Category Archives: General

Quick Scheduling

Are your partners, friends etc. in different places, without a common platform to let each other know their Yes/No for a meeting? You can use this web application to do it very easily. How secure it is I cannot comment on, but if these details are fine to be seen by others, this seems a very good option for doing just this.

http://doodle.com/

Disclaimer:- There might be other sites which help you do just this, but this is my suggestion. I am not saying that this is the best solution though.


Secured FTP – SFTP Vs. FTPS

I work with various protocols such as FTP, SFTP and FTPS, as my application interacts with other applications over these protocols for various integration needs. Recently I came across an interesting topic while evaluating protocols. The file transfer protocols FTP, SFTP and FTPS all came up for evaluation, and it sparked a debate as to which one should be included for secured FTP: SFTP or FTPS. To answer this I had to do a bit of research on the internet, and I did not have to write anything of my own for this post; I have simply borrowed content from various pages on the internet written by excellent authors. The references are given in the reference section at the bottom of the post.

While doing the research I managed to pull out some important points, which I would like to present below in a structured manner:

FTP protocol – has its roots in the year 1980

Disadvantages

  • Lack of a uniform format for directory listings (this problem has been partially solved by introducing the MLST command, but it is not supported by some servers).
  • Presence of a secondary connection (the DATA connection).
  • Standard FTP does not provide the security required in modern-day application integration, and this is the main reason for looking for other options to transfer data in a more secure fashion.
  • Even though the protocol is simple, it still is not very firewall friendly, because of the need to open two ports per session and, in one of the more efficient permutations, the need to open one of the ports inbound.

The two mainstream protocols available for secure FTP transfers are:

  • SFTP (SSH File Transfer Protocol – FTP over SSH) – Strictly speaking, SFTP has nothing to do with FTP or FTPS. It is called FTP over SSH because the FTP standard has been around for a long time and is popular for file transfer, so some people refer to SFTP as FTP over SSH.
  • FTPS (FTP over SSL/TLS)

Advantages (Both)

  • Offer a high level of protection since they implement strong algorithms such as AES and Triple DES to encrypt any data transferred. To be more precise, they use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish and so on), and a key-exchange algorithm.
  • Support a wide variety of functionality with a broad command set for transferring and working with files.

The notable differences between SFTP and FTPS lie in how connections are authenticated and managed.

SFTP (SSH File Transfer Protocol – FTP over SSH)

In General:

  • A connection is authenticated using different techniques. For basic authentication it requires just a user id and password to connect to the SFTP server. The important difference with respect to standard FTP is that any user ids and passwords supplied over the SFTP connection are encrypted.
  • SSH keys and fingerprinting can also be used to authenticate SFTP connections, in addition to or instead of passwords, whereas FTPS does not support this.
  • With respect to implementation, SFTP is a clear winner over FTPS, as it is more firewall friendly. It requires only a single port, port 22, to be opened through the firewall. This port is used for all SFTP communication, including the initial authentication, any commands issued, and any data transferred.

Pros:

  • Has good standards background that strictly defines most (if not all) aspects of operations
  • Has only one connection (no need for DATA connection)
  • The connection is always secured
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking, and more functionality

Cons:

  • The communication is binary and can’t be logged “as is” for human reading
  • SSH keys are harder to manage and validate
  • The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
  • No server-to-server copy and recursive directory removal operations
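The host-key fingerprinting mentioned under the SFTP authentication points above, and the con that SSH keys are harder to validate, come down to one check in practice: the partner publishes the server's host-key fingerprint out of band, and the client refuses to proceed unless the key the server presents hashes to that value. Added example in Python, not code from the original post or its references; the ssh-ed25519 key is constructed from fixed bytes and the host name is a placeholder.

```python
"""Check an SFTP server's SSH host key against a fingerprint obtained out of band."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def openssh_line(keytype: str, blob: bytes, comment: str = "") -> str:
    """Format a key blob in the OpenSSH one-line form: '<keytype> <base64> [comment]'."""
    return f"{keytype} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def parse_openssh_pubkey(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH key line (as printed by ssh-keyscan).

    The key type is also stored inside the blob; if it disagrees with the
    declared type the line is mangled or swapped and is rejected.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(line: str, pinned_fp: str) -> bool:
    """True only if the presented key's fingerprint equals the pinned one (constant-time compare)."""
    actual = fingerprint_sha256(parse_openssh_pubkey(line))
    return hmac.compare_digest(actual.encode("ascii"), pinned_fp.encode("ascii"))


# Constructed sample (not a real server's key): an ssh-ed25519 blob whose
# 32 key bytes are simply 0x00..0x1f. The host name is a placeholder.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = openssh_line("ssh-ed25519", SAMPLE_BLOB, "sftp.partner.example")

if __name__ == "__main__":
    pinned = fingerprint_sha256(SAMPLE_BLOB)  # in practice: the value your partner published
    print(pinned, host_key_matches(SAMPLE_LINE, pinned))
```

The same fingerprint is what `ssh-keygen -lf` prints for the key file, so the value can be compared by eye with the one the partner sent.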

FTPS (FTP over SSL/TLS)

In General:

  • With FTPS, a connection is authenticated using a user id, password and certificate(s). Like SFTP, the user ids and passwords for FTPS connections are also encrypted. When an FTPS client connects to an FTPS server, the client verifies whether the server’s certificate is trusted. The certificate is considered trusted if either it was signed by a known certificate authority (CA), like Verisign, or it was self-signed (by your partner) and you have a copy of their public certificate in your trusted key store.
  • FTPS can be very difficult to pass through a tightly secured firewall since FTPS uses multiple port numbers. The initial port (default 21) is used for authentication and for passing commands. However, every time a file transfer request (get, put) or directory listing request is made, another port needs to be opened. You and your trading partners will therefore have to open a range of ports in your firewalls to allow FTPS connections, which can be a security risk for your network.
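The trust decision described in the first point (known CA, or the partner's self-signed certificate in your own trust store) and the protection of the data connections can be coded with the standard library's ftplib and ssl modules. Added example, not code from the original post or its references; the host name and the partner certificate file are placeholders, and weak_context() only shows the unverified set-up that context_is_hardened() is meant to catch.

```python
"""FTPS (FTP over TLS) client set-up that verifies the server certificate and
encrypts the data channel, next to the weak defaults it replaces."""
import ssl
from ftplib import FTP_TLS
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """An unverified client: any certificate is accepted, so a man-in-the-middle
    presenting its own self-signed certificate is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_ftps_context(partner_cert_pem: Optional[str] = None) -> ssl.SSLContext:
    """Trust store for the two cases in the text: a certificate issued by a known
    CA (system trust store) or the partner's self-signed certificate, which is
    loaded as the only trust anchor. partner_cert_pem is a placeholder path."""
    if partner_cert_pem is None:
        ctx = ssl.create_default_context()             # system CAs, CERT_REQUIRED, hostname check
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
        ctx.load_verify_locations(cafile=partner_cert_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Start-up self-check: certificate required, host name checked, TLS 1.2 or newer."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect_ftps(host: str, user: str, password: str, ctx: ssl.SSLContext) -> FTP_TLS:
    """Explicit FTPS: plain connect on port 21, AUTH TLS, login, then PROT P.

    FTP_TLS() built without a context uses an unverified one, and even after
    AUTH TLS the DATA connections (listings, get, put) stay in clear text
    until prot_p() is sent, so both steps are made explicit here.
    """
    if not context_is_hardened(ctx):
        raise ValueError("refusing to connect with an unverified TLS context")
    ftps = FTP_TLS(context=ctx, timeout=30)
    ftps.connect(host, 21)
    ftps.auth()                 # upgrade the control channel before credentials are sent
    ftps.login(user, password)
    ftps.prot_p()               # encrypt the data channel as well
    return ftps


if __name__ == "__main__":
    # "ftps.partner.example" and the credentials are placeholders.
    session = connect_ftps("ftps.partner.example", "user", "secret", make_ftps_context())
    print(session.nlst())
    session.quit()
```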

Pros:

  • Widely known and used
  • The communication can be read and understood by humans
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks

Cons:

  • Doesn’t have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind firewalls
  • Doesn’t define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn’t have a standard way to get and change file and directory attributes

Summary/Conclusion

In summary, SFTP and FTPS are both very secure, with strong authentication options. In general, SFTP is technologically superior to FTPS. Since SFTP is much easier to pass through firewalls, and FTPS for the same reason (it needs a range of ports to be opened) poses additional security threats to the network, I believe SFTP is the clear winner in case you need a secure FTP for your application integration needs.

In our protocol evaluation, considering the above points, I feel we can go with SFTP for secured file transfer and omit FTPS. FTPS is omitted not because it is unsuitable, but because SFTP does the same things and is superior in many ways.

Reference

http://blog.goanywheremft.com/2011/10/20/sftp-ftps-secure-ftp-transfers/

http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329/FTPS-vs-SFTP-What-to-Choose.htm

https://www.eldos.com/sbb/articles/4672.php?page=all


Spring Framework Vs. JEE – Part III

This is my final blog on this topic, hopefully. Part I of the blog can be found here and Part II of this blog can be found here.

I do at times think that my blog title itself is misleading, or rather incorrect, as I do not feel there needs to be a comparison between the two: both can exist together in one application without any issues at all. In fact, if that is the case, we can use the best of both and be happy. But this debate has existed for a very long time, and nowadays Oracle also at times makes comments aimed at killing the Spring Framework (buy it and kill it to reduce competition, Oracle’s buying-spree logic) and going with standards. Being the creators and maintainers of the Java language they do have the right to promote JEE, but I feel they do not have to take such a stance, IMHO.

Full adoption by the community has made the language a standard. Similarly, when the Spring Framework came into existence it was indeed helping Java developers use Java and avoid the complexities of developing enterprise applications. In fact we have to give full credit to the Spring Framework for keeping the Java language alive and kicking. I have heard many times, even from my own managers, that Java is too heavy and not that good for application development when you compare it to .NET. Spring, to some extent, has been able to bring that ease to Java by taking the complexities away. Even now the comparison with .NET on ease of use may not be that close, but the community is ready to develop applications using Java. Again, for enterprise applications, comparing .NET and Java (JEE) is not that good an idea, for so many reasons. I do not want to stray too far off topic here.

As Kelly Tisdell mentions in his blog, JEE has definitely taken some pages out of the Spring book, added them to its big Java bible and spread the word that “Java is standard, so migrate to JEE from Spring to stay standard”. It does not say directly to stop using Spring, but it has that tone to it.

Even after taking those pages, developing an enterprise application from scratch using JEE does have its own complexities, and Spring does have that ease to it (subjective and debatable, perhaps, but that is what I feel). Most of the nicer features in Spring have now crept into JEE under different names and in a much more refined fashion (JEE has learned from mistakes and corrected them), and that is the reason developers have been prompted to think about this migration.

I wanted to put more facts in here rather than my opinions, but after so long I have indeed lost interest in filling in more details, and I thought I would just give my opinion and close this never-ending blog post. Apologies for the same.

In my opinion, Spring and JEE should marry each other, and an enterprise application should be developed taking the good points from both. I am in no way saying that JEE or Spring scores over the other, because both are really good platforms for developing your enterprise applications.


Spring Framework Vs. JEE – Part II

As promised, this is the second part of my blog. The first part of the blog can be accessed from here.

While writing this blog I browsed through various blogs on the same topic. As I said in my first blog, this really is a holy war, and over the coming months and years it will rage even harder.

I burst out laughing after reading one of the blogs, the link for which is given below:-

http://broadleaf.tumblr.com/post/31333966305/broadleaf-continues-to-choose-spring-framework

The point at which I burst out laughing was when the author stated the following:-

<quote>

…… Java EE 5 took a few pages out of Spring’s book and simplified the development of enterprise components with…….

</quote>

Yes, JEE sure did take some very crucial and important pages out of the Spring book, because of which it is becoming superior day by day, if not by a huge margin. Spring, with full support from its community, is not far behind and, with its foundation in place, is building up components one after another. It is also adding more and more support for open source libraries with the ever-growing set of sub-projects under the Spring Framework umbrella.

Also, it is now slowly becoming the norm, when considering a new open source library for development, to see how strongly it can be integrated into Spring and how seamlessly Spring configuration can be used. In my web service framework comparison, you would not believe it, this was considered one of the requirements, and it is a bonus for any open source project to state that “it can be integrated into Spring” with a few lines of Java or XML configuration.

Spring has an edge by keeping itself open for good open source libraries to plug in at any time, and by allowing these libraries to be replaced with a new one by mere configuration (at least theoretically possible… :)). Java is theoretically “write once, run anywhere”, but is it truly that easy for a production application to move from one environment to a new one… Hmmm… I don’t think so… 🙂

I am sort of exhausted already writing this blog. I will have to keep you all in some suspense and put everything else that I plan to write into a new blog part. Hold on tight; I am sure I will not make you unhappy. Expect the third part in another 3 days’ time. It is the weekend here and I am really looking forward to it in a big way.


Spring Framework Vs. JEE – Part I

Am I playing with fire here? Perhaps yes.

As many say, this truly classifies as a holy war for predominance and will surely stir some dirty stuff into the air.

One of my colleagues recently came to me and we had a small debate as to why our organization selected Spring over JEE. He was very much in favor of JEE, especially JEE 6.

Some time back (more than a year ago) we had an exercise in which the task was to choose an organization-wide Java framework. As you guessed, we did have the Spring Framework and JEE as strong candidates. Our approach was really methodical, and a methodology devised internally in the organization was used.

In this methodology the two candidates were put to the test. First of all, various architecture quality attributes were put in, such as performance, scalability, testability etc., and then the various requirements under these attributes were classified and grouped together. Once we had that, we got the various stakeholders involved, got their buy-in and their stand on the overall acceptance of these quality attributes, and ranked them. We then went on with a POC (proof of concept), and each requirement was rated against each of the chosen frameworks.

Finally, after a grueling exercise of rating each requirement for each framework, a final rating came out which gave a good indication as to which quality attributes favored each framework and, according to the stakeholders, which one to choose out of the two. The choice was made and there was no surprise: it was the Spring Framework.

For our company the chosen default framework is now Spring, and if anything else is taken, it goes as an exception.

For me, when I say that I use the Spring Framework, it does not in any way mean that I do not use JEE. They are not mutually exclusive; rather, when combined together, they give an immense advantage to the project you are developing. We do use Spring as our framework of choice, but we have not thrown JEE out of the window in any sense; rather, when the right time comes, another evaluation as detailed above will be done to assess the situation further. Until then I feel choosing Spring as the default framework is a good one in all aspects.

In my next blog I will try to give some of the major points which made us choose Spring as the default framework of choice for developing any application within the organization.

Earlier I have done a couple of comparisons, as detailed below:-

Spring Integration Vs. Apache Camel

Web Service Framework Comparison – 2013 – Part I

Web Service Framework Comparison – 2013 – Part II


Spring Professional Certification Exam

With the Spring Framework gaining recognition day by day, getting certified will be one of the most valuable credentials in Java.

Can I write this exam?

One of the pre-requisites for writing this exam is to have taken the Core Spring training from SpringSource. If that is the case, why should we have a book which also aims at helping readers prepare for the SpringSource certification? Earlier there was an alternative called the “grandfathered” candidate, whereby an individual whose proficiency was evaluated as adequate by SpringSource could bypass the training and get the exam voucher. While writing this book, I could read from the SpringSource website that this is no longer applicable. Even after the training, I feel there is much more required to actually pass the exam and get a good score in the certification. The class manual is too easy and does not cover edge cases, so it clearly is not sufficient. This book also goes into the details of each objective on which the exam is based.

How many questions?

There are a total of 50 questions to be answered. The questions are organized by the subject areas detailed in the exam certification study guide provided by SpringSource.

Following that philosophy, here is the distribution for Spring 3 as per Jeanne Boyarsky’s Spring 3.X Certification Experiences (http://www.selikoff.net/2010/08/20/jeannes-core-spring-3-certification-experiences/):

  • Container and test (20)
  • AOP (10)
  • JDBC (3)
  • Transactions (4)
  • Web (2)
  • REST (2)
  • Remoting  (2)
  • Security (2)
  • JMS (2)
  • JMX (2)

How much time do I get to write this exam?

You get a total of 90 minutes to complete the exam, including reading the rules. Most people will not find this a problem, because usually the questions are not tricky, long or complicated.

What are the questions like?

The questions are aimed at testing the candidate’s depth and actual working knowledge of the Spring Framework. Each question has four answer choices. Even though it is multiple choice, you cannot assume that you need to choose only one right answer. The types of question are as follows:-

  • Select one answer
  • Select X answers
  • Select one or more answers (Very hard and tricky)
  • Select the one that is not correct (make sure that you read the question carefully so as not to fall into the wrong selection)

Most of the questions are at a fairly high level, with a few detailed ones. Usually the exam does not stray from the course or study guide.

How many questions do I have to answer correctly?

The passing score for the exam is 76%. This boils down to 38 correct answers out of 50 questions. At the time of writing this book, all questions were equally scored, so 38/50 would give you the passing score for the exam.

How much does it cost?

In the case of the Spring certification it is very tricky. As mentioned earlier, the pre-requisite for taking this exam is the Core Spring training from SpringSource. Its cost varies according to various factors, so it would not be a good idea to give an exact figure for the certification exam. If you have taken the training, you get a voucher containing one free attempt at the certification test. Retakes are usually $150; I think that would be one of the reasons you need this book.

How can I register for the exam?

Once you get the exam voucher, you can register at any certified Spring certification center. The exam can be taken at one of over 4500 worldwide testing facilities (http://www.pearsonvue.com/springsource/).

Exam resources available

You can get various resources which will be of help to you from the Spring certification guide (http://www.springsource.com/files/core-spring-3.0-certification-study-guide_0.pdf) itself. Some very good links and resource locations are given below:

Spring Certification Path

Figure 1: SpringSource Developer Certification Path (image not reproduced here)


Post-Redirect-Get Pattern in JSF

Recently I wrote a blog on how to implement the PRG pattern in your Spring MVC web application here. In this blog I would explain implementing this pattern in your JSF-based web applications. I think this can be used with any JSF implementation, like RichFaces, MyFaces etc.

Having said that, for me writing this blog post is very easy, as I am not going to write it myself. Rather I would direct you to a well-written blog on the same topic by Ed Burns at the URL below:-

https://blogs.oracle.com/enterprisetechtips/entry/post_redirect_get_and_jsf

For AJAX-based submissions there should not be any issues, because these requests are submitted by JavaScript.

Ed is currently the co-spec lead for JavaServer Faces. He is the coauthor of JavaServer Faces: The Complete Reference and the author of Secrets of the Rockstar Programmers. He is also the coauthor of the upcoming book JavaServer Faces 2.0: The Complete Reference.

I wrote this blog so that I cover the two most used web application frameworks with respect to this pattern and its implementation.
