Raible Designs

Upgrading to Spring Security 2.0

This evening I spent a few hours and upgraded AppFuse to use Acegi Spring Security 2.0. The upgrade was fairly straightforward:

• %s/org.acegisecurity/org.springframework.security/g
• Upgraded dependencies (exclusions are necessary if you're using Spring 2.5.x and don't want 2.0.x dependencies pulled in):

  <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core-tiger</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
          <exclusion>
              <groupId>org.springframework</groupId>
              <artifactId>spring-core</artifactId>
          </exclusion>
          <exclusion>
              <groupId>org.springframework</groupId>
              <artifactId>spring-support</artifactId>
          </exclusion>
      </exclusions>
  </dependency>
  ...
  <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-taglibs</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
          <exclusion>
              <groupId>org.springframework</groupId>
              <artifactId>spring-web</artifactId>
          </exclusion>
      </exclusions>
  </dependency>
  

• Changed taglib prefix from "authz" to "security" and change the associated taglib declaration to:

  <%@ taglib uri="http://www.springframework.org/security/tags" 
      prefix="security" %>
  

• In web.xml, I changed <filter-class> to org.springframework.web.filter.DelegatingFilterProxy. Since I didn't name my filter springSecurityFilterChain, I also had to add the following <init-param>:

      <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>springSecurityFilterChain</param-value>
      </init-param>
  

• Lastly, I modified security.xml to use the new syntax. AppFuse's security.xml went from 175 lines to 33 with the new security namespace configuration!

It's hard to believe I first looked at Acegi almost 4 years ago. At that time, I said it contained too much XML for my needs. Ben's reaction:

Seriously, the "whole lotta XML" gives you exponentially more power and flexibility than a method such as this could ever hope to provide you.

It's nice to see that Spring Security 2.0 gives you exponentially more power and flexibility without all the XML. Thanks guys!

P.S. You can also view the full changelog for this upgrade.

Update: If you're using <authz:authentication property="fullName"/> in your JSPs, you'll need to change it to <security:authentication property="principal.fullName"/>.

TSSJS Vegas Begins

This morning, I woke up early and headed down to the opening ceremonies for TheServerSide Java Symposium in Vegas. Joseph Ottinger and Eugene Ciurana kicked off the show and welcomed the seemingly large audience of Java Developers. After the introduction, Neal Ford delivered a keynote titled Language-Oriented Programming: Shifting Paradigms. You can download Neal's presentation from the TSSJS Wiki (requires creating an account).

I started live-blogging Neal's keynote, but quickly gave up when I realized it was going to be a very good talk and I'd miss the essence of it if I tried to write it down. So I closed my laptop, sat back and enjoyed. Neal is an excellent speaker and did a great job of telling a story of the next evolution in Java Development. First off, he talked about artwork, the Renaissance and the Age of Enlightenment.

The plethora of Frameworks today is similar to the Renaissance (where everyone painted Madonna and Child) in that they're all very similar, and most of them are configured with XML. XML is the external DSL that configures the framework and its needed to allow late-binding and flexibility. The reason folks use XML is because of Java's limitations as a language. There are better mechanisms (languages) to construct this DSL. He gave examples using Ruby and Groovy. Furthering the notion of DSLs are Language Workbenches that allow programmers to write DSLs that are IDE-aware, so tools like IntelliJ IDE can offer code completion and such. If DSLs are the next evolution of programming, then tools like IntelliJ's MPS (to be open sourced before year end) are going to become very important.

I think one of the most important things I took away was that the building blocks for the next generation of development is already there. Neal referenced Ola Bini and his idea of the Polygot Language Platform. He showed the following image of what the Polygot Platform might look like, where the Stable Layer is written in Java, it has a low-ceremony/dynamic language on top of it, and then a DSL that pertains to the particular application. If we start developing using this type of platform, we'll quickly move into our own Age of Enlightenment - where we're still using all the frameworks, we're just putting a prettier face (DSL) on them.

This was a very good talk that I enjoyed immensely. I'm glad I sat back and listened instead of typing like mad.

