The Home Apps Blog
Creating a better home for the geek
homeapps · 7 years ago
i18n
Internationalization and localization are often cross-functional requirements in today’s modern apps that wish to reach out to a wider audience. While working on one of the office projects, I started to look up how we can externalize the messages displayed to the user rather than hardcoding them in code. Here are some of the most helpful links I have been able to gather so far:
http://www.baeldung.com/spring-boot-internationalization
https://gist.github.com/jonikarppinen/0d600b0c82edce890310
homeapps · 7 years ago
Hopping into RabbitMQ
So as a part of a pet project which has now evolved into something larger, I had to jump into the details of using RabbitMQ with Springboot. I am just going to throw in some links here that I followed and that gave me quite a bit of understanding on how to use it.
http://javasampleapproach.com/spring-framework/spring-amqp/springboot-rabbitmq-topic-exchange
https://projects.spring.io/spring-amqp/
https://hub.docker.com/_/rabbitmq/
https://spring.io/guides/gs/messaging-rabbitmq/
Will expand on some of these and other findings soon. Till then, adios amigos!
homeapps · 7 years ago
Cornered by CORS
I have been working for quite a few days on a pet project for the office now, to build a new platform of sorts, and for whatever reasons we had chosen Springboot and Reactjs with MySQL as the main stack for the project. For the authentication, we had decided to go with simple basic HTTP auth with Springboot JDBC backing it up. It all seemed to work quite well when set up and tested through the Postman tool. But all hell broke loose as we started integrating the ReactJS frontend with the Springboot backend.
Because springboot was running on localhost:8080 and the default test setup for the react js started the app on localhost:3333, a security feature called CORS kicked in, which at the time was totally unknown to me. 
To begin with, out of the box, Springboot was not even allowing for the so-called pre-flight request that the client was dispatching. I later learnt that these pre-flight requests are nothing but HTTP OPTIONS calls. So the first thing I tried was setting the following option in the application.properties file:
spring.mvc.dispatch-options-request=true
But that didn’t work so well as the browser was pretty stringent about the headers (Access-Control-*) present in the request and response messages. I was even confused if the issue was because of the client sending improper headers and even tried switching to axios from fetch, and this article here seemed to almost get me started with a proper setup. And this article almost complemented the setting up of the Authentication Entry Points (which I would later realize were not truly required).
However, after setting it up accordingly with axios, there were no errors at all, not even when the authentication was incorrect. So after a whole lot of hit and trial coding, I finally narrowed down on understanding the basics of what CORS is and how Basic HTTP Auth would work along with it and this stackoverflow link got me started. However, this article explained it in further depth. And this official springboot documentation helped me understand that Spring has a lot of inbuilt support already for CORS and I scratched off a lot of the code I wrote earlier in favor of inbuilt support.
So after some quick fixes (such as using the fullyAuthenticated method inside the WebSecurityConfigurerAdapter), this article finally helped me drive it home once I understood that you don’t even have to use the fine-grained CORS support in Spring but can simply enable application-wide CORS support using a FilterRegistrationBean, just as described here.
Also I switched back to the good old and simple fetch API, and things just worked like a charm with the sample code below:
// `headers` is built elsewhere (not shown in the post)
fetch('http://localhost:8080/api/challenge', {headers: headers, credentials: 'include'})
  .then(response => console.log(response))
  .catch(error => console.log(error));
So that was my excruciating but illuminating journey into the world of CORS. Until next time, have fun!
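The checks behind the behaviour described in this post, as an added example that is not code from the original post: the server side builds CORS headers from an origin allowlist, and the browser side applies the rules for a request sent with credentials: 'include' and an Authorization header. The allowlist and both function names are assumptions; the origins are the two from the post.

```javascript
// Added example. Origins are the ones from the post; the allowlist and all
// function names are assumptions made for illustration.
const ALLOWED_ORIGINS = new Set(['http://localhost:3333']);

// Server side: CORS response headers for a given request Origin.
// weak=true models a permissive "allow everything" filter.
function corsHeaders(origin, weak = false) {
  if (weak) {
    return {
      'access-control-allow-origin': '*',
      'access-control-allow-headers': '*',
      'access-control-allow-credentials': 'true',
    };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin gets no CORS headers
  return {
    'access-control-allow-origin': origin, // echo only allowlisted origins
    'access-control-allow-headers': 'Authorization',
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // keep caches from serving one origin's answer to another
  };
}

// Browser side: the checks applied to the preflight (OPTIONS) response before a
// fetch with credentials: 'include' and an Authorization header is sent.
function browserVerdict(origin, res) {
  const allowOrigin = res['access-control-allow-origin'];
  if (!allowOrigin) return 'blocked: no Access-Control-Allow-Origin';
  // In credentialed mode '*' is not a wildcard, so it can never match.
  if (allowOrigin === '*') return 'blocked: wildcard origin with credentials';
  if (allowOrigin !== origin) return 'blocked: origin mismatch';
  if (res['access-control-allow-credentials'] !== 'true') {
    return 'blocked: Access-Control-Allow-Credentials is not true';
  }
  // Authorization is not a safelisted header and must be listed by name.
  const allowed = (res['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  if (!allowed.includes('authorization')) return 'blocked: Authorization not allowed';
  return 'allowed';
}

const page = 'http://localhost:3333';
console.log(browserVerdict(page, corsHeaders(page)));
console.log(browserVerdict(page, corsHeaders(page, true)));
```

A filter that echoes back whatever Origin it receives would pass every one of these checks for any site, which is why the allowlist lookup matters once credentials are enabled.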
homeapps · 7 years ago
App Sec Paranoia
Securing passwords in Application Properties, configurations and other plain text sources
Hello World! I know it’s been forever since I posted the last post on this blog, but you know how the saying goes, better be late than never. 
So I have been working hard on a pet project, which I recently re-opened, and while trying to get it running on my local box, I noticed a security problem: The Springboot Application.properties file, as well as a bunch of other handy scripts we had written to automate the build process, had the db password in plain text. With all the latest buzz going on in my office space about application security, this got me thinking: 
There has to be a better way of providing authentication information to the build scripts.
Some Googling later I came across this nifty Unix tool called Pass which appeared to be perfect to get the passwords replaced with a command on all of the automation scripts. This article covers it nicely as well.
However, I was still left with a glaring Application.properties shouting out the password in clear text. A quick Google search revealed a likely answer in the form of Jasypt. Here’s an article that covered it nicely. Here’s the Maven repository link and here’s a sample POM file that has the dependencies required to use this.
While this apparently seems to be addressing the issue, I still had an uncomfortable feeling about having the password just out there, checked into some public repository. 
So I decided to stick with the Pass tool, and re-wrote the scripts to “pass” in the password at runtime (Pun well intended). Hopefully that should secure the app code a bit, but in terms of the overall security of the app, I have miles to go before I sleep.
Hope you guys find the tools mentioned useful. Stay tuned for more updates on the way! In the words of Spock, long live and prosper.
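A check for the problem this post describes, as an added example that is not code from the original post: it scans a properties file for secret-looking keys whose values are literal, and accepts values resolved from the environment at runtime (the form a script using Pass would feed) or wrapped in Jasypt's ENC(...). The key-name pattern, the function name and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example. The key-name pattern and the sample file are assumptions.
const SECRET_KEY = /(password|passwd|secret|token|api[-_.]?key)/i;

// Returns one finding per secret-looking key that holds a plaintext value.
function findPlaintextSecrets(propertiesText) {
  const findings = [];
  propertiesText.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.trim();
    // Skip blanks and both .properties comment styles.
    if (line === '' || line.startsWith('#') || line.startsWith('!')) return;
    const match = line.match(/^([^=:\s]+)\s*[=:]\s*(.*)$/);
    if (!match) return;
    const [, key, value] = match;
    if (!SECRET_KEY.test(key) || value === '') return;
    if (/^ENC\(.+\)$/.test(value)) return;     // Jasypt ciphertext
    if (/^\$\{[^}:]+\}$/.test(value)) return;  // resolved from the environment at runtime
    // ${NAME:default} still ships a usable plaintext fallback in the file.
    const reason = /^\$\{[^}]+:.*\}$/.test(value)
      ? 'placeholder carries a plaintext default'
      : 'literal value';
    findings.push({ line: index + 1, key, reason });
  });
  return findings;
}

// Constructed sample input, not taken from the project.
const SAMPLE = [
  'spring.datasource.url=jdbc:mysql://localhost:3306/demodb',
  'spring.datasource.username=demo',
  'spring.datasource.password=example-db-password',
  'app.mail.password=${MAIL_PASSWORD}',
  'app.api.token=ENC(Y29uc3RydWN0ZWQ=)',
  'app.cache.password=${CACHE_PASSWORD:changeme}',
  'jasypt.encryptor.password=example-master-key',
].join('\n');

console.log(findPlaintextSecrets(SAMPLE));
```

The last sample line is the case behind the unease about Jasypt: ENC(...) values are only as private as the encryptor password, so that key must not sit in the same checked-in file.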
homeapps · 7 years ago
Continuing from the previous post, the next thing on my mind was to be able to move to an OAuth based security strategy, but having freshly been introduced to JSON Web Tokens, I wanted to first understand how we can use them with Springboot security. This tutorial explains this in the simplest possible way, and although it includes links at several places to an apparently better tutorial, this one appeared to be simpler in terms of implementation.
The next step would inevitably be to assimilate the spring security and JWT concepts with the bigger OAuth distributed single sign-on systems. Stay tuned for more updates on this topic and more right over here in your favorite tech blog.
homeapps · 7 years ago
Springboot JDBC Security with MySQL
Springboot is a 500 pound gorilla of a framework. When it comes to extensiveness, the framework can be impressive and daunting at the same time. The security aspect of the framework is no exception, and while there are a myriad guides and tutorials available on the internet, putting together a working prototype proved no trivial task for me.
Google revealed this link as one of the top search results while I was looking up the topic and though it seemed fairly simple and easy at first, I started getting the following error:
PreparedStatementCallback; bad SQL grammar [select username,authority from authorities where username = ?]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'demodb.authorities' doesn't exist
I was definitely using a higher version of the framework, but then I understood the real reason for the failure was elaborated here.
So now I have a working Springboot JDBC Security prototype. The next step would be to extend this to OAuth and JWT support. Stay tuned for more updates right here on this blog.
homeapps · 8 years ago
OS and Drivers: The IoT Next Step
So while fiddling with the basics of IoT, such as building a morse code device using Arduino, I was constantly thinking of using this opportunity to push ahead with the next phase in my IoT learning. I naturally started to think bigger. 
Why just put a bare minimum looping program on a bare minimum board? Why not a full Operating System? And while that thread had a natural inclination to progress towards Raspberry Pi and Raspbian OS, I was both distracted by thoughts of how the OS would work in such restricted environments and thrilled at the thoughts of how a Linux device driver might work, integrating my IoT devices as just another file under the /dev mount point.
Here are some of the Operating System choices I came across:
The Zephyr Project: Quoting the homepage of the project linked here - “The Zephyr™ Project is a scalable real-time operating system (RTOS) supporting multiple hardware architectures, optimized for resource constrained devices, and built with security in mind. This Linux Foundation hosted project embraces open source development values and governance on its mission to unite leaders from across the industry to produce a best-in-breed solution.”  
The Riot OS: Apparently the Riot OS has been around for a while, with excellent support for low power, 32bit, 16bit or even 8bit devices while still offering some pretty nifty features such as Dynamic Memory Management, Multithreading, Real time performance and support for C & C++, all in a low-footprint package requiring only 1.5kB RAM and 5 kB ROM.
Apache MyNewt: Apache’s wireless savvy, hardware agnostic OS. 
RISC OS: One of the oldest Operating Systems on the list, this almost qualifies for a vintage tag! Originally released in 1987, allegedly its origins can be traced to the developers of the ARM microprocessor itself. I am itching to play around with this one real soon.
Android Things: This article would not even be close to complete without mentioning Google’s IoT child. Even with the promise of easy “Android” style development, this is not really high on my list of Operating Systems for IoT I want to try out. Primary reasons being the limited support for Hardware (runs only on Microprocessors not Microcontrollers), and also Google’s “prying eyes”.
Here’s a quick comparison chart I was able to draw up with some of the popular available hardware options and prices in India as well as the supported Operating Systems (Please note that prices may be volatile/inaccurate).
Stay tuned for upcoming articles with detailed reviews on some of these operating systems mentioned here.  
homeapps · 8 years ago
While working on a pet project app, I got really interested in learning about how the latest authentication and identity providers work together with Springboot. To be honest, I had almost zero knowledge of Springboot security, and if that’s the case with you as well, you might want to get started with: https://spring.io/guides/gs/securing-web/
homeapps · 8 years ago
Arduino Morse Code Transmitter
I have been participating in quite a few IoT conferences and sessions lately, and I was also able to get my hands on a basic Arduino starter kit. So as a weekend project, I set off building a Morse code transmitter.
Components Used
Arduino Uno
Bread board
Red LED
220 Ohm Resistor
HC-05 Bluetooth module
Jumper wires
Schematics
Source Code
All of the source code is available here. It uses the Lewis Morse code library.
To hook up to the Bluetooth serial terminal, I used the Bluetooth Terminal android app.
End Results
homeapps · 8 years ago
Modularize Arduino Code
Since the last few weeks, I have been able to delve deeper into the realm of IoT than I have ever done before. I am a part of the office IoT interest group and have been regularly participating in IoT sessions and even in conferences around my city. I have even procured my own Arduino board and basic setup to get started with some real hacking.
However, once I received my first real assignment of creating a Morse Code flasher, I realised that writing the whole code inside a single Sketch file just doesn’t make sense. So I did what I always do, searched Google, and got this link for writing libraries for Arduino.
However, while playing with it, I realized that the instructions on the site are not quite accurate, perhaps due to version differences. So for instance, I could not find a Sketch > Import Library  menu item. There were Include Library and Add File... menu items instead. 
I figured that I could simply create the additional modules inside the sketch folder directly if modularization is all that I needed. Also, instead of referring to header files as <header.h> I could simply use “header.h” as is commonly used for C/C++ custom header files. Finally, instead of using the regular Arduino IDE, I felt using something like Sublime Text was better in terms of code and syntax highlights.
Anyway, I am still tinkering around and I am just happy that I can write the code in C++ and break it up into smaller chunks.
homeapps · 8 years ago
Getting Started with Grunt and AngularJS like a Pro
In continuation to my previous article, once I dabbled a bit with the AngularJS concept, I immediately started to think of how to bring all of this together into a coherent project boilerplate? How does this work with node, npm, and package.json? 
So I did a bit of digging myself to first learn about the workings of the build system using the following videos from LearnCode academy:
Obviously, I needed references to package.json and to a sample grunt file to get started.
Once I got all the stuff together and after a bit of fiddling, I finally managed to create a working project harness / boilerplate, which I promptly pushed into this Github repository. 
If you are just getting started with AngularJS and grunt, I would highly recommend that you at least take a look at the videos and the repository. Obviously I am yet to add full testing support (Karma + Protractor), but I am planning to add those only after I have learnt about their workings sufficiently. Stay tuned to find out more.
homeapps · 8 years ago
Learning AngularJS
When I learnt jQuery years ago, it provided an immense and immediate boost to my productivity on the job. I could create fairly simple web applications really fast and thanks to cloud services such as Bluemix, I could get an app up and rolling in no time at all.
But with the host of applications I created, I soon realised that jQuery alone wasn’t sufficient when it comes to scalability. Even without any knowledge of the numerous JS frameworks, such as Angular and React, I could understand the necessity of using one in order to be able to rapidly scale up my developed applications. But back then, the learning curve of these massive frameworks appeared daunting, especially given that the learning was mostly out of my own self interest. And so, I had turned towards what appeared to be a relatively simpler framework back then - backbone.js.
When I joined my new company about a month back, I got my first taste of one of these frameworks, ReactJS, during a basic bootcamp session, and I was fairly impressed with the way in which the previously challenging framework was simplified by the instructor.
However, now that I am starting up on a new project, the tech stack includes AngularJS and hence I have started learning this framework.
Although it was recommended that we followed the PhoneCat tutorial for a quick start, I found this Concepts Guide to be much more helpful to start with.
Also, this video on YouTube is a great place to get started. With all of these resources, hoping I can ramp up to this new framework in no time.
homeapps · 8 years ago
Zebra Crossing or (ZXing) seems to be a nifty barcode image processing library in Java worth exploring. Have you ever used this library? Share your experiences with me.
homeapps · 8 years ago
Happy New Year
I suppose I have a habit of disappointing when it comes to regularity, whether it be waking up in the morning or publishing my blog posts, and last year was no exception to that. I was really held up by a lot of stuff, especially with the job switch, it got a bit difficult to be regular, but that’s still no excuse for not sharing some of the cool technology I keep exploring all the time.
So I suppose one of my New Year resolutions is going to be being a bit more regular with my posts. I will be trying to put up at least one post each month to begin with and see where we can get from there.
Also, I have been planning on a few changes for this year for this blog. For one, in addition to the regular software and technology stacks I explore, I will be including some mobile app reviews as well. Also, I am planning on categorizing my posts, and including at least a few fresh and original articles every now and then.
2017 is going to be a great year, with my new job, I am confident of being able to focus on learning and exploring many new technologies. Also, with some of the financial burdens cleared out, I might even be able to self-fund some interesting projects.
What are you looking forward to doing in 2017? Tweet me your thoughts and resolutions. Wish you all a very happy new year!
homeapps · 8 years ago
Even with the bunch of android code I have written, I am still a noob when it comes to automated testing on android. Not that I am proud of it either, which is why I have started reading up. At least it's a start!
homeapps · 8 years ago
Not sure if this is an alternative worth exploring for webpage content extraction, but putting it here anyway for future reference.
homeapps · 8 years ago
Github is perhaps one of the most widely used distributed version control systems today. Most open source projects are hosted on github.
But what if you wanted to have a private hosted github repository? While there are multiple self-hosted github clones available, such as Gitlab and Gogs, Kallithea is an Open source alternative I found to be quite an attractive option with near enterprise class features such as LDAP integration.