Embedded Tomcat 8.5

I was recently tasked with updating an embedded application that we use from Apache Tomcat 8.0.0 RC5. Yes, the project used a release candidate when it was created. I imagine it was like a number of projects where the project was being developed and the expectation was that Apache Tomcat 8.0 would be released and that they would update everything. Well that temporary solution became a permanent one. Years passed and finally a security audit brought to light that the application was out of date, and on further observation a release candidate was used.

I went back and looked at RC5, and subsequent versions including release notes. Release candidate 5 was very similar to Apache Tomcat 7. In fact, the same authentication was used. This changed in the actual 8.0 release where a new authentication mechanism was put into place. This change may have prevented those early adopters from updating the project since the authentication mechanism would have delayed the project since the internals would have needed a rewrite.

I was blessed with upgrading the project, but I also needed to look at using the latest stable version of Apache Tomcat 8.5.x. After trying out some of the new code I was pleasantly surprised at how easy it was to implement a very simple application in Apache Tomcat 8 embedded.

One of the items I really like is the ability to programmatically add various web objects like servlets to the container. It was slick and easy to accomplish. Think of it like a programmatic web.xml file.

The code for the sample project can be found on github at: tomcat-8-embedded

Apache Tomcat Container Managed Security and HTTP Security Headers

Secure j_security_check Response Headers

Introduction

I was recently tasked with resolving a security issue with Apache Tomcat. The issue was that a series of Filter classes that were implemented in the web.xml were being bypassed when we are using container managed security, e.g. j_security_check. The filters were adding security headers:

• X-Content-Type-Options: nosniff
• X-Frame-Options: SAMEORIGIN
• X-XSS-Protection: 1; mode=block

When the response is returned, it would include these values. The filters were written prior to the org.apache.catalina.filters.HttpHeaderSecurityFilter. They duplicate the functionality, but the Apache version has a few more features. The Apache version is generally implemented in the web.xml file for the whole server, e.g., <CATALINA_HOME>/conf/web.xml. The code is really well written, and I would recommend using it except if you are using container managed security.

Issue

Container managed security,j_security_check, is implemented using a Valve. In particular, this intercepts the call and returns the form based login page which contains something like this: The resulting response does not contain the headers noted above using either our custom filters, nor from the Apache HttpHeaderSecurityFilter. Our automated security testing software, OWASP Zap caught it.

Solution

The easiest solution I came up with was to implement a couple of valves that add the selected response headers. I then added the Valve implementations to the <CATALINA_HOME>/conf/context.xml. Adding them to the default context.xml file allows them to be used on all applications deployed to the server. If you don't want applied to every application, you can add it to the context.xml file in the individual project.

The project can be found on Github here: tomcat-security-valves.

<dependency>
  <groupId>com.bluelotussoftware</groupId>
  <artifactId>tomcat-security-valves</artifactId>
  <version>1.0.0</version>
</dependency>

An example application using the default Apache Tomcat realm is available here: tomcat-container-managed-security

XContentTypeOptionsValve.java

---

XFrameOptionsValve.java

---

XSSProtectionValve.java

---

Book Review: Murach's Java Servlets and JSP

Cyndi Vasquez sent me this title a while back. I have been so bogged down that I finally got a chance to look at it. Thanks Murach... this is a good book.

The book is written in a style that many will either love, or hate. I personally am on the former. The pages on the left side are an explanation of the technical matter, and the right side are examples. The book is designed to guide you from front to back on an adventure into programming. Along the safari, I assure you will be pleased. The quarry is knowledge and this book is the tool to capture it.

The books is divided into five sections which will take you from absolute beginner to accomplished Servlet and JSP aficionado. It will even teach you a little about databases, and JSF along the way. There are two appendices that will show you how to set up your computer either Mac, or PC before you get started on your journey.

One of the thrills about this book is the use of NetBeans. I believe that NetBeans is the easiest tool for developing web based applications using Servlets and JSP. It also is my preferred tool for Java development in general. The book not only teaches you about the essentials of the title technologies, but helps you gain an in-depth knowledge of a valuable IDE that you can bank your career on.

Section one covers the basics of the technology and the MVC pattern. This is followed by a crash course on HTML, CSS, and web technologies based on Java.  The 8th chapter on EL is a great reference for how to use this important technology in your web applications.

Section three covers essential database skills to get you started with web development. These skills are the bare minimum to get started, but are complete for the purpose of this book. Keep in mind, these are the basics.

Section four is the meat of the book. This covers the advanced Servlet and JSP skills. It also covers some additional technologies like JSF. My favorite parts of this section are chapters 18, 19, and 20. The HTTP Request and Response skills are something every developer should strive to make sure they understand. Chapter 19 covers listeners which are truly your friends. Chapter 20 covers another often misused, abused, and otherwise fantastic technology. The filter can make your life as a web developer a great pleasure, or a rabbit hole in which you feel like Alice in Wonderland.

