Build secure Web applications by reading Iron-Clad Java

Building secure Web applications isn’t easy and involves many aspects that the development team has to consider and take into account. The book “Iron-Clad Java: Building Secure Web Applications” is a good starting point for learning the concepts, tactics, patterns and anti-patterns needed to develop, deploy and maintain secure Java applications. With 304 pages the book is more about giving an overview and pointers for further reading and research, but it works quite nicely in that regard.

“Iron-Clad Java: Building secure Web applications”

As the name suggests, “Iron-Clad Java: Building Secure Web Applications” by Jim Manico and August Detlefsen is targeted at Java developers, but it is also suitable reading for less technical people on the team, such as project managers and managers, as it doesn’t go too deeply into technical aspects or code. After reading the book even the managers should have an appreciation of security and the vocabulary to discuss it with their staff. The reader should get a solid understanding of what is wrong with many web apps in general and what corrective measures to take to mitigate the issues. The book was published in September 2014 and has 304 pages (ISBN-13: 978-0071835886).

The book covers topics like secure authentication and session management processes, access control design, defending against cross-site scripting (XSS) and cross-site request forgery (CSRF), protecting sensitive data at rest and in transit, preventing SQL injection, ensuring safe file I/O and upload, using effective logging, error handling and intrusion detection methods, and also a guide to the secure software development lifecycle (secure SDLC). The topics combine theory and practice so that they are approachable for developers new to security and for those who are a little inexperienced, while still providing useful nuggets for experienced developers.

For better or worse, the book gives somewhat opinionated answers about which techniques and tools you can use to address security issues, but overall the advice is solid, unbiased and more or less framework agnostic. So, the lessons learned should apply to any project. For me, writing examples with e.g. JSP and Struts makes me question whether the other tools the book suggests (which I wasn’t familiar with) are also suitable for modern Java EE application development. Something to look into after reading the book. Also, OWASP seemed to have an answer to almost every security aspect.

Anyways, the book’s advice isn’t about using certain technologies but about giving you something to think about and educating you about the security aspects of your Java Web application. What matters is that the book explains why you need to implement a specific control for a given issue, how you could do it and what the impacts are. This is what many security professionals miss when speaking to developers. The book tells you what the security problem is and then why and how you should fix it, so it makes sense for developers.

Taking care of Web application security isn’t just for architects and developers; it’s also a topic whose importance the whole team should know and understand. “Iron-Clad Java: Building Secure Web Applications” gives a good overview of security and is suitable for the whole development team to read.

Creating Vagrant Base Box with Veewee

Vagrant is a great tool for creating and configuring lightweight, reproducible, portable virtual machine environments, but the first step in using Vagrant, downloading an existing “base box”, raises some questions, e.g. how are these unverified boxes built? So, you might end up building your own base box, which is often time consuming and cumbersome. Fortunately there’s a tool called Veewee which aims to automate all the steps of building base boxes and to collect best practices in a transparent way.

Vagrant Base Box with Veewee

Veewee is a tool for easily (and repeatedly) building custom Vagrant base boxes, KVMs, and virtual machine images. You can use it to build a Vagrant box in Linux, Mac OS X and Windows but I found out that fulfilling the requirements on Windows is quite difficult (read Ruby and RVM) so just forget it.

To get you started there are some requirements you need to fulfill. First you’ll need to install at least one of the supported virtual machine providers, such as VirtualBox, and second you need some development libraries.

On Ubuntu 15.04 Linux and using VirtualBox you need these packages:

$ apt-get install virtualbox git curl ruby ruby-dev libxslt1-dev libxml2-dev zlib1g-dev

Install RVM on Linux

For the Ruby environment it’s recommended to use either rvm or rbenv. I chose RVM and followed the RVM install documentation.

Install mpapis public key:

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

If the keyserver fails, you can import the key with curl instead:

$ curl -sSL https://rvm.io/mpapis.asc | gpg --import -

Install RVM stable with ruby:

$ \curl -sSL https://get.rvm.io | bash -s stable --ruby

Installing Veewee with RVM

With RVM already installed, ensure a ruby version that’s supported by Veewee is available on your machine:

$ source /home/marko/.rvm/scripts/rvm
$ rvm install ruby

Clone the veewee project from source:

$ cd <path_to_workspace>
$ git clone https://github.com/jedi4ever/veewee.git
$ cd veewee

Set the local gemset and ruby version within the current directory:

$ rvm use ruby@veewee --create

Run bundle install to install Gemfile dependencies for your local gemset:

$ gem install bundler
$ bundle install

Bundle install will take some time.

Building Vagrant Box with Veewee

Veewee uses definitions to build new virtual machines. A ‘definition’ is derived from a ‘template’, and preconfigured templates are found in the templates/ folder. Veewee Basics explains how you can create your own customized definition.

For my customized Vagrant Box I decided to use Tommy Muehle’s definition as a template as it contained what I wanted: a simple CentOS 6.6 box with Puppet. I just changed the localization to Finland and made it bigger with the WebLogic use case in mind. My definition for the Vagrant Box can be found in GitHub.

To use my definition, just clone the repository for the CentOS 6.6 Box, copy the “centos-6.6-x86_64_puppet” folder to the definitions/ folder under Veewee and make your own changes if needed. After you’re done, run:

$ bundle exec veewee vbox build centos-6.6-x86_64_puppet

The build command runs Veewee scripts and automates the manual steps needed while installing a new Linux distribution.

Installing CentOS to Vagrant Box with Veewee

To export the Box for further use with Vagrant, run:

$ bundle exec veewee vbox export centos-6.6-x86_64_puppet

The above command is actually calling “vagrant package --base 'centos-6.6-x86_64_puppet' --output 'boxes/centos-6.6-x86_64_puppet'”. The machine gets shut down, exported and packed into a centos-6.6-x86_64_puppet.box file inside the current directory.

And you’re all done. Now you can use the base box you just created for Vagrant boxes. Import it into Vagrant’s box repository and use it to initialize a fresh project:

$ vagrant box add 'centos-6.6-x86_64_puppet' 'centos-6.6-x86_64_puppet.box'
$ vagrant init 'centos-6.6-x86_64_puppet'

Using Veewee to build a Vagrant Box is simple and, what’s more important, it’s automated and reproducible. Using Ruby and RVM on Windows 7 turned out to be practically impossible, but an old ThinkPad W510 with Ubuntu 15.04 worked nicely. Of course you could create a base box the Vagrant way, which means installing and configuring your Linux manually. But why would you want to do that if you can just automate it?

Starting iOS development with Swift

Mobile application development differs between platforms, and after doing a couple of applications for the Sailfish OS powering the Jolla phone it was finally time to see what other platforms have to offer. I develop Java applications at work so it was logical to look into iOS and learn some Swift. The Internet is full of resources on how to start developing for iOS and here’s my take on the topic. Now I just need an iPhone to run my app on a real device :)

Getting started

Coming from the Java EE and Web application world, it’s good to read some documentation about mobile application development for iPhone and iOS before starting to code. You need to learn the basic concepts of the iOS platform and the Swift language, and a good starting point is to check Apple’s resources for developers and the iOS developer library and read the guide on how to start developing iOS apps (although it’s written with Objective-C). To learn Swift you can read the guide to the Swift language, or if you like books there’s also The Swift Programming Language book.

You can also start learning iOS development with several free or paid online courses. Coding with Chris’s “how to make an iPhone app” series of videos is a good starting point, although it’s designed for people who have no programming experience. It provides a nice overview of the tools and how to start developing. You can also follow App Development: Teaching Swift by Apple Education with code examples, or if you have the money and need a diploma see the Udemy course for iOS developers or Udacity’s iOS developer Nanodegree.

It’s also good to read the Human Interface Guidelines for iOS-based devices, although the guidelines don’t provide any practical examples. It’s a good resource for learning how iOS applications should work; it tells you how your app should look and behave and how to use the UI elements that UIKit provides. As I have done apps for Sailfish OS, it was good to adapt my thinking to see things the iOS way.

In practice the best way to learn is to just write code and experiment. Getting to know Xcode and Interface Builder takes some time. After using Eclipse and IntelliJ IDEA for Java development, both Xcode and Apple’s graphical UI editor are somewhat confusing at first.

There are also a couple of iOS development newsletters to follow: iOS Dev Weekly and This Week In Swift. The In depth Mac and iOS articles archive is also a good resource.

And if you’re using IRC there’s the #cocoa-init channel on irc.freenode.net, focused on asking and answering questions for beginning developers on iOS and OS X. For more general iOS development you can join the #iphonedev channel on irc.freenode.net. To join them you need to register your nick.

Development in practice

Basic tools

For iOS development your tool options are somewhat limited, as you need a Mac computer running OS X (10.9.4 or later) to be able to run Apple Xcode and the iOS SDK. The other option is to use JetBrains AppCode (99 €), which is better (from what I’ve understood). Xcode can be installed from the Mac App Store and comes with the iOS SDK. Also, although you can run your applications in the iOS Simulator, it helps to have a real device, which helps you understand how apps interact with users and what the look and feel should be. The documentation and examples get you far, but nothing beats first-hand experience of the platform.

I found it beneficial to watch e.g. the Coding with Chris “how to make an iPhone app” series of videos for getting around the Xcode development environment.

Xcode and UI builder

Developing for iOS

iPhone applications can be written with Objective-C or with the newer Swift programming language. Objective-C is built on top of the C programming language and provides object-oriented capabilities and a dynamic runtime. Swift, on the other hand, can be described as Objective without the C; it is a replacement for the Objective-C language and works side by side with it. Wikipedia has a good short description of Swift.

Although Swift is relatively new and, from what I’ve read, isn’t quite as robust as Objective-C, it’s a good starting point for developing iOS apps. Having used some Objective-C for OS X apps, I wouldn’t recommend it to anyone who doesn’t actually need it.

iOS platform

Apple’s operating system for iPhone, iOS, provides many frameworks for developers, and as a developer you have to decide which version to target as it affects your application and its capabilities. Apple’s iOS developer page provides a short overview of what it has to offer. The current version is iOS 8 and, among others, Shinobicontrols has written the iOS 8 Day by Day eBook, which consists of 39 blog posts covering the most significant features available to developers in iOS 8.

As a developer you have to choose which version of iOS you target and whether your app is universal or only for iPhone or iPad, as it affects your code and potential users. Do you need the new features in iOS 8 or is iOS 7 enough, and is it worth making solutions fit both versions? And do you need a different user interface for the bigger screen of the iPad or is a universal version enough? iOS 8 is supported on the iPhone 4s or newer and on newer iPads, and from what I read about 72% of devices are using iOS 8 and 25% are on iOS 7. So, I think it’s enough to target iOS 8 as it gives you more options for how to implement your app.

Developing with Swift

The best way to get to know Swift is to just read some code, watch tutorials and of course write code. To learn Swift you can read the guide to the Swift language, and on YouTube you can watch e.g. the rm2kdev series about Swift, starting from the basics and including an example of doing a To Do List app.

One nice element of the Swift system which helps you get the hang of it is its ability to be cleanly debugged and run within the development environment, using a read–eval–print loop (REPL). It gives you interactive properties more in common with the scripting capabilities of Python than with traditional systems programming languages. It’s useful to play with Swift in an Xcode Playground and see what your code does.

Knowing the Swift language is just one part; the bigger part, in my opinion, is knowing how to use the UI elements that UIKit provides to create a good user experience. When I started developing my app with Swift, the majority of my time went into figuring out how to construct the user interface with the Xcode UI builder and what the elements should be, not actually writing much code in Swift. The User Experience section in the iOS Developer Library and UI Elements in the iOS Human Interface Guidelines provide good starting points for reading about user experience, but they don’t help you much with coding, especially when the sample code is in Objective-C. Basic UI elements like “pull to refresh”, “swipe between views”, “split view” and “slide-out navigation” are more easily found by googling.

We all have our own ways of learning a new platform and programming language, and I find it beneficial to just create small applications that experiment with different concepts and interactions. I’m gathering my own experiments with iOS technologies on GitHub and building a news reader application for High.fi on the way.

So, what are you waiting for? Download Xcode and start developing your own app for iOS :)

Notes from Owasp Helsinki Chapter Meeting 27

Security is an important part of software development and often it doesn’t get enough attention, or developers don’t know enough about it. I have been following Troy Hunt on Twitter for some time and as he was coming to Owasp Helsinki Chapter Meeting #27 it was a great opportunity to hear about application security first hand, especially about hacking yourself first. The event was held at the Life Science Center in Keilaranta and although it didn’t provide much new information about security and how to protect against hackers, it was a nice event. The event consisted of two talks presented by Troy Hunt: 50 Shades of AppSec and Hack yourself first.

50 Shades of AppSec

50 Shades of AppSec

The first talk was “50 shades of appsec” which covered a broad spectrum of what’s happening in our industry and how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy covered everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.

There were some nice bad examples of how not to do things and hilarious examples of how even criminal masterminds are fallible: asking questions on StackOverflow with an account tied to your real identity, or taking a photo with an iPhone and not clearing the EXIF data (which has location info).

“50 Shades of AppSec” talk didn’t provide much new information which I wouldn’t have read from Twitter or other news sources but was entertaining anyways. Good presentation matters.

Hack yourself first

If you’re protecting applications against attacks it’s good to know how attackers can exploit your application’s security holes. Online attacks against websites have accelerated quickly and the same risks continue to be exploited. These are often easily identified directly within the browser; it’s just a matter of understanding the vulnerable patterns to look for.

Troy Hunt’s “Hack Yourself First” talk was about developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does. It looked at website security from the attacker’s perspective and at how common risks in a vulnerable web application are exploited. As usual the issues were quite basic and could be easily identified and fixed with the right knowledge and tools like Havij and Fiddler.

One interesting example was using Fiddler to proxy your device’s traffic and look at how the remote server communicates with it, even decrypting HTTPS. You can e.g. edit the request and response and change the values sent to the mobile app. One example is to change the value for admin and see whether the mobile application validates it on every request, or whether you really get admin rights to the application or service. A practical example was capturing the traffic sent to the British Airways mobile app and seeing the password list for free WiFi.

Or is it?

The second interesting example was about using the WiFi Pineapple to trick devices into connecting to a “known” wireless network and then capturing its traffic. Did you know that devices broadcast the SSIDs they have previously connected to? With devices like the Pineapple you can easily see them and then do some magic.

WiFi Pineapple and captured SSIDs.

Q & A and afterwords

Views from Life Science Center Sauna

The questions and answers section was quite active as security is an interesting topic. There were good questions like: how do you verify the companies you use, e.g. if you’re using Freedome from F-Secure? It’s about choosing the least risky option. Better than airport WiFi without a VPN. You don’t really know.

Another interesting topic was how security people don’t understand development and developers don’t understand security. It’s about working together and not just security people saying “There are vulnerabilities, fix those.” More cooperation would be better, and it needs support from higher up to work.

Afterwards the event had reserved the sauna on the 7th floor, which also provided nice views over Laajalahti and some refreshments. Time to network and try to make small talk, although I’m not the most social person. I wasn’t surprised that Troy didn’t join us in the sauna, but it was nice that he had some time to talk in the lounge.

I didn’t get the Owasp sticker but I got some crafty swag from Nixu, and Troy also provided a one-month free pass for Pluralsight, which has courses to educate yourself.

One of the crafty takeaways from the event: a camera cover sticker for the laptop. Who is paranoid about infosec?

It will be a busy month after this to see all the Pluralsight courses.

Thanks to the organizers and the event sponsor Nixu. It was nicely noticed that Hunt was in Europe, and good to get him to talk about security. I also got a ride home with some good tips about restaurants in Tallinn, which was nice. Thumbs up.

Disabling Derby in Oracle WebLogic 12c

Oracle WebLogic has some interesting traits that help frustrate developers. From WebLogic 10.3.4 and above the Apache Derby Database is included in the installation. That’s fine, but from the 12.1.2 release it also starts automatically, which is usually unwanted, useless and a waste of resources. Previous versions of WebLogic didn’t automatically start the Derby database.

Fortunately you can disable it, as basically there is a simple IF statement in the “$WL_DOMAIN_HOME$\bin\setDomainEnv.cmd” file:

@REM Set DERBY_FLAG, if derby is available.
 
if exist %WL_HOME%\common\derby\lib\derby.jar (
    set DERBY_FLAG=true
)

If you want to prevent Derby from starting you have three options:

  • Rename “derby.jar” to something else
  • Delete the IF statement from start-up script
  • Set the DERBY_FLAG to false in the startWeblogic.cmd script

I couldn’t find Oracle’s documentation about Derby in WebLogic, but those options seem to work. I prefer the third option, which is quite easy to configure. (via Oracle Community)

In my “$WL_DOMAIN_HOME$\bin\startWebLogic.cmd” I added:

...
@REM Call setDomainEnv here.
 
@REM Disabling Derby
set DERBY_FLAG=false
...

Book: Real World Java EE Night Hacks

Reading software development related books can be said to be unnecessary, as all the information can also be found on the Internet, but sometimes it’s easier to read all the related topics in one place. Adam Bien’s “Real World Java EE Night Hacks: Dissecting the Business Tier” is a book which walks through best practices and patterns used to create a Java EE 6 application and covers several important topics, from architecture to performance and from monitoring to testing. The book has 167 pages with source code, so the topics are more about getting the idea than explaining them thoroughly. So if you’re new to Java EE 6 and patterns this book is for you. It gets you started and gives you topics to research further.

Real World Java EE Night Hacks

“Real World Java EE Night Hacks” walks through best practices and patterns used to create a real world Java EE application called “X-ray”. It’s a high-performance blog statistics add-on for Apache Roller which is built with “vanilla” Java EE 6. It tells you about the core principles of Java EE like EJB 3.1, CDI, JPA, JTA, JAX-RS, Dependency Injection, Convention over Configuration, interceptors and transactions, and binds them together in the “X-ray” application with source code to follow. The book is also more than just Java EE as it covers concepts like unit and integration testing, performance measuring and monitoring, continuous integration, real-time monitoring, timers and batch processing.

The book is easy to read, although it isn’t for beginners as it requires you to know the Java jargon and the main topics of Java EE. The book covers all the important topics regarding what you would need to know when building a Java EE application, but doesn’t explain or cover them thoroughly. It’s understandable, as you would need more than one book to go through them all in sufficient detail. It’s more about telling you that there are these kinds of things to consider and how to apply them in a Java EE application. It’s a starting point for your own research. It would’ve also been nice to have more pictures and diagrams in it.

Overall, “Real World Java EE Night Hacks” is a decent book about implementing Java EE concepts and application architecture with best practices and patterns, but it still feels a bit meager, especially as the example isn’t the kind of application you would first think of as a Java EE application.

WordPress theme development with Vagrant on OS X

Developing WordPress themes requires you either to have a remote machine with the needed software or to install e.g. PHP and MySQL on your local machine. Although setting up the development environment (LAMP stack) on OS X is quite easy, there’s also a better option: separate it from your machine and make it more like it is on a hosting provider. For that it was time to get to know how Vagrant works and how to utilize it for WordPress theme development on OS X. This way you can also make separate environments for different projects. Here’s a short article to get you started.

In short: we set up Homebrew to install packages, VirtualBox will be used to run an Ubuntu Linux virtual machine, and then we will use Vagrant to start, stop and build the virtual machine from a Vagrantfile.

Setting up Vagrant for WordPress development

Step 0: Install Homebrew

We will use Homebrew to install the needed packages on OS X. Homebrew is the missing package manager for OS X.

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Step 1: Install VirtualBox

You can install Virtualbox manually or by using Homebrew.

$ brew cask install virtualbox

Step 2: Install Vagrant

Vagrant is software for creating and configuring lightweight, reproducible, and portable virtual development environments. It can be seen as a wrapper around virtualization software such as VirtualBox and around configuration management software such as Ansible, Chef, Salt or Puppet. Vagrant essentially builds virtual images from references (boxes) of a type of operating system with applications and dependent software.

You can install Vagrant from Vagrant site or by using Homebrew.

$ brew install Caskroom/cask/vagrant

Step 3: Vagrantfile for WordPress environment

To get started quickly we want to start with some premade Vagrantfiles and there are multiple choices for WordPress development.

One good choice could be WordPress Theme Review VVV, which also installs the Theme Unit Test data and other plugins to test your theme. Another simple option is to use Vagrantpress, which is a packaged development environment for developing WordPress themes and modules.

  • Clone the project, $ git clone https://github.com/chad-thompson/vagrantpress.git
  • Run $ vagrant plugin install vagrant-hostsupdater from command line
  • Rename the vagrantpress to the name you want for your project.
  • Navigate to the directory you just renamed.
  • Run the command $ vagrant up from the directory. It will ask for your password to set up the hostname.
  • Open your browser to http://vagrantpress.dev

Working with the environment

To log in to the local WordPress installation: http://vagrantpress.dev/wp-admin/. The username is admin, the password is vagrant.

Your WordPress installation files can be seen in the directory you created for the VagrantPress.

You can access phpMyAdmin: http://vagrantpress.dev/phpmyadmin/ with username wordpress, password wordpress.

Using Vagrant

Using Vagrant is quite simple and there’s a nice Getting Started guide. In short, there are a couple of commands you need. The virtual machine images are located in your home directory under ~/.vagrant.d/boxes.

To start or resume working on any project, to install every dependency that project needs, and to set up any networking and synced folders, type this in your project directory.

$ vagrant up

See your Vagrant virtual machines’ status.

$ vagrant global-status

You can ssh to your project’s machine running in Vagrant.

$ vagrant ssh

You can also ssh directly to Vagrant’s Linux. The password is vagrant, as is the root password.

$ ssh vagrant@127.0.0.1 -p2222

When you’re done working for the day to suspend your VM:

$ vagrant halt

When you’re done playing around, you can remove all traces of it. Note: it also removes all the changes you made to the virtual machine, like your WordPress settings and data.

$ vagrant destroy

If you ever have any issues with the VM, you should try to provision it with Puppet again.

$ vagrant reload --provision

As Vagrant is running the virtual machines with VirtualBox, you can also manage them and see their status by starting the VirtualBox GUI, or by using the following commands.

$ VBoxManage list runningvms
$ VBoxManage list vms
$ VBoxManage controlvm <uuid> poweroff
$ VBoxManage unregistervm <uuid>

Setting up Bower and Gulp in Windows

Doing things manually is fine once, but if you can automate things it’s better. With little tools you can speed up development and reduce recurring mundane tasks such as starting a project or setting up boilerplate code. I recently came across Bower, which is a package manager for the web. With Bower you can fetch and install packages from all over, and it takes care of finding, downloading and saving the stuff you’re looking for. The other interesting tool to help you get going is Gulp, which enables you to automate and enhance your workflow. Let’s see how to put things together on Windows; nothing special, just the steps to get you started.

Gulp tasks

Install Git

Bower needs Git to work, so first install Git if you don’t have it. I chose Git for Windows, which gives you a BASH emulation used to run Git from the command line, a graphical user interface for using Git, and shell integration.

Just click through the installation.

Install Node.js

Bower depends on Node.js and npm, so you need to get Node.js. Just download the installation package from the Node.js site and click through it.

Install Bower

After you have Node.js installed we can install Bower with npm. You might need to restart Windows to get all the path variables set up so npm can find them.

Open up Git Bash or the Command Prompt and install Bower globally by running the following command.

$ npm install -g bower

Once you have Bower installed you then can install packages and dependencies using these commands:

# Using a local or remote package
$ bower install <package>
 
# Using a specific version of a package
$ bower install <package>#<version>
 
# Search packages
$ bower search <package>

By default packages will be put in the bower_components directory, which can be changed if you prefer. If you want your packages downloaded into js/libs you can achieve this by creating a .bowerrc file:

.bowerrc

{
    "directory": "js/libs"
}

You can also create a bower.json file which allows you to define the packages needed along with their dependencies, and then simply run bower install to download the packages. In our example we set up a simple Backbone.js application which uses Bootstrap.

bower.json

{
    "name": "Foobar",
    "version": "0.1.0",
    "dependencies": {
          "jquery": "~2.0.3",
          "underscore": "~1.5.0",
          "bootstrap": "~3.3.2",
          "backbone": "~1.1.2"
    }
}

Our bower.json describes that we want some JavaScript libraries, and as we have defined the versions with ~ the installed version can be newer at the patch level, e.g. the jquery version can be anything from 2.0.3 up to but not including 2.1.0. Read more about the semantic versioner for npm.
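To make the ~ rule concrete, here is an added example in JavaScript, not part of Bower or of the bower.json above: a small checker that turns a tilde range into its lower and upper bounds, tests a version against it, and picks the highest matching candidate from a list the way a package manager does at install time. It goes a little beyond the page’s single case by also handling the shorter ~x.y and ~x forms of the same rule (as node-semver, which Bower uses, defines them). The dependency list is the page’s; the jquery candidate versions are constructed for the example.

```javascript
// Added example, not Bower's own resolver: a minimal checker for "~" ranges
// following the node-semver tilde rule:
//   ~x.y.z  allows >= x.y.z and < x.(y+1).0   (patch-level updates only)
//   ~x.y    allows >= x.y.0 and < x.(y+1).0
//   ~x      allows >= x.0.0 and < (x+1).0.0

// Parse "2.0.3" into [2, 0, 3]; one to three numeric components are accepted.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error('bad version: ' + v);
  }
  return parts;
}

// Compare two parsed versions component by component; missing components
// count as 0. Returns -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The [lower, upperExclusive] bounds a tilde range implies.
function tildeBounds(range) {
  if (!range.startsWith('~')) throw new Error('not a tilde range: ' + range);
  const p = parseVersion(range.slice(1));
  const lower = [p[0], p[1] || 0, p[2] || 0];
  const upper = p.length === 1 ? [p[0] + 1, 0, 0] : [p[0], p[1] + 1, 0];
  return [lower, upper];
}

// True when version lies inside the tilde range.
function satisfiesTilde(version, range) {
  const [lower, upper] = tildeBounds(range);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Pick the highest candidate inside the range, or null when none matches.
function resolveTilde(range, candidates) {
  const ok = candidates.filter((c) => satisfiesTilde(c, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// The dependencies from the bower.json above, and a constructed list of
// versions a registry might offer for jquery.
const deps = { jquery: '~2.0.3', underscore: '~1.5.0', bootstrap: '~3.3.2', backbone: '~1.1.2' };
const jqueryCandidates = ['2.0.2', '2.0.3', '2.0.9', '2.1.0', '2.1.4', '3.0.0'];
```

Note what the range implies for reproducibility: two developers running bower install a week apart can get different code for the same bower.json, because whatever the registry offers inside the range at that moment wins. If a build has to be repeatable, pin exact versions or check the resolved packages in.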

Now after creating that file inside the app directory you can run the following command:

$ bower install

After that you should see all your JavaScript packages under the bower_components folder.

Install Gulp

To automate and enhance your workflow you can use Gulp, for example to copy the files where you want them. There are nice recipes showing how to benefit from Gulp.

Install Gulp globally with npm:

$ npm install --global gulp

Install Gulp also in your project devDependencies:

$ npm install --save-dev gulp

Now we can set up our Gulp dependencies, which are pulled from npm. Create a new package.json file in your project root, just add an empty object, {}, and save it.

Next we install gulp-bower plugin which we can use to install Bower packages.

$ npm install --save-dev gulp-bower

This will install all the needed dependencies in a node_modules folder and also automatically update our package.json file with these dependencies.

Finally we need to set up the gulpfile.js which defines the tasks we want to perform. First we require what we installed in the npm step above and create a config object to hold various settings; bowerDir is just the path to bower_components. Then we add a task for running bower and a default task. Our bower task basically runs bower install, but by including it in the gulpfile other contributors only have to run gulp bower to have all the packages set up and ready.

gulpfile.js

var gulp = require('gulp'),
    bower = require('gulp-bower');
 
// Settings shared by the tasks; bowerDir is where Bower puts the packages.
var config = {
    bowerDir: './bower_components'
};
 
// Runs "bower install" and writes the packages to config.bowerDir.
gulp.task('bower', function() {
    return bower()
        .pipe(gulp.dest(config.bowerDir));
});
 
// Plain "gulp" runs the bower task.
gulp.task('default', ['bower']);

The default task runs the bower task, and all the user has to do to set up the needed packages is to run

$ gulp

In our case running gulp just runs our bower task which downloads the JavaScript packages we need. Pretty simple.

Gulp is a powerful tool and has many use cases, but it also needs some work to get everything working the way you want, and even then you might need to make compromises. One crafty task for Gulp and Bower is to customize your Bootstrap theme. Mark Goodyear has also written a good article about Getting started with gulp which shows some typical use cases.

Essential IntelliJ IDEA keyboard shortcuts

Recently I switched from Eclipse to IntelliJ IDEA, as our Java EE application’s front-end was done with JavaScript and the support for front-end technologies in Eclipse is more or less non-existent. The switch wasn’t easy for a long-time Eclipse user, as IDEA works a bit differently, but the change was worth it. The biggest difference in daily work with the IDE is the shortcuts, which are quite different in IDEA. In theory you can use the Eclipse keymap for shortcuts, but it just doesn’t work like it should, and in practice you have to learn the IDEA way. There are many posts on the Internet about keyboard shortcuts in IDEA, but there’s always room for more :) So, here’s my list of shortcuts to keep in your finger memory.

Learn keymap with Key Promoter

To learn your way around IntelliJ IDEA’s keyboard shortcuts there’s a nice “Key Promoter” plugin to train yourself. It prompts you whenever you use the mouse when you could’ve used the keyboard instead (similar to Eclipse’s Mousefeed).

To install the plugin:

  1. Ctrl+Alt+S to pull up the Settings screen
  2. Filter on “plugin”. Click “Plugins”, then “Browse Repositories” at the bottom
  3. Filter on “key promoter”
  4. Double click to install
Essential IntelliJ IDEA keyboard shortcuts

IntelliJ IDEA keymap

You may be tempted to just go with the Eclipse keymap, but it’s better to learn the IDEA way although it’s quite irritating at first. You should also change some default IDEA keyboard shortcuts to better ones, like “close editor window”, which is Ctrl+F4 by default and too cumbersome compared to the de facto Ctrl+W, and “comment current line or selection”, which is Ctrl+/ by default and impossible on Finnish keyboards, to Ctrl+7.

If you want to know how Eclipse shortcuts map to IDEA there’s a nice post about IntelliJ IDEA shortcuts for Eclipse users, and I added some to my list.

Recently viewed or edited files: CTRL + E / CTRL + SHIFT + E
Shows you a popup with all the recent files that you have opened or actually changed in the IDE. If you start typing, you can filter the files.

Go to class or file: CTRL + N / CTRL + SHIFT + N
Allows you to search by name for a Java file in your project. Combined with SHIFT it searches any file, and adding ALT on top of that it searches for symbols. (Eclipse: Ctrl+Shift+T and Ctrl+Shift+R)

Find and replace in path: CTRL + SHIFT + F / CTRL + SHIFT + R
Allows you to find or replace in files. (Eclipse: Ctrl+H)

Incremental find: F3 / CTRL + L
When using CTRL + F to find in the current file, F3 lets you loop through the results. (Eclipse: Ctrl+K)

Delete line: CTRL + Y
Deletes the current line under the cursor. Yank it. (Eclipse: Ctrl+D)

Go to line: CTRL + G
Go to the given line number. (Eclipse: Ctrl+L)

Syntax aware selection: CTRL + W
Allows you to select code with context. Awesome when you need to select large blocks or just specific parts of a piece of code.

Complete statement: CTRL + SHIFT + ENTER
This will try to complete your current statement. How? By adding curly braces, or a semicolon and a line change.

Smart type completion: CTRL + SHIFT + SPACE
Like auto complete (CTRL + SPACE), but adding SHIFT gives you smart completion: the IDE tries to match expected types that suit the current context and filters out all the other options.

Reformat source code and optimize imports: CTRL + ALT + L
Allows you to reformat source code to meet the requirements of your code style. Lays out spacing, indents, keywords etc. Reformatting can apply to the selected text, the entire file, or the entire project.

Quick fix: ALT + ENTER
Gives you a list of intentions applicable to the code at the caret. (Eclipse: Ctrl+1)

Paste one of the previous values from the clipboard: CTRL + SHIFT + V
Shows you a dialog to select a previous value from the clipboard to be pasted.

Comment or uncomment line or block: CTRL + 7 / CTRL + SHIFT + 7
Allows you to comment or uncomment the current line or selected block of source code. This is originally Ctrl + / (slash), which is impossible with Finnish keyboard layouts.

Show diff (in Changes): CTRL + D
In the Changes tab, compares the file with the latest repository version.

Highlight usages: CTRL + SHIFT + F7
Place the cursor in an element and after pressing the shortcut the IDE will highlight all the occurrences of the selected element.

Go to declaration: CTRL + B
If you place the cursor in a class, method or variable and use the shortcut, you will immediately jump to the declaration of the element.

Navigate between methods: ALT + UP/DOWN arrows
Jump between methods.

Refactoring string fragments: CTRL + ALT + V
Refactor a hardcoded string into a variable/field/constant. Select the section of the string you want to extract, and use the normal “Extract…” shortcuts to extract it into a variable.

Other useful keyboard shortcuts

There are many useful keyboard shortcuts and you can print them from Help > Default Keymap Reference. Here are some more shortcuts which are also handy.

Update application: CTRL + F10
Current file structure: CTRL + F12
Bookmarks: F11 and SHIFT + F11
Generate getters & setters (in editor): ALT + INSERT
Create New … (in project navigator): ALT + INSERT
Refactor – Rename: SHIFT + F6
Open Settings: CTRL + ALT + S
Duplicate line: CTRL + D
Move line: CTRL + ALT + UP / DOWN
Find command: CTRL + SHIFT + A
Show usages in a pop-up list: CTRL + ALT + F7
Extract variable/method/constant/field: CTRL + ALT + V/M/C/F
Quick JavaDoc popup: CTRL + Q
Tab switcher: CTRL + TAB
Jump to project navigator: ALT + 1
Jump back to last tool window/panel: F12
Jump to beginning/end of block (e.g., method start/end): CTRL + [ and CTRL + ]
Toggle uppercase/lowercase of selection: CTRL + SHIFT + U
Toggle collapse/expand: CTRL + .
Toggle full screen editor (hide other tool windows): CTRL + SHIFT + F12

Not a keyboard shortcut exactly, but the “iter” live template is great. If you want to iterate through something using a for loop, type “iter” and then TAB to use the live template. It will figure out the most likely variable you want to iterate over and generate a for loop for it. In Eclipse it worked more logically with just typing for and then autocomplete.

Year in review

The year 2015 is almost here, so it’s time to take a short review of what I wrote this year and plan for the next. In 2014 I managed to write almost monthly and got together a total of 14 articles covering topics of software development, WebLogic issues, Sailfish OS, user experience and gadgets. Last year I planned to write one post per month and on average I got there. I have to be satisfied with it, although I could write more.

Looking back

During the past couple of years I have taken part in Fujitsu’s campaigns, testing their laptops and tablets, and last year I took part in the Master your Business project and tested the Lifebook U904 Ultrabook. It’s a slim and quite robust laptop with a brilliant touch screen, although it could benefit from a better design regarding cooling. In autumn I was invited to visit Fujitsu Forum in Munich to hear more about Fujitsu’s services and get insights about what’s new in information technology. The article from the event is still on my draft list. It was a nice trip and great to see other bloggers and the project team. In other gadget related topics I also solved my problem with connecting a Jabra HALO2 headset to Windows 7. I just had to update the Bluetooth drivers in my Dell.

As a software developer I decided to challenge myself last year with developing applications for mobile phones and started with Sailfish OS, which runs on Jolla. With Qt, QML and JavaScript it was fun and relatively easy to make useful apps like Sailimgur for browsing imgur and Haikala for reading high.fi news. I also made the Colordots game, which I ported from Ubuntu Touch. I planned to write more about how to develop apps for Sailfish OS but only got around to covering Sailfish OS user interface design practices and, in more technical detail, how to debug power consumption issues.

At work I do different kinds of software development related tasks and it’s good to write about the issues I find and how to solve those, like how to use X11 forwarding in Windows when I needed to install Oracle Database to Linux server. I also wrote about Oracle WebLogic related issues like how to recover managed server in incompatible state and what’s wrong with LDAP provider getting stuck.

Developing Java EE applications involves many tools, and one of them is Maven, which works quite fine for us. E.g. you can use the WebLogic Maven plug-in to deploy your application and make your own plugins to generate HTML documentation from Markdown. And if you want to distribute your project’s artifacts to the world you can put them in Maven Central with OSSRH.

I have been following Atlassian’s Sven Peter on Twitter about how to do software development better, so it was great to finally hear the talk live when Atlassian’s Get Git Right landed in Helsinki. It was a nice event, although it also had a marketing aspect about Atlassian’s tools. Nice tools, but sometimes the cost is too much. Now I just hope we move from Subversion to Git someday.

I also wrote a short article about using Java Mission Control to monitor and profile your Java application. Too bad it’s really useful only with newer JDKs, so legacy apps have to use other means like JavaMelody or New Relic. I also took a short look at stagemonitor but didn’t write about it yet. It looked quite nice for monitoring but not as easy to set up as JavaMelody. Spring Boot also has nice statistics out of the box, but more about that next year.

Planning for 2015

As you may have noticed I’m not a very active writer and technical topics take time to get out from draft to a full article. In the past three years I have managed to write on average one article per month and it seems to be a good target to pursue. Why change something that works quite fine?

For the coming year, looking at the blog’s draft folder there are posts about Sailfish OS and Windows Phone development, software monitoring, setting up continuous integration, utilizing PaaS and starting with Spring Boot. I should just stop starting and start finishing my personal projects so I could add the finishing touches to the drafts.

So, stay tuned and subscribe to the RSS feed or follow me on Twitter. Check also my other blog in Finnish.