
Thursday, February 22, 2018

Validating a Domain Name using Commons-Validator

A quick example of using DomainValidator to validate a domain name.

Thursday, November 16, 2017

JSF 2.3 Tip of the Day: Single Select Menu Item Example

One of my new colleagues is new to JSF development, and asked for some assistance in creating a JSF <h:selectOneMenu/> which had a blank option. I came up with a quick example using JSF 2.3 and CDI on GlassFish 5.0.

The web page (index.xhtml) looks like the following:

The backing bean (IndexBean.java) contains the list of items for the menu and the logic to hold the selected value:


All in all a very simple example. I was asked what my dependencies looked like so here is the one last piece.


The NetBeans Maven project can be downloaded here: jsf23-cdi-selectonemenu-example

Monday, October 09, 2017

JAX-RS 2.0 Tip of the Day: Using MOXy and Forms Example on GlassFish 5.0

I have been tasked with doing some JAX-RS coding during my day job. I wanted to update my skills for JAX-RS which is one of my favorite technologies. I specifically use Jersey which I find very well done and easy to use. As a number of you may know... I am a GlassFish fan too (one just needs to look at my banner). I decided to use my trusty NetBeans 8.2 install to write a quick example.

MOXy is enabled by default if you add the dependency to your Maven project.


This is a great feature, and I wanted to give it a spin instead of using Jackson, or Jettison. The usage was as simple as adding a @XmlRootElement annotation to the model class. The rest was handled automagically.

The entire project, including a war file, is available on GitHub: jaxrs-form-data-parameters.

A simple platform independent file is used to set up the application.


We set up a web resource (service) to handle our requests.


That's it! You now have a JAX-RS Web Service. The project runs successfully on GlassFish 5.0 (.war file on GitHub).

NOTE: MOXy has some issues running on GlassFish 4.1, 4.1.1, and 4.2.

Friday, October 06, 2017

Embedded Tomcat 8.5

I was recently tasked with updating an embedded application that we use from Apache Tomcat 8.0.0 RC5. Yes, the project used a release candidate when it was created. I imagine it was like a number of projects where the project was being developed and the expectation was that Apache Tomcat 8.0 would be released and that they would update everything. Well that temporary solution became a permanent one. Years passed and finally a security audit brought to light that the application was out of date, and on further observation a release candidate was used.

I went back and looked at RC5, and subsequent versions including release notes. Release candidate 5 was very similar to Apache Tomcat 7. In fact, the same authentication was used. This changed in the actual 8.0 release where a new authentication mechanism was put into place. This change may have prevented those early adopters from updating the project since the authentication mechanism would have delayed the project since the internals would have needed a rewrite.

I was blessed with upgrading the project, but I also needed to look at using the latest stable version of Apache Tomcat 8.5.x. After trying out some of the new code I was pleasantly surprised at how easy it was to implement a very simple application in Apache Tomcat 8 embedded.

One of the items I really like is the ability to programmatically add various web objects like servlets to the container. It was slick and easy to accomplish. Think of it like a programmatic web.xml file.

The code for the sample project can be found on github at: tomcat-8-embedded

Friday, September 01, 2017

Splitting a Space Separated Dataset with awk

I thought I would publish a simple script on how I split a dataset that looks like below into a CSV file which Excel could work on. The issue I was having was that Excel couldn't seem to find the spaces and use them. I would end up with extra data in columns on my Mac. Perhaps a flaw in the Excel program, or a flaw in the data, or both. However, awk digested it just fine. So here is my script to make it a little more useful for Excel. Mind you it is simple, but there are 1.7 million lines of logging, and it took about a second on my machine to convert. Slick by any measure. The problem now is that Excel is choking on the number of records to display in a chart.

Sunday, August 06, 2017

Apache Tomcat Container Managed Security and HTTP Security Headers

Secure j_security_check Response Headers

Introduction

I was recently tasked with resolving a security issue with Apache Tomcat. The issue was that a series of Filter classes that were implemented in the web.xml were being bypassed when we are using container managed security, e.g. j_security_check. The filters were adding security headers:
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • X-XSS-Protection: 1; mode=block
When the response is returned, it would include these values. The filters were written prior to the org.apache.catalina.filters.HttpHeaderSecurityFilter. They duplicate the functionality, but the Apache version has a few more features. The Apache version is generally implemented in the web.xml file for the whole server, e.g., <CATALINA_HOME>/conf/web.xml. The code is really well written, and I would recommend using it except if you are using container managed security.

Issue

Container managed security, j_security_check, is implemented using a Valve. In particular, this intercepts the call and returns the form based login page which contains something like this: The resulting response does not contain the headers noted above, either from our custom filters or from the Apache HttpHeaderSecurityFilter. Our automated security testing software, OWASP ZAP, caught it.

Solution

The easiest solution I came up with was to implement a couple of valves that add the selected response headers. I then added the Valve implementations to the <CATALINA_HOME>/conf/context.xml. Adding them to the default context.xml file allows them to be used on all applications deployed to the server. If you don't want them applied to every application, you can add them to the context.xml file in the individual project.
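A minimal sketch of such a valve, as an added example; it is not the code from the tomcat-security-valves project. The package, class name and the `frameOptions` attribute are hypothetical, and it assumes Tomcat 8.5 (`javax.servlet`) on the classpath.

```java
package example.valves; // hypothetical package, not the project's own

import java.io.IOException;
import javax.servlet.ServletException; // jakarta.servlet on Tomcat 10 and later
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Adds the three headers discussed above to every response passing through
 * the pipeline, including the form login page served for j_security_check.
 *
 * Registered in <CATALINA_HOME>/conf/context.xml or a per-application
 * META-INF/context.xml:
 *   <Valve className="example.valves.SecurityHeadersValve" frameOptions="SAMEORIGIN"/>
 */
public class SecurityHeadersValve extends ValveBase {

    // Set from the XML attribute of the same name through the bean setter below.
    private String frameOptions = "SAMEORIGIN";

    public SecurityHeadersValve() {
        super(true); // the valve does no per-request blocking work, so async is safe
    }

    public String getFrameOptions() {
        return frameOptions;
    }

    public void setFrameOptions(String value) {
        // Accept only the two values this example supports; keep the default otherwise.
        if ("DENY".equalsIgnoreCase(value) || "SAMEORIGIN".equalsIgnoreCase(value)) {
            this.frameOptions = value.toUpperCase();
        }
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Headers must be set before delegating: once a later valve or the
        // application commits the response, setHeader() has no effect.
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", frameOptions);
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // Hand the request to the next valve in the pipeline.
        getNext().invoke(request, response);
    }
}
```

Requesting a protected page without a session and inspecting the headers on the login form response confirms whether the valve is active.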

The project can be found on Github here: tomcat-security-valves.
<dependency>
  <groupId>com.bluelotussoftware</groupId>
  <artifactId>tomcat-security-valves</artifactId>
  <version>1.0.0</version>
</dependency>

An example application using the default Apache Tomcat realm is available here: tomcat-container-managed-security

XContentTypeOptionsValve.java



XFrameOptionsValve.java



XSSProtectionValve.java


Friday, July 21, 2017

autolink-java framework

I have been looking for a good and simple "Java library to extract links (URLs, email addresses) from plain text". I was searching on Github and found this little gem called autolink-java by Robin Stocker (robinst).

This library was used in a proof-of-concept (POC) I was working on at work. We needed to be able to extract all of the links from a page, and display them. This includes hyperlinks and email addresses. This little gem met the bill, and was quick to parse the text file I used.

The example requires the following maven dependencies:
This framework extracted a list of URLs from a file that looks like this:
As you can see, it generates a nice extraction of the URLs from the surrounding text. Give it a try and let me know what you think.

The project has been uploaded to Bitbucket and can be found here: autolink-java-extractor.

Thursday, August 04, 2016

How to Generate an SHA-2 (SHA-256) Self-Signed Certificate in Java

I was working on a couple of SSL based issues when I made a couple of observations. The default self-signed key generation in Java does not meet today's requirements for web development.

SHA-1 based certificates (default) are no longer going to be accepted by the majority of browsers. Microsoft has set a deadline of February 2014, Mozilla, and Chrome on 1 January 2017.

Additionally, a key size of less than 2048 is considered insecure as well, so we need to make sure the key size is at least 2048.

So how do you generate a SHA-2 (SHA-256) certificate in Java? Here is an example below.
keytool -genkey -alias example -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -keystore keystore.jks
In this example we create a certificate with validity of 10 years. The -sigalg SHA256withRSA is used to set it to SHA-256.

Tuesday, June 28, 2016

Abuse Report Format (ARF) Message Generator

I have been working on testing a feedback loop, and wanted a simple mechanism to do the testing.

I was surprised that I couldn't find any framework when I was searching to do it. As any good developer, I decided to write my own way of testing it.

The Abuse Report Format (ARF) Message Generator takes a raw email, and sends it back to the server that sent it as an abuse feedback report.

The code requires JavaMail API and Sun DSN API.

The project includes a custom mailcap file to handle the new ARF report format.

The code is located on Github including the sample usage here: arf-message-generator

Friday, June 24, 2016

Log4j2 java.util.logging (JUL) Adapter Example

Introduction


I was looking for an example of how to implement the java.util.logging (JUL) adapter in a project. This would almost seem to be a no brainer of an idea with lots of examples of how to do it. Alas, I didn't find much of anything. So I thought I would share some wisdom of how to implement the JUL Adapter.

Implementation


You need to tell the application to use the JUL adapter. There are two easy ways to accomplish this.
  1. The easiest is to pass a VM option to the application: -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
  2. Alternatively, you can use a static initializer in your class. This is important because the value needs to be set before the logger is called.

The code for the project can be found on GitHub here: log4j2-jul-example

Code


Thursday, March 24, 2016

JSF 2.2 Tip of the Day: Using Hibernate Validators with JSF

Introduction

Hibernate validators offer a plethora of validators to make your development work much easier. Some of the common ones that are used are @NotNull, @NotBlank, and @NotEmpty. To take advantage of these validators, and avoid some misconceptions, a little information needs to be provided.

@NotNull

Everyone likes this particular annotation, and it can be a real life saver. However something that often catches developers using it on JSF is that JSF treats empty form fields as empty strings. This is not the same as null. So if you want JSF to capture these values and treat them as null values, you need to tell JSF to do so. This is accomplished by adding the following context parameter to the web.xml file.
    <context-param>
         <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
         <param-value>true</param-value>
    </context-param>
Once this is added to the context, all blanks will be treated as null values. Be mindful of any side effects created from this change.

@NotEmpty

This validator causes a lot of confusion. The value cannot be null, but can be any character including whitespace, e.g. you can enter a space, and it will accept it.

@NotBlank

This is the most useful annotation from my standpoint. This makes sure that the input is not null, and is not an empty string like white spaces. This is really what I think most developers are really after anyway. They want to make sure that users fill in form fields.

Code

The code for this project can be found on Github, and includes some additional bonus code such as using locales, and custom messages. The code can be found here: jsf-hibernate-validator.


Tuesday, March 22, 2016

JSF 2.2 Tip of the Day: Using ValueExpressions and VariableMapper to set EL using a PhaseListener

The title seems like a mouthful, and it is. I had some code which I used to demonstrate how to set EL values using a PhaseListener. I was going to delete the code when I decided that it was the second time someone in a short span of time asked me the same question, and I should post how to do it.

The use of a PhaseListener to set EL values seems to the casual observer like Voodoo magic. You will see the EL expressions on the page, and they magically seem to populate. In some ways it is like a classical interceptor which can make your code really seem magical, and lead to confusion. This approach though has its place, and if used correctly can solve a lot of issues. One example is determining if a <ui:include src="XXX" rendered="#{EL_VARIABLE_HERE}" /> should render.

It can also be used to set the src value on the fly. An always popular question on how to resolve.

The project can be found on GitHub here: jsf-ve-phaselistener

So the output looks like a nice set of name value pairs using the Greek alphabet as variable names.



Sunday, March 20, 2016

Google Guava IP and Hostname Validation

I was trying to come up with a way to validate hostnames and IP addresses. I didn't want to spend time trying to do it myself. I figured that this should be a common situation, and likely someone had already written a tool to do just such a thing. I was right. Google Guava has a couple of interesting classes that do exactly what I was looking for.

For folks who may not be familiar with Guava, it is a framework of really helpful utilities that can be used for a variety of situations. Most folks who use Guava in my experience use the collections classes. However, there is a boon for anyone who digs a little deeper.

We will use two specific classes from the Guava framework to do our validations. The first is InternetDomainName which is used to validate the domain name. The other is InetAddresses to check our IP address for validity.

There are some caveats to the InternetDomainName class which are explained here: InternetDomainNameExplained.

In the code below, we see that it is very easy to use and it works very well.

Sunday, September 06, 2015

Book Review: Murach's Java Servlets and JSP

Cyndi Vasquez sent me this title a while back. I have been so bogged down that I finally got a chance to look at it. Thanks Murach... this is a good book.

The book is written in a style that many will either love, or hate. I personally am on the former. The pages on the left side are an explanation of the technical matter, and the right side are examples. The book is designed to guide you from front to back on an adventure into programming. Along the safari, I assure you will be pleased. The quarry is knowledge and this book is the tool to capture it.

The book is divided into five sections which will take you from absolute beginner to accomplished Servlet and JSP aficionado. It will even teach you a little about databases, and JSF along the way. There are two appendices that will show you how to set up your computer either Mac, or PC before you get started on your journey.

One of the thrills about this book is the use of NetBeans. I believe that NetBeans is the easiest tool for developing web based applications using Servlets and JSP. It also is my preferred tool for Java development in general. The book not only teaches you about the essentials of the title technologies, but helps you gain an in-depth knowledge of a valuable IDE that you can bank your career on.

Section one covers the basics of the technology and the MVC pattern. This is followed by a crash course on HTML, CSS, and web technologies based on Java.  The 8th chapter on EL is a great reference for how to use this important technology in your web applications.

Section three covers essential database skills to get you started with web development. These skills are the bare minimum to get started, but are complete for the purpose of this book. Keep in mind, these are the basics.

Section four is the meat of the book. This covers the advanced Servlet and JSP skills. It also covers some additional technologies like JSF. My favorite parts of this section are chapters 18, 19, and 20. The HTTP Request and Response skills are something every developer should strive to make sure they understand. Chapter 19 covers listeners which are truly your friends. Chapter 20 covers another often misused, abused, and otherwise fantastic technology. The filter can make your life as a web developer a great pleasure, or a rabbit hole in which you feel like Alice in Wonderland.

The final concluding section five puts all of the pieces together in a Music Store website. The Music Store website uses most of the technologies covered, and takes the learner to the next level with clear and concise directions.

Overall this is a great book for anyone interested in learning about Servlet and JSP technology. Please keep in mind that all Java web technologies are based on the Servlet foundation. JSF is nothing more than a veneer on top of this technology as an example.

Wednesday, April 01, 2015

JSF 2.2 Tip of the Day: p:passthrough and How to use it

I was asking my team to go through their JSF pages, and to update the XML namespaces to use the latest namespace from the JSF 2.2 specification. While I was looking at the code, I found a number of instances where developers were adding attributes like name to <h:commandButton /> and NetBeans correctly was identifying that there is an issue with that.

Fortunately, some of these attributes were passing through to the underlying page without needing p:passthrough. However, you should not rely on such functionality to work. If the VDL Document does not show it as an attribute, you shouldn't expect it to work.

Alright, so how do we do it correctly?

There is no magic here. It is simply a matter of adding the attribute with a prefix of p:, for example p:name="someName" for the name attribute. This will result in the attribute being passed through the renderer and added to the resulting output.

So I have an example, and the resulting output.

The resulting output will run the JavaScript associated with the passed through attributes, or set the CSS styling. Very simple and easy to implement.

Monday, March 30, 2015

Customizing Blogger

Introduction

I want to start by blaming Markus Eisele for my misadventures. I was looking at his blog and liked the makeover he gave it. I did find the template he was using, but decided that I would write my own. Well I thought this should be an easy thing to do. I severely underestimated the challenge of making a custom template for myself. It turns out that one of the easiest things turns out to be the hardest. Alright Markus you are off the hook... it may just be my bravado, and belief I can build a better mousetrap that led me down the long lonesome road.

Google is well known for having good and sometimes great APIs for their technology. Blogger is an exception to that rule. There is not one clear cut schema for their layout that I can find ironically using Google itself. You figure with all of the templates and bloggers that this would be covered ad nauseam. It is not though.

Technologies

I was looking for a simple and elegant framework to make my blog sites look professional, and also make them portable. I had the following requirements:
  1. Mature framework
  2. Can be found on a CDN
  3. Easy to use
  4. Simple to implement
  5. Well Documented
  6. Lots of examples
  7. Flexible
  8. Customizable
  9. Responsive UI
  10. HTML5
  11. Portable
  12. JSF Compatible
  13. Works with NetBeans IDE for Tooling
I looked at a number of frameworks including Foundation, and Bootstrap. I ended up choosing Foundation since it seemed to be easier to use for me. Your mileage may vary.

The first thing I wanted to know was what was the minimum required for a template on Blogger. I discovered that there are a couple of versions of the template: an HTML 4.01 version (v.1) and an HTML 5 version (v.2) which are somewhat a hybrid mix of XML, and (X)HTML. I published the basic templates on Gist as shown below.

I have a couple of different blogs and found them to be different so I thought I would share my findings.

The next thing I needed to find out was what was the minimal template I would need for using with Foundation. The template below uses a CDN to deliver the required JS/CSS. The template below is the culmination of a lot of work to make it work with the visual tools on Blogger. Remember to backup your existing template before installing mine.

Conclusion

I finally have a working blog site using the new template, and will update all of my sites to use it. My personal non-technical blog site was the first to use the new template. It is still a work in progress, but it looks very nice. Take a peek for yourself at John Yeary Blogger site.

I have compiled a list of links that I found helpful in trying to figure out their layouts and tags in the references below.

References

Tags

Template References

Additional References

Friday, March 27, 2015

A Simple Method to invoke @PreDestroy on a Class

I was experimenting with how to invoke a @PreDestroy annotated method in a class. This approach will work with other annotations as well.

Friday, December 26, 2014

ExecutorService Conundrum

I was asked by someone to solve a problem with threads that they were having. They wanted to cancel a Future that was sent to an ExecutorService. I told them to look at previous posts I had done on the subject. However, they insisted that this was different. So I took a look at the code. Alas, it was slightly different, but like most folks including me, they were too close to the problem to see the answer. I looked at it, and at first glance I thought something was askew, but it was not.

The code for this project can be downloaded here: runnable-example
As you can see from the results of the run, the future is canceled, but still keeps running. Then it gets interrupted, and breaks. So the question is why is it still running after being canceled.

Here is the Runnable and the main class to execute it:

MyRunnable.java


Main.java


So do you have an answer? The answer is at the bottom of the blog. Don't peek... think!

Reference

Answer

Simply because you have canceled it, and even interrupted it; it is still a running thread. It is not scheduled, so you are not canceling it before execution.

Thursday, October 09, 2014

How do I check if a Class is an instanceof another Class without initializing it?

Illustration: Cathy Wilcox
We had a recent security audit and a question was posed about how to check a Class without doing an instanceof. This turned out to be a great learning experience. There were a couple of issues that needed to be resolved. First, we were loading a Class by passing in its name using something similar to the line below: This will load the Class, but from here how do we check that it is an instanceof without instantiating it?
This can be solved by using isAssignableFrom(Class clazz) as shown below. In this case we are checking if SolientGreen is Green. Some of you will find the moral paradox of being "Green" with Soilent Green.
The second issue is more of a potential security problem. How do we load the Class without initializing it? If the Class has a static initializer, the code is executed when the class is loaded. Alas, this is handled by using a variation of Class.forName(String name, boolean initialize, ClassLoader loader) which takes a boolean to determine if the class should be initialized, and a ClassLoader if you want to specify a specific loader.

Finally, we can check the Class like this: When this is run, you will not see the message. Very nice indeed!

So here is the remaining code for education and entertainment:
The code for the project can be downloaded from Bitbucket here: assignable
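The two steps described above, loading by name without initialization and then checking the type with isAssignableFrom, combined into one runnable class. This is an added example, not the code from the assignable project; the names `AssignableCheck`, `Handler`, `AuditHandler`, `NotAHandler` and `loadChecked` are hypothetical.

```java
public class AssignableCheck {

    // Flipped by AuditHandler's static initializer so the demo can observe it.
    static boolean initializerRan = false;

    interface Handler {
        void handle(String event);
    }

    static class AuditHandler implements Handler {
        static {
            // Code in a static initializer runs when the class is initialized.
            // If the class name is attacker-influenced, this is code you did not choose to run.
            initializerRan = true;
            System.out.println("AuditHandler static initializer ran");
        }

        @Override
        public void handle(String event) {
            System.out.println("audit: " + event);
        }
    }

    static class NotAHandler {
    }

    /**
     * Loads a class by name WITHOUT initializing it and accepts it only if it
     * implements Handler. Nothing from the candidate class executes here.
     */
    static Class<? extends Handler> loadChecked(String className)
            throws ClassNotFoundException {
        ClassLoader loader = AssignableCheck.class.getClassLoader();
        // initialize = false: the class is loaded but its static initializer is not run
        Class<?> candidate = Class.forName(className, false, loader);
        if (!Handler.class.isAssignableFrom(candidate)) {
            throw new IllegalArgumentException(className + " is not a Handler");
        }
        return candidate.asSubclass(Handler.class);
    }

    public static void main(String[] args) throws Exception {
        // Nested classes are named Outer$Inner; built this way it works in any package.
        String prefix = AssignableCheck.class.getName() + "$";

        Class<? extends Handler> accepted = loadChecked(prefix + "AuditHandler");
        System.out.println("accepted " + accepted.getName()
                + ", initializer ran: " + initializerRan);

        try {
            loadChecked(prefix + "NotAHandler");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Initialization happens only now, after the type check has passed.
        Handler handler = accepted.getDeclaredConstructor().newInstance();
        handler.handle("login");
        System.out.println("initializer ran: " + initializerRan);
    }
}
```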

Friday, October 03, 2014

Cassandra Ruby Gem Issues on Mac OS X 10.9.5

I was trying to resolve some issues with building the cassandra gem on Mac OS X 10.9.5. The solution was a multipart solution. You need to build thrift first, which has a known issue, and then build cassandra. This technical tip is very simple. I didn't want to lose it, and I am sure that there are other people out there who will need it.
Note: Please make sure you have updated all the gems in your repository before executing these commands. This will build both required gems.
