Thursday, January 18, 2007

Updating the SpringBlog App from "Pro Spring" to Spring v2 and Hibernate v3.2

I've been refreshing my skills with Hibernate and Spring lately, and one of the activities I took upon myself was to update the SpringBlog application provided in the book Pro Spring from Apress.

Since the book was written in 2005, it is based on earlier releases of Spring (v1.1) and Hibernate (v2.1). As of January 2007, the current release of Spring is v2.02 and the current release of Hibernate is v3.2.

Here is a list of some of the upgrades I made to take advantage of improvements in Spring v2 and Hibernate v3:

  • Changed from declarative transaction to annotation-based transactional support

  • Modified the HibernateDAO classes so they do not rely on HibernateDaoSupport. The SessionFactory is injected via Spring.

I also had to make several changes due to runtime problems with the newer libraries. These may have worked in Spring v1.1 and Hibernate 2, but they didn't work for me with Spring v2 and Hibernate v3 without modification:

  • I had to create a new Comment class and copy the data from the incoming comment variable (which is really based on CommentForm). This is the exact same thing that the existing code in the class already had to do with EntryForm.

  • Hibernate*Dao.delete() -- The delete() method did not work for any of the domain classes. There were errors because you cannot create objects with null values in non-null properties, and therefore you couldn't delete those objects. So the technique used in the downloaded app doesn't work. Instead I had to perform a load() followed by a delete(). The book Java Persistence with Hibernate describes this type of logic in Section 9.3.1 (page 407).

  • I had to add a Filter based on the Spring class OpenSessionInViewFilter to my web.xml. The reasons it was necessary are described in this link on the Hibernate site.

  • Updated all package references to use the newer hibernate3 package provided in spring-hibernate3.jar.
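To make the two DAO-related changes above concrete, here is an added example of what a rewritten DAO looks like; it is not code from the book or from the SpringBlog download. The class name `HibernateEntryDao`, the simplified `Entry` domain class and the `userId` style details are assumptions; the real SpringBlog classes carry more properties and mappings. The Spring and Hibernate calls used (`@Transactional`, `SessionFactory.getCurrentSession()`, `Session.load()`, `Session.get()`, `Session.delete()`) are the standard Spring 2 / Hibernate 3.2 APIs.

```java
import java.io.Serializable;

import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.springframework.transaction.annotation.Transactional;

/**
 * Simplified stand-in for the SpringBlog Entry domain class (assumed).
 * In the real app the Hibernate mapping declares title as not-null, which is
 * exactly why a throw-away Entry with only its id set cannot be deleted.
 */
class Entry implements Serializable {
    private Long id;
    private String title;

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
}

/**
 * DAO that no longer extends HibernateDaoSupport. The SessionFactory is a
 * plain injected collaborator, and transactions come from @Transactional,
 * which needs <tx:annotation-driven transaction-manager="..."/> and a
 * HibernateTransactionManager bean in the Spring context.
 */
@Transactional
public class HibernateEntryDao {

    private final SessionFactory sessionFactory;

    // Constructor injection; Spring wires the LocalSessionFactoryBean product in.
    public HibernateEntryDao(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    // getCurrentSession() returns the Session bound to the Spring-managed
    // transaction; Spring 2's LocalSessionFactoryBean installs the
    // SpringSessionContext that makes this work.
    private Session session() {
        return sessionFactory.getCurrentSession();
    }

    @Transactional(readOnly = true)
    public Entry getById(Long id) {
        // get() returns null when the row does not exist.
        return (Entry) session().get(Entry.class, id);
    }

    public void save(Entry entry) {
        session().saveOrUpdate(entry);
    }

    /**
     * Delete by primary key using load() followed by delete(): the persistent
     * instance is fetched (as a proxy) and then removed, so the not-null
     * properties are never violated. load() throws ObjectNotFoundException for
     * a missing id; use getById() plus a null check if a missing row should be
     * ignored instead.
     */
    public void delete(Long id) {
        Entry persistent = (Entry) session().load(Entry.class, id);
        session().delete(persistent);
    }
}
```

The matching web-tier piece is the filter mentioned above: register `org.springframework.orm.hibernate3.support.OpenSessionInViewFilter` in web.xml so that lazy associations can still be initialised while the view renders, after the DAO's transaction has already committed.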

It took me several hours to get this working -- I hope these suggestions save others some time!

Monday, January 8, 2007

Ajax Security -- Changing the nature of the Attack Surface...

Jeremiah Grossman of Whitehat Security published an article titled Myth-Busting AJAX (In)security. In this article, he posed two interesting questions (with answers)...

Does AJAX cause a larger “Attack Surface”?

Does AJAX make the “Attack Surface” harder to find?
Yes and No.

Technically, I agree. But Ajax does in fact change the nature of the Attack Surface. In a traditional dynamic page-based web application, the application reacts to page-level HTTP requests with page-level responses, and each response is a full page rendered in HTML.

So although it was possible, those responses were not easy for a script to digest quickly unless the markup was tagged with explicit ids, names, or class identifiers.

With Ajax, the request/response chain behaves more like a set of API library function calls, which is what makes those endpoints more attractive. So security vulnerabilities like the one found in Gmail are easy to exploit and take advantage of.

To eliminate or minimize these types of problems, developers must treat every Ajax entry point as if it's a published and self-documented API function call. Assume that somebody, somewhere will figure out how to call your API out of context, and take steps to bring that risk as close to zero as possible.
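As an added illustration of "treat every Ajax entry point as a published API" (this is example code written for this post, not from the article or from any product), here is a servlet for a hypothetical comment-posting endpoint. Every check lives on the server, so the endpoint behaves identically whether it is invoked by the page's own script or by an out-of-context request: it requires an authenticated session, a per-session token carried in a custom header that an ordinary cross-site form post cannot supply, validated parameters, and only the POST method. The class name, the `userId` session attribute, the header name and the parameter names are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical Ajax endpoint: POST /ajax/addComment (mapping assumed). */
public class AddCommentAjaxServlet extends HttpServlet {

    static final String TOKEN_ATTR = "ajaxToken";      // session attribute (assumed name)
    static final String TOKEN_HEADER = "X-Ajax-Token"; // request header (assumed name)
    static final int MAX_BODY = 4000;

    /**
     * Called by the page-rendering code; creates one random token per session
     * and returns it so the page can embed it for its own XMLHttpRequest calls.
     */
    static String issueToken(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            token = new BigInteger(128, new SecureRandom()).toString(32);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    /** Compare without short-circuiting on the first differing byte. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
    }

    /** Input rules the "published API" contract promises to enforce. */
    static boolean validInput(String entryId, String body) {
        return entryId != null && entryId.matches("\\d{1,18}")
            && body != null && body.trim().length() > 0 && body.length() <= MAX_BODY;
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");

        // 1. Authentication: the call must come from a logged-in session.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Context: the caller must present the session's token in a custom
        //    header, which the page's own script sets and a foreign form cannot.
        if (!tokenMatches((String) session.getAttribute(TOKEN_ATTR), req.getHeader(TOKEN_HEADER))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Input: validate as if the parameters came from an unknown client.
        String entryId = req.getParameter("entryId");
        String body = req.getParameter("body");
        if (!validInput(entryId, body)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // ... persist the comment through the DAO layer (omitted) ...
        // entryId is digits-only, so it is safe to inline in the JSON literal.
        resp.getWriter().write("{\"ok\":true,\"entryId\":" + entryId + "}");
    }

    /** A state-changing call is POST-only; GET is refused outright. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

On the client side the page's script obtains the token from the rendered page and sends it with `XMLHttpRequest.setRequestHeader("X-Ajax-Token", token)`; the server never relies on the browser having done that, it simply refuses calls that did not.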

Friday, January 5, 2007

Where have all the programmers gone?

At the start of 2007, I thought I'd take a moment to look at Google statistics in Google Trends to review the search patterns for the term Java over the past year. There was concern at the beginning of 2006 that we were witnessing the end of the Java era. Based on the year-end graphs, it's not looking good for Java -- the pattern is showing a dramatic drop in early 2006 that has never recovered.

So where are all the Java programmers going? Maybe everybody is discovering the language/framework Ruby on Rails? According to the graph, Ruby is not picking up a lot of programmers (although Ruby is holding steady).

How about DotNet? Maybe Microsoft programmers are picking up all the lost Java souls? According to the graph, DotNet is also in decline.

And actually -- all major languages are in decline...

So the question remains...where have all the programmers gone? I spent a grand total of 15 minutes trying various keywords, and the trend was universal. After much head-scratching - I think I've found them!

Here's my theory...let's start by taking a look at the location of the top 10 "java" search regions...

1. India
2. Poland
3. Singapore
4. Romania
5. Czech Republic
6. Hong Kong
7. Slovakia
8. Slovenia
9. Colombia
10. Indonesia

And for completeness, here is the list of top 10 DotNet search regions. The countries are different, but the areas of the world are similar:

1. India
2. Singapore
3. South Africa
4. Pakistan
5. Viet Nam
6. Slovenia
7. Malaysia
8. Hong Kong
9. Japan
10. Czech Republic

Are you concerned too? Not a single country with English as a first language is in the top 10 Google Search Regions for the words "Java", "DotNet" or ".Net". My theory is that the programmers haven't left -- it's just that the bulk of programmers are now overseas and are simply performing searches in their native languages. One limitation of Google Trends is that it only covers the English language at this time.

Any evidence to support this theory? Let's take a closer look at Ruby -- what is interesting about Ruby is that it shows the least amount of decline of all the programming languages.

Top 10 regions for Ruby searches:

1. New Zealand
2. Ireland
3. Australia
4. United Kingdom
5. United States
6. Canada
7. Japan
8. Singapore
9. Philippines
10. Morocco

A large portion of the Ruby programmers are in English-speaking countries. Therefore the Google search patterns support the notion of a healthy English-speaking programming community.

Welcome to 2007 -- where it appears that English, and the United States, have lost their technology dominance in the eyes of the Internet world.

So where have all the programmers gone? Overseas.