RESTful Spring Security with Authentication Token

Recently I had to do some “research” on how to use Spring Security for a RESTful API serving a rich JavaScript UI. There were also questions whether to use Spring Security at all, but as of now, we’re still deciding to take this path. While it is possible to have a JSON API that is not really RESTful and we can have HTTP session behind it all, we decided to go with REST. That sets the scene: REST, Spring Security and token-based authentication.

HTTP authentication and tokens

The big question is what mechanism of authentication we want to use. If for nothing else, then at least for username (login) and password we will have SSL/TLS in place, so let’s say we will have HTTPS there all the time. This blurs the difference between classical HTTP Basic and Digest access authentication. So I decided to support Basic only for simplicity. For even easier development I introduced custom X-Username and X-Password headers, which allowed me to test my solution with curl and similar tools entering plain values.

I’ve read more than a couple of articles and while I hardly became an expert on security, authentication (with HTTP or not), REST or tokens, I felt I got the basics. I also got familiar with enough ideas that I had to make some choices. I thought it would be easier, but obviously there are many ways to construct a token. And people are probably still inventing more. So I decided to use a randomly generated token that does not utilize the user’s password at all – but it doesn’t really matter. You somehow create that token, that’s it. I aimed for a solution that allows me to change this behavior easily.

There are also questions whether one token is enough, whether you should transfer it in HTTP headers or utilize an HttpOnly cookie so that JavaScript can’t “share” it with some attacker, etc. Way too many questions and if you feel like it, you can share your ideas and reasons in the comments. I’ll focus on the server side now, that is the part related to Spring Security. The landscape here is not that deserted actually – and I got lucky I stumbled upon this StackOverflow question which led me to this demo on GitHub. I have to admit that some parts are from there and for other parts I used it at least to check my solution.

Spring Security for REST?

Book Spring Security 3.1 by Robert Winch and Peter Mularien was another important source of understanding what is happening here. I tackled Spring Security before but never had a chance to go in-depth (that is beyond reactive Google/StackOverflow and some reference documentation reading), mostly because I tried to get in-depth with something else. Now was the time to understand what this framework is about. Good book, nice examples – maybe some UML class diagrams would help when introducing new important classes and interfaces and their roles.

The result is my take on RESTful Spring Security – it’s not really that revolutionary, but I tried to do couple of things differently. I even provided UML diagram. :-) So I’ll copy it from README.md right here, ok?

restful-spring-security-class-uml

Now what is going on here and – if you insist – how is this different from philipsorst’s solution?

  1. I wasn’t interested in real UI, so I tested it with any REST testing extension you can find, or with curl. In the end I even put together mini-framework based on bash and curl. :-)
  2. I wasn’t interested in JPA/DB. I wanted as little frameworks thrown in as possible. So there is DAO with hardcoded users.
  3. I also wanted to come up with design that clearly separates the concept (package restsec) from any concrete implementation (secimpl), principles from details, Spring Security from the domain/application code (domain/mvc). Looking at the class diagram I think I did quite well.
  4. I wanted to try access control configured in XML and using annotations like @PreAuthenticate.
  5. Then there are some side-quests – I practiced some Gradle in combination with Spring Boot as my Bill Of Materials (kinda Maven style import scope) and I tested WildFly 8.1 (not really important).
  6. Finally – I wanted to document it sufficiently, both in code (comments) and in README + planned this post too. For self documentation. It pays off. I don’t remember what I need to do to make client certificates up and running on Tomcat, but I know where to look at (if it is not obsolete yet). And I used my own articles here and there already! (Actually, even my colleagues googled out my articles and found them helpful – you can’t imagine how it made me proud. ;-))

Spring Security going session-less

So how is it all working together? Because everything related to HTTP and authentication is concentrated essentially in TokenAuthenticationFilter, you don’t need any unprotected login URL. Filter is sitting in Spring Security filter chain, specifically in FORM_LOGIN_FILTER position. All you need is to provide authentication headers in any request. Because we are RESTful, we don’t want to utilize session at all. If you check spring-security.xml, this is set in http element:

<http realm="Protected API"
        use-expressions="true"
        create-session="stateless"
        entry-point-ref="unauthorizedEntryPoint"
        authentication-manager-ref="restAuthenticationManager">

It is important to set it to stateless (don’t use a session at all), not to never (which allows Spring Security to use a session if it somehow exists already, it just doesn’t create one).

Let’s stop at this statelessness for a while, shall we? This does not mean that there is no server-side state at all. It just means that we don’t work with HTTP session. We still need to remember valid tokens – we may do so within DB, application context, shared distributed memory, wherever – that is definitely stateful. But from HTTP standpoint, we should be RESTful enough now. Also we utilize Spring’s SecurityContextHolder because it makes sense if you want to benefit from other Spring Security stuff, like their annotations, etc. This way we smuggle our security information using a thread-local variable (default behavior) during each single request.

Anonymous access

Before we get to business, let us see how anonymous access works first. For that assume that this is our first request and we didn’t authenticate before. In the following sequence diagrams, grey stuff is from Spring, rest is ours.

anonymous-access-allowed

As any other model, this one is not complete or exact. Our filter is part of Spring Security chain and definitely is not called directly by browser. But in any case it’s the first moment we are interested in. Virtually every request goes through this filter (unless it avoids the part of the application secured by Spring Security completely). If we are accessing something available for unauthenticated user, we get what we want.

Second scenario tries to access something protected. This will not get to our Spring MVC controller:

anonymous-access-denied

It actually gets all the way to its proxy (in our case CGLib based, because our Controller does not implement any interface) and there an implementation of AccessDecisionManager finds out that anonymous user can’t access the method and AccessDeniedException is thrown. This is caught by ExceptionTranslationFilter (part of Spring Security chain) which calls authentication entry point for this kind of exception. Normal applications use the entry point to redirect to a login screen. We don’t want to do that, but we need to implement it, so it sets the HTTP response status (401).

It’s very easy to debug it all and it’s very nice to browse through Spring code. Maybe Spring got big and complex (well it does a lot of things now), but their code is on the positive side of quality spectrum – understandable and well documented.

Login, login! Login this lap!

(Sorry, F1 race today, you know.) Four things may be happening in our application. You may be anonymous, you may be authenticated already, you’re logging in, or logging out. My implementation tries not to mix things together much, you should do just one of these things in a single request. Let’s log in to get authenticated. Login request can continue to the REST resource and return data, but I chose otherwise. This can be reimplemented of course – TokenAuthenticationFilter#checkLogin would call doNotContinueWithRequestProcessing only if the response is not 200. But currently it works this way. Here is the diagram:

login

If our filter finds information that looks like login (and it must be POST), it will pass username/password to AuthenticationService. This is still our part of solution and glues the filter with the rest of Spring Security. It calls Spring’s AuthenticationManager, which in turn calls our implementation of UserDetailsService, which provides username and password (in our case plain, not a good solution of course). Not to plague the diagram with stuff, I skipped Spring’s PasswordEncoder which helps authentication manager to decide if we can go on. If we can, we get back to our security service, which populates Spring’s SecurityContextHolder and now is the time to get the token.

For this we have separate component – TokenManager – which creates and stores the token for the user. Currently only one token per user is supported, but you can implement your own approach here. Actually if you reimplement AuthenticationService considerably, there may be nothing to call TokenManager. There’s a lot of freedom here, but I think TokenManager is the place where most of the customization can go into. How to create the tokens? How to store them? How to check them? Or expire them? However you want to answer these questions, TokenManager is your guy. You still may need to adjust authentication service or filter – for instance to add some HTTP related information (IP address?) into token.

Long story short? If everything is alright, HTTP response returns status 200 and the header X-Auth-Token contains the token next requests should use to prove who you are.
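One way to fill in the TokenManager role described above, as an added example rather than code from the demo project: random tokens from SecureRandom, one live token per user, expiry, and removal on logout. The class name, method names, sample user and 30-minute lifetime are assumptions; it needs only the JDK (Java 16 or later for the record).

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;

/**
 * Added example, not the demo project's TokenManager: an in-memory store that
 * issues random tokens, keeps one live token per user and expires them.
 * Class and method names are assumptions made for this example.
 */
public class InMemoryTokenManager {

    /** What the server remembers about an issued token. */
    private record Entry(String username, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> entryByToken = new HashMap<>();
    private final Map<String, String> tokenByUser = new HashMap<>();
    private final Duration timeToLive;
    private final Supplier<Instant> now; // injectable time source so expiry can be exercised

    public InMemoryTokenManager(Duration timeToLive, Supplier<Instant> now) {
        this.timeToLive = timeToLive;
        this.now = now;
    }

    /** Call after a successful login; any earlier token of the same user stops working. */
    public synchronized String createToken(String username) {
        byte[] raw = new byte[32]; // 256 random bits, nothing derived from the password
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String previous = tokenByUser.put(username, token);
        if (previous != null) {
            entryByToken.remove(previous);
        }
        entryByToken.put(token, new Entry(username, now.get().plus(timeToLive)));
        return token;
    }

    /** Resolve an X-Auth-Token header value to a username; empty means the filter answers 401. */
    public synchronized Optional<String> findUser(String token) {
        Entry entry = token == null ? null : entryByToken.get(token);
        if (entry == null) {
            return Optional.empty();
        }
        if (!now.get().isBefore(entry.expiresAt())) {
            removeToken(token); // expired: forget it on first use after the deadline
            return Optional.empty();
        }
        return Optional.of(entry.username());
    }

    /** Logout: returns false when the token was unknown or already removed. */
    public synchronized boolean removeToken(String token) {
        Entry entry = token == null ? null : entryByToken.remove(token);
        if (entry == null) {
            return false;
        }
        // Only clear the per-user slot if it still points at this token.
        tokenByUser.remove(entry.username(), token);
        return true;
    }

    public static void main(String[] args) {
        Instant[] clock = { Instant.parse("2014-01-01T12:00:00Z") }; // constructed start time
        InMemoryTokenManager manager =
                new InMemoryTokenManager(Duration.ofMinutes(30), () -> clock[0]);

        String first = manager.createToken("admin");  // constructed user name
        String second = manager.createToken("admin"); // second login replaces the first token
        System.out.println("first token still valid:  " + manager.findUser(first).isPresent());
        System.out.println("second token resolves to: " + manager.findUser(second).orElse("nobody"));

        clock[0] = clock[0].plus(Duration.ofMinutes(31)); // move past the lifetime
        System.out.println("valid after expiry:       " + manager.findUser(second).isPresent());
        System.out.println("logout of expired token:  " + manager.removeToken(second));
    }
}
```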

Authenticated request

Here we don’t care what HTTP method is used. After login, this should be easy to understand:

authenticated-access

You already know all the players, here we just first check whether provided token is indeed one of those we know – and if so, we populate SecurityContextHolder. In case of 401, we don’t even bother calling the rest of the chain. The rest (cases 200 and 403) is in Spring’s hands.

Hence we can rush towards…

Logout

Logout should invalidate user’s sess… ehm, token, obviously. That implies valid token is provided. We also insist on POST and require specific URL. We could also request logout with another HTTP header, or with “logout” mentioned in X-Auth-Token, etc. Here it is:

logout

And that’s it really!

Conclusion

You could see all the important players on the diagrams, some of them are our classes, some of them are part of Spring Security “auto-magic”. I’m sure even XML configuration is much clearer now. There is great deal of freedom here – you may bypass Spring Security authentication manager altogether, for instance – don’t know why, but there may be reasons.

I’m not done yet. Later we’ll need to integrate this with some reliable Windows Domain SSO authentication (so far we count on Waffle), not to mention with the rest of the application.

That “demo app” is a mix of XML configuration and annotations, so check those out, check the comments, README, etc. I really tried different things just to find out how it all works (like that mandatory ROLE_ prefix!) and I’m still probably just skimming the surface. But still better than two weeks ago. :-)

And that concludes my post and my first campaign in this war.

Crippling IT revolutions

Long time ago computers were slow, UI was primitive (say Windows) and there was a lot to learn. Now all is about the end of PC era, tablets and absolute disregard for the voice of users. And still you have to learn a lot as a user. What I miss quite a lot in technology is evolutionary design, something getting just better and better. Refined. I’m not a Mac user, maybe the situation there is different… I don’t know. Maybe it’s market pressure.

It’s not all bad. I’m personally done with HTC Android phones (because of revolutionary bugs), but my wife’s Samsung (cheaper than both HTCs) seems OK. And Nexus tablet isn’t bad either. But then there are simple things I believe should work and they don’t. For instance, you log in to your Google account on the tablet, then your wife uses it with her account and week later a friend of yours asks you why you never answer him on Skype even though you are green all the time. Skype? Online all the time?! No way… and then you get it. Skype installed on Android tablet where you are not actually active for a week. Where are any reasonable defaults? Where are all the years of experience with these communication programs, chats and all?

You may argue I should set it all properly – but… It’s extremely complicated to manage various communication accounts. Their settings and policies change all the time, UI even more so. Something is in the cloud, something in your local settings. Different on each computer. And something is somehow combined. Products come and go. Some communication options are out of your control – on my HTC Wildfire I cannot disable Google Talk when I want to use Google account (there are actually way too many things that can’t be disabled for such a slow phone). But I never want to chat on a phone!

Talking about Google – I’m logged in all the time, yet it forgets my preferred language every couple of weeks, or days even (forces me to use my native Slovak, while I prefer English for professional reasons). Every time I set it properly in their settings and after a while it’s gone. How can we set things properly with products like this? Every second day (or more often) they ask me about Cookies. I’m OK with Cookies on trusted services (well… trusted… I just feel unimportant enough not to care about NSA’s knowledge about me :-)). Why do I have to confirm this more than once in a… week? Month would be OK, a year ideal.

And then there are new notebook trends, so let’s skip to HW for a while. I bought Lenovo G500 for my wife. It seemed OK. But then you learn things you’d never expect – like that F1-12 keys must be pressed with Fn key, because their default functions are inverted (Fn actions instead of F1-12) without any option to flip this stupid idea off! The same happened even on ThinkPad S531, but there you have an option to lock Fn key (press Fn+Esc). So you can use ThinkPad professionally, but G500 is just a silly toy really! Try to use IntelliJ IDEA or any IDE for that matter. Try to press Ctrl+Alt+Shift+F7… and add Fn to it. Not impossible, but really silly. Luckily external keyboard works just fine.

Let’s talk about ThinkPad S531 a bit more. It could have been great computer actually. I don’t like Fn in the corner, but hey – it’s ThinkPad, IBM started it, get used to it. But why I have to get used to the new touchpad without physical buttons? Maybe it would work with Mac, but on PC where you need even three buttons sometimes…? Most of the time I indeed use external mouse, but when I’m on the move, I still want to have reasonably good experience using the notebook as is. Here it is very limited. I’m more often than not unable to press right “button” without accidentally moving the cursor. This is no revolution or evolution – it’s plain step backwards.

Ergonomics of other keys could also be questioned. Actually I was extremely pleased with layout of PgUp/Dn, End, Home and the rest on HP ProBooks. And I’m far from HP lover. But having Page Up/Down in the upper right corner was easy to find and very easy to use. Lenovo put quite useless Explorer key there and Home/End are buried in the upper row. Talking about these keys… most of them can be redefined, but Lenovo put Screen Lock key just above numpad as well. Just in case you are dumb or what… what is wrong with Win+L? This can’t be redefined, because – so it seems – it is hardwired to Win+L! Bravo…

And then there is Windows 8. Point one actually. Screw Metro, we’ve all heard tons about it already. But then there are those small things. Try Narrator for instance! Just press Win+Enter out of curiosity. I felt like disabled (no offence) immediately – because I was not able to turn it off. I had to Google it. Mute shortcut came handy in the meantime. Many people obviously want to disable these accessibility features – but there is no easy way. No single switch. Microsoft! Hear us! (Maybe they need Narrator for our complaints too.) Solutions? Delete narrator.exe for instance. Or disable its executable in Registry. (All provided by StackOverflow, Microsoft offers no definitive solution.) You gotta be kidding me, right?

Everything seems to be dumbed down lately – but in the most wrong way. More features that are hardly understood by my mum anyway – and too few options for professionals. Not talking only about programmers here, this must annoy most of power users of any kind. And then there are other Google searches I went through during my first two days with Windows 8. And many of them were very close at the top of the suggested list before I even started writing last words! Like “windows 8 touch keyboard” finished with “keeps coming back”, or “windows 8 wifi” with “forgets password” (suggested on 6th place). Why do we have to keep solving annoying stuff instead of doing our job?

Sure, some things may be caused by Lenovo drivers… so what?

Any positives compared to Windows 7? Maybe under cover (which is expected), but UI goes in the wrong way. Ugly, thick window borders that can’t be easily customized. And when you get happy that you can easily set the background for the welcome screen, you find out that there is also this uber-ugly login screen with the most ugly metro violet ever (Sun’s enterprise violet was so nice compared to this. :-))

Well, rant over, next time I’ll try to solve something with Docker and Wildfly – and that seems to be much more promising direction of evolution.

Maschine 2.0 Newbie Review

It has been some time since I upgraded my Maschine to 2.0. Not a big win for me when I think about it, but you know how it is – old Maschine will hardly have any support and – probably the biggest reason – I wanted to support Native Instruments and maybe get some more sound content in the process.

I used Maschine 1.x with my Maschine Mikro (Mk1) to create a few songs – or mostly just drum/bass lines for songs that we could perform live. It was alright and I liked that I needed to interact only with the controller on stage.

Now I tried to use Maschine 2.0 expecting some improvements over the previous software version. I’m sure many people got what they wanted, but for me Maschine 2.0 is more like a facelift – without bringing anything essential. Kinda like “we have to come up with something new” stuff. This is probably not fair, but I just use basic things and I feel that way.

I don’t expect things to always go my way. I have ideas and try to communicate them on forums of my favourite products, not to mention many bug reports for things like IntelliJ IDEA that even got fixed. ;-) One simply cannot have it all. But there are a few things that are kinda striking.

I use Large layout for instance and let’s take a look, how it looks by default:

First the “red problems”: So the Arranger (upper part) does not display all 8 groups you have (at least by default), and Pattern Editor has plenty of free space for more sounds than necessary. Of course you can use this space in the part with Piano roll…

However, the biggest point here is – even though you can change the layout (use the section corner marked on the right of the screenshot) there seems to be no way how to save it. So even if you change it, the next time it’s gone.

My other issue was with zooming. You can only zoom on the zooming scroll bars (horizontal ones are marked with blue, but the same goes for vertical ones). Now imagine you want to fix a particular event with your mouse. To zoom to any reasonable level you have to go away from the event (that is already probably selected) and meddle with the scroll bar, pressing the mouse button, moving the mouse up/down to zoom – and also to the left/right in order to keep the event in the view. Now imagine using just Ctrl+mouse wheel right on the spot (or Ctrl+Shift for vertical zoom which is less needed in most cases). Wouldn’t that be great?

Generally many things in Maschine UI are made in a way that is completely counterintuitive – the only way is to learn the stuff and keep using it, because otherwise you have to refresh it every time before you occasionally use the Maschine software (my case).

When I compare this with Reaper for instance, that is a true power tool where:

  • you see keyboard shortcuts next to the action in any menu (main, contextual) – this is true for main menu in Maschine as well, but that is just too little
  • you can assign nearly whatever to whatever in their Actions window – not to mention you can use it as a quick reference and find the shortcut for an action there too
  • UI always loads how I left it
  • there are tooltips for buttons, often even with status information (for instance: Metronome disabled) – tooltips would be a big help for any starting/intermediate/occasional user of Maschine

We may argue that focus in Maschine is on another thing (partially true), that they don’t want to spoil it with too many DAW-like features (agreed, mouse zoom is not colliding with anything in Maschine though), and that you should mostly use their hardware. The last thing is valid for things like live productions (and more of course), but one way or the other – if you prepare something in Maschine for later use, you may need to edit it. And that is much easier with UI and mouse.

To sum it up: Maschine UI is different from standard even when not necessary, lacking tooltips completely, there is no in-place help with keyboard shortcuts, few contextual menus (no wonder when right-click deletes stuff, double click would probably do just as well), it doesn’t save the UI layout, zoom is awkward and I’m not going into shortcut customization.

I know that UI is just an addition to the hardware (though absolutely necessary) and personally I can pardon that you can’t change keyboard shortcuts. But many of these things are kinda easy to fix (tooltips?) and they would help a long way – especially users new to NI.

Maschine sure is a lot of fun anyway, but a little bit more seriousness to its DAW aspects wouldn’t hurt at all.

Witcher 2 bittersweet review

I’ll not bother with pictures or story, everything can be found elsewhere. I used http://witcher.wikia.com/ as a guide when I needed it. I want to sum up my experiences and feelings from the game development lately.

Consolization is obviously unstoppable process that can be understood. Some games deal with it better – with PC having proper treatment – others fare worse. Witcher 2 is the latter case, unfortunately.

I’ll skip all the good parts – story and graphics (after many years I upgraded my graphics adapter to get this game into enjoyable shape :-)).

The first big letdown was the fact that keyboard is adjustable only out of game through dedicated configuration program (as are many other things, but those are of less importance for serious gameplay). Even when you want to check your layout, you have to go there. My solution was to use snipping tool and let the screenshot on the second monitor as a reference. So it all started with terrible customization experience. If you want to change some setting be ready for 5 minutes roundtrip.

In-game control of the character itself is another disappointment. Geralt is unresponsive, walk is slow and then run is too fast when you’re picking things around – the whole feeling is laggy. Maybe it is my older rig, I don’t know. While turning around is acceptable, movement itself is terrible however.

I don’t like new fight system, first Witcher was more fun with combos. I avoided bombs and traps, unless situation required them (the first wraith fights especially). Maybe one of the reasons why I did so was that the whole UI was laggy, unresponsive and workflow terribly designed (graphically it is alright).

Similarly, mini-games that worked in the first game clearly suck in this one. Fist-fight is for babies, arm wrestling on the other hand is just frustrating with that jumping cursor – and dice poker? They couldn’t mutilate it any more (camera view, post-processing, physics, everything).

I don’t know what happens on the background when I move around my Inventory, but mouse is very lazy. Sorting the stuff is all but intuitive, with no tooltips where they would really help. And you have more ways how to accept things – mouse click, Enter (but not the numpad one?!) and Space. But not all of this works everywhere. I’d welcome escape for dialogs with shopkeepers (it gets you menu).

Dialog controls are terrible too. You can believe clicking with your mouse on a dialog selection, but while the other one is highlighted, it is also the one to be selected. You have to move your mouse first – how practical. So you decide to load previous save, so you can repeat the dialogue. But saved game often shows picture from some completely different save – you can see the time is right (few minutes ago), but it truly is misleading when you first notice this. Audio is not balanced at all either – sometimes everything is fine, then other dialogs are hardly audible – you just don’t know how to set music volume properly.

Because so many things are made so complicated in game thanks to the controls (probably not a problem on console) I just didn’t do them. I made minimum of alchemy.

Yeah, I played on easy – which I normally don’t. I did it because before upgrading my graphics card it was pain to go through tutorial fights even on lower resolution. Game is probably CPU bound in my case, though new graphics definitely helped a lot. Maybe I would have to do more of alchemy on some higher difficulty, but honestly – I imagine it being rather frustrating anyway. I liked (or at least used) alchemy in the first game a lot. Not here.

Graphics and story are the strongest point for me. Audio is OK when it comes to soundtrack (I liked first one much more and often put it on without the game), dialogue quality varies (especially timing and volume during other noise), shouts are mostly hardly believable.

When I compare this game to Mass Effect (1 or 2, never played 3) – that is if you like both genres – this one was far less enjoyable. In Flotsam I was stuck like forever, then the game got some pace, Vergen was OK, but all those corridors made me think how great freedom we had in the first Witcher – and chapter 3 was over very quickly. After this they tell you to wait after the credits to see the end… Don’t even bother – they go for like 20 minutes or more? Just check it on YouTube. Mass Effect? I just sat back after the job well done (saving the galaxy after all) and I could just listen to the music. Credit music in Witcher 2 gets boring after all those letters.

I’d gladly sit back and watch the credits, I’d really do – but after over 5 minutes it just adds bitterness to the bittersweet taste of the whole experience. Shame – could have been nice 9/10. For me all in all it’s more like 7/10.

Git Bash Here in Console2 in Total Commander with keyboard shortcut (hotkey)?

Not sure whether I ever made longer title – but as I had to Google a lot about it and even wrote to Total Commander support email I decided to put it “on paper”. I wanted to press a keyboard shortcut to open Git Bash in Console2 (default window is just as terrible as “cmd”, marking, copying and pasting is just pure pain). Of course in current directory.

Because I have installed Cygwin as well and had it as a default shell for Console2, I decided to add a new tab configuration like this:

Main menu: Edit-Settings-Tabs-Add and then fill up things accordingly

Now the Total Commander part. While I googled a lot how to assign my custom command to a shortcut (hotkey) maybe I used different keywords, maybe I was just unlucky… I wrote to support in the end. Answer goes as this (thanks to Christian Ghisler):

  1. Go to menu Configuration – Options (you can get here with Alt-O twice) – Misc (last option in the list on the left)

  2. Choose your hotkey, I went for Ctrl+B (it doesn’t make any file “bold” I hope)

  3. Click on the small magnifying glass

  4. Click on usercmd.ini (all the way down)

  5. Click on New

  6. Choose a name, e.g. em_git_bash_here

  7. Click OK

  8. Enter the details (see lower)

  9. Click OK in all open dialogs

Here is screenshot of the settings in Total Commander:

Here the -t obviously chooses the tab you want to open and -d sets the initial working directory.

BTW: The last dialog is the same as for a custom button. I actually found a blog about how to add a custom button with Git Bash Here, but assigning it to a hotkey was another story. Also running it in Console2 was easier than it seemed from various internet resources. Much advice pointed to the Windows Registry – but I didn’t want that.

Total Commander itself is a bit tricky. Don’t get me wrong, I love it and that’s why I have bought it (way too late, but I have) and also could appreciate support (right to the point). But when you want to find that %P is “current directory” you better google it. Ctrl+F in the Help window (very good one actually) does not help, because “source path” contains neither “current” nor “directory” obviously. :-) With Internet at hand these are no problems at all.

BTW2: If you have your command in Total Commander named you can just reference it when you need it for button bar – don’t click on magnifying glass icon, just set Command value to “em_git_bash_here” (or however you named it) and you’re done.

Hope you made it with my procedure and my pictures. May the power of keyboard shortcuts (or hotkeys, whatever ;-)) be with you!

ZSE E.Zľava Offer?

This time in Slovak about how I was awarded 0% discount from my electricity retailer. Sorry for being silent lately, I have a lot of work and no steam to write here right now.

S neodolateľnou ponukou E.Zľava od svojho seriózneho dodávateľa ZSE (člen skupiny e-on) som sa prvýkrát stretol, keď nám ju poslali poštou. Keďže v nej išlo aj o nejaké asistenčné služby a navyše viazanosť, nebol som si istý, či ju chcem – takže som ju jednoducho neriešil.

Lenže potom som raz dostal návštevu, ktorá mi to všetko vysvetlila. Asistenčné služby sme nechceli, ale zľavu za viazanosť… povedal som si, keď už je chlapík tu, prečo nie. Veci mi boli vysvetlené, ale z mojej strany išlo aj o istú mieru dôvery, keďže som jednal so spoločnosťou, ktorej zákazník som už nejaký čas, bla, bla, bla.

Chlapík odišiel, ja som vyrazil na web – a ľaľa ho, aj takéto články som našiel:

Tak som sa podujal, že im napíšem, a tentoraz to bolo od srdca. Odpoveď som od 5. januára nedostal.

Dear ZSE

We have been buying electricity from you for more than 6 years and I had no intention of changing anything about that. That all changed during the past hour.

Today a representative of your company, Mr. G. (Gxxx? Gxxxx? it's hard to decipher), stopped by my place regarding E.Zľava. I said that we had not understood the whole offer of assistance services that had come to us earlier – we found it extremely confusing. Your representative did not deal with this matter; it was only about the discount offer. The whole time the talk was of 4%; I studied it for a while, but then again I didn't want to hold him up too much.

After all, I thought ZSE was a reputable company. Among other things, your representative also said that even if I switched elsewhere (which I was not planning), I would only lose the discount. I cannot confirm this, since the amendment changes the term of the original contract to a fixed term, and I would apparently have to study that contract in detail as well to see what an earlier termination would mean.

To top it all off, we are a family with two children in a 4-room apartment, we cook on electricity almost every day (small children) and our consumption is below 3MWh, which means (as you probably know) a 0% discount. Even at 4% I would save maybe 3 euros, since it concerns 3 months (which the representative forgot to mention), and not even from the whole amount (which, fortunately, he did point out).

So for the sake of maybe 3 euros (in my case 0), a representative of a “reputable” company has to bother me in person at home, the explanation of the contract's implications falls far short of the quality of a below-average insurance agent, and on top of that I now have a fixed-term contract, whereas before I did not have to and DID NOT WANT to take care of it.

The talk about how “they are probably just finding out what customer base they have left”, or the answer to the question of why they cannot simply grant the discount outright, along the lines of “salespeople do not have access to personal data”… right there I should have started to sense trouble. I signed it only because of the ZSE brand; I would have thrown out an alternative provider long before, or I would have gone to the Internet in front of him to look up opinion pieces about his trustworthiness.

As it is, I am putting a note in my calendar for December that I need to look around for another electricity supplier. I might reconsider if you delivered the original of my amendment back to me and next time bothered me with something that would actually save me money. As it is, on the contrary, you are only wasting my time, not to mention my patience.

Regards

Richard Richter

customer no. xxxx

The whole thing surprised me a bit, since – even though this is Slovakia – no internet or telephone provider, nor my bank, simply nobody, has so far tried similar tricks on me as an already existing customer.

By the way, today they already offer 4% from 2MWh per year, which would apply to us. But that changes nothing about the fact that it is a matter of a few euros. So, unwillingly but nonetheless, I will have to deal with some energy contract at the end of the year. And I see no reason to deal with it with ZSE again.

Happy New Year 2013!

Happy New Year, of course! My last year was a bit poorer blog-wise. For some reason I was lazier about writing about things. Heck, sometimes I think that I was less lucky with new technology overall. I achieved some nice results with testing in our company during the previous year. This year I wanted to push Continuous Integration and testing a bit further, maybe Gradle – but results in the CI area are mixed and the rest brought no real results at all.

On the brighter side, I managed to finish my quest for a system time shifter on the JVM that would be usable for testing purposes – all documented in my post. Blogging is not all of course and I am quite happy with how topics around Clean Code got some attention around me. We pushed the Java Simon project a bit further too, I learned a few interesting things around Spring, MVC and jQuery… Add this beautiful Scala class on Coursera and this year was more than fun after all.

Still I’d like to make some resolutions. I discovered QueryDSL (thanks to a colleague of mine) and this seems to be the answer to readable and compile-time-safe Criteria – because those shipped with JPA2 are simply horrible to read. It works well with IDEA’s annotation processor and Maven, and it should be no problem with Gradle either. Ah, Gradle! I’ve been watching this guy for around two years but for whatever reason I was not able to use it for anything more than a few tests – but that is not Gradle’s fault. I like it, I like the idea, I like the language – and I think this year is the time to switch Java Simon from Maven to Gradle. And after that I’ll go on with projects in our company, although the battle there will be more difficult I guess.

Outside of technology, I managed to put together a few songs with my colleagues and it was fun – the first time I played in something close to a band. We played only at our company party but it doesn’t change anything… it was real fun. We didn’t have a drummer so I used my Native Instruments Maschine Mikro and pre-programmed our songs – and I was really happy with the results. I’ll probably dedicate a post to Maschine Mikro, because it is one really interesting controller (and software too!).


Maschine Mikro controller

Talking about music, I managed to upload two full-blown tracks to my Soundcloud and later added two simple guitar+voice tracks. While mixing/mastering is still my weakness, I’m happy that I was able to pull through this recording-wise. And just how I imagined – my songs composed with paper, pen and acoustic guitar many years ago can really work as a rock recording too.

So what about this year and those resolutions? Gradle – sure. More testing methodology on our projects – maybe I’ll even manage to document it here on the blog. Pushing Continuous delivery just a bit further again. Scala or other JVM language? I don’t know. Maybe, maybe for tests. And a bit of my music – I need to practice more with keyboard, guitar and bass guitar (yeah, I bought a lovely Yamaha bass too).


Bass guitar Yamaha RBX375

Last resolution is no resolution at all – we have to somehow survive the “socialistic” experiments of our government here in Slovakia (although there is nothing social about them). Europe has its own deal of problems – and USA? Well they saved themselves from falling down that fiscal cliff or what – just a few hours ago. And it probably means making the cliff a bit higher for the next time. So we might have escaped one Doomsday lately at the end of 2012, but who knows how our civilization will fare in the future.

Then I remember those who are really poor and I know we have nothing really horrible to complain about. So once again – Happy New Year – and a whole year of 2013!
