May 21, 2013

JBoss DatabaseServerLoginModule with Added Salt and Iteration Count

Today I came across an interesting open source project that extends the default JBoss DatabaseServerLoginModule with what it lacks out of the box: a per-user salt and a configurable iteration count (PBKDF2) instead of a plain, unsalted hash of the password. Enjoy.

http://www.rtner.de/software/PBKDF2.html
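Added example (not part of the original post, and not code from the rtner.de project, which is Java): the two properties the module adds, a random salt per password and an iteration count stored next to the hash, shown with Python's standard-library PBKDF2. The record format `pbkdf2_<alg>$<iterations>$<salt>$<dk>` and the default parameters are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Defaults for new password records. The iteration count is the knob that
# makes offline guessing expensive; raise it over time. These values are the
# example's own choices (hypothetical), not the linked project's.
ALGORITHM = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
DK_BYTES = 32
PREFIX = "pbkdf2_"


def hash_password(password, iterations=ITERATIONS, salt=None, algorithm=ALGORITHM, dk_len=DK_BYTES):
    """Return a self-describing record "pbkdf2_<alg>$<iterations>$<salt>$<dk>".

    The record format is hypothetical (chosen for this example). Carrying the
    salt and iteration count inside the record is what lets verification work
    without any other configuration, and lets old records coexist with new
    ones hashed at a higher count.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations, dk_len)
    return "$".join([
        PREFIX + algorithm,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def parse_record(record):
    """Split a record into (algorithm, iterations, salt, derived_key); ValueError if malformed."""
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if not scheme.startswith(PREFIX):
        raise ValueError("unknown scheme")
    return scheme[len(PREFIX):], int(iterations), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password, record):
    """Recompute PBKDF2 with the record's own salt and count; compare in constant time."""
    try:
        algorithm, iterations, salt, expected = parse_record(record)
        actual = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations, len(expected))
    except ValueError:  # malformed record, bad base64, bad count, or unknown hash name
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS, algorithm=ALGORITHM):
    """True if a record was made with weaker parameters than the current defaults."""
    try:
        algorithm_used, iterations_used, _, _ = parse_record(record)
    except ValueError:
        return True
    return algorithm_used != algorithm or iterations_used < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
    # Same password, different salts: different records, so no shared lookup table.
    print(hash_password("hunter2") != hash_password("hunter2"))      # True
```

On a successful login, call `needs_rehash()` and, if it returns True, store `hash_password()` of the password just presented; that is how the iteration count gets raised across an existing user table without forcing password resets.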

How to Encrypt Password in JBoss 7 and EAP 6

When a background process has to connect to a server that requires a login, you have the problem of storing that password securely. A background process has no user interaction that could supply the credential at runtime, so the credential has to be given to it beforehand. That raises the problem of storing the password somewhere other than in clear text.

So how do we achieve that with JBoss 7 and EAP 6? The shipped solution is the JBoss Vault. Here is a link on using it - https://community.jboss.org/wiki/JBossAS7SecuringPasswords. Two notes on the example there that you might want to consider:
  • The key size of 1024 bits in the keytool example is weak; use a longer key (2048 bits or more). 
  • You probably want to increase the default validity period of the key, with the -validity flag.
 The next question that arises is how safe this is. Red Hat answers that on the same page.

"The default implementation of the vault utilizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity.  This is not 100% security. It only gets away from the problem of clear text passwords in configuration files.  There is always a weak link. (As mentallurg suggests in the comments, the keystore password is the weakest link)."
   
"Ideally, 3rd party ISV robust implementations of Vaults should provide the necessary security."

[https://community.jboss.org/wiki/JBossAS7SecuringPasswords#Frequently_Asked_Questions]

And maybe the most obvious question is how to make it stronger. Red Hat answers that too on the same page: store the keystore on an external USB device that is mounted at boot and removed afterwards, so the keystore password alone is not enough for an attacker with access to the filesystem, or use a stronger third-party vault implementation.

How to enable Tree View in File Browse Nautilus in RHEL 6

After installing RHEL 6, the default configuration of the file browser (Nautilus 2.28.4, https://live.gnome.org/Nautilus) is to display folders as icons. This layout has never been my favorite, because it requires a lot of mouse clicking when browsing. A better layout is the Tree View. To use the tree view, open Nautilus and:
  1. Open the Preferences dialog by clicking Edit -> Preferences. See picture 1.
  2. In the first tab (Views), select the lowest option, Show only folders.
  3. In the second tab (Behavior), select Always open in browser windows. See picture 2.
Picture 1: Nautilus Preferences dialog, Views tab.

Picture 2: Nautilus Preferences dialog, Behavior tab.

If you want more extensions for Nautilus, check out the Nautilus extensions page - https://live.gnome.org/Nautilus/Extending.
 

May 16, 2013

How to Handle Character Encoding in JSP and Servlets

When writing a simple web application you might not want to bother with a web framework and simply use plain JSP and Servlets. This has been the case for me recently, but of course there are pitfalls with that, as with everything else in life. One of them is handling character encoding.

In your JSP, be sure to use the encoding settings below:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Insert title here</title>
</head>
<body>

    <h1>Empty Page</h1>

</body>
</html>

These encoding settings are important if you plan to pass GET parameters in the URL that may contain characters outside the ISO-8859-1 character table. Be aware of how percent-encoding works: the URL carries the raw bytes of each parameter value (for example %C3%B6 for "ö" in UTF-8), but nothing in the request says which charset those bytes are in. The Servlet specification therefore has the container fall back to ISO-8859-1, and a UTF-8 value decoded that way turns into mojibake ("Ã¶" instead of "ö").

The next gotcha is when the JSP calls a Servlet. The container has the same problem: it receives percent-encoded bytes and, unless told otherwise, decodes them as ISO-8859-1. So you must tell it explicitly which charset to decode the parameters with, and do so before the first call to getParameter(), because the parameters are parsed and cached on first access. That is done via these methods:

req.setCharacterEncoding("UTF-8");
resp.setCharacterEncoding("UTF-8");

Note that setCharacterEncoding() on the request governs the request body, i.e. POST form parameters. Query-string parameters are decoded with the connector's URI encoding, which in JBoss Web (AS 7 / EAP 6) is set with the system property org.apache.catalina.connector.URI_ENCODING (or org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING=true to reuse the request's encoding). Check both if a GET parameter still comes through garbled.

If you are planning to send an HTML response directly from the Servlet, do not forget to set the response content type as well:

resp.setContentType("text/html; charset=UTF-8");
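To make the ISO-8859-1 fallback concrete, here is an added Python example (not from the original post; the container's behaviour is replayed with the standard library rather than with a servlet). It decodes the same percent-encoded query string with both charsets, shows the mojibake the wrong default produces, and repairs it by recovering the original bytes. The query string is constructed for this example.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample query string, as a browser sends it for name=Björn and
# city=München from a UTF-8 page: the UTF-8 bytes of each value are
# percent-encoded, and nothing in the string says which charset they are in.
SAMPLE_QUERY = "name=Bj%C3%B6rn&city=M%C3%BCnchen"


def decode_query(query, charset):
    """Decode the percent-encoded parameters assuming the bytes are in `charset`.

    This mirrors what the servlet container does: it has the raw bytes and a
    default charset (ISO-8859-1 per the Servlet spec, unless told otherwise)
    and nothing else to go on.
    """
    parsed = parse_qs(query, keep_blank_values=True, encoding=charset, errors="strict")
    return {key: values[0] for key, values in parsed.items()}


def repair_latin1_mojibake(text):
    """Undo a wrong ISO-8859-1 decode of UTF-8 bytes.

    ISO-8859-1 maps every byte to exactly one code point, so the original
    bytes are recovered with .encode("latin-1") and re-decoded as UTF-8.
    Text that was not mojibake of this kind is returned unchanged.
    """
    try:
        return text.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def build_query(params):
    """Percent-encode parameters the way a page with pageEncoding="UTF-8" does."""
    return urlencode(params, encoding="utf-8")


if __name__ == "__main__":
    wrong = decode_query(SAMPLE_QUERY, "ISO-8859-1")
    right = decode_query(SAMPLE_QUERY, "UTF-8")
    print("ISO-8859-1:", wrong)  # {'name': 'BjÃ¶rn', 'city': 'MÃ¼nchen'}
    print("UTF-8:     ", right)  # {'name': 'Björn', 'city': 'München'}
    print("repaired:  ", {k: repair_latin1_mojibake(v) for k, v in wrong.items()})
    print(build_query({"name": "Björn", "city": "München"}) == SAMPLE_QUERY)  # True
```

The repair function is a diagnostic, not a fix: if you see "Ã¶"-style output in your servlet, the right change is the request encoding and connector URI encoding described above, not re-decoding strings after the fact.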

May 14, 2013

Problem installing Maven 3 on Ubuntu 13.04 Raring

Today I reinstalled my machine with the latest Ubuntu version, 13.04 (Raring), and after installation I installed Maven 3 but ran into a problem.

The following packages have unmet dependencies:
 maven : Depends: libwagon2-java (>= 2.2-2) but it is not going to be installed


I searched the official Ubuntu bug report site, https://bugs.launchpad.net/ubuntu/ and found the solution.

https://bugs.launchpad.net/ubuntu/+source/maven2/+bug/1173142