you want acegi on that wall, you need acegi on that wall…
September 13, 2007 on 12:58 pm | In Security | 2 Comments
Just a little under 2 years ago, I became more aware of security as an important part of implementing a complete system. I know that many simply rely on the role-based ACL paradigm of the Sun Servlet spec they're using. Others may build their own Filter-based system. If keeping out non-authenticated and/or non-authorized users is your goal, this will suffice.
Some go further and use a proper framework to do this. One of the more popular, and in my opinion better, frameworks is Acegi. Relying on the Spring framework's core concepts, it's fairly lightweight and non-intrusive. This is partly why it's now a Spring sub-project. Unless you are a fan of reinventing the wheel, this is obviously a step up.
Basic Security
Assume basic security is achieved: a non-authenticated or non-authorized user cannot gain access to protected resources on your system. Great, but you can't stop there. In the summer of 2005, I was asked (told) to attend a security conference in Baltimore, MD. It wasn't as bad as I expected it to be: I spent 3 days at an old college buddy's home and saw places I hadn't seen in about a decade. Oh, and the conference wasn't half bad – I learned quite a bit.
The most important lesson was that authenticated and authorized users can still be malicious. One of the better presenters recalled a situation in which a C-level exec at a company was using an inventory site, along with his competitors. This exec realized that by changing his user-id in the query string from “1” to “3” (another reason why you should use a GUID generator), he could get access to a competitor’s information. Although this was a read-only inventory view, the exec was able to make decisions at his firm based directly on this information — most would call this an unfair advantage. When this came to light, obviously the exec and his firm faced some issues, but this destroyed the integrity of the inventory site. All this to say, even with your ‘trusted’ users: Trust, but Verify.
Better Security
Even if located in a safe community, an apartment building will have a locked front door. This is simply an attempt to authenticate people coming into the building via a door key (ROLE_RENTER). However, just because you enter a building doesn’t mean you are authorized to every corner of that building. In order to go to the basement or roof, you need a special key that only the superintendent has (ROLE_SUPER). To enter apartment #3, you will need the key for that apartment. Roles aren’t enough here — you need to white-list a set of keys that only open the lock on apartment #3.
Look at your own code: some of us simply assume that if role A can't see data meant only for role B, we're good to go. No, we're not (see the example above). This requires white-list restrictions at the service and/or domain level. I suggest the verification should take place nearest the thing that needs protection: verify domain access in your persistence/DAO layer, and verify actions at the service layer.
Implementation
Some of us (me included) have made the mistake of relying solely on Hibernate's Filter feature for access security. This is based on a false assumption: if the user can't see an item, they can't edit it. Those filters simply provide views of existing data without having to actually define the view in your schema. These filters do not get applied to Hibernate Session get(…) or load(…) calls. Hence, if a user specifies a valid object id, even though they could not see it in their filtered view, they can access it via a direct load. Abandoning get and load in your DAOs is cutting off your nose to spite your face: you'd lose some of the benefit of second-level cache retrieval. So then what?
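As an added illustration (not code from this post, nor from Acegi or Hibernate), here is a DAO that keeps get() but verifies ownership right beside it, while the listing path relies on a filter. The InventoryItem class, its ownerUsername property, the "ownerFilter" name and InventoryDao are all assumptions; the calls are the Acegi 1.x and Hibernate 3 APIs.

```java
import java.io.Serializable;
import java.util.List;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.hibernate.Session;
import org.hibernate.SessionFactory;

/** Hypothetical domain object: every row belongs to exactly one account. */
class InventoryItem {
    private Long id;
    private String ownerUsername;
    public Long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
}

public class InventoryDao {
    private final SessionFactory sessionFactory;

    public InventoryDao(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    // Listing: the assumed "ownerFilter" (condition "ownerUsername = :owner"
    // in the mapping) narrows HQL results to the caller's own rows.
    public List<InventoryItem> listOwnedItems() {
        Session session = sessionFactory.getCurrentSession();
        session.enableFilter("ownerFilter").setParameter("owner", currentUsername());
        return session.createQuery("from InventoryItem").list();
    }

    // Lookup by id: enabled filters are NOT applied to get()/load(), so a
    // guessed id comes straight back. Verify ownership here, next to the
    // load, rather than giving up get() and the second-level cache.
    public InventoryItem getOwnedItem(Serializable id) {
        InventoryItem item = (InventoryItem)
            sessionFactory.getCurrentSession().get(InventoryItem.class, id);
        if (item != null && !currentUsername().equals(item.getOwnerUsername())) {
            throw new AccessDeniedException("item " + id + " is not the caller's");
        }
        return item; // null when no such row exists
    }

    private static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated principal");
        }
        return auth.getName();
    }
}
```

Whether a foreign id should surface as a 403 or be indistinguishable from "not found" is a design choice; the point is that the check lives in the DAO, not in the view that happened to filter the list.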
Well, if you aren’t already an Acegi user, you should consider it. Acegi comes with reasonable documentation and good examples on how to implement JDBC-based ACL security for both your services and domain objects. However, if you use Hibernate, you’ll need to provide your own implementation for some things (ACL-entry mapping and retrieval). More on that in a future post.
it’s play money… no really.
September 12, 2007 on 9:56 am | In Time Waster | 2 Comments
I know it's childish, but it's a great time-waster: hedgestop. Ya sign up and get $50,000,000 to start. Then go nuts investing with this fake money and no commissions. I've made $40,000, but since I have 50 million, it's not really impressive. If ya sign up, let me know: people can challenge each other for an agreed-upon amount.
9/11, where are we now?
September 11, 2007 on 10:05 am | In Politics | No Comments
It's September 11th. I wonder how many people remember? More importantly, how many people have forgotten? Over the past 6 years, if you've been through an airport, or overseas in general, you know that day changed this country, better yet the world, forever.
I guess you'd be more interested if you were affected by the attacks, at least indirectly. I'm fortunate enough to have only known people near the towers during the attack, and not in them. I didn't know anyone who perished. I grew up in NYC — one of the greatest cities in the world! I joined a startup in Rochester, NY. I was at work at the time, and a co-worker said he heard something crazy on the radio. We all listened in, and it was a report that a plane had flown into tower one. We all thought, how does that even happen?! Even in that moment of fear, you think, "Who would dare make an attack on US soil? Don't they know we'll rain bullets on their heads?!" In the end, it was a terrorist attack, by predominantly Saudis.
Subsequently, in 2003, that start-up brought me to Minnesota. By this time the US had basically leveled the Taliban in Afghanistan. That was a good start, but we didn't finish the job: kill or capture Osama Bin Laden. Instead, we turned our focus towards Iraq and its dictator, Saddam Hussein. I knew that maybe the info was a bit shaky, but like I've said in the past, I thought C. Powell knew what he was talking about.
Yes, it's 9/11, but let's forget where we were – where are we now? By now, everyone should agree that there were no WMDs. So, how did we get into this quagmire? Well, it was the leadership. Yes, leadership is difficult; but this is why you usually surround yourself with people smarter than yourself (see FDR's Brain Trust). Normally, they support you and keep your feet on the ground. Well, at least theoretically. In a short time, there will be another election. There are a number of viable candidates, in both parties. In the end, I hope the nation selects one who is not simply able to wage war, but a leader, in every sense of the word.
that’s too honest?
September 6, 2007 on 9:20 am | In General | 1 Comment
"9. Unexplained gaps in work history. While job seekers should account for these gaps, they should be careful with their wording. 'One of the weirdest things that I ever saw on a resume … was a candidate who explained a 10-year lapse in work experience as being in jail during those years for killing her husband,' recalls Linda Goodspeed, marketing recruiting manager at VistaPrint. In such a situation, she says, the best thing to write would be 'left work for personal reasons,' and the candidate would be able to explain the criminal record later."
Yeah, there is such a thing as too honest. Also, how would she “explain” the criminal record later? Mumble murder under her breath? Read the rest here.
Toolman 0.2
September 1, 2007 on 11:18 pm | In Technical stuff | No Comments
So I was looking for something related to JavaScript in the WebWork documentation. That's not really important. Somehow, a section on some of the open-source JavaScript technologies caught my attention: Tool-man examples.
I've been wondering how I would add drag-and-drop functionality to one of my web-apps. It is only at release 0.2, but no worries: it literally took me 10 minutes to add this functionality to my site. Aside from being easy to use, it's just a handful of JavaScript files that come to about 20.5KB, and it plays well with Dojo.
Thank you, Tim Taylor!