Raible Designs

JavaOne: Where are the good parties at?

In a week from today, I'll begin the annual trek to one of the best conferences on the planet: JavaOne. By "best conferences", I don't mean it has the best technical content - that award goes to NFJS, The Colorado Software Summit and The Spring Experience.

JavaOne has the best networking opportunities. Of all the conference-goers I know, most of them will be at JavaOne.

I'm flying into San Francisco on Monday, driving to Mountain View to work for a few hours, playing in the company's weekly softball game, then heading back to downtown San Francisco for the networking. Tuesday through Thursday, I plan on doing the same thing: commuting to Mountain View during the day, returning to JavaOne for the parties. I have a free blogger pass, so I could attend sessions, but networking seems more important. If there's any good BOFs at night, I may attend those.

So where and where are the good parties at JavaOne 2008? Here's what I know about so far - I'll add to this list as comments start flowing in:

• Sunday: GlassFish: Thirsty Bear @ 7
• Monday: IONA: Zebulon @ 6, JavaBloggers: Thirsty Bear @ 7:30
• Tuesday: CodeGear: Thirsty Bear @ 5:30, TangoSolarMetric: Zebulon @ 9
• Wednesday: Adobe: Jillian's @ 6:30, Eclipse: Thirsty Bear @ 7, Tiki Bar Party: The Bamboo Hut @ 8
• Thursday: JBoss: Jillian's @ 5:30, QCon: Zebulon @ 6:30

I don't have details on the JBoss party, but I did receive an e-mail about it. Since my flight leaves before the party starts, I must've deleted it.

When and where is the Java Bloggers Meetup? What about the Solarmetric/Tangosol party? Is it now the SpringSource/BEA/Oracle party?

See y'all next week - I hope the networking opportunities are better than ever.

Related: JavaOne 2004, JavaOne 2005 and JavaOne 2006.

Apache 2 on OS X: Configuring mod_proxy and SSL

I recently had to setup Apache as a front-end web server for multiple backend servlet containers. The backend containers serve up different web applications, and the Apache front-end unites them from a hostname and port standpoint. The following instructions describe how to configure Apache 2 on Mac OS X to proxy requests to Tomcat or Jetty running on localhost:8080. It also shows how to enable SSL on Apache and force it for certain URLs in your Java web application.

Apache comes pre-installed on OS X, so you should be able to start it by enabling "Web Sharing" in System Preferences > Sharing.

$APACHE_HOME on Leopard is /etc/apache2. On Tiger, it's /etc/httpd. If you've upgraded Tiger to Leopard, it's likely you'll have both directories so make sure you're modifying the right one. I lost a few hours figuring this out, so hopefully this knowledge will appease some googler in the future.

Configuring mod_proxy

1. Open $APACHE_HOME/httpd.conf and add the following on line 480 - at the very bottom, just before "Include /private/etc/apache2/other/*.conf".

   #
   # Proxy Server directives. 
   #
   <IfModule mod_proxy.c>
       ProxyRequests On
       ProxyPreserveHost On
   
       ProxyStatus On
       <Location /status>
           SetHandler server-status
   
           Order Deny,Allow
           Deny from all
           Allow from 127.0.0.1
       </Location>
   
       ProxyPass    /myapp    http://localhost:8080/myapp
   </IfModule>

   ProxyPreserveHost allows request.getServerName() and request.getServerPort() to work as if there is no proxy server in place. In other words, even though Tomcat is running on 8080, request.getServerPort() will return 80.

2. The most important line is the last one as this is the dictates the location of your applications. Add more lines as you need to add more applications.
3. If everything is configured correctly, you should be able to run sudo apachectl restart and navigate to http://localhost/status. If you receive a "forbidden" error, make sure your /etc/hosts has an entry mapping 127.0.0.1 to localhost (as one of the last entries), or change "Allow from 127.0.0.1" to "Allow from localhost". If you get a "Server not found" error, you can tail the error log at "/var/log/apache2/error_log".

One issue I've seen with mod_proxy is when a request comes in and the backend server is down. When this happens, Apache returns a 503 Service Temporarily Unavailable and it doesn't seem to go away after the backend server is restarted. It does resume proxying after a while, but I haven't determined what causes the proxy to come back to life. If you know a setting that forces mod_proxy to check for the backend server on every request, please let me know.

Configuring SSL

1. Open $APACHE_HOME/httpd.conf and uncomment the following on line 470:

   Include /private/etc/apache2/extra/httpd-ssl.conf

2. Open $APACHE_HOME/extra/httpd-ssl.conf and change line 78 to:

   ServerName localhost:443

3. In httpd-ssl.conf, change line 99 to:

   SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"

4. In httpd-ssl.conf, change line 107 to:

   SSLCertificateKeyFile "/private/etc/apache2/ssl.key/server.key"

5. In httpd-ssl.conf, add the following after SSLEngine on to allow proxying via HTTPS:

   SSLProxyEngine on

6. Follow the Using mod_ssl on Mac OS X tutorial. For "Common Name/Server Name", use "localhost". You can download the source for mod_ssl (which you need at one point during the tutorial) at http://www.modssl.org/source/.
7. Run sudo apachectl restart and go to https://localhost. If you get a "Server not found" error, run sudo apachectl -t to verify the syntax of your config files or tail -f /var/log/apache2/error_log to verify there are no errors in the log files.

