Feature in JSF 2.0 (EE 6) GitHub JsfApplicationJboss.
I'm dedicated agile security architect/system architect/developer with specialty of open source framework.
October 28, 2018
Using JAAS in Tomcat Example
JAAS is part of the Java SE since Java 5, so choosing that API, when you want to deploy to only a web container, such as Tomcat or Jetty, is a good choice.
/META-INF/context.xml. See where best to put your configuration How to handle Configuration in Tomcat with Context
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="BytesLoungeLogin"
userClassNames="com.byteslounge.jaas.UserPrincipal"
roleClassNames="com.byteslounge.jaas.RolePrincipal" />
</Context>
$CATALINA_BASE/conf/jaas.config
BytesLoungeLogin {
com.byteslounge.jaas.BytesLoungeLoginModule required debug=true;
};
And starting
JAVA_OPTS=$JAVA_OPTS "-Djava.security.auth.login.config==$CATALINA_BASE/conf/jaas.config"
Scanning Your System with OpenSCAP
With SCAP and a good policy you can centrally scan your system and verify that they are properly secured and get a nice automatically report at the end.
Resource
Java Smart Card APDU Commands
Almost all smart card are Java Smart Card based. You can manage smart card via the Java Smart Card SDK, but you can also access the card via standard Java SE and javax.smartcardio API.To do that you need to know the card and card type native APDU commands, here are some examples.
Requiring SSL client authentication in a user friendly way in Apache
Requiring SSL client authentication in a user friendly way in Apache
Remember when downgrading to 'SSLVerifyClient require', you also weaken your defense from DOS attacks.
OWASP XSS (Cross-Site Scripting)
XSS is all about scripts sent to a web page and typically it is javascripts.
There are three types of XSS: Stored XSS, Reflected XSS and DOM based XSS
Top 10-2017 A7-Cross-Site Scripting (XSS)
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
To protect against XSS, you must have a strong Data Validation:
- Accept known good otherwise reject (white list), e.g. phone number, only ascii [a-zA-Z0-9])
- Sanitize. i.e. change the user input into an acceptable format. See Input Validation - OWASP Java HTML Sanitizer
- Reject known bad (blacklist), e.g.
, ' (SQL injection)
Beside Data Validation, you should add OWASP Security HTTP Headers. And especially 'X-XSS-Protection: 1; mode=block'.
October 27, 2018
Oracle Code One 2018 Hacking and Hardening Java Web Applications
https://s3.amazonaws.com/cmj-presentations/Hacking+and+Hardening+Java+Web+Apps+-+OC12018.pdf
Kali Linux Varient Virtual Machine https://s3.amazonaws.com/cmj-presentations/hacking-uberconf-2016/hhjwa-2016.1-vbox-amd64.ova
https://github.com/cjudd/wordyninjablog
https://github.com/cjudd/hacking-and-hardening-java-web-apps-workshop
HTTP Caching
https://betterexplained.com/articles/how-to-optimize-your-site-with-http-caching/
Using Expires Headers
ExpiresActive On
ExpiresDefault A0
# 1 YEAR - doesn't change often
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
ExpiresDefault A31536000
</FilesMatch>
# 1 WEEK - possible to be changed, unlikely
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
ExpiresDefault A604800
</FilesMatch>
# 3 HOUR - core content, changes quickly
<FilesMatch "\.(txt|xml|js|css)$">
ExpiresDefault A10800
</FilesMatch>
Using max-age headers
# 1 YEAR
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>
# NEVER CACHE - notice the extra directives
<FilesMatch "\.(html|htm|php|cgi|pl)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
</FilesMatch>
X.509 Standard set of attributes order
"The order of the relative distinguished names (RDNs) in the subject or issuer DN of a certificate on an ASN.1 level reflects the order in the tree (i.e. top-down):"
SEQUENCE {
SET {
SEQUENCE {
OBJECT IDENTIFIER=CountryName (2.5.4.6)
PRINTABLE STRING='US'
}
}
SET {
SEQUENCE {
OBJECT IDENTIFIER=OrganizationName (2.5.4.10)
PRINTABLE STRING='GeoTrust Inc.'
}
}
SET {
SEQUENCE {
OBJECT IDENTIFIER=CommonName (2.5.4.3)
PRINTABLE STRING='GeoTrust Global CA'
}
}
}
C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
"However, for the string representation of a DN there are two standards: OpenSSL shows the attributes by default as they are actually stored in the certificate, while RFC 2253/4514 reverses the order."
