Marcel Dullaart

Thanks for the quick response and the clarification.
I was under the impression that Spring DM came with extensions not covered by the spec, that originated my question.
Me, as an architect, usually prefer to follow standards, striving to make the actual business code vendor independent as much as can be.

Kind regards,
Marcel Dullaart

PS guess I have to catch up on the subject again

Hi folks,

Congrats with the release of your book about OSGi.

What do you think about the Spring DM implementation versus the JSR-291 specification?
Follow the JCP standard or use alternative API's such as Spring DM?

Kind regards,
Marcel Dullaart

It depends on the users local rights whether or not he/she can edit policy files. Users with Local Admin rights obviously can.
We have a centralized rollout model, thanks for that suggestion, but there are different profiles for installation. JWS/JNLP conceptually seems to be an interesting alternative, therefore am I investigating manners to control the permissions these applications can get.

So far these are the alternatives:

all-permissions, runs in the trusted environment, no influence on granted permissions

unsecured, runs in the untrusted environment, full influence on granted permissions through the javaws.policy

write our JWS launcher that forces certain pre-defined policies onto JWS applications

The latter gives the greatest flexibility, but also requires us to roll-out a modified JRE to each workstation and maintain the launcher.

Examining the jars, IMHO, only reveals the possible actions required by the application, not the location. E.g. accessing a file on the local system may be permitted in certain locations, but denied in others.

Thanks for the feedback,
Marcel

Thanks Maneesh for your answer, I really appreciate it.

Its indeed the code I want to restrict access for.
With JWP you download applications from the internet of which, signed or not, you don't really know what its doing, nor where its coming from.
That's why we want to restrict the permissions for the application to a certain degree, the application must be able to do its job, but nothing else.

Being an architect I'd like to come up with a standard way for our company to restrict the permissions 3rd party applications get to a predefined set.

Yesterday I found out that it is possible to restrict permissions if the JWP application's jnlp file does not specify the <all-permissions/>.
It appeared that the permissions defined in the javaws.policy are effective then.

But it would be best if this would also work with security settings enabled in the JNLP.

Kind regards,
Marcel Dullaart

Hello,

Today I closely examined the specification (jsr-56), the first section of paragraph 5.6 reads:

This specification specifies two trusted environments, the all-permissions environment and an
environment that meets the security specifications of the J2EE Application Client environment. Both of
these environments provide unrestricted access to the network and local disk. Thus, an application can
intentionally or unintentionally harm the local system. An application must only be launched if it is
trusted.

Is there no way whatsoever to restrict this somewhat?

Sure hope anyone here has some insights in this.

Kind regards,
Marcel Dullaart

Hi all,

Is there anyway to restrict the permissions a signed JNLP/JWS application receives?
For testing this I wrote a little app that, with a button click, can create, read, write to, and delete a file.
With the unsigned version I get an AccessControlException, as expected, while with the signed version I can do all tasks.

Then I first added the following policy to the javaws.policy file, but without any effect:
grant signedBy "demo", codeBase "http://demo:8080/signed-demo.jar" { permission java.io.FilePermission "C:/TEMP/jnlp-test.txt", "read"; }
So I added it to the java.policy file, but this also doesn't have any effect.
Is this at all possible? If so, how can I accomplish this?

Thanks for your time and help.
Marcel Dullaart

Hi Craig,

I am mostly interested in Spring MVC support for RESTFull services at th emoment.
Does Spring MVC support JAX-RS type services?

Looking forward to reading a copy of your book.

Cheers,
Marcel Dullaart

Hi
I have seen this quite annoying issue as well on Ganymede!
It just seems to pop-up every now and then. And it goes away, but I cannot pin point (yet) what causes this.

Hi Ashish,

Grading should have been started I guess.
There are 2 website that you could look at see this thread for more details.

Cheers,
Marcel

Hi Vivian,

I had the same issue as both of you guys. I took part III on June 17th, and found my results on prometric site at June 26th (see my post).
I continued to check the result in Sun's certificate manager website and found pending all the time (it still says pending right now).
So I send a message to who2contact@sun.com on July, 1st, but only got this answer on July 9th:

Dear Marcellino Dullaart,

Thank you for contacting Sun Certification Customer Support. We are happy to assist you. We apologize for the delay in processing your request. We are currently experiencing high email volume which is delaying our response time.

We apologize for the delay in the posting of your exam results. We have verified your exam results from the Assignment Watcher database and processed your certification as a Sun Certified Enterprise Architect for Java Platform Enterprise Edition Technology in the Sun CertManager Database at http://www.certmanager.net/sun.

Your Sun certification welcome package is being processed. Please allow up to four weeks for delivery.

There is a technical issue in Prometric�s testing system that is preventing exam scores from being transferred to our database for many candidates. Until the issue is resolved, we have verified your passing exam result and manually granted your certification. The exam results will not appear until a later date. This will cause no problems with your certified status.

Please let us know if we may be of further assistance. Thank you for choosing Sun products and services.

Sincerely,

Michele Castle

Sun Certification Customer Support
who2contact@sun.com

Last Saturday I received my certificate.

So bottom line, I guess, is keep mailing them and you will get the results.

Grtz,
Marcel

Congratulations
You've beaten me with 1 point

Ciao,
Marcel

You can use any generally released J2EE platform. When I did my Part II, I used J2EE 1.4.

And so did I. I did specify the exact Java Specifications used including the version numbers, so in generqal J2EE 1.4 and more specific EJB 2.1, Servlet 2.4 etc.

Suc6,
Marcel

Congratulations, you can now call yourself an architect

Ciao,
Marcel

Congrats!

You lost less points on the class and component diagrams then me.
I guess its now time to party for you as well

On which websites are your results published?
I can still only find my results on the CertManager website, but the Certification database still shows pending.

Ciao,
Marcel

Thank you all for responses, even Cameron

It would be great if you can share your Part II/III experience and approach.

For part III I took the questions listed in this post.

Regarding the assignment I think it is always wise to use a proper tool for creating your model.
Something like Rational Rose, Sparx EA, StarUML, etc. But the tool must at least ensure that your model is in sync.
This way every identifier is consistently named across your class diagram and sequence diagrams.

At first I read the assignment several times, keeping notes of the inconsistencies and unclear requirements.
Some of these un-clarities were explained further down, or hidden deeper in the description. Others were just unclear, so i made my own assumption about it and tried to keep these consistent in the model.

I used UML 2.1 in my models and have the sequence diagrams split up in parts, where a top diagram for each use case was used to show the inter action of the actor with the system. Each method in the top level diagram was detailed on its own detail sequence diagram, that showed the interaction within the system for the function.

Marcel