Access Control in ColdFusion - The Basics (part 1) - Security Series #7.2

OK, so I have been putting off this access control stuff for too long. So let's get to it.

In "the basics" we are going to continue our discussion of access control by focusing on controlling how our application is accessed. We are not going to worry about source code files, media or image files, servers, non-web document files, or DBMSs. We are just going to worry about accessing the application from the browser, controlling program flow, etc.


MVC Form Handling with ColdBox, ColdSpring, and Transfer. Does this seem right?

So I have been working on my first ColdBox application the last couple of weeks, and one of the things I have been struggling with is Form Handling and Validation. I have not been struggling because these concepts are difficult, but with not knowing how they should be implemented in ColdBox or any other MVC framework.

The heart of my question is this: when I want to display a form with values pre-populated (like when a user clicks on an 'edit' button for a page in a CMS), do I pass the whole bean to the view for insertion into the input tags using its getter and setter methods, or do I use the getter and setter methods in the controller to insert the values into the event/request context object and then use the event's getValue() and setValue() methods in the view?


Some of My Questions about Object-Oriented Programming with ColdFusion

Wow. Some days I feel like I am just barely treading water on this Object-Oriented stuff. Today is one of those days. I go to do a simple search on some concept in OO and I end up spending an hour and a half reading posts from all of these frakking geniuses that make me feel dumber than a bag of hair.

I want to ask questions, but three things stand in my way.

  1. I don't want to bombard one or two people with all of my questions
  2. If I email one or two people, I don't want them to feel obligated to answer me
  3. It's hard to ask a question when I don't know all the terminology and I need to provide a huge example of what I am doing


Google has Open Sourced RatProxy Security Tool

Google has announced that they have open-sourced RatProxy, which, according to the Google Code site, is:

"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."


More on Access Control - Security Series #7.1

Let's get cracking on Access Control. In my last security post we looked at some bad examples of access control. It was good for a laugh and remembering simpler times, but we really need to see how access control can be better handled.

Now, before we begin I will throw out that the examples I am going to show in this sub-series are simplified. I am not going to try to work them into frameworks, or AOP, or anything else that could make them "better". This is about demonstrating the concepts of access control to those who may be unfamiliar with it.


MVC + IoC + ORM = Amazing learning experience and a lot of fun

The next few posts in my security series will be delayed. I have been busy with some other projects, as you are about to read. I hope to have them out by the end of this week, or early next week.

So my journey into the world of Object-Oriented Programming has begun, and I am really excited about it. It is definitely a different way of thinking about programming. So far there are things that I like, things that I really like, and things that will take getting used to. There has not been a single thing that has made me say that I dislike OO (so far).


Are Stored Procedures any more secure than parameterized queries?

I am not going to include this post in my security series, because I am not really sure of the answer. This is more of a thought exercise and a request for input from the community.

So there has been a lot of discussion about best practices for application/database security. One of the "Best Practices" that is mentioned fairly often is:

Use Stored Procedures for Update/Insert queries.

My question is, is this really necessary to have a secure application?


Handy JavaScript Functions: setTimeout()/clearTimeout()

So the other day I was working on a simple Ajax filter text box. As the user entered text, the table below it would filter based on the entries in the text box. It was simple enough: I was using the onKeyUp event in JavaScript so that each time the user released a key, the Ajax request was made.

Some of you will see the problem with this already. If the user quickly types in 5, 8, 10, 12 characters, the browser would make that many Ajax calls. And it got even worse if the user hit Backspace several times to clear the field.


Access Control Intro - Security Series #7

This sub-series is inspired by a question that was submitted to Raymond Camden's ColdFusion Jedi blog.

Basically, the question was about whether or not "complex security" was possible with ColdFusion. I believe he was asking about granular access control. Ray's response was fine, but both he and the questioner commented on the fact that there were no existing posts on this topic. So I said to myself....


Launched a new Site. Not ColdFusion, but still cool

So about a year ago the Minnesota Valley Humane Society put out a call for people to help them with their website. I was one of those that answered.

We had several planning meetings, did some research, looked at hosting options, etc., etc. and decided to go with a Drupal site. At the time I had used Drupal on a few other sites and I felt that building a custom CF site would take too long.



BlogCFC was created by Raymond Camden. This blog is running version 5.9.002.