Building Enterprise Web Applications with Spring 3.0 and Spring 3.0 MVC Building Enterprise Web Applications with Spring 3.0 and Spring 3.0 MVC JavaOne 2010 By Abdelmonaim Remani

 Creative Commons Attribution-NonCommercial 3.0 Unported 

 Software Engineer at Overstock.com  Particularly interested in technology evangelism and enterprise software development and architecture  President and Founder of a number of organizations  The Chico Java User Group  The Chico Flex User Group,  The Chico Google Technology User Group.  LinkedIn   Twitter  Who Am I?

Warning This presentation is very long and covers a lot of material

Introduction

 Complex  In terms of requirements  Functional  Non-Functional  Execution  Performance  Reliability  Security  Evolution  Testability  Maintainability  Extendibility  Scalability (Horizontal and Vertical) Enterprise Application Software (EAS)

 In the words of Edsger W. Dijkstra:  […] The Separation of Concerns […] is yet the only available technique for effective ordering of one’s thoughts […]  Artificially Reducing complexity by means of Abstraction  Specific Choices of abstraction  Produces a architectures Enterprise Application Software (EAS)

 The Architecture  Layered / N-Tiered  Presentation Layer  Web Layer  Service Layer  Persistence Layer  Aspects  Middleware  Other Modern Enterprise Application

 A Framework is an architecture  A well-defined structure to solve a problem  A pre-existing hierarchy to be extended  Library  Framework vs. Library  Invoking vs. being invoked  Generic vs. specific  Tools  Compiler, debugger, etc…  Scaffolding and other utilities  Etc… Frameworks

 Heavyweight vs. Lightweight  The need for a platform or a stack (JEE as example)  The ability to load in-demand necessary components  The memory footprint  The build size  Deployment ease  Etc… Frameworks

The Spring Framework

 Application Framework  Java  Other implementations are available (Spring.NET)  Open-Source  Lightweight  Non-Invasive (POJO Based)  Extendible  A platform with well-defined extension points for other frameworks  By Rod Johnson  Expert One-on-One J2EE Design and Development, 2002  J2EE without EJB, 2004  Became the De facto standard of Java Enterprise Applications What is Spring?

 20 Modules Spring Source: Spring 3.0.x Framework Reference

 Wrappers for most popular frameworks  Allowing injection of dependencies into standard implementation  Struts  JSF  Apache Tapestry  Etc…  Full Integration with the JEE stack Libraries

The Address Book

 The Address Book from polymathic-coder.com  A web application for Contact management The Address Book

 Details:  As a user I should be able to view, add, delete, and edit personal contacts data on my address book including:  First Name  Last Name   Phone Number  Image  Primary Actors: Regular user / Administrator  Assumptions:  The user is authenticated and has proper privileges to access the Contact Management Area  Access is granted both through the web interface and a RESTful API Functional Requirements Use Case 1 - Contact Management

 Business Rules  A First Names are required  Phone Numbers must be valid US phone numbers  s must be valid Functional Requirements Use Case 1 - Contact Management

 Details:  As an administrator I should be able to view, add, delete, and edit the user data including:  Username  Password  Role (Regular or Administrator)  Whether the account is enabled or not   Primary Actors: Administrator  Assumptions:  The user is authenticated and has proper privileges to access the User Administration Area  Access is granted through the web interface Functional Requirements Use Case 2 - User Management

 Business Rules  Username is required and must be unique  Passwords must be complex (The should contains at least 1 lowercase letter, 1 uppercase letter, 1 digit, and 1 special character)  s must be valid  An must be sent to the newly created user Functional Requirements Use Case 2 - User Management

 Details:  As an administrator I should be able to view audit and health check reports  Primary Actors: Administrator  Assumptions:  The user is authenticated and has proper privileges to access the Reporting Area  Access is granted through the web interface  The reports are periodically generated by the system Functional Requirements Use Case 3 - Reporting

 RBAC (Role-based access control)  Authentication  Form-based  Http Basic  Authorization  Security Roles  Regular User  Access to personal contact management area  Administrators  Access to personal contact management area  Access to user administration area  Access to reporting area  Access Control  No Rules  Transport Security  Not required Non-Functional Requirements Security

Spring Core

 The problem:  Acquiring Resources via  Instantiation of a concrete class  Using a static method of a singleton factory  Using a Directory Services API that allows for discovery and lookup (JNDI for example)  Etc..  Creates hard dependencies  Coupled code is hard to reuse (DRYness)  Painful Unit Testing Inversion of Control

 The Solution:  Coding against Interfaces  Inversion of Control: Dependency Injection  Reflectively supply external dependency at runtime  The Hollywood principle: “Don’t call us, we’ll call you”  Wait a minute this a lot of work!  Spring to the rescue Inversion of Control

