XSS in the HTTP Header's Accept Language when using Struts 1.2

1
At my work, we have a policy of using HP's WebInspect to scan our applications before they are allowed to go into production and I just got an interesting finding this week. The WebInspect scanner tried to perform a XSS (cross site scripting) attack by putting something into the HTTP header's Accept Language! Now, I'm not really sure how exploitable this is (perhaps some security expert can comment?) since all our traffic is via https, so there's really no way to inject some scripts into the http header unless the host machine making the request has been compromised?

This was the http request used....

GET /programmingPanda/someUrl.jsp HTTP/1.1
Accept: */*
Referer: https:///programmingPanda/someUrl
Accept-Language: "><script>alert('hi')</script>
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.programmingPandaHost.com
Pragma: no-cache
Connection: Keep-Alive
Cookie:
JSESSIONID=0021w1Z_9Fg27Vg1xhKHDgX1YLR:1244ioqb0;CustomCookie=WebInspect30127ZXC16B0
44F25944608B21BBFFEC74B3453YE540


and the end result was this....


<html xmlns:"http://www.w3.org/1999/xhtml" lang=""><script>alert('hi')</script>" xml:lang=""><script>alert('hi')</script>">


Anyways, I was tasked with checking this out. After some digging, I found that the html tag in our application was being generated by the struts taglib's html tag. According to the specifications, it seems that the lang attribute of the html tag has the following behaviour...


Renders a lang attribute with the locale stored in the user's session.
If not found in the session, the language from the Accept-Language HTTP header is used.
If still not found, the default language for the server is used.


So with the Accept-Language not being validated for special characters, we were getting XSS-ed!

The solution? In this case, we used a filter to provide a default locale into the user's session if non is detected to avoid using the Accept-Language in the HTTP header. This may not be the best or most correct solution, but it is one that fits our needs and timeline.


//provide some default locale and set it into the struts defined attribute, Globals.LOCALE_KEY
session.setAttribute(Globals.LOCALE_KEY, locale);

downloading documents via SSL connection on IE

0
I ran into a pretty interesting issue today. (This is a follow up of my earlier post ). I was trying to download some text file from our application using IE6. Suddenly I get a very unexpected error:
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.

I was super surprised because I was 100% the file was there. Did some research online, and it seems to be related to this issue
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q316431&



It seems that when you download from an SSL session, and IE6 can't save it temporarily to disk locally, it has issues. Lucky for me, this is an internal application, and I could just my users to ensure their browser settings are as below.


You can get to here from Tools > Internet Options > Advanced. Scroll down to the bottom in the Security section. And look for “Do not save encrypted pages to disk”. Make sure this is turned OFF



Recipe: Spring + JPA Annotation + Hibernate

1
Modern OO applications use a lot of Models to present the business domain object. It is often that we have to write a matching data access object for each models, and in most cases they are just normal CRUD operations.

What I am trying to do here is to create a generic way to create DAO from POJO that uses JPA as mapping tool to simplify the repeating tasks. The following example uses hibernate for DB connectivity.

Of course you can simply use EJB 3.0 and remove all this completely by using method like entityManager.persist(), but if we want to stay away from EJB and persistence model, this should give you a very good place to start. (I am using JPA as my mapping tool only because of my personal preference, you can use hibernate annotation, and it should work exactly the same way).

Step 1 - Create the Generic class
I am using the sample from the "Don't repeat the DAO". I think this is pretty neat.

GenericDao Interface

package com.blogspot.programmingpanda.commons

import java.io.Serializable;
import java.util.Collection;

public interface GenericDao&ls;T, PK extends Serializable> {
Collection<T> listAll();
}


The implementation...
GenericDaoHibernateImpl

package com.blogspot.programmingpanda.commons

import java.io.Serializable;
import java.util.Collection;
import org.springframework.orm.hibernate3.support.HibernateDaoSupport;

public class GenericDaoHibernateImpl<T, PK extends Serializable> extends HibernateDaoSupport implements GenericDao<T, PK> {

private Class<T> type;

public GenericDaoHibernateImpl(Class<T> type){
this.type = type;
}

public Collection<T> listAll() {
return this.getHibernateTemplate().loadAll(this.type);
}

/**
* @return the type
*/
public Class<T> getType() {
return type;
}

/**
* @param type the type to set
*/
public void setType(Class<T> type) {
this.type = type;
}
}


Once we have the generic DAO class, we can use spring to inject the model into the DAO.

