Earl Douglas

An embedded Jetty server provides a quick and easy means of testing web applications. In this example I expand on A Secure RESTful Web Service, which requires manual steps of building and deploying a web application to an existing and configured application server. I introduce an embedded Jetty server which is started as part of testing, and enables tests to run without the manual steps of building and deploying the web application. It also eliminates the need to have a discrete application server available for testing.

I thought it would be fun to see if I could create a completely self-contained runnable web application that wasn't bound to the traditional application server plus WAR file pattern. After playing with embedded Jetty, and Maven's jar, dependency, and assembly plugins, I came up with a working solution.

Data at rest encryption is a commonly important pattern in any enterprise application within which certain information must be protected when placed in a persisted state. Among the difficulties of building applications that support data at rest encryption are distinguishing encrypted data from unencrypted data at the application layer, and the algorithms needed to handle translating from one to the other. An application which is aware that at some points its data may be encrypted and at other points it may not violates the practice of separation of concern.

Many coffee shops and book stores provide both a seemingly limitless supply of legal addictive stimulants and wireless Internet access. The two in combination yield a great opportunity to do some coding. The problem is that usually the wireless connection is unencrypted, leaving you vulnerable to anyone who wants to come along and sniff your traffic. To solve this problem, I once again reach into my bag of tools and pull out SSH, the oft overlooked Swiss Army Knife of secure communications.

REST-style architecture lends a comfortable aspect of familiarity to web services by enforcing a somewhat strict architectural style with which we have become accustomed to in our daily use of the web. It eliminates the unpredictable and sometimes obtuse web services definitions created in analogy to arbitrary verbs. It limits the types of actions taken by a web service to those of CRUD, and the resources on which to perform such actions to those identifiable by URLs.

SSH tunneling is a simple but powerful way to secure a communications channel for an otherwise unsecured protocol.

Imagine an environment with two servers: ServerA and ServerB. ServerB hosts a MySQL database on the conventional port 3306, and ServerA maintains a JDBC connection to it. This connection is wide open to packet sniffing and other man-in-the-middle attacks, and is especially vulnerable when ServerA and ServerB reside in physically separate networks.

Contract-first web services epitomise the pattern of loose coupling as applied to distributed web-based systems. The methodology is founded on the establishment of a service contract, which both client and server entities agree to implement. With the service contract in place, client and server entities have the freedom to implement it in any way they like, with all functionality abstracted from one another behind the service contract.

I'm a big fan of Krypto, and have a habit of writing an implementation of it on any programmable device I get my hands on.

Setting the class path can be quite bothersome when you have many separate JAR files to deal with. An easy way to manage obese class paths is with download extensions. Through a list of JAR files in the MANIFEST.MF file within a given JAR file, you can automatically include an arbitrary number of JAR files on the class path.

Let's imagine we have the following two classes in our project:

 

JSR-330: Dependency Injection for Java defines a collection of annotations which are used to define dependencies and their providers and scopes within a compliant application or framework. It is immediately recognizable by developers familiar with Google Guice, but is less so to developers familiar with Spring. Nevertheless, Spring's analog to (and influence on) JSR-330 is presented in the similarities between the two (not to mention Rod Johnson's participation as a Specification Lead of the JSR-330 team).