Designing Enterprise Applications
with the Java
TM
2 Platform, Enterprise Edition
Nicholas Kassem and the Enterprise Team
Version 1.0.1
Final Release
October 3, 2000
Copyright 2000 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, CA 94303, U.S.A. All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this product or documentation may be reproduced in any form by any
means without prior written authorization of Sun and its licensors, if any.
Third party software, including font technology, is copyrighted and licensed from Sun suppliers.
Sun, Sun Microsystems, the Sun Logo, Java, JavaServer Pages, Enterprise JavaBeans, Java Compatible, JDK, JDBC,
J2EE, J2SE, EJB, JavaBeans, JavaMail, Write Once, Run Anywhere, and Java Naming and Directory Interface are
trademarks or registered trademarks of Sun Microsystems, Inc in the U.S. and other countries.
UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open
Company, Ltd.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2000 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, CA 94303, Etats-Unis. Tous droits
réservés.
Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l’utilisation,
la copie, la distribution, et la décompilation. Aucune partie de ce produit ou de sa documentation associée ne peut
être reproduite sous aucune forme, par quelque moyen que ce soit, sans l’autorisation préalable et écrite de Sun et
de ses bailleurs de licence, s’il y en a.
Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par
un copyright et licencié par des fournisseurs de Sun.

Sun, Sun Microsystems, le logo Sun Logo, Java, JavaServer Pages, Enterprise JavaBeans, Java Compatible, JDK,
JDBC, J2EE, J2SE, EJB, JavaBeans, JavaMail, Write Once, Run Anywhere, et Java Naming and Directory Interface
sont des marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d’autres
pays.
UNIX est une marque enregistree aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open
Company Ltd.
LA DOCUMENTATION EST FOURNIE "EN L’ETAT" ET TOUTES AUTRES CONDITIONS, DECLARATIONS ET
GARANTIES EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE
PAR LA LOI APPLICABLE, Y COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA
QUALITE MARCHANDE, A L’APTITUDE A UNE UTILISATION PARTICULIERE OU A L’ABSENCE DE CON-
TREFACON.
Contents
v
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii
Preface
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvii
1 Introduction
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
1.1 Challenges of Enterprise Application Development. . . . . . . . . . . . . . 3
1.1.1 Programming Productivity . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2 Response to Demand. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.3 Integration with Existing Systems. . . . . . . . . . . . . . . . . . . . . 5
1.1.4 Freedom to Choose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1.5 Maintaining Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 The Platform for Enterprise Solutions . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.1 J2EE Platform Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.2 J2EE Platform Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3 J2EE Application Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3.1 Multitier Application Scenario . . . . . . . . . . . . . . . . . . . . . . 16
1.3.2 Stand-Alone Client Scenario. . . . . . . . . . . . . . . . . . . . . . . . 18

1.3.3 Web-Centric Application Scenario . . . . . . . . . . . . . . . . . . . 19
1.3.4 Business-to-Business Scenario . . . . . . . . . . . . . . . . . . . . . . 20
1.3.5 A Note on the MVC Architecture . . . . . . . . . . . . . . . . . . . . 21
1.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2 J2EE Platform Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
2.1 Component Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.1.1 Applets and Application Clients . . . . . . . . . . . . . . . . . . . . . 26
2.1.2 Web Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.1.3 Enterprise JavaBeans Components . . . . . . . . . . . . . . . . . . . 28
2.1.4 Components, Containers, and Services . . . . . . . . . . . . . . . . 29
2.2 Platform Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2.1 J2EE Product Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.2 Application Component Provider . . . . . . . . . . . . . . . . . . . . 31
2.2.3 Application Assembler . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
CONTENTS
vi
2.2.4 Deployer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.5 System Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.6 Tool Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.3 Platform Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.1 Naming Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.2 Deployment Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.3.3 Transaction Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3.4 Security Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.4 Service Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.4.1 JDBC API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.4.2 Java Transaction API and Service. . . . . . . . . . . . . . . . . . . . 40
2.4.3 Java Naming and Directory Interface . . . . . . . . . . . . . . . . . 40
2.4.4 Connector Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.5 Communication Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

