Blog

JDK 17 and ‘illegal reflective access’

As Java moves towards adopting security best practices, whether that is JPMS (the module system) or sealed classes, it is evident that the best recourse is to pay down the tech debt: update your own code to work within these policies, or, where the offending code lives in external dependencies, move to updated versions or to different libraries that follow the Java 9+ module rules.

In the enterprise world that is not always possible, so we discussed here a resolution to one particular problem that occurs when migrating from JDK 11 to JDK 16+. These temporary fixes can buy you some time while you work towards upgrading to a more modern version of Java.
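To make the failure concrete, here is an added example that is not part of the original post: a small class that performs deep reflection into a JDK internal (the private `hash` field of `java.lang.String`). On JDK 9 to 15 this only printed an "illegal reflective access" warning; since JDK 16 (JEP 396) `setAccessible` throws `InaccessibleObjectException` unless the package is explicitly opened, and JDK 17 (JEP 403) removed the `--illegal-access` escape hatch entirely. The only JDK-provided knob left, and the kind of temporary fix the post alludes to, is `--add-opens` for the specific package. The class name and the choice of field are mine.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

/**
 * Added example: deep reflection that JDK 16+ denies by default.
 *
 * Run on JDK 17 with the single-file launcher:
 *   java ReflectiveAccessDemo.java
 *     -> "Denied: Unable to make field private int java.lang.String.hash accessible ..."
 *   java --add-opens java.base/java.lang=ALL-UNNAMED ReflectiveAccessDemo.java
 *     -> "cached hash = 99162322"
 */
public class ReflectiveAccessDemo {

    /** Reads String's private 'hash' cache via deep reflection (hypothetical legacy code). */
    static int readCachedHash(String s) throws ReflectiveOperationException {
        Field hash = String.class.getDeclaredField("hash");
        // This is the call where strong encapsulation is enforced: java.base does
        // not "open" java.lang to the unnamed module, so JDK 16+ throws here.
        hash.setAccessible(true);
        return hash.getInt(s);
    }

    public static void main(String[] args) throws Exception {
        String probe = "hello";
        probe.hashCode(); // populate the cached hash so the field is non-zero
        try {
            System.out.println("cached hash = " + readCachedHash(probe));
        } catch (InaccessibleObjectException e) {
            System.out.println("Denied: " + e.getMessage());
            System.out.println("Temporary workaround: run with "
                    + "--add-opens java.base/java.lang=ALL-UNNAMED");
            System.out.println("Permanent fix: remove the reflective access, "
                    + "or upgrade the dependency that performs it");
        }
    }
}
```

Open only the package the stack trace names, not everything the library might touch; each `--add-opens` re-creates exactly the hole the module system closed. For an executable jar the same grant can be declared as the `Add-Opens` attribute in the main jar's manifest, and `JDK_JAVA_OPTIONS` works for launchers you do not control, but both should be tracked as debt with an owner and a removal date.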

Go ahead, use Float and Double datatypes in Oracle for Money

The nature of decimal types is not the same across popular RDBMSs. For databases such as MySQL and Postgres, using FLOAT and DOUBLE column types to store things like money is erroneous and can lead to strange results. This is because FLOAT and DOUBLE (and REAL) are 'approximate datatypes': they are represented in formats like IEEE 754 and stored in the field as binary, so that the value you store Read more…

Spring JPA & Hibernate: Importing data before your beans are initialized

The problem: at times it may make sense to load system settings for an application from the database at 'start time'. Sometimes this means attempting to query for such data early in a bean's lifecycle, such as at construction time or slightly afterwards (e.g. in 'afterPropertiesSet()', an init-method or @PostConstruct). This may work if the application is backed by a dedicated database that is present for the whole application lifecycle, or at least is started before the application Read more…

Why consecutive slashes in resource path fail in Jar files

Resource paths with consecutive slashes seem to work in the IDE (STS and IntelliJ) but fail to load when the application is deployed as a Jar file. Let's see why. tl;dr: to speed up lookup of resources and classes, Java's Zip implementation first matches entry names by hash rather than by a full string comparison. A double slash in the path therefore maps to an entirely different hash, and thus to a hash not available in Read more…
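The following is an added example, not code from the original post, that reproduces both halves of the symptom on JDK 11+: it writes a one-entry jar into a temporary directory, looks the entry up through `ZipFile` with and without the doubled slash, and then performs the same lookup through a `URLClassLoader` rooted at an exploded directory, which is what an IDE run effectively uses. The resource name `config/app.properties` and the class name are my own choices.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

/** Added example: why "config//app.properties" resolves from a directory but not from a jar. */
public class DoubleSlashDemo {

    /** Builds a jar at 'jar' holding a single entry named exactly "config/app.properties". */
    static void writeJar(Path jar) throws IOException {
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new ZipEntry("config/app.properties"));
            out.write("greeting=hi\n".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
    }

    /** Jar case: ZipFile hashes the exact name bytes; there is no path normalisation. */
    static boolean foundInJar(Path jar, String name) throws IOException {
        try (ZipFile zf = new ZipFile(jar.toFile())) {
            return zf.getEntry(name) != null;
        }
    }

    /** Directory case: the classloader builds a java.io.File, which collapses repeated separators. */
    static boolean foundInDir(Path dir, String name) throws IOException {
        URL[] roots = { dir.toUri().toURL() }; // trailing "/" marks it as a directory root
        try (URLClassLoader cl = new URLClassLoader(roots, null)) {
            return cl.getResource(name) != null;
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("doubleslash");
        Path jar = tmp.resolve("app.jar");
        writeJar(jar);

        // The same resource laid out as an exploded classes directory, as an IDE would run it.
        Path exploded = tmp.resolve("classes");
        Files.createDirectories(exploded.resolve("config"));
        Files.writeString(exploded.resolve("config/app.properties"), "greeting=hi\n");

        for (String name : new String[] { "config/app.properties", "config//app.properties" }) {
            System.out.printf("%-24s jar=%-5s dir=%s%n",
                    name, foundInJar(jar, name), foundInDir(exploded, name));
        }
        // Expected:
        //   config/app.properties    jar=true  dir=true
        //   config//app.properties   jar=false dir=true
    }
}
```

The practical check is to build the jar and grep for the resource name (`unzip -l app.jar | grep app.properties`): what you see there is the exact byte string the lookup must hash to. Normalising resource paths at the point where they are assembled (for example when concatenating a base path that already ends in `/`) removes the IDE/jar discrepancy at its source.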

Generating Certificate Fingerprint for Filebeat

This concerns Elasticsearch, and Filebeat in particular. The documentation at Elastic does not go into much detail about what the property 'ca_sha256' is or how to generate it. The only remark it makes is: "The pin is a base64 encoded string of the SHA-256 of the certificate." Not only is this uninformative, it is also misleading. The correct way to generate the value is via openssl, and is described in Read more…
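As an added example that is not the post's own procedure, here is a Java utility that derives the pin value and, next to it, the value you get by hashing the certificate file's bytes instead. It assumes that Beats pins on the SHA-256 of the certificate's DER encoding (what `X509Certificate.getEncoded()` returns), base64-encoded; that assumption is mine and should be checked against the Beats version you run. The class name and the `ca.crt` path are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Added example: compute a Filebeat ssl.ca_sha256 pin for a CA certificate.
 * Assumption: pin = base64(SHA-256(DER-encoded certificate)).
 *
 *   java CaPin.java ca.crt
 */
public class CaPin {

    /** Parses the first certificate in a PEM or DER file; CertificateFactory accepts both. */
    static X509Certificate load(Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(certFile)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** base64(SHA-256(DER)): the DER bytes are used whether the file on disk was PEM or DER. */
    static String caSha256(X509Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** The tempting mistake: hashing the raw file bytes. For a PEM file this differs from the pin. */
    static String sha256OfFileBytes(Path file) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        Path certFile = Path.of(args.length > 0 ? args[0] : "ca.crt"); // placeholder path
        X509Certificate cert = load(certFile);
        System.out.println("subject    : " + cert.getSubjectX500Principal());
        System.out.println("ca_sha256  : " + caSha256(cert));
        System.out.println("file bytes : " + sha256OfFileBytes(certFile)
                + "  (not the pin when the file is PEM)");
    }
}
```

Under the same assumption the openssl equivalent is `openssl x509 -in ca.crt -outform DER | openssl dgst -sha256 -binary | base64`; the colon-separated hex that `openssl x509 -in ca.crt -noout -fingerprint -sha256` prints is the same digest over the same DER bytes, just hex-encoded, so the two should agree once decoded. A pin is only a useful control if the pinned CA is the private CA you operate; after rotating that CA the value must be updated on every Beats host before the old certificate expires.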

Session JDBC Effect on Scheduling Thread Pool

When the @EnableScheduling annotation is visible in the context, Spring Boot's autoconfigurers usually create two thread pools: a ThreadPoolTaskExecutor and a ThreadPoolTaskScheduler. As their names imply, the task executor is used for executing tasks, while the task scheduler is used to run scheduled tasks, such as those annotated with @Scheduled. The size of this scheduling pool is specified using the 'spring.task.scheduling.pool.size' property, which defaults to 1. The scheduling pool is autoconfigured on condition that no other relevant Read more…

Controlling JDBCSession Timeout

You might have noticed that Spring Boot's server.session.timeout does not apply if the JDBC Session library is autoconfigured, which means the standard way to set the default session timeout no longer applies. The appropriate way to set the timeout in this case is through the @EnableJdbcHttpSession annotation's maxInactiveIntervalInSeconds attribute, like so. This is fine if you don't mind moving the configuration's magic values into the code; however, all our properties are injected through a secrets and property management solution, Read more…

Preventing Session Timeout Extension in JdbcSession

Among other things, sessions are an important aspect of application security and establish a realm of trust between the end user and the application. I won't be going into the details of the servlet session here, nor the background of how Spring manages sessions; more information on Spring Session can be found here. Sessions of course time out as a security mechanism. The timeout (specified as the maxInactiveInterval attribute of HttpSession) is set by the application or business Read more…


No-Cost SSL in EasyWP with Let’s Encrypt

In the year 2020, having a secure connection to your website is imperative. It shows your guests that you care about their data and privacy, and an 'https' connection with the ever-familiar 'lock' icon establishes a sense of safety and trust with your guests. SSL certificates, however, are still expensive. This is where Let's Encrypt comes to the rescue, run by the Internet Security Research Group with the Electronic Frontier Foundation among its founding partners. By issuing free SSL certificates for everyone, their goal is to have Read more…