The Factory Design Pattern

One of the reoccurring topics that will be covered on everythingdev will be design patterns. Having a solid understanding of design pattern methodologies will not only lead to becoming more proficient in the OOP paradigm, it can also just make your life much easier when implementing certain modules within a software project.

Right now we’ll be covering the Factory Design Pattern.

Let’s say we’re writing a paint program which allows the user to draw some shapes. Right now we can draw rectangles and circles. We’ll create a ‘Shape’ class that can handle rectangles and circles:

public class Shape {

     private int width = 0;
     private int height = 0;
     private double radius = 0.0D;
     private Boolean isRectangle = false;
     private Point[] hexagonPoints = null;  

     public Shape(int width, int height) {    
          this.isRectangle = true;
          this.width = width;  
          this.height = height;
     } 

     public Shape(double radius) {
          this.radius = radius;
     }

     public void draw() {

         if(isRectangle)

               // handle drawing the rectangle on screen...

          } else {

               // otherwise it’s a circle, and handle drawing the circle on screen….
          }
      }

}

The shape class has two constructors: one that accepts width and height parameters, and another which accepts a radius parameter. If the first constructor is called, the object will represent a rectangle, if the second is called it will be a circle. Easy enough. 

 

Soon our software has become a huge hit and we receive a request to add support for another shape type: hexagons. Hexagons will have width and height properties like rectangles. We decide to recycle an existing constructor we have for rectangles, and simply add a Boolean ‘isHexagon’ parameter to distinguish between a rectangle or hexagon, and update our draw() method accordingly.

Now our shape class looks like this:

public class Shape {

     private int width = 0;
     private int height = 0;
     private double radius = 0.0D;
     private Boolean isRectangle = false;
     private Boolean isHexagon = false;
     private Point[] hexagonPoints = null;  

     public Shape(int wfaceidth, int height, Boolean isHexagon) { 
          if(isHexagon) {
                    this.isHexagon = true;
          }
          else {
                    this.isRectangle = true;
          }   

          this.width = width;  
          this.height = height;
     } 

     public Shape(double radius) {
          this.radius = radius;
     }

     public void draw() {

         if(isRectangle)

               // handle drawing the rectangle on screen...

          }
         else if(isHexagon) {
                  // draw hexagon
         }
          else {

               // otherwise it’s a circle, and handle drawing the circle on screen….
          }
      }

}

Couple of emerging problems with our Shape class:

• It’s rapidly becoming messier (imagine what it’s going to look like as we add support for more and more distinct shapes).
• The more functionality we have, the harder debugging specific shape functionality will get.
• The onus is on the developer to juggle all the constructors and initialization parameters in their head to remember how to build each shape.

Here’s another issue: when we changed the first constructor to accommodate hexagons, it forced us to update references to that constructor. So if we have 17 different classes within our codebase that initializes a shape using that constructor, that’s 17 classes that need to be updated along with the change to our Shape class. In other words, those 17 classes are overly reliant on being aware of the underlying implementation details of the shape class. We can also say that these classes are tightly coupled. We’ll solve these problems by implementing a factory class to handle creation of the shape objects instead.

We’ll start by creating a ‘Shape’ interface containing some properties and methods that are common to all Shapes regardless of their specific type:

public interface Shape {

                public void draw();
                public void getShapeType();
                public void setColor();

}

And we’ll refractor the Shape classes so they all implement our Shape interface:

class Rectangle implements Shape

                public void draw() {…….}
                public void getShapeType(){…….}
                public void setColor(){…….}

}

class Circle implements Shape
                public void draw() {…….}
                public void getShapeType(){…….}
                public void setColor(){…….}

}

class Hexagon implements Shape

public void draw() {…….}
            public void getShapeType(){…….}
            public void setColor(){…….}

}

Then we’ll build a Factory class that will handle the creation of the various shapes:

public class ShapeFactory {

                final int TYPE_CIRCLE = 0;
                final int TYPE_OVAL = 2;
                final int TYPE_RECTANGLE = 3;
                final int TYPE_HEXAGON = 4;

                public Shape buildShape(int shapeType) { 

switch(shapeType):

case TYPE_CIRCLE: return new Circle(double radius)
                                // do stuff to make circles…

case TYPE_RECTANGLE: return new Rectangle(int width, int height)
                                // do stuff to make rectangles…

case TYPE_HEXAGON: return new Hexagon(int width, int height)
                                // do stuff to make hexagons…

default: return null;
}

                }

                return null;

}

Our Factory allows the developer (as well as other components within the system) to take a more hands-off approach to requesting certain shapes. Instead of getting caught up in the intricate under the hood details of a class (“It’s a rectangle not a hexagon… so I need to pass this parameter instead…”, or "Which constructor do I use for hexagons again?", etc) we simply make a request to our factory, “We want X type of shape”, pass the relevant information, and get back that type of shape. Then our other components can draw it, drag it, resize it, and do whatever else our program allows the user to do with shapes

The design of a Factory class could get much fancier. Having an enumerator that lists the shape types rather than those hardcoded integers is a good idea, for instance. Even in its current state though, our Factory class has already pushed us in the right direction to having a much cleaner design and loosely coupled system involving classes and objects that aren’t so heavily reliant on knowing each other’s implementation details.

Salt your passwords!

Not so long ago it was common to see passwords stored in databases in plaintext. Major corporations were even guilty of this (do a google search for “web hosting stored passwords in plaintext” to see what I mean). Thankfully it appears that developers have finally realized it’s better to code something the safe way the first time rather than suffer the repercussions of shortcuts. As a result, the instances of this occurring are quickly dwindling out of existence.

These days there’s a phenomenon that’s arguably just as dangerous: hashing unsalted passwords. 

Let’s imagine a scenario where a malicious individual has managed to acquire a copy of user records from our web application’s database. Three records have been chosen from our “user” table:

ID	Name	UserName	Password
198	Martha Robinson	mrobinson	0ce8d8fccd5e6071fdab1a4edec504872ad338dcf34920f5b5baedfb9a74da91
237	John Davidson	jdoe	0ce8d8fccd5e6071fdab1a4edec504872ad338dcf34920f5b5baedfb9a74da91
599	Sarah Smith	ssmith	ca74e5fe75654735d3b8d04a7bdf5dcdd06f1c6c2a215171a24e5a9dcb28e7a2

All passwords in the table are hashed once using SHA-256.

You might be thinking, these passwords are hashed, so what’s the problem? One of the defining traits of modern day hashing algorithms is that the slightest change in the source string will drastically change the generated hash from that string. For instance, take a look at the hashes for ‘Football123’ and ‘Footballs123’ (respectively): 

0ce8d8fccd5e6071fdab1a4edec504872ad338dcf34920f5b5baedfb9a74da91
f77211f25d1f3bafd92ca23085d583f230c9febe6fc4e45a2e5ef0592c68f2e5

See that? By just changing the “Football” part in our plaintext password to plural “Footballs”, there’s a huge difference in the appearance of the two hashes.

The first thing the hacker is going to do is try and crack Martha and Johns’ passwords. Why? The two hashes are identical to each other. Thus, the attacker will deduce from this that those hashes were calculated from the same exact passwords.

Now the hacker knows that Martha and John have identical passwords. This is a big problem – what are the chances they both happened to think of the same extremely complex and secure passphrase? Not very likely.

What we need is a way to ensure that even simple passwords – even ones like Martha and Johns’, will at least appear unique in our db. This is where salting comes into play. What we do is generate a “random” string of characters and mix those in with our plaintext source passkey. 

So in our above example, instead of hashing ‘Football123’ which results in: 0ce8d8fccd5e6071fdab1a4edec504872ad338dcf34920f5b5baedfb9a74da91

We can take a random string like ab9FlmNO!!, concatenate it to the end of our ‘Football123’ text and hash that instead which yields: da2c1d31cb17f8a7fc13a7e49f392c99dcee1f6bd863ba266abf28ed1aa0e9f9

Or maybe we have Football123Lc87nHNm!? Which becomes: b2cf5569f2fd345218c4670431d32b3a5ea38ec3a02a719973f73b5d9d25a130

And now even if someone else comes along with the same password, they’ll still end up with a unique hash.

The orientation of the salt doesn’t really matter – you could place it at the end, at the beginning, in the middle of the string, wherever. As long as your back-end code knows how to apply the salt to the given plaintext password prior to hashing, you’re good. The main point is adding extra characters to the passwords to make their hashes more distinguishable.

In terms of storing those salts in the database, we could simply add on another column to our user table that could contain the hash. The next time a user tries to log in, our system looks up the corresponding salt hash, adds that to the user-provided password, hashes them together, and if that hash matches the pass in the database, then the password is correct.

If the salt is blatantly exposed in the database as well, then doesn’t that render this security measure useless? No, this makes it increasingly more difficult for our attacker to be able to identify those who have weak passwords simply by visual inspection. The hacker can easily see Martha and John’s salts, but won’t be able to discern quickly that they have the same passwords. Sure, it would be much better if the hash wasn’t exposed to begin with, but that isn’t feasible as our application needs some way of being able to tell what that salt actually is. We could also have a global salt that would be used by every user, which could be encapsulated within the application and unknown to database. This would present its own set of drawbacks as well. There's no 100% "safe" solution. We're just making this as secure as we possibly can.

Although salting is a powerful safeguard against brute-force and dictionary attacks, it’s far from being the only tool you’ll want in your arsenal of security mechanisms if you expect your application and its data to withstand modern day exploits. That said, it’s an invaluable technique that builds a strong starting foundation for proper password storage. Salting is a critical step that must not be overlooked during the development process.