Monday, February 26, 2007

Java Web Programming Training

INHERITANCE AND POLYMORPHISM:
Abstract Classes:
may contain both implemented methods and abstract (unimplemented) method declarations. A class can extend only one class, abstract or not, so Java has single inheritance of implementation.
A valid example of inheritance is:
Animated (base class)
  Human extends Animated
    Individual extends Human
      Employee extends Individual

Facts:
* Employee cannot extend Human and Manager at the same time (single inheritance).
* An Employee is an Individual, a Human and an Animated, so it can be used wherever any of those types is expected.

Interfaces: contain only method declarations and constants (public static final fields). A class can implement more than one interface, which gives multiple inheritance of type without multiple inheritance of implementation.

METHODS:
* Primitive types (the 8 lower-case types: byte, short, int, long, float, double, char, boolean) are passed by value: the invoked method gets a new local copy, and changes to it never reach the caller.
* Objects are also passed by value, but the value that is copied is the reference. Operations on the parameter therefore act on the caller's original object; reassigning the parameter to a new object only rebinds the local copy and leaves the caller's variable unchanged. This sharing does not survive serialization: a deserialized instance is a separate copy living in the receiving JVM. With RMI, objects that implement java.rmi.Remote are passed as stubs that still refer back to the original object in its own JVM, while every other (Serializable) argument is passed by copy.
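The parameter rules above, as an added example that is not part of the original post. The Account class and the key bytes are constructed for the demonstration. Running it shows that incrementPrimitive leaves the caller's counter at 1, debit changes the caller's balance, tryToReplace leaves the caller's Account untouched, and that only the wipe variant which writes through the shared array reference actually clears the caller's key material:

```java
// Added example, not from the original post: Java always passes arguments by value.
// For a primitive the value itself is copied; for an object the reference is copied,
// so the callee shares the caller's object but cannot rebind the caller's variable.
import java.util.Arrays;

public class ParameterPassing {

    // Minimal mutable object used for the demonstration (constructed for this example).
    static final class Account {
        String owner;
        long balanceCents;

        Account(String owner, long balanceCents) {
            this.owner = owner;
            this.balanceCents = balanceCents;
        }
    }

    // Primitive parameter: n is a local copy; the caller's int is untouched.
    static void incrementPrimitive(int n) {
        n = n + 1;
    }

    // Object parameter: acct is a copy of the reference, so mutating the
    // object it points to is visible to the caller.
    static void debit(Account acct, long cents) {
        acct.balanceCents -= cents;
    }

    // Rebinding the parameter only changes the local copy of the reference;
    // the caller still holds the original object.
    static void tryToReplace(Account acct) {
        acct = new Account("nobody", 0);
    }

    // Because the array reference is shared, zeroing it here really clears the
    // caller's copy of the secret (the usual pattern for wiping key material).
    static void wipe(byte[] secret) {
        Arrays.fill(secret, (byte) 0);
    }

    // This version wipes nothing the caller can see: it points the local variable
    // at a fresh array and leaves the original bytes in memory.
    static void wipeWrongly(byte[] secret) {
        secret = new byte[secret.length];
    }

    public static void main(String[] args) {
        int counter = 1;
        incrementPrimitive(counter);
        System.out.println("counter after incrementPrimitive: " + counter);

        Account a = new Account("alice", 10000);
        debit(a, 2500);
        System.out.println("balance after debit: " + a.balanceCents);

        tryToReplace(a);
        System.out.println("owner after tryToReplace: " + a.owner);

        byte[] key = { 0x41, 0x42, 0x43, 0x44 }; // constructed sample key
        wipeWrongly(key);
        System.out.println("after wipeWrongly: " + Arrays.toString(key));
        wipe(key);
        System.out.println("after wipe: " + Arrays.toString(key));
    }
}
```

The wipe/wipeWrongly pair is the practical consequence for security code: a method can only clear a secret the caller handed it if it writes through the shared reference, never by assigning a new object to the parameter.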

SERIALIZATION:
* TRANSIENT marks a field that is not stored in the serialized form. Method code is never serialized anyway (only field values are written, and the class itself must be present on the receiving side), so transient is not a way to hide business rules or algorithms; it is the right tool for keeping secrets and non-portable state (passwords, keys, open sockets, caches) out of a byte stream that may end up on disk or on the wire. A transient field comes back with its default value (null, 0, false) after deserialization.
* RECURSIVE: serializing an object also (recursively) serializes every non-transient, non-static member that is itself an object; each of those classes must implement Serializable or a NotSerializableException is thrown.
* VERSIONING: http://www.javaworld.com/javaworld/jw-03-1998/jw-03-beans-p2.html. Declare an explicit serialVersionUID in every Serializable class; otherwise the JVM derives one from the class layout and an unrelated change breaks compatibility with previously written streams.
* STATIC VARIABLES are never serialized: they belong to the class, not to the instance.
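The serialization rules above, as an added example that is not part of the original post. The Session and Address classes and the key string are constructed for the demonstration. Serializing a Session and searching the resulting bytes shows the user name and the nested Address city present in the stream and the transient apiKey absent; reading the stream back gives a null apiKey and leaves the static counter at whatever value the class holds at that moment:

```java
// Added example, not from the original post: what does and does not end up in a
// Java serialization stream (transient fields, static fields, nested members).
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializationDemo {

    // Member object: serialized recursively as part of Session (constructed for this example).
    static class Address implements Serializable {
        private static final long serialVersionUID = 1L;
        String city;

        Address(String city) {
            this.city = city;
        }
    }

    static class Session implements Serializable {
        // Explicit version: without it the JVM derives one from the class layout
        // and any refactoring breaks compatibility with previously written streams.
        private static final long serialVersionUID = 1L;

        // Class state: belongs to the class, not the instance, so it is never written.
        static int instancesCreated = 0;

        String user;
        // Secret that must not land on disk or on the wire; excluded from the stream.
        transient String apiKey;
        Address address;

        Session(String user, String apiKey, Address address) {
            this.user = user;
            this.apiKey = apiKey;
            this.address = address;
            instancesCreated++;
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(bos);
        out.writeObject(obj);
        out.close();
        return bos.toByteArray();
    }

    // Deserialization instantiates whatever classes the stream names; only feed it
    // streams from a source you trust as much as the code it can reach.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes));
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    // Strings are written with writeUTF, so an ASCII value is searchable as bytes.
    static boolean streamContains(byte[] stream, String text) throws IOException {
        return new String(stream, "ISO-8859-1").indexOf(text) >= 0;
    }

    public static void main(String[] args) throws Exception {
        Session s = new Session("alice", "constructed-example-key", new Address("Lisbon"));
        byte[] bytes = serialize(s);

        System.out.println("user in stream:    " + streamContains(bytes, "alice"));
        System.out.println("address in stream: " + streamContains(bytes, "Lisbon"));
        System.out.println("apiKey in stream:  " + streamContains(bytes, "constructed-example-key"));

        Session.instancesCreated = 99; // change class state before reading back
        Session copy = (Session) deserialize(bytes);
        System.out.println("apiKey after round-trip: " + copy.apiKey);
        System.out.println("address after round-trip: " + copy.address.city);
        System.out.println("instancesCreated after round-trip: " + Session.instancesCreated);
    }
}
```

The byte search is the check worth keeping around: when a class is handed to an ObjectOutputStream (HTTP session persistence, RMI, JMS), serialize a populated instance once and grep the bytes for anything that should have been transient.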

JSP:

* The first time a JSP page is requested, Tomcat translates it into a .java source file and compiles that into a Servlet; later requests run the compiled class.

* TOMCAT: configuration at server level (conf/server.xml, conf/web.xml) and at application level (WEB-INF/web.xml).
* CLASSLOADER: the class loader resolves, on demand, the classes that the import clauses refer to. Tomcat's web-application loader has a predefined search order: the JVM's bootstrap and system classes first, then the application's own WEB-INF/classes and WEB-INF/lib/*.jar, then the server-wide %CATALINA_HOME%/common/lib (and shared/lib). Classes under WEB-INF are visible only to that web application, which is what keeps applications deployed on the same Tomcat from seeing each other's code.

SOFTWARE:
Jdk 1.4.0.2_05
NetBeans 3.6
Jboss 4.0.03sp1
Tomcat 5.0.28
Ant 1.6.2
Hypersonic

Installation:
  • create a *_HOME user environment variable for each product (JAVA_HOME, JBOSS_HOME, CATALINA_HOME for Tomcat, ANT_HOME, etc.)
  • referencing those variables considerably shortens your PATH variable (also a user variable) and turns an upgrade into a one-line change
FILE TYPES:
  • WAR: Web Archive (one web application)
  • JAR: Java Archive (classes and resources)
  • EAR: Enterprise Archive (bundles WARs, EJB JARs and libraries for an application server such as JBoss)
WEB APP FOLDER STRUCTURE:
  • META-INF: archive metadata (MANIFEST.MF and, for Tomcat, an optional context.xml)
  • WEB-INF: holds web.xml and the classes folder where servlet classes reside (plus lib/ for JARs); the container never serves anything under WEB-INF directly to clients, so it is the place for code and configuration
  • WEB-INF/web.xml: the deployment descriptor; contains the servlet-to-class mappings, the URL patterns that route requests to servlets, and any security constraints
EVOLUTION:
Oak => Java 1.0 (proof of concept) => Java 1.1 => Java 2 (JDK 1.2)

REFERENCE:
* (Sun) The J2EE 1.4 Tutorial: http://java.sun.com/j2ee/1.4/docs/tutorial/doc/
* (Sun) J2EE 1.4 API Specification (javadoc): http://java.sun.com/j2ee/1.4/docs/api/
* (Oracle) Web Services Tutorial: http://www.oracle.com/technology/tech/webservices/htdocs/series/index.html


Tuesday, February 13, 2007

DB Security Research

Q: I wonder if proxy authentication and secure application roles are of any benefit in a business intelligence context....
A: Combining secure application roles with proxy authentication is a very useful technique that prevents users from directly assuming application roles. "Proxy authentication distinguishes between a middle tier creating a session on behalf of a user and the user connecting directly", so the role can be enabled only when the session was established through the middle tier and is refused when the same user connects to the database directly.

The additional benefit of a secure application role is that the package that enables it can enforce further checks, such as the IP address of the middle-tier server (SYS_CONTEXT('USERENV','IP_ADDRESS')) or the proxy user that established the session (SYS_CONTEXT('USERENV','PROXY_USER')), before granting the role.

Another useful feature, available through OCI, JDBC and thin JDBC, is the client identifier. When the middle tier uses connection pooling, every pooled connection authenticates as the same database user; setting a client identifier (an application-level string such as the end user's login name, set with DBMS_SESSION.SET_IDENTIFIER or OracleConnection.setClientIdentifier) lets the middle tier keep reusing connections while the audit trail and V$SESSION still show on behalf of which "CLIENT IDENTIFIER" (the application user, not the database user) an operation is being executed. The identifier is asserted by the application, so the database can trust it only as far as it trusts the middle tier.

Q: Which are Oracle 10g's main authentication mechanisms?
A:
  • Database Authentication: The user account is created and administered in the Oracle database, which is automatically able to authenticate that user. This method works well for application users/roles and small user communities, as the number of user accounts is directly related to the DBA maintenance effort required.
  • External Authentication: The user account is still maintained in the database but both password management and authentication are performed by an external entity/service. The main benefits of this method are the chance to provide a single sign-on capability and the wider array of authentication mechanisms available which enables the organization to leverage some user repositories already in place. Types of External Authentication include:
  1. OS Authentication: once validated by the OS, a user gains access to the database transparently, and authorization uses the OS identity to determine the user's privileges. This method is generally not recommended and requires extensive planning before it is rolled out: with REMOTE_OS_AUTHENT enabled the database trusts an identity asserted by the client machine, which any host on the network can forge.
  2. Network Authentication: Requires that Oracle Advanced Security be enabled and configured to use third-party authentication mechanisms
  • Global Authentication and Authorization: By using Enterprise Roles a central LDAP directory can be in charge of both centrally maintaining user accounts and their authorized privileges. This, to the best of my knowledge, would require you to use Oracle Internet Directory, which would be duplicated effort if you already have a directory server.
  • Proxy Authentication and Authorization: More suited for multi-tier applications, it allows the database to distinguish between the privileges granted to the middle-tier and those of the end user of the application. See the Oracle Database Security Guide - 3.2 Recommended Application Design Practices to Reduce Risk for more information.
NOTE: If you end up using Oracle Advanced Security and the business requires strong encryption, incorporate SSL/TLS into the configuration so that both the authentication exchange and the session data are protected (see also "How SSL works with other authentication methods").
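The combination described in the first answer above (proxy authentication plus a secure application role plus a client identifier) and the "Proxy Authentication and Authorization" item in the list, as an added middle-tier example that is not part of the original post. The host, the APPSRV and SCOTT accounts, the HR_APP_ROLE role, the SEC_ADMIN.HR_SEC package and the DDL in the comment are all assumptions made up for this example; it needs an Oracle 10g database configured that way and the Oracle JDBC driver on the classpath, and the connection would normally come from a pool rather than from DriverManager:

```java
// Added example, not from the original post: a middle tier that reuses one pooled
// connection for many application users, using proxy authentication, a client
// identifier for auditing, and a secure application role. Host, account, role and
// package names are assumptions made up for this example.
import java.sql.CallableStatement;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;

public class ProxyAuthMiddleTier {

    // Assumed environment; replace with real values.
    static final String URL = "jdbc:oracle:thin:@dbhost:1521:orcl";
    static final String MID_TIER_USER = "appsrv";

    /*
     * Assumed database-side setup (run once as a DBA; example DDL, not from the post):
     *
     *   ALTER USER scott GRANT CONNECT THROUGH appsrv;
     *   CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.hr_sec;
     *
     * sec_admin.hr_sec.enable_hr_role is an invoker's-rights procedure that calls
     * DBMS_SESSION.SET_ROLE('hr_app_role') only when
     * SYS_CONTEXT('USERENV','PROXY_USER') = 'APPSRV' and
     * SYS_CONTEXT('USERENV','IP_ADDRESS') is the middle tier's address.
     * A user who connects directly as scott therefore never gets the role.
     */

    // Runs one unit of work for application user appLogin, who maps to database
    // user dbUser, on top of the middle tier's pooled connection.
    static String whoAmI(OracleConnection pooled, String dbUser, String appLogin) throws SQLException {
        Properties prop = new Properties();
        prop.put(OracleConnection.PROXY_USER_NAME, dbUser);
        // Lightweight session for dbUser inside the existing physical connection.
        pooled.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
        try {
            // Application-level identity; shows up in V$SESSION.CLIENT_IDENTIFIER
            // and in the audit trail even though the pooled login is still appsrv.
            pooled.setClientIdentifier(appLogin);

            // Let the secure application role's package decide whether to enable it.
            CallableStatement cs = pooled.prepareCall("{call sec_admin.hr_sec.enable_hr_role}");
            cs.execute();
            cs.close();

            // Ask the database who it thinks is working: session user, proxy user, client id.
            Statement st = pooled.createStatement();
            ResultSet rs = st.executeQuery(
                "SELECT SYS_CONTEXT('USERENV','SESSION_USER'),"
                + " SYS_CONTEXT('USERENV','PROXY_USER'),"
                + " SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') FROM dual");
            rs.next();
            String who = "session_user=" + rs.getString(1)
                + " proxy_user=" + rs.getString(2)
                + " client_identifier=" + rs.getString(3);
            rs.close();
            st.close();
            return who;
        } finally {
            // Drop the end-user session but keep the physical connection for the pool.
            pooled.clearClientIdentifier();
            pooled.close(OracleConnection.PROXY_SESSION);
        }
    }

    public static void main(String[] args) throws Exception {
        Class.forName("oracle.jdbc.OracleDriver");
        // Password supplied with -Dappsrv.password=...; never hard-code it.
        String password = System.getProperty("appsrv.password");
        OracleConnection pooled =
            (OracleConnection) DriverManager.getConnection(URL, MID_TIER_USER, password);
        try {
            System.out.println(whoAmI(pooled, "scott", "alice@example.com"));
        } finally {
            pooled.close();
        }
    }
}
```

The finally block is the part that matters operationally: if the proxy session and the client identifier are not torn down before the connection goes back to the pool, the next request inherits the previous user's role and audit identity.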
