Tuesday, October 11, 2016

Struts 1.3.10 not backward compatible with Struts 1.2.9/1.2.4

Recently while working on one of the application built on top of Struts 1.2.4, there was a security vulnerability reported by Varacode scan asking us to upgrade to latest Struts 1 version 1.3.10.

Our organisation manages java libraries in Nexus Maven repository, the application built around 6 years back which does not make use of Maven for managing its dependencies. As a security mandate we must use our internal Maven Nexus repository to obtain all dependent jars of Struts 1.3.10 and put them manually in the classpath of ant script.

Fortunately good people at Apache Software Foundation have already thought about the problem and have built maven dependencies plugin which allows us to easily download the dependencies of any artifact, so I followed below steps to download these dependencies

1. I created one blank maven project in Eclipse
2. Updated the pom.xml as follows


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.test</groupId>
  <artifactId>dependencydownload</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  
 <build>
  <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>2.10</version>
        <executions>
          <execution>
            <id>copy-dependencies</id>
            <phase>install</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/dependencies</outputDirectory>
              <overWriteReleases>false</overWriteReleases>
              <overWriteSnapshots>false</overWriteSnapshots>
              <overWriteIfNewer>true</overWriteIfNewer>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
 </build>
    
    <dependencies>
    <dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts-core</artifactId>
    <version>1.3.10</version>
</dependency>
    </dependencies>
</project>
As highlighted in above pom.xml dependencies plugin will execute on maven install phase and will store its dependencies in
${project.build.directory}/dependencies
folder which as per Maven convention is your target/dependencies directory.

If your organisation uses custom Maven setup then this default may refer to some other directory. Once you run command mvn install either from command line or from Eclipse you should get all your dependencies in your target/dependencies

Once you obtain all the dependencies you can easily add them in ant script.

Making struts configuration changes.



After updating jars you need to follow below instructions to get the application working.

1. Identify if there are any tag libraries copied from older struts jars to your web application. If there are you need to replace them from the new struts jar.

2. Identify any custom tags defined which points to older struts tag classes, if you find you need to search for new class package [ Don't forget to use Eclipse Ctrl-Shift-T ] Once you make above changes hopefully you will have your application up and running.

Hope this helps.

Sunday, March 9, 2014

Findbugs issue with detecting resource leaks for resource initialized outside methods scope

Recently while working with Findbugs plugin for Eclipse I discovered that Findbugs fails to identify resource leak in the scenarios where resource is initialized outside the method scope.

Below is the sample code in which Findbugs fails to detect resource leak
public class TestConn {
 // JDBC driver name and database URL
 static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";
 static final String DB_URL = "jdbc:mysql://localhost/EMP";

 // Database credentials
 static final String USER = "username";
 static final String PASS = "password";

 public static void main(String[] args) {
  Test();
 }// end main

 private static void Test() {
  Connection conn = null;
  Statement stmt = null;
  try {
   // STEP 2: Register JDBC driver
   Class.forName("com.mysql.jdbc.Driver");

   // STEP 3: Open a connection
   System.out.println("Connecting to database...");
   conn = getConn();//<===Findbugs fails to detect connection leak

   // STEP 4: Execute a query
   System.out.println("Creating statement...");
   stmt = conn.createStatement();
   String sql;
   sql = "SELECT id, first, last, age FROM Employees";
   ResultSet rs = stmt.executeQuery(sql);

   // STEP 5: Extract data from result set
   while (rs.next()) {
    // Retrieve by column name
    int id = rs.getInt("id");
    int age = rs.getInt("age");
    String first = rs.getString("first");
    String last = rs.getString("last");

    // Display values
    System.out.print("ID: " + id);
    System.out.print(", Age: " + age);
    System.out.print(", First: " + first);
    System.out.println(", Last: " + last);
   }
   
  } catch (SQLException se) {
   // Handle errors for JDBC
   se.printStackTrace();
  } catch (Exception e) {
   // Handle errors for Class.forName
   e.printStackTrace();
  } finally {
   /*try {
    conn.close();
   } catch (SQLException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
   }*/
  }// end try
  System.out.println("Goodbye!");
 }

 private static Connection getConn() throws SQLException {
  return DriverManager.getConnection(DB_URL, USER, PASS);
 }
}
As you might already recognized the leak situation where connection object initialized at line 24.
conn = getConn();//<===Findbugs fails to detect connection leak
The solution for the problem is not that straightforward and separate plugin was required to recognize the resource leak situations. This new plugin would act as add on for Findbugs to detect leak in this specific scenario.

