Technology
CB:
Security's one part of the JBOSS manual that I haven't read
through in depth. But from what I have read, it looks like you've been doing a
lot of cool stuff there. Am I correct that it mostly involves better
integration between the J2EE server and its environment... With things like
existing LDAP directories?
SS:
It's somewhat that...
It's a simplification of direct application of JAAS as the mechanism to integrate into security
architectures. [It's also about] going
beyond J2EE's security model, which is role based... which is not enough in
general. [To implement security you need to consider] what's in the database,
the state of the bean, the state of the user application profile.
CB:
So going beyond roles means implementing security policies where an app needs
to decide complex things like... if this is a premium customer and they've spent
this amount, and it's Tuesday and a full moon then you allow them to do this or that...?
SS:
Yup.
CB:
But that still sounds like you have to implement a lot of custom Java code...
SS:
It's going to be custom Java code. We don't write that. We simply have an
architecture that allows you to extract that from your business logic... The only
way you can do this in the context of J2EE today is to embed those [security]
rules in your business logic.
CB:
By...wrapping the security constraint code directly around the code for your
business methods?
SS:
Yes
CB:
So you have a way of kind of factoring this out into a separate class?
SS:
[Yes]... That's coming from our interceptor
design. It's a way of taking that separation that J2EE espouses in role
based security and saying OK, that's good, but you need that in general, for
arbitrary security stuff. In the future I might look at maybe trying to
introduce maybe a security language to help simplify or eliminate some of that
code. But in general... if you're
super-duper whacked in your security requirements you are going to have to
write some code.
CB:
In the couple of days I spent tinkering with JBOSS I didn't notice any kind of
GUI deployment tool where I could click and set up things. Is it all XML files
right now?
MF:
Well... we've had a checkered history with the GUI. So has BEA by the way. It
turns out that J2EE [deployment] is really cumbersome.... You have jars, and
files and classes inside... and the WAR, and the EAR... the META-INF.... It's very
cumbersome to build a structure like that.
BEA had a GUI where you click through 10 panels any time you want to get
anything done, and anytime you wanted to repackage it you had to go through the
same thing. The first time you see it you go "Oooh a GUI"...
CB:
But I guess when you're continually stepping through the test/build cycle, you
don't want to use the stupid GUI.
MF:
Yeah, your arm gets tired and by the tenth time...you want to simplify.
CB:
With scripting?
MF:
Yes. So it's ANT ... we have straight ANT scripts, where you just build from your
GUI development environment. We had [a
GUI]... but people really didn't use it.
BEA did the same thing. They had a GUI and went back to
recommending ANT for deployment.
CB:
How easy is it to port applications from other app servers to JBOSS?
BS:
We ported Dow Jones from BEA to JBOSS in two days... But it
was Bill Burke doing the
work. So maybe it's a week for your average man.
SS:
But if you've never seen a given application server... yeah,
it can take some time. Because you've
got to [consider] "what does this whacky WebLogic tag mean in this
application?"
So there's two parts, right? There's the standard J2EE part
which is just going to map perfectly. And there's the application server
specific part which... who knows whether that maps? It may not map at all!...
That's where your problems come in.
In JBOSS all of our custom services... in 4.0... will be
manifest sections of our custom deployment descriptors. I mean, you'll see the
breadth of JBOSS's customizability in 4.0. Right now [these custom services]
happen to be spread across deployment descriptors.
CB:
So 4.0 will have one XML file instead of....
MF:
Instead of the J2EE mess, where you have way too many files. [We want] to take
each file and generate one file by XSL transformation, and have just one
file [which defines] all the services, and that's also our repository for the
configuration.
CB:
Now when you do all your
XSL transformations and munge these descriptors into one file – is this
something where I just have a view into the configuration information, or can I
actually modify it?
MF:
I don't know, we haven't written it yet, but ...
SS:
You'll be able to modify it! But
ultimately, we want to go beyond XML as the only mechanism. We really want an
object model that describes it. In fact, you'll have an MBean. You'll go into
our run time and edit the characteristics of the deployment.
MF:
You can modify it dynamically with JMX today.
SS:
Not all our stuff though...
CB:
So when you're saying you can actually modify deployment
characteristics with JMX at run time... I'm confused... my brain is still stuck
with this XML idea of defining deployment things, but your stuff will...
SS:
Correct! Everything is objects! I can go in and add,
for example, a new row at run time [that defines] security [constraints]. Some
people have asked for this, but it's something that J2EE doesn't support,
because you've got to put it in the friggin' static file.
CB:
Ohhh. I see. That's cool. I like the idea of having everything in one place and
runtime modifiable. Go do that! You have my endorsement.
BS:
That's why developers love us. Now we've got to convince
managers that they've got to love us too.
Last Modified
November 27, 2002