Drools – Tutorial on Writing DSL Template

Few months ago I wrote a post that describes an example that uses source DRL in conjunction with DSL template. In the current post, I want to describe and show with few examples how to write DSL template – whats allowed and whats not.

Now, having said that, I want to say that I am not planning to repeat the whole JBoss Rules manual – the Drools team done a great job. I just want to share from my personal experience, what I have come across while working with Drools when writing DSLs.

There are few upcoming changes coming in the future release of Drools (version 5) in terms of DSL. For example DSL will become more powerful in terms of regular expressions – it will be possible to include regexp in the DSL tokens. Edson Tirelli posted an article written by Matt Geis on Drools Blog, that talks about it and gives few examples.

Since I am working with Drools 4.0.7 these days, I will describe in the current post how to write DSLs for Drools 4.0.7.

Within a scope of Drools, DSL’s job to map (expand) DRL expressions written in natural language into underlying programming code.

When writing DSL there several basic DO’s and DONT’s you should be aware of:

  1. Don’t put closing semi-column at the end of DSL expression line:
    [when]Message status is {1} = m : Message(status == {1});
  2. Avoid different token names on the left hand side (before the “=”) and right hand side (after the “=”) of the DSL expansion:
    [when]Message status is {3} = m:Message(status == {1})
    [then]Log “{message}” = System.out.println(“{bobo}”);
  3. DSL expansion should be on one line. You can even have several expressions on the same line, but you cannot break the line. By putting expression on a new line will cause an exception during parsing:
    [when]Message id is {id} = m:Message(id == {id})
    [then]LogUpdate “{2}” = System.out.println(“{2}”);
    update(m);
    [when]Message status is {s} = m:Message(status == {s})
    [then]Log “{2}” =
    System.out.println(“{2}”);
  4. Avoid having DSLs with the same name. It can create a confusion. Remember that DSL is parsed from top to bottom, so when two DSLs with the same name exist, the top one will apply during expansion since it will be matched first:
    [then]SetStatus {s} = System.out.println({s});
    [then]SetStatus {s} = m.setStatus({s});
  5. If token has quotes on the left hand side of the DSL, then the token must have quotes on the right hand side of the DSL:
    [then]SetMessage {msg} = m.setStatus({msg});
  6. There is no room for typos:rule “set-hello”
    when
    True
    then
    SetMessage “Hello”
    end[then]SetMessag “{msg}” = m.setStatus(“{msg}”);
  7. Token names can be literal or numeric characters, or both:
    [then]Print1 “{1}” = System.out.println(“{1}”);
    [then]Print2 “{msg}” = System.out.println(“{msg}”);
    [then]Print3 “{23msg}” = System.out.println(“{23msg}”);
  8. If token on the left hand side has no quotes, and expression/function on the right hand side can accept parameter of type String, then the token can be placed between quotes on the right hand side:
    [then]PrintInteger {1} = System.out.println({1});
    [then]PrintInteger2 {1} = printingFunction({1});
  9. If you want to use declared variable in right hand side, make sure it is declared on the left hand side of the rule. Remember, DSL template is ONLY a template, it is a not a place to declare variables, declaration occurs only in DRL, DSL contains the expansion. Keep in mind that declaration and usage of the variable is per-rule basis:rule “set-hello”
    when
    Message
    then
    SetMessage “Hello”
    end[when]Message = m : Message() //declare and initialize ‘m’
    [then]SetMessage “{msg}” = m.setStatus(“{msg}”);
  10. White spaces before the “=” and after are allowed when writing a DSL line:
    [then]SetMessage “{msg}” = m.setStatus(“{msg}”);
  11. If you are using a function in the right hand side of the DSL of the expansion, then make sure you provide necessary imports in DRL source for all the objects the function is using. For example if your function gets a proxy to a JMS Queue from JBoss, then you have to include imports for all the objects associated with this operation, like you normally would do it in normal Java class. Also the function itself must be present in source DRL.
  12. Left hand side of the rule, can evaluate boolean function instead of expression:rule “CheeseType”
    when
    Cheese is of type “silton”
    then
    DoSomething
    endfunction boolean someEvaluatingFunction(Cheese cheese,String type) {
    if (cheese.getType().equals(type)) return true;
    else return false;
    }

    [when]Cheese is of type “{1}” = chz:Cheese() eval(someEvaluatingFunction(chz, “{1}”))
    [then]DoSomething = System.out.println(“Something”);

If you interested in additional examples of the DRL+DSL, you can have a look at another short example that I wrote sometime ago. Also, please dont forget to have a look at the JBoss Rules manual that i mentioned earlier.