After Neal's Keynote, I went to Brian Goetz's talk on Java Performance Myths. In this session, Brian talked about how object allocation is no longer slow, benchmark frameworks are often flawed, (uncontended) synchronization is not slow and a couple other things. The room was packed and 10-20 people ended up standing up in the back. I didn't learn anything revolutionary as this talk seemed to be written a couple of years ago.

Following Java Performance Myths, I headed to my room to get some work done. On the way, I discovered the "gas is out" at the Venetian and it's recommended folks go across the street to eat lunch and such. I'm about to head back to the conference to grab some grub - it'll be interesting to see if this situation has caused any lunch chaos.

The AppFuse Primer is now available!

From David Whitehurst's blog:

The AppFuse Primer is published! And, you can order your copy today. It's been a long road getting this done, but I'm excited about it and I hope you will be too. Please visit the site and consider the purchase of a copy today at http://www.sourcebeat.com/books/appfuse.html.

For more information, see SourceBeat's Press Release.

This book is as up-to-date as you can get. While I hope to do another AppFuse release in the coming months, this book should be up-to-date for quite some time.

The LinkedIn Journey Continues

As you might know, I've spent the last several months working for one of the coolest clients ever: LinkedIn. They hired me back in July 2007 and I was impressed on day one. I was originally hired to help them evaluate open source Java web frameworks and try to determine if moving from their proprietary one to an open source one would help improve developer productivity.

After looking at all the options, I recommended we look at Struts 2 and Spring MVC - primarily because they seemed to be the best frameworks for a LinkedIn-type of application. Another Engineer and I prototyped with Struts 2 for about 6 weeks and came up with a prototype that worked quite well. While our mission was successful, we found a couple issues with Struts 2 and standard JSP that might actually hurt developer productivity more than it helped.

Following this project, I worked on the New Homepage Team, which is now visible to everyone that logs onto LinkedIn. My role was minimal, but it was still a very fun project to work on. You know those widgets in the right panel? I did the initial UI and backend integration for those. All the business logic, Ajax/JavaScript, CSS, and optimization was done by other folks on the team. Shortly after this project went live in November, I started prototyping again with Spring MVC + JSP.

The reason I was asked to prototype with Spring MVC was because they were using Spring on the backend, Spring MVC in a couple other projects, and a new project was being kicked off that used Grails. Rather than add another framework (Struts 2) to the mix, they wanted to see if they could suppress any further framework proliferation.

After a month of prototyping with Spring MVC + JSP, my results weren't as good as Struts 2. With Struts 2, I was able to use OGNL to do all the things their current JSP implementation allows them to do (call methods with arguments, use statics in EL, etc.). With standard JSP, a lot of this wasn't possible. If it was - it required writing lots of tag libraries and made it more cumbersome for developers to do certain things. At the end of that project, I determined that using FreeMarker might solve these problems. I also determined that neither Struts 2 nor Spring MVC would solve the ultimate problem of developer productivity. Neither framework would allow developers to go from make-a-change-and-deploy, wait-3-minutes-to-see-change-in-browser to make-a-change, save and wait-15-seconds-to-see-change-in-browser.

I recommended that this be the ultimate goal - to get rid of the deployment cycle and to allow minimal turnaround when deploying modified classes. After that problem was solved, it's true that moving to an open source web framework would likely provide an easier-to-remember API. However, the problem with moving to a new web framework would be that everything used to construct the existing site would suddenly become legacy code.

In the end, we concluded that the best solution might be to enhance the existing framework to be more like the available open source options. This would allow existing applications to keep using their code -- and if we enhance properly -- new applications can use a simpler, less verbose API and a templating framework that's easier to understand. We can make LinkedIn's version of JSP more like standard JSP while allowing its powerful EL to remain. We can add support for JSP Tag Libraries and Tag Files.