Now we have to create the model and use JPA to do the O/R Mapping

Step 2 - Create the model and map it to the database

package com.blogspot.programmingpanda.commons.models;

import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name="myschema.model")
public class MyModel implements Serializable {

private Integer id;
private String col1;
private String col2;

/**
* @return the id
*/
@Id
@Column(name="id")
@GeneratedValue(strategy = GenerationType.AUTO)
public Integer getId() {
return id;
}

@Column(name="col1")
public String getCol1() {
return col1;
}

@Column(name="col2")
public String getCol2() {
return col2;
}

/** And all those setter method **/



Step 3 - Spring Config
After the Model and GenericDao class, all we have to do is to
i) Let the session factory know the class(es) to map

<!-- Annotation Session Factory Bean -->
<bean id="sessionFactory"
class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
<property name="dataSource" ref="mysqlDataSource"/>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
</props>
</property>
<property name="annotatedClasses">
<list>

<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</list>

</property>
</bean>

ii) Create the dao by injecting the class into the GenericDao

<!-- This bean will replace the actual Dao class -->
<bean id="myModelDao" class="com.blogspot.programmingpanda.commons.GenericDaoHibernateImpl" autowire="byName">
<constructor-arg>
<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</constructor-arg>
</bean>


The full applicationContext.xml will look something like this

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">

<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>/WEB-INF/spring-config/dev.properties</value>
</list>
</property>
</bean>

<bean id="systemPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />

<!-- MySql DS -->
<bean id="mysqlDataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="${mysql.url}" />
<property name="username" value="${mysql.username}" />
<property name="password" value="${mysql.password}" />
</bean>

<!-- Annotation Session Factory Bean -->
<bean id="sessionFactory"
class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
<property name="dataSource" ref="mysqlDataSource"/>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
</props>
</property>
<property name="annotatedClasses">
<list>

<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</list>

</property>
</bean>
<!--sessionFactory will get autowired-->
<bean id="hibernateInterceptor"
class="org.springframework.orm.hibernate3.HibernateInterceptor"
autowire="byName" />

<!-- This bean will replace the actual Dao class -->
<bean id="myModelDao" class="com.blogspot.programmingpanda.commons.GenericDaoHibernateImpl" autowire="byName">
<constructor-arg>
<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</constructor-arg>
</bean>

<!-- Inject the Dao to an action -->
<bean id="action" class="actions.ListAction">
<property name="myModelDao" ref="myModelDao" />
</bean>

</beans>


Conclusion
This is only a minimal example demonstrating how we can use spring, JPA annotation and a generic dao template to avoid writing DAO class for each model we create in our application. You can always extend the GenericDao class to include your own method(s) other than the generic CRUD methods.

Working from the list and reviewing remember the milk

0
i've been reading the pragamtic programmer series for the last few years now. i've been trying to incorporate their ideas into my daily work routine whenever i get a chance.

i was reminded of one this week when i realized my todo list at work was getting a little out of control and consisted of a piece of paper with my ugly hand writing on it. Having a todo list is definitely the first step in getting organized, but i was not doing one thing correctly. One of the rules (from Pragmatic Programmers: Ship It!), was that the list must be publically available and easy to update/publish. So, here I have this massive list of things to do, and my team wasn't aware of it.

to correct this grave mistake, i signed myself up for a Remember the Milk account. It is a simple to do list manager that allows multiple lists, tagging, notes, calendar integration, rss feeds, sync-ing with smart devices (if u pay for pro) on top of the standard to do list features. so far, i've found this quite easy to pick up. i'm still poking around, so i'm a little slow at putting in my massive list into the system, but there are a lot of keyboard shortcuts that I'm sure will make things lightning fast when i manage to remember them. One other cool thing is that it supports Google Gears! the only thing that i dont like about right now is... when i add a priority to an item, it automatically updates the list to keep it sorted (the default sort is by priority). however, i feel like i "lost" my item, b/c i dont know where it is in my list anymore. i would much rather that I have a manual refresh button that i could click when i'm ready to re-sort the list.

i guess a simple test of the product's effectiveness is if i'm still using it 4 wks later? stay tuned to find out!!!

By the way...here are the tips for maintaining a good list as per the author of "Ship it!".

Tips:
  • Organize whatever daily task list you do have into a formal copy of The List.
  • Prioritize your work and add rough time estimates.
  • Start working on the highest-priority item on The List. no cheating! If some crisis forces a lower-priority item higher, record it. You should be using your list to help you determine what you are working on next.
  • Add all new work to The List, make sure it is an accurate reflection of your current tasks.
  • Move items to your finished list as you complete tasks (this makes surviving status reports and "witch-hunts" much easier).
  • Review The List every morning (aka updated daily)
  • Make sure the list is publically available
  • Maintaining The List should not require too much effort.
Signs you are doing it wrong
  • You're too busy to update the list or it takes too long.
  • The list gets outdated because you don't update it frequently enough.
  • It takes a long time to complete one item on the list (the items are too large)
  • No one else knows about your list or there are mulitple versions

getting an HTTP 405 on IIS

0
i was trying to set up this web application to connect to a HTTP server (happened to be IIS) that is serving some pre-generated report files. The offshore developer that had been working on this had some problems getting it going, so it was left to me to deal with it. The web application was using Apache HttpClient to connect to the http server using some standard http client code below:

<snip>

HttpClient client = new HttpClient();

PostMethod method = new PostMethod(filePath);
method.setRequestHeader("Content-type", "text/html");
client.executeMethod(method);
input = method.getResponseBodyAsStream();
responseBean.setInputStream(input);

</snip>


that resulted in IIS throwing this at us......

The page cannot be displayed
The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.

Please try the following:

Contact the Web site administrator if you believe that this request should be allowed.
Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.

HTTP Error 405 - The HTTP verb used to access this page is not allowed.
Internet Information Services (IIS)

Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 405.
Open IIS Help, which is accessible in IIS Manager (inetmgr),
and search for topics titled Setting Application Mappings, Securing Your Site with Web Site Permissions, and About Custom Error Messages.



So basically what was happening was that IIS didn't like the POST method that was being used. (HTTP 405 --> Method Not Allowed). The fix? quite simple, use a GET! =) It is easy to forget that POST's primary objective is to post data to the server, not to obtain data from it.

As web devs, we see HTTP 404s a lot...and the occasional 403. it's not everyday you see a 405!

Using different log4j proerties for different environment in spring 2

1
Default location of log4j properties is in /WEB-INF/classes/logj4.properties. There are ways to point log4j to different properties. In spring, we can do something like this.


<!-- log4j setting -->
<bean id="log4jInitialization"
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass"
value="org.springframework.util.Log4jConfigurer" />
<property name="targetMethod" value="initLogging" />
<property name="arguments">
<list>
<value>log4j.properties</value>
</list>
</property>
</bean>


where initLogging takes (String location), you can use absolute path or relative path here. But a more elegant way is to use a variable for the application root. like this


<value>${webapp.root}/${log4j.properties.location}</value>


You can get the ${webapp.root} from webAppRootKey. To bring it to the next level we can group all configs into 1 properties file and that will make the build process easier.

The full setup looks something like this

/WEB-INF/web.xml

<listener>
<listener-class>org.springframework.web.util.WebAppRootListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>webapp.root</param-value>
</context-param>


/WEB-INF/applicationContext.xml

<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>/WEB-INF/spring-config/dev.properties</value>
</list>
</property>
</bean>
<!-- log4j setting -->
<bean id="log4jInitialization"
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass"
value="org.springframework.util.Log4jConfigurer"/>
<property name="targetMethod" value="initLogging"/>
<property name="arguments">
<list>
<value>${webapp.root}/${log4j.properties.location}</value>
</list>
</property>
</bean>


/WEB-INF/spring-config/dev.properties

#log4j setting
log4j.properties.location=WEB-INF/log4j-config/log4j.dev.properties


/WEB-INF/log4j-config/log4j.dev.properties

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.Threshold=DEBUG
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

log4j.rootLogger=DEBUG, stdout

/WEB-INF/log4j-config/log4j.prod.properties

# Configuration for receiving e-mails when ERROR messages occur.
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.To=to@mydomain.com
log4j.appender.mail.From=from@mydomain.com
log4j.appender.mail.SMTPHost=smtp.mydomain.com
log4j.appender.mail.Threshold=ERROR
log4j.appender.mail.BufferSize=1
log4j.appender.mail.Subject=An application error occured
log4j.appender.mail.layout=org.apache.log4j.HTMLLayout

# Standrd System.out appender
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.Threshold=INFO
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

log4j.rootLogger=INFO, stdout, mail

Accessing Context/System (Application Root) properties in Spring

0
In the last post I talked about how to parameterize the applicationContext.xml with a properties file. But sometime we would like to access system/context properties in the applicationContext.xml (for example, you want to reference a file in your webapp, but the class only takes absolute path). The spring PropertyPlaceholderConfigurer class would do the work for you as well.

