2. Abstract
Existing project management and bug-tracking tools are primarily aimed at industry use
and as such are inadequate for use in an academic setting. Project Management System is a web
application written in Java, JavaScript, and HTML backed by HSQLDB, and seeks to provide a
more appropriate system for managing student projects. The system was developed using
modern development techniques with a focus on security, correct design, and efficiency. There
are many opportunities for further development of the system, including improving the user
interface and adding additional statistical and reporting capabilities.
3. 1
1 Introduction
The goal of this project, entitled Project Management System, is to create a web-based
application for use by professors and instructors in managing student projects. It is primarily
intended for use in the realm of computer science, but could be adapted for use in other realms.
The system is intended to be as stable, well-designed, and professional as possible.
Each user of the system is defined as being an instructor or not, and has a profile
containing contact information for use by other users. A user’s account includes a setting for
whether or not the user wishes to receive email updates from the system when changes are made
to projects with which the user is associated, and an email address to be used for that purpose.
Projects may only be created by instructors, and system-wide variables (lists of default values)
may only be edited by instructors. Projects accommodate a single instructor and one or more
students, and only the users associated with a project may view it and make changes to it.
Projects are primarily made up of tasks. Tasks have a creator and an assignee. Comments may
be made by all associated users on both the project itself and its tasks. Links to outside resources
(e.g., websites, files, images) may be created by all associated users for individual tasks. It is
possible to define two different types of relationships between tasks. First, a task may be
dependent on other tasks. That is, the user to whom the task is assigned may be unable to work
on the task until other tasks have been completed. Second, a task may be a subtask of another
single task. This allows larger tasks to be broken up into smaller tasks and organized. Both
projects and tasks have due dates and can be marked finished when they are completed. Projects
and tasks have a variety of other attributes that can be used to categorize and define them
appropriately. The system also includes utilities for creating an initial empty database, adding
4. 2
fake data to the database, and exporting the data in the database to both XML- and CSV-
formatted files.
This paper will describe the need for web-based project management and bug tracking
systems, some of the existing systems and their short-comings with regards to the academic
environment, and the initial development of Project Management System when it began as a
class project. It will then describe the research and development subsequent to the class project,
including improvements in performance, database-related code, and security. The paper will
then describe typical use cases and discuss the pros and cons of the project as it exists today.
Finally the paper will describe possibilities for future work and enhancements.
2 Background
2.1 Web-based Project Management and Bug Tracking
There is a variety of existing web-based project management and bug tracking tools.
These are primarily aimed at the business realm and seek to coordinate and document the efforts
of development teams consisting of multiple developers and possibly also testers, technical
writers, subject matter experts, managers, and other professionals. They provide ways to
prioritize work and to keep track of bugs and other development tasks to make sure nothing slips
through the cracks. Some of these applications also facilitate communication between team
members and provide ways to keep everyone updated as to what everyone else is doing. Project
management systems may also include ways to track productivity, documentation tools such as
wikis, budgeting or cost-tracking tools, and many other primarily business-oriented tools.
5. 3
2.2 Existing Tools
Existing tools are aimed at the business realm, and as such have flaws when used in an
academic context. Bug tracking systems I have used, such as Bugzilla1
and Roundup2
, have a
narrow focus. They are only designed to track development-related tasks, such as defects and
suggested improvements. These tools also assume that all users are of the same professional
level. That is, everyone is working together and has more or less the same authority, even if they
are in different roles, without the kind of oversight and difference in education and experience
found in a student project being overseen by a professor. A system for academic use would
ideally be broader and encompass tasks such as writing papers and doing research, in addition to
giving professors and instructors more control than students.
Many project management tools, on the other hand, can be extremely complicated with
many parts that would never be used in an academic context. Redmine3
is such a tool, and
although I have found that it works very well in a complex professional development context, the
wiki, news, Gantt chart, document and file management, among others would likely never be
used for an academic project. It also generally requires more maintenance and a heavier-weight
relational database management system.
Other project management tools, such as Trello4
, have insufficient structure to guide
students unfamiliar with such tools. Students may mark tasks as done when they are not, create
tasks that should be comments, and so forth. Further, similarly to Bugzilla and Roundup, users
1
Mozilla Foundation, Bugzilla (bug-tracking system), used until November 2011 while employed at Physical
Science Laboratory, Available from http://www.bugzilla.org/, Last accessed on 2013/04/20
2
Roundup-Team, Roundup (issue-tracking system), used during class project in Spring 2011, Available from
http://roundup.sourceforge.net/, Last accessed on 2013/04/20
3
Jean-Philippe Lang, Redmine (project management web application), currently in use as of 2013/04/20 while
employed at New Mexico Department of Agriculture, Available from http://www.redmine.org/projects/redmine,
Last accessed on 2013/04/20
4
Fog Creek Software, Inc., Trello (project management application), Available from https://trello.com/, Last
accessed on 2013/04/20
6. 4
are assumed to be of the same experience level, so there is no mechanism for oversight and
control by a professor.
2.3 Initial Experience
2.3.1 Description
Project Management System began as a class project in Spring 2011 for CS581
Advanced Software Engineering5
. By the end of the semester the core functionality was in
place, but it was difficult to use and included some design decisions that turned out to be
problematic in practice. Further, as I had not yet completed any database-related classes, the
data access layer was very poorly and inefficiently designed. With the help of large numbers of
internet resources as well as advice from peers, I was, however, able to create a correctly
designed and normalized database schema. As there was still much to do to bring the project up
to a usable, stable, and well-designed condition, I decided to continue development by turning it
into a Masters project, rather than abandoning it.
