Tuesday, December 29, 2009

Best practices for exception handling in Java

Exception handling is an often ignored area in enterprise software design. It comes out more as an afterthought rather than being an integral part of the initial design.
I've seen cases where
  • logs are polluted with too many exceptions leading to delay in performing root cause analysis
  • root cause exceptions get eaten up when thrown to upper level stacks and only a generic exception is logged
  • sufficient exception details aren't recorded with the default log levels
Maybe customers should include exception handling use cases, and how well and quickly products allow root cause analysis, as part of their POCs. This would lead to vendors spending resources on improving this area of their software.

Also, check out this excellent article on "Exception management and error tracking in J2EE".
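The first two failure modes listed above, a root cause swallowed when an exception is re-thrown and the same failure logged at every layer, in a small Java example added here (not from the post; ServiceException, readConfig and the config path are hypothetical):

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ExceptionChainDemo {
    private static final Logger LOG = Logger.getLogger(ExceptionChainDemo.class.getName());

    // Hypothetical application-level exception thrown across layer boundaries.
    static class ServiceException extends Exception {
        ServiceException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Lowest layer: a constructed failure standing in for real I/O.
    static void readConfig(String path) throws IOException {
        throw new IOException("config file not found: " + path);
    }

    // Anti-pattern: logged here AND re-thrown, and the root cause is dropped,
    // so upper layers only ever see "loading settings failed".
    static void loadSettingsSwallowing(String path) throws ServiceException {
        try {
            readConfig(path);
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "loading settings failed");      // duplicate log line
            throw new ServiceException("loading settings failed", null); // cause lost
        }
    }

    // Preferred: wrap with the cause, add context, and do not log here;
    // the boundary that finally handles it logs once with the full chain.
    static void loadSettingsChaining(String path) throws ServiceException {
        try {
            readConfig(path);
        } catch (IOException e) {
            throw new ServiceException("loading settings failed for " + path, e);
        }
    }

    // Walk the cause chain so the first log line names the real problem.
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null) t = t.getCause();
        return t;
    }

    public static void main(String[] args) {
        for (boolean chain : new boolean[] {false, true}) {
            try {
                if (chain) loadSettingsChaining("/etc/app/app.conf");
                else loadSettingsSwallowing("/etc/app/app.conf");
            } catch (ServiceException e) {
                // Single boundary log: root cause in the message, full stack via the throwable.
                LOG.log(Level.SEVERE, "request failed; root cause: " + rootCause(e), e);
            }
        }
    }
}
```

In the swallowing case rootCause(e) is the generic ServiceException itself, so the log never mentions the missing file; in the chaining case it is the original IOException with the path.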

Wednesday, December 23, 2009

Connecting cloud apps to desktop apps using OAUTH and SAML

Enterprise Single Sign On (ESSO) solutions provide SSO for desktop apps such as Outlook by storing the username/password securely and passing it to the desktop app when required.
Now, if the desktop app (such as Outlook) needs to go out to the cloud to fetch data, and the cloud app is federation-enabled, can such federation be extended to the desktop app?

Google has already solved it using OAuth for Installed Applications. The article doesn’t explicitly call out SAML, but if you have enabled SAML on your Google Apps deployment, it gets used instead.

Also, see Pat Patterson's blog entry on this topic.

Testing SAML policies

There are many testing tools (including one bundled with Oracle Fusion Middleware Control) that allow creating a WS-Security username token and inserting it into the request message. But if the service accepts a SAML token, such tools don't come in handy. One has to develop a client application and apply a SAML client policy to add the SAML token to the message.

But there's one free tool that can come in handy in such situations: Vordel SOAPbox.
Check out this blog entry from Mark O'Neill for details, and give the tool a try.

Friday, December 18, 2009

Gartner's John Pescatore on 2010 Security Threats and Trends

See what Gartner's John Pescatore has to say about emerging security threats and trends in 2010.
There are two very new challenges. What we're seeing happening right now is certainly the threats have changed, but also business processes and the demands put on the IT organization and the information security organization are changing at the same time. At the same time that threats are getting more targeted, the business, even government agencies, are demanding that users be allowed to use home PCs, their own smart phones, iPhones and the like, being allowed to work from home, being allowed to use social networks, use consumer grade things like Google Apps and Skype and the like.
So at the same time that the threats are getting more focused, IT is being forced to relinquish some control over the hardware and software and services that users use to get the business done and touch privacy related information and critical business processes. So dealing with those two challenges simultaneously, we're targeted deeper threats and having to give up some levels of control. That, I believe, is the major challenge facing security programs today.

I think 2010 into 2011 will be the start where we start to see vulnerabilities found in all these virtualization and Smart Grid technologies and other forms of wireless, and inevitably new technologies, new vulnerabilities, and the attackers leap on those very, very quickly. So I think that is probably some of the new things we will see.
For more details, see the full article at http://www.bankinfosecurity.com/articles.php?art_id=1926&pg=4

Tuesday, December 8, 2009

Tutorial: Creating Oracle prebundled machine images for the cloud

Here's an excellent tutorial by Kiran C. Nair on how to create a custom VM image prebundled with Oracle WebLogic Server 11g and Oracle Database XE, and utilities to run at user-defined runlevels. The created images are not restricted to AWS but are fully compatible with any cloud that uses Xen as the hypervisor layer (for example, Eucalyptus Open Cloud).

The prebundled applications and utilities may be customized according to user preferences or demands.

Kiran C. Nair specializes in JEE, client-server architecture, and performance lifecycle analysis at SETLabs, the research wing of Infosys Technologies Ltd.