Software problems Archives

February 20, 2007

IBM Websphere Integrated Developer recursion

At my current client I am using IBM's Websphere Integrated Developer (WID) toolkit. It's basically Eclipse with a massive load of plugins (it comes on 6 (!) installation CDs!).

Among the many things it can do is create Business Objects from a database: you point WID at a database, select a few tables, and it generates a Java class for every single one of them.

I am a big fan of recursive tables, to keep database designs simple and efficient. For instance, think of a database model of a family tree. There you will have Humans (me, dad, mum, brothers, sisters, etc...) and Relationships (marriage, affair, etc...). Every record in the Humans table has an ID and 2 parent IDs, pointing to the biological parents of the person. Both of those records have 2 parent IDs each as well, until you reach the first person in a given tree.

In Java it's very simple to map this. All you do is define a class and give it 2 properties (parent1, parent2) of the same type as the class itself:

import java.math.BigDecimal;

// A self-referencing class: both parents are themselves Humans.
public class Human
{
    Human parent1;
    Human parent2;
    BigDecimal id;
}

Now, the WID doesn't work like that. It does almost everything in XML. In my opinion they've done exactly what Spring has done as well: taken out all the spaghetti code and turned it into spaghetti XML. Totally overdone. One thing they forgot, however, is recursion.

A class is defined by an XSD (XML) file. For every property of the class that is a complex type (another class) it defines an include of the XSD file for that class. If you have classes with circular dependencies, like the very direct one shown above, the file will include itself, which will then include itself again, etcetera etcetera etcetera, until a stack overflow occurs.

I'm amazed that such a basic thing is such a problem in a flagship product of a company like IBM.

April 13, 2010

Accidental discovery of security hole in DigiD

Due to sheer coincidence a huge security leak has been discovered in DigiD, the Dutch government's internet user authentication mechanism: a random person logged into one of the government's websites to file a criminal complaint. He owns a petrol station, and someone drove off without paying.

Once logged into the system, it turned out he had accidentally ended up in someone else's account. In this system he can do whatever he wants: change personal details, file emigration details, stop or request all kinds of welfare or child support, etcetera. He has full access to everything the government knows about this other person.

The Department of National Affairs responded with "Coincidence exists. This never happened before." But is it really such a coincidence that will otherwise never happen, as they try to make it seem?

Of course not. Such a high-profile system should have the highest security imaginable. And the designers of the security of this system made a very big mistake, one that is not even allowed on simple internet fora or webpages for which you need to create a free account in order to participate: they allow multiple users with the same username.

The effect of this is that the system can only distinguish those users by their passwords. That means the users must have different passwords. But what if they don't? Then the system cannot distinguish between them, and will simply open the account of whichever user is found first in the system.
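As an added illustration (not code from the original post or from DigiD), here is a toy login routine in Python showing the collision described above: when duplicate usernames are allowed, the password is the only discriminator and the first matching row wins, so the second registrant lands in the first person's account. A unique constraint on the username removes the ambiguity. The table layout, user "jan" and the sample password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db(unique_usernames: bool) -> sqlite3.Connection:
    # Constructed in-memory user table; the UNIQUE constraint is the only difference
    # between the weak design and the fixed one.
    conn = sqlite3.connect(":memory:")
    uniq = "UNIQUE" if unique_usernames else ""
    conn.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 f"username TEXT NOT NULL {uniq}, salt BLOB, pw_hash BLOB)")
    return conn


def register(conn, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, _hash(password, salt)))
    conn.commit()


def login_weak(conn, username: str, password: str):
    # Weak: several rows may share the username, so the first row whose password
    # matches is returned, whoever it actually belongs to.
    for uid, salt, pw_hash in conn.execute(
            "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)):
        if hmac.compare_digest(pw_hash, _hash(password, salt)):
            return uid
    return None


def login_fixed(conn, username: str, password: str):
    # Fixed: the username is unique, so there is at most one candidate account;
    # anything else (including an impossible duplicate) is refused.
    rows = conn.execute("SELECT id, salt, pw_hash FROM users WHERE username = ?",
                        (username,)).fetchall()
    if len(rows) != 1:
        return None
    uid, salt, pw_hash = rows[0]
    return uid if hmac.compare_digest(pw_hash, _hash(password, salt)) else None


def demo():
    weak = make_db(unique_usernames=False)
    register(weak, "jan", "welkom01")  # account 1
    register(weak, "jan", "welkom01")  # account 2: same username and same password
    collided = login_weak(weak, "jan", "welkom01")  # the second "jan" gets account 1
    fixed = make_db(unique_usernames=True)
    register(fixed, "jan", "welkom01")
    try:
        register(fixed, "jan", "welkom01")
        duplicate_rejected = False
    except sqlite3.IntegrityError:
        duplicate_rejected = True
    return collided, duplicate_rejected, login_fixed(fixed, "jan", "welkom01")
```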

How this system made it into production without anybody noticing this security flaw is a miracle, and let's hope it will be fixed immediately. There is a reason why banks use complex logon systems with dual codes and hardware devices according to the 'knowledge & possession' principle.

But no matter what: be most careful with your personal details online.

About Software problems

This page contains an archive of all entries posted to Flat Rock ICT Services in the Software problems category. They are listed from oldest to newest.
