Wednesday, March 31, 2010

OAuth-ing Twitter thru Twitter4J API

Further to my blog post "OAuth - 'valet' key to online info lockers" a couple of days back, I found a blog that 'OAuth's to Twitter to generate an access token using the Twitter4J API, at:
OAuth-ing Twitter thru Twitter4J API

Oracle - SID vs Service Name

Oracle SID vs Oracle Service Name?

SID = the unique name of the instance (the Oracle processes and memory running on the machine). Oracle considers the "Database" to be the files on disk.
ServiceName = an alias used when connecting. Its main purpose shows up in a cluster: the client only says "connect me to" a service, and the DBA can on the fly change the number of instances that serve it, or even move the service to a completely different database, without the client changing any settings.

The service name is recorded in the tnsnames.ora file on the clients; it can be the same as the SID, or any other name you want. The ORACLE_SID is recorded in INSTANCE_NAME, which may be the same as the database name (the DB_NAME parameter in init.ora). The oratab file lists the instances on the server.

SERVICE_NAME is a feature from Oracle 8i onwards in which the database registers itself with the listener (dynamic registration). If the database is registered with the listener this way, use the SERVICE_NAME parameter in tnsnames.ora; otherwise use SID in tnsnames.ora.

In Oracle Parallel Server (RAC) each instance has its own SID, but the instances normally register the same SERVICE_NAME, so a client that connects by service name is routed to whichever instance is available.

SERVICE_NAMES specifies one or more names for the database service to which this instance connects. You can specify multiple service names to distinguish among different uses of the same database. For example:

Service names also identify a single service that is available from two different databases through the use of replication. In an Oracle Parallel Server environment the parameter has to be set on every instance.

You might have a staging database and a production database with the same SID but referenced with 2 different service names:

      (PROTOCOL = TCP) 
      (PORT = 1521)
      (PROTOCOL = TCP) 
      (PORT = 1521)
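As an added example (not from the post), here are complete tnsnames.ora entries for the staging/production case above, plus an SID-based entry for comparison; the hostnames and service names are assumptions:

```text
# tnsnames.ora on the client. Both databases run with ORACLE_SID = orcl;
# clients tell them apart by SERVICE_NAME, not by SID.
STAGING =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = stg-db.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = stg.example.com))
  )

PROD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = prod-db.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = prod.example.com))
  )

# Pre-8i style, or when the instance is not registered with the listener:
# address one specific instance by its SID.
PROD_BY_SID =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = prod-db.example.com)(PORT = 1521))
    (CONNECT_DATA = (SID = orcl))
  )
```

The same distinction appears in the Oracle thin JDBC URL: jdbc:oracle:thin:@host:1521:orcl addresses an SID, while jdbc:oracle:thin:@//host:1521/prod.example.com addresses a service name. Check which one the listener actually publishes (lsnrctl status on the server) before choosing; a service-name connect to an instance that is not dynamically registered fails with ORA-12514.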


Creating DataSource in Tomcat

Unlike the WebLogic AppServer, Tomcat does not provide a way to add a datasource via the admin console.
To manage datasources we edit Tomcat's XML configuration; follow the link:
Datasource in Tomcat
[This is done by editing context.xml in the Tomcat conf directory ($CATALINA_HOME/conf); a per-application META-INF/context.xml works too.]
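An added example (not from the linked page) of what such a context.xml Resource entry looks like for Tomcat 6 with its built-in DBCP pool; the JNDI name, Oracle host, service name and account are assumptions to replace:

```xml
<!-- $CATALINA_HOME/conf/context.xml (global) or META-INF/context.xml in the webapp -->
<Context>
  <!-- Attribute names are the Tomcat 6/7 (Commons DBCP 1.x) ones;
       Tomcat 8+ renames maxActive to maxTotal and maxWait to maxWaitMillis. -->
  <Resource name="jdbc/AppDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:@//db.example.com:1521/app.example.com"
            username="app_user"
            password="change-me"
            maxActive="20"
            maxIdle="5"
            maxWait="10000"
            validationQuery="select 1 from dual" />
</Context>
```

The application looks it up with new InitialContext().lookup("java:comp/env/jdbc/AppDB"). The password sits in cleartext in this file, so restrict it to the Tomcat service account (chmod 600) and give app_user only the privileges the application needs; a bounded maxActive also keeps one misbehaving webapp from exhausting the database's session limit.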

Monday, March 29, 2010

Installing 'not found' jars to local maven repo

At times a jar is not found in the Maven central repository, or the version found there is inconsistent with the vendor's. So we need to install it into our local repository ourselves.
Below are 2 ways of doing it.

1. If the jar is not available from any repository (you only have the file):-
       mvn install:install-file -DartifactId=ojdbc14 -Dversion= -Dpackaging=jar -Dfile=path/to/file
   (install-file also needs -DgroupId=... unless a -DpomFile is supplied; fill in the groupId and version the vendor uses, so the coordinates in your pom match.)

2. If the jar is available in a repo other than repo1.maven... :-
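For the second case, as an added example (not from the post): a pom.xml fragment that declares the vendor repository and the dependency. The repository id and URL and the artifact coordinates are assumptions; checksumPolicy fail and disabled snapshots keep a corrupted or silently changed jar from entering the build.

```xml
<project>
  <!-- ... -->
  <repositories>
    <repository>
      <id>vendor-releases</id>                       <!-- assumed id -->
      <url>https://repo.vendor.example/maven2</url>  <!-- assumed URL; use https, not http -->
      <releases>
        <enabled>true</enabled>
        <checksumPolicy>fail</checksumPolicy>        <!-- refuse jars whose .sha1/.md5 do not match -->
      </releases>
      <snapshots>
        <enabled>false</enabled>                     <!-- never pull moving SNAPSHOT builds from a vendor -->
      </snapshots>
    </repository>
  </repositories>

  <dependencies>
    <dependency>
      <groupId>com.vendor</groupId>                  <!-- assumed coordinates -->
      <artifactId>vendor-client</artifactId>
      <version>1.2.3</version>                       <!-- pin an exact version, no ranges -->
    </dependency>
  </dependencies>
</project>
```

Once downloaded, the jar is cached in ~/.m2/repository like any other artifact, so a later build cannot be changed by the vendor republishing the same version unless you delete the cache.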

With respect to Sun-related jars, refer to: Coping with sun-jars

Sunday, March 28, 2010

Rocky Road to Dublin

"Rocky Road to Dublin" is a fast-paced 19th century Irish song about a man's experiences as he travels to Liverpool, England from his home in Tuam.

Recently brought back to mind by its use in the soundtrack of the movie Sherlock Holmes.

Now, time to... Enjoy the Song!

An Irish instrumental:

Thursday, March 25, 2010

Async-ing a java task: ExecutorService & Future

At times we need to make a task asynchronous, for instance posting a message to 3 different destinations where the user is not concerned with whether each individual post completes successfully.

In that case an ExecutorService can be used.

public interface Callable<V>

A task that returns a result and may throw an exception. Implementors define a single method with no arguments called call.

The Callable interface is similar to Runnable, in that both are designed for classes whose instances are potentially executed by another thread. A Runnable, however, does not return a result and cannot throw a checked exception.

The Executors class contains utility methods to convert from other common forms to Callable classes.

Executors is the class of factory and utility methods for Executor, ExecutorService, ScheduledExecutorService, ThreadFactory, and Callable.

public interface ExecutorService extends Executor

An Executor that provides methods to manage termination and methods that can produce a Future for tracking progress of one or more asynchronous tasks.

An ExecutorService can be shut down, which will cause it to stop accepting new tasks. After being shut down, the executor will eventually terminate, at which point no tasks are actively executing, no tasks are awaiting execution, and no new tasks can be submitted.

Method submit extends base method Executor.execute(java.lang.Runnable) by creating and returning a Future that can be used to cancel execution and/or wait for completion. Methods invokeAny and invokeAll perform the most commonly useful forms of bulk execution, executing a collection of tasks and then waiting for at least one, or all, to complete. (Class ExecutorCompletionService can be used to write customized variants of these methods.)

The Executors class provides factory methods for the executor services provided in this package.
Usage Example

Here is a sketch of a network service in which threads in a thread pool service incoming requests. It uses the preconfigured Executors.newFixedThreadPool(int) factory method:

import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

class NetworkService {
    private final ServerSocket serverSocket;
    private final ExecutorService pool;

    public NetworkService(int port, int poolSize) throws IOException {
        serverSocket = new ServerSocket(port);
        pool = Executors.newFixedThreadPool(poolSize);
    }

    public void serve() {
        try {
            for (;;) {
                // each accepted connection is handed to a pool thread
                pool.execute(new Handler(serverSocket.accept()));
            }
        } catch (IOException ex) {
            // accept() failed (e.g. the socket was closed): stop taking new work
            pool.shutdown();
        }
    }
}

class Handler implements Runnable {
    private final Socket socket;
    Handler(Socket socket) { this.socket = socket; }
    public void run() {
        // read and service request on socket
    }
}
public interface Future<V>

A Future represents the result of an asynchronous computation. Methods are provided to check if the computation is complete, to wait for its completion, and to retrieve the result of the computation. The result can only be retrieved using method get when the computation has completed, blocking if necessary until it is ready. Cancellation is performed by the cancel method. Additional methods are provided to determine if the task completed normally or was cancelled. Once a computation has completed, the computation cannot be cancelled. If you would like to use a Future for the sake of cancellability but not provide a usable result, you can declare types of the form Future<?> and return null as a result of the underlying task.

Sample Usage (Note that the following classes are all made-up.)

interface ArchiveSearcher { String search(String target); }
class App {
    ExecutorService executor = ...
    ArchiveSearcher searcher = ...
    void showSearch(final String target) throws InterruptedException {
        Future<String> future = executor.submit(new Callable<String>() {
            public String call() {
                return searcher.search(target);
            }
        });
        displayOtherThings(); // do other things while searching
        try {
            displayText(future.get()); // use future
        } catch (ExecutionException ex) { cleanup(); return; }
    }
}
The FutureTask class is an implementation of Future that implements Runnable, and so may be executed by an Executor. For example, the above construction with submit could be replaced by:

FutureTask<String> future =
    new FutureTask<String>(new Callable<String>() {
        public String call() {
            return searcher.search(target);
        }
    });
executor.execute(future);
Metro & Axis2 - Studying the webservice leaders



Building new webservice:

Metro using Maven
Metro WS with Eclipse

JAXWS WsImport compiler from Maven2 - .pom section


Metro vs Axis:

Monitoring WS traffic :

tcpMonitor for SoapUI
WS Monitor

Misc :
 Quick cook page for JAX-WS

OAuth - 'valet' key to online info lockers

OAuth is an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password - Instead they hand out tokens.

Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.

Every day new websites offer services that tie together functionality from other sites. A photo lab printing your online photos, a social network using your address book to look for friends, and APIs to build your own desktop application version of a popular site. These are all great services; what is not so great about some of the implementations available today is their request for your username and password to the other site. When you agree to share your secret credentials, not only do you expose your password to someone else (yes, that same password you also use for online banking), you also give them full access to do as they wish. They can do anything they want, even change your password and lock you out.

OAuth allows you, the User, to grant access to your private resources on one site (called the Service Provider) to another site (called the Consumer, not to be confused with you, the User), without sharing your credentials or the full extent of your data. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours).

It is promoted and used by Twitter and Digg, and even by big players like Google and Yahoo.

Twitter provides 'Sign in with Twitter', the ability to use Twitter as a delegated sign-in provider for third-party websites. Before this, a third-party site would ask the user for their Twitter username and password and use those credentials to make an authenticated API call; if the call succeeded, the site knew the user was who they claimed to be and let them use the service. With delegated sign-in the site instead sends the user to Twitter to authorize and gets back an access token, so it no longer needs to handle Twitter passwords, store them, protect them, or deal with the legal consequences.

If you are extending an existing service, implementing a specific API, or building a site that depends heavily on another service, OAuth gives you everything you need for very little extra work.

Glossary :
  • Service Provider – the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web-service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a microblogging site, or any other service where ‘user’s private stuff’ is kept. OAuth does not mandate that the Service Provider will also be the identity provider which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID.
  • User – the user is why OAuth exists and without users, there is no need for OAuth. The users have ‘stuff’ they don’t want to make public on the Service Provider, but they do want to share it with another site. In OAuth, the protocol stops without manual interaction with the user at least once to receive permission to grant access.
  • Consumer – this is a fancy name for an application trying to access the User’s resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web. The Consumer is the one getting permission to access resources and the Consumer is where the useful part of OAuth happens. OAuth defines ‘Consumer Developer’ as the entity writing code to interact with the Service Provider. 
  • ‘Consumer Key’ and ‘Consumer Secret’ (‘Shared Secret’) - obtained by the Consumer on registering with the SP. The Consumer Key identifies the Consumer in every request; the Secret is never sent, it is only used to sign requests.
  • Request Token: received by the Consumer when it makes a request to the SP's request-token endpoint signed with its CK and CS (in OAuth 1.0a, also carrying the callback URL). The Consumer then redirects the user to the SP's authorization page with this token.
  • OAuth Verifier: sent back by the SP (via the callback, or displayed to the user for out-of-band applications) when the user authorizes the Consumer on the SP's page, after logging in at the SP's site.
  • Access Token (OAuth token) & Token Secret: sent by the SP when the Consumer presents its Request Token and Verifier, signed with CK and CS, in exchange for access to the resources the user authorized at the SP's site.
  • Protected Resources: the ‘stuff’ OAuth protects and allows access to. This can be data (photos, documents, contacts), activities (posting a blog item, transferring funds) or any URL with a need for access restrictions.
  • Tokens – are used instead of User credentials to access resources. A Token is generally a random string of letters and numbers (but not limited to) that is unique, hard to guess, and paired with a Secret to protect the Token from being abused. OAuth defines two different types of Tokens: Request and Access.
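The "security handshake" between Consumer and SP comes down to one mechanism: every request is signed with secrets that never cross the wire, so a captured token alone is useless. As an added example (not from the post or any OAuth library), here is the OAuth 1.0a HMAC-SHA1 signing procedure in Java, building the signature base string and the signature on the Consumer side and checking it on the SP side. The request parameters, keys and expected base string are the ones in RFC 5849 section 3.4.1; the two secrets and the tampered request at the end are illustrative values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: OAuth 1.0a HMAC-SHA1 request signing and verification. */
public final class OAuth1Signer {
    private static final String UNRESERVED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    /** RFC 3986 percent-encoding as OAuth 1.0 requires: UTF-8, upper-case hex, space as %20. */
    static String encode(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c < 0x80 && UNRESERVED.indexOf(c) >= 0) sb.append((char) c);
            else sb.append('%').append(String.format("%02X", c));
        }
        return sb.toString();
    }

    /** Signature base string: METHOD & enc(base URI) & enc(normalized parameters). */
    static String baseString(String method, String baseUri, List<String[]> params) {
        List<String[]> enc = new ArrayList<String[]>();
        for (String[] kv : params) {
            if ("oauth_signature".equals(kv[0]) || "realm".equals(kv[0])) continue; // excluded by spec
            enc.add(new String[] { encode(kv[0]), encode(kv[1]) });
        }
        // Sort by encoded key, then by encoded value (a key may repeat).
        Collections.sort(enc, new Comparator<String[]>() {
            public int compare(String[] a, String[] b) {
                int k = a[0].compareTo(b[0]);
                return k != 0 ? k : a[1].compareTo(b[1]);
            }
        });
        StringBuilder norm = new StringBuilder();
        for (String[] kv : enc) {
            if (norm.length() > 0) norm.append('&');
            norm.append(kv[0]).append('=').append(kv[1]);
        }
        return method.toUpperCase() + "&" + encode(baseUri) + "&" + encode(norm.toString());
    }

    /** HMAC-SHA1 over the base string keyed with enc(consumerSecret)&enc(tokenSecret).
     *  Neither secret appears in the request; only this MAC does. */
    static String sign(String base, String consumerSecret, String tokenSecret) {
        String key = encode(consumerSecret) + "&" + encode(tokenSecret == null ? "" : tokenSecret);
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
            byte[] sig = mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(sig);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** SP side: recompute from the stored secrets and compare in constant time. */
    static boolean verify(String presented, String base, String consumerSecret, String tokenSecret) {
        byte[] expected = sign(base, consumerSecret, tokenSecret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Request from RFC 5849 section 3.4.1: query b5=%3D%253D&a3=a&c%40=&a2=r%20b and
        // body c2&a3=2+q (values listed here already decoded) plus the oauth_* parameters.
        List<String[]> params = new ArrayList<String[]>();
        params.add(new String[] { "b5", "=%3D" });
        params.add(new String[] { "a3", "a" });
        params.add(new String[] { "c@", "" });
        params.add(new String[] { "a2", "r b" });
        params.add(new String[] { "c2", "" });
        params.add(new String[] { "a3", "2 q" });
        params.add(new String[] { "oauth_consumer_key", "9djdj82h48djs9d2" });
        params.add(new String[] { "oauth_token", "kkk9d7dh3k39sjv7" });
        params.add(new String[] { "oauth_signature_method", "HMAC-SHA1" });
        params.add(new String[] { "oauth_timestamp", "137131201" });
        params.add(new String[] { "oauth_nonce", "7d8f3e4a" }); // real code: SecureRandom, unique per timestamp

        String base = baseString("POST", "http://example.com/request", params);
        String expected = "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
            + "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
            + "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131201"
            + "%26oauth_token%3Dkkk9d7dh3k39sjv7";
        if (!base.equals(expected)) throw new AssertionError("base string mismatch:\n" + base);

        // Illustrative secrets: the consumer secret lives only with the Consumer and SP,
        // the token secret was issued by the SP with the access token.
        String sig = sign(base, "j49sk3j29djd", "dh893hdasih9");
        System.out.println("oauth_signature=" + encode(sig));
        System.out.println("verifies: " + verify(sig, base, "j49sk3j29djd", "dh893hdasih9"));
        // Flip one parameter (a3=a -> a3=b) as an attacker replaying a captured request might.
        String tampered = base.replace("a3%3Da", "a3%3Db");
        System.out.println("tampered: " + verify(sig, tampered, "j49sk3j29djd", "dh893hdasih9"));
    }
}
```

The SP must additionally reject a nonce it has already seen for that timestamp and a timestamp too far from its clock; the signature alone does not stop a verbatim replay. Note also that the Consumer Key and token travel in the clear, so the scheme's strength rests entirely on the secrets staying on the two endpoints.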
 Sample Workflow: 

Security Process Concepts: 

Visualizing the Security handshake between SP & Consumer: 

Official Site:

Getting Started: 

The Guide: 

Discussion Group: 

OAuth Core 1.0 was released December 4, 2007.
OAuth Core 1.0 Revision A was released June 24, 2009.

Wednesday, March 24, 2010

Maven - enterprise proj builder

Apache Maven is a software tool for Java project management and build automation.
Maven dynamically downloads Java libraries and Maven plug-ins from one or more repositories. Maven provides built-in support for retrieving files from the Maven 2 Central Repository and other Maven repositories, and can upload artifacts to specific repositories after a successful build. A local cache of downloaded artifacts acts as the primary means of synchronizing the output of projects on a local system.
Maven is built using a plugin-based architecture that allows it to make use of any application controllable through standard input. Theoretically, this would allow anyone to write plugins to interface with build tools (compilers, unit test tools, etc.) for any other language.

Basic Concepts:
1. POM file
2. Build Lifecycle
3. Phase
4. Plugin
5. Goal
6. Dependencies

7. Repository: Central (public), enterprise/remote (internal), Local (~/.m2/repository)

Run thru:
1. mvn in shell/cmd
2. maven plugin for eclipse (/netbeans/other IDEs)

Creating a eclipse proj using Maven: 

Deploying 3rd party jar to remote repo: 


Further reading: 

Tuesday, March 23, 2010

ssh Reverse Tunnelling

Reverse tunnelling (a reverse connection) is usually used to get around firewall restrictions on inbound ports. A firewall usually blocks inbound connections to listening ports but often does not restrict outgoing traffic. In a normal forward connection the client connects to a port the server has open; in a reverse connection the client opens an outbound connection and the server then uses that connection to reach a port on the client's side. The most common reason to use a reverse connection is to bypass firewall and router restrictions.

SSH is an extremely useful tool in that it allows you to do many things in a secure fashion that you might not otherwise be able to do. One of the things SSH allows you to do is to set up a reverse encrypted tunnel for data transfer. Typically, when you initiate an SSH tunnel, you forward a port on the local machine to a remote machine which can allow you to connect to an insecure service in a secure way, such as POP3 or IMAP. However, you can also do the reverse. You can forward a port on the remote machine to the local machine while still initiating the tunnel from the local machine.

This is useful if you have a service on the remote end that you want to have connected to something on the local machine, but you don't wish to open up your firewall or have SSH private keys stored on the remote machine. By using a reverse tunnel, you maintain all of the control on the local machine.
An example usage for this would be for logging messages; by setting up a reverse SSH tunnel, you can have a logger on the remote system send logs to the local system (i.e., syslog-ng).
Another example is malicious: a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands back to the Trojan horse over it. Trojan horses (Remote Administration Tools) that use a reverse connection send TCP SYN packets to the attacker's IP address; the attacker listens for these SYN packets and accepts the connections it wants.

How to?
[SSH Reverse Tunnel HOWTO:-]
To set up the reverse tunnel, use:

$ ssh -nNT -R

What this does is initiate an SSH connection to the remote host and forward TCP port 1100 on the remote host to TCP port 1100 on the local machine. The "-n" option tells ssh to associate standard input with /dev/null, "-N" tells ssh to just set up the tunnel and not to prepare a command stream, and "-T" tells ssh not to allocate a pseudo-tty on the remote system. These options are useful because all that is desired is the tunnel and no actual commands will be sent through it, unlike a normal SSH login session. The "-R" option takes [bind_address:]port:host:hostport: sshd on the remote side listens on port and sends each connection it receives back through the tunnel to host:hostport as resolved from the local machine, which is what makes it a reverse tunnel.

Now, if anything connects to port 1100 on the remote system, it will be transparently forwarded to port 1100 on the local system. Two things to check: by default the remote listener binds only to the loopback address, so other hosts can reach it only if sshd on the remote side has GatewayPorts enabled (or a bind_address is given and permitted); and whatever listens on local port 1100 is now reachable by everyone who can reach the remote port, so treat the tunnel endpoint as an open port on that service.

How to detect?

If a computer is sending SYN packets or is connected to an attacker's PC, the connections can be discovered with the netstat command or a port-listing tool like "Active Ports". If the Internet connection is down and an application still tries to connect to remote hosts, the machine may be infected with malware. Keyloggers and other malicious programs are harder to detect once installed, because they connect only once per session. Note that SYN packets by themselves are not a cause for alarm; they are a standard part of every TCP connection.

There are legitimate uses for using reverse connections, for example to allow hosts behind a NAT firewall to be administered remotely. These hosts do not normally have public IP addresses, and so must either have ports forwarded at the firewall, or open reverse connections to a central administration server.

Monday, March 22, 2010

Why go for SVN, over CVS? ...SVN adopted into Apache family!

SVN is gaining popularity as a version control system.
On 17 February 2010 it became Apache Subversion, a top-level Apache project.

Subversion uses the WebDAV and DeltaV extensions to the HTTP protocol for client/server communications.

Should refer:
    a. #Layers
    b. #Filesystem
    c. #Properties
    d. #Branching_and_tagging
2. Official site:
3. HOWTO setup Subversion for Windows with Apache:

Good reference material:- 
2. On nightly builds:-

Why is SVN a better choice than CVS?
1. Guaranteed atomic commits
2. Files can be renamed and keep their version history
3. No physical difference between tags and branches, only a logical one, so branching and tagging are constant-time operations. Both are implemented simply by copying the directory you are tagging, and cost the same as any other copy.
4. Uses a binary differencing algorithm (its xdelta implementation; early releases used vdelta) so binary files (e.g. .ps, .pdf) are stored and transferred as compact deltas
5. Client-server communication: if you modify a local file and commit, only the differences between your local file and the pristine copy of the revision you checked out are sent to the server, meaning a lot less bandwidth is used.

SVN packages can be found at:

Install Commands for Linux:
1. Fedora:-  $ yum install subversion 
2. Debian:-  $ apt-get install subversion
3. Ubuntu:-  $ apt-get install subversion
4. OpenBSD:- $ pkg_add subversion 
5. FreeBSD:-  
        $ cd /usr/ports/devel/subversion
        $ make install

The next BIG version control system coming up: Git, developed by Linus Torvalds for Linux kernel development.