Sometimes what you think is a problem with your web code is due to something completely unrelated. We created a web site and when I added an alt tag to an image (supposedly that was the cause and related timing according to the person having the problem) the image wouldn't appear randomly in Firefox for one person on one machine.
Now I know for a fact that adding an alt tag to an image is definitely not supposed to affect the ability for that image to appear in a browser. There's just no sense to that. When I finally had time to nail down all the parameters related to this problem it turned out the problem was only occurring on one machine, on any network, and not on any other machines on the same networks. I also never experienced this particular problem. Further Google searches indicated that a plugin from Real Networks somehow causes images not to appear in Firefox under certain circumstances. Further testing confirmed this to be the cause of the problem in this particular instance, however there is also information on the Firefox help web site about other potential causes of images not showing up in a Firefox browser.
The moral of the story is - it's not always the web site programmer's fault when something doesn't work. There are so many factors involved in web sites from your router and network equipment, local and wide area networks, machines in between you and the web server you're trying to access, all the plugins and add-ons in your browser and your virus and spyware software, not to mention potential malware and viruses on your machine. It's important to look into all these potential factors when trying to determine the cause of "a problem with a web site". It may not be the web site that has the problem.
Notes. Code. Cloud. AWS. Security. Automation. Databases. Bugs. Error Messages. No Guarantees.
Teri Radichel - Software Programmer and System Architect - Cloud + Security
Tuesday, October 13, 2009
Sunday, October 11, 2009
The Content already has an existing parent
If you want to make a new XML Document using JDom from a node in another XML document, you first need to remove that node from the parent XML document using detach() method.
If you try to create a new XML Document using the node before detaching it you get this error message:
The Content already has an existing parent [some parent node name].
I'm sure there is a reason why this is the error message but when you're using a node to create a new XML document the error message makes little sense to me in this particular context.
If you try to create a new XML Document using the node before detaching it you get this error message:
The Content already has an existing parent [some parent node name].
I'm sure there is a reason why this is the error message but when you're using a node to create a new XML document the error message makes little sense to me in this particular context.
Sunday, September 27, 2009
Big-O Notation
Big-O Notation measures the complexity of an algorithm or order of magnitude of the number of operations required to perform a function. In other words, how the number of processing steps increase as the number of items being processed increases. Processing may not increase in a constant manner. For instance if processing one item takes 2 seconds, processing 100 item does not necessarily take 200 seconds (2 * 100).
Big-O notation is a type of language or notation or terminology to discuss the the reality which is - algorithms need to process efficiently. Without knowing Big-O notation, an experienced programmer can look at an algorithm and understand that a step that can be moved to process outside of a loop will reduce the processing steps by the number of loops the algorithm has to perform less one. Instead of processing once for each item in the list, it can process that step only one time. For me, this underlying understanding of processing steps is more important than reciting Big-O Notation, but we must follow industry standards when applying for jobs. We need a way to communicate about complexity of an algorithm with other programmers. So I conform.
Common Big-O notation orders:
O(1) represents function that runs in constant time
The time to run an algorithm doesn't change based if the number of items being processed changes. Whether running 1 or 1000 items the time remains constant. This is rare. Looking up an element in an array usually takes the same amount of time no matter how many items are in the array and would be said to run in constant time.
O(N) represents function that runs in linear time
Operations to run directly proportional to number of items processed. For instance if it take 3 minutes to process 1 item it will take 3 X 10 = 30 minutes to process 10 items.
O(N2) represents a function that runs in quadratic time.
The equation for quadratic time is (N2 - N) / 2. Or in other words 0+1+2+...+(N-1). In Big-O notation constants are dropped so we have N2 - N. As the number of items increases, subtracting N from the result becomes a negligible difference so we can skip that and end up with N2. So if you have 2 items a function that runs in O(N2) roughly takes 4 processing steps and with 10 items takes 100 processing steps. An example would be inserting items being processed into an array in the first position and having to move every single item of the array each time to insert the new item. Functions running in quadratic time are typically not acceptable for interactive applications.
O(log N) and O(N log N) represent a functions that runs in logarithmic time.
The running time of an algorithm increases with the log of the number of items being processed. These generally mean that the algorithm deals with a data set that is partitioned into small groups of data as it is processed, like a balanced binary tree.
For instance if your asked to find the number I'm thinking of out of 100 you could ask, is it greater than or less than 50. I say greater. You say is it greater or less than 75. I say greater. You say is it greater or less than 87.5. I say greater...and continues until you get to the number I am thinking of which is 88. This is more efficient than saying, "Is it one? Is it two? Is it three?..." etc.
O(N!) represents a function that runs in factorial time.
Factorial of 5 would be 5 x 4 x 3 x 2 x 1. So if there were five items being processed and the algorithm runs in factorial time then it would require 120 processing steps. If an algorithm performs in factorial time, look for a better solution.
Related articles:
Determining Big O Notation
O (n log n)
No matter how much Big-O analysis you do, you'll still ultimately need to test your algorithms on large data sets and there are a number of factors which can affect performance outside a single algorithm in an application. Ultimately you need to test performance. As the following article states: "the only real way to know for sure is to actually try it with large data sets. There may be performance issues that are not taken into account by big-oh notation, eg, the effect on paging as virtual memory usage grows."
However during the design process, Big-O notation provides a way to talk about the complexity of an algorithm and how efficient it is expected to be in advance.
Big O Notation Notes
Big-O notation is a type of language or notation or terminology to discuss the the reality which is - algorithms need to process efficiently. Without knowing Big-O notation, an experienced programmer can look at an algorithm and understand that a step that can be moved to process outside of a loop will reduce the processing steps by the number of loops the algorithm has to perform less one. Instead of processing once for each item in the list, it can process that step only one time. For me, this underlying understanding of processing steps is more important than reciting Big-O Notation, but we must follow industry standards when applying for jobs. We need a way to communicate about complexity of an algorithm with other programmers. So I conform.
Common Big-O notation orders:
O(1) represents function that runs in constant time
The time to run an algorithm doesn't change based if the number of items being processed changes. Whether running 1 or 1000 items the time remains constant. This is rare. Looking up an element in an array usually takes the same amount of time no matter how many items are in the array and would be said to run in constant time.
O(N) represents function that runs in linear time
Operations to run directly proportional to number of items processed. For instance if it take 3 minutes to process 1 item it will take 3 X 10 = 30 minutes to process 10 items.
