SlideShare a Scribd company logo

ProjectManagementSystemPaperFINAL

K
Karen Carter
1 of 43
Download to read offline
Masters Project Documentation: Project Management System By Karen Carter Advisor: Dr. Jonathan Cook
Abstract Existing project management and bug-tracking tools are primarily aimed at industry use and as such are inadequate for use in an academic setting. Project Management System is a web application written in Java, JavaScript, and HTML backed by HSQLDB, and seeks to provide a more appropriate system for managing student projects. The system was developed using modern development techniques with a focus on security, correct design, and efficiency. There are many opportunities for further development of the system, including improving the user interface and adding additional statistical and reporting capabilities.
1 1 Introduction The goal of this project, entitled Project Management System, is to create a web-based application for use by professors and instructors in managing student projects. It is primarily intended for use in the realm of computer science, but could be adapted for use in other realms. The system is intended to be as stable, well-designed, and professional as possible. Each user of the system is defined as being an instructor or not, and has a profile containing contact information for use by other users. A user’s account includes a setting for whether or not the user wishes to receive email updates from the system when changes are made to projects with which the user is associated, and an email address to be used for that purpose. Projects may only be created by instructors, and system-wide variables (lists of default values) may only be edited by instructors. Projects accommodate a single instructor and one or more students, and only the users associated with a project may view it and make changes to it. Projects are primarily made up of tasks. Tasks have a creator and an assignee. Comments may be made by all associated users on both the project itself and its tasks. Links to outside resources (e.g., websites, files, images) may be created by all associated users for individual tasks. It is possible to define two different types of relationships between tasks. First, a task may be dependent on other tasks. That is, the user to whom the task is assigned may be unable to work on the task until other tasks have been completed. Second, a task may be a subtask of another single task. This allows larger tasks to be broken up into smaller tasks and organized. Both projects and tasks have due dates and can be marked finished when they are completed. Projects and tasks have a variety of other attributes that can be used to categorize and define them appropriately. The system also includes utilities for creating an initial empty database, adding
2 fake data to the database, and exporting the data in the database to both XML- and CSV- formatted files. This paper will describe the need for web-based project management and bug tracking systems, some of the existing systems and their short-comings with regards to the academic environment, and the initial development of Project Management System when it began as a class project. It will then describe the research and development subsequent to the class project, including improvements in performance, database-related code, and security. The paper will then describe typical use cases and discuss the pros and cons of the project as it exists today. Finally the paper will describe possibilities for future work and enhancements. 2 Background 2.1 Web-based Project Management and Bug Tracking There is a variety of existing web-based project management and bug tracking tools. These are primarily aimed at the business realm and seek to coordinate and document the efforts of development teams consisting of multiple developers and possibly also testers, technical writers, subject matter experts, managers, and other professionals. They provide ways to prioritize work and to keep track of bugs and other development tasks to make sure nothing slips through the cracks. Some of these applications also facilitate communication between team members and provide ways to keep everyone updated as to what everyone else is doing. Project management systems may also include ways to track productivity, documentation tools such as wikis, budgeting or cost-tracking tools, and many other primarily business-oriented tools.
3 2.2 Existing Tools Existing tools are aimed at the business realm, and as such have flaws when used in an academic context. Bug tracking systems I have used, such as Bugzilla1 and Roundup2 , have a narrow focus. They are only designed to track development-related tasks, such as defects and suggested improvements. These tools also assume that all users are of the same professional level. That is, everyone is working together and has more or less the same authority, even if they are in different roles, without the kind of oversight and difference in education and experience found in a student project being overseen by a professor. A system for academic use would ideally be broader and encompass tasks such as writing papers and doing research, in addition to giving professors and instructors more control than students. Many project management tools, on the other hand, can be extremely complicated with many parts that would never be used in an academic context. Redmine3 is such a tool, and although I have found that it works very well in a complex professional development context, the wiki, news, Gantt chart, document and file management, among others would likely never be used for an academic project. It also generally requires more maintenance and a heavier-weight relational database management system. Other project management tools, such as Trello4 , have insufficient structure to guide students unfamiliar with such tools. Students may mark tasks as done when they are not, create tasks that should be comments, and so forth. Further, similarly to Bugzilla and Roundup, users 1 Mozilla Foundation, Bugzilla (bug-tracking system), used until November 2011 while employed at Physical Science Laboratory, Available from http://www.bugzilla.org/, Last accessed on 2013/04/20 2 Roundup-Team, Roundup (issue-tracking system), used during class project in Spring 2011, Available from http://roundup.sourceforge.net/, Last accessed on 2013/04/20 3 Jean-Philippe Lang, Redmine (project management web application), currently in use as of 2013/04/20 while employed at New Mexico Department of Agriculture, Available from http://www.redmine.org/projects/redmine, Last accessed on 2013/04/20 4 Fog Creek Software, Inc., Trello (project management application), Available from https://trello.com/, Last accessed on 2013/04/20
4 are assumed to be of the same experience level, so there is no mechanism for oversight and control by a professor. 2.3 Initial Experience 2.3.1 Description Project Management System began as a class project in Spring 2011 for CS581 Advanced Software Engineering5 . By the end of the semester the core functionality was in place, but it was difficult to use and included some design decisions that turned out to be problematic in practice. Further, as I had not yet completed any database-related classes, the data access layer was very poorly and inefficiently designed. With the help of large numbers of internet resources as well as advice from peers, I was, however, able to create a correctly designed and normalized database schema. As there was still much to do to bring the project up to a usable, stable, and well-designed condition, I decided to continue development by turning it into a Masters project, rather than abandoning it. 2.3.2 Requirements The biggest initial requirement6 for the class project was that it should be web-based, but easy to install and manage, including not being required to manage a database such as one would have to do for MySQL or other more complex database management systems. Support for simple database management systems, such as HSQLDB or SQLite, was therefore required, and 5 Karen Carter, Project Management System (slideshow presentation covering class project), Published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/presentation/d/1rZLu4eN4KOnBHDf2lRVjr04HUQYSznlyI_fpdoBML_k/edit?usp=sharing &authkey=CP7D8IgM 6 Karen Carter, My Project Requirements (initial class project requirements and completion dates), published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/spreadsheet/ccc?key=0Auez0eXd5ysadF9IWVFkUHpEbmtEUEw5S0JvdHZPTnc&usp=sh aring
5 allowing arbitrary database management systems to be used was initially required (this requirement turned out to be impractical as explained below). Login names and passwords for all users were also required, and anonymous viewing was not allowed. The project needed to support projects with deadlines and tasks, tasks with deadlines, priorities, progress estimates, classifications, and comments on all levels. An ability to define subtasks and attach them to other tasks was required, as well as basic sanitization of user input and an automatic build system with the ability to generate Javadocs, along with written instructions describing how to deploy the system. The project needed to support up to 25 students and to have specialized user interface options for professors and students, such as being able to view a list of their unfinished tasks and a list of recent comments, and for the professor to be able to see when students were unable to proceed without the professor completing some task. The project was required to include configurable options such as configurable lists (used in drop-down boxes in the application), font sizes, and colors. These configuration changes needed to be able to be made from within the application and not require a rebuild in order for them to take effect. Optional requirements that were also implemented were being able to mark tasks as dependent on other tasks, an ability to attach useful URLs to tasks, support for multiple professors within the same system (although not for a single project), an email-update system, and an ability to export project data into both CSV and XML. During the initial development period, further research revealed that one of the original requirements for the system, to have database-independent code, was infeasible without adding some type of object-relational mapping framework, such as Hibernate, which is designed to work with many different types of databases. This is because syntax and functionality vary so much between different relational database management systems (RDBMSes) on even a very basic
6 level, such as creating tables with auto-incrementing primary keys. So even though such statements are being executed via JDBC in this application, so that they can be executed on any RDBMS with a JDBC driver, the SQL statements themselves would need to be different to accommodate different RDBMSes. For example, in an HSQLDB, an identity column is used for this purpose, and it is automatically a primary key and therefore also guaranteed to be unique7 . In other databases such as DB2, however, identity columns are not automatically primary keys nor even necessarily unique8 . So in HSQLDB, to create a table with an auto-incrementing primary key and one other column, the following code would suffice: CREATE TABLE TestTable(id INT IDENTITY GENERATED BY DEFAULT AS IDENTITY (START WITH 1, INCREMENT BY 1), value INT NOT NULL); whereas in DB2 the following would be required: CREATE TABLE TestTable(id INT GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY 1), value INT NOT NULL, PRIMARY KEY(id)); The second statement would result in an error when executed in an HSQLDB, so neither version of the statement will work for all RDBMSes. So at a minimum the database and table creation code would need to be changed in order to use another RDBMS. 2.3.3 Design The overall architecture of Project Management System, as well as the technology used to create it, has mostly stayed constant throughout the project. The system uses a 4-tier 7 HSQLDB Development Group, Chapter 9. SQL Syntax (guide to HSQLDB), Publication date 2007/02/19, Last accessed 2013/04/20, Available at http://www.hsqldb.org/doc/guide/ch09.html#create_table-section 8 IBM, Administration Guide: Planning (guide to DB2), Publication date 2006/10/27, Last accessed 2013/04/20, Available at http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.udb.admin.doc%2Fdoc%2F c0004762.htm
7 architecture comprised of the presentation layer (JSP9 , HTML10 , JavaScript11 , jQuery12 , and CSS13 ), application layer (Java Servlet14 ), data access layer (JDBC15 ), and database layer (HSQLDB16 ), as seen in figure 1. Tomcat17 is the application server and controls much of the security for the application. Libraries used include DbUnit18 and opencsv19 for exporting the database to XML and CSV respectively, JavaMail20 for sending notification messages, and Apache Commons21 for escaping user input. Later the OWASP Enterprise Security API22 for escaping user input before inserting it into HTML, plus SLF4J23 and log4j24 for logging were added. 9 Oracle, JavaServer Pages Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javaee/jsp/index.html 10 HTML Working Group, W3C HTML, Last update 2013/01/24, Last accessed 2013/04/20, Available at http://www.w3.org/html/ 11 Mozilla Developer Network, JavaScript, Last update 2013/03/14, Last accessed 2013/04/20, Available at https://developer.mozilla.org/en-US/docs/JavaScript 12 The jQuery Foundation, jQuery, Last accessed 2013/04/20, Available at http://jquery.com/ 13 W3C, Cascading Style Sheets home page, Last update 2013/04/20, Last accessed 2013/04/20, Available at http://www.w3.org/Style/CSS/Overview.en.html 14 Oracle, Java Servlet Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135475.html 15 Oracle, Java SE Technologies – Database, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javase/jdbc/index.html 16 The hsql Development Group, HyperSQL, Last update 2012/08/22, Last accessed 2013/04/20, Available at http://hsqldb.org/ 17 The Apache Software Foundation, Apache Tomcat, Last update 2013/03/26, Last accessed 2013/04/20, Available at http://tomcat.apache.org/ 18 DbUnit Development Team, About DbUnit, Last update 2012/09/30, Last accessed 2013/04/20, Available at http://www.dbunit.org/ 19 opencsv Development Team, opencsv, Last update 2011/07/28, Last accessed 2013/04/20, Available at http://opencsv.sourceforge.net/ 20 Oracle, JavaMail, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javamail/index.html 21 The Apache Software Foundation, Apache Commons, Last accessed 2013/04/20, Available at http://commons.apache.org/ 22 OWASP, Category: OWASP Enterprise Security API, Last update 2012/08/29, Last accessed 2013/04/20, Available at https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 23 QOS.ch, Simple Logging Façade for Java (SLF4J), Last accessed 2013/04/20, Available at http://www.slf4j.org/ 24 The Apache Software Foundation, Apache Log4j 2, Last accessed 2013/04/20, Available at http://logging.apache.org/log4j/2.x/
8 Figure 1. Architecture Diagram 2.3.4 Positives One good thing that came out of the initial development was a well-designed database schema, as seen in figure 2. This was a result of studying basic definitions of normalization and the proper way to handle lists of values as reference tables. Appropriate primary keys and foreign keys were also defined wherever necessary. In addition data types for columns were defined appropriately and NOT NULL and UNIQUE constraints were added wherever required. After completing a database class it was possible to revisit the schema and verify that it was correctly designed. Subsequently the only changes made to the schema were to facilitate additional functionality or to make certain queries simpler, such as removing a surrogate auto-
9 incrementing key for users and instead changing the schema and SQL statements to use the natural key of each user’s username. Figure 2. Database Schema Diagram 2.3.5 Negatives After the initial development in Spring 2011, there was a number of major issues that needed to be addressed. The issue that most affected usability was that, instead of considering individual requests on their own, they were considered within the context of a certain workflow. The user was required to first view a project, then view individual tasks, so that there was no way to bookmark a certain task and return to it later, share a link to a task or project with another user from the project, or have multiple browser windows open to different projects at the same time. The last issue would be a major hindrance for instructors, at the very least. This issue was caused by storing too much information, such as the currently selected project, in the session
10 instead of only storing information in the request and considering requests on their own. Also of great concern to potential users was the fact that the application lacked any sort of protection for confidential information, namely user passwords. Passwords were stored in plain text in the database and SSL was not used to protect passwords when users logged in. There were also several issues of concern from a development and design standpoint. Debugging was made exponentially more difficult by the fact that the application didn't log error messages in any way. Tomcat logs still functioned, but any errors from within the application itself were swallowed. As mentioned previously I had virtually no database experience prior to working on this project. As a result I only knew how to do the most basic of SELECT statements in SQL, and so used no JOIN statements at all throughout the data access layer. This resulted in very poorly designed and overly complicated data access code, where it took multiple repeated queries to retrieve the data for any slightly complex object. Connection pooling for database connections was not used, so certain pages had extremely bad performance with even a trivial amount of data in the database. Instead of retrieving just the necessary information with one query, all the projects and all their tasks were loaded at once, each with a separate call to the data access layer and thus each with its own opening and closing of a database connection; the time required for such operations quickly became non-trivial. Finally the system did not close JDBC resources properly, so if any type of error occurred while working with the database, memory leaks could easily result.
11 3 Research and Development 3.1 Redesign and Rewrite of Application and Data Access Layers The largest and most time-consuming development task was redesigning and rewriting most of the application and data access layers, along with chunks of code in the presentation layer. As mentioned above, originally the system required a certain workflow. First the user would login, and all of their projects would be loaded. Then they would request a certain project, with the project number being relative to the user (so user A requesting project 1 might retrieve a different project than user B requesting project 1). At that point all the tasks for the project were loaded. Then the user would request a certain task associated with the project, and again the task number was relative to the specific project. The project and task information was stored in the session rather than in the individual request, so another result of this was that a user could not have multiple tabs open to different projects at the same time. This was changed so that each request was considered independently and so that the project and task numbers were universal. A user could therefore bookmark a task and go directly to that task at a later time, and students working on the same project could send a link for a certain task to one another. The data access layer had to be changed so that tasks and projects were loaded individually for each request instead of pre-loaded and stored in the session when the user logged in or visited a project page. Some methods were rewritten while others had to be eliminated and changed to something entirely new. The application layer had to be rewritten to make calls to the database for every request instead of assuming some information was already loaded, and in both the application layer and presentation layer the numbering scheme had to be changed to reflect using the actual database IDs rather than numbers relative to the specific user and project involved in the request.
