Posts tagged with #java


There are different points of view on how logging levels should be used in code. I will share mine. My assumption is: «There should be no errors in logs when everything is fine.» The idea is that the strongest log level should trigger an alarm causing immediate notification (push or SMS) to the operations team. Accordingly, that’s how logging levels should be used: error – Some action should be taken immediately! The ops team should enable email or SMS notifications when a message of that kind appears in the logs.

Making your web application resistant to security attacks is a challenge for every Java developer. In this article I will briefly describe common practical development techniques that can help you achieve it.

OWASP Top 10, a list of the 10 Most Critical Web Application Security Risks, includes the following risks:

  • A1 - Injection
  • A2 - Broken Authentication & Session Management
  • A3 - Cross-Site Scripting (XSS)
  • A4 - Insecure Direct Object References
  • A5 - Security Misconfiguration
  • A6 - Sensitive Data Exposure
  • A7 - Missing Function Level Access Control
  • A8 - Cross-Site Request Forgery (CSRF)
  • A9 - Using Components with Known Vulnerabilities
  • A10 - Unvalidated Redirects and Forwards

In this article I will highlight the most important Java coding techniques for building secure web applications.

Deploying an application into a secure environment adds some restrictions on logging and log management. The OWASP community gives some useful recommendations.

OWASP Security Testing Guide Recommendations

The OWASP Security Testing Guide defines a number of questions to be answered when reviewing application logging configuration (see OTG-CONFIG-002):

1. Do the logs contain sensitive information? Log files should not contain any sensitive data. In any case, log file access must be restricted: event log information should never be visible to end users.

One of the first requirements of the Netty ISO8588 client connector was support for automatic reconnect.

One of the first recipes I came across was Thomas Termin’s. He suggests adding a ChannelHandler which schedules a call to the client’s connect() method once a Channel becomes inactive, plus a ChannelFutureListener which re-creates the bootstrap and re-connects if the initial connection attempt failed.

Although this is a working solution, I had a feeling that something was not optimal. Namely, a new Bootstrap is created on every connection attempt.

So, I created a FutureListener which is registered once a Channel is closed.

I’ve been meaning to write a small tutorial on building web applications. Now it’s time! Let’s define the steps and choose some solutions for developing a back-end Java web application.

I will give my design recommendations and list the technologies I would use. You may have your own opinion and you may share it in the comments. Over time, this post may change since my favourites also change over time.

Spring Boot is an excellent tool for bootstrapping a Java application. Most of the references describe how to create a standalone Java application, optionally with an embedded web server (Tomcat or Jetty). But Spring Boot also supports creating web applications intended to run within a servlet container. Here is an example of a Maven pom.xml file for a Spring-Boot-enabled web application:

Spring Framework offers very flexible means for binding application components: externalizable properties, composite configuration, nested application contexts and profiles.

Sometimes it is necessary to control whether particular beans or a @Configuration will be loaded or not. Spring Framework v.4.1.x does not provide that feature out of the box. But, fortunately, Spring allows conditional bean initialization (see the @Profile implementation and @Configurable). So, I created the annotation @Enabled which allows me to control bean instantiation via properties.

@Enabled indicates that a component is eligible for registration when the evaluated expression is true. This annotation should be used in conjunction with the Configuration and Bean annotations.

When developing a Java web application it is often annoying to manage third-party JavaScript libraries, especially when it is necessary to upgrade some of them. The project «WebJars» makes life easier for lazy (that is, efficient) developers like me :-) There is a wide range of popular JavaScript libraries packaged into Jar archives and ready to be included as dependencies in your project. The documentation describes how to configure resource mapping in the web framework of your choice.


Very often there is a need to monitor a Java application server. For example, an external monitoring tool like Nagios/Zenoss/Zabbix needs to get some metrics, such as heap memory usage or thread count.

The usual way to get those metrics is to set up access to the application server via JMX.

But sometimes it is not possible to leave another port open for JMX, and the only ports available are HTTP (80 or 8080) or HTTPS (443 or 8443).

Here Jolokia comes to the rescue!

JSON has become a de-facto standard for web services, replacing XML web services. It has native support in web browser clients.

That makes JSON the standard of choice for UI-oriented services. It has good support on mobile devices. Also, it provides a smaller data payload size compared to XML, which is very useful for high-load systems as it saves traffic. But what about data validation? For XML web services there is XML Schema. It comes to mind that a similar standard for JSON should be called «JSON Schema». And it really exists!

Chronicle by Peter Lawrey: This library is an ultra low latency, high throughput, persisted, messaging and event driven in-memory database. The typical latency is as low as 80 nanoseconds and it supports a throughput of 5-20 million messages/record updates per second. This library also supports distributed, durable, observable collections (Map, List, Set). The performance depends on the data structures used, but simple data structures can achieve a throughput of 5 million elements or key/value pairs per second in batches (e.g. addAll or putAll) and 500K elements or key/values per second when added/updated/removed individually.

It makes no sense to run a profiler in instrumentation mode under high load. Instead of instrumentation you should use sampling mode. This article describes the difference between instrumentation and sampling modes. JVisualVM is a good free tool for this task.

When configuring executors in a multithreaded application, do not forget to assign names to your threads. It simplifies later profiling a lot when you see meaningful thread names in your profiler. For example, you may use CustomizableThreadFactory from Spring Framework for that.

I’ve recently switched the logback configuration of our application from XML to Groovy. The configuration file is now about 5 times smaller and fits on one screen! Groovy helped to remove duplicated parts of the configuration by using a for loop. The migration was easy thanks to the online conversion tool. And don’t forget to add a groovy-all runtime dependency to your project config.

I recently spent some time making Netty 3.6 send a message when a connection has been established.

What the documentation suggests is to extend SimpleChannelUpstreamHandler and override the method channelConnected(...). It works fine unless an SslHandler is used in the pipeline. If that handler is present, channelConnected() was never called on my handler. The problem was caused by the client, which did not initiate the SSL handshake on connection. Until the handshake completes, no other ChannelHandlers are notified. Fortunately, there is a convenient way to initiate the handshake on the client. The Netty documentation states:

Sometimes it is necessary to export a Spring-managed bean to a JNDI context. Here I want to show how to do it.

In Spring, there is a bean that provides similar functionality for exporting to an MBean server: MBeanExporter. Unfortunately, there is no standard JNDI bean exporter implementation in Spring Framework (current version is 2.5.6) - (Why?). But it’s easy to write it yourself: