In this post we will share some notes about Security. Cryptography in J2ee architect Certification .

Security

Select from a list security restrictions that Java 2 environments normally impose on applets running in a browser. The Java 2 security model is policy-based and has superseded the sandbox/trusted approach of Java 1.1. In Java 1.1 remote code (applets, for example) that was not trusted was constrained to the sandbox. If the remote code was signed and trusted then it could access local resources.

Cryptography, Digital signatures and Certificates can be used to increase the security of a system. Java offers a number of interfaces for related services. Firewalls are also important for protecting the gateway between trusted and untrusted networks.

Code Source:A combination of a set of signers (certificates) and a code base URL.By default, Java 2 uses a policy file to associate permissions with code sources

Security Policy File: permission is the right to access a protected resource or guarded object. For Java 2 permissions are specified in the security policy file. Only one policy is in effect at a time. A policy file consists of a number of grant entries. Each grant entry describes the permissions (one or multiple) granted to a code source.

Policy class: You can use java.security.Policy to create your own security policy.

java.security package : The following are some of the classes in the java.security package:

CodeSource – This class extends the concept of a codebase to encapsulate not only the location (URL) but also the certificate(s) that were used to verify signed code originating from that location.

KeyStore – This class represents an in-memory collection of keys and certificates. It manages keys and trusted certificates.

MessageDigest – The MessageDigest class provides applications the functionality of a message digest algorithm, such as MD5 or SHA.

Permission – Abstract class for representing access to a system resource.

Policy – This is an abstract class for representing the system security policy for a Java application environment (specifying which permissions are available for code from various sources).

ProtectionDomain – The ProtectionDomain class encapulates the characteristics of a domain, which encloses a set of classes whose instances are granted the same set of permissions.

Security – Centralizes all security properties and common security methods.

Given an architectural system specification, identify appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.

Exposure to threats can be mitigated by using:

Authentication, Authorization (ACLs), Protecting Messages, Auditing

Web tier authentication (This is the usual location for this)

• Basic HTTP – the web server authenticates a principal with user name & password from Web client
• Form-based – lets developers customize the authentication user
• HTTPS mutual authentication – the client and server use X.509 certificates to establish identity over a SSL channel. Read more…

Note: This could be pretty old post as I am pasting from my notes and this is an old version.

EJB (Enterprise JavaBeans)

Objectives:

1. List the required classes/interfaces that must be provided for an EJB.
2. Distinguish stateful and stateless Session beans
3. Distinguish Session and Entity beans
4. Recognize appropriate uses for Entity, Stateful Session, and Stateless Session beans
5. State benefits and costs of Container Managed Persistence
6. State the transactional behavior in a given scenario for an enterprise bean method with a specified transactional attribute as defined in the deployment descriptor
7. Given a requirement specification detailing security and flexibility needs, identify architectures that would fulfill those requirements
8. Identify costs and benefits of using an intermediate data-access object between an entity bean and the data resource
9. State the benefits of bean pooling in an EJB container
10. State the benefits of passivation in an EJB container
11. State the benefit of monitoring of resources in an EJB container
12. Explain how the EJB container does lifecycle management and has the capability to increase scalability

References:

Java Enterprise In a Nutshell, Flanagan, Farley, Crawford, & Magnusson, O’Reilly
Mastering Enterprise JavaBeans, Ed Roman,
EJB Enterprise JavaBeans 3rd Edition, Monson-Haefel

OBJECTIVE #1: List the required classes/interfaces that must be provided for an EJB.

SOLUTION:

For all types of EJBs, you need to provide three Java interfaces/classes to fully describe the EJB to an EJB container:

1. The HOME INTERFACE which takes the form:

import javax.ejb.*;
import java.rmi.RemoteException;

public interface MyHomeInterface extends EJBHome
{
public MyRemoteInterface create()
throws RemoteException;
….
}

2. The REMOTE INTERFACE which takes the form:

import javax.ejb.*;
import java.rmi.RemoteException;

public interface MyRemoteInterface extends EJBObject
{
// business method definitions – all of which can throw
// a RemoteException
}

3. The BEAN CLASS itself, which takes two forms:

For Session Beans:

import javax.ejb.*;
import java.rmi.RemoteException;

public class MyBean implements SessionBean
{
// required methods
public void ejbCreate() {}
public void ejbRemove() {}
public void ejbActivate() {}
public void ejbPassivate() {}
public void setSessionContext() {}

// business method implementations
} Read more…

SCEA architect Certification (Part 1) CX 310-052 consists of objective questions and answers on various topics like security, Design patterns , EJb etc. There is practice test on part 1

SCEA Certification Practice test

Apart from this test, you will find other related tests which will will help you in preparation for SCEA.

