Adding JSTL/JSP EL to your web applicaton (updated)

Quite some environments do not come with JSTL: Eclipse for JEE (Galileo), Tomcat 6, Jetty 6... Follow these steps to add them:

1. Add JSTL
   Grab the JSTL API (jstl-api.jar) and JSTL implementation (jstl-impl-1.2.jar).
   Add the jars to your Container (e.g. Tomcat) lib directory (or your webapp lib).
   Alternatively add them using maven dependencies:
   

   <dependency>
     <groupId>javax.servlet</groupId>
     <artifactId>jstl</artifactId>
     <version>1.2</version>
   </dependency>
   

2. Make sure the web-app root element in web.xml supports at least servlet 2.4/JSP 2.0

   <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

   If you use <taglib> elements in web.xml, make sure they are embedded in a <jsp-config> element.

Wikileaks: free speech to the test

As much as I understand that the US wants to protect its confidential information, incidents like these are a good test for democratic values. After all there's a lot of criticism on China. But just how much better are other regimes?

• Wikileaks got bumped from US Amazon cloud servers. A good indication of inherent risks of control one has when running cloud based services.
• Wikileaks was also removed from French servers. Because France does not want confidential diplomatic information of other coutnries to be available. I doubt that France is applying this as a general rule to all diplomatic information from all countires.
• Wikileaks was removed from DNS provider EveryDNS, because it breached the terms of contract. The ongoing denial of service attacks against the site were compromising the service for other clients. Instead of giving good service and protection and going after the attackers, the service provider says the customer is in error? Fun: now botnets can remove all EveryDNS customers by picking them as a DOS target.
• Paypal (a subsidiary of US based eBay) blocks donations for WikiLeaks because they do not transfer money for criminal activities. The strange thing about these actions by US companies is that they are based on private company regulations rather than public law.

Using JPA with Spring

SL-370 module 1 shows an example of using JPA with Java SE.
If you want to use Spring with JPA, the java code is just like in Java EE. Here's how the configuration files for Spring look for an example similar to the Java SE example:

persistence.xml

<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.0"
xmlns="http://java.sun.com/xml/ns/persistence"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/persistence
http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd">
 <persistence-unit name="StockPU" transaction-type="RESOURCE_LOCAL">
 <provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
 <properties>
  <property name="javax.persistence.jdbc.user" value="public"/>
  <property name="javax.persistence.jdbc.password" value="public"/>
  <property name="javax.persistence.jdbc.url" 
   value="jdbc:derby:MyDB;create=true"/>
  <property name="javax.persistence.jdbc.driver" 
   value="org.apache.derby.jdbc.EmbeddedDriver"/>
  <property name="eclipselink.ddl-generation" value="drop-and-create-tables"/>
  <property name="eclipselink.logging.level" value="SEVERE"/>
 </properties>
 </persistence-unit>
</persistence>

Spring XML configuration snippet(e.g. in application-config.xml):

<bean id="entityManagerFactory" 
 class="org.springframework.orm.jpa.LocalEntityManagerFactoryBean" 
 lazy-init="true">
 <property name="persistenceUnitName" value="StockPU" />
</bean>
<bean name="transactionManager" 
 class="org.springframework.orm.jpa.JpaTransactionManager">
 <property name="entityManagerFactory" ref="entityManagerFactory" />
</bean>

<tx:annotation-driven />

IPFilter Components / Solaris 10

 For  Solaris 10 8/7 (u4) and higher:

• Commands
  • svcadm: enable/disable ipfilter
  • ipf: manage rulebase
    • -Fa: flush (remove) all rules
    • -f file: load rules from file
  • ipnat: manage Network Access Translation rules
    • -F: flush (remove) all rules
    • -f file: load rules from file
  • ipfstat: show statistics
    • -io: show active rulebase
• Daemons
  • ipmon: monitor logging device
    • -D: daemon mode
    • -s: log to syslog local0 facility
• Files
  • /dev/ipl: device from which you can read log entries
• Kernel module
• ipf
• Links
• FAQ

Windows 7: Subsystem for Unix-based applications (SUA)

Yesterday I was trying to telnet from my new Windows 7 PC and... telnet was not there anymore. I had to go to "Control panel>Programs and Features>Turn Windows features on or off" to activate it.
While being in turn features on/off there was some other interesting stuff:

• NFS client (!)
• Subsystem for Unix-based applications

Subsystem for Unix-based applications (SUA) is the new name for Windows Services for UNIX (SFU),which in its turn is an evolution of the Interix system that Microsoft acquired. It is a set of utilities that make Windows POSIX compliant and eligible for tenders that require POSIX. Compliance is a very different goal then features and usability, so don't expect too much. The option is only present on Ultimate/Enterprise editions (Vista or later).

