Recent Posts

Security Headers

security

I saw a post on Twitter about Security Headers. Basically Security Headers will scan your website and check for some common HTTP Headers that you should be including to make your site more secure. They also include helpful links as to how to fix the issues it finds. On my first scan it warned me of the following: MISSING Content-Security-Policy, MISSING X-Frame-Options, MISSING X-Xss-Protection, MISSING X-Content-Type-Options, MISSING Public-Key-Pins, and X-Powered-By. After going through their documentation I added all of those headers except for Public Key Pins. I am not 100% on that, my concern is when your certificate expires and you replace it (which on a free certificate happens every year) do you end up with people getting an error on your website for the next week cause they have an old key pinned? Not sure enough about that to actually enable it, which is why I hadn’t previously enabled it. The other headers though I didn’t realize could be an issue so I promptly corrected them. The one thing I couldn’t easily fix was the Server header as apparently that is compiled into NGINX and I wasn’t feeling like compiling my own from source. I was able to remove the version string though. All in all they give some very easy configuration changes you can make to help prevent attacks against your website and I strongly recommend giving their tool a look.

Read more →

AspectJ Maven Plugin update

java

I am happy to report that after much delay the Mojohaus team has finally fixed the AspectJ Maven plugin to allow disabling the annotation processing by the AspectJ compiler. It will be fixed in version 1.8 of the plugin. You may recall that back in April I was forced to fork the project to fix this and move on so I could do our Spring 4.1 upgrade. I look forward to switching back to the community version and at that point I will probably delete my GitHub repository as I never wanted to maintain my own version to begin with. Now back to some programming on my new Cassandra layer…

Read more →

Spring Boot for prototyping

spring-boot, spring-framework

I am on a new project at work that looks to be very interesting. I am redesigning our Cassandra layer. Currently we have a beautifully done layer that was designed and implemented by our former architect. It ends up making Cassandra look just like a JPA entity and we have Cassandra Repositories that look just like Spring Data JPA Repositories. After this was in place we discovered the Spring Data Cassandra project. We went to the talk on Spring Data Cassandra and it turns out they had implemented pretty much the system that our architect implemented.

Read more →

Java 8 lambdas and streams

java

I just finished up the Java 8 lambdas and streams class. I finished a little later than I wanted to because I decided to upgrade to Windows 10 last week which was an epic failure. I used the media download tool to upgrade prior to my machine coming up in the queue and all the upgrade ran normally and things appeared to work fine. At the end it booted up and presented a login screen. I attempted to log in and the machine sat there spinning for about a minute and then rebooted. After coming back the same. At that point I realized I made a mistake trusting the upgrade and my normal Windows procedure is to buy a new drive, do a clean install and then bring my data over. (That was last Wednesday.) So Thursday at noon I ran over to Microcenter and bought a new drive. Then over the weekend I did a clean install of 10 and copied my data from the old drive. I am now up and running on 10 and I would have to say I like it more than Windows 7. It seems fast on my old machine, the UI improvements are great, but I haven’t yet had a chance to test any of my games on Steam to see how it handles video gaming. A coworker tried to upgrade his Windows 7 laptop which also failed but his automatically rolled back. My nephew was able to successfully run the upgrade from Windows 8.1 so it seems like 8 is a safer OS to upgrade from.

Read more →

I'm back

java

After a month-long hiatus I have returned. I have been traveling for most of the last month so the blog sort of fell to the side. Now that I am done with my summer travel I hope to be back to the weekly posting schedule. That being said I don’t have a lot of updates as I have been vacationing and not doing a lot of work so it was recharge time and not explore new technologies. However today there is a new MOOC starting that people may be interested in, it is the Java 8 Lambda and Streams Intro class. I plan on going through this class to try to improve my way of thinking to be more functional when solving problems in Java. I am hoping to do some work to push a container upgrade at work in the next couple of weeks which will allow us to go to Java 8 in production in the following month so with any luck I will be using these new constructs come fall in my projects.

Read more →

Docker

For several months now I have been hearing all the hype on the blogs for Docker. I mostly have been ignoring the stuff, skim a post here and there but I haven’t been that interested in it. One of my coworkers has taken a big interest on the other hand and has started to work on putting out different services we run into containers.