2.5.1 Internet Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.5.2 Remote Method Invocation Protocols. . . . . . . . . . . . . . . . . 42
2.5.3 Object Management Group Protocols. . . . . . . . . . . . . . . . . 43
2.5.4 Messaging Technologies. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.5.5 Data Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.6 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3 The Client Tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
3.1 Requirements and Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.1.1 Operating Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.1.2 Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.1.3 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.2 Overview of Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.3 Web Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.3.1 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.3.2 Content Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.3.3 Types of Web Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.4 EJB Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.4.1 Protocols and Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.4.2 Strengths and Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.4.3 Types of EJB Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.5 Enterprise Information System Clients. . . . . . . . . . . . . . . . . . . . . . . 67
3.6 Designing for Multiple Types of Client . . . . . . . . . . . . . . . . . . . . . . 68
3.6.1 Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.6.2 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
CONTENTS
vii
3.6.3 Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4 The Web Tier. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
4.1 Web Applications and Web Containers . . . . . . . . . . . . . . . . . . . . . . 75

4.2 Dynamic Content Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.2.1 Common Gateway Interface . . . . . . . . . . . . . . . . . . . . . . . . 76
4.2.2 Servlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.3 JavaServer Pages Technology. . . . . . . . . . . . . . . . . . . . . . . 78
4.3 Servlets and JSP Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.3.1 Web Component Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.3.2 Servlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.3.3 JSP Pages Versus Servlets. . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4 JSP Page Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4.1 JavaBeans Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.4.2 Custom Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.4.3 Using Scriptlets and Expressions . . . . . . . . . . . . . . . . . . . . 88
4.5 Internationalization and Localization . . . . . . . . . . . . . . . . . . . . . . . . 88
4.5.1 Internationalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.5.2 Localization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.6 Application Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.6.1 Applications with Basic JSP Pages and Servlets. . . . . . . . . 97
4.6.2 Applications with Modular Components. . . . . . . . . . . . . . . 98
4.6.3 EJB-Centric Applications . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.7 Application Migration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.7.1 Migrating a Web-Centric Application to Use
Enterprise Beans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
4.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5 The Enterprise JavaBeans Tier. . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
5.1 Business Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.1.1 Common Requirements of Business Objects . . . . . . . . . . 115
5.2 Enterprise Beans as J2EE Business Objects . . . . . . . . . . . . . . . . . . 117
5.2.1 Enterprise Beans and EJB Containers. . . . . . . . . . . . . . . . 118
5.3 Entity Beans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.3.1 Guidelines for Using Entity Beans . . . . . . . . . . . . . . . . . . 122

5.3.2 Persistence in Entity Beans . . . . . . . . . . . . . . . . . . . . . . . . 124
5.4 Session Beans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
5.4.1 Stateful Session Beans. . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
CONTENTS
viii
5.4.2 Stateless Session Beans. . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.5 Design Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
5.5.1 Data Access Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
5.5.2 Value Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.5.3 Session Beans as a Facade to Entity Beans. . . . . . . . . . . . 135
5.5.4 Master-Detail Modeling Using Enterprise Beans . . . . . . . 136
5.6 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
6 The Enterprise Information System Tier. . . . . . . . . . . . . . . . . . . .141
6.1 Enterprise Information System Capabilities and Limitations. . . . . 142
6.2 Enterprise Information System Integration Scenarios . . . . . . . . . . 143
6.2.1 An Internet E-Store Application . . . . . . . . . . . . . . . . . . . . 143
6.2.2 An Intranet Human Resources Application . . . . . . . . . . . 144
6.2.3 A Distributed Purchasing Application . . . . . . . . . . . . . . . 145
6.3 Relational Database Management System Access . . . . . . . . . . . . . 146
6.4 Other Enterprise Information System Access. . . . . . . . . . . . . . . . . 146
6.5 Application Component Provider Tasks. . . . . . . . . . . . . . . . . . . . . 147
6.6 Application Programming Model . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.7 Programming Access to Data and Functions . . . . . . . . . . . . . . . . . 149
6.7.1 Client API for Enterprise Information System Access . . . 149
6.7.2 Tools for Application Development . . . . . . . . . . . . . . . . . 150
6.7.3 Access Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
6.8 Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
6.8.1 Establishing a Connection. . . . . . . . . . . . . . . . . . . . . . . . . 154
6.8.2 Guidelines for Connection Management. . . . . . . . . . . . . . 155
6.9 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

6.9.1 Security Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
6.9.2 Application Programming Model . . . . . . . . . . . . . . . . . . . 158
6.9.3 Resource Signon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
6.10 J2EE Connector Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
6.11 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7 Packaging and Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
7.1 Roles and Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
7.2 Packaging J2EE Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
7.2.1 EJB Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
7.2.2 Packaging Components Into EJB Modules. . . . . . . . . . . . 170
7.2.3 Web Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
7.2.4 Packaging Components Into Web Modules . . . . . . . . . . . 173
CONTENTS
ix
7.2.5 Application Client Modules . . . . . . . . . . . . . . . . . . . . . . . 174
7.3 Deployment Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
7.3.1 Specifying Deployment Descriptor Elements . . . . . . . . . . 176
7.4 Deployment Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.4.1 Deployment Tool Actions . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.4.2 Deployment Tool Requirements . . . . . . . . . . . . . . . . . . . . 189
7.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
8 Transaction Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
8.1 Properties of Transactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
8.2 J2EE Platform Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.3 Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.3.1 Accessing Multiple Databases. . . . . . . . . . . . . . . . . . . . . . 199
8.3.2 Accessing Multiple Enterprise Information Systems
From Multiple EJB Servers. . . . . . . . . . . . . . . . . . . . . . . . 200
8.4 JTA Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
8.4.1 JTA and JTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

