Tuesday, January 17, 2012

Verify SHA1 checksums from Windows using Cygwin

I have a dirty little secret. I never verify my checksums. I mean - I never used to verify my checksums.

Here's an easy way to verify a sha1 checksum in Windows, assuming you have Cygwin installed:

echo "60ab4099e811d79fe90ae8d8f184b163bdc57fa8  TortoiseGit-1.7.6.0-64bit.msi" | sha1sum -c -

You can use the "Bash here" Explorer menu entry to open a Cygwin Bash shell in the directory containing the file. There are also other commands, such as 'md5sum' and 'sha256sum'. As always, RTFM for more details.

Now, I can verify my checksums for the sake of it.
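
The same check wrapped in a small function, as an added example that is not part of the original post. It goes beyond the SHA-1 case above by choosing md5sum, sha1sum or sha256sum from the length of the published digest; the name verify_digest and the sample file are made up for the illustration.

```shell
#!/bin/sh
# verify_digest FILE EXPECTED_HEX   (hypothetical helper, added example)
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_digest() {
    file=$1
    # Published digests are sometimes upper case; the tools print lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Reject anything that is not pure hex before trusting its length.
    case $expected in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac

    # Choose the tool from the number of hex characters.
    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  echo "unsupported digest length: ${#expected}" >&2; return 2 ;;
    esac

    # Hash stdin so the first output field is the digest whatever the file name is.
    actual=$("$tool" < "$file" | cut -d ' ' -f 1)

    if [ "$actual" = "$expected" ]; then
        echo "$file: OK ($tool)"
        return 0
    fi
    echo "$file: FAILED ($tool), got $actual" >&2
    return 1
}

# Constructed sample input: a file holding the three bytes "abc".
sample=$(mktemp)
printf 'abc' > "$sample"
verify_digest "$sample" A9993E364706816ABA3E25717850C26C9CD0D89D   # SHA-1, upper case
verify_digest "$sample" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad   # SHA-256
# A digest of forty zeros cannot match, so this exercises the failure path.
verify_digest "$sample" "$(printf '%040d' 0)" || echo "mismatch detected"
rm -f "$sample"
```

The non-zero return codes make the function usable in an install script: stop when it returns 1 or 2 instead of running the downloaded file.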

Monday, October 3, 2011

Amazon ELB SSL Redirection using Tuckey's URLRewrite Filter

The Great One - URLRewrite

URLRewrite is one of the greatest things since bread was first sliced. To get one in your Maven 2 project, you will need, at the very least, to take the following steps (complete details are available in the URLRewrite manual, of course):

Add this dependency to your pom.xml:

<dependency>
	<groupId>org.tuckey</groupId>
	<artifactId>urlrewritefilter</artifactId>
	<version>3.2.0</version>
	<scope>runtime</scope>
</dependency>

Add a filter definition to web.xml:
<filter>
	<filter-name>UrlRewriteFilter</filter-name>
	<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>

And then a filter mapping to web.xml:
<filter-mapping>
	<filter-name>UrlRewriteFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>


Finally, create a file named urlrewrite.xml and place it in the WEB-INF directory (this can be customized, if desired):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.0//EN"
    "http://tuckey.org/res/dtds/urlrewrite3.0.dtd">
<urlrewrite default-match-type="wildcard">
 ... RULES WILL GO IN HERE ...
</urlrewrite>

That's all of the plumbing that's necessary. If the URLRewrite filter is set up correctly, then you should be able to see a URLRewrite status page on localhost:{YOUR_PORT}/rewrite-status. This page will be extremely useful as you develop rules (if you have an error in your urlrewrite.xml file, then the status page will tell you what it is).

SSL Redirection with Amazon's Elastic Load Balancer (ELB) and URLRewrite

Now comes the fun part. URLRewrite is set up and working, your application is deployed in EC2, and you have an ELB configured to listen for both HTTP and HTTPS traffic (on ports 80 and 443, respectively). ELB handles all of the HTTPS certificate shenanigans for you.

Now you want to automatically redirect users who visit the HTTP site to the HTTPS site. ELB does not have this capability at the present time, unfortunately. You cannot use the standard servlet mechanism to ensure a confidential transport because the traffic between the ELB and your servlet container is HTTP.

There are a few options, one of which is to move the HTTPS certificate down to your servlet container, etc. That would be a respectable option - maybe even the best option - but let's assume for the sake of a blog post that you would like to have the ELB handle the SSL.

To implement the redirection, we will take advantage of a header that the ELB adds to forwarded requests - "X-Forwarded-Proto". Its value will be "HTTPS" or "HTTP" depending on the client's original request. URLRewrite has the ability to activate a rule depending on a header value, and so here you are - HTTPS redirection:

<rule match-type="regex">
	<condition type="header" operator="notequal" name="X-Forwarded-Proto">^HTTPS$</condition>
	<from>^.*$</from>
	<to type="permanent-redirect" last="true">https://%{server-name}%{request-uri}</to>
</rule>


That's it. Non-HTTPS traffic will be permanently redirected to the HTTPS site and HTTPS traffic will flow to your application unimpeded.

Development Mode

The above works fine for production mode, but when developing we might not have HTTPS enabled. To get around that, you can add a condition to your rule as follows:

<condition type="port" operator="notequal">8080</condition>

(add it before the "from" element). You can add multiple conditions, if necessary. For example, you can also add a condition that the server-name is not equal to "localhost".


Miscellaneous

In the example above, I have assumed that URLRewrite was added to the WAR file of the application being developed. This is not strictly necessary. Tomcat, for instance, will allow you to add the filter to a global web.xml that applies to all applications. You would then need to add the URLRewrite jar to the appropriate directory. This could be useful if you have a lot of applications and you want them to use the same rules.

It is often convenient to use URLRewrite to add a version identifier (determined at build time) to each URL under a certain path encoded with response.encodeURL (including the JSTL c:url). Doing so allows you to "bust the cache" when a new version of the application is deployed. In successive testing rounds, we've often had to tell testers to refresh pages or empty browser caches in order to get the latest bug fixes. In a future blog post I would like to document a rule for this.

Sunday, June 5, 2011

Foo Hack - Isaac Schlueter on Web Development

Foo Hack - Isaac Schlueter on Web Development:
"npm is a development tool, first and foremost. People sometimes say “Yeah, I haven’t gotten time to check out that package manager stuff yet. Maybe I will when my code is more stable.”

That’s like saying that you’re going to start using source control when your code is done. It’s just silly. Source control should make your process easier, and if it doesn’t, then you’re using a broken SCM. Same for package management. It should make it easier, and if it doesn’t, then something is wrong."

Sunday, May 8, 2011

Thinking Inside a Bigger Box - Refactoring: The Good, The Sad and The Ugly

Thinking Inside a Bigger Box - Refactoring: The Good, The Sad and The Ugly:
"When a project schedules “refactoring tasks”, I find myself sad. The need for scheduled refactorings is a symptom that we don’t do the necessary good or even sad refactorings as we should. And scheduling refactoring tasks is an excuse to perpetuate our bad habits."

Friday, May 6, 2011

Scrum Vs. XP - Why Scrum is easier to sell - Blog - Osherove

Scrum Vs. XP - Why Scrum is easier to sell - Blog - Osherove:
"When I interview companies, the managers always think that they (sic) people under them work in a specific way. Interviewing the actual people who do the work usually shows a very different picture - that of people making stuff work despite the rules given, not because of them. It's really enlightening."

Saturday, April 23, 2011

An Improved "Gmail This" Bookmarklet

I was talking to my non-programmer brother and he was asking me whether there was a way to click one button to email someone something you are reading online (read: killer application idea). My answer was, "surely" and "it must exist" because it is such a trivial thing to implement with bookmarklets. "I could probably do it right now while we are on the phone." And so I did ...

I first did a quick search for "gmail bookmarklet" and the first thing that came up was Add a "Gmail This" Bookmarklet to Your Browser from About.com (via this Life Hacker post), the source code of which is reproduced below:

javascript:(function(){m='http://mail.google.com/mail/?view=cm&fs=1&tf=1&to=&su='+encodeURIComponent(document.title)+'&body='+encodeURIComponent(document.location);w=window.open(m,'addwindow','status=no,toolbar=no,width=575,height=545,resizable=yes');setTimeout(function(){w.focus();},%20250);})();
// original ^

The user of this bookmarklet, assuming she is new to such things, will likely be pleased for about 15 minutes. But then she will quickly realize that it doesn't do what she wants it to do. Namely, she wants to select a portion of the page she is reading and include that in the email along with a link to the page. The original version from About.com does not do that - it just includes the link of the page, not the highlighted text.

Still on the phone and frustrated by this, I then 1) quickly tried and failed to find another Gmail bookmarklet that has my feature, and 2) decided to write one using the best copy-and-paste techniques known to man.

The first task is to get the text the user has selected on the webpage. So, how do you do that in JavaScript? Who cares! I searched for a snippet and found the following one on DZone Snippets, reproduced below:

function getSel(){
var w=window,d=document,gS='getSelection';
return (''+(w[gS]?w[gS]():d[gS]?d[gS]():d.selection.createRange().text)).replace(/(^\s+|\s+$)/g,'');
}

I then integrated that, slightly modified, into the original bookmarklet, as shown below:

javascript:(function(){var w=window,d=document,gS='getSelection';var s=(''+(w[gS]?w[gS]():d[gS]?d[gS]():d.selection.createRange().text)).replace(/(^\s+|\s+$)/g,'');m='http://mail.google.com/mail/?view=cm&fs=1&tf=1&to=&su='+encodeURIComponent(document.title)+'&body='+encodeURIComponent(document.location+'\n\n'+s);w=window.open(m,'addwindow','status=no,toolbar=no,width=575,height=545,resizable=yes');setTimeout(function(){w.focus();},%20250);})();
// improved ^

And that's it! Now there is a new and improved Gmail This bookmarklet (right-click the link and add it to your favorites or drag the link to your toolbar to install it).

Coda

You might have guessed that this blog post is not really about bookmarklets. Like all great works of literature, it is about the meaning of life.

This blog post is about the "scratching an itch" principle that makes free and open source software (F/OSS) so desirable and powerful. When the source is available, hackers, that is, superheroes with the power to manipulate the source - hackers like me, and others way more powerful - modify it to satisfy their needs, improving the original software. And they share those changes with whosoever wants them. The user community tends to choose the most useful variants of the software, enabling a kind of "evolution by user selection". Why do the hacker-gods do this? You might as well ask Superman why he does what he does. And in case you haven't figured it out yet, that is the meaning of life.

Now if I can only explain to my brother how to install bookmarklets ... users ... sigh ...

Sunday, April 17, 2011

What sacrificing quality gets you according to Kent Beck ...

Here are two passages from Extreme Programming Explained by Kent Beck that figuratively made me shout "AMEN!" at the top of my voice:

"Temporarily sacrificing internal quality to reduce time to market in hopes that external quality won't suffer too much is a tempting short-term play. And you can often get away with making a mess for a matter of weeks or months. Eventually, though, internal quality problems will catch up with you and make your software prohibitively expensive to maintain, or unable to reach a competitive level of external quality."

and

"There is a human effect from quality. Everybody wants to do a good job, and they work much better if they feel they are doing good work. If you deliberately downgrade quality, your team might go faster at first, but soon the demoralization of producing crap [emphasis mine] will overwhelm any gains you temporarily made from not testing, or not reviewing, or not sticking to standards."

These two passages appear in his discussion of the three familiar control variables in software development - quality, time, and cost - and a less widely known one, scope. In the extreme programming methodology (XP), management gets to pick the values of three of the variables and the development team picks the value of the fourth - without exception.

Beck's position is that quality is a horrible variable to mess around with - either by explicitly demanding low quality or by picking the values of the other three variables such that the implied quality is low. He instead advocates that the fourth variable, scope, is the best one to fiddle with. By reducing scope, you can give quality room to breathe, reduce cost, and deliver on time. Assuming that quality is fixed reasonably high, by increasing scope you imply either an increase in time, cost, or both. And so on.

The book is really good (so far, I haven't finished) and I especially encourage all management types to read it.

Thursday, April 7, 2011

... the key, the whole key, and nothing but the key, so help me Codd!

Third normal form - Wikipedia, the free encyclopedia:
"A memorable summary of Codd's definition of 3NF, paralleling the traditional pledge to give true evidence in a court of law, was given by Bill Kent: every non-key attribute 'must provide a fact about the key, the whole key, and nothing but the key.'[5] A common variation supplements this definition with the oath: 'so help me Codd'.[6]"

Monday, April 4, 2011

Tuesday, March 22, 2011

/dev/null : Weblog

/dev/null : Weblog: "The Seven Habits of Highly Dysfunctional Design

There are a number of design decisions in Java and its related libraries that I have complained about on more than one occasion, but I wanted to write down some of my thoughts as to why I believe that they are bad design decisions, how they could have been better, and thus how to avoid inflicting similar pain on others."

Thursday, March 10, 2011

Nerd Venn Diagram: Geek, Dork or Dweeb?

Nerd Venn Diagram: Geek, Dork or Dweeb?: "Nerd Venn Diagram: Geek, Dork or Dweeb?
By Scott Beale on September 15, 2009

Here’s a handy Nerd Venn Diagram to help determine if you are a Geek, Dork or Dweeb."

Sunday, February 6, 2011

Here’s a flowchart. Kill it. Kill it with fire.

What Does It All Mean? - Dive Into HTML5: "I’m not even going to talk about the crazy shit that Internet Explorer 8 does to switch between its four — four! — different rendering modes. Here’s a flowchart. Kill it. Kill it with fire.)"

Tuesday, November 30, 2010

Pixar's Brad Bird on Fostering Innovation: Tech News

Pixar's Brad Bird on Fostering Innovation: Tech News: Lesson One: Herd Your Black Sheep
The Quarterly: How did your first project at Pixar—The Incredibles—shake things up?

Brad Bird: I said, “Give us the black sheep. I want artists who are frustrated. I want the ones who have another way of doing things that nobody’s listening to. Give us all the guys who are probably headed out the door.” A lot of them were malcontents because they saw different ways of doing things, but there was little opportunity to try them, since the established way was working very, very well. We gave the black sheep a chance to prove their theories, and we changed the way a number of things are done here.