users@glassfish.java.net

[gf-users] Re: Java EE 7 Hands-on-Lab Updated (for You to Use)

From: Pollock, Wayne <wpollock_at_hccfl.edu>
Date: Sun, 15 Mar 2015 04:06:32 +0000

On 3/14/2015 9:02 PM, Reza Rahman wrote:
> As a suggestion, why not create a (mostly) tool free Java EE hello world tutorial of your own? If you (or anyone else) wrote something like that up, I'd be happy to help get it out there - I think many people might find it at least an intellectually compelling exercise.

I did, years ago. It remains one of my more popular web pages:

<http://wpollock.com/AJava/WAR/myServletWAR.htm>

(I especially like how little has changed since I wrote it; GUIs and
deployment tools come and go, but a WAR file is still just a WAR file.)

If anyone thinks this can be polished up sufficiently to be hosted at
java.net, I would be happy to try; suggestions and help welcome.

> I personally think there's actually quite a bit of good material out there already as to secure Java EE/web application coding practices, but even more of that I suppose can't hurt.
> Realistically these are out of scope for the very, very basic API tutorial the lab very clearly is. For example the security practices part would be much better handled in a bit more of an advanced project like the one we have in CargoTracker.java.net.
>

I agree. However, without any mention of that in the basic tutorials, how
would a beginner know what they see is not a best practice? Even basic tutorials
can state something to the effect of "Note, secure coding practices have been
omitted, to clarify the example of Java EE. See some-URL for more information."
I don't believe adding such a statement would confuse the target audience.

> Finally as to reported GlassFish bugs, I would say wait just a bit longer. We will be actively working on a GlassFish 5/Java EE 8 branch soon and I'm sure bugs will be triaged appropriately. In the meanwhile, feel free to point out any specific ones I should follow up on internally right now.
>

Thank you for that. It was frustrating not to hear anything, not even,
"I don't have that issue", or "We'll look at it later". (Even "You're
a moron, don't post here anymore" would have been welcome. :-)

However, the moderator has deleted my bug report. I will email you
directly (off-list) a copy of the report. (I have posted on this
forum previously, 10/26/2014, but again did not receive any feedback;
perhaps a moderator deleted that report, as well as a few follow-up
posts I made.)

> Sent from my iPhone
>
>> On Mar 14, 2015, at 7:06 PM, Wayne Pollock <pollock_at_acm.org> wrote:
>>
>> It is a fine idea, well implemented. Yet, I do have concerns I'd like
>> to discuss.
>>
>> Too many of these tutorials rely on GUIs and/or maven. The result is
>> a lack of understanding of the underlying processes. I would like to
>> see *just one* "Hello EE world" tutorial that describes compiling and
>> deploying a WAR using nothing but javac and jar. Once the basics of
>> how EE works (the directory structure of a WAR, the proper setting of
>> CLASSPATH, etc.) are done, *then* is the time to go on to teaching the
>> Java EE technologies using automation and GUIs, if you wish.
>>
>> Maven scares me. As far as I can tell from the Google searching I've
>> done, the Maven central repository consists of unsigned contributed code.
>> The maven tool automatically downloads, installs, and runs such code. I
>> can't imagine how much longer it will be, before malware makes its way
>> into developers' PCs, and ultimately to servers, using maven as an
>> attack vector.
>>
>> Glassfish 4.1 scares me. I have reported the problem with it many times,
>> to a deafening silence. It contains bad/corrupted jars in the official
>> distribution, both from Oracle and from java.net. You can't see the
>> errors if you build using a GUI such as Netbeans, or using ant or maven.
>> But, add the javaee.jar to your CLASSPATH, and compile anything such as:
>>
>> class Foo {}
>>
>> with:
>>
>> javac -Xlint:all Foo.java
>>
>> and you will get about 20 warning messages about bad or missing
>> jar files. (I did make a bug report on this as well.) I am
>> currently switching my Java classes to use Wildfly. It's hard
>> because, like all Java EE servers, the Wildfly docs make no mention
>> of how to build code without using maven or some GUI IDE. They don't
>> seem to come with a javaee.jar, or equivalent.
>>
>> The new paradigm is "Devops". Developers need to understand something
>> about deployment, instrumenting code, logging, etc., in addition to
>> understanding CDI or Java messaging. They need to know how to design
>> file formats and message formats; many real-world enterprise
>> applications do use files along with databases. Your tutorial
>> should also address these issues, if possible.
>>
>> Finally, I would like tutorials to show correct security coding
>> practices, such as the proper normalization, sanitization, and
>> validation of external (untrusted, or "tainted") data. It's scary
>> that even today, the #1 vulnerability is SQL injections. Yet, try
>> to find any Java EE tutorials that do this, or any textbooks either.
>> I haven't found any. No wonder each new generation of programmers
>> makes the same errors.
>>
>> Thanks for the opportunity to vent a bit. Hopefully, you'll find
>> my arguments have at least a little bit of merit. If so, you don't
>> need to change the code; just add some comments here and there about
>> what was left out for the sake of clarity, with some pointers to
>> more information. As I said in the beginning, this is a good
>> tutorial and well implemented. I just think it can be improved to
>> give students a deeper understanding of Java EE development and
>> deployment, and of security best practices.
>>
>> --
>> Wayne Pollock
>>
>>> On 3/13/2015 6:10 PM, Reza Rahman wrote:
>>> Folks,
>>>
>>> Many of you are probably already familiar with the official Java EE 7 Hands-on-Lab
>>> (https://glassfish.java.net/hol/). It is an excellent learning resource initiated
>>> by Arun Gupta while still at Oracle. I just finished successfully delivering the lab
>>> once again at DevNexus 2015. In preparation for DevNexus and beyond I made a few
>>> updates/changes:
>>>
>>> * I tried to make the lab entirely self-directed and self-paced for attendees by
>>> removing as many possible stumbling blocks (however minor) as possible.
>>> * I updated the lab to use GlassFish 4.1 and NetBeans 8.0.2.
>>> * I polished up the code to make it as realistic as possible within the scope of a
>>> simple lab.
>>>
>>> The first bullet point above is what I would really like to bring your attention to.
>>> Every time I have run this lab I've tried to execute it such that it requires bare
>>> minimum or no involvement from me and in fact I believe I've succeeded in doing just
>>> that. The reason this really matters is that I think this lab material has much
>>> greater potential than just something else our team does at conferences. I believe
>>> that the lab is now in a state such that anyone can go through the lab entirely on
>>> their own, by just using the public HOL page. More importantly I think it is possible
>>> with very little effort for someone to lead the lab in their user group or company. I
>>> highly encourage you to do so if you have an interest in supporting the Java EE
>>> community. If needed, our team could provide any help that you may need (such as
>>> being present virtually or working with you one-on-one to get you prepared). I've
>>> supplied all the resources that you should need on the public HOL page.
>>>
>>> Do drop me a note off alias if you have any feedback on this, if there's anything
>>> that I can improve with the lab or if you need any help. For sake of completeness, I
>>> should mention that Arun also now has his own version of the lab
>>> (https://github.com/javaee-samples/javaee7-hol) that you should also take a look at
>>> if time permits.
>>>
>>> Cheers,
>>> Reza | Java EE Evangelist
>>> Cell: 267-798-9331
>>> Home Office: 215-736-1208
>>> Google/Skype: m.reza.rahman
>>> Twitter: @reza_rahman
>>> https://blogs.oracle.com/theaquarium/
>>> https://blogs.oracle.com/reza/
>>> https://cargotracker.java.net
>>>
>>> P.S.: In this same vein I'd like to point out that I've added detailed speaker notes
>>> to my version of our current flagship Java EE 8 talk:
>>> http://www.slideshare.net/reza_rahman/javaee8 (PowerPoint source available for
>>> download). Making use of this, you could deliver this talk yourself. As an example,
>>> Hanneli Tavante did this at ConFoo and Josh Juneau will be doing that soon at the
>>> Chicago Coder Conference. Of course talks are highly personal and I don't expect that
>>> anyone will just use my deck as-is (in fact neither Hanneli nor Josh are doing that).