Spartan Java

Afraid of malicious injections in your web app requests, heres a simple way to improve your application security. Push every request parameter through a filtering function before it’s feeded to your application code.

Such a function can be as simple as:

1
2
3
4
5
6
7
8
9
10

private String cleanParameter(String value) {
   if (value != null) {
      value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
      value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
      value = value.replaceAll("'", "&#39;");
      value = value.replaceAll("eval\\((.*)\\)", "");
      value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
   }
   return value;
}

This will escape/remove potentially dangerous Javascript code and HTML/XML tags.

You can implement this on a web filter or a struts interceptor or a DWR filter depending on the technology you use for you app.

In case you are not doing it already, using asynchronous logging is generally a good idea. You don’t want your application to slow down if the server IO is a little behind flushing all that logging to the filesystem. By making it asynchronous your application can continue running without having to wait for the log lines to be written to their final destination.

My personal choice for Java logging is log4j, there are a lot of different frameworks (including Suns own logging API), but log4j works great and is extremely flexible.
(continue reading…)

Someone asked me about the implementation details of the Google Appengine sample I published a few weeks ago (http://obovweb.appspot.com/). Well, you can get a hold of the source code here.

There’s not much to tell, apart from the specific HMAC-SHA1 implementation (which you can check out in Obovs source code) it’s a very simple JSP/DWR application.

I’ve faced this problem a few times before, but this time I decided to find a generic solution to it. I needed to prevent users from clicking action links in a web application multiple times and therefore triggering some server side action a lot of times when only one time was enough/needed.

After looking around for a few hours for an elegant solution I just couldn’t find one, all the articles/answers I found required controls on each link and/or special handling on the server side code that reacted to them.
(continue reading…)

I decided to try out the new Java based version of Google Appengine. So i wrote a very simple web app that allows the user to generate one time passwords (OTP) using the HMAC-SHA1 algortihm (see OATH).

You can check it out at http://obovweb.appspot.com. As the name suggests its based on my obov library.
(continue reading…)

There are many commercial SSH client libraries for Java, but it was hard to find a good open source one. Finally I stumbled upon SSHTools and I have to say it works wonderfully and the API is clean and simple.
(continue reading…)

I recently faced the problem of encrypting something in PHP and decrypting it using Java, this proved to be a little more of a challenge than what it initially seemed like. (continue reading…)

A new version of obov is available for download. Some nice new features were added:

• Methods to generate passwords using the HMAC-SHA1 algorithm
• A handy utility method to generate secret keys (seeds) based on any given string

Go get it!

obov stands for OATH Based OTP validator. It’s a 100% pure Java library that provides simple to use methods to validate (and related utilities) one time passwords generated by OATH compliant devices.
(continue reading…)

The folks at IBM have a nice API to use i5/OS (AS400) stuff from Java code. Check it out at http://www-03.ibm.com/systems/i/software/toolbox/index.html.

What I particularly find very useful and have used often is to validate user names and passwords with the AS400 authentication services. The following code validates a userName and password.
(continue reading…)