This feed does not validate.
<language>en,de</language>
^
<pubdate>Mon, 01 Sep 2025 16:33:08 +0000</pubdate>
^
line 24, column 67: (10 occurrences) [help]
<link>2025/09/authentication-with-pkce-and-vanilla-javascript.html</link>
^
line 25, column 26: (10 occurrences) [help]
<author>Stephan H. Wissel</author>
^
line 26, column 43: (10 occurrences) [help]
<guid>d41aa310-8734-11f0-8a15-a76556d24dc9</guid>
^
line 27, column 27: (10 occurrences) [help]
<pubDate>01 September 2025</pubDate>
^
In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
<?xml version="1.0"?><rss version="2.0"><channel> <title>wissel.net Usability - Productivity - Business - The web - Singapore and Twins</title> <link>https://wissel.net/blog/stories.rss</link> <description>Thoughts, Insights and Opinions of Stephan H. Wissel. Topics included: Salesforce, Lotus Notes and Domino, IBM Websphere, NodeJS, JavaScript, J2EE, .Net, Software Archtecture, Personcentric Development, Agile Software, SDLC, Singapore and my Twins</description> <language>en,de</language> <copyright>(C) 2003 - 2021 Stephan H. Wissel, All rights reserved</copyright> <pubdate>Mon, 01 Sep 2025 16:33:08 +0000</pubdate><item> <title>Authentication with PKCE and vanilla JavaScript</title> <description><p>Finally you got rid of user management in your application since your organisation has standardized on an <a href="https://www.cloudflare.com/en-gb/learning/access-management/what-is-an-identity-provider/">IdP</a>. There are plenty to choose from. I usually develop using a <a href="/blog/2024/10/onetime-idp-with-keycloak.html">Keycloak</a> IdP before I test it with the target IdP (and yes: Azure Entrada tries to be different).</p><p>So it's time to adjust your <a href="https://developer.mozilla.org/en-US/docs/Glossary/SPA">SPA</a> to use the IdP. The admins tell you, you need to use <a href="https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce">PKCE</a>, part of the <a href="https://openid.net/developers/how-connect-works/">OIDC</a> specification</p><h3>Where is the fun in ready made?</h3><p>A <a href="https://www.npmjs.com/search?q=OIDC&amp;sortBy=downloads_monthly">quick search on npmjs</a> shows, the topic is popular and AWS takes the crown. But for deeper understanding, let's roll our own.</p><h3>Prerequisites</h3><p>There are just four items you need. The first three are provided by your IdP admins, the forth one you have to provide to them.</p><ul> <li>The URL of your IdP, the full path where <code>.well-known</code> can be found. That's usually the root, but does differ for Entrada or Keycloak</li> <li>The issuer. That typically is the URL, except for Entrada</li> <li>The clientId. A String, usually opaque</li> <li>The callback urls. Pick those wisely. Typically you want three: <code>http://localhost:3000/myApp</code>, <code>https://localhost:8443/myApp</code> and <code>https://final.place.com/myApp</code> The first two enable you to test your application locally with both http and https</li></ul></description> <link>2025/09/authentication-with-pkce-and-vanilla-javascript.html</link> <author>Stephan H. Wissel</author> <guid>d41aa310-8734-11f0-8a15-a76556d24dc9</guid> <pubDate>01 September 2025</pubDate> </item><item> <title>Installing a macOS developer workstation</title> <description><p>It is sitting on my desk, a shiny M4 MacBook. It wants to be configured. I can take the easy route and use the <a href="https://support.apple.com/en-sg/102613">Migration Assistant</a>. But that would carry forward all the cruft the various incarnations of the Migration Assistant have accumulated over the decade. So I went the hard way.</p><h3>Manual with a dash of AppStore</h3><p>First Stop: update macOS. In my case Sequoia 15.1 -&gt; 15.6.1</p><p>Installation falls into 3 categories</p><ul> <li>command line tooling</li> <li>settings &amp; data</li> <li>GUI applications</li></ul><p>Followed by the reconfiguration of license keys</p></description> <link>2025/08/installing-a-macos-developer-workstation.html</link> <author>Stephan H. Wissel</author> <guid>ab012430-84d3-11f0-a69f-6fd5883f9ade</guid> <pubDate>29 August 2025</pubDate> </item><item> <title>CouchDB, JWKS and PEM public keys</title> <description><p>Depending on <a href="/blog/2024/06/how-deep-do-you-authenticate.html">how deep you authenticate</a>, you might be tasked maintaining a user base in <code>_users</code> (and welcome to "I forgot my password" hell). The standing recommendation is to implement a single source of identity using a directory as <a href="https://www.cloudflare.com/learning/access-management/what-is-an-identity-provider">Identity Provider (IdP)</a>. My favorite <a href="https://couchdb.apache.org/">NoSQL database</a> can be <a href="https://docs.couchdb.org/en/stable/api/server/authn.html#jwt-authentication">configured</a> to trust JWT signed by known IdPs, so let's do that.</p><h3>Some assembly required</h3><p>CouchDB can be configured in three ways: Edit the respective ini file, use the Fauxton UI or use the REST API. I like the later since I'm comfortable with <a href="https://curl.se/">curl</a> and <a href="https://www.usebruno.com/">Bruno</a> (not a fan of Postman anymore). The steps are:</p><ul> <li>configure a client on your identity provider</li> <li>enable JWT authentication</li> <li>specify what claims are mandatory</li> <li>specify how to map roles</li> <li>add trustedd public keys</li> <li>restart your node</li></ul></description> <link>2025/07/couchdb-and-jwks.html</link> <author>Stephan H. Wissel</author> <guid>268f01d0-6d46-11f0-802c-d975bb98b8ec</guid> <pubDate>30 July 2025</pubDate> </item><item> <title>Report your CSP (violations)</title> <description><p>I'm a big fan of a strict <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP">Content Security Policy (CSP)</a>. It can be a pain to setup (but there is help, <a href="https://report-uri.com/home/generate"><strong>here</strong></a>, <a href="https://cybeready.com/top-9-content-security-policy-generators/">here</a>, <a href="https://chromewebstore.google.com/detail/content-security-policy-c/ahlnecfloencbkpfnpljbojmjkfgnmdc?hl=en">here</a> and <a href="https://www.quantcdn.io/tools/automatic-csp-generator"><strong>here</strong></a>) and <a href="https://csp-evaluator.withgoogle.com/">evaluate</a>.</p><h3>Let's report it</h3><p>You won't know if a policy was tried to be violated unless the attempt is reported back to your application. For that purpose we use the CSP directives <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/report-to"><code>report-to</code></a> and the older, deprecated <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/report-uri"><code>report-uri</code></a>. Until Firefox catches up, use both. When a browser supports <code>report-to</code>, <code>report-uri</code> gets ignored.</p><p>Reporting isn't only useful in production, but already during development and especially during retrofitting. There you can swap the <code>Content-Security-Policy</code> header for <code>Content-Security-Policy-Report-Only</code>. It will allow all content to load, but report back all violations.</p><p>You then run your <a href="https://www.browserstack.com/guide/end-to-end-testing">E2E Tests</a> (You have those, haven't you?) and get a free overview what loads from where. Adjust the CSP, rinse and repeat.</p><h3>Where to report to?</h3><p>There are numerous SaaS providers with fancy dashboards, that offer ready made solutions. When you are pressed for time, that might be your best option. I haven't evaluated them, so I can't recommend or endorse them.</p></description> <link>2025/07/report-your-csp.html</link> <author>Stephan H. Wissel</author> <guid>e2912cf0-6148-11f0-b6bc-9dae663e3d57</guid> <pubDate>07 July 2025</pubDate> </item><item> <title>HTML's template element in single page applications</title> <description><p>"<em>We need to use [insert-framework-of-the-day]!</em>" is the typical answer when asking for a light web single page application (SPA).</p><p>It doesn't need to be that way, <a href="https://paulswithers.github.io/">Paul</a> and myself shared in a <a href="https://github.com/paulswithers/super-procode-mode-openntf">recent webinar</a>.</p><h3>Serving the long tail</h3><p><a href="https://www.wavemaker.com/long-tail-apps-shadow-it-problem/">Long Tail Apps</a> tend to be outside of IT control, since they bypass the (usually heavy) standup of an IT development project.</p><p>That standup could be way lighter, when your application just consists of one html file, one css file, one js file, one manifest and (optionally) one or more image files as well as a <a href="https://opensource.hcltechsw.com/Domino-rest-api/references/hostingstatic.html">definded point of deployment</a>.</p><p>The typical objection goes: "<em>But it is never one HTML file, I need a login, a list and a form in read and edit mode</em>"</p><h3>template to the rescue</h3><p>The <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/template"><code>&lt;template&gt;</code></a> element is part of the <a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_components">WebComponents</a> specification and it is useful in simple SPA applications.</p></description> <link>2025/06/html-templates-spa.html</link> <author>Stephan H. Wissel</author> <guid>bfdb1860-5009-11f0-9a8e-691adff7d010</guid> <pubDate>23 June 2025</pubDate> </item><item> <title>Fun with AI system prompts</title> <description><p><a href="https://www.google.com/search?q=ai+chatbots">AI Chatbots</a> are a popular topic. As part of a session at <a href="https://engage.ug/">Engage 2025</a> I was looking for an easy to grasp example to understand the difference of user prompt and system prompt, the later typically invisible to the user. My goal was to make it abundantly clear how important the system prompt is.</p><p>I settled sending the same user prompt with vastly different system prompts. Here is what I got.</p><h3>Romeo at the balcony</h3><p>Mercutio?s mocking my love and he?s never been in love himself.</p><p>Wait. What?s that light coming from the window over there? It?s like the east, with Juliet as the morning sun! Rise, Juliet, beautiful sun, and kill the jealous moon who?s already fading and sad because you are far more beautiful than she is. Don?t swear off men like the virgin moon goddess Diana?the moon envies you anyway. Her virginal appearance is weak and pale and only fools want to emulate it. Get rid of it.</p><p>It?s my lady! Oh, it?s my love. Oh, if only she knew I love her. She?s talking but I can?t hear anything. What does it matter?</p><p>Her expression means something and I can answer that. No, I?m being too forward. She?s not talking to me. Oh, if two of the most beautiful stars had to leave heaven on important business, they?d ask her eyes to do the twinkling for them while they were gone! What if her eyes took their places in the sky and those stars became her eyes? Her beautiful face would outshine those stars in her head like daylight outshines lamps, while her eyes in the sky would be so bright at nighttime that birds would be convinced it was day. Look at how she leans her cheek on her hand. I wish I were a glove on her hand so I could touch her cheek!</p></description> <link>2025/05/fun-with-ai-system-prompts.html</link> <author>Stephan H. Wissel</author> <guid>d4495700-365d-11f0-87fb-618e413f1645</guid> <pubDate>07 May 2025</pubDate> </item><item> <title>Deploying a Single Page Application using the Domino REST API</title> <description><p>The <a href="https://opensource.hcltechsw.com/Domino-rest-api/">Domino REST API</a> not only provides secure access to "jsonified" Domino data,<br> but also comes with capabilities to ease integration. This enables one to quickly cater to <a href="https://en.wikipedia.org/wiki/Long_tail">the long tail</a> of applications, giving them a home instead of loosing them to the shadow IT.</p><p>Once you know the steps, you can deploy new <a href="https://developer.mozilla.org/en-US/docs/Glossary/SPA">Single Purpose Applications</a> (I modified the meaning of SPA a little) in no time.</p><h3>No CORS, no headache</h3><p>DRAPI allows to <a href="https://opensource.hcltechsw.com/Domino-rest-api/references/hostingstatic.html">host static applications</a> in the <code>keepweb.d</code> directory. "Static" might be a little misnomer (it only relates to the source files, not the interaction) since a JS file can make your experience quite interactive. Since you run on the same Domain and port as the API, you don't need to worry about <a href="https://developer.mozilla.org/en-US/docs/Glossary/CORS">CORS</a></p><h3>Preparation</h3><p>Your SPA will live in a sub directory of <code>keepweb.d</code>, so think about a name, we shall use <code>demo42</code> here. Add a suitable icon (e.g. 72x72 px png), name it <code>demo42.png</code> and you are ready to roll. Let's assume our Domino API is running on <code>https://api.demo.io</code></p><h3>Work faster with vitejs</h3><p><a href="https://vite.dev/">viteJS</a> is one of the fronteand tools you <strong>want</strong> to learn. It features "hot module reload" to speed up development and, when done, packages your application nice and tidy.</p><p>It is easy to get started. You need a current version (22.x at time of writing) of <a href="https://nodejs.org/en">nodeJS</a> installed as development tooling.</p><pre><code class="language-bash">npm create vite@latest demo42 -- --template vanillacd demo42npm install</code></pre><p>This will create the demo42 directory and scaffold the project for you. Before we get started with athe development, let's adjust the environment. In the root of the project create a file <code>vite.config.js</code></p><pre><code class="language-js">import { defineConfig } from 'vite'; export default defineConfig({ base: '/keepweb/demo42/', server: { proxy: { '/api': { target: 'https://api.demo.io', changeOrigin: true } } }});</code></pre><p>This allows you to develop in the comfort of your local machine's <a href="https://vite.dev/guide/api-hmr">hot module reload</a> which refreshes your app on svae automagically. It also fixes the path matching to its final destination. Next create in <code>public</code> the file <code>manifest.json</code>. This file defines the tile layout for the landing page.</p><pre><code class="language-json">{ "short_name": "Demo 42", "name": "The final answer to all Demos", "start_url": ".", "display": "standalone", "theme_color": "#000000", "background_color": "#aacccc", "icon": "vite.svg"}</code></pre><p>You can play with colors and icons as you deem fit. Now we are ready to run the application:</p><pre><code class="language-bash">npm run dev</code></pre></description> <link>2025/03/deploying-a-spa-to-drapi.html</link> <author>Stephan H. Wissel</author> <guid>7e85c300-0339-11f0-b3bc-e33450aa6e10</guid> <pubDate>17 March 2025</pubDate> </item><item> <title>ufw cheatsheet</title> <description><p>Mainly as a note to self.</p><h3>My default firewall setup</h3><pre><code class="language-bash">sudo ufw statussudo ufw default allow outgoingsudo ufw default deny incominggrep IPV6 /etc/default/ufwsudo ufw allow sshsudo ufw limit ssh/tcp comment 'Rate limit for openssh server'sudo ufw allow 80/tcp comment 'Allow nginx HTTP'sudo ufw limit 80 comment 'limit nginx HTTP'sudo ufw allow 443/tcp comment 'Allow nginx HTTPS'# For Domino mailsudo ufw allow 1352/tcp comment 'Allow Notes replication'sudo ufw allow 25/tcp comment 'Allow SMTP'sudo ufw allow 587/tcp comment 'Allow SMTP'sudo ufw allow 110/tcp comment 'Allow POP3'sudo ufw allow 995/tcp comment 'Allow POP3s'sudo ufw allow 143/tcp comment 'Allow IMAP'sudo ufw allow 993/tcp comment 'Allow IMAPs'sudo ufw allow from 1.2.3.4 'Allow the othe Domino'sudo ufw enable</code></pre></description> <link>2025/02/ufw-cheatsheet.html</link> <author>Stephan H. Wissel</author> <guid>dd7313e0-f3a3-11ef-85ce-6116619fca24</guid> <pubDate>26 February 2025</pubDate> </item><item> <title>Java Record Derived Creation (stopgap until JEP 468 arrives)</title> <description><p>Java 14 (in a preview feature) introduced <a href="https://docs.oracle.com/en/java/javase/14/language/records.html">Records</a>. In a nutshell: Records are (<a href="https://codeadventures.littlebluefrog.nl/posts/06-immutability-in-records/">mostly</a>) immutable objects with a greatly reduced amount of boilerplate code requirements. For a detailed introduction head over to <a href="https://www.baeldung.com/java-record-keyword">Baeldung</a>.</p><h3>When records need update</h3><p>The short answer: create a new record and use the existing as input. Let's look at an example:</p><pre><code class="language-java">public record Billionaire(String name, Long wealth, Temporal assessment) { public Billionaire cloneWithNewAssesment(Long newWealth, Temporal currentAssesment) { return new Billionaire(this.name, newWealth,currentAssesment); }}</code></pre><p>By itself this is a clean solution. You might add another function for unchanged assesment values. It gets messy when your records have a few more fields.</p><p>To address this, <a href="https://openjdk.org/jeps/468">JEP 468</a> has neen proposed. Unfortunately it isn't seen anywhere in <a href="https://openjdk.org/projects/jdk/23/">JDK 23</a> or <a href="https://openjdk.org/projects/jdk/24/">JDK 24</a>. Its syntax follows the spirit of boilerplate avoidance.</p><pre><code class="language-java">// Wealth changedBillonaire theUpdated = oldBillionaire with { newWealth, newAssesment} // Wealth unchangedBillonaire anotherUpdated = oldBillionaire with { newAssesment}</code></pre><p>Ultimately that's the way to go. Until then I needed a stopgap measure. It contains quite some boilerplate, following the <a href="https://www.digitalocean.com/community/tutorials/builder-design-pattern-in-java">builder pattern</a> to make use easier</p><pre><code class="language-java">public record Billionaire(String name, Long wealth, Temporal assessment) { public BillionaireUpdater forCloning() { return new BillionaireUpdater(this); }} public class BillionaireUpdater { Long wealth = null; Temporal assessment = null; final Billionaire old; public BillionaireUpdater(Billionaire old) { this.old = old; } public BillionaireUpdater wealth(Long wealth) { this.wealth = wealth; return this; } public BillionaireUpdater assessment(Temporal assessment) { this.assessment = assessment; return this; } public Billionaire build() { return new Billionaire( old.name(), this.wealth == null ? old.wealth : this.wealth, this.assesment == null ? old.assesment : this.assesment ); }}</code></pre><p>This approach keeps the "bulky" code outside the record, so once <a href="https://openjdk.org/jeps/468">JEP 468</a> becomes available, updating should be managable leading to the ultimate removal of the <code>Updater</code> classes. The use is quite straight forward:</p><pre><code class="language-java">Billionaire theUpdated = oldBillionaire.forCloning() .wealth(insaneAmount) .assesment(dateOfAssesment) .build(); </code></pre><p>As usual YMMV</p></description> <link>2024/12/java-record-derived-creation.html</link> <author>Stephan H. Wissel</author> <guid>5f44d330-c664-11ef-af6d-a7bb66125fd9</guid> <pubDate>30 December 2024</pubDate> </item><item> <title>Building ARM64 on Github</title> <description><p>Getting your <a href="https://www.redhat.com/en/topics/devops/what-is-ci-cd">CI/CD</a> pipeline right can be a daunting task. Here is one I had to address:</p><ul> <li>Create a <a href="https://quarkus.io/">Quarkus</a> Java application</li> <li>Compile it to a native executable</li> <li>Build a container for it</li> <li>Make the container available to both Linux and MacOS</li></ul><p>The little irony, Docker on macOS or Windowsruns Linux under the hood.</p><h3>The easy part - Quarkus</h3><p>As I've <a href="/blog/2023/10/quarkus-and-graalvm-starter.html">written before</a> it is easy to get started with <a href="https://quarkus.io/">Quarkus</a>. It provides <a href="https://quarkus.io/guides/container-image">5 ways to build containers</a>, and <a href="https://quarkus.io/guides/building-native-image">detailed instructions</a> to build a native image.</p><p>Building a native image looked daunting, with quite some prerequisites like GraalVM, CLI and C compiler. Luckily all this is available in a builder image, and a simple property settin in your <a href="https://maven.apache.org/guides/introduction/introduction-to-the-pom.html"><code>pom.xml</code></a> settles it:</p></description> <link>2024/11/building-arm64-on-github.html</link> <author>Stephan H. Wissel</author> <guid>d7561d60-a6f8-11ef-97b1-713842e709f4</guid> <pubDate>20 November 2024</pubDate> </item> </channel></rss> 
