk about Google collections which is nearly at 1.0; but not quite.

They have support for proper immutable lists rather than the Unmodifiable wrapper we currently have in Java. Written from the ground up to be faster as have less to worry about when compared to writable list. For example immutable set has a 2-3x smaller memory footprint when compared to the normal set. Also they provide builder methods to create literal immutable arrays which is nice. The suggestion is to always use immutable collection, never pass mutable ones which I kinda can agree with.

They have nice support for MultiSet and MultiMaps. Now original I wasn sure why you would need a MutliSet as it appeared to be the same as list. The main difference is that it has different rules for order equality. The MultiSet doesn't care about order to it is useful in some situations.

Really nice map builder interface to configure just the right amount of soft / weak keys in a map. Really useful for caches.

Take a look at the google collections project; but bare in mind some will make it into the JDK.

BOF-5009 Comet for Everyone, Everywhere

Nothing much new here that I haven't mentioned on the blog before, apart from the code snippet to launch a local version, kinda like Endpoint for JAX-WS:

// Like Endpoint.publish
SelectorThread st = GrizzlServerFactory.create("http://localhost:9999/");

They did mention the MessageTransformer class used to help prevent XSS hacks and injection bugs, they also talked a little bit about getting the broadcaster to be more efficient.

I did ask if you could get a broadcaster by name, and they said they would look into it.

And then with my brain thoroughly frazzled it was time to find some room service back at the code as it was after 10:30pm. (Right no it is actually Friday, time for me to catch a plane)

Tuesday, June 2, 2009

Larry Ellison makes an appearance on stage at JavaOne 2009 keynote

You can watch it live on the java one conference page. Or the recording later here, Larry is about 1:15 in or so.

JavaOne 2009, day one, part one

Morning keynote

So after a fitful nights sleeps I make it to the keynote which a little time to spare. The keynote room in 90 degree on from last year which give a good feel for the smaller numbers. Normally it would fill this massive underground room at Moscone, today it looks like only about 60% of it. Still the atmosphere is much better today, I guess that I could chalk up yesterday to the jet lag.

On minor niggle is that in previous year you always go an extra gift if you were either a speaker or a Alumni. (I am both) This year only paying Alumni get anything, which is a shame as I need a new jacket for Canoeing. Oh well as they say beggars can't be choosers.

From the stands at the pavilion last night you can guess there will be a lot about the cloud. I am not personally sure how this one will end up but from my experience there is at least a strong need for little fluffy clouds (lfc) within organizations. For example farms to build and test code using Hudson is something I have been involved with recently at work. Of course with the right infrastructure these should be transparently relocatable to big iron clouds on the internet. Just how much companies want to expose there system this way though is open for debate. For example I can't see many companies risking source code on the net just so they could make use of cloud services to build and test.

But I guess onto the keynote presentation, lovely DJ at the start which set the mood at start of the presentation.

The keynote did seem to start with an announcement that JDK 7 had been released, this was later corrected, but it did cause some confusion and lots of frantic web surfing in the crowd. This was correct in the afternoon keynote.

They did a bit on how ebay uses java. Billions of database transaction; but what was interesting is that they didn't explicitly say they used JEE technology. That could just be a typo though.

With a bit of a tease the next section was announced as the world most successful smart phone. I suspect that more than a few people in the crowd thought we were going to get Java on the iPhone; but it was of course RIM talking about blackberries. The demo was kind-of retro at least in the parts of the UI that were from blackberry. Didn't make me want to develop for that platform really no compared with the stuff that comes out from apple.

Moved on to consumer stuff, such as kindle. Demo of BluRay but appears more of a plug for Sony films rather than any specific for Java. Verizon then Intel followed and I was kinda loosing hope.....

Things go more interesting when they showed JavaFX running on a LG HD tv. Interesting that the java VM on the TV had lost of graphics acceleration so you can quite happily run java apps that overlay and embed HD video.

Nandini Ramani, no idea why I thought to note that down, came on stage to present on JavaFX tooling. Using web start which is interesting as sun really seems to bringing this back. Perhaps this relates to the Java Application store which makes a lots of use Some really nice feature to show FX for different displays at the same time. Lots of NeXT like screen guides for laying items out. Some nice visual wiring so you can connect say buttons to video assets. Looks like really nice tooling, works with the apple store. Annoyingly this tool wont be available until the end of the year would have been better if they said that at the start of the presentation.

The next segment focused on the new app store. They have been playing with the idea for some time; but the key is to make it easy for developer to convert there work into money without having to build out loads of infrastructure. I wonder if this will be linked with some kind of cloud offering to support the back end of applications.

Note there are two URL to look at http://store.java.com which is the public face and http://java.sun.com/warehouse which is the developer front end. Interesting in the public beta everything is free. They specifically want feedback on the money model which is kind-of interesting.

One final feature is that because underneath they are using web start you can preview apps without doing a full install. You can just "Preview" it in the app store which basically does a temporary download and install.

To highlight the different programming models they highlighted RuneScape which looked kinda fun. (Apparently in the Guinness book of records and the worlds most downloaded game or something) The game is free to play but they make money by converting users into paying subscribers. (They claim a 20% conversion rate which is pretty good)

Now on to some back patting and a video about the start of java etc. Talk about management is bravery etc, appeared to be focusing on old times. End of an era feel it to.... followed by the standard T-Shirt silliness.

The keynote ended with Larry Ellison coming on stage after some Oracle / Sun merger jokes. Not going to talk about this as we have been specifically asked not to comment on the merger. You can always watch the keynote on the javaone site as I previous noted.

Then up to the gardens above the Moscone center to do presentation prep... which took me to the end of the first morning.

JavaOne 2009 not going to be very good? Update: maybe.

Now it might be that I have been awake for 20 odd hours, that I couldn't open my laptop because the seat pitch on the plane is too small, and that the weather is much better at home than in California, and there were no nibbles at the JavaOne Pavilion opening part; but I am not 100% sure that JavaOne will be much fun this year.

I spent a good hours walking around the trade stands; but could find nothing really to grab my interest. This is odd as I often have to go back again and again to this room as there is so much going on. The schedule also doesn't seem to grab my attention, normally I can't find time to see all the presentations I want to. This year I find I can take an afternoon of to visit the WLS people and do a bit of use case analysis. Never a good sign.

Now it may be the lack of big players such as IBM and Oracle; but I feel this is going to be a much lower key that in previous years. Now it could be just because of the economic downturn but I have the feeling that Sun is going to throw a party this year but no-one has the heart to bring it... (Actually it might just be the lack of Rob C, Tim G or Jon M to hang around with that makes the difference I guess thinks will seem better when I speak to Manoj in the morning.)

Perhaps I will feel more positive in the morning after I have breathed in what-ever they spray into keynote rooms to get everybody excited.

Update:

Well they did something in the keynote, not sure if it was the project, the air of the appearance of Larry; but the JavaOne mood is back again. Phew.