12 3.2 Database-Related Improvements After the initial development during Spring 2011, research continued on various database-related topics. The first issue that was addressed was that of proper closing of database resources in the event of an exception or error. In Java 6, closing resources correctly was extremely cumbersome. It required multiple nested try-catch-finally blocks, like this:
13 try { Connection conn = DriverManager.getConnection("jdbc:mysql://" + host + "/" + name, username, password); try { PreparedStatement statement = conn.prepareStatement("SELECT * FROM TestTable WHERE id = ?"); try { statement.setString(1, id); ResultSet rs = statement.executeQuery(); try { while (rs.next()) { doSomething(); } } catch (SQLException e) { e.printStackTrace(); } finally { rs.close(); } } catch (SQLException e) { e.printStackTrace(); } finally { statement.close(); } } catch (SQLException e) { e.printStackTrace(); } finally { conn.close(); } } catch (SQLException e) { e.printStackTrace(); } This process was complicated and error-prone. In addition, very few online resources (even very reputable ones) showed the correct procedure, so even finding out how to correctly close all resources was difficult. After doing quite a bit of research, the above method seemed
14 most correct, although there were still many conflicting tutorials. Luckily Java 7 added an "automatic resource management" or ARM via the try-with-resources capability25 . The project was migrated to Java 7 in order to take advantage of this feature. With Java 7 the above code can be condensed to this: try (Connection conn = DriverManager.getConnection("jdbc:mysql://" + host + "/" + name, username, password); PreparedStatement statement = conn.prepareStatement("SELECT * FROM TestTable WHERE id = ?")) { statement.setString(1, id); try (ResultSet rs = statement.executeQuery()) { while (rs.next()) { doSomething(); } } catch (SQLException e) { e.printStackTrace(); } } catch (SQLException e) { e.printStackTrace(); } which is much easier both to write and to understand. The next problem to be addressed was the issue of some pages loading very slowly due to repeated calls to the data access layer and repeated opening and closing of connections to the database. First, both the application layer and data access layer code were rewritten so that only a single call to the data access layer was made, and thus only one connection to the database was opened and closed. Then the code was rewritten to make use of connection pooling so that opening and closing connections would no longer be slow. At first the intention was to directly 25 Oracle, The try-with-resources Statement, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html
15 use Apache Commons DBCP26 , but subsequently the discovery was made that Tomcat itself has support for connection pooling built in27 , so the code was changed to use that. 3.3 Security The next area for improvement was security. Although most of the data in the system is not particularly confidential, it does contain users' passwords, which might be reused on other sites and thus should be protected as much as possible. SSL was enabled in Tomcat by creating a self-signed certificate and adding the appropriate information to Tomcat's configuration files28 . This protects the user's password while in transit from their machine to the server upon which the system resides. In addition, research was done on ways to secure passwords in the database. The most highly recommended way to do this is using a one-way hash, and three different algorithms for this purpose are highly recommended29 . They are bcrypt30 , scrypt31 , and PBKDF232 . All three are computationally slow when executed on ordinary hardware, and all three can be adjusted as time goes on and processors get faster so that they stay computationally slow. bcrypt and PBKDF2 are both established algorithms that were created more than 10 years ago (in 1999 and 2000 respectively). bcrypt has an advantage in that the algorithm cannot be sped up by using a 26 The Apache Software Foundation, commons DBCP, Last update 2010/11/25, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-dbcp/ 27 The Apache Software Foundation, JNDI Datasource HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html 28 The Apache Software Foundation, SSL Configuration HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html 29 https://news.ycombinator.com/item?id=3724772, http://security.stackexchange.com/questions/4781/do-any- security-experts-recommend-bcrypt-for-password-storage, http://www.reddit.com/r/PHP/comments/1c210u/opinions_on_password_safetybcryptscryptpbkdf2/ 30 Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, Date published 1999/04/28, Available at http://static.usenix.org/events/usenix99/provos/provos_html/node1.html 31 Colin Percival, Stronger Key Derivation Via Sequential Memory-Hard Functions, Date presented May 2009, Available at http://www.tarsnap.com/scrypt/scrypt.pdf 32 B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, Date published September 2000, Available at http://tools.ietf.org/html/rfc2898
16 GPU, whereas PBKDF2 can be. scrypt is still relatively new, dating from 2009, and in addition to being processor-intensive it is also memory-intensive, thus increasing the hardware cost for brute-forcing the algorithm. bcrypt was chosen over scrypt due to its longer, proven track-record and the fact that it was unclear how the demands on memory for scrypt would affect the performance of the server on which it was run. In order to use bcrypt, a custom Tomcat Realm had to be written, as Tomcat's only default support is for SHA, MD2, or MD5, which are all currently outdated and considered inadequate protection33 . The Java implementation jBCrypt34 was used. Ways to secure the database itself were also researched. HSQLDB can restrict access to the database server in various ways by rejecting incoming connections according to settings in a configuration file35 . Access was restricted so that the only connections that are accepted come from the same server on which HSQLDB is running. Figure 3 depicts the layers of security used to protect user passwords on their way from the client to the database and back out. 33 Bugzilla Bug, Tomcat Servlet Container development, Last updated 2012/08/28, Last accessed 2013/04/20, Available at http://comments.gmane.org/gmane.comp.jakarta.tomcat.devel/123309 34 Damien Miller, jBCrypt, Last updated 2010/02/01, Last accessed 2013/04/20, Available at http://www.mindrot.org/projects/jBCrypt/ 35 The HSQL Development Group, HyperSQL User Guide, Last update 2013/03/18, Last accessed 2013/04/20, Available at http://hsqldb.org/doc/2.0/guide/guide.html#lsc_acl
17 Figure 3. Password Security Measures The best ways to protect against malicious user input were also researched. The project initially used Apache Common’s StringEscapeUtils36 and Java’s URLEncoder37 to escape user input and theoretically make it safe for display or for use in URLs; however, simply using StringEscapeUtils is not actually sufficient. Escaping strings for display in a web page requires different methods depending on where in the document (as the value of a text input, as a link, inside a header, etc.) the string will be displayed. The Open Web Application Security Project 36 The Apache Software Foundation, Class StringEscapeUtils, Last update 2011/07/19, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-lang/javadocs/api- 3.1/org/apache/commons/lang3/StringEscapeUtils.html 37 Oracle, Class URLEncoder, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
18 (OWASP) has utilities to deal with these different scenarios properly38 , and so their library was added to the project and their utilities were used to escape all user input that needed to be displayed. URLEncoder’s method is sufficient for escaping input that will be part of a URL, so it is still used. Finally a few more ways to secure the system were researched and implemented. Tomcat provides a Lockout Realm, which automatically locks out a user for a certain period of time if there are too many failed login attempts by that user within a certain period of time39 . This provides a nice trade-off so that legitimate users who have forgotten a password can simply wait to try again, but brute-forcing a password would be extremely time-consuming. PreparedStatements and parameterization for all SQL queries involving user input were used to try and eliminate any possibility of SQL injection attacks. This is the primary method to prevent such attacks in Java40 . Finally, checks on users' authorization to perform CRUD operations were added on multiple levels. First user authorization is checked within the presentation layer, so that legitimate users cannot accidentally try to do something they are not authorized to do. Then authorization is checked within the application layer, to ensure that malicious users cannot purposely do something they are not authorized to do. Lastly the data access layer itself checks authorization, in order to ensure the integrity of the database at all times. 3.4 Logging In order to facilitate debugging and trouble-shooting, logging was also implemented in order to see where issues occur, if they do. In the initial development of the system, DBUnit was 38 OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet, Last update 2013/03/15, Last access 2013/04/20, Available at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 39 The Apache Software Foundation, Realm Configuration HOW-TO, Last update 2013/03/22, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#LockOutRealm 40 OWASP, Preventing SQL Injection in Java, Last update 2009/05/27, Last access 2013/04/20, Available at https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
19 used in order to export the database to XML. DBUnit has logging built into it, and so the jars for slf4j and log4j were already included, so they were used for the actual logging code. It was very simple to set up using configuration files, and that plus compiling with debug mode on means that in the log the line numbers where issues occur can also be seen. Logging was added to all existing code in all try-catch blocks, as well as other places that seemed useful. Finally, the application’s overall error handling was addressed. Instead of using the default Tomcat error- page the application was configured to use a global error page (which also ties into security: if an attacker knows the application is running on Tomcat then they can target Tomcat itself), and made sure that in the event of an error such as a badly formatted date or other exception, the user will be forwarded to the error page. A choice of two error pages is given to the administrator of the system via configuration files. One only displays a generic error message and information on who to contact for help. The other displays detailed information on the exception that occurred as well as where in the code it occurred. Thus the administrator can choose how much information should be revealed to users of the system in case of errors. An authorization error page was also added, for when a user attempts to access a resource they are not allowed to access. 3.5 Software Development Methodology Throughout both the initial and later development of the system I used a version of the Scrum software development methodology41, 42 , tweaked to account for it being a one-person 41 Ken Schwaber and Jeff Sutherland, The Scrum Guide, Last update October 2011, Last accessed 2013/04/20, Available at http://www.scrum.org/Portals/0/Documents/Scrum%20Guides/Scrum_Guide.pdf#zoom=100 42 Henrik Kniberg, Scrum and XP from the Trenches, Published 2007/10/04, Last accessed 2013/04/20, Available at http://www.infoq.com/minibooks/scrum-xp-from-the-trenches
20 project43 . In the later part of the development I tried to be more formal, using burndown charts and recording sprint planning, retrospectives, and reviews on a blog44 . For over a year I have also been using Scrum as a part of my work as a full-time software developer. What I have discovered is that, although Scrum is extremely useful in a full-time work-environment, many of its benefits cannot be transferred to sporadic part-time work such as that done on a student project. With full-time work of 40 hours per week, after a few sprints a velocity does become apparent, and this can be used to forecast how many story-points should be included in future sprints. With part-time work, however, the amount of hours available for work per sprint varies greatly, so forecasting and planning are much more difficult. The burndown charts themselves were nearly useless for Project Management System. Scrum is still useful as an organizational tool, but trying to strictly timebox work into sprints is nearly impossible. It becomes a case of getting as much done as you can in the time available, and work frequently gets carried over from one sprint into the next, according to what has the highest priority. I believe this is an endemic problem with student projects: due to the unpredictability of how many hours are available for work, in addition to the lack of co-location during working hours and varying levels of commitment (for projects of more than one student), software development methodologies developed in industry cannot provide the same benefits in academia. In the later development of the system I had also hoped to incorporate test-driven development (TDD). Despite large amounts of research online and reading Test Driven Development: By Example45 , I was unable to figure out how to incorporate TDD into the project. In part this is because it is far easier to begin with TDD than to attempt to retrofit it into an 43 http://blog.jgpruitt.com/tag/personal-scrum/, http://www.21apps.com/agile/doing-agile-in-a-team-of-one-day2/, http://brainslink.com/2011/07/scrum-for-one-can-be-done-almost/ 44 Karen Carter, Shambling Towards Perfection, Last update 2013/04/18, Last accessed 2013/04/20, Available at http://shamblingblindly.blogspot.com/ 45 Kent Beck, Test Driven Development: By Example, Published 2002/11/18
21 existing project, but also because TDD itself is a difficult concept to grasp for anything other than trivial examples (yet trivial examples are by far the most common for TDD tutorials and articles). Some practitioners went so far as to claim that TDD should be learned in person from someone who already knows TDD. Ultimately I decided it would take too much time away from the other required development work to attempt to truly implement TDD in the project. 4 Evaluation 4.1 Examples and Screen Shots In a typical usage scenario, the instructor begins by creating a project. Figure 4 is the screen on display when he begins this process. Figure 4. Initial Screen for Creating a Project
22 He enters the student associated with the project, the project type, due date, and other information, as displayed in Figure 5. Figure 5. Entering Student Information Next the instructor creates tasks for the student and enters their priority, due date, and other information, as shown in Figure 6. Figure 6. Creating Task for Student
23 Before one task can be completed, a second task must be finished, so the instructor marks the first task as dependent on the second task. Figure 7. Defining Task as Dependent
24 One of the tasks was entered with an incorrect due date, so the instructor edits the task. This is displayed in Figure 8. Figure 8. Editing Task
25 Next, the instructor adds a comment and a link to the task, demonstrated in Figure 9 and Figure 10. Figure 9. Professor Creating Comment Figure 10. Professor Creating Link
26 To make sure everything is correct, the instructor views the task with the comment and link. This is seen in Figure 11. Figure 11. Viewing Completed Task
27 Now the instructor can view all the tasks associated with the project, as seen in Figure 12. Figure 12. Viewing Tasks for a Project Figure 13 displays the instructor’s view when he checks which tasks remain unfinished. Figure 13. List of Unfinished Tasks
28 The instructor can view the comments and links that have been created in the last two weeks, as seen in Figure 14. Figure 14. Last Two Weeks of Comments and Links The instructor can see a list of users that currently exist in the system, as shown in Figure 15. Figure 15. Instructor's View of Registered Users
29 As seen in Figure 16, the instructor can edit his profile if any information was not initially filled out or was filled out incorrectly. Figure 16. Instructor Editing Personal Profile
30 With the tools shown in Figure 17, the instructor can edit any of the default values for a variety of things: task priorities, project types, etc. Figure 17. Professor Editing Default Values Finally the student logs in, and Figure 18 displays his own view of the project. Figure 18. Student's View of Project
31 4.2 Quality Analysis 4.2.1 Automated Tools Starting out, one of the goals for the system was to have code that is as correct as possible in design and implementation. To this end research was done on some of the automated tools available for static code analysis46 . Three widely used tools that are available as Eclipse47 plug- ins were chosen: Checkstyle48 , FindBugs49 , and PMD50 . Checkstyle was originally designed to check whether code adheres to a coding standard, but has been expanded to look for duplicate code, problems with design, and bug patterns. FindBugs analyses Java bytecode and looks for patterns that indicate possible bugs, such as variables that are never used, concatenating strings to be used in JDBC calls (instead of parameterizing them), and many other types of potentially problematic coding practices. PMD looks for many of the same kinds of issues that FindBugs does, but analyses Java source code. All three tools are expandable, so developers can create custom rules for the tools to look for. Of the three, FindBugs was the most useful by far. Virtually all of the things FindBugs marked were genuine issues, so it was a very useful tool and it helped to resolve some things that could have led to bugs in the application. Checkstyle and PMD, however, raised a huge number of flags, so much so that nearly every line was flagged, yet many of the flags were invalid or at least extremely debatable. This included most of Checkstyle’s style warnings, such as giving opening curly brackets their own line. There were also flags by PMD on issues such as using 46 Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Published 2004/11/02, Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf 47 The Eclipse Foundation, Eclipse, Last access 2013/04/20, Available at http://www.eclipse.org/ 48 David Schneider and Lars Ködderitzsch, Eclipse-Checkstyle Integration, Last access 2013/04/20, Available at http://eclipse-cs.sourceforge.net/ 49 Bill Pugh and Andrey Loskutov, FindBugs – Find Bugs in Java Programs, Last update 2012/12/10, Last access 2013/04/20, Available at http://findbugs.sourceforge.net/ 50 PMD, PMD, Last update 2013/04/05, Last access 2013/04/20, Available at http://pmd.sourceforge.net/
