Skip to main content

Posts

Showing posts from 2016

My presentation from SUTOL 2016 - Automation is developer's friend

Last week I had a session at Sutol conference about automation for developers. It covered several samples, where I started with Reat.js front-end app, stored it in Domino nsf database and later did also complete build on Jenkins server with Selenium tests. It was a lot of fun to put this together and even more fun, as always, was to meet all those great people from ICS (or should I call it Watson Workplace now?) community. Sutol 2016 - Automation is developer's friend from mpradny Repository that I used for the demo is at Bitbucket.org -  https://bitbucket.org/pradnik/todoapp_full/branch/develop  . If you want to try it, you need to adjust some hardcoded values as I didn't make this build parameterized and it also depends on my Jenkins configuration. Job itself that I used was simple Pipeline from SCM, just with repo address. Let me know if you want to try it and get stuck. Many thanks to all sponsors,  organizers and attendees, who made SUTOL 2016 great even

SUTOL conference 2016

It became a tradition that every autumn SUTOL organize technical conference that focuses on topics around IBM ICS portfolio. After successful switch to English as primary language last year, this year the event will be extended to 1.5 days. Event will take place at PARKHOTEL Praha on 10th and 11th November. More details are at conference site  8th SUTOL Technical Conference . Registration will open soon. Two day program of conference should give more room for attendee interaction and community discussion. We hope that more international attendees will find their way to Prague as autumn is really nice time to visit. Weather is usually still warm and it's less crowded than during summer season. If you need any reason, why you should attend, let me know. Call for abstracts is open till 9th October and sponsors are also welcomed. See you in Prague.

XPages ${} risk of code injection possible workaround

I wasn't happy with findings in my previous post , because it can lead to security issues, but also can have performance hit when you actually need dynamic evaluation of injected code (I use it for app localization and few other use cases). After some digging I came to conclusion that it can't be easily changed/overridden because getBindingValue simply turns into createValueBinding when value is evaluated to a String with #{} inside. Only solution I see is to wrap binding with code that checks possible injections or runs the evaluation in case I really need it. Another benefit is that I can easily log/notify when possible unwanted injection happens. For the most simple use case that I used in demo I added two beans that implement DataObject to the app, so I can use following syntax ssan[..]/seval[..] (it's not possible to pass arguments in EL method calls in XPages, so this is a bit hacky way of doing this). Now when I repeat my test I get: Partial refresh to t

XPages ${} risk of code injection

While working on app optimization I experimented a bit more with 'Compute on page load' vs. 'Compute dynamically' behavior. There have been several discussions in past about possible combination of ${} and #{}, for example posts from  Marky Roden ,  Sven Hasselbach  and  Paul Withers  . What struck me today was risk of code injection. In this app many elements are read from configuration documents that are loaded into beans and later used using ${} binding. This is recommended way as it is static information, so it's efficient. It works nicely until you insert expressions into your data. This way I realized that a lot of code is prone to code injection that can be contained either in configuration documents or any string that is stored and later read this way. To simulate the issue I created simple page with one field, one button and one text: All it does is saving entered value into applicationScope and then displaying it. Since the text uses ${} Compute o

XPagesPreloadDB more evil than good

While doing optimization of application load time I found that XPagesPreloadDB notes.ini parameter didn't work in way I expected. With quick google search I realized that I'm not the first one to hit this problem as John Dalgaard wrote about the issue few years ago  https://www.dalsgaard-data.eu/blog/caching-in-xpages-not-as-straightforward-as-you-would-believe/ . My goal was similar. Just preload configuration as it's loaded from several places and even worse it's loaded using SessionAsSigner. First of my issues was caused by my stupid mistake. I copied parameter in syntax for Notes client, so it contained server name. It worked, kind of. So if you want to try it, just check the URL from request that's processed by XPages and you get: With Notes.ini setting: XPagesPreloadDB=dev/pradny!!test/appload.nsf/entry.xsp result was: http://localhost:80/dev/pradny!!test/appload.nsf/entry.xsp Which is different context than you'd normally use, so it's actuall

Domino classic Java elements encoding problems

Recently I encountered a problem, where Notes Java agent contained strange characters. My Domino Designer was set to UTF-8 and everything looked fine when I changed those characters to correct ones, but only until I reopened this design element again. I tried to reproduce the issue in different VM, but the problem didn't occur and since I have never seen it before, I started to blame Windows 8 for that, since other VM was Windows 2003 and both were English versions with default region for non-Unicode programs set to Czech. Only option I had was to switch back to non-Eclipse editors, but when I tried to open the element, it looked even worse. For example this code (check the line with a comment): When reopened: When reopened in classic editor: This can get really bad when such characters occur in string constants. Only solution was to fix the element in classic editor and leave it this way. Not really good for development. Today, I was testing the agent again and