David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler

    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.

  • Subscribe

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 223 other followers

  • Sleepless Nights…

    June 2011
    S M T W T F S
  • Blog Stats

    • 1,029,169 hits

Archive for June, 2011

Configuring the App Engine development server

Posted by David Chandler on June 30, 2011

Last week, I posted a way to preserve the local Datastore when using Maven by setting a system property datastore.backing_store=path. Although it’s not explicitly documented, it appears that many dev mode services can be configured this way. The configuration flags are documented with the local unit testing Javadocs like this one for LocalDatastoreService. Click on the property, then the link to Constant Field Values to find the associated String you can use in a -D argument as shown in last week’s post. Note that unit tests can configure services directly by calling setters on the test helper like LocalDatastoreServiceTestConfig.

Happy tweaking…

Posted in AppEngine | Leave a Comment »

Fibonacci fun with GWT

Posted by David Chandler on June 29, 2011

SunflowerI’ve posted a new GWT Canvas demo at gwt-sunflower.appspot.com. Works in all modern browsers and IE>=9. You may need to refresh the page after loading due to a bug in the SliderBar that I haven’t dug into yet.

Like the previous demo, the math provides the fun. Each time you move the slider, the app clears the canvas and draws dots 1…n, where n is the number of seeds shown in the slider. The position of each seed n is computed using the equations in polar form shown above the figure. The key to the geometry is the golden angle (represented by Φ), which is simply the golden ratio as a fraction of a circle, where the golden ratio is approximated by the quotient of two successive Fibonacci numbers (example: 55 / 89 ≈ 0.618). The basic algorithm to fill the seed head (mathematically speaking, not biologically) is a dial going around and around like the hands of a clock, but counterclockwise in this example. Every time the dial reaches a multiple of the golden angle (0.618 x 360° ≈ 222.5°), a seed pops out. The distance of the seed from the center (r) is proportional to the square root of the seed number.

At any given time in the flower’s “growth,” the number of spiral arms apparent at the outer edge is a Fibonacci number (0,1,1,2,3,5,8,13,21,34,…). The number of spiral arms going in the opposite direction is the next nearest Fibonacci number. This property is true of real sunflowers and in fact, most flowers in the daisy family. See, for example, this tiny wildflower I photographed with my “poor man’s macro lens,” an extension tube. The diameter of the flower was less than half the width of my pinky fingernail.

In order to improve graphical performance, the app uses a coordinate space which is only half the actual pixel size (example: 200×200 vs. 400×400). HTML5 Canvas automatically scales the virtual coordinate space to fill the actual pixel space.

Here’s the essential GWT code.

   * Draw the complete figure for the current
   * number of seeds
  private void drawFrame() {
    front.clearRect(0, 0, maxD, maxD);
    for (int i=0; i<numSeeds; i++)
      double theta = i * PI2 / PHI;
      double r = Math.sqrt(i) * SCALE_FACTOR;
      double x = xc + r * Math.cos(theta);
      double y = yc - r * Math.sin(theta);

   * Draw a small circle representing a seed centered at (x,y)
   * @param x Center of the seed head
   * @param y Center of the seed head
  private void drawSeed(double x, double y) {
    front.arc(x, y, SEED_RADIUS, 0, PI2);

The entire source code is available via the link below the figure.


Posted in Google Web Toolkit | 4 Comments »

Preserving the Datastore when using App Engine dev server with Maven

Posted by David Chandler on June 25, 2011


I’m currently working on a GWT+GAE Maven project and the local datastore gets wiped every time I start the dev server, whether using mvn clean gae:run or Google Plugin for Eclipse.


Per the official dev server doc, the local datastore is stored in WEB-INF/appengine-generated/local_db.bin. For most Maven projects, the WEB-INF directory is located under target/${project.build.finalName}, so local_db.bin is under the target directory, which gets wiped every time you mvn clean. It also gets wiped when launching dev mode with Google Plugin for Eclipse.


Specify an alternate path to the dev server datastore.

