Category Archives: Core Java

JAXB and XML processing

Lately, I have been working on a few interesting problems that I wanted to talk about. So I started studying more of JAXB APIs and the whole rabbit hole is huge. There are a lot of things that I can focus on these APIs. In this post, I will show how to use JAXB APIs for XML processing.

What’s JAXB and how to use APIs for XML Processing?

First, let me talk about JAXB APIs. So XML has been a language for data exchange for some time now. Java and XML came up with a partner to help developers a standard to facilitate between applications, web services, organizations using a similar technology stack. So all developers came together and they built a standard API for Java Architecture for XML Binding (JAXB). I will not describe any other detail about these API in this post, but you can check out this official documentation JAXB. JAXB APIs help to convert XML documents into Java Object and vice versa.

Scenario 1

In this scenario, how do bind a schema to Java object?

JAXB basically simplifies the access of the XML document in Java program. So as part of this, we bind schema for XML document into a set of Java classes.

To demonstrate this example, I am showing a sample XML books.xml as below:


<bookstore>
<book category="cooking">
<title lang="en">Everyday Italian</title>
<author>Giada De Laurentiis</author>
<year>2005</year>
<price>30.00</price>
</book>
<book category="children">
<title lang="en">Harry Potter</title>
<author>J K. Rowling</author>
<year>2005</year>
<price>29.99</price>
</book>
<book category="web">
<title lang="en">XQuery Kick Start</title>
<author>James McGovern</author>
<author>Per Bothner</author>
<author>Kurt Cagle</author>
<author>James Linn</author>
<author>Vaidyanathan Nagarajan</author>
<year>2003</year>
<price>49.99</price>
</book>
<book category="web" cover="paperback">
<title lang="en">Learning XML</title>
<author>Erik T. Ray</author>
<year>2003</year>
<price>39.95</price>
</book>
</bookstore>

To convert this XML into Java object, we will follow the following process

  1. Create a JAXBContext Object
  2. Create a Unmarshaller using JAXBContext Object
  3. Call Unmarshal method on Unmarshaller
  4. The result will be a Java object

package com.betterjavacode.jaxbexample;

import java.util.ArrayList;
 
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlElementWrapper;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlType;

@XmlRootElement
@XmlType(propOrder = {"bookcategory"})
public class Bookstore
{
   private String bookCategory;
   private List books;

   public Bookstore(){}

   public String getBookCategory()
   {
      return this.bookCategory
   }

   public void setBookCategory(String bookCategory)
   {
     this.bookCategory = bookCategory;
   }

   public List getBooks()
   {
      return this.books;
   }

   public void setBooks(List books)
   {
      this.books = books;
   }
}


package com.betterjavacode.jaxbexample;

import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement(namespace = "com.betterjavacode.jaxbexample.Bookstore")
public class Book
{
   private String title;
   private String author;
   private int year;
   private long price;

   public Book()
   {
   }
   
   public Book(String title, String author, int year, long price)
   {
      this.title = title;
      this.author = author;
      this.year = year;
      this.price = price;
   }

   public String getTitle()
   {
     return title;
   }

   public void setTitle(String title)
   {
     this.title = title;
   }

   public String getAuthor()
   {
     return author;
   } 

   public void setAuthor(String author)
   {
     this.author = author;
   }

   public int getYear()
   {
     return year;
   }

   public void setYear(int year)
   {
     this.year = year;
   }

   public long getPrice()
   {
     return price;
   }

   public void setPrice(long price)
   {
     this.price = price;
   }

}

Using annotations and base classes, we can convert xml into java object easily. That process as described will look like below in program:


package com.betterjavacode.jaxbexample;

import java.io.File;
import java.util.ArrayList;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;

public class JAXBXMLToJava
{
    public static final Logger LOGGER = LogFactory.getLogger(JAXBXMLToJava.class);

    public static void main(String[] args)
    {
        try
        {
           JAXBContext jaxbContext = JAXBContext.newInstance(Bookstore.class);
           Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
           File xmlFile = new File("C:\\temp\\books.xml");
           Bookstore bookStore = (Bookstore) unmarshaller.unmarshal(xmlFile);

           ArrayList books = bookStore.getBooks();
           for(Book book:books)
           {
              System.out.println("Book: " + book.getTitle());
           }
        }
        catch(JAXBException e)
        {
           LOGGER.debug("unable to unmarshal", e);
        }
    }
}

So in this scenario, we took an xml and converted that into a java object.

Scenario 2

In this scenario, I will show one of the features of JAXB APIs.

How to change the namespace prefixes?

By default when you marshal Java object to XML, JAXB Marshaller uses default namespace prefixes like ns1, ns2, ns3 etc. While this can be perfectly valid XML for readability purposes, you might run into an issue like signature validation if Signature validation API was expecting different namespaces.

