users@glassfish.java.net

[gf-users] Re: Java EE 7 Hands-on-Lab Updated (for You to Use)

From: Markus Karg <karg_at_quipsy.de>
Date: Mon, 16 Mar 2015 08:37:53 +0100

This is ridiculous. In many real-world projects it is simply impossible to get deep dependency chains right, and when using Maven correctly, it will solve that issue for you completely. Maven does not induce ANY security problem when used right. But it will fail when used wrong -- just as any other tool would.

Maybe you would like to discuss this directly with the Maven team on the Maven mailing list, as they can then explain how to use it correctly? :-)

Regards
-Markus

-----Original Message-----
From: Andreas Junius [mailto:andreas.junius_at_gmail.com]
Sent: Sunday, 15 March 2015 06:06
To: users_at_glassfish.java.net
Subject: [gf-users] Re: Java EE 7 Hands-on-Lab Updated (for You to Use)

Without starting an anti-Maven campaign - Wayne is bloody right. I personally use Ant only, because it at least forces me to think about what to add and where to get it from first.
Security issues are definitely going to be a major topic - anyone reading the news should agree with that. It's high time that security becomes part of JEE, not just something that every JEE compliant server implements in a different way. But that's a different topic.

Security considerations should definitely be part of the tutorial. If it is not covered, bad habits will develop until it's too late. I know there are books out there for that; I recently bought Oracle's Iron-Clad Java. But it should be part of every tutorial.

Andy

On 15/03/15 15:11, Wayne Pollock wrote:
> On 3/14/2015 10:14 PM, Arun Gupta wrote:
>> Wayne,
>>
>> See in line ...
>>
>> On Sat, Mar 14, 2015 at 4:06 PM, Wayne Pollock <pollock_at_acm.org> wrote:
>>> ...
>>> Maven scares me. As far as I can tell from the Google searching
>>> I've done, the Maven central repository consists of unsigned contributed code.
>>> The maven tool automatically downloads, installs, and runs such
>>> code. I can't imagine how much longer it will be, before malware
>>> makes its way into developers' PCs, and ultimately to servers, using
>>> maven as an attack vector.
>>
>> Maven is indeed scary, but a pragmatic reality. So we all have to get
>> used to it :)
>
> I don't agree with that. I can imagine legal liability issues if you
> use Maven on a production server, knowing its security holes exist.
>
> I know there are alternatives such as ant tasks. (Those aren't signed
> either, but at least you must manually download and install them, so
> you have a chance to examine them for malware before use.)
>
> In any case, I don't like telling students that "Java EE is all
> hand-waving, GUI and/or "mvn deploy" commands, and never mind
> understanding it all; just click here, then click there, and that's
> Java EE programming."
>
>>
>> Have you looked at https://github.com/javaee-samples/javaee7-samples
>> that shows Hello World samples for different Java EE 7 technologies?
>> They can run against WildFly or GlassFish.
>>
>> There is also https://github.com/javaee-samples/javaee7-simple-sample
>> that is a simple sample to showcase different Java EE 7 technologies.
>>
>
> I have. They too use Maven.
>
>>> ...
>
>> Have you looked at
>> http://www.mastertheboss.com/jboss-server/wildfly-8/maven-configuration-for-java-ee-7-projects-on-wildfly?
>>
>>
>
> I have. I like the site MasterTheBoss.com, but all the tutorials
> there use Maven, Eclipse, or NetBeans. I don't mind that, really; I use Eclipse myself.
>
> But I do like explanations on what the tools are doing so one can
> visualize the sub-tasks, trouble-shoot setups, transfer the knowledge
> to a new toolset (and we all know that sooner or later, there will be
> new tools!), and roll-your-own deployment scripts if you want. I like
> to examine downloaded WAR files in 7-zip, and assess their quality.
> Without understanding of manifest files, I would never have found the cause of the GF 4.01 bugs.
>
> I believe these skills are important, if not for the beginner to have,
> at least important for a beginner to know about. That's why I would
> like at least a Hello, World that used basic deployment and
> compilation tools, and comments in other tutorials about what has been
> left out for clarity, with pointers to, say, the CERT/Oracle secure coding website.
>
> (FYI, I have a Java code signing demo and tutorial at
> <http://wpollock.com/AJava/SignedCodeDemo/>, if anyone is interested.
> Given Oracle's directions, learning code signing is important. (And
> no, I'm not interested in any tutorial that just states "use mvn
> sign". :-)
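The thread above argues about whether code pulled from a Maven repository can be trusted. As an added example (not code from this list, from Maven, or from any of the posters), the script below audits a local Maven-style repository tree the way a cautious developer might before deploying: for every .jar and .pom it looks for the checksum sidecar files that Maven repositories publish next to each artifact (.sha1, .md5, and on newer deployments .sha256), recomputes the digest, and reports intact, tampered, and unverifiable files separately. The directory layout mirrors Maven's groupId/artifactId/version convention, but the artifact bytes, the group `org.example`, and the helper names (`run_demo`, `build_sample_repository`) are constructed for this illustration and are not real artifacts.

```python
"""Audit a local Maven-repository tree: check each artifact against the
checksum sidecar files (.sha1/.md5/.sha256) that Maven repositories publish
next to it. Added example for this thread, not code from the list or from
the Maven project; the repository layout and artifact bytes are constructed
inline so it runs offline."""
import hashlib
import tempfile
from pathlib import Path

# Sidecar extension -> hashlib algorithm name. Central publishes .sha1 and .md5
# for every file; newer deployments also carry .sha256/.sha512.
CHECKSUM_SIDECARS = {".sha1": "sha1", ".sha256": "sha256", ".md5": "md5"}
ARTIFACT_SUFFIXES = (".jar", ".pom")


def file_digest(path: Path, algo: str) -> str:
    """Hex digest of a file, streamed so large jars do not load into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sidecar(sidecar: Path) -> str:
    """Sidecars hold either a bare hex digest or '<digest>  <filename>'."""
    return sidecar.read_text().split()[0].lower()


def verify_artifact(artifact: Path) -> str:
    """Classify one artifact: 'ok', 'mismatch', or 'unverified' (no sidecar)."""
    seen = False
    for ext, algo in CHECKSUM_SIDECARS.items():
        sidecar = artifact.with_name(artifact.name + ext)
        if not sidecar.is_file():
            continue
        seen = True
        if file_digest(artifact, algo) != read_sidecar(sidecar):
            return "mismatch"
    return "ok" if seen else "unverified"


def audit_repository(root: Path) -> dict:
    """Map each artifact's repo-relative path to its verification status."""
    return {
        p.relative_to(root).as_posix(): verify_artifact(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in ARTIFACT_SUFFIXES
    }


def build_sample_repository(root: Path) -> None:
    """Constructed data (not real artifacts): three cases an audit must tell apart."""
    def put(rel: str, data: bytes, with_sha1: bool = True) -> Path:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        if with_sha1:
            p.with_name(p.name + ".sha1").write_text(file_digest(p, "sha1") + "\n")
        return p

    # 1. Intact: bytes match the published checksum.
    put("org/example/lib/1.0/lib-1.0.jar", b"PK\x03\x04 intact jar bytes")
    # 2. Tampered: checksum was published for the original, then the jar changed
    #    (what a swapped file on a mirror or in a proxy cache looks like).
    evil = put("org/example/lib/1.1/lib-1.1.jar", b"PK\x03\x04 original bytes")
    evil.write_bytes(b"PK\x03\x04 original bytes + trojan class")
    # 3. No checksum at all: cannot be verified either way.
    put("org/example/lib/1.2/lib-1.2.pom", b"<project/>", with_sha1=False)


def run_demo() -> dict:
    """Build the sample repo in a temp dir, audit it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repository(root)
        return audit_repository(root)


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:10s} {path}")
```

Two caveats a practitioner should keep in mind. First, Maven already compares the .sha1 sidecar on download, but its default checksumPolicy only warns; pass `mvn -C` (`--strict-checksums`) if a mismatch should fail the build. Second, a checksum published beside the artifact on the same server proves integrity in transit and catches a tampered proxy cache, not who built the artifact: for authenticity you have to verify the detached PGP signature (the `.asc` file) against a key you have independently decided to trust, which is the step that corresponds to the code-signing discipline Wayne describes for the JAR itself.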