Posts in category Programming


There are different points of view on how logging levels should be used in code. I will share mine. My assumption is: «There should be no errors in logs when everything is fine.» The idea is that the strongest log level should trigger an alarm that causes immediate notification (push or SMS) of the operations team. Accordingly, that's how logging levels should be used: error – Some action should be taken immediately! The ops team should enable email or SMS notifications when a message of that kind appears in the logs.

Recently I was asked how to start testing the UI before the backend is completed. It depends on the product a lot. But when we're talking about the web, it is often not clear how the final solution should look and behave. If so, it is not reasonable to spend much time writing UI tests using tools like Selenium before the first prototype is ready. It is not reasonable to write a presentation layer and, in some cases, business logic on the server side before it is clear what kind of data is required for the UI.

Selenide is a nice wrapper around Selenium WebDriver that simplifies writing UI tests with Selenium.

Some of the cool features are:

  1. jquery-like selector syntax, e.g. $("div.myclass").is(Condition.visible)
  2. Automatic screenshots on assertion failure
  3. Easy startup of Selenium WebDriver
  4. And others

So, let's write some tests with Selenide and run them from Maven in a normal browser or in headless mode.

Making your web application flawless against security attacks is a challenge for every Java developer. In this article I will briefly describe common practical development techniques that can help you achieve it.

OWASP Top 10, a list of the 10 Most Critical Web Application Security Risks, includes the following risks:

  • A1 - Injection
  • A2 - Broken Authentication & Session Management
  • A3 - Cross-Site Scripting (XSS)
  • A4 - Insecure Direct Object References
  • A5 - Security Misconfiguration
  • A6 - Sensitive Data Exposure
  • A7 - Missing Function Level Access Control
  • A8 - Cross-Site Request Forgery (CSRF)
  • A9 - Using Components with Known Vulnerabilities
  • A10 - Unvalidated Redirects and Forwards

In this article I will highlight the most important Java coding techniques for building secure web applications.

Deploying an application into a secure environment adds some restrictions on logging and log management. The OWASP community gives some useful recommendations.

OWASP Security Testing Guide Recommendations

The OWASP Security Testing Guide defines a number of questions to be answered when reviewing application logging configuration (see OTG-CONFIG-002):

  1. Do the logs contain sensitive information? Log files should not contain any sensitive data. In any case, log file access must be restricted: event log information should never be visible to end users.

One of the first requirements for the Netty ISO8588 client connector was support for automatic reconnect.

One of the first recipes I came across was Thomas Termin's. He suggests adding a ChannelHandler which will schedule a call of the client's connect() method once a Channel becomes inactive, plus adding a ChannelFutureListener which will re-create a Bootstrap and re-connect if the initial connection failed.

Although this is a working solution, I had a feeling that something was not optimal. Namely, a new Bootstrap is created on every connection attempt.

So, I created a FutureListener which should be registered when a Channel is closed.

I've been meaning to write a small tutorial on building web applications. Now it's time! Let's define the steps and choose some solutions for developing a back-end Java web application.

I will give my design recommendations and list the technologies I would use. You may have your own opinion and you may share it in the comments. Over time, this post may change, since my favourites also change over time.

There are situations when you need to analyze users' experience but can't use third-party web analytics solutions like Google Analytics or Yandex Metrika, for example if your production environment is PCI DSS compliant. In this case you have to deploy a self-hosted analytics engine inside your environment and configure user action tracking in your application. One possible solution is Piwik as the analytics engine plus Angulartics or angular-piwik for tracking events inside an AngularJS application.

A modern web application should be user friendly and notify the user when a time-consuming operation is in progress, e.g. uploading a file or downloading data. There are some solutions for AngularJS which are fairly easy to integrate. The first one is Angular Loading Bar. It can be attached to your application with almost zero configuration and does not affect the application design. It attaches an interceptor to the $http service and displays a thin progress bar on the top edge of the page.

Stay DRY! Don't waste your time implementing a tags input control for AngularJS yourself! There is an excellent AngularJS module for that called «ngTagsInput». It also supports autocompletion, validation, custom styles and templates. See the demos. It took me just 10 minutes to add that type of control to my application. All you need to do is:

  1. Add an NPM or Bower dependency: npm install ng-tags-input --save or bower install ng-tags-input --save
  2. Include the script and CSS in your HTML page.

Here are some useful links to security resources:

  • OWASP Top 10 v.2013 – A list of the 10 Most Critical Web Application Security Risks.
  • OWASP: list of website security attacks
  • OWASP: list of website vulnerabilities
  • OWASP Development Guide – The OWASP Developer Guide 2014 is a dramatic re-write of one of OWASP's first and most downloaded projects. The focus moves from countermeasures and weaknesses to secure software engineering. The Developer Guide 2014 is a «first principles» book - it's not specific to any one language or framework, as they all borrow ideas and syntax from each other.

Spring Boot is an excellent tool to bootstrap a Java application. Most of the references mention how to create a standalone Java application, optionally with an embedded web server (Tomcat or Jetty). But Spring Boot also supports creating web applications intended to run within a servlet container. Here is an example of a Maven pom.xml file for a Spring-Boot-enabled web application:

If you are involved in software development, then recalling the basic testing principles once again is not a waste of time. So here are the principles:

  1. A necessary part of a test case is a definition of the expected output or result.
  2. A programmer should avoid attempting to test his or her own program.
  3. A programming organization should not test its own programs.
  4. Any testing process should include a thorough inspection of the results of each test.

JetBrains Idea is the perfect IDE for Java. It requires JDK 1.6+ to run. When you want to run it on a Mac without Java 1.6 installed, the OS will ask you to install it. But if you already have a newer Java version installed, you may run Idea under that newer JDK. Execute in the terminal:

$ open /Applications/IntelliJ\ IDEA\ 14.app/Contents/Info.plist

The TextEdit app will open. Find:

<key>JVMVersion</key> <string>1.6*</string>

then replace 1.

JetBrains Idea is my favorite IDE and I love it! It has the most necessary features for a Java developer out of the box. Even in the Community Edition you'll find a lot of them! The difference between the Community and Ultimate editions is the set of plugins from JetBrains available. Native plugins are well tested and work like a charm, in contrast with Eclipse, where you have to install and configure some extra plugins before you can start coding.

Spring Framework offers very flexible means for binding application components: externalizable properties, composite configuration, nested application contexts and profiles.

Sometimes it is necessary to control whether particular beans or a @Configuration will be loaded or not. Spring Framework v.4.1.x does not provide that feature out of the box. But, fortunately, Spring allows conditional bean initialization (see the @Profile implementation and @Configurable). So, I created the annotation @Enabled which allows me to control bean instantiation via properties.

@Enabled indicates that a component is eligible for registration when the evaluated expression is true. This annotation should be used in conjunction with the @Configuration and @Bean annotations.

JetBrains Idea is a perfect IDE (sorry, Eclipse fans). But, like every tool, sometimes it needs some customization to fit your needs. Today I want to show how to adjust its code-generation templates.

When you generate a new class or method using Idea, it creates one using predefined templates. You may modify that template in the «Settings -> File and Code Templates» section.

Modifying file

When developing a Java web application it is often annoying to manage third-party JavaScript libraries, especially when it is necessary to upgrade some of them. The project «WebJars» makes life easier for such lazy efficient developers like me :-) There is a wide range of popular JavaScript libraries packaged into JAR archives and ready to be included as dependencies in your project. The documentation describes how to configure resource mapping in the web framework of your choice.

JSON has become a de-facto standard for web services, replacing XML web services. It has native support in web browser clients.

That makes JSON the standard of choice for UI-oriented services. It has good support on mobile devices. Also, it provides a smaller data payload size compared to XML, which is very efficient for high-load systems as it saves traffic. But what about data validation? For XML web services there is XML Schema. It comes to mind that a similar standard for JSON should be called «JSON Schema». And it really exists!

Some recipes for optimizing a Vaadin application.

Is your Vaadin application becoming sluggish? Yes, this can happen - it is no secret. This can happen for every application, with every programming language, with every UI library and with all hardware platforms. Make it a web application and it is not even hard. For end users this is not acceptable, especially when building applications for frequent use.

Vaadin: Optimizing Sluggish UI

Chronicle by Peter Lawrey: This library is an ultra low latency, high throughput, persisted, messaging and event driven in-memory database. The typical latency is as low as 80 nanoseconds and it supports throughput of 5-20 million messages/record updates per second. This library also supports distributed, durable, observable collections (Map, List, Set). The performance depends on the data structures used, but simple data structures can achieve throughput of 5 million elements or key/value pairs in batches (e.g. addAll or putAll) and 500K elements or key/values per second when added/updated/removed individually.

It makes no sense to run a profiler in instrumentation mode under high load. Instead of instrumentation you should use sampling mode. This article describes the difference between instrumentation and sampling modes. JVisualVM is a good free tool for this task.

When configuring executors in a multithreaded application, do not forget to assign names to your threads. It simplifies profiling a lot later, when you see meaningful thread names in your profiler. For example, you may use CustomizableThreadFactory from Spring Framework for that.

I recently spent some time making Netty 3.6 send a message when a connection has been established.

What the documentation suggests is to extend SimpleChannelUpstreamHandler and override the method channelConnected(...). It works fine unless SslHandler is used in the pipeline. If that handler is present, channelConnected() is never called on my handler. The problem was caused by the client, which did not initiate the SSL handshake on connection. Until the handshake completes, no other ChannelHandlers are notified. Fortunately, there is a convenient way to initiate the handshake on the client. The Netty documentation states:

Sometimes it is necessary to export a Spring-managed bean to a JNDI context. Here I want to show how to do it.

In Spring, there is a bean that provides similar functionality for exporting to an MBean server: MBeanExporter. Unfortunately, there is no standard JNDI bean exporter implementation in Spring Framework (the current version is 2.5.6) - (Why?). But it's easy to write one yourself: