Recipe: Scamboli

Posted on March 4, 2009 by Tim Garrett | Permalink 3

Here’s a new category to keep things lively.  This recipe is great!

Scamboli

Ingredients:
-2 loaves of frozen bread dough, thawed
-2 eggs
-1/2 cup vegetable oil
-1/2 tsp salt
-1/2 tsp garlic powder
-1/2 lb pepperoni
-1/2 lb ham
-1/2 tsp oregano
-1/2 tsp parsley
-1/2 tsp pepper
-1/2 tsp basil
-1 lb sausage
-1 lb mozzarella cheese

Roll out the dough to about 10×12 inches.  Mix eggs, oil, and spices.  Spread onto both loaves.  Save some to brush on top after rolled.  Layer pepperoni, sausage, 1/2 cheese, ham, and rest of cheese.  Roll up jelly-roll style.  Seam down and tuck ends.  Bake for 25-35 minutes at 350F.  Slice and dunk in marinara.

Thanks to my sister Jennifer and whoever gave this recipe to her!

Rants , , ,

Oh, the Insanity… In Soviet America the Internet Visits You

Posted on February 21, 2009 by Tim Garrett | Permalink 3

Two of my great interests are politics and technology. Most politicians are brain-dead about technology, and most of my techie friends don’t give a crap about politics. This particular article might turn things on its head a little. It will both provide further proof that politicians are brain-dead and likely incite my techie friends to anger.

http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html

These two lovely bills, already in the House and Senate, mean that any usage of DHCP has to be logged for two years. This means any time I use a Wi-fi access point at a hotel, coffee shop, or the airport I would have to give them my personal information to be held for 2 years?! If someone comes over to my house and uses my Wi-fi with their laptop, I have to keep a record of which IP address they were assigned for 2 years?! My office network has to keep track of which employee had which dynamic IP when and retain that information for 2 years?!

You can kiss free and low-cost Wi-fi goodbye. No one will want the legal risk anymore. And, you won’t be able to come over to my house and use my Wi-fi without signing a ledger and providing a thumbprint.

Just like the debate over guns, the stated purpose of protecting children from exploitation is not the only result that can come from it. Just the sheer effort and cost involved with something like this is another backdoor way of expanding the immense government bureaucracy. If it is expensive and a pain to do, no one will do it without enforcement. Need for enforcement means a new government bureau with lots of idiots in suits running around holding press conferences and meeting with Congress in hearings to whine about their funding and rationalize their lack of results.

If the logging requirements were ever expanded to provide real-time government access to this type of data (probably only possible with the biggest ISPs and Wi-fi providers), it could be used to track people’s movements. We all know when you go down that road, the capability will be used for any political advantage conceivable.

What happens if these bills go through? We fail to save the children from harm while continuing to bloat the government. Then, the government controls you and everything you do.

How do you stop this? 8 years ago, I would have said vote Republican. Now, I’m only a Republican because I can’t find anyone I hate less to join up with. The Constitution Party is a bunch of philosophers with apparently no plan to ever gain office at the national level. The Libertarian Party talks about freedom only because they want to secure new freedoms for potheads and degenerates.

Arggggggh.

Geek Speak, Rants

Contract-driven web services with JAX-WS

Posted on July 28, 2008 by Tim Garrett | Permalink 0

Attentive readers will notice that I have previously advocated both contract-first web services and JAX-WS. Although these might seem like contradictory concepts at first glance, I believe I can make a case for the use of these two approaches together. Although many “Hello World” web service examples with JAX-WS simply use the @WebService annotation, a much more sophisticated web service can be developed by digging in to the optional attributes of the javax.jws.WebService annotation. One in particular that jumps out:

-wsdlLocation: allows the specification of a URL of an existing WSDL file. This file can be stored on the web or referenced with a local URL. The WSDL and an external JAX-WS XML bindings file can be used to specify the service operations and the Java type mapping respectively.

Maybe you are not interested in creating your own WSDL or XML bindings file, and you instead want to use Java as your language to express your service contract. Although you lose some power in this arrangement (mainly in the area of XSD data constraints), this may be a more natural approach for most Java developers.

One important consideration in maintaining the contract of a web service is versioning capabilities. If you need to provide backwards-compatibility when you make service operation signature or semantic changes, consider the use of version-based namespaces. Again, the @WebService annotation provides for this with another optional attribute, targetNamespace. It is good practice to embed a version number in both the service endpoint URL and the service namespace to protect against future changes that break backward compatibility.

Having a mechanism for versioning is only half the battle. Having a minimally invasive way to continue to separate your web service endpoint from refactoring and change in your Java code is the key. The approach that I rely on is to inject business services into my service endpoint class rather than directly annotating business services with the JAX-WS annotations. These classes can be a simple 1-to-1 delegate at first, but can adopt more complex mapping and adapting behavior over time if needed for backward compatibility. This allows business services (Java) and web services (JAX-WS/SOAP) to have different refactoring and backward compatibility restrictions (if desired).

The most simple example:

@WebService
public class HelloWorldWebService {
private HelloWorldService service;

public void setHelloWorldService(HelloWorldService service) {
this.service = service; //service delegate injection point
}

@WebMethod
public String helloWorld() {
return service.helloWorld();
}
}

It is tempting to take the easy way out and simply annotate a concrete service class with web service functionality. My preferred breakdown is to have a business service interface, a business service implementation, and a concrete web service endpoint class with annotations. This makes your business services completely unaware of remoting considerations, which is good insulation against future adoptions/un-adoptions of technologies. If the REST advocates have their way and take over the world, you can always rip out your JAX-WS service endpoint class and replace it with the remoting strategy du jour.

You can create a contract-driven SOAP web service with varying degrees of rigor easily with JAX-WS. Understanding your constraints and how closely you want to adhere to contract-driven approaches should allow you to find a happy place where you can leverage the JAX-WS toolset and still build robust and stable web services.

Software development methodologies can easily be adopted with religious zeal, but it is important to remember that our ultimate goal is to build software that delivers on business needs!

Geek Speak , , ,

Imaginary people and the art of software estimation

Posted on July 28, 2008 by Tim Garrett | Permalink 0

When asked to estimate software development, either unilaterally or as part of a team, there are a number of pitfalls you might encounter. You might be building software for a domain you are not entirely familiar with or adopting new technologies with largely unknown risks. Although those are valid issues that might arise, the advice I bring to this blog entry is much simpler. There are no formulas, charts, or dependencies.

To be honest, I have “learned” this lesson before, so I can’t really say this knowledge takes me by surprise. However, the sooner everyone in software development takes it past the recognition stage and adopts it as an inherent philosophy, the better…

When being asked to estimate software development, never rely on imaginary people.

If you have anything less than 100% confidence that a resource will be available to you when needed, assign that resource to “nice-to-have” or contingency features. Delivery dates should never be cited based on possible hires. What all too often happens is the folks with the purse strings remember your commitment to a specific date but forget their obligation to assist with resources. This situation can cause a lot of bitterness and resentment throughout the organization. Worse yet, it all too often is the sign of the beginning of the end for a project.

If you have 2 developers readily available to work on a project for which 10 would be ideal, show the delivery date based on their actual productive capability. It is fine to show delivery dates that are progressively sooner by adding additional people, but it must be made abundantly clear that the one that matters is the one in bold based on actual resource availability.

Even if your developers that are expected to remain imaginary do become available, it is important to remember another related type of developer–the mythical developer and his accompanying productivity. The mythical man month has been discussed in great detail elsewhere, so I won’t spend too much time on it. However, it is important to remember that even a well-resourced project can be run into the ground by mismanagement of resources. Pay special attention to developers’ strengths and weaknesses and make sure you are using them where they can help your team and project the most.

It is sometimes hard to connect the dots between business success and resourcing of projects. The fact is many projects can be delivered much later than anyone would like or with a diminished feature set and still deliver dramatic business value. However, the correct balance between delivery dates, scope, and quality must be agreed upon by everyone involved with a project to ensure success.

Geek Speak ,

Brett Favre

Posted on July 14, 2008 by Tim Garrett | Permalink 0

I know I had you fooled into thinking this was exclusively a tech geek blog. I don’t intend for that to be the case, and I would like to use this forum to sound off about Brett Favre and his retirement flip-flopping. A lot of football fans have suggested that Favre should just be accepted back because a proven quarterback gives more chance than playing with the quarterback of the future. By that logic, who would turn down a 4-time Super Bowl champion like Terry Bradshaw? He is proven after all, and he looks pretty good for 60!

But that’s not really the point. The point is that Favre has jerked the Packers around; not for days, weeks, or months…but YEARS. I for one am just looking for this endless “will he stay or will he go” to end for good.

