Monthly Archives: October 2013

Secured FTP – SFTP Vs. FTPS

I do work using various protocols such as FTP, SFTP, FTPS etc., as my application interacts with other applications using these protocols for various integration needs. Recently I came across an interesting topic while looking at various protocols for evaluation purposes. All the various file transfer protocols, namely FTP, SFTP and FTPS, came into the evaluation and it sparked a debate as to which one should be included for secured FTP: SFTP or FTPS. To answer this I had to do a bit of research on the internet, and I didn't have to do anything of my own in my post; I just had to plagiarize various content on the internet as written by awesome authors. The references for these have been given in the reference section below my post.

While doing the research I managed to pull out some important points in a structured manner, which I would like to present below:

FTP protocol – takes its roots in the early 1970s (RFC 114, 1971); the specification still in use today, RFC 959, dates from 1985

Disadvantages

  • Lack of a uniform format for directory listings (partially solved by the MLST/MLSD commands of RFC 3659, but some servers still don't support them).
  • Presence of a secondary connection (the DATA connection) for every file transfer and every directory listing.
  • Standard FTP sends user ids, passwords and file contents in clear text, so it doesn't meet the security requirements of modern application integration; this is the main reason for looking at other options to transfer data in a secured fashion.
  • Even though the protocol is simple, it still isn't very firewall friendly: each session needs two ports, and in active mode (the original permutation, and one of the more efficient ones) the server opens the data connection back to the client, so the client side has to accept an inbound connection.

The two mainstream protocols available for secure FTP-style transfers are

  • SFTP (SSH File Transfer Protocol) – despite the name, SFTP has nothing to do with FTP or FTPS on the wire. It is a separate file transfer protocol that runs as a subsystem inside an SSH session. Because the FTP standard has been around for so long and is so popular for file transfer, some people refer to SFTP as "FTP over SSH", but tunnelling real FTP through an SSH connection is a different (and rarely used) setup.
  • FTPS (FTP over SSL/TLS) – the original FTP protocol with its control and data connections wrapped in SSL/TLS.

Advantages (Both)

  • Offer a high level of protection since they use strong algorithms such as AES and Triple DES to encrypt any data transferred. To be more precise, they combine an asymmetric algorithm for authentication (RSA, DSA), a symmetric algorithm for bulk encryption (3DES, AES, Twofish and so on), a key-exchange algorithm (Diffie-Hellman) and a MAC for integrity. Which of these are actually negotiated is a matter of server configuration on both protocols, so single DES and other weak ciphers should be disabled on the server rather than assumed absent.
  • Support a wide variety of functionality with a broad command set for transferring and working with files.

Notable differences between SFTP and FTPS lie in how connections are authenticated and managed.

SFTP (SSH File Transfer Protocol)

In General:

  • A connection can be authenticated using different techniques. For basic authentication it just requires a user id and password to connect to the SFTP server. The important difference with respect to standard FTP is that any user ids and passwords supplied over the SFTP connection travel inside the encrypted SSH channel, never in the clear.
  • SSH public keys can be used to authenticate the client instead of, or in addition to, passwords; FTPS has no equivalent of SSH keys (its counterpart for client authentication is X.509 client certificates). The server, in turn, is authenticated by its SSH host key: the client compares the key (or its fingerprint) with what it has pinned, for example in a known_hosts file, and must refuse to connect if the key has changed, since a changed host key is exactly what a man-in-the-middle looks like.
  • With respect to implementation, SFTP is a clear winner as opposed to FTPS, as it is far more firewall friendly. It requires only a single port (22 by default) to be opened through the firewall. This port is used for all SFTP communications, including the initial authentication, any commands issued, as well as any data transferred.

Pros:

  • Has a good standards background (SSH itself is defined in RFC 4251–4254; SFTP is specified in IETF drafts that implementations follow closely) that strictly defines most, if not all, aspects of operation
  • Has only one connection (no need for a DATA connection)
  • The connection is always secured, since the protocol only exists inside an SSH session
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking, and more functionality

Cons:

  • The communication is binary and can't be logged "as is" for human reading
  • SSH keys are harder to manage and validate: there is no CA hierarchy by default, so each client has to obtain and pin every server's host key (trust on first use if nobody provisions it out of band), and each server has to hold a copy of every authorised client public key
  • The standards define certain things as optional or recommended, which leads to compatibility problems between software from different vendors
  • No server-to-server copy and no recursive directory removal operations
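To make the host-key point above concrete, here is an added example (not code from the original post, and not tied to any particular SFTP library) of the check an SFTP client has to perform before it trusts a server: decode the OpenSSH public-key line the server presented, compute its SHA256 fingerprint, and compare the key with the entry pinned for that host in a known_hosts file, handling both plain and hashed host fields. The hostnames, the 32-byte key material and the known_hosts contents are constructed for the example and are not real keys; it needs Java 8 or later for java.util.Base64.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: pin an SFTP server's SSH host key the way a known_hosts file does. */
public class HostKeyCheck {

    public enum Result { MATCH, MISMATCH, UNKNOWN }

    /** Decodes an OpenSSH "type base64blob" line and checks the type embedded in the blob. */
    static byte[] decodePublicKey(String line) {
        String[] parts = line.trim().split("\\s+");
        byte[] blob = Base64.getDecoder().decode(parts[1]);
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] type = new byte[buf.getInt()];
        buf.get(type);
        if (!parts[0].equals(new String(type, StandardCharsets.US_ASCII))) {
            throw new IllegalArgumentException("key type inside blob does not match declared type");
        }
        return blob;
    }

    /** OpenSSH-style fingerprint: "SHA256:" followed by unpadded base64 of SHA-256 over the blob. */
    static String fingerprintSha256(byte[] blob) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(blob);
        return "SHA256:" + Base64.getEncoder().withoutPadding().encodeToString(digest);
    }

    /** Hashed known_hosts host field: "|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))". */
    static String hashHostname(String hostname, byte[] salt) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(salt, "HmacSHA1"));
        byte[] tag = mac.doFinal(hostname.getBytes(StandardCharsets.UTF_8));
        return "|1|" + Base64.getEncoder().encodeToString(salt) + "|" + Base64.getEncoder().encodeToString(tag);
    }

    /** True if a known_hosts host field (plain, comma-separated or hashed) names this host. */
    static boolean hostFieldMatches(String field, String hostname) throws Exception {
        if (field.startsWith("|1|")) {
            String[] p = field.split("\\|");               // "", "1", salt, tag
            byte[] salt = Base64.getDecoder().decode(p[2]);
            byte[] expected = hashHostname(hostname, salt).getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, field.getBytes(StandardCharsets.US_ASCII));
        }
        return Arrays.asList(field.split(",")).contains(hostname);
    }

    /** MATCH if the pinned key equals the presented one, MISMATCH if the host is pinned with a
     *  different key of the same type (possible man-in-the-middle), UNKNOWN if nothing is pinned. */
    static Result verify(String knownHosts, String hostname, String presentedKeyLine) throws Exception {
        String presentedType = presentedKeyLine.trim().split("\\s+")[0];
        byte[] presented = decodePublicKey(presentedKeyLine);
        boolean pinned = false;
        for (String raw : knownHosts.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] f = line.split("\\s+");                // host(s), type, base64 blob
            if (f.length < 3 || !f[1].equals(presentedType) || !hostFieldMatches(f[0], hostname)) continue;
            pinned = true;
            if (MessageDigest.isEqual(Base64.getDecoder().decode(f[2]), presented)) return Result.MATCH;
        }
        return pinned ? Result.MISMATCH : Result.UNKNOWN;
    }

    /** Constructed ssh-ed25519 line with 32 filler bytes in place of real key material. */
    static String sampleKeyLine(byte fill) {
        byte[] type = "ssh-ed25519".getBytes(StandardCharsets.US_ASCII);
        byte[] raw = new byte[32];
        Arrays.fill(raw, fill);
        ByteBuffer buf = ByteBuffer.allocate(8 + type.length + raw.length);
        buf.putInt(type.length).put(type).putInt(raw.length).put(raw);
        return "ssh-ed25519 " + Base64.getEncoder().encodeToString(buf.array());
    }

    public static void main(String[] args) throws Exception {
        String pinnedKey = sampleKeyLine((byte) 1);
        String changedKey = sampleKeyLine((byte) 2);
        byte[] salt = new byte[20];
        Arrays.fill(salt, (byte) 7);
        // Constructed known_hosts: one plain entry and one hashed entry, both pinning the same key.
        String knownHosts = "sftp.example.com " + pinnedKey + "\n"
                + hashHostname("files.example.org", salt) + " " + pinnedKey + "\n";
        System.out.println(fingerprintSha256(decodePublicKey(pinnedKey)));
        System.out.println("same key:     " + verify(knownHosts, "sftp.example.com", pinnedKey));
        System.out.println("key changed:  " + verify(knownHosts, "sftp.example.com", changedKey));
        System.out.println("hashed entry: " + verify(knownHosts, "files.example.org", pinnedKey));
        System.out.println("not pinned:   " + verify(knownHosts, "other.example.net", pinnedKey));
    }
}
```

A MISMATCH result must abort the connection rather than prompt, and in an unattended integration job UNKNOWN should be treated the same way: the partner's host key belongs in the known_hosts file provisioned out of band, not learned on first use. Entries for non-default ports use the `[host]:port` form, which this example does not handle.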

FTPS (FTP over SSL/TLS)

In General:

  • With FTPS, a connection is authenticated using a user id and password and/or certificate(s). As with SFTP, the user ids and passwords for FTPS connections are encrypted in transit. When an FTPS client connects to an FTPS server, the client verifies whether the server's certificate is trusted. The certificate is considered trusted if either it was signed by a known certificate authority (CA), like Verisign, or it was self-signed (by your partner) and you have a copy of their public certificate in your trusted key store. The client must also check that the certificate's name matches the host it connected to and that it has not expired; skipping these checks (a common shortcut with self-signed partner certificates) turns TLS into encryption to an unverified peer. The server can likewise demand an X.509 client certificate, which is FTPS's counterpart to SFTP's public-key authentication.
  • FTPS can be very difficult to pass through a tightly secured firewall since FTPS uses multiple port numbers. The initial port (21 by default for explicit FTPS, where the client upgrades the plain FTP control connection with AUTH TLS; 990 for the older implicit FTPS) is used for authentication and passing any commands. However, every time a file transfer request (get, put) or directory listing request is made, another port has to be opened for the DATA connection. With plain FTP a stateful firewall reads the PORT/PASV exchange on the control channel and opens that data port on the fly, but with FTPS the control channel is encrypted, so the firewall is blind to it. You and your trading partners therefore have to open a fixed range of passive ports in your firewalls (and configure the server to announce only ports from that range), which is a security risk for your network.
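As an added example that is not part of the original post, the following Java class does what a firewall's FTP helper does on clear-text FTP and what an FTPS client has to do for itself on the encrypted control channel: parse the 227 (PASV) and 229 (EPSV, RFC 2428) replies, compute the data port, and refuse the data connection if the announced address differs from the control connection's peer or the port falls outside the passive range the firewall permits. The replies and addresses are constructed for the example; the range 50000–50100 stands in for whatever range the server is configured to announce (for example pasv_min_port/pasv_max_port in vsftpd).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: parse FTP passive-mode replies and vet the announced data endpoint. */
public class PassiveReply {

    // 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
    private static final Pattern PASV = Pattern.compile(
        "^227 .*?\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})\\)");
    // 229 Entering Extended Passive Mode (|||port|)
    private static final Pattern EPSV = Pattern.compile("^229 .*?\\(\\|\\|\\|(\\d{1,5})\\|\\)");

    public static final class Endpoint {
        public final String host;
        public final int port;
        Endpoint(String host, int port) { this.host = host; this.port = port; }
        @Override public String toString() { return host + ":" + port; }
    }

    /** Address is the four octets; the port is p1*256 + p2. */
    static Endpoint parsePasv(String reply) {
        Matcher m = PASV.matcher(reply.trim());
        if (!m.find()) throw new IllegalArgumentException("not a 227 reply: " + reply);
        int[] v = new int[6];
        for (int i = 0; i < 6; i++) {
            v[i] = Integer.parseInt(m.group(i + 1));
            if (v[i] > 255) throw new IllegalArgumentException("value out of range: " + v[i]);
        }
        return new Endpoint(v[0] + "." + v[1] + "." + v[2] + "." + v[3], v[4] * 256 + v[5]);
    }

    /** EPSV announces only a port; the address is always the control connection's peer. */
    static int parseEpsv(String reply) {
        Matcher m = EPSV.matcher(reply.trim());
        if (!m.find()) throw new IllegalArgumentException("not a 229 reply: " + reply);
        int port = Integer.parseInt(m.group(1));
        if (port < 1 || port > 65535) throw new IllegalArgumentException("port out of range: " + port);
        return port;
    }

    /** Reasons to refuse the announced data endpoint; an empty list means accept. */
    static List<String> checkDataEndpoint(String controlPeerIp, Endpoint announced, int minPort, int maxPort) {
        List<String> problems = new ArrayList<>();
        if (!announced.host.equals(controlPeerIp)) {
            // A server behind NAT often announces its private address; a hostile one can
            // redirect the client anywhere. Either way, do not connect to a third party.
            problems.add("announced " + announced.host + " but control peer is " + controlPeerIp
                       + " (use EPSV or the control peer address instead)");
        }
        if (announced.port < minPort || announced.port > maxPort) {
            problems.add("port " + announced.port + " is outside the permitted passive range "
                       + minPort + "-" + maxPort);
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed replies, not captured from a real server.
        String controlPeer = "192.0.2.10";
        Endpoint good = parsePasv("227 Entering Passive Mode (192,0,2,10,195,89).");
        Endpoint redirected = parsePasv("227 Entering Passive Mode (198,51,100,7,0,25).");
        Endpoint epsv = new Endpoint(controlPeer, parseEpsv("229 Entering Extended Passive Mode (|||50001|)"));
        System.out.println(good + " -> " + checkDataEndpoint(controlPeer, good, 50000, 50100));
        System.out.println(redirected + " -> " + checkDataEndpoint(controlPeer, redirected, 50000, 50100));
        System.out.println(epsv + " -> " + checkDataEndpoint(controlPeer, epsv, 50000, 50100));
    }
}
```

Prefer EPSV wherever the server supports it: it carries no address, so the redirection check becomes moot, and it works unchanged over IPv6. The port-range check is the client-side mirror of the firewall rule; if the server announces ports the firewall does not allow, the transfer fails at connect time rather than hanging.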

Pros:

  • Widely known and used
  • The communication is text-based and can be read and understood by humans (in logs at either endpoint, or on the wire before the TLS upgrade)
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks

Cons:

  • Doesn’t have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind firewalls
  • Doesn’t define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn’t have a standard way to get and change file and directory attributes

Summary/Conclusion

In summary, SFTP and FTPS are both very secure with strong authentication options. In general, SFTP is technologically superior to FTPS. Since SFTP is much easier to pass through firewalls, and FTPS for this reason (it needs a range of ports to be opened) puts additional security threats on the network, I believe SFTP is the clear winner in case you need a secure FTP for your application integration needs.

In our protocol evaluation, considering the above points, I feel we can go with SFTP for secured file transfer and can omit FTPS. FTPS is omitted not because it is unsuitable, but because SFTP does the same things and is superior in many ways.

Reference

http://blog.goanywheremft.com/2011/10/20/sftp-ftps-secure-ftp-transfers/

http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329/FTPS-vs-SFTP-What-to-Choose.htm

https://www.eldos.com/sbb/articles/4672.php?page=all


Java Interview Questions – Java Concepts

  • What are the different types of memory areas allocated by the JVM?
    • Class (Method) Area – stores per-class structures like fields, method data, method code and the runtime constant pool.
    • Heap – runtime area where the actual objects reside; shared by all threads and managed by the garbage collector.
    • Stack – holds local variables and partial results and plays a pivotal role in method invocation and return. For each thread created, a private JVM stack is created and maintained. It stores each method invocation in the form of a frame, which is destroyed as soon as the method invocation completes.
    • Program Counter (PC) Register – one per thread; contains the address of the JVM instruction currently being executed.
    • Native Method Stack – one per thread; supports the invocation of native (non-Java, e.g. JNI) methods used by the application.
  • What makes the Java software-based platform "write once, run anywhere"?

Because the program is compiled into bytecode, and this bytecode is run inside a runtime environment (the JVM), the software-based platform is able to run on top of many hardware-based platforms. The JVM itself is platform dependent and is available for the various hardware platforms.

  • Does Java support multiple inheritance?

At the class level Java doesn't support multiple inheritance (a class can extend only one class), to avoid the complexity and ambiguity it brings and to keep the language simple. Having said that, a class can implement any number of interfaces, so Java does support multiple inheritance of type, and this is widely used.

  • What is Association, Aggregation and Composition?

I wouldn’t want to reinvent and write answer for this question, rather I would point you directly to this link here.

  • What is meant by Abstraction, Generalization, Realization and Dependency?

Again read the link here and you will get all the relevant details.


Java Interview Questions – Error and Exception Handling

  • What is exception chaining in Java?

One of the important exception-handling concepts in Java: a different exception is thrown in response to an actual exception, which creates a chain of exceptions. This is commonly used to wrap a checked exception in an unchecked one, and such code is typical when writing a framework, where a known checked exception is rethrown as an unchecked framework exception. Even though a new exception is thrown, as a best practice always pass the root cause (the original exception) to the constructor of the newly created exception, so that getCause() and the stack trace still show where the problem really happened.

  • With regard to JDK 7 there are new features for exception handling. Can you detail them?

There are numerous small and medium new features in JDK 7 which are very useful. Some of them with regard to error and exception handling are detailed below:

    • Multiple exception handling in one catch block (multi-catch)

Reduces code clutter and is more readable: the alternative exception types are listed with a | in a single catch clause, and the caught variable is implicitly final.

    • ARM (Automatic Resource Management) blocks

As the name suggests, they are capable of automatically handling resources on your behalf; popularly known as try-with-resources. Any resource declared in the try header must implement AutoCloseable and is closed automatically when the block exits, whether normally or by an exception; if both the block and close() throw, the close() failure is attached to the first exception as a suppressed exception instead of replacing it. This takes a lot of bother away from developers. Below is the example from the Oracle Java docs:
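The following is an added example and not the Oracle documentation sample the post refers to. It shows the JDK 7 pieces together: a multi-catch clause, try-with-resources on a reader, exception chaining that wraps a checked IOException into an unchecked framework exception while preserving the cause, and the suppressed-exception behaviour when close() fails. IntegrationException, sumFirstLine and FailingResource are names made up for the example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;

/** Added example: JDK 7 multi-catch, try-with-resources and exception chaining. */
public class Jdk7Exceptions {

    /** Unchecked framework exception that keeps the original cause (exception chaining). */
    public static class IntegrationException extends RuntimeException {
        public IntegrationException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Sums the comma-separated integers on the first line of the input. The reader is closed
     *  whether or not an exception is thrown; two unrelated exception types share one catch. */
    static int sumFirstLine(String text) {
        try (BufferedReader reader = new BufferedReader(new StringReader(text))) {
            String line = reader.readLine();
            if (line == null) throw new IOException("empty input");
            int sum = 0;
            for (String field : line.split(",")) sum += Integer.parseInt(field.trim());
            return sum;
        } catch (IOException | NumberFormatException e) {
            // Wrap the checked IOException (and the parse failure) without losing the cause.
            throw new IntegrationException("could not parse first line", e);
        }
    }

    /** Resource whose close() fails, to show how the failure is recorded. */
    static class FailingResource implements AutoCloseable {
        @Override public void close() throws IOException {
            throw new IOException("close failed");
        }
    }

    /** The body's exception wins; the close() exception is attached as a suppressed one. */
    static String describeSuppressed() {
        try (FailingResource resource = new FailingResource()) {
            throw new IllegalStateException("body failed");
        } catch (Exception e) {
            return e.getMessage() + " / suppressed: " + e.getSuppressed()[0].getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(sumFirstLine("1, 2, 3\n4, 5"));
        try {
            sumFirstLine("1, two, 3");
        } catch (IntegrationException e) {
            System.out.println(e.getMessage() + " <- cause: " + e.getCause());
        }
        System.out.println(describeSuppressed());
    }
}
```

Before JDK 7 the close() failure in describeSuppressed() would have replaced the body's exception entirely, hiding the real error; with try-with-resources both survive, the original as the thrown exception and the second via getSuppressed().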


Java Interview Questions – Collections

  • What is the key requirement for an object to be used as a key in a hash-based collection, e.g. HashMap, Hashtable or ConcurrentHashMap?

The object's class should override both equals() and hashCode(), and consistently: two objects that are equal() must return the same hashCode() (the reverse is not required). Overriding only one of the two breaks lookups. The key should also be immutable, as discussed below.

  • What are immutable classes in Java? How do you make an immutable class in Java?

Immutable classes are classes whose objects, once created, cannot be modified. Any operation that would modify such an object instead returns a new object. Examples are String and the wrapper classes such as Integer (StringBuffer and StringBuilder, by contrast, are mutable).

To make a class immutable, declare the class final so it cannot be subclassed, make all fields private and final and set them only in the constructor, provide no setters, defensively copy any mutable objects passed in or handed out, and take the utmost care that the object reference (this) does not leak during the construction phase of the object.

  • What happens internally when you invoke the get(Object key) method on hash-based collections like HashMap and Hashtable?

The following steps happen:

      • key.hashCode() is invoked, and the result is used to compute the bucket location in the array backing the hash collection.
      • In the backing array the keys and values are stored in an internal class called Entry. If there is only one Entry at the bucket location and its key matches, the value is returned. If two keys have the same hash code, or different hash codes that map to the same bucket (both happen), the bucket holds several entries that form a linked list. In that case the list is traversed, comparing the stored hash and then the key of each entry using equals() until it returns true; the value of that entry is then returned. If no entry matches, null is returned.
  • Why should an object which is to be used as a key in collection classes be immutable?

This is required because hashCode() must always return the same value for a key while it is in the collection. If the key's state changes after insertion, its hash code changes, the lookup goes to a different bucket (or fails the stored-hash comparison in the same bucket), and the entry can no longer be found even though it is still in the map.
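Added example (not from the original post) illustrating both the equals()/hashCode() contract and why a key must be immutable: PartnerId is an immutable key that is found again through a fresh but equal instance, while MutableId, which has the same equals()/hashCode(), is lost to lookups as soon as it is modified after insertion. The class, field and host names are invented for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/** Added example: the equals()/hashCode() contract and the cost of a mutable hash key. */
public class HashKeys {

    /** Immutable key: final class, private final fields set only in the constructor, no setters. */
    public static final class PartnerId {
        private final String partner;
        private final int account;

        public PartnerId(String partner, int account) {
            this.partner = Objects.requireNonNull(partner);
            this.account = account;
        }

        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof PartnerId)) return false;
            PartnerId other = (PartnerId) o;
            return account == other.account && partner.equals(other.partner);
        }

        /** Equal objects must produce equal hash codes, so hash exactly the fields equals() uses. */
        @Override public int hashCode() { return Objects.hash(partner, account); }
    }

    /** Same fields and the same equals()/hashCode(), but the state can change after insertion. */
    public static final class MutableId {
        private String partner;
        private int account;

        public MutableId(String partner, int account) { this.partner = partner; this.account = account; }
        public void setAccount(int account) { this.account = account; }

        @Override public boolean equals(Object o) {
            if (!(o instanceof MutableId)) return false;
            MutableId other = (MutableId) o;
            return account == other.account && partner.equals(other.partner);
        }
        @Override public int hashCode() { return Objects.hash(partner, account); }
    }

    /** A fresh instance with the same state is found, because equals() and hashCode() agree. */
    static boolean lookupWithImmutableKey() {
        Map<PartnerId, String> routes = new HashMap<>();
        routes.put(new PartnerId("acme", 42), "sftp.acme.example");
        return routes.containsKey(new PartnerId("acme", 42));
    }

    /** Mutating the key after insertion changes its hash code; HashMap compares the stored hash
     *  before calling equals(), so the entry stays in the map but can no longer be found. */
    static boolean lookupAfterMutatingKey(Map<MutableId, String> routes) {
        MutableId key = new MutableId("acme", 42);
        routes.put(key, "sftp.acme.example");
        key.setAccount(43);
        return routes.containsKey(key);
    }

    public static void main(String[] args) {
        System.out.println("immutable key found again: " + lookupWithImmutableKey());
        Map<MutableId, String> routes = new HashMap<>();
        System.out.println("mutated key found again:   " + lookupAfterMutatingKey(routes));
        System.out.println("entries still in the map:  " + routes.size());
    }
}
```

The mutated entry is the worst kind of bug: it cannot be retrieved, cannot be removed by key, and still holds its value, so the map leaks. The same applies to elements of a HashSet.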

  • Have you heard of ConcurrentHashMap? If so, what is it?

This is an alternative to Hashtable in Java. As the name suggests, it is thread safe and designed for multi-threaded programming, but unlike Hashtable it does not lock the whole map on every call: reads do not block, and writes lock only a portion of the table (lock striping), so it scales much better under contention. Like Hashtable, it does not allow null keys or values.

  • How do you make a HashMap synchronized in nature?

You can use Collections.synchronizedMap(map). This returns a wrapper that synchronizes every method on a single lock, very much like Hashtable. Note that iteration over such a map is not atomic; you must synchronize on the wrapper yourself while iterating.

  • What are the differences/similarities between HashSet and TreeSet?

Some of the differences are:

    • HashSet is faster than TreeSet (constant-time add/remove/contains versus logarithmic).
    • HashSet doesn't preserve any ordering but TreeSet keeps its elements sorted (by natural ordering or a supplied Comparator).
    • HashSet allows a null element but TreeSet doesn't (with natural ordering, adding null throws NullPointerException).
    • HashSet is backed by a HashMap and TreeSet is backed by a TreeMap.

Some of the similarities are:

    • Neither is thread-safe or synchronized; wrap them with Collections.synchronizedSet() for concurrent use.
    • Both implement the Set interface and therefore reject duplicate elements.

Reference:-

Awesome post (Hats Off) – http://java67.blogspot.ae/2013/07/15-advanced-core-java-interview-questions-answers-senior-experienced-5-6-years-programmers-developers.html


Spring Framework Vs. JEE – Part III

This is my final blog on this topic, hopefully. Part I of the blog can be found here and Part II of this blog can be found here.

I do at times think that my blog title itself is misleading, or rather incorrect, as I don't feel that there needs to be a comparison between the two, as both can exist together in one application without any issues at all. In fact, if that's the case, we can use the best of both and be happy. But this debate has existed for a very long time, and nowadays Oracle also at times comments that one should kill the Spring Framework (buy and kill it to reduce competition, Oracle's buying-spree logic) and go with standards. Being the creators and maintainers of the Java language they do have the right to promote JEE, but I feel they don't have to take such a stance, IMHO.

The community, with its full adoption of the language, has made it a standard. Similarly, when the Spring Framework came into existence it was indeed helping Java developers use Java and avoid the complexities of developing enterprise applications. In fact we have to give full credit to the Spring Framework for keeping the Java language alive and kicking. I have heard many times, even from my own managers, that Java is too heavy and not that good for application development when you compare it with .NET. Spring to some extent has been able to bring that easiness to it by taking the complexities away. At the moment there might still not be much of a comparison in easiness with respect to .NET, but the community is ready to develop applications using Java. Again, for enterprise applications, comparing .NET and Java (JEE) is not that good an idea, for many reasons. I don't want to go too far off topic here.

As Kelly Tisdell mentions in his blog, JEE has definitely taken some pages out of the Spring book, added them to its big Java bible and spread the word that "Java is the standard, so migrate to JEE from Spring to stay standard". It doesn't say directly to stop using Spring, but it has that tone to it.

Even after taking those pages, developing an enterprise application from scratch using JEE does have its own complexities, and Spring does have that easiness to it (this might be subjective and debatable, but that's what I feel). Most of the nicer features in Spring have now crept into JEE under different names and in a much refined fashion (JEE has learned from mistakes and corrected them) for sure, and that's the reason developers have been prompted to think about this migration.

I wanted to put more facts in here rather than my opinions, but after so long I have indeed lost interest in filling in more details, and I thought that I would just give my opinion and close this never-ending blog post. Apologies for the same.

In my opinion, Spring and JEE should marry each other, and an enterprise application should be developed taking the good points from both. I am in no way saying that JEE or Spring scores over the other, because both are really good platforms on which to develop your enterprise applications.
