6 posts categorized "glassfish"

11/25/2010

GlassFish Community vs JBoss Community: Patches

A recent post on The Aquarium highlighted one fairly compelling difference for enterprises to take into consideration between the community versions of glassfish and jboss:  GlassFish provides security and bug fix updates to customers using either GlassFish Open Source Edition or Oracle Glassfish Server.  JBoss typically does not.  

JBoss has responded to this post explaining the JBoss Product Lifecycle and highlighting the benefits of using EAP vs Community Editions and does make the point that Community versions of JBoss are meant for cutting-edge apps.  The problem with cutting-edge apps, however, is that, presumably, designers of these applications probably want to make money off of them, too.  Today, the most common method for accepting payments on the web is still the credit card and if you are accepting credit card payments, you must comply with PCI Compliance guidelines (in addition to any of the other compliancy frameworks we have to follow).

This is unfortunate for JBoss because it would not be uncommon at some point during a quarterly PCI compliance scan to be tagged with vulnerabilities like "JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure", where you are directed to the installation of a hotfix or fixpack, which simply isn't available if you are using the community version of the product.  Yes, even though the vulnerability lists JBoss Enterprise Application Platform 4.2 and 4.3 as being vulnerable, the community version of JBoss 4.2 is just as vulnerable.  The difference being that one does not have the ability to patch the community version at all but to simply wait for the next release of the community version that may include a fix for the problem, come up with some workaround, or get EAP.  

Consider the following issue with JBoss 5.0.1.  JBoss 5.0.1 has a vulnerability that leaves the server subject to not only an information disclosure issue but a particularly nasty denial-of-service vulnerability inherited from JBoss's use of Apache Tomcat. If you are a JBoss EAP 5.0.1 user, you have a patch available.  If you are a community edition user, you're in a bit of a pickle.  JBoss 5.0.1 Community Edition was released in February 2009 and version 5.1.0 was released about three months later.  Has the fix been included in 5.1.0?  It's tough to tell based on the release notes. (If anyone knows, let me know!)

One of things that open source software is famous for over closed source equivalents is the rapid release of updates and patches but to have a major project not doing this (and actually charging for updates) feels extremely strange.

So, the moral of the story here for infrastructure, operations, and security teams is that going live with a community version of JBoss is probably not a really good idea whereas going live with that same cutting edge application using GlassFish community edition is a little safer.  You may still have concerns with commercial support vs. community support but access to security updates does not appear to be an issue with GlassFish Open Source Edition.  


Update: The first comment below is a response to this post from JBoss's Lead Security Architect, in which he appears to be agreeing with me that JBoss Community is not suitable for deployments if your organization has compliance requirements that must be adhered to. This should probably not be read as an official position from Red Hat/JBoss, however, as personal blogs do not reflect the opinions of the employer.

12/30/2009

Cay Horstmann: Integrating JSF 2.0 with Tomcat

I came across this article today, which I thought others might find interesting as well: JSF 2.0 and Tomcat.  It looks like integrating the two is not as nice as I would have assumed it to be but it can be done—you just won't be able to go live with it if you brag about it to the Ops guys.  Cay does, however, suggest looking into Glassfish instead of trying to integrate it with tomcat 6 but he does detail all the painful steps necessary to get it working.  Alternatively, beta-fresh JBoss Web Server 3.0 provides a JSF 2.0 implementation as well if you are more comfortable with JBoss and want to get your feet wet with JSF2 now.  

Also, while visiting the Sun developer site, I discovered this "Introducing JSF 2.0 Tour" (login required) screencast by Sun Senior Staff Engineer Ed Burns that provides an overview of all the neat new things in JSF 2.0.  I'm watching it now!

DISCLAIMER:  I do not suggest going live with anything in beta because, ultimately, I'm an Infrastructure and Operations guy but I can't imagine the beta cycle for JBoss Web Server 3 being all that long of a wait.  So if you want to see what JSF2 is about now, you could certainly give the beta a test drive now while waiting for JBoss Web (or JBoss AS6) to go GA.  

In addition, I do not suggest switching to Glassfish or JBoss either from whatever you might be using unless your company is willing to fund a support contract during the development stages and for at least the first year after going live.  Just because something is open source and freely downloadable does not make it any less complex than a commercial solution.

10/20/2009

Sun Publishes Glassfish vs. JBoss Comparison Guide

Poor Redhat.  First SpringSource declares war and now Sun is joining in.  Today Sun made available a 14 page Glassfish vs. JBoss Comparison Guide, (Sun login required to download).  Check it out.  It actually makes for pretty interesting reading and if I was eager to see Redhat/JBoss's response to SpringSource, they've now got me besides myself with excitement waiting to hear how they respond to both SpringSource and Sun!  It's going to be epic!!