Sunday, October 9, 2016

Creating a custom mode and worker files in Ace editor

[1] and [2] contain good examples of how to create your own worker code and how to integrate the worker into the mode with a worker client. The problem I faced was that, although this content was added to two new files, syntax validation was not working, because the worker file lacked some initial methods that come from the Ace editor itself. To create a custom worker that includes all those basic methods, follow the steps below.

Let us assume your custom language is called 'lang1'.
1. Create the mode and worker content files with the naming convention 'lang1.js' and 'lang1_worker.js'.
2. Download the Ace source code from https://github.com/ajaxorg/ace.
3. In the Ace source tree, go to the '/lib/ace/mode' folder and place your lang1.js and lang1_worker.js files there.
4. Build the Ace source with the command 'node ./Makefile.dryice.js' (check the GitHub page for instructions).
5. Once the build succeeds, go to the 'build/src' folder: you will find your mode file as 'lang1.js' and your worker file created as 'worker-lang1.js'.

Now you can place these files in your own source code location and work with them. Remember to update the worker name to the new one when creating the worker client, for example:
var worker = new WorkerClient(["lang1"], "lang1/mode/worker-lang1", "Lang1Module");

[1] https://github.com/antlr/antlr4/blob/master/doc/ace-javascript-target.md
[2] https://github.com/ajaxorg/ace/wiki/Syntax-validation

Thursday, September 15, 2016

XSLT stylesheet template to add a namespace with namespace prefix

If you are writing an XSLT stylesheet and need to add a namespace, with a namespace prefix, to a certain element, you can write a template like the one below. This one adds the namespace to the <UserRequest> node.

<xsl:template match="UserRequest">
    <!-- Define the namespace with the namespace prefix ns0 -->
    <xsl:element name="ns0:{local-name()}" namespace="http://sample.org">
        <!-- Apply templates to the children and attributes of the selected node -->
        <xsl:apply-templates select="node()|@*"/>
    </xsl:element>
</xsl:template>


If you need to add this namespace to <UserRequest> and its child elements as well, the template match should change to the following.

<xsl:template match="UserRequest | UserRequest/*">
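The template above only produces output for the nodes it matches; on its own it would drop the rest of the document. A complete stylesheet needs an identity template alongside it so that every other node is copied through unchanged. The following stylesheet is an added example, not part of the original post, combining the identity template with the namespace template. With a constructed input such as <Order><UserRequest><Name>a</Name></UserRequest></Order> it produces <Order><ns0:UserRequest xmlns:ns0="http://sample.org"><ns0:Name>a</ns0:Name></ns0:UserRequest></Order>.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="xml" indent="yes"/>

    <!-- Identity template: copies every node and attribute that no other template matches,
         so the rest of the document passes through unchanged -->
    <xsl:template match="node()|@*">
        <xsl:copy>
            <xsl:apply-templates select="node()|@*"/>
        </xsl:copy>
    </xsl:template>

    <!-- Re-create UserRequest and its direct children in the ns0 namespace.
         "UserRequest/*" matches direct children only; use "UserRequest//*"
         if every descendant element should move into the namespace -->
    <xsl:template match="UserRequest | UserRequest/*">
        <xsl:element name="ns0:{local-name()}" namespace="http://sample.org">
            <xsl:apply-templates select="node()|@*"/>
        </xsl:element>
    </xsl:template>
</xsl:stylesheet>
```

Because the identity template has lower default priority than the explicit element match, the namespace template wins for UserRequest and its children while everything else is copied as-is.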

Handeling namespaces in xpath expressions of WSO2 ESB payload mediator

You can read about the PayloadFactory mediator of WSO2 ESB at https://docs.wso2.com/display/ESB500/PayloadFactory+Mediator. If you need to supply an XML input that contains namespaces (other than the default namespace), and you need to access a node of it in the <args> of the payloadFactory mediator, you can do it with an XPath expression like this.

<payloadFactory media-type="xml">
    <format key="conf:resources/output.xml"/>
    <args>
        <arg xmlns:ns0="http://sample.org" expression="//ns0:UserRequest"/>
    </args>
</payloadFactory>



Saturday, August 27, 2016

Why are human tasks important for your business process?

Business processes can be thought of as workflows, ranging from a vacation approval process to a pizza ordering process. With WSO2 Business Process Server you can easily create these workflows by writing your own BPEL processes. BPEL is a standard for modelling web service orchestration, and you can read more about it in [1]. In simple terms, you create a BPEL process to interact with different web services and collect the responses you need. However, not every scenario is just a matter of sending a request and getting a response. Some business processes require a human touch.

For example if you consider a leave approving process, you need to send your request to probably your HR manager and wait until he/she approves/rejects your request. Your HR manager might do this right on that day or it could be next week. So until this decision is made, you have to hold back on booking your airline tickets for your vacation. Right? Wouldn't it be nice if you just get notified once the HR manager makes a decision?

OK, so it is important... but how do you implement this?
As a developer, building a solution with the above requirements is not an easy task. You need to know when a request was sent, make sure requests go to the correct person, keep track of when the HR manager approves or rejects them, and finally let the employee know about the decision. If it were just about calling a web service you could model a BPEL process with a few WSDLs, but now a real user is interacting at one step. So how can we add this human interaction to a BPEL process? With WSO2 BPS this is easily done through human tasks.

Does WSO2 BPS make it easy?
[2] is a really good blog on what human tasks are, how you can use them, and the anatomy behind them with respect to WSO2 BPS; I suggest you read it first. You first create your human task based on the WS-HumanTask specification [3]; creating and deploying it in WSO2 BPS is explained in [4]. Once your human task is set up, you need a way to add this human task step into your BPEL process. The WS-BPEL Extension for People (BPEL4People) specification [5] lets you include the human task interaction in your BPEL process.

You might now think it is a very tedious task to implement those specifications AND worry about the actual business process. But since WSO2 BPS ships with implementations of these specifications, you only need to worry about creating the artifacts.

Link human tasks to the BPEL process
For example, when you add a bpel4people step to your BPEL process, you can add a remote task partner link that defines your human task details. Once this step is reached, a human task is created in the human task engine, and the BPEL process waits until that task is completed.

<extensionActivity>
    <b4p:peopleActivity name="TestTASKPeopleActivity"
                        inputVariable="b4pInput"
                        outputVariable="b4pOutput"
                        isSkipable="no">
        <b4p:remoteTask partnerLink="b4pPartnerLink"
                        operation="approve"
                        responseOperation="approvalResponse">
        </b4p:remoteTask>
    </b4p:peopleActivity>
</extensionActivity>

Create human tasks in one go
If you went through [4] you might feel that creating a human task is a hectic process, with all those files created manually. With WSO2 BPS 3.6.0 that is no longer the case: BPS tooling lets you create your human task in one go, and it is really easy. You can check out the basics of this in [6].

Finally, you need to decide how you are going to build the UI for those human tasks. You can easily create your own API with the admin services exposed by WSO2 BPS; see [7] for a good explanation.


[1] http://wso2.com/library/articles/writing-simple-ws-bpel-process-wso2-bps-apache-ode/
[2] http://wso2.com/library/articles/2012/01/human-tasks-bridging-bits-real-world/
[3] http://docs.oasis-open.org/bpel4people/bpel4people-1.1-spec-cd-09.pdf
[4] https://docs.wso2.com/display/BPS360/Writing+a+Human+Task+Artifact
[5] http://docs.oasis-open.org/bpel4people/ws-humantask-1.1-spec-cd-10.pdf
[6] https://codeoutloud.wordpress.com/2016/06/22/creating-a-human-task-artifact-with-wso2-bps-tooling/
[7] http://nandikajayawardana.blogspot.com/2013/05/how-to-implement-your-own-task-ui-on.html

Wednesday, August 3, 2016

Manually create JWKS_URI for public certificates

A JWK is a JSON representation of a cryptographic key. More details can be found in https://tools.ietf.org/html/rfc7517#section-4. This post gives the steps for manually extracting the modulus and exponent values of a public certificate, in the format expected at a JWKS_URI.

For this example, we will extract the values from WSO2 Identity Server's public certificate.

1. Find the keystore .jks file, which is located in the <WSO2_IS>/repository/resources/security folder (wso2carbon.jks).

2. Next, extract the public certificate from the keystore and get its RSA public key. For all these steps I will be writing a Java client that uses the java.security.KeyStore functions.

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;

FileInputStream file = new FileInputStream("/Desktop/wso2IS/repository/resources/security/wso2carbon.jks");
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
// Password of the keystore shipped with the product
keystore.load(file, "wso2carbon".toCharArray());
String alias = "wso2carbon";
// Get the certificate stored under the alias
Certificate cert = keystore.getCertificate(alias);
// Get the RSA public key of that certificate
RSAPublicKey publicKey = (RSAPublicKey) cert.getPublicKey();

3. Now that you have the public key, you can get the modulus and exponent values like below.

BigInteger n = publicKey.getModulus();
BigInteger e = publicKey.getPublicExponent();


To add these values in the JWKS_URI format explained in [1], the integers must be base64url encoded from their big-endian byte representation. The following code snippets do this.
The function below is called with 'bytes' set to n.toByteArray() and e.toByteArray() respectively:
base64Encode(bytes, 0, bytes.length, false);
So you would invoke it like this:

base64Encode(n.toByteArray(), 0, n.toByteArray().length, false);
base64Encode(e.toByteArray(), 0, e.toByteArray().length, false);

The base64Encode function itself looks like this.

// URL-safe base64 alphabet (RFC 4648 section 5)
private static final char[] ENCODE_MAP =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray();

public String base64Encode(final byte[] bytes, final int offset, final int length, final boolean padding) {
    final StringBuilder buffer = new StringBuilder(length * 3);
    // Process the input three bytes (24 bits) at a time, producing four 6-bit symbols
    for (int i = offset; i < offset + length; i += 3) {

        int p0 = bytes[i] & 0xFC;
        p0 >>= 2;

        int p1 = bytes[i] & 0x03;
        p1 <<= 4;

        int p2;
        int p3;
        if (i + 1 < offset + length) {
            p2 = bytes[i + 1] & 0xF0;
            p2 >>= 4;
            p3 = bytes[i + 1] & 0x0F;
            p3 <<= 2;
        } else {
            p2 = 0;
            p3 = 0;
        }
        int p4;
        int p5;
        if (i + 2 < offset + length) {
            p4 = bytes[i + 2] & 0xC0;
            p4 >>= 6;
            p5 = bytes[i + 2] & 0x3F;
        } else {
            p4 = 0;
            p5 = 0;
        }

        if (i + 2 < offset + length) {
            // Full group of three bytes: four symbols
            buffer.append(ENCODE_MAP[p0]);
            buffer.append(ENCODE_MAP[p1 | p2]);
            buffer.append(ENCODE_MAP[p3 | p4]);
            buffer.append(ENCODE_MAP[p5]);
        } else if (i + 1 < offset + length) {
            // Two bytes left: three symbols, optionally one '=' pad
            buffer.append(ENCODE_MAP[p0]);
            buffer.append(ENCODE_MAP[p1 | p2]);
            buffer.append(ENCODE_MAP[p3]);
            if (padding) {
                buffer.append('=');
            }
        } else {
            // One byte left: two symbols, optionally two '=' pads
            buffer.append(ENCODE_MAP[p0]);
            buffer.append(ENCODE_MAP[p1 | p2]);
            if (padding) {
                buffer.append("==");
            }
        }
    }
    return buffer.toString();
}
This code block takes the exponent and modulus values in their big-endian byte form (as returned by toByteArray()) and encodes them with the URL-safe alphabet. The ENCODE_MAP value is "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray();

Once you have these values in the proper format, refer to [1] and build the JSON representation as required.
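The following is an added example, not code from the original post, that carries the procedure through to a finished JWKS document using only the JDK. It generates an in-memory RSA key pair in place of reading wso2carbon.jks, encodes n and e with java.util.Base64's URL encoder without padding (which produces the same output as the post's base64Encode with padding=false), and adds one check a practitioner wants: RFC 7518 defines n and e as the base64url encoding of the unsigned big-endian octets using the minimum number of octets, while BigInteger.toByteArray() returns a two's-complement representation, so a modulus whose top bit is set (every 2048-bit modulus) carries a leading 0x00 sign byte that must be stripped before encoding. The "kid" value and the key size are constructed for the example.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Base64;

public class JwkFromRsaPublicKey {

    // RFC 7518 "Base64urlUInt": base64url without padding of the unsigned big-endian
    // octets, minimal length. BigInteger.toByteArray() is two's complement, so drop the
    // leading 0x00 sign byte that appears whenever the value's top bit is set; leaving it
    // in makes consumers read a modulus one octet longer than the real key.
    static String base64UrlUInt(BigInteger value) {
        byte[] bytes = value.toByteArray();
        if (bytes.length > 1 && bytes[0] == 0) {
            bytes = Arrays.copyOfRange(bytes, 1, bytes.length);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Builds a minimal JWKS document (RFC 7517 section 5) with one RSA key
    static String toJwks(RSAPublicKey publicKey, String kid) {
        return "{\"keys\":[{"
                + "\"kty\":\"RSA\","
                + "\"kid\":\"" + kid + "\","
                + "\"n\":\"" + base64UrlUInt(publicKey.getModulus()) + "\","
                + "\"e\":\"" + base64UrlUInt(publicKey.getPublicExponent()) + "\""
                + "}]}";
    }

    public static void main(String[] args) throws Exception {
        // Constructed key: generated in memory instead of loading it from wso2carbon.jks
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();
        RSAPublicKey publicKey = (RSAPublicKey) pair.getPublic();

        // The modulus comes back as 257 bytes from toByteArray() and 256 after the strip
        System.out.println("modulus bytes from toByteArray(): " + publicKey.getModulus().toByteArray().length);
        System.out.println("e = " + base64UrlUInt(publicKey.getPublicExponent()));
        System.out.println(toJwks(publicKey, "example-kid"));
    }
}
```

For the public exponent 65537 the unsigned octets are 01 00 01, which encodes to "AQAB", the value seen in most published JWKS documents; that is a quick sanity check that the encoding is right before moving on to the modulus.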

[1] https://tools.ietf.org/html/rfc7517#section-4

Thursday, July 28, 2016

Installing IBM JRE in Linux

The following document is the easiest guide that was available.

http://www.ibm.com/support/knowledgecenter/en/SSYKE2_7.1.0/com.ibm.java.lnx.71.doc/user/ia_install_attended.html


Basically, after downloading, you first need to make sure the rpm-build tool is installed. This can be checked with the following command.

rpm -q rpm-build

Next, run the sdk .bin file that you downloaded: ./package-name.bin

Running the above installs the IBM JRE on your machine. You can check it with java -version.


Wednesday, June 29, 2016

Adding LoadBalancer Endpoints in WSO2 Developer Studio 3.8.0

WSO2 Developer Studio can be used to create different Carbon-related projects, including ESB projects. https://docs.wso2.com/display/DVS380/Creating+ESB+Artifacts contains the basic information on how to add ESB artifacts. Among the different endpoints we can add, the load balancer (LB) endpoint is one option.

Most people are confused by the folder called 'complex-endpoints' that is created automatically when adding an LB endpoint in Developer Studio. You do not need to worry about it: this folder just holds some metadata for a scenario like the following.

Suppose you need an LB endpoint inside another LB endpoint, and a user wants to add two address endpoints to the inner LB endpoint. To open the inner LB diagram in the graphical editor we needed a physical file in the workspace, even though it is an anonymous endpoint. Hence the 'complex-endpoints' directory exists to store these automatically created physical files for anonymous endpoints such as LB and Failover. They are metadata and will not be listed in any Composite Application project's artifact list.

Another issue users often report is that although they have added an LB endpoint, it does not appear in the tool palette under 'Defined Endpoints'. This is probably because your ESB project's artifacts.xml does not have an entry for this endpoint. You can view this file through the file system.



Monday, June 20, 2016

Adding API name to JWT Token WSO2 API Manager 1.8.0

If we need to set additional claims in the JWT token, we need to implement a custom JWT token generator as explained in [1]. Assume you need to add the API name to the JWT token. You can do it as below in your custom JWT token generator.

public Map<String, String> populateCustomClaims(APIKeyValidationInfoDTO keyValidationInfoDTO, String apiContext,
                                                String version, String accessToken)
        throws APIManagementException {

    // Read the API name resolved during key validation and expose it as a custom claim
    String apiName = keyValidationInfoDTO.getApiName();
    Map<String, String> map = new HashMap<String, String>();
    map.put("API_NAME", apiName);

    return map;
}



This sets the API_NAME property with its value in the JWT token, like below.

{"iss":"wso2.org/products/am","exp":1466431406496,"http://wso2.org/claims/subscriber":"admin","http://wso2.org/claims/applicationid":"2","http://wso2.org/claims/applicationname":"app1","http://wso2.org/claims/applicationtier":"Unlimited","http://wso2.org/claims/apicontext":"/custom","http://wso2.org/claims/version":"1.0","http://wso2.org/claims/tier":"Bronze","http://wso2.org/claims/keytype":"PRODUCTION","http://wso2.org/claims/usertype":"APPLICATION","http://wso2.org/claims/enduser":"null","http://wso2.org/claims/enduserTenantId":"null","API_NAME":"CustomAPI"};

[1] https://docs.wso2.com/display/AM180/Passing+Enduser+Attributes+to+the+Backend+Using+JWT

Wednesday, June 15, 2016

Creating a synapse handler with WSO2 ESB 4.9.0

There are scenarios where you need to access the data of a request or response at different points. For example, you might want to perform some operation on the incoming request to the ESB, or access the payload sent from the back end to the ESB. The right solution for this in ESB 4.9.0 is to write a Synapse handler. [1] gives a very good explanation of how to implement and deploy one.


Following is a sample implementation of a Synapse handler. Suppose your client invokes an API artifact deployed in the ESB, through API Manager, and you need that client's IP address. Since the IP address belongs to the client request coming into the ESB, the method in which to read this property is 'handleRequestInFlow'. When you invoke an API artifact deployed in the ESB, the logs below will appear.

import org.apache.log4j.Logger;
import org.apache.synapse.AbstractSynapseHandler;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.osgi.service.component.ComponentContext;

public class TestHandler extends AbstractSynapseHandler {

    static Logger log = Logger.getLogger(TestHandler.class.getName());

    protected void activate(ComponentContext ctxt) {
        try {
            log.debug("API test Handler");
        } catch (Throwable e) {
            log.error("Failed to activate API basic test Handler", e);
        }
    }

    @Override
    public boolean handleRequestInFlow(MessageContext synCtx) {
        log.info("Request In Flow");

        // The transport-level properties, including the client address, live in the
        // underlying Axis2 message context rather than the Synapse one
        Axis2MessageContext axis2smc = (Axis2MessageContext) synCtx;
        org.apache.axis2.context.MessageContext axis2MessageCtx =
                axis2smc.getAxis2MessageContext();
        log.info("Client IP is " + axis2MessageCtx.getProperty("REMOTE_ADDR"));

        // Returning true lets the message continue through the mediation flow
        return true;
    }

    @Override
    public boolean handleRequestOutFlow(MessageContext synCtx) {
        log.info("Request Out Flow");
        return true;
    }

    @Override
    public boolean handleResponseInFlow(MessageContext synCtx) {
        log.info("Response In Flow");
        return true;
    }

    @Override
    public boolean handleResponseOutFlow(MessageContext synCtx) {
        log.info("Response Out Flow");
        return true;
    }
}

Tuesday, May 24, 2016

Fixing startup order resolver warnings in WSO2 C5



To really understand the concepts and basics of startup order, read https://medium.com/@sameera.jayasoma/resolving-startup-order-of-carbon-components-in-wso2-carbon-5-0-0-497fe3287e67#.3rlhypnrv first. During WSO2 Carbon 5 development, you might come across continuous warnings like the ones below when starting the server.

Problem

WARN {org.wso2.carbon.kernel.internal.startupresolver.StartupOrderResolver} - Startup component wso2-microservices-server from bundle(msf4j-core:1.1.0.SNAPSHOT) will be in the pending state until Capability org.wso2.msf4j.Microservice from bundle(org.wso2.carbon.bpmn.rest:5.0.0.SNAPSHOT) is available

WARN {org.wso2.carbon.kernel.internal.startupresolver.StartupOrderResolver} - Startup component wso2-microservices-server from bundle(msf4j-core:1.1.0.SNAPSHOT) will be in the pending state until Capability org.wso2.msf4j.Interceptor from bundle(org.wso2.carbon.bpmn.rest:5.0.0.SNAPSHOT) is available

In simple terms, this means the microservices server is waiting for a microservice (and an interceptor) from the bpmn.rest component.

Solution
If you have written a few microservices, you can declare them in your pom.xml like below. In this case, since we know the exact number of microservices we wrote, we can define the count directly.

<carbon.component>osgi.service;objectClass="org.wso2.msf4j.Microservice";serviceCount="10"
</carbon.component>


If you read the link provided above you will get an idea of how this works. Basically, we are declaring that this bundle will register 10 microservices (classes implementing org.wso2.msf4j.Microservice).
Adding this only resolves the first warning. In this use case I also have a class implementing the Interceptor interface, so I update the entry as below.

<carbon.component>osgi.service;objectClass="org.wso2.msf4j.Interceptor";serviceCount="1",
osgi.service;objectClass="org.wso2.msf4j.Microservice";serviceCount="10"
</carbon.component>

Monday, May 16, 2016

Lambda expressions: the easy way

With the introduction of Java 8, a key concept that came out was lambda expressions. It is a bit confusing at the start, but once you get the hang of it, it really simplifies the code. So here are a few key points that helped me understand lambda expressions.

1. Behavior Parameterization

Behavior parameterization is the idea behind lambda expressions: you can now pass a block of code as an argument to a method, just as you used to pass variables and objects.

2. Syntax of lambda

input parameters -> body of lambda (an expression or a block of code)

The important thing to note is that if the body of the lambda is an expression, it returns the value of that expression, so you do not need the keyword 'return'. However, if the body is a block of statements, you need the keyword 'return' as well as a ';' ending each statement.

for example,

(int a, int b) -> a + b

(int a, int b) -> {
    int c = a + b;
    return c * a;
};

3. Functional interfaces

A functional interface is an interface that specifies exactly one abstract method.
Lambdas are used in the context of functional interfaces: a lambda expression is treated as an instance of the functional interface it is assigned to, so the compiler can infer the input parameter types and you do not need to specify them.
For example, with the 'Predicate' functional interface provided by Java, whose single method returns a boolean, we could write:

Predicate<Person> p = (Person p1) -> p1.getAge() > 18; // body must evaluate to a boolean

We could also write it as:
Predicate<Person> p = (p1) -> p1.getAge() > 18;

There are a number of functional interfaces provided by Java, which you can check in [1]. If you need to write your own custom functional interface, you can mark it with @FunctionalInterface. This annotation is not mandatory, but with it the compiler reports an error if more than one abstract method is defined.
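The three points above come together in the following added example (my code, not from the original post): a method whose behaviour is parameterised by a Predicate, one lambda with an expression body and one with a block body, and a custom functional interface guarded by @FunctionalInterface. The Person class is constructed here, since the post does not define it.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;

public class LambdaBasics {

    // Constructed stand-in for the Person type used in the post
    static class Person {
        private final String name;
        private final int age;

        Person(String name, int age) {
            this.name = name;
            this.age = age;
        }

        String getName() { return name; }
        int getAge() { return age; }
    }

    // Custom functional interface: exactly one abstract method. The annotation is optional,
    // but with it a second abstract method becomes a compile error instead of a silent
    // change that breaks every lambda assigned to the interface.
    @FunctionalInterface
    interface PersonFormatter {
        String format(Person p);
    }

    // Behaviour parameterisation: the test applied to each person is passed in as code
    static List<Person> filter(List<Person> people, Predicate<Person> test) {
        List<Person> result = new ArrayList<>();
        for (Person p : people) {
            if (test.test(p)) {
                result.add(p);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        List<Person> people = Arrays.asList(
                new Person("Ann", 17), new Person("Bob", 34), new Person("Cy", 70));

        // Expression body: the boolean value of the expression is returned, no 'return' needed.
        // The parameter type is inferred from Predicate<Person>.
        Predicate<Person> adult = p -> p.getAge() >= 18;

        // Block body: braces, a ';' after each statement and an explicit 'return'
        Predicate<Person> senior = (Person p) -> {
            int threshold = 65;
            return p.getAge() >= threshold;
        };

        PersonFormatter formatter = p -> p.getName() + " (" + p.getAge() + ")";

        for (Person p : filter(people, adult)) {
            System.out.println("adult: " + formatter.format(p));
        }
        // Predicates compose: default methods negate()/or() build a new Predicate
        for (Person p : filter(people, adult.negate().or(senior))) {
            System.out.println("outside working age: " + formatter.format(p));
        }
    }
}
```

Note that the same filter method serves every selection rule; only the lambda passed to it changes, which is exactly what behaviour parameterisation means.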

[1] https://docs.oracle.com/javase/8/docs/api/java/util/function/package-summary.html





Monday, May 2, 2016

Latest version of Javascript - ECMAScript!

ES6, short for ECMAScript 6, is the latest standardized version of JavaScript. The following is a good introduction to what it contains.

 http://blog.teamtreehouse.com/get-started-ecmascript-6

From the look of it, JavaScript is becoming more object oriented, with concepts like classes and inheritance. Good move!

Wednesday, April 27, 2016

Handling query parameters in microservices

For a quick introduction on how to write a microservice you could follow https://docs.wso2.com/display/MSF4J100/Creating+a+Microservice+as+an+OSGi+Bundle.

In this post I focus on how to handle and access the query parameters of a request in MSF4J. For this you can use io.netty.handler.codec.http.QueryStringDecoder from Netty.

Suppose you have a method like the one below in your microservice. It is called for a request like .../serviceA/services?name=abc&id=123...
You need to extract those query parameter values in order to retrieve the relevant services.

@GET
@Path("/")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response getQueriedResponse(@Context HttpRequest request) {

    // Parse the query string of the request URI
    QueryStringDecoder decoder = new QueryStringDecoder(request.getUri());

    // Each parameter maps to a list of values; take the first one
    String id = decoder.parameters().get("id").get(0);
    String name = decoder.parameters().get("name").get(0);

    // ... rest of the code ...
}

As you can see, you pass the request's URI to Netty's QueryStringDecoder, and from there you can read the relevant query parameter values. In general you can access any query parameter value by passing its name:

String value = decoder.parameters().get(propertyName).get(0);
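One thing the one-liner above does not handle: parameters() returns a Map<String, List<String>>, and get(name) returns null when the parameter is absent, so a request such as .../services?name=abc (no id) makes the chained .get(0) throw a NullPointerException. The following added example (mine, not part of the original post) wraps the lookup in a helper that tolerates missing and repeated parameters; it assumes Netty is on the classpath and uses a constructed URI in place of request.getUri().

```java
import io.netty.handler.codec.http.QueryStringDecoder;
import java.util.List;
import java.util.Map;

public class QueryParamAccess {

    // First value of the named parameter, or the default when the parameter is absent
    // or present without a value. Avoids the NullPointerException that
    // decoder.parameters().get(name).get(0) throws for a missing name.
    static String firstParam(QueryStringDecoder decoder, String name, String defaultValue) {
        List<String> values = decoder.parameters().get(name);
        return (values == null || values.isEmpty()) ? defaultValue : values.get(0);
    }

    // Same lookup, but treats an absent parameter as a client error instead of a default
    static String requiredParam(QueryStringDecoder decoder, String name) {
        String value = firstParam(decoder, name, null);
        if (value == null) {
            throw new IllegalArgumentException("missing query parameter: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed request URI standing in for request.getUri() inside the MSF4J method;
        // 'tag' is repeated to show that values come back as a list in request order
        QueryStringDecoder decoder =
                new QueryStringDecoder("/serviceA/services?name=abc&id=123&tag=a&tag=b");

        System.out.println("id   = " + requiredParam(decoder, "id"));
        System.out.println("name = " + requiredParam(decoder, "name"));
        System.out.println("page = " + firstParam(decoder, "page", "1"));

        for (Map.Entry<String, List<String>> entry : decoder.parameters().entrySet()) {
            System.out.println(entry.getKey() + " -> " + entry.getValue());
        }

        try {
            requiredParam(decoder, "owner");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a resource method, requiredParam is the natural place to turn a missing parameter into a 400 response rather than letting the NullPointerException surface as a 500.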



Friday, March 18, 2016

Quick fix for common checkstyle issues

If you run the Checkstyle Maven plugin against your code, you will most probably be prompted with these two common issues. It can be really frustrating to go through each file and fix an issue such as the first one.

1. error: File contains tab characters
2. error: Wrong order for 'java.util.ArrayList' (or any other import you have used) import.

Quick fix for the first issue: in IntelliJ IDEA, select the respective code and go to Edit -> Convert Indents -> To Spaces.


For the second issue there is no exact quick fix that I could find. Basically, you need to arrange your imports in lexicographical order; for example, imports starting with 'java' must be listed before 'javax'. You need to group similar imports together and then sort the imports within each group. For the set of imports below, you first group them into a single group and then arrange them alphabetically, going from the first listing to the second.


Before:

import java.util.Set;
import java.util.HashSet;
import java.util.List;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.zip.ZipInputStream;

After:

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.zip.ZipInputStream;


Hope this saved your time!

Tuesday, February 23, 2016

Creating custom CRUD queries with Camunda

Camunda is a fork of Activiti and can be used as a BPMN runtime. While implementing different tasks with Camunda as the BPMN engine, I came across a situation where we needed to write custom CRUD queries against a custom table in the Camunda database. [1] is a good starting point: it explains the integration with the MyBatis framework and how we can start our own MyBatis session to execute our custom mappings.

[1] https://docs.camunda.org/manual/7.4/examples/tutorials/custom-queries/#custom-mybatis-queries
However, there is hardly any documentation on how to work with the other operations: inserts, updates and deletes. Also, for the insert operation you cannot pass the mapping id name. So the following is an example of how to perform all CRUD operations with Camunda and MyBatis.

For this example, suppose you have a mapping file with mappings like the ones below.
<resultMap type="org.model.CarEntity"
           id="selectMetaDataMap">
    <id property="id" column="ID_"/>
    <result property="name" column="NAME_"/>
    <result property="id" column="ID_"/>
    <result property="brand" column="BRAND_"/>
</resultMap>

<!-- Default execution as PREPARED statements -->
<select id="selectCar"
        parameterType="map"
        resultMap="selectMetaDataMap">
    select * from ${prefix}CAR TABLE WHERE ID_ = #{id} AND NAME_
    = #{name}
</select>
<select id="selectCars" resultMap="selectMetaDataMap">
    select * from ${prefix}CAR TABLE
</select>

<insert id="insertCar"
        parameterType="org.model.CarEntity">
    insert into ${prefix}CAR TABLE(ID_, NAME_, BRAND_)
    values (#{id}, #{name}, #{brand})
</insert>

<update id="updateCar"
        parameterType="org.model.CarEntity">
    update ${prefix}CAR TABLE
    <set>
        BRAND_ = #{brand}
    </set>
    where NAME_=#{name} and ID_ = #{id}
</update>

<delete id="deleteCar"
        parameterType="org.model.CarEntity">
    delete from ${prefix}CAR TABLE where NAME_= #{name} and ID_
    = #{id}
</delete>



Following are the sample calls you can make for each operation and mapping.

1. Select a single object with the query whose id is 'selectCar'.

commandContext.getDbEntityManager().selectOne("selectCar", id);

If your mapping's select statement has a where clause such as 'where ID_ = #{id} and NAME_ = #{name}', you can combine those values in a map and pass it to the method, like below.

Map<String, String> parameters = new HashMap<String, String>();
parameters.put("id", id);
parameters.put("name", name);

commandContext.getDbEntityManager().selectOne("selectCar", parameters);

2. Select a list of objects with the query whose id is 'selectCars'.

commandContext.getDbEntityManager().selectList("selectCars");

3. Insert a car entity object.

commandContext.getDbEntityManager().insert(car);

4. Update a car entity object.
commandContext.getDbEntityManager().update(CarEntity.class, "updateCar", car);

5. Delete a car entity object.
commandContext.getDbEntityManager().delete(CarEntity.class, "deleteCar", car);

What you need to remember is that, when it comes to matching the mapping id in the insert operation, there is a naming convention. When we call insert directly as in 3, a string is built by combining the prefix (the operation name, 'insert') with the name of the entity class (in this case CarEntity) and removing the last six characters ('Entity'). That is why we used 'insertCar' as the id of the insert mapping. For update and delete, however, you can use the overloads that accept a custom statement id, as in 4 and 5.

As for the entity class, you can create your own DTO class and implement the DbEntity interface like below.

import org.camunda.bpm.engine.impl.db.DbEntity;

public class CarEntity implements DbEntity {
    // DbEntity requires getId(), setId(String) and getPersistentState();
    // add the id, name and brand fields (with getters/setters) used by the mappings above
}
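The calls above all need a live CommandContext, which exists only while a Camunda Command is executing. The following added example (mine, not the project's or the post's own code) wraps each CRUD operation in a Command run through the engine's transaction-required command executor, so callers get a normal repository API and every statement runs inside the engine's transaction. It assumes Camunda 7.x on the classpath, the CarEntity class above with id/name/brand getters and setters, and the mapping file above registered with the engine's MyBatis configuration as the Camunda docs describe; the parameter map keys match the #{id} and #{name} placeholders in the mappings.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.interceptor.CommandExecutor;

// Repository over the custom CAR table; each method runs one Command so that
// getDbEntityManager() is backed by an open session and transaction.
public class CarRepository {

    private final CommandExecutor executor;

    public CarRepository(ProcessEngine engine) {
        ProcessEngineConfigurationImpl config =
                (ProcessEngineConfigurationImpl) engine.getProcessEngineConfiguration();
        this.executor = config.getCommandExecutorTxRequired();
    }

    // insert() derives the statement id from the class name:
    // "insert" + "CarEntity" minus the trailing "Entity" -> "insertCar"
    public void insert(CarEntity car) {
        executor.execute(ctx -> {
            ctx.getDbEntityManager().insert(car);
            return null;
        });
    }

    // selectCar needs both #{id} and #{name}, so they travel in a map keyed by placeholder name
    public CarEntity find(String id, String name) {
        Map<String, String> parameters = new HashMap<>();
        parameters.put("id", id);
        parameters.put("name", name);
        return executor.execute(ctx -> (CarEntity) ctx.getDbEntityManager().selectOne("selectCar", parameters));
    }

    @SuppressWarnings("unchecked")
    public List<CarEntity> findAll() {
        return executor.execute(ctx -> (List<CarEntity>) ctx.getDbEntityManager().selectList("selectCars"));
    }

    // update/delete take an explicit statement id, so no naming convention applies
    public void updateBrand(CarEntity car, String brand) {
        car.setBrand(brand);
        executor.execute(ctx -> {
            ctx.getDbEntityManager().update(CarEntity.class, "updateCar", car);
            return null;
        });
    }

    public void delete(CarEntity car) {
        executor.execute(ctx -> {
            ctx.getDbEntityManager().delete(CarEntity.class, "deleteCar", car);
            return null;
        });
    }
}
```

Command is a single-method interface, so a lambda is enough; on Java 7 each lambda becomes an anonymous Command implementation with the same body. Keeping the parameter map keys identical to the mapping placeholders is what makes the prepared statement bind correctly, which also keeps the id and name values out of the SQL text itself.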

Tuesday, February 9, 2016

Removing attached sources from Intellij Idea

When debugging code, you will come across instances where you need to attach external sources (jars/zips) in order to continue debugging with the external library's sources in place. However, unless you attach these sources through the Project Structure option, you will find it hard to remove such a source attachment or to attach a new source over it.

The solution is to remove the referenced resource from its current path. Since this source is not within the project, IDEA is only referring to a file located externally, so to remove the attached source you have to remove the original external source file from its location.


Friday, January 29, 2016

Fixing XSS vulnerabilities in your Jaggery based web applications

XSS attacks are a common security threat in web applications. For example, suppose your web application contains a URL like the one below.

http://host:port/app1/addEmployee/id=

If you have not checked for and fixed your XSS vulnerabilities, an attacker can get his own script executed through the above URL, for example with a malicious value like the following.

http://host:port/app1/addEmployee/id=<script>alert(1)</script>

If the value from the URL is written into the page without proper encoding, the script is executed against your application when the URL is accessed.

In a Jaggery based application, you can easily use the OWASP Java Encoder to do the encoding.

In your .jag file, first import the encoder like below.

 var Encode = Packages.org.owasp.encoder.Encode;

Next, use the Encode methods wherever untrusted data is written into the page. Taking the URL above, assume the value is passed to a button click handler like below. The encoded value must sit inside JavaScript string quotes, which the encoder does not add for you.

<button type="button" class="btn btn-default" onclick="addUser('<%=Encode.forJavaScript(id)%>')"><%=i18n.localize("submit", "Submit")%></button>

After encoding, the closing script tag is escaped as <\/script> so it can no longer terminate the script. Depending on the context you are writing into, you have to choose the relevant encoding method, such as forHtml, forUriComponent and so on. You can find all the related methods in [1].


[1] https://github.com/OWASP/owasp-java-encoder/blob/master/core/src/main/java/org/owasp/encoder/Encode.java