Solomon Raz

Greenhorn
since Feb 26, 2005

Recent posts by Solomon Raz

Are component interfaces mandatory for components in the component diagrams?
If yes, can the interfaces really be very generic? For instance, a component may provide functionalities such as PayByCreditCard and PayByMileageAcct. Can that component expose one generic interface (say PaymentServices) rather than two specific interfaces? This should help me keep my component diagram relatively uncluttered. In fact it would really help if I did not include component interfaces at all, but I would like to know if it's acceptable.
Deepak,
Congratulations!! Fantastic job!!

Can you shed some light on how you handled security (decl or prog)?
Having changed my mind back and forth on this several times in the last month, I decided to stick with Container Managed Security (CMS) finally. But again, as I see most folks in this forum say they use Intercepting Filters, I did not see a need for that with CMS. I'm somewhat unsure of my direction. Any thoughts will be greatly appreciated!

Secondly, how much documentation did you provide?

Thanks a bunch and good luck in your career.
Solomon

Originally posted by Gopal Chiluki:
does this mean it is fair to have an association between SegmentFare class and Seat ?
Gopal,
I see Seat Fare as an attribute of Seat. For this business domain, Fare is an atomic literal and there is no behavior associated with that. So, I wouldn't make that a class.

Solomon
I'm redeploying this question again. I'd appreciate help in any form: answers, links, book names, etc.

My understanding is that in container managed security, if a protected resource is accessed, the container will direct the user to the sign-on page. Let's say the user has never registered before and clicks the Register button on the sign-on page and successfully registers and logs on. Will the container take the user back to the protected resource he/she was originally attempting to access? Or is it up to the application to do that?

Solomon

Originally posted by Colin Fletcher:
I do not have the requirements. I am basing my feedback on the above articles. If the requirement is to have all user interactions use SSL, that makes it pretty clear.

I think of my experience with a major airline in Canada. I have my credit card stored on my profile. When I login and establish my session, I believe the credit card information is accessible. I don't think anyone wants their sensitive information exposed.

I would hate to think I would be switched to an 'insecure' session to search for flights.

I view using SSL like an escalator. Once you get on, you are not getting off until the end.
Colin, Thanks for your feedback!
This would mean the main web page would also only be accessible via SSL. As we know, users rarely enter the protocol name in the URL address... which means if they did not enter "https" the browser is gonna assume it's http, which in our case is not allowed. So, in your real-world app how did you route the http requests to https, or did the user see an error from the web server stating "This page must be viewed over a secure channel" or something? I'm not sure if the web servers have capabilities to auto-route http to https.

Solomon
Secondly, the requirements state "All user interactions must be secured with SSL". Does it not make sense to make only the confidential transactions secure? I don't think searching for flights needs to be done via a secure channel. I see lots of unnecessary overhead with the encodings/decodings for the possibly huge list of data that may be returned from the server.

Please chime in with your thoughts.

Solomon
I read the following from the blueprints website about not allowing the user to use non-SSL requests after an SSL request has been processed.

"If you are using sessions, once you switch to SSL you should never accept any further requests for that session that are non-SSL. For example, a shopping site might not use SSL until the checkout page, then it may switch to using SSL in order to accept your card number. After switching to SSL, you should stop listening to non-SSL requests for this session. The reason for this practice is that the session ID itself was non-encrypted on the earlier communications, which is not so bad when you're just doing your shopping, but once the credit card information is stored in the session, you don't want a bad guy trying to fake the purchase transaction against your credit card. This practice could be easily implemented using a filter."

I understand Sun's reasoning to not allow non-SSL after an SSL call is made.
But if I do what is recommended above, the Change Itinerary process, which requires the user to be logged in (using SSL), may not be able to call Prepare Itinerary (which is a non-SSL process until we get to payment).

How are situations like this handled in the real-world?

Solomon
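An added example (not code from this thread or from the BluePrints): a servlet filter that implements the "SSL escalator" rule quoted above and also answers the earlier post's question about routing plain-HTTP requests to HTTPS. The class name and the session attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: enforce the "SSL escalator" rule and route http to https. */
public class SslEscalatorFilter implements Filter {
    // Hypothetical session attribute recording that this session has used SSL.
    static final String SSL_SEEN = "example.sslSeen";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {
            chain.doFilter(req, res);
            // Mark the session (possibly created during this request, e.g. by
            // login): from now on plain-HTTP requests carrying its ID are refused.
            HttpSession s = request.getSession(false);
            if (s != null) s.setAttribute(SSL_SEEN, Boolean.TRUE);
            return;
        }

        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(SSL_SEEN) != null) {
            // The session ID has just travelled in clear text; treat it as
            // compromised rather than letting the caller continue on it.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This session must be continued over HTTPS; please log in again.");
            return;
        }

        // No SSL history yet (e.g. a user who typed the address without a
        // scheme): send GETs to the same URL over https, refuse anything else.
        if ("GET".equals(request.getMethod())) {
            StringBuffer url = request.getRequestURL();   // begins with "http://"
            String target = "https" + url.substring("http".length());
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
    }
}
```

Map the filter to `/*` in web.xml so it runs before the protected resources; where the container supports it, also set the session cookie's Secure flag so the browser never sends the ID over plain HTTP in the first place.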
My understanding is that in container managed security, if a protected resource is accessed, the container will direct the user to the sign-on page. Let's say the user has never registered before and clicks the Register button on the sign-on page and successfully registers and logs on. Will the container take the user back to the protected resource he/she was originally attempting to access? Or is it up to the application to do that?

Solomon
If I access an external subsystem (say an external DB), should I show that subsystem in the domain class diagram? I believe I shouldn't, as it is external to the business domain I'm concerned about. Let me know if I'm wrong.
Of the following 2 options, what is the most common way a session bean would interact with an external DB?
(a) SB-->DAO-->(external DB)
(b) SB-->(POJO interface object)-->DAO-->(external DB)
I seem to like (b) as an interface is usually used to show calls to external systems. If there are better options than these 2 that represent communication with external systems more clearly, please provide more info on those.

Solomon
Thanks Deepak. This helps!!

Solomon
I'm a little bit confused about whether Facades should be Stateful/Stateless Session beans. I'm planning on having the rich client communicate with the EJB tier via various Facade objects. I earlier thought about having the Facades as SLSBs. But I need to maintain the state in an SFSB. Instead of having an SLSB Facade and an SFSB for state, I'm leaning towards making the Facades SFSBs. Are there any major issues with this approach?

Solomon
Does anyone know if an EJB app client can be packaged and provisioned on demand using Java Webstart technology with a JNLP file?
Solomon
Along, I guess after giving it some thought, I may have answered my own question. I'm thinking the filter servlet will look at the URL and, if it is that of the Swing app's FC, it should look at the XML message, determine what the request type is and do the necessary authentication. Is this in line with your thought also?

thanks
Solomon