Posts Tagged: java

creative7 Comments
2
Sep 08

URL-based session is insecure and so is JavaBlogs.com

There are two main ways to associate a session state with a user — session cookies and session URL parameters. However for public sites there may be some risks for the URL-based approach.

Cookies are saved on the computer and are only ever sent in requests to the domain that has saved them. They have always been a focus of security attacks and thus they are pretty well protected. E.g. they cannot be accessed by the included third-party JavaScripts, which is important considering the current proliferation of web widgets.

On the other hands URLs are definitely accessible to the third-party scripts. What’s even worse, is that the browser will send the URL of the previous page as Referrer, when you click a link to go to the third-party site. Since most web servers will log the Referrer the owner of that site can access the logged-in user session as long as it’s live and possibly access private user data.

We hit this issue, when watching the statistics for ZeroTurnaround and clicking on a referrer link to JavaBlogs.com, which uses URL-based sessions. To our surprise we could access the logged in user data. Of course on JavaBlogs there’s not really that much data to access, but on another site this could be a serious issue.

For all I know this issue could be a very old and well-known one, but I never heard of it and apparently neither have JavaBlogs owners. If you’re making a public site make sure to keep this in mind.

creative12 Comments
11
Aug 08

Is static typing and refactoring really connected?

One of the main problems brought out when comparing dynamic languages to static ones is lack of proper refactoring support. It is usually implied that dynamic languages are not conceptually refactorable, which speeds up code rotting.

Although there is plenty of evidence that dynamic languages do support refactoring, I’d like to concentrate on the other claim — that statically typed languages are refactorable. Challenging this claim may seem laughable, as there is no lack of refactoring tools for Java or C#. But let’s examine a more advanced language that is touted as Java successor — Scala.

Scala supports structural types, which allow treating classes as records of methods that can subtyped by the presence of appropriate methods. This example was given in the Scala 2.6 release notes:
[java]
class File(name: String) {
def getName(): String = name
def open() { /*..*/ }
def close() { println(“close file”) }
}

def test(f: { def getName(): String }) {
println(f.getName)
}

test(new File(“test.txt”))
test(new java.io.File(“test.txt”))
[/java]

In this code the type { def getName(): String } refers to any class with the method getName(): String in it. Now what happens if we try to rename the method in the structural type?

  1. We can rename all the instances of the getName() methods found in all classes anywhere.
  2. We can just rename the method in the structural type and update everything else manually

Both of these approaches are useless. The first one is basically a search and replace done on all code and may rename methods that we never intended to rename (e.g. getName() in the Person class). The second one doesn’t really do anything for us.

The truth of the matter is that structural types miss an inherent scope associated with nominative (i.e. usual) types. Since every method signature in a nominative type originates from a single type, it gives refactoring a natural scope of all the subtypes of the originating type. Without that scope many refactoring techniques are essentially useless.

What is worse is that the presence of structural types also breaks refactoring in usual classes. E.g. if we try renaming getName() in the File type, we are also presented with a decision whether or not we can rename the method in structural type. And if we do rename it, we will break the code that accesses java.io.File the same way. Therefore if we want to refactor working code to working code we can again only rename everything or nothing at all.

Luckily it looks like the main refactorings broken by the structural types is renaming the methods and changing their signature. Unluckily these are the most common refactorings and having a same named method in any of the structural types breaks refactoring also in the usual classes. At the moment this mainly affects Scala and some other functional languages, but if the structural types become more spread it may come to a language near you :)

Interestingly, Cedric Beust brought out that you can refactor structural types as opposed to the duck types. Since I obviously think differently it would be interesting to hear his (and your) comments on the matter. Perhaps I’m missing something obvious?

meme1 Comment
1
Aug 08

Return-Type-Based Method Overloading in Java

Return-Type-Based Method Overloading in Java — wow! Next you’ll discover that in Java bytecode you can throw/catch any object, not just Throwable subclasses and use that knowledge to implement more weird bytecode hacks! And BTW return-type overloading is used in Java 5 to implement bridge methods that allow overriding super methods with a different return type, so it’s not really so esoteric.

memeNo Comments
31
Jul 08

TSSJS’08: Embedded Typesafe Domain Specific Languages for Java

This is a presentation I’ve given at TSSJS’08. Hope you enjoy it :)

Embedded Typesafe Domain Specific Languages for Java

reportNo Comments
21
Jun 08

TSSJS Prague Afterthoughts

The event is over and I’m heading back home for another five days. This was my second time on TSSJS and it definitely felt different. Last time it was in Barcelona and we weren’t exhibiting (in fact ZeroTurnaround didn’t even exist yet). Also this year had a lot of changes for TheServerSide, with a bunch of new people on the team and a bunch of old people leaving.

The conference content this year was great. Unfortunately I didn’t get to sit in on much talks, but I heard other participants discuss them and I know that the speakers who were there always deliver. There was quite a range of topics and none of the sponsored bullshit (there were sponsored keynotes, but apparently they were decently technical instead of unrefined marketing).

From a speaker perspective it was quite nice as well. I got to hang out with really cool dudes and had loads of fun in the evenings. Also my talks were surprisingly well attended this year, so I couldn’t be happier! The only hiccup was the “Special Appreciation Dinner” to which only half the speakers were invited. That wasn’t very well communicated and the choice of invitees was also very weird. Kudos to Brian for handling the situation and inviting everyone in the end.

However from a vendor perspective I was rather disappointed. The vendor space was hard to access and very dark, and the breaks between sessions were extremely short. The dedicated “vendor networking” time was put in the early morning before sessions and noone bothered coming. Perhaps for vendors who only need to make a few sales it was better, but for us numbers count. Luckily one of the (well attended) talks was (among others) about JavaRebel so in the end it played out OK for us. But I do think that next year TSS guys should either improve the situation considerably or do the conference without a trade show.

Finally I want to thank Geert, who was kind enough to record both my talks on his spanking new HD camcorder. I’m not sure at the moment if and when I could publish them (one recording takes more than 3 Gb at the moment), but at the very least I can make a podcast from the Fireside Chat we did with Geert and Guilaume.

← Older Entries
Newer Entries →