12/12/2003

J2EE Platform
TM
Sang Shin
sang.shin@sun.com
Architecture www.javapassion.com/j2ee

Technology Evangelist
Sun Microsystems, Inc.
1 2

Courses I teach Agenda

? XML (2001) ? What is J2EE?
? Distributed programming using Jini and
TM
? History of Distributed Computing
JavaSpaces technology (2002)
TM

? Evolution of Enterprise Application

? Web services programming using XML and Java TM

Development Frameworks
technology (2002) ? J2EE APIs and Technologies
? J2EE programming with Passion! (It is free!)
TM

– Servlet, JSP, EJB, Connector, J2EE Security

www.javapassion.com/j2ee ? RI, Compatibility Test Suite (CTS)
? Advanced J2EE programming with Passion! (It is ? J2EE and Web Services
free!) ? How to get started with J2EE programming
www.javapassion.com/j2eeadvanced ? Web application framework
3 4
12/12/2003

Enterprise Computing
Challenges Key Products
Portability Technologie App Servers
s
Diverse Web Servers
Environments J2SE™
™
Components
Time-to-market J2EE

What is J2EE?
Databases
Core JMS
Competence Object to DB
Servlet tools
Assembly JSP
Integration Connector Legacy
XML Systems
Data Databases
Binding TP Monitors
XSLT
EIS Systems
5 6

What Is the J2EE? The Java™ 2 Platform

l Open and standard based platform for

l developing, deploying and managing
Java Technology Java Technology Workgroup High-End
l n-tier, Web-enabled, server-centric, and Enabled Devices Enabled Desktop Server Server

component-based enterprise
applications

7 8
12/12/2003

The JavaTM 2 Platform What Do You Get from J2EE?

Java 2 Platform Micro Edition
(J2ME TM )
? API and Technology specifications
Optional
? Development and Deployment Platform
Packages
? Reference implementation
Optional
Packages
? Compatibility Test Suite (CTS)
Java 2 Java 2
Personal
Basis Profile
Personal
Profile
? J2EE brand
Enterprise
Edition
Standard
Edition Foundation Profile MIDP
? J2EE BluePrints
(J2EE) (J2SE) Java
CDC CLDC Card
APIs

JVM KVM CardVM

9 10
* Under development in JCP

Platform Evolution
The
The Network
Network The
The Computer
Computer Network
Network of
of
Catch
Catch Is
Is the
the Computer
Computer Legacy
Legacy to
to Is
Is the
the Embedded
Embedded Network
Network
Phrase
Phrase Objects
Objects the
the Web
Web Network
Network Things
Things of
of Things
Things

Scale
Scale 100s
100s 1,000s
1,000s 1,000,000s
1,000,000s 10,000,000s
10,000,000s 100,000,000s
100,000,000s 100,000,000s
100,000,000s

When/Peak
When/Peak 1984/1987
1984/1987 1990/1993
1990/1993 1996/1999
1996/1999 2001/2003
2001/2003 1998/2004
1998/2004 2004/2007
2004/2007

History of Leaf
Leaf
Protocol(s)
Protocol(s)
XX XX +HTTP
+HTTP
(+JVM)
(+JVM)
+XML
+XML
Portal
Portal
+RM
+RM Unknown
Unknown

Distributed Computing Directory(s)

Directory(s)

Session
Session
NS,
NS, NS+

RPC,
NS+

RPC, XDR
XDR
+CDS
+CDS

+CORBA
+CORBA
+LDAP(*)
+LDAP(*)

+CORBA,
+CORBA,
+UDDI
+UDDI

+SOAP,
+SOAP,
+Jini
+Jini

+RM/Jini
+RM/Jini
+?
+?

+?
+?
RM
RM XML
XML

Schematic
Schematic

11
12/12/2003

TM
Communication Patterns Communication Patterns: Java 2
Client- Web Web Hybrid
Server 3-Tier Application Services P2P Fractal Business
Business Systems
Systems

DB
DB Server
Server
App
App Server
Server J2EE
J2EE
Web
Web Server
Server
Browser
Browser J2SE/
J2SE/
Client
Client J2ME
J2ME
Web
Application

Communication Patterns: Sun ONE

Bus.
Bus.
Sys.
Sys.

Evolution of
XML
XML
DB
DB (UDDI,
(UDDI,
SOAP)
SOAP)
App
App J2EE
J2EE
Web
Web
J2SE/
J2SE/
Enterprise Application
Browser
Browser

Context
Context and
and Identity
Identity
J2ME
J2ME
Frameworks
(LDAP,
(LDAP, Policy,
Policy, Liberty)
Liberty)
Web
Service

16
12/12/2003

Evolution of Enterprise Single Tier (Mainframe-based)

Application Framework
? Single tier
? Two tier
? Three tier ? Centralized model (as opposed distributed
– RPC based model)
– Remote object based ? Dumb terminals are directly connected to
? Three tier (HTML browser and Web server) mainframe
? Proprietary app server
? Presentation, business logic, and data access
are intertwined in one monolithic mainframe
? Standard app server application
17 18

Single-Tier: Pros & Cons Two-Tier

? Pros: SQL request
– No client side management is required Database
SQL response
– Data consistency is easy to achieve
? Cons:
– Functionality (presentation, data model, business logic)
intertwined, difficult for updates and maintenance and
? Fat clients talking to backend database
code reuse – SQL queries sent, raw data returned
? Presentation,Business logic and Data
Model processing logic in client
application
19 20
12/12/2003

Two-Tier Three-Tier (RPC based)

? Pro:
– DB product independence (compared to single-tier model) RPC request SQL request

? Cons: RPC response SQL response

Database

– Presentation, data model, business logic are intertwined

(at client side), difficult for updates and maintenance
– Data Model is “tightly coupled” to every client: If DB
Schema changes, all clients break
– Updates have to be deployed to all clients making System
maintenance nightmare
– DB connection for every client, thus difficult to scale
– Raw data transferred to client for processing causes high
network traffic 21
? Thinner client: business & data model separated
from presentation
– Business logic and data access logic reside in middle
tier server while client handles presentation
? Middle tier server is now required to handle system
services
– Concurrency control, threading, transaction, security,
persistence, multiplexing, performance, etc. 22

Three-tier (RPC based): Pros & Three-Tier (Remote Object based)

Cons
? Pro: Object request SQL request
– Business logic can change more flexibly than 2-tier Database
Object response SQL response
model
? Most business logic reside in the middle-tier server
? Cons: ? Business logic and data model captured in
– Complexity is introduced in the middle-tier server objects
– Client and middle-tier server is more tightly-coupled – Business logic and data model are now described in
(than the three-tier object based model) “abstraction” (interface language)
– Code is not really reusable (compared to object ? Object models used: CORBA, RMI, DCOM
model based) – Interface language in CORBA is IDL
23 – Interface language in RMI is Java interface 24
12/12/2003

Three-tier (Remote Object based):

Pros & Cons
? Pro:
– More loosely coupled than RPC model
– Code could be more reusable
? Cons:
– Complexity in the middle-tier still need to be
addressed

25

Three-tier (Web Server based):

Pros & Cons Trends
? Pro: ? Moving from single-tier or two-tier to multi-
– Ubiquitous client types tier architecture
– Zero client management ? Moving from monolithic model to object-
– Support various client devices based application model
J2ME-enabled cell-phones
?
? Moving from application-based client to
? Cons: HTML-based client
– Complexity in the middle-tier still need to be
addressed

27 28
12/12/2003

Single-tier vs. Multi-tier Monolithic vs. Object-based

Single tier Multi-tier Monolithic Object-based

l No separation among l Separation among l 1 Binary file l Pluggable parts

presentation, business
logic, database
l Hard to maintain l More flexible to change,
presentation, business
logic, database l Recompiled, l Reusable
relinked, l Enables better
i.e. presentation can redeployed design
change without
affecting other tiers everytime there is l Easier update
a change l Implementation
can be separated
from interface
l Only interface is
published
29 30

Outstanding Issues & Solution Proprietary Solution

? Comlexity at the middle tier server still remains ? Use "component and container" model in
? Duplicate system services still need to be which container provides system services in
provided for the majority of enterprise a well-defined but with proprietary manner
applications ? Problem of proprietary solution: Vendor
– Concurrency control, Transactions
– Load-balancing, Security
lock-in
– Resource management, Connection pooling ? Example: Tuxedo, .NET
? How to solve this problem?
– Commonly shared container that handles the above
system services
– Proprietary versus Open-standard based
31 32
12/12/2003

Open and Standard Solution

? Use "component and container" model in
which container provides system services in a
well-defined and as industry standard
J2EE is that standard that also provides
Why J2EE?
?

portability of code because it is based on Java

technology and standard-based Java
programming APIs

33 34

Platform Value to Developers Platform Value to Vendors

? Can use any J2EE implementation for
development and deployment
– Use J2EE RI or Sun ONE Platform Edition which are
free for development/deployment and then use
high-end commercial J2EE products for actual
deployment
? Vast amount of J2EE community resources
– Many J2EE related books, articles, tutorials, quality
code you can use, best practice guidelines, design
patterns etc.
? Can use off-the-shelf 3rd-party business
components
? Vendors work together on specifications and
then compete in implementations
– In the areas of Scalability, Performance, Reliability,
Availability, Management and development tools,
and so on
? Freedom to innovate while maintaining the
portability of applications
? Do not have create/maintain their own
proprietary APIs
35 36
12/12/2003

Platform Value to Business

Customers
? Application portability
? Many implementation choices are possible J2EE API's &
based on various requirements
– Price (free to high-end), scalability (single CPU to
Technologies
clustered model), reliability, performance, tools, and
more
(page 14, 1st slide)
– Best of breed of applications and platforms
? Large developer pool
37 38

J2EE 1.3 APIs and Technologies

J2EE 1.4 Contents
Version
Java 2 SDK, Standard Edition 1.3 ? J2SE 1.4 (improved) ? Servlet 2.4
RMI/ IIOP 1.0 ? JAX-RPC (new) ? JSP 2.0
JDBC™ 3.0
Java Messaging Service 1.0.2b ? Web Service for J2EE ? EJB 2.1
JNDI 1.2.1
Servlet 2.3 ? J2EE Management ? JAXR
JavaServer Pages™ 1.2
JavaMail 1.2 ? J2EE Deployment ? Connector 1.5
JavaBeans™ Activation Framework 1.0.1 ? JMX 1.1 ? JACC
Enterprise JavaBeans 2.0
Java Transaction API 1.0.1 ? JMS 1.1 ? JAXP 1.2
Java Transaction Service 1.1
Connector Architecture 1.0 ? JTA 1.0 ? JavaMail 1.3
ECPerf™ 1.0 ? JAF 1.0
39 40
12/12/2003

What is a Servlet?
? Java™ objects which extend the functionality
of a HTTP server
? Dynamic contents generation
? Better alternative to CGI, NSAPI, ISAPI, etc.
– Efficient

Servlet –
–
Platform and server independent
Session management
– Java-based

41 42

CGI versus Servlet Servlet vs. CGI

CGI Servlet Request
RequestCGI1
CGI1 Child
Childfor
forCGI1
CGI1
l Written in C, C++, Visual l Written in Java Request CGI
CGI
RequestCGI2
CGI2 Based Child
Basic and Perl l Powerful, reliable, and Based Childfor
forCGI2
CGI2
l Difficult to maintain, efficient Webserver
Webserver
Request
RequestCGI1
non-scalable, non- l Improves scalability, CGI1 Child
Childfor
forCGI1
CGI1
manageable reusability (component
l Prone to security based) Request
RequestServlet1
Servlet1 Servlet
problems of l Leverages build-in security Servlet Based
Based Webserver
Webserver
programming language of Java programming
Request
RequestServlet2
language Servlet1
l Resource intensive and Servlet2 Servlet1
inefficient l Platform independent and JVM
JVM
l Platform and portable Request Servlet1 Servlet2
Servlet2
application-specific

43 44
12/12/2003

Servlets Request and

What does Servlet Do?
Response Servlet Container
? Receives client request (mostly in the form
Request
of HTTP request)
? Extract some information from the request
Browser ? Do content generation or business logic
HTTP
Request
Servlet process (possibly by accessing database,
Response invoking EJBs, etc)
Web
? Create and send response to client (mostly
Response
Server in the form of HTTP response) or forward
the request to another servlet
45 46

HTTP GET and POST

Requests and Responses ? The most common client requests
? What is a request? – HTTP GET & HTTP POST
– Information that is sent from client to a server ? GET requests:
? Who made the request

– User entered information is appended to the URL in a

? What user-entered data is sent
query string
? Which HTTP headers are sent
– Can only send limited amount of data
? What is a response? ? .../servlet/ViewCourse?FirstName=Sang&LastName=Shin
– Information that is sent to client from a server ? POST requests:
? Text(html, plain) or binary(image) data
– User entered information is sent as data (not appended
? HTTP headers, cookies, etc to URL)
47 – Can send any amount of data 48
12/12/2003

First Servlet
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

Public class HelloServlet extends HttpServlet {

public void doGet(HttpServletRequest request,
HttpServletResponse response)

Session Tracking
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.println("<title>First Servlet</title>");
out.println("<big>Hello Code Camp!</big>");
}
}
49 50

Why Session Tracking? Session Tracking Use Cases

? Need a mechanism to maintain state
across a series of requests from the same
user (or originating from the same
browser) over some period of time
– Example: Online shopping cart
? Yet, HTTP is stateless protocol
– Each time, a client talks to a web server, it opens
a new connection
? When clients at an on- line store add an
item to their shopping cart, how does
the server know what’s already in the
cart?
? When clients decide to proceed to
checkout, how can the server determine
which previously created shopping cart is
theirs?

51 52
12/12/2003

Sessions Three Session Tracking

Mechanisms
Client 1
? Cookies
server
Session 1 ? URL rewriting
Session ID 1
? Hidden form fields
? Note that these are just underlying
Client 2 Session ID 2 mechanisms and do not provide high-level
Session 2 programming APIs

53 54

What is Cookie? Cookies as Session Tracking

? Cookie is a small amount of information sent
by a servlet to a Web browser ? Advantages:
? Saved by the browser, and later sent back to – Very easy to implement
the server in subsequent requests – Highly customizable
? A cookie's value can uniquely identify a client – Persist across browser shut-downs
– So cookies are commonly used for session ? Disadvantages:
management – Often: users turn off cookies for privacy or
? A cookie has a name, a single value, and security reason
optional attributes – Not quite universal browser support

55 56
12/12/2003
URL Rewriting
? URLs can be rewritten or encoded to include
session information.
? URL rewriting usually includes a session id
? Session id can be sent as an added
parameter:
– http://.../servlet/Rewritten?sessionid=688
57
Now Without “Session
Tracking” Feature of Servlet
? You have to perform the following tasks yourself
by using one of three session-tracking mechanisms
– Generating and maintaining a session id for each
session
– Passing session id to client via either cookie or URL
– Extracting session id information either from cookie or
URL
– Creating and maintaining a hashtable in which session
id and session information are stored
– Coming up with a scheme in which session information
can be added or removed
59
URL Rewriting as Session
Tracking Mechanism
? Advantages:
– Let user remain anonymous
– They are universally supported(most styles)
? Disadvantages:
– Tedious to rewrite all URLs
– Only works for dynamically created documents
58
“ Session Tracking” Feature of
Servlet
? Provides higher-level API for session tracking
– Built on top of Cookie or URL rewriting
? Servlet container maintains
– internal hashtable of session id's
– session information in the form of HttpSession
? Generates and maintains session id transparently
? Provides a simple API for adding and removing
session information (attributes) to HttpSession
? Could automatically switch to URL rewriting if
cookies are unsupported or explicitly disabled 60
12/12/2003

What are Java Servlet Filters? What Can a Filter Do?

? New component framework for intercepting
? Examine the request headers
and modifying requests and responses ? Customize the request object if it wishes to
– Filters can be chained and plugged in to the system modify request headers or data
during deployment time ? Customize the response object if it wishes to
? Allows range of custom activities: modify response headers or data
– Marking access, blocking access ? Invoke the next entity in the filter chain
– Caching, compression, logging ? Examine response headers after it has invoked
– Authentication, access control, encryption the next filter in the chain
– Content transformations ? Throw an exception to indicate an error in
? Introduced in Servlet 2.3 (Tomcat 4.0) 61
processing 62

How Servlet Filter Work?

Servlet Servlet
Container Filter Chain

Filter 1 Filter 2 Filter N

JSP
doFilter(
User Servlet service(
ServletRequest,
implemented container ServletRequest,
ServletResponse,
filters filter ServletResponse)63 64
FilterChain)
12/12/2003

What is JSP Technology? What is JSP page?

? Enables separation of business logic from
presentation
– Presentation is in the form of HTML or
XML/XSLT
– Business logic is implemented as Java Beans or
custom tags
– Better maintainability, reusability
? Extensible via custom tags
? Builds on Servlet technology
? A text-based document capable of
returning dynamic content to a client
browser
? Contains both static and dynamic
content
– Static content: HTML, XML
– Dynamic content: programming code, and
JavaBeans, custom tags

65 66

JSP Sample Code Servlets and JSP - Comparison

<html> Servlets JSP
Hello World!
<br>
<jsp:useBean id="clock" • HTML code in Java • Java-like code in HTML
class=“calendar.JspCalendar” /> • Any form of Data • Structured Text
Today is • Not easy to author a • Very easy to author a
<ul> web page web page
<li>Day of month: <%= clock.getDayOfMonth() %>
<li>Year: <%= clock.getYear() %> • Code is compiled into a
</ul> servlet
</html>

67 68
12/12/2003

JSP Benefits
? Content and display logic are separated
? Simplify development with JSP, JavaBeans
and custom tags
? Supports software reuse through the use of
components
? Recompile automatically when changes are
made to the source file
Web-Tier Security
? Easier to author web pages Issues
? Platform-independent
69 70

