Thursday, December 05, 2013

Insidi-DoS: Internally negotiated, self-image-damaging DoS

What's more damning and ego-bruising than an external DoS (denial of service) attack? Why, an internally inspired one of course. Which self-respecting company would do such a thing to itself? What's the rationale to this irrational behaviour? Recently, the largest bank in Malaysia (let's call it Big Bank) chose to rollout a Metro-style UI 'improvement' on its well-known, critically-acclaimed Internet banking system. Mass hysteria ensued as public users were unable to perform even simple fund transfers as usual. As usual, the Head of IT's head was on the line. Big Bank promptly reverted to the previous UI and initiated damage-control measures, such as issuing an apology via Facebook.

There are numerous articles addressing the lessons to learn, root cause and best practices to avoid such incidents from happening again. This article instead will give tips to REPEAT such incidents in your company (if you are in a position of power), because people in general don't like to read boring stuff to avoid disasters in future.

As mentioned, some netizens blamed IT for causing this unfortunate incident. In a way, IT is part of the problem, but usually, they are just the receiving end of orders from above. The corporate attitude of IT in Malaysia is that they are just cooks; they just cook when given the rice. No rice, no cooking. Maybe no cook as well. So who's the real culprit? I would like to conject/suggest that the true culprit is actually a man (not being sexist, may be a woman, but this is my conjecture), who belongs to the business division, and an exuberant fan of new technology. So how does he concoct his strategy to rollout a new change and cause havoc to the Internet banking users of Big Bank?

This man with a mission may think this way:

1. Launch it quick
Launch it before the year ends. Why? Maybe people remember stuff better at year end. Great starts at the beginning of the year may be forgotten when the year is ending. Why not end the year with a bang? It doesn't matter if IT insisted that freeze period is around the corner. Launch it just before freeze period and the IT folks can also be given rest, right? Oh, but what about serious issues like...unable to login? Unable to transfer funds? Don't worry, users can still use phone banking, ATMs, even pay a visit to the branches. Alternative channels, dude! Not a serious concern, just launch it, NOW!

2. Launch it BIG
What good is a change if no one notices? The media may not cover it, the Facebook 'likes' may not even hit 4 digits, and no hoo-haa like 'Jom Heboh'. I know...just launch it during the MONTH-END! Payroll time is the best time. Even users that were forced to use Internet Banking will most likely need to login just to check if their salary is in. That way, you get maximum publicity and Big Bank can again bag yet another award for 'Most Innovative Design' for an Internet banking system.

3. No options aka I know what is good for you
Oh, why does Gmail and even Yahoo have to inform users that there's a new UI for their systems and pain-stakingly provide online cues and dialog boxes to guide the users? Come on, this UI change is awesome! Facebook did rollout a new UI and initially users were mad, but they then normalized and happily got back into broadcasting their personal data for free. Wait, Gmail, Yahoo and Facebook are free sites, but Big Bank is not. But Big Bank does not charge its users to use Internet Banking, right? We attempted to charge last decade but it backfired, so why should the users complain about the UI? It's GOOD for them! Good things must be shoved into their faces. Makes socialism such a fuzzy and 'noble' ideal... 

4. No need for stress testing, but when I do, I do it in PRODUCTION
Oh, stress testing stresses me up. The incessant whining of IT that our test environment is not up to par due to cost-saving measures to reduce IT expenditure really vexes me. What's wrong with saving cost? If I need to wait for stress testing to complete, I am not able to launch it quick, and big. Anyway, what's so performance-impacting than a UI change? It's like wearing a mask, right? You can still see, breathe, eat and hear when donning the mask. Oh, I love myself because I am so good at analogy.

Of course, in actual fact, it rarely boils down to a single person being the root cause to such incidents. Or maybe it really boils down to that. No one knows. I am not an insider in Big Bank. All I can say is, Bang2Bank.