After rebooting  I could go to All Programs > Subsystem for Unix-based applications and... download utilities for Subsystem for Unix-based applications. That's right, it just enables the possibility to run POSIX programs, but Unix utilities themselves were not bundled, not even a shell.


Going to the download page you get these choices:

1. Utilities and SDK for UNIX-based Applications_AMD64.exe
• use for 64 bit Windows on Intel or AMD x86 processors
2. Utilities and SDK for UNIX-based Applications_IA64.exe 
• Use for Intel itanium
3. Utilities and SDK for UNIX-based Applications_X86.exe
•  use for 32bit Windows on Intel or AMD x86 processors

Take special care, to download the AMD64 file for Intel 64bit x86 architecture. Microsoft supposes unix heads know that AMD did not follow Intel on the 64bit Itanium path and made a 64 bit x86 (pentium) architecture version. Afterwards Intel followed the AMD strategy and started producing 64bit x86 processors as well.

When installing, choose custom installation if you want to include GNU stuff.  When installation is done, Windows prompts for another reboot.

Your system is by default installed with a root directory mapped to c:\Windows\SUA. You can now start a shell from the SUA menu. You can also run commands from windows by passing them as arguments  to c:\Windows\posix.exe. From a SUA shell you can access your windows drives from /dev/fs (e.g. /dev/fs/C is your C  drive).

Solaris Bookmarks (updated)

 Oracle

• documentation
• Reference
• Articles
• Oracle Technology Network (OTN) (was bigadmin)
• Technical Articles
• Solaris for Linux administrators
• Oracle CommandComparo
  
• Linux to Solaris administration guide
• OpenSolaris
• With the purchase by Oracle the open source distribution of Solaris was discontinued. OpenIndiana is a public domain fork. Solaris Express continues with binary snapshots, starting with Solaris 11.

 Information

• Softpanorama
• c0t0d0s0
• Jean Christophe’s learning solaris

Software

• Solaris Companion Software
• Community SoftWare
• Sun Freeware
• Blastwave 

Solaris 11 express released

Oracle has made the first release of Solaris 11 Express available for download. The final release will be somewhere next year. It is the first major Solaris release under the governance of Oracle. You can download the OS for free (and for testing). Take care: the default download is a text based installer, scroll down to get a GUI based installer.

New feature digest:

• Image Packaging System (IPS)
• A new software package system
• Repositories (depot servers) providing packages over the network
• mirrors
• can assist in network install (Automated Installer)
• Automatic updates
• legacy solaris packages (pkg) supported
• Distribution constructor builds an OS image from a manifest (descriptor file). Images can be
• directly installed on client
• ISO image
• VM image
• Boot environments: streamlined Live Upgrade using ZFS snapshots
• ZFS
• ZFS boot/root environment
• deduplication: detect duplicate data and store single copy
• encrypted datasets
• security
• root is a role now
• labeling extensions
• apply labels to IPSec
• apply labels to ZFS datasets
  
• require an extra password to access a labeled resource
• bash is the default user shell, ksh the default system shell
• optional graphical boot screen
• CUPS printing service is the default printing service
• printer discovery
• Open Sound System API support (Boomer)
• Linux removable media management replaces the volume manager (vold)
• Command assistant: full text search tool to get information on Solaris commands
• git is bundled (distributed version control system for development)
• Networking enhancements

Solaris 11 networking enhancements

As of Solaris 11 Express 2010.11 these enhancements are included:

• Network automagic (NWAM): dynamically configure fixed or wireless network depending on discovery and profiles

  

  Network automagic

• sockets no longer use STREAMS
• Solaris can work as a (L2) bridge (IETF TRILL)
• unified handling of different types of network interfaces (project Clearview)
• dladm extended (project Brussels)
• virtual interfaces, IP tunnels and IPMP can now be accessed as generic IP interfaces. They can now be sniffed (e.g. lo0, traffic between zones...) , asssigned as an exlusive stack to a zone...
• use virtual network interfaces (VNIC), virtual switches (etherstubs) and virtual routers, bridges and servers (zones) to siumulate an entire network on a single system (project Crossbow)
• zones can exclusivly own an IP stack without a dedicated physical interface (NIC)
• Link protection: limit ability of NIC to send spoofed packets
• VRRP  (Virtual Router Redundancy protocol)

Earlier Solaris 10 networking enhancements.

Java annotations primer (updated)

Slides: an introduction to annotations in Java.

Solaris 10 networking enhancements by release overview (updated)

Overview of most important changes for networking in solaris 10 releases.
3/5 (base)

• specify source IP by (virtual) interface. Example:

  # ifconfig eri0 usesrc vni0
  The virtual IP vni interface is not associated with any physical hardware and is thus immune to hardware failures. If vni0 has address 10.0.0.1 assigned to it, the system will prefer 10.0.0.1 as the source address for any packets originated by local connections that are sent through eri0.