There is another tests for Design patterns Design pattern practice test

One test on EJB, Enterprise java bean – EJB quiz

JSP and Servlet Quiz Read more…

Symmetric and asymmetric clustering is one of the very important topics in SCEA. In this post , we will talk about asymmetric clustering.

Traditional J2EE application servers work well for a large class of applications. This class can broadly be categorized as applications that run in a stateless cluster in front of a database. I call this a symmetric cluster:

- All the cluster members can perform any task at any time.

- The application is stateless.

- The application is modal which means it only performs work synchronously in response to a client request which can be received using HTTP/IIOP or JMS.

There are other applications that do not work well in such an environment, for example, an electronic trading system in a bank. Such applications typically use tricks that can greatly improve performance such as partitioning, multi-threading and write through caching. These are applications that can exploit asymmetric clustering. An asymmetric cluster is practically the opposite of a symmetric cluster:

- applications can declare named partitions at any point while it’s running

- partitions are highly available uniquely named singletons and run on a single cluster member at a time

- incoming work for a partition is routed to the cluster member hosting the partition

- The application is amodal. Partitions have a lifecycle of their own and can start background threads/alarms as well as respond to incoming events whether they are IIOP/HTTP or JMS/foreign messages.

WebSphere XD offers a new set of programming API’s called the “Partitioning Facility”. These APIs allow applications that require an asymmetric cluster to be deployed on a J2EE server for the first time to my knowledge.

How can partitioning improve application performance? Read more…

In the last post I had written about SCEA – Sun certified J2EE Architect certification topics and  J2EE architect sample questions.

Based on my experience studying for and taking the part 1 of the certification, here is what I would suggest that you read before taking the exam. You could skip a couple of the following references and still pass (don’t skip the EJBs though).

These are example of actual questions from the J2EE Architect certification test as best as I could remember them a couple of hours after taking the exam. I don’t have the exact multiple choice options in most cases, but the following questions should give you some idea how well you need to know at least some of the topic areas. The questions were easier than I had expected for the most part. The questions mostly tested your understanding of terms and concepts at a high level.

There is another test with 22 questions J2EE Architect Certification Practice Test which is similar to what you take in Part 1

The test will tell you how many correct answers there are for each question, and the software will let you know if provide more or less answers than the expected amount. The structure of the multiple choice test was helpful and made the test a little easier. There are 48 questions on the test and you have 90 minutes to complete the test. I finished with 20 minutes to spare and spent the extra time going over my answers. The software allows you to skip questions and also mark questions. After answering question 48, you get a display showing the questions that you have skipped, are incomplete because you didn’t provide as many answers as expected, as well as questions that you have marked. You can then revisit any of the questions. The software also always displays the amount of time you have remaining.

In this next series of posts, I will post tons of articles and notes on Sun’s J2EE architect certification (SCEA). I had taken this exam way back in 2005 . I could not find the study materials until few days back. Now I am posting this stuff and although this might have gone under upgrade, it still could be useful.

The following topic areas are not how Sun breaks it out. Rather, it is how I would break it out in terms of the topics that you need to study. At least 16 out of the 48 questions on the exam when I took it where related to EJBs. There were between 2  and 5 questions on all other topic areas.

Visitor Design Pattern

Problem

Sometimes we have multiple operations that need to be implemented on a structure of objects. Traditionally we would implement each of the objects to derive of a base class with each of the operations, and then override the operations to implement them. This can be a problem if the operations are different in nature, as well as if the number of operations exceeds the number of different subclasses in the tree. How can we overcome this problem?

Solution

The solution is the visitor pattern. The visitor pattern has each object class in the structure only has one method called AcceptVisitor() which takes a visitor class as a parameter. A visitor is an implementation of a particular operation, and has methods for each of the class types in the structure. The object in the structure calls its appropriate method on the visitor. For example, if a tree structure contained two types of classes, Foo and Fib. Then when we wanted to perform a function on them we pass down a visitor that implements the function, and nodes of type Foo call the VisitedFoo() function on the visitor, which implements the function for objects of type Foo

Consequences

It is easy to add operations, simply derive anew visitor class.

However, it is hard to add new class types to the structure, since you need to change both the base class and all subclasses of the visitors for the change.