$50 to anyone who can tell me the whereabouts of these meatheads - alrex021
http://www.hackersinshape.net/archives/35

======
jacquesm
It sure looks like the company the author works for could use a bit of a code
auditing, not just the bits that you're looking at right now.

Who knows what else is squirreled away in there, if this could escape
attention for 5 whole years then chances are there is more where that came
from.

------
wallflower
Can you do something practical like throw away their home-grown J2EE auth and
use Spring?

~~~
alrex021
We actually rolled out a new project for them recently using the Spring framework,
and it was to a large degree a success. The problem with the system in question
is that it would require quite a bit of re-architecture to work
Spring into the bigger picture. It's on the cards for the coming major release
though. The problem has been that the authentication/authorization is to a large
degree crippled. Crippled in the sense that each user login was bound through
the data schema and many other parts to only a single user role per user login
credentials. So fixing this has been the obvious priority, as one of the
requirements that came up is user SSO (Single Sign-On), with integration with
the corporate LDAP for auth.

------
coglethorpe
I know exactly where those meatheads are. They are working for every company
I've ever worked for. The larger companies usually have a higher concentration
of them.

------
Allocator2008
I don't get what is wrong with that, other than in the try - catch block in
the init() method the Exception e is stubbed, i.e., a stack trace or whatever
is not printed. I know that is bad. Is that the main problem? Other than that,
it looked like perfectly valid code to me, though admittedly I know C better
than I know Java. Don't get me wrong - I believe you that there are valid
concerns, it's just that personally I don't see them, other than the issue
with the try - catch block.

~~~
alrex021
Besides the obvious try, catch ...do nothing, the code checks for a username
"pustulio" and then redirects the user to a screen that just says "all your base,
are belong to us!" in plain text. Do I need to say more? :)
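The two defects named in this thread (a catch block that discards the exception, and a login path that compares the submitted username against a hard-coded literal) are both easy to spot mechanically during the kind of code audit jacquesm suggests. The following is an added example, not code from the thread or from the author's employer: a small Python scanner that flags empty or comment-only catch blocks and identity variables compared against string literals in Java source. The `SAMPLE_JAVA` servlet is constructed to mirror what alrex021 describes; the class, method and page names in it are assumptions, not the real system.

```python
import re

# Constructed sample modelled on the code described in the thread; none of
# these identifiers come from the real application.
SAMPLE_JAVA = """\
public class LoginServlet extends HttpServlet {
    public void init() throws ServletException {
        try {
            loadConfig();
        } catch (Exception e) {
            // swallowed: nothing is logged
        }
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String username = req.getParameter("username");
        if ("pustulio".equals(username)) {
            resp.sendRedirect("/allyourbase.jsp");
            return;
        }
        if (username.equals("admin")) {
            grantAllRoles(req);
        }
        authenticate(username, req.getParameter("password"));
    }
}
"""

# catch (...) { } where the body is empty or holds only comments.
EMPTY_CATCH = re.compile(
    r'catch\s*\([^)]*\)\s*\{\s*(?:(?://[^\n]*|/\*.*?\*/)\s*)*\}', re.S)

# "literal".equals(var) and var.equals("literal"), including equalsIgnoreCase.
LITERAL_FIRST = re.compile(
    r'"([^"]*)"\s*\.\s*equals(?:IgnoreCase)?\s*\(\s*(\w+)\s*\)')
VAR_FIRST = re.compile(
    r'\b(\w+)\s*\.\s*equals(?:IgnoreCase)?\s*\(\s*"([^"]*)"\s*\)')

# Variable names that suggest the value being compared is an identity.
IDENTITY_VAR = re.compile(r'user|login|principal|account|uid', re.I)


def _line_of(src, pos):
    """1-based line number of character offset pos in src."""
    return src.count("\n", 0, pos) + 1


def find_empty_catches(src):
    """Line numbers of catch blocks that discard the exception."""
    return [_line_of(src, m.start()) for m in EMPTY_CATCH.finditer(src)]


def find_hardcoded_identity_checks(src):
    """(line, variable, literal) for identity variables compared to literals."""
    hits = []
    for m in LITERAL_FIRST.finditer(src):
        literal, var = m.group(1), m.group(2)
        if IDENTITY_VAR.search(var):
            hits.append((_line_of(src, m.start()), var, literal))
    for m in VAR_FIRST.finditer(src):
        var, literal = m.group(1), m.group(2)
        if IDENTITY_VAR.search(var):
            hits.append((_line_of(src, m.start()), var, literal))
    return sorted(hits)


def scan(src):
    """Human-readable findings for one Java source file."""
    findings = [f"line {n}: empty catch block silently discards the exception"
                for n in find_empty_catches(src)]
    for line, var, literal in find_hardcoded_identity_checks(src):
        findings.append(
            f"line {line}: {var} compared against hard-coded literal {literal!r}")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_JAVA):
        print(finding)
```

Run over a real tree you would feed each `.java` file's contents to `scan()`; the regexes are deliberately coarse (they do not parse Java), so treat the output as a list of places to read by hand, which is exactly what caught the five-year-old backdoor here.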

