File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Developer Certification (SCJD/OCMJD) and the fly likes Is checking for SecurityException in updateRecord method necessary? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Certification » Developer Certification (SCJD/OCMJD)
Bookmark "Is checking for SecurityException in updateRecord method necessary?" Watch "Is checking for SecurityException in updateRecord method necessary?" New topic

Is checking for SecurityException in updateRecord method necessary?

sunny hsiao

Joined: Dec 04, 2005
Posts: 4
Hello Ranchers,

I am doing the URLyBird project. and I have a question on the SecurityException that is thrown by the updateRecord method.

The JavaDoc for updateRecord(long recNo, String[] data, long lockCookie) below suggests that the updateRecord() method should do a check on the LockManager�s reservations (a hashmap object that stores the record number as the key and lockCookie as the value) against the parameters provided to the updateRecord() prior to committing the changes to the database.

// Modifies the fields of a record. The new value for field n
// appears in data[n]. Throws SecurityException
// if the record is locked with a cookie other than lockCookie.
public void updateRecord(long recNo, String[] data, long lockCookie)
throws RecordNotFoundException, SecurityException;

But investigating the business logic of how a record is locked, updated, and unlocked or the private property of the reservations, it seems it is not very likely that the SecurityException will be thrown at all.

If this is the case, should we still implement that checking against the LockManager�s reservations? (the hashmap object) For me, I implemented a method called checkForSameLockingOwner(long recNo, long suppliedCookie) in LockManager class and is called from the Data�s updateRecord method.

The SecurityException is thrown if checkForSameLockingOwner methods returns a false result.

[ April 30, 2008: Message edited by: sunny hsiao ]
mohamed sulibi
Ranch Hand

Joined: Sep 04, 2005
Posts: 169

think about another TestClass class that sun will run against you implementation that contains all cases that may fail you in assignment.

what you think ?

Mohamed Darim.
sunny hsiao

Joined: Dec 04, 2005
Posts: 4
In my humble opinion, I don�t think it is possible for another TestClass to come and intentionally hack the LockManager�s hashmap object reservation and attempt to book an already locked record with a different lockCookie.

I think the only way the SecurityException can be thrown is if there are two different versions of clients, 1 client has a booking method that uses lockRecord, update, and unlock. Another client has a version with booking method that just calls the updateRecord without lock. And the SecurityException is thrown when thread 1 locked the record but before it can perform the updates, second client directly performs the updateRecord method.

Which I guess is possible if in future; another programmer decides to make change to the application and if he/she was careless and just decide to call the updateRecord method in its� booking method, instead of the lock, update, unlock steps.

What do you all think? Do you all have a something like checkLockingOwner method?
Chandrakant Dhome

Joined: Dec 14, 2005
Posts: 6
1. This is public method.
2. From description method's responsibility includes updating the record if lockCookie provided was the one originally used to lock it.
3. Public methods should not depend on checks in business logic calling them, most of all, ones modifying data.

So I think you should put a check and throw back an exception.

Don't get me started about those stupid light bulbs.
subject: Is checking for SecurityException in updateRecord method necessary?
Similar Threads
B&S question about new values in updateRecord
Difference b/w Cookie and LockCookie
Cookie value used in DBAccess Interface
lock-cookie generation?
Lock question!