Vesak @ Bandos’

http://picasaweb.google.com/s/c/bin/slideshow.swf

Advertisements

Linux for human beings

This is a post that should have been written few days back, On April 29th Ubuntu 10.04 – (Lucid Lynx) was released, and I was counting days till it did but couldn’t try it out because of the release work I was doing in my machine. Last weekend (even the work wasn’t quite over) my anxiousness couldn’t rest. I installed the new beast keeping my /home safe. To tell you the truth, the installation process was hardly “linux like”. There were no screens showing any commands executing, nor view of the terminal. What you see is a breath taking slide show (very much windows like, but much sweeter) trying to show off the beauty 😉 and market itself.

Ubuntu - 10.04 (Lucid Lynx)

Well I know many of you already have tried Lucid, and there is nothing new for me to mention, hence I thought of writing few words about Ubuntu’s slogan “Linux For Human Beings”. My history as a Linux user is not that ancient, even though I have used it side by side with a  Windows OS, I’ve never gone total Linux, There were reasons behind. {1} I was afraid it will all break down in the middle of something. {2} It looked like a dark cave with alot of never ending tunnels {3} It was hard for me to troubleshoot on my own (I was a novice). But thanks to Sandaruwan and the never ending virus problems, performance degradation with time in windows, I jumped in to the deep-end. Ever since am a happy man 😉

Before Ubuntu, I have tried Debian and Suse, but with Ubuntu I felt quite safe. There were number of reasons, among them, Canonical released frequent updates and bug fixes (mainly fixes related to hardware drivers). Ubuntu’s is doing major release twice a year with a considerable amount of improvements, and nevertheless its Virus free, ultra fast and very stable for a software development environment.

Being those my reasons, I believe Linux is the answer for many 3rd world countries, to obtain a high IT literacy rate. When Microsoft and other proprietary software vendors are investing in millions and billions to put a full-stop to software piracy (Which as a software engineer I encourage), and when personal computers are sold with these proprietary software pre installed (Ofcause not for free) with prices automatically goes sky high, resulting a normal user to look at a computer as if it is a Jet plane ;).

But for some (many) reason free and open source software is hidden to the normal user world. Of-cause there are few myths associated, One popular myth is that Open source and free software doesn’t come up to the standard of proprietary software, If we forget for an instance that I work for a 100% open source company 😉 , and look at Apache software foundation, where there are plenty of great products (Apache HTTP server, Tomcat, Maven, Synapse et al.), but normally the argument is “A normal user doesn’t care about the server space. What does free software offer for them ?, to listen to music, edit some photos, check email and browse internet” ? And as far as I see this is where Ubuntu places itself. I believe this is why it displays a pretty screen while its being installed and I think so far Ubuntu had done a great Job, and it is ready with a strong and shiny armour, to battle with any proprietary operating system and make it’s mark.

So if you are a normal user reading this article, try new Ubuntu, and when you are buying your next personal computer, ask you computer supplier to give the machine with Ubuntu. I promises you, you will save a hell a lot of money, and it will set you free. 🙂

Sharing HTTPS, HTTP sessions in tomcat hosted web-apps

The requirement is to only serve the login page securely and once the user is authenticated (s)he should be redirected to non-secure http mode. I was struggling to do this quite some time back, and just thought of documenting about it.

The requirement

The idea I had was; “It should be quite simple”, Facebook does that, Google does that and why is it still not well documented ?, However the almost all Google search results for my queries were about simply redirecting HTTP traffic to HTTPS for certain URLs, some were using URL rewriting (mod_rewrite), and some have used server configuration via Tomcat’s server.xml.

What I really wanted to achieve is to preserve the state between the protocol switch. After some considerable amount of searching I found out this is not achievable (in a very clean manner) with tomcat or rather it is a conflict between security and state management in the servlet spec itself, hence there only exist a dirty hack (not sure if this works) to get it done, but even that hack couldn’t be applied to my scenario.

So after some thinking I came up with my own hack (I think its even dirtier 😉 ) to solve the issue; Its quite simple, and involves cookie manipulation. My approach was simply read the HTTPS cookie and set it as the HTTP cookie, what I need was one jsp which is served with HTTPS and few lines of Java code.

The solution
The solution

True enough it certainly looks like a hack, but security wise its as same as the Tomcat user group has suggested. so until the new servlet specification answers this question we have to live with this. the code of converting the cookies are as follows.

   
    Cookie[] cookies = request.getCookies();
    String sessionId;
    if (cookies != null) {
        for (Cookie c : cookies) {
            if (c.getName().equals("JSESSIONID")) {
                sessionId = c.getValue();
            }
        }
    }

    Cookie k = new Cookie("JSESSIONID", sessionId);
    k.setPath(request.getContextPath());
    response.addCookie(k);

Basically what the code does is, reading the secure cookies while inside the middle.jsp and setting them without security (k.setSecure() is not mentioned hence by default its false), and that’s about it, once this is done you can simply redirect to the HTTP page.

response.sendRedirect("http://foo.com:8080/index.jsp");  

and now the cookie which originally set via HTTPS is accessible to the HTTP requests, hence the session is shared.