Spring-Security-3

Introduction to Spring Security 3/3.1


Not bad but start watching from 55:00 at least ;-)

Relative Module Identifiers (dojo, AMD)

/*
Relative Module Identifiers:
http://livedocs.dojotoolkit.org/loader/amd#id8
http://livedocs.dojotoolkit.org/loader/amd#id9

A) Don’t use Relative Module Paths in require([]), only work in define([])
B) Don't use Relative Module Paths with global require use Context Sensitive _require


sample file:
path: dojo-boilerplate/js/myPackage/myModule/test3.js
no .js added at the end
*/
// !!! bad
// /dojo-boilerplate/mySubmodule9/b 404 (Not Found)
// /myModule8/a 404 (Not Found)
require(["../myModule8","./mySubmodule9"]);    
  

define(["require","../myModule","./mySubmodule1"],function(_require){
 // dojo-boilerplate/js/myPackage/myModule/mySubmodule3.js
 require(["myPackage/myModule/mySubmodule3"]);  
 //  !!! bad !!! dojo-boilerplate/mySubmodule4 
 require(["./mySubmodule4"]);     
 // dojo-boilerplate/js/myPackage/myModule/mySubmodule6.js
 _require(["myPackage/myModule/mySubmodule5"]);  
 // dojo-boilerplate/js/myPackage/myModule/mySubmodule5.js
 _require(["./mySubmodule6"]); 
 // dojo-boilerplate/js/myPackage/myModule7.js  
 _require(["../myModule7"]);   
}); 

http://demos.dojotoolkit.org/demos/faces/

http://demos.dojotoolkit.org/demos/faces/
Broken link to logo.png and header.pmg
Not working in MSIE 8
Crashing on GA code ? (Line: 35 Error: Object doesn't support this property or method)

http://demos.dojotoolkit.org/demos/fonts/charts.html
Crashing on GA code ? this.set is not a function http://www.google-analytics.com/ga.js Line 35

http://demos.dojotoolkit.org/demos/mojo/
broken link to:
http://dojotoolkit.org/about

Eclipse, WTP JavaScript Validator useless

WTP comes with JS Validator which is by default configured to
"Enable JavaScript semantic validation".

Defaults are set somehow but soon
you will have to turn OFF "the whole thing" because:

Optional Semicolon: Ignore
because of Dojo and other framework authors do not care

Local Variable is never read: Ignore
because it does not work, local.member is not considered reading local by WTP

Uninitialized local variables: Ignore
This is just JS style of me and many others

And after turning this all OFF, you will end up with
Type mismatch: cannot convert from any[] to any ItemFileWriteStore.js /dojo/data JavaScript Problem line 581
on simple lines like: var serializableArray = [];

Since this warning cannot be turned off (no UI item for this),
you must modify the plugin
or just turn WHOLE "SEMANTICS VALIDATOR" OFF.

Another piece of code that is useless, thanx for wasting my time again.

see also:
http://stackoverflow.com/questions/5765955/javascript-array-why-is-this-not-valid


Update:
Eclipse IDE for JavaScript Web Developers
eclipse-javascript-indigo-SR1-macosx-cocoa-x86_64.tar.gz
contains quite old version of the plugin:
plugin version org.eclipse.wst.jsdt.core_1.1.101.v201108151912.jar

ajaxpatterns.org

I just had a quick view to this, once popular web site.
I have found that this is deserted place full of outdated,
and almost harmful information...


so AJAX beginners (if there are any, anymore) BEWARE.

Just a few broken links....and dead topics....

REFERER: http://ajaxpatterns.org/Main_Page 
404: http://www.ajaxpatterns.org/Special:Newpages?feed=rss

REFERER: http://ajaxpatterns.org/Javascript_Frameworks
HISTORY: last update: november 2009 
404: http://www.coolpenguin.net/plainajax
404: http://www.amplesdk.com/examples/xul/
404: http://www.amplesdk.com/examples/extensions/

REFERER:http://ajaxpatterns.org/Tools
HISTORY: May 2011
PARKED DOMAIN ?:  http://ww5.ajaxwebshop.com/
ENDED DEVELOPMENT:  http://www.interaktonline.com/Products/Eclipse/JSEclipse/Overview/

I have tried to fix some articles but usually you end up with... 504 Gateway Time-out

JavaScript-based ESAPI: An In-Depth Overview

Read this to make your opinion:

https://www.owasp.org/images/0/0b/ESAPI4JS-Marcus.Niemietz.pdf

Hello DOJO !