2.3.2 Requirements
The biggest initial requirement6
for the class project was that it should be web-based, but
easy to install and manage, including not being required to manage a database such as one would
have to do for MySQL or other more complex database management systems. Support for
simple database management systems, such as HSQLDB or SQLite, was therefore required, and
5
Karen Carter, Project Management System (slideshow presentation covering class project), Published Spring 2011,
Last accessed 2013/04/20, Available at
https://docs.google.com/presentation/d/1rZLu4eN4KOnBHDf2lRVjr04HUQYSznlyI_fpdoBML_k/edit?usp=sharing
&authkey=CP7D8IgM
6
Karen Carter, My Project Requirements (initial class project requirements and completion dates), published Spring
2011, Last accessed 2013/04/20, Available at
https://docs.google.com/spreadsheet/ccc?key=0Auez0eXd5ysadF9IWVFkUHpEbmtEUEw5S0JvdHZPTnc&usp=sh
aring
7. 5
allowing arbitrary database management systems to be used was initially required (this
requirement turned out to be impractical as explained below). Login names and passwords for
all users were also required, and anonymous viewing was not allowed. The project needed to
support projects with deadlines and tasks, tasks with deadlines, priorities, progress estimates,
classifications, and comments on all levels. An ability to define subtasks and attach them to
other tasks was required, as well as basic sanitization of user input and an automatic build system
with the ability to generate Javadocs, along with written instructions describing how to deploy
the system. The project needed to support up to 25 students and to have specialized user
interface options for professors and students, such as being able to view a list of their unfinished
tasks and a list of recent comments, and for the professor to be able to see when students were
unable to proceed without the professor completing some task. The project was required to
include configurable options such as configurable lists (used in drop-down boxes in the
application), font sizes, and colors. These configuration changes needed to be able to be made
from within the application and not require a rebuild in order for them to take effect. Optional
requirements that were also implemented were being able to mark tasks as dependent on other
tasks, an ability to attach useful URLs to tasks, support for multiple professors within the same
system (although not for a single project), an email-update system, and an ability to export
project data into both CSV and XML.
During the initial development period, further research revealed that one of the original
requirements for the system, to have database-independent code, was infeasible without adding
some type of object-relational mapping framework, such as Hibernate, which is designed to work
with many different types of databases. This is because syntax and functionality vary so much
between different relational database management systems (RDBMSes) on even a very basic
8. 6
level, such as creating tables with auto-incrementing primary keys. So even though such
statements are being executed via JDBC in this application, so that they can be executed on any
RDBMS with a JDBC driver, the SQL statements themselves would need to be different to
accommodate different RDBMSes. For example, in an HSQLDB, an identity column is used for
this purpose, and it is automatically a primary key and therefore also guaranteed to be unique7
.
In other databases such as DB2, however, identity columns are not automatically primary keys
nor even necessarily unique8
. So in HSQLDB, to create a table with an auto-incrementing
primary key and one other column, the following code would suffice:
CREATE TABLE TestTable(id INT IDENTITY GENERATED BY DEFAULT AS IDENTITY (START WITH 1,
INCREMENT BY 1), value INT NOT NULL);
whereas in DB2 the following would be required:
CREATE TABLE TestTable(id INT GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY
1), value INT NOT NULL, PRIMARY KEY(id));
The second statement would result in an error when executed in an HSQLDB, so neither version
of the statement will work for all RDBMSes. So at a minimum the database and table creation
code would need to be changed in order to use another RDBMS.
2.3.3 Design
The overall architecture of Project Management System, as well as the technology used
to create it, has mostly stayed constant throughout the project. The system uses a 4-tier
7
HSQLDB Development Group, Chapter 9. SQL Syntax (guide to HSQLDB), Publication date 2007/02/19, Last
accessed 2013/04/20, Available at http://www.hsqldb.org/doc/guide/ch09.html#create_table-section
8
IBM, Administration Guide: Planning (guide to DB2), Publication date 2006/10/27, Last accessed 2013/04/20,
Available at
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.udb.admin.doc%2Fdoc%2F
c0004762.htm
9. 7
architecture comprised of the presentation layer (JSP9
, HTML10
, JavaScript11
, jQuery12
, and
CSS13
), application layer (Java Servlet14
), data access layer (JDBC15
), and database layer
(HSQLDB16
), as seen in figure 1. Tomcat17
is the application server and controls much of the
security for the application. Libraries used include DbUnit18
and opencsv19
for exporting the
database to XML and CSV respectively, JavaMail20
for sending notification messages, and
Apache Commons21
for escaping user input. Later the OWASP Enterprise Security API22
for
escaping user input before inserting it into HTML, plus SLF4J23
and log4j24
for logging were
added.
9
Oracle, JavaServer Pages Technology, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/javaee/jsp/index.html
10
HTML Working Group, W3C HTML, Last update 2013/01/24, Last accessed 2013/04/20, Available at
http://www.w3.org/html/
11
Mozilla Developer Network, JavaScript, Last update 2013/03/14, Last accessed 2013/04/20, Available at
https://developer.mozilla.org/en-US/docs/JavaScript
12
The jQuery Foundation, jQuery, Last accessed 2013/04/20, Available at http://jquery.com/
13
W3C, Cascading Style Sheets home page, Last update 2013/04/20, Last accessed 2013/04/20, Available at
http://www.w3.org/Style/CSS/Overview.en.html
14
Oracle, Java Servlet Technology, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/index-jsp-135475.html
15
Oracle, Java SE Technologies – Database, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/javase/jdbc/index.html
16
The hsql Development Group, HyperSQL, Last update 2012/08/22, Last accessed 2013/04/20, Available at
http://hsqldb.org/
17
The Apache Software Foundation, Apache Tomcat, Last update 2013/03/26, Last accessed 2013/04/20, Available
at http://tomcat.apache.org/
18
DbUnit Development Team, About DbUnit, Last update 2012/09/30, Last accessed 2013/04/20, Available at
http://www.dbunit.org/
19
opencsv Development Team, opencsv, Last update 2011/07/28, Last accessed 2013/04/20, Available at
http://opencsv.sourceforge.net/
20
Oracle, JavaMail, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/javamail/index.html
21
The Apache Software Foundation, Apache Commons, Last accessed 2013/04/20, Available at
http://commons.apache.org/
22
OWASP, Category: OWASP Enterprise Security API, Last update 2012/08/29, Last accessed 2013/04/20,
Available at https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
23
QOS.ch, Simple Logging Façade for Java (SLF4J), Last accessed 2013/04/20, Available at http://www.slf4j.org/
24
The Apache Software Foundation, Apache Log4j 2, Last accessed 2013/04/20, Available at
http://logging.apache.org/log4j/2.x/
10. 8
Figure 1. Architecture Diagram
2.3.4 Positives
One good thing that came out of the initial development was a well-designed database
schema, as seen in figure 2. This was a result of studying basic definitions of normalization and
the proper way to handle lists of values as reference tables. Appropriate primary keys and
foreign keys were also defined wherever necessary. In addition data types for columns were
defined appropriately and NOT NULL and UNIQUE constraints were added wherever required.
After completing a database class it was possible to revisit the schema and verify that it was
correctly designed. Subsequently the only changes made to the schema were to facilitate
additional functionality or to make certain queries simpler, such as removing a surrogate auto-
11. 9
incrementing key for users and instead changing the schema and SQL statements to use the
natural key of each user’s username.
