Friday 9 December 2011

Eclipse error: using @Override on method implementing an interface method

@Override on a method implementing an interface is not allowed in Java 5, but is allowed in Java 6+

STS 2.7.2 by default seems to set projects up to be Java 1.5.  If you would like to use Java 6, right-click on your project->Properties->Java Compiler and change Compiler compliance level to 1.6.  After a project rebuild the error should be gone.

Thursday 8 December 2011

STS: Updating Namespace List in Spring Bean Configuration Files (Maven)

STS provides a nice wizard for constructing Spring configuration files.  Right click on Project or destination directory, then New->Spring->Spring Bean Configuration File.

You can pick XSD namespaces from a list, which saves cut-and-pasting them from another configuration file, ripping them off a blog or - heaven forbid - trying to write them yourself.

You may find the namespace list is initially empty.  To fix this add the desired dependency jars to your Maven pom.  [May be necessary: right click on project->Maven->Update Dependencies].  If your config file is already open, close and re-open it and then click on the "Namespace" tab to select from the namespace list:


Sunday 4 December 2011

Java and Spring Annotations

Java annotations are not inherited, unless the annotation type is annotated with @Inherited.

However, from the @Inherited Javadoc:
Note that this meta-annotation type has no effect if the annotated type is used to annotate anything other than a class. Note also that this meta-annotation only causes annotations to be inherited from superclasses; annotations on implemented interfaces have no effect.

It seems Java ignores annotations on implemented interface methods in order to avoid multiple inheritance issues: http://stackoverflow.com/questions/4745798/why-java-classes-do-not-inherit-annotations-from-implemented-interfaces

Now let's consider Spring's @Transactional:
Spring recommends that you only annotate concrete classes (and methods of concrete classes) with the @Transactional annotation, as opposed to annotating interfaces. You certainly can place the @Transactional annotation on an interface (or an interface method), but this works only as you would expect it to if you are using interface-based proxies. The fact that Java annotations are not inherited from interfaces means that if you are using class-based proxies (proxy-target-class="true") or the weaving-based aspect (mode="aspectj"), then the transaction settings are not recognized by the proxying and weaving infrastructure, and the object will not be wrapped in a transactional proxy, which would be decidedly bad.

But Spring Security's @Secured is different.  Most of the documentation shows the annotation on the interface class methods.  In my tests @Secured works on concrete classes and the interfaces and regardless of whether JDK or CGLib proxies are used.  This solution appears to be superior to the @Transactional solution.  It must reflect not only the methods in question but also discover their interfaces and reflect those, etc, etc...  Clearly there's a performance impact, but this seems like a better solution.

Having differing solutions is annoying, confusing and error-prone.

Wednesday 30 November 2011

Spring proxies: JDK vs. CGLib

This page contains an excellent and succinct summary of Spring Proxies:

http://insufficientinformation.blogspot.com/2007/12/spring-dynamic-proxies-vs-cglib-proxies.html

You could read a chapter in most Spring books and learn less.  Heed the advice: "Most important proxy-based AOP only works from "outside". Internal method calls are never intercepted."  If you don't already understand this, take the time to do so.

The Spring reference manual is also a good read:

http://static.springsource.org/spring/docs/3.0.0.RELEASE/spring-framework-reference/html/aop.html#aop-proxying

"...once the call has finally reached the target object, the SimplePojo reference in this case, any method calls that it may make on itself, such as this.bar() or this.foo(), are going to be invoked against the this reference, and not the proxy. This has important implications. It means that self-invocation is not going to result in the advice associated with a method invocation getting a chance to execute.

Okay, so what is to be done about this? The best approach (the term best is used loosely here) is to refactor your code such that the self-invocation does not happen."
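The two points above (annotations on interface methods are not visible on the implementing class, and self-invocation bypasses proxy advice) in one runnable sketch. This is an added example, not code from Spring or from the original posts: it uses a plain JDK dynamic proxy, and RequiresRole, AccountService and the role names are hypothetical stand-ins for @Secured-style advice.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class ProxyAdviceDemo {
    // Hypothetical annotation standing in for @Secured / @Transactional.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface AccountService {
        @RequiresRole("ADMIN")
        void deleteAll();
        void cleanup();
    }

    static class AccountServiceImpl implements AccountService {
        int deletions = 0;
        @Override public void deleteAll() { deletions++; }
        // Self-invocation: dispatched on 'this', so the proxy never sees the call.
        @Override public void cleanup() { this.deleteAll(); }
    }

    // Interface-based proxy: the handler is handed the interface's Method object,
    // which is why annotations placed on the interface are visible to this advice.
    static AccountService secure(AccountService target, String callerRole) {
        InvocationHandler advice = (proxy, method, args) -> {
            RequiresRole required = method.getAnnotation(RequiresRole.class);
            if (required != null && !required.value().equals(callerRole)) {
                throw new SecurityException(method.getName() + " requires role " + required.value());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();
            }
        };
        return (AccountService) Proxy.newProxyInstance(
                AccountService.class.getClassLoader(),
                new Class<?>[] {AccountService.class}, advice);
    }

    // What infrastructure working from the concrete class sees if it looks no further.
    static RequiresRole onClassOnly(Class<?> type, String method) throws NoSuchMethodException {
        return type.getMethod(method).getAnnotation(RequiresRole.class);
    }

    // A resolver that also searches the interfaces of the class and its superclasses.
    static RequiresRole withInterfaces(Class<?> type, String method) throws NoSuchMethodException {
        RequiresRole found = onClassOnly(type, method);
        for (Class<?> c = type; found == null && c != null; c = c.getSuperclass()) {
            for (Class<?> iface : c.getInterfaces()) {
                try {
                    found = iface.getMethod(method).getAnnotation(RequiresRole.class);
                } catch (NoSuchMethodException notDeclaredHere) {
                    continue;
                }
                if (found != null) break;
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("class method only : " + onClassOnly(AccountServiceImpl.class, "deleteAll"));
        System.out.println("walking interfaces: " + withInterfaces(AccountServiceImpl.class, "deleteAll").value());

        AccountServiceImpl impl = new AccountServiceImpl();
        AccountService asUser = secure(impl, "USER");
        try {
            asUser.deleteAll(); // external call: goes through the proxy and is checked
        } catch (SecurityException e) {
            System.out.println("external call     : blocked (" + e.getMessage() + ")");
        }
        asUser.cleanup(); // cleanup() itself is checked; its inner deleteAll() is not
        System.out.println("after cleanup()   : deletions = " + impl.deletions);
    }
}
```

The last line shows the deletion going through for a caller without the required role, which is why a security annotation on a method reached only by self-invocation gives no protection.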

Monday 14 November 2011

Studio Express to MSDE 2000 connection problem

Fresh install of SQL Server 2000 (MSDE 2000) on a Windows XP box.  Want to connect remotely via Studio Express, but get following error:

Login failed for user 'sa'. Reason: Not associated with a trusted SQL Server Connection ... (Error: 18542)

Fix: set to mixed-mode login authentication in registry, restart SQL Server
HKLM\Software\Microsoft\MSSqlserver\MSSqlServer\LoginMode  (change 1 to 0)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q285097
http://www.microsoft.com/download/en/details.aspx?id=22661

Wednesday 19 October 2011

Using Simian with Maven

The Simian documentation is a little brief, so here is how I got Simian integrated into our build.

As we already use Checkstyle, I integrated using the CheckStyle plugin.  Add the following to your Checkstyle xml configuration file, inside the Checker module tag:

<module name="com.harukizaemon.simian.SimianCheck"/>

Then I altered my Checkstyle Maven plugin:

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
                <version>2.5</version>
                <dependencies>
                      <dependency>
                        <groupId>com.harukizaemon</groupId>
                        <artifactId>simian</artifactId>
                        <version>2.3.33</version>
                      </dependency>
                </dependencies>
                <configuration>
                    <configLocation>${user.home}/checkstyle.xml</configLocation>
                </configuration>
            </plugin>

Finally I uploaded the Simian jar to our Maven repository.

Simian warnings are now outputted as part of the Checkstyle warnings.

[Note there is a very old Maven 1 Simian plugin kicking around on the internet, but this is unlikely to be of any use to you]

Tuesday 4 October 2011

Microsoft SQL Server 2000 Desktop Engine (MSDE) port number

We have to interface with a legacy MSDE database.  I cannot install the database on Windows 7, so for development I installed the database in a VM.  To detect port number:

Run C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SVRNETCN.exe
Select General Tab, highlight TCP/IP, click Properties.. button

Make an exception on the firewall for this port and then, from Windows 7 client connect using Studio Express with the following server name:

tcp:<ip address>,<port number>\<db name>

Monday 26 September 2011

Windows 7 Home: Service Logon Right

If you're using a Windows 7 Home Edition you'll have trouble granting users the right to run services.  Note this is not a problem on Professional or Ultimate Editions.

A way round it is described in the blog below - you install a Windows 2003 Resource kit and use the "ntrights" command.  I've tried it and it worked - obviously substitute service for batch and realise that this is not recommended in any way, shape or form!!

How to grant "log on as batch job" in Windows 7 Home Premium
How to Set Logon User Rights with the Ntrights.exe Utility

Tomcat Hardening Resources

OWASP
Center for Internet Security (Linux specific, but still useful for all platforms)

Saturday 10 September 2011

INFO: validateJarFile(C:\...\WEB-INF\lib\com.springsource.javax.servlet-2.5.0.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class

This warning on your Tomcat stderr is because you've included a Servlet.class in your war.  You don't need to; it is supplied by the Tomcat container:  JAR Files You Should Never Include In Your Webapp

But if you remove it your Maven build fails?  Use <scope>provided</scope>; it does exactly what you need:  Maven Dependency Scope

Thursday 25 August 2011

Java DateFormat and thread safety

Reminder: DateFormat is not thread safe.   It's a very easy trap to fall into.

See Javadocs:
Date formats are not synchronized. It is recommended to create separate format instances for each thread. If multiple threads access a format concurrently, it must be synchronized externally.
And multiple other blogs:
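
The trap described in this post, as an added example that is not from the original post: the same round-trip is run concurrently through one shared SimpleDateFormat and through per-thread instances, counting wrong results and exceptions. The sample timestamps are constructed, and the shared-instance count varies from run to run because it depends on thread timing.

```java
import java.text.SimpleDateFormat;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class DateFormatRace {
    static final String PATTERN = "yyyy-MM-dd HH:mm:ss";

    // The trap: one instance shared by every thread.
    static final SimpleDateFormat SHARED = new SimpleDateFormat(PATTERN);

    // The Javadoc's recommendation: a separate instance for each thread.
    static final ThreadLocal<SimpleDateFormat> PER_THREAD =
            ThreadLocal.withInitial(() -> new SimpleDateFormat(PATTERN));

    interface RoundTrip { String apply(String text) throws Exception; }

    // Parses and re-formats constructed timestamps on 8 threads and counts
    // every result that differs from its input or throws.
    static int countFailures(RoundTrip roundTrip) throws InterruptedException {
        String[] samples = {
            "2011-08-25 12:00:00", "1999-12-31 13:59:59", "2004-02-29 11:30:15"
        };
        AtomicInteger failures = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < 20000; i++) {
            String input = samples[i % samples.length];
            pool.execute(() -> {
                try {
                    if (!input.equals(roundTrip.apply(input))) failures.incrementAndGet();
                } catch (Exception e) {
                    // Corrupted internal state also surfaces as NumberFormatException,
                    // ArrayIndexOutOfBoundsException or ParseException.
                    failures.incrementAndGet();
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return failures.get();
    }

    public static void main(String[] args) throws Exception {
        int shared = countFailures(text -> SHARED.format(SHARED.parse(text)));
        int perThread = countFailures(text -> {
            SimpleDateFormat format = PER_THREAD.get();
            return format.format(format.parse(text));
        });
        System.out.println("shared instance failures    : " + shared);
        System.out.println("per-thread instance failures: " + perThread);
    }
}
```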


Tuesday 23 August 2011

Anemic Domain Models and Spring

I guess it started with J2EE and entity beans - people started creating lots of lovely domain classes and obediently created getter and setter functions for the data (good OO practice as we all know).  But they totally forgot about bunching object behaviour together in the same class.  Instead we often see "Service Layers" above the Domain Layer which implement all logic.


It's surprising how many text books and tutorials are out there advocating this approach.  In addition, DI containers such as Spring give you a strong nudge in that direction.  For example, you'll more than likely want to perform CRUD operations on your objects.  For this you'll require some kind of session/entity manager and you'd like this to be injected into your object by the container.  And for this to happen the object needs to be managed by your container.  Ah, problem - typically domain objects are application managed.  So people end up with Singleton Service or DAO objects which are managed by the container, injected with the session/entity manager and do all the CRUD operations, etc on their respective domain objects.  It can be argued that is not proper OO.  It should be noted however that people's opinions do differ:


There is a solution.  It's used in the Spring Roo generated classes and is explained in the link below.  Be warned, it involves Load Time Weaving:

Monday 15 August 2011

Windows 2003: system user home directory

From Microsoft: "The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows."

My service needed a configuration file to be placed in the home directory.  Where is the system (ie root) user home directory?  C:\Windows\system32\config\systemprofile  Obvious, right?  ;)

Tuesday 2 August 2011

Returning to your previous location in the Eclipse editor

You search, say, on the location of a variable/method declaration and then you'd like to return to your previous location.

Alt + LEFT ARROW

You can navigate through your positional history using Alt + LEFT ARROW and Alt + RIGHT ARROW.  (NB same shortcut is used to go back or forward a page in most web browsers)

Eclipse Shortcuts

Thursday 28 July 2011

Bookmarking locations within a web page in Firefox

Sometimes it's handy to bookmark or send someone a precise location within a webpage.  There doesn't appear to be any standard functionality to do this in Firefox.

Of course you could look at the HTML code, find the anchor and concatenate that to the page URL, but that's a bit tedious.

Enter Show Anchors add-on.  Install this and then right-click on the desired page and select 'Show Anchors'.  A little anchor symbol now appears next to each anchor on the page.  Hover over the desired anchor and select 'Bookmark anchor' or 'Send anchor'.

Update Jan 2014: Show Anchors not supported on newer versions of Firefox.  Try Show Anchors 2 instead.

Spring NamespaceHandlers

Spring's XML schema-based configuration is convenient and can reduce developer workload, but often at the expense of a thorough understanding of what is happening under the covers.  The newer custom tags wield a lot of power, so it's worth understanding exactly how they work.

An XML schema definition is held in a .xsd file and can be included in the XML configuration file, see Referencing the schemas.

Each schema has a corresponding NamespaceHandler.  For example, the tx schema, i.e. the <tx:blah> tags are handled by the TxNamespaceHandler.  If you look in TxNamespaceHandler.java you will see that it registers a parser object for each tag in the tx schema.

The remaining piece of magic is the mapping between schema and NamespaceHandler.  This can be found in the spring.handlers file inside the associated jar's META-INF directory.  See Registering the handler and the schema.  In the case of the tx schema this file resides in the META-INF directory in org.springframework.transaction-3.0.x.RELEASE.jar.

Saturday 23 July 2011

Huawei E585, EM770 and Telstra Next G

Telstra has better coverage in rural areas than other mobile operators and this may be a reason for choosing Telstra.

You should note the Telstra 3G network consists of 850MHz coverage ("Next G" network) combined with 2100MHz coverage in certain cities. See Telstra Mobile Networks

It is therefore likely that you want to use the 850MHz coverage. This frequency band is not common, so make sure you have a compatible modem.  See Telstra Network Coverage

Note the Huawei E585 is NOT compatible (only supports 2G in 850MHz band), so if you're out of 2100MHz coverage, you're going to get 2G data at best (and you'll need to select "3G Preferred", rather than "3G Only").

However the Huawei EM770 mini PCI card is compatible and works perfectly, although you will be restricted to 7.2Mbps download / 5.76Mbps upload (Telstra claim to support up to 20Mbps download in certain areas).

$2 Telstra SIMs are widely available and can be activated as a mobile broadband SIM by calling 1258887 from a Telstra phone or 132200 from a non-Telstra phone (it appears you cannot activate these online as you can with voice SIMs). See Telstra Pre-Paid Mobile Broadband Getting Started

The following modem settings worked for me:

APN: telstra.internet
Username: [blank]
Password: [blank]
Number: *99#
Authentication: CHAP

UPDATE 23/12/2011: the more recent Huawei E585u-82 does support 3G in 850MHz band.  It's available as a Vodafone Pocket WiFi 2. Look out for half price deals on these / eBay.  They can be unlocked for 10 Euros using the dc-unlocker software. Once unlocked they work fine on Telstra's 850MHz 3G.

Monday 27 June 2011

Delete Unsent Messages in Thunderbird

Thunderbird is great, but it does have a few quirks.

If you "Send Later" your message will be placed in your Outbox and you will be prompted to send unsent messages next time you start up Thunderbird. But let's say you decide you don't want to send that message after all. Well, supposedly, you go to your Local Folders -> Outbox folder and delete the message. Unfortunately this did not work for me (Thunderbird 3.1.11) - I could see no messages in the Outbox, yet it still prompted me to send unsent messages each time I started Thunderbird. The simplest solution I could find is right-click Outbox -> Search... Search on something to do with the email, e.g. From your email address and it will list all messages in the Outbox, select the one you wish to delete and press the Delete button.

BTW, standard "Send Later" is not particularly advanced functionality, so instead I suggest you use the Send Later 3 add-on.

Tuesday 21 June 2011

Virgin Mobile Broadband (Australia)


I'm spending some time in Australia and wanted mobile broadband access, more precisely I wanted a SIM I could put in my MiFi  (Huawei E585) unit.

Virgin Mobile Broadband seemed to fit the bill: it's reasonably priced (especially compared to Telstra) and uses the Optus network which has fairly good coverage - use the Optus coverage map as it offers more functionality (street location and enter town you're interested in) than the Virgin Mobile coverage map.

SIMs are widely available, but it's a bit of a rigmarole to buy one as you need photo ID and have to give an address.  You don't need to go to a specialist mobile shop; the supermarkets stock them at their customer service counters.

Virgin Broadband do a $10 Broadband SIM pack which comes with 300MB data included.  This is probably the easiest way to go, but not everybody stocks this SIM pack.  Instead you can buy one of their ubiquitous $2 SIMs and then activate it as a mobile broadband SIM on the Virgin Mobile website (or presumably via the customer service telephone line).

Note the following modem settings:

APN: VirginBroadband
Username: [blank]
Password: [blank]
Number: *99#
Authentication: PAP

I've highlighted the APN as I could not get my modem working until I changed this ("dynamic" did not work).

One further point to mention:  if you don't top up within 180 days of reaching zero balance your SIM is cancelled and cannot be topped up. However, you can still use this SIM in your modem to access the Virgin Mobile website only.  It will even allow you to attempt to top up the SIM (but won't tell you why it fails!!).  If you're an infrequent traveller to Australia you might consider keeping this SIM so that you can access the website to activate a $2 SIM in future and save you the expense of calling the customer service line.

Important: if VPN is important to you, read this first: Virgin Mobile Broadband and VPN (PPTP)

Thursday 19 May 2011

date ranges and half-open intervals

Half-open intervals:
http://hotmath.com/hotmath_help/topics/interval-notation.html
http://mathworld.wolfram.com/Half-ClosedInterval.html

Suggested way to store date ranges with TIMESTAMP fields:
http://stackoverflow.com/questions/156032/how-do-you-store-date-ranges-which-are-actually-timestamps

Above discussion particularly relevant to SQL Server 2005 which does not have native support for DATE, only TIMESTAMP (which they call DATETIME for historical reasons).

We need to record start and end dates of services.  Service dates are assumed inclusive, in other words the service will be available for the entire first day and last day as well as the days in between.  Our problem is SQL Server 2005 forces us to use a DATETIME (or SMALLDATETIME) type, so we have to specify a time component as well as a date.  For start date the start time is easy: 00:00:00, for end date the end time is more tricky.  We bill to the second so we could say 23:59:59 (this would be considered a closed interval) or we could say 23:59:59.999 (ie approaching the boundary) or even 00:00:00 the next day.  There are advantages and disadvantages to all options but in the end we went for the third option in the database, but display inclusive end date to the users as it's more intuitive (ie we followed deepc's advice).

In his book Thinking in Sets, Joe Celko seems to favour the second approach.  This thread mentions the different approaches (Kornelis seems to favour the third approach):
http://www.sqlmonster.com/Uwe/Forum.aspx/sql-server-programming/66078/Date-Range

If you get to use SQL Server 2008 - lucky you - make use of the new data types:
http://www.simple-talk.com/sql/t-sql-programming/time-gentlemen-please!-the-sql-server-temporal-datatypes/

Monday 16 May 2011

MySQL SSL

We decided to change our architecture so the web server and database run on separate machines.  They are both behind a firewall, however for certain reasons we still decided the db connection should be SSL.

There are instructions on how to set up MySQL to support SSL connections here: http://dev.mysql.com/doc/refman/5.1/en/secure-create-certs.html

It's fairly straightforward although following a server restart we found the following in our MySQL server logs:
SSL error: Unable to get private key
It seems the files generated are not in the correct format.  Somebody else experienced a similar problem: http://forums.mysql.com/read.php?11,400856,401127#msg-401127

We followed that advice, and the server now appeared happy, but the client still could not establish an SSL connection.  We noticed this wasn't a problem on our 64-bit platform and suspicion fell on the OpenSSL implementation.  Checking back at Shining Light, a comment attached to v1.0.0d says "Recommended for brave users" and describes v1.0.0d as a beta version.  Downgraded to v0.9.8r and everything works fine.

Raises an interesting point - the positioning of v1.0.0d on the download page and the slightly unorthodox version numbering tripped me up - I'm sure I'm not the only one.

Monday 9 May 2011

Windows 2003: scheduled tasks and shortcuts

This tripped me up today.  Spent ages trying to figure why a scheduled task kept failing to run (Could not start), yet it ran just fine on the command line in the same user account.

Looking in the log (Scheduled Tasks window click View Log on the Advanced menu) I see:
Unable to start task.
The specific error is:
0x80070005: Access is denied.
[Note the log cycles, overwriting from the start when the log is full, so the latest entry is not necessarily the last entry in the file]  The entry in the log is not very helpful.  Much wasted time later I realise scheduled tasks cannot handle shortcuts.

Monday 18 April 2011

YubiKey

Let's face it: most computer security is dreadful. People email confidential information cleartext, lose unencrypted laptops with sensitive data in public places, issue documents without clearing the amendment history, choose weak passwords and reuse them.  And that's before we even consider Malware.  Things are just too frigging complex.  Here's a beautifully simple device that gives you another layer of security: YubiKey.  It issues one time passwords and only needs a usb port.  I've been carrying one around on my keyring for almost a year - thin and robust, it still works perfectly.

Review of the YubiKey and two rivals here.  Pay attention to the advice in final paragraph:
I could not see any major differences between these three hardware based authentication systems, prices and security are much the same, probably the most important deciding factor when picking one of them is to make sure that the websites you normally visit have support for the specific hardware authentication token of your liking.

Two-way / Mutual SSL authentication with Java and Tomcat

We have an unprotected client-server webservice (SOAP) setup.  As it's in a secure environment we were ok, but the client is to be moved out of that environment into the big bad world and will now talk to the server through a firewall.  So we have a requirement to encrypt the messages to prevent eavesdropping and to implement authentication to ensure only authorised clients use the service.

We considered two options: 1) WS-Security SOAP or 2) SSL.  I Googled for people's opinions:
WS-Security versus SOA over SSL
WS-Security vs. SSL
Secure Web Services REST over HTTPS vs SOAP + WS-Security. Which is better?
On the performance of SSL vs. WS-Security
When to use WS-Security and SSL
Suffice to say this is a hotly debated subject.  There is no blanket answer; it depends on your individual circumstances.  As I usually opt for simplicity and did not require any additional WS-Security functionality, 2-way SSL was the choice I made.

With 2-way SSL the client and the server exchange public certificates.  That way the traffic can be encrypted and they can both be certain to whom they are speaking.

To implement, ensure you have the java home bin directory on your path (that's where the keytool executable lives), and do the following (vary passwords/locations/periods as required) on the client:
# create keystore and generate client key pair
keytool -genkey -alias client -keyalg RSA -validity 3650 -keystore .\client.keystore -storepass abcd1234 -keypass abcd1234

# export client public certificate
keytool -export -alias client -keystore .\client.keystore -storepass abcd1234 -file .\client.cer
Similarly, on the server:
# create keystore and generate server key pair
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore .\server.keystore -storepass abcd1234 -keypass abcd1234

# export server public certificate
keytool -export -alias server -keystore .\server.keystore -storepass abcd1234 -file .\server.cer
Copy the client certificate to the server and vice-versa.  Then import the server certificate to the client's truststore:
# create truststore and import server certificate
keytool -import -alias server -keystore .\client.truststore -storepass abcd1234 -file .\server.cer
And on the server:
# create truststore and import client certificate
keytool -import -alias client -keystore .\server.truststore -storepass abcd1234 -file .\client.cer
Now we have the keystores and truststores set up on the respective machines we need to let the applications know about them.  For the Java client you need to set the following system properties:
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword

javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword

javax.net.ssl.keyAlias (required if more than 1 key in the keystore)
You can either do this on the command line using the -D option, or you can do it programmatically using System.setProperty().

On the server side you need to configure tomcat.  Find the server.xml file in the conf directory and add a connector similar to this:
<Connector port="8433"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="true"
sslProtocol="TLS"
keystoreFile="<path>\server.keystore"
truststoreFile="<path>\server.truststore"
keystorePass="<password>"
truststorePass="<password>"
keyAlias="server"
/>
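
A check to run on each machine once the keytool steps above are done, as an added example that is not part of the original post: it confirms the keystore holds the private key, that the truststore holds only certificates, and prints SHA-256 fingerprints so the certificate exported on one side can be compared with the one imported on the other. It assumes Java 9 or later and reads the store password from an environment variable named STORE_PASS, which is a name chosen for this example.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

public class StoreAudit {
    // SHA-256 over the DER-encoded certificate, for out-of-band comparison.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    // Returns the number of problems found in one keystore/truststore pair.
    static int audit(String keystorePath, String truststorePath,
                     String ownAlias, String peerAlias, char[] pass) throws Exception {
        int problems = 0;
        // KeyStore.getInstance(File, char[]) (Java 9+) detects the store type itself.
        KeyStore keystore = KeyStore.getInstance(new File(keystorePath), pass);
        KeyStore truststore = KeyStore.getInstance(new File(truststorePath), pass);

        if (keystore.isKeyEntry(ownAlias)) {
            System.out.println("own cert  " + ownAlias + "  "
                    + fingerprint(keystore.getCertificate(ownAlias)));
        } else {
            System.out.println("PROBLEM: no private key under alias '" + ownAlias
                    + "' in " + keystorePath);
            problems++;
        }

        // Every certificate entry listed here is one the peer check will accept,
        // so on the server this list is effectively the client allow-list.
        for (String alias : Collections.list(truststore.aliases())) {
            if (truststore.isKeyEntry(alias)) {
                // A private key in a truststore means a whole keystore was copied
                // across instead of the exported .cer file.
                System.out.println("PROBLEM: private key '" + alias + "' in " + truststorePath);
                problems++;
            } else {
                System.out.println("trusted   " + alias + "  "
                        + fingerprint(truststore.getCertificate(alias)));
            }
        }
        if (!truststore.isCertificateEntry(peerAlias)) {
            System.out.println("PROBLEM: no certificate under alias '" + peerAlias
                    + "' in " + truststorePath);
            problems++;
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("STORE_PASS"); // example-specific variable name
        if (args.length != 4 || pass == null) {
            System.err.println("usage: STORE_PASS=... java StoreAudit "
                    + "<keystore> <truststore> <own alias> <peer alias>");
            System.exit(2);
        }
        for (String path : new String[] {args[0], args[1]}) {
            if (!new File(path).isFile()) {
                System.err.println("store not found: " + path);
                System.exit(2);
            }
        }
        int problems = audit(args[0], args[1], args[2], args[3], pass.toCharArray());
        System.out.println(problems == 0 ? "stores look consistent" : problems + " problem(s) found");
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

On the client the arguments are client.keystore client.truststore client server, and on the server server.keystore server.truststore server client; the "own cert" fingerprint printed on one machine should equal the "trusted" fingerprint printed on the other.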

Sunday 17 April 2011

bitcoin

Heard about this on Security Now!  bitcoin is a digital currency and very interesting indeed - both the concept and the underlying technology.  BTW, if you don't already listen to Security Now! I suggest you do.

There's a bitcoin bubble brewing at the moment: Bitcoin Watch.  Bitcoin hit USD parity in Feb 2011 - two years previous it had practically no value.

Tuesday 11 January 2011

washed out

You know the feeling, just putting the finishing touches to a release, and then ... WTF ... all the widgets on the screen have screwed up and showing transparent!  I didn't even touch the GUI!!  After a panic that went on longer than it should have, I remembered playing with my monitor settings the day before and setting the contrast up way high.  On my monitor this had the effect of showing the background colour as white and made the widgets look translucent.  Lesson learnt, phew.  Try it - if you can't see the blue background of this post against the white your contrast may be too high.