Handling sensitive data using Maven

I read some time ago about a developer who mistakenly pushed his AWS keys to a public GitHub repository and ended up with a big bill after attackers used his credentials to create EC2 instances to mine bitcoins. The worst part is that it wasn’t entirely his fault: the GitHub plugin for Visual Studio had a bug that pushed changes he made to a private repository into a public one. And his isn’t the only case. There are several instances of developers pushing AWS keys and other sensitive information, like DB usernames and passwords, to a repository, and attackers are constantly querying GitHub and other source repositories for exactly this information. Ideally, this information shouldn’t be part of the project files at all.

When I use Maven, I keep this data out of the project by storing the key or password values as profile properties in my settings.xml file, and having the build pass them to my integration tests as system properties. That way, the sensitive information is decoupled from the project files, and there is less chance of the data making it to a public repository. For example:

settings.xml

<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <profiles>
    <profile>
      <id>default</id>
      <properties>
        <db.username>username</db.username>
        <db.password>secret</db.password>
      </properties>
    </profile>
  </profiles>
  <!-- A profile in settings.xml does nothing until it is activated; without
       this block ${db.username} and ${db.password} stay unresolved in the pom. -->
  <activeProfiles>
    <activeProfile>default</activeProfile>
  </activeProfiles>
</settings>

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.javageek</groupId>
    <artifactId>sample</artifactId>
    <version>1.0-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.11</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.12.4</version>
                <configuration>
                    <!-- Values are resolved from the settings.xml profile, never written here -->
                    <systemPropertyVariables>
                        <db.username>${db.username}</db.username>
                        <db.password>${db.password}</db.password>
                    </systemPropertyVariables>
                </configuration>
                <executions>
                    <execution>
                        <goals><goal>integration-test</goal><goal>verify</goal></goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

SampleIT.java

package org.javageek.test;

import static org.junit.Assert.fail;

import org.junit.BeforeClass;

public class SampleIT {
    @BeforeClass
    public static void setUp() {
        String username = required("db.username");
        String password = required("db.password");

        // Setup DB connections here
    }

    // Fail fast with a clear message instead of an obscure JDBC error when a
    // developer has not configured the settings.xml profile.
    private static String required(String key) {
        String value = System.getProperty(key);
        // Maven passes an undefined ${...} reference through as literal text
        if (value == null || value.startsWith("${")) {
            fail(key + " is not set; add it to your settings.xml profile (see README)");
        }
        return value;
    }
}

Since settings.xml lives outside the project tree (in ~/.m2 by default), there is a better chance that the data won’t make it to the repositories. Two caveats, though. The values sit in that file in plain text, so keep it readable only by your own user; Maven’s --encrypt-password mechanism applies to <server> credentials, not to profile properties like these. And anything that dumps the effective configuration (mvn help:effective-settings, a -X debug run) prints the values, so keep that output out of shared build logs. Also, if more than one person is working on the project, each of them needs the same profile in their own settings.xml, so be sure to include this info in the readme for the project, otherwise the integration tests will fail for them.
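Keeping the values out of the pom only helps if nothing credential-shaped gets committed by accident. The script below is an added example, not code from the original post: a scan that can be installed as a git pre-commit hook and rejects staged lines that look like credentials. The patterns (an AWS access key ID, a literal value inside a Maven <db.password> element, and password/secret key-value lines), the file names and the sample input are assumptions made up for the illustration; the AWS key in the demo is Amazon’s documented example value, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: refuse to let
# credential-looking text reach a repository. Usable as .git/hooks/pre-commit.
# The patterns are assumptions chosen for illustration, not an exhaustive list:
#   1. an AWS access key ID: "AKIA" followed by 16 upper-case letters or digits
#   2. a Maven <db.password> element holding a literal value (a ${property}
#      reference, as in the pom above, is allowed)
#   3. a key=value or key: value line whose key names a password or secret
SECRET_RE='AKIA[0-9A-Z]{16}|<db\.password>[^<$][^<]*</db\.password>|(db\.password|aws_secret_access_key|[Pp]assword|[Ss]ecret)[[:space:]]*[=:][[:space:]]*[^[:space:]]{4,}'

# scan_for_secrets FILE
#   Prints each offending line with its line number. Returns 1 when anything
#   matched and 0 when the file is clean.
scan_for_secrets() {
    if grep -E -n "$SECRET_RE" "$1"; then
        return 1
    fi
    return 0
}

# scan_staged
#   Runs the same check over only the lines being *added* in the staged diff,
#   so removing an old leak is never blocked. Returns 1 so git aborts the commit.
scan_staged() {
    tmp=$(mktemp)
    git diff --cached --unified=0 | grep -E '^\+[^+]' | cut -c2- > "$tmp"
    if scan_for_secrets "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "pre-commit: credential-looking text in staged changes; move it to settings.xml" >&2
    return 1
}

# Stand-alone demo on constructed input: a fragment with literal credentials
# (the AWS key is Amazon's documented example value) next to the
# property-reference form the post recommends.
demo() {
    leaked=$(mktemp); clean=$(mktemp)
    cat > "$leaked" <<'EOF'
<db.password>hunter2</db.password>
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
EOF
    cat > "$clean" <<'EOF'
<db.username>${db.username}</db.username>
<db.password>${db.password}</db.password>
EOF
    scan_for_secrets "$leaked" || echo "leaked fragment rejected (as it should be)"
    scan_for_secrets "$clean" && echo "property references accepted"
    rm -f "$leaked" "$clean"
}

# Installed under the name pre-commit (in .git/hooks) the script checks the
# staged diff; run under any other name it runs the demo.
case "${0##*/}" in
    pre-commit) scan_staged ;;
    *) demo ;;
esac
```

Copy the file to .git/hooks/pre-commit and make it executable to have git run scan_staged before every commit. The regular expressions are deliberately narrow to keep false positives low; widen them for whatever credential formats your own projects use, and treat the hook as a safety net rather than a substitute for keeping secrets out of the tree in the first place.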

What other methods do you use to handle sensitive information?


Moving from Pebble to WordPress

Ever since I started writing this blog, I wanted to use software that was easy to use and allowed me to focus on the important stuff, namely writing the posts, but also adding code snippets, images, etc. For more than 5 years I kept using Pebble, which is a Java-based blog web app, and which for the most part worked OK. However, I always felt that it lacked all the bells and whistles of many other blog applications, and after much consideration (and some work) I decided to move to WordPress. The final nail in the coffin for Pebble came last week, while I was at JavaOne (more on that to follow) and decided to take only my iPad to the sessions. I tried several times to write a post between sessions using the tablet, but the bottom line is that Pebble is not ready for mobile devices. On the other hand, WordPress even has “An App For That”™

Planning and Deployment

I didn’t do an extensive migration plan, but I did some research. I wanted to keep all my old posts, and hopefully have a way to redirect requests from the old system to the new one. I found this nifty groovy script that converts all the pebble XML files to the WordPress export format, including comments. I had to do some modifications to the script because the original one had category import disabled, and I had some nested categories in a particular format. I used a staging site for importing the content and checking the posts, and it only took a couple of tries.

Once everything was looking the way I liked, I copied the database and the WordPress files over to the main server. I had to change some configuration options since the main site uses Apache’s worker module and the staging site uses prefork, which meant using FastCGI and PHP-CGI instead of mod_php. The end result is the same. After some changes to the Apache configuration, the new site with WordPress is now running.

What’s Next

Pebble and WordPress don’t use the same permalink format, so I had to find a plugin that would fix this by redirecting requests. Fortunately I found one that does what I want, and it seems to be redirecting most of the main links (Posts, Categories, Tags). I still need to figure out what to do with the rest of the links.

I am still tinkering with the layout, plugins, etc, but I have now a much more usable site. Hopefully this will mean more posts in the future.


Google I/O 2013: Day three

And we come to the last day of the Google I/O 2013 conference. On Friday, besides sessions there were also Code Labs, where you can get your feet wet on the new APIs and new features. I don’t know what was longer, the line for breakfast or the line for dropping off luggage at the coat check. Sessions started at 9, and my first session was “The New Android SDK Build System“, which was basically an introduction to Gradle, which is now the recommended build system for Android. If you know Gradle the session will be pretty basic, but there are certain things that are Android specific like assembleDebug or assembleRelease, so it’s worth checking it out.

After that I stayed for the next session “High Performance Applications with RenderScript“, which was a really technical session on how to use RenderScript, the new library that allows you to take advantage of the device’s GPU to run parallel, high performance calculations.

The first Code Lab I went to was the one entitled “From Zero to Hero: Integrating Google+ Sign-In on Android and Web in Less than Three Hours“. Unfortunately the lab took longer than that and I couldn’t finish it, but it was a nice introduction on how to use Google+ APIs.

Then I went to the last session of the day, which was a repeat session from earlier, “UX Design for Developers“. In this session they described a couple of interesting concepts on how to design an application based on a certain Persona and certain Use Cases, and to focus more on the features instead of the product. It was an interesting session, and they have a Google+ community for people who want to learn more.

Overall the conference was OK in my opinion, but I think most of the sessions lacked detail. I suppose it is hard to really get deep into a topic in only one hour, plus you have to cater to a large group of people, some of whom might not be as technical. I will definitely dig deeper into Android development and I hope to share my findings here. I was hoping to get an actual Android device (tablet or phone) to deploy and test apps, but I guess that’s not too big a deal. As for the Pixel, I will do a more extensive review later, but one advantage that I really like (as I finish typing this blog post on the plane before they close the door) is the included LTE feature. And I just got the free 100MB/month, but for now that seems more than enough. And the flight attendant just announced they’re closing the cabin doors…


Google I/O 2013: Day two

The second day of Google I/O was filled with sessions. There are different tracks that you can choose from, which include topics like Android, Google Glass, Google+, GAE, Google Maps, YouTube, etc. Some sessions were more popular than others, of course. For example, there was one Google Glass session “Developing For Glass” that was completely full, including the overflow room. It is a good thing that most sessions are being recorded and made available later for everyone to see, but you miss out on the opportunity to interact with the speakers.

I went to a couple of Android sessions, and saw a couple of demos from different companies that were showcasing their products (this is what you usually do at conferences, it isn’t all fun and games). I started with the session “Android Protips: Making Apps Work Like Magic“. It was a somewhat generic session whose main idea is that we can use the new features in Android like the Location API to dazzle users with innovative ways of interaction.

After that, I attended the session “Google+ Sign-In for Android Developers” where I learned how to take advantage of Android’s Google+ integration to authenticate a user to your app, and to interact with other people in the user’s circles.

Then I tried to go to the session “Enchant, Simplify, Amaze: Android’s Design Principles“, but it was full. I’m sure it was good but unfortunately it doesn’t seem like this one was recorded. So instead I roamed around the developers sandbox and the companies showcasing their products.

In the session “Google Cloud Messaging” I got to see how you can use GCM to do push notifications between your server and your apps in a fast, stable and reliable way.

Google has a new product called Mobile Backend Starter, which allows you to create an easy to configure backend that can be used to store and transmit data to your apps. The speakers actually demoed the generation of a project from start to the point they are sending messages between two phones using this tool. If you’re interested, you can watch the session “From Nothing to Nirvana in Minutes: Cloud Backend for your Android Applications“.

Finally I went to the session “Cross-Platform Auth with Google+ Sign-In“, where I learned how to leverage Google+ user authentication/authorization in several platforms, including Android, iOS and web.

After that I roamed around for a while, got into a hunt game that had me running around the Moscone and then I went to a couple of parties to meet interesting people and talk about all that’s been happening at the conference.


Google I/O 2013: Day one

Wednesday was the first day of the Google I/O 2013 conference. The doors opened at 7 am to let close to five thousand individuals into the breakfast area and into the line that eventually led to where the keynote was to take place. The organization went pretty well, with most people forming a single line, up until we arrived on the first floor, where everyone just agglomerated before being allowed to move to the second floor. Like cattle, we bumped each other for a while until finally they let us go upstairs. Finally, I made it to the keynote and I even had a good spot right in the middle of the room.

As this is my first Google I/O conference, I wasn’t sure what to expect. The keynote started at 9 am sharp, and it was full of information about what Google is doing in different areas. The first area, Android, brought new features that have just been released like updates to the Location API, Maps API v2 and Google+ sign-in. Most importantly though, there is new functionality available for Android that will allow people to play games in multiplayer mode using Google services for saving game data in the cloud so that it can be shared across devices, for inviting other users, for having achievements and leaderboards and for sending actual game data between games. Google Play game services isn’t only for Android, as they also provide an iOS implementation so games can interact between platforms. Unfortunately the demo failed, but this isn’t the first time or the last time a demo will fail.

Next, Google announced a new IDE based on Intellij IDEA Community Edition, the Android Studio. It has many features that will help developers write robust Android apps, and it was a great and welcome surprise. They also announced improvements to the Developer dashboard that will allow better tracking of revenue and the possibility to do targeted deploys.

Moving away from the Android arena, Google had a lot to show, like the Google Play Music All Access service, which for only $9.99 per month ($7.99 if you join before June 21st) will allow you to not only store your library and have it available on all your devices, but also to create radio stations from a song or group of songs, for unlimited song playing. They also announced a “vanilla” version of the Samsung Galaxy S4 that contains stock Android OS and is promised to get OS updates as soon as they’re out. This for only $649 for an unlocked phone.

Google has also improved Chrome with support for an optimized picture and video compression format, and speed improvements. And what better way to make developers use Chrome than by giving each of us attending I/O a shiny new Chromebook Pixel. In fact, I am writing this blog post on the Pixel right now, and I will write a separate post with my review.

Google+ was also improved with multicolumn layouts, photo manipulation and a new and improved hangouts app that will replace Google Talk and it will allow people to send text and video chats to friends and groups.

In the search arena we now have an improved search that uses your voice and contextual information to determine exactly what you are looking for. The demo was very good, but I wonder how it will behave in real life; but this is Google and I’m sure it will be improved over time. Google Maps also got a big update with contextual info from the user and friends that will bring better related searches for nearby places.

Larry Page came onstage to talk about how technology companies need to focus less on fighting each other and more on innovating. He was speaking strangely, and it looks like it’s due to a vocal cord paralysis that has been affecting him for a while. But he took the stage and answered questions from the audience.

After the keynote came the sessions, lunch, more sessions, and then the after hours party, which had Billy Idol performing.

I have enjoyed the conference so far, but I was expecting more Android related news, new hardware or at least an update to the OS. We’ll see what happens the rest of the days.


Google I/O 2013: Day zero


It was the day before the conference. There wasn’t much to do except register, get your NFC enabled badge and maybe do some early shopping at the Google store. Registration opened at 2 pm sharp, and even though there was a big line the process went smoothly. You just had to scan your registration QR code and pick up your badge and t-shirt. (On a side note, the difference between the L and XL size is quite large, pardon the pun. I felt like Goldilocks trying different beds, except there wasn’t something in between those two sizes, but I digress). After registration you had a chance to buy some goodies at the store, which has all kinds of things from plushies to a $170 seatbelt bag (yeah, it’s made out of seatbelts). And there was a registration booth for the game Ingress, which is a location-based AR-type of game that’s currently only available for Android.

That doesn’t mean that the rest of the day was boring. There was a Glass Photowalk event that was quite popular, maybe because one of the prizes was a Google Glass. The only problem is that in order to qualify for the prize, you had to be a U.S. resident. They couldn’t tell me if this was their restriction or Google’s, but I’ve seen so many foreign people with glasses that I think it was theirs. There were also two parties that I knew of, the I/O Kickoff party at the Hattery, and the Facebook I/O Kickoff party at Jillian’s. I went to the latter one, and got a yellow t-shirt, food and a couple of beers. I didn’t see much interaction between Facebook people and attendees, but I wasn’t paying too much attention. The food was good, though, and it was an open bar.

Today should prove to be more exciting. I hope.


I am still here…

Wow. It’s been over 2 years since my last post. How did I let that happen? Well, for one, I’ve been thinking about moving the blog from Pebble to WordPress (I like Pebble, but there is more support and tooling on WordPress), but I haven’t had the time (or the inclination) to actually do it. I did upgrade the server recently thanks to Linode upgrading every plan from 512 MB of RAM to 1024 MB, and I took the chance to update a very old server (Ubuntu 10.04 LTS) to a newer 12.04 LTS.

That went well, but I still didn’t think that I had anything worth mentioning. I’ve been busy with work (which is good), but I never thought that I had something worth sharing. That is probably a mistake. Even simple stuff I do, if I have to research just a little on how to do it, should be easy to put into a post so everyone else can skip one step in their research. That’s the beauty of having a blog, I guess. It doesn’t always have to be something profound, or something big. You can put the small stuff too.

And now that I’ve said that, I actually have something big to share, or at least I think it’s big. I was one of the lucky few to get a ticket for Google I/O 2013, and my trip starts tomorrow. I really hope I can journal everything that happens at the conference and share it here. Hopefully since I’ve already said that I will write about it, I pressure myself into writing.


Apple joins OpenJDK effort

Three weeks ago Apple shocked the Java community by releasing a Java update in which the main "feature" was that they were deprecating Java on OS X. What this means is that Apple will no longer continue to develop its own Java Virtual Machine for its operating system. This caused many people to react against Apple, think that Java development on Macs was dead, and even say that they would stop using a Mac. Interestingly enough, I didn’t see actual cases of people dropping their MacBooks to the floor, stomping on them and then buying another laptop. And now they won’t have to.

Today Oracle and Apple announced that most of the Apple JVM customizations for OS X will be contributed to the OpenJDK project, which is Oracle’s main effort for evolving Java. From the press release:

The Java developer community can rest assured that the leading edge Java environment will continue to be available on Mac OS X in the future

They also mention that Java 6 will be available from Apple for the time being, including a release for their upcoming 10.7 release, Lion. Java 7 and future Java releases will be available from Oracle. In short, Java will continue to be available on Macs in the near and the far future.

It is interesting that when the "Java is deprecated" news came, many people said that Apple was doing the same thing to Java that they were doing to Flash. But contrary to Flash, where Apple’s CEO Steve Jobs publicly denounced it with an open letter, with Java they’re still showing commitment in having a compatible JVM for OS X. So, Apple is not the evil company that wants to root out everything that doesn’t come from inside their company.


Good news, Apple deprecated Java

Apple released an update to their Java environment on Wednesday, and among the changes the big one is that they have declared Java "deprecated". This has generated lots of buzz from the Java community, many of them saying that Apple is trying to kill Java on the Mac platform, or that OS X 10.7 "Lion" will not come with Java pre-installed, a change after almost 10 years of Apple providing Java runtime environments on every Apple computer sold. But besides the sparse description of the change in their release notes, Apple has said nothing to confirm or deny these allegations. As a Java developer working exclusively on a Mac for almost 3 years now, the news first came as a bit of a shock, but after careful consideration I think this is actually good news, or at least not the really bad news that people are talking about. Here’s why.

In the beginning of the OS X era, Apple really cared about having a Java runtime on their operating system. At a time when more than 90% of desktop computers were Windows machines and most desktop application development was done for that OS, having a solid JVM meant that Apple products could run Java-based desktop apps from day one, and it meant that companies would be able to have applications run on either platform as long as they wrote Java apps. So they licensed the JVM from Sun so that they could write, modify and make sure they had their own virtual machine from day one.

But now, with Apple focusing its effort on consumer devices like the iPhone/iPad, they don’t really care about this anymore. Just last Tuesday, Jobs said that Mac revenue only accounts for 33% of their overall profit, and I think this number will decrease further as they keep bringing new devices to market. With less effort going into OS X, they will start trimming on the edges in order to be more competitive with less resources, and Java on the Apple is the first to go, but it probably won’t be the last. This really is not surprising at all since Java on the Mac has been falling behind the official releases for quite some time. Java 6 was released almost 2 years behind, for starters, and that should have been a big clue of what happened on Wednesday.

But why is this good news, you ask? First, because as of Wednesday, we finally have an updated JDK that’s on par with the official release, including all bug and security fixes, and this will continue to be the case at least until the end of life of Snow Leopard, according to Apple. Second, they haven’t actually said that they will remove Java from Lion, they only said they will not release Apple-controlled versions. This means that we will have to rely on Oracle to produce an OS X version along with all the different versions which they’re already producing (Windows, Linux, Solaris, etc). With Oracle and IBM already collaborating on improving Java, I don’t think this is a big issue, but it’s definitely up to Oracle to do this (or maybe not, since the development of Java is based on OpenJDK, an open source effort that means anyone could come and port everything to OS X). What I would really like is for Apple to contribute back their development efforts into OpenJDK.

There’s really no reason to panic. Writing Java code on the Mac should not be affected by Apple’s announcement. If anything, having the same JVM release version as other platforms will actually improve it. Writing for the Mac also shouldn’t be affected, unless you want your apps to be released through their upcoming App Store, since their leaked guidelines mention that it will not support apps that are written using "deprecated or optionally-installed technologies", but you can still release the apps yourself.

The only gray area right now, as I see it, is the Apple Java Extensions API. This is the API that allows Java applications to work closely with OS X, and includes things like event handling, menu generation and underlying functionality that make applications like IntelliJ IDEA look more like a native Mac application. As before, I sincerely hope that Apple contributes this back to OpenJDK. Worst case scenario, the Java community would have to reproduce these libraries from scratch. But besides that, Java on the Mac is just business as usual, and that’s good news.


JavaOne wrap-up

(I had intended to release this earlier, but after 4 full days of conferencing and partying, I just didn’t have the energy and the concentration to finish it. But here it goes.)

JavaOne is over. Five days of keynotes, sessions, exhibitions and thousands of people moving between them. This was my first official JavaOne, although I had a discover pass two years ago when I just happened to be in San Francisco when the conference happened, but I only saw the general keynotes that time. Now, thanks to the blogger pass I got from Oracle, I had full-access to all the sessions and keynotes from Oracle OpenWorld, Oracle Develop and JavaOne. Which means that it was just too much for me or anyone to attend everything. I tried to attend the main keynotes and a couple of sessions that interested me. In the end, I got back what I expected, which was to find new things, meet new people and have fun.

So, what was the main theme for JavaOne this year? There was concern from some of the people I talked to regarding whether Oracle will continue its support for Java, and most important, for the Java community, which I think is what has made Java so popular. It seems that Oracle at least is taking Java to its next versions, 7 and 8, with a somewhat clear path. It also seems that they’re starting to listen to some feedback from the community, but on the other hand they were very ambiguous on the whole "making Java free" issue. In fact, some sessions that were given by Oracle employees had PR people there just to make sure nothing was said about the matter. So much for improving the confidence of attendees regarding Java. It also seems that they will keep trying to push JavaFX (sans the scripting language) to people, and although the demos were cool, didn’t we see the same years ago? Lots of mixed feelings about this. There also seems to be some push back into the mobile arena, in which they were very careful not to mention Android, by the way. But in all, it seems that Oracle will continue to support and promote Java in the foreseeable future.

As a closing note, I really think that Oracle really needs to separate JavaOne into its own conference, and put it back where it belongs, at the Moscone. A big part of these conferences is the ability to network with your peers, but here it was close to impossible since you had to basically run from one building to another for the sessions, and then run or take a bus if you wanted to see Oracle’s keynotes at the Moscone (I never made it on time to the keynotes). Oracle tried to give the message that they’re committed to Java, but by joining the conference to their main event it almost makes it seem like JavaOne has become an afterthought to them, a second-class citizen from their big corporate event. Sure, you get to give bigger events like the Appreciation Party, but I’d gladly trade that for having Java stand on its own. If they are really committed, they should "put their money where their mouth is" and make sure JavaOne is a standalone event.