Figure 2. Database Schema Diagram
2.3.5 Negatives
After the initial development in Spring 2011, there was a number of major issues that
needed to be addressed. The issue that most affected usability was that, instead of considering
individual requests on their own, they were considered within the context of a certain workflow.
The user was required to first view a project, then view individual tasks, so that there was no way
to bookmark a certain task and return to it later, share a link to a task or project with another user
from the project, or have multiple browser windows open to different projects at the same time.
The last issue would be a major hindrance for instructors, at the very least. This issue was
caused by storing too much information, such as the currently selected project, in the session
12. 10
instead of only storing information in the request and considering requests on their own. Also of
great concern to potential users was the fact that the application lacked any sort of protection for
confidential information, namely user passwords. Passwords were stored in plain text in the
database and SSL was not used to protect passwords when users logged in.
There were also several issues of concern from a development and design standpoint.
Debugging was made exponentially more difficult by the fact that the application didn't log error
messages in any way. Tomcat logs still functioned, but any errors from within the application
itself were swallowed. As mentioned previously I had virtually no database experience prior to
working on this project. As a result I only knew how to do the most basic of SELECT
statements in SQL, and so used no JOIN statements at all throughout the data access layer. This
resulted in very poorly designed and overly complicated data access code, where it took multiple
repeated queries to retrieve the data for any slightly complex object. Connection pooling for
database connections was not used, so certain pages had extremely bad performance with even a
trivial amount of data in the database. Instead of retrieving just the necessary information with
one query, all the projects and all their tasks were loaded at once, each with a separate call to the
data access layer and thus each with its own opening and closing of a database connection; the
time required for such operations quickly became non-trivial. Finally the system did not close
JDBC resources properly, so if any type of error occurred while working with the database,
memory leaks could easily result.
13. 11
3 Research and Development
3.1 Redesign and Rewrite of Application and Data Access Layers
The largest and most time-consuming development task was redesigning and rewriting
most of the application and data access layers, along with chunks of code in the presentation
layer. As mentioned above, originally the system required a certain workflow. First the user
would login, and all of their projects would be loaded. Then they would request a certain
project, with the project number being relative to the user (so user A requesting project 1 might
retrieve a different project than user B requesting project 1). At that point all the tasks for the
project were loaded. Then the user would request a certain task associated with the project, and
again the task number was relative to the specific project. The project and task information was
stored in the session rather than in the individual request, so another result of this was that a user
could not have multiple tabs open to different projects at the same time.
This was changed so that each request was considered independently and so that the
project and task numbers were universal. A user could therefore bookmark a task and go directly
to that task at a later time, and students working on the same project could send a link for a
certain task to one another. The data access layer had to be changed so that tasks and projects
were loaded individually for each request instead of pre-loaded and stored in the session when
the user logged in or visited a project page. Some methods were rewritten while others had to be
eliminated and changed to something entirely new. The application layer had to be rewritten to
make calls to the database for every request instead of assuming some information was already
loaded, and in both the application layer and presentation layer the numbering scheme had to be
changed to reflect using the actual database IDs rather than numbers relative to the specific user
and project involved in the request.
14. 12
3.2 Database-Related Improvements
After the initial development during Spring 2011, research continued on various
database-related topics. The first issue that was addressed was that of proper closing of database
resources in the event of an exception or error. In Java 6, closing resources correctly was
extremely cumbersome. It required multiple nested try-catch-finally blocks, like this:
15. 13
try
{
Connection conn = DriverManager.getConnection("jdbc:mysql://" + host + "/" + name,
username, password);
try
{
PreparedStatement statement = conn.prepareStatement("SELECT * FROM TestTable
WHERE id = ?");
try
{
statement.setString(1, id);
ResultSet rs = statement.executeQuery();
try
{
while (rs.next())
{
doSomething();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
finally
{
rs.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
finally
{
statement.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
finally
{
conn.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
This process was complicated and error-prone. In addition, very few online resources
(even very reputable ones) showed the correct procedure, so even finding out how to correctly
close all resources was difficult. After doing quite a bit of research, the above method seemed
16. 14
most correct, although there were still many conflicting tutorials. Luckily Java 7 added an
"automatic resource management" or ARM via the try-with-resources capability25
. The project
was migrated to Java 7 in order to take advantage of this feature. With Java 7 the above code
can be condensed to this:
try (Connection conn = DriverManager.getConnection("jdbc:mysql://" + host + "/" +
name, username, password);
PreparedStatement statement = conn.prepareStatement("SELECT * FROM TestTable
WHERE id = ?"))
{
statement.setString(1, id);
try (ResultSet rs = statement.executeQuery())
{
while (rs.next())
{
doSomething();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
which is much easier both to write and to understand.
The next problem to be addressed was the issue of some pages loading very slowly due to
repeated calls to the data access layer and repeated opening and closing of connections to the
database. First, both the application layer and data access layer code were rewritten so that only
a single call to the data access layer was made, and thus only one connection to the database was
opened and closed. Then the code was rewritten to make use of connection pooling so that
opening and closing connections would no longer be slow. At first the intention was to directly
25
Oracle, The try-with-resources Statement, Last accessed 2013/04/20, Available at
http://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html
17. 15
use Apache Commons DBCP26
, but subsequently the discovery was made that Tomcat itself has
support for connection pooling built in27
, so the code was changed to use that.
3.3 Security
The next area for improvement was security. Although most of the data in the system is
not particularly confidential, it does contain users' passwords, which might be reused on other
sites and thus should be protected as much as possible. SSL was enabled in Tomcat by creating
a self-signed certificate and adding the appropriate information to Tomcat's configuration files28
.
This protects the user's password while in transit from their machine to the server upon which the
system resides.
