As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Following Alan Green's "Naming Java classes without Manager" I've started hunting *Manager classes in my own code.
How would you rename the following class? ServiceLoader, maybe? but it doesn't "load" anything from anywhere.
class ServiceManager
{
public bool IsRunning { get; };
public void Start();
public void Restart();
public void Stop();
}
Also, please share your own examples of Manager classes that you've renamed.
Thanks
I probably should have described a little more what the class does. This class starts/stops a .NET Remoting service.
The Start() method registers a channel (port) and the interfaces for the services.
Does the Manager part add anything? Why not just 'Service'.
edit:
To clarify, it doesn't seem like this manages, or controls, or does anything to, a service. It reads like it is the service.
If it was doing anything to, or for, a service, then I'd expect to be able to get the service object it controlled and call methods on that too.
If this was a controller interface that you could get from a Service object, that would be different.
Maybe ServiceController? ServiceWrapper?
If this is the service class itself, I would rename to be descriptive of the type of service it provides, i.e., BookingService, OrderProcessingService, PrintAccountingService. If it is a generic class that controls different types of services, then I would suggest that either ServiceController or ServiceManager are appropriate. Since you express a preference not to use Manager, then I would go with the former.
What are you going to do, though, if someone writes an article that says you ought to get rid of all those "Controller" class names? Bottom, line -- the class name ought to help you understand what the class does. If it's working already, don't bother renaming just to meet someone else's opinion.
While that article is relevant, I don't see an issue with the name ServiceManager
Service also works, but perhaps you need to be more specific - in a namespace. It looks to me like a Windows/NT service - so maybe just Service in your own descriptive namespace.
Having thought about it more - just plain old Service seems most appropriate. with a namespace of your choosing.
ServiceMonitor?
ServiceController?
This class starts/stops a .NET
Remoting service.
Then I would name it DotNETRemotingService...
Technically, it is a wrapper around that service... but then for all intents and purposes, within your code this IS the service, and therefore deserves to be handled as such.
Related
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 9 years ago.
What's the consequence if someone know the table name or field name in a database of mysql ? And they don't know the manager's pwd and username .Does it will be attacked easily?
You're asking a security question, it seems. For an application facing the public web, you need to practice security in depth.
To answer your question: No. Trying to secure a database by obfuscating column and table names is not usually used as part of security-in-depth.
Your web application should be built to avoid SQL injection and other exploits. That's a big topic which you can look up.
Your MySQL database machine itself should not be visible from the public network; it should be on an internal network in your web data center. That keeps script kiddies from using their own MySQL client software from finding it or connecting to it.
The user name and password for the web application's access to the MySQL database should be kept reasonably secret. It's hard to keep those completely secret, because your web app has to use them a lot.
The web application's user name should give access only to the features of MySQL which it needs to do its job. A MySQL user can be denied the privilege of, for example, creating a view, droppping a table, or creating a stored procedure.
There is not really a security risk, since they will not be able to get into your database. If they can get into your database, then they don't need to know the tablename, because they can retrieve it from the database itself.
So the most important thing is to keep your database secure, use strong username/password combo's with restricted access for the different profiles. Make sure your websites are safe for SQL-Injection etcetera.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I'm interested in recommended best practices when entities customizations are required on Dynamics CRM 2011. Microsoft recommends to modify built-in entities instead of creating new ones, but I'm concerned about forward compatibility in future upgrades, using this approach.
What are recommended best practices:
Customize built-in entities
Create new independent-system entities
It depends on what you want you're doing Lester. The reason they recommend using a built in entity is that you don't have to create it, define it, create the views, create the form, or anything. That's all done for you. If you need to keep track of an individual's address and other personal information, use the contact entity. Add the fields you need. Hide the ones you don't.
If you need to do something that isn't really supported by any of the built in entities, by all means, create your own. Just remember you'll need to define the icons, views, forms, and security for it.
It really depends on what you are attempting to create.
If you need a contact record then in the large majority of cases you will utilize the contact entity and customize as appropriate. On the other hand, if I needed to do grant management I'm unlikely to just extend an existing entity - instead I'll create the Grant entity and the appropriate related entities as custom entities. Yes, you might be able to reuse some of the existing to accomplish your goals but there is really no good reason to do so, and you run the risk of not being able to use customized built-in entity should you need it for its intended purpose in the future.
So the quick take away is to ask yourself this question: Based on the requirements do I have a natural fit to an existing entity? (i.e., this solution has order management it should fit with the order entity, etc.)
If no, build a custom entity.
If yes, ask yourself the next question: Is the business logic I'm implementing inline with how CRM works OOTB? If yes, use built-in entity and customize. If no, build a custom entity.
Hope that helps - there is no great binary decision. A lot of it is based on preference and experience along with an understanding of how the solution will evolve over time.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What modules are you using to connect to your CouchDB server, in your Node.js applications? And why would you recommend whatever module you are using?
When getting started, do not use CouchDB libraries in NodeJS!
There several, however they are largely thin layers wrapping the HTTP API. But Node has very strong HTTP support. It's no more trouble to make simple HTTP queries. It's simpler. It's less prone to errors. When CouchDB adds a feature, you won't need to wait for library support. You will learn and understand CouchDB better. It's well worth avoiding a library at first.
I use the built-in querystring module, and also Mikeal Rogers's request library, which is a super thin HTTP convenience library.
Try to look at nano which offers simple and minimalistic API for CouchDB or high-level client cradle.
I am the author of nano. When starting with CouchDB I did exactly as Jason Smith advised using Mikeals request library. Nano was born out of using that code in production and realizing I had some coded that could be improved and abstracted.
The end result is minimalistic and you still have a way to go down to the request level and do a request (which many users do).
Nano was really well accepted by the CouchBase team, mostly cause it's soo\ simple and maps well to the API.
If you are interested in checking out more check out this blog post:
http://writings.nunojob.com/2011/08/nano-minimalistic-couchdb-client-for-nodejs.html
I've written a very clean and simple HTTP API wrapper, called node-couchdb-api. It doesn't add any bloat features like an ORM, and it follows typical Node.js conventions for callbacks and async code.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks)
Is cfqueryparam enough?
I use a modified portcullis, and filter all incoming var scopes (URL,FORM,COOKIE) onRequestStart.
http://portcullis.riaforge.org/
Pete Freitag has an awesome blog, especially this post on Hardening ColdFusion
Never trust the client.
The most ColdFusion specific "set and forget" is following server administrator hardening guidelines noted above, keeping the server up-to-date, and following ColdFusion on twitter to learn about any new issues immediately.
For app security, which is common across all languages, you should validate every piece of information that touches your server from the client. Forms are are obvious areas of tight control, but don't forget about URL parameters that you might use for application state management or control. Something like &startRow=10&tag=security which isn't "supposed" to be touched by the user is user input. Even if your application could never break with invalid data, you might not know how that data will be used in the future. Validation could be as simple as ensuring that someone isn't entering a 100 character long first name and doesn't contain programming characters or ensuring that &startRow is always a number. These are the little things that application developers sometimes skip because everything works OK as long as you are using the software as expected.
I believe you can look at the Sony Playstation hacking as an example. Unfortunately, they didn't expect someone to hack the client (playstation console) and manipulate the PlayStation console software to hack the server. The server trusted the client.
Never trust the client.
I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language agnostic books which contain principles which can easily be altered for use in ColdFusion.
Although using a prebuilt solution will work, I recommend knowing all the possible issues that must be protected. Check out Hack Proofing ColdFusion at Amazon.
Another great place to learn about security (and all kinds of other topics) is to check out Charlie Arehart's massive list of recorded user group presentations: http://www.carehart.org/ugtv/
Here is information on a good tool that can be used to prevent XSS.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://www.petefreitag.com/item/760.cfm
Fairly easy to implement and Java based.
I recommend you the excellent talk by Justin McLean "ColdFusion Security and
Risk Management". It includes a case study.
PDF presentation http://cdn.classsoftware.com/talks/CFMeetupSecurity.pdf
Video streaming: http://experts.adobeconnect.com/p22718297
CfQueryParam is very important, but not nearly enough.
There is a boxed solution we use at my work: http://foundeo.com/security/. It covers most of the bases. And even if you don't want to buy it, you can take a look at it's feature set and get an idea of the things you should be considering.
You may like to check -
http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
I want to learn more about sandboxing. Not just about it. I want to learn such that I will be able to write a simple sandbox.
Surprisingly, there isn't any information available anywhere. Even the Wikipedia article is not good.
Can any one please suggest me good material. I know that its very advanced level concept. So, what are the prerequisites for learning & mastering it.
read about API hooking, for example sandboxie hooks Windows kernel to filter all api calls to filesystem and redirects it results to sandbox, you could hook APIs and filter it, pass only valid parameters, return errors for invalid calls
for API hooking you will find plenty materials on the net, try on codeproject.com
Google's Chromium uses sandboxing and has several documents about it:
http://dev.chromium.org/developers/design-documents/sandbox
http://code.google.com/p/chromium/wiki/LinuxSandboxing
You might also look at jails in FreeBSD. These are the FreeBSD equivalent of sandboxes.
The source code for jail is available (though you'll have to understand the rest of the FreeBSD code as well.)
A simple sandbox would simply be an environment in which you let 'something' execute, but restrict what it can do.
Typically, this "something" is an already-existing language, like Java, or JavaScript, or C#, or native code. Java has 'sandboxing' apis for applets and so on, and .NET has various 'trust' levels, JavaScript has the bounds placed on it by the interpreters (browsers).
So it's a little weird to "write" your own sandbox unless you also have a language you want to sandbox.
Do you have such a language? What do you want to learn about, specifically?
This is very dependent on what do you want to sandbox. If it is a full-blown system with multiple interfaces/languages available, you really do not want to re-invent the wheel, but run a virtual machine in VirtualBox, QEmu or some other alternative
In any case, a sandbox IS, at least on some level a virtualization of the system you are 'supposed to be' running...
If you need to sandbox applications for a single (interpreted) language, modifying the interpreter sound like a sensible approach.
The answer will likely be language specific. Unfortunately most languages don't have built-in sandboxing capabilities. But functional languages tend to be powerful enough that one can be built from scratch without extending the language.
In Tcl the basic mechanism is to create slave interpreters:
interp create -safe sandbox
interp eval sandbox $set_up_code
set result [interp eval sandbox $unsafe_code]
I wrote an overview of the ways of sandboxing within Linux the other day, which links to a lot of references for the different techniques. Similar methods are applicable in other operating systems. I hope it is helpful - I couldn't find much comprehensively documented either.