Jeremy Thomerson

ApacheCon - Securing Apache Tomcat for your Environment

Presented by Mark Thomas, committer on Tomcat for five years

There have generally been few Tomcat threats in the wild (at least that have been reported).  One reported in July 2008 involved hackers installing a webapp, always named fex*.war (where * stands for anything), which gave them access to a shell on your server.  If you were running Tomcat as root, game over.  The webapp was being installed through deployed servers whose Tomcat admin application had not been secured (blank or default passwords).  This is obviously a very poor idea.

How can you protect yourself against Tomcat security attacks?  Read more to find out.


Wicket - the power of nested models

Many times on the Wicket user list, we hear questions like “How do I return a different value when my model object is null?”, or “How do I make a label that says ‘none’ when the model object is null?”, or “How do I make a Label that capitalizes all its text?”.  You get the idea.  Typically, the gut reaction is to override getConverter or onComponentTagBody in the Label and abuse that facility to change what value the Label renders.  This works, but it isn’t reusable.  One of the greatest powers of Wicket is creating reusable pieces of code that can be used anywhere in your application.

A great way to create a reusable piece of code to cover this scenario is to use nested models.  If you are familiar with Wicket, you know that models, or implementations of IModel, are basically data locators: an abstraction layer that the component uses to locate its data.  One power that this layer of abstraction gives you is that a component doesn’t need to know where its data came from.  And one model can use another model and add to its behavior by composition.  Let’s look at some code for a couple of examples.


Great new tutorial on Wicket

Someone sent this to the Wicket users list today.  There is a great article on IBM developerWorks detailing how to get started with Wicket.  It covers a wide array of topics, and if you are thinking of getting started with Wicket (and haven’t yet bought Wicket in Action!), you should definitely check out this article:

https://www.ibm.com/developerworks/library/wa-aj-wicket/

Since I’m busy at ApacheCon, I have not been able to read the entire thing.  I did notice that he still shows setting up your web.xml with a servlet, although the latest versions of Wicket are all based on a servlet filter instead.  But, that’s a small detail - the amount of work Kumarsun put into this tutorial is definitely noteworthy!

ApacheCon - ModSecurity

Presented by Ivan Ristic, a web application firewall expert and author of ModSecurity and Apache Security

The problem: HTTP and browsers are designed for document exchange.  We have web applications built using a number of loosely integrated technologies.  These are created without a lot of thought about security.  Things now are better than ten years ago, but there are also more threats now to defend against.

The solution (or at least one solution): a web application firewall.

I apologize in advance - Ivan was moving very fast, and many of the notes are sparse as he was jumping from slide to slide.  I couldn’t keep up.


ApacheCon - Hardening / Securing Enterprise Apache Installations

[Figure: 2007 Web Hacking Incident Graph]

The Threat Model - Who gets attacked?  Everyone!  Just because you’re small doesn’t matter.  What are the goals of those trying to attack?  The chart on the right shows a breakdown based on data from the Web Hacking Incidents Database.

Perhaps not so surprisingly, the next slide showed that most successful attacks (I think somewhere near 50%) were because of someone getting the admin’s passwords through some means, perhaps social engineering or phishing.  Sysadmins should definitely be more careful with this sensitive data.

So, how do you protect against these attacks?  That’s what Sander will cover in this session.


ApacheCon - Wicket in Action

Presented by Martijn Dashorst, author of Wicket in Action and Vice President of the Wicket project

What is Wicket?  If you ask me, Martijn, or many of the attendees of this class, it is simply the best Java web framework available.  More technically, it is a component-oriented open source web application framework using just Java and HTML.  “Writing a Wicket app is rather more like writing an event-based desktop application than a web application” - Michael Porter.  How can you make use of this powerful, easy to use framework?  Read more to find out.

Need help or training using Wicket?  See http://www.wickettraining.com for professional training services.  Team and individual training is available, as well as consulting, phone or email support, or custom coding on your project.


ApacheCon - Making Sense of Open Source Licenses

Presented by J Aaron Farr, Treasurer for Apache Software Foundation

Aaron tries to unravel the mysteries of the various open source licenses for us.  Starting by answering questions from the floor (only one was asked), and then moving into an explanation of the open source licenses that are available, he covers a lot of ground in fifty minutes.  I really enjoyed the breakdown of licenses into three categories and the simple explanation of those categories.


ApacheCon - Top 10 Scalability Mistakes

Presented by John Coggeshall, author of PHP 5 Unleashed

The “fastest” approach isn’t always the most scalable.  John covers how to scale everything from your data and your code to your team.  He quotes Theo Schlossnagle: “Scalability marginally impacts procedure, procedure grossly impacts scalability”.

Performance and resource scalability require forethought and process.  Besides obvious things like version control, it is very helpful to set performance goals and metric measurements ahead of time, as well as API documentation and internal development mailing lists.  One of the first things to consider is what it means for your application and business to perform: 10, 100, or 1000 requests per second?  What are your performance requirements?

(Note that he focuses primarily on PHP, but some of the tips are generic for all apps)


ApacheCon - Lucene / Solr Case Studies

Presented by Erik Hatcher - author of Lucene in Action

Reader beware - this post is not very interesting.  Maybe I was expecting too much, but I was a little disappointed by the session.  It was basically a list of projects that have used Lucene.  You can tell that Erik is (obviously) very knowledgeable in the use of Lucene.  Unfortunately, though, he starts by listing several pet projects that he has since let die, and most of the rest of the session was a list of projects that use Lucene or Solr.

My one takeaway is that I do need to look into Solr more - but I use Lucene already very extensively, and wasn’t introduced to anything in Lucene in this session that I haven’t already done.


ApacheCon - Advanced Indexing with Lucene (Lucene Payloads)

Presented by Michael Busch of IBM

This class was packed out - people were sitting in every chair, and others on the floor in the back of the room.  Michael starts by briefly telling us about some new features in Lucene 2.4, the latest release.  For instance, payloads have been introduced to allow a certain amount of metadata to be stored in the index.  He gives a very good explanation of how inverted indexes work and how payloads work in the latest release.