One of the best things about NFJS shows is the pointers to sites I haven't been to and becoming aware of tools that the speakers use. It's not the kind of thing they'd typically devote an entire talk or blog entry on but it can be some very helpful stuff. There's plenty of that here along with overall concepts I got out of the talks.
Great show, maybe my brain will be ready in another year.
- Java Memory Performance and Garbage Collection by Ken Sipe
- Hacking - The Dark Arts by Ken Sipe
- Security Code Review by Ken Sipe
- Keynote: Soft Skills by Ken Sipe
- Spring + JPA + Hibernate by Ken Sipe
- Spring 2.5 without XML by Ken Sipe
- NetKernel by Brian Sletten
- Architecture and Scaling by Ken Sipe
- Git Control of your Source by Stuart Halloway
- Introduction to Hibernate by Scott Leberknight
- Expert Panel
- Real World Hibernate Tips by Scott Leberknight
- Google Your Domain Objects with Hibernate Search by Scott Leberknight
Java Memory Performance and Garbage Collection by Ken Sipe
- With heavy XML, lots of Strings end up in perm space.
- There are 2 kinds of GC
- Minor happens to young memory, relatively inexpensive
- Major happens to old memory, expensive, JVM comes to a halt
- It was thrown out that Spring applications instantiate a lot of classes and keep them around for a long time (singleton bean scope). The topic wasn't fully developed.
- Stateless server SOA type applications use young memory more than old
- Desktop applications use more old memory
- If you have a dual-core laptop, the JVM probably decides you're on a server and tunes itself accordingly (mis-tuning it for a desktop); you can send corrective arguments.
- Find all Java processes with jps
- View garbage collection statistics on a process every 250 milliseconds with jstat -gcutil 10201 250
- You can change arguments on a running JVM with jinfo
- You can kick off GC from jconsole and also change JVM arguments
- VisualVM is a good general tool for looking at the JVM
- The tool rivals capabilities of commercial profilers
- VisualGC is a plugin for VisualVM, very cool application
- it shows what GC is happening and to what areas of memory (new, old)
- If the old GC is frequent, your job is to reduce this by tweaking the nature of the application or the JVM settings
- to install the plugin: tools > plugins > (check off VisualGC) > install
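The talk's advice is to watch how often the old generation is collected. As an added example (not code from the talk or from the JDK tools), the program below parses the text that `jstat -gcutil <pid> <interval>` prints and turns the cumulative FGC counter into a rate. The sample output is constructed for the example, the interval of 250 ms matches the command above, and the class and method names are hypothetical. Columns are located by their header names, so the JDK 8+ layout (M and CCS instead of P) parses the same way.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: parse the output of `jstat -gcutil <pid> <interval>` and report
 * how often full (old-generation) collections are happening. Class and method
 * names are hypothetical; the sample output below is constructed, not captured.
 */
public class GcUtilMonitor {

    // Constructed sample of `jstat -gcutil 10201 250` output: a header, then one
    // row per 250 ms. YGC/FGC are cumulative counts since the JVM started.
    static final String SAMPLE =
        "  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT\n"
      + "  0.00  12.50  40.10  55.30  98.10    120    0.812     4    1.204    2.016\n"
      + "  0.00  12.50  65.40  55.30  98.10    120    0.812     4    1.204    2.016\n"
      + " 10.20   0.00   5.00  58.90  98.10    121    0.818     4    1.204    2.022\n"
      + " 10.20   0.00  30.00  58.90  98.10    121    0.818     5    1.560    2.378\n"
      + "  0.00   9.10   8.80  61.00  98.10    122    0.825     6    1.930    2.755\n";

    /** One sample: old-gen occupancy and the cumulative collection counters. */
    static final class Sample {
        final double oldPct;
        final long youngGcs;
        final long fullGcs;

        Sample(double oldPct, long youngGcs, long fullGcs) {
            this.oldPct = oldPct;
            this.youngGcs = youngGcs;
            this.fullGcs = fullGcs;
        }
    }

    /** Parses jstat -gcutil text; throws if the header lacks the columns we need. */
    static List<Sample> parse(String jstatOutput) {
        List<Sample> samples = new ArrayList<>();
        int o = -1, ygc = -1, fgc = -1;
        for (String line : jstatOutput.split("\n")) {
            String[] cols = line.trim().split("\\s+");
            if (cols[0].isEmpty()) {
                continue; // blank line
            }
            if (o < 0) { // first non-blank line is the header: find columns by name
                List<String> names = Arrays.asList(cols);
                o = names.indexOf("O");
                ygc = names.indexOf("YGC");
                fgc = names.indexOf("FGC");
                if (o < 0 || ygc < 0 || fgc < 0) {
                    throw new IllegalArgumentException("not jstat -gcutil output: " + line);
                }
                continue;
            }
            if (!Character.isDigit(cols[0].charAt(0))) {
                continue; // jstat repeats the header when run with -h<n>
            }
            samples.add(new Sample(Double.parseDouble(cols[o]),
                                   Long.parseLong(cols[ygc]),
                                   Long.parseLong(cols[fgc])));
        }
        return samples;
    }

    /** Full GCs per second across the samples, given the jstat interval in ms. */
    static double fullGcsPerSecond(List<Sample> samples, long intervalMs) {
        if (samples.size() < 2) {
            return 0.0;
        }
        long delta = samples.get(samples.size() - 1).fullGcs - samples.get(0).fullGcs;
        double seconds = (samples.size() - 1) * intervalMs / 1000.0;
        return delta / seconds;
    }

    public static void main(String[] args) {
        List<Sample> samples = parse(SAMPLE);
        long intervalMs = 250;
        Sample first = samples.get(0);
        Sample last = samples.get(samples.size() - 1);
        double rate = fullGcsPerSecond(samples, intervalMs);
        System.out.printf("%d samples: young GC +%d, full GC +%d, old gen %.1f%% -> %.1f%%, %.2f full GC/s%n",
            samples.size(), last.youngGcs - first.youngGcs, last.fullGcs - first.fullGcs,
            first.oldPct, last.oldPct, rate);
        // The threshold is arbitrary for the demo; derive one from your own baseline.
        if (rate > 0.1) {
            System.out.println("WARN: frequent old-generation collections; "
                + "look at object retention or the heap/generation sizing");
        }
    }
}
```

On the constructed sample this reports two full collections across one second of samples. In practice, pipe a real `jstat` run through it and compare the rate before and after a change to the application or to the heap settings; a rising old-gen percentage together with frequent full GCs points at retained objects, not at the collector.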
Hacking - The Dark Arts by Ken Sipe
- Most security money goes into infrastructure and networking gear
- Most attacks are at the web-application layer
- As security increases, usability usually decreases
- The best hacking tools are on Linux (surprise)
- By far the most common attacks at the web application layer are cross-site scripting and SQL injections
- As part of their re-focus, Microsoft has started to create 'abuse cases' to go along with their use cases. The abuse cases are to call out how their applications may be attacked or mis-used.
- Hackers usually want to set their mac address to something different. It should be possible to do this through software.
- to avoid identification
- to assume the networking capabilities of another user
- he pointed out an example of using the airport wi-fi: you find out someone's mac address on the network, manually switch yours and then become them.
- keylength.com is a good resource for figuring out the strength of your key
- owasp is a good overall security resource
- sans is another good security resource
- aircrack and kismet are good tools for auditing wireless networks.
- nessus is a network vulnerability scanner
- webgoat is a sample insecure J2EE application for learning purposes
- webscarab analyzes web applications. It's useful from more than a security standpoint.
- Recon
- netcraft can tell you what HTTP server and OS a target is using
- hackers might look at job postings to learn about back end technology
- Writing Secure Code is a very good security book (even though it's M$ Press)
- Firefox plugins (gotta use Firefox, lots of tools)
- hackbar
- tamper data
- firebug can do breakpoints, I didn't know that
Security Code Review by Ken Sipe
- Use PMD and FindBugs to create overall good code
- Here are some good videos of how to use nmap
- Security model should deny everything and allow as needed
- bouncy castle is the most popular Java security library. The standard Java libraries are consistently behind.
- Most important things for security if doing PKI
- key strength
- time (how often you rotate)
- Logging
- Should get IP address of requestor
- Log all failed attempts at logging in
- Consider using a debug log for developers and an audit for forensics
- Deep Fried Bytes episode 11 is recommended
- You should store application passwords inside of a keystore. This seems impractical to me, gotta look into it
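The logging and "deny everything, allow as needed" points above are easy to get subtly wrong, so here is an added example (not code from the talk) of both in plain Java with java.util.logging: an explicit allow list where anything absent is denied, a developer debug log kept apart from an audit log that records the requester's IP and every failed login, and user-supplied strings scrubbed of line breaks so a crafted username cannot forge extra audit lines. Class, method and logger names are hypothetical, and the events in main are constructed.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example: deny-by-default authorization plus separate debug and audit
 * logs. Names are hypothetical; not from the talk or any framework.
 */
public class AccessGate {

    // Two distinct loggers so the audit stream can be routed and retained
    // separately from developer noise (different handler, level and retention).
    private static final Logger DEBUG = Logger.getLogger("app.debug");
    private static final Logger AUDIT = Logger.getLogger("app.audit");

    // Explicit allow list: a principal with no entry, or an action not listed, is denied.
    private final Map<String, Set<String>> allowed = new HashMap<>();

    void allow(String principal, String action) {
        allowed.computeIfAbsent(principal, p -> new HashSet<>()).add(action);
    }

    /** True only when the action was explicitly granted; everything else is denied. */
    boolean isAllowed(String principal, String action) {
        return allowed.getOrDefault(principal, Collections.emptySet()).contains(action);
    }

    /** Strip CR/LF/TAB from attacker-influenced values so one event stays one audit line. */
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n\\t]", "_");
    }

    /**
     * Records an authentication attempt with the requester's IP. Failures and
     * successes both go to the audit log so forensics can sequence events.
     * The submitted password is never passed in here, so it cannot be logged.
     */
    void recordLogin(String user, String remoteIp, boolean success) {
        String u = clean(user), ip = clean(remoteIp);
        DEBUG.fine(() -> "login attempt user=" + u + " from " + ip);
        if (success) {
            AUDIT.info(() -> "LOGIN_OK user=" + u + " ip=" + ip);
        } else {
            AUDIT.warning(() -> "LOGIN_FAIL user=" + u + " ip=" + ip);
        }
    }

    /** Authorization decision; denials are audited, grants stay in the debug log. */
    boolean authorize(String principal, String action, String remoteIp) {
        boolean ok = isAllowed(principal, action);
        String p = clean(principal), a = clean(action), ip = clean(remoteIp);
        if (ok) {
            DEBUG.fine(() -> "allow user=" + p + " action=" + a);
        } else {
            AUDIT.warning(() -> "DENY user=" + p + " action=" + a + " ip=" + ip);
        }
        return ok;
    }

    public static void main(String[] args) {
        // Give the audit logger its own handler. In production this would be a
        // FileHandler on append-only storage, not the console.
        AUDIT.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.ALL);
        AUDIT.addHandler(handler);
        AUDIT.setLevel(Level.ALL);

        AccessGate gate = new AccessGate();
        gate.allow("alice", "report:read");

        // Constructed events: a failed login, a successful one, then three decisions,
        // the last using a username that tries to inject a fake audit line.
        gate.recordLogin("alice", "203.0.113.7", false);
        gate.recordLogin("alice", "203.0.113.7", true);
        System.out.println("alice report:read   -> " + gate.authorize("alice", "report:read", "203.0.113.7"));
        System.out.println("alice report:delete -> " + gate.authorize("alice", "report:delete", "203.0.113.7"));
        System.out.println("mallory report:read -> "
            + gate.authorize("mallory\nLOGIN_OK user=admin", "report:read", "198.51.100.9"));
    }
}
```

One caveat on the "get the IP address of the requestor" item: behind a load balancer or reverse proxy the socket address is the proxy's, and the client address is only as trustworthy as the header the proxy sets, so log both and only believe the forwarded value when it comes from a proxy you control.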
Keynote: Soft Skills by Ken Sipe
- You are in charge of your career, your company is in charge of your job
- Consume a lot of information (RSS feeds)
- Share information
- Increase your digital footprint; blog, don't just complain, offer solutions
- Learn quickly, unlearn quicker
- Be the dumbest in the room
- Don't hoard information, you add more value by sharing
- Leadership is integrity and skill
- Always have an elevator speech ready about how you are adding value
Spring + JPA + Hibernate by Ken Sipe
- JPA specification
- SQL Squirrel is an open source Java JDBC application, has a simple graphing capability
- Groovy objects are simpler to put together and you can annotate them just like Java POJOs
- Hibernate: JpaSupportTemplate isn't recommended
Spring 2.5 without XML by Ken Sipe
- Unrelated: Jersey has annotations for ReST services
- AOP annotations
- Vertical: @Pointcut("bean(account*)")
- Horizontal: @Pointcut("bean(*Dao)")
- AutoWiring
- Field based
- don't need setters for dependencies
- don't need XML configuration
- injecting alternate dependencies (mocks) may be painful (maybe reflection?)
- Ken really likes SpringMVC
- they're really getting the config smooth
- it's the future of Spring's web-services story
- ClassPathBeanDefinitionScanner can make it possible to completely go without XML configuration
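The two bean() pointcuts from the AOP bullets above, placed in a complete aspect as an added example (not code from the talk or from Spring). It assumes spring-aop and aspectjweaver on the classpath, auto-proxying enabled with `<aop:aspectj-autoproxy/>` in the XML (or `@EnableAspectJAutoProxy` in later Spring versions), and a component scan that picks up the @Component; the class and pointcut names are hypothetical.

```java
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;

/**
 * Added example: the talk's "vertical" and "horizontal" bean() pointcuts in one
 * aspect that times every public call on the matched beans. Names are hypothetical.
 */
@Aspect
@Component
public class TimingAspect {

    // Vertical: every bean whose name starts with "account", i.e. one feature slice
    // top to bottom (controller, service, DAO).
    @Pointcut("bean(account*)")
    public void accountBeans() {}

    // Horizontal: every DAO across all features, selected by naming convention.
    @Pointcut("bean(*Dao)")
    public void daoBeans() {}

    // Advice runs for calls matched by either pointcut; the proxy only intercepts
    // calls that come in through the bean reference, not self-invocations.
    @Around("accountBeans() || daoBeans()")
    public Object time(ProceedingJoinPoint pjp) throws Throwable {
        long start = System.nanoTime();
        try {
            return pjp.proceed();
        } finally {
            long micros = (System.nanoTime() - start) / 1000;
            System.out.printf("%s took %d us%n", pjp.getSignature().toShortString(), micros);
        }
    }
}
```

The bean() designator is Spring-specific (it is not part of AspectJ's own language), which is why it is only useful for Spring-managed beans and why the aspect must itself be a bean.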
NetKernel by Brian Sletten
- Roy Fielding's PhD thesis on ReST
- NetKernel has increased performance and reduced team size in real-world situations
- Even if you don't like it or get it, you should be aware this technology exists
- NetKernel is a modern micro-kernel environment on the JVM
- Runs all JVM languages easily
- The transformation of data (termed resource) is an integral concept
- Conceptually it's similar to Unix pipes; passing data on and small simple tools to re-use
- XQuery is a SQL-like syntax for getting data in and out of XML
- He used the musicbrainz API for examples, it's ReSTful
- Overall it's hard to describe but very compelling
Architecture and Scaling by Ken Sipe
- Don't look to language (Groovy, JRuby) as the culprit in performance issues
- Scalability is the linear increase of response time under increased load
- At some point all systems go exponential
- Identify this point and set up systems to reject users before the system goes down
- Scaling
- Vertical: add more CPU, RAM
- sometimes it's the answer but has obvious limitations
- applicable for stateful applications
- Horizontal: add more nodes
- takes initial performance hits because of up-front hardware and networking
- scales out more than vertical
- applicable for stateless applications
- highscalability.com is a good resource
- Polling doesn't scale
- Watch unbound queries
- Jetty has a new asynchronous request model for their Servlet 3.0 implementation, keep an eye on this
- Pro Java EE Performance - chapter 9 is free online, shows how to go about capacity planning
- SLAs should be based on load (concurrent requests)
- Use jmeter for capacity planning
- Refer to Amdahl's Law when considering how much improvement to expect by making a portion of your application parallel
- Look into cloud computing, cloudstatus is a resource for seeing how they perform
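The point about finding the knee in the response-time curve and rejecting users before the system goes down can be implemented with nothing more than a bounded semaphore. The following is an added example (not code from the talk): a load shedder that admits at most the concurrency measured in capacity planning, waits briefly for a slot, and otherwise fails fast so the rejected request costs almost nothing. The numbers in main are a constructed scenario and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example: cap in-flight requests at the concurrency where load testing
 * showed response time leaving the linear region, and fail fast beyond it.
 * Class and method names are hypothetical.
 */
public class LoadShedder {

    /** Thrown when no slot frees up in time; a servlet filter would map it to HTTP 503. */
    static class OverCapacityException extends RuntimeException {
        OverCapacityException(String msg) {
            super(msg);
        }
    }

    private final Semaphore slots;
    private final long maxWaitMs;

    LoadShedder(int maxConcurrent, long maxWaitMs) {
        this.slots = new Semaphore(maxConcurrent, true); // fair, so no waiter starves
        this.maxWaitMs = maxWaitMs;
    }

    /** Runs the work if a slot is free within maxWaitMs, otherwise rejects it. */
    <T> T run(Callable<T> work) throws Exception {
        if (!slots.tryAcquire(maxWaitMs, TimeUnit.MILLISECONDS)) {
            throw new OverCapacityException("rejected: " + slots.getQueueLength() + " waiting");
        }
        try {
            return work.call();
        } finally {
            slots.release();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: the knee was measured at 4 concurrent requests of
        // ~100 ms each; 20 requests arrive at once and each waits at most 50 ms.
        LoadShedder shedder = new LoadShedder(4, 50);
        AtomicInteger served = new AtomicInteger();
        AtomicInteger rejected = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(20);
        List<Future<?>> futures = new ArrayList<>();
        for (int i = 0; i < 20; i++) {
            futures.add(pool.submit(() -> {
                try {
                    shedder.run(() -> { Thread.sleep(100); return null; }); // stand-in for real work
                    served.incrementAndGet();
                } catch (OverCapacityException e) {
                    rejected.incrementAndGet();
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            }));
        }
        for (Future<?> f : futures) {
            f.get();
        }
        pool.shutdown();
        System.out.printf("served=%d rejected=%d (capacity 4, wait 50 ms, work 100 ms)%n",
            served.get(), rejected.get());
    }
}
```

With those numbers the first four requests are served and the rest are rejected after 50 ms, which is the intended behaviour: the SLA is expressed in concurrent requests, the limit comes from the jmeter run rather than a guess, and the rejected callers get an immediate answer instead of joining a queue that pushes everyone past the knee.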
Git Control of your Source by Stuart Halloway
- Git is a bigger mind-shift than going from CVS to SVN
- Git keeps around everything unless you trigger or ask for garbage collection to happen, so if you really screw up it probably has local history around
Introduction to Hibernate by Scott Leberknight
- H2 is the successor to HSQLDB
- Highly recommended to use Spring if you ever do Hibernate
- A caveat to annotated fields is that your setter doesn't get called by the framework
- session.get() gets a fully populated object graph
- session.load() returns a proxy you can use for lazy-loading
- It doesn't request child collections until you ask for them
- You can do HQL, criteria and QBE queries
Expert Panel
- JVM is more relevant as a platform than Java is relevant as a language
- TDD more important in the age of dynamic languages
- Polyglot programming
- Keep an eye on innovation in the Microsoft CLR & C#
- Interest in functional languages on the JVM
- Not too concerned about the health of Java with respect to Sun's financial problems
- Jay says they get bought in 2009 by a private equity firm
Real World Hibernate Tips by Scott Leberknight
- Don't use all features of Hibernate, just because it's there doesn't mean you should use it
- Hibernate settings can make the log files much easier to read
<prop key="hibernate.show_sql">true</prop>
<prop key="hibernate.format_sql">true</prop>
- You can use the improved naming strategy, it's more sane_for_databases.
<property name="namingStrategy" ref="improvedNamingStrategy"/>
- SQLProfiler uses SQLSpy to profile your database usage
- Set up selenium tests against your application and compare SQLProfiler results before and after trying different persistence performance improvements
- Don't waste time trying to conform to the JPA if you don't have to
Google Your Domain Objects with Hibernate Search by Scott Leberknight
- Luke is a tool for seeing what your Lucene directory is storing
- RDBMS sucks at full text searching, Lucene is good and scales
- Hibernate Search sits atop Lucene and Hibernate