Saturday, December 15, 2007

EclipseWebEnabler by Alphaworks

The eclipse plugin that would enable your eclipse for remote access using Mozilla browser.

Amazing idea, a very innovative eclipse plugin. It still needs a lot of work but definitely I would keep a track of its changes.

You need to see it to believe it.

It could change the way we use central repositories forever. I'm just waiting for it to be completely functional.

Download and try from

Sunday, November 25, 2007

Hourly Clock

Announcing the availability of Hourly Clock a Google Gadget developed by me. It uses the nice Google gadget API to show a simple clock and give hourly reminders of the time. So don't let the time just pass by, use this gadget....

Non WS-I document literal web service

A document literal web service with more than one parts specified for the same message is not WS-I compliant.

<wsdl:message name="HelloDudeSoapIn">
<wsdl:part name="name" element="tns:name"/>
<wsdl:part name="age" element="tns:age"/>

The SOAP message would look like:


Why the restriction, think about validation of the message. I would have to extract the name and age elements seperately and then validate them against an XSD. If the elements were within a single tag...


The person element can be completely validated after the person element is extracted.

Wednesday, November 14, 2007

XPath injection

XPath injection

What is XPath?

XPath (XML Path Language) is an expression language for addressing portions of an XML document, or for computing values (strings, numbers, or boolean values) based on the content of an XML document.
For more information see XPath tutorial.

Understanding the attack

XPath injection is an attack where data is taken from the user without validation (or incomplete validation) and which modifies the behavior of the XPath expression by masquerading XPath as data.

Assume that we have user id and password stored in xml files and we use XPath for validating them. The xml containing the user id and password looks like:


To validate the user id and password against the xml we use the XPath expression
//user[id/text()='+ {input user id} +' and password/text()='+ {input password} +']
we execute the XPath and check if it returns any nodes, if it returns any nodes then the password is valid. If the entered used id is sash and the password is sash123 the XPath would become
//user[id/text()='sash' and password/text()='sash123']

and would return the user node and the password would be validated. If a wrong password is used no node would be returned and the validation would fail.

Now while injecting XPath in the password field ' or 'a' = 'a is entered. The XPath would become
//user[id/text()='sash' and password/text()='' or 'a' = 'a']
which would return multiple rows and the validation would pass.

Simulating the attack

Sample C# code

XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("XPATH_INJECT.xml"); // use the same xml as above
XPathNavigator nav = XmlDoc.CreateNavigator();
XPathExpression expr = nav.Compile(
+ textBox1.Text + "' and password/text()='" + textBox2.Text + "']");

XPathNodeIterator iterator = nav.Select(expr);
if (iterator.MoveNext())
result.Text = "passed";
result.Text = "failed";

Sample Java code

XPathFactory factory = XPathFactory.newInstance();
XPath xPath = factory.newXPath();
File xmlDocument = new File("XPATH_INJECT.xml");
InputSource inputSource = new InputSource(
new FileInputStream(xmlDocument));

String user = jTextField1.getText().trim();
String pwd = jTextField2.getText().trim();
XPathExpression expr = xPath.compile(
"//user[id/text()='" + user +
"' and password/text()='" + pwd +
"' ]");
Object result = expr.evaluate(inputSource, XPathConstants.NODESET);

NodeList nodes = (NodeList) result;

jLabel3.setText("Valid"); }
jLabel3.setText("Failed"); }

How to protect against the attack:

There are many ways of preventing this attack

  1. Validate the input
  2. Escape the ' or '' characters
  3. This attack is similar to SQL injection, the most common solution to SQL injection attack is using a prepared statement, but something similar is not available in XPath. This though can be achieved using XQuery but XQuery is not directly supporeted without the use of external libraries in .Net or Java.

The best solution would be escaping the ['] characters, in our example if we replace a ['] with [']['] in the input, we would avoid the attack.
In the previous case our password text entered was ' or 'a' = 'a but this would be modified to '' or ''a'' = ''a
//user[id/text()='sash' and password/text()=''' or ''a'' = ''a']
and would not produce any results (and it is a valid XPath).

This XPath passes in Altova XML spy but not in Java 6 or .Net 2.0

So we still need to find an elegant solution to the problem!!!!

In all the proposed solutions solution (3) is the most elegant but the support is still very limited.

Whats left

Some of the databases now support XPath, in case your database supports XPath be very careful about the inputs (don't forget the validation).


Thursday, October 25, 2007

Practical SOA patterns

The SOA patterns I have discussed do not talk about the organization IT policies but the practical SOA patterns:-
1.1 Avoid point to point Web Services:
Problem: Web Service point to point is STILL point to point; doing a bad practice in XML doesn't make it better.

Effect: An organization believes that they are creating next generation loosely coupled architecture just because they are using Web Services. Web Service calls are invoked directly, using a URI which is hard-coded into the WSDL. Having a highly disorganized and interdependent systems model leads to increased cost of change and a high degree of fragility of the enterprise. When one service is changed a number of other services either fail or behave in unpredictable ways. There is a lack of clarity as to how one service depends on another and what the impact of change is across these services. Consumers then start demanding multiple versions of services, and these add further to the spaghetti in the enterprise.

While designing a BPEL process the endpoints of the web service may not be known, there is no simple way to determine the web service endpoint dynamically.

Resolution: The first step is to indirect all of the calls and this can be done in a number of ways; the least invasive is to "proxy" all web-service requests via some form of mediation. So while the host application is still calling, this is proxied so mediation and routing can be applied if required. The next stage is to understand the different dependencies and identify those which are valid and those which should have been done in a more managed way. A clear governance plan then needs to be created to identify and manage dependencies and versions and to help manage the Web Service infrastructure.

Once this level of management has been created it is time to start considering what the enterprise Service model should be, that requires the creation of the business service architecture and then overtime evolving the current infrastructure to better represent the business that pays for it.
1.2 Use Business Rules to make your process flexible:

Problem: Orchestration Languages provide constructs that break the linear flow of control. These constructs alter the flow of service orchestration based on run time information. These constructs change often.

Effect: In mortgage decisioning a conditional control structure implements the pre-screening step that determines whether the process performs decisioning or generates a rejection letter instead. The conditional verifies eligibility, determining how the orchestration unfolds based on whether the applicant's credit score is above a threshold. In effect, the condition associated with a control structure in the orchestration definition captures a business rule. In case the threshold changes, there is a change in the business process and the process needs to be changed and deployed again.

Resolution: Business rules complement processes. While business processes provide recipes for achieving results, business rules describe the operations, definitions and constraints that apply to an organization in achieving these results. For example a business rule might state that no credit check is required for existing Orchestra Bank customers. A business rules engine integrated with the BPEL manager can be used to solve the problem.

1.3 Use Composite Services to combine multiple services:

Problem: We need to combine the functionality of multiple services and make it available to consumers interested in is as a whole rather than the individual services implementing it.

Effect: Combining existing services could provide significant value over any individual service. In fact the recursive composition is key to the ability of adding value through combining functionality of the existing services. As the number of SOA adopters increases so does the number of choices.

Service consumers require functionality which can be implemented by suitably combining multiple existing services. They do not want to make multiple calls to the individual services and control the invocation flow.

Combining the functionality of existing business services (especially when they are provided by different organizations) requires a certain amount of know how and typically has sensitivities (e.g., the underlying services may change or different providers for these services can be selected). Exposing this knowledge to the service consumer introduces coupling.

Following mergers and acquisitions or through agreements with multiple partners several business services with similar functionality can be available to the enterprise (similarly to the credit check service from the context). These services can be distinguished by their interfaces and SLAs. The availability of multiple choices places the onus of selecting one service to the consumers, thus introducing coupling.

Solution: Expose the services involved in satisfying required functionality and their coordination as a separate service.
I was already using quite a few of these patterns but found them documented in Antipatterns and Orchestration patterns.

Wednesday, September 26, 2007

Java Annotations

I was preparing a talk on annotations in java and ended up learning a few cool stuff.

I believe the utility of annotations would be the freedom from implementing interfaces like the JUnit test case and the EJB 3.0.

New and innovative uses for annotations are also likely to come up.

Annotations is cool if used intelligently. Now if a developer wants to use a annotations to save configuration values I ask can you blame annotations.

The problem lies sometimes in the fuzziness of what is configuration values. Say in hibernate in by bean I hard code my table name, is my table name configuration. I believe not, but in some cases it could be true. I haven't seen table names being different in production environment and development but using annotations makes it less flexible.

Sun could have made the creation of annotations more 'Java like' @interface to define an annotation and the definition of the default values....

The annotation processing tool is also very interesting. The tool ties us with the Sun jdk and probably would evolve as a part of standard SDK distribution.

Presentation is available at :
Example code is available at :

Wednesday, July 4, 2007


When do we get a ClassCastException?