Rants

Propagating web application credentials through JAX-WS and Spring Security

Posted on July 3, 2008 by Tim Garrett | Permalink 4

I am a big fan of EJB3, but I think certain integration realities in an enterprise environment can limit its relevance. While recently working with EJB3 stateless session beans exposed as JAX-WS web services, I ran into some issues propagating security credentials. I know that this is a fairly seamless process in a traditional Java -> EJB invocation. I had hoped that there was some magic that would provide the analagous solution of security credential propagation from a Java web application to a JAX-WS web service secured with HTTP basic auth (and SSL for the transport mechanism).

I could not dig up any details on this topic, so I came up with my own solution by assembling standard and quasi-standard components.

The end result looked like this:

1. The web application, which used form security, was adapted to use the Spring Security form-based authentication. Although this was a somewhat painful process in the Acegi Security days of configuration hell yore, the Spring Security domain-specific namespace has made it a quite simpler activity. You need a couple of filters and a very simple Spring XML file. Reference docs are here. Anyway, I set up the authentication in the web app to authenticate against the same JAAS realm I had previously used with straight container-managed security.

2. Next, I used the Spring JaxWsPortProxyFactoryBean to wire up my remote web service to appear as a simple business service interface to the web application code. This is pretty cool, because it lets you code your view and controller code completely ignorant of the fact that the model lives somewhere in the SOAP world. I leveraged the new basic authentication functionality of Spring 2.5.5′s JaxWsPortProxyFactory bean and created session-scoped instances. So, I could have an instance of the client bean for each user of the web application, and that client would have its username and password properties initialized from the Spring Security SecurityContext object in scope.

3. Next, I set up my web service (JAX-WS servlet endpoint with injected EJB resource) with Spring Security settings of its own, to include basic authentication against the same realm as the web application (if on different containers, would be different realms but the same underlying authentication store) and HTTPS transport. Then, voila, I had credentials that were equally valid in the web application and the web services.

To be fair, this was a lot of work, but code samples aren’t really necessary as most of the work was in figuring out a valid approach :) However, I believe the benefits will be immense in the long run.

I can always add rules later to enable anonymous callers of certain web service operations, but more often than not, I want to know who the caller is and have their experience (returned data) take that into account. That way I can take advantage of all the neat things that Spring Security offers to create fine-grained security in my services. I can do method-level security, collection-filtering security, and audit logging with ease! At the most primitive level of functionality, I can do a thumbs-up, thumbs-down decision on whether a user is even authenticated and allowed to use a web service.

I have seen some pretty primitive attitudes toward web service security–things like non-SSL transports combined with a simple authentication token that never changes. This is exactly the kind of recklessness I wanted to avoid in my services. SOA is a powerful mechanism when employed properly. One of the premises of SOA is that systems can be easily built by aggregating services. However, that is no reason for the web services to be a free-for-all for anyone who can find a “Hello, this is Axis” servlet and associated WSDL.

Stand with me and build a better web service!

Geek Speak , , ,

Exception handling in your services

Posted on April 4, 2008 by Tim Garrett | Permalink 0

I know my approach to exception handling within services are not original to me, but when I was recently looking for a concise, consolidated written explanation of it to share with a coworker, I couldn’t find one.

In a nutshell, it is:

  • Throw only unchecked exceptions in your business logic; exceptions should not be used for control flow, so why force other modules in business logic to deal with hiccups?
  • Use a transactional management strategy that rolls back transactions on RuntimeException
  • Hide the implementation details of exceptions behind the service layer just as you would the implementation details of the code
  • Define one or more checked exceptions specific to your service layer; when an error propagates up to the top service class, log it and its stacktrace and then throw a generic checked exception

An example:

public interface TestService {
    public void runTest() throws TestServiceException;
}

public class TestServiceException extends Exception {
    public TestServiceException(String message) {
        super(message);
    }
}

public class TestServiceImpl implements TestService {
    private static final Logger logger
            = Logger.getLogger(TestServiceImpl.class);

    public void runTest() throws TestServiceException {
        try {
            //integration with business logic here
            } catch(RuntimeException e) {
                logger.error(e, e);
                throw new TestServiceException(
                        e.getClass().getName()
                        + " encountered in TestService");
            }
        }
    }

This type of standardization is especially important if you have opted to generate web services or other remoting code directly from your services. In the same project I mentioned previously where the web service was required to accept a wide variety of abbreviations and spellings of state names, a remote web service would occasionally throw Oracle database statement errors back to the web service client. This is very dangerous; if combined with poor security practices and other poor coding techniques, it is likely to provide a method for remote SQL injection attacks.

