Australian Citizenship – At last!

It was just a day… Like any other day… I was coming back from work as usual, taking 6:02pm train from Flinders train station in Melbourne CBD.

When I reached home, i checked my mail box and saw that I have received a letter. I did not know what it was. I thought “eeh.. another bill”, but… it was not a bill.

It was a letter from Australian Department of Immigration saying that my citizenship application was approved!!!!!

Woooooo Hoooooooo!!!!! :D

Java and Those Frameworks

I came across an interesting article that discusses today’s application developers making extensive use of different frameworks in their applications.

This is the writer’s opinion:

…Todays projects are over bloated from the use of frameworks that dont really produce a real benefit. Developers spend around 75% of their time just on set up and configuration…

The question I would like to ask you dear readers:
Do todays application developers really exaggerate the use of frameworks?

I think it would be a difficult question to answer. First some clarification is needed – what is exaggeration really? The number of frameworks used or the reduced performance as a result of use of these framework? Or the amount of time developer spends on installation and configuration?

I think first as a developer, one must understand the pros and cons of the framework, and how will it affect the performance of the application to be designed. The developer must have clear idea about what is he trying to achieve by using a particular framework in his application, and whether the framework is going to give him the desired result.

As a developer, when designing an application, one may ask questions which framework should be used depending on application’s requirements. Often the will not be just one framework choice, but several frameworks.

Of course not every developer may face the same situation mentioned above. Proprietary developers rely on leading market software vendors to provide the necessary solutions in one big product bundle.

One has to take several things into account such as future enhancements and possible requirements changes by the client. Using several frameworks to support an application may be look exaggerated at start, but on the long run it may turn out as a better decision. The time spent at the start on initial framework configuration will be paid off during further implementation and maintenance.

In conclusion, I think the ability to know which framework to put for use and when, can come only with experience.

Substance and Flamingo

Today, I came across these two projects today: one called Substance (Java look & feel) and the other called Flamingo (UI components). These projects designed and maintained by Kirill Grouchnikov.

You can read Kirill’s blog, he talks about the latest releases. Also, there are few examples available. For example you can check out this Substance features example.

I was quite impressed – looks damn nice.

US Elections

Barack Obama has won the election. It makes me kind of happy – I was hoping for either Obama or Hilary (when she was still in the race) to win. Why?

Honestly speaking I do not show much interest in US politics. Having said that, I was interested to see first African-American president or first woman president. Only 50 years ago, US was dealing with race issues, and now they have their first African-American president.

Its a new chapter in US history, they have really come a long way.

Are You Right or Left Brained?

I found this picture on one of the blogs. If you look at the dancing girl and you see her spinning clockwise, then you are using your right side of your brain. If you see her spinning counter clockwise, then you are using your left side of your brain.

Dancing girl - are you using more your left side brain or your right side brain?

Dancing girl - are you using more your left side brain or your right side brain?

The link that I mentioned previously to the post where I got the image from, also has a table that explains what left and right brain sides are responsible for.

It took me couple of minutes to train my self to see her spinning in different directions. What I do is, I look at the reflection of her foot, and then I can easily “make” the girl to spin in another direction within seconds. Interesting :)

How about you?

Drools – Tutorial on Writing DSL Template

Few months ago I wrote a post that describes an example that uses source DRL in conjunction with DSL template. In the current post, I want to describe and show with few examples how to write DSL template – whats allowed and whats not.

Now, having said that, I want to say that I am not planning to repeat the whole JBoss Rules manual – the Drools team done a great job. I just want to share from my personal experience, what I have come across while working with Drools when writing DSLs.

There are few upcoming changes coming in the future release of Drools (version 5) in terms of DSL. For example DSL will become more powerful in terms of regular expressions – it will be possible to include regexp in the DSL tokens. Edson Tirelli posted an article written by Matt Geis on Drools Blog, that talks about it and gives few examples.

Since I am working with Drools 4.0.7 these days, I will describe in the current post how to write DSLs for Drools 4.0.7.

Within a scope of Drools, DSL’s job to map (expand) DRL expressions written in natural language into underlying programming code.

When writing DSL there several basic DO’s and DONT’s you should be aware of:

  1. Don’t put closing semi-column at the end of DSL expression line:
    [when]Message status is {1} = m : Message(status == {1});
  2. Avoid different token names on the left hand side (before the “=”) and right hand side (after the “=”) of the DSL expansion:
    [when]Message status is {3} = m:Message(status == {1})
    [then]Log “{message}” = System.out.println(“{bobo}”);
  3. DSL expansion should be on one line. You can even have several expressions on the same line, but you cannot break the line. By putting expression on a new line will cause an exception during parsing:
    [when]Message id is {id} = m:Message(id == {id})
    [then]LogUpdate “{2}” = System.out.println(“{2}”);
    update(m);
    [when]Message status is {s} = m:Message(status == {s})
    [then]Log “{2}” =
    System.out.println(“{2}”);
  4. Avoid having DSLs with the same name. It can create a confusion. Remember that DSL is parsed from top to bottom, so when two DSLs with the same name exist, the top one will apply during expansion since it will be matched first:
    [then]SetStatus {s} = System.out.println({s});
    [then]SetStatus {s} = m.setStatus({s});
  5. If token has quotes on the left hand side of the DSL, then the token must have quotes on the right hand side of the DSL:
    [then]SetMessage {msg} = m.setStatus({msg});
  6. There is no room for typos:rule “set-hello”
    when
    True
    then
    SetMessage “Hello”
    end[then]SetMessag “{msg}” = m.setStatus(“{msg}”);
  7. Token names can be literal or numeric characters, or both:
    [then]Print1 “{1}” = System.out.println(“{1}”);
    [then]Print2 “{msg}” = System.out.println(“{msg}”);
    [then]Print3 “{23msg}” = System.out.println(“{23msg}”);
  8. If token on the left hand side has no quotes, and expression/function on the right hand side can accept parameter of type String, then the token can be placed between quotes on the right hand side:
    [then]PrintInteger {1} = System.out.println({1});
    [then]PrintInteger2 {1} = printingFunction({1});
  9. If you want to use declared variable in right hand side, make sure it is declared on the left hand side of the rule. Remember, DSL template is ONLY a template, it is a not a place to declare variables, declaration occurs only in DRL, DSL contains the expansion. Keep in mind that declaration and usage of the variable is per-rule basis:rule “set-hello”
    when
    Message
    then
    SetMessage “Hello”
    end[when]Message = m : Message() //declare and initialize ‘m’
    [then]SetMessage “{msg}” = m.setStatus(“{msg}”);
  10. White spaces before the “=” and after are allowed when writing a DSL line:
    [then]SetMessage “{msg}” = m.setStatus(“{msg}”);
  11. If you are using a function in the right hand side of the DSL of the expansion, then make sure you provide necessary imports in DRL source for all the objects the function is using. For example if your function gets a proxy to a JMS Queue from JBoss, then you have to include imports for all the objects associated with this operation, like you normally would do it in normal Java class. Also the function itself must be present in source DRL.
  12. Left hand side of the rule, can evaluate boolean function instead of expression:rule “CheeseType”
    when
    Cheese is of type “silton”
    then
    DoSomething
    endfunction boolean someEvaluatingFunction(Cheese cheese,String type) {
    if (cheese.getType().equals(type)) return true;
    else return false;
    }

    [when]Cheese is of type “{1}” = chz:Cheese() eval(someEvaluatingFunction(chz, “{1}”))
    [then]DoSomething = System.out.println(“Something”);

If you interested in additional examples of the DRL+DSL, you can have a look at another short example that I wrote sometime ago. Also, please dont forget to have a look at the JBoss Rules manual that i mentioned earlier.

Cheers

Brainteaser: Broken Comparator

Question: The following program returns result “1″, which indicates that first Integer value is greater than the second, why?

import java.util.*;

public class Example  {

   public static void main(String[] args)  {
      System.out.println("Result: " +
	   naturalOrder.compare(new Integer(90),
				new Integer(90)));
   }

private static Comparator<Integer> naturalOrder =
				new Comparator<Integer>()  {
   public int compare(Integer first, Integer second)  {
	return first < second ? -1 : (first == second ? 0 :1);
   }
  };
}

Please note:
In this case, comparator for natural order on Integer is written for example only, and in practice there is no need to write it.

