Friday, July 31, 2009

New Features and Enhancements in JDK 7

Thursday, July 30, 2009

Tips for Using Tomcat in Production

  1. If you're running on a 1.5+ JVM, add the following to your JAVA_OPTS in catalina.sh (or catalina.bat for Windows):

    -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/home/j2ee/heapdumps

    Then use a tool such as YourKit to analyze the heap dump file. Bear in mind that a heap dump contains everything that was on the heap at the time, including session data and any credentials or keys the application held in memory, so make the dump directory writable only by the Tomcat user and handle the files as sensitive.

  2. Straight from the Tomcat documentation on Jasper 2 (these are init-params of the "jsp" servlet in CATALINA_HOME/conf/web.xml):

    When using Jasper 2 in a production Tomcat server you should consider making the following changes from the default configuration.
    development - To disable on-access checks for JSP page compilation, set this to false.
    genStringAsCharArray - To generate slightly more efficient char arrays, set this to true.
    modificationTestInterval - If development has to be set to true for any reason (such as dynamic generation of JSPs), setting this to a high value will improve performance a lot.
    trimSpaces - To remove useless bytes from the response, set this to true.

  3. Use Tomcat's clustering/session replication capability to minimize application user impact during maintenance periods.
  4. Implement custom error pages so that raw exception messages and stack traces never reach the client. A 404 mapping alone does not achieve this; you also need a catch-all for unhandled exceptions, which otherwise produce Tomcat's default 500 page complete with stack trace. Add something like the following to your web.xml:

    <error-page>
       <error-code>404</error-code>
       <location>/error/404.html</location>
    </error-page>
    <error-page>
       <exception-type>java.lang.Throwable</exception-type>
       <location>/error/500.html</location>
    </error-page>

  5. Eliminate System.out and System.err statements from application code and use a logging toolkit such as Log4J for application logging.
  6. Leverage Tomcat's shared library directory. If you're loading several applications with several of the same library dependencies, consider moving them from the applications' WEB-INF/lib directory to Tomcat's shared library directory, {catalina.home}/shared/lib (Tomcat 5.5; from Tomcat 6 on, the shared.loader entry in conf/catalina.properties plays this role). This will reduce the memory used by each application and result in smaller WAR files. It also means a library is patched in one place, and that a vulnerable one affects every application at once, so keep an inventory of what lives there.

  7. Tweak memory parameters. Most of the time you will want to make a change to the default settings. The best advice here is to create a development environment that matches your production environment and load test the application. While you do this you can also use a profiler to identify bottlenecks, etc.
  8. Remove unnecessary applications, starting with the sample and documentation webapps Tomcat ships with in webapps/ (the examples and docs) and, if you don't use them, the manager and host-manager applications. Every deployed application is attack surface you have to keep patched.
  9. Secure the Manager application. By default there are no users with the manager role (the sample entries in tomcat-users.xml are commented out). To make use of the manager webapp you need to add a role and a user to the CATALINA_HOME/conf/tomcat-users.xml file. The role and user elements are siblings under tomcat-users, not nested inside one another:

    <tomcat-users>
       <role rolename="manager"/>
       <user username="darren" password="ReallyComplexPassword" roles="manager"/>
    </tomcat-users>

    Tomcat 7 and later split this into manager-gui, manager-script, manager-jmx and manager-status; grant only the role a user actually needs, and do not give the same account both manager-gui and manager-script, since a browser session with the script role is an easy CSRF target.

    Use a valve to filter by IP address (RemoteAddrValve) or hostname (RemoteHostValve) so that only a subset of machines (i.e. LAN machines) can connect. The valve can be placed at the Engine, Host, or Context level; put it in the manager application's Context (for example conf/Catalina/localhost/manager.xml) rather than in the Engine or Host in conf/server.xml, or you will lock every application down to the same addresses. Add something like the following:

    <!-- allow only LAN IPs to connect to the manager webapp -->
    <!-- 'allow' is a regular expression (a comma-separated list of them in Tomcat 5.5/6, a single -->
    <!-- pattern in 7+) matched against the whole client address. An unescaped 192.168.1.* also -->
    <!-- admits 192.168.10.x and 192.168.100.x, so escape the dots. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.1\.\d+" />

    The valve checks the address of the TCP peer. If Tomcat sits behind a reverse proxy or load balancer, that is the proxy's address for every request, so either enforce the restriction at the proxy or place a RemoteIpValve (Tomcat 6.0.24 and later) ahead of it, configured to trust only that proxy's address.

  10. Strip down server.xml by removing comments to make it easier to read and remove connectors that you don't need. An easy way to do this is the following: Rename CATALINA_HOME/conf/server.xml to CATALINA_HOME/conf/server-original.xml and rename CATALINA_HOME/conf/server-minimal.xml to CATALINA_HOME/conf/server.xml. The minimal configuration provides the same basic configuration, but without the nested comments is much easier to maintain and understand. Do not delete the original file as the comments make it useful for reference if you ever need to make changes. Unless you are running Tomcat behind the Apache HTTP Server (mod_jk or mod_proxy_ajp), comment out this line in CATALINA_HOME/conf/server.xml:

    <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

    If you do need AJP, bind it to the loopback or an internal interface with address="127.0.0.1" (or the backend address) so it is never reachable from outside: AJP is a trusted back-channel protocol that was not designed to be exposed to clients directly.

  11. Split your Tomcat installation for added flexibility when it comes time to upgrade Tomcat. See the "Advanced Configuration - Multiple Tomcat Instances" section in the RUNNING.txt file of the Tomcat distribution.
  12. Precompile JSPs (at build time).
  13. Disable directory listings. In CATALINA_HOME/conf/web.xml:

    <servlet>
       <servlet-name>default</servlet-name>
       <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
       <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
       </init-param>
       <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>  <!-- make sure this is false -->
       </init-param>
       <load-on-startup>1</load-on-startup>
    </servlet>

  14. If you have multi-core CPUs or more than one CPU on your server, it might be beneficial to raise the connector's maxThreads beyond the default (200 in Tomcat 5.5 and 6; the shipped server.xml sets it to 150). On the other hand, if you have a slow server, decreasing the thread pool will decrease the overhead on the server.
  15. Monitor applications via Tomcat's JMX MBeans. This article provides some great insight on how to do this. If you expose JMX remotely (com.sun.management.jmxremote.port), leave authentication and SSL enabled (the jmxremote.authenticate and jmxremote.ssl properties default to true) and reach it only over a trusted network; an unauthenticated remote JMX port hands out full control of the JVM.
  16. Consider JDK 1.5 or even better JDK 1.6 to take advantage of performance improvements.

  17. Use the -server JVM option. This enables the server JVM, which JIT compiles bytecode much earlier, and with stronger optimizations. Startup and first calls will be slower due to JIT compilation taking more time, but subsequent ones will be faster.
  18. Use GZIP compression. Look for the service connector you wish to configure for compression and add two attributes, compression and compressableMimeType (spelled compressibleMimeType from Tomcat 8.5 on; the old spelling is still accepted). For example:

    <Connector port="80"
       maxHttpHeaderSize="8192"
       URIEncoding="UTF-8"
       maxThreads="150"
       minSpareThreads="25"
       maxSpareThreads="75"
       enableLookups="false"
       redirectPort="8443"
       acceptCount="100"
       connectionTimeout="20000"
       disableUploadTimeout="true"
       compression="on"
       compressableMimeType="text/html,text/xml,text/plain,application/xml" />

    For more information, read the Tomcat HTTP Connector documentation. One caveat: on an HTTPS connector, compressing a response that mixes a secret (a CSRF token or session identifier) with input an attacker can get reflected into the page lets the compressed size leak the secret (the BREACH attack), so leave compression off for such pages or keep the secrets out of compressed responses.

  19. The default Tomcat configuration provides good protection for most requirements, but does not prevent a malicious application from compromising the security of other applications running in the same instance. To prevent this sort of attack, Tomcat can be run with a Security Manager enabled which strictly controls access to server resources. Tomcat documentation has a good section on enabling the Security Manager. Note that the Java Security Manager was deprecated for removal in Java 17 (JEP 411) and Tomcat 11 dropped support for it, so on current versions the isolation between applications you don't trust has to come from separate Tomcat instances or containers instead.
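    Several of the items above (4, 9, 10 and 13) come down to settings in three files, and it is easy to get one of them wrong in a way that still starts cleanly. The script below is an added example, not code from the original post or from the Tomcat project: it parses web.xml, server.xml and tomcat-users.xml with the Python standard library and reports the findings a reviewer would raise. The XML it runs against is constructed for the demonstration, the probe addresses and the list of example passwords are assumptions, and the RemoteAddrValve check reproduces Tomcat 7's whole-address regular-expression matching with re.fullmatch.

```python
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
EXAMPLE_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager"}
# Probe addresses for an 'allow' pattern (assumed); only 192.168.1.x is meant to pass.
PROBES = ["192.168.1.7", "192.168.10.7", "192.168.100.7", "192x168x1x7", "10.0.0.7"]

def _local(tag):
    """Element name without its XML namespace (j2ee and javaee web.xml alike)."""
    return tag.rsplit("}", 1)[-1]

def _text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in el:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return ""

def audit_web_xml(xml_text):
    """Items 4 and 13: a catch-all error page exists and directory listings are off."""
    findings, catch_all = [], False
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "servlet" and _text(el, "servlet-name") == "default":
            for p in el:
                if (_local(p.tag) == "init-param" and _text(p, "param-name") == "listings"
                        and _text(p, "param-value").lower() == "true"):
                    findings.append("web.xml: DefaultServlet has listings=true")
        elif name == "error-page" and (_text(el, "exception-type") == "java.lang.Throwable"
                                       or _text(el, "error-code") == "500"):
            catch_all = True
    if not catch_all:
        findings.append("web.xml: no error-page for java.lang.Throwable or 500; "
                        "stack traces can reach the client")
    return findings

def valve_leaks(allow, intended_prefix, probes=PROBES):
    """Probe addresses a RemoteAddrValve 'allow' value admits although they lie outside
    `intended_prefix`. Tomcat 7+ matches each comma-separated pattern against the whole
    address (Matcher.matches), which re.fullmatch mirrors."""
    return [addr for addr in probes if not addr.startswith(intended_prefix)
            and any(re.fullmatch(p.strip(), addr) for p in allow.split(",") if p.strip())]

def audit_server_xml(xml_text, intended_prefix="192.168.1."):
    """Items 9 and 10: over-broad RemoteAddrValve patterns and an exposed AJP connector."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "Connector" and el.get("protocol", "").startswith("AJP"):
            if el.get("address") not in LOOPBACK:
                findings.append("server.xml: AJP connector on port %s listens on all interfaces; "
                                "remove it or set address=\"127.0.0.1\"" % el.get("port"))
        elif name == "Valve" and el.get("className", "").endswith("RemoteAddrValve"):
            leaks = valve_leaks(el.get("allow", ""), intended_prefix)
            if leaks:
                findings.append("server.xml: RemoteAddrValve allow=%r also admits %s; "
                                r"escape the dots, e.g. allow='192\.168\.1\.\d+'"
                                % (el.get("allow"), ", ".join(leaks)))
    return findings

def audit_tomcat_users(xml_text, min_len=12):
    """Item 9: manager accounts (role manager in 5.5/6, manager-* in 7+) with weak passwords."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        if not any(r.strip().startswith("manager") for r in el.get("roles", "").split(",")):
            continue
        pw = el.get("password", "")
        if pw.lower() in EXAMPLE_PASSWORDS or len(pw) < min_len:
            findings.append("tomcat-users.xml: manager user %r has a short or example "
                            "password" % el.get("username"))
    return findings

# Constructed inputs for the demonstration, not real deployment files.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/error/404.html</location></error-page>
</web-app>"""
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/manager" docBase="manager" privileged="true">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*"/>
    </Context></Host></Engine></Service></Server>"""
SAMPLE_USERS_XML = """<tomcat-users><role rolename="manager"/>
  <user username="tomcat" password="s3cret" roles="manager"/>
  <user username="darren" password="ReallyComplexPassword" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(*audit_web_xml(SAMPLE_WEB_XML), *audit_server_xml(SAMPLE_SERVER_XML),
          *audit_tomcat_users(SAMPLE_USERS_XML), sep="\n")
```

    To run it against a real installation, read the three files and pass their contents to the audit functions. The valve check is the one worth watching: it shows concretely which addresses an unescaped 192.168.1.* lets through, which is why the pattern in item 9 escapes its dots.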

Wednesday, July 29, 2009

Choosing a Java Web Framework

Choosing a Java Web framework for your project is not getting any easier. Here are some things I think about when choosing a Java Web framework.

  • Is it action based? Action based frameworks generally map actions (defined in an HTML form or URL) to code in the controller tier of the application. Action based frameworks are the most popular type of framework, and most developers have had at least some exposure to them. The most popular Java Web framework, Struts, is an action based framework. Examples: Struts, Struts2 (based on WebWork), Spring MVC, Stripes, Ruby on Rails, Grails
  • Is it component based? Component based frameworks create a component abstraction in the view tier. Event listeners capture user actions and map back to code in the controller tier. I am of the opinion that component based frameworks have a steeper learning curve than action based frameworks. Some will counter that component based frameworks offer greater productivity once the framework is learned. Programming in a component based framework can sometimes feel like programming Java Swing components. Examples: JavaServer Faces (JSF) implementations (MyFaces), Tapestry, RIFE, Wicket, Google Web Toolkit (GWT), ThinWire, Echo2, IceFaces (JSF implementation), Click
  • Is it page based? Page based frameworks allow you to develop applications made of many Web pages. To implement these Web pages, the developer creates HTML (using JSPs or templates), JavaScript and CSS files. All action based frameworks (that I know of) and some component based frameworks are page based. Most of these frameworks now have good support for AJAX. Because you write the Web tier yourself, you also have a lot of control and the ability to adhere to Web standards. Struts is a page based framework. Examples: Struts, Struts2/WebWork, Spring MVC, Stripes, Ruby on Rails (requires JRuby to run in Java), Grails, RIFE, JavaServer Faces (JSF) implementations (MyFaces), Tapestry, Wicket
  • Is the Web tier generated? New AJAX frameworks such as Google Web Toolkit require you to code only in Java. They then generate the entire Web tier for you, so you don't have to code the HTML, JavaScript or CSS. You will still need to understand CSS concepts in order to style your components. This may be attractive if you or your team doesn't have much experience with JavaScript and CSS, or if you want to keep all of your application logic in Java code. These frameworks are component based and the style of programming is very similar to Swing. AJAX is used heavily by these frameworks to create a rich user interface. In traditional frameworks, many Web pages work together to form an application; these frameworks may have only one page (a frame) in which components and screens are swapped out using AJAX. Examples: Google Web Toolkit (GWT), ThinWire, Echo2, IceFaces (JSF implementation)
  • Is it JSP based? Many frameworks, including Struts, use JSP pages to generate HTML. JSP (JavaServer Pages) is the classic way to generate Web pages in Java. Tag libraries are used within JSP pages to generate HTML, and custom tags can be created fairly easily to add your own functionality. JSP pages get compiled into Java servlets. Examples: Struts, Struts2/WebWork, Spring MVC, JavaServer Faces (JSF) implementations (MyFaces), Click
  • Is it template based? Some frameworks offer an alternative to JSP pages known as a template. Sometimes a framework only works with templates, while there are also lightweight template libraries, such as Velocity or FreeMarker, that can be used in combination with JSP frameworks. A template is often an HTML file with references to Java components made within the HTML code. Because these files are not JSP pages, they bypass the JSP API, which many developers do not like to use. This also gives some templates the ability to be viewed in a browser, which makes them nice for Web designers. I list some examples of frameworks that use templates out of the box; however, as I mentioned earlier, JSP based frameworks can be made to work with templating technologies. Examples: Facelets (a view handler that can be used with any JSF implementation), Tapestry, RIFE, Wicket, Velocity, Clay (part of Shale), FreeMarker
  • Is it Rails like? The hugely popular Ruby on Rails (RoR) framework has defined its own class of Web framework. Without going into the framework itself, two fundamentals of this framework are "convention over configuration" and "don't repeat yourself". Rails like frameworks generate a lot of the application structure up front to make it easy to get up and running. Examples: Ruby on Rails (requires JRuby to run in Java), Grails, Trails
  • Does it support a dynamic scripting language? Many frameworks now have support for dynamic scripting languages. If you would rather do most of your Web programming in a scripting language than in Java (there are many who would), then one of these frameworks might be for you. They tend to be action and page based and have good support for AJAX. Examples: Ruby on Rails (requires JRuby to run in Java), Grails (using the Groovy scripting language)
  • Does it support IoC? You will often hear this referred to as "Spring integration". The Spring Framework is a full stack J2EE application framework. There are many different sub-frameworks within the Spring Framework, and its Spring IoC (inversion of control or dependency injection) framework is the most widely used. IoC frameworks can make it easy to configure Java beans within your application, as well as provide a number of other benefits. Most of the popular frameworks have support in one way or another for Spring IoC. If this is important to you, then you should make sure the framework you are selecting makes it easy to work with Spring IoC. There are other IoC frameworks out there, such as HiveMind and Plexus, but Spring is currently the standard.
  • Does it support Web conversations? Supporting Web conversations is about tracking state across several pages, so if you are using a framework that is page based, this may be important to you. If it is, then JBoss Seam and Spring Web Flow are frameworks to consider. They are not Web frameworks, but server side frameworks that integrate into the middle tier of your application. Seam uses JSF for its Web tier. Spring Web Flow can integrate with various Web frameworks. Shale, a framework for JSF, also includes support for conversations, as does RIFE.
  • Is it testable? Many of the popular frameworks are building in formal support for mock objects and other testing concerns. Testing is critical and Web applications tend to be difficult to test.
  • How well does it support security? Is it well supported and maintained? Is it stable? Will it help me adhere to standards? These are things I think about on all projects when selecting a framework and they apply here as well. Especially here, since there are so many Java Web frameworks to choose from and new ones are showing up each month.

Monday, July 27, 2009

Technologies used to censor the Web

IP Blocking

IP Blocking is one of the most basic methods for censorship, as it simply prevents all packets going to or from targeted IP addresses.

But while these sorts of operations are relatively simple to execute, they don't tackle the problem of individual communications between users, especially if the users have set up multi-hop circuits that use multiple servers to create a proxy ring.

Traffic Classification (QoS)

This is a more sophisticated method of blocking traffic than IP blocking, as it can halt or slow anything sent over a particular protocol, such as FTP. Because FTP control connections are normally made to TCP port 21 (the data travels over port 20 or an ephemeral port), a censor can simply limit the bandwidth available on that port and throttle transfers. "It is not too resource intensive and is fairly easy to set up."

Shallow Packet Inspection

Shallow packet inspection is basically a blunter, broader version of the deep packet inspection (DPI) technique that is used to block packets based on their content. But unlike DPI, which intercepts packets and inspects their fingerprints, headers and payloads, shallow packet inspection makes broad generalities about traffic based solely on checking out the packet header.

"Shallow packet inspection is more judging a book by its cover. If a packet says that it's SSL (Secure Sockets Layer) in the header, then a shallow packet inspector takes it at face value."

Packet Fingerprinting

This is a slightly more refined method of throttling packets than shallow packet inspection, as it looks not only at the packet header but at its length, frequency of transmission and other characteristics to make a rough determination of its content.

"A lot of things don't explicitly say what they are. For example, a lot of VPN traffic is indistinguishable from SSH traffic, which means that it would be throttled if SSH was." "But what if businesses relied on VPN connections? You'd move the system to fingerprinting, where the two are easily distinguishable."

Deep Packet Inspection / Packet Content Filtering

DPI is the most refined method for blocking Internet traffic. As mentioned above, deep packet inspectors examine not only a packet's header but also its payload. This gives the ability to filter packets at a more surgical level than any of the other techniques discussed so far.

"Viewing a packet's contents doesn't tell you much on its own, especially if it's encrypted." "But combining it with the knowledge gained from fingerprinting and shallow packet inspection, it is usually more than enough to figure out what sort of traffic you're looking at."
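The three techniques above, as an added worked example that is not part of the original post: a small Python classifier that runs shallow inspection, fingerprinting and deep packet inspection over the first client packet of four flows. The packets, the port table and the policy (throttle SSH, block one hostname) are all constructed for the demonstration and are not taken from any real system. It makes the quoted point concrete: an SSH session moved to port 443 passes the port check as "ssl", the fingerprint still recognises the SSH banner, and DPI can act on a plaintext HTTP Host header but has nothing to match inside TLS.

```python
import re

# Constructed first client-to-server packets of four flows (not captured traffic):
# the destination port as the header shows it, and the payload bytes a middlebox sees.
PACKETS = {
    "https":   {"dst_port": 443, "payload": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"},
    "ssh-443": {"dst_port": 443, "payload": b"SSH-2.0-OpenSSH_8.4\r\n"},
    "http":    {"dst_port": 80,  "payload": b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"},
    "ftp":     {"dst_port": 21,  "payload": b"USER anonymous\r\n"},
}
PORT_TABLE = {21: "ftp", 22: "ssh", 80: "http", 443: "ssl"}
BLOCKED_HOSTS = {"blocked.example"}  # hypothetical content policy for the DPI stage

def shallow_inspect(pkt):
    """Shallow inspection: take the header at face value (destination port -> protocol)."""
    return PORT_TABLE.get(pkt["dst_port"], "unknown")

def fingerprint(pkt):
    """Fingerprinting: judge by framing and length, ignoring the port the header claims."""
    p = pkt["payload"]
    # TLS handshake record: type 0x16, major version 3, length field == rest of payload.
    if len(p) >= 5 and p[0] == 0x16 and p[1] == 0x03 and int.from_bytes(p[3:5], "big") == len(p) - 5:
        return "ssl"
    if p.startswith(b"SSH-"):                                   # SSH identification string
        return "ssh"
    if re.match(rb"[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n", p):          # HTTP request line
        return "http"
    if re.match(rb"(USER|PASS|PASV|RETR|STOR|LIST) [^\r\n]*\r\n", p):  # FTP command
        return "ftp"
    return "unknown"

def deep_inspect(pkt):
    """DPI: read the payload and apply the content policy wherever it is readable.
    Returns (verdict, reason); the verdicts are the demo's own policy."""
    proto = fingerprint(pkt)
    p = pkt["payload"]
    if proto == "http":
        m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", p)
        host = m.group(1).decode("ascii", "replace").strip().lower() if m else ""
        return ("block" if host in BLOCKED_HOSTS else "allow", "http host=" + host)
    if proto == "ssl":
        return ("allow", "ssl: application data is encrypted; this demo does not parse the ClientHello")
    if proto == "ssh":
        return ("throttle", "ssh: can carry a tunnel; fingerprint caught it on port %d" % pkt["dst_port"])
    return ("allow", proto)

def classify(name):
    """All three stages for one flow: (shallow, fingerprint, dpi verdict)."""
    pkt = PACKETS[name]
    return shallow_inspect(pkt), fingerprint(pkt), deep_inspect(pkt)[0]

if __name__ == "__main__":
    for name in PACKETS:
        print("%-8s shallow=%-7s fingerprint=%-7s dpi=%s" % ((name,) + classify(name)))
```

The order of the stages mirrors the last quotation: the port table is cheap and is consulted first, the framing check corrects it when a protocol has been moved to an unexpected port, and only the content stage needs to read the payload, which for TLS yields nothing beyond what the handshake exposes.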