AWS S3 SDK Java Feedback

  • Verify if Bucket already exists

call the doesBucketExist method

  • Create Subdirectory (folder): using key


PutObjectRequest request = new PutObjectRequest(bucketName, "folder/", new File(fileName));

  • Remove all the files under folder:

    using key like : folder/

  • Using Presigned Url to share object (public url)

Often we need upload a file (image) to S3 and get a tempory public URL of this object. (Be careful, you should always set private-access to this object)

We could use Presigned-url with an expiration period.

Code Example

Integration Okta with your web application

1. Introduction Okta

Okta is an amazing identity management SasS products. It provides single sign-on solution, serves as a Security Gateway and it can protect all the internal employee daily used applications.

It also provides Okta API, so you can integrate their solution into your application. For example, you can use okta authentication and authorization API to control login.

2. Create a Okta Web Application

You start by sign up in Okta Developer .  And then create a Web Application :

Specify Login redirect URIs

3. Integration Front End : okta_sign-in_widget

You could use Okta Sign-In Widget  as your login page.

var signIn = new OktaSignIn({baseUrl: 'https://dev-xxxx.oktapreview.com'});
  signIn.renderEl({
    el: '#widget-container'
  }, function success(res) {
    if (res.status === 'SUCCESS') {
      console.log('Do something with this sessionToken', res.session.token);
    } else {
    // The user can be in another authentication state that requires further action.
    // For more information about these states, see:
    //   https://github.com/okta/okta-signin-widget#rendereloptions-success-error
    }
  });
4. Integration Back End:  Implement the Authorization Code Flow

At a high-level, this flow has the following steps (copy from doc Okta):

  • Your application directs the browser to the Okta Sign-In page, where the user authenticates.
  • The browser receives an authorization code from your Okta authorization server.
  • The authorization code is passed to your application.
  • Your application sends this code to Okta, and Okta returns access and ID tokens, and optionally a refresh token.
  • Your application can now use these tokens to call the resource server (for example an API) on behalf of the user.

As mentioned in the above login widget javascript, you could get a res.session.token, you send this session token to backend controller.

Backend controller use this session token call /authorize endpoint to get a code (you might get a 302 response and in the response header you could find a location with a URI contains code param)

After that, using code to call /token endpoint to get the access and ID tokens.

Akka Actor – Scala

1. Akka Actor:

Actor Model: One of the technologies used to deal with deal with concurrent computation. (The other two are: Reactor and Event Driven).

2. Create Actor:

Actors are implemented by extending the Actor base trait and implementing the receivemethod.
Props is a configuration class to specify options for the creation of actors.


class SenderActor(message: String, receiverActor: ActorRef) extends Actor {

  var receivedMessage = ""

  def receive = {
    case WhoToSend(who) =>
      receivedMessage = s"$message, $who"
    case Message =>
      receiverActor !Print(receivedMessage)
  }
}
3. Actor communication(in scala):
  • ! means “fire-and-forget”, e.g. send a message asynchronously and return immediately. Also known as tell.
  • ? sends a message asynchronously and returns a Future representing a possible reply. Also known as ask.

object MainApp extends App {
  val system : ActorSystem = ActorSystem("MainApp")

  val receiverActor: ActorRef = system.actorOf(Receiver.props, "Receiver")

  val sender1: ActorRef = system.actorOf(Sender.props("Bob", receiverActor),"Sender1")

  sender1 ! WhoToSend("Tom")
  sender1 ! Message
}

Github Source Code

Build Reactive Restful API Using Spring 5 (WebFlux), Springboot

1. Spring 5 WebFlux

Spring 5 includes a new reactive module called WebFlux. It builds on the reactive streams. (Key Spring Doc)

WebFlux support two programming models: one is traditional based@controller, the other is functional Java 8 lambda style routing and handling.  Here we will take a look at the second one.

In general, the second WebFlux model takes incoming http request, handed by the HandlerFunction , then http request body transforms to as Flux or Mono;

Flux and Mono come from the reactor (doc). A Flux object represents a reactive sequence of 0..N items, while a Monoobject represents a single-value-or-empty (0..1) result.

2. Code example
2.1 Create a handler:

@Component
public class UserHandler {

    public Mono getUser(ServerRequest request){
            try{
                String uuid = request.pathVariable("uuid");
                return ServerResponse
                        .ok()
                        .contentType(MediaType.APPLICATION_JSON)
                        .body(BodyInserters.fromObject(new UserJson(uuid, "bob")));
            }catch (IllegalArgumentException i){
                return ServerResponse.badRequest()
                        .contentType(MediaType.TEXT_PLAIN)
                        .body(BodyInserters.fromObject(i.getMessage()));
            }
    }
}
2.2 Create a route:

@Configuration
public class UserRouter {

    @Bean
    public RouterFunction route(UserHandler userHandler){
        return RouterFunctions.route(RequestPredicates.GET("/users/{uuid}").
                and(RequestPredicates.accept(MediaType.TEXT_PLAIN)),
                userHandler::getUser);
    }
}

Source Code example Github

Building Restful API using Springboot

1.Create Spring-boot project

IntelliJ IDEA CE doesn’t support “spring initializr” plugin, so we should initial a SpringBoot project using https://start.spring.io/

Download and unzip project, import it into IntelliJ.

2. Coding
  • Using  @RestController annotation which equals :  @controller + @ResponseBody
  •  Springboot main class should be in the same package with controllers and it should be in the root.

  • Code Controller:

@RestController
public class UserController {

    @RequestMapping(value = "/users/{uuid}", method = RequestMethod.GET)
    public ResponseEntity getUser(@PathVariable("uuid") String uuid) {
        UserJson userJson = new UserJson(uuid, "bob");
        return new ResponseEntity<>(userJson, HttpStatus.OK);
    }
}
  • Code Entity:

public class UserJson {

    @JsonProperty(value = "uuid")
    private String uuid;

    @JsonProperty(value = "name")
    private String name;

    public UserJson(String uuid, String name) {
        this.uuid = uuid;
        this.name = name;
    }
}
  • Run project

Configration Context and Port (Modifiy application.properties)


./gradlew build bootRun

Source Code Github

Learning Flask Python – 0

1. Install python3 (Mac)

brew install python3
2. Install PIP (Python Package Index)

curl https://bootstrap.pypa.io/get-pip.py > get-pip.py
sudo python get-pip.py
3. Install virtualenv (a tool to create isolated Python environments)

sudo pip install virtualenv
4.Create a project

$ mkdir myproject
$ cd myproject
$ virtualenv venv

$ . venv/bin/activate
5. install flask

$ pip install Flask
6. create a hello world app

create a hello.py under myproject folder


from flask import Flask
app = Flask(__name__)

@app.route('/')
def hello_world():
    return 'Hello, World!'

run app:


$ export FLASK_APP=hello.py
$ flask run

play framework (filter, action)

1. KeY concepts of http architect in Play framework

In core play2, the handling of HTTP is :


RequestHeader -> Array[Byte] -> Result 
RequestHeader -> Iteratee[Array[Byte],Result]

The above computation takes the request header RequestHeader, then takes the request body as Array[Byte] and produces a Result. (play doc)

2. action and filter

Most of the requests received by a Play application are handled by an Action.

A play.api.mvc.Action is basically a (play.api.mvc.Request => play.api.mvc.Result) function that handles a request and generates a result to be sent to the client.

A Controller is nothing more than a singleton object that generates Action values. (play doc)

The Filter is applying global filters to each request.

3. Using Filter and action

The filter is used for all the routes. Action can be customized for certain route (on a specific controller)

Using Filter for creating global ratelimter for the API:


public class GlobalRatelimitFilter extends Filter {

    private static final long MAX_REQUESTS = 10;
    private static final long PERIOD = 60;
    private AtomicLong remainingRequests;
    private Instant expirationTime;

    @Inject
    public GlobalRatelimitFilter(Materializer mat) {
        super(mat);
        this.remainingRequests = new AtomicLong(MAX_REQUESTS);
        this.expirationTime = Instant.now().plusSeconds(PERIOD);
    }