O(N2) represents a function that runs in quadratic time.
The equation for quadratic time is (N2 - N) / 2. Or in other words 0+1+2+...+(N-1). In Big-O notation constants are dropped so we have N2 - N. As the number of items increases, subtracting N from the result becomes a negligible difference so we can skip that and end up with N2. So if you have 2 items a function that runs in O(N2) roughly takes 4 processing steps and with 10 items takes 100 processing steps. An example would be inserting items being processed into an array in the first position and having to move every single item of the array each time to insert the new item. Functions running in quadratic time are typically not acceptable for interactive applications.
O(log N) and O(N log N) represent a functions that runs in logarithmic time.
The running time of an algorithm increases with the log of the number of items being processed. These generally mean that the algorithm deals with a data set that is partitioned into small groups of data as it is processed, like a balanced binary tree.
For instance if your asked to find the number I'm thinking of out of 100 you could ask, is it greater than or less than 50. I say greater. You say is it greater or less than 75. I say greater. You say is it greater or less than 87.5. I say greater...and continues until you get to the number I am thinking of which is 88. This is more efficient than saying, "Is it one? Is it two? Is it three?..." etc.
O(N!) represents a function that runs in factorial time.
Factorial of 5 would be 5 x 4 x 3 x 2 x 1. So if there were five items being processed and the algorithm runs in factorial time then it would require 120 processing steps. If an algorithm performs in factorial time, look for a better solution.
Related articles:
Determining Big O Notation
O (n log n)
No matter how much Big-O analysis you do, you'll still ultimately need to test your algorithms on large data sets and there are a number of factors which can affect performance outside a single algorithm in an application. Ultimately you need to test performance. As the following article states: "the only real way to know for sure is to actually try it with large data sets. There may be performance issues that are not taken into account by big-oh notation, eg, the effect on paging as virtual memory usage grows."
However during the design process, Big-O notation provides a way to talk about the complexity of an algorithm and how efficient it is expected to be in advance.
Big O Notation Notes
Thursday, September 10, 2009
REST vs. SOAP Web Services
I had a request to interview for a contract job using web services. I've recently worked with .NET Web services that were implemented using SOAP and done Java web services previously but wanted a refresher. I went to look for a SOAP web service on Google to test with and it seems like Google has switched entirely to REST. I never really thought about it but I guess REST is another type of web service. I just kind of associated web services with SOAP. Wikipedia has a pretty good definition of web services.
As it turns out a lot of the major web API players are switching to REST - which is good. When I used REST for a web site integrating with Amazon's IMDB database it was much simpler and cleaner to use. I had previously reviewed a technical book and tried to test various SOAP web service software components and spent hours getting any of them to work correctly. REST is so much easier, cleaner, simpler - I wondered why everyone wasn't using it. Seems like now they are.
This is kind of funny because I went to an interview after working on the Amazon project and one of the people I was interviewing with commented that he had never met anyone who used REST before "in real life".
Here's an article comparing REST vs. SOAP web services:
Rest vs. SOAP Web Services
As it turns out a lot of the major web API players are switching to REST - which is good. When I used REST for a web site integrating with Amazon's IMDB database it was much simpler and cleaner to use. I had previously reviewed a technical book and tried to test various SOAP web service software components and spent hours getting any of them to work correctly. REST is so much easier, cleaner, simpler - I wondered why everyone wasn't using it. Seems like now they are.
This is kind of funny because I went to an interview after working on the Amazon project and one of the people I was interviewing with commented that he had never met anyone who used REST before "in real life".
Here's an article comparing REST vs. SOAP web services:
Rest vs. SOAP Web Services
Tuesday, September 01, 2009
Underscores in SQL Server Query
Well, learn something new every day. I've been using SQL Server for close to 15 years but I guess I never needed to query for an underscore before today. An underscore is a special character in SQL server.
You can use the _ wildcard character to represent any single character in a query. For instance if you want to search for any four letter word that starts with w and ends with at you could search for:
where field="w_at"
In order to query for an underscore in SQL Server you need to escape it. The escape character in SQL Server is square bracket []. So if you want to find a particular column with an undercore in it you can query using the like statement as follows:
where field LIKE '%[_]%'
If you want to query for anything with two underscores in it then you'd have to escape each underscore like this:
where field LIKE '%[_][_]%'
You can use the _ wildcard character to represent any single character in a query. For instance if you want to search for any four letter word that starts with w and ends with at you could search for:
where field="w_at"
In order to query for an underscore in SQL Server you need to escape it. The escape character in SQL Server is square bracket []. So if you want to find a particular column with an undercore in it you can query using the like statement as follows:
where field LIKE '%[_]%'
If you want to query for anything with two underscores in it then you'd have to escape each underscore like this:
where field LIKE '%[_][_]%'
Monday, August 24, 2009
Background Images Not Showing Up in Safari
Background images were not showing up in Safari for a particular web site.
Further testing indicated that putting content in the cell would make the background image show up to the point the cell was populated. In other words if I typed a bunch of lines of the word test with a break after each one, the background image would show up as far as the test list went down the page. I thought we could solve the problem by inserting an image of the particular size and shape we wanted to force the background to show up, however since the content on the page would grow and shrink we didn't have a specific height, and apparently height = 100% wasn't going to work either.
Further investigation seemed to indicate the problem had something to do with row spans where perhaps the browser has a problem calculating the height that the background image needs to be if the column it is in spans multiple rows. That's just a guess because I didn't spend time testing this out. Basically I just redesigned the page to eliminate the row spans and made the layout of the code a lot simpler and cleaner and the problem went away.
If someone had more time than I do right now some testing could probably further pinpoint the issue.
Further testing indicated that putting content in the cell would make the background image show up to the point the cell was populated. In other words if I typed a bunch of lines of the word test with a break after each one, the background image would show up as far as the test list went down the page. I thought we could solve the problem by inserting an image of the particular size and shape we wanted to force the background to show up, however since the content on the page would grow and shrink we didn't have a specific height, and apparently height = 100% wasn't going to work either.
Further investigation seemed to indicate the problem had something to do with row spans where perhaps the browser has a problem calculating the height that the background image needs to be if the column it is in spans multiple rows. That's just a guess because I didn't spend time testing this out. Basically I just redesigned the page to eliminate the row spans and made the layout of the code a lot simpler and cleaner and the problem went away.
If someone had more time than I do right now some testing could probably further pinpoint the issue.
