Richard,

Thanks for the review and comments.  I'll update my use of SecureRandom to
call one of the 'getInstance' methods.



Jerry Jalenak
Team Lead, Web Publishing
LabOne, Inc.
10101 Renner Blvd.
Lenexa, KS  66219
(913) 577-1496

[EMAIL PROTECTED]


-----Original Message-----
From: Yee, Richard K,,DMDCWEST [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 12:56 PM
To: 'Struts Users Mailing List'
Subject: RE: [OT] Use of Static Methods


Jerry,
Your methods are thread-safe. The MessageDigest.getInstance() and
SecureRandom() calls are thread-safe too. One thing I read while reading the
JavaDocs for SecureRandom() was:

This constructor is provided for backwards compatibility. The caller is
encouraged to use one of the alternative getInstance methods to obtain a
SecureRandom object.

You might consider changing your code to comply with this.

Regards,

Richard
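
The two points in the reply above, as an added example that is not part of the original thread: the digest helper is thread-safe because every object it touches is a local, and the digest key comes from SecureRandom.getInstance rather than the constructor. The class name PasswordDigestDemo, the "SHA1PRNG" algorithm name, the UTF-8 charset and the sample passwords are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class PasswordDigestDemo {
    // Same construction as the thread's getEncryptedPassword: SHA-1 over key || password.
    // The MessageDigest is created per call and never shared, so callers cannot interfere.
    static byte[] digest(byte[] digestKey, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(digestKey);
        md.update(password.getBytes(StandardCharsets.UTF_8)); // fixed charset (assumption)
        return md.digest();
    }

    // getInstance form encouraged by the JavaDoc; "SHA1PRNG" is an assumed algorithm choice.
    static byte[] randomDigestKey() throws NoSuchAlgorithmException {
        byte[] key = new byte[12];
        SecureRandom.getInstance("SHA1PRNG").nextBytes(key);
        return key;
    }

    public static void main(String[] args) throws Exception {
        final byte[] key = randomDigestKey();
        final String password = "constructed-sample-password"; // constructed sample input
        final byte[] stored = digest(key, password);
        // Eight threads call the static helper 1000 times each; every result must match.
        ExecutorService pool = Executors.newFixedThreadPool(8);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int t = 0; t < 8; t++) {
            results.add(pool.submit(() -> {
                for (int i = 0; i < 1000; i++) {
                    if (!MessageDigest.isEqual(stored, digest(key, password))) return false;
                }
                return true;
            }));
        }
        boolean allMatch = true;
        for (Future<Boolean> f : results) allMatch &= f.get();
        pool.shutdown();
        System.out.println("all concurrent digests matched: " + allMatch);
        System.out.println("wrong password rejected: "
                + !MessageDigest.isEqual(stored, digest(key, "wrong-password")));
    }
}
```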

-----Original Message-----
From: Jerry Jalenak [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 10, 2003 10:30 AM
To: 'Struts Users Mailing List'
Subject: RE: [OT] Use of Static Methods


Micael,

The class is called 'Password':

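import java.security.MessageDigest;
import java.security.SecureRandom;
import org.apache.commons.lang.RandomStringUtils;

public class Password
{
        // Returns SHA1(digestKey + password bytes), or null if the digest fails.
        public static byte[] getEncryptedPassword(byte[] digestKey, String password)
        {
                try
                {
                        // New MessageDigest per call: no state shared between threads
                        MessageDigest md = MessageDigest.getInstance("SHA1");
                        md.update(digestKey);
                        md.update(password.getBytes());
                        return (md.digest());
                }
                catch(Exception e)
                {
                        return (null);
                }
        }

        // Returns a fresh 12-byte random digest key.
        public static byte[] getRandomDigestKey()
        {
                byte[] digestKey = new byte[12];

                SecureRandom sr = new SecureRandom();
                sr.nextBytes(digestKey);
                return (digestKey);
        }

        // Returns a random 8-letter password (Commons Lang RandomStringUtils).
        public static String getRandomPassword()
        {
                return (RandomStringUtils.randomAlphabetic(8));
        }
}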

I am calling this using 'Password.getEncryptedPassword(digestKey,
password)'.  I don't think I have thread issues since I'm not using instance
variables, but I'm concerned about the use of the
MessageDigest.getInstance() and SecureRandom calls....

Thanks!

Jerry Jalenak


-----Original Message-----
From: Micael [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:51 AM
To: Struts Users Mailing List
Subject: RE: [OT] Use of Static Methods


Could you give us the method body again?  That is where we can see if there
is a thread safety issue.

At 07:53 AM 7/10/03 -0500, you wrote:
>To everyone:  WOW!  Talk about opening a can of worms!  It's been quite
>interesting reading the different viewpoints regarding the use of statics vs
>singletons, whether Perl is OO or not, etc. etc. etc.  It's this kind of
>discussion that makes this list one (if not THE) best list on the web.
>
>Ted: Thanks for answering the specific question.  As much as I've enjoyed
>the thread, all I really wanted to know is if my approach for these 'helper'
>methods was appropriate or not.  I'm not sure what you mean by 'whether
>instantiating Password is an issue' - I can't think of a case where
>instantiating any class would be an issue, so I guess I could change the
>Password class to be a 'normal' class.  The 'getEncryptedPassword()' method
>is used by several different classes, so I don't really want to make it part
>of a specific class - that's one of the reasons I moved it to a 'helper'
>class and made it static.  I guess the only question I have remaining is
>whether there is a problem with maintaining 'thread safety' with the use of
>a static method....   Is there a chance that two or more users can get to
>the method at the same time and clobber each other?
>
>
>Jerry Jalenak
>
>
>-----Original Message-----
>From: Ted Husted [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, July 09, 2003 5:34 PM
>To: Struts Users Mailing List
>Subject: Re: [OT] Use of Static Methods
>
>
>It's mainly a question of whether instantiating Password is an issue. If
>not, then make it a normal method.
>
>Ideally, getEncryptedPassword should be a method of whatever class 
>needs to call it.
>
>The benefit of static methods is that they can be called without 
>instantiating the class that contains them. So long as instantiation is 
>not an issue, then make it a normal method on whichever class needs to 
>use it. (Or make Password a member class of whichever classes need to 
>call it, and instantiate it when the parent class is instantiated.)
>
>-Ted.
>
>
>Jerry Jalenak wrote:
> > <back-from-lunch>
> >
> > Thanks to everyone for weighing in on this.  I certainly didn't expect this
> > type of discussion.
> >
> > Let me give an example of what we are trying to do, and see if this is
> > appropriate or not.  For various reasons we have a 'roll your own' logon
> > authentication process.  Part of the process takes the user's password, and
> > using a stored digest key, we encrypt it and then compare it to the stored
> > (encrypted) password.  If they match, great.  If not, then we return an
> > error.  The code that we use to do the encryption looks like the following:
> >
> >       public static byte[] getEncryptedPassword(byte[] digestKey, String password)
> >       {
> >               try
> >               {
> >                       MessageDigest md = MessageDigest.getInstance("SHA1");
> >                       md.update(digestKey);
> >                       md.update(password.getBytes());
> >                       return (md.digest());
> >               }
> >               catch(Exception e)
> >               {
> >                       return (null);
> >               }
> >       }
> >
> > The class name is 'Password', so to call this method we use something like
> > 'Password.getEncryptedPassword(storedDigestKey, enteredPassword)'.  Is this
> > type of method appropriate for a 'static' method?  Or should this be a
> > singleton?  Or a normal class?
> >
> >
> >
> > Jerry Jalenak
> >
> >
> > -----Original Message-----
> > From: Yee, Richard K,,DMDCWEST [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 09, 2003 12:35 PM
> > To: 'Struts Users Mailing List'
> > Subject: RE: [OT] Use of Static Methods
> >
> >
> > I and a lot of other developers would disagree with the statement "Static
> > methods are evil for many reasons including philosophical (they're not OO)
> > and practical (you can't override their behavior)."
> >
> > 1) Whenever you write a method that only accesses static data of a class,
> > you should declare the method as static.
> >
> > 2) It is not correct to say that static methods can't be overridden. They can
> > be overridden with another static method. You can't override a static method
> > to be non-static, however.
> >
> > 3) There are many cases where using the static modifier on a method is
> > totally appropriate. Typically, they are used on methods that provide a very
> > specific functionality that will never change. Using the static modifier on
> > such methods also reduces the overall memory footprint of an application.
> >
> > Regards,
> >
> > Richard
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: David Graham [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 09, 2003 9:22 AM
> > To: Struts Users Mailing List
> > Subject: RE: [OT] Use of Static Methods
> >
> >
> >
> >>One of my programmers asked me whether or not it is OK to define 
> >>helper methods as 'static' - and I realized that I didn't know the 
> >>answer.  So I guess the question is, in a web application, can 
> >>common code be factored out to a helper class and marked as 
> >>'static'?
> >
> >
> > Static methods are evil for many reasons including philosophical (they're
> > not OO) and practical (you can't override their behavior).  You should use a
> > Singleton class with non-static methods.
> >
> > Struts' RequestUtils class is a good example of why you should never 
> > use static methods.  Developers want to override their behavior but 
> > can't because everything is static.
> >
> > David
> >
> >
> > >>Are there any major problems with doing this?  I should know the answer,
> > >>but just can't put my thumb on it right now.... 8)
> >>
> >>TIA!
> >>
> >>Jerry Jalenak
>
>
>--
>Ted Husted,
>    Junit in Action  - <http://www.manning.com/massol/>,
>    Struts in Action - <http://husted.com/struts/book.html>,
>    JSP Site Design  - <http://www.amazon.com/exec/obidos/ISBN=1861005512>.