The final concluding section five puts all of the pieces together in a Music Store website. The Music Store website uses most of the technologies covered, and takes the learner to the next level with clear and concise directions.

Overall this is a great book for anyone interested in learning about Servlet and JSP technology. Please keep in mind that all Java web technologies are based on the Servlet foundation. JSF is nothing more than a veneer on top of this technology as an example.

JSF 2.2 Tip of the Day: Hidden Field Validation

Hidden Mines

Introduction

How often do you have validators on your hidden fields? I recently performed a security audit of an application that did not have validators associated with the hidden fields on the page. I suspect that the out of sight, out of mind mentality prevailed. Admittedly, I have often short circuited some development and put hidden fields in a JSF page without a validator. My expectation is that the data in the field would be used to provide information that may be needed by the application. However, if these fields have setters... and the results are stored in a database... I think you get the picture.

Methodology

I decided to create a more complex than really necessary example to show how to validate a <h:inputHidden /> field. In the example, you can enter names into an <h:inputText /> which will use JavaScript to update the hidden field. The validation will be activated on form submission. Additionally, a value change listener will update the planet name, and update the planet to the new planet. The validation will prevent putting in planets that don't exist in the enum for current Planets. You can confirm this by entering a bogus name, or poor Pluto that was kicked out of the planetary club.

Code

The code for this example was developed using NetBeans 8.0 IDE on GlassFish 4+ and Apache Tomcat 8+ using JSF 2.2 (Mojarra).

The code for the project can be downloaded from Bitbucket: hidden-field-validation

Planets.java

---

PlanetValidator.java

---

IndexBean.java

---

index.xhtml

---

Tomcat 7: Custom Valve

I was asked today by a colleague for some help on creating a valve for use with Apache Tomcat 7. I had never done one before, so I thought I would give it a quick try. +Craig McClanahan  had done a great job on creating a simple mechanism for creating a Valve with a lot of the heavy lifting done by ValveBase.

Creating your own valve is really simple using NetBeans 7.2.1 along with Apache Maven.

1. Create a Maven Java Application.
2. Add the following dependency:
   
3. Create your Java class and extend it from ValveBase.
4. Implement invoke(Request request, Response response)
5. Build your library (.jar) file
6. Install the library in the ${tomcat.home}/lib directory.
7. Configure server.xml to use your new Valve. For example:
   
8. Start the server to see your new valve in action

Here is my simple example.

ProcessingValve.java

Here is the output...

INFO: Server startup in 1442 ms
Dec 27, 2012 5:54:01 PM com.bluelotussoftware.tomcat.ProcessingValve invoke
INFO: Header --> host Value --> localhost:8080
Dec 27, 2012 5:54:01 PM com.bluelotussoftware.tomcat.ProcessingValve invoke
INFO: Header --> host Value --> localhost:8080
Dec 27, 2012 5:54:01 PM com.bluelotussoftware.tomcat.ProcessingValve invoke
INFO: Header --> host Value --> localhost:8080
Dec 27, 2012 5:54:01 PM com.bluelotussoftware.tomcat.ProcessingValve invoke
INFO: Header --> host Value --> localhost:8080

As you can see it was very easy to implement. Here is the code for my example: valve-example.zip

The source can also be found on Bitbucket: valve-example

JSF 2.1.x on Tomcat 6.0

Why does it need to be so difficult to find the right combinations of voodoo to make enterprise applications work? I don't really want an answer. It is just a rhetorical question.

Cay Horstmann has a really good blog entry on JSF 2.0 and Tomcat. It is from a couple of years ago though.

I thought that I would add a little more information to well of knowledge. I have JSF 2.1.1-b04 running on Tomcat 6.0.32 with the addition of new EL (Expression Language) libraries and a context parameter to the web.xml

pom.xml

---

        <dependency>
            <groupId>javax.el</groupId>
            <artifactId>el-api</artifactId>
            <version>2.2.1-b04</version>
        </dependency>
        <dependency>
            <groupId>org.glassfish.web</groupId>
            <artifactId>el-impl</artifactId>
            <version>2.2.1-b05</version>
        </dependency>

web.xml

---

    <context-param>
        <param-name>com.sun.faces.expressionFactory</param-name>
        <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
    </context-param>

These minor additions allow you to take full advantage of JSF 2.1.x EL syntax. This includes the capability to include parameters to your EL methods such as the action in the h:commandButton below:

        <h:form id="form1">
            <h:inputText id="inputText1" value="#{indexBean.message}"/>
            <h:commandButton id="commandButton1" type="submit" value="Submit" 
                             action="#{indexBean.someAction(value)}"/>
        </h:form>

Book Review: Pro Netbeans IDE 6 Rich Client Platform Edition

Disclaimer: Adam Myatt and I have been on the JavaOne 2008 and 2009 Tools and Languages Review Committee. I don't believe that there is any predjudice for/against the book, but in the interest of disclosure I thought it important to mention. Don't you wish politicians had that much honesty?