Cheers

Brainteaser: Broken Comparator

Question: The following program returns result “1″, which indicates that first Integer value is greater than the second, why?

import java.util.*;

public class Example  {

   public static void main(String[] args)  {
      System.out.println("Result: " +
	   naturalOrder.compare(new Integer(90),
				new Integer(90)));
   }

private static Comparator<Integer> naturalOrder =
				new Comparator<Integer>()  {
   public int compare(Integer first, Integer second)  {
	return first < second ? -1 : (first == second ? 0 :1);
   }
  };
}

Please note:
In this case, comparator for natural order on Integer is written for example only, and in practice there is no need to write it.

Looking forward for your answers dear readers

Resources:
Effective Java

Hack any Java class using reflection attack

Have you ever thought how secure your application is? Well reflection attack can demonstrate how vulnerable Java classes are. In this post, I will try to apply reflection attack on a simple Java class to demonstrate vulnerabilities and what can be done to prevent it (in most cases).

Consider a POJO class:

public final class VictimClass  {

	private String password = "default_password";
	private static final int USER_ID = 3452678;
	private String privateFiled = "default_value";

	/**
	 * Private constructor that should
	 * not be invoked
	 */
	private VictimClass()  {
		System.out.println("Oops... " +
		"This private constructor was not " +
			" suppose to be invoked");
	}

	/**
	 * Private accessor
	 */
	private String getPassword()  {
		return password;
	}

	 /**
	 * Private mutator
	 */
	private void setPassword(String password)  {
		this.password = password;
	}

	 /**
	 * Private static method
	 */
	private static int getUsersId()  {
		return USER_ID;
	}
}

The POJO contains private constructor and several private methods and fields, which I will attempt to invoke and modify using reflection attack.

Now, I cannot say that reflection attacks are possible due to a Java bug. No, its simply how Java classes were designed. The core reflection facility was originally designed for component based application builder tools.

In java.lang.reflect, Constructor, Method and Field extend from parent AccessibleObject class. These objects provide access to the class’s methods and fields. By calling inherited parent method setAccessible(), private variables and methods including private constructors become accessible.

My tester class:

import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.lang.ClassNotFoundException;
import java.lang.InstantiationException;
import java.lang.IllegalAccessException;
import java.lang.reflect.InvocationTargetException;
import java.lang.NoSuchMethodException;

public class Tester  {

   private static String CLASS_NAME = "VictimClass";
   private static Class victimClass = null;
   private static Object victimClassObj = null;

   public static void main(String[] args)  {
	victimClass = loadClass(victimClass, CLASS_NAME);
	printClassStructure();
	attack();
   }

    private static Class loadClass(Class clazzor, String className)  {
 	Thread thread = Thread.currentThread();
	ClassLoader classLoader =
			thread.getContextClassLoader();

	try {
		clazzor = Class.forName(className, true, classLoader);
	}
	catch (ClassNotFoundException e) {
		System.err.println("Error: could not find class: "
			+ CLASS_NAME);
	}

	return clazzor;
   }

   private static void printClassStructure()  {

	Constructor[] constructors =
			victimClass.getDeclaredConstructors();
	for (Constructor c : constructors) {
		int modifier = c.getModifiers();
		System.out.println("Declared constructor name: " +
			c.getName() + "ntis accessible: " +
			c.isAccessible() + "ntis private: " +
			Modifier.isPrivate(modifier) + "n");
	}

	Method[] methods = victimClass.getDeclaredMethods();
	for (Method m : methods) {
		int modifier = m.getModifiers();
		System.out.println("Declared method name: " + m.getName() +
			"ntis accessible: " +
			m.isAccessible() +
			 "ntis private: " +
			Modifier.isPrivate(modifier) +
			 "ntis static: " +
			Modifier.isStatic(modifier) + "n");
	}

	Field[] fields = victimClass.getDeclaredFields();
	for (Field f : fields) {
		int modifier = f.getModifiers();
		System.out.println("Declared field name: " + f.getName() +
			"ntis accessible: " +
			f.isAccessible() +
			 "ntis private: " +
			Modifier.isPrivate(modifier) +
			 "ntis static: " +
			Modifier.isStatic(modifier) +
			 "ntis final: " +
			Modifier.isFinal(modifier) + "n");
	}
   }

   private static void attack()  {

     Field[] fields = victimClass.getDeclaredFields();
     Method[] methods = victimClass.getDeclaredMethods();
     Constructor[] constructors =
		victimClass.getDeclaredConstructors();
   //make constructor accessible
   constructors[0].setAccessible(true);

