Navigating the Nuances of React: Managing Event Listeners in Conditional Components

In the dynamic world of React development, managing event listeners within conditional components can be a subtle yet crucial aspect that demands attention. Often, developers encounter unexpected behaviors when event listeners persist even after a component is hidden. In this post, we'll delve into this challenge and propose effective solutions to ensure seamless functionality in your React applications. Understanding the Issue Consider a scenario where a React component adds a key event liste

Post, Code and Quiet Time. Navigating the Nuances of React: Managing Event Listeners in Conditional Components By Errong Leng – 07 Apr 2024 – View online → Photo by Holly Booth / Unsplash In the dynamic world of React development, managing event listeners within conditional components can be a subtle yet crucial aspect that demands attention. Often, developers encounter unexpected behaviors when event listeners persist even after a component is hidden. In this post, we'll delve into this challenge and propose effective solutions to ensure seamless functionality in your React applications. Understanding the Issue Consider a scenario where a React component adds a key event listener using useEffect, expecting to remove it upon component unmounting. However, when the component is hidden through conditional rendering, the event listener persists, potentially causing unexpected behaviors or bugs. The Solution To address this issue and ensure proper management of event listeners in conditional components, follow these best practices: Conditional Rendering with useEffect: Leverage conditional rendering to control the visibility of components. When using useEffect to add event listeners, ensure that you consider the visibility state within the effect. Adding and Removing Event Listeners: Instead of relying solely on the cleanup function of useEffect, explicitly manage the addition and removal of event listeners based on component visibility. Component Visibility Control: Implement a mechanism to toggle the visibility of components. When a component is hidden, remove associated event listeners to prevent them from lingering and causing unexpected behaviors. Implementation Example Let's illustrate these best practices with a practical example: import React, { useState, useEffect } from 'react'; function ConditionalComponent() { const [isVisible, setIsVisible] = useState(true); useEffect(() => { const handleKeyPress = (event) => { if (event.key === 'Enter') { // Handle Enter key press console.log('Enter key pressed'); } }; if (isVisible) { window.addEventListener('keydown', handleKeyPress); } else { window.removeEventListener('keydown', handleKeyPress); } return () => { window.removeEventListener('keydown', handleKeyPress); }; }, [isVisible]); const toggleVisibility = () => { setIsVisible((prev) => !prev); }; return ( <div> <button onClick={toggleVisibility}> {isVisible ? 'Hide Component' : 'Show Component'} </button> {isVisible && <div>This component is visible!</div>} </div> ); } export default ConditionalComponent; In this example, the ConditionalComponent toggles its visibility based on the isVisible state. The useEffect hook adds and removes a key event listener depending on the component's visibility, ensuring proper management of event listeners. Conclusion By following these best practices, you can effectively manage event listeners within conditional components in your React applications. Remember to consider component visibility when adding and removing event listeners, ensuring a seamless and bug-free user experience in your web applications. Post, Code and Quiet Time. © 2024 – Unsubscribe

Debugging Deadlock Issues with Thread Dump Analysis Using kill -3 Command

Introduction: Deadlocks are a common issue in multi-threaded applications, where two or more threads are blocked indefinitely, waiting for each other to release resources. Identifying and resolving deadlocks is crucial for maintaining the stability and performance of your application. In this post, we'll explore how to use the kill -3 command to generate thread dumps and analyze them to diagnose and troubleshoot deadlock issues effectively. We'll also discuss additional tips for handling threads

