Jul 14 2010

Ask a Question at the JavaRanch Spring forum for a Chance to Win my Spring Security 3 Book!

Tag: book,contest,springsecuritypmularien @ 6:31 am

I apologize in advance for another post about the book, but for those who are interested, we’re sponsoring the JavaRanch book giveaway this week, in the JavaRanch Spring forum – simply post a new thread with a question about my book, Spring Security 3, and you will have a chance to win it! 🙂

The promotion is run by JavaRanch through the end of this week (July 16, 2010), so hurry if you’re interested! Visit the JavaRanch Spring forum to enter. It’s also a great chance to read questions others have had about the book, and ask your own questions before your purchase!

Please note that this promotion is sponsored by Packt Publishing and JavaRanch, and comments on this blog, although appreciated, will not enter you in the giveaway! Please review the JavaRanch giveaway rules for information on how to enter.

I promise that I’ll have a post which isn’t about the book next 🙂

Jul 10 2010

Free Spring Security 3 Book Excerpts / Articles / Sample Chapters

Tag: Uncategorizedpmularien @ 8:05 am

For those who were interested in the Spring Security 3 book that I recently published, Packt has excerpted a couple sections of the book as “articles” on their web site. They’re available for free, with no registration required:

Enjoy! As always, any feedback (positive or negative) is appreciated!

May 31 2010

Announcing: Spring Security 3: The Book

I write this announcement with a lot of excitement and a great sigh of relief. It was about a year ago when I was approached by Packt Publishing, who was interested in my introduction to Spring Security, and somehow got the idea that I could write. 🙂 They recognized that there was no published book focusing on Spring Security (as I have often noted myself), and wondered if I would be interested in writing a book on the subject. For me, the idea really clicked, and I jumped on the opportunity to write a book about a subject that I had already had some significant exposure to, and a desire to explore further.

Fast-forward one year, and the final 400+ page book is now available on Amazon or from other online sources, as both a printed book and eBook (eBook available from Packt). I’ve put together a web site with more information about the book at www.springsecuritybook.com – there, you’ll find a rough idea of what the book covers, what it is (and isn’t), and where you can buy it or get more information.

This has been an enormously interesting research project for me, and the culmination of hundreds (probably thousands) of hours of night and weekend work, completed in addition to a demanding full-time job and family.

In a quick list of bullet points, we cover:

  • Overall Spring Security architecture, at both a high and low level
  • Implementation of all major Spring Security features, including:
    • JDBC-backed authentication
    • Method security with annotations and pointcuts
    • Session fixation protection
    • Concurrent session control
    • Password hashing
    • Access control lists (ACLs)
  • Integration of Spring Security with external authentication providers, including:
    • OpenID
    • LDAP
    • CAS
    • Client certificates (X.509)
    • Kerberos
    • Microsoft Active Directory
  • Full configuration of Spring Security using explicit Spring Bean declarations
  • Many custom coding samples, including custom servlet filters, custom AuthenticationProviders, exception handlers, and much more.

All of these topics are covered both at a high level (how and why do they work), and a low level (how to configure, how to code, how to implement). It’s a great mix of theory and practice that I hope will be very effective for readers looking to implement Spring Security, or those who are already using it, but might not understand how it works.

I’m very excited to see the book in print, and believe it will have a big impact on the ability of users new to Spring Security to approach the framework with a better understanding of how it works. Additionally, for those users who will be doing sophisticated integrations or customizations based on the framework, there’s enough undocumented material and nuts-and-bolts discussions in the book to make it interesting for you as well.

Since most of my readers are techies, I hope to post interesting quantiative bits that I’ve been tracking along the way as I’ve coded, researched, diagrammed, revised, and all out slogged my way through gobs of code. More to come on this topic!

Please contact me if you have questions, comments, suggestions, or just congratulations 🙂

Book Info

Title: Spring Security 3

Publisher: Packt Publishing

Publication Date: May 29, 2010

Web Sites:

Pages: 420

ISBN: 978-1847199744

May 16 2010

[Quick Tip] Debugger Shortcut Key Reference

Tag: eclipse,firebug,intellij,java,netbeanspmularien @ 8:39 am

Debugger Shortcut Keys

Tool Run Continue Step Over Step Into Step Out Suspend Debug
Eclipse Ctrl+F11 F8 F6 F5 F7 N/A F11
Firebug       F11 F10    
Netbeans   F5 F8 F7 Ctrl+F7    
IntelliJ Shift-F10 F9 F8 F7 Shift+F8   Shift+F9
Visual Studio Ctrl+F5 F5 F10 F11 Shift+F11 Ctrl+Alt+Break F5

I finally had to write this down because I use different IDEs fairly often (for work and personal projects), and the fact that most common run/debug key equivalents differ in every IDE really annoyed me!

