Cross Site Request Forgery

Web Applications as we know them have always been vulnerable from attackers , which could be BOTS or just some school kid trying hard to unknowingly mess up your life's work, today we are going to talk about CSRF or Cross Site Request Forgery.
First of all we have to try and understand that how CSRF actually works for attackers, it actually utilizes any active authenticated sessions for the user against any server i.e. say you are currently logged into your google account or facebook account. nowadays as more and more web applications are using SSO or Single Sign On we are becoming more vulnerable to these attacks.
Now just suppose your session is active and you receive a mail from iwanascrewyou@hacker.com with a link which was explicitly created to download or export your contact list so that it can get more targets. if you click on the link which says like www.owasp.org, but in case you are working for or own an older application then you might have to add some new components and folllow some methodology

• We have to authenticate each and every link or form present in your application
• For that we will have to use some kind of authentication token mechanism
• a Validator should have to be implemented say as a Servlet Filter if you have a centralized controller

So if you can implement something like above then  you could be assure that your application is secure more details as on how to implement this is available on OWASP. kindly have a look if you are interested

Using Google Application Engine

Hello Again Friends and welcome to my blog. Today i will let u guys have a sneak preview of the Google Application Engine however you may find proprietary google articles but still needs a little bit more explanation so lets start
Google Application Engine lets a user publish websites or web applications to be precise on the google engine or google servers its currently open source and looking on the number of the developers who have contributed to this it's going to be open source for untill a long duration of time.
Currently gooogle Application engine supports only two platforms i.e Python and Java here we will be talking about Java implementation of the application engine i will be using Eclipse Plugin of the Application engine which is available for the lates releases of eclipse Ganymede and Galileo[Latest] the URL of the download site is
For Galileo Package of eclipse
and
For Ganymede Package of eclipse

after installing and downloading the plugins your Eclipse IDE will be ready to develop and deploy the Applications and you would be able to see the Google App Engine ICON now start a new eclipse project

Now Enter the Appropriate Settings such as do you want to use the GWT or not after that you could start building on the JSP pages and classes for your Scripts the technologies which are completeley supported by Google App Engine are

• JSP
• JSPXHTML
• JSTL
• Java Beans
• JDO[Data Nucleus]
• JPA[Data Nucleus]

The  J2EE technologies which are not currently completely Supported or with Partial Support which are typically Web Frameworks are

• JSF
• RichFaces
• JPA {Dependency Injection and All}
• Struts
• Seam

The technologies mentioned above are supported only with use some of the tweaks or some other workarounds which i shall explain for each of them And finally Un-supported Technologies

• EJB
• JMX
• Container Managed Persistence[CMP]

and
many more of the J2EE standard ............

We will begin with  a simple servlet that would insert value into the Data Store by using a Persistence Enabled Class Lets dive into the code and find out how
//CODE BEGIN Employee.java Entity

package com.equinox;

import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.Table;

/**
 *
 * @author root
 */
@Entity
@Table(name = "Users")
@NamedQueries({@NamedQuery(name = "Users.findByUserID", query = "SELECT u FROM Users u WHERE u.userID = :userID"), @NamedQuery(name = "Users.findByUsername", query = "SELECT u FROM Users u WHERE u.username = :username"), @NamedQuery(name = "Users.findByPassword", query = "SELECT u FROM Users u WHERE u.password = :password"), @NamedQuery(name = "Users.findByCollegeName", query = "SELECT u FROM Users u WHERE u.collegeName = :collegeName"), @NamedQuery(name = "Users.findByColRegNo", query = "SELECT u FROM Users u WHERE u.colRegNo = :colRegNo"), @NamedQuery(name = "Users.findBySecurityQuestion", query = "SELECT u FROM Users u WHERE u.securityQuestion = :securityQuestion"), @NamedQuery(name = "Users.findBySecurityAnswer", query = "SELECT u FROM Users u WHERE u.securityAnswer = :securityAnswer"), @NamedQuery(name = "Users.findByUserStatus", query = "SELECT u FROM Users u WHERE u.userStatus = :userStatus")})
public class Users implements Serializable {
    private static final long serialVersionUID = 1L;
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "UserID", nullable = false)
    private Long userID;
    @Column(name = "Username")
    private String username;
    @Column(name = "Password")
    private String password;
    @Column(name = "SecurityQuestion")
    private String securityQuestion;
    @Column(name = "SecurityAnswer")
    private String securityAnswer;
    @Column(name = "UserStatus")
    private Boolean userStatus;
    @JoinColumn(name="role_id",referencedColumnName="roleID")
    private Role role_id;

