The Village at the Keystone Resort
Colorado Software Summit
Java and XML Programming Conference
October 26 – 31, 2003
Keystone Conference Center


Dan Johnsson – Frobozz AB, Sweden

State Is Not Evil

One popular myth in J2EE is that stateful session EJBs (SFSBs) are troublesome and should be avoided. It is not uncommon for architecture groups to dictate that SFSBs must not be used at all. These decisions are often based more on rumour than on rational, well-informed judgement. The sad truth is that the alternative solutions are often worse than SFSBs. The results are architectures that have lost their foundation in the business domain, often with lower extensibility and reliability, and more often than not containing security holes.

In this presentation we examine SFSBs in depth. We see in what kind of environment they pose no problem, and under what circumstances they start consuming a lot of resources. For the class of applications where SFSBs become troublesome, we investigate alternative solutions (cookies, HTTP sessions and databases) and compare them with regard to performance, reliability, extensibility and security.
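To make the security side of that comparison concrete, here is an added example (the editor's, not code from the talk) of the cookie alternative. Once conversational state leaves the stateful session bean and travels in a cookie, it crosses the trust boundary: the client can rewrite it, so the server must authenticate the cookie before acting on it. The cart string, the key handling and the HMAC-SHA256 scheme are constructed for illustration and assumed, not taken from the presentation.

```java
// Added example, not from the talk: state moved from a stateful session bean into
// a cookie is client-controlled, so it is protected with an HMAC under a server key.
// The "cart" state below is constructed sample data.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedStateCookie {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedStateCookie(byte[] serverKey) {
        key = new SecretKeySpec(serverKey, ALG);
    }

    private byte[] mac(String data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Cookie value = base64url(state) "." base64url(HMAC(state)). */
    public String seal(String state) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(state.getBytes(StandardCharsets.UTF_8))
            + "." + enc.encodeToString(mac(state));
    }

    /** Returns the state if the tag verifies, or null if the cookie was altered or malformed. */
    public String open(String cookie) throws GeneralSecurityException {
        int dot = cookie.lastIndexOf('.');
        if (dot < 0) return null;
        Base64.Decoder dec = Base64.getUrlDecoder();
        String state;
        byte[] tag;
        try {
            state = new String(dec.decode(cookie.substring(0, dot)), StandardCharsets.UTF_8);
            tag = dec.decode(cookie.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url: reject rather than guess
        }
        // Constant-time comparison: a plain equals() leaks how many tag bytes matched.
        return MessageDigest.isEqual(tag, mac(state)) ? state : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k); // server-side key, never sent to the client
        SignedStateCookie cookies = new SignedStateCookie(k);

        String cookie = cookies.seal("user=alice;cart=item42;price=199.00");
        System.out.println("valid cookie  -> " + cookies.open(cookie));

        // A client rewrites the price but cannot recompute the tag without the key.
        String oldTag = cookie.substring(cookie.lastIndexOf('.') + 1);
        String forged = Base64.getUrlEncoder().withoutPadding()
            .encodeToString("user=alice;cart=item42;price=1.00".getBytes(StandardCharsets.UTF_8))
            + "." + oldTag;
        System.out.println("forged cookie -> " + cookies.open(forged));
    }
}
```

The HMAC gives integrity only: the client can still read the state, so anything confidential would also need encryption, and a replayed old-but-valid cookie is still accepted unless the state carries an expiry or a server-side nonce. With an SFSB or an HTTP session the state never leaves the server and none of this machinery is needed, which is the kind of trade-off the abstract refers to.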

The J2EE Security Model

Even practising architects sometimes have only a vague idea of how to use the J2EE standard security model. It is not uncommon to see architectures that reinvent and implement similar security functionality instead of using the existing, built-in mechanisms. In this presentation we explain what functionality you get from the J2EE security model and how to configure it. In particular we look at authentication (Web-based, and JAAS in client applications), role-based authorisation and resource control.

In authentication we study the different ways containers can establish a client identity. For the Web container we see when and why we would use BASIC HTTP authentication, FORM-based authentication or CLIENT-CERT (client certificate) authentication. For the application client container we see how we have more liberty to use a JAAS LoginModule to plug in our own authentication, e.g. smart cards. In authorisation we see how the EJB role-based security system keeps the focus on the business domain, and how this works best in a service-based architecture. For resource control we investigate the options for configuring access control: static configuration, support for programmatic control, and principal/credential mappings.

We also study the support for integrating the J2EE security mechanisms with existing security systems (such as an LDAP directory containing user and authorisation information). This discussion will revolve around the de facto (non-standardised) support commonly found across vendors, and the initiatives for standardising it, such as the "Java Authentication Service Provider Interface for Containers" (JSR 196) and the "Java Authorization Contract for Containers" (JSR 115). This will also serve as our looking-glass into the future, to see in which direction security standards will evolve.
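As an added example for the authentication and authorisation paragraphs above (the editor's code, not material from the presentation), the block below shows the pluggable side of the J2EE model: a JAAS LoginModule that establishes a client identity and, in commit(), attaches one principal for the user and one per role to the Subject. In a real deployment the container does the principal-to-role mapping and enforces roles declaratively (method-permission in the deployment descriptor) or programmatically (EJBContext.isCallerInRole); the isInRole helper here stands in for that check so the example runs without a container. The user table, role assignments and the programmatic Configuration are constructed assumptions; the JAAS classes themselves (LoginModule, LoginContext, NameCallback, PasswordCallback) are the standard ones.

```java
// Added example, not from the talk: a JAAS LoginModule authenticating against a
// constructed in-memory table (standing in for LDAP or a database) and exposing
// the user's roles as principals on the Subject.
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DemoLoginModule implements LoginModule {
    /** Principal tagged as either a user identity or a role. */
    public static final class SimplePrincipal implements Principal {
        private final String kind, name;
        SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && ((SimplePrincipal) o).kind.equals(kind)
                && ((SimplePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(kind, name); }
        @Override public String toString() { return kind + ":" + name; }
    }

    // Constructed sample users; a real module would consult a directory or database.
    private static final Map<String, char[]> PASSWORDS = new HashMap<>();
    private static final Map<String, List<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "s3cret".toCharArray());
        ROLES.put("alice", Arrays.asList("customer", "manager"));
        PASSWORDS.put("bob", "hunter2".toCharArray());
        ROLES.put("bob", Arrays.asList("customer"));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;
    private final List<Principal> added = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect credentials through callbacks and verify them. */
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] expected = PASSWORDS.get(nc.getName());
        char[] given = pc.getPassword();
        pc.clearPassword();
        boolean ok = expected != null && given != null && Arrays.equals(expected, given);
        if (given != null) Arrays.fill(given, '\0');
        if (!ok) throw new FailedLoginException("bad user name or password");
        user = nc.getName();
        authenticated = true;
        return true;
    }

    /** Phase 2: only now does the identity (user + roles) become visible on the Subject. */
    public boolean commit() {
        if (!authenticated) return false;
        added.add(new SimplePrincipal("user", user));
        for (String r : ROLES.getOrDefault(user, Collections.<String>emptyList()))
            added.add(new SimplePrincipal("role", r));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { return logout(); }

    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        authenticated = false;
        user = null;
        return true;
    }

    /** Stand-in for the container's role check (isCallerInRole / method-permission). */
    public static boolean isInRole(Subject s, String role) {
        return s.getPrincipals().contains(new SimplePrincipal("role", role));
    }

    /** Programmatic JAAS Configuration so the demo needs no jaas.config file. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.<String, Object>emptyMap()) };
            }
        };
    }

    /** The client-application side: a CallbackHandler answering with fixed credentials. */
    static CallbackHandler handlerFor(final String name, final String pw) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("demo", new Subject(), handlerFor("alice", "s3cret"), config());
        lc.login();
        System.out.println("alice principals: " + lc.getSubject().getPrincipals());
        System.out.println("alice in manager? " + isInRole(lc.getSubject(), "manager"));
        System.out.println("alice in auditor? " + isInRole(lc.getSubject(), "auditor"));
        try {
            new LoginContext("demo", new Subject(), handlerFor("bob", "wrong"), config()).login();
        } catch (LoginException e) {
            System.out.println("bob rejected: " + e.getMessage());
        }
    }
}
```

Swapping the in-memory table for a smart-card or LDAP check touches only login(); the container and the business code keep seeing roles, which is the point the abstract makes about keeping authorisation in the business domain. Note that the two-phase login()/commit() split matters for the "principal/credential mapping" item: nothing is added to the Subject until every REQUIRED module in the stack has succeeded.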


Dan Johnsson is VP Java Mentoring and Head of Research Department at Frobozz AB, Sweden. He was educated at Uppsala University, where he had his first contact with Java in 1995. Since leaving academia he has been programming, consulting and teaching Java. His interest in J2EE began with the release of the EJB 1.1 spec. In his role as consultant and teacher (e.g. Sun's courses on EJB, Servlet/JSP and J2EE architecture) he has been in contact with most of the pioneering J2EE systems in Sweden. He has a unique combination of technical and pedagogical skills.




© 1997 – 2003  Kovsky Conference Productions Inc.  All rights reserved.