Dec 01 2009

[Tutorial] URL Shortening in Java using bit.ly

Tag: bitly,java,tinyurl,tutorial,twitterpmularien @ 12:19 am

A while ago, I had written up a tutorial on accessing the TinyURL API from Java. I was recently playing with the bit.ly API and decided to write up a quick tutorial on generating bit.ly URLs from Java.

Why bit.ly?

Since Twitter switched from TinyURL to bit.ly, I decided I’d take a look at it. Personally, I love the stats tracking features of bit.ly, and the ability to store history, and parse the results of the API call in XML or JSON (I use XML in this tutorial).

What you Need

First, you’ll need a bit.ly account in order to be assigned an API key. Your API key will show up under the “API Key” heading in your bit.ly account page.

You’ll also need the Apache Commons HTTP (3.x) library and a recent version of Java.

Calling bit.ly’s REST API

bit.ly’s API is slightly more complex than TinyURL’s, but only very slightly so. Here’s an example of calling the API:

		HttpClient httpclient = new HttpClient();
		HttpMethod method = new GetMethod("http://api.bit.ly/shorten");
				new NameValuePair[]{
						new NameValuePair("longUrl","http://www.amazon.com/),
						new NameValuePair("version","2.0.1"),
						new NameValuePair("login","mybitlylogin"),
						new NameValuePair("apiKey","R_abcdefmyguid"),
						new NameValuePair("format","xml"),
						new NameValuePair("history","1")
		String responseXml = method.getResponseBodyAsString();

Obviously, you would substitute “login” with your bit.ly login name, and “apiKey” with your API key. This will result in the “longUrl” you pass being returned in an XML structure that looks like the following:


Processing the Returned XML

To do a “dumb” processing of the returned XML, we can simply do something like the following (depending on what XML APIs you have available, you can get much more sophisticated 🙂 ):

		String retVal = null;
		if(responseXml != null) {
			// parse the XML
			DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
			DocumentBuilder db = dbf.newDocumentBuilder();
			StringReader st = new StringReader(responseXml);
			Document d = db.parse(new InputSource(st));
			NodeList nl = d.getElementsByTagName("shortUrl");
			if(nl != null) {
				Node n = nl.item(0);
				retVal = n.getTextContent();
		return retVal;

It appears there is also a very early stage project at Google Code called “bitlyj”, which seems to offer a very straightforward API. I’ll try to post a tutorial for this soon, in the meantime, feel free to check it out here: bitlyj at Google Code. As always, feedback is appreciated!

Aug 13 2009

[Tutorial] Amazon SOAP Product Advertising API from Java – Including Signing of Requests with WS-Security

Tag: amazon,axis,development,java,opensource,tutorial,webservicespmularien @ 11:10 pm

Amazon has made a lot of affiliates unhappy with their updates to the Product Advertising API (ex-Affiliate API). I first covered invoking this API a couple years ago – my, have things changed since then.

On August 15, 2009, Amazon will be requiring all affiliates using the Product Advertising API to digitally sign their API requests. Previously, calls to the web service required only the AWS Access Key ID. Now, affiliates are required to sign the requests with a private key (and supply the AWS Access Key ID!) in order for the request to be accepted.

Unfortunately, many affiliates feel that Amazon has really botched this transition. Very little documentation is available on how to sign requests, and the majority of the responses in the affiliate community forum are unanswered by Amazon staff. Additional bad news for Java users is that Amazon has apparently dropped their Java library (Amazon A2S), which used to nicely abstract the ugliness of making requests to the web service.

