What's New Here?


Apache Camel 2.9 Released – Top 10 Changes

On the last day of 2011 the Apache Camel artifacts just managed to be pushed to the central Maven repo, just shy of 1.5 hours before the champagne bottles were cracked and we entered 2012. The 2.9 release is a record-breaking release with about 500 JIRA tickets resolved since 2.8 was released 5 months ago. Here is a breakdown of 10 of the most noticeable improvements and new features:

1. JAR dependencies reduced. The camel-core JAR now only depends on the API from slf4j. On top of that about 15 components no longer depend on Spring JARs. I have previously blogged about this.
2. The Simple language has been overhauled and has a much improved syntax parser, which gives precise error details about what is wrong. You can now also have embedded functions inside functions. And we have unary operators, such as ++ to easily increment counters. I also started experimenting with ternary operators, so expect Conditional and the Elvis operator to be introduced in the future :) I have previously blogged about this.
3. The Bean Component has been much improved as well. Now you can define bindings explicitly in the method name option, to fully decouple your bean code from Camel when using more complicated bindings. Likewise you can pass in values such as literals, numbers, booleans etc. The bean component can now also invoke static methods directly, as well as invoke private class beans if an interface exists. I have previously blogged about this.
4. Splitting big XML files in streaming mode with a low memory footprint is now possible. There is a tokenizer solution that is pure String based, scanning for tokens, and another solution that uses the StAX and JAXB APIs. The former requires no JAXB bindings, as the latter does. I have previously blogged about these two solutions [1] and [2].
5. More cloud components. We now have 2 new AWS components, for Simple Email Service and Simple DB. There is also a new JClouds component.
6. Using request-reply over JMS with fixed reply queues now supports a new exclusive option, which performs faster than the default assumed shared queue. Likewise the JMS consumer supports a new asyncConsumer option, to allow the JMS consumer to leverage the asynchronous non-blocking routing engine. All good stuff that, if enabled, can make JMS go faster under certain use cases.
7. Added a number of new JMX annotations to allow custom components to easily expose custom JMX attributes and operations. We also have JMX load statistics on the ManagedCamelContext MBean, similar to the Unix top command, with average load stats for the last 1, 5 and 15 minutes.
8. The camel-cxf component now supports OSGi Blueprint configuration for CXF-RS as well.
9. There are a number of new Apache Karaf Camel commands for further managing your Camel applications from the command shell.
10. And as usual there are a lot of minor improvements and bug fixes as well. For example the file/ftp components now support sendEmptyMessageWhenIdle to... yeah, send an empty message when there were no files to poll. Likewise the script and language components now more easily allow loading scripts from file/classpath. And the Camel Test Kit now has more juice for swapping endpoints before unit testing, which makes it easier to swap real endpoints with mocks and whatnot without touching your route code in the tests. And we have as usual upgraded to the latest and greatest 3rd party libraries, such as Apache CXF 2.5.1, Groovy 1.8.5, Jackson 1.9.2, AWS 1.2.12, Spring 3.0.6, and JPA2 etc.

You can see more details in the 2.9 release notes, such as details about other improvements and bug fixes. Reference: Apache Camel 2.9 Released – Top 10 Changes from our JCG partner Claus Ibsen at the Claus Ibsen riding the Apache Camel blog....

What is behind System.nanoTime()?

In the Java world there is a very good perception of System.nanoTime(). There are always some guys who say that it is fast, reliable and, whenever possible, should be used for timings instead of System.currentTimeMillis(). They are not lying exactly: it is not bad at all, but there are some drawbacks which a developer should be aware of. Also, although they have a lot in common, these drawbacks are usually platform-specific.

WINDOWS

The functionality is implemented using the QueryPerformanceCounter API, which is known to have some issues. There is a possibility that it can leap forward, some people report that it can be extremely slow on multiprocessor machines, etc. I spent some time on the net trying to find out how exactly QueryPerformanceCounter works and what it does. There is no clear conclusion on that topic, but there are some posts which can give a brief idea of how it works. I would say the most useful are probably that and that one. Sure, one can find more by searching a little, but the info will be more or less the same. So it looks like the implementation uses HPET if it is available. If not, it uses the TSC with some kind of synchronization of the value among CPUs. Interestingly, QueryPerformanceCounter promises to return a value which increases with a constant frequency. It means that in the case of using the TSC and several CPUs it may have difficulties not just with the fact that CPUs may have different TSC values, but also different frequencies. Keeping all that in mind, Microsoft recommends using SetThreadAffinityMask to pin the thread which calls QueryPerformanceCounter to a single processor, which obviously is not happening in the JVM.

LINUX

Linux is very similar to Windows, apart from the fact that it is much more transparent (I managed to download the sources :) ). The value is read from clock_gettime with the CLOCK_MONOTONIC flag (for real men, the source is available in vclock_gettime.c in the Linux source), which uses either the TSC or HPET. The only difference from Windows is that Linux does not even try to sync TSC values read from different CPUs, it just returns them as they are. It means that the value can leap back or jump forward depending on which CPU it is read on. Also, in contrast to Windows, Linux doesn't keep the change frequency constant. On the other hand, it definitely should improve performance. One caveat worth adding: the kernel only selects the TSC as its clocksource when it has judged the TSC to be synchronized and constant-rate across CPUs; where that check fails it marks the TSC unstable and falls back to HPET or another source, and CLOCK_MONOTONIC then stays non-decreasing as its name promises. The OpenJDK code in the appendix relies on that guarantee and applies no correction of its own on Linux.

SOLARIS

Solaris is simple. I believe that via gethrtime it goes to more or less the same implementation of clock_gettime as Linux does. The difference is that on Solaris HotSpot guarantees that the value will not leap back (gethrtime itself can, as the comment in the appendix notes), which is possible on Linux, but it is possible that the same value will be returned again. That guarantee, as can be observed from the source code, is implemented using CAS, which requires syncing with main memory and can be relatively expensive on multi-processor machines. As on Linux, the change rate can vary.

CONCLUSION

The conclusion is kind of cloudy. The developer has to be aware that the function is not perfect: it can leap back or jump forward. It may not change monotonically and the change rate can vary depending on CPU clock speed. Also, it is not as fast as many may think. On my Windows 7 machine in a single-threaded test it is just about 10% faster than System.currentTimeMillis(); in a multi-threaded test, where the number of threads is the same as the number of CPUs, it is just the same. So overall all it gives is an increase in resolution, which may be important for some cases. And as a final note, even when the CPU frequency is not changing, do not think that you can map that value reliably to the system clock, see details here.

APPENDIX

The appendix contains the implementations of the function for different OSes. Source code is from OpenJDK 7.
Solaris

// gethrtime can move backwards if read from one cpu and then a different cpu
// getTimeNanos is guaranteed to not move backward on Solaris
inline hrtime_t getTimeNanos() {
  if (VM_Version::supports_cx8()) {
    const hrtime_t now = gethrtime();
    // Use atomic long load since 32-bit x86 uses 2 registers to keep long.
    const hrtime_t prev = Atomic::load((volatile jlong*)&max_hrtime);
    if (now <= prev) return prev;   // same or retrograde time;
    const hrtime_t obsv = Atomic::cmpxchg(now, (volatile jlong*)&max_hrtime, prev);
    assert(obsv >= prev, "invariant");   // Monotonicity
    // If the CAS succeeded then we're done and return "now".
    // If the CAS failed and the observed value "obs" is >= now then
    // we should return "obs". If the CAS failed and now > obs > prv then
    // some other thread raced this thread and installed a new value, in which case
    // we could either (a) retry the entire operation, (b) retry trying to install now
    // or (c) just return obs. We use (c). No loop is required although in some cases
    // we might discard a higher "now" value in deference to a slightly lower but freshly
    // installed obs value. That's entirely benign -- it admits no new orderings compared
    // to (a) or (b) -- and greatly reduces coherence traffic.
    // We might also condition (c) on the magnitude of the delta between obs and now.
    // Avoiding excessive CAS operations to hot RW locations is critical.
    // See http://blogs.sun.com/dave/entry/cas_and_cache_trivia_invalidate
    return (prev == obsv) ? now : obsv ;
  } else {
    return oldgetTimeNanos();
  }
}

Linux

jlong os::javaTimeNanos() {
  if (Linux::supports_monotonic_clock()) {
    struct timespec tp;
    int status = Linux::clock_gettime(CLOCK_MONOTONIC, &tp);
    assert(status == 0, "gettime error");
    jlong result = jlong(tp.tv_sec) * (1000 * 1000 * 1000) + jlong(tp.tv_nsec);
    return result;
  } else {
    timeval time;
    int status = gettimeofday(&time, NULL);
    assert(status != -1, "linux error");
    jlong usecs = jlong(time.tv_sec) * (1000 * 1000) + jlong(time.tv_usec);
    return 1000 * usecs;
  }
}

Windows

jlong os::javaTimeNanos() {
  if (!has_performance_count) {
    return javaTimeMillis() * NANOS_PER_MILLISEC; // the best we can do.
  } else {
    LARGE_INTEGER current_count;
    QueryPerformanceCounter(&current_count);
    double current = as_long(current_count);
    double freq = performance_frequency;
    jlong time = (jlong)((current/freq) * NANOS_PER_SEC);
    return time;
  }
}

Reference: What is behind System.nanoTime()? from our JCG partner Stanislav Kobylansky at the Stas’s blog.

Related links:
Inside the Hotspot VM: Clocks, Timers and Scheduling Events
Beware of QueryPerformanceCounter()
Implement a Continuously Updating, High-Resolution Time Provider for Windows
Game Timing and Multicore Processors
High Precision Event Timer (Wikipedia)
Time Stamp Counter (Wikipedia)...
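The two claims in the conclusion above (that nanoTime() can step backwards as a thread migrates between CPUs, and that it is not much cheaper than currentTimeMillis() once every CPU is calling it) are easy to probe on your own machine. The following program is an added example written for this page, not code from the original post: it counts retrograde readings seen by one thread and measures the average cost per call with one thread and with as many threads as CPUs. The sample count, the class name and the use of a thread pool are my own choices; it needs Java 8 or later for the lambda.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicLong;

// Added example (not from the original post): probes System.nanoTime() for
// backward steps and compares its per-call cost with System.currentTimeMillis().
public class NanoTimeProbe {

    // Samples per thread; an assumption, adjust for your machine.
    private static final int SAMPLES = 20_000_000;

    /** Counts strictly retrograde readings seen by one thread calling nanoTime() back to back. */
    static long countBackwardSteps(int samples) {
        long backwards = 0;
        long prev = System.nanoTime();
        for (int i = 0; i < samples; i++) {
            long now = System.nanoTime();
            if (now < prev) backwards++;   // the scheduler may have moved us to another CPU
            prev = now;
        }
        return backwards;
    }

    /** Average cost in nanoseconds of one call, with nThreads threads calling concurrently. */
    static double nsPerCall(int nThreads, int samples, boolean useNanoTime) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(nThreads);
        CountDownLatch start = new CountDownLatch(1);
        AtomicLong sink = new AtomicLong();   // consumes the results so the JIT cannot drop the calls
        Callable<Long> task = () -> {
            start.await();                    // all threads start hammering the clock together
            long acc = 0;
            long t0 = System.nanoTime();
            for (int i = 0; i < samples; i++) {
                acc += useNanoTime ? System.nanoTime() : System.currentTimeMillis();
            }
            long elapsed = System.nanoTime() - t0;
            sink.addAndGet(acc);
            return elapsed;
        };
        List<Future<Long>> futures = new ArrayList<>();
        for (int i = 0; i < nThreads; i++) futures.add(pool.submit(task));
        start.countDown();
        long total = 0;
        for (Future<Long> f : futures) total += f.get();
        pool.shutdown();
        return (double) total / ((long) nThreads * samples);
    }

    public static void main(String[] args) throws Exception {
        int cpus = Runtime.getRuntime().availableProcessors();
        System.out.println("backward steps seen: " + countBackwardSteps(SAMPLES));
        for (int threads : new int[] {1, cpus}) {
            System.out.printf("%d thread(s): nanoTime %.1f ns/call, currentTimeMillis %.1f ns/call%n",
                    threads,
                    nsPerCall(threads, SAMPLES, true),
                    nsPerCall(threads, SAMPLES, false));
        }
    }
}
```

Run it twice and read the second run, so the JIT has compiled both loops before the numbers you look at; on a modern Linux kernel with a stable TSC the backward-step count should stay at zero, which is the monotonicity guarantee HotSpot relies on there. Code that derives security decisions from elapsed time (token expiry, lockout windows, rate limits) should use the monotonic clock rather than currentTimeMillis(), whose value an NTP step or an administrator can move.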

PopupMenu in JavaFX 2

Creating Popup Menus

To create a popup menu in JavaFX you can use the ContextMenu class. You add MenuItems to it and can also create visual separators using SeparatorMenuItem. In the example below I’ve opted to subclass ContextMenu and add the MenuItems in its constructor.

public class AnimationPopupMenu extends ContextMenu{
    public AnimationPopupMenu() {
        (...)

        getItems().addAll(
            MenuItemBuilder.create()
                .text(ADD_PARTICLE)
                .graphic(createIcon(...))
                .onAction(new EventHandler() {
                    @Override
                    public void handle(ActionEvent actionEvent) {
                        // some code that gets called when the user clicks the menu item
                    }
                })
                .build(),
            (...)

            SeparatorMenuItemBuilder.create().build(),
            MenuItemBuilder.create()
                .text(ADD_DISTANCE_MEASURER)
                .onAction(new EventHandler() {
                    @Override
                    public void handle(ActionEvent actionEvent) {
                        // Some code that will get called when the user clicks the menu item
                    }
                })
                .graphic(createIcon(...))
                .build(),
            (...)
        );
    }

Line 5: I get the Collection of children of the ContextMenu and call addAll to add the MenuItems;
Line 6: Uses the MenuItem builder to create a MenuItem;
Line 7: Passes in the text of the menu item. Variable ADD_PARTICLE is equal to “Add Particle”;
Line 8: Calls graphic, which receives the menu item icon returned by createIcon:

ImageView createIcon(URL iconURL) {
    return ImageViewBuilder.create()
        .image(new Image(iconURL.toString()))
        .build();
}

Line 9: onAction receives the event handler which will be called when the user clicks the menu item;
Line 15: Finally the MenuItem gets created by executing build() on the MenuItemBuilder class;
Line 18: Creates the separator which you can see in the figure at the start of this post. It’s the dotted line between “Add Origin” and “Add Distance Measurer”;
The other lines of code just repeat the same process to create the rest of the menu items.

Using JavaFX Popup Menus inside JFXPanel

If you are embedding a JavaFX scene in a Swing app you’ll have to do some extra steps manually; if you don’t, there won’t be hover animations on the popup menu and it won’t get dismissed automatically when the user clicks outside of it. There is a fix targeted at JavaFX 3.0 for this – http://javafx-jira.kenai.com/browse/RT-14899

First you’ll have to request the focus on the JavaFX container so that the popup gets hover animations and gets dismissed when you click outside your app window. In my case I pass a reference to the JavaFX Swing container to the constructor of the popup menu, then I’ve overridden the show method of ContextMenu so as to request the focus on the Swing container before actually showing the popup:

public void show(Node anchor, MouseEvent event) {
    wrapper.requestFocusInWindow();
    super.show(anchor, event.getScreenX(), event.getScreenY());
}

And lastly you’ll also have to dismiss the popup when the user clicks inside the JavaFX scene but outside of the popup, by calling hide(). I almost forgot.. thanks to Martin Sladecek (Oracle JavaFX team) for giving me some pointers. Reference: PopupMenu in JavaFX 2 from our JCG partner Pedro Duque Vieira at the Pixel Duke blog....
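The snippets above are fragments of the author’s application. The following is an added, self-contained example written for this page (not the author’s code) that puts the same pieces together in one runnable JavaFX application: a ContextMenu with two items and a separator, shown at the pointer on a context-menu request, plus the explicit hide() on a click inside the scene that the JFXPanel case requires. It uses the plain MenuItem and SeparatorMenuItem constructors rather than the builder classes, and the item labels and the window size are my own choices. In a stand-alone JavaFX window the popup already auto-hides on an outside click, so the mouse handler only matters when the scene is embedded in Swing.

```java
import javafx.application.Application;
import javafx.event.ActionEvent;
import javafx.event.EventHandler;
import javafx.scene.Scene;
import javafx.scene.control.ContextMenu;
import javafx.scene.control.MenuItem;
import javafx.scene.control.SeparatorMenuItem;
import javafx.scene.input.ContextMenuEvent;
import javafx.scene.input.MouseEvent;
import javafx.scene.layout.Pane;
import javafx.stage.Stage;

// Added example (not from the original post): a complete popup-menu application.
public class PopupMenuDemo extends Application {

    /** Builds a menu with the same shape as the post's: item, separator, item. */
    static ContextMenu createMenu() {
        final ContextMenu menu = new ContextMenu();

        MenuItem addParticle = new MenuItem("Add Particle");
        addParticle.setOnAction(new EventHandler<ActionEvent>() {
            @Override public void handle(ActionEvent e) { System.out.println("add particle"); }
        });

        MenuItem addMeasurer = new MenuItem("Add Distance Measurer");
        addMeasurer.setOnAction(new EventHandler<ActionEvent>() {
            @Override public void handle(ActionEvent e) { System.out.println("add distance measurer"); }
        });

        // SeparatorMenuItem draws the dotted line between the two entries.
        menu.getItems().addAll(addParticle, new SeparatorMenuItem(), addMeasurer);
        return menu;
    }

    @Override
    public void start(Stage stage) {
        final Pane canvas = new Pane();
        final ContextMenu menu = createMenu();

        // Right-click (or the context-menu key) shows the popup at the pointer's screen position.
        canvas.setOnContextMenuRequested(new EventHandler<ContextMenuEvent>() {
            @Override public void handle(ContextMenuEvent e) {
                menu.show(canvas, e.getScreenX(), e.getScreenY());
            }
        });

        // The manual dismissal the post describes for JFXPanel: a primary-button press
        // inside the scene but outside the popup hides it.
        canvas.setOnMousePressed(new EventHandler<MouseEvent>() {
            @Override public void handle(MouseEvent e) {
                if (menu.isShowing() && e.isPrimaryButtonDown()) menu.hide();
            }
        });

        stage.setTitle("PopupMenuDemo");
        stage.setScene(new Scene(canvas, 400, 300));
        stage.show();
    }

    public static void main(String[] args) {
        launch(args);
    }
}
```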

OAuth with Spring Security

From Wikipedia: OAuth (Open Authorization) is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password. Keep that distinction in mind throughout: OAuth delegates access to a resource, it does not by itself tell the resource server who the user is, and treating an access token as proof of identity is a common mistake. There are a lot of posts talking about OAuth from the client side, for example how to connect to service providers like Twitter or Facebook, but there are fewer posts about OAuth from the server side, more specifically how to implement an authorization mechanism using OAuth for protecting resources, and not for accessing them (the client-side part). In this post I will talk about how to protect your resources using Spring Security (Spring Security OAuth). The example will be simple enough to understand the basics of implementing an OAuth service provider. I have found this post that explains with a simple example what OAuth is and how it works. I think it is a good starting point with OAuth: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/

Now it is time to start writing our service provider. First of all I will explain what our Service Provider will offer. Imagine you are developing a website (called CV) where users will register and after that will be able to upload their Curriculum Vitae. Now we are going to transform this website into a Service Provider where OAuth will be used for protecting resources (the Curriculum Vitae of registered users). Imagine again that some companies have agreed with the CV people that when they publish job vacancies, users will have the possibility of uploading their curriculum directly from the CV site to the HR department instead of sending it by email or copy & pasting from a document. As you can see, this is where OAuth starts managing security between the CV website and the company HR site. In summary we have a Curriculum Vitae Service Provider (CV) with a protected resource (the document itself). Companies that offer users the possibility of acquiring their Curriculum Vitae directly from CV are the Consumers. So when a user visits a company’s job vacancies (in our example called fooCompany) and wants to apply for a job, he only has to authorize the FooCompany “Job Vacancies” website with permission to download his Curriculum Vitae from the CV site.

Because we will use Spring Security for OAuth authorization, first of all we are going to configure Spring Security in the Spring MVC CV application. Nothing special here. In web.xml we define the security filter:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

And in root-context.xml we define the protected resources and the authentication manager. In this case an in-memory approach is used (a plaintext in-memory user is fine for a demo, not for a deployment):

<http auto-config='true'>
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>
<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="leonard" password="nimoy" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

Next step, create a Spring controller that returns the Curriculum Vitae of the logged-in user:

@RequestMapping(value="/cvs", method=RequestMethod.GET)
@ResponseBody
public String loadCV() {
    StringBuilder cv = new StringBuilder();
    cv.append("Curriculum Vitae -- Name: ").append(getUserName()).append(" Experience: Java, Spring Security, ...");
    return cv.toString();
}

private String getUserName() {
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    String username;
    if (principal instanceof UserDetails) {
        username = ((UserDetails) principal).getUsername();
    } else {
        username = principal.toString();
    }
    return username;
}

This controller returns a String directly, instead of a ModelAndView object.
This String is sent directly as the HttpServletResponse body. Now we have a simple website that returns the Curriculum Vitae of the logged-in user. If you try to access the /cvs resource and you are not authenticated, Spring Security will show you a login page; if you are already logged in, your job experience will be returned. It works like any other website that uses Spring Security. The next step is modifying this project to allow external sites to access the protected resources using the OAuth 2 authorization protocol. In root-context.xml:

<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
  <beans:property name="supportRefreshToken" value="true" />
</beans:bean>
<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
  <oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>
<oauth:client-details-service id="clientDetails">
  <oauth:client clientId="foo" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>

The first bean is an OAuth2ProviderTokenServices interface implementation with id tokenServices. The OAuth2ProviderTokenServices interface defines the operations necessary to manage OAuth 2.0 tokens. These tokens must be stored so that a later request presenting an access token can be matched back to the grant that produced it. For this example an in-memory store is enough.

The next bean is <oauth:provider>. This tag is used to configure the OAuth 2.0 provider mechanism, and in this case three parameters are configured: the first is a reference to the bean that defines the client details service, explained in the next paragraph; the second is the token service for providing tokens, explained in the previous paragraph; and the last is the URL at which a request for user approval will be serviced. This is the typical Authorize/Deny page where the service provider asks the user whether the Consumer (in our case fooCompany) may access the protected resource (the user’s Curriculum Vitae).

The last bean is <oauth:client-details-service>. In this tag you define which clients are authorized to access protected resources after the user’s approval. In this case, because the CV company has agreed with foo company that they can connect to its Curriculum Vitae service, a client is defined with id foo. Note what this minimal registration leaves out: there is no client secret and no registered redirect URI. That is acceptable for a localhost demo, but a real provider should require both, because the registered redirect URI is what stops an authorization code from being delivered to a URI of an attacker’s choosing, and the secret is what binds the code exchange to the client the code was issued to.

Now we have our application configured with OAuth. The last step is creating a controller for handling requests to the /oauth/confirm_access URL.

private ClientAuthenticationCache authenticationCache = new DefaultClientAuthenticationCache();
private ClientDetailsService clientDetailsService;

@RequestMapping(value="/oauth/confirm_access")
public ModelAndView accessConfirmation(HttpServletRequest request, HttpServletResponse response) {
    ClientAuthenticationToken clientAuth = getAuthenticationCache().getAuthentication(request, response);
    if (clientAuth == null) {
        throw new IllegalStateException("No client authentication request to authorize.");
    }
    ClientDetails client = getClientDetailsService().loadClientByClientId(clientAuth.getClientId());
    TreeMap<String, Object> model = new TreeMap<String, Object>();
    model.put("auth_request", clientAuth);
    model.put("client", client);
    return new ModelAndView("access_confirmation", model);
}

This controller returns a ModelAndView object with the client information and the page that should be shown for granting permission to the protected resources. This JSP page is called access_confirmation.jsp and the most important part is:

<div id="content">
  <% if (session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) != null
         && !(session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof UnapprovedClientAuthenticationException)) { %>
    <div class="error">
      <p>Access could not be granted. (<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)</p>
    </div>
  <% } %>
  <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/>
  <authz:authorize ifAllGranted="ROLE_USER">
    <h2>Please Confirm</h2>
    <p>You hereby authorize <c:out value="${client.clientId}"/> to access your protected resources.</p>
    <form id="confirmationForm" name="confirmationForm" action="<%=request.getContextPath() + VerificationCodeFilter.DEFAULT_PROCESSING_URL%>" method="post">
      <input name="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_REQUEST_PARAMETER%>" value="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_PARAMETER_VALUE%>" type="hidden"/>
      <label><input name="authorize" value="Authorize" type="submit"/></label>
    </form>
    <form id="denialForm" name="denialForm" action="<%=request.getContextPath() + VerificationCodeFilter.DEFAULT_PROCESSING_URL%>" method="post">
      <input name="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_REQUEST_PARAMETER%>" value="not_<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_PARAMETER_VALUE%>" type="hidden"/>
      <label><input name="deny" value="Deny" type="submit"/></label>
    </form>
  </authz:authorize>
</div>

As you can see, Spring Security OAuth provides helper classes for creating the confirmation form and the deny form. When the form is submitted, the URL /cv/oauth/user/authorize (internally managed) is called; there the provider decides, depending on the option the user chose, whether to issue an authorization code to the client. The client then exchanges that code for an access token and presents the token to fetch the protected resource (the String returned by loadCV()); the approval page itself never returns the resource. Note also that the two forms above carry nothing but the approval parameter: Spring Security of this generation adds no anti-CSRF token for you, so in a real deployment the approval POST needs one, otherwise another site could submit an approval on behalf of a logged-in user.

And that’s all about creating an OAuth 2 system using Spring Security OAuth. But I suppose you are wondering how to test it, so for the same price I will explain how to write the client part (Consumer) using Spring Security OAuth too. The client application (called fooCompany) is also a Spring MVC web application with Spring Security. The Spring Security part will be ignored here.
The client application contains a home page (home.jsp) with a link to a Spring controller that is responsible for downloading the Curriculum Vitae from the CV site and passing the content to a view (show.jsp).

@RequestMapping(value="/cv")
public ModelAndView getCV() {
    String cv = cvService.getCVContent();
    Map<String, String> params = new HashMap<String, String>();
    params.put("cv", cv);
    return new ModelAndView("show", params);
}

As you can see it is a simple controller that calls a Curriculum Vitae service. This service is responsible for connecting to the CV website and downloading the required Curriculum Vitae. Of course it deals with the OAuth protocol too. The service looks like this:

public String getCVContent() {
    byte[] content = getCvRestTemplate().getForObject(URI.create(cvURL), byte[].class);
    return new String(content);
}

The suggested method for accessing those resources is REST. For this purpose Spring Security OAuth provides an extension of RestTemplate for dealing with the OAuth protocol. This class (OAuth2RestTemplate) manages the connection to the required resources and also manages tokens, the OAuth authorization protocol, ... OAuth2RestTemplate is injected into CVService, and it is configured in root-context.xml:

<oauth:client token-services-ref="oauth2TokenServices" />
<beans:bean id="oauth2TokenServices" class="org.springframework.security.oauth2.consumer.token.InMemoryOAuth2ClientTokenServices" />
<oauth:resource id="cv" type="authorization_code" clientId="foo"
    accessTokenUri="http://localhost:8080/cv/oauth/authorize"
    userAuthorizationUri="http://localhost:8080/cv/oauth/user/authorize" />
<beans:bean id="cvService" class="org.springsource.oauth.CVServiceImpl">
  <beans:property name="cvURL" value="http://localhost:8080/cv/cvs"></beans:property>
  <beans:property name="cvRestTemplate">
    <beans:bean class="org.springframework.security.oauth2.consumer.OAuth2RestTemplate">
      <beans:constructor-arg ref="cv"/>
    </beans:bean>
  </beans:property>
  <beans:property name="tokenServices" ref="oauth2TokenServices"></beans:property>
</beans:bean>

See that OAuth2RestTemplate is created using an OAuth resource that contains all the information about where to connect for authorizing access to the protected resource, in this case the CV website; note that we are referencing an external website, although in this example we are using localhost. Also the service provider URL (http://localhost:8080/cv/cvs) is set, so the RestTemplate can establish a connection to the content provider and, if the authorization process ends successfully, retrieve the requested information. <oauth:resource> defines the OAuth resource, in this case with the name of the client (remember that this value was configured on the server side in the client details tag for granting access via the OAuth protocol). Also userAuthorizationUri is defined. This is the URI to which the user will be redirected whenever the user needs to authorize access to the resource (an internal URI managed by Spring Security OAuth). And finally accessTokenUri, the OAuth provider endpoint that issues the access token (an internal URI too). Both endpoints are plain http://localhost here; outside a demo the authorization and token endpoints must be served over TLS, because the authorization code, the access token and (with supportRefreshToken enabled) the refresh token all travel over them.

Creating a consumer using Spring Security OAuth is also simple enough. Now I will explain the sequence of events that happens when a user wants to give foo company access to retrieve his Curriculum Vitae. First of all the user connects to the foo website and clicks on the post curriculum vitae link. Then the getCV method of the controller is called. This method calls cvService, which in turn opens a connection to the resource URI (CV) using OAuth2RestTemplate. From the client side this class acts as a black box: you don’t see exactly what it does, but it returns your Curriculum Vitae stored on the CV website. As you can imagine, this class manages the whole OAuth workflow, such as managing tokens and executing the required redirects to obtain permission, ... and if all steps are performed successfully, the Curriculum Vitae stored on the CV site will be sent to the foo company site. And those are all the steps required to allow your site to act as a Service Provider using the OAuth 2 authorization protocol. Thanks to the Spring Security folks, it is much easier than you may think at first. Hope you find it useful. Download ServerSide (CV) Download ClientSide (fooCompany) Reference: OAuth with Spring Security from our JCG partner Alex Soto at the One Jar To Rule Them All blog....
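The Spring configuration above hides what the provider actually checks when the approval form is submitted and when the client later calls accessTokenUri. The following is an added example written for this page, not code from the original post or from Spring Security OAuth: a small in-memory model of the authorization_code grant on the provider side, showing the checks that make the grant safe (the code is random, short-lived and single use; the redirect URI must match the registered one exactly; the code can only be redeemed by the client it was issued to, with its secret). The client id foo and the user leonard come from the post; the secret, the callback URI under http://localhost:8080/fooCompany/ and the sixty-second code lifetime are assumptions. Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the post, not Spring Security OAuth code): the provider-side
// checks behind the authorization_code grant. Client secret, redirect URI and lifetime
// are assumed values chosen for this illustration.
public class AuthCodeProvider {

    static final class Client {
        final String id, secret, redirectUri;
        Client(String id, String secret, String redirectUri) {
            this.id = id; this.secret = secret; this.redirectUri = redirectUri;
        }
    }

    static final class AuthCode {
        final String clientId, redirectUri, user;
        final long expiresAt;
        AuthCode(String clientId, String redirectUri, String user, long expiresAt) {
            this.clientId = clientId; this.redirectUri = redirectUri;
            this.user = user; this.expiresAt = expiresAt;
        }
    }

    private static final long CODE_TTL_MS = 60_000L;   // codes are short-lived and single use
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Client> clients = new HashMap<>();
    private final Map<String, AuthCode> codes = new HashMap<>();
    private final Map<String, String> tokens = new HashMap<>();   // access token -> resource owner

    void registerClient(String id, String secret, String redirectUri) {
        clients.put(id, new Client(id, secret, redirectUri));
    }

    private String randomToken() {
        byte[] b = new byte[32];   // 256 bits from a CSPRNG, never a counter or a timestamp
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** User-approval step (where /oauth/confirm_access leads). Returns the code, or null on Deny. */
    String authorize(String clientId, String redirectUri, String user, boolean approved) {
        Client c = clients.get(clientId);
        if (c == null) throw new IllegalArgumentException("unknown client");
        // Exact match against the registered URI: the code is only ever sent where the client registered.
        if (!c.redirectUri.equals(redirectUri)) throw new IllegalArgumentException("redirect_uri mismatch");
        if (!approved) return null;
        String code = randomToken();
        codes.put(code, new AuthCode(clientId, redirectUri, user, System.currentTimeMillis() + CODE_TTL_MS));
        return code;
    }

    /** Token endpoint (accessTokenUri in the client configuration): trade a code for an access token. */
    String token(String clientId, String clientSecret, String code, String redirectUri) {
        Client c = clients.get(clientId);
        if (c == null || !constantTimeEquals(c.secret, clientSecret)) throw new SecurityException("bad client credentials");
        AuthCode ac = codes.remove(code);   // single use: a replayed or guessed code finds nothing
        if (ac == null || ac.expiresAt < System.currentTimeMillis()) throw new SecurityException("invalid or expired code");
        // The code must be redeemed by the client it was issued to, for the redirect URI it was issued with.
        if (!ac.clientId.equals(clientId) || !ac.redirectUri.equals(redirectUri)) throw new SecurityException("code/client mismatch");
        String token = randomToken();
        tokens.put(token, ac.user);
        return token;
    }

    /** Resource-server side of GET /cvs: which user does this bearer token stand for? */
    String userForToken(String token) {
        return tokens.get(token);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return b != null && MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        AuthCodeProvider cv = new AuthCodeProvider();
        String fooRedirect = "http://localhost:8080/fooCompany/cv";   // assumed client callback
        cv.registerClient("foo", "foo-secret", fooRedirect);

        String code = cv.authorize("foo", fooRedirect, "leonard", true);
        String token = cv.token("foo", "foo-secret", code, fooRedirect);
        System.out.println("resource owner for token: " + cv.userForToken(token));

        try { cv.token("foo", "foo-secret", code, fooRedirect); }
        catch (SecurityException e) { System.out.println("replay rejected: " + e.getMessage()); }
        try { cv.authorize("foo", "http://attacker.example/collect", "leonard", true); }
        catch (IllegalArgumentException e) { System.out.println("unregistered redirect rejected: " + e.getMessage()); }
        System.out.println("denied approval yields code: " + cv.authorize("foo", fooRedirect, "leonard", false));
    }
}
```

The happy path prints leonard as the owner of the token; the second redemption of the same code and the unregistered redirect URI are both rejected, and a Deny produces no code. A real provider adds what this model omits: a state parameter echoed back to the client to tie the callback to the request that started it, token expiry, and persistent storage instead of HashMaps.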

Java 7: A complete invokedynamic example

Another blog entry in my current Java 7 series. This time it’s dealing with invokedynamic, a new bytecode instruction on the JVM for method invocation. The invokedynamic instruction allows dynamic linkage between a call site and the receiver of the call. That means you can link the class that is performing a method call to the class (and method) that is receiving the call at run time. All the other JVM bytecode instructions for method invocation, like invokevirtual, hard-wire the target type information into your compilation, i.e. into your class file. Let’s look at an example.

Constant pool:
   #1 = Class              #2             // com/schlimm/bytecode/examples/BytecodeExamples
   ...
  #42 = Class              #43            // java/lang/String
   ...
  #65 = Methodref          #42.#66        // java/lang/String.length:()I
  #66 = NameAndType        #67:#68        // length:()I
  #67 = Utf8               length
  #68 = Utf8               ()I
   ...
{
  ...
  public void virtualMethodCall();
    flags: ACC_PUBLIC
    Code:
      stack=1, locals=1, args_size=1
         0: ldc           #44                 // String Hello
         2: invokevirtual #65                 // Method java/lang/String.length:()I
         5: pop
         6: return
      LineNumberTable:
        line 31: 0
        line 32: 6
      LocalVariableTable:
        Start  Length  Slot  Name   Signature
            0       7     0  this   Lcom/schlimm/bytecode/examples/BytecodeExamples;
}

The bytecode snippet above shows an invokevirtual method call of java.lang.String -> length() (the invokevirtual #65 instruction). It refers to item 65 in the constant pool table, which is a Methodref entry. Items 42 and 66 in the constant pool table refer to the class and the method descriptor entries. As you can see, the target type and method of the invokevirtual call are completely resolved and hard-wired into the bytecode.

Now, let’s return to invokedynamic! It is important to notice that it is not possible to compile Java code into bytecode that contains an invokedynamic instruction. (This holds for the Java 7 compiler; from Java 8 on, javac itself emits invokedynamic for lambda expressions and method references, though still never for an ordinary method call.) Java is statically typed. That means that Java performs type checking at compile time. Therefore, in Java, it is possible (and wanted!) to hard-wire all type information of method call receivers into the caller’s class file. The caller knows the type name of the call target, as demonstrated in our example above. The use of invokedynamic, on the other hand, enables the JVM to resolve exactly that type information at run time. This is only required (and wanted!) for dynamic languages, such as JRuby or Rhino. Now, suppose you want to implement a new language on the JVM that is dynamically typed. I am not suggesting you should invent *another* language on the JVM, but *suppose* you would, and *suppose* your new language should be dynamically typed. That would mean that, in your new language, the linking between a caller and a receiver of a method call is performed at run time. Since Java 7 this is possible at the bytecode level using the invokedynamic instruction. Because I cannot create an invokedynamic instruction using a Java compiler, I will create a class file that contains invokedynamic myself. Once this class file is created I will run that class file’s main method using an ordinary java launcher. How can you create a class file without a compiler? This is possible by using bytecode manipulation frameworks like ASM or Javassist. The following code snippet shows the SimpleDynamicInvokerGenerator that can generate a class file SimpleDynamicInvoker.class which contains an invokedynamic instruction.
import java.io.File;
import java.io.FileOutputStream;
import java.lang.invoke.CallSite;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Handle;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

public abstract class AbstractDynamicInvokerGenerator implements Opcodes {

    public byte[] dump(String dynamicInvokerClassName, String dynamicLinkageClassName,
            String bootstrapMethodName, String targetMethodDescriptor) throws Exception {
        ClassWriter cw = new ClassWriter(0);
        MethodVisitor mv;

        cw.visit(V1_7, ACC_PUBLIC + ACC_SUPER, dynamicInvokerClassName, null, "java/lang/Object", null);
        {
            // default constructor: just calls java.lang.Object.<init>
            mv = cw.visitMethod(ACC_PUBLIC, "<init>", "()V", null, null);
            mv.visitCode();
            mv.visitVarInsn(ALOAD, 0);
            mv.visitMethodInsn(INVOKESPECIAL, "java/lang/Object", "<init>", "()V");
            mv.visitInsn(RETURN);
            mv.visitMaxs(1, 1);
            mv.visitEnd();
        }
        {
            // public static void main(String[]) whose body is a single invokedynamic
            mv = cw.visitMethod(ACC_PUBLIC + ACC_STATIC, "main", "([Ljava/lang/String;)V", null, null);
            mv.visitCode();
            // descriptor the JVM expects of every bootstrap method: (Lookup, String, MethodType) -> CallSite
            MethodType mt = MethodType.methodType(CallSite.class, MethodHandles.Lookup.class, String.class, MethodType.class);
            Handle bootstrap = new Handle(Opcodes.H_INVOKESTATIC, dynamicLinkageClassName, bootstrapMethodName, mt.toMethodDescriptorString());
            int maxStackSize = addMethodParameters(mv);
            mv.visitInvokeDynamicInsn("runCalculation", targetMethodDescriptor, bootstrap);
            mv.visitInsn(RETURN);
            mv.visitMaxs(maxStackSize, 1);
            mv.visitEnd();
        }
        cw.visitEnd();
        return cw.toByteArray();
    }

    // subclasses push the arguments of the dynamic call and return the stack depth they need
    protected abstract int addMethodParameters(MethodVisitor mv);
}

public class SimpleDynamicInvokerGenerator extends AbstractDynamicInvokerGenerator {

    @Override
    protected int addMethodParameters(MethodVisitor mv) {
        return 0;   // the target takes no arguments
    }

    public static void main(String[] args) throws Exception {
        String dynamicInvokerClassName = "com/schlimm/bytecode/SimpleDynamicInvoker";
        FileOutputStream fos = new FileOutputStream(new File("target/classes/" + dynamicInvokerClassName + ".class"));
        try {
            fos.write(new SimpleDynamicInvokerGenerator().dump(dynamicInvokerClassName,
                    "com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample",
                    "bootstrapDynamic", "()V"));
        } finally {
            fos.close();
        }
    }
}

I am using ASM here, an all-purpose Java bytecode manipulation and analysis framework, to do the job of creating a correct class file format. The call to visitInvokeDynamicInsn in main creates the invokedynamic instruction. Generating a class that does an invokedynamic call is only half of the story. You also need some code that links the dynamic call site to the actual target; this is the real purpose of invokedynamic. Here is an example.

import java.lang.invoke.CallSite;
import java.lang.invoke.ConstantCallSite;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

public class SimpleDynamicLinkageExample {

    private static MethodHandle sayHello;

    private static void sayHello() {
        System.out.println("There we go!");
    }

    // Bootstrap method: the JVM calls this once, the first time the invokedynamic instruction executes,
    // and caches the CallSite it returns for every later execution of that instruction.
    public static CallSite bootstrapDynamic(MethodHandles.Lookup caller, String name, MethodType type)
            throws NoSuchMethodException, IllegalAccessException {
        MethodHandles.Lookup lookup = MethodHandles.lookup();
        Class<?> thisClass = lookup.lookupClass();   // (who am I?)
        sayHello = lookup.findStatic(thisClass, "sayHello", MethodType.methodType(void.class));
        return new ConstantCallSite(sayHello.asType(type));
    }
}

The bootstrap method bootstrapDynamic selects the actual target of the dynamic call. In our case the target is the sayHello() method. To learn how the bootstrap method is linked to the invokedynamic instruction we need to dive into the bytecode of SimpleDynamicInvoker that we’ve generated with SimpleDynamicInvokerGenerator.
E:\dev_home\repositories\git\playground\bytecode-playground\target\classes\com\schlimm\bytecode>javap -c -verbose SimpleDynamicInvoker.class
Classfile /E:/dev_home/repositories/git/playground/bytecode-playground/target/classes/com/schlimm/bytecode/SimpleDynamicInvoker.class
  Last modified 30.01.2012; size 512 bytes
  MD5 checksum 401a0604146e2e95f9563e7d9f9d861b
public class com.schlimm.bytecode.SimpleDynamicInvoker
  BootstrapMethods:
    0: #17 invokestatic com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      Method arguments:
  minor version: 0
  major version: 51
  flags: ACC_PUBLIC, ACC_SUPER
Constant pool:
   #1 = Utf8               com/schlimm/bytecode/SimpleDynamicInvoker
   #2 = Class              #1             // com/schlimm/bytecode/SimpleDynamicInvoker
   #3 = Utf8               java/lang/Object
   #4 = Class              #3             // java/lang/Object
   #5 = Utf8               <init>
   #6 = Utf8               ()V
   #7 = NameAndType        #5:#6          // "<init>":()V
   #8 = Methodref          #4.#7          // java/lang/Object."<init>":()V
   #9 = Utf8               main
  #10 = Utf8               ([Ljava/lang/String;)V
  #11 = Utf8               com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample
  #12 = Class              #11            // com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample
  #13 = Utf8               bootstrapDynamic
  #14 = Utf8               (Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
  #15 = NameAndType        #13:#14        // bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
  #16 = Methodref          #12.#15        // com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
  #17 = MethodHandle       #6:#16         // invokestatic com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
  #18 = Utf8               runCalculation
  #19 = NameAndType        #18:#6         // runCalculation:()V
  #20 = InvokeDynamic      #0:#19         // #0:runCalculation:()V
  #21 = Utf8               Code
  #22 = Utf8               BootstrapMethods
{
  public com.schlimm.bytecode.SimpleDynamicInvoker();
    flags: ACC_PUBLIC
    Code:
      stack=1, locals=1, args_size=1
         0: aload_0
         1: invokespecial #8                  // Method java/lang/Object."<init>":()V
         4: return

  public static void main(java.lang.String[]);
    flags: ACC_PUBLIC, ACC_STATIC
    Code:
      stack=0, locals=1, args_size=1
         0: invokedynamic #20,  0             // InvokeDynamic #0:runCalculation:()V
         5: return
}

In the Code section of main you can see the invokedynamic instruction. The logical name of the dynamic method is runCalculation; this is a fictitious name. You can use any name that makes sense, also names like "+" are allowed. The instruction refers to item #20 in the constant pool table. This in turn refers to index 0 in the BootstrapMethods attribute. There you can see the link to the SimpleDynamicLinkageExample.bootstrapDynamic method that links the invokedynamic instruction to the call target. Now if you call the SimpleDynamicInvoker using the java launcher, then the invokedynamic call is executed.

The following sequence diagram illustrates what's happening when the SimpleDynamicInvoker is called using the java launcher.

The first call of runCalculation using invokedynamic issues a call to the bootstrapDynamic method. This method does the dynamic linkage between the calling class (SimpleDynamicInvoker) and the receiving class (SimpleDynamicLinkageExample). The bootstrap method returns a MethodHandle that targets the receiving class. This method handle is cached for repetitive invocations of the runCalculation method. That's all in terms of invokedynamic.
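As an added example (not part of Niklas's post) that makes the "linked once, then cached" behaviour above observable: it generates an invoker class with ASM, defines it in memory instead of writing a .class file, and counts bootstrap versus target invocations while the same call site is executed three times. It assumes ASM 5 or later (five-argument Handle constructor) and the hypothetical class name com/example/GeneratedInvoker.

```java
import java.lang.invoke.CallSite;
import java.lang.invoke.ConstantCallSite;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Handle;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/** Generates a class with one invokedynamic instruction, loads it in memory and runs it repeatedly. */
public class IndyLinkageDemo implements Opcodes {

    // Observation counters: how often the bootstrap ran versus how often the target ran.
    static int bootstrapCalls = 0;
    static int targetCalls = 0;

    // Hypothetical internal name for the generated class (not from the original post).
    static final String INVOKER_NAME = "com/example/GeneratedInvoker";
    // Internal name of this class; it lives in the default package.
    static final String OWNER_NAME = "IndyLinkageDemo";

    /** The eventual target of the dynamic call site. */
    public static void sayHello() {
        targetCalls++;
    }

    /** Bootstrap method: the JVM calls it the first time the call site executes, not on every call. */
    public static CallSite bootstrap(MethodHandles.Lookup caller, String name, MethodType type)
            throws NoSuchMethodException, IllegalAccessException {
        bootstrapCalls++;
        MethodHandle target = MethodHandles.lookup()
                .findStatic(IndyLinkageDemo.class, "sayHello", MethodType.methodType(void.class));
        return new ConstantCallSite(target.asType(type));
    }

    /** Builds a class whose public static run() method consists of a single invokedynamic instruction. */
    static byte[] generateInvoker() {
        ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_MAXS);
        cw.visit(V1_7, ACC_PUBLIC | ACC_SUPER, INVOKER_NAME, null, "java/lang/Object", null);

        MethodVisitor mv = cw.visitMethod(ACC_PUBLIC | ACC_STATIC, "run", "()V", null, null);
        mv.visitCode();
        String bsmDescriptor = MethodType.methodType(CallSite.class,
                MethodHandles.Lookup.class, String.class, MethodType.class).toMethodDescriptorString();
        Handle bsm = new Handle(H_INVOKESTATIC, OWNER_NAME, "bootstrap", bsmDescriptor, false);
        mv.visitInvokeDynamicInsn("runCalculation", "()V", bsm);
        mv.visitInsn(RETURN);
        mv.visitMaxs(0, 0); // real values are computed because of COMPUTE_MAXS
        mv.visitEnd();
        cw.visitEnd();
        return cw.toByteArray();
    }

    /** Defines the generated bytes as a class without touching the file system. */
    static Class<?> defineInvoker(byte[] bytes) {
        return new ClassLoader(IndyLinkageDemo.class.getClassLoader()) {
            Class<?> define() {
                return defineClass(INVOKER_NAME.replace('/', '.'), bytes, 0, bytes.length);
            }
        }.define();
    }

    public static void main(String[] args) throws Exception {
        Method run = defineInvoker(generateInvoker()).getMethod("run");
        for (int i = 0; i < 3; i++) {
            run.invoke(null); // same call site each time: linked once, then the cached target runs
        }
        System.out.println("bootstrap calls: " + bootstrapCalls + ", target calls: " + targetCalls);
    }
}
```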
I have some more sophisticated examples published here in my Git repo. I hope you've enjoyed reading this – in times of shortage! Cheers, Niklas

Reference: Java 7: A complete invokedynamic example from our JCG partner Niklas....

Simple Security Rules

Wow! Citi really messed up their online security. They included account information as part of the URL. You could alter the URL and access someone else's account information. Yikes o rama, that's a bad design. I've seen a fair number of bad security designs in my time, but I've come up with a list of simple security rules:

Security by obscurity never works. Assume the attacker has your source code. If you are doing some super cool obscuring of the data (like storing the account number in the URL in some obscured manner, as the Citi folks apparently did), someone can and will break your algorithm and breach your system.

If any part of a system can read data, all parts of the system can. For example, if you're writing an iOS app and are encrypting the data in the local database, the fact that you can decrypt it to use it in your app means that someone else can also decrypt it. A corollary to the above is that once data escapes your server, the bad guys can get the data, so let as little of the data out as possible.

Also, never trust the data on the wire. Any HTTP/HTTPS request can be forged and tampered with. This means that if you send a primary key in a hidden field as part of an HTML form, ensure that when the form is submitted, the primary key is the same one you originally sent. But you say, "How can I verify it's the one I sent... I wouldn't have sent the primary key if I could keep the state on the server side and somehow correlate the form submission to the DB record that the form was submitted against." Yeah, well Lift and Seaside and WebObjects and others have solved that problem.

Know your types as you're parsing the request and composing a response. Use an ORM that correctly escapes String parameters. Never "shell out". Rails and Django have markers on Strings that indicate that they are to be "trusted" or they require HTML encoding. This addresses substantially all the cross site scripting related issues. Lift carries the DOM around as part of the page composition so it always knows what should be HTML encoded. Any framework that composes a response simply by writing Strings to a response is de facto insecure.

Use random numbers for everything. SSL uses random numbers for keys. Lift uses random numbers for field names (except in test mode, where having stable field names is necessary for automated testing). Use session-duration random numbers as opaque identifiers so that data doesn't leak from the server to the client. Where you can't use random numbers, encrypt any identifiers with a session-specific encryption key and make sure you have some salt in the thing being encrypted so the key cannot be rainbow-tabled.

Test. Security testing is just testing and should be done at the unit and integration level. Security tests should be a normal part of your unit test suite as well as any integration testing that you do. Your QA people should understand common vulnerabilities (e.g., XSS) just like they understand common programming errors (e.g., NPE) and should test for them. Make the OWASP Top 10 a normal part of your check-in and code review process. This means that every material feature should have a list of the OWASP Top 10 associated with it and a one-sentence description of the exposure to the vulnerability and anything done in the code to defend against exposure. Once developers do this regularly, it'll take 5 minutes to fill out the list, but more importantly, it will create a culture of awareness.

Never assume that your systems are secure. Always assume there are vulnerabilities... just like it's good to assume there will always be bugs in software. It's our job to identify the vulnerabilities, assess the risks of penetration, and prioritize remediation. Also, the only way to keep data out of the hands of the bad guys is to toss the hard drives containing the data into an active volcano (entropy is your friend). If you can access the data, the bad guys can.
The only issue is how much effort they are willing to put into getting to the data. If it's not worth their time or there are easier targets, those targets will be attacked. Think of security as a series of obstacles rather than a single insurmountable wall. In order for the bad guys to get to the pot of gold, they have to evade many, many obstacles. This makes it hard for them and increases the chances you'll observe them trying to overcome an obstacle.

I'll wind up with some thoughts on the whole RSA/Lockheed break-in. This is a perfect example of a pot of gold being very valuable (control information for drones, aircraft design plans, etc.) and an attack that was long ranging and very methodical. The attackers probed the weaknesses in individuals within RSA (could this or this have been part of the probe?) and sent targeted documents that contained zero-day flaws to a small number of weak individuals. Once the attackers gained control of the individuals' machines, they were able to probe the network and escalate privileges in such a way that they actually accessed the RSA key database. This was the time RSA should have voided all the RSA keys and re-issued new ones. Failure to do that should be a company-ending event for RSA... but I editorialize.

I'm just postulating here, but I'm guessing that the attackers used rogue certs to do man-in-the-middle to get Lockheed RSA key/username/password combinations. Because the CA issuing the certs was trusted and there are enough rogue CAs floating around, it's no longer out of the realm of possibility to do man-in-the-middle attacks on SSL layers (re-route traffic and use a rogue cert). If you know the current value of an RSA key, you can narrow down the device that is associated with an account (and if you do the same attack 3 or 4 times, you can figure out exactly which device it is), so that with each device's seed number you can determine the current-time value of the correct RSA key for a given account. Next, you waltz into the VPN or whatever is being secured and do whatever trivial privilege escalation you need to do to get to the right file servers.

Anyway, for the kind of systems most of us are building, sticking to my security outline above should yield good results, but if the target is valuable enough and the attacker is skilled and persistent enough, they can break almost any system.

Reference: Simple Security Rules from our JCG partner David Pollak at the Good Stuff blog....
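The "session-duration random numbers as opaque identifiers" rule from the post, as an added example that is not David Pollak's code: a hypothetical per-session helper mints an unguessable token for each database key the page needs to reference, and on submission only tokens this session handed out resolve back to a key, so the hidden-field or URL value cannot be altered to reach another record.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Session-scoped map between database primary keys and random opaque tokens
 * (hypothetical helper; one instance would live in each user's HTTP session).
 * The client only ever sees the token, so tampering with it cannot select another user's record.
 */
public final class OpaqueIds {

    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, Long> tokenToKey = new HashMap<>();
    private final Map<Long, String> keyToToken = new HashMap<>();

    /** Token to place in the URL or hidden field for this record; minted once per session. */
    public synchronized String tokenFor(long primaryKey) {
        String token = keyToToken.get(primaryKey);
        if (token == null) {
            byte[] bytes = new byte[16]; // 128 random bits: neither guessable nor derivable from the key
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            tokenToKey.put(token, primaryKey);
            keyToToken.put(primaryKey, token);
        }
        return token;
    }

    /** Maps a submitted token back to its key; empty unless this session handed that token out. */
    public synchronized Optional<Long> resolve(String submitted) {
        return Optional.ofNullable(submitted).map(tokenToKey::get);
    }

    public static void main(String[] args) {
        // Constructed scenario: Alice's session is only ever shown account 1001.
        OpaqueIds aliceSession = new OpaqueIds();
        String hidden = aliceSession.tokenFor(1001L);
        System.out.println("hidden field value: " + hidden);

        // An untampered submission resolves to the record the form was built for.
        System.out.println("untampered resolves to: " + aliceSession.resolve(hidden));

        // Tampered submissions: a raw key, a token altered by one character, another session's token.
        OpaqueIds bobSession = new OpaqueIds();
        String bobsToken = bobSession.tokenFor(1002L);
        for (String tampered : new String[] {"1002", hidden.substring(1) + "A", bobsToken}) {
            System.out.println("'" + tampered + "' resolves to: " + aliceSession.resolve(tampered));
        }
    }
}
```

The same check belongs on every request that carries a record reference, not only on form posts; the Citi case in the post was a URL parameter.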

Java Swing Tic-Tac-Toe

Hello people! Wow, it's been a while since I posted something here...! I must say I really miss writing stuff and I promise I won't get into a 'writer's block' again. Hopefully... A helluva lot of things happened in the last two months and I've got loads to say. But in this post I'm just gonna publish a small application that I wrote some time ago. It's a TicTacToe game application. There's not much to be learnt from this particular program but I really want to get outta this impasse and hence I'm posting this today. I actually wrote this code to show off some of the really cool features of Java to one of my friends who also wrote the same application in a "C++"-esque style. And btw that friend of mine even developed code for the computer player. But after completing his code he sadly realized the basic fact that you cannot win in TicTacToe if you play perfectly!! Hehe. So I did not venture into that area. Well, to be honest, I'm not really interested in writing AI apps. But I thought of adding Network Multiplayer functionality to this application since I love network programming. But unfortunately I haven't had the time to do so. Anywaiz, the application works like this: the game is autostarted once launched and the status bar indicates which player's turn it is now, and the rest is just simple tictactoe! And at the end of the game the app is automatically reset. Onto the code...
import javax.swing.*;
import java.awt.*;
import java.awt.event.*;
import java.util.Objects;

/**
 * TicTacToe Application
 * @author Steve Robinson
 * @version 1.0
 */
class TicTacToeFrame extends JFrame {

    JButton[][] buttons = new JButton[3][3];
    JTextField statusBar;
    GamePanel panel;
    Integer turn;
    GameListener listener = new GameListener();
    Integer count;

    public TicTacToeFrame() {
        setLayout(new BorderLayout());

        panel = new GamePanel();
        add(panel, BorderLayout.CENTER);

        statusBar = new JTextField("Player1's Turn");
        statusBar.setEditable(false);
        add(statusBar, BorderLayout.SOUTH);

        setTitle("Tic Tac Toe!");
        setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        setBounds(400, 400, 300, 300);
        setVisible(true);
    }

    class GamePanel extends JPanel {
        public GamePanel() {
            setLayout(new GridLayout(3, 3));
            turn = 1;
            count = 0;
            for (int i = 0; i < 3; i++)
                for (int j = 0; j < 3; j++) {
                    buttons[i][j] = new JButton();
                    // INDEX: the square's position in the grid; OWNER: the player who clicked it
                    buttons[i][j].putClientProperty("INDEX", new Integer[] {i, j});
                    buttons[i][j].putClientProperty("OWNER", null);
                    buttons[i][j].addActionListener(listener);
                    add(buttons[i][j]);
                }
        }
    }

    class GameListener implements ActionListener {
        public void actionPerformed(ActionEvent e) {
            count++;
            JButton b = (JButton) e.getSource();
            Integer[] index = (Integer[]) b.getClientProperty("INDEX");
            b.putClientProperty("OWNER", turn);
            // 1.gif / 2.gif are loaded from the folder that contains the code
            Icon ico = new ImageIcon(turn.toString() + ".gif");
            b.setIcon(ico);
            b.setEnabled(false);
            boolean result = checkVictoryCondition(index);
            if (result) {
                JOptionPane.showMessageDialog(null, "Player " + turn.toString() + " Wins");
                initComponents();
            } else {
                if (turn == 1) {
                    turn = 2;
                    statusBar.setText("Player2's Turn");
                } else {
                    turn = 1;
                    statusBar.setText("Player1's Turn");
                }
            }
            if (count == 9) {
                JOptionPane.showMessageDialog(null, "Match is a draw!");
                initComponents();
            }
        }

        Integer getOwner(JButton b) {
            return (Integer) b.getClientProperty("OWNER");
        }

        // PrintButtonMap for diagnostics
        void printbuttonMap(Integer[][] bMap) {
            for (int i = 0; i < 3; i++) {
                for (int j = 0; j < 3; j++)
                    System.out.print(bMap[i][j] + " ");
                System.out.println("");
            }
        }

        boolean checkVictoryCondition(Integer[] index) {
            /* Integer[][] buttonMap = new Integer[][] {
                   { getOwner(buttons[0][0]), getOwner(buttons[0][1]), getOwner(buttons[0][2]) },
                   { getOwner(buttons[1][0]), getOwner(buttons[1][1]), getOwner(buttons[1][2]) },
                   { getOwner(buttons[2][0]), getOwner(buttons[2][1]), getOwner(buttons[2][2]) } };
               printbuttonMap(buttonMap); */
            Integer a = index[0];
            Integer b = index[1];
            // owner of the square just clicked; Objects.equals avoids comparing Integers by reference
            Integer owner = getOwner(buttons[a][b]);
            int i;
            // check row
            for (i = 0; i < 3; i++) {
                if (!Objects.equals(getOwner(buttons[a][i]), owner)) break;
            }
            if (i == 3) return true;
            // check column
            for (i = 0; i < 3; i++) {
                if (!Objects.equals(getOwner(buttons[i][b]), owner)) break;
            }
            if (i == 3) return true;
            // check diagonals (only a square lying on a diagonal can complete one)
            if ((a == 2 && b == 2) || (a == 0 && b == 0) || (a == 1 && b == 1)
                    || (a == 0 && b == 2) || (a == 2 && b == 0)) {
                // left diagonal
                for (i = 0; i < 3; i++)
                    if (!Objects.equals(getOwner(buttons[i][i]), owner)) break;
                if (i == 3) return true;
                // right diagonal
                if (Objects.equals(getOwner(buttons[0][2]), owner)
                        && Objects.equals(getOwner(buttons[1][1]), owner)
                        && Objects.equals(getOwner(buttons[2][0]), owner))
                    return true;
            }
            return false;
        }
    }

    void initComponents() {
        for (int i = 0; i < 3; i++)
            for (int j = 0; j < 3; j++) {
                buttons[i][j].putClientProperty("INDEX", new Integer[] {i, j});
                buttons[i][j].putClientProperty("OWNER", null);
                buttons[i][j].setIcon(null);
                buttons[i][j].setEnabled(true);
            }
        turn = 1;
        count = 0;
        statusBar.setText("Player1's Turn");
    }
}

class TicTacToe {
    public static void main(String[] args) {
        EventQueue.invokeLater(new Runnable() {
            public void run() {
                new TicTacToeFrame();
            }
        });
    }
}

The code is rather straightforward. I've used two properties in the Buttons to store some information used for checking the winning condition. One is the "OWNER" property, which indicates which user currently owns the square, and the other is the "INDEX" property, which indicates the square's index in the grid (i.e. [1,1], [1,2], etc.). Once any player clicks on a square, the OWNER property is updated and the victory condition is checked by using the OWNER properties of all the buttons. The rest of the code is self explanatory. And adding keyboard support for the second player is a pretty easy job. As they say... "I leave that as an exercise"! Hahaha. Well, I really hope I get some time so that I can add network functionality to this application. Cheers, Steve.

—– I forgot to attach the image icon files that will be used by the application. You can download them from here: http://www.mediafire.com/?d7d93v2342dxind Just extract the contents to the folder that contains the code. Thanks to my friend "Gur Png" for telling me about this.

Reference: Java TicTacToe from our JCG partner Steve Robinson at the Footy 'n' Tech blog....

Regular Expressions in Java – Soft Introduction

A regular expression is a kind of pattern that can be applied to text (a String, in Java). Java provides the java.util.regex package for pattern matching with regular expressions. Java regular expressions are very similar to those of the Perl programming language and are easy to learn. A regular expression either matches the text (or a part of it) or it fails to match.

* If the regular expression matches a part of the text, then we can find out which part.
** If the regular expression is complex, then we can easily find out which part of the regular expression matches which part of the text.

A First Example

The regular expression "[a-z]+" matches all lower case letters in the text. [a-z] means any character from a to z, inclusive, and + means "one or more". Suppose we supply the string "code 2 learn java tutorial".

How to do it in Java

First, you must compile the pattern:

import java.util.regex.*;
Pattern p = Pattern.compile("[a-z]+");

Next you must create a matcher for the text by sending a message to the pattern:

Matcher m = p.matcher("code 2 learn java tutorial");

NOTE: Neither Pattern nor Matcher has a public constructor; we create them by using methods of the Pattern class.

Pattern Class: A Pattern object is a compiled representation of a regular expression. The Pattern class provides no public constructors. To create a pattern, you must first invoke one of its public static compile methods, which will then return a Pattern object. These methods accept a regular expression as the first argument.

Matcher Class: A Matcher object is the engine that interprets the pattern and performs match operations against an input string. Like the Pattern class, Matcher defines no public constructors. You obtain a Matcher object by invoking the matcher method on a Pattern object.

After we have done the above steps, and now that we have the matcher m, we can check whether a match has been found or not and, if yes, at which index position it starts, etc.
m.matches() returns true if the pattern matches the entire string, and false otherwise. m.lookingAt() returns true if the pattern matches at the beginning of the string, and false otherwise. m.find() returns true if the pattern matches any part of the text.

Finding what was matched

After a successful match, m.start() will return the index of the first character matched and m.end() will return the index of the last character matched, plus one. If no match was attempted, or if the match was unsuccessful, m.start() and m.end() will throw an IllegalStateException. This is a RuntimeException, so you don't have to catch it. It may seem strange that m.end() returns the index of the last character matched plus one, but this is just what most String methods require. For example, "Now is the time".substring(m.start(), m.end()) will return exactly the matched substring.

Java Program:

import java.util.regex.*;

public class RegexTest {
    public static void main(String args[]) {
        String pattern = "[a-z]+";
        String text = "code 2 learn java tutorial";
        Pattern p = Pattern.compile(pattern);
        Matcher m = p.matcher(text);
        // find() advances to the next match; start()/end() delimit it as a half-open range
        while (m.find()) {
            System.out.print(text.substring(m.start(), m.end()) + "*");
        }
    }
}

Output: code*learn*java*tutorial*

Additional Methods

If m is a matcher, then
– m.replaceFirst(replacement) returns a new String where the first substring matched by the pattern has been replaced by replacement
– m.replaceAll(replacement) returns a new String where every substring matched by the pattern has been replaced by replacement
– m.find(startIndex) looks for the next pattern match, starting at the specified index
– m.reset() resets this matcher
– m.reset(newText) resets this matcher and gives it new text to examine (which may be a String, StringBuffer, or CharBuffer)

Regular Expression Syntax

Here is the table listing all the regular expression metacharacter syntax available in Java:

Subexpression   Matches
^               Matches beginning of line.
$               Matches end of line.
.               Matches any single character except newline. Using m option allows it to match newline as well.
[...]           Matches any single character in brackets.
[^...]          Matches any single character not in brackets.
\A              Beginning of entire string.
\z              End of entire string.
\Z              End of entire string except allowable final line terminator.
re*             Matches 0 or more occurrences of preceding expression.
re+             Matches 1 or more of the previous thing.
re?             Matches 0 or 1 occurrence of preceding expression.
re{n}           Matches exactly n occurrences of preceding expression.
re{n,}          Matches n or more occurrences of preceding expression.
re{n,m}         Matches at least n and at most m occurrences of preceding expression.
a|b             Matches either a or b.
(re)            Groups regular expressions and remembers matched text.
(?:re)          Groups regular expressions without remembering matched text.
(?>re)          Matches independent pattern without backtracking.
\w              Matches word characters.
\W              Matches nonword characters.
\s              Matches whitespace. Equivalent to [\t\n\r\f].
\S              Matches nonwhitespace.
\d              Matches digits. Equivalent to [0-9].
\D              Matches nondigits.
\A              Matches beginning of string.
\Z              Matches end of string. If a newline exists, it matches just before newline.
\z              Matches end of string.
\G              Matches point where last match finished.
\n              Back-reference to capture group number "n".
\b              Matches word boundaries when outside brackets. Matches backspace (0x08) when inside brackets.
\B              Matches nonword boundaries.
\n, \t, etc.    Matches newlines, carriage returns, tabs, etc.
\Q              Escape (quote) all characters up to \E.
\E              Ends quoting begun with \Q.

Reference: Regular Expressions in Java from our JCG partner Farhan Khwaja at the Code 2 Learn blog....
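An added example, not from the Code 2 Learn post, that runs matches(), lookingAt() and find() side by side on the tutorial's input, lists the half-open [start, end) regions, triggers the IllegalStateException the text mentions, and goes one step beyond the tutorial: when a pattern is used to validate input, find() accepts any string that merely contains a valid fragment, while matches() anchors the pattern to the whole input. The USER_NAME pattern and the sample inputs are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MatcherSemantics {

    // Constructed sample input: the same sentence the tutorial uses.
    static final String TEXT = "code 2 learn java tutorial";
    static final Pattern LOWER = Pattern.compile("[a-z]+");

    /** matches(): the pattern must consume the entire input. */
    static boolean wholeInput(String s) {
        return LOWER.matcher(s).matches();
    }

    /** lookingAt(): the pattern must match at index 0, but need not reach the end. */
    static boolean atStart(String s) {
        return LOWER.matcher(s).lookingAt();
    }

    /** find(): the pattern may match anywhere in the input. */
    static boolean anywhere(String s) {
        return LOWER.matcher(s).find();
    }

    /** Every match as "[start,end)=text"; end is exclusive, so substring(start, end) is the match. */
    static List<String> regions(String s) {
        List<String> out = new ArrayList<>();
        Matcher m = LOWER.matcher(s);
        while (m.find()) {
            out.add("[" + m.start() + "," + m.end() + ")=" + s.substring(m.start(), m.end()));
        }
        return out;
    }

    /** start() before any successful match throws IllegalStateException (a RuntimeException). */
    static boolean startBeforeMatchThrows(String s) {
        Matcher m = LOWER.matcher(s);
        try {
            m.start();
            return false;
        } catch (IllegalStateException expected) {
            return true;
        }
    }

    // Hypothetical validation rule: a user name must consist only of [a-z0-9_].
    static final Pattern USER_NAME = Pattern.compile("[a-z0-9_]+");

    /** Wrong: find() accepts any input that merely contains a valid fragment. */
    static boolean validWithFind(String s) {
        return USER_NAME.matcher(s).find();
    }

    /** Right: matches() requires the whole input to satisfy the pattern. */
    static boolean validWithMatches(String s) {
        return USER_NAME.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Three inputs on which the three methods give different answers.
        for (String s : new String[] {"tutorial", "code 2 learn", "2 learn"}) {
            System.out.printf("%-13s matches=%-5b lookingAt=%-5b find=%-5b%n",
                    s, wholeInput(s), atStart(s), anywhere(s));
        }
        System.out.println(regions(TEXT));
        System.out.println("start() before find() throws: " + startBeforeMatchThrows(TEXT));
        // "bob dylan" contains a space: find() lets it through, matches() rejects it.
        String input = "bob dylan";
        System.out.println("find accepts: " + validWithFind(input)
                + ", matches accepts: " + validWithMatches(input));
    }
}
```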

Some Interview Questions to Hire a Java EE Developer

The Internet is full of interview questions for Java developers. The main problem with those questions is that they only prove that the candidate has a good memory, remembering all that syntax, structures, constants, etc. There is no real evaluation of his/her logical reasoning. I'm listing below some examples of interview questions that check the knowledge of the candidate based on his/her experience. The questions were formulated to verify whether the candidate is capable of fulfilling the role of a Java enterprise applications developer. I'm also putting the answers in case anybody wants to discuss the questions.

1. Can you give some examples of improvements in the Java EE 5/6 specification in comparison to the J2EE specification?

The new specification favours convention over configuration and introduces annotations to replace the use of XML for configuration. Inheritance is not used to define components anymore. They are defined, instead, as POJOs. To empower those POJOs with enterprise features, dependency injection was put in place, simplifying the use of EJBs. The persistence layer was fully replaced by the Java Persistence API (JPA).

2. Considering two enterprise systems developed on different platforms, which good options do you propose to exchange data between them?

We can see as potential options nowadays the use of web services and message queues, depending on the scenario. For example: when a system needs to send data, as soon as they are available, to another system, or to make data available for several systems, then a message queuing system is recommended. When a system has data to be processed by another system and needs the result of this processing back synchronously, then a web service is the most indicated option.

3. What do you suggest to implement asynchronous code in Java EE?

There are several options: one can post messages to a queue to be consumed by a Message-Driven Bean (MDB); or annotate a method with @Timer to define the time to execute the code programmatically; or annotate a method with @Scheduler to define the time to execute the code declaratively.

4. Can you illustrate the use of Stateless Session Bean, Stateful Session Bean and Singleton Session Bean?

Stateless Session Beans are used when there is no need to preserve the state of objects between several business transactions. Every transaction has its own instances, and instances of components can be retrieved from pools of objects. It is recommended for most cases, when several operations are performed within a transaction to keep the database consistent.

Stateful Session Beans are used when there is a need to preserve the state of objects between business transactions. Every instance of the component has its own objects. These objects are modified by different transactions and they are discarded after reaching a predefined time of inactivity. They can be used to cache data with intensive use, such as reference data and long record sets for pagination, in order to reduce the volume of IO operations with the database.

A singleton session bean is instantiated once per application and exists for the lifecycle of the application. Singleton session beans are designed for circumstances in which a single enterprise bean instance is shared across and concurrently accessed by clients. They maintain their state between client invocations, which requires a careful implementation to avoid conflicts when accessed concurrently. This kind of component can be used, for example, to initialize the application at its start-up and share a specific object across the application.

5. What is the difference between a queue and a topic in a message queuing system?

In a queue there is only one producer of messages and only one consumer of these messages (1 – 1). In a topic there is a publisher of messages and several subscribers that will receive those messages (1 – N).

6. Which strategies do you consider to import and export XML content?

If the XML document is formally defined in a schema, we can use JAXB to serialize and deserialize objects into/from XML according to the schema. If the XML document does not have a schema, then there are two situations: 1) when the whole XML content should be considered: in this case, serial access to the whole document is recommended using SAX, or random access using DOM; 2) when only parts of the XML content should be considered, then XPath can be used, or StAX in case operations should be executed immediately after each desired part is found in the document.

7. Can you list some differences between a relational model and an object model?

An object model can be mapped to a relational model, but there are some differences that should be taken into consideration. In the relational model a foreign key has the same type as the target's primary key, but in the object model an attribute points to the entire related object. In the object model it is possible to have N-N relationships, while in the relational model an intermediary entity is needed. There is no support for inheritance, interfaces, and polymorphism in the relational model.

8. What is the difference between XML Schema, XSLT, WSDL and SOAP?

An XML Schema describes the structure of an XML document and it is used to validate these documents. WSDL (Web Service Definition Language) describes the interface of SOAP-based web services. It can refer to XML schemas to define existing complex types passed as parameters or returned to the caller. SOAP (Simple Object Access Protocol) is the format of the message used to exchange data in a web service call. XSLT (eXtensible Stylesheet Language Transformation) is used to transform XML documents into other document formats.

9. How would you configure an environment to maximize the productivity of a development team?

Every developer should have a personal environment capable of executing the whole application on his/her local workstation. The project should be synchronized between developers using a version control system. Integration routines must be executed periodically in order to verify the compatibility and communication between all components of the system. Unit and integration tests must be executed frequently.

You can extend this set of questions covering other subjects like unit testing, dependency injection, version control and so on. Try to formulate the questions in a way that you don't get a single answer, but a short analysis from the candidate. People can easily find answers on the Internet, but good analysis can be provided only with accumulated experience.

Reference: Some Interview Questions to Hire a Java EE Developer from our JCG partner Hildeberto Mendonca at Hildeberto's Blog....
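To make the singleton session bean answer in question 4 concrete, here is an added example (not from Hildeberto's post) of a hypothetical CountryCodeCache bean created at start-up and shared by all clients, using container-managed concurrency so that lookups run in parallel while a refresh is exclusive and bounded by a timeout; the country data is constructed for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import javax.annotation.PostConstruct;
import javax.ejb.AccessTimeout;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.Startup;

/**
 * Application-wide cache of reference data (hypothetical component).
 * One instance per application, created eagerly at start-up, accessed concurrently by all clients.
 */
@Singleton
@Startup
@ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
public class CountryCodeCache {

    // Replaced as a whole on refresh and never mutated in place, so readers always see a
    // consistent snapshot even while a refresh is being prepared.
    private Map<String, String> codes = Collections.emptyMap();

    @PostConstruct
    void init() {
        refresh();
    }

    /** Shared lock: many concurrent lookups do not block one another. */
    @Lock(LockType.READ)
    public String nameOf(String isoCode) {
        return codes.get(isoCode);
    }

    /** Exclusive lock: readers wait until the new snapshot is installed.
     *  Callers that cannot obtain the lock within 5 seconds fail instead of hanging the application. */
    @Lock(LockType.WRITE)
    @AccessTimeout(value = 5, unit = TimeUnit.SECONDS)
    public void refresh() {
        Map<String, String> fresh = new HashMap<>();
        // constructed sample data; a real bean would load this from the database
        fresh.put("DE", "Germany");
        fresh.put("PL", "Poland");
        fresh.put("BR", "Brazil");
        codes = Collections.unmodifiableMap(fresh);
    }
}
```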

Automatically generating WADL in Spring MVC REST application

Last time we have learnt the basics of WADL. The language itself is not as interesting to write a separate article about it, but the title of this article reveals why we needed that knowledge. Many implementations of JSR 311: JAX-RS: The Java API for RESTful Web Services provide runtime WADL generation out-of-the-box: Apache CXF, Jersey and Restlet. RESTeasy still waiting. Basically these frameworks examine Java code with JSR-311 annotations and generate WADL document available under some URL. Unfortunately Spring MVC not only does not implement the JSR-311 standard (see: Does Spring MVC support JSR 311 annotations?), but it also does not generate WADL for us (see: SPR-8705), even though it is perfectly suited for exposing REST services. For various reasons I started developing server-side REST services with Spring MVC and after a while (say, thirdy resources later) I started to get a bit lost. I really needed a way to catalogue and document all available resources and operations. WADL seemed like a great choice. Fortunately Spring framework is open for extension and it is easy to add new features based on existing infrastructure if you are willing to dig through the code for a while. In order to generate WADL I needed a list of URIs that an application handles, what HTTP methods are implemented and – ideally – which Java method handles each one of them. Obviously Spring does that job already somewhere during boot-strapping MVC DispatcherServlet – scanning for @Controller, @RequestMapping, @PathVariable, etc. – so it seems smart to reuse that information rather then performing the job again. Guess what, it looks like all the information we need is kept in an oddly named RequestMappingHandlerMapping class. 
Here is a debugger screenshot just to give you an overview of how rich the available information is: [debugger screenshot of a RequestMappingHandlerMapping instance not included]

But it gets even better: RequestMappingHandlerMapping is actually a Spring bean which you can easily inject and use:

    @Controller
    class WadlController @Autowired()(mapping: RequestMappingHandlerMapping) {

      @RequestMapping(method = Array(GET))
      @ResponseBody
      def generate(request: HttpServletRequest) = new WadlApplication()

    }

That's right, we will use yet another Spring MVC controller to generate the WADL document. Last time we managed to generate JAXB classes representing the WADL document (after all WADL is an XML file), so by returning an empty instance of WadlApplication we are actually returning an empty, but valid, WADL:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <application xmlns="http://wadl.dev.java.net/2009/02"/>

I won't explain the details of the implementation (full source code is available including a sample application). It was basically a matter of rewriting Spring models to WADL classes. If you are interested, have a look at WadlGenerator.scala, which is the central point of the solution, and at the test cases. Here is one of them:

    test("should add parameter info for template parameter in URL") {
      given("")
      val mapping = Map(
        mappingInfo("/books", GET) -> handlerMethod("listBooks"),
        mappingInfo("/books/{bookId}", GET) -> handlerMethod("readBook")
      )
      when("")
      val wadl = generate(mapping)
      then("")
      assertXMLEqual(wadlHeader + """
        <resource path="books">
          <method name="GET">
            <doc title="com.blogspot.nurkiewicz.springwadl.TestController.listBooks"/>
          </method>
          <resource path="{bookId}">
            <param name="bookId" required="true" />
            <method name="GET">
              <doc title="com.blogspot.nurkiewicz.springwadl.TestController.readBook"/>
            </method>
          </resource>
        </resource>
      """ + wadlFooter, wadl)
    }

Unfortunately I was too lazy to correctly name the given/when/then blocks, but the tests should be pretty readable.

The only technical difficulty I would like to mention was translating the flat URI patterns provided by the Spring infrastructure into hierarchical WADL objects (basically a tree). Here is a simplified version of this problem: given a list of URI patterns as follows:

    /books
    /books/{bookId}
    /books/{bookId}/reviews
    /books/best-sellers
    /readers
    /readers/{readerId}
    /readers/{readerId}/account/new-password
    /readers/active
    /readers/passive

generate the following tree data structure: [tree diagram not included]

Of course the data structure is as simple as a Node object holding a label and a list of child Nodes. Not really that challenging, but probably an interesting CodeKata.

So what is it all about with this WADL? Is the XML really more readable and does it help in managing REST-heavy applications? I wouldn't even bother playing with it if it weren't for the great soapUI support for WADL. The WADL generated for the example application I pushed as well can be easily imported into soapUI: [soapUI screenshot not included]

Two features are worth mentioning. First of all, soapUI displays a tree of REST resources (as opposed to the flat list of operations shown when a WSDL is imported). Next to every HTTP method there is the corresponding Java method that handles it (this can be disabled) for troubleshooting and debugging purposes. Secondly, we can pick any HTTP method/resource and invoke it. Based on the WADL description soapUI will create a user-friendly wizard where one can input parameters. Default values are automatically populated. When we are done, the application will generate an HTTP request with the correct URL and content, displaying the response when it arrives. Really helpful! By the way, have you noticed the max and page query parameters? Our small library uses reflection to find @RequestParam annotations, so e.g. the following controller:

    @Controller
    @RequestMapping(value = Array("/book/{bookId}/review"))
    class ReviewController @Autowired()(reviewService: ReviewService) {

      @RequestMapping(method = Array(GET))
      @ResponseBody
      def listReviews(
          @RequestParam(value = "page", required = false, defaultValue = "1") page: Int,
          @RequestParam(value = "max", required = false, defaultValue = "20") max: Int) =
        new ResultPage(reviewService.listReviews(new PageRequest(page - 1, max)))

      //...
    }

will be translated into a WADL-compatible description (the original listing was missing the closing </method> tag and the ">" of the last </resource>; both are restored here):

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <application xmlns="http://wadl.dev.java.net/2009/02">
      <doc title="Spring MVC REST appllication"/>
      <resources base="http://localhost:8080/api">
        <resource path="book">
          <!-- -->
          <resource path="{bookId}">
            <param required="true" style="template" name="bookId"/>
            <!-- -->
            <resource path="review">
              <method name="GET">
                <doc title="com.blogspot.nurkiewicz.web.ReviewController.listReviews"/>
                <request>
                  <param required="false" default="1" style="query" name="page"/>
                  <param required="false" default="20" style="query" name="max"/>
                </request>
              </method>
            </resource>
          </resource>
        </resource>
      </resources>
    </application>

Hope you had fun with this small library I have written. Feel free to include it in your project and don't hesitate to report bugs. Full source code under the Apache license is available on GitHub: https://github.com/nurkiewicz/spring-rest-wadl.

Reference: Automatically generating WADL in Spring MVC REST application from our JCG partner Tomasz Nurkiewicz at the Java and neighbourhood blog.
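As an added example (not code from the spring-rest-wadl library, which is written in Scala, nor from the post's author), here is a Python rendition of the two steps the post describes: folding the flat URI patterns into a tree of Node objects, and walking that tree to emit hierarchical WADL in which every `{name}` segment becomes a required template `<param>` and every handler becomes a `<method>` with a `<doc title>`. The mapping triples, handler names and base URL are constructed sample values; the real library reads them from RequestMappingHandlerMapping. The tree build is order-independent, so `/books/{bookId}` may arrive before `/books`, as it can from an unordered handler map.

```python
"""Flat Spring-style URI patterns -> Node tree -> hierarchical WADL.

Added example modelled on the post's pattern list; not the library's own code.
"""
import re
import xml.etree.ElementTree as ET

WADL_NS = "http://wadl.dev.java.net/2009/02"
TEMPLATE_RE = re.compile(r"^\{(\w+)\}$")  # a {bookId}-style path segment

# Constructed sample: (uri_pattern, http_method, handler) triples, as the
# library would obtain them from RequestMappingHandlerMapping.
SAMPLE_MAPPINGS = [
    ("/books", "GET", "TestController.listBooks"),
    ("/books/{bookId}", "GET", "TestController.readBook"),
    ("/books/{bookId}/reviews", "GET", "TestController.listReviews"),
    ("/books/best-sellers", "GET", "TestController.bestSellers"),
    ("/readers", "GET", "TestController.listReaders"),
    ("/readers/{readerId}", "GET", "TestController.readReader"),
    ("/readers/{readerId}/account/new-password", "POST", "TestController.newPassword"),
    ("/readers/active", "GET", "TestController.activeReaders"),
    ("/readers/passive", "GET", "TestController.passiveReaders"),
]


def q(tag):
    """Qualify a tag name with the WADL namespace."""
    return "{%s}%s" % (WADL_NS, tag)


class Node:
    """One URI segment. Children are keyed by label; dict keeps insertion order."""

    def __init__(self, label):
        self.label = label
        self.children = {}
        self.methods = []  # list of (http_method, handler) attached to this segment

    def child(self, label):
        return self.children.setdefault(label, Node(label))


def build_tree(mappings):
    """Fold flat (pattern, http_method, handler) triples into a segment tree."""
    root = Node("")
    for pattern, http_method, handler in mappings:
        node = root
        for segment in pattern.strip("/").split("/"):
            if segment:  # skip the empty segment produced by "/"
                node = node.child(segment)
        node.methods.append((http_method, handler))
    return root


def outline(node):
    """Nested dict of labels only; convenient for inspecting the tree shape."""
    return {c.label: outline(c) for c in node.children.values()}


def _emit(node, parent):
    """Serialize one Node (and its subtree) as a <resource> under parent."""
    res = ET.SubElement(parent, q("resource"), path=node.label)
    m = TEMPLATE_RE.match(node.label)
    if m:  # a {name} segment becomes a required template parameter
        ET.SubElement(res, q("param"), name=m.group(1), style="template", required="true")
    for http_method, handler in node.methods:
        meth = ET.SubElement(res, q("method"), name=http_method)
        ET.SubElement(meth, q("doc"), title=handler)
    for child in node.children.values():
        _emit(child, res)


def to_wadl(mappings, base="http://localhost:8080/api", title="Spring MVC REST application"):
    """Return a WADL document (without XML declaration) describing the mappings."""
    ET.register_namespace("", WADL_NS)  # emit a default namespace, as in the post
    app = ET.Element(q("application"))
    ET.SubElement(app, q("doc"), title=title)
    resources = ET.SubElement(app, q("resources"), base=base)
    for child in build_tree(mappings).children.values():
        _emit(child, resources)
    return ET.tostring(app, encoding="unicode")


def template_params(wadl):
    """Names of template <param>s in a WADL string, in document order."""
    root = ET.fromstring(wadl)
    return [p.get("name") for p in root.iter(q("param")) if p.get("style") == "template"]


def handler_titles(wadl):
    """Handler names attached to <method> elements, in document order."""
    root = ET.fromstring(wadl)
    return [m.find(q("doc")).get("title") for m in root.iter(q("method"))]


if __name__ == "__main__":
    print(to_wadl(SAMPLE_MAPPINGS))
```

One practical point for anyone wiring such a generator into a real application: the output is an exact inventory of every route, its HTTP methods and the fully qualified handler class behind each one, so the WADL controller belongs in a development profile or behind the same authentication as the rest of the API rather than on an open URL.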