Making Life Simple » general web

Generate SSL certificate for Tomcat

lalit — Thu, 21 Jan 2010 18:21:00 +0000

Following are the steps to create an real SSL certificate (verified by VeriSign/Thawte etc.) for Tomcat:
1. Creation of keystore
keytool -genkey -alias XXX -keyalg RSA -keystore ./XXX.keystore

2. Generation of CSR
keytool -certreq -alias XXX -file XXX.csr -keystore ./XXX.keystore
Send the generated XXX.csr to the signing authority and get the certificate from them. Save that file as “XXX.thawte”

3. Install the certificate in the keystore
keytool -import -alias XXX -trustcacerts -file XXX.thawte -keystore XXX.keystore

That’s it.

List of Countries

lalit — Wed, 20 Jan 2010 22:45:10 +0000

In case you need a list of countries, here is the file

Integrate Apache 2 with Tomcat 6

lalit — Mon, 18 Jan 2010 20:08:18 +0000

I have been trying to configure apache/tomcat is such a way that apache comes on the front-end so that I can have all the features of apache like URL rewriting, virtual hosts, PHP etc. and forward only certain requests to tomcat whose only job should be running servlets.

I have CentOS installed on my server with Apache 2 installed through yum and the goal was to install the binaries for Tomcat 6 and make them talk to each other. After some googling, the best tutorial I found to configure tomcat through mod_jk was found here. I have attached the PDF of the instructions here.
After following the steps, I was easily able to create a worker and configure apache to forward the request to /examples to tomcat.
The next issue was how to configure virtual hosts so that I can host multiple websites, some handled by apache and others through tomcat. Following is the snippet of httpd.conf setting that needs to be updated to enable virtual hosting.

NameVirtualHost *:80 # # NOTE: NameVirtualHost cannot be used without a port specifier # (e.g. :80) if mod_ssl is being used, due to the nature of the # SSL protocol. # # # VirtualHost example: # Almost any Apache directive may go into a VirtualHost container. # The first VirtualHost section is used for requests without a known # server name. # # # ServerAdmin webmaster@dummy-host.example.com # DocumentRoot /www/docs/dummy-host.example.com # ServerName dummy-host.example.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common #ServerAdmin webmaster@lalitmehta.com ServerName www.lalitmehta.com ErrorLog logs/lalitmehta.com-error_log CustomLog logs/lalitmehta-access_log common ServerAdmin info@saiyam.com ServerName rsspile.com # No need of DocumentRoot ErrorLog logs/rsspile.com-error_log CustomLog logs/rsspile.com-access_log common JkMount /rss ajp13 JkMount /rss/* ajp13

I do have two questions though:
1. since mod_jk.so is available for download for Linux, what advantage you get by compiling Apache and mod_jk from source? Most of the websites mention the need to compile the source. Let me know
2. How do I enable SSL on my server with the above configuration?

IE 6 bug in window.location

lalit — Wed, 13 Jan 2010 23:09:51 +0000

There is a bug in IE 6 where following code does not work

var newUrl = "http://www.google.com/"; window.location = newUrl; // This also doesn't work! // window.location.href = newUrl;

After a scratching head for couple of hours, found the solution here

var newUrl = "http://google.com/"; setTimeout(function() { window.location = newUrl; }, 0);

TOP 25 Most Dangerous Programming Errors

lalit — Wed, 14 Jan 2009 01:59:07 +0000

CWE-20:Improper Input Validation
CWE-116:Improper Encoding or Escaping of Output
CWE-89:Failure to Preserve SQL Query Structure
CWE-79:Failure to Preserve Web Page Structure
CWE-78:Failure to Preserve OS Command Structure
CWE-319:Cleartext Transmission of Sensitive Information
CWE-352:Cross-Site Request Forgery
CWE-362:Race Condition
CWE-209:Error Message Information Leak
CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642:External Control of Critical State Data
CWE-73:External Control of File Name or Path
CWE-426:Untrusted Search Path
CWE-94:Failure to Control Generation of Code
CWE-494:Download of Code Without Integrity Check
CWE-404:Improper Resource Shutdown or Release
CWE-665:Improper Initialization
CWE-682:Incorrect Calculation
CWE-285:Improper Access Control
CWE-327:Use of a Broken or Risky Cryptographic Algorithm
CWE-259:Hard-Coded Password
CWE-732:Insecure Permission Assignment for Critical Resource
CWE-330:Use of Insufficiently Random Values
CWE-250:Execution with Unnecessary Privileges
CWE-602:Client-Side Enforcement of Server-Side Security

Full story

Access parent window from modalDialog

lalit — Fri, 15 Aug 2008 20:49:08 +0000

When you call showModalDialog() you need to pass “self”, without the quotes, as the second argument.

You can then access the parent(opener) with:
var opener = window.dialogArguments;

You can then access any function declared in parent window with:
opener.myFunction();

Secure file upload

lalit — Tue, 05 Feb 2008 02:26:38 +0000

No matter what web based technology you are using, these tips will always be helpful when it comes down to uploading files:

Keep uploaded files where they cannot be directly accessed by the users via a direct URL. This can be done either by storing uploaded files outside of the web root or configuring the web server to deny access to the uploads directory.
Use system-generated file names instead of the names supplied by users when storing files on the file system. This will prevent local file inclusion attacks and also make any kind of file name manipulation by the user impossible. More information can be found here.

Differences between Strict XHTML and Transitional XHTML

lalit — Thu, 08 Nov 2007 05:15:07 +0000

Following attributes were removed from the Strict XHTML:

Attribute alink is forbidden on body.
Attribute background is forbidden on body.
Attribute bgcolor is forbidden on body, table, td, th, tr.
Attribute border is forbidden on img, object, it can be used on table.
Attribute clear is forbidden on br.
Attribute language is forbidden on script.
Attribute link is forbidden on body.
Attribute name is forbidden on form, img, it can be used on a, button, input, map, meta, object, param, select, textarea.
Attribute noshade is forbidden on hr.
Attribute nowrap is forbidden on td, th.
Attribute start is forbidden on ol.
Attribute target is forbidden on a, area, base, form, link.
Attribute text is forbidden on body.
Attribute type is forbidden on li, ol, ul. It can be used on a button, input, link, object, param, script, style.
Attribute value is forbidden on li. It can be used on button, input, option, param.
Attribute vlink is forbidden on body.

Following elements cannot occur in the given context in the Strict XHTML:

#PCDATA cannot be a child of blockquote, body, form, noscript.
Element a cannot be a child of blockquote, body, form, noscript.
Element abbr cannot be a child of blockquote, body, form, noscript.
Element acronym cannot be a child of blockquote, body, form, noscript.
Element b cannot be a child of blockquote, body, form, noscript.
Element bdo cannot be a child of blockquote, body, form, noscript.
Element big cannot be a child of blockquote, body, form, noscript.
Element br cannot be a child of blockquote, body, form, noscript.
Element button cannot be a child of blockquote, body, form, noscript.
Element cite cannot be a child of blockquote, body, form, noscript.
Element code cannot be a child of blockquote, body, form, noscript.
Element dfn cannot be a child of blockquote, body, form, noscript.
Element em cannot be a child of blockquote, body, form, noscript.
Element i cannot be a child of blockquote, body, form, noscript.
Element img cannot be a child of blockquote, body, form, noscript.
Element input cannot be a child of blockquote, body, form, noscript.
Element kbd cannot be a child of blockquote, body, form, noscript.
Element label cannot be a child of blockquote, body, form, noscript.
Element map cannot be a child of blockquote, body, form, noscript.
Element object cannot be a child of blockquote, body, form, noscript.
Element q cannot be a child of blockquote, body, form, noscript.
Element samp cannot be a child of blockquote, body, form, noscript.
Element select cannot be a child of blockquote, body, form, noscript.
Element small cannot be a child of blockquote, body, form, noscript.
Element span cannot be a child of blockquote, body, form, noscript.
Element strong cannot be a child of blockquote, body, form, noscript.
Element sub cannot be a child of blockquote, body, form, noscript.
Element sup cannot be a child of blockquote, body, form, noscript.
Element textarea cannot be a child of blockquote, body, form, noscript.
Element tt cannot be a child of blockquote, body, form, noscript.
Element var cannot be a child of blockquote, body, form, noscript.

Rules of converting HTML to XHTML-Transitional

lalit — Wed, 07 Nov 2007 04:13:46 +0000

Converting from traditional HTML to XHTML 1.0 Transitional is easy, as long as you work carefully and observe the following rules:
1. Open with the proper DOCTYPE & Namespace

2. Write all tags in lowercase
XHTML Rules
3. Quote all attribute values
src=”xyz.png” and not src=xyz.png
4. Close all tags

Some Text

5. Close “empty” tags, too

Rules for Speeding Up Your Web Site

lalit — Wed, 05 Sep 2007 03:25:24 +0000

Yahoo Developer Network posted a nice set of rules to speed up your website. The excerpt is as follows:

Make Fewer HTTP Requests
Use a Content Delivery Network
Add an Expires Header
Gzip Components
Put Stylesheets at the Top
Put Scripts at the Bottom
Avoid CSS Expressions
Make JavaScript and CSS External
Reduce DNS Lookups
Minify JavaScript
Avoid Redirects
Remove Duplicate Scripts
Configure ETags

You can read the full article here.