The java documentation of ClassCastException states:-

Thrown to indicate that the code has attempted to cast an object to a subclass of which it is not an instance.
For example, the following code generates a ClassCastException:

Object x = new Integer(0);

The statement seems to be a very simple, but not when different class loaders are involved. Another scenario when this exception occurs is when the class accesses an object of the same class loaded by another class loader hierarchy.

I was determined to write a simple code to simulate the exception.

So I wrote two classes to be loaded by different classloaders.

package classldr;

public class Tree {

private String name = "sash";

public String getName() {
return name;

public void setName(String name) { = name;

//------ different file ----------//
package classldr;

public class Person{

public void doIT(Object t)
//try to create the typecast exception here!!
System.out.println("Tree planted : " + ((Tree)t).getName());

I would try to load these classes using different classloaders and simulate the error.

So I created instances of URLClassLoader and did the same. I had to make sure that the class creating the class loaders could not access these classes, as it was the parent of the URLClassLoader and would have actually loaded the class due to delegation model followed by the classloaders.

package classldr;

import java.lang.reflect.Method;

public class TestClassLoader {

public static void main(String[] args) throws Exception {

* Class loader 1 to create instance of Tree class. I have put the
* Person and Tree classes in C:\classldr\ directory.
ClassLoader cl1 = new URLClassLoader(new URL[] { new URL(
"file:C:\\") });
Class c = cl1.loadClass("classldr.Tree");
Object treeNewInstance = c.newInstance();

* Class loader 2 to create instance of Person and Tree class.
ClassLoader cl2 = new URLClassLoader(new URL[] { new URL(
"file:C:\\") });
Class treeClass = cl2.loadClass("classldr.Tree");
Class personTreeClass = cl2.loadClass("classldr.Person");
Object personTreeObj = personTreeClass.newInstance();
Object treeClassObj = treeClass.newInstance();
Method method = personTreeClass.getMethod("doIT",new Class[]{Object.class} );

//pass the object of tree loaded by cl 1 to
//person object loaded by cl 1
method.invoke(personTreeObj,new Object[]{ treeClassObj});

//pass the object of tree loaded by cl 1 to
//person object loaded by cl 2
//should throw a ClassCastException
method.invoke(personTreeObj,new Object[]{ treeNewInstance});

After I spent a lot of time on this I realized it could be demonstrated in a much simpler way. I decided that my URLClassLoader could be a child of the Bootstrap class loader, not necessarily the system class loader.

package classldr;


public class TestClassLoader2 {

public static void main(String[] args) throws Exception {

//get current class location
URL resource = TestClassLoader2.class.getClassLoader().getResource(".");

//create a new classloader to load this class,
//have the parent of the classloader as null
ClassLoader cl1 = new URLClassLoader(new URL[] { resource }, null);
Class c = cl1.loadClass("classldr.TestClassLoader");

//this throws ClassCastException
TestClassLoader2 treeNewInstance = (TestClassLoader2) c.newInstance();

This code was good enough to simulate the exception.

Finally I successfully generated the exception and was feeling very stupid about my first method. :(

Friday, June 8, 2007

Finding Class Version

Facing class mismatch error, I decided to find the JRE version and the compiler version used to compile the class file.

Its easy to get the details of the JRE version using System.getProperties(). A more difficult task was to find out the version of the class file. I could not find any API which did it :(. But I did find out that these details were available in the class file, so I wrote a small code to determine if the class will run on the current version of JRE.

public class ClassRuntimeVersion {
public static void main(String[] args) throws Exception {

FileInputStream fis = null;
DataInputStream dis = null;

try {
if (args.length != 1) {
throw new Exception("specify the class file");

fis = new FileInputStream(args[0]);
dis = new DataInputStream(fis);

if (dis.readInt() != 0xCAFEBABE) {
throw new Exception("not a class file");

short minorVersion = dis.readShort();
short majorVersion = dis.readShort();

System.out.println("Java Class version info");
System.out.println("1.6 50");
System.out.println("1.5 49");
System.out.println("1.4 48");
System.out.println("1.3 47");

float classVersion = Float.parseFloat(majorVersion + "."
+ minorVersion);
System.out.println("Class file compiled version : " + classVersion);

float jreJavaVersion = Float.parseFloat(System

System.out.println("JRE version : " + jreJavaVersion);
if (jreJavaVersion < classVersion) {
System.err.println("You r dead dude, versions did not match");
} finally {
if (fis != null) {
if (dis != null) {

Tuesday, May 29, 2007

Sampling Java SE 6

A lot of new features and API enhancements have been introduced in Java 6 (Mustang). Some of them are discussed briefly.