   System.err.println("Initiating reflection attack:");
   try {
   //create new object by invoking private constructor
   victimClassObj = constructors[0].newInstance(new Object[] {});

   //make static method accessible and get its value
   //please note: when invoking static method,
   //object represented by this Method is null
   methods[2].setAccessible(true);
   Object o = methods[2].invoke(null, new Object[] {});
   System.out.println("Got user ID from private static accessor: "
		 + o.toString());

   //make method accessible and get its value
   methods[0].setAccessible(true);
   o = methods[0].invoke(victimClassObj, new Object[] {});
   System.out.println("Got original password from private accessor: "
	+ o.toString());

   //make method accessible and set to it new value
   methods[1].setAccessible(true);
   System.out.println("Injecting new password using private mutator");
   methods[1].invoke(victimClassObj, new Object[] {"injected_password"});

   //get method's its new value
   o = methods[0].invoke(victimClassObj, new Object[] {});
   System.out.println("Got injected password from private accessor: "
	 + o.toString());

   //make field accessible and get its value
   fields[2].setAccessible(true);
   o = fields[2].get(victimClassObj);
   System.out.println("Got private field: " + o);

   //make field accessible and set to it new value
   System.out.println("Injecting value to a private field:");
   fields[2].set(victimClassObj, "new_default_value");

   //get field's its new value
   o = fields[2].get(victimClassObj);
   System.out.println("Got updated private field: " + o);

   //make field accessible and get its value
   fields[1].setAccessible(true);
   o = fields[1].get(victimClassObj);
   System.out.println("Got private static field: " + o);

   //make field accessible and set to it new value
   System.out.println("Injecting value to a private static final field:");
   fields[1].set(null, new Integer(2));

   //get field's its new value
   o = fields[1].get(victimClassObj);
   System.out.println("Got updated private static final field: " + o);

   }
   catch (InstantiationException e) {
	System.err.println("Error: could not instantiate: " + e);
   }

   catch (IllegalAccessException e) {
	System.err.println("Error: could not access: " + e);
   }

   catch (InvocationTargetException e) {
	System.err.println("Error: could not invoke the target: " + e);
   }
  }
}

The call to setAccessible() can be restricted if SecurityManager is set, then any attempt to call the method above will result in exception. If required, it is possible to grant permission java.reflect.ReflectPermission “suppressAccessChecks” using external java.policy file or by applying security policy programmatically. This permission will allow invocation of setAccessible(). My other post How to set SecurityManager and Java security policy programmatically explains how this can be achieved. Please note: by doing so, you can allow malicious access to your classes.

This is what happens when program executes:
I am using reflection, to get a print out of declared constructors, methods and fields. Following that, I am invoking private static and non-static method and attempting to change the value of private declared fields.

The program produces the following output:

Declared constructor name: VictimClass
        is accessible: false
        is private: true

Declared method name: setPassword
        is accessible: false
        is private: true
        is static: false

Declared method name: getUsersId
        is accessible: false
        is private: true
        is static: true

Declared method name: getPassword
        is accessible: false
        is private: true
        is static: false

Declared field name: password
        is accessible: false
        is private: true
        is static: false
        is final: false

Declared field name: USER_ID
        is accessible: false
        is private: true
        is static: true
        is final: true

Declared field name: privateFiled
        is accessible: false
        is private: true
        is static: false
        is final: false

Initiating reflection attack:
Oops... This private constructor was not  suppose to be invoked
Got user ID from private static accessor: 3452678
Got original password from private accessor: default_password
Injecting new password using private mutator
Got injected password from private accessor: injected_password
Got private field: default_value
Injecting value to a private field:
Got updated private field: new_default_value
Got private static field: 3452678
Injecting value to a private static final field:
Error: could not access: java.lang.IllegalAccessException: Field is final

As output shows above, it is not possible to set a value to the filed that is final. Therefore, it would be good idea to make fields final whenever possible. As it was shown before, it prevents reflection attack (when trying to set a new value), plus to that its good for performance optimization (memory allocation).

So what we got so far? When we have a POJO, it is possible to invoke private constructor, private static and non-static methods and change the value of private fields.

