Jason Lee 2012-03-01

As you may know by now, we released GlassFish 3.1.2 yesterday. Tim Quinn has a nice overview of some of the security-related changes, but one change he didn't cover was one in the RESTful administration area, namely CSRF protection. I won't go into the details of what CSRF attack is here, but I do want to show we've added protections to GlassFish to make sure the server is as secure as possible.

For the curious, we implemented the CSRF protection using a filter provided by the Jersey team. As you can see from the javadoc, this change only affects requests that change state (POST, PUT, DELETE, etc). To update your client code, all you need to do is add the X-Requested-By header. Its value doesn't matter:

That's all there is to it. It's a very simple change, but an important one. If you run into any issues with this, please let us know!

Jason Lee 2012-02-15

Recently, Matt Raible again presented his Comparing JVM Web Frameworks , this time at JFokus 2012. The intent of the presentation, as best as I can gather from half a world away, is to prevent some of the major JVM-based web frameworks, showing the various strengths and weaknesses, which will allow the audience to choose a framework more easily. While the goal is laudable, I'm just not sure how well executed the attempt was.

Jason Lee 2012-02-14

I had the opportunity today to present an introduction to CDI at the Oklahoma City Java Users Group . It was a smaller crowd, but they had great questions nonetheless. After a rough start in a workspace that wasn't quite as clean as it should have been, I think the went fairly well. I had a good time at least. : )

Thanks to all those that came out and asked questions during and after. If you'd like to play with the code .

Jason Lee 2012-01-26

JAX-RS is the specification that describes how to build RESTful interfaces in a Java EE environment. Jersey is the reference implementation of that spec, and, like many implementations, offers features above and beyond what spec does. One feature that I've been working with recently is the POJOMapping feature, which makes writing services and clients much easier, as well as typesafe.

For the GlassFish Administration Console, we have quite a few tests (about 133 at last count). Given the nature and architecture of the application, we've chosen Selenium to drive our tests. One of the problems we've faced, though, is understanding why a test failed due to the length of time the tests take (roughly 1.5 hours to run the whole suite). Sometimes, we can look at the log and know exactly what failed, but not the why. Did the screen render correctly? Did, perhaps, the click, etc. not get performed (we've seen instances of that) leaving the application in a state not expected by the test? Since I usually start the tests and move on to something else, we had no way of knowing. Until now. I finally sat down and figured out how to grab a screen shot when a test fails. I've distilled that technique down to its essentials, which I'll share here.