In Eclipse, edit the project’s Run Configuration and add this to the VM args:


This will put the local datastore in the project root directory, where it won’t get wiped every time you launch the dev server.

In the project’s POM, add this to the configuration section for maven-gae-plugin:


Many thanks to Marcel Overdijk for pointing the way on the maven-gae-plugin group.

Posted in AppEngine | 4 Comments »

Are Private Clouds Really Safer?

Posted by David Chandler on June 24, 2011

For the second time in two weeks (first in Detroit, then in Atlanta), I’ve listened to a panel discussion on cloud computing in which a panelist has claimed that private clouds are safer than “The Cloud.” In both cases, the panelist was a data center vendor (hmmm…) and in both cases, the other panelists were not so readily agreed. The vendor rep in Atlanta kept mentioning the possibility of network sniffing, as though someone might be able to penetrate Amazon’s hardware virtualization, gain access to the real Ethernet controller, put it in promiscuous mode, and then sniff traffic on … the one wire running to the switch?

Bob Reid of the kotter group asked the best question of the evening: is there any empirical evidence that public cloud computing is safer than private cloud? In other words, has anyone ever successfully penetrated Amazon’s hardware virtualization, App Engine’s VM, etc. and used it to obtain other customers’ data? Said data center vendor acknowledged that social engineering is a much more likely attack vector and can be used just as successfully in a private cloud as public, but then repeated his concerns about the public cloud without citing any evidence. Thankfully, Dennis Hurst, founder of the Cloud Security Alliance, nailed it: the studies show that most break-ins are due to application design flaws and have nothing to do with the hosting environment.

There’s no doubt that some CxOs get a warm fuzzy from knowing that their data is on “their own” servers; however, this would appear to be a false sense of security. If anything, public cloud providers are safer (Dennis Hurst alluded to this earlier in the discussion) because security is an inherent design consideration. All public cloud providers rely on some form of virtualization, whether at the hardware layer (AWS) or a Java VM with security restrictions like App Engine and no doubt do continuous testing to ensure the security of the virtualization layer. The strength of the security sandbox is fundamental to the offering, and public cloud providers can afford to employ the best and brightest to get it right (unlike regional data center vendors–are you sure you’ve got the latest patches?).

Furthermore, public cloud offerings are typically built around services like AWS’s SimpleDB and App Engine’s Datastore, which are not subject to attacks like SQL injection because the service APIs don’t allow you to execute arbitrary database commands. Service APIs significantly limit attack surface, which is one reason why I prefer App Engine’s approach to virtualization over Amazon’s (granted, I’m a little biased). With AWS, you’re still responsible to configure your virtual machine instances correctly, albeit you have to explicitly open network ports so you’re not wide open by default.

The question, I think stands: is anyone aware of an incident in which a public cloud customer obtained access to another customer’s data by penetrating the security sandbox? Methinks the cloud offerings of today are generally much safer than the shared Web hosting arrangements of the past because of the superior virtualization technology employed today. Once upon a time, you could use CFFILE on a mis-configured ColdFusion host or similar technique in ASP to gain access to the file system on the shared host. But as far as I know, no one has demonstrated such an exploit against AWS, App Engine, Azure, etc.

Social engineering, insider leaks, and application flaws (which are arguably *less* likely using public cloud services) remain the most likely attack vectors, and CxOs should carefully evaluate FUD from data center vendors before rejecting the public cloud on the basis of security concerns. And while I’m at it, unless a “private cloud” offers elasticity, multi-tenancy, and metered service, I don’t think it can properly be called cloud. Dedicated / colocated hosting has been around for a long time and has its merits, but please don’t “cloud” the vocabulary.

Posted in AppEngine, Web App Security | 1 Comment »

Google I/O 2011 Highlights

Posted by David Chandler on June 1, 2011

This was my first year at Google I/O, and what a way to start! Besides speaking 3x, I was involved with the GWT Developer Sandbox, GWT Office Hours, and a GWT mini summit the night before I/O for the GWT Developer Sandbox exhibitors and GWT framework authors. The months leading up to I/O were very stressful, but the end result was well worth the effort.