Saturday, August 15, 2009
Java Generics List Iterator
Example of using Java generics list iterator
List<Element> l;
for (ListIterator<Element> it = l.listIterator(); it.hasNext(); )
{
Element e = it.next();
.....
}
List<Element> l;
for (ListIterator<Element> it = l.listIterator(); it.hasNext(); )
{
Element e = it.next();
.....
}
Sunday, May 24, 2009
Java Encryption
Update. DES is not secure. Use AES for symmetric encryption.
Most important: do not save keys and data in same location, otherwise don't bother encrypting at all. If the person has access to the key and the data obviously they can just unencrypt.
Consider key storage devises such as HSMs.
------
JCE (Java Cryptography Extension) Cipher Specifics
First of all, need to understand the encryption algorithm used and the specific requirements for using it in conjunction with the JCE (Java Cryptography Extension). For example if you're using DES algorithm to encrypt your data then JCE requires that you initialize the cipher using the IvParameterSpec class. The following post from sun Java forums was helpful in explaining some of this in conjunction with some information from various Java encryption books:
DES Java Encryption
- Cryptographics algorithms come in two flavors, asymmetric (public+private key) and symmetric (secret key).
[Note: Symmetric encryption requires that you keep your key secret because both encryption and decryption are done using the same key. Anyone who has your key can decrypt your data. Asymmetric encryption allows sending the public key to the person who wants to send you encrypted data and using a private key to decrypt the data. This latter form of encryption is useful when you want to allow web visitors, for instance, to encrypt and send you data, but you don't want anyone but yourself to be able to decrypt it - using your private or secret key]
- DES that is a symmetric algorithm.
- Symmetric algorithms come in two principal types, stream ciphers and block ciphers.
- Block ciphers encrypt data in blocks (usually 8-byte or 16-byte blocks).
- DES is a block cipher.
- Block ciphers are used in modes of operation, like ECB, CBC, OFB, etc.
- CBC requires a key and a Initialization Vector
[
Note:
Using JCE an initialization vector provided through IvParameterSpec object.
If you don't provide it you'll get the error: java.security.InvalidKeyException: Parameters missing
If you're using EBC mode it doesn't require an initialization vector and if you pass one in you may ge this error:
java.security.InvalidAlgorithmParameterException: ECB mode cannot use IV
To fix the above error change: "DES/ECB/PKCS5Padding" to "DES/CBC/PKCS5Padding" if EBC is not a requirement. ECB is prone to replay attacks according to some sources.
]
- Initialization vectors are usually random numbers, transmitted in clear, but can be made fixed if your problem requires it.
- If you can have random initialization vectors, you can avoid replay attacks. [i.e. someone cannot re-use your key unless they have the initialization vector]
Error: java.security.InvalidKeyException: Parameters missing
If using DES this is probably caused by not providing the initialization vector using the IvParameterSpec object.
To use the IvParameterSpec object you need to pass in a parameter which in this case is an array of 8 bytes. This is not a good example because it would be obvious to guess (1, 2, 3, 4... like password 12345) but explains the concept:
byte[] iv = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
IvParameterSpec ivSpec = new IvParameterSpec(iv);
//initialize the cipher using the IvParameterSpec
cipher.init(Cipher.DECRYPT_MODE, key, iv);
DES Key Size
I also found an example of some code which specifies the key size for DES which may prevent errors related to key being too short (not sure about this one but it worked):
String x = "DES/CBC/PKCS5Padding";
KeyGenerator gen = KeyGenerator.getInstance("DES");
gen.init(56); // 56 is the keysize. Fixed for DES
SecretKey key = gen.generateKey();
SecretKey
I did read somewhere that a secret key is problematic because it stores the key in a file somewhere. Will need to do more research on that later. There may be a better alternative than the SecretKey class.
SecureRandom
Initializing the keyGenerator with SecureRandom will help ensure randomness of keys. Some encryption mechanisms are weakened by the ability to guess or obtain keys using brute force because generation of keys uses a pattern that is easy to crack.
gen.init(new SecureRandom());
or for the example above:
gen.init(56, new SecureRandom());
Cross platform encoding of input data - UTF-8:
When getting the bytes of text you are trying to encode you'll want to ensure you're getting them in a format understood by all the systems using or displaying the data. UTF-8 is a good choice for web applications and email. Encode the text you want to encrypt like this:
String stringToEncrypt="encrypt this stuff";
instead of:
byte[] b = stringToEncrypt.getBytes();
use:
byte[] b = stringToEncrypt.getBytes("UTF-8");
javax.crypto.BadPaddingException: Given final block not properly padded
Some encryption algorithms have padding and others do not. The padding will tack on extra characters at the end of something that is encrypted to make it a fixed length. For instance:
test
may become
test===
The === are used to make test 8 characters long in the example above if that is the length I want according to the specification of the algorithm I'm using. The encryption algorithms will probably actually not have equal signs but nulls or some other means of creating a fixed length value.
You'll want to understand how padding is or is not used with your particular encryption algorithm and that padding is handled appropriately. Make sure you are using the correct algorithms, modes, etc. to encrypt and decrypt and that everything you're using matches up.
Additionally if you are transporting or persisting data you may need to encode it so it doesn't get altered in transit. Padding may be trimmed. Some modes of transport (passing data through HTTP via URLs) or persisting data to a database that doesn't understand all the characters in the encrypted bytes may cause characters to be lost or altered. Trying to put encryption data into a String without proper encoding won't work in most cases.
Base64 Encoding encrypted bytes before transported or stored will encode the encryption characters into characters that most systems understand. If you encode to Base64 for transport remember to decode again before you decrypt. Also note that encoding is not the same as encryption. If you encode your data using Base64 anyone can decode it using Base64.
To use Base64 you can download Apache Commons Codec from Apache.org
Import the package:
import org.apache.commons.codec.binary.*;
Code snippet:
Base64 b64 = new Base64();
byte[] a = "encrypt me".getBytes("UTF-8");
byte[] b = b64.encode(a);
encrypt(b) // call your encryption method
Before decrypting:
Byte[] c = b64.decode(b);
decrypt(c); // call your decryption method
Saving Keys to Database
Keys can be saved to a Java keystore which is basically a file. However you may also want to save your keys to a database if you have many keys and performance may be an issue or for other reasons. Remember if anyone gets a hold of your keys they can decrypt all your data so you'll want to think about how to do this securely. Using an encryption algorithm that also requires an initialization vector in addition to your key is helpful because the keys alone will not allow someone to decrypt the data. You may also limit use of keys for a short time period or use some other method to ensure keys are not reused in unintended ways.
If you want to save keys to a database then you can save your keys in VarBinary data type since that will store your byte data in the size it was passed in (no extra padding). Once you create a key you use the .getEncoded() method to get the encoded key bytes and save them to the database. Since the key is already encoded you shouldn't need to further encode it using Base64. Then you can retrieve it from the database using the getBytes("fieldname") Java sql method use it to decrypt your data.
Java Security by Scott Oaks has an example of implementation of a KeyStoreSpi class to use a database with a keystore for key management.
Friday, May 22, 2009
Special Characters to Block in Web Requests
Microsoft suggests weeding out these special characters in web requests:
< > " ' % ; ) ( & + -
Some people simply delete these characters, but a better approach is to encode them appropriately depending on what you are doing with them in your application.
< > " ' % ; ) ( & + -
Some people simply delete these characters, but a better approach is to encode them appropriately depending on what you are doing with them in your application.
Thursday, May 21, 2009
Wednesday, May 13, 2009
XSS
Just reading up on XSS (cross site scripting) attacks on web sites.
I ran across XSS shell which was linked from a few newsgroup postings where users were blatantly asking questions about how to hijack a web site using basic authentication and steal passwords. Some information was posted by securiteam.com about XSS-Shell:
http://www.securiteam.com/tools/6X00120HFO.html
This site states:
You can steal basic authentication, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.
Nice.
I then linked over to XSS Proxy which explains that Cross Site Scripting does not actually require a user to click on a link to execute if they visit a hijacked or purposefully set up web site that includes XSS code. This page has a bunch of links to more information about XSS and information about XSS-Proxy.
http://xss-proxy.sourceforge.net/
I ran across XSS shell which was linked from a few newsgroup postings where users were blatantly asking questions about how to hijack a web site using basic authentication and steal passwords. Some information was posted by securiteam.com about XSS-Shell:
http://www.securiteam.com/tools/6X00120HFO.html
This site states:
You can steal basic authentication, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.
Nice.
I then linked over to XSS Proxy which explains that Cross Site Scripting does not actually require a user to click on a link to execute if they visit a hijacked or purposefully set up web site that includes XSS code. This page has a bunch of links to more information about XSS and information about XSS-Proxy.
http://xss-proxy.sourceforge.net/
HTML Form File Upload
This is a good tutorial that makes it pretty easy to create a file upload form when using a Jetty web server:
Jetty File Upload
Basically you can just copy and paste the code and have a working file upload page in minutes.
The caveat here (as is true with any code snippet that is easy to copy and paste off the web) is that you're going to want to wrap all this in some kind of security rather than open up your web server to uploading files from anywhere on the Internet.
Additionally you'll probably want to limit the directories that can be accessed and make the directories where the files are uploaded to be non-executable and probably read only after the file is created as well.
You will want to make this form available only over SSL to help prevent files from being altered in transit and make sure your web server only uses secure SSL algorithms. You may trust your customers that are uploading files but what about all the servers those files pass through en route to your web server?
Another option would be limiting access to file upload to people on your VPN and/or restrict to certain IP Addresses.
File uploads should also be checked for viruses and malware. Making them non-executable is a good first step, assuming someone cannot hack your server and escalate privileges in such a way they can give themselves rights to change that user account to allow execution of the files. Checking to see that the files are only limited file types such as .jpgs or .gifs is helpful, however search Google for "jpg malware" or "gif malware" and you'll find plenty of examples of jpgs and gifs that have been altered to create a malicious file that can take over a machine or cause other problems.
The user on the system that is responsible for performing the file upload should also have limited rights on the system.
Of course with any web form you'll want to prevent insertion of special characters that can be used for code injection, etc. All requests should be scrubbed for potentially dangerous content.
Another thing I noticed about this code is that they are simply suppressing certain errors and warnings and sending some exceptions back to the screen. A better approach would be to catch and log all errors - including the IP address and request information when the error occurs - so you can see if someone is trying to hack your server an upload malicious content.
Just a few suggestions and I'm sure there's more that can be done to secure this simple example form.
Tiny url back to this page: http://tinyurl.com/secureforms
More on File Upload Security
Jetty File Upload
Basically you can just copy and paste the code and have a working file upload page in minutes.
The caveat here (as is true with any code snippet that is easy to copy and paste off the web) is that you're going to want to wrap all this in some kind of security rather than open up your web server to uploading files from anywhere on the Internet.
Additionally you'll probably want to limit the directories that can be accessed and make the directories where the files are uploaded to be non-executable and probably read only after the file is created as well.
You will want to make this form available only over SSL to help prevent files from being altered in transit and make sure your web server only uses secure SSL algorithms. You may trust your customers that are uploading files but what about all the servers those files pass through en route to your web server?
Another option would be limiting access to file upload to people on your VPN and/or restrict to certain IP Addresses.
File uploads should also be checked for viruses and malware. Making them non-executable is a good first step, assuming someone cannot hack your server and escalate privileges in such a way they can give themselves rights to change that user account to allow execution of the files. Checking to see that the files are only limited file types such as .jpgs or .gifs is helpful, however search Google for "jpg malware" or "gif malware" and you'll find plenty of examples of jpgs and gifs that have been altered to create a malicious file that can take over a machine or cause other problems.
The user on the system that is responsible for performing the file upload should also have limited rights on the system.
Of course with any web form you'll want to prevent insertion of special characters that can be used for code injection, etc. All requests should be scrubbed for potentially dangerous content.
Another thing I noticed about this code is that they are simply suppressing certain errors and warnings and sending some exceptions back to the screen. A better approach would be to catch and log all errors - including the IP address and request information when the error occurs - so you can see if someone is trying to hack your server an upload malicious content.
Just a few suggestions and I'm sure there's more that can be done to secure this simple example form.
Tiny url back to this page: http://tinyurl.com/secureforms
More on File Upload Security
Saturday, May 09, 2009
Singletons, Multithreading and Class Loaders
This is a pretty good article talking about use of Singletons and the implications of multi-threaded programming, distributed technologies and different class loaders.
Singleton Java
Singleton Java
Wednesday, April 29, 2009
Extra Characters in Concatenated XML String
I was attempting to concatenate two strings to form a new string. For some reason when I viewed the concatenated string there were extra characters between the concatenated values. The characters were tabs, carriage returns and spaces.