General Security Issues Security Issues at Web-Tier

? Authentication for identity verification
– Making sure a user is who he claims he is
? Authorization (Access control)
– Making sure a resource gets access only by user who
as access priviledge
– The user has to be authenticated first
? Confidentiality (Privacy)
–
Making sure nobody can read the sensitive data
while it is on the wire
71
? Preventing unauthorized users from
accessing “access controlled” web resource
– If unauthenticated user tries to access “access
controlled” web resource, web container will
automatically ask the user to authenticate himself
first
– Once authenticated, web container (and/or web
components) enforces access control
? Preventing attackers from changing or
reading sensitive data while it is on the wire
– Data can be protected via SSL
72
12/12/2003

HTTP Basic Authentication

? Web server collects user identification (user
name and password) through a browser
provided dialog box
? Not secure since user name and password are
HTTP Basic in “easily decode'able” form over the wire

Authentication- –
–
Encoding scheme is Base64
Someone can easily decode it
based ?
– Not encrypted
Would need SSL for encrypting password
Web tier Security 73 74

Steps for Basic Authentication- Step 1: Set up username,

based Web-tier Security
1. Set up username, passwords, and roles
(realms)
2. Tell web container that you are using Basic
authentication
3. Specify which URLs (web resources) should be
access-controlled (password-protected)
4. Specify which URLs should be available only
with SSL (data integrity and confidentiality
protected)
75
passwords, and roles (Realms)
? Schemes, APIs, and tools for setting up usernames,
passwords, and roles (realms) are web container
and operational environment specific
– Flat-file based, Database, LDAP server
– Passwords could in encrypted or unencrypted form
? Tomcat 4.0 can work with the following realms
– default: file, unencrypted form
– Relational database (via JDBCRealm)
– LDAP server (via LDAPRealm)
76
12/12/2003

Example: Tomcat's default Step 2: Tell web container that you

? <install-dir>/config/tomcat-users.xml are using Basic authentication
? Unencrypted: not secure but easy to set up ? In web.xml file of your web application
and maintain <web-app>
...
<security-constraint>...</security-constraint>
<?xml version='1.0'?> <login-config>
<tomcat-users> <auth-method>BASIC</auth-method>
<role rolename="manager"/> <realm-name>realm name</realm-name>
<role rolename="employee"/> </login-config>
...
<role rolename="admin"/> </web-app>
<user username="sang" password="sangPassword"
roles="manager,employee"/>
</tomcat-users>
77 78

Step 3: Specify which URLs should Step 4: Specify which URLs should
be access-controlled be available only with SSL
<web-app> <web-app>
... ...
<security-constraint> <security-constraint>
<web-resource-collection> <web-resource-collection>
<web-resource-name>WRCollection</web-resource-name> <web-resource-name>WRCollection</web-resource-name>
<url-pattern>/loadpricelist</url-pattern> <url-pattern>/loadpricelist</url-pattern>
<http-method>GET</http-method> <http-method>GET</http-method>
</web-resource-collection> </web-resource-collection>
<auth-constraint> <auth-constraint>
<role-name>admin</role-name> <role-name>admin</role-name>
</auth-constraint> </auth-constraint>
<user-data-constraint> <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> </user-data-constraint>
</security-constraint> </security-constraint>
<login-config> <login-config>
<auth-method>BASIC</auth-method> <realm-name></realm-name> <auth-method>BASIC</auth-method> <realm-name></realm-name>
</login-config> </login-config>
... ...
</web-app> 79 </web-app> 80
12/12/2003

Form-based Authentication
? Web application collects user identification
(user name, password, and other
information) through a custom login page
? Not secure since user name and password are
Form-based in “easily decode'able” form over the wire

Authentication –
–
Encoding scheme is Base64
Someone can easily decode it
based ?
– Not encrypted
Would need SSL for encrypting password
Web-tier Security 81 82

Steps for Form-based Authentication

based Web-tier Security
1.Set up username, passwords, and roles (realms)
2. Tell web container that you are using Form-based
authentication
3. Create Login page
4. Create Login failure error page
5.Specify which URLs (web resources) should be
access-controlled (password-protected)
6.Specify which URLs should be available only with
SSL (data integrity and confidentiality protected)
84
12/12/2003

Step 1: Set up username, Step 2: Tell web container that you

passwords, and roles (Realms) are using Form-based authentication
? Same as in Basic-authentication ? In web.xml file of your web application
<web-app>
...
<security-constraint>...</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>realm name</realm-name>
</login-config>
...
</web-app>

85 86

Step 3: Create Login Page Step 4: Create Login Failure page

? Can be HTML or JSP page ? Can be HTML or JSP page
? Contains HTML form like following ? No specific content is mandated

<FORM ACTION="j_security_check" METHOD="POST">

…
<INPUT TYPE="TEXT" NAME="j_username">
…
<INPUT TYPE="PASSWORD" NAME="j_password">
…
</FORM>

87 88
12/12/2003

Step 5: Specify which URLs should be Step 6: Specify which URLs should be
access-controlled (Same as Basic Auth) available only with SSL (Same as Basic Auth)
<web-app> <web-app>
... ...
<security-constraint> <security-constraint>
<web-resource-collection> <web-resource-collection>
<web-resource-name>WRCollection</web-resource-name> <web-resource-name>WRCollection</web-resource-name>
<url-pattern>/loadpricelist</url-pattern> <url-pattern>/loadpricelist</url-pattern>
<http-method>GET</http-method> <http-method>GET</http-method>
</web-resource-collection> </web-resource-collection>
<auth-constraint> <auth-constraint>
<role-name>admin</role-name> <role-name>admin</role-name>
<role-name>executive</role-name> </auth-constraint>
</auth-constraint> <user-data-constraint>
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
<transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>
</user-data-constraint> </security-constraint>
</security-constraint> <login-config>
<login-config> <auth-method>FORM</auth-method> <realm-name></realm-name>
<auth-method>FORM</auth-method> <realm-name></realm-name> </login-config>
</login-config> ...
... </web-app>
</web-app> 89 90

Basic vs. Form-based

Authentication
Basic Form-based
• Uses “browser provided • Uses “web application
dialog box” to get provided login page” to get
username and password username and password
• Only username and • Custom data can be
password can be collected collected
• Might result in different • Can enforce consistent look
look and feel and feel
• HTTP Authentication
header is used to convey
• Form data is used to convey
username and password
EJB
•
username and password
No good way to enter a
new user name
• Can enter a new user name
via login page
(Enterprise Java Beans)
91 92
12/12/2003

What is EJB Technology? Why EJB Technology?