By default, the system property mode is set to use fall back (SYSTEM_PROPERTIES_MODE_FALLBACK), which means if a property is not in our properties file that we supply, the property will be filled with the one in the context/system.

One good use would be getting the application root and use it to reference a config file.

For example

${webapp.root}/WEB-INF/velocity


(In reference to Spring documentation velocity properties chapter)

In order to use ${webapp.root} you will need to setup WebAppRootListener in web.xml



org.springframework.web.util.WebAppRootListener



and assign it to a context param



webAppRootKey
webapp.root


Parameterize Spring applicationContext with properties file

0
Spring has a very useful class called PropertyPlaceholderConfigurer that helps you to parameterize your applicationContext.xml file. In order to use this, you will need to add the bean in spring like this




/WEB-INF/spring-config/dev.properties




where the property location points to the list of properties files.

I use this primarily becasue
1. easier to maintain properties in a properties file than applicationContext
2. switch between different environments, e.g. development vs. staging vs. production

An example of the use of this would be

/WEB-INF/web.xml


org.springframework.web.context.ContextLoaderListener



contextConfigLocation
/WEB-INF/applicationContext.xml



/WEB-INF/spring-config/dev.properties

# Dev DB Setting
mysql.driver=com.mysql.jdbc.Driver
mysql.url=jdbc:mysql://dev.mydomain.com:3306/
mysql.username=devuser
mysql.password=xxx

/WEB-INF/spring-config/prod.properties

# Product DB Setting
mysql.driver=com.mysql.jdbc.Driver
mysql.url=jdbc:mysql://prod.mydomain.com:3306/
mysql.username=produser
mysql.password=xxx

/WEB-INF/applicationContext.xml




/WEB-INF/spring-config/dev.properties













To switch between environments, all you have to update is


/WEB-INF/spring-config/prod.properties

in the applicationContext.xml

To make it fancier, of course you can supply the properties to an ant script when you build your application.

Setup log4j to send email when an application error occur

7
Apache log4j is an excellent logging facility to log application information. It is extremely easy to setup and it is very powerful. It comes with an email appender by default which you can config it to sends email when you log.

Example: Logs message to standard system.out on INFO and Sends email when an application error occurs


# Configuration for receiving e-mails when ERROR messages occur.
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.To=to@mydomain.com
log4j.appender.mail.From=from@mydomain.com
log4j.appender.mail.SMTPHost=smtp.mydomain.com
log4j.appender.mail.Threshold=ERROR
log4j.appender.mail.BufferSize=1
log4j.appender.mail.Subject=An application error occured
log4j.appender.mail.layout=org.apache.log4j.HTMLLayout

# Standrd System.out appender
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.Threshold=INFO
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

log4j.rootLogger=INFO, stdout, mail


This is pretty simple. The only setting that controls what to send is the Threshold property of the appender.

Map struts .action/.do to the URL root

0
To map the URL root to certain welcome file, we normally just specify the welcome-file in the web.xml like this


index.html
index.jsp



What this means is, if in a directory without specifying any file name, the web application will first look for index.html and then index.jsp.

Now add struts framework into the picture, default struts extension for 1 and 2 is *.do and *.action respectively.

There are 2 ways of making our application pointing to the special struts action.

#1: Meta redirect
You can keep index.html or index.jsp as welcome-file and what you need to do is put a meta refresh in these index files

Struts 1
meta equiv="refresh" content="0;URL=/homepage.do"


Struts 2
meta equiv="refresh" content="0;URL=/homepage.action"


But the downside of this is - whatever action name you use would appear on the browser. (i.e. www.mydomain.com always appear as www.mydomain.com/homepage.action even user types in www.mydomain.com)

#2: Change welcome-file and add dummy place holder file

The second way (or better way) of fixing the struts action mapping to the URL root is to update the welcome-file list.

Struts 1

homepage.do



Struts 2

homepage.action



And then in the WebContent Root, add a dummy file (e.g. in Struts 2 you need an empty file homepage.action)*This step is important, without the empty dummy file, it won't work, at least in Tomcat*

Now when you hit http://www.mydomain.com your application will hit the homepage.action directly without adding the homepage.action after your url.

Nvidia Video Card on Ubuntu

0
I have been having problem in setting up Ubuntu on my Dell Workstation. Ubuntu documentation provide minimal help so as the forums. And I finally got this

http://albertomilone.com/nvidia_scripts1.html

The script auto detects your video card and install proper driver.

And of course before you run this, I recommend you to uninstall all your drivers and refresh your X.11 setting to default.

Struts 2 ONGL issue on Google App Engine

0
GAE(Google App Engine) is a very high security environment, which google limits you in everything. In order to setup your struts 2 on GAE properly, you will need to change the OgnlRuntime security manager.

This is the error you will get on browser

HTTP ERROR: 404

result 'null' not found
RequestURI=/

And on your log

Jul 20, 2009 3:37:20 AM com.opensymphony.xwork2.util.logging.commons.CommonsLogger error
SEVERE: Unable to set parameter [location] in result of type [org.apache.struts2.dispatcher.ServletDispatcherResult]
Caught OgnlException while setting property 'location' on type 'org.apache.struts2.dispatcher.ServletDispatcherResult'. - Class: ognl.OgnlRuntime
File: OgnlRuntime.java
Method: invokeMethod
Line: 508 - ognl/OgnlRuntime.java:508:-1
at com.opensymphony.xwork2.ognl.OgnlUtil.internalSetProperty(OgnlUtil.java:392)
at com.opensymphony.xwork2.ognl.OgnlUtil.setProperty(OgnlUtil.java:143)
at com.opensymphony.xwork2.ognl.OgnlReflectionProvider.setProperty(OgnlReflectionProvider.java:91)
...
...

What you have to do to fix this problem is to add a listener to set the security manager to null.

Listener:

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import ognl.OgnlRuntime;

public class ONGLFixListener implements ServletContextListener, HttpSessionListener, HttpSessionAttributeListener {

public ONGLFixListener() {
}

public void contextInitialized(ServletContextEvent servletContextEvent) {
OgnlRuntime.setSecurityManager(null);
}

//Empty methods that do nothing for the interfaces


web.xml


com.example.ONGLFixListener



This should fix the problem. =D

Showing database size

0
My co-worker asked me how big is the mysql DB, I don't really know how so I did a little research and found this...


SELECT table_schema "Database", sum( data_length + index_length ) / 1024 / 1024 "Data Base Size in MB"
FROM information_schema.TABLES GROUP BY table_schema ;


And it works =D
It basically just go to the information_schema and sum up the size of the tables of each schema.

The output looks something like this

+--------------------+----------------------+
| Database | Data Base Size in MB |
+--------------------+----------------------+
| dms | 4.51943684 |
| hrform | 0.06588364 |
| information_schema | 0.00390625 |
| mysql | 0.42193222 |
| ptrng | 0.05598068 |
| securewiki | 1.52050400 |
| wiki | 584.47095490 |
+--------------------+----------------------+

Add mime type in tomcat to prevent IE from opening binary files instead of downloading

0
Not sure why tomcat doesn't have .iso and .msi mime types in web.xml. And smart Microsoft IE doesn't do a great job in file download without proper http header, it actually opens .msi and .iso and display it. In order to help IE download the binaries probably.(Note that, it works fine on Firefox and Safari). You have to explicitly add the mime type in your tomcat. To do this, simply add



iso
application/octet-stream



in the $CATALINA_HOME/conf/web.xml (or your webapp's web.xml)

Logging in shell script

0
We all enjoy the logging facilities in the modern programming language (e.g. log4j in java, c# logging in c#)

but what about shell script? The answer is an one liner


LOG(){echo "$(date +%c) $*"}

for console and

LOG(){echo "$(date +%c) $*" >> log.txt}

for txt out put.

Of course this is not the as sophisticated as the logging framework like log4j, but it simple and easy to use.