In addition, research was done on ways to secure passwords in the database. The most
highly recommended way to do this is using a one-way hash, and three different algorithms for
this purpose are highly recommended29
. They are bcrypt30
, scrypt31
, and PBKDF232
. All three
are computationally slow when executed on ordinary hardware, and all three can be adjusted as
time goes on and processors get faster so that they stay computationally slow. bcrypt and
PBKDF2 are both established algorithms that were created more than 10 years ago (in 1999 and
2000 respectively). bcrypt has an advantage in that the algorithm cannot be sped up by using a
26
The Apache Software Foundation, commons DBCP, Last update 2010/11/25, Last accessed 2013/04/20, Available
at http://commons.apache.org/proper/commons-dbcp/
27
The Apache Software Foundation, JNDI Datasource HOW-TO, Last update 2013/03/22, Last accessed
2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html
28
The Apache Software Foundation, SSL Configuration HOW-TO, Last update 2013/03/22, Last accessed
2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
29
https://news.ycombinator.com/item?id=3724772, http://security.stackexchange.com/questions/4781/do-any-
security-experts-recommend-bcrypt-for-password-storage,
http://www.reddit.com/r/PHP/comments/1c210u/opinions_on_password_safetybcryptscryptpbkdf2/
30
Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, Date published 1999/04/28, Available
at http://static.usenix.org/events/usenix99/provos/provos_html/node1.html
31
Colin Percival, Stronger Key Derivation Via Sequential Memory-Hard Functions, Date presented May 2009,
Available at http://www.tarsnap.com/scrypt/scrypt.pdf
32
B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, Date published September 2000,
Available at http://tools.ietf.org/html/rfc2898
18. 16
GPU, whereas PBKDF2 can be. scrypt is still relatively new, dating from 2009, and in addition
to being processor-intensive it is also memory-intensive, thus increasing the hardware cost for
brute-forcing the algorithm. bcrypt was chosen over scrypt due to its longer, proven track-record
and the fact that it was unclear how the demands on memory for scrypt would affect the
performance of the server on which it was run. In order to use bcrypt, a custom Tomcat Realm
had to be written, as Tomcat's only default support is for SHA, MD2, or MD5, which are all
currently outdated and considered inadequate protection33
. The Java implementation jBCrypt34
was used.
Ways to secure the database itself were also researched. HSQLDB can restrict access to
the database server in various ways by rejecting incoming connections according to settings in a
configuration file35
. Access was restricted so that the only connections that are accepted come
from the same server on which HSQLDB is running. Figure 3 depicts the layers of security used
to protect user passwords on their way from the client to the database and back out.
33
Bugzilla Bug, Tomcat Servlet Container development, Last updated 2012/08/28, Last accessed 2013/04/20,
Available at http://comments.gmane.org/gmane.comp.jakarta.tomcat.devel/123309
34
Damien Miller, jBCrypt, Last updated 2010/02/01, Last accessed 2013/04/20, Available at
http://www.mindrot.org/projects/jBCrypt/
35
The HSQL Development Group, HyperSQL User Guide, Last update 2013/03/18, Last accessed 2013/04/20,
Available at http://hsqldb.org/doc/2.0/guide/guide.html#lsc_acl
19. 17
Figure 3. Password Security Measures
The best ways to protect against malicious user input were also researched. The project
initially used Apache Common’s StringEscapeUtils36
and Java’s URLEncoder37
to escape user
input and theoretically make it safe for display or for use in URLs; however, simply using
StringEscapeUtils is not actually sufficient. Escaping strings for display in a web page requires
different methods depending on where in the document (as the value of a text input, as a link,
inside a header, etc.) the string will be displayed. The Open Web Application Security Project
36
The Apache Software Foundation, Class StringEscapeUtils, Last update 2011/07/19, Last accessed 2013/04/20,
Available at http://commons.apache.org/proper/commons-lang/javadocs/api-
3.1/org/apache/commons/lang3/StringEscapeUtils.html
37
Oracle, Class URLEncoder, Last accessed 2013/04/20, Available at
http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
20. 18
(OWASP) has utilities to deal with these different scenarios properly38
, and so their library was
added to the project and their utilities were used to escape all user input that needed to be
displayed. URLEncoder’s method is sufficient for escaping input that will be part of a URL, so
it is still used.
Finally a few more ways to secure the system were researched and implemented. Tomcat
provides a Lockout Realm, which automatically locks out a user for a certain period of time if
there are too many failed login attempts by that user within a certain period of time39
. This
provides a nice trade-off so that legitimate users who have forgotten a password can simply wait
to try again, but brute-forcing a password would be extremely time-consuming.
PreparedStatements and parameterization for all SQL queries involving user input were used to
try and eliminate any possibility of SQL injection attacks. This is the primary method to prevent
such attacks in Java40
. Finally, checks on users' authorization to perform CRUD operations were
added on multiple levels. First user authorization is checked within the presentation layer, so
that legitimate users cannot accidentally try to do something they are not authorized to do. Then
authorization is checked within the application layer, to ensure that malicious users cannot
purposely do something they are not authorized to do. Lastly the data access layer itself checks
authorization, in order to ensure the integrity of the database at all times.
3.4 Logging
In order to facilitate debugging and trouble-shooting, logging was also implemented in
order to see where issues occur, if they do. In the initial development of the system, DBUnit was
38
OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet, Last update 2013/03/15, Last access 2013/04/20,
Available at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
39
The Apache Software Foundation, Realm Configuration HOW-TO, Last update 2013/03/22, Last access
2013/04/20, Available at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#LockOutRealm
40
OWASP, Preventing SQL Injection in Java, Last update 2009/05/27, Last access 2013/04/20, Available at
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
21. 19
used in order to export the database to XML. DBUnit has logging built into it, and so the jars for
slf4j and log4j were already included, so they were used for the actual logging code. It was very
simple to set up using configuration files, and that plus compiling with debug mode on means
that in the log the line numbers where issues occur can also be seen. Logging was added to all
existing code in all try-catch blocks, as well as other places that seemed useful. Finally, the
application’s overall error handling was addressed. Instead of using the default Tomcat error-
page the application was configured to use a global error page (which also ties into security: if an
attacker knows the application is running on Tomcat then they can target Tomcat itself), and
made sure that in the event of an error such as a badly formatted date or other exception, the user
will be forwarded to the error page. A choice of two error pages is given to the administrator of
the system via configuration files. One only displays a generic error message and information on
who to contact for help. The other displays detailed information on the exception that occurred
as well as where in the code it occurred. Thus the administrator can choose how much
information should be revealed to users of the system in case of errors. An authorization error
page was also added, for when a user attempts to access a resource they are not allowed to
access.
