Dreamcar questions

Alexey Kuntsevich
Greenhorn

Joined: Jan 12, 2009
Posts: 12
Hello!

I got the Dreamcar assignment a week ago, and I'm still meditating on it and smoking printed copies of the assignment =)

I've already fixed some obvious issues in the domain model and use cases (and wrote assumptions on them), but I still haven't figured out whether we have to handle security on this assignment somehow. I see two ways of handling security here: either we secure everything we can (HTTPS, encryption, etc.), or we don't secure anything.

Thanks!


SCJP 6, SCBCD, SCWCD. Making SCEA assignment atm.
Rahul Mishra
Ranch Hand

Joined: Jan 22, 2006
Posts: 211
My answer is not from the exam perspective -

But your 'All or nothing' approach seems a bit extreme. You might also want to explore

  • Message Layer Security - I am not sure about the details of the assignment, but if you want to securely exchange messages (Web Services) you might want to explore this option.

  • Application Layer Security - Secure EJB methods by using method permissions, secure Web resources using resource constraints. Put a firewall in front of the application, etc.

From your post, it seems that the only option you have configured so far is 'Transport Layer Security'.

Please note that while transport level security ensures a higher degree of confidence, it does bring its own can of worms (performance impact, not an end-to-end solution). The higher the order of encryption algorithm you use, the greater the impact it has on performance (in the general sense).

In my opinion the level of security to be imposed should be based on the value proposition of the transmitted/stored data.

Cheers


OCMJEA/SCEA, SCDJWS, SCBCD 1.3, SCJP 1.4
My SCEA experience: http://javalogue.blogspot.com/
Alexey Kuntsevich
Greenhorn

Joined: Jan 12, 2009
Posts: 12
Thank you for your answer!

I agree with you, it seems that the transport layer and EJBs have to be secured, but I didn't find anything about user authentication, authorization, roles and permissions, etc. in the assignment. I don't think it's a good idea for an architect to add any requirements, but there aren't any security requirements at all. Any opinions would be appreciated!


Thanks!
Janis Kazakovs
Ranch Hand

Joined: Aug 13, 2009
Posts: 33
Alexey, I wrote you a response, but when I pressed the submit button I was redirected to the login page, and when I logged in, my message was gone. That's very freaky annoying. I was too lazy to write it again. Sorry for that.

Janis


SCEA 5.0, SCBCD 5.0, SCWCD 1.4, SCJP 5.0
OMG-Certified UML Professional, Intermediate; OMG-Certified UML Professional, Fundamental
Alexey Kuntsevich
Greenhorn

Joined: Jan 12, 2009
Posts: 12
Thanks for trying, Janis =)))
Rahul Mishra
Ranch Hand

Joined: Jan 22, 2006
Posts: 211
Well,

I really can't comment on it from Sun's assignment perspective, but I understand your problem -

Typically such requirements are explicit, but some may contend that these are very normal requirements (at least authentication, if not authorization).

If I were you in this situation, I would probably list these in my assumptions and state the risk and go about designing my solution.

A typical project client jumps up and acts when he sees 'no need for authentication' as an assumption. But I am really not sure how the examiners think.

Maybe the people who have taken the test can advise?
Alexey Kuntsevich
Greenhorn

Joined: Jan 12, 2009
Posts: 12
Thank you for your advice, Rahul!

There were already some weak spots in the assignment that required assumptions, so I hope it will be OK with Sun if I make some more high-level assumptions about security.

Hope anyone can share some experience about these assumptions =)

Thanks!
Manju Sebastian
Greenhorn

Joined: Aug 17, 2009
Posts: 15
Alexey

I think you can add authentication for sure. You can have a sequence diagram for it, with the required privileges loading on login.
For the Dreamcar, basically we need to give a page without any authentication which lists all requests. Some suppliers will see the requests and current bids, and only then decide to make the bid, or register as a supplier, etc. So I think you have to think of another role, Guest, too.

I am still in the design phase, and have got many classes for each page. Papers are not enough :-) Hope all of this makes less than the max for submission.

Are you considering custom components or a composite View? I think a simple header and footer would be enough.
Let me think again and again. There are many scenarios coming to mind: Mail for Supplier Registration Activation, Mail for Bid selection, Mail for New open requests submission, etc. In the end Sun may reject my assignment due to overthinking!!


SCJP1.4, SCBCD 5.0, SCDJWS, SCWCD 5.0, SCEA 5.0
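
The EJB method permissions from Rahul's reply, combined with the unauthenticated Guest view and supplier role from Manju's, as an added example (not code from the assignment or from any poster). The bean, its method names and the "admin" role are assumptions; it compiles against the Java EE API and the checks are enforced by the EJB container.

```java
// Added example: BidServiceBean, its methods and the "admin" role are hypothetical.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"supplier", "admin"})
@RolesAllowed("admin") // class-level default: a method with no annotation is admin-only
public class BidServiceBean {
    // Stand-in for the persistence layer: bidId -> {requestId, owner}.
    private static final Map<Long, String[]> BIDS = new ConcurrentHashMap<Long, String[]>();
    private static final AtomicLong IDS = new AtomicLong();
    @Resource private SessionContext ctx;

    // "Guest": unauthenticated callers may browse requests and current bids.
    @PermitAll
    public int countBids(String requestId) {
        int n = 0;
        for (String[] bid : BIDS.values()) if (bid[0].equals(requestId)) n++;
        return n;
    }

    // Declarative check: the container rejects callers without the supplier role.
    @RolesAllowed("supplier")
    public long placeBid(String requestId) {
        long id = IDS.incrementAndGet();
        // Owner is the container-authenticated principal, never a client-supplied value.
        BIDS.put(id, new String[] {requestId, ctx.getCallerPrincipal().getName()});
        return id;
    }

    // Programmatic check: roles alone cannot express "only the supplier who placed it".
    @RolesAllowed({"supplier", "admin"})
    public void withdrawBid(long bidId) {
        String[] bid = BIDS.get(bidId);
        if (bid == null) return;
        boolean own = bid[1].equals(ctx.getCallerPrincipal().getName());
        if (!own && !ctx.isCallerInRole("admin")) throw new EJBAccessException("not your bid");
        BIDS.remove(bidId);
    }

    // No annotation: covered by the class-level @RolesAllowed("admin").
    public void purgeAll() { BIDS.clear(); }
}
```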
Alexey Kuntsevich
Greenhorn

Joined: Jan 12, 2009
Posts: 12
Hello, Manju!

Thank you for your answer!

I think creating different roles with different security permissions is a good idea, but I'm still not sure if it won't be kinda 'overassumptioning' =)

I don't think this assignment requires implementing any complicated view classes.

Maybe we can discuss it by e-mail?

Thank you!
Rajes Rai
Greenhorn

Joined: Nov 05, 2009
Posts: 1
I have the same assignment and I am doing the authentication and authorization.
My assumption is that the same web page will greet the user and, based on role, it will decide which page shall be displayed.
I hope I am not going way beyond the requirements.
     