Tag: javaone2008

I’ve just been to a very interesting BOF by Ludovic Champenois at JavaOne about the new PHP support in NetBeans. The talk was in the context of the new OpenSolaris WebStack so some time was spent on this, including the unique DTrace functionality which looks neat, but I found the NetBeans demo the most interesting.

NetBeans has great support for Ruby and JavaScript and now PHP is starting to get some of that goodness too. At the moment it is only available as either an Early Access release with just the core PHP stuff or in NetBeans trunk (6.5) but it looks very promising. It has:

• code completion
• PHP documentation
• variable renaming
• source navigation
• goto type
• extensible templates and auto-comments
• integrated debugging with XDebug

Sure, you don’t get all the neat refactoring you can have with a statically typed language like Java but even just the variable/method/class renaming is a big help. The code completion is good and the navigation even works over the filesystem in ‘require’ statements. Debugging works just like normal NetBeans debugging including all the usual stuff like call stack, mouse-over variable values, step-in/out, etc. A JMaki plugin brings all that goodness as well.

It’s still fairly early days but it looks pretty neat and maybe PHP finally has a good open source IDE.

This was a popular session. The queue stretched down the hall, out the front door and around the block. It covered the main vulnerabilities bad guys exploit to attack websites. It was a good session given by Joe Walker who also gave the BOF on Comet.

First up was cross-site request forgery or CSRF. This is basically misusing people’s cookies. For example if a user is logged in to bank.com on one tab and then they visit evilsite.com on another tab it is possible to do something like: <iframe src=”bank.com/transfer?amt=all&dest=dr_evil” />. No JavaScript required. The only real way to prevent CSRF attacks is to include some kind of authentication token in every request that is separate from the cookie, like a hash of the user’s session ID. These tokens shouldn’t be in GET requests as they could cause problems with bookmarks, etc and GET requests should be idempotent. So a hidden POST field is better. You can use the OWASP servlet filter to add these hidden fields.

He also covered JSON hijacking and the old favourite, XSS. An interesting point was that if your site has an XSS vulnerability that will allow bypassing of any CSRF protections you may have put in place. One of the biggest problems for preventing XSS is that browsers will render any old crap. Basically the web is broken.

I attended a session by Bill Pugh (although sometimes it seemed more like a TB ward with all the coughing and sneezing going on) about using FindBugs on large code bases. FindBugs is a static analysis tool that analyses your class files without executing the program. Some people don’t think it should be needed but smart programmers still make dumb mistakes and FindBugs can catch these.

FindBugs can scale to very large code bases; Google has fixed more than 1000 issues discovered by FindBugs. Bill’s talk described ways of using FindBugs on a large project where the number of issues found can be overwhelming. For example, running FindBugs on Eclipse 3.4M2 discovered 36,000 issues. This can be made manageable by using FindBugs filters to filter out:

• Low priority issues (leaves 26,000)
• Vulnerability to malicious code (5,000)
• issues also present in v3.3 (now down to 62 issues)

The reason the vulnrability to malicious code is filtered as this is mainly for code that will run untrusted code, like the JVM.

Another key point was to integrate FindBugs into your CI. Hudson has a good plugin that can display historical results and cause FindBugs issues to affect the health of a build. It can also notify who caused the issue.

Bill gave some typical warnings density of 0.3 – 0.6 medium or high priority warnings per 1000 LOC and about 1 – 4 other potentially relevant warnings per 1000 LOC. But don’t use these numbers to judge whether your project is good or bad!

To narrow what issues you should be investigating he suggested ignoring the low priority issues. High/medium issues are useful for ranking issues within a pattern but not across patterns, ie, don’t just look at high issues. Each bug has a category, for example, correctness (code seems clearly wrong), security (xss, sql injection), bad practice (violates good practice), dodgy code (something weird that might be wrong), i18n, etc.

We use Hudson at work, so it’s probably worth trying the plugin to see what it turns up.

Tonight I went to a very interesting BOF given by Alex Russell and Joe Walker about Comet. Also known as ‘Reverse Ajax’, Comet is a way of implementing ‘push’ technology in the browser. Basically, it is just long-lived or delayed-response HTTP connections; so a client will open an HTTP connection and then this is kept open to push data to the client. It is needed because now that many sites use Ajax it means page refreshes don’t happen as much as they used to so while parts of a page may be refreshed through ajax, other parts of the page may become out of date. It is used for things like asynchronous updates in GMail, chat in Meebo and collaborative editing in Google Docs.

It looks really cool and seems to finally be the push technology that was hyped in the 90’s.

You can’t use a normal web server like Apache as it would collapse under all the connections it would need to keep open so comet must be run on a server like Jetty that supports the techonology. However, it is possible to retrofit an existing app using an external cometd server. The original server serves a page but the clients open long-lived connections to this external cometd server (eg jetty) which then routes ‘events’ from the app server to the clients. Apparently it is quite easy to convert an existing app to use this external cometd approach.

