Archive for the ‘Development’ tag
Going Functional with Scala
Lately it seems like functional programming has been the talk of the town, the new (old) paradigm that is making a comeback in a major way. For a while, I resisted the urge to follow the paradigm de jour, being the hard core OO guy that I am, but now it is clear to me that it is more than just hype. There are many reasons functional programming makes sense as a paradigm for developing software today, but the one that I am most interested in is the fact that it handles concurrency so well, thus providing us the building blocks to develop extremely scalable applications.
FP (Functional Programming) has been on my mind for a while. The seed was placed there in late 2007 by the Java Posse listening to their interview with Martin Odersky. They were not talking about FP per se, but more about a specific JVM language called Scala (pronounced skah-lah not scale-la). Scala is not a pure functional language, it is actually a fusion between functional and object oriented programming. It brings together the best of both worlds. My exposure to Scala did not end there, as I got another huge dose at Java One 2008. Two of my favorite sessions there were either on Scala, or Scala was a major discussion point.
The first session was the Script Bowl. This session was not specifically about Scala, it was more of a JVM scripting language battle, and in the end JRuby was crowned king by the audience. In my mind, Scala was the clear winner, because of the simple, yet elegant and powerfull concurrency demonstrated. The presenter wrote what looked like a relatively simple program, and it was capable of indexing tons of RSS feed dumps in real time on a typical multi-core laptop computer. I remember thinking to my self, wow, it would take me a lot more time and effort to write a similar program in Java, and it probably wouldn’t have the same level of scalability as the one demonstrated. The Scala code was able to fully utilize the multi-core processors it was running on.
The second session was on Scala presented by the father of Scala him self Martin Odersky. During that session I was wowed again with some of Scala’s features like it:
- is scalable because it works for very small and very large systems.
- “is the Java programming language of the future.”
- is object oriented, functional, and a scripting language.
- leverages Actor’s as the primary concurrency construct.
- fits seamlessly in to a Java environment.
- is a composition language, as it adds the notion of Traits.
- has an updated type system supporting type inference.
After those two sessions, I headed over to the Java One bookstore to check out the Beta version of Programming in Scala. I was impressed, but couldn’t help thinking, is Scala for me? Can I use it at work? Is it viable in the enterprise?
Fast forward 7 months to today, and let me answer my own questions with one word: yes!
- Is it for me? Yes, because Scala is not only something new, it is something advanced, because it was written in a no compromise academic environment. If nothing else it is a great way to broaden my horizons as a programmer.
- Can I use this at work? Yes, Scala code compiles down to Java byte code, so theoretically, if I was very evil, I could write all my code at work in Scala, run Scalac on it, and add the class files to the application, and no one would be any the wiser. Will I do that? No way, I am simply trying to illustrate a point that Scala is totally compatible with any existing Java environment.
- Is it viable in the enterprise? Yes, with its advanced concurrency model, I can only imagine the type of throughput you can achieve. (Looking forward to finding out)
Now you know where my interest in Scala comes from. Hopefully after reading this post, you will be a bit curious about it as well.
Keyboard Shortcuts
Do you want to learn all of the keyboard shortcuts to your favorite Java IDE, but just don’t have time to study a cheat sheet? Are you envious of your team lead because when you peer program with them, they are able to get things done without using the mouse?
You ask your self how did they do it? Do they memorize a cheat sheet while on the Subway? Do they go home and practice coding every night? Are they gifted with great memories? Well, they may be all of these things, but you don’t have to be!
All you need to do is install a plugin called Key Promoter that is available for both Intellij and Eclipse. The way it works is every time you use your mouse to accomplish a task that can be accomplished via a keyboard shortcut, it pops up a window and lets you know. In the Intellij version, it actually keeps track of how many times you used your mouse for each action. It becomes insulting after a while if you see you used your mouse 20 times for the same action, knowing it has shown you the corresponding keyboard shortcut each time.
For more details you can find the Intellij plugin here, and the Eclipse plugin here.
Simple Security for HTTP Based RESTful Services (Part 2)
In part one of this series, we examined one potential solution that turned out to be not so good. In this post lets try to find a solution using the same design, but a better implementation.
To recap, we decided to use the simplest solution which is to add a security hash to each service call. The first approach we tried was adding the security hash to the XML payload of each service call. The conclusion was that approach was not very elegant, and actually quite ugly.
Let us now discuss a more elegant solution. Keeping the same parameters in place, namely, we want to pass the hash along with each service request, where can we place it where it will not cause the implementation to be ugly? Why don’t we try by add the Hash as a field in the Http header?
The request would look like:
PUT http://blah.com/services/someEntity/226 HTTP/1.1 Accept: text/xml Content-Type: text/xml User-Agent: Jakarta Commons-HttpClient/3.1 Host: somehost:port Hash: 53b383c67a03d23a38b6f52f4a732553 Content-Length: 380 <someEntity> <fieldOne> fieldOne </fieldOne> <fieldTwo> fieldTwo </fieldTwo> </someEntity>
As you can see, the hash has been added to the Http header (line 6). To verify the hash, we need to do create a Servlet Filter that verifies the Hash.
