Wednesday, October 17, 2007

Stealth mode: upgrade your system and don't tell everyone

Want to try JPA or Spring? But you have an old software system, and don't have the luxury of a clean new software project?

Don't wait!
Add Spring and/or Hibernate to your old Java software system. Instead of waiting, put in a STEALTH upgrade that is low-friction, low cost, and low visibility to the customers and others around the project. You can boast later when the system succeeds because of the new technologies.

We've all made some excuses for NOT upgrading the technology of a system. (But we can address each of these):
* I can't afford to overhaul the whole system
* Our Java servers don't support it, we cannot upgrade the Java server
* What will my manager or customer think?

Upgrade the whole system?
No software engineer has the time and money to do that. So I suggest looking for a new feature and upgrading only that part of the system: this is the low-friction part. There's no need to overhaul every working DAO; to keep costs down, leave them alone until you need to change them. Maybe you've got a new model object you are adding. Why not use Spring and Hibernate to manage that object? Who needs to drag around the old EJB2 patterns, or your own home-grown JDBC DAOs, just to keep the system consistent? In the end, you may finish the feature upgrade faster because you used Hibernate and Spring Transactions. After you try it, you may decide to convert other DAOs as changes happen to those parts of the system. This can all be done under the radar - Stealth mode - without kicking off a major overhaul of every DAO in the system.

Upgrade my app server?
You may think that your Java app server doesn't support Hibernate or Spring, but Hibernate and Spring are simply jar libraries that can be deployed inside your web app and do not require an upgrade to your server. So go ahead and add the jar files inside your web app (or WAR or EAR file), and use them freely. If you'd like to use EJB3 and you have an app server that does not support it, like Tomcat or IBM, you could use the JBoss Embeddable EJB3 container, yet another free, OSS jar library that can be put inside your web app. Hibernate and Spring can even work in Java 1.4 (EJB3 and JPA need Java 5).

What will people think?
Your customers and users of the system may not be able to spell JDBC, but that's OK; besides, that is why they pay YOU, the software engineer. So they will not care whether you use Hibernate, OpenJPA, iBATIS, or raw JDBC. Many of your managers will not care either, as long as it doesn't rock the boat in server operations (and it won't, as described above in upgrading your app server). If your customer/manager is curious, you can tell him that many good things will be coming, like short development times and developers who are excited about the new technology. If you need to convince other developers, remind them that these technologies are popular for a reason, and it's a good skill for a software developer to have for the future.

Marketing this kind of strategy is a challenge. Selling this idea to your customers, colleagues, and managers is probably a bigger challenge than actually making the software changes. Just keep in mind that some people will not care, and don't need to be scared by change, so leave them out of the conversation except to say that their new features will be coming soon. NOT telling them is not deception or evil; it's just too much information (TMI), and it can sometimes be scary. So if they keep asking questions, tell them everything, but remember to tell them that confidence is high, risk is low, and everyone is doing it. The software people who know the system should get excited, not scared, by the new technologies adding power and speed to the system. Consider the alternative: try to hire a Java developer by telling him he gets to maintain old EJB2 CMP. Software engineers run away from those technologies; you won't get anyone to hire on without lying, and your current developers will leave in short order too.

The Stealth approach can avoid the hoopla and resistance that happens when any kind of change is suggested. So take advantage of the trust they place in you to make the right technology choice. You will get to use new technologies, your system will be better, and nobody needs to be the wiser. In the end you may get it all done faster and easier too.

-Jay Meyer

Friday, October 5, 2007

Harpoon Technologies Announces Terracotta Partnership

Harpoon Technologies and Terracotta Partner to Provide Consulting Services October 5, 2007

Harpoon Technologies Open Source Experts to Provide Consulting

ST. LOUIS – (October 5, 2007) – Harpoon Technologies, provider of open source consulting services, and Terracotta, a leader in infrastructure software for enterprise Java high availability and scalability, today announced a partnership to respond to growing demand for help implementing Terracotta clustering

Terracotta offers IT organizations a lightweight approach to scalability that lowers costs and simplifies deployment by reducing development effort and easing the load on application servers and databases. Terracotta uses high-performance mapping of server memory changes, called Network-Attached Memory, to share temporary “work-in-progress” data among servers. That makes an application highly available without placing such temporary data in an expensive relational database. It also provides dramatic cost savings and much higher performance and scalability than either databases or application-tier caches.

About Harpoon Technologies
Harpoon Technologies is a provider of Open Source Consulting Services. Harpoon Technologies offers performance tuning, custom development, and training. The company is headquartered in St. Louis. For more information, please visit

About Terracotta, Inc.
Terracotta’s infrastructure software provides affordable and scalable high availability for Java applications. Companies use Terracotta to offload work from databases and application servers and to reduce their development efforts. Founded in 2003, Terracotta, Inc., is a private firm headquartered in San Francisco. More information is available at Terracotta’s open source community is available at

Friday, August 10, 2007

Writing Secure Applications

This presentation was originally given at the St. Louis Java User Group.

Security topics in the internet age remain esoteric and the domain of experts. Firewalls and Intrusion Prevention Systems are only parts of the complete security picture. Application security is an essential piece of the security puzzle, and without it, the sensitive application is still in jeopardy, even with the strongest network and OS security. Yet many developers lack the knowledge needed to protect their sensitive data using secure application development techniques.

The presentation focuses on tools and techniques that developers can use to write a secure application from scratch, or to test an already-installed application. Attacks such as SQL injection, cross-site scripting, and dictionary attacks will be discussed. These attacks can be foiled using testing tools, Java Cryptography (JCE), and secure design techniques. Tools and code samples will demonstrate these techniques so that you may apply them to your applications. We'll also look at risk assessment, impact analysis, and the bigger picture of security or SOx audits, in case your system is audited.

Download the presentation here.

-Jay Meyer

Thursday, August 9, 2007

How to avoid SQL injection in Hibernate (A Hibernate Urban Legend)

Somewhere along the line Java developers came to believe that Hibernate protects you from SQL injection. I'm not sure where they came to believe that. Maybe it is because you no longer have to write SQL and Hibernate does many other magical things, so it has to protect you against SQL injection.

I'm tired of telling Java developers that HQL has the same vulnerabilities as SQL. They don't believe me and think Hibernate offers them some sort of magical protection from bad HQL. Basically, what I term bad HQL is when named parameters are not used. Consider the following example:

String goodParameter="Raj lane";

Query badQuery = session.createQuery("from Address a where a.street='"+goodParameter+"'");

I have SQL logging turned on so I can see that the generated SQL is as follows:

select address0_.addressId as addressId, address0_.street as street1_ from Address address0_ where address0_.street='Raj lane'

Now consider the following where I attempt "HQL Injection"

String badParameter="la' or '1'='1";

Query reallyBadQuery = session.createQuery("from Address a where a.street='"+badParameter+"'");

And the resulting SQL:

select address0_.addressId as addressId, address0_.street as street1_ from Address address0_ where address0_.street='la' or '1'='1'

Note that the parameter is passed directly into the generated SQL, so the user input becomes part of the statement itself. The generated SQL will return all rows in the table. That is bad, but SQL injection opens us up to much worse attacks. So the moral of the story is to use named parameters. The above code can be fixed as follows:

String badParameter="la' or '1'='1";

Query reallyBadQuery = session.createQuery("from Address a where a.street=:street");

reallyBadQuery.setParameter("street", badParameter);

Rajesh Patel

Harpoon Technologies
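The difference between the concatenated and the named-parameter query in the post above, as an added example that is not the author's code: it uses Python's built-in sqlite3 instead of Hibernate so it runs without a mapping or database server, and replays the same statement shapes against a constructed Address table. The function names and sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample data; table and column names follow the SQL logged in the post.
# Row 3 stores the payload text itself as a street name, to show it is plain data.
ROWS = [(1, "Raj lane"), (2, "Main street"), (3, "la' or '1'='1")]


def open_db():
    """Create an in-memory Address table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Address (addressId INTEGER PRIMARY KEY, street TEXT)")
    db.executemany("INSERT INTO Address VALUES (?, ?)", ROWS)
    return db


def find_concatenated(db, street):
    # Same shape as the post's bad query: the input is spliced into the
    # statement text, so a quote in the input ends the string literal early.
    sql = "select addressId, street from Address where street='" + street + "'"
    return db.execute(sql).fetchall()


def find_bound(db, street):
    # Same shape as the post's fix: the statement text is constant and the
    # value is bound to the named parameter :street, so it is only compared.
    sql = "select addressId, street from Address where street=:street"
    return db.execute(sql, {"street": street}).fetchall()


if __name__ == "__main__":
    db = open_db()
    payload = "la' or '1'='1"
    # Concatenation: the where clause becomes street='la' or '1'='1'.
    print("concatenated:", find_concatenated(db, payload))
    # Binding: only the row whose street equals the payload text matches.
    print("bound:       ", find_bound(db, payload))
```

With the ordinary value "Raj lane" both functions return the same single row; they only diverge when the input contains a quote.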

Thursday, July 19, 2007

Harpoon Technologies Expert Presentations

Harpoon Technologies employs many open source experts. We have shared our knowledge by giving presentations on EJB3, JSF, JBPM, XFire, Jabber and Seam. We strongly believe that these technologies represent the best of breed in the Java space.

All of our presentations can be located at

If you would like for us to give one of these presentations at your company, please let us know.
Rajesh Patel

Wednesday, April 4, 2007

Seam Presentation

Quite a large crowd turned out for the Seam presentation that I gave at the Gateway JUG last night. The Java industry appears to be in a pivotal moment in the shift from Struts. All the indications that I see are that Struts 2.0 is not going to take off, but JSF will see significant adoption in the near future. Most new projects that I have heard about are choosing JSF!

Here is my Seam presentation:
Seam Presentation