Tuesday, August 16, 2011

NoSQL Now 2011 Conference - My Session: Security Considerations in NoSQL Data Access


I will be speaking at the NoSQL Now 2011 Conference next week. The title of my session is:

Security Considerations in NoSQL Data Access


NoSQL databases have been getting a lot of attention lately, and there hasn't been much discussion of the security of the applications accessing these non-relational databases.

The main focus of my talk will be to give an overview of the current state of security support by the leading NoSQL DB vendors like MongoDB, Neo4J, Cassandra, and CouchDB. I will also discuss the emerging trends, tools and techniques, and best practices in the NoSQL Data Security space.

It's great to see an entire conference focusing on one of the emerging trends in the software application development area, such as NoSQL databases.

If you are interested in attending the conference, you can register for it at the following link:

http://nosql2011.wilshireconferences.com/reg.cfm


Monday, February 28, 2011

Training Class on Enterprise Java Application Development using Spring and Hibernate

I am organizing a free training class in the Austin area on "Enterprise Java Development Using Spring and Hibernate Frameworks". If you live in the area and are interested in attending this class, here is the registration link:

http://enterprise-java-spring.eventbrite.com/

Training Class Details:

Title:
Training: Enterprise Java Application Development using Spring and Hibernate

Session Format: Tutorial
Date: March 12, 2011 (Saturday)
Time: 9 AM to 1 PM
Duration: 4 hours
Target Audience: Java/Java EE Developers and Solution Architects
Session Type: Introductory (Note: If you are already familiar with the Spring and Hibernate frameworks, feel free to skip this class and sign up for the next session, where I will cover the advanced topics in Spring.)

Location: IASA Global Headquarters

Address:
11044 Research Blvd.
Suite B-400
Austin, TX 78759

Abstract:
Since its first release back in 2004, Spring Framework has become a popular choice for developing enterprise applications. At the core, Spring supports Dependency Injection (DI), Aspect-oriented Programming (AOP), and enterprise service abstraction. After a brief overview of design concepts like DI and AOP, this tutorial focuses on the last part - enterprise service abstraction that helps the Java developers to integrate their applications with many widely used technologies.

In this tutorial, we will build a web application based on the widely used application architecture layers (Database, Data Access, Domain, Service, Controller, and Presentation), add persistence (using JPA and Hibernate 3) in the DA layer and transaction management (using Spring Transaction Management) in the Service layer. We will add the application security (authentication & role based authorization) to the application using Spring Security.

Tutorial Outline (with estimated coverage time in minutes):
- Introduction (15)
- Example Web Application Setup Details (15)
- Spring Lightweight Container Architecture, including Inversion of Control (IoC) (15)
- Pragmatic AOP (15)
- Agile, domain-driven design techniques with Spring (15)
- Unit testing in isolation (15)
- System integration testing support (15)
- Persistence (using JDBC and JPA/Hibernate options) (30)
- Declarative transaction management (30)
- Validation (15)
- Spring Security (Authentication & Authorization) (15)

Key Takeaways:
You will leave with the practical knowledge of using Spring and Hibernate in developing enterprise Java web applications.

Pre-Requisites:
- Working knowledge of Java/JavaEE technologies
- Familiarity with development tools like Eclipse IDE, Maven, and JUnit.
- Bring your laptops to this tutorial as it will be a hands-on workshop and come ready to code.

Tuesday, September 21, 2010

JavaOne 2010 Presentation: Application Security Enhancements in Java EE 6

I spoke at the JavaOne 2010 conference yesterday on the topic of Application Security Enhancements in Java EE 6.

Java EE 6, released earlier this year, includes several significant enhancements especially in the areas of annotation based authentication and authorization in the web tier. So, if you are developing lightweight web applications where you don't want to use EJB components for the application security requirements, you now have a choice of implementing the authentication (declaratively or programmatically) and authorization aspects in the Controller classes (Servlets).

Session abstract:
Java EE 6 includes some interesting security enhancements in the areas of Web container security as well as authentication and authorization aspects in Web application development. This session will give an overview of these new security features and discuss the details of how to use them, with help of a sample Java application, in real-world enterprise Java applications. The discussion will include how developers can take advantage of programmatic and declarative (@ServletSecurity, @DeclareRoles) security features. It will also include a discussion on Java EE security technologies such as Java Authentication Service Provider Interface for Containers (JSR 196) and Java Authorization Contract for Containers (JSR 115).

I did a couple of demos on how to use the new security features. This is my first time attending the JavaOne conference as a speaker and it's been a great experience so far.

I also wrote on the InfoQ website about the new security features provided by the Java EE 6 release.

If you have been using other security frameworks like Spring Security, Java EE 6 is definitely something you should look at. While there are some differences in what the Spring Security 3 framework offers in terms of role-based access, EL-based authorization, etc., the new web-tier security features in Java EE 6 make it easier to implement the security aspects without coupling the security logic with application or business logic.
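
The declarative and programmatic web-tier checks described in this post, as an added example that is not taken from the JavaOne session or the InfoQ article: a Servlet 3.0 servlet that uses `@ServletSecurity` and `@DeclareRoles` for container-enforced access and `isUserInRole` for an in-method decision. The URL pattern, class name and role names are hypothetical, and the login mechanism and role mapping are assumed to be configured in the container.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example: "/accounts", "teller" and "manager" are hypothetical names.
@WebServlet("/accounts")
@DeclareRoles({"teller", "manager"})
@ServletSecurity(
    // Default for every HTTP method not listed below: either role, TLS required.
    value = @HttpConstraint(rolesAllowed = {"teller", "manager"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // Writes are narrower than reads: only managers may POST.
        @HttpMethodConstraint(value = "POST", rolesAllowed = "manager",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the role,
        // so the servlet body carries no access-control plumbing of its own.
        resp.setContentType("text/plain");
        resp.getWriter().println("Signed in as " + req.getUserPrincipal().getName());
        // Programmatic check for a finer-grained decision inside the method.
        if (req.isUserInRole("manager")) {
            resp.getWriter().println("Approval queue available");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reached only by callers in the "manager" role.
        resp.setContentType("text/plain");
        resp.getWriter().println("Account updated by " + req.getUserPrincipal().getName());
    }
}
```

Because the `value` constraint applies to every HTTP method that is not named in `httpMethodConstraints`, methods such as PUT or DELETE are still limited to the two declared roles rather than left open.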

Sunday, April 18, 2010

SATURN 2010 Conference

I will be speaking at the upcoming SATURN 2010 conference next month. My presentation title is "Agile Architect - Integrating Enterprise Architecture into Agile and Lean Software Development". I will discuss an agile architecture framework on how to integrate the architecture concerns into the Agile Software Development environments.

The discussion includes various organizational, team structure, and process changes we implemented to make Enterprise Architecture (EA) efforts an integral part of the software development and management processes. Some of these changes include "Architecture and Security Assessment" and "SOA Assessment" in those projects that have the architecture significance and potential for creating reusable Components and Services.

The other techniques we implemented to make architecture and design aspects blend with the Development, Unit Testing and Continuous Integration (CI) steps in the Agile Software Development Lifecycle (SDLC) are Domain-Driven Design (DDD), Model Driven Software Development (MDSD), and Automated Policy Enforcement. I will talk about these techniques in detail in the presentation.

SATURN is a great conference to attend. I attended last year's conference, which had speakers like John Zachman and Rebecca Wirfs-Brock give keynote presentations. There were several real-world project-based presentations, which is one of the things I look for in any conference. There were also very interesting BOF sessions on topics like Architecture Validation.

If you are currently working in or looking to learn architecture skills to get into the Architecture area, check out the SATURN 2010 conference and, if you are interested, register for the conference.

Monday, April 12, 2010

ITARC Denver 2010 Conference

I will be speaking at the upcoming ITARC conference in Denver. The title of my presentation is "Agile Architect: Integrating Enterprise Architecture into Agile and Lean Software Development".

In the presentation, I will discuss the details of an Agile Architecture framework we introduced in our projects to make Enterprise Architecture efforts an integral part of the software development and management processes. The discussion includes the changes we had to make in terms of Teams, Process, and Tools & Technologies. I will talk about the process changes we made to include new steps like Architecture and SOA Assessments in those projects that have the architecture significance and potential for creating reusable Components and Services.

I will also discuss other techniques to make architecture and design aspects blend with the Development, Unit Testing and Continuous Integration (CI) steps in the Agile Software Development Lifecycle (SDLC). These techniques include Domain-Driven Design (DDD), Model Driven Software Development (MDSD), and Automated Policy Enforcement.

If you are currently working on or looking to learn the architecture skills to get into the Architecture space, check out the speaker line-up and, if you are interested in attending, register for the conference.

Sunday, April 11, 2010

OSGi in Action Book

The Java language provides modularity when designing and coding applications using Object-Oriented Design and Programming concepts. But it doesn't provide a mechanism to take Java code designed and developed using modular concepts (OOP) and deploy it in a modular fashion. This is where OSGi technology comes into the picture. You can organize Java classes using the package structure and the scope of the classes to control the visibility of a class to other classes, but when it comes to deploying the applications, you have to package them in a monolithic WAR file or EAR file, which doesn't provide much flexibility in controlling which classes and libraries (JAR files) you want to bundle in the application archive files. This limitation has led the JEE container vendors to come up with proprietary implementations addressing the modularity aspect (e.g., you can deploy an EAR file as a common library, instead of an application, in WebLogic server).

This is the main focus of the book OSGi in Action by authors Richard S. Hall, Karl Pauls, Stuart McCulloch, and David Savage. It's a good addition to OSGi resources and for the Java developers who are currently using or considering using OSGi technology in their applications.

The book starts with a discussion of what modularity is and of Java's modularity limitations related to the classpath and the limited modular deployment support in the Java model, and explains how OSGi technology addresses these limitations.

The authors talk about the two parts of the OSGi Platform:

  • OSGi framework (this is the run-time environment that provides OSGi functionality) and
  • OSGi standard services framework (which defines the reusable APIs for tasks such as Logging and Preferences).

They also discuss the three layers of the OSGi specification:

  • Module Layer: This layer covers the packaging and sharing the code. It defines the OSGi module concept, called a Bundle, which is a JAR file with extra meta-data.
  • Lifecycle Layer: This layer provides the run-time module management and access to the underlying OSGi framework. It defines the bundle lifecycle operations like install, update, start, stop, and uninstall.
  • Service Layer: This layer covers the interaction and communication among modules, specifically the components contained in them.

The authors discuss the Bundles concept in OSGi, how to define them with metadata and the benefits of modularizing the program. These benefits include:

  • Logical boundary enforcement
  • Reuse improvement
  • Configuration verification
  • Version verification
  • Configuration flexibility

The event model support in OSGi is also covered.

OSGi Event Model

The OSGi framework supports two types of events:

  • BundleEvents (these events report any changes in the lifecycle of bundles) and
  • FrameworkEvents (these events report the changes in the framework).

The authors also talk about OSGi design patterns such as Listener and Whiteboard and some OSGi anti-patterns in the area of updating a bundle. Best practices in managing the versioning of packages and bundles, and how to run multiple versions in the same JVM with the example of a Preferences service, are also covered.

The discussion in the book includes a sample Java application (paint program). The application build and package examples use Ant as the build tool. It would have been nice if they had used the Maven tool, which is what I use at work for building and packaging Java applications.

There is also a discussion of how to test OSGi applications using a mock objects approach when calling the OSGi APIs, and container testing to discover any potential class loading or visibility issues. The OSGi test tools listed are OPS4J's Pax-Exam, Spring DM's test support, and Dynamic Java's DA-Testing.

Topics like debugging Java applications and embedding the OSGi framework in applications are also covered. Security, another important aspect in enterprise application deployment, is also covered in detail.

To put OSGi in perspective, the authors also talk about how OSGi relates to other technologies like Java Enterprise Edition, Jini, NetBeans Platform, Java Management Extensions, Lightweight containers (PicoContainer, Spring, and Apache Avalon), Java Business Integration (JBI), JSRs 277 (module system for Java) and 294 (Improved Modularity Support in the Java Programming Language), Service Component Architecture (SCA) and .NET technology.

Overall, this book is an excellent resource for Java developers of all levels of expertise in OSGi technology.

Monday, February 1, 2010

ITARC Austin 2010 Conference

I will be speaking at the upcoming IT Architect Conference (ITARC) in Austin this week. My presentation session details are as follows:

Fundamentals Track:

  • Integrating Enterprise Architecture into Agile and Lean Software Development Environments
  • Security Architecture Policy Enforcement and EA Governance Using AspectJ and SpringAOP Techniques

It's a conference worth attending with a great line-up of speakers and sessions and the registration price is very affordable.

There are two keynote presentations.

  • Keynote: Gaining Operational Excellence and Agility Through Enterprise Architecture, Presented by Roy Hunter, Senior Director, Enterprise Architecture at Oracle
  • Afternoon Keynote: IT Complexity Crisis; Danger and Opportunity, Roger Sessions CTO, Object Watch

Check out the conference agenda for more details on other sessions. I am looking forward to the conference.