Enumerators on other hand do not allow invocation of their private constructors. An attempt to do so will result in IllegalArgumentException exception: “Cannot reflectively create enum objects”. Enums are safe against invocation of private constructors through reflection attacks.

Since enum object instances cannot be created through reflection, private non-static methods cannot be invoked. Having said that, it is still possible to invoke private static methods on enum using reflection, like on any other Java class.

Update: private non-static methods can be invoked on enum class, please refer to comments.

In conclusion, number of steps can be taken, in case someone really wants to prevent reflection attack on non-enum Java classes:

  1. Make fields final whenever possible
  2. Private constructor can throw an exception if there will be an attempt to invoke it.
  3. Applying security policy without ReflectPermission and setting security manager

I hope that I was descriptive enough here, I will appreciate your comments here.

The source code for this post was tested in my Eclipse and is attached.

Cheers

How to Set SecurityManager and Java Security Policy Programmatically

In this example I want to show how to use SecurityManager to prevent unauthorized access to private members of a Java class, for example using reflection to invoke private constructor. Besides that I also want to show how Java security policy can be set programmatically with permission allowing to invoke private constructor through reflection when security manager is in place.

Consider a POJO:

public final class VictimClass  {
	/**
	 * Private constructor that should
	 * not be invoked
	 */
	private VictimClass()  {
	   System.out.println("Instance created");
           System.out.println(
               "Constructor was made accessible");
	}
}

I want to prevent invocation of private constructor, by setting security manager. After first invocation attempt, I do want to invoke private constructor by granting required permission by refreshing current security policy.

This is my tester class:

import java.lang.reflect.Constructor;
import java.lang.ClassNotFoundException;
import java.lang.InstantiationException;
import java.lang.IllegalAccessException;
import java.lang.reflect.InvocationTargetException;
import java.lang.NoSuchMethodException;
import java.security.AccessControlException;
import java.lang.reflect.ReflectPermission;
import java.security.SecurityPermission;

public class Tester  {

	private static String CLASS_NAME = "VictimClass";
	private static Class victimClass = null;

	public static void main(String[] args)  {

	loadClass(victimClass, CLASS_NAME);

	//apply default policy with one permission
	System.setProperty("java.security.policy","default.policy");

	try {
	  //Setting security manager
	  SecurityManager sm = new SecurityManager();
	  System.setSecurityManager(sm);
	} catch (SecurityException e) {
	  System.err.println("Error: could not set security manager: " + e);
	}

	//first attempt to make constructor accessible
	try  {
	  makeConstructorAccessible();
	}
	catch (AccessControlException e) {
	  System.err.println(
		"Could not made constructor accessible: " + e.getMessage());
	}

	System.out.println("Applying ReflectPermission programmatically...");
	SecurityPolicy.getPolicy().addPermission(
		new ReflectPermission("suppressAccessChecks"));
	SecurityPolicy.getPolicy().addPermission(
		new SecurityPermission("setPolicy"));
	SecurityPolicy.getPolicy().refresh();
	makeConstructorAccessible();
	}

private static void loadClass(Class clazzor, String className)  {
	Thread thread = Thread.currentThread();
	ClassLoader classLoader =
				thread.getContextClassLoader();

	try {
	 victimClass = Class.forName(className, true, classLoader);
	}
	catch (ClassNotFoundException e) {
	 System.err.println("Error: could not find class: "
			+ CLASS_NAME);
	}
}

private static void makeConstructorAccessible()  {
	Constructor[] constructors =
			victimClass.getDeclaredConstructors();
	//make constructor accessible
	constructors[0].setAccessible(true);

   try {
	System.out.println(
	"Creating new instance by invoking private constructor");
	constructors[0].newInstance(new Object[] {});
   }
	catch (InstantiationException e) {
	  System.err.println("Error: could not instantiate: " + e);
	}
	catch (IllegalAccessException e) {
	  System.err.println("Error: could not access: " + e);
	}
	catch (InvocationTargetException e) {
	  System.err.println("Error: could not invoke the target: " + e);
	}
  }
}

This is what happens when program executes:

Before setting SecurityManager, I am applying default security policy from external file with security permission “setPolicy”, that will allow me to reset new security policy in the future.

My default security policy:

grant {
	permission java.security.SecurityPermission "setPolicy";
};

When SecurityManager is set, it restricts everything except whats permitted by security policy that was set previously. You can view list of Java permissions that can be set here.

By default, the private constructors,methods and fields are inaccessible. So if you want to use reflection, and invoke private constructor of this POJO, it will result in
IllegalAccessException since the constructor above has private modifier.

This restriction can be bypassed by calling parent method setAccessible(). To remind: java.lang.reflect.Constructor, java.lang.reflect.Method and java.lang.reflect.Field extend from parent java.lang.reflect.AccessibleObject class.

By calling inherited parent method setAccessible(), private variables and methods including private constructors become accessible.

With SecurityManager set, an attempt to invoke setAccessible() will result in AccessControlException. Following that, I am granting required ReflectPermission suppressAccessChecks by applying my own security policy. This will allow me to invoke private constructor in my POJO.

Now, having said that, I have to say that granting ReflectPermission with action suppressAccessChecks can be extremely dangerous as it allows private constructors to become accessible, as the example above shows. Not only constructors, but inaccessible fields and methods can become accessible, which can allow room for reflection attacks. In my other post Hack any Java class using reflection attack I explain how this can be achieved.

When I am applying my own security policy, please note that I am granting again security permission “setPolicy”. Because I am reseting default policy set previously, I have to grant “setPolicy” permission again if I want to keep applying new security policies in the future at run time of this program.

Below is my own implementation of java.security.Policy class, I tried to put enough comments to make things straight forward to you readers:

import java.security.Policy;
import java.security.CodeSource;
import java.lang.reflect.ReflectPermission;
import java.security.SecurityPermission;
import java.security.*;
import java.lang.RuntimePermission;
import java.util.*;

public class SecurityPolicy extends Policy {

	private PermissionCollection perms = null;

    //lazy initialization class holder
    private static class SecurityPolicyHolder {
	private static final SecurityPolicy policy = new SecurityPolicy();
    }

    private SecurityPolicy() {
	perms = new Permissions();
    }

    public static SecurityPolicy getPolicy() {
	return SecurityPolicyHolder.policy;
    }

    public PermissionCollection getPermissions(CodeSource codesource) {
        return perms;
    }

    //invoked when new Permission is added to the current security Policy
	public boolean implies(ProtectionDomain domain, Permission permission)  {

	//get permission collection from the domain
	PermissionCollection domainPermissions = domain.getPermissions();

	//get enumeration of permission elements
	Enumeration<Permission> permissions = domainPermissions.elements();

	//convert to array list (dont have to, i just dont like enumerations)
	ArrayList<Permission> list = Collections.list(permissions);

	//Checks to see if the specified permission is
	//implied (subset of) by the collection of
	//Permission objects held in this PermissionCollection
	if (!domainPermissions.implies(permission)) {

		//permission collection in the domain is read-only,
		//Exception will be thrown if Permission object
		//is added to read-only collection
		if (domainPermissions.isReadOnly()) {

			//Because collection is read-only,
			//add Permission objects to the local
			//permission collection instead
			for (Permission p :list) {
				if (!perms.implies(p)) {
				   perms.add(p);
				}
			}

			//assign local permission collection as a
			//domain permission collection
			domainPermissions = perms;
		}
		else {
			//if domain permission collection is not read only,
			//just add new permission to it
		  domainPermissions.add(permission);
		}

		//check if now domain has the new Permission
		return domainPermissions.implies(permission);
	}

		return false;
	}

	public void addPermission(Permission permission)  {
        perms.add(permission);
	}
        //you can write your own implementation
	//of refresh method
        @Override
	public void refresh() {
         Policy.setPolicy(this);
	}
}

The following shows program output. Please not that first attempt to make private constructor accessible resulted in exception. After required permission was granted, new object instance was succesfully created through reflection:

Could not made constructor accessible:
access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
Applying ReflectPermission programmatically...
Creating new instance by invoking private constructor
Constructor was made accessible
Instance created

Please note:
I did test this code. But I am not sure whether my SecuriyPolicy class implemented efficiently. The source code for this post is attached.

set java security policy sourcecode

Brainteaser: ArrayList VS TreeSet

When I came across the following example I did not expect the results that the program has printed :) hehe…

Question: What does this program print? Why?

import java.util.*;

public class SetList {

    public static void main(String[] args) {

    Set<Integer> set =
    			new TreeSet<Integer>();
    List<Integer> list =
    			new ArrayList<Integer>();

    for (int i = -3; i < 3; i++) {
        set.add(i);
        list.add(i);
    }

    for (int i = 0; i < 3; i++) {
        set.remove(i);
        list.remove(i);
    }

     System.out.println(set + " " + list);
   }
}

Looking forward for your answers dear readers

Resources:
Effective Java