info.michael-simons.eu » Java

Get the uptime of your Java VM

Michael — Wed, 08 Feb 2012 10:26:00 +0000

You don’t need JConsole or similar for just displaying the approximate uptime of your application respectively your Java Virtual Machine:

import java.lang.management.ManagementFactory;
 
public class Demo {
	public static void main(String... args) {
		final long uptime = ManagementFactory.getRuntimeMXBean().getUptime();
		System.out.println(String.format("Up for %dms", uptime));
	}
}

If you use Joda-Time (and you should if you have anything to do with date/datetime processing), you can format it nicely like so:

import java.lang.management.ManagementFactory;
import java.text.MessageFormat;
 
import org.joda.time.Period;
import org.joda.time.PeriodType;
import org.joda.time.format.PeriodFormatter;
import org.joda.time.format.PeriodFormatterBuilder;
 
public class Demo {
	public static void main(String... args) {
		final Period vmUptime = new Period(ManagementFactory.getRuntimeMXBean().getUptime()).normalizedStandard(PeriodType.yearDayTime());
		final PeriodFormatter pf = new PeriodFormatterBuilder()
				.printZeroAlways()
				.appendDays().appendLiteral(MessageFormat.format("{0,choice,0# days, |1# day, |2# days, }", vmUptime.getDays()))
				.minimumPrintedDigits(2)
				.appendHours().appendLiteral(":").appendMinutes()
				.toFormatter();
		System.out.println(String.format("Up for %s", pf.print(vmUptime)));
	}
}

You also have a nice example of the often unknown MessageFormat.

Share This

The dangers of Javas ImageIO

Michael — Wed, 25 Jan 2012 07:52:11 +0000

Javas ImageIO works… well, most of the time. It contains some unfixed, jpeg related bugs, but it works.

It may contain some dangers when used in a webbased application for generation large images on the fly.

Most problems are related to ImageIOs filed based caching and not flushing buffers when an IOException in an underlying stream occurs.

First, the javax.imageio.ImageReader. It caches some data in files. It is essential to dispose the reader and the underlying ImageInputStream after use if it’s not needed anymore like so:

if(imageReader.getInput() != null && imageReader.getInput() instanceof ImageInputStream)			
  ((ImageInputStream)imageReader.getInput()).close();
imageReader.dispose();

If it isn’t closed and disposed, the temporary cache files are either deleted not at all or maybe at the next garbage collection. I was able to bring down a VM by “java.io.FileNotFoundException: (Too many open files)” several times because i didn’t close a reader in a loop. Even the classloader wasn’t able to load any new classes after the ImageReader going mad on the file handle.

The other side is the javax.imageio.ImageWriter. There is an issue mentioned in the Tomcat Wiki.

I used the ImageWriter to dynamically create large images. I directly passed the javax.servlet.ServletOutputStream to the ImageWriter. If the generation of images takes long enough, there’s a good chance that the client aborts the request and the ServletOutputStream gets flushed right when the ImageWriter is writing to it. I didn’t have the exceptions mentioned in the wiki but my VM crashed. Great. I guess it had something to do with the native org.apache.coyote.ajp.AjpAprProtocol Ajp Apr connector i use, but that’s just guessing.

I solved this problem by using a temporary file and its related outputstream which i then stream like described here. This solution is not only faster but i also can catch any exception related to an aborting client.

Also take care to dispose the write as well like so:

try {
	 imageWriter.setOutput(out);
	 imageWriter.write(null, new IIOImage(image, null, null), iwp);
	 out.flush();
 } catch(IOException e) {                        
	 imageWriter.abort();                    
	 throw e;
 } finally {
	 try {                           
		 out.close();                            
	 } catch(Exception inner) {                              
	 }
	 imageWriter.dispose();
 }

This took me several hours to figure out… I hope someone finds this post useful.

Share This

Optimizing web resources with wro4j, Spring and ehcache

Michael — Wed, 18 Jan 2012 10:18:11 +0000

I think that almost no website today can do without JavaScript. There are some incredible good JavaScript libraries like jQuery for which an enormous mass of plugins and extensions exits.

The downside of this is, that for example the JavaScript code of my daily picture project Daily Fratze is bigger than the whole startpage of my first “homepage” was.

