What’s Cooking in Java 8 – Project Lambda

What is Project Lambda: Project Lambda is the project to enable lambda expressions in the Java language syntax. Lambda expressions are a major syntactic feature of functional programming languages like Lisp. Groovy would be the closest relative of Java that has support for lambda expressions, also known as closures. So what is a lambda expression? It is a block of code that can be assigned to a variable, passed as an argument to a method, or passed as an argument to another lambda expression, just like any other data. The code can also be invoked whenever required. The main motivation for supporting this in Java is to remove a lot of boilerplate code when using certain APIs that require some code from the API user but end up needing inner classes just because of Java's syntax requirements. The most common such API is the Java threading API, where we need to tell the API which code to execute in a new thread but end up implementing Runnable. The specification is still under development and is continuously changing. This article just gives an idea of what to expect.

Functional interfaces: The Java specification developers hardly ever want to modify the JVM specification, and this case is no exception. So they are designing the specification so that lambdas can be implemented without any modification to the JVM. You can therefore compile a class easily with source version 1.8 and target version 1.5. The lambda code will be kept in an anonymous class implementing an interface that has only one method. Well, not exactly: the interface can have more than one method, but it must be implementable by a class that defines only one method. We will call such an interface a functional interface. The following are some examples of functional interfaces.
```java
//A simple case, only one method
//This is a functional interface
public interface Test1{
    public void doSomething(int x);
}

//Defines two methods, but toString() is already there in
//any object by virtue of being a subclass of java.lang.Object
//This is a functional interface
public interface Test2{
    public void doSomething(int x);
    public String toString();
}

//The method in Test3 is override compatible with
//the method in Test1, so the interface is still
//functional
public interface Test3 extends Test1{
    public void doSomething(int x);
}

//Not functional, the implementation must
//explicitly implement two methods.
public interface Test4 extends Test1{
    public void doSomething(long x);
}
```

Lambda expressions: In Java 8, lambda expressions are just a different syntax for implementing functional interfaces using anonymous classes. The syntax is indeed much simpler than that for creating anonymous classes. The syntax is mainly of this form:

argumentList -> body

The argumentList is just like a Java method argument list, comma separated and enclosed in parentheses, with one exception: if there is only one argument, the parentheses are optional. It is also optional to mention the types of the arguments. In case the types are not specified, they are inferred. The body can be of two types: an expression body and a code block body. An expression body is just a valid Java expression that returns a value. A code block body contains a code block just like a method body. The code block body has the same syntax as a method body, including the mandatory pair of braces. The following example shows how a new thread is implemented using lambda syntax.
```java
//The thread will keep printing "Hello"
new Thread(() -> {
    while(true){
        System.out.println("Hello");
    }
}).start();
```

The expression syntax is shown in the following example:

```java
public interface RandomLongs{
    public long randomLong();
}

RandomLongs randomLongs = () -> ((long)(Math.random()*Long.MAX_VALUE));
System.out.println(randomLongs.randomLong());
```

Generics and lambda: But what if we want to implement a generic method using lambda? The specification developers have come up with a nice syntax: the type parameters are declared before the type arguments. The following shows an example:

```java
public interface NCopies{
    public <T extends Cloneable> List<T> getCopies(T seed, int num);
}

//Inferred types for arguments are also supported for generic methods
NCopies nCopies = <T extends Cloneable> (seed, num) -> {
    List<T> list = new ArrayList<>();
    for(int i=0; i<num; i++)
        list.add(seed.clone());
    return list;
};
```

A point to note: The actual interface and method implemented by a lambda expression depend on the context in which it is used. The context can be set up by either an assignment operation or the passing of a parameter in a method invocation. Without a context, the lambda is meaningless, so it is not correct to simply call a method directly on a lambda expression.
For example, the following will give a compilation error:

```java
public interface NCopies{
    public <T extends Cloneable> List<T> getCopies(T seed, int num);
}

//This code will give a compilation error,
//as the lambda is meaningless without a context
(<T extends Cloneable> (seed, num) -> {
    List<T> list = new ArrayList<>();
    for(int i=0; i<num; i++)
        list.add(seed.clone());
    return list;
}).getCopies(new CloneableClass(), 5);
```

However, the following would be perfectly alright, because there is an assignment context for the lambda:

```java
NCopies nCopies = <T extends Cloneable> (seed, num) -> {
    List<T> list = new ArrayList<>();
    for(int i=0; i<num; i++)
        list.add(seed.clone());
    return list;
};
nCopies.getCopies(new CloneableClass(), 5);
```

The stripped-down lambda: Lisp's support for lambda is much more flexible than this. The whole Lisp language is based on lambda. However, Java has to restrict the syntax to fit into its own syntax. Besides, Lisp is an interpreted language, which has the advantage of doing things at runtime when all information is available. Java being a compiled language, it has to stick to much more stringent rules for types, control flow, etc., so as to avoid surprises at runtime. Considering this, the stripped-down lambda in Java 8 does not look that bad.

Reference: What's Cooking in Java 8 – Project Lambda from our JCG partner Debasish Ray Chawdhuri at the Geeky Articles blog.
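As an added example (not from the original article), the functional-interface rule and the context rule above in the syntax Java 8 finally shipped with: Test1 through Test4 and RandomLongs are the article's interfaces, @FunctionalInterface is the released language's compile-time check for the rule, and the released language does not let a lambda declare its own type parameters as the NCopies sample does.

```java
import java.util.ArrayList;
import java.util.List;

public class LambdaContextDemo {
    // Exactly one abstract method: functional.
    @FunctionalInterface
    interface Test1 { void doSomething(int x); }

    // toString() is already implemented by java.lang.Object, so it does not
    // count as an abstract method: still functional, and the annotation compiles.
    @FunctionalInterface
    interface Test2 { void doSomething(int x); String toString(); }

    // Redeclares an override-compatible method: still functional.
    @FunctionalInterface
    interface Test3 extends Test1 { void doSomething(int x); }

    // Two distinct abstract methods (int and long overloads): NOT functional.
    // Putting @FunctionalInterface here, or writing "Test4 t = x -> ...;",
    // is a compile error because the compiler cannot pick the method.
    interface Test4 extends Test1 { void doSomething(long x); }

    interface RandomLongs { long randomLong(); }

    // A method parameter is the other kind of context: the lambda passed in becomes a Test1.
    static void applyTo(Test1 target, int... values) {
        for (int v : values) target.doSomething(v);
    }

    // Records what each lambda was invoked with so the result can be inspected.
    static List<String> run() throws InterruptedException {
        List<String> log = new ArrayList<>();

        // Assignment context: the target type tells the compiler which
        // functional interface (and therefore which method) the lambda implements.
        Test1 t1 = x -> log.add("Test1:" + x);          // inferred parameter type
        Test2 t2 = (int x) -> log.add("Test2:" + x);    // explicit parameter type
        Test3 t3 = x -> { log.add("Test3:" + x); };     // code block body

        t1.doSomething(1);
        t2.doSomething(2);
        t3.doSomething(3);

        // Method-argument context: same lambda shape, typed by the parameter.
        applyTo(x -> log.add("arg:" + x), 4, 5);

        // Expression body that returns a value.
        RandomLongs randomLongs = () -> (long) (Math.random() * Long.MAX_VALUE);
        log.add("random>=0:" + (randomLongs.randomLong() >= 0));

        // The Runnable case from the article, bounded to one message so the demo terminates.
        Thread worker = new Thread(() -> log.add("Hello from " + Thread.currentThread().getName()), "worker");
        worker.start();
        worker.join();   // join gives the happens-before edge needed to read log safely
        return log;
    }

    public static void main(String[] args) throws InterruptedException {
        for (String line : run()) System.out.println(line);
    }
}
```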

Growing hairy software, guided by tests

Software grows organically. One line at a time, one change at a time. These changes soon add up. In an ideal world, they add up to a coherent architecture with an intention-revealing design. But sometimes software just grows hairy: full of little details that obscure the underlying logic. What makes software hairy and how can we stop it?

Hairy code

Generally code starts out clean: brand new, shiny code. But each time you make a change that doesn't quite fit the original design you add a hair, a small, subtle detail. It doesn't detract from the overall purpose of the code, it just covers a specific detail that wasn't thought of originally. One hair on its own is fine. But then you add another, and another, and another. Before you know it, your clean, shiny code is covered in little hairs. Eventually code becomes so hairy you can't even see the underlying design any more.

Let's face it, we're all basically maintenance programmers. How many of us actually work on a genuinely greenfield project? And anyway, soon after starting a greenfield project, you're changing what went before and you're back in maintenance land. We spend most of our time changing existing code. If we're not careful, we spend most of our time adding new hairs.

The simplest thing

When changing existing code, there's a temptation to make the smallest change that could possibly work. Generally, it's a good approach. Christ, TDD is great at keeping you focused on this. Write a test, make it pass. Write a test, make it pass. Do the simplest thing that could possibly work. But you have to do the refactor step. "Red, green, refactor", people. If you're not refactoring, your code's getting hairy. If you're not refactoring, what you just added is a kludge. Sure, it's a well tested, beautifully written kludge; but it's still a kludge. The trouble is, it's easy to forgive yourself. But it's just a little if statement. It's just one little change.
In this specific case we want to do something subtly different. It may not look like it, but it's a kludge. You've described the logic of the change but not the reason. You've described how the behaviour is different, but not why. Congratulations, you just grew a new hair.

An example

Perhaps an example would help right about now. Let's imagine we work for an online retailer. When we fulfil an order, we take each item and attempt to ship it. For those that are out of stock, we add to a queue to ship as soon as we get new stock.

```java
public class OrderItem {
    public void shipIt() {
        if (stockSystem.inStock(getItem()) > getQuantity()) {
            warehouse.shipItem(getItem(), getQuantity(), getCustomer());
        } else {
            warehouse.addQueuedItem(getItem(), getQuantity(), getCustomer());
        }
    }
}
```

As happens with online retailers, we're slowly taking over the universe: now we're expanding into shipping digital items as well as physical stuff. This means that some orders will be for items that don't need physical shipment. Each item knows whether it's a digital product or a physical product; the rights management team have created an electronic shipment management system (email to you and me), so all we need to do is make sure we don't try to post digital items but email them instead. Well, the simplest thing that could possibly work is:

```java
public class OrderItem {
    public void shipIt() {
        if (getItem().isDigitalDelivery()) {
            email.shipItem(getItem(), getCustomer());
        } else if (stockSystem.inStock(getItem()) > getQuantity()) {
            warehouse.shipItem(getItem(), getQuantity(), getCustomer());
        } else {
            warehouse.addQueuedItem(getItem(), getQuantity(), getCustomer());
        }
    }
}
```

After all, it's just a little "if", right? This is all fine and dandy, until in UAT we realise that we're showing delivery in 3 days for digital items. That's not right, so we get a request to show immediate delivery for digital items.
There's a method on Item that calculates the estimated delivery date:

```java
public class Item {
    private static final int STANDARD_POST_DAYS = 3;

    public int getEstimatedDaysToDelivery() {
        if (stockSystem.inStock(this) > 0) {
            return STANDARD_POST_DAYS;
        } else {
            return stockSystem.getEstArrivalDays(this) + STANDARD_POST_DAYS;
        }
    }
}
```

Well, it's easy enough: each item knows whether it's for digital delivery or not, so we can just add another if:

```java
public class Item {
    private static final int STANDARD_POST_DAYS = 3;

    public int getEstimatedDaysToDelivery() {
        if (isDigitalDelivery()) {
            return 0;
        } else if (stockSystem.inStock(this) > 0) {
            return STANDARD_POST_DAYS;
        } else {
            return stockSystem.getEstArrivalDays(getSKU()) + STANDARD_POST_DAYS;
        }
    }
}
```

After all, it's just one more if, right? Where's the harm? But little by little the code is getting hairier and hairier. The trouble is you get lots of little related hairs smeared across the code. You get a hair here, another one over there. You know they're related: they were done as part of the same set of changes. But will someone else looking at this code in 6 months' time? What if we need to make a change so users can select electronic and/or physical delivery for items that support both? Now I need to find all the places that were affected by our original change and make more changes. But they're not grouped together, they've been spread all over. Sure, I can be methodical and find them. But maybe if I'd built it better in the first place it would be easier?

A better way

This all started with a little boolean flag: that was the first smell. Then we find ourselves checking the state of the flag and switching behaviour based on it. It's almost like there was a new domain concept here of a delivery method. Say instead I create a DeliveryMethod interface, so each Item can have a DeliveryMethod.
```java
public interface DeliveryMethod {
    void shipItem(Item item, int quantity, Customer customer);
    int getEstimatedDaysToDelivery(Item item);
}
```

I then create two concrete implementations of this:

```java
public class PostalDelivery implements DeliveryMethod {
    private static final int STANDARD_POST_DAYS = 3;

    @Override
    public void shipItem(Item item, int quantity, Customer customer) {
        if (stockSystem.inStock(item) > quantity) {
            warehouse.shipItem(item, quantity, customer);
        } else {
            warehouse.addQueuedItem(item, quantity, customer);
        }
    }

    @Override
    public int getEstimatedDaysToDelivery(Item item) {
        if (stockSystem.inStock(item) > 0) {
            return STANDARD_POST_DAYS;
        } else {
            return stockSystem.getEstArrivalDays(item) + STANDARD_POST_DAYS;
        }
    }
}

public class DigitalDelivery implements DeliveryMethod {
    @Override
    public void shipItem(Item item, int quantity, Customer customer) {
        email.shipItem(item, customer);
    }

    @Override
    public int getEstimatedDaysToDelivery(Item item) {
        return 0;
    }
}
```

Now all the logic about how different delivery methods work is local to the DeliveryMethod classes. This groups related changes together; if we later need to make a change to delivery rules we know exactly where they'll be.

Discipline

Ultimately writing clean code is all about discipline. TDD is a great discipline: it keeps you focused on the task at hand, only adding code that is needed right now, all the while ensuring you have near complete test coverage. However, avoiding hairy code needs yet more discipline. We need to remember to describe the intention of our change, not just the implementation. Code is primarily to be read by humans, so expressing the reason the code does what it does is much more important than expressing the logic. The tests only ensure your logic is correct; you also need to make sure your code reveals its reasoning.

References: Growing hairy software, guided by tests from our JCG partner David Green at the Actively Lazy blog.
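An added, runnable version of the refactoring above (not the author's code): it wires the DeliveryMethod design to small constructed stand-ins for the article's stockSystem, warehouse and email collaborators (passed in through constructors here, which the article leaves implicit), shows the delegating shipIt() that the article does not print, and checks the shipping and delivery-estimate rules with assertions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DeliveryMethodDemo {
    // Constructed stand-ins for the article's collaborators; they record what they were asked to do.
    static class StockSystem {
        final Map<String, Integer> stock = new HashMap<>();
        final Map<String, Integer> arrivalDays = new HashMap<>();
        int inStock(Item item) { return stock.getOrDefault(item.sku, 0); }
        int getEstArrivalDays(Item item) { return arrivalDays.getOrDefault(item.sku, 0); }
    }
    static class Warehouse {
        final List<String> log = new ArrayList<>();
        void shipItem(Item i, int q, Customer c) { log.add("ship " + q + "x" + i.sku + " to " + c.name); }
        void addQueuedItem(Item i, int q, Customer c) { log.add("queue " + q + "x" + i.sku + " for " + c.name); }
    }
    static class Email {
        final List<String> log = new ArrayList<>();
        void shipItem(Item i, Customer c) { log.add("email " + i.sku + " to " + c.name); }
    }
    static class Customer { final String name; Customer(String name) { this.name = name; } }

    interface DeliveryMethod {
        void shipItem(Item item, int quantity, Customer customer);
        int getEstimatedDaysToDelivery(Item item);
    }

    static class PostalDelivery implements DeliveryMethod {
        private static final int STANDARD_POST_DAYS = 3;
        private final StockSystem stockSystem;
        private final Warehouse warehouse;
        PostalDelivery(StockSystem stockSystem, Warehouse warehouse) { this.stockSystem = stockSystem; this.warehouse = warehouse; }
        @Override public void shipItem(Item item, int quantity, Customer customer) {
            if (stockSystem.inStock(item) > quantity) warehouse.shipItem(item, quantity, customer);
            else warehouse.addQueuedItem(item, quantity, customer);
        }
        @Override public int getEstimatedDaysToDelivery(Item item) {
            if (stockSystem.inStock(item) > 0) return STANDARD_POST_DAYS;
            return stockSystem.getEstArrivalDays(item) + STANDARD_POST_DAYS;
        }
    }

    static class DigitalDelivery implements DeliveryMethod {
        private final Email email;
        DigitalDelivery(Email email) { this.email = email; }
        @Override public void shipItem(Item item, int quantity, Customer customer) { email.shipItem(item, customer); }
        @Override public int getEstimatedDaysToDelivery(Item item) { return 0; }
    }

    // Item no longer carries an isDigitalDelivery() flag; it carries its delivery method.
    static class Item {
        final String sku;
        final DeliveryMethod delivery;
        Item(String sku, DeliveryMethod delivery) { this.sku = sku; this.delivery = delivery; }
        int getEstimatedDaysToDelivery() { return delivery.getEstimatedDaysToDelivery(this); }
    }

    static class OrderItem {
        final Item item; final int quantity; final Customer customer;
        OrderItem(Item item, int quantity, Customer customer) { this.item = item; this.quantity = quantity; this.customer = customer; }
        // No delivery-specific branches are left here: shipIt() just delegates.
        void shipIt() { item.delivery.shipItem(item, quantity, customer); }
    }

    static void check(boolean ok, String rule) { if (!ok) throw new AssertionError("delivery rule broken: " + rule); }

    public static void main(String[] args) {
        StockSystem stock = new StockSystem();
        Warehouse warehouse = new Warehouse();
        Email email = new Email();
        DeliveryMethod post = new PostalDelivery(stock, warehouse);
        DeliveryMethod digital = new DigitalDelivery(email);
        Customer alice = new Customer("alice");
        Item book = new Item("BOOK-1", post);     // in stock
        Item ebook = new Item("EBOOK-1", digital); // digital
        Item lamp = new Item("LAMP-7", post);     // out of stock, arriving in 4 days
        stock.stock.put("BOOK-1", 10);
        stock.arrivalDays.put("LAMP-7", 4);

        new OrderItem(book, 2, alice).shipIt();
        new OrderItem(ebook, 1, alice).shipIt();
        new OrderItem(lamp, 1, alice).shipIt();

        check(warehouse.log.get(0).equals("ship 2xBOOK-1 to alice"), "in-stock item is posted");
        check(email.log.get(0).equals("email EBOOK-1 to alice"), "digital item is emailed");
        check(warehouse.log.get(1).equals("queue 1xLAMP-7 for alice"), "out-of-stock item is queued");
        check(book.getEstimatedDaysToDelivery() == 3, "standard post");
        check(ebook.getEstimatedDaysToDelivery() == 0, "immediate digital delivery");
        check(lamp.getEstimatedDaysToDelivery() == 7, "arrival plus post");
        System.out.println("all delivery rules pass");
    }
}
```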

Apache Camel 2.9 Released – Top 10 Changes

On the last day of 2011 the Apache Camel artifacts just managed to be pushed to the central Maven repo, just shy of 1.5 hours before the champagne bottles were cracked and we entered 2012. The 2.9 release is a record-breaking release with about 500 JIRA tickets resolved since 2.8 was released 5 months ago. Here is a breakdown of 10 of the most noticeable improvements and new features:

1. JAR dependencies reduced. The camel-core JAR now only depends on the API from slf4j. On top of that, about 15 components no longer depend on Spring JARs. I have previously blogged about this.

2. The Simple language has been overhauled and has a much improved syntax parser, which gives precise error details about what is wrong. You can now also have embedded functions inside functions. And we have unary operators, such as ++ to easily increment counters. I also started experimenting with ternary operators, so expect the conditional and the Elvis operator to be introduced in the future :) I have previously blogged about this.

3. The Bean component has been much improved as well. Now you can define bindings explicitly in the method name option, to 100% decouple your bean code from Camel when using more complicated bindings. Likewise you can pass in values such as literals, numbers, booleans etc. The bean component can now also invoke static methods directly, as well as invoking private class beans if an interface exists. I have previously blogged about this.

4. Splitting big XML files in streaming mode with a low memory footprint is now possible. There is a tokenizer solution that is purely String based, scanning for tokens, and another solution that uses the StAX and JAXB APIs. The former requires no JAXB bindings, as required by the latter. I have previously blogged about these two solutions [1] and [2].

5. More cloud components. We now have 2 new AWS components, for Simple Email Service and Simple DB. There is also a new JClouds component.

6. Using request-reply over JMS with fixed reply queues now supports a new exclusive option, which performs faster than the default assumed shared queue. Likewise the JMS consumer supports a new asyncConsumer option, to allow the JMS consumer to leverage the asynchronous non-blocking routing engine. All good stuff that, if enabled, can make JMS go faster under certain use cases.

7. Added a number of new JMX annotations to allow custom components to easily expose custom JMX attributes and operations. We also have JMX load statistics on the ManagedCamelContext MBean, similar to the Unix top command, with average load stats for the last 1 minute, 5 minutes and 15 minutes.

8. The camel-cxf component now supports OSGi Blueprint configuration for CXF-RS as well.

9. There are a number of new Apache Karaf Camel commands for further managing your Camel applications from the command shell.

10. And as usual there are a lot of minor improvements and bug fixes as well. For example the file/ftp components now support sendEmptyMessageWhenIdle to... yeah, send an empty message when there were no files to poll. Likewise the script and language components now make it easier to load scripts from file/classpath. And the Camel Test Kit now has more juice for swapping endpoints before unit testing, which makes it easier to swap real endpoints with mocks and whatnot without touching your route code in the tests. And we have as usual upgraded to the latest and greatest 3rd party libraries, such as Apache CXF 2.5.1, Groovy 1.8.5, Jackson 1.9.2, AWS 1.2.12, Spring 3.0.6, and JPA2 etc.

You can see more details in the 2.9 release notes, such as details about other improvements and bug fixes.

Reference: Apache Camel 2.9 Released – Top 10 Changes from our JCG partner Claus Ibsen at the Claus Ibsen riding the Apache Camel blog.

What is behind System.nanoTime()?

In the Java world there is a very good perception of System.nanoTime(). There is always somebody who says that it is fast, reliable and, whenever possible, should be used for timings instead of System.currentTimeMillis(). Overall that claim is not quite right: nanoTime() is not bad at all, but there are some drawbacks a developer should be aware of. Also, although they have a lot in common, these drawbacks are usually platform-specific.

WINDOWS

The functionality is implemented using the QueryPerformanceCounter API, which is known to have some issues. There is the possibility that it can leap forward, some people report that it can be extremely slow on multiprocessor machines, etc. I spent some time on the net trying to find out how exactly QueryPerformanceCounter works and what it does. There is no clear conclusion on that topic, but there are some posts which give a brief idea of how it works; the most useful ones are listed in the references at the end of this article. Sure, one can find more with a little searching, but the information will be more or less the same. So, it looks like the implementation uses the HPET if it is available. If not, it uses the TSC with some kind of synchronization of the value among CPUs. Interestingly, QueryPerformanceCounter promises to return a value which increases with constant frequency. It means that when using the TSC on several CPUs it may have difficulties, not just because the CPUs may simply have different TSC values, but also because they may have different frequencies. Keeping all that in mind, Microsoft recommends using SetThreadAffinityMask to pin the thread which calls QueryPerformanceCounter to a single processor, which, obviously, is not happening in the JVM.

LINUX

Linux is very similar to Windows, apart from the fact that it is much more transparent (I managed to download the sources :) ). The value is read from clock_gettime with the CLOCK_MONOTONIC flag (for real men, the source is available in vclock_gettime.c in the Linux source tree), which uses either the TSC or the HPET. The only difference from Windows is that Linux does not even try to sync the TSC values read from different CPUs; it just returns the value as it is. It means that the value can leap back and jump forward depending on the CPU where it is read. Also, in contrast to Windows, Linux doesn't keep the change frequency constant. On the other hand, this definitely should improve performance.

SOLARIS

Solaris is simple. I believe that via gethrtime it goes to more or less the same implementation of clock_gettime as Linux does. The difference is that Solaris guarantees that the counter will not leap back, which is possible on Linux, but it is possible that the same value will be returned again. That guarantee, as can be observed from the source code, is implemented using CAS, which requires synchronization with main memory and can be relatively expensive on multiprocessor machines. The same as on Linux, the change rate can vary.

CONCLUSION

The conclusion is kind of cloudy. The developer has to be aware that the function is not perfect: it can leap back or just forward. It may not change monotonically, and the change rate can vary depending on CPU clock speed. Also, it is not as fast as many may think. On my Windows 7 machine, in a single-threaded test it is just about 10% faster than System.currentTimeMillis(); in a multi-threaded test, where the number of threads is the same as the number of CPUs, it is just the same. So, overall, all it gives is an increase in resolution, which may be important for some cases. And as a final note, even when the CPU frequency is not changing, do not think that you can reliably map that value to the system clock; see the references below for details.

APPENDIX

The appendix contains implementations of the function for different OSes. The source code is from OpenJDK v.7.
Solaris

```cpp
// gethrtime can move backwards if read from one cpu and then a different cpu
// getTimeNanos is guaranteed to not move backward on Solaris
inline hrtime_t getTimeNanos() {
  if (VM_Version::supports_cx8()) {
    const hrtime_t now = gethrtime();
    // Use atomic long load since 32-bit x86 uses 2 registers to keep long.
    const hrtime_t prev = Atomic::load((volatile jlong*)&max_hrtime);
    if (now <= prev) return prev;   // same or retrograde time;
    const hrtime_t obsv = Atomic::cmpxchg(now, (volatile jlong*)&max_hrtime, prev);
    assert(obsv >= prev, "invariant");   // Monotonicity
    // If the CAS succeeded then we're done and return "now".
    // If the CAS failed and the observed value "obs" is >= now then
    // we should return "obs". If the CAS failed and now > obs > prv then
    // some other thread raced this thread and installed a new value, in which case
    // we could either (a) retry the entire operation, (b) retry trying to install now
    // or (c) just return obs. We use (c). No loop is required although in some cases
    // we might discard a higher "now" value in deference to a slightly lower but freshly
    // installed obs value. That's entirely benign -- it admits no new orderings compared
    // to (a) or (b) -- and greatly reduces coherence traffic.
    // We might also condition (c) on the magnitude of the delta between obs and now.
    // Avoiding excessive CAS operations to hot RW locations is critical.
    // See http://blogs.sun.com/dave/entry/cas_and_cache_trivia_invalidate
    return (prev == obsv) ? now : obsv ;
  } else {
    return oldgetTimeNanos();
  }
}
```

Linux

```cpp
jlong os::javaTimeNanos() {
  if (Linux::supports_monotonic_clock()) {
    struct timespec tp;
    int status = Linux::clock_gettime(CLOCK_MONOTONIC, &tp);
    assert(status == 0, "gettime error");
    jlong result = jlong(tp.tv_sec) * (1000 * 1000 * 1000) + jlong(tp.tv_nsec);
    return result;
  } else {
    timeval time;
    int status = gettimeofday(&time, NULL);
    assert(status != -1, "linux error");
    jlong usecs = jlong(time.tv_sec) * (1000 * 1000) + jlong(time.tv_usec);
    return 1000 * usecs;
  }
}
```

Windows

```cpp
jlong os::javaTimeNanos() {
  if (!has_performance_count) {
    return javaTimeMillis() * NANOS_PER_MILLISEC; // the best we can do.
  } else {
    LARGE_INTEGER current_count;
    QueryPerformanceCounter(&current_count);
    double current = as_long(current_count);
    double freq = performance_frequency;
    jlong time = (jlong)((current/freq) * NANOS_PER_SEC);
    return time;
  }
}
```

Reference: What is behind System.nanoTime()? from our JCG partner Stanislav Kobylansky at Stas's blog.

Related reading:
Inside the Hotspot VM: Clocks, Timers and Scheduling Events
Beware of QueryPerformanceCounter()
Implement a Continuously Updating, High-Resolution Time Provider for Windows
Game Timing and Multicore Processors
High Precision Event Timer (Wikipedia)
Time Stamp Counter (Wikipedia)
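An added probe (not from the original post) that lets you reproduce the article's two claims on your own machine: it wraps System.nanoTime() in the same single-CAS, never-loop scheme as the Solaris getTimeNanos() above, hammers the raw call from one thread per CPU while counting readings that came back below the shared maximum, and times nanoTime() against currentTimeMillis() per call. Thread count, iteration count and the Result holder are this example's own choices.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;

public class NanoTimeProbe {
    // Highest raw System.nanoTime() value any thread has installed so far.
    private static final AtomicLong maxSeen = new AtomicLong(Long.MIN_VALUE);
    // Raw readings that were already below the shared maximum when checked.
    private static final AtomicInteger belowMax = new AtomicInteger();
    // Times the wrapped clock went backwards for a single thread (expected: 0).
    private static final AtomicInteger wrapperBackwards = new AtomicInteger();

    // Java transcription of the Solaris getTimeNanos() idea: one CAS against a
    // shared maximum, no retry loop, and the returned value never goes backwards.
    static long monotonicNanos() {
        long now = System.nanoTime();
        long prev = maxSeen.get();
        if (now <= prev) return prev;                    // same or retrograde time: hand back the max
        if (maxSeen.compareAndSet(prev, now)) return now;
        // Another thread installed a newer value first; like HotSpot, return what it
        // installed rather than racing again (it is >= prev, so still monotonic).
        return maxSeen.get();
    }

    static final class Result {
        final int belowMaxReadings, wrapperBackwards;
        final double nanoTimeCostNs, currentTimeMillisCostNs;
        Result(int below, int back, double nano, double millis) {
            belowMaxReadings = below; wrapperBackwards = back;
            nanoTimeCostNs = nano; currentTimeMillisCostNs = millis;
        }
    }

    static Result probe(int threads, int iterations) throws InterruptedException {
        Thread[] workers = new Thread[threads];
        for (int t = 0; t < threads; t++) {
            workers[t] = new Thread(() -> {
                long last = Long.MIN_VALUE;
                for (int i = 0; i < iterations; i++) {
                    long raw = System.nanoTime();
                    long prev = maxSeen.get();
                    // Upper bound on backward jumps: a reading below the maximum may be a
                    // genuine leap back, or just another thread that read a later value first.
                    if (raw < prev) belowMax.incrementAndGet();
                    else maxSeen.compareAndSet(prev, raw);     // losing the CAS is harmless
                    long mono = monotonicNanos();
                    if (mono < last) wrapperBackwards.incrementAndGet();
                    last = mono;
                }
            });
            workers[t].start();
        }
        for (Thread w : workers) w.join();

        // Single-threaded cost per call; the article measured roughly a 10% gap on Windows 7.
        final int calls = 2_000_000;
        long sink = 0;
        long start = System.nanoTime();
        for (int i = 0; i < calls; i++) sink += System.nanoTime();
        double nanoCost = (System.nanoTime() - start) / (double) calls;
        start = System.nanoTime();
        for (int i = 0; i < calls; i++) sink += System.currentTimeMillis();
        double millisCost = (System.nanoTime() - start) / (double) calls;
        if (sink == 42) System.out.println("unlikely");   // keeps the loops from being eliminated
        return new Result(belowMax.get(), wrapperBackwards.get(), nanoCost, millisCost);
    }

    public static void main(String[] args) throws InterruptedException {
        Result r = probe(Runtime.getRuntime().availableProcessors(), 200_000);
        System.out.printf("raw readings below shared max: %d, wrapper went backwards: %d%n",
                r.belowMaxReadings, r.wrapperBackwards);
        System.out.printf("nanoTime(): %.1f ns/call, currentTimeMillis(): %.1f ns/call%n",
                r.nanoTimeCostNs, r.currentTimeMillisCostNs);
    }
}
```

The wrapper count should stay at zero on every platform; the raw count is only an upper bound, because the check itself races with other threads, which is exactly why the HotSpot code accepts a slightly stale value instead of looping.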

PopupMenu in JavaFX 2

Creating Popup Menus

To create a popup menu in JavaFX you can use the ContextMenu class. You add MenuItems to it and can also create visual separators using SeparatorMenuItem. In the example below I've opted to subclass ContextMenu and add the MenuItems in its constructor.

```java
public class AnimationPopupMenu extends ContextMenu{
    public AnimationPopupMenu() {
        (...)

        getItems().addAll(
            MenuItemBuilder.create()
                .text(ADD_PARTICLE)
                .graphic(createIcon(...))
                .onAction(new EventHandler() {
                    @Override
                    public void handle(ActionEvent actionEvent) {
                        // some code that gets called when the user clicks the menu item
                    }
                })
                .build(),
            (...)

            SeparatorMenuItemBuilder.create().build(),
            MenuItemBuilder.create()
                .text(ADD_DISTANCE_MEASURER)
                .onAction(new EventHandler() {
                    @Override
                    public void handle(ActionEvent actionEvent) {
                        // Some code that will get called when the user clicks the menu item
                    }
                })
                .graphic(createIcon(...))
                .build(),
            (...)
        );
    }
}
```

Line 5: I get the collection of children of the ContextMenu and call addAll to add the MenuItems;
Line 6: uses the MenuItem builder to create a MenuItem;
Line 7: passes in the text of the menu item. The variable ADD_PARTICLE is equal to "Add Particle";
Line 8: calls graphic, which receives the menu item icon returned by createIcon:

```java
ImageView createIcon(URL iconURL) {
    return ImageViewBuilder.create()
        .image(new Image(iconURL.toString()))
        .build();
}
```

Line 9: onAction receives the event handler which will be called when the user clicks the menu item;
Line 15: finally the MenuItem gets created by executing build() on the MenuItemBuilder;
Line 18: creates the separator which you can see in the figure at the start of this post.
It's the dotted line between "Add Origin" and "Add Distance Measurer". The other lines of code just repeat the same process to create the rest of the menu items.

Using JavaFX Popup Menus inside JFXPanel

If you're embedding a JavaFX scene in a Swing app you'll have to do some extra steps manually; if you don't, there won't be hover animations on the popup menu and it won't get dismissed automatically when the user clicks outside of it. There is a fix targeted at JavaFX 3.0 for this: http://javafx-jira.kenai.com/browse/RT-14899

First you'll have to request the focus on the JavaFX container so that the popup gets hover animations and gets dismissed when you click outside your app window. In my case I pass a reference to the JavaFX Swing container in the constructor of the popup menu, then I've overridden the show method of ContextMenu so as to request the focus on the Swing container before actually showing the popup:

```java
public void show(Node anchor, MouseEvent event) {
    wrapper.requestFocusInWindow();
    super.show(anchor, event.getScreenX(), event.getScreenY());
}
```

And lastly you'll also have to dismiss the popup when the user clicks inside the JavaFX scene but outside of the popup, by calling hide(). I almost forgot... thanks to Martin Sladecek (Oracle JavaFX team) for giving me some pointers.

Reference: PopupMenu in JavaFX 2 from our JCG partner Pedro Duque Vieira at the Pixel Duke blog.

OAuth with Spring Security

From Wikipedia: OAuth (Open Authentication) is an open standard for authentication. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password.

There are a lot of posts talking about OAuth from the client side, for example how to connect to service providers like Twitter or Facebook, but there are fewer posts about OAuth from the server side, more specifically how to implement an authentication mechanism using OAuth for protecting resources rather than accessing them (the client side part). In this post I will talk about how to protect your resources using Spring Security (Spring Security OAuth). The example will be simple enough to understand the basics of implementing an OAuth service provider. I have found this post that explains, with a simple example, what OAuth is and how it works. I think it is a good starting point with OAuth: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/

Now it is time to start writing our service provider. First of all I will explain what our service provider will offer. Imagine you are developing a website (called CV) where users register and are then able to upload their Curriculum Vitae. Now we are going to transform this website into a service provider where OAuth will be used for protecting resources (the Curriculum Vitae of registered users). Imagine again that some companies have agreed with the CV people that when they publish job vacancies, users will have the possibility of uploading their curriculum directly from the CV site to the HR department instead of sending it by email or copying and pasting from a document. As you can see, here is where OAuth starts managing security between the CV website and the company HR site. In summary we have a Curriculum Vitae service provider (CV) with a protected resource (the document itself).
Companies that offer users the possibility of acquiring their Curriculum Vitae directly from CV are the consumers. So when a user visits a company's job vacancies (in our example called fooCompany) and wants to apply for a job, he only has to authorize the FooCompany "Job Vacancies" website with permission to download his Curriculum Vitae from the CV site.

Because we will use Spring Security for OAuth authentication, first of all we are going to configure Spring Security in the SpringMVC CV application. Nothing special here. In the web.xml file we define the security filter:

```xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

And in root-context.xml we define the protected resources and the authentication manager. In this case an in-memory approach is used:

```xml
<http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="leonard" password="nimoy" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```

Next step, create a Spring controller that returns the Curriculum Vitae of the logged-in user:

```java
@RequestMapping(value="/cvs", method=RequestMethod.GET)
@ResponseBody
public String loadCV() {
    StringBuilder cv = new StringBuilder();
    cv.append("Curriculum Vitae -- Name: ").append(getUserName()).append(" Experience: Java, Spring Security, ...");
    return cv.toString();
}

private String getUserName() {
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    String username;
    if (principal instanceof UserDetails) {
        username = ((UserDetails)principal).getUsername();
    } else {
        username = principal.toString();
    }
    return username;
}
```

This controller returns a String directly, instead of a ModelView object.
This String is sent directly as the HttpServletResponse. Now we have a simple website that returns the Curriculum Vitae of the logged-in user. If you try to access the /cvs resource while not authenticated, Spring Security will show you a login page, and if you are already logged in, your job experience will be returned. It works like any other website that uses Spring Security.

The next step is modifying this project to allow external sites to access the protected resources using the OAuth 2 authentication protocol. In root-context.xml:

```xml
<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
    <beans:property name="supportRefreshToken" value="true" />
</beans:bean>

<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
    <oauth:verification-code user-approval-page="/oauth/confirm_access" />
</oauth:provider>

<oauth:client-details-service id="clientDetails">
    <oauth:client clientId="foo" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>
```

The first bean is an implementation of the OAuth2ProviderTokenServices interface with id tokenServices. The OAuth2ProviderTokenServices interface defines the operations necessary to manage OAuth 2.0 tokens. These tokens must be stored so that subsequent access token requests can reference them. For this example an in-memory store is enough.

The next bean is <oauth:provider>. This tag is used to configure the OAuth 2.0 provider mechanism. In this case three parameters are configured: the first one is a reference to a bean that defines the client details service, explained in the next paragraph; the second one is the token service for providing tokens, explained in the previous paragraph; and the last one is the URL at which a request for an authorization token will be serviced.
This is the typically Authorize/Denny page where service provider asks to user if it permits the Consumer (in our case fooCompany) accessing to protected resources (its Curriculum Vitae). Last bean is <oauth:client-details-service>. In this tag you define which clients you authorize to access to protected resources with previous authentication. In this case because CV company has agreed with foo company that they can connect to its Curriculum Vitae Service, a client is defined with id foo. Now we have our application configured with OAuth. Last step is creating a controller for taking requests from /oauth/confirm_access URL. private ClientAuthenticationCache authenticationCache = new DefaultClientAuthenticationCache(); private ClientDetailsService clientDetailsService;@RequestMapping(value="/oauth/confirm_access") public ModelAndView accessConfirmation(HttpServletRequest request, HttpServletResponse response) { ClientAuthenticationToken clientAuth = getAuthenticationCache().getAuthentication(request, response); if (clientAuth == null) { throw new IllegalStateException("No client authentication request to authorize."); }ClientDetails client = getClientDetailsService().loadClientByClientId(clientAuth.getClientId()); TreeMap<String, Object> model = new TreeMap<String, Object>(); model.put("auth_request", clientAuth); model.put("client", client); return new ModelAndView("access_confirmation", model); }This controller returns a ModelAndView object with client information and which page should be shown for granting permission to protected resources. This JSP page is called access_confirmation.jsp and the most important part is: <div id="content"><% if (session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) != null && !(session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof UnapprovedClientAuthenticationException)) { %> <div class="error"> <p>Access could not be granted. 
(<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)</p> </div> <% } %> <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/><authz:authorize ifAllGranted="ROLE_USER"> <h2>Please Confirm</h2><p>You hereby authorize <c:out value="${client.clientId}"/> to access your protected resources.</p><form id="confirmationForm" name="confirmationForm" action="<%=request.getContextPath() + VerificationCodeFilter.DEFAULT_PROCESSING_URL%>" method="post"> <input name="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_REQUEST_PARAMETER%>" value="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_PARAMETER_VALUE%>" type="hidden"/> <label><input name="authorize" value="Authorize" type="submit"/></label> </form> <form id="denialForm" name="denialForm" action="<%=request.getContextPath() + VerificationCodeFilter.DEFAULT_PROCESSING_URL%>" method="post"> <input name="<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_REQUEST_PARAMETER%>" value="not_<%=BasicUserApprovalFilter.DEFAULT_APPROVAL_PARAMETER_VALUE%>" type="hidden"/> <label><input name="deny" value="Deny" type="submit"/></label> </form> </authz:authorize> </div>As you can see Spring Security OAuth provides helper classes for creating confirmation form and deny form. When the result is submitted, URL /cv/oauth/user/authorize (internally managed) is called, there OAuth decides if returns protected resource (String returned by loadCV() method) to caller or not depending on what option user has chosen. And that’s all about creating an OAuth 2 system using Spring Security OAuth. But I suppose you are wondering how to test it, so for the same price I will explain how to write the client part (Consumer) using Spring Security OAuth too. Client application (called fooCompany) is also a SpringMVC web application with Spring Security. Spring Security part will be ignored here. 
The client application contains a home page (home.jsp) that has a link to Spring Controller that will be responsible to download Curriculum Vitae from CV site, and redirecting content to a view (show.jsp). @RequestMapping(value="/cv") public ModelAndView getCV() { String cv = cvService.getCVContent(); Map<String, String> params = new HashMap<String, String>(); params.put("cv", cv); ModelAndView modelAndView = new ModelAndView("show", params); return modelAndView;}As you can see is a simple Controller that calls a Curriculum Vitae service. This service will be responsible to connect to CV website, and download required Curriculum Vitae. Of course it deals with OAuth communication protocol too. Service looks: public String getCVContent() { byte[] content = (getCvRestTemplate().getForObject(URI.create(cvURL), byte[].class)); return new String(content); }The suggested method for accessing those resources is by using Rest. For this porpose Spring Security OAuth provides an extension of RestTemplate for dealing with OAuth protocol. 
This class (OAuth2RestTemplate) manages connection to required resources and also manages tokens, OAuth authorization protocol, … OAuth2RestTemplate is injected into CVService, and it is configured into root-context.xml: <oauth:client token-services-ref="oauth2TokenServices" /><beans:bean id="oauth2TokenServices" class="org.springframework.security.oauth2.consumer.token.InMemoryOAuth2ClientTokenServices" /><oauth:resource id="cv" type="authorization_code" clientId="foo" accessTokenUri="http://localhost:8080/cv/oauth/authorize" userAuthorizationUri="http://localhost:8080/cv/oauth/user/authorize" /><beans:bean id="cvService" class="org.springsource.oauth.CVServiceImpl"> <beans:property name="cvURL" value="http://localhost:8080/cv/cvs"></beans:property> <beans:property name="cvRestTemplate"> <beans:bean class="org.springframework.security.oauth2.consumer.OAuth2RestTemplate"> <beans:constructor-arg ref="cv"/> </beans:bean> </beans:property> <beans:property name="tokenServices" ref="oauth2TokenServices"></beans:property> </beans:bean>See that OAuth2RestTemplate is created using an OAuth resource that contains all information about where to connect for authorizing access to protected resource, and in this case is CV website, see that we are referencing an external website, although in this example we are using localhost. Also service provider URL (http://localhost:8080/cvs/cv) is set, so RestTemplate can establish a connection to content provider, and in case that authorization process ends successful, retrieving requested information. <oauth:resource> defines OAuth resources, in this case, the name of the client (remember that this value was configured in server side client details tag for granting access to OAuth protocol). Also userAuthorizationUri is defined. This is the URI to which the user will be redirected if the user is ever needed to authorize access to the resource (this is an internal URI managed by Spring Security OAuth). 
And finally accessTokenUri, the URI OAuth provider endpoint that provides the access token (internal URI too). Also creating a consumer using Spring Security OAuth is simple enough. Now I will explain the sequence of events that happens when a user wants to give access to foo company for retrieving its Curriculum Vitae. First of all user connects to foo website, and click on post curriculum vitae link. Then getCV method from controller is called. This method calls cvService, that at the same time creates a connection to resource URI (CV) using OAuth2RestTemplate. And this class acts as a black box, from client side, you don’t know exactly what this class will do but it returns your Curriculum Vitae stored in CV website. As you can imagine this class manages all workflow related to OAuth, like managing tokens, executing required URL redirections to get permissions, … and if all steps are performed successful, stored Curriculum Vitae in CV site will be sent to foo company site. And that’s all steps required to allow your site to act as Service Provider using OAuth2 authorization protocol. Thanks of Spring Security folks, it is much easier that you may think at first. Hope you find it useful. Download ServerSide (CV) Download ClientSide (fooCompany) Reference: OAuth with Spring Security from our JCG partner Alex Soto at the One Jar To Rule Them All blog....
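To make the sequence of events above concrete, here is an added example (not code from the original post and not Spring Security OAuth itself) that models the authorization_code grant between the CV provider and the fooCompany consumer in plain Java. The class names CvProvider, FooCompanyClient and OAuthFlowWalkthrough are hypothetical; the client id "foo" and the user "leonard" are the ones configured above.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Provider side (the CV site), hypothetical stand-in for the <oauth:provider> setup:
// a code is issued only when a registered client is approved by the logged-in user,
// and that code is later exchanged for an access token which unlocks /cvs.
class CvProvider {
    private final SecureRandom random = new SecureRandom();
    private final Set<String> registeredClients = new HashSet<String>();          // <oauth:client clientId="foo"/>
    private final Map<String, String> pendingCodes = new HashMap<String, String>(); // code -> "client|user"
    private final Map<String, String> accessTokens = new HashMap<String, String>(); // token -> user
    private final Map<String, String> cvs = new HashMap<String, String>();          // user -> CV text (constructed)

    CvProvider() {
        registeredClients.add("foo");
        cvs.put("leonard", "Curriculum Vitae -- Name: leonard Experience: Java, Spring Security, ...");
    }

    private String freshToken() {
        return new BigInteger(130, random).toString(32);
    }

    // The approval step (access_confirmation.jsp posting to /oauth/user/authorize).
    // Returns an authorization code, or null when the client is unknown or the user denied.
    String approve(String clientId, String user, boolean authorized) {
        if (!registeredClients.contains(clientId) || !authorized) {
            return null;
        }
        String code = freshToken();
        pendingCodes.put(code, clientId + "|" + user);
        return code;
    }

    // The accessTokenUri step: a code is redeemable exactly once and only by the client it
    // was issued to; a code presented by the wrong client is discarded, not left for retry.
    String exchangeCode(String clientId, String code) {
        String binding = pendingCodes.remove(code);
        if (binding == null || !binding.startsWith(clientId + "|")) {
            return null;
        }
        String token = freshToken();
        accessTokens.put(token, binding.substring(clientId.length() + 1));
        return token;
    }

    // The protected resource (/cvs): released only against a valid access token.
    String loadCV(String accessToken) {
        String user = accessTokens.get(accessToken);
        return user == null ? null : cvs.get(user);
    }
}

// Consumer side (fooCompany): the steps OAuth2RestTemplate performs behind getCVContent().
// The user name stands in for the login the provider would perform at its own login page.
class FooCompanyClient {
    private final CvProvider provider;
    private String accessToken;

    FooCompanyClient(CvProvider provider) {
        this.provider = provider;
    }

    String getCVContent(String user, boolean userAuthorizes) {
        if (accessToken == null) {
            String code = provider.approve("foo", user, userAuthorizes);
            if (code == null) {
                return null;
            }
            accessToken = provider.exchangeCode("foo", code);
        }
        return provider.loadCV(accessToken);
    }
}

public class OAuthFlowWalkthrough {
    public static void main(String[] args) {
        CvProvider cv = new CvProvider();
        System.out.println("approved: " + new FooCompanyClient(cv).getCVContent("leonard", true));
        System.out.println("denied:   " + new FooCompanyClient(cv).getCVContent("leonard", false));

        // A code cannot be replayed, and cannot be redeemed by a client it was not issued to.
        String code = cv.approve("foo", "leonard", true);
        String token = cv.exchangeCode("foo", code);
        System.out.println("replayed code: " + cv.exchangeCode("foo", code));
        String code2 = cv.approve("foo", "leonard", true);
        System.out.println("wrong client:  " + cv.exchangeCode("bar", code2));
        System.out.println("bogus token:   " + cv.loadCV("not-a-token"));
        System.out.println("valid token:   " + cv.loadCV(token));
    }
}
```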

Java 7: A complete invokedynamic example

Another blog entry in my current Java 7 series. This time it's dealing with invokedynamic, a new bytecode instruction on the JVM for method invocation. The invokedynamic instruction allows dynamic linkage between a call site and the receiver of the call. That means you can link the class that is performing a method call to the class (and method) that is receiving the call at run-time. All the other JVM bytecode instructions for method invocation, like invokevirtual, hard-wire the target type information into your compilation, i.e. into your class file. Let's look at an example.

    Constant pool:
       #1 = Class              #2             // com/schlimm/bytecode/examples/BytecodeExamples
       ...
      #42 = Class              #43            // java/lang/String
       ...
      #65 = Methodref          #42.#66        // java/lang/String.length:()I
      #66 = NameAndType        #67:#68        // length:()I
      #67 = Utf8               length
      #68 = Utf8               ()I
       ...
    {
      ...
      public void virtualMethodCall();
        flags: ACC_PUBLIC
        Code:
          stack=1, locals=1, args_size=1
             0: ldc           #44                 // String Hello
             2: invokevirtual #65                 // Method java/lang/String.length:()I
             5: pop
             6: return
          LineNumberTable:
            line 31: 0
            line 32: 6
          LocalVariableTable:
            Start  Length  Slot  Name   Signature
                0       7     0  this   Lcom/schlimm/bytecode/examples/BytecodeExamples;
    }

The bytecode snippet above shows an invokevirtual method call of java.lang.String -> length() (the invokevirtual #65 instruction in virtualMethodCall). It refers to item #65 in the constant pool table, which is a Methodref entry. Items #42 and #66 in the constant pool table refer to the class and the method descriptor entries. As you can see, the target type and method of the invokevirtual call are completely resolved and hard-wired into the bytecode.

Now, let's return to invokedynamic! It is important to notice that it is not possible to compile Java code into bytecode that contains an invokedynamic instruction. Java is statically typed. That means that Java performs type checking at compile time. Therefore, in Java, it is possible (and wanted!) to hard-wire all type information of method call receivers into the caller's class file. The caller knows the type name of the call target, as demonstrated in our example above. The use of invokedynamic, on the other hand, enables the JVM to resolve exactly that type information at run-time. This is only required (and wanted!) for dynamic languages, such as JRuby or Rhino.

Now, suppose you want to implement a new language on the JVM that is dynamically typed. I am not suggesting you should invent *another* language on the JVM, but *suppose* you would, and *suppose* your new language should be dynamically typed. That would mean that in your new language the linking between a caller and a receiver of a method call is performed at run-time. Since Java 7 this is possible on the bytecode level using the invokedynamic instruction. Because I cannot create an invokedynamic instruction using a Java compiler, I will create a class file that contains invokedynamic myself. Once this class file is created I will run that class file's main method using an ordinary java launcher. How can you create a class file without a compiler? This is possible by using bytecode manipulation frameworks like ASM or Javassist. The following code snippet shows the SimpleDynamicInvokerGenerator that can generate a class file SimpleDynamicInvoker.class which contains an invokedynamic instruction.

    // AbstractDynamicInvokerGenerator.java
    import java.lang.invoke.CallSite;
    import java.lang.invoke.MethodHandles;
    import java.lang.invoke.MethodType;

    import org.objectweb.asm.ClassWriter;
    import org.objectweb.asm.Handle;
    import org.objectweb.asm.MethodVisitor;
    import org.objectweb.asm.Opcodes;

    public abstract class AbstractDynamicInvokerGenerator implements Opcodes {

        public byte[] dump(String dynamicInvokerClassName, String dynamicLinkageClassName,
                String bootstrapMethodName, String targetMethodDescriptor) throws Exception {
            ClassWriter cw = new ClassWriter(0);
            MethodVisitor mv;

            cw.visit(V1_7, ACC_PUBLIC + ACC_SUPER, dynamicInvokerClassName, null, "java/lang/Object", null);

            // default constructor: just calls java.lang.Object.<init>
            {
                mv = cw.visitMethod(ACC_PUBLIC, "<init>", "()V", null, null);
                mv.visitCode();
                mv.visitVarInsn(ALOAD, 0);
                mv.visitMethodInsn(INVOKESPECIAL, "java/lang/Object", "<init>", "()V");
                mv.visitInsn(RETURN);
                mv.visitMaxs(1, 1);
                mv.visitEnd();
            }
            // public static void main(String[]) containing the invokedynamic instruction
            {
                mv = cw.visitMethod(ACC_PUBLIC + ACC_STATIC, "main", "([Ljava/lang/String;)V", null, null);
                mv.visitCode();
                // descriptor of the bootstrap method: (Lookup, String, MethodType) -> CallSite
                MethodType mt = MethodType.methodType(CallSite.class, MethodHandles.Lookup.class,
                        String.class, MethodType.class);
                Handle bootstrap = new Handle(Opcodes.H_INVOKESTATIC, dynamicLinkageClassName,
                        bootstrapMethodName, mt.toMethodDescriptorString());
                int maxStackSize = addMethodParameters(mv);
                mv.visitInvokeDynamicInsn("runCalculation", targetMethodDescriptor, bootstrap);
                mv.visitInsn(RETURN);
                mv.visitMaxs(maxStackSize, 1);
                mv.visitEnd();
            }
            cw.visitEnd();
            return cw.toByteArray();
        }

        // pushes the arguments of the dynamic call and returns the stack size they need
        protected abstract int addMethodParameters(MethodVisitor mv);
    }

    // SimpleDynamicInvokerGenerator.java
    import java.io.File;
    import java.io.FileOutputStream;

    import org.objectweb.asm.MethodVisitor;

    public class SimpleDynamicInvokerGenerator extends AbstractDynamicInvokerGenerator {

        @Override
        protected int addMethodParameters(MethodVisitor mv) {
            return 0; // the ()V call takes no arguments
        }

        public static void main(String[] args) throws Exception {
            String dynamicInvokerClassName = "com/schlimm/bytecode/SimpleDynamicInvoker";
            FileOutputStream fos = new FileOutputStream(new File("target/classes/" + dynamicInvokerClassName + ".class"));
            fos.write(new SimpleDynamicInvokerGenerator().dump(dynamicInvokerClassName,
                    "com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample",
                    "bootstrapDynamic", "()V"));
            fos.close();
        }
    }

I am using ASM here, an all-purpose Java bytecode manipulation and analysis framework, to do the job of creating a correct class file format. The visitInvokeDynamicInsn call in the generated main method creates the invokedynamic instruction. Generating a class that does an invokedynamic call is only half of the story. You also need some code that links the dynamic call site to the actual target; this is the real purpose of invokedynamic. Here is an example.

    import java.lang.invoke.CallSite;
    import java.lang.invoke.ConstantCallSite;
    import java.lang.invoke.MethodHandle;
    import java.lang.invoke.MethodHandles;
    import java.lang.invoke.MethodType;

    public class SimpleDynamicLinkageExample {

        private static MethodHandle sayHello;

        private static void sayHello() {
            System.out.println("There we go!");
        }

        // bootstrap method: the JVM calls it the first time the invokedynamic instruction executes
        public static CallSite bootstrapDynamic(MethodHandles.Lookup caller, String name, MethodType type)
                throws NoSuchMethodException, IllegalAccessException {
            MethodHandles.Lookup lookup = MethodHandles.lookup();
            Class<?> thisClass = lookup.lookupClass(); // (who am I?)
            sayHello = lookup.findStatic(thisClass, "sayHello", MethodType.methodType(void.class));
            return new ConstantCallSite(sayHello.asType(type));
        }
    }

The bootstrap method bootstrapDynamic selects the actual target of the dynamic call. In our case the target is the sayHello() method. To learn how the bootstrap method is linked to the invokedynamic instruction we need to dive into the bytecode of SimpleDynamicInvoker that we've generated with SimpleDynamicInvokerGenerator.

    E:\dev_home\repositories\git\playground\bytecode-playground\target\classes\com\schlimm\bytecode>javap -c -verbose SimpleDynamicInvoker.class
    Classfile /E:/dev_home/repositories/git/playground/bytecode-playground/target/classes/com/schlimm/bytecode/SimpleDynamicInvoker.class
      Last modified 30.01.2012; size 512 bytes
      MD5 checksum 401a0604146e2e95f9563e7d9f9d861b
    public class com.schlimm.bytecode.SimpleDynamicInvoker
      BootstrapMethods:
        0: #17 invokestatic com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
          Method arguments:
      minor version: 0
      major version: 51
      flags: ACC_PUBLIC, ACC_SUPER
    Constant pool:
       #1 = Utf8               com/schlimm/bytecode/SimpleDynamicInvoker
       #2 = Class              #1             // com/schlimm/bytecode/SimpleDynamicInvoker
       #3 = Utf8               java/lang/Object
       #4 = Class              #3             // java/lang/Object
       #5 = Utf8               <init>
       #6 = Utf8               ()V
       #7 = NameAndType        #5:#6          // "<init>":()V
       #8 = Methodref          #4.#7          // java/lang/Object."<init>":()V
       #9 = Utf8               main
      #10 = Utf8               ([Ljava/lang/String;)V
      #11 = Utf8               com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample
      #12 = Class              #11            // com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample
      #13 = Utf8               bootstrapDynamic
      #14 = Utf8               (Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #15 = NameAndType        #13:#14        // bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #16 = Methodref          #12.#15        // com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #17 = MethodHandle       #6:#16         // invokestatic com/schlimm/bytecode/invokedynamic/linkageclasses/SimpleDynamicLinkageExample.bootstrapDynamic:(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;)Ljava/lang/invoke/CallSite;
      #18 = Utf8               runCalculation
      #19 = NameAndType        #18:#6         // runCalculation:()V
      #20 = InvokeDynamic      #0:#19         // #0:runCalculation:()V
      #21 = Utf8               Code
      #22 = Utf8               BootstrapMethods
    {
      public com.schlimm.bytecode.SimpleDynamicInvoker();
        flags: ACC_PUBLIC
        Code:
          stack=1, locals=1, args_size=1
             0: aload_0
             1: invokespecial #8                  // Method java/lang/Object."<init>":()V
             4: return

      public static void main(java.lang.String[]);
        flags: ACC_PUBLIC, ACC_STATIC
        Code:
          stack=0, locals=1, args_size=1
             0: invokedynamic #20,  0             // InvokeDynamic #0:runCalculation:()V
             5: return
    }

In the main method you can see the invokedynamic instruction. The logical name of the dynamic method is runCalculation; this is a fictitious name. You can use any name that makes sense; names like "+" are allowed too. The instruction refers to item #20 in the constant pool table, an InvokeDynamic entry. This in turn refers to index 0 in the BootstrapMethods attribute at the top of the listing. There you can see the link to the SimpleDynamicLinkageExample.bootstrapDynamic method that links the invokedynamic instruction to the call target.

Now if you call the SimpleDynamicInvoker using the java launcher, the invokedynamic call is executed. The following sequence diagram illustrates what's happening when the SimpleDynamicInvoker is called using the java launcher. The first call of runCalculation using invokedynamic issues a call to the bootstrapDynamic method. This method does the dynamic linkage between the calling class (SimpleDynamicInvoker) and the receiving class (SimpleDynamicLinkageExample). The bootstrap method returns a call site holding a MethodHandle that targets the receiving class. This method handle is cached for repeated invocations of the runCalculation method. That's all in terms of invokedynamic.

I have some more sophisticated examples published here in my Git repo. I hope you've enjoyed reading this – in times of shortage! Cheers, Niklas

Reference: "Java 7: A complete invokedynamic example" from our JCG partner Niklas.

Related links:
http://docs.oracle.com/javase/7/docs/technotes/guides/vm/multiple-language-support.html
http://asm.ow2.org/
http://java.sun.com/developer/technicalArticles/DynTypeLang/
http://asm.ow2.org/doc/tutorial-asm-2.0.html
http://weblogs.java.net/blog/forax/archive/2011/01/07/calling-invokedynamic-java
http://nerds-central.blogspot.com/2011/05/performing-dynamicinvoke-from-java-step.html
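The linkage steps just described can be walked through without ASM by calling a bootstrap method the way the JVM does on first execution of the instruction. The following is an added example, not code from the post, with the hypothetical class names HelloReceiver and LinkageWalkthrough; it also makes explicit two things the post's linkage class relies on: the caller's Lookup cannot resolve the private target (hence the bootstrap's own Lookup), and the call-site descriptor must be adaptable to the target's type.

```java
import java.lang.invoke.CallSite;
import java.lang.invoke.ConstantCallSite;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.invoke.WrongMethodTypeException;

// Hypothetical receiving class, shaped like SimpleDynamicLinkageExample. The target is
// private, so only a Lookup created inside this class is allowed to resolve it.
class HelloReceiver {
    static int calls = 0;

    private static void sayHello() {
        calls++;
        System.out.println("There we go!");
    }

    // The JVM passes the caller's Lookup, the logical name from the instruction
    // ("runCalculation") and the call-site descriptor (()V in the generated class).
    public static CallSite bootstrapDynamic(MethodHandles.Lookup caller, String name, MethodType type)
            throws NoSuchMethodException, IllegalAccessException {
        MethodHandles.Lookup self = MethodHandles.lookup();
        MethodHandle target = self.findStatic(self.lookupClass(), "sayHello",
                MethodType.methodType(void.class));
        return new ConstantCallSite(target.asType(type));
    }
}

public class LinkageWalkthrough {

    // Step 1: the first execution of the invokedynamic instruction runs the bootstrap once.
    static CallSite link(String name, MethodType type) throws Throwable {
        return HelloReceiver.bootstrapDynamic(MethodHandles.lookup(), name, type);
    }

    // Step 2: later executions reuse the linked call site; nothing is resolved again.
    static int invokeTwice() throws Throwable {
        CallSite site = link("runCalculation", MethodType.methodType(void.class));
        MethodHandle h = site.dynamicInvoker();
        h.invokeExact();
        h.invokeExact();
        return HelloReceiver.calls;
    }

    // Why the bootstrap uses its own Lookup: the caller's Lookup is subject to the normal
    // access rules and cannot see a private method of another class.
    static boolean callerLookupIsRejected() throws NoSuchMethodException {
        try {
            MethodHandles.lookup().findStatic(HelloReceiver.class, "sayHello",
                    MethodType.methodType(void.class));
            return false;
        } catch (IllegalAccessException e) {
            return true;
        }
    }

    // The descriptor in the instruction must be adaptable to the target's type:
    // asType() refuses an arity mismatch such as (I)V against sayHello()V.
    static boolean arityMismatchIsRejected() throws Throwable {
        try {
            link("runCalculation", MethodType.methodType(void.class, int.class));
            return false;
        } catch (WrongMethodTypeException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Throwable {
        System.out.println("calls after two invocations: " + invokeTwice());
        System.out.println("caller lookup rejected: " + callerLookupIsRejected());
        System.out.println("arity mismatch rejected: " + arityMismatchIsRejected());
    }
}
```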

Simple Security Rules

Wow! Citi really messed up their online security. They included account information as part of the URL. You could alter the URL and access someone else's account information. Yikes o rama, that's a bad design. I've seen a fair number of bad security designs in my time, but I've come up with a list of simple security rules:

1. Security by obscurity never works. Assume the attacker has your source code. If you are doing some super cool obscuring of the data (like storing the account number in the URL in some obscured manner, as the Citi folks apparently did), someone can and will break your algorithm and breach your system.

2. If any part of a system can read data, all parts of the system can. For example, if you're writing an iOS app and are encrypting the data in the local database, the fact that you can decrypt it to use it in your app means that someone else can also decrypt it. A corollary to the above is that once data escapes your server, the bad guys can get the data, so let as little of the data out as possible.

3. Never trust the data on the wire. Any HTTP/HTTPS request can be forged and tampered with. This means that if you send a primary key in a hidden field as part of an HTML form, ensure that when the form is submitted, the primary key is the same one you originally sent. But you say, "How can I verify it's the one I sent... I wouldn't have sent the primary key if I could keep the state on the server side and somehow correlate the form submission to the DB record that the form was submitted against." Yeah, well, Lift and Seaside and WebObjects and others have solved that problem.

4. Know your types as you're parsing the request and composing a response. Use an ORM that correctly escapes String parameters. Never "shell out". Rails and Django have markers on Strings that indicate that they are to be "trusted" or that they require HTML encoding. This addresses substantially all the cross-site scripting related issues. Lift carries the DOM around as part of the page composition so it always knows what should be HTML encoded. Any framework that composes a response simply by writing Strings to a response is de facto insecure.

5. Use random numbers for everything. SSL uses random numbers for keys. Lift uses random numbers for field names (except in test mode, where having stable field names is necessary for automated testing). Use session-duration random numbers as opaque identifiers so that data doesn't leak from the server to the client. Where you can't use random numbers, encrypt any identifiers with a session-specific encryption key and make sure you have some salt in the thing being encrypted so the key cannot be rainbow-tabled.

6. Test. Security testing is just testing and should be done at the unit and integration level. Security tests should be a normal part of your unit test suite as well as any integration testing that you do. Your QA people should understand common vulnerabilities (e.g., XSS) just like they understand common programming errors (e.g., NPE) and should test for them. Make the OWASP Top 10 a normal part of your check-in and code review process. This means that every material feature should have a list of the OWASP Top 10 associated with it and a one-sentence description of the exposure to the vulnerability and anything done in the code to defend against exposure. Once developers do this regularly, it'll take 5 minutes to fill out the list, but more importantly, it will create a culture of awareness.

7. Never assume that your systems are secure. Always assume there are vulnerabilities... just like it's good to assume there will always be bugs in software. It's our job to identify the vulnerabilities, assess the risks of penetration, and prioritize remediation.

Also, the only way to keep data out of the hands of the bad guys is to toss the hard drives containing the data into an active volcano (entropy is your friend). If you can access the data, the bad guys can. The only issue is how much effort they are willing to put into getting to the data. If it's not worth their time or there are easier targets, those targets will be attacked. Think of security as a series of obstacles rather than a single insurmountable wall. In order for the bad guys to get to the pot of gold, they have to evade many, many obstacles. This makes it hard for them and increases the chances you'll observe them trying to overcome an obstacle.

I'll wind up with some thoughts on the whole RSA/Lockheed break-in. This is a perfect example of a pot of gold being very valuable (control information for drones, aircraft design plans, etc.) and an attack that was long-ranging and very methodical. The attackers probed the weaknesses of individuals within RSA (could this or this have been part of the probe?) and sent targeted documents that contained zero-day flaws to a small number of weak individuals. Once the attackers gained control of the individuals' machines, they were able to probe the network and escalate privileges in such a way that they actually accessed the RSA key database. This was the time RSA should have voided all the RSA keys and re-issued new ones. Failure to do that should be a company-ending event for RSA... but I editorialize. I'm just postulating here, but I'm guessing that the attackers used rogue certs to do man-in-the-middle to get Lockheed RSA key/username/password combinations. Because the CA issuing the certs was trusted and there are enough rogue CAs floating around, it's no longer out of the realm of possibility to do man-in-the-middle attacks on SSL layers (re-route traffic and use a rogue cert). If you know the current value of an RSA key, you can narrow down the device that is associated with an account (and if you do the same attack 3 or 4 times, you can figure out exactly which device it is), so that with each device seed number you can determine the current-time value of the correct RSA key for a given account. Next, you waltz into the VPN or whatever that's being secured and do whatever trivial privilege escalation you need to do to get to the right file servers.

Anyway, for the kind of systems most of us are building, sticking to my security outline above should yield good results, but if the target is valuable enough and the attacker is skilled and persistent enough, they can break almost any system.

Reference: Simple Security Rules from our JCG partner David Pollak at the Good Stuff blog.
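As an added illustration of the "never trust the data on the wire" and "session-duration random numbers as opaque identifiers" rules above (example code, not from the post and not Lift's implementation), here is the primary-key-in-a-hidden-field pattern beside a session-scoped opaque-handle version. The class names and the two constructed account records are hypothetical.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// The pattern the rules warn against: the database primary key is sent to the browser in
// a hidden field and trusted when it comes back, so whatever id the client chooses is looked up.
class TrustedKeyForm {
    private final Map<Long, String> accounts;

    TrustedKeyForm(Map<Long, String> accounts) {
        this.accounts = accounts;
    }

    String render(long accountId) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + accountId + "\"/>";
    }

    // The "id" parameter of the request is used directly.
    String submit(String idParam) {
        return accounts.get(Long.parseLong(idParam));
    }
}

// The rule applied: the key never leaves the server. A session-scoped random handle is minted
// when the server renders a record the user may see, and only handles this session minted are
// honoured on the way back; anything else resolves to nothing.
class OpaqueIdSession {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, Long> handles = new HashMap<String, Long>();
    private final Map<Long, String> accounts;

    OpaqueIdSession(Map<Long, String> accounts) {
        this.accounts = accounts;
    }

    // Called only for records the logged-in user is entitled to. The handle is random, so it
    // carries no information about the key and cannot be guessed or incremented.
    String handleFor(long accountId) {
        String handle = new BigInteger(128, RANDOM).toString(32);
        handles.put(handle, accountId);
        return handle;
    }

    String render(long accountId) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + handleFor(accountId) + "\"/>";
    }

    // Unknown or tampered handles, and handles minted by another session, yield null.
    String submit(String handleParam) {
        Long accountId = handles.get(handleParam);
        return accountId == null ? null : accounts.get(accountId);
    }
}

public class OpaqueIdentifiersDemo {
    public static void main(String[] args) {
        // constructed sample data: two accounts belonging to two different users
        Map<Long, String> accounts = new HashMap<Long, String>();
        accounts.put(1001L, "alice: balance 120.00");
        accounts.put(1002L, "bob: balance 9500.00");

        // Alice's session with the trusted-key form: editing the hidden field reaches Bob's record.
        TrustedKeyForm weak = new TrustedKeyForm(accounts);
        System.out.println(weak.render(1001L));
        System.out.println("edited id 1002: " + weak.submit("1002"));

        // Alice's session with opaque handles: only the handle she was given resolves.
        OpaqueIdSession alice = new OpaqueIdSession(accounts);
        String handle = alice.handleFor(1001L);
        System.out.println("own handle: " + alice.submit(handle));
        System.out.println("raw key 1002: " + alice.submit("1002"));
        OpaqueIdSession otherSession = new OpaqueIdSession(accounts);
        System.out.println("handle presented in another session: " + otherSession.submit(handle));
    }
}
```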

Java Swing Tic-Tac-Toe

Hello people! Wow, it's been a while since I posted something here...! I must say I really miss writing stuff and I promise I won't get into a 'writer's block' again. Hopefully... A helluva lot of things happened in the last two months and I've got loads to say. But in this post I'm just gonna publish a small application that I wrote some time ago. It's a TicTacToe game application. There's not much to be learnt from this particular program but I really want to get outta this impasse and hence I'm posting this today. I actually wrote this code to show off some of the really cool features of Java to one of my friends who also wrote the same application in a "C++"-esque style. And btw that friend of mine even developed code for the computer player. But after completing his code he sadly realized the basic fact that you cannot win in TicTacToe if you play perfectly!! Hehe. So I did not venture into that area. Well, to be honest, I'm not really interested in writing AI apps. But I thought of adding Network Multiplayer functionality to this application since I love network programming. But unfortunately I haven't had the time to do so. Anywaiz the application works like this: the game is autostarted once launched and the status bar indicates which player's turn it is now, and the rest is just simple tictactoe! And at the end of the game the app is automatically reset. Onto the code..

    import javax.swing.*;
    import java.awt.*;
    import java.awt.event.*;

    /**
     * TicTacToe Application
     * @author Steve Robinson
     * @version 1.0
     */
    class TicTacToeFrame extends JFrame {

        JButton[][] buttons = new JButton[3][3];
        JTextField statusBar;
        GamePanel panel;
        Integer turn;                              // 1 or 2: the player whose move it is
        GameListener listener = new GameListener();
        Integer count;                             // number of squares filled so far

        public TicTacToeFrame() {
            setLayout(new BorderLayout());

            panel = new GamePanel();
            add(panel, BorderLayout.CENTER);

            statusBar = new JTextField("Player1's Turn");
            statusBar.setEditable(false);
            add(statusBar, BorderLayout.SOUTH);

            setTitle("Tic Tac Toe!");
            setVisible(true);
            setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
            setBounds(400, 400, 300, 300);
        }

        class GamePanel extends JPanel {
            public GamePanel() {
                setLayout(new GridLayout(3, 3));
                turn = 1;
                count = 0;
                for (int i = 0; i < 3; i++)
                    for (int j = 0; j < 3; j++) {
                        buttons[i][j] = new JButton();
                        buttons[i][j].putClientProperty("INDEX", new Integer[]{i, j});
                        buttons[i][j].putClientProperty("OWNER", null);
                        buttons[i][j].addActionListener(listener);
                        add(buttons[i][j]);
                    }
            }
        }

        class GameListener implements ActionListener {
            public void actionPerformed(ActionEvent e) {
                count++;
                JButton b = (JButton) e.getSource();
                Integer[] index = (Integer[]) b.getClientProperty("INDEX");
                b.putClientProperty("OWNER", turn);
                Icon ico = new ImageIcon(turn.toString() + ".gif");   // 1.gif or 2.gif
                b.setIcon(ico);
                b.setEnabled(false);
                boolean result = checkVictoryCondition(index);
                if (result) {
                    JOptionPane.showMessageDialog(null, "Player " + turn.toString() + " Wins");
                    initComponents();
                } else if (count == 9) {
                    // board is full and nobody won
                    JOptionPane.showMessageDialog(null, "Match is a draw!");
                    initComponents();
                } else {
                    if (turn == 1) {
                        turn = 2;
                        statusBar.setText("Player2's Turn");
                    } else {
                        turn = 1;
                        statusBar.setText("Player1's Turn");
                    }
                }
            }

            Integer getOwner(JButton b) {
                return (Integer) b.getClientProperty("OWNER");
            }

            // PrintButtonMap for diagnostics
            void printbuttonMap(Integer[][] bMap) {
                for (int i = 0; i < 3; i++) {
                    for (int j = 0; j < 3; j++)
                        System.out.print(bMap[i][j] + " ");
                    System.out.println("");
                }
            }

            boolean checkVictoryCondition(Integer[] index) {
                /* diagnostics:
                Integer[][] buttonMap = new Integer[][] {
                    { getOwner(buttons[0][0]), getOwner(buttons[0][1]), getOwner(buttons[0][2]) },
                    { getOwner(buttons[1][0]), getOwner(buttons[1][1]), getOwner(buttons[1][2]) },
                    { getOwner(buttons[2][0]), getOwner(buttons[2][1]), getOwner(buttons[2][2]) }
                };
                printbuttonMap(buttonMap);
                */
                Integer a = index[0];
                Integer b = index[1];
                int i;
                // check row
                for (i = 0; i < 3; i++) {
                    if (getOwner(buttons[a][i]) != getOwner(buttons[a][b]))
                        break;
                }
                if (i == 3) return true;
                // check column
                for (i = 0; i < 3; i++) {
                    if (getOwner(buttons[i][b]) != getOwner(buttons[a][b]))
                        break;
                }
                if (i == 3) return true;
                // check diagonals (only squares that lie on one can complete it)
                if ((a == 2 && b == 2) || (a == 0 && b == 0) || (a == 1 && b == 1) || (a == 0 && b == 2) || (a == 2 && b == 0)) {
                    // left diagonal
                    for (i = 0; i < 3; i++)
                        if (getOwner(buttons[i][i]) != getOwner(buttons[a][b]))
                            break;
                    if (i == 3) return true;
                    // right diagonal
                    if ((getOwner(buttons[0][2]) == getOwner(buttons[a][b]))
                            && (getOwner(buttons[1][1]) == getOwner(buttons[a][b]))
                            && (getOwner(buttons[2][0]) == getOwner(buttons[a][b])))
                        return true;
                }
                return false;
            }
        }

        // resets the board for a new game
        void initComponents() {
            for (int i = 0; i < 3; i++)
                for (int j = 0; j < 3; j++) {
                    buttons[i][j].putClientProperty("INDEX", new Integer[]{i, j});
                    buttons[i][j].putClientProperty("OWNER", null);
                    buttons[i][j].setIcon(null);
                    buttons[i][j].setEnabled(true);
                }
            turn = 1;
            count = 0;
            statusBar.setText("Player1's Turn");
        }
    }

    class TicTacToe {
        public static void main(String[] args) {
            EventQueue.invokeLater(new Runnable() {
                public void run() {
                    TicTacToeFrame frame = new TicTacToeFrame();
                }
            });
        }
    }

The code is rather straightforward. I've used two properties in the buttons to store some information used for checking the winning condition. One is the "OWNER" property, which indicates which user currently owns the square, and the other is the "INDEX" property, which indicates the square's index in the grid (i.e. [1,1], [1,2], etc.). Once any player clicks on a square, the OWNER property is updated and the victory condition is checked using the OWNER properties of all the buttons. The rest of the code is self-explanatory. And adding keyboard support for the second player is a pretty easy job. As they say... "I leave that as an exercise"! Hahaha. Well, I really hope I get some time so that I can add network functionality to this application. Cheers, Steve.

----- I forgot to attach the image icon files that will be used by the application. You can download them from here: http://www.mediafire.com/?d7d93v2342dxind Just extract the contents to the folder that contains the code. Thanks to my friend "Gur Png" for telling me about this.

Reference: Java TicTacToe from our JCG partner Steve Robinson at the Footy 'n' Tech blog.

Regular Expressions in Java – Soft Introduction

A regular expression is a kind of pattern that can be applied to text (String, in Java). Java provides the java.util.regex package for pattern matching with regular expressions. Java regular expressions are very similar to the Perl programming language and very easy to learn. A regular expression either matches the text ( or a part of it) or it fails to match. * If regular expression matches a part of text then we can find it out which one. ** If regular expression in complex, then we can easily find out which part of the regular expression matches with which part of the text. A First Example The regular expression “[a-z]+” matches all lower case letters in the text. [a-z] means any character from a to z, inclusive and + means “one or more”. Suppose we supply a string “code 2 learn java tutorial”. How to do it in Java First, you must compile the pattern : import java.util.regex.*; Pattern p = Pattern.compile(“[a-z]+”); Next you must create a matcher for the text by sending a message to the pattern : Matcher m = p.matcher(“code 2 learn java tutorial”); NOTE : Neither Pattern nor Matcher have a public constructor, we create it by using methods in Pattern class. Pattern Class: A Pattern object is a compiled representation of a regular expression. The Pattern class provides no public constructors. To create a pattern, you must first invoke one of its public static compile methods, which will then return a Pattern object. These methods accept a regular expression as the first argument. Matcher Class: A Matcher object is the engine that interprets the pattern and performs match operations against an input string. Like the Pattern class, Matcher defines no public constructors. You obtain a Matcher object by invoking the matcher method on a Pattern object. After we have done the above steps, and now that we have matcher m, we can check whether the match has been found or not and if yes then from which index position it starts, etc. 
m.matches() returns true if the pattern matches the entire string, and false otherwise.
m.lookingAt() returns true if the pattern matches at the beginning of the string, and false otherwise.
m.find() returns true if the pattern matches any part of the text.

Finding what was matched

After a successful match, m.start() will return the index of the first character matched and m.end() will return the index of the last character matched, plus one. If no match was attempted, or if the match was unsuccessful, m.start() and m.end() will throw an IllegalStateException. This is a RuntimeException, so you don't have to catch it. It may seem strange that m.end() returns the index of the last character matched plus one, but this is just what most String methods require. For example, "Now is the time".substring(m.start(), m.end()) will return exactly the matched substring.

Java Program:

import java.util.regex.*;

public class RegexTest {
    public static void main(String args[]) {
        String pattern = "[a-z]+";
        String text = "code 2 learn java tutorial";
        Pattern p = Pattern.compile(pattern);
        Matcher m = p.matcher(text);
        // find() advances through the text, one match at a time
        while (m.find()) {
            System.out.print(text.substring(m.start(), m.end()) + "*");
        }
    }
}

Output: code*learn*java*tutorial*

Additional Methods

If m is a matcher, then:

- m.replaceFirst(replacement) returns a new String where the first substring matched by the pattern has been replaced by replacement.
- m.replaceAll(replacement) returns a new String where every substring matched by the pattern has been replaced by replacement.
- m.find(startIndex) looks for the next pattern match, starting at the specified index.
- m.reset() resets this matcher.
- m.reset(newText) resets this matcher and gives it new text to examine (which may be a String, StringBuffer, or CharBuffer).

Regular Expression Syntax

Here is the table listing the regular expression metacharacter syntax available in Java:

Subexpression   Matches
^               Matches beginning of line.
$               Matches end of line.
.               Matches any single character except newline. Using m option allows it to match newline as well.
[...]           Matches any single character in brackets.
[^...]          Matches any single character not in brackets.
\A              Beginning of entire string.
\z              End of entire string.
\Z              End of entire string except allowable final line terminator.
re*             Matches 0 or more occurrences of preceding expression.
re+             Matches 1 or more occurrences of preceding expression.
re?             Matches 0 or 1 occurrence of preceding expression.
re{n}           Matches exactly n occurrences of preceding expression.
re{n,}          Matches n or more occurrences of preceding expression.
re{n,m}         Matches at least n and at most m occurrences of preceding expression.
a|b             Matches either a or b.
(re)            Groups regular expressions and remembers matched text.
(?:re)          Groups regular expressions without remembering matched text.
(?>re)          Matches independent pattern without backtracking.
\w              Matches word characters.
\W              Matches nonword characters.
\s              Matches whitespace. Equivalent to [\t\n\r\f].
\S              Matches nonwhitespace.
\d              Matches digits. Equivalent to [0-9].
\D              Matches nondigits.
\A              Matches beginning of string.
\Z              Matches end of string. If a newline exists, it matches just before newline.
\z              Matches end of string.
\G              Matches point where last match finished.
\n              Back-reference to capture group number "n".
\b              Matches word boundaries when outside brackets. Matches backspace (0x08) when inside brackets.
\B              Matches nonword boundaries.
\n, \t, etc.    Matches newlines, carriage returns, tabs, etc.
\Q              Escape (quote) all characters up to \E.
\E              Ends quoting begun with \Q.

Reference: Regular Expressions in Java from our JCG partner Farhan Khwaja at the Code 2 Learn blog.
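The following program is an added example and is not code from the original article. It puts the Matcher methods and several of the table entries above side by side at the points where the choice changes the result: matches() versus find() when a pattern is used to validate input (find() accepts any text that merely contains a match), "$" versus "\z" on input with a trailing newline, the MULTILINE and DOTALL flags (in java.util.regex it is Pattern.DOTALL, inline form (?s), that lets "." match a newline), and Pattern.quote / Matcher.quoteReplacement for text that should be treated literally rather than as a pattern or a replacement template. The USERNAME rule, the digit shape used by redact, and all input strings are constructed for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the original article. Every pattern and
// input below is constructed for illustration.
public class RegexPitfalls {

    // Hypothetical user-name rule: 3 to 16 ASCII letters or digits.
    private static final Pattern USERNAME = Pattern.compile("[a-zA-Z0-9]{3,16}");

    // Wrong as a validator: find() succeeds if ANY part of the text matches,
    // so "bob admin" is accepted because "bob" is found inside it.
    static boolean acceptedByFind(String s) {
        return USERNAME.matcher(s).find();
    }

    // Right: matches() requires the entire input to match the pattern.
    static boolean acceptedByMatches(String s) {
        return USERNAME.matcher(s).matches();
    }

    // What matches(), lookingAt() and find() each report for one input.
    static String describe(String text) {
        Matcher m = USERNAME.matcher(text);
        boolean whole = m.matches();        // entire string?
        m.reset();                          // a prior match moves find()'s start; rewind
        boolean prefix = m.lookingAt();     // anchored at index 0?
        m.reset();
        StringBuilder hits = new StringBuilder();
        while (m.find()) {                  // anywhere in the text, repeatedly
            hits.append(text, m.start(), m.end()).append('|');
        }
        return "matches=" + whole + " lookingAt=" + prefix + " find=[" + hits + "]";
    }

    // "$" matches at the end of input OR just before a final line terminator,
    // so find() on "admin\n" still succeeds; "\z" matches only the very end.
    static boolean endsWithDollar(String s) {
        return Pattern.compile("^admin$").matcher(s).find();
    }

    static boolean endsWithZ(String s) {
        return Pattern.compile("\\Aadmin\\z").matcher(s).find();
    }

    // Searching for user-supplied literal text: unquoted, "a.c" is a pattern
    // in which "." matches any character. Pattern.quote wraps it in \Q...\E.
    static boolean containsPattern(String haystack, String needle) {
        return Pattern.compile(needle).matcher(haystack).find();
    }

    static boolean containsLiteral(String haystack, String needle) {
        return Pattern.compile(Pattern.quote(needle)).matcher(haystack).find();
    }

    // In a replacement string "$1" and "\" are special; quoteReplacement
    // makes a user-supplied replacement literal. The digit shape is constructed.
    static String redact(String text, String replacement) {
        Pattern id = Pattern.compile("\\d{3}-\\d{2}-\\d{4}");
        return id.matcher(text).replaceAll(Matcher.quoteReplacement(replacement));
    }

    // With MULTILINE, "^" and "$" apply per line instead of once per input.
    static int commentLines(String text) {
        Matcher m = Pattern.compile("^#.*$", Pattern.MULTILINE).matcher(text);
        int n = 0;
        while (m.find()) n++;
        return n;
    }

    // "." stops at a newline unless DOTALL is set (inline form: (?s)).
    static boolean dotSpansLines(String text, boolean dotall) {
        int flags = dotall ? Pattern.DOTALL : 0;
        return Pattern.compile("start.*end", flags).matcher(text).find();
    }

    public static void main(String[] args) {
        for (String s : new String[] { "alice42", "bob admin", "!!!zed", "ab" }) {
            System.out.println("\"" + s + "\" -> " + describe(s)
                    + " find-accepts=" + acceptedByFind(s)
                    + " matches-accepts=" + acceptedByMatches(s));
        }
        System.out.println("$ on trailing newline: " + endsWithDollar("admin\n"));
        System.out.println("\\z on trailing newline: " + endsWithZ("admin\n"));
        System.out.println("unquoted a.c in abc: " + containsPattern("abc", "a.c"));
        System.out.println("quoted a.c in abc: " + containsLiteral("abc", "a.c"));
        System.out.println(redact("id 123-45-6789", "[$1]"));
        System.out.println("comment lines: " + commentLines("# one\ntwo\n# three"));
        System.out.println("dot without DOTALL: " + dotSpansLines("start\nend", false));
        System.out.println("dot with DOTALL: " + dotSpansLines("start\nend", true));
    }
}
```

Two things to look for when running it: "bob admin" is accepted by the find()-based check and rejected by the matches()-based one, and "admin\n" satisfies ^admin$ under find() but not \Aadmin\z. If a pattern must be applied with find() rather than matches(), anchoring it with \A and \z gives the same whole-input guarantee. Compiling an untrusted string directly, as containsPattern does, can also throw PatternSyntaxException on malformed input, which is one more reason to quote literal search text.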
Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd