Why do I need inheritance in OOP? Real-world examples.

The problem in general is that books often don't make it clear why some particular technique is needed. Here we are going to discuss why you need inheritance and where it is used in real-life applications. Let us first recall what inheritance is (samples in Java):

    // Base type: the only type the calling code needs to know about.
    public class Pet {
        public void say() { }
    }

    // Subtypes override say() with their own behaviour.
    public class Dog extends Pet {
        public void say() { System.out.println("I am a dog."); }
    }

    public class Cat extends Pet {
        public void say() { System.out.println("I am a cat."); }
    }

    public class Test {
        public static void main(String[] args) {
            Pet pet1 = new Dog();   // declared as Pet, refers to a Dog
            Pet pet2 = new Cat();   // declared as Pet, refers to a Cat
            pet1.say();
            pet2.say();
        }
    }

This program will output:

    I am a dog.
    I am a cat.

The idea is very simple: although pet1 and pet2 are declared as type Pet, pet1 points to an object of class Dog and pet2 points to an object of class Cat. The question usually raised is: why don't we just write Dog pet1 = new Dog(); and Cat pet2 = new Cat();? Why do we need to access them via Pet? Let me give you some real-world examples where we need it:

1. Servlets. When we create a servlet we inherit from the base servlet class and override the method doGet() or doPost() to add our functionality to the servlet. The server (for example Tomcat) has a list of our deployed servlet classes, and as soon as it gets a request for our servlet it loads our class, creates an object and calls doGet() or doPost() on it. Since the server has no idea what classes we have, it addresses an object of our class via a variable of type HttpServlet.
2. A similar idea was used in early versions of the Struts library.
3. In .NET as well as in Java you extend the Exception class or one of its subclasses to create exceptions specific to your application. The system (Java or .NET) knows only how to work with Exception (and specifically RuntimeException in Java) and works with all your exceptions uniformly.


2 eggs and a K-floors building puzzle

You have two absolutely identical eggs and an empty K-story building. You can throw an egg from any floor and see whether it breaks. If it does not break, you can reuse it immediately. You need to identify the lowest floor from which an egg breaks when thrown (the "breaking floor") in the minimum possible number of throws in the worst case.

Solution is here: the-problem-of-eggs-and-a-building.pdf
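The linked PDF holds the author's solution. The following is an added example, not taken from the post or the PDF: it solves the puzzle with a short dynamic programme, checks the result against the known closed form (the smallest n with n(n+1)/2 >= K), and then simulates the resulting throwing strategy against every possible breaking floor to confirm the worst case really is the computed minimum.

```python
def min_drops_two_eggs(k):
    """Dynamic programme: best[f] = fewest worst-case throws for f floors and two eggs.

    Throw the first egg from floor x (1..f): if it breaks, the second egg must scan
    floors 1..x-1 one by one (x-1 throws); if not, the same problem remains above x
    with f-x floors.  Take the best x for each f.
    """
    best = [0] * (k + 1)
    for f in range(1, k + 1):
        best[f] = min(1 + max(x - 1, best[f - x]) for x in range(1, f + 1))
    return best[k]


def min_drops_closed_form(k):
    """Equivalent closed form: the smallest n with n(n+1)/2 >= k."""
    n = 0
    while n * (n + 1) // 2 < k:
        n += 1
    return n


def first_egg_floors(k):
    """Floors to try with the first egg: n, n+(n-1), n+(n-1)+(n-2), ..., capped at k."""
    n = min_drops_closed_form(k)
    floors, step, current = [], n, 0
    while current < k and step > 0:
        current = min(current + step, k)
        floors.append(current)
        step -= 1
    return floors


def throws_needed(k, breaking_floor):
    """Simulate the strategy against one breaking floor (use k+1 for 'never breaks')
    and return how many throws it takes to pin the breaking floor down."""
    throws, lowest_safe = 0, 0
    for floor in first_egg_floors(k):
        throws += 1
        if floor >= breaking_floor:                   # first egg broke
            for f in range(lowest_safe + 1, floor):   # second egg scans upward
                throws += 1
                if f >= breaking_floor:
                    break
            return throws
        lowest_safe = floor
    return throws                                     # no egg broke at all


def worst_case(k):
    """Worst case of the strategy over every possible breaking floor."""
    return max(throws_needed(k, b) for b in range(1, k + 2))


if __name__ == "__main__":
    for k in (10, 36, 100):
        print(k, min_drops_two_eggs(k), first_egg_floors(k), worst_case(k))
```

For the classic 100-floor building all three functions agree on 14 throws; the strategy starts at floor 14 and shrinks the gap by one each time so that an early break and a late break cost the same total.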

Secret question as the Big Security Issue and some solutions

Here I'm going to discuss the problems with security questions, from a software architect's point of view.

Problem description

How do hackers get access to the data in a user's account? Nowadays it is easy to make users use only cryptographically strong passwords. You can use a password meter to tell them that their password is insecure, and use the same code on the server side to refuse to set it. So let us assume that the user's password is already secure. But you probably want the user to have a chance to reset her/his password if she/he has forgotten it, and this is where most of the issues come from. In my experience a security question either assumes an insecure answer or is hard to use, since users may have more than one correct answer to it. In any case this answer is far less secure than the regular password, which makes it a security hole if it is used directly to show or change the password. In my view "show password" should never be used, for the following reasons:

  1. It forces you as a developer to store the password (even if encrypted) in your storage (usually a database). This is VERY bad: if a hacker gets access to the database she/he gets all passwords of all users. It is a similar issue to storing credit card numbers in your database and could be even worse, since users tend to use the same password everywhere. Best practice here is to store only a hash of the password and check the hash on login;
  2. It gives the password to the user as text, so the user could save it somewhere, or someone could see it on the user's monitor.

There are recommendations for users on how to use security questions more securely, but I doubt many follow them. "Change password" will not show the hacker the old password, but it is still an easy way into the system.

One more huge issue is that the answer to the security question is stored in the database as plain text or slightly encrypted text (instead of a hash). This opens up the same issue as discussed earlier.

Problem solutions

Ideally, if you can afford not to use security questions at all, that could be the solution (although I don't think it is possible nowadays), since even the following solution is limited by the security of the user's email account.

The only things you can do here are the following:

  1. Use more than one security question, and ask them either randomly and/or more than one at the same time;
  2. Or, after the security question(s), send the link to change the password to the user's email (but do not show this email to the user). In this case you depend on the security of the user's email. But if you don't send a link by email and just let the user change the password, this means you are providing access to the user's account secured only by security questions, which are far less secure. Alternatively you can just show the user's password hint, not the password itself.
  3. This change-password link should expire and contain a random token so that nobody else can use the same link to change the password; the token should expire immediately after the password is changed and should be specific to the user (but must not be generated from any of the user's information). The link itself must also not contain any information about the user;
  4. Attempts to access the user's account with an incorrect password or an incorrect security question answer should be limited (say to 5 a day, or in some other way);
  5. Each attempt to access the security question and change the password must be accompanied by a captcha;
  6. All communication involving the security question and changing the password must be done over SSL (HTTPS);
  7. Always notify the user about failed attempts to access her/his account and about password changes on the account. An attempt must be considered failed here even if only the captcha test fails;
  8. Treat answers to security questions as alternative passwords and handle them the same way, i.e. use a password input when the answer is entered the first time and when it is requested during the password reset process. Store only a HASH of the answer, not the answer itself. This is possibly not very convenient for the user, but it will keep her/his secret safe if your database is compromised, so I would call it an understandable inconvenience.

Pay attention to item 5, which is usually forgotten. The captcha here plays not only its primary role but also makes the path to change the password this way uncomfortable for the user, which pushes her/him to use the password rather than security-question access. It is, I would say, an administrative way of discouraging users from this route. I would also use a multi-step change-password procedure.

Note on password change process

The procedure for changing the password should be the following:

  1. After the user has answered the security questions correctly and passed the captcha test, a token should be generated from (ideally completely) random data and stored in the database in the users table, or in some other 1:1 table pointing to the user, along with the date and time when it was generated; mark the user's account as being updated (you can treat a non-null token as this flag). The link to change the password should be generated like this: https://yoursite.com/secure/passupdt?t=<NEWLY_GENERATED_TOKEN> For example it could be https://yoursite.com/secure/passupdt?t=dh678sHGs8Kjhksdflkj69387Ljhdfkjh&899872320870HKJjhsfjhlsdf This link should be sent to the user's email along with instructions on how to copy/paste it into the browser's address bar;
  2. When the user follows the link your code should read the token and find the user's account based on it. Make sure the token has not expired (you can, for example, check that it was generated no earlier than 24 hours ago). Here you can show a link to the password change form, or the form itself (don't forget the captcha on the form);
  3. After the user has passed the captcha test and provided the new password you must check the token, the flag and the expiration time again, and only then update the user's password hash in your system, remove the token and the "account is being updated" flag, and send the user an email notification that the password was updated (this notification must contain neither the old nor the new password, and should not even contain information about the user).

There is a possibility that the user will try to access her/his account the regular way (with the regular password) after step 1 or step 2. There are two possibilities: the attempt succeeds or it fails.

  • If it was successful (meaning the user remembered her/his password and logged in), you must immediately clear the token and the token flag in the login action and notify the user that there was an attempt to change the account's password;
  • If it was not successful, I don't see anything you can do for the change-password process (except the regular login limitations and a captcha starting from the second failed attempt). Just notify the user about one more failed attempt.
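The following is an added example, not code from the post, that puts the three-step procedure above together with the earlier recommendations (store only hashes of passwords and of security answers, limit failed attempts, count a failed captcha as a failed attempt, clear the token on a successful regular login, and keep the link free of user information). The class and method names, the 24-hour expiry and the limit of 5 attempts follow the post's figures; PBKDF2 as the hash, the in-memory user store and the injectable clock are my assumptions for a self-contained run.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60   # post's example: reject tokens older than 24 hours
MAX_FAILED_ATTEMPTS = 5            # post's example: limit failed attempts (e.g. 5 a day)


def hash_secret(secret, salt=None):
    """Salted slow hash (PBKDF2 here is an assumption; any password hash will do)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


def verify_secret(secret, salt, digest):
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


class User:
    def __init__(self, email, password, answers):
        self.email = email
        self.pw_salt, self.pw_hash = hash_secret(password)
        # Answers are trimmed/lower-cased and then stored like passwords: salted hash only.
        self.answer_hashes = [hash_secret(a.strip().lower()) for a in answers]
        self.reset_token = None        # a non-null token doubles as "account is being updated"
        self.reset_issued_at = None
        self.failed_attempts = 0
        self.notifications = []        # stands in for e-mail/SMS notifications to the user


class PasswordResetService:
    def __init__(self, users, clock=time.time):
        self.users = {u.email: u for u in users}
        self.clock = clock             # injectable so token expiry can be exercised in a test

    def _fail(self, user, reason):
        user.failed_attempts += 1
        user.notifications.append("failed attempt: " + reason)

    @staticmethod
    def _clear(user):
        user.reset_token = user.reset_issued_at = None

    def start_reset(self, email, answers, captcha_ok):
        """Step 1: check captcha and every answer, then mint a random token and the link."""
        user = self.users.get(email)
        if user is None or user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return None
        if not captcha_ok:
            self._fail(user, "captcha")        # a failed captcha counts as a failed attempt
            return None
        ok = len(answers) == len(user.answer_hashes) and all(
            verify_secret(a.strip().lower(), salt, digest)
            for a, (salt, digest) in zip(answers, user.answer_hashes))
        if not ok:
            self._fail(user, "security question")
            return None
        user.reset_token = secrets.token_urlsafe(32)   # random; carries no user information
        user.reset_issued_at = self.clock()
        # The link goes to the user's mailbox only; it is never shown in the browser.
        return "https://yoursite.com/secure/passupdt?t=" + user.reset_token

    def _user_for_token(self, token):
        # Find the account by token and enforce expiry (a real system would index by token).
        for user in self.users.values():
            if user.reset_token is not None and hmac.compare_digest(
                    user.reset_token.encode(), token.encode()):
                if self.clock() - user.reset_issued_at > TOKEN_TTL_SECONDS:
                    self._clear(user)
                    return None
                return user
        return None

    def open_link(self, token):
        """Step 2: the form is shown only while the token exists and is unexpired."""
        return self._user_for_token(token) is not None

    def complete_reset(self, token, new_password, captcha_ok):
        """Step 3: re-check captcha, token and expiry, store the new hash, drop the token."""
        user = self._user_for_token(token)
        if user is None or not captcha_ok:
            return False
        user.pw_salt, user.pw_hash = hash_secret(new_password)
        self._clear(user)
        user.notifications.append("password changed")   # no password, no account details
        return True

    def login(self, email, password):
        # A successful regular login cancels any pending reset and tells the user about it.
        user = self.users.get(email)
        if user is None:
            return False
        if not verify_secret(password, user.pw_salt, user.pw_hash):
            self._fail(user, "password")
            return False
        if user.reset_token is not None:
            self._clear(user)
            user.notifications.append("pending password change cancelled by login")
        return True
```

Two details worth noticing: the token is compared with a constant-time comparison and is looked up only in its own column, so neither the e-mail nor any other account field ever appears in the link; and the same checks (token present, not expired, captcha passed) are repeated in step 3 rather than trusted from step 2, because a link that was valid when the form was opened may have been cancelled by a login or expired in the meantime.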

There is one more thing here. If the user selects the change-password link but has always logged in successfully before, this activity should be considered suspicious and the user should be asked for her/his password before proceeding. If the password is correct the user should be logged in and redirected to the regular first-after-login page; if the password is incorrect the user should be notified (by email/SMS) and only then proceed to the security questions. It is clear that hackers will more likely attack the security questions rather than the password. Another way to avoid this could be not to provide access to the forgot-password link until the user has tried to access the account the regular way and failed.

Again, as an alternative to a link with a token, you can send the user a temporary password, which she/he will have to change on first login.

BlazeDS vs Granite DS vs WebORB vs LiveCycle DS for business applications on Flex and Java

Here is the table of features I managed to find:

Feature BlazeDS Granite DS WebORB LiveCycle DS
Data management Services
Client-Server synchronization + + +
Conflict resolution + +
Data paging + + +
SQL adapter + +
Hibernate adapter + + +
Document Services
LiveCycle remoting + +
RIA-to-PDF conversion +(plugin) +
Enterprise-Class Flex application services
Data access/remoting + + + +
Proxy service + + + +
Automated testing support +(through RIA AppPuncher –coming soon) +
Software clustering + + + +
Web tier compiler + + +
Flex code generation + +
Enterprise Integration
WSRP generation +
Ajax data services + + +
Flex-Ajax bridge + +
Runtime configuration + + +
Open adapter architecture + +
JMS adapter + + + +
Server-side component framework integration + + + +
Stateful services (session scope for Java objects) + + ?
Singleton services (application scope for Java objects) + + ?
Server-to-client method invocation + ?
ColdFusion integration + +
Service browser displaying POJOs, Spring beans, EJBs and a list of deployed JAR files +
Offline Application Support
Offline data cache + +
Local message queuing + +
Real-Time Data
Publish and Subscribe messaging + + +
Real-time data quality of service + + +
RTMP tunneling + +
Frameworks built-in integration
Spring + +
EJB3 + ?

I used the following articles:
http://sujitreddyg.wordpress.com/2008/01/31/blazeds-and-lcds-feature-difference/
http://www.infoq.com/news/2008/02/granite-data-services
http://www.themidnightcoders.com/weborb/java/product_editions.shtm
http://mcoderkat.wordpress.com/2009/02/08/weborb-for-java-vs-blazeds-vs-lcds/
http://www.graniteds.org/confluence/display/DOC/1.1.+What+is+Granite+Data+Services
http://www.adobe.com/products/livecycle/dataservices/features.html

Patterns mess: Abstract Factory versus Factory Method versus Builder, Adapter versus Bridge versus Composite versus Decorator versus Facade versus Proxy, etc.

At first I would like to mention that there is a difference between all the patterns I mentioned, but my point is that this difference is so insignificant that it wasn't worth dividing all these patterns. I think that Abstract Factory, Factory Method, and Builder are all about the same thing: constructing objects with some method(s) and using inheritance to build different types (families) of objects. The same applies to Adapter, Bridge, Decorator, Facade, and Proxy in GoF terms. I would reserve the Proxy term for a remote proxy in a distributed environment, as it is used now. Again, for me all these patterns as presented by GoF are about intensive use of encapsulation. I personally think that the existence of such a number of similar patterns is misleading.

Sun Certified Enterprise Architect (SCEA) for Java Platform, Enterprise Edition 5

I finally found time to pass the exam, and now I am a Sun Certified Enterprise Architect (SCEA) for Java Platform, Enterprise Edition 5. I wonder how many people have this title? I'd like to mention that the exam is composed very well. It includes a multiple-choice exam, an assignment and an essay. Multiple choice is as usual, but the assignment is a good idea. It allows the examiners to see how you handle regular architect tasks, and the essay is just to check that you did the task yourself. If you are interested in getting the title I would recommend visiting Sun's site and buying their Sun Certified Enterprise Architect Study Guide and, of course, the Core J2EE Patterns book, assuming that you have already read GoF. It seemed to me that these books help the most, despite being quite old and not reflecting the latest JEE5 features. For those features I would recommend reading Enterprise JavaBeans 3.0 (5th Edition) by Bill Burke and Richard Monson-Haefel and of course The Java EE 5 Tutorial, which is sometimes much more concise than Bill and Richard's book. The interesting thing among all of this is that the Sun guys are pushing their own terminology for enterprise patterns, which is not always the same as in the already classical Patterns of Enterprise Application Architecture by Martin Fowler.