Browsing this web site today, I have run into deep disapointment:

http://dojotoolkit.org/documentation/tutorials/1.6/hello_dojo/

Error: Could not load 'dijit.form.Select'; last tried '../dijit/form/Select.js'
Source File: http://dojotoolkit.org/js/dojo/1.6/dojo/dojo.js
Line: 14

Error: _onloadHook is not defined
Source File: http://www.facebook.com/plugins/like.php?href=http://dojotoolkit.org/documentation/tutorials/1.6/hello_dojo/index.php&layout=button_count&show_faces=false&width=250&action=like&font&colorscheme=light&height=21
Line: 4

Error: missing ; before statement
Source File: http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/ISUz2NXkL5P.js
Line: 50, Column: 38
Source Code:
-b;if(c<0){f=Dialogif(a.name=='cancel'){this.cancel();}else if(Dialog.call_or_eval(this,this._handler,{button:a})!==false)this.hide();},_submitForm:function(d,e,b){var c=this.getFormData();if(b)c[b.name]=b.label;if(this._extra_data)copy_properties(c,this.

Error: _onloadHook is not defined
Source File: http://www.facebook.com/plugins/like.php?href=http://dojotoolkit.org/documentation/tutorials/1.6/hello_dojo/index.php&layout=button_count&show_faces=false&width=250&action=like&font&colorscheme=light&height=21
Line: 4

shame on you, leading framework developers !

CWE-601: oracle.com

Browse the link and logon, if you have account with them.

http://www.oracle.com/webapps/redirect/signon?nexturl=http://ainthek.blogspot.com/
------------------------------------
So they have "fixed" client side problem
http://ainthek.blogspot.com/2011/05/client-side-xss-documentwritelocationhr.html.

and kept more serious
CWE-601: URL Redirection to Untrusted Site ('Open Redirect') still open ?

nice ....

w3.org and comments

Can we (miss) USE this somehow ?

Generated from data/head-home.php, ../../smarty/{head.tpl} 
 Generated from data/mast-home.php, ../../smarty/{mast.tpl} 
 #w3c_mast / Page top header 
 w3c_sec_nav is populated through js 
 
 Main navigation menu 
 /end #w3c_mast 
 
 
 
 
 
 
 
 
 end events talks 
 end main content 

    <div id="w3c_home_video">
      <h2 class="category">
        <a href="/participate/podcastsvideo">Featured Video
            <img src="/2008/site/images/header-link.gif" alt="Header link" width
="13" height="13" class="header-link"/>
        </a>
      </h2>
      <p>Here</p>
    </div>
    
 end main col 
 Generated from data/footer.php, ../../smarty/{footer-block.tpl} 
 #footer address / page signature 
 /end #footer 
 Generated from data/scripts.php, ../../smarty/{scripts.tpl} 

Processing.js

great library but:

//Can you simplify this ?
if (obj === null || other === null) {
      return (obj === null) && (other === null);

//.. do I need braces ? Throwing Strings ? Not good for onerror handlers... 
throw ("XMLHttpRequest failed, status code " + xhr.status);

// try to count number of "this." in minimized version ;-(
 
// how many times will you call the same functionn in one line....
a.charAt(0) === "(" || a.charAt(0) === "[") return a.charAt(0)

//loops; could be even shorter right ? (++ vs. --)
a = 0;
for (c = h.length; a < c; ++a) h[a].owner = this;

//could you be more verbose ?
//hardly !
DrawingShared.prototype.vertex = function() {
      var vert = [];

      if (firstVert) { firstVert = false; }

      if (arguments.length === 4) { //x, y, u, v
        vert[0] = arguments[0];
        vert[1] = arguments[1];
        vert[2] = 0;
        vert[3] = arguments[2];
        vert[4] = arguments[3];
      } else { // x, y, z, u, v
        vert[0] = arguments[0];
        vert[1] = arguments[1];
        vert[2] = arguments[2] || 0;
        vert[3] = arguments[3] || 0;
        vert[4] = arguments[4] || 0;
      }

      vert["isVert"] = true;

      return vert;
    };

etc..etc...