One of the benefits of moving to an open source web framework is there's a community, documentation and books that describe the best (or most common) ways to solve problems with the framework. LinkedIn has this, but it's all in code and no one seems to have a high-level of confidence that the way that they did it is the "best" way. Developers communicate well, but all the knowledge is stuck in their heads and inboxes - there's no way for new developers to search this knowledge and figure it out on their own without asking somebody.

By adopting an open source web framework, it's possible to solve part of this problem, but I think it's still going to exist - where a few engineers know how to use the framework really well (for the specific application) and the rest don't. We determined that regardless of open source vs. proprietary framework, what was needed was a set of developers that acted as authorities on how to develop web applications at LinkedIn. A UI Frameworks Team if you will. This would be their only job and they would never get pulled from this to work on projects or complete tasks related to LinkedIn's products. Some developers mentioned that they'd been asking for this for years, and some folks had even been hired for this. However, the formulation of this group has never happened and it's obvious (now more than ever) that it'd be awesome to have them.

The UI Frameworks Team
At the end of 6 months, it seemed my work was done at LinkedIn. I liked the idea of a UI Frameworks Team and recommended they start it with the authors of the existing web framework. They agreed this was a good idea. A few days later, I was pulled into the CTO's office and he offered me the job. He offered me the challenge of building this team and told me I could do it remotely (from Denver) and hire my own people to help me with it. I gulped as I realized I'd just been offered the opportunity of a lifetime. I knew that while this might not be the best option for LinkedIn, it certainly was an excellent opportunity for me. I said I'd think about it.

In the meantime, I was given a project which you might've read about. They asked me to migrate a Rails application to Grails and try to determine if they really needed both frameworks. I spent 2 weeks coming up to speed on both and flew to Mountain View to deliver my conclusion. Here's an excerpt from an internal blog post I wrote.

The application that I was asked to port from Rails to Grails? The one that was launched last week - LinkedIn Mobile.

After doing this research, I stepped up to the plate and accepted the offer to start a UI Frameworks Team and recruited some kick-ass Java Developers I know to be the founding members. Last week, I flew out to Mountain View to do some kickoff meetings and start getting the infrastructure in place so we can document, support and release code like a well-oiled open source project. There's nothing saying we won't use an open source web framework as the underlying engine, but I think this should be an excellent chance to see the power of open source governance and development style in a corporate environment.

Director of Engineering, Core Experience
I should mention one last thing. If you're an experienced Java Developer/Architect with a passion and deep knowledge of UI development (JavaScript, CSS, HTML), we've got a Director of Engineering, Core Experience position with your name on it. I might even get to interview you if you apply for this job. Furthermore, whoever gets hired will likely work very closely with my team. What's not to like about that!?

Java 5 Sucks according to Clinton Begin

I stumbled upon Clinton Begin's blog this evening and found his only post about how much he hates Java 5:

Anyone who knows me has already knows that I'm no fan of Java 5. Honestly, since Java 5 was released, Java has dropped from 1st to 4th on my list of languages that I consider when starting a new application. It was such a disappointment to me, both because of the poor implementation of the new features, as well as the omission of some fairly basic features.
...
I'm looking to Ruby, Groovy and C# 3.0 before I look to Java. Not so much because those languages are better than Java 5, but more because Java 1.4 was better than Java 5. Java is going downhill at the hands of Sun and the JCP. Sad, sad, sad...

Clinton has some very good points in his rant. Unfortunately, I don't think anything is being done to fix them.

For those that don't know, Clinton is the inventor of iBATIS and one of the heros of the Java Community that took on .NET when they said had a version of the J2EE Petstore that was one-third the lines of code (LOCs) and 28 times faster. Most of the JPetStore links don't work anymore, but you can read the announcement on TSS.

Clinton is also one of those no-bullshit type of people I really enjoy hanging out with. I've had several beers with him at many conferences and have always enjoyed his perspective. However, there's something that smells about this rant of his. If he hates Java 5 so much, and loves Java 1.4, why doesn't iBATIS implement a 1.4 feature? An enhancement request to support for JDBC 3 Generated Keys in iBATIS has been open for almost 3 years! C'mon Clinton - it would've taken you less time to implement this than to write your rant.

