Monday, October 09, 2017

JAX-RS 2.0 Tip of the Day: Using MOXy and Forms Example on GlassFish 5.0

I have been tasked with doing some JAX-RS coding during my day job. I wanted to update my skills for JAX-RS which is one of my favorite technologies. I specifically use Jersey which I find very well done and easy to use. As a number of you may know... I am a GlassFish fan too (one just needs to look at my banner). I decided to use my trusty NetBeans 8.2 install to write a quick example.

MOXy is enabled by default if you add the dependency to your Maven project.


This is a great feature, and I wanted to give it a spin instead of using Jackson, or Jettison. The usage was as simple as adding a @XmlRootElement annotation to the model class. The rest was handled automagically.

The entire project, including a war file, is available on GitHub: jaxrs-form-data-parameters.

A simple platform-independent file is used to set up the application.


We set up a web resource (service) to handle our requests.


That's it! You now have a JAX-RS Web Service. The project runs successfully on GlassFish 5.0 (.war file on GitHub).

NOTE: MOXy has some issues running on GlassFish 4.1, 4.1.1, and 4.2.

Sunday, October 08, 2017

JSF HTML Whitespace, JS, and CSS Compression

This is the second approach to whitespace removal, JS, and CSS compression. In my article Whitespace Servlet Filter, I mentioned that I tried a number of approaches using htmlcompressor to accomplish this task.

This was my second approach which was to wrap the ResponseWriter in JSF to accomplish this task. The approach worked, but was abandoned before I finished writing some additional code to handle AJAX. This could be easily resolved with code that is similar to that found in Whitespace Servlet Filter.

This approach is very specific to JSF and relies on the project being pure JSF. The filter approach is more flexible in my judgement. I did think it was important to publish the code on GitHub though.

The code for the project can be found here: jsf-html-compressor.

Whitespace Servlet Filter

A few years ago I worked on a number of different techniques to strip the whitespace out of web pages. My goal was to come up with a solution for JSF pages. I tried a number of different solutions, but they were all based on a framework called htmlcompressor, which is a now abandoned project in the archives of Google Code. This framework used the Google Closure Compiler to handle the heavy lifting.

This solution worked flawlessly when we tested it on JSF pages, but there was a push to use pre-minified pages for static content, and leave JSF pages alone. I abandoned this project until I was using Google PageSpeed to check the speed of some pages to enhance their performance. I remembered this approach I tried back in 2011, and tried it again with great success and only minor tweaking. I have decided to publish the code on GitHub.

The project can be found here: whitespace-filter.


Friday, October 06, 2017

Embedded Tomcat 8.5

I was recently tasked with updating an embedded application that we use from Apache Tomcat 8.0.0 RC5. Yes, the project used a release candidate when it was created. I imagine it was like a number of projects where the project was being developed and the expectation was that Apache Tomcat 8.0 would be released and that they would update everything. Well that temporary solution became a permanent one. Years passed and finally a security audit brought to light that the application was out of date, and on further observation a release candidate was used.

I went back and looked at RC5, and subsequent versions including release notes. Release candidate 5 was very similar to Apache Tomcat 7. In fact, the same authentication was used. This changed in the actual 8.0 release where a new authentication mechanism was put into place. This change may have kept those early adopters from updating, because the internals would have needed a rewrite to work with the new authentication mechanism, which would have delayed the project.

I was blessed with upgrading the project, but I also needed to look at using the latest stable version of Apache Tomcat 8.5.x. After trying out some of the new code I was pleasantly surprised at how easy it was to implement a very simple application in Apache Tomcat 8 embedded.

One of the items I really like is the ability to programmatically add various web objects like servlets to the container. It was slick and easy to accomplish. Think of it like a programmatic web.xml file.
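The "programmatic web.xml" idea, as an added example that is not the code from the tomcat-8-embedded project: it registers a servlet and Tomcat's HttpHeaderSecurityFilter on an embedded Tomcat 8.5 instance. The class name, port, base directory and servlet are assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

public class EmbeddedExample { // hypothetical class name

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir("target/tomcat"); // work directory (assumed path)
        tomcat.setPort(8080);               // assumed port
        tomcat.getConnector();              // make sure the default connector exists

        // Empty context path = ROOT. addContext() registers no default
        // servlet, so nothing under docBase is served as static content.
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());

        // Equivalent of <servlet> + <servlet-mapping> in web.xml.
        Tomcat.addServlet(ctx, "hello", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                resp.setContentType("text/plain;charset=UTF-8");
                resp.getWriter().println("Hello from embedded Tomcat");
            }
        });
        ctx.addServletMappingDecoded("/hello", "hello");

        // Equivalent of <filter> + <filter-mapping> in web.xml.
        FilterDef def = new FilterDef();
        def.setFilterName("httpHeaderSecurity");
        def.setFilterClass("org.apache.catalina.filters.HttpHeaderSecurityFilter");
        def.addInitParameter("antiClickJackingOption", "SAMEORIGIN");
        ctx.addFilterDef(def);

        FilterMap map = new FilterMap();
        map.setFilterName("httpHeaderSecurity");
        map.addURLPattern("/*");
        ctx.addFilterMap(map);

        tomcat.start();
        tomcat.getServer().await(); // block until the server is shut down
    }
}
```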

The code for the sample project can be found on GitHub at: tomcat-8-embedded

Friday, September 01, 2017

Splitting a Space Separated Dataset with awk

I thought I would publish a simple script on how I split a dataset that looks like below into a CSV file which Excel could work on. The issue I was having was that Excel couldn't seem to find the spaces and use them. I would end up with extra data in columns on my Mac. Perhaps a flaw in the Excel program, or a flaw in the data, or both. However, awk digested it just fine. So here is my script to make it a little more useful for Excel. Mind you it is simple, but there are 1.7 million lines of logging, and it took about a second on my machine to convert. Slick by any measure. The problem now is that Excel is choking on the number of records to display in a chart.

Wednesday, August 09, 2017

Docker and Apple Server Service: How to use ports 80 and 443 on Mac OS X

Introduction

I was trying to deploy some Docker containers yesterday which use ports 80 and 443. OK, I will confess that I was trying to deploy WordPress or Bitnami WordPress and MySQL to containers to see if I could migrate my personal blog to WordPress. Eventually, I am hoping to migrate all of my blogs to a new blogging environment.

Problem

Well the containers would not deploy because the ports 80 and 443 were being used. A quick connection to localhost confirmed that the Apple Server.app was using these ports for running its processes. So I logged into the Server.app only to discover no way to turn it off.

Solution

Apple Server.app service is simply that... a service. The launchctl command will allow us to stop and start services. So I tried to stop the service only to discover it will automatically restart on a new PID. The only solution apparently is to unload the service temporarily. The following commands will allow you to unload and load the com.apple.serviceproxy service, and check its status. This will allow you to use Docker containers on those ports while doing your development and testing.

Sunday, August 06, 2017

Apache Tomcat Container Managed Security and HTTP Security Headers

Secure j_security_check Response Headers

Introduction

I was recently tasked with resolving a security issue with Apache Tomcat. The issue was that a series of Filter classes that were implemented in the web.xml were being bypassed when we were using container managed security, e.g. j_security_check. The filters were adding security headers:
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • X-XSS-Protection: 1; mode=block
When the response is returned, it would include these values. The filters were written prior to the org.apache.catalina.filters.HttpHeaderSecurityFilter. They duplicate the functionality, but the Apache version has a few more features. The Apache version is generally implemented in the web.xml file for the whole server, e.g., <CATALINA_HOME>/conf/web.xml. The code is really well written, and I would recommend using it except if you are using container managed security.

Issue

Container managed security, j_security_check, is implemented using a Valve. In particular, this intercepts the call and returns the form based login page which contains something like this: The resulting response does not contain the headers noted above, whether from our custom filters or from the Apache HttpHeaderSecurityFilter. Our automated security testing software, OWASP ZAP, caught it.

Solution

The easiest solution I came up with was to implement a couple of valves that add the selected response headers. I then added the Valve implementations to the <CATALINA_HOME>/conf/context.xml. Adding them to the default context.xml file allows them to be used on all applications deployed to the server. If you don't want them applied to every application, you can add them to the context.xml file in the individual project.
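One way to write such a valve, added here as an example; it is not the code from the tomcat-security-valves project. The package, class name and the frameOptions attribute are hypothetical, and it sets all three headers in a single valve rather than one valve per header.

```java
package com.example.valves; // hypothetical package

import java.io.IOException;
import java.util.Locale;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example. Sets the three headers named above on every response that
 * passes through the pipeline, so the form login page returned for
 * j_security_check carries them too. Register it in context.xml
 * (class name is hypothetical):
 *
 *   <Valve className="com.example.valves.SecurityHeadersValve"
 *          frameOptions="SAMEORIGIN" />
 */
public class SecurityHeadersValve extends ValveBase {

    private String frameOptions = "SAMEORIGIN";

    public SecurityHeadersValve() {
        super(true); // no per-thread state, so async requests are supported
    }

    // Attributes on the <Valve> element are mapped to bean setters.
    // Only DENY and SAMEORIGIN are accepted; anything else keeps the default.
    public void setFrameOptions(String value) {
        if ("DENY".equalsIgnoreCase(value) || "SAMEORIGIN".equalsIgnoreCase(value)) {
            this.frameOptions = value.toUpperCase(Locale.ROOT);
        }
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Headers cannot be added once the response is committed, so set
        // them before handing the request to the rest of the pipeline.
        if (!response.isCommitted()) {
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("X-Frame-Options", frameOptions);
            response.setHeader("X-XSS-Protection", "1; mode=block");
        }
        getNext().invoke(request, response);
    }
}
```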

The project can be found on GitHub here: tomcat-security-valves.
<dependency>
  <groupId>com.bluelotussoftware</groupId>
  <artifactId>tomcat-security-valves</artifactId>
  <version>1.0.0</version>
</dependency>

An example application using the default Apache Tomcat realm is available here: tomcat-container-managed-security

XContentTypeOptionsValve.java



XFrameOptionsValve.java



XSSProtectionValve.java


Friday, July 21, 2017

autolink-java framework

I have been looking for a good and simple "Java library to extract links (URLs, email addresses) from plain text". I was searching on GitHub and found this little gem called autolink-java by Robin Stocker (robinst).

This library was used in a proof-of-concept (POC) I was working on at work. We needed to be able to extract all of the links from a page, and display them. This includes hyperlinks and email addresses. This little gem fit the bill, and was quick to parse the text file I used.

The example requires the following Maven dependencies:
This framework extracted a list of URLs from a file that looks like this:
As you can see, it generates a nice extraction of the URLs from the surrounding text. Give it a try and let me know what you think.

The project has been uploaded to Bitbucket and can be found here: autolink-java-extractor.

Coming Back Online

It has been a while since I wrote a blog post on technology. I was trying to figure out my place in the world both professionally, and personally. Everyone has a personal journey. I think mine has just begun again. Over my short life, I have done all sorts of amazing, and some not so amazing things.

One of the things I know is that I need to get back to technology blogging. I have been using all sorts of cool technology, and some frameworks that get things done. Are they always the best... not always, but they solve problems that we face as developers. Sometimes we need something to convert a File to a List<String> object. Sometimes it is reading a list of String values and finding a URL in the list.

Hopefully, I can give some talented developers a kudo for a good tool, or framework. Perhaps this will be my way of saying thank you.
