Mark S. Kolich

Configuring Apache to Tunnel SSH Through an HTTP Web-Proxy with Proxytunnel

2011-12-31T21:00:00Z

Here's the situation, I'm often on a network that does not allow outbound traffic on port 22. Meaning, I cannot directly "SSH out" from that network to my Linux box at home. Fair enough. However, this network does allow outbound traffic on ports 80, 443, and 8443 via a web-proxy. That said, if I want to "SSH out" from this network to my Linux box at home, I can do so with a little tweaking of my remote Apache server and my local SSH client.

Here's how ...]]> 1 - Overview

First, you'll need to configure your Apache web-server to accept traffic on a port that's acceptable to the web-proxy. In my case, I don't have anything running on port 8443, and the web-proxy allows traffic through port 8443, so that's perfect. Apache will be configured to listen on 8443, and act as a "proxy" between an SSH client and an SSH server (usually the SSH server running on the box you're trying to connect to).

Second, on the client side, you'll be using something like Proxytunnel to punch a hole through the web-proxy allowing your SSH client to connect to an SSH server of your choice.

Putting it all together, the basic flow is ...

Your local SSH client uses Proxytunnel to connect to web-proxy.corp.example.com:3128
Web-proxy.corp.example.com connects to Apache running at yourwebserver:8443
Your Apache server, acting as yet another proxy, connects to yoursshserver:22
It works!

2 - Install and Configure Proxytunnel

If you're on Ubuntu, you can install Proxytunnel with the following command:

#/> sudo apt-get install proxytunnel

Once installed, edit your ~/.ssh/config file to instruct your SSH client to use Proxytunnel when connecting to the destination host:

## ~/.ssh/config

Host kolich.com
  Hostname kolich.com
  ProtocolKeepAlives 30
  ProxyCommand /usr/bin/proxytunnel \
    -p web-proxy.corp.example.com:3128 \
    -r kolich.com:8443 -d %h:%p \
    -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

In this example, when my SSH client makes an attempt to connect to kolich.com:22, it will spawn Proxytunnel which will then route my connection through web-proxy.corp.example.com:3128 and on to kolich.com:8443. This seems really convoluted, but it actually works quite well.

Note that I'm spoofing a somewhat real User-Agent to prevent suspicion from the system administrators running web-proxy.corp.example.com. If you're a system administrator that runs such a web-proxy, please accept my apologies for making your life even more difficult.

3 - Configure mod_proxy on Apache

Now that you've got the client part figured out, you'll need to configure Apache's mod_proxy module to proxy traffic between yourwebserver:8443 and yoursshserver:22. In all likelihood, your web-server and SSH server are the same box. At least, in my home, they are.

Oh, and I assume you already have Apache and mod_proxy installed, and working. There are ton of other tutorials and nice blog posts online about how to install and setup Apache if you don't already have it installed and functional.

In my Apache virtual host configuration, I've added another V-host listening on port 8443 that will only accept CONNECT requests bound for kolich.com on port 22:

## Load the required modules.
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

## Listen on port 8443 (in addition to other ports like 80 or 443)
Listen 8443



  ServerName youwebserver:8443
  DocumentRoot /some/path/maybe/not/required
  ServerAdmin admin@example.com

  ## Only ever allow incoming HTTP CONNECT requests.
  ## Explicitly deny other request types like GET, POST, etc.
  ## This tells Apache to return a 403 Forbidden if this virtual
  ## host receives anything other than an HTTP CONNECT.
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} !^CONNECT [NC]
  RewriteRule ^/(.*)$ - [F,L]

  ## Setup proxying between youwebserver:8443 and yoursshserver:22

  ProxyRequests On
  ProxyBadHeader Ignore
  ProxyVia Full
  
  ## IMPORTANT: The AllowCONNECT directive specifies a list
  ## of port numbers to which the proxy CONNECT method may
  ## connect.  For security, only allow CONNECT requests
  ## bound for port 22.
  AllowCONNECT 22

  ## IMPORTANT: By default, deny everyone.  If you don't do this
  ## others will be able to connect to port 22 on any host.
  
    Order deny,allow
    Deny from all
  

  ## Now, only allow CONNECT requests bound for kolich.com
  ## Should be replaced with yoursshserver.com or the hostname
  ## of whatever SSH server you're trying to connect to.  Note
  ## that ProxyMatch takes a regular expression, so you can do
  ## things like (kolich\.com|anothersshserver\.com) if you want
  ## to allow connections to multiple destinations.
  
    Order allow,deny
    Allow from all
  

  ## Logging, always a good idea.
  LogLevel warn
  ErrorLog logs/yourwebserver-proxy_error_log
  CustomLog logs/yourwebserver-proxy_request_log combined

Once you get everything integrated, restart Apache and you should be golden.

4 - Under the Hood

To prove that everything works, let's try a few things.

First I'm going to telnet to web-proxy.corp.example.com:3128. Then, I'm going to tell it to connect to kolich.com:8443. Finally, I'm going to tell Apache on kolich.com:8443 to connect to kolich.com:22. This is exactly the same flow used by Proxytunnel under the hood.

(mark@ubuntu)~> telnet web-proxy.corp.example.com 3128
Trying 10.10.10.10...
Connected to web-proxy.corp.example.com (10.10.10.10).
Escape character is '^]'.
CONNECT kolich.com:8443 HTTP/1.1
Host: kolich.com

HTTP/1.0 200 Connection Established

CONNECT kolich.com:22 HTTP/1.1
Host: kolich.com

HTTP/1.0 200 Connection Established
Proxy-agent: Apache

SSH-2.0-OpenSSH_4.3

Sweet! Notice the raw "SSH-2.0-OpenSSH_4.3" response from the SSH server, indicating a successful connection. Now, If I was a real SSH client, I'd continue the handshake and away we go.

So, from a real SSH client with Proxytunnel enabled ...

(mark@ubuntu)~> ssh mark@kolich.com
Via web-proxy.corp.example.com:3128 -> kolich.com:8443 -> kolich.com:22
mark@kolich.com's password:

Last login: Sat Dec 31 12:53:22 2011 from gateway.kolich.local
(mark@server)~>

It works! Notice the intermediate "Via web-proxy.corp.example.com:3128 -> kolich.com:8443 -> kolich.com:22" output from Proxytunnel telling me what it's doing to connect. And of course, look at that beautiful shell prompt.

SSH through a web-proxy, I love it.

Enjoy.

Resolve Custom Object Arguments in a Spring 3 Controller @RequestMapping Annotated Method

2011-07-31T01:25:00Z

Spring 3 is great at automatically resolving standard arguments into a controller request method. For example, a primitive Spring controller might look like this ...

@Controller
@RequestMapping(value="/somepath")
public class MyController {

  @RequestMapping(method={RequestMethod.GET, RequestMethod.HEAD})
  public ModelAndView someMethod(final HttpServletRequest request,
    final Principal principal) {
    // Extract some special object needed to process the request from
    // the session -- this object is bound to the session elsewhere on
    // a successful authentication.
    final MyObject obj = (MyObject)request.getSession().getAttribute("myobjkey");
    // Do actual work.
    /* ... */
    return new ModelAndView("someview");
  }

}

In this case, Spring knows the HttpServletRequest argument represents the incoming Servlet request, and the Principal argument is the object representing the authenticated user (in the event that you're using Spring Security to manage authentication in your web-application). On method invocation, Spring automatically resolves these arguments for you. Neat!

However, the repetition becomes obvious where in every controller, you need to fetch the same MyObject from the session, over and over again. Instead of repeating that line of code in every method of every controller that needs access to MyObject, what if you could tell Spring how to resolve MyObject automatically on invocation?]]> bound it to the session on a successful authentication (either on your own or via Spring Security) ...

import java.util.UUID;

public final class MyObject {

  // A unique and static identifier.
  private UUID id_;

  public MyObject() {
    id_ = UUID.randomUUID();
  }

  public UUID getId() {
    return id_;
  }

}

Good news! Spring can automatically resolve an argument of type MyObject if used as an argument into a controller request method.

1 - Meet WebArgumentResolver

The WebArgumentResolver interface let's you define a bean that tells Spring where to find a custom argument of any type when used in a controller request method. Here's an example that tells Spring where to find an argument of type MyObject bound to the session ...

import static javax.servlet.jsp.PageContext.SESSION_SCOPE;

import org.springframework.core.MethodParameter;
import org.springframework.web.bind.support.WebArgumentResolver;
import org.springframework.web.context.request.NativeWebRequest;

public class SessionExtractingWebArgumentResolver implements WebArgumentResolver {

  @Override
  public Object resolveArgument(final MethodParameter mp,
    final NativeWebRequest nwr) throws Exception {
    Object argument = UNRESOLVED;
    if(mp.getParameterType().equals(MyObject.class)) {
      // Assumes that a MyObject is bound to the session elsewhere using
      // attribute key "myobjkey" on a successful authentication.
      if((argument = nwr.getAttribute("myobjkey", SESSION_SCOPE)) == null) {
        throw new Exception("Fail, no MyObject bound to session!");
      }
    }
    return argument;
  }

}

Now that we've defined our WebArgumentResolver bean, we can wire it into in our Spring MVC configuration.