I had the pleasure of reading the Pro NetBeans IDE 6 Rich Client Platform Edition book by Adam Myatt. I had read it a while ago, but I did not have the time to do a review on it. The book is sixteen chapters long, and covers a variety of topics from download and installation to developing rich client applications. The book covers version 6/6.1 of NetBeans, but there is significant applicability to version 6.5 to make it worth purchasing.

The book has a primary target of new users to the NetBeans IDE. It is designed to take you from novice user to power user in a systematic organized way. The book is sufficiently modular that you can choose to read individual modules, or go from cover to cover. The chapters stand on their own so that you do not need to worry about missing something in a previous chapter if you decide to browse.

Based on the easy reading style and effectiveness of communicating complex topics, I would give the book (4/5) stars.

Chapter 1:
Downloading, Installing, and Customizing NetBeans

This chapter covers the basics of installation, and explains a number of options available for configuration.

Chapter 2:
The Source Editor

Here we cover the basics of the source code editor and its windows. It also covers some interesting features of the source editor like the error stripe and annotation glyphs. The error stripe allows the user to go directly to any errors which are in the code. The annotation glyph provides the user with suggestions. These may be as simple as reminding you to mark @Override on an overridden method.

One of the best discussions in the chapter has to do with built-in and custom macros you can create to simplify coding tasks. This was a great explanation of how it works.

Chapter 3:
Code Completion and Templates

Code completion is what makes an IDE so valuable. This chapter covers the NetBeans code completion technology in detail.

It also covers code templates which are a boon to any developer who learns to use them. Adam really explains this in a manner that makes them easy to learn and use.

Chapter 4:
Debugging

I thought I was fairly sophisticated in my use of debugging. This chapter made me feel inadequate. After reading it and implementing some of the ideas, I feel I am back to being an expert.

Note: I found one error on page 95. The third paragraph has Run --> Run File -->Run Debug Evaluate Expression. It should be Run --> Run File --> Run to Cursor.

I would buy the book for this chapter alone.

Chapter 5:
Profiling

This chapter covers profiling for performance. Sun and NetBeans has spent a lot of time creating this technology (like DTrace), instrumenting, and providing tools. It is a shame that they really have not promoted these capabilities to the developer community.

Adam has spent a lot of time detailing profiling and providing great examples to get you into it. His explanations may be enough to encourage developers to use these really great tools.

This chapter also includes how to profile remote JVMs and application servers. It is a really slick explanation and demo.

Chapter 6:
Managing Version Control

This chapter covers version control system implementations in NetBeans. It covers CVS and Subversion. Since the book was written, the Subversion implementaion has had numerous improvements. NetBeans 6.1 and 6.5 also include support for Mercurial.

Chapter 7:
Generating and Accessing Javadoc

This chapter covers Javadocs and tools in the IDE to make Javadocs easier to create. I must admit I thought they were already easy, but there are some features to make it even easier including code completion.

Chapter 8:
Managing Builds with Ant and Maven

This covers Apache Ant and Maven implementations in NetBeans. Adam covers some of the features of Ant with a high degree of skill. He covers the NetBeans implementation very well.

The section on Maven is a weak spot in the book. In fairness, the version of NetBeans which the book was based on had poor Maven capabilites. Version 6.5 of NetBeans has much better tools for handling Maven.

Chapter 9:
JUnit Testing

This chapter covers JUnit testing. This is another chapter that is a little to weak. NetBeans 6.0, 6.1, and 6.5 have some really great implementations for doing JUnit testing. This chapter does not do it justice.

Chapter 10:
Refactoring

This chapter covers refactoring. NetBeans has some really great refactoring tools.

JetBrains IntelliJ IDEA is the gold standard for refactoring, but each generation of NetBeans brings it one step closer.

There are some comprehensive explanations of how to use the refactoring tools in NetBeans. If you want to master the IDE, this chapter, and chapters 4, and 11 are a must.

Chapter 11:
Code Quality Tools

This chapter covers some of the really great plugins that are available for NetBeans including: Checkstyle, PMD, and SQE (FindBugs). If you are not using these static analysis tools in your code, you are doing yourself and customers a disservice. This chapter covers the tools in enough detail to get your interest. These plugins are in constant development, and you should check the latest versions and updates out.

These tools will make your code much better. You as a developer need to understand why. When Checkstyle marks code as a "Magic Number", you need to read the explanation. Understanding the why will help you to avoid these problems in your future code.