32 System.out.println for output in a command-line tool, or overriding javax.servlet.http.HttpServlet.doGet, doing what Tomcat’s own documentation discusses51 . PMD also flagged every single parameter and variable that could be declared final. Declaring parameters as final, while possible, is a questionable practice, as some say it clutters code for little benefit and reduces code clarity, although others claim it reduces bugs and improves code quality52 . Both Checkstyle and PMD were also harder to configure than FindBugs, so it would have taken a lot of work to get them configured to ignore the types of errors that were less useful or seemed erroneous. In the end Checkstyle and PMD were turned off and only FindBugs was left enabled, and its flags were continuously reviewed to check for any potential issues. During the course of the project, large amounts of code were completely rewritten to correct mistakes and misjudgments made during the initial development when the project was merely a class project. Another very helpful Eclipse plugin used to clean up the old code and remove now-unused methods was UCDetector53 . It detected methods that were no longer being called anywhere within the project. It also provided recommendations on classes and methods that were more public than they needed to be. This helped in making the code base more readable, making sure outdated methods couldn’t be called mistakenly, and that internal methods weren’t called improperly by other classes. 51 The Apache Software Foundation, Class HttpServlet, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServlet.html 52 http://stackoverflow.com/questions/266806/is-there-any-performance-reason-to-declare-method-parameters-final- in-java, http://stackoverflow.com/questions/316352/why-would-one-mark-local-variables-and-method-parameters- as-final-in-java, http://stackoverflow.com/questions/5380177/final-arguments-in-interface-methods-whats-the- point?rq=1 53 Jörg Spieler, UCDetector: Unnecessary Code Detector, Last update 2013/04/11, Last access 2013/04/20, Available at http://www.ucdetector.org/
33 4.2.2 Design Principles Throughout the project proper coding techniques were followed as much as possible, and research was done to try and further improve design and programming techniques54 . Code was reused whenever possible, following the Don’t Repeat Yourself (DRY) principle, and interfaces were used for the data models and data access layer, following the design by contract approach. 4.2.3 Unaddressed Issues There were some design and technique issues that could not be improved due to the time constraints of the project. The biggest of these, in terms of its presence in code, is that instead of using JavaServer Pages Standard Tag Library (JSTL)55 , scriptlets (sections of plain Java code) are used throughout the presentation layer. Scriptlets have been considered outdated and not good coding practice for years56 , although many online tutorials still use them, and following those tutorials led to their initial inclusion in the project. An attempt was made to rewrite the existing scriptlets into JSTL, but unfortunately much extra work is needed to use static methods57 such as those in the OWASP library for encoding user input, which are used in nearly every JSP. Custom EL functions would need to be written58 and/or web.xml would need to be 54 Andrew Hunt and David Thomas, The Pragmatic Programmer: From Journeyman to Master, Published 1999/10/30 55 Oracle, JavaServer Pages Standard Tag Library, Last access 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135995.html 56 http://stackoverflow.com/questions/4535423/jstl-vs-jsp-scriptlets, http://www.coderanch.com/t/469280/JSP/java/Scriptlet-JSTL, http://www.coderanch.com/t/414294/JSP/java/scriptlets-EL-JSTL, https://groups.google.com/forum/?fromgroups=#!topic/comp.lang.java.programmer/W5cER3Q21cQ 57 StackOverflow, How to call a static method in JSP/EL?, Last update 2012/05/08, Last accessed 2013/04/20, Available at http://stackoverflow.com/questions/6395621/how-to-call-a-static-method-in-jsp-el 58 JavaRanch, Define EL Functions, Last accessed 2013/04/20, Available at http://www.coderanch.com/how- to/java/DefineELFunctions
34 updated to conform to Servlet 3.0 specifications59 , and there was insufficient time to figure out exactly how this would work and get it working. The other major area, primarily in terms of user experience, where time prohibited best practices was in user interface design. Although I took a user interface design class and researched on my own60, 61 , there was not time to improve the design and work with users to figure out where the system could most use improvement, what most impeded their workflow, or what features were most needed from a user experience perspective. As a result the system is fully functional and capable of performing the essential tasks needed to manage and track a student project, but it does not have the most efficient or effective design and may make certain tasks more difficult than they could be. Information is also not necessarily presented in the clearest or easiest-to-understand manner. Better grouping of related fields, clearly highlighting required fields, and more verification and validation of user input would all greatly enhance the user interface. 5 Conclusions 5.1 Future Work 5.1.1 Last Updated/Last Active Features There is a number of issues that were not addressed and features that were not developed due to time constraints. These could be addressed in the future, given enough time. In addition 59 StackOverflow, how to call parameterized method from JSP using JSTL, Last update 2012/05/25, Last access 2013/04/20, Available at http://stackoverflow.com/questions/7121303/how-to-call-parameterized-method-from-jsp- using-jstl 60 Jeff Johnson, Designing with the Mind in Mind: Simple Guide to Understanding User Interface Design Rules, Published 2010/06/03 61 Jeff Johnson, GUI Bloopers 2.0, Second Edition: Common User Interface Design Don’ts and Dos (Interactive Technologies), Published 2007/09/10
35 to replacing scriptlets with JSTL and improving the user interface design, as mentioned above, currently unused columns were added to the database to support a number of features that were not implemented. Columns were added to track who last updated projects and tasks and at what time the last update occurred. Columns were also added to track the last login date for users. These columns were intended to be used in a variety of ways, in addition to simply displaying this data for users to see. They could be used to show the user what tasks and projects have been updated since the last time they logged in, to order tasks and projects by their last update, and to show instructors when students last logged in, to see if they have been using the system or not. 5.1.2 Subtask and Dependent Task Relationship Features Columns were also added to support visualization features with regards to task dependency and subtask relationships. First, cycles would need to be detected and prevented during task editing. Then, since each task may only be a subtask of one other task, but a task may have many subtasks, the set of tasks in subtask relationships would form a set of trees. Columns were added to support path enumeration for these relationships, as described in SQL Antipatterns62 , as that method would be very fast for the most frequent usecase of seeing all descendants and ancestors of a task, and it would be fairly simple to implement. Each task can depend on many tasks and can have many tasks dependent on it, so the set of tasks in dependency relationships would form a set of directed acyclic graphs (DAGs). Representing DAGs in a database is more complicated63 , but a new table was added to support this using an adjacency list containing the complete list of paths (the transitive closure) of the graph. 62 Bill Karwin, SQL Antipatterns: Avoiding the Pitfalls of Database Programming, Published 2010/07/02 63 Kemal Erdogan, A Model to Represent Directed Acyclic Graphs (DAG) on SQL Databases, Published 2008/01/10, Last accessed 2013/04/20, Available at http://www.codeproject.com/Articles/22824/A-Model-to- Represent-Directed-Acyclic-Graphs-DAG-o
36 Adding this functionality would enable visualizing the DAGs and trees formed by the task relationships, and could also be used for ordering the tasks according to these relationships when viewing the tasks as part of the project page. 5.2 Enhancements 5.2.1 Ease of Use There are many opportunities for further enhancements aside from those that were already researched or partially started. The ability for the user to reset a forgotten password would be extremely useful, and adding an “undo” capability would also help when the user makes a mistake. Adding a mobile-formatted version or actual mobile apps (Android, iOS, etc.) would assist in making the application more accessible for a variety of users. Options for sorting tasks by different values (priority, type, due date, etc.) would also help make the application more usable according to the user’s needs. More options for exporting data, such as exporting a user’s projects through the web interface, would make the application more flexible and allow users to take data with them after a project is over or when switching to a different system. Allowing data import would also be helpful for users wanting to start with a fresh installation or in the event of splitting off a project into a new project. 5.2.2 Security and Stability Adding requirements for the length and/or complexity of user passwords would protect users from having their passwords guessed by others. Security could also be enhanced by further restricting access to the database by restricting the privileges for the database user according to
37 what actions are allowed for each table. For example, tasks and projects are never completely deleted, so not allowing the database user used by the web application to perform deletes on those tables would be helpful. Adding unit tests with JUnit64 and DBUnit, along with other tests of functionality and even of the user interface, would improve stability and help ensure legacy code would not break when code was edited or updated. Upgrading to HTML 5 and CSS 3 would assist in making the code more future-proof. 5.3 Conclusion Project Management System attempts to serve the unique needs of academic project management. The basic functionality for managing projects, creating and editing tasks, and recording progress is present, fairly efficient, and includes basic security features. There are many opportunities for further development, including refining the user interface, adding additional features, and further enhancing security and the user experience. 64 junit-team, JUnit, Last accessed 2013/04/20, Available at http://junit.org/
38 References Andrew Hunt and David Thomas, The Pragmatic Programmer: From Journeyman to Master, Published 1999/10/30 B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, Date published September 2000, Available at http://tools.ietf.org/html/rfc2898 Bill Karwin, SQL Antipatterns: Avoiding the Pitfalls of Database Programming, Published 2010/07/02 Bill Pugh and Andrey Loskutov, FindBugs – Find Bugs in Java Programs, Last update 2012/12/10, Last access 2013/04/20, Available at http://findbugs.sourceforge.net/ Bugzilla Bug, Tomcat Servlet Container development, Last updated 2012/08/28, Last accessed 2013/04/20, Available at http://comments.gmane.org/gmane.comp.jakarta.tomcat.devel/123309 Colin Percival, Stronger Key Derivation Via Sequential Memory-Hard Functions, Date presented May 2009, Available at http://www.tarsnap.com/scrypt/scrypt.pdf Damien Miller, jBCrypt, Last updated 2010/02/01, Last accessed 2013/04/20, Available at http://www.mindrot.org/projects/jBCrypt/ David Schneider and Lars Ködderitzsch, Eclipse-Checkstyle Integration, Last access 2013/04/20, Available at http://eclipse-cs.sourceforge.net/ DbUnit Development Team, About DbUnit, Last update 2012/09/30, Last accessed 2013/04/20, Available at http://www.dbunit.org/ Fog Creek Software, Inc., Trello (project management application), Available from https://trello.com/, Last accessed on 2013/04/20 Henrik Kniberg, Scrum and XP from the Trenches, Published 2007/10/04, Last accessed 2013/04/20, Available at http://www.infoq.com/minibooks/scrum-xp-from-the-trenches HSQLDB Development Group, Chapter 9. SQL Syntax (guide to HSQLDB), Publication date 2007/02/19, Last accessed 2013/04/20, Available at http://www.hsqldb.org/doc/guide/ch09.html#create_table-section HTML Working Group, W3C HTML, Last update 2013/01/24, Last accessed 2013/04/20, Available at http://www.w3.org/html/ http://blog.jgpruitt.com/tag/personal-scrum/, http://www.21apps.com/agile/doing-agile-in-a- team-of-one-day2/, http://brainslink.com/2011/07/scrum-for-one-can-be-done-almost/ http://stackoverflow.com/questions/266806/is-there-any-performance-reason-to-declare-method- parameters-final-in-java, http://stackoverflow.com/questions/316352/why-would-one- mark-local-variables-and-method-parameters-as-final-in-java, http://stackoverflow.com/questions/5380177/final-arguments-in-interface-methods- whats-the-point?rq=1 http://stackoverflow.com/questions/4535423/jstl-vs-jsp-scriptlets, http://www.coderanch.com/t/469280/JSP/java/Scriptlet-JSTL, http://www.coderanch.com/t/414294/JSP/java/scriptlets-EL-JSTL,
39 https://groups.google.com/forum/?fromgroups=#!topic/comp.lang.java.programmer/W5c ER3Q21cQ https://news.ycombinator.com/item?id=3724772, http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend- bcrypt-for-password-storage, http://www.reddit.com/r/PHP/comments/1c210u/opinions_on_password_safetybcryptscr yptpbkdf2/ IBM, Administration Guide: Planning (guide to DB2), Publication date 2006-10-27, Last accessed 2013/04/20, Available at http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.u db.admin.doc%2Fdoc%2Fc0004762.htm JavaRanch, Define EL Functions, Last accessed 2013/04/20, Available at http://www.coderanch.com/how-to/java/DefineELFunctions Jean-Philippe Lang, Redmine (project management web application), currently in use as of 2013/04/20 while employed at New Mexico Department of Agriculture, Available from http://www.redmine.org/projects/redmine, Last accessed on 2013/04/20 Jeff Johnson, Designing with the Mind in Mind: Simple Guide to Understanding User Interface Design Rules, Published 2010/06/03 ———, GUI Bloopers 2.0, Second Edition: Common User Interface Design Don’ts and Dos (Interactive Technologies), Published 2007/09/10 Jörg Spieler, UCDetector: Unnecessary Code Detector, Last update 2013/04/11, Last access 2013/04/20, Available at http://www.ucdetector.org/ junit-team, JUnit, Last accessed 2013/04/20, Available at http://junit.org/ Karen Carter, My Project Requirements (initial class project requirements and completion dates), published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/spreadsheet/ccc?key=0Auez0eXd5ysadF9IWVFkUHpEbmtEUE w5S0JvdHZPTnc&usp=sharing ———, Project Management System (slideshow presentation covering class project), Published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/presentation/d/1rZLu4eN4KOnBHDf2lRVjr04HUQYSznlyI_fpd oBML_k/edit?usp=sharing&authkey=CP7D8IgM ———, Shambling Towards Perfection, Last update 2013/04/18, Last accessed 2013/04/20, Available at http://shamblingblindly.blogspot.com/ Kemal Erdogan, A Model to Represent Directed Acyclic Graphs (DAG) on SQL Databases, Published 2008/01/10, Last accessed 2013/04/20, Available at http://www.codeproject.com/Articles/22824/A-Model-to-Represent-Directed-Acyclic- Graphs-DAG-o Ken Schwaber and Jeff Sutherland, The Scrum Guide, Last update October 2011, Last accessed 2013/04/20, Available at http://www.scrum.org/Portals/0/Documents/Scrum%20Guides/Scrum_Guide.pdf#zoom= 100
40 Kent Beck, Test Driven Development: By Example, Published 2002/11/18 Mozilla Developer Network, JavaScript, Last update 2013/03/14, Last accessed 2013/04/20, Available at https://developer.mozilla.org/en-US/docs/JavaScript Mozilla Foundation, Bugzilla (bug-tracking system), used until November 2011 while employed at Physical Science Laboratory, Available from http://www.bugzilla.org/, Last accessed on 2013/04/20 Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Published 2004/11/02, Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, Date published 1999/04/28, Available at http://static.usenix.org/events/usenix99/provos/provos_html/node1.html opencsv Development Team, opencsv, Last update 2011/07/28, Last accessed 2013/04/20, Available at http://opencsv.sourceforge.net/ Oracle, Class URLEncoder, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html ———, Java SE Technologies – Database, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javase/jdbc/index.html ———, Java Servlet Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135475.html ———, JavaMail, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javamail/index.html ———, JavaServer Pages Standard Tag Library, Last access 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135995.html ———, JavaServer Pages Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javaee/jsp/index.html ———, The try-with-resources Statement, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html OWASP, Category: OWASP Enterprise Security API, Last update 2012/08/29, Last accessed 2013/04/20, Available at https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API ———, Preventing SQL Injection in Java, Last update 2009/05/27, Last access 2013/04/20, Available at https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java ———, XSS (Cross Site Scripting) Prevention Cheat Sheet, Last update 2013/03/15, Last access 2013/04/20, Available at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Chea t_Sheet PMD, PMD, Last update 2013/04/05, Last access 2013/04/20, Available at http://pmd.sourceforge.net/
41 QOS.ch, Simple Logging Façade for Java (SLF4J), Last accessed 2013/04/20, Available at http://www.slf4j.org/ Roundup-Team, Roundup (issue-tracking system), used during class project in Spring 2011, Available from http://roundup.sourceforge.net/, Last accessed on 2013/04/20 StackOverflow, How to call a static method in JSP/EL?, Last update 2012/05/08, Last accessed 2013/04/20, Available at http://stackoverflow.com/questions/6395621/how-to-call-a- static-method-in-jsp-el ———, How to call parameterized method from JSP using JSTL, Last update 2012/05/25, Last access 2013/04/20, Available at http://stackoverflow.com/questions/7121303/how-to- call-parameterized-method-from-jsp-using-jstl The Apache Software Foundation, Apache Commons, Last accessed 2013/04/20, Available at http://commons.apache.org/ ———, Apache Log4j 2, Last accessed 2013/04/20, Available at http://logging.apache.org/log4j/2.x/ ———, Apache Tomcat, Last update 2013/03/26, Last accessed 2013/04/20, Available at http://tomcat.apache.org/ ———, Class HttpServlet, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServlet.html ———, Class StringEscapeUtils, Last update 2011/07/19, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-lang/javadocs/api- 3.1/org/apache/commons/lang3/StringEscapeUtils.html ———, commons DBCP, Last update 2010/11/25, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-dbcp/ ———, JNDI Datasource HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples- howto.html ———, Realm Configuration HOW-TO, Last update 2013/03/22, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#LockOutRealm ———, SSL Configuration HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html The Eclipse Foundation, Eclipse, Last access 2013/04/20, Available at http://www.eclipse.org/ The HSQL Development Group, HyperSQL User Guide, Last update 2013/03/18, Last accessed 2013/04/20, Available at http://hsqldb.org/doc/2.0/guide/guide.html#lsc_acl ———, HyperSQL, Last update 2012/08/22, Last accessed 2013/04/20, Available at http://hsqldb.org/ The jQuery Foundation, jQuery, Last accessed 2013/04/20, Available at http://jquery.com/ W3C, Cascading Style Sheets home page, Last update 2013-04-20, Last accessed 2013/04/20, Available at http://www.w3.org/Style/CSS/Overview.en.html