2 - Wire it Into Spring MVC

Wire your custom WebArgumentResolver into Spring's AnnotationHandlerMethodAdapter using a quick declaration in your Spring MVC XML configuration. Here's an example ...

Yay! Now, if Spring encounters a MyObject argument in a controller request method, it will look it up using our custom WebArgumentResolver and extract it from the session accordingly.

3 - An Improved Controller

Now that Spring can resolve MyObject automatically, we can use it as an argument into any controller request method ...

@RequestMapping(method={RequestMethod.GET, RequestMethod.HEAD})
public ModelAndView betterMethod(final MyObject my) {
  /* ... */
}

Great! No more ugly repetition, and less code. That's a win-win, baby.

Enjoy.

More Fun with RFC 2397 -- The "data" URL scheme and Mobile Networks

2011-01-21T22:20:00Z

In July of '09, when I first learned of the "data" URL scheme, I was pumped. With a little work, my web-applications could use the "data" URL scheme to embed actual base-64 encoded binary image data directly inside of my HTML and CSS. In the same post, I subsequently commented on why this scheme can be incredibly useful, especially for mobile web-applications or API's that service mobile apps. Even with significant advances in wireless networks over the past several years, traditional HTTP continues to lag (for the most part) over poor 3G and 4G networks. For this reason, the "data" URL scheme can be a life saver -- you can embed binary image data directly inside of your HTML and CSS, freeing the device from initiating wasteful HTTP transactions to load these images later.

Today marked yet another personal milestone for my usage of the "data" URL scheme. Building an API that services a mobile app for the HP/Palm webOS platform, I quickly rediscovered the importance of this scheme. It turns out I can embed base-64 encoded binary image data in a JSON response payload that is sent directly to a wireless webOS device! What this means, is that I can build my API resource to send everything the app requested, including any additional external resources like images, in a single HTTP response!]]> 1 - An Example

Imagine the app is fetching details about a user from my API. The HTTP request leaving the app might look something like this ...

GET /user/markkolich.json HTTP/1.1
Host: api.example.com
User-Agent: webOS

... and a normal HTTP response might look something like this ...

HTTP/1.0 200 OK
Date: Fri, 21 Jan 2011 23:09:32 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 78
Vary: Accept-Encoding,User-Agent
Connection: close

{
 "user":"markkolich",
 "name":"Mark Kolich",
 "avatar":"http://api.example.com/images/markkolich.png"
}

Nothing special. But note that the API response, a JSON object, contains a URL to an avatar image which in all likelihood the app will need to fetch and display later. The problem here, is that now that the app has the response in its hands, it has to turn around and kick off yet another HTTP transaction to load the image from the provided URL. And that additional fetch could be very painful over a slow wireless network with quite a bit of latency.

2 - The "data" URL Scheme to the Rescue

Instead of the API sending just a URL that points to an image, it could also include the actual image data itself, a base-64 encoded "data" URL in the JSON response. For example:

{
 "user":"markkolich",
 "name":"Mark Kolich",
 "avatar":{
  "url":"http://api.example.com/images/markkolich.png",
  "data_uri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAA
    ABCAAAAAA6fptVAAAAAnRSTlMA/1uRIrUAAAACYktHRAD+8Ij8KQAAAAlwSFlz
    AAAASAAAAEgARslrPgAAAAl2cEFnAAAAAQAAAAEAx5Vf7QAAAApJREFUCNdj+A
    8AAQEBABu27lYAAAAASUVORK5CYII="
 }
}

I know that this isn't technically valid JSON because I'm line wrapping in the middle of the base-64 encoded image payload; I'm wrapping so that I can fit the entire JSON block into a single column on my blog for display purposes. For the record, your data payload shouldn't have any line breaks in it.

Looking at the new response, this is far superior to sending just a URL that points to an image. Yes, we're sending a little more data, but now the app does not have to initiate another HTTP transaction to load the avatar. Due to the usually poor latency of wireless networks (EDGE, 3G, 4G, etc.), and the natural overhead of HTTP, it's far better to send more data at once in a single transaction than over multiple smaller transactions.

Finally, in JavaScript, sourcing the encoded image data into an actual Image object is trivial:

// Assume userObj is the JSON object returned
// in my example response above.
var userObj = { /*...*/ };

// Straight up.
(new Image).src = userObj.avatar.data_uri;

// Maybe you prefer jQuery?
$("").attr("src", userObj.avatar.data_uri);

Assuming your app platform supports the "data" URL scheme (yes, the HP/Palm webOS platform does), this strategy wins every time, hands down.

3 - The "data" URL Format

Putting it all together, the RFC 2397 says the accepted syntax/format of data URI's are as follows:

data:[][;base64],

So you'll need to define a media type (the Content-Type), declare that the data is base-64 encoded and provide an encoded payload.

4 - Determining the Content-Type

If you don't already know the Content-Type of the image you plan to base-64 encode, then you'll have to discover it. This isn't too hard, and involves writing a bit of code that checks the header of your image to determine its type. If you examine the specs of each image format you plan to support, you'll probably find that ...

a. Every JPEG-image starts with a quick 2-byte "Start of Image" (SOI) marker:

0xFF D8

b. Every PNG-image starts with a fixed 8-byte signature:

0x89 50 4E 47 0D 0A 1A 0A

c. Every GIF-image starts with a fixed 3-byte signature:

0x47 49 46

I'm not going to post any sample solutions here, because iterating over byte[] arrays and comparing values to determine an image format is trivial. However, in Java, it may help you to think of each image format as a value in an enumeration:

public enum ImageContentType {
  
  PNG("image/png", new byte[]{
    (byte)0x89, (byte)0x50, (byte)0x4E, (byte)0x47, 
    (byte)0x0D, (byte)0x0A, (byte)0x1A, (byte)0x0A
    }),

  JPEG("image/jpeg", new byte[]{
    (byte)0xFF, (byte)0xD8
    }),

  GIF("image/gif", new byte[]{
    (byte)0x47, (byte)0x49, (byte)0x46
    });
  
  private String contentType_;
  private byte[] header_;
  
  private ImageContentType(String contentType, byte[] header) {
    contentType_ = contentType;
    header_ = header;
  }
  
  public byte[] getHeader() {
    return header_;
  }
  
  public String getContentType() {
    return contentType_;
  }
  
  @Override
  public String toString() {
    return getContentType();
  }
  
  public static final ImageContentType getContentType(final byte[] image) {
    ImageContentType ict = null;
    for(final ImageContentType type : ImageContentType.values()) {
      /* compare the header of image[] to type.getHeader() */
    }
    return ict;
  }
  
}

Of course, you could always just check the file extension of the image you plan to encode, and determine a Content-Type based on that. In other words, if the resource ends in .jpg then you could assume, with reasonable certainty, that the Content-Type is image/jpeg. However, only relying on the file extension to tell you the format can be a dangerous strategy if you're not careful.

5 - Encode and Assemble

Now that you know the Content-Type, you can base-64 encode the image payload and assemble a valid "data" URI string. Don't bother writing a base-64 encoder from scratch, since there are many wonderful open-source implementations available for free. The most popular seems to be in the Apache Commons Codec library. Specifically, take a peek at org.apache.commons.codec.binary.Base64.

So, here's some pseudo code illustrating how to put it all together ...

import org.apache.commons.codec.binary.Base64;

private static final String DATA_URI_SCHEME = "data:%s;base64,%s";

/* ... */

// Create a new Base64 object, setting the line length to zero
// so that the output is not chunked (e.g., no line breaks).
final Base64 b64 = new Base64(0);

// Some image data, that you've fetched elsewhere.
final byte[] image = ...;

// Discover the image format.
final ImageContentType ict = ImageContentType.getContentType(image);

// Encode the image.
byte[] encoded = b64.encodeBase64(image);

// Convert the encoded byte array into its String representation.
// Base-64 is just ASCII, to this is totally fine.
String imageEncoded = new String(encoded, "UTF-8");

/* ... */

// Build the data URI String for inclusion in our API response.
final String dataUri = String.format(DATA_URI_SCHEME,
  ict.toString(), imageEncoded);

Now that you've assembled a valid data URI String, it's simple to attach it to a JSON object and return it to the caller.

Have fun!

Remember to Close Your Streams When Using Java's Runtime.getRuntime().exec()

2011-01-05T22:25:00Z

For more than a year, I got away with forgetting to close my standard I/O streams when spawning a process in Java with Runtime.getRuntime().exec(). On Linux, I was using exec() to spawn the df command to check my file system disk space usage. Standard out from df was piped into the parent (Java) where I parsed the output to see if any partitions were getting full. Simple enough, right?

In December 2010, I began experimenting with Java's next generation garbage collection engine, aptly named G1 (a.k.a., Garbage First). Assuming you have Java 6 Update 14 or later you can enable the next-generation G1 garbage collector (still experimental as of Jan 2011) using the following JVM options:

-XX:+UnlockExperimentalVMOptions -XX:+UseG1GC

This post isn't about G1, so I'm not going to dig into the nitty-gritty on garbage collection. However, I discovered that G1 isn't as aggressive as the current Java garbage collector with regards to cleaning up streams. Bug in G1? Maybe, maybe not. Regardless, my app ran for a week or two with G1 enabled then I started to see all sorts of silly java.net.SocketException's claiming I had "Too many open files". Using the trusty lsof command, I saw that my Java process had left open a ton of stranded pipes. Definitely an indication of a leak somewhere ...

#/> lsof -p 23064 | grep pipe
...
java    23064 mark  996w  FIFO    0,7    152581 pipe
java    23064 mark  997r  FIFO    0,7    152309 pipe
java    23064 mark  998r  FIFO    0,7    152448 pipe
java    23064 mark  999w  FIFO    0,7    152720 pipe
java    23064 mark 1000w  FIFO    0,7    152859 pipe
java    23064 mark 1001r  FIFO    0,7    152583 pipe
java    23064 mark 1002w  FIFO    0,7    153134 pipe
java    23064 mark 1003r  FIFO    0,7    152722 pipe
java    23064 mark 1004w  FIFO    0,7    154801 pipe
java    23064 mark 1005r  FIFO    0,7    152861 pipe
java    23064 mark 1006w  FIFO    0,7    152997 pipe
java    23064 mark 1007w  FIFO    0,7    153564 pipe
java    23064 mark 1008r  FIFO    0,7    152999 pipe
java    23064 mark 1009r  FIFO    0,7    153136 pipe
java    23064 mark 1010r  FIFO    0,7    153278 pipe
java    23064 mark 1011w  FIFO    0,7    153406 pipe
java    23064 mark 1012w  FIFO    0,7    153713 pipe
...

With a little persistence, I crawled through my code looking for any obvious problem spots -- places where I forgot to close a stream -- and discovered that my calls to exec() were problematic. Calling exec() returns a Process object for the child where all standard I/O ops are redirected to the parent through three streams: STDOUT, STDIN, STDERR. It turns out you have to explicitly close these streams when you're done with the child otherwise they are left open! And, as you can see in the lsof output above, I was not closing these streams causing a nasty leak which eventually brought down my application.

Going back to differences in the garbage collectors, it seems that the current default garbage collector cleaned up after my mess (closed the streams for me), but G1 did not. Hence why I never saw the "Too many open files" exception until I enabled G1.

That said, the undocumented proper way of handing a Process object and its corresponding I/O streams is to wrap the exec() call in a try-finally block, closing the STDOUT, STDIN, and STDERR streams when you're done with the Process object. The abstract class java.lang.Process exposes these three streams to you via getOutputStream(), getInputStream() and getErrorStream() which you must explicitly close.

Here's the pseudo code:

import static org.apache.commons.io.IOUtils.closeQuietly;

Process p = null;
try {
  p = Runtime.getRuntime().exec(...);
  // Do something with p.
} finally {
  if(p != null) {
    closeQuietly(p.getOutputStream());
    closeQuietly(p.getInputStream());
    closeQuietly(p.getErrorStream());
  }
}

Note that closeQuietly() is part of the Apache Commons IOUtils library -- it's a helper method to close a stream ignoring nulls and exceptions. With this change in place, I redeployed my app and sure enough the problem was resolved.

Lesson learned: regardless of what garbage collector you're using, it's always a good idea to explicitly close the STDOUT, STDIN, and STDERR streams associated with a Process object when you are done with it.

Enjoy.

Reduce Storage Costs in the Cloud: GZIP Compress Binary Streams with Java

2010-12-23T19:00:00Z

Let me start by saying that most cloud storage solutions are relatively cheap to begin with, so compressing entities or streams stored in a database table or an elastic cloud store may not save you all that much. Purely in terms of cloud storage costs, you might save pennies or at most dollars if you compress optimally. In this case, optimally meaning you know your payloads will GZIP compress nicely and it makes sense to do so. In fact, if you forcefully compress entities unnecessarily you may actually increase their size!

Let's say you have a "bucket" in which you plan to store hundreds or even thousands of cached HTML documents. Common sense might tell you that HTML compresses well. Your tiger like Computer Science instincts were right: HTML, generally speaking, does compress well and is a great candidate for compression. Obviously, less bytes stored in the cloud usually means slightly reduced storage costs.

In Java, most applications represent HTML as a String literal which is really just a sequence of characters. Or to look at it another way, HTML can be thought of an array of bytes with a known character encoding. Thinking in terms of bytes, it's quite easy to GZIP compress and uncompress byte[] arrays on the fly in Java. Meet GZIPInputStream and GZIPOutputStream.

GZIP compress an InputStream and return the result as a new byte[] array:

public static final byte[] compress(final InputStream is)
  throws IOException {
  GZIPOutputStream gzos = null;
  try {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    gzos = new GZIPOutputStream(baos);
    copy(is, gzos);
    gzos.finish(); // Important!
    return baos.toByteArray();
  } finally {
    closeQuietly(gzos);
  }
}

GZIP uncompress an InputStream and return the result as a new byte[] array:

public static final byte[] uncompress(final InputStream is)
  throws IOException {
  GZIPInputStream gzis = null;
  try {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();    
    gzis = new GZIPInputStream(is);
    copy(gzis, baos);
    return baos.toByteArray();
  } finally {
    closeQuietly(gzis);
  }
}

First, note that I'm using ByteArrayOutputStream's to store the resulting compressed or uncompressed byte[] array in memory. Naturally, this means that this solution may not be ideal for you depending on your application. If you're planning to compress gigs of data in memory, that could be a bad idea unless you really know what you're doing. Proper usage of this really depends on your application and your intentions.

Second, the copy() and closeQuietly() pseudo methods above are implemented for you here in my GzipCompressor utility class.

Looping back to our cached HTML example, let's compress a tiny HTML document represented here as a String:

// Note that this HTML is tiny, and probably won't compress well at all.
// In fact, the "compressed" result may actually be larger in size than
// the uncompressed original String.  This is just an example however,
// to show you how to compress a String literal.
final String html = "Horrible HTML
";

// Get the UTF-8 encoded bytes from the input String.  I'm assuming
// that my HTML document is UTF-8 encoded.
final byte[] uncompressed = html.getBytes(UTF_8);
System.out.println("Uncompressed: " + uncompressed.length + "-bytes.");

// Compress and report the result.
final byte[] compressed = compress(uncompressed);
System.out.println("Compressed: " + compressed.length + "-bytes.");

Now that you have a compressed byte[] array, it should be trivial to store it in the cloud using your favorite cloud storage engine or database. Ideally, you'll want to tweak your entities so that PUT's and GET's automatically compress and uncompress these entities on the fly for you.

My full GzipCompressor utility class can be found here.

Enjoy.

Set the Cache-Control and Expires Headers on a Redirect with mod_rewrite

2010-12-11T20:25:00Z

In many web-service infrastructures, it's often desirable to disable the caching of redirects. Specifically, you might want to set the Expires or Cache-Control headers so that your 301 or 302 redirects from Apache's mod_rewrite are never cached upstream. Off the top of my head, I can think of a number of reasons why you might want to prevent the caching of a redirect:

Your redirect may change from one request, to the next. Disable caching so the client (the browser) isn't redirected to the same destination every time.
Your web-application is behind a reverse caching proxy, and you don't want the caching proxy to cache the redirect.
In development, you're sitting behind a corporate web-proxy that is notorious for caching content when it really shouldn't. Disable caching on the redirects so you can verify that your web-application is working as expected during testing (assuming the web-proxy obeys your Cache-Control and Expires headers).
Your web-application counts how many times someone is redirected. Disable caching so your click-through statistics are a bit more accurate.

Surprisingly, this seemingly common need isn't well documented in the official Apache docs. So, here's how to do it.

In this example, I'm redirecting based on the Host. If the incoming request does not match the Host I require, mod_rewrite triggers a 301 redirect to the correct Host. Of course, your RewriteCond's might be different.

RewriteCond %{HTTP_HOST} !^mark\.koli\.ch [NC]
RewriteRule ^/(.*)$ http://mark.koli.ch/$1 [R=301,L,E=nocache:1]

## Set the response header if the "nocache" environment variable is set
## in the RewriteRule above.
Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache

## Set Expires too ...
Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache

In this example, when the RewriteRule is fired the "nocache" environment variable is set. Note the E=nocache:1 rewrite flag in the RewriteRule. Subsequently, mod_headers will set the Cache-Control and Expires headers only if this "nocache" environment variable is set. In other words, "nocache" is only set on a 301 redirect from the RewriteRule.

This works nicely.

GET /wombat HTTP/1.1
Host: koli.ch

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Dec 2010 19:36:09 GMT
Location: http://mark.koli.ch/wombat
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 230
Content-Type: text/html; charset=iso-8859-1
Connection: close

Yay for HTTP.

Tri-Monitor Configuration With an HP Z600 Workstation and Dual Nvidia Quadro FX 1800's

2010-12-03T22:50:00Z

For months, I've had a spare 20" HP LCD-2065 display sitting under my desk at the office. With a few extra cycles on my hands, I decided to take half-a-day and setup a truly bad ass developers workstation: three, 20-inch monitors, Xinerama'ed to produce a single 4800x1200 pixel desktop (each display driving 1600x1200 @ 60 Hz). And, best of all, the HP Z600 Workstation powering this monster is running 64-bit 10.04 Ubuntu Linux.

Not bad, eh?

