600 likes | 683 Views
Effective Enterprise Java Johannes Brodwall Chief scientist, Steria Norway. www.steria.no. What I have prepared. In order to design, develop or maintain an enterprise information system in Java (web, database) As a senior developer
E N D
Effective Enterprise Java Johannes Brodwall Chief scientist, Steria Norway www.steria.no
What I have prepared • In order to design, develop or maintain an enterprise information system in Java (web, database) • As a senior developer • I want to learn how to approach important aspects of my application
My responsibity as an instructor • To give the best answer I can to the problems you have • To be honest when I’m unsure about a question • To listen to your wishes for topics throughout the tutorial
Konfidensiell - Navn på presentasjon.ppt Your responsibilties as participants • To ask your most pressing questions • To participate actively • To let me know if we spend too much time on a topic • To challenge me when you think I’m wrong
Contents • Architecture • Communication • Processing • State management • Presentation • Security
Top take-aways • Development • Invest in unit and integration level tests • Architecture • Isolate each processing event and abort if you can’t complete • Communication • Fowler's First Law of Distributed Object Design: Don’t distribute your objects • Processing • Prefer local transactions to distributed ones • State management • Understand the underlying relational model before using an ORM tool • Presentation • Design your system from the outside in • Security • Treat all data from outside as tainted
Agenda • Architectural overview of enterprise applications • Sections (a la carte) • Preparated materials • Without prepared materials • Suggestions from you • Things I don’t know • Breaks at ???
Section menu a la carte • Prepared materials • Integration testing • Unit testing enterprise applications • Persistence (ORM basics, ORM advanced) • Scalability • Distributed applications • Security • Client options • Without prepared materials • Continuous Deployment • Putting transactions, state and processing into context • A practical approach to system design • Machine-enabled interfaces • Suggestions from you • Things I don’t know
Participant stories • In order to <solve a problem in my job> • As a <job title> • I want to learn about <subject>
Disclaimer! Code is presented as stand-alone as possible – in real systems, refactor to remove duplication
Enterprise Java Architecture 2009 • Every processing is triggered by an event • Usually: Timed trigger, incoming http request, incoming message • All triggers can be forged • Every processing event should be isolated • Retrieve all data as you need it • Update all data at an end • Do optimistic locking • All objects are short-lived or immortal and stateless • Unexpected errors should rollback everything, log and abort • Any, oh, EJBs are more trouble than they’re worth
Clients Internet/intranet Perimeter Application Information
What you need to care about Identify user Interpret request Render response Yourapplication Identify action and flow Isolate processing Read and persist information
What you need to care about Manage events Present data Server module Identify user API Wire protocol Server module Identify action and flow Read and persist information
Scalability What are you bottlenecks?
Scalability: Only two solutions, one problem • Solution #1: Add more identical nodes • Solution #2: Cache at some level • Problem: Data out of sync
Bottlenecks #1: Make one app server performant • Poor SQL performance – trace and optimize SQL • Garbage collection screw-up – check with a memory profiler • Rendering similar pages repeatedly – page caching • Stateful pages get in the way of caching – make saner URLs • User-info gets in the way of caching – render with JavaScript and cookies • Offload static content • Increase hardware
Bottleneck #2: Horizontal app server scaling • More seldom than you’re led to think! (e.g. stackoverflow.com) • In principle simple: mod_whatever in Apache frontend • Problems: Session • Solutions • No session (authentication in perimeter) • Sticky sessions • Distributed sessions • Cookie-based sessions
Bottleneck #3: Database scalability • Two basic solutions • Expensive, poorly-understood distributed RDBMSs • Caching • Caching: • In application server • In read-only database mirrors • Seperate read and write-requests to different app servers (on HTTP verbs or URLs) • Tradeoff: How often should users see stale data? Should they ever see own stale data?
