Sunday, May 22, 2011

Load Properties in Spring MVC

This is a really trivial case, but I have to cover it, because you never know when you'll need it.

We have our application and we need to load a Properties file and use it, specifically in one of our Controllers, just like this...

I know! When we say Spring + properties files, everybody thinks of this case (don't you?):
But this is not the case I want to cover right now, because the one I want to cover is this one:
String value = (String)properties.get(key);


Ahhhh! That's what I meant :D

How can I do that? Simple, trust in Spring! (may the Spring be with you :P ) By using the Util schema:

Piece of cake!

Friday, May 20, 2011

Cross-site Scripting (XSS)

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The normal practice is to HTML-escape any user-controlled data when it is redisplayed in the JSP, not while processing the submitted data in the servlet, nor while storing it in the DB. In JSP you can use the JSTL <c:out> tag or the fn:escapeXml function for this (to install JSTL, just drop jstl-1.2.jar in /WEB-INF/lib). E.g.

OR
This is the classic example: look carefully at the param authtype, did you see the alert(1)??? If you don't write safe code, you might get an infinite loop on your screen :)
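As an added illustration (not code from the original post), here is a JSP fragment that puts the unescaped output of the authtype parameter next to the two JSTL forms mentioned above; the parameter name comes from the post, the page layout is assumed:

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!DOCTYPE html>
<html>
<head><title>Login (constructed example page)</title></head>
<body>

<%-- UNSAFE: plain EL in template text is NOT escaped, so a request such as
     ?authtype=<script>alert(1)</script> is written into the page as markup
     and the browser executes it. --%>
<p>Auth type: ${param.authtype}</p>

<%-- SAFE: <c:out> escapes <, >, &, ' and " by default (escapeXml="true"),
     so the same parameter is rendered as visible text, not as a tag. --%>
<p>Auth type: <c:out value="${param.authtype}"/></p>

<%-- SAFE: fn:escapeXml does the same escaping as a function, which is the
     convenient form inside attribute values. --%>
<form method="get">
  <input type="text" name="authtype" value="${fn:escapeXml(param.authtype)}"/>
  <input type="submit" value="Retry"/>
</form>

</body>
</html>
```

Both JSTL forms only cover the HTML body and quoted attribute contexts; a value placed inside a <script> block or a URL needs its own context-specific encoding.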

For more details please go to: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Wednesday, May 18, 2011

Log4jConfigListener Deployment Issue on WebLogic

It looks like the Spring Framework's Log4jConfigListener has an issue when the webapp is deployed as a WAR.
Log4jConfigListener is defined in web.xml. I got the below error while deploying the application in WebLogic 10.3:

weblogic.management.DeploymentException: Cannot set web app root system property when WAR file is not expanded - with nested exception:  [java.lang.IllegalStateException: Cannot set web app root system property when WAR file is not expanded].

The solution is to deploy the WAR exploded, or not to use Log4jConfigListener. The Spring Framework documentation also says the WAR should be exploded.

But... there is a solution to this without any code change. We just need to check the "Archived Real Path Enabled" option, like this:


1. Go to the server admin console -> Domain -> Web Applications and check the "Archived Real Path Enabled" checkbox. This should make an entry in the domain config.xml as below.
2. The second option is at the webapp level, by updating weblogic.xml as below: true

The value set in the web app has precedence over the value set at the domain level. The default value of this property is false.

This is my example:

Tuesday, May 17, 2011

Deployment in WebLogic

Hi people!
It's been a while since I worked with WebLogic (to be specific, in 2004-2005), so I forgot some specific tricks that you have to know (now that I rely a lot on my always reliable Maven and STS), but there is one really important one: don't forget to include your weblogic.xml in your WEB-INF folder.

I really hate getting married to proprietary technologies; my philosophy is simple (besides "Work Hard, Have Fun"): "Use Open Source and never get married to any vendor" (I usually develop using Tomcat and my target server could be something else, like in 90% of my projects, and the same thing happens with the DB).

Monday, May 9, 2011

SVN for Open Source Projects 4 Free

Have you ever wanted to have your own SVN server on the internet, but don't have enough resources to maintain it?
Is your project an Open Source project?
Does it have only educational purposes??
If that's the case, I have an option for you: code.google.com
I just uploaded one of my experiments (my little store app) and it works really nicely; unfortunately, like all the free stuff on the web, it has some restrictions, but the most important one is space: your quota is limited to just 4096MB LOL!

Now you know: if you don't mind being judged by the entire open source community, by curious people and by some trolls, this is the place to put your experiments and share them with yourself somewhere else through an SVN client, with your friends (& the world!)