TODO: will be continued

Aptana - Editor Feature Matrix

What to expect and not expect from Aptana Studio 3.X Editors.
http://wiki.appcelerator.org/display/tis/Editor+Feature+Matrix

Thanx to aptana team for link.

jira.appcelerator.org, CWE-209 (Error Message Information Leak)

Try this:

http://jira.appcelerator.org/charts?filename=jfreechart-onetime-4050881654227115418.png

It will print nice detailed error message,
design or badly configured server ?

Aptana Studio 3.3 and html5boilerplate support

Aptana comes with nice feature and includes html5boilerplate
as wizard.
Excited I decided to give it a try.....

This wizard let's you open online (git) verzion or Cached version.
(nice !)

however both versions cause problems:
cached version is pretty old (referencing 1.4 jQuery) and fails with errors,

ENTRY com.aptana.projects 4 0 2011-06-10 00:45:42.917
!MESSAGE Unable to overwrite file during .zip extraction
!STACK 1
org.eclipse.core.runtime.CoreException: Failed applying file-template variables

Git based version of the wizard is fine and gets created
however HTML editor reports errors:

Unexpected end of file index.html /test line 54 JS Problem

Horror folks !

UPDATE: filled bug report

https://aptanastudio.tenderapp.com/discussions/problems/3002-html5-boilerplate-obsolete-and-buggy

http://jira.appcelerator.org/browse/TC-67

and also
http://jira.appcelerator.org/browse/TC-68

Roo, Maven, STS and paranoid Corporate Proxies (fixed with Fiddler)

If you are using Roo, it uses
pgp.mit.edu:11371
to verify signatures of downloaded Roo Add-on.

If your proxy blocks 11371 and
your proxy admin. is paranoid
(or just lazy)
you will hardly get adon installed.

Since I don't know how to change this uri (can I ?)
I open fiddler
and type in the Quick Exec box:

urlreplace  pgp.mit.edu:11371 keyserver.ubuntu.com

This now uses ubuntu keyserver and "standard" port 80.

Thanx for Fiddler once again.
TODO: Mac solution

Waiting response from Roo team.....

Aptana Studio 3 and HTML5 Support ?

One of the benefits in HTML5 is simplifications:

However Apatana (claiming HTML5 support)
made me disapointed
on my first trial:

<link rel="stylesheet" href="/boilerplate/styles/sample.css" />

This valid HTML5 construction results in warning:

link lacks "type" attribute 

Since I hate warnings and
I hate writing any extra code
I supressed the warning in
Window/Preferences/Aptana/validation/HTML
thax for that option at least.

Or am I doing something wrong ?

UPDATE:
Nothing wrong, after private discussion with aptana team they resond with:
WE HAVE TICKET OPENED FOR THIS:
https://aptana.lighthouseapp.com/projects/35272/tickets/1860.

however I have no account to see the ticket ;-)

skipnav sass mixin

This is rewrite of excelent idea from
http://www.jimthatcher.com/skipnav.htm as Sass mixin.

/*
http://www.jimthatcher.com/skipnav.htm
<nav class="my-skipnav">
 <a href="#maincontent">Skip to main content</a>
 <a href="#sitemap">Skip to footer site map</a>
</nav>

Usage:
// using traditional class
.my-skipnav {
 @include  a11y-skipnav;
}
// or using structure selector
body>nav:first-child {
 @include  a11y-skipnav;
}
*/
@mixin a11y-skipnav {
 text-align: left;
 a {
  position: absolute;
  left: -10000px;
  width: 1px;
  height: 1px;
  overflow: hidden;  
 } 
 a:focus, a:active {
  position: static;
  left: 0;
  width: auto;
  height: auto;
  overflow: visible;
 }
} 

IBM home page improved

www.ibm.com

IBM has made several impovements in their homepage markup: so I want to give them credit after all blames I have made before....

I like usage of network path references,
even if it is not consistent across whole page.

Also usage of iepngfix, DD_belatedPNG.fix('#ibm-geo, #q, #ibm-search, .ibm-no-mobile');
is fancy, but, why they don't credit the original author ?

What I still hate is overuse of IDs, presentational classes and endless DIV nestings

<!-- LEADSPACE_BEGIN -->
<div class="ibm-container" id="ibm-leadspace-head">
<div class="ibm-container-body" id="ibm-leadspace-body">
<div class="ibm-columns" id="ibm-lead-1">
<div class="ibm-col-1-1">

<!-- LEADSPACE_END -->
<div id="ibm-pcon">
<div id="ibm-content">
<div id="ibm-content-body">
<div id="ibm-content-main">
<div id="ibm-news-feed">
<div id="ibm-news-feed-inner">

 
<!-- PROMOTION_BEGIN -->
<div class="ibm-container" id="ibm-promotion-module">
<div class="ibm-container-body">
<div class="ibm-columns">
<!-- ibm-col-6-2 ibm-expand-section: Z725354V02338R50 -->
<div class="ibm-col-6-2 ibm-expand-section">
<!-- B302493F36942F04 -->

I believe IBM has finally started to watch Web trends and tries to apply them to their
web design (at least to home page).

It is still very basic improvements,
but I wish them good luck!

Thanx for making my day nicer (even if you have changed this a couple of weeks ago, I have found time only today).

For dark ages see ora or ms homepage markup.
Watch and learn !

Client side XSS: document.write(location.href)

Is this safe ?
(C) www.orace.com

if (USER.guid) {
    document.write('Welcome ' + USER.firstname + ' ( <a class=profile href=https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=' + location.href + '\>' + 'Account' + '<\/a> | <a class=profile href=/us/corporate/contact/about-your-account-070507.html>' + 'Help' + '<\/a> | <a class=profile href=javascript:sso_sign_out();>' + 'Sign Out' + '<\/a> )');
}
else {
    document.write('<span class=profile>( ' + ' <a href=http://www.oracle.com/webapps/redirect/signon?nexturl=' + location.href + '>Sign In/Register for Account</a> ' + ' <span style=color: rgb(0, 0, 0)>|</span> ' + '<a href=/us/corporate/contact/about-your-account-070507.html>Help</a>' + ' )</span>');
}

UPDATE: 16.6.2011
Somehow they decided to fix it ? based on this article ? I dont believe so, if yes please next time give some credits by comment ;-)

if (USER.guid) {
    document.write('Welcome ' + USER.firstname + ' ( <a class=profile href=https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=' + encodeURI(location.href) + '\>' + 'Account' + '<\/a> | <a class=profile href=/us/corporate/contact/about-your-account-070507.html>' + 'Help' + '<\/a> | <a class=profile href=javascript:sso_sign_out();>' + 'Sign Out' + '<\/a> )');
}
else {
    document.write('<span class=profile>( ' + ' <a href=http://www.oracle.com/webapps/redirect/signon?nexturl=' + encodeURI(location.href) + '>Sign In/Register for Account</a> ' + ' <span style=color: rgb(0, 0, 0)>|</span> ' + '<a href=/us/corporate/contact/about-your-account-070507.html>Help</a>' + ' )</span>');
}

Any ideas now ?

Sass Mixin For HTML5 classes and their obsolete HTML4 equivalents

This

@mixin back-compat($prefix) {
 
 @each $h5tag in 
  article,
  aside,
  audio,
  canvas,
  command,
  datalist,
  details,
  embed,
  figcaption,
  figure,
  footer,
  header,
  hgroup,
  keygen,
  mark,
  meter,
  nav,
  output,
  progress,
  rp,
  rt,
  ruby,
  section,
  source,
  summary,
  time,
  track,
  video,
  wbr
 {
   .#{$prefix}#{$h5tag} {
  @extend #{$h5tag}; 
   }
 }
}

sample usage

@include back-compat("html5-");
article, section, ruby
{
  COLOR:red;
}

Generates:

article, .html5-article, section, .html5-section, ruby, .html5-ruby {
  COLOR: red;
}

Nice nice....

Link of the day !

http://jdbartlett.github.com/innershiv/

thank you,thank you,thank you

Customize your Modernizr download (errors on page)

I have tried this web site today and have run ito "lame code" controlling the
checkboxes to customize download:
http://modernizr.github.com/Modernizr/2.0-beta/

 $("a.toggle-group").live('click', function() {
    var group = $(this).closest(".features");
    var checkbox = $(group).find(':checkbox');
    checkbox.each(function(){
      $(this).attr('checked', !$(this).is(':checked'));
    });
    event.preventDefault();
  });

Please fix otherwise we will end with errors like:
Error: event is not defined

Source File: http://modernizr.github.com/Modernizr/2.0-beta/#
Line: 173

MSIE and incorrect .src and .href (final solution ?)

