HP SWF Decompiling and Security Analysis Tool
HP has released a tool called SWF Scan for decompiling and looking at SWFs for security issues. Available from http://www.hp.com/go/swfscan.
« February 2009 | Main | April 2009 »
HP has released a tool called SWF Scan for decompiling and looking at SWFs for security issues. Available from http://www.hp.com/go/swfscan.
It has always felt counter intuitive that there are classes which are not thread safe in the Sun JDK, but that is the case. One that I frequently see people trip up on is SimpleDateFormat. From the documentation:
Date formats are not synchronized. It is recommended to create separate format instances for each thread. If multiple threads access a format concurrently, it must be synchronized externally.
UPDATE
While SimpleDateFormat is not thread safe, as pointed out in the comments below, Spring seems to create new binders per request removing the need for this approach. In reviewing the documentation it isn't immediately clear that this is the case.
I recently had to create a custom editor for a Spring Web MVC command and ran into this issue. One possible fix, without introducing a ThreadLocal, is to just create a SimpleDateFormat every time. Hence this simple ThreadSafeSimpleDateFormat wrapper.
import java.text.DateFormat; import java.text.FieldPosition; import java.text.ParsePosition; import java.text.SimpleDateFormat; import java.util.Date; public class ThreadSafeSimpleDateFormat extends DateFormat { private String pattern; public ThreadSafeSimpleDateFormat(String pattern) { this.pattern = pattern; } @Override public StringBuffer format(Date date, StringBuffer toAppendTo, FieldPosition fieldPosition) { return new SimpleDateFormat(pattern).format(date, toAppendTo, fieldPosition); } @Override public Date parse(String source, ParsePosition pos) { return new SimpleDateFormat(pattern).parse(source, pos); } }
Then to setup that as the editor handler for a command that has a date field, in my controller that uses the command I added the following:
@Override protected void initBinder(HttpServletRequest request, ServletRequestDataBinder binder) throws Exception { super.initBinder(request, binder); binder.registerCustomEditor(Date.class, DATE_TIME, new CustomDateEditor(new ThreadSafeSimpleDateFormat(DATE_TIME_FORMAT), false)); }
The combination of Spring Web MVC with Velocity makes for easy view handling. One of the things that I'm confused about though is getting the configuration up an running. I've been very happy with this configuration so I thought I'd share it.
First part is to let the system know where to find Velocity templates. I store them all in a directory called velocity which is part of the web application.
<bean id="velocityConfig" class="org.springframework.web.servlet.view.velocity.VelocityConfigurer"> <property name="resourceLoaderPath"> <value>/WEB-INF/velocity/</value> </property> </bean>
Next up is letting Spring know that Velocity is the default View that will be used. This configures a few handy defaults that represent the common case response. That being is will be an XML response, the template name has no prefix and a .vm suffix, and we configure some custom tools to be available in the macros.
<bean id="viewResolver" class="org.springframework.web.servlet.view.velocity.VelocityViewResolver"> <property name="exposeSpringMacroHelpers"> <value>true</value> </property> <property name="contentType"> <value>text/xml</value> </property> <property name="prefix"> <value></value> </property> <property name="suffix"> <value>.vm</value> </property> <property name="toolboxConfigLocation"> <value>/WEB-INF/toolbox.xml</value> </property> </bean>
The toolbox configuration file defines some handy tools and in particular defaults the format that dates should be in when converted to a String. In this case the format is what ActionScript 3 expects, since this is the back end for a Flex project.
<toolbox> <tool> <key>esc</key> <scope>application</scope> <class>com.neophi.util.NullEscapeTool</class> </tool> <tool> <key>exceptionTool</key> <scope>application</scope> <class>com.neophi.util.ExceptionTool</class> </tool> <tool> <key>dateTool</key> <scope>application</scope> <class>org.apache.velocity.tools.generic.DateTool</class> <parameter name="format" value="EEE MMM dd HH:mm:ss 'UTC'Z yyyy"/> </tool> </toolbox>
I've always felt like I'm missing some obvious configuration setting with Velocity that will make null values just show up as empty strings instead of being left as $model.attribute. Since I've not found that setting yet, the NullEscapeTool wraps the standard Velocity EscapeTool and sends back an empty string if the value was null.
@Override public String xml(Object string) { String result = super.xml(string); if (result == null) { return ""; } return result; }
The ExceptionTool exposes one method stackTrace() that converts the stack trace associated with an exception to a string so that it can be included in the view. Not necessarily something you want to expose in a production environment, but very handy when debugging.
public String stackTrace(Exception exception) { ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); PrintStream printStream = new PrintStream(byteArrayOutputStream); exception.printStackTrace(printStream); printStream.close(); // Closing a ByteArrayOutputStream has no effect, so don't do it which avoids the need to try/catch the IOException return byteArrayOutputStream.toString(); }
Lastly if you want to have Velocity also handle certain exceptions that your web application may throw the exception resolver facility is great for handling that. In this case the exception value that ServerException refers to is a Velocity template that incorporates the ExceptionTool mentioned above.
<bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="warnLogCategory"> <value>com.neophi.exception</value> </property> <property name="defaultStatusCode"> <value>200</value> </property> <property name="exceptionMappings"> <props> <prop key="com.neophi.exception.ServerException">exception</prop> </props> </property> </bean>
I'm a firm believer in automated testing. The more testing you can automate the less work you need to do to be sure you didn't break stuff each time you make a change. While most people think of unit testing when talking about automated testing, the higher up the interaction chain you can go while not making your tests brittle the better off you will be. On my current project unit test coverage is great, but given that ultimately all of the services get exposed as a web application, being able to automate testing at that level would be beneficial. Below is the approach I took to automate testing our web application.
The key ingredients to the approach are JUnit (testing framework), HtmlUnit (web request handler), and Jetty (integrated application server). Each automated test is written as a JUnit test with a call to a centralized function to startup the web application. To fully isolate each test method you could switch this to an @Before annotation. I've found though that the automated tests are most accurately defined as integration tests. Having a single instance running for all tests simulates the ultimate environment better so I only ever startup one server. Each test method is responsible for setting up the environment (.i.e. test data) to match what it needs so that the order of test methods never matters.
public class SampleTest { @BeforeClass public static void startServer() throws Exception { ObjectMother.startServer(); } }
The startServer() call in ObjectMother is responsible for starting the server if not already running. I startup the server on a random port to test that the configuration isn't port specific. The base URL for the web application is exposed so that tests making requests know what URL to start the call at. One issue I ran into is that you might need to play with the physical directory passed to WebAppContext as running from Eclipse versus Ant might have you starting in different working directories. To get around this issue there is a a little directory helper that searches for the target directory based on current, parent, and a couple other locations it could be found out.
import org.mortbay.jetty.Server; import org.mortbay.jetty.webapp.WebAppContext; public class ObjectMother { public static String baseUrl; private static Server server; public static void startServer() throws Exception { if (server == null) { server = new Server(0); server.addHandler(new WebAppContext("build/testapp", "/sample-server")); server.start(); int actualPort = server.getConnectors()[0].getLocalPort(); baseUrl = "http://localhost:" + actualPort + "/sample-server"; } } }
The creation of the "build/testapp" referenced above is done by Ant. When running within Eclipse an external tool builder is called to stage the web application like it would if it were to package it as a war. In particular the staging done for unit testing adjusts any deployment parameters so that they tuned for the test environment.
Now that the server is running requests can be made against it. This is where HtmlUnit gets used. A typical test looks something like this:
@Test public void testBasic() throws FailingHttpStatusCodeException, IOException { List<NameValuePair> parameters = new ArrayList<NameValuePair>(); parameters.add(new NameValuePair(SampleCommand.CUSTOMER, ObjectMother.CUSTOMER)); parameters.add(new NameValuePair(SampleCommand.URI, ObjectMother.URI)); WebRequestSettings webRequestSettings = new WebRequestSettings(new URL(ObjectMother.baseUrl + "/sample/")); webRequestSettings.setRequestParameters(parameters); WebClient webClient = new WebClient(); webClient.setThrowExceptionOnFailingStatusCode(false); Page page = webClient.getPage(webRequestSettings); assertEquals(HttpServletResponse.SC_OK, page.getWebResponse().getStatusCode()); // additional request specific assertions }
Frequently the response is XML based, so for these the XmlPage wrapper is used instead.
assertEquals(ServerUtil.XML_CONTENT_TYPE, page.getWebResponse().getContentType()); XmlPage xmlPage = (XmlPage) page; NodeList nodeList = xmlPage.getXmlDocument().getElementsByTagName(ObjectMother.FAILURE_ELEMENT_NAME); assertTrue(nodeList.getLength() > 0);
Since Jetty is starting up within the JVM, instead of as a separate process, using Eclipse's debug as JUnit test just works. The web application startup catches Spring configuration errors quickly and ensures that all paths are what they should be.
Joe Berkovitz is speaking about Building Muscular Graphical Editors in Flex.
Focus on how people build and edit visual documents. Amazed at the problems that come up building visual editors like that.
Ran into lots of issues while building Noteflight. Ended up creating Moccasin framework for working with visual editors. Moccasin is also being used in InfraRed5's new RedLine site editing tool.
He gave a quick demo of Noteflight. Tool for creating and sharing musical scores with a little social interaction thrown in. Selection has different modes: individual object, group of objects (sequence or collection), and a passage. Undo and redo are built in to almost everything.
Uses MVC with a few tweaks. Views emit events that are fed to Mediators which perform actions on a Controller which edits the Model. Models are abstract and non visual. Layouts are visual grouping of model but not drawn.
Undo History <- Document <- Layout Context <- View Context ^ ^ ^ ^ \-> Model <- Layouts <- Views
Model, Layouts, and Views are collection of objects that are cooperating, but all belong to a single object, the context or document they are operation in.
Sometimes when you need to print you need to make visual tweaks so that it looks better, in this case just have a separate view context.
Don't like using events for what should be a function call.
Standard undo/redo wisdom is to use a command pattern. ICommand, execute(), undo(), and redo(). Commands are stateful, need to create them.
Instead constrain the model to only allow, property change, child add, or child remove. Bindable properties will dispatch events for you. For collections and change events you need to bubble them up in your model. Then you only need to listen to the root.
UndoHistory needs to open group/close group. Makes many micro modifications that are recorded. Undo or redo called on undo history controller.
How do you track dirty versus clean? Bookkeeping in undo history.
He gave a demo of InfraRed5's RedLine site builder which is also using Moccasin.
Moccasin is on Google Code. MVCS framework, XML based model, "smart wrappers", object selection management, group based undo/redo, mouse gesture/object handle support, scalable document views.
Moccasin wraps a model object to handle events. Moccasin includes simple world which is an application to show how the framework is used. Uses a feedback layer sitting in front of objects. Ran through an example of changing the Square object to have a width and height instead of just a size.
View registers mediators that it wants to use.
How to persist state of views? Have separate model that hte views manage.
Likes domain specific frameworks instead of monolithic frameworks.
Moccasin more focused on UI design and layout versus client/server work that Cairngorm uses.
Last night I finished my obsessive tear through Orson Scott Card's Ender Series. I had read Ender's Game a number of years ago and throughly enjoyed it. Towards the end of January the lunchtime conversation at work turned to the most recent book in the series and that it was a good read. Since I wasn't really into my other reading options at the time, I thought I'd start reading the series. Rereading Ender's Game, which is one of only about half a dozen books I've ever reread, I became enamored with the characters and the idea of reading the rest of the series. If you haven't read the series I've probably let drop some spoilers below so be warned.
The writing isn't highbrow by any means, which the author freely admits to, making the books quick reading. The themes introduced in Speaker for the Dead didn't feel as science fiction themed as Ender's Game but do explore humans interacting with an alien race perceived to be less technologically advanced. The action continues with Xenocide and Children of the Mind regaining some of the science fiction themes with the introduction of instantaneous travel, items created through thought, and adaptable viruses. The religious mumbo jumbo he starts to throw in with the Path world and the various people visited by Peter started to get annoying, but overall the first four books of the series are great reading.
Ender's Shadow starts a four book series focused around Bean, who was first introduced in Ender's Game. I find Bean as interesting a character as Ender but with this book the story line turns more towards Earth and starts a downward trend into focusing on religious and political themes. This trend continues in Shadow of the Hegemon and becomes overly religious in Shadow Puppets only to be equaled by an overly political Shadow of the Giant. Needless to say I only enjoyed the first of the Bean quartet.
First Meetings and particularly A War of Gifts: An Ender Story felt like the author needed a quick dollar or two. They are both short and while First Meetings does fill in the background of how major characters met, A War of Gifts is a complete throw away and could stand not to have been written. Star Wars Holiday Special anyone?
The latest book, Ender in Exile, gets back into a more science fiction themed world with new creatures and telepathy while helping fill out various story lines introduced in earlier books. However, as with the entire series there are plenty of ideas mentioned that could themselves become books if they were ever explored. In general though Ender in Exile is a welcome return to the style of the first five books versus the other books in the shadow series.
Now that I'm caught up with the series I'm find myself brooding over what was brought to my attention while reading the series. I strongly disagree with Orson Scott Card's personal views on many issues. In retrospect, matching the timeline of when the some of his books were written to his political writings I find myself thinking that those shadow books I disliked so much seemed to be espousing his world views about marriage, religions, and politics.
My dilemma is this: Do I not read any of his future works because his view of the world doesn't agree with mine? How much of a hypocrite am I for having finished reading the series even though partway through it I became away of his injudicious personal views?
Today for lunch we went to Legal Sea Foods in Kendall to wish a co-worker farewell as it was her last day. I ordered a gimlet and after asking what gins they had, asked for it with Bombay Sapphire. When my drink came it was very limey which was what I wanted. After a couple of sips, the waiter asked me about the drink to which I replied it was okay. He then informed me that he substituted Tanqueray for the gin (that being the cocktail menu stated drink) since it blended with their lime cordial better.
My anger flared and I hurled back at him some snarky comment concerning that being the reason why I didn't taste as much juniper as I was expecting. He offered to replace it, to which I continued my rant and replied that since that was what I had ordered I'd like that. Here enters the principle of the matter. I would rather have had him recommend that I try the drink with Tanqueray when I ordered it, instead of specifically ignoring my request.
Now I've demonstrated that I'm not a super taster when it comes to gin. In fact I swapped Bombay Sapphire with Tanqueray when I did that blind tasting. This of course means that when my drink was replaced he could have just switched what he originally served me to another glass and I would have been none the wiser. I suspect he's either laughing his ass having done just that and remarking how rude and ignorant I was. Hence on the matter of taste, what gin the drink was served with really didn't matter.
With all of that said, I'm still fuming and my mind is still obsessing over the issue. I'm pissed off at myself for letting my anger flair so easily. I'm pissed off at the waiter for switching my order around. I'm pissed off at the fact that I'm still thinking about it even when I know I couldn't tell the difference. Turns out nor can most people. So there you have have it, a possibly nice lunch and the rest of my day distracted over something that really shouldn't have mattered. Grrrrr.
Recently on a couple of unrelated blogs there were links to Ze Frank's Brain Crack video. It is succinct and hit home. I'm trying to think about how best to act on it without that thought turning into yet more brain crack. I'm not to the point that I'm going to make it a public contract on myself, but given my recent ramblings, I clearly have some crack to remove.