
Rick Salsa

Ranch Hand
since Jul 17, 2001

Recent posts by Rick Salsa

Originally posted by Brian Buege:

Both great questions!!
Here are a few answers (I'll start from the bottom and work up):
The book includes working sample code for a Java-based SSL tunnel using the JSSE. It also discusses other tunneling products like stunnel. And it discusses them specifically in the context of securing a client-server app. AND, it has working sample code that includes a standalone client talking JDBC to a database, an applet client talking JDBC to a database, and a Java Web Start client talking JDBC to a database.
Next question:
I think that one of the common misconceptions about J2EE security is that it's inflexible. I haven't found that to be the case. There are some things that it doesn't do well, but that's the case with any product.
For example, in SQL it's hard to do some things, but most people would think you were nuts if you suggested rolling your own database. It's kind of the same with J2EE security. There's some stuff that isn't elegant, but I haven't found anything that I couldn't work around yet... Again, just like SQL queries.
J2EE security provides for both declarative (specified in the deployment descriptor) and programmatic (handled at runtime) authorization. This allows you to have the best of both worlds: For simple stuff, you can use the authorization in your DD, then when you need to get dynamic, you can interrogate your container to find the identity of the person calling your method and make authorization decisions in your code.
With the advent of JAAS in the newest app servers, this dynamic capability is increased even further and the possibilities are pretty endless.
If you'd like me to be more specific about any of the generalizations I've made above, let me know...
[ October 22, 2002: Message edited by: Brian Buege ]

If you could, that would be great! So does the book cover programmatic security as well? I'm assuming this might be something like isUserInRole, type of thing?
Also, you mentioned that the book talks about securing communication from client to server, with a Swing-JDBC app. What about securing communications with an app server using RMI? Is this mentioned at all and would it be similar to what you describe for the client-server scenario?
Thanks Brian. The first answer was very informative!
[ October 23, 2002: Message edited by: Rick Salsa ]
15 years ago
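
The split Brian describes, as an added example that is not part of the thread or the book: the descriptor restricts the URL to two roles, and the servlet then asks the container for the caller's identity to make an ownership decision the descriptor cannot express. The servlet name, role names, URL pattern and report data are assumptions; the calls are from the `javax.servlet` API of that era.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative part, in web.xml (role names and URL pattern are assumptions):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>analyst</role-name>
//       <role-name>auditor</role-name>
//     </auth-constraint>
//   </security-constraint>
// The container rejects callers outside these roles before doGet() runs.
public class ReportServlet extends HttpServlet {
    // Constructed sample data: report id -> owning user name.
    private static final Map<String, String> OWNERS = new ConcurrentHashMap<>();
    static {
        OWNERS.put("r-100", "alice");
        OWNERS.put("r-200", "bob");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal caller = req.getUserPrincipal();   // identity established by the container
        String id = req.getParameter("id");
        String owner = (id == null) ? null : OWNERS.get(id);
        // Fail closed: no identity or unknown report gets the same answer as a denial.
        if (caller == null || owner == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Programmatic rule: only the owner or an auditor may read a given report.
        boolean allowed = owner.equals(caller.getName()) || req.isUserInRole("auditor");
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report " + id + " for " + caller.getName());
    }
}
```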
Hi Brian,
What's your take on the security interface provided by most app servers? I have yet to use it in an application myself, but I'm told that it is very inflexible.
I guess I'm looking for something more dynamic that is configurable at runtime. From what I can make out, most container provided security features must be defined in descriptors when deploying.
Is there any way to get around this or do you need to roll your own?
Also, does the book mention securing client-server communication? How does that work, ssh tunneling?
Sorry for the load of questions. Thanks in advance!
15 years ago
Use them all the time!! They're fantastic. We use them at work for every Java project we do. Where I work, there are developers and designers. The designers do all the HTML coding as well. They use the libraries that our framework (WebWork) provides. This way, we have nothing but tags in our view pages (JSPs), no scriptlets at all. All the work is done using plain old Java classes, and the tag libraries pull the results and display them.
This also helps us in getting our projects done quicker. The developers can code and the designers can design all at the same time.
Take a look at WebWork, it's fantastic, and the taglibs that come with it are great!!
Just my 2 cents,
Try this:

You'll need to create this method in your subclass and then call

Give that a try and let me know if it works. That should do it for you. I know it's worked for me.
[ July 02, 2002: Message edited by: Rick Salsa ]
An idea would be to compile a list of the different app servers for users. Mainly links to where they can be downloaded. Possibly little blurbs on how to set them up and run them?
Hi Rick,
First off, I must say thanks for the awesome book!! I've learned a lot from it.
As for EJB-QL and CMP, I'm using it on an open source project that I'm working on at the moment (when I have time...). We are also going to be using it on a few projects at work. I think it's the cat's a@%!! It saves a lot of time and I don't have to worry about any JDBC. I also like the fact that, with most containers, all I have to do is tell it what datasource I want to use, and it takes care of the persistence for me!! No need to create a DAO interface and implementations for each db I want to run on. The container takes care of it for me with CMP.
My only gripe right now with EJB-QL is its lack of support with Date fields (like using LIKE functions on them) and the fact that you can't run an ORDER BY on them. I hear that they are working on that right now... Just means that you'll have to create an EJB-QL query to get around it.
It's a big time saver!! I'm currently using it with JBoss, but plan on trying it out with JRun and Orion.
As for XDoclet, I haven't had the time to play with it yet. It looks very interesting and it will for sure save a lot of time. From what I've read about it, and from what you've mentioned, it will create all the deployment descriptors and any vendor specific files for you. Set up the build in Ant and run specific deployments for each app server. Can't get much simpler than that. Makes the whole portability issue less of a pain in the butt.
I plan on looking over the articles soon.
Just my 2 cents,
Hi Chu,
That will depend on your appserver. I use JBoss, and I know that I had to map Dates to java.sql.Timestamp. Check your appserver's documentation. There should be some sort of XML file that contains these mappings.
Are your servlets and EJBs running in the same container?
If your servlets are not contained in your appserver, i.e., you're using Tomcat and Weblogic, you'll need to use a regular Entity bean, instead of a Local Entity Bean.
[ June 12, 2002: Message edited by: Rick Salsa ]
Well, it really depends on a couple of things.
First off, what is the application to run on? Windows or Unix/Linux? If you're running Unix/Linux, you'll need to take into account file and directory permissions. Depending on where you want to write the file to, does your servlet container have read-write permissions to it?
Also, do you want to have to read and write BLOBs to your db? What kind of access time is it going to take to do this?
I've only done this with writing to a file system, but I hear of a lot of apps that write to a db. With a db, you'll be able to add fields to the table that hold information on the file, like owner, last date modified (last upload time). You could also add a field that locks the record, so it can be downloaded if it's checked out. You could do this as well if working with a file system, but I think it would be easier to implement using a db.
So depending on what you want to do, a db might be better, but BLOBs take up a lot of space in a db table, so if space is small, maybe look to straight files.
I'd like to hear if anyone has compared the access times of the two. Which would be faster? I'd think it would be the filesystem, but I could be wrong.
16 years ago
Hi Jim,
Everything works 100%!! Thanks a lot for your help with this.
16 years ago

Originally posted by Jamal Hasanov:
Thanks Rick,
But start guide doesn't include everything...(for example how to add Oracle DS)

Take a look in JBOSS_HOME\docs\examples\jca. In there, you should find a file called oracle-service.xml. That is what you need to add an Oracle DS. You can pretty much use that; you'll need to change some of the values to match yours. Then, drop your copy into JBOSS_HOME\server\default\deploy. That should do it.
[ June 10, 2002: Message edited by: Rick Salsa ]

Originally posted by Jim Yingst:
Ah, you've stumbled into one of my pet peeves - a catch that does nothing. Look here for more info. Consider - what happens if the caller specifies a field or method name that doesn't exist?

lol. I guess it wouldn't help by saying I was too lazy to type it in.... I have to figure out exactly how I want to handle that in my application. For now a StackTrace should do. Thanks for keeping me from getting sloppy.
I now see where I was going wrong. I'm going to try out this and I'll let you know how it goes... Thanks for all your help Jim.
Would there be an easy way of doing this? Just curious...
16 years ago
Great! Thanks Jim. I think I do have it wrong. Here's the method that I've created:

So, I should change getField to getMethod? What I want to do here is have the user pass in a string which refers to the name of a class member of an object (it has a corresponding get method).
So for getMethod, would it look something like this?

The part I'm unsure of is invoking the method. Would this be correct then:

If you could give me some pointers or tips, that would be fantastic!!
The field that the getAscending() method takes will also be on methods like getStartDate(), so I'd pass in startDate. Would this mean that I would now have to pass in getStartDate? From what I have seen in reflection examples, it would appear to me that invoke only works with methods that take in parameters, but I could be totally misinterpreting it.
Thanks a lot!!
[ June 07, 2002: Message edited by: Rick Salsa ]
16 years ago
Your best bet is the quick start guide. The pay-for documentation is for things like Clustering, etc., the advanced features.
JBoss 3.0 has a lot of new features that weren't available in the 2.x versions... JBoss 2.x is EJB 1.1 compliant, while JBoss 3.0 is EJB 2.0 compliant. A lot of new features to implement, therefore more to learn about in relation to configuring.... Actually, I find the new versions easier to configure, no need to worry about jaws.xml .....
Going over the quick start guide should get you up and running....
Hi all,
I have a question on whether something is possible? I want to, at runtime, call a method dynamically for a comparison. For example:

Is something like this possible? I've looked at the reflection API but couldn't get it to work. I could end up getting the field I wanted, but using it for a comparison wouldn't work:

I hope this is clear. Any suggestions or pointers to information would be helpful. Thanks!!
16 years ago