Dreamcar questions

 
Alexey Kuntsevich
Greenhorn
Posts: 12
Hello!

I got the Dreamcar assignment a week ago, and I'm still meditating on it and smoking printed copies of the assignment =)

I've already fixed some obvious issues in the domain model and use cases (and wrote assumptions on them), but I still haven't figured out whether we have to handle security in this assignment somehow. I see two ways of handling security here: we secure everything we can (HTTPS, encryption, etc., etc., etc.) or we don't secure anything.

Thanks!
 
Rahul Mishra
Ranch Hand
Posts: 211
My answer is not from the exam perspective,

but your 'all or nothing' approach seems a bit extreme. You might also want to explore:

  • Message Layer Security - I am not sure about the details of the assignment, but if you want to securely exchange messages (web services) you might want to explore this option.

  • Application Layer Security - secure EJB methods by using method permissions, secure web resources using resource constraints, put a firewall in front of the application, etc.

  • From your post, it seems that the only option you have configured so far is 'Transport Layer Security'.

Please note that while transport level security ensures a higher degree of confidence, it does bring its own can of worms (performance impact, not an end-to-end solution). The higher the order of encryption algorithm you use, the greater the impact it has on performance (in the general sense).

In my opinion the level of security to be imposed should be based on the value proposition of the transmitted/stored data.

Cheers
     
Alexey Kuntsevich
Greenhorn
Posts: 12
Thank you for your answer!

I agree with you; it seems that the transport layer and EJBs have to be secured, but I didn't find anything about user authentication, authorization, roles and permissions, etc. in the assignment. I don't think it's a good idea for an architect to add any requirements, but there aren't any security requirements at all. Any opinions would be appreciated!

Thanks!
     
Janis Kazakovs
Ranch Hand
Posts: 33
Alexey, I wrote you a response, but when I pressed the submit button I was redirected to the login page, and when I had logged in, my message was gone. That's very freaking annoying. I was too lazy to write it again. Sorry for that.

Janis
     
Alexey Kuntsevich
Greenhorn
Posts: 12
Thanks for trying, Janis =)))
     
Rahul Mishra
Ranch Hand
Posts: 211
Well,

I really can't comment on it from Sun's assignment perspective, but I understand your problem.

Typically such requirements are explicit, but some may contend that these are very normal requirements (at least authentication, if not authorization).

If I were you in this situation, I would probably list these in my assumptions, state the risk, and go about designing my solution.

A typical project client jumps up and acts when he sees 'no need for authentication' as an assumption. But I am really not sure how the examiners think.

Maybe the people who have taken the test can advise?
     
Alexey Kuntsevich
Greenhorn
Posts: 12
Thank you for your advice, Rahul!

There were already some weak spots in the assignment that required assumptions, so I hope it will be OK with Sun if I make some more high-level assumptions about security.

Hope anyone can share some experience about these assumptions =)

Thanks!
     
Manju Sebastian
Greenhorn
Posts: 15
Alexey,

I think you can add authentication for sure. You can have a sequence diagram for it, with the required privileges loading on login.
For the dream car, basically we need to give a page without any authentication which lists all requests. Some suppliers will see the requests and current bids, and only then decide to make a bid, or register as a supplier, etc. So I think you have to think of another role, Guest, too.

I am still in the design phase, and have got many classes for each page. Papers are not enough :-) Hope all of this makes less than the max for submission.

Are you considering custom components or a composite view? I think a simple header and footer would be enough.
Let me think again and again. There are many scenarios coming to mind: mail for supplier registration activation, mail for bid selection, mail for new open request submission, etc., etc. In the end SUN may reject my assignment due to overthinking!!
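Putting Rahul's "application layer security" option (EJB method permissions) together with the roles Manju lists, as an added example that is not code from the thread or from the assignment: an EJB 3 session bean whose method permissions let an anonymous guest browse requests while posting a request or placing a bid requires the Customer or Supplier role. The bean, role and method names are assumptions made for illustration.

```java
// Added example, not code from the thread or the assignment. Role names
// (Customer, Supplier) and method names are assumptions for illustration.
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"Customer", "Supplier"})
public class DreamCarRequestBean {

    @Resource
    private SessionContext ctx;

    // Demo in-memory store; a real bean would persist JPA entities.
    private static final List<String> openRequests =
        Collections.synchronizedList(new ArrayList<String>());

    // The "Guest" role: anyone, logged in or not, may browse open requests,
    // so no role is required and the container admits unauthenticated callers.
    @PermitAll
    public List<String> listOpenRequests() {
        return new ArrayList<String>(openRequests);
    }

    // Only an authenticated Customer may post a request; the container rejects
    // any other caller with an EJBAccessException before this body runs.
    @RolesAllowed("Customer")
    public void submitRequest(String description) {
        openRequests.add(ctx.getCallerPrincipal().getName() + ": " + description);
    }

    // Only a registered Supplier may bid. The isCallerInRole check shows the
    // programmatic API; it is redundant here because the annotation already
    // enforces the same rule declaratively.
    @RolesAllowed("Supplier")
    public String placeBid(int requestIndex, long amountInCents) {
        if (!ctx.isCallerInRole("Supplier")) {
            throw new IllegalStateException("container should have blocked this call");
        }
        String request = openRequests.get(requestIndex);
        return ctx.getCallerPrincipal().getName() + " bid " + amountInCents
            + " cents on '" + request + "'";
    }
}
```

The web-tier counterpart Rahul mentions is a `<security-constraint>` in web.xml (or `@ServletSecurity` in Servlet 3.0) that maps the supplier and customer pages to the same role names, so the login that Manju's sequence diagram shows establishes one principal for both tiers.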
     
Alexey Kuntsevich
Greenhorn
Posts: 12
Hello, Manju!

Thank you for your answer!

I think creating different roles with different security permissions is a good idea, but I'm still not sure if it won't be kinda 'over-assumptioning' =)

I don't think this assignment requires implementing any complicated view classes.

Maybe we can discuss it by e-mail?

Thank you!
     
Rajes Rai
Greenhorn
Posts: 1
I have the same assignment and I am doing the authentication and authorization.
My assumption is that the same web page will greet the user and, based on role, it will decide which page shall be displayed.
I hope I am not going way beyond the requirements.