Looking forward for your answers dear readers

Resources:
Effective Java

Hack any Java class using reflection attack

Have you ever thought how secure your application is? Well reflection attack can demonstrate how vulnerable Java classes are. In this post, I will try to apply reflection attack on a simple Java class to demonstrate vulnerabilities and what can be done to prevent it (in most cases).

Consider a POJO class:

public final class VictimClass  {

	private String password = "default_password";
	private static final int USER_ID = 3452678;
	private String privateFiled = "default_value";

	/**
	 * Private constructor that should
	 * not be invoked
	 */
	private VictimClass()  {
		System.out.println("Oops... " +
		"This private constructor was not " +
			" suppose to be invoked");
	}

	/**
	 * Private accessor
	 */
	private String getPassword()  {
		return password;
	}

	 /**
	 * Private mutator
	 */
	private void setPassword(String password)  {
		this.password = password;
	}

	 /**
	 * Private static method
	 */
	private static int getUsersId()  {
		return USER_ID;
	}
}

The POJO contains private constructor and several private methods and fields, which I will attempt to invoke and modify using reflection attack.

Now, I cannot say that reflection attacks are possible due to a Java bug. No, its simply how Java classes were designed. The core reflection facility was originally designed for component based application builder tools.

In java.lang.reflect, Constructor, Method and Field extend from parent AccessibleObject class. These objects provide access to the class’s methods and fields. By calling inherited parent method setAccessible(), private variables and methods including private constructors become accessible.

My tester class:

import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.lang.ClassNotFoundException;
import java.lang.InstantiationException;
import java.lang.IllegalAccessException;
import java.lang.reflect.InvocationTargetException;
import java.lang.NoSuchMethodException;

public class Tester  {

   private static String CLASS_NAME = "VictimClass";
   private static Class victimClass = null;
   private static Object victimClassObj = null;

   public static void main(String[] args)  {
	victimClass = loadClass(victimClass, CLASS_NAME);
	printClassStructure();
	attack();
   }

    private static Class loadClass(Class clazzor, String className)  {
 	Thread thread = Thread.currentThread();
	ClassLoader classLoader =
			thread.getContextClassLoader();

	try {
		clazzor = Class.forName(className, true, classLoader);
	}
	catch (ClassNotFoundException e) {
		System.err.println("Error: could not find class: "
			+ CLASS_NAME);
	}

	return clazzor;
   }

   private static void printClassStructure()  {

	Constructor[] constructors =
			victimClass.getDeclaredConstructors();
	for (Constructor c : constructors) {
		int modifier = c.getModifiers();
		System.out.println("Declared constructor name: " +
			c.getName() + "ntis accessible: " +
			c.isAccessible() + "ntis private: " +
			Modifier.isPrivate(modifier) + "n");
	}

	Method[] methods = victimClass.getDeclaredMethods();
	for (Method m : methods) {
		int modifier = m.getModifiers();
		System.out.println("Declared method name: " + m.getName() +
			"ntis accessible: " +
			m.isAccessible() +
			 "ntis private: " +
			Modifier.isPrivate(modifier) +
			 "ntis static: " +
			Modifier.isStatic(modifier) + "n");
	}

	Field[] fields = victimClass.getDeclaredFields();
	for (Field f : fields) {
		int modifier = f.getModifiers();
		System.out.println("Declared field name: " + f.getName() +
			"ntis accessible: " +
			f.isAccessible() +
			 "ntis private: " +
			Modifier.isPrivate(modifier) +
			 "ntis static: " +
			Modifier.isStatic(modifier) +
			 "ntis final: " +
			Modifier.isFinal(modifier) + "n");
	}
   }

   private static void attack()  {

     Field[] fields = victimClass.getDeclaredFields();
     Method[] methods = victimClass.getDeclaredMethods();
     Constructor[] constructors =
		victimClass.getDeclaredConstructors();
   //make constructor accessible
   constructors[0].setAccessible(true);

   System.err.println("Initiating reflection attack:");
   try {
   //create new object by invoking private constructor
   victimClassObj = constructors[0].newInstance(new Object[] {});

   //make static method accessible and get its value
   //please note: when invoking static method,
   //object represented by this Method is null
   methods[2].setAccessible(true);
   Object o = methods[2].invoke(null, new Object[] {});
   System.out.println("Got user ID from private static accessor: "
		 + o.toString());