The value for the second part of the concatenated string was passed from a parent stylesheet to child template and then from child template to another child template. I am not quite sure why but some extra tabs and spaces got appended to the value as it was passed around. My xml file did not have any spaces or tabs around the value. I tried removing all the spaces and tabs around the with-param values and that didn't solve the problem either.
Well however those spaces got there I just wanted them to be gone so used the normalize-space XSL function which removed all the extraneous characters.
<xsl:value-of select="normalize-space(/little/suh-m/suh-m)"/>
The value for the second part of the concatenated string was passed from a parent stylesheet to child template and then from child template to another child template. I am not quite sure why but some extra tabs and spaces got appended to the value as it was passed around. My xml file did not have any spaces or tabs around the value. I tried removing all the spaces and tabs around the with-param values and that didn't solve the problem either.
Well however those spaces got there I just wanted them to be gone so used the normalize-space XSL function which removed all the extraneous characters.
<xsl:value-of select="normalize-space(/little/suh-m/suh-m)"/>
Friday, April 24, 2009
Text Box With No Value in XSL
If you're trying to display a text box with no value using XSL and the text box is collapsing, causing your HTML to be parsed incorrectly by a browser, set your HTML output method in your XSL file to HTML as explained here:
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
...
</xsl:stylesheet>
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
...
</xsl:stylesheet>
Comments in XSL to Show up in HTML
XSL tag to make XSL comments show up in HTML:
<xsl:comment>This is a comment</xsl:comment>
You may have to set output method = html in your xml file as well:
Output method = html
<xsl:comment>This is a comment</xsl:comment>
You may have to set output method = html in your xml file as well:
Output method = html
Tuesday, April 07, 2009
Login to CVS Remote via SSH
Login to CVS using SSH:
>set CVSROOT=:ssh:[user_name_here]@[server_here]:/[cvs_root_dir_here]
>cvs login
>CVS password:[enter password at the prompt]
Replace the items in brackets above with the appropriate information for your CVS server.
>set CVSROOT=:ssh:[user_name_here]@[server_here]:/[cvs_root_dir_here]
>cvs login
>CVS password:[enter password at the prompt]
Replace the items in brackets above with the appropriate information for your CVS server.
Thursday, April 02, 2009
java.net.BindException: Address already in use: JVM_Bind
After setting up SSL on a web server not running on a standard port I had to remind myself what was going on when I got this error:
java.net.BindException: Address already in use: JVM_Bind
Obviously two things were running on the same port. What I forgot was the default port was set to run on the same port I had set up SSL to run on. I commented out the default port in the configuration and now the web server only accepts SSL connections. (Which is what I wanted - I could have also set it up to accept http requests on one port and https requests on a different port).
This same error also happens when you have two applications configured to listen on the same port. For instance when running Tomcat, Apache and/or IIS on the same machine. They are HTTP web severs so typically all run on port 80 so have to configure them to run on different ports.
java.net.BindException: Address already in use: JVM_Bind
Obviously two things were running on the same port. What I forgot was the default port was set to run on the same port I had set up SSL to run on. I commented out the default port in the configuration and now the web server only accepts SSL connections. (Which is what I wanted - I could have also set it up to accept http requests on one port and https requests on a different port).
This same error also happens when you have two applications configured to listen on the same port. For instance when running Tomcat, Apache and/or IIS on the same machine. They are HTTP web severs so typically all run on port 80 so have to configure them to run on different ports.
IE8 Change causes Form Element References to break
I had a problem with some web pages on a particular application after upgrading to IE 8. Referencing forms like this stopped working (but continued to work in Firefox).
document.forms[0].field_name
document.forms["formname"].field_name
After exploring what I thought was an IE 8 bug further I found that my HTML code was missing a "td" tag in one place. Apparently because the HTML code was not well-formed somehow that affected the JavaScript code and was not executed properly.
Most of my HTML code is well-formed due to use of my web publishing engine (BMetrix.com) which forces a certain level of compliance but this was a custom component designed outside of the system which ended up having this particular issue.
document.forms[0].field_name
document.forms["formname"].field_name
After exploring what I thought was an IE 8 bug further I found that my HTML code was missing a "td" tag in one place. Apparently because the HTML code was not well-formed somehow that affected the JavaScript code and was not executed properly.
Most of my HTML code is well-formed due to use of my web publishing engine (BMetrix.com) which forces a certain level of compliance but this was a custom component designed outside of the system which ended up having this particular issue.
Tuesday, March 31, 2009
ScheduledThreadPoolExecutor vs. Timer (Java)
I read that the Timer object was replaced by the ScheduleThreadPoolExecutor class in a book on multi-threaded programming or maybe it was a book on design patterns. I stuck this information away in the back of my mind as I had previously written some code using the Timer class, and had been given Spring beans using timers.
Recently I started working on a something similar to my existing code using the Timer object. Since it was so similar I thought I would just copy my other project, modify it slightly, and be done with it. I ran into a problem where the execution of the code seemed to just stop without terminating the thread and no error message.
I switched to the Executor class and was able to get an error message. Apparently the Timer object has a problem with unchecked exceptions.
Then I switched over to the ScheduledThreadPoolExecutor - same thing. Execution hangs. No error message.
Here is a simple example of Executor:
Recently I started working on a something similar to my existing code using the Timer object. Since it was so similar I thought I would just copy my other project, modify it slightly, and be done with it. I ran into a problem where the execution of the code seemed to just stop without terminating the thread and no error message.
I switched to the Executor class and was able to get an error message. Apparently the Timer object has a problem with unchecked exceptions.
Then I switched over to the ScheduledThreadPoolExecutor - same thing. Execution hangs. No error message.
Here is a simple example of Executor:
public class ExampleExecutor
{
private static final int NTHREADS = 100;
private static final Executor exec
= Executors.newFixedThreadPool(NTHREADS);
public static void main(String args[]) {
while (true) {
Runnable task = new Runnable() {
public void run() {
doMyThing();
}
private void doMyThing(){
//do something
}
};
exec.execute(task);
}
}
}
Thursday, March 26, 2009
What is the difference between TLS and SSL?
In seeking the technical differences between TLS and SSL I uncovered many web pages which glossed over the topic and lacked any true answer or technical detail. Like this one which basically describes SSL on Yahoo Q & A.
This page, though vague, at least states that they are different standards and TLS uses stronger encryption mechanisms.
