CodeByAkram: SpringBoot
Showing posts with label SpringBoot. Show all posts
Showing posts with label SpringBoot. Show all posts

How to use / implement OWASP ESAPI Logger in Java

Before going further lets talk about Log Forging or JVM Log Forging. 

Log Forging

According to OWASP , writing invalidated logs can allow attackers to forge log or inject malicious content in log file. Log forging is when attackers tries to add/modify the log content by exploring the security loopholes of application.

Lets understand the log forging by an example.


private void printLog(String amount) {
logger.info("Amount credited in account Rs. {}" + amount);
}
above code will print the logs like:

Amount credited in account Rs. 500

 Now suppose attacker provide the input \n\n Amount debited in account Rs.500

Amount credited in account Rs. 500

Amount debited in account Rs.500

So, attacker forged the logs by making a fake or forge entry in log.


Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using safe logging mechanism such as OWASP ESAPI logger, which will automatically remove unexpected carriage returns. So, to prevent this, we use use ESAPI Logger mechanism.

Here is the dependency of ESAPI: 

<dependency>

<groupId>org.owasp.esapi</groupId>

<artifactId>esapi</artifactId>

<version>2.2.2.0</version>

</dependency>

We can encode the logs using ESAPI‘s Encoder method and interface:


    public String encode(String message) {
    message = message.replace( '\n' ,  '_' ).replace( '\r' , '_' )
      .replace( '\t' , '_' );
    message = ESAPI.encoder().encodeForHTML( message );
    return message;
}
How to use / implement OWASP ESAPI Logger in Java





What do you mean by Aspect, Join Point, Advice?


What’s the difference between @Component, @Controller, @Repository & @Service annotations in Spring?

What do you mean by Aspect, Join Point, Advice?

Pointcut: Pointcut are expressions that is matched with join points to determine whether advice needs to be executed or not. Pointcut uses different kinds of expressions that are matched with the join points and Spring framework uses the AspectJ pointcut expression language.
AOP Advice Types
Before Advice: These advices run before the execution of join point methods. Use @Before annotation to mark an advice type as Before advice.
After (finally) Advice: An advice that gets executed after the join point method finishes executing, whether normally or by throwing an exception. We can create after advice using @After annotation.
After Returning Advice: Sometimes we want advice methods to execute only if the join point method executes normally. We can use @AfterReturning annotation to mark a method as after returning advice.
After Throwing Advice: This advice gets executed only when join point method throws exception, we can use it to rollback the transaction declaratively. We use @AfterThrowing annotation for this type of advice.
Around Advice: This is the most important and powerful advice. This advice surrounds the join point method and we can also choose whether to execute the join point method or not. We can write advice code that gets executed before and after the execution of the join point method. It is the responsibility of around advice to invoke the join point method and return values if the method is returning something. We use @Around annotation to create around advice methods.

What’s the difference between @Component, @Controller, @Repository & @Service annotations in Spring?


Spring Annotations, Codebyakram


Spring 2.5 introduces further stereotype annotations: @Component@Service, and @Controller@Component is a generic stereotype for any Spring-managed component. @Repository@Service, and @Controller are specializations of @Component for more specific use cases, for example, in the persistence, service, and presentation layers, respectively.

You may also like What do you mean by Aspect, Join Point, Advice?

Therefore, you can annotate your component classes with @Component, but by annotating them with @Repository@Service, or @Controller instead, your classes are more properly suited for processing by tools or associating with aspects. For example, these stereotype annotations make ideal targets for pointcuts.

Thus, if you are choosing between using @Component or @Service for your service layer, @Service is clearly the better choice. Similarly, as stated above, @Repository is already supported as a marker for automatic exception translation in your persistence layer.



Differentiate between constructor injection and setter injection

Partial Dependency

In Setter Injection, partial dependency is possible, means if we have 4 dependencies as mentioned below,

Differentiate between constructor injection and setter injection, codebyakram


Then it is not necessary to inject all values if we are using setter injection.

But in Constructor Injection, partial dependency is not possible because we are calling the constructor of that class.

Overriding

Constructor Injection can not override the setter injected properties but Setter injection can override the constructor injected properties.

Changes

Setter injection makes bean class object as mutable but constructor injection makes bean class object as immutable. 

Number of dependencies

If we have dependencies for example 17 in our bean class then, in this case setter injection is not recommended as we need to write almost 17 setters right, bean length will increase.

