Tuesday, October 25, 2005

JSP Database Access Best Practices Links

Here are some JSP database access best-practice URLs: http://java.sun.com/developer/technicalArticles/javaserverpages/servlets_jsp/

https://bpcatalog.dev.java.net/nonav/solutions.html

http://java.sun.com/reference/blueprints/ https://blueprints.dev.java.net/

Download the Blueprints book from: https://blueprints.dev.java.net/books.html

There are two ways of accessing a database from a JSP page. One is through a JavaBean object, which could be an EJB or a POJO (Plain Old Java Object); EJB and POJO have in any case converged in EJB 3.0. The other is embedding the database access code in the page itself.

For pages that embed SQL database access code, it is strongly recommended to use JSTL (the JSP Standard Tag Library), which is specified in JSR 052; here is a coding example from Oracle.
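As an added illustration (not from this page, Sun's blueprints or Oracle's example), here is how a JSP page would embed a lookup with the JSTL sql tags instead of a scriptlet: the statement text stays fixed and the request parameter is bound through <sql:param>, so user input can never change the meaning of the query, which is the main security reason to prefer JSTL over hand-built JDBC in a page. The data source name jdbc/AppDS and the accounts table are assumptions made for this example.

```jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/sql" prefix="sql" %>
<%-- Assumed (made up for this example): a container-managed DataSource registered
     under java:comp/env/jdbc/AppDS and a table accounts(account_no, holder, balance). --%>

<%-- The pattern to avoid in a scriptlet is building the statement text by hand:
       String sql = "SELECT holder, balance FROM accounts WHERE account_no = '"
                  + request.getParameter("acct") + "'";
     whatever the caller sends becomes part of the SQL, so the query's meaning is
     under the caller's control. --%>

<%-- JSTL version: the SQL is a constant; the ? placeholder is filled by <sql:param>,
     which the JSTL implementation passes to the driver as a bound parameter. --%>
<sql:query var="rs" dataSource="jdbc/AppDS">
  SELECT holder, balance FROM accounts WHERE account_no = ?
  <sql:param value="${param.acct}" />
</sql:query>

<c:choose>
  <c:when test="${rs.rowCount == 0}">
    <p>No account found.</p>
  </c:when>
  <c:otherwise>
    <table>
      <%-- c:out escapes <, >, &, ' and " by default, so database content that
           contains markup is rendered as text rather than interpreted by the browser. --%>
      <c:forEach var="row" items="${rs.rows}">
        <tr>
          <td><c:out value="${row.holder}" /></td>
          <td><c:out value="${row.balance}" /></td>
        </tr>
      </c:forEach>
    </table>
  </c:otherwise>
</c:choose>
```

The page behaves the same for any value of the acct parameter, including one containing quotes or SQL keywords, because the driver receives it as data and not as statement text.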

In many models the database tables need to be mapped to Java objects, and a few frameworks are available for doing it. Notably, EJB 3.0 has an excellent architecture. One should also consider Apache Object Relational Bridge, JDO (Java Data Objects) and Hibernate (which is EJB 3 compatible).

One could use Druid, an open source tool for database porting; it also has a Java object generator using Hibernate. A better tool, free but not open source, exists called C24 IO.

For new development one must seriously consider JSF (JavaServer Faces), which is the next logical step from Struts. It is specified by JSR-127. One must not use ad hoc models for navigating between pages.

I strongly recommend following the coding style specified by Sun.

Thursday, August 25, 2005

Delving into Compiere

On the lookout for an Open Source Java ERP, I landed up with Compiere. We installed and tried to run it. Then I thought buying the user manual would make life easier, and it did to a certain extent. Encouraged, I started to look under its hood. I was in for the shock of my life!


Let me start with the good things first. It has a comprehensive Swing-based GUI. It even boasts its own look and feel called Compiere looks! Another interesting thing is its JDO type of data model, which is generated by a Java tool in their dbport module. They have a Web-based interface, which is still in beta state (as of 2.52e); it misbehaves a bit.



The downside is that the JDO type model also depends heavily on stored procedures written in PL/SQL, and Oracle 10g is the only fully supported database. So much for its Open Source credentials! Though to be fair, I could see some efforts to make it run on other databases as well.


Having said that, they have JBOSS sitting tight inside it. But the disappointing aspect is the way they have used EJB. They pass around objects to the Session Beans which are SQL aware; the client side is also fully SQL aware. This is one of the glaring ANTI DESIGN PATTERNS.


I think all Java J2EE programmers must study Compiere's J2EE design to learn how not to program in EJB.


I encourage all Java programmers to have a look at

[installed dir]/compiere-all/serverRoot/src/main/ejb/org/compiere/session/ServerBean.java


You can download Compiere from http://sourceforge.net/projects/compiere/


Best of luck, please don't die laughing!

Wednesday, August 24, 2005

Apache XML versus Sun Java XML

Apache XML technologies, xml.apache.org, are implemented in Java (though many of the APIs also support C++ and Perl). Sun's Java XML APIs also cover a catchment of XML technologies. What are the differences and similarities in their approaches? Which is better?

Basically, both Apache XML and Sun Java agree upon and acknowledge the XML standards like XSD, XPath, SOAP and WSDL, to name a few. They also agree upon the core XML APIs like SAX and DOM. Sun proclaims that there are three ways to parse XML: SAX, DOM and streams. XML over streams is implicitly acknowledged by Apache XML. There have also been cross contributions between Sun Java and Apache XML. The reference implementation of the Java XML core API provided by Sun in JDK 1.5 is that of Apache Xerces. Also, Apache Axis figured in Sun's Java Web Services Toolkit.

Some of the APIs and packages do conflict, like Apache XMLBeans with JAXB. Apache claims that XMLBeans fully implements XSD and, at the same time, criticizes JAXB for not fully supporting XSD (XML Schema). Sun Java acknowledges in its documentation that JAXB partially supports XSD.

The reason for this partial XSD support in Sun Java provides an insight into the differences in their respective design philosophies.

For Sun Java, objects are the prime focus, whereas Apache views XML as prime.

In Sun's philosophy you think in Java, and use XML for persisting Java objects to storage and for inter-process communication.

Apache's philosophy, on the other hand, is to think in XML and use Java as the underlying implementation component. Therein lies the basic reason for the differences in their approaches.

I will not judge which of the two approaches is better, since I use both depending on which model fits the problem at hand the best. Languages are structural models for channeling the thought process. Some languages have an edge over the others in a given problem domain for providing a range of solutions.

Use whichever model suits you and you feel at ease with while modeling a solution to a given problem.

Ashish Banerjee (www.Ashish.Banerjee.name)



Sun Tzu : The Art of Cyber Warfare

By Ashish Banerjee, www.Ashish.Banerjee.name, 12 May 2005.

We needed a framework for thinking about and designing security for a mission-critical, geographically distributed banking application over a wide area network.

Our goal was to provide the financial transactions, databases and computing infrastructure with the highest possible security.

What does security mean in the information domain?

Information security must address Authenticity and Confidentiality. Authenticity involves data integrity and non-repudiation. Data integrity means that we are assured that the information has not been tampered with and that data packets have not been re-transmitted (or replayed) with malicious intent. Non-repudiation means that the author of a record is not able to deny having authored it; it mainly involves public-key based digital signatures. Confidentiality involves the assurance that no one is able to snoop on the communication and that only authorized persons within the organization can access the information.
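The three properties above, as an added example that is not part of the paper: a transaction record is signed by its author with a private key (non-repudiation), the receiver verifies the signature over the record and its nonce (integrity), and a nonce that has already been accepted is refused (replay detection). The record format, the nonce scheme and the in-memory nonce store are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.HashSet;
import java.util.Set;

// Added example: signature-based integrity and non-repudiation with replay rejection.
// All records, nonces and keys below are constructed for the demonstration.
public class SignedTransactionCheck {

    // Nonces already accepted; in a real deployment this lives in durable storage.
    private final Set<String> seenNonces = new HashSet<>();
    private final PublicKey authorKey;

    SignedTransactionCheck(PublicKey authorKey) { this.authorKey = authorKey; }

    // Bytes that get signed: nonce and payload together, so neither can be swapped alone.
    static byte[] canonical(String payload, String nonce) {
        return (nonce + "|" + payload).getBytes(StandardCharsets.UTF_8);
    }

    static byte[] sign(PrivateKey key, String payload, String nonce) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(canonical(payload, nonce));
        return s.sign();
    }

    // Returns a verdict string so the caller can log and alert on each failure case.
    synchronized String accept(String payload, String nonce, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(authorKey);
        v.update(canonical(payload, nonce));
        if (!v.verify(sig)) return "REJECT: bad signature (tampered record or wrong author)";
        if (!seenNonces.add(nonce)) return "REJECT: replay of nonce " + nonce;
        return "ACCEPT";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair author = g.generateKeyPair();
        SignedTransactionCheck receiver = new SignedTransactionCheck(author.getPublic());

        String tx = "TRANSFER;from=ACC-001;to=ACC-002;amount=500.00"; // constructed record
        String nonce = "n-20050512-0001";                              // constructed nonce
        byte[] sig = sign(author.getPrivate(), tx, nonce);

        System.out.println("first delivery: " + receiver.accept(tx, nonce, sig));
        System.out.println("same packet again: " + receiver.accept(tx, nonce, sig));
        System.out.println("amount altered, old signature: "
            + receiver.accept(tx.replace("500.00", "5000.00"), "n-20050512-0002", sig));
    }
}
```

A production receiver would also bound the nonce store by embedding a timestamp in the nonce and refusing records outside an acceptance window, so that the set of seen nonces does not grow without limit.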

We found that the warfare paradigm suited us the best.

Sun Tzu, an ancient Chinese general of the 6th century BC, wrote The Art of War over 2000 years ago, and yet its principles are still used in modern warfare as well as in management thinking. Sun Tzu's central doctrine is: To win without fighting is the best. We have adopted this doctrine for our security framework.

Thinking about security as warfare transposed into cyberspace enables us to get the best of the two prevalent security models, namely asset-centric security and perimeter-centric security.

In the asset-centric model, assets like servers and databases are protected, while in the perimeter-based model the focus is on protecting the corporate boundary. In our framework, we model Information Infrastructure Security as a manifestation of warfare in virtual space, and are thus able to cover both the assets and the boundary.

Understanding the warfare terrain is the highest responsibility of the general, and it is imperative to examine them: Sun Tzu.

In our security framework we first define three concepts:

  • Terrain

  • Domain

  • Territory

The warfare Terrain encompasses all the network space from which an attack can be launched on our domain. The Domain encompasses our territory as well as all the networking pathways, not owned by us, through which our data flows. The Territory encompasses all the computing assets, databases and networking infrastructure owned by us. The aim is to keep our domain secure and protect our territory.

Thus Terrain is a superset of Domain, which is a superset of Territory.

Imagine that you are a baron owning two castles and you need to transport foodstuff from one of your castles to the other. You do not own the road connecting the two, as it passes through a friendly neighboring fiefdom. The road passes through a valley surrounded by high mountains, owned by neither your neighbor nor yourself. In this analogy the two castles are your Territory. The road and the castles are your Domain. And the Terrain comprises the high mountains, the valley, the road and the castles.

You may ask, why are the castles included in the warfare terrain? Well, to protect ourselves from the enemy within. A study found that nearly 70% of attacks are launched by insiders having intimate knowledge of the system's internal security.

Making armies able to take on opponents without being defeated is a matter of unorthodox and orthodox methods: Sun Tzu.

This brings us face to face with the enemy. The enemy is any entity that intends to attack our territory. In order to plan our defenses, we need to profile our potential enemies and chart out their motives.

A non-exhaustive list of enemy profiles and their motives is:

  • A disgruntled current or ex-employee, whose motive may be to harm the company.

  • A greedy employee out to make quick money.

  • A hacker wanting to hold your data hostage to extract a ransom.

  • A teenager out to prove herself a wisecrack.

  • A customer wanting to gain an unfair advantage by fudging your accounts.

  • A competitor wanting access to your trade secrets or your customer databases.

You can add more to this list. There are also situations where the profiles above may collaborate to achieve their ends.

Invincibility is a matter of defense, vulnerability is a matter of attack: Sun Tzu.

Having profiled our potential attackers, let us see what types of attacks they can launch:

  • Denial of Service attack: the network or a server is rendered unusable by flooding it with spurious traffic.

  • Trojans: a program has trap doors built in to compromise the system, by sending information out or letting people in.

  • Facade: a dummy resource erected to fool legitimate users into giving out secret information. For example, a dummy ATM machine was set up by attackers to collect card PINs!

  • Spyware: malicious programs that usually get in through e-mails or rogue web sites, monitor your desktop for password typing and send this information back.

  • Man in the middle: in this type of attack, the communication is intercepted and modified for malicious reasons by getting into, and becoming a part of, the communication channel.

  • Phishing: a type of social engineering attack, where official-looking e-mails are sent to harvest passwords and access codes.

  • IP masquerading: a machine or a router within the network of a service provider is reprogrammed to redirect traffic to another computer.

  • DNS spoofing: the DNS server, which resolves the IP address for a domain name, is hijacked to resolve a trusted site name to a malicious computer.

  • Hack in: a software vulnerability or a weak password is exploited by the attacker to break into the system.

  • Snooping: the attacker accesses the communication; often the security authorities have hooks into the public IT infrastructure, and this authority can be misused by an agent.

  • Authority misuse: an authorized internal person misuses his access to manipulate the system to his advantage. A programmer had once programmed the system to drop the rounded-off change into his own bank account!

Again, the above list is not exhaustive, and newer methods are always being invented.

It is hard to know as the dark; its movement is like pealing thunder: Sun Tzu.

We now come to the point of planning our defenses. There are three situations in defense:

  • Preemptive: this is the best situation to be in; we have not been attacked and yet we are prepared for it. Erecting a firewall and vulnerability testing are the two most common plans for this situation.

  • Under attack: here we have been attacked and need to respond to the situation. Fighting a DOS (Denial of Service) attack is one of the most challenging examples.

  • Postmortem: this situation arises after our security has been compromised. This is the worst situation of the three to face. We need to trace the intruder and sanitize the resources to remove any Trojans or spyware; we also need to inform and co-operate with legal agencies and collect the log files as evidence to trace and book the offender. An offender who goes scot-free is likely to attack again.

Armies must know there are adaptations of the five kind of fire attacks, and adhere to them scientifically: Sun Tzu.

In the warfare paradigm, software tools, algorithms and programs become the weapons. Weapons are technology tools and can be used both for defense and for attack.

There are many such tools available, and since this is a general white paper, we shall come out with a detailed paper on the specific tools applicable within our security framework. Meanwhile, security sites like www.insecure.org and linux.org list many of the security tools in use.

One who is good at martial arts overcome other's forces without battle: Sun Tzu.

One of the strategies is to shrink the terrain, the optimum being a terrain equal to the domain. This can be achieved in multiple ways, one of them being to take a VPN (Virtual Private Network) from a single vendor, with MPLS and IPSec protocols running over IPv6.

The maximum security you can get is to shrink the domain into your territory; that is, you own all the networking as well as the computing infrastructure. This scheme is, however, not practical for most real-life financial domain applications. For example, most financial transactions in the USA, including ATM traffic, are routed over the Internet!

So it is said that victory can be made: Sun Tzu.

Reference: The Art of War by Sun Tzu, translated by Thomas Cleary. ISBN 1-56957-100-7, published by Shambhala (www.Shambhala.com).

Wednesday, August 17, 2005

Open Source ERP for Small Enterprises

We needed an Open Source ERP solution for small enterprises.

As I am personally inclined towards Java and XML (I love the Dot Net architecture too! I co-authored a C# Web Services book with Wrox.com), I googled with the keywords "Open Source Java ERP", and up comes Compiere every time. Tiny ERP (www.tinyERP.org) also popped up, and so did some weird site having 5th Gen affiliations (I thought 5G was dead with the Japanese AI initiative in the mid and late 80s)!

I have thus zeroed in on compiere.org and www.tinyERP.org.

TinyERP site tempted me by their FAQ, which says that it takes a few minutes to install their ERP! Though indeed it took me less than a minute to download, they forgot to mention in the FAQ that it also needs Python runtime and postgreSQL.

TinyERP is implemented in Python. Hope the snake loves Java! There is indeed a Java implementation of Python available, called Jython. NetBeans, my favourite IDE, also seems to support Python (coyote.dev.java.net)!

Though TinyERP is less than a meg, PostgreSQL 8.03 is about 17 MB and Python runtime is about 10 MB.

Having said that, it's been more than an hour since my temptation to try TinyERP and I am yet to see it running. I have since then downloaded and installed Python and PostgreSQL. The server setup script now wants psycopg (PostgreSQL module), libxml2 (libxml2 Python bindings) and libxslt (libxslt Python bindings).

I feel like I am being crushed by a python! But, having gone this far, I might as well download and install these as well. For all the TinyERP dependencies click here.

After some two hours and an additional 8 to 10 MB of downloads later (thanks to broadband, downloads take no time), I was finally able to run the TinyERP client and server setup without any ugly error messages.

But, I am yet to see any screens!

After a few false starts, I was finally able to run the TinyERP server. It uses XML-RPC and serves at port 8069 by default. XML-RPC, hmmm..., it's a good idea!


But I am yet to see any screens! So let me try and start the client. Yes! I could do it! The screens are pretty neat. In the next few days I shall be exploring its features.

Earlier on, I had ignored GNU Enterprise (GNUe), probably because it was not written in Java, but now that I have installed Python and have to a certain extent overcome my ophidiophobia, I am of a good mind to try GNUe as well.

On the other hand, Compiere (Release 2.5.2e) runtime is about 27 MB and the source is about 33 MB.
Though they claim to be DB independent, they have listed Oracle 10g as their requirement! The site claims to be database independent in design, but it also says: "At this point, only Oracle is fully supported. The installation on Sybase is Beta and currently requires good knowledge of Sybase and Compiere. Other databases will follow."

In contrast to TinyERP, installing Compiere was relatively smooth. This may be because we are native to Java. The biggest hurdle in the Compiere installation is the Oracle 10g installation. This beast needs 1 GB of RAM, but we had 512 MB of physical memory, so we increased the swap area and then increased the virtual memory to 4 GB. If the virtual memory is less than a GB, Oracle gives out a warning and installs, but thereafter it haunts you with all sorts of problems. My colleagues at SIPL, Amit Goel and Shalendra Joshi, installed Compiere and Oracle 10g. It took about 2 days to tame the dragon called 10g. Thereafter, following the instructions, Amit had a textbook installation that took about an hour. Now we are off to explore its functionality.



Ashish Banerjee (www.Ashish.Banerjee.name)