Run GWT Generated Code in Nashorn

GWT is a very useful tool to compile Java code into JavaScript.

Nashorn is Oracle’s new JavaScript implementation which runs JavaScript scripts in Java.

In order to run JavaScript server-side code within a Java server I now want to make an extensive GWT library available to this JavaScript code.

For this I need to load code generated in GWT into a Nashorn engine.

This is not very easy since the load process of GWT libraries includes various ‘hacks’ which involve the DOM.

I don’t know yet how I am going to do this exactly. I found the gwt-node project. This project is meant to run GWT code on Node.js.

I think by working with the custom linker developed there (GwtNodeLinker.java) I might be able work something out.

Sandboxing JavaScript in Java App – Link Collection

The JVM is by design an insecure environment and it is generally difficult to run untrusted code in a sandboxed environment.

However, it seems that is relatively easy to sandbox JavaScript code running in Oracle Nashorn. The instructions are here. Strangely, this was not easy to find through a Google search.

Below I have listed some further sources on Sandboxing JavaScript and Java code. Although there is plenty of material on Rhino, I would not recommend using this engine. I think Nashorn has been designed with support for Sandboxed code in mind from the very beginning while in Rhino the functionality feels kind of bolted on.

UPDATE I have implemented two little libraries which takes care of the grunt work of sandboxing Nashorn and Rhino code in Java:

Nashorn Sandbox (on GitHub)

Rhino Sandbox (on Github)

Sandboxing JavaScript

Nashorn

Restricting Script Access to Specified Java Classes: From the Oracle Nashorn docs. Shows how to restrict access to specific Java classes.

Rhino

Class ContextFactory: Useful for monitoring and setting restrictions on Rhino code.

Method initSafeStandardObjects: Useful for creating sandboxed Rhino code.

Rhino Sandbox: A small library for sandboxing JavaScript code running in Rhino.

Sandboxing Rhino in Java: Blog post

Securing Rhino in Java6: Blog post

DynJS

Sandboxing JavaScript Execution in Java: Blog post

Sandboxing Java

Example Code Monitoring Threads: Example code how thread CPU usage can be monitored.

The Java Sandbox: A library for sandboxing any Java code. Might be useful to sandbox the Java code with runs the script.

Use Signed SSL Certificate with Java

It seems to me like every time I have to do something that has to do with SSL certificates – be they self-signed or signed by a certificate authority – things do not go smoothly. I only do this from time to time, so I am by no means an expert; but I do believe my difficulties result to some degree from the intrinsic complexities within SSL and the systems which support it.

I have created another guide which walks step by step through the process of configuring a Java key store with a signed SSL certificate. If you do want this to succeed, note that you have to follow every step precisely. Even minor omissions can lead to errors (believe me, I’ve tried it myself).

  • Download Portecle (from here) and Unzip it
  • Start portecle.jar by double clicking it
  • Go to File / New Keystore

  • Select JKS and click [OK]
  • Go to Tools / Generate Key Pair

  • Select Algorithm RSA and Key size 2048
  • Increase validity from the default 356 to 1000 or more days

  • In Common Name provide the domain or subdomain of the domain you want to protect
  • Provide some input for all other fields – do not leave any empty
  • Provide a password and remember it (This can be the same password as for the the whole store)
  • Provide an alias – best the name of your domain

  • You should see the following:

  • Right click the key pair you have create and select ‘Generate Certification Request’

  • Portecle will generate file ‘XYZ.csr‘ for you.
  • Provide the contents of this file to the SSL provider of your choice (see a brief comparison here – I’ve had good experiences with RapidSSL certificates from GoGetSSL).
  • Your SSL provider should supply you with an SSL certificate. This file should end with ‘.crt‘. Download it.
  • Go back to Portecle and right click your key pair again. Select ‘Import CA Reply’.

  • Import the .crt file you got from your SSL provider.
  • If this does not work, first proceed to import the certificates as listed in the next steps, then try again to import the CA Reply.
  • You can import the ROOT certificate of your SSL provider just in case.
  • Also, your SSL provider will supply you with an intermediate and server certificate. You can import these into your keystore as well.
  • Note that when importing the ROOT certificate of your provider, you might get a warning that no trust chain can be established to the certificate. However, when importing the intermediate and server certificates AFTER importing the root certificate, there should be no warning that no chain can be established.
  • Your keystore should look something like this now:

  • Now go to File / Save Keystore
  • Provide the same password you used before.

Now you can use the created key store in Java servers. For an easy way how to use a keystore with Java, check out step 7 in this post.

Using RapidSSL Certificate from GoGetSSL for Java Server

IMPORTANT: I found it a lot easier and less error prone to use the GUI tool Portecle to go about generating a SSL certificate/key. You can find my instructions to do so in another post.

The following steps show how a RapidSSL certificate obtained through GoGetSSL can be used to secure a Java server.

Step 1: Purchase Certificate

Go to gogetssl and purchase a Standard RapidSSL certificate (should be around $5 / year).

Step 2: Create Keystore

Run:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore server.keystore

When asked for ‘What is your first and last name?’ enter the domain of your server (can also be a subdomain).

Press ENTER when prompted for ‘Enter key password for <tomcat>’

Step 3: Create CSR 

Run:

keytool -certreq -keyalg RSA -alias tomcat -file server.csr -keystore server.keystore

Open the file server.csr and copy its contents into the clipboard.

Step 4: Upload CSR to GoGetSSL

Login to GoGetSSL and select ‘Manage SSL Certificates’ / All.

Next to the certificate you have just purchased should be a [Generate] button. Click it.

Choose ‘Order Type’: ‘New Order’

Choose ‘Web Server Software’: ‘Jakart-Tomcat’

Paste the CSR you copied from server.csr.

Choose signature algorithm SHA2.

Click [Validate CSR]

Step 5: Perform Email Validation and Give Your Details

Specify an email address to which the validation email should be sent and click [Next Step].

Also give your details and confirm the RapidSSL terms and conditions.

Note: Now wait a few minutes until you get the email and confirm it when you got it.

Step 6: Import RapidSSL Certificates Into Keystore

You will receive an email with the certificate for the server and the intermediate certificate from RapidSSL.

You’ll need to add both to your keystore.

First the intermediate certificate:

Get it from the email and paste it into a file ‘intermediate.crt’ and put it into the same folder as you keystore. Then run:

keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore server.keystore

You should get a message ‘Certificate was added to keystore’

Then the server certificate:

Get it from the email and paste it into a file ‘server.crt’ and put it into the same folder as you keystore. Then run:

keytool -import -trustcacerts -alias server -file server.crt -keystore server.keystore

You should again get a message ‘Certificate was added to keystore’.

Now you can use server.keystore to secure your Java Webserver with SSL.

Install Oracle JDK with Puppet

Problem

You would like to install Oracle JDK using Puppet.

Using the puppetlabs/java module, you might get an error message such as:

Error: Java distribution oracle-jdk is not supported. at […]/init.pp:57 on node […]

Solution

Use the module puppet-jdk-oracle.

Just follow the installation instruction from the GitHub page.

Note that you might want to set the java version used to the latest available. You can find the latest version and build number from the Oracle JDK downloads page.

To get the build number, you first need to accept the terms and conditions and then check the URL of the link to download the version of the JDK you are interested in:

Also, make sure to configure the right platform: ‘x64’ for 64 bit systems and ‘i586’ for 32 bit systems.

UPDATE: Note that newer versions of Java 8 also require the inclusion of a hash. So the download link from Oracle will look as follows:

http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.tar.gz

The part in bold is the hash.

As of 26th of Mai 2017, the configuration needs to be adjusted as follows (Thanks @Vulco, see in comments below):

Within ~/manifests/install.pp adjust the following variables:

$default_8_update = ‘131’
$default_8_build = ’11’
$default_8_hash = ‘d54c1d3a095b4ff2b6607d096fa80163’

As of 30th of April 2015, this would be the configuration for the latest JDK version on 64 bit Linux:

class { ‘jdk_oracle’:

    version => ‘8’,

    version_update => ’45’,

    version_build => ’14’,

    platform => ‘x64’,

    ensure => ‘installed’,

}

Xtend Error: Cannot find class Consumer

Problem

When deploying you Xtend application to a different environment than your development environment you might encounter an error such as:

[ERROR] symbol: class Consumer
[…]
[ERROR] cannot find symbol

Solution

This error is caused by Xtend trying to use Java 8 features. It does so when your development machine runs Java 8.

For eclipse, you can fix this by using a Java 7 JDK under Window / Preferences / Java / Installed JREs. Then ‘Clean’ your project and all references to the Consumer class should be obliterated.

For Maven, you can find more information on this page.

Setting Up eclipse Luna with Maven for Android

As of August 2014, don’t even try this.