Could this be a final solution for uri resolving in .src and .href for MSIE ? (blogged before, search..)

function getUriRef(element, attrName) {
    //MSIE sometimes returns unnormalized .src or .href property 
    //for LINK and SCRIPT tags, it has not been observed on a.href
    // example: s.src returns "sss" instead of ptoto://auth/sss
    // this is observable always on "some" pages and "some" elements
    // in case .src does not work -> getAttribute('src',4) works
    // when .src works (returns abs. uri), getAttribute('src',4) does not work and returns (raw)
    // TODO: detect, dont do always, study reason why this happens
    var uri = element[attrName];
    if (uri != null) {
        if (!(/^[A-Z][0-9A-Z+\-\.]*:/i).test(uri)) {
            //TODO: TEST XB for additional param, but i dont expect any normal browser to fail here
            uri = element.getAttribute(attrName, 4);
        };
    }
    return uri;
}

Deadly jQuery Selectors (my naive jQuery programming)

Deadly jQuery Selectors (my naive jQuery programming)


// give me all tags with href or src attribute
*[href],*[src]

//MSIE 8: 20000 ms ;-(
//FF 3.6: 1 ms :-)

// simple fix for this is to use plain old dom:

var uri, uris=[], i, e;
for (es = d().getElementsByTagName("*"), i = es.length; i; ) {
e = es[--i];
uri = e.href || e.src;
if (uri) uris.push(uri);
}
// MSIE 8: 323 ms ;-| not so bad

waitFor function

Blind code (not tested)
any comments welcomed

function waitFor(condition, onSuccess, onTimeout, timeout, pollInterval) {
    // TODO: document + testcase
    pollInterval || (pollInterval = 100);
    var endTime = new Date().valueOf() + (timeout || 10000),
  errs, //condition eval errors
        c,    // condition eval result (can be object)  
        check = function () {
            try { c = condition(); }
            catch (ex) { (errs = (errs || [])).push(ex); }
            if (c)
                onSuccess(c);   //receives condition result (ca be {})
            else if (new Date().valueOf() < endTime)
                setTimeout(check, pollInterval);
            else if (onTimeout)
                onTimeout(errs); //receives err result (null or non empty [] of Error)
        };
    check();
};

Mobile Perf bookmarklet by @souders (Link of the day)

I have been very pleased by todays tweets
specially @souders compilation of other bookmarklets:

Mobile Perf bookmarklet

I have looked a bit closer to some of them:
First:
DOM Monster
and I have posted two comments to GitHub:

issue/8
and
issue/7
Happy to receive reply:

From: madrobby

You're welcome to submit pull requests/patches. However, I think DOM Monster will grow and change quite a bit so premature micro-optimizations might be a 

might early...

View Issue: https://github.com/madrobby/dom-monster/issues#issue/8/comment/672058

But:
I consider both issues as basic coding practice, not optimization ! (rename to JS Monster ?)
I'm not "skilled" with github (yet) sorry.

I'm willing to contribute, but cannot be forced into how and when.

Some ideas and wishes
from my own unfinished code performing "page analysis".
My code is not only performance based so some may not aplly to DOM Monster.

• Inline Scripts Detection
• Standard vs. Quircks mode
• Empty ULs and others that cannot be empty (semantics)
• Meta tag "best pracices"
• Anti-SEO hunter (bad, old SEO practices detection)
• jSession string and other identifiers in URLs
• Accessibility checks
• DHTML event registration
• Ajax style links (# fragment links)
• .... more and more

So my bookmarklet is/was mix and
I'm thinking (thanx to @souders)
about splitting it into more categories now
and maybe "reuse" existing code or whole bookmarklet,
once they will comply with minimal "js qualities" ;-)

Danger of InternalResourceViewResolver (Spring)

Sping's InternalResourceViewResolver will servre pages OUTSIDE of specified prefix:

http://www.aitk.info/Danger%20of%20InternalResourceViewResolver%20(Spring).pdf