
  • donpark 4:35 am on September 24, 2009 Permalink | Reply
    Tags: sqlite3, tech

    Installing sqlite3-ruby gem on Snow Leopard 

    Problem:

    After upgrading to Snow Leopard, I had to rebuild/reinstall MacPorts and RubyGems as recommended. While doing this, I found that sqlite3-ruby gem install failed with errors related to extconf.rb file.

    Solution:

    Not sure why this works, but I found a working solution on StackOverflow which replaces:

    /usr/local/lib/libsqlite3.dylib

    with a symbolic link to one that came with XCode for Snow Leopard:

    /Developer/SDKs/MacOSX10.6.sdk/usr/lib/libsqlite3.0.dylib

    You can find the full ‘ln’ command on the StackOverflow page above, but be sure to rename the original in case you need to restore it.

     
  • donpark 10:21 pm on August 4, 2009 Permalink | Reply
    Tags: jax-rs, jersey, jsp

    Using JSP with Jersey JAX-RS Implementation 

    This post shows you some tips you’ll likely need to use JSP with Jersey in typical Java webapps.

    Tested Conditions

    While Jersey 1.1.1-ea or later is probably the only hard requirement for the tips to work, my development environment is listed here for your info. You are welcome to add to this rather meager basis for sanity.

    1. Jersey 1.1.1-ea
    2. Tomcat 6.0.20
    3. JDK 1.5
    4. OS X Leopard

    Change JSP Base Template Path

    The default base path for templates is the root of the webapp. So if my webapp is at “/…/webapps/myapp”, then Viewable(“/mypage”, null) will map to “/…/webapps/myapp/mypage.jsp”.

    To change this, say to “WEB-INF/jsp” as is commonly done for security reasons, add the following init-param to the Jersey servlet/filter in web.xml:

    <init-param>
    <param-name>com.sun.jersey.config.property.JSPTemplatesBasePath</param-name>
    <param-value>/WEB-INF/jsp</param-value>
    </init-param>

    Return Viewable as part of Response

    It was not obvious to me (doh) where Viewable fits into Response when I have to return a Response instead of a Viewable. It turns out that a Viewable can be passed wherever the message body entity is passed. Example:

    return Response.ok(new Viewable("/mypage", model)).build();

    Use “/*” as servlet-mapping for Jersey

    The primitive servlet-mapping URI pattern scheme, which somehow survived many iterations of the servlet API, hits JAX-RS hard if the servlet-mapping is overly broad. Unfortunately, pretty RESTful URLs call for the servlet-mapping to be “/*” instead of something like “/jersey/*”, which breaks access to JSP files as well as static resources.

    To work around this, you’ll have to use Jersey as a filter instead of a servlet and set a regular-expression init-param value to punch passthrough holes in Jersey’s routing scheme. To enable this, replace the Jersey servlet entry in web.xml with something like this:

    <filter>
     <filter-name>jersey</filter-name>
     <filter-class>com.sun.jersey.spi.container.servlet.ServletContainer</filter-class>
     <init-param>
      <param-name>com.sun.jersey.config.property.WebPageContentRegex</param-name>
      <param-value>/(images|js|styles|(WEB-INF/jsp))/.*</param-value>
     </init-param>
    </filter>
    <filter-mapping>
     <filter-name>jersey</filter-name>
     <url-pattern>/*</url-pattern>
    </filter-mapping>

    That’s all for now. Hope this post saved you some headaches.

     
    • Casper Bang 4:28 am on October 20, 2009 Permalink

      Thanks Don for the useful tip regarding getting around the limitations of url-pattern with Jersey! :)

    • Henri Bezemer 2:33 am on January 7, 2010 Permalink

      Thanks for this tip. Your statement “Hope this post saved you some headaches” was quite an understatement. I was already implementing other means of templating HTML results when I found out – from your post – that Jersey has this built-in.

    • Ryan de Laplante 7:49 am on January 13, 2010 Permalink

      I recently discovered that I need to use the filter configuration instead of servlet configuration of Jersey so that my JSF app will keep working. However, I did not define a WebPageContentRegex. Instead, I just mapped the filter to /rest/* and my web content continues to work.

  • donpark 3:30 am on July 23, 2009 Permalink | Reply
    Tags: Components.utils.import, firefox, NS_ERROR_FAILURE, tips, XPCOM   

    Firefox Extension Developer Tips 

    Just a couple of tips for Firefox extension developers, hard earned after many hours of head scratching. Not adhering to either tip will confuse Firefox, and the XPCOM component will fail to load.

    XPCOM components get loaded before chromes are loaded.

    [Update: The most common symptom of this is a Components.utils.import call failing during launch with an NS_ERROR_FAILURE exception. To fix it, wait until the app-startup notification is received before importing JavaScript modules.]

    This means anything defined in chrome.manifest won’t be available until the “app-startup” event is observed. Note that the “resource://” URI scheme introduced in Firefox 3 is mapped by resource directives in chrome.manifest, which means you should defer Components.utils.import calls until “app-startup”.
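    The deferral described above, as an added example (not code from the original post): a small gate that queues import requests until the "app-startup" notification arrives. The import function is injected so the logic runs outside Firefox; inside a real component you would pass a wrapper around Components.utils.import and register the gate's observe method with the observer service for the "app-startup" topic.

```javascript
// Added example, not from the original post. Queues module imports until
// "app-startup" has been observed, so chrome.manifest resource:// mappings
// are guaranteed to exist before Components.utils.import is called.
function createStartupGate(importFn) {
  const pending = [];          // module URIs requested before startup
  const loaded = [];           // module URIs actually imported
  let started = false;

  return {
    // Call this wherever you would otherwise call Components.utils.import.
    // Returns true if the import ran immediately, false if it was deferred.
    requestImport(uri) {
      if (started) {
        importFn(uri);
        loaded.push(uri);
      } else {
        pending.push(uri);     // too early: defer instead of failing
      }
      return started;
    },
    // Same signature as nsIObserver.observe(subject, topic, data).
    observe(subject, topic, data) {
      if (topic !== "app-startup" || started) return;
      started = true;
      while (pending.length) {
        const uri = pending.shift();
        importFn(uri);
        loaded.push(uri);
      }
    },
    pendingCount() { return pending.length; },
    loadedModules() { return loaded.slice(); },
  };
}

// Constructed stand-in for Components.utils.import (assumed behaviour for the
// test only): it throws, as Firefox does with NS_ERROR_FAILURE, when asked to
// import a resource:// module before chrome.manifest has been processed.
function makeFakeImporter() {
  const state = { resourceReady: false, imported: [] };
  return {
    state,
    importFn(uri) {
      if (!state.resourceReady) throw new Error("NS_ERROR_FAILURE: " + uri);
      state.imported.push(uri);
    },
  };
}
```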

    XPCOM components implemented in JavaScript should be defined as a plain object, not a function.

    So it should look something like this:

    // The module is an object literal; Firefox will not load it if it is a function.
    var MyServiceModule = {
      // nsIModule method called when the component is registered
      registerSelf: function(compMgr, fileSpec, location, type) {
        // component registration goes here
      },
      // the other nsIModule methods go here
    };
     
  • donpark 6:28 am on July 9, 2009 Permalink | Reply
    Tags: realtime, stream, ui   

    Real-Time State of Mind 

    I need to get back to blogging more often. Having to type more than 140 characters feels weird. ;-)

    Given that I’ll be attending TechCrunch’s Real-Time Stream CrunchUp this Friday, I thought a blog post on a key real-time stream problem would help me into a real-time state of mind.

    Real-time streams have many technical problems to overcome, many of which are thankfully being resolved by advances in technology and infrastructure, but the problem that interests me the most is the user experience problem:

    Information, real-time or otherwise, is meaningless if users are drowned within it.

    Typical Twitter users see only a fraction of the tweets from people they follow. The notion of Top Friends (related to my social radar diagram from 8 years ago) will help, but at the cost of additional chores users have to do to separate the greens from the weeds.

    The financial industry has used real-time streams for a long time, so there is a lot to learn there technically. But, when it comes to user experience, they haven’t cracked the nut either, forcing traders to use a bewildering number of charts and numbers on multiple displays and input devices to trade. So we emerging consumer real-time stream developers will have to break new ground ourselves.

     
    • Mike Wilson 6:44 am on July 9, 2009 Permalink

      Well, people can absorb both far more and far less information than they think. Following about 350 people is a nice sweet spot for me while I’m online.

      Financial data streaming is an interesting case of “if you dump the data at them, they will figure out what to do with it.” (Ok, it’s not “if you build it, they will come” but close.)

      The data overload can be mitigated pretty well with an effective software layer. TweetDeck’s columns, ThinkOrSwim’s analytics, etc. But “the naked stream” I think needs to be classified as a tool rather than an end product for users.

      Hmm… still a half baked thought on my part.

    • A "Karriem" Khan 4:24 pm on July 10, 2009 Permalink

      Can I buy your Party Ticket to the August Capital Party

    • donpark 4:38 pm on July 10, 2009 Permalink

      It’s not transferable and the ‘ticket’ is a wristband which can’t be taken off w/o cutting. Sorry.

  • donpark 6:04 am on May 14, 2009 Permalink | Reply
    Tags: aptana, gem_lib, radrails, wtf   

    Fixed the Aptana RadRails GEM_LIB issue on Mac by linking ‘/Users/{user}/.gem/ruby/1.8/gems’ to ‘/usr/local/lib/ruby/gems/1.8/gems’. I can’t blame Aptana for this since it was me who chose to use a tool built by a company that spread itself too thin. I doubt they have more than a couple of engineers working on RadRails, which is not enough to provide the necessary quality across the range of environments Aptana is unfortunately being asked to support.

     
  • donpark 7:30 pm on May 12, 2009 Permalink | Reply
    Tags: fantasy, html5, microdata   

    HTML5 Microdata Fantasy 

    I haven’t been tracking HTML5 design efforts lately, but what’s being proposed for microdata (see posts by Sam Ruby and Shelly Powers) yucked me sufficiently to revisit an old fantasy of mine about HTML (man, what a boring life I have). My fantasy was to add a general element/structure definition facility to HTML. It should be easily extended to support microdata as well.

    The way I envisioned it being used is like this:

    <address>
    <street>123 ABC St.</street>
    <city>Foobar</city>
    <state>CA</state><zip>94065</zip>
    </address>

    which sure is preferable to:

    <div item>
    <span itemtype="street">123 ABC St.</span>
    <span itemtype="city">Foobar</span>
    <span itemtype="state">CA</span>
    <span itemtype="zip">94065</span>
    </div>

    As to how such semantic structures and syntactic sugar could be defined, one very arbitrary way would be:

    <head>
    <def name="address" package="http://test.com/1/mapking"
        params="{{street city state zip}}">
      <div>
        <span>{{street}}</span>
        <span>{{city}}</span>
        <span>{{state}}</span>
        <span>{{zip}}</span>
      </div>
    </def>
    </head>

    I don’t have any illusions that this fantasy has even a tiny chance of coming true though. Besides, it’s like a beggar asking for caviar when any kind of microdata support will satiate our hunger.

    Boss! Boss! The Plane. The Plane!

    update:

    Here is a more elaborate version of the def element for the bored:

    <def name="name" package="http://ting.ly/name"
      attrs="$$first last$$">
      <span>$$first$$ $$middle$$ $$last$$</span>
    </def>

    which could be used like this:

    <name first="Don" last="Park"/>

    There are lots of holes in this sketch, which is why it’s a fantasy.
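    To make the sketch concrete, here is an added example (not part of the original post) of a toy expander for the attribute-based def element above: definitions are read from the head, and each <name .../> usage is replaced by the template body with its $$placeholders$$ filled from the usage's attributes. Values are HTML-escaped on substitution, which any real version of the feature would need, since otherwise an attribute value under someone else's control could inject markup into the expanded page.

```javascript
// Added example, not from the original post: a minimal expander for the
// "def" element sketch in its attrs="$$a b$$" form.
const ATTR_RE = /([\w-]+)\s*=\s*"([^"]*)"/g;

function parseAttrs(s) {
  const out = {};
  for (const m of s.matchAll(ATTR_RE)) out[m[1]] = m[2];
  return out;
}

// Escape substituted values so a template can never be turned into markup
// by the data it is fed.
function escapeHtml(v) {
  return String(v).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Collect <def name=".." package=".." attrs="$$a b$$">body</def> blocks.
function parseDefs(head) {
  const defs = {};
  const re = /<def\s+([^>]*)>([\s\S]*?)<\/def>/g;
  for (const m of head.matchAll(re)) {
    const a = parseAttrs(m[1]);
    const declared = (a.attrs || "").replace(/\$\$/g, "").trim().split(/\s+/);
    defs[a.name] = { package: a.package, attrs: declared, body: m[2].trim() };
  }
  return defs;
}

// Expand every self-closing <name k="v" .../> whose name has a def.
// Placeholders not declared in attrs (like $$middle$$ in the sketch) expand
// to "" rather than leaking the raw placeholder into the output.
function expand(defs, html) {
  const names = Object.keys(defs).join("|");
  if (!names) return html;
  const usage = new RegExp("<(" + names + ")\\b([^>]*?)/>", "g");
  return html.replace(usage, (_, name, attrText) => {
    const given = parseAttrs(attrText);
    return defs[name].body.replace(/\$\$(\w+)\$\$/g, (__, key) =>
      defs[name].attrs.includes(key) && key in given ? escapeHtml(given[key]) : "");
  });
}

// Constructed input mirroring the post's sketch.
const HEAD = `<def name="name" package="http://ting.ly/name" attrs="$$first last$$">
  <span>$$first$$ $$middle$$ $$last$$</span>
</def>`;
```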

     
    • Douglas Hineline 10:31 pm on May 12, 2009 Permalink

      You can’t stop a stampede my man. The general html semantics has too much momentum to change direction too much, besides we’re just now starting to get browsers that act somewhat similar. In the end it is all just XML nodes, but try telling that to IE.

    • donpark 11:25 pm on May 12, 2009 Permalink

      Yeah, I know. I was there when IE core guys explained how the IE worked during a W3C DOM WG meeting. If I could, I would bury W3C in the sand then build an out house over it.

    • Philip Taylor 12:52 am on May 13, 2009 Permalink

      How would your idea differ from simply defining all the data in a separate machine-readable XML file and then using XSLT (or some other templating language) to construct the HTML from it?

    • donpark 8:55 am on May 13, 2009 Permalink

      If it’s done on client-side, only that I think this is easier to learn than XSLT. If XSLT transform is server-side, this is easier to use as well. I find XSLT learning curve rather steep for average HTML jockey.

    • Simon Gibbs 11:25 am on May 14, 2009 Permalink

      If you were to put city, state, zip and street elements in a namespace and use CSS3 selectors then you wouldn’t need any syntax transformation in the page, or anywhere else.

      Once the elements are in a namespace and the markup is valid XML, getting to RDF (via GRDDL) or unmarshalling objects (XPath, JAX-B) is easy – everyone is happy. Most intelligent people are able to grok XML namespaces given a few days of exposure to them.

      Given CSS3 rather than a def element there is very little missing from standards and tools, so this is not especially fantastic.

    • lun0 3:12 pm on June 4, 2009 Permalink

      hehehe awesome stuff

  • donpark 11:41 pm on May 6, 2009 Permalink | Reply
    Tags: blog

    Smiley Profile Image Set 

    I wish I could use a set of profile images instead of just one and have appropriate one displayed based on text content so that if I put a smiley like :-) or ;-) in the text, photo of me smiling or winking will show.

    It doesn’t have to be a face, it could be topic/category images. And I don’t see why tweet-specific images couldn’t be displayed since Twitter already sends out image URL with each tweet (inside ‘user’).

     
    • Linvia 12:00 am on May 31, 2009 Permalink

      Hey this is kind of random, but I stumbled upon your blog when doing a google search.

      I am still very new to this blogging thing and I just installed the P2 theme. I was wondering how you got a display picture up. I don’t know where to even access that.

      If you could help at all that’d be so great :)

      Thanks in advance.

    • donpark 11:07 am on May 31, 2009 Permalink

      Hey Linvia. If you are referring to Flickr Photos, it’s a widget available from WordPress console if you are using WordPress.com service. If you are using your own installation, you’ll probably have to install a WordPress plugin.

  • donpark 10:44 pm on May 6, 2009 Permalink | Reply

    Trying Twitter/Facebook-like P2 theme to see if that’ll get me to post more often.

    I did change default template’s post body font size and added side paddings for easier reading.

     
    • Tim 5:43 am on May 7, 2009 Permalink

      I just heard about this theme on Matt’s site and WordPress.tv and I’m trying it out as a private site for communications for my youth group. I’m hoping it works well for discussing different topics and activity updates in an easy-to-use format similar to Facebook’s and Twitter’s updates.

    • MiscBytes 1:05 pm on June 1, 2009 Permalink

      I like this theme and think it really encourages conversation. What is it like on the back end? The usual WordPress stuff? I assume you can save drafts if you want – and schedule posts, etc.?

    • test 6:29 am on July 12, 2009 Permalink

      test

    • test 6:31 am on July 12, 2009 Permalink

      test2

  • donpark 3:53 pm on April 28, 2009 Permalink | Reply

    Why wasn’t OAuth Vulnerability found earlier? 

    According to the OAuth about page, it was Blaine Cook who initiated the birth of the standard while working at Twitter in Nov. 2006. Blaine mobilized the initiative by getting Chris Messina involved, which attracted others at CitizenSpace to join the effort (an excellent demonstration of the benefits co-working social environments offer). By April 2007, the initiative had been formalized and, by October 2007, the OAuth Core 1.0 spec was finalized. The question of interest to me is, why did it take a year and a half to uncover the first vulnerability?

    It’s puzzling because OAuth was well known and popularized, attracted a large body of developers, many of whom I presume read the spec, and was implemented by many, including some very large companies. I’ve read the spec as well and discussed it with peers and partners in the security and payment industry on several occasions.

    I think the right answer might be that our collective perspective in dealing with the standard was focused on implementation, application, and hype while wrongly assuming that the standard was secure. Recollecting my thoughts when I was reading the spec for the first time, I now realize that it was the safety in numbers and the lure of promising applications that influenced me to focus only on implementation.

    The good news is that I think OAuth will be given the proper shake it needs to get any remaining kinks out. The bad news is that we are likely to repeat the mistake when the next popular grassroots standard emerges in a hurry. The relatively fast pace of community/grassroots standard initiatives is not a concern only if mass appeal can be effectively leveraged to shine an intensive searchlight on all aspects of the standard.

     
    • Peter Keane 5:25 pm on April 28, 2009 Permalink

      I recently implemented my first OAuth client and had a slightly uneasy feeling that there was a bit of magic — I couldn’t clearly see how it was truly secure. Fact is, it was pretty darn close — the hole was never exploited (that we know) and steps are being taken to close that hole.

      That said, a simple fix will still leave a bit of “magic:” there is an authentication equivalency that is not being addressed (in OAuth terms, that user@consumer == user@service_provider) by way of a properly out-of-band mechanism. I would prefer to see that hole sewn up more definitively — essentially “whitelisting good guys” rather than “blacklisting bad guys” (which can become a game of whack-a-mole). I should note that many knowledgeable folks on the list feel the proposed fix is adequate. Two-legged OAuth, a less common use than the typical Three-legged flavor, is an excellent protocol (the exploit was discovered only in the Three-legged variety), and I suspect we’ll see more adoption as a stand-in for HTTP Basic & HTTP Digest authentication.

    • Matt Brubeck 7:24 pm on April 28, 2009 Permalink

      I don’t think it’s that complicated. There have been all manner of crypto protocols and security protocols that have been in use for years before critical flaws were discovered. Some were developed by standards bodies or subject to academic peer review. The fact is that any flaws left in a system after it’s been reviewed and revised and published can be quite hard to see, even if they’re obvious after someone points them out.

    • donpark 8:21 pm on April 28, 2009 Permalink

      Matt, while I agree that other protocols had flaws of varying nature, uncovering of fundamental flaws like the OAuth one and DNS one are rare events, often resulting in industry-wide scramble.

      Also, I don’t think we should accept incidental trickles of flaw discoveries as the norm when there are actions we can take to improve the process.

      IMO, it’s the same with open source projects. OS participants are primarily focused on using, extending, or repurposing the project code which means while bugs are uncovered, security vulnerabilities are rarely found until attack incidents occur or by chance.

      So I think some attention should be paid to finding ways or factors to introduce in grassroots initiatives and open source projects that encourage early detection of security vulnerabilities.

  • donpark 2:58 pm on April 25, 2009 Permalink | Reply

    On Twitter’s OAuth Fix 

    While the OAuth team is working on addressing the OAuth session fixation vulnerability at the spec level, Twitter made the following changes to reduce the exposure window:

    • Shorter Request Token timeout – This is good practice in general. Developers tend to be too generous and, all too often, forget to enforce or verify enforcement.
    • Ignore oauth_callback, in favor of the URL set at registration time – this prevents hackers from intercepting the callback.

    Double-callback is still possible, though, which means Twitter OAuth Consumers will have to detect extraneous callbacks and invalidate access for everyone involved, because they have no way of telling who is who.

    The remaining exposure to the vulnerability is when the hacker’s simulated callback arrives before the user’s. We are talking about a temporal exposure of a couple of seconds at most, which, given current Twitter use-cases, is not that big a deal. I wouldn’t do banking over Twitter though. ;-)
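    The consumer-side bookkeeping implied by the two points above, as an added example that is neither Twitter's nor any OAuth library's code: a request token is tracked from issue to its first callback; a second callback for the same token is the double-callback case, and since the consumer cannot tell which caller is the legitimate user, it revokes both the request token and any access token already minted from it. The 60-second timeout and the injected clock are assumptions for the example.

```javascript
// Added example, not from the original post. Tracks request tokens on the
// consumer side so that a double callback is detected and everything tied
// to that token is invalidated, and so stale request tokens are rejected.
const REQUEST_TOKEN_TTL_MS = 60 * 1000;   // assumed "shorter timeout" value

function createConsumerState(now = () => Date.now()) {
  const pending = new Map();   // requestToken -> { createdAt, callbacks, access }
  const revoked = new Set();   // access tokens invalidated by a double callback

  return {
    // Called when the consumer obtains a request token from the provider.
    issueRequestToken(token) {
      pending.set(token, { createdAt: now(), callbacks: 0, access: null });
    },
    // Called when the provider redirects the browser back to the registered
    // callback URL. exchange(token) models the access-token exchange and is
    // only performed for the first, in-time callback.
    handleCallback(token, exchange) {
      const rec = pending.get(token);
      if (!rec) return { ok: false, reason: "unknown-token" };
      rec.callbacks += 1;
      if (rec.callbacks > 1) {
        // Double callback: nobody can be trusted, so revoke for everyone.
        if (rec.access) revoked.add(rec.access);
        pending.delete(token);
        return { ok: false, reason: "double-callback", revoked: rec.access };
      }
      if (now() - rec.createdAt > REQUEST_TOKEN_TTL_MS) {
        pending.delete(token);
        return { ok: false, reason: "expired" };
      }
      rec.access = exchange(token);
      return { ok: true, access: rec.access };
    },
    // Check before honouring an access token on later API calls. Completed
    // records stay in `pending` so a late extraneous callback still revokes.
    isAccessValid(access) { return !revoked.has(access); },
  };
}
```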

     