Load Properties in Spring MVC

This is a really trivial case, but I have to cover it, because you never know when you'll need it.

We have our application and we need to load a Properties file and use it, specifically in one of your Controllers, just like this...

I know! When we say spring + properties files, everybody think on this case (don't you?): <!-- Properties file certain specific App Stuff --> <context:property-placeholder location="classpath:my-application.properties"/> <!-- Creates reCaptcha Instance --> <bean id="reCaptcha" class="net.tanesha.recaptcha.ReCaptchaImpl"> <property name="privateKey" value="${recaptcha.private.key}" /> <property name="publicKey" value="${recaptcha.public.key}" /> <property name="includeNoscript" value="false" /> </bean>
But this is not the case I want to cover right now, because the one I want to cover is this one:

String value = (String)properties.get(key);

@Controller @RequestMapping(value = "/sitexfer/*") public class SiteXrefController extends BaseCustomController { private static final Logger log = Logger.getLogger(SiteXrefController.class); @Autowired private HttpClient httpClient; @Autowired @Qualifier("SiteXferProperties") private Properties properties; ... private String executeTest(final String serverType, final String instance, final Enumeration<String> headerNames, final HttpServletRequest request){ log.debug("Testing=" + instance + ", serverType=" + serverType); log.debug("Additional Params: " + headerNames); String result = ""; String url = (String)properties.get(serverType+"."+instance); ... return result; } .... } Ahhhh! That's what I meant :D

How can I do that? Simple, trust in Spring! (may the Spring be with you :P ) By using Util Schema <util:properties id="SiteXferProperties" location="classpath:sitexfer-application.properties"/> <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd"> <util:properties id="SiteXferProperties" location="classpath:sitexfer-application.properties"/> <context:annotation-config/> <context:component-scan base-package="com.bofa.sitexfer.web.controller"/> </beans>

Piece of cake
Pan comido

Cross-site Scripting (XSS)

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

The normal practice is to HTML-escape any user-controlled data during redisplaying in JSP, not during processing the submitted data in servlet nor during storing in DB. In JSP you can use the JSTL (to install it, just drop jstl-1.2.jar in /WEB-INF/lib) <c:out> tag or fn:escapeXml function for this. E.g.

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> ... <p>Welcome <c:out value="${user.name}" /></p> OR <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %> ... <input name="username" value="${fn:escapeXml(param.username)}">
This is the classic example: http://127.0.0.1:8088/sitexfer-testing/index.jsp?ERROR_MSG=INVALID_TARGET_DOMAIN&authtype=AUTH_T3%20style=width:expression(alert(1))&appname=DEFAULT_TIER3&TARGET=%24SM%24http%3A%2F%2Fwww.google.com Look carefully to the param authtype, did you see the alert(1)??? If you don't write safe code, you might get an infinite loop in your screen :)

For more details please go to: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Log4jConfigListener Deployment Issue on WebLogic

It looks like Spring framework's Log4jConfigListener is having an issue when webapp is deployed as WAR.
Log4jConfigListener is defined in web.xml. I got the below error while deploying the application in weblogic 10.3:

 
weblogic.management.DeploymentException: Cannot set web app root system property when WAR file is not expanded - with nested exception:  [java.lang.IllegalStateException: Cannot set web app root system property when WAR file is not expanded].

The solution is deploy the WAR as exploded or don't use Log4jConfigListener. The spring framework documentation also says the WAR should be exploded.

But... there is a solution available to this without any code change. We just need to set "Archived Real Path Enabled" option checked, just like this:


1. Go to server admin console->Domain-> Web applications. Click the checkbox of Archived Real Path Enabled. This should make an entry into domain config.xml as below. <web-app-container> <show-archived-real-path-enabled>true</show-archived-real-path-enabled> </web-app-container> 2. Second option is at webapp level by updating weblogic.xml as below: true The value of set in the web app has precedence over the value set at the domain level. The default value of this property is false.

This is my example: <?xml version="1.0" encoding="UTF-8"?> <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd"> <wls:context-root>sitexfer-testing</wls:context-root> <wls:container-descriptor> <wls:show-archived-real-path-enabled>true</wls:show-archived-real-path-enabled> </wls:container-descriptor> </wls:weblogic-web-app>

Deployment in WebLogic

Hi people!
It's been a while since I worked with WebLogic (to be specific in 2004-2005), so I forgot some specific tricks that you've to know (now that I rely a lot on my always reliable Maven and STS), but there is one really important: Don't forget to include in your WEB-INF folder your weblogic.xml <?xml version="1.0" encoding="UTF-8"?> <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd"> <wls:context-root>sitexfer-testing</wls:context-root> <wls:container-descriptor> <wls:check-auth-on-forward/> <wls:show-archived-real-path-enabled>true</wls:show-archived-real-path-enabled> </wls:container-descriptor> </wls:weblogic-web-app>

I really hate to get married with propietary technologies, my philosophy is simple: (besides "Work Hard, Have Fun") "Use Open Source and Never get married to any vendor" (I usually develop using Tomcat and my target server could be something else - like 90% of my projects - and same thing happens with DB)

SVN for Open Source Projects 4 Free

Have your ever wanted to have your own SVN server on the internet, but don't have enough resources to maintain it?
Is your project an Open Source project?
Does it have only Educational Purposes??
If that's the case, I have an option for you: code.google.com
I just uploaded one of my experiments (my little store app) and it works really nice, unfortunately as all the free stuff on the web, it has some restrictions, but the most important is the space; your quota is just limited to 4096MB LOL!

Now you know, if you don't mind to be judged by the entire open source community and by curious people and some trolls, this is the place to put your experiments and share them with you somewhere else with a SVN client & your friends (& the world!)