Importance of Security

Thursday, December 1st, 2011

Everybody knows web applications are now the de facto standard in daily use. We go even further, as we have more and more mobile devices.
We are building our apps in such a way that we can access them from mobile phones, tablets and even e-book readers.

So nobody should be surprised that companies involved in web standards have published articles focused on web application security.

  • Google: Browser Security Handbook
  • Google: Web Application Exploits and Defenses, part one, part two, part three, part four, part five.
  • A great live, step-by-step tutorial on the Gruyere application. It is challenging.
  • Mozilla: WebAppSec/Secure Coding Guidelines. Here are some quick wins:
    • For all cookies, set the HttpOnly and Secure flags.
    • Make sure login pages are only served over HTTPS and all authenticated pages are only served over HTTPS.
    • Don’t trust any user data (input, headers, cookies etc.). Make sure to validate it before using it.
  • Last but not least, the OWASP site is one of the best security information sites.
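As an added example (not part of the original post or of Mozilla's guidelines), here is a small plain-Java check for the first quick win. It parses Set-Cookie header values, which you could collect from a test client or a proxy capture, and reports every cookie that lacks the HttpOnly or Secure flag. The sample headers in main are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Audits Set-Cookie header values for the HttpOnly and Secure flags.
// Plain JDK, no framework dependency.
public class CookieFlagAudit {

    // Returns the names of the flags that a single Set-Cookie value lacks.
    // Attribute names are case-insensitive (RFC 6265), so compare lower-cased.
    public static List<String> missingFlags(String setCookieValue) {
        boolean httpOnly = false;
        boolean secure = false;
        String[] parts = setCookieValue.split(";");
        // parts[0] is "name=value"; everything after it is an attribute
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("httponly")) {
                httpOnly = true;
            } else if (attr.equals("secure")) {
                secure = true;
            }
        }
        List<String> missing = new ArrayList<String>();
        if (!httpOnly) missing.add("HttpOnly");
        if (!secure) missing.add("Secure");
        return missing;
    }

    // The cookie name is the text before the first '='.
    public static String cookieName(String setCookieValue) {
        int eq = setCookieValue.indexOf('=');
        return (eq < 0 ? setCookieValue : setCookieValue.substring(0, eq)).trim();
    }

    // Runs the check over every Set-Cookie header of one response and returns
    // one finding per cookie that is missing a flag.
    public static List<String> audit(List<String> setCookieHeaders) {
        List<String> findings = new ArrayList<String>();
        for (String header : setCookieHeaders) {
            List<String> missing = missingFlags(header);
            if (!missing.isEmpty()) {
                findings.add(cookieName(header) + " is missing " + missing);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers, as a login response might send them.
        List<String> headers = Arrays.asList(
            "JSESSIONID=5F2A9C; Path=/; HttpOnly; Secure",
            "remember_me=abc123; Path=/; Max-Age=1209600",
            "csrf_token=xyz; Path=/; Secure");
        for (String finding : audit(headers)) {
            System.out.println(finding);
        }
    }
}
```

Only the session cookie in the sample passes; the other two are reported with the flags they lack. The check is deliberately strict about both flags: a cookie without Secure can be sent over plain HTTP even when the login page itself is HTTPS, which is exactly the second quick win above.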

Happy Hacking your apps

Pedro Newsletter 05.09.2011

Sunday, September 4th, 2011


JPA2 Metamodel – how to manage that.

Tuesday, February 22nd, 2011

JPA2 added a new typesafe Criteria API. This allows us to build queries in a strongly-typed manner instead of string-based. To provide such functionality, JPA2 uses the Metamodel API described in JSR-317, Chapter 5.

When the entity manager factory is bootstrapped for a persistence unit, the persistence provider has to initialize the metamodel classes, so these classes have to be accessible. For application developers it is important to be able to generate them easily.

We can automatically generate metamodel classes using the Annotation Processing API. The structure of metamodel classes is described in JSR-317, Chapter 6.2.1.1. Briefly: for every managed class there will be a similar class whose name is the managed class name plus “_”, and for every property there will be a SingularAttribute for non-collection attributes and a CollectionAttribute, SetAttribute, ListAttribute or MapAttribute for Collection, Set, List or Map attributes respectively.
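Added example, not from the original post: a hypothetical Customer/Invoice entity pair, the metamodel classes the annotation processor would generate for them (written out by hand here to show the shape described in JSR-317 chapter 6.2.1.1), and a Criteria query that uses them. It assumes only the JPA 2.0 API (javax.persistence) on the classpath; the entity and method names are made up for the example.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.OneToMany;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Join;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;
import javax.persistence.metamodel.ListAttribute;
import javax.persistence.metamodel.SingularAttribute;
import javax.persistence.metamodel.StaticMetamodel;

// Hypothetical managed classes.
@Entity
class Customer {
    @Id Long id;
    String name;
    @OneToMany List<Invoice> invoices;
}

@Entity
class Invoice {
    @Id Long id;
    int amount;
}

// What the annotation processor generates for Customer (JSR-317, 6.2.1.1):
// same name plus "_", a SingularAttribute per non-collection property and a
// ListAttribute for the List property. Written out by hand here only to show
// the shape; in a real build these classes are generated, never typed in.
@StaticMetamodel(Customer.class)
abstract class Customer_ {
    public static volatile SingularAttribute<Customer, Long> id;
    public static volatile SingularAttribute<Customer, String> name;
    public static volatile ListAttribute<Customer, Invoice> invoices;
}

@StaticMetamodel(Invoice.class)
abstract class Invoice_ {
    public static volatile SingularAttribute<Invoice, Long> id;
    public static volatile SingularAttribute<Invoice, Integer> amount;
}

public class TypesafeCriteriaExample {

    // Query built from the metamodel rather than a JPQL string: a misspelled
    // attribute or a value of the wrong type is a compile error, and the
    // caller-supplied values travel as bound parameters, never as query text.
    public static List<Customer> customersWithInvoicesAtLeast(EntityManager em,
                                                              String customerName,
                                                              int minAmount) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Customer> query = cb.createQuery(Customer.class);
        Root<Customer> customer = query.from(Customer.class);
        Join<Customer, Invoice> invoice = customer.join(Customer_.invoices);

        ParameterExpression<String> nameParam = cb.parameter(String.class, "name");
        ParameterExpression<Integer> amountParam = cb.parameter(Integer.class, "minAmount");

        query.select(customer).distinct(true)
             .where(cb.equal(customer.get(Customer_.name), nameParam),
                    cb.ge(invoice.get(Invoice_.amount), amountParam));

        return em.createQuery(query)
                 .setParameter(nameParam, customerName)
                 .setParameter(amountParam, minAmount)
                 .getResultList();
    }
}
```

Renaming Customer.name to Customer.fullName regenerates Customer_ with a fullName attribute, and the query above stops compiling until it is updated; with a JPQL string the same rename would only fail at runtime.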

Thanks to the metamodel classes we can write queries which are type safe and, probably more important, we can refactor easily. That’s the theory; in practice the IDE has to have access to the metamodel classes, so the question arises how to manage these classes. I was wondering about three options here:

  1. Keep generated metamodel as normal code and commit into repository.
  2. Use external tool to generate metamodel and include results as IDE sources.
  3. Use IDE support, if exists.

The first solution is portable: no IDE configuration, no problems between different IDEs and so on. The disadvantage is that we have to remember to regenerate the metamodel classes after we change our code and then commit the metamodel into the repository. Obviously we break the version control rule “don’t commit generated files”.

The second one assumes that you are using some kind of build tool (e.g. Maven). Then we can set up a generation step in that tool (for Maven it is maven-processor-plugin) and point our IDE at those generated sources. The bad thing is that we have to run the tool, otherwise we don't have an up-to-date metamodel.

The third one is to use your IDE for that. Sadly the configuration isn’t automatic and every IDE has its own way to do this. The article JPA 2.0 Typesafe Criteria API and Annotation Processing Howto describes how to do this in IntelliJ IDEA.

Both the second and the third solution have one additional flaw: you have to specify which annotation processor you want to use, and that ties you to the JPA provider implementation.

Here are the annotation processor names:

  • EclipseLink: org.eclipse.persistence.internal.jpa.modelgen.CanonicalModelProcessor
  • Hibernate: org.hibernate.jpamodelgen.JPAMetaModelEntityProcessor
  • OpenJPA: org.apache.openjpa.persistence.meta.AnnotationProcessor6

We can find processor parameters and switches in the Javadocs. In the EclipseLink case the processor is in an internal package, which makes finding its parameters and switches a little bit harder, but we can check the source code or use Google.

I try to use the third one, and the second one as a fallback for people who use a different IDE than IntelliJ, but I’m not happy with that solution.

How do you process JPA2 metamodel classes?


Spring Template Objects Testing

Monday, February 21st, 2011

My friend asked me how we should test this piece of code:

public void fire(final NotificationMessage message) {
  jmsTemplate.send(new MessageCreator() {
    @Override
    public Message createMessage(Session session) throws JMSException {
      return session.createObjectMessage(message);
    }
  });
}

Mocks, stubs and argument matchers are not successful here. Of course we can mock jmsTemplate and verify that the send method was executed, but this way we only test whether the Spring Framework works properly. Should we leave this to an integration test?

Of course not; our business part is session.createObjectMessage(message). We have to change our code. First of all, we provide a second method:

public void fire(final NotificationMessage message) {
  this.fire(message, getMessageCreator(message));
}
public|protected| void fire(final NotificationMessage message, MessageCreator mc) {
  jmsTemplate.send(mc);
}

These two methods are easily testable using mocks and verifying object interactions. We can decide about the method modifier:

  • public – if we want the second method to be available in our API.
  • protected – for future subclass usage.
  • package-private (no modifier) – for use within the package.
  • or even private.

Finally we have to decide about getMessageCreator(message).

  1. Provide a factory method for it: MessageCreator getMessageCreator(NotificationMessage message);
    MessageCreator getMessageCreator(final NotificationMessage message) {
      return new MessageCreator() {
        @Override
        public Message createMessage(Session session) throws JMSException {
          return session.createObjectMessage(message);
        }
      };
    }
    
  2. Create a class which implements the MessageCreator interface:
    public class NotificationMessageCreator implements MessageCreator {
        private final NotificationMessage message;
    
        public NotificationMessageCreator(NotificationMessage message) {
            this.message = message;
        }
        @Override
        public Message createMessage(Session session) throws JMSException {
            return session.createObjectMessage(message);
        }
    }
    

I think both approaches are OK, so choose the one that is better for you.
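Added example (not the post's own code): the refactored service with option 2's NotificationMessageCreator, and a unit test for both halves using mocks. It assumes JUnit 4, Mockito and Spring JMS on the classpath. NotificationSender and the NotificationMessage payload class are hypothetical stand-ins, since the post does not show them, and the second fire method is left package-private so the test in the same package can pass its own creator.

```java
import static org.junit.Assert.assertSame;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import java.io.Serializable;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.junit.Test;
import org.springframework.jms.core.JmsTemplate;
import org.springframework.jms.core.MessageCreator;

// Hypothetical payload class standing in for the post's NotificationMessage.
// It must be Serializable because it goes into an ObjectMessage.
class NotificationMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final String orderId;
    NotificationMessage(String orderId) { this.orderId = orderId; }
}

// Option 2 from the post: the anonymous MessageCreator extracted into a class.
class NotificationMessageCreator implements MessageCreator {
    private final NotificationMessage message;
    NotificationMessageCreator(NotificationMessage message) { this.message = message; }

    @Override
    public Message createMessage(Session session) throws JMSException {
        return session.createObjectMessage(message);
    }
}

// Hypothetical service after the refactoring: fire(message) delegates to
// fire(message, mc), which is the only place that touches the template.
class NotificationSender {
    private final JmsTemplate jmsTemplate;
    NotificationSender(JmsTemplate jmsTemplate) { this.jmsTemplate = jmsTemplate; }

    public void fire(NotificationMessage message) {
        fire(message, new NotificationMessageCreator(message));
    }

    // package-private so a test in the same package can inject its own creator
    void fire(NotificationMessage message, MessageCreator mc) {
        jmsTemplate.send(mc);
    }
}

public class NotificationSenderTest {

    // The business part: the creator must ask the session for an ObjectMessage
    // wrapping exactly our payload, and return what the session gives back.
    @Test
    public void creatorWrapsPayloadInObjectMessage() throws JMSException {
        NotificationMessage payload = new NotificationMessage("order-42");
        Session session = mock(Session.class);
        ObjectMessage expected = mock(ObjectMessage.class);
        when(session.createObjectMessage(payload)).thenReturn(expected);

        Message actual = new NotificationMessageCreator(payload).createMessage(session);

        assertSame(expected, actual);
        verify(session).createObjectMessage(payload);
    }

    // The wiring part: fire hands whatever creator it is given to the template.
    @Test
    public void fireHandsCreatorToTemplate() {
        JmsTemplate template = mock(JmsTemplate.class);
        MessageCreator creator = mock(MessageCreator.class);

        new NotificationSender(template).fire(new NotificationMessage("order-42"), creator);

        verify(template).send(creator);
    }
}
```

Neither test needs a JMS broker or a Spring context: the first one exercises the only line of real logic against a mocked Session, and the second one checks the delegation that the original anonymous class made impossible to observe.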

Of course you may argue that you don’t need a unit test, because you will have an integration test for that part of the code. Unfortunately integration tests are slow and from time to time they fail, so for a simple check I prefer a unit test.

Summary

We use a lot of Spring Template Object helpers, and most of the time we are tempted to create an anonymous class in place. This way we make our code hard to unit test. Consider this approach to make your code easier to test and maintain. What do you think about that?


Spring Data – Redis – tutorial

Sunday, January 30th, 2011

The Spring Data project provides a solution for accessing data stored in new, emerging technologies like NoSQL databases, cloud-based services etc. When we look into the SpringSource git repository we see a lot of spring-data projects:

  • spring-data-commons: common interfaces and utility classes for the other spring-data projects.
  • spring-data-column: support for column-based databases. It has not started yet, but there will be support for Cassandra and HBase.
  • spring-data-document: support for document databases. Currently MongoDB and CouchDB are supported.
  • spring-data-graph: support for graph based databases. Currently Neo4j is supported.
  • spring-data-keyvalue: support for key-value databases. Currently Redis and Riak are supported and probably Membase will be supported in future.
  • spring-data-jdbc-ext: JDBC extensions, as example Oracle RAC connection failover is implemented.
  • spring-data-jpa: simplifies JPA based data access layer.

I would like to share with you how you can use Redis. The first step is to download it from the redis.io web page. There is also a useful site, try.redis-db.com, where we can run Redis commands and read a step-by-step tutorial. This tutorial shows us all the structures Redis supports (list, set, sorted set and hashes) and some useful commands. A lot of reputable sites use Redis today.

After downloading and unpacking, we should compile Redis (version 2.2, currently a release candidate, is the preferable one to use since some commands do not work in version 2.0.4).

> make

> sudo make install

Once we run these commands we are all set; we now have the following five commands:

  • redis-benchmark – for benchmarking Redis server
  • redis-check-aof – check the AOF (Aggregate Objective Function) and repair it if needed.
  • redis-check-dump – check rdb files for unprocessable opcodes.
  • redis-cli – Redis client.
  • redis-server – Redis server.

We can test the Redis server:

>redis-server

[1055] 06 Jan 18:19:15 # Warning: no config file specified, using the default config. In order to specify a config file use ‘redis-server /path/to/redis.conf’

[1055] 06 Jan 18:19:15 * Server started, Redis version 2.0.4

[1055] 06 Jan 18:19:15 * The server is now ready to accept connections on port 6379

[1055] 06 Jan 18:19:15 – 0 clients connected (0 slaves), 1074272 bytes in use

and the Redis client:

> redis-cli

redis> set my-super-key "my-super-value"

OK

Now we create a simple Java project in order to show how simple the spring-data-redis module essentially is.

> mvn archetype:create -DgroupId=info.pietrowski -DpackageName=info.pietrowski.redis -DartifactId=spring-data-redis -Dpackage=jar

Next we have to add the Spring milestone repository to pom.xml and add spring-data-redis as a dependency; after that all needed dependencies will be fetched.

Next we create a resources folder under the main folder and create application.xml, which will hold all the configuration.

We can configure the JedisConnectionFactory in two different ways. One: we can provide a JedisShardInfo object in the shardInfo property. Two: we can provide the host (default localhost), port (default 6379), password (default empty) and timeout (default 2000) properties. One thing to keep in mind is that the JedisShardInfo object has precedence and allows setting up a weight, but only allows constructor injection.

We can set the factory to use connection pooling by setting the pooling property to ‘true’ (the default).

See the application.xml comments for three different ways of configuration.

Note: there are two different supported libraries, Jedis and JRedis. They have very similar names and both have the same factory name; see the difference (one letter r isn’t enough of a difference for me):

  • org.springframework.data.keyvalue.redis.connection.jedis.JedisConnectionFactory
  • org.springframework.data.keyvalue.redis.connection.jredis.JredisConnectionFactory

Similar to what we do elsewhere in Spring, we configure a template object, providing it with the connection factory. We will perform all operations through this template object. By default we need to provide only the connection factory, but there are more properties we can set:

  • exposeConnection (default false) – whether we return the real connection or a proxy object.
  • keySerializer, hashKeySerializer, valueSerializer, hashValueSerializer (default JdkSerializationRedisSerializer), which delegate serialization to the default Java serialization mechanism.
  • stringSerializer (default StringRedisSerializer), a simple String to byte[] (and back) serializer using UTF-8 encoding.

We are ready to execute some code which will cooperate with the Redis instance. Spring Data provides us with two ways of interaction. The first is by using the execute method and providing a RedisCallback object. The second is by using the *Operations helpers (explained later).

When we are using RedisCallback we have access to the low level Redis commands; see this list of interfaces (I won’t put all the methods here because it is a huge list):

Check the RedisCallbackExample class. This was the hard way, and the problem is that we have to convert our objects into byte arrays in both directions; the second way is easier. Spring Data provides Operations objects for us, so we have a much simpler API and all byte<->object conversion is done by the serializer we set up (or the default one). Higher level API (you will easily recognize the *Operations equivalents of the *Commands):

Most methods take the key as the first parameter, so we have an even better API for multiple operations on the same key:

Check the RedisCallbackExample class to see some easy examples of *Operations usage. One important thing to mention is that you should use the string serializer for keys, otherwise you will have problems with other clients, because standard serialization adds class information. Otherwise you end up with keys like these:

  1. "\xac\xed\x00\x05t\x00\x05atInt"
  2. "\xac\xed\x00\x05t\x00\nmySuperKey"
  3. "\xac\xed\x00\x05t\x00\bsuperKey"
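Added example, not from the post's repository: plain JDK code that reproduces the keys above by running a String through Java serialization (what JdkSerializationRedisSerializer does) and through UTF-8 (what StringRedisSerializer does), rendering the bytes the way redis-cli prints them. The three sample keys are taken from the list above.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.Charset;

// Shows what the default JdkSerializationRedisSerializer does to a key (plain
// Java serialization) versus a UTF-8 string serializer, rendered the way
// redis-cli prints binary keys.
public class RedisKeyEncodingDemo {

    // What a key looks like after Java serialization: a 4-byte stream header
    // (0xACED 0x0005), a TC_STRING tag ('t'), a 2-byte length, then the text.
    // Other Redis clients see this as an opaque binary key, not the string.
    public static byte[] jdkSerialize(String key) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(bytes);
        out.writeObject(key);
        out.flush();
        return bytes.toByteArray();
    }

    // What StringRedisSerializer does: just the UTF-8 bytes.
    public static byte[] utf8(String key) {
        return key.getBytes(Charset.forName("UTF-8"));
    }

    // Renders bytes like redis-cli: printable ASCII as-is, common control
    // characters as C escapes, everything else as \xNN.
    public static String redisCliStyle(byte[] data) {
        StringBuilder sb = new StringBuilder("\"");
        for (byte b : data) {
            int c = b & 0xff;
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                case 7:    sb.append("\\a");  break;   // bell
                case 8:    sb.append("\\b");  break;   // backspace
                default:
                    if (c >= 0x20 && c < 0x7f) {
                        sb.append((char) c);
                    } else {
                        sb.append(String.format("\\x%02x", c));
                    }
            }
        }
        return sb.append('"').toString();
    }

    public static void main(String[] args) throws IOException {
        // Sample keys matching the ones listed above.
        for (String key : new String[] {"atInt", "mySuperKey", "superKey"}) {
            System.out.println("JDK serializer:    " + redisCliStyle(jdkSerialize(key)));
            System.out.println("String serializer: " + redisCliStyle(utf8(key)));
        }
    }
}
```

The JDK-serializer lines reproduce the three keys listed above byte for byte (the length byte 0x0a of mySuperKey shows up as \n and 0x08 of superKey as \b, just as redis-cli prints them), while the string-serializer lines are the plain names; setting keySerializer to the StringRedisSerializer on the template is what gives you the second form.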

Till now we have just checked the Redis API, but Spring Data offers more. All the cool stuff is in the org.springframework.data.keyvalue.redis.support package and its sub-packages. We have:

  • RedisAtomicInteger – Atomic integer (CAS operation) backed by Redis.
  • RedisAtomicLong – Same as previous for Long.
  • RedisList – Redis extension for List, Queue, Deque, BlockingDeque and BlockingQueue with two additional methods List range(start, end) and RedisList trim(start, end).
  • RedisSet – Redis extension for Set with additional methods: diff, diffAndStore, intersect, intersectAndStore, union, unionAndStore.
  • RedisZSet – Redis extension for SortedSet. Note that a Comparator is not applicable here, so this interface extends the normal Set and provides proper methods similar to SortedSet.
  • RedisMap – Redis extension for Map with an additional Long increment(key, delta) method.

Every interface currently has one default implementation. Check application-support.xml for configuration examples and RedisSupportClassesExample for usage examples. There is a lot of useful information in the comments as well.

Summary

The library is a first milestone release, so there are minor bugs, the documentation isn’t as perfect as we are used to, and the current version needs the not-yet-stable Redis server, but this is definitely a great library which allows us to use all this cool NoSQL stuff in a “standard” Spring data-access manner.

Awesome job!

This post is only useful if you check out the code from Bitbucket; for the lazy ones, here is the spring-data-redis zip file as well.


about me

My name is Sebastian Pietrowski. I finished Warsaw University with a Master's degree. During my studies I started working for merlin.pl. The primary language I use is Java, but I have also programmed in Python, Ruby and Scala. I worked as a technical solution architect on the merlin.pl infrastructure when we were moving from PL/SQL to J2EE. I engineered a great performance-optimized solution that made the application 10 times faster than the requirements and 85 times faster than the original solution.

Currently, I am working as a Senior Expert at F. Hoffmann-La Roche to help define the future roadmap in design and development of enterprise software at Roche and Genentech and build adoption for new technologies. I'm continuously mentoring new developers, helping them understand how important test-driven development is and empowering them to get better at their daily job. I'm involved in many activities which bring new technologies for better and faster development. You can find more details on my LinkedIn profile.

But don’t get me wrong, I am not your typical nerd. I'm a pleasant guy you can drink a glass of wine with and talk about a range of topics with. My leisure activities include playing basketball, soccer and listening to music. I try to be pragmatic while staying focused on application performance and tuning, with success in my daily work.

My favorite quote, from Yoda, and my life’s motto is: Do, or do not. There is no try.