Thursday, February 24, 2005

JSP Custom Tags

Presumably I've been looking in the wrong places, but finding a simple example of creating a custom JSP tag eluded me. So, after much wrangling, here is my simple example:

test.jsp
<%@ taglib uri="/WEB-INF/my.tld" prefix="my" %>
<my:foo value="${some JSTL expression}"/>


my.tld
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE taglib PUBLIC
    "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN"
    "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">

<taglib>
    <tlib-version>1.0</tlib-version>
    <jsp-version>1.2</jsp-version>
    <short-name>My Tags</short-name>
    <tag>
        <name>foo</name>
        <tag-class>my.Foo</tag-class>
        <attribute>
            <name>value</name>
        </attribute>
    </tag>
</taglib>


Foo.java
package my;

import org.apache.taglibs.standard.lang.support.ExpressionEvaluatorManager;
import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

public class Foo
    extends TagSupport
{
    // Raw attribute text from the JSP; may still contain an unevaluated ${...} expression.
    private String _value;
    public String getValue() { return _value; }
    public void setValue(String value) { _value = value; }

    public int doStartTag()
        throws JspException
    {
        // The tag has no body to process.
        return SKIP_BODY;
    }

    public int doEndTag()
        throws JspException
    {
        try
        {
            // Evaluate the expression with the Apache JSTL implementation (non-portable).
            String result = (String) ExpressionEvaluatorManager.evaluate
            (
                "value", _value, String.class, this, pageContext
            );
            // Write the evaluated value, wrapped in brackets, to the page.
            pageContext.getOut().print("[" + result + "]");
        }
        catch (IOException ex)
        {
            throw new JspException("problem generating output", ex);
        }

        // Continue processing the rest of the page.
        return EVAL_PAGE;
    }
}


Note that even this is not the simplest possible example in that I've added JSTL expression evaluation, and done so in a non-portable manner. It strikes me as such a useful capability that I've included it anyway. The gotchas are that in addition to the obvious (the requirement to be using Tomcat, the need to import the Apache-specific implementation class and the need to call evaluate()), you need to remember to include JSTL's standard.jar in your classpath when compiling Foo.java and, if you're using Jasper at compile time (i.e. deploying .class files made from .jsp files ahead of time instead of deploying .jsp files and letting your container compile them on demand), you'll need to make certain that Foo.class is in Jasper's classpath so that it can perform its validation of your custom tags.
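
An added example, not part of the original post: Foo.doEndTag() writes the evaluated value into the page as-is, so any markup in that value reaches the browser unescaped. The sketch below applies the same five-character escaping that JSTL's <c:out> uses by default before wrapping the value in brackets; the class name SafeTagOutput, its render() helper and the sample values are hypothetical.

```java
// Added example (not the post's code): escape the evaluated attribute value
// before a custom tag writes it into the page.
public class SafeTagOutput {

    // Escapes the five characters that JSTL's <c:out> escapes by default.
    static String escapeXml(String s) {
        if (s == null) {
            return "";                       // render a missing value as empty
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The string Foo.doEndTag() would hand to pageContext.getOut().print(...),
    // i.e. print(SafeTagOutput.render(result)) instead of "[" + result + "]".
    static String render(String evaluated) {
        return "[" + escapeXml(evaluated) + "]";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the evaluated EL result.
        String[] samples = {
            "plain text",
            "<b>markup</b>",
            "Tom & \"Jerry\"",
            null
        };
        for (String sample : samples) {
            System.out.println(render(sample));
        }
    }
}
```

The second sample prints as [&lt;b&gt;markup&lt;/b&gt;], so the browser shows the literal text rather than interpreting it as markup.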

Wednesday, February 23, 2005

Moblogging

Oh the absurdity of it all. Having gotten blog posting working again (blogger.raz.cx bug) and worked out that my mobile 'net access problems were the result of an incompatibility between the phone and UKLinux.net's new modem bank, I am finding the temptation to post from the mobile to be irresistible. So, here it is - blog a la cellulare.

(Attempt #2 - #1 appears to have been eaten by a recently fixed mail-to-blog bug at blogger.raz.cx)

Wednesday, February 16, 2005

Oops. Is SHA-1 broken?

Schneier reports that a Chinese team has broken SHA-1. It appears that he's seen their (not yet public) paper and, while he can't yet tell whether the attack is real, notes that the paper is by a reputable team and appears to assume that it's for real.

How broken remains to be seen: a reduction from 2^80 to 2^69 hash operations to brute force it still appears to me to leave a very large problem for an adversary to solve, but it does mean that (s)he can solve it 2048 times as fast.

Scary.

Tuesday, February 15, 2005

Motorola A768i OTA sync, HTTPS

A while ago I did manage to get the phone to sync with Sync4J 2.2b3 over HTTP. Tonight I tried sync'ing via HTTPS; as far as I can tell, the phone will not even attempt to sync over HTTPS, it will merely report its inability to connect. Sniffing at the server did not even show TCP SYN (connection attempts).
The next obvious path for securing OTA sync is the Movian VPN client that came with the phone, but this appears to be a 60-connections-only evaluation license, and Certicom appears to have killed the product (license keys are no longer available) in October last year, before I received my phone in fact!
A further approach is the kernel's IPSec, if it's present - this is going to require some fiddling.
A final approach is SSH port forwarding or the like - again, this is going to require some fiddling.

One other note: the phone was connecting to and communicating with the same Sync4J instance that I used successfully a week or two ago, but this time, shortly after successful authentication, a "data communication error" was reported on the phone. More fiddling...

"That's no space-station, it's a moon!"

If only Obi-Wan had known. Cassini recently returned this image of Mimas, a 398Km moon of Saturn, photographed at a distance of 1.7 million Km. Fortunately that enormous crater is simply an impact crater named Herschel, not the reflector dish for a planet smashing weapon.

Thanks to Maggie Blukis for the link to the Guardian story.

UPDATE 15-Feb-2005: An even more recent image (16-Jan-2005) has been published, taken from a range of 213,000 Km which is a lot clearer. It doesn't show the crater at its Lucas-esque angle of the first though.

Sunday, February 13, 2005

Hero Worship

I regularly read the blogs of both Seth Godin and Hugh Macleod. They seem to me to be on a similar wavelength, although they tend to cover different ground (Hugh's Hughtrain is a strategic mindset for marketers who have finally grokked that markets are made of people and that people are constantly looking for something to believe, Seth's Permission Marketing is a tactical approach to communicating successfully with markets that are made of people who are sick of being treated as though they are not people).

It now seems that in addition to noticing each other they've noticed that they've noticed each other, which has led Hugh to remark:
Being called "my hero" by... ermmm... my hero is pretty freaky. Heh.

Thursday, February 10, 2005

Babooshka, do you like pina-colada?

You know the songs, now transplant to a chat room re-meeting between a Jordanian husband and wife. The Internet has had a profound impact in the western world; I can't help wondering whether the eventual impact in the Islamic world might not be even greater.

Thanks to Andrew Morton for the link.

Wednesday, February 09, 2005

Boarding gate ID checks, who needs them?

Predicating any "security" on possession of documents is a tricky business to begin with, but using a boarding pass as a key element in airline security, particularly when many airlines allow passengers to print them at home, is ludicrous. Nonetheless this appears to be exactly what the US TSA is permitting. The reasoning appears to be that because a boarding pass has been compared to a government-issued ID at the security checkpoint, IDs therefore need not be checked at boarding. This provides a trivial circumvention of the no-fly list.

One exquisite consequence of this is that would-be-terrorists (who aren't permitted to purchase airline tickets in their own names) are saved the tedium of forging government IDs: they need merely buy a ticket in someone else's name (e.g. with a stolen credit card, the ticket being in the name of the card-holder) and then print a boarding pass which matches their real government-issued ID. "Forging" a boarding pass, particularly when airlines intend them to be printed at home and therefore supply a template, is so much easier than forging a passport.

Tuesday, February 08, 2005

These Weapons of Mass Destruction cannot be displayed