Posts Tagged ‘j2ee architect’

Preparing for J2EE Architect Certification – Understanding Security

June 7th, 2011

In this post we will share some notes about security and cryptography for the J2EE architect certification.


Select from a list the security restrictions that Java 2 environments normally impose on applets running in a browser. The Java 2 security model is policy-based and has superseded the sandbox/trusted approach of Java 1.1. In Java 1.1, remote code (applets, for example) that was not trusted was constrained to the sandbox; if the remote code was signed and trusted, it could access local resources.

Cryptography, digital signatures and certificates can be used to increase the security of a system, and Java offers a number of interfaces for the related services. Firewalls are also important for protecting the gateway between trusted and untrusted networks.

Code Source: a combination of a set of signers (certificates) and a code base URL. By default, Java 2 uses a policy file to associate permissions with code sources.

Security Policy File: a permission is the right to access a protected resource or guarded object. In Java 2, permissions are specified in the security policy file, and only one policy is in effect at a time. A policy file consists of a number of grant entries; each grant entry describes the permissions (one or more) granted to a code source.

Policy class: you can use it to create your own security policy. The following are some of the classes in the package:

CodeSource – This class extends the concept of a codebase to encapsulate not only the location (URL) but also the certificate(s) that were used to verify signed code originating from that location.

KeyStore – This class represents an in-memory collection of keys and certificates. It manages keys and trusted certificates.

MessageDigest – The MessageDigest class provides applications the functionality of a message digest algorithm, such as MD5 or SHA.

Permission – Abstract class for representing access to a system resource.

Policy – This is an abstract class for representing the system security policy for a Java application environment (specifying which permissions are available for code from various sources).

ProtectionDomain – The ProtectionDomain class encapsulates the characteristics of a domain, which encloses a set of classes whose instances are granted the same set of permissions.

Security – Centralizes all security properties and common security methods.

Given an architectural system specification, identify appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.

Exposure to threats can be mitigated by using:

Authentication, Authorization (ACLs), Protecting Messages, Auditing

Web tier authentication (this is the usual location for authentication):

  • Basic HTTP – the web server authenticates a principal with a user name and password from the web client
  • Form-based – lets developers customize the authentication user
  • HTTPS mutual authentication – the client and server use X.509 certificates to establish identity over an SSL channel.
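As an added example (not code from the original post), the following Java program models how one grant entry of a policy file is evaluated: a CodeSource and a Permissions collection stand in for a "grant codeBase ..." entry, and CodeSource.implies together with Permissions.implies decide whether code loaded from a given location receives a requested permission. The GrantEntry and isGranted helpers and the /opt/app paths are hypothetical.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.List;

public class PolicyGrantDemo {

    /** Hypothetical helper: one grant entry = a code source scope plus the permissions it grants. */
    static final class GrantEntry {
        final CodeSource scope;                           // codeBase (no signedBy clause here)
        final PermissionCollection perms = new Permissions();

        GrantEntry(String codeBase) throws Exception {
            // A null certificate array means "no signer required", i.e. unsigned code matches too.
            this.scope = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        }
        GrantEntry add(Permission p) { perms.add(p); return this; }
    }

    /** Policy-style decision: granted only if some entry's scope implies the actual code source
     *  AND that entry's permission set implies the requested permission. */
    static boolean isGranted(List<GrantEntry> policy, CodeSource actual, Permission requested) {
        for (GrantEntry g : policy) {
            if (g.scope.implies(actual) && g.perms.implies(requested)) {
                return true;
            }
        }
        return false;                                     // default: no permission
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy, equivalent to the policy-file entry:
        //   grant codeBase "file:/opt/app/lib/-" {
        //       permission java.io.FilePermission "/opt/app/data/-", "read";
        //   };
        List<GrantEntry> policy = List.of(
            new GrantEntry("file:/opt/app/lib/-")
                .add(new FilePermission("/opt/app/data/-", "read")));

        CodeSource appJar = new CodeSource(URI.create("file:/opt/app/lib/app.jar").toURL(), (Certificate[]) null);
        CodeSource tmpJar = new CodeSource(URI.create("file:/tmp/untrusted.jar").toURL(), (Certificate[]) null);
        Permission readData = new FilePermission("/opt/app/data/report.csv", "read");

        // "/-" in the codeBase covers everything below lib/, so app.jar matches and code from /tmp does not.
        System.out.println("app.jar read data:   " + isGranted(policy, appJar, readData));   // true
        System.out.println("untrusted read data: " + isGranted(policy, tmpJar, readData));   // false

        // Same trusted code source, but actions the entry never granted: still denied.
        System.out.println("app.jar write data:  "
            + isGranted(policy, appJar, new FilePermission("/opt/app/data/report.csv", "write"))); // false
        System.out.println("app.jar connect:     "
            + isGranted(policy, appJar, new SocketPermission("example.com:443", "connect")));      // false
    }
}
```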

Preparing for J2EE Architect Certification – EJB

March 3rd, 2011

Note: This could be a pretty old post, as I am pasting from my notes and this is an old version.

EJB (Enterprise JavaBeans)


1. List the required classes/interfaces that must be provided for an EJB.
2. Distinguish stateful and stateless Session beans
3. Distinguish Session and Entity beans
4. Recognize appropriate uses for Entity, Stateful Session, and Stateless Session beans
5. State benefits and costs of Container Managed Persistence
6. State the transactional behavior in a given scenario for an enterprise bean method with a specified transactional attribute as defined in the deployment descriptor
7. Given a requirement specification detailing security and flexibility needs, identify architectures that would fulfill those requirements
8. Identify costs and benefits of using an intermediate data-access object between an entity bean and the data resource
9. State the benefits of bean pooling in an EJB container
10. State the benefits of passivation in an EJB container
11. State the benefit of monitoring of resources in an EJB container
12. Explain how the EJB container does lifecycle management and has the capability to increase scalability


Java Enterprise in a Nutshell, Flanagan, Farley, Crawford & Magnusson, O'Reilly
Mastering Enterprise JavaBeans, Ed Roman
Enterprise JavaBeans, 3rd Edition, Monson-Haefel

OBJECTIVE #1: List the required classes/interfaces that must be provided for an EJB.


For all types of EJBs, you need to provide three Java interfaces/classes to fully describe the EJB to an EJB container:

1. The HOME INTERFACE, which takes the form:

import javax.ejb.*;
import java.rmi.RemoteException;

public interface MyHomeInterface extends EJBHome {
    // create methods on a remote home must declare CreateException and RemoteException
    public MyRemoteInterface create() throws CreateException, RemoteException;
}

2. The REMOTE INTERFACE, which takes the form:

import javax.ejb.*;
import java.rmi.RemoteException;

public interface MyRemoteInterface extends EJBObject {
    // business method definitions – all of which can throw
    // a RemoteException
}

3. The BEAN CLASS itself, which takes two forms:

For Session Beans:

import javax.ejb.*;
import java.rmi.RemoteException;

public class MyBean implements SessionBean {
    // required container callback methods
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public void setSessionContext(SessionContext ctx) {}

    // business method implementations
}


SCEA Certification Practice test – Part 1

January 29th, 2011

The SCEA architect certification (Part 1), CX 310-052, consists of objective questions and answers on various topics like security, design patterns, EJB etc. There is a practice test on Part 1:

SCEA Certification Practice test

Apart from this test, you will find other related tests which will help you prepare for the SCEA.

There is another test for design patterns: Design pattern practice test

One test on EJB: Enterprise java bean – EJB quiz

JSP and Servlet Quiz


What is asymmetric clustering – Part 1

January 9th, 2011

Symmetric and asymmetric clustering is one of the very important topics in the SCEA. In this post, we will talk about asymmetric clustering.

Traditional J2EE application servers work well for a large class of applications. This class can broadly be categorized as applications that run in a stateless cluster in front of a database. I call this a symmetric cluster:

– All the cluster members can perform any task at any time.

– The application is stateless.

– The application is modal which means it only performs work synchronously in response to a client request which can be received using HTTP/IIOP or JMS.

There are other applications that do not work well in such an environment, for example, an electronic trading system in a bank. Such applications typically use tricks that can greatly improve performance such as partitioning, multi-threading and write through caching. These are applications that can exploit asymmetric clustering. An asymmetric cluster is practically the opposite of a symmetric cluster:

– an application can declare named partitions at any point while it is running

– partitions are highly available uniquely named singletons and run on a single cluster member at a time

– incoming work for a partition is routed to the cluster member hosting the partition

– The application is amodal. Partitions have a lifecycle of their own and can start background threads/alarms as well as respond to incoming events whether they are IIOP/HTTP or JMS/foreign messages.

WebSphere XD offers a new set of programming APIs called the "Partitioning Facility". These APIs allow applications that require an asymmetric cluster to be deployed on a J2EE server for the first time, to my knowledge.

How can partitioning improve application performance?


J2EE Architect Study material

January 9th, 2011

In the last post I had written about SCEA – Sun Certified J2EE Architect certification topics and J2EE architect sample questions.

Based on my experience studying for and taking the part 1 of the certification, here is what I would suggest that you read before taking the exam. You could skip a couple of the following references and still pass (don’t skip the EJBs though).

Material: Enterprise JavaBeans, 2nd Ed., by Richard Monson-Haefel, O'Reilly, ISBN: 1-56592-869-5
Usage: Read chapters 1 – 9 and discuss in a study group. Cover around 50 – 60 pages per week. While this book is pretty good, it goes into more detail than I think you need in order to pass part 1. If you can find a more concise introduction to EJBs, you may be able to spend less time studying EJBs. Some chapters are interesting in this book while others seem very dry to me (however, still useful). Forming a study group will really help you get through this book and help you retain what you learn.

Material: EJB 1.1 Specification
Usage: Reference from time to time while reading the EJB book by Haefel for clarification.

Material: Java Messaging Service Tutorial, Chapters 1 & 2 (15 pages total)
Usage: Good intro to JMS and just about right for what you need on the exam.

Material: Fault Tolerance for CORBA-based Distributed Computing
Usage: Nice short article that gives you the concepts.

Material: Jguru article on Internationalization
Usage: Just about right for the exam. However, someone said that there was a pretty good tutorial on Sun's website. You might try Sun's tutorial first. While pretty good, I thought this article wasn't as clear as it could have been. However, it is about the right amount for the test.

Material: Network Security: A Simple Guide to Firewalls
Usage: Easy to read and short article that introduces the concepts and terms of firewalls. Another article on firewalls in addition to or instead of this one would be useful. However, I don't know of any others.

Material: JavaWorld article on RMI over IIOP
Usage: Pretty good, but you might check for a related tutorial on Sun's website instead.

Material: Java Security Evolution and Concepts, Part 1 and Part 2
Usage: From my experience on the exam, you just need to know very basic concepts and terminology about encryption and security in general as well as something about the JDK 1.2 security model and possibly the difference between the JDK 1.1 and JDK 1.2 security models. You might want to read another article about JDK security. However, I don't have any other references.

Material: Introduction to SSL
Usage: I'm not sure this one is necessary. Consider skipping this one. I don't recall any questions specifically about SSL on the exam, but other people's exam notes often include SSL, suggesting that you might get a question on it.

Material: The book Design Patterns by Gamma, Helm, Johnson and Vlissides (often referred to as the Gang of Four (GoF)), Addison-Wesley
Usage: Do not try to read this book front to back. I recommend reading roughly the first four pages of each pattern, and that may be more than you need for the test. The questions were very basic, straightforward questions about the easier-to-remember patterns such as singleton, proxy and iterator. We covered 5 patterns per week, discussing all five patterns in one hour. We used the rest of the meeting time to do practice exam questions on other topics. In order to touch on 5 patterns in an hour, someone needs to come prepared with discussion questions and lead the discussion with quite a bit of authority without being overbearing. The goal during the meeting is not to discuss each pattern in detail, but to at least touch on each one briefly. The primary benefit of the study group is that it encourages you to read about the 5 patterns on your own time because you know that you are going to come and discuss it. You get the most benefit from the reading. The meeting just encourages you to read and also helps you retain what you learned.

Material: The Design Patterns Java Companion
Usage: This book illustrates the GoF patterns with implementations in Java. Skim through the sections in this book on any patterns that aren't really clear to you after reading about them in the GoF. However, don't spend too much time on this book. Use it as a reference only.

Material: UML Distilled
Usage: Read the front and back covers and skim through as much of the book as necessary to understand how the notation on the front and back covers of the book is used.

J2EE Architect Certification sample questions

January 9th, 2011

These are examples of actual questions from the J2EE Architect certification test, as best as I could remember them a couple of hours after taking the exam. I don't have the exact multiple choice options in most cases, but the following questions should give you some idea of how well you need to know at least some of the topic areas. The questions were easier than I had expected for the most part. The questions mostly tested your understanding of terms and concepts at a high level.

There is another test with 22 questions, the J2EE Architect Certification Practice Test, which is similar to what you take in Part 1.

The test will tell you how many correct answers there are for each question, and the software will let you know if you provide more or fewer answers than the expected amount. The structure of the multiple choice test was helpful and made the test a little easier. There are 48 questions on the test and you have 90 minutes to complete the test. I finished with 20 minutes to spare and spent the extra time going over my answers. The software allows you to skip questions and also mark questions. After answering question 48, you get a display showing the questions that you have skipped, those that are incomplete because you didn't provide as many answers as expected, as well as questions that you have marked. You can then revisit any of the questions. The software also always displays the amount of time you have remaining.

Question: Where is JNDI used in JMS?
My answer: It is used to look up several of the key objects in the JMS model.

Question: What pattern does JDBC ResultSet implement?
My answer: Iterator

Question: What aspect of firewalls affects the ability of various protocols to get through? Three of the possible answers were: port filtering, address filtering and address translation.
My answer: Not sure what the right answer is. Let me know if you have an answer and please give me a reference where I can find documentation that supports the answer.

Question: What 2 services do EJBs provide? Three of the 4 options were: life cycle management, transaction services, remote method invocation.
My answer: I believe the answer is life-cycle management and transaction services. EJBs do provide remote access, but it isn't considered a service.

Question: Where would encryption be necessary in a scenario where a buyer and a seller used a web browser to buy and sell items on the web and credit card info was verified by a separate system? Items being sold are stored in a database. Select 2 of the three possible places: between buyer and server, seller and server, server and credit card authority.
My answer: Wherever credit card info is passed, which is from buyer to system/database and between system and credit card authority. I don't recall anything more specific than this being asked about encryption. Some questions that I can't remember in detail required knowledge of the JDK security model, and I believe it touched on the differences between the JDK 1.1 and JDK 1.2 security models.

Question: What aspects of a system vary by locale?
My answer: String formats, dates, the order that things are sorted, how currency is displayed.

Question: What kind of operations should be performed in ejbPassivate and ejbActivate on a stateful EJB?
My answer: Free/restore connections to resources.

One question tested my understanding of EJB transaction attributes (not supported, supported, required, requires new, etc.).
One question required understanding of a Handle object relative to EJBs.

J2EE Architect Certification Topics

January 9th, 2011

In this next series of posts, I will post tons of articles and notes on Sun's J2EE architect certification (SCEA). I had taken this exam way back in 2005. I could not find the study materials until a few days back. Now I am posting this stuff and, although this might have gone through an upgrade, it still could be useful.

The following topic areas are not how Sun breaks it out. Rather, it is how I would break it out in terms of the topics that you need to study. At least 16 out of the 48 questions on the exam when I took it were related to EJBs. There were between 2 and 5 questions on all other topic areas.

Architecture Concepts and Terms: General stuff like what affects scalability, maintainability, availability. Also, things like HTTP tunneling and screen scrapers.
Clustering: You need to know what clustering is in general and what quality attributes (e.g. scalability, maintainability, etc.) it affects. I have a general idea what clustering is, but I didn't read anything on clustering and probably got a question or two wrong as a result.
Security: Need to know very basic/general terms and concepts about encryption. Also need to understand the JDK 1.2 and possibly JDK 1.1 security model.
UML: Had 3 or 4 very simple questions about UML notation and terminology. The questions were about class diagram notation and sequence diagram notation. Very basic. You don't need to read a whole book or even most of a book to get these right. Just review a summary of UML notation such as the front and back pages of the UML Distilled book.
Patterns: Very straightforward questions about the purpose of simple patterns such as iterator, singleton and proxy.
Protocols: Requires general understanding of SHTML, IIOP, RMI-IIOP.
JMS: Very basic questions that had to do with what JMS is good for and terms such as publish/subscribe, topics, queues, point-to-point, asynchronous.
Firewalls/DNS Round-Robin: Need to understand a little bit about how firewalls and DNS round-robin relate, as well as what might happen in different scenarios involving a client trying to access some resource through a firewall on a given IP address and port number, considering what the firewall is configured to allow/disallow and what kind of firewall it is.

Visitor Design Pattern

January 9th, 2011



Sometimes we have multiple operations that need to be implemented on a structure of objects. Traditionally we would have each of the objects derive from a base class that declares each of the operations, and then override the operations to implement them. This becomes a problem if the operations are different in nature, or if the number of operations exceeds the number of different subclasses in the tree. How can we overcome this problem?


The solution is the visitor pattern. In the visitor pattern, each object class in the structure has only one method, AcceptVisitor(), which takes a visitor as a parameter. A visitor is an implementation of a particular operation and has a method for each of the class types in the structure. The object in the structure calls the appropriate method on the visitor. For example, if a tree structure contains two types of classes, Foo and Fib, then when we want to perform a function on them we pass down a visitor that implements the function; nodes of type Foo call the VisitedFoo() method on the visitor, which implements the function for objects of type Foo.


It is easy to add operations: simply derive a new visitor class.

However, it is hard to add new class types to the structure, since you need to change both the visitor base class and all of its subclasses to accommodate the change.

Example of visitor design pattern
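The Foo/Fib structure described above, as an added Java example that is not part of the original post: acceptVisitor() and visitedFoo()/visitedFib() mirror the AcceptVisitor() and VisitedFoo() names used in the text, while CountVisitor and SumVisitor are two hypothetical operations added without touching the node classes.

```java
import java.util.ArrayList;
import java.util.List;

public class VisitorDemo {

    /** One method per concrete node type; adding a node type means changing every visitor. */
    interface Visitor {
        void visitedFoo(Foo foo);
        void visitedFib(Fib fib);
    }

    /** Every node in the structure exposes only acceptVisitor(). */
    interface Node {
        void acceptVisitor(Visitor v);
    }

    /** Inner node: holds children and forwards the visitor to them. */
    static final class Foo implements Node {
        final String name;
        final List<Node> children = new ArrayList<>();
        Foo(String name) { this.name = name; }
        public void acceptVisitor(Visitor v) {
            v.visitedFoo(this);                          // double dispatch: node selects the visitor method
            for (Node c : children) c.acceptVisitor(v);  // then walks the subtree with the same visitor
        }
    }

    /** Leaf node carrying an integer value. */
    static final class Fib implements Node {
        final int n;
        Fib(int n) { this.n = n; }
        public void acceptVisitor(Visitor v) { v.visitedFib(this); }
    }

    /** Operation 1: count nodes per type. Adding it required no change to Foo or Fib. */
    static final class CountVisitor implements Visitor {
        int foos, fibs;
        public void visitedFoo(Foo foo) { foos++; }
        public void visitedFib(Fib fib) { fibs++; }
    }

    /** Operation 2: sum the Fib values, ignoring Foo nodes entirely. */
    static final class SumVisitor implements Visitor {
        int total;
        public void visitedFoo(Foo foo) { /* nothing to sum on a Foo */ }
        public void visitedFib(Fib fib) { total += fib.n; }
    }

    public static void main(String[] args) {
        Foo root = new Foo("root");                  // constructed sample tree: root -> {Fib(3), branch -> {Fib(5)}}
        Foo branch = new Foo("branch");
        root.children.add(new Fib(3));
        root.children.add(branch);
        branch.children.add(new Fib(5));

        CountVisitor count = new CountVisitor();
        root.acceptVisitor(count);
        System.out.println(count.foos + " Foo, " + count.fibs + " Fib");  // 2 Foo, 2 Fib

        SumVisitor sum = new SumVisitor();
        root.acceptVisitor(sum);
        System.out.println("sum of Fib values: " + sum.total);           // 8
    }
}
```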
