/by apr on why-oh-why/

What's wrong with Payment gateways?

I've seen this problem coming a long time ago; in my country there's a local credit card association called POS2000. After a long long time they've settled on a single ISO-8583 v1987 based protocol that is a mix of several POS and host based protocols where every acquirer managed to bastardize the standard a little bit in order to make the POS implementor's life a little bit worse.

They did a pretty good job (at bastardizing us) and made jPOS quite better (we have now support for esoteric stuff such as the dynamic packagers that change the way we deal with a message for different message types, etc.).

But that's nothing compared to web based payment gateways.

The first craptastic work I've got to see was presented by a local credit card acquirer/issuer.

You know, the regular redirect-to-the-acquirer-site thing with OK and DECLINE URLs which were available in hidden fields, as if a malicious user couldn't read the page source code and hand-craft the OK-url to continue shopping. Come on! More acquirers followed the trend and provided similar pathetic implementations that very few merchants and less users actually use; but things get worst, thanks to the mouse and some visual tools, there's a whole new group of people writing SOAP based services. OMG!!

We are dealing with quite a few now, to support credit card transactions, prepaid top up applications, etc.

Decades of hard work by large financial institutions working on good standards go down the toilet, it's easier to "invent" an API than read an ISO spec and do the right thing. We are working now with a pre-paid phone company and you get to see things like no reversals, and one-second time-window for voids (come on!), and the results code are usually SQL syntax errors displayed to the client.

A similar thing happens with language-specific APIs, vendors think that developers are stupid and not capable enough to deal with a well specified protocol, so they create an API that is usually a bad and closed source implementation of a bad proprietary wire protocol.

Serenity now!

As a follow-up to the previous post about vdmspace, I've implemented a simple SpaceWriter TransactionParticipant that can be used to log all transaction contexts to the highly reliable VoldemortSpace (vdm:space). It can be added to your transaction flow like this:

The code looks like this:

package org.jpos.transaction;

import java.io.Serializable;
import org.jpos.space.Space;
import org.jpos.space.SpaceFactory;
import org.jpos.core.Configurable;
import org.jpos.core.Configuration;
import org.jpos.core.ConfigurationException;

public class SpaceWriter implements AbortParticipant, Configurable {
    Space sp;
    String prefix;
    Configuration cfg;
    public int prepare (long id, Serializable o) {
        return PREPARED | READONLY;
    }
    public int prepareForAbort (long id, Serializable o) { 
        return PREPARED | READONLY;
    }
    public void commit (long id, Serializable o) { 
        outContext (id, (Context) o);
    }
    public void abort  (long id, Serializable o) { 
        outContext (id, (Context) o);
    }
    private void outContext (long id, Context ctx) {
        if (sp == null)
            sp = SpaceFactory.getSpace (cfg.get ("space", null));
        sp.out (prefix + Long.toString (id), ctx);
    }
    public void setConfiguration (Configuration cfg) {
        this.cfg = cfg;
        prefix = cfg.get ("prefix", "");
    }
}

You can add this participant to the very end of your transaction flow. All persistent entries in your Context would get stored.

As a follow-up to the VoldemortSpace post and after one month of development and testing we are not proud (see caveats below) to announce the vdmspace module and its supporting voldemort module. I've added two modules to jposee/opt, 'voldemort' and 'vdmspace' (r153). I splitted them in two different modules because I think there might be situations where accessing a Voldemort store directly could be desirable, without the Space implementation layer. During the last month playing with this exciting technology I faced many problems and tried different implementations. I tried not to use a coordinator, but Voldemort provides no easy locking mechanism in its StoreClient interface other than optimistic locking, making some space operations difficult to implement. So here are the caveats:

• Using the vdmspace for high concurrency input / output (in space terms, in/out) over the same keys will work, but could eventually fail.
• An out with timeout works as expected, but requires an extra write in order to register the entry for later review by the garbage collector.
• You want to make sure that you run just one garbage collector in the cluster (this is a temporary limitation that can be easily solved).

Having said the cons, I believe the vdmspace is good for:

• Storing massive number of transactions, provided each transaction is stored under its own unique key (i.e. could be used to implement a SOR).
• Implementing a second level cache for configuration data that doesn't change too often.

In order to test this, you need to enable opt/commons, opt/voldemort and opt/vdmspace, then you can use simple code like this:

import org.jpos.space.*; Space sp = SpaceFactory.getSpace ("vdm:space"); ... ...

This needs a lot of test, so feedback is Welcome!

jPOS business partners from Jethro LTD UK will be visiting several jPOS sites in Naerobi, Kenya next week. If you are interested to meet their crew, please contact us and we'll make it happen. NOTE: the blond pretty lady from  their front page is not coming, she needs to stay in the front page :)

When we call:

   Object obj = sp.in ("MyQueue");
   ...
   ....
   // do some processing using 'obj'
   ...
   ...

I always feel worried about what could happen between the point in time you take the object off the Space and you place it in a safe storage for further processing. There's always some single point of failure toward the outer services, for instance, while you are reading a message from a socket, if that process dies, your message is lost, but in the case of a Space, specially a reliable one (such as the VoldemortSpace), it's just too sad to loose a message that was previously carefully stored in a highly available fail-safe way, just because a client worker crashes. The initial solutions that came to mind would involve passing around some kind of Transaction Object (like Jini's Transaction or JTA) so we could make the Space participate in the transaction, but that's something easy to say, but not that easy to implement. Then sometime ago, I've read about how Amazon's SQS nicely solves a problem like this with temporary reads, when you read from SQS, you get the object for a couple of minutes and you need to confirm that you actually got it, otherwise, the object would show up again in the queue. I think an easy way to implement that using very simple space operations, would be to implement a temporary 'move' operation. I think that a proper syntax would be something like this:

   K move (K from, long timeout);

You get the idea, you'd use something like:

  Object tmpKey = sp.move ("MyQueue", 60000L);
  try {
      Object value = sp.rdp (tmpKey);
      ...
      ... process the entry
  } finally {
      sp.inp (tmpKey);
  }

If for some reason, you fail to 'inp' from tmpKey in your 60 seconds time-window, the object would show up again in the 'MyQueue' queue. I'm not implementing this now, but I may add the method as a place holder in the Space interface.

When I start writing a new Space implementation, a Friend's episode where Phoebe's brother tells Phoebe he "melts stuff" comes to mind (hilarious). He melts stuff; I write Space implementations [nerdy laugh here]. Back in the late 90s I started reading about the Linda Coordination Language and loved it,  I deployed a 25 node Jini/JavaSpaces (Outrigger) based application (small supermarket chain, each node was a member of the Jini federation). Due to the slow links, some early problems with OutRigger and a low memory budget on the nodes, we had to replace that implementation with a minimalistic one, and that's why I wrote the first jPOS Space implementation. But I always wanted to have a reliable, self-healing, highly scalable space, and guess what, I believe Project Voldemort is a God send for that, a perfect fit. We still need a couple of weeks in order to be able to provide a first release, we still have some locking problems and need to work on the garbage collector in order to efficiently reclaim space used by expired entries, but I thought it could be a good idea to share with you the fact that we are working with this new and exciting technology just in case you want to get yourself up to speed with it. Meanwhile, you may want to read and play with Project Voldemort, Amazon Dynamo and the miniSpaces tutorial.

People sometimes use jPOS as a library and do the wiring using Java code, something that Q2 already does in a clean and easy to maintain way. In r2735 we've introduced a couple of changes to Q2 in order to simplify the way you can embed it in your application in order to get the best of both worlds. You basically need to instantiate a Q2 object and call its start() method. That's it. At shutdown time, you call stop() on that instance. There's no reason not to use Q2 now, you just need to:

import org.jpos.q2.Q2;
...
...
  Q2 q2 = new Q2("path/to/your/deploy/directory");
  q2.start();
...
...

At stop time, you simply call:

  q2.stop();

Ditto, jPOS 1.6.4 has been released. Here is the ChangeLog. We are moving development to 1.6.5 now. jPOS-EE modules/jpos/lib has been updated with a pre-compiled version of 1.6.4. Please report problems to jpos-dev mailing list (see Resources).

/by apr/ This has nothing to do with jPOS, but since I don't have a personal blog I thought it would be a good idea to share this funny finding. I think I've "invented" a very easy way to add a some level of security to my regular credit cards, I'm testing it and works great on my MasterCard. It's very simple. I've memorized the CVC on the back of the card and then erased it with my little swiss army knife (you've got one, right? otherwise you wouldn't be reading this blog). This won't protect you against a problem like this but it's good if your card gets robbed or you lost your wallet. The procedure to use the "protected" card is very simple, you need to stay close to the operator and when you see a weird expression in her/his face when [s]he turns around the card to read the CVC, you just say "it's kind of erased, the number is NNN". So far it has worked all the time, I just need to refine the method for restaurants with no wireless POS where my wife bugs me to use an "unprotected" card in order to avoid all the fuzz (she ends up using hers most of the time, which is not bad either)

Hey, check this out, here is jPOS long time contributor Bharavi!