Tuesday Feb 27, 2007


Gilad Bracha just writes an article on Java tuples support, in which he claims that every language should have it. While we all know there's even no Pair inside Java, why comes him suddenly saying that Java must have it? Maybe he's struggled for it for many years but always turned down by Graham Hamilton? Now that Graham himself also left Sun, and Gilad believes he can pick up this topic again? Just kidding.

n-Tuple is nice and I also like it. Some people commenting on Gilad's post want it be implemented in JVM because that will help the performance. I don't like the idea, partly because I don't like JVM changes, which means a whole bunch of operators on the new data type, but mostly because I think Tuple is just another language element, and must be a generic class. What's more important is how to express it in an elegant style so that it looks natural, slim, and easy to use.

The following is my proposal:


  1. First create a new immutable class Pair<A,B> (in the java.util package), which has a constructor with 2 arguments, and have 2 methods calls car() and cdr().
  2. Tuple<A,B,...,C> is syntactic sugar/macro of Pair<A,Pair<B,Pair<...,Pair<C,Void>...>>. Javac knows this.
  3. Javac also knows that new Tuple<A,B,C>(a,b,c) is new Pair<A,Pair<B,Pair<C,Void>>>(a,new Pair<B,Pair<C,Void>>(b, new Pair<C,Void>(c, null))), and it writes this translation much faster than I do.
  4. and .caddr means .cdr().cdr().car(), and it automatically finds out if you write too many d at compile time.
  5. Maybe tuple knows about variant arguments, but seems not necessary.
Is this enough?

Friday Jan 12, 2007

I love AJAX

I love AJAX much more than any other so-called RIA things. Reason:

AJAX generates HTML codes, which stays seamlessly with other HTML elements on a web page, especially in look and feel. While all the other things, either Java Applet, or Java WebStart apps, or Flash movies, just look so alien, and I don't like them.

Well, seems this pure Java AJAX is OK too, although it use Java, but should have the same user experiences with plain-vanilla AJAX.

Wednesday Dec 06, 2006

What is HugeOidNotSupportedByOldJDK?

In previous versions of JDK, the ObjectIdentifier's internal storage is int[], which is an array of each component you see in the string format of the OID. If a component is large than Integer.MAX_INT, there's no way to store it.

So we fixed the implementation by using the DER encoded value as the internal storage. No matter how huge a component of an OID is, as long as it's a valid OID, it can be expressed by the class. This is also good for performance reasons, since most operations on OID are I/O (DER-encoding and decoding) and comparison. Using the DER makes these operations very light.

But there's one tiny problem, ObjectIdentifier is Serializable, and serialized format is an API of the class and has to kept compatible, both forward and backward. The problem is that newly created OID with huge components will never be de-serialized by the old implementation correctly. One method to let it be deserialized to one that's acceptable by the old implementation, which means the OID is actually changed, not a good idea. The other method is simply forbidding the form be deserialized in the old impl. We choose the latter.
br/> Now, if an OID does not include huge component, it can serialized by any impl and correctly deserialized by the other one. If a huge component exists, the new impl supports that, and when serialized, it generates a poison into the serialized form that's not recognized by the old impl. Whenever an old impl tries to deserialize it, an exception is thrown, and you read this long word in the exception message: HugeOidNotSupportedByOldJDK.

Are you directed to this page because you're searching for this word? If so, that's just what I want. The single reason I choose such a long word is I expect you will search it and then land here. This is what I called Programming 2.0.

Wednesday Dec 07, 2005

mustang: talking to Microsoft IIS server with "Integrated Windows Authentication"

MS IIS server has an authentication scheme called "integrated windows authentication". in order to browse pages on this kind of web server, the user needs a windows user account which is in the same domain as the web server. normally, if you are working on a windows client PC which you already login to the domain, then you can just browse the web site as if it's unprotected.

under the hood, IIS uses MS SSPI (?) to do all the authentication works with the active directory. this is known to the public world as GSS API with Kerberos. since GSS/Kerberos has been inside Java for a long time, it's fairly easy to apply it in the HTTP protocol handler. so now, you can use java to access those secret pages. the codes are still:

        URL url = new URL(url);
        InputStream ins = url.openConnection().getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
        String str;
        while((str = reader.readLine()) != null)
that's very simple, isn't it?

oh, well... sorry, not that simple, for all of you (sysadmin, especially) who have been playing with GSS and kerberos in java before, you know we need to do more things to configure the kerberos runtime environment. just like any other GSS app, you will need these things:
  • a JAAS login config file, say login.conf, normally look like
    com.sun.security.jgss.krb5.initiate {
      com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
    attention: read the JAAS login entry carefully, there is a krb5 there, this is the new GSS entry name in mustang.
  • a krb5.conf file, normally looks like:
        default_realm = ME.COM
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        permitted_enctypes = rc4-hmac
        ME.COM = {
            kdc = kdc.me.com
    the 3 enctypes lines are (maybe) needed, since that's the default enctype active directory is using and maybe not the one on your machine or VM.
ok, then you can just call
java -Djava.security.krb5.conf=krb5.conf \\
    -Djava.security.auth.login.config=login.conf \\
    -Djavax.security.auth.useSubjectCredsOnly=false \\
to see the content of the file.

if you are not on a windows machine and want to run this example, please make sure you've called kinit before so that a credential cache is already stored somewhere on your system. of course, you can always ignore this step by providing the username and password inside the application (although this's somewhat contrary to the best feature that kerberos brings to us, the single sign-on). to do this, you need to change the value of doNotPrompt to false in the login.conf file and add a customized authenticator in your application, like this:
    static class MyAuthenticator extends Authenticator {
        public PasswordAuthentication getPasswordAuthentication() {
            return (new PasswordAuthentication("myname", "mypass".toCharArray()));
of course, i know you won't hardcode the pair inside your code like me. there are a lot of console or GUI ways to get them from the user. also, don't forget to call
Authenticator.setDefault(new MyAuthenticator());
before the URL fetching. only this will make your new authenticator usable in the system.

so, that's still very easy, isn't it?

for those of you who complains that this is only a windows feature, i must tell you the (almost) same authentication scheme is also available elsewhere, say, apache. read this article by wyllys to see the details.

mustang: jarsigner will be unhappy if the signer's certificate does not match several criteria

Jayson Falkner has a blog entry named Blarg #18: Sun enhances WebStart or Sun breaks WebStart and upsets people? You decide. which talks about the new behavior in java web start. basically, now java web start will reject any jar which is signed by a certificate that itself cannot be used to sign codes. for example, a certificate with a KeyUsage extension but without the codeSigning bit set. this is standard-compliant and a correct step to go. unfortunately, jarsigner didn't go the same way at the same time, so developer will only notice this change when the app is deployed somewhere. so, recently we add checks into jarsigner to see if the certificate match several criteria, which is almost identical to the check java web start is doing now. in order to keep compatibility, if the check fails, only warning messages are shown. maybe one day a new option like -strict can be applied to stop the signing process whenever something illegal is detected.


from now on, i will talk about something new in mustang that's related to security and networking which i know of.

Friday Nov 18, 2005

Laptop for Every Kid

just read wired's Negroponte: Laptop for Every Kid and totally impressed. i dare not say java suits what mr negroponte decribed as a open-source development tool, but i would really be happy (and do what i can) if mustang can run on it and be a choice of any kids that may be using it. and, maybe bluej, or even more...

Tuesday Aug 02, 2005

Java China is coming

The Java China Developers' Conference 2005 will be held on Sep 13 and 14 in China, including Beijing, Shanghai, Guangzhou, Chengdu, Nanjing, Dalian, Xi'an, Shenzhen, and Hong Kong.

Wednesday Jul 27, 2005

A sequence graph

I want to learn something about UML graphs and I just have a case that I can express in a sequence chart. I go Violet and create this graph.

The graph tells about how the JGSS GSSName is created with the API and SPI things. It looks pretty but I'm sure it's very non-standard. I especially don't know how to express an abstract class, a static method, calls and returns, and I don't know how to tell who implements who and who extends who in a formal way. I am also curious why Violet automatically create another vertical box of GSSManagerImpl when GSSNameImpl call its getNameElement() method.

Wednesday Apr 27, 2005

native look-and-feel

some people blame swing (and netbeans) because it doesn't have a native look-and-feel on its running platforms. they think SWT (and eclipse) is better. some people even start to think even SWT is not so native these days (sorry, forget the link). but how important is native look-and-feel. on the apple platform, it may be important, because it did have a consistent l&f. what about others? windows? we can see every flavour of l&f there. windows media player has a cold blue round corner, real player is a little greener, and apple has its iron gray itunes, while other programs can just be skinnified in all ways. so, are they all to be blamed? i always believe ms office is the UI pioneer inside microsoft. in every version of office, you will find something not so native but will be native in the next version of windows. in office 5 we have toolbars, in 6 the toolbar goes flat and there's tabbed dialogs, then we see coolbars, and then fancy animated menus. nobody says office doesn't have a native look and feel. so why blames swing? in the old days, the CDE metal on windows may looks some ugly (mainly because windows guys are not familiar with big screens ;) ). now we have ocean and synth, and they're so beautiful. the look and feel problem is not a native or not problem, it's a slick or not, or fast or not, or clean or not one. it's time to appreciate the slick and fast and clean of swing now.

Friday Mar 11, 2005

any way to let javadoc read comments from outside the source codes?

i am doing experiments on javadoc comments translation now. it's easy to extract the comments into some plain files, and, after some heavy labours of translations, how to put them back into the doc system?

in order to generate the doc tree, we need to run the javadoc tool. and currently javadoc reads comment lines from the source codes using the javac parser / scanner things. it seems silly to put the translation back into the source codes again, since they are internationalized strings, and there seems to be no standard on the encoding of java souce codes. so there must be a way to instruct javadoc to read comments directly from the plain text files.

is it easy?

seems there maybe 2 points we can hook in. first, the place the scanner reads the comment. second, the doclet uses the comment. i prefer the second one, which may means changing the constructors of various DocImpl classes or how the constructors are called. in either way, the document string from the source codes will be ignored and directly read from text files themselves. it won't be difficult to change the codes, but there should be a way to make this smarter, like a standard way of adding hooks. the comments may come from plain text files, or they may come from a database, or, even more funny, comes from the current System.in or other mysterious network sockets.

it seems a system level registered object can do this. looks like a glocal cookie handler.

more experiments will reveal more maybe.


This blog has a comments managing system that requires me to approve each comment manually. Please do not re-post and I will reply it (if I have an answer) when I get pinged.


Top Tags
« June 2016