Nov 18, 2009

Verified by Visa’s insecure password requirements

Several retailers have signed up for Visa’s Verified by Visa program, which adds an additional step to the familiar online credit card process. Theoretically, this step makes the transaction more secure by allowing you to specify and use a password in addition to the usual details like “name on card” and “billing address”. Unfortunately, their password requirements are terrible: passwords must be at least 6 and at most 8 characters long, must contain at least one letter and at least one number, and may not contain any special characters.

Here is their JavaScript password validator:


// /\W/ matches any character outside [A-Za-z0-9_]; the rest is a plain length check
if( (/\W/).test(document.passwdForm.pin1.value) || (document.passwdForm.pin1.value.length < 6) || (document.passwdForm.pin1.value.length > 8 ) )
{
    alert("Your password does not conform to the Password Policy. Please try again.");
    document.passwdForm.pin1.focus();
    return false;
}

For a feature that supposedly exists to protect my money on the web, this is just pathetic.
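To make the cost of that policy concrete, here is an added example (my own code, not Visa’s and not from the original post) that models the quoted validator and the policy as stated, puts a more defensible policy beside them, and computes how many candidate passwords each admits. The function names and the 12-to-128 character bounds of the "safer" policy are this example's own choices.

```javascript
// Added example: models the quoted Verified by Visa policy and a saner alternative.
// Function names and the 12..128 bounds of the safer policy are this example's own.

// Faithful to the quoted validator: reject anything outside [A-Za-z0-9_]
// (that is what /\W/ matches, so an underscore slips through) and enforce 6..8 chars.
function visaPolicyAccepts(pw) {
  return !/\W/.test(pw) && pw.length >= 6 && pw.length <= 8;
}

// The stated policy also demands at least one letter and one digit; the quoted
// script never checks that, so "aaaaaa" passes it but fails here.
function statedPolicyAccepts(pw) {
  return visaPolicyAccepts(pw) && /[A-Za-z]/.test(pw) && /[0-9]/.test(pw);
}

// A more defensible policy: long minimum, generous maximum, any character allowed.
function saferPolicyAccepts(pw) {
  return pw.length >= 12 && pw.length <= 128;
}

// Size of the candidate space for an alphabet of `alphabet` symbols and lengths
// minLen..maxLen, returned in bits (log2) so very large spaces stay representable.
function searchSpaceBits(alphabet, minLen, maxLen) {
  let total = 0;
  for (let n = minLen; n <= maxLen; n++) total += Math.pow(alphabet, n);
  return Math.log2(total);
}

// The quoted policy: 62 symbols (letters + digits), 6..8 chars -> roughly 47.7 bits,
// a space small enough to enumerate offline. A 12+ character policy over the
// 95 printable ASCII characters is hundreds of bits larger.
const VISA_BITS = searchSpaceBits(62, 6, 8);
const SAFER_BITS = searchSpaceBits(95, 12, 128);
```

Whichever policy is chosen, a client-side check like the one quoted is only a convenience for the user; the same rule has to be enforced on the server, where the password is actually set.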

Written by Dan in: General
Nov 17, 2009

No Leonids for Littleton

Not wanting to drive outside of the city at 2 AM, I figured I’d try to catch one or two meteors from The Leonids from my backyard. Sadly, all I got was a pretty indigo sky and some nice looking stars. Until next time…

Nov 05, 2009

Groovy deserialization troubles

In a Grails application, I needed to persist a complicated expression tree to the database, but I didn’t want to have Hibernate generate a database table for the information, as it would greatly affect read performance (lots of joins) and I don’t need relational access to subsets of the tree. I decided to serialize the entire tree into a BLOB.

After creating a Hibernate UserType to handle the serialization/deserialization, I ran into a ClassNotFoundException when attempting to deserialize my object. I found out that this is due to Java using the “last defined ClassLoader” when deserializing with an ObjectInputStream, which might not be the right ClassLoader in a Groovy environment (see: http://jira.codehaus.org/browse/GROOVY-1627).

The solution? Subclass ObjectInputStream so that you can pass in a predefined ClassLoader, and override resolveClass(ObjectStreamClass desc) to use that ClassLoader:


import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

/**
 * ObjectInputStream that resolves classes through an explicitly supplied
 * ClassLoader instead of the "last defined" loader the JDK picks by default.
 */
public class ClassLoaderAwareObjectInputStream extends ObjectInputStream {

    private final ClassLoader myClassLoader;

    public ClassLoaderAwareObjectInputStream(ClassLoader myClassLoader) throws IOException, SecurityException {
        super();
        this.myClassLoader = myClassLoader;
    }

    public ClassLoaderAwareObjectInputStream(InputStream in, ClassLoader myClassLoader) throws IOException {
        super(in);
        this.myClassLoader = myClassLoader;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Look the class up by name in the supplied loader; "false" skips static initialisation.
        // This resolves whatever class name the stream carries, so only feed it
        // data your own application serialized.
        String name = desc.getName();
        return Class.forName(name, false, myClassLoader);
    }
}

Thanks to Satish Gunnu for the tip.