8.5 Transactions in Applets and Application Clients . . . . . . . . . . . . . . 202
8.6 Transactions in Web Components . . . . . . . . . . . . . . . . . . . . . . . . . 202
8.7 Transactions in Enterprise Beans . . . . . . . . . . . . . . . . . . . . . . . . . . 203
8.7.1 Bean-Managed Transaction Demarcation. . . . . . . . . . . . . 204
8.7.2 Container-Managed Transaction Demarcation . . . . . . . . . 204
8.7.3 Transaction Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
8.8 Transactions in Enterprise Information Systems . . . . . . . . . . . . . . 208
8.8.1 JTA Transactions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
8.8.2 Resource Manager Local Transactions . . . . . . . . . . . . . . . 209
8.8.3 Choosing Between JTA and Local Transactions. . . . . . . . 209
8.8.4 Compensating Transactions. . . . . . . . . . . . . . . . . . . . . . . . 210
8.8.5 Isolation Level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
8.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
9 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
9.1 Security Threats and Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . 215
9.2 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
9.2.1 Protection Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
9.2.2 Authentication Mechanisms . . . . . . . . . . . . . . . . . . . . . . . 220
9.2.3 Authentication Call Patterns . . . . . . . . . . . . . . . . . . . . . . . 223
9.2.4 Auto-Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
9.2.5 Exposing Authentication Boundaries with References. . . 225
CONTENTS
x
9.3 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
9.3.1 Declarative Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 226
9.3.2 Programmatic Authorization. . . . . . . . . . . . . . . . . . . . . . . 227
9.3.3 Declarative Versus Programmatic Authorization . . . . . . . 228
9.3.4 Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
9.3.5 Identity Selection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
9.3.6 Encapsulation for Access Control. . . . . . . . . . . . . . . . . . . 229

9.3.7 Controlling Access to J2EE Resources. . . . . . . . . . . . . . . 230
9.3.8 Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
9.4 Protecting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
9.4.1 Integrity Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
9.4.2 Confidentiality Mechanisms . . . . . . . . . . . . . . . . . . . . . . . 235
9.4.3 Identifying Sensitive Components . . . . . . . . . . . . . . . . . . 236
9.4.4 Ensuring Confidentiality of Web Resources. . . . . . . . . . . 236
9.5 Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
9.6 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
10 The Sample Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
10.1 Application Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
10.1.1 Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
10.1.2 Functional Specification . . . . . . . . . . . . . . . . . . . . . . . . . . 247
10.2 Application Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10.2.1 Application Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10.2.2 Application Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
10.3 The View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
10.3.1 Shopping Interaction Interface . . . . . . . . . . . . . . . . . . . . . 256
10.3.2 JSP Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
10.3.3 Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10.4 The Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
10.4.1 State in the J2EE Platform . . . . . . . . . . . . . . . . . . . . . . . . 273
10.4.2 Persistent Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
10.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
10.6 The Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
10.6.1 Main . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
10.6.2 RequestProcessor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
10.6.3 RequestToEventTranslator . . . . . . . . . . . . . . . . . . . . . . . . 285
10.6.4 ShoppingClientControllerWebImpl . . . . . . . . . . . . . . . . . 287
10.6.5 ShoppingClientController . . . . . . . . . . . . . . . . . . . . . . . . . 288

