Re: [JEXL] Detecting infinite loops in JEXL Scripts

2023-08-23 Thread Matt Sicker
Your best bet here is an execution timeout, but this can cause false positives 
if the loop is large enough and intentional. In the general case, it’s 
impossible due to the Halting Problem as raised elsewhere in the thread.

> On Aug 7, 2023, at 6:02 AM, Aditya Kumar1 
>  wrote:
> 
> Hi,
>  
> I am planning to use the JEXL library in my SaaS-based product to run 
> JavaScripts/JexlScripts (I understand Jexl is not exactly JavaScript).
>  
> Since security is one of the most important requirements for any SaaS-based 
> product, I am going to use Jexl Sandbox and Jexl Features to secure my 
> application. I see that in Jexl features, we have a way to turn off the loops 
> but for my requirement, I need to enable loops in the scripts. 
>  
> Is there a way to detect infinite loops in case someone writes an 
> expression which turns into an infinite loop during evaluation? Also, someone can 
> try to sabotage our application by running infinite loops. Is there a 
> way to detect and avoid such a security issue?  
>  
> PS: I would really appreciate if you could let me know any other security 
> aspects which I need to consider while using JEXL library.
>  
> Thanks,
> Aditya 
> —
> Aditya Kumar1
> Technology Architect
> Precisely.com 
> 
> 
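An added example (not from the thread and not the JEXL project's own code) of the execution timeout suggested in the reply above: the script runs on a worker thread and is cancelled when a wall-clock budget expires. The class name, the 500 ms budget and both scripts are constructed for illustration; it assumes commons-jexl3 3.1 or later on the classpath.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;

/** Hypothetical helper: evaluates untrusted JEXL scripts under a wall-clock budget. */
public class JexlTimeoutDemo {

    // cancellable(true): an interrupted evaluation throws JexlException.Cancel
    // instead of quietly returning null.
    private static final JexlEngine JEXL = new JexlBuilder()
            .cancellable(true)
            .strict(true)
            .silent(false)
            .create();

    // Daemon workers, so a script that does not stop cannot keep the JVM alive.
    private static final ExecutorService WORKERS = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "jexl-worker");
        t.setDaemon(true);
        return t;
    });

    /** Runs the script and returns its result, or throws TimeoutException past the budget. */
    static Object evaluate(String source, JexlContext context, long budgetMillis)
            throws TimeoutException, ExecutionException, InterruptedException {
        JexlScript script = JEXL.createScript(source);
        Future<Object> pending = WORKERS.submit(script.callable(context));
        try {
            return pending.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException | InterruptedException e) {
            // Interrupt the worker thread; the JEXL interpreter honours the
            // interruption and abandons the evaluation.
            pending.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample scripts: one terminating loop, one that never ends.
        String finite = "var s = 0; for (var i : 1..100) { s = s + i; } return s;";
        String endless = "var i = 0; while (true) { i = i + 1; }";

        System.out.println("finite  -> " + evaluate(finite, new MapContext(), 500));
        try {
            evaluate(endless, new MapContext(), 500);
        } catch (TimeoutException e) {
            System.out.println("endless -> cancelled after 500 ms");
        }
        // A legitimate loop that needs more than the budget is cancelled in
        // exactly the same way: the budget bounds run time, it does not
        // decide whether the script would ever have finished.
    }
}
```

Cancellation relies on thread interruption, so a script that is blocked inside a host method which ignores interrupts keeps its worker thread until that call returns.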



Re: Trie with non-String keys

2022-08-15 Thread Matt Sicker
Is this like a sort of composite key that's ultimately comparable similar to 
total ordering on strings?

—
Matt Sicker

> On Aug 15, 2022, at 08:36, Gary Gregory  wrote:
> 
> Since a trie is traditionally used with strings, this is not surprising to
> me. What kind of key are you wanting to use?
> 
> Gary
> 
>> On Wed, Aug 3, 2022, 08:16 Willi Schönborn  wrote:
>> 
>> I was trying to see whether I could use AbstractPatriciaTrie to create a
>> trie for non-String keys.
>> Especially the existence of the KeyAnalyzer type suggested that I could do
>> this.
>> But the AbstractPatriciaTrie is package-private and not exposed.
>> Was that a conscious decision?
>> 


Re: [collections] Adding a Table data structure?

2021-08-31 Thread Matt Sicker
Sounds interesting. Filing a Jira issue under the COLLECTIONS project to track 
the effort would be a good next step after this thread.

https://issues.apache.org/jira/projects/COLLECTIONS/issues/COLLECTIONS

Matt Sicker

> On Aug 31, 2021, at 19:55, Will Herrmann  wrote:
> 
> I am wondering if it would be appropriate to add a Table (a.k.a. Matrix) 
> data structure to Commons Collections 4. Guava has one[1] and it seems like 
> it would fit in with this project.
> 
> From the Guava Javadoc for Table
> 
>> A collection that associates an ordered pair of keys, called a row key and a 
>> column key, with a single value. A table may be sparse, with only a small 
>> fraction of row key / column key pairs possessing a corresponding value.
> 
> Under the hood, a Table seems to be implemented as a Map<R, Map<C, V>>, with concrete implementations backed by HashMaps or TreeMaps.
> 
> If it would be appropriate to add such a data structure, what would be the 
> process of adding it to Commons Collections 4?
> 
> [1]: https://github.com/google/guava/wiki/NewCollectionTypesExplained#table
> -
> To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
> For additional commands, e-mail: user-h...@commons.apache.org
> 


Re: commons-fileupload dependency and CVE

2021-07-09 Thread Matt Sicker
Snyk looks like they have something like that in early access. I’ve seen a
similar feature before in Whitesource, though it was fairly clunky. Then
there’s the CodeQL queries on GitHub/LGTM which can find effective usage
fairly well.

On Fri, Jul 9, 2021 at 11:54 Mark Thomas  wrote:

> On 09/07/2021 15:49, Daniel Wille wrote:
> > That is good to know, and I appreciate that info.
> >
> > I know that making updates to libraries for reasons like this is
> > frowned upon by developers whose time is better spent fixing actual
> > problems. It does mean however that many users will be in a situation
> > where a corporate tool will detect the CVE, requiring the developer to
> > investigate so they can either explain why the CVE is a non-issue, or
> > force them to override the dependency in their build (which I did,
> > because that's the easiest course).
>
> I'd strongly recommend pushing for better tools.
>
> For example, the ASF automatically rejects any vulnerability report that
> is just the verbatim output of a security scanner. We will only accept
> issues from such reports when backed either by a PoC or manual analysis
> that demonstrates a genuine security issue.
>
> There are scanners available that don't just check dependencies but
> check the code used so they only flag the dependencies where the
> problematic code path is used. You'll still get some false positives but
> the valid / invalid ratio will be a lot better.
>
> We did a trial with one such tool at the ASF. I liked it. I don't recall
> the name of the tool. I can try and look it up if there is interest
> although I think it may have gone through a rebrand since we tested it.
>
> Mark
>
>
>


Re: Security issue in commons-fileupload version 1.4 .

2021-05-27 Thread Matt Sicker
As the user, you have ultimate control over transitive dependency
versions that end up in your application. Using Maven, for example,
you can override the commons-fileupload dependency on commons-io to
the latest release. I don't think anyone here wants to go through an
entire release for a component just to update a dependency.

On Thu, 27 May 2021 at 10:00, Singh, Randeep  wrote:
>
> Hi All,
>
> This is regarding a security issue that is reported in our component 
> which is coming from the commons-io (2.2) lib transitive dependency via 
> commons-fileupload.
> It seems this is fixed in commons-io (2.7) or above. Hence, would it be 
> possible to bump the version of commons-io to 2.8 or 2.9 and release a patch?
> I can see that it has already been done with this commit 
> https://github.com/apache/commons-fileupload/commit/8370f1e0a15a0469d04579e2abd5500ebf90b8c8/
> May I know by when we can expect a release of 2.0, in case a patch is not 
> possible?
>
>
> Best Regards
> Randeep




Re: commons-dbcp2 Information Exposure Vulnerability

2021-05-26 Thread Matt Sicker
See https://issues.apache.org/jira/browse/DBCP-562 which is still open.

On Wed, 26 May 2021 at 10:29, Adesina Adebiyi
 wrote:
>
> Good day,
>
> I am researching an issue raised by sonatype (sonatype-2020-1349) -- that
> org.apache.commons:commons-dbcp2 has "information exposure" vulnerability,
> that all versions, including version 2.8.0, are vulnerable.
>
> It appears that Gary's commit of Sep 21, 2020 (mask out name and password)
> fixed the issue:
> https://github.com/apache/commons-dbcp/blob/rel/commons-dbcp-2.8.0/RELEASE-NOTES.txt
>
> Yet Sonatype is claiming that version 2.8.0 is vulnerable to information
> disclosure.  Indeed, WhiteSource and Snyk.io are also reporting that
> versions of Apache commons including 2.8.0 are vulnerable:
>
> WhiteSource
> Upgrade Version : No fix version available
> CVSS 3.1
> https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287
>
> Sonatype-2020-1349
> CVSS Vector:CVSS:3.1  The Apache Commons DBCP packages are vulnerable to
> Insufficiently Protected Credential
> The application is vulnerable by using this component
>
> Snyk.io
> https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
> All versions vulnerable to Information exposure including the latest
> published 21 Sep, 2020  org.apache.commons:commons-dbcp2 2.8.0
>
> Was Gary's commit never released?  Or did Gary's released commit fix the
> issue and somehow Sonatype, Snyk.io, and WhiteSource are incorrectly
> reporting commons-dbcp2 version 2.8.0 as vulnerable to Information Exposure?
>
> Thanks for your prompt response.
>
> Regards.
>
> Adesina
>
>
>
> Regards,
>
> Adesina




Re: [NUMBERS] Article on Commons Numbers

2020-09-28 Thread Matt Sicker
Very nice blog post! If you’re looking for inspiration on what Field could
be useful for, while there aren’t included implementations to make them
appropriate in production, you can model many cryptographic operations
using different fields. AES, RSA, ChaCha, ECC; they all operate on finite
fields. I say they’re not appropriate for production because a cryptography
library should always use constant time math algorithms rather than generic
but non-constant time algorithms (the latter is represented in BigInteger
and all classes dependent on it). The API allows for constant time
implementations, though!

On Mon, Sep 28, 2020 at 16:49 Nicola Vitucci 
wrote:

> Hi all,
>
>
>
> Here is my article on Numbers as promised:
> https://apothem.blog/apache-commons-numbers.html
>
>
>
> I hope it can be useful as a first comprehensive documentation and as an
> outsider's perspective on the current status of the library. Please feel
> free to comment and suggest improvements!
>
>
>
> Nicola
>
>
>
>
>
>
> --
Matt Sicker 


Re: Final tag for commons-io-2.6

2019-09-25 Thread Matt Sicker
There's also the fact that release tags are supposed to go inside rel/
or wherever to make them immutable.

On Wed, 25 Sep 2019 at 11:21, Gary Gregory  wrote:
>
> On Wed, Sep 25, 2019 at 12:06 PM sebb  wrote:
>
> > On Wed, 25 Sep 2019 at 16:59, Gary Gregory  wrote:
> > >
> > > On Wed, Sep 25, 2019 at 8:44 AM sebb  wrote:
> > >>
> > >> On Wed, 25 Sep 2019 at 11:34, Roberto Oliveira 
> > wrote:
> > >> >
> > >> > On Wed, Sep 25, 2019 at 12:31 PM sebb  wrote:
> > >> > >
> > >> > > On Wed, 25 Sep 2019 at 07:41, Daniel Kreling 
> > wrote:
> > >> > > >
> > >> > > > We need to build the package from source
> > >> > >
> > >> > > In which case you should be using the formal release package.
> > >> > >
> > >> > > > and we need to know precisely
> > >> > > > where the development ended.
> > >> > >
> > >> > > What do you mean by that?
> > >> > He means that if he wants to build version 2.6 from source he doesn't
> > >> > know from where he should build.
> > >>
> > >> He should build from the official source release.
> > >>
> > >> These are linked from the download page, i.e.
> > >>
> > >> https://commons.apache.org/proper/commons-io/download_io.cgi
> > >>
> > >> For automated builds you can use:
> > >>
> > >>
> > http://www.apache.org/dyn/closer.cgi/?filename=commons/io/source/commons-io-2.6-src.zip=download
> > >>
> > >> You should check the sig or hash from:
> > >>
> > https://www.apache.org/dist/commons/io/source/commons-io-2.6-src.zip.asc
> > >>
> > https://www.apache.org/dist/commons/io/source/commons-io-2.6-src.zip.sha256
> > >>
> > >> You can replace .zip with .tar.gz above
> > >>
> > >> > Can you or someone confirm the version 2.6 was built from tag
> > >> > "commons-io-2.6-RC3" ?
> > >>
> > >> Only the source packages linked from the download page are official
> > releases.
> > >
> > >
> > > But that does not address the poster's question. If we are confident
> > that commons-io-2.6-RC3 is indeed 2.6, then we should create a tag called
> > rel/commons-io-2.6, right?
> >
> > The tag would not be an official source release.
> >
>
> That's beside the point, the point is that the tag for the release is
> missing, clearly. Either we know enough to create the tag or we do not.
> Folks can do what they want with the tag like any other tag. Am I missing
> something here?
>
> Gary
>
> >
> > > Gary
> > >
> > >>
> > >> > >
> > >> > > > Thanks,
> > >> > > > Daniel
> > >> > > >
> > >> > > > On Tue, Sep 24, 2019 at 6:52 PM sebb  wrote:
> > >> > > > >
> > >> > > > > Might I ask why the tag is so important?
> > >> > > > >
> > >> > > > > If you are looking to download the source, then that is
> > available from
> > >> > > > > the usual download page:
> > >> > > > >
> > >> > > > > https://commons.apache.org/proper/commons-io/download_io.cgi
> > >> > > > >
> > >> > > > > On Tue, 24 Sep 2019 at 11:32, Roberto Oliveira <
> > rguim...@redhat.com> wrote:
> > >> > > > > >
> > >> > > > > > Hi Gary,
> > >> > > > > >
> > >> > > > > > Thanks for looking at it. Is there any update?
> > >> > > > > >
> > >> > > > > > On Fri, Sep 20, 2019 at 2:10 PM Gary Gregory <
> > garydgreg...@gmail.com> wrote:
> > >> > > > > > >
> > >> > > > > > > Looking...
> > >> > > > > > >
> > >> > > > > > > On Fri, Sep 20, 2019 at 7:32 AM Daniel Kreling <
> > dkrel...@redhat.com> wrote:
> > >> > > > > > >>
> > >> > > > > > >> Hi
> > >> > > > > > >>
> > >> > > > > > >> I am looking for the final tag for commons-io version 2.6
> > and I have
> > >> >

Re: no name listed for file contained in a 7z file?

2019-01-29 Thread Matt Sicker
On Mon, 28 Jan 2019 at 18:55, Albretch Mueller  wrote:
>  I fell out of love with coding some time ago. I have been noticing
> that things kept going on. All I read there were words. How do you
> open a JIRA issue? Could you at least provide me with a link? I tried
> searching my way through it but teachers don't have that much time

Jira: https://issues.apache.org/jira/browse/COMPRESS

-- 
Matt Sicker 




Re: [dbcp] in DBCP 1.4 - Any auto-reconnect property available ?

2019-01-15 Thread Matt Sicker
One idea might be to invoke a crafted query for your connection check
that fails every so often so it'll be forced to reconnect, though I
haven't tried that before.

On Tue, 15 Jan 2019 at 14:39, RAJIV S  wrote:
>
> Hi Team,
>
>
> In DBCP 1.4 is there any property which can help to disconnect and
> reconnect the DB connection within some specified time?
>
>
> Actually, we are using DBCP 1.4 in our application. It's a
> standalone Java processor code, developed some years ago, and works well till
> now.
>
> Recently we encountered a problem that Oracle SWAM memory grows continuously
> due to high usage. DBAs suggested disconnecting and reconnecting the db
> connection from this java application with some specified time.
>
> I am unable to find a relevant property or documentation help.
>
> Please, someone help me if anyone knows how to deal with this situation.
> --
> Regards,
>
> Rajiv.S



-- 
Matt Sicker 




Re: [vfs] Is VFS2 suitable for production use?

2018-07-15 Thread Matt Sicker
There have been suggestions in the past for a v3, so if you search the
mailing lists, you may find a good place to start.

On Sun, Jul 15, 2018 at 07:15, Gary Gregory  wrote:

> VFS is stable and maintained. Feel free to provide PRs :-)
>
> Gary
>
> On Sun, Jul 15, 2018, 03:00 Jurrie Overgoor  wrote:
>
> > Hello everyone,
> >
> > At the moment, my team is using Apache VFS2 in production. We use it for
> > HTTP(S) and for (S)FTP. However, we are having some problems with this.
> >
> > SFTP is implemented using JSCH. That project now seems abandoned. I had
> > to cook up my own fix for issue JSCH-111 (see
> > https://github.com/Jurrie/jsch-111-bugfix).
> >
> > HTTP(S) is implemented using Apache Httpclient 3.x, which is end of life
> > (see https://hc.apache.org/httpclient-3.x/). Its replacement is Apache
> > HttpComponents, but that is not a plug-and-play direct replacement.
> >
> > That leads me to wonder whether Apache VFS2 is still under active
> > development? Are there any plans to fix the above things? Is it still
> > advised to use Apache VFS2 in production software?
> >
> > With kind regards,
> >
> > Jurrie
> >
> >
> >
> >
>
-- 
Matt Sicker 


Re: Some sort of "pollution" between two Virtual Hosts on the same machine, causes Google to look on site A for files on site B

2018-07-03 Thread Matt Sicker
uk.crt
> SSLCertificateChainFile
> /etc/ssl/ssl.crt/www_kirkbymicrowave_co_uk.ca-bundle
> # For most configuration files from conf-available/, which are
> # enabled or disabled at a global level, it is possible to
> # include a line for only one particular virtual host. For example the
> # following line enables the CGI configuration for this host only
> # after it has been globally disabled with "a2disconf".
> #Include conf-available/serve-cgi-bin.conf
>
> ErrorDocument 404 /error-pages/404.html
> ErrorDocument 410 /error-pages/410.html
> ErrorDocument 500 /error-pages/500.html
> ErrorDocument 503 /error-pages/503.html
> 
>
> 
> # Redirect www.kirkbymicrowave.co.uk on port 80 to the https site.
> ServerName www.kirkbymicrowave.co.uk
> ServerAdmin drkir...@kirkbymicrowave.co.uk
> ErrorLog ${APACHE_LOG_DIR}/error-www.kirkbymicrowave.co.uk-port-80.log
> CustomLog
> ${APACHE_LOG_DIR}/access-www.kirkbymicrowave.co.uk-port-80.log combined
> Redirect "/" "https://www.kirkbymicrowave.co.uk/"
> 
>
> 
> # Redirect kirkbymicrowave.co.uk on port 80 to the https site.
> ServerName kirkbymicrowave.co.uk
> ServerAdmin drkir...@kirkbymicrowave.co.uk
> ErrorLog ${APACHE_LOG_DIR}/error-kirkbymicrowave.co.uk-port-80.log
> CustomLog ${APACHE_LOG_DIR}/access-kirkbymicrowave.co.uk-port-80.log
> combined
> Redirect "/" "https://www.kirkbymicrowave.co.uk/"
> 
>
>
> 
> #Redirect kirkbymicrowave.co.uk on port 443 to the www. site.
> ServerName kirkbymicrowave.co.uk
>  SSLEngine on
> SSLCertificateKeyFile
> /etc/ssl/private/www_kirkbymicrowave_co_uk.key
> SSLCertificateFile /etc/ssl/ssl.crt/www_kirkbymicrowave_co_uk.crt
> SSLCertificateChainFile
> /etc/ssl/ssl.crt/www_kirkbymicrowave_co_uk.ca-bundle
> ServerAdmin drkir...@kirkbymicrowave.co.uk
> ErrorLog ${APACHE_LOG_DIR}/error-kirkbymicrowave.co.uk-port-443.log
> CustomLog ${APACHE_LOG_DIR}/access-kirkbymicrowave.co.uk-port-443.log
> combined
> Redirect "/" "https://www.kirkbymicrowave.co.uk/"
> 
>


-- 
Matt Sicker 


Re: [dbcp] DBCP2 Under Java 8?

2018-04-23 Thread Matt Sicker
I've been using DBCP2 in Java 8 for years now. DBCP2 is also used in
Tomcat, and recent versions of Tomcat require Java 8, so it's been well
tested in that realm as well.

On 23 April 2018 at 16:10, Frank <fuzz...@verizon.net> wrote:

> Hi folks,
>
> The subject says it all! :-)  The DBCP Overview page indicates "DBCP 2
> compiles and runs under Java 7 only".  I assume it would be good for Java 8
> as well, but has any testing been done along the Java 8 lines?
>
> Thanks,
>
> -Frank
>
>


-- 
Matt Sicker <boa...@gmail.com>


Re: [DBCP] troubleshooting pool activity (tomcat version)

2018-03-20 Thread Matt Sicker
On Tue, Mar 20, 2018 at 21:21, Shawn Heisey <apa...@elyograg.org> wrote:

> Main Question:  Does dbcp by chance record a stacktrace of the code that
> requests a connection from the pool?  I would like to poke my way
> through the active connections (entry point being the DataSource
> implementation), and ask them where in our code they were requested.


Yes, that’s a flag you set in the data source. See for example
BasicDataSource: abandoned usage tracking.

> I have to do this in the Tomcat fork of dbcp, and I know I'm not on a
> Tomcat mailing list, but I'm hoping that whatever you can tell me will
> apply to that version too.  If I can get a stacktrace of where each
> connection was requested, I can pinpoint problematic code a lot faster.
> There is a LOT of code that uses the database, scattered across a lot of
> git repositories.  If I could grep the code easily to find them all, I
> would.


IIRC, DBCP came from Tomcat in the first place. And they keep it synced
upstream.


>
> Side question: Why has Tomcat maintained what looks like a fork of dbcp
> for such a long time period?  If they really believe their
> implementation has an advantage, it seems like everyone would benefit if
> they worked to get the upstream library to offer the same advantages.
> Am I drifting into flamewar territory by even wondering about this?  I
> did find the tomcat documentation page about their connection pool.  It
> basically reads to me as "Commons DBCP is substandard and bloated.
> These are the many ways that our implementation is better."
>
> https://tomcat.apache.org/tomcat-9.0-doc/jdbc-pool.html
>
> I haven't compared DBCP with other pool implementations, but my work
> with DBCP has never run into any problems that weren't my own fault.
> This mailing list has shown a high degree of patience with my dumb
> questions.
>
> Thanks,
> Shawn
>
>
>
> --
Matt Sicker <boa...@gmail.com>


Re: [DBCP] Connection pool not behaving as I expect

2018-03-01 Thread Matt Sicker
Take a look inside commons-pool for the instrumentation (e.g., JMX). You
can also track usage on borrow and other leaks.

Also, Tomcat uses DBCP as it is.

On 1 March 2018 at 21:46, Shawn Heisey <apa...@elyograg.org> wrote:

> On 3/1/2018 4:46 PM, Gary Gregory wrote:
>
>> I do not think this is a question I, or anyone here, can answer
>> generically. I can read between that lines that you must feel frustrated
>> and I certainly empathize with that. I think you might want to debug your
>> application and come up with some parameters for us to start helping you.
>> A
>> reproducible example is always best but I understand it might be hard to
>> provide in this particular case.
>>
>
> There is a lot of frustration.  Until today all of it was directed at our
> developers, for creating programs and configs that make way too many
> connections to the DB.
>
> But then today, I had that small eureka moment, thinking "wait a minute
> ... how can this even be happening at all, if the connection pool has
> connections that the DB server says are active and idle?"
>
> Reiterating something I said before: I know you can't help me with the
> pools that the Tomcat servers are creating for our webapps.  So I'll limit
> the rest of the discussion to my own program, which uses DBCP, and has the
> same problems.
>
> Please tell me what information you'd like me to provide. Anything that is
> in my power, I will get it to you.
>
> This is how I set up DBCP in my code:
>
>   /*
>    * Create a datasource (connection pool) for the master database server.
>    */
>   ConnectionFactory cfMaster = new DriverManagerConnectionFactory(masterUrl,
>       dbUser, dbPass);
>   PoolableConnectionFactory pcfMaster = new PoolableConnectionFactory(cfMaster,
>       null);
>   pcfMaster.setValidationQuery(validationQuery);
>   pcfMaster.setValidationQueryTimeout(Const.FIVE_SECONDS / 1000);
>   opMaster = new GenericObjectPool<>(pcfMaster);
>   opMaster.setMaxWaitMillis(Const.THIRTY_SECONDS);
>   opMaster.setMaxIdle(numShards);
>   opMaster.setMaxTotal(numShards * 5);
>   opMaster.setNumTestsPerEvictionRun(numShards * 5);
>   opMaster.setTimeBetweenEvictionRunsMillis(Const.FIVE_SECONDS);
>   opMaster.setMinEvictableIdleTimeMillis(Const.ONE_MINUTE * 5);
>   opMaster.setTestOnCreate(true);
>   opMaster.setTestOnBorrow(true);
>   opMaster.setTestOnReturn(true);
>   opMaster.setTestWhileIdle(true);
>   pcfMaster.setPool(opMaster);
>   dsMaster = new PoolingDataSource<>(opMaster);
>
> The JDBC driver we use is MySQL.  As of a few weeks ago, it was the newest
> stable version available, 5.1.something.  Also at that time, I was using
> the latest DBCP and POOL versions.  If any new versions have come out very
> recently, I probably don't have them yet.
>
> Typically the numShards value we're using is 6, to help with understanding
> the code above.
>
> Observations: When the MySQL server has reached its connection limit, at
> least one of the idle connections is from this program using DBCP.  But
> when the program attempts to use the DB, it gets the "Too many connections"
> error response -- which means that it must be opening a brand new
> connection, despite the fact that there SHOULD be at least one that is
> ready and sitting in the pool.
>
> The code that uses the DB is basic JDBC code.  It calls getConnection() on
> the dataSource, verifies that the connection is valid, creates a statement,
> executes it, and if it was a query, processes the resultset.  Then it
> closes any resultset, closes the statement, and closes the connection.  As
> I understand it, that close should return the connection to the pool, still
> open, and ready for re-use.  This all happens within a single thread.  I
> went through this code pretty closely for another issue on this mailing
> list.  It's possible that I missed something, but it looks very clean.
>
> I was going to add some debug logging to my code, but I can't see any way
> with PoolingDataSource to get the number of active and idle connections,
> just to make SURE that the pool really has what I think it does.
>
> I have a code change ready to switch everything to BasicDataSource and add
> the debug logging.  It's generally less verbose code, and looks to be just
> as configurable as PoolingDataSource.  Would that change be a good idea?
>
>
> Thanks,
> Shawn
>
>
>
>


-- 
Matt Sicker <boa...@gmail.com>
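An added example (not from either thread and not DBCP's own code) covering two points raised in the DBCP threads above: the abandoned-connection tracking on BasicDataSource mentioned in the 2018-03-20 reply, and the active/idle counts asked about in this one. The class name, pool sizes, timeout and the in-memory H2 URL are assumptions made for the demo; it expects commons-dbcp2 and an H2 driver on the classpath.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.sql.Connection;
import java.sql.Statement;

import org.apache.commons.dbcp2.BasicDataSource;

/** Hypothetical demo: find the code that borrowed a connection and never returned it. */
public class AbandonedTraceDemo {

    /** Builds a small pool that records a stack trace for every borrow. */
    static BasicDataSource newTracingPool(String url, String user, String pass, PrintWriter log) {
        BasicDataSource ds = new BasicDataSource();
        ds.setUrl(url);
        ds.setUsername(user);
        ds.setPassword(pass);
        ds.setMaxTotal(3);
        ds.setMaxWaitMillis(5_000);
        // The abandoned settings must be in place before the first getConnection().
        ds.setLogAbandoned(true);            // remember the stack trace of each borrower
        ds.setAbandonedUsageTracking(true);  // also remember where the connection was last used
        ds.setRemoveAbandonedOnBorrow(true); // sweep for abandoned connections when borrowing
        ds.setRemoveAbandonedTimeout(2);     // seconds; deliberately short for the demo
        ds.setAbandonedLogWriter(log);       // where the recorded traces are written
        return ds;
    }

    /** Constructed bug: borrows a connection and never closes it. */
    static void leak(BasicDataSource ds) throws Exception {
        Connection c = ds.getConnection();
        try (Statement st = c.createStatement()) {
            st.execute("SELECT 1");
        }
        // missing c.close(): the connection stays checked out
    }

    static String counts(BasicDataSource ds) {
        return "active=" + ds.getNumActive() + " idle=" + ds.getNumIdle();
    }

    public static void main(String[] args) throws Exception {
        StringWriter captured = new StringWriter();
        try (BasicDataSource ds = newTracingPool(
                "jdbc:h2:mem:leakdemo", "sa", "", new PrintWriter(captured, true))) {
            leak(ds);
            System.out.println("after leak:   " + counts(ds));

            Thread.sleep(3_000); // let the leaked connection exceed the timeout

            // This borrow runs the abandoned sweep: the leaked connection is
            // closed and the trace of its borrower goes to the log writer.
            try (Connection c = ds.getConnection()) {
                System.out.println("after borrow: " + counts(ds));
            }
            System.out.println("after close:  " + counts(ds));
            System.out.println("--- abandoned trace ---");
            System.out.println(captured);
        }
    }
}
```

Recording a stack trace on every borrow has a cost, so this is a diagnostic setting, and a production timeout needs to be longer than the slowest legitimate use of a connection or healthy connections get closed under their owners.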


Re: [LANG] Object Merge Functionality

2016-11-29 Thread Matt Sicker
Would BeanUtils work for this case?

https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.3/apidocs/org/apache/commons/beanutils/BeanUtils.html#copyProperties-java.lang.Object-java.lang.Object-

On 29 November 2016 at 18:13, Gary Gregory <garydgreg...@gmail.com> wrote:

> This feels out of scope to me. Nonetheless an interesting challenge.
>
> Gary
>
> On Tue, Nov 29, 2016 at 4:10 PM, Anthony Bonafide <
> anthonymbonaf...@gmail.com> wrote:
>
> > Hello All,
> >
> >  I was wondering if there is functionality within the commons-lang
> > library to merge two or more objects together. The desired functionality
> > would be, given a source and target object copy all the fields from the
> > source to the target where the destination’s fields are null. This is
> > similar to the behavior of Object.assign
> > <https://developer.mozilla.org/en-US/docs/Web/JavaScript/
> > Reference/Global_Objects/Object/assign>
> > found
> > in javascript. I think this is useful when dealing with hierarchies where
> >  objects inherit defaults from other objects higher in the hierarchy. If
> > this feature does not exist and you think it is useful, I would like to
> > submit a pull request. Any thoughts?
> >
> >
> > Thank you,
> >
> >
> > Anthony Bonafide
> >
>
>
>
> --
> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory
>



-- 
Matt Sicker <boa...@gmail.com>


Re: namespaces in XML configurations

2016-11-20 Thread Matt Sicker
Whoops, I didn't even notice that!

On 20 November 2016 at 08:06, Claude Warren <cla...@xenei.com> wrote:

> @sebb
>
> good catch.
>
> On Sun, Nov 20, 2016 at 1:33 PM, sebb <seb...@gmail.com> wrote:
>
> > It may be valid XML, but AFAICT the scope of a namespace is the
> > enclosing element.
> >
> > So 'x' is only defined in the head, but is being used in the body.
> >
> > Try what happens when the namespace is defined and used only in the
> > body element.
> >
> >
> > On 20 November 2016 at 00:34, Matt Sicker <boa...@gmail.com> wrote:
> > > Considering that's valid XML, that certainly sounds like a bug. Could
> you
> > > file an issue on jira for it?
> > > https://issues.apache.org/jira/browse/CONFIGURATION
> > >
> > > On 19 November 2016 at 17:52, Claude Warren <cla...@xenei.com> wrote:
> > >
> > >> I am attempting to use configuration2 for the first time and have run
> > into
> > >> what I think is a bug.
> > >>
> > >> {noformat}
> > >> http://www.xml.com/books;
> > >> xmlns:h="http://www.w3.org/HTML/1998/html4;
> > >> xmlns:x='http://xenei.org'>
> > >>  Book Review
> > >>  
> > >>   
> > >>hoo
> > >>XML: A Primer
> > >>
> > >> 
> > >>  AuthorPrice
> > >>  PagesDate
> > >> 
> > >>  Simon St. Laurent
> > >>  31.98
> > >>  352
> > >>  1998/01
> > >> 
> > >>
> > >>   
> > >>  
> > >> 
> > >> {noformat}
> > >>
> > >> will parse but
> > >>
> > >> {noformat}
> > >> http://www.xml.com/books;
> > >> xmlns:h="http://www.w3.org/HTML/1998/html4;>
> > >>  Book
> > >> Review
> > >>  
> > >>   
> > >>hoo
> > >>XML: A Primer
> > >>
> > >> 
> > >>  AuthorPrice
> > >>  PagesDate
> > >> 
> > >>  Simon St. Laurent
> > >>  31.98
> > >>  352
> > >>  1998/01
> > >> 
> > >>
> > >>   
> > >>  
> > >> 
> > >> {noformat}
> > >>
> > >> will not.
> > >>
> > >> Note the only difference is  that the namespace for "x" is not
> declared
> > on
> > >> the first element.  Is this a bug or intended?
> > >>
> > >> Claude
> > >>
> > >>
> > >> --
> > >> I like: Like Like - The likeliest place on the web
> > >> <http://like-like.xenei.com>
> > >> LinkedIn: http://www.linkedin.com/in/claudewarren
> > >>
> > >
> > >
> > >
> > > --
> > > Matt Sicker <boa...@gmail.com>
> >
> >
> >
>
>
> --
> I like: Like Like - The likeliest place on the web
> <http://like-like.xenei.com>
> LinkedIn: http://www.linkedin.com/in/claudewarren
>



-- 
Matt Sicker <boa...@gmail.com>


Re: namespaces in XML configurations

2016-11-19 Thread Matt Sicker
Considering that's valid XML, that certainly sounds like a bug. Could you
file an issue on jira for it?
https://issues.apache.org/jira/browse/CONFIGURATION

On 19 November 2016 at 17:52, Claude Warren <cla...@xenei.com> wrote:

> I am attempting to use configuration2 for the first time and have run into
> what I think is a bug.
>
> {noformat}
> http://www.xml.com/books;
> xmlns:h="http://www.w3.org/HTML/1998/html4;
> xmlns:x='http://xenei.org'>
>  Book Review
>  
>   
>hoo
>XML: A Primer
>
> 
>  AuthorPrice
>  PagesDate
> 
>  Simon St. Laurent
>  31.98
>  352
>  1998/01
> 
>
>   
>  
> 
> {noformat}
>
> will parse but
>
> {noformat}
> http://www.xml.com/books;
> xmlns:h="http://www.w3.org/HTML/1998/html4;>
>  Book
> Review
>  
>   
>hoo
>XML: A Primer
>
> 
>  AuthorPrice
>  PagesDate
> 
>  Simon St. Laurent
>  31.98
>  352
>  1998/01
> 
>
>   
>  
> 
> {noformat}
>
> will not.
>
> Note the only difference is that the namespace for "x" is not declared on
> the first element.  Is this a bug or intended?
>
> Claude
>
>
> --
> I like: Like Like - The likeliest place on the web
> <http://like-like.xenei.com>
> LinkedIn: http://www.linkedin.com/in/claudewarren
>



-- 
Matt Sicker <boa...@gmail.com>


Re: [imaging] Changing compile baseline of library to JDK7

2016-10-12 Thread Matt Sicker
One problem with that is that Apache developers are generally not paid by
Oracle or others to extend support for Java 6 in anything, so we
tend to stick to what is publicly supported instead. The publicly available
releases of Java 6 have been EOL for quite a while now. This is why a lot
of Apache projects have been migrating to Java 7 this year and last year.

As for preventing issues while building for Java 6 but using Java 7, I
believe you can specify a bootstrap classpath for the JDK so that the code
you compile is compiled against the JDK 6 classes while running in Java 7.
In Maven, there is the animal sniffer plugin which can fail your build if
you use any new classes or methods from JDK 7, and there's most likely a
similar plugin for Gradle.

On 12 October 2016 at 08:38, Thad Humphries <thad.humphr...@gmail.com>
wrote:

> On Wed, Oct 12, 2016 at 4:33 AM, sebb <seb...@gmail.com> wrote:
>
> > May I ask why a minimum of Java 7 is a problem for some people?
> >
> > It would be useful to know this when considering other updates.
> >
>
> In my case, one of our oldest and largest customers--a Fortune 100
> company--is running Oracle WebLogic 10.3, which they purchase with Extended
> Support for Java SE 6. Oracle states that Extended Support for Java SE 6
> will be available December 2018 (
> http://www.oracle.com/technetwork/java/eol-135779.html). We have no
> indication that they will upgrade before then.
>
> Most of my development is with GWT using Gradle as my build tool. In
> addition to having to back out Commons Imaging, I am for now sticking with
> an older Gradle plugin for GWT because the alternative plugin also requires
> Java 7. I've found out the best way to avoid the accidental introduction of
> a Java 7 binary is to stick with Java 6 for the build environment, too.
>
>
> >
> > On 11 October 2016 at 17:10, Thad Humphries <thad.humphr...@gmail.com>
> > wrote:
> > > Yes. I've had to pull commons-imaging from my apps and replace it with
> > > JAI-IMAGEIO. JAI is old and unsupported, but its jar files still work with
> > > Java 6. (There are also older versions of Twelve Monkeys that work with
> > > Java 6. https://github.com/haraldk/TwelveMonkeys)
> > >
> > > On Tue, Oct 11, 2016 at 11:38 AM, Sergio Matone <ser...@cedeo.net>
> > > wrote:
> > >
> > >> I would like to express my disappointment since the library, which was
> > >> working perfectly, is now compiled using Java 7 without issuing a version.
> > >>
> > >> I understand that the library is in SNAPSHOT, but why wasn't at least
> > >> a 1.0.0 version issued, tagging the Java 6 version?
> > >> You broke builds of several of my programs in production. That's not the
> > >> way Apache usually behaves.
> > >>
> > >> Sergio
> > >>
> > >
> > >
> > > --
> > > "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> > > are is hell, And where hell is, there must we ever be" --Christopher
> > > Marlowe, *Doctor Faustus* (v. 121-24)
> >
> >
> >
>
>
> --
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> are is hell, And where hell is, there must we ever be" --Christopher
> Marlowe, *Doctor Faustus* (v. 121-24)
>



-- 
Matt Sicker <boa...@gmail.com>
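
The two build safeguards mentioned in the reply above, sketched as a Maven `pom.xml` fragment. This is an added example, not part of the original thread or of any Apache project's build. The `java6.home` property (a locally installed JDK 6) is hypothetical and the plugin versions shown are assumptions.

```xml
<!-- Added example. java6.home is a hypothetical property that must point at a
     JDK 6 installation; plugin versions are assumptions, not project values. -->
<build>
  <plugins>
    <!-- Emit Java 6 bytecode and resolve JDK classes from the JDK 6 rt.jar,
         even though the build itself runs on Java 7. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.5.1</version>
      <configuration>
        <source>1.6</source>
        <target>1.6</target>
        <compilerArgs>
          <arg>-bootclasspath</arg>
          <arg>${java6.home}/jre/lib/rt.jar</arg>
        </compilerArgs>
      </configuration>
    </plugin>
    <!-- Fail the build if compiled classes reference any class or method
         that is absent from the Java 6 API signature. -->
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>animal-sniffer-maven-plugin</artifactId>
      <version>1.15</version>
      <executions>
        <execution>
          <id>check-java6-api</id>
          <phase>process-classes</phase>
          <goals>
            <goal>check</goal>
          </goals>
          <configuration>
            <signature>
              <groupId>org.codehaus.mojo.signature</groupId>
              <artifactId>java16</artifactId>
              <version>1.1</version>
            </signature>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Either safeguard works alone: the bootstrap classpath needs a JDK 6 on the build machine, while the signature check only needs the signature artifact from the repository.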


Re: Prefix for mails to user@commons.apache.org?

2016-08-30 Thread Matt Sicker
Oh, I thought he was talking about subprojects, not lists. Yeah, the
List-Id and other List-* headers are good enough for this normally.

On 30 August 2016 at 10:49, Paix, Manfred <mp...@informatica.com> wrote:

>
> I don't like an additional prefix in the subject line, the subproject like
> [math] should be enough.
>
> -----Original Message-----
> From: Matt Sicker [mailto:boa...@gmail.com]
> Sent: Tuesday, 30 August 2016 17:43
> To: Commons Users List
> Subject: Re: Prefix for mails to user@commons.apache.org?
>
> The List-Id header only says which list it's from, not which subproject
> it's in.
>
> On 30 August 2016 at 10:23, Thomas Brand <t...@trellis.ch> wrote:
>
> > On Tue, August 30, 2016 17:18, Mark Thomas wrote:
> > > On 30/08/2016 16:14, Thomas Brand wrote:
> > >
> > >>
> > >> Hi,
> > >> when I receive mail from other lists, they have a subject like [listname]
> > >> subject, which makes it easy to quickly sort and overview mails from
> > >> multiple lists in one box (i.e. the inbox). It also makes it easier
> > >> to quickly filter from spam messages. Would it be possible that
> > >> listserver from user@commons.apache.org would automagically prefix the subject?
> > >
> > > Unlikely.
> > >
> > >
> > > The ASF mail server sets the List-Id mail header which can be used
> > > for sorting / filtering.
> > >
> > > Mark
> > >
> >
> > I see, fair enough.
> > Would it hurt though if there would be this redundancy for dumber clients?
> > Greetings
> >
> >
> >
> >
> >
>
>
> --
> Matt Sicker <boa...@gmail.com>
>
>
>


-- 
Matt Sicker <boa...@gmail.com>


Re: Prefix for mails to user@commons.apache.org?

2016-08-30 Thread Matt Sicker
The List-Id header only says which list it's from, not which subproject
it's in.

On 30 August 2016 at 10:23, Thomas Brand <t...@trellis.ch> wrote:

> On Tue, August 30, 2016 17:18, Mark Thomas wrote:
> > On 30/08/2016 16:14, Thomas Brand wrote:
> >
> >>
> >> Hi,
> >> when I receive mail from other lists, they have a subject like [listname]
> >> subject, which makes it easy to quickly sort and overview mails from
> >> multiple lists in one box (i.e. the inbox). It also makes it easier to
> >> quickly filter from spam messages. Would it be possible that listserver
> >> from user@commons.apache.org would automagically prefix the subject?
> >
> > Unlikely.
> >
> >
> > The ASF mail server sets the List-Id mail header which can be used for
> > sorting / filtering.
> >
> > Mark
> >
>
> I see, fair enough.
> Would it hurt though if there would be this redundancy for dumber clients?
> Greetings
>
>
>
>
>


-- 
Matt Sicker <boa...@gmail.com>


Re: [dbutils] Confusion about the release process

2016-08-16 Thread Matt Sicker
If we can migrate it first, I could work on merging back your work into an
official release.

On 16 August 2016 at 14:15, Benedikt Ritter <brit...@apache.org> wrote:

> Matt Sicker <boa...@gmail.com> wrote on Tue, 16 Aug 2016 at 20:51:
>
> > Is dbutils in git yet?
> >
>
> No, but we can easily migrate it.
>
>
> >
> > On 16 August 2016 at 13:46, William Speirs <wspe...@apache.org> wrote:
> >
> > > I was, but am no longer, working on DBUTILS 2.0. There are a LOT of changes
> > > there. Some of those changes have been made here:
> > > https://github.com/wspeirs/sop4j-dbutils I don't cut releases to that all
> > > that often either, but grabbing that code and getting it working shouldn't
> > > be too hard.
> > >
> > > Bill-
> > >
> > > On Tue, Aug 16, 2016 at 1:57 PM, Matt Sicker <boa...@gmail.com> wrote:
> > >
> > > > Is dbutils even ready for a 2.0 release? If so, I could RM it sometime
> > > > soon.
> > > >
> > > > On 16 August 2016 at 12:45, Robert Huffman <robert.huff...@gmail.com>
> > > > wrote:
> > > >
> > > > > As nearly as I can tell, the latest release of dbutils is 1.6. However,
> > > > > there are hints there was a 1.7 at some point, though there is no branch or
> > > > > tag for that version on the GitHub Mirror. The GitHub mirror does have a RC
> > > > > for 2.0.
> > > > >
> > > > > This is an issue for me because our recent upgrade to OJDBC 12 causes
> > > > > AbstractQueryRunner.fillStatement to throw an SQL exception. That defect
> > > > > has been resolved, supposedly in 1.6. However, the sources.jar from
> > > > > MavenCentral for 1.6 does NOT include the fix.
> > > > >
> > > > > So I have a couple of questions. Can someone publish the correct artifacts
> > > > > to Maven Central? And when can we expect 2.0 to be released?
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Matt Sicker <boa...@gmail.com>
> > > >
> > >
> >
> >
> >
> > --
> > Matt Sicker <boa...@gmail.com>
> >
>



-- 
Matt Sicker <boa...@gmail.com>


Re: [dbutils] Confusion about the release process

2016-08-16 Thread Matt Sicker
Is dbutils in git yet?

On 16 August 2016 at 13:46, William Speirs <wspe...@apache.org> wrote:

> I was, but am no longer, working on DBUTILS 2.0. There are a LOT of changes
> there. Some of those changes have been made here:
> https://github.com/wspeirs/sop4j-dbutils I don't cut releases to that all
> that often either, but grabbing that code and getting it working shouldn't
> be too hard.
>
> Bill-
>
> On Tue, Aug 16, 2016 at 1:57 PM, Matt Sicker <boa...@gmail.com> wrote:
>
> > Is dbutils even ready for a 2.0 release? If so, I could RM it sometime
> > soon.
> >
> > On 16 August 2016 at 12:45, Robert Huffman <robert.huff...@gmail.com>
> > wrote:
> >
> > > As nearly as I can tell, the latest release of dbutils is 1.6. However,
> > > there are hints there was a 1.7 at some point, though there is no branch or
> > > tag for that version on the GitHub Mirror. The GitHub mirror does have a RC
> > > for 2.0.
> > >
> > > This is an issue for me because our recent upgrade to OJDBC 12 causes
> > > AbstractQueryRunner.fillStatement to throw an SQL exception. That defect
> > > has been resolved, supposedly in 1.6. However, the sources.jar from
> > > MavenCentral for 1.6 does NOT include the fix.
> > >
> > > So I have a couple of questions. Can someone publish the correct artifacts
> > > to Maven Central? And when can we expect 2.0 to be released?
> > >
> >
> >
> >
> > --
> > Matt Sicker <boa...@gmail.com>
> >
>



-- 
Matt Sicker <boa...@gmail.com>


Re: [dbutils] Confusion about the release process

2016-08-16 Thread Matt Sicker
Is dbutils even ready for a 2.0 release? If so, I could RM it sometime soon.

On 16 August 2016 at 12:45, Robert Huffman <robert.huff...@gmail.com> wrote:

> As nearly as I can tell, the latest release of dbutils is 1.6. However,
> there are hints there was a 1.7 at some point, though there is no branch or
> tag for that version on the GitHub Mirror. The GitHub mirror does have a RC
> for 2.0.
>
> This is an issue for me because our recent upgrade to OJDBC 12 causes
> AbstractQueryRunner.fillStatement to throw an SQL exception. That defect
> has been resolved, supposedly in 1.6. However, the sources.jar from
> MavenCentral for 1.6 does NOT include the fix.
>
> So I have a couple of questions. Can someone publish the correct artifacts
> to Maven Central? And when can we expect 2.0 to be released?
>



-- 
Matt Sicker <boa...@gmail.com>