Re: [JBoss-dev] Example of how careless handling of AOP pointcut expressions can screw you up good

Mon, 30 Jan 2006 11:32:13 -0800

FYI, if you refactor code with Intelllij, and have the AOP XML in your classpath, it will discover and change the XML for at least the classname. 

Ovidiu Feodorov wrote:



Yes, that's why I said Tim does a very good job at surrounding the 
functionality he writes with test cases that check whether the expected 
good things happen, but also probe for potential bad things.


Adding lots of tests has two major benefits:

1. Provide you with a safety mesh. Thicker, the better, it may help you 
catch problems by exposing random interactions never thought about. 
Machines to run testsuites are cheap.
2. Help you better understand the functionality you write, help you 
discover edge cases and potential pitfalls, and quite often help you to 
find a better way to write the very functionality you're working on.



Writing tests increases the development time, but the benefits far 
exceed the drawbacks. Just think at a production down situation that can 
have been prevented by having the right (and trivial) test in place.



The Messaging project's capital sin is to modify/remove a semantically 
correct test :)


Scott M Stark wrote:


I would suspect that the tests simply asserted that someone could be
denied access. This is a general failing in the tests I see written.
Tests only assert that the expected good things happen. There are not
enough tests written to validate that bad behaviors are also constrained
to expected and recoverable behaviors.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ovidiu Feodorov
Sent: Friday, January 27, 2006 11:44 AM
To: jboss-development@lists.sourceforge.net
Subject: [JBoss-dev] Example of how careless handling of AOP pointcut
expressions can screw you up good



A succinct example of how AOP pointcut expressions without proper tests 
and/or compile-time check tools can screw you up good:



JMS lets you create anonymous message producers, and for this case, 
security checks must be applied on each message send. The following 
pointcut expression enforces that:



  <bind pointcut="execution(* 
org.jboss.jms.server.endpoint.advised.ProducerAdvised->send(..))">
     <advice name="handleSend" 
aspect="org.jboss.jms.server.container.SecurityAspect"/>

  </bind>


Recently, the ProducerAdvised's send() method name and signature has 
been changed upon a refactoring:


$ cvs diff -r 1.3 -r 1.2 ProducerAdvised.java
Index: ProducerAdvised.java
===================================================================
RCS file:
/cvsroot/jboss/jboss-jms/src/main/org/jboss/jms/server/endpoint/advised/
ProducerAdvised.java,v
retrieving revision 1.3
retrieving revision 1.2
diff -r1.3 -r1.2

...

68c69
<    public void sendMessage(Message message) throws JMSException
---

 


  public void send(Destination destination, Message message, int

   


deliveryMode, int priority, long timeToLive) throws JMSException

...


As result, no security checks were applied anymore on individual message


sends for anonymous producers, leading to a very silent, subtle and 
potentially dangerous error condition.


Praises to Tim for adding test cases that helped us catch the problem on

our work benches and not in some customer's production environment.


Can the Eclipse AOP plugin help in catching this type of error at 
refactoring time?


Ovidiu



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=k&kid3432&bid#0486&dat1642
_______________________________________________
JBoss-Development mailing list
JBoss-Development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-development


 





--
Bill Burke
Chief Architect
JBoss Inc.


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
JBoss-Development mailing list
JBoss-Development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-development






















					Reply via email to