Tag: java

java.util.Calendar and the before method

Came across this nice problem today: the java.util.Calendar class provides a method "before(Object)" which is supposed to tell you whether the calendar calling that method is before the given object. BUT, as stated in the javadocs, it only works if the passed object is a Calendar itself. If it's a java.util.Date object, forget it: the method just returns false, even though you would expect the calendar to be able to compare its date with a Date object. I can't quite figure out why they don't just require a Calendar instead of an Object. There is nothing in the code to give the reason. So, I just don't get it. But it's been like that for three years now, so I guess we just need to get used to it :-(
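To make the pitfall concrete, here is a small added example (not code from the post) that calls before(Object) with a Calendar and with a Date, beside a helper that compares the underlying instants the way the post expected. The class name, the two January 2008 dates and the helper names are assumptions chosen for illustration.

```java
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;

public class CalendarBefore {

    /** Calendar.before(Object) as documented: true only when `when` is a Calendar that lies after `cal`. */
    static boolean beforeAsDocumented(Calendar cal, Object when) {
        return cal.before(when);
    }

    /**
     * What the post expected: compare the instants, whether the argument is a Calendar or a Date.
     * Anything else is rejected loudly instead of silently answering false.
     */
    static boolean beforeInstant(Calendar cal, Object when) {
        Date other;
        if (when instanceof Calendar) {
            other = ((Calendar) when).getTime();
        } else if (when instanceof Date) {
            other = (Date) when;
        } else {
            throw new IllegalArgumentException("expected Calendar or Date, got " + when);
        }
        return cal.getTime().before(other);
    }

    public static void main(String[] args) {
        // Constructed sample instants: 1 January 2008 and 2 January 2008 (local time).
        Calendar earlier = new GregorianCalendar(2008, Calendar.JANUARY, 1);
        Calendar later = new GregorianCalendar(2008, Calendar.JANUARY, 2);
        Date laterDate = later.getTime();

        System.out.println("before(Calendar): " + beforeAsDocumented(earlier, later));
        System.out.println("before(Date):     " + beforeAsDocumented(earlier, laterDate));
        System.out.println("beforeInstant:    " + beforeInstant(earlier, laterDate));
    }
}
```

The first call answers true, the second answers false even though the Date lies a day later (the javadoc behaviour the post complains about), and the helper answers true. The practical lesson is that the Object parameter turns a type error into a wrong answer: if a date comparison gates anything that matters (expiry checks, validity windows), compare getTime() values or use compareTo on two Calendars rather than relying on before(Object).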

Read more

Cross Site Scripting (XSS) and Denial of Service (DoS) using AJAX and other Technologies

The other day I was wondering how Google Analytics works... You put a few lines of JavaScript into your page and it loads another script which sends data back to one of its servers. I assumed they used an AJAX XMLHttpRequest to send stats to their server. However, an XMLHttpRequest created in JavaScript (or any script language for that matter) can only make calls back to the server where the browser made the original request, not to the server it loaded the script from. So if, for example, a site abc.com has a page which loads a script from def.com, the script can create an XMLHttpRequest object but it can ONLY make calls to abc.com. Hmmm... that's not entirely true. With IE 6.0.2900 and probably earlier versions of Firefox and other browsers it was possible to make the XMLHttpRequest object call any server, which would be great for a Denial of Service (DoS) attack. Imagine you have a site with millions of page views a day, and you're feeling unfriendly and want to mount a DoS attack against your foe. Easy: you put some script in a page which is frequently viewed, and unknowingly, every one of your readers viewing that page makes a call to your foe's website, stretching its ability to reply to all requests and resulting in the DoS attack, which might even take down the server... Or even worse, an unfriendly user of yours posts some content to a forum containing a script to perform that DoS on their own…

Read more

ThreadLocal and Thread Pools

ThreadLocal is a mechanism that can be used to attach data to a thread so that it can be accessed from any code running on that thread. One use is to make contextual information relevant to the current thread available throughout the call stack, for example a transaction context or a security context. If you use it yourself, you need to watch out if the environment in which it runs gets its threads from a thread pool (e.g. if your application runs in a managed container such as an app server). Typically a thread pool gives no guarantee that the ThreadLocal (or indeed other internal state) will be cleared the next time the thread is taken from the pool. This means you could have an issue. Consider this case: two web applications deployed in the same EAR (or even separate EARs, depending upon your class loader configuration and deployment) both set a thread local which is a map (key / value pairs). One application, in a given case, processing a web request doesn't set a value in the map and calls a service which reads that unset value using a key (the same key is used within both applications). Instead of being unset (null / empty), that unset value could be a value from the other application, if the thread is not new and your code does not clean up the thread local before returning the thread to the pool. I did some tests and these were the results:…
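The scenario above, reproduced as an added example that is not the post's own test code: a single-thread executor stands in for the container's pool (so the next task is guaranteed to land on the recycled thread), application A populates a map-valued ThreadLocal under the key "user", and application B reads the same key without ever setting it. The class name, the key, the "admin" value and the split into leaky and safe request methods are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeak {

    // One context slot shared by everything that runs on the pool's threads (assumed layout).
    private static final ThreadLocal<Map<String, String>> CONTEXT =
            ThreadLocal.withInitial(HashMap::new);

    // The "service" from the post: reads a key it expects the caller to have set.
    static String currentUser() {
        return CONTEXT.get().get("user");
    }

    // Application A, leaky: fills the context and hands the thread back to the pool as-is.
    static void leakyRequest(String user) {
        CONTEXT.get().put("user", user);
        currentUser(); // a service call that legitimately sees "user"
    }

    // Application B: never sets "user" and expects the service to see nothing.
    static String requestWithoutUser() {
        return currentUser();
    }

    // Application A, fixed: the slot is cleared before the thread can be reused by anyone.
    static void safeRequest(String user) {
        try {
            CONTEXT.get().put("user", user);
            currentUser();
        } finally {
            CONTEXT.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single-thread pool makes the reuse deterministic; a container pool merely makes it likely.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<String> appB = ThreadLocalLeak::requestWithoutUser;
        try {
            pool.submit(() -> leakyRequest("admin")).get();
            String leaked = pool.submit(appB).get();
            System.out.println("after leaky request, application B sees user=" + leaked);

            pool.submit(() -> safeRequest("admin")).get();
            String clean = pool.submit(appB).get();
            System.out.println("after safe request, application B sees user=" + clean);
        } finally {
            pool.shutdownNow();
        }
    }
}
```

The first read by application B returns "admin", the value application A left behind; the second returns null because safeRequest called remove() in a finally block. When the leaked value is a security context, this is not merely a stale-data bug: request B runs with A's identity. Clearing the slot in finally (or a servlet filter that wraps every request) is the check to insist on in review, since set() without a matching remove() is the root cause.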

Read more

Spring Services Anywhere

I recently embarked on some Spring "re-training" (I haven't looked at it in a few years and it was time to get my skills up to scratch again). Since the last time I looked at Spring, I have worked on a couple of rich (thick) client projects where it was almost impossible to find people with both server skills and GUI skills (the market is quite good at the moment and people like me with all those skills get snapped up very quickly ). Anyway, since it is hard to find strong GUI programmers who also know how to deploy an app server and start it, it becomes desirable to be able to run the services inside the same JVM as the GUI programmer is developing in. There is then no wasted time due to EJB configurations and all the crap that comes with server development. About 18 months ago, I got around the problem by quickly implementing a clever service locator. It worked brilliantly, the only real problem being that we had a few bugs because people had developed code which worked when services were local but not when they were remote. The effort in fixing those bugs was however minimal. On my current project, we are using a proprietary framework based on Inversion of Control and Dependency Injection. Based upon its configuration, a client can call services locally or remotely too. If calling services remotely, they are invoked inside a stateless session bean which uses reflection and proxies…

Read more

Secure Remoting with Spring and JBoss

If you are faced with having to write a rich client application in a multi-tier Java EE environment, you will typically connect to the application server over RMI. In theory, you are meant to use the server's Application Client Container and deploy your application as a client in that container. You probably won't do that though, because the client container is unfriendly for many reasons. As an example, the WebSphere 6.1 Client Container is a 200 megabyte install. Client Containers tend to be started as batch commands which set up the environment in which your application will run; if, however, you have an application that is meant to be started with a sexy launcher, as is the case with Eclipse RCP applications, you will struggle to get the environment created properly by the launcher, and it's not supported by the vendor anyway. If you need to connect to the server securely (i.e. so that server-side you have a valid security context allowing you to authorise users to call given services), then I personally have never been able to get the security callback mechanism to work. Theoretically you can tell the container to call your code at the point at which it logs on to the server in order to get the credentials (e.g. you can pop up a little login window). For these reasons, I have never ever used a client container in a production environment. Instead I have repeatedly gone to the trouble of getting the client environment fit so…

Read more

OSGi – Just another fad?

In the last few weeks I have heard the term OSGi come up more and more, and one blog posting I read suggested that it was the hot topic of 2008. So I started to research a little. I am currently working heavily with the Eclipse Rich Client Platform, building applications which use services deployed to IBM WebSphere. Both these platforms are built on OSGi (the standard) and both use Eclipse Equinox (an implementation of the standard). So it must be important, right? Well, you don't have to read too much before you start to get the feeling that you have been there and done that before. One aim of OSGi is to provide a micro kernel for deploying and managing services. Well, from a high level, JMX (MBeans) already does that. Not enough? Well, there used to be a project called Apache Avalon Phoenix, which was a micro kernel, and although that project died and was resurrected as Loom from Codehaus (which incidentally has a very interesting history of Apache and Phoenix), it is still the basis of some big projects like the Apache James mail server. Other micro kernels? How about JBoss? There is a good blog article discussing how JBoss has been based on a micro kernel for some time now. The idea is nothing new and in fact in their case, OSGi does not really go far enough for them to be solely based on it. Actually, doesn't the Java EE EJB specification let you…

Read more

Eclipse Help / Infocenter – External Web Application Mode

Previously in this blog, the Eclipse Help / Infocenter was discussed and details on how to set up the help for an RCP application were given. But often you want to have the help for an application online as well as part of the product, for example if the customer does not have the latest version of the product installed. Indeed the IBM and Eclipse web sites have what they call an Infocenter: an online version of their help system. In reality, when the Eclipse Help System is running, it runs as an embedded web server within your application. So in theory, it should be possible to deploy that as a standard web application. Quoting the Eclipse Help, "The help system can run in three modes: workbench (normal), infocenter, and standalone." Normal is when it is part of your application. Infocenter is when it runs as a separate process acting as a web server. Standalone is when it is used outside of an RCP application. In fact, from Eclipse 3.4 upwards, it can also be deployed as a standard Java EE web application. This blog entry shows how to deploy that help to a standard Java EE web server, namely Tomcat 5.5. Unfortunately, at the time of writing, there is no simple way to get this running. Neither is there any good tutorial showing how to overcome the pitfalls of the descriptions provided in the Eclipse 3.4 Help (search for WAR and you will get the details). Those details…

Read more

Eclipse Help / Infocenter – Workbench Mode

Eclipse offers plugin authors the ability to add Eclipse Help to their plugins. Opening that help gives a nice window with searchable help. The following blog entry shows how to integrate help into an RCP application (or indeed a plugin or feature).

The first thing you need to do is to extend your plugin.xml to tell your plugin that you want to have help. In the source view of your plugin.xml include the following extension points:

To go with these entries, you now need to add the help folder to your plugin project. The html folder under the help folder contains simple HTML documents for each page of help that you want to write. The toc.xml file is the table of contents, which defines what appears in the left pane of the help system when it is opened. The help_contexts.xml file contains mappings from "context names" to files which are relevant for that context. Contexts are used when opening context sensitive help, for example when pressing the F1 key.

An example of the toc.xml follows:

<toc label="BookStore">
  <topic label="Introduction" href="help/html/general/overview.html"></topic>
  <topic label="Starting Up" href="help/html/general/startup.html"></topic>
  <topic label="The Process" href="help/html/general/process.html"></topic>
  <topic label="Screens">
    <topic label="Customers" href="help/html/views/Customers.html"></topic>
    <topic label="Products" href="help/html/views/Products.html"></topic>
  </topic>
  <topic label="Frequently Asked Questions" href="help/html/general/faq.html"></topic>
</toc>

An example of the help_contexts.xml follows:

<?xml version="1.0" encoding="UTF-8"?>
<!--====================================================================
  Definition of Context-Sensitive-Help (for the F1 Button)
========================================================================-->
<contexts>
  <!--====================================================================
  In the code, set the context on the control…

Read more

EJB Frustrations

This is by far not the first time I have worked on a project with EJBs (Enterprise Java Beans, see http://java.sun.com/javaee/), so why am I still amazed at the time wasted in developing them, relating to configuration issues, compile time (double compilation due to RMI requirements), the slowing down of development environments due to the vast resource requirements of application servers, and obscure error messages? That last point deserves expansion: on WebSphere, not only do you sometimes get strange CORBA related error messages on the client which have absolutely nothing to do with the problem, but you also get ORB trace files secretly dumped with no warning! And similarly on the server with the FFDC traces that get dumped, with a very simple warning message printed in the logs... I recently reviewed our current system to ensure that errors in logs were extremely concise and at the same time provided the exact details that second and third level support need to resolve problems: unique error codes, showing the customer the timestamp to report, user messages as well as technical messages in the logs for support staff, and so on. Shame application server vendors couldn't do a little more to make developing on their systems somewhat more efficient...

Read more

Login doesn’t appear to work?

I've come across the following problem in IE7 in several products, which I initially commented on at the MVN Forum forum (incidentally, MVN Forum is a great open source Java web forum). Here is a copy: First, thanks for MVNForum - I've used it before, and I have now come back 4 years later to use it again. It's perfect for an all Java platform! But I have a strange bug, which I have figured out. For some reason, with IE7, Tomcat 5.5.9 (and later), MySQL 4.1.x, I find that with IE7 only (not Firefox), it is putting the jsessionid into the URL instead of using a cookie. I have tried changing all the settings in MVN as well as in IE, but it still uses URL rewriting when using my site, even though the cookies work perfectly on this forum... I can't figure that bit out... Anyway, I debugged into MVNForum to see what was going on, and I noticed that after one enters their login details, it sends a redirect. In this redirect, the "redirect-to URL" does not contain the jsessionid, and so a new session is started. That means users cannot then do admin, or whatever, depending on user permissions, because the server thinks it's a new session and wants them to authenticate again. I used the debugger and on line 426 of com.mvnforum.user.UserModuleProcessor (right at the bottom of the process(HttpServletRequest, HttpServletResponse) method), I modified the value of the responseURI in the JVM, to include ";jsessionid=XXX" where…

Read more
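The redirect-after-login problem described in the post, shown as an added example rather than MVNForum's own code: a minimal servlet (javax.servlet, as used by Tomcat 5.5) that authenticates and then redirects. The broken line sends the bare URL, so a client that is tracking its session through the URL rather than a cookie arrives at the target without its jsessionid and gets a fresh, unauthenticated session; the fixed line passes the URL through encodeRedirectURL, which appends ;jsessionid=... only when the container cannot see that the client supports cookies. The class name, the /index target and the "username" parameter are assumptions; the authentication step itself is left out.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumed: credentials were checked earlier and succeeded.
        HttpSession session = req.getSession(true);
        session.setAttribute("user", req.getParameter("username"));

        String target = req.getContextPath() + "/index";

        // Broken: a client tracking its session in the URL loses it on this hop,
        // so the next request starts a brand-new session and the login is "forgotten".
        // resp.sendRedirect(target);

        // Fixed: let the container decide whether the session id must ride in the URL.
        // For a cookie-capable client the URL comes back unchanged.
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```

Two caveats worth keeping in mind. The Servlet API has a separate encodeURL for links written into page bodies; encodeRedirectURL is the one meant for Location headers, because the container applies different rules to the two. And a session id carried in the URL is itself a liability: it ends up in proxy and server logs, in browser history and in the Referer header of any outbound link, so once the redirect bug is fixed it is still worth finding out why that client is not being served a cookie in the first place.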