Building eCommerce Applications Using JDeveloper
Dr. Paul Dorsey
Dulcian, Inc.
www.dulcian.com
Agenda
Overview
JDeveloper vision and new features
Learning the new environment
Java Server Pages (JSPs)
Security Issues
Conclusions


Overview
JDeveloper is Oracle’s Java development environment.
Now the tool of choice for creating Java applications
Product history
Originally based on JBuilder source code
Now completely rewritten in Java
Closely integrated with Oracle database via Business Components for Java (BC4J)
Standard Java Swing components connect directly to BC4J code (no more Data Aware Components (DACs)!)
What is JDeveloper good for?
Creating applications
Competes with Oracle Forms, VB, PowerBuilder
Any Java development effort
Supports Java Server Pages (JSPs)
Primary method for building Internet applications
Create tags that look like HTML, are converted to Java and back to HTML
Minimal HTML support in JDeveloper
JDeveloper – the vision – 9i and beyond
Need to deliver Forms quality applications over the Internet as JSPs
Enhance JDeveloper capability to do this
Currently still need front-end tool like FrontPage or Dreamweaver
Goal for JDeveloper to be the sole Oracle design and development environment
Support all functionality from:
Designer
Developer
SQL Navigator/TOAD
Built-in Profiler allows developers to monitor application performance
New features in 9i
Stake out new ground for long-term development
UML Class Modeler
Improvement over old Object Database Designer (ODD)
Can be used for Java classes
Activity Modeler – version of Oracle Workflow
Fine grain version control feature
Similar to Designer
Improved BC4J Tester
Learning the new environment
Very steep learning curve
Much more complex environment
What you need to build JSPs:
Java
XML
JDBC
JavaScript
HTML
SQLJ

You also need some knowledge of:
Application servers
Firewalls
HTML editors
FrontPage
Dreamweaver

How to build JSPs
DON’T!!! (at first)
Start by building a Java Application.
Use the JDeveloper3 Handbook (Dorsey & Koletzke, Oracle Press, 2001) to master basic concepts.
Build using JDeveloper 9i.
Convert to JSPs.

Java Server Pages (JSPs)
How can you safely deploy applications over the Internet?
Use an application server such as Apache or Oracle 9i
Applications cannot be purely Java for security and firewall reasons.
JDeveloper has limited HTML visual editing capabilities
Use a separate HTML product (FrontPage, Dreamweaver)
For additional functionality (e.g. complex data validation), JavaScript is needed to extend HTML
How do JSPs work?
JSPs are extensions of servlet technology
Servlet is a program stored and run on the web application server.
JSP accepts requests from a client browser through HTTP data stream and constructs a page by querying the database and outputting HTML tags mixed with data from queries
Page is then constructed dynamically by the program (like a Common Gateway Interface (CGI))
Servlets
Advantages of servlets
Only require a new thread not a new process like CGI programs
Significant resource savings for the application server
Provides performance benefits
Coded entirely in Java
Portable
Do not need CGI language (e.g. Perl)

JSPs
Variation of servlet idea
Dynamic and static elements
Developers can fix parts of application that do not change (e.g. HTML tag at the end of the page, boilerplate) using servlets
JSPs converted to servlets when they are run
Code is cleaner than servlet code
JSP Code
Sample of JSP code created by JDeveloper

Sample mixes HTML and JSP tags
.jsp extension indicates to the server that the requested page is a JSP file.
JSP runtime architecture
When JSP is first accessed, it creates a Java file, compiles file into bytecode in a .class file
For subsequent accesses, .class file is cached
JSP container runs .class file in JVM session
Java and class files generated dynamically from JSP source code file.
BC4J layer sits on application server and communicates with the database
Advantages of JSPs
Each page loads quickly
Send out plain HTML – easily readable in any browser
Smaller client requirement
No JVM running on the client
Presentation look and feel is embedded in HTML tags and cascading style sheets
Web graphics designers can create look and feel.
Java programmers can write dynamic JSP sections.
Disadvantages of JSPs
Added complexity
JSP tags and architecture
Setting up web server to support servlet API and JSP container
Limitations of HTML
Can include embedded JavaScript
Need skills in Java, HTML and JavaScript
JSP-generated HTML cannot use rich features of AWT and Swing component libraries available for Java applications and applets
Debugging is more difficult
JDeveloper offers remote debugging
Web Bean Solution
JDeveloper provides web beans that output HTML
Helps solve problem that JSPs cannot use AWT and Swing components
The JSP includes calls to web beans, which run on the server when the JSP is accessed.
Bean contains properties set in code that tailor its behavior.
Methods in beans can be called to alter bean’s behavior or features.
Sample tag structure
Code to embed JSNavigationBar bean into a JSP file:

<%
  deptNavBar.setShowNavigationButtons(true);
  deptNavBar.setReleaseApplicationResources(false);
  deptNavBar.initialize(pageContext, "testBeanPRJ_deptempbuscomp_DeptempbuscompModule.DeptView");
  deptNavBar.render();
%>
Where are JSPs useful?
Anywhere CGI-generated or static HTML pages can be used
For Internet applications with no firewall limitations or Java requirements for the client
Still cannot emulate client-server applications
Only rudimentary development
Limitations of HTML
Still the best alternative for Internet eCommerce applications
Application Security
Centers on hardware and communication between application and other resources
To evaluate security, consider the following:
Memory utilization
Buffer overflow results
Privileges granted to applications running on or interacting with machine
Choice of operating system has significant impact on overall security
Java Security
Top priority in design considerations for Java language
Pointers eliminated
Permission levels, digital certificates, cryptographic keys, signed files added
Applets are secure by design
Must have special permissions to interact with other system resources
Default Java security files
java.policy – Basic policy file that stores your default permissions to access specified properties, allow thread stopping, and grant socket listening privileges.
java.security – Master security properties file that stores information about your registered Cryptography Package Providers, system-wide policy files, IdentityScope use, keystore type, and package access definitions.
cacerts – System-wide repository for trusted certificates. This file currently ships with a limited number of trusted certificates from certification authority providers, such as VeriSign.
You can find these Java security-related files in directories such as:
JDeveloper – JDEV_HOME\java1.2\jre\lib\security
Oracle8i – ORACLE_HOME\javavm\lib\security
Oracle run time – D:\Program Files\Oracle\jre\x.x.x\lib\security
Security Permissions
Traditional Java applications are designed to run in standalone mode on a client machine
Few security restrictions or requirements
Applets run on a client browser after Internet download
Significant security requirements
Default level – prevents damage to operating system
Use APIs or 3rd party toolsets to change security
Modify permissions for a specific applet
Applications packaged in .jar files can also have constrained security as in applets.
JDeveloper still does not include a usable code obfuscator so care must be taken since Java class files are vulnerable to decompilation.
Types of Users
Need to consider two classes of users
Internal – require more sophisticated tools
Customer service representatives on the road
Managers
Other employees requiring remote access to information
General access
People using the Internet
Implementing Controls
Need to implement four key concepts:
Identification
User IDs and passwords, biometrics, digital media, digital signatures
Authorization
Read-only mode/trusted users
Verification
Digital signatures, hash codes
Encryption
Public and private keys
Security and JDeveloper
Most security has nothing to do with JDeveloper
Firewalls
Security Keys
Firewalls
Software that tells the machine which ports (I/O addresses) to listen to
Validated by:
IP Address
User Name
Firewall Login
Common Ports
Newsgroups – 117
Oracle – 11521
AppServer – 80
Secure Socket – 132
Simple Architecture
Switch – dynamic partitioning of communication resources – 100MB/sec
Where can we put the firewalls?
Answer: Firewalls can be Anywhere
DB Server
App Server
Switch
Preferred: a dedicated firewall box
Medium Size Business (Not Toys-R Us/Not Paranoid)
Large Company (Paranoid)
Completely isolate Internet access from company
Separate database servers
Use periodic updates to keep systems in synch
None of this had anything to do with Java
Logical model






Encryption is NOT always slower
There is some compression going on
Encrypted pages with lots of graphics are much slower
A tale of two keys
Public and private
I keep the private
I send the public
My users encrypt with public key
I decrypt with private key
Encryption algorithm is built into browser…so you need 2!!
MS Explorer
Netscape
Buy from VeriSign
$15 for a key set (no need to pay more)
Expensive Keys
1) I sent my $15…
-
-
4) I presented myself with an officer of the company and a notary.
No more secure – only more expensive
Only implement if customers understand…
Therefore…pay the $15
Using Encryption
When using encryption you must use:
A secure socket
New port
Part of App Server
IAS – Comes with it
Apache – Pay for it
Invoking secure pages
User will get messages about entering and leaving secure areas
Graphics in secure pages are very slow
Accessing secure pages
1. Leave web server alone
Call pages through ‘HTTPS://’….. OR
2. Put secure pages in a separate directory
In Apache, use “SSLRequireSSL” to flag that directory as secure
Can’t call page directly using relative address because of secure sockets
So….
Explicitly call page
or
Redirect command (pretty nasty)
3. Advanced stuff
SSLRequire – Allows filtering to be passed (Name, Password…) e.g. for internal payroll system
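The three options above as an Apache mod_ssl fragment. This is an added example, not part of the original slides; the host name, directory paths and certificate field values are placeholders, and an SSL-enabled virtual host that already sets its server certificate and SSLCACertificateFile is assumed.

```apache
# Constructed example: host name, paths and certificate fields are placeholders.

# Plain-HTTP listener. Option 1 leaves it alone and relies on every link
# to the secure area being written as an explicit https:// URL. The
# Redirect below is the alternative: requests for the secure area that
# arrive in clear text are sent to the SSL listener instead of served.
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot "/var/www/shop"
    Redirect permanent /secure/ https://shop.example.com/secure/
</VirtualHost>

# Option 2: flag a directory as secure. Any request that reaches it
# without SSL is refused, whichever listener it came in on, so a
# misconfigured link fails closed rather than leaking the page.
<Directory "/var/www/shop/secure">
    SSLRequireSSL
    # Keep the refusal in force even where "Satisfy any" is configured
    SSLOptions +StrictRequire
</Directory>

# Option 3: SSLRequire filters on attributes of the connection. Here the
# internal payroll area demands a client certificate and checks its
# organisation fields. In Apache 2.4 SSLRequire is deprecated in favour
# of "Require expr", which accepts the same kind of expression.
<Directory "/var/www/shop/secure/payroll">
    SSLRequireSSL
    SSLOptions +StrictRequire
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp" \
           and %{SSL_CLIENT_S_DN_OU} in {"Payroll", "Finance"}
</Directory>
```

Because the Redirect lives only in the plain-HTTP virtual host, requests that already arrived over SSL are not redirected again.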
Conclusions
JDeveloper can be used to build very complex applications.
Goes beyond the capabilities of Oracle Forms
Still a newer, less mature environment
Steep learning curve includes other languages and tools
More sophisticated development environment
Supports client/server and Internet applications
Transition will not be easy, cheap or painless.
References
The following sources have been helpful in understanding the development environment surrounding the creation of applications using JDeveloper:
Effective Java™ Programming Language Guide (The Java™ Series) by Joshua Bloch, Addison Wesley Professional, 2001, ISBN: 0201310058
Java 2: The Complete Reference (Osborne Complete Reference Series) by Herbert Schildt, McGraw-Hill Professional Publishing, 2000, ISBN: 0072130849
The Java™ Tutorial: A Short Course on the Basics (The Java™ Series) by Mary Campione, Kathy Walrath, Alison Huml, Addison-Wesley Pub Co., 2000, ISBN: 0201703939
Oracle JDeveloper 3 Handbook, by Dr. Paul Dorsey & Peter Koletzke, Oracle Press, 2001, ISBN: 0072127163
Refactoring: Improving the Design of Existing Code, by Martin Fowler, Addison-Wesley Pub Co., ISBN: 0201485672
Contact Information
Dr. Paul Dorsey – paul_dorsey@dulcian.com
Dulcian Website: www.dulcian.com