Over the last couple of large projects I have noticed a trend in the way software developers/engineers/architects like to come out with statements like "that code is shit". I'm not just talking about me saying it, or how they react to the code that I write (come on, I write great code!). But general sweeping statements like this crop up all the time on these projects, related to everyones code. And managers then perpetuate these statements. I think the reason is easy to understand. When a developer takes over responsibility for some code they want to make it clear that any problems with that code are unrelated to them. They don't want to take responsibility for the code which someone else has written. Because writing code is inherently creative and the same functionality can be written many different ways, you are almost guaranteed that a developer taking over some code "would have written it differently". What I have also noticed is that the developers coming out with statements like this do not know or do not want to understand the conditions under which the code was originally written. As an architect, I realise there are many many factors which influence the creation of code, budget being a major one. What some developers also do not fully appreciate is that the perfect implementation not only doesn't exist (because every developer would do it differently) but that it often isn't required. The perfect solution considers many cases which don't need to be…
Author: Ant
Java EE Security and Spring
Spring Security (originally ACEGI) does not seem to work out of the box with Java EE security (see here). I guess the reason is clear, namely that the people from Spring don't want you to be tied into Java EE and that makes sense because Spring something that you can use without Java EE. But instead of having to learn something new and instead of having to configure my security in a non-standard way, I wanted a way to ensure my services are only called by someone with the right authorization, exactly when they are deployed in a Java EE environment. Since a standard web application running in a Java EE container can be configured to have security, I expected to be able to configure Spring to use the web request to check the Principal for its security roles before calling a service, but that isn't possible. So, I set to work to quickly create a little library to help me out. The first step was to implement a Filter in the web application so that it could intercept every call and insert the web request (containing the Principal) into a ThreadLocal variable. The idea was that the ThreadLocal variable could then be used further up the call stack to query the security roles of the authenticated user. The filter implementation looks like this: public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { //set the request in the security…
White Papers
I have just uploaded two papers: Agile Software Development of Service Oriented Architectures, Business Process Models and Enterprise Service Buses Service Oriented Architecture Strategies They can be downloaded from: http://www.maxant.ch/white-papers
java.util.Calendar and the before method
Came across this nice problem today: The java.util.Calendar class provides a method "before(Object)" which is supposed to tell you if the calendar calling that method is before the given object. BUT, as stated in the javadocs it only works if the passed object is a calendar itself. If its a java.util.Date object, then forget it, the method just returns false, even though you would expect the calendar to be able to compare its date with a Date object. I can't quite figure out how come they don't just require a Calendar instead of an object. There is nothing in the code to give the reason. So, I just don't get it. But it's been like that for three years now, so I guess we just need to get used to it :-(
Cross Site Scripting (XSS) and Denial of Service (DoS) using AJAX and other Technologies
The other day I was wondering how Google Analytics works... You put a few lines of Javascript into your page and it loads another script to send data back to one of its servers. I assumed they used an AJAX XMLHttpRequest to send stats to their server. However, an XMLHttpRequest created in Javascript (or any script language for that matter) can only make calls back to the server where the browser made the original request, not where it loaded the script. So if for example a site abc.com has a page which loads a script from def.com, the script can create an XMLHttpRequest object but it can ONLY make calls to abc.com. Hmmm... that's not entirely true. With IE 6.0.2900 and probably earlier versions of Firefox / other browsers it was possible to make the XMLHttpRequest object call any server, which would be great for a Denial of Service (DoS) attack. Imagine you have a site with millions of page views a day? And your'e feeling unfriendly and want to create a DoS attack against your foe. Easy, you put some script in a page which is frequently viewed, and unknowingly, every one of your readers viewing that page makes a call to your foe's website, stretching its abilities to relpy to all requests, resulting in the DoS attack, which might even take down the server... Or even worse, an unfriendly user of yours posts some content to a forum containing a script to perform that DoS on their own…
Blog Piracy…
The internet never ceases to amaze me... For it appears someone at ease with a cyrillic language is copying my blog word for word: http://rational_software_architect.softblog.biz/category/work/page/2/ I guess I shall take it as a compliment. I also guess they are just an RSS subscriber and their blog gets updated automatically, so perhaps all of my future postings will have copyright notices in them :-( So, this posting is Copyright 2008, Ant Kutschera! UPDATE: Excellent - I see the site has been taken down! I wonder if its because of the email I sent to their provider, or because they just got bored? Probably the latter :-( If you notice that the site is ever up again, please post a comment below to inform me. Thanks!