To use the function simply calls

LOG "Message"

Using apache http server as a front end of zope

0
There are a lot of benefit of using apache http server as a front end of an application server. One of the reason is security. Linux doesn't allow you open port under 1024 for a non root user.

And in some cases it is a good idea to use apache as your front end anyway (e.g. you want to use apahce for load balancing or as a proxy server, or take advantage of a very stable http server)

I personally use apache as a front end for plone+zope and tomcat. Here is a brief description on how to run apache in front of a zope+plone setup

When you have your zope+plone setup, you will access the plone instance like this
http://myhost:8000/Plone
or in general
http://[host]:[port]/[name_of_plone_instance]

and ZMI should be running here:
http://myhost:8000/manage

In order to hide plone+zope behind apache, you will have to add this into your apache config file

RewriteRule ^/(.*) http://127.0.0.1:8000/VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]

where %{HTTP_HOST} is a apache variable which will be automatically filled in.

The first part of the rewrite rule
RewriteRule ^/(.*) http://127.0.0.1:8000/

What it does is to tell apache to route all the port 80 request to localhost port 8000 which zope is running.

The second part of the rewrite rule
VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]


is to tell the VirtualHostMonster in zope to map all the url in the page to port 80 even it is on port 8000

So now when we hit the url http://myhost/ it direct all the traffic to the underlying plone instance at port 8080.

At this point, everything should work nicely. But what if we want to go to access port 8080 for the ZMI. If you have port 8080 open, you should be able to just hit it on your favorite browser. What if we do not want to poke a hole on the firewall. What you can do is to do a port forwarding over ssh.

ssh -L 9999:localhost:8080 myhost

What it does is open a secure tunnel and forward all the traffic from the remote host to your local box.

In general, you will do

ssh -L [local_port]:localhost:[remote_port] [remote_host]

So when you hit the URL, http://localhost:9999/manage you should be able to see the ZMI in the remote host.

apache in front of application server

0
For security reason, Linux doesn't want you to run your stuff on port 80 except apache. And in some cases it is a good idea to use apache as your front end anyway (e.g. you want to use apahce for load balancing or as a proxy server)

I personally use apache as a front end for plone+zope and tomcat.

When you have your zope+plone setup, you will access the plone instance like this
http://myhost:8000/Plone
or in general
http://:/

and ZMI should be running here:
http://myhost:8000/manage

In order to hide plone+zope behind apache, you will have to add this into your apache config file

RewriteRule ^/(.*) http://127.0.0.1:8000/VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]

where %{HTTP_HOST} is a apache variable which will be automatically filled in.

The first part of the rewrite rule
RewriteRule ^/(.*) http://127.0.0.1:8000/

What it does is to tell apache to route all the port 80 request to localhost port 8000 which zope is running.

The second part of the rewrite rule
VirtualHostBase/http/%{HTTP_HOST}:80/Plone/VirtualHostRoot/$1 [L,P]

is to tell the VirtualHostMonster in zope to map all the url in the page to port 80 even it is on port 8000

So now when we hit the url http://myhost/ it direct all the traffic to the underlying plone instance at port 8080.

At this point, everything should work nicely. But what if we want to go to access port 8080 for the ZMI. If you have port 8080 open, you should be able to just hit it on your favorite browser. What if we do not want to poke a hole on the firewall. What you can do is to do a port forwarding over ssh.

ssh -L 9999:localhost:8090 myhost

What it does is open a secure tunnel and forward all the traffic from the remote host to your local box.

In general, you will do

ssh -L :localhost:

So when you hit the URL, http://localhost:9999/manage you should be able to see the ZMI in the remote host.

showing code snippets in blogs

0
drunken programmer has been complaining that his blog posts can't include his code properly. So I dug out some research I did a few months ago on how to set up your blog to include code snippets. Of course, some smart cookie has thought of how to do this already.

Here's a quick step by step...

1) add the syntax highlighter css and js to the < head> section of your site.