Recommended

Web application presentation
Web application presentationWeb application presentation
Web application presentationEhsan Ullah Kakar
 
10.1.1.88.6399
10.1.1.88.639910.1.1.88.6399
10.1.1.88.6399Jeffrey Peden
 
Cavaros
CavarosCavaros
CavarosToo Jannarong
 
Project report on blogs
Project report on blogsProject report on blogs
Project report on blogsKritika Chauhan
 
Resume-PRPearce
Resume-PRPearceResume-PRPearce
Resume-PRPearcePatrick R. Pearce, Sr.
 
Kilian, Roger Resume 01.15
Kilian, Roger Resume 01.15Kilian, Roger Resume 01.15
Kilian, Roger Resume 01.15Roger Kilian
 
Web 2 presentation newest assessment outcomes.
Web 2 presentation newest assessment outcomes.Web 2 presentation newest assessment outcomes.
Web 2 presentation newest assessment outcomes.pdingley
 
Web Engineering
Web EngineeringWeb Engineering
Web EngineeringMuhammad Muzammal
 

Recommended

Web application presentation
Web application presentationWeb application presentation
Web application presentationEhsan Ullah Kakar
 
10.1.1.88.6399
10.1.1.88.639910.1.1.88.6399
10.1.1.88.6399Jeffrey Peden
 
Cavaros
CavarosCavaros
CavarosToo Jannarong
 
Project report on blogs
Project report on blogsProject report on blogs
Project report on blogsKritika Chauhan
 
Resume-PRPearce
Resume-PRPearceResume-PRPearce
Resume-PRPearcePatrick R. Pearce, Sr.
 
Kilian, Roger Resume 01.15
Kilian, Roger Resume 01.15Kilian, Roger Resume 01.15
Kilian, Roger Resume 01.15Roger Kilian
 
Web 2 presentation newest assessment outcomes.
Web 2 presentation newest assessment outcomes.Web 2 presentation newest assessment outcomes.
Web 2 presentation newest assessment outcomes.pdingley
 
Web Engineering
Web EngineeringWeb Engineering
Web EngineeringMuhammad Muzammal
 
ACB Company Profile
ACB Company ProfileACB Company Profile
ACB Company ProfileAmerican Breeze
 
Round Solution_english_webinar_28_01_4_LI
Round Solution_english_webinar_28_01_4_LIRound Solution_english_webinar_28_01_4_LI
Round Solution_english_webinar_28_01_4_LIJuan Martin
 
Google
GoogleGoogle
GoogleValentinaRivera24
 
Portales de actividades
Portales de actividadesPortales de actividades
Portales de actividadesDiana Paola Galindo Caro
 
Residential housing company brochure beglinwoods architects
Residential housing company brochure beglinwoods architectsResidential housing company brochure beglinwoods architects
Residential housing company brochure beglinwoods architectsSimon Woods
 
achieving SYNERGY Case Studies
achieving SYNERGY Case Studiesachieving SYNERGY Case Studies
achieving SYNERGY Case StudiesAileen Armstrong
 
RotationProposal_ShorrockM_D1
RotationProposal_ShorrockM_D1RotationProposal_ShorrockM_D1
RotationProposal_ShorrockM_D1Meghann Shorrock
 
Informatica
InformaticaInformatica
Informaticaandrea garcia
 
Preliminry report
Preliminry report Preliminry report
Preliminry reportJiten Ahuja
 
9) final report
9) final report9) final report
9) final reportAftab Popatia
 
216328327 nilesh-and-teams-project
216328327 nilesh-and-teams-project216328327 nilesh-and-teams-project
216328327 nilesh-and-teams-projecthomeworkping8
 
Project Tracking System
Project Tracking SystemProject Tracking System
Project Tracking Systemncct
 
Ignou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisIgnou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisHitesh Jangid
 
Pm610 1103 b-02-schwappach-loren-p4-db5
Pm610 1103 b-02-schwappach-loren-p4-db5Pm610 1103 b-02-schwappach-loren-p4-db5
Pm610 1103 b-02-schwappach-loren-p4-db5Loren Schwappach
 
COET3A1.Powerpoint Presentation
COET3A1.Powerpoint PresentationCOET3A1.Powerpoint Presentation
COET3A1.Powerpoint Presentationtroyjan27
 
Formal Definition of Collaborative Spaces
Formal Definition of Collaborative Spaces Formal Definition of Collaborative Spaces
Formal Definition of Collaborative Spaces Juan Manuel Gonzalez Calleros
 
Document Management System: Redesign Proposal
Document Management System: Redesign ProposalDocument Management System: Redesign Proposal
Document Management System: Redesign ProposalFaiz Shariff
 
Vol 1 issue 2 june 2015
Vol 1 issue 2 june 2015Vol 1 issue 2 june 2015
Vol 1 issue 2 june 2015Durreesamin Journal Australia (ISSN: 2204-9827)
 
chapters
chapterschapters
chaptersChandan Chaurasia
 
Chapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfChapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfKamal Acharya
 
Chapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfChapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfKamal Acharya
 
Project Scheduling
Project SchedulingProject Scheduling
Project SchedulingMSharmilaDeviITDEPT
 

More Related Content

Viewers also liked

Round Solution_english_webinar_28_01_4_LI
Round Solution_english_webinar_28_01_4_LIRound Solution_english_webinar_28_01_4_LI
Round Solution_english_webinar_28_01_4_LIJuan Martin
 
Residential housing company brochure beglinwoods architects
Residential housing company brochure beglinwoods architectsResidential housing company brochure beglinwoods architects
Residential housing company brochure beglinwoods architectsSimon Woods
 
achieving SYNERGY Case Studies
achieving SYNERGY Case Studiesachieving SYNERGY Case Studies
achieving SYNERGY Case StudiesAileen Armstrong
 
RotationProposal_ShorrockM_D1
RotationProposal_ShorrockM_D1RotationProposal_ShorrockM_D1
RotationProposal_ShorrockM_D1Meghann Shorrock
 

Viewers also liked (8)

ACB Company Profile
ACB Company ProfileACB Company Profile
ACB Company Profile
 
Round Solution_english_webinar_28_01_4_LI
Round Solution_english_webinar_28_01_4_LIRound Solution_english_webinar_28_01_4_LI
Round Solution_english_webinar_28_01_4_LI
 
Google
GoogleGoogle
Google
 
Portales de actividades
Portales de actividadesPortales de actividades
Portales de actividades
 
Residential housing company brochure beglinwoods architects
Residential housing company brochure beglinwoods architectsResidential housing company brochure beglinwoods architects
Residential housing company brochure beglinwoods architects
 
achieving SYNERGY Case Studies
achieving SYNERGY Case Studiesachieving SYNERGY Case Studies
achieving SYNERGY Case Studies
 
RotationProposal_ShorrockM_D1
RotationProposal_ShorrockM_D1RotationProposal_ShorrockM_D1
RotationProposal_ShorrockM_D1
 
Informatica
InformaticaInformatica
Informatica
 

Similar to ProjectManagementSystemPaperFINAL

Preliminry report
Preliminry report Preliminry report
Preliminry reportJiten Ahuja
 
216328327 nilesh-and-teams-project
216328327 nilesh-and-teams-project216328327 nilesh-and-teams-project
216328327 nilesh-and-teams-projecthomeworkping8
 
Project Tracking System
Project Tracking SystemProject Tracking System
Project Tracking Systemncct
 
Ignou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisIgnou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisHitesh Jangid
 
Pm610 1103 b-02-schwappach-loren-p4-db5
Pm610 1103 b-02-schwappach-loren-p4-db5Pm610 1103 b-02-schwappach-loren-p4-db5
Pm610 1103 b-02-schwappach-loren-p4-db5Loren Schwappach
 
COET3A1.Powerpoint Presentation
COET3A1.Powerpoint PresentationCOET3A1.Powerpoint Presentation
COET3A1.Powerpoint Presentationtroyjan27
 
Document Management System: Redesign Proposal
Document Management System: Redesign ProposalDocument Management System: Redesign Proposal
Document Management System: Redesign ProposalFaiz Shariff
 
Chapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfChapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfKamal Acharya
 
Chapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfChapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfKamal Acharya
 
A Web-Based Project Management System
A Web-Based Project Management SystemA Web-Based Project Management System
A Web-Based Project Management SystemLori Moore
 

Similar to ProjectManagementSystemPaperFINAL (20)

Preliminry report
Preliminry report Preliminry report
Preliminry report
 
9) final report
9) final report9) final report
9) final report
 
216328327 nilesh-and-teams-project
216328327 nilesh-and-teams-project216328327 nilesh-and-teams-project
216328327 nilesh-and-teams-project
 
Project Tracking System
Project Tracking SystemProject Tracking System
Project Tracking System
 
Ignou MCA 6th Semester Synopsis
Ignou MCA 6th Semester SynopsisIgnou MCA 6th Semester Synopsis
Ignou MCA 6th Semester Synopsis
 
Pm610 1103 b-02-schwappach-loren-p4-db5
Pm610 1103 b-02-schwappach-loren-p4-db5Pm610 1103 b-02-schwappach-loren-p4-db5
Pm610 1103 b-02-schwappach-loren-p4-db5
 
COET3A1.Powerpoint Presentation
COET3A1.Powerpoint PresentationCOET3A1.Powerpoint Presentation
COET3A1.Powerpoint Presentation
 
Formal Definition of Collaborative Spaces
Formal Definition of Collaborative Spaces Formal Definition of Collaborative Spaces
Formal Definition of Collaborative Spaces
 
Document Management System: Redesign Proposal
Document Management System: Redesign ProposalDocument Management System: Redesign Proposal
Document Management System: Redesign Proposal
 
Vol 1 issue 2 june 2015
Vol 1 issue 2 june 2015Vol 1 issue 2 june 2015
Vol 1 issue 2 june 2015
 
chapters
chapterschapters
chapters
 
Chapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfChapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdf
 
Chapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdfChapter_1_INTRODUCTION.pdf
Chapter_1_INTRODUCTION.pdf
 
Project Scheduling
Project SchedulingProject Scheduling
Project Scheduling
 
Dsdm
DsdmDsdm
Dsdm
 
CP_FINAL_PPT.pptx
CP_FINAL_PPT.pptxCP_FINAL_PPT.pptx
CP_FINAL_PPT.pptx
 
A Web-Based Project Management System
A Web-Based Project Management SystemA Web-Based Project Management System
A Web-Based Project Management System
 