JavaOne was the first I’d heard of this technology and it sounds really cool. They showed a fancy graph that suggested there weren’t problems with scaling the technology to many thousands of concurrent connections.

It seems like this could be used to deliver ads to pages that are heavily ajax-based and so don’t see many page refreshes and therefore ad views. Maybe we need a new ‘Comet’ tag type in OpenX.

By the way, ‘Comet’ doesn’t mean anything, it is just a bad pun.

I saw a great talk about jMaki which looks like an awesome lightweight framework to easily integrate ajax into your apps. It wraps common ajax libraries like jQuery, Dojo, etc. It uses the familiar convention over configuration to make things quick to develop and has multiple server-side language support, for example, PHP, JSP and Ruby. It also supplies an xml http proxy to interact with services outside of your domain.

A jMaki wiget is a bundle of: component.htm, component.js and css any of which can be edited if you want to easily customise the widgets.

jMaki implements all the best practices of YSlow such as minimizing http requests, combining css and scripts, defining css at the top and javascript at bottom and setting cache control headers as well as gzipping content.

It has plugins for eclipse and NetBeans but the demo of the NetBeans plugin was pretty cool; you can just drag and drop widgets from the palette into a jsp page and jMaki handles all the YSlow performance stuff. jMaki charting provides some neat charting widgets but one of the coolest demos was of jMaki webtop which is a widget that allows you to deploy a set of widgets and allow users to position the widgets, set properties, and connect them to services available to the application. In fact the NetBeans plugin makes it so easy it literally took me five minutes to create this simple test webtop app while waiting for the next session.

Functional Testing of Web Applications using Canoo WebTest and groovy was given by Dierk Konig, the founder of WebTest. He described four approaches to functional testing of webapps:

• capture/replay
• model based
• data driven
• scripted

Capture/replay creates a script from user action. This is a typical approach in commercial testing software but it is hardly usable at all for testing.

Capture/replay is the least cost-effective way of test automation

Model based testing uses expected vs unexpected behaviour. Data driven uses data variations on the same workflow. So you will have tables of input parameters and expected outputs but this is really good only if you just test against data variations.

WebTest uses a scripted approach which gives maximum power and flexibility but also maximum responsibility.

Dierk said they aim for running about 100 tests per minute so when the number of tests grows larger than about 1000 they split the tests up into suites which can be run in parallel using ant.

WebTest has lots of tests already including tests for PDFs, Excel and email but you can also write your own tests using either ant or groovy. Groovy is easier.

Dierk is also a commiter to the Grails project and WebTest comes integrated with Grails. He created a very simple Grails CRUD application and then running this in webtest was as simple as:

$ grails create-webtest Attendee
$ grails run-webtest

These commands created and ran automatically generated webtests.

He also demo’d the FireFox WebTest Recorder extension which can help start to build a test ‘interactively’ in the browser.

Clark Richey gave an interesting session on using DBUnit to test your database access layer code. Testing your DB access code can take a lot of code but it isn’t really ‘boilerplate’ as you have to test for corner cases and side effects. Using DBUnit can reduce the amount of code you need to write.

He gave some best practices for testing database code:

• Multiple databases per developer (eg, _dev & _test)
• Ensure the state of the database prior to testing
• Test in small chunks of data
• Don’t try to load everything into the db for a single test

DBUnit looks useful. You can define datasets in XML and there are lots of helpful methods for assertions. However there are some limitations:

• Not useful for validating queries that don’t alter the state of the database but DBUnit can still be used for populating the test data
• Dealing with foreign keys on autogenerated IDs is tricky – can’t really verify foreign key relationships

I liked the Java University session I had with Chris Richardson so I thought I would attend his talk on using EC2 for testing. He’d obviously read my previous post as he made a reference to me calling his accent “mutant”. Chris, I hope I didn’t cause offense! After introducing AWS and EC2 his talk was mainly about his open source framework called Cloud Tools which is a framework written in Groovy that’s used for deploying and testing Java apps on EC2. It was interesting, especially considering we’ve been using EC2 for testing at work for quite a while now.

He has a nice idea of using JetS3t to accelerate uploading of code. Basically, JetS3t is used to sync changes to code to an S3 bucket and then the deployed instances grab the code from the bucket which is obviously much faster than uploading it over DSL every time. He also has a maven plugin that gives you useful goals like deploy and db-save. It also has a JMeter goal for performance testing.

He finished off his talk with a few highlights of the Groovy language, managing to talk about Groovy GStrings without a hint of a smile.

Today was the first day of JavaOne proper and it was packed! There are so many people here! I arrived for breakfast at about 8am and already a queue was forming for the opening keynote general session. By the time I joined the end of it it had stretched the length of the Moscone Center. When I got inside the massive hall it was more like a rock concert. Loud music was pumping and some awesome break dancers were performing on stage. Then just before the keynote was to start James Gosling started firing t-shirts into the crowd using a giant slingshot held between two other people.

