Avoiding JVM delays caused by random number generation

The library used for random number generation in Oracle’s JVM relies on /dev/random by default for UNIX platforms. This can potentially block the WebLogic Server process because on some operating systems /dev/random waits for a certain amount of “noise” to be generated on the host machine before returning a result.

Although /dev/random is more secure, it’s recommended to use /dev/urandom if the default JVM configuration delays WebLogic Server startup. To determine if your operating system exhibits this behaviour, try displaying a portion of the file from a shell prompt: head -n 1 /dev/random

If the command returns immediately, you can use /dev/random as the default generator for JVM. If the command does not return immediately, use these steps to configure the JVM to use /dev/urandom:

  1. Open the $JAVA_HOME/jre/lib/security/java.security file in a text editor.
  2. Change the line “securerandom.source=file:/dev/random” to read: securerandom.source=file:/dev/./urandom
  3. Save your change and exit the text editor.

Note that because of a bug in the JDK, plain /dev/urandom is not honoured: you have to write the path as /dev/./urandom.

You can also set the system property java.security.egd, which overrides the securerandom.source setting:
-Djava.security.egd=file:/dev/./urandom
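The check and the java.security edit above, as an added POSIX shell example (not part of the original post). It assumes coreutils' timeout for the blocking probe, and the java.security content it edits is a constructed sample, not a real JDK file.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the procedure above:
#   random_source_blocks     - does a 1-byte read from /dev/random stall? (needs coreutils 'timeout')
#   get_securerandom_source  - print the active securerandom.source value from a java.security file
#   set_urandom_source       - rewrite that value to file:/dev/./urandom, keeping a .bak copy

# Return 0 if the read did not finish within 2 seconds (the JVM would stall the same way).
random_source_blocks() {
    if timeout 2 head -c 1 /dev/random >/dev/null 2>&1; then
        return 1    # returned promptly: the default generator is fine
    fi
    return 0        # stalled: point the JVM at /dev/./urandom instead
}

# Only the uncommented line counts; a leading '#' means the JDK ignores it.
get_securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source=//p' "$1" | tail -n 1
}

# The "/dev/./urandom" spelling is deliberate: plain /dev/urandom is treated
# like /dev/random by older JDKs (the bug the post mentions).
set_urandom_source() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    cp "$file" "$file.bak"
    sed 's#^\([[:space:]]*securerandom\.source=\).*#\1file:/dev/./urandom#' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    # verify the edit actually took effect before trusting it
    [ "$(get_securerandom_source "$file")" = "file:/dev/./urandom" ]
}

# Constructed sample with the relevant lines of a java.security file (not a real JDK file).
make_sample_java_security() {
    cat > "$1" <<'EOF'
# Select the source of seed data for SecureRandom (constructed sample)
#securerandom.source=file:/dev/urandom
securerandom.source=file:/dev/random
keystore.type=jks
EOF
}
```

Run random_source_blocks first; only if it returns 0 is there a reason to call set_urandom_source on $JAVA_HOME/jre/lib/security/java.security.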

Build secure Web applications by reading Iron-Clad Java

Building secure Web applications isn’t easy and involves many aspects that the development team has to consider and take into account. The book “Iron-Clad Java: Building Secure Web Applications” is a good starting point for learning the concepts, tactics, patterns and anti-patterns needed to develop, deploy and maintain secure Java applications. With 304 pages the book is more about getting an overview and pointers for further reading and research, but it works quite nicely in that regard.

“Iron-Clad Java: Building secure Web applications”

As the name suggests, “Iron-Clad Java: Building Secure Web Applications” by Jim Manico and August Detlefsen is targeted at Java developers, and it is also suitable reading for less technical people in the team, like project managers and managers, as it doesn’t go too deeply into technical aspects or code. After reading the book even the managers should have an appreciation of security and the vocabulary to discuss it with their staff. The reader should get a solid understanding of what is wrong with many web apps in general and what corrective measures to take to mitigate the issues. The book was published in September 2014 and has 304 pages (ISBN-13: 978-0071835886).

The book covers topics like secure authentication and session management processes, access control design, defending against cross-site scripting (XSS) and cross-site request forgery (CSRF), protecting sensitive data while stored or in transit, preventing SQL injection, ensuring safe file I/O and upload, using effective logging, error handling and intrusion detection methods, and also a guide to the secure software development lifecycle (secure-SDLC). The topics combine theory and practice so that they are approachable for developers new to security or a little inexperienced, while still providing useful nuggets for experienced developers.

For better or worse, the book gives somewhat opinionated answers about which techniques and tools you can use to address security issues, but overall the advice is solid and unbiased, and more or less framework agnostic. So the lessons learned should apply to any project. For me, writing examples with e.g. JSP and Struts makes me question whether the other tools the book suggests (which I wasn’t familiar with) are also suitable for modern Java EE application development. Something to look into after reading the book. Also, OWASP seemed to have an answer to almost every security aspect.

Anyway, the book’s advice isn’t about using certain technologies but about giving you something to think about and educating you on the security aspects of your Java Web application. What matters is that the book explains why you need to implement a specific control for a given issue, how you could do it and what the impacts are. This is what many security professionals miss when speaking to developers. The book tells you what the security problem is and then why and how you should fix it, so it makes sense to developers.

Taking care of Web application security isn’t just for architects and developers; it’s a topic whose importance the whole team should know and understand. “Iron-Clad Java: Building Secure Web Applications” gives a good overview of security and is suitable for the whole development team to read.

Monitor and profile application with Java Mission Control

Monitoring Java applications can be done with different tools, and with the JDK you get one good tool for it: Java Mission Control. Java Mission Control and Java Flight Recorder together form a complete tool chain to continuously collect low-level and detailed runtime information, enabling after-the-fact incident analysis. Starting with Oracle JDK 7 Update 40 (7u40), Java Mission Control (JMC) is bundled with the HotSpot JVM. Let’s take a short look at what those tools are.

“Java Flight Recorder is a profiling and event collection framework built into the Oracle JDK. It allows Java administrators and developers to gather detailed low level information about how the Java Virtual Machine (JVM) and the Java application are behaving. Java Mission Control is an advanced set of tools that enables efficient and detailed analysis of the extensive data collected by Java Flight Recorder. The tool chain enables developers and administrators to collect and analyze data from Java applications running locally or deployed in production environments.” (Oracle, Java Mission Control)

Java Mission Control and Java Flight Recorder are commercial features, which are available as part of the Oracle Java SE Advanced product. They are freely available for download for development and evaluation purposes, as per the terms in the Oracle Binary Code License Agreement, but require an Oracle Java SE Advanced license for production use.

Using Java Mission Control

Oracle Java Mission Control is a tool suite for managing, monitoring, profiling and troubleshooting your Java applications, and it consists of the JMX Console and the Java Flight Recorder. To get a good overview of how you can use Java Mission Control, check the Java Mission Control demo video. The JMC client is built on Eclipse and is based on the features of the old JRockit Mission Control.

The JMX Console enables you to monitor and manage your Java application and the JVM at runtime, but the main and most important feature is the Flight Recorder. Java Flight Recorder (JFR) records the behavior of the JVM at runtime, and you can analyze the recording offline using the Java Flight Recorder tool. They say that the overall profiling overhead for your applications stays at less than 2%, usually much less.

Starting with Oracle JDK 7 Update 40 (7u40) it’s bundled with the HotSpot JVM, and although you can connect it to older JDKs, like an application running on JDK 6, the newer ones show more information and have more features. So no real fun with legacy applications. The Flight Recorder needs at least JDK 7 Update 40.

Start JMC from the Windows command prompt:
"c:\Program Files\Java\jdk1.8.0_20\bin\jmc.exe"

Java Mission Control can be connected to a local or remote Java application. Start your application with the following Virtual Machine flags, which enable JMX remote without authentication and Mission Control:

-Dcom.sun.management.jmxremote 
-Dcom.sun.management.jmxremote.port=8999 
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false 
-XX:+UnlockCommercialFeatures 
-XX:+FlightRecorder

If you’re using WebLogic, the JMX Remote settings are the following:

-Djavax.management.builder.initial=weblogic.management.jmx.mbeanserver.WLSMBeanServerBuilder
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-XX:+UnlockCommercialFeatures
-XX:+FlightRecorder

JMC does not include or run with a security manager, so you must make sure to run the JMC client in a secure environment.
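The flags above turn off both JMX authentication and SSL, so anyone who can reach port 8999 gets full MBean access to the JVM. As an added example (not from the original post), here is a small POSIX shell audit of a JVM option string, as you would pull it from a process listing, that flags those settings. The hardened option set is an assumption of this example: authenticate=true with a password and access file (placeholder paths), ssl=true, and rmi.port pinned so the listener can be firewalled.

```shell
#!/bin/sh
# Added example, not from the original post: audit a JVM option string for the
# remote JMX settings shown above. Remote JMX is only active when jmxremote.port
# is set; authenticate and ssl default to true, so only an explicit "false" is flagged.

# Print the value of the -D property named $1 from the option string $2 (empty if absent).
jmx_opt() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^-D$1=//p" | tail -n 1
}

# Return 0 when the options are acceptable, 1 otherwise; findings are printed to stdout.
audit_jmx_opts() {
    opts="$1"
    rc=0
    port=$(jmx_opt com.sun.management.jmxremote.port "$opts")
    [ -n "$port" ] || return 0    # no remote listener configured: nothing to audit
    if [ "$(jmx_opt com.sun.management.jmxremote.authenticate "$opts")" = "false" ]; then
        echo "FINDING: port $port accepts JMX connections without authentication"
        rc=1
    fi
    if [ "$(jmx_opt com.sun.management.jmxremote.ssl "$opts")" = "false" ]; then
        echo "FINDING: port $port carries JMX/RMI traffic without SSL"
        rc=1
    fi
    if [ -z "$(jmx_opt com.sun.management.jmxremote.rmi.port "$opts")" ]; then
        echo "FINDING: rmi.port not pinned, the RMI listener lands on a random port and cannot be firewalled precisely"
        rc=1
    fi
    return $rc
}

# The post's WebLogic flags (constructed copy) and a hardened equivalent assumed here:
# authentication on with password/access files (placeholder paths), SSL on, RMI port pinned.
INSECURE_OPTS='-Djavax.management.builder.initial=weblogic.management.jmx.mbeanserver.WLSMBeanServerBuilder -Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -XX:+UnlockCommercialFeatures -XX:+FlightRecorder'
HARDENED_OPTS='-Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.rmi.port=8999 -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access -XX:+UnlockCommercialFeatures -XX:+FlightRecorder'

audit_jmx_opts "$INSECURE_OPTS" || echo "insecure set: rejected"
audit_jmx_opts "$HARDENED_OPTS" && echo "hardened set: accepted"
```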

After connecting JMC to your Java application, it opens a familiar Eclipse-based user interface. The JMX Console has a couple of tabs at the bottom which show Overview, MBeans, Memory and Thread information.

JMC: JMX Console Overview

JMC: JMX Console MBeans

JMC: JMX Console Memory

JMC: JMX Console Threads

The more useful tool for profiling your application is the Java Flight Recorder (JFR). In the Java Mission Control JVM Browser, right-click on the Java Virtual Machine for which you wish to start a Flight Recording.

Leave all the default settings and select the “Profiling – on server” template for your Event Settings. Just hit Finish at this point. You can also click Next to go to the higher-level event settings, which are groupings of named settings in the template. You can select how often you want JFR to sample methods by changing the Method Sampling setting.

The recording will be downloaded automatically and displayed in Mission Control. Click the Code tab group to start visualizing your Method Profiling Sample events. Switch to the Method Profiling tab to find a top list of the hottest methods in your application.

Too bad I don’t have a nice recording to show, but here are a couple of screenshots. A better overview of how to use Flight Recording can be seen in the Java Mission Control demo video.

JMC: Flight Recording

JMC: Flight Recording

JSF 1.2 and getting selected value from dropdown

JSF 1.2 has some weird features which you just have to know if you haven’t read the documentation. One example is getting a value from an h:selectOneMenu dropdown after an onchange event. The first thing that comes to mind is to use the binding attribute with RichFaces’ a4j:support for rerendering elements after the event, but it doesn’t work the way you would think. In some cases using the binding attribute works just fine, but as the binding attribute should refer to a request scoped bean property, not a session scoped one, you might get a “Duplicate id” error when switching pages back and forth.

Fortunately there is a valueChangeListener on h:selectOneMenu which you can trick into doing almost the same. It is executed during the Validations phase, before the “Update Model Values” phase, and is intended to give you a handle on both the old and the new value so that you can do some business logic based on the real change. However, you can use it to invoke actions on a dropdown change only by combining it with onchange="submit()" and immediate="true"; the selected value is then obtained with ValueChangeEvent#getNewValue(). (StackOverflow, BalusC)

For example:

Jspx:
<h:selectOneMenu value="#{fooBean.object.value}" 
	valueChangeListener="#{fooBean.statusChanged}" 
	onchange="submit()" immediate="true">
	<f:selectItem itemLabel="" itemValue=""/>
	<f:selectItems value="#{fooBean.selectValuesList}"/>
</h:selectOneMenu>
 
Java:
import javax.faces.event.ValueChangeEvent;
import org.springframework.util.StringUtils; // hasText(): non-null, non-blank check

public void statusChanged(ValueChangeEvent event) {
	// With immediate="true" this runs before the model is updated,
	// so the selected value must be read from the event, not the bean.
	if (event.getNewValue() != null &&
		StringUtils.hasText((String) event.getNewValue())) {
		// ... Do something with the new value
	}
}

The downside of using onchange="submit()" is that the whole form is submitted and validated, and you don’t get the same dynamic feeling as with a4j:support.

In JSF 2 things are easier, as you don’t need the valueChangeListener and can use the listener attribute of f:ajax instead.

Installing Sun JDK 1.6 on CentOS

CentOS doesn’t have a package for the Sun JDK, so it has to be installed manually. It’s fairly easy, but there are some steps to do. This guide has been tested on CentOS 5.4 x86_64.

Step 1. Initial setup for building RPM
-!- Do this with a non-root user

  1. Create ~/.rpmmacros
    • $ vim ~/.rpmmacros
      %_topdir /home//rpmbuild
      %_tmppath %{_topdir}/tmp
      
  2. Create needed folders:
    • $ mkdir -p ~/rpmbuild/{SOURCES,SRPMS,SPECS,RPMS,tmp,BUILD}
      
  3. Build environment needs to be complete. Some needed packages are:
    • $ sudo yum install -y rpm-build gcc gcc-c++ redhat-rpm-config
      

Step 2. Installing your favorite JDK

  1. Download Sun JDK 1.6 update 14 from Sun Java download or the Sun JDK archive.
    • Choose the correct platform (for me it’s Linux x64) and download jdk-6u18-linux-x64-rpm.bin
  2. Give it executable rights: $ chmod 755 jdk-6u18-linux-x64-rpm.bin
  3. Run the binary to extract it into RPM form: $ ./jdk-6u18-linux-x64-rpm.bin
  4. Install it:
    • $ sudo rpm -Uvh jdk-6u18-linux-amd64.rpm
      
  5. Log out and in again to make the changes in the paths take effect
  6. Check the install
    • $ java -version
      java version "1.6.0_18"
      Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
      Java HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)
      
  7. Java is now installed at /usr/bin/java

Using RichFaces 3 dataScroller and dataTable -components

RichFaces provides some nice AJAX components for JavaServer Faces, but the documentation and examples could be better. RichFaces has great documentation compared to some other frameworks, but it would benefit from a few more real-world, down-to-earth examples. So here is one example of using the RichFaces dataScroller and dataTable components with custom CSS styling, backing bean and JSF page snippets, using RichFaces 3.3.2.SR1 and JSF 1.2_12.

Using the RichFaces dataScroller and dataTable components has one big drawback: they work nicely when the amount of data is small, but when the row count reaches thousands they become sluggish or stop working. rich:dataScroller needs the complete data model loaded into memory and only displays part of it. Not very efficient if the row count exceeds 1000 or so.

Anyway, here is a real world example. The icons used in the dataScroller examples are from the Crystal Project Icons.

JSF page

<h:form id="myForm">
    <rich:dataScroller styleClass="dataScroller" id="scroller" 
        for="resultTable" maxPages="15" fastStep="3"
        renderIfSinglePage="false" immediate="false" 
        binding="#{backingBean.scroller}" page="#{backingBean.scrollerPage}">
        <f:facet name="first" >
            <h:graphicImage id="firstImage" styleClass="scroller" 
            url="images/crystal/tab_first.png" alt="first"/>
        </f:facet>
        <f:facet name="last">
            <h:graphicImage id="lastImage" styleClass="scroller" 
                url="images/crystal/tab_last.png" alt="last"/>
        </f:facet>
        <f:facet name="previous">
            <h:graphicImage id="prevImage" styleClass="scroller" 
                url="images/crystal/tab_left.png" alt="previous"/>
        </f:facet>
        <f:facet name="next">
            <h:graphicImage id="nextImage" styleClass="scroller" 
                url="images/crystal/tab_right.png" alt="next"/>
        </f:facet>
        <f:facet name="fastforward">
            <h:graphicImage id="ffImage" styleClass="scroller" 
                url="images/crystal/tab_fastf.png" alt="fast forward"/>
        </f:facet>
        <f:facet name="fastrewind">
            <h:graphicImage id="frImage" styleClass="scroller" 
                url="images/crystal/tab_fastr.png" alt="fast rewind"/>
        </f:facet>
        <f:facet name="first_disabled" >
            <h:graphicImage id="firstImage_d" styleClass="scroller" 
                url="images/crystal/tab_first.png" alt="first"/>
        </f:facet>
        <f:facet name="last_disabled">
            <h:graphicImage id="lastImage_d" styleClass="scroller" 
                url="images/crystal/tab_last.png" alt="last"/>
        </f:facet>
        <f:facet name="previous_disabled">
            <h:graphicImage id="prevImage_d" styleClass="scroller" 
                url="images/crystal/tab_left.png" alt="previous"/>
        </f:facet>
        <f:facet name="next_disabled">
            <h:graphicImage id="nextImage_d" styleClass="scroller" 
                url="images/crystal/tab_right.png" alt="next"/>
        </f:facet>
        <f:facet name="fastforward_disabled">
            <h:graphicImage id="ffImage_d" styleClass="scroller" 
                url="images/crystal/tab_fastf.png" alt="fast forward"/>
        </f:facet>
        <f:facet name="fastrewind_disabled">
            <h:graphicImage id="frImage_d" styleClass="scroller" 
                url="images/crystal/tab_fastr.png" alt="fast rewind"/>
        </f:facet>
        <f:facet name="controlsSeparator">
            <h:outputText id="sep" value=" " />
        </f:facet>
</rich:dataScroller>
 
<rich:dataTable styleClass="resultTable" id="resultTable" 
    rows="10" rowClasses=",odd"  columnClasses="col"  
    value="#{backingBean.resultList}" binding="#{backingBean.resultData}" 
    var="h" sortMode="multi">
    <rich:column sortBy="#{h.desc}">
        <f:facet name="header">
            <h:outputText value="description" />
        </f:facet>
        <h:commandLink value="#{h.desc}"
            action="#{backingBean.showRowData}">
            <f:param name="selectedRow" value="#{h.desc}" />
        </h:commandLink>
    </rich:column>
    <rich:column sortBy="#{h.value}">
        <f:facet name="header">
            <h:outputText value="value" />
        </f:facet>
        <h:outputText value="#{h.value}" />
    </rich:column>
</rich:dataTable>
</h:form>

Backing Bean

Create some variables for dataScroller and getters and setters for them:

import org.richfaces.component.html.HtmlDatascroller;

// RichFaces dataScroller variables (bound from the JSF page via binding="..." and page="...")
private HtmlDatascroller scroller = new HtmlDatascroller();
private String scrollerPage = "";

public HtmlDatascroller getScroller() { return scroller; }
public void setScroller(HtmlDatascroller scroller) { this.scroller = scroller; }
public String getScrollerPage() { return scrollerPage; }
public void setScrollerPage(String scrollerPage) { this.scrollerPage = scrollerPage; }

// Getting the clicked row's data (action="#{backingBean.showRowData}" on the commandLink)
public String showRowData() {
  MyDataModel current = (MyDataModel) getResultData().getRowData();
  // ... do something with current; return a navigation outcome, or null to stay on the page
  return null;
}

CSS styling

/* =RichFaces DataScroller
----------------------------------------------- */
.rich-datascr {font-size: 1.1em;border: 0;}
.rich-table-cell {font-size: 1.0em;}
.rich-table-sortable-header {font-size: 1.1em;font-weight: bold;}
td.rich-datascr-button {background-color: #fff;border: 0px solid #ccc;text-decoration: none;}
td.rich-datascr-button-dsbld {background-color: #fff;}
.rich-datascr-ctrls-separator {padding-right: 5px;}
.rich-dtascroller-table {background: #fff;border: 0;}
.scroller {display: block;background-color: #fff;border: 1px solid #ccc;padding: 3px 3px;margin: 0px 5px 5px 5px;text-decoration: none;}
.scroller:hover {background-color: #eee;}
td.rich-datascr-button-dsbld .scroller {background-color: #eee;}
td.rich-datascr-inact {font-size: 1.2em;color: #000;border: 0;}
td.rich-datascr-inact:hover {text-decoration: underline;}
td.rich-datascr-act {font-size: 1.2em;text-decoration: underline;}
td.rich-datascr-act {border: 0;font-weight: bold;}

Selecting all rows with JavaScript

Add a new column with a checkbox to the JSF page. We use JavaScript to loop through the input fields inside the element whose id ends with :tu.

<rich:column>
  <f:facet name="header">
    <h:panelGroup layout="block">
      <script type="text/javascript">
        //<![CDATA[
        // RichFaces datatable select-all checkbox: toggles every checkbox inside the
        // table element whose client id shares the prefix of the header checkbox's id
        function checkAllCheckboxesInTable( inputId, state ){
          var commonIdPart = inputId.substr(0, inputId.lastIndexOf(':'));
          var tableId = commonIdPart + ':tu';
          var tableElement = document.getElementById( tableId );
          if (!tableElement) { return; }
          var inputs = tableElement.getElementsByTagName('input');
          // i < inputs.length, not <=, or the last iteration reads past the collection
          for (var i = 0; i < inputs.length; i++){
            var input = inputs[i];
            if (input.getAttribute('type') == 'checkbox') {
              // set the property rather than the attribute so the rendered state follows
              input.checked = state ? true : false;
            }
          }
        }
        //]]>
      </script>
      <h:selectBooleanCheckbox id="t0" onclick="checkAllCheckboxesInTable( this.id, this.checked );">
        <a4j:support event="onchange" reRender="resultTable"/>
      </h:selectBooleanCheckbox>
    </h:panelGroup>
  </f:facet>
  <h:selectBooleanCheckbox id="t1" value="#{h.selected}" />
</rich:column>

Selecting all rows in the backing bean

You can also check all the checkboxes from the backing bean, but this has problems with table ordering: when the order of the list changes, the selection goes wrong.

Add a new column to the JSF page:

<rich:column>
  <f:facet name="header">
    <h:selectBooleanCheckbox id="t0" value="#{backingBean.selectedAll}" onclick="this.blur()">
      <a4j:support event="onchange" actionListener="#{backingBean.selectAll}" reRender="resultTable, t0, t1"/>
    </h:selectBooleanCheckbox>
  </f:facet>
  <h:selectBooleanCheckbox id="t1" value="#{h.selected}" />
</rich:column>

Add a new method to your backing bean:

import javax.faces.event.ActionEvent;

public void selectAll(ActionEvent event) {
	logger.info("*** backingBean.selectAll(): " + scrollerPage + " ***");

	// get the current scroller page (1-based; empty until the scroller has been used)
	int page = 0;
	if (scrollerPage != null && scrollerPage.length() > 0) {
	    page = Integer.parseInt(scrollerPage);
	}
	if (page != 0) {
	    page = page - 1;
	}
	int start = page * 10;          // 10 matches rows="10" on the dataTable
	int stop = (page * 10) + 10;
	if (stop > getResultList().size()) {
	    stop = getResultList().size();
	}
	logger.debug("> page: " + page + "; start: " + start + "; stop: " + stop);

	// check (or uncheck) the boxes on the active page only
	for (int i = start; i < stop; i++) {
	    logger.debug("> valitaan: " + i + "; " + selectedAll);
	    getResultList().get(i).setSelected(selectedAll);
	}
}