When we started out with our new architecture we were requiring people to install different services to get their development environment up and running. At first this wasn’t that big of a deal, you need to install RabbitMQ in addition to JBoss and setting up a SQL Server database. Then we added memcached into the mix. At this point environment setup was getting pretty complex for anyone new we hired and our architect came up with a solution to make it easier. Use a VirtualBox image to host RabbitMQ and memcached as well as the newly added Solr and Zookeeper. This was a great solution for a while; it allowed us to get people up and running much faster and add new things as we needed them (like Cassandra). There are a couple of problems with this solution. If we roll out a new version of say Cassandra like we are doing you are going to lose all of your data. The other issue is our architect was promoted and this solution is no longer being maintained.

Read more →

Spring 4.1 finally!!!

hibernate, spring-framework

Last Monday I got into the office and I decided that is it, I am going to get our app upgraded to Spring 4.1. I had been working on this off and on for like 9 months, updating dependencies in the pom, doing some testing, wash, rinse, repeat…

As I had mentioned in a previous post one of the first issues I had was the new AspectJ running the Hibernate metamodel generator and dumping a bunch of generated classes in the root level directory of wherever Maven was running. I had opened a Jira against the aspectj-maven-plugin. There was even a user who contributed a patch for the issue, and the developer promised to look at it in January but months went by with no effort to resolve the issue. Now CodeHaus is shut down and the active projects have moved to MojoHaus. As of yet the aspectj-maven-plugin hasn’t been moved so more and more it looks like my decision to download the code from their SVN repository and fork it on GitHub was correct.

Read more →

Codeschool and Angular.js

general

I took advantage of the long weekend to go through CodeSchool’s Shaping up with Angular.js free course. I have to say it was very well done. They very quickly get the major themes across in the video and then you apply the stuff in your browser where you can see how it actually affects the page in the preview page. Anyone who has worked on the knockout.js tutorial will recognize this style of learning. Having taken the class on CodeSchool I now feel like I know enough to actually start using Angular so I would definitely recommend the course to anyone wanting to get started with Angular. I remember that first aha moment I had when learning knockout, where it was just sort of mind blowing how much more productive you could be in that framework than just using jQuery. And I had the same sort of thing with Angular, I can see why I would prefer to use Angular over knockout as well as it seems to take the great things that knockout does and take it up to the next level. To get someone who isn’t a super front end person interested in a front end technology is an impressive feat so well done Angular.

Read more →

The downside of updating your server config

security

So a little while back when I had been playing with Pagespeed I somehow managed to break certificate stapling on my server. So when I ran the Qualys SSL Server Test my score had fallen to a B! I messed around and tried a few things and I had no luck getting it to work. One of my friends said the site started to give weird errors under Chrome on Android. Then I was reading this CertSimple Blog entry yesterday and they mentioned the Mozilla Server Side TLS Project, which I don’t think I had heard of. Basically what it does is you enter your server version and your OpenSSL version and how aggressive you want your security settings and it will generate a sample config for you. It will tell you based on how aggressive your settings are what the minimum browser versions are. For example, one of the differences between Intermediate and Modern is that they drop support for TLSv1 in Modern and only support TLSv1.1 and TLSv1.2. For most browsers this doesn’t seem to be an issue but if you are running IE that means the minimum browser version is IE 11. I debated whether I should drop TLSv1 support or not, but I figure if I keep it I can support IE back to 7, though I can’t imagine any software engineers that might check out this blog using IE anyway. For now I have kept it but one of these days I will drop it because given the rate of SSL issues with FREAK and Logjam lately, it is only a matter of time before someone finds a hole in TLSv1.

Read more →

Angular.js first go

general

We had some workshops over the last couple of days at work on an intro to Angular.js. I have to say I came away from them pretty impressed with the framework. I can see why it is taking the development world by storm.

I think the controllers make it very relatable for anyone coming from the Java world as it is like dealing with Spring or Struts at that point. The way you do URL parameters in your $routeParams is just like doing any sort of REST URL parameters.

Read more →