"... the output consists of the string encodings of each RelativeDistinguishedName in the RDNSequence (according to Section 2.2), starting with the last element of the sequence and moving backwards toward the first."
CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
"Also note that there are certificates "in the wild" which have multiple OUs in their DNs or less common attribute types from RFC 4519 like SERIALNUMBER or UID. I have also seen quite a few certificates, where the RDNs were actually encoded in the wrong order."
Reference:
All HTTP Status Code and How They Fits Together
A good description of all HTTP status code and how they fits together. https://github.com/for-GET/http-decision-diagram
CSRF Support Out-Of-Box in EE 7 (JSF 2.2)
Example https://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core">
<h:head>
<title>JSF 2.2 CSRF</title>
</h:head>
<h:body>
<h:form>
<p>Go to a protected page via postback</p>
<p>
<h:commandButton id="button_postback" value="Go to protected view" action="/result" />
</p>
</h:form>
</h:body>
</html>
If we look at the generated source, we see that JSF has added a javax.faces.ViewState.
"The hidden view state field is very similar to a CSRF token, but it's purpose is to find the session state associated with the request. Basically, that's already what the session id does. But JSF also supports the browser's "back" button. To do so, it stores more than one session state. The JSF implementation I analyzed this morning, Mojarra 2.2.12, uses an LRU cache with up to 15 entries. In other words: you can go back as far as fifteen steps in the history. That should be enough for most use cases."
"The view state token consists of two parts. The first part never changes. It's associated with the session. The second part is associated with a certain point of time in history. In other words: it changes with every post request. In that, it's similar to the one-time-token I mentioned above."
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head id="j_idt2">
<title>JSF 2.2 CSRF</title></head><body>
<form id="j_idt5" name="j_idt5" method="post" action="/example-javaee7/faces/person.xhtml" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="j_idt5" value="j_idt5" />
<p>Go to a protected page via postback</p>
<p><input id="button_postback" type="submit" name="button_postback" value="Go to protected view" />
</p>
</p><input type="hidden" name="javax.faces.ViewState" id="j_id1:javax.faces.ViewState:0" value="3375434139797034458:2702846074378544391" autocomplete="off" />
</form></body>
</html>
October 26, 2018
How to Set System Properties via File in EAP 6
Use the -P option, e.g. # bin/standalone.sh -P path/to/my/system.properties
How to Generate WADL in JBoss EAP 7
The bad news there is no supported way. The best you can get is by CLI.
/deployment=example-javaee7.war/subsystem=jaxrs:read-resource(include-defaults=true, include-runtime=true, recursive=true) { "outcome" => "success", "result" => {"rest-resource" => {"se.magnuskkarlsson.person.boundary.PersonResource" => { "resource-class" => "se.magnuskkarlsson.person.boundary.PersonResource", "rest-resource-paths" => [{ "resource-path" => "/person", "consumes" => undefined, "produces" => undefined, "java-method" => "java.lang.String se.magnuskkarlsson.person.boundary.PersonResource.hello()", "resource-methods" => ["GET /example-javaee7/rest/person"] }], "sub-resource-locators" => undefined }}} }
You can replace you application name with wildcard to make the expression generic. '/deployment=*/subsystem=jaxrs:read-resource(include-defaults=true, include-runtime=true, recursive=true)'
The other option is using org.jboss.resteasy.wadl.ResteasyWadlServlet, but I did not get that to work with EAP 7.1.0, but the idea of modifying your war seems the wrong way to do it.
Reference:
Exception Handling in JAX-RS 1.1 (EE 6)
ExceptionMapper
Exception/Error handling in JAX-RS is really good, you can write a custom error handler and registered it with @Provider.
