Feed aggregator

Distributed Tasks Execution and Scheduling in Java, Powered By Redis

Javalobby Syndicated Feed - Tue, 13-Sep-16 00:31

The ability to immediately execute or schedule a task or job is becoming a typical requirement for a modern distributed Java application. Such requirements have become even more essential for those who also use Redis.

Redisson now provides a new, convenient way to perform such distributed task execution and scheduling through the standard JDK ExecutorService and ScheduledExecutorService API, with submitted tasks executed on Redisson nodes that are connected to the same Redis database.

Categories: Java

Solving Spring NoClassDefFoundError, ClassNotFoundException, and MethodNotFoundExceptions Errors

Javalobby Syndicated Feed - Tue, 13-Sep-16 00:31

I see a lot of Spring questions on StackOverflow about NoClassDefFoundError, ClassNotFoundException, and MethodNotFoundException errors, especially with Spring Boot. The cause is nearly always a change to a build dependency in Gradle or Maven that has resulted in the mixing of dependencies. This post considers how to approach these issues, providing a starting point for diagnosing and possibly resolving them.

  • Do a clean build – the conflict may be caused by out-of-date libraries in the local Maven repository
  • If problems still exist, check Spring’s bill-of-materials (BOM) to see which versions are recommended and whether they conflict with the versions in your own pom file. The purpose of the BOM is discussed in my previous post (https://glenware.wordpress.com/2016/09/07/maven-bill-of-materialsbom/)
  • Check which spring-framework-bom you are using – the import will be of the form:
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-framework-bom</artifactId>
            <version>4.3.2.RELEASE</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

In this case we are using 4.3.2.RELEASE. You can then check which versions of other packages Spring is using by looking up the BOM on mvnrepository (https://mvnrepository.com/artifact/org.springframework/spring-framework-bom/4.3.2.RELEASE).

Categories: Java

Security of Atlassian Connect add-ons

codecentric Blog - Mon, 12-Sep-16 23:54

By Erik Petzold and Oliver Hoogvliet

As we saw in the Introduction to Atlassian Connect, add-ons are stand-alone web applications operated by different vendors. They communicate with the Atlassian application over the internet. Especially for enterprises this may raise questions about security and data protection. We will investigate these aspects in this article without going too much into detail, but instead by showing how many points need to be considered.

We use JIRA as example, but the considerations can be applied to other Connect applications (Confluence, HipChat, BitBucket) as well.

Overview

In the following, we will examine four different areas where security aspects are relevant. The image gives an overview that structures them.

(Image: overview of the four security areas of an Atlassian Connect add-on)

We will focus on the following topics:

  1. The communication between the Atlassian application and the add-on
  2. The authorization concept of the Atlassian product
  3. Requirements on the Connect add-on
  4. Protection of private add-ons

Communication between the two applications

As described, both applications interact via a public network, which requires protection of their communication. Data is sent through the internet and must not be manipulated or read by others. Therefore Connect uses two mechanisms to secure the communication: HTTPS and JWT.

Before giving a deeper insight into these mechanisms, we would like to give a short introduction to the add-on life cycle: A Connect add-on can provide webhooks. These webhooks are registered for different activities and application phases. During installation of the add-on, an exchange of security information takes place. This also includes a shared secret, which will be important later in this section.

For add-ons which should be listed in the Marketplace, secured communication with HTTPS is mandatory. This way, transmitted data is encrypted and cannot be read by unauthorized persons or programs. Encryption has to cover every kind of communication, including the retrieval of the add-on descriptor during installation and especially the exchange of security information during installation.

Furthermore, JWT is used to sign messages, which provides an authentication mechanism: for every message, the originator can be validated. For this, the previously exchanged shared secret is used.

Requests to the JIRA REST API always have to be signed, or they will be treated as coming from an anonymous user, who has only minimal or even no permissions. By reading the signature, the application can infer the related user and can perform further security checks (see next section).

For every incoming message on the add-on, the signature should also be validated. The Atlassian application signs every message, but the responsibility to check this signature stays on the add-on vendor’s side. Only by verifying it can the vendor be sure that the request came from an authenticated partner. Atlassian supports the developer by providing libraries for the creation and validation of JWT tokens.
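The following is an added example (not code from the article or from Atlassian's libraries) of the signature check an add-on should perform on an incoming request: it verifies the HS256 signature with the shared secret exchanged at installation, pins the algorithm so the token cannot choose "none", and rejects expired tokens. It assumes the add-on stored one shared secret per host instance, keyed by the JWT issuer claim; tenant names and secrets below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def sign_jwt(claims: dict, shared_secret: str) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = {"typ": "JWT", "alg": "HS256"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(hs256(shared_secret, signing_input))


def verify_incoming_jwt(token: str, tenant_secrets: dict, now=None) -> dict:
    """Validate a JWT the Atlassian host sent to the add-on.

    tenant_secrets maps the host's client key (the JWT 'iss' claim) to the shared
    secret the add-on stored during installation (assumed storage layout).
    Returns the verified claims, or raises ValueError with the reason.
    """
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not be allowed to pick "none" or a
    # public-key scheme; Connect tokens are HMAC-signed with the shared secret.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 'iss' is read before verification only to select which tenant's secret to
    # use; nothing in the claims is trusted until the signature check passes.
    secret = tenant_secrets.get(claims.get("iss"))
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hs256(secret, f"{header_b64}.{claims_b64}")
    # Constant-time comparison so response timing does not leak signature bytes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        raise ValueError("expired or missing exp")
    return claims


def verification_error(token: str, tenant_secrets: dict, now=None):
    """Return the rejection reason for a token, or None if it verifies."""
    try:
        verify_incoming_jwt(token, tenant_secrets, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Real Connect tokens also carry a query-string-hash claim binding the token to the request URL and method, which this example does not check; Atlassian's libraries do.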

Permissions

Atlassian Connect supports granting permissions to individual add-ons. This is realized through an add-on user, which can be configured like a normal user (but will not be counted against the user budget of your license).

Permissions like “reading” and “writing” data can be specified in the add-on descriptor. These are called “scopes”. If the add-on wants to change data in the application, the write scope is required.

The requested scopes are shown during the installation process of the add-on and have to be confirmed by the administrator. This also applies to updates in case they require new scopes.

Security of the add-on

Now that we have seen how the communication and the access to the core application are protected, it’s time to have a look at the add-on application itself. Secure communication is of no use if the add-on itself is completely vulnerable to attacks.

For vendors, it is mandatory to provide a “Data Security & Privacy Statement” in the Marketplace listing. Atlassian has recommendations and guidelines on that, but the responsibility for implementation is on the add-on vendor’s side. When storing data, add-ons should keep tenants’ data separate. The add-on instance can be used by different cloud instances of different customers, who must not be able to access each other’s data. Of course, the storage itself has to be protected against access and manipulation by third parties.

This last point applies in general to the whole web application and the underlying system. As such an application can be built and operated in various ways, we can provide only very general hints for security here. There are some well-known attack scenarios that follow a few basic patterns. Recommendations to prevent such attacks exist and can be found in the linked pages.

Besides protection from direct attacks, availability and stability are also important factors for users. Unavailability of the add-on can limit or even block processes at the customer’s. Therefore, a continuously running add-on application is crucial for them. Even individually planned maintenance windows are nearly impossible, as the add-on can be used by different cloud instances of customers around the world, residing in different time zones. So again, the vendor has the responsibility to ensure this aspect of security, namely availability.

Another important point in this area is protection against loss of data, e.g. on hardware failures. So there is a need for backups and redundant systems.

Private add-ons in marketplace

For customers that want to write their own add-ons for internal use, Atlassian offers the possibility to list them as a “private add-on” in the Marketplace. Additionally, there are ways to bypass the Marketplace completely. We will describe both options in the following section.

The add-on can be listed as “private” in the Marketplace and is then visible only within the vendor’s organization. For the installation in JIRA, a separate token is needed to make the add-on visible. Tokens can be managed on a separate page by the vendor. Each token is valid for a single JIRA instance.

To install the add-on, the administrator of the JIRA instance needs to explicitly allow the integration of private add-ons. Afterwards, the installation can happen through the Marketplace with the token.

This first option involves some effort, but has the benefit of being the official way and of offering some support by Atlassian, such as monitoring of availability.

The second option is to include the add-on in development mode. This allows installation without registration in the Marketplace, but is not intended by Atlassian for production use. There is no automatic monitoring, and a critical point is the missing transmission of license information, which hinders protection against unauthorized usage by third parties.

In conclusion, there are two ways to include private add-ons in the cloud application. For mission-critical processes, the official way with a private Marketplace listing is highly recommended. But for a fast and simple start, there is also the option to use the development mode.

Here we want to provide a last hint about exposure: Even if the name “private add-on” does not suggest this at first glance, these add-ons (their REST API) need to be publicly reachable through the internet like every other public add-on. So all the concepts discussed before also apply to these ‘private’ cloud add-ons.

Conclusion

As the article shows, there are many aspects that influence the security of a cloud add-on. One also needs to be aware of the fact that server add-ons cannot be considered secure in general either. They can also contain serious security holes, and hosting their own JIRA instance can bring its own risks for a customer who has no experience in doing so.

The question whether Connect add-ons are (more or less) secure cannot be answered in general. Atlassian supports the vendor by providing libraries and enforcing encrypted communication. There are also recommendations, and the documentation of Connect contains a part about security. But the main responsibility remains in the hands of the add-on vendor. The vendor has to consider many things and needs to handle them correctly; only then can the Connect add-on be seen as secure. A review by the user is very hard here, so in the end, the decision whether or not to trust a cloud add-on vendor remains a customer’s responsibility and a serious question.

The post Security of Atlassian Connect add-ons appeared first on codecentric Blog.

Categories: Agile, Java, TDD & BDD

Custom Data Search for Powerful Identity Management in Java

Javalobby Syndicated Feed - Mon, 12-Sep-16 23:31

Custom Data is one of the standout features of Stormpath’s authentication and user management API. It allows you to store up to ten megabytes of unstructured (JSON) data alongside any Stormpath resource. This can be any manner of application-specific user data; our clients use it for everything from custom profile fields to authorization roles, or even references to external data.

Custom Data is backed by a custom-built microservices architecture that indexes every data element you store on an Account. This makes searching that data blazingly fast. The typical processing time is less than 50 milliseconds, even under load.

Categories: Java

Gradients of Immutability

Javalobby Syndicated Feed - Mon, 12-Sep-16 06:09

Good objects are immutable, but not necessarily constants. I tried to explain it here, here, and here, but now it's time to make another attempt. Actually, the more I think about it, the more I realize that immutability is not black or white — there are a few more gradients; let's take a look.

As we agreed here, an object is a representative of someone else (some entity or entities, other object(s), data, memory, files, etc.). Let's examine a number of objects that look exactly the same to us but represent different things, then analyze how immutable they are and why.

Constant

This is constant; it doesn't allow any modifications to the encapsulated entity and always returns the same text (I've skipped constructors for the sake of brevity):

Categories: Java

Architecture Is About Tradeoffs

Javalobby Syndicated Feed - Mon, 12-Sep-16 06:09

I just finished reading an interesting article here on DZone about the benefits of Java EE in contrast to microservices. In my opinion, it's always salutary to see an argument like this that goes against the prevailing trend, because it helps us to remember that one of the most important rules of architecture is the one defined by Robert Heinlein: There Ain't No Such Thing as a Free Lunch (TANSTAAFL).

I myself spent a few years as the architect of a large-scale system built on Java Enterprise technology, and I was the one who selected the technology we used. My reasons were very similar to those given by Mr. Soika. I knew that we were building an application with lots of short connections to update and retrieve data from the database; I knew that much of our system was driven by external events, and we needed to integrate publish-subscribe messaging; and I was devising the replacement for a system that, due to technical limitations when it was built, was missing a clean separation between user interface, business logic, and data storage.

Categories: Java

Implementation Independence

Javalobby Syndicated Feed - Mon, 12-Sep-16 06:09

“Design to interfaces, not implementations.” This is the advice that the Gang of Four gave us in their book, Design Patterns: Elements of Reusable Object Oriented Software. This means to hide implementation details and only present what is to be accomplished by crafting method signatures around testable behaviors. It means using APIs to create clear contracts for services while hiding as much as possible about how those services do their work. Much of the job of a good programmer is to find ways of encapsulating as much as possible while still creating the desired behavior.

I like to think of myself as an enlightened human being. I believe in equality not just for all humans but for all living things. But I don’t share that same attitude in my software. With people, I want to share as much as I can, but with my objects I want to hide as much of the world as possible from them. All of my software is on a need-to-know basis. While that may sound a bit harsh at first, it stops my code from being pinned down by many implementation details and allows me to easily refactor and extend it with little friction.

Categories: Java

Open Source Release Cycle Tyranny

Javalobby Syndicated Feed - Mon, 12-Sep-16 06:09

The little talked about stress of Open Source project release management…

So I really enjoy writing code. Been doing it for years, since I was 8! I still do it now when work needs me to, or in my less than copious free time.

Categories: Java

Floating Point: Between Blissful Ignorance and Unnecessary Fear

Javalobby Syndicated Feed - Mon, 12-Sep-16 06:09

Most programmers are at one extreme or another when it comes to floating point arithmetic. Some are blissfully ignorant that anything can go wrong, while others believe that danger lurks around every corner when using floating point.

The limitations of floating point arithmetic are something to be aware of, and ignoring these limitations can cause problems, like crashing airplanes. On the other hand, floating point arithmetic is usually far more reliable than the application it is being used in.

Categories: Java

Spring for Apache Kafka 1.1.0 Milestone 2 Available

Javalobby Syndicated Feed - Mon, 12-Sep-16 06:08

I am pleased to announce that the second milestone for Spring for Apache Kafka version 1.1.0.M2 is now available in the spring milestone repo.

This includes some bug fixes and the following new features:

Categories: Java

How HashMap Works in Java

Javalobby Syndicated Feed - Mon, 12-Sep-16 00:31

How a HashMap works internally has become a popular question in almost all interviews, as almost everybody knows how to use a HashMap or the difference between HashMap and Hashtable. However, many people fail when the question is "How does a HashMap work internally?"

So the answer to the question is that it works based on the hashing principle, but it is not as simple as it sounds. Hashing is the mechanism of assigning a unique code to a variable or attribute using an algorithm to enable easy retrieval. A true hashing mechanism should always return the same hashCode() when it is applied to the same object.

Categories: Java

First Iteration — A Command-Line Application: Part 5

Javalobby Syndicated Feed - Sat, 10-Sep-16 22:31

Review All Code Changes So Far

We are on our way to developing and exploring various technologies of web applications and web services, but we begin with a simple program that turns into a reusable component. Read the previous section here!

To view all the latest code (prior to changes made during this article), 

Categories: Java

Spring Cloud Stream Brooklyn.RC1 Is Available

Javalobby Syndicated Feed - Sat, 10-Sep-16 00:31

On behalf of the team, I am pleased to announce the release of the first release candidate of the Spring Cloud Stream Brooklyn release train. Spring Cloud Stream Brooklyn.RC1 is available for use in the Spring Milestone repository, a detailed description of its features can be found in the reference documentation. Release notes are available here and include important information on the migration path.

As this release follows closely the previous milestone release it contains a small number of fixes, and one major addition, which is support for Kafka 0.10 via drop-in dependency replacement.

Categories: Java

First Iteration — A Command-Line Application: Part 4

Javalobby Syndicated Feed - Fri, 09-Sep-16 22:30

Continue With Test-Driven Development

We are on our way to developing and exploring various technologies of web applications and web services, but we begin with a simple program that turns into a reusable component. Read the previous section here!

Add Key JUnit Test

Now it is time to add one of the very important, defining tests that will compel us to dive in and do some real software work in analysis, design, and implementation, and we'll have to deal with concurrency.

Categories: Java

Savor the Servlet 3.0

Javalobby Syndicated Feed - Fri, 09-Sep-16 08:23

We have been using Servlets and their versions for decades. The majority of production applications (legacy deployed applications) use Servlet 2.5. Nowadays, more Servlet 3 deployments are happening and people are migrating from Servlet 2.5 to the latest Servlet 3 specification to leverage the power of zero XML, the annotation approach, and much more.

Let's discuss Servlet 3.0 with an example. The Servlet 3.0 specification is available as JSR 315 in the Java EE stack. Many application servers like JBoss, Jetty, and of course Glassfish support this Servlet specification. In my example, I will be using the JBoss application server. You can use your preferred application server and make any required configuration changes for running this example.

Categories: Java

JSON-B Test Drive Using JAX-RS

Javalobby Syndicated Feed - Fri, 09-Sep-16 08:21

This is a quick post about the JSON-B specification, which is due in Java EE 8. Its main purposes are:

  • Provide JSON binding i.e. marshalling and un-marshalling to and from Java objects
  • EclipseLink will serve as Reference Implementation
  • Supports Java object model to JSON mapping via annotations
  • Supports default mapping for implicit transformations b/w Java model and JSON (without annotation/additional metadata)
  • Produce JSON schema from Java classes
  • Support further customization of default mapping mechanisms as well as partial mapping (part of JSON doc needs to be mapped to Java model)
  • Will integrate with JSON-P and probably with JSON API JEP 198 (Java SE API for JSON processing) if needed

Please Note That

  • This is just a quick test of the JSON-B implementation in a Java EE 7 container
  • It is not an ideal scenario, i.e. it does not demonstrate integration of the JSON-B spec with a Java EE container (at least not yet).
  • I am not aware of Java EE 8 builds which ship with JSON-B as of right now.

From a (Java EE 8) Container Integration Perspective (Near Future)

The integration should be seamless and transparent — the way it is in case of JSON-P and JAXB annotated classes, i.e. you will ideally be able to annotate your Java classes using JSON-B annotations and expect them to be serialized or deserialized automatically by the container (e.g. JAX-RS runtime).

Categories: Java

Don’t Shoehorn Java 8 Streams Into Every Problem

Javalobby Syndicated Feed - Fri, 09-Sep-16 08:21

With Java 8 being mainstream now, people start using Streams for everything, even in cases where that’s a bit exaggerated (a.k.a. completely nuts, if you were expecting a hyperbole here). For instance, take mkyong’s article here, showing how to collect a Map’s entry set stream into a list of keys and a list of values: http://www.mkyong.com/java8/java-8-convert-map-to-list

The code posted on mkyong.com does it in two steps:

Categories: Java

3R Principles of Programming

Javalobby Syndicated Feed - Fri, 09-Sep-16 08:21

Introduction

Programming is an Art. When we program, often we think that programs are a set of instructions fed to a computer for solving business use cases. Though it is true, programs also serve more than that in the real world.

Let us start with a code snippet that runs without any problems.

Categories: Java

Great Technology Never Gets Old? Linux Celebrates 25 years!

Javalobby Syndicated Feed - Fri, 09-Sep-16 02:31

It’s quite hard to imagine a world without Linux in it, but in reality one of the industry de-facto standard operating environments has just reached its quarter century anniversary. This blog looks at the story of how we got here.

In the IT world of 1991, the desktop market was just blossoming, the personal computer was becoming more powerful, Intel were breaking Moore’s law with reckless abandon, and Microsoft were starting to get their act together with a brand new exciting development that was to hit the streets a year later, called Windows. The server market was also expanding. An interminable list of organizations including IBM, HP, Sun, TI, Siemens, ICL, Sequent, DEC, SCO, SGI, and Olivetti were building proprietary chips, machines and UNIX variants. UNIX had already by that stage enjoyed significant success since making the leap from academia to commerce, and everyone was trying to get a share of the spoils.

Categories: Java

Forbidden APIs of Java

Javalobby Syndicated Feed - Fri, 09-Sep-16 00:31

Software developers try to take care of many cases when they develop software. They add checks for null comparisons, checks for a negative value in a function argument which should be positive, etc. They also want to write generic software which can run on Windows, Linux, etc., because they do not know where it will be run.

However, there may be still huge problems which haven’t been detected. Do you make case insensitive String comparisons in Java? Consider this:

Categories: Java