10.6.6 StateMachine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
CONTENTS
xi
10.6.7 ScreenFlowManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
10.6.8 Model-View Synchronization . . . . . . . . . . . . . . . . . . . . . . 294
10.7 MVC Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
10.8 Stateless Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
10.8.1 Example: A Mailer Bean. . . . . . . . . . . . . . . . . . . . . . . . . . 298
10.9 Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
10.10 Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
10.11 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
10.11.1 Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
10.11.2 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
10.12 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Afterword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Glossary
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Index
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
xiii
Foreword
THE Java
TM
platform was conceived to connect door knobs to light switches—
smart door knobs to smart light switches, certainly, but door knobs to light switches
nonetheless. And yet it is now widely used for building large server-side applica-
tions which run on some of the largest computers in the world. It is the fate of great
inventions to be used in ways unimagined by their creators even when the cre-
ators—like James Gosling, creator of the Java programming language—see a

horizon the rest of us do not glimpse. This is part of what makes an invention great.
In retrospect, the phenomenal success of the Java platform on servers might
seem inevitable. After all, the platform provides exactly what is needed to trans-
form the Internet from a publishing medium to a transactional one. The Java plat-
form is available on all of the many different servers where Internet applications
run. “Write Once, Run Anywhere
TM
”works so the programs can be quickly tested
and deployed. Engineers are several times more productive when they write to the
Java platform. But being the right thing at the right time isn’t the whole story. Two
more elements were needed: Technical leaders who were looking in a different
direction than most of us were, and business leaders who were eager to work
together in new ways so the ideas could become reality. The result was the devel-
opment of consistent products across the computer industry in a surprisingly short
period of time.
I joined the JavaSoft Division of Sun Microsystems in late 1995, recruited by
Eric Schmidt and Bill Joy, to lead the then tiny band of engineers and marketers.
We grew as fast as we could, barely keeping up with the early success of the Java
platform and the industry alliances we’d made around it. Even then, when the
focus was on applets running in browsers, when version 1.0 had not yet shipped,
there were two brilliant engineers with a different idea—Rick Cattell and Graham
Hamilton. They were thinking about the Java runtime environment on servers, and
even mainframes. Because of them, the now ubiquitous JDBC
TM
technology was
the first significant addition to the Java platform. Many excellent engineers have
followed Rick and Graham. But they started it. I’m pleased that I was clever
enough to listen to them as we expanded the group and the vision for the platform.
Until recently, “rocket scientists” have been needed to build the applications
the industry clamored for—applications that create new ways to do business over

the Internet while drawing on the resources already in place, such as databases,
FOREWORD
xiv
transaction systems, inventory systems, invoicing systems, and credit systems.
These applications need to scale to thousands, even millions, of users. They must
interact with a wide array of legacy technologies that can’t be replaced, and they
have to be built in a hurry. The engineers who can build them are few—the rocket
scientists of our industry. But Rick and Graham saw a way to make the process a
lot easier by building the rocket science into the Java platform, bringing portabil-
ity and consistency through industry standardization, enabling quick adoption by
adapting to the systems already in place, and making development much easier by
automating most of the complicated details of server programming. These ideas
became the underpinnings of the Java 2 Platform, Enterprise Edition.
JDBC was a huge hit. As soon as the Java community released it, drivers for
all the important databases materialized in the market. Applications using JDBC
rapidly appeared in large numbers. The success of JDBC lead to a parade of other
middleware and database adapter projects—the Java Naming and Directory Inter-
face
TM
API for uniform access to naming and directory services, the Java Message
Service for asynchronous exchange of data and events, the Java Transaction API
and Java Transaction Service for transactions, JavaServer Pages
TM
technology for
building dynamic Web pages, Java XML for developing XML-oriented applica-
tions, and the Enterprise JavaBeans
TM
architecture, a component model for server
applications. All of these were developed in collaboration with industry partners
in a process created by Rick and Graham and later refined and formalized as the

Java Community Process.
The seminal offering of JDBC in 1996 soon grew into an amazing array of
facilities, each with its own acronym and release plan. For those who didn’t live
with the various “J*’s” (and for some of us who did) it could be confusing. When
vendors announced support for Enterprise JavaBeans
TM
1.0 before the specifica-
tion had been completed, we realized it was time to make this now very successful
portfolio a little easier to understand and manage.
The Java 2 Platform, Enterprise Edition (J2EE
TM
platform) brings all of these
pieces together. The J2EE platform is defined by four key pieces: the specifica-
tion, the reference implementation, the compatibility test suite, and the J2EE
Blueprints design guidelines. The specification defines how the J2EE platform
works, whether it is included in an application server, a database, or anywhere
else. The reference implementation is useful for experimenting with the J2EE
platform and it offers a working standard for comparison. The compatibility test
suite ensures that J2EE vendors implement fully compliant versions of the plat-
form to ensure “Write Once, Run Anywhere” portability, and these design guide-
lines show developers how the pieces fit together to make up complete
FOREWORD
xv
applications. The key J2EE specifications are published in Java 2 Platform, Enter-
prise Edition : Platform and Components Specifications (also from Addison-Wes-
ley), while supplemental specifications are available at
/>j2ee
. The reference implementation used to create the examples in this book is
available on the Sun Microsystems Java Software Web site at
http://

