Renat Zubairov

Actually I want to use embedded tomcat in my application. Sort to have a servlet container for one VIP web application. And I really don't want to deploy all directories needed by Tomcat.
Also I've found solution - Tomcat doing it by default so, now I have 5 jars + 1 war for all tomcat and webapp. It works fine.

Hello All!
I have a question concerning embedded tomcat.
How to make it even more embedded as it is?
E.G. Read default web.xml, context.xml, tomcat-users.xml etc not from the file system but directly from the JAR (for example using class.getResourceAsStream())?
Is there any standart way to acomplish it?

BR
Renat

Hello All,

I'm new to SWING and GUI programming. Could you tell me what is the most used frameworks for GUI, e.g. in serverside I use struts, hibernate, commons-logging etc. What is the most usefull frameworks for GUI part?

Thanks.

Renat

Hello Ryan,

I've looked on it. It's quite ok, but it didn't solve my problem (as far as I figure out). BTW I'm need instance based authorization;
My problem is that I can't put a permission checking code in the model classes because those classes are modified not only by the clients (via controllers) but also by the ORM tool during load from the DB.
Example I have a model class:
public class User { private String name; private String password; public User { // Do nothing here } public String getName() { return name;} public String getPassword() { return password; } public void setName(String value) { name = value; } public void setPassword(String value) { password = value; } }

If I put a permission checks in it it would looks like
public class User { private String name; private String password; public User { JAASUtil.checkCreation(this); } public String getName() { JAASUtil.checkReadAcces(this); return name; } public void setName(String value) { JAASUtil.checkWriteAccess(this); name = value; } .... etc. }

Then I've got an exception because my ORM tool (Hibernate) trying to instantiate and set a values from database. But Hibernate is not authorized (and it shouldnt I guess).

I've found one (bad) solution - put checks in the controller classes but this is really bad solution.
Another solution is AOP (AspectJ) i.e.
do checks in
cflow(UserFlow) && (!cflow(HibernateFlow))
But you know, it's not standart solution.

Dear All,
I have a question concerning authorization strategies for Web tier. My assumptions:
1. Web tier is implemented using JSP or Velocity templates
2. Model is stored in the DB using ORM tool (Hibernate)
3. Model is directly accessable by the web tier, i.e. controller (Strust) get the model from the ORM and put in in the request context where it's accessed (readed) by JSP or Velocity templates.

I'm trying to implement security using JAAS and my security implementation is based on following assumptions:
1. No hardcoded policies - every access to the data (read or write) should be checked by the JAAS
2. I can't put JAAS permissions checks in the model because it's being readed and changed by ORM tool (for example during load of data from the database Hibernate creates an instance and then calls setter methods to fill object with data) therefore I need to put security checks (runAsPrivileged) to all controller (in MVC sence) classes which is not possible because I'm using Velocity which is reflection based;

So, I can't employ JAAS in my case
What is my mistake?

BTW this book is already aviable in Edonkey (P2P) networks.

Originally posted by Craig Anders:
Hello,

I was attending JavaONE lastweek. I picked up a poster and Book preview chapter illustrates "Security patterns for J2EE applications". It sounded like a patterns effort from Sun microsystems. You may able to find some related information for your problems and particularly contacts from "www.coresecuritypatterns.com".

-C

Dear All,
I have a question concerning authorization strategies for Web tier. My assumptions:
1. Web tier is implemented using JSP or Velocity templates
2. Model is stored in the DB using ORM tool (Hibernate)
3. Model is directly accessable by the web tier, i.e. controller (Strust) get the model from the ORM and put in in the request context where it's accessed (readed) by JSP or Velocity templates.

I'm trying to implement security using JAAS and my security implementation is based on following assumptions:
1. No hardcoded policies - every access to the data (read or write) should be checked by the JAAS
2. I can't put JAAS permissions checks in the model because it's being readed and changed by ORM tool (for example during load of data from the database Hibernate creates an instance and then calls setter methods to fill object with data)

Based on previous assumption _I cant do athorization on the WEB tier at all_
Because I have no means to modify all calls from JSP/Velocity in order to add permission checks.

May be I'm wrong?

No.
Entity beans have only a "veto" right. It can only mark transcation as "rollBackOnly".

Hi All!
How is login/logout is typically done. I'm just chosing between two options:
1. Entity bean represents user and have a business methods is obtained via finder method with login and password and stored using Handle.
2. Statefull session bean do this (session facade), therefore it manage a session for user.
Which one do you prefer and why?
P.S. Two client types are exists (Web and Swing)
[ May 29, 2004: Message edited by: Renat Zubairov ]

Hi Thomas,
Stole as far as I understood means that data in EntityBean may be changed since the last time I've got it. Offcource in this case transactional isolation comes into a play, but nevertheless.

We were talking about stateLESS SessionBeans/Facades, therefore the CMT transaction normally will not last longer than the one call to one method of that stateless SessionBean anyway, right?
But within that one call a whole workflow of multiple EntityBean-calls may use that same transaction started by the SessionBean.
So as long as we do not need a transaction spanning several sessions (request/response pairs): Why are we stuck with CMT (container managed transactions) for things like User.addItinerary()? We must use CMT wherever we use EntityBeans, because EntityBeans are supported by CMT only. Is it that what you ment?

Not really. Imagine you need to make more than one modification of VO and therefore EntityBean, and you need to make it in several independent transactions (otherwise it would be one fall everything rolled back).
Also you can't commit transaction inside EntityBean but sometimes it's really needed.

More important: Is it wise to add things like Itinerary to a User VO that probabely is not needed for web clients? Should we not prefere something like a Response VO carrying a User Object, if needed, and an Itinerary (etc.) object with it (for Java and for web clients)?
- - -
BTW: I guess that most containers will automatically begin a [flat] transaction when accessing a SeesionBeans's method having a "Requires" or "RequiredNew" transaction attribute. What I am not sure by myself is: How could we tell the container to use the same transaction for multiple request/response pairs when using CMT? It would not make much sense, I know, but is that possible at all when using CMT?
I think it's impossible to make the same transaction in multiple calls if they are not a subsequent call of one.
[ March 10, 2004: Message edited by: Renat Zubairov ]

Thank you Dushy
I'm also put second one in my solution, but never the less the second approach has a problem with stole data.
For example, we have updatable value object (I mean entity bean should have setData method as well as getData) and under the object complex data tree is stored (agregated). In this case if we are trying to add a new data to VO and we need transactional support for it, we can't do it in VO. We can do it only in Entity bean and the refresh VO representation. Also if we need complex transactional behaviour for Entity beans method (because Entity bean is business object representation, imagine User.addSubscription() or User.addItinerary() ) we are stuck with the CMT.

Hi All,
What do you think about following strategies to handle login and auth. process (for Web/Swing clients):
1. After successfull username/password check we create statefull session bean for user and remote interface stored (with Handler) on the client.
2. We have Stateless facade for Entity/DAO with User value object which is stored on the client side.
And also, how we can leverage build-in features of J2EE (1.2) for that purpose?

Hi
Concerning Business/Domain objects.
Sun strictly recomends to use Entity beans for coarse-grained object which need concurent transactional access. The main word here is coarse-grained therefore use it for simple one dimentional objects is waisting of resources. Concecning access in other applications you can see following:
Entity beans with remote inteface - bad thing should be replaced with Session beans + DTO (Value object) at the back end it can be either local Entity or DAO.
Concerning "WeatherInfo" if object is simple, let it be POJO. If it's read only - POJO is only reasonable solution.
You can display it as simpel object with "DAO" and "VO" stereotypes.
Br
Renat
[ March 08, 2004: Message edited by: Renat Zubairov ]

Hi All
What options do I have if I need to make XML-RPC synch and asynch from (sorry) J2EE 1.2 or 1.3 compatible middleware?
Thanks.
[ March 04, 2004: Message edited by: Renat Zubairov ]

Hi Chris

I am not using J2EE so am unable to uses any tool that need the container.

Hibernate is "powerful, ultra-high performance object/relational persistence and query service for Java" and nothing more, it doesn't need container for doing ORM. You can get everything (transactions, cache, etc) without AppServ.

I am now confused about the fact the Hibernate states that it is an ORM and not a JDO. Can someone help?

See topic "My favorite ORM tool and why" I've spend some hours to write in it concectning this question. Main idea is JDO is made for everything and RDBMS, but Hibernate is only for for RDBMS therefore you can get some sugar in terms of persomance. Also when you are using JDO you can leave your knoledge of SQL aside, because JDO (I mean specification) will never give you a chanse to use it, Hibernate also have it's own query language but it's SQL based and you can get Connection every time you need it.

Any pointer of Hibernate vs CastorJDO would also be appreciated.

Hm... it's evident that JDO in pure form (specification) isn't used, I mean without any cheats. Every vendor add it's own improvemens in JDOQL for example, some of them is already used by most of the vendors (like count(*) ).

Is CastorJDO the best free JDO tool available?

It semms for me that definitely not.
By the way about byte code manipulation, in J2EE it is not in specification.
And also Hibernate is also doing some of it (See CGLIB )
Renat