3.5 Software Development Methodology
Throughout both the initial and later development of the system I used a version of the
Scrum software development methodology41, 42
, tweaked to account for it being a one-person
41
Ken Schwaber and Jeff Sutherland, The Scrum Guide, Last update October 2011, Last accessed 2013/04/20,
Available at http://www.scrum.org/Portals/0/Documents/Scrum%20Guides/Scrum_Guide.pdf#zoom=100
42
Henrik Kniberg, Scrum and XP from the Trenches, Published 2007/10/04, Last accessed 2013/04/20, Available at
http://www.infoq.com/minibooks/scrum-xp-from-the-trenches
22. 20
project43
. In the later part of the development I tried to be more formal, using burndown charts
and recording sprint planning, retrospectives, and reviews on a blog44
. For over a year I have
also been using Scrum as a part of my work as a full-time software developer. What I have
discovered is that, although Scrum is extremely useful in a full-time work-environment, many of
its benefits cannot be transferred to sporadic part-time work such as that done on a student
project. With full-time work of 40 hours per week, after a few sprints a velocity does become
apparent, and this can be used to forecast how many story-points should be included in future
sprints. With part-time work, however, the amount of hours available for work per sprint varies
greatly, so forecasting and planning are much more difficult. The burndown charts themselves
were nearly useless for Project Management System. Scrum is still useful as an organizational
tool, but trying to strictly timebox work into sprints is nearly impossible. It becomes a case of
getting as much done as you can in the time available, and work frequently gets carried over
from one sprint into the next, according to what has the highest priority. I believe this is an
endemic problem with student projects: due to the unpredictability of how many hours are
available for work, in addition to the lack of co-location during working hours and varying levels
of commitment (for projects of more than one student), software development methodologies
developed in industry cannot provide the same benefits in academia.
In the later development of the system I had also hoped to incorporate test-driven
development (TDD). Despite large amounts of research online and reading Test Driven
Development: By Example45
, I was unable to figure out how to incorporate TDD into the project.
In part this is because it is far easier to begin with TDD than to attempt to retrofit it into an
43
http://blog.jgpruitt.com/tag/personal-scrum/, http://www.21apps.com/agile/doing-agile-in-a-team-of-one-day2/,
http://brainslink.com/2011/07/scrum-for-one-can-be-done-almost/
44
Karen Carter, Shambling Towards Perfection, Last update 2013/04/18, Last accessed 2013/04/20, Available at
http://shamblingblindly.blogspot.com/
45
Kent Beck, Test Driven Development: By Example, Published 2002/11/18
23. 21
existing project, but also because TDD itself is a difficult concept to grasp for anything other
than trivial examples (yet trivial examples are by far the most common for TDD tutorials and
articles). Some practitioners went so far as to claim that TDD should be learned in person from
someone who already knows TDD. Ultimately I decided it would take too much time away from
the other required development work to attempt to truly implement TDD in the project.
4 Evaluation
4.1 Examples and Screen Shots
In a typical usage scenario, the instructor begins by creating a project. Figure 4 is the
screen on display when he begins this process.
Figure 4. Initial Screen for Creating a Project
24. 22
He enters the student associated with the project, the project type, due date, and other
information, as displayed in Figure 5.
Figure 5. Entering Student Information
Next the instructor creates tasks for the student and enters their priority, due date, and
other information, as shown in Figure 6.
Figure 6. Creating Task for Student
25. 23
Before one task can be completed, a second task must be finished, so the instructor marks
the first task as dependent on the second task.
Figure 7. Defining Task as Dependent
26. 24
One of the tasks was entered with an incorrect due date, so the instructor edits the task.
This is displayed in Figure 8.
Figure 8. Editing Task
27. 25
Next, the instructor adds a comment and a link to the task, demonstrated in Figure 9 and
Figure 10.
Figure 9. Professor Creating Comment
Figure 10. Professor Creating Link
28. 26
To make sure everything is correct, the instructor views the task with the comment and
link. This is seen in Figure 11.
Figure 11. Viewing Completed Task
29. 27
Now the instructor can view all the tasks associated with the project, as seen in Figure 12.
Figure 12. Viewing Tasks for a Project
Figure 13 displays the instructor’s view when he checks which tasks remain unfinished.
Figure 13. List of Unfinished Tasks
30. 28
The instructor can view the comments and links that have been created in the last two
weeks, as seen in Figure 14.
Figure 14. Last Two Weeks of Comments and Links
The instructor can see a list of users that currently exist in the system, as shown in Figure
15.
Figure 15. Instructor's View of Registered Users
31. 29
As seen in Figure 16, the instructor can edit his profile if any information was not
initially filled out or was filled out incorrectly.
Figure 16. Instructor Editing Personal Profile
32. 30
With the tools shown in Figure 17, the instructor can edit any of the default values for a
variety of things: task priorities, project types, etc.
Figure 17. Professor Editing Default Values
Finally the student logs in, and Figure 18 displays his own view of the project.
Figure 18. Student's View of Project
33. 31
4.2 Quality Analysis
4.2.1 Automated Tools
Starting out, one of the goals for the system was to have code that is as correct as possible
in design and implementation. To this end research was done on some of the automated tools
available for static code analysis46
. Three widely used tools that are available as Eclipse47
plug-
ins were chosen: Checkstyle48
, FindBugs49
, and PMD50
. Checkstyle was originally designed to
check whether code adheres to a coding standard, but has been expanded to look for duplicate
code, problems with design, and bug patterns. FindBugs analyses Java bytecode and looks for
patterns that indicate possible bugs, such as variables that are never used, concatenating strings
to be used in JDBC calls (instead of parameterizing them), and many other types of potentially
problematic coding practices. PMD looks for many of the same kinds of issues that FindBugs
does, but analyses Java source code. All three tools are expandable, so developers can create
custom rules for the tools to look for.
Of the three, FindBugs was the most useful by far. Virtually all of the things FindBugs
marked were genuine issues, so it was a very useful tool and it helped to resolve some things that
could have led to bugs in the application. Checkstyle and PMD, however, raised a huge number
of flags, so much so that nearly every line was flagged, yet many of the flags were invalid or at
least extremely debatable. This included most of Checkstyle’s style warnings, such as giving
opening curly brackets their own line. There were also flags by PMD on issues such as using
46
Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java, Published
2004/11/02, Available at http://www.cs.umd.edu/~jfoster/papers/issre04.pdf
47
The Eclipse Foundation, Eclipse, Last access 2013/04/20, Available at http://www.eclipse.org/
48
David Schneider and Lars Ködderitzsch, Eclipse-Checkstyle Integration, Last access 2013/04/20, Available at
http://eclipse-cs.sourceforge.net/
49
Bill Pugh and Andrey Loskutov, FindBugs – Find Bugs in Java Programs, Last update 2012/12/10, Last access
2013/04/20, Available at http://findbugs.sourceforge.net/
50
PMD, PMD, Last update 2013/04/05, Last access 2013/04/20, Available at http://pmd.sourceforge.net/
34. 32
System.out.println for output in a command-line tool, or overriding
javax.servlet.http.HttpServlet.doGet, doing what Tomcat’s own documentation discusses51
.
PMD also flagged every single parameter and variable that could be declared final. Declaring
parameters as final, while possible, is a questionable practice, as some say it clutters code for
little benefit and reduces code clarity, although others claim it reduces bugs and improves code
quality52
. Both Checkstyle and PMD were also harder to configure than FindBugs, so it would
have taken a lot of work to get them configured to ignore the types of errors that were less useful
or seemed erroneous. In the end Checkstyle and PMD were turned off and only FindBugs was
left enabled, and its flags were continuously reviewed to check for any potential issues.
During the course of the project, large amounts of code were completely rewritten to
correct mistakes and misjudgments made during the initial development when the project was
merely a class project. Another very helpful Eclipse plugin used to clean up the old code and
remove now-unused methods was UCDetector53
. It detected methods that were no longer being
called anywhere within the project. It also provided recommendations on classes and methods
that were more public than they needed to be. This helped in making the code base more
readable, making sure outdated methods couldn’t be called mistakenly, and that internal methods
weren’t called improperly by other classes.
51
The Apache Software Foundation, Class HttpServlet, Last access 2013/04/20, Available at
http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServlet.html
52
http://stackoverflow.com/questions/266806/is-there-any-performance-reason-to-declare-method-parameters-final-
in-java, http://stackoverflow.com/questions/316352/why-would-one-mark-local-variables-and-method-parameters-
as-final-in-java, http://stackoverflow.com/questions/5380177/final-arguments-in-interface-methods-whats-the-
point?rq=1
53
Jörg Spieler, UCDetector: Unnecessary Code Detector, Last update 2013/04/11, Last access 2013/04/20,
Available at http://www.ucdetector.org/
35. 33
4.2.2 Design Principles
Throughout the project proper coding techniques were followed as much as possible, and
research was done to try and further improve design and programming techniques54
. Code was
reused whenever possible, following the Don’t Repeat Yourself (DRY) principle, and interfaces
were used for the data models and data access layer, following the design by contract approach.
4.2.3 Unaddressed Issues
There were some design and technique issues that could not be improved due to the time
constraints of the project. The biggest of these, in terms of its presence in code, is that instead of
using JavaServer Pages Standard Tag Library (JSTL)55
, scriptlets (sections of plain Java code)
are used throughout the presentation layer. Scriptlets have been considered outdated and not
good coding practice for years56
, although many online tutorials still use them, and following
those tutorials led to their initial inclusion in the project. An attempt was made to rewrite the
existing scriptlets into JSTL, but unfortunately much extra work is needed to use static
methods57
such as those in the OWASP library for encoding user input, which are used in nearly
every JSP. Custom EL functions would need to be written58
and/or web.xml would need to be
54
Andrew Hunt and David Thomas, The Pragmatic Programmer: From Journeyman to Master, Published
1999/10/30
55
Oracle, JavaServer Pages Standard Tag Library, Last access 2013/04/20, Available at
http://www.oracle.com/technetwork/java/index-jsp-135995.html
56
http://stackoverflow.com/questions/4535423/jstl-vs-jsp-scriptlets,
http://www.coderanch.com/t/469280/JSP/java/Scriptlet-JSTL,
http://www.coderanch.com/t/414294/JSP/java/scriptlets-EL-JSTL,
https://groups.google.com/forum/?fromgroups=#!topic/comp.lang.java.programmer/W5cER3Q21cQ
57
StackOverflow, How to call a static method in JSP/EL?, Last update 2012/05/08, Last accessed 2013/04/20,
Available at http://stackoverflow.com/questions/6395621/how-to-call-a-static-method-in-jsp-el
58
JavaRanch, Define EL Functions, Last accessed 2013/04/20, Available at http://www.coderanch.com/how-
to/java/DefineELFunctions
36. 34
updated to conform to Servlet 3.0 specifications59
, and there was insufficient time to figure out
exactly how this would work and get it working.
The other major area, primarily in terms of user experience, where time prohibited best
practices was in user interface design. Although I took a user interface design class and
researched on my own60, 61
, there was not time to improve the design and work with users to
figure out where the system could most use improvement, what most impeded their workflow, or
what features were most needed from a user experience perspective. As a result the system is
fully functional and capable of performing the essential tasks needed to manage and track a
student project, but it does not have the most efficient or effective design and may make certain
tasks more difficult than they could be. Information is also not necessarily presented in the
clearest or easiest-to-understand manner. Better grouping of related fields, clearly highlighting
required fields, and more verification and validation of user input would all greatly enhance the
user interface.
5 Conclusions
5.1 Future Work
5.1.1 Last Updated/Last Active Features
There is a number of issues that were not addressed and features that were not developed
due to time constraints. These could be addressed in the future, given enough time. In addition
59
StackOverflow, how to call parameterized method from JSP using JSTL, Last update 2012/05/25, Last access
2013/04/20, Available at http://stackoverflow.com/questions/7121303/how-to-call-parameterized-method-from-jsp-
using-jstl
60
Jeff Johnson, Designing with the Mind in Mind: Simple Guide to Understanding User Interface Design Rules,
Published 2010/06/03
61
Jeff Johnson, GUI Bloopers 2.0, Second Edition: Common User Interface Design Don’ts and Dos (Interactive
Technologies), Published 2007/09/10
37. 35
to replacing scriptlets with JSTL and improving the user interface design, as mentioned above,
currently unused columns were added to the database to support a number of features that were
not implemented. Columns were added to track who last updated projects and tasks and at what
time the last update occurred. Columns were also added to track the last login date for users.
These columns were intended to be used in a variety of ways, in addition to simply displaying
this data for users to see. They could be used to show the user what tasks and projects have been
updated since the last time they logged in, to order tasks and projects by their last update, and to
show instructors when students last logged in, to see if they have been using the system or not.
5.1.2 Subtask and Dependent Task Relationship Features
Columns were also added to support visualization features with regards to task
dependency and subtask relationships. First, cycles would need to be detected and prevented
during task editing. Then, since each task may only be a subtask of one other task, but a task
may have many subtasks, the set of tasks in subtask relationships would form a set of trees.
Columns were added to support path enumeration for these relationships, as described in SQL
Antipatterns62
, as that method would be very fast for the most frequent usecase of seeing all
descendants and ancestors of a task, and it would be fairly simple to implement.
Each task can depend on many tasks and can have many tasks dependent on it, so the set
of tasks in dependency relationships would form a set of directed acyclic graphs (DAGs).
Representing DAGs in a database is more complicated63
, but a new table was added to support
this using an adjacency list containing the complete list of paths (the transitive closure) of the
graph.
62
Bill Karwin, SQL Antipatterns: Avoiding the Pitfalls of Database Programming, Published 2010/07/02
63
Kemal Erdogan, A Model to Represent Directed Acyclic Graphs (DAG) on SQL Databases, Published
2008/01/10, Last accessed 2013/04/20, Available at http://www.codeproject.com/Articles/22824/A-Model-to-
Represent-Directed-Acyclic-Graphs-DAG-o
38. 36
Adding this functionality would enable visualizing the DAGs and trees formed by the
task relationships, and could also be used for ordering the tasks according to these relationships
when viewing the tasks as part of the project page.
5.2 Enhancements
5.2.1 Ease of Use
There are many opportunities for further enhancements aside from those that were
already researched or partially started. The ability for the user to reset a forgotten password
would be extremely useful, and adding an “undo” capability would also help when the user
makes a mistake.
Adding a mobile-formatted version or actual mobile apps (Android, iOS, etc.) would
assist in making the application more accessible for a variety of users. Options for sorting tasks
by different values (priority, type, due date, etc.) would also help make the application more
usable according to the user’s needs.
More options for exporting data, such as exporting a user’s projects through the web
interface, would make the application more flexible and allow users to take data with them after
a project is over or when switching to a different system. Allowing data import would also be
helpful for users wanting to start with a fresh installation or in the event of splitting off a project
into a new project.
5.2.2 Security and Stability
Adding requirements for the length and/or complexity of user passwords would protect
users from having their passwords guessed by others. Security could also be enhanced by further
restricting access to the database by restricting the privileges for the database user according to
39. 37
what actions are allowed for each table. For example, tasks and projects are never completely
deleted, so not allowing the database user used by the web application to perform deletes on
those tables would be helpful.
Adding unit tests with JUnit64
and DBUnit, along with other tests of functionality and
even of the user interface, would improve stability and help ensure legacy code would not break
when code was edited or updated. Upgrading to HTML 5 and CSS 3 would assist in making the
code more future-proof.
5.3 Conclusion
Project Management System attempts to serve the unique needs of academic project
management. The basic functionality for managing projects, creating and editing tasks, and
recording progress is present, fairly efficient, and includes basic security features. There are
many opportunities for further development, including refining the user interface, adding
additional features, and further enhancing security and the user experience.
64
junit-team, JUnit, Last accessed 2013/04/20, Available at http://junit.org/
40. 38
References
Andrew Hunt and David Thomas, The Pragmatic Programmer: From Journeyman to Master,
Published 1999/10/30
B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, Date published
September 2000, Available at http://tools.ietf.org/html/rfc2898
Bill Karwin, SQL Antipatterns: Avoiding the Pitfalls of Database Programming, Published
2010/07/02
Bill Pugh and Andrey Loskutov, FindBugs – Find Bugs in Java Programs, Last update
2012/12/10, Last access 2013/04/20, Available at http://findbugs.sourceforge.net/
Bugzilla Bug, Tomcat Servlet Container development, Last updated 2012/08/28, Last accessed
2013/04/20, Available at
http://comments.gmane.org/gmane.comp.jakarta.tomcat.devel/123309
Colin Percival, Stronger Key Derivation Via Sequential Memory-Hard Functions, Date presented
May 2009, Available at http://www.tarsnap.com/scrypt/scrypt.pdf
Damien Miller, jBCrypt, Last updated 2010/02/01, Last accessed 2013/04/20, Available at
http://www.mindrot.org/projects/jBCrypt/
David Schneider and Lars Ködderitzsch, Eclipse-Checkstyle Integration, Last access 2013/04/20,
Available at http://eclipse-cs.sourceforge.net/
DbUnit Development Team, About DbUnit, Last update 2012/09/30, Last accessed 2013/04/20,
Available at http://www.dbunit.org/
Fog Creek Software, Inc., Trello (project management application), Available from
https://trello.com/, Last accessed on 2013/04/20
Henrik Kniberg, Scrum and XP from the Trenches, Published 2007/10/04, Last accessed
2013/04/20, Available at http://www.infoq.com/minibooks/scrum-xp-from-the-trenches
HSQLDB Development Group, Chapter 9. SQL Syntax (guide to HSQLDB), Publication date
2007/02/19, Last accessed 2013/04/20, Available at
http://www.hsqldb.org/doc/guide/ch09.html#create_table-section
HTML Working Group, W3C HTML, Last update 2013/01/24, Last accessed 2013/04/20,
Available at http://www.w3.org/html/
http://blog.jgpruitt.com/tag/personal-scrum/, http://www.21apps.com/agile/doing-agile-in-a-
team-of-one-day2/, http://brainslink.com/2011/07/scrum-for-one-can-be-done-almost/
http://stackoverflow.com/questions/266806/is-there-any-performance-reason-to-declare-method-
parameters-final-in-java, http://stackoverflow.com/questions/316352/why-would-one-
mark-local-variables-and-method-parameters-as-final-in-java,
http://stackoverflow.com/questions/5380177/final-arguments-in-interface-methods-
whats-the-point?rq=1
http://stackoverflow.com/questions/4535423/jstl-vs-jsp-scriptlets,
http://www.coderanch.com/t/469280/JSP/java/Scriptlet-JSTL,
http://www.coderanch.com/t/414294/JSP/java/scriptlets-EL-JSTL,
41. 39
https://groups.google.com/forum/?fromgroups=#!topic/comp.lang.java.programmer/W5c
ER3Q21cQ
https://news.ycombinator.com/item?id=3724772,
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-
bcrypt-for-password-storage,
http://www.reddit.com/r/PHP/comments/1c210u/opinions_on_password_safetybcryptscr
yptpbkdf2/
IBM, Administration Guide: Planning (guide to DB2), Publication date 2006-10-27, Last
accessed 2013/04/20, Available at
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=%2Fcom.ibm.db2.u
db.admin.doc%2Fdoc%2Fc0004762.htm
JavaRanch, Define EL Functions, Last accessed 2013/04/20, Available at
http://www.coderanch.com/how-to/java/DefineELFunctions
Jean-Philippe Lang, Redmine (project management web application), currently in use as of
2013/04/20 while employed at New Mexico Department of Agriculture, Available from