Here's how I did it ...]]> Nvidia Quadro FX 1800 PCIe card. This really isn't a bad graphics card, but if you have one of these and you expect to drive three displays with a single FX 1800, you should stop right there. Turns out, even though the Quadro FX 1800 offers three display outs (2 displayPorts and 1 DVI) the card will not let you use all three outs at once. At most, in any configuration, you'll be able to drive only two displays with the FX 1800: either using both displayPorts, or one displayPort and the DVI out.

So what if you want to drive 3-displays on a Z600? Well, you have two choices: get another Quadro FX 1800 and insert it into the 2nd PCIe x16 slot, or find another graphics card that's supported by the latest Nvidia driver. Lucky for me, I was able to get my hands on an extra Quadro FX 1800, popped it in, and bingo. Tri-monitor, biggest desktop I've ever used in my life, perfection. Not to mention the latest Nvidia drivers (260.19.21 as of 12/2/10) work flawlessly with the FX 1800 on 64-bit Ubuntu 10.04.

I will note, however, that before I snagged an extra FX 1800, I tried pairing a single FX 1800 with an older Nvidia GeForce 5200 PCI. Configuring 3-monitors with an FX 1800 (only supported by the latest Nvidia driver) and the GeForce 5200 (supported by the legacy GPU Nvidia driver) failed miserably. It turns out, you really can't mix-and-match new and legacy hardware that use different driver versions (well, maybe you can, but I tried for an hour and gave up in disgust). In short, after my experiments here, it feels like you'll have better luck using two identical cards, instead of trying to mix-and-match random graphics hardware.

Good luck, and happy hacking!

JSON, XML, and stray Ampersands with Amazon's SQS (Simple Queue Service)

2010-10-26T05:17:00Z

Amazon's SQS (Simple Queue Service) uses XML formatted payloads to push and pop messages to and from an SQS queue. In other words, the underlying request and response bodies are XML payloads, containing among other things, a message ID and a message receipt handle. This means that the message body itself (the thing you're pushing onto the queue) ultimately has to be properly XML escaped to work right. Well it turns out, Amazon's own AWS library is very flaky here, and does not do the right thing when unmarshalling an XML SQS response back into an Object. Essentially, it gets confused when it encounters an XML escaped ampersand in the message body. For example, this popped message (in pseudo XML) fails miserably to unmarshall:

{"music":"rock & roll"}

Note that the ampersand in the message body is properly XML escaped, however, Amazon's own AWS library returns this as the message body once unmarshalled:

{"music":"rock &

In other words, the message body ends abruptly at the ampersand, and needless to say, any reasonable JSON library will fail to parse this malformed block of nonsense.

Solution: if you are going to use SQS, and there's a possibility the messages you're going to push onto a queue will have issues with XML escaping, it appears you should always base-64 encode the message body, then base-64 decode it when popping. Fortunately, the Apache Commons Codec library has a wonderful Base64 class to handle this encoding and decoding mess for you.

Bottom line, if you're encountering encoding issues with Amazon's SQS, better check if your messages are able to make it through the XML marshalling and unmarshalling process. If not, you'll need to base-64 encode and decode your messages to dance around bugs in Amazon's AWS library.

Good luck, and hope this helps.

Better Mobile Device Detection with a Spring 3 Interceptor

2010-10-19T04:05:00Z

The other day on some Java/JSP tutorial web-site I saw the worst example ever for detecting and properly rendering a mobile capable version of a web-site. Yes, I'm pointing at you Roseindia. In every JSP of this example, their mobile User-Agent detection involved one big if/else block:

<%

String userAgent = request.getHeader("User-Agent");
if(userAgent.contains("iPhone")) {
  %> Mobile site! <%
} else {
  %> Regular site! <%
}

%>

This wins the worst coding example of the year award. Here's why this is terrible and you should never use this example:

Not all requests contain a User-Agent header. In fact, the User-Agent header is purely optional. In the code above, if the request does not contain a User-Agent you'll see a nice NullPointerException thrown at userAgent.contains() given that the userAgent is null.
Not every mobile device is an iPhone. What about Blackberry, Andriod or Palm clients? Blindly assuming that every mobile user is on an iPhone, or other similar device, is horrendously ignorant.
Many great frameworks exist, like Spring 3 MVC, that allow you to separate your web-application business and display logic. This in mind, combing both into a single JSP is a bad idea for a number of reasons. In an ideal world, your mobile device detection would occur in an interceptor that triggers your MVC framework to render one view for mobile devices, and another view for all others.

This is a fairly common requirement: users visiting your site in a standard web-browser see one view, and users on a mobile device (like a Palm) see a "mobile version" of the same view. So, here's a way to implement better mobile device detection in your web-application using a Spring 3 HandlerInterceptorAdapter ...]]>

1 - Configure Spring

First, you'll need to make the necessary adjustments to your Spring MVC configuration which usually involves tweaking your mvc.xml configuration file. Regardless of where your MVC XML configuration is, you'll be defining an MVC interceptor for your application like so ...


  
  
    
    
            init-method="init">
        
          
            .*(webos|palm|treo).*
            .*(andriod).*
            .*(kindle|pocket|o2|vodaphone|wap|midp|psp).*
            .*(iphone|ipod).*
            .*(blackberry|opera mini).*

This bean, which I will discuss next, extends Spring's abstract HandlerInterceptorAdapter. We will build this interceptor so that it's called right before a Spring view is rendered, giving the interceptor a chance to modify the final view name as necessary. Also, note that this bean defines a List of regular expressions that the interceptor will use to determine if the client is a mobile device. You can add or remove regular expressions to this List depending on which mobile devices (a.k.a., User-Agent's) you plan to support.

If you are not familiar with Spring interceptors, you might like to read up on them here.

2 - The MobileInterceptor

Without further ado, here's my MobileInterceptor ...

/**
 * Copyright (c) 2010 Mark S. Kolich
 * http://mark.koli.ch
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use,
 * copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 */

package com.kolich.spring.interceptors;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class MobileInterceptor extends HandlerInterceptorAdapter {
  
  /**
   * The name of the mobile view that the viewer is re-directed to
   * in the event that a mobile device is detected.
   */
  private static final String MOBILE_VIEWER_VIEW_NAME = "mobile";
  
  /**
   * The User-Agent Http header.
   */
  private static final String USER_AGENT_HEADER = "User-Agent";
  
  private List mobileAgents_;
  private List uaPatterns_;
  
  public void init() {
    uaPatterns_ = new ArrayList();
    // Pre-compile the user-agent patterns as specified in mvc.xml
    for(final String ua : mobileAgents_) {
      try {
        uaPatterns_.add(Pattern.compile(ua, Pattern.CASE_INSENSITIVE));
      } catch (PatternSyntaxException e) {
        // Ignore the pattern, if it failed to compile
        // for whatever reason.
      }
    }
  }
  
  @Override
  public void postHandle(HttpServletRequest request,
    HttpServletResponse response, Object handler,
    ModelAndView mav) throws Exception {
    final String userAgent = request.getHeader(USER_AGENT_HEADER);
    if(userAgent != null) {
      // If the User-Agent matches a mobile device, then we set
      // the view name to the mobile view JSP so that a mobile
      // JSP is rendered instead of a normal view.
      if(isMobile(userAgent)) {
        final String view = mav.getViewName();
        // If the incoming view was "homepage" then this interceptor
        // changes the view name to "homepage-mobile" which, depending
        // on your Spring configuration would probably resolve to
        // "homepage-mobile.jsp" to render a mobile version of your
        // site.
        mav.setViewName(view + "-" + MOBILE_VIEWER_VIEW_NAME);
      }
    }
  }
  
  /**
   * Returns true of the given User-Agent string matches a suspected
   * mobile device.
   * @param agent
   * @return
   */
  private final boolean isMobile(final String agent) {
    boolean mobile = false;
    for(final Pattern p : uaPatterns_) {
      final Matcher m = p.matcher(agent);
      if(m.find()) {
        mobile = true;
        break;
      }
    }
    return mobile;
  }
  
  public void setMobileUserAgents(List agents) {
    mobileAgents_ = agents;
  }
  
}

As you probably noticed the real meat of this interceptor bean is inside of the postHandle() method, which examines the User-Agent HTTP request header (if any), checks if it's a mobile device, and if so slightly changes the resulting view name so that a mobile version of the view is rendered instead of the normal version. According to the Spring documentation, the postHandle() method is "called after HandlerAdapter actually invoked the handler, but before the DispatcherServlet renders the view." In our case, this is perfect.

Inside of postHandle() my MobileInterceptor retrieves the resolved view name, then if the User-Agent matches that of a known mobile device, it changes the view name by appending "-mobile" to end of it. For example, say you have a view named "about" that is rendered by "about.jsp". This interceptor would change the resulting view name to "about-mobile" which would be rendered by "about-mobile.jsp" (assuming you are using a standard InternalResourceViewResolver to resolve view names to JSP's). In other words, this means you can put all of your mobile display logic into about-mobile.jsp, while about.jsp is left in tact for non-mobile clients; you keep your mobile and non-mobile display logic separate in two individual files. Of course, I don't have to tell you that keeping these separate will make your life as a developer a LOT easier in the long run.

