Overview

When you download an application on OS X, the browser sets an extended attribute on the bundle that marks it as being quarantined. Starting in Mountain Lion, non-sandboxed apps with the quarantine flag set must be signed with a Developer ID. In practice, this means that if a user downloads an unsigned application from the internet and runs it, they’ll get an error message much like this one:

Developers who can’t sandbox their app because it needs extensive access to the system, or don’t want to for other reasons, can avoid this problem by getting a Developer ID certificate and signing their app before releasing it.

Signing an app

The first step is to get access to a machine running Mountain Lion. If you don’t have a physical machine with Mountain Lion, you can use VMWare Fusion and run Mountain Lion in a VM. This works quite well and it’s what we use here at Palomino Labs for making sure our apps work on non-developer machines.

Next you’ll need to get a Mac Developer account and generate a Developer ID in the web-based Developer Certificate Utility. Note that if you have a company ADC account, only the team agent can request Developer ID certificates.

Read on →

Update: August 21, 2012

Since this blog post was initially released in June, StackMob has made some significant changes to their development environment. In particular, rather than relying on a local runner within the stackmob gem, they now ship a Python web server. This blog post has been updated to reflect these changes. Most of the content is the same; the only sections that have changed are “Connecting Sencha to StackMob” and “Deploying to Production”. We have also updated the sample project in GitHub.

Some Cool Tools

Sencha Touch is a fantastic JavaScript framework for building mobile web applications. It is great for rapid development because it comes stocked with all the standard UI components you want, and makes connecting to your API painless. We love using Sencha Touch to knock out a quick prototype, but the really stellar thing about this framework is that it is structured to scale (from a development perspective). The MVC structure of Sencha Touch 2 applications encourages developers to build a codebase that is maintainable even as it grows large. With flexible data store options, you can prototype an app with no server component (backed by local storage). Then, once you refine your idea and decide you want to turn it into a real app, you can drop in a proper API and reuse nearly all of the prototype code.

StackMob is a rapidly improving option for building an entire REST API in minutes. It allows you to define your data model and expose CRUD actions all through a simple UI. For those of you with “real world” problems, and “non CRUD actions” they provide a really simple way to develop custom endpoints with our good friend, Mr. Java. This week, they released OAuth 2 and shiny new access control features which remove the last few hurdles to using StackMob for grown up projects.

If we combine these tools we should be able to build pretty powerful applications in very little time. This isn’t easy to do out-of-the-box, so we are going to write a series of blog posts describing how to use these tools together.

Read on →

Fans of the Mac OS X Activity Monitor might have noticed that it allows you to inspect a process and see which files it has open. Being able to get this information programmatically is useful because it lets you do things like:

• Provide better error messages: instead of saying “File (x) is in use” you can say “File (x) is in use by (some program)”.
• Infer things about what a program is doing: if Textedit has somedocument.rtf open then you know the user is probably
  editing somedocument.rtf without having to resort to using the accessibility API.
• Detect suspicious behavior: If a process has a bunch of system files open or a bunch of sockets open that might indicate
  it’s up to no good.

This post will walk you through writing get_process_handles which implements a small subset of the functionality in lsof. You can fork/clone the code at https://github.com/palominolabs/get_process_handles and follow along.

The first step is to make the skeleton app. It does nothing but display the PID requested by the user on the command line and print an error message if the user didn’t supply a valid PID.

Once that’s working we come to the tasty meat of the problem. The key method we’ll use is proc_pidinfo. Its prototype is

int proc_pidinfo(int pid, int flavor, uint64_t arg, void *buffer, int buffersize)

Read on →

Jackson is a mainstay of Java web development, providing JSON serialization & deserialization to Jersey, RestEasy, and Hadoop, among many more. Jackson can be easily integrated into most applications through the use of its data-binding annotations—simply mark fields to serialize with @JsonProperty and Jackson will happily create & read JSON representations of your object when you hand them to an ObjectMapper. Sometimes, though, you don’t have access to or don’t want to modify the source of an object that you want to use with Jackson. In these cases, you can write a custom module to provide Jackson with the information it needs to (de)JSONify your objects.

We recently ran across the no known serializer problem while trying to use Jackson (by way of Jersey) with an object that contained a Joda Time Duration. For future reference, the exception produced by Jersey looks like this:

com.sun.jersey.spi.container.ContainerResponse - The exception contained within MappableContainerException could not be mapped to a response, re-throwing to the HTTP container
com.fasterxml.jackson.databind.JsonMappingException: No suitable constructor found for type [simple type, class org.joda.time.Duration]: can not instantiate from JSON object (need to add/enable type information?)
 at [Source: org.eclipse.jetty.server.HttpInput@1c7b0f4d; line: 1, column: 47]
    at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:163) ~[jackson-databind-2.0.1.jar:na]

Since our application employed the Joda data type extensions module for Jackson, this error seemed curious, but looking into that project it became clear that translation is not provided for all of the Joda data types. Duration is an exceedingly simple object (it can be represented as a number of milliseconds), so writing our own serializer & deserializer is an easy endeavor.