? Cornerstone of J2EE
? A server-side component technology
? Easy development and deployment of
Java technology-based application that
are:
– Transactional, distributed, multi-tier, portable,
scalable, secure, …
93
? Leverages the benefits of component-
model on the server side
? Separates business logic from system code
? Provides framework for portable
components
– Over different J2EE-compliant servers
– Over different operational environments
? Enables deployment-time configuration
– Deployment descriptor
94

Do You Need an EJB Tier? EJB Architecture

? Yes, if you want to leverage middleware features
provided by container
– Resource management, instance life-cycle
management, concurrency control and threading
– Persistence, transaction and security management
– Messaging, scalability, availability
? Yes, if you want to build portable and reusable
business components
? Maybe not, for a simple application whose main
function is reading database tables
95 96
12/12/2003

EJB Architecture Contracts Client View Contract

? Contracts are specified in EJB specification ? Client of an EJB can be
? Client view contract – Web tier components: Servlet and JSP
– Contract between client and container – Standalone Java application
– Applet
? Component contract
– Another EJB in same or different container
– Contract between an Enterprise Bean and its
Container – Web services client (in EJB 2.1)
? Provides development model for clients
using EJB services

97 98

Client View Contract (Contd.) Component Contract: What

Container does (for Beans)
? Client view contract is comprised of ? Enables EJB method invocations from clients
– Home interface ? Manage the life cycle of EJB bean instances
? For local or remote clients
?
Contains methods for creating and locating beans
? Implements home and remote interfaces
– Remote interface ? Provide persistence for CMP entity beans
? For local or remote clients ? Provide runtime context information to beans
? Contains business methods ? Manage transactions, security, exceptions, etc...
– Object identity ? Implements callbacks
– Metadata interface
– Handle
99 100
12/12/2003

EJB Contracts Types of Beans

? Session Beans
– Stateful session beans
Client
Client view contract Enterprise – Stateless session beans
bean instances
? Entity Beans
EJB Component
Container contract – Bean Managed Persistence (BMP)
– Container Managed Persistence (CMP)
EJB server
? Message Driven Beans
– JMS
– JAXM
101 102

Session Beans When to Use Session

? Does work on behalf of a single client
? Is not persistent and hence relatively short
lived
– Is removed when the EJB™ server crashes
? Does not represent data in data store,
although can access/update such data
? Bean class implements
javax.ejb.SessionBean interface
103
Beans?
? Use Session beans to model process or control
objects specific to a particular client.
? To model workflow, processes or tasks,
manage activities (make reservation,
purchase...).
? To Coordinate processes between entity beans,
control interactions of beans.
? To Move business application logic from Client
to the Server Side.
104
12/12/2003

2 Types of Session Beans Examples of Session Beans

? Stateless: execute a request and return a
result without saving any client specific ? Stateless session beans
state information
– Catalog
– transient ? No client specific state needs to be preserved

– temporary piece of business logic needed by a

– Interest calculator
specific client for a limited time span
? No client specific state needs to be preserved
? Stateful: maintains client specific state
? Business logic with no need for database access

Stateless Session bean Stateful Session bean

? Staeful session beans
State instance data – Shopping cart
? Client specific state needs to be preserved

105 106

Entity Beans Entity Beans

? Provides object view of data in data store ? Clients normally look up (find) an existing
– Its lifetime not related to the duration of entity EJB
interaction with clients – Creation means adding a row to a database table
– Lives as long as data exists in database i.e. Long – Finding means finding a row in a existing database
lived table
– In most cases, synchronized with relational ? Entity bean instance has unique identifier
databases
called primary key
? Shared access among clients
– Primary key can be any class
? Bean class implements
javax.ejb.EntityBean interface
107 108
12/12/2003

Examples of Entity Beans 2 Types of Entity Beans

? Customer
– Customer data has to persist, thus is maintained
in the database
– Customer data has to survive server crash
– Customer data is shared by many clients
– Each customer has unique identification such as
customer number
? CMP (Container Managed Persistence)
– Persistence is managed by Container
– Persistence requirements are specified in
deployment descriptor
– Bean developer does not have to worry about
providing persistence logic in his code
? BMP (Bean Managed Persistence)
– Persistence logic code is provided by Bean
developer

109 110

When to Use CMP vs. BMP? Session Beans and Entity Beans
? CMP entity beans Session Beans
– With CMP 2.0, there is no reason not to use CMP
? Represent a business
– Database independence process
– Higher performance ? One instance per client
– Easy to develop and deploy ? Short-lived: Life of
client is life of bean
? BMP entity beans ? Transient
– More programmatic control is desired ? Doesn’t survive server
crashes
? May be transactional
Entity Beans
? Represent business data
? Shared instance for
multiple clients
? Long-lived: as long as
data in database
? Persistent
? Survive server crashes
?
Always transactional

111 112
12/12/2003

Entity and Session Beans—

Typical Architecture Entity and Session Beans

113 114

Message-Driven Beans (MDB)

? Acts as a consumer of asynchronous
messages
? Cannot be called directly by clients
– Activated upon message arrival
– No home or remote interface
? Clients interact with MDB by sending
messages to the queues or topics to which JMS
they are listening
(Java Message Service)
? Stateless
115 116
12/12/2003

Java Message Service (JMS)

? Messaging systems (MOM) provide
– Decoupled communication
– Asynchronous communication
– Plays a role of centralized post office
? Benefits of Messaging systems
– Flexible, Reliable, Scalable communication
systems
? Point-to-Point, Publish and Subscribe Connector Architecture
? JMS defines standard Java APIs to
messaging systems
117 118

m x n Problem Before Connector

Connector Architecture Architecture
? Defines standard SPI for integrating J2EE m n
technology with EIS systems App SAP
– CICS, SAP, PeopleSoft, etc. Server1
? Before Connector architecture, each App App EIS2
server has to provide an proprietary adaptor Server2
for each EIS system App EIS3
– m (# of App servers) x n (# of EIS'es) Adaptors Server3
? With Connector architecture, same adaptor App EIS4
works with all J2EE compliant containers Server
– 1 (common to all App servers) x n (# of EIS'es)
Adaptors 119 120
12/12/2003

