In this post we will share some notes about Security. Cryptography in J2ee architect Certification .

Security

Select from a list security restrictions that Java 2 environments normally impose on applets running in a browser. The Java 2 security model is policy-based and has superseded the sandbox/trusted approach of Java 1.1. In Java 1.1 remote code (applets, for example) that was not trusted was constrained to the sandbox. If the remote code was signed and trusted then it could access local resources.

Cryptography, Digital signatures and Certificates can be used to increase the security of a system. Java offers a number of interfaces for related services. Firewalls are also important for protecting the gateway between trusted and untrusted networks.

Code Source:A combination of a set of signers (certificates) and a code base URL.By default, Java 2 uses a policy file to associate permissions with code sources

Security Policy File: permission is the right to access a protected resource or guarded object. For Java 2 permissions are specified in the security policy file. Only one policy is in effect at a time. A policy file consists of a number of grant entries. Each grant entry describes the permissions (one or multiple) granted to a code source.

Policy class: You can use java.security.Policy to create your own security policy.

java.security package : The following are some of the classes in the java.security package:

CodeSource – This class extends the concept of a codebase to encapsulate not only the location (URL) but also the certificate(s) that were used to verify signed code originating from that location.

KeyStore – This class represents an in-memory collection of keys and certificates. It manages keys and trusted certificates.

MessageDigest – The MessageDigest class provides applications the functionality of a message digest algorithm, such as MD5 or SHA.

Permission – Abstract class for representing access to a system resource.

Policy – This is an abstract class for representing the system security policy for a Java application environment (specifying which permissions are available for code from various sources).

ProtectionDomain – The ProtectionDomain class encapulates the characteristics of a domain, which encloses a set of classes whose instances are granted the same set of permissions.

Security – Centralizes all security properties and common security methods.

Given an architectural system specification, identify appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.

Exposure to threats can be mitigated by using:

Authentication, Authorization (ACLs), Protecting Messages, Auditing

Web tier authentication (This is the usual location for this)

• Basic HTTP – the web server authenticates a principal with user name & password from Web client
• Form-based – lets developers customize the authentication user
• HTTPS mutual authentication – the client and server use X.509 certificates to establish identity over a SSL channel. Read more…

If you are planning to take any of the Sun or mysql certification exams after June 1, it is important for you to understand that Prometric will no longer be conducting the tests. Oracle has switched to Pearson VUE

From Oracle’s website

Effective June 1, 2011, Java, Oracle Solaris, MySQL, and NetBeans certification exams will be offered through a new test delivery partner – Pearson VUE – and will no longer be available through Prometric.

This will consolidate all Oracle Certification exams within the operations of a single testing vendor so we can provide better service and global testing coverage for these Oracle certification exams. Pearson VUE currently has over 5,000 test centers worldwide in 165 countries.

To help prepare you for this transition, here are some important dates for you to be aware of:

• If you are planning to take an exam on/after June 1: Registration will begin at Pearson VUE on May 16, 2011 for all scheduled exams on or after June 1. Visit pearsonvue.com/oracle on or after this date to create a new web account and get started.
• If you are currently registered to take an exam with Prometric or planning to take an exam on or before May 31: You can continue to register at Prometric through May 23, 2011 (walk-in registrations will be permitted through May 31, 2011), but you must complete your exam by June 1, 2011.

If you currently have a Sun or Oracle exam voucher or exam retake voucher:All vouchers will still be valid through their original expiration date and will be redeemable with Pearson VUE starting on May 16, 2011.

Full announcement can be viewed here

For users  who have been taking the Spring certification practice tests 1 and  Spring certification practice tests 2 at skill-guru  have raise the concern that

We have contacted the creator of these tests Ikoko , and he has clarified thatthe Spring documentation for the exam syllabus has changed (improved) since he had created the exam so the tests now appear to be different to the syllabus

The historical documentation and support for the certification has been poor from Spring and might even be incorrect.

he also pointed out that Skill-guru test-takers basing their opinions on the Spring documentation and not actually doing the Spring exam are therefore possibly misled by the official documentation

From Ikoko’s email

I sat both the 2.5 exam and 3.0 exam so have experienced both exams first-hand and have been keen to keep my exams accurate based on real exam-experience and not any vague syllabus published by Spring

Having said all, this at a higher topic level I only noticed the category of SpEL (Spring expression language) being a category in my tests that was not in the offical syllabus. I had 1 SpEL question in test 1, and 2 questions in test 2. I have now removed all three questions.

Hope  this clarifies the doubt of our readers and thanks to MaggieL and Shane Mannion for pointing this out

Symmetric and asymmetric clustering is one of the very important topics in SCEA. In this post , we will talk about asymmetric clustering.

Traditional J2EE application servers work well for a large class of applications. This class can broadly be categorized as applications that run in a stateless cluster in front of a database. I call this a symmetric cluster:

- All the cluster members can perform any task at any time.

- The application is stateless.

- The application is modal which means it only performs work synchronously in response to a client request which can be received using HTTP/IIOP or JMS.

There are other applications that do not work well in such an environment, for example, an electronic trading system in a bank. Such applications typically use tricks that can greatly improve performance such as partitioning, multi-threading and write through caching. These are applications that can exploit asymmetric clustering. An asymmetric cluster is practically the opposite of a symmetric cluster:

- applications can declare named partitions at any point while it’s running

- partitions are highly available uniquely named singletons and run on a single cluster member at a time

- incoming work for a partition is routed to the cluster member hosting the partition

- The application is amodal. Partitions have a lifecycle of their own and can start background threads/alarms as well as respond to incoming events whether they are IIOP/HTTP or JMS/foreign messages.

WebSphere XD offers a new set of programming API’s called the “Partitioning Facility”. These APIs allow applications that require an asymmetric cluster to be deployed on a J2EE server for the first time to my knowledge.

How can partitioning improve application performance? Read more…

In the last post I had written about SCEA – Sun certified J2EE Architect certification topics and  J2EE architect sample questions.

Based on my experience studying for and taking the part 1 of the certification, here is what I would suggest that you read before taking the exam. You could skip a couple of the following references and still pass (don’t skip the EJBs though).

These are example of actual questions from the J2EE Architect certification test as best as I could remember them a couple of hours after taking the exam. I don’t have the exact multiple choice options in most cases, but the following questions should give you some idea how well you need to know at least some of the topic areas. The questions were easier than I had expected for the most part. The questions mostly tested your understanding of terms and concepts at a high level.

There is another test with 22 questions J2EE Architect Certification Practice Test which is similar to what you take in Part 1

The test will tell you how many correct answers there are for each question, and the software will let you know if provide more or less answers than the expected amount. The structure of the multiple choice test was helpful and made the test a little easier. There are 48 questions on the test and you have 90 minutes to complete the test. I finished with 20 minutes to spare and spent the extra time going over my answers. The software allows you to skip questions and also mark questions. After answering question 48, you get a display showing the questions that you have skipped, are incomplete because you didn’t provide as many answers as expected, as well as questions that you have marked. You can then revisit any of the questions. The software also always displays the amount of time you have remaining.

In this next series of posts, I will post tons of articles and notes on Sun’s J2EE architect certification (SCEA). I had taken this exam way back in 2005 . I could not find the study materials until few days back. Now I am posting this stuff and although this might have gone under upgrade, it still could be useful.

The following topic areas are not how Sun breaks it out. Rather, it is how I would break it out in terms of the topics that you need to study. At least 16 out of the 48 questions on the exam when I took it where related to EJBs. There were between 2  and 5 questions on all other topic areas.

Visitor Design Pattern

Problem

Sometimes we have multiple operations that need to be implemented on a structure of objects. Traditionally we would implement each of the objects to derive of a base class with each of the operations, and then override the operations to implement them. This can be a problem if the operations are different in nature, as well as if the number of operations exceeds the number of different subclasses in the tree. How can we overcome this problem?

Solution

The solution is the visitor pattern. The visitor pattern has each object class in the structure only has one method called AcceptVisitor() which takes a visitor class as a parameter. A visitor is an implementation of a particular operation, and has methods for each of the class types in the structure. The object in the structure calls its appropriate method on the visitor. For example, if a tree structure contained two types of classes, Foo and Fib. Then when we wanted to perform a function on them we pass down a visitor that implements the function, and nodes of type Foo call the VisitedFoo() function on the visitor, which implements the function for objects of type Foo

Consequences

It is easy to add operations, simply derive anew visitor class.

However, it is hard to add new class types to the structure, since you need to change both the base class and all subclasses of the visitors for the change.