Many web sites claimed TLS was basically the same as SSL since it is based on SSL. If this were true, why would the IETF bother to create a new version and give it a different name on top of that? This made no sense.
Additionally why are most banks switching to TLS and requiring those who communicate with them via email to use it if there is no difference?
I ended up pulling up the IETF web site and pulling up the actual standard to take a look at what it had to say:
RFC Number 4346: TLS 1.1
In short, SSL3.0 and TLS are different according to a few blurbs I pulled out of the above TLS 1.1 Standard document:
_____________
IV
Unlike previous versions of SSL and TLS, TLS 1.1 uses an explicit IV in order to prevent the attacks described by [CBCATT]. We recommend the following equivalently strong procedures. For clarity we use the following notation....
__________
The SSLv3 specification was not clear about the encoding of public-key-encrypted data, and therefore many SSLv3 implementations do not include the length bytes, encoding the RSA encrypted data directly in the ClientKeyExchange message.
This specification requires correct encoding of the EncryptedPreMasterSecret complete withlength bytes. The resulting PDU is incompatible with many SSLv3 implementations. Implementors upgrading from SSLv3 must modify their implementations to generate and accept the correct encoding. Implementors who wish to be compatible with both SSLv3 and TLS should make their implementation's behavior dependent on the protocol version.
Implementation Note: It is now known that remote timing-based attacks on SSL are possible, at least when the client and server are on the same LAN. Accordingly, implementations that use static RSA keys SHOULD use RSA blinding or some other anti-timing technique, as described in [TIMING].
__________
When SSLv3 and TLS 1.0 were designed, the United States restricted the export of cryptographic software containing certain strong encryption algorithms. A series of cipher suites were designed to operate at reduced key lengths in order to comply with those regulations. Due to advances in computer performance, these algorithms are now unacceptably weak, and export restrictions have since been loosened. TLS 1.1 implementations MUST NOT negotiate these cipher suites in TLS 1.1 mode. However, for backward compatibility they may be offered in the ClientHello for use with TLS...
[Goes on to list ciphers]
______
In previous versions of SSL, CBC mode was used properly EXCEPT that it used a predictable IV in the form of the last block of the previous ciphertext. This made TLS [I think they mean SSL since talking about PREVIOUS versions] open to chosen plaintext attacks. This version of the protocol is immune to those attacks. For exact details in the encryption modes proven secure, see [ENCAUTH].
____________
By the way if you're using SSL 2.0 - get rid of it ASAP and you may want to use TLS enforcement from Postini or another provider in your email solution:
Because TLS includes substantial improvements over SSL Version 2.0, attackers may try to make TLS-capable clients and servers fall back to Version 2.0. This attack can occur if (and only if) two TLS-capable parties use an SSL 2.0 handshake.
_____________
And as a final note...
For TLS to be able to provide a secure connection, both the client and server systems, keys, and applications must be secure. In addition, the implementation must be free of security errors.
The system is only as strong as the weakest key exchange and authentication algorithm supported, and only trustworthy cryptographic functions should be used. Short public keys, 40-bit bulk encryption keys, and anonymous servers should be used with great caution. Implementations and users must be careful when deciding which certificates and certificate authorities are acceptable; a dishonest certificate authority can do tremendous damage.
This page, though vague, at least states that they are different standards and TLS uses stronger encryption mechanisms.
Many web sites claimed TLS was basically the same as SSL since it is based on SSL. If this were true, why would the IETF bother to create a new version and give it a different name on top of that? This made no sense.
Additionally why are most banks switching to TLS and requiring those who communicate with them via email to use it if there is no difference?
I ended up pulling up the IETF web site and pulling up the actual standard to take a look at what it had to say:
RFC Number 4346: TLS 1.1
In short, SSL3.0 and TLS are different according to a few blurbs I pulled out of the above TLS 1.1 Standard document:
_____________
IV
Unlike previous versions of SSL and TLS, TLS 1.1 uses an explicit IV in order to prevent the attacks described by [CBCATT]. We recommend the following equivalently strong procedures. For clarity we use the following notation....
__________
The SSLv3 specification was not clear about the encoding of public-key-encrypted data, and therefore many SSLv3 implementations do not include the length bytes, encoding the RSA encrypted data directly in the ClientKeyExchange message.
This specification requires correct encoding of the EncryptedPreMasterSecret complete withlength bytes. The resulting PDU is incompatible with many SSLv3 implementations. Implementors upgrading from SSLv3 must modify their implementations to generate and accept the correct encoding. Implementors who wish to be compatible with both SSLv3 and TLS should make their implementation's behavior dependent on the protocol version.
Implementation Note: It is now known that remote timing-based attacks on SSL are possible, at least when the client and server are on the same LAN. Accordingly, implementations that use static RSA keys SHOULD use RSA blinding or some other anti-timing technique, as described in [TIMING].
__________
When SSLv3 and TLS 1.0 were designed, the United States restricted the export of cryptographic software containing certain strong encryption algorithms. A series of cipher suites were designed to operate at reduced key lengths in order to comply with those regulations. Due to advances in computer performance, these algorithms are now unacceptably weak, and export restrictions have since been loosened. TLS 1.1 implementations MUST NOT negotiate these cipher suites in TLS 1.1 mode. However, for backward compatibility they may be offered in the ClientHello for use with TLS...
[Goes on to list ciphers]
______
In previous versions of SSL, CBC mode was used properly EXCEPT that it used a predictable IV in the form of the last block of the previous ciphertext. This made TLS [I think they mean SSL since talking about PREVIOUS versions] open to chosen plaintext attacks. This version of the protocol is immune to those attacks. For exact details in the encryption modes proven secure, see [ENCAUTH].
____________
By the way if you're using SSL 2.0 - get rid of it ASAP and you may want to use TLS enforcement from Postini or another provider in your email solution:
Because TLS includes substantial improvements over SSL Version 2.0, attackers may try to make TLS-capable clients and servers fall back to Version 2.0. This attack can occur if (and only if) two TLS-capable parties use an SSL 2.0 handshake.
_____________
And as a final note...
For TLS to be able to provide a secure connection, both the client and server systems, keys, and applications must be secure. In addition, the implementation must be free of security errors.
The system is only as strong as the weakest key exchange and authentication algorithm supported, and only trustworthy cryptographic functions should be used. Short public keys, 40-bit bulk encryption keys, and anonymous servers should be used with great caution. Implementations and users must be careful when deciding which certificates and certificate authorities are acceptable; a dishonest certificate authority can do tremendous damage.
