Securing the client side: Building safe web applications with HTML5
It is more important than ever to think of security when developing HTML client functionality. People make mistakes, thats’it. We need more of a programming model that can help us making as few mistakes as possible, See Content security policy Content Security Policy An example is to divide functionality in different blocks, and just give each block as much privilegies as it needs and no more. For example, if one block won’t be executing any script, then we won’t let it. This way we can prevent malicious javascript code from executing in this block. Also consider that nowadays there is no reason not to communicate through HTTPS instead of HTTP. This way it’s so much harder, but not impossible to leak information, and also prevent information from beeing added to the response coming from the server using a “man in the middle attack”.
Behavoiur driven development on the JVM – a state of the union
I have been interested in BDD for a long time, but never really practiced it. In this talk, the presenters first ranted a little about the background of TDD and how the developing speed succeeds non testdriven development over time, but then they moved over to BDD. BDD has som interesting features like tests also becomes documentation for the system. Far better than let’s say Javadoc. This I think moves testing away from often beeing kind of a maintenace weak spot til actually really helping out in describing what the system should do. It’s also interesting in how it approaches testing, not only making unit test but focusing on testing bits and pieces togheter in a moderately predefined way using a tool of your choice. Also known as acceptance testing and/or integration testing.
Example
The story:
Scenario: trader is not alerted below threshold
Given a stock of symbol STK1 and a threshold of 10.0
When the stock is traded at 5.0
Then the alert status should be OFF
Scenario: trader is alerted above threshold
Given a stock of symbol STK1 and a threshold of 10.0
When the stock is traded at 11.0
Then the alert status should be ON
Story as test using JBehave:
public class TraderSteps {
private Stock stock;
@Given("a stock of symbol $symbol and a threshold of $threshold")
public void aStock(String symbol, double threshold) {
stock = new Stock(symbol, threshold);
}
@When("the stock is traded at $price")
public void theStockIsTradedAt(double price) {
stock.tradeAt(price);
}
@Then("the alert status should be $status")
public void theAlertStatusShouldBe(String status) {
ensureThat(stock.getStatus().name(), equalTo(status));
}
}
Using Spring in Scala
Spring has started their effort to bring Scala and spring togheter releasing the second milestone of “Spring Integration Scala DSL“. It’s about adapting their API to fit well also for Scala. Some parts that the presenter demoed was template functionality like jdbc-template, jms-template. Also the dependency injection for scopes singleton, and prototype has been adapted for scala. Making it posible to use scala instead of XML, a Scala config.
The goals of the project are:
- provide a strongly-typed Scala alternative to XML configuration
- raise awareness of Spring Integration in Scala community
- provide first class AKKA integration
- providing seamless integration with Java where Scala developers can still leverage their existing Java investments
Unitils: Full stack testing solutions for enterprise applications
This is an interesting framework acting as the glue between different test frameworks like JUnit, EasyMock, DBUnit, etc. These modules is pluggable. Junit can for example be exchanged by TestNG. So as a developer you get a stack of good testing tools that work togheter, enabling faster project startup. You can configure it per user, which means each user can tweak in it’s own prefered way if desirable. Unitils is reducing boilerplate code and also enables integration and system testing in it’s stack.
The Evolution of Java Persistence
The first 45 minutes of this talk wasn’t much interesting. The presenter came from Oracle – EclipseLink and he started talking about non standard, but possibly to be functionality in eclipseLinks JPA implementation. The interesting part was that they have started a project that will enable JPA/EclipseLink to handle NoSQL datasources. Just as it would be a relational database system. He made som examples using MongoDB where he read and persisted data using EntityManager methods like get() and merge() and showed us the underlying query and we could see that MongoDB queries actually was executed. He also mixed Relational queries with NoSql ones in the same Session. And also executed JPQL queries against MongoDB. This is a good and exciting thing when such a relatively big player in ORM industry focusing on NoSQL. Even if there are tendencies of moving away from ORM soutions. But that’s another story 
Simplicity in Scala design
Despite it’s name, the tips in this talk can be applied to most programming languages, though Scala examples where used. It was about design api methods and functionality to make it obvious how to use them. Prefarably so obvoius that when using a certain functionality there is no need to look at the documentation. To achieve that names is important but also the use or not the use of operators in names. And also how to call methods and how the methods collaborate with each other. If obvous is not achievable, make it guessable, and if that isn’t possible make it easy to remember. Often favour readers over writers. That means beware of making stuff easy to write by making it for example short, because it makes it harder to read code and remember. Use things, like operators as names and so on in contexts that users are familiar with. Now you might be thinking that you heard all this before, but this talk from Bill Venners had that little extra so check out this talk when it gets available at parleys.com
TomEE
Another talk that really made me happy was the one about TomEE. A full certified JavaEE WebProfile application server built on Tomcat. Yes JBoss is also built on tomcat. But this one focuses on ease of use, is very fast and leaves a small footprint. He said that the server can run with default JVM settings. And that was the full-profile version. Startup with a small app containing a servlet, EJB, Webservice, and a POJO took a few seconds embedded in Eclipse. As I said this was the full-version. I’m not a fan of application servers though I only been working with JBoss, and this one probably do not speak for them all. But I was so glad after this talk, because previously if it was up to me I would almost certainly go with Spring or some other tool that do not require an application server and instead deploy in a servlet container. If not very strong reasons not to go with that. But now it really feels like we have a good JavaEE alternative wich has the developer in mind. Thank you TomEE! Ok, I’m usually careful of praising stuff before using it myself, but I’m sure this one is a good thing. Remember also that Tomcat has been around for years and TomEE is built on it. As I mentioned they also have a plus version that includes EJB full, JMS, JAX-WS and more. Though this one is not certified because it excludes things like CORBA.
About the conference
This was my first visit at Devoxx. Compared with for example GOTO Arhus wihch also is a 3 day conference. Devoxx is more for a developer, and has much more focus on the Java platform. Devoxx is also much cheaper,
Otherwise they are pretty similar. Might be a coincidence, but GOTO have had better speakers compared to this years speakers at Devoxx.