Post, Code and Quiet Time. Debugging Deadlock Issues with Thread Dump Analysis Using kill -3 Command By Errong Leng – 07 Apr 2024 – View online → Photo by Library of Congress / Unsplash Introduction: Deadlocks are a common issue in multi-threaded applications, where two or more threads are blocked indefinitely, waiting for each other to release resources. Identifying and resolving deadlocks is crucial for maintaining the stability and performance of your application. In this post, we'll explore how to use the kill -3 command to generate thread dumps and analyze them to diagnose and troubleshoot deadlock issues effectively. We'll also discuss additional tips for handling threads in TIMED_WAIT state. Let's delve into the details. Generating Thread Dumps with kill -3 Command: To generate thread dumps for a Java process, you can use the kill -3 command followed by the process ID (PID). For example: kill -3 <PID> Replace <PID> with the actual process ID of your Java application. This command sends a SIGQUIT signal to the Java process, triggering it to generate a thread dump and print it to the standard error stream or log file. Analyzing Thread Dumps for Deadlocks: Once you've generated the thread dumps, you can analyze them to identify any deadlock situations. Look for the following signs: "Found one Java-level deadlock": This line indicates that the thread dump contains information about a deadlock. Locked resources: Check for threads that are holding locks on certain resources while waiting to acquire locks held by other threads. This often indicates a deadlock scenario. Thread state: Pay attention to the thread state of each thread in the dump. Threads in the "BLOCKED" state waiting for a monitor held by another thread are potential deadlock candidates. Thread stack traces: Examine the stack traces of blocked threads to understand where they're stuck and which resources they're trying to acquire. Resolving Deadlocks: Once you've identified the deadlock issues from the thread dumps, you can take appropriate measures to resolve them. Common strategies include: Reordering lock acquisition: Ensure that locks are always acquired in a consistent order across threads to avoid circular dependencies. Timeouts and retries: Implement timeouts and retries for lock acquisition to prevent threads from waiting indefinitely. Thread interruption: Consider interrupting threads that are stuck in deadlock situations to break the deadlock and allow the application to recover. Additional Tip: Handling Threads in TIMED_WAIT State When a thread is in TIMED_WAIT state, such as when using Thread.sleep() or object.wait() in a loop, simply setting a flag to exit the loop may not work as expected. If you're using a loop like while (!stopThread) { ... } and you set stopThread to true from another thread, the loop may not exit until the thread wakes up naturally. To ensure timely termination, you should call Thread.interrupt() on the waiting thread. This will interrupt its sleep or wait, causing it to throw an InterruptedException and exit the loop gracefully. Conclusion: Debugging deadlock issues in multi-threaded Java applications can be challenging, but with the kill -3 command and thread dump analysis, you can effectively diagnose and troubleshoot deadlock scenarios. By generating and analyzing thread dumps, you can identify the root cause of deadlocks and implement appropriate solutions to ensure the stability and reliability of your application. Additionally, understanding how to handle threads in TIMED_WAIT state is crucial for proper thread management and graceful termination. Post, Code and Quiet Time. © 2024 – Unsubscribe

Bypassing Client Authentication for Specific Endpoints in Spring Boot with mTLS(2 way SSL) enabled

In Spring Boot applications secured with SSL, enabling client authentication (configured as server.ssl.client-auth: need) typically requires that all incoming requests provide a valid client certificate. However, there are scenarios where certain endpoints require bypassing this client authentication while maintaining SSL security. For instance, consider a SOAP service where the operations exposed necessitate 2-way SSL, but the WSDL endpoints do not require client certificates and may pose usabi