http://www.redmine.org/projects/redmine, Last accessed on 2013/04/20
Jeff Johnson, Designing with the Mind in Mind: Simple Guide to Understanding User Interface
Design Rules, Published 2010/06/03
———, GUI Bloopers 2.0, Second Edition: Common User Interface Design Don’ts and Dos
(Interactive Technologies), Published 2007/09/10
Jörg Spieler, UCDetector: Unnecessary Code Detector, Last update 2013/04/11, Last access
2013/04/20, Available at http://www.ucdetector.org/
junit-team, JUnit, Last accessed 2013/04/20, Available at http://junit.org/
Karen Carter, My Project Requirements (initial class project requirements and completion dates),
published Spring 2011, Last accessed 2013/04/20, Available at
https://docs.google.com/spreadsheet/ccc?key=0Auez0eXd5ysadF9IWVFkUHpEbmtEUE
w5S0JvdHZPTnc&usp=sharing
———, Project Management System (slideshow presentation covering class project), Published
Spring 2011, Last accessed 2013/04/20, Available at
https://docs.google.com/presentation/d/1rZLu4eN4KOnBHDf2lRVjr04HUQYSznlyI_fpd
oBML_k/edit?usp=sharing&authkey=CP7D8IgM
———, Shambling Towards Perfection, Last update 2013/04/18, Last accessed 2013/04/20,
Available at http://shamblingblindly.blogspot.com/
Kemal Erdogan, A Model to Represent Directed Acyclic Graphs (DAG) on SQL Databases,
Published 2008/01/10, Last accessed 2013/04/20, Available at
http://www.codeproject.com/Articles/22824/A-Model-to-Represent-Directed-Acyclic-
Graphs-DAG-o
Ken Schwaber and Jeff Sutherland, The Scrum Guide, Last update October 2011, Last accessed
2013/04/20, Available at
http://www.scrum.org/Portals/0/Documents/Scrum%20Guides/Scrum_Guide.pdf#zoom=
100
42. 40
Kent Beck, Test Driven Development: By Example, Published 2002/11/18
Mozilla Developer Network, JavaScript, Last update 2013/03/14, Last accessed 2013/04/20,
Available at https://developer.mozilla.org/en-US/docs/JavaScript
Mozilla Foundation, Bugzilla (bug-tracking system), used until November 2011 while employed
at Physical Science Laboratory, Available from http://www.bugzilla.org/, Last accessed
on 2013/04/20
Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools
for Java, Published 2004/11/02, Available at
http://www.cs.umd.edu/~jfoster/papers/issre04.pdf
Niels Provos and David Mazieres, A Future-Adaptable Password Scheme, Date published
1999/04/28, Available at
http://static.usenix.org/events/usenix99/provos/provos_html/node1.html
opencsv Development Team, opencsv, Last update 2011/07/28, Last accessed 2013/04/20,
Available at http://opencsv.sourceforge.net/
Oracle, Class URLEncoder, Last accessed 2013/04/20, Available at
http://docs.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
———, Java SE Technologies – Database, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/javase/jdbc/index.html
———, Java Servlet Technology, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/index-jsp-135475.html
———, JavaMail, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/javamail/index.html
———, JavaServer Pages Standard Tag Library, Last access 2013/04/20, Available at
http://www.oracle.com/technetwork/java/index-jsp-135995.html
———, JavaServer Pages Technology, Last accessed 2013/04/20, Available at
http://www.oracle.com/technetwork/java/javaee/jsp/index.html
———, The try-with-resources Statement, Last accessed 2013/04/20, Available at
http://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html
OWASP, Category: OWASP Enterprise Security API, Last update 2012/08/29, Last accessed
2013/04/20, Available at
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
———, Preventing SQL Injection in Java, Last update 2009/05/27, Last access 2013/04/20,
Available at https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
———, XSS (Cross Site Scripting) Prevention Cheat Sheet, Last update 2013/03/15, Last access
2013/04/20, Available at
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Chea
t_Sheet
PMD, PMD, Last update 2013/04/05, Last access 2013/04/20, Available at
http://pmd.sourceforge.net/
43. 41
QOS.ch, Simple Logging Façade for Java (SLF4J), Last accessed 2013/04/20, Available at
http://www.slf4j.org/
Roundup-Team, Roundup (issue-tracking system), used during class project in Spring 2011,
Available from http://roundup.sourceforge.net/, Last accessed on 2013/04/20
StackOverflow, How to call a static method in JSP/EL?, Last update 2012/05/08, Last accessed
2013/04/20, Available at http://stackoverflow.com/questions/6395621/how-to-call-a-
static-method-in-jsp-el
———, How to call parameterized method from JSP using JSTL, Last update 2012/05/25, Last
access 2013/04/20, Available at http://stackoverflow.com/questions/7121303/how-to-
call-parameterized-method-from-jsp-using-jstl
The Apache Software Foundation, Apache Commons, Last accessed 2013/04/20, Available at
http://commons.apache.org/
———, Apache Log4j 2, Last accessed 2013/04/20, Available at
http://logging.apache.org/log4j/2.x/
———, Apache Tomcat, Last update 2013/03/26, Last accessed 2013/04/20, Available at
http://tomcat.apache.org/
———, Class HttpServlet, Last access 2013/04/20, Available at
http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServlet.html
———, Class StringEscapeUtils, Last update 2011/07/19, Last accessed 2013/04/20, Available
at http://commons.apache.org/proper/commons-lang/javadocs/api-
3.1/org/apache/commons/lang3/StringEscapeUtils.html
———, commons DBCP, Last update 2010/11/25, Last accessed 2013/04/20, Available at
http://commons.apache.org/proper/commons-dbcp/
———, JNDI Datasource HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20,
Available at http://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-
howto.html
———, Realm Configuration HOW-TO, Last update 2013/03/22, Last access 2013/04/20,
Available at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#LockOutRealm
———, SSL Configuration HOW-TO, Last update 2013/03/22, Last accessed 2013/04/20,
Available at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
The Eclipse Foundation, Eclipse, Last access 2013/04/20, Available at http://www.eclipse.org/
The HSQL Development Group, HyperSQL User Guide, Last update 2013/03/18, Last accessed
2013/04/20, Available at http://hsqldb.org/doc/2.0/guide/guide.html#lsc_acl
———, HyperSQL, Last update 2012/08/22, Last accessed 2013/04/20, Available at
http://hsqldb.org/
The jQuery Foundation, jQuery, Last accessed 2013/04/20, Available at http://jquery.com/
W3C, Cascading Style Sheets home page, Last update 2013-04-20, Last accessed 2013/04/20,
Available at http://www.w3.org/Style/CSS/Overview.en.html