In this case, Constructor injection is highly recommended, as we can inject all the dependencies with in 3 to 4 lines by calling one constructor.


How to set connection timeout for RestTemplate in spring?

How to set connection timeout for RestTemplate in spring? codebyakram

We can set the timeout for RestTemplate by doing some custom configuration for RestTemplate.

First you need to create a class named as HttpClientConfig in this class we configure HttpClient because RestTemplate internally uses the HttpClient.


package com.codebyakram;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.slf4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HttpClientConfig {

 public static final Logger LOGGER = org.slf4j.LoggerFactory.getLogger(HttpClientConfig.class.getName());
 // Determines the timeout in milliseconds until a connection is established.
 private static final int CONNECT_TIMEOUT = 30000;

 // The timeout when requesting a connection from the connection manager.
 
 private int REQUEST_TIMEOUT = 10000;
 
 @Bean
 public CloseableHttpClient httpClient() {
  RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(REQUEST_TIMEOUT).build();
  return HttpClients.custom().setDefaultRequestConfig(requestConfig).build();
 }
}

Here in this class we setting HttpClient in RestTemplate

package com.codebyakram;

import org.apache.http.impl.client.CloseableHttpClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.web.client.RestTemplate;

@Configuration
public class RestTemplateConfig {

 @Autowired
 CloseableHttpClient httpClient;


 @Bean
 public RestTemplate restTemplate() {
  RestTemplate restTemplate = new RestTemplate(clientHttpRequestFactory());
  return restTemplate;
 }

 @Bean
 public HttpComponentsClientHttpRequestFactory clientHttpRequestFactory() {
  HttpComponentsClientHttpRequestFactory clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory();
  clientHttpRequestFactory.setHttpClient(httpClient);
  return clientHttpRequestFactory;
 }

 @Bean
 public TaskScheduler taskScheduler() {
  ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
  scheduler.setThreadNamePrefix("poolScheduler");
  scheduler.setPoolSize(50);
  return scheduler;
 }
}

So now we are done with the cofiguration of request timeout for RestTemplate.

How To deploy Spring Boot application on Tomcat?

How To deploy Spring Boot application on existing Tomcat?

Related Questions:- Deploy a Spring Boot WAR into a Tomcat Server, Spring Boot – Deploy WAR file to Tomcat

spring boot tomcat codybyakram


Spring boot is a framework that allow you to set up production ready setup of spring application and also Tomcat is one of the most popular server used for Java. By default spring boot application build a standalone application that can contains the Tomcat. But if you have your existing Tomcat and you want to deploy your spring boot application on that server than you need to follow the below steps.

Add the below dependency in pom.xml

               <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>

And change the packaging to war or just add the below code in pon.xml.

             <packaging>war</packaging>

Finally, we initialize the Servlet context required by Tomcat by implementing the SpringBootServletInitializer interface and override the configure method:

@SpringBootApplication
public class Application extends SpringBootServletInitializer {
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application.sources(Application.class);

public static void main(String[] args) {
SpringApplication.run(Application.class, args);

}
}

Now build war file using below maven command,
      
      mvn clean package

How to disable Spring banner

How to disable Spring banner?

spring banner codebyakram
You can disable the spring boot banner by adding the below mentioned code in your main method.
app.setBannerMode(Banner.Mode.OFF);

Just add the above mentioned code in main method and spring banner will be disabled.

What is @SpringBootApplication in Spring Boot

What is @SpringBootApplication in Spring Boot?

"Indicates a configuration class that declares one or more @Bean methods and also triggers auto-configuration and component scanning. This is a convenience annotation that is equivalent to declaring @Configuration, @EnableAutoConfiguration and @ComponentScan."
CodeByAkram SpringBoot

 If you are using spring boot version below 1.2 than you need to add the below annotation in your application.
  1. @Configuration to enable Java-based configuration and mark your class a Configuration class.
  2. @ComponentScan to enable component scanning so that controllers and other components will automatically discovered and registered as bean in Spring's Application Context.
  3. @EnableAutoConfiguration to enable Spring Boot's auto-configuration feature.
But if you using spring boot 1.2 or above version, you just need to add the @SpringBootApplication annotation in your main class and your main class should be in your base package.

@SpringBootApplication = @Configuration + @ComponentScan + @EnableAutoConfiguration