Tuesday, November 26, 2013

Accessing Git Repositories using SSH behind HTTP proxy (TortoiseGit, Putty)

There's an easier way to do this since my previous post on the subject above. SSH key generation steps are not discussed here, but the only thing worth mentioning here is that the private key be in PPK format (use PuTTYgen to convert them)

Using TortoiseGit, use Putty to save a 'Session'. Name the session short and simple e.g. hornetsnest. This is significant and to make things simpler, no spaces for the session names.

Under the saved Putty session, the place to add proxy information is at Connection > Proxy. For HTTP proxy:
  • Proxy hostname - IP or host name of proxy server
  • Port - Proxy server port e.g. 8080
  • Username - User login Id if proxy server requires authentication
  • Password - Login Id password
To associate a SSH key, go to SSH > Auth and specify the PPK key file path under "Private key for authentication".

Remember to save the Putty session.

Now, shift over to TortoiseGit. In the window to specify the Git repository URL, instead of the usual host name value, replace it with the Putty session name. In this example, hornetsnest. So




So the connection to the Git repository via SSH will use the settings in the Putty's session. Of course, when you are not behind a proxy, you can just revert to the original URL when cloning/pulling/pushing.

Minor update: You'll need to use TortoisePlink as SSH client:

Monday, September 02, 2013

Running Apache/IHS on privileged ports (80, 443) as a non-root user: The 'sudo' way


For some out-of-this-world reason, your Unix administrator fears giving you the root access. But your web server (Apache or IBM HTTP Server) needs to bind to a privileged port e.g. 80, 443, and root privilege is needed. Using 'sudo', you can at least not bother your administrator to start/stop/restart anymore. He would either be happy that no one's calling to bug him anymore, or fear that someone like you has found a way to do something without his 'power'.

Steps below are for IBM HTTP Server (IHS) 8.5 running on AIX. Applicable for other versions & OSes with slight variations.


  • IHS location: /opt/IBM/HTTPServer
  • Using default httpd.conf @ /opt/IBM/HTTPServer/conf/httpd.conf
  • HTTP port to listen/bind: 80
  • User & group to delegate after startup: wasadmin:wasadmin
  • Logs folder & files: /opt/IBM/HTTPServer/logs - access_log and error_log
  • You have root access (for the time being)


1. 'Touch' the log files:

touch /opt/IBM/HTTPServer/logs/access_log
touch /opt/IBM/HTTPServer/logs/error_log

2. Make the following changes in httpd.conf (ensure user 'wasadmin' and group 'wasadmin' has been created already)

User wasadmin
Group wasadmin

3. Change ownership of IHS files:

chown -R wasadmin:wasadmin /opt/IBM/HTTPServer

4. Edit sudoers file (visudo), add the following line:

%wasadmin ALL = (root) NOPASSWD: /opt/IBM/HTTPServer/bin/apachectl *

This means any user in the 'wasadmin' group (prefixed with %) can control (start/stop) the IHS instance as root without needing to enter password. If you only want to allow the user 'wasadmin' to perform this, then remove the '%' to denote a user.

5. Ok, let's start IHS as user 'wasadmin'.

From root prompt:
sudo su - wasadmin

To check current user: id

Sample output:
uid=12(wasadmin) gid=203(wasadmin) groups=0(system)

Run as root without password:
sudo -u root /opt/IBM/HTTPServer/bin/apachectl start

To verify, fire up web browser and access the default webpage e.g. (port 80 is implied if not specified for HTTP).

Note: If you moved/deleted the log files, you need to touch them again using the non-root user as in Step #1 (e.g. wasadmin). Else the log files will be created with root ownership.

Tuesday, May 14, 2013

Invoking EJB3 in WebSphere using Spring

 Here are the steps to call a method of an EJB (v3.0) deployed in WebSphere 7 from a plain old Java client, either using Spring to shield your code from unnecessary implementation details, or bare-bones straightforward coding style.

Note: Tested against WAS 7 only.

Common Steps

1. Firstly, the Remote interface class is needed and will be referenced in your client code to call the EJB method. Copy the class file or Java source to your Java client workspace. In my example, the remote interface class is org.gizmo.minyakangin.CapKapakRemote
2. If you have a local development WebSphere 7, run the following command to create the stub class

[Class_Folder_Path]:>[WAS_HOME]\AppServer\bin\createEJBStubs.bat org.gizmo.minyakangin.CapKapakRemote -cp .

You should see an output similar to the one below:

Processing the org.gizmo.minyakangin.CapKapakRemote input file.
Command Successful

A file with the name _CapKapakRemote_Stub.class will be created under folder [Class_Folder_Path]\org\gizmo\minyakangin.

3. A missing stub file may produce the following errors when getting a reference to the EJB:

java.lang.ClassCastException: Unable to load class: org.gizmo.minyakangin._CapKapakRemote_Stub

java.lang.ClassCastException: incompatible with org.gizmo.minyakangin.CapKapakRemote

4. At the WebSphere Admin Console, locate the EJB application and ensure a proper JNDI reference is assigned e.g. ejb/CapKapak. It is best not to rely on the default JNDI reference. But if you insist, the default is the fully qualified remote class name i.e. org.gizmo.minyakangin.CapKapakRemote.

5. Also, check the bootstrap port of the application server instance hosting the EJB (my environment is 9812):

6. At your Java client workspace, ensure that (under [WAS_HOME]\AppServer\runtimes) and (under [WAS_HOME]\AppServer\plugins) are included in the classpath. Not sure why including only doesn't work in my case.

Caveat: The steps only work using IBM JDK (v7). You may need to do some 'hacking' to get it working under a different JVM.

Using Spring 3.x

You can interface with a plain Java interface (no EJB classes or annotations needed) using Spring. Here's the interface:

package org.gizmo.minyakangin;

public interface CapKapak {
	public String getBrand();

An EJB3 'bean' can be easily constructed using a JNDI object factory bean, and it's even easier to just use the 'jee' namespace, as below:


Note: The 'java.naming.provider.url' value should refer to the WebSphere server's bootstrap address as shown above.

Then in the code (using Spring's JUnit class):

package org.gizmo.minyakangin;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.AbstractJUnit4SpringContextTests;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

@ContextConfiguration(locations = {
public class EjbTests extends AbstractJUnit4SpringContextTests {

	CapKapakRemote capKapak;
	public void before() {
		capKapak = (CapKapakRemote)applicationContext.getBean("capKapak");
	public void testLoginManager() throws Exception {
		String brand = capKapak.getBrand();

Using plain Java

package org.gizmo.minyakangin;

import java.util.Properties;

import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;


public class StandaloneEjbClient {

	public static void main (String args[]) throws Exception {
		Properties props = new Properties();
		props.put("java.naming.factory.initial", "");
		props.put("java.naming.provider.url", "corbaloc:iiop:localhost:9812");

		InitialContext ctx = new InitialContext(props);
		Object ejbBusIntf = ctx.lookup("ejb/CapKapak");
		CapKapakRemote loginManager = (CapKapakRemote)PortableRemoteObject.narrow(ejbBusIntf, CapKapakRemote.class);
		String brand = capKapak.getBrand();

Tuesday, April 16, 2013

Strategy Pattern Applied - KeyStoreTemplate

Update: I wrongly attributed the design pattern implementation below to the Template pattern, it's actually the Strategy pattern as pointed out by a user in Reddit. However, the article below is kept in its original form, with just the title changed. Sorry for the confusion :)

The Template design pattern is useful if you have methods that follow a similar pattern but differ only in a few places. Usually, the 'generic' method will call one or several abstract methods, which are then implemented in a concrete class.

The JdbcTemplate of the Spring Framework was (and still is) a life saver. No more unclosed Connection objects that may leak to JDBC connection leaks. No more try/catch blocks that obscure the code logic. Converting the JDBC DAOs of legacy systems to use JdbcTemplate objects provided immediate benefits in terms of simplicity (eliminating copy-and-paste codes) and robust resource management (e.g. closing Connections, ResultSets, Statements).

There are a lot of useful articles detailing what, why and how of this design pattern, so I will not rehash them here. I will just document down how I applied this pattern to solve some age-old problem.

I decided to follow the JdbcTemplate's design style to come up with a KeyStoreTemplate, a class that handles importing or exporting of keys to/from a keystore. To make things simple, this class will only handle 2 things: Importing a key, and exporting a key.

Firstly, the KeyStoreTemplate code (abridged for simplicity):


public class KeyStoreTemplate {

 * Just enough parameters to open a keystore.
 public KeyStoreTemplate(File keyStoreFile, Provider provider, String keyStoreType, String keyStorePassword) {
  this.keyStoreFile = keyStoreFile;
  this.provider = provider;
  this.keyStoreType = keyStoreType;
  this.keyStorePassword = keyStorePassword;

 * This is to get/export a key from the keystore.
 public Key getFromKeyStore(KeyStoreExporter exporter) {
  FileInputStream fis = null;
  try {
   KeyStore ks = KeyStore.getInstance(keyStoreType, provider);
         fis = new FileInputStream(keyStoreFile);

         //Keystore file must exists!
         if(keyStoreFile.exists()) {
          ks.load(fis, keyStorePassword.toCharArray());
         } else {
          throw new RuntimeException("Keystore file cannot be located!");
         String keyPass = keyStorePassword;

         return exporter.exportKey(ks, keyPass);
  } catch (Exception e) {
   throw new RuntimeException("Something went wrong!", e);
  } finally {

 * This is to save/import a key to the keystore.
 public void saveToKeyStore(KeyStoreImporter importer) {
  FileInputStream fis = null;
  FileOutputStream fos = null;
  try {
   KeyStore ks = KeyStore.getInstance(keyStoreType, provider);
         fis = new FileInputStream(keyStoreFile);

         //Keystore file must exists!
         if(keyStoreFile.exists()) {
          ks.load(fis, keyStorePassword.toCharArray());
         } else {
          throw new BusinessException("Keystore file cannot be located!");
         String keyPass = keyStorePassword;

         importer.importPrivateKey(ks, keyPass);
         fos = new FileOutputStream(keyStoreFile);, keyStorePassword.toCharArray());
  } catch (Exception e) {
   throw new RuntimeException("Something went wrong!", e);
  } finally {

Notice that there are 2 interfaces: KeyStoreExporter and KeyStoreImporter. These interfaces are implemented by the caller class of KeyStoreTemplate to do the 'effective' stuff, without worrying about the KeyStore details. The KeyStore object is passed in, much like the ResultSet object is passed in when using JdbcTemplate.


public interface KeyStoreImporter {

 public void importPrivateKey(KeyStore keyStore, String keyPassword) throws GeneralSecurityException;

public interface KeyStoreExporter {

 public Key exportKey(KeyStore keyStore, String keyPassword) throws GeneralSecurityException;

So, how to use them? Example as below:

//Key generation and key import
KeyPair keyPair = generateRSAKeyPair();
final Certificate[] certs = CryptoUtils.generateCertificate(keyPair);

RSAPublicKey publicKey = (RSAPublicKey)keyPair.getPublic();
final RSAPrivateKey privateKey = (RSAPrivateKey)keyPair.getPrivate();

logger.debug("[generateAndStoreRSAKeyPair] pubKey={},privKey={}", publicKey.getClass(), privateKey.getClass());

keyStoreTemplate.saveToKeyStore(new KeyStoreImporter() {
 public void importPrivateKey(KeyStore ks, String keyPassword) throws KeyStoreException {
  ks.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), certs);
//Method to get an RSA public key
public RSAPublicKey getRSAPublicKey(final String alias) throws BusinessException {

 return (RSAPublicKey)keyStoreTemplate.getFromKeyStore(new KeyStoreExporter() {
  public Key exportKey(KeyStore keyStore, @SuppressWarnings("unused") String keyPassword) throws GeneralSecurityException {
   Certificate cert = keyStore.getCertificate(alias);
   RSAPublicKey publicKey = (RSAPublicKey)cert.getPublicKey();
   return publicKey;
//Method to get a secret key
public SecretKey getSecretKey(final String alias) throws BusinessException {

 return (SecretKey)keyStoreTemplate.getFromKeyStore(new KeyStoreExporter() {
  public Key exportKey(KeyStore keyStore, String keyPassword) throws GeneralSecurityException {
   SecretKey secretKey = (SecretKey)keyStore.getKey(alias, keyPassword.toCharArray());
   return secretKey;

Thursday, March 14, 2013

Cryptography Using JCA - Services In Providers

The Java Cryptography Architecture (JCA) is an extensible framework that enables you to use perform cryptographic operations. JCA also promotes implementation independence (program should not care about who's providing the cryptographic service) and implementation interoperability (program should not be tied to a specific provider of a particular cryptographic service).

JCA allows numerous cryptographic services e.g. ciphers, key generators, message digests to be bundled up in a class, and registered declaratively in a special file ( or programmatically via the class (method 'addProvider').

Although JCA is a standard, different JDKs implement JCA differently. Between Sun/Oracle and IBM JDKs, the IBM JDK is sort of more 'orderly' than Oracle's. For instance, IBM's uber provider ( implements the following keystore formats: JCEKS, PKCS12KS (PKCS12), JKS. Oracle JDK 'spreads' the keystore format implementations into the following providers:

  • - JKS
  • com.sun.crypto.provider.SunJCE - JCEKS
  • - PKCS12
Despite the popular recommendation to write applications that do not point to a specific Provider class, there are some use cases that require an application/program to know exactly what services a Provider class is offering. This requirement becomes more prevalent when supporting multiple application servers that may be tightly coupled with a particular JDK e.g. WebSphere bundled with IBM JDK. I usually use Tomcat+Oracle JDK for development (more lightweight, faster), but my testing/production setup is WebSphere+IBM JDK. To further complicate matters, my project needs the use of a hardware security module (HSM) which uses the JCA API via the provider class So, when I am at home (without access to the HSM), I would want to continue writing code but at least get the codes tested on a JDK provider. I can then switch to use the nCipherKM provider for another round of unit testing before committing the code to source control.

The usual assumption is that one Provider class is enough e.g. IBMJCE for IBM JDKs, SunJCE for Oracle JDKs. So the usual solution is to implement a class that specifies one provider, using reflection to avoid compile errors due to "Class Not Found":

//For nShield HSM
Class c = Class.forName("");
Provider provider = (Provider)c.newInstance();

//For Oracle JDK
Class c = Class.forName("com.sun.crypto.provider.SunJCE");
Provider provider = (Provider)c.newInstance();

Class c = Class.forName("");
Provider provider = (Provider)c.newInstance();

This design was OK, until I encountered a NoSuchAlgorithmException error running some unit test cases on Oracle JDK. And the algorithm I was using is RSA, a common algorithm! How can this be, the documentation says that RSA is supported! The same test cases worked fine on IBM JDK.

Upon further investigation, I realised that much to my dismay, the SunJCE provider does not have an implementation for the KeyPairGenerator service for RSA. An implementation however is found in the provider class So the assumption of "1 provider to provide them all" is broken. But thanks to JCA's open API, a Provider object can be passed in when requesting for a Service instance e.g.

KeyGenerator kgen = KeyGenerator.getInstance("AES", provider);

To help with my inspection of the various Provider objects, I've furnished a JUnit test to pretty-print out the various services of each registered Provider instance in a JDK.

package org.gizmo.jca;

import java.util.Comparator;
import java.util.SortedSet;
import java.util.TreeSet;

import javax.crypto.KeyGenerator;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Test;

public class CryptoTests {

 public void testBouncyCastleProvider() throws Exception {
  Provider p = new BouncyCastleProvider();
  String info = p.getInfo();
  System.out.println(p.getClass() + " - " + info);
 public void testProviders() throws Exception {
  Provider[] providers = Security.getProviders();
  for(Provider p : providers) {
   String info = p.getInfo();
   System.out.println(p.getClass() + " - " + info);
 private void printServices(Provider p) {
  SortedSet<Service> services = new TreeSet<Service>(new ProviderServiceComparator());
  for(Service service : services) {
   String algo = service.getAlgorithm();
   System.out.println("==> Service: " + service.getType() + " - " + algo);

  * This is to sort the various Services to make it easier on the eyes...
 private class ProviderServiceComparator implements Comparator<Service> {

  public int compare(Service object1, Service object2) {
   String s1 = object1.getType() + object1.getAlgorithm();
   String s2 = object2.getType() + object2.getAlgorithm();;

   return s1.compareTo(s2);


Anyway, if the algorithms you use are common and strong enough for your needs, the BouncyCastle provider can be used. It works well across JDKs (tested against IBM & Oracle). BouncyCastle does not support JKS or JCEKS keystore formats, but if you are not fussy, the BC keystore format works just fine. BouncyCastle is also open source and can be freely included in your applications.

Tip: JKS keystores cannot store SecretKeys. You can try it as your homework :)

Hope this post will enlighten you to explore JCA further, or at least be aware of the pitfalls of 'blissful ignorance' when working with JCA.

Tuesday, January 22, 2013

Beginning HP-UX for Linux Junkies

I've got the (unfortunate) privilege of doing some tinkering using a HP-UX box. But, as any battle-hardened Linux user would tell you, HP-UX (along with AIX, Solaris and other Unixes) is a different animal. Things may look similar, but lots of commands for simple things are different in parameters and usage. Here's what I learnt during this short stint using HP-UX and hopefully this will be good start for beginners.

Before you proceed

Ensure that the IP address of the HP-UX box in /etc/host file is correct. A simple line like this ( is an invalid address) will cause a lot of headaches:

#commented as 'evidence'
#    TEST01

Find out machine architecture:

Run: machinfo

Sample output:

CPU info:
   Intel(R) Itanium 2 9100 series processor (1.59 GHz, 18 MB)
   2 cores, 4 logical processors per socket
   532 MT/s bus, CPU version A1
          Active processor count:
          2 sockets
          4 cores (2 per socket)
          4 logical processors (2 per socket)
          LCPU attribute is disabled

Memory: 16353 MB (15.97 GB)

Firmware info:

   Firmware revision:  04.31
   FP SWA driver revision: 1.18
   IPMI is supported on this system.
   BMC firmware revision: 5.38

Platform info:

   Model:                  "ia64 hp server BL870c"
   Machine ID number:      27f7c389-7d33-11ee-45bb-3c46ec670369
   Machine serial number:  SGH55555RB

OS info:

   Nodename:  TEST01
   Release:   HP-UX B.11.31
   Version:   U (unlimited-user license)
   Machine:   ia64
   ID Number: 0670548873
   vmunix _release_version:
@(#) $Revision: vmunix:    B.11.31_LR FLAVOR=perf

Installing Bash shell

Once you've identified your HP-UX hardware and OS version (mine's ia64 aka Itanium running OS v11.31 aka 11i v3), go to and search for 'bash'. As of the time of this article, the direct link to the bash download page is The page also shows the run-time dependencies needed. You'll need to download & install the dependencies as well (you can use 'depothelper' to install an application along with its dependencies in one go).

1) Download
2) Transfer file to HP-UX box e.g. /tmp/bash-4.2.039-ia64-11.31.depot.gz
3) Unzip: gunzip /tmp/bash-4.2.039-ia64-11.31.depot.gz
4) Install: swinstall -s /tmp/bash-4.2.039-ia64-11.31.depot bash

By default, all external program executables are installed to /usr/local/bin. So to run: /usr/local/bin/bash

If you see this prompt:


Then you have installed bash successfully.

Using X-Windows

HP-UX uses CDE (Common Desktop Environment), so you can use Xming or Cygwin/X and run the following command to bring up the X-Windows login screen:

Xming: Xming -query

Cygwin/X: xwin -query

There's nothing much to see compared to Linux distros.

Using built-in System Management Homepage web application

By default, HP-UX comes with a nifty web application hosted within its box. This web application is like webmin.

To run: hpsmh autostart

Just point your web browser to (replace with actual IP of the box).

Useful link:

Wednesday, January 02, 2013

IntelliJ CE for Maven WebApps

IntelliJ Community Edition is a free and good IDE for plain old Java programming, and is also good for Android development. When it comes to enterprise/web development, the Ultimate Edition is the better choice if you can afford it. However, you can also do some simple Java web development using Maven and running your application server outside of IntelliJ. No doubt it's less integrated but you can at least breathe some life exploring more of IntelliJ.

Software used:

  • Oracle JDK 7
  • Maven v3.0.4
  • IntelliJ Community Edition (CE) v12.0.1
  • Apache Tomcat 7

Before starting, ensure that the M2_HOME environment variable has been set to point to your local Maven home folder.

IntelliJ Steps:

  1. Enable on-the-fly compilation. Go to File > Settings > Compiler, check 'Use external build' and 'Make project automatically'.
  2. Ensure the Maven plugin is enabled. Go to File > Settings > Plugins (under IDE Settings), item 'Maven Integration' should be checked. Restart the IDE if needed/prompted.
  3. Create a new project. 
    1. Go to File > New Project..., choose 'Maven Module' (under Java). Set the project location to the desired folder which will house your pom.xml file. Click 'Next' (proceed to create the folder if needed).
    2. Check 'Create from archetype' and select 'maven-archetype-webapp'. Click 'Next'. Click 'Finish'.
  4. At the right side of the IDE, there will be a button for 'Maven Projects'. Click it to bring up the Maven panel. From the panel, you can then run targets e.g. install, clean, package and check the dependencies.
  5. At the right side of the IDE, there will be a button for 'Maven Projects'. Click it to bring up the Maven panel. From the panel, you can then run targets e.g. install, clean, package and check the dependencies.
  6. Point the class files to the web application's WEB-INF/classes folder. Right-click the project root folder, select 'Open Module Settings'. At the 'Paths' tab, under 'Compile output', select/ensure 'Use module compile output path', and change the 'Output Path' to your project's 'src/main/webapp/WEB-INF/classes' folder*.
  7. Add 'maven-dependency-plugin' plugin to copy dependency JARs to WEB-INF/lib folder. Add the following snippet to the pom.xml file (top-level):
  8. This plugin will instruct Maven to copy all dependency JARs into the 'outputDirectory' path when executing the 'install' task when using profile 'local'. At the Maven panel, check 'local' under Profiles and right-click 'install' under Lifecycles, and select 'Run mavenweb [install]'. After running you should see the junit-3.8.1.jar in the WEB-INF/lib folder.
  9. Add Tomcat webapp config file. This is to specify the Maven webapp folder to be loaded by Tomcat. The simplest:
  10. Save the contents to the file @ [TOMCAT_HOME]\conf\Catalina\localhost\mavenweb.xml
  11. Run Tomcat. You can use 'catalina start' command under [TOMCAT_HOME]\bin to fire up an instance. Then to test the web app, point your browser to You should be greeted with a 'Hello World!'.
* I use the 'src' folder so that there's no need to run any Maven 'compile' task and Tomcat can detect a change and reload the webapp. But it's up to personal preference as this way will mean extra care to be taken to cleanup or ignore files for source control check-ins.

Final note
If you need to use a proxy to access the Internet, you can configure Maven to use it by right-clicking the project root folder, select 'Maven' > [Open/Create] settings.xml. Then add the proxy settings e.g.


  • Maven -
  • IntelliJ Community Edition (CE) -