The New Javalobby Sucks?

I didn't say it, Jesse Sightler did. Even though he didn't say "it sucks" explicitly, that's what I read in his post:

Is it just me, or has the new Javalobby proven to be a significant step backwards? The old site was a Slashdot style discussion system with a pace very appropriate to the pace of news flowing from the Java community. The light emphasis on announcements was welcome, and useful while at the same time not being overstated.

The new site feels a lot like TheServerSide.Com from a few years ago. They've gone to a system where the frontpage is updated frequently (many times per day) and the content there is seldom interesting enough to attract any significant discussion. Unfortunately, this means that the overwhelming number of articles on the frontpage appear dry and uninteresting. I don't think I've really read anything there since the switch to the new format.

For the sake of the site, I do hope they figure out their mistake here. There is no shame in turning this into worsethanfailurethedailywtf all over again (hopefully you get that reference).

I like the new site because I visit it more than the old one. Of course, that could be a direct result of me posting there. If I could change one thing, I'd like to see a java.blogs-style aggregator of all zones (then I'd turn off the .NET and Kids Code Zones).

Do you agree with Jesse? Should Javalobby change back to the old-way of using forums?

I believe the reason for the change was because DZone has become so much more popular than Javalobby. I think they're hoping to capitalize on that brand name and extend it to other communities. Look at the following graph from Alexa for proof. More traffic = more $$ from advertisers.

Web Application Frameworks based on Real-World Popularity

I received an interesting (spam?) comment on my What Web Application framework should you use? entry today:

A useful resource to compare Java web frameworks (Spring, Tapestry, Struts, OpenLaszlo,...) and also PHP, Python, Ruby web frameworks:

http://www.therightsoft.com/softwaretechnologies/webframeworks

If you go to the site, you'll see they have a hierarchical list of web application frameworks based on real-word popularity. First of all, I'm unsure of what "real-word" popularity is.

Let's assume this is a typo and it should be "real-world" popularity. Where is the credible source for this data? Where is the link to this credible source? I like the list, its sortability and filterability, but there's no evidence that it's true. Care to elaborate on your sources [email protected]?

Maven 2 Archetypes get a much needed improvement

Yesterday, a new version of the Maven Archetype Plugin was released. This release incorporates many of the improvements that were developed in a different project - code named "Archetype NG". The two major improvements are 1) you only have to use "mvn archetype:create" now and 2) you can create archetypes from existing projects.

I haven't tried #2, but #1 seems to work pretty well (especially since AppFuse archetypes are the first 9 ).

[Read More]

Reviews: Getting Started with Grails, Rails for Java Developers and Groovy Recipes

Two weeks ago, I mentioned a number of books I was hoping to read to get up to speed on Rails and Grails quickly. Over the last two weeks, I was able to polish off three of these (listed in order of reading):

• Getting Started with Grails
• Rails for Java Developers
• Groovy Recipes

Below are short reviews of each book.

Getting Started with Grails
The Good: This is the perfect book to learn the basics of Grails quickly. At 133 pages, I was able to read this entire book in one sitting. The first couple chapters are very introductory, but likely necessary for beginners. The good news is you start writing your first Grails application on page 7 (Chapter 3).

Chapter 4 (Improving the User Experience) is good in that it shows you how to do warning, error and confirmation messages. This is something often overlooked in web frameworks and Rails and its "flash" concept seem to have made it important again. I remember way back in 2003 when I complained about frameworks not allowing messages to live through a redirect - everyone said it was something you didn't need. Now it's a standard part of most web frameworks.

The Bad: Uses Grails 0.3.1. This is understandable since the book was written in 2006 and published in 2007. Also, it doesn't cover testing that much (5 pages). If testing is so easy with Groovy and if Grails has Canoo WebTest support built-in, it should be shown IMO.