3 - Putting it all Together

Putting everything together, the XML configuration tells Spring to call my interceptor bean whenever it encounters a specific path. In this case, I told Spring to watch for the paths /somepath and /anotherpath based on the 's you see above in the XML. When Spring handles a request for /somepath or /anotherpath it will call the interceptor at the appropriate point in the chain based on the methods overridden by my bean. In this case, I've overridden the postHandle() method such that Spring will call my interceptor bean to do what it needs to do once the view has been resolved and it's ready to render up some content. Of course, you could also override preHandle() if you needed the interceptor to be called before a view is selected, and so on. Again, take a peek at HandlerInterceptorAdapter for all of the gory details.

Enjoy!

Understanding the HTTP Vary Header and Caching Proxies (Squid, etc.)

2010-09-25T07:10:00Z

I never paid much attention to the HTTP Vary header. In fact, I've been fortunate enough to avoid it for this long and never really had to care much about it. Well, it turns out when you're configuring a high-performance reverse proxy, understanding the Vary header and what it means to your reverse proxy caching policies is absolutely crucial.

Here's an interesting problem I recently solved that dealt with Squid, Apache, and that elusive Vary response header ...
]]> 1 - The Vary Basics

Popular caching proxies, like Squid, usually generate a hash of the request from a number of inputs including the URI and the contents of the Vary response header. When a caching proxy receives a request for a resource, it gathers these inputs, generates a hash, then checks its cache to see if it already has a resource sitting on disk, or in memory, that matches the computed hash. This is how Squid, and other caching proxies, fundamentally know if they have a cache HIT or MISS (e.g., can Squid return the content it has cached or does it need to revalidate the request against the destination server).

That in mind, you can probably see how the Vary header is quite important when a caching proxy is looking for a cache HIT or MISS. The Vary header is a way for the web-server to tell any intermediaries (caching proxies) what they should use, if necessary, to figure out if the requested resource is fresh or stale. Sample Vary headers include:

Vary: Accept-Encoding
Vary: Accept-Encoding,User-Agent
Vary: X-Some-Custom-Header,Host
Vary: *

According to the HTTP spec, "the Vary field value indicates the set of request-header fields that fully determines, while the response is fresh, whether a cache is permitted to use the response to reply to a subsequent request without revalidation." Yep, that's pretty important (I discovered this the hard way).

2 - The Caching Problem

I configured Squid to act as a round-robin load balancer and caching proxy, sitting in front of about four Apache web-servers. Each Apache web-server was running a copy of my web-application, which I intended to have Squid cache where possible. Certain requests, were for large JSON objects, and I explicitly configured Squid to cache requests ending in .json for 24-hours.

I opened a web-browser and visited a URL I expected to be cached (should have already been in the cache from a previous request, notice the HIT) ...

GET /path/big.json HTTP/1.1
Host: app.kolich.local
User-Agent: Firefox

HTTP/1.0 200 OK
Date: Fri, 24 Sep 2010 23:09:32 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Age: 1235
X-Cache: HIT from cache.kolich.local
X-Cache-Lookup: HIT from cache.kolich.local:80
Content-Length: 25090
Connection: close

Ok, looks good! I opened a 2nd web-browser on a different machine (hint: with a different User-Agent) and tried again. This time, notice the X-Cache: MISS ...

GET /path/big.json HTTP/1.1
Host: app.kolich.local
User-Agent: Chrome

HTTP/1.0 200 OK
Date: Fri, 24 Sep 2010 23:11:45 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Age: 4
X-Cache: MISS from cache.kolich.local
X-Cache-Lookup: MISS from cache.kolich.local:80
Content-Length: 25090
Connection: close

Wow, look at that. I requested exactly the same resource, just from a different browser, and I saw a cache MISS. This is obviously not what I want, I need the same cached resource to be served up from the cache regardless of who's making the request. If left alone, this is only caching a response per User-Agent, not globally per resource.

3 - Solution: Check Your Vary Headers

Remember how I said the contents of the Vary header are important for caching proxies?

In both requests above, note the User-Agent request headers and the contents of the Vary response headers. Although each request was for exactly the same resource, Squid determined that they were very different as far as its cache was concerned. How did this happen? Well, take a peek at a Vary response header:

Vary: Accept-Encoding,User-Agent

This tells Squid that the request URI, the Accept-Encoding request header, and the User-Agent request header should be included in a hash when determining if an object is available in its cache, or not. Obviously, any reasonable hash of (URI, Accept-Encoding, "Firefox") should not match the hash of (URI, Accept-Encoding, "Chrome"). Hence why Squid seemed to think the request was for different objects!

To fix this, I located the source of the annoying "User-Agent" addition to my Vary response header, which happened to come from Apache's very own mod_deflate module. The recommended mod_deflate configuration involves appending "User-Agent" to the Vary response header on any response that is not compressed by mod_deflate. I don't really see why this is necessary, but the Apache folks seemed to think this was important. Here's the relevant lines from the Apache suggested mod_deflate configuration:

SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|ico)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

In any event, I removed the 2nd line above, restarted Apache and Squid began caching beautifully regardless of which client issued the request. Essentially, I told Squid to stop caring about the User-Agent by removing "User-Agent" from my Vary response header, and problem solved!

The joys of HTTP.

Cheers.

Recursively Deleting Large Amazon S3 Buckets

2010-09-17T15:54:00Z

My first experience using Amazon Web Services for a production quality project was quite fun, and deeply interesting. I've played with AWS a bit on my own time, but I recently had a chance to really sink my teeth into it and implement production level code that uses AWS as a real platform for an upcoming web, and mobile application.

Perhaps the most interesting, and frustrating, part of this project involved storing hundreds of thousands of objects in an AWS S3 bucket. If you're not familiar with S3, it's the AWS equivalent to an online storage web-service. The concept is simple: you create an S3 "bucket" then shove "objects" into the bucket, creating folders where necessary. Of course, you can also update and delete objects. If it helps, think of S3 as a pseudo online file-system that's theoretically capable of storing an unlimited amount of data. Yes, I'm talking Exabytes of data ... theoretically ... if you're willing to pay Amazon for that much storage.

In any event, I created a new S3 bucket and eventually placed hundreds of thousands of objects into it. S3 handled this with ease. The problem, however, was when it came time to delete this bucket and all objects inside of it. Turns out, there is no native S3 API call that recursively deletes an S3 bucket, or renames it for that matter. I guess Amazon leaves it up to the developer to implement such functionality?

That said, if you need to recursively delete a very large S3 bucket, you really have 2 options: use a tool like s3funnel or write your own tool that efficiently deletes multiple objects concurrently. Note that I say concurrently, otherwise you'll waste a lot of time sitting around waiting for a single-threaded delete to remove objects one at a time, which is horribly inefficient. Well this sounds like a perfect problem for a thread pool and wouldn't you guess it, even a CountDownLatch!

Continue reading for the code ...]]>
Here's the pseudo code. Note that I say pseudo code because it's not a complete implementation. This examples assumes you have an AWS S3 implementation (a library) that's able to list objects in a bucket, delete buckets, and delete objects.

package com.kolich.aws.s3.util;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import com.amazonaws.services.s3.model.S3ObjectSummary;

public class RecursiveS3BucketDelete {

  private static final String AWS_ACCESS_KEY_PROPERTY = "aws.key";
  private static final String AWS_SECRET_PROPERTY = "aws.secret";
  
  /**
   * The -Daws.key and -Daws.secret system properties should
   * be set like this:
   * -Daws.key=AK7895IH1234X2GW12IQ
   * -Daws.secret=1234567890123456789012345678901234456789
   */
  
  // Set up a new thread pool to delete 20 objects at a time.
  private static final ExecutorService pool__ =
        Executors.newFixedThreadPool(20);
  
  public static void main(String[] args) {
    
    final String accessKey = System.getProperty(AWS_ACCESS_KEY_PROPERTY);
    final String secret = System.getProperty(AWS_SECRET_PROPERTY);
    if(accessKey == null || secret == null) {
      throw new IllegalArgumentException("You're missing the " +
          "-Daws.key and -Daws.secret required VM properties.");
    }
    
    final String bucketName;
    if(args.length < 1) {
      throw new IllegalArgumentException("Missing required " +
          "program argument: bucket name.");
    }
    bucketName = args[0];
    
    // ... setup your S3 client here.
    
    List objects = null;
    do {
      objects = s3.listObjects(bucketName).getObjectSummaries();
      // Create a new CountDownLatch with a size of how many objects
      // we fetched.  Each worker thread will decrement the latch on
      // completion; the parent waits until all workers are finished
      // before starting a new batch of delete worker threads.
      final CountDownLatch latch = new CountDownLatch(objects.size());
      for(final S3ObjectSummary object : objects) {
        pool__.execute(new Runnable() {
          @Override
          public void run() {
            try {
              s3.deleteObject(bucketName,
                URLEncoder.encode(object.getKey(), "UTF-8"));
            } catch (Exception e) {
              System.err.println(">>>> FAILED to delete object: (" +
                bucketName + ", " + object.getKey()+ ")");
            } finally {
              latch.countDown();
            }
          }
        });
      }
      // Wait here until the current set of threads
      // are done processing.  This prevents us from shoving too
      // many threads into the thread pool; it's a little more
      // controlled this way.
      try {
        System.out.println("Waiting for threads to finish ...");
        // This blocks the parent until all spawned children
        // have finished.
        latch.await();
      } catch (InterruptedException e) { }
    } while(objects != null && !objects.isEmpty());
    
    pool__.shutdown();
    
    // Finally, delete the bucket itself.
    try {
      s3.deleteBucket(bucketName);
    } catch (Exception e) {
      System.err.println("Failed to ultimately delete bucket: " +
          bucketName);
    }

  }

}

Additional notes, and warnings:

If you're not familiar with using a CountDownLatch, you can find my detailed blog post on it here.
If you're going to delete multiple objects at a time, you should confirm the S3 library you're using is thread safe. Many S3 libraries I've seen rely on the popular Apache Commons HttpClient to handle the underlying HTTP communication work with S3. However, you should note that HttpClient isn't thread safe by default, unless you've explicitly set it up to use a ThreadSafeClientConnManager.