• RIPv2, BGP, and OSPF through GNU Zebra (adapted for Solaris)
• /usr/lib/mail -> /etc/mail/cf
• routeadm command
• rdisc wrapped into in.routed
• use ifconfig to configure ipforwarding for individual interfaces
• IP quality of service (IPQoS)
• WAN boot installation
• SSH 3.5p1 (adapted for Solaris)
• Stream Control Transmission Protocol (SCTP)

1/6 (u1)

• SMTP over TLS
• source address filtering on multicast traffic
• dladm command for data link (layer 2) configuration, link aggregation (ethernet trunk)
• IGMPv3 and MLDv2 (IPv6) routing support

6/6 (u2)

• IPFilter for IPv6

11/6 (u3)

• Mandatory Access Control (from Trusted Solaris) for networking and other functions
• Set secure by default network profile during installation

8/7 (u4)

• SMF based routing services (svcadm in addition to routeadm)
• merge /etc/inet/ipnodes (for IPv6) into /etc/inet/hosts
• GNU Quagga routing suite replaces GNU Zebra
• Key Management Framework for PKI
• encryption kit included + MD4, MD5, SHA1, and SHA2
• exclusive access to physical network interfaces by non-global zones
• DHCPv6 client
• IPFilter firewall enhancements
  
  • pfil driver/daemon removed (replaced by packet filter hooks)
  • IPv6 support
  • loopback interface support
    

5/9 (u7)

• SHA2 512bit, Diffie-Hellman 4096 bit

10/9 (u8)

• NTP 4.1.2
  

9/10 (u9)

• The client queue runner is now a separate daemon (svc:/network/smtp:sendmail-client). It used to be part of sendmail  (svc:/network/smtp:sendmail).
• The net_access privilege has been added to the basic privilege set. Denying this privilege, cuts network access.

Handling comments with SAX

DOM and StAX will readily handle XML comments.
With SAX 2 you will need to register an extra handler, LexicalHandler, to be called for comments and other lexical events (CDATA, DTD, Entities). The JAXP adapter class DefaultHandler2 is an adapter for all SAX2 handlers, including the LexicalHandler.
Here's a little code snippet, that shows how to set up your SAX parser to print comments:

      SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
      parser.setProperty(
        "http://xml.org/sax/properties/lexical-handler",
        new LexicalHandler() {
          public void comment(char[] ch, int start, int length)
            throws SAXException {
            System.out.println(
              "/* comment: " + String.valueOf(ch, start, length) + " */");
          }
          public void startDTD(String name, String publicId, String systemId)
            throws SAXException { }
          public void endDTD() throws SAXException { }
          public void startEntity(String name) throws SAXException { }
          public void endEntity(String name) throws SAXException { }
          public void startCDATA() throws SAXException { }
          public void endCDATA() throws SAXException { } 
        });

DOM editing validation

The example below adds DOM schema validation while modifying the in-memory DOM. It uses DOM load/save example as a basis.
We are adding a text node instead of a comment now, to generate a schema inconsistency.
The checking kicks off when you call normalizeDocument.
Also compare with the parsing validation example.

// SimpleDOML3MemXSD.java

import com.sun.xml.internal.ws.developer.ValidationErrorHandler;
import org.w3c.dom.*;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.*;

import javax.xml.XMLConstants;
import java.io.OutputStreamWriter;

public class SimpleDOML3MemXSD {

  public static void main(String args[]) {
    Document doc;
    try {
      // Create DOM Document using DOM Level 3 Load
      DOMImplementationLS ls = (DOMImplementationLS) DOMImplementationRegistry.
        newInstance().getDOMImplementation("LS");
      LSParser builder = ls.createLSParser(
        DOMImplementationLS.MODE_SYNCHRONOUS,
        "http://www.w3.org/2001/XMLSchema");
      doc = builder.parseURI(args[0]);
      DOMConfiguration config = doc.getDomConfig();
      // for DTD use XMLConstants.XML_DTD_NS_URI
      config.setParameter("schema-type", XMLConstants.W3C_XML_SCHEMA_NS_URI);
      config.setParameter("validate", true);
      config.setParameter("error-handler", new StdErrorHandler());
      //Obtain root elements
      Element root = doc.getDocumentElement();

      // Add text (NOT ALLOWED BY SCHEMA)
      Text text = doc.createTextNode("Training text");
      root.appendChild(text);

      //Now validate
      doc.normalizeDocument();

     // Output to standard output; using DOM Level 3 save
      LSOutput target = ls.createLSOutput();
      target.setCharacterStream(new OutputStreamWriter(System.out));
      ls.createLSSerializer().write(doc, target);
    } catch (Exception e) {
      System.out.println(e.getMessage());
      e.printStackTrace();
      System.exit(0);
    }
  }

  private static class StdErrorHandler implements DOMErrorHandler {

    public boolean handleError(DOMError e) {
      String prefix = "Severity ";
      if (e.getLocation().getLineNumber() != -1) {
         prefix = "Line " + e.getLocation().getLineNumber()
          + " column  " + e.getLocation().getColumnNumber()
          + ", severity ";
      }
      System.err.println(
        prefix + e.getSeverity()
          + " issue: " + e.getMessage());
      return true;
    }
  }
}

DOM XML Load validation

The example below adds DOM schema validation when you are parsing the XML input file to the DOM load/save example.
The example also features a DOM Level 3 DOMErrorHandler.
Also compare with the editing validation example.

// SimpleDOML3XSD.java

import org.w3c.dom.*;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.*;

import javax.xml.XMLConstants;
import java.io.OutputStreamWriter;

public class SimpleDOML3LSXSD {

  public static void main(String args[]) {
    Document doc;
    try {

      // Create DOM Document using DOM Level 3 Load
      DOMImplementationLS ls = (DOMImplementationLS) DOMImplementationRegistry.
        newInstance().getDOMImplementation("LS");
      LSParser builder = ls.createLSParser(
        DOMImplementationLS.MODE_SYNCHRONOUS,
        // for DTD use XMLConstants.XML_DTD_NS_URI
        XMLConstants.W3C_XML_SCHEMA_NS_URI);
      DOMConfiguration config = builder.getDomConfig();
      config.setParameter("validate", true);
      config.setParameter("error-handler", new StdErrorHandler());
      doc = builder.parseURI(args[0]);

      // Obtain root elements
      Element root = doc.getDocumentElement();

      // Add comment texts
      Comment comment = doc.createComment("Training text");
      root.appendChild(comment);

      // Output to standard output; using DOM Level 3 save
      LSOutput target = ls.createLSOutput();
      target.setCharacterStream(new OutputStreamWriter(System.out));
      ls.createLSSerializer().write(doc, target);

    } catch (Exception e) {
      System.out.println(e.getMessage());
      e.printStackTrace();
      System.exit(0);
    }
  }

  private static class StdErrorHandler implements DOMErrorHandler {

    public boolean handleError(DOMError e) {
      String prefix = "Severity ";
      if (e.getLocation().getLineNumber() != -1) {
         prefix = "Line " + e.getLocation().getLineNumber()
          + " column  " + e.getLocation().getColumnNumber()
          + ", severity ";
      }
      System.err.println(
        prefix + e.getSeverity()
          + " issue: " + e.getMessage());
      return true;
    }
  }
}

Load and Save XML with DOM (Level 3)

Prior to DOM Level 3, DOM did not standardize reading and writing XML.
Below is the  SL-385 code 4-2 modified to use the standard DOM level 3 Load and Save (LS) API.
An alternative JAXP (but not DOM standard) way is to read using the JAXP DocumentBuilder and to write using the JAXP transformer (TrAX XSLT).
(I included a comment showing DOM LS writing starting from a DocumentBuilder obrained from JAXP reading as well.)

// SimpleDOML3LS.java
import org.w3c.dom.*;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.*;
import java.io.OutputStreamWriter;

public class SimpleDOML3LS {

  public static void main(String args[]) {
    Document doc;
    try {

      // Create DOM Document using DOM Level 3 Load 
      DOMImplementationLS ls = (DOMImplementationLS) DOMImplementationRegistry.
          newInstance().getDOMImplementation("LS");
      LSParser builder = ls.createLSParser(
        DOMImplementationLS.MODE_SYNCHRONOUS,
        null);
      doc = builder.parseURI(args[0]);

      // Obtain root elements
      Element root = doc.getDocumentElement();

      // Add comment texts
      Comment comment = doc.createComment("Training text");
      root.appendChild(comment);

      // Output to standard output; using DOM Level 3 save

      // If you parsed using a JAXP DocumentBuilder
      // you can also get your LSimplementation from your Document:
      // DOMImplementationLS ls = (DOMImplementationLS) doc.
      //   getImplementation().getFeature("LS","3.0");
      LSOutput target = ls.createLSOutput();
      target.setCharacterStream(new OutputStreamWriter(System.out));
      ls.createLSSerializer().write(doc, target);

    } catch (Exception e) {
      System.out.println(e.getMessage());
      e.printStackTrace();
      System.exit(0);
    }
  }
}

To add newlines/indents to enhance readability of the output, replace in the above example

ls.createLSSerializer().write(doc, target);

with

      LSSerializer serializer = ls.createLSSerializer();
      DOMConfiguration serializerConfig = serializer.getDomConfig();
      serializerConfig.setParameter("format-pretty-print", Boolean.TRUE);
      serializer.write(doc, target);

Oracle buys Passlogix SSO

You got to eat if you want to grow, and Oracle keeps on festing on other companies.
The last buy is a very rational one, and one that will easily integrate into the company.
Oracle was already reselling Passlogix under its own brand as part of its Identity and access management suite and is in-housing the technology now. Additionally Sun Microsystems, which became a piece of the Oracle pie last year, was partnering with PassLogix for Sun Identity and Access management as well.
Oracle's Identity and Access Management suite, will emerge as of the completest in the market.