With every problem there is a solution, namely JavaScript compressors and minifier. Those tools can compress the code by removing superfluous whitespaces, renaming variables and functions or even by optimizing the code.

So far i have used the YUI compressor maven mojo in my Spring based projects. This is a build time solution that compresses JavaScript and CSS files when creating a war file.

For me it had several disadvantages: I don’t see the effect of compressing when i develop my application and it could not concatenate multiple script files.

The later is important because every additional request a browser makes slows down the loading of a webpage. And manual hacking all JavaScript into one file? No way…

wro4j to the rescue:

Free and Open Source Java project which brings together almost all the modern web tools: JsHint, CssLint, JsMin, Google Closure compressor, YUI Compressor, UglifyJs, Dojo Shrinksafe, Css Variables Support, JSON Compression, Less, Sass, CoffeeScript and much more. In the same time, the aim is to keep it as simple as possible and as extensible as possible in order to be easily adapted to application specific needs.

My goal was to integrate wro4j with Spring and ehcache with a minimum number of additional configuration files.

If you’re interested in some of my ideas, read on:

Please note: This is not the complete solution. The wro.xml is missing as well as some of my infrastructure ideas. But you should get the idea on how to use wro4j with Spring, extend it with your own caching strategy and configure the processors.

First step: Creating a WroFilter implementation that doesn’t depend on wro.properties:

import java.util.Map;
import java.util.Properties;
 
import ro.isdc.wro.http.ConfigurableWroFilter;
import ro.isdc.wro.manager.factory.WroManagerFactory;
 
public class Wro4jFilter extends ConfigurableWroFilter {
	private final WroManagerFactory factory;
 
	public Wro4jFilter(final Map<String, String> properties, final WroManagerFactory wroManagerFactory, final boolean debug) {
		this.factory = wroManagerFactory;
 
		final Properties p = new Properties();
		p.putAll(properties);
		p.put("debug", Boolean.toString(debug));				
		super.setProperties(p);		
	}
 
	@Override
	protected WroManagerFactory newWroManagerFactory() {		
		return this.factory;
	}	
}

As you see this filter accepts a map that is converted to a properties instance from which the superclass is configured. I also inject the WroManagerFactory which will be my interface to ehcache. Finally i can overwrite the debug flag.

This bean is instantiated through an @Configuration class like so:

@Configuration
@Profile("prod")
public class WebConfigProd extends WebConfig {
	@Bean(name="wroFilter")
	@Override
	public Filter getWroFilter() {
		return new Wro4jFilter(super.defaultWroProperties, new Wro4jManagerFactory(super.cacheManager), false);
	}
}

The defaultWroProperties is a Map created from the Spring Environment so that i can keep my wro4j options in my application properties file. cacheManager is an instance of net.sf.ehcache.CacheManager. The CacheManager is needed for my own WroManagerFactory which you'll see later.

To use this filter you need the Spring DelegatinFilterProxy:

>
	>webResourceOptimizer>
	>org.springframework.web.filter.DelegatingFilterProxy>
	>
		>targetBeanName>
		>wroFilter>
	>    	
	>
		>targetFilterLifecycle>
		>true>    	
	>
 >

Having set the targetFilterLifecycle to true is actually essential because the original ro.isdc.wro.http.WroFilter relies on the init method.

So far i only have the filter. What's missing is the wro4j model. This is where groups of JavaScript and CSS files are defined and it can be - among others - an xml file. I want mine to reside with my other configuration files in an dedicated package. To accomplish that i've created a special WroManagerFactory:

import java.io.InputStream;
 
import net.sf.ehcache.CacheManager;
import ro.isdc.wro.cache.CacheEntry;
import ro.isdc.wro.cache.CacheStrategy;
import ro.isdc.wro.cache.ContentHashEntry;
import ro.isdc.wro.extensions.processor.css.YUICssCompressorProcessor;
import ro.isdc.wro.extensions.processor.js.GoogleClosureCompressorProcessor;
import ro.isdc.wro.manager.factory.BaseWroManagerFactory;
import ro.isdc.wro.model.factory.WroModelFactory;
import ro.isdc.wro.model.factory.XmlModelFactory;
import ro.isdc.wro.model.resource.processor.factory.ProcessorsFactory;
import ro.isdc.wro.model.resource.processor.factory.SimpleProcessorsFactory;
import ro.isdc.wro.model.resource.processor.impl.css.CssUrlRewritingProcessor;
 
