Archive for the ‘News’ Category

JRE Exploit happened!

April 11, 2010 3 comments

Tavis Ormandy discovered a bug in Java Web Start. This critical vulnerability in the Java Runtime Environment allows code to be run remotely on any machine with Java 6 Update 10 or later installed. In practice, anyone can be attacked simply by visiting a specially crafted web page.

To understand how the exploit works, you need to know that since Java 6 Update 10 (1.6.0_10) Sun has shipped an NPAPI plugin (for Firefox, Chrome, etc.) and an ActiveX control (for Internet Explorer) called the "Java Deployment Toolkit", which simplifies delivering applications to end users through Web Start. The toolkit's launch() method takes a URL as its parameter, but that parameter is poorly validated, so arbitrary extra arguments can be smuggled in along with it. The parameter is then handed to javaws, which allows running any code on the attacked machine.
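The bug class behind launch(url) is argument injection: a caller-controlled string ends up on a launcher's command line without being checked. The following is an added illustrative model, not the Deployment Toolkit's own source; the function names and the injected switch (`-injected-switch`) are constructed for the example, and the "vulnerable" builder only models how a naively concatenated command line behaves. The hardened variant shows the checks a launcher should apply before a URL ever reaches javaws.

```javascript
// Added illustrative model (not Sun's Deployment Toolkit source) of the bug
// class behind launch(url): argument injection into a launcher. Function
// names and the injected switch are constructed for the example.

// Vulnerable model: the caller's string is glued onto the javaws command line
// and later split on whitespace, so everything after the first space becomes
// extra switches for javaws. Nothing about `url` is checked.
function buildJavawsCommandLineVulnerable(url) {
  return ("javaws " + url).split(/\s+/);
}

// Hardened model: validate the value as exactly one absolute web URL and hand
// it to the process launcher as a single argv element (execFile-style), never
// as a shell-style string that gets re-split.
function buildJavawsArgvSafe(url) {
  if (typeof url !== "string" || url.length === 0 || url.length > 2048) {
    throw new Error("launch url must be a non-empty string of sane length");
  }
  // Whitespace and control characters are what let a "URL" carry switches.
  if (/[\s\x00-\x1f\x7f]/.test(url)) {
    throw new Error("launch url contains whitespace or control characters");
  }
  // A leading dash would be parsed as an option by almost any launcher.
  if (url.startsWith("-")) {
    throw new Error("launch url must not start with '-'");
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    throw new Error("launch url does not parse as an absolute URL");
  }
  // Only web schemes: file: and similar would load from the local machine or
  // a network share instead of the intended web server.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error(`scheme ${parsed.protocol} not allowed`);
  }
  return ["javaws", parsed.href];
}

// Convenience wrapper: true when the hardened builder accepts the value.
function isSafeLaunchUrl(url) {
  try {
    buildJavawsArgvSafe(url);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed inputs for the demonstration (hypothetical switch name).
const GOOD_URL = "https://example.com/app.jnlp";
const INJECTED_URL = "http://example.com/app.jnlp -injected-switch value";

console.log(buildJavawsCommandLineVulnerable(INJECTED_URL));
console.log(isSafeLaunchUrl(GOOD_URL), isSafeLaunchUrl(INJECTED_URL));
```

Passing the validated value as its own argv element (for example via Node's `child_process.execFile(argv[0], argv.slice(1))`) matters as much as the checks themselves: a launcher that rebuilds a single command-line string from the argv will reintroduce the split.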

Tavis Ormandy wrote a proof-of-concept application to show the exploit in action; the source of this PoC was published by Ruben Santamarta. At the moment there is no fix for the bug, and according to Tavis Ormandy, Oracle/Sun does not plan to release one quickly:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

Categories: News

JPA2.0 banned in Poland!

January 7, 2010 6 comments

Yeah, really! So I thought it was time to play a little with the brand new JPA 2.0 specification. I tried the Hibernate vendor, but since its implementation is still in beta and was throwing more exceptions than I thought a beta should throw, I decided to give EclipseLink a try.

EclipseLink is the former Oracle TopLink and, since it was handed over to the Eclipse community, the reference implementation of the JPA standard. Reading this site I learned that to get started with EclipseLink using Maven, you need to add one dependency:

<dependency>
  <groupId>org.eclipse.persistence</groupId>
  <artifactId>eclipselink</artifactId>
  <version>2.0.0</version>
  <scope>runtime</scope>
</dependency>

But EclipseLink is still not in the main Maven repository (repo1), so you have to add the Eclipse repository to your pom.xml:

<repository>
   <id>EclipseLink Repo</id>
   <!-- inside XML every '&' in the query string must be written as '&amp;', or the pom will not parse -->
   <url>http://www.eclipse.org/downloads/download.php?r=1&amp;nf=1&amp;file=/rt/eclipselink/maven.repo</url>
</repository>

And here is where the fun begins. If you open the repository link (http://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/rt/eclipselink/maven.repo) in your browser, it redirects you to the mirror nearest to you. For people living in Poland that mirror is http://ftp.man.poznan.pl/eclipse/rt/eclipselink/maven.repo/. The problem is that the Polish mirror not only lacks the 2.0.0 final release; it does have a 2.0.0-SNAPSHOT directory, but that directory is empty (it has metadata but no jars!). All that is there are milestones, nothing else.

So dear readers, EclipseLink JPA2.0 is banned in Poland. It’s official :).

Thanks to the Wicket User Group we can work around this ban by using the Belgian mirror http://eclipse.a3-system.be/rt/eclipselink/maven.repo. So this should work in your pom.xml:

<repository>
   <id>EclipseLink Repo</id>
   <url>http://eclipse.a3-system.be/rt/eclipselink/maven.repo</url>
</repository>

Funny, isn’t it? 🙂

Categories: News

I wasn’t here for quite a while…

December 14, 2009 5 comments

I wasn’t here for quite a while… For the last three months I have been quite busy, since my life has changed rapidly. To cut a long story short:

1. First this thing happened:

2. Then we went there:

3. And then I’ve learned the consequences 🙂

Meanwhile I changed my job, did one commercial project using WicketCool (I will write about it soon), and I can finally get back to my blog ;). Hope to see you all soon.

Categories: News

Java Server Faces 2.0 is out

May 28, 2009 Leave a comment

Today JSR-314, aka JSF 2.0, was finally released. The expert group was formed on 1 July 2007, so it took almost two years to finish the specification. I’m really looking forward to this spec; I am curious and anxious to see what is new. From what I heard, javalobby.com will soon publish RefCards about JSF 2.0, so that should be a good place to start.

From what I have seen so far, JSF 2.0 tries to pick up where JSF 1.0 left off, so we are going to hear a lot about AJAX support and modularization. But just because those issues were taken into consideration does not mean that they were handled the right way. Twelve members of the expert group voted ‘yes’ for the new specification, but four were against, among them the Apache Software Foundation and IBM. I fear that when new issues and problems arise with this specification, Apache and IBM will once again say ‘We told you so’.

But right now I’m patiently waiting for the reference implementation to try JSF 2.0 myself. I really hope that things will get better.

And whatever you want to say about JSF (and to me especially, since I was recently ranting about it), remember this: JSF is now a standard, and the times when you had to code in pure JSP at work are long gone. JSF is always better than Model 2 JSP/servlet programming 😉

Categories: News