Random thoughts on Java, AJAX, Databases, REST, GWT, HTTP4e.

Every now and then I need to use the Velocity templating engine. And the first thing I always experience is that nasty failure:

SEVERE: ResourceManager : unable to find resource 'template.vm'
 in any resource loader.
Exception in thread "main"
org.apache.velocity.exception.ResourceNotFoundException:
 Unable to find resource 'template.vm'
...

Velocity is so picky and always complains about the .VM template not being found. And I always start fiddling around, making sure the file name is correct, making sure the VM file is in the right file location or class path location, and yet the same cruel error ResourceNotFoundException comes back…

The answer for “properly” configuring Velocity and making it happy is below:

import java.util.Properties;
import org.apache.velocity.Template;
import org.apache.velocity.app.VelocityEngine;

Properties p = new Properties();

// Enable exactly one of the two loader blocks below; with both left
// commented out the default loader is used and the same error comes back.

// Uncomment if template.vm is being loaded from the file system
//p.setProperty( "resource.loader", "file" );
// absolute or relative path
//p.setProperty( "file.resource.loader.path", "./src" );
//p.setProperty( "file.resource.loader.class",
//   "org.apache.velocity.runtime.resource.loader.FileResourceLoader" );

// Uncomment if "template.vm" is being loaded from the class path, a jar, a zip, ...
//p.setProperty( "resource.loader", "class" );
//p.setProperty( "class.resource.loader.class",
//   "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader" );

VelocityEngine ve = new VelocityEngine();
ve.init(p);
Template t = ve.getTemplate("template.vm");

All said, I am not sure why the Velocity team designed it in such a strict way. Instead, the engine should be smart enough to find the template directly from the class path location or the file resource. Why so difficult?

One year ago I was involved with Selenium as part of a web automated testing project. I discovered multiple limitations with the Selenium framework, mainly with its integration with the existing CruiseControl architecture. Having some time lately, I explored the idea of Selenium4j, a framework translating Selenium HTML scripts to Java JUnit tests. I hosted the project at

http://code.google.com/p/selenium4j/

Problems with Selenium IDE HTML tests

  • While Selenium IDE is a great tool for creating HTML tests, the HTML scripts are not Java tests and as such are not usable outside of the Selenium IDE environment
  • Using the IDE to create the Java JUnit test works one way only – from HTML to Java. Re-using the Java test within Selenium IDE proved to be unreliable and buggy
  • Using Selenium RC to invoke the HTML files is not a practical solution as it allows only a limited configuration such as the browser, the server and a single suite, e.g.
java -jar selenium-server.jar -multiwindow -htmlSuite "*iexplore"
"https://www.website.com" "C:\suite.html" "C:\results.html"

Motivation for Selenium4j

In reality we would like to:
  • Reuse the Selenium HTML suites for regression testing
  • Integrate them within an automated environment (think CruiseControl, for instance)
  • Make the Selenium HTML tests configurable

WebDriver (Selenium2) solution?

Looking into WebDriver, there is no analog of the Selenium IDE. The IDE is an amazing tool for recording the user clicks and it would be great if WebDriver solved the HTML automation integration. It seems that the latest version of the IDE (1.0.5 as of writing) provides better support for the new Selenium2 API. Yet, the problem with HTML test integration is still on the table. As long as you record your script and export it to HTML, you are on your own. You need to manually use the IDE to translate the HTML scripts to the desired language (Java in my case), then you need to copy the source, paste it into your Eclipse/Netbeans, make sure it compiles and configure it properly. In other words, it’s not fun. WebDriver should provide a solution that simplifies that process, and at the end the recorded Selenium IDE script should be seamlessly integrated within an automated environment. In that context, Selenium4j is an example of how HTML could be easily translated to Java JUnit sources.

How does Selenium4j work?

In short, Selenium4j translates the HTML tests to Java JUnit tests. It iterates through the HTML suite and tests, digests them and discovers their Selenium commands. Each command is subsequently transformed to a Java JUnit method. At the end of the transformation the HTML scripts have been translated to Java JUnit sources following the same directory (package) structure as the suite and tests. In addition, Selenium4j has suite setup/teardown utilities as well as external configuration.
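
As an added example (not Selenium4j's own code), here is a Python sketch of that translation: it parses the three-column Selenese table of a constructed sample script and emits Selenium RC/JUnit Java calls. The command mapping (selenium.open, selenium.type, click followed by waitForPageToLoad for *AndWait, assertTrue(selenium.is...Present) for verify...Present) is my assumption of what such a translator does, and every cell is escaped before it becomes a Java string literal, because the script content ends up as compiled source.

```python
from html.parser import HTMLParser

# Constructed sample Selenium IDE (Selenese) test table, not a script from the post.
SAMPLE_HTML = """<table><tbody>
<tr><td>open</td><td>/login</td><td></td></tr>
<tr><td>type</td><td>id=user</td><td>alice "the" tester</td></tr>
<tr><td>clickAndWait</td><td>css=button[type=submit]</td><td></td></tr>
<tr><td>verifyTextPresent</td><td>Welcome</td><td></td></tr>
</tbody></table>"""

class SeleneseParser(HTMLParser):
    """Collects (command, target, value) triples from the three-column rows."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = ""
    def handle_data(self, data):
        if self._cell is not None:
            self._cell += data
    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append(self._cell.strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if len(self._row) == 3:
                self.rows.append(tuple(self._row))
            self._row = None

def java_str(s):
    # Escape first: untrusted cell text is about to become a Java literal
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_java(command, target, value):
    """Map one Selenese row onto Selenium RC Java calls (assumed mapping)."""
    if command.endswith("AndWait"):
        return to_java(command[:-7], target, value) + ' selenium.waitForPageToLoad("30000");'
    if command.startswith("verify") and command.endswith("Present"):
        return f"assertTrue(selenium.is{command[6:]}({java_str(target)}));"
    args = [java_str(target)] + ([java_str(value)] if value else [])
    return f"selenium.{command}({', '.join(args)});"

def translate(html, test_name):
    """Turn a whole Selenese table into one JUnit test method."""
    parser = SeleneseParser()
    parser.feed(html)
    body = "\n".join("        " + to_java(*row) for row in parser.rows)
    return f"    @Test\n    public void {test_name}() throws Exception {{\n{body}\n    }}"
```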

Once again, for all the sources and ideas refer to http://code.google.com/p/selenium4j/

Have fun and lazy automated web regression testing!

The Spirals Algorithm Applet

Interesting. I built a few Mathematics Applets 10 years ago. Yet, I can still discover their links on the internet. I’ve just found my Spirals Applet being featured at comPADRE – a Physics and Astronomy community site.

The applet is at http://www.roussev.org/applets/spiral/spiral.html.

And the Spirals Algorithm is as simple as:

import java.applet.Applet;
import java.awt.Color;
import java.awt.Graphics;

public class HelloSpirals extends Applet {
   int max = 100;
   int centerPosition = 150;
   double angle = 22 / (double) 128;

   public void paint( Graphics g){
      setBackground(Color.black);
      g.setColor(Color.red);

      for (int i = 0; i < max; i++) {
         int[] coordEnd = getCoordinates(i);
         int[] coordStart = getCoordinates(i - 1);
         g.drawLine(centerPosition + coordStart[0],
                         centerPosition + coordStart[1],
                         centerPosition + coordEnd[0],
                         centerPosition + coordEnd[1]);
      }
   }

   private double getAngle( int inx){
      return (inx - 1) * angle;
   }

   private int[] getCoordinates( int inx){
      double angle = getAngle(inx - 1);
      int x = (int) Math.round(inx * Math.cos(angle));
      int y = (int) Math.round(inx * Math.sin(angle));

      return new int[] { x, y };
   }
}

Jump start J2EE Maven EJB3 project

Looking for a Maven2 EJB3 ready to run project? I came across this post. I gathered all the good ideas and grouped them together in ejb3-maven Google Code project.

https://code.google.com/p/ejb3-maven/

The project consists of three sub-projects - ejb, war and ear.

The changes I’ve made:

  • Replaced hsqldb with MySQL, featuring out-of-container JPA unit testing.
  • Replaced TestNG with JUnit4
  • Encapsulated the repeatable CRUD methods in an abstract BaseDAO supertype (code below)
  • Fixed the ejb-api not-found Maven dependency discovery by adding additional repository (ejb-api is not available at default http://download.java.net/maven/2/ so I supplement with additional jboss repository http://repository.jboss.com/maven2/).
  • Provided sample JNDI utilities helping with session bean discovery

All said, I am looking forward to a complete Rails-like solution whereby, simply by providing the table names, the framework will generate all the ADO classes (in our case JPA DAO classes and entities). Probably this will be my next challenge …

And the sample BaseDao implementation is:

import java.io.Serializable;
import java.util.List;

import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;

public interface BaseDao<E extends Indexable> {

	/**
	 * Dependency injection setter method.
	 * The method should be used in unit testing
	 * during out-of-container DI injection.
	 */
	void setEntityManager(EntityManager em);

	/**
	 * Persists an instance of this new entity to the database.
	 */
	E create(E entity);

	/**
	 * Returns a database entity using the given primary key ID.
	 */
	E read(Serializable id);

	/**
	 * Saves changes made to an entity.
	 */
	E update(E entity);

	/**
	 * Deletes an entity.
	 */
	void delete(E entity);

	/**
	 * Returns all entities of type E. Probably this
	 * would work best with JPA Criteria.
	 */
	List<E> list();

	/**
	 * Returns the entity type E handled by the current
	 * DAO implementation.
	 */
	Class<E> getType();
}

interface Indexable {
	/**
	 * @return the primary key id
	 */
	Long getId();

	/**
	 * @param id  the primary key id to set
	 */
	void setId(Long id);
}

/**
 * Abstract because getType() is left to the concrete DAO for each entity.
 */
abstract class BaseDaoImp<E extends Indexable> implements BaseDao<E> {

	/**
	 * The JPA entity manager to be used from all derived DAO classes
	 */
	@PersistenceContext(unitName = Globals.JTA_PERSISTENT_UNIT)
	protected EntityManager em;

	/**
	 * The SessionContext to be used from all derived DAO classes
	 */
	@Resource
	protected SessionContext sc;

	/**
	 * This method should be used only in an out-of-container environment,
	 * injecting a NON-"JTA" ("RESOURCE_LOCAL") EntityManager
	 */
	public void setEntityManager(EntityManager em) {
		this.em = em;
	}

	public final E create(E entity) {
		em.persist(entity);
		em.flush();
		return entity;
	}

	public final void delete(E entity) {
		em.remove(entity);
		em.flush();
	}

	public final E read(Serializable id) {
		return em.find(getType(), id);
	}

	public boolean exists(Serializable id) {
		return (null != read(id));
	}

	public E update(E entity) {
		// merge() returns the managed copy; hand that back rather than the
		// possibly detached argument so callers see the persisted state
		E managed = em.merge(entity);
		em.flush();
		return managed;
	}

	public List<E> list() {
		// The entity name comes from the DAO's own class, never from user
		// input, so building the JPQL string by concatenation is safe here
		Query qry = em.createQuery("select e from " +
				getType().getSimpleName() + " e");
		@SuppressWarnings("unchecked")
		List<E> result = qry.getResultList();
		return result;
	}
}

Vaadin – the Java web framework

I keep spreading the message. While Java gurus are still fighting those religious best-web-framework wars, there is a hidden winner already.

The best Java web framework award goes to … drumrolls … Finland.

Vaadin – when I saw it for the first time a few months back, I was shocked. That is what Java is meant to be – innovative, slick, sexy.

Remote Debugging with JBoss 6 and Eclipse

JBoss keeps changing their startup files and every time I end up looking for the right spot to attach my JPDA settings. Trying the latest and greatest JBoss version 6 I was caught by surprise again searching for the right .bat/.sh file. Damn you JBoss :)

So to activate JBoss 6 remote debugging:

1. Open ~jboss/bin/run.conf.bat

2. Uncomment the following line:
rem # Sample JPDA settings for remote socket debugging
set "JAVA_OPTS=%JAVA_OPTS% -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n"

3. Go to the jboss folder and fire it up.
~jboss6/run.sh

4. Pay attention: the following line should appear:
Listening for transport dt_socket at address: 8787
(A JDWP listener accepts unauthenticated connections and lets the attached debugger run arbitrary code in the JVM, so keep port 8787 reachable only from the developer's machine and never leave it enabled on a production server.)

5. Finally go back to Eclipse and attach the debug listener:
Eclipse / Run / Debug Configurations / Remote Java Application / New

I’ve always wondered why Java 5 was not consistent with the @Override annotation type. Today, after experiencing the compilation failure again, I dug further. The problem:

abstract class Rectangle {
   abstract double getArea();
}
// deriving from an abstract class: @Override compiles fine on Java 5
class Square extends Rectangle {
   double side = 2.0;

   @Override
   double getArea() {
      return side * side;
   }
}

interface Shape {
   double getArea();
}
// implementing an interface (a separate compilation unit from the Square above):
// Java 5 will complain about @Override with
// "method does not override a method from its superclass"
class Square implements Shape {
   double side = 2.0;

   @Override
   public double getArea() {   // public: interface methods are implicitly public
      return side * side;
   }
}

The Java 5 compiler complains about @Override being used when there is supposedly no such method in the parent: “method does not override a method from its superclass”. Well, the compiler is wrong, as there is such a method in the parent; it is just that the parent is a supertype declared by an interface rather than a superclass.

Luckily Java 6 recognized the issue and fixed it. Not sure why this has not been implemented in the first place.

REST Authentication

Recently I had to explain how I would design a REST Authentication. My humble thoughts:

Using Basic or Digest is naive.

1. The Basic token is plain Base64 text. To make it worse, you need to send the username and password each time as part of the HTTP packet, so any MitM attacker will be able to decode it.

2. The security aspect could be resolved by using Basic over SSL. Yet SSL has its performance drawbacks, and in your requirements SSL may not be an option.

3. Using Digest, taken as the secure option, resolves 1 and 2, yet it has disadvantages:
- The nonce is optional. Skipping the nonce in MD5(username:nonce:password) could end up with a Digest algorithm of MD5(username:password), which is not secure for simple passwords. Any computer today would be able to recover a simple password from its MD5 hash using available dictionaries.
- The Digest is optional. A MitM could tamper with the packet and the browser could fall back to Basic.

4. Digest and Basic, when invoked within a browser environment, have the annoying feature of opening a native popup with username/password.

5. Basic/Digest don’t expire. Once a Basic/Digest security token has been stolen, the thief can carry on with replay attacks indefinitely.

6. No prevention for tampering. The Digest algorithm can include hashing the URI, method and body, yet those parts are once again recommendations only and optional.

My preferred approach would be a

Custom Authentication Token a la Amazon

Amazon REST Authentication did a great job of providing a secure REST Authentication. Let’s dissect their token:

Example AWS Call:

GET /photos/puppy.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Mon, 26 Mar 2007 19:37:58 +0000
Authorization: AWS 0PN5J17HBGZHT7JJ3X82:frJIUN8DYpKDtOLCwo//yllqDzg=

where the Authorization header is built as:

Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;

and the signature:

Signature = Base64( HMAC-SHA1( UTF-8-Encoding-Of( YourSecretAccessKeyID, StringToSign ) ) );

and further:

StringToSign = HTTP-Verb + "\n" +
	Content-MD5 + "\n" +
	Content-Type + "\n" +
	Date + "\n" +
	CanonicalizedAmzHeaders +
	CanonicalizedResource;

CanonicalizedResource = [ "/" + Bucket ] +
	<HTTP-Request-URI, from the protocol name up to the query string> +
	[ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];

CanonicalizedAmzHeaders = <described below>

Explaining:

  • CanonicalizedAmzHeaders: some special AWS business headers. Skipping..
  • CanonicalizedResource: a string concatenating elements from the HTTP packet being sent – URI, parameters, Method etc. Reason? Preventing HTTP packet tampering. Assuming an attacker stole the Authentication token, the stolen token could be used only for the current REST call, as vital elements of the packet are injected as part of the AWS token.
  • StringToSign, Content-MD5 etc. – more tampering prevention and obfuscation.
  • Signature: a keyed one-way hash (HMAC-SHA1) of the whole amalgam above.

More  thoughts:

  • The token will contain a time stamp so it will expire on inactivity.
  • The token could optionally contain business sensitive data too. userID or any businessID’s.
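
As an added example (not code from the post or from Amazon), a Python sketch of the recipe above: building StringToSign, signing it with HMAC-SHA1, and the server-side check that recomputes the signature from the request it actually received and rejects a stale Date, which is where the tamper-prevention and expiry properties come from. The access key id, Date and request are the post's example, the bucket name johnsmith is taken from the Host header, and the secret is a constructed placeholder, so the resulting signature will not match the one shown in the post.

```python
import base64
import hashlib
import hmac
from email.utils import parsedate_to_datetime

# Constructed sample: access key id and request from the post's example;
# the secret is a placeholder, NOT the key that produced the post's signature.
ACCESS_KEY = "0PN5J17HBGZHT7JJ3X82"
SECRETS = {ACCESS_KEY: "constructed-placeholder-secret"}  # server-side key store
SAMPLE_DATE = "Mon, 26 Mar 2007 19:37:58 +0000"
SAMPLE_RESOURCE = "/johnsmith/photos/puppy.jpg"  # "/" + bucket + request URI

def string_to_sign(method, date, resource, content_md5="", content_type="", amz_headers=None):
    """Build StringToSign exactly as the post lists it (absent fields stay empty)."""
    amz = "".join(f"{k.lower()}:{v}\n" for k, v in sorted((amz_headers or {}).items()))
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{amz}{resource}"

def sign(secret, sts):
    """Signature = Base64(HMAC-SHA1(secret, StringToSign))."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def authorization_header(access_key, secret, method, date, resource):
    """Client side: Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature."""
    return f"AWS {access_key}:{sign(secret, string_to_sign(method, date, resource))}"

def verify(header, method, date, resource, now, max_skew_seconds=900, secrets=SECRETS):
    """Server side: recompute the MAC over the request as received, compare in
    constant time, then reject a Date too far from the server clock (replay)."""
    try:
        scheme, rest = header.split(" ", 1)
        access_key, presented = rest.split(":", 1)
        sent_at = parsedate_to_datetime(date)
        now_at = parsedate_to_datetime(now)
    except (ValueError, TypeError):
        return False
    if scheme != "AWS" or access_key not in secrets:
        return False
    expected = sign(secrets[access_key], string_to_sign(method, date, resource))
    if not hmac.compare_digest(expected, presented):
        return False  # any change to verb, URI, headers or Date breaks the MAC
    return abs((now_at - sent_at).total_seconds()) <= max_skew_seconds
```

Because the Date is part of StringToSign, the expiry check cannot be bypassed by editing the header: changing the Date invalidates the signature.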

Lastly, depending on requirements, you may want to consider using OAuth too.

Have a crafty and secure fun!

Twitter on Scala, abandoning Ruby on Rails

Apparently Rails doesn’t scale and Twitter moved to a JVM compiled solution which is … Scala. Probably Twitter is moving to Lift altogether?

http://www.artima.com/scalazine/articles/twitter_on_scala.html

An interesting idea. A blog post suggesting abandoning the stateful layer in favour of a completely stateless RESTful approach.

http://www.peej.co.uk/articles/no-sessions.html

“Developers became used to having sessions available to them, so when systems grew, became more complex, and started spreading over multiple servers, more and more hacks had to be introduced to keep the session support working, when in reality, sessions should never have been introduced in the first place.”

Cart on the client

“When you think about someone in real life going into a shop and placing items into their shopping basket, where is the basket? It’s with the user. So why don’t we model our online shop to mirror the real life scenario.
Web browsers used to be a document reader for displaying hypertext documents transferred over the HTTP protocol, but nowadays they are an application platform thanks to the development and deployment of Javascript within the HTML document and the browser. So we can use Javascript to extend our clients browser to be able to store their shopping cart until they reach the checkout.”

Using web 2.0 RIA clients such as GWT, Vaadin or Cappuccino fits just perfectly. I would only disagree with using REST as a remedy for everything. While REST is a great general purpose service architecture, the decision should rather be made per technology. GWT, for instance, has its first class optimized RPC API, so it’s natural for GWT to use its RPC rather than REST/JSON.