Read on →

Several months ago I put up a tutorial on using Jetty, Jersey, Jackson and Guice to make a small JSON web service stack. The code is more of a proof of concept than anything else, but we’re going to be giving it a few more real-world features today by adding the use of the Metrics library. As a quick review, the project is a web service that allows accessing peanut butter & jelly sandwiches over HTTP. It has a primitive “stats” resource to allow you to see how many sandwiches have been made and how much peanut butter & jelly was used. This stats facility is more of demo of how to wire stuff together with Guice and how requests are routed to JAX-RS resources than a useful way to monitor usage, though. We’re going to do two things to improve the situation. First, we’ll re-implement the number of sandwiches and amount of PB&J tracking using individual Counters and Gauges. Second, we’ll add code to automatically create various useful metrics for every resource method via Jersey ResourceFilter, ResourceFilterFactory, ContainerFilterResponseFilter, ResourceMethodDispatchAdapter, and ResourceMethodDispatchProvider implementations. Fun! As before, I’ll outline the code changes in this article, but the complete code is in the repo for your browsing pleasure.

Reimplementing Sandwich stats

The SandwichStats object (a singleton) keeps track of the number of sandwiches and the amount of PB & J used to make them. This data is exposed through SandwichStatsResource, which response to GET of /sandwich/stats with data like {"sandwichesMade":2,"gramsOfJam":200,"gramsOfPeanutButter":400}. We want to keep track of those three numbers with metrics now as well. Metrics (the library) offers many different types of metrics (the concept). For these three numbers, there are two ways we could do it. We could use a Gauge to expose the numbers that SandwichStats is already tracking internally, or we could use a Counter that we increment whenever we increment the fields that SandwichStats already has. To demonstrate the use of Gauges and Counters, we’ll do some of both. When creating a metric object, you can use a MetricsRegistry instance or the static method on the Metrics class. If you have multiple applications running inside the same JVM, or need that separation of metrics for other reasons, use MetricsRegistery. If you aren’t doing that, you can use the static methods on Metrics, but we’ll go ahead and use a MetricsRegistry because it’s just as easy as using the Metrics class when we have Guice to help us. First, add a binding for MetricsRegistry in a Guice module:

bind(MetricsRegistry.class).toInstance(Metrics.defaultRegistry());

Read on →

There’s some confusion on the Internet about how to control which certificates are used for server (and non-server) TLS sockets and why client certs just don’t seem to work right (see here, here, here, here, etc.). I’ll explain how the process is supposed to happen, explain why it doesn’t necessarily work easily with Java, and how to work around the problem. Though this article generally applies to SSL as well as TLS, I’ll refer to just TLS from now on. Also, the testing and bug hunting in this article were done against Sun/Oracle’s JDK 6u25. I have not confirmed whether or not these issues are fixed in Java 7.

Basic terminology

Certificate or cert

The public half of a public/private key pair, though it’s not generally referred to as a key. This part is freely given to anyone.

Private key

A private key is never given out publicly. It is used to sign or encrypt data. A private key can be used to verify that its corresponding certificate was used to sign or encrypt things and vice versa.

Certificate Signing Request or CSR

A file that you generate with your private key. You can send just the CSR to your CA and they will create a signed certificate for you.

Certificate Authority or CA

These are places like Thawte that you pay in order to get a certificate that browsers will accept. You can also use someone like CACert.org to get a free certificate that browsers will not accept. You can also generate your own simple CA using openssl. A CA uses its private key to digitally sign a CSR and create a signed cert so that browsers can use the CA’s cert to tell that your cert is approved by that CA.

Distinguished Name or DN

This is defined by LDAP. It’s a grouping of RDNs (Relative Distinguished Names). A RDN is something like “CN=your name”. This one means that the Common Name is set to the string “your name”. A DN would be something like “CN=your name,OU=Engineering,O=Initech”. In this case, OU means Organizational Unit and O means Organization.

X509

A specification governing the format and usage of certificates.

How client certs are supposed to work

This is a greatly simplified explanation of the TLS 1.0 protocol. Check out the RFC for more details at around section 7.4. (There are newer versions of TLS, but 1.0 is what Java 6 supports.) I’m showing the case where client certificates have been configured on the server side, so this isn’t exactly what happens when you do normal server-only TLS.

Read on →