Saturday, March 25, 2006

SSL Protocol

    This is a simple informational posting. Since I am reading Java security, I thought I'd share some information about SSL with readers of this blog.

    SSL or Secure Sockets Layer is a layer above regular TCP/IP sockets which is used to encrypt and decrypt all data exchanged between the sockets. SSL is used for several reasons;
    - To ensure that the client and server know exactly who they are talking with.
    - To ensure the integrity of data that is exchanged.
    - To ensure that an eavesdropper cannot access the data while it is transmitted.

    Before the data exchange can actually begin, the client and server must establish an SSL connection using the following steps.
    1. The client send the server it's SSL version number, and cipher settings.
    2. The server send the client it's SSL version number, cipher settings, and it's public key certificate.
    3. The client authenticates the server using the certificate. After successful authentication the client generates a premaster secret, encrypts it with the servers public key and send it to the server.
    4. The server decrypts the premaster secret and generates a master secret.
    5. Both client and server generate session keys from the master secret. These will be used henceforth to encrypt and decrypt data that is exchanged.
    6. The client sends a message to the server saying that all future data will be encrypted with the session key, and also indicates that the client portion of the handshake is complete.
    7. The server sends a message to the client saying that all future data will be encrypted with the session key and also indicates that it's portion of the handshake is complete.
    8. The actual data exchange can now begin.

    In the above steps I have assumed that the server does not need to authenticate the client. If it does, then the client will also have to give it's certificate to the server using which the server will authenticate the client.

    Hope this posting was useful to either refresh your memory on SSL or to get a fundamental understanding if you did not already know what SSL was.

Thursday, March 23, 2006

Maybe We Do Need An MVC Framework

A few days ago I wrote on the disadvantages of using an MVC framework in a web based project. The main points of contention were that it takes time to learn a framework and sometimes we have to learn different different frameworks for different clients, each adding to the learning curve. At times we have to understand the entire framework just to use a part of it.

However upon further deliberation I think that we cannot obviate the need for a framework. Even if we choose not to use an available framework, we will still have to write code to provide the functionality. Over time that code will evolve into our own home grown framework. The time we will have to invest in creating and maintaining the code will be way more than the time it will take to learn something like Struts. I think frameworks are here to stay. But there might be a shift to light weight frameworks that allow us to extend them by adding components. More about that later!

Wednesday, March 22, 2006

Why Java Does Not Support Uninitialized Local Variables

In Java a local variable has to be initialized before it can be used. I always thought the reason for imposing this rule was to ensure that variables are never used with junk values if a programmer forgets to initialize them. This would result in runtime bugs. However while reading "Java Security - Scott Oaks" I realized that there is a also a security concern in allowing usage of initialized variables. A rogue programmer could create a very large uninitialized variable and then inspect the contents of it's memory location. Such an operation could compromise the security of the machine on which the program (applet) is being run.

Tuesday, March 21, 2006

Java Web Frameworks

Java source dot net lists 38 Java web frameworks. Check it yourself at their website. I do not know if all of them are of production quality, but still 38 is way too many web frameworks. Many of these frameworks have been created by people who got frustrated with the current set of frameworks. I think I am begining to get frustrated with the sheer volume of what is available. Maybe having too many choices is'nt always a good thing.

Sunday, March 19, 2006

MVC and AJAX

Most web based J2EE application use an MVC framework like Struts, Velocity, Spring, etc. All these frameworks provide a Controller which intercepts requests from the client and determines the model element to invoke. Will this change once AJAX becomes more widely adopted? When we use AJAX, all requests first go to the AJAX engine which in turn makes an HTTP request to the server. The response is monitored by a callback function which acts upon the response when it is recieved.

A reason why an alternative architecture may emerge, is because of the shortcomings of using an MVC framework. Despite of the advantages that are promised by some of these frameworks, they do have many strings attached. Once you use a framework, you have to do things *their* way. They very often influence the application's architecture also. Making the architecture flexible enough to replace the framework has to be done by creating a layer of abstraction between the application and the framework. This adds to the complexity and cost of the application. Most MVC frameworks cannot be used without a rather steep learning curve. This problem is even more pronounced when a team has to invest time in learning different frameworks for different clients. I have known people to take as much as a month to get comfortable with Struts, which is quite a huge time investment.

However frameworks do have their advantages also, which is why they are probably so popular. The biggest advantage is reusing the plumbing code of the framework, and declarative programming which most frameworks support. Declarative programming however has it's own drawbacks. As the application grows in size the configuration files tend to become very unwieldy.

Frameworks are not necessarily bad. I think a balance has to be created between using a framework and creating our own code. Perhaps light weight frameworks will work best. I used a big time user of frameworks, but over the years I have realized that the productivity benefit of the plumbing code comes at the cost of a steep learning curve. This is particularly painful when we have to undergo the learning curve of an entire framework for using just a part of it.

An architecture that might emerge is one in which the Controller resides on the client (written in Javascript) as opposed to the server. It receives the request from the AJAX engine and determines the appropriate webservice to invoke. The webservice returns an XML to which an XSL is applied and the result is displayed in the browser. Such an architecture removes the need of complex MVC frameworks and uses a simple controller written in Javascript.

I am not sure if a light weight, client side MVC framework is what will be used in the future, but I do think there are advantages to such a design. I would like to know what people think. Based on the comments I will discuss pros and cons of such a design in the next few posts.

Tuesday, March 14, 2006

Performance Anti Patterns

Some time back Frank Sommers wrote a blog on Artima.com in which he highlighted some software performance Anti Patterns. A few developers also added to the list from their experience. Below are some of the points mentioned in the Blog.
- Not thinking of performance (at all) during development
- Measuring and comparing the wrong things
- Algorithmic antipathy
- Reusing (old) software
- Iterating too much
- Focusing on what you can see, rather than what the real problem is
- Layering too much software on each other
- Too many threads (improperly used threads)
- Premature optimization
- Overuse of IO operations or ignoring those that are being used
- Not having an execution flow model, only a component view
- Incorrect use of Exceptions
- XML overuse (or improper use)
- Improper understanding of sw/hw configuration parameters
- Bad string handling
- Imbalanced use of database processing and high level language processing
You can read the blog on Artima's website.

Tuesday, March 07, 2006

Installed Ubuntu Linux

Yesterday I installed Ubuntu Linux on an old Samsung V25 laptop. The installation process was pretty smooth, except for the blinking screen. The screen resolution selector did not show the resolution of my machine (1024x768), so I selected the closest match of 1200x800. Rest was smooth, Ubuntu installed properly with a few post installation hiccups.
- The GUI started with a screen resolution of 640x480. The screen resolution preferences box from the admin menu did not have any other option. That was a let down. However after some Googling I found out that I could get the original resolution of my monitor by tweaking the refresh rates in /etc/X11/xorg.conf. I added two lines in the 'monitor' section -
HorizSync 31,5-48,5
VertRefresh 40-70
This did the trick. The resolution was perfect.

-This version 5.10 had proper ACPI support, which the previous version 5.04 lacked. However when I unplugged the power cable the icon in the tool bar took about 5-10 seconds to change to battery power. The screen dimmed immediately, which was good. The battery icon once displayed, showed the proper available battery power.

-The mouse moved too fast. I reduced the acceleration and increased the sensitivity slightly to make the mouse move at a speed, that I was comfortable with.