Monday, October 25, 2010

Secure Facebook Browsing

Most websites use HTTPS for the login form and plain HTTP for everything else, so the session cookie issued after login travels in cleartext on every subsequent request. Anyone on the same network (an open Wi-Fi hotspot, for instance) can sniff that cookie and replay it to impersonate the user; this is cookie hijacking, also called sidejacking. Tools like Firesheep brought the problem to the forefront: Firesheep packages the attack against Facebook and other sites as a Firefox extension, so hijacking a neighbour's session is as simple as installing an add-on.

The best way to avoid this attack is to use HTTPS for everything when using Facebook, but the way Facebook works, even if you go to https://www.facebook.com (the secure HTTPS page), all the links on it still point to http://www.facebook.com (the unsecured HTTP page), so the very next click sends the session cookie in the clear again. This leaves Facebook users vulnerable to tools like Firesheep. Forcing HTTPS on the client is a workaround that only holds as long as the site really serves its pages over HTTPS; the proper fix is on the server side: serve everything over HTTPS and set the Secure attribute on the session cookie so the browser never sends it over HTTP at all.

Here is a Firefox Extension I wrote to solve this problem for Firefox. Every time the user visits Facebook.com, all requests are forced to go through HTTPS, even if the user starts with http://www.facebook.com.
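Two checks, written here as an added example in plain JavaScript (Node.js) and not taken from the extension above, make the problem concrete. forceHttps() does the rewrite such an extension has to do and shows the one edge case a host-matching rewrite must get right: matching on a domain-label boundary, so that http://notfacebook.com is left alone while http://www.facebook.com is rewritten. auditSetCookie() looks at the server side of the same problem: a session cookie issued without the Secure attribute is sent on any plain-HTTP request the browser happens to make, which is exactly what Firesheep captures. The protected-domain list, the sample links and the cookie string are constructed for the example; the cookie is made up, not captured from Facebook.

```javascript
// Added example, not code from the extension the post describes.
// Plain Node.js, no dependencies (uses the built-in WHATWG URL class).

// Rewrite an http:// URL to https:// when its host is one of the protected
// domains or a subdomain of one; anything else is returned unchanged.
function forceHttps(href, protectedDomains) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return href; // relative URL or junk: nothing to rewrite
  }
  if (u.protocol !== 'http:') return href; // already https, or not a web URL

  const host = u.hostname.toLowerCase();
  // Match on a label boundary: "facebook.com" or "*.facebook.com", never
  // "notfacebook.com" (a bare endsWith("facebook.com") would match that).
  const isProtected = protectedDomains.some(
    (d) => host === d || host.endsWith('.' + d)
  );
  if (!isProtected) return href;

  u.protocol = 'https:'; // path, query and fragment are kept as they were
  return u.toString();
}

// Parse one Set-Cookie header value and report which protective attributes
// it lacks. Without Secure the browser sends the cookie on any plain-HTTP
// request to the domain (one http:// link or image is enough), which is
// what a sniffer on the local network captures; without HttpOnly a script
// injected into the page can read it.
function auditSetCookie(setCookie) {
  const parts = setCookie.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0].trim();
  const attrs = new Set(
    parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase())
  );
  const missing = [];
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  return { name, missing };
}

// Constructed sample input; the cookie is made up, not captured from Facebook.
const PROTECTED = ['facebook.com'];
const sampleLinks = [
  'http://www.facebook.com/home.php?ref=home',
  'http://facebook.com/',
  'http://notfacebook.com/login',
  'https://www.facebook.com/already-secure',
  '/relative/path',
];
const sampleCookie =
  'c_user=100000000000001; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.facebook.com';

for (const link of sampleLinks) {
  console.log(link, '->', forceHttps(link, PROTECTED));
}
console.log(auditSetCookie(sampleCookie));
```

Run it with node. The cookie audit reports both Secure and HttpOnly missing, which is why client-side HTTPS forcing is only a workaround: the cookie leaks the moment any plain-HTTP request to the domain slips past the rewrite.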

Friday, October 22, 2010

Firefox Extension: Block Facebook from your life

It's nearly impossible to be on the web and not be a Facebook user these days. Even if you never use a social network, Facebook is notified whenever you visit one of the more than one million sites that use Facebook Connect, and it has a history of leaking personally identifiable information to third parties. Either way, Facebook knows your web life.

Here is a Firefox Extension that completely blocks Facebook from your online life: it won't let you visit Facebook.com, and it won't let Facebook track your moves through Facebook Connect.

Monday, April 12, 2010

WGET - Authentication

How do you fetch a page with wget when it requires authentication? wget is well equipped to handle the common scenarios.

HTTP Basic Authentication: To download a page that requires HTTP Basic authentication, put the credentials in the URL:
wget https://myUserName:myPassword@www.myserver.com/mypage.html
wget http://myUserName:myPassword@www.myserver.com/mypage.html

Two caveats. Basic authentication only base64-encodes the password, so the http:// form hands it in cleartext to anyone on the network path; prefer the https:// form on any network you don't control. Also, credentials typed on the command line end up in your shell history and are visible in the process list (ps) while wget runs; wget's --user option combined with --ask-password (which prompts for the password and stores nothing), or a ~/.netrc file with mode 600, avoids both.

Form Post: To download a page protected by a login form, post the form fields (the field names must match the name attributes of the form's inputs):

wget --post-data 'user=myUserName&password=myPassword' http://www.myserver/mypage.html

The same caveat applies: over http:// the posted password crosses the network in cleartext.

Form Post with multiple pages: If you need to navigate through further pages after logging in, save the cookies that the login response sets and load them for the later requests:

wget --post-data 'user=myUserName&password=myPassword' --cookies=on --keep-session-cookies --save-cookies=myCookies.txt http://www.myserver/auth

wget --cookies=on --load-cookies=myCookies.txt --keep-session-cookies --save-cookies=myCookies.txt http://www.myserver/mypage.html

myCookies.txt now holds a live session token, so anyone who can read the file can act as you: keep it mode 600 and delete it when you are done.

Wednesday, March 31, 2010

Hey Microsoft how about banning iTunes on windows?

Wouldn't it be interesting if Microsoft followed Jobs's "CPU hog" strategy and banned iTunes on Windows for installing malware that is a "memory hog"?

Monday, March 08, 2010

Making No as Default in EXTJS Confirm Dialog

ExtJS has no configuration option to make the "No" button the default in a confirm dialog, which is the sensible default when the action being confirmed is destructive. So how do you make "No" the default?
One way is to get hold of the dialog window behind Ext.MessageBox and mark the third button (index 2, the "No" button in the OK / Yes / No / Cancel order) as the default.

Here is the snippet:

// Show the confirm dialog; feedbackFunction is the callback that receives the button id ('yes' or 'no').
var dialog = Ext.MessageBox.confirm('Confirm', 'Do you really mean it?', feedbackFunction).getDialog();
// Buttons are ordered OK, Yes, No, Cancel, so index 2 is "No".
dialog.defaultButton = 2;
// Move focus to the default button.
dialog.focus();

Sunday, March 07, 2010

GZIP and Save the earth

It is amazing how we put maximum effort into the least significant things rather than take care of the low-hanging fruit first. The GZIP RFC (RFC 1952) came out in 1996 and every HTTP/1.1 browser supports it, yet it is amazing how many websites still don't use such a basic trick to cut their bandwidth bill. Just enabling GZIP typically reduces the bytes transferred by around 50% (70% or more if the site is mostly text), which adds up to a huge saving.

How to enable GZIP for Apache:

1) Make sure the line LoadModule deflate_module modules/mod_deflate.so is present and uncommented in your httpd.conf (the Vary header below also needs mod_headers loaded).
2) Add the following lines to httpd.conf:

<IfModule mod_deflate.c>
    <Location />
        # Compress every response that passes through this filter
        SetOutputFilter DEFLATE
        # Images, archives and PDFs are already compressed: skip them, and
        # don't add a Vary header for them either
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-vary
        # Keep old proxies from serving a compressed copy to a client that can't take it
        Header append Vary User-Agent env=!dont-vary
    </Location>
</IfModule>

and you are done. The configuration tells Apache to GZIP all content except images, archives and PDF files, which are already compressed; the env=!dont-vary clause keeps the extra Vary header off those excluded responses, and mod_deflate adds Vary: Accept-Encoding itself so caches keep compressed and uncompressed copies apart. One caveat for an HTTPS site: compressing a response that reflects attacker-controlled input alongside a secret such as a CSRF token opens a compression side channel (the BREACH attack, published in 2013), so keep secrets out of such responses or leave them uncompressed.

The next time a browser sends a request with the header:
Accept-Encoding: gzip, deflate

your web server returns the body compressed and says so in the response header:
Content-Encoding: gzip

Enable GZIP on your servers today and save the Earth.

Monday, January 18, 2010

Making Jersey work with Spring

Making Jersey work with Spring simplifies JAX-RS (RESTful web services) and makes RESTful service development a lot easier. This is a simple tutorial on how to make Jersey work with Spring 3.0 (the same applies to Spring 2.5).

Libraries needed:
1) Spring 3.0 distribution.
2) Jersey 1.x distribution.
3) Jersey Spring 1.0.1-SNAPSHOT

Let's inject a simple Spring bean into a JAX-RS resource using Jersey's @Inject annotation.

Step 1: Update web.xml
Declare the Spring application context configuration:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml</param-value>
</context-param>

Configure the Spring context listener, which builds the application context when the web app starts:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

Configure the Spring request context listener so that request-scoped beans work:

<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

Now declare the Jersey Spring servlet and map it to /resource/*:

<servlet>
    <servlet-name>jerseyspring</servlet-name>
    <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>jerseyspring</servlet-name>
    <url-pattern>/resource/*</url-pattern>
</servlet-mapping>

Step 2: Create applicationContext.xml
Now create applicationContext.xml. It scans a package, say com.km.services, for JAX-RS resources and declares a simple bean, say com.km.spring.SimpleBean:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="com.km.services"/>

    <bean id="simpleBean" class="com.km.spring.SimpleBean"/>

</beans>

Step 3: Define your Spring bean

For simplicity, let's create a Spring bean that does nothing but provide a method that says hello.

package com.km.spring;

public class SimpleBean {
    public String sayHello() {
        return "Hello my Friend";
    }
}


Step 4: Create your JAX-RS resource
Now let's create the JAX-RS resource into which we inject the Spring bean created in Step 3.

package com.km.services;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import com.sun.jersey.spi.inject.Inject;
import com.km.spring.SimpleBean;

@Path("/hello")
@Component          // picked up by component-scan, so Spring manages the resource
@Scope("request")   // one instance per request, the usual JAX-RS lifecycle
public class HelloResource {

    @Inject private SimpleBean simpleBean;   // Jersey's @Inject, resolved from the Spring context

    @GET
    @Produces("text/plain")
    public String getMessage() {
        return simpleBean.sayHello();
    }
}



That's all there is to it. A GET to /resource/hello now returns "Hello my Friend" to your client.

Friday, January 08, 2010

Android Everywhere

Sun's dream of putting Java everywhere is finally being realized, but it has nothing to do with Sun and everything to do with Google.

Now Android is on laptops, netbooks, mobile phones, video phones, washing machines, microwaves and printers. Android is fast becoming the UI layer for consumer electronics.

Monday, January 04, 2010

MySpace Shame: Fix API and then talk of Developer Contest

Today MySpace announced that submissions are open for the MySpace Developer Challenge, which is really great because MySpace is also trying to drive innovation from the developer community on its platform. I got pretty excited about getting an app going with the MySpace API.

After an hour of trying to integrate MySpace OAuth without much success, constantly failing at section 6.3.2 of the OAuth spec ("Service Provider Grants an Access Token") with a 500 Internal Server Error, I referred to the MySpace forums and found that OAuth with MySpace hasn't been working since late November; MySpace has been aware of the issue for well over a month and is still trying to fix it.

A developer contest is a great idea to improve the platform, but how about making the API work before the contest so that developers can actually develop apps for it?