    public Users() {
    }

    public Role getRole_id() {
return role_id;
}

public void setRole_id(Role role_id) {
this.role_id = role_id;
}

public Users(Long userID) {
        this.userID = userID;
    }

    public Long getUserID() {
        return userID;
    }

    public void setUserID(Long userID) {
        this.userID = userID;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

  
    public String getSecurityQuestion() {
        return securityQuestion;
    }

    public void setSecurityQuestion(String securityQuestion) {
        this.securityQuestion = securityQuestion;
    }

    public String getSecurityAnswer() {
        return securityAnswer;
    }

    public void setSecurityAnswer(String securityAnswer) {
        this.securityAnswer = securityAnswer;
    }

    public Boolean getUserStatus() {
        return userStatus;
    }

    public void setUserStatus(Boolean userStatus) {
        this.userStatus = userStatus;
    }

    @Override
    public int hashCode() {
        int hash = 0;
        hash += (userID != null ? userID.hashCode() : 0);
        return hash;
    }

    @Override
    public boolean equals(Object object) {
        // TODO: Warning - this method won't work in the case the id fields are not set
        if (!(object instanceof Users)) {
            return false;
        }
        Users other = (Users) object;
        if ((this.userID == null && other.userID != null) || (this.userID != null && !this.userID.equals(other.userID))) {
            return false;
        }
        return true;
    }

    @Override
    public String toString() {
        return "com.equinox.Users[userID=" + userID + "]";
    }


}
//CODE END
the above given is the Entity Class for the Employee now lets have a look at the controller
//CODE BEGIN EmployeeController.java

package com.equinox.controllers;
import javax.persistence.EntityManager;
import javax.persistence.Query;

import com.equinox.EMF;
import com.equinox.Users;
public class UserController {

public static  Users getUser(Integer uid)
{
try{
EntityManager em= EMF.get().createEntityManager();
Users u=em.find(Users.class, uid);
em.close();
return u;

}catch(Exception e)
{
return null;
}

}
public static boolean createNewUser(String username,String password,String secQues,String secAns)
{
Users u = new Users();
u.setUsername(username);
u.setPassword(password);
u.setSecurityQuestion(secQues);
u.setSecurityAnswer(secAns);
try
{
EntityManager em= EMF.get().createEntityManager();
Query q1= em.createQuery("Select r from Role r where r.rolename =:roleName");
q1.setParameter("roleName", "USER");

em.persist(u);
em.clear();
return true;


}catch(Exception e){
return false;
}


}

}

//CODE END

And finally the Servlet which handles the response and creates a dummy user

//CODE Begin

package com.equinox;

import java.io.IOException;

import java.util.Iterator;

import javax.persistence.EntityManager;

import javax.persistence.Query;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

@SuppressWarnings("serial")

public class NewtestServlet extends HttpServlet {

@SuppressWarnings("unchecked")

public void doGet(HttpServletRequest req, HttpServletResponse resp)

throws IOException {

resp.setContentType("text/plain");

resp.getWriter().println("Hello, world");

EntityManager em= EMF.get().createEntityManager();

Users usr= new Users();

usr.setUsername("Techounds");

usr.setPassword("techounds12345");

usr.setSecurityAnswer("jacky");

usr.setSecurityQuestion("what is ur pets name");

usr.setUserStatus(true);

em.persist(usr);

Query q1=em.createQuery("Select u from Users u");

java.util.List l1=(java.util.List)q1.getResultList();

Iterator itr=l1.iterator();

while(itr.hasNext())

{

Users temp= (Users)itr.next();

resp.getWriter().write(temp.getUsername());

}

em.close();

}

}

//CODE END

the above example uses the JPA {DATA NUCLEUS} platform and Entity class along with a custom controller

Advent of EE6

Finally after a much anticipated period of time by the java developers across the world Sun Microsystem has finally launched Java EE6 with EJB 3.1 and numerous changes which i myself have to go through yet . the most astonishing feature of the EE6 is the ability to deploy the EJB's in a War file itself seems like those days when a programmer has to prepare a complete ejb-jar.xml for getting their EJB's to take on the container are over now and soon will be forgotten but somehow i still miss the flexibility offerred by the EJB 2.0 Deployment descriptor and have been using it through the 3.0 architecture also lets see how much support sun has provided for the EJB this time here is a sneak preview of the features of the EE 6 technology

