Tuesday, October 31, 2017

Maven to Repository protocol

I have used this minimalistic proxy service:


and just added a "System.out.println("read: " + new String(request));" after the "outToServer.flush();"

then in my settings.xml I point the mirror to localhost instead of the real Nexus Repository service, and I start my proxy pointing to Nexus and listening on port 80. This way, I can intercept all HTTP requests issued by Maven.

The result is quite simple:

Starting proxy for nexus-java:80 on port 80
read: GET /content/repositories/approved-from-central/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.pom HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.pom.sha1 HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.jar.sha1 HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-lang/commons-lang/2.1/commons-lang-2.1.pom HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-lang/commons-lang/2.1/commons-lang-2.1.pom.sha1 HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-lang/commons-lang/2.1/commons-lang-2.1.jar HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

read: GET /content/repositories/approved-from-central/commons-lang/commons-lang/2.1/commons-lang-2.1.jar.sha1 HTTP/1.1
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
User-Agent: Apache-Maven/3.3.9 (Java 1.8.0_102; Windows 7 6.1)
Host: localhost
Connection: Keep-Alive

so it's extremely easy to parse the GET command and implement a firewall/filter to block components that you know are harmful.
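
One way to build that filter, as an added example (not code from the original post or from the proxy it used). The repository prefix is taken from the captured requests above; the denylist entries, function names and the 403 reply are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Assumption: the repository prefix seen in the captured requests above.
REPO_PREFIX = "/content/repositories/approved-from-central/"

ALL_VERSIONS = None
# Constructed denylist: (groupId, artifactId) -> set of versions, or ALL_VERSIONS.
# The entries only exercise the filter; they say nothing about the real artifacts.
DENYLIST = {
    ("commons-lang", "commons-lang"): {"2.1"},
    ("org.example.unwanted", "unwanted-lib"): ALL_VERSIONS,
}

# Characters Maven paths normally use. Anything else ('%', '?', spaces, ...)
# is refused, so the filter and the repository cannot disagree about a path.
SEGMENT = re.compile(r"[A-Za-z0-9_.+-]+")


class Coordinates(NamedTuple):
    group_id: str
    artifact_id: str
    version: str
    filename: str


def request_path(raw_request: str) -> Optional[str]:
    """Return the target of a GET/HEAD request line, or None if malformed."""
    lines = raw_request.splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3 or parts[0] not in ("GET", "HEAD"):
        return None
    if not parts[2].startswith("HTTP/1."):
        return None
    return parts[1]


def parse_coordinates(path: str) -> Optional[Coordinates]:
    """Map a Maven 2 layout path to coordinates.

    Layout: <prefix><group/with/slashes>/<artifactId>/<version>/<file>.
    Returns None for maven-metadata.xml (version listings, no code).
    Raises ValueError when the path does not fit the layout.
    """
    if not path.startswith(REPO_PREFIX):
        raise ValueError("outside the mirrored repository")
    segments = path[len(REPO_PREFIX):].split("/")
    for seg in segments:
        if seg in (".", "..") or not SEGMENT.fullmatch(seg):
            raise ValueError("illegal path segment %r" % seg)
    filename = segments[-1]
    if filename.startswith("maven-metadata.xml"):
        return None
    if len(segments) < 4:
        raise ValueError("too short for group/artifact/version/file")
    *group, artifact_id, version, _ = segments
    # pom, jar and their .sha1 files all start with "<artifactId>-".
    if not filename.startswith(artifact_id + "-"):
        raise ValueError("file name does not match artifactId")
    return Coordinates(".".join(group), artifact_id, version, filename)


def decide(raw_request: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed on anything it cannot parse."""
    path = request_path(raw_request)
    if path is None:
        return False, "malformed or non-GET request"
    try:
        coords = parse_coordinates(path)
    except ValueError as exc:
        return False, str(exc)
    if coords is None:
        return True, "repository metadata"
    denied = DENYLIST.get((coords.group_id, coords.artifact_id), frozenset())
    if denied is ALL_VERSIONS or coords.version in denied:
        return False, "denylisted %s:%s:%s" % coords[:3]
    return True, "%s:%s:%s" % coords[:3]


def forbidden_response(reason: str) -> bytes:
    """Minimal HTTP reply the proxy can send instead of forwarding."""
    body = ("Blocked by dependency filter: %s\n" % reason).encode("utf-8")
    head = ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            "Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body))
    return head.encode("ascii") + body


if __name__ == "__main__":
    # Request lines copied from the capture above, headers shortened.
    for target in (
        "commons-logging/commons-logging-api/1.1/commons-logging-api-1.1.pom",
        "commons-lang/commons-lang/2.1/commons-lang-2.1.jar",
        "commons-lang/commons-lang/2.1/commons-lang-2.1.jar.sha1",
    ):
        request = "GET %s%s HTTP/1.1\r\nHost: localhost\r\n\r\n" % (REPO_PREFIX, target)
        print(target, "->", decide(request))
```

The .pom, .jar and .sha1 requests for one component all resolve to the same coordinates, so a single denylist entry covers every file Maven asks for.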

Monday, October 30, 2017

OracleXETNSListener runs on port 8080

If you run an Oracle XE instance locally, you are bound to have it occupy port 8080 (with catastrophic consequences for all other applications using this popular port)

Run tcpview to make sure that the process tnslsnr.exe is using the port 8080

You can then open Sqldeveloper, login as SYS, and run this:


then restart the oracle listener (maybe first shut it down, then start your other application using port 8080, then start the oracle listener)

it's a sad world. Why is everyone using 8080, there are so many integer numbers...

Saturday, October 28, 2017

Setting up Maven to retrieve ojdbc8.jar

googling around in StackOverflow there is a huge variety of approaches to this very common problem: you must add the artifact to your build, but it's not available in Maven Central.... what to do?

Some resort to downloading it manually and deploying it to the local Maven repo. Some even include the file in their WEB-INF/lib folder in their SCM project. Some use some third party public repositories (like Atlassian, code.lds.org, ... ) who graciously host these artifacts.... all fine when you play on your PC, but in a serious company with strict security control all this would not be allowed. Some folks simply cowboy-style put it somewhere in their HD and add the external JAR to Eclipse.... what happens next, they don't really care, as long as it works on their machine.

Oracle hosts these artifacts in their Public Oracle Maven repository, but you need to authenticate yourself (for which reason, it's totally obscure to me!)

https://docs.oracle.com/middleware/1213/core/MAVEN/config_maven_repo.htm#MAVEN9016 here how to setup maven to connect to the Oracle repo (basically: in settings.xml you have to declare the server maven.oracle.com authenticating with your user, then in your pom.xml you must declare a repository with id matching this maven.oracle.com server, then a pluginRepository with id again maven.oracle.com). At this point you can declare the dependency


This post explains it in a lot of detail https://blogs.oracle.com/dev2dev/get-oracle-jdbc-drivers-and-ucp-from-oracle-maven-repository-without-ides

To make things much more complicated, the repository is not browsable https://maven.oracle.com/com/oracle/ojdbc8/ ... how to determine its content, no clue!

See also https://stackoverflow.com/questions/9898499/oracle-jdbc-ojdbc6-jar-as-a-maven-dependency and https://stackoverflow.com/questions/1074869/find-oracle-jdbc-driver-in-maven-repository

https://mvnrepository.com/artifact/com.oracle/ojdbc6/ to get ojdbc6.jar from maven (atlassian hosted!)

https://developer.atlassian.com/docs/advanced-topics/working-with-maven/atlassian-maven-repositories to configure atlassian repo in pom.xml

IMPORTANT: when running in Eclipse, make sure you are NOT using the Embedded installation of Maven while you are configuring an EXTERNAL Maven configuration.... this multiplicity of installations and configurations only makes the developer's life more miserable.... IMHO it's better to have an independent, external, universal installation rather than an embedded one.... again another major fuck-up in Eclipse design. Forget Eclipse, use Netbeans and Intellij.

CODE: a working pom.xml is available here https://github.com/vernetto/JavaMonAmour/tree/master/oracletest

Adam Bien: real world Java EE 6 Patterns 2012 edition

here a general presentation http://download.java.net/general/podcasts/real_world_java_ee_patterns.pdf

here the book (11 USD in Kindle) https://www.amazon.com/Real-World-Java-Patterns-Rethinking-Practices/dp/1300149310/ref=sr_1_1?s=books&ie=UTF8&qid=1508683416&sr=1-1

Examples from the books here https://github.com/dlee0113/java_ee_patterns_and_best_practices

I love the dry, concise, down-to-earth approach of Adam, however a little more sense of humor would not hurt... but I prefer a concise book to a book that tries to be smart and eventually only wastes your time in endless blablabla

Saturday, October 21, 2017


Sadly there is not even a wikipedia entry, apart from this short section https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations "Federated SSO (LDAP and Active Directory), standard protocols (OpenID Connect, OAuth 2.0 and SAML 2.0) for Web, clustering and single sign on"

How to setup a Keycloak server:

I have done the "Standalone installation" on Windows and it works without a glitch.
The official documentation is here http://www.keycloak.org/docs/latest/getting_started/index.html - tidy and condensed.

How to secure a REST application with the previously setup Keycloak server

except that the link is broken and I got the repo from "git clone https://github.com/redhat-developer/redhat-sso-quickstarts.git" and cd redhat-sso-quickstarts and cd service-jee-jaxrs. Running mvn package now fails because of the missing keycloak.json file in the config folder.

I follow the instructions here https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.0.x/service-jee-jaxrs to create a config\keycloak.json file . Only after creating this file you can run mvn package and build the service.war.

I start a standalone wildfly at 8080, do mvn install wildfly:deploy and I get Unknown authentication mechanism KEYCLOAK

This because in my app the web.xml contains <login-config><auth-method>KEYCLOAK</auth-method></login-config>
If I change it to BASIC and redeploy, then hit http://localhost:8080/service/public , it all works. But I need KEYCLOAK!

Here https://stackoverflow.com/questions/27253559/keycloak-unknown-authentication-mechanism they explain how to configure Wildfly for KEYCLOAK.

I download the client adapter for Wildfly http://www.keycloak.org/downloads.html, the file is keycloak-wildfly-adapter-dist-3.3.0.CR2.zip and I unzip it in the WILDFLY_HOME folder, so as to merge it to the existing bin and modules folders. Then I run:

jboss-cli.bat -c --file=adapter-install.cli

This adds

<security-domain name="keycloak">
  <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
</security-domain>

but it still doesn't work, same error "Unknown authentication mechanism KEYCLOAK"...

strange, in Wildfly console I can see Configuration: Subsystems Subsystem: Security Security Domain: keycloak

However, I see the message "Extension module org.keycloak.keycloak-adapter-subsystem not found"... so I run also this

jboss-cli.bat -c --file=adapter-install.cli

and restart everything and it works!

Some valuable KEYCLOAK tutorials:

this one with some quick demo on how to secure webapps, nodejs etc applications:

this one is quite professional on the overall features:

Detailed configuration instructions here http://www.keycloak.org/docs/latest/getting_started/topics/secure-jboss-app/download-quickstarts.html

Quickstarts available here https://github.com/keycloak/keycloak-quickstarts

Friday, October 20, 2017

Configure Jenkins to run the OWASP Security Check plugin

First make sure that your Jenkins installation is configured with Maven 3.5

You should also install the "OWASP Dependency-Check Plugin" plugin - for this, go to the "manage Jenkins", "manage plugins" and you should find it in the "available plugins" (if not, probably you have to download the hpi files, and copy them in the "plugins" directory under the Jenkins home folder... see my previous post on which plugin files are needed ).

create a Maven project:


Source Code Management: Git

Repository URL = https://github.com/WebGoat/WebGoat.git

Branch specifier = */develop

Remove all "build triggers"

Pre-Steps : leave empty

Build/Root POM = pom.xml

Goals and Options = package -DskipTests=true

Post Steps (run regardless...) = Invoke OWASP dependency check analysis
click on "advanced", enable "Generate optional HTML report" and "Generate optional vulnerability report (HTML)"

Post-build Actions: add "Publish OWASP dependency check results"
click on "advanced", set 5 in the "failed" (red circle) "Priority high" column.... so the build will fail if there are more than 5 highly vulnerable components.

In the console output of the build, you should see something like this:

[DependencyCheck] OWASP Dependency-Check Plugin v3.0.0
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck]  -name = Pierre
[DependencyCheck]  -scanPath = /path/to/workspace/Pierre
[DependencyCheck]  -outputDirectory = /path/to/workspace/Pierre
[DependencyCheck]  -dataDirectory = /path/to/workspace/Pierre/dependency-check-data
[DependencyCheck]  -dataMirroringType = none
[DependencyCheck]  -isQuickQueryTimestampEnabled = true
[DependencyCheck]  -jarAnalyzerEnabled = true
[DependencyCheck]  -nspAnalyzerEnabled = true
[DependencyCheck]  -composerLockAnalyzerEnabled = true
[DependencyCheck]  -pythonDistributionAnalyzerEnabled = true
[DependencyCheck]  -pythonPackageAnalyzerEnabled = true
[DependencyCheck]  -rubyBundlerAuditAnalyzerEnabled = true
[DependencyCheck]  -rubyGemAnalyzerEnabled = true
[DependencyCheck]  -cocoaPodsAnalyzerEnabled = true
[DependencyCheck]  -swiftPackageManagerAnalyzerEnabled = true
[DependencyCheck]  -archiveAnalyzerEnabled = true
[DependencyCheck]  -assemblyAnalyzerEnabled = true
[DependencyCheck]  -centralAnalyzerEnabled = true
[DependencyCheck]  -nuspecAnalyzerEnabled = true
[DependencyCheck]  -nexusAnalyzerEnabled = false
[DependencyCheck]  -autoconfAnalyzerEnabled = true
[DependencyCheck]  -cmakeAnalyzerEnabled = true
[DependencyCheck]  -opensslAnalyzerEnabled = true
[DependencyCheck]  -showEvidence = true
[DependencyCheck]  -formats = XML HTML VULN 
[DependencyCheck]  -autoUpdate = true
[DependencyCheck]  -updateOnly = false

If the "jarAnalyzerEnabled" is not true, then something is wrong.

If you see "org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data..... Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Unable to resolve domain 'nvd.nist.gov' " , most likely you are behind a proxy. You can still build the h2 DB - containing all the vulnerabilities feed - and provide it offline to the Jenkins job. But to build this DB you must run the job on a computer connected to internet, then look in the workspace for a db.h2 file.
This configuration is to be done in "Invoke OWASP dependency check analysis", then "advanced" and set "Data directory" to the folder where you have copied the h2 db file. Also, check the "Disable NVD auto-update" flag.

If this still fails with this error, then I really don't know where the issue is, probably AGAIN a proxy problem as also explained here https://github.com/jeremylong/DependencyCheck/issues/932:

[DependencyCheck] Message: Could not connect to Central search. Analysis failed.
[DependencyCheck] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Could not connect to Central search. Analysis failed.
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:244)
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:137)
[DependencyCheck]  at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
[DependencyCheck]  at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
[DependencyCheck]  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck]  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[DependencyCheck]  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[DependencyCheck]  at java.lang.Thread.run(Thread.java:745)
[DependencyCheck] Caused by: java.io.IOException: Finally failed connecting to Central search. Giving up after 5 tries.
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:288)
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:198)
[DependencyCheck]  ... 7 more

[DependencyCheck] Caused by: java.net.UnknownHostException: search.maven.org
[DependencyCheck]  at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
[DependencyCheck]  at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[DependencyCheck]  at java.net.Socket.connect(Socket.java:589)
[DependencyCheck]  at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[DependencyCheck]  at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
[DependencyCheck]  at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
[DependencyCheck]  at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
[DependencyCheck]  at sun.net.www.http.HttpClient.New(HttpClient.java:308)
[DependencyCheck]  at sun.net.www.http.HttpClient.New(HttpClient.java:326)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
[DependencyCheck]  at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:127)
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:266)

one can try to set -Danalyzer.central.enabled=false
(see https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck.properties ) and/or enable proxy for https://search.maven.org/solrsearch/select

It's nice to read https://jeremylong.github.io/DependencyCheck/general/internals.html on how the analyzer works.

The NVD (National Vulnerability Database) CVE (Common Vulnerabilities and Exposures) feeds are here https://nvd.nist.gov/vuln/data-feeds. They contain the Common Platform Enumeration (CPE) catalog of all known vulnerabilities and Common Weakness Enumeration (CWE).

How to trigger a daily job to get NVD updates: https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8

VirtualBox shared folder on Linux Centos guest and Windows host

my main Linux user is "centos".

in VirtualBox, right-click on your VM, Settings, Shared Folder, create an entry with Folder Path = d:\pierre\pvshared and Folder Name = pvshared , check "auto-mount" and "make permanent"

Make sure you have the latest VBoxAdditions installed:

cd /run/media/centos/VBOXADDITIONS_5.1.30_118389/
sudo ./autorun.sh

#group vboxsf should already exist, so this should fail:
sudo groupadd vboxsf
sudo usermod -a -G vboxsf centos


login again with your user (centos)

uid=1000(centos) gid=1000(centos) groups=1000(centos),983(vboxsf) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

cd /media/sf_pvshared
touch pippo.txt

you should see the file pippo.txt on your d:\pierre\pvshared folder in Windows

I have also done

sudo chmod 777 /media/sf_pvshared

but I don't think it's required once the centos user is assigned to vboxsf group

Wednesday, October 18, 2017

OWASP Dependency Check maven plugin





just run

mvn dependency-check:check

and you get a great report with all the vulnerabilities in your dependencies.... fantastic! Even a Jenkins plugin is available, so you don't need to modify all your poms.

To install it as Jenkins Plugin, install these plugins:


Interesting post on how to configure a separate jenkins task just to update the NIST repos in a common folder https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8 to avoid checking for updates at every build.

A similar post goes here https://blog.dominikschadow.de/2015/07/using-owasp-dependency-check-as-jenkins-plugin/

A good test is to run it against the WebGoat https://github.com/WebGoat/WebGoat but the repo is heavy and you need a good internet connection

Here https://jeremylong.github.io/DependencyCheck/general/dependency-check.pdf a presentation of the plugin by Jeremy Long (OWASP)


http://petstore.swagger.io/ automatically generated console, documenting the interfaces and allowing you to test them.... better than the WSDL-based test client generator... but I wonder how much work is needed, I would hate to have to manually edit YAML files to generate this UI...

short and sweet presentation (skip first 3 minutes)

A live example here, using Spring Boot

git clone https://github.com/TechPrimers/spring-boot-swagger-example.git
cd spring-boot-swagger-example
mvn spring-boot:run

in your browser put http://localhost:8088/swagger-ui.html

Main annotations are:

io.swagger.annotations.Api (class level)

io.swagger.annotations.ApiOperation , io.swagger.annotations.ApiResponses, io.swagger.annotations.ApiResponse at method level

io.swagger.annotations.ApiModelProperty at field level

and to document the Site:
etc etc

all the rest are org.springframework.web.bind.annotation annotations (GetMapping, PathVariable, RequestMapping, RestController)

Valle d'Aosta photostream

autumn colors are embarrassingly beautiful... but the lack of snow on the mountains, and the state of the glaciers, is distressing... go on burning fossil fuels, in any case at this point there is no tomorrow

The pictures were taken in 2 places, https://it.wikipedia.org/wiki/Pointe_de_Chaligne and https://en.wikipedia.org/wiki/Monte_Emilius

Monday, October 16, 2017





"Simplicity is the ultimate sophistication" (probably Leonardo never said this sentence anyway)


Wildfly Swarm

"packaging and running Java EE applications by packaging them with just enough of the server runtime to "java -jar" your application."

home page here http://wildfly-swarm.io/

"Stinky Maven" instructions to incorporate the product in your build:




This will import a BOM in $M2_HOME\repository\org\wildfly\swarm\bom-all\2017.9.5\bom-all-2017.9.5.pom

At this point you simply have to use the Swarm "fractions":

<!-- Wildfly Swarm Camel Fractions -->
    <!-- Wildfly Swarm Fractions -->

each of these fractions will simply consist of a JAR with a module.xml, this one is for the camel-cdi fraction:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<module xmlns="urn:jboss:module:1.3" name="org.apache.camel.component.cdi">
  <artifact name="org.apache.camel:camel-cdi:2.19.0"/>
  <module name="javax.annotation.api"/>
  <module name="javax.enterprise.api"/>
  <module name="javax.xml.bind.api"/>
  <module name="org.apache.camel.core.xml"/>
  <module name="org.jboss.weld.core"/>
  <module name="org.jboss.weld.spi"/>
  <module name="org.slf4j"/>
  <module name="javax.el.api"/>
  <module name="org.apache.camel.core"/>
</module>

All this looks like Matryoshka матрёшка ...

This page is similar to the Spring Initializr http://wildfly-swarm.io/generator/

To add health monitoring, follow these instructions https://wildfly-swarm.gitbooks.io/wildfly-swarm-users-guide/advanced/monitoring.html

important commands

mvn wildfly-swarm:run

mvn package
cd target
java -jar demo-swarm.jar demo.war

if you add


you can also do:

mvn wildfly:deploy

Sunday, October 15, 2017

Camel in Action, Second Edition

I have just purchased the book from Manning (if you google for "manning discount code" you should find a coupon to get a 40% discount on these EXTREMELY (52 USD) expensive books ...)

I am a bit disappointed by the book, it's extremely verbose and it repeats a lot of concepts that - unless this is the first IT book you read in your life - are very well known to anybody. You have to wade across a lot of verbosity to extract useful practical info "how to solve this kind of problem".

Also, the choice to cover at the same depth the XML DSL and the Java DSL, the Spring XML configuration and the Spring Java configuration leaves me astonished.... Spring XML is almost extinct, in favor of Java.

Also, some frightening basic English mistakes like using "whom" instead of "who", together with incredibly complicated sentences, make you wonder about the literary skills of the authors.

I also dislike embedding a lot of incomplete code in a book.... a coding book should only provide a link to a github repository, I can't understand code if I don't see it in its completeness... for instance something frustrating is when the import statements are omitted.

The examples associated to the book are here:
git clone https://github.com/camelinaction/camelinaction2

Here https://github.com/apache/camel/tree/master/examples/camel-example-spring-boot a simple Camel - Spring Boot example

run it like this:

git clone https://github.com/apache/camel.git
cd camel
mvn install
cd examples\camel-example-spring-boot
mvn spring-boot:run

Wednesday, October 11, 2017

JAX-RS tutorials and documentation

Here a reasoned discussion about CacheControl and ETag https://abhirockzz.wordpress.com/2016/03/27/efficient-jax-rs-conditional-gets-puts/

Here https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html all the HTTP 1.1 headers specifications


deploy it in a PVRestRS project and hit it with http://localhost:8080/PVRestRS/users

it's an excellent simple example showing the use of:


specifically, here http://docs.oracle.com/javaee/7/api/javax/ws/rs/core/Request.html#evaluatePreconditions-javax.ws.rs.core.EntityTag- some explanations on the use of an ETag.


Some explanations on "what ETag is for?" here http://www.logicbig.com/quick-info/web/etag-header/

I open Chrome, CTRL-SHIFT-I (developer tools), Network, select "users", right-click, console / Headers/all (it took me a lot of clicking to find it...) and I see this:

Request URL:http://localhost:8080/PVRestRS/users
Request Method:GET
Status Code:304 Not Modified
Remote Address:
Referrer Policy:no-referrer-when-downgrade
Response Headers
Date:Wed, 11 Oct 2017 00:31:57 GMT
Request Headers
Accept-Encoding:gzip, deflate, br
Cookie:Idea-f3d396f=f1a96b31-981d-4574-a116-314fe061816e; __utma=111872281.364080227.1506531800.1506531800.1506531800.1; __utmc=111872281; __utmz=111872281.1506531800.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
If-Modified-Since:Tue, 19 Sep 2017 22:00:00 GMT
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

If I request http://localhost:8080/PVRestRS/users/pippo , I see also ETag:"version1" and (the second time only) If-None-Match:"version1"

"The If-None-Match request-header field is used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that none of those entities is current by including a list of their associated entity tags in the If-None-Match header field. The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead. It is also used to prevent a method (e.g. PUT) from inadvertently modifying an existing resource when the client believes that the resource does not exist. "

"1. If the response includes the "s-maxage" cache-control directive, the cache MAY use that response in replying to a subsequent request. But (if the specified maximum age has passed) a proxy cache MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. (This is the defined behavior for s-maxage.) If the response includes "s-maxage=0", the proxy MUST always revalidate it before re-using

If a response includes an s-maxage directive, then for a shared cache (but not for a private cache), the maximum age specified by this directive overrides the maximum age specified by either the max-age directive or the Expires header. The s-maxage directive also implies the semantics of the proxy-revalidate directive (see section 14.9.4), i.e., that the shared cache must not use the entry after it becomes stale to respond to a subsequent request without first revalidating it with the origin server. The s-maxage directive is always ignored by a private cache. "

This book is on my to-read list https://leanpub.com/rest-assured-with-jaxrs

The excellent article about JAX-RS on Java Magazine jan/feb 2016 by Abishek is available here http://www.javamagazine.mozaicreader.com/JanFeb2016#&pageSet=32&page=0

Sunday, October 8, 2017

Wildfly quickstarts part 1

git clone https://github.com/wildfly/quickstart


https://github.com/wildfly/quickstart/tree/11.x/helloworld technologies=CDI,Servlet


mvn wildfly:deploy
mvn wildfly:undeploy
mvn dependency:sources


https://github.com/wildfly/quickstart/tree/11.x/helloworld-ws technologies=JAX-WS has Arquillian tests


#to run arquillian tests
mvn clean verify -Parq-remote





https://github.com/wildfly/quickstart/tree/11.x/helloworld-rf technologies=CDI,JAX-RS


javax.ws.rs.ApplicationPath @ApplicationPath("rest")
javax.ws.rs.Produces @Produces({ "application/json" }) @Produces({ "application/xml" })


https://github.com/wildfly/quickstart/tree/11.x/helloworld-singleton technologies=EJB,Singleton,JSF



@Named = @Component in Spring. @Inject = @Autowired in Spring


https://github.com/wildfly/quickstart/tree/11.x/helloworld-ssl technologies: SSL,Undertow



https://github.com/wildfly/quickstart/tree/11.x/helloworld-mutual-ssl-secured technologies=Mutual SSL, Security, Undertow

BTW it's very similar to helloworld-mutual-ssl


https://github.com/wildfly/quickstart/tree/11.x/helloworld-classfiletransformer technologies: EJB, javassist it's about byte code manipulation and intercepting method calls



https://github.com/wildfly/quickstart/tree/11.x/helloworld-html5 Technologies: CDI, JAX-RS, HTML5


curl -i -X POST http://localhost:8080/helloworld-html5/hello/json/pierluigi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    29  100    29    0     0     29      0  0:00:01 --:--:--  0:00:01   142HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/11
Content-Type: application/json
Content-Length: 29
Date: Sat, 07 Oct 2017 21:36:41 GMT


remarkable the Arquillian functional tests to be found in the embedded helloworld-html5-test-webdriver https://github.com/wildfly/quickstart/tree/11.x/helloworld-html5/functional-tests

mvn clean verify -Parq-remote   # to run tests on an already started remote server
mvn clean verify -Parq-managed  # to start a server and run tests in it

tests will probably fail because they take too long...


https://github.com/wildfly/quickstart/tree/11.x/helloworld-jms Technologies: JMS



Since the JBoss console doesn't have a tool to browse JMS queues (WebLogic console is sooo much better) one can use HermesJMS or this little tool http://www.mastertheboss.com/jboss-server/jboss-jms/a-jms-browser-for-jboss-wildfly available here https://github.com/fmarchioni/mastertheboss/tree/master/JMSBrowser

git clone https://github.com/fmarchioni/mastertheboss.git
cd mastertheboss/JMSBrowser
mvn clean install wildfly:deploy

and then http://localhost:8080/JMSBrowser/ (in my case, it can't find the test queue, no idea why)

HermesJMS really stinks and I can't make it work (maybe not meant to run with Java 8)... another tool is jmstoolbox https://sourceforge.net/projects/jmstoolbox/files/v4.4/


https://github.com/wildfly/quickstart/tree/11.x/helloworld-mbean Technologies: CDI, JMX, MBean






javax.jms.JMSDestinationDefinitions https://docs.oracle.com/javaee/7/api/javax/jms/JMSDestinationDefinition.html

javax.servlet.annotation.WebServlet http://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebServlet.html



https://github.com/wildfly/quickstart/tree/11.x/helloworld-mdb-propertysubstitution Technologies: JMS, EJB, MDB


about "MDB annotation property substitution" :

the MDB connection properties are given in the standalone.xml in the system-properties, and you use variable substitution
@ActivationConfigProperty(propertyName = "destinationLookup", propertyValue = "${property.helloworldmdb.queue}")

HermesJMS fails to start with Java 8

HermesJMS silently fails.

in hermes.bat I remove "echo off" and replace "javaw" with "java", to discover that the error is:

org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.

I replace the HermesJMS/lib/xercesImpl.jar with a new one https://mvnrepository.com/artifact/xerces/xercesImpl/2.11.0-22 and it works!

Here https://developer.jboss.org/wiki/UsingHermesJMSWithHornetQ#comment-11123 how to connect HermesJMS to JBoss

Onboarding a new team member

I know someone who had recently gone through a very traumatic experience of joining a new team. Although he considers himself a really tough guy, who is not easily scared by challenge, within his first few days he had immediately taken the decision to quit at all costs - he did all he could to quickly learn the technologies and understand the environment, he simply believed that the team he was in was SEVERELY lacking in communication. Too bad: big trauma for the poor guy, big loss of time and money for the organization, all could have been prevented with some communication.

Here is some advice to properly handle a new on-boarder.

1) tell him/her in advance what technologies he will be working on. Since normally it takes minimum one month before you can join the team, you can learn that stuff at home and reduce the initial sense of "fremdheit" (alienation, alienness, disorientation.... in Italian we say "spaesamento", which is the "feeling you have when you leave your village (paese) and enter into foreign territory")

2) from day one, regularly spend time (say minimum 30 minutes a day) talking to and mentoring the new guy

3) often invite the new guy to participate in the resolution of a problem on the actual applications you are developing/maintaining - nothing better than "learning in action".... later he can read the documents, he will understand them much better when he can attach them to some living application he has seen before.

4) avoid by all means assigning tasks by email/chat. Talk to the guy to explain the task to him, answer all his questions, and make it very clear to him that communication is open at all times and he is very welcome to ask questions

5) give the new guy a "play environment" (ideally a VM or docker container) where he can experiment without fear of breaking the existing code

6) don't make the poor guy go through the pain of applying by himself for all the rights he needs to access the different environments. All this account creation and rights assignment is an activity that should be started BEFORE the guy arrives. It's painful, it's boring, in some large organizations it means using half a dozen tools and clicking like crazy.

7) even if everybody is very busy, find the time to say good morning, how are you feeling, etc

8) document, in a written form, the requirements you give to the guy. You won't believe how many people still believe today that you can actually work on something like "please write me the tests on this application" without even giving the specifications, without having any javadoc, without even documenting the DB structure.... and sometimes they don't even say "please"

9) make sure that the guy knows BEFORE JOINING what exactly is expected from him

10) if the guy gives explicit signs of being uneasy, don't ignore them!

And remember, if you think something (requirements, implementation details) is not worth writing down, then most likely it's not even worth implementing.

Even if all this sounds simply common sense, you won't believe how multi-million projects still rely on a "swim or sink" approach - maybe someone particularly macho is even happy if you sink.

Wonderful (?!) pictures of military training available here http://uk.businessinsider.com/insane-military-training-exercises-around-the-world-2015-2/#south-korean-special-warfare-trainees-are-covering-themselves-with-snow-here-to-help-strengthen-both-physical-power-and-psychological-fortitude-8 , but remember, IT requires you to be smart and knowledgeable, not to be a hero.

Eclipse CHE

Sadly, CHE is not dedicated to greatly inspiring revolutionary leader Che Guevara, but to the city of Cherkasy (Ukraine) where most of the development is done.



docker run eclipse/che start

Since I run from a VirtualBox VM on my Windows PUEAH host, I get this:

INFO: Welcome to Eclipse Che!
INFO: You are missing a mandatory parameter:
INFO:    1. Mount 'docker.sock' for accessing Docker with unix sockets.
INFO:    2. Or, set DOCKER_HOST to Docker's location (unix or tcp).
INFO: Mount Syntax:
INFO:    Start with 'docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock' ...
INFO:    Start with 'docker run -it --rm -e DOCKER_HOST= ...'
INFO: Possible root causes:
INFO:    1. Your admin has not granted permissions to /var/run/docker.sock.
INFO:    2. You passed '--user uid:gid' with bad values.
INFO:    3. Your firewall is blocking TCP ports for accessing Docker daemon.

now I try running this

[centos@localhost ~]$ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock eclipse/che start

WARN: Bound 'eclipse/che' to 'eclipse/che:5.18.0'
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
INFO: Welcome to Eclipse Che!
INFO: We could not detect a location to save data.
INFO: Volume mount a local directory to ':/data'.
INFO: Simplest syntax:
INFO:   docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock
INFO:                       -v :/data
INFO:                          eclipse/che start
INFO: Or, run with additional overrides:
INFO:   docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock
INFO:                       -v :/data
INFO:                       -v :/data/instance
INFO:                       -v :/data/backup
INFO:                          eclipse/che start

so I do

mkdir chedata
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /home/centos/chedata:/data eclipse/che start

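if you run "docker run --help", you learn that "-it" means "interactive tty", "--rm" means the container is removed when it exits, and "-v" bind-mounts a volume. Mounting /var/run/docker.sock hands the container control of the host's Docker daemon, which is what lets the eclipse/che launcher start further containers.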

at this point I still get an error:

INFO: (che init): Installing configuration and bootstrap variables:
INFO: (che init):   CHE_HOST=
INFO: (che init):   CHE_VERSION=5.18.0
INFO: (che init):   CHE_CONFIG=/home/centos/chedata
INFO: (che init):   CHE_INSTANCE=/home/centos/chedata/instance
INFO: (che config): Generating che configuration...
INFO: (che config): Customizing docker-compose for running in a container
INFO: (che start): Preflight checks
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
         mem (1.5 GiB):           [OK]
         disk (100 MB):           [OK]
         port 8080 (http):        [AVAILABLE]
         conn (browser => ws):    [NOT OK]
         conn (server => ws):     [NOT OK]

ERROR: Try 'docker run  eclipse/che info --network' for more tests.

so I run

docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /home/centos/chedata:/data eclipse/che info --network

and I get this

INFO: (che cli): 5.18.0 - using docker 17.09.0-ce / native
INFO: ---------------------------------------
INFO: --------   CONNECTIVITY TEST   --------
INFO: ---------------------------------------
INFO: (che network): eclipse/che-ip:5.18.0:
INFO: (che network): Browser => Workspace Agent (localhost): Connection failed
INFO: (che network): Browser => Workspace Agent ( Connection failed
INFO: (che network): Server  => Workspace Agent (External IP): Connection failed
INFO: (che network): Server  => Workspace Agent (Internal IP): Connection succeeded

Probably I have to work a little on my VM network settings ... maybe some other time...

Saturday, October 7, 2017

Install Openshift Container Platform on Ubuntu 16.4

download oc here


untar the oc executable and put it somewhere in the path (e.g. /usr/local/bin )

install docker:

sudo apt install docker.io
#sudo groupadd docker // this should not be necessary!
sudo usermod -aG docker $(whoami)
sudo reboot now
sudo service docker start
docker ps

oc cluster up

if it comes up with an error related to --insecure-registry, you can start with "oc cluster up --skip-registry-check=true"

It's really a struggle to make all this work... the whole integration Openshift-Docker is very environment-dependent, for instance on Ubuntu 17.4 I could not even install Docker... pathetic... always something going wrong...

Friday, October 6, 2017

Fixing a corrupt (or corrupted?) USB drive

I open (in Windows) the disk management tool, and I keep getting this message when trying to format the USB drive:

usb drive windows cannot format the volume because the volume is offline

this video explains how to "brutally fix" the USB drive:

run diskpart in admin mode

list disk

select disk N (N depends on your system)

list partition

select partition M (M depends on your system)

delete partition override

All this happened because I was preparing a USB drive to boot Centos 7 as per https://wiki.centos.org/HowTos/InstallFromUSBkey and using the https://sourceforge.net/projects/win32diskimager/ win32diskimager ... apparently I have stopped it while it was writing, and this corrupted the USB disk.... scary...

Here is a useful list of commands.... priceless.... https://commandwindows.com/diskpart.htm much better than the Disk Management UI tool

Adam Bien The Great, and how to monitor health of a Docker Container

git clone https://github.com/AdamBien/airhacks.git

git clone https://github.com/AdamBien/docklands.git

docker build -t airhacks/payara-ping .

Sending build context to Docker daemon  14.85kB
Step 1/5 : FROM airhacks/payara
latest: Pulling from airhacks/payara
785fe1d06b2d: Pull complete 
b6ea41613b27: Pull complete 
164939690f71: Pull complete 
5cd0a8d28e0b: Pull complete 
1fa1008aa8f7: Pull complete 
4fe8b3142e9d: Pull complete 
Digest: sha256:f550a096b325f467155a462069bddd54f8d365fdb285271b9b2fdbfec4464018
Status: Downloaded newer image for airhacks/payara:latest
 ---> d2d4659c3fbb
Step 2/5 : MAINTAINER Adam Bien, adam-bien.com
 ---> Running in 36c695b80088
 ---> 8d417d79b693
Removing intermediate container 36c695b80088
Step 3/5 : COPY ping.war ${DEPLOYMENT_DIR}
 ---> 3b2a6278d76e
Step 4/5 : ENV WAR ping.war
 ---> Running in fa4484344c05
 ---> 14d72ab44a73
Removing intermediate container fa4484344c05
Step 5/5 : HEALTHCHECK --interval=15s CMD curl --fail http://localhost:8080/ping/resources/pings/echo/+ || exit 1
 ---> Running in 26f9dd4b7d01
 ---> d97945495493
Removing intermediate container 26f9dd4b7d01
Successfully built d97945495493
Successfully tagged airhacks/payara-ping:latest

What does a "docker build -t bla" do? https://docs.docker.com/engine/reference/commandline/build/#options "This will build like the previous example, but it will then tag the resulting image. "


docker inspect payara-ping

docker exec -it payara-ping /bin/bash

cd ../domains/domain1/autodeploy/

Thursday, October 5, 2017

Nexus Repository Health Check (RHC) unauthorized proxy

"The components in the repository were inspected, but their identity could not be confirmed. This may have happened for the following reasons:

The repository does not contain enough identified components for the results to be meaningful
The components were built from source instead of pulled from the Central Repository
The components were obtained from a repository other than the Central Repository"

The connection to the Sonatype server is at rhc.sonatype.com port 443, that is IP address, which corresponds also to clm.sonatype.com and insight.sonatype.com

Apparently for the PRO version it's rhc-pro.sonatype.com 443 which is

Apparently one can have only ONE health check every 24 hours.

Incidentally, if you are using a proxy, and you are not authenticated, you get this error message

org.apache.http.impl.execchain.TunnelRefusedException pxpool-1-thread-4 CONNECT refused by proxy: HTTP/1.1 407 Proxy Authentication Required

with this stacktrace

java.lang.Throwable.(String) 1
java.lang.Exception.(String) 1
org.apache.http.HttpException.(String) 1
org.apache.http.impl.execchain.TunnelRefusedException.(String, HttpResponse) 1
org.apache.http.impl.execchain.MainClientExec.createTunnelToTarget(AuthState, HttpClientConnection, HttpRoute, HttpRequest, HttpClientContext) 1
org.apache.http.impl.execchain.MainClientExec.establishRoute(AuthState, HttpClientConnection, HttpRoute, HttpRequest, HttpClientContext) 1
org.apache.http.impl.execchain.MainClientExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.execchain.ProtocolExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.execchain.RetryExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.execchain.RedirectExec.execute(HttpRoute, HttpRequestWrapper, HttpClientContext, HttpExecutionAware) 1
org.apache.http.impl.client.InternalHttpClient.doExecute(HttpHost, HttpRequest, HttpContext) 1
org.apache.http.impl.client.CloseableHttpClient.execute(HttpUriRequest, HttpContext) 1
org.apache.http.impl.client.CloseableHttpClient.execute(HttpUriRequest) 1
org.apache.http.impl.client.CloseableHttpClient.execute(HttpUriRequest) 1
com.sonatype.nexus.plugins.healthcheck.service.impl.InsightServiceImpl.execute(HttpUriRequest) 1
com.sonatype.nexus.plugins.healthcheck.service.impl.InsightServiceImpl.doGet(String) 1
com.sonatype.nexus.plugins.healthcheck.service.impl.InsightServiceImpl.getNextRunDeltas(String) 1
com.sonatype.nexus.plugins.healthcheck.task.HealthCheckTask.doDeltaCheck(String) 1
com.sonatype.nexus.plugins.healthcheck.task.HealthCheckTask.doRunSafe() 1
com.sonatype.nexus.plugins.healthcheck.task.HealthCheckTask.doRun() 1
org.sonatype.nexus.scheduling.AbstractNexusTask.call() 1
org.sonatype.scheduling.DefaultScheduledTask.call() 1
org.sonatype.nexus.threads.MDCAwareCallable.call() 1
org.apache.shiro.subject.support.SubjectCallable.doCall(Callable) 1
org.apache.shiro.subject.support.SubjectCallable.call() 1
java.util.concurrent.FutureTask.run() 1
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor$ScheduledFutureTask) 1
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run() 1
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor$Worker) 1
java.util.concurrent.ThreadPoolExecutor$Worker.run() 1
java.lang.Thread.run() 1

So (see https://support.microsoft.com/en-us/help/248020/iis-5-0-error-message-http-1-1-407-proxy-authentication-required ) you have to talk to the proxy administrator

Wednesday, October 4, 2017

Nexus 2.14 not starting "No such file or directory"

scary, all of a sudden I get in the wrapper.log file:

jvm 1 | wrapper | Unable to start JVM: No such file or directory (2)

this is really unimpressive, a decent coder would AT LEAST tell you "WHICH file or directory" could not be found.... but most developers are just selfish jerks who don't care about operations.

I edit the "bin/nexus" script to put a "set -x" at the beginning, and I discover that the command used to execute the wrapper is

/u01/app/admrun/nexus-java/bin/../bin/jsw/linux-x86-64/wrapper /u01/app/admrun/nexus-java/bin/../bin/jsw/conf/wrapper.conf wrapper.syslog.ident=nexus wrapper.pidfile=/u01/app/admrun/nexus-java/bin/../bin/jsw/linux-x86-64/nexus.pid wrapper.daemonize=TRUE

if you run the command with wrapper.daemonize=FALSE you can see the errors directly in the console - which is easier to debug.

useful post here https://stackoverflow.com/questions/29355815/error-in-sonar-startup-unable-to-start-jvm-no-such-file-or-directory-2

there I discover that there is an extra parameter wrapper.java.command, and in fact in wrapper.conf I see

# Set the JVM executable
# (modify this to absolute path if you need a Java that is not on the OS path)

in fact, I don't have "java" in my path:

which java
/usr/bin/which: no java in (/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/u01/app/admrun/bin)

I try to set it to "wrapper.java.command=/u01/app/java/jdk1.8.0_45/bin/java" and it magically works

All this is really, really sad. A start script should CLEARLY validate all preconditions and give a very explanatory message stating what is wrong and how to fix it. Pathetic.
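
The kind of precondition check described above, as an added example (not part of the Nexus distribution or of the original post): it reads wrapper.java.command from a wrapper.conf and reports exactly which file cannot be executed. The function names and the fallback to "java" when the property is unset are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: preflight check for the JVM that the JSW wrapper will launch.
# Function names are illustrative; they are not part of Nexus or the wrapper.

# Print the last uncommented wrapper.java.command value in the given file.
# Assumption: when the property is unset the wrapper runs plain "java".
wrapper_java_command() {
    value=$(sed -n 's/^[[:space:]]*wrapper\.java\.command[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${value:-java}"
}

# Resolve a command the way exec does: a value containing a slash is used
# as a path, a bare name is searched on PATH. Fails when nothing runnable is found.
resolve_command() {
    case $1 in
        */*) [ -f "$1" ] && [ -x "$1" ] && printf '%s\n' "$1" ;;
        *)   command -v "$1" ;;
    esac
}

# Return 0 when the configured JVM can be started, 1 when it cannot,
# 2 when the configuration file itself is unreadable.
check_wrapper_jvm() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read wrapper configuration '$conf'" >&2
        return 2
    fi
    cmd=$(wrapper_java_command "$conf")
    if resolved=$(resolve_command "$cmd"); then
        echo "OK: wrapper.java.command=$cmd resolves to $resolved"
        return 0
    fi
    # This is the situation the wrapper reports only as
    # "Unable to start JVM: No such file or directory (2)".
    echo "ERROR: wrapper.java.command=$cmd (from $conf) cannot be executed" >&2
    case $cmd in
        */*) echo "       '$cmd' does not exist or is not an executable file" >&2 ;;
        *)   echo "       '$cmd' was not found in PATH=$PATH" >&2 ;;
    esac
    echo "FIX:   set wrapper.java.command in $conf to the absolute path of a java binary" >&2
    return 1
}

# Stand-alone use: sh check_wrapper_jvm.sh /path/to/bin/jsw/conf/wrapper.conf
if [ "$#" -gt 0 ]; then
    check_wrapper_jvm "$1"
fi
```

Calling it from bin/nexus before the wrapper is launched turns the bare "No such file or directory (2)" into a message that names the missing binary and the file to edit.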

Tuesday, October 3, 2017

I have deleted my Facebook account

I was wasting way too much time simply browsing through a lot of endless chatter, sometimes almost neurotically/compulsively.

And sometimes I found myself intervening in other people's conversations, gratuitously. And sometimes also polemically.

I feel now a liberated person, I have more free time and I have regained control of the time spent on a PC.

Also, I believe that true friendship can only stem from shared experiences, common values and ideals, and you can't really know someone via an interposed screen and keyboard. So, real friends stay in contact by email; the rest, I don't really care, just like they don't care about me.

Haha I will open a Facebook Closed Group "Facebookist Anonymous" for those who are intoxicated with Facebook - Alcoholics Anonymous style.

Incidentally, group therapies like AA really work - I have quit smoking thanks to a similar group. Maybe the idea of a group therapy to stop wasting a life on the internet can be very effective.

Sunday, October 1, 2017

CentOS VM in VirtualBox connection to Internet

Panic, my new CentOS VM was unable to connect to the internet, no clue what I had done wrong.

Eventually this post gave me the solution https://superuser.com/a/1053605/95314

This is how the Network section is set up (pardon my German)

sudo vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

I am adding


and changing this to yes


and "sudo reboot now"

Now I can happily ping google.com