Friday, September 30, 2011

Web Session Management White Paper

PDF Link:
http://www.isecpartners.com/files/web-session-management.pdf


Developing an application with secure session management requires developers to understand a few crucial subtleties of cookies — their attributes, their values, and how to keep them confidential — and to understand how real-world attackers are abusing weak session management in real applications today.

Thursday, September 29, 2011

Making VIM on windows behave like linux

Do the following:

1. Open the file _vimrc, which you will find inside c:\Program files\vim

2. Find the line that says:

behave mswin

3. Change it to

behave xterm

4. Save and exit.

With xterm behaviour you select text the vi way: press 'v' to start visual mode, then use the arrow keys to extend the selection.

Deleting all lines that are empty or contain spaces in vim

To delete all lines that are empty in vim:

:g/^$/d

To delete all empty lines or empty lines that contain spaces:

:g/^\s*$/d

Note that \s in a vim regular expression matches any whitespace character (a space or a tab), so the second command also removes lines that contain only tabs. If you only want to match literal spaces, use a character class containing a space instead:

:g/^[ ]*$/d

Pasting code into VIM without the indentation problem

Frequently, when pasting code into vim, I get lots of extra indentation spaces, because vim re-indents every pasted line as if I had typed it. This is easily handled by typing, in command mode:

:set paste

Then go to insert mode and paste the source code. Paste mode also disables abbreviations and mappings, so switch it back off (the nopaste setting) once the paste is done.

Disable Autoindent in VIM

To disable autoindent in vim, you can do the following:


:set noautoindent | set nosmartindent | set nocindent

Or place the following lines in your .vimrc (Linux) or _vimrc (Windows):

set noautoindent
set nosmartindent
set nocindent


Sunday, September 25, 2011

Git Cheat Sheets

Goodbye Adobe Photoshop, Goodbye Paint.NET, Goodbye Greedy Pricing Schemes

I recently found this wonderful image processing application named PhotoPlus Starter Edition, and I no longer use either Adobe Photoshop or Paint.NET.

From serif.com:
http://www.serif.com/FreeDownloads/

The best "git log" command to use

This is the best git log command to use:
git log --decorate --graph --oneline

You can alias this command as follows:
git config --global alias.lol "log --graph --decorate --oneline"

Now you can use it as follows:
git lol

Making two branches identical after a git merge

I had two branches in git, heavy_refactoring and master.
I had already merged heavy_refactoring into master, but master still looked different from heavy_refactoring at the end, because of some changes that took place on master before the merge. I don't want these changes.

What I wanted is that the 'master' branch look exactly like heavy_refactoring.

So here are the steps:

1. Go to the master branch first.

git checkout master

2. First do a git diff between the two branches, listing only file names and their status:

git diff --name-status master heavy_refactoring

This shows the changes that must take place for master to become heavy_refactoring. It is very important that you type 'master' before 'heavy_refactoring', so that git reports the differences in the direction from master to heavy_refactoring.

The --name-status switch tells git diff to print only each file's path with a status letter instead of the file contents: A (added), D (deleted), M (modified). (Note that --summary on its own lists only creations, deletions, renames and mode changes, so modified files would not show up in it.)

3. After running the command, a list of deleted, modified and added files shows up.

4. If the diff marks a file as deleted (D), it should be removed from the master branch using:

git rm file_to_remove

5. If the diff marks a file as added (A), you have to copy it from the heavy_refactoring branch to the master branch using:

# Copying a file from another branch to the current branch
git checkout heavy_refactoring src/main/java/com/basil/TargetFile.java

6. If the diff marks a file as modified (M), you also copy it from the heavy_refactoring branch over the master copy; remember that the objective here is to make master exactly like heavy_refactoring:

git checkout heavy_refactoring src/main/java/com/basil/TargetFile2.java

Note that git checkout <branch> <path> writes the file into the working tree and stages it, so once every file has been dealt with a single commit records the result.

At the end, run the git diff again; an empty result confirms that the two branches are identical:

git diff --name-status master heavy_refactoring
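The same result in one step, as an added example that is not code from the original post: instead of removing and checking out files one at a time, git read-tree can load heavy_refactoring's whole tree into master's index and working tree, and a single commit then records it, keeping master's history (including the merge) intact. The script builds a throwaway repository in a temporary directory with constructed sample files, reproduces the situation described above, and fixes it; it assumes a git binary on PATH.

```python
"""Make one git branch's tree identical to another's, keeping history.

Added example, not code from the original post. It builds a throwaway
repository (constructed sample files) in a temporary directory, diverges
two branches the way the post describes, and then replaces master's tree
in one step with `git read-tree` instead of copying files one by one.
Assumes a `git` binary on PATH.
"""
import os
import subprocess
import tempfile


def git(repo, *args):
    """Run a git command inside `repo` and return its stdout."""
    cmd = ["git", "-c", "user.name=example", "-c", "user.email=example@example.invalid",
           "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, cwd=repo, check=True, capture_output=True, text=True).stdout


def name_status(repo, a, b):
    """The post's step 2: list (status, path) pairs needed to go from a to b."""
    out = git(repo, "diff", "--name-status", a, b)
    return [tuple(line.split("\t")) for line in out.splitlines()]


def make_identical(repo, target, source):
    """Replace target's tree with source's tree in a single commit.

    `git read-tree -u --reset <source>` loads source's tree into the index
    and updates the working tree (creating, overwriting and deleting files),
    which is exactly the rm/checkout loop in the post done atomically. The
    commit keeps target's history, including the earlier merge.
    """
    git(repo, "checkout", "-q", target)
    git(repo, "read-tree", "-u", "--reset", source)
    git(repo, "commit", "-q", "-m", f"Make {target} identical to {source}")


def write(repo, path, text):
    full = os.path.join(repo, path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Recreate the post's situation and fix it; returns the diff before and after."""
    with tempfile.TemporaryDirectory() as repo:
        git(repo, "init", "-q")
        git(repo, "symbolic-ref", "HEAD", "refs/heads/master")
        write(repo, "src/Keep.java", "class Keep {}\n")
        write(repo, "src/Old.java", "class Old {}\n")
        git(repo, "add", "-A")
        git(repo, "commit", "-q", "-m", "base")

        # heavy_refactoring modifies Keep, deletes Old and adds New
        git(repo, "checkout", "-q", "-b", "heavy_refactoring")
        write(repo, "src/Keep.java", "class Keep { int refactored; }\n")
        os.remove(os.path.join(repo, "src", "Old.java"))
        write(repo, "src/New.java", "class New {}\n")
        git(repo, "add", "-A")
        git(repo, "commit", "-q", "-m", "refactor")

        # master gets an unwanted change, then heavy_refactoring is merged in
        git(repo, "checkout", "-q", "master")
        write(repo, "src/Unwanted.java", "class Unwanted {}\n")
        git(repo, "add", "-A")
        git(repo, "commit", "-q", "-m", "unwanted change on master")
        git(repo, "merge", "-q", "--no-edit", "heavy_refactoring")

        before = name_status(repo, "master", "heavy_refactoring")
        make_identical(repo, "master", "heavy_refactoring")
        after = name_status(repo, "master", "heavy_refactoring")
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)   # [('D', 'src/Unwanted.java')]
    print("after: ", after)    # []
```

Before the fix the diff reports the unwanted file as deleted in heavy_refactoring relative to master; after make_identical it is empty. git read-tree with --reset silently discards uncommitted changes on the target branch, so run it on a clean working tree.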


Monday, September 19, 2011

Enabling SSL in Apache Tomcat 6 The Easy Way

NOTE: This article does not use the APR tomcat module but rather the default Tomcat 6 deployment.

To enable SSL for Apache Tomcat 6, perform the following:

1. Create an SSL certificate using the keytool supplied with Java:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Without further options keytool (Java 6) generates a 1024-bit RSA key and a certificate valid for 90 days; for anything beyond a quick test add -keysize 2048 and -validity <days>.

NOTE: If you get the error:
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists
then most probably a keystore already exists in your home directory with an entry under that alias. If you are root, this will be /root/.keystore.

2. You will be prompted for the data that goes into the certificate; fill it all in. The value after each colon below is my input. Sticking to the password "changeit", the default Tomcat uses, is fine while developing; on a production server choose a real password, because it will be stored in clear text in server.xml.

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name: Jeremy Atkins
What is your organizational unit: OU
What is the name of your organization: NOYO
What is the name of your city or your locality: MyCity
What is the name of your state or province: Saudi Arabia
What is the two-letter country code for this unit:  uk
Is the entered data correct: yes

Enter key password for <tomcat>
        (RETURN if same as keystore password): PRESS RETURN KEY

Although keytool asks for a "first and last name", that answer becomes the certificate's Common Name (CN). Browsers compare the CN with the host name in the URL, so for a server certificate enter the DNS name users will type (e.g. www.example.com), not a person's name; a value like the one above would produce a name-mismatch warning.

It is important to keep the keystore password and the key password the same, which is what pressing the RETURN key at the last prompt does. The connector configured below only carries a keystorePass attribute; Tomcat's JSSE connector reads a separate keyPass attribute when the key has its own password, and keeping the two identical avoids needing it.

3. When you're done with the previous step, keytool writes the keystore to a file named .keystore in the home directory of the user who ran it. Since I ran it as root, it is /root/.keystore.
Check that the file /root/.keystore got created. Tomcat should not run as root, though: if it runs under its own account, generate the keystore as that user or move it somewhere the Tomcat user can read, and restrict it to that user (e.g. mode 600), since the keystore holds the server's private key.

4. Next, open the tomcat server.xml for editing:
vi ${tomcat_installation_dir}/conf/server.xml

And uncomment the following section by removing the <!-- and the --> surrounding them from top and bottom:

   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               />

5. Change the port number from 8443 to 443, the default HTTPS port that browsers use without being told.
Keep 8443 while in development if needed. On Unix only root can bind ports below 1024, so if Tomcat runs as an unprivileged user either keep 8443 and redirect port 443 to it with the packet filter, or start Tomcat through jsvc or authbind.

   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               />


6. Now add the keystoreFile and keystorePass attributes to that same connector, to tell Tomcat where to find the keystore and the password you specified:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               />

Tomcat automatically replaces ${user.home} with the home directory of the user it runs under, which in my case is "/root". An explicit path (e.g. /etc/tomcat6/tomcat.jks) is more robust, since the value changes if the service account changes. Because the password is stored in clear text here, make conf/server.xml readable only by the Tomcat user. Note also that a keytool-generated certificate is self-signed, so browsers will warn until you either import it as trusted (for test use) or replace it with one issued by a CA.

7. Restart apache tomcat using:
<tomcat_installation_dir>/bin/catalina.sh stop
<tomcat_installation_dir>/bin/catalina.sh start
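As an added example (not part of the original post or of Tomcat), here is a small audit of a server.xml that flags the weak spots the walkthrough above leaves in place: the default "changeit" password, a keystore under a home directory (or under /root, which means Tomcat runs as root), a missing scheme/secure pair, an SSL rather than TLS context, and a plain HTTP connector left open beside the HTTPS one. Both server.xml fragments are constructed: WEAK is the connector as the post configures it, HARDENED is an assumed corrected version with an explicit keystore path and a real password.

```python
"""Audit the connectors in a Tomcat server.xml for the weak settings the
walkthrough above leaves behind.

Added example, not part of the original post or of Tomcat. Both
server.xml fragments are constructed: WEAK mirrors the connector as the
post configures it, HARDENED is an assumed corrected version with an
explicit keystore path and a real password.
"""
import xml.etree.ElementTree as ET

WEAK = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit" />
  </Service>
</Server>"""

HARDENED = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/tomcat6/tomcat.jks" keystorePass="s3cret-keystore-pw" />
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return (port, finding) pairs for the connectors in a server.xml document."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() != "true":
            # AJP connectors are skipped; an open plain-HTTP connector is reported
            if c.get("protocol", "HTTP/1.1").startswith("HTTP"):
                findings.append((port, "plain HTTP connector is open; without a "
                                 "CONFIDENTIAL transport-guarantee in web.xml sessions "
                                 "can still be served over http"))
            continue
        keystore = c.get("keystoreFile", "")
        password = c.get("keystorePass")
        if not keystore:
            findings.append((port, "no keystoreFile: Tomcat falls back to ~/.keystore "
                             "of whichever user runs it"))
        elif keystore.startswith("${user.home}") or keystore.startswith("/root/"):
            findings.append((port, "keystore lives in a home directory: ${user.home} "
                             "moves with the service account, /root means Tomcat runs as root"))
        if password is None or password == "changeit":
            findings.append((port, "keystore password is the keytool/Tomcat default 'changeit'"))
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append((port, "scheme=\"https\" secure=\"true\" missing: request.isSecure() "
                             "is false and the session cookie is not marked Secure"))
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append((port, "sslProtocol names an SSL context instead of TLS"))
    return findings


if __name__ == "__main__":
    for label, doc in (("post's server.xml", WEAK), ("hardened", HARDENED)):
        print(label)
        for port, finding in audit_connectors(doc) or [("-", "no findings")]:
            print(f"  port {port}: {finding}")
```

Run it against a real file with audit_connectors(open("conf/server.xml").read()). The plain-connector finding is informational: keeping port 8080 open is fine when web.xml forces a CONFIDENTIAL transport guarantee, which redirects to the HTTPS connector's port.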


Disabling WebDAV DELETE, PUT, OPTIONS in Apache Tomcat 6

It really took me more than two hours of searching the internet just to understand how to do this simple configuration: disabling the WebDAV methods in Apache Tomcat 6 for all applications.

Here is how to do it:

In your apache tomcat 6 installation, simply open the file <installation_directory>/conf/web.xml for editing. Note that this web.xml file acts as a global file for all web applications and is processed before the web.xml's web application file.

At the end of the global web.xml file, just before the closing </web-app> tag, place the following text:

<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>

The above security-constraint tells Tomcat to refuse the listed methods for every URL and answer with 403 Forbidden. PUT and DELETE are the WebDAV-style methods that modify content; OPTIONS and TRACE are plain HTTP methods that reveal configuration details, and TRACE additionally enables cross-site tracing attacks. Only the listed methods are constrained, so GET, POST and HEAD keep working.

The empty <auth-constraint /> means that no role at all is allowed through, in other words: "For any user, deny access to PUT, DELETE, OPTIONS and TRACE methods". Because the constraint lives in the global conf/web.xml it is merged into every deployed application, which is what makes this a one-place fix.

After that, restart apache tomcat 6 using:

<installation_directory>/bin/catalina.sh stop
<installation_directory>/bin/catalina.sh start

To verify that these methods are now forbidden, I used some jQuery JavaScript:
1. Open firefox with the firebug plugin installed
2. Open a webapplication that has jquery javascript file included within it.
3. Open firebug and select the "Console" tab from firebug
4. Write the following javascript code:

$.ajax({
  type: 'DELETE',
  url: "http://212.138.70.94",
  data: {},
  error: function() {alert('ERROR');},
  success: function() {alert('SUCCESS');}
});

5. Click the Run button.
6. You should see an alert dialog with the message ERROR and a response in firebug with the following message:
"NetworkError: 403 Forbidden - http://212.138.70.94/"

7. Repeat the above for the OPTIONS, TRACE and PUT methods.

I'm sure there's a simpler way to verify it than JavaScript, but I don't know it.
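curl does this in one line from any shell: curl -i -X DELETE http://host/ prints the status Tomcat returns, and the same with -X PUT, -X OPTIONS and -X TRACE. The script below is an added example, not code from the original post, that automates the check for all four constrained methods plus GET and reports which ones the server failed to refuse. So that it runs offline it starts a stub server in-process that answers the way Tomcat does with the constraint in place; that stub is a constructed stand-in, not Tomcat. Point probe_methods at a real host and port (use_tls=True for 443) to test an actual server; for the self-signed certificate from the earlier post you would additionally need an SSL context that trusts it.

```python
"""Probe which HTTP methods a server accepts, and what it answers for
PUT/DELETE/OPTIONS/TRACE.

Added example, not part of the original post. `probe_methods` and
`blocked` are the reusable part; StubTomcat is a constructed stand-in
for Tomcat with the post's security-constraint so the script runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ("GET", "PUT", "DELETE", "OPTIONS", "TRACE")


def probe_methods(host, port, path="/", methods=METHODS, use_tls=False):
    """Send one request per method and return {method: status_code}.

    No body is sent with PUT, so a server that does accept it answers
    with its own error (e.g. 411) rather than writing anything.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    results = {}
    for method in methods:
        conn = conn_cls(host, port, timeout=5)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results


def blocked(results, must_block=("PUT", "DELETE", "OPTIONS", "TRACE")):
    """Return the methods from must_block that the server did NOT refuse.

    403 is what the security-constraint produces; 405 is what Tomcat's
    default allowTrace=false gives for TRACE, so both count as refused.
    """
    return [m for m in must_block if results.get(m) not in (403, 405)]


class StubTomcat(BaseHTTPRequestHandler):
    """Constructed stand-in: 200 for GET, 403 for the four constrained methods."""

    def _answer(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self): self._answer(200)
    def do_PUT(self): self._answer(403)
    def do_DELETE(self): self._answer(403)
    def do_OPTIONS(self): self._answer(403)
    def do_TRACE(self): self._answer(403)
    def log_message(self, *args): pass


def demo():
    """Start the stub on a free loopback port, probe it and return the status map."""
    server = HTTPServer(("127.0.0.1", 0), StubTomcat)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    statuses = demo()
    for method, status in statuses.items():
        print(f"{method:8} -> {status}")
    print("not refused:", blocked(statuses) or "none")
```

A method that comes back 200, 201 or 204 is accepted; 501 from a server that does not implement it is harmless, but it is listed by blocked() too so that you notice the constraint is not the thing refusing it.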

Monday, September 12, 2011

Creativity is Not Design

From: http://jessewilson.net/notes/creativity-is-not-design
Too often I notice designers and non-designers alike equating creativity with design. I find this assumption disturbing because it is one of the many fallacies that allow unskilled but creative pretenders to consider themselves capable design professionals when they’re nothing of the sort… Creativity is bound by no laws, rules, or strictures… Design, on the other hand, is based entirely on math, psychology, human perception, and a host of rigid rules and laws that can be broken by only a highly skilled few…

Automatic Java Class Diagram Generation Using ObjectAid

I was looking for a tool that would allow me to view my classes graphically, until I bumped into this question from stackoverflow.com:

http://stackoverflow.com/questions/1120032/what-is-your-favorite-automatic-class-diagram-generator-for-eclipse

And after trying several tools, I think ObjectAid beats'em all.

Object Aid Website:
http://www.objectaid.com/