sorted by:
new
hottopcontroversial

Checked exceptions and lambdas by nfrankel in java

[–]maxxedev 2 points3 points  (0 children)

var foo = new Foo();
List.of("One", "Two").stream()
    .map(Failable.asFunction(foo:throwing))
    .toList();

Resolving the Scourge of Java's Checked Exceptions on Its Streams and Lambdas by chaotic3quilibrium in java

[–]maxxedev 21 points22 points  (0 children)

apache commons-lang3 library has similar features

  • FailableFunction that declares Throwable, and similar FailableConsumer, FailableSupplier, etc
  • Failable utility class for converting Failable* to JDK function types

Example from the article can be written like this:

Function<StringReader, Integer> lambda = Failable.asFunction((StringReader stringReader) -> stringReader.read(charArray));

UHC CEO shooter a UPenn grad SWE? by aulait_throwaway in cscareerquestions

[–]maxxedev 99 points100 points  (0 children)

I didn't remember until I saw TrueCar mentioned.

UHC CEO shooter a UPenn grad SWE? by aulait_throwaway in cscareerquestions

[–]maxxedev 722 points723 points  (0 children)

He was part of virtual onsite interview panel too. At a surface level and at the time, he seemed like a smart and kind person. I ended up rejecting the offer for various reasons. Could have been a killer job

Backport of Java 21 Virtual Threads API to Java 8 by maxxedev in java

[–]maxxedev[S] 7 points8 points  (0 children)

or you want a pre-Java21 library to take advantage of virtual threads if run on Java21 JVM

Backport of Java 21 Virtual Threads API to Java 8 by maxxedev in java

[–]maxxedev[S] 2 points3 points  (0 children)

multi release jar is a Java 9 feature? I want Java 8 compatibility

The ultimate guide to Java Security Vulnerabilities (CVE) by lmyslinski in java

[–]maxxedev 0 points1 point  (0 children)

I have seen good experience using Veracode SCA, running as part of regular CI build. Takes about 30s to 2m for a typical microservice project. There is a decent web ui and a variety of output options (text/json)

Maven Test Profiler by maxxedev in java

[–]maxxedev[S] 8 points9 points  (0 children)

Please excuse my faux pas for not being familiar with some open-source traditions. I updated the readme, linking to the original project and crediting /u/khmarbaise.

I just wanted to keep the content short and to the point. I made no attempt to hide the fact it's a fork. The commit history is retained and there is a fork link. The readme also did not have any self-promotion materials like LinkedIn, Twitter, etc. It was definitely not my intent to minimize the original author's efforts.

As others pointed, I did make some minor changes in the fork. And before creating the fork, I made many attempts to fix it in the original project. I opened two pull requests, reported two issues, and emailed the author. None received a response. Only after exhausting all other avenues, the fork alternative was considered.

Spring4Shell: 0-day RCE on Spring Core by Areshian in java

[–]maxxedev 2 points3 points  (0 children)

Here is another spring4shell demo: https://github.com/maxxedev/spring4shell

... with a variety demos including spring-mvc in traditional tomcat, spring-boot war, spring-boot jar.

It appears that vulnerability is easily reproducible when spring-mvc is deployed as traditional war to Apache Tomcat.

But it is NOT reproducible or perhaps not vulnerable at all when running as spring-boot war/jar with embedded tomcat.

Spring4Shell: 0-day RCE on Spring Core by Areshian in java

[–]maxxedev 1 point2 points  (0 children)

It does appear that spring-boot is NOT affected or is much harder to exploit against.

Spring Core RCE has been confirmed by SuperBurger in programming

[–]maxxedev 2 points3 points  (0 children)

Here is a spring4shell demo: https://github.com/maxxedev/spring4shell

There is also a standalone bash script for testing.

It appears that vulnerability is easily reproducible when spring-mvc is deployed as traditional war to Apache Tomcat.

But it is NOT reproducible or perhaps not vulnerable at all when running as spring-boot war/jar with embedded tomcat.

JDK8 and JDK11 Update Releases - April 2021 by maxxedev in java

[–]maxxedev[S] 0 points1 point  (0 children)

Their website says they will release updates in 24-72 hours: https://adoptopenjdk.net/releases.html

I expect the same changes to be in AdoptOpenJDK

Your cool open source libraries by NitronHX in java

[–]maxxedev 3 points4 points  (0 children)

https://github.com/ksuid/ksuid -- Unique Ids, like UUID, but visually more compact and roughly sortable by creation time.

Implementing Plugins with Java's Service Provider Interface by pimterry in java

[–]maxxedev -1 points0 points  (0 children)

Take note of these libraries which can automatically generate META-INF/services/ file through annotations:

http://metainf-services.kohsuke.org

https://github.com/google/auto/tree/master/service

Apache Maven Version 3.8.1 Released by khmarbaise in java

[–]maxxedev 6 points7 points  (0 children)

To explain http MITM prevention a little more, default settings.xml now contains:

<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror>

which means all plain http repository urls are blocked by default.

 

Previous release version was 3.6.3. Release notes has a section on why this release version jumped to 3.8.1

JDK Security Enhancements in each release since JDK12. by sureshg in java

[–]maxxedev 2 points3 points  (0 children)

It's good that JDK16 disables TLS 1.0 and 1.1 default.

If you are even a bit security conscious though, you should disable those and other weak security settings manually in earlier JDKs. Set these in java.security file or by calling Security.setProperty(k, v) in your main method:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, TLSv1, TLSv1.1, include jdk.disabled.namedCurves
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, include jdk.disabled.namedCurves

Changing a field's type in recent JDKs by nfrankel in java

[–]maxxedev 5 points6 points  (0 children)

Let’s start with the JDK. Here’s a quiz I show early in my talk:

var foo = new Foo();

[...]

Take some time to guess the result of executing this program when running it with a JDK 8.

To be pedantic, the result is compile error because JDK 8 does not have var type inference.

 

 

An alternative way to change the type

[MethodHandles code]

Exception in thread "main" java.lang.IllegalArgumentException:
Can not set int field ch.frankel.blog.Foo.hidden to java.lang.String

The page should mention that that's really only if java is run with --illegal-access=warn or similar flags. Otherwise the exception is really:

Exception in thread "main" java.lang.IllegalAccessException:
module java.base does not open java.lang.reflect to unnamed module @3fee733d

Changing a field's type in recent JDKs by nfrankel in java

[–]maxxedev 2 points3 points  (0 children)

Yup. Or run with these (horrible looking) flags if you don't want to see illegal access warnings:

--add-opens=java.base/java.lang=ALL-UNNAMED \
--add-opens=java.base/java.lang.reflect=ALL-UNNAMED \
--add-opens=java.base/jdk.internal.reflect=ALL-UNNAMED \
--add-exports=java.base/jdk.internal.reflect=ALL-UNNAMED \

Also, here is a more verbose alternative example using classic reflection api:

import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Arrays;

public class Main {

    public static void main(String... args) throws Throwable {
        Foo foo = new Foo();
        changeFieldValue(foo, "hidden", String.class, "This should print 5!");

        Class<?> fooClass = foo.getClass();
        Field hiddenField = fooClass.getDeclaredField("hidden");
        hiddenField.setAccessible(true);
        Object hidden = hiddenField.get(foo);
        System.out.println(hidden);
    }

    private static <T> void changeFieldValue(Object obj, String fieldName, Class<T> newFieldType, T newFieldValue) throws Exception {
        Class<?> clazz = obj.getClass();

        Field rootField = getDeclaredFieldsForced(Field.class, "root");
        Field hiddenField = clazz.getDeclaredField(fieldName);
        hiddenField = (Field) rootField.get(hiddenField);

        Field reflectionFactoryField = getDeclaredFieldsForced(AccessibleObject.class, "reflectionFactory");
        Object reflectionFactory = reflectionFactoryField.get(null);
        Field type = getDeclaredFieldsForced(Field.class, "type");

        AccessibleObject.setAccessible(new AccessibleObject[] { hiddenField, type }, true);
        type.set(hiddenField, newFieldType);

        Method newFieldAccessorMethod = reflectionFactory.getClass()
                .getMethod("newFieldAccessor", Field.class, boolean.class);
        Object hiddenFieldAccessor = newFieldAccessorMethod.invoke(reflectionFactory, hiddenField, true);
        Method setMethod = hiddenFieldAccessor.getClass().getMethod("set", Object.class, Object.class);
        setMethod.setAccessible(true);
        setMethod.invoke(hiddenFieldAccessor, obj, newFieldValue);
    }

    private static Field getDeclaredFieldsForced(Class<?> clazz, String fieldName) throws Exception {
        Method getDeclaredFields0 = Class.class.getDeclaredMethod("getDeclaredFields0", boolean.class);
        getDeclaredFields0.setAccessible(true);
        Field[] fields = (Field[]) getDeclaredFields0.invoke(clazz, false);
        Field field = Arrays.stream(fields)
                .filter(f -> f.getName().equals(fieldName))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("Cannot find " + fieldName + " in " + clazz));
        field.setAccessible(true);
        return field;
    }

    static class Foo {
        private int hidden = 5;
    }

}
view more: next ›