import javax.json.Json;
import javax.json.JsonObject;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
@Provider
public class IllegalArgumentExceptionMapper implements ExceptionMapper {
@Override
public Response toResponse(IllegalArgumentException exception) {
JsonObject body = Json.createObjectBuilder().add("title", exception.getMessage()).build();
return Response.status(Response.Status.BAD_REQUEST).entity(body).build();
}
}
Test
import javax.ws.rs.GET;
import javax.ws.rs.Path;
@Path("/person")
public class PersonResource {
@GET
public String hello() {
throw new IllegalArgumentException("exception from hello");
}
}
$ curl -i http://localhost:8080/example-javaee7/rest/person
HTTP/1.1 400 Bad Request
Connection: keep-alive
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Content-Type: application/json
Content-Length: 32
Date: Fri, 26 Oct 2018 17:09:16 GMT
{"title":"exception from hello"}
Standardizing REST Error
Different people write different error message, but there is a standard - Problem Details for HTTP APIs RFC 7807
3.1. Members of a Problem Details Object
A problem details object can have the following members:
o "type" (string) - A URI reference [RFC3986] that identifies the
problem type. This specification encourages that, when
dereferenced, it provide human-readable documentation for the
problem type (e.g., using HTML [W3C.REC-html5-20141028]). When
this member is not present, its value is assumed to be
"about:blank".
o "title" (string) - A short, human-readable summary of the problem
type. It SHOULD NOT change from occurrence to occurrence of the
problem, except for purposes of localization (e.g., using
proactive content negotiation; see [RFC7231], Section 3.4).
o "status" (number) - The HTTP status code ([RFC7231], Section 6)
generated by the origin server for this occurrence of the problem.
o "detail" (string) - A human-readable explanation specific to this
occurrence of the problem.
o "instance" (string) - A URI reference that identifies the specific
occurrence of the problem. It may or may not yield further
information if dereferenced.
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/problem+json
Content-Language: en
{
"type": "https://example.net/validation-error",
"title": "Your request parameters didn't validate.",
"invalid-params": [ {
"name": "age",
"reason": "must be a positive integer"
},
{
"name": "color",
"reason": "must be 'green', 'red' or 'blue'"}
]
}
Reference:
October 25, 2018
JavaEE 8 Deployment Descriptor
Introduction
https://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html
web
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
</web-app>
CDI
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_2_0.xsd"
bean-discovery-mode="all" version="2.0">
</beans>
JPA
<?xml version="1.0" encoding="UTF-8"?>
<persistence xmlns="http://xmlns.jcp.org/xml/ns/persistence"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_2.xsd"
version="2.2">
<persistence-unit name="PROD" transaction-type="JTA">
<jta-data-source>java:jboss/datasources/MySQL8DS</jta-data-source>
<class>se.magnuskkarlsson.myproject.entity.User</class>
<properties>
<property name="hibernate.dialect" value="org.hibernate.dialect.MySQL8Dialect" />
<!-- <property name="hibernate.dialect" value="org.hibernate.dialect.H2Dialect" /> -->
<property name="hibernate.hbm2ddl.auto" value="update" />
<property name="hibernate.show_sql" value="false" />
<property name="hibernate.format_sql" value="false" />
<property name="hibernate.generate_statistics" value="false" />
<property name="hibernate.cache.infinispan.statistics" value="false" />
</properties>
</persistence-unit>
</persistence>
CSRFGuard by OWASP
What is Cross-Site Request Forgery, CSRF?
In previous OWASP Web Top Ten CSRF has always been around, but not in 2017. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project. And the reason for that is partly CSRF is now starting to be built in the web framework, but also other vulnerabilities gets more attention, due to technique shift.
On OWASP Cheat Sheet you can read more about CSRF https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series.
How to Use OWASP CSRFGuard
Maven dependency:
<dependency>
<groupId>org.owasp</groupId>
<artifactId>csrfguard</artifactId>
<version>3.1.0</version>
</dependency>
Activate in web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CsrfGuardFilter</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CsrfGuardFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>JavaScriptServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>JavaScriptServlet</servlet-name>
<url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
</web-app>
If you only are rendering your web pages on the server, you can remove JavaScriptServlet.
Configure: Add Owasp.CsrfGuard.properties to your classpath, see https://github.com/aramrami/OWASP-CSRFGuard/blob/9e26fc1b0f992b7eb70357e17690497ee48e2440/csrfguard-test/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties.
How to use it: Examples from https://github.com/aramrami/OWASP-CSRFGuard/tree/9e26fc1b0f992b7eb70357e17690497ee48e2440/csrfguard-test/src/main/webapp
Exaple HTML
<form id="formTest1" name="formTest1" action="protect.html">
<input type="text" name="text" value="text"/>
<input type="submit" name="submit" value="submit"/>
<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue uri="protect.html"/>"/>
</form>
Example JSP
<csrf:form id="formTest2" name="formTest2" action="protect.html">
<input type="text" name="text" value="text"/>
<input type="submit" name="submit" value="submit"/>
</csrf:form>
Read more https://github.com/aramrami/OWASP-CSRFGuard/tree/9e26fc1b0f992b7eb70357e17690497ee48e2440
And https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project#tab=Main
October 24, 2018
How To Install VirtualBox on Fedora 28
Prerequisite
# cat /etc/fedora-release
Fedora release 28 (Twenty Eight)
Installation
https://www.virtualbox.org/wiki/Linux_Downloads
$ sudo -u root bash
# wget https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo -P /etc/yum.repos.d/
# yum install VirtualBox
OpenJDK Mission Control 7 on Fedora 28
Oracle has open sourced the Mission Control.
To download prebuild: http://jdk.java.net/jmc/
Homepage OpenJDK Mission Control: http://openjdk.java.net/projects/jmc/
Building from the source, core developer blog http://hirt.se/blog/?p=947.
New feature in OpenJDK Mission Control 7 http://hirt.se/blog/?p=211
Oracle (commercial) documentation and homepage https://docs.oracle.com/javacomponents/
Input Validation - OWASP Java HTML Sanitizer
Why Sanitizing?
If you perform good validation, you stopping attackers by getting in your application via the UI. The input validation strength is in the following order.
- White List. Accept only known good characters and send error back to user.
- Sanitizing. Accept only known good characters and silently remove others and proceed.
- Escape. Accept only known good characters and escape others and proceed.
- Black List. Accept everything accept predefined bad ones.
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
OWASP Java HTML Sanitizer
OWASP has a free sanitizing library that has been tested thoroughly. https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<version>20180219.1</version>
<scope>test</scope>
</dependency>
String untrustedHTML = "<html><p>hello</p></html>";
// Sanitizers.FORMATTING allows common formatting elements, currently these
// "b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong",
// "strike", "tt", "code", "big", "small", "br", "span", "em"
// Sanitizers.BLOCKS allows common blocks elements, currently these
// "p", "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li",
// "blockquote"
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.FORMATTING).and(Sanitizers.BLOCKS);
String safeHTML = policy.sanitize(untrustedHTML);
System.out.println("safeHTML='" + safeHTML + "'");
safeHTML='<p>hello</p>'
JavaFX Markup for User Interface
Tired of writing code for creating your user interface? What if you could layout your user interface via an file? E.g.
<BorderPane>
<top>
<Label text="Page Title"/>
</top>
<center>
<Label text="Some data here"/>
</center>
</BorderPane>
That is exactly what FXML is all about in JavaFX.
Bulkhead and Backpressure Pattern with Java EE 7
What is Bulkhead Pattern?
https://en.wikipedia.org/wiki/Bulkhead_(partition)
"Isolate elements of an application into pools so that if one fails, the others will continue to function.
This pattern is named Bulkhead because it resembles the sectioned partitions of a ship's hull. If the hull of a ship is compromised, only the damaged section fills with water, which prevents the ship from sinking."
https://docs.microsoft.com/en-us/azure/architecture/patterns/bulkhead
What is Backpressure Pattern?
Backpressure is about sending good information back to your users that your application is under heavy load and cannot fulfill it's SLA.
https://mechanical-sympathy.blogspot.com/search?q=applying+back+pressure+when+overloaded
Java EE 7 Bulkhead and Backpressure Implementation
https://blog.sebastian-daschner.com/entries/bulkheads-backpressure-javaee
Circuit Breaker Pattern with Java EE 7
What is Circuit Breaker Pattern?
It is fail fast (and in a controlled way, with good error and logging message), when your application is under load. If your application does not handle load gracefully, your application will continue to accept incoming request and that makes performance of your application worse, but more important makes the response time even worse for the connecting clients.
"Handle faults that might take a variable amount of time to recover from, when connecting to a remote service or resource. This can improve the stability and resiliency of an application."
https://docs.microsoft.com/en-us/azure/architecture/patterns/circuit-breaker
Java EE 7 Circuit Breaker Implementation
@Singleton
@Interceptors(Breakr.class)
@ConcurrencyManagement(ConcurrencyManagementType.BEAN)
public class Brittle {
@IgnoreCallsWhen(failures = 2,slowerThanMillis = 10)
public void unstableAndSlow(){
}
@CloseCircuit
public void reset() {}
}
http://www.adam-bien.com/roller/abien/entry/a_6kb_circuit_breaker_for
October 22, 2018
Oracle JDK for Windows is Not Free Anymore
Oracle JDK
Starting from Januari 2019 you need to pay Oracle to use Oracle Java 8 in production. Downloading and using Oracle Java 8 for developing and testing is fine.
