
Ominous Man

Posted by editor on September 24, 2008 at 5:43 AM PDT


Brian Goetz says your webapp may be broken

Concurrency expert Brian Goetz has a serious warning to webapp developers: put mutable objects in your HttpSession and you're probably a concurrency accident waiting to happen.

That's the problem lurking behind his recent article, provocatively entitled "Are all stateful Web applications broken?"

"While thread-safety is a term we typically use to describe code, in actuality it is about data. Specifically, thread safety is about properly coordinating access to mutable data that is accessed by multiple threads. Servlet applications are frequently thread-safe by virtue of the fact that they do not share any mutable data and therefore require no additional synchronization. But there are lots of ways that shared state can be introduced into Web applications — not only scoped containers like HttpSession and ServletContext, but also static fields and instance fields of HttpServlet objects. Once a Web application wants to share data across requests, the application developer must pay attention to where that shared data is and ensure that there is sufficient coordination (synchronization) between threads when accessing the shared data to avoid threading hazards."

Once you put mutable data into the HttpSession, you're exposed to the possibility of various failures caused by multiple threads accessing the data simultaneously, such as one thread putting the data into an inconsistent state while another reads it.

Fortunately, Brian considers a number of solutions, some more complete than others, so if you have a webapp that puts mutable data in your session object, you might want to take a look.
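
The hazard described above, shown with a session-held login record whose user and role must always match. This is an added example, not code from this post or from Brian's article. The session map is a stand-in for HttpSession attributes, and the names MutableLogin, Login and tornReads are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;

public class SessionStateDemo {
    // Stand-in for HttpSession attributes (assumption; no servlet container needed).
    static final Map<String, Object> session = new ConcurrentHashMap<>();

    // Hazard: two related fields, updated in two separate unsynchronized writes.
    static class MutableLogin {
        String user = "alice", role = "admin";
        void switchTo(String u, String r) { user = u; role = r; }
    }
    // Remedy: immutable snapshot; the whole value is replaced in one atomic step.
    static final class Login {
        final String user, role;
        Login(String user, String role) { this.user = user; this.role = role; }
    }

    static boolean consistent(String u, String r) {
        return (u.equals("alice") && r.equals("admin")) || (u.equals("bob") && r.equals("guest"));
    }

    // One "request" thread flips the login while another reads it; returns how
    // many reads paired a user with the other user's role.
    @SuppressWarnings("unchecked")
    static long tornReads(boolean safe) throws InterruptedException {
        session.put("login", safe ? new AtomicReference<Login>(new Login("alice", "admin")) : new MutableLogin());
        Thread writer = new Thread(() -> {
            for (int i = 0; i < 5_000_000; i++) {
                String nu = (i % 2 == 0) ? "bob" : "alice", nr = (i % 2 == 0) ? "guest" : "admin";
                Object attr = session.get("login");
                if (safe) ((AtomicReference<Login>) attr).set(new Login(nu, nr));
                else ((MutableLogin) attr).switchTo(nu, nr);
            }
        });
        writer.start();
        long torn = 0;
        while (writer.isAlive()) {
            Object o = session.get("login");
            String u, r;
            if (safe) { Login l = ((AtomicReference<Login>) o).get(); u = l.user; r = l.role; }
            else { MutableLogin m = (MutableLogin) o; u = m.user; r = m.role; }
            if (!consistent(u, r)) torn++;
        }
        writer.join();
        return torn;
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("mutable object in session, torn reads: " + tornReads(false));
        System.out.println("immutable snapshot, torn reads:        " + tornReads(true));
    }
}
```

The first count depends on thread timing and varies from run to run. The second is always zero, because a reader only ever obtains a complete Login.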


Also in Java Today,
the JCP SE/EE Executive Committee has voted 15-0-1 to approve JSR 311, the Java API for RESTful Web Services. The API specifies the javax.ws.rest package, and provides an API for working with websites that adhere to the REST web service architecture. java.net's Jersey project, part of GlassFish, provides the reference implementation for the JSR.

Next week's Ask The Experts topic on SDN will be OpenSSO, which simplifies the deployment of transparent single sign-on (SSO) as a security component in a network environment. "Got a question about OpenSSO? Post it during this session and get answers from four key members of Sun's identity and access management team: Rajeev Angal, Aravindan Ranganathan, Dilli Dorai, and Qingwen Cheng. You can post questions about OpenSSO on starting September 29."


Today's Weblogs start with Ed Burns considering a
JSFOne idea: infer to-view-id. "At JSFOne, someone suggested modifying the navigation rule system such that if the to-view-id is absent from a navigation-case, the to-view-id value be inferred from the outcome."

Long-absent blogger Rich Unger remarks
I can't turn my back on you people for a second! "...much less an entire year!"

Finally, Sekhar Vajjhala looks at
Verification Tools for Migration to GlassFish. "When migrating a Java EE/J2EE application to GlassFish, verification for Java EE/J2EE compliance is a useful step. Verification can be done using different tools. Here is a summary of verification support in different tools."


In today's Forums,
km explains a perception issue in
Re: Precompile JSP problems. "Again, I am sorry that this is all not obvious. The most important point about asadmin is that it is a remotable admin client. You can have asadmin running on your laptop and all your domains on other (big) machines and still, you can manage all of them from your laptop. That brings in a fine point about asadmin that ~95% of its commands are "remote", working on a particular "domain" and work based on that domain's admin server's 5-tuple -- host name, admin port-number, admin user name, password and security status. The default values for 3 of them make it indistinguishable what asadmin really does. Since default values are "localhost", "4848" and false for host, port and security status respectively, it's not immediately clear that asadmin running on "localhost" would actually send an HTTP request to the domain that's listening on 4848 on "localhost". Hope this makes it clear(er)."

Ryan de Laplante asks about the status of modularization in
GlassFish V3: OSGi, HK2 and JSR 277. "This blog entry gave me the impression that HK2 was going to be the reference implementation for JSR 277, and that is why GlassFish V3 was using it: http://www.xlml.com/aehso/2007/05/15/glassfish-v3-hk2-modules/. But later GlassFish V3 chose OSGi. I know it uses a hybrid approach of HK2 + OSGi: http://weblogs.java.net/blog/ss141213/archive/2008/04/glassfish_v3_on.html. I'm wondering if HK2 is not going to be an implementation of JSR 277, and if OSGi is going to become the foundation of JSR 277?"

Finally abhikiki needs help eliminating deprecated APIs in
Jaxb upgradation to 2.0. "In Jaxb 2.0, some interfaces like javax.xml.bind.validator are deprecated. What is the replacement for that in jaxb 2.0? I have code written with these interfaces (Jaxb1.x). How do I replace them with jaxb2.0?"


Current and upcoming Java Events:

Registered users can submit event listings for the java.net Events Page (http://www.java.net/events) using our events submission form (http://today.java.net/cs/user/create/e). All submissions go through an editorial review before being posted to the site.


Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. Also, once this page is no longer featured as the front page of java.net it will be archived along with other past issues in the java.net Archive (http://today.java.net/today/archive/).