Compiler API

The new Java Compiler API allows invoking a compiler, gives access to diagnostics, and control over how files are read through a file manager. The file manager allows applications such as IDEs and JSP servers to keep all files in memory, which significantly speeds up compilation. Sun's open source Java EE implementation, GlassFish claims to have already benefited from this API.

//get the java compiler reference
JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();

//compile the Java class
int compilationResult =
null,null,null, "C:\\");

The code snippet shows how to compile a Java file using the Compiler API.

Web Service

The new web services stack provides support for writing XML web service applications. The java classes can be exposed as a .NET interoperable web service with a simple annotation. Java SE 6 adds new parsing and XML to Java object-mapping APIs, previously only available in Java EE platform implementations or the Java Web Services Pack.

To create a web service on Mustang create a java class, annotate it as shown below.

@SOAPBinding(style = SOAPBinding.Style.RPC)
public class Hello {
public String echo() {
return "Hello THBS";

To deploy the web service we just need to write the main method.

public static void main (String [] args) throws Exception {
Hello server = new Hello();
Endpoint.publish("http://localhost:9090/Hello", server);

The deployment can be verified by displaying the wsdl file on the browser
http://localhost:9090/Hello?wsdl. This feature is intended to be used for testing only.

Scripting for the Java Platform

Java SE 6 provides support for scripting, which enables the developers to integrate Java technology and scripting languages by defining a standard framework and interface to do the following:
• Access and control Java based objects from a scripting environment
• Create web content with scripting languages
• Embed scripting environments within Java technology-based applications

The Java Platform, Standard Edition (Java SE), does not mandate any particular script engine, but it does include the Mozilla Rhino engine for the JavaScript programming language.

ScriptEngineManager mgr = new ScriptEngineManager();
ScriptEngine jsEngine = mgr.getEngineByName("JavaScript");
jsEngine.eval("function helloWorld(){"
+ " println('Hello, world!'); "
+ " return 's';" + "}");

Invocable invocableEngine = (Invocable) jsEngine;
invocableEngine.invokeFunction("helloWorld", (Object[]) null);

The example shows how to invoke a JavaScript function using java.

See: Carpe diem: Mustang released


The Java SE 6 development kit co-bundles the all-Java JDBC database, Java DB based on Apache Derby. Out of the box developers have a database that can be used that implements the latest version of JDBC and is embeddable within desktop Java applications. Java DB has a small memory footprint and is fully transactional.

Also provided is JDBC 4.0, a well-used API with many important improvements, such as special support for XML as an SQL datatype and better integration of Binary Large OBjects (BLOBs) and Character Large OBjects (CLOBs) into the APIs.

Desktop Development

Desktop application development just became simpler with Java 6. It provides better platform look-and-feel in Swing technology, LCD text rendering, and snappier GUI performance overall. Java applications can integrate better with the native platform with things like new access to the platform's System Tray and Start menu. At long last, Java SE 6 unifies the Java Plug-in technology and Java WebStart engines, just makes sense. Installation of the Java WebStart application got a much needed makeover.

A new class added to the Java platform is java.awt.Desktop. It allows Java applications to launch associated applications registered on the native desktop to handle a or a file.

Desktop d = Desktop.getDesktop();
//opens the application associated with the txt file in your OS
d.browse(new URI("c:/text_file.txt"));

Similar enhancements have been made to make the development of a java desktop application simpler.

Class file structure update:

The class file structure in Java SE 6 has been modified to provide a much faster and simpler class verification process. The idea is to split the old verification process into two phases: type inferencing (compile time) and type checking (runtime). The new verifier (called the type-checking verifier) no longer needs to infer types because it uses type information embedded in the Java class file to check byte code type consistency. Removing the type inferencing process from the verifier significantly reduces the complexity of verifier code and improves verification performance. This provides performance improvements in byte code verification and thus class loading and start up time.

Monday, May 21, 2007

Mustang :- The Desktop bonus

One of the problems with java over the years is the lack on Desktop support. Sun has taken a major step with the release of Java 6.These changes have brought in a whole new flavour to the java desktop applications.