 Container  POJO  Configuration Metadata  XML-Based  Annotation-Based  Java-based Spring Core Source: Spring 3.0.x Framework Reference

JSR 330 – Dependency Injection for Java JSR 330 Spring Annotations  JSR Common Annotations  javax.annotation  JSR 299 – Contexts and Dependency Injection  Scopes and contexts: javax.context  Dependency injection service: javax.inject  Framework integration SPI: javax.inject.manager  Event notification service: javax.event

 Used to mark a class that fulfills a role or a stereotype  Stereotyped classes can be automatically detected  Spring Stereotypes Stereotypical Spring

Domain Model

 A model of the “concepts” involved in the system and their relationships  Anemic Domain Model  POJOs (Plain Old Java Objects) or VOs (Value Objects)  Clear separation between logic and data  Parallel object hierarchies are evil  Metadata is interpreted depending on the context as the object moves across the layers of the application  Object-Relational mapping to persistent entities  Validation  Marshaling / Un-marshaling  Etc… Domain Model

 Ensuring the correctness of data based on a set predefined rules JSR Bean Validation Source: Hibernate Validator Reference Guide Final

 javax.validation  Reference Implementation: Hibernate Validator JSR Bean Validation Source: Hibernate Validator Reference Guide Final

 Instantiation (Items 1 & 2 of Josh Bloch’s Effective Java)  Static Factories  Telescoping  Provide builders  Override the default implementations of hashCode(), toString(), and equals(Object) methods  Use Pojomatic at  Be aware of any circular dependency in your model  Versioning of JSR 317 – JPA 2.0 Domain Model

Persistence Layer

 A logical encapsulation of classes and interfaces whose responsibilities fall within the scope of:  Create, Read, Update, and Delete (CRUD) operations on persistence storage mechanisms such as file systems and Database Management Systems (DBMS)  Interacting with Message-Oriented Middleware (MOM) infrastructures or Message Transfer Agents (MTA) such as JMS or mail servers Persistence Layer

 javax.persistence  Reference Implementation EclipseLink  Primer  A persistence entity is a POJO whose state is persisted to a table in a relational database according to predefined ORM metadata  An entity is managed by an Entity Manager  Do we still need a Persistence Layer?  Highlights  Support for JSR 303 validation JSR 317 – JPA 2.0

 Beans Stereotyped  Enables exception translation to a consistent exception hierarchy  Run-time exceptions and do not have to be declared or caught  Use JPA annotations to inject EntityManager and EntityManagerFactory  Follow a convention (I suggest CRUD)  Declaring transaction semantics Spring Data Access / Integration

 Java Mail API  javax.mail  Spring Helpers for various Templating Engines  Velocity  FreeMarker Spring Data Access / Integration

 Testing  JUnit  Take advantage of what JUnit 4.7 has to offer (Explore Theories, Rules, Etc…)  Libraries  DbUnit  Dumpster  Consider HADES Persistence Layer

Service Layer

 A logical encapsulation of classes and interfaces that provide the system functionality consolidating Units of work. Service layer classes should be:  Transactional  Stateless  Beans Stereotyped  Follow a convention (I suggest VADER) Service Layer

Web Layer

 A logical encapsulation of classes and interfaces whose responsibilities fall within the scope of:  Navigational logic  Rendering page views in the proper order  As simple as mapping a single URL to a single page  As complex as a full work flow engine  Web concerns (Request variables, session variables, HTTP methods, HTTP response codes, Etc…) should be separated from business logic Web Layer

 Two types of Web Frameworks  Request / Response Web Frameworks  Wrap the Servlet API  Adopt push model  Compile result  Push it out to be rendered in a view  Struts, Spring MVC, Etc…  Component Web Frameworks  Dot only hide the Servlet API  Event-driven component  JSF, Tapestry, Etc… Web Layer

Spring MVC

 Request / Response Web Frameworks  A Front Controller Pattern  One Dispatcher servlet  Application Contexts  Application Context  Web Application Context Spring MVC

 The promise Non-invasiveness  Fully annotation-driven  No extension of framework classes  No overriding methods  Controllers  Beans (Spring Managed-POJOs) Stereotyped Spring MVC - Controllers

 Mapping Rules  By  Path  HTTP method  Query Parameters  Request Headers Spring MVC - Controllers

 Handler Methods  Parameters are request inputs  Request data  Command Objects (Domain Objects)  Injection of standard objects  Automatic Type Conversion  Custom Type Conversion  JSR 303 Support  Exposing reference data to the views Spring MVC - Controllers

RESTful Spring MVC 3.0

 Representational State Transfer  Architectural Style  Identifiable Resources  Everything is a resource accessible URI  Uniform Interface based on HTTP methods  GET /contacts reads all contacts  GET /contacts/1 reads the contact whose id is 1  POST /contactscreates a contact  PUT /contacts/1updates the contact whose id is 1  DELETE /contacts/1deletes the contact whose id is 1 RESTful Architecture

 Architectural Style  Resource Representations  Multiple data representation (MIME types) can be specified  Request  Accept HTTP header field or file extension  Response  Content-Type HTTP header field  Stateless Conversion  No session  Scalable  Loosely coupled RESTful Architecture

 Annotations  Spring OXM (Object-XML Mapping)  Marshaling / Unmarshaling RESTful Spring

Presentation Layer

 “Deciding to use Velocity or XSLT in place of an existing JSP is primarily a matter of configuration” Spring 3.0 Documentation  View technologies  JSP & JSTL  Tiles  Velocity  FreeMarker  XSLT  JasperReports  Etc… Spring MVC - Views

 Views are rendered based on handler methods return or ResponseEntity  Many HttpMessageConverters  StringHttpMessageConverter  Jaxb2RootElementHttpMessageConverter  MappingJacksonHttpMessageConverter  AtomFeed/RssChannelHttpMessageConverter  Etc…  Register your own  String  View Resolver and a View Spring MVC - Views

 View Resolvers  InternalResourceViewResolver  ContentNegotiatingViewResolver  BeanNameViewResolver  JasperReportsViewResolver  TilesViewResolver  Etc… Spring MVC - Views

 JSP & JSTL  Spring Tag Library  Spring Form Tag Library  Refer to spring-form.tld  Themes  Overall look-and-feel of your application  A collection of style sheets and images   Theme resolvers  I18N Spring MVC - Views

 Spring Web Flow  For Web Application that are  More dynamic  Non-linear without arbitrary end points  Spring Portlet MVC  A JSR 168 compliant Portlet environnent  Large web application composed with subcomponents on the same web page Spring MVC Complements

Aspects

Spring AOP

 OOP creates a hierarchical object model by nature  Cross cutting concerns  Are not necessarily a part of the application logic  Occur across the object hierarchy in unrelated parts  Examples  Logging  Security  Transaction management  Etc… Aspect-Oriented Programming

 The Problem  Code Tangling  No Cohesion  Code Scattering  Not DRY  The Solution  Aspect Oriented Programming  AspectJ  Modulation of Aspects and weaving into the application code Aspect Oriented Programming

 Spring AOP  Java based AOP Framework  Built on top of AspectJ  Interception based Spring APO

 Joint Point  A point in the execution of the program  Point Cut  An expression that selects one or more joint point  AspectJ Expression Language  Advice  The code to be weaved at a joint point  Aspect  Point Cut + Advice AOP Terminology

 Annotations  Before  AfterReturning  AfterThrowing  After  Around Types of Advices

Spring Security

 Authentication  the verification of the user identity  Authorization  Permissions granted to the identified user  Access Control  By arbitrary conditions that may depend to  Attributes of clients  Temporal and Local Condition  Human User Detection  Other  Channel or Transport Security  Encryption Security Terminology

 Realm  A Defined the authentication policy  User  A defined individual in the Application Server  Group  A defined classification of users by common traits in the Application Server.  Role  An abstract name of the permissions to access a particular set of resources in an application Security Terminology

 Spring Security  JAAS (Java Authentication and Authorization Service)  jGuard  Apache Shiro Available Frameworks

 Security is your responsibility  Features:  It is not the standard  No class loader authorization capabilities  Simple configuration  Portable across containers  Customizable and extendable  Pluggable authentication and web request URI security  Support method interception, Single Sign-On, and Swing clients Spring Security

 Authentication  Form-Based  Basic  Digest  LDAP  NTLM (NT LAN Manager)  SSO (Single Sign-On)  JA-SIG CAS  Open ID  Atlassian Crowd  SiteMinder  X.509 Authentication

 Mechanisms  Interact with the user  Providers  Check credentials  Bundles details in a Thread Local security context holder  Repositories  Store roles and profile info  In Memory  JDBC  LDAP  Etc… Authentication

 Web Authorization  URL-Based  Which URL patterns and HTTP methods are allowed to be accessed by which role  Method Authorization  Reusable  Protocol Agnostic  Uses AOP  Annotations Support  JSR 250   Spring Security EL Authorization

Other

 Job Scheduling  Bulk Processing  Integration  Etc… Other

 If you are interested in  The full-source code of the Address Book Application  A Step-By-Step tutorial  Possibly a screen cast  Go to Support Material

The Silicon Valley Spring User Group

Q & A

Thank You!