Google adds keyboard search navigation

Google's empire is built on providing an ordinary search utility. Still it keeps finding opportunities for enhancement while keeping it simple.
We already have suggest, a drop down box with search term autocompletion suggestions.
Only last month we got instant search, showing search results as you type.
Both are shown in the picture to the left.

Now Google is adding keyboard navigation, allowing you to move down through results (and to next page) using the arrow keys. Keyboard navigation starts after you hit enter in the search box. The current selected item is indicated by the little blue arrow head to the left. Hit enter again to go to the target page.

You need to be logged in with instant search enabled.

Still, criticists say that the blue arrow could be interpreted as a recommendation of the link to the user. It will point to the first position which is often an advertisement, Google's primary source of revenue.

jspx document

Minimal solution of list headers JSTL exercise (SL-314-EE6 mod 6 lab 1) without any <%…%>  tags (e.g. for taglib declaration).
The document must be saved in a .jspx file (e.g. index.jspx):

<html xmlns:jsp="http://java.sun.com/JSP/Page"
      xmlns:c="http://java.sun.com/jsp/jstl/core">
  <jsp:directive.page contentType="text/html;charset=UTF-8"/>
  <head><title>Header jspx page</title></head>
  <body>
    Request headers:
    <ul>
      <c:forEach var="zheader" items="${header}">
        <li>${zheader}</li>
      </c:forEach>
    </ul>
  </body>                                     
</html>

LibreOffice: OOo without Oracle

The OpenOffice public domain community has separated itself from its Oracle head. The body will walk on as The Document Foundation.
Back in the previous millenium Sun Microystems bought a German office suit, called StarOffice, running on Unix as well as Windows.
Sun rebranded the product to OpenOffice and made it a free, public domain competitor for MS Office.
OpenOffice came under the stewardship of Oracle, when it acquired Sun.
Oracle's decision to charge for a previously free MSOffice plugin, that allows it to read the Open Document Format (ODF), created a lot of irritation in the public domain community.
Meanwhile Oracle is continuing work on, Oracle Cloud Office, based on JavaFX technology. Remark that it  does not have the Open word in its name.
Recently Oracle closed up Sun's OpenSolaris OS. In response a community project, OpenIndiana, was created.
In a preemtive strike, the community (FSF, Oasis, Google, Novell, Red Hat, Gnome...)  now has declared it's independance of Oracle. Because Oracle holds the trademark, the suite has been rebranded to LibreOffice.

Glassfish 3 Admin Console hangs behind a proxy

When installing glassfish you can install the updatetool (default on) and configure proxysettings for it.
If the proxy settings do not match the currently active proxy the glassfish admin console may hang.
The glassfish web admin console will not forward your browser proxy settings to the updatetool, which has its own settings. It will wait for the updatetool to return, which never happens.

Here's a solution from the forums:
Change the update configuration using updatetool in GlassfishInstallDir/bin (it may ask you to install the tool first, just do so and start updatetool again).
In the tool go to preferences and enter correct proxy settings  (or disable automatic updates in the updates tab).

Alternatively, if you fail to install the tool, you can just kick out the module $GLASSFISH_HOME/glassfish/modules/console-updatecenter-plugin.jar by renaming it.

Google just bought you some GWT tools

Google bought the instantiations developer tools and makes them avaialable for free. The suite contains Eclipse GUI builders, code analysis and testing tools. more...

JSP Model 2 / Web MVC

Bronze medal for website Sint-Niklaas

The new website of the city of Sint-Niklaas, we built in partnership with the fine crew at coworks, ended on a third place in the Indigov Monitor. Indigov monitor screens all communal websites in Flanders and Brussels.
Great news!

How to get Java EE6 libraries

If you want to download Java EE6 libraries, Oracle bundles the whole glassfish server, and more with the java EE6 SDK. Other application servers also bundle the libraries.
That’ a whole lot of bloat if you just want to compile a little webapp. You can just put a small subset of the glassfish jars in your classpath:

• glassfish_install_dir/glassfish/modules/javax.servlet.jar
• glassfish_install_dir/glassfish/modules/javax.servlet.jsp.jar
• glassfish_install_dir/glassfish/modules/javax.servlet.jsp.jstl.jar 
• glassfish_install_dir/glassfish/modules/jstl-impl.jar
• glassfish_install_dir/glassfish/modules/javax.ejb.jar (if using ejb)

If you are using maven this is not so much of a problem, just add a dependency to your POM.

