Defining an agile methodology for orthodox environments

posted 19-Mar-2012 | 2 comments

My company designs and develops mobile and web-based banking solutions. Our customers (banks for the most part) are highly bureaucratized, orthodox (i.e. they like to have everything pre-defined and pre-approved) and risk averse, so change and the disruption of the status quo are not a normal sight within most of them.

Most banking IT departments are used to the good old waterfall development cycle (believe it or not). Additionally, when they purchase a tailor-made system (or a highly customizable product-based deployment) they prefer to know in advance exactly what the system will do, how it will do it and how long it will take to deploy (even if they don’t know what they want themselves).

I believe this happens a lot in provider/customer relationships, and not only in the financial sector.

But during real-life software development projects at banks, as on almost all software projects:

  • Changes are inevitable
  • Users don’t realize what they want until they see the system working
  • Developers don’t understand what the user needs until they see the user’s face looking at the actual system

So an agile methodology seems to be in order, right? But how to couple both worlds…

Read more »

Stronger anti cross-site scripting (XSS) filter for Java web apps

posted 17-Mar-2012 | one comment

Here is a good and simple anti cross-site scripting (XSS) filter written for Java web applications. What it basically does is remove all suspicious strings from request parameters before returning them to the application. It’s an improvement over my previous post on the topic.

You should configure it as the first filter in your chain (web.xml) and it’s generally a good idea to let it catch every request made to your site.

Read more »

Auditing and logging, separating debugging from security trails

posted 14-Mar-2012 | no comments

I bet that when you are about to start coding a new piece of software, especially if it’s for a corporate customer, you don’t even ask yourself whether to generate an activity log or not; it’s a mandatory commodity nowadays.

What’s not so obvious is that there are at least two major uses for an activity trail in almost all systems:

  1. Analyzing errors and technology problems.
  2. Keeping a record of users’ activities.

In my experience most developer-generated log information is oriented towards solving the first issue (analyzing errors). And even if you include context information in the log about the user, their actions and the consequences, your typical log has several disadvantages when it comes to solving the second problem.

Read more »

List all classes in a package (even from a JAR file)

posted 13-Mar-2012 | 7 comments

I recently needed to list all the classes available within a given list of packages, in order to execute them via reflection as part of a plugin architecture in a new product we are developing.

This proved to be a little harder than it should be, since Java’s reflection utilities don’t expose any metadata about the contents of a package available on your classpath.

Read more »

ricardozuasti.com

posted 12-Mar-2012 | one comment

As you have probably realized, I decided to change my blog’s URL to http://ricardozuasti.com. This change comes from my desire to give my blog a more personal touch, and also to open the door for other technologies besides Java in my posts.

The content and tone of the blog will continue along the same lines, hopefully with a lot more activity.

I also decided to code my own WordPress theme for the site, and since as a UI designer I’m an excellent programmer… I based it upon Twitter’s amazing Bootstrap UI. I hope you find it usable, clear and unobtrusive; feel free to send me suggestions and comments about it.

The spartanjava.com domain is still active and redirecting to the new address, so all bookmarks should work. The spartanjava RSS feed should also continue working, but if you can, please update your RSS readers to point to the new domain.

Read more »

Protecting web requests

posted 15-Jul-2011 | one comment

Afraid of malicious injections in your web app requests? Here’s a simple way to improve your application’s security: push every request parameter through a filtering function before it’s fed to your application code.

Such a function can be as simple as:

private String cleanParameter(String value) {
   if (value != null) {
      // Remove eval(...) calls and quoted "javascript:" URLs first, while the
      // parentheses and quotes they match on are still intact (both patterns
      // are case-sensitive and greedy)
      value = value.replaceAll("eval\\((.*)\\)", "");
      value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
      // Then escape HTML tag delimiters, parentheses and single quotes as
      // character entities (note: '&' itself is left untouched)
      value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
      value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
      value = value.replaceAll("'", "&#39;");
   }
   return value;
}

This will escape or remove potentially dangerous JavaScript code and HTML/XML tags.

You can implement this in a web filter, a Struts interceptor or a DWR filter, depending on the technology you use for your app.
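Both XSS posts above strip suspicious substrings from request parameters on the way in. As an added example (not the blog’s code), here is the approach most practitioners pair with or prefer over such a blacklist: leave the stored value intact and encode every HTML-significant character at the point where it is written into the page; the class name and the sample strings are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not the blog's own filter. Instead of removing patterns it
// encodes every character the HTML parser treats specially, so the output is
// safe in text content and in quoted attribute values, and legitimate input
// (quotes, parentheses, ampersands) survives unchanged once rendered.
public final class HtmlEncoder {

    // '&' must be encoded too; a filter that stores "&lt;" without encoding
    // '&' will render it back as "<" the next time the value is shown.
    public static String forHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: a legitimate value a blacklist would mangle,
        // and the textbook tag an encoder must neutralise.
        List<String> samples = Arrays.asList(
            "O'Brien & Sons (est. 1998)",
            "<script>alert(1)</script>");
        for (String s : samples) {
            System.out.println(forHtml(s));
        }
    }
}
```

Encoding is context-specific: this routine covers HTML text and quoted attributes, while values placed inside JavaScript, CSS or URLs need their own encoders.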

Read more »

Asynchronous logging with log4j

posted 25-Nov-2009 | 16 comments

In case you are not doing it already, using asynchronous logging is generally a good idea. You don’t want your application to slow down if the server IO is a little behind flushing all that logging to the filesystem. By making it asynchronous your application can continue running without having to wait for the log lines to be written to their final destination.

My personal choice for Java logging is log4j; there are a lot of different frameworks (including Sun’s own logging API), but log4j works great and is extremely flexible.
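As an added example (not code from the post), here is a log4j 1.2 setup that keeps a lossy asynchronous debug log separate from a lossless asynchronous audit trail, which connects this post with the earlier one on separating debugging from security trails; the logger names, file paths and the sample audit line are assumptions.

```java
import java.io.IOException;

import org.apache.log4j.AsyncAppender;
import org.apache.log4j.FileAppender;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;

// Added example using the log4j 1.2 API. The debug logger may drop events
// when the writer falls behind; the audit logger blocks instead, because a
// security trail with holes in it is worse than a slower request.
public final class AsyncLoggingSetup {

    // Wraps a synchronous FileAppender in an AsyncAppender so the calling
    // thread only enqueues the event and returns immediately.
    static AsyncAppender asyncFile(String path, int bufferSize,
                                   boolean blockWhenFull) throws IOException {
        PatternLayout layout = new PatternLayout("%d %-5p [%t] %c - %m%n");
        FileAppender file = new FileAppender(layout, path, true);
        AsyncAppender async = new AsyncAppender();
        async.setBufferSize(bufferSize);
        // Blocking=false discards events once the buffer is full and later
        // logs only a summary of how many were lost: fine for debug output,
        // unacceptable for an audit trail.
        async.setBlocking(blockWhenFull);
        async.addAppender(file);
        return async;
    }

    public static void main(String[] args) throws IOException {
        Logger debug = Logger.getLogger("com.example.app");   // assumed name
        debug.setAdditivity(false);
        debug.addAppender(asyncFile("app-debug.log", 1024, false));

        Logger audit = Logger.getLogger("AUDIT");              // assumed name
        audit.setAdditivity(false);
        audit.addAppender(asyncFile("app-audit.log", 4096, true));

        debug.debug("cache warmed in 42 ms");
        // Constructed audit record: who, what, outcome
        audit.info("user=alice action=TRANSFER amount=100.00 outcome=OK");
    }
}
```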

Read more »

View Android’s emulator log from Eclipse

posted 19-Nov-2009 | one comment

Sounds like it should be quite straightforward, right? Well, it is, but for some reason it took me more than a few minutes (maybe I need to get more sleep :P). Anyway, to view Android’s emulator log from Eclipse go to Window / Show View / Other… / Android / LogCat

Read more »

Get a web page programmatically from Android

posted 18-Nov-2009 | 10 comments

The Google folks were kind enough to include a version of the Apache HTTP Client in the Android SDK, so loading a web resource/page from our Android apps is really simple:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

// Fetches the page and returns the whole response body as a String
String fetchPage() throws IOException {
  HttpClient httpClient = new DefaultHttpClient();
  HttpContext localContext = new BasicHttpContext();
  // Plain http: the response is neither encrypted nor authenticated
  HttpGet httpGet = new HttpGet("http://www.spartanjava.com");
  HttpResponse response = httpClient.execute(httpGet, localContext);
  StringBuilder result = new StringBuilder();

  BufferedReader reader = new BufferedReader(
      new InputStreamReader(response.getEntity().getContent()));
  try {
    String line;
    while ((line = reader.readLine()) != null) {
      result.append(line).append("\n");
    }
  } finally {
    reader.close();   // also releases the underlying connection
  }

  // Now you have the whole HTML loaded in the result variable
  return result.toString();
}

Read more »

Super simple AJAX for Java apps using jQuery and JSON

posted 28-Oct-2009 | 5 comments

Back in April I wrote about Java to/from JSON serialization using XStream. After developing several AJAX applications using PHP and jQuery, I found that for a lot of scenarios a very simple approach is not only easy but very effective. In the case of PHP, you can effectively enable AJAX in your apps using jQuery’s $.getJSON() and PHP’s json_encode().

I think we can use a very similar approach for Java web applications, enabling the use of AJAX through a very simple, elegant and extensible architecture, without the use of complex frameworks and extra configurations.

Read more »