import com.google.javascript.jscomp.CompilationLevel;
 
public class Wro4jManagerFactory extends BaseWroManagerFactory {
	public final static String CACHE_NAME = "some_cache_name";
	private final CacheManager cacheManager;
 
	public Wro4jManagerFactory(CacheManager cacheManager) {
		this.cacheManager = cacheManager;
	}
 
	@Override
	protected ProcessorsFactory newProcessorsFactory() {
		final SimpleProcessorsFactory rv = new SimpleProcessorsFactory();
                // URLs in CSS needs to be rewritten as it is served from a different location than the original files. I'm not using @import statements, otherwise the appropriate processor should be added for rewriting them as well
		rv.addPreProcessor(new CssUrlRewritingProcessor());	
                // JavaScript compression by the Google Closure compressor	
		rv.addPreProcessor(new GoogleClosureCompressorProcessor(CompilationLevel.SIMPLE_OPTIMIZATIONS));
                // And css by YUI Css Compressor
		rv.addPreProcessor(new YUICssCompressorProcessor());
		return rv;
	}			
 
	@Override
	protected WroModelFactory newModelFactory() {
		return new XmlModelFactory() {
			@Override
			protected InputStream getModelResourceAsStream() {
				return this.getClass().getResourceAsStream("/foo/bar/config/wro.xml");
			}
		};
	}	
 
	@Override
	protected CacheStrategy<CacheEntry, ContentHashEntry> newCacheStrategy() {
		return new Wro4jCacheStrategy<CacheEntry, ContentHashEntry>(this.cacheManager.getCache(CACHE_NAME));
	}	
}

The location of my wro model is handled in newModelFactory. Nothing special. What's more interesting is newCacheStrategy. It get's an ehcache net.sf.ehcache.Cache from the CacheManager and passes it to my caching strategy:

import net.sf.ehcache.Cache;
import net.sf.ehcache.Element;
import ro.isdc.wro.cache.CacheStrategy;
 
public class Wro4jCacheStrategy<K, V> implements CacheStrategy<K, V> {	
	private final Cache cache;
 
	public Wro4jCacheStrategy(Cache cache) {
		this.cache = cache;
	}
 
	@Override
	public synchronized void put(K key, V value) {
		this.cache.put(new Element(key, value, null, null, null));
	}
 
	@SuppressWarnings("unchecked")
	@Override
	public synchronized V get(K key) {
		final Element element = this.cache.get(key);		
		return (V) (element == null ? null : element.getValue());
	}
 
	@Override
	public synchronized void clear() {
		this.cache.removeAll();
	}
 
	@Override
	public synchronized void destroy() {
		this.clear();
	}
}

So far i have:

No need for wro.properties
The wro.xml model along with my other configuration files
The WroFilter initialized by Spring
Having ehcache cache my compressed and concatenated resources

As you might have guessed there is also a WebConfigDev. The development configurations sets wro4j to development mode which means i can turn of minimisation at runtime through an url parameter like so "?minimize=false".

I didn't want to change my jsps all the time so i defined a bean that holds a property minimizeResources that is changable via JMX. I include my JavaScript like so:

 name="script">
	 name="src">
		 value="/wro/project.js">
			 name="minimize">${globalOptions.minimizeResources}>
		>
	>
	 />
>

CSS is analog. I use the jsp:element syntax because all my jsps are actually jspx files.

With this solution i can easily turn off minimization in development mode.

In production mode i now have one compressed JavaScript file instead of 15 files and one CSS file instead of four. The first request takes a second or so but the compressed (and gzipped) content is cached. The Google Closure is actually pretty awesome and reduces my accumulated JavaScript code by over 50%.

Reducing the number of requests necessary had - for me - the biggest impact on my smartphone.

I really can recommend wro4j. It's very extensible and actually pretty easy to use. I cannot only be used to compress files but also can allow you to use CoffeeScript or SASS in Spring or JEE application.

