Security in your Software-as-a-Service (SAAS) Application

‘Credit Crunch’ might be the favourite buzzword of the moment, but ‘Security’ and ‘Software as a Service’ are not very far behind. OK, they’re a long way behind ‘will I lose my house’ or ‘will I have a job tomorrow’, but you get the idea. So I’m proud to be associated with this article by Max and Chicco, even in a very minor way (as a reviewer).

Here’s the 2 minute overview of Securing a multi-tenant SAAS Application, just published on IBM Developerworks.

  1. Software as a Service (SAAS) has a great pitch – let us host your software for you, cheaper and with less hassle than managing it yourself.
  2. Most SAAS companies host multiple clients on one server = new security concerns: one customer’s users must never see or change another customer’s data, even though it lives in the same application and usually the same database.
  3. LDAP (the directory protocol behind products such as Microsoft Active Directory) is a standard already in wide use for authentication (making sure people are who they say they are).
  4. Spring Security (formerly Acegi) is a widely used authorisation toolkit – i.e. it makes sure those people only do the things they are allowed to do.
  5. The article shows you how to bring SAAS, LDAP and Spring Security together to get secure, scalable, hosted applications using the very best in widely understood technologies.

Of course, I’m not going to spill the beans on how exactly they do it; for that you’re going to have to hotfoot it over to the IBM Developerworks website.
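The one design point that the bullets above compress into ‘new security concerns’ is worth seeing in code. What follows is an added example, not code from Max and Chicco’s article and not Spring Security’s API: a small Python model in which an LDAP-style DN supplies the user’s identity and tenant, group membership supplies the roles, and the authorisation check is shown first the way a single-tenant application would write it and then with the tenant made part of every decision. The DN layout (one ou per tenant), the group names, the users and the invoice table are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised for 'not allowed' and for 'not in your tenant' alike (see below)."""


# --- directory side: who is this, and which customer do they belong to? -----

# Assumed LDAP layout for this example: one organisational unit per tenant
# (uid=alice,ou=acme,...), and group membership reduced to a list of role
# names. A real deployment would bind to LDAP; this in-memory table stands in
# for it so the example runs offline.
DIRECTORY = {
    "uid=alice,ou=acme,dc=saas,dc=example": ["ADMIN"],
    "uid=bob,ou=acme,dc=saas,dc=example": ["USER"],
    "uid=carol,ou=globex,dc=saas,dc=example": ["ADMIN"],
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """'uid=alice,ou=acme,dc=x' -> [('uid', 'alice'), ('ou', 'acme'), ('dc', 'x')].
    Sufficient for the plain DNs used here; it does not handle escaped commas."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def tenant_from_dn(dn: str) -> str:
    """Under the layout assumed above, the tenant is the first 'ou' in the DN."""
    for attr, value in parse_dn(dn):
        if attr == "ou":
            return value
    raise ValueError(f"no tenant (ou) in DN: {dn}")


@dataclass(frozen=True)
class Principal:
    uid: str
    tenant: str
    roles: frozenset


def authenticate(dn: str) -> Principal:
    """Stand-in for an LDAP bind. The directory vouches for identity and
    tenant; the application never takes the tenant from the request."""
    if dn not in DIRECTORY:
        raise AuthorizationError("unknown user")
    uid = dict(parse_dn(dn))["uid"]
    return Principal(uid, tenant_from_dn(dn), frozenset(DIRECTORY[dn]))


# --- application side: what may they do, and to whose data? -----------------

# Constructed sample data: one shared invoice table holding rows for several
# customers, the 'multiple clients on one server' situation from the overview.
INVOICES = {
    101: {"tenant": "acme", "amount": 1200},
    102: {"tenant": "acme", "amount": 340},
    201: {"tenant": "globex", "amount": 9900},
}

PERMISSIONS = {"USER": {"read"}, "ADMIN": {"read", "delete"}}


def _has_permission(principal: Principal, action: str) -> bool:
    return any(action in PERMISSIONS.get(role, ()) for role in principal.roles)


def role_only_access(principal: Principal, action: str, invoice_id: int) -> dict:
    """The single-tenant check carried over unchanged: the role is verified,
    the tenant is not, so an ADMIN of one customer can act on another's rows."""
    if not _has_permission(principal, action):
        raise AuthorizationError(f"{principal.uid} may not {action}")
    if invoice_id not in INVOICES:
        raise KeyError(invoice_id)
    return INVOICES[invoice_id]


def tenant_scoped_access(principal: Principal, action: str, invoice_id: int) -> dict:
    """Same role check plus a tenant match on the row itself. A missing row and
    another tenant's row raise the same error, so a caller cannot probe which
    IDs exist outside its own tenant."""
    if not _has_permission(principal, action):
        raise AuthorizationError(f"{principal.uid} may not {action}")
    row = INVOICES.get(invoice_id)
    if row is None or row["tenant"] != principal.tenant:
        raise AuthorizationError(f"invoice {invoice_id} not found")
    return row


def invoices_visible_to(principal: Principal) -> list[int]:
    """Listing is filtered by tenant in the query itself, not after the fact."""
    return sorted(i for i, row in INVOICES.items() if row["tenant"] == principal.tenant)


def is_allowed(check, principal: Principal, action: str, invoice_id: int) -> bool:
    """True if `check` lets the principal perform the action on the invoice."""
    try:
        check(principal, action, invoice_id)
        return True
    except (AuthorizationError, KeyError):
        return False


if __name__ == "__main__":
    carol = authenticate("uid=carol,ou=globex,dc=saas,dc=example")
    # globex's admin deleting acme's invoice passes the role-only check...
    print("role only    :", is_allowed(role_only_access, carol, "delete", 101))
    # ...and is refused once the tenant is part of the decision.
    print("tenant-scoped:", is_allowed(tenant_scoped_access, carol, "delete", 101))
```

The point of `tenant_scoped_access` is that the tenant comes from the authenticated principal (what the directory said) and is compared against the row on every access, never taken from a URL or form field; returning the same error for a missing row and a foreign-tenant row keeps one customer from enumerating another’s identifiers.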

Many Eyes – A Web 2 Service from IBM – Graph Pretty Picture from Excel

It’s been a while since we posted a pretty picture on the blog. Not an Andrea Corr or Paris Hilton kind of pretty picture, but one to liven up the general flow of text on this site.

Just as well, then, that IBM has announced Many Eyes, an online service to take boring old numbers and turn them into the kind of graphics you see below. It’s pretty simple to use: upload your data in a table (Excel-like) format, then select how you want to view it. They even provide a wizard to let you embed the results on your own site.

For example: this is the value of 1 US dollar against the other major currencies (euro, yen, sterling, yuan).

Interesting, in this Ajax-y world, that it’s implemented as a Java Applet. Maybe Bruce was right?

Enterprise Java Presentation, Stephens Hotel, Dublin

You may remember we did the Enterprise Java presentation at DCU back in October for the Wireless Skillnet in Ireland. We’re doing a follow-up presentation, this time in central Dublin, on the 22nd of January. The audience is mainly business people with some sort of interest in, or connection with, technology.
Irish Dev has more details.

The topics covered include:

  • What Problem are we trying to solve?
  • Enterprise Java Architecture Overview.
  • Benefits to the Enterprise.
  • Alternatives (.Net, PHP, Oracle, lightweight Java frameworks, scripting)
  • Vendors (IBM, Oracle, Sun, BEA, JBoss and SAP)
  • Market Trends – Resource availability (can we get the people to do this?)
  • Enterprise Web 2.0 and Service Oriented Architecture (SOA).
  • Integrating with other Systems (Legacy Systems, Oracle etc.)
  • Enterprise Java Beans 3 (EJB3)
  • Middleware (MOM, Rule Engines, Workflow)
  • Security – Application and Server Level including the Java Authentication & Authorization Service (JAAS).
  • Frameworks (Struts, JSF, ADF, DWR, Spring, Hibernate)
  • .Net interoperability
  • What’s next for Enterprise Java?

Information Storage for Dummies (and how to make it secure)

Doing a lot of database work for a client right now, so it’s a good time to recap on where you can store your information. This might be basic stuff, but it’s essential basic stuff.

  • Spreadsheets, of which Microsoft Excel is the most popular. How the PC and Microsoft began their 25-year reign. Ironically, their availability online (care of Google Docs and Google Spreadsheets) threatens to end the PC era and usher in the Web 2.0 one. Spreadsheets are never secure. If I can get a copy of one (and letting me read it means that I have a copy) then I can read everything. Everything. The sheet and workbook ‘protection’ passwords are only an edit lock: Excel stores a 16-bit hash of them, and a password that matches it can be found within seconds.
  • Take a couple of spreadsheets, glue them together and put links between the sheets. Now you’ve more or less got an entry-level database, such as Microsoft Access. It’s aimed at people who need more power than Excel, but are not developers.

    The trouble is that Access is not secure (see the problem above) and that it doesn’t scale very well (beyond a couple of people using it at once). Both Access and Excel come with versions of Microsoft Office.

  • So you have your information, and now you want to stick it on the web. MySQL is the database of choice. Free, lightweight and with excellent tool support (e.g. phpMyAdmin), MySQL is what powers this website. If you know what you’re doing (e.g. Google or Amazon) it will scale very, very well.
  • For most people, the next step up is a serious enterprise database. Oracle, Microsoft SQL Server and its cousin Sybase are the main contenders in this area; DB2 from IBM is a distant fourth, while Sybase is particularly strong in financial institutions. While MySQL is catching up in features, most companies choose one of the main three because of their track record, the long list of people and vendors that support them, and because of ‘lock-in’: once you choose a database it is very hard to change.

So there you have it. Don’t let me see you trying to run a company on Excel or Access again. Or at least, don’t complain to me when it falls over!
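To back up the claim above that an Excel password falls in seconds, here is an added example (not code from the original post). It implements the 16-bit verifier that Excel stores for sheet and workbook protection (the BIFF PASSWORD record and the legacy `password` attribute of an OOXML `sheetProtection` element), as documented in Microsoft’s [MS-OFFCRYPTO] specification under ‘Binary Document Password Verifier Derivation Method 1’, and then finds a second password with the same verifier. The ‘A/B prefix plus one free character’ search strategy is the one used by the widely circulated VBA unprotect macros; ASCII passwords are assumed and the sample passwords are constructed for the example.

```python
PRINTABLE = range(0x20, 0x7F)  # ASCII space .. '~'


def _rot15(v: int, n: int = 1) -> int:
    """Rotate a 15-bit value left by n places (bit 14 wraps round to bit 0)."""
    for _ in range(n % 15):
        v = ((v >> 14) & 1) | ((v << 1) & 0x7FFF)
    return v


def excel_sheet_hash(password: str) -> int:
    """The [MS-OFFCRYPTO] 'Method 1' verifier that Excel stores for sheet and
    workbook protection. Only 16 bits, and bit 15 is always set by the final
    constant, so there are just 32768 distinct values."""
    verifier = 0
    # The spec prepends the length byte and walks the array backwards, so the
    # characters are folded in last-to-first and the length byte comes last.
    for byte in reversed([len(password)] + [ord(c) & 0xFF for c in password]):
        verifier = _rot15(verifier) ^ byte
    return verifier ^ 0xCE4B


def find_equivalent_password(target: int) -> str:
    """Return a 12-character password whose verifier equals `target`.

    The verifier is linear over XOR: character i contributes its code rotated
    left (i + 1) times, then the length and the constant 0xCE4B are XORed in.
    Fixing the first 11 characters to 'A' or 'B' (2048 prefixes) and solving
    for the final character directly reaches every possible 15-bit value.
    """
    length = 12
    want = target ^ length ^ 0xCE4B  # what the rotated characters must XOR to
    for mask in range(1 << (length - 1)):
        prefix = ""
        acc = 0
        for i in range(length - 1):
            ch = "B" if (mask >> i) & 1 else "A"
            prefix += ch
            acc ^= _rot15(ord(ch), i + 1)
        # The last character is rotated 12 times; 3 more rotations undo that,
        # because 15 rotations of a 15-bit value is the identity.
        last = _rot15(want ^ acc, 3)
        if last in PRINTABLE:
            return prefix + chr(last)
    raise ValueError("no equivalent password found")  # unreachable for real verifiers


if __name__ == "__main__":
    original = "Tr0ub4dor&3"  # constructed sample password
    h = excel_sheet_hash(original)
    twin = find_equivalent_password(h)
    print(f"{original!r} -> {h:#06x}; {twin!r} -> {excel_sheet_hash(twin):#06x}")
```

Excel does not store the protection password, only this verifier, so it cannot tell the real password from the 12-character twin the search returns; that is why the ‘protection’ is an edit lock rather than a secrecy control. File-open encryption in the newer Office formats is a separate and much stronger mechanism, but it does not change the point of the post: anyone who has been given the file to read has the data.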

Open Java changes everything

Now that the dust is beginning to settle on Sun’s decision to open source Java, what does it actually mean for you? That’s you as a business user, you as a Java developer, and you as a member of the wider IT community.

  • In the short run (i.e. the next 6 months), once the buzz dies down, not much. Remember that it took several years after the Netscape code was open sourced for Firefox to emerge and change the dynamic of the browser market.
  • In the medium term (between 6 and 24 months) expect some interesting packagings of Java to emerge, similar to the way the various Linux distros work today. Consider these ‘green shoots’ or prototypes with interesting ideas. A ‘small footprint’ version of Java targeted at applet developers seems to be one popular opinion of what might emerge. However, unless you are ‘bleeding edge’ or in a niche area, the chances are you won’t notice them at this stage.

It is in the longer term (2 years plus) that open source Java really makes its mark. Some predictions that you can quote back to me later:

– In the same way as JBoss and Geronimo have commoditised the app server market, programming languages and runtimes will become a commodity. Expect the .Net platform to be opened (not just standardised) in some limited form.

– Java will become more like .Net, with multiple languages running in the standard JVM. We have JRuby and Groovy. It wouldn’t be too hard to add C# to this list. Visual Basic in the JVM (the Sun Semplice project) is already on its way.

– Oracle, IBM, SAP and others already committed to the Java market will become focussed on Java as an even bigger part of their core strategy. Just like the app server market, each will seek to differentiate themselves, perhaps by service (IBM), by a core database (Oracle) or by leading a niche (SAP). Expect tension between the desire to differentiate (and fragment) and the GPL, which seeks to ‘bind them all’.

– Apache Harmony, a clean-room implementation of Java, will continue to gain momentum. It will get picked up by a major vendor in a similar manner to Apple using BSD code.

– Microsoft .Net will end up in a ‘death march’ with Java, each trying to gain a lead in feature set. Open source is very good at mimicking existing products (as it makes an easy spec for dispersed developers to work to – just look at OpenOffice), so (unless software patents get thrown into the mix) it’s hard to see .Net getting a fundamental and lasting edge over the Java ecosystem.

Update: I’m not saying that .Net is going to go away (nor should it), just that both it and Java are going to be around for a long time to come. Joe and John also have more commentary.

Enterprise Java Presentation at DCU

On Wednesday, I’m presenting on the topic of Enterprise Java at DCU (Dublin City University), in conjunction with Trigraph.

I’ll blog later about bits and pieces of the slides (for commercial reasons I can’t publish the full set here), but the overview is below.

Description: Success or failure in your business depends on dealing with information faster and better than your competitors. This briefing shows you how Enterprise Java tools can do this and how to apply them to your organisation. Crucially, the briefing shows you when not to use Enterprise Java and details the alternative approaches. The briefing will give delegates an overview of the Java web development environment, how to architect and distribute multi-tier applications and how to link these components with existing sources of information using Enterprise Application Integration (EAI). Most businesses have substantial investments in existing and legacy IT systems and the briefing will show how to integrate these with techniques such as JMS messaging / MQSeries, SOAP / XML or the Java Connector Architecture (JCA).

As well as examining the main Java application server vendors (including Sun, IBM, Oracle, BEA and JBoss) the briefing will detail the technology stack that they offer. This stack includes web presentation frameworks and Service Oriented Architecture (SOA) at the front end. In the middle (business) layer it covers the capture of business knowledge using business rule engines and workflow (BPEL). At the back (service) layer it includes database integration using JDBC and the Enterprise Service Bus (ESB).

What Problem are we trying to solve?
Where Java Fits in Enterprise Computing.
Enterprise Application Integration (EAI).
A Componentised & Connected Enterprise.
Enterprise Java Architecture Overview.
Enterprise Java Platform Roles.
Benefits to the Enterprise.
Alternatives (.Net, PHP, Oracle, lightweight Java frameworks, scripting)
Scripting Languages and Enterprise Java (Ruby, Python, Groovy)
Vendors (IBM, Oracle, Sun, BEA, JBoss and SAP)
Vendor Specific Solutions (e.g. Oracle Fusion / ADF, IBM MQ)
Market Trends – Resource availability (can we get the people to do this?)

Foundation Technologies & Techniques.

Enterprise Web 2.0 and Service Oriented Architecture (SOA).
Integrating with other Systems (Legacy Systems, Oracle etc.)
Enterprise Java Beans 3
Middleware (MOM, Rule Engines, Workflow)
Java on the (Enterprise) Desktop
Web Services / Enterprise Service Bus
Best practices (Code standards, Build standards, Version Control / Iterative Development / Junit)
UI Layer: HTML, Servlets, JSP, XML/XSLT.
XML’s Role in the Enterprise.
Application Tier: EJB, JNDI, JDBC, JDO.
Integration Technologies.
Java Connector Architecture- JCA
RMI, CORBA/IIOP, SOAP.
Security – Application and Server Level.
Java Authentication & Authorization Service (JAAS).
Object-Orientation & UML.
Design Patterns.
Frameworks (Struts, JSF, ADF, DWR, Spring, Hibernate)
.Net interoperability

Enterprise Java Application Architectures.

Overview of Enterprise Application Servers.
Commercial Application Servers.
Distributed Application Models with Enterprise Java.
Enterprise Java Application Server Basics.
How to Choose an Enterprise Java Application Server.
Enterprise Java Application Architecture.
Building an Enterprise Java Application.
Deploying the Application.

Enterprise Java & Your Business.

Planning for Migration.
First Steps.
The Implementation Plan.
Organisational Challenges.
What’s next for Enterprise Java?

Close.