In such cases, JAXB offers a NamespacePrefixMapper which allows you to change your namespace prefixes.

Advantages of JAXB

  • JAXB offers different ways to handle the large size of XML
  • Dealing with XML data can be complex, but in Java world, it is easier to deal with objects. JAXB makes that easy.
  • JAXB allows you to access data in non-sequential order, but unlike DOM-based processing, it doesn’t force you to navigate through a tree to access the data.
  • And JAXB is flexible

Conclusion

Previously, I had shown how to consume a SOAP webservice using JAXB marshaller. In this post, I have given a brief introduction to JAXB APIs and how to use them for XML processing. There are a lot of other features that JAXB APIs offer.

References

  1. JAXB User guide – user guide
  2. Java Architecture for XML Binding – JAXB

 

 

 

How to use JProfiler for Performance testing

If you are a developer, some point of time you will have to use JProfiler for measuring the performance of your application. Many times, this is left to specialized performance teams or developers who know the tools well, but don’t know much about the code that they are trying to measure the performance. This approach, despite might be working, can have its flaws. Especially since performance team members are not writing the code. So as part of this past, I want to debunk few myths around this and why a developer should equally focus on a tool like JProfiler to check the performance.

What will you need

  • JProfiler (standalone or plugin in IntelliJ)
  • IntelliJ
  • A web application that you can profile

Understanding JProfiler

First JProfiler is a tool to understand what is going on inside a running JVM. Before we run the test, we should understand the basic functionality of JProfiler and how it will help us in performance improvement.

There are three aspects to JProfiler:

Time Profiling – This measures the execution paths of your application on the method level.

Memory Profiling – This provides the in-depth understand of heap usage by the application.

Thread Profiling – This analyses the thread synchronization issues.

JProfiler combines time, memory and thread profilers in a single application.

Performance Test

In this test, we will be profiling java code of the application. You can download JProfiler as a standalone tool to run or download a plugin with IntelliJ which is what I have done in my case.

Once you start IntelliJ for your web application either locally or remotely, you will see an icon on top right to start the JProfiler. If you are running the application locally, JProfiler will launch and will ask user to find the directory where JProfiler.exe is located, once you click OK, it will start the application server (from intelliJ RUN configuration).

JProfiler from IntelliJ

In Filter Settings , you can select the option Edit and it will launch another window where you can provide other application related settings. You can also run JProfiler for a remote application. For that you can provide the application’s host and port address in this application settings.

Application Settings

In my case, I am running the application locally, so I will skip these settings for right now.

Once the OK button is clicked, it will launch the tomcat webserver that I am using in this Spring based web application. I will launch my application in another browser window and do the necessary testing with application. JProfiler should profile my activity. Once you do that, we can verify CPU view for hot spots that Profiler found in our application. This will look like below:

Hot Spots

One good thing about this feature is that it shows where the application is taking more time and it is arranged in descending order. So most of the time that my code is taking in the libraries that I am using. If you expand each node, you will find in detail about each method that is getting called.

Conclusion

In this post, I showed how to use JProfiler. This was an introductory post as I have not talked about the different views that JProfiler offers for profiling the application.

Supporting FORMS authentication for ADFS in Android applications

Scenario with ADFS Authentication

Recently I came across this scenario where an application was using ADFS for authentication. The administrator had configured Windows Integrated Authentication as well as Forms Authentication as authentication policies. But when the user accessed the Android application, passive authentication through the Android webview browser fails because it redirects to the Windows Integrated Authentication URL instead of Forms Authentication. As the webview browser does not support WIA.

Android Phone

A solution to configure ADFS

Most organizations when using Active  Directory Federation Services (ADFS), use windows integrated authentication for their intranet. This helps users in their networks to enter credentials only once. Most browser-based applications provide a seamless experience to users without asking them to enter credentials again.

However, in this scenario, a user was trying to access an android application that equally needs passive authentication with an android webview browser. But android webview browser does not support WIA that results in authentication failure.

In such a scenario, ADFS should fall back to FORMS authentication and redirect the user to the login form. ADFS for windows server provides a simple configuration trick for authentication to fall back to FORMS.

  1. WIASupportedUserAgentString property of Set-ADFSProperties command
  2. WindowsIntegratedFallbackEnabled property of Set-AdfsGlobalAuthenticationPolicy command

Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true

WIASupportedUserAgentString gives the user agents that support WIA. If the component of the user agent string does not match any of the components of the user agent strings that are configured in WIASupportedUserAgentString property, ADFS will fall back to providing forms-based authentication, provided WindowsIntegratedFallbackEnabled flag is set to true.

