PopupMenu in JavaFX 2

Creating Popup Menus

To create a popup menu in JavaFX you can use the ContextMenu class. You add MenuItems to it and can also create visual separators using SeparatorMenuItem. In the example below I've opted to subclass ContextMenu and add the MenuItems in its constructor.

    public class AnimationPopupMenu extends ContextMenu {
        public AnimationPopupMenu() {
            (...)
            getItems().addAll(
                MenuItemBuilder.create()
                    .text(ADD_PARTICLE)
                    .graphic(createIcon(...))
                    .onAction(new EventHandler<ActionEvent>() {
                        @Override
                        public void handle(ActionEvent actionEvent) {
                            // some code that gets called when the user clicks the menu item
                        }
                    })
                    .build(),
                (...)
                SeparatorMenuItemBuilder.create().build(),
                MenuItemBuilder.create()
                    .text(ADD_DISTANCE_MEASURER)
                    .onAction(new EventHandler<ActionEvent>() {
                        @Override
                        public void handle(ActionEvent actionEvent) {
                            // some code that gets called when the user clicks the menu item
                        }
                    })
                    .graphic(createIcon(...))
                    .build(),
                (...)
            );
        }
    }

Line 5 (getItems().addAll(...)): I get the collection of children of the ContextMenu and call addAll to add the MenuItems;
Line 6 (MenuItemBuilder.create()): uses the MenuItem builder to create a MenuItem;
Line 7 (.text(ADD_PARTICLE)): passes in the text of the menu item. The variable ADD_PARTICLE is equal to "Add Particle";
Line 8 (.graphic(createIcon(...))): calls graphic, which receives the menu item icon returned by createIcon:

    ImageView createIcon(URL iconURL) {
        return ImageViewBuilder.create()
            .image(new Image(iconURL.toString()))
            .build();
    }

Line 9 (.onAction(...)): onAction receives the event handler which will be called when the user clicks the menu item;
Line 15 (.build()): finally the MenuItem gets created by executing build() on the MenuItemBuilder;
Line 18 (SeparatorMenuItemBuilder.create().build()): creates the separator which you can see in the figure at the start of this post. It's the dotted line between "Add Origin" and "Add Distance Measurer".
The other lines of code just repeat the same process to create the rest of the menu items.

Using JavaFX Popup Menus inside JFXPanel

If you're embedding a JavaFX scene in a Swing app you'll have to do some extra steps manually; if you don't, there won't be hover animations on the popup menu and it won't get dismissed automatically when the user clicks outside of it. There is a fix targeted at JavaFX 3.0 for this: http://javafx-jira.kenai.com/browse/RT-14899

First you'll have to request the focus on the JavaFX container so that the popup gets hover animations and gets dismissed when you click outside your app window. In my case I pass a reference to the JavaFX Swing container in the constructor of the popup menu, then I've overridden the show method of ContextMenu so as to request the focus on the Swing container before actually showing the popup:

    public void show(Node anchor, MouseEvent event) {
        wrapper.requestFocusInWindow();
        super.show(anchor, event.getScreenX(), event.getScreenY());
    }

And lastly you'll also have to dismiss the popup when the user clicks inside the JavaFX scene but outside of the popup, by calling hide().

I almost forgot... thanks to Martin Sladecek (Oracle JavaFX team) for giving me some pointers.

Reference: PopupMenu in JavaFX 2 from our JCG partner Pedro Duque Vieira at the Pixel Duke blog.
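The two extra steps for a JFXPanel-hosted scene (request focus on the Swing container before showing, and hide() on a click in the scene outside the popup), put together in one runnable class. This is an added example and not code from the original post; the class name EmbeddedPopupMenu, the attachTo method and the menu actions are my own, and the popup is opened on a secondary-button click, which the post does not specify.

```java
import javafx.application.Platform;
import javafx.embed.swing.JFXPanel;
import javafx.event.ActionEvent;
import javafx.event.EventHandler;
import javafx.scene.Group;
import javafx.scene.Node;
import javafx.scene.Scene;
import javafx.scene.control.ContextMenu;
import javafx.scene.control.MenuItem;
import javafx.scene.control.SeparatorMenuItem;
import javafx.scene.input.MouseButton;
import javafx.scene.input.MouseEvent;
import javafx.scene.paint.Color;
import javafx.scene.shape.Rectangle;

import javax.swing.JFrame;
import javax.swing.SwingUtilities;

// Added example (not from the post): a ContextMenu that cooperates with a Swing JFXPanel.
public class EmbeddedPopupMenu extends ContextMenu {

    // The Swing component hosting the JavaFX scene (the post calls this "wrapper").
    private final JFXPanel wrapper;

    public EmbeddedPopupMenu(JFXPanel wrapper) {
        this.wrapper = wrapper;
        MenuItem addParticle = new MenuItem("Add Particle");
        addParticle.setOnAction(new EventHandler<ActionEvent>() {
            @Override public void handle(ActionEvent e) { System.out.println("add particle"); }
        });
        MenuItem addMeasurer = new MenuItem("Add Distance Measurer");
        addMeasurer.setOnAction(new EventHandler<ActionEvent>() {
            @Override public void handle(ActionEvent e) { System.out.println("add distance measurer"); }
        });
        getItems().addAll(addParticle, new SeparatorMenuItem(), addMeasurer);
    }

    // Same overload as in the post: focus the Swing container first so the popup gets
    // hover animations and is dismissed when the user clicks outside the app window.
    public void show(Node anchor, MouseEvent event) {
        wrapper.requestFocusInWindow();
        super.show(anchor, event.getScreenX(), event.getScreenY());
    }

    // Second step from the post: a click inside the scene but outside the popup hides it.
    // A secondary-button click opens the popup at the mouse position (my choice, not the post's).
    public void attachTo(Scene scene, final Node anchor) {
        scene.addEventFilter(MouseEvent.MOUSE_PRESSED, new EventHandler<MouseEvent>() {
            @Override public void handle(MouseEvent e) {
                if (e.getButton() == MouseButton.SECONDARY) {
                    show(anchor, e);
                } else if (isShowing()) {
                    hide();
                }
            }
        });
    }

    public static void main(String[] args) {
        SwingUtilities.invokeLater(new Runnable() {
            @Override public void run() {
                JFrame frame = new JFrame("JavaFX popup inside Swing");
                final JFXPanel panel = new JFXPanel(); // also initialises the JavaFX toolkit
                frame.add(panel);
                frame.setSize(400, 300);
                frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
                frame.setVisible(true);
                Platform.runLater(new Runnable() {
                    @Override public void run() {
                        Rectangle canvas = new Rectangle(400, 300, Color.WHITE);
                        Scene scene = new Scene(new Group(canvas));
                        EmbeddedPopupMenu menu = new EmbeddedPopupMenu(panel);
                        menu.attachTo(scene, canvas);
                        panel.setScene(scene);
                    }
                });
            }
        });
    }
}
```

The scene-level event filter sees presses inside the JavaFX scene only; a press on the popup itself lands in the popup's own window and does not reach the filter, which is why the hide() call does not interfere with selecting a menu item.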

OAuth with Spring Security

From Wikipedia: OAuth (Open Authentication) is an open standard for authentication. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password.

There are a lot of posts talking about OAuth from the client side, for example how to connect to service providers like Twitter or Facebook, but there are fewer posts about OAuth from the server side, more specifically how to implement an authentication mechanism using OAuth for protecting resources rather than for accessing them (the client side part). In this post I will talk about how to protect your resources using Spring Security (Spring Security OAuth). The example will be simple enough to understand the basics of implementing an OAuth service provider. I have found this post that explains, with a simple example, what OAuth is and how it works. I think it is a good starting point with OAuth: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/

Now it is time to start writing our service provider. First of all I will explain what our Service Provider will offer. Imagine you are developing a website (called CV) where users will register and after that they will be able to upload their Curriculum Vitae. Now we are going to transform this website into a Service Provider where OAuth will be used for protecting resources (the Curriculum Vitae of registered users). Imagine again that some companies have agreed with the CV people that when they publish job vacancies, users will have the possibility of uploading their curriculum directly from the CV site to the HR department instead of sending it by email or copying and pasting it from a document. As you can see, this is where OAuth starts managing security between the CV website and the company's HR site. In summary, we have a Curriculum Vitae Service Provider (CV) with a protected resource (the document itself).
Companies that offer users the possibility of acquiring their Curriculum Vitae directly from CV are the Consumers. So when a user visits a company's job vacancies site (in our example called fooCompany) and wants to apply for a job, he only has to authorize the FooCompany "Job Vacancies" website with permission to download his Curriculum Vitae from the CV site.

Because we will use Spring Security for OAuth authentication, first of all we are going to configure Spring Security in the SpringMVC CV application. Nothing special here. In the web.xml file we define the security filter:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

And in root-context.xml we define the protected resources and the authentication manager. In this case the in-memory approach is used:

    <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="leonard" password="nimoy" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

Next step: create a Spring controller that returns the Curriculum Vitae of the logged-in user:

    @RequestMapping(value="/cvs", method=RequestMethod.GET)
    @ResponseBody
    public String loadCV() {
        StringBuilder cv = new StringBuilder();
        cv.append("Curriculum Vitae -- Name: ").append(getUserName()).append(" Experience: Java, Spring Security, ...");
        return cv.toString();
    }

    private String getUserName() {
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        String username;
        if (principal instanceof UserDetails) {
            username = ((UserDetails) principal).getUsername();
        } else {
            username = principal.toString();
        }
        return username;
    }

This controller returns a String directly instead of a ModelAndView object.
This String is sent directly as the HttpServletResponse body. Now we have a simple website that returns the Curriculum Vitae of the logged-in user. If you try to access the /cvs resource while not authenticated, Spring Security will show you a login page, and if you are already logged in, your job experience will be returned. It works like any other website that uses Spring Security.

The next step is modifying this project so that external sites can access the protected resources using the OAuth 2 authentication protocol. In root-context.xml:

    <beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
        <beans:property name="supportRefreshToken" value="true" />
    </beans:bean>
    <oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
        <oauth:verification-code user-approval-page="/oauth/confirm_access" />
    </oauth:provider>
    <oauth:client-details-service id="clientDetails">
        <oauth:client clientId="foo" authorizedGrantTypes="authorization_code" />
    </oauth:client-details-service>

The first bean is an implementation of the OAuth2ProviderTokenServices interface with id tokenServices. The OAuth2ProviderTokenServices interface defines the operations that are necessary to manage OAuth 2.0 tokens. These tokens must be stored so that subsequent access-token requests can reference them. For this example the in-memory store is enough.

The next bean is <oauth:provider>. This tag is used to configure the OAuth 2.0 provider mechanism, and in this case three parameters are configured: the first one is a reference to the bean that defines the client details service, explained in the next paragraph; the second one is the token service for providing tokens, explained in the previous paragraph; and the last one is the URL at which a request for an authorization token will be serviced.
This is the typical Authorize/Deny page where the service provider asks the user whether it permits the Consumer (in our case fooCompany) to access the protected resource (its Curriculum Vitae).

The last bean is <oauth:client-details-service>. In this tag you define which clients you authorize to access the protected resources after the previous authentication. In this case, because the CV company has agreed with foo company that they can connect to its Curriculum Vitae service, a client is defined with id foo.

Now we have our application configured with OAuth. The last step is creating a controller that takes requests at the /oauth/confirm_access URL:

    private ClientAuthenticationCache authenticationCache = new DefaultClientAuthenticationCache();
    private ClientDetailsService clientDetailsService;

    @RequestMapping(value="/oauth/confirm_access")
    public ModelAndView accessConfirmation(HttpServletRequest request, HttpServletResponse response) {
        ClientAuthenticationToken clientAuth = getAuthenticationCache().getAuthentication(request, response);
        if (clientAuth == null) {
            throw new IllegalStateException("No client authentication request to authorize.");
        }
        ClientDetails client = getClientDetailsService().loadClientByClientId(clientAuth.getClientId());
        TreeMap<String, Object> model = new TreeMap<String, Object>();
        model.put("auth_request", clientAuth);
        model.put("client", client);
        return new ModelAndView("access_confirmation", model);
    }

    // Accessors used above; clientDetailsService is assumed here to be injected by Spring
    private ClientAuthenticationCache getAuthenticationCache() {
        return authenticationCache;
    }

    private ClientDetailsService getClientDetailsService() {
        return clientDetailsService;
    }

This controller returns a ModelAndView object with the client information and the page that should be shown for granting permission to the protected resources. This JSP page is called access_confirmation.jsp and the most important part is:

    <div id="content">
    <% if (session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) != null
           && !(session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof UnapprovedClientAuthenticationException)) { %>
      <div class="error">
        <p>Access could not be granted.
        (<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)</p>
      </div>
    <% } %>
    <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/>
    <authz:authorize ifAllGranted="ROLE_USER">
      <h2>Please Confirm</h2>
      <p>You hereby authorize <c:out value="${client.clientId}"/> to access your protected resources.</p>
      <form id="confirmationForm" name="confirmationForm" action="<%=request.getContextPath() + VerificationCodeFilter.DEFAULT_PROCESSING_URL%>" method="post">
        <input name="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_REQUEST_PARAMETER%>" value="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_PARAMETER_VALUE%>" type="hidden"/>
        <label><input name="authorize" value="Authorize" type="submit"/></label>
      </form>
      <form id="denialForm" name="denialForm" action="<%=request.getContextPath() + VerificationCodeFilter.DEFAULT_PROCESSING_URL%>" method="post">
        <input name="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_REQUEST_PARAMETER%>" value="not_<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_PARAMETER_VALUE%>" type="hidden"/>
        <label><input name="deny" value="Deny" type="submit"/></label>
      </form>
    </authz:authorize>
    </div>

As you can see, Spring Security OAuth provides helper classes for creating the confirmation form and the deny form. When the result is submitted, the URL /cv/oauth/user/authorize (managed internally) is called; there OAuth decides whether or not to return the protected resource (the String returned by the loadCV() method) to the caller, depending on which option the user has chosen.

And that's all about creating an OAuth 2 system using Spring Security OAuth. But I suppose you are wondering how to test it, so for the same price I will explain how to write the client part (Consumer) using Spring Security OAuth too.

The client application (called fooCompany) is also a SpringMVC web application with Spring Security. The Spring Security part will be ignored here.
The client application contains a home page (home.jsp) that has a link to a Spring controller that will be responsible for downloading the Curriculum Vitae from the CV site and redirecting the content to a view (show.jsp):

    @RequestMapping(value="/cv")
    public ModelAndView getCV() {
        String cv = cvService.getCVContent();
        Map<String, String> params = new HashMap<String, String>();
        params.put("cv", cv);
        ModelAndView modelAndView = new ModelAndView("show", params);
        return modelAndView;
    }

As you can see, it is a simple controller that calls a Curriculum Vitae service. This service will be responsible for connecting to the CV website and downloading the required Curriculum Vitae. Of course it deals with the OAuth communication protocol too. The service looks like this:

    public String getCVContent() {
        byte[] content = getCvRestTemplate().getForObject(URI.create(cvURL), byte[].class);
        return new String(content);
    }

The suggested method for accessing those resources is REST. For this purpose Spring Security OAuth provides an extension of RestTemplate for dealing with the OAuth protocol. This class (OAuth2RestTemplate) manages the connection to the required resources and also manages tokens, the OAuth authorization protocol, etc. OAuth2RestTemplate is injected into CVService, and it is configured in root-context.xml:

    <oauth:client token-services-ref="oauth2TokenServices" />
    <beans:bean id="oauth2TokenServices" class="org.springframework.security.oauth2.consumer.token.InMemoryOAuth2ClientTokenServices" />
    <oauth:resource id="cv" type="authorization_code" clientId="foo"
                    accessTokenUri="http://localhost:8080/cv/oauth/authorize"
                    userAuthorizationUri="http://localhost:8080/cv/oauth/user/authorize" />
    <beans:bean id="cvService" class="org.springsource.oauth.CVServiceImpl">
        <beans:property name="cvURL" value="http://localhost:8080/cv/cvs"></beans:property>
        <beans:property name="cvRestTemplate">
            <beans:bean class="org.springframework.security.oauth2.consumer.OAuth2RestTemplate">
                <beans:constructor-arg ref="cv"/>
            </beans:bean>
        </beans:property>
        <beans:property name="tokenServices" ref="oauth2TokenServices"></beans:property>
    </beans:bean>

See that OAuth2RestTemplate is created using an OAuth resource that contains all the information about where to connect for authorizing access to the protected resource, in this case the CV website; note that we are referencing an external website, although in this example we are using localhost. The service provider URL (http://localhost:8080/cv/cvs) is also set, so the RestTemplate can establish a connection to the content provider and, in case the authorization process ends successfully, retrieve the requested information.

<oauth:resource> defines the OAuth resource: in this case the name of the client (remember that this value was configured on the server side in the client details tag for granting access through the OAuth protocol). userAuthorizationUri is also defined. This is the URI to which the user will be redirected if the user is ever needed to authorize access to the resource (this is an internal URI managed by Spring Security OAuth).
And finally accessTokenUri, the OAuth provider endpoint URI that provides the access token (an internal URI too). So creating a consumer using Spring Security OAuth is simple enough as well.

Now I will explain the sequence of events that happens when a user wants to give foo company access to retrieve his Curriculum Vitae. First of all the user connects to the foo website and clicks on the "post curriculum vitae" link. Then the getCV method of the controller is called. This method calls cvService, which in turn creates a connection to the resource URI (CV) using OAuth2RestTemplate. This class acts as a black box: from the client side you don't know exactly what it will do, but it returns your Curriculum Vitae stored on the CV website. As you can imagine, this class manages the whole workflow related to OAuth, like managing tokens, executing the required URL redirections to get permissions, etc., and if all steps are performed successfully, the Curriculum Vitae stored on the CV site will be sent to the foo company site.

And those are all the steps required to allow your site to act as a Service Provider using the OAuth2 authorization protocol. Thanks to the Spring Security folks, it is much easier than you may think at first. Hope you find it useful.

Download ServerSide (CV)
Download ClientSide (fooCompany)

Reference: OAuth with Spring Security from our JCG partner Alex Soto at the One Jar To Rule Them All blog.
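To make the black box concrete, here is the authorization-code exchange between the CV provider and the fooCompany consumer written out as a self-contained in-memory model, with both sides' messages and the checks the provider makes before handing out a token (the code is single-use, bound to the client it was issued to, and short-lived). This is an added example and not code from the original post or from Spring Security OAuth; the class names CvAuthorizationServer and FooCompanyClient, the method names issueCode, exchangeCode, readCv and fetchCv, and the sample CV record are my own constructions. Only the client id "foo" and the user "leonard" come from the configuration above.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example (not from the post): the authorization-code grant without the framework.
public class AuthorizationCodeDemo {

    /** Service provider side (the CV site): confirm_access page, token endpoint and /cvs. */
    static class CvAuthorizationServer {
        private static final long CODE_TTL_MILLIS = 60000L;          // codes expire quickly
        private final SecureRandom rng = new SecureRandom();
        private final Set<String> registeredClients = new HashSet<String>();
        private final Map<String, Object[]> pendingCodes = new HashMap<String, Object[]>(); // code -> {clientId, user, issuedAt}
        private final Map<String, String> accessTokens = new HashMap<String, String>();    // token -> user
        private final Map<String, String> cvStore = new HashMap<String, String>();         // constructed data

        CvAuthorizationServer() {
            registeredClients.add("foo");   // mirrors <oauth:client clientId="foo" .../>
            cvStore.put("leonard", "Curriculum Vitae -- Name: leonard Experience: Java, Spring Security, ...");
        }

        private String randomValue() { return new BigInteger(130, rng).toString(32); }

        /** What happens after the logged-in user presses Authorize (or Deny) on confirm_access. */
        String issueCode(String clientId, String user, boolean approved) {
            if (!approved || !registeredClients.contains(clientId)) return null;
            String code = randomValue();
            pendingCodes.put(code, new Object[] { clientId, user, System.currentTimeMillis() });
            return code;
        }

        /** Token endpoint: burn the code first so a replay (or a wrong-client attempt) can't reuse it. */
        String exchangeCode(String clientId, String code) {
            Object[] grant = pendingCodes.remove(code);
            if (grant == null) return null;                                   // unknown or already used
            if (!grant[0].equals(clientId)) return null;                      // issued to a different client
            if (System.currentTimeMillis() - (Long) grant[2] > CODE_TTL_MILLIS) return null; // expired
            String token = randomValue();
            accessTokens.put(token, (String) grant[1]);
            return token;
        }

        /** Protected resource (/cvs): the CV belongs to the user behind the token, never to a parameter. */
        String readCv(String bearerToken) {
            String user = accessTokens.get(bearerToken);
            return user == null ? null : cvStore.get(user);
        }
    }

    /** Consumer side (fooCompany): roughly what OAuth2RestTemplate does on the first call. */
    static class FooCompanyClient {
        private final String clientId;
        private String accessToken;

        FooCompanyClient(String clientId) { this.clientId = clientId; }

        String fetchCv(CvAuthorizationServer cv, String code) {
            if (accessToken == null) {
                accessToken = cv.exchangeCode(clientId, code);
                if (accessToken == null) throw new IllegalStateException("authorization failed");
            }
            return cv.readCv(accessToken);
        }
    }

    public static void main(String[] args) {
        CvAuthorizationServer cv = new CvAuthorizationServer();
        FooCompanyClient foo = new FooCompanyClient("foo");

        // 1. leonard approves foo on confirm_access; the provider issues a code
        String code = cv.issueCode("foo", "leonard", true);
        // 2. foo exchanges the code for a token and reads the protected resource
        System.out.println(foo.fetchCv(cv, code));
        // 3. the same code cannot be exchanged twice
        System.out.println("replay rejected: " + (cv.exchangeCode("foo", code) == null));
        // 4. a code issued to foo cannot be exchanged by another client
        String code2 = cv.issueCode("foo", "leonard", true);
        System.out.println("wrong client rejected: " + (cv.exchangeCode("bar", code2) == null));
        // 5. pressing Deny yields no code at all
        System.out.println("denied yields no code: " + (cv.issueCode("foo", "leonard", false) == null));
    }
}
```

The point to carry over to the Spring configuration is the third check: the provider decides who the resource owner is from the token it issued, which is why loadCV() above reads the principal from the security context rather than from anything the consumer sends.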

Java 7: A complete invokedynamic example

Another blog entry in my current Java 7 series. This time it's dealing with invokedynamic, a new bytecode instruction on the JVM for method invocation. The invokedynamic instruction allows dynamic linkage between a call site and the receiver of the call. That means you can link the class that is performing a method call to the class (and method) that is receiving the call at run-time. All the other JVM bytecode instructions for method invocation, like invokevirtual, hard-wire the target type information into your compilation, i.e. into your class file. Let's look at an example.

    Constant pool:
       #1 = Class              #2             //  com/schlimm/bytecode/examples/BytecodeExamples
      ...
      #42 = Class              #43            //  java/lang/String
      ...
      #65 = Methodref          #42.#66        //  java/lang/String.length:()I
      #66 = NameAndType        #67:#68        //  length:()I
      #67 = Utf8               length
      #68 = Utf8               ()I
      ...
    {
      ...
      public void virtualMethodCall();
        flags: ACC_PUBLIC
        Code:
          stack=1, locals=1, args_size=1
             0: ldc           #44                 // String Hello
             2: invokevirtual #65                 // Method java/lang/String.length:()I
             5: pop
             6: return
          LineNumberTable:
            line 31: 0
            line 32: 6
          LocalVariableTable:
            Start  Length  Slot  Name   Signature
                0       7     0  this   Lcom/schlimm/bytecode/examples/BytecodeExamples;
    }

The bytecode snippet above shows an invokevirtual method call of java.lang.String -> length() (the instruction at offset 2). It refers to item 65 in the constant pool table, which is a Methodref entry. Items 42 and 66 in the constant pool table refer to the class and the method descriptor entries. As you can see, the target type and method of the invokevirtual call are completely resolved and hard-wired into the bytecode.

Now, let's return to invokedynamic! It is important to notice that it is not possible to compile Java code into bytecode that contains an invokedynamic instruction. Java is statically typed. That means that Java performs type checking at compile time. Therefore, in Java, it is possible (and wanted!) to hard-wire all type information of method call receivers into the caller's class file.
The caller knows the type name of the call target, as demonstrated in our example above. The use of invokedynamic, on the other hand, enables the JVM to resolve exactly that type information at run-time. This is only required (and wanted!) for dynamic languages, such as JRuby or Rhino.

Now, suppose you want to implement a new language on the JVM that is dynamically typed. I am not suggesting you should invent *another* language on the JVM, but *suppose* you would, and *suppose* your new language should be dynamically typed. That would mean that, in your new language, the linking between a caller and a receiver of a method call is performed at run-time. Since Java 7 this is possible at the bytecode level using the invokedynamic instruction.

Because I cannot create an invokedynamic instruction using a Java compiler, I will create a class file that contains invokedynamic myself. Once this class file is created I will run that class file's main method using an ordinary java launcher. How can you create a class file without a compiler? This is possible by using bytecode manipulation frameworks like ASM or Javassist. The following code snippet shows the SimpleDynamicInvokerGenerator that can generate a class file SimpleDynamicInvoker.class which contains an invokedynamic instruction.
    import java.io.File;
    import java.io.FileOutputStream;
    import java.lang.invoke.CallSite;
    import java.lang.invoke.MethodHandles;
    import java.lang.invoke.MethodType;

    import org.objectweb.asm.ClassWriter;
    import org.objectweb.asm.Handle;
    import org.objectweb.asm.MethodVisitor;
    import org.objectweb.asm.Opcodes;

    public abstract class AbstractDynamicInvokerGenerator implements Opcodes {

        public byte[] dump(String dynamicInvokerClassName, String dynamicLinkageClassName,
                           String bootstrapMethodName, String targetMethodDescriptor) throws Exception {
            ClassWriter cw = new ClassWriter(0);
            MethodVisitor mv;

            cw.visit(V1_7, ACC_PUBLIC + ACC_SUPER, dynamicInvokerClassName, null, "java/lang/Object", null);

            // default constructor: calls java.lang.Object.<init>()
            {
                mv = cw.visitMethod(ACC_PUBLIC, "<init>", "()V", null, null);
                mv.visitCode();
                mv.visitVarInsn(ALOAD, 0);
                mv.visitMethodInsn(INVOKESPECIAL, "java/lang/Object", "<init>", "()V");
                mv.visitInsn(RETURN);
                mv.visitMaxs(1, 1);
                mv.visitEnd();
            }
            // public static void main(String[]) containing the invokedynamic instruction
            {
                mv = cw.visitMethod(ACC_PUBLIC + ACC_STATIC, "main", "([Ljava/lang/String;)V", null, null);
                mv.visitCode();
                // descriptor every bootstrap method must have: (Lookup, String, MethodType) -> CallSite
                MethodType mt = MethodType.methodType(CallSite.class, MethodHandles.Lookup.class, String.class, MethodType.class);
                Handle bootstrap = new Handle(Opcodes.H_INVOKESTATIC, dynamicLinkageClassName, bootstrapMethodName, mt.toMethodDescriptorString());
                int maxStackSize = addMethodParameters(mv);
                mv.visitInvokeDynamicInsn("runCalculation", targetMethodDescriptor, bootstrap);
                mv.visitInsn(RETURN);
                mv.visitMaxs(maxStackSize, 1);
                mv.visitEnd();
            }
            cw.visitEnd();

            return cw.toByteArray();
        }

        /** Pushes the arguments of the dynamic call and returns the stack size they need. */
        protected abstract int addMethodParameters(MethodVisitor mv);
    }

    public class SimpleDynamicInvokerGenerator extends AbstractDynamicInvokerGenerator {

        @Override
        protected int addMethodParameters(MethodVisitor mv) {
            return 0; // runCalculation takes no arguments
        }

        public static void main(String[] args) throws Exception {
            String dynamicInvokerClassName = "com/schlimm/bytecode/SimpleDynamicInvoker";
            FileOutputStream fos = new FileOutputStream(new File("target/classes/" + dynamicInvokerClassName + ".class"));
            try {
                fos.write(new SimpleDynamicInvokerGenerator().dump(dynamicInvokerClassName,
                        "com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample",
                        "bootstrapDynamic", "()V"));
            } finally {
                fos.close();
            }
        }
    }

I am using ASM here, an all-purpose Java bytecode manipulation and analysis framework, to do the job of creating a correct class file format. The call to visitInvokeDynamicInsn creates the invokedynamic instruction.

Generating a class that does an invokedynamic call is only half of the story. You also need some code that links the dynamic call site to the actual target; this is the real purpose of invokedynamic. Here is an example.

    import java.lang.invoke.CallSite;
    import java.lang.invoke.ConstantCallSite;
    import java.lang.invoke.MethodHandle;
    import java.lang.invoke.MethodHandles;
    import java.lang.invoke.MethodType;

    public class SimpleDynamicLinkageExample {

        private static MethodHandle sayHello;

        private static void sayHello() {
            System.out.println("There we go!");
        }

        public static CallSite bootstrapDynamic(MethodHandles.Lookup caller, String name, MethodType type)
                throws NoSuchMethodException, IllegalAccessException {
            MethodHandles.Lookup lookup = MethodHandles.lookup();
            Class<?> thisClass = lookup.lookupClass(); // (who am I?)
            sayHello = lookup.findStatic(thisClass, "sayHello", MethodType.methodType(void.class));
            return new ConstantCallSite(sayHello.asType(type));
        }
    }

The bootstrap method bootstrapDynamic selects the actual target of the dynamic call. In our case the target is the sayHello() method. To learn how the bootstrap method is linked to the invokedynamic instruction we need to dive into the bytecode of SimpleDynamicInvoker that we've generated with SimpleDynamicInvokerGenerator.
    E:\dev_home\repositories\git\playground\bytecode-playground\target\classes\com\schlimm\bytecode>javap -c -verbose SimpleDynamicInvoker.class
    Classfile /E:/dev_home/repositories/git/playground/bytecode-playground/target/classes/com/schlimm/bytecode/SimpleDynamicInvoker.class
      Last modified 30.01.2012; size 512 bytes
      MD5 checksum 401a0604146e2e95f9563e7d9f9d861b
    public class com.schlimm.bytecode.SimpleDynamicInvoker
      BootstrapMethods:
        0: #17 invokestatic com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
          Method arguments:
      minor version: 0
      major version: 51
      flags: ACC_PUBLIC, ACC_SUPER
    Constant pool:
       #1 = Utf8               com/schlimm/bytecode/SimpleDynamicInvoker
       #2 = Class              #1             //  com/schlimm/bytecode/SimpleDynamicInvoker
       #3 = Utf8               java/lang/Object
       #4 = Class              #3             //  java/lang/Object
       #5 = Utf8               <init>
       #6 = Utf8               ()V
       #7 = NameAndType        #5:#6          //  "<init>":()V
       #8 = Methodref          #4.#7          //  java/lang/Object."<init>":()V
       #9 = Utf8               main
      #10 = Utf8               ([Ljava/lang/String;)V
      #11 = Utf8               com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample
      #12 = Class              #11            //  com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample
      #13 = Utf8               bootstrapDynamic
      #14 = Utf8               (Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #15 = NameAndType        #13:#14        //  bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #16 = Methodref          #12.#15        //  com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #17 = MethodHandle       #6:#16         //  invokestatic com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #18 = Utf8               runCalculation
      #19 = NameAndType        #18:#6         //  runCalculation:()V
      #20 = InvokeDynamic      #0:#19         //  #0:runCalculation:()V
      #21 = Utf8               Code
      #22 = Utf8               BootstrapMethods
    {
      public com.schlimm.bytecode.SimpleDynamicInvoker();
        flags: ACC_PUBLIC
        Code:
          stack=1, locals=1, args_size=1
             0: aload_0
             1: invokespecial #8                  // Method java/lang/Object."<init>":()V
             4: return

      public static void main(java.lang.String[]);
        flags: ACC_PUBLIC, ACC_STATIC
        Code:
          stack=0, locals=1, args_size=1
             0: invokedynamic #20,  0             // InvokeDynamic #0:runCalculation:()V
             5: return
    }

In the main method you can see the invokedynamic instruction (at offset 0). The logical name of the dynamic method is runCalculation; this is a fictitious name. You can use any name that makes sense, and names like "+" are allowed too. The instruction refers to item 20 in the constant pool table, the InvokeDynamic entry. This in turn refers to index 0 in the BootstrapMethods attribute at the top of the listing. There you can see the link to the SimpleDynamicLinkageExample.bootstrapDynamic method that links the invokedynamic instruction to the call target. Now if you call the SimpleDynamicInvoker using the java launcher, the invokedynamic call is executed.

The following sequence diagram illustrates what's happening when the SimpleDynamicInvoker is called using the java launcher. The first call of runCalculation using invokedynamic issues a call to the bootstrapDynamic method. This method does the dynamic linkage between the calling class (SimpleDynamicInvoker) and the receiving class (SimpleDynamicLinkageExample). The bootstrap method returns a CallSite whose MethodHandle targets the receiving class. This method handle is cached for repeated invocations of the runCalculation method: the bootstrap method runs only once per call site. That's all in terms of invokedynamic.
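The bootstrap method is the place where a language run-time decides what a logical name such as runCalculation or "+" actually binds to, and the JVM hands it the caller's Lookup, the name and the call site's MethodType for exactly that purpose. The following class, an added example that is not from the original post, shows a bootstrap that dispatches on the name, refuses names it does not know, and lets the MethodType check catch a descriptor mismatch; it drives the bootstrap from plain Java by calling it directly and invoking the resulting CallSite, which is what the JVM does on the first execution of the invokedynamic instruction, so no class generation is needed to try it. The names ArithmeticLinkage, bootstrapArith, add, sub and link are my own.

```java
import java.lang.invoke.CallSite;
import java.lang.invoke.ConstantCallSite;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

// Added example (not from the post): name-based linkage in a bootstrap method.
public class ArithmeticLinkage {

    static int add(int a, int b) { return a + b; }
    static int sub(int a, int b) { return a - b; }

    // Bootstrap signature every invokedynamic site uses: (Lookup, String, MethodType) -> CallSite.
    public static CallSite bootstrapArith(MethodHandles.Lookup caller, String name, MethodType type)
            throws NoSuchMethodException, IllegalAccessException {
        String target;
        if ("+".equals(name)) {
            target = "add";
        } else if ("-".equals(name)) {
            target = "sub";
        } else {
            // A fixed table, not a reflective lookup of whatever name arrives: unknown
            // names fail here, and the JVM surfaces that as a BootstrapMethodError.
            throw new NoSuchMethodException("no target for call-site name " + name);
        }
        MethodHandles.Lookup lookup = MethodHandles.lookup();
        MethodHandle mh = lookup.findStatic(ArithmeticLinkage.class, target,
                MethodType.methodType(int.class, int.class, int.class));
        // asType() throws WrongMethodTypeException if the site's descriptor can't be adapted
        // to the target, so a bad descriptor is rejected at link time, not at call time.
        return new ConstantCallSite(mh.asType(type));
    }

    /** Does by hand what the JVM does for one call site: bootstrap once, then call through the handle. */
    static int link(String name, int a, int b) throws Throwable {
        MethodType siteType = MethodType.methodType(int.class, int.class, int.class);
        CallSite site = bootstrapArith(MethodHandles.lookup(), name, siteType);
        MethodHandle invoker = site.dynamicInvoker();   // what later invocations reuse
        return (int) invoker.invokeExact(a, b);
    }

    public static void main(String[] args) throws Throwable {
        System.out.println(link("+", 2, 3));   // 5
        System.out.println(link("-", 2, 3));   // -1
        try {
            link("*", 2, 3);
        } catch (NoSuchMethodException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Because the result is a ConstantCallSite, the target chosen by bootstrapArith is fixed for the lifetime of that call site; a run-time that needs to re-link later (for example when a receiver's class changes) would return a MutableCallSite instead and call setTarget on it.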
I have some more sophisticated examples published here in my Git repo. I hope you've enjoyed reading this, in times of shortage! Cheers, Niklas

Reference: "Java 7: A complete invokedynamic example" from our JCG partner Niklas.

http://docs.oracle.com/javase/7/docs/technotes/guides/vm/multiple-language-support.html
http://asm.ow2.org/
http://java.sun.com/developer/technicalArticles/DynTypeLang/
http://asm.ow2.org/doc/tutorial-asm-2.0.html
http://weblogs.java.net/blog/forax/archive/2011/01/07/calling-invokedynamic-java
http://nerds-central.blogspot.com/2011/05/performing-dynamicinvoke-from-java-step.html

Simple Security Rules

Wow! Citi really messed up their online security. They included account information as part of the URL. You could alter the URL and access someone else's account information. Yikes-o-rama, that's a bad design. I've seen a fair number of bad security designs in my time, and I've come up with a list of simple security rules:

Security by obscurity never works. Assume the attacker has your source code. If you are doing some super cool obscuring of the data (like storing the account number in the URL in some obscured manner, as the Citi folks apparently did), someone can and will break your algorithm and breach your system.

If any part of a system can read data, all parts of the system can. For example, if you're writing an iOS app and are encrypting the data in the local database, the fact that you can decrypt it to use it in your app means that someone else can also decrypt it. A corollary to the above is that once data escapes your server, the bad guys can get the data, so let as little of the data out as possible.

Also, never trust the data on the wire. Any HTTP/HTTPS request can be forged and tampered with. This means that if you send a primary key in a hidden field as part of an HTML form, ensure that when the form is submitted, the primary key is the same one you originally sent. But you say, "How can I verify it's the one I sent... I wouldn't have sent the primary key if I could keep the state on the server side and somehow correlate the form submission to the DB record that the form was submitted against." Yeah, well, Lift and Seaside and WebObjects and others have solved that problem.

Know your types as you're parsing the request and composing a response. Use an ORM that correctly escapes String parameters. Never "shell out". Rails and Django have markers on Strings that indicate that they are to be "trusted" or that they require HTML encoding. This addresses substantially all the cross-site scripting related issues. Lift carries the DOM around as part of the page composition so it always knows what should be HTML encoded. Any framework that composes a response simply by writing Strings to a response is de facto insecure.

Use random numbers for everything. SSL uses random numbers for keys. Lift uses random numbers for field names (except in test mode, where having stable field names is necessary for automated testing). Use session-duration random numbers as opaque identifiers so that data doesn't leak from the server to the client. Where you can't use random numbers, encrypt any identifiers with a session-specific encryption key and make sure you have some salt in the thing being encrypted so the key cannot be rainbow-tabled.

Test. Security testing is just testing and should be done at the unit and integration level. Security tests should be a normal part of your unit test suite as well as any integration testing that you do. Your QA people should understand common vulnerabilities (e.g., XSS) just like they understand common programming errors (e.g., NPE) and should test for them.

Make the OWASP Top 10 a normal part of your check-in and code review process. This means that every material feature should have a list of the OWASP Top 10 associated with it and a one-sentence description of the exposure to the vulnerability and anything done in the code to defend against exposure. Once developers do this regularly, it'll take 5 minutes to fill out the list, but more importantly, it will create a culture of awareness.

Never assume that your systems are secure. Always assume there are vulnerabilities... just like it's good to assume there will always be bugs in software. It's our job to identify the vulnerabilities, assess the risks of penetration, and prioritize remediation. Also, the only way to keep data out of the hands of the bad guys is to toss the hard drives containing the data into an active volcano (entropy is your friend). If you can access the data, the bad guys can.
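The "never trust the data on the wire" and "session-duration random numbers as opaque identifiers" rules above fit together: if the hidden field carries a random handle that only this session has ever been issued, a tampered or guessed value resolves to nothing instead of to someone else's record, and there is no primary key on the wire to verify in the first place. The class below is an added example of that scheme and is not code from the original post or from Lift; the names OpaqueIdMap, handleFor and resolve, and the two account records, are constructed for the illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the post): per-session opaque handles in place of database keys.
public class OpaqueIdMap {

    private static final SecureRandom RNG = new SecureRandom();
    // One instance of this map lives in each user's session (e.g. stored in HttpSession).
    private final Map<String, Long> handleToId = new HashMap<String, Long>();
    private final Map<Long, String> idToHandle = new HashMap<Long, String>();

    /** Returns a random, session-scoped handle for the record, stable for the session's lifetime. */
    public synchronized String handleFor(long recordId) {
        String existing = idToHandle.get(recordId);
        if (existing != null) return existing;
        String handle = new BigInteger(128, RNG).toString(32);   // 128 bits: not guessable
        handleToId.put(handle, recordId);
        idToHandle.put(recordId, handle);
        return handle;
    }

    /** Maps a submitted handle back to the key, or null if this session never issued it. */
    public synchronized Long resolve(String handle) {
        return handle == null ? null : handleToId.get(handle);
    }

    // The hidden field as the post warns against: the primary key itself goes to the client.
    static String renderInsecure(long recordId) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + recordId + "\"/>";
    }

    // The hidden field with an opaque handle: nothing about the key leaves the server.
    static String renderWithHandle(OpaqueIdMap session, long recordId) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + session.handleFor(recordId) + "\"/>";
    }

    public static void main(String[] args) {
        Map<Long, String> accounts = new HashMap<Long, String>();   // constructed sample data
        accounts.put(1001L, "alice's account");
        accounts.put(1002L, "bob's account");

        // Insecure form: alice's page says 1001, an edited submission says 1002 and the lookup obliges.
        System.out.println(renderInsecure(1001L));
        String tamperedSubmission = "1002";
        System.out.println("insecure lookup returns: " + accounts.get(Long.parseLong(tamperedSubmission)));

        // Opaque form: alice's session only ever sees a random handle for her own record.
        OpaqueIdMap aliceSession = new OpaqueIdMap();
        String field = renderWithHandle(aliceSession, 1001L);
        System.out.println(field);
        String submitted = field.replaceAll(".*value=\"([^\"]+)\".*", "$1");  // what the browser sends back
        System.out.println("own handle resolves to: " + accounts.get(aliceSession.resolve(submitted)));

        // A guessed key or a handle issued to another session resolves to null (so: deny, and log it).
        System.out.println("guessed '1002' resolves to: " + aliceSession.resolve("1002"));
        OpaqueIdMap bobSession = new OpaqueIdMap();
        String bobsHandle = bobSession.handleFor(1002L);
        System.out.println("bob's handle in alice's session resolves to: " + aliceSession.resolve(bobsHandle));
    }
}
```

A null from resolve() is the signal the post is after: the request carried a value the server never gave this user, which is worth a 4xx response and a log line rather than a silent fallback. Since the map is discarded with the session, the handles are also useless after logout, which the "session-duration" part of the rule is asking for.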
The only issue is how much effort they are willing to put into getting to the data. If it’s not worth their time or there are easier targets, those targets will be attacked. Think of security as a series of obstacles rather than a single insurmountable wall. In order for the bad guys to get to the pot of gold, they have to evade many many obstacles. This makes it hard for them and increases the chances you’ll observe them trying to overcome an obstacle.I’ll wind up with some thoughts on the whole RSA/Lockheed break-in. This is perfect example of a pot of gold being very valuable (control information for drones, aircraft design plans, etc.) and an attack that was long ranging and very methodical. The attackers probed the weaknesses in individuals within RSA (could this or this have been part of the probe?) Sent targeted documents that contained zero-day flaws to a small number of weak individuals. Once the attackers gained control of the individual’s machines, they were able to probe the network and escalate privileged in such a way that the actually accessed the RSA key database. This was the time RSA should have voided all the RSA keys and re-issued new ones. Failure to do that should be a company-ending event for RSA… but I editorialize. I’m just postulating here, but I’m guessing that the attackers used rogue certs to do man-in-the-middle to get Lockheed RSA key/username/password combinations. Because the CA issuing the certs was trusted and there are enough rough CAs floating around, it’s no longer out of the realm of possibility to do man-in-the-middle attacks of SSL layers (re-route traffic and use rogue cert). If you know that current value of an RSA key, you can narrow down the device that is associated with an account (and if you do the same attack 3 or 4 times, you can figure out exactly which device it is) so that with each device seed number, you can determine what the current-time value of the correct RSA key for a given account. 
Next, you waltz into the VPN or whatever that’s being secured and do whatever trivial privilege escalation you need to do to get to the right file servers. Anyway, for the kind of systems most of us are building, sticking to my security outline above should yield good results, but if the target is valuable enough and the attacker is skilled and persistent enough, they can break almost any system. Reference: Simple Security Rules from our JCG partner David Pollak at the Good Stuff blog....
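As an added illustration of the "session-duration random numbers as opaque identifiers" rule above (example code written for this page, not from the original post or from Lift): a per-session map hands the form a random handle in place of the database primary key, so a tampered or guessed value resolves to nothing rather than to someone else's record. The class name and the record id 4711 are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical helper (not from the original post): one instance lives inside a
 * user's server-side session and maps random handles to real primary keys.
 * The browser only ever sees the handle, so the hidden field no longer carries
 * anything that can be edited into a neighbouring record id.
 */
public final class OpaqueIdMap {
    private static final SecureRandom RNG = new SecureRandom();

    // handle -> primary key; discarded together with the session
    private final Map<String, Long> handleToKey = new HashMap<>();

    /** Issue a fresh 128-bit random handle for a primary key; this is the value that goes into the hidden field. */
    public String issue(long primaryKey) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String handle = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        handleToKey.put(handle, primaryKey);
        return handle;
    }

    /**
     * Resolve a handle that came back in a request. Anything this session did not
     * issue (edited, guessed, or copied from another user's session) yields empty,
     * so the caller cannot reach a record it was never shown.
     */
    public Optional<Long> resolve(String submitted) {
        if (submitted == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(handleToKey.get(submitted));
    }

    /** Forget a handle once the form it protected has been consumed (optional one-shot use). */
    public void retire(String handle) {
        handleToKey.remove(handle);
    }

    public static void main(String[] args) {
        OpaqueIdMap session = new OpaqueIdMap();
        String handle = session.issue(4711L); // 4711 is a constructed sample record id

        System.out.println("hidden field value : " + handle);
        System.out.println("as issued          : " + session.resolve(handle));        // the issued key
        System.out.println("edited by the user : " + session.resolve(handle + "x"));  // never issued, so empty
        System.out.println("raw key submitted  : " + session.resolve("4711"));        // never issued, so empty

        session.retire(handle);
        System.out.println("after retire       : " + session.resolve(handle));        // empty again
    }
}
```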

Java Swing Tic-Tac-Toe

Hello people! Wow, it's been a while since I posted something here...! I must say I really miss writing stuff and I promise I won't get into a 'writer's block' again. Hopefully... A helluva lot of things happened in the last two months and I've got loads to say. But in this post I'm just gonna publish a small application that I wrote some time ago. It's a TicTacToe game application. There's not much to be learnt from this particular program but I really want to get outta this impasse and hence I'm posting this today. I actually wrote this code to show off some of the really cool features of Java to one of my friends who also wrote the same application in a "C++"-esque style. And btw that friend of mine even developed code for the computer player. But after completing his code he sadly realized the basic fact that you cannot win in TicTacToe if you play perfectly!! Hehe. So I did not venture into that area. Well, to be honest, I'm not really interested in writing AI apps. But I thought of adding Network Multiplayer functionality to this application since I love network programming. Unfortunately I haven't had the time to do so. Anywaiz, the application works like this: the game is autostarted once launched and the status bar indicates which player's turn it is now, and the rest is just simple tictactoe! At the end of the game the app is automatically reset. Onto the code..
import javax.swing.*;
import java.awt.*;
import java.awt.event.*;
import java.util.Objects;

/**
 * TicTacToe Application
 * @author Steve Robinson
 * @version 1.0
 */
class TicTacToeFrame extends JFrame {
    JButton[][] buttons = new JButton[3][3];
    JTextField statusBar;
    GamePanel panel;
    Integer turn;
    GameListener listener = new GameListener();
    Integer count;

    public TicTacToeFrame() {
        setLayout(new BorderLayout());
        panel = new GamePanel();
        add(panel, BorderLayout.CENTER);
        statusBar = new JTextField("Player1's Turn");
        statusBar.setEditable(false);
        add(statusBar, BorderLayout.SOUTH);
        setTitle("Tic Tac Toe!");
        setVisible(true);
        setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        setBounds(400, 400, 300, 300);
    }

    class GamePanel extends JPanel {
        public GamePanel() {
            setLayout(new GridLayout(3, 3));
            turn = 1;
            count = 0;
            for (int i = 0; i < 3; i++)
                for (int j = 0; j < 3; j++) {
                    buttons[i][j] = new JButton();
                    // INDEX: the square's position in the grid; OWNER: the player holding it (null = free)
                    buttons[i][j].putClientProperty("INDEX", new Integer[]{i, j});
                    buttons[i][j].putClientProperty("OWNER", null);
                    buttons[i][j].addActionListener(listener);
                    add(buttons[i][j]);
                }
        }
    }

    class GameListener implements ActionListener {
        public void actionPerformed(ActionEvent e) {
            count++;
            JButton b = (JButton) e.getSource();
            Integer[] index = (Integer[]) b.getClientProperty("INDEX");
            b.putClientProperty("OWNER", turn);
            // the icon files 1.gif and 2.gif must sit in the working directory
            Icon ico = new ImageIcon(turn.toString() + ".gif");
            b.setIcon(ico);
            b.setEnabled(false);
            boolean result = checkVictoryCondition(index);
            if (result) {
                JOptionPane.showMessageDialog(null, "Player " + turn.toString() + " Wins");
                initComponents();
            } else {
                if (turn == 1) {
                    turn = 2;
                    statusBar.setText("Player2's Turn");
                } else {
                    turn = 1;
                    statusBar.setText("Player1's Turn");
                }
            }
            if (count == 9) {
                JOptionPane.showMessageDialog(null, "Match is a draw!");
                initComponents();
            }
        }

        Integer getOwner(JButton b) {
            return (Integer) b.getClientProperty("OWNER");
        }

        // Print the owner map, for diagnostics
        void printButtonMap(Integer[][] bMap) {
            for (int i = 0; i < 3; i++) {
                for (int j = 0; j < 3; j++)
                    System.out.print(bMap[i][j] + " ");
                System.out.println("");
            }
        }

        boolean checkVictoryCondition(Integer[] index) {
            /* Integer[][] buttonMap = new Integer[][] {
                { getOwner(buttons[0][0]), getOwner(buttons[0][1]), getOwner(buttons[0][2]) },
                { getOwner(buttons[1][0]), getOwner(buttons[1][1]), getOwner(buttons[1][2]) },
                { getOwner(buttons[2][0]), getOwner(buttons[2][1]), getOwner(buttons[2][2]) }
            };
            printButtonMap(buttonMap); */
            Integer a = index[0];
            Integer b = index[1];
            // owner of the square just played; Objects.equals avoids comparing Integer references
            Integer owner = getOwner(buttons[a][b]);
            int i;
            // check row
            for (i = 0; i < 3; i++) {
                if (!Objects.equals(getOwner(buttons[a][i]), owner)) break;
            }
            if (i == 3) return true;
            // check column
            for (i = 0; i < 3; i++) {
                if (!Objects.equals(getOwner(buttons[i][b]), owner)) break;
            }
            if (i == 3) return true;
            // check diagonals (only a square on a diagonal can complete one)
            if ((a == 2 && b == 2) || (a == 0 && b == 0) || (a == 1 && b == 1) || (a == 0 && b == 2) || (a == 2 && b == 0)) {
                // left diagonal
                for (i = 0; i < 3; i++)
                    if (!Objects.equals(getOwner(buttons[i][i]), owner)) break;
                if (i == 3) return true;
                // right diagonal
                if (Objects.equals(getOwner(buttons[0][2]), owner)
                        && Objects.equals(getOwner(buttons[1][1]), owner)
                        && Objects.equals(getOwner(buttons[2][0]), owner))
                    return true;
            }
            return false;
        }
    }

    void initComponents() {
        for (int i = 0; i < 3; i++)
            for (int j = 0; j < 3; j++) {
                buttons[i][j].putClientProperty("INDEX", new Integer[]{i, j});
                buttons[i][j].putClientProperty("OWNER", null);
                buttons[i][j].setIcon(null);
                buttons[i][j].setEnabled(true);
            }
        turn = 1;
        count = 0;
        statusBar.setText("Player1's Turn");
    }
}

class TicTacToe {
    public static void main(String[] args) {
        EventQueue.invokeLater(new Runnable() {
            public void run() {
                TicTacToeFrame frame = new TicTacToeFrame();
            }
        });
    }
}

The code is rather straightforward. I've used two properties in the Buttons to store some information used for checking the winning condition.
One is the "OWNER" property, which indicates which user currently owns the square, and the other is the "INDEX" property, which indicates the square's index in the grid (i.e. [1,1], [1,2], etc.). Once any player clicks on a square, the OWNER property is updated and the victory condition is checked by using the OWNER properties of all the buttons. The rest of the code is self-explanatory. And adding keyboard support for the second player is a pretty easy job. As they say... "I leave that as an exercise"! Hahaha. Well, I really hope I get some time so that I can add network functionality to this application. Cheers, Steve. ----- I forgot to attach the image icon files that will be used by the application. You can download them from here: http://www.mediafire.com/?d7d93v2342dxind Just extract the contents to the folder that contains the code. Thanks to my friend "Gur Png" for telling me about this. Reference: Java TicTacToe from our JCG partner Steve Robinson at the Footy 'n' Tech blog....

Regular Expressions in Java – Soft Introduction

A regular expression is a kind of pattern that can be applied to text (a String, in Java). Java provides the java.util.regex package for pattern matching with regular expressions. Java regular expressions are very similar to those of the Perl programming language and very easy to learn. A regular expression either matches the text (or a part of it) or it fails to match.
* If a regular expression matches a part of the text, then we can find out which part.
** If the regular expression is complex, then we can easily find out which part of the regular expression matches which part of the text.

A First Example
The regular expression "[a-z]+" matches all lower case letters in the text. [a-z] means any character from a to z, inclusive, and + means "one or more". Suppose we supply the string "code 2 learn java tutorial".

How to do it in Java
First, you must compile the pattern:

import java.util.regex.*;
Pattern p = Pattern.compile("[a-z]+");

Next you must create a matcher for the text by sending a message to the pattern:

Matcher m = p.matcher("code 2 learn java tutorial");

NOTE: Neither Pattern nor Matcher has a public constructor; we create them by using methods in the Pattern class.

Pattern Class: A Pattern object is a compiled representation of a regular expression. The Pattern class provides no public constructors. To create a pattern, you must first invoke one of its public static compile methods, which will then return a Pattern object. These methods accept a regular expression as the first argument.

Matcher Class: A Matcher object is the engine that interprets the pattern and performs match operations against an input string. Like the Pattern class, Matcher defines no public constructors. You obtain a Matcher object by invoking the matcher method on a Pattern object.

After we have done the above steps, and now that we have the matcher m, we can check whether a match has been found or not and, if yes, from which index position it starts, etc.
- m.matches() returns true if the pattern matches the entire string, and false otherwise.
- m.lookingAt() returns true if the pattern matches at the beginning of the string, and false otherwise.
- m.find() returns true if the pattern matches any part of the text.

Finding what was matched
After a successful match, m.start() will return the index of the first character matched and m.end() will return the index of the last character matched, plus one. If no match was attempted, or if the match was unsuccessful, m.start() and m.end() will throw an IllegalStateException. This is a RuntimeException, so you don't have to catch it. It may seem strange that m.end() returns the index of the last character matched plus one, but this is just what most String methods require. For example, "Now is the time".substring(m.start(), m.end()) will return exactly the matched substring.

Java Program:

import java.util.regex.*;

public class RegexTest {
    public static void main(String args[]) {
        String pattern = "[a-z]+";
        String text = "code 2 learn java tutorial";
        Pattern p = Pattern.compile(pattern);
        Matcher m = p.matcher(text);
        while (m.find()) {
            System.out.print(text.substring(m.start(), m.end()) + "*");
        }
    }
}

Output: code*learn*java*tutorial*

Additional Methods
If m is a matcher, then:
- m.replaceFirst(replacement) returns a new String where the first substring matched by the pattern has been replaced by replacement
- m.replaceAll(replacement) returns a new String where every substring matched by the pattern has been replaced by replacement
- m.find(startIndex) looks for the next pattern match, starting at the specified index
- m.reset() resets this matcher
- m.reset(newText) resets this matcher and gives it new text to examine (which may be a String, StringBuffer, or CharBuffer)

Regular Expression Syntax
Here is the table listing the regular expression metacharacter syntax available in Java:

Subexpression   Matches
^               Matches beginning of line.
$               Matches end of line.
.               Matches any single character except newline. Using m option allows it to match newline as well.
[...]           Matches any single character in brackets.
[^...]          Matches any single character not in brackets.
\A              Beginning of entire string.
\z              End of entire string.
\Z              End of entire string except allowable final line terminator (if a newline exists, it matches just before the newline).
re*             Matches 0 or more occurrences of preceding expression.
re+             Matches 1 or more occurrences of preceding expression.
re?             Matches 0 or 1 occurrence of preceding expression.
re{n}           Matches exactly n occurrences of preceding expression.
re{n,}          Matches n or more occurrences of preceding expression.
re{n,m}         Matches at least n and at most m occurrences of preceding expression.
a|b             Matches either a or b.
(re)            Groups regular expressions and remembers matched text.
(?:re)          Groups regular expressions without remembering matched text.
(?>re)          Matches independent pattern without backtracking.
\w              Matches word characters.
\W              Matches nonword characters.
\s              Matches whitespace. Equivalent to [\t\n\r\f].
\S              Matches nonwhitespace.
\d              Matches digits. Equivalent to [0-9].
\D              Matches nondigits.
\G              Matches point where last match finished.
\n              Back-reference to capture group number "n".
\b              Matches word boundaries when outside brackets. Matches backspace (0x08) when inside brackets.
\B              Matches nonword boundaries.
\n, \t, etc.    Matches newlines, carriage returns, tabs, etc.
\Q              Escape (quote) all characters up to \E.
\E              Ends quoting begun with \Q.

Reference: Regular Expressions in Java from our JCG partner Farhan Khwaja at the Code 2 Learn blog....
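The difference between matches() and find(), and between the ^/$ and \A/\z anchors from the table, matters most when a pattern is used to validate untrusted input. The following class is an added example (not from the original article) that runs one pattern over a few constructed inputs in each mode; the class and method names are assumptions for the illustration.

```java
import java.util.regex.Pattern;

/**
 * Added illustration: four ways to ask "is this input only lower-case letters?"
 * and which of them actually enforce that.
 */
public final class MatchModes {
    // Policy: an identifier is one or more lower-case letters and nothing else.
    private static final Pattern ID = Pattern.compile("[a-z]+");
    private static final Pattern ID_LINE_ANCHORED = Pattern.compile("^[a-z]+$");
    private static final Pattern ID_INPUT_ANCHORED = Pattern.compile("\\A[a-z]+\\z");

    /** Correct: matches() only succeeds if the whole input is consumed by the pattern. */
    static boolean isValidId(String input) {
        return ID.matcher(input).matches();
    }

    /** Wrong: find() accepts any input that merely contains a run of letters somewhere. */
    static boolean looksValidWithFind(String input) {
        return ID.matcher(input).find();
    }

    /** Subtly wrong: $ also matches just before a final line terminator, so "abc\n" slips through find(). */
    static boolean looksValidWithLineAnchors(String input) {
        return ID_LINE_ANCHORED.matcher(input).find();
    }

    /** Correct again: \A and \z bind to the start and the absolute end of the input, so find() equals matches() here. */
    static boolean isValidWithInputAnchors(String input) {
        return ID_INPUT_ANCHORED.matcher(input).find();
    }

    public static void main(String[] args) {
        // Constructed inputs: one clean value, one with a trailing newline, two with extra content.
        String[] samples = { "abc", "abc\n", "abc<script>", "code 2 learn" };
        System.out.printf("%-16s %-8s %-6s %-8s %-8s%n", "input", "matches", "find", "^...$", "\\A...\\z");
        for (String s : samples) {
            System.out.printf("%-16s %-8b %-6b %-8b %-8b%n",
                    s.replace("\n", "\\n"),
                    isValidId(s),
                    looksValidWithFind(s),
                    looksValidWithLineAnchors(s),
                    isValidWithInputAnchors(s));
        }
    }
}
```

Only the matches() column and the \A...\z column reject the trailing-newline input; the other two accept it, which is the gap that lets a validator pass data its caller believes to be clean.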

Some Interview Questions to Hire a Java EE Developer

The Internet is full of interview questions for Java developers. The main problem with those questions is that they only prove that the candidate has a good memory, remembering all that syntax, structures, constants, etc. There is no real evaluation of his/her logical reasoning. I'm listing below some examples of interview questions that check the knowledge of the candidate based on his/her experience. The questions were formulated to verify whether the candidate is capable of fulfilling the role of a Java enterprise applications developer. I'm also putting in the answers in case anybody wants to discuss the questions.

1. Can you give some examples of improvements in the Java EE 5/6 specification in comparison to the J2EE specification?
The new specification favours convention over configuration and introduces annotations to replace the use of XML for configuration. Inheritance is not used to define components anymore; they are defined, instead, as POJOs. To empower those POJOs with enterprise features, dependency injection was put in place, simplifying the use of EJBs. The persistence layer was fully replaced by the Java Persistence API (JPA).

2. Considering two enterprise systems developed on different platforms, which good options do you propose to exchange data between them?
We can see as potential options nowadays the use of web services and message queues, depending on the scenario. For example: when a system needs to send data, as soon as they are available, to another system, or to make data available for several systems, then a message queuing system is recommended. When a system has data to be processed by another system and needs the result of this processing back synchronously, then a web service is the most indicated option.

3. What do you suggest to implement asynchronous code in Java EE?
There are several options: one can post messages to a queue to be consumed by a Message-Driven Bean (MDB); or annotate a method with @Timer to define the time to execute the code programmatically; or annotate a method with @Scheduler to define the time to execute the code declaratively.

4. Can you illustrate the use of Stateless Session Bean, Stateful Session Bean and Singleton Session Bean?
Stateless Session Beans are used when there is no need to preserve the state of objects between several business transactions. Every transaction has its own instances, and instances of components can be retrieved from pools of objects. It is recommended for most cases, when several operations are performed within a transaction to keep the database consistent. Stateful Session Beans are used when there is the need to preserve the state of objects between business transactions. Every instance of the component has its own objects. These objects are modified by different transactions and they are discarded after reaching a predefined time of inactivity. They can be used to cache data with intensive use, such as reference data and long record sets for pagination, in order to reduce the volume of IO operations with the database. A Singleton Session Bean is instantiated once per application and exists for the lifecycle of the application. Singleton session beans are designed for circumstances in which a single enterprise bean instance is shared across and concurrently accessed by clients. They maintain their state between client invocations, which requires a careful implementation to avoid conflicts when accessed concurrently. This kind of component can be used, for example, to initialize the application at its start-up and share a specific object across the application.

5. What is the difference between a queue and a topic in a message queuing system?
In a queue there is only one producer of messages and only one consumer of these messages (1 - 1). In a topic there is a publisher of messages and several subscribers that will receive those messages (1 - N).

6. Which strategies do you consider to import and export XML content?
If the XML document is formally defined in a schema, we can use JAXB to serialize and deserialize objects into/from XML according to the schema. If the XML document does not have a schema, then there are two situations: 1) when the whole XML content should be considered: in this case, serial access to the whole document is recommended using SAX, or random access using DOM; 2) when only parts of the XML content should be considered, then XPath can be used, or StAX in case operations should be executed immediately after each desired part is found in the document.

7. Can you list some differences between a relational model and an object model?
An object model can be mapped to a relational model, but there are some differences that should be taken into consideration. In the relational model a foreign key has the same type as the target's primary key, but in the object model an attribute points to the entire related object. In the object model it is possible to have N-N relationships, while in the relational model an intermediary entity is needed. There is no support for inheritance, interfaces, and polymorphism in the relational model.

8. What is the difference between XML Schema, XSLT, WSDL and SOAP?
An XML Schema describes the structure of an XML document and it is used to validate these documents. WSDL (Web Service Definition Language) describes the interface of SOAP-based web services. It can refer to XML schemas to define existing complex types passed by parameter or returned to the caller. SOAP (Simple Object Access Protocol) is the format of the message used to exchange data in a web service call. XSLT (eXtensible Stylesheet Language Transformation) is used to transform XML documents into other document formats.

9. How would you configure an environment to maximize the productivity of a development team?
Every developer should have a personal environment capable of executing the whole application on his/her local workstation. The project should be synchronized between developers using a version control system. Integration routines must be executed periodically in order to verify the compatibility and communication between all components of the system. Unit and integration tests must be executed frequently.

You can extend this set of questions to cover other subjects like unit testing, dependency injection, version control and so on. Try to formulate the questions in a way that you don't get a single answer, but a short analysis from the candidate. People can easily find answers on the Internet, but good analysis can be provided only with accumulated experience.

Reference: Some Interview Questions to Hire a Java EE Developer from our JCG partner Hildeberto Mendonca at the Hildeberto's Blog....

Automatically generating WADL in Spring MVC REST application

Last time we learnt the basics of WADL. The language itself is not interesting enough to write a separate article about, but the title of this article reveals why we needed that knowledge. Many implementations of JSR 311: JAX-RS: The Java API for RESTful Web Services provide runtime WADL generation out-of-the-box: Apache CXF, Jersey and Restlet. RESTEasy is still waiting. Basically these frameworks examine Java code with JSR-311 annotations and generate a WADL document available under some URL. Unfortunately Spring MVC not only does not implement the JSR-311 standard (see: Does Spring MVC support JSR 311 annotations?), but it also does not generate WADL for us (see: SPR-8705), even though it is perfectly suited for exposing REST services. For various reasons I started developing server-side REST services with Spring MVC and after a while (say, thirty resources later) I started to get a bit lost. I really needed a way to catalogue and document all available resources and operations. WADL seemed like a great choice. Fortunately the Spring framework is open for extension and it is easy to add new features based on existing infrastructure if you are willing to dig through the code for a while. In order to generate WADL I needed a list of URIs that an application handles, which HTTP methods are implemented and, ideally, which Java method handles each one of them. Obviously Spring does that job already somewhere during bootstrapping of the MVC DispatcherServlet (scanning for @Controller, @RequestMapping, @PathVariable, etc.), so it seems smart to reuse that information rather than performing the job again. Guess what, it looks like all the information we need is kept in an oddly named RequestMappingHandlerMapping class. Here is a debugger screenshot just to give you an overview of how rich the available information is:

But it gets even better: RequestMappingHandlerMapping is actually a Spring bean which you can easily inject and use:

@Controller
class WadlController @Autowired()(mapping: RequestMappingHandlerMapping) {

  @RequestMapping(method = Array(GET))
  @ResponseBody
  def generate(request: HttpServletRequest) = new WadlApplication()

}

That's right, we will use yet another Spring MVC controller to generate the WADL document. Last time we managed to generate JAXB classes representing a WADL document (after all, WADL is an XML file), so by returning an empty instance of WadlApplication we are actually returning an empty, but valid, WADL:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02"/>

I won't explain the details of the implementation (full source code is available, including a sample application). It was basically a matter of rewriting Spring models to WADL classes. If you are interested, have a look at WadlGenerator.scala, which is the central point of the solution, and the test cases. Here is one of them:

test("should add parameter info for template parameter in URL") {
  given("")
  val mapping = Map(
    mappingInfo("/books", GET) -> handlerMethod("listBooks"),
    mappingInfo("/books/{bookId}", GET) -> handlerMethod("readBook")
  )

  when("")
  val wadl = generate(mapping)

  then("")
  assertXMLEqual(wadlHeader + """
    <resource path="books">
      <method name="GET">
        <doc title="com.blogspot.nurkiewicz.springwadl.TestController.listBooks"/>
      </method>
      <resource path="{bookId}">
        <param name="bookId" required="true" />
        <method name="GET">
          <doc title="com.blogspot.nurkiewicz.springwadl.TestController.readBook"/>
        </method>
      </resource>
    </resource>
  """ + wadlFooter, wadl)
}

Unfortunately I was too lazy to correctly name the given/when/then blocks, but the tests should be pretty readable. The only technical difficulty I would like to mention was translating the flat URI patterns provided by the Spring infrastructure to hierarchical WADL objects (basically a tree). Here is a simplified version of this problem: having a list of URI patterns as follows:

/books
/books/{bookId}
/books/{bookId}/reviews
/books/best-sellers
/readers
/readers/{readerId}
/readers/{readerId}/account/new-password
/readers/active
/readers/passive

generate the following tree data structure:

Of course the data structure is as simple as a Node object holding a label and a children list of Nodes. Not really that challenging, but probably an interesting CodeKata. So what is it all about with this WADL? Is the XML really more readable and does it help in managing REST-heavy applications? I wouldn't even bother playing with it if not for the great soapUI support for WADL. The WADL generated for an example application I pushed as well can be easily imported into soapUI:

Two features are worth mentioning. First of all, soapUI displays a tree of REST resources (as opposed to a flat list of operations when WSDL is imported). Next to every HTTP method there is a corresponding Java method that handles it (this can be disabled) for troubleshooting and debugging purposes. Secondly, we can pick any HTTP method/resource and invoke it. Based on the WADL description soapUI will create a user-friendly wizard where one can input parameters. Default values are automatically populated. When we are done, the application will generate an HTTP request with the correct URL and content, displaying the response when it arrives. Really helpful! By the way, have you noticed the max and page query parameters? Our small library uses reflection to find @RequestParam annotations, so e.g. the following controller:

@Controller
@RequestMapping(value = Array("/book/{bookId}/review"))
class ReviewController @Autowired()(reviewService: ReviewService) {

  @RequestMapping(method = Array(GET))
  @ResponseBody
  def listReviews(
      @RequestParam(value = "page", required = false, defaultValue = "1") page: Int,
      @RequestParam(value = "max", required = false, defaultValue = "20") max: Int) =
    new ResultPage(reviewService.listReviews(new PageRequest(page - 1, max)))

  //...
}

will be translated into a WADL-compatible description:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <doc title="Spring MVC REST appllication"/>
  <resources base="http://localhost:8080/api">
    <resource path="book">
      <!-- -->
      <resource path="{bookId}">
        <param required="true" style="template" name="bookId"/>
        <!-- -->
        <resource path="review">
          <method name="GET">
            <doc title="com.blogspot.nurkiewicz.web.ReviewController.listReviews"/>
            <request>
              <param required="false" default="1" style="query" name="page"/>
              <param required="false" default="20" style="query" name="max"/>
            </request>
          </method>
        </resource>
      </resource>
    </resource>
  </resources>
</application>

Hope you had fun with this small library I have written. Feel free to include it in your project and don't hesitate to report bugs. Full source code under the Apache license is available on GitHub: https://github.com/nurkiewicz/spring-rest-wadl.

Reference: Automatically generating WADL in Spring MVC REST application from our JCG partner Tomasz Nurkiewicz at the Java and neighbourhood blog....
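The flat-list-to-tree step described above, as an added example (not part of spring-rest-wadl, and in Java rather than the project's Scala): Node holds a label and its children, insert() walks one level per path segment, and a node that no mapping targets directly (account in the sample list) is flagged, since WADL still needs a <resource> element for it even though no handler answers there. The class and method names are assumptions; it needs Java 11 or later for String.repeat and List.of.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example: build the hierarchical resource tree that WADL wants from the
 * flat URI patterns Spring's RequestMappingHandlerMapping reports.
 */
public final class UriTree {
    static final class Node {
        final String label;
        boolean mapped;                                            // some handler maps exactly this path
        final Map<String, Node> children = new LinkedHashMap<>();  // insertion order = declaration order

        Node(String label) {
            this.label = label;
        }

        /** Descend one level per path segment, creating nodes as needed; the final node is a mapped resource. */
        void insert(String uriPattern) {
            Node current = this;
            for (String segment : uriPattern.split("/")) {
                if (segment.isEmpty()) continue;                   // the leading "/" yields an empty first segment
                current = current.children.computeIfAbsent(segment, Node::new);
            }
            current.mapped = true;
        }

        /** Render the tree as an indented list, two spaces per level. */
        String render() {
            StringBuilder out = new StringBuilder();
            for (Node child : children.values()) {
                child.render(out, 0);
            }
            return out.toString();
        }

        private void render(StringBuilder out, int depth) {
            out.append("  ".repeat(depth)).append(label);
            if (!mapped) {
                out.append("   (intermediate resource, no handler of its own)");
            }
            out.append('\n');
            for (Node child : children.values()) {
                child.render(out, depth + 1);
            }
        }
    }

    /** Build the tree from a list of URI patterns; the returned root is an unlabelled container. */
    static Node build(List<String> patterns) {
        Node root = new Node("");
        for (String pattern : patterns) {
            root.insert(pattern);
        }
        return root;
    }

    public static void main(String[] args) {
        // The sample patterns from the article, in declaration order
        List<String> patterns = List.of(
                "/books",
                "/books/{bookId}",
                "/books/{bookId}/reviews",
                "/books/best-sellers",
                "/readers",
                "/readers/{readerId}",
                "/readers/{readerId}/account/new-password",
                "/readers/active",
                "/readers/passive");
        System.out.print(build(patterns).render());
    }
}
```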

Source Code is an Asset, Not a Liability

Some people have tried to argue that source code is a liability, not an asset. Apparently this "is now widely accepted" and "this is a very strong idea that has a lot of impact across the IT industry and in the way developers view and perform their day-to-day work". Really? The argument, as far as I can follow it, is that while engineers are paid to help design and build bridges and power plants, as developers we're paid to "deliver business value", and... "Source code is merely the necessary evil that's required to create value". Source code, the software that we create, is only a means to an end. The software itself has no value, or worse, it has negative value, because it creates a drag on your ability to innovate and move forward. The more code that you have, the higher your maintenance costs will be, therefore... "... the best code of all is the code that's never written." Michael Feathers, who has a lot of smart things to say about source code, joined in on this discussion. In The Carrying-Cost of Code he says that "code is inventory. It is stuff lying around and it has substantial cost of ownership. It might do us good to consider what we can do to minimize it." He goes so far as to suggest a goofy thought experiment where "every line of code written disappears exactly three months after it is written". The point of this would be to get developers and the business to understand that the "costs of carrying code are real, but no one accounts for them". Feathers reinforces the valid points about the drag that unmaintained or poorly maintained legacy code has on companies. Writing less code to solve a problem is a good thing: it's (usually) more efficient and (usually) costs less to maintain a smaller code base. And yes, there is a necessary cost to maintaining software and working with existing software and changing it.

But none of this changes the fact that software is an asset
If you build and operate a power plant or a bridge, you have to maintain it, just like software. And like a bridge or a power plant, a newer, more modern, better-designed, more efficient and simpler asset is better than a big, old, complicated, expensive-to-maintain one. The "software is a liability" argument seems to be that it's not the software that's the asset, it's the "features and options", the capabilities that the software provides. This is like saying that it's not the power plant (which a company spent millions of dollars to design and engineer) that's a valuable asset to a company, it's the energy that it generates. It's not the bridge, it's the ability to drive over water. It's not the airplane, it's the ability to fly. Pretending that software has no value in itself is silly. Try explaining this to accountants (don't depreciate the airplane, depreciate the ability to fly!) and IP lawyers and to investors who buy software companies for their IP. They all understand that software and the ideas embodied in it are valuable and need to be treated as assets. The ideas themselves are only worth so much, even if they're patented. But the ideas realized in software, actualized and proven and ready to be used or (better) already being used: that's where the real value is. And this is the value that needs to be maintained and preserved.

Software is more valuable than other assets
The important difference between software and other assets is that software is much more plastic than other engineering work. Software is "soft": it can be changed easily and inexpensively and quickly. This makes software more strategically valuable than "hard" assets like a building, because software can be continuously adapted and renewed in response to changing situations, and transformed to create new business opportunities. Software has to be changed to stay useful. The problem is NOT that we HAVE TO maintain software and change it to do things that it was never intended to do, to work in ways that it was never designed to, to do things that we couldn't imagine a few years ago. This is the opportunity that software gives us: that we CAN do this. This is why Software is Eating the World.

Reference: Source Code is an Asset, Not a Liability from our JCG partner Jim Bird at the Building Real Software blog....

14 Golden Eggs of Good UI Design

As I mentioned, I attended “Rules for Good UI Design” by Joe Nuxoll (@joeracer) at Devoxx 2011. In that talk he gave 14 “Golden Eggs” for designing a user interface (UI). The “Golden Eggs” have been written down from Joe’s slides – I hope without big mistakes. The comments are my summaries from his talk. The full version of Joe’s talk will be available at Parleys soon.

1 – The underlying data structure should not define the user interface

This is a topic Joe has been talking about in a few Java Posse episodes already. And it is simple: looking at the UI, you should not be able to tell what the underlying data structure is. The UI should be tailored solely to be easy to perceive and understand by the user. Users typically don’t think in data structures, so don’t make them.

2 – The interface should not define the data structure

With the former rule at hand, some of us engineers tend to go out, design a view and make the data structure look exactly the same. That is not how it is supposed to be. We have layers in all of our applications to abstract the data structure, for example the one in the database, away from the user interface. So use them. Design the data structure to be efficient and elegant for storing, not to mirror the user interface.

3 – Need must precede technology

You should never use HTML 5 just because it is HTML 5. You should not use anything for the sake of technology. Think about the user, think about their expectations. What user experience do you want to give them? This should lead your technology decisions.

4 – Start the process with real use cases

When starting to design a UI, use a real use case, not an abstract, generalized one. Use something the user will really do with the application. Use example interactions and data which are realistic.

5 – Identify distinct categories of people that will use your app

Identify which kinds of people will use your app. Split them into categories and give them a real name like ‘Ben’ or ‘Anna’. Give them a personality – these are called personas in a design process. Attach one persona to each use case you want to discuss. As a side note: if you have two very different personas, think about the trade-off between creating two UIs and making one configurable. It is sometimes cheaper to create two UIs.

6 – Think in flows not in features

For the user experience it is important to think in application flows, meaning the process of clicking through a “Login Process” with all its state changes and transitions. Don’t think about a login screen. Similarly, if you build a design prototype, make it functional. The steps taken through the design are as important as the look of the screen.

7 – Prototype often. Abandon prototypes often

UI design is developed in prototypes. Create a prototype of your app’s UI – and then throw it away. If you do not throw it away, it is not a prototype!

8 – Make the next step obvious

When the user is inside a dialog of your application, the next step the user wants to take should always be very obvious. Never make it hard to find the login button, the next button or the create-new-user button, if that is what the user wants to do.

9 – Reduce the number of perceived things

To understand this, you have to understand how our brain works when it perceives a user interface. There are always three phases. In the emotional phase, the brain recognizes colors, layouts and images on the screen; it sets the tone of the interaction with the UI. In the parsing phase, the brain figures out the purpose of every element on the screen; it prepares the user for the task. In the execute phase, the user starts to interact with the first element of the UI. The more elements there are on the screen, the more elements have to be parsed in the second phase. The more elements, the harder it is for the user to understand what he should do. The more elements, the more time the user needs to understand the UI.

10 – Leverage muscle memory. Be consistent

Our brain works like a muscle: it can be trained, and it reacts to common patterns. So make your UI consistent to use. The same things should always look the same. And they should align with the behavior the user expects from his operating system.

11 – Think outside the page load. If you can, do stuff in-place

On the web, avoid complete page loads. Use the techniques offered by AJAX to load new elements or information in place, so the user does not have to re-parse all the elements because they disappeared temporarily.

12 – Use transitions to change state

If your application changes state, use simple transitions to make clear what is happening. For example, if you hide something, fade it out so the user knows where to look if he wants to have it back.

13 – Iterate & Refine. Iterate & Refine

The process of designing a UI is iterative. You have to make a lot of proposals and be ready to change your mind. Extend them. Add new designs. Combine them. Throw some ideas away and use others to iterate further.

14 – Provide your customer with a great experience. Never break the experience of a user

This is not limited to the user interface of your app. It includes your support contacts, your Twitter feed and your homepage. Everything should be friendly to the user and provide him with the best experience he can have. The best customer experience.

Reference: 14 Golden Eggs of Good UI Design from our JCG partner Johannes Thönes at the Johannes Thönes blog.
Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy | Contact