Tim McGuire

since Apr 30, 2003

Recent posts by Tim McGuire

JAAS is one of the authentication providers that Spring can use. Note that JAAS works at a lower level than the web application. It has hooks (if that is the right term) into the application server and operating system. Spring Security works in the application layer. It has its own authentication API that is very good and does not need to use JAAS. Often an existing JAAS provider is used when Spring Security is implemented. In most cases, a new project would not be enhanced by using JAAS.

Spring Security based on ACEGI and ACEGI vs JAAS was covered: https://coderanch.com/t/134325/Security/ACEGI-JAAS
10 years ago

Prince Manchanda wrote:We implemented OWASP's CSRFGuard to protect our pages in the web application. For example */myCsrfProtected.jsp. We have injected CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

However, we have another use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when the user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request, assuming this to be a CSRF attack. (this is what the filter has been implemented for :-) )

Is there any way to handle this use case and allow access to CSRF protected page from outside the application.



Hi, this is a great question because it highlights exactly what CSRF is and what CSRF guards should be used for. CSRF is usually defined as a way to trick people into triggering requests that change stuff (like deleting, updating, or creating records). If the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right? CSRF is used to guarantee with the use of a one-time token that the request was generated from a page within the web application. So, the short answer to your question is no, you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.
11 years ago
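The exemption discussed in this thread, modelled as an added example (not code from the posts and not OWASP CSRFGuard's own API): a page is let through without a token only when it is listed as read-only and fetched with a safe method. The page name `viewReport.jsp`, the pattern list and the token value are assumptions made up for the illustration.

```python
import hmac
from fnmatch import fnmatchcase

SAFE_METHODS = {"GET", "HEAD"}           # must never change server state
READ_ONLY_PAGES = ["*/viewReport.jsp"]   # hypothetical page linked from e-mail


def token_required(method, path):
    """Exempt a page only if it is listed as read-only AND fetched with a safe method."""
    listed = any(fnmatchcase(path, pattern) for pattern in READ_ONLY_PAGES)
    return not (listed and method.upper() in SAFE_METHODS)


def filter_request(method, path, session_token, request_token):
    """Return 'allow' or 'block' for one request, as a CSRF filter would."""
    if not token_required(method, path):
        return "allow"
    if not session_token or not request_token:
        return "block"
    # Constant-time comparison so the check does not leak token prefixes.
    same = hmac.compare_digest(session_token.encode(), request_token.encode())
    return "allow" if same else "block"


# Constructed requests: (method, path, token sent with the request)
SESSION_TOKEN = "constructed-session-token"
SAMPLE_REQUESTS = [
    ("GET", "/app/viewReport.jsp", None),                 # e-mailed report link
    ("POST", "/app/viewReport.jsp", None),                # exemption is GET-only
    ("POST", "/app/myCsrfProtected.jsp", SESSION_TOKEN),  # in-app form
    ("POST", "/app/myCsrfProtected.jsp", None),           # request without a token
]


def run_samples():
    """Decide each constructed request against the constructed session token."""
    return [filter_request(m, p, SESSION_TOKEN, t) for m, p, t in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(verdict, request[0], request[1])
```

Keying the exemption on the method as well as the path keeps a report page from becoming an unprotected route for state-changing requests.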

Arun Giridhar wrote:I have no friends in my life (live alone), the only friend I have is javaranch (aka ranchers) and I don't know many things ..... I was developing Technical skills (Many people were much better than me technically).



It is positive that you are reaching out to us and people have expressed their heartfelt opinions. I advise you to do what they say: Go see a doctor. Here in the states, if you told a doctor what you are telling us, he or she would give you anti-depressants that will make you feel better in two weeks (almost required via the law of defensive medicine).

the disclaimer: I have no qualifications to make such a judgement and we certainly over-prescribe these medicines, BUT STILL, do you live in a place where you can get access to a doctor and / or this medicine? This might be the lift you need out of the hole and walking forward again.
11 years ago

Tiya Khambadkone wrote:I want to write a java code that will
1. go a path (eg: C:/dev/myxmls)
2. pick one by one all files (all are having *.xml extension) from 'myxmls' folder
3. print that file name on console (System.out.println(filename))



We would much rather see you post your own code, working or not, and give you tips to help you get it working or point you toward resources that will help you to learn how to solve your problem using best practices.



show us the code you have so far so that we can advise on it.
11 years ago

Brian Wheeler wrote:

Tim McGuire wrote:

Brian Wheeler wrote:Hey Everyone,

I got my client side validation to work using this example provided here RichFaces Client Side Validation

Notice that there are no validation errors until you type and click out of that input form. Not a use case I want.

I'm trying to validate the input forms during an on submit action. Similar to the example provided here. rich:message demo

Using the above example source code, the problem I'm having is when I click the submit button nothing happens. No validation error and no submit action. Am I missing something? Can someone experienced with what I'm trying to do give me some feedback?

Thanks in Advance.



To be clear, you want validation to happen when you click submit button? I can't give feedback unless I see the code you use. Can you post the code that you are using?



Hey Tim,

Yes, I would like it to validate on the client side on submit, if validation pass submit form. Currently, it validates when you type text and move focus outside the form. I think this is default behavior. Here's the code snippet.

xhtml


bean



The example you linked to has validation parameters in the client side:


so, why don't you use a validateLength tag in your xhtml?
11 years ago
JSF

Brian Wheeler wrote:Hey Everyone,

I got my client side validation to work using this example provided here RichFaces Client Side Validation

Notice that there are no validation errors until you type and click out of that input form. Not a use case I want.

I'm trying to validate the input forms during an on submit action. Similar to the example provided here. rich:message demo

Using the above example source code, the problem I'm having is when I click the submit button nothing happens. No validation error and no submit action. Am I missing something? Can someone experienced with what I'm trying to do give me some feedback?

Thanks in Advance.



To be clear, you want validation to happen when you click submit button? I can't give feedback unless I see the code you use. Can you post the code that you are using?
11 years ago
JSF
Hi,

I'm looking for a way to verify that the jar files in a web application have had the latest security patches applied.
For example, Struts 2 versions before Struts 2.3.1.1 have a security hole (https://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/)

I'm looking for an automated way to scan an existing, deployed war file for this and other outdated jar versions.

Eventually the goal is to integrate this scan into our build sequence.
11 years ago
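One way to approach the scan asked about above, as an added example (not code from the post or from any existing tool): it reads `WEB-INF/lib` from a WAR and flags jars below a minimum version. The Struts 2 floor of 2.3.1.1 is the one named in the post; the artifact name `struts2-core`, the reliance on Maven-style file names and the sample WAR contents are assumptions.

```python
import io
import re
import zipfile

# Minimum patched versions. The Struts 2 floor is the one named in the post;
# a real table would be generated from vendor advisories.
MIN_VERSIONS = {"struts2-core": "2.3.1.1"}
# Assumes Maven-style names: <artifact>-<dotted version>[-qualifier].jar
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<name>[^/]+?)-(?P<ver>\d+(?:\.\d+)*)[^/]*\.jar$")

def is_older(found, minimum):
    """Compare dotted versions numerically, so 2.3.10 is newer than 2.3.1.1."""
    a, b = ([int(p) for p in v.split(".")] for v in (found, minimum))
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def scan_war(war, minimums=MIN_VERSIONS):
    """Return (outdated, unparsed) for the jars under WEB-INF/lib of a WAR."""
    outdated, unparsed = [], []
    with zipfile.ZipFile(war) as zf:
        for entry in zf.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            match = JAR_RE.match(entry)
            if match is None:
                unparsed.append(entry)  # no version in the name: review by hand
                continue
            name, found = match.group("name"), match.group("ver")
            minimum = minimums.get(name)
            if minimum is not None and is_older(found, minimum):
                outdated.append((name, found, minimum))
    return sorted(outdated), sorted(unparsed)

def build_sample_war(jar_names):
    """Constructed in-memory WAR holding empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = build_sample_war(["struts2-core-2.2.3.jar", "commons-logging-1.1.1.jar", "vendor-lib.jar"])
    outdated, unparsed = scan_war(sample)
    print("outdated:", outdated, "unparsed:", unparsed)
    raise SystemExit(1 if outdated else 0)  # non-zero exit fails the build step
```

Jars whose file names carry no version are returned separately rather than passed silently, since a renamed or repackaged library would otherwise escape the check.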
For real strangeness, read non-fiction

These two books told stories that seem too far-fetched for fiction:

The March of Folly by Barbara Tuchman (http://www.amazon.com/The-March-Folly-From-Vietnam/dp/0345308239) This book takes three historical periods (American Revolution, Protestant Reformation, and Vietnam era) and shows how those in power (the British throne, the Catholic Church, and the USA) spectacularly screwed things up.

and

The Big Short (http://en.wikipedia.org/wiki/The_Big_Short). This is a very recent book about the real-estate bubble and bust. It was a strange story in many ways at once including the personalities involved, the imaginative financial dealings, and the pure dysfunction on display.

11 years ago
can you edit your post and put code tags around the java code? It is very difficult to read otherwise.

like so:



also post your real code. This will not compile as is (typos, etc.).
11 years ago
I think anyone trying to help you will need more information. database optimization is a big subject.

How big is/are the table(s) you need to update? What does the actual SQL query look like (post the code).

are you sure there is a performance problem on the database side and not in the code? Do you have any tools that break down the database steps so you can see where it is taking too long? How did you decide which indexes are not being used, from an explain plan? Are you able to change the database around (denormalize) if needed?
I can only conclude that conn is null, except why would it work for update? It could be that the db user does not have insert privileges but has update privileges. Can you check that?

If that isn't it, please post more of the code, especially where you are creating the conn object, and post the full stack trace of the error. Use e.printStackTrace()

Santhi Muthusamy wrote:Hi,

I have sample.war deployed and running in tomcat. I have some contents added to webapps/sample/data. When I redeploy(auto) any new war I do not want to overwrite this folder (data). Is it possible with tomcat?



application data should be in a directory on the same level as webapps so that it is not erased when you redeploy your app.
11 years ago

mark I thomas wrote:I already tested my code (by the way it was not from any google..). But I didn't feel 100% sure if I can overwrite an existing timeinMillion so I don't know if there is any potential problem -- and that's why I posted the question.

Tim's response started with "Not really..." puzzled me because I didn't know what that "not really.." means so I was interested in hearing more from that part but unfortunately I didn't get any insight from him.

I thought when someone said "not really..." he must have something interesting in his mind and that's what I expected to hear and discuss with that person.

Tim's second email even confused me more --- It seems he was asking me "If you think there is no problem then why bother asking ?" Well, Most people believe they write the correct code but people still do code review in team, your peers may identify some potential issue that you don't see -- That's exactly why I posted that question.

I think I am very cool.


You are cooler than the other side of the pillow.

when you asked " I want to get a Calendar that is on the same day as "12345678L" but is at 6:00AM. Does this code achieve that ? "

I said "not exactly" because I wanted you to see that what you thought was 6:00 was actually 6:00:45. For my alarm clock in the morning, then this is good enough. For the Mars lander, maybe not.

When you said the code worked for you anyway, it became funny because I had identified a potential issue but the requirements began shifting under us.
11 years ago
can you post the code you use to start this one up?
11 years ago
if you say it is good enough, then it is good enough! How could I have a problem with that?
11 years ago