@AdamBien
Created October 4, 2016 05:25
32ndAirhacksQ&A.md
ghost commented Oct 27, 2016

Hi Adam,

in a project for a large and very security-affine client the question was raised how to "manage" security patches in Docker containers automatically. (E.g. there is a container that relies on a php:apache container, where security patches for PHP should be installed immediately for the application container.)

The reason is that neither the client nor we are aware of all the security patches that will come up in the future. So we're looking for an automated solution that periodically looks for updates of container images (and their parent images) and rebuilds and/or restarts the containers with the fetched image updates.

Is there any solution you could suggest?

Just restarting a container will fetch updates from the actual image, but this image will not be built automatically when a parent image (e.g. FROM centos:latest) is changed.

Thx a lot + Regards,
Robert

@mmonge

mmonge commented Nov 1, 2016

Hello Adam,

I'm having a problem with a JAX-RS API. I have a resource called 'certificates' and a POST method, generate, like this:

```java
// ... package, imports and application/json
@Path("certificates")
public class CertificatesResource {
    // ... other injects and variables
    @Context
    UriInfo uriInfo;
    // ... other methods

    @POST
    public Response generate(@Valid PostCertificatePayload payload) {
        // ... some logic and persistence producing the stored 'certificate' entity
        URI location = uriInfo.getAbsolutePathBuilder().path("/" + certificate.getId()).build();
        return Response.created(location).build();
    }

    // ... other methods
}
```

(Sorry for pasting code but I thought it was the easiest way.)

It works perfectly if I consume the service directly, but I need a balancer (currently an nginx proxy), and with the balancer the Location header contains the name of the backend server. Ex:

POST /api/resources/certificates/ HTTP/1.1
Host: nginx.localdomain

HTTP/1.1 201 Created
Server: nginx/1.10.1
Location: http://wildfly.localdomain:8080/api/resources/certificates/5eb377b3-c051-461c-b0f8-fcf3ec48f030

As you can see, the Location header points to the WildFly server, which is not accessible from the DMZ. What could be the nifty way to solve this? Currently I created a parameter in a table with the host that it should return (boring solution).

And even harder, I'm using Apiman and it exposes a different context path. Ex:

POST /apiman-gateway/Organization/api/1.0/certificates/ HTTP/1.1
Host: apigw.localdomain

HTTP/1.1 201 Created
Server: nginx/1.10.1
Location: http://wildfly.localdomain:8080/api/resources/certificates/5eb377b3-c051-461c-b0f8-fcf3ec48f030

As you can see I need the Location header to be https://apigw.localdomain/apiman-gateway/Organization/api/1.0/certificates/5eb377b3-c051-461c-b0f8-fcf3ec48f030.

The final scenario is:

dmz-nginx -> dmz-apiman -> internal-nginx -> internal-wildfly

Have you encountered a scenario like this before? How do you solve the Location header problem?

Thank you and best regards,
Marvin M.
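One way to handle this, as an added example that is not from this thread or from any project mentioned in it: a JAX-RS `ContainerResponseFilter` that rebuilds `Location` from the `X-Forwarded-*` headers the proxy sets, so the client sees the public scheme, host and path prefix instead of the internal WildFly URL. The `X-Forwarded-Prefix` header, the public-host allow-list values and the class name are assumptions.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;
// Rewrites Location to the scheme, host and path prefix the reverse proxy exposes to clients.
// Relies on the proxy setting X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Prefix
// (the last is common but not standardised; assumed here). Only sound when WildFly is
// reachable exclusively through that proxy and the proxy overwrites these headers rather
// than passing client-supplied values through.
@Provider
public class ForwardedLocationFilter implements ContainerResponseFilter {
    // Constructed allow-list of public hosts; any other forwarded host leaves Location as is.
    private static final Set<String> PUBLIC_HOSTS =
            new HashSet<>(Arrays.asList("apigw.localdomain", "nginx.localdomain"));

    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext res) {
        Object raw = res.getHeaders().getFirst(HttpHeaders.LOCATION);
        String host = firstForwarded(req, "X-Forwarded-Host");
        if (raw == null || host == null || !PUBLIC_HOSTS.contains(host.split(":")[0])) {
            return;
        }
        URI internal = URI.create(raw.toString());
        // Accept only an upgrade to https; anything else keeps the scheme WildFly used
        String scheme = "https".equals(firstForwarded(req, "X-Forwarded-Proto")) ? "https" : internal.getScheme();
        String prefix = firstForwarded(req, "X-Forwarded-Prefix");
        // Path of this JAX-RS application as the container sees it, e.g. "/api/resources/"
        String basePath = req.getUriInfo().getBaseUri().getPath();
        String path = internal.getPath();
        String relative = path.startsWith(basePath) ? path.substring(basePath.length()) : path;
        String publicPrefix = noTrailingSlash(prefix != null ? prefix : basePath);
        String rebuilt = scheme + "://" + host + publicPrefix + "/"
                + (relative.startsWith("/") ? relative.substring(1) : relative);
        res.getHeaders().putSingle(HttpHeaders.LOCATION, URI.create(rebuilt));
    }

    // First entry of a possibly comma-separated forwarded header, or null if absent or blank.
    private static String firstForwarded(ContainerRequestContext req, String name) {
        String v = req.getHeaderString(name);
        if (v == null) return null;
        String first = v.split(",")[0].trim();
        return first.isEmpty() ? null : first;
    }

    private static String noTrailingSlash(String s) { return s.endsWith("/") ? s.substring(0, s.length() - 1) : s; }
}
```

For the Apiman case above, a request carrying `X-Forwarded-Proto: https`, `X-Forwarded-Host: apigw.localdomain` and `X-Forwarded-Prefix: /apiman-gateway/Organization/api/1.0/` turns the internal Location into `https://apigw.localdomain/apiman-gateway/Organization/api/1.0/certificates/<id>`. The proxy must set these headers explicitly (in nginx, `proxy_set_header X-Forwarded-Host $host;` and friends) so that a value supplied by the client never reaches WildFly.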


@sajjadG

sajjadG commented Nov 7, 2016

Hi Adam,

What is/are the approach(es) you take to secure your RESTful web services?

After a long struggle with Apache Shiro, I decided to get rid of it and write my own authentication and authorization annotations and use them for my microservices.
But I'm not sure if I'm heading in the right direction. I wanted to ask an expert.
Thanks.

@AdamBien

AdamBien commented Nov 7, 2016

@lightbend @AdamBien #microservices is not a goal. The goal is scalable dev process. For some companies mservices on top of #JavaEE are fine

— Lukasz Wachowicz (@vachacz) November 3, 2016

@ggam

ggam commented Nov 7, 2016

Hi Adam,

When developing a REST application, what's your approach for deploying the (JS-based) UI? Do you put it in the same WAR? Create two separate WARs and deploy them to independent server instances? Just copy the JS app to the www folder of an Apache HTTP server?

Thanks!

@davidsoles

Hi Adam,

My question is about JDBC vs ORM, because almost every project or tutorial includes the use of an ORM (EclipseLink, Hibernate, Apache Cayenne), but what about the performance? The benefits from the developer's perspective are very clear. Maybe you recommend the use of an enhanced JDBC like Spring JDBC Template or Apache Commons DbUtils.

Thanks in advance.

@AdamBien

AdamBien commented Nov 7, 2016

What does SERIALIZABLE mean in a transaction context?

@csabee

csabee commented Nov 8, 2016

Just a small comment on the "JDBC vs ORM" subject (after seeing the podcast):

We have worked on a huge statistical analysis system, where there were KPI graphs for the clients. One of the KPI graphs involved querying about 5-10M records from the database (it was a table with about 700M records). The select speed and transport to the application server was nothing (we were using a very well-performing MS SQL Server, and we only queried the table by the unique indexes): ~1-10 sec.

BUT: processing this amount of data was very slow on the JPA side (it doesn't matter whether you use Hibernate or EclipseLink), since it instantiates a huge number of objects through reflection. So using JDBC was the only option here if we wanted to process all those records in acceptable time. In my experience, there is a record count that is the dividing line between JPA and JDBC. So if your queries return no more than 1000-10000 records, you can safely go with JPA. In any other case, rather use JDBC.

One of my previous colleagues had experience with querying more records, but he stated that above 250000 selected records it had a huge performance impact on Hibernate.