Geek Speak

Your data is important and XSD is your friend

Posted on April 3, 2008 by Tim Garrett | Permalink 0

Whether you have just started building web services or whether it is old hat by now, it is important to take a step back and examine how you have been doing things. Although it is initially cool to quickly generate a service and accompanying WSDL, maybe some client code for testing, and expose your business logic to remote systems, there are more important things involved, like data integrity. It doesn’t matter how quickly you can interact with remote systems if you are getting nothing but junk from the interaction. The old adage “Garbage In, Garbage Out” certainly applies.

How do you know if you are building a robust web service that delivers real value while maintaining data integrity? The answer to this can be found by examining how you handle remote input. Do you assume that everything is OK if an initial test run doesn’t throw an exception? Do you validate input? Do you throw away part of your data and continue processing in spite of it?

Building a robust web service isn’t all that complicated. Here are a few tips:

  • Be specific about your inputs. Is the data element really a xsd:string or is it actually a positiveInteger? If a numeric type, are you specifying ranges? If a string type, are you specifying an enumeration of valid values?
  • Fail early. The job of a web service is to enable easy integration between systems, not to try frantically to make bad data into good data. Make your interface contract clear, and leave client code no choice but to follow the rules.
  • Version your web services. Don’t let your past mistakes haunt you forever. Create new namespaces and URLs for your new, more savvy web services. Then, announce an End of Life schedule for your services. Well-defined web services that communicate in clear messages are best for everyone.

Why am I on this SOAP box? Imagine a web service that accepts every possible value imaginable for a state or province. For example, Connecticut might be Connecticut, connecticut, CT, or C.T. I saw this today. Unless the purpose of your web service is to provide mailing address normalization, this is completely out of line. The S in SOAP used to stand for simple, but if you are building this kind of logic into your web services, you missed the boat.

Services should be contract-driven and should leverage rigid XSD rules and validation before ever being passed into the business logic that makes the service worth exposing remotely in the first place. Clean data gets dirty a lot faster than dirty data gets clean. So, take the steps early on to maintain clean data in your system.

Geek Speak

nokia e51

Posted on March 1, 2008 by Tim Garrett | Permalink 0

I got it. It rocks. How is that for short and to the point?

Geek Speak

Ruby on Rails et al.

Posted on February 23, 2008 by Tim Garrett | Permalink 0

I am an experienced and competent J2EE developer (with some forays into the updated JavaEE technologies). I have worked with most of the big technologies and acronyms from time to time. They are powerful, very powerful. Howevever, they are also big and cumbersome to learn. For a long time, I have taken the stance that the complexity was necessary. You get robustness, correctness, and big industry names behind your project.

Yet, when I was reading through the spec for the Java Business Integration (JBI) API this past week, I was dumbfounded by some of what I would consider unnecessary complexity. Integrating services across a business should not be that much work. Although I don’t know what specific conclusions can be reached about this fact, t is interesting that BEA and IBM, two big enterprise committee members, decided not to vote for the spec.

In a dramatic departure from my previous stances, I am going to go out on a limb and say that Ruby and Rails maybe is capable of delivering most of what Enterprise Java is actually used for and at a dramatic savings in time. I have been reading up on the framework, and I have been very impressed by the power of the conventions-based framework. I see concise, understandable code and lots of freebies. I understand and sympathize with some of the pedantic arguments against Rails. However, that those concerns don’t seem to actually exist as real issues with most real Rails projects indicates to me that most developers who think they are doing Enterprise development actually aren’t.

The features are compelling. You want persistence and you get ActiveRecord. You want MVC and you get a convention-based file/folder and class structure that outlines the distinct responsibilities of the code. You want web services and you get to choose between REST and SOAP (with the simplicity of REST being preferred). You want transactions and you get to choose between service-like transactions that can roll back database state or Object-based transactions that roll back database AND object state. Scalability is all about load balancing your server tiers.

Listen, I don’t think I am ready to be a Ruby on Rails evangelist, but I can’t help but wonder why some of the commercial projects I have worked on have not employed it.

For those who aren’t ready to throw away all their Java infrastructure, I am very impressed with the Grails framework as well.

Geek Speak ,