Intro: Open Source now and in the future
Simon Phipps, Sun
Talked about the benefits with Open Source. And how it is hard to gain value from taking a snapshot and adding own functionalities without giving the new source code back to the community. You would become the "Regression test slave" as Phipps expressed it. Open Source: "Earn the living by giving back".
Talked a bit about:
ODF (OpenDocument Format)
OpenOffice.org.
Software Patents, compared them to the fact that:
"American have guns because American have guns" and so do they have Patents.
Interoperability is a buzz word that Phipps did not really believed in. He did not have very hight thought of Web Services. So he wanted to introduce a new buzz word "Substitutability". It should be easy to throw out a piece of software and put in a new piece without suffering.
- Open Standards
- OpenSolaris
- OpenSPARC.net
Introduction to Java EE 5 and EJB 3
Mike Keith - Wrote "Pro EJB 3" Book.
This was mainly an introduction to EJB3s and a comparison to EJB 2.1.
Mike showed how EJB3s are simplified by using:
- Annotations
- Dependency Injection
- Simplified Web Services
- New Java Persistence API
JPA - Java Persistence API
Mike Keith
JPA was created as part of EJB3 within the JSR 220
Released May 2006 as part of Java EE 5
Key points
- javax.persistence
- Annotations makes everything much easier, but it is still possible to use XML. (@Entity, @Id etc.)
- Persistence Context - Think of a hash table where all entities are a set of "managed" entity instances.
- EntitiyManager API
-- persist() - Insert a state of an entity into the DB
-- remove(), find(), merge() etc .
The entityManager is injected into the object using it.
- Queries - Dynamic and Static
-- Query API - getResultList() etc.
- ORM
- JPA can used in Java SE as well.
Recommended tools in Eclipse: Dali JPA Tools
Secure Coding Antipatterns: Avoiding vulnerabilities
Marting Englund, Sun
Went through 6 antipatterns - things not to do while coding java thinking about security. Many examples was related to for example applets where the user have access to the source code, but how often are they used in security related solutions these days. Anyway, the 6 antipatterns were:
1. Assuming Objects are Immutable
- Attacker can change signers of a class
How to prevent: Make a copy of mutable output and input parameters (deep cloning)
2. Checks on untrusted source
- Use subclass, e.g. extend File
How to prevent: Create a new object from the untrusted source. Is it really a File object or was it a subclass.
3. Ignoring Changes to Superclasses
All changes propagate to the subclass which might open security holes.
4. Neglecting to validate inputs
- Embedded requests bypassing security checks
Requests examples: GET http://.... or Queries
Good solution: Public method that takes care of all the security (validation) and then calls the Native method.
5. Misusing Public Static variables
- Attackers can replace values whenever, the variable becomes public in the whole JVM.
Good Solution: Use private static or even better Enum.
6. Believe a constructor exception destroys the object
Solution: Use intitialized flag, check the flag in all relevant methods
Following these 6 anitpatterns should make your code more secure. Not really sure it is needed all the time though.
check out:
java.sun.com/security/seccodeguide.html (a new version to be released soon)
