Monday, February 29, 2016
API Development and Study
- http://developer.nytimes.com/docs/read/article_search_api_v2
- http://stackoverflow.com/questions/7238094/securing-rest-api-without-reinventing-the-wheel
- http://stackoverflow.com/questions/853620/secure-web-services-rest-over-https-vs-soap-ws-security-which-is-better?rq=1
- http://stackoverflow.com/questions/942951/rest-api-error-return-good-practices?rq=1
- https://en.wikipedia.org/wiki/Replay_attack
- http://stackoverflow.com/questions/1418114/questions-on-proper-rest-design
- http://stackoverflow.com/questions/292732/self-signed-ssl-cert-or-ca
- http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service?rq=1
- http://stackoverflow.com/questions/319530/restful-authentication?lq=1
- http://security.stackexchange.com/questions/115100/securities-concerns-about-calling-rest-api-from-multiple-servers
- https://www.schneier.com/blog/archives/2012/10/sony_playstatio.html
- http://madhatted.com/2013/3/19/suggested-rest-api-practices
- http://stackoverflow.com/questions/20951419/what-are-best-practices-for-rest-nested-resources
- http://docs.oracle.com/middleware/1213/wls/RESTF/secure-restful-service.htm#RESTF284
Indexing: indexing helps when tuning SQL performance.
Tables a and b are identical and contain 1000 rows each, with a column b of type BOX.
select * from a cross join b where (a.b && b.b); --- 0.28 s
Here 1,000,000 box overlap (operator &&) tests are completed in 0.28 s. The test data set is generated so that the result set contains only 1000 rows.
create index a_b on a using gist(b);
create index b_b on b using gist(b);
select * from a cross join b where (a.b && b.b); --- 0.01 s
Here the GiST indexes are used to optimize the cross join, and the speedup is dramatic.
Wednesday, February 24, 2016
log4javascript quick start tutorial
Three step guide
1. Download the code
Unzip the distribution and copy log4javascript.js into the desired location. No other files are necessary.
2. Initialize log4javascript in your web page
Include log4javascript.js in your page using the code below. This code assumes log4javascript is stored in the same directory as your web page.
<script type="text/javascript" src="log4javascript.js"></script>
<script type="text/javascript">
var log = log4javascript.getDefaultLogger();
</script>
The default logger uses a PopUpAppender, which opens a pop-up window. By default, this window will open when the first log message is written. For this to work, you will need to disable any pop-up blockers you may have.
3. Include logging statements in your code
You have six logging methods at your disposal, depending on the severity of the message you wish to log. By default, all messages are logged in the pop-up window. The logging methods are:
log.trace(message[, message2, ... ][, exception])
log.debug(message[, message2, ... ][, exception])
log.info(message[, message2, ... ][, exception])
log.warn(message[, message2, ... ][, exception])
log.error(message[, message2, ... ][, exception])
log.fatal(message[, message2, ... ][, exception])
Logging examples
A simple logging message string
log.info("Hello world");
displays
19:52:03 INFO - Hello world
Logging an error with a message
try {
    throw new Error("Faking something going wrong!");
} catch (e) {
    log.error("An error occurred", e);
}
displays
19:52:32 ERROR - An error occurred
Exception: Faking something going wrong! on line number 80 in file basic.html
Logging multiple messages with one logging call
var a = "Hello";
var b = 3;
log.debug(a, b);
displays
19:53:05 DEBUG - Hello 3
Logging an object
var obj = new Object();
obj.name = "Octopus";
obj.tentacles = 8;
log.info(obj);
displays
19:53:17 INFO - { name: Octopus, tentacles: 8 }
Tweaking the default logger
The default logger is fine as a starting point, but what if you want the default logger with a few different options (say, bringing the pop-up to the front whenever a log message is logged, or having new log messages appear at the top of the pop-up rather than the bottom)? In this case, you will need to create a new logger, then create a PopUpAppender, set options on it, and add it to the logger:
<script type="text/javascript" src="log4javascript.js"></script>
<script type="text/javascript">
// Create the logger
var log = log4javascript.getLogger();
// Create a PopUpAppender with default options
var popUpAppender = new log4javascript.PopUpAppender();
// Change the desired configuration options
popUpAppender.setFocusPopUp(true);
popUpAppender.setNewestMessageAtTop(true);
// Add the appender to the logger
log.addAppender(popUpAppender);
// Test the logger
log.debug("Hello world!");
</script>
Refer to the manual for more information about configuring appenders and more details about PopUpAppender.
Sending log messages to the server
For this you will need to use an AjaxAppender as follows:
var ajaxAppender = new log4javascript.AjaxAppender(URL);
log.addAppender(ajaxAppender);
Now your log messages will appear in the pop-up window and be sent asynchronously to the URL you specify in the form of HTTP POST parameters. No server-side code to process these requests is provided with log4javascript.
See AjaxAppender for more details on formatting log messages.
Changing the format of log messages
Using a Layout, you can format log messages however you like. For example:
var log = log4javascript.getLogger("mylogger");
var popUpAppender = new log4javascript.PopUpAppender();
var layout = new log4javascript.PatternLayout("[%-5p] %m");
popUpAppender.setLayout(layout);
// The appender must be attached to the logger for the layout to take effect
log.addAppender(popUpAppender);
A call to
log.debug("Hello world");
will now result in output in the pop-up window of
[DEBUG] Hello world
See PatternLayout for more details on formatting log messages.
Written by Tim Down. tim@log4javascript.org
log4javascript is distributed under the Apache License, Version 2.0
Original Link: http://log4javascript.org/docs/quickstart.html
Mail Sending procedure using struts2
1. To send mail from the project through a Gmail account, the account must first be set to allow less secure apps. Open the link below and enable the option.
https://www.google.com/settings/security/lesssecureapps
Access for less secure apps: Enabled
Google's notice for this setting reads: "You can switch to an app made by Google such as Gmail to access your account (recommended) or change your settings at https://www.google.com/settings/security/lesssecureapps so that your account is no longer protected by modern security standards."
2. Struts.xml:
<!-- SMTP configuration -->
<param name="host">smtp.gmail.com</param>
<param name="port">465</param>
<param name="userName">mohona.ict.mbstu@gmail.com</param>
<param name="password">makhondim77$#@!</param>
<!-- End of SMTP configuration -->
3. EmailUtility.java:
Properties props = new Properties();
props.put("mail.smtp.user", userName);
props.put("mail.smtp.password", password);
props.put("mail.smtp.host", host);
props.put("mail.smtp.port", port);
props.put("mail.debug", "true");
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.starttls.enable", "true");
props.put("mail.smtp.EnableSSL.enable", "true");
props.setProperty("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.setProperty("mail.smtp.socketFactory.fallback", "false");
props.setProperty("mail.smtp.port", "465");
props.setProperty("mail.smtp.socketFactory.port", "465");
Here the port number must be 465 (SMTP over SSL), matching the socketFactory.port setting above.
4. Links:
http://www.codejava.net/frameworks/struts/send-e-mail-with-attachments-in-struts2?showall=&start=4
5. http://www.codejava.net/attachments/article/221/Struts2EmailApp.zip
6. Error: org.xml.sax.SAXParseException: The entity name must immediately follow the '&' in the entity reference.
If the password in the XML file contains an & sign, for example makhondim77(*&, then the special characters have to be escaped according to the following rules.
Common XML escapes:
- ampersand (&) is escaped to &amp;
- double quotes (") are escaped to &quot;
- single quotes (') are escaped to &apos;
- less than (<) is escaped to &lt;
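As an added example (not part of the original post), the class below escapes a value before it is placed in a struts.xml param element, then parses the fragment with the JDK's own XML parser to show both the SAXParseException from the unescaped form and that the escaped form reads back as the original value. The sample password and the escapeXml/passwordParam/readParamValue names are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example, not from the original post: escaping a password before writing
// it into struts.xml and checking the round trip through the JDK XML parser.
public class XmlParamEscaping {

    /** Escapes the five characters that are special in XML text and attribute values. */
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the param element exactly as it would appear inside struts.xml. */
    public static String passwordParam(String rawPassword) {
        return "<param name=\"password\">" + escapeXml(rawPassword) + "</param>";
    }

    /** Parses a fragment with DTDs disabled (no external entities) and returns the element text. */
    public static String readParamValue(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value containing every character that needs escaping.
        String rawPassword = "example77(*&!<>\"'";

        // Unescaped: the parser stops at the '&' with the SAXParseException quoted in the post.
        try {
            readParamValue("<param name=\"password\">" + rawPassword + "</param>");
        } catch (SAXParseException e) {
            System.out.println("unescaped value rejected: " + e.getMessage());
        }

        // Escaped: the fragment parses, and the text content is the original password again.
        String fragment = passwordParam(rawPassword);
        System.out.println(fragment);
        String roundTrip = readParamValue(fragment);
        if (!roundTrip.equals(rawPassword)) {
            throw new AssertionError("round trip changed the value");
        }
        System.out.println("round trip OK");
    }
}
```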
SQL Injection and how to prevent it (Hibernate/JPA/SQL)
SQL Injection
1. Prepared Statement and Callable Statement:
A PreparedStatement represents a precompiled SQL statement that can be executed multiple times without having to recompile for every execution.
Secure Code:
PreparedStatement stmt = connection.prepareStatement("SELECT * FROM users WHERE userid=? AND password=?");
stmt.setString(1, userid);
stmt.setString(2, password);
ResultSet rs = stmt.executeQuery();
Why is this code secure?
Ans: This code is not vulnerable to SQL Injection because it correctly uses parameterized queries. By utilizing Java's PreparedStatement class, bind variables (i.e. the question marks) and the corresponding setString methods, SQL Injection can be easily prevented.
Vulnerable Code 1:
// Example #1
String query = "SELECT * FROM users WHERE userid ='" + userid + "'" + " AND password='" + password + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
Why is this code vulnerable?
Ans: This code is vulnerable to SQL Injection because it uses dynamic queries to concatenate malicious data into the query itself. Notice that it uses the Statement class instead of the PreparedStatement class.
Vulnerable Code 2:
// Example #2
String query = "SELECT * FROM users WHERE userid ='" + userid + "'" + " AND password='" + password + "'";
PreparedStatement stmt = connection.prepareStatement(query);
ResultSet rs = stmt.executeQuery();
Why is this code vulnerable?
Ans: This code is also vulnerable to SQL Injection. Even though it uses the PreparedStatement class, it is still creating the query dynamically via string concatenation, so there are no bind variables for the driver to protect.
2. Hibernate:
How to fix SQL Injection using Hibernate?
Hibernate facilitates the storage and retrieval of Java domain objects via Object/Relational Mapping (ORM). It is a very common misconception that ORM solutions like Hibernate are SQL Injection proof. Hibernate allows the use of "native SQL" and defines a proprietary query language named HQL (Hibernate Query Language); the former is prone to SQL Injection and the latter is prone to HQL (or ORM) injection.
This article is intended to illustrate which of the syntax forms Hibernate offers for defining SQL and HQL are safer than others in terms of defence against SQL and/or HQL injection attacks.
Secure Usage:
Code-1:
/* Positional parameter in HQL */
Query hqlQuery = session.createQuery("from Orders as orders where orders.id = ?");
List results = hqlQuery.setString(0, "123-ADB-567-QTWYTFDL").list();
Code-2:
/* Named parameter in HQL */
Query hqlQuery = session.createQuery("from Employees as emp where emp.incentive > :incentive");
List results = hqlQuery.setLong("incentive", 10000L).list();
Code-3:
/* Named parameter list in HQL */
List items = new ArrayList();
items.add("book");
items.add("clock");
items.add("ink");
List results = session.createQuery("from Cart as cart where cart.item in (:itemList)").setParameterList("itemList", items).list();
Code-4:
/* JavaBean in HQL */
Query hqlQuery = session.createQuery("from Books as books where books.name = :name and books.author = :author");
List results = hqlQuery.setProperties(javaBean).list();
// assumes javaBean has getName() & getAuthor() methods.
Code-5:
/* Native SQL */
Query sqlQuery = session.createSQLQuery("Select * from Books where author = ?");
List results = sqlQuery.setString(0, "Charles Dickens").list();
Why are the above 5 code snippets secure?
Ans: The above code snippets use parameter binding to set data. The JDBC driver will escape this data appropriately before the query is executed, making sure that data is used just as data.
Assuming the data used in the above code snippets is user input that has not been validated or escaped and contains malicious database code (payload), the payload will be escaped appropriately by the JDBC driver (since parameterized queries are used), such that it is used as data and not as code.
Vulnerable Code:
List results = session.createQuery("from Orders as orders where orders.id = " + currentOrder.getId()).list();
List results = session.createSQLQuery("Select * from Books where author = " + book.getAuthor()).list();
Why is this code vulnerable?
Ans: Assuming orderId and author are user input that has not been validated or escaped, the above queries are vulnerable to SQL and HQL (ORM) injection attacks.
3. Java Persistence API (JPA):
How to fix SQL Injection using the Java Persistence API (JPA)?
Java Persistence API (JPA) is an ORM solution that is a part of the Java EE framework. It helps manage relational data in applications that use Java SE and Java EE. It is a common misconception that ORM solutions like JPA are SQL Injection proof. JPA allows the use of native SQL and defines its own query language, named JPQL (Java Persistence Query Language). The former is prone to traditional SQL injection attacks and the latter is prone to JPQL (or ORM) injection attacks.
This article is intended to illustrate which of the syntax forms JPA offers for defining SQL and JPQL are safer than others in terms of defence against SQL and/or JPQL injection attacks.
Secure usage:
Code-1:
/* Positional parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
List results = jpqlQuery.setParameter(1, "123-ADB-567-QTWYTFDL").getResultList();
Code-2:
/* Named parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
List results = jpqlQuery.setParameter("incentive", 10000L).getResultList();
Code-3:
/* Named query in JPQL - query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
Query jpqlQuery = entityManager.createNamedQuery("myCart");
List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();
Code-4:
/* Native SQL */
Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();
Why are the above 4 code snippets secure?
Ans: The above code snippets use parameter binding to set data. The JDBC driver will escape this data appropriately before the query is executed, making sure that data is used just as data.
Assuming the data used in the above code snippets is user input that has not been validated or escaped and contains malicious database code (payload), the payload will be escaped appropriately by the JDBC driver (since parameterized queries are used), such that it is used as data and not as code.
Vulnerable Code:
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();
List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();
int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
Why is this code vulnerable?
Ans: Assuming orderId, author and itemId are user input that has not been validated or escaped as required, the above queries are vulnerable to SQL and JPQL (ORM) injection attacks.
Code (no bind variables, still vulnerable):
String strUserName = request.getParameter("Txt_UserName");
PreparedStatement prepStmt = con.prepareStatement("SELECT * FROM user WHERE userId = '" + strUserName + "'");
So be sure to use Prepared Statements WITH ALL Bind Variables.
Code (secure):
String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
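As an added example (not from the post or the articles it copies), the class below applies the "all bind variables" rule from the PreparedStatement section: the user-supplied userid always travels as a bind variable (so a legitimate value containing a quote is handled as data), and the one fragment that cannot be bound, the ORDER BY column, is checked against a fixed allow-list instead of being concatenated from user text. Assumptions: a constructed table users(userid, email), the H2 in-memory database on the classpath (or any JDBC URL passed as the first argument), and Java 9 or later.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not from the original post. Assumes the H2 JDBC driver is on the
// classpath for the in-memory database; any JDBC connection works for the query methods.
public class SafeUserQueries {

    // Identifiers cannot be bound with '?', so the sort column must come from our own
    // fixed allow-list rather than from request input.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("userid", "email");

    /** Looks up a user's e-mail addresses; the userid is a bind variable, never SQL text. */
    public static List<String> findEmailsByUserId(Connection con, String userId) throws SQLException {
        String sql = "SELECT email FROM users WHERE userid = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> out = new ArrayList<>();
                while (rs.next()) out.add(rs.getString(1));
                return out;
            }
        }
    }

    /** Lists user ids sorted by a caller-chosen column, accepted only if it is allow-listed. */
    public static List<String> listUserIdsSortedBy(Connection con, String sortColumn) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // Concatenation is acceptable here only because sortColumn is one of our constants.
        String sql = "SELECT userid FROM users ORDER BY " + sortColumn;
        try (PreparedStatement ps = con.prepareStatement(sql); ResultSet rs = ps.executeQuery()) {
            List<String> out = new ArrayList<>();
            while (rs.next()) out.add(rs.getString(1));
            return out;
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = args.length > 0 ? args[0] : "jdbc:h2:mem:demo";
        try (Connection con = DriverManager.getConnection(url)) {
            // Constructed sample data; the second userid deliberately contains an apostrophe.
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE users(userid VARCHAR(64) PRIMARY KEY, email VARCHAR(128))");
                st.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')");
                st.execute("INSERT INTO users VALUES ('o''brien', 'ob@example.com')");
            }
            // With a bind variable the apostrophe is plain data; concatenated into the SQL
            // text it would instead terminate the string literal and break the statement.
            System.out.println("o'brien -> " + findEmailsByUserId(con, "o'brien"));
            System.out.println("sorted by email -> " + listUserIdsSortedBy(con, "email"));
            try {
                listUserIdsSortedBy(con, "created_at");   // not in the allow-list
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```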
Tuesday, February 23, 2016
Learning and Coding Area
1. Github -- Coding
2. Online problem solving rating(https://codility.com/, https://www.hackerrank.com/domains, Codechef, ACM etc.)
3. StackOverflow.com
4. Linkedin.com
5. Youtube Video Channel
Monday, February 22, 2016
HashMap Vs HashTable
- HashMap permits one null key and multiple null values. Hashtable doesn't permit any sort of nulls (key or values).
- http://javahungry.blogspot.com/2014/03/hashmap-vs-hashtable-difference-with-example-java-interview-questions.html
Sunday, February 21, 2016
Next Episode - 1
- http://java67.blogspot.sg/2014/01/how-hashset-is-implemented-or-works-internally-java.html
- http://sqlblog.com/blogs/aaron_bertrand/archive/2009/10/08/bad-habits-to-kick-using-old-style-joins.aspx
- https://phpdelusions.net/sql_injection
- https://xhr.spec.whatwg.org/
- http://www.indeed.com/r/Md-Mahedi-Kaysar/96b3e2cac2099cf7
- http://stackoverflow.com/users/13/chris-jester-young
Wednesday, February 17, 2016
What is law of Demeter?
When passing parameters to a method: if I need only one parameter (field) of an object, I pass just that parameter of the object, not the whole object. Passing the whole object would be a violation of the Law of Demeter.
Never break the Law of Demeter (LoD)
Breaking the Law of Demeter is like looking for a needle in a haystack
class Mechanic {
Engine engine;
Mechanic(Context context) {
this.engine = context.getEngine();
}
}
A given object should assume as little as possible about the structure or properties of anything else (including its sub-components)
The Mechanic does not care for the Context. You can tell because Mechanic does not store the reference to Context. Instead the Mechanic traverses the Context and looks for what it really needs, the Engine.
1. To write tests, I have to create the Context just so when I construct the Mechanic it can reach in the Context and get what it really needs, the Engine. But context is never something which is easy to create.
2. Today we have fancy tools such as JMock and EasyMock, surely we can mock out Context. Yes, you can! BUT:
3. Typical setup of a mock is about 5 lines of code. So your test will contain a lot of junk which will mask the real purpose of the test.
4. These tests will be fragile. Every time you refactor something in context, or how context interacts, you are running the risk of breaking your tests.
5. What if you want to test class Shop which needs a reference to Mechanic? Well then you have to mock out Context again
What is the single responsibility principle?
Single Responsibility Principle:
A class should follow its own architectural role and play only that role. A DAO class, for example, should not do any business-logic related task.
If it does, that is a violation of the single responsibility principle.
Monday, February 15, 2016
Some Interview Questions
Most Important Questions were as follows:
1) Difference between == and equals()
2) What are the requirements for an object to be used as a key in a HashMap?
3) What is the difference between ConcurrentMap and SynchronizedMap?
4) What is the difference between HashMap and TreeMap?
5) Which collection should you use if you need to do frequent delete/insert operations?
6) Which collection should you use if you need faster get operations?
7) How did you handle security in Spring?
8) How did you handle dynamic queries in MyBatis?
9) What is the difference between a REST app and a REST web service?
10) How did you handle transactions in your project?
11) How did you handle composite primary keys in Hibernate?
12) How did you handle many-to-many relationships in Hibernate?
13) What collections are available in the Hibernate framework?
14) How did you handle optimistic locking in Hibernate?
Question:
What are the requirements for an object to be used as a key in a HashMap?
Ans:
You need to override equals() and hashCode() methods of a class whose objects you want to use as Key in a hashmap... This is required because hashmap uses these 2 methods to retrieve the stored values... Read implementation of hashmap for more details... It will clear away your doubt completely.
When a class does not override the equals() or hashCode() methods, the default implementations found on the Object class are used instead. In particular, equals() simply does a check for reference equality.
That immediately explains why your approach isn't working: the new Key object clearly isn't referring to the old Key object.
If you'd like to be able to specify a new instance with the same property, then you should override the equals() method with an implementation that meets your criteria for key equality. You should override hashCode() as well, to have full control over the key comparison process.
Resource Link:
- https://www.quora.com/What-two-methods-do-you-need-to-implement-a-key-object-in-HashMap
- https://stackoverflow.com/a/9440415/2293534
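As an added example (not from the answers quoted above), the class below performs the same lookup twice: once with a key class that inherits Object's reference-equality equals()/hashCode(), and once with a key class that overrides both. The IdentityKey and ValueKey names and the sample ids are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example, not from the original answers: why a HashMap key needs
// equals() and hashCode() overridden together.
public class HashMapKeyDemo {

    /** Key that keeps Object's defaults: two instances are equal only if they are the same reference. */
    static final class IdentityKey {
        final String id;
        IdentityKey(String id) { this.id = id; }
    }

    /** Key that defines equality by its (immutable) field, with a hashCode() consistent with equals(). */
    static final class ValueKey {
        final String id;
        ValueKey(String id) { this.id = id; }
        @Override public boolean equals(Object o) {
            return o instanceof ValueKey && ((ValueKey) o).id.equals(id);
        }
        @Override public int hashCode() { return Objects.hash(id); }
    }

    /** Stores under one IdentityKey instance and looks up with a fresh instance carrying the same id. */
    public static boolean identityKeyLookupSucceeds() {
        Map<IdentityKey, String> m = new HashMap<>();
        m.put(new IdentityKey("user-42"), "Alice");
        // A different reference: the inherited hashCode() almost certainly lands in another
        // bucket, and even on a collision the inherited equals() does not match.
        return m.containsKey(new IdentityKey("user-42"));
    }

    /** Same experiment with ValueKey: equal field values hash to the same bucket and compare equal. */
    public static boolean valueKeyLookupSucceeds() {
        Map<ValueKey, String> m = new HashMap<>();
        m.put(new ValueKey("user-42"), "Alice");
        return m.containsKey(new ValueKey("user-42"));
    }

    public static void main(String[] args) {
        System.out.println("IdentityKey lookup with a new instance succeeds: " + identityKeyLookupSucceeds());
        System.out.println("ValueKey lookup with a new instance succeeds:    " + valueKeyLookupSucceeds());
    }
}
```

Keeping the field final matters too: if a key's fields change after insertion, its hashCode() changes and the entry is no longer reachable through the map.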
3) What is the difference between ConcurrentMap and SynchronizedMap?
Hashtable locks the object, while ConcurrentHashMap locks only the bucket.
Resource Link: https://stackoverflow.com/a/17776425/2293534
ConcurrentHashMap:
=================
1. use ConcurrentHashMap. It allows concurrent modification of the Map from several threads without the need to block them.
2. Use this, if performance is critical, and each thread only inserts data to the map, with reads happening less frequently.
Collections.synchronizedMap(map)
========
1. Collections.synchronizedMap(Map) uses very simple synchronization, which means that only one thread can access the map at the same time.
2. It creates a blocking Map, which will degrade performance, albeit ensuring consistency (if used properly).
3. Use this if you need to ensure data consistency, and each thread needs to have an up-to-date view of the map.
Resource Link: https://stackoverflow.com/questions/510632/whats-the-difference-between-concurrenthashmap-and-collections-synchronizedmap
The main difference between these two is that ConcurrentHashMap will lock only the portion of the data which is being updated while other portions of the data can be accessed by other threads. However, Collections.synchronizedMap() will lock all the data while updating; other threads can only access the data when the lock is released. If there are many update operations and a relatively small number of read operations, you should choose ConcurrentHashMap.
Also one other difference is that ConcurrentHashMap will not preserve the order of elements in the Map passed in. It is similar to HashMap when storing data. There is no guarantee that the element order is preserved. While Collections.synchronizedMap() will preserve the elements order of the Map passed in. For example, if you pass a TreeMap to ConcurrentHashMap, the elements order in the ConcurrentHashMap may not be the same as the order in the TreeMap, but Collections.synchronizedMap() will preserve the order.
Furthermore, ConcurrentHashMap can guarantee that there is no ConcurrentModificationException thrown while one thread is updating the map and another thread is traversing the iterator obtained from the map. However, Collections.synchronizedMap() is not guaranteed on this.
Resource Link: https://stackoverflow.com/a/26958843/2293534
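As an added example (not from the answers quoted above), the class below reproduces the two differences just described in a single thread: a structural modification during iteration throws ConcurrentModificationException for a synchronizedMap but not for a ConcurrentHashMap, and a synchronizedMap view keeps the order of the TreeMap it wraps while a ConcurrentHashMap copy does not have to. The sample entries are constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.ConcurrentModificationException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not from the original answers: ConcurrentHashMap vs
// Collections.synchronizedMap under modification-during-iteration and ordering.
public class MapIterationDemo {

    /** Fills a map with three constructed entries and returns it. */
    private static Map<String, Integer> seed(Map<String, Integer> m) {
        m.put("charlie", 3);
        m.put("alpha", 1);
        m.put("bravo", 2);
        return m;
    }

    /**
     * Iterates over the map and inserts a new key on every visit. Returns true if the
     * iteration completed, false if the iterator was fail-fast and threw
     * ConcurrentModificationException after the first structural modification.
     */
    public static boolean survivesModificationDuringIteration(Map<String, Integer> m) {
        try {
            for (String key : m.keySet()) {
                m.put("extra", 0);   // structural modification on the first pass
            }
            return true;
        } catch (ConcurrentModificationException e) {
            return false;
        }
    }

    /** Returns the keys in the order the map's iterator yields them. */
    public static List<String> keyOrder(Map<String, Integer> m) {
        return new ArrayList<>(m.keySet());
    }

    public static void main(String[] args) {
        Map<String, Integer> sync = Collections.synchronizedMap(seed(new HashMap<>()));
        Map<String, Integer> concurrent = seed(new ConcurrentHashMap<>());
        System.out.println("synchronizedMap survives:   " + survivesModificationDuringIteration(sync));
        System.out.println("ConcurrentHashMap survives: " + survivesModificationDuringIteration(concurrent));

        // Ordering: the synchronizedMap is a view over the TreeMap, so sorted order is kept;
        // new ConcurrentHashMap(treeMap) copies the entries into its own hash table.
        TreeMap<String, Integer> sorted = new TreeMap<>(seed(new HashMap<>()));
        System.out.println("synchronizedMap(TreeMap) order:   " + keyOrder(Collections.synchronizedMap(sorted)));
        System.out.println("ConcurrentHashMap(TreeMap) order: " + keyOrder(new ConcurrentHashMap<>(sorted)));

        // Iterating a synchronizedMap while other threads may write requires holding its
        // lock for the whole traversal; ConcurrentHashMap needs no such external lock.
        int total = 0;
        synchronized (sync) {
            for (Map.Entry<String, Integer> e : sync.entrySet()) {
                total += e.getValue();
            }
        }
        System.out.println("sum under the map's lock: " + total);
    }
}
```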