Open Source Conferences Live at Your Office

Archive

November 5 - 7 from New Orleans, LA, USA

ApacheCon US 2008

Welcome to the video archive of ApacheCon US 2008.
The talks of the following ApacheCon US tracks are available in this archive: System Administration (Wednesday), Security (Thursday), Administration (Friday).

ApacheCon is the official conference of the Apache Software Foundation (ASF), drawing ASF Members, innovators, developers, vendors, and users to experience the future of Open Source development.

Each archived talk comprises a video and the recorded presentation slides, which are shown in parallel with the talk. To view the talks in our archive, all you need is a Java-compatible Web browser.

Register now for only US$ 99.
If you participated in the live streaming you can use your login credentials to access the video archive. The ApacheCon keynotes and lunch presentations are available without registration.

ApacheCon US 2008 video archive

Keynote - Learning from Apache to create Open Specifications
David Recordon

Open source development has reached a stable and remarkable maturity. With services like SourceForge and Google Code for hosting projects, the Open Source Initiative to vet and curate Open Source licenses, and organizations like the FSF and Apache where like-minded developers can work together to build sustainable and open communities around Open Source projects, and the support of hundreds of thousands of developers and major corporations alike, the success of open source is firmly established.

Yet when we turn our attention away from open source and instead to specifications and standards for the open web, much of this infrastructure doesn't yet exist. Formal standards bodies may enforce interoperability, but they don't always guarantee that a standard is freely implementable by everyone or that the development community is open to all potential contributors. As software development is increasingly centered on protocols and formats instead of simply source code, many newer initiatives, like Microformats, OpenID, OAuth and OpenSocial, have had to each invest time and money reinventing the legal and organizational infrastructure required to ensure that the specifications they create are open and their communities are healthy and run in meritocratic fashions.

Isn't there a better way? What can we learn from the open source movement that will help us create open specifications for the web?

The newly created Open Web Foundation is tackling this exact question by borrowing heavily from the proven model established by the Apache Foundation. This talk discusses the Open Web Foundation's progress so far, our goals for the future, and how you can get involved.


Scaling Apache 2.x in all dimensions
Colm MacCarthaigh

Using the right tricks, the Apache httpd server is capable of astounding performance; handling tens of thousands of concurrent downloads, ultra-responsive and ultra-fast web-serving and clever caching of dynamic requests. This session will cover benchmarking and tuning of Apache httpd for static and dynamic content, optimising for SSL and using routing protocols as cost-effective load-balancers.

Archive available only for registered users

Apache Projects on DTrace
Theo Schlossnagle

Many Apache projects are focused on performance. Performance and scalability are often primary considerations when choosing Apache projects for deployment. The web stack is deep and complicated and sometimes performance issues can evade even the most tenacious. In this talk we'll take a holistic approach to analyzing performance problems in production environments by using DTrace to look at problems as systemic problems.


Advanced Reverse Proxy Load Balancing in Apache HTTP Server 2.2
Jim Jagielski

One of the main new features in Apache 2.2 is the enhancement of the proxy module, allowing Apache to proxy not only HTTP as before, but also AJP. Coupled with the dynamic load balancing capability also new in 2.2, see why Apache is now an even more capable reverse proxy, and see why mod_jk may no longer be required. Included are helpful real-world hints in configuration for high-availability failover environments.

Thursday, November 6 - Security

Hardening Enterprise Apache Installations Against Attacks
Sander Temme

Enterprise installations of Apache are particularly attractive targets for malicious attacks including Denial of Service, defacement, theft of data or service and installation of zombies or viruses. Hardening your deployment against such attacks calls for some special techniques and tactics. Come to this session to learn about attack detection techniques, server protection, secure deployment of multiple servers, configuration of firewall "demilitarized zones" and judicious use of SSL encryption. How do you deploy an off-the-shelf application that insists on writing to the file system? And what steps do you take to securely deploy Apache on Windows or UNIX? This presentation will explore solutions to these very real situations.


Web Intrusion Detection with ModSecurity
Ivan Ristic

Intrusion detection is a well-known network security technique -- it introduces monitoring and correlation devices to networks, enabling administrators to monitor events and detect attacks and anomalies in real time. Web intrusion detection does the same but works at the HTTP level, making it suitable for dealing with security issues in web applications. This session will start with an overview of web intrusion detection and web application firewalls, discussing where they belong in the overall protection strategy. The second part of the talk will discuss ModSecurity and its capabilities. ModSecurity is an open source web application firewall that can be deployed either embedded (in the Apache HTTP server) or as a network gateway (as part of a reverse proxy deployment). Now in its fifth year of development, ModSecurity is mature, robust and flexible. Due to its popularity and wide usage it is now positioned as a de facto standard in the web intrusion detection space.


Keynote - Standing on the shoulders of giants
Shahani Markus Weerawarana

In 1675, in a letter to Robert Hooke, the British mathematician and physicist, Isaac Newton, famously said, "If I have seen farther than others, it is because I was standing on the shoulders of giants."

Today, the spirit of open source has reached across all nations, fueling innovation, making a difference in ways never before thought possible.

Living and working in the small island nation of Sri Lanka, I have been immensely fortunate to have also been drawn in by the magnetic force of open source. I have witnessed the birth of a new global community rising above the depths of despair after a devastating tsunami, I have seen the realization of ambitious dreams and I have experienced the benefits of readily available cutting-edge technology.

All this has been possible because of the "giants" in the world of open source. These giants are the people from around the world who have come together with their hearts, minds and hands - they are the people in the global open source communities. These giants are the people who have responsibly worked together with a great sense of transparent collaboration resulting in projects that have brought forth enormous benefits to the entire world.

This is a collection of real-life stories and first-hand accounts that highlight the significant impact, panoramic change and compelling innovation that these "giants" of the open source world have - possibly unknowingly - unleashed.


Lunch Presentation: Apache 101 - Behind the Scenes of the ASF
Lars Eilebrecht

This presentation will give you everything you always wanted to know about the Apache Software Foundation (ASF), but were afraid to ask. It will show you that there is more than just the Apache web server, and provide you with information on how the ASF works. The difference between membership and committership, who decides what, how elections take place, the technical infrastructure, project management committees, and the philosophy behind the incubator. Come and see behind the scenes of the Apache Software Foundation and its many projects.


(In)secure Ajax and Web 2.0 Web Sites
Christian Wenz

Web 2.0 took the internet world by storm. Attackers especially welcome the new possibilities created by Ajax, the increased use of JavaScript, the opening up of applications via web services, and user-generated content. This session shows common pitfalls with modern "Web 2.0" applications and helps you avoid becoming the next victim on the ever-growing list. Web security has not changed that much, but web applications have. Ajax introduced new and dangerous attacks, and it is vital to know appropriate countermeasures. Come to this (technology-agnostic) session to learn best practices for state-of-the-art websites.


Geronimo Security, now and in the future
David Jencks

Security can be divided into negotiation for credentials, credential validation, and authorization.
First we'll look at setting up and swapping credential validation in Geronimo, a simple process everyone has to do to secure an application. As an example we'll show how to use a local file-based realm in development, switching to an LDAP- or JDBC-based realm for production.

Then we'll look at the JACC authorization framework, where the security constraints in the Java EE deployment descriptors and annotations are translated into Java permissions and used, together with a principal-role mapping, to authorize requests at runtime. If time allows we'll look at swapping JACC implementations. We'll look at extending the JACC concepts to other authorization decisions, such as in portal frameworks.

Finally we'll look at the upcoming JASPI support that allows pluggable negotiation for credentials and see how it can be used to plug OpenID authentication into a web app to replace basic or form-based authentication.


Securing Apache Tomcat for your Environment
Mark Thomas

A default Apache Tomcat installation is secure, but each installation environment is different and may have additional security requirements. This presentation will examine the security configuration options available in Apache Tomcat, when to use them (and when not to use them) and the threats they might help mitigate. The rationale behind having resource passwords (e.g. for database access) in clear text in server.xml will also be discussed.


Securing Communications with your Apache HTTP Server
Lars Eilebrecht

This talk will introduce you to the fundamentals of securing the client-server communication of your Apache HTTP Server with HTTPS. We will start by explaining the basics of X.509 server and client certificates, certification authorities, and using the OpenSSL toolkit. The TLS/SSL protocol will be introduced, along with how it is used together with HTTP to provide data encryption, integrity, and authentication. The basic configuration of the Apache HTTP Server will be explained, as well as that of the Mozilla Firefox and Microsoft Internet Explorer clients. We will walk through some standard use cases and common pitfalls and issues when using HTTPS.

