Java EE Security Refcard is now available for download at no cost.

The Java EE Security refcard is available for download. This refcard covers Java EE 6 security and discusses how each application server supports the specs. It covers authentication, authorization, and transport security in web applications, EJB applications and web services by introducing each concept and the related annotations and deployment descriptors that help us realize it.

GlassFish, Geronimo and JBoss are discussed in the refcard to show how we can use the vendor-specific deployment descriptors to implement the security design of our applications.

The following list shows what is covered in the refcard.

  • Security in Java EE applications
  • Authentication and Authorization in Java EE
  • Web Applications Security
    • Authentication and Authorization in Web Module
    • Enforcing Transport Security
    • Other Security Elements of Web application deployment descriptors
    • Using Annotations to enforce security in Web modules
    • Programmatic Security in Web Module
  • EJB Applications Security
    • EJB module deployment descriptors
    • Security Annotation of EJB modules in Java EE 6
    • Securing EJB Modules programmatically
  • Application Client Security
    • Security enforcement in Geronimo ACC
    • Security enforcement in JBoss ACC
  • Defining Security in Enterprise application level
  • Securing Web Services in Java EE
    • Web Services Security in Web Modules
    • Web Services Security in EJB Modules
    • Web Services Authentication in GlassFish
    • Web Services Authentication in Geronimo
    • Web Services Authentication in JBoss

The refcard comes with 4 figures showing the relations between different elements and components in Java EE, along with 7 tables explaining the deployment descriptor elements and security annotations. For most of the above headings you will find sample code included in the refcard showing how we can implement the discussed functionality according to Java EE and the mentioned application servers.

State of Open Source Java EE Application Servers

This is a very basic review of the active, available open source Java EE application servers and Servlet containers (web containers), to let the community know which containers are available and what the general status of each one is. The article can act as a starting point for anyone who needs to select one of them for later use in development or in a product. A detailed comparison of these products would cover many pages of a thick book.

Full blown Open Source Java EE Application Servers:

Resin, a well-known product from Caucho, is an open source Java EE application server that has been around for quite a long time. Many small and large deployments of it serve small and large systems, DZone itself among them.

The current stable version of Resin is 3.1.9, which fully supports Java EE 5, and the development version that will replace it is 4.0.1. Resin's licensing scheme is a bit different from the alternatives: Caucho provides a GPL-ed version for open source distributors and evaluators, while commercial usage requires paying Caucho per-CPU, per-year fees. Different editions of Resin are available with different sets of features and capabilities, and each edition has its own pricing scheme. You can find more about the different versions and licensing fees at: Licensing

Resin comes with clustering and high availability support, and benefits from an integrated caching system. Like GlassFish, Resin supports hosting PHP applications using Quercus.

For administration and management, Resin took an alternate path: it provides a lightweight monitoring application that lets administrators and developers see the status of the different services in the application server, and leaves administrators to perform administrative and configuration tasks through configuration files.

When it comes to development tool support, you can expect NetBeans, Eclipse and IntelliJ integration along with integration with Ant, Maven, and Ivy.

  • Download link: http://www.caucho.com/download/ You can get version 4.0.1.
  • How to start: go to install_dir/bin and issue ./resin.sh start or resin.bat start, depending on your OS.
  • Monitoring console details: URL: http://127.0.0.1:8080/resin-admin/ You will need to create a user and password to proceed further. Follow the on-screen steps to create the user and password.

Geronimo: The Apache Java EE application server, which is obviously distributed under ASF. Geronimo lags behind GlassFish when it comes to implementing new Java EE specifications, but it benefits from a good administration console compared to JBoss. Clustering is available through 3rd party products like Terracotta; there is no out-of-the-box support for clustering and high availability. Geronimo is well integrated with other Apache projects like ServiceMix and ActiveMQ. The current version of Geronimo is v2.1.4, which fully supports the Java EE 5 specification. Commercial support for Geronimo is available through IBM WebSphere Application Server Community Edition.

Two separate distributions of Geronimo are available, one with Jetty as the web container and the other with Tomcat as the web container. All major IDEs support Geronimo as a development server.

GlassFish: Mainly developed by Sun Microsystems, it benefits from a modular and extensible architecture. GlassFish is in the front line of providing the community with implementations of new Java EE specifications, and at the same time it provides all users with features like advanced administration channels, out-of-the-box clustering and high availability, OSGi runtime deployment and so on. Using GlassFish means that users can easily sign a contract and get support from Sun without needing to change the deployment bits. The current stable version is GlassFish 2.1.1 and the next major version is GlassFish v3, which is a fully Java EE 6 compliant, OSGi-based application server. The new version is due to be released in November this year. Open source GlassFish is accessible under the CDDL and GPL licenses.

GlassFish benefits from integration with a wide set of Sun products, from the operating system (Solaris) up to the IDE (NetBeans). GlassFish ESB, Open Portal, OpenSSO and OpenMQ are some of the notable projects that GlassFish is well integrated with.

Another strength of GlassFish is its integration with Sun HADB, which can form a proven, highly available infrastructure without spending a penny on the required software and licenses.

All major IDEs support GlassFish as a development server, which means an easy start for developing Java EE applications using GlassFish.

JBoss: It has been present in the open source community longer than the other projects and benefits from Red Hat support. JBoss Application Server provides clustering and high availability out of the box, but the administration console, which is included in the distribution from version 5.1, is not advanced enough to let administrators manage all of the application server's resources. The included administration and management console is an embedded version of Jopr (http://www.jboss.org/jopr). This console acts as a single point of administration and management for all JBoss technologies like ESB, cache, etc. The current version of JBoss is 5.1.0.GA and the next upcoming version is 5.2. JBoss is distributed under LGPL and anyone interested can get commercial support from Red Hat. The JBoss community distribution and enterprise distribution are two different packages, and moving from community support to commercial support means installing an alternate version of JBoss named JBoss Enterprise Middleware.

JBoss application server benefits from integration with a wide range of middleware provided by JBoss. These products include caching, BPM, ESB, portal and so on. On the development side, it benefits from JBoss Developer Studio (not available for free), which is based on Eclipse and provides tooling for a wide range of the middleware provided by JBoss.

All major IDEs support JBoss as a development server, which means an easy start for developing applications on top of this application server.

JOnAS is one of the flagship projects of the OW2 consortium. Although it gets less buzz in the news and blogosphere, it benefits from a profound modular architecture based on OSGi. The JOnAS administration console is well designed and benefits from a slick user interface. JOnAS benefits from integration with JASMINe for designing, deploying and administrating a clustered environment.

The current version of JOnAS is 5.1, which fully supports Java EE 5; the next planned version is 5.2, which is due to be released in Feb 2010 with basic support of Java EE and self management. Major IDEs like Eclipse and NetBeans support JOnAS as a development server. JOnAS is distributed under LGPL.

Servlet Containers:

Jetty: Jetty is considered an alternative to Tomcat to some level. Because of the differences between the architectures of these containers, each of them has its own user base. Jetty is considered lighter, easier to embed and highly modular, while Tomcat is considered more feature rich. Both projects benefit from good performance under heavy load, but this can certainly change from version to version and between different use cases. A cluster of Jetty instances can be configured using any of Gigaspaces, WADI, Terracotta, etc. Jetty does not have a management console; all configuration is done by making the required changes in the configuration files. A good comparison between Tomcat and Jetty can be found at: http://www.webtide.com/choose/jetty.jsp

  • Download link: http://www.eclipse.org/jetty/downloads.php
  • How to start: go to install_dir/bin and issue ./jetty.sh start or jetty.bat start, depending on the OS
  • Administration console details: No administration console.

Note: before attempting to start Jetty, add the following line to install_dir/bin/jetty.sh or jetty.bat, depending on the OS.

For Windows:

set JETTY_HOME=path/to/jetty/install/dir

For Linux, UNIX, etc.:

export JETTY_HOME=path/to/jetty/install/dir

Note: before starting Tomcat, add the following line to install_dir/conf/tomcat-users.xml, inside the tomcat-users node:

<user username="tomcat" password="tomcat" roles="manager"/>
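
The entry above uses the username as the password for the manager role, a pair that should not survive past a local test install. The following added example (not from the original article) parses a tomcat-users.xml and reports entries whose password is empty, equals the username, or appears in a short illustrative word list; the sample file, the two extra users and the word list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the entry from the note above plus two hypothetical users.
SAMPLE = """<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="manager"/>
  <user username="deploy" password="s3Wq-71kfpZ0xT" roles="manager"/>
  <user username="viewer" password="" roles="status"/>
</tomcat-users>"""

# Small illustrative list (an assumption of this example), not exhaustive.
COMMON_PASSWORDS = {"tomcat", "admin", "manager", "password", "changeit"}
# Role names starting with these prefixes are treated as privileged.
ADMIN_ROLE_PREFIXES = ("manager", "admin")


def local(tag):
    """Strip an XML namespace, if present, from a tag name."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for weak <user> entries."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        if not password:
            findings.append((name, "empty password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif password.lower() in COMMON_PASSWORDS:
            findings.append((name, "common default password"))
        else:
            continue  # nothing weak found for this user
        # A weak credential matters most when it guards a privileged role.
        if any(r.startswith(ADMIN_ROLE_PREFIXES) for r in roles):
            findings.append(
                (name, "weak credential on privileged role: " + ",".join(roles)))
    return findings


if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE):
        print(f"{user}: {issue}")
```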

Conclusion: None of these projects can fit all development and deployment plans and requirements. Each of them has its strengths and weak points compared to the other 5 competing projects. What one needs to do is test all of them and decide which one is better.

Four open source Java application servers compared

I was looking at the feeds that my email client fetched during the day and I found an interesting one which led me to an article written by Jonathan Campbell. The article can be found at http://www.javaworld.com/javaworld/jw-12-2007/jw-12-appservers.html

Jonathan compared 3 different application servers/servlet containers by their support of Java EE 5 and some other factors. The article explains each feature on which he compared the application servers. Jonathan did not include GlassFish in his review of "open source Java application servers" and only included 3 application servers/Servlet containers: Tomcat, JBoss and Geronimo. :-) So I thought I should include some facts here in order to make the comparison fair to all parties.

Including GlassFish in Jonathan's matrix gives us the following table: *Notice*

| Feature | JBoss 4.2 | Geronimo 2 | Tomcat 6 | GlassFish 2 |
|---|---|---|---|---|
| Java EE 5 compliance | Partial | Yes | No | Yes |
| EJB 3.0 capable | Yes | Yes | Available | Yes |
| JSP 2.1 and 2.5 capable | Yes | Yes | Yes | Yes |
| JavaServer Faces 1.2 support | Yes | Yes | Available | Yes |
| Custom plug-in support | Yes | Yes | No | ? |
| Business-rules engine support | Available | Available | Available | Available |
| Hibernate 3.x support | Yes | Available | Available | Yes, based on below description |
| JBoss Seam support | Yes | Yes | Available | Yes |
| Clustering support | Yes | Yes | Partial | Yes |
| Eclipse IDE connector support | Yes | Yes | Yes | Yes |

The following descriptions further explain some of what GlassFish provides in relation to the above table.

  • GlassFish fully supports Java EE 5 with all its related JSRs, like JSP 2.1 (JSR 245), Servlet 2.5 (154), EJB 3.0 (JSR 245), etc.
  • GlassFish supports clustering and cluster management out of the box; a cluster can be configured from both the CLI and the administration console.
  • The GlassFish administration console allows you to configure your load balancer :-). For example, you can configure a Sun Java Web Server which works as a load balancer to add or remove an instance from its list of servers, either manually or automatically when a node joins the cluster or is removed from it.
  • GlassFish allows you to manage resources for an entire cluster at once instead of applying them to each instance. For example, you can deploy a web application into a cluster of 10 instances instead of deploying it separately for each instance.
  • GlassFish has a very wide array of documentation, both from Sun Microsystems (for free) and from the GlassFish community.
  • GlassFish installation is as easy as executing 2 commands.
  • Deploying applications into GlassFish, or even into an entire cluster of GlassFish instances, is just 2 clicks away.
  • The quality of GlassFish components is beyond question: Metro is well known for supporting new WS-* standards, EJB support uses TopLink Essentials, the MQ server is Sun's open-sourced MQ, etc.
  • GlassFish has very good interoperability with some other open source projects, like OpenESB and OpenSSO, which allows you to have what you need to kick-start your J2EE application without looking at any additional configuration.
  • Certainly performance is something which everyone should have in mind before considering other features. Take a look at http://www.spec.org/jAppServer2004/results/res2007q3/jAppServer2004-20070703-00073.html and http://weblogs.java.net/blog/sdo/archive/2007/07/sjsas_91_glassf.html to find out more about how capable GlassFish is.
  • GlassFish has connectors for both Eclipse and NetBeans, although the other servers mentioned also have connectors for NetBeans and Eclipse.
  • Seam support is available from GlassFish 1 upward.
  • Business rule engine support is available through OpenESB project integration.
  • About Hibernate support, I cannot understand whether Jonathan means using Hibernate as a persistence provider or plainly as an ORM; by the way, both of these "features" are available to GlassFish users.
  • GlassFish has an Update Center, which allows you to update your application server from a remote repository.
  • GlassFish runs on all mentioned platforms, from Windows to AIX (GlassFish 2 update 1 runs on AIX), and there is no restriction on running it on your platform of choice.

The items mentioned relate to what the original article tried to compare. GlassFish can be used by an ROR developer through its integration with a first-class ROR IDE (NetBeans 6), it can serve your VoIP and SIP requirements by means of SailFin, etc. Any user with any kind of requirement will find GlassFish a suitable application server.

Although Jonathan did not mention GlassFish directly, he gives his opinion by writing: "In my experience commercial application servers have more bugs than the open source servers compared in this article, and they are more difficult to install. Deployment can also be an issue — at least with the recent version of Sun’s Java Application Server." The article could be more complete if Jonathan included GlassFish in his comparison chart, and at the end he could write that GlassFish has a problematic deployment procedure.

 

A statement which looks odd to me is: "In my experience commercial application servers have more bugs than the open source servers compared in this article, and they are more difficult to install." Although it will be a complex procedure to set up a cluster of WebSphere (as a commercial application server) using WebSphere XD, Object Grid, and other available packages that facilitate enterprise-scale deployment of WebSphere, WebSphere has a decent performance and reliability which is very hard to deny.

Notice: Some parts of this table are taken from Jonathan Campbell's article, published by JavaWorld and available at http://www.javaworld.com/javaworld/jw-12-2007/jw-12-appservers.html