In this tutorial, we’ll implement an Amazon Product Advertising API client using Apache Axis2 1.5, invoking the API’s SOAP methods. We’ll sign the requests using a PKCS 12 (.p12) file. Get some popcorn – this is a very long and involved process 🙁 Continue reading “[Tutorial] Amazon SOAP Product Advertising API from Java – Including Signing of Requests with WS-Security”

Jun 23 2009

[Quick Tip] Printing out all matches in an Ant fileset

Tag: ant,java,quicktippmularien @ 10:17 pm

This is one of those things that’s so handy, I can’t believe it hasn’t been posted before. I found a 2006 post from JavaLobby, where R.J. Lorimer writes about how to print out a classpath.

Also useful, but the particular use case I ran into was – one of our build scripts uses a fileset to select incrementally more complex test suites to run. Developers can do a quick check locally with the “short tests” – however, since these are specified as a fileset, it’s hard to know exactly what will run. I wanted to create a simple ant task to take the fileset, and print out everything that matched.
Continue reading “[Quick Tip] Printing out all matches in an Ant fileset”

Jun 01 2009

5 Common Log4J Mistakes

Tag: development,java,learning,log4j,opensourcepmularien @ 10:22 pm

I’ve seen these antipatterns over and over again, and I thought it was time to write about them to help any folks who are new to Log4J out there. Senior developers – please share this with your junior peers and save yourself the pain of refactoring later! I’m interested in common mistakes or points of confusion that you’ve seen as well.

Read on to get a quick tutorial, or reference to point your developers at…

Continue reading “5 Common Log4J Mistakes”

May 21 2009

Flash Player Settings Manager

Tag: flash,security,webpmularien @ 8:00 pm

For those who don’t already have this bookmarked, you can use the Flash Player settings manager movie on the Adobe Support Web site to adjust the following:

  • Website privacy and storage settings (did you know that Flash keeps a list of all sites you’ve visited with Flash movies?)
  • Global security settings (setting trusted locations, etc.)

Also, remember there’s a separate global security settings panel for content creators (i.e. running Flash in debug mode). Personally, it seems kind of odd that Flash itself doesn’t have this functionality within the player, but it is what it is.

Basically, I’m just writing this so I don’t forget where it is next time I’m doing Flash development.

Mar 24 2009

SourceForge-hosted PDFCreator Trojan/Toolbar Warning

Tag: opensource,opinion,randompmularien @ 11:46 pm

I decided to post this as a public safety announcement, since I (surprisingly) didn’t see this blogged elsewhere. I have, for many years now, used the free/open source PDFCreator software for simple PDF generation and testing.

I recently updated to the most recent version (0.9.7) of the software (now hosted at pdfforge.org), and have made an interesting discovery.

The software is bundled with a browser toolbar component that has behavior which I would consider malware or trojan-like behavior. The notable difference is that it redirects certain types of browser traffic to www.searchsettings.com, which is a linkbait/parking-type site.

In Firefox, I noticed an extension called “Search Settings 1.2” which, once removed, killed this behavior. After more research, I saw that IE had 2 Add-Ins installed (these were also removed). I did some more digging, and that’s when things got interesting.

There is a SourceForge Bug 2607106 “Remove trojan from download!” filed against this project. There’s the report at SiteAdvisor on pdfforge.org hosting this malware. There’s the post from an angry user on the pdfforge.org message boards.

To clarify, there are other “free” PDF creation projects that are questionable at best. However, I always took PDFCreator (sf.net) as a legitimate open source project.

The PDFCreator Toolbar is apparently implemented using “mybrowserbar”. As per their terms of service, they indicate:

f) modify your Microsoft Internet Explorer and/or Mozilla Firefox browser settings for the default search engine, address bar search, “DNS error” page, “404 error” page, and new tab page to facilitate more informative responses as determined by The Toolbar;

mybrowserbar.com “Company Information” redirects to www.spigot.com, which claims to be “Coming in March 2009”. spigot.com is a proxied domain, so there’s no further information available.

I downloaded and investigated the source tarball for the PDFCreator project, and the source of the browser toolbar installer is nowhere to be found (indeed, the .exe included with the installer isn’t present). There’s a response from Philip, one of the developers, in the pdfforge.org forum which sheds a little light on the browser toolbar. I completely empathize with his desire to make some money from his open source work; however, I’d disagree that this is an appropriate approach, and at the very least, the toolbar install option should be more up-front about it.

It’s unfortunate to see a long-time, responsible open source project act this way, and I do hope it’s an honest mistake. I wanted to give people the heads-up who may not be aware of this.

Next Page »