Rails for Java Developers
The Good: This was an interesting book for me because it uses AppFuse for many of its Java-based examples. Unfortunately, it uses the Struts 1.x version which is cumbersome and verbose as far as Java web frameworks go. The most impressive part of this book is how Justin and Stu do an excellent job of walking the line and not insulting Java nor developers using it. They provide an easy to understand view of Rails from a Java Developer's perspective. There's detailed chapters on ActiveRecord (as it compares to Hibernate), ActiveController (compared to Struts) and ActiveView (compared to JSP). This book has excellent chapters on Testing, Automating the Development Process and Security.

The Bad: This book was published over a year ago, so it uses an older version of Rails. This means some commands don't work if you're using Rails 2.0. It's also a little light on Ruby, so I didn't feel I learned as much about the language as I was hoping to. That's understandable as it's more of a Rails book than a Ruby book.

Groovy Recipes (Beta from Jan 3, 2008)
The Good: I really like the style of this book and that it shows you how to get things done quickly with code samples. It's very no-nonsense in the fact that it contains a lot of code and howtos. I really like Scott's writing style and found this book the easiest to read of the three. This may have something to do with my eagerness to learn Groovy more than anything. The most refreshing part about this book is how up-to-date it is. Because it's a Beta, it seems to contain the most up-to-date information on Groovy and Grails. After reading Getting Started with Grails and working with it for a couple weeks, the first Grails chapter seemed a little basic - but that's likely because I've figured out how to mix all those recipes already. The Grails and Web Services chapter definitely has some interesting content, but I've rarely had a need to implement these recipes in a real-world environment. I'd rather see recipes on testing the UI (with the WebTest plugin) and how to use GWT and Flex with Grails. If SOUIs are the way of the feature, this is a must.

The Bad: Not much information on testing with GroovyTestCase, mock objects or implementing Security. If one of Groovy's sweet spots is testing, why isn't there more coverage on this topic? The Java and Groovy integration chapter is especially good, but there's very limited information on Ant and Maven. It's likely the websites provide sufficient documentation, but the Maven section only fills 5 lines on an otherwise blank page. The biggest problem I have with this book is I really like the recipes writing style and would love to see more tips and tricks. At 250 pages, I was able to finish this book with pleasure in a few days.

What's Next?
Now I'm reading JRuby on Rails (Apress) and Programming Groovy (Pragmatic Programmers). Following that, I'll be perusing dead-tree versions of Struts 2 Web 2.0 Projects (Apress), Prototype and script.aculo.us (Pragmatics) and Laszlo in Action (Manning). If any publishers want to send me books on GWT and Flex, I'd be happy to add them to my list.

Grails 1.0 and JRuby on Rails on WebSphere

A couple of interesting things happened today that relate to my Grails vs. Rails quest for knowledge.

The first is that Grails 1.0 was released. This was apparently a huge event as it swamped Codehaus' servers for a couple hours. This morning, it was pretty cool to shake Graeme's hand and congratulate him on the release. I also got to meet Jeff Brown for the first time. Who needs to go to a conference when you get to talk to these guys at work?

Secondly, I found an article by Ryan Shillington that shows how to deploy a Rails application to WebSphere. To me Rails + WebSphere seems like the last thing a Rails advocate would want - but who knows. In my experience, most developers that use WebSphere don't do it by choice.

For companies that have invested a lot of time and money into the JVM as a platform, it seems like Grails is the clear winner over Rails. However, the line gets blurry when you start talking about JRuby. I think JRuby will get there, but I don't believe it's there yet. If you look at the two major JRuby on Rails success stories (from Oracle and Sun), they've had to fix performance issues as part of their projects. With big companies investing in the platform, it's highly likely performance will be fixed in the near future. I believe both the Groovy and JRuby teams have said performance enhancements are their top priority for their next releases.

I think the biggest news related to performance of dynamic languages on the JVM is the new Da Vinci Machine project.

This project will prototype a number of extensions to the JVM, so that it can run non-Java languages efficiently, with a performance level comparable to that of Java itself.

Dynamic languages on the JVM seem to have a very bright future.

I got involved with Struts and Spring just before their 1.0 releases. Is it simply a coincidence that I happened to start looking into Grails right before its 1.0 release?