Blogbody Rotating Header Image

java

Security with Java Scripting (JRuby, Jython, Groovy, BeanShell, etc)

Feb 9th, 2009
by plightbo.
3 comments

I’m looking to run some un-verified scripts (written in a yet-to-be-determined language, but needs to be Java-based, so JRuby, Groovy, Jython, BeanShell, etc are all candidates). I want these scripts to be able to do some things and restricted from doing other things.

Normally, I’d just go use Java’s SecurityManager and be done with it. That’s pretty simple and lets me restrict file and network access, the ability to shutdown the JVM, etc. And that will work well for the high level stuff I want to block off.

But there is some stuff I want to allow, but only via my custom API/library that I’ve providing. For example, I don’t want to allow direct network access to open up a URLConnection to yahoo.com, but I am OK if it is done with MyURLConnection. That is – there is a set of methods/classes that I want to allow and then everything else I want to be off limits.

I don’t believe this type of security can be done with the standard Java security model, but perhaps it can. I don’t have a specific requirement for performance or flexibility in the scripting language itself (the scripts will be simple procedural calls to my API with basic looping/branching). So even a “large” overhead that checks a security check on every reflection call is fine by me.

Suggestions?

IDEA 8: Buggy as Hell

Jan 14th, 2009
by plightbo.
4 comments

Here is a running list of all the bugs I’ve come across with IntelliJ IDEA 8 so far. Some of these may actually be thoughtful changes from the behavior in version 7, but they are annoying so I’m calling them bugs :)

  • Can no longer autocomplete lowercase for enums. For example, typing “TimeUnit.sec” does not prompt for TimeUnit.SECONDS. This used to work in IDEA 7 and is inconsistent with autocomplete for methods (“getcon” prompts “getConnectionTimeout”).
  • Pasting a block of code no longer always asks asks me to auto-import the classes needed to make the code work. It does in some cases, but not in others.
  • I don’t remember searching by files (Command-Shift-N) showing me .java files unless there was no other match for my search. This annoys me, since now when I search for “foo” I expect to see foo.jsp to be selected first (it’s listed first), but FooActionBean.java is listed at the bottom but sometimes it is preselected, making me have to use the arrow keys.
  • Sometimes, especially on more complex pages, HTML auto tag closing (ie: “<ul>” causes “</ul>” to be inserted) doesn’t work for all tags. I’ve seen cases where it works for <li> but not for <ul> or <div>.
  • <title> tags don’t get indented in a <head> tag unless there is additional content in the head section. This may have been done on purpose, but I don’t like it. I end up having to correct the indentation myself or running the auto-format, which is always risky.
  • Pasting HTML/JSP snippets from one part of a JSP to another part causes the indentation to be completely lost (shifted all the way to the left). In the previous versions, IDEA was smart enough to paste in and match the correct indentation level for the context I just pasted in to.
  • When renaming/moving a class, any JSP tag that references it (ie: “<s:link beanclass=’foo.Bar’>…”) will get HTML escaped, completely breaking the behavior and introducing a bug in to my code. Worst yet: it won’t even tell me, which is totally breaks my trust of IDEA’s traditionally excellent refactoring tools.
  • Related to the above – when tying a fully qualified class name in a JSP tag, typing lower case letters (“foobar”) will prompt the class “FooBar”. This is good. But when I press enter on the selected class, the resulting text is all lower case “foobar” rather than the actual class name. This is bad!
  • UPDATE 1: When a class doesn’t exist and IDEA prompts you to create the class, it suggests a bad default module. It used to suggest the module that the current code was in (which logically makes sense), but now it’s suggesting a different module, which I didn’t catch at first. I’m loosing my trust with IDEA :(
  • UPDATE 2: When debugging, the “Run to Cursor” feature seems to never work. Hovering my mouse over it produces a very nice “null” tooltip.
  • UPDATE 3: Clicking on the left margin on a blank line produces an error claiming that “Method breakpoints may dramatically slow down debugging” – despite the fact that I didn’t add a method-level breakpoint.
  • UPDATE 4: Command-P does not show parameter information for Pattern.compile unless the cursor is placed immediately to the right of the opening parenthesis. It appears this is due to the internal support for syntax highlighting of regexes.
  • UPDATE 4: Related to the last one – normally IDEA is smart enough to know that when I type a double quote and I’m inside of a string, it will not add a new one and instead will replace the double quote character to the right of my cursor. This doesn’t work in regexes.
  • UPDATE 5: The debugger seems incredibly slow now. Perhaps it’s from one of those phantom “method breakpoints” it thinks I’ve turned on, but the Frames, Debugger, and Watches tabs are now really slow. So slow I can watch them render and evaluate – something that never happened in IDEA 7.
  • UPDATE 6: As we all know, pressing dot will prompt the list of methods and fields available to call. I use this all the time – so much so that I put the auto-complete time down from the default of 1000ms to 0ms. Unfortunately, a regression from 7 to 8 happened that breaks chained method calls using this feature. For example, typing “mapEntry.” will prompt me for “getValue()” and “getKey()”. If I navigate using the arrow keys to “getValue()” and then press “.” again, I expect to now see the method list for the instance in the Map.Entry value. Instead, “getValue().” is completed, but then I have to press control-space to get the next list. Lame!
  • UPDATE 7: Pasting in the code “Gson gson = new Gson();” prompts me to import the “Gson” on both the right hand side and the left hand side.
  • UPDATE 8: Despite having the SQL support plugin enabled on both my laptop and my desktop, only my laptop is doing any sort of SQL syntax support for *.sql files. Very odd.