Bright
BrightBright
Bright
 
Bright copy
Bright copyBright copy
Bright copy
 
SDJ
SDJSDJ
SDJ
 

ProjectManagementSystemPaperFINAL

  • 1. Masters Project Documentation: Project Management System By Karen Carter Advisor: Dr. Jonathan Cook
  • 2. Abstract Existing project management and bug-tracking tools are primarily aimed at industry use and as such are inadequate for use in an academic setting. Project Management System is a web application written in Java, JavaScript, and HTML backed by HSQLDB, and seeks to provide a more appropriate system for managing student projects. The system was developed using modern development techniques with a focus on security, correct design, and efficiency. There are many opportunities for further development of the system, including improving the user interface and adding additional statistical and reporting capabilities.
  • 3. 1 1 Introduction The goal of this project, entitled Project Management System, is to create a web-based application for use by professors and instructors in managing student projects. It is primarily intended for use in the realm of computer science, but could be adapted for use in other realms. The system is intended to be as stable, well-designed, and professional as possible. Each user of the system is defined as being an instructor or not, and has a profile containing contact information for use by other users. A user’s account includes a setting for whether or not the user wishes to receive email updates from the system when changes are made to projects with which the user is associated, and an email address to be used for that purpose. Projects may only be created by instructors, and system-wide variables (lists of default values) may only be edited by instructors. Projects accommodate a single instructor and one or more students, and only the users associated with a project may view it and make changes to it. Projects are primarily made up of tasks. Tasks have a creator and an assignee. Comments may be made by all associated users on both the project itself and its tasks. Links to outside resources (e.g., websites, files, images) may be created by all associated users for individual tasks. It is possible to define two different types of relationships between tasks. First, a task may be dependent on other tasks. That is, the user to whom the task is assigned may be unable to work on the task until other tasks have been completed. Second, a task may be a subtask of another single task. This allows larger tasks to be broken up into smaller tasks and organized. Both projects and tasks have due dates and can be marked finished when they are completed. Projects and tasks have a variety of other attributes that can be used to categorize and define them appropriately. The system also includes utilities for creating an initial empty database, adding
  • 4. 2 fake data to the database, and exporting the data in the database to both XML- and CSV- formatted files. This paper will describe the need for web-based project management and bug tracking systems, some of the existing systems and their short-comings with regards to the academic environment, and the initial development of Project Management System when it began as a class project. It will then describe the research and development subsequent to the class project, including improvements in performance, database-related code, and security. The paper will then describe typical use cases and discuss the pros and cons of the project as it exists today. Finally the paper will describe possibilities for future work and enhancements. 2 Background 2.1 Web-based Project Management and Bug Tracking There is a variety of existing web-based project management and bug tracking tools. These are primarily aimed at the business realm and seek to coordinate and document the efforts of development teams consisting of multiple developers and possibly also testers, technical writers, subject matter experts, managers, and other professionals. They provide ways to prioritize work and to keep track of bugs and other development tasks to make sure nothing slips through the cracks. Some of these applications also facilitate communication between team members and provide ways to keep everyone updated as to what everyone else is doing. Project management systems may also include ways to track productivity, documentation tools such as wikis, budgeting or cost-tracking tools, and many other primarily business-oriented tools.
  • 5. 3 2.2 Existing Tools Existing tools are aimed at the business realm, and as such have flaws when used in an academic context. Bug tracking systems I have used, such as Bugzilla1 and Roundup2 , have a narrow focus. They are only designed to track development-related tasks, such as defects and suggested improvements. These tools also assume that all users are of the same professional level. That is, everyone is working together and has more or less the same authority, even if they are in different roles, without the kind of oversight and difference in education and experience found in a student project being overseen by a professor. A system for academic use would ideally be broader and encompass tasks such as writing papers and doing research, in addition to giving professors and instructors more control than students. Many project management tools, on the other hand, can be extremely complicated with many parts that would never be used in an academic context. Redmine3 is such a tool, and although I have found that it works very well in a complex professional development context, the wiki, news, Gantt chart, document and file management, among others would likely never be used for an academic project. It also generally requires more maintenance and a heavier-weight relational database management system. Other project management tools, such as Trello4 , have insufficient structure to guide students unfamiliar with such tools. Students may mark tasks as done when they are not, create tasks that should be comments, and so forth. Further, similarly to Bugzilla and Roundup, users 1 Mozilla Foundation, Bugzilla (bug-tracking system), used until November 2011 while employed at Physical Science Laboratory, Available from http://www.bugzilla.org/, Last accessed on 2013/04/20 2 Roundup-Team, Roundup (issue-tracking system), used during class project in Spring 2011, Available from http://roundup.sourceforge.net/, Last accessed on 2013/04/20 3 Jean-Philippe Lang, Redmine (project management web application), currently in use as of 2013/04/20 while employed at New Mexico Department of Agriculture, Available from http://www.redmine.org/projects/redmine, Last accessed on 2013/04/20 4 Fog Creek Software, Inc., Trello (project management application), Available from https://trello.com/, Last accessed on 2013/04/20
  • 6. 4 are assumed to be of the same experience level, so there is no mechanism for oversight and control by a professor. 2.3 Initial Experience 2.3.1 Description Project Management System began as a class project in Spring 2011 for CS581 Advanced Software Engineering5 . By the end of the semester the core functionality was in place, but it was difficult to use and included some design decisions that turned out to be problematic in practice. Further, as I had not yet completed any database-related classes, the data access layer was very poorly and inefficiently designed. With the help of large numbers of internet resources as well as advice from peers, I was, however, able to create a correctly designed and normalized database schema. As there was still much to do to bring the project up to a usable, stable, and well-designed condition, I decided to continue development by turning it into a Masters project, rather than abandoning it. 2.3.2 Requirements The biggest initial requirement6 for the class project was that it should be web-based, but easy to install and manage, including not being required to manage a database such as one would have to do for MySQL or other more complex database management systems. Support for simple database management systems, such as HSQLDB or SQLite, was therefore required, and 5 Karen Carter, Project Management System (slideshow presentation covering class project), Published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/presentation/d/1rZLu4eN4KOnBHDf2lRVjr04HUQYSznlyI_fpdoBML_k/edit?usp=sharing &authkey=CP7D8IgM 6 Karen Carter, My Project Requirements (initial class project requirements and completion dates), published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/spreadsheet/ccc?key=0Auez0eXd5ysadF9IWVFkUHpEbmtEUEw5S0JvdHZPTnc&usp=sh aring
  • 7. 5 allowing arbitrary database management systems to be used was initially required (this requirement turned out to be impractical as explained below). Login names and passwords for all users were also required, and anonymous viewing was not allowed. The project needed to support projects with deadlines and tasks, tasks with deadlines, priorities, progress estimates, classifications, and comments on all levels. An ability to define subtasks and attach them to other tasks was required, as well as basic sanitization of user input and an automatic build system with the ability to generate Javadocs, along with written instructions describing how to deploy the system. The project needed to support up to 25 students and to have specialized user interface options for professors and students, such as being able to view a list of their unfinished tasks and a list of recent comments, and for the professor to be able to see when students were unable to proceed without the professor completing some task. The project was required to include configurable options such as configurable lists (used in drop-down boxes in the application), font sizes, and colors. These configuration changes needed to be able to be made from within the application and not require a rebuild in order for them to take effect. Optional requirements that were also implemented were being able to mark tasks as dependent on other tasks, an ability to attach useful URLs to tasks, support for multiple professors within the same system (although not for a single project), an email-update system, and an ability to export project data into both CSV and XML. During the initial development period, further research revealed that one of the original requirements for the system, to have database-independent code, was infeasible without adding some type of object-relational mapping framework, such as Hibernate, which is designed to work with many different types of databases. This is because syntax and functionality vary so much between different relational database management systems (RDBMSes) on even a very basic
  • 8. 6 level, such as creating tables with auto-incrementing primary keys. So even though such statements are being executed via JDBC in this application, so that they can be executed on any RDBMS with a JDBC driver, the SQL statements themselves would need to be different to accommodate different RDBMSes. For example, in an HSQLDB, an identity column is used for this purpose, and it is automatically a primary key and therefore also guaranteed to be unique7 . In other databases such as DB2, however, identity columns are not automatically primary keys nor even necessarily unique8 . So in HSQLDB, to create a table with an auto-incrementing primary key and one other column, the following code would suffice: CREATE TABLE TestTable(id INT IDENTITY GENERATED BY DEFAULT AS IDENTITY (START WITH 1, INCREMENT BY 1), value INT NOT NULL); whereas in DB2 the following would be required: CREATE TABLE TestTable(id INT GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY 1), value INT NOT NULL, PRIMARY KEY(id)); The second statement would result in an error when executed in an HSQLDB, so neither version of the statement will work for all RDBMSes. So at a minimum the database and table creation code would need to be changed in order to use another RDBMS. 2.3.3 Design The overall architecture of Project Management System, as well as the technology used to create it, has mostly stayed constant throughout the project. The system uses a 4-tier 7 HSQLDB Development Group, Chapter 9. SQL Syntax (guide to HSQLDB), Publication date 2007/02/19, Last accessed 2013/04/20, Available at http://www.hsqldb.org/doc/guide/ch09.html#create_table-section 8 IBM, Administration Guide: Planning (guide to DB2), Publication date 2006/10/27, Last accessed 2013/04/20, Available at http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.udb.admin.doc%2Fdoc%2F c0004762.htm
  • 9. 7 architecture comprised of the presentation layer (JSP9 , HTML10 , JavaScript11 , jQuery12 , and CSS13 ), application layer (Java Servlet14 ), data access layer (JDBC15 ), and database layer (HSQLDB16 ), as seen in figure 1. Tomcat17 is the application server and controls much of the security for the application. Libraries used include DbUnit18 and opencsv19 for exporting the database to XML and CSV respectively, JavaMail20 for sending notification messages, and Apache Commons21 for escaping user input. Later the OWASP Enterprise Security API22 for escaping user input before inserting it into HTML, plus SLF4J23 and log4j24 for logging were added. 9 Oracle, JavaServer Pages Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javaee/jsp/index.html 10 HTML Working Group, W3C HTML, Last update 2013/01/24, Last accessed 2013/04/20, Available at http://www.w3.org/html/ 11 Mozilla Developer Network, JavaScript, Last update 2013/03/14, Last accessed 2013/04/20, Available at https://developer.mozilla.org/en-US/docs/JavaScript 12 The jQuery Foundation, jQuery, Last accessed 2013/04/20, Available at http://jquery.com/ 13 W3C, Cascading Style Sheets home page, Last update 2013/04/20, Last accessed 2013/04/20, Available at http://www.w3.org/Style/CSS/Overview.en.html 14 Oracle, Java Servlet Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135475.html 15 Oracle, Java SE Technologies – Database, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javase/jdbc/index.html 16 The hsql Development Group, HyperSQL, Last update 2012/08/22, Last accessed 2013/04/20, Available at http://hsqldb.org/ 17 The Apache Software Foundation, Apache Tomcat, Last update 2013/03/26, Last accessed 2013/04/20, Available at http://tomcat.apache.org/ 18 DbUnit Development Team, About DbUnit, Last update 2012/09/30, Last accessed 2013/04/20, Available at http://www.dbunit.org/ 19 opencsv Development Team, opencsv, Last update 2011/07/28, Last accessed 2013/04/20, Available at http://opencsv.sourceforge.net/ 20 Oracle, JavaMail, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javamail/index.html 21 The Apache Software Foundation, Apache Commons, Last accessed 2013/04/20, Available at http://commons.apache.org/ 22 OWASP, Category: OWASP Enterprise Security API, Last update 2012/08/29, Last accessed 2013/04/20, Available at https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API 23 QOS.ch, Simple Logging Façade for Java (SLF4J), Last accessed 2013/04/20, Available at http://www.slf4j.org/ 24 The Apache Software Foundation, Apache Log4j 2, Last accessed 2013/04/20, Available at http://logging.apache.org/log4j/2.x/
  • 10. 8 Figure 1. Architecture Diagram 2.3.4 Positives One good thing that came out of the initial development was a well-designed database schema, as seen in figure 2. This was a result of studying basic definitions of normalization and the proper way to handle lists of values as reference tables. Appropriate primary keys and foreign keys were also defined wherever necessary. In addition data types for columns were defined appropriately and NOT NULL and UNIQUE constraints were added wherever required. After completing a database class it was possible to revisit the schema and verify that it was correctly designed. Subsequently the only changes made to the schema were to facilitate additional functionality or to make certain queries simpler, such as removing a surrogate auto-
  • 11. 9 incrementing key for users and instead changing the schema and SQL statements to use the natural key of each user’s username. Figure 2. Database Schema Diagram 2.3.5 Negatives After the initial development in Spring 2011, there was a number of major issues that needed to be addressed. The issue that most affected usability was that, instead of considering individual requests on their own, they were considered within the context of a certain workflow. The user was required to first view a project, then view individual tasks, so that there was no way to bookmark a certain task and return to it later, share a link to a task or project with another user from the project, or have multiple browser windows open to different projects at the same time. The last issue would be a major hindrance for instructors, at the very least. This issue was caused by storing too much information, such as the currently selected project, in the session
  • 12. 10 instead of only storing information in the request and considering requests on their own. Also of great concern to potential users was the fact that the application lacked any sort of protection for confidential information, namely user passwords. Passwords were stored in plain text in the database and SSL was not used to protect passwords when users logged in. There were also several issues of concern from a development and design standpoint. Debugging was made exponentially more difficult by the fact that the application didn't log error messages in any way. Tomcat logs still functioned, but any errors from within the application itself were swallowed. As mentioned previously I had virtually no database experience prior to working on this project. As a result I only knew how to do the most basic of SELECT statements in SQL, and so used no JOIN statements at all throughout the data access layer. This resulted in very poorly designed and overly complicated data access code, where it took multiple repeated queries to retrieve the data for any slightly complex object. Connection pooling for database connections was not used, so certain pages had extremely bad performance with even a trivial amount of data in the database. Instead of retrieving just the necessary information with one query, all the projects and all their tasks were loaded at once, each with a separate call to the data access layer and thus each with its own opening and closing of a database connection; the time required for such operations quickly became non-trivial. Finally the system did not close JDBC resources properly, so if any type of error occurred while working with the database, memory leaks could easily result.
  • 13. 11 3 Research and Development 3.1 Redesign and Rewrite of Application and Data Access Layers The largest and most time-consuming development task was redesigning and rewriting most of the application and data access layers, along with chunks of code in the presentation layer. As mentioned above, originally the system required a certain workflow. First the user would login, and all of their projects would be loaded. Then they would request a certain project, with the project number being relative to the user (so user A requesting project 1 might retrieve a different project than user B requesting project 1). At that point all the tasks for the project were loaded. Then the user would request a certain task associated with the project, and again the task number was relative to the specific project. The project and task information was stored in the session rather than in the individual request, so another result of this was that a user could not have multiple tabs open to different projects at the same time. This was changed so that each request was considered independently and so that the project and task numbers were universal. A user could therefore bookmark a task and go directly to that task at a later time, and students working on the same project could send a link for a certain task to one another. The data access layer had to be changed so that tasks and projects were loaded individually for each request instead of pre-loaded and stored in the session when the user logged in or visited a project page. Some methods were rewritten while others had to be eliminated and changed to something entirely new. The application layer had to be rewritten to make calls to the database for every request instead of assuming some information was already loaded, and in both the application layer and presentation layer the numbering scheme had to be changed to reflect using the actual database IDs rather than numbers relative to the specific user and project involved in the request.
