8/21/2019

[Ref] Data Classes Considered Harmful

In reality, there ain't no such thing as a free lunch, when you used data class as Project Lombok.

Data Classes Considered Harmful

6/03/2019

Linux ate ram as disk cache

One day QA asked why memory was really low in QA linux server. Really not sure, this question is interesting for me, as known, our java applications always configured memory limitation, shouldn't happen low memory issue.

From result of "free -m" command executed and checked, If you just naively look at "used" and "free", you'll think your ram is 98/99% full.

Googling that situation, linuxatemyram, what's going on?
Linux is borrowing unused memory for disk caching. This makes it looks like you are low on memory, but everything is fine. Try to use unused memory as disk caching makes the system much faster and more responsive.

If you deeply read "linux ate ram", don't panic, your ram is fine. ^^!

5/22/2019

httpstat - curl statisticsmade simple

Sometimes need to measure RESTful Api to clarify network and server processing capabilities in customer side. httpstat tool that visualizes curl statistics in a way of beauty and clarity.

macOS install

brew install httpstat

curl statistics

httpstat www.google.com

httpstat site

https://github.com/reorx/httpstat

4/19/2019

Disable encoding URL Using RestTemplate in Spring

The RestTemplate is smart to convert the URL with specific characters to URL encoded. But sometimes, we need to disable URL encoding in order to some specific characters are available on server side as its business requirement.
It's a legacy web service and bad design, but customer don't want to change for some reasons.

Disable Encoding URL

Set encoding encoding mode when initialing rest template.

DefaultUriBuilderFactory defaultUriBuilderFactory = new DefaultUriBuilderFactory();
defaultUriBuilderFactory.setEncodingMode(DefaultUriBuilderFactory.EncodingMode.NONE);
      
RestTemplate restTemplate = new RestTemplate();
restTemplate.setUriTemplateHandler(defaultUriBuilderFactory);

Using other encoding mode to satisfy different integration strategies.

TEMPLATE_AND_VALUES, VALUES_ONLY, URI_COMPONENT, NONE

4/10/2019

3 Type of Timeouts in Http client

There are three type of timeouts in Http Client which could be considered to be adjusted when encountering unreliable destination endpoint.

  1. ConnectionTimeout
    Set the timeout in milliseconds used when requesting a connection from the connection manager.
  2. ConnectionRequestTimeout
    Determines the timeout in milliseconds until a connection is established. A timeout value of zero is interpreted as an infinite timeout.
  3. SocketTimeout
    Determines the socket timeout (SO_TIMEOUT) in milliseconds, which is the timeout for waiting for data or, put differently, a maximum period inactivity between two consecutive data packets).

2/19/2019

Import a SSL certificate into a JVM

Sometimes, it's inevitable that HTTPs is only provided, or you are unable to change third part code to ignore certificate verification.

How to import a certificate into a JVM? Here are some steps.

Step1. Fetch the certificate

openssl s_client -connect youtube.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > youtube.crt

Step2. Import the certificate

keytool -import -alias youtube.com -keystore /Users/chliu/.sdkman/candidates/java/current/jre/lib/security/cacerts -file youtube.crt
Enter keystore password:<changeit>
Owner: CN=*.google.com, O=Google LLC, L=Mountain View, ST=California, C=US
Issuer: CN=Google Internet Authority G3, O=Google Trust Services, C=US
Serial number: 3b6e50a1d2080062
Valid from: Tue Jan 29 22:58:00 CST 2019 until: Tue Apr 23 22:58:00 CST 2019
Certificate fingerprints:
     MD5:  19:0D:FC:58:69:85:29:59:C4:42:71:05:21:EA:B4:2E
     SHA1: E4:A8:7B:F5:3E:9A:17:4A:E2:9F:26:8F:81:23:78:E3:15:08:85:99
     SHA256: F7:EE:A9:17:44:FD:5D:E8:09:73:4D:97:85:E4:7E:AE:FA:73:6D:6F:31:36:55:0B:07:1B:15:68:D8:81:A3:C8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.goog/gsr2/GTSGIAG3.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.pki.goog/GTSGIAG3
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 77 C2 B8 50 9A 67 76 76   B1 2D C2 86 D0 83 A0 7E  w..P.gvv.-......
0010: A6 7E BA 4B                                        ...K
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.pki.goog/GTSGIAG3.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.3]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.google.com
  DNSName: *.android.com
  DNSName: *.appengine.google.com
  DNSName: *.cloud.google.com
  DNSName: *.g.co
  DNSName: *.gcp.gvt2.com
  DNSName: *.ggpht.cn
  DNSName: *.google-analytics.com
  DNSName: *.google.ca
  DNSName: *.google.cl
  DNSName: *.google.co.in
  DNSName: *.google.co.jp
  DNSName: *.google.co.uk
  DNSName: *.google.com.ar
  DNSName: *.google.com.au
  DNSName: *.google.com.br
  DNSName: *.google.com.co
  DNSName: *.google.com.mx
  DNSName: *.google.com.tr
  DNSName: *.google.com.vn
  DNSName: *.google.de
  DNSName: *.google.es
  DNSName: *.google.fr
  DNSName: *.google.hu
  DNSName: *.google.it
  DNSName: *.google.nl
  DNSName: *.google.pl
  DNSName: *.google.pt
  DNSName: *.googleadapis.com
  DNSName: *.googleapis.cn
  DNSName: *.googlecommerce.com
  DNSName: *.googlevideo.com
  DNSName: *.gstatic.cn
  DNSName: *.gstatic.com
  DNSName: *.gstaticcnapps.cn
  DNSName: *.gvt1.com
  DNSName: *.gvt2.com
  DNSName: *.metric.gstatic.com
  DNSName: *.urchin.com
  DNSName: *.url.google.com
  DNSName: *.youtube-nocookie.com
  DNSName: *.youtube.com
  DNSName: *.youtubeeducation.com
  DNSName: *.youtubekids.com
  DNSName: *.yt.be
  DNSName: *.ytimg.com
  DNSName: android.clients.google.com
  DNSName: android.com
  DNSName: developer.android.google.cn
  DNSName: developers.android.google.cn
  DNSName: g.co
  DNSName: ggpht.cn
  DNSName: goo.gl
  DNSName: google-analytics.com
  DNSName: google.com
  DNSName: googlecommerce.com
  DNSName: source.android.google.cn
  DNSName: urchin.com
  DNSName: www.goo.gl
  DNSName: youtu.be
  DNSName: youtube.com
  DNSName: youtubeeducation.com
  DNSName: youtubekids.com
  DNSName: yt.be
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB F4 15 80 EC F0 4E F6   58 5A B1 49 4C 82 12 48  ......N.XZ.IL..H
0010: F9 FB 7E 3B                                        ...;
]
]

Step3. Check certificate in keystore

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts | grep youtube

Step4. Specify trust store AND PASSWRD

-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit 
-Djavax.net.debug=all

If there are some issue that hostname in certificate didn't matched, the steps below can help to confirm the issue.

  • Check the Server’s FQDN and make sure this match with the URL configured on the Certificate.
  • Wildcard certificate cannot support subdomain. The subdomain also need to create a certificate. How to Fix SSL Common Name Mismatch Error

2/14/2019

Ignore Certificate Verification Using RestTemplate

For some reasons, we don't want to verify certificate verification when data transfer has to happen over HTTPS.

How to disable verification using restTemplate in Spring?

  1. Custom trustStrategy that trusts all certs
  2. Implement hostname verification which trusts all host