Enjoy.

Integrating Ant and Google's Closure Compiler

2010-08-21T18:45:00Z

With a little spare time on my hands, I dug into Google's Closure Compiler, an open-source tool that minifies and optimizes JavaScript for better performance. Unlike other JavaScript compression tools like JSMin, Packer or the YUI compressor, Google's Closure Compiler converts your decent JavaScript into "better" JavaScript. It does so by searching for and pointing out obvious JavaScript pitfalls, deleting dead code, and optimizing what's left to make your web-applications more efficient. This all sounds great, so I gave it a whirl and eventually integrated it into my Ant build for a new project. Heck, I even found a bug and suggested an enhancement.

1 - $jQuery Users be Warned

Before you run off and have a field day with the Closure Compiler, you should know that optimizing jQuery with the compiler's ADVANCED_OPTIMIZATIONS mode failed miserably. Even with a proper JS externs file, I could not get jQuery, or my JavaScript that uses jQuery, to compile under ADVANCED_OPTIMIZATIONS mode. Ok, actually it compiled fine, but when I tried to run this JavaScript in a browser: welcome to JavaScript Error City, population one.

Eventually, I gave up and reverted back to SIMPLE_OPTIMIZATIONS mode instead. This works much better. If you know something I don't about compiling jQuery in advanced mode, please let me know.

2 - Get 'er done

First things first, you'll need to download the Closure Compiler JAR and integrate it into your Ant build file by defining a new Ant task:

  location="${lib.dir}/google-closure-compiler.jar" />

  classname="com.google.javascript.jscomp.ant.CompileTask"
  classpath="${jscompjar}"/>

Yay, now you have a Ant task.

3 - Concatenate

Next, you'll need Ant to concatenate each of your JavaScript files into a single file. Technically, you don't have to do this, but I found it much easier and I like having all of my JavaScript compressed into a single resource:

Note that I'm using a FileList instead of a FileSet. This is because the order in which the resources are concatenated is important; they should be concatenated in the order in which they are required, and using a FileList ensures proper order. More on that here.

Also, note that if you eventually plan on compiling your JavaScript with ADVANCED_OPTIMIZATIONS enabled, you'll need to concatenate your JavaScript files together anyways. Further, using a single JavaScript resource across your entire site has obvious performance advantages. HTTP operations are usually expensive (especially on mobile devices), so having a web-browser download one large JavaScript file with everything in it is usually better than having it download multiple smaller files. Of course, you could even take it a step further and use a tool like LABjs to load your JavaScript dynamically, as needed.

4 - Compile

Ok, now that your JavaScript files have been concatenated into a single resource, let's use the Ant task we defined earlier to compile it:

  debug="false" output="${release.js.dir}/project.min.js">

Assuming your code compiled cleanly, you'll have a Closure Compiler optimized JavaScript file sitting around ready for deployment!

Enjoy.

Spring 3 and Spring Security: Setting your Own Custom /j_spring_security_check Filter Processes URL

2010-07-25T02:20:00Z

While working on a new personal project, I decided to pick up and dig into Spring 3 MVC and Spring Security. I've touched both of these technologies here and there in a number of other projects, but this new opportunity has really opened the door for a deep dive into Spring. I know the Ruby fanatics out there would say I'm crazy, but once I got all of the awful XML configuration mess out of the way, I'm really enjoying Spring's stability and reliability. I know Ruby and Rails is hip and what not, but Spring 3 has really made an impression on me. It's hard to beat such a mature enterprise framework.

I setup a few Spring 3 controllers, and integrated Spring Security into my web-app. All went great and so I added a simple form-based login to my Spring Security XML configuration.

Problem: Overriding UsernamePasswordAuthenticationFilter

When setting up a form-based login via a default Spring Security configuration, Spring auto generates and configures a UsernamePasswordAuthenticationFilter bean. This filter, by default, responds to the URL /j_spring_security_check when processing a login POST from your web-form. First, I want to override Spring Security's default login process URL to /login instead of /j_spring_security_check. Second, I've configured a Spring 3 controller to display my login web-form when a user visits /login.

That said, here's the underlying problem with Spring Security's default UsernamePasswordAuthenticationFilter: I want it to accept and process POST's to /login, but a GET or any HTTP method to /login should be forwarded to the next filter in the chain. Not surprisingly, you cannot do this with Spring Security's default UsernamePasswordAuthenticationFilter because it does not @Override the doFilter() method of AbstractAuthenticationProcessingFilter. In short, there's no way to get and check the incoming HTTP request method and re-route it using the default UsernamePasswordAuthenticationFilter.

Solution: Write your own Spring Security Authentication Filter

If you want a Spring controller to process GET requests to /login, but Spring Security to intercept and process a POST to /login, then you'll need to write your own Spring Security authentication filter. Here's the idea:

public class MyFilter extends AbstractAuthenticationProcessingFilter {

  private static final String DEFAULT_FILTER_PROCESSES_URL = "/login";
  private static final String POST = "POST";

  public MyFilter () {
    super(DEFAULT_FILTER_PROCESSES_URL);
  }

  @Override
  public Authentication attemptAuthentication(HttpServletRequest request,
    HttpServletResponse response) throws AuthenticationException,
    IOException, ServletException {
    // You'll need to fill in the gaps here.  See the source of
    // UsernamePasswordAuthenticationFilter for a working implementation
    // you can leverage.
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res,
    FilterChain chain) throws IOException, ServletException {
    final HttpServletRequest request = (HttpServletRequest) req;
    final HttpServletResponse response = (HttpServletResponse) res;
    if(request.getMethod().equals(POST)) {
      // If the incoming request is a POST, then we send it up
      // to the AbstractAuthenticationProcessingFilter.
      super.doFilter(request, response, chain);
    } else {
      // If it's a GET, we ignore this request and send it
      // to the next filter in the chain.  In this case, that
      // pretty much means the request will hit the /login
      // controller which will process the request to show the
      // login page.
      chain.doFilter(request, response);
    }
  }

}

Note the good stuff inside of doFilter(). If the incoming request method is a POST, then we send it up to our AbstractAuthenticationProcessingFilter to actually process the login. If it's a GET, or any other HTTP request method for that matter, we simply send it to the next filter in the chain.

Finally, remember that you'll need to define your own FORM_LOGIN_FILTER inside of your Spring Security XML configuration to override the default /j_spring_security_check URL:

  entry-point-ref="LoginUrlAuthenticationEntryPoint">
  


  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">

Enjoy!

Extended Thoughts on Custom Tiny URL Engines

2010-05-31T23:35:00Z

A blog reader recently contacted me via email and asked, "hey, how does your koli.ch tiny URL thing work?" Well, I would be happy to explain. As previously discussed here, and here, I'm not using Apache's mod_rewrite RewriteMap engine. No, koli.ch tiny URL's are using an interesting combination of Apache's mod_rewrite RewriteRule directive and Onyx, which is basically PHP talking to a MySQL database.

So, let's follow http://koli.ch/x3dh through the redirection process. The "3dh" you see on the end of each URL is a base-36 encoded number, that maps to a unique bookmark resource stored inside of Onyx.

Step 1 - koli.ch to mark.koli.ch

First, you may have noticed that http://koli.ch always redirects to http://mark.koli.ch by default. This is accomplished using Apache's mod_rewrite in my virtual host configuration ...

RewriteCond %{HTTP_HOST} !^mark\.koli\.ch [NC]
RewriteRule ^/(.*)$ http://mark.koli.ch/$1 [R=301,L]

You'll notice that the Perl compatible regular expression in the RewriteRule directive captures the URL-path content after the first slash, allowing me to gracefully forward URL's like http://koli.ch/about-mark.html to http://mark.koli.ch/about-mark.html. Consequently, tiny URL's like http://koli.ch/x3dh are forwarded to http://mark.koli.ch/x3dh. And, this redirect is a 301 Moved Permanently instead of a default 302 Found redirect.

Step 2 - mark.koli.ch to onyx.koli.ch

Next, in the same virtual host configuration, I use mod_rewrite's RewriteRule directive to match URL-paths that represent a tiny URL. As far as Onyx is concerned, all of my tiny URL's all start with "x" and contain at least one, but no more than ten, word characters following the "x" ...

RewriteCond %{REQUEST_URI} !\.(htm?l)$ [NC]
RewriteRule ^/x(\w{1,10})$ https://onyx.koli.ch/x$1 [L]

Notice the regular expression group, I'm only capturing the word-characters following the "x" in the request URI, then appending them onto https://onyx.koli.ch/x before handing it off to Onyx. Note that I have not specified the redirect response code in the RewriteRule options. In this case, Apache will 302 Found redirect to Onyx, which tells search engines and other bots that this redirect is much less permanent than a 301 Moved Permanently.

