users@glassfish.java.net

[gf-users] Re: Java EE 7 Hands-on-Lab Updated (for You to Use)

From: Andreas Junius <andreas.junius_at_gmail.com>
Date: Sun, 15 Mar 2015 15:36:29 +1030

Without starting an anti-maven campaign - Wayne is bloody right. I
personally use ant only, because it forces me at least to think about what
to add and where to get it first.
Security issues are definitely going to be a major topic - anyone
reading the news should agree with that. It's high time that security
becomes part of JEE, not just something that every JEE compliant server
implements in a different way. But that's a different topic.

Security considerations should definitely be part of the tutorial. If it
is not covered, bad habits will develop until it's too late. I know
there are books out there for that; I recently bought Oracle's Iron-Clad
Java. But it should be part of every tutorial.

Andy

On 15/03/15 15:11, Wayne Pollock wrote:
> On 3/14/2015 10:14 PM, Arun Gupta wrote:
>> Wayne,
>>
>> See in line ...
>>
>> On Sat, Mar 14, 2015 at 4:06 PM, Wayne Pollock <pollock_at_acm.org> wrote:
>>> ...
>>> Maven scares me. As far as I can tell from the Google searching I've
>>> done, the Maven central repository consists of unsigned contributed code.
>>> The maven tool automatically downloads, installs, and runs such code. I
>>> can't imagine how much longer it will be, before malware makes its way
>>> into developers' PCs, and ultimately to servers, using maven as an
>>> attack vector.
>>
>> Maven is indeed scary, but a pragmatic reality. So we all have to get
>> used to it :)
>
> I don't agree with that. I can imagine legal liability issues if you
> use Maven on a production server, knowing its security holes exist.
>
> I know there are alternatives such as ant tasks. (Those aren't signed
> either, but at least you must manually download and install them, so
> you have a chance to examine them for malware before use.)
>
> In any case, I don't like telling students that "Java EE is all
> hand-waving, GUI and/or "mvn deploy" commands, and never mind
> understanding it all; just click here, then click there, and that's
> Java EE programming."
>
>>
>> Have you looked at https://github.com/javaee-samples/javaee7-samples
>> that shows Hello World samples for different Java EE 7 technologies?
>> They can run against WildFly or GlassFish.
>>
>> There is also https://github.com/javaee-samples/javaee7-simple-sample
>> that is a simple sample to showcase different Java EE 7 technologies.
>>
>
> I have. They too use Maven.
>
>>> ...
>
>> Have you looked at
>> http://www.mastertheboss.com/jboss-server/wildfly-8/maven-configuration-for-java-ee-7-projects-on-wildfly?
>>
>>
>
> I have. I like the site MasterTheBoss.com, but all the tutorials there use
> Maven, Eclipse, or Netbeans. I don't mind that really, I use Eclipse myself.
>
> But I do like explanations on what the tools are doing so one can visualize
> the sub-tasks, trouble-shoot setups, transfer the knowledge to a new
> toolset (and we all know that sooner or later, there will be new tools!),
> and roll-your-own deployment scripts if you want. I like to examine downloaded
> WAR files in 7-zip, and assess their quality. Without understanding of
> manifest files, I would never have found the cause of the GF 4.01 bugs.
>
> I believe these skills are important, if not for the beginner to have, at
> least important for a beginner to know about. That's why I would like at
> least a Hello, World that used basic deployment and compilation tools,
> and comments in other tutorials about what has been left out for clarity,
> with pointers to, say, the CERT/Oracle secure coding website.
>
> (FYI, I have a Java code signing demo and tutorial at
> <http://wpollock.com/AJava/SignedCodeDemo/>, if anyone is interested.
> Given Oracle's directions, learning code signing is important. (And
> no, I'm not interested in any tutorial that just states
> "use mvn sign". :-)
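Wayne's point about manually downloaded ant tasks is that you get a chance to check an artifact before it ever runs, and Andreas's point is that a tutorial should show that step rather than leave it out. The script below is an added example, not code from this thread, from Wayne's tutorial, or from any of the linked projects: it verifies a downloaded JAR against a SHA-256 value obtained out-of-band (for instance from the project's release page) before the file is dropped into a build's classpath. The demo file, its contents and the tampering step are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded build artifact against a checksum you
# obtained separately, so a swapped or corrupted JAR is caught before use.

sha256_of() {
  # Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches EXPECTED_SHA256, 1 otherwise.
verify_artifact() {
  file=$1
  expected=$2
  if [ ! -f "$file" ]; then
    echo "missing: $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Demo on a constructed file: record the hash of a fake JAR, then tamper
# with it and confirm the check now fails. Returns 0 if both outcomes are
# as expected.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed-jar-contents' > "$tmp/lib.jar"
  good=$(sha256_of "$tmp/lib.jar")
  if verify_artifact "$tmp/lib.jar" "$good"; then r1=0; else r1=1; fi
  printf 'x' >> "$tmp/lib.jar"            # simulate a modified download
  if verify_artifact "$tmp/lib.jar" "$good"; then r2=0; else r2=1; fi
  rm -rf "$tmp"
  [ "$r1" -eq 0 ] && [ "$r2" -ne 0 ]
}
```

A checksum only tells you the bytes are the ones the publisher listed; it says nothing about who the publisher is. For a JAR that has actually been signed, the next step is `jarsigner -verify -verbose lib.jar` from the JDK, which checks the signature blocks inside the archive and reports which certificate signed it; that is the step a "use mvn sign" instruction glosses over.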