Prince Manchanda

since Jun 25, 2001

Recent posts by Prince Manchanda

Hi Dinakar,

I suppose you would be using the Type 4 Driver.

The jar file containing the JDBC Driver for MS SQL Server is available here: http://www.microsoft.com/en-in/download/details.aspx?id=11774.

Generally the name of the JAR file is sqljdbc.jar.

I am not sure why you need other JAR files for connecting to MS SQL Server.

Are you facing any other problem while connecting to the DB, apart from the JAR file issue that you mentioned?
Can you post some examples of the data that is getting replicated?

The application works fine but currently there is data getting replicated among different users.



Also, would recommend that you check for static variables in your Servlet. They are known to create problems, in my experience.
10 years ago
I would request you to share code to explain the problem you are facing.

Also what is the way to put the csrfguard.properties in my web project so that every time making jar from the csrfguard project is not required.



Not very clear what you mean or how you are using the CSRFGuard APIs. One way can be to put the properties file in your WEB-INF directory.
We have a Java/JEE based web application that relies heavily on *.properties files. Most of the properties are read-only, that is, rarely modified during run time. Still, there is a set of properties -- system configurations -- that can be changed via UI on the production servers.

The framework around properties is a home grown solution based on java.util.Properties class and also takes into account internationalization/localization of certain set of properties. We have more than 5000 properties files in our code base.

We are in the process of revamping the application and one of the questions that is being debated hotly is:

  • Whether we should replace the existing file based framework with a NoSQL database that supports key-value pairs. For example, Redis.

So, to decide on this we are looking for some sort of pointers on the following lines:

  • Will there be any change in performance whilst NoSQL DB vs file system?
  • One advantage that I see with using databases to store this information is that, if I were to set up new instances or move instances around in Cloud, then I won't need to copy the changed files.

However, I am a bit skeptical about adding an additional layer of accessing a DB just for the purpose of storing key-value pairs that in most of the cases are Strings (no large objects etc).

Do NoSQL database solutions typically perform better or worse than straight file access in read-only situations?

10 years ago
    Respected Experts,

    I am implementing a module for my web application that would be responsible for scheduling and running batch jobs. I am looking for frameworks (Quartz, Spring Batch) etc that can help me to avoid developing everything from scratch. The main features that I am looking for are:

  • UI that can be used to schedule the jobs and check the status of jobs in progress
  • Monitoring of the Jobs in progress e.g. time taken, reason for failure etc
  • Easy Extensibility to create new jobs. Our application will have few 'out of box' jobs that is these would be bundled
  • Ability to run batch and shell scripts
  • Minimal Performance Overhead
  • Interface with web application or can run within a Servlet container


    There are quite a good number of frameworks available but I am looking for some sort of expert opinion on these. Also, would I need to use two different frameworks (Quartz + Spring Batch) for these two requirements - Scheduling and Running? Or is there a single framework available that meets both the requirements?

    Thanks and Regards
    P Manchanda
    Our Web application depends heavily on Java Applets. For each Java Applet we have multiple signed jar files that contain the applet class and the dependent classes. The number of these JARs can go up to 70-80 per applet.

    Looking at the Java Console Logs, it seems that the JAR files are downloaded and processed one by one, in a typical sequential manner. This causes a delay in loading of an applet when the JRE cache is empty.

    To overcome this, one of the options that we are considering is to download the JARs in parallel. The following http://bugs.sun.com/view_bug.do;jsessionid=24ca0c1ebdaa56b65e5d2c2389b6?bug_id=6890389 bug discusses an issue with parallel download of JARs:

    So, my queries are:

  • Does the JRE download applet JARs in parallel by default, and the Java Console logs don't portray the correct picture?
  • If above is correct, then how to validate if JARs are being downloaded in parallel?
  • If above is not correct, how can we download JARs in parallel? Like some custom code approach or some flag for JRE.


    10 years ago
    I am exploring the use of Proguard for my web application. I am primarily interested in shrinking and obfuscating my Applets. What I observed was that the -keep options behave differently with SHRINK and OBFUSCATE options.

    For Example, my config file contains the following options to enable shrink and obfuscate and disable optimize and preverify:




    The only keep option that



    None of the classes in my input jar extend the Driver class

    On running this I get the following exception:



    After that I change my config file to remove the # that is uncomment the -dontshrink option. This means that I am instructing Proguard to only obfuscate my input jar. In this case everything works fine and I am able to get an obfuscated JAR. The package names and class names have been changed in the obfuscated JAR. All the classes from input JAR were present in the obfuscated JAR.

    In an attempt to understand the problem with SHRINK, I

  • Removed the comment from -dontobfuscate, so as not to obfuscate
  • Commented the above keep option and added the following keep condition:




    In this case I am only shrinking the code. On running this I was able to get an output JAR with only one class that was mentioned in the above keep option.

    This makes me believe that
  • in case of SHRINK, Proguard shrinks only those classes that match the keep conditions
  • in case of OBFUSCATE, Proguard obfuscates those classes that don't match the keep conditions


    Is this a known behavior or am I missing something?

    If this is a known behavior, then how do we make Proguard SHRINK and OBFUSCATE the same set of classes with a single configuration?
    I am looking for a tool (may be build time or Eclipse plugin) that can help me to identify if I am not logging the Exception trace/message.

    We have a legacy application that has try catch block in which a custom error message is logged. The exception is not logged and is not thrown. So, when a problem occurs, there is no stack trace in the log files that would help to debug the issue. An example of this is:



    I need a tool like Coverity or Checkstyle that can help me to identify all such occurrences in my code base.

    I want to understand how to configure Apache HTTP to display a 'custom page' when Apache is invoked directly. Apache displays its default page when invoked directly. This poses a security risk since it reveals the web server's identity. This problem is a bit more than just replacing or modifying the index.html. The details of the same are as under:

    We have Apache Web Server in front of JBoss. My application is accessed using the following URL:

    This URL request would serve the log on page from my application running on JBoss.

    When I hit the , Apache's default page is served that is index.html. We haven't tweaked this default configuration of Apache.

    My question is that how can I configure Apache to serve when I invoke .

    One way is that I use META REFRESH tag inside the index.html (or a custom html) and use it for redirection. I am looking for an alternative to this solution.

    Thanks and Regards
    Prince Manchanda
    11 years ago
    We have a bunch of Applets that work fine with JRE 6u29 with both 'Enable the next-generation Java plugin' option checked and unchecked. However, when we moved to JRE 1.7 (and JDK 1.7), the Internet Explorer started hanging while loading the Applets. This happens when the 'Enable the next-generation Java plugin' option is unchecked.

    The 'Enable the next-generation Java plugin' is available in Start > Control Panel > Java > Java Control Panel > Advanced > Java Plug-in. This option can be modified only on 32 bit JRE.

    To view the behavioral differences between JRE 6 and JRE 7, the following applet can be used:

    http://jdk6.java.net/nonav/plugin2/liveconnect/ArrayAccess.html

    This Applet runs (that is it shows the output) when the plugin option is checked. But it doesn't show any output with the plugin unchecked.

    Is this a known issue with JRE 7? Is there any workaround/fix for the same?
    11 years ago
    Do we have any way (apart from using suite() method) to ensure that the methods of a JUnit are returned in a specific order?

    We have quite a good number of JUnits (running into thousands). Many of them (don't have the exact numbers) are written in such a way that tests in a JUnit are dependent on each other. No doubt this is a bad design practice but the application is quite old.

    Till now we were using JDK 1.6 that maintained the order of the methods in same order as they appear in the source code. However, we need to move to JDK 1.7. But JDK 1.7 doesn't guarantee any ordering in which the methods are returned. This results in failure of the JUnits that have dependency.

    Using the suite method to maintain the order is not suitable as that would mean modifying all the JUnits.


    11 years ago

    if the request doesn't change data, but is just used to view a page or generate a report, then it probably doesn't need CSRF Guard, right?


    Agreed. This is the theory behind deciding which pages to CSRF protect or not. But unfortunately in our case, there is not a clean separation here. We even have GET requests modifying the server data or a servlet servicing both GET and POST requests.

    you don't want to use CSRF Guard on a page that you want accessed via an email link. You should be able to skip CSRF protection for these pages.



    The pages we protect for CSRF attacks are flagged by our in-house as well as customer pen tests. So, these have to be protected. Skipping them makes our customers and QA unhappy.
    11 years ago
    We implemented OWASP's CSRFGuard to protect our pages in the web application. For example */myCsrfProtected.jsp. We have injected CSRF token at all occurrences of */myCsrfProtected.jsp within the application. Everything works fine.

    However, we have other use case where the link to this protected page is sent out to users in an email. Think about a link to a report. Now when user clicks on this link, the token is missing or invalid and hence the CSRFGuard filter blocks the request assuming this to be a CSRF attack. (this is what filter has been implemented for :-) )

    Is there any way to handle this use case and allow access to CSRF protected page from outside the application?
    11 years ago
    My Web Application has few pages, the links for which are sent to the outside world in email. So, when user clicks on the link in the email, he/she will have to log in and then redirected to the link. An example of such link is for Saved Report.

    My requirement is that I want to identify if a request coming from such link is legitimate. That the link used to invoke the application is the same that has been sent in the mail.

    At first thought, the solution for this might be similar to what is used by sites for confirmation of new users. A link is sent to the new user's email and it contains some sort of encoded string.

    Any implementation details of this solution or any other solution would be really helpful.
    12 years ago
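
One way to build the "encoded string" link described in the post above, shown as an added example that is not part of the original post or of any framework: an HMAC-SHA256 tag over the report id, the intended user and an expiry time, checked after login. The class and method names, the demo key, the parameter names and the host `app.example.test` are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;

public class SignedReportLink {
    // Constructed demo key; a real deployment loads a random server-side secret.
    private static final byte[] KEY =
            "demo-key-change-me-32-bytes-long!".getBytes(StandardCharsets.UTF_8);

    private static String mac(String data) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = hmac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Builds the query string for the e-mailed link. Assumes ids are plain
    // alphanumerics: no '|' (the field separator) and no URL-reserved characters.
    static String sign(String reportId, String userId, long expEpochSec) throws Exception {
        String payload = reportId + "|" + userId + "|" + expEpochSec;
        return "report=" + reportId + "&user=" + userId
                + "&exp=" + expEpochSec + "&sig=" + mac(payload);
    }

    // Called after login. The tag is recomputed with the user taken from the
    // session, not from the link, so a forwarded link fails for anyone else.
    static boolean verify(String reportId, String sessionUser, long exp,
                          String sig, long nowEpochSec) throws Exception {
        if (nowEpochSec > exp) return false;               // link has expired
        String expected = mac(reportId + "|" + sessionUser + "|" + exp);
        return MessageDigest.isEqual(                      // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8),
                sig.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long now = Instant.now().getEpochSecond();
        long exp = now + 7 * 24 * 3600;                    // valid for one week
        String query = sign("42", "alice", exp);
        String sig = query.substring(query.indexOf("&sig=") + 5);
        System.out.println("https://app.example.test/report?" + query);
        System.out.println("untouched link:  " + verify("42", "alice", exp, sig, now));
        System.out.println("report altered:  " + verify("43", "alice", exp, sig, now));
        System.out.println("different user:  " + verify("42", "bob", exp, sig, now));
        System.out.println("after expiry:    " + verify("42", "alice", exp, sig, exp + 1));
    }
}
```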
    I have configured JBoss 5.1 for SSL using self signed certificates. The certificates were generated using . The configuration snippet from server.xml looks like:



    Everything works fine and I am able to access my test application over the secure port.

    https://myServerName:8443/hello/hello.jsp

    However, when I sniff the packets using WireShark, I don't see any handshake packet. Is it due to some mis-configuration or certificate error?
    12 years ago