how to cancel when volunteering for first (frc/ftc/fll)

A friend asked me how to switch from one volunteer event to another on firstinspires.org. It isn’t intuitive at all.

The answer:

  1. Logon to firstinspires.org
  2. Click “My dashboard”

If you were already assigned to the role

  1. Expand “assigned event volunteer roles”
  2. Click “Role options” pull down
  3. Click “Message coordinator” and write a message saying you are switching to Saturday

If you were not yet assigned to the role

  1. Expand “pending applications”
  2. Click “Role options” pull down
  3. Click “withdraw application”
  4. Click “withdraw”
  5. Hope it worked. The role still appears in your list so you aren’t automatically withdrawn (not great usability)

[2018 oracle code one] JWT’s suck

JWTs Suck
Speaker: Randall Degges
@rdegges

For more blog posts, see The Oracle Code One table of contents


JWT (JSON Web Token)

  • pronounced “jot”
  • JSON data
  • cryptographically signed
  • Not encrypted most of the time
  • Prove that some JSON data can be trusted
  • Common use case: Website generates JWT after validating credentials. Website then sends JWT to browser and browser stores in localStorage. Then browser sends to website for subsequent requests.
  • There are stateless and stateful JWTs. The latter maps to a session id. People don’t use stateful JWTs.
  • 2012 – Spec came out
  • 2014 – began gaining adoption/marketing
  • seven of the first 10 hits on jwt are marketing pitches

Cookies

  • JWT stores session id as JSON blob. In cookie, just a string.
  • Session cookies are underappreciated
  • Use HttpOnly flag
  • Use SameSite-strict flag
  • Use secure flag
  • Browser sends cookie header to website

HTML Local Storage

  • Accessible only from JavaScript
  • Store key value pairs in browser

Myths about JWTs

  • JWTs are easier to use – JWTs require additional tools, libraries and knowledge to function. Developer effort. Vs session cookies which are built into all web frameworks.
  • JWTs are more flexible – Cookies can store one piece of data per cookie or serialize into a cookie. JWT has claims, which are certain pieces of data that are always included – ex: when the token was created/expires. A cookie actually expires at its expiration time. Tokens don’t disappear automatically
  • JWTs are more secure – Cryptographically signed and can be encrypted. However, actually using the encryption feature is rare. The spec is complicated and libraries vary in support. Also multiple vulnerabilities in past two years.
  • JWTs prevent CSRF – Cookies are susceptible to CSRF because sent to server automatically. Local storage is safe from CSRF because developer needs to write JavaScript to send the data. However, you are now vulnerable to XSS which is worse. CSRF is far easier to fix than XSS because most websites link to Google Analytics, third party jquery, etc. OWASP recommends not storing any sensitive information in local storage.
  • JWTs are better for cross domain authentication – Good when create temporary token that lasts for 10 seconds. It is used between the login service and your app.
  • JWTs are more efficient than cookies – 179 bytes. If you just sign the id part, it is 64 bytes. The difference is even greater when you add data.
  • JWTs are easy to revoke – Could change the signing key of the application, but that also logs out the other users. Alternatively, use the revocation list pattern so you can invalidate one. But now you’ve introduced state/database/cache.

Better use cases for JWT

  • Short duration (one minute or less) for one time use
  • ex: downloading a file, resetting a password
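Two of the talk’s points fit one small demo: a one-minute, single-use token (password reset, file download) and the revocation list that drags state back into an otherwise stateless token. This is an added Python example, not code from the talk or the speaker; the signing key and claim values are constructed, and the verifier keeps the set of redeemed `jti` values as its revocation list.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, now: int, ttl_seconds: int = 60) -> str:
    """Sign an HS256 JWT that expires ttl_seconds after `now` (default: one minute)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    compact = (",", ":")
    signing_input = (b64url(json.dumps(header, separators=compact).encode()) + "."
                     + b64url(json.dumps(payload, separators=compact).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class OneTimeTokenVerifier:
    """Redeems single-use tokens; `used` is the revocation list (server-side state)."""

    def __init__(self, key: bytes):
        self.key = key
        self.used: set[str] = set()  # jti values already redeemed

    def redeem(self, token: str, now: int):
        """Return (payload, "ok") or (None, reason). Signature is checked before claims."""
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        h, p, s = parts
        # Pin the algorithm instead of trusting whatever the header advertises.
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None, "bad alg"
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None, "bad signature"
        payload = json.loads(b64url_decode(p))
        if payload.get("exp", 0) <= now:  # the token carries its own expiry
            return None, "expired"
        jti = payload.get("jti")
        if not jti or jti in self.used:  # second presentation of the same token
            return None, "replayed"
        self.used.add(jti)
        return payload, "ok"
```

Issuing the token costs nothing server-side; it is the single-use requirement that forces the `used` set (or a database/cache) into the design, which is the trade-off the talk describes.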

My take: I hadn’t heard of JWTs. So I learned a lot! It was fun hearing the audience questions/comments/statements. That said, I need to read up on the topic to see the other point of view.

[2018 oracle code] psa java is still free

Public Service Announcement: Java is Still Free

Speakers: Trisha Gee (Java Community), Simon Maple (LJC – London Java Community), Roman Kennke (Red Hat) (Didn’t catch his name), Simon Ritter (Azul), Tim Ellison (IBM) + Moderated by Steve Poole (IBM)

For more blog posts, see The Oracle Code One table of contents


This talk is mainly Q&A. The high points.

  • What do the recent changes mean to us?
    • Simon R – 6 month release cycle/faster releases/new features more quickly. Oracle said impractical to provide long term support for all releases. Strategy similar to what Ubuntu does; one release every three years is LTS and others are feature releases. JDK 11 under different license. If download from oracle.com, Oracle Technology License Agreement – can use in dev/test/demos free. Must subscribe to use in Prod. If download from openjdk, can use completely free – GPL v2. OpenJDK has updates for 6 months. Open JDK source code product is what everyone uses to build. Oracle will contribute changes to Open JDK for 6 months. This means Adopt Open JDK will need someone to backport fixes from later releases to add long term support. Someone (probably RedHat) will have to step up to lead Open JDK project for JDK 8 and 11 to do the work of backporting fixes. Azul has Zulu which is Open JDK build. Have community version which is free and a commercial version where provide support for less $ than Oracle.
    • Tim – At IBM, Java is an enabler. IBM and customers have a lot invested in Java. Goal is not to make money from Java directly. Money comes from higher level products that run on Java. Goal/working on contributing back to OpenJDK and Eclipse community. Also offer a support contract. Work for hire. IBM represents problem you have in Java community.
  • IBM will contribute to OpenJDK if find bug fixes. Will this make branches differ?
    • Tim – for 6 months Oracle doing in public OpenJDK. After that, will be an internal fork from Oracle. The public OpenJDK one will be under control of the stewards of that project. There is a risk that the fixes are different. [there’s always been that risk for IBM JDK, no?]
    • Simon R – Oracle will upstream fixes into OpenJDK 11 until JDK 12 comes out. After that, not as easy as just back porting JDK 12 fixes. Since there are new features added, need to determine what is a bug fix or security fix that needs to be back ported. Further, features get removed (ex: CORBA module). Therefore there are no bug fixes/security patches for that feature to back port.
    • Roman – Took over OpenJDK 6 and then OpenJDK 7 updates after Oracle stepped back. Plan to do the same for OpenJDK 8 and 11 when that happens. RedHat plans to support OpenJDK 8 until 2023.
    • Simon R – Private group behind OpenJDK for major vendors that contribute. This is where security issues get discussed so patches can be made available. It’s not just Oracle. Covers versions as long as anyone is supporting.
  • Has Oracle committed to giving vulnerability group opportunity to back port before CVE released publicly?
    • Simon R – Yes. They are discussed earlier
  • Scott Selikoff asked how similar OpenJDK and Oracle JDK are at release?
    • Trisha – Aiming for it to be the same binary. Not literally the same because the license is in the binary.
    • Roman – Built from same sources
    • Simon R – Functionally the same
    • Trisha – If a bug is in one, it should be in both
    • Simon M – unlocking commercial features doesn’t make sense in OpenJDK, but does in Oracle JDK
  • Scott Selikoff asked if recommend using a non-LTS release?
    • Trisha – “it depends”. Large enterprises will go with LTS. Some people will be happy to use new features as they come in. Stable enough to use in prod. Non-banks may be happy to use.
    • Simon R – Java 13 and 15 are MTS (medium term support). Commercial decision on how long something supported
    • Trisha – LTS and updates are not the same thing. In past, were getting updates but not support
  • Is JDK license included in Oracle product
    • Simon R – ask Oracle
    • Trisha – thinks comes with product
  • If on Zing JDK 8 now and willing to upgrade once in next two years, what/when go?
    • Simon R – Following same LTS strategy as Oracle for Zing. Use Zulu/Red Hat/AdoptOpenJDK as alternative to Oracle JDK
  • What are the ramifications of the license period lapsing in an internet-sparse location?
    • Tim – ask Oracle. Wouldn’t stop working, but ask Oracle about licensing.
  • Why call OpenJDK 11 LTS if you only get support for 6 months? What are plans for CVEs after that 6 month period? Using a CMS requires a supported JDK.
    • Roman – RedHat supporting JDK 11 for many years. OpenJDK patches still free.
    • Tim – cost depends on where you get JDK from. Oracle created 3 year LTS concept. Vendors stepped up to align.
    • Simon M – LJC (London Java Community) and many companies using Adopt OpenJDK platform turned into build engine to make OpenJDK binaries available to community. Aiming for 4 years for LTS releases. Support people typically buy covers support and security. Support contracts gets vendor commitment to fix reported issues. Vs filing a bug and hoping it will happen. Most people care about CVEs not issues they specifically found.
    • Trisha – Oracle talking about Oracle releases OpenJDK. But not the only people to produce OpenJDK binary.
    • Simon M – Adopt OpenJDK supports more platforms than Oracle
    • Simon R – Difference between source code and binaries. Source code contains changes. Someone still needs to create the binaries. Aka vendors.
    • Roman – Trying to create OpenJDK binaries
  • Suppose Oracle makes small features to their branch. Do you see them doing that?
    • Trisha – that’s not how it works
    • Simon R – Oracle doing the opposite. Removing commercial features from Oracle JDK.
  • Will RHEL and WebSphere use LTS versions?
    • Roman – yes
    • Tim – Yes for IBM WebSphere
  • Thoughts on Mark R and running build with latest every 6 months?
    • Simon R – It’s about preparing for the future. Ideally you learn impact every 6 months.
    • Simon M – APIs can be removed. By testing on feature releases, better understanding in advance of how app could break.
    • Trisha – Changes need to make to app should still work on Java 8 so can make changes in app without having to upgrade
    • Simon M – jdeps tells you which APIs you are using that are marked for removal.
  • Will the Open JDK and Oracle JDK version strings be exactly the same?
    • Trisha – Yes. Version string under JEP.
  • Oracle committed to someone in a private meeting that will give at least 18 months lead time on removing documented features.
    • Simon R – very publicly stated one release (6 months) warning
    • Trisha – Stuff deprecated in 9 already gone in 11.
    • Simon M – Two people at Oracle gave conflicting info
    • Tim – Get them to sign it 🙂
  • Someone from Oracle said to ask him the ask Oracle stuff

My take: I wish this talk was better publicized. I also wish Oracle had done this so you could hear all the opinions at once. That said, a big thank you to IBM for setting this up!