Archive for April, 2005

When enough is enough

I usually refrain from talking about politics; I don’t quite feel this kind of discussion belongs in a geeky blog, but tonight I just have to scream my disgust with the USA (and the Italian government, for that matter).

Most of you might not be aware that a few months ago an Italian hostage in Iraq was freed by Italian intelligence, possibly after ransom money was paid. On the way to the airport, a US patrol opened fire on the hostage’s car, killing an Italian secret agent and wounding the hostage.

Now, US military findings tell us that the US patrol wasn’t aware that a rescue operation was under way, and that the car was travelling at high speed (around 100 km/h) and didn’t stop after warning signals were given and warning shots were fired. We have a different story here: the Italians had been given written permission from the US command, the hostage keeps saying that the car wasn’t speeding, and no warning signals whatsoever were given before gunshots started to pepper the car, killing Nicola Calipari.

Of course I wasn’t there, so I can’t really tell who is right and who is wrong (but hint: that very night Nicholas Negroponte was due to pass along that very road, and the patrol had been sent to make sure everything was in order). What really bothers me is that since March 4, the day this tragedy happened, the US haven’t let their Italian allies proceed with any investigation, not even having a look at the car that was shot, and right now they are basically saying that they did exactly what they were supposed to do and that they can’t be blamed for what is and remains a “tragic accident”.

Tragic accident my ass. I could have lived with an admission of reciprocal incompetence (Italy should have been clearer about what was going on that night in Baghdad, and the US soldiers should have given those poor guys a chance to stop instead of just firing away), but this is more than I can bear. If only this were the first time the US had behaved in such an arrogant way: back in 1999 a US jet killed 20 people when the crew sheared the cables of a cable car at the ski resort of Cermis, in Northern Italy. When the plane landed, the flight recorder had been “accidentally” reset, so that no flight data were available; there was, however, a voice recording of a laughing crew betting on whether the pilot would be able to fly below the wires. The US wouldn’t let Italian courts prosecute their fellow soldiers, and we trusted our allies would run a careful inquiry and trial. Well, guess what? Captain Richard Ashby, the aircraft’s pilot, was cleared of all charges and didn’t spend a single day in jail. The findings were that the poor guy was confused by the mountain terrain, had altitude indicators that weren’t working correctly and, despite flying day in, day out over that strip of land, didn’t have the cable car wires on his map. How does that sound to any reasonable human being?

I’m tired of having allies whose main proposition is to cover their asses at all costs. I’m tired of having an ally who wants us to trust their laughable commissions but takes our fingerprints and photos when we come to visit the US. Now more than ever, an old Italian saying applies: “God, protect me from my friends; I’ll take care of my enemies myself”. And I’m tired of being ashamed of belonging to a country whose government still thinks what’s going on in Iraq is a peace mission and that we should stand by the US’s side to make sure that freedom drops below $40 a barrel. National pride should go well beyond “differing on the conclusions of the US about the accident”: we should leave Iraq first thing tomorrow, and be done with it.

(ok, ok, no more political ranting, at least for a while…)

Servlet authentication woes

I’ve always been surprised by how the servlet spec writers managed to make my life unnecessarily harder on a number of occasions, and today, despite an ongoing flu, I have been bitten (again) by what appears to be a stupid yet blocking problem in implementing what seemed to be an easy task.

We are writing an application exposing a REST interface and a web-based administration. We need to protect access to both of them, of course with different sets of users. Now, if there is something I hate with a passion, it is writing custom authentication code in a web application. Why on earth should I bother with cookies, sessions, redirects and all the fuss when security is clearly a protocol concern and is much better managed by the application server? Programmatic security kills SSO, is a PITA to maintain, needs to be reimplemented on basically every deployment and, overall, tends to suck badly (is there anything worse than an HTTP 200 or 302 when a resource is protected?).

Declarative security is my favourite way to go for a number of reasons:

  • every application server comes with a full set of different AAA backends, be it flat files, databases or LDAP servers. Any decent “enterprise” environment has some kind of integration with corporate security layers, and such integration comes at the application server level;
  • security policies can be set by system administrators using server-wide settings and with no need to learn a different tool (yes, I’ve been a sysadmin in a past life, could you tell?);
  • a tested application server’s security code can be trusted (and audited) much more than custom-written code;
  • custom application code needs sessions, adding unnecessary overhead to the application server;
  • I’m a lazy butt. Why should I bother writing code that goes around reinventing wheels?

This said, today I started to wrestle with my web.xml and, surprise surprise, I came to understand that either I’m a complete idiot (and I’d be happy to find out), or the servlet specs are horribly wrong. If you remember, a few lines above I wrote that I had to support two different sets of users, which can easily be done using roles. I have another requirement though: users want to see a fancy FORM-based authentication (which, to my surprise, uses the damn cookie-and-session paradigm), whereas applications accessing the REST interface could certainly deal much better with BASIC or DIGEST auth.

Well, despite the fact that the login-config element does accept an optional realm-name child element, which seems to suggest that at some point someone pointed out that there might be an exotic case for a web application hosting more than one protected area, the servlet specification seems to state that only ONE login-config element per web.xml is allowed. This means, basically, that whatever is configured as the authentication method will be global to the whole application space, with no chance to override it apart from entering programmatic security hell.
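To make the limitation concrete, here is a deployment descriptor of the shape the post describes. This is an added example, not the web.xml of the post’s own application: the URL patterns (/admin/*, /rest/*), the role names (admin, api-client), the realm name and the login page paths are assumptions chosen for illustration. The two security-constraint elements do what the post wants (each area bound to its own role), while the single login-config fixes one authentication method for the whole web application; note also that realm-name is only the string the container sends back in the WWW-Authenticate header for BASIC auth, it does not select a separate protected area.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original post's descriptor. URL patterns, role
     names, realm name and login pages are illustrative assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Area 1: the web administration, reserved to the "admin" role.
       No http-method elements are listed on purpose: when you list some,
       only those methods are constrained and the others stay open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Area 2: the REST interface, reserved to the "api-client" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST interface</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>api-client</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>api-client</role-name></security-role>

  <!-- The one and only login-config: this authentication method applies
       to /admin/* and /rest/* alike. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>app</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- What the post would like to write for the REST area, but cannot:
       a second login-config is not allowed by the descriptor, so the
       container rejects it or ignores it.
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rest-api</realm-name>
  </login-config>
  -->
</web-app>
```

With this descriptor an unauthenticated request to /rest/orders from a non-browser client does not get a 401 with a WWW-Authenticate challenge: the container serves the HTML login page (the HTTP 200 or 302 the post complains about), which a REST client has no way to act on. Flipping the single auth-method to BASIC fixes the REST side but then the browser users lose their form. Role separation and method separation are different axes, and web.xml only lets you choose on the first one.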

Bottom line, I’m stuck with this stupid issue, cursing the servlet specifications and trying to come up with a solution which will most probably need to use programmatic security. Unless the lazyweb comes to the rescue, of course.

It’s raining (when it rains, it pours, of course)

These are hectic times: I’m swamped with work, so much so that in the last two weeks I’ve been to the driving range maybe two or three times at most (weekends included), and I’m dying to go out and play.

Last Friday it looked like I’d manage to take half a day off and play a round at Tolcinasco: I got up early to work until lunchtime and then run off, but the weather didn’t look promising. By ten, given the rain coming down, I realised it wasn’t going to happen, and I put the clubs away, holding back a tear.

On Friday I decided to sign up for a small tournament over the weekend in Lecco, with a noon tee time today. This morning I woke up and… it was raining. I decided to go to the course anyway, also because the competition had already started, so I would have lost the entry fee had I not shown up (and if someone could explain to me what a club does to justify a 20 euro entry fee, one of life’s mysteries would be cleared up for me): I arrived in Lecco under pouring rain, and was told that due to no-shows I would be teeing off half an hour earlier than planned.

I rushed to the driving range to warm up a little, and in the meantime the rain grew until it reached flood proportions. Twenty seconds on the tee without an umbrella were enough to soak even the underwear I’d left in the drawer at home: I struggled to reach the green and noticed that all it lacked were water lilies and ducks to qualify as a pond. I just had time to hit one out of bounds from the 2nd tee when play was suspended: after an hour spent wringing out everything that could be wrung, since it seemed certain that play would resume, the cancellation arrived. And so this weekend is gone too, since tomorrow it’s back to work.

Next week I’ll again be far from my clubs, since I’ll be in Rome: of course I picked the best possible week for this business trip, since my club is organising a nice little tournament at Bogogno that would surely have been worth the trip. In short, it seems the next competition on the horizon is the one reserved for the volunteers of the Open d’Italia: playing from the professionals’ tees, fairways as wide as mountain trails and concrete greens. I imagine it will be a festival of X’s and I pray it’s not played as medal, but I swear, if it starts raining too I’m going to scream.

Back to the blogosphere

This blog has been down for roughly two weeks now. Unfortunately we had a major hardware crash over here: you can be as redundant as you want, but if 3 disks out of 4 die overnight, there is little you can do apart from an impressive amount of swearwords and curses. So, the last two weeks were spent trying to:

  • recover stuff from backups (an interesting journey into the past of my sysadmin experience);
  • find a new colo, given that the old one – where this server will be sitting for another few days – has not been supportive at all (no helping hand whatsoever, no remote reboot facility; in a word, plain crap). Whois is your friend if you want to stay away from these guys;
  • travel and work like mad, given that this major crash came at the worst moment ever, with lots of stuff to do;
  • finally, find a moment to resurrect this blog from a less-than-faithful backup.

Definitely not the funniest period of my life. Next week is going to be busy as well, with my regularly scheduled trip to Rome showing a crammed schedule of moving machines around, delivering a very important project milestone and handling some slippery slopes that need my attention. But it feels good to be back anyway.