400 Bad Request when using Glassfish REST API

When you try to automate your Glassfish administration duties with its REST API using POST or DELETE methods, and all you get is an HTTP 400 response with an empty body, you forgot to read this:

REST requests that add, update, or delete objects must specify the X-Requested-By header with the value GlassFish REST HTML interface.

It is intended to prevent CSRF attacks, as noted in Jason Lee's post.
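Added here as an example (not code from the original post): a small urllib helper that adds the header on state-changing requests, and a model of the server-side rule that shows why a custom-header check defeats CSRF; the host, port and resource path are illustrative assumptions.

```python
# Added example, not from the original post: a urllib helper for the GlassFish
# 3.x admin REST API and a model of the server-side rule that explains why
# the X-Requested-By header defeats CSRF. Host, port and resource path are
# illustrative assumptions.
import urllib.parse
import urllib.request

REQUIRED_HEADER = "X-Requested-By"
REQUIRED_VALUE = "GlassFish REST HTML interface"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def admin_request(base_url, method, path, params=None):
    """Build a Request for the admin API; state-changing methods get the
    header, without which GlassFish answers 400 with an empty body."""
    body = urllib.parse.urlencode(params).encode() if params else None
    req = urllib.request.Request(base_url + path, data=body, method=method)
    req.add_header("Accept", "application/json")
    if method.upper() not in SAFE_METHODS:
        req.add_header(REQUIRED_HEADER, REQUIRED_VALUE)
    return req


def csrf_check(method, headers):
    """Model of the server-side rule (for understanding, not GlassFish's code).

    A cross-site HTML form, <img> or <script> cannot attach a custom header,
    and a cross-origin script can only add one after a CORS preflight the
    server has to approve explicitly, so the header's presence shows the
    request came from the caller's own automation, not from a lured browser.
    """
    if method.upper() in SAFE_METHODS:
        return True
    sent = {k.lower(): v for k, v in headers.items()}
    return sent.get(REQUIRED_HEADER.lower()) == REQUIRED_VALUE


if __name__ == "__main__":
    # create a JDBC connection pool (assumed resource path and parameters)
    req = admin_request("http://localhost:4848", "POST",
                        "/management/domain/resources/jdbc-connection-pool",
                        {"id": "myPool", "resType": "javax.sql.DataSource",
                         "datasourceClassname": "org.h2.jdbcx.JdbcDataSource"})
    print(req.get_method(), req.full_url, dict(req.header_items()))
```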

Enabling SOAP message signing for EJB webservice client in Glassfish

Let's start writing posts again!

Today's solution is for the following scenario: an EJB uses a web service client and needs to sign its requests with a trusted certificate. We are running Glassfish 3.1.1. Its documentation is pretty straightforward about specifying a default client provider, which causes all web service calls to be signed. But we cannot do that, because another web service we're calling cannot handle digitally signed SOAP messages. The documentation only mentions web service endpoint configuration.

Here's what to do:

Add the following to your glassfish-ejb-jar.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-ejb-jar PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 EJB 3.1//EN"
  "http://glassfish.org/dtds/glassfish-ejb-jar_3_1-1.dtd">
<glassfish-ejb-jar>
    <enterprise-beans>
        <ejb>
            <ejb-name>EjbThatSignsSoapRequests</ejb-name>
            <service-ref>
                <!-- you might need an explicit @WebServiceRef(name="service") on that field,
                     even if the field is named service -->
                <service-ref-name>service</service-ref-name>
                <port-info>
                    <!-- This is the vital part - specify port of web service -->
                    <wsdl-port>
                        <namespaceURI>urn:webservice:namespace-from-wsdl</namespaceURI>
                        <localpart>WebServicePortName</localpart>
                    </wsdl-port>
                    <message-security-binding
                        auth-layer="SOAP" provider-id="ClientProvider"/>
                </port-info>
            </service-ref>
        </ejb>
    </enterprise-beans>
</glassfish-ejb-jar>

Then configure the client provider itself, e.g. via the admin GUI at Configurations > server-config > Security > Message Security > SOAP > Providers tab > Client Provider.

Distribution for a rather old computer

My nephews have an old K6-350 with 64 MB RAM, a 2.1 GB HDD, and S3 Trio64 graphics at their grandparents' house. They used it to play about six Windows games they had installed, until one day the boot files were suddenly gone. Unfortunately (or not?), I had already thrown out all my Windows 95/98 installation disks. I also haven't had a working floppy drive for a few years, so all the floppies are already gone (except for a few, but as I found out, those are unreadable anyway). So I went on a quest to find a Linux distribution that:
  • would run on i586
  • would run some desktop environment, while leaving some of the 64MB of RAM unallocated
  • would run recent wine
  • would run X with GL/DRI, so those games could be run
Well, I've got some bad news – there is no such distribution. Here's why:

Damn Small Linux

DSL installed OK to the hard disk, but it only allowed its own myDSL extensions to be installed. Those don't include dosbox or wine > 0.9.4x. Switching to apt didn't work on that version, because the package statuses were broken, and it would mean downloading and force-installing each deb. (Well, I'm writing this after a few more days of experimentation, and it doesn't look like a big deal now :), so maybe I'll return to that.)

Vector Linux Lite

The LiveCD didn't boot, and the installation was too big for a 1.8 GB partition. Where's the 'Lite' part?

Deli Linux

Looks nice in a VM; however, there are no packages for it – neither wine nor dosbox.

Debian

I installed the XFCE environment, but it looks too heavy for the machine, both space- and memory-wise. Maybe if I started without X, then added JWM and a ROX session, and configured it properly… well, it would take some time to get that done.

TeenPup 2008

This is a puplet – a spinoff of Puppy Linux 2.1. It contains many applications, games and nice icons. But getting packages for Puppy Linux is a quest in itself – searching forums for .pet files, finding passwords for password-protected repositories, and fighting incompatible versions of libraries. This distribution helped me get acquainted with the ROX file manager, which is actually quite nice once you understand its philosophy. However, the wine package didn't work because of an incompatible libc. I also managed to lead it into a state where it wouldn't reboot; instead it always just restarted the X session. So it was time to move on.

PuppyLinux 4.1.2

So after spending a few days with TeenPup I understood the desktop and boot-up process of PuppyLinux, so I picked the generic one. Installing wine went smoothly. But DirectX games wouldn't run on Xvesa or on Xorg with the vesa driver. The solution looked simple – just download the full Xorg 7.3 and finally have an answer to the question of whether the system is actually capable of running those games under Wine. However, there is a bug in Xorg 7.3 – xorg-server 1.3.0 doesn't export some basic symbols properly, so enabling the S3 driver results in the linking error "Symbol RamDac not found". So I tried to find a puplet that includes X.org 7.4.

LXDE puplet

I found that one, burned the ISO, and found out it's i686 only.

Arch Linux

And Arch Linux is i686-only as well.

TinyME

This is the last distribution I tried. It looks quite memory-heavy (LXDE is still way heavier than ROX/JWM) and still has xserver 1.3.0.

Conclusion

There's no out-of-the-box solution. So I will either return to DSL or Debian, or get some bootable CD with a Win95 boot disk and just run sys c: (only to find out that some other system files are missing :)) – but getting such a CD is not easy; who needs Win95 anymore?

Google Desktop shortcuts

I've been having quite some trouble with Google Desktop binding all sorts of keyboard shortcuts that interfere with my work. Most annoying was its binding of Win+Space, which collides with my Launchy hotkey. I solved this by tuning the startup order of applications, but it wasn't pretty. Today I found new hope. According to this post, the shortcuts can be configured via the registry:

In "HKEY_CURRENT_USER\Software\Google\Google Desktop\Preferences"

create a DWORD value named "hot_key_flags".

Setting this value to:

  • "0" disables both Ctrl-Alt-G and Windows-G
  • "1" disables Windows-G, but leaves Ctrl-Alt-G enabled
  • "2" disables Ctrl-Alt-G, but leaves Windows-G enabled
  • Removing the key or setting the value to "3" or higher will enable both keys.

This solved my problem with AltGr+G; later I will check whether it also helps Launchy.

Smart render in Vegas for Panasonic H-280 hard disk camcorder

I spent a few evenings figuring out why Vegas always recompresses MPEG2 video from my camcorder instead of using Smart Render. First, both the project and the encoder must be set to a video size of 704×576 pixels, with upper-field-first interlacing (note that changing the encoder template is only possible with Vegas Pro). And the magic setting that allows smart render is to set the encoder's Maximum Bitrate to exactly 9542800 bits/s.

Special device UUID=xxxxxxxxxxxxxxxx does not exist (especially with LVM)

Partition UUIDs were a mystery to me – according to all the documentation available they make life easier instantly and you no longer have to worry about your partition letters. Since I'm using LVM on all the servers I manage, I had already stopped worrying. But since this is the preferred method now, I wanted to use it (especially after the last time udev created the /dev/mapper/vg-lv device but no /dev/vg/lv device after boot, and I only realized it after my backups were a week old and I had to restore a corrupted file :().

But here's the problem with UUIDs and LVM: after you create a new LV, vol_id and blkid will show its UUID. But as soon as you want to mount that LV via /etc/fstab, it yields Special device UUID=... does not exist. Today I learned this special command:

sudo partprobe

It updates the /dev/disk/by-uuid directory and your UUID mount works like a charm.
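An added example (not from the original post) of the check I would run before trusting a fresh UUID entry: it parses fstab and reports every UUID= line whose /dev/disk/by-uuid link is still missing, i.e. exactly the mounts that would fail with the error above until partprobe is run; the fstab lines and the by-uuid directory in the demo are constructed.

```python
# Added example, not from the original post: check each UUID= entry of an
# fstab against /dev/disk/by-uuid before relying on it, so a link that udev
# has not created yet is caught while you can still run partprobe.
import os
import tempfile


def fstab_uuid_entries(fstab_text):
    """Yield (uuid, mountpoint) for every UUID= line; comments are skipped."""
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0].upper().startswith("UUID="):
            yield fields[0][5:].strip('"'), fields[1]


def missing_uuids(fstab_text, by_uuid_dir="/dev/disk/by-uuid"):
    """Return the (uuid, mountpoint) pairs whose by-uuid link does not exist.
    A non-empty result means the mount would fail with 'Special device ...
    does not exist'; running partprobe and retrying is the fix."""
    return [(u, m) for u, m in fstab_uuid_entries(fstab_text)
            if not os.path.exists(os.path.join(by_uuid_dir, u))]


def demo():
    """Constructed data: a fake by-uuid directory where only one link exists."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "1111-2222"), "w").close()
        fstab = ("# constructed fstab, not from a real machine\n"
                 "UUID=1111-2222  /      ext4  defaults  0 1\n"
                 "UUID=3333-4444  /data  ext4  defaults  0 2\n"
                 "/dev/vg/lv      /srv   ext4  defaults  0 2\n")
        return missing_uuids(fstab, d)


if __name__ == "__main__":
    for uuid, mnt in demo():
        print(f"{mnt}: no by-uuid link for {uuid} yet, run 'sudo partprobe'")
```

On a real machine, call missing_uuids(open("/etc/fstab").read()) with the default directory.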

Compress your /usr to save space

I just found a clever post with steps to make more space available on your root partition by having /usr compressed with squashfs and overlaid with unionfs. So I'm adding it here as a note to self, to try it on my Ubuntu on a USB disk, where I devoted too much space to NTFS partitions :) It could also be fine for the Aspire One, if my wife starts to actually store any files there, not just do the browsing.

http://po-ru.com/…-the-eee-pc/

Oh yes, and according to this comment, Ubuntu 8.10 works nicely on the Aspire One, so if I'm willing to sacrifice the nice boot-up times of Linpus for a more standard way of administration (at least for me), I might give that a try.

Setting up Acer Aspire One

I recently got this cutie from Acer. Its purpose is to be my wife's browsing machine. For that I had to modify some things:

  1. Install Skype
  2. Install Pidgin
  3. Upgrade to Firefox 3
  4. Install mscorefonts
  5. Video player with subtitle support


window.opener.location – access denied

Let's have a look at my programming duties today. The plot goes like this: there is a Web Dynpro within Enterprise Portal (I don't know the proper English fairy tale style, but this sentence feels similar to 'In a dark, filthy cave lived a horrifying twelve-headed fire-spitting dragon'). This Web Dynpro opens an external window with a JSPDynPage portal component.

Amongst other functionality there is a button which switches the application in the opening window. Since it's a Web Dynpro in a portal, we need to use window.opener.top.location, as the Web Dynpro sits within a frame (or iframe). The first time it works. The second time, Internet Explorer yields Access Denied.

You think: a common cross-site scripting issue. But we only do window.location.href="/irj/portal?NavigationTarget=ROLES://...", so the server does not change. The new component sits on the same server as well. And it worked the first time! window.opener still exists, but any access to it returns Access Denied. The cause is that we didn't change window.opener, we changed window.opener.top, and thus window.opener is no longer valid. Once you realize that, the solution is pretty straightforward:

// keep a reference to the opener's top window before navigating it;
// once the navigation happens, window.opener itself can no longer be used
this.windowopenertop = window.opener.top;
this.windowopenertop.location.href = role1url;

and then later

// reuse the saved reference instead of going through window.opener again
this.windowopenertop.location.href = role2url;

…and the dragon lived happily ever after (though the user can choose to see another dragon at the same location).

OpenSwan and Cisco PIX: ISAKMP:not zero on reserved payload 5

Now this was another long night: I was trying to create an IPsec tunnel between a Cisco PIX and an Ubuntu-based router running OpenSwan. At first, I was unable to establish ISAKMP communication, as the PIX always rejected it with SA not acceptable. That was solved by adding

ike=aes-sha1-modp1024

to the ipsec.conf configuration file. Once I got through this, I came to the great showstopper mentioned in the title. Cisco and various forums state that my pre-shared key was wrong (but it wasn't), that I should do clear crypto sa on the PIX (but it didn't help), or that my access list was wrong (but it seemed right). After giving up and getting some sleep instead, I decided to change the encryption (I had used AES with SHA1). I added a new policy for 3DES with MD5 and suddenly the message was gone!

But there was a new one, saying Proxy Identities Not Supported, and finally I found where I should have had 192.168.8.0 instead of 192.168.1.0 – in the ipsec.conf.

And from that time on, the tunnel works perfectly.

One more note:

After you're happy that your tunnel has been established and you're looking forward to trying it out, you may be disappointed that no pings to the remote internal network work, and that ssh returns No route to host. The secret ingredient is to use the internal network interface as the source, so use

ping remoteinternalhost -I routerinternalinterfaceip
ssh -b routerinternalinterfaceip remoteinternalhost