
Posts

Connection to Amazon Neptune endpoint from EKS during development

This short article describes how to connect to an Amazon Neptune database endpoint from your PC during development. Amazon Neptune is a fully managed graph database service from Amazon. For security reasons Neptune does not accept direct connections from outside its network: you cannot attach a public IP address or a load balancer to the service. Access is restricted to the VPC where Neptune is set up, so applications have to be deployed in the same VPC to reach the database. That is a good design for production, but it makes it hard to develop, debug and test applications locally. The instructions below show how to create a tunnel to the Neptune endpoint, assuming you use Amazon EKS, Amazon's managed Kubernetes service. As a side note, if you don't use EKS, the same tunnelling idea can be implemented with a bastion host. In Kubernetes we'll create a dedicated proxying pod. Prerequisites. Setting up a tunnel. ...
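The proxying pod described above, as an added example that is not code from the original post: a throw-away socat pod inside the EKS cluster relays TCP to the Neptune endpoint, and `kubectl port-forward` brings that port to the developer's PC. The endpoint name, namespace, pod name and the `alpine/socat` image tag are assumptions for the example; 8182 is Neptune's default port, and a working `kubectl` context for the cluster is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: a throw-away socat pod in
# EKS relays TCP to the Neptune endpoint, and kubectl port-forward brings it to
# the developer's PC. The endpoint name, namespace, image tag and pod name are
# assumptions for the example; 8182 is Neptune's default port.
set -eu

NEPTUNE_HOST="${NEPTUNE_HOST:-mydb.cluster-abc123.eu-west-1.neptune.amazonaws.com}"
NEPTUNE_PORT="${NEPTUNE_PORT:-8182}"
NAMESPACE="${NAMESPACE:-dev}"
POD_NAME="${POD_NAME:-neptune-proxy}"
LOCAL_PORT="${LOCAL_PORT:-8182}"
SOCAT_IMAGE="${SOCAT_IMAGE:-alpine/socat:1.7.4.4}"

# Render the pod manifest. socat accepts connections inside the pod and opens
# one relay per connection to Neptune; nothing else runs in the pod, it gets
# no service-account token, runs unprivileged and drops all capabilities.
neptune_proxy_manifest() {
  host="$1"; port="$2"; name="$3"; ns="$4"; image="$5"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
  namespace: ${ns}
  labels:
    app: neptune-proxy
spec:
  restartPolicy: Never
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
  containers:
  - name: socat
    image: ${image}
    args: ["TCP-LISTEN:${port},fork,reuseaddr", "TCP:${host}:${port}"]
    ports:
    - containerPort: ${port}
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
EOF
}

# Create the pod, wait until it is ready, forward a local port to it and
# delete the pod again when the tunnel is closed (Ctrl-C ends port-forward,
# the EXIT trap then removes the pod).
open_tunnel() {
  neptune_proxy_manifest "$NEPTUNE_HOST" "$NEPTUNE_PORT" "$POD_NAME" "$NAMESPACE" "$SOCAT_IMAGE" \
    | kubectl apply -f -
  kubectl -n "$NAMESPACE" wait --for=condition=Ready "pod/${POD_NAME}" --timeout=90s
  trap 'kubectl -n "$NAMESPACE" delete pod "$POD_NAME" --ignore-not-found' EXIT
  kubectl -n "$NAMESPACE" port-forward "pod/${POD_NAME}" "${LOCAL_PORT}:${NEPTUNE_PORT}"
}

# Open the tunnel only when asked to (OPEN_TUNNEL=1), so the file can also be
# sourced for its functions.
if [ "${OPEN_TUNNEL:-0}" = 1 ]; then
  open_tunnel
fi
```

Two things to keep in mind when using a tunnel like this: socat relays raw TCP, so TLS still terminates at Neptune, and the client should connect using the real endpoint name (for example via a hosts-file entry pointing it at 127.0.0.1) rather than `localhost`, otherwise hostname verification fails and IAM SigV4 signing, which covers the Host header, does not match. And the pod is a path into the database for anyone who can `exec` into or port-forward to it, so keep it in a namespace with tight RBAC and delete it when you are done.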

How to import an untrusted website certificate to the Java keystore

Java's default truststore is the keystore file named cacerts. It should already contain the trusted root CA certificates that are used to sign intermediate and leaf certificates. Leaf certificates are the end-entity certificates that secure websites with HTTPS. However, sometimes a root CA certificate is missing from the Java keystore, or a website uses a self-signed certificate, which results in the following exception when you access the website from Java code: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target For me it happened with a certificate issued by COMODO. In this case the easiest solution is to add the website certificate to the Java keystore (importing the missing CA certificate rather than the leaf certificate is more robust, since the leaf certificate changes every time the site renews it). In short, it requires exporting the certificate from the website, importing it into the keystore and restarting your Java application. Please b...

PFX keystore notes

This is a short note with useful commands for PFX keystores. Import to AWS Certificate Manager When you need to import a PFX certificate into AWS Certificate Manager, you will have to export the unencrypted private key and the certificate chain first. Export the unencrypted private key from the PFX: openssl pkcs12 -in domain_certificate.pfx -nocerts -nodes -out private_key.pem Export the certificate chain from the PFX: openssl pkcs12 -in domain_certificate.pfx -nokeys -out certificate.pem Note that -nodes writes the private key unencrypted, so restrict the file's permissions and delete it once the import is done. When you have the PEM files, you can go to the AWS Certificate Manager, click the "Import a Certificate" button and enter the following: Certificate body* - paste the first certificate from certificate.pem, ending with the line "-----END CERTIFICATE-----" Certificate private key* - paste the contents of private_key.pem Certificate chain - paste the complete contents of certificate.pem

SSL certificates guide

In this article I'm going to explain how to create keys, SSL certificates and key stores. This can be required to migrate your website to HTTPS, to enable single sign-on authentication, or in other cases. The key pair behind an SSL certificate can be used for digital signing/verification and for encryption/decryption. For digital signatures, the sender signs the message with the private key, and the receiver verifies the signature with the public key from the sender's certificate. For encryption, the sender encrypts the message with the public key from the receiver's certificate, and the receiver decrypts it with the private key. Generating keys. Generating certificates. Working with keystores. Generating keys The first step is generating a private/public key pair. This can be done in different ways. We'll use the openssl utility, as it will be used for certificates later as well. The important point is the key length: a longer key is harder to break, and for RSA 2048 bits is the current minimum. ...
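The steps of this guide and of the PFX note above, carried through end to end as an added example (not code from either post): generate a key pair and a self-signed certificate with openssl, bundle them into a PFX, export the pieces the way AWS Certificate Manager wants them, and check that the exported key actually belongs to the certificate. The file names, the CN `www.example.com` and the PFX password are made up for the example; `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original posts: generate a key pair and a
# self-signed certificate with openssl, bundle them into a PFX, export the
# pieces the way the PFX note does for AWS Certificate Manager, and check
# that the exported key really belongs to the certificate. File names, the CN
# and the PFX password are made up for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-example-pfx-password}"

# Key pair: 2048-bit RSA is the minimum today; the subshell's umask keeps the
# key file readable by its owner only.
gen_key() {
  ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# Self-signed certificate for a given CN. For a CA-issued certificate you would
# instead create a CSR (openssl req -new -key key.pem -out domain.csr).
gen_selfsigned() {
  openssl req -x509 -new -key "$1" -sha256 -days 365 -subj "/CN=$3" -out "$2" 2>/dev/null
}

# PKCS#12 (PFX) bundle of key plus certificate, password-protected.
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -passout "pass:$4" -out "$3"
}

# The two exports from the PFX note: -nodes writes the key unencrypted, so it
# gets a 0600 file and should be removed after the ACM import.
export_for_acm() {
  ( umask 077; openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" )
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$4"
}

# openssl prints "Bag Attributes" in front of each certificate; ACM's
# "Certificate body" field wants only the first PEM block.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# The check: the public key derived from the private key must equal the one
# embedded in the certificate, otherwise ACM (or any server) rejects the pair.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Whole round trip; returns non-zero if any step or the final check fails.
demo() {
  gen_key "$WORK/key.pem"
  gen_selfsigned "$WORK/key.pem" "$WORK/cert.pem" "www.example.com"
  make_pfx "$WORK/key.pem" "$WORK/cert.pem" "$WORK/domain_certificate.pfx" "$PFX_PASS"
  export_for_acm "$WORK/domain_certificate.pfx" "$PFX_PASS" "$WORK/private_key.pem" "$WORK/certificate.pem"
  first_cert "$WORK/certificate.pem" > "$WORK/certificate_body.pem"
  key_matches_cert "$WORK/private_key.pem" "$WORK/certificate_body.pem"
}

# Run the round trip only when asked to (RUN_DEMO=1), so the file can be sourced.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  demo && echo "key and certificate match, files are in $WORK"
fi
```

`key_matches_cert` is the check worth keeping around: comparing the SubjectPublicKeyInfo from the key with the one in the certificate catches the classic mistake of pairing a renewed certificate with an old key before you paste anything into the ACM form.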

Elasticsearch CORS with basic authentication setup

This is a short "recipe" article explaining how to configure a remote Elasticsearch instance to support CORS requests and basic authentication using Apache HTTP Server 2.4. Proxy To start with, we need to configure Apache to proxy requests to the Elasticsearch instance. By default, Elasticsearch runs on port 9200: ProxyPass /elastic http://localhost:9200/ ProxyPassReverse /elastic http://localhost:9200/ Basic authentication Enabling basic authentication is easy. By default, Apache checks user credentials against a local password file, which you can create with the following command: /path/to/htpasswd -c /usr/local/apache/password/.htpasswd_elasticsearch elasticsearchuser Then you'll need the following directives to allow only authenticated users to access your content: AuthType Basic AuthName "Elastic Server" AuthUserFile /usr/local/apache/password/.htpasswd_elasticsearch Require valid-user For more complex setups such as LDAP-based...

Basic auth with Apache and Tomcat

This is a short "recipe" article explaining how to configure basic authentication for the following setup: Apache Tomcat with an application that needs to be partially password-protected; Apache HTTP Server 2.4 as a proxy; a CentOS 7 Linux server. Although basic authentication can be configured within Tomcat itself, my aim is to use Apache for that purpose. In addition, as passing unencrypted credentials over the web is insecure (Basic auth only base64-encodes them), I'm going to install SSL certificates to enable HTTPS for that part of the application. This setup can be used when a part of an internal application needs to be exposed publicly through a separate firewall/proxy (out of scope of this article): that part will be password-protected and SSL-encrypted. Steps Copy the certificates into /etc/ssl/certs/ivanlagunov.com Create a symlink: cd /etc/httpd sudo ln -s /etc/ssl/certs/ivanlagunov.com Install Apache mod_ssl: sudo yum -y install mod_ssl Create a file with user credentials for basi...
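The Apache side of the two recipes above (the Elasticsearch CORS proxy and the Basic-auth setup), as an added example that is not code from either post: a script that produces the password file entry and an Apache 2.4 fragment which proxies /elastic to Elasticsearch, protects it with Basic auth and still lets a browser on another origin make credentialed CORS requests. The origin `https://app.example.com`, the user name, the password and the output paths are made up for the example; the fragment assumes mod_proxy, mod_proxy_http, mod_headers, mod_rewrite, mod_auth_basic and mod_authn_file are loaded.

```shell
#!/bin/sh
# Added example, not code from the original posts: generate the password file
# entry and an Apache 2.4 fragment that proxies /elastic to Elasticsearch,
# protects it with Basic auth and still lets a browser on another origin make
# credentialed CORS requests. Origin, user, password and paths are made up.
set -eu

# An htpasswd entry without the htpasswd binary: openssl's -apr1 is the
# Apache MD5 format that mod_authn_file understands. The password is fed on
# stdin so it does not show up in the process list. (When htpasswd is
# installed, `htpasswd -B` gives a bcrypt hash, which is stronger.)
htpasswd_entry() {
  printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# Verify a password against an entry by recomputing the hash with its salt
# ($apr1$<salt>$<hash>), which is what Apache does on every request.
htpasswd_check() {
  hash="${1#*:}"
  salt=$(printf '%s' "$hash" | cut -d '$' -f 3)
  calc=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
  [ "$calc" = "$hash" ]
}

# Apache 2.4 fragment. Three things that are easy to get wrong:
#  * "Header always" also adds the CORS headers to 401/403/204 responses;
#    plain "Header set" only touches successful responses;
#  * a request that carries Basic credentials is a credentialed CORS request,
#    so the allowed origin must be explicit (never "*") and
#    Access-Control-Allow-Credentials must be true;
#  * the browser's OPTIONS preflight is sent without the Authorization header,
#    so it has to bypass the auth check (LimitExcept) and is answered with an
#    empty 204 before it would be proxied to Elasticsearch.
elastic_proxy_conf() {
  origin="$1"; passfile="$2"
  cat <<EOF
ProxyPass        /elastic http://localhost:9200/
ProxyPassReverse /elastic http://localhost:9200/

<Location /elastic>
    Header always set Access-Control-Allow-Origin "${origin}"
    Header always set Access-Control-Allow-Credentials "true"
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header always set Access-Control-Allow-Headers "Authorization, Content-Type"
    Header always set Vary "Origin"

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =OPTIONS
    RewriteRule ^ - [R=204,L]

    AuthType Basic
    AuthName "Elastic Server"
    AuthUserFile ${passfile}
    <LimitExcept OPTIONS>
        Require valid-user
    </LimitExcept>
</Location>
EOF
}

# Write the password file (owner-only permissions) and the config fragment.
write_config() {
  dir="$1"
  ( umask 077; htpasswd_entry elasticsearchuser "$2" > "$dir/.htpasswd_elasticsearch" )
  elastic_proxy_conf "$3" "$dir/.htpasswd_elasticsearch" > "$dir/elastic.conf"
}

# Only write files when asked to (WRITE_CONFIG=1), so the file can be sourced.
if [ "${WRITE_CONFIG:-0}" = 1 ]; then
  write_config "${OUT_DIR:-.}" "${ES_PASSWORD:-change-me}" "${ALLOWED_ORIGIN:-https://app.example.com}"
fi
```

Include the generated fragment only in the HTTPS virtual host from the mod_ssl setup of the second recipe: Basic credentials travel as base64, so the port-80 vhost should redirect to HTTPS rather than serve /elastic. Note also that `Require valid-user` applies to every method except OPTIONS, so the preflight never reaches Elasticsearch and nothing unauthenticated does either.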

Using Oracle impdp utility to reload database

Here I'll show an example of using the Oracle Data Pump Import (impdp) utility, which imports Oracle data dumps. Specifically, below is the list of steps I used on an existing Oracle schema to reload the data from a dump. Steps to reload the data from an Oracle dump We start by logging into SQL*Plus as sysdba to be able to manage users (a password given on the command line is visible to other users in the process list; leave it out and sqlplus prompts for it instead). sqlplus sys/password@test as sysdba Dropping the existing user. The CASCADE clause ensures that all schema objects are removed before the user. SQL> DROP USER test CASCADE; Creating a fresh user automatically creates an empty schema with the same name. SQL> CREATE USER test IDENTIFIED BY "testpassword"; Granting the DBA role to the user to load the dump later. Actually, this is overkill: loading the dump can be permitted with the more granular IMP_FULL_DATABASE role. SQL> GRANT DBA TO test; Registering the directory where the dump is located. SQL> CREATE DIRECTORY dump_dir AS '/home/test/dumpd...

Publishing to Maven Central Repository

Here you'll find a short overview of the actions required to publish your artifacts to the Maven Central Repository. The best way to publish is through Open Source Software Repository Hosting (OSSRH), which runs the Sonatype Nexus platform. We'll follow the official guide with some remarks. Get permission for deployment. Deployment of artifacts. Release procedure. Get permission for deployment First you need to get permission to deploy under a certain Maven groupId. This is done by signing up and creating a ticket in Sonatype JIRA. If the groupId already exists, either the initial requester should apply for a new user account for you, or you should demonstrate approval from the project owners. As a result, you'll get an account in OSSRH. For example, this is how I requested permission for the com.github.dita-ot groupId. Deployment of artifacts Deployment is the first phase of publishing artifacts. Here you need to create and s...

Java 8 Lambdas applied to QuickSort algorithm

In this article I'm going to review Java 8 lambda use cases after watching the Lambdas have come to Java! screencast from Typesafe. As a nice example, I've decided to count comparisons in the Quicksort algorithm. Basic algorithm. Inline lambdas. Method references. Basic algorithm Here is a basic implementation where we count comparisons in the Quicksort algorithm: public class QuickSort { public static long countComparisons(List<Integer> a) { if (a.size() <= 1) return 0; int p = getPivot(a); int i = 1; for (int j = 1; j < a.size(); j++) { if (a.get(j) < p) { if (j > i) swapInList(a, i, j); i++; } } swapInList(a, 0, i - 1); return countComparisons(a.subList(0, i - 1)) + countComparisons(a.subList(i, a.size())) + a.size() - 1; } private static Integer getPivot(List<Integer> a) { return...

Cocoon authentication

This article guides you through the steps of using the Authentication Framework in a Cocoon 2.2 application. Maven dependencies. Spring configuration. Sitemap. Login page and controls. Maven dependencies You need the following dependency in your pom.xml : <dependency> <groupId>org.apache.cocoon</groupId> <artifactId>cocoon-auth-impl</artifactId> <version>1.0.0</version> </dependency> Spring configuration The Authentication Framework has a flexible configuration based on the concepts of applications and security handlers . Several applications can be defined and running at the same time; they are simply independent security zones of your web application. The security details of an application are specified by a security handler. Several implementations are provided and you're free to implement your own. Here is a SimpleSecurityHandler that takes hard-coded credentials: <?xml versio...

Notes on upgrade to JSF 2.1, Servlet 3.0, Spring 4.0, RichFaces 4.3

This article is devoted to the upgrade of a typical JSF/Spring application. Time flies and the Java EE 7 platform is already out and widely used. It's sometimes said that the Spring framework became legacy with the appearance of Java EE 6, but that is out of scope of this post. Here I'm going to provide notes on the minimal changes I found necessary to upgrade the application from JSF 1.2 to 2.1, JSTL 1.1.2 to 1.2, Servlet 2.4 to 3.0, Spring 3.1.3 to 4.0.5 and RichFaces 3.3.3 to 4.3.7. It must be mentioned that the latest final RichFaces release, 4.3.7, depends on JSF 2.1, JSTL 1.2 and Servlet 3.0.1, which dictated those versions. This post should not be considered comprehensive; it rather shows how I did the upgrade. See the links for more details. Jetty & Tomcat. JSTL. JSF & Facelets. Servlet. Spring framework. RichFaces. Jetty & Tomcat First, I upgraded the application to run with the latest servlet container versio...

Local YUI combo loader

Quite a while ago I had users complaining they could not use my application from another secure network zone. It turned out the root cause was the use of Yahoo's CDN for serving YUI resources, while there was no internet access from that network zone. Also, living behind a proxy, our regular users suffered from longer delays from time to time due to proxying. The obvious solution was to serve YUI locally. For this a combo loader is required if you care about efficiency in production. Installation To start with, there are several alternative open-source tools that can be used for combo loading: Official PHP loader by Yahoo – is obsolete and is said not to work with any version over 3.3.0. CGI script combo – I cannot say much about it besides that it's 3 years old. Node.js combo handler – is kept updated and is the one that I decided to use. The Node.js combo handler comes with a rather self-contained README file on GitHub. Nevertheless, I...

Using XML Catalogs in Cocoon

In this article I'm going to show a common use case for XML Catalogs . Using them is not only recommended to avoid certain issues, it can also drastically improve performance. I'll start by explaining the issue I faced recently and conclude with the resolution. Issue To start with, I got the following exception: java.io.IOException: Server returned HTTP response code: 429 for URL: http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd HTTP code 429 stands for "Too Many Requests", which appears when: The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes Just to provide some context, I have an Apache Cocoon based application that does a lot of XSLT processing with Saxon . It appears that every time Saxon reads an XML document with a DTD reference, the underlying XML parser fetches the DTD over the network to resolve entities and validate. (Besides the rate limit, letting a parser fetch external DTDs from arbitrary URLs is the same mechanism that XXE and SSRF attacks abuse, so resolving them locally is good hygiene regardless.) Obviously, if the processing rate is high enough and there is no caching, you can cre...

Sedna XML DB and RelWithDebInfo mode

Once we had a severe issue with Sedna hanging regularly. It was caused by indexes broken by an upgrade. The issue was a nightmare and a lot of time was wasted until we solved it together with the Sedna devs. Since then it has been very important to be able to look into what is happening inside Sedna at any particular moment. Fortunately, there is a suitable way, although it isn't documented properly on the Sedna website. All you need is to build Sedna from source with the CMake build type RelWithDebInfo . CMake build modes. Using gdb. Using netstat. CMake build modes CMake has several build types, with Release and Debug obviously among them. Another one that can be of big use is called RelWithDebInfo . There is a perfect explanation for it on the mailing list : The difference between Debug and RelwithDebInfo is that RelwithDebInfo is quite similar to Release mode. It produces fully optimised code, but also builds the program database, and in...

Customizing oXygen Author Component

In this article I'm going to guide you through customizing the oXygen Author Component . More specifically, I'm going to create a new operation for the DITA framework that generates an XML fragment and inserts it into the current document. While the official documentation on this topic is very useful, it lacks real code examples. Of course, you can download the author component startup project, but it is aimed at those integrating the component as a Java applet, so it's of little use for us. Requirements To make a customization for the Author Component you need an oXygen standalone installation. For the development of Java customizations you'll need oxygen.jar on the classpath. This library is available in the oXygen installation directory as well as in the Author SDK project and in the author component startup project. Moreover, inside the last two you can find javadocs and partial source...

Play Framework with RequireJS and YUI

I concluded an older post with a promise to investigate the issues of integrating the Play Framework with RequireJS and YUI . I've finally found the time to resolve them all, so I'm going to showcase a working sample multi-page project in this article. Sample project. Issues. Sample project Play Framework offers a nice official tutorial on RequireJS support . However, it turned out that not all RequireJS features are fully supported by Play Framework yet (see the Issues section below), so some tuning was required before everything worked. I've published a sample project on GitHub, so you're welcome to look into it. Some of the issues I faced are described in the section below. Here I'm going to show a couple of screenshots of the sample application. This is how one page of the application looks: Below is a screenshot of the network tab of the Google Chrome developer tools, showing all page resources in production mode. You c...

YUI Cross-Domain transactions without Flash

Recently I've worked on an application making cross-domain Ajax calls with YUI . While YUI offers the io-xdr module for making cross-domain requests via a Flash transport , it seems to me quite unnatural, as it leads to unnecessary complexity. Moreover, io-xdr was marked deprecated several months ago without explicit mention of the preferred alternative. The obvious alternative is using XMLHttpRequest as the transport for cross-domain requests. However, it has some limitations and undocumented pitfalls that I'd like to review in this post. Cross-Domain request using XMLHttpRequest. YUI IO Utility. YUI Datasource IO. Cross-Domain request using XMLHttpRequest Cross-domain requests can be sent using a plain XMLHttpRequest object. The only requirement is that the server must be configured to handle those requests properly. Specifically, it should set the Access-Control-Allow-Origin response header according to the Cross-Origin Resource Sharing specification (for requests that carry cookies or HTTP authentication the origin must be listed explicitly rather than as *, and Access-Control-Allow-Credentials: true is required as well). For more details and good tuto...