  • 14. 12 3.2 Database-Related Improvements After the initial development during Spring 2011, research continued on various database-related topics. The first issue that was addressed was that of proper closing of database resources in the event of an exception or error. In Java 6, closing resources correctly was extremely cumbersome. It required multiple nested try-catch-finally blocks, like this:
  • 15. 13 try { Connection conn = DriverManager.getConnection("jdbc:mysql://" + host + "/" + name, username, password); try { PreparedStatement statement = conn.prepareStatement("SELECT * FROM TestTable WHERE id = ?"); try { statement.setString(1, id); ResultSet rs = statement.executeQuery(); try { while (rs.next()) { doSomething(); } } catch (SQLException e) { e.printStackTrace(); } finally { rs.close(); } } catch (SQLException e) { e.printStackTrace(); } finally { statement.close(); } } catch (SQLException e) { e.printStackTrace(); } finally { conn.close(); } } catch (SQLException e) { e.printStackTrace(); } This process was complicated and error-prone. In addition, very few online resources (even very reputable ones) showed the correct procedure, so even finding out how to correctly close all resources was difficult. After doing quite a bit of research, the above method seemed
  • 16. 14 most correct, although there were still many conflicting tutorials. Luckily Java 7 added an "automatic resource management" or ARM via the try-with-resources capability25 . The project was migrated to Java 7 in order to take advantage of this feature. With Java 7 the above code can be condensed to this: try (Connection conn = DriverManager.getConnection("jdbc:mysql://" + host + "/" + name, username, password); PreparedStatement statement = conn.prepareStatement("SELECT * FROM TestTable WHERE id = ?")) { statement.setString(1, id); try (ResultSet rs = statement.executeQuery()) { while (rs.next()) { doSomething(); } } catch (SQLException e) { e.printStackTrace(); } } catch (SQLException e) { e.printStackTrace(); } which is much easier both to write and to understand. The next problem to be addressed was the issue of some pages loading very slowly due to repeated calls to the data access layer and repeated opening and closing of connections to the database. First, both the application layer and data access layer code were rewritten so that only a single call to the data access layer was made, and thus only one connection to the database was opened and closed. Then the code was rewritten to make use of connection pooling so that opening and closing connections would no longer be slow. At first the intention was to directly 25 Oracle, The try-with-resources Statement, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html
  • 17. 15 use Apache Commons DBCP26 , but subsequently the discovery was made that Tomcat itself has support for connection pooling built in27 , so the code was changed to use that. 3.3 Security The next area for improvement was security. Although most of the data in the system is not particularly confidential, it does contain users' passwords, which might be reused on other sites and thus should be protected as much as possible. SSL was enabled in Tomcat by creating a self-signed certificate and adding the appropriate information to Tomcat's configuration files28 . This protects the user's password while in transit from their machine to the server upon which the system resides. In addition, research was done on ways to secure passwords in the database. The most highly recommended way to do this is using a one-way hash, and three different algorithms for this purpose are highly recommended29 . They are bcrypt30 , scrypt31 , and PBKDF232 . All three are computationally slow when executed on ordinary hardware, and all three can be adjusted as time goes on and processors get faster so that they stay computationally slow. bcrypt and PBKDF2 are both established algorithms that were created more than 10 years ago (in 1999 and 2000 respectively). bcrypt has an advantage in that the algorithm cannot be sped up by using a 26 The Apache Software Foundation, commons DBCP, Last update 2010/11/25, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-dbcp/ 27 The Apache Software Foundation, JNDI Datasource HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html 28 The Apache Software Foundation, SSL Configuration HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html 29 https://news.ycombinator.com/item?id=3724772, http://security.stackexchange.com/questions/4781/do-any- security-experts-recommend-bcrypt-for-password-storage, http://www.reddit.com/r/PHP/comments/1c210u/opinions_on_password_safetybcryptscryptpbkdf2/ 30 Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, Date published 1999/04/28, Available at http://static.usenix.org/events/usenix99/provos/provos_html/node1.html 31 Colin Percival, Stronger Key Derivation Via Sequential Memory-Hard Functions, Date presented May 2009, Available at http://www.tarsnap.com/scrypt/scrypt.pdf 32 B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, Date published September 2000, Available at http://tools.ietf.org/html/rfc2898
  • 18. 16 GPU, whereas PBKDF2 can be. scrypt is still relatively new, dating from 2009, and in addition to being processor-intensive it is also memory-intensive, thus increasing the hardware cost for brute-forcing the algorithm. bcrypt was chosen over scrypt due to its longer, proven track-record and the fact that it was unclear how the demands on memory for scrypt would affect the performance of the server on which it was run. In order to use bcrypt, a custom Tomcat Realm had to be written, as Tomcat's only default support is for SHA, MD2, or MD5, which are all currently outdated and considered inadequate protection33 . The Java implementation jBCrypt34 was used. Ways to secure the database itself were also researched. HSQLDB can restrict access to the database server in various ways by rejecting incoming connections according to settings in a configuration file35 . Access was restricted so that the only connections that are accepted come from the same server on which HSQLDB is running. Figure 3 depicts the layers of security used to protect user passwords on their way from the client to the database and back out. 33 Bugzilla Bug, Tomcat Servlet Container development, Last updated 2012/08/28, Last accessed 2013/04/20, Available at http://comments.gmane.org/gmane.comp.jakarta.tomcat.devel/123309 34 Damien Miller, jBCrypt, Last updated 2010/02/01, Last accessed 2013/04/20, Available at http://www.mindrot.org/projects/jBCrypt/ 35 The HSQL Development Group, HyperSQL User Guide, Last update 2013/03/18, Last accessed 2013/04/20, Available at http://hsqldb.org/doc/2.0/guide/guide.html#lsc_acl
  • 19. 17 Figure 3. Password Security Measures The best ways to protect against malicious user input were also researched. The project initially used Apache Common’s StringEscapeUtils36 and Java’s URLEncoder37 to escape user input and theoretically make it safe for display or for use in URLs; however, simply using StringEscapeUtils is not actually sufficient. Escaping strings for display in a web page requires different methods depending on where in the document (as the value of a text input, as a link, inside a header, etc.) the string will be displayed. The Open Web Application Security Project 36 The Apache Software Foundation, Class StringEscapeUtils, Last update 2011/07/19, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-lang/javadocs/api- 3.1/org/apache/commons/lang3/StringEscapeUtils.html 37 Oracle, Class URLEncoder, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
  • 20. 18 (OWASP) has utilities to deal with these different scenarios properly38 , and so their library was added to the project and their utilities were used to escape all user input that needed to be displayed. URLEncoder’s method is sufficient for escaping input that will be part of a URL, so it is still used. Finally a few more ways to secure the system were researched and implemented. Tomcat provides a Lockout Realm, which automatically locks out a user for a certain period of time if there are too many failed login attempts by that user within a certain period of time39 . This provides a nice trade-off so that legitimate users who have forgotten a password can simply wait to try again, but brute-forcing a password would be extremely time-consuming. PreparedStatements and parameterization for all SQL queries involving user input were used to try and eliminate any possibility of SQL injection attacks. This is the primary method to prevent such attacks in Java40 . Finally, checks on users' authorization to perform CRUD operations were added on multiple levels. First user authorization is checked within the presentation layer, so that legitimate users cannot accidentally try to do something they are not authorized to do. Then authorization is checked within the application layer, to ensure that malicious users cannot purposely do something they are not authorized to do. Lastly the data access layer itself checks authorization, in order to ensure the integrity of the database at all times. 3.4 Logging In order to facilitate debugging and trouble-shooting, logging was also implemented in order to see where issues occur, if they do. In the initial development of the system, DBUnit was 38 OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet, Last update 2013/03/15, Last access 2013/04/20, Available at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 39 The Apache Software Foundation, Realm Configuration HOW-TO, Last update 2013/03/22, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#LockOutRealm 40 OWASP, Preventing SQL Injection in Java, Last update 2009/05/27, Last access 2013/04/20, Available at https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
  • 21. 19 used in order to export the database to XML. DBUnit has logging built into it, and so the jars for slf4j and log4j were already included, so they were used for the actual logging code. It was very simple to set up using configuration files, and that plus compiling with debug mode on means that in the log the line numbers where issues occur can also be seen. Logging was added to all existing code in all try-catch blocks, as well as other places that seemed useful. Finally, the application’s overall error handling was addressed. Instead of using the default Tomcat error- page the application was configured to use a global error page (which also ties into security: if an attacker knows the application is running on Tomcat then they can target Tomcat itself), and made sure that in the event of an error such as a badly formatted date or other exception, the user will be forwarded to the error page. A choice of two error pages is given to the administrator of the system via configuration files. One only displays a generic error message and information on who to contact for help. The other displays detailed information on the exception that occurred as well as where in the code it occurred. Thus the administrator can choose how much information should be revealed to users of the system in case of errors. An authorization error page was also added, for when a user attempts to access a resource they are not allowed to access. 3.5 Software Development Methodology Throughout both the initial and later development of the system I used a version of the Scrum software development methodology41, 42 , tweaked to account for it being a one-person 41 Ken Schwaber and Jeff Sutherland, The Scrum Guide, Last update October 2011, Last accessed 2013/04/20, Available at http://www.scrum.org/Portals/0/Documents/Scrum%20Guides/Scrum_Guide.pdf#zoom=100 42 Henrik Kniberg, Scrum and XP from the Trenches, Published 2007/10/04, Last accessed 2013/04/20, Available at http://www.infoq.com/minibooks/scrum-xp-from-the-trenches
  • 22. 20 project43 . In the later part of the development I tried to be more formal, using burndown charts and recording sprint planning, retrospectives, and reviews on a blog44 . For over a year I have also been using Scrum as a part of my work as a full-time software developer. What I have discovered is that, although Scrum is extremely useful in a full-time work-environment, many of its benefits cannot be transferred to sporadic part-time work such as that done on a student project. With full-time work of 40 hours per week, after a few sprints a velocity does become apparent, and this can be used to forecast how many story-points should be included in future sprints. With part-time work, however, the amount of hours available for work per sprint varies greatly, so forecasting and planning are much more difficult. The burndown charts themselves were nearly useless for Project Management System. Scrum is still useful as an organizational tool, but trying to strictly timebox work into sprints is nearly impossible. It becomes a case of getting as much done as you can in the time available, and work frequently gets carried over from one sprint into the next, according to what has the highest priority. I believe this is an endemic problem with student projects: due to the unpredictability of how many hours are available for work, in addition to the lack of co-location during working hours and varying levels of commitment (for projects of more than one student), software development methodologies developed in industry cannot provide the same benefits in academia. In the later development of the system I had also hoped to incorporate test-driven development (TDD). Despite large amounts of research online and reading Test Driven Development: By Example45 , I was unable to figure out how to incorporate TDD into the project. In part this is because it is far easier to begin with TDD than to attempt to retrofit it into an 43 http://blog.jgpruitt.com/tag/personal-scrum/, http://www.21apps.com/agile/doing-agile-in-a-team-of-one-day2/, http://brainslink.com/2011/07/scrum-for-one-can-be-done-almost/ 44 Karen Carter, Shambling Towards Perfection, Last update 2013/04/18, Last accessed 2013/04/20, Available at http://shamblingblindly.blogspot.com/ 45 Kent Beck, Test Driven Development: By Example, Published 2002/11/18
  • 23. 21 existing project, but also because TDD itself is a difficult concept to grasp for anything other than trivial examples (yet trivial examples are by far the most common for TDD tutorials and articles). Some practitioners went so far as to claim that TDD should be learned in person from someone who already knows TDD. Ultimately I decided it would take too much time away from the other required development work to attempt to truly implement TDD in the project. 4 Evaluation 4.1 Examples and Screen Shots In a typical usage scenario, the instructor begins by creating a project. Figure 4 is the screen on display when he begins this process. Figure 4. Initial Screen for Creating a Project
  • 24. 22 He enters the student associated with the project, the project type, due date, and other information, as displayed in Figure 5. Figure 5. Entering Student Information Next the instructor creates tasks for the student and enters their priority, due date, and other information, as shown in Figure 6. Figure 6. Creating Task for Student
  • 25. 23 Before one task can be completed, a second task must be finished, so the instructor marks the first task as dependent on the second task. Figure 7. Defining Task as Dependent
  • 26. 24 One of the tasks was entered with an incorrect due date, so the instructor edits the task. This is displayed in Figure 8. Figure 8. Editing Task
  • 27. 25 Next, the instructor adds a comment and a link to the task, demonstrated in Figure 9 and Figure 10. Figure 9. Professor Creating Comment Figure 10. Professor Creating Link
  • 28. 26 To make sure everything is correct, the instructor views the task with the comment and link. This is seen in Figure 11. Figure 11. Viewing Completed Task
  • 29. 27 Now the instructor can view all the tasks associated with the project, as seen in Figure 12. Figure 12. Viewing Tasks for a Project Figure 13 displays the instructor’s view when he checks which tasks remain unfinished. Figure 13. List of Unfinished Tasks
  • 30. 28 The instructor can view the comments and links that have been created in the last two weeks, as seen in Figure 14. Figure 14. Last Two Weeks of Comments and Links The instructor can see a list of users that currently exist in the system, as shown in Figure 15. Figure 15. Instructor's View of Registered Users
  • 31. 29 As seen in Figure 16, the instructor can edit his profile if any information was not initially filled out or was filled out incorrectly. Figure 16. Instructor Editing Personal Profile
  • 32. 30 With the tools shown in Figure 17, the instructor can edit any of the default values for a variety of things: task priorities, project types, etc. Figure 17. Professor Editing Default Values Finally the student logs in, and Figure 18 displays his own view of the project. Figure 18. Student's View of Project
  • 33. 31 4.2 Quality Analysis 4.2.1 Automated Tools Starting out, one of the goals for the system was to have code that is as correct as possible in design and implementation. To this end research was done on some of the automated tools available for static code analysis46 . Three widely used tools that are available as Eclipse47 plug- ins were chosen: Checkstyle48 , FindBugs49 , and PMD50 . Checkstyle was originally designed to check whether code adheres to a coding standard, but has been expanded to look for duplicate code, problems with design, and bug patterns. FindBugs analyses Java bytecode and looks for patterns that indicate possible bugs, such as variables that are never used, concatenating strings to be used in JDBC calls (instead of parameterizing them), and many other types of potentially problematic coding practices. PMD looks for many of the same kinds of issues that FindBugs does, but analyses Java source code. All three tools are expandable, so developers can create custom rules for the tools to look for. Of the three, FindBugs was the most useful by far. Virtually all of the things FindBugs marked were genuine issues, so it was a very useful tool and it helped to resolve some things that could have led to bugs in the application. Checkstyle and PMD, however, raised a huge number of flags, so much so that nearly every line was flagged, yet many of the flags were invalid or at least extremely debatable. This included most of Checkstyle’s style warnings, such as giving opening curly brackets their own line. There were also flags by PMD on issues such as using 46 Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Published 2004/11/02, Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf 47 The Eclipse Foundation, Eclipse, Last access 2013/04/20, Available at http://www.eclipse.org/ 48 David Schneider and Lars Ködderitzsch, Eclipse-Checkstyle Integration, Last access 2013/04/20, Available at http://eclipse-cs.sourceforge.net/ 49 Bill Pugh and Andrey Loskutov, FindBugs – Find Bugs in Java Programs, Last update 2012/12/10, Last access 2013/04/20, Available at http://findbugs.sourceforge.net/ 50 PMD, PMD, Last update 2013/04/05, Last access 2013/04/20, Available at http://pmd.sourceforge.net/
  • 34. 32 System.out.println for output in a command-line tool, or overriding javax.servlet.http.HttpServlet.doGet, doing what Tomcat’s own documentation discusses51 . PMD also flagged every single parameter and variable that could be declared final. Declaring parameters as final, while possible, is a questionable practice, as some say it clutters code for little benefit and reduces code clarity, although others claim it reduces bugs and improves code quality52 . Both Checkstyle and PMD were also harder to configure than FindBugs, so it would have taken a lot of work to get them configured to ignore the types of errors that were less useful or seemed erroneous. In the end Checkstyle and PMD were turned off and only FindBugs was left enabled, and its flags were continuously reviewed to check for any potential issues. During the course of the project, large amounts of code were completely rewritten to correct mistakes and misjudgments made during the initial development when the project was merely a class project. Another very helpful Eclipse plugin used to clean up the old code and remove now-unused methods was UCDetector53 . It detected methods that were no longer being called anywhere within the project. It also provided recommendations on classes and methods that were more public than they needed to be. This helped in making the code base more readable, making sure outdated methods couldn’t be called mistakenly, and that internal methods weren’t called improperly by other classes. 51 The Apache Software Foundation, Class HttpServlet, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServlet.html 52 http://stackoverflow.com/questions/266806/is-there-any-performance-reason-to-declare-method-parameters-final- in-java, http://stackoverflow.com/questions/316352/why-would-one-mark-local-variables-and-method-parameters- as-final-in-java, http://stackoverflow.com/questions/5380177/final-arguments-in-interface-methods-whats-the- point?rq=1 53 Jörg Spieler, UCDetector: Unnecessary Code Detector, Last update 2013/04/11, Last access 2013/04/20, Available at http://www.ucdetector.org/
  • 35. 33 4.2.2 Design Principles Throughout the project proper coding techniques were followed as much as possible, and research was done to try and further improve design and programming techniques54 . Code was reused whenever possible, following the Don’t Repeat Yourself (DRY) principle, and interfaces were used for the data models and data access layer, following the design by contract approach. 4.2.3 Unaddressed Issues There were some design and technique issues that could not be improved due to the time constraints of the project. The biggest of these, in terms of its presence in code, is that instead of using JavaServer Pages Standard Tag Library (JSTL)55 , scriptlets (sections of plain Java code) are used throughout the presentation layer. Scriptlets have been considered outdated and not good coding practice for years56 , although many online tutorials still use them, and following those tutorials led to their initial inclusion in the project. An attempt was made to rewrite the existing scriptlets into JSTL, but unfortunately much extra work is needed to use static methods57 such as those in the OWASP library for encoding user input, which are used in nearly every JSP. Custom EL functions would need to be written58 and/or web.xml would need to be 54 Andrew Hunt and David Thomas, The Pragmatic Programmer: From Journeyman to Master, Published 1999/10/30 55 Oracle, JavaServer Pages Standard Tag Library, Last access 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135995.html 56 http://stackoverflow.com/questions/4535423/jstl-vs-jsp-scriptlets, http://www.coderanch.com/t/469280/JSP/java/Scriptlet-JSTL, http://www.coderanch.com/t/414294/JSP/java/scriptlets-EL-JSTL, https://groups.google.com/forum/?fromgroups=#!topic/comp.lang.java.programmer/W5cER3Q21cQ 57 StackOverflow, How to call a static method in JSP/EL?, Last update 2012/05/08, Last accessed 2013/04/20, Available at http://stackoverflow.com/questions/6395621/how-to-call-a-static-method-in-jsp-el 58 JavaRanch, Define EL Functions, Last accessed 2013/04/20, Available at http://www.coderanch.com/how- to/java/DefineELFunctions
  • 36. 34 updated to conform to Servlet 3.0 specifications59 , and there was insufficient time to figure out exactly how this would work and get it working. The other major area, primarily in terms of user experience, where time prohibited best practices was in user interface design. Although I took a user interface design class and researched on my own60, 61 , there was not time to improve the design and work with users to figure out where the system could most use improvement, what most impeded their workflow, or what features were most needed from a user experience perspective. As a result the system is fully functional and capable of performing the essential tasks needed to manage and track a student project, but it does not have the most efficient or effective design and may make certain tasks more difficult than they could be. Information is also not necessarily presented in the clearest or easiest-to-understand manner. Better grouping of related fields, clearly highlighting required fields, and more verification and validation of user input would all greatly enhance the user interface. 5 Conclusions 5.1 Future Work 5.1.1 Last Updated/Last Active Features There is a number of issues that were not addressed and features that were not developed due to time constraints. These could be addressed in the future, given enough time. In addition 59 StackOverflow, how to call parameterized method from JSP using JSTL, Last update 2012/05/25, Last access 2013/04/20, Available at http://stackoverflow.com/questions/7121303/how-to-call-parameterized-method-from-jsp- using-jstl 60 Jeff Johnson, Designing with the Mind in Mind: Simple Guide to Understanding User Interface Design Rules, Published 2010/06/03 61 Jeff Johnson, GUI Bloopers 2.0, Second Edition: Common User Interface Design Don’ts and Dos (Interactive Technologies), Published 2007/09/10
  • 37. 35 to replacing scriptlets with JSTL and improving the user interface design, as mentioned above, currently unused columns were added to the database to support a number of features that were not implemented. Columns were added to track who last updated projects and tasks and at what time the last update occurred. Columns were also added to track the last login date for users. These columns were intended to be used in a variety of ways, in addition to simply displaying this data for users to see. They could be used to show the user what tasks and projects have been updated since the last time they logged in, to order tasks and projects by their last update, and to show instructors when students last logged in, to see if they have been using the system or not. 5.1.2 Subtask and Dependent Task Relationship Features Columns were also added to support visualization features with regards to task dependency and subtask relationships. First, cycles would need to be detected and prevented during task editing. Then, since each task may only be a subtask of one other task, but a task may have many subtasks, the set of tasks in subtask relationships would form a set of trees. Columns were added to support path enumeration for these relationships, as described in SQL Antipatterns62 , as that method would be very fast for the most frequent usecase of seeing all descendants and ancestors of a task, and it would be fairly simple to implement. Each task can depend on many tasks and can have many tasks dependent on it, so the set of tasks in dependency relationships would form a set of directed acyclic graphs (DAGs). Representing DAGs in a database is more complicated63 , but a new table was added to support this using an adjacency list containing the complete list of paths (the transitive closure) of the graph. 62 Bill Karwin, SQL Antipatterns: Avoiding the Pitfalls of Database Programming, Published 2010/07/02 63 Kemal Erdogan, A Model to Represent Directed Acyclic Graphs (DAG) on SQL Databases, Published 2008/01/10, Last accessed 2013/04/20, Available at http://www.codeproject.com/Articles/22824/A-Model-to- Represent-Directed-Acyclic-Graphs-DAG-o
  • 38. 36 Adding this functionality would enable visualizing the DAGs and trees formed by the task relationships, and could also be used for ordering the tasks according to these relationships when viewing the tasks as part of the project page. 5.2 Enhancements 5.2.1 Ease of Use There are many opportunities for further enhancements aside from those that were already researched or partially started. The ability for the user to reset a forgotten password would be extremely useful, and adding an “undo” capability would also help when the user makes a mistake. Adding a mobile-formatted version or actual mobile apps (Android, iOS, etc.) would assist in making the application more accessible for a variety of users. Options for sorting tasks by different values (priority, type, due date, etc.) would also help make the application more usable according to the user’s needs. More options for exporting data, such as exporting a user’s projects through the web interface, would make the application more flexible and allow users to take data with them after a project is over or when switching to a different system. Allowing data import would also be helpful for users wanting to start with a fresh installation or in the event of splitting off a project into a new project. 5.2.2 Security and Stability Adding requirements for the length and/or complexity of user passwords would protect users from having their passwords guessed by others. Security could also be enhanced by further restricting access to the database by restricting the privileges for the database user according to
  • 39. 37 what actions are allowed for each table. For example, tasks and projects are never completely deleted, so not allowing the database user used by the web application to perform deletes on those tables would be helpful. Adding unit tests with JUnit64 and DBUnit, along with other tests of functionality and even of the user interface, would improve stability and help ensure legacy code would not break when code was edited or updated. Upgrading to HTML 5 and CSS 3 would assist in making the code more future-proof. 5.3 Conclusion Project Management System attempts to serve the unique needs of academic project management. The basic functionality for managing projects, creating and editing tasks, and recording progress is present, fairly efficient, and includes basic security features. There are many opportunities for further development, including refining the user interface, adding additional features, and further enhancing security and the user experience. 64 junit-team, JUnit, Last accessed 2013/04/20, Available at http://junit.org/
  • 40. 38 References Andrew Hunt and David Thomas, The Pragmatic Programmer: From Journeyman to Master, Published 1999/10/30 B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, Date published September 2000, Available at http://tools.ietf.org/html/rfc2898 Bill Karwin, SQL Antipatterns: Avoiding the Pitfalls of Database Programming, Published 2010/07/02 Bill Pugh and Andrey Loskutov, FindBugs – Find Bugs in Java Programs, Last update 2012/12/10, Last access 2013/04/20, Available at http://findbugs.sourceforge.net/ Bugzilla Bug, Tomcat Servlet Container development, Last updated 2012/08/28, Last accessed 2013/04/20, Available at http://comments.gmane.org/gmane.comp.jakarta.tomcat.devel/123309 Colin Percival, Stronger Key Derivation Via Sequential Memory-Hard Functions, Date presented May 2009, Available at http://www.tarsnap.com/scrypt/scrypt.pdf Damien Miller, jBCrypt, Last updated 2010/02/01, Last accessed 2013/04/20, Available at http://www.mindrot.org/projects/jBCrypt/ David Schneider and Lars Ködderitzsch, Eclipse-Checkstyle Integration, Last access 2013/04/20, Available at http://eclipse-cs.sourceforge.net/ DbUnit Development Team, About DbUnit, Last update 2012/09/30, Last accessed 2013/04/20, Available at http://www.dbunit.org/ Fog Creek Software, Inc., Trello (project management application), Available from https://trello.com/, Last accessed on 2013/04/20 Henrik Kniberg, Scrum and XP from the Trenches, Published 2007/10/04, Last accessed 2013/04/20, Available at http://www.infoq.com/minibooks/scrum-xp-from-the-trenches HSQLDB Development Group, Chapter 9. SQL Syntax (guide to HSQLDB), Publication date 2007/02/19, Last accessed 2013/04/20, Available at http://www.hsqldb.org/doc/guide/ch09.html#create_table-section HTML Working Group, W3C HTML, Last update 2013/01/24, Last accessed 2013/04/20, Available at http://www.w3.org/html/ http://blog.jgpruitt.com/tag/personal-scrum/, http://www.21apps.com/agile/doing-agile-in-a- team-of-one-day2/, http://brainslink.com/2011/07/scrum-for-one-can-be-done-almost/ http://stackoverflow.com/questions/266806/is-there-any-performance-reason-to-declare-method- parameters-final-in-java, http://stackoverflow.com/questions/316352/why-would-one- mark-local-variables-and-method-parameters-as-final-in-java, http://stackoverflow.com/questions/5380177/final-arguments-in-interface-methods- whats-the-point?rq=1 http://stackoverflow.com/questions/4535423/jstl-vs-jsp-scriptlets, http://www.coderanch.com/t/469280/JSP/java/Scriptlet-JSTL, http://www.coderanch.com/t/414294/JSP/java/scriptlets-EL-JSTL,
  • 41. 39 https://groups.google.com/forum/?fromgroups=#!topic/comp.lang.java.programmer/W5c ER3Q21cQ https://news.ycombinator.com/item?id=3724772, http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend- bcrypt-for-password-storage, http://www.reddit.com/r/PHP/comments/1c210u/opinions_on_password_safetybcryptscr yptpbkdf2/ IBM, Administration Guide: Planning (guide to DB2), Publication date 2006-10-27, Last accessed 2013/04/20, Available at http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.u db.admin.doc%2Fdoc%2Fc0004762.htm JavaRanch, Define EL Functions, Last accessed 2013/04/20, Available at http://www.coderanch.com/how-to/java/DefineELFunctions Jean-Philippe Lang, Redmine (project management web application), currently in use as of 2013/04/20 while employed at New Mexico Department of Agriculture, Available from http://www.redmine.org/projects/redmine, Last accessed on 2013/04/20 Jeff Johnson, Designing with the Mind in Mind: Simple Guide to Understanding User Interface Design Rules, Published 2010/06/03 ———, GUI Bloopers 2.0, Second Edition: Common User Interface Design Don’ts and Dos (Interactive Technologies), Published 2007/09/10 Jörg Spieler, UCDetector: Unnecessary Code Detector, Last update 2013/04/11, Last access 2013/04/20, Available at http://www.ucdetector.org/ junit-team, JUnit, Last accessed 2013/04/20, Available at http://junit.org/ Karen Carter, My Project Requirements (initial class project requirements and completion dates), published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/spreadsheet/ccc?key=0Auez0eXd5ysadF9IWVFkUHpEbmtEUE w5S0JvdHZPTnc&usp=sharing ———, Project Management System (slideshow presentation covering class project), Published Spring 2011, Last accessed 2013/04/20, Available at https://docs.google.com/presentation/d/1rZLu4eN4KOnBHDf2lRVjr04HUQYSznlyI_fpd oBML_k/edit?usp=sharing&authkey=CP7D8IgM ———, Shambling Towards Perfection, Last update 2013/04/18, Last accessed 2013/04/20, Available at http://shamblingblindly.blogspot.com/ Kemal Erdogan, A Model to Represent Directed Acyclic Graphs (DAG) on SQL Databases, Published 2008/01/10, Last accessed 2013/04/20, Available at http://www.codeproject.com/Articles/22824/A-Model-to-Represent-Directed-Acyclic- Graphs-DAG-o Ken Schwaber and Jeff Sutherland, The Scrum Guide, Last update October 2011, Last accessed 2013/04/20, Available at http://www.scrum.org/Portals/0/Documents/Scrum%20Guides/Scrum_Guide.pdf#zoom= 100
  • 42. 40 Kent Beck, Test Driven Development: By Example, Published 2002/11/18 Mozilla Developer Network, JavaScript, Last update 2013/03/14, Last accessed 2013/04/20, Available at https://developer.mozilla.org/en-US/docs/JavaScript Mozilla Foundation, Bugzilla (bug-tracking system), used until November 2011 while employed at Physical Science Laboratory, Available from http://www.bugzilla.org/, Last accessed on 2013/04/20 Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Published 2004/11/02, Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, Date published 1999/04/28, Available at http://static.usenix.org/events/usenix99/provos/provos_html/node1.html opencsv Development Team, opencsv, Last update 2011/07/28, Last accessed 2013/04/20, Available at http://opencsv.sourceforge.net/ Oracle, Class URLEncoder, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html ———, Java SE Technologies – Database, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javase/jdbc/index.html ———, Java Servlet Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135475.html ———, JavaMail, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javamail/index.html ———, JavaServer Pages Standard Tag Library, Last access 2013/04/20, Available at http://www.oracle.com/technetwork/java/index-jsp-135995.html ———, JavaServer Pages Technology, Last accessed 2013/04/20, Available at http://www.oracle.com/technetwork/java/javaee/jsp/index.html ———, The try-with-resources Statement, Last accessed 2013/04/20, Available at http://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html OWASP, Category: OWASP Enterprise Security API, Last update 2012/08/29, Last accessed 2013/04/20, Available at https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API ———, Preventing SQL Injection in Java, Last update 2009/05/27, Last access 2013/04/20, Available at https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java ———, XSS (Cross Site Scripting) Prevention Cheat Sheet, Last update 2013/03/15, Last access 2013/04/20, Available at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Chea t_Sheet PMD, PMD, Last update 2013/04/05, Last access 2013/04/20, Available at http://pmd.sourceforge.net/
  • 43. 41 QOS.ch, Simple Logging Façade for Java (SLF4J), Last accessed 2013/04/20, Available at http://www.slf4j.org/ Roundup-Team, Roundup (issue-tracking system), used during class project in Spring 2011, Available from http://roundup.sourceforge.net/, Last accessed on 2013/04/20 StackOverflow, How to call a static method in JSP/EL?, Last update 2012/05/08, Last accessed 2013/04/20, Available at http://stackoverflow.com/questions/6395621/how-to-call-a- static-method-in-jsp-el ———, How to call parameterized method from JSP using JSTL, Last update 2012/05/25, Last access 2013/04/20, Available at http://stackoverflow.com/questions/7121303/how-to- call-parameterized-method-from-jsp-using-jstl The Apache Software Foundation, Apache Commons, Last accessed 2013/04/20, Available at http://commons.apache.org/ ———, Apache Log4j 2, Last accessed 2013/04/20, Available at http://logging.apache.org/log4j/2.x/ ———, Apache Tomcat, Last update 2013/03/26, Last accessed 2013/04/20, Available at http://tomcat.apache.org/ ———, Class HttpServlet, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServlet.html ———, Class StringEscapeUtils, Last update 2011/07/19, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-lang/javadocs/api- 3.1/org/apache/commons/lang3/StringEscapeUtils.html ———, commons DBCP, Last update 2010/11/25, Last accessed 2013/04/20, Available at http://commons.apache.org/proper/commons-dbcp/ ———, JNDI Datasource HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples- howto.html ———, Realm Configuration HOW-TO, Last update 2013/03/22, Last access 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#LockOutRealm ———, SSL Configuration HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html The Eclipse Foundation, Eclipse, Last access 2013/04/20, Available at http://www.eclipse.org/ The HSQL Development Group, HyperSQL User Guide, Last update 2013/03/18, Last accessed 2013/04/20, Available at http://hsqldb.org/doc/2.0/guide/guide.html#lsc_acl ———, HyperSQL, Last update 2012/08/22, Last accessed 2013/04/20, Available at http://hsqldb.org/ The jQuery Foundation, jQuery, Last accessed 2013/04/20, Available at http://jquery.com/ W3C, Cascading Style Sheets home page, Last update 2013-04-20, Last accessed 2013/04/20, Available at http://www.w3.org/Style/CSS/Overview.en.html