Sunday, March 29, 2009

SCEA 5.0 Exam Questions - 5

Few more questions for the exam:

57. The Java system you are enhancing needs an integration point to an external system to gain access to data stored in a database. The application uses an Open Database Connectivity (ODBC) data source to access the data. What do you use to connect to the database?

A. XML over HTTP
B. RPC-style SOAP
D. JDBC-ODBC bridge driver

Correct Answer: D

58. Java Connector Architecture (JCA) as a technology solution addresses certain needs of your Java applications. What is the best description of a JCA solution?

A. asynchronous message-based interfaces
B. integration of slow responders in a loosely-coupled way
C. access to tightly-coupled business logic of legacy systems
D. integration of systems/components and guaranteeing message delivery

Correct Answer: C

59. Your client is interested in the benefits of integration with an external system using RMI-IIOP, RMI-JRMP, and CORBA for external integration. What should you tell your client?

A. An RMI-JRMP client can call a CORBA server.
B. A CORBA client can call an RMI-JRMP server.
C. An RMI-JRMP client can call an RMI-IIOP server.
D. A CORBA client CANNOT call an RMI-IIOP server.

Correct Answer: C

60. Your online e-commerce application has a message-driven bean (MDB) that calls an email server. Which statement about invoking the MDB is true?

A. The client can access the MDB directly.
B. The client accesses the MDB using an interface.
C. A message-driven bean is simply a JMS message provider.
D. A JMS message is sent to the destination to which the MDB is listening.

Correct Answer: D. An MDB has no client view, so neither A nor B is possible: the client sends a message to the queue or topic and the container delivers it to the bean's onMessage() method.

61. SOAP was selected as an integration technology for the flexibility of messaging styles it supports (in particular, how an XML payload can be presented in a SOAP message). Which message style statement is correct?

A. The body of an RPC-style SOAP message cannot be a literal message.
B. The XML payload for a document-style message cannot be an encoded message.
C. The XML payload for RPC- and document-style messages guarantees XML payload delivery.
D. An RPC-style message has the XML payload wrapped inside an operation element in the SOAP body.

Correct Answer: D

62. As part of your Java application, you are required to integrate with an external system that has a Java web service. The Java web service uses synchronous communication and exposes several methods with varying method signatures. Which technology do you use for this solution?


Correct Answer: B

63. Your company is going through an extensive security audit and it has been identified that your internet-facing web site is vulnerable to SQL injection from authenticated users. Which two are appropriate for mitigating this threat? (Choose two.)

A. Using security roles in the deployment descriptor
B. Using stored procedures called with prepared statements
C. Adding an intercepting validation filter to your system
D. Requiring SSL in the deployment descriptor transport guarantee

Correct Answers: B, C.
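Option B in working code, as an added example that is not part of the original post: the same lookup written with string concatenation (the injectable form the audit would flag) and then with a PreparedStatement, plus a stored-procedure call made through a CallableStatement. The ORDERS table, its columns, the CANCEL_ORDER procedure and the way the Connection is obtained are all assumptions made for the example.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not from the original post. Assumes a table
 * ORDERS(ID, CUSTOMER_ID, STATUS) and a stored procedure
 * CANCEL_ORDER(order_id, customer_id); the Connection comes from a
 * container-managed DataSource. All of these names are hypothetical.
 */
public class OrderDao {

    /**
     * VULNERABLE. 'status' is typed by an authenticated user. A value such as
     *   x' OR '1'='1
     * turns the WHERE clause into a tautology and returns every customer's
     * orders; drivers that accept stacked statements will also run
     *   x'; DELETE FROM ORDERS; --
     */
    public List<Integer> findOrderIdsUnsafe(Connection con, int customerId, String status)
            throws SQLException {
        String sql = "SELECT ID FROM ORDERS WHERE CUSTOMER_ID = " + customerId
                + " AND STATUS = '" + status + "'";
        Statement st = con.createStatement();
        try {
            return collectIds(st.executeQuery(sql));
        } finally {
            st.close();
        }
    }

    /**
     * HARDENED. The SQL text is a constant; the user value travels to the
     * database as a bound parameter, so it is data, never syntax. The
     * tautology string above now matches only a row whose STATUS column
     * literally contains "x' OR '1'='1".
     */
    public List<Integer> findOrderIds(Connection con, int customerId, String status)
            throws SQLException {
        PreparedStatement ps = con.prepareStatement(
                "SELECT ID FROM ORDERS WHERE CUSTOMER_ID = ? AND STATUS = ?");
        try {
            ps.setInt(1, customerId);
            ps.setString(2, status);
            return collectIds(ps.executeQuery());
        } finally {
            ps.close();
        }
    }

    /**
     * Option B of the question: a stored procedure invoked through a
     * CallableStatement (a PreparedStatement subtype) with bound arguments.
     * Building "{call CANCEL_ORDER(" + orderId + ")}" by hand would reopen
     * the hole.
     */
    public int cancelOrder(Connection con, int orderId, int customerId) throws SQLException {
        CallableStatement cs = con.prepareCall("{call CANCEL_ORDER(?, ?)}");
        try {
            cs.setInt(1, orderId);
            cs.setInt(2, customerId);
            return cs.executeUpdate();
        } finally {
            cs.close();
        }
    }

    private static List<Integer> collectIds(ResultSet rs) throws SQLException {
        List<Integer> ids = new ArrayList<Integer>();
        try {
            while (rs.next()) {
                ids.add(rs.getInt("ID"));
            }
        } finally {
            rs.close();
        }
        return ids;
    }
}
```

The prepared statement is the primary control; the validation filter of option C is defence in depth in front of it. Neither helps if the stored procedure body itself assembles dynamic SQL from its arguments, so review the procedure as well. Options A and D do not address the flaw: roles only limit who may reach the page, and SSL only protects the transport, while the attacker here is already an authenticated user on an encrypted connection.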

64. Your competitor is trying to crash your web site by using various Denial of Service attacks. Which two flaws should you protect against for this specific threat? (Choose two.)

A. SQL injection
B. buffer overflow
C. man-in-the-middle
D. session hijacking
E. weak password exploits

Correct Answers: A, B

65. Which is an appropriate technique for minimizing the consequences of a successful attack?

A. Input validation
B. Principle of least privilege
C. Encryption of wire transmissions
D. Use of strong/two-factor authentication

Correct Answer: B

66. What is the appropriate location to configure a JSP-based application to require secure communication between a browser and particular resources?

A. In the application code
B. In the business-tier code
C. In the browser configuration
D. In the deployment descriptor
E. In the web server configuration

Correct Answer: D.

67. Service methodA(), implemented in a session bean, performs a highly sensitive operation. This operation must be available in limited ways to low-privilege users to support a low-sensitivity operationB().

Which approach addresses the requirements most securely?
A. mark methodA() as accessible to all necessary roles
B. mark methodA() as accessible to all appropriate roles, and use the programmatic security model to impose the necessary additional restrictions
C. mark methodA() as accessible to all appropriate roles, and use the deployment descriptor to indicate the conditions under which each role can invoke the high-priority method
D. mark methodA() as accessible only to a special role, then use a run-as element to invoke methodA() from operationB(); before making the call to methodA(), operationB() checks that conditions are appropriate for the call

Correct Answer: D.
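Option D in code, as an added example that is not part of the original post. EJB 3.0 annotations are used where the question speaks of descriptor elements; ejb-jar.xml's <method-permission> and <security-identity><run-as> express exactly the same thing. Bean, role and method names, the amount limit and the AccountRegistry lookup are hypothetical, and the registry's contents are constructed sample data.

```java
// --- SensitiveBean.java -----------------------------------------------------
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Added example, not from the original post; names are hypothetical.
@Stateless
@RolesAllowed("sensitive-ops")          // only this special role may call methodA()
public class SensitiveBean {
    public void methodA(long accountId, long amount) {
        // highly sensitive operation, e.g. moving funds
    }
}

// --- CustomerBean.java ------------------------------------------------------
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("user")                   // low-privilege users may reach operationB()
@RunAs("sensitive-ops")                 // outbound calls from this bean carry the special role
public class CustomerBean {
    private static final long OPERATION_B_LIMIT = 100;   // hypothetical business limit

    @EJB private SensitiveBean sensitive;
    @Resource private SessionContext ctx;

    public void operationB(long accountId, long amount) {
        // operationB, not the caller, decides whether this use of methodA is appropriate.
        if (amount <= 0 || amount > OPERATION_B_LIMIT) {
            throw new IllegalArgumentException("amount not permitted via operationB");
        }
        // run-as changes the identity of the outbound call only; the original
        // caller is still visible here and is bound to the account being touched.
        String caller = ctx.getCallerPrincipal().getName();
        if (!AccountRegistry.owns(caller, accountId)) {
            throw new SecurityException(caller + " does not own account " + accountId);
        }
        sensitive.methodA(accountId, amount);             // arrives as "sensitive-ops"
    }
}

// --- AccountRegistry.java ---------------------------------------------------
import java.util.HashMap;
import java.util.Map;

/** Hypothetical ownership lookup; the two entries are constructed sample data. */
final class AccountRegistry {
    private static final Map<Long, String> OWNER = new HashMap<Long, String>();
    static {
        OWNER.put(1001L, "alice");
        OWNER.put(1002L, "bob");
    }

    static boolean owns(String principal, long accountId) {
        return principal != null && principal.equals(OWNER.get(accountId));
    }

    private AccountRegistry() { }
}
```

A client in role "user" that looks up SensitiveBean and calls methodA() directly gets javax.ejb.EJBAccessException from the container, because it is the caller's own role, not the run-as role, that is checked there; only calls that pass operationB()'s guards arrive with the "sensitive-ops" identity. That is why D is tighter than B or C: the descriptor cannot express "only when the amount is small", and B would have to grant methodA() to "user" outright.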

Saturday, February 28, 2009

SCEA 5.0 Exam Questions - 4

Few more questions for the exam:

41. Which design pattern is useful for hiding the construction and implementation details of an object?

A. Flyweight
B. Singleton
C. Abstract Factory
D. Chain of Responsibility
Correct Answer: C

42. Some media players use a virtual proxy for image loading. What is the benefit of using a virtual proxy?

A. It controls access to the original object.
B. It defers creation of expensive objects until necessary.
C. It provides a local representation for an object in a different address space.
D. It is a replacement for a bare pointer that performs additional actions when an object is accessed.

Correct Answer: B

43. What are two capabilities of the Decorator pattern ? (Choose two.)

A. Provides a unified interface to a subsystem
B. Converts the interface of a class into another interface
C. Is used when the base class is unavailable for subclassing
D. Promotes loose coupling by keeping objects from referring to each other
E. Modifies responsibilities to individual objects dynamically and transparently

Correct Answers: C, E

44. You are building a web application that must integrate with a content management system (CMS). Your company currently has a homegrown CMS, but management is considering purchasing a new CMS.
Unfortunately, you have little confidence that their latest choice, BigCMS, is likely to be the final decision. After analyzing the interface to BigCMS, you find that its interface is different from the homegrown CMS. Furthermore, you suspect that any other third-party CMS will have yet another interface.

What is the simplest pattern that would isolate your web application from the interface of the CMS tool?
A. Proxy
B. Bridge
C. Adapter
D. Service Locator
E. Business Delegate

Correct Answer: C

45. What is a benefit of using the Transfer Object pattern ?

A. Reduces requests across the network
B. Avoids the overhead of using EJB finder methods for large searches
C. Separates the business state and related behavior from the rest of the application
D. Implements parent-child relationships efficiently when implementing Business Objects

Correct Answer: A

46. What are two benefits of using the Value List Handler pattern? (Choose two.)

A. Improves network performance
B. Facilitates exposing existing services
C. Provides an alternative to potentially inefficient EJB finders
D. Facilitates post-processing across heterogeneous requests
E. Provides a mechanism to support shared elements of composite views

Correct Answers: A, C

47. A company created its own MVC-like framework in the years before Struts and JSF. Unfortunately, the company's Front Controller has become bloated with too many features, including fine-grained authorization, view dispatching, and business logic invocation. Which three patterns could be applied to reduce the complexity of the Front Controller? (Choose three.)

A. Mediator
B. Command
C. View Helper
D. Intercepting Filter
E. Composite View.
F. Application controller

Correct Answers: B, D, F

48. What are two advantages of the Business Delegate pattern? (Choose two.)

A. Increases the scalability of remote services
B. Decouples presentation logic from business logic
C. Avoids unnecessary invocation of remote services
D. Hides underlying communication details of the service
E. Enables transparent persistent storage of the business entity

Correct Answers: C, D

49. What are two advantages of a thin-client, three-tier architecture over a thick-client, two-tier architecture? (Choose two.)

A. It is more secure.
B. It is more reliable
C. It is easier to maintain.
D. It makes it easier to manage the application deployment.

Correct Answers: C, D

50. A teenage fashion website has a multi-tier web application with 103 web servers, 12 middle-tier servers, and a large RDBMS server with more than enough capacity to support peak loads. You are the architect of the system, and you are concerned about the reliability of the web application. Which change could you make to improve reliability?

A. Add additional web servers.
B. Add additional database servers
C. Add additional middle-tier servers
D. Reduce the number of web servers
E. Reduce the number of middle-tier servers.

Correct Answer: B

51. Which is NOT a valid reason to separate presentation from business logic ?

A. Improved scalability
B. Improved performance
C. Separation of concerns
D. Improved maintainability

Correct Answer: B

52. A company is considering re-architecting their application from a two-tier to a three-tier architecture. To see what impact the new architecture would have on their non-functional requirements (NFRs), they created a prototype.
When they tested the prototype based on their three-tier architecture they noticed, contrary to expectations, that the prototype was less scalable than the original two-tier solution.
Which two statements explain the result? (Choose two.)

A. Clients end up competing for CPU cycles on the common business logic tier.
B. Clients end up competing for resources on the back-end database used by the application.
C. Clients did NOT share interest in any domain objects, but the business tier spent too much time coordinating among clients anyway.
D. Clients did NOT share interest in any domain objects and the business tier ran out of memory to represent all domain objects required by the clients.

Correct Answers: A, D

53. Which two statements are true only when implementing rich client applications, and NOT when implementing web browser-based clients that support only HTML? (Choose two.)
A. Information can be sent to the client by the server, without client polling.
B. Information can be encrypted prior to delivering it to the client and decrypted when received by the client.
C. Information can be compressed prior to delivering it to the client and decompressed when received by the client.
D. Information can be delivered to the client incrementally, without requiring that the server deliver all the information to be presented to the client on each update.

Correct Answers: A, D

54. A bank designed its first-generation web-based banking system around a Java technology rich client application that interacts with server-side service objects implemented as stateful session beans in a portable Java EE application. For their second-generation system, the company wants to open the architecture to other types of clients. The company is considering exposing its existing stateful session bean service as a web service. Which statement is true?

A. Session beans cannot be exposed as web services.
B. Stateful session beans cannot be exposed as web services.
C. Stateful session beans are automatically exposed as web services.
D. Stateful session beans annotated with @WebService are exposed as web services.

Correct Answer: B

55. Brokers at a firm currently use a two-tier application to execute stock transactions on behalf of their customers. Business components within the application enforce a number of complex business rules that ensure that stock transactions are executed properly.
Management has decided that clients should be able to execute their own transactions to streamline operations. Management also wants clients to run the same existing two-tier application from their home computers. They have hired you to advise them on how to proceed to ensure that no illegal stock transactions are executed once the application is available directly to clients.

Which two recommendations should you give to this brokerage firm? (Choose two.)
A. The code already checks for correct execution, so they can deliver the application to clients "as is".
B. Checks for correctness should be rewritten as database constraints because the application running on the client might be modified.
C. The application should be re-architected as a three-tier solution. That way, validation checks can be moved to a server-side business tier, which remains trustworthy.
D. The application should be obfuscated before it is delivered to the client. That way, clients cannot modify it. Therefore, the validation checks currently implemented will remain trustworthy.

Correct Answers: B, C

56. A travel company re-architected its application from a two-tier to a three-tier architecture. To see what impact the new architecture would have on its non-functional requirements (NFRs), the company intends to build a prototype based on the new architecture. The company compared the NFR metrics associated with the new prototype against the metrics from their original two-tier solution. What is an advantage of the original two-tier solution?

A. It has better availability because it has fewer single points of failure.
B. It has better manageability because each client has its own copy of the application.
C. It has better performance because each client uses its own set of domain objects.
D. It has better scalability because each client can access the database independently of other clients.

Correct Answer: A

Saturday, February 14, 2009

SCEA 5.0 - Exam Questions - 3

Few more questions for the exam:

31. Which two can be used to maintain conversational state? (Choose two.)

A. Entity beans
B. Http session
C. Stateful session beans
D. message-driven beans
E. stateless session beans

Correct: B, C

32. You are the architect of a project that will provide an external, low-latency, scalable, and highly-available service for handling string translations. Each request consists of a short string ID and a language key, limited to "EN", "FR", "ES", "DE", and "JP". Each response is a simple Unicode string averaging 256 bytes in size, and there will be no more than 50,000 records for each language. All the records have already been translated and changes to the records will be rare.

What should you do to ensure that your service will scale and perform well as new clients are added?
A - store all the records in an LDAP server and use JNDI to access them from the web tier
B - deploy a standard 3-tier solution that is supported by a fast and reliable relational database
C - deploy a single service on many servers in the web tier, each storing all the records in memory
D - store all of the records in a network attached file system so they can be served directly from the file system

Correct: C

33. You are the architect of a web application that uses JSF as a presentation tier for business processes coded as stateless session beans. When you add new code to the stateless session beans to address new accounting requirements, without changing the interface, you discover that the new business processes are being ignored by some of the JSF components.

Which might be the cause of this problem?
A - The presentation tier is relying on validation logic in the business tier.
B - The browser is caching out-of-date versions of the JSF components.
C - The business processes are not rigorously encapsulated in the session beans.
D - The new session beans have been deployed incorrectly, and proper deployment will resolve the problem.

Correct: C

34. You have refactored your legacy Java application into a three-tiered architecture. Your security audit group is concerned that your architecture may be vulnerable to security threats in the separate tiers. Which two methods can you use to reduce those threats? (Choose two).

A - programmatic security in the EJB entities
B - intercepting filters between the view and the controller
C - intercepting filters between the controller and the model
D - role-based security for the EJBs in the deployment descriptor

Correct: B,D

35. Drag and drop the question. Drag the items to the proper locations.


36. The current architecture of a fashion website consists of one web server, three application servers, and a database. You, as the lead architect, recommend adding more web servers. What are two valid justifications for the new architecture? (Choose two.)

A. New web servers will decrease latency for I/O-bound requests.
B. Adding multiple web servers will have a positive impact on scalability.
C. Adding new web servers will increase the overall availability of the web site.
D. New web servers will increase the number of user accounts that can be supported.

Correct: B, C

37. Which three statements are true about delegation as an OO design technique? (Choose three.)

A. It is applied to a system only at compile time.
B. It is an essential element of the State pattern.
C. It is an essential element of the Singleton pattern.
D. It allows you to replace inheritance with composition.
E. In Java technology, it is always implemented through the use of generics.
F. It always requires that at least two objects are involved in handling a request.

Correct: B, D, F

38. Which two statements are true about the Flyweight pattern? (Choose two.)

A. It allows a single instance of a class to virtually represent many instances.
B. When used appropriately it can reduce memory demands on your servers.
C. It allows for many instances of a class to be controlled by a single instance.
D. It allows many tightly related, homogeneous objects to each maintain their own state.

Correct: A, B

39. Which two techniques can be used to provide polymorphic behavior? (Choose two.)

A. extending a class and adding a new method
B. implementing two interfaces in the same class
C. extending a class and overriding an existing method
D. implementing an interface with several different classes

Correct: C, D

40. As a project architect, you are selecting technologies for a complex, n-tier web application's virtual platform. At this stage in the project, which two technologies should be of primary consideration? (choose two.)

B. Linux
D. Firefox
E. Tomcat

Correct: A, C

Monday, February 9, 2009

SCEA1.5 - My Experience

Hi, I attended SCEA 5.0 recently. I'm updating all the information from my experience and have posted the material that I prepared as part of my preparation.
It consists of all the questions on the new technologies and new versions, that is, J2EE 1.5 technologies.
Below are the types of questions that I faced:
Which one to use JSF , JSP, Servlets
Which one to use JPA, JDO or JDBC
Which one to use EJB3.0 or older
Which one to use web services, SOA, session beans, JMS
Security questions from JAAS
Design Patterns

The below topics are mandatory to prepare:
Web Services (JAX-WS, JAX-RPC)
XML binding: JAXB (I think StAX too)
GoF Design patterns
J2EE design patterns
JSF etc.,

Here is the tutorial on which Sun bases the exam

These are a few questions from the SCEA 1.5 exam (that I found on the net and that were repeated in the exam):
1.What are the three primary roles in a web service interaction? (Choose three.)
Correct:A C E

2. A stock trading company is writing a new application for stock market forecasting. A significant portion of the work required by the business logic involves navigating through the persistent object model. As lead architect on this project, you have chosen JPA over EJB 2 entity beans to implement these persistent objects. You have done this to maximize performance when navigating through the model. Why does JPA offer better performance for this task?
A. JPA guarantees referential integrity at the object level.
B. JPA allows the application to specify lazy or eager retrievals.
C. JPA simplifies the source code that implements the object model.
D. The guaranteed referential integrity in EJB 2 entity beans is expensive.

3. A developer creates a Java web service to be used by consumers in an SOA. This SOA uses a UDDI service registry. How can the developer make the new service available to consumers?
A. deploy to the registry using JAXR
B. publish to the registry using JAXR
C. query the registry using JAX-RPC
D. … the registry using JAX-RPC

4. With the release of a new product line, there has been a significant increase in the volume of transactions on your web site. You need to scale your application and manage session failover. What is the best option for scalability?
A. add additional web servers and application servers
B. introduce a High Availability pair and utilize sticky sessions
C. add additional application servers and implement DNS round robin
D. add additional application servers and use clustered HttpSession

5. You are asked to architect an SOA solution that leverages Java web services. The architecture needs to be flexible and allow for SOAP 1.1, SOAP 1.2, and REST implementations. Which Java EE technology should you use?

For Java related information please visit my other blog

it will have few java issues and solutions for them.

Sunday, February 8, 2009

SCEA 5.0 - Exam Questions - 2

Few more Questions for SCEA 5.0:

6. You are architecting an online ordering application with these requirements: Users access the system over the Internet using HTML. An email message is sent to the user confirming the order.
Users must log in and are validated using LDAP. The product catalog is stored in a relational database. All orders are logged to the internal fulfillment system. Orders must not be lost.

Which Java EE technology should be used to send orders to the fulfillment system?


7. An online sporting goods store's web application uses HttpSession to store shopping carts. When the application is initially deployed, the business plan predicts only a few customers will access the site. Over time, the store projects a steady increase in volume. The deployment plan calls for a single web container in the initial deployment. As demand increases, the plan calls for multiple web containers on separate hardware with clustered HttpSession objects. Which two principles will help the application meet the requirements and optimize performance? (Choose two.)

A. The application should store as much as possible in HttpSession objects.
B. The application should NOT make frequent updates to HttpSession objects.
C. The application should make coarse-grained updates to HttpSession objects.
D. The application should create new HttpSession objects instead of updating existing objects.

Correct: B, C

8. You are writing a utility that searches for existing web services provided by large companies through UDDI. Your web site allows the user to input search criteria using event-driven, state-managed GUI screens, performs the search, and displays the results in a formatted HTML page. Which technologies would you use for this application?



9. A company has a web service that provides the most recent price for stocks, mutual funds, and commodities. The company has the only web service that allows a person to check prices on all three financial assets with one call. Its system does not store this information but sends individual calls to each of the primary vendors for an asset and then aggregates the responses to the requester. The company has committed to support a non-functional requirement (NFR) for performance that states it must process all requests within three seconds, and each of the three vendors is obligated to support the NFR as dictated by the company.

Where, in the message flow, is it appropriate to measure whether all the NFRs are met?
A. when a request is received and a response is sent to the requester
B. when a request is received, first call to vendor, last response from vendors, response is sent to the requester
C. when a requester sends a request, the request is received, each call to vendor, each response from vendor, requester receives response
D. when a request is received, each call to vendor, each response from a vendor, a response is sent to the requester


10. A Java web component, EJB component, or another web service can be a client to a web service. Which Java API can the client use to access the web service through a Service Endpoint Interface?



11. Which three are parts of a SOAP message? (Choose three.)

A. SOAP body
B. SOAP endpoint
C. SOAP headers
D. SOAP handlers
E. SOAP attachments

Correct: A, C, E

12. You are integrating with a single legacy Enterprise Information System. You are interested in the transaction management capabilities of the Java Connector Architecture. This new system needs the capability to invoke multiple operations against this single legacy system. These operations succeed together or fail together as a group. To which minimum level of transaction management are you going to set your resource adapter?

A. No transaction
B. Local transaction
C. Distributed transaction
D. Container-managed transaction


13. What is an advantage of XML over HTTP, as compared to SOAP over HTTP, for web services?

A. guaranteed delivery
B. more security options
C. smaller message size
D. strongly typed parameters


14. An application needs to invoke a service on a remote system over a low-latency connection, and then wait for a response. Which two are best for this type of invocation? (Choose two.)

A. JMS topic
B. JMS queue
D. synchronous web service
E. asynchronous web service

Correct: C, D

15. Your new architecture needs to access the business logic of an Enterprise Information System (EIS). What are three benefits of using the Java Connector Architecture to connect to the EIS instead of implementing a proprietary solution? (Choose three.)
C. loose coupling
D. connection pooling
E. Common Client Interface

Correct: A, D, E

16. Your web application requires access to several different services, so you created a Service Locator class to be used by the UI developers on the team. New services with different interfaces are occasionally added. Unfortunately, the caching benefits of the Service Locator class are NOT being realized because a new instance of this class is being created in every backing bean method that requires a service.

Which pattern should you apply to eliminate this problem?
D. Factory Method
E. Business Delegate


17. What are two benefits of using the Value List Handler pattern? (Choose two.)

A. improves network performance
B. facilitates exposing existing services
C. provides an alternative to potentially inefficient EJB finders
D. facilitates post-processing across heterogeneous requests
E. provides a mechanism to support shared elements of composite views

Correct: A, C

18. What are two capabilities of the Abstract Factory pattern? (Choose two.)

A. creates whole-part hierarchies
B. creates families of related objects
C. enforces dependencies between concrete classes
D. specifies the types of objects to create using a sample instance
E. separates the construction of a complex object from its representation

Correct: B, C

19. A teenage fashion web site includes a set of pages for displaying and browsing their catalog, as well as pages for making fashion suggestions that also display tables of catalog entries. Currently, the JSP code uses scriptlets that perform database SELECT statements and format the results in HTML tables. You have been hired to help reduce the maintenance overhead when either the look is modified or the database schema changes.

Which two patterns, used together, do you apply to reduce this maintenance overhead? (Choose two.)
A. View Helper
B. Front Controller
C. Composite View
D. Data Access Object

Correct: A, D

20. A new security feature has been requested for an existing web application with the following requirements: All requests must be logged to a secure database. Each request must be timestamped with the start and completion times. Each request must contain the IP address of the client that made the request.

Which pattern is most applicable for this new feature?
A. Strategy
B. Front Controller
C. Abstract Factory
D. Intercepting Filter
E. Model View Controller


21. Which two are benefits of using the Intercepting Filter pattern? (Choose two.)

A. allows the recombination of filters
B. provides efficient data sharing between filters
C. facilitates creating a generic command interface
D. facilitates common processing across heterogeneous requests
E. helps to minimize coupling between the presentation and business tiers

Correct: A, D
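An Intercepting Filter in working code, as an added example that is not part of the original post. It serves two passages on this page: the audit feature of question 20 (start and completion timestamps plus the client IP for every request) and the intercepting validation filter of question 63 in the later post (reject a malformed parameter before any servlet or DAO sees it). The "status" parameter, its allow-list and the log sink are hypothetical; java.util.logging stands in for the secure database the requirement names.

```java
import java.io.IOException;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not from the original post. One filter that both audits
 * every request (question 20) and validates input in front of the servlets
 * (question 63, option C). Parameter name, allow-list and log sink are
 * hypothetical; the logger stands in for the "secure database".
 */
public class AuditValidationFilter implements Filter {

    private static final Logger AUDIT = Logger.getLogger("audit");

    // Positive allow-list for the "status" parameter: letters, digits, '_' or '-'.
    private static final Pattern STATUS_OK = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        long start = System.currentTimeMillis();
        // getRemoteAddr() is the TCP peer. X-Forwarded-For is attacker-controlled
        // unless a trusted proxy is the only way to reach this server.
        String clientIp = req.getRemoteAddr();
        String outcome = "rejected";
        try {
            if (isValid(req.getParameter("status"))) {
                outcome = "failed";                  // replaced below unless the servlet throws
                chain.doFilter(request, response);   // hand off to the next filter or servlet
                outcome = "completed";
            } else {
                res.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid status");
            }
        } finally {
            // written even when the servlet throws, so the failure is still audited
            AUDIT.info(String.format("ip=%s uri=%s start=%d end=%d outcome=%s",
                    clientIp, req.getRequestURI(), start, System.currentTimeMillis(), outcome));
        }
    }

    /** An absent parameter is fine (the page may not use it); a present one must match. */
    static boolean isValid(String status) {
        return status == null || STATUS_OK.matcher(status).matches();
    }

    public void destroy() { }
}
```

Register it in web.xml with a <filter> element and a <filter-mapping> on /* so it runs in front of every servlet; further filters (authentication, compression) are chained the same way, which is the recombination benefit of option A. Validation here is defence in depth: the data-access code still has to use bound parameters, because a filter cannot know every context in which a value will later be interpreted.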

22. You are building a subsystem that has several complex components, but you want to hide that complexity from the client code.

Which pattern can you apply to hide this complexity?
A. Proxy


23. Some media players use a virtual proxy for image loading.

What is the benefit of using a virtual proxy?
A. It controls access to the original object.
B. It defers creation of expensive objects until necessary.
C. It provides a local representation for an object in a different address space.
D. It is a replacement for a bare pointer that performs additional actions when an object is accessed.


24. Your company's web site is supported with a cluster of load-balanced web servers and a database server. To reduce expenses, your company must replace your current cluster of web servers with a single web server. All servers under consideration have the same specification.

Which three items will be negatively impacted by this re-architecture? (Choose three.)

Correct: B, C, D

25. A company manufactures widgets for sale to distributors. Distributors call this company when they want to order more widgets. The company wants the distributors to send orders using XML documents over the Internet to reduce the number of data entry personnel needed. It has no control over the distributors' technologies. The company does not want the orders to impact the performance of the other users. You have been assigned the task of designing the new API.

Which approach do you take?
A. … the API as a JMS queue
B. … the API as an RMI interface
C. … the API as a synchronous web service
D. … the API as an asynchronous web service


26. You have been tasked with improving the availability of an existing three-tier application. What is your first step in evaluating what changes should be made to the architecture to achieve the goal?

A.monitor network traffic between tiers
B.separate presentation from business logic
C.identify and document all single points of failure
D.cluster the presentation tier without session replication


27. Which non-functional requirement is a disadvantage for a two-tier architecture?


28. A travel company is designing an application to allow customers to browse for information on any flights operating domestically and to place new reservations on any of those flights. The company makes the following assumptions: significant read volume, in terms of operations the customers will perform; significant overlap in the search criteria of customers; simple processing of each customer browse/update request.

What advice can you give this company?
A. use a two-tier architecture (rich client directly accessing the database) because running copies of the business logic in each client provides significant advantages in terms of processing time per request
B. use a three-tier architecture (thin client > application server > database) because executing business logic remotely in a central location results in better performance per request
C. use a three-tier architecture (thin client > application server > database) because the shared business server allows them to cache information with high likelihood of cache hits, which reduces the load on the database
D. use a two-tier architecture (rich client directly accessing the database) because each client can operate on its own business objects, independently of others, which provides significant advantages from reduced latency due to synchronization


29.A company provides call center support for corporations worldwide.Each agent in the callcenter can be assigned to multiple call center customers. All of the company's customers useWindowsbased user interfaces and it has just signed a new customer that uses a Java EEbackend and wants a rich interface. The company is developing a user interface for the newcustomer with the following requirements: Customer service representatives (CSRs) must be ableto work with minimal training on the application. CSRs must be able to switch between call centersystems quickly. Screens must have a Windows "look and feel." 2000 agents spread across fourlocations must be able to use the system.

What advice would you give this company on the user interface (UI)?
A.write the UI using JSP and JSTL
B.write the UI using JSPs with embedded scriptlets
C.write the UI using Ajax, accessing servlets directly
D.write the UI using Java Swing and distribute using JNLP


30. A travel company decides to re-architect their two-tier application (where each client ran its own copy of the application against a shared database) and hires you as their lead architect. You suggest they re-architect their application as a browser-based, three-tier solution: presentation, business logic, and persistence. You also suggest they deploy each of the three tiers on its own computer.

Why is the three-tier solution more scalable than the two-tier solution?
A. Every client runs its own GUI application. Clients do not compete for resources for presentation purposes.
B. Clients share the same business logic tier. Client-specific objects can be stored centrally, optimizing access.
C. Every client shares the same business logic tier. Each client competes with each other for resources on that JVM.
D. Clients share the same business logic tier. Duplicate effort can be avoided by sharing objects, reducing the load on the database.


SCEA1.5 - Architecture Concepts

Common Architecture Concepts:
Scalability is the ability to economically support the required quality of service as the load increases.
Two types: Vertical and Horizontal

Vertical: Achieved by adding capacity (memory, CPUs, etc.) to existing servers.
Requires few to no changes to the architecture of a system.
Increases: Capacity, Manageability
Decreases: Reliability, Availability (single failure is more likely to lead to system failure)
Vertical scalability is usually cheaper than horizontal scalability.
J2EE supports vertical scaling because of automatic lifecycle management. Adding more capacity to a server allows it to manage more components (EJBs, etc.).

Horizontal: Achieved by adding servers to the system.
Increases the complexity of the system architecture.
Increases: Reliability, Availability, Capacity, Performance (depends on load balancing), Flexibility
Decreases: Manageability (more elements in the physical architecture)
J2EE supports horiz. scaling because the container and server handle clustering and load-balancing.
Availability and reliability are obtained through scalability.
Scalability affects capacity. The more scalable the system is the more capacity it can support. This must be traded-off against the complexity & manageability costs.

Flexibility is the ability to change the architecture to meet new requirements in a cost-efficient manner.
A flexible system should be more maintainable in the face of changes to the environment and/or to the application itself.
Flexibility improves: Availability, Reliability, Scalability
Flexibility slightly decreases: Performance, Manageability
Flexibility is achieved via code that can be distributed across servers with load balancing that prevents one system from being overburdened. The use of a multi-tier architecture also helps achieve flexibility.

Reliability is the ability to ensure the integrity and consistency of the application and all of its transactions.
You increase reliability through the use of horizontal scalability, i.e., by adding more servers. This only works up to a certain point, though.
When you increase reliability you increase availability.

Availability is about assuring that services are available to the required number of users for the required proportion of time.

Extensibility is the ability to modify or add functionality without impacting the existing functionality.
The key to an extensible design is an effective OO design. Extensibility pays off the most towards the front end of a system.
Some rough guidelines:
More than 25 top-level classes will lead to problems
Every use case should be able to be implemented using domain model methods
J2EE supports extensibility because it is component-based and allows you to separate the roles of an app. JSPs can handle presentation. Servlets can handle routing, and EJBs can handle business logic.

Performance: architectural performance is concerned with creating an architecture that enforces end-to-end performance.
The purpose of an architecture that ensures performance is to control expensive calls and to identify bottlenecks.
If you know the boundaries of the various parts of the system, the technologies, and the capabilities of the technologies you can do a good job of controlling performance.
You want to minimize the number of network calls your distributed app makes – make a few “large” calls that get a lot of data vs. lots of calls that get small amounts of data.
Try to minimize process-to-process calls because they are expensive.
Use resource pooling to reduce the number of expensive resources that need to be created like network connections, database connections, etc.

Manageability refers to the ability to manage a system to ensure the health of the system.
A single tier or monolithic app would be more manageable from a management perspective than a multi-tier system but this must be weighed against the possibility of a change rippling through a monolithic app.
A simple architecture may not be as flexible or available as a more complex system but the amount of effort required to keep the system up & functioning will be less.
A component-based architecture like J2EE offsets some of the manageability problems caused by a multi-tier system.

Security ensures that info is neither modified nor disclosed except in accordance with the security policy.
Tradeoffs: personal privacy, ease of use, and expense.
A highly secure system is: More costly, Harder to define and develop, Requires more watchdog activities
Principles of Security:
Identity – The user is correctly identified through an authentication mechanism
Authority – The user can perform only allowed activities
Integrity – Data can only be modified in allowed ways
Privacy – Data is disclosed to authorized entities in authorized ways
Auditability – The system maintains logs of actions taken for later analysis


UML Terms:
Dependency: a change in one element can affect the semantics of another element.
Represented by: dashed line with arrow

Association: represents set of connections between objects
Represented by: solid line with arrow or without arrow may have multiplicity

Aggregation: represents the relationship between whole and the part
Represented by: solid line with open diamond; the diamond side is the whole

Composition: whole-part relationship, but a stronger form of aggregation
Represented by: solid line with filled diamond; as with aggregation, the diamond side is the whole

Generalization: parent and child relationship
Represented by: solid line with triangular open arrow, extends keyword

Realization: interface and implementation class
Represented by: dashed arrow with triangular open arrow, implements keyword

Include relationship in use case - the other use cases can reuse the common, factored-out use case.

Difference between Aggregation & Composition:
Aggregation defines a part-of relationship, but both objects can exist independently. With composite aggregation, if the whole is removed its parts are removed with it. Think of a plane: the wings have a composite aggregation relationship with the body of the plane.

SCEA1.5 - Internationalization

Internationalization & Localization:
Internationalization: adapting a program for use in any country. Localization: the process of adapting a program for use in a particular country.

Other classes related to Internationalization:
Locale - Language (en, es), Region (GB, US), Variant (WIN, POSIX)

Servlet - setContentType(), setLocale()
JSP - pageEncoding, contentType (default encoding from a .properties file)

Java supported font types - Serif, Sans-serif, Monospaced, Dialog and DialogInput

Saturday, February 7, 2009

SCEA1.5 - Design Patterns

Benefits of using design patterns:
Improves communication between designers by use of pattern names vs. the details of the patterns.
Captures experience of solving a type of problem.
Provide a way of reusing design.
Provide a mechanism for making designs more reusable.
Provides a mechanism for systematizing the reuse of things that have been seen before.
Can be used to teach good design.

Abstract Factory:
The Abstract Factory pattern is used for creating many objects that are dependent on each other.
Also known as Kit
Used in J2EE - DAO and VO assembler, J2SE-java.awt.Toolkit
J2EE technology uses this pattern for the EJB Home interface, which creates new EJB objects.
Related patterns: Factory Method, Prototype; the concrete factory is often a Singleton.
It isolates concrete classes.
It makes exchanging product families easy.
It promotes consistency among products.
Supporting new kinds of products is difficult.

The Builder pattern separates the construction and representation of an object. The client is shielded from the object's construction, only needing to specify its content and type.
Related patterns: Abstract Factory is similar to Builder in that it too may construct complex objects. The primary difference is that Builder focuses on constructing a complex object step by step, while Abstract Factory's emphasis is on families of product objects (either simple or complex). Builder returns the product as a final step, but as far as Abstract Factory is concerned, the product gets returned immediately. A Composite is what a Builder often builds.

Factory Method:
Factory Method pattern provides an interface for creating an object that allows either sub classes or helper classes to create that object.
Also known as: virtual constructor
Used in J2EE - EJBHome, EJBLocalHome, QueueConnectionFactory, TopicConnectionFactory; J2SE - Collator, ContentHandlerFactory, InitialContextFactory, SocketFactory
J2EE technology uses this pattern for the EJB Home interface, which creates new EJB objects.
Related patterns: Abstract Factory; used within Template Methods
Eliminates the need to bind application-specific classes into your code.
Gives subclasses a hook for providing an extended version of an object being constructed.

The Prototype pattern is used to create new objects by copying a prototype: specify the kinds of objects to create using a prototypical instance, and create new objects by copying this prototype.
Used in J2SE - java.lang.Object
Related patterns: Prototype and Abstract Factory are competing in some ways.
Designs that make heavy use of the Composite and Decorator patterns often can benefit from Prototype as well.

Ensure a class only has one instance and provide a global point of access to it. The Singleton doesn't just create a single instance; it can also be used to create a variable number of instances of a class. J2SE - java.lang.Runtime
Related patterns: Abstract Factory, Builder and Prototype can be implemented using Singleton

The Adapter pattern implements an interface known to its clients and provides an instance of a class not known to its clients.
Also known as: Wrapper
Used in JCA architecture, J2SE-java.awt.event.ComponentAdapter
Related patterns-Bridge,Decorator,Proxy

The Bridge pattern creates a separation between abstractions and classes that implement those abstractions
Also known as Handle/Body
Related patterns-An abstract factory can create and configure a particular bridge.

Compose objects into tree structures to represent part-whole hierarchies. Composite lets clients treat individual objects and compositions of objects uniformly.
Related patterns: Chain of responsibility, Decorator, Flyweight, Iterator, Visitor

Decorator Pattern:
The Decorator pattern isn't used to build objects. It adds extra functionality to existing objects
Also known as: Wrapper
Used in J2EE-EJBObject, J2SE-BufferedReader
Related patterns: Adapter,Composite,Strategy
In J2EE technology, the EJB object is a decorator for the bean because the bean's functionality is expanded to include remote behavior.

Provide a unified interface to a set of interfaces in a subsystem. Facade defines a higher-level interface that makes the subsystem easier to use.
Used in
Related patterns: Abstract Factory, Mediator, Singleton

Flyweight:
Use sharing to support large numbers of fine-grained objects efficiently.
Use it when the instances of your class can be used interchangeably and you want to reduce the number of instances created in order to improve performance.
Used in J2SE-java.lang.String
Related patterns: Composite,State and Strategy

Proxy:
Provide a surrogate or placeholder for another object to control access to it. In this scenario what you are essentially trying to do is filter all packets that don't meet a certain set of requirements; this behavior is just like a proxy server dropping packets from certain IP addresses.
Also known as: Surrogate
The EJB's remote interface (EJBObject) acts as a proxy for the bean. Proxy is also used in RMI.
Related patterns: Adapter,Decorator
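The "control access" side of Proxy is the one a security engineer cares about: the real subject stays free of authorization logic, and every call is checked in the surrogate before it is forwarded. The following is an added example written for this page (not code from the exam notes or from any J2EE product). It uses java.lang.reflect.Proxy to wrap a hypothetical AccountService behind a role check; the interface, the role names and the required-role table are all assumptions made for the illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical business interface; exists only for this example. */
interface AccountService {
    long balance(String accountId);
    void transfer(String from, String to, long amount);
}

/** Real subject: contains no access-control logic of its own. */
class AccountServiceImpl implements AccountService {
    public long balance(String accountId) { return 100L; }          // constructed value
    public void transfer(String from, String to, long amount) { }   // would update the store
}

/** Proxy behaviour: every call passes through here before it reaches the real subject. */
class AuthorizingHandler implements InvocationHandler {
    /** Role required per guarded method (assumed table); a method missing here is denied. */
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<>();
    static {
        REQUIRED_ROLE.put("balance", "csr");
        REQUIRED_ROLE.put("transfer", "teller");
    }

    private final Object target;
    private final Set<String> callerRoles;

    AuthorizingHandler(Object target, Set<String> callerRoles) {
        this.target = target;
        this.callerRoles = callerRoles;
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        // toString/hashCode/equals are not business calls; forward them unchecked.
        if (method.getDeclaringClass() == Object.class) {
            return method.invoke(target, args);
        }
        String needed = REQUIRED_ROLE.get(method.getName());
        // Deny by default: an unknown method and a missing role are both refused.
        if (needed == null || !callerRoles.contains(needed)) {
            throw new SecurityException("caller lacks role for " + method.getName());
        }
        try {
            return method.invoke(target, args);
        } catch (InvocationTargetException e) {
            throw e.getCause(); // surface the real subject's exception, not the reflection wrapper
        }
    }
}

public class AccessControlProxyDemo {
    /** Wraps the real subject in a dynamic proxy that enforces the role check. */
    static AccountService guard(AccountService real, Set<String> callerRoles) {
        return (AccountService) Proxy.newProxyInstance(
                AccountService.class.getClassLoader(),
                new Class<?>[] { AccountService.class },
                new AuthorizingHandler(real, callerRoles));
    }

    public static void main(String[] args) {
        AccountService csrView = guard(new AccountServiceImpl(), Set.of("csr"));
        System.out.println("balance: " + csrView.balance("ACC-1")); // allowed: csr may read balances
        try {
            csrView.transfer("ACC-1", "ACC-2", 50L);                // denied: transfer needs teller
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Two design choices are worth noting: the handler denies anything it has no entry for (so a method added to the interface later is closed until someone decides its role), and it re-throws the target's own exception so callers cannot distinguish a guarded service from the unguarded one except by the SecurityException. The same shape is what an EJB container applies when it enforces declarative method permissions through the EJBObject proxy mentioned above.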

Chain of responsibility:
Avoid coupling the sender of a request to its receiver by giving more than one object a chance to handle the request. Chain the receiving objects and pass the request along the chain until an object handles it.
Used in J2EE - RequestDispatcher in the servlet/JSP API
Related patterns: composite

Command:
Encapsulate a request as an object, thereby letting you parameterize clients with different requests, queue or log requests, and support undoable operations.
Also known as: Action or Transaction
Used in J2EE - message-driven beans, servlets and JSPs
Related patterns: Composite, Memento

Interpreter:
Given a language, define a representation for its grammar along with an interpreter that uses the representation to interpret sentences in the language.
Related patterns: Composite, Iterator, Visitor
Iterator:
Provide a way to access the elements of an aggregate object sequentially without exposing its underlying representation.
Also known as: Cursor
Used in J2SE - Iterator, Enumeration
Related patterns: Composite, Factory Method, Memento

Define an object that encapsulates how a set of objects interact. Mediator promotes loose coupling by keeping objects from referring to each other explicitly, and it lets you vary their interaction independently. The Mediator pattern allows you to coordinate state changes between other objects by using one object.
Related patterns: Facade Observer

Memento:
Without violating encapsulation, capture and externalize an object's internal state so that the object can be restored to this state later.
Also known as: Token
Used in J2EE - entity bean using bean-managed persistence
Related patterns: Command, Iterator

Define a one to many dependency between objects so that when one object changes its state,all its dependents are notified and updated automatically.
When you need classes to be notified of events but you don't know which classes or if you will need to add more at a later date.
Also known as: Dependents,Publish-subscribe
Used in J2SE-Observable,Observer
Related patterns: Mediator, Singleton

State:
Allow an object to alter its behavior when its internal state changes. The object will appear to change its class.
Also known as: Objects for States
Related patterns: Flyweight, Singleton

Define a family of algorithms, encapsulate each one, and make them interchangeable. Strategy lets the algorithm vary independently from the clients that use it.
Also known as-Policy
Related patterns: Flyweight

Template method:
Define the skeleton of an algorithm in an operation, deferring some steps to subclasses. Template Method lets subclasses redefine certain steps of an algorithm without changing the algorithm's structure.
Related patterns: Factory method,Strategy

Represent an operation to be performed on the elements of an object structure. Visitor lets you define a new operation without changing the classes of the elements on which it operates
Related patterns: Composite, Interpreter

SCEA1.5 - Few Terms related to JAX-WS, JAX-RPC and JAXB

Reasons you may want to stay with JAX-RPC 1.1:
If you want to stay with something that's been around a while; JAX-RPC will continue to be supported for some time to come.
If you don't want to step up to Java 5.
If you want to send SOAP encoded messages or create RPC/encoded style WSDL.
Reasons to step up to JAX-WS 2.0:
If you want to use the new message-oriented APIs.
If you want to use MTOM to send attachment data.
If you want better support for XML schema through JAXB.
If you want to use an asynchronous programming model in your Web service clients.
If you need to have clients or services that can handle SOAP 1.2 messages.
If you want to eliminate the need for SOAP in your Web services and just use the XML/HTTP binding.
If you like playing with leading edge technology.
JAX-WS style web services are built on the JSR-224 specification. It uses annotations (JSR-181) and the new data binding stack JAXB. The JBossWS 2.0 series (or later), which is used in this porting exercise, is JAX-WS compliant. It supports SOAP 1.1 and SOAP 1.2. There are quite a few notable differences between JAX-WS and JAX-RPC:

SOAP 1.2
JAX-RPC and JAX-WS support SOAP 1.1. JAX-WS also supports SOAP 1.2.

XML/HTTP
The WSDL 1.1 specification defined an HTTP binding, which is a means by which you can send XML messages over HTTP without SOAP. JAX-RPC ignored the HTTP binding. JAX-WS adds support for it.

WS-I's Basic Profiles
JAX-RPC supports WS-I's Basic Profile (BP) version 1.0. JAX-WS supports BP 1.1. (WS-I is the Web Services Interoperability organization.)

New Java features
JAX-RPC maps to Java 1.4. JAX-WS maps to Java 5.0. JAX-WS relies on many of the features new in Java 5.0. Java EE 5, the successor to J2EE 1.4, adds support for JAX-WS, but it also retains support for JAX-RPC, which could be confusing to today's Web services novices.

The data mapping model
JAX-RPC has its own data mapping model, which covers about 90 percent of all schema types. Those that it does not cover are mapped to
JAX-WS's data mapping model is JAXB. JAXB promises mappings for all XML schemas.

The interface mapping model
JAX-WS's basic interface mapping model is not extensively different from JAX-RPC's; however:
JAX-WS's model makes use of new Java 5.0 features.
JAX-WS's model introduces asynchronous functionality.

The dynamic programming model
JAX-WS's dynamic client model is quite different from JAX-RPC's. Many of the changes acknowledge industry needs:
It introduces message-oriented functionality.
It introduces dynamic asynchronous functionality.
JAX-WS also adds a dynamic server model, which JAX-RPC does not have.

MTOM (Message Transmission Optimization Mechanism)
JAX-WS, via JAXB, adds support for MTOM, the new attachment specification. Microsoft never bought into the SOAP with Attachments specification; but it appears that everyone supports MTOM, so attachment interoperability should become a reality.

The handler model
The handler model has changed quite a bit from JAX-RPC to JAX-WS. JAX-RPC handlers rely on SAAJ 1.2. JAX-WS handlers rely on the new SAAJ 1.3 specification.

Difference between original WSDL and modified WSDL:
No import statement required here.
HelloWorld is not a complex type but just an element; if it were a complex type it would add another layer in the SOAP packet.
Similarly HelloWorldResponse is not a complex type but just an element.

JAXB: JAXB provides methods for unmarshalling XML instance documents into Java content trees, and then marshalling Java content trees back into XML instance documents. JAXB also provides a way to generate XML schema from Java objects.
JAXB 2.0 includes several important improvements to JAXB 1.0:
Support for all W3C XML Schema features. (JAXB 1.0 did not specify bindings for some of the W3C XML Schema features.)
Support for binding Java-to-XML, with the addition of the javax.xml.bind.annotation package to control this binding. (JAXB 1.0 specified the mapping of XML Schema-to-Java, but not Java-to-XML Schema.)
A significant reduction in the number of generated schema-derived classes.
Additional validation capabilities through the JAXP 1.3 validation APIs.
Smaller runtime libraries.

Unmarshalling: Unmarshalling provides a client application the ability to convert XML data into JAXB-derived Java objects.
Marshalling: Marshalling provides a client application the ability to convert a JAXB-derived Java object tree back into XML data.
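The unmarshalling direction is where untrusted input enters the application, so the parser that feeds JAXB should have DTD processing and external entity resolution switched off. The following round trip is an added example written for this page (not the exam notes' or the JAXB project's code); it assumes the javax.xml.bind API is on the classpath (Java 8, or a JAXB artifact on newer JDKs) and uses a constructed Reservation element and sample document.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeJaxbRoundTrip {

    /** Hypothetical content tree for a travel reservation; exists only for this example. */
    @XmlRootElement(name = "reservation")
    public static class Reservation {
        @XmlElement public String flight;
        @XmlElement public int seats;
    }

    private static final JAXBContext CONTEXT;
    static {
        try {
            CONTEXT = JAXBContext.newInstance(Reservation.class); // build once; contexts are expensive and thread-safe
        } catch (JAXBException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** StAX factory with DTD processing and external entity resolution switched off. */
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    /** Unmarshalling: XML text -> JAXB-derived object, read through the hardened reader. */
    static Reservation unmarshal(String xml) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = hardenedInputFactory().createXMLStreamReader(new StringReader(xml));
        try {
            Unmarshaller unmarshaller = CONTEXT.createUnmarshaller();
            return (Reservation) unmarshaller.unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    /** Marshalling: JAXB-derived object -> XML text. */
    static String marshal(Reservation reservation) throws JAXBException {
        Marshaller marshaller = CONTEXT.createMarshaller();
        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
        StringWriter out = new StringWriter();
        marshaller.marshal(reservation, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document.
        String xml = "<reservation><flight>TC101</flight><seats>2</seats></reservation>";
        Reservation r = unmarshal(xml);
        System.out.println(r.flight + " x" + r.seats);
        r.seats = 3;
        System.out.println(marshal(r));
    }
}
```

Passing an XMLStreamReader to the Unmarshaller, rather than a raw InputStream, is what gives you control over the parser configuration; with a stream JAXB builds its own reader with default settings. How a document that still carries a DOCTYPE is reported (skipped or rejected) depends on the StAX implementation, so a deployment that must reject such input should add a check on the first event rather than rely on that behaviour.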

SCEA1.5 - Transaction Attributes

Transactional attributes of bean methods are specified in the deployment descriptor. Here are the attributes and what they mean :

TX_BEAN_MANAGED (EJB 1.0 only): The bean programmatically controls its own tx boundaries via JTA.

NotSupported: The bean CANNOT be involved in a transaction at all. When a bean method is called, any existing tx is suspended.

Required: The bean must ALWAYS run in a transaction. If a tx is already running, the bean joins in that tx. If not, the container starts a tx for you.

RequiresNew: The bean must ALWAYS run in a NEW transaction. Any current tx is suspended.

Supports: If a transaction is underway, the bean joins in that tx, otherwise runs with no tx at all.

Mandatory: Mandates that a transaction must already be running when the bean method is called or an exception is thrown back to the caller.

Never (EJB 1.1 only): If a tx is underway the bean will throw a RemoteException, otherwise the method runs normally without a tx.
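The deployment-descriptor attributes above map one-to-one onto the EJB 3 TransactionAttributeType values, which is the easiest way to see them side by side. The following is an added example written for this page (not from the exam notes or any application server); the bean names, methods and business logic are assumptions, and the self-call through getBusinessObject assumes an EJB 3.1 no-interface view. The point it makes that the table does not is why RequiresNew matters for audit records: an audit entry written in its own transaction survives a rollback of the business call that produced it.

```java
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.ejb.TransactionManagement;
import javax.ejb.TransactionManagementType;
import javax.transaction.UserTransaction;

/** Container-managed transactions: the attribute on each method is what the container enforces. */
@Stateless
public class ReservationBean {

    @Resource
    private SessionContext ctx;

    /** Required: join the caller's tx, or have the container start one (the default for CMT beans). */
    @TransactionAttribute(TransactionAttributeType.REQUIRED)
    public void book(String flight, int seats) {
        if (seats <= 0) {
            ctx.setRollbackOnly(); // marks the tx for rollback; the method still returns normally
            return;
        }
        reserveSeats(flight, seats);
        // Call through the container, not 'this', so the REQUIRES_NEW attribute on audit() is applied.
        ctx.getBusinessObject(ReservationBean.class).audit("book " + flight + " x" + seats);
    }

    /** RequiresNew: the audit entry commits in its own tx and survives a rollback of book(). */
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public void audit(String event) {
        // write the event to the audit store
    }

    /** Mandatory: refuses to run outside a tx; the container throws back to the caller. */
    @TransactionAttribute(TransactionAttributeType.MANDATORY)
    public void confirmPayment(String bookingId) { }

    /** Supports: joins a tx if one exists, otherwise runs without one; fine for read-only lookups. */
    @TransactionAttribute(TransactionAttributeType.SUPPORTS)
    public int availableSeats(String flight) { return 42; } // constructed value

    /** NotSupported: any caller tx is suspended for the duration of the call. */
    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public void refreshCache() { }

    /** Never: the container raises an exception if the caller already has a tx. */
    @TransactionAttribute(TransactionAttributeType.NEVER)
    public String healthCheck() { return "ok"; }

    private void reserveSeats(String flight, int seats) { }
}

/** Bean-managed transactions (the TX_BEAN_MANAGED case): the bean draws the boundaries itself via JTA. */
@Stateless
@TransactionManagement(TransactionManagementType.BEAN)
class BatchImportBean {

    @Resource
    private UserTransaction utx;

    public void importBatch(java.util.List<String> rows) throws Exception {
        utx.begin();
        try {
            for (String row : rows) { /* insert row */ }
            utx.commit();
        } catch (Exception e) {
            utx.rollback(); // never leave a bean-managed tx open on the error path
            throw e;
        }
    }
}
```

A method on a CMT bean must not call UserTransaction, and a BMT bean gets no attributes at all; mixing the two is a deployment error. The self-invocation detail is a common source of "my RequiresNew did not work" reports: a plain Java call on `this` bypasses the container's interceptor chain, so no attribute is applied.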

SCEA1.5 - Legacy Connectivity

Upgrading Client-Tier GUIs:
In cases where the GUI is loosely coupled to the other legacy tiers you can use an applet or a small application to replace the GUI.
Applets can communicate with the other tiers via TCP sockets. The applet can be signed and trusted, if necessary to access resources.
Applets can also communicate with COM and CORBA objects (using bridge or Java IDL).

Screen Scrapers :
Screen scrapers may be used to integrate an applet (or other) interface with an existing system. They are particularly useful when the client interface is tightly coupled to the other tiers of the system.
A screen scraper is an application that translates an existing client interface into a set of objects.
Screen scrapers usually function as a terminal emulator on one end and an object interface on the other. The screen scraper is configured to read data from
terminal fields of the legacy interface and make them available via objects.
Screen scrapers have the following advantages:
Provides a low-level object-based interface to the legacy app.
Allows you to build a new GUI over the existing client interface.
Disadvantages of screen scrapers:
Any changes to the legacy interface can break the new GUI.
Prone to causing errors in the new GUI because of unexpected outputs from the legacy interface.
Prone to causing the new GUI to "freeze" when the legacy interface is expecting input that the screen scraper is unaware of.

Object Mapping Tools:
Object mapping tools can be used if you choose to ignore the existing legacy interface and access the underlying tiers directly.
These tools are used to create proxy objects that access legacy system functions and make them available in an object-oriented form.
Object mapping tools are usually more effective than screen scrapers because they are not dependent on the format generated by the existing legacy

When you have access to the mainframe source code use object mapping; if you don't have access to the mainframe source code use screen scraping.

Upgrading Application Business Logic:
Java servlets provide a capability to make existing applications available via an intranet or the Internet.
Clients (browsers and/or applets) access servlets via HTTP or HTTPS. The servlets take the requests and communicate with the legacy system.
EJBs provide a component-based approach to upgrading legacy applications.
Java’s support for CORBA enables CORBA objects to be accessed from Java and Java objects to be accessed as CORBA objects.
Microsoft’s JVM provides (or used to provide) a bridge between Java and COM objects.
JNI may be used to write custom code to interface new business logic with an existing legacy system.

Upgrading the Data Storage Tier:
JDBC may be used to access relational databases in a legacy system.
In many cases the legacy database will not support a pure JDBC driver. If the database provides ODBC support the JDBC-ODBC bridge can be used.
If the existing legacy database is hierarchical or flat-file then it may be able to be imported into an RDBMS.

Securing Legacy System Components:
Retrofitting a system with security is generally more expensive and less productive than redesigning and redeveloping the system to operate in a secure manner. However, budget constraints may prevent this.
Legacy systems may be isolated from threats by placing them behind a firewall.
Access to legacy systems can be controlled by requiring users and external applications to authenticate themselves with the firewall before they can access the legacy system. Auditing features of the legacy system should be used to determine who is accessing the legacy system and when.
A VPN may be used to secure all communications with a legacy system.

Offboard server:
An off-board server is simply a proxy server for a legacy system.
It enables secure remote access to a mainframe by forwarding SSL requests to serial connections.

Fast Lane Reader:
The Fast Lane Reader design pattern provides a more efficient way to access tabular, read-only data. A fast lane reader component directly accesses persistent data using JDBC components, instead of using entity beans. The result is improved performance and less coding, because the component represents data in a form that is closer to how the data are used.

How to connect to a VT100 terminal?
Use JDBC with SQL
How to connect to MQSeries?
Use an EJB session bean with JMS messages
How to connect to an LDAP server?
JNDI allows you to connect to an LDAP server

SCEA1.5 - Messaging

Java Messaging Service (JMS):
JMS provides a common way for Java programs to create, send, receive and read an enterprise messaging system’s messages.
JMS defines a set of message interfaces.
JMS provides client interfaces for point-to-point (PTP) and publish-subscribe systems.
PTP: built around the concept of message queues; each message is addressed to a specific queue; clients get messages from the queue(s) created to hold their messages

Publish-subscribe: publishers address messages to a node or address; the system distributes the messages arriving from a publisher to the subscribers of that publisher
Nothing prevents a JMS application from combining PTP and publish-subscribe but JMS focuses on applications that use one approach or the other.
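The PTP flow in code: a producer addresses a message to a queue, and a consumer registered on that queue receives it asynchronously through a MessageListener. The following is an added example written for this page (not the exam notes' or any JMS provider's code). It uses only the JMS 1.1 API and assumes a provider with a ConnectionFactory and a Queue bound in JNDI under the made-up names jms/ConnectionFactory and jms/ReservationQueue. The listener accepts TextMessage only; in particular it refuses ObjectMessage, because getObject() deserializes provider-supplied bytes, which a queue that any producer can write to should never be allowed to trigger.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageListener;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.InitialContext;

public class ReservationQueueDemo {

    /** Upper bound on a body we are willing to process; an assumed limit for this example. */
    static final int MAX_BODY = 4096;

    /** Consumer side: invoked by the provider's thread for each message addressed to the queue. */
    static final class ReservationListener implements MessageListener {
        @Override
        public void onMessage(Message message) {
            try {
                if (!(message instanceof TextMessage)) {
                    // ObjectMessage, BytesMessage, etc. are not part of this contract; drop and log.
                    System.out.println("dropped message of type " + message.getJMSType()
                            + " id=" + message.getJMSMessageID());
                    return;
                }
                String body = ((TextMessage) message).getText();
                if (body == null || body.length() > MAX_BODY) {
                    System.out.println("dropped oversized or empty message id=" + message.getJMSMessageID());
                    return;
                }
                System.out.println("processing: " + body);
            } catch (JMSException e) {
                System.out.println("provider error while reading message: " + e.getMessage());
            }
        }
    }

    /** Producer side: one text message addressed to the queue, then the connection is released. */
    static void send(ConnectionFactory factory, Queue queue, String text) throws JMSException {
        Connection conn = factory.createConnection();
        try {
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer producer = session.createProducer(queue);
            producer.send(session.createTextMessage(text));
        } finally {
            conn.close(); // closes the session and producer as well
        }
    }

    /** Registers the listener; deliveries begin only once the connection is started. */
    static Connection startConsumer(ConnectionFactory factory, Queue queue) throws JMSException {
        Connection conn = factory.createConnection();
        Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
        MessageConsumer consumer = session.createConsumer(queue);
        consumer.setMessageListener(new ReservationListener());
        conn.start();
        return conn;
    }

    public static void main(String[] args) throws Exception {
        InitialContext jndi = new InitialContext();
        ConnectionFactory factory = (ConnectionFactory) jndi.lookup("jms/ConnectionFactory"); // assumed name
        Queue queue = (Queue) jndi.lookup("jms/ReservationQueue");                           // assumed name
        Connection consumer = startConsumer(factory, queue);
        send(factory, queue, "RESERVE TC101 2"); // constructed sample message
        Thread.sleep(1000);                      // give the provider time to deliver
        consumer.close();
    }
}
```

The publish-subscribe variant differs only in the destination type (Topic instead of Queue) and in the fact that every current subscriber receives a copy; the type check in the listener is the same. With AUTO_ACKNOWLEDGE a message the listener drops is still acknowledged and gone, which is the intended outcome here; if the requirement is to quarantine rather than discard, use CLIENT_ACKNOWLEDGE and forward the message to a dead-letter destination before acknowledging.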

Asynchronous messaging:
Loose coupling between sender and receiver
Does not block sender
Network does not need to be available, messages can be queued
Least demanding on comm. mechanisms
Good for publish-subscribe

Synchronous messaging:
Tight coupling between sender and receiver
Blocks sender until receiver is finished processing
Network must be available
More demanding on comm. mechanisms
Good for transaction processing, fail-safe comm.
Coping with error situations

JMS does NOT include the following:
Load balancing/fault tolerance
Error/advisory notification
Wire protocol
Message Type Repository

SCEA1.5 - Protocols

HTTP Properties:
Client-Server Architecture
The HTTP protocol is based on a request/response paradigm. The communication generally takes place over a TCP/IP connection on the Internet. The default port is 80, but other ports can be used. This does not preclude the HTTP/1.0 protocol from being implemented on top of any other protocol on the Internet, so long as reliability can be guaranteed.
The HTTP protocol is connectionless and stateless
After the server has responded to the client's request, the connection between client and server is dropped and forgotten. There is no "memory" between client connections. The pure HTTP server implementation treats every request as if it was brand-new, i.e. without
An extensible and open representation for data types
HTTP uses Internet Media Types (formerly referred to as MIME Content-Types) to provide open and extensible data typing and type negotiation. When the HTTP server transmits information back to the client, it includes a MIME-like (Multipurpose Internet Mail Extensions) header to inform the client what kind of data follows the header. Translation then depends on the client possessing the appropriate utility (image viewer, movie player, etc.) corresponding to that data type.

HTTPS (Secure Hypertext Transfer Protocol):
HTTPS (Secure Hypertext Transfer Protocol) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Netscape's Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layer. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40 or 128-bit key size for the RC4 stream encryption algorithm, which at the time was considered an adequate degree of encryption for commercial exchange; RC4 and 40-bit keys have since been deprecated and are not accepted by current TLS configurations.
Suppose you use a Netscape browser to visit a Web site such as NetPlaza ( and view their catalog. When you're ready to order, you
will be given a Web page order form with a URL that starts with https://. When you click "Send," to send the page back to the catalog retailer, your
browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with an https:// URL, and
be decrypted for you by your browser's HTTPS sublayer.
HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. SSL is an open,
nonproprietary protocol that Netscape has proposed as a standard to the World Wide Web Consortium (W3C). HTTPS is not to be confused with S-HTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

CORBA and IIOP assume the client/server model of computing in which a client program always makes requests and a server program waits to receive requests
from clients. When writing a program, you use an interface called the General Inter-ORB Protocol (GIOP). The GIOP is implemented in specialized mappings for
one or more network transport layers. Undoubtedly, the most important specialized mapping of GIOP is IIOP, which passes requests or receives replies through
the Internet's transport layer using the Transmission Control Protocol (TCP). Other possible transport layers would include IBM's Systems Network
Architecture (SNA) and Novell's IPX.
For a client to make a request of a program somewhere in a network, it must have an address for the program. This address is known as the Interoperable
Object Reference (IOR). Using IIOP, part of the address is based on the server's port number and Internet Protocol (IP) address. In the client's computer, a
table can be created to map IORs to proxy names that are easier to use. The GIOP lets the program make a connection with an IOR and then send requests to it
(and lets servers send replies). A Common Data Representation (CDR) provides a way to encode and decode data so that it can be exchanged in a standard way.
CORBA is not the only architecture that uses IIOP. Because a TCP/IP-based proxy is usable on almost any machine that runs today, more parties now use IIOP.
When another architecture is IIOP-compliant, it not only establishes a well-proven communication transport for its use, but it also can communicate with any
ORB implementation that is IIOP-compliant. The possibilities are endless.

The Transport layer employs JRMP, also known as the RMI Wire Protocol, to send method invocations and associated parameters and to return values and exceptions from one Java virtual machine (JVM) to another. JRMP is a simple protocol consisting of five messages, plus an extra five for multiplexing flow.

All JRMP sessions consist of a header followed by one or more messages. The header contains just the ASCII codes for the characters JRMI, the protocol version, and the "subprotocol" to be used. There are three subprotocols: SingleOpProtocol, StreamProtocol, and MultiplexProtocol. SingleOpProtocol signifies that only one message follows a header before the end of a session (i.e., the connection closes). StreamProtocol and MultiplexProtocol can transfer one or more messages. The latter is used when multiplexing calls from both client and server on a single socket, as described below.

Communicating clients and servers typically each open a socket to the other (i.e., both systems connect and listen for connections). The client's socket typically invokes methods on server-side objects, and the server's socket calls client-side objects (e.g., callbacks). The figure shows a hypothetical StreamProtocol situation. The client sends the Call message to invoke a server object's method; the server then invokes this method and replies with a Return containing any results. Assuming that a remote object is returned, the client then sends a DgcAck message to let the server's garbage collector know that it has received the remote object. On another socket, the server sends a Ping to find out whether the client is alive, and the client replies with a PingAck.

Default applet security restrictions deny applets the right to open sockets back to any server other than their originating host; they also block any attempt to listen for socket connections. This being the case, how do clients listen for server connections?

Enter the MultiplexProtocol and its group of five messages: Open, Close, CloseAck, Request, and Transmit. They allow client and server to simulate the StreamProtocol's two-way communication using a single socket. In the current implementation, up to 256 virtual connections can be opened, each identified by a unique ID.

Unfortunately, connecting via a socket back to the server is not always possible for applets running behind firewalls (e.g., on a corporate intranet), which typically block any attempt to open a socket back to the Internet. Should it fail to open a connection, an RMI client wraps its method invocation inside the body of an HTTP request (the protocol browsers use to communicate with Web servers), and the RMI server sends any results as an HTTP response.

This workaround is a smart solution, since HTTP is a firewall-trusted protocol. Still, performance takes a hit due to the time needed to convert messages to HTTP requests. In addition, no multiplexing of invocations can be accomplished, because keeping the connection open between client and server is not part of HTTP 1.0. The primary reason for SingleOpProtocol's existence is to encapsulate RMI through HTTP.
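The JRMP session header just described, as an added example that is not part of the original post. The byte values (magic "JRMI" = 0x4a524d49, version 0x0002, subprotocol bytes 0x4b, 0x4c and 0x4d) come from the Java RMI wire-protocol specification rather than from the page, and the class name is my own; the point for a defender is that this fixed header is how you recognise RMI traffic on a port other than 1099.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Builds and recognises the fixed JRMP header that opens every session:
 * 4 magic bytes ("JRMI"), a 2-byte version, then one subprotocol byte.
 * Constants are taken from the RMI wire-protocol specification.
 */
public final class JrmpHeader {

    public static final int MAGIC = 0x4a524d49;        // ASCII "JRMI"
    public static final short VERSION = 0x0002;
    public static final byte STREAM_PROTOCOL = 0x4b;
    public static final byte SINGLE_OP_PROTOCOL = 0x4c;
    public static final byte MULTIPLEX_PROTOCOL = 0x4d;

    private JrmpHeader() {}

    /** Serialises the 7-byte header a client sends first on a new connection. */
    public static byte[] encode(byte subprotocol) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeInt(MAGIC);
        out.writeShort(VERSION);
        out.writeByte(subprotocol);
        out.flush();
        return bytes.toByteArray();
    }

    /**
     * Looks at the first bytes of a captured connection and returns the
     * subprotocol name, or null when the bytes are not a JRMP header.
     */
    public static String classify(byte[] first) {
        if (first == null || first.length < 7) {
            return null;
        }
        try {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(first));
            if (in.readInt() != MAGIC || in.readShort() != VERSION) {
                return null;
            }
            switch (in.readByte()) {
                case STREAM_PROTOCOL:    return "StreamProtocol";
                case SINGLE_OP_PROTOCOL: return "SingleOpProtocol";
                case MULTIPLEX_PROTOCOL: return "MultiplexProtocol";
                default:                 return null;   // valid magic, unknown subprotocol
            }
        } catch (IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a client opening a StreamProtocol session.
        byte[] header = encode(STREAM_PROTOCOL);
        System.out.println(classify(header));                                   // StreamProtocol
        // Constructed sample: the start of a plain HTTP request, for contrast.
        byte[] http = "GET / HTTP/1.0\r\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println(classify(http));                                     // null
    }
}
```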

RMI: This is possible if the objects in the user interface and the business layers are all Java objects. The persistence layer is mostly accessed through JDBC. Other relational object mapping of the data layer is also possible.
Advantages of RMI: Objects are passed by value, and the server/client can reconstitute the objects easily. The data type can be any Java object, so any Java object can be passed as an argument.
Disadvantages of RMI: Arguments have to implement the Serializable interface. Heterogeneous objects are not supported.
Corba: If the objects in the client layer and the business layer are heterogeneous, i.e. the objects are implemented in C, C++, Java or Smalltalk, then Corba is most suitable.
Advantages of Corba: Heterogeneous objects are supported.
Disadvantages of Corba: Objects are not passed by value, only the argument data is passed; the server/client has to reconstitute the objects from the data. Only commonly accepted data types can be passed as arguments.
Dcom: This works best in a Windows environment.

Distributed Object Communication | Advantages | Disadvantages
HTTP  | Simple, established | Has to communicate to a Servlet or Java Server Page; cannot communicate to a Java class directly
RMI   | Objects are passed by value, and the server/client can reconstitute the objects easily. Objects can also be passed by reference. The data type can be any Java object, so any Java object can be passed as an argument | Arguments have to implement the Serializable interface. Heterogeneous objects are not supported
Corba | Heterogeneous objects are supported | Objects are not passed by value, only the argument data is passed; the server/client has to reconstitute the objects from the data. Only commonly accepted data types can be passed as arguments
Dcom  | If Windows is the deployment platform, it suits the operating system well | Works in a Windows environment at best

Distributed Object Frameworks: the distributed object frameworks are RMI, Corba, Dcom and EJB.

Basic Three-Tier Java Technology Architecture: the three-tier Java technology architecture is achieved by HTML, an Applet or a Java Application on the client; Servlets or Java Server Pages on the middle tier; and JDBC communication to the persistence or database layer.

Client | C to M comm. | Middle | M to P comm. | Persistence
HTML, HTML with applet | HTTP | Servlet, Java Server Pages | JDBC | RDBMS, Legacy, File
Java Application | JRMP | RMI Server | JDBC | RDBMS, Legacy, File
Java Application | RMI-IIOP | EJB | JDBC | RDBMS, Legacy, File
Java Application (not a Java 3-tier) | IIOP | Corba | JDBC | RDBMS, Legacy, File

Conclusions: HTTP and HTTPS are very similar protocols; the only difference is that HTTPS adds a layer of security (SSL). Both are capable of carrying a variety of data types, but they carry no logic: objects may only be executed if there is another protocol to handle them. HTTP is the lowest layer of logic and can only be used as a delivery mechanism for other protocols. JRMP is a robust object protocol that communicates well when working with Java-based objects. It is capable of passing object references rather than just values that have to be reconstituted, so that the object may be executed by the client rather than the server. In the event that the server is secured or cannot communicate in the most efficient manner, JRMP falls back to HTTP. JRMP is only capable of passing Java objects. IIOP is the most flexible of the transport mechanisms: it can communicate objects created in C, C++, Java and Smalltalk, but it only passes data by value, requiring the server to do all the work and allowing only common data types as arguments, which makes it more restrictive than JRMP, which allows any Java data type.

Default port numbers for the above protocols:
HTTP: 80, 8080
HTTPS/SSL: 443, 8443
JRMP: 1099
LDAP: 389
LDAP Over SSL - IIOP: 636

SCEA1.5 - Security

The Java 2 security model is policy-based and has superseded the sandbox/trusted approach of Java 1.1.
In Java 1.1 remote code (applets, for example) that was not trusted was constrained to the sandbox. If the remote code was signed and trusted then it could
access local resources.
Code Source: a combination of a set of signers (certificates) and a code base URL. By default, Java 2 uses a policy file to associate permissions with code sources.
Security Policy File:
A permission is the right to access a protected resource or guarded object.
For Java 2, permissions are specified in the security policy file.
Only one policy is in effect at a time.
A policy file consists of a number of grant entries.
Each grant entry describes the permissions (one or multiple) granted to a code source.
Policy class - you can use it to create your own security policy.
java.security package - the following are some of the classes in the package:
CodeSource – This class extends the concept of a codebase to encapsulate not only the location (URL) but also the certificate(s) that were used to verify signed code originating from that location.
KeyStore – This class represents an in-memory collection of keys and certificates. It manages keys and trusted certificates.
MessageDigest – The MessageDigest class provides applications the functionality of a message digest algorithm, such as MD5 or SHA.
Permission – Abstract class for representing access to a system resource.
Policy – This is an abstract class for representing the system security policy for a Java application environment (specifying which permissions are available for code from various sources).
ProtectionDomain – The ProtectionDomain class encapsulates the characteristics of a domain, which encloses a set of classes whose instances are granted the same set of permissions.
Security – Centralizes all security properties and common security methods.
Given an architectural system specification, identify appropriate locations for implementation of specified security features, and select suitable technologies for implementation of those features.
Exposure to threats can be mitigated by using:
Authentication
Authorization (ACLs)
Protecting Messages
Auditing

Web tier authentication:
Basic HTTP – the web server authenticates a principal with a user name and password from the Web client.
Form-based – lets developers customize the authentication user
HTTPS mutual authentication – the client and server use X.509 certificates to establish identity over an SSL channel.
EJB/EIS tier authentication:
For EJBs you can use protection domains. Thus the EJB tier can entrust the web tier to vouch for the identity of users:
Put a protected web resource in front of a protected EJB resource.
Have every web resource that calls an EJB resource route through a protected web resource.
For access to EIS tier resources, authentication is usually carried out by the component accessing the EIS resource.
You can have the container manage the EIS resource authentication or have the application do this itself.
In J2EE a container serves as an authorization boundary between callers and its components. The authorization boundary is inside the authentication boundary, so authorization occurs within the context of successful authentication.
For component-to-component invocations inside the container, the calling component must make its credentials available to the called component.
You can have file-based and code-based security in J2EE.
Access control policy is set at deployment time.
Controlling access to resources in the container (deployment descriptor):
To control access to web resources, specify a security constraint in the deployment descriptor.
To control access to an EJB, specify roles in the deployment descriptor.
You can specify the methods of the remote and home interfaces that each security role is allowed to invoke.
Protecting Messages:
To ensure message integrity you can use:
Message signature – an enciphered digest of the message contents (costly in terms of CPU cycles).
Message confounder – ensures message authentication is useful only once.
A deployer must configure the containers involved in a call to implement integrity mechanisms, either because the call will traverse open or unprotected networks or because the call will be made between components that do not trust each other.
Auditing:
When security is breached it is usually more important to know who has been allowed access than who has not.
Audit records need to be well protected – tapes or logging to a printer vs a disk drive.

Basic Services:
• Block incoming data that might contain a hacker attack.
• Hide information about the topology of the network. Make it seem like all requests come from one IP address.
• Screen outgoing traffic.
Three basic types:
Packet Filter Firewall: Looks at the information related to the IP address of a packet, types of connections, etc., and then provides filtering based on that. Uses this information to decide which packets to let through and which to deny. IP spoofing may fool some of these.
Application-Level Proxies: Work at the application level to provide proxy services. Allow more specific inspection of the packets. Can use application-level knowledge to decide what to filter. Usually require a separate proxy for each type of application you want to filter.
Stateful Packet Inspection Firewall: Examines and remembers outgoing packets so that when incoming packets come in, that information will be used to determine whether or not to let the incoming packets through. For example, if an incoming packet wasn’t requested by any outgoing packets, it will be

Java sandbox consists of the following elements:
• Byte code verifier
• Access controller
• Security manager
• Class loader (applet class loader, URL class loader, RMI class loader, default internal class loader, custom-built class loaders)
• Security package (security provider interface, message digests, keys, certificates, digital signatures, encryption)
AccessController: Checking a permission is done by checking the permissions associated with the protection domain of each method on the stack, starting from the top. If each protection domain on the stack allows access, then it is granted.
Using PrivilegedAction and PrivilegedExceptionAction, protection domains can grant privileges to code that has called them but not to code that they call.
GuardedObject: Allows you to embed another object within it such that all access to that object first has to go through a guard, usually the AccessController.
MessageDigest: A small sequence of bytes that represents the actual input data. In order to use the digest, you also need a copy of the original data so that you can calculate the digest on it again and compare it to the digest that was given to you. For example, to do authentication, the user needs to enter his id/password, but you don’t want that to be sent in clear text over the network, so they send you the digest instead. Then you take that and compare it to a digest that you calculate on their password, and if it matches the digest they sent to you, then you can authenticate them. Message digests do not need any key to calculate. Also, you can’t derive anything about the actual data from the digest.
Digital Signature: Used to uniquely identify an entity (non-repudiation). The way it works is that you calculate a message digest on some piece of data and then you encrypt that digest with your private key. Then you send that data along with the encrypted digest to the other party. The other party then uses that data to calculate another digest and verifies the signature against it with your public key. If the two match, then your identity is
Certificate: Contains 3 pieces of information:
• Name of the entity for whom the certificate has been issued, known as the “subject”
• Public key associated with the subject
• Digital signature of the issuer (some CA) of the certificate, which verifies the information in the certificate.
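The digest and signature steps above in working code, as an added example that is not from the original post: MessageDigest with SHA-256 for the keyless digest, and KeyPairGenerator plus Signature using the DSA algorithm the Sun provider defaults to. The message text is constructed and the class name is my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

public final class DigestAndSignature {

    private DigestAndSignature() {}

    /** Message digest: a fixed-size fingerprint of the data, no key involved. */
    public static byte[] digest(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Sign: the engine digests the data and binds that digest to the private key. */
    public static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    /** Verify with the public key: true only if both the data and the signer match. */
    public static boolean verify(PublicKey pub, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
        gen.initialize(2048, new SecureRandom());
        KeyPair kp = gen.generateKeyPair();

        // Constructed sample messages: the genuine one and a tampered copy.
        byte[] msg = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8);

        // The same input always gives the same digest; compare digests with
        // isEqual, which does not leak timing information about where they differ.
        System.out.println(MessageDigest.isEqual(digest(msg), digest(msg)));   // true
        // A bare digest proves nothing about who produced it and can be replayed
        // verbatim, which is why the text pairs authentication with a confounder;
        // a signature binds the digest to a private key instead.
        byte[] sig = sign(kp.getPrivate(), msg);
        System.out.println(verify(kp.getPublic(), msg, sig));                  // true
        System.out.println(verify(kp.getPublic(), tampered, sig));             // false
    }
}
```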
Java Security
AccessController was introduced in 1.2.
In 1.2, classes on the CLASSPATH can also be subject to a security model.
The bytecode verifier verifies the Java language safety constraints of the byte code:
• In 1.1, all non-local classes are sent through byte code verification.
• In 1.2, all classes except core Java classes are sent through verification.
Classloaders work with the security manager to enforce security rules:
• The classloader knows where a class was loaded from.
• It knows whether or not the class came with a digital signature.
• Different instances of classloaders group classes into different namespaces based on which instance of the classloader loaded them.
In 1.2, SecureClassLoader was introduced.
In 1.2, URLClassLoader was introduced.
Classloaders have to load the system classes first.

Trusted vs. Untrusted Classes:
In JDK 1.0, classes loaded from CLASSPATH are considered trusted while those loaded from a class loader are untrusted.
In JDK 1.1, the same rules apply, but a class loaded from a jar file may have a digital signature giving it more privileges.
In JDK 1.2, classes from the core API are trusted and other classes are given privileges based on where they were loaded from (codebase, codesource?). However, this requires special command-line args. By default, classes from CLASSPATH are considered trusted.

Thread Security:
Threads are grouped into a hierarchy---in theory, the security policy should be such that threads may only manipulate threads that are below them in the
In JDK 1.1, this isn’t true: each applet is given an individual thread group, and threads within that group can manipulate other threads within that group without respect to any hierarchy.
In JDK 1.2, the thread hierarchy operates as expected.
Untrusted classes may only manipulate threads that they have created.
Untrusted classes may only manipulate thread groups that they have created.
Threads of untrusted classes must belong to specified groups.
CodeSource: encapsulation of the location from which classes were obtained.
Permission: encapsulation of a request to perform a particular operation.
Policies: encapsulation of all the specific permissions that should be granted to specific code sources.
ProtectionDomain: encapsulation of a code source and the permissions granted to that particular code source.
Security Policy
Policy file:
• Collection of policy entries.
• Each entry is specific to one code source and should list all permissions for that code source.
• A single policy file can have multiple entries.
• May contain an additional entry to specify the location of the keystore in which the public keys for the signers listed in the policy file should be found.
• Each grant entry represents a protection domain.
Protection Domain
Each class in the VM may belong to one and only one protection domain. It is set by the class loader when the class is defined.
The permissions for any particular operation can be considered to be the intersection of all permissions of each protection domain on the stack at the time the operation is called.
Using the “doPrivileged” method of the AccessController, you can temporarily allow a class to perform an action that it normally would not be allowed to do.
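The stack-intersection rule and doPrivileged together, as an added example that is not from the original post: a library jar granted file access by a hypothetical grant entry reads a config file on behalf of application code that has no such permission. The class name, directory and policy file are assumptions; note that the SecurityManager this depends on is deprecated for removal in current JDKs.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Library code whose protection domain (its jar's code source) is granted read
 * access to /etc/app by a hypothetical policy file such as:
 *
 *   grant codeBase "file:/opt/lib/trusted-lib.jar" {
 *       permission java.io.FilePermission "/etc/app/-", "read";
 *   };
 *
 * Run with: java -Djava.security.manager -Djava.security.policy=app.policy ...
 * Without doPrivileged, the caller's domain would also be on the stack and the
 * intersection of permissions would deny the read.
 */
public final class ConfigReader {

    private static final Path CONFIG_DIR = Paths.get("/etc/app");

    private ConfigReader() {}

    /**
     * Returns the value of one key=value line from a config file, or null.
     * Only the file read runs inside doPrivileged: the permission check stops
     * walking the stack at this frame, so frames above it (the untrusted
     * caller) are not consulted for the FilePermission.
     */
    public static String readSetting(String fileName, final String key) throws IOException {
        // Confine what the privileged block can reach: a privileged read that
        // accepts any caller-supplied path would become a file oracle.
        final Path file = CONFIG_DIR.resolve(fileName).normalize();
        if (!file.startsWith(CONFIG_DIR)) {
            throw new IllegalArgumentException("config name escapes " + CONFIG_DIR);
        }
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws IOException {
                    for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
                        int eq = line.indexOf('=');
                        if (eq > 0 && line.substring(0, eq).trim().equals(key)) {
                            return line.substring(eq + 1).trim();
                        }
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only IOException, so this cast is safe.
            throw (IOException) e.getException();
        }
    }
}
```

Application code outside the granted code source can call `ConfigReader.readSetting("app.properties", "db.url")` successfully, but its own direct `Files.readAllLines` on the same file is still refused by the AccessController.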
Key factories and key specifications are available only in Java 1.2. They allow for exporting and importing keys using various specifications.
Keys from the Sun provider use the DSA algorithm.
Key pair generation is done by KeyPairGenerator, a standard engine of Java security.
Key Management
“Keytool” stores individual private and public keys with retrieval subject to a password.
The “keystore” is the database of the keytool.
Keytool works on a file that contains a set of private keys and certificates for those keys.
Each entry in the keystore has:
• Alias: name for referencing that entity
• One or more certificates for that entity’s identity.
• Optionally, a private key which can be protected by a password.
Represented by the “KeyStore” class.
There are 2 types of entries: key entry and certificate entry.
Key entries contain both public and private keys and may contain multiple certificates in a certificate chain.
Certificate entries contain only public keys in a certificate.

Signed Classes:
Delivered as signed jar files.
In JDK 1.1, use “javakey” to sign it.
In JDK 1.2, use “jarsigner” to sign it.
Each file in a jar file may be signed by a different group of identities and some may not be signed.
“KeyGenerator” class used for generating new secret keys.
“SecretKeyFactory” converts from algorithmic or encoded key specifications to actual key objects and translates keys from one implementation to another.
“KeyAgreement” class can also be used to generate secret key between multiple people. SunJCE provider uses “Diffie-Hellman” protocol for generation.

Applet Security:
Most browsers limit a lot of the things that applets can do. Sun’s appletviewer allows more access to applets.
Two ways in which applets can be considered trusted:
• The applet is installed on the local disk in a directory in the CLASSPATH.
• The applet is signed by an identity marked as trusted in your identity database (keystore?).
Applets cannot do the following things with files:
• Check for the existence of the file.
• Read the file.
• Write the file.
• Rename the file.
• Create a directory on the client file system.
• List the files in this file (as if it were a directory).
• Check the file’s type.
• Check the timestamp of when the file was modified.
• Check the file’s size.
Using Sun’s appletviewer, you can grant applets special privileges to perform those file operations.
Applets cannot open a network connection to any host other than the one they came from (the host where the HTML page was obtained, or the host specified in the codebase parameter of the applet tag).
To open a network connection, the host name has to be specified exactly the same way. If you used an IP address, you can’t use a name now, and vice versa.
Applets loaded through the client’s local file system using CLASSPATH can do the following:
• Read and write files.
• Load libraries on the client.
• Execute processes.
• Exit the VM.
• They are not passed through the bytecode verifier.

SCEA1.5 - Few Queries

How many tiers are there in a J2EE application?
J2EE applications have the following tiers: Client (Browsers, Applications, Applets, Mobile clients and so on), Web (presentation tier consisting of JSP as
view and Servlets as controllers), EJB (Business Tier, consisting of EJB and supporting classes), EIS Integration (Java classes that integrate to the
Enterprise Information System tier) and finally the EIS tier (relational databases, XML databases, ERP systems and so on.)

Confused with UserInRole and CallerInRole ?
Servlet - getUserPrincipal() and isUserInRole() - Servlet is called by user so UserInRole comes in servlet code
EJB - getCallerPrincipal() and isCallerInRole() - EJB is called by servlet not by the user directly, so CallerInRole comes in EJB code
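The UserInRole/CallerInRole distinction in working code, as an added example that is not from the original post. It uses the Servlet 3.0 and EJB 3.1 annotation equivalents of the deployment-descriptor constraints described in the Security notes above (two source files); the role name, URL and class names are assumptions.

```java
// File: PayrollBean.java  (business tier)
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

/** Declarative check: the container rejects any caller outside "manager" before a method runs. */
@Stateless
@RolesAllowed("manager")
public class PayrollBean {

    @Resource
    private EJBContext ctx;

    public String approve(String payrollId) {
        // Programmatic check on top of the declarative one. The "caller" is the
        // identity propagated from the web tier, not a browser user talking to the
        // bean directly, hence isCallerInRole rather than isUserInRole.
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole("manager")) {
            throw new SecurityException("caller " + caller.getName() + " is not a manager");
        }
        return "payroll " + payrollId + " approved by " + caller.getName();
    }
}

// File: ApproveServlet.java  (web tier)
import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Declarative constraint: only authenticated users in role "manager" reach doPost. */
@WebServlet("/payroll/approve")
@ServletSecurity(@HttpConstraint(rolesAllowed = "manager"))
public class ApproveServlet extends HttpServlet {

    @EJB
    private PayrollBean payroll;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The web container authenticated a *user*; check the role it mapped for them.
        if (req.getUserPrincipal() == null || !req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String payrollId = req.getParameter("id");
        if (payrollId == null || !payrollId.matches("[0-9]{1,10}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The servlet now calls the EJB; the EJB sees the propagated identity as its caller.
        resp.setContentType("text/plain");
        resp.getWriter().println(payroll.approve(payrollId));
    }
}
```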

What is the use of DAO ?
EJBs are remote objects that consume significant system resources and network bandwidth. You can use Data Access Objects to encapsulate the logic required to
access databases.
Data Access Objects:
Allow EJBs to delegate responsibility for database access and free them from complex data access routines.
Make code more maintainable.
Provide an easier migration path to CMP
Allow you to adapt data access to different schemas and different databases.

Thursday, February 5, 2009

SCEA1.5 - Few Terms for exam

Session failover: ----- In a clustered environment, all requests for a particular session are directed to the same WebSphere Portal server instance in the cluster. In other words, after a user establishes a session (for example, by logging in), the user is served by the same WebSphere Portal server instance for the duration of the session. To verify which server is handling user requests for a session, you can view the global settings portlet in WebSphere Portal, which displays the node name of the WebSphere Portal server handling requests. If one of the WebSphere Portal servers in the cluster fails, the request is rerouted to another WebSphere Portal server in the cluster. If distributed sessions support is enabled (either by persistent sessions or memory-to-memory session replication), the new server can access session data from the database or another WebSphere Portal server instance

JMS delivery modes: ---The message delivery semantics cover a range of once-and-only-once to at-most-once delivery. In the once-and-only-once delivery mode, a message is guaranteed by the JMS provider to always arrive at the intended destination no matter what, and it's sent only once. Even in the pub/sub model in which multiple receivers may consume a copy of a broadcasted message, the rules still apply within the relative view of each consumer. Once-and-only-once delivery guarantee is accomplished by the JMS provider through the combination of a store-and-forward mechanism and a rigidly defined set of message acknowledgments
At-most-once delivery is a less stringent QoS setting on a message - the JMS provider is allowed to occasionally lose a message. A classic example I like to use is a stock feed application. If the broadcast of a particular ticker symbol doesn't reach its intended destination, another one will be along shortly.
Whether it's once-and-only-once or at-most-once, the key word is once. Regardless of the guaranteed-ness of the delivery mode, the JMS provider is responsible for ensuring that the messages are delivered in the exact order in which they are sent.

Polling ---- Server Polling - (Reverse Ajax)
Keeping the displayed information up-to-date was always difficult in web world. Before AJAX, one had to use JavaScript or META Refresh tag to get the page refreshed. This was quite annoying from the user experience point of view. However it was not as annoying as something that I experienced few days ago on one of the banks website (a bank in Australia). I was filling out the form and there were couple of select boxes on the page. I selected an option in the select box and moved onto next field just to realize that as I was typing, the page has been reloaded and all data entered past that select-box was gone and had to be re-typed again. Very, very annoying - and it's AJAX age already!
Server polling, in my humble opinion, is a great feature of AJAX. There is no need to refresh the whole page to obtain the required information. With AJAX, it is possible to:
• update the forms with information as the user moves through the form (e.g. country - state - city)
• get feedback about a long server-side or transport process (e.g. a progress bar showing the percentage of the file uploaded)
• fake the push of updated data from the server (think stock prices, weather, traffic info)

SEI (Service end point implementation): ----
JAX-WS technology enables the implementation of Web services based on both the standard service endpoint interface and a new Provider interface. JAX-WS service endpoints are similar to the endpoint implementations in the Java API for XML-based RPC (JAX-RPC) specification. Unlike JAX-RPC, the requirement for a service endpoint interface (SEI) is optional for JAX-WS Web services. JAX-WS services that do not have an associated SEI are regarded as having an implicit SEI, whereas services that have an associated SEI are regarded as having an explicit SEI. The service endpoint interfaces required by JAX-WS are also more generic than the service endpoint interfaces required by JAX-RPC. With JAX-WS, the SEI is not required to extend the java.rmi.Remote interface as required by the JAX-RPC specification.
The JAX-WS programming model also leverages support for annotating Java classes with metadata to define a service endpoint implementation as a Web service and define how a client can access the Web service. JAX-WS supports annotations based on the Metadata Facility for the Java Programming Language (JSR 175) specification, the Web Services Metadata for the Java Platform (JSR 181) specification and annotations defined by the JAX-WS 2.0 (JSR 224) specification, which includes Java Architecture for XML Binding (JAXB) annotations. Using annotations, the service endpoint implementation can independently describe the Web service without requiring a WSDL file. Annotations can provide all of the WSDL information necessary to configure your service endpoint implementation or Web services client. You can specify annotations on the service endpoint interface used by the client and the server, or on the server-side service implementation class.

EJB timer service: ---- Consider a reporting Application, that will send report in the form of mails, every Monday, or a Billing Service that sends credit or debit bills on the 1st of every month. These applications depend on time-based events. To be more precise, these applications should allow developers to schedule some business logic or process so that they can be executed at some regular intervals of time. This is the core concept behind EJB Timers.
EJB Timer Services are services that are provided by the container (or the Application Server) and developers can take advantage of the timer services by registering one or more enterprise beans for time-based notification.
Different Types of Timers: EJB basically supports two forms of Timer objects:
• Single Action Timer
• Interval Timer
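Both timer forms created through the container's TimerService, as an added example that is not from the original post; the bean name, report identifiers and the daily interval are assumptions.

```java
import java.util.Date;
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;
import javax.ejb.TimerService;

/** Registers itself for time-based notification and receives the container's callbacks. */
@Stateless
public class ReportScheduler {

    private static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;

    @Resource
    private TimerService timerService;

    /** Single-action timer: fires once at 'when', then the container discards it. */
    public Timer scheduleOnce(Date when, String reportId) {
        return timerService.createTimer(when, "once:" + reportId);
    }

    /** Interval timer: fires at 'first', then every 24h until cancelled. */
    public Timer scheduleDaily(Date first, String reportId) {
        return timerService.createTimer(first, ONE_DAY_MS, "daily:" + reportId);
    }

    /** Stops a recurring job; single-action timers need no cancel. */
    public void cancel(Timer timer) {
        timer.cancel();
    }

    /** The container invokes this for every expiry; the info object says which job fired. */
    @Timeout
    public void onTimeout(Timer timer) {
        String info = (String) timer.getInfo();
        String[] parts = info.split(":", 2);
        String kind = parts[0];          // "once" or "daily"
        String reportId = parts[1];
        mailReport(reportId, kind, new Date());
    }

    private void mailReport(String reportId, String kind, Date at) {
        // Placeholder for the real mailing step; stateless beans keep no state between calls.
        System.out.println(kind + " report " + reportId + " generated at " + at);
    }
}
```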

Streaming API for XML (StAX): --- a streaming, Java-based, event-driven, pull-parsing API for reading and writing XML documents. StAX enables you to create bidirectional XML parsers that are fast, relatively easy to program, and have a light memory footprint. StAX is the latest API in the JAXP family, and provides an alternative to SAX, DOM and TrAX for developers looking to do high-performance stream filtering, processing, and modification, particularly with low memory and limited extensibility requirements. To summarize, StAX provides a standard, bidirectional pull parser interface for streaming XML.
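StAX pull parsing as an added example that is not from the original post, with the factory hardened so that DTDs and external entities in the input are not processed (the usual entity-expansion and external-entity risks); the sample document and class name are constructed.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class StaxPullExample {

    private StaxPullExample() {}

    /** Factory with DTD and external-entity support switched off before any input is read. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Pulls events one at a time and sums the "qty" attribute of each <order>; no tree is built. */
    public static int totalQuantity(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        int total = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "order".equals(r.getLocalName())) {
                    String qty = r.getAttributeValue(null, "qty");
                    if (qty != null) {
                        total += Integer.parseInt(qty.trim());
                    }
                }
            }
        } finally {
            r.close();   // the reader, not the underlying StringReader, is released here
        }
        return total;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample document.
        String xml = "<orders><order id=\"1\" qty=\"3\"/><order id=\"2\" qty=\"4\"/></orders>";
        System.out.println(totalQuantity(xml));   // 7
    }
}
```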