calling a java method from inside an XSLT

So something you need for your XSLT transformation lives in a Java class. How are you supposed to call it from the stylesheet? There are two approaches:

Approach 1:
http://stackoverflow.com/questions/13136229/solvedxslt-call-java-instance-method

Declare a namespace whose URI is the keyword java: followed by the fully qualified name of the class you wish to call. When you call a method, you write the namespace prefix, a colon and the method name, so the separator between class and method is a : rather than a . (a constructor is called as prefix:new).
ie:
xmlns:SimpleDateFormat="java:java.text.SimpleDateFormat"


However, if you get the following error, you are running Saxon-HE, the free edition of the Saxon XSLT processor, which does not support this kind of declaration (Saxonica calls it a reflexive extension function), and you will have to switch gears and go with approach 2:

Note that direct calls to Java methods are not available under Saxon-HE

Approach 2:
In this approach you explicitly register an ExtensionFunctionDefinition with the Saxon Processor. It is essentially the function's interface definition: the name, the argument and result types, and (through makeCallExpression()) the Java logic that computes the result. Once registered, declare the function's namespace in the stylesheet (the one you return from getFunctionQName()) and call it like any other XSLT function. This restriction also works in your favour: a stylesheet that can reach arbitrary classes through java: namespaces can call anything on the classpath, whereas with registered functions the stylesheet can only call what you chose to expose, which is what you want whenever the stylesheet is not fully trusted.
http://www.saxonica.com/documentation/extensibility/integratedfunctions/ext-full-J.html
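Below is a complete, added example of approach 2. It is not code from the original post or from Saxonica's documentation; it is written against the Saxon 9.5+ s9api, and the namespace http://example.com/xslt-ext, the prefix pp, the function name reformat-date and the sample order document are all assumptions made for the example. It wraps the SimpleDateFormat work from approach 1 in an ExtensionFunctionDefinition, registers it with a Saxon-HE Processor and runs a small inline stylesheet that calls it:

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import javax.xml.transform.stream.StreamSource;

import net.sf.saxon.expr.XPathContext;
import net.sf.saxon.lib.ExtensionFunctionCall;
import net.sf.saxon.lib.ExtensionFunctionDefinition;
import net.sf.saxon.om.Sequence;
import net.sf.saxon.om.StructuredQName;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XsltExecutable;
import net.sf.saxon.s9api.XsltTransformer;
import net.sf.saxon.trans.XPathException;
import net.sf.saxon.value.SequenceType;
import net.sf.saxon.value.StringValue;

/** Exposes exactly one Java operation to XSLT: pp:reformat-date($value, $fromPattern, $toPattern). */
public class ReformatDateFunction extends ExtensionFunctionDefinition {

    // Namespace, prefix and local name are assumptions for this example.
    public static final String NS = "http://example.com/xslt-ext";

    @Override
    public StructuredQName getFunctionQName() {
        return new StructuredQName("pp", NS, "reformat-date");
    }

    @Override
    public SequenceType[] getArgumentTypes() {
        return new SequenceType[] {
            SequenceType.SINGLE_STRING, SequenceType.SINGLE_STRING, SequenceType.SINGLE_STRING };
    }

    @Override
    public SequenceType getResultType(SequenceType[] suppliedArgumentTypes) {
        return SequenceType.SINGLE_STRING;
    }

    @Override
    public ExtensionFunctionCall makeCallExpression() {
        return new ExtensionFunctionCall() {
            @Override
            public Sequence call(XPathContext context, Sequence[] args) throws XPathException {
                String value = args[0].head().getStringValue();
                String from  = args[1].head().getStringValue();
                String to    = args[2].head().getStringValue();
                try {
                    // SimpleDateFormat is not thread-safe, so build fresh instances per call.
                    return new StringValue(new SimpleDateFormat(to).format(new SimpleDateFormat(from).parse(value)));
                } catch (ParseException | IllegalArgumentException e) {
                    // Report a proper XPath dynamic error instead of leaking a Java exception.
                    throw new XPathException("pp:reformat-date: " + e.getMessage(), e);
                }
            }
        };
    }

    public static void main(String[] argv) throws SaxonApiException {
        Processor processor = new Processor(false);          // false = Saxon-HE, no licence needed
        processor.registerExtensionFunction(new ReformatDateFunction());

        // Constructed stylesheet and input document for the example.
        String xslt =
            "<xsl:stylesheet version='2.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
          + "  xmlns:pp='" + NS + "' exclude-result-prefixes='pp'>"
          + "  <xsl:template match='/order'>"
          + "    <shipped><xsl:value-of select=\"pp:reformat-date(@date, 'yyyy-MM-dd', 'dd MMM yyyy')\"/></shipped>"
          + "  </xsl:template>"
          + "</xsl:stylesheet>";
        String xml = "<order date='2012-11-05'/>";

        XsltExecutable exe = processor.newXsltCompiler().compile(new StreamSource(new StringReader(xslt)));
        XsltTransformer t = exe.load();
        t.setSource(new StreamSource(new StringReader(xml)));
        StringWriter out = new StringWriter();
        t.setDestination(processor.newSerializer(out));
        t.transform();
        System.out.println(out);
    }
}
```

The stylesheet sees only pp:reformat-date; it has no way to reach SimpleDateFormat, Runtime or anything else on the classpath, which is the practical difference between this and a java: namespace.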

Jackson helps you to "Ajaxify" your Spring service in less than 5 mins

You can turn a Spring service into an Ajax (JSON) service easily with one annotation and Jackson on the classpath.

Let's say you have a service to search for a product, something like this:

public class ProductServiceImpl implements ProductService {

    private ProductDao productDao;

    public void setProductDao(ProductDao productDao) {
        this.productDao = productDao;
    }

    public List<Product> search(String searchString) {
        return productDao.search(searchString);
    }
}

And usually your Spring MVC controller will be something like this

@Controller
@RequestMapping("/product")
public class ProductController {

    @Autowired
    private ProductService productService;

    @RequestMapping("/search")
    public List<Product> search(@RequestParam("searchString") String searchString, ModelMap model) {
        return productService.search(searchString);
    }
}

To expose the search service as an Ajax service, simply:
1. Add Jackson to your library path if you haven't done so.
2. Add <mvc:annotation-driven/> to your applicationContext.xml; this is what registers the Jackson message converter. Remember to also declare the mvc namespace and its schema location:
xmlns:mvc="http://www.springframework.org/schema/mvc"
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
3. Add @ResponseBody before the return type of the method, as follows (the method needs its own name, since Java will not let two methods with the same signature share a class):
3. add @ResponseBody before the return type in the method as follow

@RequestMapping("/jsonsearch")
public @ResponseBody List<Product> jsonSearch(@RequestParam("searchString") String searchString) {
    return productService.search(searchString);
}

That's it!

To access it, simply send a request to
http://localhost:8080/myapp/product/jsonsearch?searchString=iphone
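One thing worth tightening before this goes live: the method above hands back a bare JSON array, and historically a top-level array returned to a cookie-authenticated GET could be read cross-site by a page that redefined the Array constructor (the reason Spring's Jackson converter grew a prefixJson option). Returning an object envelope avoids that and gives you a place for metadata. The following is an added example, not code from the original post; it assumes the same Spring 3.x setup with <mvc:annotation-driven/> and Jackson, reuses the Product and ProductService types from the post, and the 100-character bound is an arbitrary assumption:

```java
import java.util.Collections;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/product")
public class ProductJsonController {

    // Assumption: a sane upper bound for a search term; anything longer is junk.
    private static final int MAX_QUERY_LENGTH = 100;

    @Autowired
    private ProductService productService;

    /** Envelope object: Jackson serialises it as {"query":"...","results":[...]} instead of a bare array. */
    public static class SearchResponse {
        private final String query;
        private final List<Product> results;

        public SearchResponse(String query, List<Product> results) {
            this.query = query;
            this.results = results;
        }
        public String getQuery() { return query; }
        public List<Product> getResults() { return results; }
    }

    @RequestMapping(value = "/jsonsearch", method = RequestMethod.GET)
    public @ResponseBody SearchResponse jsonSearch(@RequestParam("searchString") String searchString) {
        String query = searchString == null ? "" : searchString.trim();
        if (query.isEmpty() || query.length() > MAX_QUERY_LENGTH) {
            // Reject obvious junk without touching the DAO; an empty result is the honest answer.
            return new SearchResponse(query, Collections.<Product>emptyList());
        }
        return new SearchResponse(query, productService.search(query));
    }
}
```

The client-side change is trivial (read data.results instead of data), and the same envelope can later carry paging information without breaking callers.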




Could not parse configuration: /hibernate.cfg.xml Caused by: org.dom4j.DocumentException: Connection refused


If you ever run into the error below,

org.hibernate.HibernateException: Could not parse configuration: /hibernate.cfg.xml
 at org.hibernate.cfg.Configuration.doConfigure(Configuration.java:1500)
 at org.hibernate.cfg.Configuration.configure(Configuration.java:1434)
 at org.hibernate.cfg.Configuration.configure(Configuration.java:1420)
 at org.hibernate.tutorial.hbm.NativeApiIllustrationTest.setUp(NativeApiIllustrationTest.java:47)
 at junit.framework.TestCase.runBare(TestCase.java:132)
 at junit.framework.TestResult$1.protect(TestResult.java:110)
 at junit.framework.TestResult.runProtected(TestResult.java:128)
 at junit.framework.TestResult.run(TestResult.java:113)
 at junit.framework.TestCase.run(TestCase.java:124)
 at junit.framework.TestSuite.runTest(TestSuite.java:243)
 at junit.framework.TestSuite.run(TestSuite.java:238)
 at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
 at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:49)
 at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
 at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
 at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
 at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
 at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: org.dom4j.DocumentException: Connection refused: connect Nested exception: Connection refused: connect
 at org.dom4j.io.SAXReader.read(SAXReader.java:484)
 at org.hibernate.cfg.Configuration.doConfigure(Configuration.java:1490)
 ... 17 more

it means that the XML parser could not fetch the DTD referenced in the DOCTYPE of hibernate.cfg.xml: dom4j took the system identifier literally and tried to open an HTTP connection, which was refused. So the first thing to do is to see whether you can browse to the URL directly, and also check your proxy settings. Note that Hibernate ships its DTDs inside the jar and its DTDEntityResolver serves them from the classpath for the URL prefixes it recognises; older 3.x releases only recognise http://hibernate.sourceforge.net/, which is why the change below also works on a machine with no network access at all. In my case, I changed it

from
<!DOCTYPE hibernate-configuration PUBLIC
        "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
        "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">

to

<!DOCTYPE hibernate-configuration PUBLIC
        "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
        "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">

I think you can also try using "http://www.jboss.org/dtd/hibernate/hibernate-configuration-3.0.dtd". It seems that hibernate.org forwards to the JBoss location anyway.

(as of today....unless the urls change again)
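A more durable fix than chasing whichever URL currently resolves is to stop the parser from going to the network at all. The class below is an added example, not from the original post or from Hibernate itself: an EntityResolver that serves the DTDs from the classpath keyed by their PUBLIC identifier (so the SYSTEM URL in the DOCTYPE no longer matters) and refuses to resolve anything else, which also closes the door on the parser fetching or reading arbitrary external entities. It assumes the Hibernate 3.x jar layout, where the DTDs live at org/hibernate/hibernate-configuration-3.0.dtd and org/hibernate/hibernate-mapping-3.0.dtd, and uses Configuration.setEntityResolver, which is Hibernate's own hook:

```java
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

import org.hibernate.cfg.Configuration;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Serves the Hibernate DTDs from the classpath and fails closed for everything else,
 * so loading hibernate.cfg.xml never depends on hibernate.org, sourceforge.net or a proxy.
 */
public class OfflineDtdResolver implements EntityResolver {

    // PUBLIC identifier -> resource path inside the Hibernate 3.x jar (assumed layout).
    private static final Map<String, String> BUNDLED = new HashMap<String, String>();
    static {
        BUNDLED.put("-//Hibernate/Hibernate Configuration DTD 3.0//EN",
                    "org/hibernate/hibernate-configuration-3.0.dtd");
        BUNDLED.put("-//Hibernate/Hibernate Mapping DTD 3.0//EN",
                    "org/hibernate/hibernate-mapping-3.0.dtd");
    }

    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        String resource = publicId == null ? null : BUNDLED.get(publicId);
        if (resource == null) {
            // Not one of ours: refuse rather than let the parser open a URL or a file.
            throw new SAXException("Refusing to resolve external entity publicId=" + publicId
                    + " systemId=" + systemId);
        }
        InputStream in = OfflineDtdResolver.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            throw new SAXException("Bundled DTD missing from classpath: " + resource);
        }
        InputSource source = new InputSource(in);
        source.setPublicId(publicId);
        source.setSystemId(systemId);   // keep the original id so the parser's bookkeeping stays consistent
        return source;
    }

    /** Install the resolver before configure() parses /hibernate.cfg.xml from the classpath. */
    public static Configuration configureOffline() {
        Configuration cfg = new Configuration();
        cfg.setEntityResolver(new OfflineDtdResolver());
        return cfg.configure();
    }
}
```

With this in place the DOCTYPE can keep whichever system URL you like; the only thing that has to match is the public identifier, which has not changed across the URL moves.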

unit testing private methods

Next time I want to test private methods again, remember the answer to this....

Answer in Stack Overflow

DOWNLOADING DOCUMENTS VIA SSL CONNECTION ON IE... part 2 + Sitemesh 2.2.1

After doing a code release last week, we discovered that our application had a caching issue: some of the .js files we changed weren't getting loaded properly. This was a surprise to us, since we have HTML meta tags on each page for no caching and we have also included the no-caching directives in our HTTP response headers.

So what's going on? It had to do with the manner in which we included the no-caching directives in our HTTP response header. Our site uses Sitemesh, and we decided to include those directives in our Sitemesh main decorator page. Big mistake, because Sitemesh has a bug and, for some reason, does not recognize the JSP scriptlets we used to add the no-caching directives.

Our solution? Provide a filter that sits in front of our application and applies the no-caching directives to our secured pages and our JavaScript resources. (Note: you need to modify the code below before using it; read the rest of the article to see why.)

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds the no-caching directives to the HTTP response header.
 * See:
 * http://en.wikipedia.org/wiki/List_of_HTTP_headers
 * http://www.i18nguy.com/markup/metatags.html
 */
public class NoCachingFilter implements Filter {

    private static final String CACHE_CONTROL_PARAM = "Cache-Control";
    private static final String CACHE_CONTROL_VALUE = "no-cache";

    private static final String PRAGMA_PARAM = "Pragma";
    private static final String PRAGMA_VALUE = "no-cache";

    private static final String EXPIRES_PARAM = "Expires";
    private static final int EXPIRES_VALUE = 0;

    private FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {

        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // The headers must be set BEFORE handing the request down the chain:
        // once the response has been committed, setHeader() is silently ignored.
        response.setHeader(CACHE_CONTROL_PARAM, CACHE_CONTROL_VALUE);
        response.setHeader(PRAGMA_PARAM, PRAGMA_VALUE);
        response.setIntHeader(EXPIRES_PARAM, EXPIRES_VALUE);

        // continue with the remaining filters
        filterChain.doFilter(servletRequest, servletResponse);
    }

    public void destroy() {
        filterConfig = null;
    }
}
That was mistake number 2. After a round of testing, we discovered that some of our file downloads no longer worked; we had run into this Internet Explorer bug:

Internet Explorer file downloads over SSL do not work with the cache control headers.

This issue may occur if any one or more of the following conditions are true:
- The "Do not save encrypted pages to disk" check box is selected in Internet Explorer 6.0 SP1.
- The server sends the "Cache-Control: No Store" header.
- The server sends the "Cache-Control: No Cache" header.

Look familiar? Well, this is definitely related to my earlier post. I guess now I know the root cause. I guess I should also have read that article more closely last time. This part is incredibly interesting, since Microsoft themselves recommend that you use the no-cache directives...

Are you using the Cache-Control header with the ASP "Response.CacheControl" property or through a returned HTTP header? This is the only way to truly prevent caching in Internet Explorer

My updated solution modifies my filter to take an exclusion list, so that I don't add any no-caching directives to downloaded content. All the other pages keep the protection of no caching. If anyone has better ideas, please feel free to comment and share them!
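Here is what such an exclusion-list filter can look like. This is an added example rather than the filter from the post: the init-param name excludePaths, the sample paths in the comment and the choice of header values are assumptions for the example. It matches the request path inside the web application (context path stripped, container-normalised), sends the headers only for non-excluded paths, and uses setDateHeader for Expires so the value is a well-formed HTTP date rather than the bare 0 the original sets:

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sends no-caching headers for everything except the path prefixes listed in the
 * "excludePaths" init-param (comma-separated), so SSL file downloads to IE are left alone.
 *
 *   <filter>
 *     <filter-name>noCaching</filter-name>
 *     <filter-class>NoCachingFilterWithExclusions</filter-class>
 *     <init-param>
 *       <param-name>excludePaths</param-name>
 *       <param-value>/download/,/reports/export</param-value>   (assumed paths)
 *     </init-param>
 *   </filter>
 */
public class NoCachingFilterWithExclusions implements Filter {

    private final List<String> excludedPrefixes = new ArrayList<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("excludePaths");
        if (param != null) {
            for (String prefix : param.split(",")) {
                if (prefix.trim().length() > 0) {
                    excludedPrefixes.add(prefix.trim());
                }
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isExcluded(request)) {
            // Set before chain.doFilter(): headers added after the response is committed are dropped.
            // no-store is the directive that keeps content off disk; no-cache alone only forces revalidation.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0L);
        }
        chain.doFilter(req, res);
    }

    /** Servlet path + path info is the container-decoded, normalised path inside the web app. */
    boolean isExcluded(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        for (String prefix : excludedPrefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
    }
}
```

Keep the exclusion list as short as possible: every path on it is content the browser may write to disk, so it should only ever cover the download endpoints themselves, never the pages around them.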

Appendix:
Here is a list of other references I found related to this problem:
- It seems that the issue occurs in IE7 as well.
- A long list of related issues, or different descriptions of the same issue.

XSS in the HTTP Header's Accept Language when using Struts 1.2

At my work, we have a policy of using HP's WebInspect to scan our applications before they are allowed to go into production, and I just got an interesting finding this week. The WebInspect scanner tried to perform an XSS (cross-site scripting) attack by putting something into the HTTP Accept-Language header! Now, I'm not really sure how exploitable this is (perhaps some security expert can comment?), since all our traffic is via https, so there's really no way to inject scripts into the HTTP header unless the host machine making the request has been compromised?

This was the http request used....

GET /programmingPanda/someUrl.jsp HTTP/1.1
Accept: */*
Referer: https:///programmingPanda/someUrl
Accept-Language: "><script>alert('hi')</script>
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.programmingPandaHost.com
Pragma: no-cache
Connection: Keep-Alive
Cookie: JSESSIONID=0021w1Z_9Fg27Vg1xhKHDgX1YLR:1244ioqb0;CustomCookie=WebInspect30127ZXC16B044F25944608B21BBFFEC74B3453YE540


and the end result was this....


<html xmlns:"http://www.w3.org/1999/xhtml" lang=""><script>alert('hi')</script>" xml:lang=""><script>alert('hi')</script>">


Anyway, I was tasked with checking this out. After some digging, I found that the html tag in our application was being generated by the Struts taglib's html tag. According to the documentation, the lang attribute of the html tag has the following behaviour...


Renders a lang attribute with the locale stored in the user's session.
If not found in the session, the language from the Accept-Language HTTP header is used.
If still not found, the default language for the server is used.


So, with the Accept-Language header never being validated for special characters, we were getting XSS-ed!

The solution? In this case, we used a filter to put a default locale into the user's session if none is present, so the Accept-Language header is never consulted. This may not be the best or most correct solution, but it is one that fits our needs and timeline.


// provide a default locale and store it under the Struts-defined session key, Globals.LOCALE_KEY
Locale locale = Locale.getDefault();   // the server default; pick whatever suits your application
session.setAttribute(Globals.LOCALE_KEY, locale);
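The snippet above pins every user to one locale. If you still want to honour the client's language preference, the safe way is to let the container parse Accept-Language and then pick from a whitelist of locales you actually ship, never echoing anything derived from the header itself. The filter below is an added example, not the one used at the author's workplace; the set of supported locales and the default are assumptions, and it uses the same Globals.LOCALE_KEY session attribute that Struts reads:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts.Globals;

/**
 * Makes sure every session carries a Struts locale chosen from a whitelist, so the
 * html tag never falls back to the raw Accept-Language header.
 */
public class SafeLocaleFilter implements Filter {

    // Assumption: the locales this application actually has resources for.
    private static final Set<Locale> SUPPORTED = new HashSet<Locale>(
            Arrays.asList(Locale.US, Locale.UK, Locale.FRANCE, Locale.GERMANY));
    private static final Locale DEFAULT = Locale.US;

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(true);
        if (session.getAttribute(Globals.LOCALE_KEY) == null) {
            session.setAttribute(Globals.LOCALE_KEY, chooseLocale(request.getLocales()));
        }
        chain.doFilter(req, res);
    }

    /**
     * Walks the client's preferred locales (already parsed from Accept-Language by the
     * container) and returns the first supported one, or DEFAULT. Only whitelisted Locale
     * instances are ever returned: a Locale the container built from a hostile token such as
     * "><script>alert('hi')</script> is compared against the whitelist, never passed through.
     */
    static Locale chooseLocale(Enumeration<?> preferred) {
        while (preferred != null && preferred.hasMoreElements()) {
            Locale candidate = (Locale) preferred.nextElement();
            if (SUPPORTED.contains(candidate)) {
                return candidate;             // exact language+country match
            }
            for (Locale supported : SUPPORTED) {
                if (supported.getLanguage().equals(candidate.getLanguage())) {
                    return supported;         // language-only match, e.g. en-AU -> en_US
                }
            }
        }
        return DEFAULT;
    }

    public void destroy() {
    }
}
```

Map the filter ahead of the Struts ActionServlet in web.xml so the session attribute is present before the first page renders.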

downloading documents via SSL connection on IE

I ran into a pretty interesting issue today. (This is a follow-up to my earlier post.) I was trying to download a text file from our application using IE6. Suddenly I got a very unexpected error:
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.

I was super surprised, because I was 100% sure the file was there. I did some research online, and it seems to be related to this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q316431&



It seems that when you download from an SSL session and IE6 can't save the file temporarily to the local disk, it has issues. Lucky for me, this is an internal application, and I could just ask my users to make sure their browser settings are as below.


You can get there from Tools > Internet Options > Advanced. Scroll down to the bottom of the Security section and look for "Do not save encrypted pages to disk". Make sure this is turned OFF.