Connector Architecture
? Defines
– Connection pooling
– Security
– Transaction

Other J2EE APIs &

Technologies
121 122

JNDI JDBC
? Java Naming and Directory Interface ? Provides standard Java programming API
? Utilized by J2EE applications to locate to relational database
resources and objects in portable fashion – Uses SQL
– Applications use symbolic names to find object ? Vendors provide JDBC compliant driver
references to resources via JNDI which can be invoked via standard Java
– The symbolic names and object references have programming API
to be configured by system administrator

123 124
12/12/2003

J2EE Management (JSR-77) J2EE Management (JSR-77) - J2EE 1.4

? Management applications should be able
to discover and interpret the managed data
of any J2EE platform
? Single management platform can manage
multiple J2EE servers from different vendors
? Management protocol specifications ensure
a uniform view by SNMP and WBEM
management stations
? Leverages JMX
125
? Management information model
• example: J2EE app server, EJB beans
? Mapping the information model to
• CIM (Common Information Model)
• SNMP MIB (Management Information Base)
• Java APIs for J2EE Management EJB component
(MEJB)
• Exposes managed objects as JMX Managed Beans
(Mbeans)
126

J2EE Deployment (JSR-88) - J2EE 1.4 JMX

Tools J2EE Platforms JMX API into
Standard the J2EE 1.4 platform
Dynamic Deployment
IDEs Deployment API
(Universal Remote)
JMX

Vendor Deploy
JMX
Tools
App
J2EE App Server

Management Tools JMX de-facto

A single technology for the J2EE platform

127 128
12/12/2003

JACC (Java Authorization Contract

for Containers) - J2EE 1.4
? Defines contract between J2EE containers
and authorization policy modules
–

–
Provider configuration subcontract
Policy configuration subcontract
J2EE as End-to-End
– Policy enforcement subcontract Architecture
? Enable application servers to integrate with
enterprise user registries and authorization
policy infrastructure
129 130

The J2EE Platform Architecture J2EE is End-to-End Solution

Firewall
J2EE
Application
B2B Server
Applications Client

Enterprise
Existing Enterprise Information
JavaBeans™
B2C Applications Client Systems (EIS):
Applications Client Relational
Database,
Web Enterprise Legacy
Client Server JavaBeans Applications,
Web JSP,
Services Servlets ERP Systems
Client
Application Server HTML/XML
Wireless Enterprise Other Services:
Enterprise
JNDI, JMS,
Applications Information Client Middle JavaMail™ Information
Systems
Tier Tier Tier

131 132
12/12/2003

N-tier J2EE Architecture

J2EE
Component & Container
Architecture
Web Tier EJB Tier

133 134

J2EE Containers & Components Containers and Components

Applet Container Web Container EJB Container Containers Components
Applet HTTP/
Handle Handle
JSP Servlet RMI EJB
HTTPS

J2SE
l Concurrency l Presentation
RMI/IIOP

RMI/IIOP

JavaMail JavaMail
Security Business Logic
JDBC

JDBC

l l
JMS

JTA
JNDI

JMS

JTA
JNDI

App Client JAF JAF

Container l Availability
App HTTP/ J2SE
Client HTTPS l Scalability
RMI l Persistence
RMI/IIOP

Transaction
JDBC
JMS
JNDI

J2SE J2SE
l Lifecycle
management
l Management
Database
135 136
12/12/2003

Containers & Components

? Containers do their work invisibly
– No complicated APIs
– They control by interposition
J2EE Application
? Containers implement J2EE Development & Deployment
– Look the same to components Life Cycle
– Have great freedom to innovate

137 138

J2EE Application Lifecycle Illustration

Development Lifecycle Creation Assembly Deployment
Assembled
Created by J2EE Modules and Augmented J2EE APP
Processed
? Write and compile component code Component
Developer
by Application
Assembler
by Deployer

– Servlet, JSP, EJB Deploy

? Write deployment descriptors for

components J2EE Container

? Assemble components into ready-to-

deploy'able package Enterprise
Components
? Deploy the package on a server

139 140
12/12/2003

J2EE Roles The Deployment Descriptor

? Component provider ? Gives the container instructions on how to
manage and control behaviors of the J2EE
– Bean provider
components
? Application assembler – Transaction
? Deployer – Security
? Platform provider – Persistence
– Container provider ? Allows declarative customization (as
opposed to programming customization)
? Tools provider
– XML file
? System administrator ? Enables portability of code
141 142

Possible J2EE Application

Anatomies
Web Server EJB Server

DB & EIS

J2EE Application
Resources

Anatomies
Browser Web Server EJB Server

Stand-alone

143 144
12/12/2003

J2EE Application Anatomies Which One to Use?

? 4-tier J2EE applications
? Depends on several factors
– Requirements of applications
– HTML client, JSP/Servlets, EJB, JDBC/Connector
– Availability of EJB tier
? 3-tier J2EE applications
– Availability of developer resource
– HTML client, JSP/Servlets, JDBC
? 3-tier J2EE applications
– EJB standalone applications, EJB, JDBC/Connector
? B2B Enterprise applications
– J2EE platform to J2EE platform through the exchange
of JMS or XML-based messages
145 146

What and Why a Reference

Implementation?
? Validates specification
? Fully-compliant
J2EE ? Fully-functional
Reference Implementation, ? Not commercial quality
– Scalability
Compatibility Suite, Brand – Performance
? Use it for prototyping
? Java Web Services Developer Pack is
147
production quality, however 148
12/12/2003

Compatibility Test Suite J2EE Application Verification Kit

(CTS) (J2EE AVK)
? Ultimate Java™ technology mission: ? How can I test my J2EE application portability?
– Write Once, Run Anywhere ™
• Obtain the J2EE RI 1.3.1 and the J2EE Application
– My Java-based application runs on any Verification Kit (J2EE AVK)
compatible Java virtual machines ? Self verification of application
– My J2EE based technology-based application
will run on any J2EE based Compatible – Static verification
platforms – Dynamic verification
? Obtain the tests results, verify that all
criteria are met
149 150

Compatible Products J2EE™ Technology Licensees

for the J2EE Platform (Brand) AOL Gemstone NEC Sonic
ATG Hitachi Nokia Sybase
ATG iPlanet BEA Systems IBM Merant Secant
Bea Systems Macromedia HP Bluestone Interworld Oracle Corp. SpiritSoft
Borland NEC BroadVision In-Q-My Cape Clear Talarian
Computer Oracle Borland IONA Persistence TIBCO
Associates Compaq iPlanet Pramati TMAX Soft
Pramati
CA Lutris SAS Institute TogetherSoft
Fujitsu SilverStream Fujitsu Macromedia Silverstream Trifork
Hitachi Sybase WebGain
HP Talarian
IBM Trifork
IONA
151 152
12/12/2003

The J2EE Platform “Ecosystem,” Major Investment in

Application Servers and… Compatibility by the Industry
? Tools ? Sun has spent scores of engineer years
– IDE’s: Borland JBuilder Enterprise, WebGain Visual developing tests
Cafe’, IBM Visual Age for Java™,
Forte™ for Java™, Oracle JDeveloper, Macromedia Kawa ? Licensees have spent scores of engineer
– Modeling, Performance, Testing, etc. years passing the tests
? Enterprise Integration: Connectors, ? Testing investment on top of specification
Java Message Service (JMS) API, XML investment, implementation investment,
? Components business investments
? Frameworks ? In total, tens of millions of dollars invested in
? Applications J2EE platform compatibility by the industry
153 154

J2EE BluePrint
? Best practice guidelines, design patterns
and design principles
– MVC pattern

J2EE Blueprint & ? Covers all tiers

– Client tier
Pet Store Application – Web tier
– Business logic (EJB) tier
– Database access tier
? Sample code
– Java Pet Store
155 156
12/12/2003
Web Services
Support in J2EE 1.4
157
Design Goals J2EE Web Services
Framework
? Portability of Web services component
– Over different vendor platform
– Over different operational environment
? Leveraging existing J2EE programming models
for service implementation
? Easy to program and deploy
– High-level Java APIs
– Use existing deployment model
159
J2EE 1.4 Theme
? Major theme is Web Services
? Allow J2EE applications to be exposed as
SOAP/HTTP based Web services
? Integrate with existing Web services
Ensure interoperability
?
• SOAPBuilder effort
• Will support WS-I Basic profile
158
What Is a J2EE Web Service?
? A set of endpoints (ports) operating on
messages
? Ports are operating within a container
– Container provides runtime environment
– Contract for runtime environment are specified in
JAX-RPC, EJB 2.1, JSR 109
? Service is described abstractly in WSDL
document and published to a registry
– WSDL specifies a contract between service provider
and client
160
12/12/2003

Web Service Component and Web Service Components

Container
Web services
? Container vs. Component model components

– Web services components get executed within a

container
– Components are portable (under J2EE 1.4)
? Web service components
– Web-tier (Servlet-based endpoint)
– EJB-tier (Stateless session bean-based endpoint)

161 Source: Web Services for J2EE (JSR 109), V1.0

162

Web Services for J2EE (JSR 109)

? Addresses overall Web services architecture
over J2EE
– Deployment requirements for Web service clients and

Java APIs for –

endpoints
Standard deployment descriptors
Web Services over J2EE – JAX-RPC programming model
– JNDI lookup of service objects
– Container-managed security
– Declaration of handlers and serializers
163 164
12/12/2003

JAX-RPC JAX-RPC Architecture Diagram

? Servlet-based Web service endpoint model JAX-RPC JAX-RPC
Client WSDL Document Service Endpoint
? XML data types to/from Java types mapping JavaïWSDL WSDLóJava
Generated Code
? WSDL to/from Java mapping
Container Container
? JAX-RPC Client Programming Models
? SOAP Message Handler framework Client-side JAX-RPC
Runtime System
Server-side JAX-RPC
Runtime System

? Extensible type mapping

SOAP

HTTP
165 166

Relationship to WSDL SOAP Message Handlers

JAX-RPC describes a Web Service as a collection
of remote interfaces and methods
Tools are used to convert between WSDL
documents and sets of Java remote interfaces
(“Generate Web Services Files” menu in Sun ONE
Studio 5, “wscompile” in Java WSDP)
WSDL describes a Web Service as a
collection of ports and operations
167
? Handlers let you access/modify SOAP
request and response messages
– Typically used to process service contexts in SOAP
header blocks
– Can be used to extend functionality of Web services
runtime system
? J2EE containers (which provide Web services
runtime) are likely to use them internally to provide
session/transaction propagation
? Example handlers:
– encryption, decryption, authentication,
authorization, logging, auditing, caching 168
12/12/2003

SOAP Message Handlers SOAP Message Handlers

? Pluggable and chainable
– Through standardized programming API
– Portable across implementations SOAP Message Handler Chain
? Has its own lifecycle <Request>
Service
– JAX-RPC runtime system calls init(), destroy() of a Handler Handler Endpoint (Port)
handler
? Handler instances can be pooled
? MessageContext is used to share properties SOAP Message
<Response>
among handlers in a handler chain
169 170

JAX-RPC Client Programming Service Implementation

Models public class AttachmentServiceImpl extends AttachmentService {
? Stub-based (least dynamic) public String storeImageService(DataHandler dh,
String imageFileName){
– Both interface (WSDL) and implementaion (stub) ...
created at compile time BufferedInputStream in =
? Dynamic proxy new BufferedInputStream (dh.getInputStream());
...
– Interface (WSDL) created at compile time
– Implementation (dynamic proxy) created at
runtime }

? Dynamic invocation interface (DII)

– Both interface (WSDL) and implementaion
created at runtime 171 172
12/12/2003

Client sending Attachment SAAJ

public class AttachmentServiceClient {
public static void main(String[] args) {
? Handles low-level SOAP message handling
... • Contains the API for creating and populating a SOAP
DataHandler dh =
messages conforming to SOAP 1.1 and SOAP with
new DataHandler(new FileDataSource(filename));
Attachment specifications
AttachmentService myProxy = ...
String response = myProxy.storeImageService(dh, filename); • Used by high-level APIs (such as JAX-RPC runtime)
... ? Contains API necessary for sending request-
}
}
response (non-provider-model) messages
? Separated out from JAXM 1.0 into JAXM 1.1
and SAAJ 1.1
173 174

