It’s Friday, and time again for some Friday Fixes: selected problems I encountered during the week and their solutions.
You know the old saying, “build a man a fire and he’s warm for a day; set a man on fire, and he’s warm for the rest of his life.” Or something like that. I’ve been asked about tool preferences and development approaches lately, so this week’s post focuses on tools and strategies.
If you’re sick of JVM hot-swap error messages and having to redeploy for nearly every change (who isn’t?), run, do not walk, to ZeroTurnaround‘s site and get JRebel. I gave up on an early trial last year, but picked it up again with the latest version a few weeks ago. This thing is so essential, it should be part of the Eclipse base.
And while you’re in there, check out their Java EE Productivity Report. Interesting.
My DB2 tool of choice depends on what I’m doing: designing, programming, tuning, administering, or monitoring. There is no “one tool that rules them all,” but my favorites have included TOAD, Eclipse DTP, MyEclipse Database Tools, Spotlight, db2top, db2mon, some custom tools I wrote, and the plain old command line.
I never liked IBM’s standard GUI tools like Control Center and Command Editor; they’re just too slow and awkward. With the advent of DB2 10, IBM is finally discontinuing Control Center, replacing it with Data Studio 3.1, the grown-up version of the Optim tools and old Eclipse plugins.
I recently switched from a combination of tools to primarily using Data Studio. Having yet another Eclipse workspace open does tax memory a bit, but it’s worth it to get Data Studio’s feature richness. Not only do I get the basics of navigation, SQL editors, table browsing and editing, I can do explains, tuning, and administration tasks quickly from the same tool. Capability wise, it’s like “TOAD meets DTP,” and it’s the closest thing yet to that “one DB2 tool.”
For team development, I’m a fan of preloaded images and workspaces. That is, create a standard workspace that other developers can just pick up, update from the VCS, and start developing. It spares everyone from having to repeat setup steps, or debug configuration issues due to a missed setting somewhere. Alongside this, everybody uses the same directory structures and naming conventions. Yes, “convention over configuration.”
But with the flexibility of today’s IDEs, this has become a lost art in many shops. Developers give in to the lure of customization and go their own ways. But is that worth the resulting lost time and fat manual “setup documents?”
Cloud-based IDEs promise quick start-up and common workspaces, but you don’t have to move development environments to the cloud to get that. Simply follow a common directory structure and build a ready-to-use Eclipse workspace for all team members to grab and go.
I’ve been following Josh Primero’s blog as he challenges the typical programmer lifestyle.
Josh is taking it to extremes, but he does have a point: developers’ lives are often too hectic and too distracted. This “do more with less” economy means multiple projects and responsibilities and the unending tyranny of the urgent. Yet we need blocks of focused time to be productive, separated by meaningful breaks for recovery, reflection, and “strategerizing.” It’s like fartlek training: those speed sprints are counterproductive without recovery paces in between. Prior generations of programmers had “smoke breaks;” we need equivalent times away from the desk to walk away and reflect, and then come back with new ideas and approaches.
I’ll be following to see if these experiments yield working solutions, and if Josh can stay employed. You may want to follow him as well.
Be > XSS
As far as I know, there’s no-one whose middle name is <script>transferFunds()</script>. But does your web site know that?
It’s surprising how prevalent cross-site scripting (XSS) attacks are, even after a long history and established preventions. Even large sites like Facebook and Twitter have been victimized, embarrassing them and their users. The general solution approach is simple: validate your inputs and escape your outputs. And open source libraries like ESAPI, StringEscapeUtils, and AntiSamy provide ready assistance.
But misses often aren’t due to systematic neglect, rather they’re caused by small defects and oversights. All it takes is one missed input validation or one missed output-encode to create a hole. 99% secure isn’t good enough.
With that in mind, I coded a servlet filter to reject post parameters with certain “blacklist” characters like < and >. “White list” input validation is better than a blacklist, but a filter is a last line of defense against places where server-side input validation may have been missed. It’s a quick and simple solution if your site doesn’t have to accept these symbols.
I’m hopeful that one day we’ll have a comprehensive open source framework that we can simply drop in to protect against most web site vulnerabilities without all the custom coding and configuration that existing frameworks require. In the mean time, just say no to special characters you don’t really need.
On that note, I’ve turned off comments for this blog. Nearly all real feedback comes via emails anyway, and I’m tired of the flood of spam comments that come during “comments open” intervals. Most spam comments are just cross-links to boost page rank, but I also get some desperate hack attempts. Either way, it’s time-consuming to reject them all, so I’m turning comments off completely. To send feedback, please email me.