Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools


Transcript of Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Page 1: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

OW2 Annual Conference 2010, November 24-25, La Cantine, Paris. www.ow2.org.

Diagnostic & Audit system for Java EE applications

Secure your Java EE project with the performance diagnostic tool provided by OW2 JOnAS

Florent Benoit, BULL/OW2 [ @florentbenoit ]

Page 2: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Summary

● Context
● Environment: OW2 Java EE JOnAS application server
● Diagnostic tool
  ● Presentation
  ● Demo
● Audit tool
  ● Presentation
  ● Demo
● Conclusion

Page 3: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Context

Page 4: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Why these tools?

● Java EE specification:
  ● Ensures portability of applications
  ● Says nothing about performance
● Application performance / reliability?
  ● Applications can be Java EE compliant without being reliable
● Finding performance problems?
  ● Not so easy to find the problem when all the components are linked together
● Traceability
  ● Get a log for each executed operation
  ● «Cost» of services
    ● For example, to know the memory used for a request

Page 5: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Environment: OW2 Java EE JOnAS application server

Page 6: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

JOnAS: Java EE application server

● Java EE 5 certified
● Java EE services:
  ● Web container: Tomcat (6 & 7) / Jetty
  ● EJB3 persistence / JPA 1 & 2: EasyBeans (EclipseLink, Hibernate, OpenJPA)
  ● Transactions: JOTM
  ● Clustering: CMI
  ● Web services: CXF/Axis2
  ● Asynchronous messages: JORAM
  ● OSGi: Felix and iPOJO
● Administration: web console, commands, API, JASMINe (advanced management tool)

Page 7: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

JOnAS: open source server

● Developed as an open source server (LGPL) within OW2: http://jonas.ow2.org
● OW2: independent industry consortium dedicated to developing open source middleware
● Major contributors to JOnAS: Bull, France Telecom, Peking University, INRIA, UJF, UNIFOR, SERLI
● Linked OW2 projects: EasyBeans, JASMINe, JORAM, JOTM, CMI

Page 8: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

OSGi native architecture

● Dynamically adaptable platform
● OSGi-based services
● Modularity / extensibility
● Profiles
● Enhanced application server life cycle
● On-demand services
● Dynamic configuration
● Adaptable

Page 9: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Diagnostic tool

Page 10: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Diagnostic tool: JDBC connection leak detector

Page 11: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

« Pool » of JDBC connections

● Limit the number of physical connections to the database
● Optimize the time needed to provide a JDBC connection to the application

Typical use of a pooled connection by the application (the DataSource is backed by the pool):

    Connection connection = datasource.getConnection();   // taken from the DataSource pool
    Statement statement = connection.createStatement();
    ....
    ....
    connection.close();                                    // goes back to the DataSource pool

Page 12: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Forgot to call connection.close()?

● Problem: no more available connections for new clients
  → Connections are never closed
    – → they don't go back to the pool
  → Other clients are waiting
    – No free connections in the pool!

(Diagram: all connections are busy, either used by applications or not yet closed, and the DataSource pool is empty.)

Page 13: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Handling the connection leak?

● Avoid these connection leaks in production?
  ● Automatic close of JDBC connections by JOnAS
    – At the end of a method call (EJB stateless / HTTP request), or on remove() of a stateful EJB bean
  ● Life-time of JDBC connections
    – If no calls are made on a JDBC connection for a given amount of time, this connection is released and goes back to the pool
● These solutions are only patches
● Goal: fix the problem in the application's code
  – Help provided by the JOnAS web console
  ● Track the root of the problem
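The leak detector described above works by remembering where each connection was handed out, so that the console can point at the line to analyze. The following is an added example, not JOnAS code: a wrapper around a javax.sql.DataSource that records the acquisition stack trace and thread for every connection, observes close() through a java.lang.reflect.Proxy, and reports connections held longer than a threshold. Only getConnection() is wrapped; the class name, the threshold and the report format are the example's own choices.

```java
// Added example (not JOnAS code): track open JDBC connections and report the ones
// that were never closed, together with the application frame that obtained them.
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.stream.Collectors;
import javax.sql.DataSource;

public class LeakTrackingDataSource {

    /** What is remembered for every connection handed out and not yet closed. */
    public static final class OpenConnection {
        public final long id;
        public final long openedAtMillis;
        public final String threadName;
        public final StackTraceElement[] acquisitionSite;

        OpenConnection(long id, StackTraceElement[] site) {
            this.id = id;
            this.openedAtMillis = System.currentTimeMillis();
            this.threadName = Thread.currentThread().getName();
            this.acquisitionSite = site;
        }
    }

    private final DataSource delegate;                       // the real, pooled DataSource
    private final AtomicLong nextId = new AtomicLong();
    private final Map<Long, OpenConnection> open = new ConcurrentHashMap<>();

    public LeakTrackingDataSource(DataSource delegate) {
        this.delegate = delegate;
    }

    /** Obtain a pooled connection and wrap it so that close() is observed. */
    public Connection getConnection() throws SQLException {
        Connection physical = delegate.getConnection();
        long id = nextId.incrementAndGet();
        open.put(id, new OpenConnection(id, Thread.currentThread().getStackTrace()));
        InvocationHandler handler = (proxy, method, args) -> {
            if ("close".equals(method.getName())) {
                open.remove(id);                              // back in the pool: no longer suspicious
            }
            try {
                return method.invoke(physical, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();                           // keep the driver's SQLException visible
            }
        };
        return (Connection) Proxy.newProxyInstance(
                LeakTrackingDataSource.class.getClassLoader(),
                new Class<?>[] {Connection.class}, handler);
    }

    /** Connections held longer than maxAgeMillis: the candidates for a leak. */
    public List<OpenConnection> suspectedLeaks(long maxAgeMillis) {
        long now = System.currentTimeMillis();
        return open.values().stream()
                .filter(c -> now - c.openedAtMillis > maxAgeMillis)
                .collect(Collectors.toList());
    }

    /** Print each suspected leak with the first frame outside the tracker: the line to analyze. */
    public void report(long maxAgeMillis) {
        for (OpenConnection c : suspectedLeaks(maxAgeMillis)) {
            System.out.printf("connection #%d open for %d ms on thread %s%n",
                    c.id, System.currentTimeMillis() - c.openedAtMillis, c.threadName);
            for (StackTraceElement frame : c.acquisitionSite) {
                boolean trackerFrame = frame.getClassName().startsWith("java.lang.Thread")
                        || frame.getClassName().equals(LeakTrackingDataSource.class.getName());
                if (!trackerFrame) {
                    System.out.println("    at " + frame);
                    break;
                }
            }
        }
    }
}
```

Capturing a stack trace on every getConnection() has a cost, which is why the slides describe the detector as something to enable from the console while tracking a problem rather than leave on permanently; the threshold passed to report() plays the same role as the pool's idle life-time, but here the connection is only reported, not reclaimed.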

Page 14: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Servlet using JDBC connections

    protected void doGet(....) {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");

        DataSource ds = null;
        try {
            ds = (DataSource) new InitialContext().lookup("jdbc_1");
            ds.getConnection();
        } catch (NamingException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            out.println("</body></html>");
            out.close();
        }

    }

Page 15: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

(Screenshot of the JOnAS admin console, pointing at the line of the servlet to analyze.)

Page 16: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Servlet with the JDBC error

    protected void doGet(....) {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");

        DataSource ds = null;
        try {
            ds = (DataSource) new InitialContext().lookup("jdbc_1");
            ds.getConnection();      // <-- the connection is obtained here and never closed
        } catch (NamingException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            out.println("</body></html>");
            out.close();
        }

    }
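The slides stop at locating the error; the fix in the application's code, which is the stated goal, is shown here as an added example that is not from the deck. It keeps the slide's JNDI name "jdbc_1" and page structure, obtains the connection in a try-with-resources block (Java 7 syntax; with the Java 6 of the time the same effect needs a finally block that closes the connection) so that close() runs on every path, and no longer leaks exception details to the browser. The servlet class name and the "SELECT 1" query are placeholders.

```java
// Added example (not from the slides): the same doGet with the leak removed.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class FixedJdbcServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        try {
            // "jdbc_1" is the JNDI name used on the slide; "SELECT 1" is a placeholder query
            DataSource ds = (DataSource) new InitialContext().lookup("jdbc_1");
            try (Connection connection = ds.getConnection();
                 Statement statement = connection.createStatement();
                 ResultSet rs = statement.executeQuery("SELECT 1")) {
                if (rs.next()) {
                    out.println("<p>database answered " + rs.getInt(1) + "</p>");
                }
            }
            // rs, statement and connection are closed here in reverse order,
            // whether the block completed or threw: the connection is back in the pool
        } catch (NamingException e) {
            log("datasource lookup failed", e);          // detail goes to the server log only
            out.println("<p>service unavailable</p>");
        } catch (SQLException e) {
            log("database access failed", e);
            out.println("<p>service unavailable</p>");
        } finally {
            out.println("</body></html>");
            out.close();
        }
    }
}
```

Re-running the leak detector after this change is the check: the servlet's getConnection() line should no longer appear among the connections that never returned to the pool.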

Page 17: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Demo: tracking JDBC connection leaks

Page 18: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Diagnostic tool: monitoring/displaying JVM threads

Page 19: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Information about JVM threads

Page 20: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Demo: threads monitoring

Page 21: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Audit tools

Page 22: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Goals of the audit system [1/2]

● Development
  ● Discovery of the software architecture of applications and of the calls between the Java EE modules
    → Difficult to track (complex/distributed applications)
  ● Tracking the performance problems:
    → Enhance the performance
    → Identify the component that is causing the problem
● Qualifying
  ● Statistics on features/services that are used (top 10, ...)
  ● Adapt applications to their usage
  ● Trends on applications/services
    – Response time, ...

Page 23: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Goals of the audit system [2/2]

● Production
  ● Audit
  ● Traceability
  ● Log of services that have been used
  ● Billing (you pay for what you're using)
    – (Google App Engine)

Page 24: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Commercial tools

● CA Wily Introscope®
● dynaTrace
● BMC AppSight
● Compuware Vantage Analyzer

Page 25: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Solution based on interceptors

● Different levels of interceptors
● Enabling/disabling on demand
● EJB 3
  ● Invocation (business service calls)
  ● Lifecycle (start/stop)
● HTTP requests
  ● Servlet filter
● JNDI access
  ● Each call on the context returned by « new InitialContext() »: lookup, bind, etc.

Page 26: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Architecture of the audit system

(Diagram: the Audit System collects from EasyBeans, Tomcat and JNDI; it writes the audit log and sends JMX notifications to the JOnAS Admin audit module, to JConsole / JMX clients and to JASMINe.)

Page 27: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Collected data [1/2]

● EJB3
  ● Invocation
    – Bean's name
    – Identity (name + roles)
    – Called method
      ● @Local
      ● @Remote
      ● onMessage
    – Size of method parameters
    – Result
    – Elapsed time in the method
    – Exceptions
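The EJB 3 invocation interceptor of the previous slides and the data listed here can be illustrated with an added example that is not the JOnAS audit system: a standard javax.interceptor @AroundInvoke interceptor that records, for each business method call, the bean, the method, the caller identity and roles, the parameter and result sizes, the elapsed time, the heap consumed and any exception. Sizes are measured by serializing the values (an assumption of the example; the slides do not say how paramSize is computed), the role names tested with isCallerInRole() are assumed, and the log format is the example's own.

```java
// Added example (not the JOnAS audit system): collect per-invocation audit data
// with a plain EJB 3 interceptor.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.security.Principal;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class AuditInterceptor {

    private static final Logger LOG = Logger.getLogger("audit");

    // Roles to test with isCallerInRole(); assumed for the example. A real deployment
    // would take them from the application's declared security roles.
    private static final String[] KNOWN_ROLES = {"JOnAS", "admin", "user"};

    @Resource
    private SessionContext ctx;

    @AroundInvoke
    public Object audit(InvocationContext ic) throws Exception {
        String bean = ic.getTarget().getClass().getSimpleName();
        String method = ic.getMethod().getName();
        String user = callerName();
        String roles = callerRoles();
        long paramSize = sizeOf(ic.getParameters());
        Runtime rt = Runtime.getRuntime();
        long freeBefore = rt.freeMemory();
        long start = System.nanoTime();
        Object result = null;
        Throwable failure = null;
        try {
            result = ic.proceed();                      // the actual business method
            return result;
        } catch (Exception e) {
            failure = e;                                // recorded, then rethrown unchanged
            throw e;
        } finally {
            long elapsedMicros = (System.nanoTime() - start) / 1000;
            long memoryDelta = freeBefore - rt.freeMemory();   // ignores a GC during the call
            LOG.info(String.format(
                "bean=%s method=%s user=%s roles=%s paramSize=%d returnSize=%d "
                + "elapsedMicros=%d memoryDelta=%d exception=%s",
                bean, method, user, roles, paramSize, sizeOf(result), elapsedMicros,
                memoryDelta, failure == null ? "none" : failure.getClass().getName()));
        }
    }

    private String callerName() {
        Principal p = ctx == null ? null : ctx.getCallerPrincipal();
        return p == null ? "ANONYMOUS" : p.getName();
    }

    private String callerRoles() {
        if (ctx == null) return "[]";
        StringBuilder sb = new StringBuilder("[");
        for (String role : KNOWN_ROLES) {
            if (ctx.isCallerInRole(role)) {
                sb.append(sb.length() > 1 ? ", " : "").append(role);
            }
        }
        return sb.append("]").toString();
    }

    /** Approximate size in bytes of a parameter array or result: its serialized form. */
    static long sizeOf(Object value) {
        if (value == null) return 0;
        try {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
                oos.writeObject(value);
            }
            return bytes.size();
        } catch (IOException notSerializable) {
            return -1;   // unknown: e.g. a @Local call passing a non-serializable object
        }
    }
}
```

Binding the interceptor with @Interceptors(AuditInterceptor.class) on a bean, or as a default interceptor in ejb-jar.xml, is what makes it possible to switch the collection on and off per deployment, which is the "enabling/disabling on demand" point of the interceptor-based design.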

Page 28: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Collected data [2/2]

● HTTP
  ● URL
  ● Encoding
  ● Client (protocol, host, port)
  ● SessionId
  ● Query
  ● HTTP status
● JNDI
  ● Method that is called on the InitialContext
    – bind, lookup, ...
    – Parameters (if any)
  ● Elapsed time

Page 29: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Traceability / Logger

● Client of audit MBeans
● Collecting data
● Storage in a log file
● Human-readable format:

    [10/03/04 22:05:35] class org.ow2.util.auditreport.impl.InvocationAuditReport requestStart = 1267736735591573000 requestStop = 1267736735591630000 requestDuration = 0.057 businessMethod = getCalculator@Local BeanName = Calculator target = /easybeans/audit-sample.ear/audit-sample-ejb.jar/SessionFacade/getCalculator@Local paramSize = 5 returnSize = 0 freeMemoryBefore = 25623392 totalMemoryBefore = 64126976 freeMemoryAfter = 25617704 totalMemoryAfter = 64126976 sweepMarkTime = 873 scavengeTime = 5170 user = ANONYMOUS roles = [JOnAS] requestTimeStamp = 1267736735580 methodStackTrace = [java.lang.Thread.getStackTrace(Thread.java:1409) - ..... ] methodParameters = null

(Slide annotations point at the elapsed time, the called method, the identity and the parameters in this line.)
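Because the log line is a flat sequence of key = value pairs, it can be consumed by tooling other than the console. The following is an added example, not part of JOnAS: a parser for that format that uses the slide's own line (stack trace elided as on the slide) as sample input, recomputes the request duration from the nanosecond timestamps, computes the heap consumed during the call, and flags calls made without an authenticated identity. The class and method names are the example's own.

```java
// Added example (not JOnAS code): parse the human-readable audit log line and
// derive a few checks from it.
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuditLogLineParser {

    // The slide's own log line, with the stack trace elided exactly as on the slide.
    static final String SAMPLE =
        "[10/03/04 22:05:35] class org.ow2.util.auditreport.impl.InvocationAuditReport "
        + "requestStart = 1267736735591573000 requestStop = 1267736735591630000 requestDuration = 0.057 "
        + "businessMethod = getCalculator@Local BeanName = Calculator "
        + "target = /easybeans/audit-sample.ear/audit-sample-ejb.jar/SessionFacade/getCalculator@Local "
        + "paramSize = 5 returnSize = 0 freeMemoryBefore = 25623392 totalMemoryBefore = 64126976 "
        + "freeMemoryAfter = 25617704 totalMemoryAfter = 64126976 sweepMarkTime = 873 scavengeTime = 5170 "
        + "user = ANONYMOUS roles = [JOnAS] requestTimeStamp = 1267736735580 "
        + "methodStackTrace = [java.lang.Thread.getStackTrace(Thread.java:1409) - ..... ] methodParameters = null";

    private static final Pattern HEADER = Pattern.compile("^\\[([^\\]]+)\\] class (\\S+) ");
    private static final Pattern KEY = Pattern.compile("(\\w+) = ");

    /** Split the line into timestamp, report class and an ordered map of fields; values may contain spaces. */
    public static Map<String, String> parse(String line) {
        Map<String, String> fields = new LinkedHashMap<>();
        Matcher h = HEADER.matcher(line);
        if (!h.find()) {
            throw new IllegalArgumentException("not an audit report line");
        }
        fields.put("timestamp", h.group(1));
        fields.put("reportClass", h.group(2));
        // each value runs from the end of its "key = " up to the start of the next key
        Matcher k = KEY.matcher(line);
        String key = null;
        int valueStart = 0;
        while (k.find()) {
            if (key != null) {
                fields.put(key, line.substring(valueStart, k.start()).trim());
            }
            key = k.group(1);
            valueStart = k.end();
        }
        if (key != null) {
            fields.put(key, line.substring(valueStart).trim());
        }
        return fields;
    }

    /** requestStart/requestStop are nanosecond timestamps; returns the call duration in milliseconds. */
    public static double durationMillis(Map<String, String> f) {
        long start = Long.parseLong(f.get("requestStart"));
        long stop = Long.parseLong(f.get("requestStop"));
        return (stop - start) / 1_000_000.0;
    }

    /** Heap consumed during the call: free memory before minus free memory after (a GC in between would distort it). */
    public static long memoryUsedBytes(Map<String, String> f) {
        return Long.parseLong(f.get("freeMemoryBefore")) - Long.parseLong(f.get("freeMemoryAfter"));
    }

    /** Business method reached without an authenticated caller: worth reviewing in an audit. */
    public static boolean isAnonymous(Map<String, String> f) {
        return "ANONYMOUS".equals(f.get("user"));
    }

    public static void main(String[] args) {
        Map<String, String> f = parse(SAMPLE);
        System.out.printf("%s on bean %s: %.3f ms, %d bytes, anonymous=%b%n",
            f.get("businessMethod"), f.get("BeanName"),
            durationMillis(f), memoryUsedBytes(f), isAnonymous(f));
    }
}
```

On the slide's line the recomputed duration is 0.057 ms, which agrees with the requestDuration field, so that field is in milliseconds. The parser relies on no value containing the sequence "word = " itself; a full stack trace in methodStackTrace normally does not, but a guard on that field is advisable before running this over production logs.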

Page 30: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Screenshot of the tool

Page 31: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Screenshot of a method's graph

Page 32: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Advanced mode

● Tracking a request on several servers
● Tracking asynchronous calls
  ● Sending to a JMS queue / receiving from a JMS queue

(Diagram: a request enters a servlet on Server 1, continues through a servlet and an EJB on Server 2, then via JMS to an MDB on Server 3 and an EJB on Server 4; the same ID is carried across every hop and the events are collected centrally.)

Page 33: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Demonstration

Page 34: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Demo

● Goal of the demonstration
  ● Enhancing the performance of an application
    – Discovering problems
    – Solving problems
    – Checking this with the audit console
  ● Traceability of calls in an application

Page 35: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Conclusion

Page 36: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Conclusion [1/2]

● Preventing performance problems → secure a project
● Tools can be used in design/integration/production
  ● In production, another Java EE server may be used
● Tool bundled with JOnAS
  ● Key feature compared to other Java EE servers
  ● Ready to use
  ● Open source / LGPL
  ● Integrated in JOnAS 5.2

Page 37: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Conclusion: what's next? [2/2]

● Supervising OSGi services
  ● Available OSGi services
  ● Links between components/services
  ● …
● Supervising JPA
  ● Life cycle of "Entities"
● Other metrics
  ● SQL requests
    – Number of requests
    – Elapsed time of requests
  ● ...

Page 38: Secure your Java EE projects by using JOnAS Java EE server audit & diagnostic tools

Q & A

Florent Benoit, BULL/OW2 [ @florentbenoit ]