java.sun.com/j2ee/download.html
.
Many people contributed to the Java 2 Platform, Enterprise Edition. Mala
Chandra joined the group to lead the server efforts and quickly became the chief
crusader. Her passion and determination carried the project around, over, or
through many obstacles. Jeff Jackson, Connie Weiss, Karen Tegan, and Tom
Kincaid provided exceptional engineering management. Technical leadership
came from many, including Mark Hapner, Vlada Matena, Bill Shannon, Shel
Finkelstein, Eduardo Pelegri-Llopart, Larry Cable, and Nick Kassem. Bill Roth,
Gina Centoni, George Paolini, and Kathy Knutsen kept the Sun crew connected to
the industry.
A staggering list of companies helped build this new server platform—a
“Who’s Who” of the industry; big, small, old and new. BEA Systems, IBM,
Oracle and Sun Microsystems stand out as the companies who worked on nearly
every piece, but they were never alone. Many companies sent their most senior
architects and engineers and their most experienced managers to quickly build a
common platform that set a new standard for ease of development, scalability, and
applicability. They put these new Java platform technologies in their products,
both old and new. The most widely deployed databases and the newest develop-
ment tools from Silicon Valley startups now share the same interfaces. We are all
the beneficiaries of their foresight and commitment.
In many ways, this book represents the culmination of these collective efforts.
Designing Enterprise Applications with the Java 2 Platform, Enterprise Edition
effectively demonstrates how this new platform simplifies and streamlines the
design, development, and deployment of a new generation of enterprise applica-
tions.
Jon Kannegaard
Vice President and Deputy Director
Sun Microsystems Laboratories
Mountain View, California

March 20, 2000
xvii
Preface
THIS book describes a standard approach to designing multitier enterprise appli-
cations with the Java™ 2 Platform, Enterprise Edition. The book does not contain
information on how to use individual J2EE™ technologies to develop applica-
tions, but rather focuses on guidelines for distributing application functionality
across tiers and choosing among design options within each tier.
The book describes the principles and technologies employed in building J2EE
applications and the specific approach adopted by a sample application. Striking a
balance between specificity on the one hand, and articulating broader principles
on the other, is never easy. The hope is that the principles presented are both con-
sistent with and complement the sample application documented in the book.
This book is most relevant to IT managers, system architects, and enterprise
application developers considering a transition to or intending to use the J2EE plat-
form or vendors providing J2EE products.
How This Book Is Organized
This book contains the following chapters:
• Chapter 1, “Introduction,” discusses challenges in building enterprise appli-
cations and describes how the J2EE platform addresses those challenges. The
chapter also discusses application scenarios that the J2EE platform supports.
• Chapter 2, “J2EE Platform Technologies,” provides an overview of the
component, service, and communication technologies supported by the J2EE
platform.
• Chapter 3, “The Client Tier,” presents implementation options for J2EE cli-
ents and provides guidelines for choosing among these options.
• Chapter 4, “The Web Tier,” describes technologies available for supporting
development in the Web tier. It includes guidelines and techniques for using
J2EE Web components and describes several Web application architectures.

• Chapter 5, “The Enterprise JavaBeans Tier,” describes the capabilities of
PREFACE
xviii
the EJB tier of the J2EE platform and discusses design choices for implement-
ing business logic.
• Chapter 6, “The Enterprise Information System Tier,” describes recom-
mended approaches for accessing enterprise information systems and how J2EE
components must be configured to access them.
• Chapter 7, “Packaging and Deployment,” describes the capabilities provid-
ed by the J2EE platform for packaging and deploying J2EE applications, pro-
vides heuristics and practical tips on how to use these capabilities, and
provides recommendations to the vendors who provide deployment tools.
• Chapter 8, “Transaction Management,” describes the transaction services
provided by the J2EE platform and provides recommendations on how to best
use those services.
• Chapter 9, “Security,” describes the mapping of the J2EE security model to
enterprise computing environments and infrastructures.
• Chapter 10, “The Sample Application,” illustrates the J2EE programming
model in the context of an in-depth description of a multitier J2EE application.
• “Glossary,” is a list of words and phrases found in this book and their defini-
tions.
Obtaining the Sample Application
You can download the sample application described in this book from:
/>The sample application requires a J2EE v1.2 compliant platform on which to
run. From the sample application download page you can also download Sun’s
J2EE SDK, a freely available implementation of the J2EE v1.2 platform.
Related Information
Pointers to J2EE documentation can be found at:
/>PREFACE
xix