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

MSIE 6.0

MSIE 7.0; Windows NT

MSIE 8.0

MSIE 9.0

MSIE 10.0; Windows NT 6

MSIE 11.0; Windows NT 10

Windows NT 6.3; Trident/7.0

Windows NT 6.3; Win64; x64; Trident/7.0

Windows NT 6.3; WOW64; Trident/7.0

Windows NT 6.2; Trident/7.0

Windows NT 6.2; Win64; x64; Trident/7.0

Windows NT 6.2; WOW64; Trident/7.0

Windows NT 6.1; Trident/7.0

Windows NT 6.1; Win64; x64; Trident/7.0

Windows NT 6.1; WOW64; Trident/7.0

Windows NT 10.0; Trident/7.0

Windows NT 10.0; Win64; x64; Trident/7.0

Windows NT 10.0; WOW64; Trident/7.0

MSIPC

In this particular case, we removed Safari and Chrome from the list of user-agent strings, that’s when the authentication for application worked through passive authentication.

Conclusion

In conclusion, I showed in this post how to use FORMS authentication with ADFS for an android application. If you enjoyed this post, subscribe to my blog.

References

  1. Configuring Forms based authentication
  2. Forms based authentication

 

Could not find or load main class org.apache.maven.surefire.booter.ForkedBooter

Problem with Surefire library

Recently one of my Jenkins build failed with an error Could not find or load main class org.apache.maven.surefire.booter.ForkedBooter . A surefire plugin that maven was using to run JUnit tests was failing.

surefire library issue

A solution to fix the issue with Surefire library

I found two solutions to this problem. But first, let’s try to understand what exactly caused this problem.

In OpenJDK version 1.8.181, there were some behavioral changes that might be the reason for this issue. I had updated the Java version to use based on the system in my Jenkins build. This will make a system to get the latest open JDK. Also, there is a bug in the surefire plugin that is using absolute paths while Java will allow only relative paths. You can find more details about this issue here.

So to fix this issue, the easiest solution is Djdk.net.URLClassPath.disableClassPathURLCheck=true .

Another solution that worked for me was to go back to the older JDK version that I was using in Jenkins build before I shifted to System option. I went back to open JDK version 1.8.118 version and it did the trick also.

Conclusion

In conclusion, I showed how to fix an error during Jenkins build “Could not find or load main class”. If you enjoyed this post, subscribe to my blog here.

References

  1. Could not find forkedbooter class – here
  2. Surefire bug

 

Use of clockskew in SAML Assertion in SAML Protocol

In this post, I will explain how we can use clockskew in SAML Assertion to avoid a general problem when a Service Provider (SP) receives a SAML response from Identity Provider (IdP) and if both of them are on different machines which is generally the scenario.

So when a user accesses a SP application, SP sends an authentication request to IdP and IdP sends a SAML response to SP. The typical SAML response looks like below:

