Don't Panic!

Spring Security delegating password encoder

Published on March 14, 2022

The Spring Security PasswordEncoder interface exists to make it easy to safely encode passwords for storage in a database. Hashing the password using a secure algorithm with a heavy work factor will slow down an attacker even if they compromise the password database.

Since the interface was introduced, security recommendations have changed as CPUs / GPUs become more powerful and as vulnerabilities are discovered in legacy algorithms. The original StandardPasswordEncoder is now deprecated as the SHA-256 algorithm is considered insecure. Spring offers more secure implementations based on bcrypt, PBKDF2 and Argon2.

However, Spring no longer ties you to a single algorithm. The new DelegatingPasswordEncoder provides support for multiple PasswordEncoder implementations, many of which are available in Spring Boot applications with default configuration. This makes it possible to select an algorithm at run time and to have a database containing password hashes with different algorithms.

Testing Spring reactive WebClient

Published on January 15, 2022

Spring WebClient is the reactive replacement for the legacy RestTemplate. It has a more modern fluent API and first class support for Reactive Streams. This means it supports non-blocking, asynchronous responses.

However, the reactive WebClient does not yet have the mature test support that RestTemplate now has. There is not yet a standard recipe to test Spring WebClient applications. No doubt support will be improved in future versions but for now, here’s what works for me.

Securing a Zookeeper ensemble

Published on November 30, 2021

In the previous post, we looked at how to build a three cluster Zookeeper ensemble. However, the ensemble was not secured in any way. This would allow unauthorised clients to query Zookeeper and to push data to znodes. It also allows unauthorised Zookeeper instances to join the ensemble and potentially even instruct the cluster to shut down.

Even in secured networks, it’s a good idea to use some of the security features available in Zookeeper. In this post we’ll look at two security mechanisms: mutual TLS (mTLS) and SASL authentication. We’ll set up these security features on the server-server communication (leader election protocols) and client-server communication (Kafta to Zookeeper).

Building a Zookeeper ensemble

Published on October 28, 2021

Some notes on setting up and configuring a Zookeeper ensemble. Many guides use some shortcuts to setting up the ensemble such as running multiple Zookeeper instances on a single machine or running them in Docker. Both require some workarounds to make it work. As a better example, this guide runs three Zookeeper instances across three different VMs.

Microsoft Bot Framework Part 3: Connect to channels

Published on September 1, 2021

In the first two parts we built a bot using the Microsoft Bot Framework SDK and registered it in Azure. In this third and final part we’ll consume the bot using three of the available Bot Framework Channels: A simple chat component on a web page, SMS text and a fully custom Node.js application.

Microsoft Bot Framework Part 2: Build a bot with Bot Framework SDK

Published on August 7, 2021

The Microsoft Bot Framework is a flexible framework for building conversational bots. A bot can be written once and deployed to multiple channels including webchat, Microsoft Teams, Alexa and SMS. It supports text, speech and rich GUIs with images and controls.

In this three part series, I’ll register a ‘hello world’ bot application as an Azure Bot Resource and then look at how to customise my bot behaviours. Finally I’ll make it available to a chat widget on a web page, SMS and consume it from a Node.js application.

In the first part, we created an Azure Bot registration and connected to a demo bot application. In this part we’ll swap out the demo bot for one we’ve built using the Microsoft Bot Framework SDK.

Microsoft Bot Framework Part 1: Create an Azure Bot Resource

Published on July 27, 2021

In this part, I’ll register and configure a bot with Microsoft Azure Bot Service. It might seem odd to start here rather than going straight into the application code. However, getting this step out of the way gives us something simple to play with that works end to end.

Exception handling in ScheduledExecutorService

Published on May 15, 2021

Java’s ScheduledExecutorService allows you to schedule Runnable tasks without having to worry too much about creating Threads. At its simplest, you can schedule a task like this:

Runnable task = () -> System.out.println("Hello world!");
executor.schedule(task, 10, TimeUnit.SECONDS);
System.out.println("Done!");

The output is:

Done! Hello world!

That is we schedule the task, then print “Done!”. 10 seconds later the scheduled task executes and prints “Hello world!”.

But what happens if the Runnable throws an Exception?

The epoch was an hour late

Published on January 1, 2021

The epoch – midnight on 1st January 1970 – is one of the most important moments in computing. Many systems store dates and times as the number of seconds (or milliseconds) since the epoch. When new year’s revellers counted down the seconds before Big Ben struck twelve for the first time in a new decade, who would have known that the moment would be significant fifty years on?

Except, it didn’t. On the moment that is represented as zero in Unix, C, Java and so many other systems, Big Ben did not strike twelve. At midnight on the 1st January 1970, Big Ben struck one.

Execute Around idiom in Java

Published on November 28, 2020

The Execute Around idiom is a pattern that allows you to wrap an action with some standard setup / tear down steps. Examples might include:

Execute within a lock: acquire the lock, do the action, release the lock
Resource handling: acquire the resource, do the action, close the resource
Execute as a user: switch to the user, do the action, switch back to the original user
Exception handling: do the action, handle the exceptions
Time an action: start a timer, do the action, stop the timer

The pattern allows you to pass in arbitrary actions and have them run with the same setup / tear down steps.

Don't Panic! Posts