TurboManage

David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler


    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.


Archive for August, 2006

JSF for Struts Developers Online Registration Now Open

Posted by David Chandler on August 19, 2006

Just a quick note for those who have been waiting for online registration for my upcoming class on JSF for Struts Developers in Atlanta. In order to give every student the best possible learning experience, registration is limited to 15 students.

Posted in Uncategorized | Leave a Comment »

Securing MyFaces Applications Against the OWASP Top Ten

Posted by David Chandler on August 17, 2006

Update Oct 6, 2009: you can download this presentation from the Writings page above.

My presentation on this subject has been selected for the upcoming ApacheCon US 2006! If you’d like to be a technical reviewer beforehand, please e-mail me at the address on the Consulting menu above. See you there!

ApacheCon US 2006

The JavaServer Faces (JSF) API is an excellent foundation for building secure Web applications because of its component-oriented nature, carefulness surrounding data validation, and numerous extension points. Apache myFaces builds on this strength by providing components which offer built-in protection against many of the OWASP Top Ten attacks including form parameter tampering and cross-site scripting. In this presentation, we’ll review how myFaces protects against these attacks and move on to explore JSF extensions you can deploy to provide complete protection against the OWASP Top Ten, including forced browsing, information leakage in select boxes, and unauthorized method execution. Specifically, we’ll look at centralized approaches to ensuring that every field and form is properly validated, a phase listener and view handler to prevent forced browsing and assist with detection of session hijacking, a custom converter and component to hide sensitive information such as IDs in menu options, and a JAAS permission checker for component actions (event handler methods).

/dmc

Posted in JavaServer Faces, Web App Security | Leave a Comment »

Eclipse Keyboard Shortcut of the Week

Posted by David Chandler on August 14, 2006

Just a quickie time-saver here. I hate having to use the mouse to navigate through code (yes, I can still use vi) as it is slow and bothered my right shoulder enough over time to force me to mouse with my left hand. If you’re like me, you’ll want to know about:

Ctrl+Shift+T (Open Type) Just type the first few letters of the Java class you’re looking for, and voila, you can use the arrow keys to find exactly the right one. No more clicking on folders in Package Explorer.

Ctrl+Shift+R (Open Resource) Same drill, but works for any resource in the Package Explorer.

You can find a bunch more of my favorite keyboard shortcuts in my Eclipse Google Notebook (linked on left).

/dmc

Posted in Eclipse, Ergonomics | Comments Off on Eclipse Keyboard Shortcut of the Week

If You’re Too Busy, You’re Not Doing Your Job

Posted by David Chandler on August 9, 2006

Much has been written about the virtues of the lazy programmer, the one who never likes to write the same code twice. For the lazy programmer, coding anything once is fun because it’s a learning experience, but coding it twice is tedious. Not only that, but also it is dangerous because manual repetition means there are too many degrees of freedom for error. And not only that, but doing the same thing twice when you could have done it once is WASTE. One of the principal ways you improve throughput in any system is to eliminate waste (think for just a moment about your body).

The brilliance of the lazy programmer is that he can recognize when he has just done the same thing twice. Others don’t see they have done the same thing at all. In other words, the lazy programmer’s mind works at a higher level of abstraction. He can factor out the common code in the right dimensions and build abstractions so he never has to generate waste by writing that code again (and of course, this is fun because it’s a new kind of code). Then he sees the common factors in the successive versions of those abstractions, and after 10 years or so, can build something as beautifully well-factored as, say, JavaServer Faces.

I submit that the same ability for abstract thinking and automation are key requirements for Operations and QA, too. For an Ops guy to follow a standard procedure for system installations is mere competence (if the Ops organization has no such procedures, the Ops manager should be replaced–there is no excuse for such a lack of discipline). The truly great Ops people learn a system well enough to automate its installation and maintenance. They wield power tools with funky names like sed, perl, bash, and even InstallShield. They can run some command that will reinstall and reconfigure every server on the network in the event of a disaster and they know it works because they use the script for daily installs.

But, alas, like the lazy programmer, the lazy ops guy is rarely seen. In his place are (very) hard-working drones who manually repeat the same steps day after day, spend most of their time reacting to the perpetual crisis, and wonder why they live in a world of chaos.

If your Ops people are always busy, it might be a sign that they aren’t doing their job!

/dmc

Posted in Business of Software | Leave a Comment »

How to Hire Good QA People for Web Applications

Posted by David Chandler on August 9, 2006

A veteran software manager recently gave me some valuable insights on finding highly productive and effective QA people.

These two questions reveal a great deal about someone’s mindset and approach to software testing:

  1. How do you generate large amounts of test data?
  2. What are the pitfalls of automated Web testing and how do you get around them?

Unfortunately, the people running many QA organizations don’t understand these things themselves and wonder why their automated testing efforts repeatedly fail. Those rare few who do and ‘splain it to them are prone to get fired because it’s not safe to be smarter than the boss.

Almost any programmer can tell you what you need to do for deep testing of a system: how to test each subsystem, how to generate meaningful test data that will really exercise the system, how to do positive and negative (no side effects) testing directly in the database vs. relying solely on what shows up on the screen, etc. In other words, the programmer knows more ways the system can (and can’t) fail because of their knowledge of how it works.

QA and Development should talk more often.

Posted in Business of Software | Leave a Comment »

Disable Browser Caching in JSF

Posted by David Chandler on August 8, 2006

Browser caching of page content has negative security implications when your application runs on shared terminals (like the public library). You can turn it off with this simple phase listener. Well, maybe. As some of the comments indicate, browsers are finicky, and of course, we never trust the browser, anyway, so using this technique is certainly not a security guarantee of any kind.

package my.util;

import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds anti-caching headers to every JSF response just before the
 * RENDER_RESPONSE phase writes the page, so that nothing rendered by JSF
 * is stored by the browser or by an intermediate cache.
 */
public class CacheControlPhaseListener implements PhaseListener
{
	public PhaseId getPhaseId()
	{
		// Only the render phase matters; headers must be set before output is committed
		return PhaseId.RENDER_RESPONSE;
	}

	public void afterPhase(PhaseEvent event)
	{
		// nothing to do once the page has been rendered
	}

	public void beforePhase(PhaseEvent event)
	{
		FacesContext facesContext = event.getFacesContext();
		HttpServletResponse response = (HttpServletResponse) facesContext
				.getExternalContext().getResponse();
		// HTTP/1.0 caches honor Pragma
		response.addHeader("Pragma", "no-cache");
		// HTTP/1.1 caches honor Cache-Control
		response.addHeader("Cache-Control", "no-cache");
		// Stronger according to blog comment below that references HTTP spec:
		// no-cache still allows a copy to be stored and revalidated, no-store forbids storing it at all
		response.addHeader("Cache-Control", "no-store");
		response.addHeader("Cache-Control", "must-revalidate");
		// some date in the past, as a valid RFC 1123 HTTP-date (two-digit day, matching weekday)
		response.addHeader("Expires", "Tue, 08 Aug 2006 10:00:00 GMT");
	}
}

To register the phase listener, just add this to your faces-config.xml:

	<lifecycle>
		<phase-listener id="nocache">my.util.CacheControlPhaseListener</phase-listener>
	</lifecycle>
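Since the browser is not trusted, the one thing that can be verified on the server side is that the response really carries the full anti-caching set. The audit below is an added example and not code from the original post: it takes the response headers as a name-to-values map (the shape returned by java.net.HttpURLConnection.getHeaderFields(), so a captured response can be fed straight in), merges the Cache-Control directives from however many header lines the listener emitted, and reports what is missing or wrong, including an Expires value that does not parse as an HTTP-date. The two header sets in main are constructed for the demonstration, and CacheHeaderAudit and audit are hypothetical names.

```java
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: checks a set of response headers for the anti-caching directives. */
public class CacheHeaderAudit {

    /** Returns the problems found; an empty list means the response is fully marked uncacheable. */
    public static List<String> audit(Map<String, List<String>> headers, ZonedDateTime now) {
        List<String> findings = new ArrayList<>();

        // Header names are case-insensitive, so normalise them before looking anything up
        Map<String, List<String>> h = new HashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() == null) continue; // HttpURLConnection stores the status line under a null key
            h.computeIfAbsent(e.getKey().toLowerCase(Locale.ROOT), k -> new ArrayList<>()).addAll(e.getValue());
        }

        // Cache-Control may arrive as several header lines or as one comma-separated list; merge both forms
        Set<String> directives = new HashSet<>();
        for (String value : h.getOrDefault("cache-control", Collections.<String>emptyList())) {
            for (String d : value.split(",")) {
                directives.add(d.trim().toLowerCase(Locale.ROOT));
            }
        }
        if (!directives.contains("no-store")) {
            findings.add("Cache-Control lacks no-store (no-cache alone permits a stored, revalidated copy)");
        }
        if (!directives.contains("no-cache")) {
            findings.add("Cache-Control lacks no-cache");
        }
        if (!h.getOrDefault("pragma", Collections.<String>emptyList()).contains("no-cache")) {
            findings.add("Pragma: no-cache missing (needed for HTTP/1.0 caches)");
        }

        // Expires must be present, a valid RFC 1123 date, and already in the past
        List<String> expires = h.getOrDefault("expires", Collections.<String>emptyList());
        if (expires.isEmpty()) {
            findings.add("Expires missing");
        } else {
            try {
                ZonedDateTime exp = ZonedDateTime.parse(expires.get(0), DateTimeFormatter.RFC_1123_DATE_TIME);
                if (!exp.isBefore(now)) {
                    findings.add("Expires is in the future: " + expires.get(0));
                }
            } catch (DateTimeParseException ex) {
                findings.add("Expires is not a valid HTTP-date: " + expires.get(0));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        ZonedDateTime now = ZonedDateTime.now();

        // Constructed sample: the headers the phase listener above emits
        Map<String, List<String>> hardened = new LinkedHashMap<>();
        hardened.put("Pragma", Arrays.asList("no-cache"));
        hardened.put("Cache-Control", Arrays.asList("no-cache", "no-store", "must-revalidate"));
        hardened.put("Expires", Arrays.asList("Tue, 08 Aug 2006 10:00:00 GMT"));

        // Constructed sample: a default container response with no caching headers at all
        Map<String, List<String>> plain = new LinkedHashMap<>();
        plain.put("Content-Type", Arrays.asList("text/html;charset=UTF-8"));

        System.out.println("hardened: " + audit(hardened, now)); // expect an empty list
        System.out.println("plain:    " + audit(plain, now));    // expect four findings
    }
}
```

To audit a running application, open the page with HttpURLConnection under an authenticated session and pass getHeaderFields() to audit; a non-empty result means some path (a servlet, a static resource, or a view rendered outside the JSF lifecycle) is bypassing the phase listener.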

Posted in JavaServer Faces, Web App Security | 65 Comments »

JSF Security Presentation at OWASP Atlanta Wed Aug 9

Posted by David Chandler on August 8, 2006

Securing JavaServer Faces Applications Against the OWASP Top Ten Attacks

This is a preview of the talk I’ll be giving at ApacheCon US in October.

When: Wednesday August 9th 6:30pm – 8:00pm

Location:
Thoughtmill – MapQuest <http://www.mapquest.com/directions/main.adp?go=1&do=nw&rmm=1&un=m&cl=EN&ct=NA&rsres=1&1ahXX=&1y=US&1a=&1c=&1s=&1z=&2ahXX=&2y=US&2a=2520+Northwinds+Parkway%2C+Suite+300&2c=Alpharetta&2s=Ga&2z=30004>
Two Northwinds Center
2520 Northwinds Parkway, Suite 300
Alpharetta, GA 30004
tel: 678.566.4700
fax: 678.566.4861

This meeting is open to public and admission is free.

OWASP Atlanta – our mission as a local chapter of the Open Web Application Security Project is to help promote awareness and contributions to web application security.

Who Should Attend – anyone interested in Web Application Security (management, security architects, developers, etc)

Please RSVP for this event. Send email to cburkeinga “at” hotmail and also Register to OWASP Atlanta mailing list at: http://lists.sourceforge.net/lists/listinfo/owasp-atlanta/

Keynote Speaker: David Chandler
Abstract:
The JavaServer Faces (JSF) API is an excellent foundation for building secure Web applications because of its component-oriented nature, carefulness surrounding data validation, and numerous extension points. Apache myFaces builds on this strength by providing components which offer built-in protection against many of the OWASP Top Ten attacks including form parameter tampering and cross-site scripting. In this presentation, we’ll review how myFaces protects against these attacks and move on to explore JSF extensions you can deploy to provide complete protection against the OWASP Top Ten, including forced browsing, information leakage in select boxes, and unauthorized method execution. Specifically, we’ll look at centralized approaches to ensuring that every field and form is properly validated, a phase listener and view handler to prevent forced browsing and assist with detection of session hijacking, a custom converter and component to hide sensitive information such as IDs in menu options, and a JAAS permission checker for component actions (event handler methods).

Speaker Biography:
David Chandler is a Java Web Architect in Atlanta, GA, where he has been developing a next-generation platform for Internet banking applications. An electrical engineer by trade, Chandler got hooked on developing dynamic Web applications in 1994 and hasn’t looked back since. Having written Web applications in C, perl, ColdFusion, and Java, Chandler is a huge fan of tools like Hibernate and JSF that bring together the robustness and expressiveness of Java along with the speedy development that once belonged only to scripting languages. Chandler holds a patent on a method of organizing hierarchical data in a relational database and is the author of the best-selling Running a Perfect Web Site (Que, 1995).

Posted in JavaServer Faces, Web App Security | 3 Comments »

A PRG Phase Listener for JSF

Posted by David Chandler on August 6, 2006

This post (and blog) has moved to http://learnjsf.com/wp/2006/08/06/a-prg-phase-listener-for-jsf/

Posted in JavaServer Faces | 4 Comments »
