Configuring Firewall Packet Filtering Using iptables

This article was tested using iptables v1.3.5 running on CentOS.

Displaying Currently Active Rules

iptables -L -v -n

The -v flag turns on verbose mode, and -n shows addresses and ports numerically rather than resolving them to hostnames.

Adding A New Rule

iptables -A INPUT -j ACCEPT -s  -m comment --comment 'Reverse proxy'

The above rule is appended to the end of the INPUT chain; when it matches (a packet coming from IP ), the packet is accepted.

Rejecting Packets Created From Inbound Connections

In the following example all packets from inbound connections are rejected, but outbound ones are not. The only inbound packets allowed unconditionally are from 72.8.190.105 and 199.241.192.0/22.

Chain INPUT (policy ACCEPT 704K packets, 218M bytes)
 pkts bytes target     prot opt in     out     source               destination
  36M 4776M ACCEPT     all  --  *      *       72.8.190.105         0.0.0.0/0       /* Allow incoming from Reverse Proxy*/
4439K  577M ACCEPT     all  --  *      *       199.241.192.0/22     0.0.0.0/0       /* Allow incoming from Reverse Proxy */
  10M 2897M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       state RELATED,ESTABLISHED /* Accept incoming packets from already established conn */
14586  878K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0       /* Reject everything else */ reject-with icmp-port-unreachable

This is achieved by checking the connection state. If an incoming packet belongs to a TCP connection in the RELATED or ESTABLISHED state, it is allowed.

Such rules can be added using the following. Order matters: -A appends to the chain, so the ACCEPT for established connections must be added before the catch-all REJECT.

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -m comment --comment 'Accept incoming packets from already established conn'
iptables -A INPUT -j REJECT -m comment --comment 'Reject everything else'

Saving Rules

Use /sbin/service iptables save to persist the changes so they survive the next reboot of the server.

Looking up Commands for Currently Configured Rules

Once you have saved your iptables settings, the commands used to reconstruct the rules can be looked up in the /etc/sysconfig/iptables file.

Testing SMTP Server Using Telnet

An SMTP server can be tested simply with a telnet client. On Windows 7 and above the telnet client has to be installed first via Control Panel (Windows Add/Remove Features).

Following is a sample of the SMTP commands to send to a standard mail server listening on IP port 25, without authentication:

C:telnet  25
HELO mycompany.com
MAIL FROM:
RCPT TO:
DATA
To: Gerry Tan <>
From: My Company Support <>
Subject: Testing mail server via SMTP
Please ignore this email as this is just testing mail server via SMTP

.
quit

The empty line followed by a line containing only a dot at the end is important: it terminates the message body.

SMTP Server With Authentication

To use SMTP username / password authentication, you first need to encode them in Base64. It can be done with Perl from the command line:

 perl -MMIME::Base64 -e 'print encode_base64("gerrytan");'
 perl -MMIME::Base64 -e 'print encode_base64("Mypass123");'

Be careful if your username / password contains symbols meaningful to Perl! An @ character can be interpreted as a Perl array, so you have to escape it (I spent an hour figuring out why authentication failed because of this).

Then issue the AUTH LOGIN command after HELO / EHLO. The server will prompt for the username and password in Base64:

220 mail.tpg.com.au ESMTP (mail16) Sendmail ready.
EHLO mail.tpg.com.au
250-mail16.tpgi.com.au Hello  [], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 28521268
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
**********
334 UGFzc3dvcmQ6
**********
235 2.0.0 OK Authenticated
MAIL FROM:
250 2.1.0 ... Sender ok
RCPT TO:
250 2.1.5 ... Recipient ok

Thanks to http://exchange.mvps.org/smtp_frames.htm.
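As an added example (my own code, not part of the original post), the Python helpers below cover the two exchanges above: they parse the multi-line EHLO reply to see which AUTH mechanisms and STARTTLS are offered, decode the 334 challenges, and produce the Base64 answers AUTH LOGIN expects without any Perl quoting trouble. The EHLO sample is constructed after the one in the post, with a documentation address in place of the elided client IP; the function names are mine.

```python
import base64
import re
# Constructed sample: an EHLO reply in the multi-line form shown in the post ('250-' continues, '250 ' ends).
EHLO_REPLY = """\
250-mail16.tpgi.com.au Hello [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 28521268
250-DSN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""
def parse_reply(text):
    """Split an SMTP reply into (code, lines), stopping at the first line with a space after the code."""
    code, lines = None, []
    for raw in text.splitlines():
        m = re.match(r"(\d{3})([ -])(.*)", raw)
        if not m or (code and m.group(1) != code):
            raise ValueError("malformed reply line: %r" % raw)
        code = m.group(1)
        lines.append(m.group(3))
        if m.group(2) == " ":
            break                               # final line of this reply
    return code, lines

def extensions(ehlo_lines):
    """Map each advertised ESMTP keyword to its parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    ext = {}
    for line in ehlo_lines[1:]:                 # line 0 is the greeting, not an extension
        key, _, params = line.partition(" ")
        ext[key.upper()] = params.split()
    return ext

def decode_challenge(line):
    """Decode a '334 <base64>' AUTH LOGIN challenge to its prompt text ('Username:' / 'Password:')."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not an AUTH challenge: %r" % line)
    return base64.b64decode(payload).decode()

def auth_login_answers(username, password):
    """The two Base64 lines the client sends back; '@' needs no escaping here, unlike in Perl."""
    return [base64.b64encode(s.encode()).decode() for s in (username, password)]

def auth_login_ok(ehlo_lines, tls_active):
    """AUTH LOGIN is only Base64, not encryption: allow it only if offered and STARTTLS is already up."""
    return "LOGIN" in extensions(ehlo_lines).get("AUTH", []) and tls_active
```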

Using Spring Data MongoDB

a great third party support based on standard MongoDB Java Driver.

Dependencies

The following dependencies are required. Check for the latest version via the Nexus Central Repository:

  1. spring-data-mongodb

    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-mongodb</artifactId>
      <version>1.2.1.RELEASE</version>
    </dependency>

  2. mongo-java-driver

    <dependency>
      <groupId>org.mongodb</groupId>
      <artifactId>mongo-java-driver</artifactId>
      <version>2.11.1</version>
    </dependency>

Setup Mongo Connection, Template and Repository Scanning

This is similar in idea to setting up a DB datasource. In this example the mongo database server is located at localhost:27017 (the default). The MongoDB database name used is enrollment. The tag specifies the base package to scan for repository classes.

Domain / Entity Class

The example in this post is based on a simple Student entity class with only id and name fields:

import org.springframework.data.annotation.Id;

public class Student {
  @Id private String id;
  private String name;
  // getters & setters..
}

Without explicit configuration this entity class will be mapped to the MongoDB collection named student. To override this default behavior, use the @Document(collection = "...") annotation.

Repository Class

Simply add an interface extending a Spring Data Repository interface. The sample below uses PagingAndSortingRepository, which extends CrudRepository, which provides the most basic operations. The type parameters specify that this repository operates over the Student entity, with the ID type being String. Spring Data will automatically generate an implementation of this interface.

import org.springframework.data.repository.PagingAndSortingRepository;

public interface StudentRepository extends PagingAndSortingRepository<Student, String> {

}

This repository can now be injected into controllers:

import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/student")
public class StudentController {

  @Autowired
  private StudentRepository studentRepository;

  @RequestMapping(method = GET)
  public String get(Model model) {
    Iterable<Student> students = studentRepository.findAll();
    model.addAttribute("students", students);   // expose the list to the view
    return "student";
  }

  @RequestMapping(value = "/new", method = POST)
  public String addNew(@ModelAttribute("student") Student student) {
    studentRepository.save(student);
    return "redirect:/student";   // assumed: go back to the listing after saving
  }

  ...
}

Read More

Learn more about Spring Data and MongoDB:

  • Spring Data MongoDB Reference Manual – http://static.springsource.org/spring-data/data-mongodb/docs/current/reference/html/index.html
  • MongoDB Manual – http://docs.mongodb.org/manual/

Eclipse Unable to Detect Glassfish 3 Server Is Started

Found this problem on my Windows 7 PC: when I tried to start my Glassfish 3 server via Eclipse it seemed to start alright, but Eclipse could not detect that it had started.

On the server panel the progress bar is stuck at the “Starting glassfish..” message, and after a few minutes it says “Unable to start server on time”, yet the server process is still running in the background.

Thanks to this StackOverflow answer by HAmark, this problem seems to be caused by Java being unable to resolve the host name “localhost”.

This can be resolved by adding the following entry to your C:\Windows\System32\drivers\etc\hosts file:

127.0.0.1 localhost

Sending E-Mail Using GMail SMTP via Apache Commons Emails

GMail provides a handy and reliable SMTP mail server for your program / script. The GMail SMTP configuration settings are:

  • SMTP Host Name: smtp.gmail.com
  • SMTP Port: 587
  • TLS Enabled: Yes
  • Username:
  • Password:

In Java you can use commons-email to simply send an E-Mail using your GMail account.

First add the commons-email jar to your classpath. If you use Maven, simply add the following dependency (or a newer version if any):


<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-email</artifactId>
  <version>1.3.1</version>
</dependency>

The following example assumes your GMail email is and password abcd1234.

import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

// send() throws EmailException, so call this from a method that declares or handles it
Email email = new SimpleEmail();
email.setSmtpPort(587);
email.setHostName("smtp.gmail.com");
email.setAuthentication("", "abcd1234");
email.setStartTLSEnabled(true);          // upgrade the port 587 connection to TLS before authenticating
email.setFrom("", "John Doe");
email.setSubject("Hi this is testing email only");
email.setMsg("Hello there testing to send email from GMail");
email.addTo("");
email.send();

Note that by default GMail only allows email to be sent from your own address (); you cannot send as somebody else, for security reasons. You need to perform additional configuration to allow an external address to be used as the sender via your GMail account.

Using Maven to Include All Java EE API Into Classpath

If you use a full Java EE container such as JBoss or Glassfish, and are (fortunate enough) to use Maven, here is a simple way to pull all Java EE dependencies into your classpath. Add the following dependency to your pom.xml:


<dependency>
  <groupId>javax</groupId>
  <artifactId>javaee-api</artifactId>
  <version>6.0</version>
  <scope>provided</scope>
</dependency>

Notice the scope is set to provided; this is important because at runtime all those classes will be provided by your container, so they must not be packaged with your application.

Also, the above is for Java EE 6. Use the following for Java EE 7:


<dependency>
  <groupId>javax</groupId>
  <artifactId>javaee-api</artifactId>
  <version>7.0</version>
  <scope>provided</scope>
</dependency>

Cross Site Request Forgery (CSRF) Protection in Spring 3.1

Eyal Lupu has written an excellent article in his blog about mitigating Cross Site Request Forgery (CSRF) attack.

CSRF allows an attacker to create a fake form / link that posts to a secured website. It exploits the fact that you might have an active session with that website. For example, an attacker can create a fake form / link with all the data required to transfer money to his / her account, without you realizing it.

This CSRF prevention technique involves two components:

  1. Rendering a hidden form field with randomly generated token stored in session
  2. Ensuring the next post request came with matching token

The sample source code of this solution can be obtained from:

git clone https://github.com/eyal-lupu/eyallupu-blog.git
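As an added example in Python rather than Spring (my own code, not Eyal Lupu's sample), here are the two components above: a random token generated once per session and rendered into a hidden form field, and a constant-time check that the next POST carries the same token. The names TOKEN_FIELD, render_form and handle_transfer are assumptions, and session and form are plain dicts standing in for the HTTP session and the posted parameters.

```python
import hmac
import secrets

TOKEN_FIELD = "_csrf"   # assumed name for both the session attribute and the hidden form field

def csrf_token(session):
    """Step 1: create one random token per session (kept server-side) and return it for the form."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]

def render_form(session, action):
    """Render the hidden field into the legitimate site's form; a page on another origin cannot read it."""
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="%s" value="%s"></form>'
            % (action, TOKEN_FIELD, csrf_token(session)))

def csrf_valid(session, form):
    """Step 2: accept a POST only if it carries the token bound to this user's session."""
    expected, supplied = session.get(TOKEN_FIELD), form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False                    # no token issued yet, or the form did not send one
    return hmac.compare_digest(expected, supplied)   # constant-time compare

def handle_transfer(session, form):
    """A state-changing handler guarded by the check; returns the outcome as a string."""
    if not csrf_valid(session, form):
        return "rejected: missing or mismatched CSRF token"
    return "transferred %s to %s" % (form["amount"], form["to"])
```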

Session Scoped Beans in Spring

If your Spring application context is associated with a Java EE container (eg: created via ), you can set your bean to session scope. This means every user starting a new HTTP session will obtain a different copy of your bean.

Let’s see this in action. Below I have a ShoppingCart bean:

import java.io.Serializable;
import java.util.List;

public class ShoppingCart implements Serializable {
  private int userId;
  private List products;
  // getters & setters ...
}

Configure this to be a session scoped bean in the Spring XML configuration file.

The tag will cause Spring to create a proxy class over the ShoppingCart bean. This is critical because we want to inject our ShoppingCart into a singleton class (eg: Service / Controller classes), yet each user’s HTTP session should get its own copy of the data.

In order for proxying to take effect you also need to include the cglib library in your classpath.

I can now inject the ShoppingCart into HomeController:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/home")
public class HomeController {

  @Autowired
  private ShoppingCart shoppingCart;   // the session-scoped proxy is injected here

  ...
}

One way to think about this is that the proxy is a singleton mirror image of the ShoppingCart class, except that each user coming from a different HttpSession sees different data when they invoke its public methods. For each new HttpSession, the first time the user invokes one of the proxied methods a new actual ShoppingCart bean instance is created behind the scenes.