classNotFoundException : Javax.Servlet.Jsp.Jstl.Core.Config

Are you trying to leverage JSTL tags in JSP but getting classNotFoundException? This might be the case if you are deploying your web application in tomcat (I came across this while migrating from one container to other). Many JEE containers provides this, but not tomcat.
To solve this, Include following dependency in project to fetch the jar and bundle it with library


Book review of “HTML5 & CSS3 For The Real World” By Estelle Weyl, Louis Lazaris, Alexis Goldstein

HTML and CSS for real world is a quick peak into HTML5 and CSS elements for developing modern web apps. But it for UI –do not look out for WebRtc, CORS feature etc.

This books expects familiarity with the HTML and CSS –so if it’s your first encounter with HTML and CSS, skip this book and get familiarity with those first as many a place you will find phrase “as you already know”.
Book starts nice with a bit of background and history, weighing in why HTML5 is good, how much it is supported –but then it became too theoretical, at least till chapter 5. Some visuals have been provided along with code, but I felt a lack of “hands on approach”. Chapters 6 and 7 have plenty of examples but again starting chapter 8, it weighs more towards theory.

The part I like most is that it covers compatibility across browsers quite comprehensively, augmenting it with notes, tips and tricks

Why to buy the book: If you do not know what to learn in HTML5 and CSS3 and not keen on getting your hands on reference guide –go for this book. It will give you enough steam to get you started. Cross browser compatibility have been covered thoroughly.

Why not to buy the book: If you know what to learn, this book is no better than reference guide. Practical tips and tricks help, but anyway it can be acquired as one get hands on.

Review of “The Basics of Web Hacking Tools and Techniques to Attack the Web” by Josh Pauli; O’Reilly Media

Josh Pauli, in this book tries to touch of the basics of web hacking -concepts, tools, methodologies and all. The author does a great justice providing enough pointers to start with and then delve as much deeper as ones interest.

It identifies different layers at which hacking can be done for example network layer, application layer etc., provides insight about the tools (Burp, Zed Attack Proxy, Nmap, Nessus etc.) which can be used at each layer –both free as well as paid ones, discusses what are the ways an application vulnerability can be attacked, good analogies to understand the issues better and many hands on example to try out each one of them. In fact analogies makes life much easier to understand stuff!
If you are developer and have not thought about the security issues before –it will be an eye-opener! Oh no, can this be hacked? Tools to monitor HTTP traffic (Browser extension as well as PC tools), types of XSS attack, how user’s trust and server’s trust can be fooled –many more concepts have been nicely touched upon. For advanced knowledge, author have given out an impressive list of book at the end.

One drawback –or maybe not, it’s really subjective, is that most of context is for Linux –so users working primarily with windows will have to map all linux stuff to windows parallel.

For the users who already are well versed with the tools, methodology and type of attacks -this might be a refresher, but at end it does justice for its title, BASICs.

A must have for everyone who want to understand the basic, what really a PEN test mean, want to “break” and fix application before the penetration test team does it! Have fun hacking your own website 😉

Failing unit tests with mockito

I posted a question here

Mockito will report an exception in calling class and fail the test -but it would not print the trace. Check out for two stuff:

  1. toString -can it result in NPTR? Do not print the field values blindly, have a NULLability check there.
  2. equals -While mocking, we pay not initialize the ID, for example if ID is a DB generated, then it’s NOT
    part of constructor and one can easily forget to assign it..
  3. Check for exception which can occur in calling module -may be the problem is as simple as trace not being printed!

Mock annotation returning null for mocked object

Using mockito and had written

private SomeService someService;

This was returning NULL and my test cases were failing -What was the missing element – a one liner

public class SomeClass{

Which is needed for @Mock annotation to work!

Remote debugging eclipse with tomcat

Its extremely basic -but I always miss a step or so and end up searching on google. So I though I will just Jot it down -more so for me!

  • In bin/catalina.bat add following

    set JPDA_OPTS=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n
  • For starting tomcat, do not use startup.bat instead navigate to bin folder from command prompt and use following command to start tomcat
    “catalina.bat jpda start”
  • If tomcat starts listening successfully -it should print a message as

    “Listening for transport dt_socket at address: 8000”
  • Next In eclipse,

    1. select the project and click on debug->debug configurations Under “Remote Java application” -create a new configuration, and then enter

      Host -> localhost

      Port -> 8000 (same as given in address for JPDA_OPTS)
    2. All set ..eclipse should be able to connect to tomcat and debug points should be enabled in webapp

Why web sockets fail on http while succeed over https

I was in a mess and this is the blog which gave me clue out of it.
I had created two simple examples of websocket implementation using yet to realease spring 4 support for websockets.
I tested it from home and all well and good (no issues).
Next day I tried to demo it in my team –and the HTTP version failed, but to surprise the HTTPS was still good and saved my day!
I realized that I have not done my homework properly –rather impressed by simplicity of spring, have rushed in implementation. While searching for the issue I stumbled on the above article –it turns out that “Automatic Proxy” at office network was culprit. Here is the story

