WordPress credentials for update

After moving or updating WordPress, later plugin updates may start asking for FTP and/or SSH credentials. This can be easily avoided by setting the following:

  1. In wp-config.php:

    define('FS_METHOD', 'direct');

  2. Verify file ownership; on Ubuntu, this is typically:

    sudo chown -R www-data:www-data YOURFOLDER

Blocking access to files by extension in Apache

Usually, you might have a simple rule to prevent users from accessing sensitive files such as “.htaccess”. That rule might look like:

<FilesMatch "^\.ht">
Order deny,allow
Deny from all
Satisfy all
</FilesMatch>

You can also use this capability to block other file extensions. For example, if you wanted to block common image format extensions, you might add the following:

<FilesMatch "\.(gif|png|jpg|ico)$">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>

Some other file extensions to consider: *.bak, *.old, *.inc
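
To check a document root for leftover files of these types, the following added example (not part of the original post) walks a directory tree and reports which backup-style files a `\.(bak|old|inc)$` FilesMatch pattern covers and which it misses. The broader leftover test (upper-case extensions, trailing `~`) and the sample tree are assumptions constructed for illustration.

```python
import os
import re

# Regex as it would appear in <FilesMatch "\.(bak|old|inc)$">. Apache applies
# it to the file name only, and the match is case-sensitive.
BLOCK_RE = re.compile(r"\.(bak|old|inc)$")
# Broader, case-insensitive notion of "leftover" used for the audit (assumption).
LEFTOVER_RE = re.compile(r"\.(bak|old|inc)~?$", re.IGNORECASE)


def audit_docroot(root):
    """Return (covered, missed): leftover files the rule matches / does not match."""
    covered, missed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not LEFTOVER_RE.search(name):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            (covered if BLOCK_RE.search(name) else missed).append(rel)
    return sorted(covered), sorted(missed)


def make_sample_docroot(root):
    """Create a small constructed tree to run the audit against."""
    for rel in ("index.php", "wp-config.php.bak", "inc/db.inc",
                "old/site.OLD", "notes.bak~"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_docroot(tmp)
        covered, missed = audit_docroot(tmp)
        print("covered by rule:    ", covered)
        print("not covered by rule:", missed)
```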


JSP Copyright tag file example

This is a simple example of .tag files; the concepts can apply to many other uses.

I’ve chosen the following common usage example:

Websites often need to contain copyright date and information in their footer.

Add this to your existing JSP page (or JSPF fragment):


<%@ taglib prefix="webinf" tagdir="/WEB-INF/tags" %>
<webinf:copyrightyear />

Create the .tag file – /WEB-INF/tags/copyrightyear.tag


<%@ tag language="java" isELIgnored="true" trimDirectiveWhitespaces="true" description="dynamically calculates year" %>
&#169;<jsp:expression>java.util.Calendar.getInstance().get(java.util.Calendar.YEAR)</jsp:expression>&#160;<jsp:doBody />

NOTE: I’ve used <jsp:doBody /> inside the tag file in this example, so you can also use the following format on your page(s) to include the content between the opening and closing tags.


<webinf:copyrightyear>Example</webinf:copyrightyear>

NOTE: if your server supports it, you can also use XML formatted tag file with:

<jsp:directive.tag language="java" isELIgnored="true" trimDirectiveWhitespaces="true" description="dynamically calculates year" />

Eclipse FileSync plugin

I’ve done a lot of front-end Java coding over my career. One particularly annoying aspect is the wait for a build (compile-deploy) cycle in my local development servers to view or test a small change. One particularly useful tool that I’ve been using for some time is a FileSync plugin for Eclipse. It is useful because you can “map” folders from your Eclipse project to a path on your local filesystem, so the individual files are automatically copied to your server installation. I’ve personally used this approach with JBoss, Tomcat and WebSphere, but there is no reason that it should not work for other servers.

Java temporary file directory path

I’ve recently resurrected some old Java code that I’d written back when I primarily used Windows instead of Ubuntu for development. In some of that legacy code, the temporary file paths were hardcoded. To make things more modern and portable, the following line is recommended to get the operating system’s value regardless of where the code is installed and run. The file separator “slash” can also be determined in this manner.


private static final String TMPDIR = System.getProperty("java.io.tmpdir") + java.io.File.separatorChar;

Enable larger file uploads via Tomcat manager

Shortly after I automated code deployments in my Tomcat7 development testing environment, I found that some larger builds began failing with the following error:


org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (...) exceeds the configured maximum (62428800)

After a little digging, I found that the WAR files were exceeding the default maximum upload size. Thankfully, this is trivial to increase.


sudo vi /usr/share/tomcat7-admin/manager/WEB-INF/web.xml

(Change 52428800 to a larger number, perhaps doubled like 104857600)

<multipart-config>
<!-- 50MB max = 52428800 (100MB = 104857600) -->
<max-file-size>104857600</max-file-size>
<max-request-size>104857600</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>


crossdomain.xml

Adobe Flash Player 7 added several security features. I first became aware of this one when I saw a large number of HTTP 404 errors for a file named ‘crossdomain.xml’ in my webserver logs. (See also clientaccesspolicy.xml.)

If you use Flash on your website, I’d suggest adding an appropriate copy of this file to limit your exposure to some potential security issues.

Restricted domains

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.example.com" />
<allow-access-from domain="example.com" />
</cross-domain-policy>

Open to all domains (not recommended, but fully backward compatible)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
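
The difference between the two policies can be checked mechanically. This added example (not from the original post) parses a policy file and flags its wildcard grants; the function name and severity labels are illustrative, and the two sample documents are the policies shown above.

```python
import xml.etree.ElementTree as ET

RESTRICTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.example.com" />
<allow-access-from domain="example.com" />
</cross-domain-policy>"""

OPEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""


def audit_policy(xml_bytes):
    """Return (severity, message) findings for a crossdomain.xml body."""
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from: content from any domain may read responses"))
        elif "*" in domain:
            findings.append(("review", f"allow-access-from: wildcard grant {domain}"))
        if el.get("secure", "true").lower() == "false":
            findings.append(("high", f"secure=false on {domain}: HTTP-served content may read HTTPS data"))
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append(("high", "allow-http-request-headers-from: any domain, any header"))
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            findings.append(("high", "site-control: policy files anywhere on the host are honoured"))
    return findings


if __name__ == "__main__":
    for label, doc in (("restricted", RESTRICTED), ("open", OPEN)):
        for severity, message in audit_policy(doc):
            print(f"{label}: [{severity}] {message}")
```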


X-Download-Options:noopen to download files

There are a couple of steps required to force a browser to save/download content instead of displaying it in the browser window.


X-Download-Options: noopen
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename=example.txt
Content-Type: text/plain
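
When the file name comes from user input, it has to be cleaned before it goes into Content-Disposition. This added example (not from the original post) builds the four headers above; the function name is hypothetical, and the name sanitising and the RFC 6266 `filename*` form go beyond what the post shows.

```python
import re
from urllib.parse import quote


def download_headers(filename, content_type="text/plain"):
    """Build the response headers that force a save-as download."""
    # Keep only the last path component, and strip control characters so a
    # caller-supplied name cannot inject CR/LF into the header block.
    name = re.split(r"[\\/]", filename)[-1]
    name = re.sub(r"[\x00-\x1f\x7f]", "", name).strip(" .") or "download"
    # ASCII fallback for the quoted-string form: quotes, backslashes and
    # semicolons would end or escape the quoted value.
    fallback = re.sub(r'[^\x20-\x7e]|["\\;]', "_", name)
    disposition = f'attachment; filename="{fallback}"'
    if fallback != name:
        # RFC 6266 extended parameter carries the original name as UTF-8.
        disposition += f"; filename*=UTF-8''{quote(name, safe='')}"
    return [
        ("X-Download-Options", "noopen"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Disposition", disposition),
        ("Content-Type", content_type),
    ]


if __name__ == "__main__":
    # Constructed inputs: a plain name, a traversal/CRLF attempt, a UTF-8 name.
    for raw in ("example.txt", "../../x\r\nSet-Cookie: a=1", "résumé.pdf"):
        for header, value in download_headers(raw):
            print(f"{header}: {value}")
        print()
```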

NOTE: MSIE also supports a poorly documented proprietary META tag…

<meta name="DownloadOptions" content="noopen|nosave" />