Post, Code and Quiet Time. Bypassing Client Authentication for Specific Endpoints in Spring Boot with mTLS(2 way SSL) enabled By Errong Leng – 07 Apr 2024 – View online → In Spring Boot applications secured with SSL, enabling client authentication (configured as server.ssl.client-auth: need) typically requires that all incoming requests provide a valid client certificate. However, there are scenarios where certain endpoints require bypassing this client authentication while maintaining SSL security. For instance, consider a SOAP service where the operations exposed necessitate 2-way SSL, but the WSDL endpoints do not require client certificates and may pose usability challenges for clients. In this post, we'll explore how to achieve this by customizing Spring Security's X509 pre-authentication mechanism. We'll develop a custom filter to selectively bypass client authentication for specific endpoints while still extracting the username from client certificates for pre-authentication purposes. Let's delve into the implementation details. server.ssl.client-auth The configuration parameter server.ssl.client-auth typically refers to the server's requirement for client authentication during SSL/TLS (Secure Sockets Layer/Transport Layer Security) handshake. server.ssl.client-auth:need When set to need, it means that the server requires clients to present a valid certificate for authentication. If the client fails to provide a valid certificate or if the certificate verification fails for any reason, the server will terminate the SSL/TLS handshake, and the connection will not be established. This setting adds an extra layer of security to server-client communication, ensuring that only authorized clients with valid certificates can access the server's resources. It's commonly used in scenarios where strong authentication and security are paramount, such as in financial institutions, government agencies, or any other environment where sensitive data is exchanged. server.ssl.client-auth:want When server.ssl.client-auth is set to want, it signifies that the server requests, but does not require, client authentication during the SSL/TLS handshake. In this configuration: If the client presents a valid certificate, the server will verify it and proceed with the handshake. If the client does not present a certificate, the server will still continue with the handshake, allowing the connection to be established without client authentication. This setup provides flexibility, allowing clients to authenticate themselves if they possess a certificate, but not enforcing it as a strict requirement. It's often used in situations where optional client authentication is desired, such as in web applications where some resources are restricted to authenticated users but others are publicly accessible. So we will change server.ssl.client-auth from 'need' to 'want' and implement a custom X509 filter to change the behaviour for pre authentication by the username provided in the client cert. Custom X509AuthenticationFilter Implementation public class CustomX509AuthenticationFilter extends X509AuthenticationFilter { private X509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor(); public CustomX509AuthenticationFilter() {} @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) { X509Certificate cert = extractClientCertificate(request); return (cert != null) ? this.principalExtractor.extractPrincipal(cert) : null; } @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest request) { return extractClientCertificate(request); } private X509Certificate extractClientCertificate(HttpServletRequest request) { // for get method, not use the client cert even if it existed if (HttpMethod.GET.matches(request.getMethod())) { return null; } X509Certificate[] certs = (X509Certificate[]) request.getAttribute("jakarta.servlet.request.X509Certificate"); if (certs != null && certs.length > 0) { this.logger.debug(LogMessage.format("X.509 client authentication certificate:%s", certs[0])); return certs[0]; } this.logger.debug("No client certificate found in request."); // for soap request we should reject the request if no client cert found if (HttpMethod.POST.matches(request.getMethod())) { throw new RequestRejectedException("No client certificate found in request."); } return null; } public void setPrincipalExtractor(X509PrincipalExtractor principalExtractor) { this.principalExtractor = principalExtractor; } } In our custom implementation, we intentionally return a null client certificate regardless of whether the client sent one along with the request. This is particularly relevant when accessing WSDL endpoints via a browser, as the browser may automatically include a default client certificate, even if it's not the required one. Since this behavior is beyond our control and can't be reliably managed, we choose to handle it by returning null for any requests using the 'GET' method. However, if the endpoints we want to bypass client authentication for are accessed using methods other than 'GET', we may need to inspect the request URL to determine the appropriate action. so that the username pre-authentication will be skipped since we set client-auth to just 'want', not mandatory required. WebSecurity Config @Configuration @EnableWebSecurity @Slf4j public class WebSecurityConfig { @Value("${ra.client.username}") private String userNameInClientCert; @Value("${ra.client.cn-regex}") private String subjectPrincipalRegex; @Bean RequestRejectedHandler customRequestRejectedHandler() { return new CustomRequestRejectedHandler(); } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { CustomX509AuthenticationFilter x509AuthenticationFilter = new CustomX509AuthenticationFilter(); http .authorizeRequests(authorizeRequests -> { try { authorizeRequests.requestMatchers( new AntPathRequestMatcher("/ws/*.wsdl", "GET"), new AntPathRequestMatcher("/ws/*.wsdl", "GET"), new AntPathRequestMatcher("/ws/*.xsd", "GET")) .permitAll().and().x509(AbstractHttpConfigurer::disable); authorizeRequests.requestMatchers( new AntPathRequestMatcher("/ws/op1", "POST"), new AntPathRequestMatcher("/ws/op2", "POST") ).permitAll().and().x509(x -> x.subjectPrincipalRegex(subjectPrincipalRegex) .x509AuthenticationFilter(x509AuthenticationFilter) .userDetailsService(username -> { log.info("username in client cert is : {}, {}", username, subjectPrincipalRegex); if (!username.equalsIgnoreCase(userNameInClientCert)) { throw new RequestRejectedException("no match username found from the client certificate in request."); } // TODO... check username against ldap or your username manager service // should throw new RequestRejectedException in case required username not found return new UserDetails() { @Override public Collection<? extends GrantedAuthority> getAuthorities() { List result = new ArrayList<>(); result.add(new GrantedAuthority() { @Override public String getAuthority() { return "read"; } }); return result; } @Override public String getPassword() { return null; } @Override public String getUsername() { return username; } @Override public boolean isAccountNonExpired() { return true; } @Override public boolean isAccountNonLocked() { return true; } @Override public boolean isCredentialsNonExpired() { return true; } @Override public boolean isEnabled() { return true; } }; })).csrf(c -> c.disable()); } catch (Exception e) { throw new RuntimeException(e); } }); SecurityFilterChain sc = http.build(); x509AuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class)); return sc; } } In this part of the implementation, there are a few key considerations. Firstly, we ensure that the AuthenticationManager is set to the custom X509 filter after the http.build() statement. This ensures that the AuthenticationManager is properly initialized before it's used by the filter. Secondly, we always throw a RequestRejectedException, regardless of whether a client certificate is found in the CustomX509AuthenticationFilter for protected requests or if the username doesn't match. This is because, in the filter chain of the Spring Boot web or WebFlux framework, only this exception will be caught and result in an error response being returned to the client when client authentication is set to 'want'. I've experimented with throwing a custom Runtime exception, but it gets caught as well. However, in this case, it's only logged and the SSL handshake continues because the client certificate is not required. Custom RequestRejectedHandler by default, HttpStatusRequestRejectedHandler is used to send error response for RequestRejectedException. it only set a status 400 BAD_REQUEST. but does not have any body. in case you want to set different status code or want tell the client the specific reason, we can customize it by implement a custom RequestRejectedHandler and initialize it as a Bean. @Slf4j public class CustomRequestRejectedHandler implements RequestRejectedHandler { @Override public void handle(HttpServletRequest request, HttpServletResponse response, RequestRejectedException requestRejectedException) throws IOException, ServletException { log.info("Rejecting request due to: {}", requestRejectedException.getMessage(), requestRejectedException); // response.sendError(HttpServletResponse.SC_BAD_REQUEST, requestRejectedException.getMessage()); // Set the status code response.setStatus(HttpServletResponse.SC_FORBIDDEN); // Write a custom response body response.getWriter().write(requestRejectedException.getMessage()); } } @Bean RequestRejectedHandler customRequestRejectedHandler() { return new CustomRequestRejectedHandler(); } Conclusion In scenarios where you need to selectively bypass client authentication for specific endpoints in your Spring Boot application secured with SSL, Spring Security's X509 pre-authentication mechanism offers a robust solution. By customizing the X509AuthenticationFilter, you can configure your application to extract the username from client certificates while bypassing authentication for designated endpoints. This approach ensures flexibility in managing security requirements while maintaining the integrity of your application's authentication process. Post, Code and Quiet Time. © 2024 – Unsubscribe