   //make method accessible and get its value
   methods[0].setAccessible(true);
   o = methods[0].invoke(victimClassObj, new Object[] {});
   System.out.println("Got original password from private accessor: "
	+ o.toString());

   //make method accessible and set to it new value
   methods[1].setAccessible(true);
   System.out.println("Injecting new password using private mutator");
   methods[1].invoke(victimClassObj, new Object[] {"injected_password"});

   //get method's its new value
   o = methods[0].invoke(victimClassObj, new Object[] {});
   System.out.println("Got injected password from private accessor: "
	 + o.toString());

   //make field accessible and get its value
   fields[2].setAccessible(true);
   o = fields[2].get(victimClassObj);
   System.out.println("Got private field: " + o);

   //make field accessible and set to it new value
   System.out.println("Injecting value to a private field:");
   fields[2].set(victimClassObj, "new_default_value");

   //get field's its new value
   o = fields[2].get(victimClassObj);
   System.out.println("Got updated private field: " + o);

   //make field accessible and get its value
   fields[1].setAccessible(true);
   o = fields[1].get(victimClassObj);
   System.out.println("Got private static field: " + o);

   //make field accessible and set to it new value
   System.out.println("Injecting value to a private static final field:");
   fields[1].set(null, new Integer(2));

   //get field's its new value
   o = fields[1].get(victimClassObj);
   System.out.println("Got updated private static final field: " + o);

   }
   catch (InstantiationException e) {
	System.err.println("Error: could not instantiate: " + e);
   }

   catch (IllegalAccessException e) {
	System.err.println("Error: could not access: " + e);
   }

   catch (InvocationTargetException e) {
	System.err.println("Error: could not invoke the target: " + e);
   }
  }
}

The call to setAccessible() can be restricted if SecurityManager is set, then any attempt to call the method above will result in exception. If required, it is possible to grant permission java.reflect.ReflectPermission “suppressAccessChecks” using external java.policy file or by applying security policy programmatically. This permission will allow invocation of setAccessible(). My other post How to set SecurityManager and Java security policy programmatically explains how this can be achieved. Please note: by doing so, you can allow malicious access to your classes.

This is what happens when program executes:
I am using reflection, to get a print out of declared constructors, methods and fields. Following that, I am invoking private static and non-static method and attempting to change the value of private declared fields.

The program produces the following output:

Declared constructor name: VictimClass
        is accessible: false
        is private: true

Declared method name: setPassword
        is accessible: false
        is private: true
        is static: false

Declared method name: getUsersId
        is accessible: false
        is private: true
        is static: true

Declared method name: getPassword
        is accessible: false
        is private: true
        is static: false

Declared field name: password
        is accessible: false
        is private: true
        is static: false
        is final: false

Declared field name: USER_ID
        is accessible: false
        is private: true
        is static: true
        is final: true

Declared field name: privateFiled
        is accessible: false
        is private: true
        is static: false
        is final: false

Initiating reflection attack:
Oops... This private constructor was not  suppose to be invoked
Got user ID from private static accessor: 3452678
Got original password from private accessor: default_password
Injecting new password using private mutator
Got injected password from private accessor: injected_password
Got private field: default_value
Injecting value to a private field:
Got updated private field: new_default_value
Got private static field: 3452678
Injecting value to a private static final field:
Error: could not access: java.lang.IllegalAccessException: Field is final

As output shows above, it is not possible to set a value to the filed that is final. Therefore, it would be good idea to make fields final whenever possible. As it was shown before, it prevents reflection attack (when trying to set a new value), plus to that its good for performance optimization (memory allocation).

So what we got so far? When we have a POJO, it is possible to invoke private constructor, private static and non-static methods and change the value of private fields.

Enumerators on other hand do not allow invocation of their private constructors. An attempt to do so will result in IllegalArgumentException exception: “Cannot reflectively create enum objects”. Enums are safe against invocation of private constructors through reflection attacks.

Since enum object instances cannot be created through reflection, private non-static methods cannot be invoked. Having said that, it is still possible to invoke private static methods on enum using reflection, like on any other Java class.

Update: private non-static methods can be invoked on enum class, please refer to comments.

In conclusion, number of steps can be taken, in case someone really wants to prevent reflection attack on non-enum Java classes:

  1. Make fields final whenever possible
  2. Private constructor can throw an exception if there will be an attempt to invoke it.
  3. Applying security policy without ReflectPermission and setting security manager

I hope that I was descriptive enough here, I will appreciate your comments here.

The source code for this post was tested in my Eclipse and is attached.

Cheers

How to Set SecurityManager and Java Security Policy Programmatically

In this example I want to show how to use SecurityManager to prevent unauthorized access to private members of a Java class, for example using reflection to invoke private constructor. Besides that I also want to show how Java security policy can be set programmatically with permission allowing to invoke private constructor through reflection when security manager is in place.

Consider a POJO:

public final class VictimClass  {
	/**
	 * Private constructor that should
	 * not be invoked
	 */
	private VictimClass()  {
	   System.out.println("Instance created");
           System.out.println(
               "Constructor was made accessible");
	}
}

I want to prevent invocation of private constructor, by setting security manager. After first invocation attempt, I do want to invoke private constructor by granting required permission by refreshing current security policy.

This is my tester class:

import java.lang.reflect.Constructor;
import java.lang.ClassNotFoundException;
import java.lang.InstantiationException;
import java.lang.IllegalAccessException;
import java.lang.reflect.InvocationTargetException;
import java.lang.NoSuchMethodException;
import java.security.AccessControlException;
import java.lang.reflect.ReflectPermission;
import java.security.SecurityPermission;

public class Tester  {

	private static String CLASS_NAME = "VictimClass";
	private static Class victimClass = null;

	public static void main(String[] args)  {

	loadClass(victimClass, CLASS_NAME);

	//apply default policy with one permission
	System.setProperty("java.security.policy","default.policy");

	try {
	  //Setting security manager
	  SecurityManager sm = new SecurityManager();
	  System.setSecurityManager(sm);
	} catch (SecurityException e) {
	  System.err.println("Error: could not set security manager: " + e);
	}

	//first attempt to make constructor accessible
	try  {
	  makeConstructorAccessible();
	}
	catch (AccessControlException e) {
	  System.err.println(
		"Could not made constructor accessible: " + e.getMessage());
	}

	System.out.println("Applying ReflectPermission programmatically...");
	SecurityPolicy.getPolicy().addPermission(
		new ReflectPermission("suppressAccessChecks"));
	SecurityPolicy.getPolicy().addPermission(
		new SecurityPermission("setPolicy"));
	SecurityPolicy.getPolicy().refresh();
	makeConstructorAccessible();
	}

private static void loadClass(Class clazzor, String className)  {
	Thread thread = Thread.currentThread();
	ClassLoader classLoader =
				thread.getContextClassLoader();

	try {
	 victimClass = Class.forName(className, true, classLoader);
	}
	catch (ClassNotFoundException e) {
	 System.err.println("Error: could not find class: "
			+ CLASS_NAME);
	}
}

private static void makeConstructorAccessible()  {
	Constructor[] constructors =
			victimClass.getDeclaredConstructors();
	//make constructor accessible
	constructors[0].setAccessible(true);

   try {
	System.out.println(
	"Creating new instance by invoking private constructor");
	constructors[0].newInstance(new Object[] {});
   }
	catch (InstantiationException e) {
	  System.err.println("Error: could not instantiate: " + e);
	}
	catch (IllegalAccessException e) {
	  System.err.println("Error: could not access: " + e);
	}
	catch (InvocationTargetException e) {
	  System.err.println("Error: could not invoke the target: " + e);
	}
  }
}

This is what happens when program executes:

Before setting SecurityManager, I am applying default security policy from external file with security permission “setPolicy”, that will allow me to reset new security policy in the future.

My default security policy:

grant {
	permission java.security.SecurityPermission "setPolicy";
};

When SecurityManager is set, it restricts everything except whats permitted by security policy that was set previously. You can view list of Java permissions that can be set here.

By default, the private constructors,methods and fields are inaccessible. So if you want to use reflection, and invoke private constructor of this POJO, it will result in
IllegalAccessException since the constructor above has private modifier.

This restriction can be bypassed by calling parent method setAccessible(). To remind: java.lang.reflect.Constructor, java.lang.reflect.Method and java.lang.reflect.Field extend from parent java.lang.reflect.AccessibleObject class.

By calling inherited parent method setAccessible(), private variables and methods including private constructors become accessible.

With SecurityManager set, an attempt to invoke setAccessible() will result in AccessControlException. Following that, I am granting required ReflectPermission suppressAccessChecks by applying my own security policy. This will allow me to invoke private constructor in my POJO.

Now, having said that, I have to say that granting ReflectPermission with action suppressAccessChecks can be extremely dangerous as it allows private constructors to become accessible, as the example above shows. Not only constructors, but inaccessible fields and methods can become accessible, which can allow room for reflection attacks. In my other post Hack any Java class using reflection attack I explain how this can be achieved.

When I am applying my own security policy, please note that I am granting again security permission “setPolicy”. Because I am reseting default policy set previously, I have to grant “setPolicy” permission again if I want to keep applying new security policies in the future at run time of this program.

Below is my own implementation of java.security.Policy class, I tried to put enough comments to make things straight forward to you readers:

import java.security.Policy;
import java.security.CodeSource;
import java.lang.reflect.ReflectPermission;
import java.security.SecurityPermission;
import java.security.*;
import java.lang.RuntimePermission;
import java.util.*;

public class SecurityPolicy extends Policy {

	private PermissionCollection perms = null;

    //lazy initialization class holder
    private static class SecurityPolicyHolder {
	private static final SecurityPolicy policy = new SecurityPolicy();
    }

    private SecurityPolicy() {
	perms = new Permissions();
    }

    public static SecurityPolicy getPolicy() {
	return SecurityPolicyHolder.policy;
    }

    public PermissionCollection getPermissions(CodeSource codesource) {
        return perms;
    }

    //invoked when new Permission is added to the current security Policy
	public boolean implies(ProtectionDomain domain, Permission permission)  {

	//get permission collection from the domain
	PermissionCollection domainPermissions = domain.getPermissions();

	//get enumeration of permission elements
	Enumeration<Permission> permissions = domainPermissions.elements();

	//convert to array list (dont have to, i just dont like enumerations)
	ArrayList<Permission> list = Collections.list(permissions);

	//Checks to see if the specified permission is
	//implied (subset of) by the collection of
	//Permission objects held in this PermissionCollection
	if (!domainPermissions.implies(permission)) {

		//permission collection in the domain is read-only,
		//Exception will be thrown if Permission object
		//is added to read-only collection
		if (domainPermissions.isReadOnly()) {

			//Because collection is read-only,
			//add Permission objects to the local
			//permission collection instead
			for (Permission p :list) {
				if (!perms.implies(p)) {
				   perms.add(p);
				}
			}

			//assign local permission collection as a
			//domain permission collection
			domainPermissions = perms;
		}
		else {
			//if domain permission collection is not read only,
			//just add new permission to it
		  domainPermissions.add(permission);
		}

		//check if now domain has the new Permission
		return domainPermissions.implies(permission);
	}

		return false;
	}

	public void addPermission(Permission permission)  {
        perms.add(permission);
	}
        //you can write your own implementation
	//of refresh method
        @Override
	public void refresh() {
         Policy.setPolicy(this);
	}
}

The following shows program output. Please not that first attempt to make private constructor accessible resulted in exception. After required permission was granted, new object instance was succesfully created through reflection:

Could not made constructor accessible:
access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
Applying ReflectPermission programmatically...
Creating new instance by invoking private constructor
Constructor was made accessible
Instance created

Please note:
I did test this code. But I am not sure whether my SecuriyPolicy class implemented efficiently. The source code for this post is attached.

set java security policy sourcecode

Brainteaser: ArrayList VS TreeSet

When I came across the following example I did not expect the results that the program has printed :) hehe…

Question: What does this program print? Why?

import java.util.*;

public class SetList {

    public static void main(String[] args) {

    Set<Integer> set =
    			new TreeSet<Integer>();
    List<Integer> list =
    			new ArrayList<Integer>();

    for (int i = -3; i < 3; i++) {
        set.add(i);
        list.add(i);
    }

    for (int i = 0; i < 3; i++) {
        set.remove(i);
        list.remove(i);
    }

     System.out.println(set + " " + list);
   }
}

Looking forward for your answers dear readers

Resources:
Effective Java