There are a lot more and I’ll update this list as I find them. This was just the ones I wrote down while coding this morning. Got some of your own to share? Add them in the comments and I’ll roll ‘em in here to share with the JetBrains team.

Tip: Compact Logging in Java

Dec 29th, 2008
by plightbo.
9 comments

One of the little touches I added to Able, which came from code originally in BrowserMob, was a nice little JDK logging formatter. It is designed to work with modern IDEs (IntelliJ IDEA being my personal favorite) and their ability to understand shorthand notation for classes.

As I was building BrowserMob, I was getting irritated by long package and class names as well as the fact that my log messages weren’t lined up nicely. For example, I’d get:

INFO 12/29 19:26:28 org.directwebremoting.impl.StartupUtil - Starting: DwrGuiceServlet v3.0.0.109.dev
INFO 12/29 19:26:31 com.browsermob.stripes.WelcomeActionBean - Some log message
INFO 12/29 19:26:37 com.browsermob.stripes.WelcomeActionBean - Some log message

I tried a simple formatter that truncated the class name, but the result wasn’t very helpful, since the class name (usually the most important part) would get cut off when the package name was too long:

INFO 12/29 19:26:28 org.directwebremotin - Starting: DwrGuiceServlet v3.0.0.109.dev
INFO 12/29 19:26:31 com.browsermob.strip - Some log message
INFO 12/29 19:26:37 com.browsermob.strip - Some log message

That was when I realized that often the package name wasn’t that useful, especially since they were often very predictable and unique even in a compact state. For example, in the past developers I have worked with would often write “n.s.s.c.StripesFilter” as a short hand for “net.sourceforge.stripes.controller.StripesFilter”. So why not use this for logging too? The result was much easier on the eyes:

INFO 12/29 19:26:28 o.d.i.StartupUtil    - Starting: DwrGuiceServlet v3.0.0.109.dev
INFO 12/29 19:26:31 c.b.s.WelcomeAction~ - Some log message
INFO 12/29 19:26:37 c.b.s.WelcomeAction~ - Some log message

Basically, the packages would get cut down to the first letter of each sub-package. If the class name pushes the whole thing beyond 20 characters, then a tilde is added to indicate the name is longer than could fit.

The nice thing about this is that it works beautifully with modern IDEs. I can copy the text “c.b.s.WelcomeAction” and locate that string in IDEA and it’ll know what I mean:

200812291142.jpg

If you want to use this formatter, you can find the code here in the Able source repository. It could probably get some performance improvements, such as some simple memoization, so feel free to send any tweaks you make my way. Do you have any neat tricks you do with logging? If so, please share in the comments!

Merb to be Merged in to Rails

Dec 29th, 2008
by plightbo.
Comments are off for this post

Very smart move by both the Merb and Rails project leaders:

Big news in the world of Ruby web frameworks: Merb and Rails will be merged.

[From InfoQ: Merb Will Be Merged Into Rails 3.0 ]

I’ve been telling people for a while that Ruby has been following the Java path at an accelerated pace. Ruby was able to learn from many of the mistakes that Java made, but the overall path seemed very similar.

The split between Merb and Rails was no different than the split between Struts and XYZ Framework. The XYZ project leaders explained that they forked off from Merb because they wanted “more flexibility” or “more cowbell” or whatever. This sounded exactly like me circa 2003 when I was championing WebWork as a better alternative to Struts.

By 2005, some of us in the Java community got a clue and realized that joining forces may be better for the user.

Congratulations to the Ruby community for getting a clue faster than we did the Java community. But please don’t let it go to your head (*cough*DHH*cough*)… you have had the benefit of learning from previous pioneers. ;)

Tonight: Java and Beer AppFuse and Tapestry tech leads

Dec 29th, 2008
by plightbo.
Comments are off for this post

Reposting Matt’s blog entry:

If you live in Portland, Oregon – or just happen to be in town – you might want to join us for some beers and tech talk tomorrow (Monday) night. Patrick Lightbody, Howard Lewis Ship and Matt Raible will be meeting around 6:30PM at the Rogue Distillery & Public House. With 36 taps and the delicious beer from Rogue Ales, this is sure to be a fun night.

If you’re on Facebook, you can let us know you’re coming by RSVP’ing to the Event. Otherwise, please leave a comment or just show up.

There is also a Calagator entry here.

Tonight: Speaking Portland Java Users Group

Dec 16th, 2008
by plightbo.
1 comment

Tonight I will be speaking at the Portland Java User’s Group in downtown Portland:

Patrick will present his work on a new open source initiative named Able. Able is a combination of a library and quickstart template that aims to tightly integrate several modern Java frameworks: Hibernate (persistence), Stripes (web framework), Guice (core container), and DWR (AJAX). By taking advantage of libraries that embrace annotations and generics, Able simplifies Java web development and provides integration at several levels, including validation, transaction handling, and object lifecycle management.

If you want to do some reading in advance, here are some relevant links: