lundi 27 février 2017

Multi-Tenancy using JPA, Spring and Hibernate – Part One

Multi-tenancy allows an application to behave as multiple independent applications hosted for different clients (i.e. organisations). This might not sound impressive, however as the number of clients increase it becomes more evident that it is easier and more cost effective to run a single application hosted for all the clients rather than hosting an independent application for each client.
Multi-tenancy has become more popular lately and is economically attractive for software companies: a single shared installation lowers hosting costs and makes the service more affordable, which in turn can give your business a higher level of competitive differentiation.

mardi 12 juillet 2016

Application Logging "Worst Practices"


Outline
  1. Why logging? Why not logging?
  2. Developers and logging
  3. Bad log - good log?
  4. Conclusions and action items
Log Data Overview

  • What logs?
    • Audit logs
    • Transaction logs
    • Intrusion logs
    • Connection logs
    • System performance records
    • User activity logs
    • Various alerts and other messages
  • From Where ?
    • Firewalls/intrusion prevention
    • Routers/switches
    • Intrusion detection
    • Servers, desktops, mainframes
    • Business applications
    • Databases
    • Anti-virus
    • VPNs

“Standard” Messages

  • 10/09/2003 17:42:57,10.10.94.13,48352,10.10.97.14,909,,,accept,tcp,,,,909,10.10.93.29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall-1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC-927F5D1DECEC};mgmt= labcpngfp3;date=1064415722;policy_name= Standard],labdragon,48352,10.10.97.14,909, tcp,10.10.93.145,',eth2c0,inbound
  • Oct 9 16:29:49 [10.10.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:10.10.98.67/1487 (10.10.98.67/1487) to inside:10.10.94.13/42562 (10.10.93.145/42562) PIX
  • 2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|10.10.94.10|10.10.94.13|0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52|
What Commonly “Gets Logged”?
  • System or software startup, shutdown, restart, and abnormal termination (crash)
  • Various thresholds being exceeded or reaching dangerous levels such as disk space full, memory exhausted, or processor load too high
  • Hardware health messages that the system can troubleshoot or at least detect and log
  • Access to resources and authentication decisions
  • Network connections, failed and successful
  • User access privilege changes such as the su command—both failed and successful
  • User credentials and access right changes, such as account updates, creation, and deletion—both failed and successful
  • System configuration changes and software updates—both failed and successful
Why Logs? What Are They Good For?
  • Security teams
    • Monitor, detect, investigate, track, analyze
  • Auditors
    • Well, audit 
  • The rest of IT
    • Troubleshoot, measure, verify, monitor
  • Finally, developers
    • “Hmmmm… maybe for debugging… I dunno”
Why NOT Log? Why Logs Are Baaaaaaad! 
  • “Who needs logs? I sure don’t!” - “Debugger is better! Printf is fine too…”
  • Isn’t it what system (network) infrastructure does?
  • It slows down the systems, uses up disk and memory
  • “It was not in the spec”
  • We don’t know what to log – we will log something (and then hate it)
  • We don’t know how to do it – we will do it somehow (and then hate it more…)

Performance Tweak

Before assembling your greppable log statement you may want to check log.isInfoEnabled() or log.isDebugEnabled(). This way you save some CPU cycles:
// Uses many cpu cycles:
String fancyLogString = buildFancyLogString();

// Does nothing because "debug" is currently disabled in log4j.properties:
log.debug( fancyLogString );
Better:
if ( log.isDebugEnabled() )
{
  // Uses many cpu cycles:
  String fancyLogString = buildFancyLogString();

  // Does nothing because "debug" is currently disabled in log4j.properties:
  log.debug( fancyLogString );
}

Separate files for different areas of interest

For each file, you'll need a separate Logger. The prefix ("connections.", "stacktraces.", "http.") makes each one a child of a named logger hierarchy, so log4j configuration can route it to its own appender:
import org.apache.log4j.Logger;

private static final Logger log = Logger.getLogger( MyClass.class );
private static final Logger connectionsLog = Logger.getLogger( "connections." + MyClass.class.getName() );
private static final Logger stacktracesLog = Logger.getLogger( "stacktraces." + MyClass.class.getName() );
private static final Logger httpLog = Logger.getLogger( "http." + MyClass.class.getName() );
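The configuration side of this pattern, as an added example that is not part of the original post: a log4j 1.x properties file that sends the "connections." and "stacktraces." logger hierarchies above to their own files, while everything else still goes to the main application log. File paths and appender names are assumptions.

```properties
# Default: everything at INFO and above goes to the main application log.
log4j.rootLogger=INFO, app
log4j.appender.app=org.apache.log4j.RollingFileAppender
log4j.appender.app.File=logs/app.log
log4j.appender.app.MaxFileSize=10MB
log4j.appender.app.MaxBackupIndex=5
log4j.appender.app.layout=org.apache.log4j.PatternLayout
log4j.appender.app.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c - %m%n

# "connections.<class>" loggers: their own file, and additivity=false so the
# same event is not duplicated into app.log via the root logger.
log4j.logger.connections=INFO, connections
log4j.additivity.connections=false
log4j.appender.connections=org.apache.log4j.RollingFileAppender
log4j.appender.connections.File=logs/connections.log
log4j.appender.connections.MaxFileSize=10MB
log4j.appender.connections.MaxBackupIndex=10
log4j.appender.connections.layout=org.apache.log4j.PatternLayout
log4j.appender.connections.layout.ConversionPattern=%d{ISO8601} %-5p %c - %m%n

# "stacktraces.<class>" loggers: kept at DEBUG so isDebugEnabled() is true
# for these loggers only; the expensive message is built just for this file.
log4j.logger.stacktraces=DEBUG, stacktraces
log4j.additivity.stacktraces=false
log4j.appender.stacktraces=org.apache.log4j.RollingFileAppender
log4j.appender.stacktraces.File=logs/stacktraces.log
log4j.appender.stacktraces.MaxFileSize=50MB
log4j.appender.stacktraces.MaxBackupIndex=3
log4j.appender.stacktraces.layout=org.apache.log4j.PatternLayout
log4j.appender.stacktraces.layout.ConversionPattern=%d{ISO8601} %-5p %c%n%m%n
```

Because logger names are hierarchical, "connections.com.example.MyClass" inherits the level and appender of "connections" without a per-class entry; the "http." hierarchy would be configured the same way.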

jeudi 12 février 2015

List of useful HTTP headers

This page lists useful security-related HTTP headers. In most architectures these headers can be set in the web server configuration (Apache, IIS, nginx) without changing the application's code. This offers a significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.


HTTP Session time-out settings and overwrite precedence rules

Technote (troubleshooting)


Problem (Abstract)

It is possible to set the HTTP Session time-out in various places on the IBM® WebSphere® Application Server Administrative Console. It is also possible to set HTTP Session time-out for the application packaging process.

Since Session time-out can be set in multiple places, it is necessary to understand how the ultimate Session time-out for an application is determined.

Cause

Application needs HTTP session time-out set.

Resolving the problem

The HTTP Session time-out can be set in the following places:
  • From the Administrative Console at the server, Enterprise application, and Web application levels
  • At the time when the application is packaged
  • In the application code

Single sign-on to an IBM WebSphere Portal through IBM Tivoli Access Manager WebSEAL

Concrete scenarios offer Tivoli security tips
This article highlights some of the important points to be considered while integrating IBM® Tivoli® Access Manager for e-business with IBM WebSphere® Portal for the purpose of providing authentication to a portal through single sign-on (SSO). It provides detailed steps for configuring a Trust Association Interceptor++ (TAI++), which is one of several ways to configure SSO. It also discusses WebSphere Portal (WP) session management. This article provides very useful information about SSO mechanisms, such as LTPA, TAI, TAI++. This information is very helpful to differentiate between these SSO mechanisms and make selections among them. This article also covers steps required to create keys for enabling security using the IBM Key Management Utility. Command line options are also provided along with GUI options so that a user cannot get stuck even if the GUI is not available. These steps are also useful for those who are using IBM Key Management Utility for key management purpose.

WebSEAL Administrator's Guide

AJAX vs Tivoli Access Manager WebSEAL

This article describes the challenges encountered when introducing Asynchronous JavaScript™ and XML (AJAX) programming techniques into the IBM Tivoli Access Manager (TAM) WebSEAL environment. It gives an overview of WebSEAL technology and an introduction to AJAX methods. Considerations for AJAX developers working with WebSEAL are described. Possible solutions to the problems that may arise are provided, along with a list of examples that help AJAX developers succeed in a WebSEAL environment.


jeudi 6 mars 2014

Java Optimization Rules

Rule 1: Use_String_length_to_compare_empty_string_variables

Severity:  High
Rule:  The String.equals() method is overkill to test for an empty string. It is quicker to test if the length of the string is 0.
Reason:  The String.equals() method is overkill to test for an empty string. It is quicker to test if the length of the string is 0.
Usage Example: 
package com.rule;
class Use_String_length_to_compare_empty_string_violation
{
 public boolean isEmpty(String str)
 {
  return str.equals("");  // VIOLATION
 }
}
Should be written as:
package com.rule;
class Use_String_length_to_compare_empty_string_correction
{
 public boolean isEmpty(String str)
 {
  return str.length()==0;  // CORRECTION
 }
}

vendredi 7 février 2014

The top 10 performance problems of J2EE applications

The 10 main performance problems of Java / J2EE applications. Here is the ranking:

#10 – Excessive logging
#09 – Poor application server configuration
#08 – Incorrect use of Java EE
#07 – Overuse of XML
#06 – Poor use of caching features
#05 – Memory consumption
#04 – Poor performance of third-party libraries
#03 – Poor concurrency management
#02 – Overuse of distribution
#01 – Poor use of the database