Monday, March 23, 2009
Test Mail Server For Inbound TLS
Do you really know who is at the other end of your email communication? Read about TLS.
Here's how to test if your server supports TLS:
At command prompt use nslookup to get the mail server for a domain (in this example checking postini.com)
> nslookup
> set q=mx
> postini.com
The results have a line for each mail server like this:
postini.com MX preference = 5, mail exchanger = postini.com.s8a1.psmtp.com
> exit
Now use telnet to test the mail server above (after exchanger = ) to find out if supports TLS:
>telnet postini.com.s8a1.psmtp.com 25
after you connect:
>ehlo postini.com
If you see this in the output, the server supports inbound TLS communication:
> 250-STARTTLS
Unfortunately...a lot of mail companies support inbound, but not outbound TLS. Yahoo for example, supports sending mail using TLS however when I turned on end to end TLS enforcement, people using Yahoo could not send me email. That means email from them to me is never encrypted and highly insecure.
Here's how to test if your server supports TLS:
At command prompt use nslookup to get the mail server for a domain (in this example checking postini.com)
> nslookup
> set q=mx
> postini.com
The results have a line for each mail server like this:
postini.com MX preference = 5, mail exchanger = postini.com.s8a1.psmtp.com
> exit
Now use telnet to test the mail server above (after exchanger = ) to find out if supports TLS:
>telnet postini.com.s8a1.psmtp.com 25
after you connect:
>ehlo postini.com
If you see this in the output, the server supports inbound TLS communication:
> 250-STARTTLS
Unfortunately...a lot of mail companies support inbound, but not outbound TLS. Yahoo for example, supports sending mail using TLS however when I turned on end to end TLS enforcement, people using Yahoo could not send me email. That means email from them to me is never encrypted and highly insecure.
Java SSL Certrificate Request
Install Java and set up a path to the bin folder under your Java root if you haven't done so already.
Run the following commands from a command prompt (go to start menu and choose run, then type in cmd and hit enter to get a command prompt window).
_________________________________
Side note: These are the instructions on the Network Solutions web site including generating the request using RSA which according to Java defaults to MD5 signature algorithm.
In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", -sigalg defaults to "MD5withRSA". Please consult the Java Cryptography Architecture API Specification & Reference for a full list of -keyalg and -sigalg you can choose from.
MD5 is less secure than SHA and was a recent hack demonstrating how to spoof certain SSL certificates using MD5. Network Solutions says the CSR is generated using MD5 but doesn't matter because the certificate is signed using SHA1.
_________________________________
You can change the names below in red to whatever you want.
1. Go to the directory where you want to create the keystore file.
2. Type the following:
keytool -keystore mykeystore -alias mykeyalias -genkey -keyalg RSA
3. Answer the following questions. Make sure it matches what you put in your domain name registration. The full domain name is entered at the first and last name prompt (oddly enough). For example:
Enter keystore password: password
What is your first and last name?
[Unknown]: your.domainname.com
What is the name of your organizational unit?
[Unknown]: Whatever
What is the name of your organization?
[Unknown]: Your Company Name Here
What is the name of your City or Locality?
[Unknown]: Seattle
What is the name of your State or Province?
[Unknown]: WA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=your.domainname.com, OU=Whatever, O=Your Company Name Here,
L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password): supersecretpassword
Save the above information because you will need to type it in exactly if you ever need to recreate the certificate.
4. Type the following to generate a certificate request (CSR) file. The contents of this file will be given to the SSL Certificate Authority to generate a trusted certificate:
keytool -certreq -alias mykeyalias -keystore mykeystore -file myrequest.csr
5. Copy the contents of myrequest.csr and provide it to your certificate authority.
6. The certificate authority will give you back one or more files which you then need to import back into your keystore (in the order and according to the directions you get from your certficate authority). The command will look something like this:
keytool -keystore mykeystore -import -mykeyalias jetty -file mynewcert.crt -trustcacerts
More: Java Keytool
Run the following commands from a command prompt (go to start menu and choose run, then type in cmd and hit enter to get a command prompt window).
_________________________________
Side note: These are the instructions on the Network Solutions web site including generating the request using RSA which according to Java defaults to MD5 signature algorithm.
In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", -sigalg defaults to "MD5withRSA". Please consult the Java Cryptography Architecture API Specification & Reference for a full list of -keyalg and -sigalg you can choose from.
MD5 is less secure than SHA and was a recent hack demonstrating how to spoof certain SSL certificates using MD5. Network Solutions says the CSR is generated using MD5 but doesn't matter because the certificate is signed using SHA1.
_________________________________
You can change the names below in red to whatever you want.
1. Go to the directory where you want to create the keystore file.
2. Type the following:
keytool -keystore mykeystore -alias mykeyalias -genkey -keyalg RSA
3. Answer the following questions. Make sure it matches what you put in your domain name registration. The full domain name is entered at the first and last name prompt (oddly enough). For example:
Enter keystore password: password
What is your first and last name?
[Unknown]: your.domainname.com
What is the name of your organizational unit?
[Unknown]: Whatever
What is the name of your organization?
[Unknown]: Your Company Name Here
What is the name of your City or Locality?
[Unknown]: Seattle
What is the name of your State or Province?
[Unknown]: WA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=your.domainname.com, OU=Whatever, O=Your Company Name Here,
L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password): supersecretpassword
Save the above information because you will need to type it in exactly if you ever need to recreate the certificate.
4. Type the following to generate a certificate request (CSR) file. The contents of this file will be given to the SSL Certificate Authority to generate a trusted certificate:
keytool -certreq -alias mykeyalias -keystore mykeystore -file myrequest.csr
5. Copy the contents of myrequest.csr and provide it to your certificate authority.
6. The certificate authority will give you back one or more files which you then need to import back into your keystore (in the order and according to the directions you get from your certficate authority). The command will look something like this:
keytool -keystore mykeystore -import -mykeyalias jetty -file mynewcert.crt -trustcacerts
More: Java Keytool
Installing Your Network Solutions SSL Certificate on Java Based Web Servers
These instructions were incorrect on the Network Solutions web site for about the last three years, at least for the certs I have purchased from them. Maybe they have updated it by now.
