Mailing-List: contact struts-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Struts Users Mailing List" <struts-user@jakarta.apache.org>
Message-ID: 
 <7851AE957357D611A8EB000347961E770E65A049@mail.1.24.172.in-addr.arpa>
From: "Jerry Jalenak" <Jerry.Jalenak@LABONE.com>
To: "'Struts Users Mailing List'" <struts-user@jakarta.apache.org>
Subject: RE: [OT] Use of Static Methods
Date: Thu, 10 Jul 2003 12:30:13 -0500
MIME-Version: 1.0
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Micael,

The class is called 'Password':

public class Password
{
	public static byte[] getEncryptedPassword(byte[] digestKey, String
password)
	{
		try
		{
			MessageDigest md =
MessageDigest.getInstance("SHA1");
			md.update(digestKey);
			md.update(password.getBytes());
			return (md.digest());
		}
		catch(Exception e)
		{
			return (null);
		}
	}
	
	public static byte[] getRandomDigestKey()
	{
		byte[] digestKey = new byte[12];
		
		SecureRandom sr = new SecureRandom();
		sr.nextBytes(digestKey);
		return (digestKey);
	}
	
	public static String getRandomPassword()
	{
		return (RandomStringUtils.randomAlphabetic(8));
	}
}

I am calling this using 'Password.getEncryptedPassword(digestKey,
password)'.  I don't think I have thread issues since I'm not using instance
variables, but I'm concerned about the use of the
MessageDigest.getInstance() and SecureRandom calls....

Thanks!

Jerry Jalenak
Team Lead, Web Publishing
LabOne, Inc.
10101 Renner Blvd.
Lenexa, KS  66219
(913) 577-1496

jerry.jalenak@labone.com


-----Original Message-----
From: Micael [mailto:caraunltd@harbornet.com]
Sent: Thursday, July 10, 2003 11:51 AM
To: Struts Users Mailing List
Subject: RE: [OT] Use of Static Methods


Could you give us the method body again?  That is where we can see if there 
is a thread safety issue?