here is a snippet from the Sun Microsystem's Official website

Java EE 6 Technologies
Technologies	JSR	Download
Java Platform, Enterprise Edition 6 (Java EE 6)	JSR 316	Download spec
Web Services Technologies   » Read more
Java API for RESTful Web Services (JAX-RS) 1.1	JSR 311	Download spec
Implementing Enterprise Web Services 1.3	JSR 109	Download spec
Java API for XML-Based Web Services (JAX-WS) 2.2	JSR 224	Download spec
Java Architecture for XML Binding (JAXB) 2.2	JSR 222	Download spec
Web Services Metadata for the Java Platform	JSR 181	Download spec
Java API for XML-Based RPC (JAX-RPC) 1.1	JSR 101	Download spec
Java APIs for XML Messaging 1.3	JSR 67	Download spec
Java API for XML Registries (JAXR) 1.0	JSR 93	Download spec
Web Application Technologies   » Read more
Java Servlet 3.0	JSR 315	Download spec
JavaServer Faces 2.0	JSR 314	Download spec
JavaServer Pages 2.2/Expression Language 1.1	JSR 245	Download spec
A Standard Tag Library for JavaServer Pages (JSTL) 1.2	JSR 52	Download spec
Debugging Support for Other Languages 1.0	JSR 45	Download spec
Enterprise Application Technologies   » Read more
Contexts and Dependency Injection for Java (Web Beans 1.0)	JSR 299	Download spec
Bean Validation 1.0	JSR 303	Download spec
Enterprise JavaBeans 3.1	JSR 318	Download spec
Java EE Connector Architecture 1.6	JSR 322	Download spec
Java Persistence 2.0	JSR 317	Download spec
Common Annotations for the Java Platform 1.1	JSR 250	Download spec
Java Message Service API 1.1	JSR 914	Download spec
Java Transaction API (JTA) 1.1	JSR 907	Download spec
JavaMail 1.4	JSR 919	Download spec
Management and Security Technologies   » Read more
Java Authentication Service Provider Interface for Containers	JSR 196	Download spec
Java Authorization Contract for Containers 1.3	JSR 115	Download spec
Java EE Application Deployment 1.2	JSR 88	Download spec
J2EE Management 1.1	JSR 77	Download spec
Java EE-related Specs in Java SE
Java API for XML Processing (JAXP) 1.3	JSR 206	Download spec
Java Database Connectivity 4.0	JSR 221	Download spec
Java Management Extensions (JMX) 2.0	JSR 255	Download spec
JavaBeans Activation Framework (JAF) 1.1	JSR 925	Download spec
Streaming API for XML (StAX) 1.0	JSR 173	Download spec

Introduction

Enterprise Java Beans (EJB) is a server-side component architecture for the Java Enterprise Edition (Java EE) platform, aiming to enable rapid and simplified development for distributed, transactional, secure and portable applications.

EJB experienced wide adoption in its version 2, reaching a level of maturity which made it capable to embrace the requirements of many enterprise applications. Despite its relative success, there were many critical voices accusing it of being overcomplicated. Lack of a good persistence strategy, long and tedious deployment descriptors, or limited capacity for testing, were some of the many times used arguments, causing a considerable number of developers to look for alternative technologies.

Sun reacted slowly, but it was able to come up with a greatly revised version of the specification, which has considerably enhanced its potential. EJB 3 dealt with most of the existing drawbacks, presenting solutions which got consensual acceptance among the community. EJB became a viable solution again, and many teams which had once put it aside are now using it.

Even though its success, EJB 3 did not go as far as it could. Going back to EJB 2.1, the spec was facing two main challenges: 1) to go through a massive restructuring in order to change existing features, like a powerful persistence framework as a substitute for Entity Beans, support for annotations as a substitute for deployment descriptors, drop of home interfaces, etc; 2) to introduce new solutions for problems not being dealt by the spec like support for Singletons, support for method interception or asynchronous calls to session beans, and to improve existing features like enhancing the Timer Service. Priority was correctly given to the restructuring- "we fist clean and rearrange the house, and only then we bring the new furniture"- even though there were some new features as well, like the support for interceptors. Now that the cleaning is done, it is time to benefit from it and to go one step beyond.

EJB 3.1 introduces a new set of features which intends to leverage the potential of the technology. It is, in my opinion, a release of major importance, which brings capabilities which were most wanted since long ago, making it more able to fulfill the needs of modern enterprise applications, and contributing for an increased adoption.

The EJB 3.1 Proposed Final Draft has been recently released and we are now close to its final version. This article will go through most of the new features, providing a detailed overview about each one of them.