ThreadLocal and Thread Pools
ThreadLocal is a mechanism that can be used to put data onto a thread so that it can be accessed from any code using that thread. One use is to make contextual information relevant to the current thread available throughout the stack trace, for example a transaction context, or security context. If you use it yourself, you need to watch out if the environment in which it runs gets its threads from a thread pool (e.g. if your application runs in a managed container such as in an app server). Typically a thread pool gives no guarantee that the ThreadLocal (or indeed other internal state) will be cleared next time the thread is taken from the thread pool. This means you could have an issue - consider this case: Two web applications deployed in the same EAR (or even seperate EARs depending upon your class loader configuration and deployment) - both set a thread local which is a map (key / value pairs). One application, in a given case, processing a web request doesn't set a value in the map and calls a service which reads that unset value using a key (the same key is used within both applications). Instead of being unset (null / empty), that unset value could be a value from the other application, if the thread is not new and your code does not clean up the thread local before returning the thread to the pool. I did some tests and these were the results:…
Complexity makes for exponential maintenance costs?!
The title of this article isn't a fact, just a thought. However the thought comes from the experience of putting a very complex application into production and watching what happens. So long as there is stuff to do on the application, e.g. further releases adding more functionality, the maintenance costs are minimal, because you can plan the people who do the maintenance to do spend say 20% of their week on maintenance tasks while spending the rest of their time on building the new functionality. But what happens when there is no more new functionality to build? What happens if suddenly there is no budget for new functionality? Well, you normally scale down the team, reducing head count to the minimum required to keep the knowledge about the application. You will probably put them part-time on other projects. But now it gets hard. If the application is very complex or uses many differing technologies, it might not be possible to efficiently (in terms of reducing knowledge loss) reduce the size of the team below a specific size. If you application uses say a BPEL Engine, an Oracle Database, a Java Application Server, has a web front end and connects to several external business partners requiring knowledge of complex business rules, you probably already have the requirement to keep more than five people for maintenance. Mostly, this doesn't cause a problem, because those people can happily staff other projects. But if the application is so complicated that they are certain to…
Reporting Stats
A few years ago when I was the integration architect in charge of my Global 500 customers EAI projects, the product that we used did not really offer any way to track the number of messages travelling through the system. To get around this, we added a little library that recorded a small amount of information about each message. The idea was that every application (message flow) within the EAI system would be instrumented with this code and we would gain an oversight over which interfaces were the important ones and which ones made a return on their investment. The sort of data we collected was: Interface / Application / Process Name Message Type Message Size Timestamp Status (eg. IN, OUT, SUCCESS, FAIL) Correlation Token (in case several messages belonged together) Error (ie. details of an error) Custom Data (specific to each interface / app / process) There was probably more... it was a few years ago now :-) Anyway, we soon discovered that there were applications that were not even being used, even though our customers had paid many tens of thousands of dollars for them (ok, I admit that isn't a lot of money in the IT world). Since then Google has created its "Analytics" offering which generates some excellent reports for web site statistics. Indeed, maxant has always collected web stats for the websites it runs. It is very important to know your users / customers usage patterns, in order to be able to understand their real…
Spring Services Anywhere
I recently embarked on some Spring "re-training" (I haven't looked at it in a few years and it was time to get my skills up to scratch again). Since the last time I looked at Spring, I have worked on a couple of rich (thick) client projects where it was almost impossible to find people with both server skills and GUI skills (the market is quite good at the moment and people like me with all those skills get snapped up very quickly ). Anyway, since it is hard to find strong GUI programmers who also know how to deploy an app server and start it, it becomes desirable to be able to run the services inside the same JVM as the GUI programmer is developing in. There is then no wasted time due to EJB configurations and all the crap that comes with server development. About 18 months ago, I got around the problem by quickly implementing a clever service locator. It worked brilliantly, the only real problem being that we had a few bugs because people had developed code which worked when services were local but not when they were remote. The effort in fixing those bugs was however minimal. On my current project, we are using a proprietary framework based on Inversion of Control and Dependency Injection. Based upon its configuration, a client can call services locally or remotely too. If calling services remotely, they are invoked inside a stateless session bean which uses reflection and proxies…