Integration testing web applications • Live demo
Integration testing web applications @Test publicvoidshouldFindSavedPeople() throws Exception { org.mortbay.jetty.Server server = neworg.mortbay.jetty.Server(0); server.addHandler(newWebAppContext("src/main/webapp", "/")); server.start(); String rootUrl = "http://localhost:" + server.getConnectors()[0].getLocalPort() + "/"; org.openqa.selenium.WebDriverbrowser = neworg.openqa.selenium.htmlunit.HtmlUnitDriver(); browser.get(rootUrl); browser.findElement(By.linkText("Create a new person")).click(); browser.findElement(By.name("full_name")).sendKeys("Johannes Brodwall"); browser.findElement(By.name("create")).click(); browser.findElement(By.name("name_query")).sendKeys("johannes"); browser.findElement(By.name("search")).click(); browser.findElement(By.xpath(".//*[text() = 'Johannes Brodwall']")); }
Unit testing enterprise applications • Live demo: Servlet testing • Live demo: Hibernate testing
Unit testing servlets with Mockito @Test publicvoid shouldSearchForPerson() throws Exception { HttpServletRequest req = org.mockito.Mockito.mock(HttpServletRequest.class); HttpServletResponse resp = mock(HttpServletResponse.class); StringWriter pageSource = new StringWriter(); when(resp.getWriter()).thenReturn(new PrintWriter(pageSource)); when(req.getMethod()).thenReturn("GET"); when(req.getPathInfo()).thenReturn("/find.html"); when(req.getParameter("name_query")).thenReturn("foobar"); PersonDao personDao = mock(PersonDao.class); PersonServlet servlet = new PersonServlet(); servlet.setPersonDao(personDao); servlet.service(req, resp); verify(personDao).find("foobar"); DocumentHelper.parseText(pageSource.toString()); org.fest.assertions.Assertions.assertThat(pageSource.toString()) .contains("<input type='text' name='name_query' value='foobar'"); }
Unit testing Hibernate @Test publicvoidshouldFindPeopleByName() { AnnotationConfigurationconfiguration = newAnnotationConfiguration(); Propertiesproperties = configuration.getProperties(); properties.setProperty(Environment.URL, "jdbc:h2:mem:person-dao-test;MVCC=true"); properties.setProperty(Environment.DRIVER, Driver.class.getName()); properties.setProperty(Environment.CURRENT_SESSION_CONTEXT_CLASS, ManagedSessionContext.class.getName()); properties.setProperty(Environment.HBM2DDL_AUTO, "update"); configuration.addAnnotatedClass(Person.class); SessionFactorysessionFactory = configuration.buildSessionFactory(); ManagedSessionContext.bind(sessionFactory.openSession()); HibernatePersonDaopersonDao = newHibernatePersonDao(sessionFactory); personDao.create(Person.withName("AyeBeeCee"), Person.withName("AyeCee")); sessionFactory.getCurrentSession().flush(); sessionFactory.getCurrentSession().clear(); assertThat(personDao.find("Bee")) .contains(Person.withName("AyeBeeCee")) .excludes(Person.withName("AyeCee")); ManagedSessionContext.unbind(sessionFactory).close(); }
Why? • In order to reduce the amount of dedious work and error prone SQL/jdbc code I write • As a developer who already understands SQL well, • I want to use an ORM to manage my persistence
Basics @Entity publicclass Person { @Id@GeneratedValue(strategy=GenerationType.SEQUENCE) private Long id; private String name; @Override publicbooleanequals(Object obj) { } @Override publicinthashCode() { } }
Advanced: Hacked polymorphic joins @Entity@Table(name="XX_KONTO") publicclassKonto implements Serializable { @EmbeddedId private KontoPk id = new KontoPk(); @Column(name="TREKKPST") private Integer trekkprosent; @ManyToOne(optional=true)@NotFound(action=NotFoundAction.IGNORE) @JoinColumn(name="fodselsnr", referencedColumnName="fodselsnr") private Person person; @ManyToOne(optional=true) @NotFound(action=NotFoundAction.IGNORE) @JoinColumn(name="orgnr", referencedColumnName="orgnr")private Foretak foretak; public KontoEier getEier() { returnperson != null ? person : foretak; }
Advanced: Composite foreign keys as part of primary key @ManyToOne @JoinColumns({ @JoinColumn(name="fylkenr", referencedColumnName="fylkenr", insertable=false, updatable=false), @JoinColumn(name="komnr2", referencedColumnName="komnr2", insertable=false, updatable=false), @JoinColumn(name="ktotype", referencedColumnName="ktotype", insertable=false, updatable=false), @JoinColumn(name="ktonr", referencedColumnName="ktonr", insertable=false, updatable=false)}) private Konto konto;
Advanced: Composite foreign keys as part of primary key @ManyToOne @JoinColumns({ @JoinColumn(name="fylkenr", referencedColumnName="fylkenr", insertable=false, updatable=false), @JoinColumn(name="komnr2", referencedColumnName="komnr2", insertable=false, updatable=false), @JoinColumn(name="ktotype", referencedColumnName="ktotype", insertable=false, updatable=false), @JoinColumn(name="ktonr", referencedColumnName="ktonr", insertable=false, updatable=false)}) private Konto konto;
Advanced: Fetch strategies publicenum FetchType { /** *Definesthatdatamustbelazilyfetched */ LAZY, /** *Definesthatdatamustbeeagerlyfetched */ EAGER };
Always understand what the ORM does • Fetching strategies: • Left outer join • Lazy loading • Inheritance • Table-per-concrete class (union subclass) • Table-per-class (join subclass) • Table-per-class-hierarchy () • Relationships • @OneToMany @ManyToOne • Cascading (broken) • Ownership, mapped-by • When in doubt – make sure to unit test!
Distributed applications • Fowler’s first law of distributed objects: • Don’t distribute your objects • As the server: • Treat your clients as you would a human client: Designed interface, test at the outside, have a ”designer” take a look • As the client: • Each service you use will decrease your understanding, reliability and performance
Why? • In order to get access to data or a service owned by another entity • As a complex application • I want to integrate with the third party service • In order to profit on a valuable service or dataset that I control • As a service provider • I want to provide a remote API to my services • In order to create a rich client interface • As a the client side of a rich internet application • I want to communicate remotely with the server
Bad reasons! • In order to reuse functionality • As a complex application • I want to call a third party internal service • (Seldom worth the saving) • In order to don’t communicate with some other developer • As an introvert loner • I want to hide myself behind a service interface • (How will you be able to assess total complexity?)
How • REST vs SOAP vs ORB • REST is good when you want to use HTTP as an application protocol and not just a transport protocol • ORBs are good when you control both endpoints • SOAP is good when ORBs would be better • Hessian is a binary ORB-protocol over HTTP • Distributed transactions versus idempotent writes • Very few organizations have been able to master distributed transactions • Understand the semantics of HTTP PUT
Security thread #1: Injection • Problem: Client tricks the application to treat data as instructions • SQL commands • HTML code • (In C: return pointer in memory) • Solution: Treat all outside data as tainted • Outside: Request (obviously), files (usually), database (yes!) • Always, alway, always escape tainted data • SQL parameters – Use PreparedStatement • Hibernate parameters – Use parameters or Criteria • HTML snippet – escape
Security threat #2: Client-only validation • Attack: A malicious user looks at a form and changes the parameters en-route (Firefox plugin) • Weakness: The server expects incoming data to be valid • Solution (again): Treat all incoming data as tainted
Security threat #3: Request forgery • Problem: A malicious site tricks the user into submitting a rogue post-request to you • Problem: A malicious email tricks the user into clicking a rogue link to your application • Solution (again): Treat all incoming data as tainted
Client options HTML GWT Flex (or Silverlight :-P) JavaFX Swing
Things to consider • Power of expression • Flex, JavaFX, GWT • Testing round-trip • HTML, Swing, (JavaFX?) • Easy to layout good Uis? • Flex, JavaFX(?) • Simplicity of language • Swing, GWT • Client pervasiveness/perceived ease of installation • HTML, GWT, (Flex) • Client performance requirements • HTML, (GWT)
Things that aren’t issues any more • Communication between client and server • Basically, all use http-based async ORBs • With Swing: Make your own async http ORB a la GWT with SwingWorker and Hessian • Distribution of client • Swing and JavaFX use JavaWebStart