    @Override
    public CompletionStage apply(Function<Http.RequestHeader, CompletionStage> next, Http.RequestHeader rh) {

        if (Instant.now().isAfter(this.expirationTime)) {
            this.remainingRequests = new AtomicLong(MAX_REQUESTS);
            this.expirationTime = Instant.now().plusSeconds(PERIOD);
        }
        if (this.remainingRequests.get() > 0L) {
            this.remainingRequests.getAndDecrement();
            return next.apply(rh).thenApply(result -> result.withHeader("X-Remaining-Ratelimit", String.valueOf(this.remainingRequests.get())));
        } else {
            return CompletableFuture.completedFuture(Results.status(429, "too many requests globally"));
        }
    }
}

code github

Using action for creating specific ratelimiter for certain routes:


public class RatelimitAction extends Action {

    private static final String USER_ENDPOINT_RATELIMIT = "user-endpoint-ratelimit";

    @Inject
    @NamedCache("ratelimit-cache")
    private SyncCacheApi cache;

    @Override
    public CompletionStage call(Http.Context ctx) {
        int limit = configuration.limit();
        int period = configuration.period();
        Ratelimit ratelimit = cache.getOrElseUpdate(USER_ENDPOINT_RATELIMIT, () -> new Ratelimit(limit, period));

        if (ratelimit.expired()) {
            ratelimit = new Ratelimit(limit, period);
            cache.set(USER_ENDPOINT_RATELIMIT, ratelimit);
        }
        ratelimit.decrease();

        if (ratelimit.reached()) {
            return CompletableFuture.completedFuture(Results.status(429, "too may requests for /users endpoint"));
        }

        return delegate.call(ctx);
    }
}

Using Action to control the API, Security, verify the requests before it calling the controller.


public class IPStrictAction extends Action {

    @Override
    public CompletionStage call(Http.Context ctx) {

        String[] whiteListIPs = configuration.whiteListIPs();

        String clientHost = ctx.request().host().split(":")[0];

        if(!iPwhitelisted(whiteListIPs, clientHost)){
            CompletableFuture.completedFuture(Results.status(403, "IP not allowed"));
        }

        return delegate.call(ctx);
    }

    private boolean iPwhitelisted(String[] whiteListIPs, String clientHost) {
        return Arrays.asList(whiteListIPs).contains(clientHost);
    }
}

Code Github

Java – Exception

Exception:

Definition: An exception is an event, which occurs during the execution of a program, that disrupts the normal flow of the program’s instructions.

Three Kinds of exception:
  • Checked Exception: These are exceptional conditions that a well-written application should anticipate and recover from.

NoSuchFieldException, IOException etc.

  • Errors (Unchecked exception): These are exceptional conditions that are external to the application, and that the application usually cannot anticipate or recover from.

An application might choose to catch this exception, in order to notify the user of the problem — but it also might make sense for the program to print a stack trace and exit.

  • Runtime exception (Unchecked exception): These are exceptional conditions that are internal to the application, and that the application usually cannot anticipate or recover from.The application can catch this exception, but it probably makes more sense to eliminate the bug that caused the exception to occur.

IndexOutOfBoundsException, IllegalArgumentException etc.

Password Store Best practice – Security Hash in Java

In Development we often encounter the case when we have to store the user’s password. Obversely, we should never store the real, raw password. Instead we store the hash value of the password.

There are some advanced Hashing secure one-way functions compute a one-way (irreversible) transform.  Owasp

Today we will introduce two widely used hash methods:

  • PBKDF2WithHmacSHA512:

PBKDF2 (Password-Based Key Derivation Function 2)
SHA (Secure Hash Algorithm )

Java implementation code

  • Bcrypt:

bcrypt is a password hashing function based on the Blowfish cipher.

Java implementation code

Other good articles:

https://howtodoinjava.com/security/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/

HMAC (Hash-based message authentication codes)

HMAC stands for Hash-based message authentication codes which is often used between communication between server and client.

  1. The server and client are both provided with a secret key known only by that specific server and client.
  2. The client generates a unique HMAC, or hash, per request to the server by hashing the request data with the secret key and sending it as part of a request.
  3. The server receives the request and regenerates its own unique HMAC, it compares the two HMACs. If they’re equal, the client is trusted and the request is executed.
  4. The whole process is well described here by Amazon.
  5. RFC 2104 – HMAC: Keyed-Hashing for Message Authentication
  6. Example of codes for creating HMAC-SHA256.