Add the following entry to gradle.properties:
org.gradle.jvmargs='-Dfile.encoding=UTF-8'Page 11 of 33
JVM Parameters
Modify the java heap memory based on container memory using one of the following JVM parameters:
| Parameter | Description |
|---|---|
| -XX:InitialRAMPercentage | The initial size of the heap based on the total container memory. |
| -XX:MinRAMPercentage | The maximum heap size based on the size of the JVM running on small heap. The small is heap is of approximately 125MB. |
| -XX:MaxRAMPercentage | The maximum heap size based on the size of the JVM running on greater than small heap. |
Displaying the Current Value
Use the following command the display the current value of the container aware JVM Parameters using the following:
docker container run -it --rm openjdk:17.0.2-slim java -XX:+PrintFlagsFinal -version | grep -E ".*RAMPercentage"Expect to see something like the following:
double InitialRAMPercentage = 1.562500
{product} {default}
double MaxRAMPercentage = 25.000000
{product} {default}
double MinRAMPercentage = 50.000000
{product} {default}Checking the Current Memory and CPU using JShell
-
Open a jshell in the container using the following:
docker container run -it --rm openjdk:17.0.2-slim jshell -
Paste the following command in jshell:
var rt = Runtime.getRuntime(); System.out.printf("Heap size: %dMB%nMaximum size of heap: %dMB%nAvailable processors: %d%n", rt.totalMemory()/1024/1024, rt.maxMemory()/1024/1024, rt.availableProcessors()); -
Press enter.
Expect to see something similar to the following:
rt ==> java.lang.Runtime@1d81eb93 Heap size: 252MB Maximum size of heap: 3966MB Available processors: 16 $2 ==> java.io.PrintStream@34c45dca -
Type the following in jshell and press enter.
/exit
Allocating a Memory and CPU to a Container
-
Execute the following command to allocate 100mb of memory and 1 CPU to the container:
docker container run -it --rm -m 100m --cpus=1 openjdk:17.0.2-slim jshell -
Paste the following command in jshell:
var rt = Runtime.getRuntime(); System.out.printf("Heap size: %dMB%nMaximum size of heap: %dMB%nAvailable processors: %d%n", rt.totalMemory()/1024/1024, rt.maxMemory()/1024/1024, rt.availableProcessors()); -
Press enter.
Expect to see something similar to the following:
rt ==> java.lang.Runtime@6659c656 Heap size: 7MB Maximum size of heap: 48MB Available processors: 1 $2 ==> java.io.PrintStream@2d8e6db6Notice the following:
Value Heap size 7MB Maximum size of heap 48MB Available processors 1 -
Type the following in jshell and press enter.
/exit
Modifying the Allocated Maximum Size of Heap Memory
-
Execute the following command to allocate 100mb of memory and 1 CPU to the container:
docker container run -it --rm -m 100m --cpus=1 openjdk:17.0.2-slim jshell -R-XX:MinRAMPercentage=80 -
Paste the following command in jshell:
var rt = Runtime.getRuntime(); System.out.printf("Heap size: %dMB%nMaximum size of heap: %dMB%nAvailable processors: %d%n", rt.totalMemory()/1024/1024, rt.maxMemory()/1024/1024, rt.availableProcessors()); -
Press enter.
Expect to see something similar to the following:
rt ==> java.lang.Runtime@6659c656 Heap size: 7MB Maximum size of heap: 77MB Available processors: 1 $2 ==> java.io.PrintStream@2d8e6db6Notice the Maximum size of heap become 77MB. This is because of the JVM argument -XX:MinRAMPercentage=80 passed in jshell as:
-R-XX:MinRAMPercentage=80We use the --XX:MinRAMPercentage=80 because the memory allocated is a small heap.
-
Type the following in jshell and press enter.
/exit
The resource owner password credential grant type is designed as a stop-gap for legacy applications. Should only be used temporarily until the migration of the application to OAUTH is complete. This grant type should never be used anymore. This type can request for offline_access scope (i.e. to request for refresh token).
-
Use the token end point to do post request for the access token with the following headers:
Content-Type = application/x-www-form-urlencodedAnd with the following form data:
grant_type = password client_id = the one used from step 1. client_secret =username = password = scope = (Optional) what permision wanted. If not specified, default permission will be given. state = (Optional) value to echo to us. Expected Response
{ "access_token" : <ACCESS_TOKEN>, "token_type" : "Bearer", "expires_in" : 3600, "scope" : <The scope allowed by the server> } -
Call the API with the authorization header like the following syntax:
Bearer <ACCESS_TOKEN>
Related Post
KEYCLOAK – JWT GENERATION – PASSWORD GRANT TYPE
The open id configuration exposes some information like the following:
- Authorization endpoint
- Token endpoint
- Supported grant types
- Supported response types
- Supported response modes
- Supported claims
- Supported scopes
Use the following address syntax to find-out the OpenID configuration:
<KEYCLOAK_ADDRESS>/realms/<TARGET_REALM>/.well-known/openid-configurationExample
Given
| Token | Value |
|---|---|
| KEYCLOAK_ADDRESS | http://localhost:8080 |
| TARGET_REALM | test |
The OpenID configuration would be:
http://localhost:8080/realms/testrealm/.well-known/openid-configuration
Pre-requisite
- Keycloak 19^1
Creating a New Client and User
-
Sign in to keycloak admin console using the following address:
Must know a valid credential.
-
Switch or create a realm that is NOT a master realm (i.e. leave the master realms for keycloak usage only), like the following (i.e. jwtrealm):
-
Create a new client as follows:
-
Ensure that OpenID Connect is the Client type.
-
Provide a Client ID (e.g. jwtclient).
-
Click the Next button.
-
Enable the Client authentication.
-
In the Authentication flow, unselect the standard flow.
-
Click the Save button.
-
-
Create a new user as follows:
-
Fill-in the username field (e.g. testuser).
-
Click the Create button.
-
Click the Credentials tab.
-
Click the Set password button.
-
Fill-in the Password field.
-
Fill-in the Password confirmation field.
-
Turn-off temporary.
-
Click the Save button.
-
Click the Save password button.
-
Using Postman for Testing
-
Create a post request to the following address format:
http://localhost:8080/realms/<TARGET_REALM>/protocol/openid-connect/tokenExample
Using the jwtrealm as the TARGET_REALM (i.e. configured in the previous section).
http://localhost:8080/realms/jwtrealm/protocol/openid-connect/token
-
Click the Body tab.
-
Select x-www-form-url-encoded.
-
Add the following entries:
Key Value Comment client_id jwtclient This is the client configured earlier. grant_type password This is for direct access grant type. client_secret <Client secret> This can be found in the jwtclient (i.e. configured earlier) client credentials tab. 
scope openid The openid scope is required; to indicate that the application intends to use OIDC to verify the user's identity. username testuser This is the user configured earlier. password <password> This is the password for the user that is configured earlier. -
Click the Send button.
Success Output
The success output is in the following format.
{
"access_token": "The access token.",
"expires_in": "Access token expiration.",
"refresh_expires_in": "Refresh token expiration",
"refresh_token": "The refresh token.",
"token_type": "Bearer",
"id_token": "The ID token.",
"not-before-policy": 0,
"session_state": "The session state.",
"scope": "openid profile email"
}You paste the encoded token to the following website to decode its content:
Invalid Credential Output
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}Related Post
THE RESOURCE OWNER PASSWORD CREDENTIAL (ROPC) GRANT TYPE
The event IDs that can be searched in windows event viewer (i.e. Windows Logs -> System) for the confirmation of shutdown or restart.
| Event ID | Name | Description |
|---|---|---|
| 14 | The system has rebooted without cleanly shutting down first | This event indicates that some unexpected activity prevented Windows from shutting down correctly. Such a shutdown might be caused by an interruption in the power supply or by a Stop error. If feasible, Windows records any error codes as it shuts down. |
| 1074 | System has been shutdown by a process/user. | This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down. |
| 6006 | The event log service was stopped. | The event is logged at boot time noting that the Event Log service was stopped. |
| 6008 | Unexpected system shutdown | The previous system shutdown at Time on Date was unexpected. |
-
Open your chrome browser.
-
Access the following using the address bar:
chrome://net-internals/#hsts -
Find for the following section:
Delete domain security policies
-
Type in the domain that has HSTS that you wanted to be removed.
-
Press the delete button.
Related Post
HTTP STRICT TRANSPORT SECURITY (HSTS)
The authorization code grant type is designed for confidential clients (e.g. websites with a server back end) that can keep a secret. This type can request for offline_access scope (i.e. to request for refresh token).
-
Use the authorization end point to request the authorization code with the following query parameters:
response_type = code client_id = the client unique code redirect_uri = redirection URL. state = (Optional) value to echo to us. scope = (Optional) what permision wanted. If not specified, default permission will be given. response_mode = (Optional) queryA login form will be displayed if not yet filled-up before.
Expected Response
The redirect_uri with the following query parameters:
code = The authorization code state = state value if given. -
Use the token end point to do post request for the access token with the following headers:
Content-Type = application/x-www-form-urlencoded Authorization = Basic <CREDENTIAL>And with the following parameters:
grant_type = authorization_code. code = The authorization code from step 1. redirect_uri = The used from step 1.Expected Response
Header
Content-Type: application/json { "access_token" : <ACCESS_TOKEN>, "token_type" : "Bearer", "expires_in" : 3600, "scope" : <The scope allowed by the server> } -
Call the API with the authorization header like the following syntax:
Bearer <ACCESS_TOKEN>
Sample implementation can be found here.
-
Download the gradle binary from the following address:
https://services.gradle.org/distributions/
For example gradle-7.4-all.zip.
-
Place the downloaded gradle binary to the gradle/wrapper directory of the gradle project.
-
Update the wrapper configuration (i.e. gradle/wrapper/gradle-wrapper.properties) like the following:
If you've downloaded gradle-7.4-all.zip binary from step 1.
distributionBase=PROJECT distributionPath=wrapper/dists distributionUrl=gradle-7.4-all.zip zipStoreBase=PROJECT zipStorePath=wrapper/dists
The UTF-16LE base64 encoding is compatible to be used with powershell's encoded command.
Encoding
//The text to encode.
var command = "Write-Output \"Hello World\"";
var encodedString = Base64.getEncoder().encodeToString(command.getBytes(StandardCharsets.UTF_16LE));
System.out.printf("Base64: %s%n", encodedString);Output
Base64: VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAEgAZQBsAGwAbwAgAFcAbwByAGwAZAAiAA==The preceding output can be used with powershell like the following:
powershell -encodedcommand VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAEgAZQBsAGwAbwAgAFcAbwByAGwAZAAiAA==
Decoding
//The base64 text to decode.
var base64="VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAEgAZQBsAGwAbwAgAFcAbwByAGwAZAAiAA==";
byte[] decodedBytes = Base64.getDecoder().decode(base64);
String decodedString = new String(decodedBytes, StandardCharsets.UTF_16LE);
System.out.printf("Decoded: %s%n", decodedString);Output
Decoded: Write-Output "Hello World"
Recent Comments