So the first general session was on the theme of the whole conference; “Java + You”. There were lots of demos of how Java is being used on the “four screens” of your life (I think these are your PC, phone, TV and car). Probably the coolest demonstrations were of JavaFX, used for creating rich internet applications similar to Adobe’s flex and AIR. You can make some cool applets using JavaFX but the coolest thing is you can drag these applets off the web page and onto your desktop and they continue to run. In fact you can then close the web page and keep the applet locally to be run on its own whenever you want. That’s cool!

The first technical session I attended was on IBM’s WebSphere sMash and ProjectZero. This is a “commercial project with a transparent development process” and is a rapid application development environment that is geared around developing RESTful mash-ups and Web 2.0 apps. It supports PHP, Groovy and Java and contains a PHP interpreter written in Java. At the moment this interpreter runs an intermediate representation of the PHP code but in future they plan to compile it to byte code. It contains its own web-based IDE and the application that is produced contains its own web server. So you can have a number of these applications running and they are started and stopped using an inetd type service. It looks like it is targeted at the enterprise developer who wants to throw something together quickly for internal use.

Joshua Bloch, Chief Java Architect at Google, gave an interesting talk on ‘More Effective Java’ which was a selection of points from his new book. He spent quite a bit of time on hints for using enums. For example, replacing bitfields with enums. There are lots of problems with bitfields: not typesafe, no namespaces, printed values are cryptic, eg ’12’, don’t scale – if number of constants grows beyond 64 you’re screwed. A solution is to use EnumSet and you end up with nicer code like text.applyStyles(EnumSet.of(Style.BOLD, Style.ITALIC)).

Rod Johnson from Spring gave a session on new features of Spring 2.5. He listed a whole heap of new features like:

• overhaul of Spring MVC
• enhanced testing support with JUnit4
• extended SQL error code mappings for popular RDBMSs
• integration with latest versions of JavaEE 5 APIs (Servlet 2.5, JSP 2.1)

but he focussed mainly on annotations.

Using annotation based DI can reduce the external config required and is more concise but downsides include:

• per-type not per-instance
• won’t work for legacy code
• need to recompile java code to change configuration
• not suited to externalizing simple types

Even so, Rod suggested fairly extensive use of annotations. You can use the @Autowired annotation which is Spring’s own syntax and uses the default autowire by type behaviour. This is the same as using autowiring in xml files but by using annotations you can be more selective. Of course the downside is you are using a spring specific annotation. If you don’t like this you can use the @Resource annotation although it is not as powerful as @Autowired so is not a best practice.

Rod also went through some of the other annotations like @Component which allows component scanning (where Spring scans your classpath for annotated classes). I can see how annotations are nice but it also means you lose your ‘application blueprint’ when all your beans are defined in xml.

Bill Pugh gave a really interesting talk on “Defective Java Code: Turning WTF Code into a Learning Experience”. Bill is responsible for the cool FindBugs static analysis tool and he had good tips for some common errors. He spent quite a bit of time discussing the equals method which can be trickier to implement than it might seem. The following must be true when implementing the equals method:

• equals(null) returns false
• if x.equals(y) then x.hashCode() == y.hashCode()
• equals is reflexive, symmetric and transitive

Symmetry is very important as non-symmetric equals can produce confusing and hard to reproduce results. He also discussed the debate of using instanceof or getClass() when implementing equals. Basically, both have problems. if you use instanceof and override equals you may break symmetry. If you use getClass then you cannot have a subclass equal to superclass. However you only need to worry about this when designing with subclasses.
Bill described different types of equality:

• Object equality (the default and useful more than you would suspect)
• Value equality (eg ArrayList and LinkedList representing {1,2,3} are equal)
• Behaviour equality (objects are equal if you can’t distinguish them based on behaviuor) – more subtle

Use of getClass will cause any subclasses to break equality. Also, use of getClass in hibernate objects will cause failures. However, if you use instanceof and override it you must not change the semantics of equals – all you can do is use a more efficient algorithm or instrument for debugging/performance monitoring. getClass is sometimes used in abstract base classes (eg BasicPermission class). If you use instanceof consider declaring the equals method final. Basically the moral is you should document your equals semantics. FindBugs can detect common problems with equals methods, for example, there are two equals methods in the JDK and four in eclipse that always return false plus one in eclipse that always returns true.

After the Rails stuff from yesterday I was interested to hear Guillaume Laforge talking about Groovy and Grails. This is a cool platform that uses Groovy in a Rails-type framework. What’s interesting is that it makes use of such projects as Spring and Hibernate yet simplifies their use so there is much less configuration required. For example, you don’t need to create hibernate mapping XML files.
The syntax is very Java-like (unlike Ruby) and integrates tightly with Java at every level. You can reuse legacy code and while Grails comes with jetty for development it is simple to package it as a war file for deployment on tomcat or some other app server.