"Oracle Customers. Oracle Customers are those Oracle customers with an active (1) Java SE Subscription and/or Java SE Desktop Subscription, (2) support contract for Oracle Java SE Advanced, Oracle Java SE Advanced Desktop, Oracle Java SE Suite, and/or Java SE Support, or (3) Java SE support entitlement for use of Java SE solely with another Oracle product (Visit My.Oracle Support Note 1439822.1 - All Java SE Downloads on MOS – Requires Support Login)."
"Commercial Users. Commercial Users are entities other than Oracle Customers that use Java SE for business, commercial or production purposes as part of a Java application delivered by a third party or developed internally."
"Personal Users. Personal Users are individuals who use Java SE on personal desktops or laptops. Personal users include individuals using Oracle Java SE to develop applications for hobby or educational purposes, play games or run consumer productivity applications."
To read more https://www.oracle.com/technetwork/java/javase/eol-135779.html
And also https://blogs.oracle.com/java-platform-group/oracle-jdk-releases-for-java-11-and-later
OpenJDK for Linux
If you running Linux already, you are also probably also already running OpenJDK, otherwise start use OpenJDK instead of Oracle Java. OpenJDK is natively packaged for Linux so only search for install software on your Linux distro.
To read more https://openjdk.java.net/
But things are also changing for OpenJDK, Oracle wants to skip LTS for OpenJDK and deliver new Major versions every 6 months!
But Red Hat will deliver a OpenJDK 11 LTS for RHEL, https://access.redhat.com/articles/3409141
See also https://access.redhat.com/solutions/3116731.
And Red Hat will deliver this LTS version for Windows as well, but only for Developing purpose https://developers.redhat.com/products/openjdk/download/.
About Red Hat support for OpenJDK 7, 8 and 11 on RHEL platform.
"In addition to distributing and providing lifecycle support for OpenJDK on Red Hat Enterprise Linux, Red Hat’s open source Java middleware products support OpenJDK for Red Hat Enterprise Linux, enabling users to get a full stack support from the operating system through to application services from a single vendor, and other Red Hat products internally run on OpenJDK. We are a leader in offering support to customers worldwide that rely on open source to run their production workloads."
Java Microservice Framework
What is a Microservice?
There are no clear definition, but it is like "fine grained SOA".
Why Microservice?
- "Improves modularity and makes the application easier to understand, develop, and test."
- "It parallelizes development by enabling small autonomous teams to develop, deploy and scale their respective services independently."
- Easier to refactor a small part, instead of a monolithic system.
Why not Microservice?
- "Services form information barriers."
- "Inter-service calls over a network have a higher cost in terms of network latency and message processing time than in-process calls within a monolithic service process."
- "Testing and deployment are more complicated."
- "Moving responsibilities between services is more difficult.[1] It may involve communication between different teams, rewriting the functionality in another language or fitting it into a different infrastructure"
- "Viewing the size of services as the primary structuring mechanism can lead to too many services when the alternative of internal modularization may lead to a simpler design."
Read more https://en.wikipedia.org/wiki/Microservices.
Examples of Java Microservice Framework
- Javalin
- Spark Java
- Micronaut
- Ktor
- Ktor
- Jooby
- Akka HTTP
- Dropwizard
- Jodd
- Armeria
Read more https://www.e4developer.com/2018/06/02/the-rise-of-java-microframeworks/.
Servless/Function-as-a-service, FaaS
What is Serverless/Function-as-a-service, FaaS?
First, it does not mean, you don't need a Server, instead it means, that the developer should focus on the code and not the server.
Also it all about going to the cloud, and that you don't want to worry about running servers, their storage, etc.
Examples of functions:
- Create person.
- Search person.
- Update person.
Read more about at https://serverless.com/learn/overview.
Examples of serverless providers
- Amazon Web Service, AWS
- Microsoft Azure
- IBM OpenWhisk
- Google Could Platform
- Kubeless
- spotinst
- Oracle fn
- Cloudflare
Read more about at https://serverless.com/framework/docs/getting-started/.