Invariant Properties


Log once or log early?

Bear Giles | October 16, 2010

First, a really good resource: Java antipatterns.  I plead the Fifth on how many of these things I still do on occasion.

I disagree on one point though – logging once.  I hate reading duplicate stack traces as much as everyone else but I think it’s a mistake to only log once.  What are the problems?

  • Swallowed Exceptions.  It still happens. A lot.  When it does you’ll lose all evidence of a problem unless you logged something earlier.
  • Summarized Exceptions. This is showing the message without the stack trace.  In an ideal world this would tell us exactly what we need to know but in practice it’s often a very generic message.
  • Lost Exceptions. A stack trace will recursively call getCause(). So far so good — but did you know that SQLException includes a nextException() method?  It’s used because a single problem will often cause multiple SQL exceptions and the ‘interesting’ one is usually not the one that’s ultimately propagated to the caller.  The standard stack trace method isn’t smart enough to follow these links.
  • Lost Information.  A stack trace shows the line where the exception occurred but tells us nothing about the context.
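An added example for the "Lost Exceptions" bullet (this is not code from the original post): a helper that walks both the getCause() chain that printStackTrace() already follows and the JDBC getNextException() chain (the method the post refers to as nextException()) that it does not, so the interesting SQLException is logged even when the driver chained it behind a generic one. The sample exceptions are constructed.

```java
import java.sql.SQLException;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;
import java.util.logging.Logger;

public final class SqlExceptionChains {
    private static final Logger log = Logger.getLogger(SqlExceptionChains.class.getName());

    /** Describes t and every exception reachable through getCause() or getNextException(). */
    public static String describe(Throwable t) {
        StringBuilder sb = new StringBuilder();
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<Throwable, Boolean>());
        walk(t, 0, seen, sb);
        return sb.toString();
    }

    private static void walk(Throwable t, int depth, Set<Throwable> seen, StringBuilder sb) {
        if (t == null || !seen.add(t)) return;          // null end of chain, or a cycle
        for (int i = 0; i < depth; i++) sb.append("  ");
        sb.append(t.getClass().getName()).append(": ").append(t.getMessage());
        if (t instanceof SQLException) {
            SQLException sqle = (SQLException) t;       // SQLState and vendor code are often more
            sb.append(" [SQLState=").append(sqle.getSQLState())   // useful than the message text
              .append(", vendorCode=").append(sqle.getErrorCode()).append(']');
        }
        sb.append('\n');
        walk(t.getCause(), depth + 1, seen, sb);        // the link a stack trace follows
        if (t instanceof SQLException) {                // the link it silently drops
            walk(((SQLException) t).getNextException(), depth, seen, sb);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the root cause is chained via setNextException, not as a cause,
        // so a plain stack trace would show only the generic batch failure.
        SQLException root = new SQLException("duplicate key value violates unique constraint", "23505", 0);
        SQLException batch = new SQLException("Batch entry 0 was aborted", "23505", 0);
        batch.setNextException(root);
        log.warning(describe(new RuntimeException("could not execute batch", batch)));
    }
}
```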

There are two sane alternatives.  The first approach is to look for the site of the (probable) original exception so you can catch it, log the method arguments and exception message and then rethrow the exception.   It’s a single line or two in the log and will give you a lot of insight into duplicating the problem.

The second approach is to write an AOP interceptor that you use liberally.  It’s a simple pass-through interceptor except that, in the event of an exception, it will log the method arguments before rethrowing the exception.  This gives you a stack trace complete with method arguments.

I like the second approach since it’s extremely powerful during development but can be easily removed from the production system.

import java.util.logging.Logger;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

/*
 * Simple interceptor that logs method arguments when an exception occurs. A simple
 * variant of this lets a method discover its stack trace at any time. (Just remember
 * to use a ThreadLocal Stack.)
 *
 * @author bgiles
 */
public class SimpleInterceptor {
   private static final Logger log = Logger.getLogger(SimpleInterceptor.class.getName());

   /**
    * Simple interceptor that logs method arguments when an exception occurs.
    *
    * @param invocation the intercepted method call
    * @return whatever the intercepted method returns
    * @throws Exception the original exception, rethrown unchanged after logging
    */
   @AroundInvoke
   public Object logArgumentsOnException(InvocationContext invocation)
       throws Exception {
      Object results = null;

      try {
         results = invocation.proceed();
      } catch (Exception e) {
         StringBuilder sb = new StringBuilder(invocation.getMethod().getName());
         sb.append("(");

         // Join the arguments with ", " (a zero-argument method must not lose its "(").
         // Arguments are logged verbatim, so a password or token passed to an
         // intercepted method lands in the log too; mask such parameters if needed.
         Object[] params = invocation.getParameters();
         for (int i = 0; i < params.length; i++) {
            if (i > 0) {
               sb.append(", ");
            }
            sb.append(String.valueOf(params[i]));
         }

         sb.append("): ");
         sb.append(e.getClass().getName());
         sb.append(": ");
         sb.append(e.getMessage());
         log.warning(sb.toString());
         throw e;
      }
      return results;
   }
}

Hot certifications

Bear Giles | October 15, 2010

I came across this in a newsletter from itjobcafe.com:

50 Hot IT Skills on the Rise

 

Here are the 25 certifications and non-certified skills most likely to increase in value over the next six months, as determined by Foote Partners LLC. But President David Foote cautions, “There is simply no such thing as a reliable six-month IT labor forecast in these volatile market conditions.”

Rank | IT Certifications                                   | Non-certified IT Skills
-----|-----------------------------------------------------|------------------------------------------------------------------------
1    | SAS Certified Base Programmer                       | SAP Basis components
2    | Red Hat Certified Security Specialist               | RAD/extreme programming/agile programming
3    | CompTIA Security+                                   | Virtual private networks
4    | SAS Certified Advanced Programmer                   | Business continuity and disaster recovery planning
5    | VMware Certified Professional                       | Web 2.0 skills (AJAX, Adobe Flex, Adobe Flash, JavaScript, JSON)
6    | GIAC Security Essentials Certification              | Windows 7
7    | Citrix Certified Enterprise Administrator           | SAP Web Application Server
8    | Cisco Certified Network Professional                | SAN/storage administration
9    | Cisco Certified Internetwork Professional           | RFID/wireless sensors
10   | Red Hat Certified Technician                        | Python
11   | HP Accredited Integration Specialist                | HTML/DHTML/XHTML
12   | Microsoft Certified Professional Developer (all)    | Business performance management software/systems
13   | Sun Certified Systems Administrator for Solaris     | SAP BPC (Business Planning and Consolidation)
14   | Microsoft Certified Database Administrator          | SAP EBP (Enterprise Buyer Professional)
15   | Cisco Certified Design Professional                 | SAP FI — FSCM (Financial Accounting — Financial Supply Chain Management)
16   | GIAC Certified Incident Handler                     | Linux
17   | CyberSecurity Forensic Analyst                      | Ruby/Ruby on Rails
18   | Certification Authorization Professional            | Social networks (tagging, virtual communities, social bookmarking, etc.)
19   | Microsoft Certified Technology Specialist (virtualization) | SAP SCM (Supply Chain Management)
20   | GIAC Security Audit Essentials                      | SAP SRM (Supplier Relationship Management)
21   | GIAC Secure Software Programmer                     | ITIL v3 Foundation
22   | IBM Certified Specialist – AIX Basic Op             | SAP WM (Warehouse Management)
23   | Avaya Certified Specialist                          | Web Dynapro
24   | Check Point Certified Security Administrator        | SAP APO (Advanced Planner and Optimizer)
25   | GIAC Certified Windows Security Administrator       | SAP PP (Production Planning)

Source: Foote Partners IT Skills and Certifications Hot Lists, July 2010. Rankings are based on interviews with hundreds of executives and primary decision-makers from the 2,000 companies in Foote’s database of research partners.

 

I don’t know what to think about this. Surveys of 2000 companies are great but there are major omissions. Where are the Oracle database certifications? Where is the CISSP security certification?  These are both highly respected certifications and other certs in these fields are listed.

What makes this even more bizarre (to me) is that a CISSP is one of the certifications acceptable for the DoD 8570 IAT level III designation (enclave administrator – think website + associated database).  That level is required for ALL personnel doing that work be they military, civilian employees or contractors after 31 Dec 2010.  GCIH is another certification that meets this requirement.

Surely there’s a high demand for a certification that’s required to be an enclave administrator after the end of this year!

As an aside, a Security+ certification satisfies DoD 8570 IAT level II (network admin).  It’s not enough to be a full site administrator.


PostgreSQL “Zero bytes may not occur in string parameters.” error

Bear Giles | October 6, 2010

I’ve been seeing a repeatable “Zero bytes may not occur in string parameters.” error from my PostgreSQL driver.  This is occurring when (Hibernate) persisting an object with a few @Lob columns.  The problem does not occur when using H2 database in native mode.  This suggests it’s something database-specific – maybe an error in character handling (and maybe it’s H2 that is broken), maybe a difference in the representation in the files (UTF-8?  ISO-8859-1?  USASCII?).

This is a real pain since it throws an IllegalArgumentException(!) and it leaves Hibernate totally hosed.  Even closing the session and opening a new one doesn’t work.  I haven’t tried closing the SessionFactory since I don’t have a way to reestablish one.  (Standard Spring injection has its own drawbacks.)

I have determined that the problem is bad data in the @Lob.  That surprises me since it should be able to handle just about anything.  I don’t know what the character sequence is since it’s in Chinese.  But knowing that I can turn on/turn off this error by simply marking a column as @Lob/@Column or @Transient gets me a lot further than I was when I could only find Google references to queries with explicit string parameters.
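An added example, not code from the original post: a small check that locates the character the PostgreSQL driver refuses (U+0000, the "zero byte" in the error message) in an entity's String fields and reports field name and offset, so the offending sequence can be pinned down even when the surrounding text is in a script you cannot read. The Document entity and its contents are constructed; calling scan() from a JPA @PrePersist/@PreUpdate callback is an assumed usage, and whether to reject or strip the data is a policy decision left to the caller.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

/** Finds NUL characters in String fields before they reach the JDBC driver. */
public final class NulByteCheck {

    /** One offending character: the field it sits in and its index within the string. */
    public static final class Hit {
        public final String field;
        public final int offset;
        Hit(String field, int offset) { this.field = field; this.offset = offset; }
        @Override public String toString() { return field + "@" + offset; }
    }

    /** Index of the first NUL in s, or -1 when the string is clean (or null). */
    public static int firstNul(String s) {
        return s == null ? -1 : s.indexOf('\u0000');
    }

    /** Walks every non-static String field of the entity, superclasses included. */
    public static List<Hit> scan(Object entity) throws IllegalAccessException {
        List<Hit> hits = new ArrayList<Hit>();
        for (Class<?> c = entity.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers()) || f.getType() != String.class) continue;
                f.setAccessible(true);                      // private entity fields are the norm
                int at = firstNul((String) f.get(entity));
                if (at >= 0) hits.add(new Hit(f.getName(), at));
            }
        }
        return hits;
    }

    /** For callers that decide truncation is acceptable: removes every NUL from s. */
    public static String stripNul(String s) {
        return s == null ? null : s.replace("\u0000", "");
    }

    // Constructed sample entity: a clean column and a @Lob-like column hiding a NUL
    // inside Chinese text, which is the situation the post describes.
    static class Document {
        String title = "report";
        String body = "\u4e2d\u6587 text\u0000with a stray NUL";
    }

    public static void main(String[] args) throws Exception {
        System.out.println(scan(new Document()));       // reports the field and offset of the NUL
    }
}
```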


Installing Adobe AIR on Ubuntu and noexec /tmp directories

Bear Giles | October 1, 2010

Adobe AIR is a cross-application framework/container. We see this to some extent with web browsers and Web 2.0, but AIR is more powerful and doesn’t require an internet connection. Installing AIR is the first step to installing applications like Tweetdeck (twitter client) and Balsamiq (mockups).

Adobe has a Linux version. Download at http://get.adobe.com/air/.

So I get the file, set the ‘executable’ flag, and run it.

Nothing happens.

I eventually determined that the problem is because the installer built an environment in /tmp and then launched an application in that environment. Briefly remounting /tmp with exec permission allowed the installer to run. yay!

Why mount /tmp (and /home, /var/log, and my service directories like /var/lib/postgresql and /var/lib/svn) noexec, nosuid and nodev?

Security. A lot of malware will create an environment that it uses to install itself, or will even hide itself in the user’s home directory or in an unusual place like the /dev or /var/log directories. If you make these places noexec then the installers and the malware itself can’t run. There are few times this is an issue and (presumably) system developers who do need to develop and run applications in their home directories will have good security awareness.

What about nodev? There are a few legitimate uses, e.g., loopback devices that allow you to treat a file as a mountable filesystem, but the concern is that malware (or a malicious user) could create a special device that allows direct access to the hardware. At best this device can be used to eavesdrop on other users, at worst it can be used to destroy the information. (“dd if=/dev/zero of=/dev/sda”) This is something that will have to be treated on a case-by-case basis, but again anyone who needs access to raw devices presumably has good security awareness.


Solving eclipse's hang-on-startup problem

Bear Giles | October 1, 2010

I love eclipse (and myeclipse) but it occasionally gets into a dark space where it hangs on startup. We’re talking an hour+ with no apparent progress although jconsole/jvisualvm shows that there’s something going on.

“eclipse –clean” doesn’t fix the problem. Rebooting doesn’t fix it. Googling offers some good advice but again it doesn’t fix the problem.

Brad Howerter found the solution. There’s a “.settings” directory under each project. It’s just a cache and can be nuked. Problem solved.

I think what’s happening is that the permissions on one or more files are getting screwed up somehow. The file is marked read-only, it has a persistent OS lock, something. Eclipse tries to do the right thing by retrying but there’s no sanity check to give up (with a decent explanation!) after multiple failures. Instead it keeps trying and the application appears to hang. I have no idea why those permissions would be screwed up in the first place though.


Getting through a firewall via proxy

Bear Giles | October 1, 2010

Corporate firewalls. sigh. But sometimes our applications have to get past a firewall. How do you do it?

The best solution is to let somebody else do it. If you’re using HttpComponents (HttpClient was renamed with version 4) it already has support for proxies in the HostConfiguration object. The library is designed to handle it, so you should just set up the configuration and be done with it.

Sometimes you can’t let somebody else do it. For instance you could be reading a naked stream. This isn’t HTTP at all but these services often sit on port 80 since that port is let through firewalls. A library like HttpComponents/HttpClient might look tempting but it’s not the answer.

So how do you get through the proxy firewall yourself?

The first step is to identify the type of proxy firewall you’re dealing with. All require that you connect to the proxy, most require you to also authenticate yourself.  But you might get lucky and only need to solve the first half of the problem.

Proxy connection

The easiest way to set up a proxy connection is to set two (or three) System properties:

  • http.proxyHost
  • http.proxyPort
  • http.nonProxyHosts (‘|’ separated list with ‘*’ wildcards)

You can set these properties programmatically or via the command line. You can only have one default proxy though – something that may not be acceptable to you.

// Both values are Strings; the port is parsed by the HTTP handler.
System.setProperty("http.proxyHost", proxyHost);
System.setProperty("http.proxyPort", proxyPort);
URL url = new URL(destination);
URLConnection conn = url.openConnection();
conn.connect();

A slightly more difficult approach is to create a Proxy object that is passed to the URL connection.

Proxy proxy = new Proxy(Proxy.Type.HTTP,
   new InetSocketAddress(proxyHost, proxyPort));
URL url = new URL(destination);
URLConnection conn = url.openConnection(proxy);
conn.connect();

This approach raises a question – where do you create the Proxy? There’s been a solution since Java 5 – the ProxySelector class. It provides a list of Proxies for a specified URL. You need to create your own ProxySelector and register it as the default ProxySelector, but that should be straightforward.

The application code must still know to retrieve a Proxy from the selector but there is no longer a need for that code to know the details of that Proxy.

// select() returns a List<Proxy> in order of preference; take the first one.
Proxy proxy = ProxySelector.getDefault().select(url.toURI()).get(0);
URLConnection conn = url.openConnection(proxy);
conn.connect();

Authentication

The classic way to handle http proxy firewall authentication is to set a request header.

Proxy proxy = ProxySelector.getDefault().select(url.toURI()).get(0);
HttpURLConnection conn = (HttpURLConnection) url.openConnection(proxy);

// Base64 here is org.apache.commons.codec.binary.Base64. The header must be set
// before connect(); once connected, setRequestProperty() throws IllegalStateException.
String encodedUserPwd = Base64.encodeBase64String("user:password".getBytes("UTF-8"));
conn.setRequestProperty("Proxy-Authorization", "Basic " + encodedUserPwd);
conn.connect();
InputStream is = conn.getInputStream();

A second approach is to provide a default authenticator that will be used on all connections.

Authenticator.setDefault(new Authenticator() {
   @Override
   protected PasswordAuthentication getPasswordAuthentication() {
      return new PasswordAuthentication(username, password.toCharArray());
   }
});

If we need to provide multiple authentications we must provide a local implementation of Authenticator that overrides the various static methods to

More info: http://www.rgagnon.com/javadetails/java-0085.html
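An added example (not code from the original post) covering the two open points above: a ProxySelector that picks a different proxy per destination, with a bypass list like http.nonProxyHosts, and one Authenticator that answers each proxy's challenge with that proxy's own credentials, using getRequestorType() and getRequestingHost() to tell the challenges apart. All proxy names, ports and credentials are constructed placeholders.

```java
import java.io.IOException;
import java.net.*;
import java.util.*;

/** One ProxySelector plus one Authenticator covering several proxies, each with its own
 *  credentials. All proxy names, ports and credentials here are constructed placeholders. */
public final class PerHostProxyConfig {
    /** destination host suffix -> proxy; the empty suffix is the catch-all route. */
    private final Map<String, InetSocketAddress> routes = new HashMap<String, InetSocketAddress>();
    /** proxy host -> credential, keyed by what Authenticator.getRequestingHost() reports. */
    private final Map<String, PasswordAuthentication> creds = new HashMap<String, PasswordAuthentication>();
    private final List<String> direct;   // bypass list, same idea as http.nonProxyHosts

    PerHostProxyConfig(List<String> direct) { this.direct = direct; }

    PerHostProxyConfig route(String suffix, String proxyHost, int port, String user, char[] pw) {
        // createUnresolved: no DNS lookup here; the HTTP stack resolves the proxy when it is used.
        routes.put(suffix, InetSocketAddress.createUnresolved(proxyHost, port));
        creds.put(proxyHost, new PasswordAuthentication(user, pw));
        return this;
    }

    /** Picks the proxy for a destination: bypass list first, then a matching host suffix. */
    Proxy proxyFor(URI uri) {
        String host = uri.getHost() == null ? "" : uri.getHost();
        for (String d : direct) {
            if (host.equals(d) || host.endsWith("." + d)) return Proxy.NO_PROXY;
        }
        InetSocketAddress chosen = routes.get("");
        for (Map.Entry<String, InetSocketAddress> e : routes.entrySet()) {
            if (!e.getKey().isEmpty() && host.endsWith(e.getKey())) chosen = e.getValue();
        }
        return chosen == null ? Proxy.NO_PROXY : new Proxy(Proxy.Type.HTTP, chosen);
    }

    /** Registers this configuration as the JVM-wide ProxySelector and Authenticator. */
    void install() {
        ProxySelector.setDefault(new ProxySelector() {
            @Override public List<Proxy> select(URI uri) { return Collections.singletonList(proxyFor(uri)); }
            @Override public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
                System.err.println("proxy " + sa + " failed for " + uri + ": " + ioe.getMessage());
            }
        });
        Authenticator.setDefault(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                // Answer only proxy challenges, so proxy credentials never go to an origin server.
                if (getRequestorType() != Authenticator.RequestorType.PROXY) return null;
                return creds.get(getRequestingHost());
            }
        });
    }

    public static void main(String[] args) throws Exception {
        new PerHostProxyConfig(Arrays.asList("localhost", "intranet.example"))
            .route("", "proxy-a.example", 3128, "user-a", "pw-a".toCharArray())
            .route("partner.example", "proxy-b.example", 8080, "user-b", "pw-b".toCharArray())
            .install();
        System.out.println(ProxySelector.getDefault().select(new URI("http://api.partner.example/feed")));
    }
}
```

Since Java 8u111 the JDK disables Basic authentication to proxies for HTTPS (CONNECT) tunnels by default through the jdk.http.auth.tunneling.disabledSchemes property, so for https destinations the Authenticator above is not consulted for Basic unless that property is cleared.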

