TurboManage

David Chandler’s Journal of Java Web Development

David’s Laws of Management

Posted by turbomanage on December 4, 2007

1. Love your people. Listen to your employees. Give them the tools & support they need to do their jobs. Clear roadblocks. Keep hope alive. Act as though the people closest to the work are the ones with the best ideas about how to improve it. Empower them to fix what’s broken.

2. Have a plan. This is one of the greatest ways you can serve your people. If you do nothing else, when employees ask “which of your #1 priorities do you want me to work on today?” you should be able to pick one. If you can’t, what do they need you for? No problems worth solving can be solved without focus.

Posted in Business of Software | Comments Off

This Blog Has Moved (Again)

Posted by turbomanage on October 31, 2006

Sorry folks, still figuring out the best way to make all this work. From henceforth, you can find me at http://learnjsf.com.

/dmc

Posted in Art of Programming, Blogroll, Business of Software, ColdFusion, Eclipse, Ergonomics, Java, JavaServer Faces, Process & Methods, Web App Security, Web Architecture | No Comments »

MyFaces Security Presentation Now Available

Posted by turbomanage on October 11, 2006

My ApacheCon presentation, Securing MyFaces Applications Against the OWASP Top Ten, is now available at http://learnjsf.com in the Security section. Learnjsf.com will also be the new home for my JSF blog, JSF code, and more to come, so click the “Subscribe” link there to continue receiving the feed.

Thanks!

/dmc

Posted in JavaServer Faces, Web App Security | 1 Comment »

Using Tomahawk Tree2 Component in a Portal

Posted by turbomanage on September 25, 2006

To run Tree2 with client-side expansion, you need JavaScript in the page <HEAD>. Normally, this gets added by the Tomahawk ExtensionsFilter. This doesn’t work in a portal, however, because servlet filters don’t run in a portal. There are some patches in MYFACES-434 (portlet filter) you may be able to use, but here’s an easier workaround. I’ve used this successfully with Tomahawk 1.1.3 in both Jetspeed2 and Liferay.

First, use Tree2 with server-side expansion so as not to require JavaScript. The ExtensionsFilter is therefore needed only to serve up the image resources needed by Tree2, and image requests are handled through the Faces Servlet, not the portal, so the ExtensionsFilter will run as normal for these requests. However, Tomahawk 1.1.3 checks to see if the ExtensionsFilter has been configured, which fails in the portal context. Fortunately, you can disable the check with a web.xml context param.

So to summarize, you can use Tree2 1.1.3 in a portal without any of the MYFACES-434 patches if

  1. You use server-side toggle
  2. You configure ExtensionsFilter as normal for the Faces Servlet
  3. You disable the ExtensionsFilter configuration check as follows in web.xml:
     <context-param>
         <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name>
         <param-value>false</param-value>
     </context-param>

/dmc

Posted in JavaServer Faces | No Comments »

JSF Trick: Invoking an Action Method on an Item in a Datatable

Posted by turbomanage on September 8, 2006

Suppose you want to create a table of items and enable one or more action links for each item; for example, a list of files with a “check out” and “delete” link next to each. The usual approach is to create a javax.faces.model.ListDataModel in your backing bean and call its getRowData() method from the action method in your backing bean to get the item for which the action was taken. These are great JSF features, but I recently found you can avoid even this code.

The trick is to put your action method in the class that represents the item. Then you can reference it directly in the view template, like this:

<h:dataTable value="#{fileMgr.items}" var="item">
    <h:column>
        <h:outputText value="#{item.name}" />
    </h:column>
    <h:column>
        <h:commandLink value="Check out"
            action="#{item.actionCheckOut}" />
    </h:column>
</h:dataTable>

In this example, fileMgr is the backing bean, and item is the datatable var representing a model object. The trick here is that JSF will go ahead and call the actionCheckOut() method on the item object, even though it’s in a model class, not a backing bean. This way, you don’t even have to mess with ListDataModel.

Neat as this is, it is usually only appropriate in the case of simple toggle actions that affect only the item properties. Most other actions (especially delete) are likely to need references to the entire collection of items or other classes such as DAOs which you would not want to reference directly in a class representing a domain object such as an item. Still, it will save a layer of code for simple actions and I’m tickled that it works.
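The Java side of the view template above, as an added example that is not code from the original post: FileItem, FileManager, the checkedOut property and the sample file names are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical model class behind the "item" var in the data table.
public class FileItem {
    private final String name;
    private boolean checkedOut;

    public FileItem(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean isCheckedOut() { return checkedOut; }

    // Action method: public, no arguments, returns a navigation outcome.
    // JSF evaluates #{item.actionCheckOut} against the row whose link was
    // submitted, so "this" is the item the user acted on. Any per-user
    // permission check belongs here, because the method can be invoked
    // for every row the table renders.
    public String actionCheckOut() {
        if (!checkedOut) {
            checkedOut = true;   // touches only this item's own state
        }
        return null;             // null outcome redisplays the same view
    }
}

// Hypothetical backing bean registered as "fileMgr" (in a real application,
// a public class in its own file). It must return the same list on the
// postback as on the initial render (for example by being session-scoped),
// or the action runs against a different object.
class FileManager {
    private final List<FileItem> items = new ArrayList<FileItem>();

    public FileManager() {
        items.add(new FileItem("build.xml"));      // constructed sample data
        items.add(new FileItem("faces-config.xml"));
    }

    public List<FileItem> getItems() { return items; }

    // Stand-alone check that mimics a click on the second row's link.
    public static void main(String[] args) {
        FileManager fileMgr = new FileManager();
        fileMgr.getItems().get(1).actionCheckOut();
        for (FileItem item : fileMgr.getItems()) {
            System.out.println(item.getName() + " checkedOut=" + item.isCheckedOut());
        }
    }
}
```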

Posted in JavaServer Faces | No Comments »

JSF for Struts Developers Online Registration Now Open

Posted by turbomanage on August 19, 2006

Just a quick note for those who have been waiting for online registration for my upcoming class on JSF for Struts Developers in Atlanta. In order to give every student the best possible learning experience, registration is limited to 15 students.

Posted in Uncategorized | No Comments »

Securing MyFaces Applications Against the OWASP Top Ten

Posted by turbomanage on August 17, 2006

My presentation on this subject has been selected for the upcoming ApacheCon US 2006! If you’d like to be a technical reviewer beforehand, please e-mail me at the address on the Consulting menu above. See you there!

ApacheCon US 2006

The JavaServer Faces (JSF) API is an excellent foundation for building secure Web applications because of its component-oriented nature, carefulness surrounding data validation, and numerous extension points. Apache MyFaces builds on this strength by providing components which offer built-in protection against many of the OWASP Top Ten attacks, including form parameter tampering and cross-site scripting. In this presentation, we’ll review how MyFaces protects against these attacks and move on to explore JSF extensions you can deploy to provide complete protection against the OWASP Top Ten, including forced browsing, information leakage in select boxes, and unauthorized method execution. Specifically, we’ll look at centralized approaches to ensuring that every field and form is properly validated, a phase listener and view handler to prevent forced browsing and assist with detection of session hijacking, a custom converter and component to hide sensitive information such as IDs in menu options, and a JAAS permission checker for component actions (event handler methods).

/dmc

Posted in JavaServer Faces, Web App Security | No Comments »

Eclipse Keyboard Shortcut of the Week

Posted by turbomanage on August 14, 2006

Just a quickie time-saver here. I hate having to use the mouse to navigate through code (yes, I can still use vi) as it is slow and has bothered my right shoulder enough over time to force me to mouse with my left hand. If you’re like me, you’ll want to know about:

Ctrl+Shift+T (Open Type) Just type the first few letters of the Java class you’re looking for, and voila, you can use the arrow keys to find exactly the right one. No more clicking on folders in Package Explorer.

Ctrl+Shift+R (Open Resource) Same drill, but works for any resource in the Package Explorer.

You can find a bunch more of my favorite keyboard shortcuts in my Eclipse Google Notebook (linked on left).

/dmc

Posted in Eclipse, Ergonomics | Comments Off

If You’re Too Busy, You’re Not Doing Your Job

Posted by turbomanage on August 9, 2006

Much has been written about the virtues of the lazy programmer, the one who never likes to write the same code twice. For the lazy programmer, coding anything once is fun because it’s a learning experience, but coding it twice is tedious. Not only that, but also it is dangerous because manual repetition means there are too many degrees of freedom for error. And not only that, but doing the same thing twice when you could have done it once is WASTE. One of the principal ways you improve throughput in any system is to eliminate waste (think for just a moment about your body).

The brilliance of the lazy programmer is that he can recognize when he has just done the same thing twice. Others don’t see they have done the same thing at all. In other words, the lazy programmer’s mind works at a higher level of abstraction. He can factor out the common code in the right dimensions and build abstractions so he never has to generate waste by writing that code again (and of course, this is fun because it’s a new kind of code). Then he sees the common factors in the successive versions of those abstractions, and after 10 years or so, can build something as beautifully well-factored as, say, JavaServer Faces.

I submit that the same ability for abstract thinking and automation is a key requirement for Operations and QA, too. For an Ops guy to follow a standard procedure for system installations is mere competence (if the Ops organization has no such procedures, the Ops manager should be replaced; there is no excuse for such a lack of discipline). The truly great Ops people learn a system well enough to automate its installation and maintenance. They wield power tools with funky names like sed, perl, bash, and even InstallShield. They can run some command that will reinstall and reconfigure every server on the network in the event of a disaster and they know it works because they use the script for daily installs.

But, alas, like the lazy programmer, the lazy ops guy is rarely seen. In his place are (very) hard-working drones who manually repeat the same steps day after day, spend most of their time reacting to the perpetual crisis, and wonder why they live in a world of chaos.

If your Ops people are always busy, it might be a sign that they aren’t doing their job!

/dmc

Posted in Business of Software | No Comments »

How to Hire Good QA People for Web Applications

Posted by turbomanage on August 9, 2006

A veteran software manager recently gave me some valuable insights on finding highly productive and effective QA people.

These two questions reveal a great deal about someone’s mindset and approach to software testing:

  1. How do you generate large amounts of test data?
  2. What are the pitfalls of automated Web testing and how do you get around them?

Unfortunately, the people running many QA organizations don’t understand these things themselves and wonder why their automated testing efforts repeatedly fail. Those rare few who do and ’splain it to them are prone to get fired because it’s not safe to be smarter than the boss.

Almost any programmer can tell you what you need to do for deep testing of a system: how to test each subsystem, how to generate meaningful test data that will really exercise the system, how to do positive and negative (no side effects) testing directly in the database vs. relying solely on what shows up on the screen, etc. In other words, the programmer knows more ways the system can (and can’t) fail because of their knowledge of how it works.

QA and Development should talk more often.

Posted in Business of Software, Process & Methods | No Comments »