Compiling to different versions of Java in Eclipse

I’ve just had the rather unsettling experience of trying to deploy a new jar file (one I recompiled after some changes). This file were to be deployed on a rather old set up of Java 1.4.2. On first try everything broke with the classic “Unsupported major.minor version 50.0”.

So I went back to the drawing board. I installed java 1.4, and made sure my development Tomcat was running it. Then I did some research and found out how to make Eclipse compile 1.4 compliant code. I started and I got the same error still.

Once I figured out what was wrong I realized I was an idiot (Doh!). The error I’ve gotten wasn’t for any file part of the jar I was trying to deploy but for “index_jsp”. The thing is my Tomcat compiled my JSP:s into class files and never looked at them again until they were changed. I am sure there’s several ways to solve the problem, I just went and deleted the files in the “work”-directory (those pertaining to my Context).

The preferences window for setting source and target versions for java compilation
The preferences window for setting source and target versions for Java compilation

Now over to how to make Eclipse code projects to a certain Java version.

There are two values you will want to keep track of. The source version and the target version. The source version tells what version your source code is written in. Whereas the target version tells what version of Java you want your class files in.

If for instance you have a project written in Java 1.4 source style, but you have to run it on a Java 5 you’d set the source version to 1.4 and the target to 1.5. You are now compiling Java 1.4 source into Java 5 class files.  Unfortunately you’re not able to do the opposite, compile Java 5 source code into Java 1.4 class files.  This is probably due to API incompatibilities, Java 5 has a larger API than Java 1.4.

Now, in Eclipse you have two settings in three places that controls the source and target versions of your compilations. Under Window->Preferences->Java->Compiler (Eclipse 3.4) you’re able to set the versions for the whole IDE.

When you create a new project you’re able to determine what version of Java (source and target you want) and right clicking on a project and choosing Properties->Java Compiler, you have the same dialog as before.

You set the target level in the select box “Compiler compliance level”, and optionally by unchecking the “Use default compliance settings” you’re able to change the target (“Generated .class files compatibility”) and source respectively.

If you experience other problems you may want to “clean” your project(s). Cleaning a project means all compiled files are removed and all source files are recompiled (something the IDE will do by itself when you change compilation versions, but if you want to be sure, you can do it manually). This is done by choosing Project->Clean. In the dialog you can chose to clean all projects or just those you select.

SQL-Injections, the two most common types

Opening a site Google has listed as spreading malicious software via the browser. In this case the site was the victim of SQL-injections.
Opening a site Google has listed as spreading malicious software via the browser. In this case the site was the victim of SQL-injections.

What are SQL-injections? How can they affect my site? How does it happen and how can I avoid it?

Your site may already be under attack, but the attacker is only using your site to attack your users! This is done using something called SQL-injections.

Since Firefox (2 and 3) and MSIE 7 started using Google’s (and others) system for blocking sites that produce harmful web pages the problem with SQL-injections have been put on the spot.

What happens is that an attacker hacks a site by placing their own SQL-code into the database of the victim system. A system open to SQL-injections may be attacked in basically two ways. Either the attacker performs a DOS (denial of service) attack. This could be done by deleting all the tables or doing something else harmful to the site, effectively bringing the whole site down.

The other form of attack that can be performed on systems open to SQL-injections is far more sneaky and may not be detected at all by the site owner or the site visitors. This form of attack consists of planting client side browser code in the database making all visitors run client side code that will infect their computer with malware or viruses. This malicious software may do everything from listening in on traffic between the client (web browser) and bank sites, to connecting the client system to a botnet.

Needless to say, attacks using SQL-injections has become a problem not so much for the owner of the originally defunct site as for the visitors to said site. Although users of the web should not underestimate the consequence of a good virus protection, system update policy and secure browsing policy.

Since the owner of the vulnerable site won’t notice any detour from business as usual and neither will most infected clients, nobody is the wiser to the problem.

This is why Google (and others) have started evaluating (and flagging) sites with bad content, and why Firefox and MSIE (and probably others) have started blocking them.

Continue reading SQL-Injections, the two most common types

Search and Replace in MySQL

I’ve come across a problem in one of my projects at work. It consists of searching and replacing data in a MySQL server. The data to be replaced is an old URL used in lots of text fields all over the place, it is the customers own site URL but since they moved, they now want all URLs to point to their new location.

Searching the web and checking up the MySQL function database returns the following useful command:

REPLACE(str, from_str, to_str)

It would in my case be used like this:

UPDATE myTable SET theTextField =
REPLACE(theTextField, '', '');

myTable is the table containing the data I want to replace, theTextField is the exact field in which this data is located. Obviously “” is the existing information, that I want to replace, and “” is the information this string should be replaced with.

Very simple, very elegant (well… if you forget about the site URL in the database in the first place…) Now all I have to do is try it out as well. (Expect more reports on the progress of this work!)

Who writes GNU/Linux?

You may have thought GNU/Linux was written by idealistic Unix Gurus camped up with a bunch of Jolt-Colas in their mom’s basement, but a recent report from the Linux Foundation states the opposite. Since Linux kernel version 2.6.11 in Mars 2005 the number of developers has grown from 483 to 1,057 in version 2.6.24 (January 2008). However, the number of sponsoring companies has also grown from 71 to 186 in the same time.

The major contributors aren’t Mom’s Basement Inc. either. Companies like Novell, IBM, Intel, SGI, Oracle, Google and HP rank among the 20 largest contributors (counted in number of sponsored changes, and here sponsoring means paying employees to program those changes).

This is just the Linux kernel (some 8.5 – 9 million lines of code). However, the Linux kernel in itself is of little use to anyone. You have to add the GNU part of GNU/Linux, consisting of commands like fdisk, aspell, bison, ghostview, and wget to that, and you’ll be looking at a much larger number of lines of code. If we go even further adding programs from other projects (like the Mozilla project’s FireFox web browser, or the OpenOffice suite) more lines of code are added (for exact numbers see, and we’re still talking about programs supported by large companies (IBM, Sun, etc).

To sum it all up: no, GNU/Linux is not being written by enthusiasts in the basement anymore. It’s being written by large corporations for competitive reasons. Hardware manufacturers wants to make sure Linux will work on their hardware, software companies can be anything from Linux distribution owners (Red Hat, Novell, MontaVista), use embedded versions of Linux in their consumer hardware (Sony, Nokia, Samsung), or for other reasons (for instance Volkswagen uses Linux for in-car networking between different components).

FTP with Wget

I’ve just had the total pain of trying to get files (a lot of files, in a lot of directories) via a musty old FTP client (in Linux/Ubuntu).

The problem is that the FTP client (ftp) doesn’t offer much to help (like recursive downloads, or mapping up the directories on the client side with those on the serverside, etc).

I searched and I found this thread:

…with this excellent snippet (posted by Mr. C.):

wget -r --ftp-user YourUSERNAME --ftp-password YourPASS ftp://FTPSITE//dir/'*.html'

If you want to download something other than *.html, you can change the file name pattern as you would expect.

If you want to add more directories, simply add them, but keep track of the number of slashes (“/”).  There should be only one after the new directory names (at least that’s how I made it work.  It may work wonderfully regardless of the number of slashes, but then again, why challenge fate?)

Happy FTPing!

Open UP

Anybody who ever came into contact with RUP (which is the name of Rational’s — now IBM’s — version of the Unified Process) may have stumbled upon their web application created to support the process. In there you can find work flows, actor and artifact definitions, templates etc etc.

I did, come across it some ten or so years ago. Since then I’ve had the (mis)fortune to work at companies with their own “UP” or what-have-you-versions of development processes. However, imagine my surprise and delight when I came across an Open version of UP (sponsored by the Eclipse project) with the web application, the actors and templates and all.

Institutionalized hearsay – no, we still don’t know what’s really going on!

I just read in my local news paper that the US’s war on terror has failed to weaken al Qaeda.

Interesting, I thought, and read on, just to find out that someone had made a survey of some 20 000 people in 23 countries around the world, asking them if the war on terror had weakened al Qaeda.

Continue reading Institutionalized hearsay – no, we still don’t know what’s really going on!

Using Statistical Analysis to Create Intrusion Detection

Professor Avishai Wool presents a system that protects GNU/Linux machines from intrusion and malicious program code by using statistical analysis and policy files defining a program’s normal behavior, and if that program deviates from said behavior the system stops it.

Since the analysis is hooked into standard GNU/Linux build tools and uses the source code to derive the policy the system is said to guarantee zero false positives. A system of this type is cited to be able to perform protection from threats long before traditional anti virus solutions has categorized them, and with far less penalty to system performance.

Here’s a list of links for further reading:

Mounting devices with UUID identifiers instead of using /dev paths

I don’t know why, but from time to time drivers are assigned other “/dev”-paths on my ubuntu 6.10 LTS GNU/Linux server. I think a removable USB driver might have something to do with it…

However, when that happens it is a complete pain in the a$$ because if the driver is relocated, the system cannot find it and if it is mentioned in /etc/fstab the system reasons (justly so, I might add) that if it can’t find the drive it should pull the emergency break and jump into a rescue prompt (where mostly everything is disabled), letting the user (that’s me) deal with the problem.

I usually press the CTRL-D command exiting the shell and getting back to the boot process praying that no vital driver was lost. (I’m not really a guru, just a poor guy trying to make live a little easier).

