Security Headers

I saw a post on Twitter about Security Headers. Basically Security Headers will scan your website and check for some common HTTP headers that you should be including to make your site more secure. They also include helpful links as to how to fix the issues it finds. On my first scan it warned me of the following: MISSING Content-Security-Policy, MISSING X-Frame-Options, MISSING X-Xss-Protection, MISSING X-Content-Type-Options, MISSING Public-Key-Pins, and X-Powered-By. After going through their documentation I added all of those headers except for Public Key Pins. I am not 100% on that; my concern is when your certificate expires and you replace it (which on a free certificate happens every year) do you end up with people getting an error on your website for the next week because they have an old key pinned? Not sure enough about that to actually enable it, which is why I hadn’t previously enabled it. The other headers though I didn’t realize could be an issue so I promptly corrected them. The one thing I couldn’t easily fix was the Server header as apparently that is compiled into NGINX and I wasn’t feeling like compiling my own from source. I was able to remove the version string though. All in all they give some very easy configuration changes you can make to help prevent attacks against your website and I strongly recommend giving their tool a look.
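As an added example (not configuration from this post or from the Security Headers site), here is a minimal NGINX server block that sends the headers the scan flagged and hides the NGINX version string. The hostname, certificate paths, document root and the Content-Security-Policy value are placeholders that a real site would need to tune; the Public-Key-Pins line is deliberately left commented out for the reason the post raises, since the HPKP spec (RFC 7469) requires a backup pin for a key not yet in use precisely so that certificate rotation does not lock visitors out, and browsers have since dropped HPKP support anyway.

```nginx
# Added example, not the blog's own config. Lives inside the http { } block.

server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder

    # Weak setting: the default is "server_tokens on", which sends
    # "Server: nginx/1.x.y". Turning it off leaves "Server: nginx"; the
    # product name is compiled in, so dropping it entirely needs a
    # third-party module (e.g. headers-more), i.e. a build from source.
    server_tokens off;

    # "always" sends the header on 4xx/5xx responses too, not only 2xx/3xx.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Note: current browsers have removed the XSS auditor this header drove.
    add_header X-XSS-Protection "1; mode=block" always;
    # Start restrictive and loosen per resource type; this policy is an
    # assumption for illustration and will break inline scripts/styles.
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'self'" always;

    # Left out on purpose: a pin set needs a backup pin for an unused key so
    # rotation does not strand visitors for max-age; placeholders only.
    # add_header Public-Key-Pins "pin-sha256=\"<current-placeholder>\"; pin-sha256=\"<backup-placeholder>\"; max-age=5184000" always;

    location / {
        root /var/www/example;                                # placeholder
        # Caveat: add_header is not additive across levels. If this location
        # declared any add_header of its own, none of the server-level headers
        # above would be sent for it; repeat them here in that case.
    }
}
```

After a reload, a quick check is to request both a normal page and a 404 from the site and confirm the four headers appear on each response and that the Server header no longer carries a version.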

AspectJ Maven Plugin update

I am happy to report that after much delay the Mojohaus team has finally fixed the AspectJ Maven plugin to allow disabling the annotation processing by the AspectJ compiler. It will be fixed in version 1.8 of the plugin. You may recall that back in April I was forced to fork the project to fix this and move on so I could do our Spring 4.1 upgrade. I look forward to switching back to the community version and at that point I will probably delete my GitHub repository as I never wanted to maintain my own version to begin with. Now back to some programming on my new Cassandra layer…

Spring Boot for prototyping

I am on a new project at work that looks to be very interesting. I am redesigning our Cassandra layer. Currently we have a beautifully done layer that was designed and implemented by our former architect. It ends up making Cassandra look just like a JPA entity and we have Cassandra Repositories that look just like Spring Data JPA Repositories. After this was in place we discovered the Spring Data Cassandra project. We went to the talk on Spring Data Cassandra and it turns out they had implemented pretty much the system that our architect implemented.

Now my goal for this project is to create a higher level Cassandra abstraction for our system. Often in Cassandra we create multiple tables to represent the same data. The reason is that how you structure the data in CQL determines which queries you can run. We have the need to query some tables in many different ways so we need multiple tables to be able to answer the questions that we could in the SQL world. In our architecture we don’t want the developer to worry about which table they need to query for a given question; we would like to present this more like a standard JPA entity where the developer doesn’t need to worry about it and we abstract away which particular table is being queried or which tables are being saved to.

One of the initial thoughts of this project was to use Spring Data Cassandra. The advantage of that is we would have a third-party library we could use so we wouldn’t have to maintain the low level Cassandra code. At one point I was considering ripping out our custom Cassandra data layer and just using the Spring Data one (prior to this project) as ours is so close to what they are doing anyway; why should we maintain that code when there is a perfectly good library we could use and we are already using Spring Data JPA. Right now I am not sure if I want to do that anymore though. If I go with Spring Data Cassandra each of the underlying tables would need to be modeled as a separate entity like our current framework. In that case then I would need a second layer on top if I am trying to present 1 domain object backing multiple tables so this seems like it isn’t ideal for what we are thinking. Another thing I am not 100% on with Spring Data Cassandra is that it isn’t backed by Pivotal. It is a community plugin. That isn’t necessarily a problem but I do have concerns about how up to date it will be. One way to look at this is maybe I should be involved in the plugin since clearly I could be working on that as well, but I get a little concerned about if it will be around otherwise. I noticed that the Spring Data Cassandra project is built off of the DataStax 2.0 driver. So if we are running off of Cassandra 2.1 (which we probably will be by the time this project goes live) we aren’t necessarily taking advantage of the new features. Again I could submit a pull request to update it, but given that I am not sure this is the right approach anyway at this point I haven’t decided to go this route (though that may change). Another thing I noticed is Spring’s Initializr doesn’t list Cassandra as an option out of the box. Though I suspect if you checked JPA and then added Spring Data Cassandra to your Maven POM or Gradle file it would probably work.

So how does this tie into Spring Boot? Well I am not a big design-everything-up-front kind of person. I tend to like to play around in code to come up with my design ideas. So I decided I want to prototype against what we are doing so I can see how this design would play out in code. I downloaded a new Spring project from the Initializr with AOP, JAX-RS, Actuator, and Shell support. I then pulled our code for our Cassandra layer into there and added the Cassandra driver to the Maven POM. I updated the application.properties file with my Cassandra database properties and lo and behold I was up and running with a framework to test all of my changes in. Even though I have played around with Boot, seeing myself able to build a sandbox to play around with this design in so quickly was very impressive to me. So now I can evolve this design without messing up our current code base and when I get to something I am happy with I can just bring those changes back into our branch and we will be ready to go with our new design. So even though I am stuck with a monolith and I couldn’t easily bring Boot into our main product, the design of our project is such that it was very easy to pull that whole layer into this project and just be up and running with almost no configuration (aside from setting up the Cassandra connection properties).

So as usual I think Spring Boot is the bomb and everyone should be using it. I look forward to seeing where this design takes me. Once I have my high level sorted out I may try playing with dropping Spring Data Cassandra in the low level to see if we want to use that as our base, but my current guess is we won’t end up going that route.

Java 8 lambdas and streams

I just finished up the Java 8 lambdas and streams class. I finished a little later than I wanted to because I decided to upgrade to Windows 10 last week, which was an epic failure. I used the media download tool to upgrade prior to my machine coming up in the queue and the upgrade ran normally and things appeared to work fine. At the end it booted up and presented a login screen. I attempted to log in and the machine sat there spinning for about a minute and then rebooted. After coming back, the same. At that point I realized I made a mistake trusting the upgrade; my normal Windows procedure is to buy a new drive, do a clean install and then bring my data over. (That was last Wednesday.) So Thursday at noon I ran over to Microcenter and bought a new drive. Then over the weekend I did a clean install of 10 and copied my data from the old drive. I am now up and running on 10 and I would have to say I like it more than Windows 7. It seems fast on my old machine, the UI improvements are great, but I haven’t yet had a chance to test any of my games on Steam to see how it handles video gaming. A coworker tried to upgrade his Windows 7 laptop which also failed but his automatically rolled back. My nephew was able to successfully run the upgrade from Windows 8.1 so it seems like 8 is a safer OS to upgrade from.

Now on to the class: I did lesson 3 and Simon did a great job closing out the topic. My first impression of the course was that I thought I preferred Venkat’s approach to the topic at SpringOne 2014, but what I liked about Simon Ritter’s approach was he covered a lot of low level questions I immediately had when watching the videos, like primitives vs a lot of boxing and unboxing of variables. Another advantage of Simon’s course was the homework was amazing. I would watch all the lectures and be like yeah I got this, and then the homework would hit and I would be like wait, how do I do that again? I watched Venkat’s video, but since I didn’t start using the stuff right away it didn’t stick. In this case I was forced to use the material from the video which was super helpful. The homework questions seemed to escalate in difficulty which was good to really reinforce the knowledge. The test questions were really good, but I didn’t like the questions where you had to check multiple correct answers, and I think those were the ones I missed. I think I do better with a radio button style of answer than a check-all-that-are-right test, but I still passed all the tests easily after doing the homework.

I have to say homework 3 was brutal; I haven’t completely finished the problem yet, which is probably a good sign as it really challenged me whereas all the previous homework problems I could work through in about 30 minutes. So at the end of the day would I recommend the course? Most definitely, it was great and I am much better off for taking it. This was my first practical use of the new Java 8 constructs and the material was laid out in such a way that it really challenged my thinking to get me to stop thinking imperatively and start thinking functionally. I have approval at work to start working on our JBoss EAP upgrade and once I get that in place Java 8 will be a go. Hopefully in the next month or two we will be running this in production and then I am going to turn on Java 8 compilation and start using this stuff. They are talking about re-running this class in September and anyone who missed this round should sign up then. Also you should follow Simon Ritter on Twitter at @speakjava.