Saturday, July 27, 2019

Serialization Filtering in Java 10

Seen in WebLogic:

Caused by: java.io.InvalidClassException: filter status: REJECTED
     at java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1258)
     at java.io.ObjectInputStream.readHandle(ObjectInputStream.java:1705)
     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1556)
     at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2288)
     at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2212)
     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2070)

Caused by: java.lang.StackOverflowError
                at java.io.ObjectStreamClass$FieldReflector.getPrimFieldValues(ObjectStreamClass.java:2153)
                at java.io.ObjectStreamClass.getPrimFieldValues(ObjectStreamClass.java:1390)
                at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1532)
                at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:440)
                at com.sun.org.apache.xerces.internal.dom.NodeImpl.writeObject(NodeImpl.java:2019)
                at sun.reflect.GeneratedMethodAccessor2392.invoke(Unknown Source)


Solution (workaround):

-Dweblogic.oif.serialFilterMode=disable

This switches WebLogic's serialization filter off entirely, so it also removes the protection the filter gives against deserializing classes you did not intend to accept. Use it to confirm the diagnosis; the better fix is a filter pattern that allows the class that was REJECTED rather than no filter at all. Note that the second trace is a StackOverflowError thrown while writing (ObjectOutputStream.defaultWriteFields on a Xerces NodeImpl), which points at a very deep object graph (a DOM tree) being serialized, not at the filter: a filter only inspects what is read.

Also consider the other info here:

https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-91735293-E38E-4A81-85DC-719AFEB36026

and the value of the jdk.serialFilter security property in $JAVA_HOME/conf/security/java.security (JDK 9+; $JAVA_HOME/lib/security/java.security on JDK 8), which can also be set per JVM with -Djdk.serialFilter=...
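To see what the filter pattern syntax behind jdk.serialFilter actually does, here is an added example (not code from the page, WebLogic or Oracle's docs; SerialFilterDemo, Payload and Node are names chosen here). It applies a filter per stream with the JDK 9+ java.io.ObjectInputFilter API, using the same pattern language as the jdk.serialFilter property, and shows the three outcomes a practitioner meets: a class that matches the allowlist, a class caught by the trailing "!*" (which is what produces "filter status: REJECTED"), and an allowed class whose object graph is too deep for maxdepth.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {

    // Hypothetical application class standing in for whatever class WebLogic rejected.
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Payload(String note) { this.note = note; }
    }

    // Self-referencing node, used to build a deep graph for the maxdepth limit.
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        Node next;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Same pattern syntax as -Djdk.serialFilter=... / jdk.serialFilter in java.security;
    // applied per stream here so the demo does not depend on JVM flags.
    static Object deserialize(byte[] bytes, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Allowlist: the named classes, then java.util and java.lang, then reject everything
    // else ("!*"). Patterns are tested in order, so the allows must come before "!*".
    static String allowlist(String... extraClasses) {
        StringBuilder sb = new StringBuilder();
        for (String c : extraClasses) sb.append(c).append(';');
        return sb.append("java.util.*;java.lang.*;!*;maxdepth=16;maxarray=10000;maxrefs=1000").toString();
    }

    public static void main(String[] args) throws Exception {
        // 1) allowed: ArrayList, Integer and its superclass Number all match the allowlist
        List<Integer> ok = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("allowed: " + deserialize(serialize(ok), allowlist()));

        // 2) rejected by class pattern: Payload matches nothing before "!*"
        try {
            deserialize(serialize(new Payload("x")), allowlist());
        } catch (InvalidClassException e) {
            System.out.println("class rejected: " + e.getMessage());
        }

        // 3) rejected by a limit: Node is allowed, but a 100-deep chain exceeds maxdepth=16
        Node head = new Node();
        Node cur = head;
        for (int i = 0; i < 100; i++) { cur.next = new Node(); cur = cur.next; }
        try {
            deserialize(serialize(head), allowlist(Node.class.getName()));
        } catch (InvalidClassException e) {
            System.out.println("depth rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java SerialFilterDemo.java` (JDK 11+) or compile it with a JDK 9+ javac. Cases 2 and 3 both surface as InvalidClassException with the message "filter status: REJECTED", which is why the WebLogic trace alone does not tell you whether a class pattern or a limit fired; the JDK logs the rejected class at FINE level under the logger java.io.serialization if you need to know which.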


Monday, July 22, 2019

No suitable client certificate could be found - continuing without client authentication

"No suitable client certificate could be found - continuing without client authentication"

1) are you specifying the password for the key entry? (the KeyManagerFactory needs it to read the private key; for PKCS12 it is usually the same as the keystore password)

2) are you providing the full certificate chain? (chain[0] = the client certificate, then chain[1], chain[2], ... up to the root CA)

3) does the list of accepted issuers the server sends in its CertificateRequest include the issuer of a certificate in the client chain? Java only offers a key entry whose chain contains one of those issuers.

4) do the certificate types / signature algorithms the server accepts (which follow from the negotiated cipher suite) match the key of the client certificate (RSA vs EC, for example)?

5) (same root cause as 2) the whole certificate chain is not in the keystore (see https://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake )



Here is the code https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/sun/security/ssl/ClientHandshaker.java ; as you can see, it's totally pathetic: completely different scenarios produce the same message.
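Rather than guessing which of the five cases applies, the two inputs the key manager matches can be inspected directly. The following is an added example, not code from the page or the JDK; the keystore path, password and URL are supplied on the command line, and ClientCertDiag, LoggingKeyManager, checkChains and contextWithLogging are names chosen here. It walks every key entry's chain (points 2 and 5), then wraps the JSSE X509 key manager so that the key types and issuers from the server's CertificateRequest (points 3 and 4) are printed next to the alias the default manager chose, which is the same information -Djavax.net.debug=ssl:handshake buries in the handshake dump.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

public class ClientCertDiag {

    // Wraps the JSSE key manager and prints what the server asked for; a null alias
    // here is exactly the "No suitable client certificate could be found" case.
    static final class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager d;
        LoggingKeyManager(X509ExtendedKeyManager d) { this.d = d; }

        private String report(String[] keyType, Principal[] issuers, String alias) {
            System.err.println("CertificateRequest: keyTypes=" + Arrays.toString(keyType)
                + " issuers=" + (issuers == null ? "(any)" : Arrays.toString(issuers)));
            System.err.println("chosen alias: " + alias);
            return alias;
        }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) {
            return report(keyType, issuers, d.chooseClientAlias(keyType, issuers, s));
        }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine e) {
            return report(keyType, issuers, d.chooseEngineClientAlias(keyType, issuers, e));
        }
        @Override public String[] getClientAliases(String k, Principal[] i) { return d.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return d.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return d.chooseServerAlias(k, i, s); }
        @Override public String chooseEngineServerAlias(String k, Principal[] i, SSLEngine e) { return d.chooseEngineServerAlias(k, i, e); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }

    // Points 2 and 5: each key entry must carry a chain in which every certificate is
    // signed by the next one; verify() throws if a link is broken, checkValidity() if expired.
    static void checkChains(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("alias " + alias + ": chain length " + chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] " + c.getSubjectX500Principal()
                    + "  issued by  " + c.getIssuerX500Principal());
                c.checkValidity();
                if (i + 1 < chain.length) {
                    c.verify(chain[i + 1].getPublicKey());
                } else if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                    System.out.println("  WARNING: chain does not end in a self-signed root; if the server"
                        + " lists only the root CA as accepted issuer, nothing in this chain will match");
                }
            }
        }
    }

    static SSLContext contextWithLogging(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);   // point 1: this is the key password, not only the keystore password
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) {
                kms[i] = new LoggingKeyManager((X509ExtendedKeyManager) kms[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);   // null trust managers = JDK default trust store
        return ctx;
    }

    // usage: java ClientCertDiag client.p12 changeit https://host:8443/
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[0].endsWith(".jks") ? "JKS" : "PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        checkChains(ks);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(contextWithLogging(ks, args[1].toCharArray()).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Read the two outputs together: if the issuers printed from the CertificateRequest do not appear as an "issued by" line in any chain, the fix is on the chain or on the server's accepted-CA list (cases 2, 3, 5); if the issuers match but the keyTypes do not include your key's algorithm, it is the cipher suite / key type mismatch (case 4).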

Saturday, July 13, 2019

Book: Spring Microservices in Action


This is a brilliantly written book.

https://github.com/carnellj/spmia-chapter1

Microservice Architecture

@SpringBootApplication
@RestController
@RequestMapping
@PathVariable

Flexible, Resilient, Scalable

IaaS, PaaS, SaaS, FaaS, CaaS

Client-side load balancing, Circuit breaker, Fallback, Bulkhead

Log correlation. Log aggregation. Microservice tracing

Spring Cloud:
Netflix Eureka (discovery), Zuul (routing), Ribbon (client-side LB), Hystrix (circuit breaker), Sleuth/Zipkin (log correlation, tracing, aggregation), OAuth2/JWT

https://cloud.spring.io/spring-cloud-security/ Spring Cloud Security

https://jwt.io JSON Web Token

https://travis-ci.org


Hystrix proxies all RestTemplate calls to add a timeout. Ribbon also injects the RestTemplate with all available service instances, for load balancing and failover.


to expose a bean there are 2 ways:
either one of @Component, @Service, @Repository
or @Configuration + @Bean


Apache Thrift, Apache Avro

12 factor apps: codebase in git, dependencies in maven, config separate from code, backing services (DB etc.) treated as attached resources,
immutable builds, stateless processes, port binding, horizontal scaling, disposable services, dev/prod parity, logs as streams (Splunk, fluentd), admin tasks as scripts.


Actuator health check.








Friday, July 12, 2019

dockerfile cmd and entrypoint

very confusing, poor design IMHO


Dockerfile:

FROM ubuntu
ENV myname "pierre"
ENTRYPOINT ["/bin/bash", "-c", "echo hello ${myname}"]


docker build -t hello01 .
docker run hello01





FROM ubuntu
ENTRYPOINT ["sleep"]

docker build -t hello02 .

# this sleeps for 5s (the argument is appended to the ENTRYPOINT)
docker run hello02 5

# this fails because the argument is missing (sleep: missing operand)
docker run hello02



FROM ubuntu
ENTRYPOINT ["sleep"]
CMD ["5"]


this version uses a default of 5 when nothing is given on the command line (CMD supplies the default arguments to ENTRYPOINT, and anything after the image name replaces CMD):
"docker run hello02" will sleep for 5
"docker run hello02 10" will sleep for 10









Thursday, July 11, 2019

Java JSSE SSL flags

-Djavax.net.debug=help

all            turn on all debugging
ssl            turn on ssl debugging

The following can be used with ssl:

record         enable per-record tracing
handshake      print each handshake message
keygen         print key generation data
session        print session activity
defaultctx     print default SSL initialization
sslctx         print SSLContext tracing
sessioncache   print session cache tracing
keymanager     print key manager tracing
trustmanager   print trust manager tracing
pluggability   print pluggability tracing

handshake debugging can be widened with:

data           hex dump of each handshake message
verbose        verbose handshake message printing

record debugging can be widened with:

plaintext      hex dump of record plaintext
packet         print raw SSL/TLS packets

Options are combined with ":" e.g. -Djavax.net.debug=ssl:handshake:verbose


Other not-so-famous properties:


https://www.oracle.com/technetwork/java/javase/overview/tlsreadme2-176330.html

-Dsun.security.ssl.allowUnsafeRenegotiation=true

-Dsun.security.ssl.allowLegacyHelloMessages=true

https://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html

-Djdk.tls.allowLegacyResumption=true

-Djdk.tls.allowLegacyMasterSecret=true

-Djdk.tls.traceHandshakeException=true

-Djdk.tls.useExtendedMasterSecret=true

-Djdk.tls.legacyAlgorithms=???

-Djdk.tls.ephemeralDHKeySize=???

https://docs.oracle.com/javase/10/security/java-secure-socket-extension-jsse-reference-guide.htm


jdk.tls.client.cipherSuites

jdk.tls.server.cipherSuites






Wednesday, July 10, 2019

kubectl generators and restart option

https://kubernetes.io/docs/reference/kubectl/conventions/#generators

the only non-deprecated generator is "run-pod/v1":

kubectl run nginx --image=nginx --generator=run-pod/v1 --dry-run -o yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: nginx
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}



kubectl run nginx --image=nginx --dry-run -o yaml

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        resources: {}
status: {}



# create the nginx Pod only (--restart=Never selects the Pod generator)

kubectl run nginx --image=nginx --port=80 --restart=Never --dry-run -o yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: nginx
    ports:
    - containerPort: 80
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}


# create a Deployment named nginx, which in turn creates the Pod (--restart=Always is the default)

kubectl run nginx --image=nginx --port=80 --restart=Always --dry-run -o yaml

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
        resources: {}
status: {}