Step 3 - onyx.koli.ch to ?

Once the browser hits https://onyx.koli.ch/x, I use RewriteRule one last time to call a redirection controller I wrote in PHP which actually takes the tiny URL, sanitizes the request URI then looks it up in a MySQL database to retrieve the final URL to redirect to. This is part of Onyx. Here's the pseudo code ...


$uri = (isset($_SERVER['REQUEST_URI'])) ? $_SERVER['REQUEST_URI'] : null;
if(empty($uri)) {
  throw new InternalErrorException();
}

// Strip the leading / from the front of the URI
$uri = preg_replace("/^\//","",$uri);
@list(, $resource) = preg_split("/[\/\?]/", $uri, -1, PREG_SPLIT_NO_EMPTY);
if(!empty($resource)) {
  $resource = preg_replace("/\D/","",$resource);
} else {
  throw new BadRequestException();
}

// ... do some MySQL things here, look up the $resource in the DB.
$url = ... some URL from the database

// Redirect the user to their destination, via an HTTP 302 Found
header(HTTP_302_FOUND);

// Unset the Pragma HTTP response header; to avoid
// redirection issues on IE.
header(PRAGMA.": ");
header(CACHE_CONTROL.": no-store, no-cache");

header(LOCATION_HEADER.': '.$url);

?>

That's it. Cheers.

MySQL Triggers and SUPER Privileges: "Access denied; you need the SUPER privilege for this operation."

2010-05-27T19:20:00Z

I just discovered that dealing with MySQL triggers, in many instances, is quite painful. For example, here's a trigger that deletes a bunch of rows in a table on every INSERT:

delimiter |
CREATE TRIGGER delete_expired_tweets AFTER INSERT ON tweets
  FOR EACH ROW BEGIN
    DELETE FROM tweets WHERE DATEDIFF(NOW(), created_at) > 365;
  END;
|

delimiter ;

Ok, let's load this trigger into MySQL:

#/> mysql -h myhost -u normaluser -p mydatabase
Enter password: **********
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.41-community-nt MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> source trigger.sql
ERROR 1227 (42000): Access denied; you need the SUPER privilege
    for this operation

Access denied? I dug into it, and confirmed that you can only add triggers if your user account has the SUPER privilege enabled. You're probably thinking, "No kidding Sherlock, that's what the error message says." Yes, I know that's what the error message says. But here's the problem. Normal database users created using "GRANT ALL PRIVILEGES ON database.* TO..." will not have the SUPER privilege assigned to them by default. As described here, the SUPER privilege in MySQL let's the account do some things that normal database users, in most environments, should not be able to do (like kill database threads, modify global system variables, etc.). As a result, it's a very bad idea to grant the SUPER privilege to normal database users, even if they just need the SUPER privilege to load a trigger. You know better than that!

Even worse, suppose you GRANT SUPER PRIVILEGES to a single user, on a single database. Well, that still won't be enough to load a trigger. Unfortunately, loading triggers requires SUPER PRIVILEGES at the global level (e.g., GRANT SUPER PRIVILEGES ON *.*). Again, it's a very bad ideal to grant normal database users the SUPER privilege.

So how exactly am I supposed to load this trigger? Well as far as I can tell, assuming I refuse to give myself SUPER PRIVILEGES for the reasons I just explained, I have two options:

Don't use triggers, and find another way to cleanup rows in my table.
Log into the database as root/admin and load the trigger on behalf of the normal user. If I wasn't the owner of this database server, this would probably involve asking my database administrator to load the trigger for me.

This is just one of many common annoyances with MySQL. Sucks, I know.

OAuth and the Twitter API: Generate a one-time access token and token secret

2010-05-23T19:05:00Z

This is not a Twitter and OAuth tutorial. This post does not talk about how to use the Twitter API, nor does it offer any examples. For that, you should go elsewhere. This post simply provides a high-level overview of using an OAuth "one-time access token and secret" when you need to write a quick piece of code that fetches read-only data from the Twitter API.

You may have heard that Twitter plans to stop supporting HTTP Basic Authentication on June 30, 2010. This means that starting on June 30th, to use Twitter's API, your application must support OAuth. OAuth is a nice step up from basic authentication but it makes developing web or desktop applications that communicate with Twitter, slightly more painful. Well, painful isn't the right word, but you definitely have to jump through more hoops to get things to work. Gone are the days of simply sending a username and password to the API.

In response to this change, Twitter API proxy services like SuperTweet have popped up. Turns out, if you know what you're doing with OAuth, SuperTweet and other API proxy services are entirely unnecessary, not to mention unsafe. You're better off upgrading your applications to use OAuth the right way, instead of making them rely on potentially insecure third-party proxy services. And again, it's not difficult, just a bit annoying.

Scenario

You're a developer, and you need to write some code that pulls in Tweets from one or more users. Maybe you also need to pull down a list of followers for each of these users. Not surprisingly, it's entirely unreasonable to ask each of them to authenticate your application using OAuth. You just want to write code that pulls down their public timeline, followers, etc. avoiding the whole OAuth dance with each user, every time.

Solution

Register a new application on Twitter. Then, dig into your application control panel and find your new "single access token" and "single access token secret" for the application you just registered.

As described here, "Twitter offers the ability for you to retrieve a single access token (complete with oauth_token_secret) from application detail pages found in your application control panel. This is ideal for applications migrating to OAuth with single-user use cases ... By using a single access token, you don't need to implement the entire OAuth token acquisition dance. Instead, you can pick up from the point where you are working with an access token to make signed requests for Twitter resources."

This token and token secret is as close as you'll get to a username/password equivalent in OAuth. In other words, once you have this one-time token and token secret for your application, you can issue signed OAuth requests against the Twitter API just like you would with a basic username and password. If you want to think about it this way, the token is like your username and the token secret is like your password. Don't share them. Once you have these credentials, you can pull in Tweets for any public user, get their followers, read the public timeline, etc.

Here are several examples in a number of popular languages showing how you can use this one-time token and token secret in your project.

Yay for OAuth.

Formatting a Java Date into a Specific TimeZone and Conversion Between TimeZone's

2010-05-15T18:51:00Z

Date objects in Java, and probably most other robust languages, simply represent a snapshot of a point in time. In other words, java.util.Date knows nothing about the time zone you're referring to when instantiating or manipulating a Date object. Fact is, java.util.Date does not have to care about your time zone, because internally a Date is really nothing more than a count of the number of milliseconds since the standard base time known as "the epoch", namely January 1, 1970, 00:00:00 GMT.

If it helps, think about it this way: X milliseconds since the epoch is X milliseconds since the epoch in the US-Pacific time zone, X milliseconds since the epoch in GMT-0 (London), X milliseconds since the epoch in India, etc. In short, when it's 1273947282085 milliseconds since the epoch, it's 1273947282085 milliseconds since the epoch everywhere in the world at the same time regardless of what time zone you're sitting in. And since Java's util.Date is simply a snapshot of the number of milliseconds at a specific point in time, you can see why Date doesn't care about your time zone. It's irrelevant.

But Mark, how do I convert a java.util.Date into a different time zone? You can't, and that question makes no sense. That's like asking me to "take a picture of the sound." Here's some B.S. code that you should not use, but I've put it here for illustrative purposes:

// Do NOT use this, it does nothing and makes no sense.
public static final Date convertIntoTimeZone(Date date, TimeZone tz) {
  final Calendar cal = Calendar.getInstance();
  cal.setTime(date);
  cal.setTimeZone(tz);
  return cal.getTime();
}

You can't convert a Date into a different time zone, but you can use Java's handy DateFormat class to format a Date into the time zone of your choice. To put it differently, let Date do its thing. Then, when you're ready to display or print out a String representation of Date, that's when you tell DateFormat what time zone you want it in. So, here's some code that makes sense, and actually works:

final Date currentTime = new Date();

final SimpleDateFormat sdf =
        new SimpleDateFormat("EEE, MMM d, yyyy hh:mm:ss a z");

// Give it to me in US-Pacific time.
sdf.setTimeZone(TimeZone.getTimeZone("America/Los_Angeles"));
System.out.println("LA time: " + sdf.format(currentTime));

// Give it to me in GMT-0 time.
sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
System.out.println("GMT time: " + sdf.format(currentTime));

// Or maybe Zagreb local time.
sdf.setTimeZone(TimeZone.getTimeZone("Europe/Zagreb"));
System.out.println("Zagreb time: " + sdf.format(currentTime));

// Even 10 hours and 10 minutes ahead of GMT
sdf.setTimeZone(TimeZone.getTimeZone("GMT+0010"));
System.out.println("10/10 ahead time: " + sdf.format(currentTime));

Yay for Dates and time zones! Enjoy.