For some reason (touch wood!) the drives with the boot image or with system specific things on them has never been moved around this way. Usually its the USB drive itself (when I still had it in the fstab) that has moved (I’ll get back on how to make it auto-mount in a later post) or in this latest case, one of the back-up drives.

However, there’s a solution. If you run GNU/Linux you might have seen it in your fstab-file. The use of a UUID to do mount instead of the regular /dev/something. My desktop computer’s fstab looks like this:

# /etc/fstab: static file system information.
# <file system> <mount point>   <type>  <options> <dump>  <pass>
proc            /proc           proc    defaults  0       0
# /dev/sda1
UUID=e1f37856-6cfd-43f9-bea0-d4c2e43afe29 /     reiserfs notail,relatime 0  1
# /dev/sda6
UUID=64549135-a478-4aef-bb2a-da37d245dd9c /home reiserfs relatime        0  2

From this rather confusing array of characters (I had to shrink the spaces in order to fit it on the site) you can determine that there’s three devices mounted at start up (proc, sda1 and sda6, I’ve got even more, but the exact number of devices are not interesting for this discussion).

The proc device always resides at the file system “proc”, and it does not have nor need a UUID. However the sda1 and sda6 devices are regular hard drives (formatted with reiserfs) and they can change designation, for instance if I start rearranging my sata-cables or start a USB drive in a USB slot with a lower ID than those of my sda drivers (I’m guessing on that one but I’ve seen it on my server so…) These are therefore interesting to mount not by their dev-names but by their UUID’s. The UUID are stored on the drive itself and it wont change unless the drive is reformatted. The drive can be moved, turned off, turned on, it will still have the same UUID.

So, using UUIDs are a good idea when I want to create my new, drives-moving-around-proofed server configuration. The first step is to determine what UUID the drives have. This is done with the following command:

sudo vol_id -u /dev/something

I had problems finding “vol_id”. It was not in the PATH, and could therefore not be run like above. I did a locate (locate vol_id) and found it in “/lib/udev” so I prepended that path to my command. I’ve also to determine how to get the UUID from a swap partition, but for now I’m happy to have the infringing drives on UUID and hope the swap wont move (perhaps with the extra 2GB of memory I also stashed in it will need the swap even less, but anyway)…

You won’t be able to determine the UUID of any drive part of a software raid configuration (but then again, the software raid is able to do its own magic locating of drives regardless of their sd-number — trust me, I’ve done that as well — so they won’t need a UUID anyway — wouldn’t surprise me if raid uses the same scheme behind the scene though)

Let’s look at the changes I did in my fstab file (always make backups before you start messing with this file! If you fail to set it up correctly your system will probably not start at all so have a live-cd handy before trying to do this!):

/etc/fstab before I changed it (just a part of it)

# /etc/fstab: static file system information.
# <file system> <mount point>    <type>   <options>           <dump>  <pass>
proc            /proc            proc     defaults            0       0
/dev/sdc1       /                reiserfs notail,user_xattr   0       1
/dev/sdc5       /home            reiserfs defaults,user_xattr 0       2

As you can see the situation is not as clear on this machine as it was on my desktop machine. Here sdc is the main system drive and that alone is a, well not a worrisome problem, but a slight discomfort… sdc never moved around, but being that I have a bunch (8 or 9) sata-cables in a large but far-from-large-enough case I’m bound to switch them around one day or another…

Anyway, using the above vol_id command to get the UUIDs of the drives, I’ve updated my fstab to look like this (still only partial fstab but you get the idea):

# /etc/fstab: static file system information.
# <file system> <mount point>    <type>   <options>           <dump>  <pass>
proc            /proc            proc     defaults            0       0
UUID=716cf691-dabd-4894-8e46-bc02b4c092b4 /     reiserfs notail,user_xattr   0  1
UUID=9587a32e-ebb2-45ab-9e68-7a66cf43d6b4 /home reiserfs defaults,user_xattr 0  2

Unfortunately I have the same problem as above, the lines wont fit in the editor (or on the site) if I tabulate them correctly, but hopefully you’ll still be able to connect the dots. Every group of white spaces (space, or tab) in the file counts as a field separator. I’ve commented out the “/dev/sdc…” section, added a line feed and replaced it with the “UUID=…” section, and then left the rest of the line intact.

This makes sense since I’ve replaced one identifier (“dev/sdc…”) with another (“UUID=…”). So, after the original “dev”-version of the file has been safely backed up, the entries in the original “/etc/fstab” has been checked and double checked, it’s time to restart and pray this will actually work. :O

Here’s a few links you might want to check out before you give it a try:

Good luck!

Update: If, however, you’re using LVM, you’ll get stable device names and you should mount these instead. If you use LVM-snapshots you’re going to get two or more volumes with the same UUID, and in that case you should absolutely not use UUID mounting.

%d bloggers like this: