Thursday, March 22, 2007

AjaxWorld 2007 Day Three (Afternoon)

JSON: Making the "X" in Ajax Superfluous:
The afternoon was off to a good start with Douglas Crockford presenting on JSON. Not much new ground was covered...In a nutshell, JSON is a better way to transfer data than XML. JSON is especially easy to use if you know that the client will be a browser (like it is with Ajax). Since JSON is a subset of JavaScript, the JavaScript engine processes JSON very easily because it is JavaScript.

Some random items mentioned beyond the obvious JSON topics...
  • YAML is a superset of JSON. A YAML decoder is a JSON decoder. And YAML has validators. So if you wanted a JSON validator, a YAML validator would work.
  • Using eval to process JSON text can open security holes. If that's a concern, use a JSON-only parser like string.parseJSON.
  • Crockford was against remote scripting....calling it the "script-tag hack". The problem is that there is no way to vet the script before it executes. The server generating the scripting must be absolutely trusted...this is not always possible in Mashup scenarios.
  • Security Comment - If there is script from 2 or more sources, then the app is not secure.
  • Proposed ECMAScript 4th edition enhancements include new commands, available now.
Here's an application of the supplant function (from the site):

var template = '<table border="{border}"><tr><th>Last</th><td>{last}</td></tr>' +
    '<tr><th>First</th><td>{first}</td></tr></table>';

Notice that we have an HTML template with three variables in it. Then
we'll obtain a JSON object containing members that match the variables.

var data = {
    "first": "Carl",
    "last": "Hollywood",
    "border": 2
};

We can then use a supplant method to fill in the template
with the data.

mydiv.innerHTML = template.supplant(data);

Nice! These upcoming EcmaScript enhancements can be used now by importing the small JavaScript functions from
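The supplant idea above, carried through as an added example (this is not Crockford's code and not code from the talk): a supplant() written as a plain function rather than a String.prototype method, beside a variant that HTML-escapes every substituted value. The names supplant, escapeHtml and supplantEscaped, and the two sample records, are constructed for this example. The point for a practitioner is that supplant does plain text replacement, so a value that arrived in a JSON response and is dropped into innerHTML is rendered as markup, which is exactly the XSS path the Day Two security session talks about; escaping at output time closes it.

```javascript
// Added example, not Crockford's remedial supplant(): template fill-in as
// described in the talk. {name} is replaced by data[name] when that member is
// a string or number; otherwise the placeholder is left untouched.
function supplant(template, data) {
  return template.replace(/\{([^{}]*)\}/g, function (match, name) {
    var value = data[name];
    return typeof value === 'string' || typeof value === 'number' ? String(value) : match;
  });
}

// Output encoding for HTML text content and attribute values.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same fill-in, but each substituted value is HTML-escaped first, so data
// from an untrusted JSON source cannot inject markup when the result is
// assigned to innerHTML.
function supplantEscaped(template, data) {
  return template.replace(/\{([^{}]*)\}/g, function (match, name) {
    var value = data[name];
    return typeof value === 'string' || typeof value === 'number' ? escapeHtml(value) : match;
  });
}

// The template from the talk, with three placeholders.
var TEMPLATE = '<table border="{border}"><tr><th>Last</th><td>{last}</td></tr>' +
  '<tr><th>First</th><td>{first}</td></tr></table>';

// Constructed sample data: the second record carries a script tag, as a
// hostile JSON response might.
var TRUSTED = { first: 'Carl', last: 'Hollywood', border: 2 };
var HOSTILE = { first: '<script>alert(1)</script>', last: "O'Neil & Sons", border: 2 };

// Stand-alone demonstration (in a browser you would assign these to innerHTML).
console.log('raw:     ' + supplant(TEMPLATE, HOSTILE));
console.log('escaped: ' + supplantEscaped(TEMPLATE, HOSTILE));
```

With the trusted record both functions produce the same table; with the hostile record only supplantEscaped yields markup that the browser will show as text rather than execute.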

In the 2:40pm timeslot, I was looking forward to seeing Clueful 2.0, but it was cancelled. Then I rushed to view "So You Wanna Be a DOM Star" from Molly Holzschlag, but it was cancelled. So my third choice was "Performance-Tune Your Ajax application". This session contained some useful information, but nothing ground-breaking on the topic.

And that ended AjaxWorld for me. There was another vendor presentation followed by 2 more sessions which continued to 7pm....but due to flight schedules, I had to miss those. If I could've stayed longer I would've loved to have seen the following. I will have to wait until I receive the AjaxWorld presentations on DVD.

Ajax-Enable Your Java Application with DWR -- I love DWR!
Web 2.0 Security
Rails: De Facto API for the Web

Wednesday, March 21, 2007

AjaxWorld 2007 Day Three (Morning)

I didn't start my Day 3 at AjaxWorld until 8:50am. There were 2 previous sessions: ASP.Net Ajax, and Kapow: Serving Mashups from the Long Tail of the Web. Fortunately - I had the opportunity to see ASP.Net Ajax in action at AOL back on March 1st from another Microsoft evangelist....which meant I could sleep a little longer.

For 8:50am - I attended Reginald Stadlbauer: Automatically Testing the UI of Ajax: Challenges and Solutions. What I didn't realize until the talk started was that this was really a product demonstration of Squish - a UI testing tool from FrogLogic. The product appeared to be a very useful web UI testing tool that is built with Ajax testing in mind. Some downsides I saw - it appeared to be very slow; even though Reginald was testing a localhost web-app, the live demo dragged. And the price is pretty steep: $2,100 per user license. I don't know the UI testing field well enough to identify its competitors. But for what it's worth, I'd try Squish in a heartbeat if it was open-source!

This session finished a little early so I ran to Google Web Toolkit: Quick Relief of Ajax Pain. But this session was overflowing with people and I couldn't get in close enough to see.

9:40am brought Christophe Conreats to the stage to demo Adobe's products: High Definition User Experience with Flex & Apollo. This was also a similar presentation to one I attended at AOL on March 1st. But since Adobe's Flex and Apollo's products look so good - it was still interesting to watch a second time. The most impressive demo was a virtual biology book with transparent layered pages that turned and over-layed organs on a cut-away view of the human body. I don't need this feature - but it's great eye-candy. For me the 4 leading Ajax toolkits/frameworks to pay attention to are: Dojo Toolkit, Adobe Flex/Apollo, Open laszlo, Prototype/

11:35am's presentation was from Helmi Technologies: Step-by-Step - Open source RIA platform. I want to say something nice, but this presentation was a complete train-wreck. The audience repeatedly shouted "we can't hear you"...but it made no difference. If they were hoping to make a good impression of Helmi - they didn't. At the end of the talk - the application never worked, and the presenters left the stage without taking any questions.

Next, JetBrains' presentation JavaScript Puzzlers was a lot of fun. In the spirit of the book Java Puzzlers, Mike Aizatsky delivered an entertaining demonstration of how tricky JavaScript coding can be. His puzzlers challenged the audience to find casting problems, differences in equality statements in JavaScript, and issues with switch statements. This wasn't an Ajax talk, but it was enjoyable -- and appropriate since JavaScript and Ajax go hand-in-hand.

AjaxWorld: Impressions of the OpenLaszlo Platform

For the 2:40pm - the only game in town is Laszlo System's presentation: The Browser, The Portal, and the Desktop. If you haven't tried it yet, visit the OpenLaszlo site to see application samples created with the OpenLaszlo platform. It's FREE and open-source. The coolest feature is its ability to generate a Flash (version 6, 7, 8) edition or an Ajax edition. Under the hood - Flex and OpenLaszlo are very similar -- some even say that Flex was a copy-cat of Laszlo. Either way - we probably have OpenLaszlo to thank because it most certainly made Adobe open-source the Flex SDK and compiler sooner rather than later.

Now Laszlo System as I understand it is the commercial entity that is trying to make money by building solutions and consulting on the OpenLaszlo platform (somebody correct me if I'm wrong!). Laszlo is all over AjaxWorld, and they were demo'ing WebTop - a very attractive RIA desktop delivered via the web. WebOS anybody?

Open Laszlo is on my list of things to experiment with when I have time.

Since Adobe Flex 2 is free, why choose Open Laszlo? Here's what one of their engineers said....Open Laszlo deploys to Flash 6, 7, or 8 -- that's 98% of the browsers by Adobe's numbers. Flex 2 apparently requires Flash 9 (60%). So if you want to reach the largest audience without an install - Open Laszlo is the better choice (now). Also - if you are building widgets for mobile devices - Flash Lite provides Flash 7 support, not Flash 9. Which means - that once again - Open Laszlo would be the better choice (for now).

But if a Flash 9 installation is an acceptable installation requirement - then the difference seems to disappear since Flex 2 SDK is free, and Flash 9 is supposed to be noticeably faster.

If Open Laszlo had a drag-and-drop interface like Flex Builder - then the scales would tip back to Open Laszlo...but their Eclipse plug-in project has been archived.

AjaxWorld 2007 Day Two (Afternoon)

Since I'm interested in Dojo - I decided to attend James Harmon's talk "Creating AJAX-Powered Forms with the Dojo Toolkit". This was a bad choice for me because I didn't really learn anything new. But for those that have no exposure to the Dojo Toolkit - it would've been a really good session. His 50-minute presentation enhanced a typical JSP HTML form using Dojo elements that included client-side and server-side validation, a Rich Text Editor control, and a Combo Box. Slides can be found here.

Finally - food! During the lunch break- there was a Power Panel in the main ballroom - unfortunately - I'm eating lunch and chatting with others during the lunch break and miss most of the panel.

For the 2:40pm - the only game in town is Laszlo System's presentation. I created a separate blog entry just for this one....Laszlo had a big presence at AjaxWorld.

On to the next presentation....Dylan Schiemann: Web Vector Graphics & Dojo Draw This! I want to watch this again when the AjaxWorld DVD comes out because I had to run out of the room to take a call from work. But in a nutshell - Dojo provides a vector graphics library (dojo.gfx) that's supposed to be easier to use than VML or SVG, and it hides cross-browser issues. That sounds like a good thing. So if you want to do graphics, and build charts in the browser -- definitely check this out.

At 4:30pm - I watched a presentation on ICEfaces. I had never heard of them before AjaxWorld. It appears to be a fairly rich-looking Java-centric Ajax platform that was recently open-sourced. Their presentation certainly looked good - and this presentation focused on security aspects of the product which seem to plug potential holes in Ajax. Using Java EE enforced security roles (I think Stephen said he's using Tomcat and Tomcat roles) - you can prevent users from running particular Ajax features. My impression is that ICEfaces and Backbase play in the same space.
What does this mean? Just another Ajax library to explore some day....but not today.

The conference continued further with 2 more sessions - but I was completely spent at this point. I didn't have the energy to continue due to jet-lag from Bangalore, and I felt that 10 hours of Ajax presentations was enough fun for one day. Too bad I won't be able to make the boat-trip sponsored by Laszlo - I'm sure they'd provide enough free drinks to convince me to rewrite everything using Open Laszlo :-)

Some other things I would miss:

Tuesday, March 20, 2007

AjaxWorld 2007 Day Two (Morning)

Day Two at AjaxWorld is off to a great start with a keynote presentation at 7:45am from Bret Taylor of Google: Scaling Ajax: The Promise and the Challenge of Modern Web Development. Bret Taylor was introduced as being the original developer of showcase Ajax web application Google Maps.

He covered a wide range of Ajax topics including....
  • How Ajax has changed the way we design User Interfaces
  • How Ajax has changed the way we view APIs
    • APIs are simple and lightweight
    • Less SOAP
    • More JavaScript
  • Ajax is about using and abusing standards
    • DOM was designed for text docs
    • XMLHttpRequest - not a standard - but supported by all browsers
    • Cross-host communication using script and iframe tags
Bret then went on to describe how Google Maps takes care of the Back Button...making the Back Button work is a common problem with Ajax applications. The solution centers around the use of iFrames for soft vs. hard states. A hard state is a display state that should be restored if the user hits the back button. For these, Google Maps creates a new URL for the iFrame, which causes the URL to become part of the history. Soft states are stored as textbox values within the iFrame. Browsers exhibit a behavior where they like to recover the value contained in the textbox when reverting to the previous URL in history. The end result is that the back button appears to function correctly to the user.

Drawing vector graphics in the browser was also discussed
  • solution in 2005: VML in IE, line-drawing server for others
  • solution in 2007: vml in IE, SVG in firefox, canvas in safari
He then went on to discuss many of the well-known problems with Ajax.

And to wrap-up, he summed up the future state of Ajax...
  • Better tools and libraries
    • Google web toolkit
      • java to javascript compiler
      • hides browser compatibility issues
      • maps ui programming concepts ( ex: constraint-based layout) to the DOM and css
    • growing community and open source toolkit
      • dojo toolkit -- google contributes
      • prototype
      • mochikit
      • yahoo UI library
  • Bret's predictions
    • technology will be open (no one will "own" the platform)
    • technology will be evolutionary (browser works pretty well already)
    • technology will address an end user need (ex: rich graphics), not just a developer needs (ex: programming language features)
The 8:15am timeslot had a cool title, but the hype from the title did not live up to expectations: The User is the Killer App. Luis Derechin and his VP of Platform Engineering, Danny Malks, delivered a presentation which could have sent the same message with fewer slides ... we are in a user-centric world. And things like Ajax make the user happy.

For 9:10am - I chose to listen to Billy Hoffman, Hacking and Exploiting Ajax Applications. Even though I was already aware of XSS and SQL Injection security issues, Billy's enthusiasm to seek and destroy websites that are prone to attack was a great source of solid entertainment.

While demonstrating, Billy used this site to show various types of attacks.

  • Ajax increases the attack surface. In addition to traditional threats...
    • web services
    • page methods
  • Be aware of SQL injection risks
    • especially since most dbs have functions that allow shell script stored procedures and/or direct API access

A key theme he repeated several times...Stop trusting the client
  • Could call functions out of order
  • could bypass form logic / validation
  • information leakage - gives away information about your app
    • function/variable names
    • function parameters and return types
    • program flow
    • trust
    • datatypes and valid ranges
    • JavaScript itself
      • comments with useful information
      • He told a Macworld story - their registration site had md5 hash codes listed in a JavaScript array - so it was easy to figure out the codes for discounts.
    • JavaScript obfuscation does not fully protect
  • Be alert to XSS holes (Cross-Site Scripting). Potential malicious things that could be done...
    • cookie theft
      • session hijacking
    • key logging
    • screen scraping
    • malicious scripts
    • mousemoves
And something new for Ajax -- Ajax mashups can open new security issues when acting as bridges to other sites...
  • another layer for an attacker to hide behind
  • theft of resources...
  • dos of affiliate websites
  • bypass of traditional security

He then went on to describe a backdoor security hole in the popular Prototype library. Apparently, when Prototype sees data with a JSON header, it automatically evaluates it as JavaScript, so malicious JavaScript has a way into a Prototype site. I haven't had time to experiment with this - but it's worth noting.
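The eval warning from Crockford's JSON session and the Prototype behaviour just described are the same issue, shown here as an added example (not code from either talk, from Prototype, or from Crockford's json.js). parseWithEval, parseJsonOnly, tryParse and recordSideEffect are names made up for this example; JSON.parse is the standard built-in parser that string.parseJSON anticipated. The two sample responses are constructed: one is real JSON, the other merely looks like it.

```javascript
// Added example: an eval-based "JSON" decoder executes whatever JavaScript the
// response contains, while a JSON-only parser rejects anything that is not data.

// Defender-side audit trail: records whether any code ran during "parsing".
// A real hostile payload would do something worse than append to an array.
var sideEffects = [];
function recordSideEffect(tag) {
  sideEffects.push(tag);
  return 0;
}

// The parenthesised eval form used by early JSON decoders (and by library
// code that trusted a JSON response header). Any valid JavaScript is executed.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// JSON.parse accepts the JSON grammar only: function calls, assignments and
// other JavaScript are syntax errors, so nothing in the text can execute.
function parseJsonOnly(text) {
  return JSON.parse(text);
}

// Runs a parser over a payload and reports {value, executed, error}.
function tryParse(parser, text) {
  sideEffects.length = 0;
  try {
    var value = parser(text);
    return { value: value, executed: sideEffects.length > 0, error: null };
  } catch (e) {
    return { value: null, executed: sideEffects.length > 0, error: e.name };
  }
}

// Constructed sample responses.
var BENIGN_TEXT = '{"first": "Carl", "last": "Hollywood", "border": 2}';
var HOSTILE_TEXT = '{"first": "Carl", "border": recordSideEffect("ran-inside-parser")}';

// Stand-alone demonstration.
console.log('eval, benign:  ', tryParse(parseWithEval, BENIGN_TEXT));
console.log('eval, hostile: ', tryParse(parseWithEval, HOSTILE_TEXT));
console.log('JSON, benign:  ', tryParse(parseJsonOnly, BENIGN_TEXT));
console.log('JSON, hostile: ', tryParse(parseJsonOnly, HOSTILE_TEXT));
```

Both parsers accept the benign response; only the eval-based one reports executed: true for the hostile response, while JSON.parse fails with a SyntaxError before anything runs. That failure is the desired outcome, and it is also a useful thing to log on the client: a "JSON" response that does not parse is a signal worth investigating.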

How can we tighten up security in our apps. Here are some of his tips:
  • input validation
    • client side validation is no validation
    • don't use blacklisting (I will not allow these chars)
    • use whitelisting (only list acceptable/known chars/formats)
    • validate both data type and range/length
    • validate data format
    • escaping input is as good as validation
  • prevent info leakage
    • no monolithic .js or .css files in master pages
    • separate Ajax page methods/web services from other web services
    • turn off WSDLs for web services
    • comments in JS files cannot be masked
    • minimize logic pushed to the client
    • minimize what is exposed by a web service
    • obfuscation? not really
Useful tools
  • firebug
  • ie watch
  • fiddler
  • web developer toolbar
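Billy's input validation tips, turned into an added example of a server-side whitelist validator (my code, not from the talk). The schema format, validate and acceptRequest are assumptions made for this example, and the sample request bodies are constructed. Type, range, length and format are each checked against what is allowed, and fields the schema does not list are rejected outright rather than trying to enumerate what is forbidden.

```javascript
// Added example: allow-list validation of an Ajax request body on the server.
// The schema format below is an assumption made for this example.
var RECORD_SCHEMA = {
  first:  { type: 'string', maxLength: 40, pattern: /^[A-Za-z][A-Za-z' -]*$/ },
  last:   { type: 'string', maxLength: 40, pattern: /^[A-Za-z][A-Za-z' -]*$/ },
  border: { type: 'integer', min: 0, max: 10 }
};

// Returns a list of problems; an empty list means the body is acceptable.
function validate(body, schema) {
  var errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  // Unknown members are rejected: only the listed fields get through.
  Object.keys(body).forEach(function (key) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push('unexpected field: ' + key);
    }
  });
  Object.keys(schema).forEach(function (key) {
    var rule = schema[key];
    var value = body[key];
    if (value === undefined) {
      errors.push('missing field: ' + key);
      return;
    }
    if (rule.type === 'string') {
      // Data type, then length, then format: each check assumes the previous passed.
      if (typeof value !== 'string') { errors.push(key + ': must be a string'); return; }
      if (value.length === 0 || value.length > rule.maxLength) {
        errors.push(key + ': length must be 1..' + rule.maxLength); return;
      }
      if (!rule.pattern.test(value)) { errors.push(key + ': contains characters outside the allowed set'); }
    } else if (rule.type === 'integer') {
      // Reject numeric strings too: "2" is not the same type as 2.
      if (typeof value !== 'number' || !Number.isInteger(value)) { errors.push(key + ': must be an integer'); return; }
      if (value < rule.min || value > rule.max) {
        errors.push(key + ': must be between ' + rule.min + ' and ' + rule.max);
      }
    }
  });
  return errors;
}

// Parses a raw request body with a JSON-only parser, then validates it.
// Returns {ok: true, record} or {ok: false, errors}.
function acceptRequest(rawBody) {
  var body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ['body is not valid JSON'] };
  }
  var errors = validate(body, RECORD_SCHEMA);
  return errors.length === 0 ? { ok: true, record: body } : { ok: false, errors: errors };
}

// Constructed sample requests: a clean one and one with markup in a name,
// a string where an integer is expected, and a field nobody asked for.
var GOOD_BODY = '{"first":"Carl","last":"Hollywood","border":2}';
var BAD_BODY = '{"first":"<b>Carl</b>","last":"Hollywood","border":"two","role":"admin"}';

console.log(acceptRequest(GOOD_BODY));
console.log(acceptRequest(BAD_BODY));
```

The client may run the same checks for a friendlier user experience, but as the tips say, that is not validation; this function runs on the server, where the request body is treated as untrusted whatever the page's JavaScript did with it.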
The final presentation of the morning I attended was a Q&A by Google which started at 11:40am. Unfortunately - I only caught a few minutes of this because I had to take a conference call at noon. But this looked like a very promising block of time -- 3 Google engineers (including Bret Taylor) up on stage in the big ballroom ready to answer any questions.

Here's a couple notes I scribbled down before I had to run off...

  • Google Maps uses iFrame functionality because they wanted to harness the back-button behavior. (see my notes from the first speaker of the day)
  • Google Gadgets uses XMLHttpRequest to do its Ajax transfers. And they use an Ajax proxy to get around cross-domain issues.
  • A question was asked about security and gadgets. Google prefers not to be in the "security business" - and want to provide free services and not make security a barrier. If you need logins - you lose users.
  • Google has its own internal service called dogfood where Google employees use their own products (corporate version of calendar, gmail, etc...) - "eat our own dogfood"
  • Why would they choose Flex or Ajax? They design for a user experience, and then choose technology depending on what meets the requirements. Ex: Google Maps is Ajax, but their stock ticker chart is Flash.
  • Why use Java in GoogleWebToolkit rather than a declarative markup like Flex/Laszlo in XML? A design philosophy of the GWT was to make it easier for Java coders (because there are a lot of them) to build Ajax apps as easily as they build AWT/Swing apps.

Monday, March 19, 2007

AjaxWorld 2007 Day One (NYC)

I'm here at AjaxWorld NYC which starts today (3/20/2007):

SWAG review: I received a black bag which contained the following items....
  • 1 AjaxWorld DVD (2-discs - very nice)
  • A couple vendor CDs
    • IntelliJ IDEA - 30 day trial
    • Oracle Fusion Middleware
    • Flex 2 SDK (which is free), Flex Builder 30-day trial
    • unlabelled CD-R
      • Turns out it has all the presentations - that's nice. Would be nice to label the CD
  • Some glossy product sheets

A copy of the book Real-world Ajax would've been a nice surprise (hint!)

WiFi in the hotel needs a password....Password is "AJAX0307". And if the WiFi is down - go across the street to Cosi - grab a coffee - and enjoy their free WiFi (it's more stable than the Roosevelt's)

AjaxWorld is supposed to start at 1:30 -- but we don't start until 1:45. Jeremy Geelan explains to the crowd that we're starting late because he told the people in the registration line that he wouldn't start without them. Nice for the people in line, not so nice for the thousand people in the room waiting.

The keynote, Douglas Crockford didn't take the stage until 1:50pm....and then he only got a chance to speak until 2:15.

AjaxWorld: Ajax, the Browser Application Platform
My hero, the JavaScript god himself, Douglas Crockford (creator of JSON), was the keynote speaker. He surveyed the crowd to see who was in the audience: about 20% of the crowd appeared to be beginners, the remaining had some level of Ajax experience.

Although Douglas didn't break any new ground, he gave a very polite and organized introduction to why we were all here at AjaxWorld. Some interesting comments....

  • First he covered, where we've been...."Java Applets - Flop"
  • What we want out of Ajax..."Apps without installation"
  • A quick shout-out about JSON: "JSON is the X in Ajax"
  • "Best thing to happen after the browser wars...Microsoft did nothing" -- this resulted in stability which allowed applications using Ajax to grow
  • We want open systems, but we miss the advantages of proprietary systems and lack a single vision
  • Stability
  • "appalling standards" -- not enough web standards exist to cover everything necessary to build a modern browser
  • Lack of Foresight - the web wasn't originally designed to be used for application delivery
Current Situation
  • 200+ Ajax Libraries
  • Too many - we need a shake-out phase
  • Security is a concern
    • "whitelist filtering"
    • Server's responsibility not to send confidential info to unauthorized agents
    • Server's responsibility not to accept data from unauthorized agents
  • Ajax Wow Factor -- Need to keep at a minimum. "Dare to be dull"
  • Mobile Ajax lags.
    • Java failed on mobile
    • Future: Web apps on mobile
    • Mobile Ajax is here
  • Ajax Competition
    • Adobe Apollo
    • Microsoft WPF/e
More Douglas Crockford! More Douglas Crockford!

In the 2:30pm timeslot, I chose Ryan Stout's presentation "JavaScript Performance: Speeding Up Your Ajax Apps". I really enjoyed Ryan's presentation, and found it to be 45 minutes very well-spent.

He gave some great tips from the trenches, and talked about various techniques he uses to improve Ajax performance. So rather than parrot back what he said - Ryan posted his slides here...

Some key points:
  • slow apps lose users
  • focus on user experience, not resource use
  • profile javascript using firebug - latest firebug has lots of profiling tools
  • profile network activity using firebug
  • avoid things that cause page reflows (redraws or shifts)
  • Keep users informed - use timeouts to provide a chance for the browser to breathe
  • interactivity beats response time
  • Set Expiration Date - take advantage of caching.
The 3:40pm - 4:40pm timeslot was filled with 2 Ajax product presentations...neither are open-source...

"Enterprise Web 2.0 - Programming with Levers, Dials and maybe Switches"
A product presentation for Nexaweb. Their key message is "Enterprise Web 2.0 (Enterprise IT + Web 2.0) + switches/levers = business agility". So an application architect needs to balance the needs of the users to help determine where the code resides. Everything from a modern fat-client, to a thin-client is possible today. And Nexaweb appears to make it easy to move between a lightweight thin-client all the way to a fat-client concept....and a couple levels in-between.


"AJAX Best Practices"
A product presentation for BackBase. BackBase appears to be a polished Java-centric Ajax framework that works well with JSF and Struts. The price is steep though -- I spoke briefly to the Backbase rep in the vendor room and developer seats are $2000 each, and server licenses are $8000 per cpu.

The last speaker of the day for me was Ajit Jaokar...his presentation was titled: "Deploying Web-Based Applications to Mobile Devices Using AJAX Techniques". Ajit is the author of the book "Mobile Web 2.0". We didn't get a copy of his slides, but his presentation was well attended and he was asked many questions throughout the speech. The key theme of this topic was Mobile Ajax is driving widgets. He went on to describe WICD (W3C Web Integration Compound Document) which is like Ajax++ (Ajax plus audio and video).

He also gave props to Apple..."apple practically invented widgets", "apple is best poised to take advantage of mobile widgets". And Ajit claims Apple is not using Java or Flash in their upcoming iPhone - they are using Ajax technology.

Mobile Ajax is not Google Maps or Netflix. Ajit says Mobile Ajax is widgets. Hopefully we'll get his slides later, because he spoke VERY fast, and covered a lot of material.

I thoroughly enjoyed this presentation and wished Ajit had more time to speak. More information about his talk can be found on his own blog...

...and that wraps up Day One at AjaxWorld 2007 for me!

AjaxWorld 2007 - Waiting for it to start...

So I'm getting ready to attend AjaxWorld in New York City on March 19-21 -- and I realize that the conference is not 3 full days...it's more like 1 half-day, and 2 painfully-long days:

Monday, 1:30pm - 5:30pm
Tuesday, 7:30am - 8pm
Wednesday, 7:30am - 7pm

Check out the schedule - it looks like there will be a lot of interesting topics....

And I like Ajax a lot, but 13 hours on Day#2 is just asking too much for a human to endure.

....looking forward to these presentations:
Ajax, The browser the platform - Douglas Crockford (a javascript god)
JavaScript, performance: speeding up Ajax Apps
Ajax Best Practices (I hope this isn't a BackBase advertisement!)
Enterprise Comet: The Real-time Web

I spend the morning having breakfast and lunch with some of the other orphaned AjaxWorld attendees who also arrive earlier than the 1:30pm start-time. One of the guys I had lunch with is Dean Allemang, who will be speaking on Day#3 about using RDFa to build Semantic Mash-ups.

Dean's great to talk to - and I formulate my own short description of RDFa and Semantic Mash-ups. But before I can describe RDFa I have to do a little setup: the Semantic Web reflects a web where the pages are not designed just for humans, but also for computers. Microformats help by appending extra information to standard web page tags so they contain more descriptive information. RDF is a format which does something similar to Microformats for data transfers. It helps to describe the data that is being sent from machine to machine.

Many people have heard of Ajax Mashups (,, etc...) which blend data with a visual API (ex: Google Maps). A Semantic mash-up merges unrelated data sources together to form a useful product (ex: bike route, with wi-fi hotspots).

Friday, March 9, 2007

7 days in Bangalore, India....

I had to go to Bangalore, India to teach some classes on Ajax and Web 2.0 this week. So I started a separate travel Blog just about this trip.

It should provide some interesting reading for any business travelers going to Bangalore for the first time. I hope you enjoy it!

Sunday, March 4, 2007

Goodbye Windows...Hello Mac....

I started out my computing life with the Radio Shack TRS-80 and the Apple II+ computer. While simultaneously using PC clones in my jobs.

By 1985 - I had moved from one Macintosh, to another...while simultaneously using PC clones and Sun workstations in my internships.

Sadly - after entering the formal business world in the 1990s -- it became clear that Macs weren't welcome at the office. So since 1994 - I stopped buying Apple, and sold my soul to the dark-side, owning and using Microsoft Windows.

So here it is, 2007, and I am convinced that we are at the forefront of a dramatic and fast shift to Apple. Last week, I was running an all-day developer's conference with 5 leading technology speakers on Web 2.0. 3 out of 5 of those speakers -- used Macs. I also teach an Ajax course -- about 50% of my students...use Macs.

An article in RDM describes many of the realities that I'm seeing first-hand. Apple is starting to win back the key people that really matter in the next generation of software...the developers.

Apple's triple-combo is quite devastating....Since Mac OS X - Apple started shipping computers which run on a Linux operating system. Strike One Microsoft! And in 2006, Apple started to ship Macs running the Intel Core Duo chips before the Windows machines had them! Strike Two Microsoft! And native Apple software or third-party software like Parallels -- makes it possible to run multiple operating systems....Apple's operating system OR Windows OR most variants of Linux. Ouch...Strike Three Microsoft!

And then there's Microsoft Vista -- dead-on-arrival.

It no longer matters what operating system you are running...Windows, Mac, Unix/Linux. High scale Web Services, Ajax, and Flash are making it possible to run almost anything anywhere.

Microsoft....You're OUT! Or at least -- a commodity.