Forcing HTTPS for certain URLs
If you proxy requests from /myapp -> http://localhost:8080/myapp, request.isSecure() will return false. If you change it to /myapp -> https://localhost:8443/myapp, request.isSecure() will return true. I needed to figure out a way to have http://localhost/myapp go to http://localhost:8080/myapp and https://localhost/myapp to go http://localhost:8443/myapp. Even better, I wanted to configure things in a way so request.isSecure() returned the value based on the originally requested URL, not on the proxied URL. Configuration like the following would be ideal:

ProxyPass    http://*/myapp    http://*:8080/myapp
ProxyPass    https://*/myapp   https://*:8443/myapp

The solution I came up with is to standardize on secure URLs in my application. That is, use /secure/* as a prefix for all URLs that should be accessed via SSL. To follow this convention and force it, I added the following in my application's web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Once this is in place, accessing http://localhost/myapp/secure/index.html will result in an error. Accessing it using https will succeed. Following this, you can change your ProxyPass rules to the following and all requests to /secure/* will be https; other requests will be sent to http. The order of the rules below is important.

ProxyPass    /myapp/secure   https://localhost:8443/myapp/secure
ProxyPass    /myapp          http://localhost:8080/myapp

If this isn't a good strategy for you, Tomcat has the ability to use a redirectPort (in server.xml) that auto-redirects from http to https when CONFIDENTIAL is used in web.xml. I'm not sure if this redirect will carry through values from a form post.

Upgrading to Spring Security 2.0

This evening I spent a few hours and upgraded AppFuse to use Acegi Spring Security 2.0. The upgrade was fairly straightforward:

• %s/org.acegisecurity/org.springframework.security/g
• Upgraded dependencies (exclusions are necessary if you're using Spring 2.5.x and don't want 2.0.x dependencies pulled in):

  <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core-tiger</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
          <exclusion>
              <groupId>org.springframework</groupId>
              <artifactId>spring-core</artifactId>
          </exclusion>
          <exclusion>
              <groupId>org.springframework</groupId>
              <artifactId>spring-support</artifactId>
          </exclusion>
      </exclusions>
  </dependency>
  ...
  <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-taglibs</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
          <exclusion>
              <groupId>org.springframework</groupId>
              <artifactId>spring-web</artifactId>
          </exclusion>
      </exclusions>
  </dependency>
  

• Changed taglib prefix from "authz" to "security" and change the associated taglib declaration to:

  <%@ taglib uri="http://www.springframework.org/security/tags" 
      prefix="security" %>
  

• In web.xml, I changed <filter-class> to org.springframework.web.filter.DelegatingFilterProxy. Since I didn't name my filter springSecurityFilterChain, I also had to add the following <init-param>:

      <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>springSecurityFilterChain</param-value>
      </init-param>
  

• Lastly, I modified security.xml to use the new syntax. AppFuse's security.xml went from 175 lines to 33 with the new security namespace configuration!

It's hard to believe I first looked at Acegi almost 4 years ago. At that time, I said it contained too much XML for my needs. Ben's reaction:

Seriously, the "whole lotta XML" gives you exponentially more power and flexibility than a method such as this could ever hope to provide you.

It's nice to see that Spring Security 2.0 gives you exponentially more power and flexibility without all the XML. Thanks guys!

P.S. You can also view the full changelog for this upgrade.

Update: If you're using <authz:authentication property="fullName"/> in your JSPs, you'll need to change it to <security:authentication property="principal.fullName"/>.

Jetty and Resin closing in on Tomcat's popularity

From Greg Wilkin's Jetty Improves in Netcraft survey (again):

As with most open source projects, it's very hard to get a measure of who/how/where/why Jetty is being used a deployed. Downloads long ago became meaningless with the advent of many available bundling and distribution channels. The Netcraft Web Survey is one good measure, as it scans the internet and identifies which server sites run. In the results released April 2008, Jetty is identified for 278,501 public server, which is 80% of the market share of our closest "competitor" tomcat (identified as coyote in the survey). Jetty is currently 12th in the league table of identified servers of all types and will be top 10 in 6 months if the current trajectory continues.

If you look at the Netcraft numbers, you might also notice that Resin isn't far behind Jetty. If you look at the Indeed Job Trends graphs for the three, there seems to be some interesting information there too. The first graph is absolute and the second is relative.

tomcat, resin, jetty Job Trends

tomcat jobs - resin jobs - jetty jobs

tomcat, resin, jetty Job Trends

tomcat jobs - resin jobs - jetty jobs

If you're using Spring Dynamic Modules to deploy a web application, which server do you think is better? Both Tomcat 6 and Jetty 6 seem to work just fine in Equinox.

