Wednesday, October 19, 2005

print.google.com

Come here to view any book. You will be happy.

Monday, October 17, 2005

Lucene - text search engine

Apache Lucene is a high-performance, full-featured text search engine library (an Information Retrieval, or IR, library) written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. It lets you add indexing and searching capabilities to your applications.

Monday, October 10, 2005

Saturday, October 08, 2005

Quick Solution for Existing Web Application Security

Web applications are becoming more popular software for customers. As web applications go online, their security needs attention. Problems arise when the application cannot distinguish between legitimate and illegitimate requests coming from a browser.

Through a Web browser, I can access my account information. I can also access your account information. The web application server needs to validate whether I have permission to access your account information. However, server-side form data validation is really time consuming and sometimes nearly impossible, especially for an existing web application system.

In this paper, DES two-way encryption/decryption is introduced for form data validation in the web application.

Using GET/POST, some sensitive data is displayed in the user's HTML forms or URL. For example:

http://www.yourdomain.com/accounts/editAccount.do?aId=5

Anyone can easily change the aId value and submit the changed URL to the server. One solution is to check the user's permission on the server side. Another way is to check whether the client changed the aId, that is, whether the aId I passed out matches the aId I receive back.

To see whether the client changed the sensitive data, the DES encryption algorithm is used in the system. The example code is listed at the end of this paper[1]:

For the above URL, I encrypt the sensitive data with the DES algorithm before passing it to the remote client. The client browser now gets the following URL:

http://www.yourdomain.com/accounts/editAccount.do?aId=SMsDoJFsmlc=5

In the above example, the encrypted result is “SMsDoJFsmlc=” and the original value is “5”. When the client submits this URL to the server side, I get the encrypted aId from the request, call decrypt(String) and get the original value.

Now suppose the client changes the aId to something else; the decrypted result and the original data value will no longer match. We know the client changed the value and simply reject the request.
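As an added example (not the post's own code, which the post says appears at its end and is not reproduced here), here is a Java class that implements the check described above: the server DES-encrypts the sensitive value, sends the ciphertext alongside the plain value, and on return decrypts and compares. DES is used only because the post uses it; the same class also shows the check done with an HMAC (HmacSHA256), which is what a current implementation would use, since a block cipher in ECB mode gives no integrity guarantee on its own. The ":" separator between tag and value, the key material and the account-id value are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Server-side tamper check for a sensitive request parameter (added example). */
public class TamperCheck {
    private static final String DES_TRANSFORM = "DES/ECB/PKCS5Padding";
    // Assumed parameter layout: "<base64 tag>:<plain value>". Base64 never contains ':',
    // so the first ':' always separates the two parts.
    private static final String SEP = ":";

    private final SecretKey desKey;
    private final SecretKeySpec hmacKey;

    // Keys are assumed to come from server-side configuration; the demo values in main() are constructed.
    public TamperCheck(byte[] desKeyBytes, byte[] hmacKeyBytes) throws Exception {
        this.desKey = SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(desKeyBytes));
        this.hmacKey = new SecretKeySpec(hmacKeyBytes, "HmacSHA256");
    }

    /** The post's scheme: DES-encrypt the value and send ciphertext and value together. */
    public String protectWithDes(String value) throws Exception {
        Cipher c = Cipher.getInstance(DES_TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, desKey);
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct) + SEP + value;
    }

    /** Decrypts the tag and compares it with the plain value; returns the value, or null if tampered. */
    public String verifyWithDes(String param) {
        int i = param.indexOf(SEP);
        if (i < 0) return null;
        try {
            Cipher c = Cipher.getInstance(DES_TRANSFORM);
            c.init(Cipher.DECRYPT_MODE, desKey);
            byte[] decrypted = c.doFinal(Base64.getDecoder().decode(param.substring(0, i)));
            String claimed = param.substring(i + 1);
            // Constant-time comparison; any mismatch means the client changed one of the parts.
            return MessageDigest.isEqual(decrypted, claimed.getBytes(StandardCharsets.UTF_8)) ? claimed : null;
        } catch (Exception e) {
            return null; // malformed base64, bad padding or wrong key all count as tampered
        }
    }

    /** Same idea with a keyed MAC: the tag authenticates the value without encrypting it. */
    public String protectWithHmac(String value) throws Exception {
        return Base64.getEncoder().encodeToString(tag(value)) + SEP + value;
    }

    public String verifyWithHmac(String param) {
        int i = param.indexOf(SEP);
        if (i < 0) return null;
        try {
            byte[] given = Base64.getDecoder().decode(param.substring(0, i));
            String value = param.substring(i + 1);
            return MessageDigest.isEqual(given, tag(value)) ? value : null;
        } catch (Exception e) {
            return null;
        }
    }

    private byte[] tag(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(hmacKey);
        return mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys: DES needs exactly 8 bytes; the HMAC key is arbitrary length.
        TamperCheck tc = new TamperCheck("8bytekey".getBytes(StandardCharsets.UTF_8),
                                         "demo-hmac-key-not-for-production".getBytes(StandardCharsets.UTF_8));
        String issued = tc.protectWithDes("5");
        System.out.println("issued   aId=" + issued + " -> " + tc.verifyWithDes(issued));
        // The client keeps the server's tag but edits the visible value.
        String tampered = issued.substring(0, issued.indexOf(SEP) + 1) + "7";
        System.out.println("tampered aId=" + tampered + " -> " + tc.verifyWithDes(tampered));
        String hmacIssued = tc.protectWithHmac("5");
        System.out.println("hmac     aId=" + hmacIssued + " -> " + tc.verifyWithHmac(hmacIssued));
    }
}
```

Either check only proves that the server issued this value for some request; it does not establish that the current user is allowed to act on account 5. The permission check the post mentions first therefore still has to run on the server; the tag is a cheap way to reject edited requests before that check, not a replacement for it.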

Thursday, October 06, 2005

Securing the application with SecurityFilter

Enterprise-level business applications need rigorous security regulations with varying roles; each role also requires its own set of access control lists. These roles become more important in Web-based applications, which are accessible to a wider audience. In most cases, application security must control access to each attribute that's visible on the screen.

When access to web applications needs to be restricted to certain users and groups, Tomcat provides its realm implementations. A realm groups a collection of web resources together and puts a protection mechanism around them that requires users who wish to access them to authenticate themselves, and for Tomcat to check their authorization. However, Tomcat does not do enough for real applications. Here comes SecurityFilter, which is built on top of Tomcat.

SecurityFilter is a Java Servlet Filter that mimics container managed security. It provides robust security and automatic authentication services for web applications.
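To show what "a Servlet Filter that mimics container managed security" means in practice, here is an added example of a minimal role-based filter. It is not SecurityFilter's own code: it assumes a login handler has already stored the user name and role set in the session under the attributes "user" and "roles", protects URL prefixes from a hard-coded map, and exposes the identity through the standard request API so downstream servlets can call isUserInRole() as they would under container security.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Minimal role-based access filter (added example; not SecurityFilter's own code). */
public class RoleFilter implements Filter {
    // Assumed constraints: URL prefix -> required role. A real deployment would read these from config.
    private final Map<String, String> constraints = new LinkedHashMap<>();
    private final String loginPage = "/login.jsp"; // assumed location of the login form

    @Override
    public void init(FilterConfig cfg) {
        constraints.put("/admin/", "admin");
        constraints.put("/accounts/", "customer");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        String requiredRole = requiredRole(path);
        if (requiredRole == null) {          // resource is not under any constraint
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        @SuppressWarnings("unchecked")
        Set<String> roles = session == null ? null : (Set<String>) session.getAttribute("roles");

        if (user == null) {                  // not authenticated: remember the target and send to login
            request.getSession(true).setAttribute("returnTo", request.getRequestURI());
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        if (roles == null || !roles.contains(requiredRole)) {   // authenticated but not authorized
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new AuthenticatedRequest(request, user, roles), res);
    }

    /** First matching prefix wins; entries are checked in insertion order. */
    private String requiredRole(String path) {
        for (Map.Entry<String, String> e : constraints.entrySet()) {
            if (path.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    @Override
    public void destroy() { }

    /** Presents the session identity through the servlet API, as the container would. */
    private static class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles;

        AuthenticatedRequest(HttpServletRequest r, String user, Set<String> roles) {
            super(r);
            this.user = user;
            this.roles = roles;
        }
        @Override public String getRemoteUser() { return user; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public Principal getUserPrincipal() { return () -> user; }
    }
}
```

Map the filter to "/*" in web.xml so every request passes through it; a filter mapped only to the protected paths silently leaves any new path unprotected. Note that the filter decides at the URL level only; the per-attribute access control the section opens with still has to be enforced in the page or action that renders each field.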

Wednesday, October 05, 2005

Unit Testing with JUnit

JUnit provides the following features:

It provides an API that allows us to create a repeatable unit test with a clear pass/fail result.

It includes tools for running our tests and presenting the results.

It allows multiple tests to be grouped together to run in a batch.

It is very lightweight and simple to use. It takes little time to learn how it works.

It is extensible. It's the de facto unit testing framework for Java. There is a large community of developers using it. Many free extensions are available to help us use it in specific situations. Plus, countless articles and books on the subject are available.
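An added example of the features listed above (written for this page, not taken from the JUnit project): a fixture created fresh for each test so runs are repeatable, plain pass/fail assertions, an expected-exception test, and a main() that runs the class as a batch through JUnitCore. The class under test, AccountIdValidator, is constructed for the example; it checks that a request parameter is a plain numeric id before it is used.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.JUnitCore;
import org.junit.runner.Result;

/** Class under test (constructed for the example): accepts only short, all-digit ids. */
class AccountIdValidator {
    boolean isValid(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 9) return false;
        for (char ch : raw.toCharArray()) {
            if (ch < '0' || ch > '9') return false;
        }
        return true;
    }

    int parse(String raw) {
        if (!isValid(raw)) throw new IllegalArgumentException("bad account id");
        return Integer.parseInt(raw);
    }
}

public class AccountIdValidatorTest {
    private AccountIdValidator validator;

    @Before
    public void setUp() {
        validator = new AccountIdValidator();   // new fixture per test: no state leaks between tests
    }

    @Test
    public void acceptsPlainDigits() {
        assertTrue(validator.isValid("5"));
        assertEquals(5, validator.parse("5"));
    }

    @Test
    public void rejectsAnythingButDigits() {
        assertFalse(validator.isValid("-1"));
        assertFalse(validator.isValid("5 "));
        assertFalse(validator.isValid("x5"));
        assertFalse(validator.isValid(""));
        assertFalse(validator.isValid(null));
    }

    @Test(expected = IllegalArgumentException.class)
    public void parseFailsLoudlyOnBadInput() {
        validator.parse("5a");
    }

    /** Batch run from the command line; an IDE or build tool would normally do this. */
    public static void main(String[] args) {
        Result r = JUnitCore.runClasses(AccountIdValidatorTest.class);
        System.out.println(r.getRunCount() + " run, " + r.getFailureCount()
                + " failed, success=" + r.wasSuccessful());
    }
}
```

This uses the JUnit 4 annotation style (org.junit.Test); the JUnit 3 style current when the post was written expresses the same tests as public testXxx() methods on a TestCase subclass.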

Page Decorate with SiteMesh

SiteMesh is a web-page layout and decoration framework and web application integration framework to aid in creating large sites consisting of many pages for which a consistent look/feel, navigation and layout scheme is required.

SiteMesh intercepts requests to any static or dynamically generated HTML page requested through the web-server, parses the page, obtains properties and data from the content and generates an appropriate final page with modifications to the original. This is based upon the well-known GangOfFour Decorator design pattern.

SiteMesh can also include entire HTML pages as a Panel within another page. This is similar to a Server-Side Include, except that the HTML document will be modified to create a visual window (using the document's Meta-data as an aid) within a page. Using this feature, Portal type web sites can be built very quickly and effectively. This is based upon the well-known GangOfFour Composite design pattern.

SiteMesh is built using Java 2 with Servlet, JSP and XML technologies. This makes it ideal for use with J2EE applications, however it can be integrated with server-side web architectures that are not Java based such as CGI (Perl/Python/C/C++/etc), PHP, Cold Fusion, etc...

SiteMesh is very extensible and is designed in a way in which it is easy to extend for custom needs.

http://www.opensymphony.com/sitemesh/

Web Application Framework Compare

Apache Struts framework

Pros:
The “Standard” - lots of Struts jobs
Lots of information and examples
HTML tag library is one of the best
Cons:
ActionForms - they’re a pain
Can’t unit test - StrutsTestCase only does integration
Project has been rumored as “dead”

Spring MVC

Pros:
Lifecycle for overriding binding, validation, etc.
Integrates with many view options seamlessly: JSP/JSTL, Tiles, Velocity, FreeMarker, Excel, XSL, PDF
Inversion of Control makes it easy to test
Cons:
Configuration intensive - lots of XML
Requires writing lots of code in JSPs
Almost too flexible - no common parent Controller

WebWork

Pros:
Simple architecture - easy to extend
Tag Library is easy to customize - backed by Velocity
Interceptors are pretty slick
Cons:
Small Community
Documentation only recently written, few examples
Client-side validation immature

Java Server Faces

Pros:
J2EE Standard - lots of demand and jobs
Fast and easy to develop with
Rich Navigation framework
Cons:
Tag soup for JSPs
Immature technology - doesn’t come with everything
No single source for implementation

Why use Hibernate?

One of the most complicated and time-consuming tasks of developing an enterprise application is writing the code to store and load data from a database at the appropriate times. Hibernate is the right tool to remedy this.

Hibernate is a powerful, ultra-high performance object/relational persistence and query service for Java. Hibernate lets you develop persistent classes following common Java idiom - including association, inheritance, polymorphism, composition, and the Java collections framework. Hibernate allows you to express queries in its own portable SQL extension (HQL), as well as in native SQL, or with Java-based Criteria and Example objects.

Hibernate lets us map an object model to a relational schema, keeping the object model and database schema in sync. It also makes it easy to persist and retrieve objects from the database.

www.hibernate.org