I have several ideas for the next SUG talk, I think they are all really exciting, but I will welcome your comments. The choices are:
- Securing Spring web and WS applications.
- Introduction to OSGi with Spring Dynamic Modules and dm Server
- Spring on the server side, Ruby on the client
Securing Spring web and WS applications
In this talk, we will take an existing, well-written Spring web application and crack it. With Mallory’s help we will show script and XHTML injection, cookie stealing, the “other four” HTTP methods (the ones beyond GET and POST that most web applications never think about) and, Mallory’s favourite, SQL injection.
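As an added illustration of the SQL injection item above (example code written for this page, not from the original post or from the application used in the talk): a login DAO in the Spring JdbcTemplate style, first with the request parameters glued into the SQL text and then with bind variables. It assumes spring-jdbc and the H2 JDBC driver on the classpath and an in-memory H2 database; the class name LoginDaoDemo, the users table and its single user are constructed for the example.

```java
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

// Added example (not from the original post). Assumes spring-jdbc and the H2
// JDBC driver on the classpath; LoginDaoDemo and the users table are constructed.
public class LoginDaoDemo {

    private final JdbcTemplate jdbc;

    public LoginDaoDemo(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    // Constructed sample data. A real application stores password hashes;
    // plain text is used here only to keep the injection itself easy to see.
    public void setUp() {
        jdbc.execute("create table users (username varchar(64) primary key, password varchar(64))");
        jdbc.update("insert into users (username, password) values (?, ?)",
                new Object[] { "alice", "s3cret" });
    }

    // VULNERABLE: the request parameters become part of the SQL statement, so a
    // quote character in either of them changes the structure of the query.
    public boolean loginVulnerable(String username, String password) {
        String sql = "select username from users where username = '" + username
                + "' and password = '" + password + "'";
        List<Map<String, Object>> rows = jdbc.queryForList(sql);
        return !rows.isEmpty();
    }

    // FIXED: bind variables. The SQL text is fixed and the values travel
    // separately to the driver, so they can never be parsed as SQL.
    public boolean loginSafe(String username, String password) {
        List<Map<String, Object>> rows = jdbc.queryForList(
                "select username from users where username = ? and password = ?",
                new Object[] { username, password });
        return !rows.isEmpty();
    }

    public static void main(String[] args) {
        DataSource ds = new DriverManagerDataSource(
                "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        LoginDaoDemo dao = new LoginDaoDemo(ds);
        dao.setUp();

        // Mallory's classic payload: it closes the password literal and appends
        // "or '1'='1", which makes the WHERE clause true for every row.
        String payload = "' or '1'='1";

        System.out.println("vulnerable, real credentials:  " + dao.loginVulnerable("alice", "s3cret"));
        System.out.println("vulnerable, injected password: " + dao.loginVulnerable("nobody", payload));
        System.out.println("safe, real credentials:        " + dao.loginSafe("alice", "s3cret"));
        System.out.println("safe, injected password:       " + dao.loginSafe("nobody", payload));
    }
}
```

The point to take from it: with the concatenated query, the injected password logs Mallory in as the first user in the table without knowing any password, because the resulting WHERE clause reads `username = 'nobody' and password = '' or '1'='1'` and `and` binds tighter than `or`. With the parameterised query the same string is compared as a literal password and the login fails. The fix is a one-line change in the DAO, which is why it belongs in every code review checklist.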
Next we will bring in another Eastern European, Eve, and show how she can snoop on WS messages and how Mallory can modify them in transit. We will then show how to cut Eve out (so that she can no longer read the messages) and how to detect that Mallory has tampered with them.
You’ll experience our Eastern European team at its dark, foreign and generally menacing best.
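To make the two WS defences above concrete, here is an added example (written for this page, not code from the original post or from the talk) of the two primitives involved: an HMAC over the message bytes, so that any change Mallory makes is detected by the receiver, and AES-GCM encryption, so that Eve sees only ciphertext. It uses only the standard JCE (Java 7 or later); the class name WsMessageGuard, the keys and the sample SOAP body are constructed for the demo, and in a real Spring-WS deployment the same job is done by the WS-Security interceptors with keys from a keystore rather than hard-coded strings.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the original post). Plain JCE, Java 7 or later; the
// keys and the message are constructed for the demo and would come from a
// keystore in a real deployment.
public class WsMessageGuard {

    private final SecretKeySpec macKey;
    private final SecretKeySpec encKey;
    private final SecureRandom random = new SecureRandom();

    public WsMessageGuard(byte[] macKeyBytes, byte[] aesKeyBytes) {
        this.macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
        this.encKey = new SecretKeySpec(aesKeyBytes, "AES");
    }

    // Integrity: the sender attaches an HMAC computed over the message bytes.
    public byte[] sign(byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(message);
    }

    // The receiver recomputes the HMAC; Mallory cannot produce a matching one
    // without the key. MessageDigest.isEqual compares in constant time.
    public boolean verify(byte[] message, byte[] signature) throws Exception {
        return MessageDigest.isEqual(sign(message), signature);
    }

    // Confidentiality: AES-GCM with a fresh 12-byte nonce prepended to the output.
    // GCM also authenticates the ciphertext, so a modified message fails to decrypt.
    public byte[] encrypt(byte[] message) throws Exception {
        byte[] nonce = new byte[12];
        random.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = cipher.doFinal(message);
        byte[] sealed = new byte[nonce.length + ciphertext.length];
        System.arraycopy(nonce, 0, sealed, 0, nonce.length);
        System.arraycopy(ciphertext, 0, sealed, nonce.length, ciphertext.length);
        return sealed;
    }

    // Returns null when the GCM tag does not match, i.e. the bytes were changed.
    public byte[] decrypt(byte[] sealed) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, encKey, new GCMParameterSpec(128, sealed, 0, 12));
        try {
            return cipher.doFinal(sealed, 12, sealed.length - 12);
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys: 32 bytes for HMAC-SHA256, 16 bytes for AES-128.
        WsMessageGuard guard = new WsMessageGuard(
                "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII),
                "fedcba9876543210".getBytes(StandardCharsets.US_ASCII));

        // Constructed sample SOAP body.
        byte[] body = "<payment><to>alice</to><amount>10.00</amount></payment>"
                .getBytes(StandardCharsets.UTF_8);

        // Signed message in transit: Mallory edits the amount, the HMAC no longer matches.
        byte[] signature = guard.sign(body);
        byte[] tampered = new String(body, StandardCharsets.UTF_8)
                .replace("10.00", "1000.00").getBytes(StandardCharsets.UTF_8);
        System.out.println("original verifies: " + guard.verify(body, signature));
        System.out.println("tampered verifies: " + guard.verify(tampered, signature));

        // Encrypted message in transit: Eve sees only the sealed bytes, and a
        // single flipped ciphertext byte makes decryption fail outright.
        byte[] sealed = guard.encrypt(body);
        byte[] damaged = Arrays.copyOf(sealed, sealed.length);
        damaged[20] ^= 0x01;
        System.out.println("decrypts intact:  " + (guard.decrypt(sealed) != null));
        System.out.println("decrypts damaged: " + (guard.decrypt(damaged) != null));
    }
}
```

Two design points worth calling out in the talk: the signature must cover exactly the bytes the receiver checks (canonicalisation is where real XML signature deployments go wrong), and the comparison must be constant-time, which is why the example uses MessageDigest.isEqual rather than Arrays.equals.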
OSGi, Spring DM and dm Server
We have done quite a bit of development using the dm Server and OSGi. We can show how to make the most of OSGi in your new applications: the usual tricks of updating dependencies at runtime, OSGi fragments, and dynamically extensible web applications.
You will see web applications deploy and update in seconds!
Spring on the server side, Ruby on the client
This should please all of you out there who think that Java web applications with servlets, JSPs, taglibs, and all that are just too complicated for the task. In this talk, we’ll show how to have a complex (and easily load-balanced) services tier in Java and Spring and how to make the most of the agility of Ruby on the client. You’ll see loads of JSON and REST.
If time permits, we may sprinkle it with memcached magic dust.
Please comment
So, please help me decide which talk would go down best. I look forward to your comments, either here on the blog or by e-mail.
I really like the securing web apps topic, particularly in regards to then securing web services.
As an additional section to the same talk, I could maybe deliver an addendum at the end of the talk on securing REST services using Spring Security, or maybe in its own talk?
I really liked your talk last night, I can only imagine it was getting fairly frenetic towards the end, glad I could help with spotting the controller issue though! I couldn’t keep quiet as I really wanted to see the end of your talk!
Anyway, I’m really interested in OSGi and would love to see more about that. If you have any tips on reducing duplication between build tool dependency analysis (e.g. Ivy) and the dependency stuff you get from OSGi manifests, that would be quite interesting too.
Hi Ben,
Thanks for spotting the method in the wrong controller. It was one of those “it must work now” moments!
As for OSGi, search for “dm Server migration” on YouTube: we’ve published a screencast where we took an application from WebLogic 9 and moved it to dm Server.
I guess the dependency at compile time and runtime is worth a longer chat, we can set up a phone call if you want.
Hope to see you at the next SUG.
A great talk from both yourself & Rob. Very informative. Thanks.
Of the three topics OSGi would be my preferred first but they will all be interesting so I am easy.
I would prefer to cover one topic per night and cover it well rather than rushing two.
Spring Security topic sounds good to me. We did a demo application at work used for developer education that demonstrated the OWASP Top 10. We had 2 versions of the same application (Spring MVC/Hibernate): one insecure, with vulnerabilities, and another that demonstrated how to secure the application. What we found was that Spring Security out of the box does not cover all of the vulnerabilities. Our goal was to write as little code as possible; in the end we used a mix of Spring Security, HDIV and some of the ESAPI code. So it would be really interesting to see how you would attack the OWASP Top 10 using only Spring Security.
I’m sure this subject could easily take up the whole meeting especially if you throw in REST web service security.
Cheers
Paul