“Advanced Web Application Security” by Jeremiah Grossman and Joe Walker @ JavaOne 2008

The queue for this session was huge and started outside the Moscone Center. It was interesting and well organized, but the characterization “advanced” was not very accurate. Of course you cannot give a truly “advanced” presentation to a crowd of hundreds, and you should give Jeremiah and Joe credit for keeping a good balance.

Here are some of the less trivial points:

  • You can mess with your friends’ Google search history with plain, basic CSRF
  • The OWASP servlet filter is a nice tool
  • They mentioned a double-cookie check, in which the token is submitted both in the body and in an HTTP header and the server compares the two, and said that this is how DWR works, but didn’t quite elaborate on it.
  • They mentioned several times that there is a right and a wrong way to use JSON; more details would have been nice, but I suppose time was an issue.
  • Perhaps the cornerstone of JavaScript hacking is overriding Object() (the same trick works on Array()): when a page includes a JSON response as a script, a redefined constructor or setter captures the values as they are built. It is also a nice way to do AOP.
  • There are many, many places where JavaScript is executed in a web page besides the <script> element: attributes (javascript: URLs), event handlers, browser-specific event handlers, CSS (inline and imported), etc., so…
    • … you might consider using AntiSamy
  • With XSS you can grab the secret token and then launch a CSRF, so anti-CSRF tokens are no defence once an XSS exists

Some things that I feel should also be covered in a similar presentation:

    • Application-layer firewalls like mod_security
    • Hacking browser extensions that users typically have, like Firebug, Greasemonkey, etc.
    • Protecting your app from malicious JSON
    • Browser standards-compliance mode (IE8) as a way to protect from attacks that rely on malformed HTML

Java Rockstars Panel @ JavaOne

A few hours ago I attended the “Java Rockstars Panel”, a press-only event with:

I will try to summarize some key points:

  • This year is about Java on the client, the ubiquity of the platform and the energy of the community.
  • Tim Bray likes JavaScript’s ubiquity 🙂
  • Fact of life: Ruby and Python are (almost) as old as Java (chronologically)
  • Alternative (scripting) languages that will be able to run on the JVM will automatically increase their potential user base
  • “People love the Web platform because it has no platform vendor” – Tim Bray
  • Having no real specs for dynamic languages (except JavaScript) makes it hard for people to trust them.

JavaOne Day #1 Report: ROCKING!

Yesterday JavaOne 2008 kicked off:

Attendants were welcomed in the General Session by various dancing acts.

Then James Gosling tossed his personally designed T-shirts into the audience.

The prediction that a Java Posse member made yesterday at CommunityOne that Jonathan Schwartz will make a joint appearance with Steve Jobs, hug on stage and announce that Java will be available on the iPhone was… not fulfilled.

Instead we were shown a biometric sensors experiment held in Moscone during JavaOne. BTW all badges are RFID and are scanned with a Nokia phone. They also demonstrated the use of sensors and Java code for measuring and managing the climate inside Moscone.

Then Rich Green:

  • Invited Ian Freed of Amazon on stage, who talked about the Kindle and gave a short presentation that illustrated how Java empowers this device. If you didn’t know it, ALL Kindle applications are Java.
  • Invited Rikko Sakaguchi from Sony Ericsson on stage, who showed a promotional video of a new device that will be launched later this year and said that “Java is the core strategy of Sony Ericsson”!
  • Showed a demo of a Facebook/LiveConnect app/plugin that uses JavaFX. Showed it also on a Java ME phone. Really impressive, even though the slow Moscone network created problems.
  • Continued with a JavaFX demo that emphasized the design capabilities of the technology. It was really eye-pleasing. Also emphasized the 3D, HD video and sound capabilities of the platform.
  • Repeated the ConnectedLife demo on the Google Android emulator.
  • Talked about GlassFish’s new modular architecture.

One of the highlights was the appearance of Neil Young on stage. He talked about his effort to collect all his musical legacy on Blu-ray and how Java enables him to provide a nice interface to it all. I would have liked it if he could have stayed a bit longer and had his guitar with him 🙂

After the general session I had the pleasure of accidentally meeting Doris Chen, one of our beloved Java evangelists who visit Greece regularly to talk about the latest and greatest in Java Land.

The conference is so huge and packed with people from all over the world that I would suggest to Sun to consider something like JavaOne Europe.

Continuing with the individual sessions that I personally found most interesting:

“The Duke and the Elephant: PHP Meets Java™ Technology–the Best of Both Worlds” by Rob Nicholson

  • Why use PHP (fairly obvious)
  • Why use PHP+Java+Groovy: leverage the power and communities of all platforms
  • WebSphere sMash: Agile application development using dynamic scripting and RESTful Web Services (based on JSON?)
  • They seem to have implemented some kind of PHP 5 runtime on top of Java SE. It sounds very interesting and I’ll have to look into the licensing information.

Blogger Q&A with Jonathan Schwartz and Rich Green

  • How long Jonathan spends blogging and other related questions
  • Blogging company policy and censorship
  • JavaFX platform questions
  • Sun/Google/Android
  • Java and iPhone
  • more…

“JavaScript™ Programming Language: The Language Everybody Loves to Hate” by Roberto Chinnici

Outline:

  • Introduction to the functional nature of JavaScript
  • Mentioned that you can only have scope through functions (but later showed scope with objects)
  • Suggested that some Higher Order Functions library might be useful
  • Said that without tail-call elimination it is easy to blow the stack
  • Browser implementations are primitive
  • Made a reference to Google project Caja
  • Showed several examples from frameworks like Dojo, jQuery and Prototype that alienated the typical Java programmer.

For those who don’t know yet, Roberto is one of the people who brought us Phobos. As I suggested after the discussion, they should really put an effort into making it work with continuations. This is a programming model quite different from the one most web developers are accustomed to, and it would strengthen Phobos’ position as an alternative framework, especially as we enter more and more into the era of server-side JavaScript with products like Jaxer by Aptana and the long-awaited Rhino on Rails by Google.

BTW Roberto, some of your comments were a bit biased against the functional and prototypal nature of the language, but we all know you love it 😉

“Building Secure Mashups with OpenAjax” by Jon Ferraiolo

  • What is the OpenAjax Alliance
  • The interoperability problems between the various toolkits
  • OpenAjax Hub 1.0 -> enables multiple Ajax runtimes to work together (pub/sub). Included in the Dojo framework
  • Security issues in mashups
  • OpenAjax Hub 1.1 -> Adds pub/sub with the server (e.g. Comet) and a framework for secure mashups
  • OpenAjax Metadata

CommunityOne 2008 verdict… AWESOME!

Today Panos and I attended CommunityOne and I have to say that the event exceeded my expectations. The sheer scale of this event was something I hadn’t seen in the past!

Moscone Center was surrounded with street signs and people holding signs that pointed to the various designated areas.

The general session that kicked things off was broadcast live on the internet, as one of the speakers informed us.


HD abuse

I’ve spent most of my time in the RedMonk Unconference and also attended the Java Posse podcast recording during lunch time. Their podcast is my favourite one, second only to Software Engineering Radio.

Also I attended a session by Zend about their framework and how they are planning to implement Comet applications. I use the word “planning” because from what I understood they don’t actually have any concrete plans. For example the speaker talked about a Comet server implementation in C that a PHP app would use through the CLI, but when I approached him with the question of whether this would be released as a PECL module, or about the licensing, he couldn’t disclose any information. Anyway, since more than 50% of web apps are made in PHP, I’d like this community to overcome the challenges that the Comet paradigm brings, and to do it in a timely fashion.

I was also happy to accidentally bump into Reginald Hutcherson on the stairs. Regi is a Java evangelist who has been regularly visiting us in Athens, Greece, with his team.

I still have a couple of sessions that I would like to attend, and then I’ll go back to the hotel to rest, since I still haven’t gotten over the jet lag and tomorrow JavaOne opens. This means dozens of great sessions and even more parties 🙂

Having a pet dog I really, really enjoyed the fact that there are people inside Moscone who (are allowed to) go around with their dogs. Actually I’ve read that one out of two SF residents has a dog. Two thumbs up, people!

JavaOne: San Francisco here we come!!!

This year my JHUG buddy Panos and I will be attending JavaOne, which is held at the Moscone Center in San Francisco.

I’m very excited, since JavaOne is the flagship of all Java-related conferences and probably one of the biggest (if not THE biggest) conferences in the world for software developers. Moreover it’s a celebration where people from all over the globe:

  • come together in one of the most beautiful cities in the US,
  • get high-quality sessions from domain experts,
  • exchange experiences, ideas and their vision for the Java platform and
  • network with their idols and with each other.

There are several sessions I’m eagerly looking forward to attending like:

  • “The Java™ Platform Portlet Specification 2.0 (JSR 286)” by Stefan Hepper (WebSphere Portal Server)
  • “Asynchronous Ajax for Revolutionary Web Applications” by Jean-François Arcand (Grizzly)
  • “The JavaScript™ Programming Language for Enterprise Application Scripting: Five Years of Experience” by Olivier Modica
  • “Comet: The Rise of Highly Interactive Web Sites” by Alex Russell (Dojo)
  • “JavaScript™ Programming Language: The Language Everybody Loves to Hate” by Roberto Chinnici (Phobos)

We have planned our visit so that we can also participate in CommunityOne, one day before JavaOne, where there will be many interesting sessions concerning:

  • Projects and Strategy
  • Linux Communities
  • Databases: MySQL, postgreSQL
  • Web and Application Servers: GlassFish, Apache
  • Scripting and Rich Internet Applications (RIAs): PHP, Python, Ruby, Javascript, JavaFX, AJAX, jMaki
  • Tools and IDEs: NetBeans, Eclipse
  • Next Generation Web Applications
  • Web Scale Computing
  • … and much more

You still have time to join us…

Here is the opening video from last year’s JavaOne: