DEV Community: chien hsin Yang

Propify: Type-Safe Configuration and Internationalization for Java Applications

chien hsin Yang — Mon, 23 Jun 2025 10:15:25 +0000

In the world of Java application development, managing configuration and internationalization (i18n) has always been a challenge. Developers often resort to string-based lookups that are error-prone and lack compile-time safety. What if there was a better way? Enter Propify — a powerful, lightweight Java annotation processor that eliminates configuration errors by generating type-safe classes from your configuration files and internationalization bundles.

Say goodbye to "stringly-typed" keys and runtime errors! Access every configuration value and message through strongly-typed Java methods, catching invalid accesses at compile time instead of runtime.

The Problem with Traditional Configuration

Traditional approaches to configuration in Java applications often involve:

String-based lookups: config.getString("database.url") - prone to typos and no IDE assistance
Manual type conversion: Integer.parseInt(config.getString("server.port")) - tedious and error-prone
No compile-time validation: Errors only discovered at runtime
Verbose boilerplate code: Creating POJOs to represent configuration structures

Similarly, internationalization typically relies on string keys that can't be validated until runtime:

// Traditional approach - error-prone  
String message = ResourceBundle.getBundle("messages").getString("greeting");  
String formatted = MessageFormat.format(message, userName);

Introducing Propify

Propify is a lightweight Java annotation processor that automatically generates type-safe classes for both configuration files (YAML, properties, INI) and internationalization bundles. It provides a clean, intuitive API that catches errors at compile time rather than runtime.

Key Features

🔒 Type-Safe Configuration: Access properties through generated Java methods
🌐 Type-Safe Internationalization: Strongly-typed resource bundles with ICU4J formatting
🛠️ Compile-Time Validation: Catch errors during build, not at runtime
📚 Nested Properties Support: Hierarchical configuration with dot notation
🔄 Custom Lookups: Inject dynamic values from environment variables or custom sources
⚡ Zero Runtime Overhead: All code generated at compile time

How Propify Works

Propify uses Java's annotation processing system to generate code during compilation. Here's the basic workflow:

Annotate an interface or class with @Propify or @I18n
Compile your code — Propify reads your configuration files and generates type-safe classes
Use the generated classes in your application code

The magic happens at compile time — Propify scans your codebase for annotations, reads the referenced configuration files, and generates Java classes that provide type-safe access to your configuration and messages.

Getting Started with Propify

Installation

Maven

Add dependency and annotation processor:

<dependencies>
  <dependency>
    <groupId>com.vgerbot</groupId>
    <artifactId>propify</artifactId>
    <version>2.0.0</version>
  </dependency>
</dependencies>
<build>
  <plugins>
    <plugin>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.8.1</version>
      <configuration>
        <source>1.8</source>
        <target>1.8</target>
        <annotationProcessorPaths>
          <path>
            <groupId>com.vgerbot</groupId>
            <artifactId>propify</artifactId>
            <version>2.0.0</version>
          </path>
        </annotationProcessorPaths>
      </configuration>
    </plugin>
  </plugins>
</build>

Gradle (≥4.6)

dependencies {
  implementation 'com.vgerbot:propify:2.0.0'
  annotationProcessor 'com.vgerbot:propify:2.0.0'
}

Gradle (<4.6)

plugins {
  id 'net.ltgt.apt' version '0.21'
}
dependencies {
  compile 'com.vgerbot:propify:2.0.0'
  apt     'com.vgerbot:propify:2.0.0'
}

Type-Safe Configuration in 3 Steps

1. Create a configuration file (YAML, properties, or INI):

# application.yml
server:
  host: localhost
  port: 8080
database:
  url: jdbc:mysql://localhost:3306/mydb
  username: root
  password: secret

2. Annotate an interface:

@Propify(location = "application.yml")
public interface AppConfig {}

3. Use the generated class:

// Type-safe configuration access
AppConfigPropify config = new AppConfigPropify();
String host = config.getServer().getHost();
int port = config.getServer().getPort();
String dbUrl = config.getDatabase().getUrl();

That's it! No more string-based lookups, no more type conversion, and no more runtime errors due to typos.

Type-Safe Internationalization

Propify also makes internationalization a breeze:

1. Create message files:

# messages.properties (default)
welcome=Welcome
greeting=Hello, {name}!

# messages_zh_CN.properties
welcome=欢迎
greeting=你好, {name}！

2. Annotate a class:

@I18n(baseName = "messages", defaultLocale = "en")
public class Messages {}

3. Access messages:

// Type-safe message formatting
String welcome = MessageResource.getDefault().welcome();
String greeting = MessageResource.getDefault().greeting("John");

// Locale-specific messages
String chineseGreeting = MessageResource.get(Locale.CHINESE).greeting("张三");

Advanced Features

Custom Lookups for Dynamic Values

Propify supports variable interpolation in configuration files:

app:
  tempDir: "{env:TEMP_DIR}"
  secretKey: "{vault:db-secret}"

You can implement custom lookup providers:

class VaultLookup implements PropifyLookup {
    @Override
    public String getPrefix() {
        return "vault";
    }

    @Override
    public Object lookup(String key) {
        // Retrieve secret from vault
        return VaultClient.getSecret(key);
    }
}

@Propify(
  location = "application.yml",
  lookups = { VaultLookup.class }
)
public interface AppConfig {}

Support for Multiple Configuration Formats

Propify supports various configuration formats:

YAML: For hierarchical configuration
Properties: Traditional Java properties files
INI: For simple configuration needs

The format is automatically detected from the file extension, or you can specify it explicitly:

@Propify(
  location = "config.custom",
  mediaType = "application/x-java-properties"
)
public interface CustomConfig {}

Practical Examples

Here are some practical examples of how to use Propify in common scenarios:

Nested Configuration

# application.yml
server:
  http:
    port: 8080
  https:
    port: 8443
    keystore: /path/to/keystore

@Propify(location = "application.yml")
public interface ServerConfig {}

// Usage
ServerConfigPropify config = new ServerConfigPropify();
int httpPort = config.getServer().getHttp().getPort();  // 8080
String keystore = config.getServer().getHttps().getKeystore();  // /path/to/keystore

Environment-Specific Configuration

# app.yml
database:
  url: "jdbc:mysql://{env:DB_HOST}:{env:DB_PORT}/{env:DB_NAME}"

@Propify(
  location = "app.yml",
  lookups = { EnvironmentLookup.class }
)
public interface AppConfig {}

Benefits for Enterprise Applications

For enterprise applications, Propify offers several key benefits:

Reduced Bugs: Catch configuration errors at compile time
Improved Developer Experience: IDE auto-completion and refactoring support
Better Maintainability: Type-safe access makes code more readable and maintainable
Enhanced Security: No more hardcoded secrets with custom lookup providers
Simplified Internationalization: Type-safe message formatting with ICU support

Getting Help

If you encounter any issues or have questions about using Propify:

GitHub Issues: Submit a new issue on the GitHub repository
Documentation: Check the Wiki for detailed documentation
Examples: Browse the examples directory for sample projects

Conclusion

Propify brings type safety to configuration and internationalization in Java applications, eliminating a whole class of runtime errors and improving developer productivity. By leveraging the power of Java's annotation processing system, it provides these benefits with zero runtime overhead.

Whether you're building a small application or a large enterprise system, Propify can help you manage configuration and internationalization in a type-safe, maintainable way.

Ready to try Propify? Check out the GitHub repository and start enjoying type-safe configuration today!

Acknowledgments

Propify builds on several excellent open-source libraries:

JavaPoet — Java source file generation
Jackson YAML — YAML parsing
Apache Commons Configuration — Configuration management
ICU4J — Internationalization support

Understanding CSRF Attacks: Process, Risks, and Protection

chien hsin Yang — Mon, 23 Jun 2025 10:06:55 +0000

Cross-Site Request Forgery (CSRF) is a prevalent web security vulnerability that exploits a user's authenticated session on a trusted website to perform unauthorized actions. In this blog, we'll dive into what CSRF is, how it works, its potential impact, and effective ways to prevent it. We'll also include visual sequence diagrams created with PlantUML to illustrate both the attack and protection processes, making the concept easier to grasp.

What is CSRF?

CSRF is an attack where a malicious website tricks a user's browser into sending unintended requests to a legitimate website where the user is authenticated. Since browsers automatically include cookies with requests to the target site, the legitimate website may execute the request, assuming it came from the user. This can lead to serious consequences, such as unauthorized fund transfers, password changes, or data deletion.

The attack relies on:

The user being logged into the target site (e.g., A.com).
The target site trusting cookies for authentication without additional verification.
The attacker crafting a malicious request on another site (e.g., B.com) that the user is lured into triggering.

CSRF Attack Process

To understand how CSRF works, let's break down the attack process using a sequence diagram. The following PlantUML diagram illustrates a typical CSRF attack where a user is tricked into performing an unauthorized action on a banking website (A.com) via a malicious site (B.com).

Attack Sequence Diagram

How the Attack Works

User Logs In: The user visits A.com (e.g., a bank) and logs in. The server responds with a session cookie (session_id), stored by the browser.
User Visits Malicious Site: The user is lured to B.com (e.g., via a phishing email or malicious link). B.com serves a page with a hidden request, such as an auto-submitting form:

   <form action="https://A.com/transfer" method="POST">
       <input type="hidden" name="amount" value="1000">
       <input type="hidden" name="to" value="attacker_account">
   </form>
   <script>document.forms[0].submit();</script>

Browser Sends Request: The browser sends the forged request to A.com, automatically including the session_id cookie. Since the cookie is valid, A.com assumes the request is legitimate.
Action Executed: The bank processes the transfer, and the attacker receives the funds.

Risks of CSRF

Financial Loss: Unauthorized transfers or purchases.
Account Compromise: Password changes or account settings modifications.
Data Manipulation: Deleting or altering user data.
Reputation Damage: For websites, executing unintended actions can erode user trust.

Preventing CSRF Attacks

To mitigate CSRF, websites must implement defenses that ensure requests are intentional and originate from trusted sources. Common protections include CSRF tokens, SameSite cookies, and request validation. Below is a PlantUML sequence diagram showing how these measures block a CSRF attack.

Protection Sequence Diagram

Protection Mechanisms

CSRF Tokens:

A unique, unpredictable token is included in legitimate forms or requests (e.g., as a hidden input field):

 <form action="/transfer" method="POST">
     <input type="hidden" name="_csrf" value="random_token_12345">
     <input type="text" name="amount" value="100">
     <input type="submit" value="Transfer">
 </form>

The server validates the token for each sensitive request. Since B.com cannot access or forge the token, the attack fails.

SameSite Cookies:
- Setting the SameSite attribute to Strict or Lax prevents the browser from including cookies in cross-site requests:
```
 Set-Cookie: session_id=xyz123; SameSite=Strict
```

Strict blocks cookies for all cross-site requests; Lax allows them for top-level navigation but not for POST requests.

Referer/Origin Validation:
- The server checks the Referer or Origin header to ensure requests come from A.com. Malicious requests from B.com are rejected.
Secondary Authentication:
- For high-risk actions (e.g., transfers), require additional verification, such as re-entering a password or a CAPTCHA.

Why CSRF Protection Matters

Without proper safeguards, CSRF vulnerabilities can lead to significant harm, especially for websites handling sensitive data like banking, e-commerce, or social platforms. Modern web frameworks (e.g., Django, Spring, Laravel) include built-in CSRF protections, but developers must ensure they are correctly configured.

Best Practices for Developers

Always Use CSRF Tokens: Include tokens in forms and AJAX requests for all state-changing operations.
Adopt SameSite Cookies: Set SameSite=Strict or Lax for session cookies to minimize cross-site risks.
Avoid GET for Sensitive Actions: Use POST for operations like transfers or updates to reduce the risk of simple attacks (e.g., via <img> tags).
Test Regularly: Use tools like OWASP ZAP or Burp Suite to scan for CSRF vulnerabilities in your application.
Educate Users: Warn users about phishing risks, as CSRF often relies on social engineering to lure victims to malicious sites.

Conclusion

CSRF attacks exploit the trust between a user's browser and a legitimate website, but with proper defenses like CSRF tokens and SameSite cookies, these risks can be effectively mitigated. The sequence diagrams above illustrate both the attack and protection processes, highlighting the importance of additional verification beyond cookies. By implementing robust security measures and staying vigilant, developers can protect users from CSRF and maintain trust in their applications.

If you have questions about CSRF or want to dive deeper into specific defenses, feel free to leave a comment or reach out! Stay secure!