Category Archives: Conferences

[2018 oracle code one] JWT’s suck

Posted on by
Reply

JWTs Suck
Speaker: Randall Degges
@rdegges

For more blog posts, see The Oracle Code One table of contents

JWT (JSON Web Token)

  • pronounced “jot”
  • JSON data
  • cryptographically signed
  • Not encrypted most of the time
  • Prove that some JSON data can be trusted
  • Common use case: Website generates JWT after validating credentials. Website then sends JWT to browser and browser stores in localStorage. Then browser sends to website for subsequent requests.
  • There are stateless and stateful JWT. The later maps to a session id. People don’t use stateful JWTs.
  • 2012 – Spec came out
  • 2014 – began gaining adoption/marketing
  • seven of the first 10 hits on jwt are marketing pitches

Cookies

  • JWT stores session id as JSON blob. In cookie, just a string.
  • Session cookies are underappreciated
  • Use HttpOnly flag
  • Use SameSite-strict flag
  • Use secure flag
  • Browser sends cookie header to website

HTML Local Storage

  • JavaScript only accessible
  • Store key value pairs in browser

Myths about JWTs

  • JWTs are easier to use – JWTs require additional tools, libraries and knowledge to function. Developer effort. Vs session cookies which are built into all web frameworks.
  • JWTs are more flexible – Cookies can store one piece of data per cookie or serialize into a cookie. JWT has claims which are certain pieces of data that always included – ex: when token created/expires. Cookie actually expires at expiration times. Tokens don’t disappear automatically
  • JWTs are more secure – Cryptographically signed and can be encrypted. However, actually using the encryption feature is rare. The spec is complicated and libraries vary in support. Also multiple vulnerabilities in past two years.
  • JWTs prevent CSRF – Cookies are susceptible to CSRF because sent to server automatically. Local storage is safe from CSRF because developer needs to write JavaScript to send the data. However, you are now vulnerable to XSS which is worse. CSRF is far easier to fix than XSS because most websites link to Google Analytics, third party jquery, etc. OWASP recommends not storing any sensitive information in local storage.
  • JWTs are better for cross domain authentication – Good when create temporary token that lasts for 10 seconds. It is used between the login service and your app.
  • JWTs are more efficient than cookies – 179 bytes. If just sign the id part, is 64 bytes. Difference even greater when add data.
  • JWTS are easy to revoke – Could change signing key of application, but that also logs out the other users. Alternatively, use the revocation list pattern so can invalidate one. But now you’ve introduced state/database/cache.

Better use cases for JWT

  • Short duration (one minute or less) for one time use
  • ex: downloading a file, reseting a password

My take: I hadn’t heard of JWTs. So I learned a lot! It was fun hearing the audience questions/comments/statements was fun. That said, I need to read up on the topic to see the other point of view.

[2018 oracle code one] mastering jpa performance

Posted on by
Reply

Mastering JPA Performance
Speaker: Thomas Broll
@speakjava

For more blog posts, see The Oracle Code One table of contents

Problem

  • Users complain
  • With microservices more important beause more calls

General

  • Apache lang has ImmutableTriple class

Techniques

  • Monior – number sql statemtenrs, cpu, i/o
  • hibernate.show_sql = true
  • run jstack while transaction running to see where stuck
  • Check JDBC driver batch size

Create – Performance improvements

Scenario: writing large amounts of data

  • Use table generator (vs sequence generator) where gt batch of ids so not a roud trip to get it each time. Even better to use external UUID generator
  • JPA only supports one open batch. But goes to database if do a query or persist a different entity. So faster if persist by entity

Read – Performance improvements

  • 1+N problem. One statement in code. Executes more statement to get relationships. All, XToOne are eagerly loaded
  • Can provide hints to eagerly or lazy load
  • fetch query to get data actually needed – can put it in the JQL query
  • Can get Hibernate statistics for number of queries/loads/fetches
  • Cal setFirstResult() and setMaxResults() on query object

Update – Performance improvements

  • Auto flushes are caused by transaction commit, insert/delete, query or explicitly flush()
  • Performance cost due to dirty checks and actual updates. Cost also depends on size of persistence context
  • Call getReference() to get empty proxy. This allows saving without changing in database?

