AppEngine, Ant, and OAuth

I have a Google App Engine app that for some time now has just served static content.  I have a set of Jenkins jobs that just used the commands directly to set the app’s version string and update/deploy the app to AppEngine. I wanted to add some Java code to the application, and quickly realized the Jenkins job needed to change to perform a compile before uploading to AppEngine.  Rather than adding more shell steps to the Jenkins job (and not wanting to add maven into the mix), I decided to just create a quick Ant script – I even found a Google sample one. My builds kept initially failing the update (deploy) step with the following message:

[java] Your authentication credentials can't be found and may have expired. 
[java] Please run appcfg directly from the command line to re-establish your credentials.


Saywha? Before switching to Ant, I had the CI server user account set up so that build job steps would use a previously-cached OAuth2 token for password-less AppEngine commands.  I didn’t see anything on this on StackOverflow (or Google Groups, for that matter), and running the ant script as the Jenkins user from an interactive bash shell didn’t seem to have the issue. Hrm. To workaround this issue, I edited the appcfg macro in in ${sdk.dir}/config/ant-macros.xml as follows. My edits are highlighted:

  <macrodef name="appcfg" description="Manages an application">
    <attribute name="war" description="The exploded war directory containing the application"/>
    <attribute name="action" description="One of (update, rollback, update_indexes, request_logs)"/>
    <element name="options" optional="true" description="Options for appcfg (such as --server, --num_days, etc...)"/>
    <element name="args" optional="true" description="Additional arguments for the java task"/>

      <java classname=""
            fork="true" failonerror="true">
        <arg value="--disable_prompt"/>
		<!-- scotth 5.3.2014 - add oauth2 arg to force usage of OAuth2 token -->
		<arg value="--oauth2"/>
        <arg value="@{action}"/>
        <arg value="@{war}"/>

This now uses password-less auth when uploading to AppEngine from an ant script from Jenkins.

Happy coding,



How to Keep your Kids from Exiting an iOS App

If you’re like me, you probably hand your iPhone or iPad to your toddler from time to time. Maybe it’s a specific app, a video, or the photos app.  Either way, it’s pretty frustrating to launch something for them only to have them immediately exit it by pressing the home button – or worse, tapping an ad banner.

In iOS 6, there is a solution for this: Guided Access.

In short, you can configure (among other things) the following measures to prevent exiting an app via home button or ads. You can even lock down intra-app functionality. An example might be the “Done” button in the Videos app to prevent exiting a parent-selected movie or show.

Let’s look at setting up Guided Access with a real app example.

First, launch the Settings app and go to “General.”

Screenshot 2012.12.08 15.41.29

Choose “Accessibility.”

Screenshot 2012.12.08 15.41.53

Within Guided Access, slide the slider to “On.”

Screenshot 2012.12.08 15.43.30

Tap “Set Passcode.” This will be a four digit code you will use to exit “lock down” mode so you can actually exit the app when your child is done.

Screenshot 2012.12.08 15.38.43

Now, we launch the app we’re wanting to lock down.  For this example I’m demonstrating Guided Access with the free formerly free, now paid and ad-supported app “Bell Ringer.”  My kids love shaking the phone to ring the bell, but my two year old frequently taps the eye catching ads.

Screenshot 2012.12.08 15.36.46

See the ad banner? We want to keep little fingers off that for now.

To begin Guided Access, triple-tap the home key.

Screenshot 2012.12.08 15.36.56

The Guided Access prompt appears. Now it is time to prevent access to parts of the screen we want to keep the user (in our case a child) from touching.

Screenshot 2012.12.08 15.37.29

Draw a circle around areas of the screen you want to prevent touches. Here I circle the ad banner; I’ve also used this effectively on the Videos app on the “Done” button that exits a movie.  Don’t worry; you don’t have to be perfect.

Screenshot 2012.12.08 15.37.38

If you didn’t get a perfect circle earlier, use the dots to resize the rectangle Guided Access presents.

Screenshot 2012.12.08 15.37.15

Once the size and position is where you want it, touch “Start.”

Screenshot 2012.12.08 15.37.47

The app will resume full screen and you will now notice a couple of overlays – one announcing Guided Access; the other obscuring the screen area that is locked down.

Screenshot 2012.12.08 15.38.23

Now, all hardware buttons are disabled.  The Home key, when pressed, prompts us with the pass key prompt.  If we enter the key correctly, the Guided Access menu reappears.

Screenshot 2012.12.08 15.38.55

To re-enter Guided Access, tap “Resume.” To exit Guided Access (and get us where the Home key will now exit the current app), tap “End.”

Screenshot 2012.12.08 15.39.20

Now we are back to normal and can exit the app or tap on those wonderful ads.

I used this technique on my two year old who is very well versed in iPhone buttons and app exit techniques.  She fiddled with trying the home key and the Done button and after it didn’t exit a couple of times she gave up and just watched the movie she requested in the first place.

I hope you find this as useful as I have,

Scott H

How to View WebSphere Trace Logs in the RAD Console

If you develop on WebSphere Application Server (WAS) using Rational Application Developer (RAD), you likely use the handy server integration features which allow you to “publish” modules directly to the appserver without having to leave the IDE.  One feature of this integration is that the eclipse console view displays the WebSphere SystemOut.log file so the developer can view log statements, again without leaving the IDE.

One problem with this integration as I see is that this log file only displays logging at the INFO level and above.  Meaning, most often a developer server usage is a single user (themselves) analyzing application logging that probably should be trace level – that is, logging that should never see the light of day in a multi-user production environment but is immensely helpful in tracing the flow of data through the classes and methods of an application.

WebSphere Application Server does provide the capability of changing the logging level by logger name or package at runtime, but reducing the level for a given set of loggers to FINE, FINEST, or ALL results in trace logging going to a separate log file. By default, this file is trace.log.

This default presents the problem for RAD users: the eclipse console doesn’t display the trace.log file.  Meaning, a developer can add trace statements the right way in their code – log.debug() in Apache Commons-Log or log.fine/finest() with java.util.logging – yet not see these log statements in the IDE.  I have found this often causes developers who prefer the IDE’s console to begin the bad practice of intensive logging with the INFO level so they can “see” the log statements in development.  This leads to unhappy server admins, let me tell you!

Here is how you can redirect WAS trace logs to SystemOut.log in a development WebSphere Application Server instance and view trace logging in the RAD/eclipse console.  It’s surprisingly simple and I only stumbled across this behavior by accident one day.  My whole team uses it, and it works (we use WAS v7) for us.

First, log into your WAS admin console. Locate the Logs and Trace section.

Next, if applicable, select the server/profile you have integrated with RAD.  In my screenshot, the WAS profile is for a WebSphere Portal (v6.1.5) instance, but it shouldn’t matter.

First, we need to find where WAS is writing its SystemOut.log file which RAD displays in a console view. Take note (copy into the clipboard) of the file path, including any variables:

Next, go back to the server logs pane and choose Diagnostic Trace.

In the Diagnostic Trace settings, note the current file path. You may want to save a note with the original location or choose to backup your entire WAS profile config files as a safety precaution.

Change the value of the trace log to the value of the path to SystemOut log.

Click the Save button at the bottom of the page, then save these config changes to the master repository:

You should now be able to see application trace logs in your RAD console for your integrated WebSphere Application Server profile:

Feel free to add your own notes, comments, feedback in the comments section below. I’m curious as to how other teams utilize their RAD/WebSphere integration.

Happy Coding,


iOS update error 1013

Tonight I decided to update an iPhone 4 to iOS 4.3.1. I sync my phone regularly and have never encountered an update problem. That changed tonight as the 4.3.1 update failed about five times in a row with error code 1013.

Clicking “more info” on the error message led me to this page which mentioned a possible problem connecting to I fired up a browser and tried and was greeted with an Apache server directory listing. I figured since I got a response (and not a connection error) the problem must have been elsewhere, so I tried other suggestions from the support article: updating OSX, updating iTunes, changing USB ports, and rebooting. After each one, no luck: still the 1013. I began to sweat.

I read the support article closer, and even visited a large thread on the support forums and decided to peek at the /etc/hosts file. Sure enough, there was an entry for! Where’d that come from?

I used a real man’s editor and commented out the entry for The very next restore attempt succeeded on first try.

$ sudo vi /etc/hosts

Enter your own password at the prompt and press return.

Your hosts file may be slightly different, but you’ll want to comment out the entry for

# Host Database
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##       localhost broadcasthost
::1             localhost
fe80::1%lo0     localhost
"/etc/hosts" 11L, 264C

The important part is adding the # at the beginning of the line with

Note: if you’ve gotten this far but need help with the editor in this example itself, leave a comment and I can walk you through it. It’s the “vi” editor and it’s not very straightforward if you’re not used to the command prompt scene… there are several good quickstarts available online as well.

Update 4/5/2011: a good tutorial on editing the hosts file in general can be found here.

Hope this helps someone,


Update 4/5/2011: Here are the detailed steps on how to edit the system hosts file.  These are instructions for OSX Snow Leopard. (I think with Windows you can just edit the file in Notepad; the file is located at C:\Windows\System32\drivers\etc\hosts)

Update 4/27/2011: Here are a couple of articles from Macworld Magazine which explain why this may have happened.

OSX Snow Leopard instructions

  1. Open the Terminal app.
    Click on the spotlight icon (magnifying glass in the top right corner of your screen) and type “terminal”.  You should see a black square looking icon; click it.
  2. Edit the Hosts file.
    I believe you need to be using an account with administrative privileges.
  3. Once opens, click on it and you should be able to type at the blinking cursor.
  4. Type the following:
    sudo vi /etc/hosts
  5. Press the enter (or return) key.
  6. The terminal will ask you for your password. Type it carefully, because for security reasons it won’t show on the screen.
  7. Note: if you mistype your password, you should see “Sorry, try again.” up to three times.
  8. If you correctly entered your password, the editor will show you the contents of the hosts file.
  9. You should see a few lines like the example above.
  10. Use the down arrow key to move the cursor to the line that has “” in it.
    Leave the cursor on the first character in the line.
  11. Important: press the I key once.
    This puts the editor in “insert” characters mode so you can type inside the file. We’re not in Pages or Microsoft Word, and this editor is not very forgiving –  so type carefully.
  12. At the beginning of the line that has “”, type a single hash (also known as pound) character.
    It’s above the 3, so press the shift and 3 keys at the same time.  If a 3 shows up instead of #, press the delete key to correct.
  13. The line should change colors.
    The # character tells the system to ignore this line in the file, which is what we want.
  14. Press the colon ( : ) key once.  That’s the shift and semicolon ( ; ) keys at the same time.
  15. Press the x key once.
  16. Press enter.
    The :x command tells the editor to save and exit.
  17. Close and restart iTunes
  18. Re-attempt the iOS update or restore.

Eclipse Mylyn with

I’ve been using Lighthouse for tracking tasks and issues in my iOS development. I like it because it’s cloud-based and fairly elastic; right now as I write I’m the only developer but I hope to expand in the future. I have no interest in administering an issue tracking system (I’ve done so with Bugzilla and Scarab in the past) because I want to focus my available side-job time on development as much as possible.

I decided to give integrated task management a whirl using eclipse as both my mac subversion client and Java IDE. If you’re wondering how this ties into my iOS development – I have some supporting server-side Java apps and I’ve been less than impressed with Xcode’s built-in SVN tooling.

A while back I saw some early interest in integrating Mylyn and Lighthouse, and decided to see where it went. Below are the steps I took to integrate to the point where I can:

  • flag what issue I’m working on in eclipse, and then have eclipse automatically add task info into my source control commit comments
  • Quickly create tasks from within the IDE when I discover TODOs, without having to flip back and forth to retain context. Note: right now this is limited to doing so with the embedded browser; I’ll update this post if I find out how to create from eclipse itself.
  • Code in Xcode and Eclipse and commit from Eclipse, performing one commit for changes in multiple projects for a single fix or enhancement

First of all, let me say I didn’t do 90% of the legwork here. I followed the steps in forum posts on Lighthouse support and a blog entry I found. I tweaked a bit after that.

Step one: Install Mylyn Web Templates support

As of this writing, the Mylyn connector needed for Lighthouse integration didn’t come with Eclipse 3.6 (Helios) SR2 and was marked as an “incubation” component.

You may (probably?) need to add the Mylyn incubation update site to your software repositories:

Next, install the connector:

Install command in Help menu

From the Help menu, Install New Software

Plugin install dialog

The Mylyn Incubator Components install dialog

Choose “Mylyn Connector: Web Templates”.  This component will be configured after we install it to connect to Lighthouseapp’s XML feed of your tickets.

Restart eclipse when prompted.

Step Two: Configure the Connector

You’ll want to gather your lighthouse project URL before configuring a new Mylyn repository in your eclipse Task Repositories view.  You can find the URL for your project(s) on the right  side of Lighthouse after logging in:

Usually the URL is in this form:


You’ll then want to configure a new task repository in Mylyn using the web connector.  Open the Tasks view (Window -> Show View ->Task Repositories) and click the “Add Task Repository…” icon.

New Mylyn Task Repository Dialog

New Mylyn Task Repository Dialog

Enter your Lighthouse project URL as the “Server” URL.  Give this project a meaningful label in the dialog (this string will display in Eclipse any time you interact with this repository) and leave the “anonymous” checkbox selected.  We’ll get to authentication in a minute.

Add a parameter named “query” and a value of “all” in the “Additional Settings” section.  This tells the Lighthouse XML query API to search all tickets, both open and resolved.

Under “Http Authentication” be sure to check the box and enter your Lighthouse user ID and password.  I chose to have eclipse remember this password.

In the “Advanced Settings” section you can enter the following:

  • Task URL: ${serverUrl}/tickets/
  • New Task URL: ${serverUrl}/tickets/new
  • Query Pattern:

If this works, you should be able to view Lighthouse issues in the embedded browser like this:

Light house Tickets view in Eclipse Mylyn

Light house Tickets view in Eclipse Mylyn

You should now be able to open the Task List view and see a list of Lighthouse issues.

Step Three: Configuring SCM Commits

I wanted to be able to auto-tag my version control with mention of the or issue I was addressing.  With mylyn, you basically “activate” a given task / defect, perform coding, and eclipse then knows what task with which to tag your SCM commit.  To modify this from default, choose Window -> Preferences on a PC or Eclipse -> Preferences on a Mac, choose “Tasks” and enter this for the commit comment:

${task.status} – ${connector.task.prefix} ${task.key}: ${task.description}
${task.url} [#${task.key}]

Once this is set up, your check-ins should looks something along these lines:

Mylyn svn commit dialog

Mylyn svn commit dialog


In this tutorial we installed the mylyn tooling and the incubation Mylyn Web Templates plugin.  We then configured it with our Lighthouse project URL and a regular expression that allows eclipse to pluck data elements from each ticket to render in its gui (particularly when you are inspecting a single web value.  We updated the commit template preference so our check-ins can reflect the task we were working.

Hope this helps,


A Halloween scare: Facebook on Public Wi-Fi

Update: As of January 2011 Facebook now offers browsing in ssl mode without requiring the use of a userscript. Just visit your account settings, expand Account Security, and check the box that reads “Browse Facebook on a secure connection (https) whenever possible.”

Normally, I avoid unencrypted wi-fi hotspots like the plague.  If I do end up using one in a pinch, I avoid services that require (or allow) me to authenticate then continue surfing in “personalized” mode.  That is, surfing the site without HTTPS.  For example, when you sign on to your bank’s website, you always see “https” in the address bar of your browser – it never goes away until you either log out or go to another website.  With a browser and a little knowlege (“look for the lock”) it’s fairly easy to see when you’re accessing personalized content.  When using apps on a smartphone, it’s almost impossible to see when HTTPS is actually used without special phone configuration.

As I type this, I’ve been forced to use “guest” wi-fi at a hospital system away from home for about a week now as my daughter recovers from surgery.  I’ve needed to stay in touch with friends and family via Facebook, but the idea of having my FB account compromised – or my FB interactions readable by some bored kid I don’t know – concerns me greatly.  I noticed that I can pretty much change any URL on facebook to use HTTPS, but for some silly reason the site renders all URLs on pages to use http, even if you navigated using https.  Very annoying.  If my bank did this I’d use another bank.  With the world running out of IP (v4) addresses it seems most everyone will be sharing an address.  A large number of those users will be using Wi-Fi, and a large number of those users won’t be savvy (bored?) enough to read this blog or even be aware of the danger… which makes it seem (to me) to be a very bad idea to use cookie + IP address security for what should be secure site personalization.  Sure, SSL adds server-side overhead but buy yourself a few accelerators for goodness sake, Facebook!

I did however find a pair of greasemonkey scripts that for the most part seem to make facebook behave as I want it to: completely over https. The first is Facebook in HTTPS and works for most of the hyperlinks rendered in FB.  However, at time of this writing, it doesn’t force asynchronous (ajax) requests to go through https… which, if you think about how many times you see the wait animation gizmos, is what a lot of FB functionality uses. To compensate for this, I also installed a script called Force Facebook HTTPS Secure, which manipulates Facebook Javascript to use HTTPS for ajax calls.  So far when using these two scripts in tandem I’ve not seen any nonsecure FB connectivity detected using the recently released Firesheep proof of concept Firefox plugin.

On the web:

Hope this helps,


gconsync wants to use my keychain…

Today’s tidbit is about a nagging OSX dialog that doesn’t offer “remember this decision” or “don’t ask me again.”

I got a new iPhone, and decided to use Google’s ActiveSync (MS Exchange) integration to sync my contacts in the cloud for free and not $99/year. The cloud’s not all that useful if it’s only covering one device, so I set up Google contact sync on my account on our family mac.

gconsync keychain prompt

Apparently this causes a background process called gconsync to be run at an interval. Understandably, this tool has to log into your Google account in order to synchronize contact updates with Address Book. For me, whenever it would try to run it would enqueue a prompt asking if it’s OK to access a local keychain which holds Google login info. I say enqueue because since I don’t use that computer often, I’d sit down to have to click through a half dozen of the same prompt… click cancel, cancel, cancel… you get the picture. The actual text of the dialog is “gconsync wants to use the ‘sheaberlin’ keychain. Please enter the keychain password.”

To make the matter worse, the prompt seems to make Finder hang (even the menu) until you appease its desire for Google info. This wasn’t going to cut it for me.

I found an Apple Support thread discussing a different daemon process which steered me to the solution: to unlock the keychain it was asking for. Unlike my screenshot above, gconsync was looking for an application password entry in my personal keychain (“sheaberlin” instead of “login”) named GoogleContactSyncService. There was nothing else in that keychain so I set it to never lock after system sleep or idle. Boom, no more gconsync nags.

keychain settings to prevent nagging google sync dialog

Steps to squelch this dialog (from the aforementioned knowledge base thread):
1) Launch Keychain Access. On Snow Leopard it’s found in Applications —> Utilities —> Keychain Access
2) Highlight “login” (or whichever keychain is mentioned in your gconsync prompt – for me it was the one for my username, “sheaberlin”) under “Keychains” in the upper left
3) From the Edit menu select “Change settings for Keychain…”
4) Uncheck “Lock when sleeping” and click “Save”. Also uncheck “lock after … minutes of inactivity”.

Hope this helps someone,