Saturday, March 30, 2013

Jasper Reports iReport Designer last page blank

This took me a while, so it is worth posting in case we face it again. Hopefully, if this does not solve your issue, you will share your particular case here.

As per iReport documentation:

That property is really important if you are expecting to render a report where some elements will not be showing up because they are simply "not visible" given your current data.

From the GUI the property is available in the subreport properties section:

In JRXML that translates to the below (showing here the diff:
- <reportElement uuid="392a8fe9-92b9-47cc-a8ad-7dd48bf708d5" x="0" y="0" width="470" height="40"/>
+ <reportElement uuid="392a8fe9-92b9-47cc-a8ad-7dd48bf708d5" x="0" y="0" width="470" height="40" isRemoveLineWhenBlank="true"/>
Building Reports is a task that demands two important skills, the one you commonly find in Data Analysts plus the ones you usually find in Front End Developers.

Building the Dataset from where a report is rendered is a pure Data Analyst task. Building the right look and feel where the last pixel renders exactly how you expect is a pure Front End Developer task.

It is difficult to master those two concerns at the same time, especially when someone will need to say where one concern ends and the other starts (The Architect).

It is as difficult as mastering Risk Management and Scientific Research at the same time.

I am convinced specialization is the answer to the question about increasing productivity. The Industrial Revolution taught us that, but yet being 2013 we still do not get it and hope to have "one-man band" team which grows with that single man hiring people that are just like him. In diversity you have the secret to achieve the best possible outcome of any problem. Run your problem across a multidisciplinary team and it will be resolved hundreds of times faster than running it through hundreds of "one-man band" members of that team you thought was the all-stars team.

Friday, March 29, 2013

Nautilus Samba CIFS Authentication Configuration

For some reason Nautilus mandates to set the domain when connecting to an smb:// resource. Normally from a MAC you would use "domain\username" as the user. If setting user and domain separated does not work for you when using Nautilus just try using "domain\username" as the user AND "domain" as domain. That solved my authentication issues.

Tuesday, March 26, 2013

Multiple download is still missing in HTML5

Multiple Upload does work and it works great however it comes to my attention multiple download is still not well supported. Some claim that for security reasons it should not be allowed but what is the big deal on leaving the user select a destination directory? How is that less secure than allowing the user select the upload files from any directory? Is it that we are scared of the user allowing to write something bad in their "system" directories? Are we trying to protect the ones who click on any link and by that we are sacrificing the user experience of those that do check they are navigating a safe website before they proceed doing anything else?

So people are still then forced to use Adobe Flash. Is that more secure than allowing multiple downloads natively from HTML5? I believe that with correct controls this can be implemented safely and provide the nice user experience we all are waiting for.

Alternatives? Well,
  1. There is a way to download multiple files (the user will need to accept a browser popup which states something like in chrome "This site is attempting to download multiple files. Do you want to allow this?"). The problem will be that all files will be downloaded to the pre-configured by browser download directory. There is no way for the user or code to *dynamically* select a specific download directory. A demo can be seen in at the time of this writing. The source code is in You can always download it from github and run it locally (this is pure client side code).
  2. We could allow packaging in a zip file all documents and then offer the user a way to select where to download in their local file system. This needs flash though (which we have pushed to eliminate for years, HTML5 heard us and provided the "//input[@type="file"]/@multiple"). The problem with this (besides Flash) is that there is not support to download multiple individual files, the user needs to download a zip file and then uncompress later on. A demo for this can be found in The open source code can be reached at
  3. We could allow drag and drop from the Browser to the file system, a feature Gmail has had now for a while. The problem with this hack (besides having Chrome support only) so far is that it is limited to one file at the time. A demo is available in There are some libraries based on this finding. I leave you google for them.
Hopefully someone will read this and suggest a better approach. Please do include demo/APIs. Happy coding!

Saturday, March 23, 2013

Java Developer for Hedge Fund Administrator (Miami)

We are looking for a new addition to our team. If you feel like the technologies below are right for your future and if you want a career in Financing then apply right away. We will provide training to the right individual. So we are OK with recently graduated students but we do expect some mandatory skills.


No recruiters please.


Bachelor's degree in Computer Science or equivalent
Sun Java Certified is a plus
Linux certification is a plus
MySQL certification is a plus
SQL Server certification is a plus

Must have Skills

Java Core and Web Java development. Comfortable with both GUI and CLI
Spring Framework
SQL development.
JSON, XML and other data representation technologies

Nice to have Skills

Apache Camel
Bash scripting
Jasper Report
Talend Open Source


Collaborative coding in an agile team where separation of concerns is taken seriously: Business Analysts, Java, Data and Front End Engineers work together to create the World leading Hedge Fund Administration Software
Use JUnit for test automation
Develop Model, Controller and in many cases the Views for our platform
Performance tuning: Use Jmeter and JVisualVM to ensure the code scales
Contribute to environment setup and application deployment automation using and developing new bash scripts
Peer code review
Master current architecture and provide enhancements
Attention to detail to provide best possible estimates
Adhere to estimates with a high level of commitment 

Thursday, March 21, 2013

Remove Ubuntu Linux Banner

No matter what you do with motd you still get some undesirable messages in your Linux Login Banner? Here is a recipe to get rid of it:
#!/bin/bash -ex
# common/ubuntu/

sed -i 's/^\(session    optional*\)/#\1/g' /etc/pam.d/sshd
sed -i 's/^\(session    optional*\)/#\1/g' /etc/pam.d/sshd

Wednesday, March 20, 2013

Apache returns wrong CN Certificate

I was getting a certificate which would show up for issuer and subject a domain corresponding to the fully qualified hostname instead of the domain which the server was supposed to be serving.

It ended up being the directive ServerName which was set as the domain we wanted to serve instead of just localhost. The only way you can leave ServerName as the certificate CN is if the machine's name is the same as the CN. So to be safe:
$ grep ServerName /etc/apache2/apache2.conf
ServerName localhost 
Of course you will use the real ServerName inside the virtual host later on:
BTW if you fail to set ServerName in apache2.conf you will face a warning like the below:
apache2: Could not reliably determine the server's fully qualified domain name, using for ServerName

FlushDNS in Windows, Linux and OSX clients

Linux (Ubuntu)
sudo /etc/init.d/dns-clean start
ipconfig /flushdns
Mac OSX 10.5-10.6:
sudo dscacheutil -flushcache 
Mac OSX 10.7-10.8:
sudo killall -HUP mDNSResponder 

Web Security for everyone - Mandatory Web Browser Update

My battle to decommission support for old browsers has always faced a lot of resistance. Even though we know old browsers are buggy and insecure companies keep spending a big chunk of their web development effort just to please those that do not care about their own security. At the same time the users who do care about their security are navigating websites that are full of vulnerabilities due to "limited resources" and the impossibility to "invest more in security".

I believe it is just about time to simply check the browser of your users and stop them from navigating your website unless they upgrade their browsers. If your web users want to go to the competitor website which does support their old browser they should know they might be risking more than just staying in your website after upgrading their software. Most likely the competitor website hides in its deepest code some compromised bits which could be easily activated with just a simple User-Agent HTTP header change hand crafted by an attacker, even if the victim is using the latest version of the best available Web Client.

This is a win-win decision: The company saves money in R&D and the company elevates its security posture and compliance. The customer gets a safer and faster browser.

Why is this necessary upgrade taking so long? I see companies saying "Our IT department says that upgrading the browser across all machines will be painful", well, automate. I see others saying "We use third party websites which demand older versions of certain browsers", well, work with those providers and explain them they are compromising you! In the meanwhile use a bastion machine, one and only one box or environment (Make sure to name it RISKY, INSECURE or any other scary word) to interact with such compromised website. Do not expose *all* your users for *all* their web operations.

Make sure transparency makes accountable those who do not upgrade their systems. Do not join them, push them for a needed change!

In short show this to the proper people to make your statement:
  1. A search for Internet Explorer vulnerabilities reveals that the older the browser the more vulnerable it is.
  2. To support rich user experience developers will be tempted to support plugins like Adobe Flash but these plugins are constant target of attacks as we have seen with Java Applets for example.
  3. Some old UI software won't run unless you use IE6. IT managers will be tempted to keep these old browsers around. While modern versions of Internet Explorer could be used in backward compatibility mode, in some cases you might need to enable old browsers in less secure workstations. In general try to push the owners of these applications to upgrade them.
  4. Newer versions of browsers incorporate safer and faster algorithms enhancing the user experience. Some examples of it (but not limited to) is the support for TLS1.2 which would eliminate practically all known SSL/TLS weaknesses or the Forward Secrecy support which would make the user vulnerable to intruder future sniffing of their traffic.

Saturday, March 16, 2013

HTML5 multiple upload with Spring

HTML5 allows for multiple file uploading so for those Browsers supporting it you do not need flash any longer (swfUpload flash plugin has been the defacto way for uploading multiple documents for years). In its more primitive way this would be the form you would use:
Then this is the Spring code needed in the backend (Controller method). In the below code we add an error with an unresolvable key from message properties (the name of the file).
    public ModelAndView multipleUpload(HttpServletRequest request, HttpServletResponse response,
        @RequestParam(value = "files", required = false) MultipartFile[] files, @ModelAttribute("document") Document document,
        BindingResult result) {
        ControllerContext ctx = new ControllerContext(request, response);

        if (!isValidCsrfToken(ctx)) {
            return getModelAndView(ctx, SHOW_PATH, result);

        for (MultipartFile multipartFile : files) {
            try {
            } catch (Exception e) {
                String errorMessage = e.toString();
                result.reject(multipartFile.getOriginalFilename(), errorMessage);

        return getModelAndView(ctx, SHOW_PATH, result);
As a side note if the expected response type is JSON we expose the BindingResult as a Map where for each file name we inform exactly what the problem is. The BindingResult object cannot be serialized via JACKSON as far as I can tell so for JSON responses we cannot take advantage of binding as we do with direct JSP HTML rendering.

Monday, March 11, 2013

Solaris sudo

If you can afford it security wise you should use sudo whenever possible and that includes Solaris. It is an enormous time saver not to have to be switching to root and back to original user, dealing in many cases with default csh etc.

The first step is to locate where the sudoers file is.

Assuming the /opt/csw/etc/sudoers is the location go ahead and make sure you add all privileges for the user account you want to have same powers as root:
$ su root -c 'vi /opt/csw/etc/sudoers'
#Add the necessary line for your user. In this case the typical Advent Geneva user (geneva)
root    ALL=(ALL) ALL
geneva  ALL=(ALL) ALL

Friday, March 01, 2013

Salt the LDAP password with Spring SSHA

Salted Encryption in LDAP or for any other credential storage mechanism is necessary to protect your user credentials from rainbow table based hacking. This is what what happened to the website of one of the ABC Australia television programs.

Let me show with some code how this exposure could be actually be avoided just with a little bit of salt ;-)

Let's say you use LDAP and Spring. When you save passwords from your application you will need three lines of code. If you use anything else the principle still applies: Encode with a strong algorithm like SSHA-X which relies on "salting" the encoded password. The salt should be a user specific representative binary (it could be their picture ;-) Adding some random bits to it wouldn't hurt (hey there are good image recognition programs around so be prepare for the next attack LOL):
LdapShaPasswordEncoder ldapShaPasswordEncoder = new LdapShaPasswordEncoder();
salt = ( someUserSpecificString + someRandomValue ).getBytes();
saltedPassword = ldapShaPasswordEncoder.encodePassword(password, salt);
You need no changes on the Server side, just correct the way you store passwords in your software.