For information on how to use the J2EE SDK to construct multitier enterprise appli-
cations refer to the J2EE Developer’s Guide, available at:
/>The J2EE technologies cited in this book are described in their specifications:
• Java™ 2 Platform, Enterprise Edition Specification, Version 1.2 (J2EE spec-
ification). Copyright 1999, Sun Microsystems, Inc. Available at
http://ja-
va.sun.com/j2ee/download.html
.
• Java™ 2 Platform, Standard Edition, Version 1.2.2 (J2SE specification).
Copyright 1993-99, Sun Microsystems, Inc. Available at
http://ja-
va.sun.com/products/jdk/1.2/docs/api/index.html
.
• Java™ Servlet Specification, Version 2.2 (Servlet specification). Copyright
1998, 1999, Sun Microsystems, Inc. Available at
/>ucts/servlet
.
• JavaServer Pages™ Specification, Version 1.1 (JSP specification). Copyright
1998, 1999, Sun Microsystems, Inc. Available at
/>ucts/jsp
.
• Enterprise JavaBeans™Specification, Version 1.1 (EJB specification). Copy-
right 1998, 1999, Sun Microsystems, Inc. Available at
/>products/ejb
.
• JDBC™ 2.0 API (JDBC specification). Copyright 1998, 1999, Sun Microsys-
tems, Inc. Available at
/>• JDBC™ 2.0 Standard Extension API (JDBC extension specification). Copy-
right 1998, 1999, Sun Microsystems, Inc. Available at
/>products/jdbc

.
• Java™ Transaction API, Version 1.0.1 (JTA specification). Copyright 1998,
1999, Sun Microsystems, Inc. Available at
/>jta
.
• Java™ Transaction Service, Version 0.95 (JTS specification). Copyright
1997-1999, Sun Microsystems, Inc. Available at
/>ucts/jts
.
• Java Naming and Directory Interface™, Version 1.2 (JNDI specification).
PREFACE
xx
Copyright 1998, 1999, Sun Microsystems, Inc. Available at http://ja-
va.sun.com/products/jndi
.
• Java IDL. Copyright 1993-99, Sun Microsystems, Inc. Available at
http://
java.sun.com/products/jdk/1.2/docs/guide/idl/index.html.
• RMI over IIOP 1.0.1. Available at />• Java™ Message Service, Version 1.0.2 (JMS specification). Copyright 1998,
Sun Microsystems, Inc. Available at
/>• JavaMail™ API Design Specification, Version 1.1 (JavaMail specification).
Copyright 1998, Sun Microsystems, Inc. Available at
/>products/javamail
.
• JavaBeans™ Activation Framework Specification, Version 1.0.1 (JAF speci-
fication). Copyright 1998, Sun Microsystems, Inc. Available at
http://ja-
va.sun.com/beans/glasgow/jaf.html
.
Typographic Conventions

Table 1 describes the typographic conventions used in this book.
Table 1 Typographic Conventions
Typeface or
Symbol Meaning Example
AaBbCc123 The names of commands, files,
and directories; interface, class,
method, and deployment
descriptor element names;
programming language
keywords
Edit the file Main.jsp.
How to retrieve a UserTransaction
object.
Specify the resource-ref element.
AaBbCc123 Variable name The files are named XYZfile.
AaBbCc123 Book titles, new words or terms,
or words to be emphasized
Read Chapter 6 in User’s Guide. These
are called class options. You must be
root to do this.
PREFACE
xxi
Acknowledgments
This book is the result of many people’s efforts.
Each Enterprise Team member had primary responsibility for one chapter and
made significant contributions to other chapters. In addition, Danny Coward wrote
the initial draft of the deployment chapter.
The authors of the J2EE specifications and the developers of the reference
implementation provided useful input at various points during the development of
the J2EE programming model.

