Tuesday, September 30, 2014

Productive JavaFX 8

Adam Bien

MVP: model, view, presenter.
Afterburner framework (Apache-licensed), giving inversion of control.
FXML comes with JavaFX.

Coding demo from scratch.
WYSIWYG GUI editor in NetBeans.

Presenter works like a controller; it is injected with the widgets designed in FXML.
Private members need the @FXML annotation; public ones get injected for free.

Model holds state, service talks to the backend; both are POJOs.
Everything injected is a singleton.

Lambdas supported.

Creating Our Robot Overlords: Autonomous Drone Development with Java and the Internet of Things

Quadcopters with Rick Astley in the background. Could it get any better?

Agenda:
Autonomous flight
Anatomy of a quadcopter
Raspberry pi
IoT
3D flight sim
Self aware drone


Autonomous flight:
Choosing a drone with an API, $300.00
Brain: Raspberry Pi
Power
Making it all work

Parrot AR.Drone 2.0
Good community
Java: Parroteer API

Raspberry Pi Model B
2 WiFi adapters
16 GB SD card
10-minute battery by default, switched out for a larger one
Pi was the wireless access point

Power supply for the Pi onboard added weight. Couldn't power it through the quadcopter's power supply.

Key is the firmware controller on the drone.
Pi had a USB mobile phone charger and an Ethernet cable.
Keeping the connection up took tweaking.

IoT on NetBeans.
MQTT broker, pub/sub messages.
Drone provides data back: navigational, error, etc.

Demo!

Downward camera detects an orientation roundel (target) to set home. It then records and reports deltas based on motor use and tilt to give a vector.

3D simulation
Mesh of a TIE fighter.
Lambda function.
Duration- and power-based actions.
Stage demo with the TIE fighter.

Self-aware drone: more sensors, more power and weight, maybe a new platform.

Coding for the Future: The IDE (R)evolution for the Next Generation


Coding for the future
Director of NetBeans engineering

The road to here:
  • IDE wars in the 2000s
  • Soon a two-horse race between NetBeans and Eclipse
  • Most moved to building Eclipse plugins.
  • IntelliJ commercial
  • Then an evolution occurred that took project data out of the IDE and stored it in Ant, Maven, Hudson, etc. Devs can now use the IDE of their choice on a shared project.

Recent trends:
  • Polyglot world, outside Java.
  • Code completion, debugger, etc.
  • JavaScript a big player, difficult to tool.

Is Java tooling mature?
  • Debugger, compiler, error handling, etc. now widely available.
  • Mostly enhancement requests now.
  • WYSIWYG where possible.

Web IDE
  • Code editor in the browser
  • Orion is an example.
  • Combination of editor and cloud platform
  • Mostly for web client technologies; easy to tool to run in the browser.
  • Feature set in a web IDE is lower, and so are expectations.
  • How to integrate with the back end?
  • Loses performance compared to a standalone IDE.
  • Offline mode is a problem.
  • Not a replacement.

Opportunities for growth:
  • Interacting with managed systems, clouds.
    • Much different from deploying a WAR to a local server.
    • Amazon, Google, MBaaS.
    • Hard to emulate on a local machine.
    • Really only write custom code; the rest is provided.
    • Will always need IT people, which is a wall.
    • Tools don't allow for easy debugging.
  • Combination with developer services
    • CI + code analysis + git
    • Rule-based propagation
    • CI + indexing with Maven is a problem. Stop indexing libraries.
    • Run code analysis on the git repo. Should have find references etc. Warnings on stable code etc.
  • Configuration management
    • Setting up a dev env locally.
    • Painful
    • Changing projects can become expensive.
    • Encapsulate dev and execution envs. One-click setup.
    • What to use for encapsulation?
    • VMs? Gets expensive for multiple users. Local IDE with remote source can be a problem in some IDEs.
    • Containers on a hosted cloud service. Is it the same env? Security. Local IDE, remote source problem.
    • Containers not really isolated
    • Locally downloaded containers. Same source problem.
    • Container density limited if using big systems like WebLogic
    • Docker improving.

Who is well positioned to deliver?
  • Difficult to charge for a browser-based IDE.
  • Primary value is cloud integration.
  • Have your own cloud or partner with one.
  • Amazon and Google integrating their own small infrastructures.

NetBeans pitch
  • Split UI from logic
  • Run in a multi-tenant server
  • Core libs as services.
  • Oracle Developer Cloud Service
  • Tailwind code editor
  • Various cloud services

Jump-Starting Lambda Programming


Stuart Marks
Principal member of technical staff
Java Platform Group, Oracle

Intro-level lambda coding and the Streams API

Example: Person.java
Application: robocall()
For loop over a list of persons

Change the code to also check age > 18 or 17, etc.
Use a parameter for age.

Parameterization is key.

Change to also check a minimum age. Refactor with an age range.

Now also need males only in some cases. Hard to parameterize; nulls can mean don't care or don't know.

After a while, value parameterization becomes a problem.

Caller wants to determine whether to robocall.
Library needs those parameters.

This is a function: takes a Person, returns a boolean.
It's like an anonymous inner class.

Let's create PersonPredicate: a function that takes a Person and returns a boolean (Person to boolean), used to decide whether the person should be called. Like Comparator, it is a single-method interface characterised by its input and return types.

Pass the PersonPredicate as an argument to robocall.

The caller has to create a PersonPredicate, which is ugly: an anonymous inner class.

This is how behaviour was passed before Java 8.

A lambda can replace it.

robocall(p -> p.getAge() >= 16)

Equates to a PersonPredicate, or it's a compile error. No need to declare the types.

A lambda is an abbreviation for an anonymous inner class.

There are expression lambdas, which have no return statement, and statement lambdas, which have a return statement.

Zero args must be written as ().
Two or more args must be written as (a, b).

Method reference: Person::toString
Same as p -> p.toString()

Need another parameter to say what to do with the selected persons.
PhoneNumberConsumer with accept()
Now have two functional interfaces.

New requirement: multiple numbers.
Create another behaviour parameter.
PhoneNumberFromPerson with apply(): takes a Person, returns a number.

Now 3 lambda expressions for 3 single-method interfaces, called functional interfaces. You get an instance of the interface as the parameter, but think of it as a function. A lambda can be used wherever a functional interface is expected.

If robocalling, want the home number; if texting, the mobile.

Can genericize functional interfaces.

A lot are provided in java.util.function.
@FunctionalInterface is not required but a good idea.
Adds Javadoc and compiler checking.

Chain together: source - filter - mapping - forEach (the last 3 are lambdas).

List of Person as a Stream, then filter, then map (transform), then forEach with an operation.

New stream() method on List.

New language feature: default methods. In Java 8 interfaces can now have static methods, and a default implementation can be provided. A subclass overrides the default impl normally. A class wins over a default method impl in an interface. A functional interface has exactly one abstract method.

Stream uses the builder pattern, or pipeline. New Streams API.


Streams:
  • 0 or more values
  • No storage
  • Not ordered
  • Like an iterator
  • Allows serial or parallel processing

Stream pipeline:
  • A source
  • 0 or more intermediate operations
  • A terminal operation at end.

.skip(3) with .limit(5) gives a sublist
.limit(5)
.sorted(), overloaded to take a Comparator
.distinct() drops dupes
.flatMap() takes in an element and returns a different number of elements

A source, 0 or more intermediate operations, a terminal operation at end. 


Stream sources:
  • Stream.empty()
  • Stream.of()
  • Arrays.stream(arr, 2, 6)
  • Stream.generate() calls forever; must use a cutoff like limit()
  • Stream.iterate()
  • IntStream.range()
  • "String".chars().forEach(ch -> System.out.println(ch)) gives ints, so use String.valueOf((char) ch) to output characters
  • Files.lines() / BufferedReader.lines()
  • Pattern.splitAsStream()

Terminal ops:
  • .collect(Collectors.toList())
  • .toArray(n -> new String[n]) or String[]::new
  • .count()
  • .anyMatch(), short circuits
  • .findFirst() after a filter returns the first element as an Optional possibly containing a result.

Optional:
  • Might contain a result
  • Also OptionalInt, etc.
  • .get()
  • .orElse(value)

Parallelism:
  • Add .parallel()
  • .forEach output becomes jumbled
  • Lambdas must not interfere with the stream source; think ConcurrentModificationException.
  • AtomicLong can be used in parallel ops, but contention makes it slow
  • Better is reduction: sum by adding plus between each element. Mathematically it doesn't have to be done in order.
  • .reduce()
  • .sum() as a convenience

Collector:
  • Deals with mutable result containers, e.g. ArrayList.
  • Works intermediately with temp lists, which are then aggregated
  • .collect(Collectors.toList()); also toString
  • Huge family in the library.
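As an added example (my code, not the speaker's Person.java or robocall()), the behaviour-parameterised robocall() from the slides rebuilt with the java.util.function interfaces, followed by the same selection as a stream pipeline with a parallel reduction and an Optional. Person, its fields and the sample people are constructed for this example.

```java
import java.util.*;
import java.util.function.*;

// Added example, not from the talk: robocall() with the functional interfaces from
// java.util.function (Predicate, Function, Consumer stand in for PersonPredicate,
// PhoneNumberFromPerson and PhoneNumberConsumer), then the same selection as a
// stream pipeline. Person and the sample data are constructed for illustration.
public class RobocallDemo {
    enum Gender { MALE, FEMALE }
    static class Person {
        final String name; final int age; final Gender gender;
        final String homePhone; final String mobilePhone;
        Person(String name, int age, Gender gender, String home, String mobile) {
            this.name = name; this.age = age; this.gender = gender;
            this.homePhone = home; this.mobilePhone = mobile;
        }
        int getAge() { return age; }
        Gender getGender() { return gender; }
        String getHomePhone() { return homePhone; }
        String getMobilePhone() { return mobilePhone; }
        @Override public String toString() { return name + " (" + age + ")"; }
    }

    // Three behaviour parameters replace an ever-growing list of value parameters:
    // who to select, which number to use, and what to do with that number.
    static void robocall(List<Person> people, Predicate<Person> selector,
                         Function<Person, String> numberOf, Consumer<String> action) {
        for (Person p : people) {
            if (selector.test(p)) {
                action.accept(numberOf.apply(p));   // e.g. dial, or send a text
            }
        }
    }

    public static void main(String[] args) {
        List<Person> people = Arrays.asList(      // constructed sample data
            new Person("Ann", 17, Gender.FEMALE, "555-0101", "555-0201"),
            new Person("Bob", 34, Gender.MALE,   "555-0102", "555-0202"),
            new Person("Cid", 62, Gender.MALE,   "555-0103", "555-0203"));

        // Robocall the home number of males aged 18 to 65: an expression lambda,
        // a method reference and a statement lambda as the three parameters.
        robocall(people,
                 p -> p.getAge() >= 18 && p.getAge() <= 65 && p.getGender() == Gender.MALE,
                 Person::getHomePhone,
                 number -> { System.out.println("calling " + number); });

        // Same idea as a pipeline: source - filter - map - forEach, no explicit loop.
        people.stream()
              .filter(p -> p.getAge() >= 18)
              .map(Person::getMobilePhone)
              .forEach(number -> System.out.println("texting " + number));

        // Reduction instead of a shared AtomicLong: order-independent, so parallel is safe.
        int totalAge = people.parallelStream().mapToInt(Person::getAge).sum();
        Optional<Person> first = people.stream().filter(p -> p.getAge() >= 18).findFirst();
        System.out.println(totalAge + " " + first.map(Person::toString).orElse("nobody"));
    }
}
```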

What's Next for the WebSocket API?


Pavel Bucek, Oracle

WebSocket 1.0:

WebSocket protocol, 2011: two-way communication, better resource allocation. Uses HTTP, then upgrades to WebSocket, then only WebSocket frames.

Ajax long polling in practice has one open connection. Requests are much larger than a small message. Wastes resources.

WebSocket frames are very efficient, with a good size-to-data ratio.

Annotated and programmatic ways to deploy and access WebSocket endpoints.

Event driven: @OnOpen, @OnMessage, @OnError. Also a more complicated programmatic API.

Encoders, decoders, CDI, path and query params, header interceptors.


WebSocket 1.1, Aug 2014, for JDK 8

Session.addMessageHandler
Whole and Partial sub-interfaces.
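An added example, not from the talk: an annotated endpoint using the event methods above, which also registers a 1.1-style MessageHandler.Partial through Session.addMessageHandler. The /echo path and the 64 KiB message bound are assumptions of mine.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import javax.websocket.*;
import javax.websocket.server.ServerEndpoint;

// Added example, not from the talk: an annotated JSR 356 endpoint, event driven via
// @OnOpen / @OnMessage / @OnError, which also registers a WebSocket 1.1
// MessageHandler.Partial through Session.addMessageHandler. The "/echo" path and the
// 64 KiB message bound are assumptions made for this example.
@ServerEndpoint("/echo")
public class EchoEndpoint {
    private static final int MAX_MESSAGE_BYTES = 64 * 1024;
    // The container creates one endpoint instance per connection, so this is per-session.
    private final ByteArrayOutputStream pending = new ByteArrayOutputStream();

    @OnOpen
    public void onOpen(Session session) {
        session.setMaxTextMessageBufferSize(MAX_MESSAGE_BYTES);   // cap buffered text
        // 1.1 API: the explicit Partial<ByteBuffer> type lets a lambda be the handler.
        session.addMessageHandler(ByteBuffer.class,
            (MessageHandler.Partial<ByteBuffer>) (part, last) -> {
                byte[] chunk = new byte[part.remaining()];
                part.get(chunk);
                pending.write(chunk, 0, chunk.length);
                // Partial frames are accumulated here, so bound them explicitly.
                if (pending.size() > MAX_MESSAGE_BYTES) {
                    pending.reset();
                    close(session, CloseReason.CloseCodes.TOO_BIG, "binary message too large");
                    return;
                }
                if (last) {   // last fragment: echo the reassembled message
                    session.getAsyncRemote().sendBinary(ByteBuffer.wrap(pending.toByteArray()));
                    pending.reset();
                }
            });
    }

    @OnMessage   // annotated style for text: the returned String goes back to the peer
    public String onText(String message) {
        return "echo: " + message;
    }

    @OnError
    public void onError(Session session, Throwable cause) {
        // Log server-side; the peer gets only a generic reason, never the exception text.
        System.err.println("session " + session.getId() + " failed: " + cause);
        close(session, CloseReason.CloseCodes.UNEXPECTED_CONDITION, "internal error");
    }

    private static void close(Session session, CloseReason.CloseCodes code, String why) {
        try {
            session.close(new CloseReason(code, why));
        } catch (IOException ignored) {
            // connection already gone
        }
    }
}
```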

Some things that might be introduced in Java EE 8. Not guaranteed to be there; speculation.
CDI issues: @RequestScoped, @SessionScoped, @ApplicationScoped, @ConversationScoped
HttpUpgradeHandler not covered in a CDI scope.

Low-level frame support not yet complete. Filters and interceptors too (only change headers).

Not a real good presentation. The guy next to me fell asleep. Talked about possible future of websockets.

The Anatomy of a Secure Web Application Using Java


Themes:
  • Simplicity
  • Common sense
  • Household analogy

5 security layers
  • Java Secure Socket Extension (JSSE)
  • Java EE security
  • Spring Security - locks on the door
  • Web app framework - household permissions, e.g. who may turn on the TV
  • DB functions - what channels the child can watch

Tutorial online, canonical app: fortressdemo and fortressdemo2 on GitHub.

Tomcat server: turn on the HTTPS connector in server.xml, provide a keystore.

Java EE container: add to web.xml; do you have the role or not, y/n.
Policy decision point file.
Use OpenLDAP Sentry, RBAC controls 0-3.

3 standard interfaces
  • 1 admin
  • 2 review
  • 3 system

Encryption: OpenLDAP uses OpenSSL.

Spring Security: mappings between pages and roles.

Web framework
Wicket, e.g. passing page and role

DB access object
Check access in the DAO.
Encryption
MySQL, OpenSSL

Demo

Fortress suite for RBAC, was OpenLDAP-hosted, now Apache. Includes audit.


PaaS (?)
Pivotal Cloud Foundry
Platform as a service
You manage the VM; scaling is provided.
Upgrade the app to use the cloud if easy. Cloud Foundry's IdM is out of scope.
LDAP not in the cloud
Cloud Foundry VM, Warden container, servlet container, WAR.
5 areas of CF security to reconfigure.

Different context: you don't set up Tomcat, Cloud Foundry does. So SSL termination is at the cloud. Only one cert needed for all transactions.

MySQL connection the same. No JDBC. Injected at runtime.

Java EE realm config and JSSE trust store: install build packs in Cloud Foundry (stack).

Linux containers: Warden container isolation of multiple processes. Shell, environment, PIDs independent of other apps. Chroot on steroids. Multiple VMs per Warden.

Cloud Foundry can be installed on a laptop.

A very fast presentation with a lot of diagrams = hard to take notes on. But the idea was very interesting, security at every layer and a freely available presentation (from Oracle somewhere) and github projects. Not sure if Cloud Foundry is free or not but even the non-cloud application security part was good enough. I wonder if the github project will have a link to the presentation.

Monday, September 29, 2014

Let's Talk JAX-RS.next!


Marek Potociar
JAX-RS specification lead
Oracle, Cloud Application Foundation
Also does Jersey

What to expect in JAX-RS in Java EE 8.

JAX-RS:
  • Improvement over servlets for web services.
  • Started 2008.
  • JAX-RS 2.0 released in Java EE 7

Next in Java EE 8:
  • Performance
  • Better integration in container
  • Hypermedia improvements

Server-sent events - standard HTTP connection, server push stream, async.
Ajax long polling - not a standard but a technique. Manual reconnect.
Server-sent events - standard API and format. HTML5 compliant. Seamless reconnect.
WebSocket - new protocol upgraded from HTTP. Decouples request and response.

Server-sent events:
  • Streaming async events
  • Same infrastructure
  • Fits Ajax and HTML5

Async HTTP request/response cycle: client connects and invokes the resource; the response is async. On invoke, the server can respond or pass info to the response stream.

In Jersey: new SseBroadcaster; the resource constructs and returns an EventOutput registered with it.
New OutboundEvent (uses a builder API)
broadcaster.broadcast(event)

Client: EventSource (JavaScript API); override onEvent, which receives the event with its data. Also a pull model.
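Added example, neither Jersey's own sample nor the speaker's: the broadcaster flow just described, plus the Java-side EventSource push model. It assumes Jersey's SseFeature is registered in the application; the /events path, the @Singleton scope and the "message" event name are my choices.

```java
import javax.inject.Singleton;
import javax.ws.rs.*;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.MediaType;
import org.glassfish.jersey.media.sse.*;

// Added example, not from the talk: the Jersey 2 SSE classes the speaker named
// (SseBroadcaster, EventOutput, OutboundEvent, EventSource). The "/events" path,
// the @Singleton scope and the "message" event name are assumptions made here.
@Path("/events")
@Singleton   // one broadcaster shared by all subscribers, not one per request
public class EventsResource {
    private final SseBroadcaster broadcaster = new SseBroadcaster();

    // Client connects here; the returned EventOutput stays open and receives broadcasts.
    @GET
    @Produces(SseFeature.SERVER_SENT_EVENTS)
    public EventOutput subscribe() {
        EventOutput output = new EventOutput();
        broadcaster.add(output);   // dropped by the broadcaster once a write to it fails
        return output;
    }

    // Server-side trigger: push one event to every connected client. The same event
    // reaches every subscriber, so only broadcast data all of them may see.
    @POST
    @Consumes(MediaType.TEXT_PLAIN)
    public String publish(String text) {
        OutboundEvent event = new OutboundEvent.Builder()
            .name("message")
            .mediaType(MediaType.TEXT_PLAIN_TYPE)
            .data(String.class, text)
            .build();
        broadcaster.broadcast(event);
        return "sent";
    }

    // Java client, push model: subclass EventSource and override onEvent.
    public static EventSource listen(String uri) {
        Client client = ClientBuilder.newBuilder().register(SseFeature.class).build();
        return new EventSource(client.target(uri)) {   // opens the connection immediately
            @Override
            public void onEvent(InboundEvent inbound) {
                System.out.println(inbound.getName() + ": " + inbound.readData(String.class));
            }
        };
    }
}
```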


Non-blocking I/O:
  • Servlet 3.1 leveraged.
  • Register a callback in which you respond to data.
  • Must be backward compatible.

Reactive programming model:
  • Customer logs in and gets destination suggestions, weather, etc., orchestrated.
  • Can be resource intensive. To solve: get customer details, then asynchronously and concurrently get destinations, weather, etc.
  • Hard to read and maintain: callback hell
  • Best is a reactive client composing dataflows, e.g. RxJava, Java 8, Guava.

Declarative security:
  • JAX-RS has no security. Planned for Java EE 8. OAuth 2 used a lot now.
  • Looking for decoupled, declarative, annotation-based: @DenyAll at the controller level and @RolesAllowed on methods.

MVC integration:
  • Controversial. Different flavors of MVC
  • Separate spec.
  • Write MVC in the view response. Spring MVC popular, action-oriented with templates.
  • New framework will build on JAX-RS, probably Facelets. @Template(name="page.jsp") on the resource method.

JSON-B binding
  • Object mapping.
  • Still a JSR


Contexts and Dependency Injection (CDI) alignment:
  • Java EE context and injection alignment.
  • Will take time; JAX-RS is older than CDI.
  • Runs outside a Java EE container.
  • Want to run on small devices.
  • CDI making changes, e.g. modular, portable.

Securing Java: Track Opening Presentation


Milton Smith,
Senior Principal Security Program,
Java Platform Group

Security remediation, features, highlights.

Threat landscape, defensive measures, security features.

Remediation:
  • Critical patch update (CPU)
  • Security alert: hotfix, can't wait.

Security feature highlights:
  • New Java 7 features:
    • Disable Java.
    • Best-before date to update.
    • Security slider, secure vs risk. Exploits, so remove the low and custom security levels.
    • Signing for sandboxed apps, with privileges separate.
    • Standardize CRL revocation.
    • Repurposing of JARs, so lock JARs to specific servers.
    • Java malware, so whitelisting for enterprise and partners using the deployment rule set.
    • Warning when the JRE is out of date, with disabling.
    • Improved uninstaller.
    • Malware, so code signing is the default for applets. Consumer-based support for legacy applets.

  • New Java 8 features:
    • All of 7
    • TLS 1.2 as the default transport encryption.
    • Enhanced revocation services with caching.
    • Static analysis tool for dependencies (3rd-party analysis).
    • Type annotations, @ReadOnly, etc. String tainting tool.
    • TLS extension for cloud use: 1 IP to multiple servers.

"Iron-Clad Java" book from Oracle.

Common security myths:
  • Slow to upgrade or patch is best for production. Not true: attackers already have the patched vulnerabilities.
  • Hackers need your code. Not true; it would probably be confusing.
  • Attackers are gifted. They're like engineers: some gifted, some not.
  • Never had a security incident = secure. Need to know the threat landscape. Fix the ones that matter.
  • Security and compliance are the same.
  • Security is impossible. Do your best.

Oracle working with Microsoft to update Java.

Upcoming CPU: October, 2014.

Hybrid Analysis Mapping: Making Security and Java Developer Tools Play Nice Together


Dan Cornell,
Denim Group

Toolkits for testers and devs based on open source: OWASP (Open Web Application Security Project) ZAP, ThreadFix and Eclipse.

Security spans multiple disciplines:
  • Information security - can't fix the problem, wrong skillset
  • Audit and compliance - healthcare, financials
  • Risk management - same
  • Software developers - write the code, have to take on the tasks.

New disciplines:
  • Physical security - old
  • Information security - relevant
  • App security - new discipline but immature metrics. New tools, code scanning, etc.

Scale of the problem:
  • Legacy code
  • Quantity of apps
  • Not a lot of qualified devs
  • Must automate.

What to do:
  • Gather data - compare money spent on infrastructure vs dev
  • Communicate with stakeholders
  • Automate
  • Repeat

App vulnerability management:
  • Automated static and dynamic tests as well as manual.
  • Vulnerabilities can persist.
  • No easy way for teams to work together.

ThreadFix:
  • Site has metrics on vulnerability remediation, e.g. where time is spent: making sure not to break code, confirmation, and environment setup are high.
  • Open source. Loads and normalizes data and connects teams. FindBugs, Jira, many more.
  • Web-based.
  • Shows apps with the most vulnerabilities, hotspots.
  • Divides vulnerabilities into teams and apps.
  • Loads a scan, diffs it for change tracking, and produces stats. Can mark false positives. Identifies vulnerabilities caught by multiple scans.
  • Slices data by technology, e.g. show only vulnerabilities found by 2 scanners, or only cross-site scripting vulnerabilities.
  • Single view for the security analyst.
  • Load via REST, CLI and a Jenkins plugin. Can be automated.
  • Creates a consolidated view, allows you to prioritize, and translates into dev tools. Manage security tasks in Jira.

Unique vulnerability:
  • Common Weakness Enumeration (CWE), relative URL - directory misconfiguration
  • CWE, relative URL, injection point - SQL injection
  • Injection points - GET/PUT params, cookies
  • CWEs - OWASP Top 10 good.

Top-down: obvious apps + custom + mobile + cloud = Attack Surface Model

Some apps matter more. Allocate resources. Compliance is a high consumer.

App test:
  • Dynamic (running) and static (code) analysis.
  • E.g. dataflow analysis
  • Automated scanning, static analysis, manual app and static testing.
  • E.g. authenticated vs not authenticated tests
  • Breadth first, automation key, base testing of all. Has limitations.
  • Results are diffed, normalized and false positives identified.

Hybrid Analysis Mapping of static to dynamic scanning results.
  • Take friction out of the process. See a dynamic vulnerability, match the changed code. E.g. HP Fortify to IBM AppScan example.
  • Dynamic - spider to enumerate the attack surface. Fuzz to identify vulnerabilities based on e.g. request/response.
  • Static - tainted input, source of SQL injections.
  • Standardize vulnerability types. Match dynamic and static. Improve static parameter parsing.
  • Info used: git URL. Framework type, e.g. JSP and/or Spring. Extra if available.

Endpoint DB available of framework element to vulnerability to code, e.g. JSP getParameter calls or Spring equivalents. Smarter scanning and merging.

Attack Surface Model can know things the dynamic scanner does not. Plugin for OWASP ZAP to connect to the server: give the base URL, then import results in the Eclipse-based app. Fuzzing can find other potential vulnerabilities.

Prioritize:
  • Filters can show by type, fix time, etc.
  • Ship data to the defect tracker, e.g. Jira (attach to the application).
  • Can create multiple defects.
  • ThreadFix will poll status.
  • Pushed to dev teams.
  • Map to line of code, load code, open the ThreadFix view to see the vulnerability per line.
  • Benchmark against other organizations. See stats and make decisions on technologies.

threadfix.org

My thoughts:
  • A very good presentation with no marketing hype. 
  • Well-evolved software process.
  • Might be of more use if we used Findbugs more consistently but creating Jira tasks from Findbugs reports sounds do-able.