The old XP warhorse was seriously low on disk space so a bit of TLC was required.
Warning: This worked for me - you're on your own! Backup important stuff first!
Run CCleaner.
Just get it dude!
Then run PC Decrapifier. This didn't do much in my case but then I'm quite strict on what I install in the first place.
Then, using Explorer Search, I searched for *.log, *.tmp and *.bak and deleted all the junk.
Then I searched for all files greater than 10 Mb and deleted all the junk.
Advice: If in doubt, don't delete.
Then I deleted the old "Windows Update" files. These are the ones in the /Windows folder in folders like "$NtUninstallKB842773$". Again, Google this if you're not sure.
Then I deleted the files in the /Windows/Prefetch folder. Again, Google this if you're not sure.
If you have SQL Server installed, you can clear out most of the files in the C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG folder. Again, Google this if you're not sure.
And then run Windirstat. This gives a graphical representation of who is using what. Poke around a bit.
Man, I had a ton of crap on my PC and now it's gone!
Enjoy!
Ideas and thoughts about Microsoft Identity, C# development, cabbages and kings and random flotsam on the incoming tide
Wednesday, May 05, 2010
Tuesday, March 23, 2010
Misc : Can't login to Stack Overflow with Blogger OpenID
Suddenly couldn't log in to Stack Overflow or its "family" (Meta, ServerFault, SuperUser etc.) using my Blogger OpenID. (Cue: Major panic).
Mr. Google to the rescue - the answer is here in this article How to upgrade your Blogger OpenID to a decent one.
Note: I did not get the length error reported in some posts but the above sorted out my problem.
Tip: To ensure this doesn't happen again, get an alternate OpenID - I used Google. Just click on your user name at the top of the StackOverflow screen and then click "Change OpenID" (next to the "Edit" hyperlink). You then get an "openid" and an "alt openid" and you can swap the two around using the "swap" hyperlink.
Enjoy!
Wednesday, March 10, 2010
Preventing Cross-Site scripting in Java
You can read about XSS here: Cross-site scripting
Been trying to figure out how to disable it using HTML encoding and what Java libraries are available.
OWASP's site has an article on this: http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java
To quote:
"Injection attacks rely on the fact that interpreters take data and execute it as commands. If an attacker can modify the data that's sent to an interpreter, they may be able to make it misbehave. One way to help prevent this from happening is to encode the attacker's data in such a way that the interpreter will not get confused. HTML entity encoding is just such an encoding mechanism for many interpreters."
There are two ways to encode the data viz. entity reference and numeric reference:
From Wikipedia:
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
An entity reference uses the "&" symbol:
&quot; (double) quotation mark
&amp; ampersand
&apos; apostrophe (= apostrophe-quote)
&lt; less-than sign
&gt; greater-than sign
A numeric character reference refers to a character by its Universal Character Set/Unicode code point, and uses the format
&#nnnn;
or
&#xhhhh;
where nnnn is the code point in decimal form, and hhhh is the code point in hexadecimal form.
Although the OWASP article mentioned above talks about entity references, the code sample enclosed actually uses numeric entity encoding i.e.
<script></script>
encodes as:
&hash60;script&hash62;&hash60;&hash47;script&hash62;
where "hash" = the "#" character
Some further research around this issue leads to:
AntiXSS for Java which is a port to Java of the Microsoft Anti-Cross Site Scripting (AntiXSS) library for .NET applications
and to:
Open Web Application Security Project (OWASP)
which has a:
Enterprise Security API (ESAPI)
Click on the "Java EE" tab. There are two ways to invoke the functionality. One uses the classes directly:
    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.codecs.HTMLEntityCodec;

    public static StringBuilder esapiCodecHtml(String s)
    {
        HTMLEntityCodec hec = new HTMLEntityCodec();
        StringBuilder b = new StringBuilder(s.length());
        // Characters to pass through unencoded
        char[] immune = { ',', '.', '-', '_', ' ' };

        // The canonical form is printed for inspection only; the loop
        // below encodes the original input, not the canonicalized string
        String clean = ESAPI.encoder().canonicalize(s);
        System.out.println("Cleaned result is " + clean);

        for (int i = 0; i < s.length(); i++)
        {
            // Encode one character at a time as an HTML entity
            b.append(hec.encodeCharacter(immune, s.charAt(i)));
        }
        return b;
    }
Note: ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. Failure to canonicalize input is a very common mistake when implementing validation schemes. Canonicalization is automatic when using the ESAPI Validator.
and the other uses the wrapper:
    import org.owasp.esapi.ESAPI;

    public static String esapiEncodeForHTML(String s)
    {
        // The canonical form is printed for inspection only
        String clean = ESAPI.encoder().canonicalize(s);
        System.out.println("Cleaned result is " + clean);

        // Output-encode the original input for an HTML context
        return ESAPI.encoder().encodeForHTML(s);
    }
They both convert <script></script> to andlt;scriptandgt;andlt;&hashx2f;scriptandgt;
where "and" is the "&" character.
Interestingly, this is a combination of both reference types.
Just to note: The example at the top converted the "/" to &hash47; whereas ESAPI converts it to &hashx2f;. This is because one is decimal and one is hex!
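The decimal / hex / named difference noted above, as an added example (not code from the original post or from ESAPI): a stand-alone encoder that emits each reference form for the same test string and checks that all three resolve back to the same text. The names EntityForms, encode, decode and Form are hypothetical; it goes slightly beyond the post by covering all three forms side by side and reusing the immune set from the ESAPI snippet.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EntityForms {
    enum Form { NAMED, DECIMAL, HEX }

    // The five named references listed in the post (name -> character).
    static final Map<String, Character> NAMES = new LinkedHashMap<>();
    static {
        NAMES.put("quot", '"'); NAMES.put("amp", '&'); NAMES.put("apos", '\'');
        NAMES.put("lt", '<');   NAMES.put("gt", '>');
    }
    static final String IMMUNE = ",.-_ ";  // same immune set as the ESAPI snippet
    // Digit counts are bounded so parseInt cannot overflow.
    static final Pattern REF =
            Pattern.compile("&(#x[0-9a-fA-F]{1,6}|#[0-9]{1,7}|[A-Za-z]+);");

    static String encode(String s, Form form) {
        StringBuilder b = new StringBuilder();
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            boolean asciiAlnum = cp < 128 && Character.isLetterOrDigit(cp);
            if (asciiAlnum || IMMUNE.indexOf(cp) >= 0) {
                b.appendCodePoint(cp);                       // passed through
            } else if (form == Form.NAMED && nameOf(cp) != null) {
                b.append('&').append(nameOf(cp)).append(';');
            } else if (form == Form.DECIMAL) {
                b.append("&#").append(cp).append(';');
            } else {                                         // HEX, and NAMED fallback
                b.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        }
        return b.toString();
    }

    static String nameOf(int cp) {
        for (Map.Entry<String, Character> e : NAMES.entrySet())
            if (e.getValue() == cp) return e.getKey();
        return null;
    }

    // Resolves references the way an HTML parser would; used for comparison only.
    static String decode(String s) {
        Matcher m = REF.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String r = m.group(1), ch;
            if (r.startsWith("#x")) ch = chars(Integer.parseInt(r.substring(2), 16));
            else if (r.startsWith("#")) ch = chars(Integer.parseInt(r.substring(1)));
            else ch = NAMES.containsKey(r) ? NAMES.get(r).toString() : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(ch));
        }
        m.appendTail(out);
        return out.toString();
    }

    static String chars(int cp) {
        return Character.isValidCodePoint(cp) ? new String(Character.toChars(cp)) : "\uFFFD";
    }

    public static void main(String[] args) {
        String input = "<script></script>";                  // the post's test string
        for (Form f : Form.values()) {
            String enc = encode(input, f);
            System.out.println(f + ": " + enc + "  round-trips: " + decode(enc).equals(input));
        }
    }
}
```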
Asides:
Refer to:
XSS (Cross Site Scripting) Prevention Cheat Sheet
Refer to my SO question:
Java - XSS - HTML encoding - Character entity reference vs. Numeric entity reference
Enjoy!
Thursday, March 04, 2010
IE : Enter won't submit the form
Wasted hours trying to fix this problem with IE. Firefox works A-OK.
When using JSP, if you have a form with one input field and the Submit button is not labelled Submit, then IE will not submit the form data on Enter. You have to click the "Submit" button to get it to work.
So I jumped into Stack Overflow and here's the answer to my question here.
Enjoy!
Thursday, February 25, 2010
XP : PC resumes from hibernation on its own
Had this problem on my XP PC. Trying to be clean and green so I put the PC into hibernation when I'm away for any length of time. (To do this, just press the power switch and then choose the Hibernation option.)
It stayed in hibernation for about 10 minutes and then came out of it of its own accord.
Mr. Google to the rescue and some research showed the answer here.
The trick is to select the "Only allow management stations to bring the computer out of standby" check box as described in the article. Problem solved.
Note: The title of the article i.e. "The computer may unexpectedly resume from standby or hibernation and then automatically return to standby or hibernation after two minutes" is somewhat misleading because my PC didn't return to hibernation but the fix still worked.
Enjoy.
Friday, February 12, 2010
Vista : No Audio Output Device is installed
The Compaq laptop with Vista Home Premium that we have always battles to play sounds through the headphones.
Somehow, we managed to disable the laptop sound while trying to get the headphones to work and got the message "No Audio Output Device is installed".
Control panel / Device manager / Sound, video and game controllers shows "High Definition Audio Codec". Tried updating the driver - Nix. Tried checking for new hardware - Nix.
Tried disabling - enabling - Nix.
You need to uninstall the device and then check for new hardware. Vista will find the "new" sound card and re-enable the audio device.
Problem solved.
Enjoy!
Monday, February 08, 2010
Java : Sending an HTTP OPTIONS command
The HTTP OPTIONS command is documented here.
I needed to do this programmatically and thought I would document the code.
    import java.net.HttpURLConnection;
    import java.net.URL;

    public class HttpOptions {
        public static void main(String[] args) {
            try {
                String type = "text/plain;charset=UTF-8";
                URL url = new URL("http://xxx/");   // placeholder host
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setDoOutput(true);
                conn.setRequestMethod("OPTIONS");
                conn.setRequestProperty("Content-Type", type);

                // Status line, e.g. "HTTP 200: OK"
                System.out.println(String.format("HTTP %d: %s",
                        conn.getResponseCode(), conn.getResponseMessage()));

                // Response headers; "Allow" lists the methods the server accepts
                for (String header : conn.getHeaderFields().keySet()) {
                    System.out.println(String.format("%s : %s",
                            header, conn.getHeaderFields().get(header)));
                }

                String rMessage = conn.getResponseMessage();
                System.out.println("Response " + rMessage);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
Running this against Sun Java System Application Server 9.1 returns:
HTTP 200: OK
X-Powered-By : [Servlet/2.5]
Content-Length : [0]
Allow : [GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS]
null : [HTTP/1.1 200 OK]
Date : [Sun, 07 Feb 2010 19:11:57 GMT]
Server : [Sun Java System Application Server 9.1]
Content-Type : [text/html; charset=iso-8859-1]
Response OK
This sends something like "OPTIONS / HTTP/1.0". There is another version of the command that sends "OPTIONS * HTTP/1.0".
The "*" is actually part of the URI. However, "java.net.HttpURLConnection" has no facility which allows this. Some research suggests that this could be done by using "Apache Commons HttpClient".
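The "OPTIONS *" form mentioned above, as an added example (not code from the original post): a plain java.net.Socket can put the literal "*" in the request line, which HttpURLConnection cannot. The class name OptionsStar, the loopback stand-in server and its canned reply are constructed so the example runs offline.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class OptionsStar {
    /** Sends "OPTIONS * HTTP/1.0" and returns the status line and headers. */
    static List<String> optionsStar(String host, int port) throws IOException {
        // The host is copied into a header, so reject anything that could
        // carry CR/LF or spaces into the request.
        if (!host.matches("[A-Za-z0-9.\\-]+")) {
            throw new IllegalArgumentException("unexpected character in host");
        }
        try (Socket s = new Socket(host, port)) {
            s.setSoTimeout(5000);
            OutputStream out = s.getOutputStream();
            out.write(("OPTIONS * HTTP/1.0\r\nHost: " + host + "\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            List<String> head = new ArrayList<>();
            String line;
            while ((line = in.readLine()) != null && !line.isEmpty()) {
                head.add(line);                      // stop at the blank line
            }
            return head;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in server bound to loopback only; point
        // optionsStar() at a server you administer to see a real reply.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread t = new Thread(() -> {
                try (Socket c = server.accept()) {
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(c.getInputStream(), StandardCharsets.US_ASCII));
                    System.out.println("server saw: " + in.readLine());
                    String l;
                    while ((l = in.readLine()) != null && !l.isEmpty()) { /* skip headers */ }
                    c.getOutputStream().write(("HTTP/1.0 200 OK\r\n"
                            + "Allow: GET, HEAD, POST, OPTIONS\r\n"   // constructed reply
                            + "Content-Length: 0\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
                } catch (IOException e) {
                    e.printStackTrace();
                }
            });
            t.start();
            for (String h : optionsStar("127.0.0.1", server.getLocalPort())) {
                System.out.println(h);
            }
            t.join();
        }
    }
}
```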
Enjoy!
Thursday, January 28, 2010
Metro : Printing / dumping out the contents of a SOAP packet
I've used Metro a lot and I've always battled to have decent logging.
In the web service, I normally log all the inputs and the outputs and all the exceptions. Wouldn't it be easier if you could just log all the requests and responses which would guarantee that you had all the information all of the time?
I just couldn't figure out how.
Until I came across "MessageDumpingFeature". You find this in the Glassfish \lib directory in the webservices-rt.jar file.
If you've generated web services using Metro, you'll find the code below very familiar. All you really need to do is replace:
service.getWebServiceName();
with
service.getWebServiceName(messageDumper);
The code looks like:
    import com.sun.xml.ws.assembler.MessageDumpingFeature;
    ... snip ...
    // Declared outside the try block so the catch block can read it too
    MessageDumpingFeature messageDumper = new MessageDumpingFeature();
    try {
        ServiceName service = new ServiceName();
        // Pass the feature when fetching the port so its messages are captured
        WebServiceName port = service.getWebServiceName(messageDumper);
        // TODO initialize WS operation arguments here
        java.lang.String xxx = "yyy";
        java.lang.String yyy = "zzz";
        // TODO process result here
        ResultName result = port.doWebService(xxx, yyy);
        // First captured message is the request, the next is the response
        String request = messageDumper.nextMessage();
        String response = messageDumper.nextMessage();
        System.out.println(request);
        System.out.println(response);
        ... snip ...
    } catch (Exception ex) {
        // After a failure the second message holds the SOAP Fault
        String request = messageDumper.nextMessage();
        String response = messageDumper.nextMessage();
        System.out.println(request);
        System.out.println(response);
    }
It prints out both normal responses and SOAP Faults.
A request would be dumped like:
<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:doWebService xmlns:ns2="http://namespace/">
<xxx>yyy</xxx>
<yyy>zzz</yyy>
</ns2:doWebService>
</S:Body>
</S:Envelope>
A valid response would be dumped like:
<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:doWebService xmlns:ns2="http://namespace/">
<return>
<aaa>bbb</aaa>
<bbb>ccc</bbb>
</return>
</ns2:doWebService>
</S:Body>
</S:Envelope>
A SOAP fault would be dumped like:
<?xml version="1.0" ?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope">
<faultcode>S:Server</faultcode>
<faultstring>SomeErrorString</faultstring>
<detail>
<ns2:SomeException xmlns:ns2="http://namespace/">
<message>SomeErrorMessage</message>
</ns2:SomeException>
</detail>
</S:Fault>
</S:Body>
</S:Envelope>
Of course, instead of dumping out the request / response, it could be written to a file instead.
Enjoy!
Thursday, January 07, 2010
SOAPUI : Adding a wsdl
Assume a WSDL like:
http://host:port/ApplicationServer/Service
Sometimes when you are adding a WSDL like the above you get an error:
SOAPUIException: Error importing wsdl
Try qualifying the URL i.e.
http://host:port/ApplicationServer/Service?wsdl
Enjoy!
Wednesday, January 06, 2010
SOAPUI : NoClassDefFoundError
Using SOAPUI 3.0.1 to test web services created using Netbeans, JAX-WS and Metro.
When I try and run the TestRunner, I get:
java.lang.NoClassDefFoundError: org/apache/commons/cli/CommandLineParser
My solution was to edit soapui.bat (in the /bin directory) and add:
set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16
at the top.
Then, instead of running soapui.exe from the desktop shortcut, I open a command prompt and run soapui.bat from there manually.
Problem solved.
Enjoy!
Tuesday, January 05, 2010
Metro : Sniffing the traffic with JAX-WS, Netbeans and Metro
I often use Fiddler to view / log browser traffic.
From the web site: "Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language."
However, it doesn't work when you want to look at Java web service (SOAP) traffic generated by the JAX-WS support in Netbeans (i.e. Metro).
I have a number of command line tools that I use to generate various types of traffic with a command line like:
java -jar SomeProgram.jar
To get Fiddler to work, you need to change the command line to:
java -DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=8888 -jar SomeProgram.jar
Fiddler uses port 8888 as default.
Enjoy!