We are indebted to Rick Cattell, Bill Shannon, Mark Hapner, John Crupi,
Sean Brydon, and many other reviewers who provided feedback on early versions
of the manuscript.
Jim Inscore and Stephanie Bodoff provided editorial oversight of this project.
About the Author
NICHOLAS KASSEM is a Senior Staff Engineer with Sun Microsystems and has
influenced and had responsibility for a number of technologies and initiatives within
Java Software including the Java Web Server, Java Embedded Server, the Servlet API,
JavaServer Pages, Java Message Queuing, and the J2EE programming model. He is cur-
rently leading the XML Messaging initiative.
Nicholas has over twenty years industry experience and has held senior engineer-
ing and management positions at Philips (Data Systems) and the Santa Cruz Opera-
tion. He has had direct responsibility for a wide variety of engineering projects
including the development of Data Communications Gateway Hardware (DISOSS),
Novell and Lan Manager protocol stacks, and an implementation of OSF DCE on
SCO UNIX. He is an Engineering Graduate of Birmingham University in the UK.
1
CHAPTER 1
Introduction
by Nicholas Kassem
THE Internet and World Wide Web represent a foundation on which enterprises
are working to build an information economy. In this economy, information takes on
as much value as goods and services, and becomes a vital part of the market. The
information economy challenges today’s enterprises to radically re-think the way
they do business.
Predictions about the future of this economy range from glowing scenarios of
dynamic new business, industrial, and financial environments capable of unlim-
ited expansion, to gloom and doom prophecies of overinflated expectations and
unsustainable hypergrowth. Whatever the predictions, the reality is that enter-
prises have always tried to gain a competitive advantage by any reasonable means

at their disposal, including the latest technologies. This is a natural survival
instinct: all viable enterprises, including for-profit, non-profit, and government
institutions, continuously look for ways to keep pace by adopting such changes.
Complacent organizations routinely fall by the wayside, while the innovators
work to transform new challenges into business success.
In the information economy, information assets take on far-reaching strategic
value to an organization. The ability to capitalize on this value is key to success.
Organizations that succeed will do so by increasing their productivity in moving
information into the marketplace.
While these may appear to be new challenges, in many ways the Internet and
World Wide Web only intensify a challenge that has long faced information tech-
nology professionals: the demand for responsive management of information
assets. The initial response to this demand was to ensure that all critical business
functions were effectively managed by computerized systems. More recently, the
response has been to strive for greater integration among these systems, and
CHAPTER 1 INTRODUCTION
2
increased ability to correlate data from disparate sources into information that
serves specific strategic needs. Corporate mergers, acquisitions, and partnerships
have provided additional incentive for organizations to integrate such information.
Distributed custom applications are the packages in which an organization
delivers information as a commodity. Custom applications add value to and
extract value from the information assets of an organization. They allow IT orga-
nizations to target specific functionality to specific user needs. By making infor-
mation available within an organization, they add strategic value to the
management and planning processes. By selectively projecting information assets
outside the organization, they enable exchanges that are mutually valuable to cus-
tomers, suppliers, and the organization itself.
In the competitive environment of the information economy, response time is
key to the value of custom applications to the enterprise. Organizations need to

quickly develop and deploy custom applications, and to easily refine and enhance
them to improve their value. They need ways to simply and efficiently integrate
these applications with existing enterprise information systems, and to scale them
effortlessly to meet changing demands. All these factors affect an organization’s
ability to respond quickly to changes in the competitive environment.
The goal of the Java
TM
2 Platform, Enterprise Edition (J2EE
TM
platform) is to
define a standard of functionality that helps meet these challenges and thus
increases the competitiveness of enterprises in the information economy. The
J2EE platform supports distributed applications that take advantage of a wide
range of new and evolving technologies, while simplifying development through a
component-based application model. The J2EE model supports applications
ranging from traditional client-server applications delivered over corporate intra-
nets to e-commerce Web sites on the Internet.
In presenting the J2EE
TM
Blueprints programming model, this book hopes to
provide enterprise application developers with a strategic perspective on the chal-
lenges of the information economy, and a methodical exploration of ways the
J2EE platform supports custom applications to meet a reasonably broad range of
application requirements. The underlying theme of this discussion is that the J2EE
platform provides a single, unified standard that enhances the opportunity for
enterprises to project their business information systems beyond their historical
borders, while avoiding risks inherent in the task.
This book approaches the J2EE Blueprints programming model by taking a
logical view of enterprise platforms and suggesting ways to partition application
functionality to use the technologies provided by the J2EE platform most effec-