Friday, November 7 - Administration

Administering Apache Geronimo 2.x
David Jencks

Apache Geronimo 2.x is a certified Java Enterprise Edition 5.0 container suitable for everything from a development environment to enterprise-level deployments. Geronimo leverages many Apache projects, such as Tomcat, OpenEJB, ActiveMQ, and Derby. In this session we discuss what is involved in administering Geronimo and the first steps in getting Geronimo ready for a production environment, and show how the all-powerful web-based Geronimo console simplifies various tasks, viz. a) administering embedded Tomcat, ActiveMQ, and Derby; b) deploying, starting, and stopping applications and other server components; c) creating JMS resources, database pools, security realms, etc.; d) installing plugins for Geronimo; e) managing keys and digital certificates and configuring SSL. We also show how to run multiple server instances from the same installation. After attending the session the audience will have gained good knowledge of administering Geronimo and be familiar with the dos and don'ts of using Geronimo.


Java Monitoring and Trouble Shooting Tools In Action
Bill Au

CNET Networks owns a global network of popular web sites with a combined average daily page views of over 86.3 million. To keep our sites running smoothly, we frequently have to monitor and troubleshoot our Java applications. In addition to the tools and utilities that come with Java, we also use a few free tools to get the job done. In this session, we will demonstrate how these tools can be used to monitor and troubleshoot some common problems that we have come across. There will also be a general question-and-answer and open discussion at the end for attendees to share their favorite tools, tricks, and/or best practices in monitoring and troubleshooting Java applications. In addition to covering the tools that come with Java (jconsole, jhat, jinfo, jmap, jstat), we will also talk about a few free tools that we use. We will demonstrate these tools by using them against sample Java programs that exhibit some of the problems that we have come across in our Java applications: memory leak, OutOfMemoryError, slow performance. After the demonstration, the floor will be open for question-and-answer and discussion with attendees. I plan to ask the participants to share their experience in the subject matter, along with their favorite tools, tricks, and best practices.


Keynote - struct.new("future", :open, :microsoft)
Sam Ramji


Lunch Presentation: Apache 101 - The Apache Way
J Aaron Farr

Apache prides itself on its emphasis of community driven development. But in practice, how does this work? Aaron Farr shares lessons learned from the inner working of The Apache Software Foundation -- from its principles and practices, to the people and businesses around it.


Apache James - The Complete Email Application Platform
Danny Angus

This presentation will introduce the audience to the Apache James mailserver, outlining its major features and focusing on James' capability as a mature and highly flexible email application platform that can be used in complex enterprise systems, small businesses or workgroups, or as a platform for R and D in email-related topics. It will also include an overview of the complementary products hosted by the Apache James project: the Mailet API, jSieve, JSPF, mime4j and postage.


Scripting your Java Application with BSF 3.0
Felix Meschberger

One very important piece of functionality in modern extensible applications is support for developing such extensions in any scripting language. Many scripting languages available today provide some sort of Java integration, but each integration is different, making it very difficult for the vendor of the application to support more than one scripting language. Enter the Java Scripting API as defined in JSR-223. This API provides support for standardized integration of scripting languages in Java applications. Bindings already exist for a number of scripting languages such as Groovy, JavaScript, Python, Ruby, Tcl. This session will show how easy it is to add scripting support to a Java application using the Java Scripting API and thus support whatever scripting language the user of the application likes to use. Practical demonstrations using Apache BSF 3.0 as the Java Scripting API implementation and Apache Sling as a Java application to be scripted will show how easy it is to add scripting support and to add scripting languages quickly and at runtime without even restarting the application.

Mod_wombat: Multithreaded Scripting in the Apache HTTP Server with Lua
Brian McCallister

Mod_wombat lets you write efficient and fast modules in Lua for the multi-threaded Worker and Event MPMs. Lua is a very fast scripting language specifically designed for embedding and extension -- making it a perfect match for the Apache HTTP Server. Learn how to set up, write a module, optimize it, and easily move from Lua to C and back again with mod_wombat!


© 2010 Linux New Media AG