<dependencies>
  <dependency>
    <groupId>javaee</groupId>
    <artifactId>javaee-api</artifactId>
    <version>6.0</version>
    <scope>provided</scope>
  </dependency>
</dependencies>
<repository>
   <id>java.net</id>
   <name>GlassFish Maven Repository</name>
   <url>http://download.java.net/maven/2</url>
</repository>

Use artifactId javaee-web-api if you just want the web profile.
If you are not using maven, you can just download the jars from the maven repository:

• http://download.java.net/maven/2/javax/javaee-api/6.0/javaee-api-6.0.jar
• http://download.java.net/maven/2/javax/javaee-web-api/6.0/javaee-web-api-6.0.jar

For Java EE5 that is:

<dependency>
  <groupId>javaee</groupId>
  <artifactId>javaee-api</artifactId>
  <version>5</version>
  <scope>provided</scope>
</dependency>

• http://download.java.net/maven/1/javaee/jars/javaee-api-5.jar

Project cycle coverage by methodology

Internet map

French/Belgian newspapers sue public television

Newspapers judge that articles on the new RTBF site are unfair comptition, given that RTBF articles are payed by the government.The RTBF site is slooow, but that might just be a youth disease.
Having worked for the Corelio newspapers, I've seen the difficulty of making an online newspaper profitable.
You can argue that a public server is not needed where a good commercial service exists.
Then again, I would not like to see public television dropped in favour of commercial television, which is a case that is very similar to the public/commercial e-newspaper debate.

Google scribe

This is the ultimate blog entry: Written by the tool on topic. Put Scribe in your toolbar and it will autocomplete web forms.
Superb toy, at first glance it seems a bit too eager though, when positioned in the middle of a sentence, it tends to add stuff without asking.

Intel integrates optical connections in a chip

Intel has integrated optical transmitters (lasers) in silicon chips. Together with existing (and new high speed) optical receivers this will allow chips to communicate directly through optical connections.
In the medium term this can signal the end of electronical chip wiring.

Joda Time Presentation

Joda time is an alternative to java.util.Date and java.util.Calendar. An introduction.

The national cloud

Google has launched Google Apps for Government. It is a variant of its cloud application suite (mail, calendar, docs, ...) that is guaranteed to store its data in the US. Similar services for other countries may follow. It is clear that one country does not want to store its data in another country for security reasons.
It is interesting to see if this service will also come to Google App Engine and commercial applications.
It may remove an important legal hurdle: the country where an application's are stored will determine the laws that will be applied to them and under which jurisdiction actions on your data can be ordered.
Note that although Google guarantees where your data are stored, it does not guarantee where your application runs.

MVC diagram

Diagram for the InfoTool MVC example in SL-285

Google to introduce micropayment links

According to La Repubblica Google is developing a pay-per-click system, for visiting indexed links, called Newspass. Content propviders will be able to offer text, images and video that is found and payed through Google.

Applying UML and patterns: Quotes

Le temps est un gran professeur,
mais malheureusement il tue tous ses élèves.

Hector Berlioz

You should use iterative development only on projects you want to succeed.

Martin Fowler

Le mieux est l’ennemi du bien.

Voltaire

Fast, cheap, good: choose any two.

In theory, there’s no difference between practice and theory.
But, in practice, there is.

Jan van de Snepscheut

Hardware, n: The parts of a computer system that can be kicked.

0x2B | ~0x2B

Hamlet

Je n’aime pas ce mot bombe.
Ce n’est pas une bombe mais simplement un appareil qui explose.

Jacques Le Blanc, French ambassador to New Zealand, on France's nuclear testing

Cats are smarter than dogs.
You can’t get eight cats to pull a sled through the snow.

Jeff Valdez

To iterare is human,
to recurse divine.

Any sufficiently advanced bug is indistinguishable from a feature.

Rich Kulawiec

Luck is the residue of design.

Branch Rickey

Virtue is insufficient temptation.

George Bernard Shaw

Error, no keyboard – Press F1 to continue

early PC BIOS message

If you were plowing a field,
which would you rather use?
Two strong oxen or 1024 chickens?

Seymour Cray

The most likely way for the world to be destroyed, most experts agree, us by accident.
That’s where we come in;
we’re computer professionals.
We cause accidents.

Nathaniel Borenstein

internet liability

• A German court ruled someone can be liable if his WIFI connection is unprotected and that connection is used for illegal acts.


• Many end users do not understand a thing about internet security, it seams a bit harsh to punish them for that.
• It is like jailing someone because he left his car open and it was stolen to rob a bank.
• A US court ruled that if you are mailing a link to a website, you are liable for the contents of the page it links to.


• This is similar to an earlier ruling on links to illegal downloads.
• Liability for actual text is a different case all together. 

standalone tomcat?