Web Services Support in EJB 2.1 JAXR

? Defines Stateless Session Bean-based Web
? Standard Java API for performing registry
services endpoint model operations over diverse set
of registries
– Stateless session bean can be web services
implementation – Web service publication & discovery
– Web services endpoint interface (service definition ? A unified information model for describing
interface) for Stateless session bean business registry content
– Can implement SOAP Message Handlers for
Stateless session bean based endpoint
? Provides multi-layered API abstractions
– Level 0: for UDDI
– Level 1: for ebXML registry/repository
175 176
12/12/2003

JAXR Architecture

How to Get Started

177 178

Step1: How to Get Started (for
Beginners) for Web-tier
? Download and run Java Web Services Developer
Pack (Java WSDP) and its tutorial for web-tier
programming (Servlet and JSP)
? Java Web Services Developer Pack Download
– java.sun.com/webservices/downloads/webservicespack.html
? Java Web Services Developer Pack Tutorial
– java.sun.com/webservices/downloads/webservicestutorial.ht
ml
Step2: How to Get Started (for
Beginners) for EJB tier and Others
? Download and run J2EE 1.3.1 Reference
Implementation (RI)
– In the future course, we will use Sun ONE App Server 7
Platform Edition, which is production quality and is also
freely downloadable
? Study J2EE Tutorial from java.sun.com
– developer.java.sun.com/developer/onlineTraining/J2EE
/Intro2/j2ee.html

179 180
12/12/2003

Step3: Next Step (For Step4: Next Step (For Advanced

Intermediate J2EE Programmers)
? Leverage J2EE Blueprint
? Download and read J2EE Blueprint to learn
the best practice guidelines and design
patterns
? Download and run Java Pet Store as an
example of J2EE application based on best
practice guidelines
– java.sun.com/blueprints/guidelines/designing_e
nterprise_applications_2e/index.html
J2EE Programmers)
? Try J2EE IDE of your choice. Sun ONE Studio 4 EE
has 60 day free license with bunch of sample
programs you can try
? Sun ONE Studio 4 EE
– wwws.sun.com/software/sundev/jde/buy/index.html
? Sun ONE Studio 4 EE tutorial
– wwws.sun.com/software/sundev/jde/examples/index.html
? Other vendors also have good quality J2EE IDE's
– BEA, IBM, Borland
181 182

Step5: Next Step (For Advanced Step6: Next Step (For J2EE 1.4
J2EE Programmers) Features)
? There is no shortage of quality J2EE online ? We will use J2EE 1.4 Beta Reference
resources Implementation for building J2EE
– java.sun.com/j2ee applications that use 1.4 features (or we
– www.theserverside.com might use individually released packages)
– JAXP, JAX-RPC, JAXR, SAAJ
– JMX
– Management and Deployment
– JACC
– ...
183 184
12/12/2003

Next Step (For J2EE 1.4 Features)

? J2EE Application Verification Kit
? EcPerf (SPECJAppServer)
Evolution of Web
Application
Frameworks

185 186

Evolution of MVC Architecture Evolution of Web Application

Design before MVC Model 2
1. No MVC
2. MVC Model 1
3. MVC Model 2
4. Web application framework (based on MVC
Model 2)
? Struts, Sun ONE Application framework
5. Web application framework
? JavaServer Faces (JSR-127)
No MVC Model 1 architecture
187 188
12/12/2003

MVC Model 1 Architecture Why MVC Model 2 Architecture?

? What if you want to present different JSP
pages depending on the data you receive?
– JSP technology alone even with JavaBeans and
Browser JavaBeans custom tags (Model 1) cannot handle it well
(Model)
JSP
(Controller+View)
? Solution
– Use Servlet and JSP together (Model 2)
– Servlet handles initial request, partially process the
Enterprise servers/ data, set up beans, then forward the results to one
Client Tier Middle Tier Data sources of a number of different JSP pages

189 190

MVC Model 2 Architecture Web Application Frameworks

? Based on MVC Model 2 architecture
Servlet ? Web-tier applications share common set of
(Controller)
functionality
Browser Selection of view Access to – Dispatching HTTP requests
Model
JSP – Invoking model methods
(View) – Selecting and assembling views

Client Tier Enterprise servers/

? Provide classes and interfaces that can be
Middle Tier
Data sources used/extended by developers

191 192
12/12/2003

Why Web Application Framework? Web Application Frameworks

? De-coupling of presentation tier and business logic into
separate components ? Apache Struts
? Provides a central point of control ? Sun ONE Application Framework
? Provides rich set of features ? JavaServer Faces (JSR-127)
? Facilitates unit-testing and maintenance
– Standard-based Web application framework
? Availability of compatible tools
? Provides stability
? Enjoys community-supports
? Simplifies internationalization
? Simplifies input validation
193 194

Summary
? J2EE is the platform of choice for
development and deployment of n-tier,
web-based, transactional, component-
Summary & ?
based enterprise applications
J2EE is standard-based architecture
Resources ? J2EE is all about community
? J2EE evolves according to the needs of
the industry

195 196
12/12/2003

Resources Resources
? J2EE Home page ? Java Web Services Developer Pack Download
– java.sun.com/j2ee – java.sun.com/webservices/downloads/webservicespack.html

? J2EE Reference Implementation

? Java Web Services Developer Pack Tutorial
– java.sun.com/webservices/downloads/webservicestutorial.html
– http://java.sun.com/downloads/
? Sun ONE Studio 4 EE
? J2EE Tutorial – wwws.sun.com/software/sundev/jde/buy/index.html
– developer.java.sun.com/developer/onlineTraining/J2
EE/Intro2/j2ee.html
? Sun ONE Studio 4 EE tutorial
– wwws.sun.com/software/sundev/jde/examples/index.html
? J2EE Blueprint
? Sang Shin's free J2EE Programming course
– java.sun.com/blueprints/guidelines/designing_enter
prise_applications_2e/index.html – www.javapassion.com/j2ee
197 198

Evaluation Course #
ISUN2SN

199