32ndAirhacksQ&A.md

ratcashdev commented Oct 5, 2016

Dear Adam,

What do you think are the most important advantages of container-managed authentication/authorization? How often does it still make sense? I mean restricting access to EJBs via the Principal and group-2-role mapping by the container is not that useful, if most of the time we're developing RESTful WEB apps and the UI should already know beforehand (before calling the EJB) what actions to display (and must be available) for a given logged-on user and which not?

Isn't it in fact easier to do the whole thing a level higher (Servlet), where (CDI) State, ServletFilters, Interceptors and UI frameworks are already available?

Background:
I am somewhat following the mailing lists of the security EG, specifically https://java.net/projects/servlet-spec/lists/users/archive/2016-04/message/35 and soteria, plus some other works in progress related to JSR375.

The difficulties involved by jumping between container-code and application-code, container-code and the necessary UI seem to be (at least to me) quite complex to both deliver (in terms of the JSR) and implement by the application developer, once Java EE 8 is ready.
In an ideal case it shouldn't be more difficult than deploying the necessary ServletFilter for KeyCloak and letting KeyCloak handle the rest. In other words, have something like KeyCloak embedded in the app server (or inside Java EE 8), complete with a (customizable, but otherwise ready-to-use) UI for login/registration/management and an API for the apps to rely on.

Hi Adam,

Many thanks for this great work.

  1. Please, are connection pools more reliable than CMP / application server data-sources in enterprise applications? Please, what is your best-practice advice as regards this?
  2. Please, are there times where running / exposing a web service on the plain JVM is more robust / better than on an application server, say WildFly or Payara ... ?

Hi Adam

in your JavaOne presentation you talked about using the automatic host resolution via Docker (example was using http://con:8080 and http://prod:8080) and you said you are using your local application server to develop and not dockerized instances, but what if you develop in two services at once. Do you just edit your host file every time to resolve the hosts if you are working in con and prod at the same time?

thank you

Adam,
could you tell us about your deployment pipeline? It's trivial to build Docker images on CI, but how do you update them in production? Do you ssh to the production servers or run a script already stored on the prod server?

Hi Adam, reposting this here as requested: Having the option between multiple Docker containers versus multiple payara-micro (java -jar payara-micro.jar --deploy blah.war) instances, which would be preferable? What do you lose/gain with each one? I had a requirement to use payara-micro inside Docker containers but figured I could as well just use payara-micro by itself. I just wanted to know your take on this. Thanks.

t-shaguy commented Oct 20, 2016

Hi Adam,

Please, which is better in a JEE project, Solr or Elasticsearch? The features I am looking at are robustness, extensiveness/customization and ease of use.

What is your advice on search engine development considering I am dealing with large data sets? I'm just wondering if I should go with Lucene, Elasticsearch or Solr.

Many thanks.

Owner

AdamBien commented Oct 21, 2016

Question from the field: why Java in Docker appears to consume more memory, than -Xmx?

Hi Adam, I'm from Brazil and I started following your work at your blog.

My question is what do you study, read and what are your references nowadays.

What do you recommend for building Java EE microservices with Docker, besides your on-demand workshops?

How to become a better Java EE developer?

Thank you!

Hi Adam,

  1. I wanted to ask whether ejb-jar.xml will "activate" the possibility for containers to handle EJBs. The reason for this is that we have a case where we package an EAR and inside the EAR is a JAR that is used as a JMX adapter, and the developers are prohibited from using EJBs since they will not work, even though we have the ejb-jar.xml! (The EAR is deployed in WebLogic Server.)

  2. What is your opinion on gRPC ? And does it make sense to be used in JEE for microservices?

Thank you!

rherschke commented Oct 27, 2016

Hi Adam,

in a project for a large and very security-affine client the question was raised how to "manage" security patches in Docker containers automatically. (E.g. there is a container that relies on a php:apache container, where security patches for PHP should be immediately installed for the application container.)

The reason is that neither the client nor we are capable of tracking all security patches that will come up in the future. So we're looking for an automated solution that periodically looks for updates of container images (and their parent images) and rebuilds and/or restarts the containers with the fetched image updates.

Is there any solution you could suggest?

Just restarting a container will fetch updates from the actual image, but this image will not be rebuilt automatically when a parent image (e.g. FROM centos:latest) changes.

Thx a lot + Regards,
Robert

mmonge commented Nov 1, 2016

Hello Adam,

I'm having a problem with a JAX-RS API, I have a resource called 'certificates' and a method (POST) generate, like this:

// ... package, imports and application/json
@Path("certificates")
public class CertificatesResource {
    // ... other injects and variables
    @Context
    UriInfo uriInfo;
    // ... other methods

    @POST
    public Response generate(@Valid PostCertificatePayload payload) {
        // ... some logic and persistence that yields the stored `certificate`
        // Build the Location from the request URI the container saw (the backend's own host)
        URI location = uriInfo.getAbsolutePathBuilder().path("/" + certificate.getId()).build();
        return Response.created(location).build();
    }

    // ... other methods
}

(Sorry for pasting code but I thought it was the easiest way.)

It works perfectly if I consume the service directly, but I need a balancer (currently a nginx proxy) and with the balancer, the Location header is the name of the server. Ex:

POST /api/resources/certificates/ HTTP/1.1
Host: nginx.localdomain

HTTP/1.1 201 Created
Server: nginx/1.10.1
Location: http://wildfly.localdomain:8080/api/resources/certificates/5eb377b3-c051-461c-b0f8-fcf3ec48f030

As you can see, the Location header points to the WildFly server, which is not accessible from the DMZ. What would be a nifty way to solve this? Currently I created a parameter in a table with the host that it should return (boring solution).

And even harder, I'm using APIMAN and it exposes a different Context Path. Ex:

POST /apiman-gateway/Organization/api/1.0/certificates/ HTTP/1.1
Host: apigw.localdomain

HTTP/1.1 201 Created
Server: nginx/1.10.1
Location: http://wildfly.localdomain:8080/api/resources/certificates/5eb377b3-c051-461c-b0f8-fcf3ec48f030

As you can see I need the Location header to be https://apigw.localdomain/apiman-gateway/Organization/api/1.0/certificates/5eb377b3-c051-461c-b0f8-fcf3ec48f030.

The final scenario is:

dmz-nginx -> dmz-apiman -> internal-nginx -> internal-wildfly

Have you encountered a scenario like this before? How do you solve the Location header problem?

Thank you and best regards,
Marvin M.
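One way to handle the Location problem from this thread on the application side is a JAX-RS response filter that rebuilds the header from the X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Prefix headers the edge proxy sets. This is an added example, not the poster's code; the internal context path "/api/resources", the header names and the assumption that only the proxy can reach the backend (so the headers cannot be forged by a client) are taken from the exchanges above or assumed.

```java
import java.net.URI;
import java.util.regex.Pattern;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;

// Rewrites the Location header of 201/3xx responses using the X-Forwarded-* headers
// set by the edge proxy. Assumption: the backend is reachable only through that proxy
// and the proxy overwrites (not appends to) these headers; otherwise a client could
// forge them and make the API emit a Location pointing at a host of its choosing.
@Provider
public class ForwardedLocationFilter implements ContainerResponseFilter {

    // Context path under which the backend itself serves the API (assumed from the thread).
    private static final String INTERNAL_CONTEXT = "/api/resources";
    // Only accept a plain host[:port]; anything else falls back to the original Location.
    private static final Pattern HOST = Pattern.compile("[A-Za-z0-9.-]+(:[0-9]{1,5})?");

    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext resp) {
        URI internal = resp.getLocation();
        if (internal == null) {
            return;
        }
        URI external = rewrite(internal,
                req.getHeaderString("X-Forwarded-Proto"),
                req.getHeaderString("X-Forwarded-Host"),
                req.getHeaderString("X-Forwarded-Prefix"));
        resp.getHeaders().putSingle(HttpHeaders.LOCATION, external.toString());
    }

    /** Pure mapping so it can be unit-tested without a container. Returns the input
     *  unchanged when the headers are absent or malformed (direct, non-proxied access). */
    static URI rewrite(URI internal, String proto, String host, String prefix) {
        if (host == null || !HOST.matcher(host).matches()) {
            return internal;
        }
        if (!"http".equals(proto) && !"https".equals(proto)) {
            proto = internal.getScheme();
        }
        String path = internal.getRawPath();
        if (path.startsWith(INTERNAL_CONTEXT)) {
            path = path.substring(INTERNAL_CONTEXT.length());
        }
        if (prefix != null && prefix.startsWith("/")) {
            path = prefix.replaceAll("/+$", "") + path;
        }
        String query = internal.getRawQuery() == null ? "" : "?" + internal.getRawQuery();
        return URI.create(proto + "://" + host + path + query);
    }
}
```

With X-Forwarded-Proto: https, X-Forwarded-Host: apigw.localdomain and X-Forwarded-Prefix: /apiman-gateway/Organization/api/1.0, the WildFly Location from the second exchange above becomes the https://apigw.localdomain/... URL the poster needs. The nginx in front has to set these headers (proxy_set_header X-Forwarded-Host $host; and so on) and strip any copies arriving from the client.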

sajjadG commented Nov 7, 2016

Hi Adam,

What is/are the approach(es) you take to secure your RESTful web services?

After a long struggle with Apache Shiro, I decided to get rid of it and write my own authentication and authorization annotations and use them for my micro web services.
But I'm not sure if I'm heading in the right direction. I wanted to ask an expert.
Thanks.

Owner

AdamBien commented Nov 7, 2016

@lightbend @AdamBien #microservices is not a goal. The goal is scalable dev process. For some companies mservices on top of #JavaEE are fine

— Lukasz Wachowicz (@vachacz) November 3, 2016

ggam commented Nov 7, 2016

Hi Adam,

When developing a REST application, what's your approach for deploying the (JS-based) UI? Do you put it in the same WAR? Create two separate WARs and deploy them to independent server instances? Just copy the JS app to the www folder of an Apache HTTP server?

Thanks!

dsoles79 commented Nov 7, 2016

Hi Adam,

My question is about JDBC vs ORM: almost every project or tutorial includes the use of an ORM (EclipseLink, Hibernate, Apache Cayenne), but what about the performance? The benefits from the developer's perspective are very clear. Maybe you recommend the use of an enhanced JDBC like Spring JDBC Template or Apache Commons DbUtils.

Thanks in advance.

Owner

AdamBien commented Nov 7, 2016

What does SERIALIZABLE mean in a transaction context?

csabee commented Nov 8, 2016

Just a small comment on "JDBC vs ORM" subject (after seeing the podcast):

We have worked on a huge statistical analysis system, where there were KPI graphs for the clients. One of the KPI graphs involved querying about 5-10M records from the database (it was a table with around 700M records). The select speed and transport to the application server was nothing (we had been using a very well-performing MS SQL server, and we only queried the table by the unique indexes): ~1-10 sec.

BUT: processing this amount of data was very slow on the JPA side (it doesn't matter if you are using Hibernate or EclipseLink), since it instantiates a huge number of objects through reflection. So using JDBC was the only option here if we wanted to process all those records in acceptable time. In my experience there is a record count that is the dividing line between JPA and JDBC. So if your queries return no more than 1000-10000 records, you can safely go with JPA. In any other case, rather use JDBC.

One of my previous colleagues had experience with querying more records, and he stated that above 250000 selected records it had a huge performance impact on Hibernate.