Java 6 now has system tray support.Now icons in the system tray can be added with menus and event handlers.Some applications that run in the background (eg mail client) can be seen in the system tray. Notifiers can also be provided to sent notification messages. The code demonstrates the use of the new functionality.
package com.sash.java6;

import java.awt.*;
import java.awt.TrayIcon.MessageType;
import java.awt.event.*;

public class SystemTrayTest {

public SystemTrayTest() throws Exception {

if (SystemTray.isSupported()) {

SystemTray tray = SystemTray.getSystemTray();
//image for tray icon
Image image = Toolkit

ActionListener exitListener = new ActionListener() {
public void actionPerformed(ActionEvent e) {

//pop menu for the tray
PopupMenu popup = new PopupMenu();
MenuItem alertItem = new MenuItem("Message");

MenuItem defaultItem = new MenuItem("Exit");

final TrayIcon trayIcon = new TrayIcon(image, "Tray Demo", popup);

alertItem.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent e) {
"Desktop support for Java",

trayIcon.setToolTip("Tooltip test");
} else {
"System tray is currently not supported.");

public static void main(String[] args) throws Exception {

//the system tray icon test
new SystemTrayTest();

Other enhancements include, the introduction of the Desktop API. Using this API now its very easy to open the default email client etc. It also provides an API to open any given file with the default application associated in the OS.

Desktop d = Desktop.getDesktop();
//guess what?
//opens the application associated in your OS with the jpg file
d.browse(new URI("c:/text_file.txt"));

This code opens the default program associated with the text files, on my windows system it opens the file in notepad.

API enhancements have been made to the getTotalSpace, getUsableSpace and getFreeSpace methods have been added. These are very useful enhancements made.

Very nicely done by the sun guys, finally adding some much needed support for the desktop applications.

Friday, April 20, 2007

Source code generator

Recently I had to write some code in Delphi .NET . Instead of using 'getters' and 'setters' like in java using properties is preferred. But writing the properties by hand is very painful.. Imagine having to write all the getters and setters in java by hand and your IDE ( I preferably use Eclipse ) not generate it. So I decided to write a code generator.

The first decision I had to make was which language to use. I can code in Java, C# and Delphi. I did not find any feature present in any of the languages that would make them preferable for the job, so I used Java since I am much more comfortable using this language.

The I had to decide what would be the input and output.

Input would be like :-
 // Make these properties!!!!!
id : integer; // the id

//blah blah comment
id2 : integer;
// so whats up

line_code : string;
rate : integer;

Output would be like:-

   //Variables :::::::

_id : integer;
_id2 : integer;
_line_code : string;
_rate : integer;

//Properties :::::::
Property id : integer
read _id
write _id ;
Property id2 : integer
read _id2
write _id2 ;
Property line_code : string
read _line_code
write _line_code ;
Property rate : integer
read _rate
write _rate ;

I also decided the coolest way to get the input and write the output was the clipboard. So I had to just copy the text into the clipboard and execute the java program. This would write the output into the clipboard.

Now the implementation specific details begin.
The first thing I needed to do was to remove the comments. Also what was needed was to get two lists, one containing the variable names and the other containing the variable types.

And then output it in any way wanted... My complete code is given below..

import java.awt.Toolkit;
import java.awt.datatransfer.Clipboard;
import java.awt.datatransfer.DataFlavor;
import java.awt.datatransfer.StringSelection;
import java.awt.datatransfer.Transferable;
import java.awt.datatransfer.UnsupportedFlavorException;
import java.util.ArrayList;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SashClipboard

public static final String NEWLINE = "\n";

public static String TAB = " ";

public static void main(String[] args) throws UnsupportedFlavorException,

//gets data from clipboard
String data = copyFromClipboard();

// System.out.println(data);

//get the diff lies
String[] lines = data.split(NEWLINE);

// System.out.println(Arrays.asList(lines));
//remove comments '//' and if two stmts exist on same line
ArrayList linesList = removeSingleLineCommentAndMultiStmt(lines);

// System.out.println(linesList);

ArrayList varNameList = new ArrayList();
ArrayList varTypeList = new ArrayList();

getVarAndType(linesList, varNameList, varTypeList);

String output = createOutput(varNameList, varTypeList);


//copy data to clipboard

private static void copyToClipboard(String output)
StringSelection ss = new StringSelection(output);
Clipboard cb = Toolkit.getDefaultToolkit().getSystemClipboard();
cb.setContents(ss, null);

public static String copyFromClipboard() throws UnsupportedFlavorException,
Clipboard cb = Toolkit.getDefaultToolkit().getSystemClipboard();
Transferable contents = cb.getContents(null);
Object transferData = contents.getTransferData(DataFlavor.stringFlavor);
String data = transferData.toString();
return data;

private static String createOutput(ArrayList varNameList,
ArrayList varTypeList)
StringBuilder output = new StringBuilder();

output.append("//Variables :::::::\n\n");
for (int i = 0; i < varNameList.size(); i++)
output.append(TAB + "_" + varNameList.get(i) + " : "
+ varTypeList.get(i) + ";" + NEWLINE);

