tmro

Sun have released not too long ago a Java ME SDK 3.0 that finally brings an official Wireless Toolkit Emulator to the Mac platform.

I have been dealing with SUN software for a while now and I was not expecting this to be a smooth ride. Those who’d dealt with the WTK on Windows/Linux platform are well aware of the limitations of these emulators. What I was not prepared for was to get so much clutter that would just not work more than a couple of times.

First impression: this wtk looks like the most polished emulator ever released by Sun.

Sadly, after using the thing for a few days I discovered that the old habits had not changed:

• there is no menu entry to run an existing jad/jar pair. You have to right click on an emulator instance and then run it…
• you cannot set-up a project starting from a jad/jar pair. There used to be an option to do this back in wtk 2.2…
• after running a couple of apps the whole thing crashes an burns
• when closing down the wtk a process is left lingering. Run this in a terminal:  ps aux | grep device-manager.app
• switching the verbose mode when launching the emulator kills the whole thing dead!
• they bundled ant 1.7.1 with the distro although ant is built in Mac OS
• Permgen errors are thrown if you try to launch the app too often. LOL

Here’s what happened when I created a new project and tried to run it:

*** Error ***

Failed to connect to device 0!

Reason:

Emulator 0 terminated while waiting for it to register!

The same thing happens with Emulator 1 and 2 and 3 and 4 and 5 and 6 and … you get the picture.

Googling did return lots of forum posts, but hardly any answers…

So after wasting more than 2 hours on this issue I did the unthinkable: rebooted my mac! To my surprise the miracle happened during the reboot: I was finally able to run the project again.

Needless to say I am very disappointed but not surprised by the quality of this, early access, Java ME SDK.

Cheers…

If you landed on this page it probably means that you’ve attempted to deploy a Jersey RESTful web service in IBM’s Websphere app server.
First of all: what were you thinking?!?

Secondly: it probably wasn’t your decision and you just need to make it work and move on. That was our case anyway…

So rather than bore you to death with how we ended up debugging the JVM and discovering that a java.lang.TypeNotPresentException is thrown when calling class.isAnnotationPresent from within the cores (com.ibm.oti.reflect.AnnotationHelper.getAnnotation) of the IBM J9 JVM rather than a plain true / false, I will just give you a bullet list of the things that need to happen to keep Websphere happy.

• Get your versions right! Jersey 1.0.3 and Websphere AS 6.1.0.25 (including 6.1.0.25 Fix Pack for Web Services) (Getting here is a blog post in itself and I will not do it here)
• Make sure that the enterprise app that contains your Jersey resources uses “Classes loaded with parent class loader first” and “Single class loader for application” (That is in your application’s “Class loading and update detection” section.)
• In your web xml configure the Jersey servlet to search for resources using ClassNames rather than packages. Basically make sure your web.xml looks similar to what I have below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

        <servlet>
		<servlet-name>Jersey Web Application</servlet-name>
		<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
		<init-param>
			<param-name>com.sun.jersey.config.property.resourceConfigClass</param-name>
			<param-value>com.sun.jersey.api.core.ClassNamesResourceConfig</param-value>
                </init-param>
		<init-param>
			<param-name>com.sun.jersey.config.property.classnames</param-name>
			<param-value>
				net.tmro.MyRESTfulResource
			</param-value>
		</init-param>
		<load-on-startup>10</load-on-startup>
	</servlet>
 
	<servlet-mapping>
		<servlet-name>Jersey Web Application</servlet-name>
		<url-pattern>/json/*</url-pattern>
	</servlet-mapping>

• Okay, some clarification: the reason ClassNamesResourceConfig is used rather than PackagesResourceConfig is that when the packages are browsed for the actual @Path annotated classes an actual jar browsing is done which throws and swallows a nasty SecurityException… I invite you (more like dare you) to try using ClasspathResourceConfig and let me know if it works.

Now go ahead and give this a try… don’t forget to let me know if it worked or failed for you… Good luck!

Cheers….

First of all, let me just say this: if one is using a Windows Mobile device, why would they need a J2ME / JavaME application? Unless maybe it’s a game…

Windows Mobile devices don’t always come with JVMs, which only makes it hard for both developers and users. The problem is that there are not too many options out there. Not free at least. Here are the implementations that I am aware of:

• IBM Websphere Everyplace Micro Environment (former J9)
• CrE-ME
• Jeode (discontinued) in favour of the more expensive Jbed
• Jbed
• JBlend
• JV-Lite2 Wireless Edition

As a developer one can probably only hope to get IBM’s implementation or CrE-ME, as the other ones are mostly sold to device manufacturers. I know it hurts to pay money for a Java ME implementation but if you google long enough you’ll find some free versions on some forums.

The other problems that I’ve found with these implementations is that you can’t get too fancy with your applications. Sometimes the SSL certificates are not available to these JVMs, other times if the application is served as a stream from some server the JVM (AMS) won’t install it. Other JVMs will read the URL and name the application after whatever follows the last forward slash “/”. Problems everywhere.

So why does SUN not step up and provide an implementation to help the Java ME developers out there? There is no official JVM for the iPhone, no JVM for the Android platform… Is SUN giving up on the Java ME platform?

Windows Mobile (CE) and Java have been on the market for a long time, yet they have not worked together and other platforms have stepped up and conquered the developers’ hearts. I really cannot see an iPhone developer switching to Java ME. I can imagine though lots of Java ME developers really looking forward to moving the Apple’s platform. And all this right before Google realease some final version of the hyped Android platform.

What do you think?

Cheers…

I am no DBA guy. No doubt about that. I would be even more frustrated if I were one. Today I stumbled upon another PostgreSQL issue but this time around I decided to share my anger with you.

Problem: Imagine that you need to write a query that returns the values that match a condition or null if nothing is matched. In other words you are trying to do a coalesce. So your query would be something like Select * from EMPLOYEE where :empNoParameter IS NULL or :empNoParameter = EMP_NO. Normally you’d rewrite this as: Select * from EMPLOYEE where EMP_NO = COALESCE(:empNoParameter, EMP_NO) because COALESCE will return the first non-null value that it finds … Now the problem is that in EJBQL or the new Java Persistence Query Language there is no Coalesce function. Damn. So you have to write in the first style. The problem is that, in PostgreSQL (8.3), you will get a org.postgresql.util.PSQLException: ERROR: operator does not exist: character
varying = bytea or something similar to that.

Solution: The query was Select * from EMPLOYEE where :empNoParameter IS NULL or :empNoParameter = EMP_NO and it failed; that happened because when the PostgreSQL JDBC driver first encountered the empNoParameter named parameter it had no clue what type it was because empNoParameter IS NULL does not really reveal the type. So the driver just assigned some default type to the param. Which would be okay if you didn’t need to do some other comparison later on with the same parameter. So when you come across :empNoParameter the second time around it will have the type it was given initially and will only work as intended if the EMP_NO is indeed of that type. Which in most cases will not be. So here is the solution: swap the tests around: Select * from EMPLOYEE where :empNoParameter = EMP_NO OR :empNoParameter IS NULL. Now the named query will work because the JDBC driver will be able to identify :empNoParameter’s type from the first test it has to make.

Rant: Why don’t you do a look ahead you silly PostgreSQL driver? Eh? Why don’t you?

Note: This is my guess as I have not studied the JDBC driver code. I know it worked in more than one scenario though so hopefully it will work for you too…

Cheers…

Update (a day later): Apparently the video if fixed now. Good on ya. Can we have a final SDK now, please?

My friend Jono and I had a closer look the other night at how Vodafone NZ’s changes affect our browsing experience.

I will not reproduce here what our first thoughts were; I will let you judge for yourselves. We chose two sites for our tests: asb.co.nz and tvnz.co.nz

Asb.co.nz was loaded over HTTPS and over HTTP.

This is asb.co.nz over HTTPS:

All’s good, the website looks exactly the way it is supposed to look like.

Now over HTTP. Boy oh boy!

So what went wrong? I believe a couple of things caused this tremendous change:

• The page was converted from HTML to WML so that it can be displayed on our non-full HTML compliant browser
• The request was not an HTTPS request therefore during the HTML to WML conversion Vodafone’s software injected those images at the top and changed the layout of the site.

Let’s just say that Asb’s website just happens to be complicated and therefore it looks bad after the conversion. One could say that it is Asb’s fault for not having a mobile version of the site. Well have a look at what happens when you browse to website that does have a mobile version of the site.