Chapter 12:
Developing JRuby/Ruby on Rails Applications

This chapter covers developing JRuby, and Ruby-on-Rails (RoR) applications using NetBeans. The chapter is not designed to teach you to program in Ruby, but to show you what features are available in the IDE. The NetBeans support for Ruby is fantastic. A number of other IDE developers are trying to emulate the functionality. I think that most Ruby developers will find that the support is a quantum leap in terms of ease and functionality over more traditional tools.

There is a note on page 297 which explains a really neat feature. If an existing application is deployed using Webrick, or Mongrel on port 3000, the IDE will increment the port number to prevent port in use errors.

Chapter 13:
Developing Web Applications

This is a long chapter covering web application development. The first part of the chapter covers the functionality of the IDE in terms of what features it provides. This includes items like the Javascript and CSS editors. Both of these tools are really useful.

The Javascript editor and debugger have been vastly improved in NetBeans 6.5.

The CSS editor with a change viewer make designing, or changing a CSS file a snap.

The chapter also covers the application server features and HTTP monitor. Specifically it covers Apache Tomcat and GlassFish. It explains how to add additional servers like JBoss, or Websphere to allow those server deployments.

The second half of the chapter covers web application development frameworks. The section covers Struts, Struts 2, Visual Java Server Faces (JSF) (Project Woodstock), and JMaki.

The Struts and Struts 2 section is relatively small. It provides the user with the basics of how to create and use Struts based projects.

The section on Visual JSF development is extensive and makes the book worth purchasing. The explanation on how to get started will set you on the right path. The section on visual data binding is elegant and simple. It also covers the Visual Database Query Editor. This functionality has been updated in NetBeans 6.5, but the explanation here still applies.

Note: Visual JavaServerFaces (JSF) development in NetBeans has been frozen. The promise of Project Woodstock in a version 4.3 release and beyond has been abandoned officially by Sun. The current supported version is 4.2. It will continued to be supported by the NetBeans team for the foreseeable future. The push by Sun is to provide support using third party providers of JSF components. The best of these providers is ICEFaces. They have a really great set of components, and have provided a transition plan for Project Woodstock developers.

The section on JMaki is too brief to really provide a great explanation of this great technology.

Chapter 14:
Developing Web Services: JAX-WS, SOA, BPEL, and RESTful

This chapter covers JAX-WS, SOA, BPEL, and RESTful services. These projects have undergone extensive updates which makes the information here slightly dated. The basic procedures are the same, but there are better tools in NetBeans 6.5.

Chapter 15:
Developing GUI Applications

This chapter covers GUI application development. It is the best aggregation on the subject I have seen. There are a number of tutorials on the NetBeans site, and some good explanations of the features, but this is the best explanation I have seen. There is a great tutorial example of how to use the various components of the IDE to do visual Swing development. I was impressed and learned some new things too.

There is a section on the Swing Application Framework (JSR-296) which is the best I have seen. This technology is supposed to make Swing development easier. I used the information in here to create an enterprise wide application in 1/4 of the time it normally takes. It was also less error prone since the framework handles threading and concurrency issues.

Note: On page 427 there is a code example that has the user add a showHelloWorld method. There is a missing variable that needs to be added. It should have:

private JDialog helloWorldBox;

There is another section on Beans Binding (JSR-296) which covers another ease of use technology for Swing. It allows the developer to bind data components to Swing components in an easy and consistent way. The explanation here of the technology combined with JSR-295 makes Swing development easy. It also covers the Database Table Editor to make modifying tables easy to use as part of the binding process.
Note: Page 431, last paragraph indicates that you can use the DOUGHNUTS table node to use the table editor, this is not correct. You must open the table, and select a column to open the table editor.

Note: Page 442, to use the validator you have created, you must compile the code first. Either by selecting the class itself and compiling it, or clean and building your project.

I personally found that the GUI project development section was crucial to me for using these great new technologies, and development of a successful enterprise Swing application.

Chapter 16:
Developing Rich Client Applications

This chapter covers the development of Rich Client Platform applications using the NetBeans platform as the base for your application. This section provides an introduction to the technology, and the basics of how to create your own branded rich client applications.

Summary:

I would recommend this book to anyone who wants to learn more about the NetBeans IDE.

Based on the easy reading style and effectiveness of communicating complex topics, I would give the book (4/5) stars.

Running Woodstock 4.1 on Apache Tomcat 6.x

This is part of a comment I posted previously, but I thought it might worth mentioning with some details

To get the components to work with Apache you will need to download the Sun JSF 1.2 RI and install it in the lib directory. You will also need the Java Standard Tag Library (JSTL) implementation. The Apache JSTL 1.1 implementation needs to be installed in the lib directory.

Once these libraries are installed, you may check that the Woodstock libraries will run by installing the Woodstock examples.

Once these steps are completed and you run the examples you should see this this page