Application Servers
| Java application servers form the core of any J2EE-based web site. Application servers extend the ability of an HTTP server from simply returning static content to implementing complex tasks requiring the coordination of diverse applications running on geographically dispersed machines. Most, if not all, of the programming logic associated with a web application executes within an application server. Ensuring that the application server has undergone proper performance tuning is crucial for good web site performance. Chapters 2 and 4 cover the specifics of web application and application server performance. Again, application server performance frequently plays the largest role in web site performance, so tuning your applications, the application server, and the JVM often proves very beneficial to your overall performance and throughput. Chapter 2 covers most of the common J2EE tuning parameters. Your application server probably comes with a tuning guide to cover any vendor-specific features or tuning adjustments. We refer you to these resources rather than repeating this information. However, one feature not discussed in Chapter 2 merits some coverage here. The J2EE specification provides a security infrastructure for application server components . Let's briefly discuss the basics of this security architecture. SecurityThe J2EE security infrastructure specification covers all application server container types. Web containers must implement security for callable servlets and JSPs down to the HTTP request type. EJB containers implement security on each callable method. Client containers may require authentication on invocation. Security of this granularity (for example, enforcing access at the method level) usually implies a significant performance overhead. Additionally, security within an application server cluster encrypts all traffic between servers within the cluster, as well as traffic between the HTTP server's plug-in and web containers within application servers. As discussed in the preceding section, SSL requires encryption and decryption, so these algorithms incur a heavy performance penalty. Therefore, enabling SSL for all transmissions within your web site incurs a significant performance cost. The application server uses security for both authentication and authorization. Authentication verifies that the users (both humans and computer processes) are who they say they are. HTTP servers and web containers sometimes require users to authenticate themselves . (We're all familiar with the pop-up from a browser asking us for a user ID and a password). Using a password known only to a single user is a common method for authentication, but is not the only solution. Client-side certificates provide even more security, but they require additional administration effort to obtain and distribute. Authorization occurs when a process decides whether to permit a specific user access to a resource. As you can imagine, checking for authorization on every access by a client proves quite time-consuming . Specialized security servers often manage authorization data. Mainframes often use IBM's Resource Access Control Facility (RACF) or other specialized databases to manage their authorization data; other types of systems commonly use a server running an implementation of the Lightweight Directory Access Protocol (LDAP). Regardless of which product you use, the performance characteristics of your authorization server become important to the overall throughput of your web site. During your performance testing, include a similar server in your test environment for more accurate test results. We see many web sites using various LDAP servers to support security. These servers frequently become a bottleneck, so some web sites try to improve performance by writing their own LDAP connection pools. If you choose to write such a pool, make sure you follow the guidance in Chapters 2 and 4, as well as other works, for proper pool implementation and use. [1]
 |
EAN: 2147483647
Pages: 126