A very simple filter would look like:
public class VerifyHashFilter implements Filter {
public void doFilter(ServletRequest request,
ServletResponse response,FilterChain chain)
throws IOException, ServletException {
if(((HttpServletRequest)request).getHeader("HASH").equals("12345"))
chain.doFilter(request,response)
else
((HttpServletResponse)response).setStatus(401);
}
}
Then our service code implementation would change to:
@Path("/services")
public class SomeEntityServiceImpl {
@PUT
@Path("/someEntity/{id}")
@Consumes("text/xml")
public void updateSomeEntity(SomeEntity entity,
@PathParam("id") int id) {
dao.saveOrupdate(entity)
}
}
To test our service, we can use curl:
$ curl -i -H 'HASH:12345' http://localhost:9095/rest-test HTTP/1.1 200 OK Content-Type: application/xml Content-Length: 71 Server: Jetty(6.1.14) <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <someEntity> <fieldOne>fieldOne</fieldOne> <fieldTwo>fieldTwo</fieldTwo> </someEntity>
And the negative test:
$ curl -i -H 'HASH:54321' http://localhost:9095/rest-test HTTP/1.1 401 Unauthorized Content-Length: 0 Server: Jetty(6.1.14)
As you can see, the implementation code is much cleaner and reusable now. The service code can be called from anywhere within the application without having to worry about a security hash. It is safe to assume that if the code makes it as far as the service, it passed through the security filter thus making the request authorized. Having that assumption as part of the design allows you to write much more generic and reusable code.
Please keep in mind this concept is nothing new, as this solution is an over simplification of how the Spring Security module works. The value in this solution is it doesn’t have dependencies on any external frameworks. When designing this solution, that was one of the determining factors.
Next time you need to implement a quick authorization mechanism for your REST service, make sure you keep the Http header along with a Servlet filter in mind.
Simple Security for HTTP Based RESTful Services (Part 1)
This is going to be the first in a series of posts discussing potential ways of securing bi-directional RESTful based HTTP services. For this series we are going to make the requirements quite simple, namely, “secure” simply means the caller of the service is authorized to invoke it. Lets assume that this solution is being deployed along with a simple IP addresses restriction mechanism. Since IP address’s can easily be spoofed, this solution is the next level of defense to ensure the identity of the caller.
There are many different potential solutions to this problem, but for this series, we are going to focus on the simplest solution which is to add a security hash to each service call. This post assumes you understand how to secure B2B communications with the use of a security hash. If you need a refresher, please refer to this post on the subject.
Since we know the design for securing our communications, we need to decide on an implementation. The first potential implementation we are going to examine is adding a “security hash” to the XML payload for each service call.
The embellished XML payload would look like:
<someEntity> <hash>4723af11bef05fc6207bd22cd163d9db</hash> <fieldOne> ... </fieldOne> <fieldTwo> ... </fieldTwo> </someEntity>
with the “hash” field (line 2) representing the security hash.
The interface of the SomeEntity service, would look like:
public interface SomeEntityService {
public void updateSomeEntity(SomeEntity entity, int id) throws SecurityException;
}
with an implementation that looks like:
@Path("/services")
public class SomeEntityServiceImpl {
@PUT
@Path("/someEntity/{id}")
@Consumes("text/xml")
public void updateSomeEntity(SomeEntity entity,
@PathParam("id") int id)
throws SecurityException {
if (validateHash(entity))
dao.saveOrupdate(entity)
else
throw new SecurityException("Not Authorized");
}
}
With the actual HTTP Client call looking like:
PUT http://blah.com/services/someEntity/226 HTTP/1.1 Accept: text/xml Content-Type: text/xml User-Agent: Jakarta Commons-HttpClient/3.1 Host: somehost:port Content-Length: 380 <someEntity> <hash>4723af11bef05fc6207bd22cd163d9db</hash> <fieldOne> fieldOne </fieldOne> <fieldTwo> fieldTwo </fieldTwo> </someEntity>
There you have it, our first potential solution to the problem. We now need to examine if this solution is correct, and if it is, is it elegant?
First things first, is it correct? If you trace through the code, you can see that before the service makes a call to the DAO, it checks to verify the validity of the hash field (line 10). If the hash it is not valid, it will throw an Exception, which in turn would return a 401 to the user. It would not be possible for a client to access the DAO without having the proper hash as part of the XML Payload.
Even though this approach would perform as expected, it has two main issues, the first being it mixes concerns. What we mean by mixes concerns is it mixes business logic with security logic. This is a standard problem that applies to layered architectures. The main side effect of this problem is it makes the code very difficult to reuse. Lets me demonstrate this with a simple code fragment:
// Code in a Web Controller class somewhere
try {
someEntitySvc.updateSomeEntity(entity);
} catch (SecurityException e) {
// Nothing we can do... We don't have the hash???
}
As you can see from this simple example the implementation of the service is not generic enough to be usable by a Controller in the Web Tier. Firstly, even if the Web Tier knew about he hash, the code becomes polluted with Exception handling for an Exception that is not applicable to this client. Secondly, the Web Tier simply doesn’t have any knowledge of the hash, and putting logic here to generate the hash just to use the service would not make any sense from a design perspective.
The second issue with this approach is the fact that you can only apply it to Http methods that accept a payload. What about methods that do not accept a Payload, I.e., GET? To make this work for the GET method, we would have to pollute our GET method implementation with a @Consumes(“text/xml”) tag, which functionally would work, but from a API design perspective, it is quite ugly. As a consumer of a GET method, all you need to know is the id of the entity you wish to “get”. Adding an XML payload for “security” purposes is a bad and cumbersome design.
With all that being said, it looks like this is not the best solution to the problem. Stay tuned for part two of this series where we will discuss a more elegant approach to solving this problem.