The Web Framework Smackdown Questions

I'm doing my Web Frameworks Smackdown this morning at TheServerSide Conference. A few weeks ago, I asked What Would You Ask the Web Framework Experts? on Javalobby and LinkedIn. Here's a summary of those questions:

• What is the overall performance of your framework as it compares to others?
• How does your web framework position themselves in relation to Web Beans?
• How easy is it to create a re-useable component in your framework? Is it as easy as sub-classing an existing component?
• What is the key differentiating characteristic of your framework that makes it better than the rest?
• What do you think about the various scopes introduced by Seam, e.g. conversation vs request or session? If you support these additional scopes, do you also provide some sort of concurrency control?
• Why can't we, the Java Community, come together and adopt the best application framework and settle the web development subject?
• What are you doing to help with developer productivity?
• 2008 is a huge year for the mobile web. How do you help developers build great mobile web applications?
• If you couldn't use your framework, what would you use and why?
• How do you enable rich Ajax applications?
• Can a developer make a change to source, and hit RELOAD in the browser to see the change? If not, why not?
• What do you think about the whole Flex revolution, and do you think you are competitors to this technology?
• How easy is it to create a module and plug it into a bigger application, complete with configuration, code, and view?

Of course, there's many more questions on the aforementioned pages, these are just some that I hope to ask during the panel. Sitting on the panel: Don Brown (Struts 2), Keith Donald (Spring MVC), Ed Burns (JSF), David Geary (GWT), Geert Bevin (RIFE/OpenLaszlo) and Justin Gehtland (Rails). I tried to get Flex and Grails folks, but they'd either left the conference already or are speaking at the same time.

Update: InfoWorld has some modest coverage of this event in Web frameworks debated at TheServerSide Java Symposium.

An Irish Pub moves into the Neighborhood

In August 2006, I described how happy I was to be living in the DU Neighborhood and how we had so many good restaurants around. Today, I discovered there's a new Irish Pub that opened this week. While I don't live in the same house that I did in August 2006, I still live close by, a mere 5 blocks from Julie's house. While the old location was excellent, with Sushi, Indian and Liquor on the same block - my new location is 6 blocks from the Light Rail and a 1/2 block from the Elementary School Abbie and Jack will attend next year. DU is 5 blocks away - which is great for hockey games and gym memberships.

Why am I rambling on like this? I don't know, I just wanted to write down how much I like this neighborhood. With Spring starting yesterday, a beautiful day today and DU beating North Dakota last night - life is very good.

Today's agenda: skiing with the kids at Copper. WCHA Championship tonight.

The AppFuse Primer is now available!

From David Whitehurst's blog:

The AppFuse Primer is published! And, you can order your copy today. It's been a long road getting this done, but I'm excited about it and I hope you will be too. Please visit the site and consider the purchase of a copy today at http://www.sourcebeat.com/books/appfuse.html.

For more information, see SourceBeat's Press Release.

This book is as up-to-date as you can get. While I hope to do another AppFuse release in the coming months, this book should be up-to-date for quite some time.

Proposal accepted for OSCON 2008

From an e-mail I received earlier this afternoon:

We are pleased to accept the following proposal for OSCON 2008.

* Web Frameworks of the Future: Flex, GWT, Grails and Rails

It has been scheduled for 16:30 on 23 Jul 2008.

My Abstract:

What if the choices in web framework was reduced to 4? If RIA are the way of the future, it's possible that these 4 frameworks are the best choices for this development paradigm. This session will explore these frameworks, as well as entertain many other's opinions on the future of web development.

RESTful backends are easy to create with both Rails and Grails. Ajax frontends are simple to create and maintain with GWT. Flex gives you flash and a pretty UI. If you're an HTML developer, Rails allows you to quickly develop MVC applications. If you're a Java Developer, GWT + Grails might be a match made in heaven. This session is designed to help you learn more about each framework and decide which combination is best for your project.

I'm really looking forward to learning about GWT and Flex in the coming months. If you have any experience (or opinions) about the abstract above, I'd love to hear it. The louder the better.

For those who haven't been, OSCON is one of those truly special conferences. Possible reasons:

• It's only an hour from my parent's house
• It's a beautiful time of year in Portland
• It's always the same weekend as the Oregon Brewers Festival
• It's a kickass conference with the greatest diversity of Open Source Committers

I'm going for all 4 reasons and even made a reservation to stay at The Kennedy School. Should be a fun show.

Maven Integration for Eclipse

If you're a Maven user and like Eclipse, you might want to checkout the new Maven Integration Plugin for Eclipse 0.9.0. Euxx has a couple blog posts talking about the new features - looks like pretty cool stuff to me.

• Indexing Maven repositories - for offline browsing of repositories.
• Making a good use of Maven metadata - materializing projects from dependencies.
  

The second feature is especially cool. If your dependencies supply SCM information - you can import the project from its source control system. Maven may have warts, but it also has incredible potential.

Scott Bain on Writing and Publishing a Book

Scott Bain has an interested blog entry called Writing and Publishing a Book:

Good to know - thanks Scott! I've been thinking about writing a book again and was actually considering writing first and shopping for a publisher later. I guess that's the wrong approach eh?