Connection between requirements and code in code - java

I am looking for a simple way to connect information about a requirement/release to the source code.
The case is that a developer should be able to find any artifacts created for a given release or CR in an easy way.
The idea I have is to introduce a new annotation to mark any new class (I am not sure if it is good for any new method), for example:
@ArtifactInfo(release="1.2", cr="cr123")
Do you have any other ideas? Maybe you already use something similar?
Take care,
Marcin

IMO the code is the wrong place for that kind of information.
Take a look at the imaginary code below.
class Authenticator {
    void login(String username, String password) {
        User user = retrieveUserFromDatabase(username);
        throwIfWrongPassword(user, password);
        verifyUserAge(user);
    }
    void throwIfWrongPassword(User user, String password) {
        // throws AuthenticationException if password is wrong
    }
    void verifyUserAge(User user) {
        // verify that user is above 18 or account is authorized by a parent
    }
    void biometricLogin(String username, BiometricImage bioimg) {
        User user = retrieveUserFromDatabase(username);
        verifyBiometricImage(user, bioimg);
        verifyUserAge(user);
    }
}
This is the result of a few requirements:
Users must authenticate to have access to the system
Users can use biometric authentication instead of password auth
Underaged users must be authorized by parents or something like that.
All those requirements were added at different points in time, in different versions of the software.
A class-level, or even a method-level annotation won't suffice to effectively map requirements to code.
You'd have to use a "line of code"-level annotation.
Of course, that's impractical.
The right way to do that is to follow a few best practices when using the source code repository and the bug tracker:
1) Every requirement corresponds to one or more issues on the bug tracker
2) Every commit message starts with a corresponding issue key, like "PROJ-123 - a nice feature"
3) When you do a release (meaning, incrementing your software version), you tell the bug tracker that those issues were fixed in that version.
If you need to know what requirements were implemented in what version, ask your bug tracker.
If you need to know all the code that was produced for a given requirement, ask your source code repository (filter commits by log message)
If you need to know what the requirement is for a given line of code, ask your source code repository. Git and SVN have a "blame" command that will tell you, for a given file, for each line of code, who committed it, when, and the commit message (which will have the issue number if everyone on the team is a good boy), so this will work as that hypothetical "line-of-code"-level annotation.
Using "commit hooks" can help you enforce rule 2) in an organization.
Maven has some degree of integration with JIRA and other bug trackers, and maybe it can help automate #3. But I haven't really used it like that. But if it doesn't do what you need, you can always ask for more :-)

Related

Cross Site History Manipulation(Checkmarx)

Does anyone know how to fix the Checkmarx vulnerability -- Cross Site History Manipulation -- for Java based applications?
Here is the description provided by Checkmarx scan -- "the method may leak server-side conditional values, enabling user tracking from another website. This may constitute a Privacy Violation."
Here is the related code :
if (isAuthenticated) {
    response.sendRedirect(url);
} else {
    response.sendRedirect(url);
}
Upon googling I found some Checkmarx documentation which suggests adding a random number to the redirect URL. Here is the link to the document: https://www.checkmarx.com/wp-content/uploads/2012/07/XSHM-Cross-site-history-manipulation.pdf
For e.g :
if (!isAuthenticated)
    Redirect("Login.aspx?r=" + Random());
I tried this approach but the Checkmarx scan still shows the same vulnerability. Not sure why.
XSHM could be CWE-203 (http://cwe.mitre.org/data/definitions/203.html) according to the CX documentation.
The problem could be complex or simple. With just your 5 lines we cannot say exactly what the good solution is.
Checkmarx checks whether your redirect URL includes some random value. Here are some random methods checked by Java/Cx/General/Find_Cross_Site_History_Manipulation_Random:
Random.Next
Math.random
Randomizer.*
Random.nextBytes

How To Add A User Alias Using Google Admin SDK Java API

I am using the service account model and Google's Admin SDK Java API to retrieve and modify users.
The goal is to add an alias for an existing user.
Alias newAlias = new Alias();
newAlias.setId(userID);
newAlias.setAlias(alias);
Directory.Users.Aliases.Insert request = directory.users().aliases().insert(userID, newAlias);
request.execute();
execute() fails 100% of the time with the error message:
"Value set through a parameter is inconsistent with a value set in the request"
but of course does not identify the problem parameter or value, or provide a suggestion.
I tried all 8 combinations of scoped (or not scoped) userID and alias in newAlias, and userID in the request, with the same result. By all 8 combinations, I mean:
newAlias.setId(userID);
newAlias.setAlias(alias);
insert(userID, newAlias);
newAlias.setId(userID@domain.com);
newAlias.setAlias(alias@domain.com);
insert(userID@domain.com, newAlias);
and so on...
Any ideas greatly appreciated.
I think it is worth adding that, while I believe the above approach is correct (using Directory.Aliases.Insert) and that I am missing some critical information or made a mistake, I also attempted to add the alias by updating the User object instead of Aliases, something like this:
List<String> aliases = new ArrayList<String>();
aliases.add(scopedAlias); // userid@domain.com
User user = retrieveUser(uid); // Gets current record from Google
user.setAliases(aliases);
Directory.Users.Update request = directory.users().update(uid, user);
request.execute();
That did not work either.
Anyone have an example of working code?
I've gotten aliases inserted using the following:
Alias alias = new Alias();
alias.setAlias(aliasString);
directory.users().aliases().insert(userId, alias).execute();
I don't have anything in the way of insight as to why your approach isn't working or why my approach works, but there you go.
S. McKinley's suggestion worked.
The key difference:
I had been including the call:
alias.setId(userId);
or
alias.setId(scopedUserId); // userId@domain
Either one resulted in the "parameter is inconsistent with a value" error. Leave it out and the alias gets created.
I was able to find the customerId as follows
Go to admin.google.com
Security -> Set up single sign-on (SSO)
You will see URLs like this:
https://accounts.google.com/o/saml2/idp?idpid=Cxxxxxxxx
That Cxxxxxxxx is your customerId

ThriftSecurityException (user:root, code:BAD_CREDENTIALS)

When I try to connect to Accumulo from a Java client, it is failing. I am using the 'root' user but have changed the password. I debugged my code; it is in fact getting the correct user name and password, the same one I use to log into the shell with.
I read on some other sites that I have to set 'trace.user' and 'trace.password' in my accumulo-site.xml file, so I did that and restarted accumulo. Unfortunately it did not change a thing.
When I try to connect from java, these are the important lines from the stack:
Caused by: org.apache.accumulo.core.client.AccumuloSecurityException: Error BAD_CREDENTIALS for user root - Username or Password is Invalid
Caused by: ThriftSecurityException(user:root, code:BAD_CREDENTIALS)
From my accumulo console, I see this:
08 15:44:06,0544 tserver:michael-GA-890GPA-UD3H 4
ERROR
ThriftSecurityException(user:root, code:BAD_CREDENTIALS)
When I look through my accumulo logs I just see the same exception and its stack getting printed every second that goes by.
I went looking through the accumulo manual and couldn't find anything that I'm missing. A google search and SO search also did not help me.
Would somebody please tell me what I'm doing wrong?
Depending on the version you're using, you may also have trace.token.property.password defined in accumulo-site.xml which is the replacement for trace.password. >=1.6.0 introduced the trace.token.property.password property. If both that property and trace.password are present in the configuration, trace.token.property.password will take precedence over trace.password.
Look at the $ACCUMULO_LOG_DIR/tracer_$hostname.debug.log file, you'll likely have numerous exceptions in there.
The "proper" way (read as: how you'd want to do it in a production environment) to configure the tracer is to create the 'trace' table as 'root', create a 'trace' user, and give the 'trace' user READ, WRITE and ALTER_TABLE permissions on the 'trace' table. Then, update trace.user and trace.token.property.password in accumulo-site.xml.
Not sure if you still want the solution or not, but what helped me is changing the value of trace.token.property.password to the correct password, i.e., the value of instance.secret for the trace.user 'root' in the accumulo-site.xml file.
Or you could open the Accumulo shell as the 'root' user, create a new user inside the shell and then update the values of both the trace user and its current password.
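The two configurations the answers above contrast, as an added accumulo-site.xml fragment (this is not from the thread or from the Accumulo documentation; the property names trace.user and trace.token.property.password are the ones named in the answers, the dedicated 'trace' user is the first answer's suggestion, and both password values are made-up placeholders):

```xml
<!-- Weak: the tracer authenticates as root, so the root password sits in
     plaintext in accumulo-site.xml and anyone who can read the file, or who
     compromises the tracer process, holds full rights on the instance. -->
<property>
  <name>trace.user</name>
  <value>root</value>
</property>
<property>
  <name>trace.token.property.password</name>
  <value>root-password-placeholder</value>
</property>

<!-- Better: a dedicated 'trace' user created from the shell as root and
     granted only READ, WRITE and ALTER_TABLE on the trace table, so the
     secret stored here unlocks nothing else. On >= 1.6.0 this property
     wins over a stale trace.password, so remove the old one rather than
     leaving two values around to disagree. -->
<property>
  <name>trace.user</name>
  <value>trace</value>
</property>
<property>
  <name>trace.token.property.password</name>
  <value>trace-user-password-placeholder</value>
</property>
```

Whichever user you pick, the BAD_CREDENTIALS loop in the tserver log only stops once the password in this file matches the one stored for that user in Accumulo; restart after editing and check tracer_$hostname.debug.log as suggested above.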

CreateUser in DefaultUserAccessor

Can someone please explain what the difference is between CreateUser(String) and CreateUser(User, Credential) in Confluence? I want to create one user for Confluence, if the user is not there in the group. There is no information in the Confluence documentation. :(
I wrote code like this, but I am not sure whether it will accept the createUser method twice in the same line.
userAccessor.createUser(userAccessor.createUser(username), Credential.encrypted(password));
I am guessing that if the inner createUser is executed, then it will throw an exception at the outer parent createUser as it is trying to create the same user again?
Please give me your thoughts
Thanks
Samuel.
The new createUser(User, Credential) method replaces the old createUser(String) method, so you should use the former and construct a user with all the details:
User user = userAccessor.createUser(new DefaultUser("mryall", "Matt Ryall", "matt@mattryall.net"),
        Credential.unencrypted("secret"));
The reason for having this API was to reduce the number of calls needed to create a user, and fix the potential race condition where you're creating a user with a username but with otherwise empty fields (name, email, password).
This entire API is very poorly documented. I work on the Confluence team at Atlassian - so mea culpa! We'll try to get this fixed.

Java EE : Prevent application URL hacking

I am working on an existing Web based application.
Now, I need to secure the application against what I think is called url hacking. For instance, if the customer with customerId 1 is logged in and viewing his profile, the following http get variable will be visible in the address field: customerId=1.
I need to prevent a customer from being able to set customerId=2 and see the profile of another customer.
The problem is that, the application is already in production and in good working condition, so the changes should be minimal with respect to this change.
How is this best achieved?
Any suggestions/comments?
Why do you give the id in the URL when the user should only be allowed to change his own profile? I don't see any need for this. Rather, get the current user from the SecurityContext and display its profile on a URL without the id.
With the new information you gave in the comments I suggest something like this:
Just check whether the given orderId in the URL belongs to the current user.
You're saying you use a "normal web based application", so I assume it is Servlet/JSP based. In your servlet you would do something like this:
int orderId = Integer.parseInt(request.getParameter("orderId"));
String username = request.getUserPrincipal().getName();
// Now check that username matches the user of the order, e.g. by using Hibernate to get the order by id
// and checking its user; if it does not match, throw a PermissionDeniedException or similar (names illustrative):
Order order = session.get(Order.class, orderId);
if (order == null || !username.equals(order.getOwner())) throw new PermissionDeniedException("not your order");
95% agree with Korgen's answer above.
5% - if you want to allow administrator access to edit user profiles using the same functionality just switch to UUID to identify edited user.
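The ownership check Korgen sketches, with the administrator case from the second answer folded in, as an added stand-alone example (this is not code from the thread; `Order`, `OrderRepository`, `AccessDeniedException` and the two sample orders are made up, and the principal name and admin flag stand in for what `request.getUserPrincipal()` and `request.isUserInRole()` would give a servlet):

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example, not from the thread. The id still comes from the URL, but
// the identity comes from the container, and the order is only returned when
// it belongs to that identity or the caller is an administrator.
public class OrderAccessCheck {

    // Hypothetical domain object: an order knows which username owns it.
    static final class Order {
        final int id;
        final String owner;
        final String description;
        Order(int id, String owner, String description) {
            this.id = id; this.owner = owner; this.description = description;
        }
    }

    // Thrown instead of leaking another customer's data; map it to HTTP 403 in a servlet.
    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Stand-in for the Hibernate lookup in the answer, with constructed sample data.
    static final class OrderRepository {
        private final Map<Integer, Order> orders = new HashMap<>();
        OrderRepository() {
            orders.put(1, new Order(1, "alice", "alice's order"));
            orders.put(2, new Order(2, "bob", "bob's order"));
        }
        Order findById(int id) { return orders.get(id); }
    }

    private final OrderRepository repo;
    OrderAccessCheck(OrderRepository repo) { this.repo = repo; }

    // orderIdParam is the raw request parameter; principalName is what
    // request.getUserPrincipal().getName() returns (null when unauthenticated);
    // isAdmin is what request.isUserInRole("admin") returns.
    Order loadOrderFor(String principalName, boolean isAdmin, String orderIdParam) {
        int orderId;
        try {
            orderId = Integer.parseInt(orderIdParam);
        } catch (NumberFormatException e) {
            // A malformed id is treated like an unknown one; the input is not echoed back.
            throw new AccessDeniedException("order not accessible");
        }
        Order order = repo.findById(orderId);
        // One response for "does not exist" and "not yours": distinct messages
        // would let a customer enumerate which order ids are valid.
        if (order == null || !(isAdmin || Objects.equals(order.owner, principalName))) {
            throw new AccessDeniedException("order not accessible");
        }
        return order;
    }

    public static void main(String[] args) {
        OrderAccessCheck check = new OrderAccessCheck(new OrderRepository());
        System.out.println(check.loadOrderFor("alice", false, "1").description); // alice's own order
        try {
            check.loadOrderFor("alice", false, "2"); // bob's order: refused
        } catch (AccessDeniedException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println(check.loadOrderFor("carol", true, "2").description); // admin may view any order
    }
}
```

Because the check keys on the container-supplied principal rather than anything in the request, the existing `customerId=` and `orderId=` URLs can stay as they are, which keeps the change minimal for an application already in production: the only new code path is the refusal.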