At 07:53 AM 7/10/03 -0500, you wrote:
>To everyone:  WOW!  Talk about opening a can of worms!  It's been quite
>interesting reading the different viewpoints regarding the use of statics
vs
>singletons, whether Perl is OO or not, etc. etc. etc.  It's this kind of
>discussion that makes this list one (if not THE) best list on the web.
>
>Ted: Thanks for answering the specific question.  As much as I've enjoyed
>the thread, all I really wanted to know is if my approach for these
'helper'
>methods was appropriate or not.  I'm not sure what you mean by 'whether
>instantiating Password is an issue' - I can't think of a case where
>instantiating any class would be an issue, so I guess I could change the
>Password class to be a 'normal' class.  The 'getEncryptedPassword()' method
>is used by several different classes, so I don't really want to make it
part
>of a specific class - that's one of the reasons I moved it to a 'helper'
>class and made it static.  I guess the only question I have remaining is
>whether there is a problem with maintaining 'thread safety' with the use of
>a static method....   Is there a chance that two or more users can get to
>the method at the same time and clobber each other?
>
>
>Jerry Jalenak
>Team Lead, Web Publishing
>LabOne, Inc.
>10101 Renner Blvd.
>Lenexa, KS  66219
>(913) 577-1496
>
>jerry.jalenak@labone.com
>
>
>-----Original Message-----
>From: Ted Husted [mailto:husted@apache.org]
>Sent: Wednesday, July 09, 2003 5:34 PM
>To: Struts Users Mailing List
>Subject: Re: [OT] Use of Static Methods
>
>
>It's mainly a question of whether instantiating Password is an issue. If
>   not, then make it a normal method.
>
>Ideally, getEncryptedPassword should be a method of whatever class needs
>to call it.
>
>The benefit of static methods is that they can be called without
>instantiating the class that contains them. So long as instantiation is
>not an issue, then make it a normal method on whichever class needs to
>use it. (Or make Password a member class of whichever classes need to
>call it, and instantiate it when the parent class is instantiated.)
>
>-Ted.
>
>
>Jerry Jalenak wrote:
> > <back-from-lunch>
> >
> > Thanks to everyone for weighing in on this.  I certainly didn't expect
>this
> > type of discussion.
> >
> > Let me give an example of what we are trying to do, and see if this is
> > appropriate or not.  For various reasons we have a 'roll your own' logon
> > authentication process.  Part of the process takes the users password,
and
> > using a stored digest key, we encrypt it and then compare it to the
stored
> > (encrypted) password.  If they match, great.  If not, then we return an
> > error.  The code that we use to do the encryption looks like the
>following:
> >
> >       public static byte[] getEncryptedPassword(byte[] digestKey, String
> > password)
> >       {
> >               try
> >               {
> >                       MessageDigest md =
> > MessageDigest.getInstance("SHA1");
> >                       md.update(digestKey);
> >                       md.update(password.getBytes());
> >                       return (md.digest());
> >               }
> >               catch(Exception e)
> >               {
> >                       return (null);
> >               }
> >       }
> >
> > The class name is 'Password', so to call this method we use something
like
> > 'Password.getEncryptedPassword(storedDigestKey, enteredPassword)'.  Is
>this
> > type of method appropriate for a 'static' method?  Or should this be a
> > singleton?  Or a normal class?
> >
> >
> >
> > Jerry Jalenak
> > Team Lead, Web Publishing
> > LabOne, Inc.
> > 10101 Renner Blvd.
> > Lenexa, KS  66219
> > (913) 577-1496
> >
> > jerry.jalenak@labone.com
> >
> >
> > -----Original Message-----
> > From: Yee, Richard K,,DMDCWEST [mailto:Yeerk@osd.pentagon.mil]
> > Sent: Wednesday, July 09, 2003 12:35 PM
> > To: 'Struts Users Mailing List'
> > Subject: RE: [OT] Use of Static Methods
> >
> >
> > I and a lot of other developers would disagree with the statement
> > "Static methods are evil for many reasons including philosophical
(they're
> > not OO) and practical (you can't override their behavior)."
> >
> > 1) Whenever you write a method that only accesses static data of a
class,
> > you should declare the method as static.
> >
> > 2) It is not correct to say that static methods can't be overriden. They
>can
> > be overridden with another static method. You can't override a static
>method
> > to be non-static, however.
> >
> > 3) There are many cases where using the static modifier on a method is
> > totally appropriate. Typically, they are used on methods that provide a
>very
> > specific functionality that will never change. Using the static modifier
>on
> > such methods also reduces the overall memory footprint of an
application.
> >
> > Regards,
> >
> > Richard
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: David Graham [mailto:grahamdavid1980@yahoo.com]
> > Sent: Wednesday, July 09, 2003 9:22 AM
> > To: Struts Users Mailing List
> > Subject: RE: [OT] Use of Static Methods
> >
> >
> >
> >>One of my programmers asked me whether or not it is OK to define
> >>helper methods as 'static' - and I realized that I didn't know the
> >>answer.  So I guess the question is, in a web application, can common
> >>code be factored out
> >>to a helper class and marked as 'static'?
> >
> >
> > Static methods are evil for many reasons including philosophical
(they're
> > not OO) and practical (you can't override their behavior).  You should
use
>a
> > Singleton class with non-static methods.
> >
> > Struts' RequestUtils class is a good example of why you should never use
> > static methods.  Developers want to override their behavior but can't
> > because everything is static.
> >
> > David
> >
> >
> >>Are there any major problems
> >>with
> >>doing this?  I should know the answer, but just can't put my thumb on
> >>it right now.... 8)
> >>
> >>TIA!
> >>
> >>Jerry Jalenak
> >>Team Lead, Web Publishing
> >>LabOne, Inc.
> >>10101 Renner Blvd.
> >>Lenexa, KS  66219
> >>(913) 577-1496
> >>
> >>jerry.jalenak@labone.com
> >>
> >>
> >>This transmission (and any information attached to it) may be
> >>confidential and is intended solely for the use of the individual or
> >>entity to which it is
> >>addressed. If you are not the intended recipient or the person
> >>responsible for
> >>delivering the transmission to the intended recipient, be advised that
> >>you have
> >>received this transmission in error and that any use, dissemination,
> >>forwarding,
> >>printing, or copying of this information is strictly prohibited. If you
> >>have
> >>received this transmission in error, please immediately notify LabOne at
> >>the
> >>following email address: securityincidentreporting@labone.com
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: struts-user-help@jakarta.apache.org
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: struts-user-help@jakarta.apache.org
> >>
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: struts-user-help@jakarta.apache.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: struts-user-help@jakarta.apache.org
> >
> >
> > This transmission (and any information attached to it) may be
confidential
>and is intended solely for the use of the individual or entity to which it
>is addressed. If you are not the intended recipient or the person
>responsible for delivering the transmission to the intended recipient, be
>advised that you have received this transmission in error and that any use,
>dissemination, forwarding, printing, or copying of this information is
>strictly prohibited. If you have received this transmission in error,
please
>immediately notify LabOne at the following email address:
>securityincidentreporting@labone.com
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: struts-user-help@jakarta.apache.org
> >
> >
>
>
>--
>Ted Husted,
>    Junit in Action  - <http://www.manning.com/massol/>,
>    Struts in Action - <http://husted.com/struts/book.html>,
>    JSP Site Design  - <http://www.amazon.com/exec/obidos/ISBN=1861005512>.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: struts-user-help@jakarta.apache.org
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: struts-user-help@jakarta.apache.org


LEGAL NOTICE

This electronic mail  transmission and any accompanying documents contain 
information belonging to the sender which may be confidential and legally 
privileged.  This information is intended only for the use of the 
individual or entity to whom this electronic mail transmission was sent as 
indicated above. If you are not the intended recipient, any disclosure, 
copying, distribution, or action taken in reliance on the contents of the 
information contained in this transmission is strictly prohibited.  If you 
have received this transmission in error, please delete the message.  Thank 
you  


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org