Java_J2EE_Job_Interview_Companion

EJB components are not truly object oriented, as they have restrictions for using inheritance and polymorphism.

EJB modules cannot be tested outside an EJB container and debugging an EJB inside a container is very difficult.

Note: EJB 3.0 is taking ease of development very seriously and has adjusted its model to offer the POJO (Plain Old Java Object) persistence and the new O/R mapping model based on Hibernate. In EJB 3.0, all kinds of enterprise beans are just POJOs. EJB 3.0 extensively uses Java annotations, which replaces excessive XML based configuration files and eliminate the need for rigid component model used in EJB 1.x, 2.x. Annotations can be used to define the bean’s business interface, O/R mapping information, resource references etc. Refer Q18 in Emerging Technologies/Frameworks section.

Q 70: What are the implicit services provided by an EJB container? SF FAQ

A 70:

Lifecycle Management: Individual enterprise beans do not need to explicitly manage process allocation, thread management, object activation, or object destruction. The EJB container automatically manages the object lifecycle on behalf of the enterprise bean.

State Management: Individual enterprise beans do not need to explicitly save or restore conversational object state between method calls. The EJB container automatically manages object state on behalf of the enterprise bean.

Security: Individual enterprise beans do not need to explicitly authenticate users or check authorization levels. The EJB container automatically performs all security checking on behalf of the enterprise bean.

Transactions: Individual enterprise beans do not need to explicitly specify transaction demarcation code to participate in distributed transactions. The EJB container can automatically manage the start, enrolment, commitment, and rollback of transactions on behalf of the enterprise bean.

Persistence: Individual enterprise beans do not need to explicitly retrieve or store persistent object data from a database. The EJB container can automatically manage persistent data on behalf of the enterprise bean.

Q 71: What are transactional attributes? SFTI FAQ

A 71: EJB transactions are a set of mechanisms and concepts, which insures the integrity and consistency of the database when multiple clients try to read/update the database simultaneously.

Transaction attributes are defined at different levels like EJB class, a method within a class or segment of a code within a method. The attributes specified for a particular method take precedence over the attributes specified for a particular EJB class. Transaction attributes are specified declaratively through EJB deployment descriptors. Unless there is any compelling reason, the declarative approach is recommended over programmatic approach where all the transactions are handled programmatically. With the declarative approach, the EJB container will handle the transactions.

Q 72: What are isolation levels? SFTIPI FAQ

A 72: Isolation levels provide a degree of control of the effects one transaction can have on another concurrent transaction. Since concurrent effects are determined by the precise ways in which, a particular relational database

handles locks and its drivers may handle these locks differently. The semantics of isolation mechanisms based on these are not well defined. Nevertheless, certain defined or approximate properties can be specified as follows:

Isolation levels are not part of the EJB specification. They can only be set on the resource manager either explicitly on the Connection (for bean managed persistence) or via the application server specific configuration. The EJB specification indicates that isolation level is part of the Resource Manager.

As the transaction isolation level increases, likely performance degradation follows, as additional locks are required to protect data integrity. If the underlying data does not require such a high degree of integrity, the isolation level can be lowered to improve performance.

Q 73: What is a distributed transaction? What is a 2-phase commit? SFTI FAQ

A 73: A Transaction (Refer Q43 in Enterprise section) is a series of actions performed as a single unit of work in which either all of the actions performed as a logical unit of work in which, either all of the actions are performed or none of the actions. A transaction is often described by ACID properties (Atomic, Consistent, Isolated and Durable). A distributed transaction is an ACID transaction between two or more independent transactional resources like two separate databases. For the transaction to commit successfully, all of the individual resources must commit successfully. If any of them are unsuccessful, the transaction must rollback in all of the resources. A 2-phase commit is an approach for committing a distributed transaction in 2 phases.

Phase 1 is prepare: Each of the resources votes on whether it’s ready to commit – usually by going ahead and persisting the new data but not yet deleting the old data.

Phase 2 is committing: If all the resources are ready, they all commit – after which old data is deleted and transaction can no longer roll back. 2-phase commit ensures that a distributed transaction can always be committed or always rolled back if one of the databases crashes. The XA specification defines how an application program uses a transaction manager to coordinate distributed transactions across multiple resource managers. Any resource manager that adheres to XA specification can participate in a transaction coordinated by an XAcompliant transaction manager.

Q 74: What is dooming a transaction? TI

A 74: A transaction can be doomed by the following method call CO

ejbContext.setRollbackOnly();

The above call will force transaction to rollback. The doomed transactions decrease scalability and if a transaction is doomed why perform compute intensive operations? So you can detect a doomed transaction as shown below:

CO

public void doComputeIntensiveOperation() throws Exception {

if ( ejbContext.getRollbackOnly() ) {

return; // transaction is doomed so return (why unnecessarily perform compute intensive // operation)

}

else { performComplexOperation();

}

}

is raised so that the transaction can be rolled back and retried.

Note: The testing for changes can be done by comparing the values, timestamp or version numbers.

Q 79: How can we determine if the data is stale (for example when using optimistic locking)? TI A 79: We can use the following strategy to determine if the data is stale:

Adding version numbers

1.Add a version number (Integer) to the underlying table.

2.Carry the version number along with any data read into memory (through value object, entity bean etc).

3.Before performing any update compare the current version number with the database version number.

4.If the version numbers are equal update the data and increment the version number.

5.If the value object or entity bean is carrying an older version number, reject the update and throw an exception.