output.append("\n\n//Properties :::::::\n");

for (int i = 0; i < varNameList.size(); i++)
output.append(TAB + "Property " + varNameList.get(i) + ":"
+ varTypeList.get(i) + NEWLINE + TAB + TAB + " read " + "_"
+ varNameList.get(i) + NEWLINE + TAB + TAB + " write "
+ "_" + varNameList.get(i) + ";" + NEWLINE);
return output.toString();

private static void getVarAndType(ArrayList linesList,
ArrayList varNameList, ArrayList varTypeList)
for (int i = 0; i < linesList.size(); i++)
String line = linesList.get(i);
String[] colonSeperated = line.split(":");
if (colonSeperated.length != 2)
System.out.println("Something wrong " + line);

String[] commaSeperated = colonSeperated[0].split(",");

for (String var : commaSeperated)

* Remove comments '//' and if two stmts exist on same line
* e.g a: integer; b:string;
* if input on a line is
* a:integer; b:integer; //to do something
* it will give two lines i.e
* a:integer;
* b:integer
* @param lines multi lines
* @return a list containg different lines
* and without single line comments
private static ArrayList removeSingleLineCommentAndMultiStmt(
String[] lines)
ArrayList linesList = new ArrayList();
for (int i = 0; i < lines.length; i++)
String[] comment = lines[i].split("//");

String[] multiStmt = comment[0].split(";");
for (String str : multiStmt)
if (!str.trim().equals(""))
return linesList;

It was not just the fact that I code generate the properties and save time, I also loved writing this code..

I think the code is self explanatory. If any doubts please do post your doubts.

Tuesday, March 27, 2007

Java accesibility hack

Invoking a private method/variable using reflection in java is very simple. In the example I invoke the private methodA of the class.

public class A
private void methodA()
This is pretty simple. But can we achieve this by setting setAccessible(true) for the Method.

public class B
public static void main(String[] args) throws Exception
A a = new A();
Method method = A.class.getDeclaredMethod("methodA");
method.invoke(a,new Object[]{});

And the result is that methodA is printed on the console.

Now can we achieve this without the use of reflection? Yes we can and thats the java hack. I'll
explain how...

First write the class A, but mark the methodA as public. Then create a class B as

public class B
public static void main(String[] args) throws Exception
A a = new A();

Compile class A and class B.
javac A
javac B

Run class B.
java B

The output is methodA as expected.

But where is the hack?
Now it comes..

Change the class A and change methodA as private again. Compile class A again only.
javac A

Do not try to compile class B, it will result in an comilation error. Now run B
java B

The output is not an Runtime error, but is methodA.

You can decompile using any java decompiler and see that methodA is still private but still B can invoke it. The probable reason for this is that accessiblity is a compile time check not a runtime one. At runtime it cannot be determined whether it is invoked using this hack or reflection. I cannot think of any other reason this is not done.

Wednesday, March 14, 2007

The role of Representational State Transfer in Web Based computing

A brief introduction to Representational State Transfer (REST)

REpresentational State Transfer or REST is an architectural style consisting of the set of constraints applied to elements within the network architecture. By examining the impact of each constraint as it is added to the evolving style, the properties induced by the Web’s constraints were identified.

But what does Representational State Transfer mean?

Resources are first-class objects; “object” is a subtype of “resource”. Resources are retrieved not as character strings or Blobs but as complete representations
A web page is a representation of a resource.

State means application/session state; is maintained as part of the content transferred from client to server back to client, thus any server can potentially continue transaction from the point where it had left off.

Transfer of State
Connectors (client, server, cache, resolver, tunnel) are unrelated to sessions and is an abstract mechanism which mediates communication, coordination, or cooperation among components. State is maintained by being transferred from clients to servers and back to clients.

REST is centered around two design principles:

Resource as URLs. A resource is something like a “business entity” which we wish to expose as a part of an API. Each resource is represented as a unique URL.

Operations as HTTP method. REST leverages the existing HTTP methods, particularly GET, POST, PUT and DELETE.

REST provides a set of architectural constraints that, when applied as a whole, emphasizes scalability of component interactions, generality of interfaces, independent deployment of components, and intermediary components to reduce interaction latency, enforce security, and encapsulate legacy systems.