Officially, the Google Eclipse plugin supports Eclipse 4.4 (Luna) at present. However, in order to be able to create projects which are both Maven projects and Android projects you will need to install the m2e-android plugin. This currently does not support eclipse Luna. Probably, if you create a new Android project based on the archetype suggested by the m2e-android plugin, you might get errors such as:

  • …R cannot be resolved to a variable
  • Plugin execution not covered by lifecycle configuration: com.jayway.maven.plugins.android.generation2:android-maven-plugin:3.8.2:generate-sources (execution: default-generate-sources, phase: generate-sources)
  • Project configurator “me.gladwell.eclipse.m2e.android.androidDevelopmentToolsProjectConfigurator” is not available. To enable full functionality, install the project configurator and run Maven->Update Project Configuration.
  • Plugin execution not covered by lifecycle configuration: com.jayway.maven.plugins.android.generation2:android-maven-plugin:3.8.2:proguard (execution: default-proguard, phase: process-classes)

My recommendation is to use Android Studio.

You can easily add Maven dependencies to projects in Android Studio. Just locate the ‘build.gradle’ file in your application directory and add a compile dependency.

Cross-Domain Requests in GWT with JSONP

GWT RPC is built upon AJAX requests and thus is subject to the Same-Origin Policy. However, it is really easy in GWT (as well as in other JavaScript applications) to circumvent this policy using a method called JSON-with-padding (JSONP).

Unfortunately, there are a couple of issues one needs to consider before utilizing JSON-P:

Amount of Data Send from Client to Server

The biggest limitation of JSONP is that it uses GET and not POST requests. Thus, all data send from the client to the server needs to be encoded as URL query parameters such as:

http://myserver.com/myrpctarget?data_from_client=lotsofdatafromclient

These URL parameters can only hold a limited amount of data. I couldn’t find a conclusive upper limit on this, but most sensible suggestions seem to indicate that parameters should be limited to between 2,000 or 4,000 bytes. Please note that many sources here discuss the limit of characters which can be put into a browsers address bar. This limit is not the same as the limit for GET requests triggered from within JS code.

Reliance on GWT RPC

It is a non-trivial (but not impossible – I’ve done it!) endeavor to channel GWT RPC requests through JSONP. Thus, if your application is deeply dependent on GWT RPC, it will probably involve a lot of work to make it JSONP ready. Good news is that if you use the Request Builder API things will be far easier.

Other than these two issues there is really nothing stopping you from writing GWT client applications, which can communicate with multiple servers. I believe that this decoupling from client and server is far more valuable than the added security derived from restricting requests to one domain. After all, the browser is a client application which is by design meant to communicate with many different servers. If you have a choice, consider the two factors above and architect your GWT applications from the very beginning in a way which enables JSONP requests.

Resources

GWT JavaDoc – JsonpRequestBuilder

Wikipedia – JSONP

GWT 2, JSONP and Javascript Overlays with JsonpRequestBuilder

GWT Exclude Package From Source Path

Problem

The Google Web Toolkit Java to JavaScript transpiler is a powerful tool to convert Java source code into JavaScript files. Unfortunately, not all Java code can be transpiled into JavaScript code by GWT.

Sometimes, a project contains a mix of Java code that can be converted into JavaScript and Java code that doesn’t. In that case, the GWT compiler issues errors such as ‘No source code is available for type …‘.

Solution

GWT module definitions (.gwt.xml) files allow to specify fine-grained rules which files in a project are to be converted and which files should not. The rules are based on Ant patterns, which can be difficult to wrap one’s head around. Below are a few handy examples.

Exclude all files in packages with the name ‘/jre/’

<source path='' >

    <exclude name="**/jre/**" />
</source>

Exclude the file ‘ForJre.java’:

<source path='' >
   <exclude name="**/ForJre.java" />
</source>

Copy EntrySet of a HashMap in Java

All the key-value pairs of a Map in Java can be accessed through the method .entrySet() on the Map interface. Sometimes it might be required to create a copy of the resulting list.

A straightforward approach would be to utilize the constructor of the ArrayList class, which accepts a list as parameter, such as

List<Entry<…> copy = new ArrayList<Entry<…>>(map.entrySet());

Unfortunately, this approach does not work in all cases, for instance when using GWT. The problem is that the individual Entries in the entrySet are not guaranteed to contain the keys and value of the map. Thus, in order to create a safe copy of an entry set, the following steps are required:

  • Add the class MyEntry to your application.
  • Create a new ArrayList with the size of your entrySet: copy = new ArrayList(map.entrySet().size());
  • Loop through the entry set of the map and create individual copies of all entries:

for (Entry<…> e : map.entrySet()) {

copy.add(new MyEntry<…>(e.getKey(), e.getValue()));

}

Not too easy but worth the effort; since if you don’t create a copy of an entrySet like this, your application becomes dependend on the internals of the map implementation of your choice. You might also want to consider to create a copy of the whole map and then use the entrySet of the copied map. This can be accomplished in less lines of code but will be less performant, since the internal index for the map would have to be recreated.