beautypg.com

Java EE – Google 2007 JavaOne Advance Conference Guide User Manual

java.sun.com/javaone |

technical sessions | track four : java EE |


Java EE

TS-4514 Three Approaches to Securing Your JavaServer Faces Technology/Spring/Hibernate Applications

Jaya Doraiswamy, ELM Resources
Ray Lai, Intuit

There are at least three security frameworks for securing your JavaServer
Faces technology/Spring/Hibernate applications. Container security
(such as page navigation), JavaServer Faces technology security (role-
based security for JavaServer Faces components), and the Spring-Acegi
framework (role-based access for web pages and Spring beans) are
frameworks that address different problems in different tiers. Picking an
inappropriate solution may affect the overall security.

Security for JavaServer Faces technology/Spring/Hibernate applications
should be end-to-end rather than limited to the web tier. This session
discusses how different security frameworks can secure web page
components; the business tier, such as the JavaBeans architecture; and the
data tier, such as data objects using Hibernate. It also covers techniques to support
both web and nonweb applications and a variety of security providers,
such as Java Authentication and Authorization Service (JAAS), database,
and LDAP.

The session uses a loan application example. Developers get perspective
on when and why each security framework should be used and the
drawbacks of each.

TS-4532 Building an Embeddable Enterprise Content Management Core with the Latest Java Technologies

Florent Guillaume, Nuxeo

This session describes the architecture and implementation of an
embeddable, extensible enterprise content management core for Java EE
and simpler platforms. The presentation starts by describing the general
architectural concepts used as building blocks:

• A schema and document model, reusing XML schemas and making
good use of XML namespaces, where document types are built with
several facets

• A repository model, using hierarchy and versioning, with the Content
Repository API for Java (JSR 170) being one of the possible back ends

• A query model, based on the Java Persistence query language
(JSR 220) and reusing the path-based concepts from Java Content
Repositories (JCR)

• A fine-grained security model, compatible with WebDAV concepts and
designed to provide flexible security policies

• An event model using synchronous and asynchronous events, allowing
bridging through Java Message Service (JMS) or other systems to other
event-enabled frameworks

• A directory model, representing access to external data sources using
the same concepts as for documents but taking advantage of the
specificities of the data back ends

Suitable abstraction layers are put in place to provide the required level
of flexibility. One of the main architectural tasks is to find commonalities
in all the systems used (or whose use is planned in the future) so
framework users need to learn and use a minimal number of concepts.
The result is a set of concepts that are fundamental to enterprise
document management and are usable through direct Java technology-
based APIs, Java EE APIs, or SOA. The presentation shows, for each of
the main components, which challenges have been met and overcome
when building a framework in which all components are designed to be
improved and replaced by different implementations without sacrificing
backward compatibility with existing ones.

The described implementation, Nuxeo Core, can be embedded in a basic
Java technology-based framework based on OSGi (such as Eclipse) or in one
based on Java EE, according to the needs of the application using it. This
means that the core has to function without relying on Java EE services
but also has to take advantage of them when they are available (providing
clustering, messaging, caching, remoting, and advanced deployment).

The session includes a demo. Attendees should have intermediate
knowledge of Java technology concepts and design patterns and an
understanding of the content management problem space.

TS-4568 Java Persistence API: Portability Do’s and Don’ts

Michael Keith, Oracle

The Java Persistence API has been declared the unifying standard
for POJO persistence in the enterprise. It offers enterprise runtime
portability in exchange for using its runtime API and metadata portability
if its annotation or XML format is used to specify O/R mapping and/or
persistence metadata.

One of the biggest wins for users is the pluggability of implementations,
allowing mixing and matching of Enterprise JavaBeans (EJB) technology
containers and persistence providers. This gives an application the ability
to pull out an existing persistence provider and plug another one in, an
ideal scenario for comparing performance and scalability. An important
requirement for this to be possible, though, is that the application be
portably written and decoupled from all proprietary features and API calls.

Although the first release of the Java Persistence API specification
includes the most important and heavily used persistence features, it
does not specify every feature that has been uncovered by more than a
decade of O/R mapping and Java technology-based object persistence.
The most useful of these features, such as fine-grained user code for
object mappings, database schema generation, or read-only reference
entities, are supported by many of the current O/R persistence products
and will likely be added to a subsequent specification release. Until
that time, however, persistence developers should be aware of the
features that are standard and those that currently lie outside the
standard. This presentation outlines some of the boundaries defined
by the current Java Persistence API specification, 1.0, and examines
practices that can cause an application to stray from the portability
path. It discusses some of the different aspects of portability, including
source code, compile-time and link-time incompatibilities, and semantic
and metadata-based dependencies.

TS-4089 Web Beans Update

TS-4225 What’s New in the Java Portlet Specification 2.0 (JSR 286)?

TS-4247 Enterprise JavaBeans 3.5 Technology

TS-4249 The Top 10 Ways to Botch Enterprise Java Technology-Based Application Scalability and Reliability

TS-4436 Technical Overview of GlassFish Build V2

TS-4439 Minimalist Testing Techniques for Enterprise Java Technology-Based Applications

TS-4514 Three Approaches to Securing Your JavaServer Faces Technology/Spring/Hibernate Applications

TS-4532 Building an Embeddable Enterprise Content Management Core with the Latest Java Technologies

TS-4568 Java Persistence API: Portability Do’s and Don’ts