You download the plugin at https://github.com/spsarolkar/Findbugs_AdResTrackr/blob/master/AdvancedResourceTrackr/dist/LeakedResourceDetector.jar

Feel free fork the repository "https://github.com/spsarolkar/Findbugs_AdResTrackr.git"

Friday, August 14, 2009

Difference between C++ references and Java references

Many people who learn Java with a background of C++ often get confused between reference of C++ and reference of Java. Even if they share same phrase there is not much similarity between them. You might wonder that C++ pointers share the similar functionality that of Java references.
Here is the similarity between C++ pointers and Java references.



C++ PointersJava references
Declaration and assignment:
Obj* o1;//Uptil now no memory is allocated on heap
o1=new Obj();//Now we have o1 pointing to object on heap
Declaration and assignment:Obj o1;//Uptil now no memory is allocated
o1=new Obj();//Now we have o1 pointing to object on heap
Base class pointer can point to derived class objectBase claas reference pointes to derived class object
Obj* o1,o2; o1=new Obj();
o2=o1;
o1 and o2 now point to same object
Obj o1,o2; o1=new Obj();
o2=o1;
o1 and o2 now point to same object


In C++ if we try to assign derived class object to base class reference, object slicing will occur.
From this you can get a idea about how much strong the references are, they allow runtime polymorphism without dealing with pointers. In case of pointers you need to free the memory allocated for pointers. In Java we do not need to wory about freeing allocated memory because system(JVM) takes care of it. So Java tried to achive best of both the worlds. This all comes at the price. As garbage collection ( name of background thread responsible for releasing allocated memory ) run as a background process it slows down the system.

Tuesday, June 23, 2009

CODD's Rules

Edgar F. Codd is a father of RDBMS ( Relational database management system )
He has putforth twelve rules which DBMS must follow ( 10 followed by Oracle 2 partialy followed )
These rules are
  • Information rule
  • Gauranted access
  • Systematic treatement to NULL
  • Active online catalog
  • Comprehensive data language
  • View updating rule
  • High level Insert,Update,Delete
  • Physical data independence
  • Logical data indepence
  • Distributed independence
  • Integrity indepence
  • No subversion rule

Information rule: It states that all information shold be stored in tables. Information about the tables should also be stored in tables.
Guaranted Access: It states that if you know table name and primary key you should be able to recover unique record.
Systematic treatement to NULL: It states that NULL is not confined to any datatype but it can be stored in all datatypes.
Active Online Catalog: It states that all information about databases should be stored in data dictionary which should be maintained by DBMS.
Comprehensive data language: This rule states that all data should be accessible by language. All DBMS follows this by providing SQL.
View updating rule: All views should be able to do DML operations. (Not followed by all DMBS not even Oracle).
High level Insert,Update,Delete: High level insert update delete should be possible i.e. it should affect multiple records with single query
Physical data independence: This rule states that where data is stored should be taken care by Operating System. This rule is partially followed by Oracle. Oracle tells OS where to store data using hash.
Logical data indepence: This rule states that data can be present anywhere physically but it should be accessible using same query. e.g. when we run select query we get desired result every time even when DBMS keeps on modifying location where data is stored for efficiency purposes.
Integrity independence:
  1. Entety integrity - Concept of primary key
  2. Referncial integrity - Concept of foreign key
  3. Domail integrity - Concept of data type

Distributed independence: DBMS should support distributed database. Followed by oracle.
Non-subversion rule: If relational system has low level language this language should not bypass integrity constraints