Share This

Creating a CSRF protection with Spring 3.1

Michael — Wed, 11 Jan 2012 09:37:58 +0000

CSRF Attacks still seems to be a problem, a pity that there is no standard solution in the Spring 3.1 framework. Although not probably, i wanted to protect my projects by malicious crafted links.

I didn’t want to use an extra library but something which is already available in the Spring framework. Here is what i come up with:

I choose the token protection mechanism for my implementation.

The core of my solution is the CSRFToken Service:

public interface CSRFTokenService {
	public final static String TOKEN_PARAMETER_NAME = "_tk";
 
	public final static String TOKEN_ATTRIBUTE_NAME = "CSRFToken";
 
	public final static List<String> METHODS_TO_CHECK = Collections.unmodifiableList(Arrays.asList("POST", "PUT", "DELETE"));
 
	/** Generates a new CSRF Protection token */
	public String generateToken();
 
	/** Obtains the token from the session. If there is no token, a new one will be generated */
	public String getTokenFromSession(final HttpServletRequest request);
 
	/** This method tests, if a token is acceptable when a user is logged in */
	public boolean acceptsTokenIn(HttpServletRequest request);
}

import java.security.SecureRandom;
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
 
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.springframework.stereotype.Service;
 
import de.dailyfratze.services.CSRFTokenService;
 
@Service("csrfTokenService")
public class CSRFTokenServiceImpl implements CSRFTokenService {
	private final SecureRandom random = new SecureRandom();
 
	@Override
	public String generateToken() {
		final byte[] bytes = new byte[32];
		random.nextBytes(bytes);
		return Base64.encodeBase64URLSafeString(bytes);
	}
 
	@Override
	public String getTokenFromSession(final HttpServletRequest request) {
		return request.getUserPrincipal() == null ? null : this.getTokenFromSessionImpl(request.getSession(false));
	}
 
	private String getTokenFromSessionImpl(final HttpSession session) {
		String token = null;
 
		if(session != null) {
			token = (String) session.getAttribute(TOKEN_ATTRIBUTE_NAME);
			if(StringUtils.isBlank(token))
				session.setAttribute(TOKEN_ATTRIBUTE_NAME, (token = generateToken()));
		}
		return token;
	}
 
	@Override
	public boolean acceptsTokenIn(HttpServletRequest request) {
		boolean rv = false;
 
		// Token is only verified if principal is not null
		if(request.getUserPrincipal() == null) 
			rv = true;
		else {
			final HttpSession session = request.getSession(false);
			rv = session != null && this.getTokenFromSessionImpl(session).equals(request.getParameter(TOKEN_PARAMETER_NAME));
		}
		return rv;
	}
}

“getTokenFromSession” is called right after a user logs in, so that the token gets stored into his session.

As you can see in the implementation of “acceptsTokenIn”, the token is only needed and verified when the principal is not null, meaning when a user is authenticated.

The interface contains some constants: The name of the token in forms and requests and the name of the attribute under which the token is stored in the session. The token itself is just a base64 of some random bytes.

I only want the token to be checked in writing methods: METHODS_TO_CHECK, meaning only in put, delete and posts requests. My applications don’t change state based on get requests.

So where to check for the token? I use a pretty simple Spring “HandlerInterceptor”:

package de.dailyfratze.controller;
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
 
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
 
import de.dailyfratze.services.CSRFTokenService;
 
public class CSRFInterceptor implements HandlerInterceptor { 
	@Autowired
	private CSRFTokenService csrfTokenService;
 
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
		boolean rv = true;
		if(CSRFTokenService.METHODS_TO_CHECK.contains(StringUtils.defaultIfBlank(request.getMethod(), "").toUpperCase()) && !csrfTokenService.acceptsTokenIn(request)) {
			response.addHeader("X-DailyFratze-InvalidCSRFToken", Boolean.toString(true));
			response.sendError(HttpServletResponse.SC_FORBIDDEN);
			rv = false;
		} 		
		return rv;
	}
 
	@Override
	public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {	
	}
 
	@Override
	public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {		
	}		
}

This interceptor stops the chain if the request method should be checked and the token is not acceptable by sending a HTTP forbidden error. The additional response header is used by Ajax calls to present a dialog that the session is invalidated.

