The Source for Java Technology Collaboration
User: Password:
Register | Login help    

Search

Online Books:
java.net on MarkMail:

Ominous Man

Posted by editor on September 24, 2008 at 5:43 AM PDT

Brian Goetz says your webapp may be broken

Concurrency expert Brian Goetz has a serious warning to webapp developers: put mutable objects in your HttpSession and you're probably a concurrency accident waiting to happen.

That's the problem lurking behind his recent article, provocatively entitled, Are all stateful Web applications broken?

While thread-safety is a term we typically use to describe code, in actuality it is about data. Specifically, thread safety is about properly coordinating access to mutable data that is accessed by multiple threads. Servlet applications are frequently thread-safe by virtue of the fact that they do not share any mutable data and therefore require no additional synchronization. But there are lots of ways that shared state can be introduced into Web applications — not only scoped containers like HttpSession and ServletContext, but also static fields and instance fields of HttpServlet objects. Once a Web application wants to share data across requests, the application developer must pay attention to where that shared data is and ensure that there is sufficient coordination (synchronization) between threads when accessing the shared data to avoid threading hazards.

Once you put mutable data into the HttpSession, you're exposed to the possibility of various failures caused by multiple threads accessing the data simultaneously, such as one thread putting the data into an inconsistent state while another reads it.

Fortunately, Brian considers a number of solutions, some more complete than others, so if you have a webapp that puts mutable data in your session object, you might want to take a look.

Also in Java Today, the JCP SE/EE Executive Committee has voted 15-0-1 to approve JSR 311, the Java API for RESTful Web Services. The API specifies the javax.ws.rest package, and provides an API for working with websites that adhere to the REST web service architecture. java.net's Jersey project, part of GlassFish, provides the reference implementation for the JSR.

Next week's Ask The Experts topic on SDN will be OpenSSO, which simplifies the deployment of transparent single sign-on (SSO) as a security component in a network environment. "Got a question about OpenSSO? Post it during this session and get answers from four key members of Sun's identity and access management team: Rajeev Angal, Aravindan Ranganathan, Dilli Dorai, and Qingwen Cheng. You can post questions about OpenSSO on starting September 29."

Today's Weblogs start with Ed Burns considering a JSFOne idea: infer to-view-id. "At JSFOne, someone suggested modifying the navigation rule system such that if the to-view-id is absent from a navigation-case, the to-view-id value be inferred from the outcome."

Long-absent blogger Rich Unger remarks I can't turn my back on you people for a second! "...much less an entire year!"

Finally, Sekhar Vajjhala looks at Verification Tools for Migration to GlassFish. "When migrating a Java EE/J2EE application to GlassFish, verification is for Java EE/J2EE compliance is a useful step. Verification can be done using different tools. Here is a summary of verification support in different tools."

In today's Forums, km explains a perception issue in Re: Precompile JSP problems. "Again, I am sorry that this is all not obvious. The most important point about asadmin is that it is a remotable admin client. You can have asadmin running on your laptop and all your domains on other (big) machines and still, you can manage all of them from your laptop. That brings in a fine point about asadmin that ~95% of its commands are "remote", working on a particular "domain" and work based on that domain's admin server's 5-tuple -- host name, admin port-number, admin user name, password and security status. The default values for 3 of them make it indistinguishable what asadmin really does. Since default values are "localhost", "4848" and false for host, port and security status respectively, it's not immediately clear that asadmin running on "localhost" would actually send an HTTP request to the domain that's listening on 4848 on "localhost". Hope this makes it clear(er)."

Ryan de Laplante asks about the status of modularization in GlassFish V3: OSGi, HK2 and JSR 277. "This blog entry gave me the impression that HK2 was going to be the reference implementation for JSR 277, and that is why GlassFish V3 was using it: http://www.xlml.com/aehso/2007/05/15/glassfish-v3-hk2-modules/. But later GlassFish V3 chose OSGi. I know it uses a hybrid approach of HK2 + OSGi: http://weblogs.java.net/blog/ss141213/archive/2008/04/glassfish_v3_on.html. I'm wondering if HK2 is not going to be an implementation of JSR 277, and of OSGi is going to become the foundation of JSR 277?"

Finally abhikiki needs help eliminating deprecated APIs in Jaxb upgradation to 2.0. "In Jaxb 2.0,some interfaces like javax.xml.bind.validator are deprecated. What are the replacement for that in jaxb 2.0? I have code written with these interfaces(Jaxb1.x). How do I replace them with jaxb2.0?"

Current and upcoming Java Events :

Registered users can submit event listings for the java.net Events Page using our events submission form. All submissions go through an editorial review before being posted to the site.

Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. Also, once this page is no longer featured as the front page of java.net it will be archived along with other past issues in the java.net Archive.



Brian Goetz says your webapp may be broken
»
Comments
Comments are listed in date ascending order (oldest first)




 

Feedback  | FAQ  | Press | Terms of Use
Privacy  |  Trademarks | Site Map
 
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Participation.
 
Copyright © 1995-2008 Sun Microsystems, Inc.
Collabnet Logo Cognisync Communities
Powered by Sun Microsystems, Inc.,
CollabNet and Cognisync