Showing posts with label Software. Show all posts

Tuesday, December 31, 2019

C# programming: Debug and trace


To generate a trace, use

System.Diagnostics.Trace.WriteLine("some trace");

This call only produces output when the TRACE symbol is defined at compile time. Add the compiler option in web.config:

<compilation defaultLanguage="c#" debug="true" targetFramework="4.5">
  <compilers>
    <compiler language="c#" ... compilerOptions="/d:DEBUG;TRACE" />
  </compilers>
</compilation>

During development, the trace can be found in Visual Studio's console. Once the application is deployed, the trace can be viewed with the DebugView tool, which can be downloaded from:

https://docs.microsoft.com/en-us/sysinternals/downloads/debugview


Monday, December 30, 2019

OWASP Top Ten 2017 Examples and Fixes | C# Programming


1. Injection

The problem: SQL Injection

string sql = @"SELECT *  FROM Memos WHERE Id = " + idString;
using (OleDbConnection cnn = new OleDbConnection(connectionString))
{
  cnn.Open();
  OleDbCommand cmd = new OleDbCommand(sql, cnn);
  OleDbDataReader reader = cmd.ExecuteReader();

  while (reader.Read())
  {
    ...
  }
}

If idString comes from the user input, it can be manipulated to create unexpected SQL commands.

The fix is to use a prepared statement:

string sql = @"SELECT * FROM Memos WHERE Id = ?";
using (OleDbConnection cnn = new OleDbConnection(connectionString))
{
  cnn.Open();
  OleDbCommand cmd = new OleDbCommand(sql, cnn);

  // OleDb binds parameters by position to each ?; the name "@Id" is only a label.
  cmd.Parameters.AddWithValue("@Id", idString);

  OleDbDataReader reader = cmd.ExecuteReader();

  while (reader.Read())
  {
    ...
  }
}



2. Broken Authentication

The problem: Session is kept after logout

public ActionResult LogOut()
{
  return RedirectToAction("LogOn");
}

The fix is to remove the user session from DB and server side:

public ActionResult LogOut()
{
  string userName = Session["UserName"].ToString();
  db.RemoveUserSession(userName);
  Session.Abandon();
  return RedirectToAction("LogOn");
}


3. Sensitive Data Exposure

The problem: Store password in plain text

var user = new User()
{
  Email = email,
  Login = login,
  Password = password,
  Name = name,
  Role = role
};

The fix is to store only a hash of the password, so that the plain-text password cannot be stolen from where it is stored:

var user = new User()
{
  Email = email,
  Login = login,
  Password = Argon2.Hash(password),
  Name = name,
  Role = role
};


4. XML External Entities (XXE)

var resolver = new XmlUrlResolver();

var settings = new XmlReaderSettings
{
  DtdProcessing = DtdProcessing.Parse,
  XmlResolver = resolver
};

XmlReader reader = XmlReader.Create("items.xml", settings);

The fix:

var settings = new XmlReaderSettings
{
  DtdProcessing = DtdProcessing.Prohibit, // reject any document that contains a DTD
  XmlResolver = null                      // never resolve external entities or DTDs
};

XmlReader reader = XmlReader.Create("items.xml", settings);


5. Broken Access Control

The problem: Unvalidated Redirects and Forwards

private ActionResult RedirectToLocal(string returnUrl)
{
  if (!string.IsNullOrEmpty(returnUrl))
  {
    return Redirect(returnUrl);
  }
  return RedirectToAction("Index");
}

The fix is to validate the URL before redirecting:

private ActionResult RedirectToLocal(string returnUrl)
{
  if (Url.IsLocalUrl(returnUrl))
  {
    return Redirect(returnUrl);
  }
  return RedirectToAction("Index");
}


6. Security Misconfiguration

The problem: Information Exposure of Error Details

Logger.LogError(ex.Message + ex.StackTrace);

The fix is to avoid logging the stack trace unless a debugger is attached:

if (Debugger.IsAttached)
  Logger.LogDebug(ex.Message + ex.StackTrace);

Logger.LogError(ex.Message);


7. Cross Site Scripting (XSS)

userModel.Information = reader["Information"].ToString();

The fix:

string information = reader["Information"].ToString();
string encodedInfo = AntiXssEncoder.HtmlEncode(information, false);
userModel.Information = encodedInfo.ToString();


8. Insecure Deserialization

using (var filestream = File.Open(filename, FileMode.Open))
{
  return DeserializeObject<T>(filestream, settings);
}

The fix is to use encryption/decryption during serialization/deserialization:

using (var filestream = File.Open(filename, FileMode.Open))
{
  using (var cs = new CryptoStream(filestream,
                        CreateRijndael(password).CreateDecryptor(),
                        CryptoStreamMode.Read))
  {
    return DeserializeObject<T>(cs, settings);
  }
}

private static Rijndael CreateRijndael(string password)
{
  var rijndael = Rijndael.Create();
  var pdb = new Rfc2898DeriveBytes(password, Pepper, 1000000);
  rijndael.Key = pdb.GetBytes(32);
  rijndael.IV = pdb.GetBytes(16);
  return rijndael;
}


9. Using Components with Known Vulnerabilities

Linking a file from an untrusted website:

<link href="http://a.company.com/some.styles.css" rel="stylesheet" />

The fix:

<link href="https://a.trustworthy.website.com/some.styles.css"
      rel="stylesheet"
      integrity="sha256-......."
      crossorigin="anonymous" />


10. Insufficient Logging and Monitoring

Console.WriteLine(ex.Message);

The fix:

Logger.LogError(ex.Message);



Monday, November 11, 2019

Adding a CA to the trust store for Eclipse


If an Eclipse plugin uses a self-signed update site, you may encounter an authentication failure error when updating the plugin.

The solution is to add the CA of the self-signed certificate to the trust store that Eclipse uses.

By default, Eclipse uses the Java trust store at $JAVA_HOME/lib/security/cacerts.

To list the certificates in it, go to $JAVA_HOME/lib/security/ and run command:
$ $JAVA_HOME/bin/keytool -list -keystore ./cacerts

You may not have the permission to add a new certificate into the default trust store. We can make a copy of the default trust store and add the new certificate in the new copy.
$ cd /path/to/my/trust/store/location
$ cp $JAVA_HOME/lib/security/cacerts mytruststore

The password of Java's default cacerts is "changeit". You will need to input it when adding a new certificate into mytruststore.

Run the following command to import the new certificate (e.g. cloudServicesRootCA.cer, this post shows how to download the certificate of a CA) into mytruststore:
$ $JAVA_HOME/bin/keytool -alias cloudServicesRootCA -import -file cloudServicesRootCA.cer -keystore mytruststore

Exit Eclipse if you are running it, and let Eclipse know about the new trust store by adding it to Eclipse's configuration file eclipse.ini, which is located in the root directory of the Eclipse installation. Use an editor to open eclipse.ini and add/modify these two parameters:
-Djavax.net.ssl.trustStore=/path/to/my/trust/store/location/mytruststore
-Djavax.net.ssl.trustStorePassword=changeit

Wednesday, June 12, 2019

ASP.NET: Cross site scripting attack and HtmlEncode


To prevent the Cross Site Scripting (XSS) attack, we should use System.Web.HttpUtility.HtmlEncode() to encode a string before sending it in a response if the string is from an untrusted source.

System.Web.HttpUtility.HtmlEncode will encode these characters:

   Character    Encoded
   <            &lt;
   >            &gt;
   "            &quot;
   &            &amp;
   '            &#39; (.NET 4.0 Only)

Saturday, April 27, 2019

A bug in Apache's Axis2/C


The latest version of Axis2/C from Apache is 1.6.0 (http://axis.apache.org/axis2/c/core/download.cgi).

There is a bug in the file src/core/transport/http/server/apache2/apache2_stream.c of this release:

int AXIS2_CALL
apache2_stream_read(
    axutil_stream_t * stream,
    const axutil_env_t * env,
    void *buffer,
    size_t count)
{
    apache2_stream_impl_t *stream_impl = NULL;
    size_t read = 0;
    size_t len = 0;

    AXIS2_ENV_CHECK(env, AXIS2_CRITICAL_FAILURE);

    stream_impl = AXIS2_INTF_TO_IMPL(stream);

    while(count - len > 0)
    {
        read = ap_get_client_block(stream_impl->request, (char *) buffer + len,
                                   count - len);
        if(read > 0 && read != 0xFFFFFFFF)
        {
            len += read;
        }
        else
        {
            break;
        }
    }

    return (int)len;
    /* We are sure that the difference lies within the int range */
}


The variable "read" is declared as size_t (the line "size_t read = 0;"). But the function ap_get_client_block(), whose result is assigned to "read" inside the loop, can return -1, which is converted into a very large integer on assignment because size_t is unsigned.

To trigger the bug, send the application an HTTP request with a Content-Length having a greater value than the actual size of the content.

A quick fix is to change the type of "read" to ssize_t so that -1 can legally be assigned to it:

    ssize_t read = 0; 
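
The conversion described above, reproduced as an added example (this is not Axis2/C code): fake_get_client_block is a hypothetical stub that mimics the -1 return of ap_get_client_block(), and max_calls is a demo-only bound on the loop. The size_t result shown assumes a platform where size_t is 64 bits, where the converted -1 no longer equals 0xFFFFFFFF.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed request: the bytes that really arrived from the client. */
typedef struct {
    const char *body;
    size_t      body_len;
    size_t      pos;
    unsigned    calls;   /* number of read calls made so far */
} fake_request;

/* Hypothetical stub with the return convention the post describes for
 * ap_get_client_block(): bytes copied, or -1 when the announced body
 * (Content-Length) is longer than the data actually sent. */
static long fake_get_client_block(fake_request *r, char *dst, size_t room)
{
    size_t left = r->body_len - r->pos;

    r->calls++;
    if (left == 0)
        return -1;
    if (left > room)
        left = room;
    memcpy(dst, r->body + r->pos, left);
    r->pos += left;
    return (long)left;
}

typedef struct {
    size_t   len;     /* byte count the loop would report */
    unsigned calls;   /* read calls issued before the loop ended */
} read_outcome;

/* Loop shape of the 1.6.0 source: "read" is size_t.
 * max_calls is a demo-only bound; keep it small so the run stops
 * before len can wrap below zero and leave the buffer. */
static read_outcome read_with_size_t(const char *body, size_t body_len,
                                     char *buffer, size_t count,
                                     unsigned max_calls)
{
    fake_request req = { body, body_len, 0, 0 };
    read_outcome out;
    size_t read = 0;
    size_t len = 0;

    while (count - len > 0 && req.calls < max_calls) {
        read = (size_t)fake_get_client_block(&req, buffer + len, count - len);
        if (read > 0 && read != 0xFFFFFFFF)
            len += read;   /* 64-bit size_t: -1 arrives as SIZE_MAX, len shrinks */
        else
            break;
    }
    out.len = len;
    out.calls = req.calls;
    return out;
}

/* Same loop with the quick fix from the post: "read" is ssize_t. */
static read_outcome read_with_ssize_t(const char *body, size_t body_len,
                                      char *buffer, size_t count,
                                      unsigned max_calls)
{
    fake_request req = { body, body_len, 0, 0 };
    read_outcome out;
    ssize_t read = 0;
    size_t len = 0;

    while (count - len > 0 && req.calls < max_calls) {
        read = (ssize_t)fake_get_client_block(&req, buffer + len, count - len);
        if (read > 0 && read != 0xFFFFFFFF)
            len += (size_t)read;
        else
            break;         /* -1 stays negative, so the loop ends here */
    }
    out.len = len;
    out.calls = req.calls;
    return out;
}

int main(void)
{
    char buffer[16];
    /* Constructed input: 5 bytes arrive, but the caller expects 16. */
    read_outcome bad  = read_with_size_t("hello", 5, buffer, sizeof buffer, 4);
    read_outcome good = read_with_ssize_t("hello", 5, buffer, sizeof buffer, 4);

    printf("size_t : len=%zu after %u calls\n", bad.len, bad.calls);
    printf("ssize_t: len=%zu after %u calls\n", good.len, good.calls);
    return 0;
}
```

With size_t the loop does not stop at the error and the reported length moves backwards on every failed call; with ssize_t it stops on the first -1 with the 5 bytes that were actually read.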



Thursday, April 25, 2019

Visual Studio: fix the References in a web site solution or .NET project


A solution can have references to multiple sub-projects. If you make some code changes in a sub-project but the changes do not seem to take effect in the project, the reference may have been broken.

To check the references in the solution, right click on the Web Site on the Solution Explorer. Select Property Pages on the menu.

In the Property Pages dialogue, select References from the listed items. Check the list of references and make sure the Version of every sub-project has the value Auto Update. If it is a specific version number, your changes to the sub-project will have no effect. To change it to Auto Update, use the Remove button to remove the sub-project from the list and then use the Add button to add it back.

You may also be able to add or remove the References from the Solution Explorer for projects. Just expand the project and look for the References item.

Monday, April 15, 2019

Outlook: delay sending out emails


After you click the Send button to send an email, you may sometimes realize there were some mistakes in the email or you have forgotten to mention something. However, there is no way to unsend the email.

In Outlook, we can set a rule to delay every email a little so that we have some cool down period before the email actually leaves the outbox. Here are the steps of setting up the rule:
  1. Click on the Rules button of the Toolbar and select Manage Rules & Alerts...
  2. In the Rules and Alerts dialogue, on E-mail Rules tab, click on the New Rule... button.
  3. In the Rules Wizard dialogue, select Apply rule on messages I send in the Start from a blank rule box. Click on the Next button.
  4. Skip the Select conditions step and click on the Next button.
  5. Check defer delivery by a number of minutes in the Select action(s) box. In the Step 2 box below, click on the a number of link. Input 1 minute as the value. (It is a pity that we cannot set a value less than 1 minute.) Click on the Next button.
  6. Skip the Select exception(s) step and click on the Next button.
  7. Give this rule a name and check the Turn on this rule checkbox. Click on the Finish button.
Now every email you send will be delayed for 1 minute.

There may be some emails that are not that important, so you can send them immediately worry-free. We can add an exception for those emails in the above "delay" rule:
  1. In the Rules and Alerts dialogue, select the rule we have just created and click on the Change Rule button and select Edit Rule Settings....
  2. Click on the Next buttons twice until we get to the Select exceptions(s) step. Check except if assigned to category category box
  3. In the Step 2 box below, click on the category link.
  4. In the Color Categories dialogue, create a new category, e.g. Send Immediately, and select it (check its checkbox).
  5. Back to the Rules Wizard dialogue. Click on the Finish button.
Now in the Rule description box of the Rules and Alerts dialogue, the description of the new rule should look like this:
    Apply this rule after I send the message
    defer delivery by 1 minute
    except if assigned to Send Immediately category

From now on, all your outgoing emails will sit in the Outbox for 1 minute before they are actually sent out. You will get a chance to edit an email after you click on the Send button. To do that, drag the email from the Outbox to the Drafts and then edit it.

If you want to send an email immediately, in the new email window click on the Tags arrow (in the Toolbar) to open the Properties dialogue. At the bottom of the dialogue, click on the Categories button and select our newly defined Send Immediately category. Click the Close button. The email is given the Send Immediately property and will be sent immediately when you click on the Send button.




Friday, December 28, 2018

ProgressBar not shown due to animation disabled on phone | Android Programming


I noticed the ProgressBar used in my app suddenly stopped working.

<ProgressBar
    style="?android:attr/progressBarStyleLarge"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:id="@+id/progressBar"
    android:progressDrawable="@drawable/circular_progress_bar"/>



res/drawable/circular_progress_bar.xml:

<?xml version="1.0" encoding="utf-8"?>
<rotate
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:fromDegrees="90"
    android:pivotX="50%"
    android:pivotY="50%"
    android:toDegrees="360">

    <shape
        android:innerRadiusRatio="3"
        android:shape="ring"
        android:thicknessRatio="7.0">

        <gradient
            android:centerColor="#2277DD"
            android:endColor="#2277DD"
            android:startColor="#2277DD"
            android:angle="0"
            android:type="sweep"
            android:useLevel="false" />
    </shape>

</rotate>

I played with the code for an hour or so but could not find out why. It turned out the reason was that I had turned off animation on my phone. To turn it back on, go to Settings/Developer options, find all the "animation scale" options and set the scales to a value other than "Animation off". Restart the app on the phone and the ProgressBar will come back.

Wednesday, December 26, 2018

Stop showing soft keyboard on Activity start | Android programming


If the first element in the Activity is an EditText, it will get focus when the Activity starts, and the soft keyboard will show up.

There are many ways to solve this issue if you don't want the soft keyboard to pop up. Here is a simple and interesting trick that only makes small updates to the layout XML files.

Add the android:focusable and android:focusableInTouchMode attributes to the parent element of the first EditText. The EditText will then not get focus at start-up, and thus the soft keyboard will not show:

<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:orientation="vertical"
    android:focusable="true"
    android:focusableInTouchMode="true">

    <EditText
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:id="@+id/some_iput"/>

   ...

Sunday, September 10, 2017

JSP: escape XML


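In JSP:

<%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<%-- fn:escapeXml is an EL function, so the string is exposed as a page attribute --%>
<% pageContext.setAttribute("str", "<abc &  ' \">"); %>

<html>
<body>

<p>Escaped string: ${fn:escapeXml(str)} </p>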

</body>
</html>
 

This requires the JSTL 1.2 JAR, which can be downloaded at https://mvnrepository.com/artifact/javax.servlet/jstl/1.2



Thursday, June 4, 2015

POST HTTP requests with cURL


To POST an HTTP request with cURL, run the command like this:
    curl -X POST -H "Content-Type:text/xml" --data @input-file --output output-file http://the-url
 
In this example, input-file is a text file with an XML request, and the content of the HTTP response will be saved into output-file.

-H adds an HTTP header. In our example, we are sending an XML request, so the Content-Type header is added to say so.

For other options, refer to the online manpage at http://curl.haxx.se/docs/manpage.html.

cURL can be downloaded from http://curl.haxx.se/download.html. For Windows, there are some standalone versions that can run without installation, e.g. Win64-Generic: 7.33.0.


Wednesday, July 16, 2014

PHP SoapClient error: Could not connect to host


It is a mystery why this piece of code caused a SoapFault exception:
 
<?php
 
  $wsdl = "http://myws.toptip.ca/myws.wsdl";

  $client = new SoapClient($wsdl, array(
                   "trace" => 1,
                   "exceptions" => 1));

  $parameters = array("Element1" => "data1", "Element2" => "data2");

  $response = $client->myFunction($parameters);

?>

An important fact was that the soap address location inside the WSDL is using a port other than 80, e.g.

 http://myws.toptip.ca:8080/mywebservice

The exception was captured in /var/log/httpd/error_log:

PHP Fatal error: Uncaught SoapFault exception: [Http] Could not connect to host in ...

I tried to use Wireshark to capture the packets sent and received. Surprisingly, there was no packet sent out to the server from SoapClient. Not even the attempt to connect.

Accidentally, I found out an interesting thing. When I changed the port number of the soap address location in the WSDL file to the default (80), e.g.

http://myws.toptip.ca/mywebservice

SoapClient actually tried to connect to the service.

Why???

Sorry, I don't have the answer. If you have a clue, please let me know.

However, I have a workaround.

I installed the squid proxy on port 80 of the localhost. Then when creating the SoapClient object, I added the "proxy_host" and "proxy_port" options. Bang! It worked!! SoapClient sent the request to the proxy and it was successfully forwarded to the web service location.

Saturday, July 5, 2014

Create a Web Service from a WSDL with Eclipse


  1. Create an empty Dynamic Web Project (New->Project...->Web->Dynamic Web Project).
  2. Important Note: In the "Dynamic Web Project" dialogue, select a version less than 3.0 for the Dynamic web module version, e.g. 2.5. Otherwise, we will get an error of Apache Axis2 Web service runtime in Tomcat v7.0 Server does not support the service project <MyProject> in a later step.
  3. Right click on the project and select New->Others...
  4. In the "Select a wizard" dialogue, select Web Services->Web Service, and click the "Next" button.
  5. Select Top down Java bean Web Service for the Web Service type option. Input the URL of the web service in the Service definition box.
  6. Drag the slider on the left to choose Start service. Click the "Next" button.
  7. Follow the prompts to create the web service and start Tomcat.
  8. The web service skeleton is generated and we can fill in our implementation of the business logic.

Saturday, June 28, 2014

Web Dictionary Widget



 If you like our Wiktionary and Google Translate, you will be interested in its sister project -- our new Web Dictionary Widget. Check it out at dic.solezero.com.

Create a SOAP client from a WSDL with Eclipse or Microsoft Visual Studio


Suppose we have the WSDL file of an existing web service from which we want to create a SOAP client for testing purposes. Both Eclipse and Microsoft Visual Studio can help us build one quickly. The WSDL file can be on the web or on the local disk.

Its URLs could look like the following:
   file:///c://path/to/the-wsdl-file.wsdl
   http://www.example.com/path/to/the-wsdl-file.wsdl

Create a SOAP client in Java with Eclipse

  1. Create an empty Dynamic Web Project (New->Projects...->Web->Dynamic Web Project).
  2. Right click on the project and select New->Others.
  3. In the "Select a wizard" dialogue, select Web Service->Web Service Client, and click the "Next" button.
  4. Input the URL of the web service in the Service definition box.
  5. Drag the slider on the left to choose to generate a Test client. Click the "Next" button.
  6. Follow the prompts to create the client and start Tomcat.
  7. A web-based test client is generated and we can run a test with it.
An alternative way (if using Linux) is:
  1. Create an empty Java Project.
  2. Use wsimport to generate the library for the WSDL, e.g.: wsimport -keep -verbose -d /path/to/eclipse/workspace/project/src /path/to/wsdl-file
  3. Write the source code for the test client using the generated library.

Create a SOAP client in C# with Microsoft Visual Studio

  1. Click on menu File->New Project...
  2. In the "New Project" dialogue, choose the template C#->Test. Change Name/Location/Solution/Solution name as needed. Click the "OK" button.
  3. On the Solution Explorer panel, right click on the project's References and select Add Service References...
  4. Input the URL of the web service in the Address box and click the "GO" button. Change the Namespace as needed. Click on the "OK" button.
  5. The test client is generated and the file UnitTest1.cs file is opened for us to add our test cases.
  6. Using http://www.webservicex.net/stockquote.asmx?WSDL as an example, we can write something like the following in TestMethod1():
ServiceReference1.StockQuoteSoapClient client = new ServiceReference1.StockQuoteSoapClient("StockQuoteSoap");

String quote = client.GetQuote("AAPL"); 

Create a SOAP client in VB with Microsoft Visual Studio

  1. Click on menu File->New Project...
  2.  In the "New Project" dialogue, choose the template Visual Basic->Test. Change Name/Location/solution/solution name as needed. Click the "OK" button.
  3. On the Solution Explorer panel, right click on the project's name and select Add Service References...
  4. Input the URL of the web service in the Address box and click the "GO" button. Change the Namespace as needed. Click on the "OK" button.
  5. The test client is generated and the file UnitTest1.vb file is opened for us to add our test cases.
  6. Using http://www.webservicex.net/stockquote.asmx?WSDL as an example, we can write something like the following in TestMethod1():
Dim client As New ServiceReference1.StockQuoteSoapClient("StockQuoteSoap")
Dim quote As String

quote = client.GetQuote("AAPL")

Saturday, January 11, 2014

Miscellaneous problems with GWT/Spring/Hibernate/Eclipse in web development


Debug breakpoints are not triggered in GWT client package.

Reason: Debug mode for the GWT client package only works in Development mode. In production mode, the GWT client side runs the compiled JavaScript, which has lost the information about the debug breakpoints.

Solution: Use the URL of http://127.0.0.1:8888/myproject.html?gwt.codesvr=127.0.0.1:9997 -- note: the "?gwt.codesvr=127.0.0.1:9997" part refers to the code server running the Java version of the client package.


When using GWT SimplePager setPageSize() for the paging of a CellTable, only the first page has data. Pressing the Next button shows no more data and pressing the Back button may raise a null-pointer exception.

Solution: Use a ListDataProvider<T> to inject the data of the list to the widget, e.g.
  CellTable<DataObj> cellTable = new CellTable<DataObj>();
  ...
  cellTable.addColumn(...);
  ...
  cellTable.setRowData(0, dataList);
  cellTable.setRowCount(dataList.size(), true);
  ...
  // Add a pager
  SimplePager.Resources pagerResources = GWT.create(SimplePager.Resources.class);
  SimplePager simplePager = new SimplePager(TextLocation.CENTER, pagerResources, false, 0, true);
  ...
  simplePager.setDisplay(cellTable);
  simplePager.setPageSize(10);
  ...
  // Must use ListDataProvider for correct paging.
  ListDataProvider<DataObj> dataProvider = new ListDataProvider<DataObj>();
  dataProvider.addDataDisplay(cellTable);
  dataProvider.setList(dataList);


org.hibernate.MappingException: Repeated column in mapping for entity: ... column: ... (should be mapped with insert="false" update="false")

Reason: The column is used as a JoinColumn too. If different values are set for the "Column" and the "JoinColumn", it will cause an inconsistency. Hibernate only allows the change in one place when doing an insert or update.

Solution: Use "insertable=false, updatable=false" in all but one mapping, e.g.
  @Column (name="...", insertable=false, updatable=false)
or
  @JoinColumn (name="...", referencedColumnName="...", insertable=false, updatable=false)


Hibernate criteria.list() returns empty list.

Solution: Add
  <property name="packagesToScan" value="package.to.scan.for.the.entity.classes" />
to
  <bean id="sessionFactory"
        class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">

GWT WindowBuilder cannot find the CSS file. Trying to add new style generates this error message "There are no CSS files referenced from modules HTML."

Reason: The WindowBuilder cannot access the CSS under the "war" directory.

Solution: Create a new subdirectory where the ???.gwt.xml is located. By default, GWT recognizes the directory name "public". If we want to use another name, such as "css", we need to add
  <public path="css" />
to the ???.gwt.xml file. We also add the file name of the CSS file to the ???.gwt.xml file
  <stylesheet src="???.css" />
The GWT compiler will copy all the files under "public" to "war/my-project-name" directory.

Exception from Hibernate 4 when calling sessionFactory.getCurrentSession(): Caused by: org.hibernate.HibernateException: No Session found for current thread.

Solution: Verify that the configuration for transactionManager is correct.  Add @Transactional to the method that calls sessionFactory.getCurrentSession().

Exception from Hibernate: Caused by: org.hibernate.ObjectNotFoundException: No row with the given identifier exists: [...]

Reason: The Entity has a one-to-one, one-to-many etc mapping and the referred Entity has no data for this reference. For example, the User table can be joined to the ContactInfo table. For a user that does not have a record in the ContactInfo table, such an exception will be thrown.

Solution: Use the @NotFound(action=NotFoundAction.IGNORE) annotation for the reference member. The member will then be set as null in the returned Entity.

Associated entities are not saved when saving an entity.

Reason: By default, we have to explicitly save each one.

Solution: Use CascadeType for the mapping, e.g. @OneToOne(cascade=CascadeType.PERSIST), @OneToMany(cascade=CascadeType.ALL), etc. Hibernate will then automatically propagate your action to the associated entity.

Exception: Caused by: org.hibernate.AnnotationException: No identifier specified for entity

Reason: Annotation @Id is missing. Each @Entity needs an @Id. It is the primary key in the database.

To automatically generate column names in uppercase from property name.

Solution: Create a naming strategy from hibernate DefaultNamingStrategy:
  public class MyNamingStrategy extends DefaultNamingStrategy {
    @Override
    public String propertyToColumnName(String propertyName) {
      return propertyName.toUpperCase();
    }
  }
In the configuration XML file, add:
  <property name="namingStrategy">
    <bean class="package.path.to.MyNamingStrategy" />
  </property>

OneToMany unidirectional mapping throws exception: org.hibernate.MappingException: Unable to find column with logical name: ??? in org.hibernate.mapping.Table(???) and its related supertables and secondary tables.

Reason: The elements "name" and "referencedColumnName" in the JoinColumn annotation depend on the context (see http://docs.oracle.com/javaee/6/api/javax/persistence/JoinColumn.html).

Solution: In my case, I need to switch the values of them. And referencedColumnName should refer to a PHYSICAL column in the source table.

When primary key is used as @OneToOne mapping and @JoinColumn, an exception is thrown: Caused by: java.lang.NullPointerException at org.hibernate.type.descriptor.java.AbstractTypeDescriptor.extractHashCode (AbstractTypeDescriptor.java:88)

Solution: Restructure the code to make sure the target object is persisted first so that the primary key is known when persisting the object in question.

Exception: Caused by: org.hibernate.PersistentObjectException: detached entity passed to persist.

Reason 1: Inconsistency issue. E.g. class A has a @OneToMany reference to class B, while class B has a @ManyToOne reference to class A. We need to satisfy both sides of the relationship before persisting, i.e. objA.getB().add(objB); objB.setA(objA).

Reason 2: Manually set the value for the field of GenerationType.AUTO.

Exception: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role ...... could not initialize proxy - no Session

Solution: Use Hibernate.initialize() to initialize the proxy before the session is closed.

Exception: com.google.gwt.user.client.rpc.SerializationException: Type 'org.hibernate.collection.internal.PersistentBag' was not included in the set of types which can be serialized by this SerializationPolicy or its Class object could not be loaded. For security purposes, this type will not be serialized.

Solution: http://www.gwtproject.org/articles/using_gwt_with_hibernate.html: 1. write our own light weight DTO, separating from Entity bean. 2. use Dozer to generate DTO for each Entity bean. 3. use Gilead (hibernate4gwt) lib.

Tuesday, November 12, 2013

Adding Images to Wiktionary and Google Translate Extension


"Use it or lose it" -- that is what scientists have discovered about our brains. Is it true that because the online dictionary tools are so handy, people do not bother to memorize new words any more? It doesn't have to be like that. What if the dictionary can actually help you build your vocabulary?

A traditional dictionary may hardly help much for that purpose. How about a visual dictionary? The book Brain Rules (by John Medina) states that Text and oral presentations are not just less efficient than pictures for retaining certain types of information; they are way less efficient. If information is presented orally, people remember about 10 percent, tested 72 hours after exposure. That figure goes up to 65 percent if you add a picture. In another book, Moonwalking With Einstein (by Joshua Foer), the memory athletes turn boring things into vivid images to memorize them.

Inspired by these facts, images are added to version 7.0 of Wiktionary and Google Translate, the Firefox extension. Certainly not every word can be presented by an image. However, with the help of a search engine, we can almost always show some related images that can help us better understand and memorize the word.



In this version, we use the Google Custom Search Engine to get images. It is free for the first 100 searches per day. This should be enough for a regular use.

To enable this feature in Wiktionary and Google Translate, open the Options dialogue and select the Advanced tab. Enable the Show Images checkbox and fill in the Google API key and Custom Search Engine ID boxes. You need to get your own Google API key and Google Custom Search Engine ID (see below for the steps of getting them.)


Your Google API key and Custom Search Engine ID will not be encrypted when stored with Firefox. Therefore, it is a good idea to use a dedicated pair of Google API key and Custom Search Engine ID for Wiktionary and Google Translate.

If you already know how to get a Google API key and a Google Custom Search Engine ID, you can skip the following.

How to get a Google API key
  • Go to https://code.google.com/apis/console/
  • Click the "Create project ..." button. You will be brought to the page of All Services.
  • Find Custom Search API in the list and turn it on by clicking the ON/OFF button.
  • Select API Access from the menu on the left side.
  • Click the "Create new Browser key ..." button. An API key will be generated and shown.
How to get a Custom Search Engine ID

There is a trick to generate a CSE ID for searching the whole Web. Please keep on reading.
  • Go to https://www.google.com/cse/
  • Click the Create a custom search engine button.
  • Enter www.example.com in the Site to search box. Click the CREATE button.
  • Find the item of Modify your search engine and click the Control Panel button.
  • On the Basics tab, scroll to the bottom. Find the Sites to search section and choose Search the entire web but emphasize included sites.
  • Click on the checkbox of the site www.example.com (which we entered earlier) and press the Delete button to remove it.
  • On the same page, above the Sites to search section, find the Details section and press the Search Engine ID button to get your CSE ID.
  • (As reminded by the first 3 comments below,) turn on the option of Image Search, which is near the middle of the Basics tab.





Saturday, April 13, 2013

Change the value of a std::string in gdb debugging


In gdb stepping, you can change the value of a variable by running:

   (gdb) set myvar=5

to change the variable myvar to 5.

Because std::string is not a primitive data type, it cannot be changed in this way.

The std::string is a class and it has methods that you can call in gdb to change the value of an instance of it. For example, if mystring is an object of std::string, you can do either:

   (gdb) call mystring.assign("new value")

or

   (gdb) call mystring.operator=("new value")

to change the value of mystring into "new value".

Thursday, February 28, 2013

Firefox extension: Show Website Verifier


When you are visiting a secure website, Firefox shows a lock icon on the URI bar. The icon is small and gray. It is somewhat hard to distinguish it from the icon for an insecure website unless you pay particular attention to it.
The Show Website Verifier extension brings some convenience to you:
  • It shows a distinct light blue label beside the lock icon for a verified secure website, letting you easily spot whether a website is safe or not.
  • The label prints who verified the website and issued the certificate. By seeing the verifier, you know whether the website is signed by an established organization or self-signed.
Below is what it looks like when you visit gmail and mozilla addons websites:




If you want to disable the extension, just right click on the toolbar. You will find a menu item Show Website Verifier. Click on it to switch the extension on or off.




Download the Show Website Verifier addon from Mozilla Add-ons website:
   https://addons.mozilla.org/en-US/firefox/addon/show-website-verifier/

Thursday, February 21, 2013

Overflow in datagram type sockets


When using datagram type sockets, packets may not be sent when the sending buffer is full. If the sending buffer is full, the send function fails with the error EAGAIN (usually with an integer value of 11 in Linux). The EAGAIN error message prints "Resource temporarily unavailable".

If packet loss happens, we can use the system function setsockopt() with SO_RCVBUF to increase the receiving buffer. Similarly, if EAGAIN error happens, we can use setsockopt() with SO_SNDBUF to increase the sending buffer.

According to the manpage of socket(7), when you use setsockopt() to set the buffer size, the kernel doubles the value you specify. And getsockopt() will return the doubled value. For example, if you do:
        int new_size = 10240;
        setsockopt(sock, SOL_SOCKET, SO_RCVBUF, &new_size, sizeof(new_size));

getsockopt() will return 20480 as the new buffer size.
 
These function calls cannot increase the buffer size as far as you want. The maximum size is restricted by the system parameters net.core.rmem_max and net.core.wmem_max, the maximums for receiving and sending respectively. You can check the current values of these system parameters by bringing up a console and issuing these commands:
        cat /proc/sys/net/core/rmem_max
        cat /proc/sys/net/core/wmem_max

To increase them, you need admin privileges to run the sysctl command, e.g.
        sysctl -w net.core.rmem_max=256000 
        sysctl -w net.core.wmem_max=256000  

For a datagram-oriented Unix Domain Socket, setting the SO_SNDBUF socket option has an effect, but the SO_RCVBUF option does not (manpage unix(7)). And even if the buffer is big enough, we can still experience the packet overflow problem. That is because there is another limitation in the datagram type Unix Domain Socket: the backlog of packets in the buffer is not unlimited. For example, the default value of the maximum backlog in most Linux systems is set to 10, i.e. only 10 packets can wait in the queue. The commands to check and increase the backlog limit are:
        cat /proc/sys/net/unix/max_dgram_qlen
        sysctl -w net.unix.max_dgram_qlen=128   

And certainly, you need to be an administrative user to change it.

These parameters should be planned carefully to avoid wasting memory. And since these are system parameters, changing them will affect every process and program that uses sockets, not just your program.
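
The limits described in this post can be observed from a small program. The following is an added example, not code from the original post; it assumes Linux, and the helper names set_buf_size and fill_until_refused are made up for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask for a buffer size (opt is SO_RCVBUF or SO_SNDBUF) and return the size
 * the kernel actually applied, or -1 on error. Linux doubles the request, and
 * the request is limited by net.core.rmem_max / net.core.wmem_max. */
int set_buf_size(int sock, int opt, int requested)
{
    int effective = 0;
    socklen_t len = sizeof(effective);
    if (setsockopt(sock, SOL_SOCKET, opt, &requested, sizeof(requested)) < 0)
        return -1;
    if (getsockopt(sock, SOL_SOCKET, opt, &effective, &len) < 0)
        return -1;
    return effective;
}

/* Put the sender in non-blocking mode and send 1-byte datagrams that nobody
 * reads until the kernel refuses one. Returns the number queued (-1 if fcntl
 * fails); *err receives the errno of the refused send, normally EAGAIN. */
int fill_until_refused(int sender, int limit, int *err)
{
    int queued = 0;
    int flags = fcntl(sender, F_GETFL, 0);
    *err = 0;
    if (flags < 0 || fcntl(sender, F_SETFL, flags | O_NONBLOCK) < 0) {
        *err = errno;
        return -1;
    }
    while (queued < limit && send(sender, "x", 1, 0) == 1)
        queued++;
    if (queued < limit)
        *err = errno;
    return queued;
}

int main(void)
{
    int sv[2], err;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    printf("SO_SNDBUF after asking for 10240: %d\n", set_buf_size(sv[0], SO_SNDBUF, 10240));
    int n = fill_until_refused(sv[0], 100000, &err);
    printf("queued %d datagrams, then errno %d\n", n, err);
    close(sv[0]); close(sv[1]);
    return 0;
}
```

The number of datagrams queued before the refusal tracks net.unix.max_dgram_qlen rather than the buffer size, because 1-byte datagrams hit the queue-length limit first.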
  
 