When bytes
meet Mike

People are using all their senses for recognition. Just think about how many jingles, slogans, images, or even actor faces unequivocally remind us of something. They are consistently building what we call a brand. It’s not a coincidence by the way - it’s called multisensory marketing. Software engineering loves consistency too - not only when ACID comes to play, but also in terms of technical content. Interestingly, only some of the tech companies I know managed to build a consistent, nice to look at visual identification or technical brand (surprisingly, the budget often seems not to be a reason for that). I and many of the technical people I know actually care about those things. One could say, the content is more important than its wrapping - sure! However, mediocrity is what we feel right at first look. And in terms of marketing, nobody wants the first impression to be the last one…

At the end of 2018, I had a pleasure to give a talk at Testwarez - the oldest testing-oriented conference organized in Poland. The recording recently appeared on YouTube, so I decided to take this opportunity to figure out what has changed through the past few months in terms of tools that I presented. The goal of my talk was to present some practices and open source tools for improving the overall security of Java-based projects. Including them as a part of the delivery pipeline (static code analysis, build process, Docker images creation, etc.) sets up a regular and automated “security audits” routine even without a dedicated security team. Please don’t get me wrong - it doesn’t mean that we don’t need pentesters (“security magicians” in general) or external audits anymore. I believe that if some of their work could be done in an automated manner every day then it should make our apps noticeably more secure and reduce the number of vulnerabilities that could be found later on.

A typical luggage case padlock with 3 rings and TSA (backdoor) lock on the left A combination of 3 digits - this is the level of protection offered by the vast majority of luggage cases on the market. 3 digits secret code, that should keep all your personal belongings safe at the aircraft, lobby and hotel room. Lots to expect for just 3 digits…

I have to admit, that when I first saw Project Lombok few years ago it was quite odd to me. The whole “annotation thing” and code pieces appearing “magically” inside the classes made me skeptical. A few years later, I’m now a fan of using Lombok in my Java projects for many reasons. Not all of its users know, that Lombok has more than just reducing the boilerplate code to offer. Let’s take a look at what’s behind its magic and what could you benefit from adding it to your projects. Instead of making a hello world example using features like @Getter, @Setter or @Builder, this post is focused on some more complex concepts behind Lombok.

Building docker images within the CI pipeline isn’t something new or unusual these days. Normally it’s super easy - you just have to install Docker in your Jenkins CI environment and add jenkins user to the docker group. Problems appear when your Jenkins instance is a docker container itself. Inception begins How to make docker available inside your container? Here is a three steps solution: Install docker in your container. Expose docker socket (/var/run/docker.sock) to the Jenkins container. Expose host’s docker executable (/usr/bin/docker) to the container. At this point, you should already be able to use docker inside Jenkins’ container. Nevertheless, all docker commands executing by Jenkins must start with sudo docker. That requirement has been greatly explained in Post-installation steps for Linux chapter of docker’s docs. If it fits your needs & security restriction you can stop here - but please know, that there is a better solution ;)

I want to share with you some of my thoughts about using Apache Solr (especially SolrCloud) on production. In one of the projects I’m participating in, we are using it to provide Near-Real-Time (NRT) searching along with frequent updates to the indexes. Here are some tips, that helped our project stand still on production environment against hundreds of simultaneous requests per second. This post is focused on the memory related aspects of the Solr configuration. Most of the advice presented below apply to other large-heap Java applications as well.

The cryptographic world changed a lot since 2008 when Google’s Keyczar library showed up. However, one thing is still the same - effective cryptography is really hard to implement. Keyczar library was a quite successful attempt to provide easy to use crypto solutions based on current security standards to Java, Python and C++. Now, after 9 years of its development, the future doesn’t look so bright. Ain’t no sunshine when it’s old In the late 2016 Keyczar’s maintainers announced that:

Luke, I am Your Father! In his first day at the new job, Bob created the following class: import java.util.Arrays; import java.util.List; /** * Returns a sum of given numbers. * @author Bob */ public class NumberSumCalculator { public int sum(List<Integer> integers) { int sum = 0; if (integers != null) { for (Integer integer : integers) { sum += integer; } } return sum; } } He was so proud of it, so he put the @author Javadoc tag with his name at the top. Two days later, his friend Eve performed so called “cosmetic cleanup”:

As you can already see in the browser’s address bar, my blog (along with other sites on mkowalski.net domain) received HTTPS support. Thanks to Let’s Encrypt everyone can get valid HTTPS certificate for free! Interested? Check out their’s Getting Started Guide. If you are lucky enough your hosting provider may already support Let’s Encrypt automatically. In my case a manual configuration was required. Luckily, it have been documented well by MyDevil team, so the process took me just a few minutes.

Two days ago I’ve participated in a JUG meeting in Poznań which special guest was famous Java rock star Adam Bien with his presentation called Microservices in 2016 — What Worked Well. The session was focused on the typical Bien’s stack: JEE microservices & Docker and overlapped with his presentation on Devoxx Poland 2016. But don’t get me wrong - it was totally worth it! The Bien’s way One of the most controversial topics during the session was the preffered size and the granularity of microservices. Bien’s approach is to start with a monolith app (single WAR) and split it only when you have a good reason for it (like security requirements). He typically ends up with just a few microservices (eg. about 5), that not always have to encapsulate just one feature. At the same time they should be ‘micro’ in terms of the WAR size and a minimalistic dependecy set - ideally limited only to JEE libs provided by the application server. Probably the most powerful feature of his development model is the speed - he packages and deploys WAR into dockerized application server blazingly fast (seconds!). But are his microservices really ‘micro’?