Shell Scripts That In-Line Java

Sometimes the simplest things get overlooked. There are many times when I need to do something that crosses system languages. For example, dynamically deciding on the right arguments to feed to a Java tool or service JVM. Or when I need to do some undirected graph manipulations of data from PowerShell or bash. There is no reason not to step up to the higher-level language to get the job done.

Java Performance Cheat Sheet

An Oracle Java Architect, Rupesh Ramashandran, posted a great 'cheat sheet' for JVM performance tuning. Essentially he shows which 15 tuning parameters (of the 50+ available) are the ones where you are most likely to get the best results. He also gives solid clues for logging and diagnosis. If you need to get better performance from the JVM this post will save you lots of time and effort. He covers production JVM instances running on multi-core server-class machines.

His Blog entry is at

Dynamic Tomcat configuration using parameter substitutions

I was looking for a way to make a dynamic Tomcat configuration that would let me avoid editing XML files. I knew that Tomcat supported parameter substitution. However, I could not find a list of what was provided by default. Yes, I know the phrase "your mileage may vary" applies deeply to this. Nonetheless it seemed to me there had to be a reasonable list.

Connecting Python to a Java Rest Servlet using POST

Pulled my hair out for too long to admit over this. I had to tie a Python script to a servlet, but the amount of data was too large for a GET. I wrote the whole thing in a quick sprint, but then it didn't work. It worked if I pumped data to it via a GET request. But when I shifted to a POST it stopped working. After a lot of RTM and Googling I still didn't see my error. After a coffee and a walk I looked at it and did a head slap. In the Python code I had set the Content-type to "text/plain;charset=UTF-8".

Android Note Taking Application

Just a quick note on notes. I want to be able to take notes efficiently on my Android phone, which I can then sync to a computer, edit, and sync back. But wait, there is more:

* Ability to write and read notes on the mobile phone
* True sync of notes (with merge) to and from a computer
* Ability to create, edit, and search notes on the computer
* Must be able to do this without posting notes to some network service (but does not exclude a network service)
* Import/export notes from simple text files with some basic formatting (limited wiki-like support)

Sad Day For Java

Not entirely unexpected, but still pretty sad: today the Apache Software Foundation resigned in protest from the Java SE/EE Executive Committee.

I had held out hopes that Oracle would reverse their mindset, but that is not to happen.

Unit Testing Java

Basic testing patterns are important. But it is also important to properly plan the testing. Building a matrix really helps make sure you are covering all the bases.

A simple case is something that will compare two items for you. These little helper classes need to be built all the time for sorted lists and other such uses. However, it is amazingly easy to get something out of alignment. So for argument's sake let's stick with something simple: "Compare two strings as being equal, allowing nulls to be used such that two nulls return true."

Where should exceptions go?

Let's talk about exceptions for a moment. At the office a discussion came up that was essentially about whether we should group our exception objects together into a single module/subsystem-wide package or have them called out in the packages next to the code they are used by.

Personally I think packages specific to exceptions are a bad idea because it detaches them from the business objects they are supposed to be supporting. An exception should represent a possible result of a direct action on a domain object. I think they should be subsystem/object specific.

Defensive Java Programming Notes (11 of 11) Top 13 Best Practices

Best Practice #1 Do Input Validation

Input validation verifies or cleans up inputs to the application. Essentially, trust no data from any source until it has been proven safe by some established format verification process. Input validation is a critical part of a web service's reliability and security (or of any software application, for that matter). By failing to validate input data, an application may do very unexpected things when given garbled (accidentally or intentionally) input, leading to a security violation or a vulnerable state.

Input Validation:

Java SecureString Class

Secure string implementation is very hard. A secure string is a means to keep and use confidential data. Essentially the text cannot be stored as plain text and definitely cannot be stored in a Java String object, since that is immutable and there is no definable point at which it will be removed from the system.

Secure String Implementations should:

  • keep the text encrypted for privacy while it is in use
  • delete it from computer memory when it is no longer needed
  • not allow it to be paged to swap memory
  • not let it be seen via memory inspection

Defensive Java Programming Notes (10 of 11) Web Container Security Features

Warning: this is amazingly boring.

Web containers are things like Apache Tomcat, WebSphere, Java Systems Webserver, JBOSS, Weblogic, and lots more.

There are some common things:

  • Web applications created by developers

  • Security needs for a given web application are usually deployment-specific

  • Deployers should be able to specify security settings without changing application code

Defensive Java Programming Notes (09 of 11) Poorly Implemented Cryptography

Cryptography is effective only if it is used properly. It is way too easy to use very strong cryptography libraries very wrongly. The most common problems with cryptography implementations are:

  • Use of home-grown algorithms (let's face it, unless you have a PhD in mathematics and another in cryptography you should not write a cryptographic algorithm for a production system);

  • Cryptography depends on REALLY random seed data, and the standard rand() calls are NOT random enough even for individual cryptographic functions, let alone for complete cryptographic solutions;

Defensive Java Programming Notes (08 of 11) Information Disclosure

There is never any reason to dump detailed data out to the users. Log it, maybe tack an error ID onto it, and then send a message to the user that there was an error.

Web applications should never dump data like stack traces, ODBC error messages, authentication error messages, or anything else that exposes a detail about the implementation of the site.

Sometimes error messages or unexpected outputs give an attacker a significant advantage in attacking a system. Examples of useful information that will aid an attacker are:

Defensive Java Programming Notes (07 of 11) HTTP Response Splitting

This is where an attacker is able to convince the browser that there were actually two HTTP responses, so that the browser treats the second response as the body, which would be completely controlled by the attacker.

Would direct the user's browser to

Typically this is used to do other kinds of attacks like:

  • Cross-Site Scripting

Defensive Java Programming Notes (06 of 11) Cross-Site Request Forgery (CSRF or XSRF)

Tricks the victim's browser into performing (undesirable) actions on behalf of the victim. There is no EASY way for the site to tell if a submitted request is valid or an XSRF attack, because this attack causes the browser to do exactly what it is supposed to do, using those behaviors against the victim. Examples are:

  • Transferring funds
  • Changing passwords
  • Purchasing an item