Role of REST in web based applications

REST's "client-stateless-server" constraint forbids session state on the server. Designing within this constraint promotes the system properties of visibility, reliability, and scalability. But the server-side Web applications wish to provide a great deal of personalization to a single user, so they must choose between two designs. The first is to send a massive amount of state information with each client request, so that each request is context-complete and the server can remain stateless. A second simpler solution favored by application developers and middleware vendors alike is to send a simple user identity token and associate this token with a "user session" object on the server side. The second design directly violates the client-stateless-server constraint. It certainly enables desirable user functionality (especially personalization), but it places tremendous strain on the architecture.

The REST constraints provide scalability; say in a clustered environment if the state of client is maintained at the server side then the state has to be replicated across the servers which will be a huge performance overhead.

An AJAX application does not require full page refresh. The fact that Ajax lets us interact with a server without a full refresh puts the option of a stateful client back on the table. This has profound implications for the architectural possibilities for dynamic immersive Web applications: Because application resource and data resource binding is shifted to the client side, these applications can enjoy the best of both worlds the dynamic, personalized user experience we expect of immersive Web applications and the simple, scalable architecture we expect from RESTful applications.

Because the Ajax application engine is just a file, it's also proxyable. On a large corporate intranet, only a single employee might ever download a particular version of the application's Ajax engine, and everyone else just picks up a cached copy from the intranet gateway. So with regard to application resources, a well-designed Ajax application engine aligns with REST principles and provides significant scalability advantages versus server-side Web applications.

RESTful Web Services

The problem of interoperability is very fundamental and deals with what we call the “accidental architecture” where an organization consists of several different technologies and has to make them interoperable. The simpler the solution less will be the overhead in making such systems interoperable. The fundamental problem the web services world solves is interoperability. The question is whether to use SOAP based Web Services or REST web services.

Despite the lack of vendor support, Representational State Transfer (REST) web services have been very successful. For example, Amazon's web services have both SOAP and REST interfaces, and 85% of the usage is on the REST interface. Compared with other styles of web services, REST is easy to implement and maintain.

The SOAP based web services are standardized and standards have been published for the SOAP based web services. They can be used over several transports layer protocols like HTTP, JMS and FTP. REST makes the web service more WEB based. It uses only the HTTP protocol and thus can’t be used with JMS or FTP.

HTTP is not a transport protocol. SOAP treats HTTP as a transport protocol like TCP. HTTP only exists to carry bits, namely SOAP messages, with or without a method name. HTTP is an application protocol; it doesn't send bits, it transfers representational state.

REST isn't the best solution for every Web service. Data that needs to be secure should not be sent as parameters in URIs. If large amounts of data are used in the URI it can become very difficult to maintain and in extreme cases it can even go out of bounds. In such cases SOAP is a preferable solution. But it's important to try REST first and resort to SOAP only when necessary. This helps keep application development simple and accessible.

Fortunately, the REST philosophy is catching on with developers of Web services. The latest version of the SOAP specification now allows certain types services to be exposed through URIs (although the response is still a SOAP message). Similarly, users of Microsoft .NET platform can publish services so that they use GET requests. All this signifies a shift in thinking about how best to interface Web services.

Developers need to understand that sending and receiving a SOAP message isn't always the best way for applications to communicate. Sometimes a simple REST interface and a plain text response does the trick—and saves time and resources in the process.

Should we use REST ?

Arguments against non-REST designs

They break Web architecture, particularly caching. They don't scale well. They have significantly higher coordination costs


What kind of scaling is most important is application-specific. Not all apps are Hotmail, Google, or Amazon Integration between two corporate apps has different scaling and availability needs
The right approach to one isn't necessarily the right approach to the other

The REST argument

A service offered in a REST style will inherently be easier to consume than some complex API:
• Lower learning curve for the consumer
• Lower support overhead for the producer

What if REST is not enough?

What happens when you need application semantics that don't fit into the GET / PUT / POST / DELETE generic interfaces and representational state model?

Nearly all the applications can fit into the GET / PUT / POST / DELETE resources / representations model. These interfaces are sufficiently general. Other interfaces considered harmful because they increase the costs of consuming particular services.

Asynchronous operations

There is no complete solution for asynchronous operations available for REST.
Notifications can be sent back as POSTs (the client can implement a trivial HTTP server). Piggyback them on the responses to later requests.


The client is ultimately responsible for maintaining the transactions. Other designs for REST aren't much better.

The beginning

The use of REST is on the rise. The ease of use and scalability of the REST based applications stand apart. REST is the beginning of the next generation of Web based computing.

Friday, March 2, 2007

Running a class not in the classpath

This piece of code displays the invocation of a class not in the classpath of the application. This can be used to write utilities.

