Difference between revisions of "Abstraction"

From Code4Lib
(General rule: Abstract things out as much as makes sense)
m (Reverted edits by 119.167.225.136 (Talk); changed back to last version by Wickr)
Latest revision as of 04:34, 27 July 2009


General rule: Abstract things out as much as makes sense

Specific rule: Abstract the living crap out of your authentication scheme.

Look, pretty much everyone with anything worth protecting already has an auth/authZ infrastructure in place. Sometimes an extensive, perhaps multi-institutional infrastructure. One that isn’t going to be bypassed without, say, getting fired.

So if you’re going to require people to log in, make sure you make that process as abstract as you possibly can, both in algorithm and in code. Have a singleton class that’s easily subclassed to represent your user, and call it exclusively. Make sure that your URIs are easily separated into those that require auth and those that don’t, so that mod_rewrite or whatnot can redirect to authentication with a simple rule. Make sure it’s easy to hook into (or work around) AJAX requests that need authentication but whose session has expired, since a redirect to a login page is useless to a script expecting JSON.

And for the love of god, don’t stuff username/password information into a cookie if you’re doing web work. Use a session and session key. Any auth scheme that I can spoof is no auth scheme at all, because I’m an idiot and not even trying hard.
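The following is an added example, not code from the original wiki page, that puts the two rules above into one small piece of Python: a single `User` class and an abstract `AuthBackend` that the rest of the application talks to exclusively (the `LocalPasswordBackend` is a constructed stand-in for whatever institutional backend you would subclass in), a server-side `SessionStore` so the browser only ever carries an opaque random session key rather than a username/password pair, a URI split into protected and public prefixes, and a dispatcher that sends browsers to `/login` but answers AJAX callers with a 401 when the session has expired. All names (`requires_auth`, `dispatch`, `PROTECTED_PREFIXES`, the `/account/` and `/admin/` prefixes) are hypothetical and chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote


class User:
    """The one user abstraction the app talks to; subclass it per institution."""
    def __init__(self, user_id: str, roles: frozenset = frozenset()):
        self.user_id = user_id
        self.roles = roles


class AuthBackend:
    """Abstract backend: subclass to plug in LDAP, SSO, Shibboleth, whatever."""
    def authenticate(self, username: str, password: str) -> Optional[User]:
        raise NotImplementedError


class LocalPasswordBackend(AuthBackend):
    """Constructed stand-in: salted PBKDF2 hashes held in memory (demo only)."""
    def __init__(self):
        self._users = {}  # username -> (salt, digest, roles)

    def add_user(self, username, password, roles=()):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, frozenset(roles))

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, roles = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Constant-time comparison so timing does not leak how close a guess was.
        return User(username, roles) if hmac.compare_digest(candidate, digest) else None


class SessionStore:
    """Server-side sessions: the cookie carries only an unguessable random key."""
    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions = {}  # key -> (User, expiry timestamp)

    def create(self, user, now):
        key = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[key] = (user, now + self.ttl)
        return key

    def lookup(self, key, now):
        if key is None or key not in self._sessions:
            return None
        user, expiry = self._sessions[key]
        if now >= expiry:
            del self._sessions[key]  # expired session behaves exactly like none
            return None
        return user


PROTECTED_PREFIXES = ("/admin/", "/account/")  # hypothetical URI split


def requires_auth(path: str) -> bool:
    """The same prefix rule an equivalent mod_rewrite RewriteCond would use."""
    return path.startswith(PROTECTED_PREFIXES)


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def is_ajax(req: Request) -> bool:
    return req.headers.get("X-Requested-With") == "XMLHttpRequest"


def dispatch(req: Request, sessions: SessionStore, now: float) -> Response:
    if not requires_auth(req.path):
        return Response(200, {}, "public content")
    user = sessions.lookup(req.cookies.get("session"), now)
    if user is None:
        if is_ajax(req):  # scripts get a machine-readable 401, not a login page
            return Response(401, {"Content-Type": "application/json"},
                            '{"error": "authentication required", "login": "/login"}')
        return Response(302, {"Location": "/login?next=" + quote(req.path, safe="")}, "")
    return Response(200, {}, f"hello {user.user_id}")


def login(backend: AuthBackend, sessions: SessionStore, username, password, now):
    """Only the backend ever sees the password; the caller gets a session key or None."""
    user = backend.authenticate(username, password)
    return None if user is None else sessions.create(user, now)
```

Swapping the institutional backend means subclassing `AuthBackend` and nothing else; the dispatcher, the session store and the URI split never see a credential, which is the whole point of abstracting the scheme out.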