Dave Teare

Ranch Hand
since Oct 09, 2002

Recent posts by Dave Teare

Hi all,
What does WebSphere do if a message delivered to an MDB fails multiple times? (i.e. fails more than the maximum retry setting) I assume it must store it somewhere for an admin to look at. Where is this and what tools are available to process / review them?
I want to use an MDB to process credit card orders and don't want to worry about lost messages. Of course I will use CMT s.t. if the MDB fails the message will be returned to the queue, but I am worried about poisoned messages.
Thanks!
--Dave.
14 years ago
Thanks for the response C Chavan, this is an interesting idea.
A few thoughts / issues I have:
1. You mention calling the CC validator via JMS, is this different than using an MDB? I assume they are identical since MDB piggybacks on JMS. I ask because in the EJB 2.0 spec it says that messages are not delivered until you commit your transaction. I am currently using CMT, which will not work for what you describe (at least not in a single bean).
2. How would I poll the DB row waiting until it changes to "completed"? I assume I read it, if it is in state "waiting", I do a Thread.sleep(), right? Is this use of threads violating the EJB spec? If I remember correctly, it says you can't create threads, but maybe I can use static methods on them.
Assuming I wanted to keep CMT, I guess I would end up looking something like this:

Is this what you were expecting? I could also achieve this result from the action class with 2 remote calls, like this:

I'm not sure if I will do it this way, but it is definitely food for thought. I would rather spawn a thread to call the web service and join it before my Session Bean completes - as described in my response to Kyle. But this mediator is a neat idea....
Any thoughts?
Thanks!
--Dave.
[ March 20, 2004: Message edited by: Dave Teare ]
Hi Kyle,
Thanks for your response. Essentially I have a 3rd party web service that I need to call to validate the CC number. The QoS agreement states ~3 second response. I also have some business logic that needs to be performed which prepares a Unit of Work; this takes ~3 seconds. I want to run these in parallel s.t. it takes 3 seconds instead of 6.
What I was thinking was to fork off a thread that will call the web service at the beginning of my Session Bean, perform my work, and then join the CC validation thread. If the CC was not valid, I would setRollbackOnly, and throw my application exception. If the CC was valid, I would store the confirmation number into my UoW and then exit normally. CMT would then commit my UoW.
With this approach, I don't mind that my CC thread doesn't have a transaction since I don't plan on using it. I just don't like disobeying the spec, even though I might not agree with it.
I've thought about MDB's, but sending messages to a queue is part of the transaction. The message won't be sent until I commit.
Any thoughts?
Thanks!
--Dave.
Okay, I am sure this is a hot topic and am prepared for a religious argument!
I want to create a Thread inside of my session bean, but the specification says I am not allowed. I understand that the spec is "trying to help developers" by allowing them not to worry about threading issues (something that I think is unreasonable - it's like saying you shouldn't have to understand instance variables are not thread safe in servlets - it's something you simply have to know).
Anyway, I would like to know what terrible things will happen to me if I create a new thread inside my bean - will the world come to an end? Will WebSphere slap my hand? Or will everything be fine except that I broke a rule?
I simply want to call a service that will asynchronously call a third party to validate a credit card number. While this is happening, I would like to get a DB transaction ready to commit. If the CC# is valid, I commit the TX; if not, I rollback and notify the user of the failure. If everything is fine, I would also like to send an email with javamail - but that is multithreaded too....
Can I do this safely? Any consequences?
Thanks!
--Dave.
Hi all,
I am having a random exception happen when calling request.getRequestURL(). I'm using struts and am certain that my code can handle multi-threads (i.e. the request is not stored in a static variable). Also, this fails only 0.2% of the time - so I wonder if it is a WAS bug or if I am doing something wrong.
The exception is attached below. Any help would be greatly appreciated!
Thanks!
--Dave.
14 years ago
Hi Wes,
SSO is simple, really - as long as every app uses the same authentication token (of course, getting agreement on the token is the hard part).
What type of token does your custom login module create? I assume a homegrown userid+expiryDate+XYZ, all encrypted via JCE? If so, you will need to change the other J2EE app to extract the user id from your token (in web land, from the cookie - cookies will work if both apps use the same domain). Of course, you probably don't have the source code for this other app, or are not allowed to change it.
If the other app is using the container's auth mechanism (i.e. WebSphere uses LTPA, not sure what Oracle uses), then you will need to follow suit. Perhaps Oracle has a public API for generating tokens that your login module can call? If they are like IBM, it is private and you can't use it.
I am in a similar situation. I want to write my own auth manager, but I am afraid about integration with other apps. I want to call IBM's code to create the LTPA, but the &&@$%@'s have a private impl (man, I need JBoss!). So, I am left calling the j_security_check servlet programmatically. What a bloody hack.
Hope this helps. Let me know...
--Dave.

Originally posted by Wes Hughes:
We are using JAAS and a custom login module to authenticate users to our J2EE app. We are now required to share authentication with another J2EE app running on the same server (i.e. a user can go back and forth without having to re-authenticate). Is this even possible? We're running on Oracle 9iAS, which does support SSO but this is not really the approach that we are looking for (but may have to consider).
Thanks.

14 years ago
Hi Busty,
I don't think you are able to fiddle with the logged in principal in the manner you discuss. If you are using J2EE, and you expect this principal to be propagated to downstream servers, then you need to rely on the container's impl. For example, in WebSphere, an LTPA token is generated that contains the user id and password, and so in your example, once the password changes, the token becomes invalid, and WAS will likely throw an exception when trying to reestablish the credentials.
I would simply re-login the user by calling the LoginModule with the new userid and password. I've never done this before, but I would hope the LoginModule would overwrite the existing credentials. In fact, you could just call the JAAS logout first to ensure this happens.
Let me know what you think or how it turns out.
--Dave.
14 years ago
Yogi,
I replied to your similar message in the WebSphere forum. Go look at it and let me know if it fixed your problem.
--Dave.
14 years ago
Sorry - I said base action class when I meant to say base action servlet. This servlet is registered in web.xml and delegates to the standard struts impl once access control is enforced.
14 years ago
Hi Chaitanya,
I take it you decided the form-based login approach is insufficient for your needs. I came to the same conclusion and used JAAS for authentication too. Once you perform your own authentication, you disable the web container's ability to perform declarative access control, and must do everything yourself (unless you programmatically create the same login token used by said container and stuff it into a cookie/url rewrite).
I know in WebSphere that once you try to introduce an RDBMS-based permission scheme, you are on your own. I assume other containers are similar.
Given this, my plan is to have a base action class (I'm using struts, use a front-controller or filter otherwise) that will enforce that each request contains an authenticated user (if the resource is protected), and verify their role is allowed to access it (via DB lookup, etc). The problem I have is how to define which resources are protected. Perhaps I will use an XML file with a format similar to web.xml; or perhaps each action should be stored in the DB and a join between the user/role/action tables would determine access.
What do you think? Let's brainstorm together...
--Dave.
14 years ago
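
An added example, not part of the original post and not WebSphere or Struts code: one way to express the protected-resource table the post above proposes, as a deny-by-default path-to-role policy that a base action servlet or filter could consult on each request. The class name, paths and roles are hypothetical, and the in-memory maps stand in for the XML file or user/role/action DB join the post considers.

```java
import java.util.*;

// Added illustration; every name here is hypothetical.
public class AccessPolicy {
    // Path prefix -> roles allowed. Stand-in for rules loaded from XML or a DB.
    private final Map<String, Set<String>> rules = new HashMap<>();
    private final Set<String> publicPrefixes = new HashSet<>();

    public void protect(String prefix, String... roles) {
        rules.put(prefix, new HashSet<>(Arrays.asList(roles)));
    }

    public void allowAnonymous(String prefix) {
        publicPrefixes.add(prefix);
    }

    // Segment-aware match: "/orders" covers "/orders/x.do" but not "/ordersX".
    private static boolean matches(String prefix, String path) {
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    // Longest matching prefix wins, so one action can be stricter than its parent.
    private static String longestMatch(Collection<String> prefixes, String path) {
        String best = null;
        for (String p : prefixes) {
            if (matches(p, path) && (best == null || p.length() > best.length())) best = p;
        }
        return best;
    }

    // path must be the container-normalized servlet path, never the raw request URL.
    // user == null means the request carries no authenticated user.
    public boolean isAllowed(String path, String user, Set<String> userRoles) {
        String rule = longestMatch(rules.keySet(), path);
        if (rule != null) {
            return user != null && !Collections.disjoint(rules.get(rule), userRoles);
        }
        // No protection rule: allow only explicitly public paths (deny by default).
        return longestMatch(publicPrefixes, path) != null;
    }

    public static void main(String[] args) {
        AccessPolicy policy = new AccessPolicy();
        policy.allowAnonymous("/login.do");
        policy.protect("/orders", "customer", "admin");
        policy.protect("/orders/refund.do", "admin");
        Set<String> customer = Collections.singleton("customer");
        System.out.println(policy.isAllowed("/orders/list.do", "dave", customer));
        System.out.println(policy.isAllowed("/orders/refund.do", "dave", customer));
        System.out.println(policy.isAllowed("/orders/list.do", null, new HashSet<String>()));
        System.out.println(policy.isAllowed("/reports/all.do", "dave", customer));
    }
}
```

A path with no matching rule is refused rather than allowed, so an action that someone forgets to register fails closed.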
Sorry Sandy,
I don't understand your question. Now, I just got back from vacation in Mexico so perhaps the sun has fried my brain.
Are you writing a telnet application that will validate users against JAAS, or are you trying to test your JAAS login module using telnet?
From what I understand, the LoginModule impl will live in your application server, say WebSphere, and you will connect to it from your client using the code posted above. Of course, if you are not using WAS, you need to find an example for your particular env.
If you're simply trying to test your JAAS LoginModule impl, I would write a JUnit test that exercises your module; I don't see how telnet would fit in since the transport is specific to your env (i.e., WAS runs over IIOP).
Now, on my vacation I did read a great Struts book that showed you how to connect to your app server via telnet s.t. you could see the data traffic between a browser and a servlet. Is this similar to what you are trying?
--Dave.
14 years ago
Hi Martin,
I've had this same frustration - statically included JSP's are not part of the "isChanged" algorithm for a given JSP. What I do is delete the generated class files (AppServer/temp in WAS, don't know about WSAD) in order to force all JSP's to be recompiled. This sucks, but at least I don't have to go edit every JSP that includes header.jsp, copyright.jsp, etc.
Hope this helps.
--Dave.
14 years ago
Hi Yogi,
Download IBM's FormLoginSample; the HomeController.java does what you're looking for.

Hope this helps!
--Dave.
14 years ago
Kyle,
You mentioned that if we use the JAAS login API, the LTPA cookie will be created automatically. By cookie I assume you mean a cookie is stored into the HttpServletResponse, but how can this be since the request object is not passed into the JAAS api (nor should it, imho)? Here is the code I found from boulder:

Is there another api I should be using, or did you mean to say an LTPA token would be generated and sent to downstream servers?
Thanks for clarifying.
--Dave.
14 years ago
Hi Ramesh,
I assume by "EJB local references" you mean using "pass-by reference" semantics as opposed to "pass-by value". If so, you can configure WebSphere 5.0 to do this in the admin console under Servers->server1->ORB Service. There is a check-box for "Pass by reference". When enabled, this specifies that the ORB is to pass parameters by reference instead of by value, which bypasses a copy operation.
I enabled this, but the performance gains were not that great. On the positive side, however, it didn't hurt.
Hope this helps.
--Dave.
14 years ago