Matthew Bendford

Ranch Hand
since Dec 01, 2020

Recent posts by Matthew Bendford

First you have to understand how e-mail is designed, how it's supposed to work and what's wrong with using static Transport.send().

To not get too far into it: static Transport.send() tries to directly connect to the MX of the recipient's domain. This only works when the server this code runs on is correctly set up to be an MX of your domain, otherwise your mails are most likely marked as spam or maybe even silently dropped without any error message at all.

That's where a proper mail server, an MTA, and non-static Transport.sendMessage() come into play: Instead of trying to directly connect to the recipient's MX you first connect to your MX and have it handle sending the mail. This way you also get proper error messages if the delivery of a mail failed, like if your domain or MX is blocked due to spam reports or if the recipient's inbox is full or doesn't exist.

Yes, JavaMail can be used to do all that - but you have to use it correctly in combination with a properly set up MX for your domain. Otherwise it looks like some malware running on your local machine trying to send out spam mails. That's why ISPs serving private customers have countermeasures in place to allow you to connect to properly set up MXs like Google or Outlook but prevent some malware going rogue from pretending to be an MX. Also private customer ranges are on pretty much any blacklist. So you have to rent a server in a proper datacenter with good reputation.
1 week ago
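The post above contrasts static Transport.send() with connecting to your own MTA and calling Transport.sendMessage(). The following is an added example (not the poster's code and not from any project mentioned on this page) of that second pattern with the JavaMail API: the Session is pointed at the submission port of an MTA with STARTTLS required and certificate identity checking, the message is handed to that MTA, and rejections from it surface as SendFailedException. Host, port, user name and the environment variable for the password are assumptions.

```java
import java.util.Arrays;
import java.util.Properties;
import javax.mail.Authenticator;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.PasswordAuthentication;
import javax.mail.SendFailedException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public class MtaSubmission {

    // Assumptions for this example: use the submission endpoint of *your* MTA.
    static final String MTA_HOST = "mail.example.test";
    static final int MTA_PORT = 587;
    static final String MTA_USER = "app@example.test";

    // A Session that talks to our own MTA with STARTTLS and authentication,
    // instead of letting static Transport.send() look up the recipient's MX itself.
    public static Session submissionSession(String password) {
        Properties p = new Properties();
        p.put("mail.smtp.host", MTA_HOST);
        p.put("mail.smtp.port", String.valueOf(MTA_PORT));
        p.put("mail.smtp.auth", "true");
        p.put("mail.smtp.starttls.enable", "true");
        p.put("mail.smtp.starttls.required", "true");       // refuse a plaintext fallback
        p.put("mail.smtp.ssl.checkserveridentity", "true"); // verify the MTA's certificate name
        return Session.getInstance(p, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(MTA_USER, password);
            }
        });
    }

    public static MimeMessage build(Session s, String from, String to, String subject, String body)
            throws MessagingException {
        MimeMessage m = new MimeMessage(s);
        m.setFrom(new InternetAddress(from));
        m.setRecipient(Message.RecipientType.TO, new InternetAddress(to));
        m.setSubject(subject);
        m.setText(body);
        m.saveChanges(); // sendMessage() does not call this for you; static Transport.send() does
        return m;
    }

    // Hand the message to the MTA and let it deliver; errors from the MTA surface here.
    public static void submit(Session s, MimeMessage m) throws MessagingException {
        Transport t = s.getTransport("smtp");
        try {
            t.connect(); // host, port and credentials come from the Session above
            t.sendMessage(m, m.getAllRecipients());
        } catch (SendFailedException e) {
            // The MTA rejected one or more recipients (unknown mailbox, over quota, ...).
            System.err.println("rejected:  " + Arrays.toString(e.getInvalidAddresses()));
            System.err.println("not sent:  " + Arrays.toString(e.getValidUnsentAddresses()));
            throw e;
        } finally {
            t.close();
        }
    }

    public static void main(String[] args) throws MessagingException {
        String password = System.getenv("MTA_PASSWORD"); // keep credentials out of source
        Session s = submissionSession(password);
        MimeMessage m = build(s, MTA_USER, "someone@example.test", "Hello", "Sent via our own MTA.");
        submit(s, m);
    }
}
```

Because the MTA answers synchronously on the submission connection, a blocked domain, an unknown mailbox or a full inbox produce an exception in the application instead of a silently dropped mail.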
So, as I end up implementing whatever solution in some language anyway I'd like to keep the topic general.

My rather simple question is: Given a properly secured channel (TLS with DANE and a DNSSEC-secured domain), how to best implement a simple user registration?
I'm aware of concepts like hashing with salt or even using one-time-pad schemes. But as far as I'm aware there's that one initial step where the user's login credentials somehow have to be set initially.
One type I encounter on a daily basis is to use the user's e-mail address as ID, have the user request a one-time-use token sent via e-mail (as there's no way to secure that I might opt to not use it) and then set a new password by supplying the e-mail address, the one-time token and the new password. To validate this the server then might check a few things like: does the second request come from the same remote IP the first one came from, was the token already used, do the data match up - but this leads me to the question: How to transmit the password? Send it in plain as the channel is taken to be secure? Hash it already on the client and only transmit the hash? Re-use the token as salt?

Or to put it this way: How do I end up with something reproducible in the database based on user input?

Thanks for any input in advance.

Matthew
1 week ago
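As an added example (not from this thread and not an answer on the poster's behalf), here is one common implementation of the registration step the question describes: the one-time token is random, only its SHA-256 fingerprint is stored and it is consumed on first use; the new password travels inside the TLS channel and the server derives what it stores with salted PBKDF2-HMAC-SHA256, which is the "reproducible" value a later login is checked against. Class and method names, the iteration count and the token lifetime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class Registration {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 600_000;  // assumption: tune to your hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    // What the database keeps for a pending registration: never the raw token itself.
    public static final class PendingToken {
        final byte[] fingerprint;  // SHA-256 of the token that was e-mailed
        final Instant expires;
        boolean used;
        PendingToken(byte[] fingerprint, Instant expires) {
            this.fingerprint = fingerprint;
            this.expires = expires;
        }
    }

    // Step 1: mint a random one-time token; the raw value goes into the e-mail link only.
    public static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static PendingToken record(String token, Instant expires) {
        return new PendingToken(sha256(token), expires);
    }

    // Step 2: the client posts (e-mail, token, new password) over TLS. The token is compared
    // in constant time and consumed on first use; the password is hashed server-side.
    public static String register(PendingToken pending, String presentedToken, char[] password, Instant now) {
        if (pending.used || now.isAfter(pending.expires)) return null;
        if (!MessageDigest.isEqual(pending.fingerprint, sha256(presentedToken))) return null;
        pending.used = true;              // single use, regardless of what follows
        return hashPassword(password);    // this string is what ends up in the database
    }

    // Salted PBKDF2-HMAC-SHA256, self-describing so the parameters can change later.
    public static String hashPassword(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha256$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    // Later logins: recompute with the stored salt and parameters, compare in constant time.
    public static boolean verifyPassword(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha256".equals(parts[0])) return false;
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt, Integer.parseInt(parts[1])));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();
        }
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String token = newToken();                                              // goes into the e-mail
        PendingToken pending = record(token, Instant.now().plusSeconds(900));   // goes into the DB
        char[] pw = "correct horse battery staple".toCharArray();               // constructed sample input
        String stored = register(pending, token, pw, Instant.now());
        System.out.println("stored:         " + stored);
        System.out.println("login ok:       " + verifyPassword(pw, stored));
        System.out.println("replayed token: " + register(pending, token, pw, Instant.now()));
    }
}
```

Hashing on the server rather than on the client keeps the stored value bound to a salt the client never sees, and storing only the token's fingerprint means a leaked table of pending registrations cannot be replayed against the confirmation endpoint.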
Although I'm not a lawyer - so the following has to be taken with care - the issue I see with "suggestions" like 185: They lack proper definition. I'm not aware of any and can't think of any explicit definitions defining specific words as an insult - at least not in written-down law texts. A judge may refer to a dictionary if it lists a word in question as an insult - but even such "human personal opinions" can be challenged.
Most "famous" is what many refer to as "Beamtenbeleidigung" - or as a literal word-by-word translation: "to insult some official". There's no such thing. So, if some official tries to threaten you with this you mostly can be sure that this official is "from the old times" and not up-to-date anymore. Unless you physically attack some official (that's what 185 calls "tätlicher Angriff") there's no proper baseline this could lead to any charges. I know for sure from my own personal experience. But, as you said: Although it may be possible by law it just doesn't happen, at least not anymore these days.
2 weeks ago
As you refer to Germany in specific, as a German I can assure you: at least in Germany you cannot get jailed for those examples.

- even when considering "insulting someone as stupid" as "hate speech" - at least in Germany you only can get fined for it - but getting jailed? NOPE

- not visiting your old parents? I can name you at least one nursing home right down my street where at least one of their "inmates" never got any visit from any relative for years - and for this you can't even get jailed
in Germany you can officially and legally just say "nope, I 'refuse' to be responsible for my parents any longer" - and that's it - then they're on their own

As for my fellow Europeans I don't think you can get jailed for either of them - fined? sure, but jailed? only in a more remote way: if you get fined and refuse to pay the fine THEN you can get jailed - but for not paying the fine instead of what you actually got fined for.

Fun Fact about German laws: For murder 1st degree you get about 25 years - for stealing taxes about 40 years. So, if there's a crime worse than 1st degree multi murder - it's not paying your taxes. So much for how much a life is worth in Germany ...
2 weeks ago
I don't want to start an argument or discussion about this. I'm aware that it's a common term in many languages. I'm also aware that there're maybe some languages with "real" multi-dimensional arrays with fixed-length inner level arrays. But Java isn't such a one, aside from the very common use case that often the inner/lower level in fact does have the same size.

Just as an example: I'm currently developing some content for the game ArmA3. It does support different loadouts and by this different configurations of a player's inventory. A major difference is whether a unit has a backpack or not. The game's engine represents this in a way that the overall unit inventory array follows a specific layout, but what's one level down determines the sub-inventories. If the slot for the backpack is null the unit doesn't have one, otherwise the slot contains a simple array with two elements: the type of the backpack and an array of carried items in it.
The overall data structure is something like this:
Object[fixed structure length][2][non fixed]
This doesn't really fit well and the game dev recommends not to use such a frankenstein to save a player's inventory, but it comes close. And although this array can have up to "3 layers" it's still not a 3-D array but just a fixed-size array of arrays potentially either 0 or 2 elements in size with a possible third array inside with non-fixed length, including 0.

The game actually stores the player inventory in several different data structures in binary and exposes several methods for different parts of the inventory. And although the game usually prevents you from doing so with scripts accessing these different methods one can even manipulate the inventory in such a way you end up with a backpack within a backpack. The only check the game does is to prevent circular redundancy like putting the outer backpack inside the inner one again - as this would cause a stack overflow.
2 weeks ago

Doug Xander wrote:i need to read a csv file using scanner


Why? That's a very bad idea and I would question that requirement. Even as an exercise it doesn't make much sense as it's far from any "real coding" - so there's no value in trying to solve some hypothetical question to come up with an idea how to solve some issue which should be prevented in the first place.
I can tell from experience: I once asked here how to parse some simple JSON because existing libs failed due to the other side generating non-valid data. Simple solution: I reported it as a bug to the maintainer that his code doesn't follow standards correctly and hence produces invalid data which libs following the standard fail to parse. As my report was dropped as "not a bug" I moved on to someone else with some working code producing valid data which can be parsed by existing libs.
TLDR: Before you try to solve a problem try to figure out if it's actually your fault. If someone wants you to parse CSV with a java.util.Scanner it's already game over right there. Nobody does that, and nobody even should consider it. Why bother figuring it out?

Piet Souris wrote:2D String array


There's no such thing as multi-dimensional arrays in Java, only arrays with an array as their specific type. A String[][] isn't a 2-D String array, but an array of String arrays - an array of String[]. This manifests itself in such a way that the "inner level" arrays all can have different sizes. Hence when iterating over such an array always use .length in the inner loop (or even better: foreach if possible and if you don't need an index).
As seen from a data structure view it's about equivalent to a list of lists - which doesn't make it a multi-dimensional list.
2 weeks ago
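The two posts above (the ArmA3 inventory structure and the "array of String arrays" reply) make the same point: in Java the inner arrays are independent objects with their own lengths. The following is an added example, not the poster's code, that shows why using the first row's length for every row is a bug, the for-each form that sidesteps it, and a slot-based structure of the Object[fixed][2][non fixed] shape with a null slot. Item names are constructed sample data.

```java
public class ArrayOfArrays {

    // An array of String arrays whose inner arrays deliberately differ in length.
    static String[][] jagged() {
        return new String[][] {
            { "a" },
            { "b", "c", "d" },
            { }                 // an empty inner array is perfectly legal
        };
    }

    // Wrong: assumes every row is as long as row 0. With the data above this silently
    // skips "c" and "d" on row 1 and throws ArrayIndexOutOfBoundsException on row 2.
    static int countAssumingRectangular(String[][] a) {
        int n = 0;
        for (int i = 0; i < a.length; i++) {
            for (int j = 0; j < a[0].length; j++) {   // bug: row 0's length used for every row
                if (a[i][j] != null) n++;
            }
        }
        return n;
    }

    // Right: every inner array is asked for its own length; for-each needs no index at all.
    static int count(String[][] a) {
        int n = 0;
        for (String[] row : a) {
            for (String s : row) {
                if (s != null) n++;
            }
        }
        return n;
    }

    // The inventory shape from the post: a fixed number of slots, each slot either null
    // or a two-element array { type, carriedItems[] } where carriedItems has any length.
    static Object[][] inventory() {
        Object[][] inv = new Object[3][];             // only the outer length is fixed
        inv[0] = new Object[] { "Vest",    new String[] { "Magazine", "Bandage" } };
        inv[1] = null;                                // no backpack in this slot
        inv[2] = new Object[] { "Uniform", new String[] { } };
        return inv;
    }

    static int carriedItems(Object[][] inv) {
        int n = 0;
        for (Object[] slot : inv) {
            if (slot == null) continue;               // an empty slot, not an empty array
            String[] items = (String[]) slot[1];
            n += items.length;                        // inner length, whatever it is
        }
        return n;
    }

    public static void main(String[] args) {
        String[][] j = jagged();
        System.out.println("items in jagged array: " + count(j));
        System.out.println("carried items:         " + carriedItems(inventory()));
        try {
            countAssumingRectangular(j);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("rectangular assumption failed: " + e.getMessage());
        }
    }
}
```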
For me JEP 380: Unix domain sockets is a very welcome addition. Still no low-level raw socket access for something like ICMP or DHCP, but in fact for my current project very useful.
I'm not sure yet how it'll affect performance over localhost ip4/6 socket (as I guess the kernel will do some background magic optimization anyway), but it closes about half a dozen to a dozen of currently still open ip sockets I can close now.
Also: Would like to see if the mariadb jdbc driver adapts to it - bye bye tcp/3306 ...
3 weeks ago
even better: don't extend any swing class but just use them
extending a class is a "IS-A" relationship - but your application isn't a JFrame or JPanel but just uses them
1 month ago
rename your class, as it hides java.lang.StringBuilder
or address java.lang.StringBuilder by its fully qualified name
it's not a good idea to name your class the same as an already existing one
also: please post console output as text rather than as screenshot - it's hard to read small images on a mobile device
1 month ago
As another example: Germany uses variable length for both area code and actual phone number. While most new phone numbers are supposed to be at least 7 digits + area code, there're also 8-digit numbers and a lot of really old ones as short as only 3 or 4 digits (back from the early years after WW2). Also area codes differ: Berlin has (0)30 while some other area may have one like (0)3925. Also the first 0 is omitted when using international style: +49 30 ... while calling a number in Berlin usually only uses 030 ... when called from within Germany with area prefix only.
Have a look at Wikipedia, it has some lists of different area codes used around the world.
Also: be aware that users might also use other characters as delimiters. In Germany the hyphen -, the slash / and parentheses () are common.
1 month ago
Thanks Tim, that reply really got me a push into a possible direction: ActiveMQ
I was looking up Apache ServiceMix, and its Wikipedia article mentions ActiveMQ. As I use Apache James as my mail server (actually for a couple of years now - works great) I remembered some message queue (MQ) discussions on its mailing list - and it clicked: As my use case is already heavily event based - why not extend on that and use an event bus - or a message queue for that matter.
I then just looked up ActiveMQ's page - and it already greeted me with what I was looking for: some clean info how it can be used by several languages, including Java and PHP. I then looked up how to access ActiveMQ from PHP: STOMP. Looked that up - and after installing the PECL and openssl-devel packages on my server a simple sudo pecl install stomp did the trick. Just added another .ini in /etc/php7/conf.d and a restart of my Apache - and it shows up on phpinfo().
I actually already found not just one, but TWO examples explaining exactly my use case: use PHP as the producer and Java as the consumer.

I'm currently tinkering around with setting up the ActiveMQ broker - but that should be rather easy following the guides I found. Guess THAT's A, maybe THE, route I go, as it fits my overall project so well.

Thanks again Tim for that advice - helped quite a lot.
1 month ago
The backend is just some basic java stuff, no servlet container or application server. I do have some very basic http server code which I'm using for my PXE setup, so setting up a reverse proxy in my apache config would also be an option, as this is what I would do to "hide" a servlet container or application server anyway, but a simple control socket is also an option. As I plan to come up with my own protocol for communication between the game extension and the backend anyway I could extend it to be reused for communication between the php and the backend. It's not like I care about some additional latency or fear setting up some additional stuff - but as I'm rather lazy I'm looking for an easy simple way of implementing it.
1 month ago
So, the flow is this:
- a new player joins the game server
- the backend checks whether the user has joined before (by a unique id)
- if the user didn't join before a popup is displayed to ask for an e-mail address
- after input and clicking a button the e-mail address is sent to the backend, checked if it's valid (by some DNS tricks), an ID is generated to be stored in a database and an e-mail is sent out
- the user has to check the inbox and click the link
- when the page is loaded the webserver sets a flag in the database (by php as one possibility) - and then the script triggers a callback to the java backend <- this is where I'm stuck
- the java backend sends an event back to the gameserver which results in the game client showing a confirmation and closes the popup

I'm stuck at the second to last step: causing some listener in the java backend to trigger when the webserver loads the php script.
Sure, I could use exec() to call some binary, or use fsockopen to connect to the backend itself, or I even can use mail() while the backend uses IMAP IDLE to listen for it, or even google how to set up an application server and send the event back to the game server this way. They're all possible options - but I'm not sure which way to go. To avoid some exploitable open inbox I would avoid the mail approach, using exec() would run some binary as the user the webserver runs as, and setting up an app server - I'm not sure if that's what I'm looking for as "some simple lines of code". So, maybe using fsockopen() to connect to a control socket opened by the Java backend is a possible way.

Any inputs?
1 month ago
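The JEP 380 post further up and the step this flow is stuck at fit together: a local control socket that the Java backend listens on and that the PHP script connects to. The following is an added example, not the poster's code and not from any project on this page, of such a listener built on Java 16's Unix domain socket support. The socket path, the one-line "VERIFIED <id>" message format, the id syntax and the onVerified hook are assumptions; the point is that the file mode of the socket decides which local user may connect, and that the listener accepts exactly one bounded, strictly matched line per connection and nothing else.

```java
import java.io.IOException;
import java.net.StandardProtocolFamily;
import java.net.UnixDomainSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ControlSocket {

    // Assumptions for this example: path reachable by the backend user and the webserver's group.
    static final Path SOCKET_PATH = Path.of("/run/gamebackend/control.sock");
    // One request per connection: "VERIFIED <32 hex chars>\n" and nothing else.
    static final Pattern VERIFIED = Pattern.compile("VERIFIED ([0-9a-f]{32})");
    static final int MAX_LINE = 256;

    // Pure parser: returns the id only if the whole line is exactly what we expect.
    static Optional<String> parseVerified(String line) {
        if (line == null) return Optional.empty();
        Matcher m = VERIFIED.matcher(line);
        return m.matches() ? Optional.of(m.group(1)) : Optional.empty();
    }

    // Read one line, refusing anything longer than MAX_LINE bytes.
    static String readLine(SocketChannel ch) throws IOException {
        ByteBuffer buf = ByteBuffer.allocate(MAX_LINE);
        while (buf.hasRemaining()) {
            if (ch.read(buf) < 0) break;              // peer closed without sending a newline
            for (int i = 0; i < buf.position(); i++) {
                if (buf.get(i) == '\n') {
                    return new String(buf.array(), 0, i, StandardCharsets.UTF_8).trim();
                }
            }
        }
        return null;                                  // no complete line within the limit
    }

    static void reply(SocketChannel ch, String s) throws IOException {
        ch.write(ByteBuffer.wrap((s + "\n").getBytes(StandardCharsets.UTF_8)));
    }

    // Hypothetical hook: look the id up in the database and push the confirmation to the game server.
    static void onVerified(String id) {
        System.out.println("verified: " + id);
    }

    public static void main(String[] args) throws IOException {
        Files.deleteIfExists(SOCKET_PATH);            // a stale socket file blocks bind()
        try (ServerSocketChannel server = ServerSocketChannel.open(StandardProtocolFamily.UNIX)) {
            server.bind(UnixDomainSocketAddress.of(SOCKET_PATH));
            // The socket file's mode decides who may connect: owner (backend) and group (webserver).
            Files.setPosixFilePermissions(SOCKET_PATH, PosixFilePermissions.fromString("rw-rw----"));
            while (true) {
                try (SocketChannel client = server.accept()) {
                    Optional<String> id = parseVerified(readLine(client));
                    if (id.isPresent()) {
                        onVerified(id.get());
                        reply(client, "OK");
                    } else {
                        reply(client, "ERR");         // malformed, oversized or empty request
                    }
                } catch (IOException e) {
                    System.err.println("client error: " + e.getMessage());
                }
            }
        }
    }
}
```

On the PHP side the script would connect with fsockopen() using a unix:// address for the same path, write the single line and read the reply. Because there is no TCP port, nothing on the network can reach the listener at all, and the directory and file permissions (plus the process umask in the short window between bind and chmod) are the whole access control; the regex and the length cap make sure the only thing a misbehaving caller can obtain is an "ERR".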
So, I'm not sure where this fits best, but that's something that bothers me for quite some time now. As I don't have any experience about setting up an application server or have a servlet deployed I'm looking for quite some easy way.
What I want to accomplish sounds simple:
- a user enters an e-mail-address
- a simple php script generates a unique ID and sends an e-mail for verification to the user
- the user clicks on the link and opens the validation page
- the webpage verifies the token and triggers some external event
My issue is the very last step: How to trigger the external event when a user browses to the page? I came up with things like exec() or sending another mail to an internal mail account another process listens on via IMAP IDLE, or even calling something like fsockopen, but all things I came up with either are not recommended due to exploitable security risks or just require some heavy resources not suitable to be used by many users at the same time.

So, does someone have experience in this topic? May I need to provide some more information what I actually want to use this for? Is setting up a full-blown application server a good way, having it sit idle for most of the time hogging system resources? Is there a "good" way to maybe do this with PHP or other tricks a simple LAMP server provides?
I'm open to any advice or questions.
1 month ago
Well, what lesson can be learned from that? Always post anything!
As you see: The stacktrace ends in some FtpURLConnection (and I'm sure the real stacktrace doesn't end there) and that's all we got - without any knowledge what the given address might be ...
So, all we were able to do was to guess blindly in the blue.