
Getting around security

Posted by daniel on February 3, 2004 at 7:47 AM PST

You build security features into a product for your users. How do you help them take advantage of those features, or at least make them aware when they have bypassed them?

When you scan for available wireless networks, you will often find access points that still carry their default settings. Some people deliberately run their networks open so that other people can use them, and those usually require no password. I'm talking about something different: when you encounter a network whose name is linksys, for example, there is a pretty good chance that its owner has never changed the factory defaults at all.

One option would be to require that the settings be entered on first use. If a user wanted to keep the customary defaults for some business or personal reason, they could, but they would have to enter those defaults by hand; the decision would have to be a conscious one. The point is that the router comes with security built in: a user can name it and create a login and password. We just don't force them to, and so they often don't.
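One way to implement the first-use requirement described above, as an added example that is not part of the original post: the setup screen is never pre-filled, any security setting still equal to the factory value must be consciously acknowledged before setup can complete, and every acknowledged bypass is reported back so the user stays aware of it. The factory-default table is constructed for this example; only the linksys SSID comes from the post, the admin credentials and the open wireless key are assumptions.

```python
"""Added example: a first-use setup gate for a home router.

The device ships with its security features in place (a network name,
an admin login, a wireless key), but setup cannot complete while any of
those settings still matches the factory default, unless the user has
typed that value in by hand and explicitly acknowledged keeping it.
"""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed factory defaults. "linksys" is the SSID mentioned in the post;
# the admin credentials and the empty (open) wireless key are assumptions.
FACTORY_DEFAULTS: Dict[str, str] = {
    "ssid": "linksys",
    "admin_user": "admin",
    "admin_password": "admin",
    "wireless_key": "",  # an empty key means an open network
}

# What keeping each default actually means, in the words shown to the user.
WHY_IT_MATTERS: Dict[str, str] = {
    "ssid": "advertises an unconfigured router to anyone scanning for networks",
    "admin_user": "is the login name every attacker will try first",
    "admin_password": "lets anyone on the network administer the router",
    "wireless_key": "leaves the wireless network open to anyone in range",
}


@dataclass
class SetupResult:
    ok: bool                                                 # True only if setup may complete
    missing: List[str] = field(default_factory=list)         # never entered at all
    still_default: List[str] = field(default_factory=list)   # equal to the factory value
    unacknowledged: List[str] = field(default_factory=list)  # default kept without a conscious choice
    warnings: List[str] = field(default_factory=list)        # shown again on every later login


def check_first_use(entered: Dict[str, str],
                    acknowledged: Iterable[str] = ()) -> SetupResult:
    """Gate the first-use setup screen.

    entered:      values the user typed. The form is never pre-filled, so a
                  factory value can only appear here if the user typed it.
    acknowledged: fields the user ticked as "keep the factory value on purpose".
    """
    acknowledged = set(acknowledged)
    missing = [f for f in FACTORY_DEFAULTS if f not in entered]
    still_default = [f for f in FACTORY_DEFAULTS
                     if f in entered and entered[f] == FACTORY_DEFAULTS[f]]
    unacknowledged = [f for f in still_default if f not in acknowledged]

    # Every default the user consciously kept is reported back, so the
    # bypass stays visible instead of silently becoming the configuration.
    warnings = [f"{f} is still the factory default and {WHY_IT_MATTERS[f]}"
                for f in still_default if f in acknowledged]

    ok = not missing and not unacknowledged
    return SetupResult(ok, missing, still_default, unacknowledged, warnings)


if __name__ == "__main__":
    # Nothing typed: an untouched router cannot finish setup.
    print(check_first_use({}))
    # Defaults typed back in by hand but not acknowledged: still blocked.
    print(check_first_use(dict(FACTORY_DEFAULTS)))
    # Defaults kept on purpose: allowed, but every one of them is flagged.
    print(check_first_use(dict(FACTORY_DEFAULTS),
                          acknowledged=FACTORY_DEFAULTS.keys()))
```

The check deliberately distinguishes "never entered" from "entered and equal to the default": the first is an incomplete form, the second is the conscious choice the post asks for, and only the second produces a warning that follows the user around afterwards.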

This came to mind because of a conversation I overheard yesterday. Actually, I overheard many conversations yesterday, but one stuck with me. It seems more common on flights these days that people are talking on cell phones right up until we pull back from the gate and again as soon as we land. On the last flight the person next to me was talking about a court case. I didn't know anything about it, so I didn't think much more of it.

But yesterday in the shuttle van on the way to the hotel, one of the Eclipse stewards talked loudly on a cell phone about board business. I know who he was because he had to spell his name to the van driver. That didn't mean anything to me until he made a phone call and loudly talked about a meeting he was going to have with "Skip" about procedural issues in choosing (what I inferred to be) the next executive director. In fact, the man at the other end of the phone was a candidate for the position who was being assured that he was on the short list and the list would not be opened up again. It was impossible not to listen. Conversation on the shuttle among families halted during his high volume phone call.

Less than ten minutes later he was at his hotel and could have made his call privately. But it made me ask the question I began with: how do you structure security in your app so that people like our friendly steward are aware when what they are doing is not secure?

Perhaps the SAML folks have thought about this. In today's Weblogs, Eve Maler blogs about the upcoming annual RSA Conference in SAMLblogging: the "Security Assertion Markup Language (SAML) vendors will be there to take part in an interoperability demonstration that's third in a long-running series."


The security theme also leads Also in Java Today. Denis Piliptchouk considers "the issues of code protection and distribution, and Code Access Security (CAS) mechanisms" in part three of his series Java vs. .Net security. As always he provides detailed analysis and clear conclusions. For example, in the category of Code Protection: Cryptographic he reports "Strong names in .NET offer an improved approach to versioning. JAR files, on the other hand, have more options for signing, so this category is a draw."

In Supercharge Your Java Web Applications with Translets , Raghu Donepudi walks through an example of using translets to transform XML. He notes that the downside to using XSL is that "it can take a considerable amount of time and reduce performance. The time needed to parse XML and XSL documents is directly proportional to the size of the documents. Each transformation requires the XML and XSL documents to be loaded, syntax checked, and parsed." He recommends using translets.

Translets "are precompiled XSL documents that are optimized and converted into simple Java classes. When you compile your application Java files, you compile your XSL files into Java class files. During runtime, you can load translets like any regular Java class and perform XSL transformations over and over again. The syntax checking and parsing of XSL documents are done when the XSL files are compiled. The transformation therefore takes only as long as the compiled code takes to execute, which improves performance multiple folds."


In Projects and Communities, the Java User Groups community has a page on Using Open Source posted on their wiki. Add to or annotate their extensive list of open source projects.

Chris Adamson blogs that Mac OS X J2SE 1.4.2 goes final "with substantial improvements, including LiveConnect support for the Safari web browser."


In today's java.net News Headlines:

Registered users can submit news items for the java.net News Page (http://today.java.net/today/news/) using our news submission form. All submissions go through an editorial review by news director Steve Mallet before being posted to the site. You can also subscribe to the java.net News RSS feed.


Current and upcoming Java Events:

Registered users can submit event listings for the java.net Events Page (http://www.java.net/events) using our events submission form (http://today.java.net/cs/user/create/e). All submissions go through an editorial review before being posted to the site.


Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. All java.net members can subscribe to the email updates for the site at the java-net Mailing Lists page (https://java-net.dev.java.net/servlets/ProjectMailingListList). You must be logged in to subscribe to the javanet_Daily and javanet_Weekly lists. Also, once this page is no longer featured as the front page of java.net it will be archived along with other past issues in the java.net Archive (http://today.java.net/today/archive/).