<saml2p:Response Destination="https://localhost:8443/spring-security-saml2-sample/saml/SSO"
                 ID="_8ced26c57648ea420c5e27ac7f3d78b3"
                 InResponseTo="a3ei0bej41ie0dg738jji60271f1bca"
                 IssueInstant="2018-10-31T18:39:05.109Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.betterjavacode.com/sts</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_8ced26c57648ea420c5e27ac7f3d78b3">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="xsd"
                                                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>k6k9seVwZT8qEfainB+HDUJmv7wLwPjJxRARgrFLk3E=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
eYl7/5Bg4f2ZtXYl1Tp/ZW4CIqna1sjHjVSB/zhj3NHncQu7pq9PBTdWz0JEaE8+efICz7trDQvI
J0tih35Vg7NqDtOeps7vMttV0XvrnWKIXEqrscyNgkhwy+KW2oprKIWTJq6y3Z0kQ7n2DlTRkfAE
yLRPxqr8AZU+77Tbv4DmTQVp934ivibUaMNU79nkhMMo7vf0ldpeNCe5Ll5Q7nxgNBCrL4mhbGdU
DNJDVqJIhQZDJUYhBVZSgLo6mYLxf0ndQr5+GdcvO3i8VlooH49I5ZO6LfsBlNiSU6WezC0Fcz8J
biodrT3h62Jny8FKUgYfXA8i0ZoAerCxHmLGFQ==
</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIICpTCCAY2gAwIBAgIHAKQk/Tty7TANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhJbmZvclNU
UzAeFw0xNzExMTAxNjIwMjVaFw0xOTExMTAxNjIwMjZaMBMxETAPBgNVBAMMCEluZm9yU1RTMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuy40GofgfSldiu7AXRSWQZo8YIUmdJOXV5gd
YUiIBggcm5J+jttd21av9AWBDLtvekIqgG+nM1SEarDNlCgrnThqDtdsBDnT+B5FQowLwqNQZb0C
6PSWccp484OLHhv3YwbjV/IxgW6wlv2EejPF93NTPc5TkkpIKIEARJwKiUvuwzkcX1atD8HESj8/
5wZhK3g3MSv+CaJb1Y732U2aa34RI6HYRNlKRsqRj55SZnPs3AmIBL/rdVbt5eYJdK+jXSOMQ9Sb
TNkgTAYKnlSQP8NhsNc1Y5ZJ231KD3rSqHEXwpKVXFuEgtBnCL9utqyUU0Fu9PNJJj0hf9otMJw2
pQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAsqxA/+llqNtJq/VPtAa0XwtldB7/4Gew5LgfU5Yj7
/ruHuxCh03xfnLyjo0bxrFeMbhHMg4MzJhgah0zTIl4WMRI781CiMxGfMdvQAHhY5hgpryqKUTbH
qcIoW1WkTEL+TrOSk2gjL/n/4KsUJ3XKeI4j4h2RDvbIF8u9cbrB5RupEwJlo/pK3mCr3GQGFxVX
4yli+AysMmz8JWz2hWQad0QQr9KIYmZdgauNt7uYn4u+7cngtTtQF/EMoZU1pAFI5lDP13mxI1rR
eYGzoKhGfHIy7TiXYvqX0vFomzkgr6D0DnRlRkQR8J5EVtnGZ7sF50KlNviG+IxrPNndUdeX</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="_43514fee402111bfa8ef07e2bb3e1816"
                     IssueInstant="2018-10-31T18:39:05.109Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     >
        <saml2:Issuer>https://sts.betterjavacode.com/sts</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                          NameQualifier="https://sts.betterjavacode.com/sts"
                          SPNameQualifier="https://localhost:8443/spring-security-saml2-sample/saml/metadata"
                          >-74375301938178262591541011144180</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="a3ei0bej41ie0dg738jji60271f1bca"
                                               NotOnOrAfter="2018-10-31T18:44:05.109Z"
                                               Recipient="https://localhost:8443/spring-security-saml2-sample/saml/SSO"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-10-31T18:39:05.109Z"
                          NotOnOrAfter="2018-10-31T18:44:04.109Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://localhost:8443/spring-security-saml2-sample/saml/metadata</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="http://schemas.microsoft.com/claims/Tenant">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >ABC Company</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.microsoft.com/claims/Identity">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >testuser</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >Test User</saml2:AttributeValue>
            </saml2:Attribute>

            <saml2:Attribute Name="http://schemas.microsoft.com/claims/Email">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >test.user@betterjavacode.com</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="http://schemas.microsoft.com/claims/Session">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xsd:string"
                                      >-65311121040491585821541011144177</saml2:AttributeValue>
            </saml2:Attribute>                        
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2018-10-31T18:39:05.109Z"
                              SessionIndex="31079178551135950171541011144177"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Now SP and IdP are on different machine. And there can be a case that their clocks are not synced. So when IdP generates the response, it has an element SubjectConfirmationData that contains NotBefore and NotOnOrAfter. Subject indicates details about the user and relying party who is receiving the assertion. Relying party has to verify that the assertion is coming from the right issuer.

NotBefore – Time before which subject can not be validated.

NotOnOrAfter – Time on or after which subject has expired.

Similarly, there will be Conditions element in the assertion and this element will also contain attributes NotBefore or NotOnOrAfter. These two attributes indicate at what time assertion will be valid and after what time, it will be expired.

Problem

Now if we take into account a scenario where system clocks of IdP and SP are not in sync and if Idp clock is ahead of Sp clock, how do we handle this scenario?

Solution

So as described in above scenario, then assertion validation will fail because of NotBefore time will be greater than the time on SP machine.

To solve this issue, we can either make sure IdP and SP clocks are in sync. But this seems human-dependent solution and getting clocks in sync is not always practical solution.

Another way this can be solved by adding a clockskew in SAML assertion. A relying party that is consuming the assertion should apply small clockskew to time to accommodate small changes in time.

private int clockSkew = 120;

SubconfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();

if(subjectConfirmationData.getNotOnOrAfter().plusSeconds(clockSkew).isBeforeNow())
{
 // throw error - Subject Confirmation Data has expired
}

/***
*
*
*/

if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(clockSkew).isAfterNow()) 
{
      throw new SAMLException("Assertion condition notBefore is not valid");
}

if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(clockSkew).isBeforeNow()) 
{
      throw new SAMLException("Assertion condition notOnOrAfter is not valid");
}

 

References

  1. SAML Specification
  2. SAML assertion with NotBefore and NotOnOrAfter