TVNZ portable – not that portable after Vodafone’s changes tho

Obviously this is not what TVNZ had in mind when they paid to develop a mobile version of their website. I will tell you what went wrong here:

• A request was made for the tvnz website. Normally the web application would detect the mobile agent and render the mobile version of the site.
• Vodafone on the other hand, loaded the website and re-rendered it to the mobile client adding their images at the top

This what it was supposed to be

Sadly, the non-optimized version of the site looks heaps better.

To get this last version loaded on our phone we simply chose to use a different APN. See my other post to learn more about this.

If this is what happens to a website, can you imagine what happens if you try to use a Java application to transfer data? Do keep in mind that java applications do not send user agent information over the air…

If I am wrong in my assumptions do let me know and I will update this post.

Cheers…

There is one thing that often makes me close Safari and fire up Firefox: missing link highlighting.

Hello,

This blog came to life because of my frustration: I pay for a service that does not give me any value…

ASB netcode has been unavailable for some time now for the Telecom customers in New Zealand. What this means is that if you are a Telecom customer you cannot receive Netcode messages on your mobile phone when ASB sends them to you…

If you do not know what Netcode is then you can have a look on www.asb.co.nz or you can just believe me when I tell you that it is ASB's Two Factor authentication solution. To give you an example, ASB customers who try to make a payment over $800 (NZD) are sent an SMS with a code that is required to complete the transaction.

But why did ASB introduce Netcode for their Fastnet Internet Banking Service? Did they try to prevent man-in-the-middle attacks? Netcode does not solve this problem… (read on and you will understand why not) Did they want to prevent phishing? Phishing cannot be stopped by a TXT message… I know you find it hard to believe but bear with me for a moment here.

I think it is great that ASB are using a TXT based solution rather than a hardware token. I would hate to have to carry another thingy with me simply because I want to make a n internet payment. At the end of the day the hardware token is not much more useful anyway… It is all perception, unless you can prove me wrong.

So here is my argument:
I will show you how the bad guy (Bill) is going to be the-man-in-the-middle and transfer money to his account from a vicitim's account.

Let's begin:
Marry – naive girl who clicks on any link that has her bank's name in it…
Bill – the bad guy: he has set up a phishing site that looks just like the site that belongs to Marry's bank
ASB – the bank that Marry uses and that has a two factor solution in place (pin based or no pin based, Bill doesn't care)

So Bill sends an email to Marry that has a link to a fake ASB site….
Marry clicks the link and then she sees the login page… she puts her credentials and submits the page…
Bill gets the credentials and goes to the real ASB Fastnet internet banking site and uses them to actually login… this is a typical case of phishing…
Bill wants to transfer money from Marry's account to his own but wait, he can't because he is going to be asked for a Netcode… so he waits until…
Marry clicks on a function in the fake ASB internet banking site to, say, do a funds transfer….
Bill's site now displays a field for a Netcode and Bill goes to the real site and requests the Netcode
ASB sends the Netcode to Marry's phone and…
Marry types the netcode in Bill's site
Bill now takes the Netcode and puts it in the real site and bum! the transfer is complete!!!

Ooops, does this sound difficult? Well it is not easy to do but it can be done. I do hope that I am wrong and that this scenario does not actually puts me at risk but what does the bank security expert have to say?

This is not a tutorial on how to hack a bank but a call to make the banks come up with better two factor authentication solutions, I know a few ways to do that and I might just put them in writing in another blog… Oh they are cheaper and faster too…

Should any of you dear readers work for a bank please tell me if this article does more harm than good. I just want people to think about this problem. At the moment I am afraid the this kind of two factor authentication solutions just create a perception of security and they do not add too much real value to us as customers… not to mention that we have to pay for a service that does not really protects us…

Cheers…

Just to make things more clear: The IBM session turned out to be quite different from what IBM had told me on the phone.

Not only were there more than 2 people from one particular IBM partner ( BNZ ) but there were still workstations available.

I wonder why IBM did not bother to announce the people on the waiting list that there were still seats available.

Or maybe they did…

Cheers…

IBM organizes the "Websphere Proof of Technology" session in Wellington New Zealand on the 30-th of November: http://www-8.ibm.com/events/au/wspot/esb.html
I could not believe my ears today when IBM called to say that they had more registrations than they imagined they would have and can only accommodate one person per company. I just can’t imagine why they would not change the location or maybe organize a second session so that everyone interested could attend.
Probably the question should be: why did they accept registrations when they ran out of seats?

Hmm… this is not very professional.

Cheers…