How to get the token into forms? I wanted to be able to change the token name in only one place so i came up with the following custom tag:

import java.io.IOException;
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
 
import org.apache.commons.lang.StringUtils;
 
import de.dailyfratze.services.CSRFTokenService;
import de.dailyfratze.utils.HelperRegistry;
 
/**
 * Creates a hidden input field with the CSRF Token
 * @author michael.simons, 2011-09-20
 */
public class CSRFTokenTag extends TagSupport {
	private static final long serialVersionUID = 745177955805541350L;
 
	private boolean plainToken = false;
 
	@Override
	public int doStartTag() throws JspException {
		final CSRFTokenService csrfTokenService = HelperRegistry.getHelper(super.pageContext.getServletContext(), super.pageContext.getRequest(), CSRFTokenService.class, "csrfTokenService");
		final String token = csrfTokenService.getTokenFromSession((HttpServletRequest) super.pageContext.getRequest());
		if(!StringUtils.isBlank(token))
			try {
				if(plainToken)
					pageContext.getOut().write(token);
				else
					pageContext.getOut().write(String.format("\"hidden\" name=\"%1$s\" id=\"%1$s\" value=\"%2$s\" />", CSRFTokenService.TOKEN_PARAMETER_NAME, token));
			} catch (IOException e) {
			}
		return SKIP_BODY;
	}
 
	@Override
	public int doEndTag() throws JspException {
		return EVAL_PAGE;
	}
 
	public boolean isPlainToken() {
		return plainToken;
	}
 
	public void setPlainToken(boolean plainToken) {
		this.plainToken = plainToken;
	}
 
	public static String getTokenParameterName() {
		return CSRFTokenService.TOKEN_PARAMETER_NAME;
	}
}

with the corresponding mapping:

 version="1.0" encoding="UTF-8" ?>
 xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd"
	version="2.1">
	>1.0>
	>df>
	>http://michael-simons.eu/taglibs/df>
	>
		>csrfToken>
		>de.dailyfratze.tags.CSRFTokenTag>
		>empty>
		>
			>plainToken>
			>false>	
		>
	>	
	>
		>csrfTokenParameter>
		>de.dailyfratze.tags.CSRFTokenTag>
		>java.lang.String getTokenParameterName()>
	>
>

I can use this tag in forms like so:

Or for generating url parameters for example for ajax calls like so:

So if a token is invalid, the user is either redirect to an error page if it is a normal post, ajax calls through jQuery can be handled like so:

function isInvalidCSRFToken = function(xhr) {
	var rv = false;
	if(xhr.status == 403 && xhr.getResponseHeader('X-DailyFratze-InvalidCSRFToken') == 'true') {			
		alert($('Session is invalid').text());
		rv = true;
	}
	return rv;
}
 
$.ajax({
	type: 'post',
	url: theUrl,	
	dataType: 'text',		
	complete: function(xhr, status) {
		if(isInvalidCSRFToken(xhr))	    				
			return;	    				
		// handle the result
	} 	        
});

The code snippets are all taken from a running project. If you want to use them, use them. The package names are missing and must be added. Also the JavaScript code isn’t complete.

Feel free to comment, if you have suggestions, remarks or anything else. Also, if you can use this, i’d be happy to hear from you.

Share This

oEmbedding twitter updates with Java and WordPress

Michael — Tue, 20 Dec 2011 11:48:34 +0000

I’m really a big fan of oEmbed. My project Daily Fratze acts as oEmbed provider and consumer for example.

Now I’m really happy that twitter announced that it now acts as an oembed provider:

Introducing the statuses/oembed endpoint: dev.twitter.com/docs/api/1/get… ^TS

— Twitter API (@twitterapi) Dezember 8, 2011

(I’d even be happier if twitter would autodiscover providers )

To use this in a Java based application you can use my java-oembed lib with the following configuration:

Oembed oembed = new OembedBuilder(this.httpClient)
	.withCacheManager(cacheManager)
	.withBaseUri("http://yourproject")
	.withConsumer("yourproject")
	.withProviders(					
			new OembedProviderBuilder()
				.withName("twitter")
				.withFormat("json")
				.withMaxWidth(480)
				.withEndpoint("https://api.twitter.com/1/statuses/oembed.%{format}")
				.withUrlSchemes("https?://twitter.com/#!/[a-z0-9_]{1,20}/status/\\d+")
				.build()
	 )
	.withHandlers(new CommonHandler("twitter"))
	.build();

The handler looks like this:

import org.apache.commons.lang.StringEscapeUtils;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
 
import ac.simons.oembed.OembedResponse;
import ac.simons.oembed.OembedResponseHandler;
 
 
public class CommonHandler implements OembedResponseHandler {
	private String handlerFor;
 
	public CommonHandler(String handlerFor) {
		this.handlerFor = handlerFor;
	}
 
	@Override
	public String getFor() {
		return handlerFor;
	}
 
	@Override
	public void handle(Document document, Element a, OembedResponse response) {
		final StringBuilder hlp = new StringBuilder();
 
		final String title = StringEscapeUtils.escapeHtml(response.getTitle());
		if(response.getType().equalsIgnoreCase("video") || response.getType().equalsIgnoreCase("rich")) {
			hlp.append("\"display:block; text-align:center;\">");
			hlp.append(response.getHtml());
			hlp.append("");
		} else if(response.getType().equalsIgnoreCase("photo")) {			
			hlp.append("\"display:block; text-align:center;\">");			
			hlp.append(String.format("\"%s\" alt=\"%s\" title=\"%s\" style=\"width: %d; height: %d;\" />", response.getUrl(), title, title, response.getWidth(), response.getHeight()));			
			hlp.append("");
		}
 
		a.before(hlp.toString());
		a.remove();		
	}
}

Be careful to get the latest release, twitter has some real large values for cache ages and i needed to update a member from int to long.

To have WordPress automatically embed statusupdates, add the following line to the “functions.php” of your current theme. Create the file if it isn’t available in the root folder of your theme:

wp_oembed_add_provider('#https?://twitter.com/\#!/[a-z0-9_]{1,20}/status/\d+#i', 'https://api.twitter.com/1/statuses/oembed.json', true);

Whenever you add the plain link (whithout an anchor tag) to a statusupdate on a single line in a post, it will be embedded like the example above.

Update

If you are more into plugins, just download my Enable Twitter oEmbed WordPress plugin, install it and you’re good to go.

An alternative to oEmbed for Twitter was the Twitter Blackbird Pie Plugin for WordPress, but why adding more stuff if everything else is already there? My plugin is much more lightweight.

Embedding me looks like this, by the way:

the picture will always show my latest update on daily fratze.

As this is probably the last post here for this year, i wish every visitor some nice christmas holidays!

Share This

Java stuff

Michael — Mon, 28 Nov 2011 09:32:00 +0000

Here is some Java stuff I’ve written over the last year for Daily Fratze. All of the stuff is in use on Daily Fratze since June 2011.

java-akismet: java-akismet is a simple client for Akismet based on the latest version of Apache HttpComponents.
java-oembed: I really like the idea of oEmbed: A mechanism for auto embedding stuff from other sites so that users don’t have to paste some html code into a textbox but just plain links. This is my version of a configurable Java client that can autodetect oEmbed endpoints as well as statically configured endpoints.
java-autolinker: This is my idea of an autolinker based on jsoup. If you want to get autolinking right, you have to parse the text. Just scanning for regex that matches urls or email addresses is not enough. This autolinker first parses the text into a DOM tree and passes all text nodes to the configured linkers. At the moment it supports URLs, email addresses and twitter handles.

I’d be happy if someone can actually use this stuff too or even contribute to it

Share This

Fixing hibernate “Cannot release connection” exception using DBCP and MySQL.

Michael — Mon, 21 Nov 2011 08:04:34 +0000

Every 8 hours i got a Hibernate exception “Cannot release connection” within a Java application using Hibernate, Apache DBCP on Tomcat:

org.hibernate.exception.GenericJDBCException: Cannot release connection
    at org.hibernate.exception.SQLStateConverter.handledNonSpecificException(SQLStateConverter.java:103)
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:91)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:29)
    ..
    ..
Caused by: java.sql.SQLException: Already closed.

Not only that the messages polluted my inbox, the exception was visible to the enduser, resulting in a HTTP 500 error. An older blog post i found suggested dismissing DBCP and using c3p0, a solution that i’m not quite found of. At least, the post helped to reproduce the problem within my development setup. The underlying problem was indeed the MySQL wait_timeout.

There’s quite a long documentation on the Tomcat JDBC Connection Pool. Although the Tomcat team recommends their own solution since Tomcat 7, i still wanted to go with DBCP.

The relevant keywords are “testOnBorrow”, “testOnReturn”, “testWhileIdle”, “validationQuery” and “timeBetweenEvictionRunsMillis”. The first 3 are boolean values. If set to true, the query given as validationQuery is executed on borrowing a connection from the pool, on returning or when idling. The first option is not an option on production use as the query is executed before each call. Although “Select 1″ is probably very fast, i just don’t want to have. Also: The problem is an invalidated, idle connection so i set testWhileIdle to true. And what happened? Nothing! The problem stayed. So there is the last option timeBetweenEvictionRunsMillis which should, according to the docs, default to 5 seconds but it doesn’t. The documentation is wrong. It’s under zero, so the eviction thread that tests idle connections never run. I’ve tweeted the tomcat team, but there was no reaction.

So the correct configuration for a DBCP pool database source is:


	type="javax.sql.DataSource"
	driverClassName="com.mysql.jdbc.Driver"
	maxActive="100"
	maxIdle="30"
	maxWait="10000"
	testOnBorrow="false"
	testOnReturn="false"
	testWhileIdle="true"
	validationQuery="Select 1"
	timeBetweenEvictionRunsMillis="1800000"
/>

This way the eviction thread runs every 30 minutes, testing idle connections with the query “Select 1″ and removing them from the pool. The timeBetweenEvictionRunsMillis should not be to low. It should be adapted to the configured MySQL wait_timeout.

Share This

Java and invalid SSL certificates (java-trustprovideragent)

Michael — Mon, 25 Jul 2011 09:28:13 +0000

It’s truly easy to generate a SSL certificate for example to use with tomcat (see here). This certificate is invalid as it is self-signed by you and it often doesn’t match the hostname. This is no problem when your access the project with a browser, with more or less jumps through hoops you accept the development certificate and you’re done.

If you access the site through java itself you’ll have problem with all tools that basically use an URLConnection. You’ll end up with an exception like this:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

This is will hit you for example using HtmlUnit or my oembed client.

It isn’t enough to import the certificate in question using keytool (at least, it didn’t work for me).

I search and i found this post titled “SSL Trust Provider for Java”. Interesting stuff.

This works by providing a “java.security.Provider” through the Security API accepting all certificates. Nice tip, thanks!

I didn’t want to change my sources though so i wrote a very little java agent to instrument my development setup. I also added a “javax.net.ssl.HostnameVerifier” that accepts all host names, in case the certificates cn doesn’t match the development machines hostname. If i want my vm to trust all and everything, i just add “-javaagent:full/path/to/java-trustprovideragent-0.0.1-SNAPSHOT.jar”.

The code is on github java-trustprovideragent, please feel free to use it.

Thanks to the original authors on devcentral.f5.com.

Share This

MySql compatible AES encryption / decryption in Java

Michael — Mon, 18 Jul 2011 12:51:57 +0000

MySQL has an aes_encrypt/aes_decrypt pair of functions (Encryption and Compression Functions) that enable encryption and decryption of data using the official AES algorithm.

The functions are easy to use (select AES_ENCRYPT(‘text’,'password’)) and the result is easy to store (insert into secrets values HEX(AES_ENCRYPT(‘text’,'password’))) as hex values.

I used this technique for a while but i wanted to have a more database agnostic version of this encryption and tried to build the same methods with java.