Installing Your Network Solutions SSL Certificate on Java Based Web Servers
There are 4 certificates that you will receive from Network Solutions:
1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt
These must be imported in the correct order:
1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt
Use the keytool command to import the certificates as follows:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key
Use the same process for the UTNAddTrustServer_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias utnaddtrustserverca -file UTNAddTrustServer_CA.crt -keystore domain.key
Use the same process for the NetworkSolutions_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias networksolutionsca -file NetworkSolutions_CA.crt -keystore domain.key
Use the same process for the site certificate using the keytool command, if you are using an alias then please include the alias command in the string. Example:
keytool -import -trustcacerts -alias yyy (where yyy is the alias specified during CSR creation) -file yourdomainname.crt -keystore domain.key
The password is then requested.
Enter keystore password: (This is the one used during CSR creation) After the password is entered information will be displayed about the certificate and you will be asked if you want to trust it.
Trust this certificate? [no]:
(The default is no so type 'y' or 'yes')
Then an information message will display as follows:
Certificate was added to keystore
Installing Your Network Solutions SSL Certificate on Java Based Web Servers
There are 4 certificates that you will receive from Network Solutions:
1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt
These must be imported in the correct order:
1. AddTrustExternalCARoot.crt
2. UTNAddTrustServer_CA.crt
3. NetworkSolutions_CA.crt
4. yourdomainname.crt
Use the keytool command to import the certificates as follows:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore domain.key
Use the same process for the UTNAddTrustServer_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias utnaddtrustserverca -file UTNAddTrustServer_CA.crt -keystore domain.key
Use the same process for the NetworkSolutions_CA.crt certificate using the keytool command:
keytool -import -trustcacerts -alias networksolutionsca -file NetworkSolutions_CA.crt -keystore domain.key
Use the same process for the site certificate using the keytool command, if you are using an alias then please include the alias command in the string. Example:
keytool -import -trustcacerts -alias yyy (where yyy is the alias specified during CSR creation) -file yourdomainname.crt -keystore domain.key
The password is then requested.
Enter keystore password: (This is the one used during CSR creation) After the password is entered information will be displayed about the certificate and you will be asked if you want to trust it.
Trust this certificate? [no]:
(The default is no so type 'y' or 'yes')
Then an information message will display as follows:
Certificate was added to keystore
ProntoScript
I recently finished a project using ProntoScript which is used to create customized functions on some Philips remote controls with touch screens. I got a call to troubleshoot some issues displaying images from security cameras on the touch screen. I made a few code changes, however the main problem was the camera software was set up so the remote control software didn't have permissions to view the photos coming from the security cameras. We made some changes to the settings to allow the calls from the remote control to access the camera images.
The only issue is, by allowing a guest user to access the security camera with no login, anyone who can get to that URL could view the images over the Internet. I recommended that my client do something like set up a proxy server that could login to get the images from the camera, so only the remote control camera could get to the proxy with no login on the local network, but anyone coming over the Internet would have to login to view those images. There may also be a way to pass a login to the security cameras but I was not asked to look into that further (so far).
The only issue is, by allowing a guest user to access the security camera with no login, anyone who can get to that URL could view the images over the Internet. I recommended that my client do something like set up a proxy server that could login to get the images from the camera, so only the remote control camera could get to the proxy with no login on the local network, but anyone coming over the Internet would have to login to view those images. There may also be a way to pass a login to the security cameras but I was not asked to look into that further (so far).
Sunday, March 22, 2009
Adding String of XML nodes to Document Node - JDom
Let's say you have a JDom XML Document and you have a string of XML content. You want to add the XML content in the String to a particular Node or Element in the Xml document. Here's how in a nutshell, though you'll probably want to organize these differently in the actual implementation.
1. Convert the XML String to XML as follows:
String s = "<nodes><node>one</node><node>two</node></nodes>"
SAXBuilder sb = new SAXBuilder();
InputStream is = IoTools.inputStreamFromString(s);
Document doc = sb.build(is);
2. Get the element you want to update
//assuming you have instantiated XML Document doc2Update elsewhere
String xpath="/some/node/in/document";
Element e = (Element) (XPath.selectSingleNode(doc2Update , xpath));
3. Add the document content to the element
e.addContent(doc.getRootElement().cloneContent());
1. Convert the XML String to XML as follows:
String s = "<nodes><node>one</node><node>two</node></nodes>"
SAXBuilder sb = new SAXBuilder();
InputStream is = IoTools.inputStreamFromString(s);
Document doc = sb.build(is);
2. Get the element you want to update
//assuming you have instantiated XML Document doc2Update elsewhere
String xpath="/some/node/in/document";
Element e = (Element) (XPath.selectSingleNode(doc2Update , xpath));
3. Add the document content to the element
e.addContent(doc.getRootElement().cloneContent());
Friday, February 20, 2009
Content is not allowed in prolog.
If you see the "Content is not allowed in prolog" error trying to transform xml and xsl the various problems I have found that have caused it include:
1. The wrong type of encoding - for instance, the opening XML tag specifies utf-16 and the format is actually utf-8 in the first line of the document:
<?xml version="1.0" encoding="utf-8"?>
2. Text before the root which is supposed to be enclosed in an xml tag. For instance:
<?xml version="1.0" encoding="utf-8"?>
This text is in the wrong place
<root>
<element>text</element>
</root>
3. Something else wrong with the opening xml tag such as a problem with references to dtd, etc.
4. You think you're passing XML string in a variable but you're actually passing in a file name or some other String by mistake. Check the value of your variable and make sure it contains valid XML.
5. Other people have mentioned special characters inserted at the beginning of Microsoft documents that you don't typically see - Byte-Order-Mark or BOM. Use a product to edit text files that does not insert these special characters. I have not had this problem using Notepad on Windows.
1. The wrong type of encoding - for instance, the opening XML tag specifies utf-16 and the format is actually utf-8 in the first line of the document:
<?xml version="1.0" encoding="utf-8"?>
2. Text before the root which is supposed to be enclosed in an xml tag. For instance:
<?xml version="1.0" encoding="utf-8"?>
This text is in the wrong place
<root>
<element>text</element>
</root>
3. Something else wrong with the opening xml tag such as a problem with references to dtd, etc.
4. You think you're passing XML string in a variable but you're actually passing in a file name or some other String by mistake. Check the value of your variable and make sure it contains valid XML.
5. Other people have mentioned special characters inserted at the beginning of Microsoft documents that you don't typically see - Byte-Order-Mark or BOM. Use a product to edit text files that does not insert these special characters. I have not had this problem using Notepad on Windows.
Subscribe to:
Posts (Atom)