Say I have a jar file present on my system in say a directory "c:/MyUtils" (I have used windows locations, no reason why this should not work on any other OS) named SystemUtils.jar which has a main class in a class com.sash.DoIt. This jar is not in my classpath and I need to execute it. The following piece of code executes the main method.
 File file = new File("c:\\MyUtils\\SystemUtils.jar");
ClassLoader cl = new URLClassLoader(new URL[] { file.toURI().toURL()});
Class cls = cl.loadClass("com.sash.DoIt");
Method mainMethod = cls.getDeclaredMethod("main", new Class[]{String[].class});
mainMethod.invoke(null, new Object[]{null});

Very interesting stuff. Never used it but waiting for the first oppertunity to use this in one of my projects :).

Tuesday, February 27, 2007

Mustang released

The announcement made here is pretty old. It’s been in beta phase for some time and the final release has also been made some time back. Here I visit some of the new features in Mustang. I have been using Eclipse as a preferred java editor for a long time, though I've tried NetBeans, JDeveloper etc. Eclipse 3.2 has support for Mustang.
The feature I would talk about is the Scripting feature. This feature can be used to execute scripts in various languages. Mustang ships with the Rhino scripting engine for JavaScript. Its pretty interesting. I tried out various features of the Rhino Engine.

The major questions which I wanted an answer to were:
1. How to share data between Java and JavaScript?
2. Where is the utility of such scripting?
3. Can I add different Scripting engines?

The answer to the first question you can find in the example below. The sending of data from Java to Javascript was very simple and it even JavaScript recognized objects from user created classes (Java Car class has an object on which getName method could be invoked by the JavaScript). The return value also works. The List created in Java and modified in JS reflected in Java again. Awesome! Totally awesome!
Now the reasons given to use scripting language was what I am not convinced with.(Scripting for the Java Platform --> Reasons to Use a Scripting Language). I think the reasons to use scripting would be more specific, like using existing test scripts in some scripting language.
We can add different scripting engines according to specs.

Sample code explaining most of the concepts:-
import java.lang.reflect.Method;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class TheScript
private final static String METHOD_HELLO = "function helloWorld(){"
+ " println('Hello, world!'); " + " return 's';" + "}";

private final static String METHOD_HELLO_NAME = "function helloName(){"
+ " println('Hello,'+ name.getName() +' !'); " + " return 's';"
+ "}";

private final static String METHOD_HELLO_LIST = "function helloList(){"
+ "var x;" + "var names = namesListKey.toArray(); "
+ " for(x in names)" + " {" + " println('Hello,'+ names[x] +' !');"
+ " }" + " namesListKey.add(\"king\");" + "}";

private final static String THE_JAVA_SCRIPT = METHOD_HELLO

public static void main(String[] args) throws ScriptException,
ScriptEngineManager mgr = new ScriptEngineManager();
ScriptEngine jsEngine = mgr.getEngineByName("JavaScript");

// simple java method

// invoke method METHOD_HELLO
Invocable invocableEngine = (Invocable) jsEngine;
invocableEngine.invokeFunction("helloWorld", (Object[]) null);

// simple java method where java objects are used by javascript

// The parameter type is user defined object
// which is converted into a javascript object
// i.e I can use getName method of Car class
Car car = new Car();

// invoke method METHOD_NAME
jsEngine.put("name", car);
Object invokeFunction = invocableEngine.invokeFunction("helloName",
(Object[]) null);

// the return type should have been mapped by script provider
// Mozilla Rhino provides the mapping for number and string types
System.out.println(" --------------------------------- "
+ invokeFunction + " ----");

List namesList = new ArrayList(Arrays.asList(new String[] { "sash",
"siva", "baldie" }));
jsEngine.put("namesListKey", namesList);
invocableEngine.invokeFunction("helloList", (Object[]) null);



public static class Car
private String name;

public String getName()
return name;

public void setName(String name)
{ = name;



Thursday, January 11, 2007

Invoker class

For a long time I've been thinking how to write code to get the name of the calling class, some days back I was reading an article which arose my curiosity again. I was successful doing it in two ways.

1. Stacktrace method

One of the hints which I got was our exception class, whenever an exception is thrown we get the whole stack strace, which includes the invoking classes.
Throwable t = new Throwable(); 
StackTraceElement callerClass = t.getStackTrace()[1];

Gets the class name :)

2. Security Manager method

class SM extends SecurityManager {
public Class[] getClassContext() {
return super.getClassContext();

SM sm = new SM();
Class[] classContext = sm.getClassContext();

Bingo, got the class name. getClassContext() is a protected method, to use it we need to extend security manager or use it as I've done above.