Thursday, July 31, 2014

Book: If this is a man

Watching this video of a Palestinian ambulance shot by IDF, and of a Palestinian journalist, Rami Rean, killed by the same, I can only think of the BEAUTIFUL book of an Italian Jew, miraculously escaped from Auschwitz, Primo Levi.

I have read this book 25 times and never get tired. And the more I see what IDF is doing to people in Gaza, the more it reminds me of what the Nazis have done to the Jews.

You who live safe
In your warm houses,
You who find, returning in the evening,
Hot food and friendly faces:

Consider if this is a man
Who works in the mud,
Who does not know peace,
Who fights for a scrap of bread,
Who dies because of a yes or a no.
Consider if this is a woman
Without hair and without name,
With no more strength to remember,
Her eyes empty and her womb cold
Like a frog in winter.

Because such is the life in Gaza, such is the life under any "ism" - Nazism, Fascism, Zionism, Communism, and why not some sort of Capitalism.

I am not defending Hamas, Hamas is a Creation of Mossad and they deserve all desecration just like the semi-fascist government of Netanyahu.

I am sure these images will never appear on the mainstream TV.

Even now my voice is reaching millions throughout the world, millions of despairing men, women, and little children, victims of a system that makes men torture and imprison innocent people.

Wednesday, July 30, 2014

setfacl and getfacl in action

I had no clue that in Linux you can grant specific access rights to an individual user on a file/folder, using setfacl:
[root@osb-vagrant opt]# umask
[root@osb-vagrant opt]# cd /opt
[root@osb-vagrant opt]# mkdir pippo
[root@osb-vagrant opt]# ls -ltra
drwxr-xr-x   2 root root 4096 Jul 30 11:36 pippo
[root@osb-vagrant opt]# getfacl /opt/pippo
# file: pippo
# owner: root
# group: root

Since my umask is 0022, a directory I create is by default not writable by any other user (others get read and execute only). For instance, user "soa" can't create a file in /opt/pippo:

[soa@osb-vagrant pippo]$ cd /opt/pippo
[soa@osb-vagrant pippo]$ touch ciao.txt
touch: cannot touch `ciao.txt': Permission denied

But this can be changed!

[root@osb-vagrant opt]# setfacl -m u:soa:rwx /opt/pippo
[root@osb-vagrant opt]# getfacl /opt/pippo
getfacl: Removing leading '/' from absolute path names
# file: opt/pippo
# owner: root
# group: root

Notice here the new element "user:soa:rwx".

At this point, user "soa" can create a file in /opt/pippo ! But no other user can...

See also for more advanced examples.

In Puppet:

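# -d sets the default ACL inherited by new files under /zdata/; o::rwx opens them to every local user
exec {'/usr/bin/setfacl -R -dm u::rwx,g::rwx,o::rwx /zdata/':
      require => Mount["${inbound_messages_path}"],
}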
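
An added example (not from the original post): a Python audit of getfacl output that lists named-user and named-group entries with the rights they actually get once the mask is applied, and flags any "other" entry that can write, as in the default ACL the Puppet command above sets. The sample output is constructed, and the narrow mask in it is an assumption chosen to show an entry being cut down.

```python
import re

# Constructed sample in `getfacl` output format (not copied from the post):
# a named-user entry, a mask narrower than that entry, and a default ACL
# like the one `setfacl -R -dm u::rwx,g::rwx,o::rwx` produces.
SAMPLE = """\
# file: opt/pippo
# owner: root
# group: root
user::rwx
user:soa:rwx\t\t\t#effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::rwx
"""

ENTRY = re.compile(r"(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])")


def parse_getfacl(text):
    """Split getfacl output into (access, default) lists of (tag, name, perms)."""
    access, default = [], []
    for raw in text.splitlines():
        # Drop "# file:" headers and trailing "#effective:" annotations.
        m = ENTRY.fullmatch(raw.split("#", 1)[0].strip())
        if m:
            (default if m.group(1) else access).append(m.group(2, 3, 4))
    return access, default


def effective(perms, mask):
    """AND an entry with the mask; None means the ACL has no mask entry."""
    if mask is None:
        return perms
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))


def audit(text):
    """Return (scope, entry, granted, effective) for entries worth reviewing."""
    findings = []
    for scope, entries in zip(("access", "default"), parse_getfacl(text)):
        mask = next((p for tag, _, p in entries if tag == "mask"), None)
        for tag, name, perms in entries:
            if tag in ("user", "group") and name:
                # Named entries are limited by the mask; owner and other are not.
                findings.append((scope, f"{tag}:{name}", perms, effective(perms, mask)))
            elif tag == "other" and "w" in perms:
                findings.append((scope, "other", perms, perms))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the sample, "soa" is granted rwx but the mask reduces that to r-x, which is what happens when someone later runs chmod on a directory that carries ACL entries.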

Saturday, July 26, 2014

Book: We Are the Romani People

This is an excellent book from an erudite Romani (Gipsy) Linguistics scholar, telling whatever can be reasonably told about the origin of the Romani people, the evolution of their language, the horrific history of slavery, pogroms, porrajmos (the Nazis killed at least 1 million Romani, but since they don't have a powerful financial lobby in NY, you'll never hear about that, and they never got either compensation or a "Promised Land" stolen from its previous occupants), expulsion, persecutions, discrimination etc.

It also narrates the attempts made to form a Romani Nation, and even to get some land to settle permanently (grotesque the request made to Mussolini to get part of Somalia....grotesque? I think another Nation got some land in 1948, and not many people found it grotesque...)

Once you read this book you will really get a better grasp of this great civilization of artists, merchants, traders whose history is so similar to that of the Jews.

Wednesday, July 23, 2014

Eclipse: creating a weblogic-enabled project

When you create a Java project, it's NOT faceted

This project is not configured to use project facets. Converting this project to faceted form will allow you to easily control the available technologies.

and its .project file contains:

<?xml version="1.0" encoding="UTF-8"?>

If you click on "convert to faceted form" you get an extra builder, org.eclipse.wst.common.project.facet.core.builder, in the .project file, and an extra nature, org.eclipse.wst.common.project.facet.core.nature.

Once you have a faceted project, you can associate it to a Runtime:

which allows you to enable WebLogic System libraries:

Let's be frank, it could be simpler, not least because NOT all WebLogic classes are available in the System Libraries: often one has to hunt right and left for the right jar.

Tuesday, July 22, 2014

Open letter to John Kerry

Dear John Kerry,

we love America - you set us Italians free from Mussolini - and we love Jewish people, who gave birth to geniuses like J.Christ, K.Marx, S.Freud, A.Einstein, N. Chomsky . Top people. Love them.

BUT I think our IDF friends have gone a bit too far in Gaza. Maybe the pictures of dismembered Palestinian children, pregnant women torn apart and medical staff being shot at don't make it on your laptop, but they make waves around the world and they tarnish the compassion that humanity has for the Jews.

You are a great, good man and I think you should get on the front line and set things straight, reestablishing the confidence that humanity has in America and in Judaism.

So this is my offer: I will pay you a first class flight to Tel Aviv, private limousine picking you up from the airport and bringing you to Gaza City, visit to a couple of Gaza hospitals where you will be able to assert the job done by IDF, night in 5 stars hotel in Tel Aviv and flight back to America.

I don't expect anything from you in return, no public declarations, no "let's stop Gaza attacks now" decisions..... just watch with your eyes the horror created by the war, see the Palestinian children disemboweled and agonizing, then go back to your family. I am sure you know this horror, back from the time you served in Viet-Nam.

If you accept, just contact me on this blog, I will immediately wire you the funds.



Revocation information for the security certificate for this site is not available.

One of our workstations was regularly getting this popup: "Revocation information for the security certificate for this site is not available. Do you want to proceed?". It's a Windows 7 machine.

Clicking on "view certificate" showed one of our certificates. Opening the certificate, we discovered that it references a Certificate Revocation List.

They tried "Start, then Control Panel, then Internet Options, then Clear SSL State"; they also checked that the date/time was correct.

This article is a sort of universal source of truth for this issue.

Then we discovered simply that the CRL URL was not accessible from that workstation, because the proxy was blocking it. Granting access to that URL solved the issue.

Sunday, July 20, 2014

A message from a young girl in Gaza to Israel and the rest of USofA

Here is a list of the victims so far, with their age... guess what, mostly adolescents and children. Of course no western media will ever report their name nor their picture: they are Palestinian Terrorists!

Incidentally these very honest people are sending medical relief to Gaza, I am donating 1000 dollars, I cannot sit and do nothing without losing respect for myself.

Thursday, July 17, 2014

OSB and the Load Balancer Source-IP (X-Forwarded-For)

If you configure the load balancer correctly, OSB should be able to retrieve the actual client (originator) IP address:

tran:user-header name="Source-IP" value=""

      <con:endpoint name="ProxyService$PVLoadBalancerTest$PVLoadBalancerTestPS" xmlns:con="">
            <con:request xsi:type="http:HttpRequestMetaData" xmlns:http="" xmlns:xsi="">
               <tran:headers xsi:type="http:HttpRequestHeaders" xmlns:tran="">
                  <tran:user-header name="Source-IP" value=""/>
                  <http:User-Agent>Jakarta Commons-HttpClient/3.1</http:User-Agent>
               <tran:encoding xmlns:tran="">iso-8859-1</tran:encoding>
            <con:response xsi:type="http:HttpResponseMetaData" xmlns:http="" xmlns:xsi="">
               <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:tran="">
               <tran:response-code xmlns:tran="">0</tran:response-code>

while http:client-host and http:client-address refer to the load balancer's (fixed) IP address.

How the LB should be configured, I have little clue; I only know that they do an "Insert Src IP Addr..: Header field : "Source-IP"". See here for instructions for a specific product, Citrix NetScaler.

this XPath will extract the info :


In order to log this IP in the WebLogic access.log file, see document "How to obtain the correct Client IP address when a Physical Load Balancer and a Web Server Configured With Proxy Plug-in Are Between The Client And Weblogic (Doc ID 1375129.1)", where they explain the "Insert XForwardedFor" , the "WL-Proxy-Client-IP" and the "WebLogic Plug-In Enabled".

See also

From the Console Help of "WebLogic Plug-In Enabled" I read:

Set this attribute to true if the cluster will receive requests from a proxy plug-in or HttpClusterServlet. When WeblogicPluginEnabled is true, a call to getRemoteAddr will return the address of the browser client from the proprietary WL-Proxy-Client-IP header, instead of the web server.

So I believe that the name of the header should be changed from "Source-IP" to "WL-Proxy-Client-IP" in order to be able to capture it.... too bad it's not configurable... no, wait, the doc says "Since 10.3.3 it is possible to configure a specific header that WLS will check when getRemoteAddr is called. That can be set on the WebServer Mbean.". It looks like they refer to this method.

One should then choose HTTP Logging as ELF (Extended Logging Format), by default the fields are "date time cs-method cs-uri sc-status". One should add cs(X-Forwarded-For) or cs(Source-IP) or whatever name you are using for the header.

From the Oracle DOC 1375129.1:

1. At weblogic end, you need to enable the "WebLogic Plug-In Enabled" This option can be set both at the cluster level or server level.

WebLogic Plug-In Enabled:

Set this attribute to true if the cluster will receive requests from a proxy plug-in or HttpClusterServlet. When WeblogicPluginEnabled is true, a call to getRemoteAddr will return the address of the browser client from the proprietary WL-Proxy-Client-IP header, instead of the web server.

For non-clustered servers that will receive proxied requests, this attribute may be set at the server level, on the Server > Configuration >General tab.

If you want to set it at cluster level, ex: Home >Summary of Servers >Summary of Clusters >new_Cluster_1 > General > Advanced

2. At the load balancer end, you need to create an HTTP profile and then enable "WL-Proxy-Client-IP: [IP::client_addr]", and also enable "Insert XForwardedFor"
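
An added example, not part of the original post or of OSB/WebLogic: a header such as "Source-IP" or X-Forwarded-For is ordinary request data, so it is only worth logging or authorising on when the request really arrived through the load balancer. This Python function honours the header only when the TCP peer (the value OSB exposes as http:client-address) is a known proxy; the proxy addresses and sample requests are constructed assumptions.

```python
import ipaddress

# Hypothetical deployment values: the fixed addresses of the load balancers.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.10/32"),
    ipaddress.ip_network("10.0.0.11/32"),
]


def _parse(addr):
    """Return an ip_address object, or None when the text is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _trusted(ip, proxies):
    return ip is not None and any(ip in net for net in proxies)


def client_ip(peer_addr, headers, header="Source-IP", proxies=TRUSTED_PROXIES):
    """Pick the client address for logging or access decisions.

    peer_addr: address of the TCP peer that connected to the server.
    headers:   list of (name, value) pairs, duplicates kept in arrival order.
    """
    # Direct connection: whatever the header says was written by the client.
    if not _trusted(_parse(peer_addr), proxies):
        return peer_addr
    hops = [h for name, value in headers if name.lower() == header.lower()
            for h in value.split(",") if h.strip()]
    # Walk right to left: our own proxies append last, so the first address
    # that is not one of them is the closest thing to the real client.
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            return peer_addr          # malformed chain: fall back to the peer
        if not _trusted(ip, proxies):
            return str(ip)
    return peer_addr                  # header missing or only our own proxies


if __name__ == "__main__":
    # Constructed requests (documentation address ranges).
    print(client_ip("10.0.0.10", [("Source-IP", "203.0.113.7")]))
    print(client_ip("198.51.100.9", [("Source-IP", "127.0.0.1")]))
    print(client_ip("10.0.0.10",
                    [("X-Forwarded-For", "127.0.0.1, 203.0.113.7, 10.0.0.11")],
                    header="X-Forwarded-For"))
```

The same reasoning applies to WL-Proxy-Client-IP: enabling "WebLogic Plug-In Enabled" makes getRemoteAddr return a header value, so the servers should only be reachable through the proxy that sets it.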

view git README.markdown files

I am not going to check in a readme file only to discover that its formatting sucks on github or stash... and have to repeat the entire cycle some dozen times...

This seems to solve my problem.... it's online.... it's very sleek with plenty of options I will never use... this until I find some free LOCAL tool - like a notepad++ plugin (in the meantime, you can use this Syntax Highlighting tool for Notepad++)

Wednesday, July 16, 2014

Eclipse, javax.servlet.http cannot be resolved to a type

So, in StinkEclipse, editing a WebApplication, in a JSP you make a reference to javax.servlet.http.HttpServletRequest and you get a red "javax.servlet.http cannot be resolved to a type".

I guess this is because even in 2014 they maintain this stupid division between JSE and JEE, making your life so miserable. So HTTP is part of JEE and not available by default. Why this, I guess to save a few bytes. Morons.

This is the solution in 3 steps

in the Eclipse Windows Preferences

in your project properties

Guys at Eclipse, this is really a friendly advice, have you considered some other hobby, like knitting, or bicycle repair? At least you would not do so much damage to the developers community... and leave IDE development to the real pros, like IntelliJ or Netbeans people...

No, wait, a failed bike repair could kill someone.... better if you stick to IDEs...

Sunday, July 13, 2014

Book: The Spinoza Problem

I have rarely read such a deep, penetrating book... at the beginning the continuous jumping back and forth between the 2 characters of Spinoza and Rosenberg is a bit annoying, but after some time you get used to it. This book gives very good historical coverage of the persecution of the Jews in Portugal and of the Jewish community in Amsterdam in the 17th century.

One can only feel deep sympathy for the young Spinoza, confronted with some fanatic Jewish priests - and a community of bigot believers - who saw their power endangered by the vivid, critical and frank intelligence of this genius.

I have personally felt quite uninterested by the Rosenberg story, most Nazi ideologists were simply dumb mean sick people (I have read the autobiography of Rudolf Höss and it's just damn dumb and boring), and Rosenberg was just one more puppet in the hands of a much bigger, smart and powerful puppeteer....

Book: Rogue State: A Guide to the World's Only Superpower

Rogue State: A Guide to the World's Only Superpower

I highly recommend this book, historically very accurate, about the history of interventions (covert or open) of US in the rest of the world... a vivid recollection of mass massacres around the world, perpetrated in the name of the interest of the ruling financial elite.

Friday, July 11, 2014

windows remote desktop: The Local Security Authority cannot be contacted

Trying to connect to a Windows 7 Desktop, using "windows remote desktop", get this very explanatory message "The Local Security Authority cannot be contacted".

After wasting one hour finding an appropriate monitor to connect to the box, I discovered that the password had simply expired.

Just one extra (of the already billions) reason to hate Microsoft.

WebLogic supported Cyphers

The list of the possible strong cyphers is not that long:

AES256-GCM-SHA384   TLSv1.2  Kx=RSA  Au=RSA  Enc=AESGCM(256)  Mac=AEAD
AES256-SHA256       TLSv1.2  Kx=RSA  Au=RSA  Enc=AES(256)     Mac=SHA256
AES128-GCM-SHA256   TLSv1.2  Kx=RSA  Au=RSA  Enc=AESGCM(128)  Mac=AEAD
AES128-SHA256       TLSv1.2  Kx=RSA  Au=RSA  Enc=AES(128)     Mac=SHA256
AES256-SHA          SSLv3    Kx=RSA  Au=RSA  Enc=AES(256)     Mac=SHA1
DES-CBC3-SHA        SSLv3    Kx=RSA  Au=RSA  Enc=3DES(168)    Mac=SHA1
AES128-SHA          SSLv3    Kx=RSA  Au=RSA  Enc=AES(128)     Mac=SHA1

and they are all supported by most popular Content Delivery appliances.

According to Oracle doc, WebLogic supports SSL3 and TLS1, you can restrict the protocols with the 2 properties and (funnily it seems that the property value is spelled slightly differently in the 2 properties)

Interestingly it seems that support for TLS version > 1.0 is available only with Java 7.

So if you run on Java 6 the only option available is using SSL3.

WebLogic these days supports only the "JSSE-based SSL implementation", and the Cypher Suites are listed here for Java 6 and Java 7
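
An added example (not from the original post or from Oracle): the seven suites listed above run through a Python check of the properties visible in their columns. It assumes the lines are in `openssl ciphers -v` format, where the second column is the protocol version that introduced the suite, not the only version it can be negotiated under.

```python
# The suites exactly as listed in the post.
LISTED = """\
AES256-GCM-SHA384  TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256      TLSv1.2 Kx=RSA Au=RSA Enc=AES(256)    Mac=SHA256
AES128-GCM-SHA256  TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256      TLSv1.2 Kx=RSA Au=RSA Enc=AES(128)    Mac=SHA256
AES256-SHA         SSLv3   Kx=RSA Au=RSA Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA       SSLv3   Kx=RSA Au=RSA Enc=3DES(168)   Mac=SHA1
AES128-SHA         SSLv3   Kx=RSA Au=RSA Enc=AES(128)    Mac=SHA1
"""


def parse_suites(text):
    """Turn each line into a dict: name, proto, plus the Kx/Au/Enc/Mac fields."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({"name": parts[0], "proto": parts[1], **fields})
    return suites


def findings(suite):
    """Properties a reviewer would note before calling a suite strong."""
    notes = []
    if suite.get("Kx") == "RSA":
        # The session key is encrypted to the server's long-term key, so a
        # later compromise of that key exposes recorded traffic.
        notes.append("static RSA key exchange: no forward secrecy")
    if suite.get("Enc", "").startswith("3DES"):
        notes.append("3DES: 64-bit block size")
    if suite.get("Mac") != "AEAD":
        notes.append("not AEAD: MAC-then-encrypt construction")
    if suite.get("proto") == "SSLv3":
        notes.append("negotiable under SSLv3 unless that protocol is disabled")
    return notes


def report(text):
    return {s["name"]: findings(s) for s in parse_suites(text)}


def preferred(text):
    """Suite names ordered from fewest findings to most (stable sort)."""
    return [s["name"] for s in sorted(parse_suites(text),
                                      key=lambda s: len(findings(s)))]


if __name__ == "__main__":
    for name, notes in report(LISTED).items():
        print(f"{name:20} {'; '.join(notes)}")
    print("preference order:", preferred(LISTED))
```

Every suite in the list carries the first finding, and only the two GCM suites carry nothing else.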

Thursday, July 10, 2014

wlst goes in OutOfMemory... what to do?

If you invoke the, it's a can of worms of intricate shell calls, hard to disentangle:


plus other stuff....

After some hunting, I discover that the JVM memory options are set in:

and hardcoded to
MEM_ARGS=-Xms32m -Xmx200m -XX:MaxPermSize=128m

and there is no way you can pass these parameters BEFORE calling the script...

So finally your only option is to change persistently...

Don't tell me this sucks, I already know...

So if you get the dreaded "Error: GC overhead limit exceeded", you can increase the MEM_ARGS settings or try to disable the error (I don't think this will help) with

Israel bombing of Gaza: a very lame excuse

A few general meditations about the current destruction Israel is carrying out in a foreign country - in violation of all the possible international conventions.

*) 3 young Israelis are kidnapped by Palestinians on a road leading to a Settlement.
As far as I know all the roads to Settlements are strictly forbidden to Palestinians, apart the very few with a special permit. It should not be difficult to track them down and punish them.
What? 3 Israelis accepting to board a car driven by Palestinians? In an area where almost only Israeli people are driving by? That sounds VERY weird.
A later version says that 2 of the kidnappers were Palestinians disguised as Jews. I think only a non-Jew could let himself be fooled into mistaking a Palestinian for a Traditional Jew, it's like for me to mistake a Norwegian for a Neapolitan... not for a split second... How many people can stay in a car, 5, the 3 kids and the 2 kidnappers.... so...

*) Minutes after the family receives a call from one of the boys, saying "we have been kidnapped".
Of course, nobody these days carries cell phones, how could the kidnappers think of searching the 3 boys for phones

*) in the phone call, 2 voices of the kidnappers are heard with strong Arabic accent, then shooting happens
of course, when the 3 kids boarded the car, the kidnappers were speaking perfect Hebrew without any accent...

*) although the father reported it to the police, they started acting only 3 hours later
Wait, Israel is spending zillions of dollars to bomb Gaza in retaliation, but when they were told they waited 3 hours to take action? Mmmmmm..... And also, I am almost sure all the area is closely surveilled by satellite... are they searching for satellite images to detect who carried out the kidnapping?

*) The corpses of the 3 young Israelis are found the day after in Palestinian territory
As far as I know it's impossible to cross the border without being fully searched. Smuggling 3 corpses should be next to impossible.

More details are available here

I stop here... it's all really sad. I have full sympathy for Jews, but not for war criminals.

For those who like history, please read about the events that led to Kristallnacht, and tell me how different is what the Nazis did and what Israel is doing - a series of Pogroms against Palestinians.

Wednesday, July 9, 2014

WebLogic session.invalidate() is not enough

Implementing security correctly in WebLogic can be a daunting task. There are so many caveats and dodgy behaviors, and not everything is CLEARLY documented.

Suppose I have protected all my JSPs with this clause in web.xml:

                These pages are only accessible by authorized
                These are the roles who have access.
                This is how the user data must be transmitted.

and the role "admin" is defined in a weblogic.xml:


At this point all your JSP require that you are authenticated.

To logout, you can provide this JSP code:

request.logout();  // only from WebLogic 12, requires Servlet 3.0

Without the "invalidateAll(...)", it will not work. Apparently the session information is still kept on the server, and the session will be immediately resumed without asking you to authenticate again. Frustrating. Documentation on this topic is a bit confusing.

Tuesday, July 8, 2014

OSB, Multipart Email and reading attachments in IPad

How to send an email with attachment in OSB is already covered elsewhere.

However there are some caveats: some email clients like IPad/IPhone are really picky, and they don't handle correctly a PDF in attachment if the OSB default is used.

Here it says: OSB when an attachment is present in the message, OSB is overriding the "Content-Type" property to "multipart/related" in spite of me setting the "Content-Type" property of HTTP Transport Header in OSB

The problem is that an IPad seems to handle correctly only messages with "Content-Type" = multipart/alternative or multipart/mixed. So the only choice is to build the $body message yourself before sending it to the SMTP Mail Business Service, hardcoding the multipart/alternative. By no means should you have Content-ID around: IPad doesn't like them.

This is done in an Oracle Support article : Service Bus 11g: How to Send a Multipart Email (Doc ID 1561677.1)

To import the project in a OSB version prior to, in ExportInfo, change : imp:property name="productversion" value="" and rejar everything.

Refer to for comprehensive explanation of MIME standards.

Gmail menu "show original" was essential to debug the actual email content.

See also this article where Apple support warns about possible issues with attachment... guys, how about testing better your code and make it more robust?

Also, always remember to delete $attachments variable before you route to BS !

One more thing: it seems that iOS changes the filename into filename="mime-attachment.pdf" for large PDF ( > 50 KB approximately). This is really really weird. no workaround so far. Not a HUGE issue, but still annoying. Actually this seems to happen only if there is a space in the filename...

Sunday, July 6, 2014

Stormy weather...

This huge secular tree - along with many, many others - was uprooted on Friday by a freaky storm over the Lausanne lake.

People here assure they have never seen anything like that before.

A gym colleague working in the insurance industry tells me that in the last 5 years these extreme weather events are becoming so frequent and unpredictable that the insurance industry is unable to handle this kind of business any longer, because forecasts are irremediably too optimistic and reality is always a lot worse.

All this spells "we are screwed"... and more than us, our children are screwed and - if anybody is still fool enough to put someone in this collapsing world - our grandchildren too are super-screwed.

Friday, July 4, 2014

BEA-090487: The peer is rejecting the certificate chain as being untrusted or incomplete

I see some errors like:

BEA-090487: UNKNOWN_CA alert received from . The peer is rejecting the certificate chain as being untrusted or incomplete

The doc says:

Warning: UNKNOWN_CA alert received from peer. The peer is rejecting the certificate chain as being untrusted or incomplete.

The certificate chain was not trusted by the peer.

The peer is not configured to trust the CA that signed the certificate chain.

Review the certificate chain and the peer trusted CA configuration to determine whether the peer should be trusting the certificate chain or whether a new certificate chain is required that is trusted by the peer.

From the HTTP access logs, I discovered that someone hit our HTTP service with a browser which was not trusting our certificate... so the solution is simply add a security exception in the browser.

Thursday, July 3, 2014

wget for Windows

If you are stranded on a Windows machine and you need to do a wget, you will be horrified to discover that there is no such tool.
Here they show how to use PowerShell to emulate the command.
For me, this simple code worked:
run PowerShell,

Function Get-Webclient ($url, $out) {
 # Download $url and save it to the local path $out
 $request = New-Object System.Net.WebClient
 $request.DownloadFile($url, $out)
}

Get-Webclient "" "C:\tmp\Foo3.txt"

Windows is so pathetic that if I were a Microsoft developer I would pretend I work serving fries in a Mac Donald to avoid being shunned by my neighbors...

George Carlin and the Freak Show

One of the greatest philosophers - unfortunately no longer living.