You came for the code

Highly Productive GWT @ I/O 2011The defining moment for me this year was 10:15am Tuesday, the first presentation after the first keynote. This was the moment of truth we’d all been waiting for. People inside and outside Google had been asking for months, “Did I/O sell out in 59 minutes because people just want the free stuff, or did they come for the code?” As I looked over an audience of 300+ people in a room that seated 239 assembled to hear about Highly Productive GWT, the answer was obvious: you came for the code (watch the first 45 sec of the session to hear the audience confirm it).

All of the GWT sessions (filter for Developer Tools track) were packed, many of them standing room only. Besides giving the latest tips on performance and showing off the latest tools, the GWT team demo’d lots of bleeding edge coolness in GWT: mobile development, game programming (hello, disgruntled avians!), and RequestFactory tooling for native Android apps. It was an exciting year for GWT developers.

I/O is more than a clever name

Google I/O is all about the developer community. Despite the mythical status of many, Google engineers and open source contributors are real people, too, and I/O is the premier place to get acquainted, give feedback, and get help. Besides meeting the session speakers, each product team holds Office Hours for 3 hours each day staffed by engineers, where hundreds of folks got their technical questions answered and hob-nobbed with others in the community.

Said one long-time GWT community member:

The discussions I had there were both a great learning experience and an important source of ideas and motivation. Networking with the extended GWT community was very nice. I feel like I could get working right away with Jeff Larsen, Pierre Coirier, Hilbrand Bouwkamp and others whom I only met via forums before the I/O.

I likewise enjoyed meeting many folks in the GWT community whose names you’ll recognize from the GWT group: Philippe Beaudoin and Christian Goudreau (gwt-platform), Pierre Coirier (mvp4g), Stephen Haberman (gwt-mpv), Jeff Larsen, Jeff Schnitzer (objectify-appengine), and many others. How did they all get to I/O, you wonder? Many were invited to take part as speakers or Sandbox exhibitors. Some made it a point to sign up as soon as registration opened, and others engaged in heroic measures (Pierre was one of 10 winners in the Last Call for I/O contest). My own path to I/O was extreme, as it involved getting hired by Google last year 🙂 It was a tremendous privilege to serve one of the most talented and enthusiastic developer communities in the world. Besides meeting well-known participants in the community, I also enjoyed meeting the mostly invisible developers who build with GWT every day, learning about the creative and powerful things you’re doing with GWT, listening to your pain points, etc. In the age of everything digital, there is still no substitute for putting a face to a name and getting the story behind the story.

GWT Developer Sandbox

Besides the GWT sessions and Office Hours, the GWT Developer Sandbox (filter for Developer Tools) was a great place to meet companies using or supporting GWT and to pick the brains of fellow GWT developers. The GWT team selected a wide range of companies to participate this year, from public-facing apps (DayZipping, Broadcastr, LoseIt.com) to B2B (BookedIn, GBST) to enterprise and tools/frameworks (JBoss, Apptio, Vaadin). Check out their Web sites and get some ideas for your own apps. There’s a lot going on in the GWT universe.

Related Product Highlights

I was pretty focused on GWT this year, but there were lots of other exciting announcements and sessions for developers: App Engine backends, full-text search, and Pipeline API (map reduce), all of which I hope to dig into before next year’s I/O. Sessions on PageSpeed and Chrome DevTools are required viewing for Web developers who care about performance and productivity. NFC with Android is a promising new technology for all kinds of apps like mobile payments with Google Wallet. And of course, Chromebooks are expected to greatly accelerate the demand for rich Web apps in the cloud. It’s a great time to be a GWT and App Engine developer!

Geek Fest

Nothing says “happy geeks” like the Google I/O 2011 photos, so I’ll conclude with that. Huge thanks to all the GWT developers who attended this year’s I/O and made it the best GWT event ever!

Posted in Google Web Toolkit | 3 Comments »

%d bloggers like this: