Thursday, September 30, 2010

Double Trouble

You've heard it said: the cardinal rule of Java programming... "Never use a double to hold currency". Ok, well it might not be the cardinal rule, but its pretty important. But every once in a while you think to yourself, "aww... just this once. It won't hurt anything". Let me save you the headache and explain why this is a terrible idea. I'll also show you some alternatives for all your money problems (programmatically speaking, of course).

Everyone knows that we humans use the base 10 numbering system. It makes sense, ten fingers... base 10... viola. But your computer was unfortunately created with only two fingers. For those less familiar with the topic of bases in numbering systems, you can think of it as the 'roll-over' point when you're counting. For base 10 (decimal), counting rolls over after you get to nine. For base 2 (binary), counting rolls over after 1. For example...
00 (0)
01 (1)
10 (2)
11 (3) 

Now, I'm not going to get into the nitty gritty of how your computer stores numbers for each of the common Java data types (browse some wikipedia articles if you're interested). As a general rule, any whole number can be exactly represented using binary notation. Any fractional number is not guaranteed to have an exact representation in binary. Just as 1/3 cannot be precisely represented in decimal format, many fractional numbers also cannot be precisely represented in binary format. Here's a good test to run if you aren't convinced:
System.out.println(
  0.1f + 0.1f + 0.1f + 0.1f + 0.1f + 0.1f + 0.1f + 0.1f
);
//Result: 0.8000001

System.out.println(
  0.1d + 0.1d + 0.1d + 0.1d + 0.1d + 0.1d + 0.1d + 0.1d
);
//Result: 0.7999999999999999
You would expect adding 0.1 eight times would give you exacly 0.8, but the results can sometimes surprise you. You can imagine the havoc this could cause if you are attempting to perform calculations on money stored as Doubles or Floats.

Solution #1:
Only deal with cents. This means multiplying your decimal number by 100 and storing it as a Long. This is a safe operation on currency because, even though your initial decimal value is not exactly represented in binary format, it will be properly rounded by the JVM when converting it to a Long. However, be sure to do this before any other calculations are performed on it. If not, you could will introduce rounding errors.
double amount = 100.01d;
long amountInPennies = (long)(amount * 100);

Solution #2:
Use BigDecimal. This type can safely handle currency represented as dollars and cents because it essentially employs solution #1 for us behind the scenes. It either detects, or you can provide it, the precision that you require. The easiest (and safest) way to construct a BigDecimal is with the String constructor.

BigDecimal num = new BigDecimal("100.01");

It will detect a number with two decimal places (hundredths) and will internally multiply that number by 100, storing the result as a whole number. The BigDecimal class provides methods for all common arithmetic operations you may need to perform. This guarantees that you won't be plagued by the rounding errors and inaccuracies inherent in doubles and floats.

Monday, April 5, 2010

Weblogic and Wildcard SSL Certificates

I've recently been working on setting up an instance of Weblogic 10.3 for a new app I'm working on. This app makes several calls to a web service over SSL that is configured with a wildcard certificate. That means the certificate was issues to *.mydomain.com. This is a slick mechanism; it saves money and is easier to maintain all of your subdomains.



The Problem: Weblogic doesn't handle wildcard certs out of the box.
When weblogic initiates a connection over SSL, it makes a call to the HostnameVerifier. The default verifier simply ensures that the hostname you're connecting to and the name that the certificate was issued for match. So you can see the problem with wildcard certs in this example. The webservice is on ws.mydomain.com and the SSL certificate was issued to *.mydomain.com. If you google this problem, you will probably find lots of 'solutions' that suggest you disable hostname verification, but this leaves you vulnerable to man-in-the-middle attacks.



TheSolution: You might also find a few who would suggest you create your own HostnameVerifier. This is what we want, but I was unable to find any examples that actually show you how to do this! So here I will show you my implementation. Its not perfect, but I think it is certainly more than enough to get you started. DISCLAIMER: Most of the code is in a try/catch block. You'll notice that my code returns true on an error. Most likely, if your site has been compromised, the code will still run without exceptions and it should detect that the hostname and certificate don't match. If this your production system and you're super paranoid, just have the catch block return false.


package com.andrewthompson.weblogic;

import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.net.ssl.SSLSession;

import weblogic.security.SSL.HostnameVerifier;

/**
* Verify the hostname of outbound ssl connections. 
* 
* @author andrew.thompson
*
*/
public class WildcardHostnameVerifier implements HostnameVerifier 
{

public boolean verify(String hostname, SSLSession session)
{
try
{
Certificate cert = session.getPeerCertificates()[0];

byte [] encoded = cert.getEncoded();

CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(encoded);

X509Certificate xcert = (X509Certificate)cf.generateCertificate(bais);

String cn = getCanonicalName( xcert.getSubjectDN().getName() );

log.info("CN: " + cn);
log.info("HOSTNAME: " + hostname);

if(cn.equals(hostname))
return true;

Pattern validHostPattern = Pattern.compile("\\*\\.[^*]*\\.[^*]*");
Matcher validHostMatcher = validHostPattern.matcher(cn);

// Make sure the cert only has wildcard in subdomain.  We don't
//    want to confirm *.*.com now do we?  
if(validHostMatcher.matches())
{
String regexCn = cn.replaceAll("\\*", "(.)*");

log.info("REGEXCN: " + regexCn);

Pattern pattern = Pattern.compile(regexCn);
Matcher matcher = pattern.matcher(hostname);

if(matcher.matches())
{
log.info("Pattern MATCHES");
if(matcher.group().equals(hostname))
{
log.info("Group() matches hostname: " + matcher.group());
return true;
} else {
log.info("Group() doesn't match hostname: " + matcher.group());
return false;
}
} else {
log.info("Pattern DOESN'T MATCH");
return false;
}

}


} catch (Exception e ) {
e.printStackTrace();
return true;
}

return true;
}

/**
* Return just the canonical name from the distinguishedName 
* on the cert.
*  
* @param subjectDN
* @return
*/
private String getCanonicalName(String subjectDN)
{

Pattern pattern = Pattern.compile("CN=([-.*aA-zZ0-9]*)");
Matcher matcher = pattern.matcher(subjectDN);

if(matcher.find())
{
return matcher.group(1);
}

log.info("Couldn't find match for CN in subject");
return subjectDN;

}


private final static Logger log = Logger.getLogger(WildcardHostnameVerifier.class.getCanonicalName());

}


This is simply a matter of implementing the weblogic.security.SSL.HostnameVerifier interface. You will find this class in the weblogic.jar of your server/lib dir.
You'll notice that weblogic provides us with the SSLSession. From here, we can extract the java.security.cert.Certificate. We then use a CertificateFactory to transform this Certificate into an X509 certificate. That allows us to pull some useful information out, such an the Subject Distinguished Name. This is a string of key/value pairs; we are only interested in the Common Name or CN. So, we extract the CN with a regular expression pattern matcher. If the hostname matches the CN, we're done. If not, we check to see if the CN has a wildcard (*). If so, we use another regular expression matcher to see if the hostname matches the CN with any subdomain.



Now, you just need to go into the weblogic console, select the SSL tab on your server. Check 'Custom Hostname Verifier', enter the classname of your verifier, and make sure your class is on weblogic's classpath.

Thursday, December 17, 2009

Access a Remote EJB From a Stand-Alone Client

Here, I will explain how you can access an EJB from outside a j2ee container or server. This could be a simple java-main application, or a unit test. The basic idea behind this process is application server agnostic, but these specific instructions will target Glassfish v2.1.

The Basics

In general, you always gain access to a jndi tree via the javax.naming.InitialContext. The no-arg constructor will by default look for a file on the classpath called 'jndi.properties'. This file specifies an application server-specific InitialContextFactory class, used to initialize the tree. You can also specify options such as the host and port to connect to.

The appserv-rt.jar that ships with glassfish contains a default jndi.properties file with the basic options already configured for you.

Ok, lets actually do something...

Assuming you have an EJB with a @Remote interface running on glassfish on localhost. The registered name in jndi for this ejb is 'my-ear/MyEjb/remote'. Create a new empty maven project. Add the following dependencies to your pom:
(I would recommend using my repository as Sun doesn't provide all the necessary dependencies for this in the core maven repositories.)


com.sun
appserv-rt
2.1


Now create a new class with a 'main' method. Here's an example:
public static void main(String[] args) throws Exception
{
InitialContext ctx = new InitialContext();
MyRemoteInterface service = (MyRemoteInterface)ctx.lookup("my-ear/MyEjb/remote");

Object result = service.getResult("john");

System.out.println(result);
}

You will also need to include MyRemoteInterface into your new project if you haven't already done so. Ok, thats it! Run your application and you should see the result object printed to your console.

Now, lets assume you want to connect to Glassfish on a server other than localhost

Create a new file called 'jndi.properties' and put it in your 'src/main/resources' directory. Add the following to this file:

org.omg.CORBA.ORBInitialHost=myhostname


We've just overriden the default host (provided by sun's jndi.properties') with a host of our own choosing. If you wanted to change the port to connect to:

org.omg.CORBA.ORBInitialHost=myhostname
org.omg.CORBA.ORBInitialPort=3700


Well, that's about it for now.

Wednesday, October 28, 2009

How To Generate DDL Scripts from Hibernate

One of the nice things about using Hibernate in your persistence layer is that it can automatically make updates to your database schema for you. This is nice in development, but oftentimes you need to have the ddl script file. Lucky for us, Hibernate ships with the SchemaExport class. This is what hibernate uses to make updates to your database. I'll show you how we can hijack it and use it for our own purposes as well.

Here we go. As it seems a lot of developers are migrating towards Hibernate annotations and EJB JPA, the following code assumes your classes are configured with annotations. This simple class takes the name of the package where you have your domain objects stored and generates ddl for mysql, oracle and hsql.

package com.jandrewthompson;

import java.io.File;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import org.hibernate.cfg.AnnotationConfiguration;
import org.hibernate.tool.hbm2ddl.SchemaExport;

/**
* @author john.thompson
*
*/
public class SchemaGenerator
{
private AnnotationConfiguration cfg;

public SchemaGenerator(String packageName) throws Exception
{
cfg = new AnnotationConfiguration();
cfg.setProperty("hibernate.hbm2ddl.auto","create");

for(Class<Object> clazz : getClasses(packageName))
{
cfg.addAnnotatedClass(clazz);
}
}

/**
* Method that actually creates the file.
* @param dbDialect to use
*/
private void generate(Dialect dialect)
{
cfg.setProperty("hibernate.dialect", dialect.getDialectClass());

SchemaExport export = new SchemaExport(cfg);
export.setDelimiter(";");
export.setOutputFile("ddl_" + dialect.name().toLowerCase() + ".sql");
export.execute(true, false, false, false);
}

/**
* @param args
*/
public static void main(String[] args) throws Exception
{
SchemaGenerator gen = new SchemaGenerator("org.jthompson.myapp.domain");
gen.generate(Dialect.MYSQL);
gen.generate(Dialect.ORACLE);
gen.generate(Dialect.HSQL);
}

/**
* Utility method used to fetch Class list based on a package name.
* @param packageName (should be the package containing your annotated beans.
*/
private List getClasses(String packageName) throws Exception
{
List classes = new ArrayList();
File directory = null;
try
{
ClassLoader cld = Thread.currentThread().getContextClassLoader();
if (cld == null) {
throw new ClassNotFoundException("Can't get class loader.");
}
String path = packageName.replace('.', '/');
URL resource = cld.getResource(path);
if (resource == null) {
throw new ClassNotFoundException("No resource for " + path);
}
directory = new File(resource.getFile());
} catch (NullPointerException x) {
throw new ClassNotFoundException(packageName + " (" + directory
+ ") does not appear to be a valid package");
}
if (directory.exists()) {
String[] files = directory.list();
for (int i = 0; i < files.length; i++) {
if (files[i].endsWith(".class")) {
// removes the .class extension
classes.add(Class.forName(packageName + '.'
+ files[i].substring(0, files[i].length() - 6)));
}
}
} else {
throw new ClassNotFoundException(packageName
+ " is not a valid package");
}

return classes;
}

/**
* Holds the classnames of hibernate dialects for easy reference.
*/
private static enum Dialect
{
ORACLE("org.hibernate.dialect.Oracle10gDialect"),
MYSQL("org.hibernate.dialect.MySQLDialect"),
HSQL("org.hibernate.dialect.HSQLDialect");

private String dialectClass;
private Dialect(String dialectClass)
{
this.dialectClass = dialectClass;
}
public String getDialectClass()
{
return dialectClass;
}
}
}


It should be pretty easy to modify this code to suit your needs. If you are using hibernate xml configuration, just swap out the AnnotationConfiguration class for org.hibernate.cfg.Configuration.

