Protecting web requests
by ricardoz on Jul.15, 2011, under JavaScript, Security, Tips, Web related
Afraid of malicious injections in your web app requests? Here's a simple way to improve your application security: push every request parameter through a filtering function before it's fed to your application code.
Such a function can be as simple as:
```java
private String cleanParameter(String value) {
    if (value != null) {
        // Removals run first: once parentheses and quotes are escaped below,
        // the eval(...) and javascript: patterns could never match.
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // Escape angle brackets so HTML/XML tags cannot be injected
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        // Escape parentheses and single quotes used in script expressions
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
    }
    return value;
}
```
This will escape/remove potentially dangerous JavaScript code and HTML/XML tags.
You can implement this in a web filter, a Struts interceptor or a DWR filter, depending on the technology you use for your app.
Asynchronous logging with log4j
by ricardoz on Nov.25, 2009, under Articles, Performance, Security
In case you are not doing it already, using asynchronous logging is generally a good idea. You don’t want your application to slow down if the server IO is a little behind flushing all that logging to the filesystem. By making it asynchronous your application can continue running without having to wait for the log lines to be written to their final destination.
My personal choice for Java logging is log4j; there are a lot of different frameworks (including Sun's own logging API), but log4j works great and is extremely flexible.
(continue reading…)
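One way to set this up programmatically in log4j 1.2, as an added example and not the configuration from the post: `AsyncAppender` wraps the real `FileAppender`, so the thread that calls `log.info()` only enqueues the event and a dispatcher thread owned by the appender does the file I/O. The class name `AsyncLogSetup`, the file name and the buffer size are my choices.

```java
import java.io.IOException;

import org.apache.log4j.AsyncAppender;
import org.apache.log4j.FileAppender;
import org.apache.log4j.Level;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;

/** Hypothetical bootstrap class that routes the root logger through an AsyncAppender. */
public class AsyncLogSetup {

    public static void configure(String logFile) throws IOException {
        // The real writer: a synchronous appender that touches the filesystem.
        FileAppender file = new FileAppender(
                new PatternLayout("%d{ISO8601} [%t] %-5p %c - %m%n"), logFile, true);

        // The asynchronous front: callers enqueue, the dispatcher thread writes.
        AsyncAppender async = new AsyncAppender();
        async.setBufferSize(512);   // events held in memory when IO falls behind
        // blocking=true: a producer waits when the buffer is full (no events lost).
        // blocking=false: events are dropped once full, which is faster but means
        // audit/security lines can silently disappear under load.
        async.setBlocking(true);
        async.addAppender(file);
        async.activateOptions();

        Logger root = Logger.getRootLogger();
        root.setLevel(Level.INFO);
        root.addAppender(async);
    }

    public static void main(String[] args) throws IOException {
        configure("app.log");
        Logger log = Logger.getLogger(AsyncLogSetup.class);
        for (int i = 0; i < 1000; i++) {
            log.info("request handled, event " + i);   // returns without waiting for disk
        }
        // Drain the queue before the JVM exits; otherwise buffered lines are lost.
        LogManager.shutdown();
    }
}
```

The `setBlocking` choice is the one to think about: dropping events keeps the application responsive under pressure, but for logs you rely on during incident response the blocking mode (or a larger buffer) is the safer default.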
View Android's emulator log from Eclipse
by ricardoz on Nov.19, 2009, under Android, Tips
Sounds like it should be quite straightforward, right? Well, it is, but for some reason it took me more than a few minutes (maybe I need to get more sleep :P). Anyway, to view Android's emulator log from Eclipse go to Window / Show View / Other… / Android / LogCat
Get a web page programmatically from Android
by ricardoz on Nov.18, 2009, under Android, Tips
The Google folks were kind enough to include a version of the Apache HTTP Client in the Android SDK, ergo loading a web resource/page from our Android apps is really simple:
```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

public static String fetchPage(String url) throws IOException {
    HttpClient httpClient = new DefaultHttpClient();
    HttpContext localContext = new BasicHttpContext();
    HttpGet httpGet = new HttpGet(url);   // e.g. "http://www.spartanjava.com"
    HttpResponse response = httpClient.execute(httpGet, localContext);

    StringBuilder result = new StringBuilder();
    BufferedReader reader = new BufferedReader(
            new InputStreamReader(response.getEntity().getContent()));
    try {
        String line;
        while ((line = reader.readLine()) != null) {
            result.append(line).append("\n");
        }
    } finally {
        reader.close();   // releases the entity stream and the connection
    }
    // Now you have the whole HTML loaded in the result variable
    return result.toString();
}
```
Super simple AJAX for Java apps using jQuery and JSON
by ricardoz on Oct.28, 2009, under Articles, JavaScript, Web related
Back in April I wrote about Java to/from JSON serialization using XStream. After developing several AJAX applications using PHP and jQuery, I found that for a lot of scenarios a very simple approach is not only easy but very effective. In the case of PHP, you can effectively enable AJAX in your apps using jQuery's $.getJSON() and PHP's json_encode().
I think we can use a very similar approach for Java web applications, enabling the use of AJAX through a very simple, elegant and extensible architecture, without the use of complex frameworks and extra configurations.
(continue reading…)
Obovweb source code – a Google Appengine sample
by ricardoz on Oct.20, 2009, under Security, Tips, Web related
Someone asked me about the implementation details of the Google Appengine sample I published a few weeks ago (http://obovweb.appspot.com/). Well, you can get a hold of the source code here.
There's not much to tell; apart from the specific HMAC-SHA1 implementation (which you can check out in Obov's source code) it's a very simple JSP/DWR application.
Enabling “Enter” in a form without a submit button
by ricardoz on Oct.13, 2009, under JavaScript, Tips
I find it quite annoying when I can’t post/confirm a web form using the Enter key.
Here is a nifty little JavaScript trick to do it when you do not need/want a submit input in your HTML.
(continue reading…)
Building androids
by ricardoz on Sep.04, 2009, under Android
I’ve been trying out the Google Android platform, and I have to say I’m quite pleased with it. The bundled Java API and VM seem to work very well and the development tools (Eclipse plugin and SDK) work just fine.
You can tell a lot of thought has been put into the API and the proposed development “style”, and the tutorials and documentation are easy to follow and do not deviate to marketing and commercial stuff.
Anyway, stay tuned if you want to get into it, I will post an app to the marketplace soon enough.
Blocking multiple clicks real easy
by ricardoz on Aug.10, 2009, under JavaScript, Performance, Security, Web related
I’ve faced this problem a few times before, but this time I decided to find a generic solution to it. I needed to prevent users from clicking action links in a web application multiple times and therefore triggering some server side action a lot of times when only one time was enough/needed.
After looking around for a few hours for an elegant solution I just couldn't find one; all the articles/answers I found required controls on each link and/or special handling in the server side code that reacted to them.
(continue reading…)
Java application as a MS Windows service
by ricardoz on Jul.29, 2009, under Tips
It's really annoying to run something interactively on MS Windows when you know deep inside it should be an OS service. Doing this on a *nix system is quite simple (most of the time you just need to write a short shell script), but on MS Windows it's not so easy.
(continue reading…)