Implementing A/B Routing with Spring Cloud Gateway

In modern microservices architectures, routing requests based on specific criteria is a common requirement. In this post, we'll explore how to use Spring Cloud Gateway to implement A/B routing for different customers based on their customer IDs. We'll achieve this by implementing a custom filter in Spring Cloud Gateway to check the customer ID and route them to the appropriate service based on defined criteria. Custom Filter Implementation: import org.springframework.cloud.gateway.filter.Gate

Post, Code and Quiet Time. Implementing A/B Routing with Spring Cloud Gateway By Errong Leng – 06 Apr 2024 – View online → Photo by Mi Min / Unsplash In modern microservices architectures, routing requests based on specific criteria is a common requirement. In this post, we'll explore how to use Spring Cloud Gateway to implement A/B routing for different customers based on their customer IDs. We'll achieve this by implementing a custom filter in Spring Cloud Gateway to check the customer ID and route them to the appropriate service based on defined criteria. Custom Filter Implementation: import org.springframework.cloud.gateway.filter.GatewayFilter; import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory; import org.springframework.stereotype.Component; import reactor.core.publisher.Mono; @Component public class ABRouteFilter extends AbstractGatewayFilterFactory<ABRouteFilter.Config> { public ABRouteFilter() { super(Config.class); } @Override public GatewayFilter apply(Config config) { return (exchange, chain) -> { // Get the customer ID from the query parameter String customerId = exchange.getRequest().getQueryParams().getFirst("customerId"); // Perform logic to determine A/B routing based on customer ID boolean isRouteToA = shouldRouteToA(customerId); // Define the target route URL String targetUrl = isRouteToA ? config.routeToAUrl : config.routeToBUrl; // Modify the request URI to route to the appropriate service exchange.getRequest().mutate().uri(uri -> uri.path(targetUrl).build()); // Continue with the request chain return chain.filter(exchange); }; } private boolean shouldRouteToA(String customerId) { // Implement logic to check customer ID and determine routing // This could involve database checks or other criteria // Return true for route to A, false for route to B } public static class Config { private String routeToAUrl; private String routeToBUrl; public String getRouteToAUrl() { return routeToAUrl; } public void setRouteToAUrl(String routeToAUrl) { this.routeToAUrl = routeToAUrl; } public String getRouteToBUrl() { return routeToBUrl; } public void setRouteToBUrl(String routeToBUrl) { this.routeToBUrl = routeToBUrl; } } } Route Definition in YAML: spring: cloud: gateway: routes: - id: ab-routing uri: lb://service-discovery predicates: - Query=customerId, * filters: - name: ABRouteFilter args: routeToAUrl: /service-a routeToBUrl: /service-b Perform redirection if required When it comes to routing requests in a web application, there are scenarios where simple forwarding isn't enough. One such scenario is A/B routing, where different users are directed to different versions of a service based on certain criteria, such as customer IDs. In this section, we'll enhance our Spring Cloud Gateway setup to perform A/B routing with redirection. We'll utilize a custom filter to dynamically determine the appropriate service endpoint based on the customer ID in the request URL, and then seamlessly redirect the user's browser to the chosen service. This approach ensures a smoother user experience and better management of traffic distribution in your application. Let's dive into the implementation details. URI originalUri = exchange.getRequest().getURI(); URI redirectUri = UriComponentsBuilder.fromUriString(host) .path(originalUri.getPath()) .query(originalUri.getQuery()) .build().toUri(); // Perform redirection to the appropriate service URL return redirect(exchange, targetUrl); }; } private Mono<Void> redirect(ServerWebExchange exchange, String targetUrl) { exchange.getResponse().setStatusCode(HttpStatus.SEE_OTHER); exchange.getResponse().getHeaders().setLocation(URI.create(targetUrl)); return exchange.getResponse().setComplete(); } Conclusion Implementing A/B routing based on customer IDs using Spring Cloud Gateway offers a flexible and scalable solution for routing requests in microservices architectures. By leveraging custom filters and route definitions, you can dynamically route requests to different services based on specific criteria, enhancing the flexibility and scalability of your system. Post, Code and Quiet Time. © 2024 – Unsubscribe

Testing 2-Way SSL with Postman and SOAPUI: A Step-by-Step Guide

Ensuring secure communication between clients and servers is paramount in today's digital landscape. Two-way SSL authentication, also known as mutual SSL authentication, provides an additional layer of security by requiring both the server and the client to authenticate each other. In this guide, we'll walk through how to test 2-way SSL authentication using two popular API testing tools: Postman and SOAPUI. Step 1: Setup and Configuration Before we dive into testing, ensure you have the followi

Post, Code and Quiet Time. Testing 2-Way SSL with Postman and SOAPUI: A Step-by-Step Guide By Errong Leng – 06 Apr 2024 – View online → Photo by Leo_Visions / Unsplash Ensuring secure communication between clients and servers is paramount in today's digital landscape. Two-way SSL authentication, also known as mutual SSL authentication, provides an additional layer of security by requiring both the server and the client to authenticate each other. In this guide, we'll walk through how to test 2-way SSL authentication using two popular API testing tools: Postman and SOAPUI. Step 1: Setup and Configuration Before we dive into testing, ensure you have the following prerequisites: Postman and/or SOAPUI installed on your machine Access to a server with a valid SSL certificate configured for two-way authentication Client certificate and private key files (.pfx or .p12 format) for authentication Truststore containing the server's certificate (for Postman) Step 2: Configuring Postman for 2-Way SSL Open Postman and navigate to the request you want to test. Click on the "Settings" icon next to the Send button. In the "Settings" tab, navigate to the "SSL certificate verification" section. Select "Client Certificate" and upload your client certificate (.pfx or .p12) and enter the passphrase if prompted. Optionally, upload the server's certificate to the "SSL certificate verification" section's "Root Certificate" field for additional validation. Click "Update" to save your settings. Now, send the request. Postman will use the provided client certificate for authentication. Not verify SSL during sent if your server cert is self signed. Set proper protocl such as TLSv1.3 in case you see 'sock hung up' error Step 3: Testing with SOAPUI Open SOAPUI and create a new project or open an existing one. Right-click on the project or test suite, navigate to "Add Step," and select "Load TestStep" -> "HTTP Test Request." Enter the request details (URL, method, headers, etc.) in the request editor. Switch to the "SSL" tab in the request editor. Check the "Use client certificate" option and browse to select your client certificate (.pfx or .p12) and enter the passphrase if prompted. Optionally, import the server's certificate into SOAPUI's truststore for validation. Save your changes and run the test. Step 4: Verifying Results After sending requests from both Postman and SOAPUI, verify that the server responds correctly. Check the response status codes, headers, and payload to ensure successful communication. Monitor for any SSL-related errors or warnings in the tool's console/logs. Conclusion: Testing two-way SSL authentication with tools like Postman and SOAPUI is crucial for ensuring the security and integrity of your API communication. By following the steps outlined in this guide, you can effectively validate your server's SSL configuration and ensure seamless communication between your client and server while maintaining the highest standards of security. Post, Code and Quiet Time. © 2024 – Unsubscribe