Monday, February 29, 2016

Algorithm Study

API Development and Study


  1. http://developer.nytimes.com/docs/read/article_search_api_v2
  2. http://stackoverflow.com/questions/7238094/securing-rest-api-without-reinventing-the-wheel
  3. http://stackoverflow.com/questions/853620/secure-web-services-rest-over-https-vs-soap-ws-security-which-is-better?rq=1
  4. http://stackoverflow.com/questions/942951/rest-api-error-return-good-practices?rq=1
  5. https://en.wikipedia.org/wiki/Replay_attack
  6. http://stackoverflow.com/questions/1418114/questions-on-proper-rest-design
  7. http://stackoverflow.com/questions/292732/self-signed-ssl-cert-or-ca
  8. http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service?rq=1
  9. http://stackoverflow.com/questions/319530/restful-authentication?lq=1
  10. http://security.stackexchange.com/questions/115100/securities-concerns-about-calling-rest-api-from-multiple-servers
  11. https://www.schneier.com/blog/archives/2012/10/sony_playstatio.html
  12. http://madhatted.com/2013/3/19/suggested-rest-api-practices
  13. http://stackoverflow.com/questions/20951419/what-are-best-practices-for-rest-nested-resources
  14. http://docs.oracle.com/middleware/1213/wls/RESTF/secure-restful-service.htm#RESTF284

Indexing: an index lets the planner avoid scanning every row, which is the first thing to check when tuning SQL performance. The PostgreSQL example below shows the effect on a spatial join.

Tables a and b are identical, contain 1000 rows each, and have a column b of type BOX.
select * from a cross join b where (a.b && b.b)     --- 0.28 s
Here 1,000,000 box overlap (operator &&) tests are completed in 0.28 s. The test data set is generated so that the result set contains only 1000 rows.
create index a_b on a using gist(b);
create index b_b on b using gist(b);
select * from a cross join b where (a.b && b.b)     --- 0.01 s
Here the GiST index is used to optimize the cross join, and the same query runs roughly 28 times faster. (Note that the second index must be created on table b; creating both indexes on a would leave b unindexed.)

Wednesday, February 24, 2016

log4javascript quick start tutorial

Three step guide

  1. Download the code

    Unzip the distribution and copy log4javascript.js into the desired location. No other files are necessary.
  2. Initialize log4javascript in your web page

    Include log4javascript.js in your page using the code below. This code assumes log4javascript is stored in the same directory as your web page.
    <script type="text/javascript" src="log4javascript.js"></script>
    <script type="text/javascript">
     var log = log4javascript.getDefaultLogger();
    </script>
    
    The default logger uses a PopUpAppender which opens a pop-up window. By default, this window will open when the first log message is written. For this to work, you will need to disable any pop-up blockers you may have.
  3. Include logging statements in your code

    You have six logging methods at your disposal, depending on the severity of the message you wish to log. By default, all messages are logged in the pop-up window. The logging methods are:
    • log.trace(message[, message2, ... ][, exception])
    • log.debug(message[, message2, ... ][, exception])
    • log.info(message[, message2, ... ][, exception])
    • log.warn(message[, message2, ... ][, exception])
    • log.error(message[, message2, ... ][, exception])
    • log.fatal(message[, message2, ... ][, exception])
    And that's it, log away. Below are some examples of common types of logging.

Logging examples

  1. A simple logging message string

     log.info("Hello world");
    
    displays
    19:52:03 INFO  - Hello world
    
  2. Logging an error with a message

     try {
      throw new Error("Faking something going wrong!");
     } catch (e) {
      log.error("An error occurred", e);
     }
    
    displays
    19:52:32 ERROR - An error occurred
    Exception: Faking something going wrong! on line number 80 in file basic.html
    
  3. Logging multiple messages with one logging call

     var a = "Hello";
     var b = 3;
     log.debug(a, b);
    
    displays
    19:53:05 DEBUG  - Hello 3
    
  4. Logging an object

    Logging an object:
     var obj = new Object();
     obj.name = "Octopus";
     obj.tentacles = 8;
     log.info(obj);
    
    displays
    19:53:17 INFO  - {
     name: Octopus,
     tentacles: 8
    }
    

Tweaking the default logger

The default logger is fine as a starting point, but what if you want the default logger with a few different options (say, bringing the pop-up to the front whenever a log message is logged, or having new log messages appear at the top of the pop-up rather than the bottom)?
In this case, you will need to create a new logger, then create a PopUpAppender, set options on it, and add it to the logger:
<script type="text/javascript" src="log4javascript.js"></script>
<script type="text/javascript">
 // Create the logger
 var log = log4javascript.getLogger();

 // Create a PopUpAppender with default options
 var popUpAppender = new log4javascript.PopUpAppender();

 // Change the desired configuration options
 popUpAppender.setFocusPopUp(true);
 popUpAppender.setNewestMessageAtTop(true);

 // Add the appender to the logger
 log.addAppender(popUpAppender);

 // Test the logger
 log.debug("Hello world!");
</script>
Refer to the manual for more information about configuring appenders and more details about PopUpAppender.

Sending log messages to the server

For this you will need to use an AjaxAppender as follows:
 var ajaxAppender = new log4javascript.AjaxAppender(URL);
 log.addAppender(ajaxAppender);
Now your log messages will appear in the pop-up window and will also be sent asynchronously to the URL you specify, in the form of HTTP POST parameters. No server-side code to process these requests is provided with log4javascript. Keep in mind that everything logged through this appender leaves the browser, including any objects or exceptions you pass to the logging methods, so do not log credentials, session tokens or personal data, and treat the receiving endpoint as one that accepts untrusted, client-controlled input: validate, rate-limit and store what it receives accordingly.
See AjaxAppender for more details on formatting log messages.

Changing the format of log messages

Using a Layout, you can format log messages however you like. For example:
 var log = log4javascript.getLogger("mylogger");
 var popUpAppender = new log4javascript.PopUpAppender();
 var layout = new log4javascript.PatternLayout("[%-5p] %m");
 popUpAppender.setLayout(layout);
A call to
 log.debug("Hello world");
will now result in output in the pop-up window of
[DEBUG] Hello world
See PatternLayout for more details on formatting log messages.

Mail Sending procedure using struts2

1. To send mail from a Gmail account over SMTP with a plain username and password, the account's "less secure apps" setting has to be enabled at the link below.
https://www.google.com/settings/security/lesssecureapps

Google's own notice on that page spells out the trade-off: "You can switch to an app made by Google such as Gmail to access your account (recommended) or change your settings at https://www.google.com/settings/security/lesssecureapps so that your account is no longer protected by modern security standards." In other words, enabling the setting weakens the account, so use a dedicated sending account rather than a personal one.


2. Struts.xml:
<!-- SMTP configuration -->
<param name="host">smtp.gmail.com</param>
<param name="port">465</param>
<param name="userName">your.account@gmail.com</param>
<param name="password">your-smtp-password</param>
<!-- End of SMTP configuration -->
The userName and password values above are placeholders. struts.xml is normally committed to version control and packaged into the WAR, so a real credential written here ends up in the repository history and on every server that deploys the application. Keep the password out of the file (for example, read it from an environment variable or from an external properties file that is not checked in), and rotate any password that has ever been committed.


3. EmailUtility.java:
Properties props = new Properties();
props.put("mail.smtp.host", host);   // smtp.gmail.com
props.put("mail.smtp.port", port);   // 465
props.put("mail.smtp.auth", "true");
// Port 465 is implicit TLS (SMTPS): the socket is TLS from the first byte.
// mail.smtp.ssl.enable turns that on. The older equivalent is to set
// mail.smtp.socketFactory.class=javax.net.ssl.SSLSocketFactory together with
// mail.smtp.socketFactory.port=465 and mail.smtp.socketFactory.fallback=false.
props.put("mail.smtp.ssl.enable", "true");
// Verify that the server certificate matches the host name. Older JavaMail
// releases default this to false, which lets a man-in-the-middle present any
// valid certificate.
props.put("mail.smtp.ssl.checkserveridentity", "true");
// mail.smtp.starttls.enable is for port 587 (a plaintext connection upgraded
// with STARTTLS); it does nothing useful on 465 and is left out here.
// JavaMail does not take the password from properties: userName and password
// from struts.xml are handed to a javax.mail.Authenticator when the Session is
// created. mail.smtp.user only supplies the default user name.
props.put("mail.smtp.user", userName);
// mail.debug prints the whole SMTP dialogue to stdout (and, depending on the
// JavaMail version and mail.debug.auth, the AUTH credentials). Keep it off
// outside local debugging.
props.put("mail.debug", "false");
Port 465 is SMTPS (implicit TLS), which is why the port is 465 throughout. If you use port 587 instead, drop mail.smtp.ssl.enable and set mail.smtp.starttls.enable=true and mail.smtp.starttls.required=true, so the session is upgraded to TLS before the credentials are sent.
4. Links:
http://www.codejava.net/frameworks/struts/send-e-mail-with-attachments-in-struts2?showall=&start=4
5. http://www.codejava.net/attachments/article/221/Struts2EmailApp.zip


6. Error: org.xml.sax.SAXParseException: The entity name must immediately follow the '&' in the entity reference.

This happens when a value in struts.xml contains a bare &, for example a password such as p@ss(*&word. In XML text an ampersand starts an entity reference, so the parser expects an entity name after it and fails on anything else. Any such character has to be escaped when it is written into XML (and, as noted above, a credential is better kept out of the file altogether).

Characters that must be escaped in XML text:
  1. ampersand (&) is escaped to &amp;
  2. double quotes (") are escaped to &quot;
  3. single quotes (') are escaped to &apos;
  4. less than (<) is escaped to &lt;
  5. greater than (>) is conventionally escaped to &gt; (required only inside the sequence ]]>)
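The escaping rules above, applied to a Struts-style <param> element. This is an added example, not code from the original post or from Struts; it uses Python's standard library to show the parse error an unescaped & produces and the escaped form that round-trips cleanly. The password string is a constructed sample, not a real credential.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Entities beyond the three (& < >) that saxutils.escape handles by default.
QUOTE_ENTITIES = {'"': "&quot;", "'": "&apos;"}


def escape_for_xml(value: str) -> str:
    """Escape a string so it can sit inside XML text or an attribute value."""
    # escape() replaces & first, then < and >, then the extra entities, so the
    # & introduced by &quot; / &apos; is not itself escaped again.
    return escape(value, QUOTE_ENTITIES)


def param_element(name: str, value: str) -> str:
    """Render a Struts-style <param name="...">value</param> element safely."""
    return '<param name="%s">%s</param>' % (escape_for_xml(name), escape_for_xml(value))


def parse_param_value(xml_text: str):
    """Parse one <param> element and return its text, or None if the XML is malformed.

    Python's expat parser reports the bare-& case as a ParseError; Xerces
    (used by Struts) reports the same defect as the SAXParseException above."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    # Constructed sample value containing the troublesome characters.
    raw = 'p@ss(*&w<"rd'
    broken = '<param name="password">%s</param>' % raw   # written raw, as in the post
    fixed = param_element("password", raw)
    print("unescaped parses to:", parse_param_value(broken))  # None: parse error
    print("escaped element:    ", fixed)
    print("round-trips to:     ", parse_param_value(fixed))   # the original value
```

escape_for_xml() is the right tool for any value that has to be placed in XML; hand-editing entities into a config file works once, but the next person to paste a password with a & in it will hit the same SAXParseException.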

SQL Injection and how to prevent it? Hibernate/JPA/SQL

SQL Injection
1.      Prepared Statement and Callable Statement:
A PreparedStatement represents a precompiled SQL statement that can be executed multiple times without having to recompile for every execution.
Secure Code:
PreparedStatement stmt = connection.prepareStatement("SELECT * FROM users WHERE userid=? AND password=?");
stmt.setString(1, userid);
stmt.setString(2, password);
ResultSet rs = stmt.executeQuery();

Why is this code secure?
Ans: This code is not vulnerable to SQL injection because it uses a parameterized query. The SQL text with its bind variables (the question marks) is fixed when prepareStatement is called, and the userid and password values are supplied separately through setString, so whatever they contain can only ever be treated as data. (This makes the query safe from injection only; comparing a plaintext password inside the query is a separate problem, since passwords should be stored as salted hashes and verified in application code.)

Vulnerable Code 1:
// Example #1
String query = "SELECT * FROM users WHERE userid ='"+ userid + "'" + " AND password='" + password + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);

Why is this code vulnerable?
Ans: This code is vulnerable to SQL injection because it builds the query dynamically, concatenating untrusted data into the SQL text. Notice that it uses the Statement class instead of PreparedStatement, so there is no separation between code and data at all.

Vulnerable Code 2:
// Example #2
String query = "SELECT * FROM users WHERE userid ='"+ userid + "'" + " AND password='" + password + "'";
PreparedStatement stmt = connection.prepareStatement(query);
ResultSet rs = stmt.executeQuery();

Why is this code vulnerable?
Ans: This code is also vulnerable to SQL injection. Using PreparedStatement is not what makes a query safe: the query text is still assembled by string concatenation before it reaches prepareStatement, so the injected input is already part of the SQL by the time the statement is prepared.



2.      Hibernate:

How to Fix SQL Injection using Hibernate?

Hibernate facilitates the storage and retrieval of Java domain objects via Object/Relational Mapping (ORM). It is a very common misconception that ORM solutions like Hibernate are SQL injection proof. Hibernate allows the use of "native SQL" and defines its own query language, HQL (Hibernate Query Language); the former is prone to SQL injection and the latter to HQL (or ORM) injection.
This section illustrates which of the syntax Hibernate offers for defining SQL and HQL queries is preferable in terms of defence against SQL and/or HQL injection attacks.
Secure Usage:
Code-1:
/* Positional parameter in HQL */
Query hqlQuery = session.createQuery("from Orders as orders where orders.id = ?");
List results = hqlQuery.setString(0, "123-ADB-567-QTWYTFDL").list();

Code-2:
/* named parameter in HQL */
Query hqlQuery = session.createQuery("from Employees as emp where emp.incentive > :incentive");
List results = hqlQuery.setLong("incentive", new Long(10000)).list();

Code-3:
/* named parameter list in HQL */
List items = new ArrayList();
items.add("book"); items.add("clock"); items.add("ink");
List results = session.createQuery("from Cart as cart where cart.item in (:itemList)").setParameterList("itemList", items).list();

Code-4:
/* JavaBean in HQL */
Query hqlQuery = session.createQuery("from Books as books where books.name = :name and books.author = :author");
List results = hqlQuery.setProperties(javaBean).list();
// assumes javaBean has getName() & getAuthor() methods; the alias used in the query must match the one declared after "as".


Code-5:
/* Native-SQL */
Query sqlQuery = session.createSQLQuery("Select * from Books where author = ?");
List results = sqlQuery.setString(0, "Charles Dickens").list();

Why are the above 5 snippets secure?
Ans:
All of them use parameter binding. The query text handed to Hibernate is fixed, and the values reach the JDBC driver as bind parameters, separate from the SQL text (drivers that emulate prepared statements client-side escape the values instead); either way the input is used only as data.
Even if the values are unvalidated user input carrying a SQL or HQL payload, that payload is bound as a parameter value and is never parsed as part of the query.
Vulnerable Code:
List results = session.createQuery("from Orders as orders where orders.id = " + currentOrder.getId()).list();

List results = session.createSQLQuery("Select * from Books where author = " + book.getAuthor()).list();

Why is this code vulnerable?
Ans:
If the order id and author come from user input that has not been validated or escaped, the string concatenation puts that input straight into the query text, leaving the first query open to HQL (ORM) injection and the second, native-SQL query open to SQL injection.

3.      Java Persistence API(JPA):

How to Fix SQL Injection using the Java Persistence API (JPA) ?

Java Persistence API (JPA) is an ORM solution that is part of the Java EE framework. It helps manage relational data in applications that use Java SE and Java EE. It is a common misconception that ORM solutions like JPA are SQL injection proof. JPA allows the use of native SQL and defines its own query language, JPQL (Java Persistence Query Language). The former is prone to traditional SQL injection attacks and the latter to JPQL (or ORM) injection attacks.
This section illustrates which of the syntax JPA offers for defining SQL and JPQL queries is preferable in terms of defence against SQL and/or JPQL injection attacks.
Secure usage:
Code-1:
/* positional parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
List results = jpqlQuery.setParameter(1,"123-ADB-567-QTWYTFDL").getResultList();

Code-2:
/* named parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList();

Code-3:
/* named query in JPQL - Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
Query jpqlQuery = entityManager.createNamedQuery("myCart");
List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();

Code-4:
/* Native SQL */
Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();

Why are the above 4 snippets secure?
Ans:
All of them use parameter binding. The JPQL or SQL text is fixed, and the values reach the JDBC driver as bind parameters, separate from the query text (drivers that emulate prepared statements client-side escape the values instead); either way the input is used only as data.
Even if the values are unvalidated user input carrying a SQL or JPQL payload, that payload is bound as a parameter value and is never parsed as part of the query.
Vulnerable Code:
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();

List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();

int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();

Why is this code vulnerable?
Ans:
If orderId, author and itemId come from user input that has not been validated or escaped, the concatenation puts that input straight into the query text, leaving the first query open to JPQL (ORM) injection and the two native queries open to SQL injection. The last one is a DELETE, so injected input there can destroy data, not just read it.

You can also use PreparedStatement wrong, like this:
Code:
String strUserName = request.getParameter("Txt_UserName");
PreparedStatement prepStmt = con.prepareStatement("SELECT * FROM user WHERE userId = '" + strUserName + "'");

So be sure to use PreparedStatement WITH bind variables for ALL user-supplied values:
Code:
String selectStatement = "SELECT * FROM User WHERE userId = ?";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
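The difference between the vulnerable and secure JDBC snippets above (Vulnerable Code 1 and 2, the misused PreparedStatement, and the correctly bound query) is easiest to see with a database in hand. This added example, not code from the original post, reproduces both patterns in Python against an in-memory SQLite table so that it runs offline; the users table and the credentials in it are constructed sample data. The same two payloads work unchanged against the Hibernate and JPA concatenation examples, because the mistake is the same: the input becomes part of the query text.

```python
import sqlite3

# Constructed sample table; not from the page.
USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory users table like the one the page's queries read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, userid: str, password: str):
    """Mirror of the page's Vulnerable Code 1/2: the SQL text is assembled by
    concatenation, so quotes in the input change the structure of the query.
    Passing the finished string to execute() with no bind parameters is the
    same mistake as handing it to prepareStatement()."""
    query = ("SELECT userid FROM users WHERE userid='" + userid +
             "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_secure(conn, userid: str, password: str):
    """Mirror of the page's Secure Code: fixed SQL text with ? placeholders; the
    values travel to the database as bind parameters and are only ever data."""
    row = conn.execute(
        "SELECT userid FROM users WHERE userid=? AND password=?",
        (userid, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads: the first closes the quoted string and comments out the
# password check, the second makes the WHERE clause true for every row.
COMMENT_OUT = "alice'--"
ALWAYS_TRUE = "' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    for fn in (login_vulnerable, login_secure):
        print(fn.__name__)
        print("  valid credentials         ->", fn(conn, "alice", "correct-horse"))
        print("  userid alice'-- , no pw   ->", fn(conn, COMMENT_OUT, "x"))
        print("  password ' OR '1'='1      ->", fn(conn, "nobody", ALWAYS_TRUE))
```

With the concatenated query, "alice'--" logs in as alice without a password and "' OR '1'='1" logs in as the first user in the table; with bind parameters both payloads are simply user ids and passwords that match nothing.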


Tuesday, February 23, 2016

Learning and Coding Area

1. Github -- Coding
2. Online problem solving rating (https://codility.com/, https://www.hackerrank.com/domains, Codechef, ACM etc.)
3. StackOverflow.com
4. Linkedin.com
5. Youtube Video Channel

Wednesday, February 17, 2016

What is the Law of Demeter?

When passing parameters to a method: if I need only one field of an object, I pass just that field, not the whole object. Passing the whole object so that the method can dig the field out of it is a violation of the Law of Demeter.

Never break the Law of Demeter (LoD)
Breaking the Law of Demeter is like looking for a needle in a haystack

class Mechanic {
       Engine engine;

       // Violation: the constructor asks for a Context only to reach through it for the Engine.
       // Asking for the Engine directly (Mechanic(Engine engine)) removes the dependency on Context.
       Mechanic(Context context) {
              this.engine = context.getEngine();
       }
}

A given object should assume as little as possible about the structure or properties of anything else (including its sub-components)


The Mechanic does not care about the Context. You can tell because Mechanic does not store a reference to Context; instead it traverses the Context to find what it really needs, the Engine. That hurts testability:

1. To write a test, I have to create a Context just so that when I construct the Mechanic it can reach into the Context and get what it really needs, the Engine. A Context is rarely something that is easy to create.
2. Today we have tools such as JMock and EasyMock, so surely we can mock out the Context. Yes, you can, BUT a typical mock setup is about 5 lines of code, so the test fills up with junk that masks its real purpose.
3. Such tests are fragile: every time you refactor something in Context, or how Context is used, you run the risk of breaking them.
4. What if you want to test a class Shop that needs a reference to Mechanic? Then you have to mock out Context all over again.

What is the single responsibility principle?

Single Responsibility Principle:

A class should have one responsibility and play only that role in the architecture. For example, a DAO class handles persistence and should not contain any business logic.

If a class mixes responsibilities, that is a violation of the single responsibility principle.

Monday, February 15, 2016

Some Interview Questions

Most important questions were as follows:
1) Difference between == and equals()

2) What are the requirements for an object to be used as a key in a HashMap?

3) What is the difference between ConcurrentMap and SynchronizedMap?

4) What is the difference between HashMap and TreeMap?

5) Which collection should you use if you need to do frequent delete/insert operations?

6) Which collection should you use if you need faster get operations?

7) How did you handle security in Spring?

8) How did you handle dynamic queries in MyBatis?

9) What is the difference between a REST app and a REST web service?

10) How did you handle transactions in your project?

11) How did you handle a composite primary key in Hibernate?

12) How did you handle a many-to-many relationship in Hibernate?

13) What collections are available in the Hibernate framework?

14) How did you handle optimistic locking in Hibernate?

Question:

What is the requirements for a object to be used as a key on hashmap?

Ans: 


You need to override the equals() and hashCode() methods of any class whose objects you want to use as keys in a HashMap. This is required because HashMap uses these two methods to locate stored values: hashCode() selects the bucket and equals() picks the matching entry within it. Read the implementation of HashMap for the details; it clears the doubt completely.


When a class does not override the equals() or hashCode() methods, the default implementations found on the Object class are used instead. In particular, equals() simply does a check for reference equality.
That immediately explains why your approach isn't working: the new Key object clearly isn't referring to the old Key object.
If you'd like to be able to specify a new instance with the same property, then you should override the equals() method with an implementation that meets your criteria for key equality. You should override hashCode() as well, to have full control over the key comparison process.

Resource Link:

  1. https://www.quora.com/What-two-methods-do-you-need-to-implement-a-key-object-in-HashMap
  2. https://stackoverflow.com/a/9440415/2293534
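The contract the answer describes (equal keys must be equal under equals() and produce the same hashCode(), and a key must not change after insertion) is the same one Python's dict imposes on __eq__ and __hash__. This added example, not code from the page or the linked answers, uses Python to show each failure mode: identity-only keys that cannot be found again, a mutated key that is lost, and the equals-without-hashCode half-override. The class and key names are made up for the illustration.

```python
class IdentityKey:
    """No __eq__/__hash__: like a Java class that inherits Object.equals() and
    Object.hashCode(), two instances with the same name are different keys."""
    def __init__(self, name):
        self.name = name


class ValueKey:
    """Overrides both, the way a HashMap key class should override equals()
    and hashCode(): equal names mean equal keys and equal hashes."""
    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        return isinstance(other, ValueKey) and self.name == other.name

    def __hash__(self):
        return hash(self.name)


class EqOnlyKey:
    """Overrides equality but not the hash, the Java equals()-without-hashCode()
    mistake. Python refuses to hash such an object at all; Java compiles it and
    the lookup silently misses."""
    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        return isinstance(other, EqOnlyKey) and self.name == other.name


def lookup_with(key_cls):
    """Store under one instance, then look up with a fresh instance of the same name."""
    table = {key_cls("octopus"): 8}
    return table.get(key_cls("octopus"))


def lookup_after_mutation():
    """A key whose hash changes after insertion is lost: the entry sits in the
    bucket for the old hash, but equality is now checked against the new name.
    This is why HashMap keys should be immutable."""
    key = ValueKey("octopus")
    table = {key: 8}
    key.name = "squid"
    return table.get(ValueKey("octopus")), table.get(ValueKey("squid"))


def eq_only_is_hashable():
    """Report whether an EqOnlyKey can be used as a dict key at all."""
    try:
        hash(EqOnlyKey("octopus"))
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    print("identity key lookup :", lookup_with(IdentityKey))   # None
    print("value key lookup    :", lookup_with(ValueKey))      # 8
    print("after mutating key  :", lookup_after_mutation())    # (None, None)
    print("eq-only key hashable:", eq_only_is_hashable())      # False
```

The lookup_after_mutation() case is the one that bites in practice: the entry is still in the map (size is unchanged) but no key, old or new, will find it.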

3) What is the difference between ConcurrentMap and SynchronizedMap?
---
╔═══════════════╦═══════════════════╦═══════════════════╦═════════════════════╗
║   Property    ║     HashMap       ║    Hashtable      ║  ConcurrentHashMap  ║
╠═══════════════╬═══════════════════╬═══════════════════╩═════════════════════╣ 
║      Null     ║     allowed       ║              not allowed                ║
║  values/keys  ║                   ║                                         ║
╠═══════════════╬═══════════════════╬═════════════════════════════════════════╣
║Is thread-safe ║       no          ║                  yes                    ║
╠═══════════════╬═══════════════════╬═══════════════════╦═════════════════════╣
║     Lock      ║       not         ║ locks the whole   ║ locks the portion   ║        
║  mechanism    ║    applicable     ║       map         ║                     ║ 
╠═══════════════╬═══════════════════╩═══════════════════╬═════════════════════╣
║   Iterator    ║               fail-fast               ║       fail-safe     ║ 
╚═══════════════╩═══════════════════════════════════════╩═════════════════════╝


Hashtable locks the object, while ConcurrentHashMap locks only the bucket.


ConcurrentHashMap:
=================
1. Use ConcurrentHashMap when several threads need to modify the map concurrently: reads do not block, and writers only contend for the segment or bucket they touch.
2. Use it if performance is critical and each thread mostly inserts data into the map, with reads happening less frequently.

Collections.synchronizedMap(map)
========
1. Collections.synchronizedMap(Map) - they use very simple synchronization, which means that only one thread can access the map at the same time.
2. As it creates a blocking Map which will degrade performance, albeit ensure consistency (if used properly).
3. Use this if you need to ensure data consistency, and each thread needs to have an up-to-date view of the map.

Resource Link: https://stackoverflow.com/questions/510632/whats-the-difference-between-concurrenthashmap-and-collections-synchronizedmap

The main difference between these two is that ConcurrentHashMap will lock only portion of the data which are being updated while other portion of data can be accessed by other threads. However, Collections.synchronizedMap() will lock all the data while updating, other threads can only access the data when the lock is released. If there are many update operations and relative small amount of read operations, you should choose ConcurrentHashMap.

Also one other difference is that ConcurrentHashMap will not preserve the order of elements in the Map passed in. It is similar to HashMap when storing data. There is no guarantee that the element order is preserved. While Collections.synchronizedMap() will preserve the elements order of the Map passed in. For example, if you pass a TreeMap to ConcurrentHashMap, the elements order in the ConcurrentHashMap may not be the same as the order in the TreeMap, but Collections.synchronizedMap() will preserve the order.

Furthermore, ConcurrentHashMap guarantees that no ConcurrentModificationException is thrown while one thread updates the map and another traverses an iterator obtained from it (the iterator is weakly consistent: it may or may not reflect the concurrent update). Collections.synchronizedMap() gives no such guarantee: its iterators are not synchronized, so unless you manually synchronize on the wrapper for the whole traversal, a concurrent modification can throw ConcurrentModificationException.