4. Plan J2EE security from the beginning.
Enable WebSphere security. This allows your EJB and URL to at least access all authorized users. Don't ask why - it is done.
In the customers who work with us, the customers who have intended to enable WebSphere J2EE security have been very small, and this has always been surprised. It is estimated that only 50% of customers are intended to use this feature. For example, we have worked with some large financial institutions (banks, agents, etc.), they have not intended to enable security. Fortunately, this problem is resolved when deployed.
It is dangerous to use J2EE security. Suppose your application needs security (almost all applications need), you betting your developers can build their own security system, and this system is better than you bought from J2EE manufacturers. This is not a good bet, providing security for distributed applications is unusual. For example, you need to use a network security dollar to control access to EJB. In our experience, most of them build security systems are unsafe, and have a major defect, which makes the product system extremely fragile.
Some reasons that do not use J2EE security include: Worrying performance decline, believes other security, such as NETEGRITY SITEMINDER, can replace J2EE security, or do not know WebSphere Application Server security features and features. Don't fall into these traps, especially, although products like Netegrity Siteminder provide excellent security features, just it is impossible to protect the entire J2EE application. These products must be combined with the J2EE application server to protect your system.
Other common reasons why J2EE security is: the role-based model does not provide sufficient granular access control to meet complex business rules. Although the truth is like this, this should not be a reason not to use J2EE security. Conversely, J2EE verification and J2EE roles should be combined with specific expansion rules. If complex business rules need to make security decisions, write the corresponding code, and its security decisions should be based on direct use and reliable J2EE authentication information (user ID and role).
5. Create what you know.
Repeated development work will allow you to gradually master all J2EE modules. To start from creating a small and simple module instead of starting from the beginning, you will immediately involve all modules.
We must admit that J2EE is a huge system. If a development team is just starting to use J2EE, it will be difficult to master it. There are too many concepts in J2EE and the API need to be mastered. In this case, the key to successfully master J2EE is starting from a simple step.
This approach can be achieved by creating small and simple modules in your application. If a development team creates a simple domain model and the back-end persistence mechanism (perhaps JDBC), it enhances their self-confidence, so they will use this domain model to go Master the use of the front end development of Servlet and JSP. If a development group finds it necessary to use EJB, they also use simple session Facades on the persistent EJB components managed by the container, or use JDBC-based Data Access Objects, DAOs. Instead of skiping these to use more complex constructions (such as messaging beans and JMS).
This method is not a new method, but there are very few developing groups to cultivate their skills in this way. Conversely, most development groups are to build all modules immediately, while involving view layers, model layers, and controllers in MVC, what they often fall into the pressure of progress. They should consider some agile development methods, such as extreme programming (XP), which use an incremental learning and development. In XP, there is a process called modelfirst, which involves building domain models as a mechanism to organize and implement user scenes. Basically, you have to build a domain model as the primary section of the user scene you want to implement, and then build a user interface (UI) as the result of the user scene on top of the domain model. This method is ideal for a development group to learn only one technique, rather than letting them face a lot of situations (or let them read a lot of books), which will crash them. Also, development of repetition of each application layer may contain some appropriate modes and best practices. If you start using some patterns such as data access objects and session Facades, you should not use domain logic in your JSP and other view objects.
Finally, when you develop some simple modules, you can perform performance testing for your application at the beginning of the beginning. If performance test is performed until the later application development, this often has a disastrous consequence.
6. Always use the session Facades when using the EJB component.
Never expose entity beans directly to any user type. The entity bean can only use the local EJB interface (LOCAL EJB Interfaces).
When using the EJB component, use a session facades is a confirmation of undoubted best practices. In fact, this general practice is widely applied to any distributed technique, including CORBA, EJB, and DCOM. Fundamentally, your application's distribution "cross-zone" is below the underlying, the less time consumption of small blocks due to multiple repetitive network relays. The method to achieve this is to create a large-scale Facades object. This object contains a logical subsystem, so you can complete some useful business features through a method call. This method can not only reduce the network overhead, but also creating a transaction environment within EJBs to create a transaction environment for the entire business function, can also greatly reduce the number of access to the database.
The EJB local interface (starting from the EJB 2.0 specification) provides performance optimization methods for coexisting EJBs. The local interface must be explicitly accessed by your application, which requires a change in the code to prevent the application to change when configuring EJB later. Since session, Facades and the entire EJB it contains should be local for each other, we recommend using local interfaces using entity beans behind session facade. However, the implementation of session facades itself (typical examples such as stateless session beans) should be designed as remote interfaces.
For performance optimization, you can add a local interface to the session Facades. This uses this fact that in most cases (at least in the web application), your EJB client and EJB will also exist in the same Java Virtual Machine (JVM). Another situation, if the session facade is locally called, you can use the J2EE application server configuration optimization ("No Local Copies" in WebSphere. However, you must notice that these alternative scenarios will change the interaction method from the PASS-BY-VALUE to pass-by-reference. This may have a very subtle error in your code. When you use these scenarios, you should consider its feasibility at this. If you use a remote interface in your session (instead of local interface), you can also configure the same session Facades in a compatible manner in J2EE 1.4 as a web service. This is because JSR 109 (Web Service Deployment in J2EE 1.4) requires remote interfaces that use stateless session beans as an interface implemented by EJB Web services and EJB. This is worth it, because this can add the number of client types to your business logic.
7. Use stateless session beans instead of state session beans.
Doing so allows your system to stand the error. Use httpsession storage and user-related status.
In our point of view, the concept of stateful session bean is outdated. If you think about it carefully, a stateful session bean is actually identical to a CORBA object in the architecture, nothing more than an object instance, binding to a server, and relying on the server to manage its lifecycle. If the server is turned off, this object does not exist, then this bean's client information does not exist.
The J2EE Application Server provides failover (Failover) provided by stateful session beans to solve some problems, but there is no state-of-state solution that is not expanded. For example, in WebSphere Application Server, requests for stateless session beans are implemented by balanced loading of member clusters deployed in a stateless session. Conversely, the J2EE application server cannot balance the request for state Beans. This means that the loading process of the server in your cluster will be uneven. In addition, using status session beans will add some status to your application server, which is also a bad practice. This increases the complexity of the system and makes problems complicated in the event of a failure. A key principle of creating a robust distributed system is to use stateless behavior.
Therefore, we recommend using a stateless session bean method for most applications. Any user-related state related to the user should be transmitted to the EJB in the form of parameters (and store it by using a mechanism such as HttpSession) or from persistence backend (eg, by using entity beans) ) Search as part of the EJB transaction. In appropriate, this information can be cached in memory, but pay attention to save this cache potential challenge in a distributed environment. The cache is very suitable for readup data.
In summary, you have to make sure that stretchability is taken into account from the beginning. Check all the ideas in the design and take into account whether you can run normally when your application is running on multiple servers. This rule is not only suitable for the above-mentioned application code, but also for the case of MBean and other management interfaces. Avoiding statusity is not just recommendations for IBM / WebSphere, this is a basic J2EE design principle.