Generate SSL certificate for Tomcat
Following are the steps to create a real SSL certificate (verified by VeriSign/Thawte etc.) for Tomcat:
1. Creation of keystore
keytool -genkey -alias XXX -keyalg RSA -keystore ./XXX.keystore
2. Generation of CSR
keytool -certreq -alias XXX -file XXX.csr -keystore ./XXX.keystore
Send the generated XXX.csr to the signing authority and get the certificate from them. Save that file as “XXX.thawte”
3. Install the certificate in the keystore
keytool -import -alias XXX -trustcacerts -file XXX.thawte -keystore XXX.keystore
That’s it.
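The three steps above as one script, with the check a practitioner wants before wiring the keystore into Tomcat. This is an added example, not from the original post: the alias, passwords and DN are placeholders, the CA's signed reply is assumed to be saved as "$ALIAS.thawte" as in the post, and the CA's intermediate certificate (if the JVM does not already trust it) is assumed to be in ca-intermediate.pem.

```shell
set -eu
ALIAS="${ALIAS:-tomcat}"
KEYSTORE="./$ALIAS.keystore"
STOREPASS="${STOREPASS:-changeit}"   # placeholder value, never ship it

# Step 1: key pair (2048-bit RSA). -dname avoids the interactive prompt.
gen_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com, O=Example Ltd, C=US" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: CSR to send to the CA.
gen_csr() {
  keytool -certreq -alias "$ALIAS" -file "$ALIAS.csr" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3: import the CA's intermediate certificate first under its own alias,
# then the signed reply under the KEY alias. Without the intermediate keytool
# cannot build the chain and rejects the reply; with the wrong alias it stores
# the reply as a separate trusted cert and Tomcat never finds the key.
install_reply() {
  if [ -f ca-intermediate.pem ]; then
    keytool -importcert -noprompt -alias intermediate -file ca-intermediate.pem \
      -keystore "$KEYSTORE" -storepass "$STOREPASS"
  fi
  keytool -importcert -alias "$ALIAS" -trustcacerts -file "$ALIAS.thawte" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Check: the alias must be a private-key entry after the import.
verify_keystore() {
  keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -q "Entry type: PrivateKeyEntry"
}

case "${1:-}" in
  request) gen_keystore && gen_csr && echo "send $ALIAS.csr to the CA" ;;
  install) install_reply && verify_keystore && echo "keystore ready" ;;
esac
```

Run it once with `request`, send the CSR, then run it with `install` after saving the reply next to the keystore.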
List of Countries
In case you need a list of countries, here is the file
Integrate Apache 2 with Tomcat 6
I have been trying to configure Apache/Tomcat in such a way that Apache sits on the front end, so that I get all the features of Apache like URL rewriting, virtual hosts, PHP etc., and it forwards only certain requests to Tomcat, whose only job should be running servlets.
I have CentOS installed on my server with Apache 2 installed through yum, and the goal was to install the Tomcat 6 binaries and make the two talk to each other. After some googling, the best tutorial I found for configuring Tomcat through mod_jk is here. I have attached the PDF of the instructions here.
After following the steps, I was easily able to create a worker and configure apache to forward the request to /examples to tomcat.
The next issue was how to configure virtual hosts so that I can host multiple websites, some handled by Apache and others by Tomcat. Following is the httpd.conf snippet that needs to be updated to enable virtual hosting.
NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@lalitmehta.com
ServerName www.lalitmehta.com
ErrorLog logs/lalitmehta.com-error_log
CustomLog logs/lalitmehta-access_log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin info@saiyam.com
ServerName rsspile.com
# No need of DocumentRoot
ErrorLog logs/rsspile.com-error_log
CustomLog logs/rsspile.com-access_log common
JkMount /rss ajp13
JkMount /rss/* ajp13
</VirtualHost>
I do have two questions though:
1. Since mod_jk.so is available for download for Linux, what advantage do you get by compiling Apache and mod_jk from source? Most of the websites mention the need to compile the source. Let me know!
2. How do I enable SSL on my server with the above configuration?
IE 6 bug in window.location
There is a bug in IE 6 where the following code does not work:
var newUrl = "http://www.google.com/";
window.location = newUrl;
// This also doesn't work!
// window.location.href = newUrl;
After scratching my head for a couple of hours, I found the solution here:
var newUrl = "http://google.com/";
setTimeout(function()
{
window.location = newUrl;
}, 0);
TOP 25 Most Dangerous Programming Errors
- CWE-20:Improper Input Validation
- CWE-116:Improper Encoding or Escaping of Output
- CWE-89:Failure to Preserve SQL Query Structure
- CWE-79:Failure to Preserve Web Page Structure
- CWE-78:Failure to Preserve OS Command Structure
- CWE-319:Cleartext Transmission of Sensitive Information
- CWE-352:Cross-Site Request Forgery
- CWE-362:Race Condition
- CWE-209:Error Message Information Leak
- CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642:External Control of Critical State Data
- CWE-73:External Control of File Name or Path
- CWE-426:Untrusted Search Path
- CWE-94:Failure to Control Generation of Code
- CWE-494:Download of Code Without Integrity Check
- CWE-404:Improper Resource Shutdown or Release
- CWE-665:Improper Initialization
- CWE-682:Incorrect Calculation
- CWE-285:Improper Access Control
- CWE-327:Use of a Broken or Risky Cryptographic Algorithm
- CWE-259:Hard-Coded Password
- CWE-732:Insecure Permission Assignment for Critical Resource
- CWE-330:Use of Insufficiently Random Values
- CWE-250:Execution with Unnecessary Privileges
- CWE-602:Client-Side Enforcement of Server-Side Security
Access parent window from modalDialog
When you call showModalDialog() you need to pass “self”, without the quotes, as the second argument.
You can then access the parent(opener) with:
var opener = window.dialogArguments;
You can then access any function declared in parent window with:
opener.myFunction();
Secure file upload
No matter what web-based technology you are using, these tips will always be helpful when it comes to uploading files:
- Keep uploaded files where they cannot be directly accessed by the users via a direct URL. This can be done either by storing uploaded files outside of the web root or configuring the web server to deny access to the uploads directory.
- Use system-generated file names instead of the names supplied by users when storing files on the file system. This will prevent local file inclusion attacks and also make any kind of file name manipulation by the user impossible. More information can be found here.
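The two tips above as a pair of storage-side shell functions. This is an added example, not from the original post: UPLOAD_DIR is a placeholder path assumed to lie outside the web root, and the web application is assumed to hand over the received data as a temporary file.

```shell
set -eu
UPLOAD_DIR="${UPLOAD_DIR:-/var/lib/app/uploads}"   # placeholder, outside DocumentRoot

# Store a received file. The client's filename is sanitised and kept only in an
# index for display; the name on disk is 32 hex chars from /dev/urandom, so no
# user-controlled text ever becomes part of a path.
store_upload() {
  src="$1"
  claimed=$(printf '%s' "$2" | tr -c 'A-Za-z0-9._-' '_')
  id=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  # 0640: app-readable, no execute bit, so an uploaded script is just bytes.
  install -m 0640 "$src" "$UPLOAD_DIR/$id"
  printf '%s\t%s\n' "$id" "$claimed" >> "$UPLOAD_DIR/.index"
  echo "$id"
}

# Resolve an id to a path. Anything that is not exactly 32 hex characters is
# rejected before it is joined to UPLOAD_DIR, so traversal input never reaches
# the filesystem.
upload_path() {
  id="$1"
  case "$id" in *[!0-9a-f]*|"") return 1 ;; esac
  [ "${#id}" -eq 32 ] || return 1
  [ -f "$UPLOAD_DIR/$id" ] || return 1
  echo "$UPLOAD_DIR/$id"
}
```

Downloads are then served by the application reading upload_path's result, never by a URL that maps onto UPLOAD_DIR.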
Differences between Strict XHTML and Transitional XHTML
The following attributes were removed in Strict XHTML:
- Attribute alink is forbidden on body.
- Attribute background is forbidden on body.
- Attribute bgcolor is forbidden on body, table, td, th, tr.
- Attribute border is forbidden on img, object; it can be used on table.
- Attribute clear is forbidden on br.
- Attribute language is forbidden on script.
- Attribute link is forbidden on body.
- Attribute name is forbidden on form, img; it can be used on a, button, input, map, meta, object, param, select, textarea.
- Attribute noshade is forbidden on hr.
- Attribute nowrap is forbidden on td, th.
- Attribute start is forbidden on ol.
- Attribute target is forbidden on a, area, base, form, link.
- Attribute text is forbidden on body.
- Attribute type is forbidden on li, ol, ul. It can be used on a, button, input, link, object, param, script, style.
- Attribute value is forbidden on li. It can be used on button, input, option, param.
- Attribute vlink is forbidden on body.
The following elements cannot occur in the given context in Strict XHTML:
- #PCDATA cannot be a child of blockquote, body, form, noscript.
- Element a cannot be a child of blockquote, body, form, noscript.
- Element abbr cannot be a child of blockquote, body, form, noscript.
- Element acronym cannot be a child of blockquote, body, form, noscript.
- Element b cannot be a child of blockquote, body, form, noscript.
- Element bdo cannot be a child of blockquote, body, form, noscript.
- Element big cannot be a child of blockquote, body, form, noscript.
- Element br cannot be a child of blockquote, body, form, noscript.
- Element button cannot be a child of blockquote, body, form, noscript.
- Element cite cannot be a child of blockquote, body, form, noscript.
- Element code cannot be a child of blockquote, body, form, noscript.
- Element dfn cannot be a child of blockquote, body, form, noscript.
- Element em cannot be a child of blockquote, body, form, noscript.
- Element i cannot be a child of blockquote, body, form, noscript.
- Element img cannot be a child of blockquote, body, form, noscript.
- Element input cannot be a child of blockquote, body, form, noscript.
- Element kbd cannot be a child of blockquote, body, form, noscript.
- Element label cannot be a child of blockquote, body, form, noscript.
- Element map cannot be a child of blockquote, body, form, noscript.
- Element object cannot be a child of blockquote, body, form, noscript.
- Element q cannot be a child of blockquote, body, form, noscript.
- Element samp cannot be a child of blockquote, body, form, noscript.
- Element select cannot be a child of blockquote, body, form, noscript.
- Element small cannot be a child of blockquote, body, form, noscript.
- Element span cannot be a child of blockquote, body, form, noscript.
- Element strong cannot be a child of blockquote, body, form, noscript.
- Element sub cannot be a child of blockquote, body, form, noscript.
- Element sup cannot be a child of blockquote, body, form, noscript.
- Element textarea cannot be a child of blockquote, body, form, noscript.
- Element tt cannot be a child of blockquote, body, form, noscript.
- Element var cannot be a child of blockquote, body, form, noscript.
Rules of converting HTML to XHTML-Transitional
Converting from traditional HTML to XHTML 1.0 Transitional is easy, as long as you work carefully and observe the following rules:
1. Open with the proper DOCTYPE & Namespace
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2. Write all tags in lowercase
<title>XHTML Rules</title>
3. Quote all attribute values
src="xyz.png" and not src=xyz.png
4. Close all tags
<p>Some Text</p>
5. Close “empty” tags, too
<img src="xyz.png" />
Rules for Speeding Up Your Web Site
Yahoo Developer Network posted a nice set of rules to speed up your website. The excerpt is as follows:
- Make Fewer HTTP Requests
- Use a Content Delivery Network
- Add an Expires Header
- Gzip Components
- Put Stylesheets at the Top
- Put Scripts at the Bottom
- Avoid CSS Expressions
- Make JavaScript and CSS External
- Reduce DNS Lookups
- Minify JavaScript
- Avoid Redirects
- Remove Duplicate Scripts
- Configure ETags
You can read the full article here.