Although it was relatively easy to find the exact cipher mode (which is AES/ECB/PKCS5Padding), i had a real hard time figuring out how the key is calculated from the given password (the key must be 16bytes long, per default MySql uses AES-128). It turns out that the MySQL algorithm just or’s the bytes of a given passphrase against the previous bytes if the password is longer than 16 chars and just leaves them 0 when the password is shorter than 16 chars. So you can generate a secret key spec in Java for an aes_encrypt/decrypt compatible cipher like so:

import java.io.UnsupportedEncodingException;
 
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
 
import org.apache.commons.codec.binary.Hex;
 
public class Demo {
	public static SecretKeySpec generateMySQLAESKey(final String key, final String encoding) {
		try {
			final byte[] finalKey = new byte[16];
			int i = 0;
			for(byte b : key.getBytes(encoding))
				finalKey[i++%16] ^= b;			
			return new SecretKeySpec(finalKey, "AES");
		} catch(UnsupportedEncodingException e) {
			throw new RuntimeException(e);
		}
	}
 
	public static void main(String... args) throws Exception {
		// Decrypt
		final Cipher decryptCipher = Cipher.getInstance("AES");	        				
		decryptCipher.init(Cipher.DECRYPT_MODE, generateMySQLAESKey("your super secret passphrase", "UTF-8"));
		System.out.println(new String(decryptCipher.doFinal(Hex.decodeHex("56A34D7AB6225616799F6559AA388F07C2C9E53983111BDD5F49F36461AAD789".toCharArray()))));
 
		// Encrypt
		final Cipher encryptCipher = Cipher.getInstance("AES");	        				
		encryptCipher.init(Cipher.ENCRYPT_MODE, generateMySQLAESKey("your super secret passphrase", "UTF-8"));		
		System.out.println(String.format("Select aes_decrypt(unhex('%s'), 'your super secret passphrase');", new String(Hex.encodeHex(encryptCipher.doFinal("Hallo nach Aachen".getBytes("UTF-8")))))); 
	}
}

You need Commons Codec to run these.

This isn’t probably the most secure solution from a cryptographic point of view but it just replicates the built-in MySql function for other databases or just for interoperability. I hope to save someone else time with this as i spent about days about those view lines.

Share This

Apache httpd, Tomcat und sendfile

Michael — Tue, 28 Jun 2011 08:47:04 +0000

I used to use mod_xsendfile by Nils Maier, who’s Homepage doesn’t seem to exist anymore, to send files from Ruby proxied by Apache respectively powered by modrails. Those files shouldn’t be in any public www directory as authorization needs to be checked, but are accessed very often so that streaming them is not an option.

To use this technique you need mod_xsendfile, which is attached to this post.

I just have rewritten my application from Ruby on Rails to Java and it’s easy to add the necessary headers in a HttpServletResponse:

response.setHeader("X-Sendfile", file.getAbsolutePath());
response.flushBuffer();

You may add other headers like Content-Type and the like but you must not modify the body, hence the flushBuffer.

This works quite well… As long as had my Apache httpd running with mpm-prefork.

Switching to Apache mpm-worker caused some problems. I cannot say with a final conclusion that mod_xsendfile was causing troubles but i started to see the wrong files (images in this case) delivered or not delivered at all.

My alternate solution was streaming the files using Channels from java.nio but CPU usage went nuts.

The solution now employed is the using Apache Tomcats asynchronous writes that are available since Tomcat 6. Their documentation is rather short but so is implementing them:

/*
HttpServletRequest request = ...
HttpServletResponse response = ...
*/
 
if(request != null && Boolean.TRUE.equals(request.getAttribute("org.apache.tomcat.sendfile.support"))) {		
  long l = file.length();
  request.setAttribute("org.apache.tomcat.sendfile.filename", absolutePath);
  request.setAttribute("org.apache.tomcat.sendfile.start", 0l);
  request.setAttribute("org.apache.tomcat.sendfile.end", l);
  response.setHeader("Content-Length", Long.toString(l));
  response.flushBuffer();
} else if(use_xsendfile) {
  // see above
} else {
  // stream files
}

What i got wrong at first was setting those attributes in the response. That didn’t work. The must be set in the request and you must take care setting all of those and with the correct type (String respectively long). And that’s it.

The request attribute org.apache.tomcat.sendfile.support will be true when the connector is configured to either use the APR connector (org.apache.coyote.http11.Http11AprProtocol) or the non blocking Java connector (org.apache.coyote.http11.Http11NioProtocol) (the later one being easier to deploy as it has no external dependencies).

CPU usage for sending those files is now nearly 0.

Share This