Delete – Performance improvements

  • Remove() requires persistent entities, requires loading reference
  • Delete by query could be more efficient

Cloud

  • Two orders of maginude worse when database on different continent.
  • 35 minutes to do 5 second run when database on a different continent

My take: It’s been a while since I look at this topic. It was a good mix of review and things I never knew. Not having a physical network between the machine and database really hanges the numbers. It would have been nice to use a cloud database to get those numbers [scratch that; he did at the very end. I would have liked to see it earlier]

[2018 oracle code one] Java 9, 10 and 11: Pitfalls for the Unwary

Posted on by
Reply

Java 9, 10 and 11: Pitfalls for the Unwary
Speaker: Simon Ritter
@speakjava

For more blog posts, see The Oracle Code One table of contents

General

  • If you aren’t already on Java 9 or 10, don’t upgrade to them. Go straight to Java 11. Java 9 and 10 are feature releases, not LTS releases

Compatibility

  • Compatibility has always been very important
  • A few exceptions, but not significant. Was a pattern match search and replace
  • 1.4 – couldn’t use name assert anymore
  • 1.5 – couldn’t use name enum anymore
  • Concept of deprecation added in 1.1 – statement that a newer version is better
  • Java 8 has 492 deprecated API elements and non had ever been removed
  • Going forward, get at least one release or warning. Noted that less than that would be no warning at all.
  • Starting Java 9, things getting removed.
  • “if your code only uses standard Java APIs, it will most likely work” – Mark Reinhold

Java 9 – Module system

  • 75 OpenJDK modules
  • 27 Java SE, 48 JDK (ex: tools)
  • Oracle JDK adds 14 more JDK, 8 Java FX and 2 Oracle specific. Applies to Java 9. Remember Oracle JDK 11 == Open JDK 11
  • Most internal APIs are now encapsulated
  • sun.misc.Unsafe – the clue is in the name. Everyone has used through open source library like spring
  • Can choose not to use modules. Leave everything on classpath. Everything is in the unnamed module which depends on all modules. All packages are exported.
  • Then can migrate to modules gradually. Try automatic modules where don’t have module-info.class file but still treat as module.
  • Try moving existing jar files from classpath to modulepath.
  • “Big Kill Switch” –illegal-access
    • permit – warn for first use of encapsulated API
    • warn – warn for every use of encapsulated API
    • debug – warn and provide stack trace for every use
    • deny – don’t allow use at all
    • At some point, the default will become deny. We don’t know when. Suspect it’ll be a good while.
  • Allow direct access to encapsulated APIS — add exports
    • List package names exposing. Can be to ALL-UNNAMED or to specific packages
    • Alternatively can do this in the jar file manifest. That way library can expose without users having to specify
  • ‘Allow reflective access to encapsulated API –add-opens
    • List package names you want to expose
  • jdeps
    • find dependencies so can see which modules using
    • includes jdk.unsupported which is where sun.unsafe lives
  • java.se – aggregator module – If just use java.se, everything should just work
  • java.se.ee – module not included by default in JDK 9/10
    • ex: corba, transactions, Java activation (beans activation framework), xml bind (JAXB), web services (SOAP based)
    • Audience survey showed a lot of people using SOAP based web services
    • Still affected if use Apache SOAP library because sits on top of java library
    • Options
      • –add-modules – to explicitly add
      • Use standalone package from Maven central – deploy to upgrade module path or standalone version on classpath

Other changes

  • Single underscore is now a keyword. Can no longer use as an identifier. Can use two or more underscores if really want underscore variable name. Will be introducing _ as lambda dummy parameter.
  • Deleted some deprecated methods
  • New tool in Java 9: jdeprscan – static analysis against class files and jar files to report Java SE deprecated APIs
  • JDK/JRE file structure changed. Flatter directory structure. Now have bin/conf/lib/jmods.
  • lib/ext and lib/endorsed removed. If create directory, get fatal error starting JDK. Fails fast!
  • JNLP (Java Network Launch Protocol) – now uses strict parsing
  • Removed lots of JVM flags and others were replaced with different flags.

Version numbers

  • Version string format has changed. Was 1.8.0_131.
  • Fun fact. JDK 7u55 has more patches than JDK 7u60
  • New format $FEATURE.$INTERIM.$UPDATE.$PATCH
    • Feature – main version number
    • Interim – always 0 – reserved for future use
    • Update – 0, 1, 2
    • Patch – for emergency updates

JDK 10

  • var is now a reserved type. Not a reserved word. Can still use as variable name. Can’t create class called “var”.
  • Removed for deprecated code.
  • javah tool removed (for JNI). How do javac -h
  • policytool also removed

JDK 11

  • Oracle JDK – commercial license
  • Oracle Open JDK JDK – Mark Reinhold wants OpenJDK to be an adjective; not a noun. [because people are going to say that?}
  • Browser plugin going away
  • Java Web Start going away. Some alternatives, but no drop in replacement.
  • jmc (monitoring/mission control) – now a standalone package
  • More deprecated code removed

My take: Great humor. And great review for the stuff I knew. Also good clarifications and learning for the parts I did not know. There were a lot of references to Java 9 and 10. For most things, these apply to 11 as well. In a few case, it was confusing what applied to 11 vs what was interim.