Note: You can also do the version number check as part of the update by including the version column in the where clause of the update without doing a prior select.

Adding a timestamp to the underlying database table.

Comparing the data values.

These techniques are also quite useful when implementing data caching to improve performance. Data caches should regularly keep track of stale data to refresh the cache. These strategies are valid whether you use EJB or other persistence mechanisms like JDBC, Hibernate etc.

Q 80: What are not allowed within the EJB container? SF

A 80: In order to develop reliable and portable EJB components, the following restrictions apply to EJB code implementation:

Avoid using static non-final fields. Declaring all static fields in EJB component as final is recommended. This enables the EJB container to distribute instances across multiple JVMs.

Avoid starting a new thread (conflicts with EJB container) or using thread synchronization (allow the EJB container to distribute instances across multiple JVMs).

Avoid using AWT or Swing functionality. EJBs are server side business components.

Avoid using file access or java.io operations. EJB business components are meant to use resource managers such as JDBC to store and retrieve application data. But deployment descriptors can be used to store <enventry>.

Avoid accepting or listening to socket connections. EJB components are not meant to provide network socket functionality. However the specification lets EJB components act as socket clients or RMI clients.

Avoid using the reflection API. This restriction enforces Java security.

Can’t use custom class loaders.

Q 81: Discuss EJB container security? SFSE

A 81: EJB components operate inside a container environment and rely heavily on the container to provide security. The four key services required for the security are:

Identification: In Java security APIs this identifier is known as a principal.

Authentication: To prove the identity one must present the credentials in the form of password, swipe card, digital certificate, finger prints etc.

Authorization (Access Control): Every secure system should limit access to particular users. The common way to enforce access control is by maintaining security roles and privileges.

Data Confidentiality: This is maintained by encryption of some sort. It is no good to protect your data by authentication if someone can read the password.

The EJB specification concerns itself exclusively with authorization (access control). An application using EJB can specify in an abstract (declarative) and portable way that is allowed to access business methods. The EJB container handles the following actions:

Find out the Identity of the caller of a business method.

Check the EJB deployment descriptor to see if the identity is a member of a security role that has been granted the right to call this business method.

Throw java.rmi.RemoteException if the access is illegal.

Make the identity and the security role information available for a fine grained programmatic security check.

public void closeAccount() {

if (ejbContext.getCallerPrincipal().getName().equals(“SMITH”)) { //…

}

if (!ejbContext.isCallerInRole(CORPORATE_ACCOUNT_MANAGER)) {

throw new SecurityException(“Not authorized to close this account”);

}

}

Optionally log any illegal access.

There are two types of information the EJB developer has to provide through the deployment descriptor.

Security roles

Method permissions

Example:

<security-role> <description>

Allowed to open and close accounts </description> <role-name>account_manager</role-name>

</security-role> <security-role>

<description>

Allowed to read only </description> <role-name>teller</role-name>

</security-role>

There is a many-to-many relationship between the security roles and the method permissions.

<method-permission> <role-name>teller</role-name> <method>

<ejb-name>AccountProcessor</ejb-name> <method-name>findByPrimaryKey</method-name>

</method> </method-permission>

Just as we must declare the resources accessed in our code for other EJBs that we reference in our code we should also declare the security role we access programmatically to have a fine grained control as shown below.

<security-role-ref> <description>

Allowed to open and close accounts </description> <role-name>account_manager</role-name> <role-link>executive</role-link>

</security-role-ref>

There is also many-to-many relationship between the EJB specific security roles that are in the deployment descriptor and the application based target security system like LDAP etc. For example there might be more than one group users and individual users that need to be mapped to a particular EJB security role ‘account_manager’.

Q 82: What are EJB best practices? BP FAQ

A 82:

Use local interfaces that are available in EJB2.0 if you deploy both the EJB client and the EJB in the same server. Use vendor specific pass-by-reference implementation to make EJB1.1 remote EJBs operate as local. [Extreme care should be taken not to affect the functionality by switching the application, which was written and tested in pass-by-reference mode to pass-by-value without analyzing the implications and re-testing the functionality.

Wrap entity beans with session beans to reduce network calls (refer Q84 in Enterprise section) and promote declarative transactions. Where possible use local entity beans and session beans can be either local or remote. Apply the appropriate EJB design patterns as described in Q83 – Q87 in Enterprise section.

Cache ejbHome references to avoid JNDI look-up overhead using service locator pattern.

Handle exceptions appropriately (refer Q76, Q77 in Enterprise section).

Avoid transaction overhead for non-transactional methods of session beans by declaring transactional attribute as “Supports”.

Choose plain Java object over EJB if you do not want services like RMI/IIOP, transactions, security, persistence, thread safety etc. There are alternative frameworks such as Hibernate, Spring etc.

Choose Servlet’s HttpSession object rather than stateful session bean to maintain client state if you do not require component architecture of a stateful bean.

Apply Lazy loading and Dirty marker strategies as described in Q88 in Enterprise section.

Q 83: What is a business delegate? Why should you use a business delegate? DPPI FAQ

A 83: Questions Q83 – Q88 are very popular EJB questions.

Problem: When presentation tier components interact directly with the business services components like EJB, the presentation components are vulnerable to changes in the implementation of business services components.

Solution: Use a Business Delegate to reduce the coupling between the presentation tier components and the business services tier components. Business Delegate hides the underlying implementation details of the business service, such as look-up and access details of the EJB architecture.

Business delegate is responsible for:

Invoking session beans in Session Facade.