Monthly Archives: October 2005

The Joy Of Sharing

I really love to take photos. I’m not terribly good at it, but I’m not terribly bad either. I do take a lot of photos when I get the opportunity though so that helps me get a good one every now and then. I try to share some of the best photos I take. If you look on the front page of you’ll see a link that says “My Pictures” and it will take you to stock.xchng where I give away as many as anybody wants to take.
My photos have literally been downloaded thousands of times at this point and I hope they will be downloaded many thousands more. I’ve gotten emails telling me that they went into web designs, t-shirts, the cover of a book of poetry and short stories, and even an advertising flyer. Those were only the ones people took the time to tell me about.
My friend Don Thorp takes photos too and he’s a much better photographer than I am. Here’s a really cool one of his photos:

He hasn’t put his photos on stock.xchng or iStockPhoto or anyplace else; they just sit on his website, and still people find them and ask to use them. So far I think this particular photo was used for an illustration in a children’s book and is in a Korean biology book.
Total amount of money I’ve made so far from putting some photos up for money on iStockPhoto: Less than $2 (US). Total amount of satisfaction I’ve gotten from handing out almost 3,000 photos on stock.xchng: Way way way more.
Look around and ask yourself if you don’t have something that is worth sharing too.

Role != Permission

We use Kasai for security on some applications at work now. I was responsible for the choice of Kasai and I recognize that it has some serious problems, in fact, I have a kind of love/hate relationship with it because of the way it is written and maintained. However, before I do an entry complaining about it, let me talk about why I love it and why most people don’t seem to understand some aspects of security.
Let me say it simply. Roles are not equal to permissions. Way too many systems (like Tomcat) and way too many people I’ve worked with treat roles as though they were a valid form of permission control rather than a way to simplify permission grouping. Kasai does this correctly. It treats permissions as the low-level access controls that they should be. Everything you want to control access to, perhaps down to the page or function call level, can be a separate permission. Because that many permissions can quickly become unwieldy, Kasai allows permission groups and roles to group permissions at higher and higher levels of abstraction.
Let’s take a real world analogy for an example. Let’s say you had a business where you had a lot of cabinets to which you needed to control access. If you did things the way most people do you’d try to do that with as few keys as possible: one key handles the first five cabinets, the blue one is only for special cabinet ‘A’, etc. Then, if you suddenly have to shuffle around the contents of the cabinets or add somebody new who you only want to open some subset of cabinets for which no key combination exists, you are in a world of hurt because you may end up having to change the locks on each cabinet and get a whole new set of keys.
That’s what most people do when it comes to using roles with security. They try to boil down security to a couple of keys which open a lot of locks. They create Admin, Editor, and User roles and “hope” that it will all work out. Then they code up their application (web or otherwise) to check for those roles and, in effect, code the security into their application. If somebody comes along who needs to cross over a couple of roles (e.g. James is just a regular user in most respects, but we trust him to review newly added forum posts to filter out the junk, so he’s like an editor in just that one respect) then you end up creating an all new role just for that one flavor of user (and modifying all affected pages). Eventually, if carried far enough for enough users, roles become finer and finer grained and can approach being individual permissions again, except that you won’t have any roles or other higher level abstraction to group those permissions for easier application to the majority of users who aren’t exceptions and fall nicely into the easy partitions you wanted in the first place. Every user will have to have 20 different “roles” to be able to function.
What you would ideally do is put a different lock on each of your cabinets and have a different key for each lock. Then, even if you rearrange the contents of the cabinets you can just collect all the keys and hand them back out again in the new combinations and your security is restored. Your cabinets didn’t have to be modified and the only problem, at least in real life, is the proliferation of tons of keys to deal with. And in the computer world, we can use abstractions like roles and groups to gather together the most common arrangements of “keys” (permissions) that we will be applying to the majority of users.
Get yourself a real security system which has at least permissions and groups. Use permissions in a fine grained way to control access to individual functions. Use the higher level abstraction(s) to group the fine grained permissions into easy to apply units because most of your users will fall into easy to label categories. If you don’t do this right though, it’s the exceptions which will eat your lunch.
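The model the post argues for, written out as an added Python example (this is not Kasai’s API or code; the permission names, groups, roles and users are constructed for illustration): application code checks only individual permissions, roles and nested permission groups exist purely to bundle them, and the “James” exception is handled by granting him one extra permission instead of inventing a new role.

```python
from __future__ import annotations
from dataclasses import dataclass
from functools import wraps

# One permission per protected function or page: "one lock per cabinet".
# All of these names are constructed for the example.
P_FORUM_READ = "forum.read"
P_FORUM_POST = "forum.post"
P_FORUM_REVIEW = "forum.post.review"
P_ARTICLE_EDIT = "article.edit"
P_ARTICLE_PUBLISH = "article.publish"
P_USER_MANAGE = "user.manage"


@dataclass
class PermissionGroup:
    """A named bundle of permissions; groups nest to form higher abstractions."""
    name: str
    permissions: frozenset[str] = frozenset()
    subgroups: tuple[PermissionGroup, ...] = ()

    def expand(self) -> frozenset[str]:
        perms = set(self.permissions)
        for group in self.subgroups:
            perms |= group.expand()
        return frozenset(perms)


@dataclass
class Role:
    """A role is only a label over permission groups; it is never checked directly."""
    name: str
    groups: tuple[PermissionGroup, ...] = ()

    def expand(self) -> frozenset[str]:
        perms: set[str] = set()
        for group in self.groups:
            perms |= group.expand()
        return frozenset(perms)


@dataclass
class User:
    name: str
    roles: tuple[Role, ...] = ()
    # Exceptions get individual permissions ("one more key"), not a new role.
    direct_permissions: frozenset[str] = frozenset()

    def effective_permissions(self) -> frozenset[str]:
        perms = set(self.direct_permissions)
        for role in self.roles:
            perms |= role.expand()
        return frozenset(perms)


class PermissionDenied(Exception):
    pass


def has_permission(user: User, permission: str) -> bool:
    """The only check application code makes: a specific permission, never a role name."""
    return permission in user.effective_permissions()


def requires(permission: str):
    """Guard a function with a single fine-grained permission."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if not has_permission(user, permission):
                raise PermissionDenied(f"{user.name} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@requires(P_FORUM_REVIEW)
def review_post(user: User, post_id: int) -> str:
    return f"post {post_id} reviewed by {user.name}"


def try_call(fn, user: User, *args) -> bool:
    """True if the guarded call was allowed, False if it was denied."""
    try:
        fn(user, *args)
        return True
    except PermissionDenied:
        return False


def build_users() -> dict[str, User]:
    """Constructed policy: the usual User/Editor/Admin roles plus one exception (James)."""
    forum_basic = PermissionGroup("forum-basic", frozenset({P_FORUM_READ, P_FORUM_POST}))
    forum_moderation = PermissionGroup("forum-moderation", frozenset({P_FORUM_REVIEW}))
    articles = PermissionGroup("articles", frozenset({P_ARTICLE_EDIT, P_ARTICLE_PUBLISH}))
    # Nested groups: editors have everything a forum user has, plus moderation and articles.
    editorial = PermissionGroup("editorial", subgroups=(forum_basic, forum_moderation, articles))
    administration = PermissionGroup("administration", frozenset({P_USER_MANAGE}), (editorial,))

    user_role = Role("User", (user_groups := (forum_basic,)))
    editor_role = Role("Editor", (editorial,))
    admin_role = Role("Admin", (administration,))
    return {
        "alice": User("alice", (user_role,)),
        "bob": User("bob", (editor_role,)),
        "carol": User("carol", (admin_role,)),
        # James: a regular user trusted to review forum posts, granted as one extra permission.
        "james": User("james", (user_role,), frozenset({P_FORUM_REVIEW})),
    }


if __name__ == "__main__":
    for name, user in build_users().items():
        print(name, "review_post ->", try_call(review_post, user, 7))
```

Because `review_post` is guarded by `forum.post.review` rather than by “is an Editor”, reshuffling who may review (moving that permission into a different group, or granting it to one more user) is a change to the policy data in `build_users`, and none of the guarded functions need to be touched.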

NetBeans 5.0 Looks Like A Big Improvement

I watched this Flash-based presentation on the NetBeans 5.0 Beta over at JavaLobby and I was very pleased. I used NetBeans for many years as my IDE for Java development and I only moved to Eclipse because it had things like refactoring that I just wasn’t getting from NetBeans.
NetBeans didn’t just go stagnant in the face of a superior product though. Quite the contrary. They’ve been frantically adding new features and refactoring to improve speed and usability. Overall, what I saw in the above presentation and the last one on NetBeans 4.0 (where they shifted to Ant for all project management, hear that Eclipse?) is very very encouraging. With this kind of serious competition between two free IDEs I feel very lucky to be doing Java work.
Without a doubt, between Java and all the open source libraries and servers and tools available for it, I am more productive within a given unit of time than I have ever been in the 18 years I’ve been doing software development.