That exclamation, appropriated from some friends who also have a three-year-old and a newborn, neatly encapsulates our parenting experience over the last couple of days. Andrew has been pushing the behavioral envelope (as can be expected of three-year-olds) and quickly learned that retribution isn’t quite as swift when I’m gone and Elise is feeding Maggie. We’re trying to establish some inviolable rules, such as no backtalk when we tell him to do something. That includes foreign languages; he’s picked up some street Spanish from his friends at preschool. We’ve had a couple of amusing moments when I applied my formidable high-school Spanish skills to try to tell Elise when he’s cursing and when he’s just making it up. I was amused, anyway; Elise mostly throws the book at him. He had a household-record 18 minute time-out today when he repeadtely talked back and stuck his tongue out.
Bilingual potty-mouth notwithstanding, he’s obviously trying to adapt. He has surprised me a couple of times with his willingness to get along. Yesterday I took him to the local playground and he toted along his new favorite toy, a plastic front loader with boy-sized accessory shovel that makes for an above-average sandbox toy. We found one other father-son team in the sandbox on arrival, and the rival three-year-old was predictably attracted to the toy. When asked if he could share, Andrew replied that he would share “in two minutes.” I took that as an indefinite put-off, a preschool equivalent of “in your dreams, Dad!” But sure enough, after a few turns of scooping and dumping, he volunteered that he was ready to share and carried his toy over to his new friend. We dads watched them play happily for a few minutes, Andrew filling the bucket with his shovel, Lucien dumping the sand into a pile.
Lesson learned: he’s always listening. He won’t always admit to it. I won’t do him any favors by underestimating him.
Monthly Archives: May 2005
This just in from the “No Kidding?” department…
Windows file system compression doesn’t have a beneficial effect on large SQL Server databases. Hard to believe, I know, but it’s true. Trust me.
Margaret Elise
Today we welcomed Margaret Elise to the family! She was born at 6:57 PM at Brigham and Women’s Hospital in Boston. She weighed 6lbs, 15oz at birth and measured 18.5 inches in length. She has great lungs and wasn’t shy about letting us know it! Mom did great and in general it was a much less trying experience than with Andrew.
More details to come later – Dad needs to get some sleep! In the mean time you can enjoy a few pictures.
Java declarative security and server-side forwards
Another lesson learned the hard way today: the J2EE declarative security model doesn’t apply when the application forwards the user request to another URL using a RequestDispatcher or an include. This means that your web application can (intentionally or not) bypass an HTTP authorization security constraint by forwarding the user request from a non-protected URL. The servlet spec does not dwell on the point, but section SRV.12.2 does say as much.
At best, this is inflexible. Having a property on the RequestDispatcher that specifies whether or not to perform auth checks would at least allow the programmer to state his intentions. At worst, it’s a security problem. If your application has a forward URL that’s not protected by HTTP authentication (not a particularly smart thing to do, but it happens), a malicious user could use that to gain access to protected parts of your application. So far I haven’t been able to use this techique between two webapps on the same server. When I try to forward a request to a protected URL in another webapp, I get a 404 error – not quite what I expected, but better that no protection whatsoever.
HTTP auth is not commonly used as an authentication strategy application-wide but sometimes we use it to protect administrative features, such as application management consoles. Having this misfeature in-place and not well-explained in the documentation sets programmers up for security problems. Sun, you can do better than that.