[2018 oracle code one] developing java applications with microsoft visual studio code

Developing Java Applications with Visual Studio Code
Speaker: Fred Bricon

For more blog posts, see The Oracle Code One table of contents

VS Code

  • Lightweight extensible “source code editor”
  • Open source
  • Developed by Microsoft, but vibrant community
  • Led by Erich Gamma (Gang of Four and one of the original authors of Eclipse)

Language Server Protocol

  • language specific smarts
  • standard protocol to minimize effort to support multiple development tools/languages
  • open source protocol
  • development led by microsoft
  • JSON RPC 2.0 messages
  • tool opens/edits docs/displays errors. language server initializes languages tools/identify compilation error/etc.

Eclipse JDT.LS

  • Implemented language server for Java in Java.
  • Running language server launches headless Eclipse behinds scenes
  • Adds custom commands
  • Extensible through OSGi bundles

Vs Code – Java

  • RedHat developed thin wrapper.
  • Launched late 2016
  • Updates about twice a month
  • Half a million extensions
  • Other Java tools
    • debugger (from MS)
    • test runner (from MS)
    • Fabric8 analytics
    • java decompiler
    • lombok support
    • checkstyle
    • maven
    • dependency analytics – new plugin to flag components with CVEs. Plugin not completely ready. Not all CVEs loaded yet. Just something to play with at this point.
  • VS Code LiveShare – plugin where can share content of workspace with up to 50 people. They can even set breakpoints in your workspace.

Next steps

  • Better refactoring support
  • Quick fixes from problems view
  • Huge backlog; more improvements soon


Note: I have a bunch of notes to myself of things I want to try. I also want to ask Thomas for a copy of his workspace preferences file. It seems more reasonable than the defaults.

  • Autocompletion
  • Lightbulb with option to run/debug – have to turn on code lens in workspace settings
  • Click triangle in bottom left corner to see problems/output/debug console view at bottom
  • F2 = rename variable [command F2 on Mac]
  • Debugger on left view on screen
  • Showed hiding . files . Preference > settings. Edit workspace settings to control Ant style patterns on what see. (Edit settings as json)
  • New Java Dependencies plugin. Came out recently. Can see Maven dependencies
  • Command shift o – see outline in file [want to try; didn’t work on first shot]
  • command p – list all files in project
  • Command click – navigate into class [want to try; didn’t work on first shot]
  • Organize imports – alt shift o
  • Saving gives instant feedback – need to turn on
  • Run test runner. Code lens shows red/green test status in class itself.
  • Can type “get” and getters are suggested (vs typing them in)
  • Showed changing code while app is running
  • Using a bad dependency gives CVE error in problems view

My take: FRC (FIRST Robotics Competition) teams are using VS Code this year. I’ve learned a little but am nowhere near fluent. So was really looking forward to the demo. Plus hearing the story of how the plugins came to be is interesting. But seeing someone use it who is comfortable with the tool is even more valuable.

[2018 oracle code one] JWT’s suck

JWTs Suck
Speaker: Randall Degges

For more blog posts, see The Oracle Code One table of contents

JWT (JSON Web Token)

  • pronounced “jot”
  • JSON data
  • cryptographically signed
  • Not encrypted most of the time
  • Prove that some JSON data can be trusted
  • Common use case: Website generates JWT after validating credentials. Website then sends JWT to browser and browser stores in localStorage. Then browser sends to website for subsequent requests.
  • There are stateless and stateful JWT. The later maps to a session id. People don’t use stateful JWTs.
  • 2012 – Spec came out
  • 2014 – began gaining adoption/marketing
  • seven of the first 10 hits on jwt are marketing pitches


  • JWT stores session id as JSON blob. In cookie, just a string.
  • Session cookies are underappreciated
  • Use HttpOnly flag
  • Use SameSite-strict flag
  • Use secure flag
  • Browser sends cookie header to website

HTML Local Storage

  • JavaScript only accessible
  • Store key value pairs in browser

Myths about JWTs

  • JWTs are easier to use – JWTs require additional tools, libraries and knowledge to function. Developer effort. Vs session cookies which are built into all web frameworks.
  • JWTs are more flexible – Cookies can store one piece of data per cookie or serialize into a cookie. JWT has claims which are certain pieces of data that always included – ex: when token created/expires. Cookie actually expires at expiration times. Tokens don’t disappear automatically
  • JWTs are more secure – Cryptographically signed and can be encrypted. However, actually using the encryption feature is rare. The spec is complicated and libraries vary in support. Also multiple vulnerabilities in past two years.
  • JWTs prevent CSRF – Cookies are susceptible to CSRF because sent to server automatically. Local storage is safe from CSRF because developer needs to write JavaScript to send the data. However, you are now vulnerable to XSS which is worse. CSRF is far easier to fix than XSS because most websites link to Google Analytics, third party jquery, etc. OWASP recommends not storing any sensitive information in local storage.
  • JWTs are better for cross domain authentication – Good when create temporary token that lasts for 10 seconds. It is used between the login service and your app.
  • JWTs are more efficient than cookies – 179 bytes. If just sign the id part, is 64 bytes. Difference even greater when add data.
  • JWTS are easy to revoke – Could change signing key of application, but that also logs out the other users. Alternatively, use the revocation list pattern so can invalidate one. But now you’ve introduced state/database/cache.

Better use cases for JWT

  • Short duration (one minute or less) for one time use
  • ex: downloading a file, reseting a password

My take: I hadn’t heard of JWTs. So I learned a lot! It was fun hearing the audience questions/comments/statements was fun. That said, I need to read up on the topic to see the other point of view.

[2018 oracle code one] mastering jpa performance

Mastering JPA Performance
Speaker: Thomas Broll

For more blog posts, see The Oracle Code One table of contents


  • Users complain
  • With microservices more important beause more calls


  • Apache lang has ImmutableTriple class


  • Monior – number sql statemtenrs, cpu, i/o
  • hibernate.show_sql = true
  • run jstack while transaction running to see where stuck
  • Check JDBC driver batch size

Create – Performance improvements

Scenario: writing large amounts of data

  • Use table generator (vs sequence generator) where gt batch of ids so not a roud trip to get it each time. Even better to use external UUID generator
  • JPA only supports one open batch. But goes to database if do a query or persist a different entity. So faster if persist by entity

Read – Performance improvements

  • 1+N problem. One statement in code. Executes more statement to get relationships. All, XToOne are eagerly loaded
  • Can provide hints to eagerly or lazy load
  • fetch query to get data actually needed – can put it in the JQL query
  • Can get Hibernate statistics for number of queries/loads/fetches
  • Cal setFirstResult() and setMaxResults() on query object

Update – Performance improvements

  • Auto flushes are caused by transaction commit, insert/delete, query or explicitly flush()
  • Performance cost due to dirty checks and actual updates. Cost also depends on size of persistence context
  • Call getReference() to get empty proxy. This allows saving without changing in database?

Delete – Performance improvements

  • Remove() requires persistent entities, requires loading reference
  • Delete by query could be more efficient


  • Two orders of maginude worse when database on different continent.
  • 35 minutes to do 5 second run when database on a different continent

My take: It’s been a while since I look at this topic. It was a good mix of review and things I never knew. Not having a physical network between the machine and database really hanges the numbers. It would have been nice to use a cloud database to get those numbers [scratch that; he did at the very end. I would have liked to see it earlier]