  1. We have “automatic proxy ” at work place –meaning no explicit IP or script in proxy tab in browser setting, once on network, transparent proxies are used.
  2. For HTTP :: Since browser was not aware of any explicit proxy, it addressed the Web socket server and while passing through the transparent proxy, required headers were removed. Websocket is an http upgrade (communicated via certain header, above article have all the details) -since headers were removed, the end server could not make sense of it and treated as simple HTTP
  3. For HTTPS :: Again browser was not aware of proxy, but since data was encrypted –proxy did not tampered the header and request went through to the actual server -since headers were still there all went good and fine!
  4. Spring web socket client (Sockjs) was smart enough to switch to WSS when I used HTTPS –which I did not realize at first shot. Lesson learned -test stuff behind proxy, firewalls even if it is an internal demo 🙂

In actual scenario –in any of corporate deployment, it’s going to be a HTTPS, so seems that web socket have a very good story there!

Spring data -yet another abstraction -quickly getting started

We started with JDBC, then ORM which abstracted the underlying relation DB. Then came JPA -which abstracted the underlying ORM. Now Spring Data

But the kind of versatility we see today in data storage -relational, distributed, nosql and others, to me Spring Data seems to server the purpose.

It abstracts the CRUD for “different” type of data as relational, nosql and just by coding to appropriate interface CRUD operations can be achieved. For getting started use this link for configuring the entity manage, transaction manager -basically the setup stuff.

Write a DaoInterface -here the magic goes, the extended interface decides type of data , relational, nosql etc.

public interface TestDao extends CrudRepository<TestData , Integer> {

And then for CRUD operations use this Interface :

public class TestService{
    TestDao testDao;
 	public boolean saveTestData(TestData testData){
                return true;
    	return false;
	@Table (name="testtable")
	public class TestData {
	    private Long id;
	    public Long getId() {
	        return id;
	    public void setId(Long id) { = id;

I found it simple, yet flexible and power full considering the fact that although projects start with SQL, but down the line NOSQL is definitely on their road map -this abstraction will ensure least throwaway code!

Is amazon micro instance of any worth?

I was attracted by per hour pricing of Amazon cloud hosting – to see how things work out, I decided to give it a try.

The Good Part
The entry level is “micro instance” -free of cost for 750 hrs a month. I quickly calculated 24×30=720 -hmm and it works. It says, it good for small traffic -perfect! I just had couple of visitors per HOUR! Nothing can be lesser than that 😉

Background of my APP -its a enterprise app, CPU intensive and high on DB queries. Wanted to demo a couple of clients so was just looking around for some cheap option and I stumbled upon “Free” option.

And The Bad Part
My excitement did not last longer -I noticed a behavior that for a couple of ‘seconds’ things would work as fast as its locally deployed but just a couple of minutes of continuous usage -and thing would come to grinding halt:(

I would have smelled fishy on my side if I could produce this behavior locally, but I have been running this app in LAB environment for a couple of days without any issue.

I spend couple of hours searching for the root cause and I stumble upon this -Thanks god, it saved me a hell lot of effort! Visit this blog and it’s nicely described how “stealed CPU” is the culprit!

So is micro instance any worth ? Only if you want to get a first hand feel of deployments in the cloud and a pat that “hooo -my app is running in ‘cloud’ “, nothing more nothing less!

For starter and less traffic -use their small instance which as on today comes at .080$ in singapore zone. As explained in the blog-at least it will provide consistent behavior.

HAPROXY up and running in couple of minutes

I tried HAPROXY for my WEBAPP (Hosted on tomcat) -reason for using HAPROXY is that it also supports WEBSOCKETS and my current project uses websockets for server push.
As first step, I tested it with bare bone web application -wow, it’s just so easy, without any hiccups it was up and working in ~30 minutes. I used Linux box as no distribution for windows is available (One can use cygwin) -My previous poston same.

  1. Download HAPROXY , I used version haproxy-1.4.24.
  2. Untar it tar -xvf haproxy-1.4.24.tar.gz.
  3. Build HAPROXY, command “make TARGET=linux26” This is for centos58, Linux kernel 2.6. 26 in “TARGET=linux26″ indicates kernel for linux, if its 2.4 use TARGET=linux24”. As a side note, to know the kernel use uname -a on your linux box.
  4. copy haproxy to /usr/sbin use “cp haproxy /usr/sbin/haproxy”
  5. Create a config file say /etc/haproxy_chandan.cfg:
  6. A mentioned on the HAPROXY site, this is the bare minimum configuration needed -Add it to the config file
        maxconn 256
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
    frontend http-in
        bind *:80
        default_backend websockets_support
    backend websockets_support
        server ws1 a.b.c.d:8888 maxconn 32
        server ws2 a.b.c.d:8080 maxconn 32
    listen admin
        bind *:8080
        stats enable
  7. Start HAPROXY, /usr/sbin/haproxy -f /etc/haproxy_chandan.cfg
  8. As configured, requests will be handled at port 80 while the admin console for haproxy is 8080

Access your app from http://ipofmachinewherehaproxyisinstalled:80
Access haproxy admin console from http://ipofmachinewherehaproxyisinstalled:8080/haproxy?stats

Thats all. Moving on to configure it for WebSockets and see if it needs additional configuration tweaks or changes -will post.