
Is transparent access control worth unintelligible error messages?

Partly egged on by Rob and Brian, I just took a long overdue look at container managed security for web applications.

My conclusion: it’s nice, but there is one major flaw that dooms the whole premise. Users expect informative error messages when they ‘sign in’ and there’s no way to do that with container managed security.

I was using Tomcat 4.1, which is to say, I was examining the servlet 2.3 specification. (I just looked at the 2.4 specification and can see no amelioration of the above issue.) I also focused on the FORM method of authentication, as that’s the most customizable. (I imagine, for an intranet app obsessed with security, client certificates would be a worthwhile avenue of investigation.) I found the servlet specs to be very helpful in this process.

With the FORM method of authentication, you can customize the appearance of your login and error pages, to some extent. This is a huge win.

I really liked the automatic access control–no checking at the beginning of every ActionForm or JSP for any specific attribute. Additionally, you can protect different URL patterns easily, and for most of the applications I write, this is enough. If you need to protect buttons on a page, you can always resort to isUserInRole.

Also, you can protect the login and error pages, which should never be accessed directly in a separate /safe directory, to which you can prohibit all access.

For the times when the user is denied access to a resource, you can create a custom 403 error page, using the error-page directive in web.xml. Unfortunately, you only seem to get three attributes: javax.servlet.error.message, javax.servlet.error.request_uri and javax.servlet.error.status_code, which limits the nature of your response. These were what Tomcat gave me–I don’t think it’s part of the spec. Regardless, IE, with default settings, doesn’t display any custom error messages, which makes this a rather moot point for general webapps.
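The pieces described above (FORM login, a protected URL pattern, a /safe directory nobody may request directly, and a custom 403 page) fit together in web.xml like this. This is an added example, not configuration from the original post; the role name, paths and page names are assumed. The login page itself must POST j_username and j_password to j_security_check for the container to pick them up.

```xml
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Custom page for "authenticated but not in the required role" (HTTP 403).
       In the 2.3 DTD, error-page must appear before security-constraint. -->
  <error-page>
    <error-code>403</error-code>
    <location>/safe/forbidden.jsp</location>
  </error-page>

  <!-- Everything under /admin/ needs an authenticated user in the "manager" role
       (role name assumed for this example). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The login, error and forbidden pages live under /safe/. An empty
       auth-constraint denies every direct request; the container still reaches
       them internally (via forward) during FORM authentication and error handling. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/safe/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/safe/login.jsp</form-login-page>
      <form-error-page>/safe/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Note that the form-error-page is the only feedback the container gives on a failed login; it cannot tell you which field was wrong, which is the limitation the post complains about.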

Creating a logout page is fairly easy, just call session.invalidate() (though there seem to be some non standard methods of doing it as well).

However, as mentioned above, I just don’t think that users will accept the generic login error messages that you are forced to give. For instance, you can’t tell whether a user didn’t enter a password, or entered an incorrect password. You can’t redirect them back to a login page with helpful error messages around the incorrect box. These are fundamental issues with authentication–no serious webapp simply throws up its hands when a user doesn’t login correctly the *first* time.

Separate from user experience, but still related to authentication behavior, you can’t ‘lock out’ users who’ve attempted to login too many times. Sure, you can keep track of how many times they’ve tried to login, but the authentication process is out of your hands.

Additionally, the fact that you’re tied to a particular implementation for user/role definition means that writing custom authentication code that just accesses an RDBMS is actually more portable.

The answer, to the question posed in the title of this post: “is transparent access control worth unintelligible error messages?”, is almost always “no.” And folks accuse developers of not having any sense of user interface!

SimpleDateFormat and the 13th month

Wow. I just learned something about SimpleDateFormat, a class that I always resort to when I have to convert a String to a Date in java. Check out this bit of code:

import java.text.*;
import java.util.*;

public class foo {
    public static void main (String[] args) throws Exception {
        // Two-digit month, two-digit day, four-digit year, no separators
        SimpleDateFormat sdf = new SimpleDateFormat("MMddyyyy");
        System.out.println("12012000 " + sdf.parse("12012000")); // a valid date
        System.out.println("13012000 " + sdf.parse("13012000")); // month 13
        System.out.println("12322000 " + sdf.parse("12322000")); // day 32
    }
}

and the output from that code:

$ java -classpath . foo
12012000 Fri Dec 01 00:00:00 MST 2000
13012000 Mon Jan 01 00:00:00 MST 2001
12322000 Mon Jan 01 00:00:00 MST 2001

Any overflow gets rolled into the next higher unit (in addition, I’d call this a place). The 32nd day of December is the 1st of Jan, and the 13th month of any year is Jan. This is an implementation detail, as I found no mention of it in the SimpleDateFormat javadoc, nor the DateFormat javadoc, but others have noticed this too.
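If the string comes from user input, silently accepting "13012000" as a January date is a validation hole. The rolling behaviour is controlled by DateFormat.setLenient: turning it off makes out-of-range fields a ParseException, and checking the ParsePosition catches trailing junk that parse(String) would otherwise ignore. This is an added example, not code from the original post; the class and method names are assumed.

```java
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;

public class StrictDateParse {
    // Parses MMddyyyy strictly. Returns null for anything that is not a real
    // calendar date, or that has characters left over after the date.
    static Date parseStrict(String input) {
        SimpleDateFormat sdf = new SimpleDateFormat("MMddyyyy");
        sdf.setLenient(false);            // disable the overflow rolling shown above
        ParsePosition pos = new ParsePosition(0);
        Date d = sdf.parse(input, pos);   // returns null instead of throwing on failure
        // Reject partial consumption, e.g. "12012000junk" or "120120001"
        if (d == null || pos.getIndex() != input.length()) {
            return null;
        }
        return d;
    }

    public static void main(String[] args) {
        // Constructed inputs: the three from the post plus a non-leap-year Feb 29
        // and one with trailing characters.
        String[] inputs = { "12012000", "13012000", "12322000", "02292001", "12012000x" };
        for (String s : inputs) {
            Date d = parseStrict(s);
            System.out.println(s + " -> " + (d == null ? "rejected" : d));
        }
    }
}
```

Only the first input survives; the rest are rejected rather than being quietly turned into some other date.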

jalopy now closed source

Jalopy, which I wrote about here, is now closed source. It’s about $40 for a single user license. For more info, see the corporate website. I see that the open source version is still around, though there hasn’t been a release since 1.02, about 18 months (about the same as xdoclet actually).

I totally respect Hunsicker Marco (who is the developer, I think and certainly the owner of the corporate domain) and his right to earn a living. $40 certainly isn’t that much (in fact, he even has a link to the old, free version on his purchase page!), but I hope that he eventually rolls the improvements into the free version, a la ESR’s “Free The Future, Sell the Present” business model.

Three tech tips

Here are three items that I’ve found useful in the past, but aren’t worth an individual post because of their triviality.

1. Sometimes file archives are only available in .zip format. There are unix programs out there that can unzip such archives, and linux often ships with one. But sometimes it’s not installed. Lately, I’m almost always doing some kind of java development, in which case, you can use the jar command to extract the archive.

2. I generate an html page of all my rss feeds, using a custom perl hack (I wouldn’t go so far as to term it a script). (No newsgator for me! Did I mention I still use pine for email?) This can produce quite a big file, since I’m querying around 80 feeds. In an effort to reduce my bandwidth, which I pay for, I now gzip my rss feeds page, using CPU that I don’t pay for (well, not directly). And, while gzip may not be the most efficient of compressors, files in gzipped format can be transparently read in all the browsers I cared to test: Mozilla, Firefox, IE, and even lynx.

3. Sometimes you just want the data from a mysql query in an easy format that you can pull into a spreadsheet and manipulate further. In the past, I would have written a quick perl script, using DBI, but after investigating the client options, I found another way. mysql -u user -B -ppass -e 'select * from my_data' databasename gives you nice tab delimited output. I’ve used this with the mysql 4 client; since I couldn’t track down the mysql 3 manual, I’m not clear what version of the mysql client supports these features.

Book Review: Your Money or Your Life

Your Money or Your Life by Joe Dominguez and Vicki Robin, is a collection of simple, common sense observations about money. Perhaps because money is so fundamental to our lives, or because we associate it with work, often we don’t examine these simple truths. But the first step to making sound decisions, about money as about every other topic, is to gather all the facts so you can make a knowledgeable and conscious decision. This book helps you do that.

The book takes you through 9 steps to Financial Independence, from cataloging all the money you’ve ever made to keeping a budget to their solution for non wage income. The lessons are told in an easy, simple manner, with ‘real life’ stories interspersed throughout. Some of their most profound ideas aren’t about money, but about work–what human beings look for in work that they used to look for in community and family.

I’m a single guy, and I felt this book was aimed at big spenders with families, mortgages and boats, but I still felt there were lessons to take away. Their end solution is something I’m still up in the air about, but the steps along the way were fabulous–every one simple enough to understand, yet powerful enough to change the way you thought about the concepts discussed. I liked this book and would recommend it.

Scripting languages and productivity

Bruce Eckel has some things to say about different languages and productivity. One quote in particular stood out:

“I didn’t have to look that up, or to even think about it [reading the contents of a file using python], because it’s so natural. I always have to look up the way to open files and read lines in Java. I suppose you could argue that Java wasn’t intended to do text processing and I’d agree with you, but unfortunately it seems like Java is mostly used on servers where a very common task is to process text.”

I agree entirely. I come from a perl background (it’s the language I cut my teeth on, which, I suppose, dates me), and unlike some, I’m unabashedly in favor of it. I’ve looked at python briefly, and it does seem to have perl’s flexibility and agility with less ambiguity. When you have to grab a file from the filesystem (or parse a file and stuff it into a database) there’s simply no comparison, and anyone who reaches for Java to solve such problems simply hasn’t experienced the joy of the freedom of scripting languages.

The problem with such free form languages arises when you start doing large scale systems. Java, for all its faults and complexity, forces choices about implementation to be done at a high level–which framework do we want to use, how do we architect this solution. Perl (note that I’m not talking about python, since I’m a python newbie), on the other hand, is more flexible, and hence allows more latitude. It requires more discipline to code OO perl, or, for that matter, readable perl, than it does to code readable java. (There are different ways to implement objects in perl–see Object Oriented Perl for more information.) By limiting some of the latitude of the developer, you gain some maintainability.

I was trying to think of trivial examples that illustrate this point, but I couldn’t. Perhaps it’s because I’ve been out of touch with perl’s evolving core libraries for so long, or perhaps it’s because all the perl I’ve ever had to maintain has been intensely idiomatic, where all the java I’ve had to maintain has been, though at times obtuse, fairly easy to read, but I just feel that perl is a harder language to maintain than java.

Now, how does this apply to Eckel’s statements? Well, he uses python as his example–stating that you just plain can get more done with python than you can with java. It’s hard to argue with that…. But the majority of code expense and lifecycle is not in the creation but the maintenance. How do the scripting languages stack up for large scale systems? My experience (which, granted, is primarily applicable to small to medium size systems) indicates that the very flexibility which allows Bruce such amazing productivity hampers further enhancements and bug fixing on the code he writes.

Firefox customization

Firefox, the lightweight browser based on Mozilla, has been garnering quite a bit of attention lately. I’ve been a Mozilla user since 0.5, but only use the browser component, so I thought I’d give Firefox a try. It works great, and is very similar to IE (by design, no doubt). But browsing is a habit of mine, and, like anybody else, I don’t like to change my habits. Luckily, it was easy to change Firefox to fit my needs.

1. Have the search bar respond to my shortcuts (i for google images, g for google search, q for qwestdex search). This was no different than setting it up for Mozilla.

2. Firefox by default saves form entries. I don’t like that–it’s the paranoid in me. Easily changed: go to Tools / Options / Privacy / Saved Form Information and deselect the “Save information…” checkbox.

3. Firefox blithely closes a window when there’s more than one tab open. Wow! I don’t like that at all–Mozilla gives me a warning and 99% of the time, I was aiming at the wrong window or had forgotten that I had multiple tabs open. Feedster handed me this post so I knew I wasn’t alone; a bit of searching on MozDev turned up this handy extension: tab warning. Installing this was a snap, and now my browsing experience is back to what I expected.

One problem I haven’t figured out how to fix: in Mozilla, when you open a link in a new tab, the new tab gains focus. In Firefox, the old tab remains in front.

Ease of programming

Much has been written about ease of use in software, but I think that ease of programming has an even bigger effect. Clay Shirky has written an interesting post about situated software. Situated software is apparently social software written without certain ‘Web Software’ characteristics, and has some other unique traits. These include

1. not being as technically rigorous
2. capitalizing on ‘real world’ group knowledge without including that knowledge in software
3. lack of generality
4. planned small number of users
5. accepted physicality
6. short lifespan
7. lack of scalability

His post simply acknowledges that social software (that is, software intended to be used by and relying on the strengths of groups) is becoming, like much other software, easier and easier to write. This is due to a variety of factors:

1. Increasing awareness of computers. The PC has been around for 20 years, and is featured in more and more facets of life. This means that even folks who aren’t computer geeks have a basic understanding of how applications work and can be expected to use any applications that are interesting.

2. Open source and costless software reduce the cost structure. If you have to spend thousands of dollars (or hundreds of hours building) for a crucial infrastructure component (for example, a database, or a web server, or a set of client GUI libraries), it’s hard to justify if you’re just whipping something together for a small group. But if you have MySQL, Apache, and IE already provided free of charge, it’s a lot easier to build something interesting on top of these components. This also applies to technical knowledge. I’m on a mailing list for computer book authors and have seen quite a few lamentations about technical content being available for free on the web and cutting into book sales.

3. Programmers are expensive. Methodologies are expensive. Repeatable process is expensive. And all these are unneeded, if it’s going to be a small application used by a known and finite number of people.

4. Increasing ease of use. Tools like perl, MS Office, VB and PHP are made for throwing together quick applications. Sure, you can build large scale applications with these tools if you want, but that takes rigor and discipline. The reason it takes discipline is because these languages were designed from inception to make ‘easy things easy’ even for non programmers. Microsoft deserves plaudits for realizing this and developing their applications with the idea of a non-programmer building applications in mind. (Have you seen some of the wicked Excel spreadsheets your accounting department has?)

This trend is nothing new. In the 1960s, you had to control your video display system in your program; now you just call on MFC or Swing to handle the guts of the GUI. In the 1990s, you had to build your own state machine for each web application; now you just download one of the many frameworks out there and you get a state machine for free.

My question is, what does it do to society when everyone has some kind of understanding of software? To lean on the analogy with cars, I think you’ll end up with a similar division: a highly skilled, specialized, small workforce that builds software that’s easy to use, and a large class of users, who have varying degrees of understanding of the software, but use it in ways that the designers can’t imagine (how did you dent that?) in all facets of their lives.

Spamorama

I just ran across one of the most virulent pieces of weblog spam I’ve ever seen. It was an innocuous comment: ‘please help with my website…’ and the URL wasn’t ostentatiously bad:

pseudobreccia60 DOT tripod DOT com DOT ve (please don’t visit this site!)

pseudobreccia, in case you’re wondering, is a kind of rock. ve is the Venezuelan country code. tripod DOT com DOT ve points to ns4.hotwired.com as its authoritative name server. The comment wasn’t blatantly off topic. So, I wasn’t super suspicious of the site.

Being a bit curious, I visited it. What you get is some kind of flash application. It seems innocent enough, just an ad and an under construction sign. Viewing source shows you nothing, but every time you close the window, or change the location in the address bar, it pops up a new window with the same URL in it (I ended up having to shut the browser down entirely via the Process Manager before it would go away). But, the payload is a periodic full size window pop up with advertisements for, what else, p0rn. Shocking, I know. But the persistence of the app was amazing. I almost wish I had a flash decompiler just to take a look at what it was doing.

I was doing all this in Mozilla–I can’t imagine what it tries to do to Internet Explorer (sets up itself as your homepage, adds itself to your favorites) and I don’t want to find out.