HTTP Digest Access Authentication using MD5 and HttpClient 4

2010-05-04T20:30:00Z

Dealing with HTTP's Digest authentication mechanism isn't too bad once you have the basic building blocks in place. Luckily HttpClient 4 can automatically solve many types of authentication challenges for you, if used correctly. Using HttpClient 4, I built an app that authenticates against a SOAP based web-service requiring WWW-Authenticate Digest authentication. In a nutshell, the fundamental principal behind HTTP Digest authentication is simple:

The client asks for a page that requires authentication.
The server responds with an HTTP 401 response code, providing the authentication realm and a randomly-generated, single-use value called a "nonce". The authentication "challenge" itself is encapsulated inside of the WWW-Authenticate HTTP response header.
The client "solves" the authentication challenge and a solution is sent back to the web-server via the HTTP Authorization header on a subsequent request. The solution usually contains some type of MD5 hashed mess of your username, password, and "nonce".
Assuming the solution is acceptable the server responds with a successful type response, usually an HTTP 200 OK.

Here's a sample with a bit of pseudo code mixed in (so, you get the idea):

// A org.apache.http.impl.auth.DigestScheme instance is
// what will process the challenge from the web-server
final DigestScheme md5Auth = new DigestScheme();

// This should return an HTTP 401 Unauthorized with
// a challenge to solve.
final HttpResponse authResponse =
        doPost(url, postBody, contentType);

// Validate that we got an HTTP 401 back
if(authResponse.getStatusLine().getStatusCode() ==
      HttpStatus.SC_UNAUTHORIZED) {
  if(authResponse.containsHeader("WWW-Authenticate")) {
    // Get the challenge.
    final Header challenge =
            authResponse.getHeaders("WWW-Authenticate")[0];
    // Solve it.
    md5Auth.processChallenge(challenge);
    // Generate a solution Authentication header using your
    // username and password.
    final Header solution = md5Auth.authenticate(
            new UsernamePasswordCredentials(username, password),
            new BasicHttpRequest(HttpPost.METHOD_NAME,
                  new URL(url).getPath()));
    // Do another POST, but this time include the solution
    // Authentication header as generated by HttpClient.
    final HttpResponse goodResponse =
            doPost(url, postBody, contentType, solution);
    // ... do something useful with goodResponse, which assuming
    // your credentials were valid, should contain the data you
    // requested.
  } else {
    throw new Error("Web-service responded with Http 401, " +
      "but didn't send us a usable WWW-Authenticate header.");
  }
} else {
  throw new Error("Didn't get an Http 401 " +
      "like we were expecting.");
}

Enjoy.

Pingdom Incorrectly Reports Page Load Time

2010-04-24T20:00:00Z

I recently discovered that Pingdom, in many instances, does not correctly report page-load time. As it turns out, when you ask Pingdom to tell you how fast your site loads it will incorrectly download all images and other resources referenced in your CSS, regardless of whether they are actually used on your site or not. Of course this isn't ideal, because Pingdom will claim the page you're testing takes longer to load than it really does! By comparison, smart web-browsers do not blindly download every image referenced in the CSS, on every page. Instead, they download the resources as needed.

For folks who really care about site optimization and performance, this is a big deal. Especially if you're hired to help a client optimize the page-load time of their web-site, but services like Pingdom lie and report junk.

Here's an example; imagine this is your homepage:



 My Homepage
 

 
  header

  content

  footer

Ok, so you've got a header and a footer that will appear on every page. In addition, you've got a few other CSS selectors for the homepage, for your "about us" page, and for your "contact us" page. In a real web-browser, when you visit this page the browser will load the following images as referenced in your CSS:

header.png
homepage.png
footer.png

However, when you test this same page using Pingdom, Pingdom will claim your site is loading the following resources:

header.png
homepage.png
about-us.png
contact.png
footer.png

Wait a second, that's not accurate at all! On this hypothetical homepage, I'm definitely not using #aboutus or #contact anywhere, so why should the resources associated with these selectors be factored into my page load time? In reality, they shouldn't be because that's not how real web-browsers work.

To further validate my findings, I used the Rackspace Cloud and allocated a new machine with a running web-server. I loaded this hypothetical homepage HTML onto it, and asked Pingdom to tell me how fast it loads:

Wrong! I'm not using aboutus.png or contactus.png anywhere on the homepage, so why should Pingdom factor the load time of those images into my test results? In contrast, using Firefox and HttpFox, I verified that real web-browsers only load the resources they need to properly render the page:

Here you can see the correct resources are loaded in Firefox: header.png, homepage.png, and footer.png.

Bottom line, you really shouldn't use Pingdom and other external performance analysis tools as "bibles" for improving your page-load time. Clearly they're only tools to help you identify obvious problems, and are definitely not a complete solution. For more accurate results, I would suggest using tools like YSlow and Google's Page Speed.

Cheers.

Understanding Java's CountDownLatch and CyclicBarrier

2010-04-09T18:20:00Z

While working on some nifty multi-threaded Java recently, a colleague pointed me to a few really useful Java classes: CountDownLatch and CyclicBarrier. My code was quite typical, a parent worker thread spawns a bunch of children to do real work, and needs to wait for the children to finish before continuing. The catch though, is that the child worker threads may or may not finish successfully, and in all likelihood will finish at different times. Even so, the parent thread must wait until all of its children have finished because the parent can only make forward progress once the children are complete. I whipped up a little demo (screen shot left) that spawns five worker threads which update a JProgressBar at a random interval. The demo finishes once each progress bar hits 100%.]]> 1 - CountDownLatch

Meet CountDownLatch. As described in the Java 6 API docs, a CountDownLatch is "a synchronization aid that allows one or more threads to wait until a set of operations being performed in other threads completes." In other words, the developer says new CountDownLatch(N) which waits for N threads to finish before the latch is "released" allowing the calling thread to make forward progress. Couldn't be more perfect here. To make my life a little easier, I wrote a few wrapper classes that encapsulate a CountDownLatch which allow me to easily synchronize on a List, a list of worker threads:

ThreadRunner.java -- A class that accepts a List (a List of BaseWorker's), creates a new CountDownLatch(list.size()), starts each BasedWorker then allows the developer to await() on the runner for all BaseWorker's to finish.
BaseWorker.java -- An abstract class that represents each worker thread, and defines a set of methods each BaseWorker must implement to be used with a ThreadRunner.

So, using these wrappers, let's create a new worker:

public class MyWorker extends BaseWorker {

  private int someField_;

  public MyWorker(int worker) {
    super();
    someField_ = worker;
    // ...
  }

  @Override
  public void myRun() throws Exception {
    // ...
  }

  @Override
  public String getWorkerName() {
    return String.format("%s #%s",
        getClass().getSimpleName(), someField_);
  }

}

Now let's setup a new ThreadRunner that will take a bunch of BaseWorker's, start them, then wait for all to finish:

public class MyRunner {

  private static final List workers__;
  static {
    workers__ = new ArrayList();
    workers__.add(new MyWorker(1));
    workers__.add(new MyWorker(2));
    workers__.add(new MyWorker(3));
  }

  public static void main(String[] args) {
    final ThreadRunner runner = new ThreadRunner(workers__);
    // Start all of the threads in this runner.
    runner.start();
    // Wait for all of the threads to finish.
    runner.await();
    // Did all of our workers complete without error?
    if(runner.wasSuccessful()) {
      System.out.println("All workers finished cleanly.");
    } else {
      System.out.println("Not all workers finished cleanly.");
    }
  }

}

In this example, I built a List of BaseWorker's, gave the list to the ThreadRunner and asked the runner to start them. Upon calling runner.await(), the ThreadRunner blocks waiting for all of the workers to finish. Note that my concept of "finish" here means either successfully, or unsuccessfully (an Exception or Error case). Subsequently, I call runner.wasSuccessful() to check if all of the workers finished cleanly, basically asking the runner did all of your workers finish without throwing any Exception's or Error's?

If you're interested, you can download my complete ThreadRunner demo/example that further demonstrates the usage of these wrapper classes using Swing and several JProgressBar's.

2 - CyclicBarrier

A CyclicBarrier is similar to that of a CountDownLatch, except that a CyclicBarrier is "a synchronization aid that allows a set of threads to all wait for each other to reach a common barrier point." Like a CountDownLatch, a CyclicBarrier can be used to synchronize a number of threads. But instead of exiting upon completion, theads using a CyclicBarrier await() for all other threads in the pool to finish. Here's a usage example of a CyclicBarrier built around my BaseWorker class:

public class MyCyclicWorker extends BaseWorker {

  private CyclicBarrier barrier_;

  public MyWorker(CyclicBarrier barrier) {
    super();
    barrier_ = barrier;
    // ...
  }

  @Override
  public void myRun() throws Exception {
    // ...
    // Wait here for all other threads
    // in the CyclicBarrier to finish.
    barrier_.await();
  }

  @Override
  public String getWorkerName() {
    return getClass().getSimpleName();
  }

}

Here's the class that starts up a bunch of these MyCyclicWorkers, then runs a single "cleanup" thread once all of the workers are done:

public class CyclicExample {

  private static final int CYCLIC_THREADS = 5;

  public static void main(String[] args) {
    final CyclicBarrier barrier =
            new CyclicBarrier(CYCLIC_THREADS,
              new Runnable() {
                @Override
                public void run() {
                  // Cleanup thread, or completion thread.
                  // Called when all of the worker threads
                  // are finished.
                  // ...
                }
              });
    for(int i=0; i < CYCLIC_THREADS; ++i) {
      new MyCyclicWorker(barrier).start();
    }
    // ...
  }

}

Enjoy!