Peter Donald wrote:

On Thu, 6 Dec 2001 09:30, Berin Loritsch wrote:

A new issue:

Components that will be "marketed", "sold", or otherwise be made available
for general consumption _without_ a supplied Container need to validate
that their lifecycle is called correctly.  Such components cannot make the
assumption that the users of that Component have properly read the
documentation for Avalon, and need to fail fast if it is not called
correctly.  Remember that Components can be Containers as well.  Not
everyone gets it right the first time.


All components are built for a container. It makes no sense otherwise.


:)

Of course Components are built for a container.  It doesn't mean that someone
providing a library is going to create a Container for them and include that
Container in the library.  All it means is that people who don't RTFM are going
to mess up with creating the Container if they are not familiar with Avalon.



Unix security permissions are not the most fine grained in the world. It
is far easier to create a more secure environment as we can give fine
grain access and control over resources or even make resources
unreferencable by using code (except if they go JNI which a sandboxed
environment would not allow).

No they aren't, and neither are lifecycle assertions.


No idea what you are referring to ;)


"Unix security permissions are not the most fine grained in the world."



Assertions and FilePermissions both exist to keep you from shooting
yourself in the foot.



File permissions aye ?


Yes.  The famous "rm -rf /" will only erase files that _you_ have write
permissions to.  You may lose all your data, but you won't lose your
system (unless the sysadmin is on crack).



They _also_ provide immediate feedback if you just
messed up your container.


This is why we should have unit tests to validate container behaviour. This catches problems before any component is ever deployed into the container.


That is something we will provide in Excalibur--because the ExcaliburTestCase
provides all the extra stuff we need.


Again, the most useful aspect of the ComponentValidator (IMO) is the
checkActive() function.  ComponentValidator.checkActive() and its cousin
ComponentValidator.isActive() are used to make sure that the Component is
not used _before_ its container is finished initializing it or _after_
its container has disposed of it.


Again - this is something that should be done in the container. Phoenix's proxies are not made accessible before the component is ready to accept requests and just before the component is about to be shutdown the proxy will be invalidated.


What about the rest of us?  Not everyone is using Phoenix's proxies.  Not
everyone is using Phoenix.  Are we going to have to beef up the
DefaultComponentManager in Avalon Framework to demonstrate what _should_
be done?  In essence, it should be a model of how to create a ComponentManager.


Anyone calling a method after invalidation will get an IllegalStateException thrown that says "you are using a service after it has shutdown - naughty, very naughty!"

Again this way the component never has to worry about it and it is up to the container to validate and maintain correct lifecycle management and you aren't mixing concerns.


I'm beginning to see where you are going.  And I might be inclined to agree
with you.  The only problem is that we don't have any way of enforcing these
things now.

Beyond that, due to all the secure installations I have had to deal with, I
am beginning to err on the side of paranoia.  "Explicitly don't allow anything
that isn't supposed to happen."  Honestly, I don't trust all containers.  I
don't even trust me to do it right all the time--much less you or anyone else.
Mistakes happen--it's a fact of life.  That is why there are such things as
bugs.


BTW, I have no false sense of security.  Perhaps using something like that
will make you fall into such a trap--but it is a tool combined with tons of
other tools that help in the overall goal.


Why am I reminded of the Princess Bride at this point? "You keep using the word ... "


Great movie!

" ... 'inconceivable'.  I don't think it means what you think it means."



Maybe I should change my signature?


"Alo'! My name is Inego Montoya, you killed my father. Prepare to die."



--

"They that give up essential liberty to obtain a little temporary safety
 deserve neither liberty nor safety."
                - Benjamin Franklin
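
As an added illustration (not code from this thread or from Avalon), here are the two approaches debated above side by side in Java: a component-side active check and a container-side proxy that is invalidated at shutdown. `Greeter`, `GuardedGreeter` and `RevocableHandler` are hypothetical names; the guard is a stand-in written for this example, not Avalon's ComponentValidator, and the proxy is not Phoenix's implementation.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class LifecycleDemo {
    // Hypothetical service interface, not part of Avalon.
    interface Greeter { String greet(String name); }

    // Component-side check: the component refuses work outside its active window.
    static class GuardedGreeter implements Greeter {
        private volatile boolean active;          // false before initialize() and after dispose()
        void initialize() { active = true; }
        void dispose()    { active = false; }
        private void checkActive() {
            if (!active) throw new IllegalStateException("component is not active");
        }
        public String greet(String name) { checkActive(); return "hello " + name; }
    }

    // Container-side check: the container hands out a proxy and revokes it at shutdown.
    static class RevocableHandler implements InvocationHandler {
        private volatile Object target;
        RevocableHandler(Object target) { this.target = target; }
        void invalidate() { target = null; }      // clients keep the proxy, never the component
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            Object t = target;
            if (t == null) throw new IllegalStateException("service used after shutdown");
            try { return m.invoke(t, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        }
    }

    public static void main(String[] args) {
        GuardedGreeter component = new GuardedGreeter();
        RevocableHandler handler = new RevocableHandler(component);
        Greeter client = (Greeter) Proxy.newProxyInstance(
                Greeter.class.getClassLoader(), new Class<?>[] { Greeter.class }, handler);
        try { client.greet("early"); }            // container skipped initialize(): guard fails fast
        catch (IllegalStateException e) { System.out.println("before init: " + e.getMessage()); }

        component.initialize();
        System.out.println(client.greet("world"));
        handler.invalidate();                     // container shuts the service down
        component.dispose();
        try { client.greet("late"); }
        catch (IllegalStateException e) { System.out.println("after shutdown: " + e.getMessage()); }
    }
}
```

The first failure is caught only by the component's own check, because the proxy is already reachable; the last is caught by the proxy before the call ever reaches the component.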

