Thursday 12 April 2012

adding a new column as primary key in existing table

Today I come across a little tricky situation to add new column to existing table and make it as a primary key in MS SQL server, the solution is luckily simple,


 alter table my_table add [my_new_id] [int] IDENTITY(1,1);  
 alter table my_table add constraint pk_my_id primary key(my_new_id);  


if you already have a primary key, just remove that and add this new primary key.

Wednesday 11 April 2012

Running Multiple SoapUI Mock Services from single Maven pom


Sometimes we may need to run multiple SoapUI mock services as part of Test cases, usually if we start multiple mock services from SoapUI, all will start in the same port, but for some reason it is not supported when we start as part of maven execution. Below is the pom entry which is used to start two or more mock services in different ports.

<plugin>
        <groupId>eviware</groupId>
          <artifactId>maven-soapui-plugin</artifactId>         
          <executions>
            <execution>
              <id>soapui-test1</id>
              <phase>test</phase>
              <goals>
                <goal>mock</goal>
              </goals>
              <configuration>            
                   <projectFile>target/mock-project1.xml</projectFile>
                   <port>8088</port>
                   <noBlock>true</noBlock>
                 </configuration>
            </execution>
            <execution>
              <id>soapui-test2</id>
              <phase>test</phase>
              <goals>
                <goal>mock</goal>
              </goals>
             <configuration>           
                   <projectFile>target/mock-project2.xml</projectFile>
                   <port>8089</port>
                   <noBlock>true</noBlock>
                 </configuration>             
            </execution>
          </executions>
        </plugin>

Monday 9 April 2012

Secure your web apps with HDIV


Recently integrated hdiv framework into the web application I am working on.

We had already had taken enough safety measures to secure the web application, like

1. Always encoding the outputs (like always output from jsp using <C:out> with xml encoding instead of just printing them)
2. Code to secure against SQL injections
3. etc. 

But HDIV is an interesting framework, it seamlessly integrates with the existing application, no need to change the existing code (most of the time) and secures web application mainly against following attacks.

1. Cross site Scripting
2. SQL Injections
3. URL Tampering (I really like this protection, IMO only the links in the web site should be used for navigation, user should not be able to change the URL, especially the values in the path to navigate)
4. Spring bean auto binding, etc.

There are good documents about HDIV in its website hdiv.org, but did found much documentation about its integration with existing applications. So decided to explore my self and found an interesting example implementation at https://github.com/hdiv/hdiv-spring-mvc-showcase, downloaded that and explored, it is really awesome. So I am documenting some simple steps to integrate hdiv with your existing spring application.

Step 1: Dependencies

Include following dependencies in your project, for maven,

        <dependency>
                 <groupId>org.hdiv</groupId>
                   <artifactId>hdiv-core</artifactId>
                   <version>2.1.1</version>
          </dependency>
          <dependency>
                   <groupId>org.hdiv</groupId>
               <artifactId>hdiv-config</artifactId>
               <version>2.1.1</version>
          </dependency>
          <dependency>
                   <groupId>org.hdiv</groupId>
                   <artifactId>hdiv-spring-mvc</artifactId>
                   <version>2.1.1</version>
          </dependency>
          <dependency>
                   <groupId>org.hdiv</groupId>
                <artifactId>hdiv-jstl-taglibs-1.2</artifactId>
                 <version>2.1.1</version>
         </dependency>

Step 2: HDIV-Config.xml

Copy hdiv-config.xml to your resource folder(alternatively classpath, sample found in the showcase app)
see details about hdiv-config at bottom of this post.

Step 3:  web.xml Changes
Step 3.1

Include hdiv-config.xml in context config location as

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
               classpath:/spring-context.xml
               classpath:/hdiv-config.xml
        </param-value>
    </context-param>

Step 3.2

include following hdiv specific entries as,

    <!-- HDIV Init Listener -->
    <listener>
        <listener-class>org.hdiv.listener.InitListener</listener-class>
    </listener>
    <!-- HDIV Validator Filter -->
    <filter>
        <filter-name>ValidatorFilter</filter-name>
        <filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
     </filter>
     <filter-mapping>
        <filter-name>ValidatorFilter</filter-name>
        <servlet-name>dispatcher</servlet-name>
     </filter-mapping>

here dispatcher is the nothing but spring dispatcher servlet, example

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    </servlet>

Step 3.3

 point JSTL to hdiv customized JSTL tag library.

    <jsp-config>
        <taglib>
           <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
           <taglib-location>/WEB-INF/tlds/hdiv-c.tld</taglib-location>
        </taglib>
    </jsp-config>                    


Step 4: copy hdiv-c.tld to web-inf

copy the hdiv-c.tld from sample app to web-inf/tlds folder

Step 5: Create your initial landing page

HDIV protected site always expects an HDIV state code to validate the page, if you are trying to access any page without hdiv state it will redirect you to the error page, so we have to create some initial landing page which redirect to other page with hdiv state, following is an sample jsp for initial landing page

name: index.jsp

<body>
        <c:redirect url="login/login.html"></c:redirect>
</body> 
</html> 

include this file in welcome pages list in web.xml and place it in the root folder and add the root folder as starting pages folder in hdiv-config.xml, example 

<hdiv:config errorPage="/error.jsp">
    <hdiv:startPages>/</hdiv:startPages>
     <hdiv:paramsWithoutValidation>
          <hdiv:mapping url="/job/[0-9]*/.*/update.ht"  parameters=".*"/>
     </hdiv:paramsWithoutValidation>         
</hdiv:config>

All the files in the root folder(/) is considered as landing or starting page, so will be exampted from validation for hdiv state.

Important points:

1. Spring tags 3.0 and later has build in support for hdiv, so they can be simple used along with hdiv, but to use previous versions of spring tags, you may need to point your tlds to customized spring tlds, please refer the hdiv document for more details.

2. When using along with spring security or other frameworks which intercept the request and redirects to different pages, special care should be given otherwise it will end up in indefinite redirection loops. I had spring security in the project, so moved all the spring security related files(login, logout, etc) to different path which will not be intercepted by hdiv for more clarity. 

3. whenever accessing hdiv protected paths from non protected paths always use redirects as mentioned in the landing pages step above.


Some Points on hdiv-config.xml

There are three main sections in this file

1. <hdiv:config> section, which is  used to configure the start pages path, error page and validation exceptions 

2. <hdiv:validation> section, which is used to define the acceptable input formats 

3. <hdiv:editableValidations> section, which is used to associate the validations defined in <hdiv:validation> section with paths.

HDIV is really an added protection to the sites, developers may miss few things when protecting the site. By using a framework like HDIV, developers can concentrate more on building the logic than protecting each and every page. 

Give a try, post comment on how you go....