A returning topic here is wether you should always run apache httpd as a front end to tomcat for a website.
While apache is more feature rich (non-JVM technologies, URL rewriting, authentication features...) performance is fine on a standalone tomcat:

JSP history of writing bean properties

• JSP 0.9

<% ActionForm form = (ActionForm) request.getAttribute(”LoginForm”); %>
<%= form.getUserName()%>

• JSP 1.0

<jsp:useBean id=“form" class=“be.uniway.LoginForm" />
<jsp:getProperty name=“form" property=“userName" />

• Struts

<bean:write name=“loginForm" property="userName"/>

• JSP 1.2

<c:out value} ="${loginForm.userName}">

• JSP 2.0

${loginForm.userName}

Browser fingerprinting

JSTL/JSP EL alternate Struts excercise solution

The De Post/PMC excercises (and the Struts blank sample application) are based on

• Struts
  • tags-bean
  • tags-logic
  • tags-html
• JSP scriptlets

In this post we will show how to move this to

• Struts
  • tags-html
• JSTL
• JSP expression language

To enable JSTL/JSP/EL support in your application follow these instructions. Here’s the table from the excercise rendered with JSTL/JSP EL:

<c:forEach  var="product" items="${List}"  varStatus ="status">
  <tr class="${(status.index%2==1)?'odd':'even'}">
    <td>
      <html:link action="<%=modify%>" paramId="id" paramName="product" paramProperty="id">
        <html:img srcKey="icon.edit" altKey="icon.alt.edit" border="0"/>
      </html:link> 
    </td> 
    <td>
      <html:link action="<%=remove %>" paramId="id" paramName="product" paramProperty="id">
        <html:img srcKey="icon.trash" altKey="icon.alt.trash" border="0"/>
      </html:link>
    </td>
    <td> ${product.name}</td> 
    <td> ${product.description}</td>
  </tr>
</c:forEach>

SAP buys Sybase

In my previous company our two main products were Sun and Sybase.
Both have now been sold within a short interval:
Sybase to SAP
Sun to Oracle

Struts 1 action (mapping) element

Dealing with Hibernate proxies

To deal with lazy loading Hibernate uses proxy objects.
Pitfalls for this approach have been documented. Basically the instanceof operator can fail on a sublcass of an entity.
The bug ticket on this has been rejected, with typical JBoss flair:

If you think this through a bit more carefully, you will see why it is impossible.

Gavin King

Still JPA compliancy requires the instanceof operator to work correctly.
Here are some ways to deal with the proxies:

• de-proxy
• visitor

ZFS Commands

Rosetta stone for Unix

A dynamic table with command equivalents for different flavours of Unix.

Oracle free software reality check

Policy shifts, almost 3 months after Oracle acquired Sun:

• Oracle has blocked access to Solaris security patches for people without a support contract.
• Oracle has stopped shipping free OpenSolaris CD’s.
• Oracle is discontinuing the open and free Sun Identity Manager.
• Oracle has made the MS Office ODF 1.2 plugin paying (with a minimum of $9000 for 100 users).

7500 users sell their soul online

From the legal conditions of GameStation:
By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamestation.co.uk or one of its duly authorised minions.

Solaris disk layout

On a SPARC system

• VTOC is in cylinder 0, sector 0 and can contain 8 slices
  
  
  • slice 2 by convention represents the entire disk
• the primary boot block is in cylinder 0, sectors 1-15
• A file system can start on cylinder 0, sector 16

On x86 the situation is a bit more complicated:

If Solaris is installed on cylinder 1 (typical) disk cylinder 1 = Solaris (relative) cylinder 0.
Solaris x86 VTOC supports 16 slices:

• 0-7: like SPARC slices
• 8: boot slice (relative cylinder 0)
• 9: on IDE/SATA disks default alternate slice (relative cylinder 1 and 2)
• 10-15: unused

Register a Solaris system for patch updates

You can bring a Solaris automatically up to date with the latest recommended or security (if you do not have a support contract) patches.

You can do this using

• a graphical tool: /usr/bin/updatemanager
• a command line tool: /usr/sbin/smpatch

updatemanager will guide you through a series of screens to register yourself and your system. Even if you use the graphical tool to register, you can use the command line interface later on to keep your system up to date.

Here’s the procedure to register without using the graphical updatemanager tool.

1. Register for a Sun Online account on the web. This is a common account for accessing SunSolve, Sun developer connection…
2. Prepare a registration file and fill in your user name, password, system and optionally other information like contract number and proxy. You can use /usr/lib/breg/data/RegistrationProfile.properties  as a template.
3. Register your system

 # sconadm –a –r <yourRegistrationFile>

Here’s a Sunsolve howto on this topic.

Gosling Goes

James Gosling father of euh... NeWS (Network Windowing System) leaves Sun Oracle.
A great many people will be yelling the end is nigh.
Not me.

