I need a good article or book to quote regarding HTTPS versus HTTP performance. I know that HTTPS is slower than HTTP, but I'd like some hard numbers if any of your fellas know of any. Today's been interesting, I feel like I've been writing all day, but I've only managed to get about 3-4 pages done. Damn...
The frustrating part is that I have to qualify everything and remember back to when I first started messing with security in web applications, when I first configured SSL in Tomcat, when I first tried to get form-based authentication on iPlanet (what a CF that was)! I'm hoping the audience for this book is fairly J2EE-fluent, but I feel that there are probably going to be a fair amount of newbies as well. It'd be interesting to write a book for the java.bloggers community. I could skip half the fluff and get right to the stuff - the actual code!
Oh well, tomorrow should be better, I'll be adding/verifying code examples, and divulging all the cool tricks I've learned over the years. I've been doing all this authoring on OS X, and I have to say it's been an enjoyable experience. iTunes cranked, a set of nice Sony (MDR-V600) headphones and enough caffeine (not to mention deadline-adrenaline) to stunt Abbie's growth.
I'm digging into JAAS this afternoon as I enjoy the vacancy of the Winter Break at DU's Penrose Library. Man, what a great school - I used to love it when we'd get off 6 weeks for Christmas Break - from Thanksgiving through January - how sweet is that!?
The reason I'm writing on this cold (32°F) afternon is to get some thoughts on JAAS in web applications. I'm giving it about a paragraph of coverage, explaining that it's mainly for declaring authentication and authorization in policy files. Furthermore, it's only invoked when running your application (or Tomcat) with a security manager. However, it's not really needed in web applications because 1) container-managed/web.xml is good enough, and 2) authentication mechanisms never really need to be that fine-grained. Whaddya think? Am I wrong, does it deserve more coverage? Don't most app servers use JAAS under the covers?
The Tomcat developers turned off the ability to create symbolic links (symlinks) in 4.1.x. This really threw a wrench in my ability to upgrade as I use symlinks to point to resources outside my webapp all the time. I don't do it for jars, but for common image or documentation directories. In Tomcat 4.1.12 (the latest release), you were supposed to be able to turn symlinks back on by adding the following to your app's context:
<Resources
className="org.apache.naming.resources.FileDirContext"
allowLinking="true" caseSensitive="false" />
The bad news? This didn't work! I'm happy to report that with the lastest 4.1.16 beta, this does work! So, for instance, if you want to turn on symlinks in the ROOT context, add the following to your server.xml:
<Context path="" docBase="ROOT" debug="0">
<Resources
className="org.apache.naming.resources.FileDirContext"
allowLinking="true" caseSensitive="false" />
</Context>
I've gotten approval from Wrox to use struts-xdoclet as my sample app for my chapters on Security and Struts. I've also received committer rights from Ted Husted on the Struts project at SourceForge. I haven't checked anything in yet, because I still don't have a good name. While I think struts-xdoclet is a good descriptive name, it doesn't have the pizzazz I'm looking for. So the naming discussion continues. I'm thinking of actually leaving "Struts" out of the name as it seems to make other names more difficult when combined. I like the idea of kindling, which we use to start fires at the cabin, but I don't know if that makes a good app name.
Back to the point of this post, what are your recommendations for a good open source license? I don't really care how people use struts-xdoclet, so do I even need to license it? What happens if I don't include a license?
A Struts WML Tag Library has been posted to the struts-dev mailing list. It's a "pre-release", which means the project is probably not stable, but I'm guessing the technology and tags are.
Struts-wml taglib, 'raw prerelease' is available here:
http://sourceforge.net/projects/struts-wml/
Here's the release notes:
This is a fully functional 'prerelease' which includes source code, sample
application, documentation, binary and libraries. It's still somewhat
unpolished (therefore raw prerelease). If you're willing to hack arround
with it a little bit, you're welcome to download it. Please don't forget to
contribute your changes back to the project! [Full Post]
Now it's your responsibility to get a WML project that you can implement this on!