tively. The intent is to divide the problem of architecting and developing multitier
CHALLENGES OF ENTERPRISE APPLICATION DEVELOPMENT
3
applications with J2EE into manageable portions, then apply appropriate technol-
ogies to the portions, leading to more maintainable and scalable solutions. In the
process, certain simplifying assumptions are made, not to trivialize certain factors,
but to focus on the essential J2EE theme. Note that none of the statements in this
book should be interpreted as mandates or requirements, but rather as advice, sug-
gestions, and simple recommendations.
1.1 Challenges of Enterprise Application Development
While timing has always been a critical factor to adopting new technologies, the
accelerated pace inherent in a virtual, information-driven business model has put
even greater emphasis on response times. To leverage Internet economics, it’s
imperative not only to project enterprise systems into various client channels, but to
do so repeatedly and in a timely manner, with frequent updates to both information
and services. The principal challenge is therefore one of keeping up with the Inter-
net’s hyper-competitive pace while maintaining and leveraging the value of existing
business systems. In this environment, timeliness is absolutely critical in gaining
and maintaining a competitive edge. A number of factors can enhance or impede an
organization’s ability to deliver custom enterprise applications quickly, and to maxi-
mize their value over their lifetime.
1.1.1 Programming Productivity
The ability to develop and deploy applications is key to success in the information
economy. Applications need to go quickly from prototype to production, and to con-
tinue evolving even after they are deployed.
Productivity is thus vital to responsive application development. Providing
application development teams with standard means to access the services
required by multitier applications, and standard ways to support a variety of cli-
ents, can contribute to both responsiveness and flexibility.
One destabilizing factor in Internet and other distributed computing applica-

tions is the current divergence of technologies and programming models. Histori-
cally (in Web terms), technologies such as HTML and CGI have provided a
mechanism for distributing dynamic content, while backend systems such as
transaction processors and database management systems have provided con-
trolled access to the data to be presented and manipulated. These technologies
present a diversity of programming models, some based on well-defined stan-
CHAPTER 1 INTRODUCTION
4
dards, others on more ad-hoc standards, and others still on proprietary architec-
tures.
With no single application model, it can be difficult for teams to communicate
application requirements effectively and productively. As a result, the process of
architecting applications becomes more complex. What’s more, the skill sets
required to integrate these technologies aren’t well organized for effective division
of labor. For example, CGI development requires coders to define both content
and layout to appear on a dynamic Web page.
Another complicating factor in application development time is the choice of
clients. While many applications can be distributed to Web browser clients
through static or dynamically generated HTML, others may need to support a spe-
cific type of client, or to support several types of clients simultaneously. The pro-
gramming model needs to support a variety of client configurations, with
minimum effect on basic application architecture or the core business logic of the
application.
1.1.2 Response to Demand
Imagine a brick-and-mortar business trying to increase its customer base by a scale
of 10. How much time and effort would they expend on remodelling storefronts,
building new warehouses, and so on, to keep up? The fact is, the constant rework
would drastically impact their ability to serve the customers they’re trying to attract.
This holds for businesses in the information economy as well. The ability for
applications to scale easily and automatically to accommodate anticipated—or

unexpected—growth is key to achieving the goals. Systems that require any
restructuring or redeployment to scale will impede growth and diminish the com-
pany’s expected performance.
In order to scale effectively, systems need to be designed to handle multiple
client interactions with ease. They need mechanisms for efficient management of
system resources and services such as database connections and transactions.
They need to have access to features such as automatic load balancing without any
effort on the part of the application developer. Applications should be able to run
on any server appropriate to anticipated client volumes, and to easily switch server
configurations when the need arises.
CHALLENGES OF ENTERPRISE APPLICATION DEVELOPMENT
5
1.1.3 Integration with Existing Systems
Much of the data of value to organizations has been collected over the years by
existing information systems. Much of the programming investment resides in
applications on those same systems. The challenge for developers of enterprise
applications is how to reuse and commoditize this value.
To achieve this goal, application developers needs standard ways to access
middle-tier and backend services such as database management systems and
transaction monitors. They also need systems that provide these services consis-
tently, so that new programming models or styles aren’t required as integration
expands to encompass various systems within an enterprise.
1.1.4 Freedom to Choose
Application development responsiveness requires the ability to mix and match solu-
tions to come up with the optimum configuration for the task at hand. Freedom of
choice in enterprise application development should extend from servers to tools to
components.
Choices among server products gives an organization the ability to select con-
figurations tailored to their application requirements. It also provides the ability to
move quickly and easily from one configuration to another as internal and external

demand requires.
Access to the appropriate tools for the job is another important choice. Devel-
opment teams should be able to adopt new tools as new needs arise, including
tools from server vendors and third-party tool developers. What’s more, each
member of a development team should have access to tools most appropriate to
their skill set and contribution.
Finally, developers should be able to choose from a ready market of off-the-
shelf application components to take advantage of external expertise and to
enhance development productivity.
1.1.5 Maintaining Security
Somewhat ironically, projecting information assets to extract their value can jeopar-
dize that very value. Traditionally, IT departments have been able to maintain a rela-
tively high level of control over the environment of both servers and clients. When
information assets are projected into less-protected environments, it becomes
increasingly important to maintain tight security over the most sensitive assets,
while allowing seemingly unencumbered access to others.