<link href="http://alexgorbatchev.com/pub/sh/2.0.278/styles/shCore.css" rel="stylesheet" type="text/css">
<link href="http://alexgorbatchev.com/pub/sh/2.0.278/styles/shThemeDefault.css" rel="stylesheet" type="text/css">
<script src="http://alexgorbatchev.com/pub/sh/2.0.278/scripts/shCore.js" type="text/javascript"></script>
<script src="http://alexgorbatchev.com/pub/sh/2.0.278/scripts/shBrushJScript.js" type="text/javascript"></script>
<script src="http://alexgorbatchev.com/pub/sh/2.0.278/scripts/shBrushCSharp.js" type="text/javascript"></script>
<script src="http://alexgorbatchev.com/pub/sh/2.0.278/scripts/shBrushSql.js" type="text/javascript"></script>
<script src="http://alexgorbatchev.com/pub/sh/2.0.278/scripts/shBrushXml.js" type="text/javascript"></script>
<script type="text/javascript">
SyntaxHighlighter.all();
</script>


2) add the required css to the <head> section of your site

.syntaxhighlighter .line .content .block
{
background: none !important;
}


3) that's it!!! (some ppl say that you need to set the convert line break option in blogger OFF, but mine is running ok wih it ON)

4) now for actually using the syntax highlighter. make sure that your code is surrounded by <pre> tags. Here is an example

<pre class="brush:js">
alert("Hello world");
</pre>


5) note that the brush type specified in this case is "js" so that it will do syntax highlighting appropriate for javascript. The list of all supported brush types can be found here. Note that the brush list matches the javascript import statements you added to your <head> section in step 1.

6) finally, make sure that any content you put in between the <pre> tags are bracket escaped using something similar to this


Add a custom Spring Security filter/handler

2
What I am trying to do is to write a log to the database when a user logout and we are using Spring Security 2.x + CAS. So I guess the best place to implement this will be along the Spring Security filter.

http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-custom-filters

We can replace a filter by extending org.springframework.security.ui.SpringSecurityFilter and add that into the filter chain





But instead of extending the filter a better way is to add a handler to the default logout filter.










public class LogLogoutHandler implements LogoutHandler{
public void logout(HttpServletRequest arg0, HttpServletResponse arg1, Authentication arg2) {
// Log info to DB
}
}


Sidenote: if you are using sec:custom-filter, make sure you do not have any reference to the same namespace which will cause a conflict. (i.e. you cannot do sec:logout if you are using a custom logout filter)

localize database

0
I am working on a project which I have to write a help module and it has to be l10n (coz we have Japanese and Chinese customers). And because I want the content to be editable TTW, everything has to be in the DB. Another requirement is that if the content hasn't been translated, the default content (in English will be displayed).

The following is the DB schema (mysql dialect)

CREATE TABLE `help_manager`.`helps` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`topic` varchar(512) NOT NULL,
`content` varchar(16384) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8

CREATE TABLE IF NOT EXISTS `help_manager`.`helps_l10n` (
`id` INT NOT NULL ,
`locale_id` INT NOT NULL ,
`topic` VARCHAR(512) NOT NULL ,
`content` VARCHAR(16384) NULL ,
PRIMARY KEY (`id`, `locale_id`) ,
INDEX `helps_fk` (`id` ASC) ,
INDEX `locale_fk` (`locale_id` ASC) ,
CONSTRAINT `helps_fk`
FOREIGN KEY (`id` )
REFERENCES `help_manager`.`helps` (`id` )
ON DELETE NO ACTION
ON UPDATE NO ACTION,
CONSTRAINT `locale_fk`
FOREIGN KEY (`locale_id` )
REFERENCES `help_manager`.`locale` (`id` )
ON DELETE NO ACTION
ON UPDATE NO ACTION)
ENGINE = InnoDB
DEFAULT CHARACTER SET = utf8
COLLATE = utf8_general_ci

CREATE TABLE IF NOT EXISTS `help_manager`.`locale` (
`id` INT NOT NULL AUTO_INCREMENT ,
`locale` VARCHAR(8) NULL ,
PRIMARY KEY (`id`) )
ENGINE = InnoDB


So here is how you select contents from the table with a specific locale

SELECT COALESCE (hl.topic,h.topic) , COALESCE(hl.content, h.content) FROM helps h LEFT JOIN (helps_l10n hl, `locale` l) ON (h.id=hl.id AND l.id=hl.locale_id) AND l.locale = 'ja_JP'

Side note
mysql UTF8 encoding:
utf8_bin: compare strings by the binary value of each character in the string

utf8_general_ci: compare strings using general language rules and using case-insensitive comparisons

utf8_general_cs: compare strings using general language rules and using case-sensitive comparisons


for example:
Ä == A => True
Ü == U => True