Thursday, October 22, 2009

Event Driven Programming with Java - Monsoon

I've recently been involved on an Adobe Flex project at work. One of the things that I've really come to enjoy about Flex is its powerful event framework. For instance, component A can say that it throws an OnSave event. Component B says it listens for OnSave events. Neither component has to know anything about each other, but when component A throws the event, B will automatically handle it.

If you've been around Java for any length of time, you may have done some AWT or Swing development. Here, we have a similar concept of events, but each listener has to register itself with whatever object might throw that event. In the end, you end up with a tightly coupled web of connections and dependencies that, if not managed correctly, can quickly become a nightmare to maintain.

Enter Monsoon. I know that there are other event frameworks available, but could not find any that did exactly what I wanted (granted I didn't search that hard). I also thought this would be an interesting challenge. The idea is that all of the event plumbing is handled automatically via Java 1.5 Annotations. An 'event' in this system can be any java object (POJO). Methods that dispatch and listen for events both have the @Event annotation. The return object from a dispatch method is used as the method parameter of the listening method. For Example:

@Event(name="saveUser", type=EventType.DISPATCHER)
public User save()
{
  return user;
}

@Event(name="saveUser", type=EventType.LISTENER)
public void onSave(User user)
{
  //do something with user
}


If you're using Spring, configuration is trivial. Just include an 'EventBeanPostProcessor' bean in your spring config.

<bean class="org.jthompson.monsoon.spring.EventBeanPostProcessor">
  <property name="managedBeanNames">
    <list>
      <value>dispatcher</value>
      <value>listener</value>
    </list>
  </property>
</bean>


Otherwise, you'll need to use the included ObjectFactory to generate your objects if you aren't using spring.


Dispatcher dispatcher = (Dispatcher)factory.generateProxy(new Dispatcher());


Monsoon will automatically discover the connections between dispatchers and listeners for you. If you register three object that listen for a particular event, they will all be triggered automatically.

This is still in an early phase of development and there is a lot of work yet to do. However, if you find it useful or interesing in the least please let me know!

You can get the latest version of Monsoon via maven here:
http://monsoon-events.googlecode.com/svn/trunk/repo

You can also browse the source code at my googlecode page:
http://code.google.com/p/monsoon-events/

Wednesday, October 21, 2009

Alyssa's Bed

I've recently started working on my latest project; a toddler bed for our little girl. I didn't really want to spend a ton of money on a plastic/toy like bed that would only last a short time. Plus, I thought it would be nice to have an heirloom piece that might get passed down through the family.



I usually start out a new design on graph paper the old fasioned way. You know, with a pencil, ruler, t-square and compass. I'll then transfer any curves and such that I may need to full-scale cardboard templates. This time I decided to use CAD software to help with the design. I discovered that I can print full-scale patterns on my printer in sections, then tape then together. Man, that was easy! I'll post the files here later if anyone is interested.

As of now, I've got my plans and my cut list complete. I also rough sketched out each part on the lumber I plan to use to make the most efficient use of the stock (maple). Pics coming soon...

alyssa's bed.pdf
alyssa's bed.dwg

Monday, September 7, 2009

VW's Do Float

How do I know this? Unfortunately... personal experience. My daily driver is a 1967 Volkswagen Beetle. Driving home from work, I ran into some flash flooding. Needless to say, I wound up drifting across an intersection in about a foot and a half of water. I was pretty lucky that there was no major damage done. I did suffer from a squeaky starter bushing for a while; easily fixable with a dab of wheel bearing grease.

I did however have about 3 inches of water on my new floor pans. When I welded them in last summer, I sealed them with 3M Fast-N-Firm seam sealer. I now realize that was a mistake. The stuff gets real brittle and doesn't seal worth a darn. I chipped away the old sealant and used TigerSeal. This is some really nice stuff. It goes on easy, is polyurethane based, and is very flexible. I'll definitely be using more of this stuff in the future