Black hat SEO

Hackers automatically create pages with popular keywords (breaking news...) based on resources like Google Trends. They create networks of crosslinked bogus pages hosted on compromised, legitimate websites. When a crawler comes along the page is fed to the search engine.
When a user is redirected to the URL by a search engine, the site detects that this is a normal browser access and redirects the user to malware sites.
A paper by Sophos explains the technique.

passwords & toothbrushes

google maps: public transport

GUI architecture patterns

Model View Controller is the common architecture for graphical user interfaces.
There are however many variations on it, partly depending on the underlying technology.
As a result MVC is often misunderstood, and the same names are used for different beasts.
Here's a clear overview of MVC and its brethern.

Cloud: what's the what

A small internal intro to cloud computing and NoSQL (pdf)

Revision control tools survey

A recent small versioning tools survey on the Toughtworks development mailing list by Martin Fowler:

Subversion has replaced CVS as the tool of choice.

Appreciation of reputed commercial tools like Rational Clearcase and Microsoft Team Foundation Server (version control) is shockingly low.

Thoughtworks is both involved in Open Source projects (jMock, CruiseControl ...) as a MicroSoft Gold Certified Partner, so these opinions should be fairly neutral. 

Distributed tools Git (by Mr Linux, Linus Thorvalds) and Mercurial get the highest approval rates. These tools copy the whole repository to the local system, not just the revision you're working on. Advantages are:

• you can work with revisions while being diconnected
  
  • faster access
• commit and publish are separate events.
  
  • developers can more easily make an intermediate commit before starting to write speculative code, without having to worry about the commit breaking the published code.
  • extra actions can be added between commit and publish
    
    • publish permission can be restricted

On the other hand subversion has an intuitive command line interface and the better windows GUI. You'd expect it to be more economic on disk space on the client as it does not store all revisions, but this is not the case, due to the efficient diff/storage algorithms of tools like git.

Belgian EID risks

Interesting papers on Belgian EID by Pieter Verhaegen: 

• Threats 
• Improvements

Belgian e-ID description
The Belgian e-ID card is a smart card that allows Belgian citizens to prove their identity and to sign electronic documents. Private information such as the owner's name, his address, a digital picture of the owner and his National Registry Number (Social Security Number) is stored on the card and signed by the government. Two PIN-protected key pairs allow digital authentication and signing.
Pilot projects for foreigner and kids e-ID cards are being executed.
To use the card in (web) applications the user needs a card reader and a middleware application (by the fedict government service). Applications typically interact with the card via an API  offered by this middleware, which is documented in the developer guide.
The card's public keys are embedded in a certificate containing the RRN and the name of the card holder, signed by the government. The private keys can only be activated (not read) with a PIN code.


Some of Pieter's remarks

• The unique identity key is the National Registry Number (RRN).  The Belgian Privacy commission states that this key may only be stored by applications after official approval by them (National register act of 8/8/1983, ammended 25/3/2003, art 5), as mentioned in the FAQ. The FAQ sugggests to use a hash instead of the RRN.
• As the RRN is not protected by the PIN, developers tend to think that just reading it is sufficient for authentication, rather that using client side SSL authentication.
• Once the authentication PIN is entered, the authentication certificate can be used multiple times without notifying the user. A malicious application might authenticate to other sites on the user's behalf

The FEDICT middleware application is not mandatory. It can be replaced by another application. This is at once a risk (malicious middleware application) and a  feature (openness, extensibility). The eid-applet, for instance, can be used with or without the middleware and comes with an excellent developer guide.

Some tips on using e-ID in an application.

virtual strike

This week all sites of Belgian agencies look different...

Lucene in the cloud (with diamonds)

Solr is now AmazonEC2 ready.
Acquia, the company behind Drupal, is selling Acquia Search, a commercial service based on it.
Another Lucene based server which we've been using, Searchblox, is also available commercially on AmazonEC2.

Rebranded

Java / web application security links

• Java security libraries and frameworks
• Java 6 SE Security
• JEE 5 tutorial security chapters
• Spring Security (formerly acegi)
•  Java security guidelines, vulnerabilities and assessment
• Open Web Application Security Project (OWASP)
• Web application top ten vulnerabilities
• Building Secure Web Applications and Web Services
• Code Review Guide
• Web Application Testing
• Center for Internet Security (CIS)
• apache web server
• tomcat
• U.S. DOD DISA (Defense Information Systems Agency) Security Technical Implementation Guides (STIGS)
• Security checklists (application development, webserver general, tomcat, weblogic, apache...)
• Web server STIG 


• JavaScript (GWT)

Our security officer

On google, human rights and business opportunities

Chinese efforts to censor the Internet have been very limited.

Bill Gates

Sunset

After what seemed like ages, the EC has given the green light to the take over of Sun by Oracle.
I have been working on Sun almost from the start of my working life, so this is a bit of a sad moment.
The delay was caused by opposition by former MySQL owners, and hurt Sun badly.
These guys first cashed in when they sold their product and now wanted to have their word to say on what happens with it. I entirely agree with old JBoss badmouth Marc Fleury on this.